
Setting up an OpenVPN environment

  • **Operating system:** CentOS 7
  • openvpn: 2.4.9
  • easy-rsa: 3.0.7

Install openvpn and easy-rsa

rpm -ql epel-release > /dev/null || yum install epel-release -y
yum -y install openvpn easy-rsa

Create the required directories and files

mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
cp -p /usr/share/doc/easy-rsa-*/vars.example /etc/openvpn/easy-rsa/vars

Initialize easyrsa

cd /etc/openvpn/easy-rsa
[root@test-server-7 easy-rsa]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Create the CA certificate; nopass means the CA key is not protected by a passphrase

[root@test-server-7 easy-rsa]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
...............................................................
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Create the server certificate

### Create the server certificate request
[root@test-server-7 easy-rsa]# ./easyrsa gen-req server1 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................................................................
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server1.req
key: /etc/openvpn/easy-rsa/pki/private/server1.key
### Sign the server certificate
[root@test-server-7 easy-rsa]# ./easyrsa sign-req server server1
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
............................................................................
subject=
    commonName                = ./easyrsa sign-req server server1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
.........................................................
commonName            :ASN.1 12:'./easyrsa sign-req server server1'
Certificate is to be certified until Nov 15 14:23:13 2022 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server1.crt

Create the client certificate

### Create the client certificate request
[root@test-server-7 easy-rsa]# ./easyrsa gen-req client1 nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............................+++
...+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-6371.F4NZBu/tmp.B3atfl'
-----
.......................................................................
-----
Common Name (eg: your user, host, or server name) [client1]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client1.req
key: /etc/openvpn/easy-rsa/pki/private/client1.key
### Sign the client certificate
[root@test-server-7 easy-rsa]# ./easyrsa sign-req client client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
.................................................................
Request subject, to be signed as a client certificate for 825 days:
subject=
    commonName                = ./easyrsa sign-req client client1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-6502.KMukZv/tmp.O7sYnd
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'./easyrsa sign-req client client1'
Certificate is to be certified until Nov 15 14:23:20 2022 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client1.crt

Generate the Diffie-Hellman parameters; this takes a while

[root@test-server-7 easy-rsa]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Generate the TLS-auth key. OpenVPN's tls-auth feature can be used to defend against DoS and UDP port flooding attacks.

openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key

Generate the certificate revocation list (CRL). To revoke a certificate, run ./easyrsa revoke name.

[root@test-server-7 easy-rsa]# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-6600.tTNETy/tmp.GNdlFt

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
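Before the issued files are copied into the OpenVPN directories it is worth checking that they will pass the checks the client configuration later depends on: `remote-cert-tls server` only accepts a server certificate carrying the serverAuth extended key usage (which `sign-req server` adds and `sign-req client` does not), and `crl-verify` rejects anything listed in crl.pem, which also means that after `./easyrsa revoke` the `gen-crl` step has to be repeated and the new crl.pem copied to the server. The transcript above also shows what happens when the sign-req command line is pasted into the Common Name prompt: the CN of the issued certificate becomes the command text instead of `server1`; the VPN still works because the client does not verify the CN, but it makes the status log and revocation records harder to read. The script below is an added example and is not part of the original post or of Easy-RSA. It assumes the Easy-RSA 3 `pki/` layout used above and an `openssl` command; `make_demo_pki` builds a throwaway CA with server1 (serverAuth) and client1 (clientAuth, then revoked) so the check can be tried without touching the real PKI.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check certificates issued by
# Easy-RSA 3 before copying them to the OpenVPN directories. Assumes the pki/
# layout used above (pki/ca.crt, pki/issued/NAME.crt, pki/crl.pem) and openssl.
set -eu

# check_cert PKI_DIR NAME ROLE(server|client): prints one line per check,
# returns 0 only if the chain, revocation status and key usage all pass.
check_cert() {
  pki=$1; name=$2; role=$3
  crt="$pki/issued/$name.crt"; ca="$pki/ca.crt"; crl="$pki/crl.pem"
  rc=0
  # 1. Chain and revocation: the same test openvpn does with "ca" + "crl-verify".
  #    Grep for ": OK" because old openssl (1.0.x) exits 0 even on failure.
  if openssl verify -CAfile "$ca" -CRLfile "$crl" -crl_check "$crt" 2>&1 | grep -q ': OK$'; then
    echo "ok   $name: chains to CA and is not revoked"
  else
    echo "FAIL $name: chain invalid or certificate revoked"; rc=1
  fi
  # 2. Extended key usage: "remote-cert-tls server" on the client only accepts
  #    a server certificate marked for TLS server use.
  if openssl x509 -in "$crt" -noout -purpose | grep -q "^SSL $role : Yes"; then
    echo "ok   $name: usable as TLS $role"
  else
    echo "FAIL $name: not marked for TLS $role (wrong sign-req type?)"; rc=1
  fi
  # 3. Common Name: should be the name given to gen-req, not a pasted command.
  #    Only a warning: the client config above does not verify the CN.
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=.*CN=//')
  if [ "$cn" = "$name" ]; then
    echo "ok   $name: CN is '$cn'"
  else
    echo "WARN $name: CN is '$cn', expected '$name'"
  fi
  return $rc
}

# make_demo_pki DIR: build a throwaway CA, server1 (serverAuth), client1
# (clientAuth, then revoked) and a CRL, so check_cert can be tried offline.
# This is constructed demo material, not the post's real PKI.
make_demo_pki() {
  d=$1
  mkdir -p "$d/issued" "$d/private" "$d/db"
  : > "$d/db/index.txt"; echo 01 > "$d/db/serial"; echo 01 > "$d/db/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = $d/db/index.txt
serial = $d/db/serial
crlnumber = $d/db/crlnumber
new_certs_dir = $d/db
certificate = $d/ca.crt
private_key = $d/private/ca.key
default_md = sha256
default_days = 825
default_crl_days = 180
policy = any_cn
[any_cn]
commonName = supplied
[srv]
extendedKeyUsage = serverAuth
[cli]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$d/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$d/private/ca.key" -out "$d/ca.crt" -subj "/CN=Demo CA" -days 825 >/dev/null 2>&1
  for entry in server1:srv client1:cli; do
    n=${entry%%:*}; ext=${entry##*:}
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
      -keyout "$d/private/$n.key" -out "$d/$n.csr" -subj "/CN=$n" >/dev/null 2>&1
    openssl ca -batch -config "$d/ca.cnf" -extensions "$ext" \
      -in "$d/$n.csr" -out "$d/issued/$n.crt" >/dev/null 2>&1
  done
  openssl ca -config "$d/ca.cnf" -revoke "$d/issued/client1.crt" >/dev/null 2>&1
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" >/dev/null 2>&1
}

case "${1:-}" in
  --demo)
    tmp=$(mktemp -d)
    make_demo_pki "$tmp"
    check_cert "$tmp" server1 server || :
    check_cert "$tmp" client1 client || :   # expected to fail: client1 is revoked
    rm -rf "$tmp" ;;
  "") echo "usage: $0 --demo | PKI_DIR NAME server|client" ;;
  *)  check_cert "$1" "${2:?name}" "${3:?server|client}" ;;
esac
```

Run it as `sh check-pki.sh /etc/openvpn/easy-rsa/pki server1 server` (and again for `client1 client`) after the CRL step, or with `--demo` to see both a passing and a revoked certificate.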

Copy the certificate files and the configuration files

cp -p pki/ca.crt /etc/openvpn/server/
cp -p pki/issued/server1.crt /etc/openvpn/server/
cp -p pki/private/server1.key /etc/openvpn/server/
cp -p ta.key /etc/openvpn/server/

cp -p pki/ca.crt /etc/openvpn/client/
cp -p pki/issued/client1.crt /etc/openvpn/client/
cp -p pki/private/client1.key /etc/openvpn/client/
cp -p ta.key /etc/openvpn/client/

cp pki/dh.pem /etc/openvpn/server/
cp pki/crl.pem /etc/openvpn/server/

Check the network configuration

[root@test-server-7 easy-rsa]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:d2:3b:fd brd ff:ff:ff:ff:ff:ff
    inet 10.0.200.150/24 brd 10.0.200.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::26f5:1b3e:5a9:597b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

Enable IP forwarding

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

Open the firewall

firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --add-interface=tun0

firewall-cmd --permanent --add-masquerade

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens32 -j MASQUERADE
firewall-cmd --reload

Create the server startup configuration file

touch /etc/openvpn/server/server.conf
cat >> /etc/openvpn/server/server.conf << EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
crl-verify crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 61.139.2.26"
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
explicit-exit-notify 1
EOF
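A few lines in this server.conf decide how much the PKI work above actually buys: `duplicate-cn` lets one client1.crt be handed to many people, but `./easyrsa revoke client1` then cuts off all of them at once and the status log cannot tell users apart, so one certificate per user is the safer arrangement; `tls-auth` (or `tls-crypt` in 2.4), `crl-verify`, `user`/`group` and `persist-key` are the settings that keep unauthenticated packets away from the TLS stack, honour revocations, and drop root without breaking restarts. The lint below is an added example written for this page, not OpenVPN's own tooling; it needs only POSIX sh and grep, prints one finding per line and returns the number of findings, so it can be used as a pre-start check.

```shell
#!/bin/sh
# Added example (not from the original post): a small lint for an OpenVPN
# server config that checks the settings discussed above. POSIX sh + grep only.
set -eu

# has FILE DIRECTIVE: true if DIRECTIVE is configured (ignores comments/values)
has() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# lint_server_conf FILE: one finding per line on stdout,
# exit status = number of findings (0 means nothing to report)
lint_server_conf() {
  f=$1; n=0
  # Shared certificates: revocation and the status log work per certificate.
  if has "$f" duplicate-cn; then
    echo "duplicate-cn is set: revoking a shared cert disconnects every user of it"
    n=$((n+1))
  fi
  # Control-channel protection: tls-auth (as on this page) or tls-crypt.
  if ! has "$f" tls-auth && ! has "$f" tls-crypt; then
    echo "neither tls-auth nor tls-crypt: unauthenticated UDP reaches the TLS handshake"
    n=$((n+1))
  fi
  # Without crl-verify a revoked client certificate still connects.
  if ! has "$f" crl-verify; then
    echo "crl-verify missing: revoked client certificates are still accepted"
    n=$((n+1))
  fi
  # Privilege drop once the tun device and key files have been opened.
  if ! has "$f" user || ! has "$f" group; then
    echo "user/group missing: the daemon keeps running as root"
    n=$((n+1))
  fi
  # After dropping root the key files cannot be re-read on SIGUSR1 restarts
  # unless persist-key keeps them in memory.
  if has "$f" user && ! has "$f" persist-key; then
    echo "user set without persist-key: restarts fail after privileges are dropped"
    n=$((n+1))
  fi
  return $n
}

if [ $# -gt 0 ]; then
  lint_server_conf "$1" && echo "no findings for $1"
fi
```

Against the server.conf written above the only finding is `duplicate-cn`; dropping that line (and issuing a certificate per user) leaves a clean result.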

Create the client configuration file

touch /etc/openvpn/client/client.ovpn
cat >> /etc/openvpn/client/client.ovpn << EOF
client
dev tun
proto udp
remote 10.0.200.150 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF

cp /etc/openvpn/client/client.ovpn /etc/openvpn/client/client.conf
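Instead of shipping five files and relying on relative paths, the four file references in client.ovpn can be inlined so a single .ovpn is handed to the user; the `tls-auth ta.key 1` direction then has to be carried as `key-direction 1`, and only the PEM block of each file should be embedded (Easy-RSA's issued .crt files start with a text dump). The script below is an added example, not part of the original post or of OpenVPN; it assumes the /etc/openvpn/client/ layout produced by the copy step above and needs only POSIX sh, sed and grep. The output file holds the private key, so it is created with mode 600.

```shell
#!/bin/sh
# Added example (not from the original post): turn client.ovpn plus the files it
# names into one self-contained .ovpn with inline <ca>, <cert>, <key> and
# <tls-auth> blocks. Assumes only POSIX sh, sed and grep.
set -euf   # -f: no globbing when word-splitting config lines below

# build_inline_ovpn SRC_DIR OUT_FILE
# Reads SRC_DIR/client.ovpn; every "ca", "cert", "key" and "tls-auth" line is
# replaced by the PEM block of the file it names (looked up in SRC_DIR).
build_inline_ovpn() {
  src=$1; out=$2
  : > "$out"
  chmod 600 "$out"            # the bundle contains the private key
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line              # word-split: $1 directive, $2 file, $3 direction
    case "${1:-}" in
      ca|cert|key|tls-auth)
        printf '<%s>\n' "$1" >> "$out"
        # keep only the PEM block; Easy-RSA .crt files also carry a text dump
        sed -n '/^-----BEGIN /,/^-----END /p' "$src/${2:?missing file name}" >> "$out"
        printf '</%s>\n' "$1" >> "$out"
        # "tls-auth ta.key 1": the direction must survive as key-direction
        if [ "$1" = tls-auth ] && [ -n "${3:-}" ]; then
          printf 'key-direction %s\n' "$3" >> "$out"
        fi ;;
      *) printf '%s\n' "$line" >> "$out" ;;
    esac
  done < "$src/client.ovpn"
}

# check_inline_ovpn FILE: true if all four blocks are present and no directive
# still points at an external file
check_inline_ovpn() {
  f=$1
  for tag in ca cert key tls-auth; do
    grep -q "^<$tag>\$" "$f" && grep -q "^</$tag>\$" "$f" || return 1
  done
  ! grep -Eq '^(ca|cert|key|tls-auth) ' "$f"
}

if [ $# -eq 2 ]; then
  build_inline_ovpn "$1" "$2"
  check_inline_ovpn "$2" && echo "wrote $2"
fi
```

Usage: `sh bundle-ovpn.sh /etc/openvpn/client /root/client1-inline.ovpn`; the resulting file works unchanged on the Linux and Windows clients described below.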

Start the openvpn service

systemctl enable openvpn-server@server
systemctl start openvpn-server@server

Check the service status

[root@test-server-7 easy-rsa]# systemctl status openvpn-server@server
● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
   Active: active (running) since 三 2020-08-12 11:21:43 EDT; 38s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 6732 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─6732 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps ...

8月 12 11:21:43 test-server-7 systemd[1]: Starting OpenVPN service for server...
8月 12 11:21:43 test-server-7 systemd[1]: Started OpenVPN service for server.
### Listening port
[root@test-server-7 easy-rsa]# ss -nlp|grep 1194
udp    UNCONN     0      0         *:1194                  *:*                   users:(("openvpn",pid=6732,fd=6))

Pack up the files under /etc/openvpn/client/, transfer them to the client, and start the client.
On a Linux client, extract the files into /etc/openvpn/client/ and run the following commands to start it:

systemctl enable openvpn-client@client
systemctl start openvpn-client@client

On a Windows client, extract the files into the config directory under the installation directory and start the client; it will connect automatically.
