Installing OpenVPN on CentOS 8.5 (detailed walkthrough)

Requirement: staff working outside the company need to reach servers on the internal office network, so a VPN has to be set up for them.

1: Environment
Server OS: CentOS Linux release 8.5.2111
Server hardware: not important
Server IP:
OpenVPN server:
  public address:
  internal address:
Internal test server:
OpenVPN client pool: 10.10.10.0/22 as originally listed. Note that 10.10.10.0 is not on a /22 boundary (that block would be 10.10.8.0/22), so the server.conf and the NAT rule below use 10.10.10.0/24, which is ample for the 100 clients configured.
OpenVPN version: openvpn-2.6.17
easy-rsa version: 3.2.2 (the tarball unpacked in 2.2; the original list said 3.0.8, which is what the download link in 2.1 still points at, so fetch the release you actually intend to use)
Source tarball directory: /tmp/install (the original note said /usr/src/install/, but every command below uses /tmp/install)
Install prefix: /data/openvpn
Notes:
root#  a command run as root
$      a command run as an unprivileged user
#      a single # introduces a comment

2: Installation steps
2.1 Preparation
(All steps below are run on the OpenVPN server.)
# n* A+ l- ]: z! p; f# 关闭防火墙
, e( v. S' r# n- p- c$ ]# q& Y4 Croot# systemctl stop firewalld
" }- A {$ t) q8 ?8 I3 ?root# systemctl disable firewalld
5 N2 M8 z* U' S( L8 [3 m" P3 M1 _1 _; g: g( B* Z
# 关闭selinux! W( n3 L' q5 `3 ]! A6 V2 l
root# sed -i 's/enforcing/disabled/' /etc/selinux/config: f2 k) F) d7 ?) j
root# setenforce 0) f- G6 t) c! u' D+ h. ^) v! F% I
! ]: Z6 x- B( K# 安装依赖
; k/ a4 k5 i- @& P* k- s: P( oroot# yum install -y vim wget lrzsz gcc-c++ openssl openssl-devel net-tools lzo lzo-devel pam pam-devel
$ I% m, C8 s9 O7 h& R: s, K% |( a# F' ]7 D! Y+ h0 P* a
# 下载安装包+ j8 a' ~( L1 d( o
root# mkdir /tmp/install
1 i7 ^: l- y+ k4 _! Eroot# cd /tmp/install
8 Y) B. \7 T d! c* |5 Rroot# wget https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz
: s3 E6 l; H; M8 T& Lroot# wget https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz
8 V6 A/ ^8 O9 T: b( T4 R8 r7 V) u5 J% ?5 V/ H
2.2 Install OpenVPN and EasyRSA
# 1) Install OpenVPN
root# cd /tmp/install

# Create the install tree
root# mkdir /data

# Unpack
root# tar -zxvf openvpn-2.6.17.tar.gz

# Build dependencies. (The guide had a second line "dnf install -y libnl-3-dev pkgconf-pkg-config"
# after autoreconf; libnl-3-dev is the Debian package name, the CentOS package is libnl3-devel
# and it is already included here.)
root# dnf install -y autoconf automake libtool pkgconfig gcc gcc-c++ make openssl-devel lzo-devel pam-devel iproute lz4-devel python3-docutils libnl3-devel pkgconf-pkg-config libcap-ng-devel
root# cd openvpn-2.6.17

# Generate the configure script:
root# autoreconf -fi
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
libtoolize: Remember to add 'LT_INIT' to configure.ac.
configure.ac:74: installing './compile'
configure.ac:73: installing './config.guess'
configure.ac:73: installing './config.sub'
configure.ac:72: installing './install-sh'
configure.ac:72: installing './missing'
src/compat/Makefile.am: installing './depcomp'

# --prefix= is the directory OpenVPN is installed into. The build is configured without
# --enable-systemd, which is why 2.3.4 writes a plain unit file by hand.
root# ./configure --prefix=/data/openvpn/

# Compile and install
root# make && make install

# Add openvpn to PATH
root# echo -e "PATH=\$PATH:/data/openvpn/sbin" >/etc/profile.d/openvpn256.sh

# Load the new profile
root# source /etc/profile

# Verify; output like the following means the build succeeded ("DCO version: N/A" only means
# the kernel data-channel offload module is not present, the userspace data path is used)
root# openvpn --version
OpenVPN 2.6.17 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=auto enable_dco_arg=auto enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

# 2) Install EasyRSA
root# cd /tmp/install
root# tar -zxvf easy-rsa-3.2.2.tar.gz
root# cp -r easy-rsa-3.2.2 /data/easyRSA-3.3.2
2.3 Server configuration
2.3.1 Prepare the CA environment
# Copy EasyRSA into a server-side (CA) working copy
root# cp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-server
root# cd /data/openvpn/easy-rsa-server/easyrsa3

# Prepare the vars file that controls certificate issuance (keep only the non-comment lines of the example)
root# egrep -v "^$|^#" vars.example > vars
[root@openvpn easyrsa3]# cat vars
if [ -z "$EASYRSA_CALLER" ]; then
  echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
  echo "no longer necessary and is disallowed. See the section called" >&2
  echo "*How to use this file* near the top comments for more details." >&2
  return 1
fi

# Edit vars and append the following at the end
root# vim vars
# CA certificate lifetime, 100 years here (choose what your policy allows; a CA this
# long-lived must be protected accordingly, see the note on the CA key in 2.3.2)
set_var EASYRSA_CA_EXPIRE 36500
# Server certificate lifetime, 10 years
set_var EASYRSA_CERT_EXPIRE 3650

The resulting vars file:

if [ -z "$EASYRSA_CALLER" ]; then
  echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
  echo "This is no longer necessary and is disallowed. See the section called" >&2
  echo "'How to use this file' near the top comments for more details." >&2
  return 1
fi
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 3650

# Note: the signing output captured later in this guide still reports "Valid for: '365' days",
# i.e. the value set here did not take effect in that run. Read the "Valid for" line every time
# you sign; if it is not what you set, abort and pass the lifetime explicitly, for example
# ./easyrsa --days=3650 sign-req server openvpnserver
2.3.2 Create the CA and the server certificate
# 1) Create the CA
root# cd /data/openvpn/easy-rsa-server/easyrsa3

# Initialize; this creates the pki directory
[root@openvpn easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  vars  vars.example  x509-types
[root@openvpn easyrsa3]# ./easyrsa init-pki
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /data/openvpn/easy-rsa-server/easyrsa3/pki

Using Easy-RSA configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
[root@openvpn easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  pki  vars  vars.example  x509-types

# Create the CA. "nopass" means the CA private key is stored unencrypted. That is
# convenient in a lab; for a CA that issues real access credentials omit nopass so the
# key is passphrase-protected, keep a backup of pki/private/ca.key off the VPN server,
# and remember that the running server only needs ca.crt, never ca.key.
root# ./easyrsa build-ca nopass

[root@openvpn easyrsa3]# ./easyrsa build-ca nopass
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
..+++++
.........+++++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:jckj

Notice
------
CA creation complete. Your new CA certificate is at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt

Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'

Build-ca completed successfully.

# If the CA was created successfully the following two files exist.
# CA certificate (this is the file that is published to server and clients)
[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt
-rw-------. 1 root root 1176 Jan 17 12:19 /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt

# CA private key (must stay mode 0600 and must never be copied to clients)
[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key
-rw-------. 1 root root 1704 Jan 17 12:17 /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key
# 2) Create the server certificate request
root# cd /data/openvpn/easy-rsa-server/easyrsa3
# "openvpnserver" is just the name of the request and key files, chosen so it is easy to tell
# apart; the default name "server" works just as well. "nopass" leaves the server key unencrypted,
# which an unattended daemon start requires.
root# ./easyrsa gen-req openvpnserver nopass

[root@openvpn easyrsa3]# ./easyrsa gen-req openvpnserver nopass
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Generating a RSA private key
.............................+++++
.................................................................+++++
writing new private key to '/data/openvpn/easy-rsa-server/easyrsa3/pki/253f5ec5/temp.2.1'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpnserver]:    # press Enter to accept the default

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req
* key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key

# Request file
req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req
# Private key file
key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key
# 3) Sign the server certificate
root# cd /data/openvpn/easy-rsa-server/easyrsa3
# "server" is the certificate type (it sets the TLS server extendedKeyUsage that clients check
# with remote-cert-tls server); "openvpnserver" is the request name from the previous step.
# "sign" is an alias of the documented "sign-req" subcommand.
root# ./easyrsa sign server openvpnserver
# Answer yes
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
# Server certificate file
Certificate created at: /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt

[root@openvpn easyrsa3]# ./easyrsa sign server openvpnserver
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
You are about to sign the following certificate:

  Requested CN: 'openvpnserver'
  Requested type: 'server'
  Valid for: '365' days


subject=
  commonName = openvpnserver

Type the word 'yes' to continue, or any other input to abort.
Confirm requested details: yes

Using configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/774d5125/temp.1.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpnserver'
Certificate is to be certified until Jan 17 04:25:48 2027 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Inline file created:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/private/openvpnserver.inline

Notice
------
Certificate created at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt

# Note the "Valid for: '365' days" line: the EASYRSA_CERT_EXPIRE 3650 set in vars was not
# applied in this run. If the lifetime shown is not the one you asked for, answer anything
# other than "yes" and re-run with an explicit lifetime: ./easyrsa --days=3650 sign-req server openvpnserver
# 4) Generate Diffie-Hellman parameters
root# cd /data/openvpn/easy-rsa-server/easyrsa3
root# ./easyrsa gen-dh
DH parameters of size 2048 created at /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem

[root@openvpn easyrsa3]# ./easyrsa gen-dh
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[... progress dots ...]
DH parameters appear to be ok.

Notice
------

DH parameters of size 2048 created at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem

# (OpenVPN 2.4 and later negotiate ECDHE key exchange, so "dh none" in server.conf is also
# acceptable; dh.pem is only consulted if a client can only do classic DHE.)

# 5) Generate the TLS control-channel key
# ta.key is a shared secret; with tls-auth both sides HMAC every control-channel packet with
# it, so packets from anyone who does not hold the key are dropped before the TLS handshake
# even starts. Keep it mode 0600 and hand it to clients only as part of their profile.
# "openvpn --genkey tls-crypt ta.key" produces a key for tls-crypt instead, which also
# encrypts the control channel; server.conf and the client profile must then say tls-crypt.
root# cd /data/openvpn/easy-rsa-server/easyrsa3
root# openvpn --genkey tls-auth ta.key

[root@openvpn easyrsa3]# openvpn --genkey tls-auth ta.key
[root@openvpn easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  pki  ta.key  vars  vars.example  x509-types
[root@openvpn easyrsa3]#
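Before copying the server files into /data/openvpn/certificate (and again for every client certificate in 2.4), it is worth checking what EasyRSA actually produced rather than trusting the vars file. The shell function below is an added example for this guide, not part of the original post or of EasyRSA. It takes the CA certificate, a certificate, its private key, the type it was signed as and the lifetime you asked for, and reports the chain, the extendedKeyUsage, whether key and certificate belong together, the key file mode and the real validity in days. It needs only openssl, GNU date and GNU stat; the invocation in the last comment assumes you run it from the easyrsa3 directory used above, and the KEY_PASSIN variable is this script's own convention for passphrase-protected keys.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify an EasyRSA-issued
# certificate before it is deployed. Paths are arguments; nothing here assumes
# the /data/openvpn layout. Needs openssl, GNU date and GNU stat.
#
# check_cert CA_CRT CERT KEY ROLE EXPECTED_DAYS
#   ROLE is "server" or "client" (the type given to "easyrsa sign").
#   Prints one line per problem and returns 0 only when everything passes.
#   For a passphrase-protected key export KEY_PASSIN=pass:... or file:...
check_cert() {
    ca=$1; cert=$2; key=$3; role=$4; want_days=$5
    rc=0

    # 1. The certificate must chain to this CA and no other.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 2. EasyRSA's server and client types set different extendedKeyUsage
    #    values; clients enforce this with remote-cert-tls server and the
    #    server with remote-cert-tls client.
    case $role in
        server) want_eku="TLS Web Server Authentication" ;;
        client) want_eku="TLS Web Client Authentication" ;;
        *) echo "FAIL: role must be server or client, got '$role'"; return 1 ;;
    esac
    if ! openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$want_eku"; then
        echo "FAIL: $cert lacks extendedKeyUsage '$want_eku'"; rc=1
    fi

    # 3. The private key must belong to this certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin "${KEY_PASSIN:-pass:}" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert (or could not be read)"; rc=1
    fi

    # 4. The key must not be readable by group or others.
    perm=$(stat -c %a "$key")
    case $perm in
        *00) ;;
        *) echo "FAIL: $key is mode $perm, expected 0600"; rc=1 ;;
    esac

    # 5. Remaining lifetime, rounded to whole days, must be what was requested.
    #    This is the check that catches "vars said 3650 but 365 was issued".
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    end=$(date -d "$not_after" +%s)
    now=$(date +%s)
    days=$(( (end - now + 43200) / 86400 ))
    if [ "$days" -ne "$want_days" ]; then
        echo "FAIL: $cert is valid for $days days, expected $want_days (vars not applied? re-sign with --days=$want_days)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert ($role, $days days)"
    return "$rc"
}

# Invocation on the files generated above (run from easyrsa3/):
# check_cert pki/ca.crt pki/issued/openvpnserver.crt pki/private/openvpnserver.key server 3650
```

Run against openvpnserver.crt with 3650 it reports the 365-day lifetime that the captured output above shows, which is the cue to re-sign with --days before the certificate goes into service.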
2.3.3 OpenVPN server configuration
# Create an unprivileged openvpn user; the daemon drops to it after start-up
root# groupadd openvpn
root# useradd -M -s /sbin/nologin -g openvpn openvpn

# Create the certificate directory
root# mkdir /data/openvpn/certificate

# Create the log directory and hand it to the openvpn user (logs are written after
# privileges have been dropped)
root# mkdir /data/openvpn/logs
root# chown -R openvpn. /data/openvpn/logs

# Copy the server certificate, key, DH parameters and TLS key into the certificate directory.
# OpenVPN reads the keys while it is still root, so they stay root-owned and mode 0600.
root# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt /data/openvpn/certificate/
root# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt /data/openvpn/certificate/
root# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key /data/openvpn/certificate/
root# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem /data/openvpn/certificate/
root# cp /data/openvpn/easy-rsa-server/easyrsa3/ta.key /data/openvpn/certificate/
root# chmod 600 /data/openvpn/certificate/*.key

# Write the configuration file
root# vim /data/openvpn/server.conf
#__server.conf-start___
# Listening port
port 1195
# Protocol (the guide uses TCP; UDP is the usual choice for throughput, TCP gets through restrictive networks)
proto tcp
dev tun
# One address per client instead of the legacy /30-per-client layout (2.6 still defaults to net30)
topology subnet
# CA certificate
ca /data/openvpn/certificate/ca.crt
# Server certificate
cert /data/openvpn/certificate/openvpnserver.crt
# Server private key
key /data/openvpn/certificate/openvpnserver.key
# Diffie-Hellman parameters
dh /data/openvpn/certificate/dh.pem
# Control-channel HMAC key; direction 0 on the server, 1 on clients
# (use "tls-crypt /data/openvpn/certificate/ta.key" here and on clients if you generated a tls-crypt key)
tls-auth /data/openvpn/certificate/ta.key 0
# Only accept clients whose certificate was issued with the "client" type, so a leaked
# server certificate cannot be used to log in
remote-cert-tls client
# Address pool handed to clients. It must not overlap the server's own networks or the pushed
# routes, and it must be the subnet the NAT rule below masquerades. The guide originally had
# the stock example "server 10.8.0.0 255.255.255.0" here, which matched neither the client
# pool in section 1 nor the NAT rule; 10.10.10.0/24 is used because 10.10.10.0 is not a
# valid /22 network address.
server 10.10.10.0 255.255.255.0
# Internal networks reachable through the tunnel; one push per network
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
# Note: 172.30.1.0 is not the network address of a /22 (255.255.252.0); that block starts at
# 172.30.0.0. Use "172.30.0.0 255.255.252.0" or "172.30.1.0 255.255.255.0", whichever is the real subnet.
push "route 172.30.1.0 255.255.252.0"
# Session check: ping every 10 s, declare the peer down after 120 s without a reply
keepalive 10 120
# Data-channel ciphers. OpenVPN 2.6 negotiates from this list; the single-cipher
# "cipher AES-256-CBC" the guide originally used is deprecated, and CBC is not an AEAD mode.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
# Compression. The guide originally set "compress lz4-v2" and pushed "compress lz4-v2" to
# clients. Compressing plaintext inside the tunnel enables the VORACLE attack and the
# option is deprecated in 2.6, so refuse compression outright.
allow-compression no
# Maximum number of concurrent clients
max-clients 100
# Drop privileges to this user/group after start-up
user openvpn
group openvpn
# Required together with user/group: keep the key material and the tun device open across
# restarts, because the unprivileged process cannot reopen them
persist-key
persist-tun
# Status and log files
status /data/openvpn/logs/openvpn-status.log
log-append /data/openvpn/logs/openvpn.log
# Log verbosity
verb 3
mute 20
#__server.conf-end___
# Enable IPv4 forwarding in the kernel
root# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
root# sysctl -p

# NAT rule, iptables variant (only if firewalld has been disabled)
# The source must be the client pool from "server ..." in server.conf, 10.10.10.0/24 here.
# The guide's second rule also masqueraded 172.30.1.0/22; that is an internal network, not the
# VPN pool, and is not needed for clients to reach it, so it is left commented out. Note that
# rules appended to rc.local are not idempotent (every run of the script adds another copy),
# which is one more reason to prefer the firewalld variant below.
root# echo 'iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
# root# echo 'iptables -t nat -A POSTROUTING -s 172.30.1.0/22 -j MASQUERADE' >> /etc/rc.d/rc.local
root# chmod +x /etc/rc.d/rc.local
root# /etc/rc.d/rc.local

# Preferred: keep firewalld running and add the rules with firewall-cmd instead.
# The guide's original list lacked the listening port and the reload. "--add-forward" only
# exists in firewalld 1.0 and later; CentOS 8.5 ships an older release, where enabling
# masquerade on the zone already permits forwarding, so drop that line if it is rejected.
root# firewall-cmd --permanent --zone=public --add-interface=tun0
root# firewall-cmd --permanent --zone=public --add-port=1195/tcp
root# firewall-cmd --permanent --zone=public --add-masquerade
root# firewall-cmd --permanent --zone=public --add-forward
root# firewall-cmd --reload
# This admits client connections on 1195/tcp, allows forwarding between the tunnel and the
# internal network, and masquerades client traffic behind the server's address.
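The mistakes discussed in this section (deprecated cipher directive, compression, a client pool that differs from the NAT source, routes whose address is not on the mask boundary, missing persist-key/persist-tun with user/group) are all visible in the configuration text before the service is ever started. The linter below is an added example, not part of the original guide or of OpenVPN: it reads a server.conf and a NAT source in CIDR notation and prints one line per problem. The sample written by write_guide_conf is a constructed copy of the directives as the guide first listed them (with the stock 10.8.0.0/24 pool), so running the block as-is shows what the original file would have been flagged for.

```shell
#!/bin/sh
# Added example, not part of the original guide: a linter for OpenVPN
# server.conf that reports the problems discussed in this section.
# Pure POSIX sh plus sed/grep; the sample config at the bottom is a
# constructed copy of the guide's original directives.

# Dotted quad -> integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "a.b.c.d/len" -> netmask as integer
cidr2mask() {
    echo $(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
}

# aligned NET MASK: true when NET is the network address for MASK
aligned() {
    [ $(( $(ip2int "$1") & $(ip2int "$2") )) -eq "$(ip2int "$1")" ]
}

# has REGEX: true when a comment-stripped line of $body matches
has() { printf '%s\n' "$body" | grep -qE "$1"; }

# lint_server_conf FILE NAT_SOURCE_CIDR
#   Prints one finding per line; prints nothing when the file is clean.
lint_server_conf() {
    conf=$1; nat_cidr=$2
    body=$(sed 's/#.*//' "$conf" | sed '/^[[:space:]]*$/d')

    if has '^[[:space:]]*cipher[[:space:]]'; then
        echo "cipher: deprecated in 2.6, replace with data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
    fi
    # compression, whether set locally or pushed to clients
    printf '%s\n' "$body" | grep -E '(^|")[[:space:]]*(compress|comp-lzo)' | while read -r line; do
        echo "compression ($line): remove it and set allow-compression no (VORACLE)"
    done
    if has '^[[:space:]]*user[[:space:]]' && { ! has '^[[:space:]]*persist-key' || ! has '^[[:space:]]*persist-tun'; }; then
        echo "user/group set without persist-key and persist-tun: restarts fail after the privilege drop"
    fi
    has '^[[:space:]]*remote-cert-tls[[:space:]]+client' ||
        echo "remote-cert-tls client missing: any certificate from the CA, even a server one, can connect"
    has '^[[:space:]]*topology[[:space:]]+subnet' ||
        echo "topology subnet missing: 2.6 still defaults to the legacy net30 layout"
    # pushed routes must name the network address for their mask
    printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*push[[:space:]]*"route[[:space:]][[:space:]]*\([0-9.]*\)[[:space:]][[:space:]]*\([0-9.]*\)".*/\1 \2/p' |
        while read -r net mask; do
            aligned "$net" "$mask" || echo "route $net $mask: $net is not the network address for mask $mask"
        done
    # client pool: must be aligned and must be what the NAT rule masquerades
    set -- $(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*server[[:space:]][[:space:]]*\([0-9.]*\)[[:space:]][[:space:]]*\([0-9.]*\).*/\1 \2/p')
    if [ -n "${1:-}" ]; then
        aligned "$1" "$2" || echo "server $1 $2: $1 is not the network address for mask $2"
        if [ "$(ip2int "$1")" -ne "$(ip2int "${nat_cidr%/*}")" ] || [ "$(ip2int "$2")" -ne "$(cidr2mask "$nat_cidr")" ]; then
            echo "server $1 $2 does not match NAT source $nat_cidr: client traffic will not be masqueraded"
        fi
    fi
}

# Constructed sample: server.conf as the guide first wrote it
write_guide_conf() {
    cat > "$1" <<'EOF'
port 1195
proto tcp
dev tun
ca /data/openvpn/certificate/ca.crt
cert /data/openvpn/certificate/openvpnserver.crt
key /data/openvpn/certificate/openvpnserver.key
dh /data/openvpn/certificate/dh.pem
tls-auth /data/openvpn/certificate/ta.key 0
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.6.0 255.255.255.0"
push "route 172.30.1.0 255.255.252.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user openvpn
group openvpn
status /data/openvpn/logs/openvpn-status.log
log-append /data/openvpn/logs/openvpn.log
verb 3
mute 20
EOF
}

# Lint the sample against the NAT source the guide used: eight findings
f=$(mktemp)
write_guide_conf "$f"
lint_server_conf "$f" 10.10.10.0/22
rm -f "$f"
```

Point it at the corrected server.conf above with the matching NAT source (lint_server_conf /data/openvpn/server.conf 10.10.10.0/24) and it prints nothing but the 172.30.1.0 route note, which is the one item this guide leaves for you to resolve against the real subnet.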
2.3.4 Start OpenVPN
# Create the service unit. The build was configured without --enable-systemd, so this is a
# plain unit; Restart=on-failure is added so the service comes back after a crash.
root# vim /etc/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target

[Service]
ExecStart=/data/openvpn/sbin/openvpn --config /data/openvpn/server.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target

# Reload systemd
root# systemctl daemon-reload
# Enable at boot
root# systemctl enable openvpn.service
# Start the service
root# systemctl start openvpn.service
# Check the status, then confirm the daemon is listening and dropped privileges cleanly
root# systemctl status openvpn.service
root# ss -ltnp | grep 1195
root# tail -n 20 /data/openvpn/logs/openvpn.log
2.4 Client configuration
2.4.1 Prepare the client certificate
# 1) Create the client certificate request
# A second EasyRSA working copy is used for the client side so client keys are generated
# outside the CA directory. In a real deployment the request is generated on the user's own
# machine and only the .req file is sent to the CA, so the private key never leaves the client.
[root@openvpn data]# cp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-client
[root@openvpn data]# cd /data/openvpn/easy-rsa-client/easyrsa3/
[root@openvpn easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  vars.example  x509-types
[root@openvpn easyrsa3]#

# Initialize; this creates the pki directory
root# ./easyrsa init-pki

[root@openvpn easyrsa3]# ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /data/openvpn/easy-rsa-client/easyrsa3/pki

Using Easy-RSA configuration:
* undefined
# ("undefined" is expected: this copy has no vars file, and generating a request does not need one.)

# Create the client request; the user's full name (longrui) is used as the name.
# "nopass" leaves the client key unencrypted. For a real user omit it, so the key is protected
# by a passphrase that the user enters when connecting.
[root@openvpn easyrsa3]# ./easyrsa gen-req longrui nopass
Generating a RSA private key
..+++++
.......+++++
writing new private key to '/data/openvpn/easy-rsa-client/easyrsa3/pki/2f9b0fd7/temp.2.1'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [longrui]:

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req
* key: /data/openvpn/easy-rsa-client/easyrsa3/pki/private/longrui.key
# 2) Sign the request with the CA
[root@openvpn easy-rsa-server]# cd /data/openvpn/easy-rsa-server/easyrsa3/
[root@openvpn easyrsa3]#

# Import the client request into the CA working directory
[root@openvpn easyrsa3]# ./easyrsa import-req /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req longrui
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars

Notice
------
Request successfully imported with short-name: longrui
This request is now ready to be signed.

# Set the client certificate lifetime; 90 days here
root# sed -i "s/set_var EASYRSA_CERT_EXPIRE.*$/set_var EASYRSA_CERT_EXPIRE\t90/g" ./vars
# Sign
root# ./easyrsa sign client longrui
# Answer yes
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes

# Resulting certificate
Certificate created at: /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/longrui.crt

[root@openvpn easyrsa3]# ./easyrsa sign client longrui
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
You are about to sign the following certificate:

  Requested CN: 'longrui'
  Requested type: 'client'
  Valid for: '365' days


subject=
  commonName = longrui

Type the word 'yes' to continue, or any other input to abort.
Confirm requested details: yes
Using configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/48fc94cb/temp.1.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'longrui'
Certificate is to be certified until Jan 17 07:12:25 2027 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

WARNING
=======
INCOMPLETE Inline file created:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/longrui.inline

Notice
------
Certificate created at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/longrui.crt

# Two things to note in this output. "Valid for: '365' days" shows once more that the vars
# edit (90 days) was not picked up; abort and re-run as ./easyrsa --days=90 sign-req client longrui
# if the lifetime shown is not the one you want. The "INCOMPLETE Inline file" warning is
# expected: the CA directory holds the certificate but not the client's private key (which
# lives in easy-rsa-client), so the generated inline bundle has no <key> section; 2.4.2
# assembles the full set of files by hand.
2.4.2 Prepare the client configuration file
# Create the storage directory
root# mkdir /data/openvpn/client/
# Create the directory for Zhang San's certificates
root# mkdir /data/openvpn/client/longrui
# Copy the certificates

[root@openvpn easyrsa3]# mkdir /data/openvpn/client/longrui
[root@openvpn easyrsa3]# find /data/openvpn/ \( -name "longrui.key" -o -name "longrui.crt" -o -name "ca.crt" -o -name "ta.key" \) -exec cp {} /data/openvpn/client/longrui \;
cp: '/data/openvpn/client/longrui/longrui.crt' and '/data/openvpn/client/longrui/longrui.crt' are the same file
cp: '/data/openvpn/client/longrui/ca.crt' and '/data/openvpn/client/longrui/ca.crt' are the same file
cp: '/data/openvpn/client/longrui/ta.key' and '/data/openvpn/client/longrui/ta.key' are the same file
cp: '/data/openvpn/client/longrui/longrui.key' and '/data/openvpn/client/longrui/longrui.key' are the same file
# These "same file" messages are harmless: find also descends into /data/openvpn/client/longrui and matches the copies already placed there.

[root@openvpn2 ~]# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
success
[root@openvpn2 ~]# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 1 -s 172.30.0.0/22 -j MASQUERADE
success

firewall-cmd --add-interface=tun0

Edit the file:
root# vim /data/openvpn/client/longrui/client.ovpn
client
dev tun
proto tcp
remote <public IP> 1194
resolv-retry infinite
nobind
ca ca.crt
cert longrui.crt
key longrui.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2

2.5 Testing
# Download the certificates
root# cd /data/openvpn/client/
root# tar -zcvf longrui.tar.gz longrui
root# sz longrui.tar.gz

# Install the client on Windows 10 (not demonstrated here)
https://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe
# Copy zhangsan.tar.gz into OpenVPN's config directory, then click Connect

# Double-click to run

# This indicates the connection succeeded

# Test connecting to the MySQL database port

3: Installation packages
Official download addresses:
OpenVPN server download address:
https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz
OpenVPN client download address:
https://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe
EasyRSA download address:
https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz

Add firewall rules:
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o bondmgt -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i bondmgt -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
firewall-cmd --zone=internal --add-masquerade --permanent
These are the results of later testing; the rules above can be left out for now:
firewall-cmd --permanent --zone=public --add-interface=tun0
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --add-forward

Add forwarding rules so that traffic is allowed through (run firewall-cmd --reload afterwards so the --permanent rules take effect).

./easyrsa sign-req client wogong3
# wogong3 is the Common Name of the client certificate being created
Verify that the certificates are correct:
openssl verify -CAfile ca.crt issued/wogong2.crt
openssl verify -CAfile ca.crt issued/wogong3.crt