Environment:
The OpenVPN server is installed on CentOS 6.5 or CentOS 7 (or a later release);
The OpenVPN client is installed on Windows 10;
Some of the steps closely resemble those in an earlier article of mine on signing certificates with a CA server;
OpenVPN is a secure VPN; the SSL encryption and decryption is done through OpenSSL;
My own understanding of the basic principle behind OpenVPN is:
The OpenVPN client and server build a logical, secure communication link over virtual network interfaces, and the data is then carried over the physical interfaces;
That is, first, the OpenVPN server is installed and the service started; the server then automatically creates a virtual interface, tun0, for the secure channel, and listens on a port, ready to accept client requests;
Second, after OpenVPN is installed on the client it also gets a virtual interface automatically; the OpenVPN client has to be pointed at the IP address on the server's physical interface and the port it listens on in order to connect;
Third, once the certificate, key and password checks have passed, the VPN (virtual private network) is up;
Configuration steps:
Step 1: install the software
]# yum install openvpn easy-rsa
Step 2: prepare the directories and configuration files
]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars
]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
The files copied are: easyrsa, openssl-1.0.cnf, x509-types;
]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/
Edit the vars file:
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "OpenVPN CA"
set_var EASYRSA_REQ_EMAIL "4********4@.qq.com"
set_var EASYRSA_REQ_OU "My VPN"
Create the server-side certificate and key:
Step 1: initialise the PKI directory:
]# cd /etc/openvpn/easy-rsa/
]# ./easyrsa init-pki
Step 2: create the root (CA) certificate:
]# ./easyrsa build-ca
Enter PEM pass phrase: enter the PEM passphrase twice and remember it (the passphrase entered here is openvpn; it is needed later);
........
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: enter a name (opvpn-ca was entered);
After pressing Enter, the following is shown:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Step 3: create the server certificate request:
]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: (node2 was entered)
After pressing Enter, the following is shown:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Step 4: sign the server certificate:
]# ./easyrsa sign server server
After pressing Enter, Confirm request details: (enter yes)
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (enter the PEM passphrase of the CA root certificate from before, openvpn)
After pressing Enter, the following is shown:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node2'
Certificate is to be certified until Apr 4 16:04:29 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Step 5: create the Diffie-Hellman parameters, which let the key exchange cross an untrusted network safely:
]# ./easyrsa gen-dh
After pressing Enter this takes a little while; at the end it shows:
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Step 6: generate the ta key file
]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
Without this command the server fails to start with:
Sat Apr 7 12:53:37 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
Create the client certificate and key:
Step 1: the procedure is the same as on the server side:
]# mkdir /root/client
]# cd /root/client
]# cp -r /usr/share/easy-rsa/3.0.3/* ./
]# ./easyrsa init-pki
]# ./easyrsa gen-req client
After pressing Enter, Enter PEM pass phrase: is shown; enter a password, which the client will need later to connect to the server (vpnclient was entered)
Common Name (eg: your user, host, or server name) [client]: (client was entered; it is needed later)
After pressing Enter, the following is shown:
Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key
Step 2: import the resulting clientone.req and then sign the certificate:
]# ./easyrsa import-req /root/client/pki/reqs/client.req client
After pressing Enter, the following is shown:
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: clientone
You may now use this name to perform signing operations on this request.
Step 3: sign the certificate
]# ./easyrsa sign client client
After pressing Enter, enter yes;
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (openvpn was entered)
Note:
A client certificate is being generated here, so the first argument must be client; the second argument, client, must match the name given when the request was imported. During this import-and-sign process you are prompted for a passphrase: it is the root certificate passphrase set at the very beginning, so do not get it wrong. Each OpenVPN client corresponds to its own set of certificate and key files;
After pressing Enter, the following is shown:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 4 16:38:37 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Copy the relevant files
Copy the files the server needs to their places:
]# cp pki/ca.crt /etc/openvpn/
]# cp pki/private/server.key /etc/openvpn/
]# cp pki/issued/server.crt /etc/openvpn/
]# cp pki/dh.pem /etc/openvpn/
]# cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
Copy the files the client needs to their places:
]# cp pki/ca.crt /root/client/
]# cp pki/issued/client.crt /root/client/
]# cp /root/client/pki/private/client.key /root/client/
]# cp /etc/openvpn/easy-rsa/ta.key /root/client/
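Before the client files leave the CentOS box it is worth confirming that the artefacts produced in the two easy-rsa sections above actually fit together: both leaf certificates chain to ca.crt, each certificate matches the private key copied next to it, the server certificate carries the server EKU that the client's "remote-cert-tls server" line checks, both sides hold the same ta.key, and none of the secret files is readable by other users. The script below is an added example and is not part of the original post or of easy-rsa/OpenVPN. It assumes openssl is in PATH, uses the /etc/openvpn and /root/client paths from the tutorial, and reads the client key passphrase from an environment variable CLIENT_KEY_PASS (this script's own convention).

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks on the certificate,
# key and ta.key files that the tutorial copies into /etc/openvpn and /root/client.
# Assumes openssl is in PATH; the paths and the CLIENT_KEY_PASS variable are this
# script's own assumptions.
#
# Usage (on the CentOS box, as root):  CLIENT_KEY_PASS=vpnclient sh pki_check.sh --run

# Return 0 if $1 exists and has no permission bits for group or others.
check_private_mode() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of the mode string, e.g. "------"
    [ "$perms" = "------" ]
}

# Return 0 if $1 has the header and footer that "openvpn --genkey --secret" writes.
check_ta_key() {
    [ -f "$1" ] &&
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" &&
    grep -q '^-----END OpenVPN Static key V1-----$' "$1"
}

# Return 0 if the two files are byte-identical (server and client must share one ta.key).
check_same_file() { cmp -s "$1" "$2"; }

# Return 0 if the leaf certificate $2 chains to the CA certificate $1.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Return 0 if certificate $1 and private key $2 carry the same public key.
# $3 is the key passphrase when the key has one (the client key in the tutorial does);
# it is fed on stdin so it never shows up in the process list.
check_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    if [ -n "${3-}" ]; then
        k=$(printf '%s\n' "$3" | openssl pkey -in "$2" -pubout -passin stdin 2>/dev/null) || return 1
    else
        k=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
    fi
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if certificate $1 carries the extended key usage $2 (default: the server EKU
# that "remote-cert-tls server" on the client looks for). Uses -text rather than -ext
# so it also works with the OpenSSL 1.0.2 shipped on CentOS 7.
check_eku() {
    want=${2:-"TLS Web Server Authentication"}
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | grep -q "$want"
}

fails=0
# Run one check, print OK/FAIL with the function name and its first two arguments
# (a passphrase in a later argument is never printed), and count failures.
report() {
    if "$@"; then echo "OK   $1 $2 ${3-}"; else echo "FAIL $1 $2 ${3-}"; fails=$((fails + 1)); fi
}

# Run every check against the tutorial's paths; return the number of failures.
run_all_checks() {
    fails=0
    s=/etc/openvpn; c=/root/client
    report check_chain     $s/ca.crt $s/server.crt
    report check_chain     $c/ca.crt $c/client.crt
    report check_key_match $s/server.crt $s/server.key
    report check_key_match $c/client.crt $c/client.key "${1-}"
    report check_eku       $s/server.crt
    report check_eku       $c/client.crt "TLS Web Client Authentication"
    report check_ta_key    $s/ta.key
    report check_same_file $s/ta.key $c/ta.key
    for f in $s/server.key $s/ta.key $c/client.key $c/ta.key; do
        report check_private_mode "$f"
    done
    return $fails
}

# Only run the full sweep when asked to, so the functions can also be sourced.
if [ "${1-}" = --run ]; then
    run_all_checks "${CLIENT_KEY_PASS-}"
fi
```

The relative pki/... paths in the copy commands above resolve against the CA directory, /etc/openvpn/easy-rsa, which is also where import-req and sign have to be run; the checks here do not care where the files came from, only that the copies in /etc/openvpn and /root/client agree with each other.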
Edit the VPN configuration file:
]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 192.168.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Start the OpenVPN server:
]# openvpn /etc/openvpn/server.conf &
On a successful start the following is shown:
Or start it with systemctl:
systemctl -f enable openvpn@server.service
# register the unit so it starts at boot
systemctl start openvpn@server.service
# the command that starts openvpn
Configure the OpenVPN client on Windows 7:
Step 1: download the OpenVPN client
Download link: http://openvpn.ustc.edu.cn/
The installation itself is not covered here; the configuration is as follows:
Download the relevant files into the specific directory:
From the CentOS 7 machine take the four files client.crt, client.conf (renamed to client.ovpn), client.key and ta.key and put them in the config directory under the installation directory;
Contents of the client.ovpn configuration file:
client
dev tun
proto udp
remote 192.168.255.198 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
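Read side by side, the server.conf and client.ovpn above contain a few things a reviewer would flag before going live: "tls-auth ta.key 0" is a relative path, so it only resolves when openvpn runs with /etc/openvpn as its working directory (the distribution's openvpn@server.service does that; "openvpn /etc/openvpn/server.conf &" typed from another directory hits exactly the "cannot stat file 'ta.key'" error quoted in the server section); the server never drops root because the sample file's user/group lines were left commented out; and the DNS push line is repeated. The linter below is an added example, not part of the original post or of OpenVPN: it parses both files with sed/awk, checks for those points plus the client-side "remote-cert-tls server" and tls-auth direction, and cross-checks the cipher. Which findings it reports is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original post: a small linter for the server.conf and
# client.ovpn shown in the tutorial. It only reads the files; the set of findings it
# reports is this script's own choice.
#
# Usage: sh ovpn_lint.sh /etc/openvpn/server.conf /root/client/client.ovpn

# Print the config with comments (# or ;), trailing whitespace and blank lines removed.
effective_config() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 if directive $2 appears anywhere in config $1.
has_directive() {
    effective_config "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# Print the arguments of the first occurrence of directive $2 in config $1 ("" if absent).
directive_value() {
    effective_config "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Print every line that occurs more than once (a repeated "push" is harmless but
# almost always a copy/paste slip; most other directives may appear only once).
duplicate_lines() {
    effective_config "$1" | awk '{ n[$0]++ } END { for (l in n) if (n[l] > 1) print l }'
}

findings=0
flag() { echo "  - $1"; findings=$((findings + 1)); }

# Server-side checks. Prints one finding per line, returns the number of findings.
lint_server() {
    cfg=$1; findings=0
    # A relative path only resolves when openvpn's working directory is the config
    # directory, which the systemd unit arranges and a hand-started daemon may not.
    for d in ca cert key dh tls-auth crl-verify; do
        v=$(directive_value "$cfg" "$d" | awk '{ print $1 }')
        case "$v" in
            ""|/*) ;;
            *) flag "'$d $v' is a relative path: start openvpn from the config directory or use --cd" ;;
        esac
    done
    if ! has_directive "$cfg" user || ! has_directive "$cfg" group; then
        flag "no 'user'/'group' directives: the daemon keeps root privileges after start-up"
    fi
    has_directive "$cfg" tls-auth || flag "no 'tls-auth': control-channel packets are not HMAC-signed"
    ndup=$(duplicate_lines "$cfg" | wc -l | tr -d ' ')
    if [ "$ndup" -gt 0 ]; then
        duplicate_lines "$cfg" | sed 's/^/  - duplicate line: /'
        findings=$((findings + ndup))
    fi
    return $findings
}

# Client-side checks. Returns the number of findings.
lint_client() {
    cfg=$1; findings=0
    has_directive "$cfg" remote || flag "no 'remote': nothing to connect to"
    # Without this line any certificate signed by the CA, another client's included,
    # would be accepted as the server's.
    [ "$(directive_value "$cfg" remote-cert-tls)" = server ] ||
        flag "missing 'remote-cert-tls server': the server certificate's EKU is not checked"
    if has_directive "$cfg" tls-auth; then
        set -- $(directive_value "$cfg" tls-auth)
        [ "${2-}" = 1 ] || flag "tls-auth direction should be 1 on the client (the server uses 0)"
    else
        flag "no 'tls-auth': the server requires it"
    fi
    return $findings
}

# Cross-check the pair, then run both linters. Returns the total number of findings.
lint_pair() {
    total=0
    sc=$(directive_value "$1" cipher); cc=$(directive_value "$2" cipher)
    echo "server: $1"; lint_server "$1" || total=$((total + $?))
    echo "client: $2"; lint_client "$2" || total=$((total + $?))
    if [ -n "$sc" ] && [ -n "$cc" ] && [ "$sc" != "$cc" ]; then
        echo "  - cipher mismatch: server '$sc' vs client '$cc'"; total=$((total + 1))
    fi
    return $total
}

# Only lint when two paths are given, so the functions can also be sourced.
if [ $# -eq 2 ]; then
    lint_pair "$1" "$2"
fi
```

Run against the two files as written above, the server side reports three findings (relative ta.key path, no user/group, duplicate push line) and the client side none; the exit status is the finding count, so the script drops straight into a deployment check.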
OpenVPN client login:
After double-clicking the icon a password prompt window pops up; entering the password set earlier, vpnclient, logs in successfully;
This indicates a successful login;
When the OpenVPN icon turns green, the connection to the OpenVPN server has succeeded;