需求

实现公司通过SMB访问租房NAS,并且拨通OpenVPN之后，只有OpenVPN客户端之间的流量经过OpenVPN，其他流量按原来的方式。

工具

OpenVPN Server(Ubuntu)
OpenVPN Client(Windows、CentOS)

步骤

在Ubuntu机器上安装OpenVPN, curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh && bash openvpn-install.sh
修改OpenVPN Server的配置文件, vim /etc/openvpn/server.conf

;服务端配置
port 1194
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
client-to-client # 允许客户端之间的连接
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
dh none
persist-key
persist-tun
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_JFIAtsavKPr9oaij.crt
key server_JFIAtsavKPr9oaij.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log /var/log/openvpn.log
duplicate-cn  # 允许多个客户端使用同一个配置文件
verb 3

OpenVPN生成的客户端配置在设置的用户名home目录下，有个.ovpn, 修改这个配置文件如下：

client
proto tcp
remote <公网IP> <端口>
dev tun
resolv-retry infinite
nobind
dhcp-option DNS 192.168.5.1 # 配置为你的默认的DNS服务器地址
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_JFIAtsavKPr9oaij name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
;setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...... # 省略
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...... # 省略
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...... # 省略
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...... # 省略
-----END OpenVPN Static key V1-----
</tls-crypt>

Windows安装openvpn客户端, scoop install openvpn
CentOS安装openvpn客户端, yum -y install openvpn，CentOS openvpn client启动命令为：openvpn –config /data/openvpn/com-lan.ovpn –daemon