Linux CentOS 7 安装 OpenVPN
添加脚本 install.sh(脚本注释里的用法示例写作 install_openvpn.sh,指的就是这个文件,按实际文件名调用即可):
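#!/bin/bash
# ============================================
# One-shot OpenVPN + EasyRSA installer (one client per run).
#
# Usage:
#   bash install_openvpn.sh client1
#
# What it does:
#   * installs openvpn + easy-rsa if `openvpn` is not on PATH
#     (yum/EPEL on RHEL-family, apt elsewhere);
#   * on first run (no pki/ directory yet): initialises the EasyRSA PKI,
#     issues the server certificate, generates DH params and the tls-auth
#     key, writes /etc/openvpn/server/server.conf and starts the service;
#   * issues a client certificate for $1 (skipped if already issued) and
#     writes an inline .ovpn for it to $OVPN_DIR.
#
# Environment overrides (all optional):
#   SERVER_IP    public address the clients connect to
#   SERVER_PORT  UDP port written to BOTH server.conf and the client .ovpn.
#                (The original wrote 1194 into server.conf but 1215 into the
#                client file, so the generated clients could never connect.)
#   EASYRSA_DIR  EasyRSA directory; auto-detected if the default is absent
#   OVPN_DIR     directory that receives the client .ovpn files
#
# Security notes:
#   * The CA key is created with `nopass` (unencrypted) so the run is
#     unattended. Anyone who can read pki/private/ca.key can mint client
#     certificates - keep the PKI root-only, or drop `nopass` and protect
#     the CA key with a passphrase.
#   * The PKI lives inside the easy-rsa package directory; a package
#     upgrade or removal may take it along. Back it up.
#   * The .ovpn embeds the client private key and ta.key. It is created
#     0600 in a 0700 directory; move it to the client over an authenticated
#     channel (scp) and delete the server copy afterwards.
#   * `push redirect-gateway` also needs net.ipv4.ip_forward=1, NAT
#     (masquerade) and an open UDP port in the host firewall. None of that
#     is configured by this script.
# ============================================
set -euo pipefail

CLIENT_NAME="${1:-}"
EASYRSA_DIR="${EASYRSA_DIR:-/usr/share/easy-rsa/3.0.8}"
OVPN_DIR="${OVPN_DIR:-/root/openvpn-clients}"
SERVER_NAME="server"
SERVER_IP="${SERVER_IP:-47.115.149.200}"
SERVER_PORT="${SERVER_PORT:-1194}"

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -n "$CLIENT_NAME" ]] || die "❌ 请输入客户端名称,例如:bash install_openvpn.sh client1"

# $CLIENT_NAME becomes a file name under pki/ and the certificate CN.
# Restrict it so "../x", a leading dot, spaces or shell metacharacters
# cannot escape the PKI directory or confuse easyrsa.
[[ "$CLIENT_NAME" =~ ^[A-Za-z0-9_-][A-Za-z0-9_.-]*$ ]] \
  || die "❌ 客户端名称只能包含字母、数字、'_'、'-'、'.',且不能以 '.' 开头"

# Package installation, systemd and /etc/openvpn all need root.
[[ $EUID -eq 0 ]] || die "❌ 请使用 root 用户运行"

if ! command -v openvpn &>/dev/null; then
  echo "✅ 正在安装 OpenVPN 与 EasyRSA..."
  if [[ -f /etc/redhat-release ]]; then
    yum install -y epel-release
    yum install -y openvpn easy-rsa
  else
    apt update -y
    apt install -y openvpn easy-rsa
  fi
fi

# EPEL ships EasyRSA under a versioned directory (the default above);
# Debian/Ubuntu typically put it straight under /usr/share/easy-rsa.
# Fall back instead of dying in `cd` on a different layout.
if [[ ! -f "$EASYRSA_DIR/easyrsa" ]]; then
  for candidate in /usr/share/easy-rsa/3* /usr/share/easy-rsa; do
    if [[ -f "$candidate/easyrsa" ]]; then
      EASYRSA_DIR="$candidate"
      break
    fi
  done
fi
[[ -f "$EASYRSA_DIR/easyrsa" ]] || die "❌ 未找到 easyrsa,请设置 EASYRSA_DIR(当前: $EASYRSA_DIR)"
cd "$EASYRSA_DIR"

if [[ ! -d pki ]]; then
  echo "✅ 初始化 EasyRSA PKI..."
  ./easyrsa init-pki
  # The here-doc answers the single "Common Name" prompt of build-ca.
  ./easyrsa build-ca nopass <<EOF
CN
EOF

  echo "✅ 生成服务器证书..."
  ./easyrsa gen-req "$SERVER_NAME" nopass
  # "yes" confirms the request details before signing.
  ./easyrsa sign-req server "$SERVER_NAME" <<EOF
yes
EOF

  echo "✅ 生成 Diffie-Hellman & TLS 密钥..."
  ./easyrsa gen-dh
  # Shared HMAC key for tls-auth: direction 0 on the server, 1 in clients.
  openvpn --genkey --secret ta.key

  echo "✅ 拷贝服务端文件..."
  mkdir -p /etc/openvpn/server
  cp pki/ca.crt "pki/private/${SERVER_NAME}.key" "pki/issued/${SERVER_NAME}.crt" \
     pki/dh.pem ta.key /etc/openvpn/server/
  # Private material stays root-only; openvpn reads it before dropping privileges.
  chmod 600 "/etc/openvpn/server/${SERVER_NAME}.key" /etc/openvpn/server/ta.key

  # Debian/Ubuntu name the unprivileged group "nogroup", EL "nobody";
  # a non-existent group makes openvpn fail when it drops privileges.
  if getent group nogroup >/dev/null 2>&1; then
    NOBODY_GROUP="nogroup"
  else
    NOBODY_GROUP="nobody"
  fi

  # Unquoted here-doc on purpose: only ${SERVER_PORT} and ${NOBODY_GROUP}
  # are expanded; the config contains no other $ or backticks.
  cat > /etc/openvpn/server/server.conf <<EOF
port ${SERVER_PORT}
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
cipher AES-256-GCM
user nobody
group ${NOBODY_GROUP}
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF

  # openvpn@.service reads /etc/openvpn/%i.conf, which does not match the
  # /etc/openvpn/server/ layout written above (the original needed a manual
  # `cp /etc/openvpn/server/* /etc/openvpn/` afterwards). openvpn-server@.service
  # (OpenVPN >= 2.4) uses /etc/openvpn/server as its working directory.
  systemctl enable openvpn-server@server
  systemctl restart openvpn-server@server
  echo "✅ OpenVPN 服务端已启动!"
else
  echo "✅ 检测到已存在 PKI 环境,跳过服务端初始化..."
fi

# An issued cert means the client is done. A key without an issued cert
# means a previous run died between gen-req and sign-req; sign the pending
# request instead of failing on "already exists".
if [[ -f "pki/issued/${CLIENT_NAME}.crt" ]]; then
  echo "⚠️ 客户端 ${CLIENT_NAME} 已存在,跳过生成"
else
  echo "✅ 生成客户端证书: $CLIENT_NAME"
  if [[ ! -f "pki/private/${CLIENT_NAME}.key" ]]; then
    ./easyrsa gen-req "$CLIENT_NAME" nopass
  fi
  ./easyrsa sign-req client "$CLIENT_NAME" <<EOF
yes
EOF
fi

# Fail loudly instead of emitting a half-empty .ovpn: a failing $(cat ...)
# inside the here-doc below would not trip `set -e`.
for f in pki/ca.crt "pki/issued/${CLIENT_NAME}.crt" "pki/private/${CLIENT_NAME}.key" ta.key; do
  [[ -f "$f" ]] || die "❌ 缺少文件 $EASYRSA_DIR/$f,无法生成客户端配置"
done

echo "✅ 正在生成 ${CLIENT_NAME}.ovpn ..."
mkdir -p "$OVPN_DIR"
chmod 700 "$OVPN_DIR"
umask 077   # the .ovpn contains a private key: create it 0600
cat > "$OVPN_DIR/${CLIENT_NAME}.ovpn" <<EOF
client
dev tun
proto udp
remote ${SERVER_IP} ${SERVER_PORT}
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-GCM
verb 3
key-direction 1
<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/${CLIENT_NAME}.crt")
</cert>
<key>
$(cat "pki/private/${CLIENT_NAME}.key")
</key>
<tls-auth>
$(cat ta.key)
</tls-auth>
EOF
# Also tighten a pre-existing file from an earlier run that was written 0644.
chmod 600 "$OVPN_DIR/${CLIENT_NAME}.ovpn"

echo
echo "🎉 客户端配置已生成:$OVPN_DIR/${CLIENT_NAME}.ovpn"
echo "📤 你可以用以下命令下载:"
echo " scp root@${SERVER_IP}:$OVPN_DIR/${CLIENT_NAME}.ovpn ./"
echo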
执行(以 root 身份,在脚本所在目录运行 install.sh 后):
# openvpn@server 单元读取的是 /etc/openvpn/server.conf,而脚本把配置和证书写在 /etc/openvpn/server/ 下,所以要复制一份(路径全部小写,Linux 区分大小写):
cp /etc/openvpn/server/* /etc/openvpn/
#查看端口号或修改端口号(server.conf 中的 port 必须与客户端 .ovpn 里 remote 行的端口一致,改了服务端就要同步改客户端文件)
sudo vim /etc/openvpn/server.conf
#放行端口号
firewall-cmd --permanent --add-port=端口号/udp
firewall-cmd --reload
#查看放行的端口号
firewall-cmd --list-ports
#放行后重启服务
sudo systemctl restart openvpn@server
#创建新的 OpenVPN 客户端配置文件(生成到 /root/openvpn-clients/客户名.ovpn,其中包含客户端私钥,传输后请删除服务器上的副本)
./install.sh 客户名