Environment:
OpenVPN server installed on CentOS 6.5 or CentOS 7 (or a later version);
OpenVPN client installed on Windows 10;
Some of the steps closely resemble those in an earlier article of mine on signing certificates with a CA server;
OpenVPN is a secure VPN: it uses OpenSSL for the SSL encryption and decryption;
My understanding of how OpenVPN works, in simple terms, is:
the OpenVPN client and server set up a logical, secured connection over virtual network interfaces, and the data then travels over the physical interfaces;
that is, first the OpenVPN server is installed and its service started; the server then automatically creates a virtual interface, tun0, used for the secure channel, and listens on a port, ready to accept client requests;
second, after OpenVPN is installed on the client it likewise creates a virtual interface, and the OpenVPN client is pointed at the IP address of the server's physical interface and the port it listens on;
third, once the certificates, keys and passwords have all been verified, the VPN (virtual private network) is established;
Detailed configuration steps:
Step 1: install the software
]# yum install openvpn easy-rsa
Step 2: prepare the directories and configuration files
]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars
]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
The files copied are: easyrsa, openssl-1.0.cnf, x509-types;
]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/
Edit the vars file:
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "OpenVPN CA"
set_var EASYRSA_REQ_EMAIL "4********4@.qq.com"
set_var EASYRSA_REQ_OU "My VPN"
Create the server certificate and key:
Step 1: initialise the PKI directory:
]# cd /etc/openvpn/easy-rsa/
]# ./easyrsa init-pki
Step 2: create the root CA certificate:
]# ./easyrsa build-ca
Enter PEM pass phrase: enter the PEM passphrase twice and remember it (the passphrase entered here is openvpn; it is needed later);
........
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: enter a name (opvpn-ca was entered)
After pressing Enter it shows:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Step 3: create the server certificate request:
]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: (node2 was entered)
After pressing Enter it shows:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Step 4: sign the server certificate:
]# ./easyrsa sign server server
After pressing Enter, Confirm request details: (enter yes)
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (enter the root CA PEM passphrase from earlier, openvpn)
After pressing Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node2'
Certificate is to be certified until Apr 4 16:04:29 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Step 5: generate the Diffie-Hellman parameters, which make it possible to negotiate keys across an untrusted network:
]# ./easyrsa gen-dh
After pressing Enter this takes a while; at the end it shows:
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Step 6: generate the ta key file
]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
If this command is skipped, the server fails to start with:
Sat Apr 7 12:53:37 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
Create the client certificate and key:
Step 1: the process is the same as for the server:
]# mkdir /root/client
]# cd /root/client
]# cp -r /usr/share/easy-rsa/3.0.3/* ./
]# ./easyrsa init-pki
]# ./easyrsa gen-req client
After pressing Enter it shows Enter PEM pass phrase: enter a passphrase; this is the one the client will later use when connecting to the server (vpnclient was entered)
Common Name (eg: your user, host, or server name) [client]: (client was entered; it is needed later)
After pressing Enter it shows:
Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key
Step 2: import the resulting client.req into the CA's PKI and sign it; the import and signing are run in the CA directory, /etc/openvpn/easy-rsa/, which is where ca.key lives and where the issued certificate shown below ends up:
]# cd /etc/openvpn/easy-rsa/
]# ./easyrsa import-req /root/client/pki/reqs/client.req client
After pressing Enter it shows:
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: clientone
You may now use this name to perform signing operations on this request.
Step 3: sign the certificate
]# ./easyrsa sign client client
After pressing Enter, enter yes;
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (openvpn was entered)
Note:
a client certificate is being issued here, so the first argument must be client (the certificate type), and the second argument, client, must match the short name given when the request was imported; you will be prompted for a passphrase, which is the root CA passphrase set at the very beginning, so do not mistype it. OpenVPN uses one set of certificate and key files per client;
After pressing Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 4 16:38:37 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Copy the relevant files
Copy the server-side files to their locations (run from /etc/openvpn/easy-rsa/, which the relative pki/ paths refer to):
]# cp pki/ca.crt /etc/openvpn/
]# cp pki/private/server.key /etc/openvpn/
]# cp pki/issued/server.crt /etc/openvpn/
]# cp pki/dh.pem /etc/openvpn/
]# cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
Copy the client-side files to their locations:
# cp pki/ca.crt /root/client/
# cp pki/issued/client.crt /root/client/
# cp /root/client/pki/private/client.key /root/client/
# cp /etc/openvpn/easy-rsa/ta.key /root/client/
Edit the VPN server configuration file:
]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 192.168.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Start the OpenVPN server:
]# openvpn /etc/openvpn/server.conf &
After a successful start the log output appears (shown as a screenshot in the original post).
Or start it with systemctl:
systemctl -f enable openvpn@server.service
# enable the service at boot
systemctl start openvpn@server.service
# start openvpn
Configure the OpenVPN client on Windows 7:
Step 1: download the OpenVPN client
Download link: http://openvpn.ustc.edu.cn/
The installation itself is not covered here; the configuration is as follows:
Download the relevant files into the designated directory:
From the CentOS 7 machine take the four files client.crt, client.conf (renamed to client.ovpn), client.key and ta.key and put them in the config directory under the installation directory;
Contents of the client.ovpn configuration file:
client
dev tun
proto udp
remote 192.168.255.198 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
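An added example, not part of the original post, that parses the server.conf and client.ovpn listings above in OpenVPN's own "option arguments # comment" format and flags the settings a reviewer would question: the tls-auth key-direction pairing (0 on the server, 1 on the client), a relative path to key material (the cause of the "cannot stat file 'ta.key'" error shown earlier, since relative paths resolve against the process working directory), a client profile without remote-cert-tls, and comp-lzo. The sample configs embedded in the block are constructed from the post's listings, shortened to the relevant lines.

```python
import re

# Sample configs, constructed from the server.conf and client.ovpn above
SERVER_CONF = """\
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
"""
CLIENT_OVPN = """\
client
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
"""

def parse_openvpn(text):
    """Map option name -> list of argument lists; drops '#'/';' comments."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)[#;]", raw)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def check_pair(server_text, client_text):
    """Return review findings for a server config and its client profile."""
    srv, cli = parse_openvpn(server_text), parse_openvpn(client_text)
    found = []
    # tls-auth key direction must be 0 on the server and 1 on the client
    sdir = srv.get("tls-auth", [[]])[0][1:]
    cdir = cli.get("tls-auth", [[]])[0][1:]
    if sdir != ["0"] or cdir != ["1"]:
        found.append("tls-auth direction must be 0 on server and 1 on client")
    # relative key-material paths resolve against the working directory
    # (what produced the "cannot stat file 'ta.key'" error above)
    for name in ("ca", "cert", "key", "dh", "tls-auth"):
        for args in srv.get(name, []):
            if args and not args[0].startswith("/"):
                found.append(f"server {name} uses relative path {args[0]}")
    if "remote-cert-tls" not in cli:
        found.append("client lacks remote-cert-tls server")
    if "comp-lzo" in srv or "comp-lzo" in cli:
        found.append("comp-lzo: compressing encrypted traffic is deprecated")
    return found
```

Running check_pair(SERVER_CONF, CLIENT_OVPN) on the post's settings yields two findings: the relative ta.key path on the server and comp-lzo.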
OpenVPN client login:
Double-click the icon; a password prompt appears; enter the passphrase set earlier, vpnclient, and the login succeeds;
A screenshot in the original post shows the successful login;
Once the OpenVPN icon turns green, the connection to the OpenVPN server is established;