Installing OpenVPN on CentOS 7 with yum

2020-11-07 18:05:51

Installing OpenVPN with yum avoids compiling it, but after the install you still need easy-rsa to build the certificates. If you use the easy-rsa package straight from the repository you run into a few problems when initialising the PKI; I will not go into them here. First install OpenVPN and the tools it depends on.

[root@wulaoer ~]# yum install -y epel-release
[root@wulaoer ~]# yum install -y openvpn easy-rsa openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

After installation OpenVPN creates two directories under /etc/openvpn: client and server.

[root@wulaoer ~]# cp -a /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/server/

Copy the sample server.conf into the server directory so that the configuration is kept in one place. The version in the path (openvpn-2.4.9 here) follows the installed package, so look under /usr/share/doc/ if the copy fails.

Building the OpenVPN certificates with easy-rsa

[root@wulaoer ~]# wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.7.zip
[root@wulaoer ~]# unzip v3.0.7.zip 
[root@wulaoer ~]# cp -a easy-rsa-3.0.7/easyrsa3 /etc/openvpn/easy-rsa    #put easyrsa3 at /etc/openvpn/easy-rsa, the path used in the rest of this post
[root@wulaoer ~]# cd /etc/openvpn/easy-rsa/
[root@wulaoer easy-rsa]# cp vars.example vars

[root@wulaoer easy-rsa]# vim vars
..........................................
set_var EASYRSA_REQ_COUNTRY     "CN"              #country
set_var EASYRSA_REQ_PROVINCE    "HK"              #province
set_var EASYRSA_REQ_CITY        "Hong Kong"       #city
set_var EASYRSA_REQ_ORG         "Hong Hong vpn"   #organisation
set_var EASYRSA_REQ_EMAIL       "me@example.net"  #e-mail address
set_var EASYRSA_REQ_OU          "wulaoer"         #organisational unit
...........................................

[root@wulaoer easy-rsa]# ./easyrsa init-pki      #creates an empty pki/ directory; running it again wipes an existing one

[root@wulaoer easy-rsa]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars            #the values set in vars are used
Generating a 2048 bit RSA private key
.................+++
........................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.Lg8IKADc4Q'
Enter PEM pass phrase:                  #set the passphrase for the CA key; pick a strong one, it is asked for every time you sign a certificate
Verifying - Enter PEM pass phrase:      #type the same passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:          #press Enter to keep the default CA name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt        #the CA certificate; this is the file handed to clients, the key in pki/private/ca.key never leaves the CA host

Creating the server certificate

[root@wulaoer easy-rsa]# ./easyrsa gen-req server nopass   #nopass leaves the server key unencrypted so openvpn can start unattended; drop it if you want a passphrase on the key
Note: using Easy-RSA configuration from: ./vars       #the values set in vars are used
Generating a 2048 bit RSA private key
.....................................+++
................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.yuG9HRsSlU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:    #press Enter, the name defaults to server

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key              #the server's private key; keep it readable by root only

Signing the server certificate

[root@wulaoer easy-rsa]# ./easyrsa sign server server            #the first argument is the certificate type (server), the second is the request name from gen-req above; we kept the default server, change it if you named the request differently

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:            #enter the CA passphrase set during build-ca
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'server'
Certificate is to be certified until May 22 03:23:38 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt          #the signed server certificate

DH parameters and the tls-auth key

[root@wulaoer easy-rsa]# ./easyrsa gen-dh     #generate the Diffie-Hellman parameters; this takes a while
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............+............+.............++*++*          #progress output trimmed

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem      #the DH parameters (not a certificate)
[root@wulaoer easy-rsa]# cd /etc/openvpn/server
[root@wulaoer server]# openvpn --genkey --secret ta.key     #shared tls-auth key: the server uses direction 0, every client direction 1, and control-channel packets without a valid HMAC are dropped before the TLS handshake

Creating the client certificate

The client generates its own key pair in a separate PKI and only hands the request to the CA, so the private key never has to leave the client. Here that is simulated in a second directory on the same machine, using the easy-rsa that yum installed.

[root@wulaoer ~]# mkdir -p /etc/openvpn/client
[root@wulaoer ~]# cd /etc/openvpn/client
[root@wulaoer client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/client
[root@wulaoer client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
[root@wulaoer client]# ./easyrsa init-pki
[root@wulaoer client]# ./easyrsa gen-req client nopass   #client is the certificate name, pick your own; nopass again leaves the key without a passphrase
Generating a 2048 bit RSA private key
.....................................................+++
.................................+++
writing new private key to '/etc/openvpn/client/pki/private/client.key.0rbEXauafe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/client.req
key: /etc/openvpn/client/pki/private/client.key               #the client's private key

Signing the client certificate

#switch to the server-side easy-rsa directory:
cd /etc/openvpn/easy-rsa
#import the request under the name client
./easyrsa import-req /etc/openvpn/client/pki/reqs/client.req client
./easyrsa sign client client        #sign it; the first client is the certificate type, the second is the name given at import
Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                                    #type 'yes'
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:   #enter the CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client'
Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt     #the signed client certificate

Editing the configuration file

Put the server certificate and keys in the same directory as server.conf so that the configuration is easier to manage

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server
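Before pointing server.conf at these files it is worth checking that they actually belong together. The script below is an added example and not part of the original post; it uses only openssl(1) and takes the file paths as arguments, so the same checks work on the client files. It confirms that a certificate was issued by ca.crt, that the private key matches it, that it carries the extended key usage the other side will demand (TLS Web Server Authentication on the server certificate, which the client's remote-cert-tls server relies on; TLS Web Client Authentication on the client certificate), and that it is not about to expire. The function names and the 30-day expiry threshold are this example's own choices.

```bash
#!/usr/bin/env bash
# PKI sanity checks for an Easy-RSA / OpenVPN setup.
# Added example, not part of the original post. Needs only openssl(1).
set -u

# Was this certificate issued by the CA in ca.crt?
verify_chain() {   # ca.crt cert.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Both commands print the
# SubjectPublicKeyInfo as PEM, so a matching pair yields identical output.
# An encrypted key would prompt here; add -passin yourself if you need it.
cert_matches_key() {   # cert.crt key.pem
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$c" ] || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) && [ -n "$k" ] || return 1
    [ "$c" = "$k" ]
}

# Does the certificate carry the given extended key usage text,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication"?
cert_has_eku() {   # cert.crt "usage text"
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# Is the certificate still valid for at least N more days?
cert_valid_for_days() {   # cert.crt days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all four checks on one CA/cert/key triple. Prints one line per
# check and returns non-zero if any of them failed.
check_pair() {   # ca.crt cert.crt key.pem "expected EKU text"
    local ca=$1 cert=$2 key=$3 eku=$4 rc=0
    verify_chain "$ca" "$cert" && echo "ok   chain:  $cert issued by $ca" \
        || { echo "FAIL chain:  $cert not issued by $ca"; rc=1; }
    cert_matches_key "$cert" "$key" && echo "ok   key:    $key matches $cert" \
        || { echo "FAIL key:    $key does not match $cert"; rc=1; }
    cert_has_eku "$cert" "$eku" && echo "ok   eku:    $eku" \
        || { echo "FAIL eku:    $cert lacks '$eku'"; rc=1; }
    cert_valid_for_days "$cert" 30 && echo "ok   expiry: more than 30 days left" \
        || { echo "FAIL expiry: $cert expires within 30 days"; rc=1; }
    return $rc
}

# Usage on the files copied to /etc/openvpn/server, and on the client PKI:
#   check_pair /etc/openvpn/server/ca.crt /etc/openvpn/server/server.crt \
#              /etc/openvpn/server/server.key "TLS Web Server Authentication"
#   check_pair /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/client.crt \
#              /etc/openvpn/client/pki/private/client.key "TLS Web Client Authentication"
if [ $# -eq 4 ]; then
    check_pair "$@"
fi
```

The key-usage check is the one people skip: easy-rsa's sign server is what puts the server EKU on the certificate, and without it a client configured with remote-cert-tls server refuses the connection even though the chain verifies.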

Edit the OpenVPN server configuration file server.conf (the copy made earlier lives in /etc/openvpn/server/, which is where the openvpn-server@ systemd unit looks for it)

cat /etc/openvpn/server/server.conf
local 0.0.0.0
port 1194           #listening port
proto tcp           #protocol (tcp here); the client must use the same
dev tun             #routed tunnel mode
ca /etc/openvpn/server/ca.crt            #CA certificate; a bare file name would instead be resolved relative to the working directory, /etc/openvpn/server under systemd
cert /etc/openvpn/server/server.crt      #server certificate
key /etc/openvpn/server/server.key       #server private key
dh /etc/openvpn/server/dh.pem            #DH parameters
server 10.8.0.0 255.255.255.0        #address pool handed out to clients
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"     #clients route all their traffic through the VPN server
push "dhcp-option DNS 8.8.8.8"               #DNS servers pushed to clients
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120              #ping every 10 s, consider the peer gone after 120 s without a reply
tls-auth ta.key 0             #0 on the server, 1 on the clients
cipher AES-256-CBC            #must match the client; AES-256-GCM is the better choice on 2.4, it is an AEAD cipher and needs no separate auth HMAC
comp-lzo            #compression; every client must then have it too, and compressing tunnelled traffic is discouraged since the VORACLE attack
persist-key
persist-tun
status openvpn-status.log
verb 3

The sample file also carries ;user nobody and ;group nobody; uncomment both so that the daemon drops root privileges once the tunnel is up (persist-key and persist-tun above are what make that restart-safe).

Files the client needs (download them to the client, into the same directory as the client configuration)

/etc/openvpn/easy-rsa/pki/issued/client.crt #signed on the server side, in the easy-rsa issued directory
/etc/openvpn/client/pki/private/client.key #from the client PKI directory created above
/etc/openvpn/easy-rsa/pki/ca.crt #the CA certificate
/etc/openvpn/server/ta.key #the shared tls-auth key

Starting the service

systemctl start openvpn-server@server     #the unit is openvpn-server@<name>, where <name>.conf is the file in /etc/openvpn/server/
systemctl enable openvpn-server@server

Firewall configuration

[root@wulaoer]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf     #enable IP forwarding so the server routes client traffic; if /etc/sysctl.conf has no such line, append net.ipv4.ip_forward = 1 instead
[root@wulaoer]# sysctl -p

The rules below assume the iptables-services package is in use (load them with systemctl restart iptables after editing the file); on a CentOS 7 box still running firewalld, add the equivalent masquerade and forward rules there instead. If the INPUT policy is not ACCEPT, 1194/tcp must also be opened.

[root@wulaoer]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Dec 26 16:39:36 2017
*filter
:INPUT ACCEPT [1707:292253]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1615:1130954]
-A FORWARD -i tun+ -j ACCEPT 
COMMIT
# Completed on Tue Dec 26 16:39:36 2017
# Generated by iptables-save v1.4.7 on Tue Dec 26 16:39:36 2017
*nat
:PREROUTING ACCEPT [28:3113]
:POSTROUTING ACCEPT [16:960]
:OUTPUT ACCEPT [22:1365]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT

[root@wulaoer]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Client test

Install the client on Linux

yum install -y openvpn  #Linux client install

cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf /etc/openvpn/client.ovpn     #the version in the path follows the installed package
cat /etc/openvpn/client.ovpn
client
dev tun
proto tcp             #same as the server
remote 123.xxx.xxx.xxx 1194   #server IP and port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server    #only accept a server certificate carrying the server extended key usage that sign server added; stops another client certificate from posing as the server
ca ca.crt          #CA certificate
cert client.crt      #client certificate
key client.key      #client private key
tls-auth ta.key 1    #tls-auth key, direction 1 on the client
cipher AES-256-CBC    #same as the server
comp-lzo         #compression, same as the server
verb 3         #log level

Download ca.crt, client.crt, client.key and ta.key to the client. Note that ca.crt, client.crt and ta.key come from the server side; only client.key comes from the client PKI directory. Once configured, start the client:

openvpn --daemon --cd /etc/openvpn --config client.ovpn --log-append /var/log/openvpn.log   #run in the background; --cd makes the relative file names in client.ovpn resolve under /etc/openvpn

It runs in the background, but watch the log: every setting in the client configuration has to correspond to the server configuration (proto, cipher, comp-lzo, tls-auth direction), otherwise the handshake fails after start-up.
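The "must correspond" requirement above can be checked mechanically, and the four files can be inlined into a single .ovpn using OpenVPN's <ca>, <cert>, <key> and <tls-auth> blocks together with key-direction, so that only one file has to be copied to the client. The script below is an added example, not from the original post: make_inline_ovpn reads proto, port, cipher, auth, comp-lzo and the tls-auth direction straight from server.conf so they cannot drift, and conf_mismatches lists the directives that differ between a server.conf and a client profile. The function names are this example's own, and the sample configurations and PEM stand-ins in the test are constructed.

```bash
#!/usr/bin/env bash
# Build an inline client profile from server.conf and check that the
# settings that must agree on both ends really do.
# Added example, not part of the original post.
set -u

# Value of a one-argument directive ("proto tcp" -> "tcp"); empty if absent.
conf_get() {   # file directive
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# 0 if a bare directive such as comp-lzo is present.
conf_has() {   # file directive
    awk -v k="$2" '$1 == k { f = 1 } END { exit !f }' "$1"
}

# tls-auth key direction: third field of "tls-auth FILE N", or the
# key-direction line used together with an inline <tls-auth> block.
tls_direction() {   # file
    local d
    d=$(awk '$1 == "tls-auth" { print $3; exit }' "$1")
    [ -n "$d" ] || d=$(conf_get "$1" key-direction)
    printf '%s\n' "$d"
}

# Port the client connects to: "remote HOST PORT", default 1194.
client_port() {   # client.ovpn
    local p
    p=$(awk '$1 == "remote" { print $3; exit }' "$1")
    printf '%s\n' "${p:-1194}"
}

# Write a single-file client profile to stdout, copying every setting that
# must match from server.conf and inlining the four PKI files.
make_inline_ovpn() {   # server.conf HOST ca.crt client.crt client.key ta.key
    local s=$1 host=$2 ca=$3 cert=$4 key=$5 ta=$6 k v sdir
    printf 'client\ndev tun\nproto %s\nremote %s %s\n' \
        "$(conf_get "$s" proto)" "$host" "$(conf_get "$s" port)"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
    for k in cipher auth; do           # copied verbatim so both ends agree
        v=$(conf_get "$s" "$k")
        if [ -n "$v" ]; then printf '%s %s\n' "$k" "$v"; fi
    done
    if conf_has "$s" comp-lzo; then printf 'comp-lzo\n'; fi
    sdir=$(tls_direction "$s")         # server 0 -> client 1 and vice versa
    case "$sdir" in 0) printf 'key-direction 1\n' ;; 1) printf 'key-direction 0\n' ;; esac
    printf '<ca>\n%s\n</ca>\n' "$(cat "$ca")"
    printf '<cert>\n%s\n</cert>\n' "$(cat "$cert")"
    printf '<key>\n%s\n</key>\n' "$(cat "$key")"
    printf '<tls-auth>\n%s\n</tls-auth>\n' "$(cat "$ta")"
}

# Print every directive that differs between server.conf and a client
# profile; exit status 0 when they are consistent.
conf_mismatches() {   # server.conf client.ovpn
    local s=$1 c=$2 bad=0 k sv cv
    for k in proto cipher auth; do
        sv=$(conf_get "$s" "$k"); cv=$(conf_get "$c" "$k")
        sv=${sv%-server}; cv=${cv%-client}   # "proto tcp-server" pairs with "tcp-client"
        if [ "$sv" != "$cv" ]; then echo "$k: server='$sv' client='$cv'"; bad=1; fi
    done
    sv=$(conf_get "$s" port); cv=$(client_port "$c")
    if [ "${sv:-1194}" != "$cv" ]; then echo "port: server='${sv:-1194}' client='$cv'"; bad=1; fi
    if conf_has "$s" comp-lzo; then sv=yes; else sv=no; fi
    if conf_has "$c" comp-lzo; then cv=yes; else cv=no; fi
    if [ "$sv" != "$cv" ]; then echo "comp-lzo: server=$sv client=$cv"; bad=1; fi
    sv=$(tls_direction "$s"); cv=$(tls_direction "$c")
    case "$sv:$cv" in
        0:1|1:0|:) ;;                      # opposite directions, or no tls-auth on either side
        *) echo "tls-auth direction: server='$sv' client='$cv'"; bad=1 ;;
    esac
    return $bad
}
```

Typical use is make_inline_ovpn /etc/openvpn/server/server.conf <server-ip> ca.crt client.crt client.key ta.key > client.ovpn, followed by conf_mismatches /etc/openvpn/server/server.conf client.ovpn before shipping the profile; a non-empty report is exactly the "verification failed" case the log would otherwise show you after start-up.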
