Centos8.5系统安装OpenVPN-超详细
需求:公司外部员工需要访问内部办公网服务器,所以需要搭建一个vpn提供外部员工使用。
1: 环境
服务器系统:CentOS Linux release 8.5.2111
服务器配置:不重要
服务器IP:
Openvpn服务器:
外网:
内网:
内网测试服务器:
openvpn客户端服务器网段:10.10.10.0/22
OpenVpn版本:openvpn-2.6.17
easy-rsa版本:3.0.8

安装包存放的路径:/usr/src/install/
程序安装目录:/data/openvpn

备注:
root# 代表在root用户下执行的命令
$ 代表是在普通用户下执行的命令
# 单个#号代表注释
2:安装步骤
2.1 准备工作
(以下所有操作均在Openvpn服务器操作)
# 关闭防火墙
root# systemctl stop firewalld
root# systemctl disable firewalld

# 关闭selinux
root# sed -i 's/enforcing/disabled/' /etc/selinux/config
root# setenforce 0

# 安装依赖
root# yum install -y vim wget lrzsz gcc-c++ openssl openssl-devel net-tools lzo lzo-devel pam pam-devel

# 下载安装包
root# mkdir /tmp/install
root# cd /tmp/install
root# wget https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz
root# wget https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz
2.2 安装OpenVpn和EasyRSA
#1)安装OpenVpn
root# cd /tmp/install
#创建目录
root# mkdir /data
#解压缩
root# tar -zxvf openvpn-2.6.17.tar.gz

dnf install -y autoconf automake libtool pkgconfig gcc gcc-c++ make openssl-devel lzo-devel pam-devel iproute lz4-devel python3-docutils libnl3-devel pkgconf-pkg-config libcap-ng-devel

root# cd openvpn-2.6.17

生成configure文件:
# autoreconf -fi
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
libtoolize: Remember to add 'LT_INIT' to configure.ac.
configure.ac:74: installing './compile'
configure.ac:73: installing './config.guess'
configure.ac:73: installing './config.sub'
configure.ac:72: installing './install-sh'
configure.ac:72: installing './missing'
src/compat/Makefile.am: installing './depcomp'

dnf install -y libnl-3-dev pkgconf-pkg-config
#--prefix= 后面路径是安装openvpn到那个文件路径下
root# ./configure --prefix=/data/openvpn/

#编译
root# make && make install

#添加openvpn的环境变量
root# echo -e "PATH=\$PATH:/data/openvpn/sbin" >/etc/profile.d/openvpn256.sh
#加载环境变量
root# source /etc/profile

#执行下面的命令看看是否成功,出现以下内容表示成功
# openvpn --version
OpenVPN 2.6.17 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=auto enable_dco_arg=auto enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
#2)安装EasyRSA
root# cd /tmp/install
root# tar -zxvf easy-rsa-3.2.2.tar.gz
# cp -r easy-rsa-3.2.2 /data/easyRSA-3.3.2
2.3 服务端配置
2.3.1 准备CA签发机构环境
#拷贝EasyRSA
root# cp -r /data/EasyRSA /data/openvpn/easy-rsa-server
cp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-server

root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3

#准备签发证书的默认变量文件
root# egrep -v "^$|^#" vars.example >vars

[root@openvpn easyrsa3]# egrep -v "^$|^#" vars.example > vars
[root@openvpn easyrsa3]# cat vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
echo "no longer necessary and is disallowed. See the section called" >&2
echo "*How to use this file* near the top comments for more details." >&2
return 1
fi
#编辑vars文件,在最后一行增加以下内容
root# vim vars
#添加参数,设置CA证书有效期为100年(日期可以你自己决定设置多长)
set_var EASYRSA_CA_EXPIRE 36500
#添加参数,设置服务器证书为10年
set_var EASYRSA_CERT_EXPIRE 3650

查看配置vars的内容:

if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 73000 z0 Q7 S- X( u# n* ]
2.3.2 创建CA机构与服务器证书
#1)创建CA机构
root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3

#初始化,执行此命令会生成pki目录
[root@openvpn easyrsa3]# ls
easyrsa openssl-easyrsa.cnf vars vars.example x509-types
[root@openvpn easyrsa3]# ./easyrsa init-pki
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /data/openvpn/easy-rsa-server/easyrsa3/pki

Using Easy-RSA configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
[root@openvpn easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
#创建CA机构,nopass代表不需要密码的意思
root# ./easyrsa build-ca nopass

[root@openvpn easyrsa3]# ./easyrsa build-ca nopass
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
..+++++
.........+++++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:jckj

Notice
------
CA creation complete. Your new CA certificate is at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt

Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'
Build-ca completed successfully.

#执行创建ca机构成功的话,会出现下面的这个ca.crt文件
Your new CA certificate file for publishing is at:
/data/openvpn/easy-rsa-server/pki/ca.crt

#CA证书文件
[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt
-rw-------. 1 root root 1176 Jan 17 12:19 /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt

#CA秘钥文件
[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key
-rw-------. 1 root root 1704 Jan 17 12:17 /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key
#2)创建服务端证书
root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3
#创建服务端证书申请文件,openvpnserver为了区别参数标识,我这里设置为openvpnserver,如果你自己安装的话可以使用默认的server 这个名称
root# ./easyrsa gen-req openvpnserver nopass

[root@openvpn easyrsa3]# ./easyrsa gen-req openvpnserver nopass
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Generating a RSA private key
.............................+++++
.................................................................+++++
writing new private key to '/data/openvpn/easy-rsa-server/easyrsa3/pki/253f5ec5/temp.2.1'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpnserver]: 回车

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req
* key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key

#默认回车就行
Common Name (eg: your user, host, or server name) [openvpnserver]:
Keypair and certificate request completed. Your files are:

#请求文件
req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req
#私钥文件
key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key
#3)签发服务端证书
绿色部分不做:
root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3
#这里的server是代表服务端意思,openvpnserver这个是上面我们创建的服务端证书的名称
root# ./easyrsa sign server openvpnserver
#输入yes
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
#服务端的证书文件
Certificate created at: /data/openvpn/easy-rsa-server/pki/issued/openvpnserver.crt

[root@openvpn easyrsa3]# ./easyrsa sign server openvpnserver
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
You are about to sign the following certificate:

Requested CN: 'openvpnserver'
Requested type: 'server'
Valid for: '365' days

subject=
commonName = openvpnserver

Type the word 'yes' to continue, or any other input to abort.
Confirm requested details: yes

Using configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/774d5125/temp.1.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpnserver'
Certificate is to be certified until Jan 17 04:25:48 2027 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Inline file created:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/private/openvpnserver.inline

Notice
------
Certificate created at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt
#4)创建交互秘钥
root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3
root# ./easyrsa gen-dh
DH parameters of size 2048 created at /data/openvpn/easy-rsa-server/pki/dh.pem

[root@openvpn easyrsa3]# ./easyrsa gen-dh
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
/ J9 J& |; @& _6 D# D............................................................................................+...........+..............................................+.....................................+.................................+....................................................+.........................................................................................................+...................+.................................................................................................................................................................................+......................................................+.............................................................................+..............................................................................+...............................................................................................................+........................................+....................................+............................................+.............................................................................................+........................................................................................................++*++*++*++*
DH parameters appear to be ok.

Notice
------

DH parameters of size 2048 created at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem

#5) 启用安全增强配置
root# cd /data/openvpn/easy-rsa-server
cd /data/openvpn/easy-rsa-server/easyrsa3

root# openvpn --genkey tls-auth ta.key

[root@openvpn easyrsa3]# openvpn --genkey tls-auth ta.key
[root@openvpn easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki ta.key vars vars.example x509-types
[root@openvpn easyrsa3]#
2.3.3 OpenVPN服务端配置
#创建openvpn用户
root# groupadd openvpn
root# useradd -M -s /sbin/nologin -g openvpn openvpn
[root@localhost easy-rsa-server]# groupadd openvpn
[root@localhost easy-rsa-server]# useradd -M -s /sbin/nologin -g openvpn openvpn

# 创建证书存放目录
root# mkdir /data/openvpn/certificate

# 创建日志存放目录
root# mkdir /data/openvpn/logs
root# chown openvpn. /data/openvpn/logs

[root@localhost logs]# chown -R openvpn. /data/openvpn/logs/

# 将服务端证书秘钥和交互秘钥复制到certificate目录

[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem /data/openvpn/certificate/
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/ta.key /data/openvpn/certificate/
#添加配置文件
root# cd /data/openvpn/
root# vim /data/openvpn/server.conf
#__server.conf—stat___
#端口
port 1195
#协议
proto tcp
dev tun
#ca证书文件
ca /data/openvpn/certificate/ca.crt
#服务端证书文件
cert /data/openvpn/certificate/openvpnserver.crt
#服务端私钥文件
key /data/openvpn/certificate/openvpnserver.key
#交换秘钥文件
dh /data/openvpn/certificate/dh.pem
#安全增强文件,0是服务端,1是客户端
tls-auth /data/openvpn/certificate/ta.key 0
#分配客户端IP的网段,不能和服务器一个网段,不能冲突
server 10.8.0.0 255.255.255.0
#允许通讯的内网路由,可以多条
push "route 192.168.0.0 255.255.255.0"

push "route 192.168.6.0 255.255.255.0"
push "route 172.30.1.0 255.255.252.0"
#会话检测,每十秒测试一下,超过120秒没回应就认为对方down
keepalive 10 120
#加密算法
cipher AES-256-CBC
#压缩算法
compress lz4-v2
#推送客户端使用lz4-v2算法
push "compress lz4-v2"
#最大客户端数
max-clients 100
#运行openvpn的用户和用户组
user openvpn
group openvpn
#状态日志
status /data/openvpn/logs/openvpn-status.log
log-append /data/openvpn/logs/openvpn.log
#日志级别
verb 3
mute 20
#__server.conf—end___
#内核转发规则
root# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
root# sysctl -p

#iptablesNAT规则
#这里的ip就是server.conf 中的server 10.10.10.0 255.255.252.0 ;添加转发规则到开机启动项
root# echo 'iptables -t nat -A POSTROUTING -s 10.10.10.0/22 -j MASQUERADE' >> /etc/rc.d/rc.local
root# echo 'iptables -t nat -A POSTROUTING -s 172.30.1.0/22 -j MASQUERADE' >> /etc/rc.d/rc.local
root# chmod +x /etc/rc.d/rc.local
root# /etc/rc.d/rc.local

上面的可以暂时不执行,都使用firewall-cmd方式添加(注意:firewall-cmd 依赖 firewalld 服务处于运行状态,走这种方式时不要执行 2.1 中关闭 firewalld 的步骤):
firewall-cmd --permanent --zone=public --add-interface=tun0
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --add-forward
添加转发规则,允许流量通过。
2.3.4 启动OpenVPN
# 创建启动文件
root# vim /etc/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target

[Service]
ExecStart=/data/openvpn/sbin/openvpn --config /data/openvpn/server.conf

#加载系统服务
root# systemctl daemon-reload
#开机启动
root# systemctl enable openvpn.service
#启动服务
root# systemctl start openvpn.service
#查看服务运行状态
root# systemctl status openvpn.service
2.4 客户端文件配置
2.4.1 准备客户端证书
#1)创建客户端申请证书

[root@openvpn data]# cp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-client
[root@openvpn data]# cd /data/openvpn/easy-rsa-client/easyrsa3/
[root@openvpn easyrsa3]# ls
easyrsa openssl-easyrsa.cnf vars.example x509-types
[root@openvpn easyrsa3]#

#初始化,执行此命令会生成pki目录
root# ./easyrsa init-pki

[root@openvpn easyrsa3]# ./easyrsa init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /data/openvpn/easy-rsa-client/easyrsa3/pki

Using Easy-RSA configuration:
* undefined
#创建客户端申请证书,我这里用的是名字全拼

[root@openvpn easyrsa3]# ./easyrsa gen-req longrui nopass
Generating a RSA private key
..+++++
.......+++++
writing new private key to '/data/openvpn/easy-rsa-client/easyrsa3/pki/2f9b0fd7/temp.2.1'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [longrui]:

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req
* key: /data/openvpn/easy-rsa-client/easyrsa3/pki/private/longrui.key
#2)服务端签发证书
[root@openvpn easy-rsa-server]# cd /data/openvpn/easy-rsa-server/easyrsa3/
[root@openvpn easyrsa3]#

#将客户端证书复制到CA工作目录

[root@openvpn easyrsa3]# ./easyrsa import-req /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req longrui
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars

Notice
------
Request successfully imported with short-name: longrui
This request is now ready to be signed.

#设置客户端证书有效期,我这里设置的是90天
root# sed -i "s/set_var EASYRSA_CERT_EXPIRE.*$/set_var EASYRSA_CERT_EXPIRE\t90/g" ./vars
#签发证书
root# ./easyrsa sign client longrui
#输入yes
Type the word 'yes' to continue, or any other input to abort.
Confirm request details:yes

#生成的证书
Certificate created at: /data/openvpn/easy-rsa-server/pki/issued/longrui.crt
[root@openvpn easyrsa3]# ./easyrsa sign client longrui
Using Easy-RSA 'vars' configuration:
* /data/openvpn/easy-rsa-server/easyrsa3/vars
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
You are about to sign the following certificate:
Requested CN: 'longrui'
Requested type: 'client'
Valid for: '365' days

subject=
commonName = longrui

Type the word 'yes' to continue, or any other input to abort.
Confirm requested details: yes

Using configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/48fc94cb/temp.1.1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'longrui'
Certificate is to be certified until Jan 17 07:12:25 2027 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
WARNING
=======
INCOMPLETE Inline file created:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/longrui.inline

Notice
------
Certificate created at:
* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/longrui.crt
2.4.2 准备客户端配置文件
- _, O2 A( }2 o, A$ o! O' x) t: k) p#创建存放目录
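# Directory that receives the per-user client bundle. Keep it root-only: it
# will hold the user's private TLS key and the shared ta.key.
install -d -m 700 /data/openvpn/client/longrui

# Collect the files the client profile references. The search is pruned at
# /data/openvpn/client so that re-running this does not try to copy the
# destination onto itself (the "... are the same file" errors seen before).
# The client key and ta.key are not assumed to live in a fixed place here;
# they are wherever they were generated under /data/openvpn.
find /data/openvpn -path /data/openvpn/client -prune -o \
  \( -name "longrui.key" -o -name "longrui.crt" -o -name "ca.crt" -o -name "ta.key" \) \
  -exec cp -- {} /data/openvpn/client/longrui/ \;

# Private material must not be group/world-readable on the server. Once the
# bundle has been handed to the user, delete the server-side copy of
# longrui.key: the VPN server never needs the client's private key.
chmod 600 /data/openvpn/client/longrui/*.key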
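# Scratch notes that appear to come from a different host (the prompt was
# "openvpn2"). Before using them, check that the source subnets really are
# the range this server's `server` directive hands out to VPN clients; NAT is
# only needed when the LAN has no route back to the VPN subnet via this box.
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 1 -s 172.30.0.0/22 -j MASQUERADE

# The original `firewall-cmd --add-interface=tun0` was runtime-only (lost on
# reload) and went to whatever the default zone is. Make it explicit and
# persistent -- `public`, as in the zone rules at the end of this page --
# then load the --permanent rules, which are inert until reloaded.
firewall-cmd --permanent --zone=public --add-interface=tun0
firewall-cmd --reload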
修改文件:
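# /data/openvpn/client/longrui/client.ovpn   (edit with: vim /data/openvpn/client/longrui/client.ovpn)
# Client profile for user "longrui". ca.crt / longrui.crt / longrui.key /
# ta.key are resolved relative to this file, so they must sit next to it.
client
dev tun
proto tcp
# Replace 公网ip with the server's public address; 1194 and tcp must match
# the server's `port` / `proto`.
remote 公网ip 1194
resolv-retry infinite
nobind
ca ca.crt
cert longrui.crt
key longrui.key
# Only accept a peer whose certificate carries the server EKU, so another
# client certificate issued by the same CA cannot impersonate the server.
remote-cert-tls server
# HMAC on the control channel with the shared ta.key; direction 1 on every
# client, 0 on the server. (tls-crypt would also encrypt the control channel,
# but the server config has to be switched at the same time.)
tls-auth ta.key 1
# Legacy data-channel cipher. OpenVPN 2.4+ peers negotiate the cipher
# (AES-256-GCM by default) over this line; it only matters as the fallback
# when negotiation is off. On a 2.5/2.6 client the replacement is
# `data-ciphers AES-256-GCM:AES-128-GCM`; a 2.4 client does not know that
# directive, which is why `cipher` is kept here.
cipher AES-256-CBC
verb 3
# `compress lz4-v2` deliberately removed: compressing before encryption leaks
# plaintext through packet sizes (the VORACLE class of attacks) and is
# deprecated in OpenVPN 2.6. The two ends must agree on compression -- drop
# the matching `compress` (and any `push "compress ..."`) line from the
# server config as well, or use `compress migrate` on the server while old
# profiles are still in circulation.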
2.5 测试
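# Pack the per-user bundle for delivery. It contains longrui.key and ta.key
# in the clear, so treat the archive as a secret: sz transfers it over the
# current terminal session (fine when that session is SSH; never e-mail it),
# and delete both the archive and the server-side copy of longrui.key once
# the user has imported it.
cd /data/openvpn/client/
tar -zcvf longrui.tar.gz longrui/
chmod 600 longrui.tar.gz
sz longrui.tar.gz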
#win10 安装客户端(这里不演示了)
https://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe
#注意:2.4.5-I601 是很旧的 2.4 系列版本;请从 openvpn.net 下载当前的 2.6.x 客户端安装包,并核对发布页给出的签名/校验值。
#将 longrui.tar.gz 解压后,把 longrui 目录里的文件(client.ovpn、ca.crt、longrui.crt、longrui.key、ta.key)复制到 OpenVPN 客户端的 config 目录,然后点击连接

#双击运行



#这样表示连接成功了

#测试连接 mysql 数据库端口


3 :安装包
官网下载地址:
openvpn 服务端下载地址:
https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz
openvpn 客户端下载地址:
https://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe
EasyRSA下载地址:
https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz
注:安装前请用官网 / GitHub 发布页给出的 GPG 签名或 sha256 校验值核对下载到的包,不要直接信任转载的链接。

添加防火墙规则:
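# Let VPN clients (tun0) reach the LAN behind bondmgt, and let only reply
# traffic come back. As written, the first rule forwards *every* LAN host and
# port to every VPN user; for an external-staff VPN, narrow it to what they
# actually need, e.g. append `-d <内网测试服务器IP> -p tcp --dport 3306` for
# the MySQL test at the end of this page.
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o bondmgt -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i bondmgt -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# SNAT VPN-client traffic as it leaves for the LAN. 10.160.131.0/24 must be
# the range the OpenVPN `server` directive hands out; zone masquerade only
# affects interfaces/sources assigned to that zone, so `internal` is only
# useful if bondmgt is in it.
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
firewall-cmd --zone=internal --add-masquerade --permanent
# --permanent rules are inert until reloaded.
firewall-cmd --reload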
以下是后来测试可用的写法,可以替代上面那组规则(两种写法二选一,不要叠加):
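# Zone-based alternative to the direct rules above (use one or the other).
# Caveat: enabling intra-zone forwarding on `public` lets every interface in
# that zone -- usually including the Internet-facing one -- forward to and
# from tun0. A dedicated zone for tun0 (e.g. `firewall-cmd --new-zone=vpn
# --permanent`) keeps the VPN path separate and lets its services be listed
# explicitly instead of forwarding everything.
firewall-cmd --permanent --zone=public --add-interface=tun0
firewall-cmd --permanent --zone=public --add-masquerade
firewall-cmd --permanent --zone=public --add-forward
# --permanent changes take effect only after a reload.
firewall-cmd --reload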
添加转发规则,允许 VPN 客户端的流量转发到内网。
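# Sign the client request. "wogong3" is the Common Name chosen at gen-req
# time; it is the identity OpenVPN will log for this user.
./easyrsa sign-req client wogong3

# Verify each issued certificate. -CAfile checks that it chains to our CA;
# -purpose sslclient additionally checks that it carries the client EKU, so a
# certificate of the wrong type is caught here rather than at connect time.
# (Paths are relative to the pki/ directory, as in the original.)
openssl verify -CAfile ca.crt -purpose sslclient issued/wogong2.crt
openssl verify -CAfile ca.crt -purpose sslclient issued/wogong3.crt

# Offboarding: a departed user's certificate stays valid until it expires
# unless it is revoked -- `./easyrsa revoke wogong3 && ./easyrsa gen-crl` --
# and the server config points `crl-verify` at the resulting pki/crl.pem.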