Environment:
The OpenVPN server is installed on CentOS 6.5 or CentOS 7 (or a newer release);
the OpenVPN client is installed on Windows 10;
some of the steps closely resemble the certificate-signing steps from an earlier article on setting up a CA server;
OpenVPN is a secure VPN: SSL encryption and decryption are handled through OpenSSL.
My own understanding of how OpenVPN works, in simple terms:
the OpenVPN client and server build a logical, secure connection between their virtual network interfaces, and the data is then carried over the physical interfaces;
first, on the OpenVPN server, install the package and start the service; the server then automatically creates a virtual interface tun0, used for the secure channel, and listens on a port for client requests;
second, after the OpenVPN client is installed, it also gets a virtual interface automatically; the client is pointed at the IP address of the server's physical interface and the listening port in order to connect;
third, once the certificates, keys and passwords all check out, the VPN (virtual private network) is up.
Detailed configuration steps:
Step 1: install the software
]# yum install openvpn easy-rsa
Step 2: prepare the directories and configuration files
]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars
]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
The copied files are: easyrsa, openssl-1.0.cnf, x509-types;
]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/
Edit the vars file:
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "OpenVPN CA"
set_var EASYRSA_REQ_EMAIL "4********4@.qq.com"
set_var EASYRSA_REQ_OU "My VPN"
Creating the server certificate and key:
Step 1: initialise the directory:
]# cd /etc/openvpn/easy-rsa/
]# ./easyrsa init-pki
Step 2: create the root (CA) certificate:
]# ./easyrsa build-ca
Enter PEM pass phrase: enter the PEM password twice and remember it (the password entered here is openvpn; it is needed again later);
........
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: enter a name (opvpn-ca was entered)
After pressing Enter it shows:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Step 3: create the server certificate request:
]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: (node2 was entered)
After pressing Enter it shows:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Step 4: sign the server certificate:
]# ./easyrsa sign server server
After pressing Enter, Confirm request details: (enter yes)
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (enter the CA root certificate's PEM password from before, openvpn)
After pressing Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node2'
Certificate is to be certified until Apr 4 16:04:29 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Step 5: create the Diffie-Hellman parameters (the command that secures the key exchange across an untrusted network):
]# ./easyrsa gen-dh
After pressing Enter this takes a little longer; at the end it shows:
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Step 6: generate the ta key file
]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
Without this command, the server fails to start with:
Sat Apr 7 12:53:37 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
Creating the client certificate and key:
Step 1: the process is the same as for the server:
]# mkdir /root/client
]# cd /root/client
]# cp -r /usr/share/easy-rsa/3.0.3/* ./
]# ./easyrsa init-pki
]# ./easyrsa gen-req client
After pressing Enter it shows Enter PEM pass phrase: enter a password; this is the password the client will later use to connect to the server (vpnclient was entered)
Common Name (eg: your user, host, or server name) [client]: (client was entered; it is needed later)
After pressing Enter it shows:
Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key
Step 2: import the resulting client.req and then sign the certificate:
]# ./easyrsa import-req /root/client/pki/reqs/client.req client
After pressing Enter it shows:
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: clientone
You may now use this name to perform signing operations on this request.
Step 3: sign the certificate
]# ./easyrsa sign client client
After pressing Enter, type yes;
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (openvpn was entered)
Note:
A client certificate is being generated here, so the first argument must be client (the certificate type), and the second argument, client, must match the name used when the request was imported; during import you are asked for a password, which is the root certificate password set at the very beginning, so do not mistype it; OpenVPN uses one set of certificate and key files per client.
After pressing Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 4 16:38:37 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Copying the relevant files:
Copy the files the server needs to their places:
]# cp pki/ca.crt /etc/openvpn/
]# cp pki/private/server.key /etc/openvpn/
]# cp pki/issued/server.crt /etc/openvpn/
]# cp pki/dh.pem /etc/openvpn/
]# cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
Copy the files the client needs to their places:
]# cp pki/ca.crt /root/client/
]# cp pki/issued/client.crt /root/client/
]# cp /root/client/pki/private/client.key /root/client/
]# cp /etc/openvpn/easy-rsa/ta.key /root/client/
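An added check, not part of the original post, worth running once the files are in place: it confirms each certificate chains to ca.crt, carries the extended key usage easy-rsa assigns to the server and client types, and has the Common Name entered at gen-req time. It assumes the openssl command-line tool is installed; the helper names and the throw-away demo PKI it can build are my own, not easy-rsa's.

```shell
#!/bin/sh
# Added example (not part of the original post): check the easy-rsa output
# after it has been copied into /etc/openvpn and /root/client.
# Assumes the openssl command-line tool is installed.

# check_cert CA CERT EKU_TEXT EXPECTED_CN
# Verifies that CERT chains to CA, carries the extended key usage easy-rsa
# puts on that certificate type, and has the Common Name typed at gen-req.
# The client's "remote-cert-tls server" line rejects a server whose
# certificate lacks "TLS Web Server Authentication", so that check matters.
check_cert() {
    ca=$1; cert=$2; eku=$3; cn=$4
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q "$eku" \
        || { echo "FAIL: $cert lacks '$eku'"; return 1; }
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$cn\$" \
        || { echo "FAIL: $cert CN is not '$cn'"; return 1; }
    echo "OK: $cert"
}

# make_demo_pki DIR builds a throw-away CA, server and client certificate
# with plain openssl so the check can be tried offline. This is constructed
# test data; the real files live under /etc/openvpn/easy-rsa/pki.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$d/server.ext"
    printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
    for pair in server:node2 client:client; do
        f=${pair%%:*}; cn=${pair#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$f.key" -out "$d/$f.req" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/$f.req" -CA "$d/ca.crt" \
            -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/$f.ext" \
            -out "$d/$f.crt" 2>/dev/null
    done
}

# Usage on the files from this post (CA, server cert + CN, client cert + CN):
#   sh check_pki.sh /etc/openvpn/ca.crt /etc/openvpn/server.crt node2 \
#       /root/client/client.crt client
if [ $# -eq 5 ]; then
    check_cert "$1" "$2" "TLS Web Server Authentication" "$3" \
        && check_cert "$1" "$4" "TLS Web Client Authentication" "$5"
fi
```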
Edit the VPN configuration file:
]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 192.168.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Start the OpenVPN server:
]# openvpn /etc/openvpn/server.conf &
After a successful start it shows:
[screenshot]
Or start it with systemctl:
systemctl -f enable openvpn@server.service
# enable the unit so it starts at boot
systemctl start openvpn@server.service
# the command that starts openvpn
Configuring the OpenVPN client on Windows 7:
Step 1: download the OpenVPN client
Download link: http://openvpn.ustc.edu.cn/
[screenshot]
I will skip the installation itself; the configuration is as follows:
Put the required files into the designated directory:
From the CentOS 7 host, take the four files client.crt, client.conf (renamed to client.ovpn), client.key and ta.key and place them in the config directory under the installation directory;
Contents of client.ovpn:
client
dev tun
proto udp
remote 192.168.255.198 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
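An added check, not from the original post, that reads a server.conf and client.ovpn pair like the two above and flags settings that must agree between them; on the post's own pair it reports one finding, comp-lzo enabled on the server only. The helper names are mine, and the sample files it writes contain only the directives it looks at, copied from the two configurations above.

```shell
# Added example, not from the original post: cross-check a server.conf and
# client.ovpn pair before the .ovpn is handed to a user. POSIX sh + awk only;
# assumes one directive per line, as in the two files above.

# opt FILE DIRECTIVE: print the arguments of the first matching directive
opt() { awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"; }

# check_pair SERVER_CONF CLIENT_OVPN: findings go to stderr, their count to stdout
check_pair() {
    s=$1; c=$2; n=0
    # proto, dev and cipher must agree (2.4 peers may still negotiate
    # AES-256-GCM through NCP, but an explicit mismatch is a mistake)
    for d in proto dev cipher; do
        [ "$(opt "$s" "$d")" = "$(opt "$c" "$d")" ] \
            || { echo "$d differs between server and client" >&2; n=$((n+1)); }
    done
    # both sides share one ta.key; the server uses direction 0, the client 1
    [ "$(opt "$s" tls-auth | awk '{print $2}')" = 0 ] \
        || { echo "server tls-auth direction must be 0" >&2; n=$((n+1)); }
    [ "$(opt "$c" tls-auth | awk '{print $2}')" = 1 ] \
        || { echo "client tls-auth direction must be 1" >&2; n=$((n+1)); }
    # without this the client accepts any certificate the CA signed, so
    # another client's certificate could pose as the server
    [ "$(opt "$c" remote-cert-tls)" = server ] \
        || { echo "client lacks 'remote-cert-tls server'" >&2; n=$((n+1)); }
    # comp-lzo on one side only makes OpenVPN log an options-consistency warning
    sc=$(grep -c '^comp-lzo' "$s" || true); cc=$(grep -c '^comp-lzo' "$c" || true)
    [ "$sc" = "$cc" ] || { echo "comp-lzo is set on one side only" >&2; n=$((n+1)); }
    echo "$n"
}

# write_samples DIR: the directives this check reads, taken from the
# server.conf and client.ovpn shown in the post (constructed sample input)
write_samples() {
    cat > "$1/server.conf" <<'EOF'
proto udp
dev tun
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
EOF
    cat > "$1/client.ovpn" <<'EOF'
dev tun
proto udp
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
EOF
}
```

To check the real files, call `check_pair /etc/openvpn/server.conf /root/client/client.ovpn`; a count of 0 means the pair is consistent.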
Logging in with the OpenVPN client:
Double-click the icon; a password prompt appears; enter the password set earlier, vpnclient, and the login succeeds;
[screenshot]
which indicates a successful login;
[screenshot]
The OpenVPN icon turns green once the connection to the OpenVPN server is established;