CentOS 7 安装openvpn的步骤详解

检查系统环境

[root@ss-usa-odo01 ~]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
[root@ss-usa-odo01 ~]# df -hP
Filesystem         Size  Used Avail Use% Mounted on
/dev/ploop12288p1   30G  484M   28G   2% /
devtmpfs           256M     0  256M   0% /dev
tmpfs              256M     0  256M   0% /dev/shm
tmpfs              256M   88K  256M   1% /run
tmpfs              256M     0  256M   0% /sys/fs/cgroup
[root@ss-usa-odo01 ~]# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
[root@ss-usa-odo01 ~]# grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= '{print $2}'
104.223.122.202
[root@ss-usa-odo01 ~]#

系统初始化下

[root@ss-usa-odo01 ~]# curl -Lks onekey.sh/centos_init|bash
[root@ss-usa-odo01 ~]# reboot

更新源

[root@ss-usa-odo01 ~]# yum clean all && yum makecache && yum install epel-release -y && yum update -y
将CentOS 7的FrieWall换成iptables

bash -c "$(curl -Ls onekey.sh/friewall2iptables)"

yum安装openvpn

[root@ss-usa-odo01 ~]# yum install openvpn easy-rsa net-tools -y
 
配置openvpn Server端
[root@ss-usa-odo01 ~]# cp /usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf /etc/openvpn/
[root@ss-usa-odo01 ~]# mkdir /etc/openvpn/easy-rsa
[root@ss-usa-odo01 ~]# /bin/cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
[root@ss-usa-odo01 ~]# cd /etc/openvpn/easy-rsa
[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# vi vars  #参考下面的图做修改

 

[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

 

使用build-ca脚本构建CA证书，证书将创建在/etc/openvpn/easy-rsa/。按Enter键接受默认值：

[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
.....................................................................+++
..........................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [PuDong]:
Organization Name (eg, company) [Prime Research Asia]:
Organizational Unit Name (eg, section) [Social Media]:
Common Name (eg, your name or your server's hostname) [Prime Research Asia CA]:
Name [EasyRSA]:
Email Address [admin@dwhd.org]:
[root@ss-usa-odo01 /etc/openvpn/easy-rsa]#

 

下一步，我们将创建密钥和服务器本身的证书。和以前一样，接受默认值，然后按Y确认证书的签字：

[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
............................+++
...................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [PuDong]:
Organization Name (eg, company) [Prime Research Asia]:
Organizational Unit Name (eg, section) [Social Media]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [admin@dwhd.org]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'ShangHai'
localityName          :PRINTABLE:'PuDong'
organizationName      :PRINTABLE:'Prime Research Asia'
organizationalUnitName:PRINTABLE:'Social Media'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'admin@dwhd.org'
Certificate is to be certified until Jun 11 18:27:02 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ss-usa-odo01 /etc/openvpn/easy-rsa]#
Linux之CentOS 7 安装openvpn

接下来，生成用于信息交流，以补充对RSA的Diffie-Hellman文件（这将需要相当长的一段时间）。这将创建一个名为dh2048.pem内的/ etc / OpenVPN的/ RSA /密钥文件中：

[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................+.................
最后，为每个使用VPN服务器的客户端创建单独的证书文件：

[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# ./build-key 104.233.122.202-lookback
Generating a 2048 bit RSA private key
...+++
...........................................................+++
writing new private key to '104.233.122.202-lookback.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [PuDong]:
Organization Name (eg, company) [Prime Research Asia]:
Organizational Unit Name (eg, section) [Social Media]:
Common Name (eg, your name or your server's hostname) [104.233.122.202-lookback]:
Name [EasyRSA]:
Email Address [admin@dwhd.org]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'ShangHai'
localityName          :PRINTABLE:'PuDong'
organizationName      :PRINTABLE:'Prime Research Asia'
organizationalUnitName:PRINTABLE:'Social Media'
commonName            :PRINTABLE:'104.233.122.202-lookback'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'admin@dwhd.org'
Certificate is to be certified until Jun 11 18:35:47 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ss-usa-odo01 /etc/openvpn/easy-rsa]#
Linux之CentOS 7 安装openvpn

防止VPN被DDOS攻击，生成ta.key

[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# openvpn --genkey --secret ../ta.key

接下来开始修改server端的配置文件

[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# cp keys/{ca.crt,dh2048.pem,server.crt,server.key} /etc/openvpn/
[root@ss-usa-odo01 /etc/openvpn/easy-rsa]# cd ..
[root@ss-usa-odo01 /etc/openvpn]# vi server.conf

###下面是我的配置文件可以参考
[root@ss-usa-odo01 /etc/openvpn]# grep -Ev '^($|#)' server.conf
;local a.b.c.d  #指定监听的本机IP(因为有些计算机具备多个IP地址)，该命令是可选的，默认监听所有IP地址。
port 22033      #服务端端口号，根据需要自行修改
proto tcp       #通过tcp协议来连接，也可以通过udp，看实际的需求
;proto udp
;dev tap
dev tun         #路由模式，注意windows下必须使用dev tap
;dev-node MyTap #非Windows系统通常不需要设置这个
ca ca.crt       #ca证书存放位置，这边是放在默认路径下的不需要修改，如果放在其他路径下，后面要加上绝对路径，根据实际情况更改
cert server.crt #服务器证书存放位置，这边是放在默认路径下的不需要修改，如果放在其他路径下，后面要加上绝对路径，根据实际情况更改
key server.key  #服务器密钥存放位置，这边是放在默认路径下的不需要修改，如果放在其他路径下，后面要加上绝对路径，根据实际情况更改
dh dh2048.pem   #dh2048.pem存放位置，这边是放在默认路径下的不需要修改，如果放在其他路径下，后面要加上绝对路径，根据实际情况更改
;topology subnet
server 10.188.0.0 255.255.0.0   #虚拟局域网网段设置，请根据需要自行修改
ifconfig-pool-persist ipp.txt   #在openvpn重启时,再次连接的客户端将依然被分配和以前一样的IP地址
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 0.0.0.0 0.0.0.0" #全网走openvpn
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway def1 bypass-dhcp" #客户端所有网络通信通过vpn，这个可以选择的，如果注释掉的话那就是本地的数据包还是从本地出去，不强制走VPN
push "dhcp-option DNS 8.8.8.8"           #指定客户端使用的主DNS
push "dhcp-option DNS 8.8.4.4"           #指定客户端使用的备DNS
client-to-client                         #开启客户端互访
duplicate-cn                             #支持一个证书多个客户端登录使用，建议不启用
keepalive 5 30                           #服务端5面监测一次，如果30秒没响应就认定客户端down了
tls-auth ta.key 0                        #防DDOS攻击，服务器端0,客户端1
;cipher BF-CBC        # Blowfish (default) #这是默认的加密算法
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo                                 #允许数据压缩，如果启用了客户端配置文件也需要有这项
max-clients 100                          #最大客户端并发连接数量
user nobody                              #定义运行openvpn的用户
group nobody                             #定义运行openvpn的用户组
persist-key                              #通过keepalive检测超时后，重新启动VPN，不重新读取keys，保留第一次使用的keys
persist-tun                              #通过keepalive检测超时后，重新启动VPN，一直保持tun或者tap设备是linkup的，否则网络连接会先linkdown然后linkup
status /tmp/openvpn-status.log           #定期把openvpn的一些状态信息写到文件中，以便自己写程序计费或者进行其他操作
;log         openvpn.log                 #记录日志，每次重新启动openvpn后删除原有的log信息
log-append  /tmp/openvpn.log             #记录日志，每次重新启动openvpn后追加原有的log信息 
verb 3                                   #设置日志要记录的级别，可选0-9，0 只记录错误信息，4 能记录普通的信息，5 和 6 在连接出现问题时能帮助调试，9 是极端的，所有信息都会显示，甚至连包头等信息都显示（像tcpdump）
mute 20        
                         #相同信息的数量，如果连续出现 20 条相同的信息，将不记录到日志中。
[root@ss-usa-odo01 /etc/openvpn]#

[root@ss-usa-odo01 /etc/openvpn]# echo -e "###OpenVPN ADD\nnet.ipv4.conf.default.accept_source_route = 1\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ss-usa-odo01 /etc/openvpn]# sysctl -p
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1
[root@ss-usa-odo01 /etc/openvpn]#

[root@ss-usa-odo01 /etc/openvpn]# systemctl -f enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@ss-usa-odo01 /etc/openvpn]# systemctl start openvpn@server
[root@ss-usa-odo01 /etc/openvpn]# systemctl -l status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since 一 2016-06-13 16:08:20 EDT; 10s ago
  Process: 6464 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 6465 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─6465 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf
 
6月 13 16:08:20 ss-usa-odo01.90r.org systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
6月 13 16:08:20 ss-usa-odo01.90r.org systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@ss-usa-odo01 /etc/openvpn]# cat /tmp/openvpn.log
Mon Jun 13 16:07:47 2016 us=2075 Current Parameter Settings:
Mon Jun 13 16:07:47 2016 us=2135   config = 'server.conf'
Mon Jun 13 16:07:47 2016 us=2144   mode = 1
Mon Jun 13 16:07:47 2016 us=2150   persist_config = DISABLED
Mon Jun 13 16:07:47 2016 us=2156   persist_mode = 1
Mon Jun 13 16:07:47 2016 us=2162   show_ciphers = DISABLED
Mon Jun 13 16:07:47 2016 us=2168   show_digests = DISABLED
Mon Jun 13 16:07:47 2016 us=2174   show_engines = DISABLED
Mon Jun 13 16:07:47 2016 us=2180   genkey = DISABLED
Mon Jun 13 16:07:47 2016 us=2185   key_pass_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2192   show_tls_ciphers = DISABLED
Mon Jun 13 16:07:47 2016 us=2199 Connection profiles [default]:
Mon Jun 13 16:07:47 2016 us=2206   proto = tcp-server
Mon Jun 13 16:07:47 2016 us=2214   local = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2219   local_port = 22033
Mon Jun 13 16:07:47 2016 us=2224   remote = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2229   remote_port = 22033
Mon Jun 13 16:07:47 2016 us=2234   remote_float = DISABLED
Mon Jun 13 16:07:47 2016 us=2240   bind_defined = DISABLED
Mon Jun 13 16:07:47 2016 us=2246   bind_local = ENABLED
Mon Jun 13 16:07:47 2016 us=2252   connect_retry_seconds = 5
Mon Jun 13 16:07:47 2016 us=2258   connect_timeout = 10
Mon Jun 13 16:07:47 2016 us=2264   connect_retry_max = 0
Mon Jun 13 16:07:47 2016 us=2271   socks_proxy_server = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2277   socks_proxy_port = 0
Mon Jun 13 16:07:47 2016 us=2283   socks_proxy_retry = DISABLED
Mon Jun 13 16:07:47 2016 us=2289   tun_mtu = 1500
Mon Jun 13 16:07:47 2016 us=2305   tun_mtu_defined = ENABLED
Mon Jun 13 16:07:47 2016 us=2311   link_mtu = 1500
Mon Jun 13 16:07:47 2016 us=2316   link_mtu_defined = DISABLED
Mon Jun 13 16:07:47 2016 us=2322   tun_mtu_extra = 0
Mon Jun 13 16:07:47 2016 us=2327   tun_mtu_extra_defined = DISABLED
Mon Jun 13 16:07:47 2016 us=2333   mtu_discover_type = -1
Mon Jun 13 16:07:47 2016 us=2338   fragment = 0
Mon Jun 13 16:07:47 2016 us=2344   mssfix = 1450
Mon Jun 13 16:07:47 2016 us=2350   explicit_exit_notification = 0
Mon Jun 13 16:07:47 2016 us=2357 Connection profiles END
Mon Jun 13 16:07:47 2016 us=2363   remote_random = DISABLED
Mon Jun 13 16:07:47 2016 us=2368   ipchange = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2373   dev = 'tun'
Mon Jun 13 16:07:47 2016 us=2378   dev_type = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2382   dev_node = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2388   lladdr = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2394   topology = 1
Mon Jun 13 16:07:47 2016 us=2400   tun_ipv6 = DISABLED
Mon Jun 13 16:07:47 2016 us=2405   ifconfig_local = '10.188.0.1'
Mon Jun 13 16:07:47 2016 us=2411   ifconfig_remote_netmask = '10.188.0.2'
Mon Jun 13 16:07:47 2016 us=2416   ifconfig_noexec = DISABLED
Mon Jun 13 16:07:47 2016 us=2422   ifconfig_nowarn = DISABLED
Mon Jun 13 16:07:47 2016 us=2437   ifconfig_ipv6_local = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2442   ifconfig_ipv6_netbits = 0
Mon Jun 13 16:07:47 2016 us=2487   ifconfig_ipv6_remote = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2494   shaper = 0
Mon Jun 13 16:07:47 2016 us=2500   mtu_test = 0
Mon Jun 13 16:07:47 2016 us=2506   mlock = DISABLED
Mon Jun 13 16:07:47 2016 us=2512   keepalive_ping = 5
Mon Jun 13 16:07:47 2016 us=2518   keepalive_timeout = 30
Mon Jun 13 16:07:47 2016 us=2523   inactivity_timeout = 0
Mon Jun 13 16:07:47 2016 us=2537   ping_send_timeout = 5
Mon Jun 13 16:07:47 2016 us=2542   ping_rec_timeout = 60
Mon Jun 13 16:07:47 2016 us=2547   ping_rec_timeout_action = 2
Mon Jun 13 16:07:47 2016 us=2554   ping_timer_remote = DISABLED
Mon Jun 13 16:07:47 2016 us=2559   remap_sigusr1 = 0
Mon Jun 13 16:07:47 2016 us=2564   persist_tun = ENABLED
Mon Jun 13 16:07:47 2016 us=2569   persist_local_ip = DISABLED
Mon Jun 13 16:07:47 2016 us=2574   persist_remote_ip = DISABLED
Mon Jun 13 16:07:47 2016 us=2579   persist_key = ENABLED
Mon Jun 13 16:07:47 2016 us=2585   passtos = DISABLED
Mon Jun 13 16:07:47 2016 us=2590   resolve_retry_seconds = 1000000000
Mon Jun 13 16:07:47 2016 us=2596   username = 'nobody'
Mon Jun 13 16:07:47 2016 us=2601   groupname = 'nobody'
Mon Jun 13 16:07:47 2016 us=2617   chroot_dir = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2622   cd_dir = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2627   writepid = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2645   up_script = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2650   down_script = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2655   down_pre = DISABLED
Mon Jun 13 16:07:47 2016 us=2660   up_restart = DISABLED
Mon Jun 13 16:07:47 2016 us=2668   up_delay = DISABLED
Mon Jun 13 16:07:47 2016 us=2675   daemon = DISABLED
Mon Jun 13 16:07:47 2016 us=2681   inetd = 0
Mon Jun 13 16:07:47 2016 us=2686   log = ENABLED
Mon Jun 13 16:07:47 2016 us=2692   suppress_timestamps = DISABLED
Mon Jun 13 16:07:47 2016 us=2696   nice = 0
Mon Jun 13 16:07:47 2016 us=2701   verbosity = 6
Mon Jun 13 16:07:47 2016 us=2706   mute = 0
Mon Jun 13 16:07:47 2016 us=2711   gremlin = 0
Mon Jun 13 16:07:47 2016 us=2716   status_file = '/tmp/openvpn-status.log'
Mon Jun 13 16:07:47 2016 us=2721   status_file_version = 1
Mon Jun 13 16:07:47 2016 us=2727   status_file_update_freq = 60
Mon Jun 13 16:07:47 2016 us=2732   occ = ENABLED
Mon Jun 13 16:07:47 2016 us=2738   rcvbuf = 0
Mon Jun 13 16:07:47 2016 us=2743   sndbuf = 0
Mon Jun 13 16:07:47 2016 us=2749   mark = 0
Mon Jun 13 16:07:47 2016 us=2754   sockflags = 0
Mon Jun 13 16:07:47 2016 us=2759   fast_io = DISABLED
Mon Jun 13 16:07:47 2016 us=2765   lzo = 7
Mon Jun 13 16:07:47 2016 us=2773   route_script = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2779   route_default_gateway = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2784   route_default_metric = 0
Mon Jun 13 16:07:47 2016 us=2791   route_noexec = DISABLED
Mon Jun 13 16:07:47 2016 us=2797   route_delay = 0
Mon Jun 13 16:07:47 2016 us=2803   route_delay_window = 30
Mon Jun 13 16:07:47 2016 us=2809   route_delay_defined = DISABLED
Mon Jun 13 16:07:47 2016 us=2815   route_nopull = DISABLED
Mon Jun 13 16:07:47 2016 us=2820   route_gateway_via_dhcp = DISABLED
Mon Jun 13 16:07:47 2016 us=2826   max_routes = 100
Mon Jun 13 16:07:47 2016 us=2831   allow_pull_fqdn = DISABLED
Mon Jun 13 16:07:47 2016 us=2838   route 10.188.0.0/255.255.0.0/nil/nil
Mon Jun 13 16:07:47 2016 us=2843   management_addr = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2850   management_port = 0
Mon Jun 13 16:07:47 2016 us=2856   management_user_pass = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2862   management_log_history_cache = 250
Mon Jun 13 16:07:47 2016 us=2877   management_echo_buffer_size = 100
Mon Jun 13 16:07:47 2016 us=2883   management_write_peer_info_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2889   management_client_user = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2895   management_client_group = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2901   management_flags = 0
Mon Jun 13 16:07:47 2016 us=2912   shared_secret_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=2918   key_direction = 1
Mon Jun 13 16:07:47 2016 us=2924   ciphername_defined = ENABLED
Mon Jun 13 16:07:47 2016 us=2940   ciphername = 'BF-CBC'
Mon Jun 13 16:07:47 2016 us=2946   authname_defined = ENABLED
Mon Jun 13 16:07:47 2016 us=2951   authname = 'SHA1'
Mon Jun 13 16:07:47 2016 us=2957   prng_hash = 'SHA1'
Mon Jun 13 16:07:47 2016 us=2963   prng_nonce_secret_len = 16
Mon Jun 13 16:07:47 2016 us=2968   keysize = 0
Mon Jun 13 16:07:47 2016 us=2974   engine = DISABLED
Mon Jun 13 16:07:47 2016 us=2979   replay = ENABLED
Mon Jun 13 16:07:47 2016 us=2989   mute_replay_warnings = DISABLED
Mon Jun 13 16:07:47 2016 us=2994   replay_window = 64
Mon Jun 13 16:07:47 2016 us=2999   replay_time = 15
Mon Jun 13 16:07:47 2016 us=3004   packet_id_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3010   use_iv = ENABLED
Mon Jun 13 16:07:47 2016 us=3015   test_crypto = DISABLED
Mon Jun 13 16:07:47 2016 us=3020   tls_server = ENABLED
Mon Jun 13 16:07:47 2016 us=3026   tls_client = DISABLED
Mon Jun 13 16:07:47 2016 us=3031   key_method = 2
Mon Jun 13 16:07:47 2016 us=3047   ca_file = 'ca.crt'
Mon Jun 13 16:07:47 2016 us=3053   ca_path = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3069   dh_file = 'dh2048.pem'
Mon Jun 13 16:07:47 2016 us=3074   cert_file = 'server.crt'
Mon Jun 13 16:07:47 2016 us=3080   extra_certs_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3096   priv_key_file = 'server.key'
Mon Jun 13 16:07:47 2016 us=3102   pkcs12_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3107   cipher_list = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3112   tls_verify = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3118   tls_export_cert = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3123   verify_x509_type = 0
Mon Jun 13 16:07:47 2016 us=3129   verify_x509_name = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3135   crl_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3140   ns_cert_type = 0
Mon Jun 13 16:07:47 2016 us=3146   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3152   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3157   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3163   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3169   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3174   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3179   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3184   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3189   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3194   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3199   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3204   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3209   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3214   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3220   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3234   remote_cert_ku[i] = 0
Mon Jun 13 16:07:47 2016 us=3241   remote_cert_eku = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3246   ssl_flags = 0
Mon Jun 13 16:07:47 2016 us=3252   tls_timeout = 2
Mon Jun 13 16:07:47 2016 us=3258   renegotiate_bytes = 0
Mon Jun 13 16:07:47 2016 us=3263   renegotiate_packets = 0
Mon Jun 13 16:07:47 2016 us=3268   renegotiate_seconds = 3600
Mon Jun 13 16:07:47 2016 us=3274   handshake_window = 60
Mon Jun 13 16:07:47 2016 us=3278   transition_window = 3600
Mon Jun 13 16:07:47 2016 us=3293   single_session = DISABLED
Mon Jun 13 16:07:47 2016 us=3298   push_peer_info = DISABLED
Mon Jun 13 16:07:47 2016 us=3303   tls_exit = DISABLED
Mon Jun 13 16:07:47 2016 us=3309   tls_auth_file = 'ta.key'
Mon Jun 13 16:07:47 2016 us=3315   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3321   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3327   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3332   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3338   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3344   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3350   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3356   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3361   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3367   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3372   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3377   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3382   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3389   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3395   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3403   pkcs11_protected_authentication = DISABLED
Mon Jun 13 16:07:47 2016 us=3410   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3415   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3421   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3426   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3432   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3437   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3443   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3448   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3454   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3459   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3465   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3481   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3486   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3503   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3509   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3514   pkcs11_private_mode = 00000000
Mon Jun 13 16:07:47 2016 us=3530   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3535   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3540   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3545   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3550   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3557   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3563   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3568   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3573   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3579   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3585   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3590   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3595   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3601   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3606   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3613   pkcs11_cert_private = DISABLED
Mon Jun 13 16:07:47 2016 us=3619   pkcs11_pin_cache_period = -1
Mon Jun 13 16:07:47 2016 us=3624   pkcs11_id = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3630   pkcs11_id_management = DISABLED
Mon Jun 13 16:07:47 2016 us=3637   server_network = 10.188.0.0
Mon Jun 13 16:07:47 2016 us=3643   server_netmask = 255.255.0.0
Mon Jun 13 16:07:47 2016 us=3654   server_network_ipv6 = ::
Mon Jun 13 16:07:47 2016 us=3660   server_netbits_ipv6 = 0
Mon Jun 13 16:07:47 2016 us=3666   server_bridge_ip = 0.0.0.0
Mon Jun 13 16:07:47 2016 us=3672   server_bridge_netmask = 0.0.0.0
Mon Jun 13 16:07:47 2016 us=3678   server_bridge_pool_start = 0.0.0.0
Mon Jun 13 16:07:47 2016 us=3685   server_bridge_pool_end = 0.0.0.0
Mon Jun 13 16:07:47 2016 us=3690   push_entry = 'route 0.0.0.0 0.0.0.0'
Mon Jun 13 16:07:47 2016 us=3708   push_entry = 'redirect-gateway def1 bypass-dhcp'
Mon Jun 13 16:07:47 2016 us=3724   push_entry = 'dhcp-option DNS 8.8.8.8'
Mon Jun 13 16:07:47 2016 us=3729   push_entry = 'dhcp-option DNS 8.8.4.4'
Mon Jun 13 16:07:47 2016 us=3734   push_entry = 'route 10.188.0.0 255.255.0.0'
Mon Jun 13 16:07:47 2016 us=3740   push_entry = 'topology net30'
Mon Jun 13 16:07:47 2016 us=3747   push_entry = 'ping 5'
Mon Jun 13 16:07:47 2016 us=3751   push_entry = 'ping-restart 30'
Mon Jun 13 16:07:47 2016 us=3754   ifconfig_pool_defined = ENABLED
Mon Jun 13 16:07:47 2016 us=3758   ifconfig_pool_start = 10.188.0.4
Mon Jun 13 16:07:47 2016 us=3762   ifconfig_pool_end = 10.188.255.251
Mon Jun 13 16:07:47 2016 us=3766   ifconfig_pool_netmask = 0.0.0.0
Mon Jun 13 16:07:47 2016 us=3769   ifconfig_pool_persist_filename = 'ipp.txt'
Mon Jun 13 16:07:47 2016 us=3773   ifconfig_pool_persist_refresh_freq = 600
Mon Jun 13 16:07:47 2016 us=3776   ifconfig_ipv6_pool_defined = DISABLED
Mon Jun 13 16:07:47 2016 us=3780   ifconfig_ipv6_pool_base = ::
Mon Jun 13 16:07:47 2016 us=3783   ifconfig_ipv6_pool_netbits = 0
Mon Jun 13 16:07:47 2016 us=3790   n_bcast_buf = 256
Mon Jun 13 16:07:47 2016 us=3793   tcp_queue_limit = 64
Mon Jun 13 16:07:47 2016 us=3796   real_hash_size = 256
Mon Jun 13 16:07:47 2016 us=3800   virtual_hash_size = 256
Mon Jun 13 16:07:47 2016 us=3803   client_connect_script = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3807   learn_address_script = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3810   client_disconnect_script = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3814   client_config_dir = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3817   ccd_exclusive = DISABLED
Mon Jun 13 16:07:47 2016 us=3820   tmp_dir = '/tmp'
Mon Jun 13 16:07:47 2016 us=3824   push_ifconfig_defined = DISABLED
Mon Jun 13 16:07:47 2016 us=3828   push_ifconfig_local = 0.0.0.0
Mon Jun 13 16:07:47 2016 us=3831   push_ifconfig_remote_netmask = 0.0.0.0
Mon Jun 13 16:07:47 2016 us=3835   push_ifconfig_ipv6_defined = DISABLED
Mon Jun 13 16:07:47 2016 us=3841   push_ifconfig_ipv6_local = ::/0
Mon Jun 13 16:07:47 2016 us=3845   push_ifconfig_ipv6_remote = ::
Mon Jun 13 16:07:47 2016 us=3849   enable_c2c = ENABLED
Mon Jun 13 16:07:47 2016 us=3853   duplicate_cn = ENABLED
Mon Jun 13 16:07:47 2016 us=3858   cf_max = 0
Mon Jun 13 16:07:47 2016 us=3862   cf_per = 0
Mon Jun 13 16:07:47 2016 us=3865   max_clients = 100
Mon Jun 13 16:07:47 2016 us=3869   max_routes_per_client = 256
Mon Jun 13 16:07:47 2016 us=3882   auth_user_pass_verify_script = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3886   auth_user_pass_verify_script_via_file = DISABLED
Mon Jun 13 16:07:47 2016 us=3889   port_share_host = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3893   port_share_port = 0
Mon Jun 13 16:07:47 2016 us=3896   client = DISABLED
Mon Jun 13 16:07:47 2016 us=3900   pull = DISABLED
Mon Jun 13 16:07:47 2016 us=3906   auth_user_pass_file = '[UNDEF]'
Mon Jun 13 16:07:47 2016 us=3911 OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016
Mon Jun 13 16:07:47 2016 us=3919 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Mon Jun 13 16:07:47 2016 us=4002 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Mon Jun 13 16:07:47 2016 us=59407 Diffie-Hellman initialized with 2048 bit key
Mon Jun 13 16:07:47 2016 us=59920 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Jun 13 16:07:47 2016 us=59938 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 13 16:07:47 2016 us=59946 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 13 16:07:47 2016 us=59958 TLS-Auth MTU parms [ L:1544 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Mon Jun 13 16:07:47 2016 us=59975 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Jun 13 16:07:47 2016 us=60070 ROUTE_GATEWAY ON_LINK IFACE=venet0 HWADDR=00:00:00:00:00:00
Mon Jun 13 16:07:47 2016 us=60296 TUN/TAP device tun0 opened
Mon Jun 13 16:07:47 2016 us=60311 TUN/TAP TX queue length set to 100
Mon Jun 13 16:07:47 2016 us=60323 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jun 13 16:07:47 2016 us=60341 /usr/sbin/ip link set dev tun0 up mtu 1500
Mon Jun 13 16:07:47 2016 us=72043 /usr/sbin/ip addr add dev tun0 local 10.188.0.1 peer 10.188.0.2
Mon Jun 13 16:07:47 2016 us=89355 /usr/sbin/ip route add 10.188.0.0/16 via 10.188.0.2
Mon Jun 13 16:07:47 2016 us=90077 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:143 ET:0 EL:3 AF:3/1 ]
Mon Jun 13 16:07:47 2016 us=90257 GID set to nobody
Mon Jun 13 16:07:47 2016 us=90268 UID set to nobody
Mon Jun 13 16:07:47 2016 us=90275 Listening for incoming TCP connection on [undef]
Mon Jun 13 16:07:47 2016 us=90283 TCPv4_SERVER link local (bound): [undef]
Mon Jun 13 16:07:47 2016 us=90287 TCPv4_SERVER link remote: [undef]
Mon Jun 13 16:07:47 2016 us=90295 MULTI: multi_init called, r=256 v=256
Mon Jun 13 16:07:47 2016 us=90441 IFCONFIG POOL: base=10.188.0.4 size=16382, ipv6=0
Mon Jun 13 16:07:47 2016 us=90453 IFCONFIG POOL LIST
Mon Jun 13 16:07:47 2016 us=90480 MULTI: TCP INIT maxclients=100 maxevents=104
Mon Jun 13 16:07:47 2016 us=90495 Initialization Sequence Completed
Mon Jun 13 16:08:07 2016 us=790588 TCP/UDP: Closing socket
Mon Jun 13 16:08:07 2016 us=790658 /usr/sbin/ip route del 10.188.0.0/16
RTNETLINK answers: Operation not permitted
Mon Jun 13 16:08:07 2016 us=791611 ERROR: Linux route delete command failed: external program exited with error status: 2
Mon Jun 13 16:08:07 2016 us=791637 Closing TUN/TAP interface
Mon Jun 13 16:08:07 2016 us=791657 /usr/sbin/ip addr del dev tun0 local 10.188.0.1 peer 10.188.0.2
RTNETLINK answers: Operation not permitted
Mon Jun 13 16:08:07 2016 us=792360 Linux ip addr del failed: external program exited with error status: 2
Mon Jun 13 16:08:07 2016 us=830989 SIGINT[hard,] received, process exiting
[root@ss-usa-odo01 /etc/openvpn]#

 

[root@ss-usa-odo01 /etc/openvpn]# iptables -nvxL --lin
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1      127988 174103095 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0         
3           0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0         
4         228    14272 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5         651    33525 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1           0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain OUTPUT (policy ACCEPT 77183 packets, 5938860 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
[root@ss-usa-odo01 /etc/openvpn]# iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 22033 -j ACCEPT
[root@ss-usa-odo01 /etc/openvpn]# iptables -nvxL --lin
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1      127988 174103095 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0         
3           0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0         
4           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22033
5         228    14272 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6         651    33525 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1           0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain OUTPUT (policy ACCEPT 77183 packets, 5938860 bytes)
num      pkts      bytes target     prot opt in     out     source               destination     
[root@ss-usa-odo01 /etc/openvpn]# iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@ss-usa-odo01 /etc/openvpn]# iptables -I FORWARD 2 -s 10.0.0.0/8 -j ACCEPT
[root@ss-usa-odo01 /etc/openvpn]# iptables -nvxL --lin
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1      128015 174104967 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2           0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0         
3           0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0         
4           0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22033
5         228    14272 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
6         651    33525 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1           0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2           0        0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0         
3           0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
 
Chain OUTPUT (policy ACCEPT 3 packets, 436 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
[root@ss-usa-odo01 /etc/openvpn]# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 104.223.122.202
[root@ss-usa-odo01 /etc/openvpn]# iptables -t nat -nvxL --lin
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
 
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
1           0        0 SNAT       all  --  *      *       10.0.0.0/8           0.0.0.0/0            to:104.223.122.202
 
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination        
[root@ss-usa-odo01 /etc/openvpn]# iptables-save >/etc/sysconfig/iptables
[root@ss-usa-odo01 /etc/openvpn]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Jun 13 16:14:40 2016
*raw
:PREROUTING ACCEPT [366072:522504090]
:OUTPUT ACCEPT [204986:14628967]
COMMIT
# Completed on Mon Jun 13 16:14:40 2016
# Generated by iptables-save v1.4.21 on Mon Jun 13 16:14:40 2016
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 104.223.122.202
COMMIT
# Completed on Mon Jun 13 16:14:40 2016
# Generated by iptables-save v1.4.21 on Mon Jun 13 16:14:40 2016
*mangle
:PREROUTING ACCEPT [366072:522504090]
:INPUT ACCEPT [366072:522504090]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [204986:14628967]
:POSTROUTING ACCEPT [204986:14628967]
COMMIT
# Completed on Mon Jun 13 16:14:40 2016
# Generated by iptables-save v1.4.21 on Mon Jun 13 16:14:40 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [98:11832]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22033 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 13 16:14:40 2016
[root@ss-usa-odo01 /etc/openvpn]#

iptables -nvxL --lin
iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 22033 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -s 10.0.0.0/8 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 104.223.122.202
iptables-save >/etc/sysconfig/iptables
 
###由于OpenVPN本事不支持多端口，因此我们可以借助iptables来实现多端口使用
iptables -t nat -A PREROUTING -p tcp -d 104.223.122.202 -m multiport --dports 22034:22044 -j REDIRECT --to-port 22033
这样就把所有发往104.223.122.202这个Ip的22034-22044端口的数据包都转发到了22033上了
104.223.122.202是你的OpenVPN的监听IP

客户端配置文件参考

client
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote 104.223.122.202 22033
ca 104.223.122.202-ca.crt
cert 104.223.122.202-lookback.crt
key 104.223.122.202-lookback.key
tls-auth 104.223.122.202-ta.key 1