Environment:
The OpenVPN server is installed on CentOS 6.5 or CentOS 7 (or a later version);
the OpenVPN client is installed on Windows 10.
Some of the steps are very similar to the steps for signing certificates with a CA server described in an earlier article.
OpenVPN is a secure VPN: the SSL encryption and decryption are done through OpenSSL.
My own understanding of how OpenVPN works, in simple terms:
The OpenVPN client and server set up a logical, secure communication link over virtual network interfaces, and the data is then carried over the physical interfaces.
That is, first, the OpenVPN server has the software installed and the service started; the server then automatically creates a virtual interface tun0 for the secure channel and listens on a port, ready to accept client requests.
Second, after OpenVPN is installed on the client, it also creates a virtual interface automatically; the OpenVPN client must be given the IP address of the server's physical interface and the listening port in order to connect.
Third, once the certificate, key and password checks have all passed, the VPN (virtual private network) is established.
Concrete configuration steps:
Step 1: install the software
]# yum install openvpn easy-rsa
Step 2: prepare the directories and configuration files
]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars
]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
The files copied are: easyrsa, openssl-1.0.cnf, x509-types.
]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/
Edit the vars file:
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "OpenVPN CA"
set_var EASYRSA_REQ_EMAIL "4********4@.qq.com"
set_var EASYRSA_REQ_OU "My VPN"
Create the server certificate and key:
Step 1: initialise the directory:
]# cd /etc/openvpn/easy-rsa/
]# ./easyrsa init-pki
Step 2: create the root certificate:
]# ./easyrsa build-ca
Enter PEM pass phrase: enter the PEM pass phrase twice and remember it (the pass phrase entered here is openvpn; it is needed again later);
........
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: enter a name (opvpn-ca was entered)
After pressing Enter it shows:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Step 3: create the server certificate:
]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: (node2 was entered)
After pressing Enter it shows:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Step 4: sign the server certificate:
]# ./easyrsa sign server server
After pressing Enter, Confirm request details: (enter yes)
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (enter the PEM pass phrase of the CA root certificate from before, which is openvpn)
After pressing Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node2'
Certificate is to be certified until Apr 4 16:04:29 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Step 5: create the Diffie-Hellman parameters (the command that makes sure the key exchange can safely cross an insecure network):
]# ./easyrsa gen-dh
After pressing Enter, wait a little longer; at the end it shows:
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Step 6: generate the ta key file
]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
If this command is not run, the server reports the following error:
Sat Apr 7 12:53:37 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
Create the client certificate and key:
Step 1: the process is the same as on the server side:
]# mkdir /root/client
]# cd /root/client
]# cp -r /usr/share/easy-rsa/3.0.3/* ./
]# ./easyrsa init-pki
]# ./easyrsa gen-req client
After pressing Enter it shows Enter PEM pass phrase: enter a pass phrase; this is the password the client will later use when connecting to the server (vpnclient was entered)
Common Name (eg: your user, host, or server name) [client]: (client was entered; it is needed later)
After pressing Enter it shows:
Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key
Step 2: import the resulting clientone.req and then sign the certificate:
]# ./easyrsa import-req /root/client/pki/reqs/client.req client
After pressing Enter it shows:
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: clientone
You may now use this name to perform signing operations on this request.
Step 3: sign the certificate
]# ./easyrsa sign client client
After pressing Enter, enter yes;
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (openvpn was entered)
Note:
A client certificate is being generated here, so the first argument must be client, and the second argument client must match the name given when the request was imported. The import asks for a password; this is the root certificate password set the first time, so do not get it wrong. OpenVPN uses one set of certificate and key files per client.
After pressing Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 4 16:38:37 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Copy the relevant files
Copy the files the server needs to their locations:
]# cp pki/ca.crt /etc/openvpn/
]# cp pki/private/server.key /etc/openvpn/
]# cp pki/issued/server.crt /etc/openvpn/
]# cp pki/dh.pem /etc/openvpn/
]# cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
Copy the files the client needs to their locations:
]# cp pki/ca.crt /root/client/
]# cp pki/issued/client.crt /root/client/
]# cp /root/client/pki/private/client.key /root/client/
]# cp /etc/openvpn/easy-rsa/ta.key /root/client/
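The certificate steps above are typed interactively. As an added example (not from the original post), the script below runs the same easy-rsa 3 sequence without the prompts, keeps the client key pair in the client's own PKI so that only the request crosses to the CA, installs each file where server.conf and client.ovpn expect it with tight permissions, and then checks that everything is in place. Paths, common names and file names are the ones used on this page; the --batch, --req-cn and sign-req options are easy-rsa 3 options assumed to be present in 3.0.3, and the import and signing steps run in the CA's easy-rsa directory, which the post leaves implicit. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: the easy-rsa 3 steps above run
# without the interactive prompts, plus a check of the resulting material.
# Paths, names and the CA layout are the ones the post uses; --batch, --req-cn
# and sign-req are easy-rsa 3 options assumed to be present in 3.0.3.
EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa}   # CA and server side
CLIENT_DIR=${CLIENT_DIR:-/root/client}               # client side, own PKI
OPENVPN_DIR=${OPENVPN_DIR:-/etc/openvpn}
EASYRSA_SRC=${EASYRSA_SRC:-/usr/share/easy-rsa/3.0.3}

# CA + server material. The CA key keeps a pass phrase, so openssl still asks
# for it (at build-ca and at every sign-req); --batch only removes the CN and
# "Confirm request details" prompts. The "server" type gives the certificate
# the server role that the client's "remote-cert-tls server" line checks for.
build_server_pki() (
    cd "$EASYRSA_DIR" || exit 1
    ./easyrsa init-pki &&
    ./easyrsa --batch --req-cn=opvpn-ca build-ca &&
    ./easyrsa --batch --req-cn=node2 gen-req server nopass &&
    ./easyrsa --batch sign-req server server &&
    ./easyrsa gen-dh &&
    openvpn --genkey --secret "$EASYRSA_DIR/ta.key"
)

# Client material. The key pair is generated in the client's own PKI and only
# the request (.req) is imported into the CA, so the private key never has to
# leave the client. gen-req without "nopass" prompts for the key pass phrase
# (the one the Windows client later asks for).
build_client_pki() (
    mkdir -p "$CLIENT_DIR" && cp -r "$EASYRSA_SRC"/* "$CLIENT_DIR"/ &&
    ( cd "$CLIENT_DIR" && ./easyrsa init-pki &&
      ./easyrsa --batch --req-cn=client gen-req client ) &&
    cd "$EASYRSA_DIR" &&
    ./easyrsa import-req "$CLIENT_DIR/pki/reqs/client.req" client &&
    ./easyrsa --batch sign-req client client
)

# Put each file where server.conf / client.ovpn look for it. Private keys and
# ta.key are installed mode 600, public certificates and dh.pem mode 644.
install_material() {
    p=$EASYRSA_DIR/pki
    install -m 644 "$p/ca.crt"              "$OPENVPN_DIR/ca.crt" &&
    install -m 644 "$p/issued/server.crt"   "$OPENVPN_DIR/server.crt" &&
    install -m 600 "$p/private/server.key"  "$OPENVPN_DIR/server.key" &&
    install -m 644 "$p/dh.pem"              "$OPENVPN_DIR/dh.pem" &&
    install -m 600 "$EASYRSA_DIR/ta.key"    "$OPENVPN_DIR/ta.key" &&
    install -m 644 "$p/ca.crt"              "$CLIENT_DIR/ca.crt" &&
    install -m 644 "$p/issued/client.crt"   "$CLIENT_DIR/client.crt" &&
    install -m 600 "$CLIENT_DIR/pki/private/client.key" "$CLIENT_DIR/client.key" &&
    install -m 600 "$EASYRSA_DIR/ta.key"    "$CLIENT_DIR/ta.key"
}

# check_material DIR FILE...: every FILE must exist in DIR, and any *.key must
# not be readable by group or others. A missing file here is exactly the gap
# behind the "cannot stat file 'ta.key'" error shown on this page.
check_material() {
    dir=$1; shift
    for f in "$@"; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
        case $f in
        *.key)
            # group/other bits of "ls -l" are columns 5-10; "------" means 600 or 400
            [ "$(ls -ld "$dir/$f" | cut -c5-10)" = "------" ] ||
                { echo "too permissive: $dir/$f" >&2; return 1; }
            ;;
        esac
    done
    return 0
}

# Run the whole sequence only when asked to, e.g.: sh build-pki.sh build
if [ "${1:-}" = build ]; then
    build_server_pki && build_client_pki && install_material &&
    check_material "$OPENVPN_DIR" ca.crt server.crt server.key dh.pem ta.key &&
    check_material "$CLIENT_DIR" ca.crt client.crt client.key ta.key
fi
```

check_material can also be run on its own against an existing /etc/openvpn before starting the service; it fails on the first missing file or on a key that other users can read, which is the state to look for when the server refuses to start with a "cannot stat file" error.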
Edit the VPN configuration file:
]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 192.168.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Start the OpenVPN server:
]# openvpn /etc/openvpn/server.conf &
After a successful start it shows: (image not reproduced)
Or start it with systemctl:
systemctl -f enable openvpn@server.service
# set up the start-up unit
systemctl start openvpn@server.service
# the command that starts openvpn
Configure the OpenVPN client on Windows 7:
Step 1: download the OpenVPN client
Download link: http://openvpn.ustc.edu.cn/
The installation itself is not covered here; the configuration is as follows:
Copy the relevant files into the designated directory:
From the CentOS 7 machine take the four files client.crt, client.conf (renamed to client.ovpn), client.key and ta.key and put them in the config directory under the installation directory.
Content of the client.ovpn configuration file:
client
dev tun
proto udp
remote 192.168.255.198 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
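As an added example that is not part of the original post: a small POSIX shell check that compares a server.conf with the client.ovpn handed to a user before the bundle goes out. It catches the mismatches behind the most common "it will not connect" reports (port/proto, cipher, the tls-auth key direction 0 on the server versus 1 on the client, a missing "remote-cert-tls server") and the "cannot stat file 'ta.key'" error shown earlier, which comes from openvpn resolving the relative path ta.key against its working directory rather than against the config file. It also looks for every file the .ovpn references, including ca.crt, which the page's client.ovpn needs although the list of files to copy above names only four. The sample configs are constructed inside the script to mirror the two on this page, with the server's absolute /etc/openvpn paths pointed at a scratch directory; conf_field, resolve_path, check_pair and write_samples are names of my own.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a server.conf against
# the client.ovpn that is meant to connect to it. Function names are my own.

# conf_field FILE DIRECTIVE [N]: print field N (default 2) of the first line
# that starts with DIRECTIVE, e.g. conf_field client.ovpn remote 3 -> 1194
conf_field() { awk -v k="$2" -v n="${3:-2}" '$1 == k { print $n; exit }' "$1"; }

# resolve_path PATH BASE: openvpn uses absolute paths as-is and resolves relative
# ones against its working directory (the systemd unit sets it; the plain
# "openvpn /etc/openvpn/server.conf &" form uses whatever directory you are in).
resolve_path() { case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s/%s\n' "$2" "$1" ;; esac; }

# check_pair SERVER_CONF CLIENT_OVPN SERVER_WORKDIR: print every inconsistency,
# return 0 only if the two files agree and all referenced files can be found.
check_pair() {
    srv=$1; cli=$2; base=$3; rc=0
    # 1. endpoint: "remote HOST PORT" on the client must match port/proto on the server
    [ "$(conf_field "$cli" remote 3)" = "$(conf_field "$srv" port)" ] ||
        { echo "port mismatch"; rc=1; }
    [ "$(conf_field "$cli" proto)" = "$(conf_field "$srv" proto)" ] ||
        { echo "proto mismatch"; rc=1; }
    # 2. data-channel cipher must be identical on both ends
    [ "$(conf_field "$cli" cipher)" = "$(conf_field "$srv" cipher)" ] ||
        { echo "cipher mismatch"; rc=1; }
    # 3. tls-auth key direction: 0 on the server, 1 on the client
    [ "$(conf_field "$srv" tls-auth 3)" = 0 ] || { echo "server tls-auth direction is not 0"; rc=1; }
    [ "$(conf_field "$cli" tls-auth 3)" = 1 ] || { echo "client tls-auth direction is not 1"; rc=1; }
    # 4. the client must insist on a certificate that was signed as type "server"
    [ "$(conf_field "$cli" remote-cert-tls)" = server ] ||
        { echo "client lacks 'remote-cert-tls server'"; rc=1; }
    # 5. every file the server references must exist where openvpn will look for it
    for d in ca cert key dh tls-auth; do
        f=$(resolve_path "$(conf_field "$srv" "$d")" "$base")
        [ -f "$f" ] || { echo "server $d: cannot stat file '$f'"; rc=1; }
    done
    # 6. same for the client bundle, relative to the directory holding the .ovpn
    for d in ca cert key tls-auth; do
        f=$(resolve_path "$(conf_field "$cli" "$d")" "$(dirname "$cli")")
        [ -f "$f" ] || { echo "client $d: cannot stat file '$f'"; rc=1; }
    done
    return $rc
}

# Constructed sample configs that mirror the two on this page, with the server's
# absolute /etc/openvpn paths pointed at DIR so the script can run anywhere.
write_samples() {
    d=$1
    cat >"$d/server.conf" <<EOF
port 1194
proto udp
dev tun
ca $d/ca.crt
cert $d/server.crt
key $d/server.key
dh $d/dh.pem
server 192.168.11.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
verb 3
EOF
    cat >"$d/client.ovpn" <<EOF
client
dev tun
proto udp
remote 192.168.255.198 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
    # empty placeholders stand in for the real certificates and keys; ta.key is
    # deliberately left out to reproduce the "cannot stat file 'ta.key'" error
    for f in ca.crt server.crt server.key dh.pem client.crt client.key; do : >"$d/$f"; done
}

# Demo run: sh check-pair.sh demo
if [ "${1:-}" = demo ]; then
    D=$(mktemp -d)
    write_samples "$D"
    check_pair "$D/server.conf" "$D/client.ovpn" "$D" || echo "-> fails until ta.key is in place"
    : >"$D/ta.key"
    check_pair "$D/server.conf" "$D/client.ovpn" "$D" && echo "-> server.conf and client.ovpn agree"
    rm -rf "$D"
fi
```

For a real deployment call check_pair with the actual files, e.g. check_pair /etc/openvpn/server.conf /root/client/client.ovpn /etc/openvpn; the third argument is the directory the server process is started in, so pass the same directory the systemd unit uses or the one you run the manual "openvpn server.conf &" command from.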
OpenVPN client login:
After double-clicking the icon, a window pops up asking for the password; entering the password set earlier, vpnclient, logs in successfully.
(image not reproduced) This indicates a successful login;
When the OpenVPN icon turns green, the connection to the OpenVPN server has succeeded.