|
|
Centos8.5系统安装OpenVPN-超详细

需求:公司外部员工需要访问内部办公网服务器,所以需要搭建一个vpn提供外部员工使用。
% s! K. X S1 Z. ]5 M$ x
1: 环境
服务器系统:CentOS Linux release 8.5.2111
服务器配置:不重要
服务器IP:
Openvpn服务器:
外网:
内网:
内网测试服务器:
openvpn客户端服务器网段:10.10.10.0/22
OpenVpn版本:openvpn-2.6.17
easy-rsa版本:3.0.8

安装包存放的路径:/usr/src/install/(注意:下文实际操作使用的是 /tmp/install,两处应统一)
程序安装目录:/data/openvpn
. X+ d, l1 o: ~5 m9 S, G0 O1 B# N5 c) |
备注:
root# 代表在root用户下执行的命令
$ 代表是在普通用户下执行的命令
# 单个#号代表注释
% b9 ?/ d5 X; q! @- f% `7 d- q0 `% \
" W( h$ J: F6 W' d {
2:安装步骤
8 h# p. m6 f, Q7 R6 A: @" }4 R2.1 准备工作
# ]9 g, Z+ |- |8 d(以下所有操作均在Openvpn服务器操作)8 W0 Y' I0 `! p1 b8 i, J W
# 关闭防火墙
# 注意:2.3.3 节末尾和 2.4.2 节使用 firewall-cmd 添加伪装/转发规则,这要求 firewalld 处于运行状态;
# 如果这里执行了 stop/disable,后面的 firewall-cmd 命令将无法生效,两种方式只能选其一。
# 整体关闭防火墙和 SELinux 会扩大服务器的攻击面,生产环境更建议保留并只放行 OpenVPN 使用的端口。
root# systemctl stop firewalld
root# systemctl disable firewalld

# 关闭selinux
# 注意:这条 sed 只替换每行第一个 enforcing,会连同文件里的注释行一起改动;
# setenforce 0 只把当前运行状态切到 permissive,配置文件的修改需要重启后才按 disabled 生效。
root# sed -i 's/enforcing/disabled/' /etc/selinux/config
root# setenforce 0
! e5 U! f7 ?6 {# 安装依赖* s, ?. G# g* l
root# yum install -y vim wget lrzsz gcc-c++ openssl openssl-devel net-tools lzo lzo-devel pam pam-devel
% U' I8 {: P' Y! Q# c
# 下载安装包
root# mkdir /tmp/install
root# cd /tmp/install
root# wget https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz
root# wget https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz
# 注意:这两个下载链接中的版本(openvpn-2.5.6、EasyRSA-3.0.8)与下文实际解压使用的 openvpn-2.6.17、easy-rsa-3.2.2 不一致,以实际安装的版本为准;
# 下载后建议先核对官方发布的校验和/签名再解压,避免使用被篡改的安装包。
9 z- Z1 {! @% x1 C2 ]& }6 b! I. U. F i2 y# {- `3 S" {2 R" W9 N
0 ?) @- L4 Y" f3 X' p9 W. H# _. b2.2 安装OpenVpn和EasyRSA( p/ G+ m2 i% X, {7 e
#1)安装OpenVpn- V ]( K2 E" @% R4 W- c
root# cd /tmp/install8 _9 N9 ^5 z L- j# _) o7 n
$ }8 N# P* |9 Y, X: A
#创建目录
9 U `( L. [ _6 Oroot# mkdir /data
5 U6 v" U1 l0 ?# x
( A6 E% g1 u6 O) y+ G+ ?8 M0 _& J#解压缩
/ ~% ~, r' _9 q5 y6 ^( ]2 croot# tar -zxvf openvpn-2.6.17.tar.gz6 t N7 m1 A1 V3 R
5 I" P, d& m9 |* Q1 \
, D* r8 C3 M/ pdnf install -y autoconf automake libtool pkgconfig gcc gcc-c++ make openssl-devel lzo-devel pam-devel iproute lz4-devel python3-docutils libnl3-devel pkgconf-pkg-config libcap-ng-devel
/ l, R! B# j7 L( l. |5 V! |; n
) o$ |# K6 G; t, o2 g( |root# cd openvpn-2.6.17" ^9 L U" F$ q2 |
0 X$ W5 b, j. ^0 L* J& v# ?5 G+ \4 K" ~- R
( V- L, w- E# {生成configure文件:
. Q. `+ U9 g4 S) c) G$ ]
, M6 z1 O% o8 O4 E9 S# autoreconf -fi/ S# Z2 j0 _. S8 l
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, '.'., T/ l( U8 v, L' V5 F+ ]! d% {9 ?
libtoolize: copying file './ltmain.sh'
7 S7 E8 F7 O" c# ^+ m2 |: t5 Plibtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.- Q" u- s s" ^3 p5 v
libtoolize: copying file 'm4/libtool.m4'
' i; O) h+ {/ Z1 c0 T, S. _libtoolize: copying file 'm4/ltoptions.m4'. S/ X% ^( x7 d( o
libtoolize: copying file 'm4/ltsugar.m4'
% f! k7 b/ r$ c. ^/ Rlibtoolize: copying file 'm4/ltversion.m4'
& C- F0 L: n% u; B* a5 dlibtoolize: copying file 'm4/lt~obsolete.m4'
3 R7 o/ m5 u8 b+ f) }libtoolize: Remember to add 'LT_INIT' to configure.ac.) s) n4 Q! \+ c2 F2 l- ~
configure.ac:74: installing './compile'6 g- t$ d6 Z+ k4 P O
configure.ac:73: installing './config.guess'
6 @. |7 i) b! l, E4 Y( c ?, wconfigure.ac:73: installing './config.sub'4 e' P* z4 z7 q$ |
configure.ac:72: installing './install-sh'
3 {% P; `6 @3 e" P% hconfigure.ac:72: installing './missing'+ v6 }1 O+ I. t! W6 y' Z; `7 a
src/compat/Makefile.am: installing './depcomp'
3 s! H' d. E( K! a# o; E4 H) ^
5 f) t; Y# U+ B( r* e% Y5 k7 H% f7 D" d: M4 Y
dnf install -y libnl-3-dev pkgconf-pkg-config& K$ O: j N* `( [6 R% i K4 l
! P5 N: b7 b' ?1 C
#--prefix= 后面的路径是 openvpn 的安装目录
root# ./configure --prefix=/data/openvpn/

#编译
root# make && make install

#添加openvpn的环境变量
root# echo -e "PATH=\$PATH:/data/openvpn/sbin" >/etc/profile.d/openvpn256.sh

#加载环境变量(source 只对当前 shell 生效,新登录的会话会自动读取 /etc/profile.d 下的文件)
root# source /etc/profile
2 j) |% G# D! F: T
2 Y( `# R( S/ f/ I3 H/ V0 k#执行下面的命令看看是否成功,出现以下内容表示成功! H1 G. Q! W" r3 X+ W* h8 W
9 X, t" V3 x) i3 G7 r7 V2 y& s. h# openvpn --version9 Q2 z: } l/ Q( ]6 p, n8 C
OpenVPN 2.6.17 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
' L+ t# D5 [4 D! l: ulibrary versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
3 v7 {2 P6 i1 nDCO version: N/A3 J+ j, q4 y( ]% U
Originally developed by James Yonan
3 `* i7 R: E( q5 @+ P9 O/ FCopyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
& \4 q; @2 C- {7 F. W' f* y+ eCompile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=auto enable_dco_arg=auto enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no5 R+ a" P! i8 J! {$ s% ^
2 \, D6 t# ]. j/ x
#2)安装EasyRSA
root# cd /tmp/install
root# tar -zxvf easy-rsa-3.2.2.tar.gz
# cp -r easy-rsa-3.2.2 /data/easyRSA-3.3.2
#(注意:解压出的目录是 easy-rsa-3.2.2,复制后的目标目录名却是 easyRSA-3.3.2,后文均使用 /data/easyRSA-3.3.2 这个名字;与第 1 节写的 easy-rsa 3.0.8 也不一致,以实际下载的版本为准)
. w6 z' h4 \+ {# z5 |, Y9 R" f) O* J8 |! D6 m, {/ \
: `: N8 S: E2 X1 W+ P
2.3 服务端配置
2.3.1 准备CA签发机构环境
#拷贝EasyRSA
#(注意:下面第一条命令中的 /data/EasyRSA 在前文并未创建,实际使用的是第二条 /data/easyRSA-3.3.2 这个目录)
root# cp -r /data/EasyRSA /data/openvpn/easy-rsa-server
cp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-server

root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3
$ T# C* c; W" ?! O- V/ ] S
#准备签发证书的默认变量文件(去掉 vars.example 中的空行和注释行,生成 vars)
root# egrep -v "^$|^#" vars.example >vars
" R& B. p0 k4 Y1 q[root@openvpn easyrsa3]# egrep -v "^$|^#" vars.example > vars4 e, q) F c% Y, H$ I
[root@openvpn easyrsa3]# cat vars8 A/ s+ o. u5 `' g' K& M
if [ -z "$EASYRSA_CALLER" ]; then
5 c# ]* i- `! R; z echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2 c9 v& d, S# t# R
echo "no longer necessary and is disallowed. See the section called" >&2: N- f0 Q) }# W" v* E
echo "*How to use this file* near the top comments for more details." >&2$ E) l1 N3 V- ^& b# V1 o
return 1
* ~3 V, Q. D/ ?- x% ^2 `fi
* x0 e9 b7 Q5 `1 z
P R: F9 _2 a7 D! {; J9 Y: H' o$ M2 N3 o8 H# s
+ F: \; ~2 I! u; U
#编辑vars文件,在最后一行增加以下内容
root# vim vars
#添加参数,设置CA证书有效期为100年(36500 天,日期可以你自己决定设置多长)
set_var EASYRSA_CA_EXPIRE 36500
#添加参数,设置服务器证书为10年(3650 天)
set_var EASYRSA_CERT_EXPIRE 3650
! ~$ `+ Q6 i Q" R: [4 }2 x7 D
# W1 o7 x. N' }9 h0 E4 |' f. w! o! I9 {
查看配置vars的内容:

if [ -z "$EASYRSA_CALLER" ]; then
 echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
 echo "This is no longer necessary and is disallowed. See the section called" >&2
 echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 7300
#(注意:这里显示的 EASYRSA_CERT_EXPIRE 是 7300,与上一步写入的 3650 不一致;而且下文 sign 时输出的是 Valid for: '365' days,说明签发时实际生效的有效期需要再核对)
a4 k$ M/ F0 P U: |* M
3 @" n+ F3 z! R/ T6 e# M' {/ _/ b
: f& a7 F& L" M, p( B) ^2.3.2 创建CA机构与服务器证书
4 H4 Z; F8 Q' C7 \# j#1)创建CA机构1 C& i; P) Q6 O( Z3 ?+ q, j
root# cd /data/openvpn/easy-rsa-server
9 K+ {5 P. O7 ?+ ^ Z/ l; ncd /data/openvpn/easy-rsa-server/easyrsa3! F, \0 V5 Q, K: }
$ V/ u' ?1 r/ E, {6 |#初始化,执行此命令会生成pki目录
" U- I6 ^' r$ ^1 {8 k6 b
( k! S6 ?" B- |3 N- }3 r' k2 i/ H[root@openvpn easyrsa3]# ls
! _" Q9 }8 K5 w" X, ^# m; ceasyrsa openssl-easyrsa.cnf vars vars.example x509-types( m8 c6 T2 I% X0 J
[root@openvpn easyrsa3]# ./easyrsa init-pki- {. P- P W, L
Using Easy-RSA 'vars' configuration:- f& A1 m8 S% C8 z; D& \
* /data/openvpn/easy-rsa-server/easyrsa3/vars
( b; V" \0 C, \- ~6 o E' G6 h0 I
* A2 R H* R3 Z; {( P/ ~Notice
$ J& n0 i6 a4 s- O------
, e, H- V) D6 P7 S/ D: h'init-pki' complete; you may now create a CA or requests.
* e8 `6 U b' l4 M6 I
6 w/ p/ f+ l; m' G) iYour newly created PKI dir is:+ ^6 z1 s2 E7 F0 T( h
* /data/openvpn/easy-rsa-server/easyrsa3/pki
& j Z/ T& n/ |3 P2 X* l; f8 W! s6 x1 m0 j7 }# V+ @- s6 G8 J
Using Easy-RSA configuration:
) i" ^+ E! b) x* /data/openvpn/easy-rsa-server/easyrsa3/vars. T- h0 B c+ C8 e% d
[root@openvpn easyrsa3]# ls
! H5 t3 w# f6 v) V. F3 Oeasyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
+ f+ F4 E0 j4 J2 X) ?0 K, q/ L/ D v
# v7 [$ \: n; F4 b3 }0 G! j
! O* L* Z7 I9 x h; Y
#创建CA机构,nopass代表不需要密码的意思
#(注意:nopass 生成的 CA 私钥 pki/private/ca.key 没有口令保护,它是整个 VPN 的信任根,应严格限制访问权限(默认 600)并考虑离线保存;生产环境建议去掉 nopass 给 CA 私钥加口令)
root# ./easyrsa build-ca nopass
6 r8 X$ n' K, n) I% x' f0 ?% y
3 J+ s6 c p, c* J( A% }
& U8 v+ H$ }0 D- F
- J4 l* q$ }5 ]! ^" _[root@openvpn easyrsa3]# ./easyrsa build-ca nopass" |" S' z" L: E0 ?( Y$ \
Using Easy-RSA 'vars' configuration:+ s8 ?* \9 p* E4 m3 E0 d
* /data/openvpn/easy-rsa-server/easyrsa3/vars
- D- Q# Y/ d5 q# S8 R..+++++- R& [$ Q( l: M, ?- R$ u- q6 l$ l
.........+++++& I1 b$ u- C/ B9 S5 q
You are about to be asked to enter information that will be incorporated( J. K' E" j( h0 }1 M& f+ E- Q
into your certificate request.- f" P8 I- q: _: b
What you are about to enter is what is called a Distinguished Name or a DN.2 n b! ?) K% [* {
There are quite a few fields but you can leave some blank- a* y8 g, t- E
For some fields there will be a default value,; a" d) c3 `' C1 }# Z( B4 |
If you enter '.', the field will be left blank.
) _9 Z' o3 M) D0 b7 T1 i& S-----6 I6 _1 J w& G: K
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:jckj
) _' C" b# i- Y% d( Y5 |7 W* [2 }, q1 Z! k
Notice ~2 S; A- D/ d t! M" L, I* l
------
( c& ]" v# ]% }6 ~% qCA creation complete. Your new CA certificate is at:
: i) Q! T: @" k* p* /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt
) Q/ Z/ p, ?" g( s% d( a, n m7 r" i% |# B; w5 k
Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'4 k4 E9 Q! \% H! i0 {# k3 q
+ N3 I C- e/ H$ l8 a
Build-ca completed successfully.: E3 w' S8 j1 n! q: ~* s
& G# u) i4 m1 T P, R% k% L
. o& p$ a J5 A% p" G+ j' |
#执行创建ca机构成功的话,会出现下面的这个ca.crt文件
Your new CA certificate file for publishing is at:
/data/openvpn/easy-rsa-server/pki/ca.crt
#(注意:按上面的实际输出,本文环境中的路径是 /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt,多一级 easyrsa3 目录)
4 T1 `1 w- G; N, E5 e. z
$ s9 ?8 i) t/ }! D e#CA证书文件
9 o0 l, p1 o M- Q, e; p
% ~, l7 `8 q% C/ \3 w3 b[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt
$ H; i5 w, s R9 E; Z) A7 m+ O-rw-------. 1 root root 1176 Jan 17 12:19 /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt7 l( {2 z8 Q$ ]3 i
- b( Y4 [2 V) H+ q
3 P I6 M/ K4 F5 j, L) x1 v#CA秘钥文件
$ v5 c( x% j4 B$ i) M D# Z4 P/ F
[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key / x8 ^, _% Y/ Q
-rw-------. 1 root root 1704 Jan 17 12:17 /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key; H$ j+ E" d% A/ K) V
- E$ v/ e: C$ c
4 s' P1 _/ m' H8 S#2)创建服务端证书
; b: I& i: M/ q+ ^- hroot# cd /data/openvpn/easy-rsa-server
2 |3 t4 L- n9 C" b7 X5 r2 rcd /data/openvpn/easy-rsa-server/easyrsa3% ?5 g& s- C* {2 w
#创建服务端证书申请文件,openvpnserver为了区别参数标识,我这里设置为openvpnserver,如果你自己安装的话可以使用默认的server 这个名称
2 N2 ~+ {" u* S' X4 J) Jroot# ./easyrsa gen-req openvpnserver nopass
& J9 i& Q/ B" Q, k, B a" f, L. |, ]& t9 [$ y
- v x' j, E* {
6 g6 a W- `% Y7 g
7 q) I7 |- c: _
[root@openvpn easyrsa3]# ./easyrsa gen-req openvpnserver nopass
. z; K ~5 \+ a! W9 J; `Using Easy-RSA 'vars' configuration:
5 E5 g+ ]" g" G* /data/openvpn/easy-rsa-server/easyrsa3/vars
& O7 I" q0 u3 i* N! ? s lGenerating a RSA private key; B# m6 B: s) \2 e- u( \
.............................+++++; Y" [0 d8 b! ~6 v
.................................................................+++++( E8 Z8 c. T$ \' k, G. m
writing new private key to '/data/openvpn/easy-rsa-server/easyrsa3/pki/253f5ec5/temp.2.1'
) ]+ {" o% J6 R7 @5 N-----
, S% l7 n3 G! P0 \; f; k8 ~You are about to be asked to enter information that will be incorporated
2 x7 R5 s( R# t( {into your certificate request.+ w* _" M8 t) _. @4 L' e0 |
What you are about to enter is what is called a Distinguished Name or a DN.
" e- q3 `' J( `: NThere are quite a few fields but you can leave some blank
+ Y, D/ b, L- n% \For some fields there will be a default value,
, j' s4 Q% e; _1 _If you enter '.', the field will be left blank.3 a' m) P: W7 Q+ T: }
-----: G( [( i; g4 F1 F# A
Common Name (eg: your user, host, or server name) [openvpnserver]: 回车9 s4 S' }' ~; {! E; K6 g9 ]
5 y) a! w: W3 s. B, H& p) N
Notice
3 R j; @# T1 {- |- n; P% U------
5 k; ]0 C' ^5 ^+ ~ ~; N! T- c/ HPrivate-Key and Public-Certificate-Request files created." I1 {9 i# a6 o+ s( A
Your files are:7 ^3 t9 x0 Q Z5 Y
* req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req
/ [2 d. O$ ]' i2 @* o* key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key
0 Q( a7 d6 f; U' m4 Z R1 g- w, M
1 k$ T! I! r6 q' ^7 j
, a/ c3 N( z/ t2 T$ C$ ^* L' a a( T5 D: U$ ~; U
8 l0 p* K0 f6 A4 d* D6 n* n7 E; f
#默认回车就行1 S- F! ~ V9 D
Common Name (eg: your user, host, or server name) [openvpnserver]:
( v! J/ Y7 S8 H! K, P- Y- |/ HKeypair and certificate request completed. Your files are:
- q& M! e+ l, i( @0 e5 b4 S0 X. Z, d/ J }* }4 H0 B
3 Q' H* s+ K8 i) u( W* z+ b: ~% Q, f3 J- }2 D# s4 J1 K
7 @: |. s1 q4 L#请求文件. \2 o+ }2 u( u; i6 v- N& ^
req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req
! x* a% k' U/ p0 s+ e7 Q! h#私钥文件
% l: H6 x1 r# x) x( G$ t! {key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key9 [' P1 _9 s/ i; l6 z9 w
1 J$ M7 ~0 ^' ^! c, J% `
#3)签发服务端证书2 h( W4 v) r7 ~/ l8 e. d+ \
绿色部分不做:
- ~4 {7 z% U! o1 B% j% ^& @. Uroot# cd /data/openvpn/easy-rsa-server+ c4 i1 B7 X$ b+ X2 @! p
cd /data/openvpn/easy-rsa-server/easyrsa3
& a! ~- H6 k, \: J4 q7 p#这里的server是代表服务端意思,openvpnserver这个是上面我们创建的服务端证书的名称
5 W* E! x% C4 P8 W6 J1 Oroot# ./easyrsa sign server openvpnserver
- G* S5 E% I4 o#输入yes
/ s L& j8 Y" R) O! X1 a |% dType the word 'yes' to continue, or any other input to abort.) n ^. ^: _7 R! M
Confirm request details: yes3 M% h% \! i6 b( N3 I
#服务端的证书文件
Certificate created at: /data/openvpn/easy-rsa-server/pki/issued/openvpnserver.crt
#(注意:按下面的实际输出,本文环境中的路径是 /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt)
, G/ g8 X. [/ \6 m! p4 w H# Z1 {5 f5 T9 E. K3 ?8 Z3 V
$ p& u- L7 E8 k _6 E6 X$ Z. L7 j+ f9 I0 D2 w0 r
[root@openvpn easyrsa3]# ./easyrsa sign server openvpnserver
# s. t! J+ N! O8 N/ G* f" B8 GUsing Easy-RSA 'vars' configuration:
# r' h# u: L& L* /data/openvpn/easy-rsa-server/easyrsa3/vars
. E$ ?: d- i. |/ F9 m6 r4 rPlease check over the details shown below for accuracy. Note that this request
: Q7 u4 [0 L6 |: O2 rhas not been cryptographically verified. Please be sure it came from a trusted
, u1 N4 N, h& t* asource or that you have verified the request checksum with the sender.7 e% g+ I4 K% k& {
You are about to sign the following certificate:6 Y" u1 W3 f! m$ i: g# T0 y
- E9 ?" ^9 c; M7 A# G- Y/ N7 a2 S Requested CN: 'openvpnserver'6 M B; ~! d- }) \' ?% s% R) a
Requested type: 'server'
9 `6 A9 C |9 I0 K O: W Valid for: '365' days5 i3 f4 S+ X- p7 W! |9 B0 J$ j
8 l) B2 K, q+ F
; G) S+ O7 ~' x1 p+ y6 ?" w) @$ ~subject=
" _. y6 R! J. L5 Y) S g: _ commonName = openvpnserver
4 H: L |! Y0 c; Y# k& C0 X$ ]! J/ _) s& a" I* E
Type the word 'yes' to continue, or any other input to abort.
) v* E$ K! c3 }) V5 U Confirm requested details: yes
. X; s l5 I* }7 r j3 _ V7 u( o' ^/ B( [
Using configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/774d5125/temp.1.1$ s( o/ Q$ G8 c5 v& a2 r
Check that the request matches the signature# b4 Y4 q4 a. H$ ^- Q0 U
Signature ok, |5 s) L* G! B3 q6 ]0 k
The Subject's Distinguished Name is as follows% r3 q2 A. A" L1 D; g# w7 x
commonName :ASN.1 12:'openvpnserver'
" d1 W4 V6 n8 }Certificate is to be certified until Jan 17 04:25:48 2027 GMT (365 days)
. | J7 y0 R' _
% o/ F$ N, d0 W% dWrite out database with 1 new entries' ~* s$ Y5 A7 V* R4 Z! L
Data Base Updated6 y) z K3 V3 s J. K: v
; p) _% ?9 w, W4 _; h/ U
Notice
, P# D, z5 o, D! Q------9 Y# Q6 }8 \( f6 m! z' r$ Z
Inline file created:4 {* t- V1 |* n: Q# C
* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/private/openvpnserver.inline
" f# x! o( o1 K9 s; v" k; }+ \
# |* g; Y" v/ ]2 n& V- Y* p ?0 F7 l& \! w2 A" O h
Notice9 }4 Q/ g# m% |2 L
------4 m6 _/ Q0 }6 F A O/ `* ~6 V
Certificate created at:" S2 G0 e# D/ v4 ]$ p, V
* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt3 L) {+ r9 |; q$ _& G s! q8 h. j
# A+ d. E# }0 E% Q$ [; o! C
; Z2 K- ], {/ a, j
#4)生成 DH 密钥交换参数
root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3
root# ./easyrsa gen-dh
DH parameters of size 2048 created at /data/openvpn/easy-rsa-server/pki/dh.pem
4 u x: `" h/ K" C/ X' {7 e3 H( r" y! J: C/ }
[root@openvpn easyrsa3]# ./easyrsa gen-dh
$ n5 k4 \0 U- ~* CUsing Easy-RSA 'vars' configuration:! w# E- ?7 j2 m: J- m
* /data/openvpn/easy-rsa-server/easyrsa3/vars
+ G6 ^; @! J2 wGenerating DH parameters, 2048 bit long safe prime, generator 2+ _; i k9 z- m4 k9 g- G! _
This is going to take a long time
" N& W- C- V4 W............................................................................................+...........+..............................................+.....................................+.................................+....................................................+.........................................................................................................+...................+.................................................................................................................................................................................+......................................................+.............................................................................+..............................................................................+...............................................................................................................+........................................+....................................+............................................+.............................................................................................+........................................................................................................++*++*++*++*
0 B4 G: c: I! k/ G; @4 oDH parameters appear to be ok.! \4 f' s0 [ T* i7 ]4 K8 W
! |& F9 Y. q% H4 G
Notice
! I8 f# \* _7 q/ j0 U" E: @/ L3 i7 O------
4 o9 J) p P+ l' }3 ~7 s: b
) B6 [1 I" A2 b4 H0 D/ M3 G3 A/ YDH parameters of size 2048 created at:
" a: b- X- ]) [+ C+ x* /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem' k5 ~- w! U2 b* H# ]; d1 [5 o
0 W1 v ]' Q" Q, ]! G1 c
; `( t4 @9 n" x0 a: l* @$ `8 e7 W7 z9 d2 K- i5 M+ V$ O
#5) 启用安全增强配置(生成 tls-auth 用的 HMAC 密钥 ta.key;服务端和每个客户端使用同一份,它是共享密钥,要和私钥一样妥善保管)
root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3
root# openvpn --genkey tls-auth ta.key
/ P4 P1 U- J$ w) M _
& k, U# V1 h! ~4 n W% P- m0 A# S/ }8 u/ c9 \. @; L; D
[root@openvpn easyrsa3]# openvpn --genkey tls-auth ta.key7 G* h |+ A9 b, K9 \. w
[root@openvpn easyrsa3]# ls8 F4 ~* n. A4 t6 E; ]9 d
easyrsa openssl-easyrsa.cnf pki ta.key vars vars.example x509-types
2 H# M2 h8 p, f0 P% E1 {8 o7 P[root@openvpn easyrsa3]#
6 C) ]* ~0 E# c: M: Y5 b
: a& m! Z7 C- j" O2 _" a; d
/ _ D% I8 |2 L1 F9 v
$ e: `2 M6 |( H* K4 h2.3.3 OpenVPN服务端配置
% ]& Y. W: u% q#创建openvpn用户( N c0 P1 {; q9 W# F5 L( w
root# groupadd openvpn
P% e0 M" B( ^- q7 G: T( {* Iroot# useradd -M -s /sbin/nologin -g openvpn openvpn
" \2 M# |2 V$ a0 l0 A
" @6 Z( l& u* f6 t[root@localhost easy-rsa-server]# groupadd openvpn; w# I4 f. ~/ j' y* N- e: s- q, Y
[root@localhost easy-rsa-server]# useradd -M -s /sbin/nologin -g openvpn openvpn
: m' [+ F8 l) n% S5 ^6 B) }
; q+ }6 `5 }2 Z
% y6 }) p4 [2 @$ [; k' x t' y0 e! F# 创建证书存放目录9 p9 t) M4 M3 r, H
root# mkdir /data/openvpn/certificate
! k/ W E4 t' [* i/ I- J9 [6 R
" T& u* b0 X2 h7 {! W$ h# 创建日志存放目录" m9 `2 {: [6 J
root# mkdir /data/openvpn/logs
. B4 Z+ u6 h1 P% d9 G3 qroot# chown openvpn. /data/openvpn/logs! _& x7 E8 y) Q6 k" @' c) c
2 a# \6 x" P9 o I. [7 ?6 Q- N9 l' q' R0 P
[root@localhost logs]# chown -R openvpn. /data/openvpn/logs/
0 M" M1 o' e7 P1 H8 _/ ?# B! F" |' q" C% G) B ^) I" S
" T: Q- n. Q* ~/ Q' L) A3 M+ B
# 将服务端证书、私钥、DH 参数和 tls-auth 密钥复制到certificate目录
#(复制完成后建议用 ls -l 核对 openvpnserver.key 和 ta.key 的权限仍为 600,且该目录只对 root 可写)

[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/ta.key /data/openvpn/certificate/
#添加配置文件
root# cd /data/openvpn/
root# vim /data/openvpn/server.conf
#__server.conf—start___
#端口(注意:本文服务端此处显示为 1195(原文受水印字符干扰,以实际文件为准),而 2.4.2 节客户端配置的 remote 行写的是 1194,两端端口必须一致)
port 1195
#协议
proto tcp
dev tun
#ca证书文件
ca /data/openvpn/certificate/ca.crt
#服务端证书文件
cert /data/openvpn/certificate/openvpnserver.crt
#服务端私钥文件
key /data/openvpn/certificate/openvpnserver.key
#DH 密钥交换参数文件
dh /data/openvpn/certificate/dh.pem
#安全增强文件(tls-auth 的 HMAC 密钥),第二个参数 0 是服务端,1 是客户端
tls-auth /data/openvpn/certificate/ta.key 0
#分配客户端IP的网段,不能和服务器一个网段,不能冲突
#(注意:第 1 节和后面的 NAT 规则写的是 10.10.10.0/22,而这里是 10.8.0.0/24,需统一)
server 10.8.0.0 255.255.255.0
#允许通讯的内网路由,可以多条
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
#(注意:172.30.1.0 配 255.255.252.0 不是对齐的网络地址,/22 的网络地址应为 172.30.0.0)
push "route 172.30.1.0 255.255.252.0"
#会话检测,每十秒测试一下,超过120秒没回应就认为对方down
keepalive 10 120
#加密算法(注意:OpenVPN 2.5+ 中 cipher 指令已弃用,2.6 通过 data-ciphers 协商数据通道算法,默认优先 AEAD 算法,这里的 AES-256-CBC 一般只作为兼容/回退项)
cipher AES-256-CBC
#压缩算法(注意:OpenVPN 2.5+ 已将压缩标记为弃用,启动时会给出警告;压缩与 TLS 结合存在已知的信息泄露风险,建议去掉下面两行)
compress lz4-v2
#推送客户端使用lz4-v2算法
push "compress lz4-v2"
#最大客户端数
max-clients 100
#运行openvpn的用户和用户组(降权后若要支持 SIGUSR1 重启,需配合 persist-key 和 persist-tun,否则重启时无法重新读取密钥/重建 tun)
user openvpn
group openvpn
#状态日志
status /data/openvpn/logs/openvpn-status.log
log-append /data/openvpn/logs/openvpn.log
#日志级别
verb 3
mute 20
#__server.conf—end___
" ]: t" P+ Y) E3 Y9 _- S, s9 r% _2 {, X0 R: s* Y
2 E/ A. d- ` E( H1 y1 D
#内核转发规则
root# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
root# sysctl -p
#iptables NAT规则
#这里的ip就是server.conf 中的server 10.10.10.0 255.255.252.0(注意:本文 2.3.3 节 server.conf 中实际写的是 server 10.8.0.0 255.255.255.0,与这里的 10.10.10.0/22 不一致,两处需统一);添加转发规则到开机启动项
root# echo 'iptables -t nat -A POSTROUTING -s 10.10.10.0/22 -j MASQUERADE' >> /etc/rc.d/rc.local
root# echo 'iptables -t nat -A POSTROUTING -s 172.30.1.0/22 -j MASQUERADE' >> /etc/rc.d/rc.local
#(注意:第二条规则的源网段 172.30.1.0/22 不是对齐的网络地址,/22 的网络地址应为 172.30.0.0;MASQUERADE 的 -s 一般只需要写 VPN 客户端网段)
root# chmod +x /etc/rc.d/rc.local
root# /etc/rc.d/rc.local

上面的可以暂时不执行,都使用firewall-cmd方式添加(前提是 firewalld 正在运行,这与 2.1 节关闭防火墙的步骤冲突,两种方式只能选其一;--permanent 规则需要执行 firewall-cmd --reload 后才生效):
firewall-cmd --permanent --zone=public --add-interface=tun0
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --add-forward
添加转发规则,允许流量通过。
4 N; e; K6 r0 w/ ^4 t7 U4 i! B9 L& t& K
- Q- ?# i/ K9 H5 r7 z( N& b; ~
2.3.4 启动OpenVPN
# 创建启动文件
root# vim /etc/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target

[Service]
ExecStart=/data/openvpn/sbin/openvpn --config /data/openvpn/server.conf
#(说明:进程以 root 启动,由 server.conf 中的 user/group 指令降权;这个单元没有 Restart= 配置,进程异常退出后不会自动拉起)
" w$ a) {2 Q+ V, K
2 o8 g6 D F7 b" K5 n#加载系统服务
; Z+ S) D5 o" P" a9 \root# systemctl daemon-reload( R; b0 K$ m/ H/ [: H1 C
#开机启动
. H) a& e4 r8 }! F- g- x/ uroot# systemctl enable openvpn.service
0 X1 _% m# |! d# z#启动服务+ A# c: m8 L$ g& Z- X0 Z
root# systemctl start openvpn.service
/ l6 E- e0 p" p6 m#查看服务运行状态% s. ~. V" H: }3 x
root# systemctl status openvpn.service u, ]* p5 ]; u5 |' u6 l9 ]0 w. s8 V8 [
4 @$ ]: e% R3 {% e3 h- ?
) d* ~& t% T) v8 c i& Q. { }
2.4 客户端文件配置
% j* s3 V0 ?( A! r. o7 N# P2.4.1 准备客户端证书$ Q) x, V+ Q5 j, }
#1)创建客户端申请证书5 m2 D& P1 G9 K& d' f$ D
6 I( F, D X' m7 A* I! F
[root@openvpn data]# cp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-client4 j" H' b: D' i3 Q V2 \
[root@openvpn data]# cd /data/openvpn/easy-rsa-client/easyrsa3/
" l, |7 g6 V) e* W# h. P1 k; O[root@openvpn easyrsa3]# ls
( e- _1 e. w6 ~' O0 D3 |easyrsa openssl-easyrsa.cnf vars.example x509-types
" ~* I# w0 @' E: E7 W! V$ v[root@openvpn easyrsa3]# % T. y1 O+ r5 L
0 s9 ]. \7 h9 u# W* m
3 j# H! \2 d1 Y% ^9 I# \, M& R4 Q7 ?0 B% a* |8 Y' d* v) `
#初始化,执行此命令会生成pki目录& S8 b' b. h/ p
root# ./easyrsa init-pki
$ |1 D' I4 l0 `9 H. ]% C- @5 V. W- w6 Z, {6 i% x" U6 c. b$ a* Z
, ~; i8 i7 h7 Q* F5 \ q/ f- h
[root@openvpn easyrsa3]# ./easyrsa init-pki" c& `- w P- ~
. k8 A$ b& P8 ]. I
Notice4 M+ K& P0 x3 g7 {4 C
------
' J* W0 {4 n8 U5 m'init-pki' complete; you may now create a CA or requests.
7 P- [" M0 g( ?" t; `! U, i5 E* D" C+ |$ P
Your newly created PKI dir is:
) U6 L) c! \+ ]* /data/openvpn/easy-rsa-client/easyrsa3/pki, e/ k+ P+ _) x9 ?& U
; n0 \! a9 W9 N( PUsing Easy-RSA configuration:9 N+ T% e& l2 m; n' W8 [
* undefined# Y& J: U+ S9 F: t' m5 `. E
/ ~$ _$ L4 C+ p* }* s E6 y; K8 ~
* c* @$ c2 h7 d1 P& L5 d {- c#创建客户端申请证书,我这里用的是名字全拼+ w: ?& ]) K. e9 U
3 q5 _: O( s8 s& f& |5 k4 O3 I' e
! P" t* {. R$ C* J+ U# W* r
; ~" y# P, r7 h1 o' t[root@openvpn easyrsa3]# ./easyrsa gen-req longrui nopass( z3 y6 x: x! A! G% F% Q( f
Generating a RSA private key& F5 L( L1 ?; w$ |' |& _
..+++++# X/ i* {* Y, h3 x. e! n! n; `* S8 U5 a
.......+++++ D5 z7 o: i6 q$ g, q5 o/ z
writing new private key to '/data/openvpn/easy-rsa-client/easyrsa3/pki/2f9b0fd7/temp.2.1'1 O5 Q ~, k: c' W* F$ _1 _- O' _3 K
-----1 N* M2 L/ k3 X4 Q6 v, m
You are about to be asked to enter information that will be incorporated0 A9 ~8 e$ o o
into your certificate request.
% x' L1 y- U( M+ N7 D+ r/ lWhat you are about to enter is what is called a Distinguished Name or a DN.# b8 [" q' u8 C# S; m
There are quite a few fields but you can leave some blank4 Y& t L. i ?$ W1 l6 o
For some fields there will be a default value,
, _3 u1 ^6 D7 Z( ~7 e# g( lIf you enter '.', the field will be left blank.
, [8 z I# B" C9 ~-----3 C; e9 V1 Y4 y. B7 O7 ~
Common Name (eg: your user, host, or server name) [longrui]:
2 u& f/ p) M6 o5 S
7 U4 q. k9 \' }8 E* o: hNotice. x+ f. Y: H& R. f/ C
------
8 Z" f0 f8 M% t' ^% l. E2 FPrivate-Key and Public-Certificate-Request files created.
- S9 T' `0 }0 @ j6 UYour files are:
: U) t- Y) b$ ^2 Z `* req: /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req6 o* G5 M+ v7 {2 ~* j
* key: /data/openvpn/easy-rsa-client/easyrsa3/pki/private/longrui.key
% ?- h5 ?; |4 T: e0 e: `3 `( J
" p+ m% @" m4 C) I+ d+ U: A9 x6 M4 T& h
$ s! e F. S$ X$ w8 G3 Y
#2)服务端签发证书# d; k8 R5 Y$ W: S2 c
* M; f0 v# P! P0 a) r9 p6 h. f[root@openvpn easy-rsa-server]# cd /data/openvpn/easy-rsa-server/easyrsa3/
# g/ ^" s3 F! h7 W3 @2 E: Y' |[root@openvpn easyrsa3]#
, y9 C) l' G/ ]+ W; m6 s5 H7 h# v6 P R4 o x) y, o9 \$ u
#将客户端证书复制到CA工作目录
& {1 g7 b; f1 W* Z! ?0 X, q5 @/ [+ V% Q" y9 r' C& s2 ?" n$ E
) W3 M8 \, m* x9 ][root@openvpn easyrsa3]# ./easyrsa import-req /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req longrui
( i; {9 ~+ A; }* ]Using Easy-RSA 'vars' configuration:7 Q# i$ D( N! I2 T2 J) U' u
* /data/openvpn/easy-rsa-server/easyrsa3/vars6 e- I3 @. v6 }
) p- {/ i2 {7 M: I" g' U
Notice8 W( G T+ Q) I9 O% `
------
; q9 O# H3 L7 _4 p& |/ eRequest successfully imported with short-name: longrui
: ]1 n/ o9 ?1 [; ?This request is now ready to be signed.
]9 y5 v( d1 o7 W" D
6 t0 t! v1 f( `* u
9 f" w* m% q# v c. n6 p
#设置客户端证书有效期,我这里设置的是90天
root# sed -i "s/set_var EASYRSA_CERT_EXPIRE.*$/set_var EASYRSA_CERT_EXPIRE\t90/g" ./vars
#(注意:下面的签发输出仍显示 Valid for: '365' days,而不是这里设置的 90 天,说明这个修改没有在签发时生效;签发前请用 cat ./vars 和输出中的 Valid for 核对)
#签发证书
root# ./easyrsa sign client longrui
#输入yes
Type the word 'yes' to continue, or any other input to abort.
Confirm request details:yes
* S1 t. k A. r( p2 ]/ P% \
. v$ L0 C4 r; k8 e" J
#生成的证书
5 M* u7 C0 t0 Q) g1 @* `Certificate created at: /data/openvpn/easy-rsa-server/pki/issued/longrui.crt
4 {; n, j: H6 Q) N4 [7 I; y, R
1 H2 c" ^# X! s3 Z3 D7 o2 B- J) d5 ?' ]
[root@openvpn easyrsa3]# ./easyrsa sign client longrui
7 Q8 Y9 Z8 |6 ~Using Easy-RSA 'vars' configuration:
8 p3 c- {- r: A7 O4 Y3 r' a* /data/openvpn/easy-rsa-server/easyrsa3/vars' J/ G, f" d2 T1 i/ |
Please check over the details shown below for accuracy. Note that this request
; b. M+ ~: X% ehas not been cryptographically verified. Please be sure it came from a trusted3 v' y" ~. K4 K, V5 L0 \5 X
source or that you have verified the request checksum with the sender.
, u% K7 m' P# bYou are about to sign the following certificate:" ]1 }2 |/ k1 o$ H4 r% D9 v
3 H8 ~1 r- ?" j* y
Requested CN: 'longrui'& F8 i1 o0 Y) G" K: W; E
Requested type: 'client'
9 }7 m6 N- E( z8 a( C Valid for: '365' days4 S% J; V& Q. |# x, k) @
# m$ j( \- w$ f3 j8 X- m
4 g( |' y4 {6 J+ Q1 y4 b# r4 H/ c
subject=
3 {. L) L& a8 l. P commonName = longrui# X! k6 Q% r1 J: U. Y+ J0 a/ J) H
( n( B m& r a$ l- H) UType the word 'yes' to continue, or any other input to abort.9 d! k- y3 r" }
Confirm requested details: yes
/ J) s: l; M/ W* ]* N2 Y- @( V$ C% i3 k& @2 l
Using configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/48fc94cb/temp.1.17 `* U+ _) Q6 x+ h# o
Check that the request matches the signature% [5 p+ F' w8 r5 E
Signature ok" ~5 o0 \: G3 v$ n( x
The Subject's Distinguished Name is as follows
! ?* p2 e5 t! |- j4 ZcommonName :ASN.1 12:'longrui'
- h* u2 m1 S' ]. x5 l8 xCertificate is to be certified until Jan 17 07:12:25 2027 GMT (365 days)" l0 f! _3 s! Q% L( ?1 N2 O+ A7 t# f
0 x7 _( e1 b# F3 w7 oWrite out database with 1 new entries
" c. j& Z# G1 ^/ N7 A- @Data Base Updated5 E9 Y# Y0 r1 w' K
5 ]0 I9 B1 K$ H/ \7 q6 _% m9 L0 bWARNING/ G9 v9 }. U4 ^: f- P5 X& G
=======& K1 S8 t7 u; Z4 g5 q- L3 l
INCOMPLETE Inline file created:* K1 o/ ]; Y9 y4 b8 ~
* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/longrui.inline5 C; T4 S P; B# ^8 L7 m
; l q$ T: J. j# l, K9 D V$ I9 g
5 l& I: ~! Z% `( I( H. }5 I2 |Notice
7 o& \6 f5 w" S' H& ]& E------" e8 ? \( p% [) ~$ h# p) U3 B
Certificate created at:0 c! G+ K; ?) [2 T2 t
* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/longrui.crt
/ s8 R, }8 h7 d! |. E3 F! D, q4 o
1 L. f$ X+ N6 A# o- p" }
2.4.2 准备客户端配置文件
#创建存放目录
root# mkdir /data/openvpn/client/
#创建张三(本例为 longrui)证书存放的目录
root# mkdir /data/openvpn/client/longrui
#复制证书
#(注意:longrui.key 是客户端私钥,ta.key 是共享密钥,这个目录里的内容属于敏感材料,只能通过安全渠道分发给对应员工,分发后应从服务器上删除或严格限制权限)

[root@openvpn easyrsa3]# mkdir /data/openvpn/client/longrui
[root@openvpn easyrsa3]# find /data/openvpn/ \( -name "longrui.key" -o -name "longrui.crt" -o -name "ca.crt" -o -name "ta.key" \) -exec cp {} /data/openvpn/client/longrui \;
cp: '/data/openvpn/client/longrui/longrui.crt' and '/data/openvpn/client/longrui/longrui.crt' are the same file
cp: '/data/openvpn/client/longrui/ca.crt' and '/data/openvpn/client/longrui/ca.crt' are the same file
cp: '/data/openvpn/client/longrui/ta.key' and '/data/openvpn/client/longrui/ta.key' are the same file
cp: '/data/openvpn/client/longrui/longrui.key' and '/data/openvpn/client/longrui/longrui.key' are the same file
#(上面的 "are the same file" 提示是因为 find 也遍历了目标目录 /data/openvpn/client/longrui,把已复制进去的文件又复制到自身,属于无害提示;复制完成后核对目录里四个文件都存在即可)
7 K. @' h5 H5 Z; C# e1 A0 O2 H# W2 C- }3 S
[root@openvpn2 ~]# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
success
[root@openvpn2 ~]# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 1 -s 172.30.0.0/22 -j MASQUERADE
success
firewall-cmd --add-interface=tun0
7 v( j' g! e" |
修改文件:
root# vim /data/openvpn/client/longrui/client.ovpn
client
dev tun
proto tcp
remote 公网ip 1194
resolv-retry infinite
nobind
ca ca.crt
cert longrui.crt
key longrui.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
3 m1 [( t$ X( Q3 Z. W$ }# t' J! r" l0 ]- t
2.5 测试
#将证书下载下来
root# cd /data/openvpn/client/
root# tar -zcvf longrui.tar.gz longrui
root# sz longrui.tar.gz
# longrui.tar.gz 中包含客户端私钥 longrui.key 和 ta.key，下载后应通过安全渠道交给对应员工
/ J* C' {% Z; N, g% X$ o; c9 P
#win10 安装客户端(这里不演示了)
https://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe
#将 zhangsan.tar.gz 复制到 openvpn的config目录,然后点击链接
# v4 ]! P/ G) }8 s7 S
- `7 M, m r- b! D2 m6 U) |9 }2 V
#双击运行
/ B/ G+ g. F: \0 T! R- H9 v
0 ]7 ~" z( B: m, |4 E3 i9 e
- R( N; Z# q3 i( U% r) X/ ]5 g6 }8 k0 k& X% }$ Y! {1 \7 O
#这样表示链接成功了
. M O! G1 r" z* c2 b( O+ ]( T7 A& u- }6 t5 Q: j
#测试连接mysql数据库端口
1 @( g4 @) A6 x9 g) D7 j! w
; ~; _9 w% E9 {" ~. J' W2 u4 G: A! p+ |2 p: F6 Y' B
1 V5 r/ j) V/ J
3 :安装包
官网下载地址:
openvpn 服务端下载地址:
https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz
openvpn 客户端下载地址:
https://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe
EasyRSA下载地址:
https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz
6 r! ]' g% y# z% t& ]
+ I& b& Z! E% k/ K, w4 d
添加防火墙规则:
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o bondmgt -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i bondmgt -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
firewall-cmd --zone=internal --add-masquerade --permanent
" Q! s8 t: W! ?5 n
这是后面测试的结果,上面的可以暂时不执行:
firewall-cmd --permanent --zone=public --add-interface=tun0
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --add-forward

添加转发规则，允许流量通过。带 --permanent 的规则需要执行 firewall-cmd --reload 后才会生效。
./easyrsa sign-req client wogong3
#wogong3 为创建客户端证书请求时使用的 Common Name
验证证书是否正确
openssl verify -CAfile ca.crt issued/wogong2.crt
openssl verify -CAfile ca.crt issued/wogong3.crt
( z! h0 s2 Q9 H2 u5 B
, {9 E7 S. d$ P; U. v+ ?- W8 a( i1 H8 k
0 A$ M- c# L( B9 N
( ~( |4 t1 n* p( z; B5 @: r, ~2 C' C: z T
8 n7 o) f0 o" ?) r# P, v3 W& T* o8 k) C, p3 O% ^
8 T$ g1 `9 s x- I. I$ ?2 s
( J0 S* R; N, g5 W/ T6 i- Y8 x4 @