易陆发现互联网技术论坛

Installing and configuring an OpenVPN server on CentOS 6.5 or CentOS 7 and later

Posted on 2020-1-19 08:49:57

Environment:
  The OpenVPN server is installed on CentOS 6.5 or CentOS 7 or a later release;
  the OpenVPN client is installed on Windows 10;
Some of the steps closely resemble the certificate-signing steps in an earlier article on setting up a CA server;
OpenVPN is a secure VPN: it uses OpenSSL for SSL encryption and decryption;
My understanding of how OpenVPN works, in simple terms:
The OpenVPN client and server establish a logical, secure communication link over virtual network interfaces, and the data is then carried over the physical interface;
That is, first the OpenVPN server package is installed and the service started; the server then automatically creates a virtual interface tun0 for the secure channel and listens on a port, ready to accept client requests;
Second, after OpenVPN is installed on the client it also creates a virtual interface automatically, and the client is configured with the IP address of the server's physical interface and the listening port to connect to;
Third, once the certificate, key and password checks all pass, the VPN (virtual private network) is up;
Configuration steps:
Step 1: install the software
]# yum install openvpn easy-rsa
Step 2: prepare the directories and configuration files
]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars
]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
The files copied are: easyrsa, openssl-1.0.cnf, x509-types;
]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/
Edit the vars file:
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "OpenVPN CA"
set_var EASYRSA_REQ_EMAIL "4********4@.qq.com"
set_var EASYRSA_REQ_OU "My VPN"
Create the server certificate and key:
Step 1: initialise the directory:
   ]# cd /etc/openvpn/easy-rsa/
   ]# ./easyrsa init-pki
Step 2: create the root certificate:
   ]# ./easyrsa build-ca
   Enter PEM pass phrase: enter the PEM passphrase twice and remember it (the passphrase entered here is openvpn; it is needed later);
   ........
   Common Name (eg: your user, host, or server name) [Easy-RSA CA]: enter a name (opvpn-ca was entered)
   After pressing Enter it shows:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Step 3: create the server certificate request:
    ]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: (node2 was entered)
  After pressing Enter it shows:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Step 4: sign the server certificate:
  ]# ./easyrsa sign server server
After Enter, at Confirm request details: (enter yes)
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (enter the CA root certificate's PEM passphrase from before, openvpn)
After Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node2'
Certificate is to be certified until Apr 4 16:04:29 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Step 5: create the Diffie-Hellman parameters (the command that lets the key exchange cross an untrusted network safely):
  ]# ./easyrsa gen-dh
After Enter this takes a little while; at the end it shows:
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Step 6: generate the ta key file
  ]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
  Without this command, starting the server fails with:
Sat Apr 7 12:53:37 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
Create the client certificate and key:
Step 1: the process is the same as for the server:
  ]# mkdir /root/client
  ]# cd /root/client
  ]# cp -r /usr/share/easy-rsa/3.0.3/* ./
  ]# ./easyrsa init-pki
  ]# ./easyrsa gen-req client
After Enter it shows Enter PEM pass phrase: enter a passphrase; this is the one the client will use later when connecting to the server (vpnclient was entered)
Common Name (eg: your user, host, or server name) [client]: (client was entered; it is needed later)
  After Enter it shows:
Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key
Step 2: import the resulting clientone.req and then sign the certificate:
  ]# ./easyrsa import-req /root/client/pki/reqs/client.req client
  After Enter it shows:
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: clientone
You may now use this name to perform signing operations on this request.
Step 3: sign the certificate
  ]# ./easyrsa sign client client
After Enter, enter yes;
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (openvpn was entered)
  Note:
A client certificate is being generated here, so the first argument must be client, and the second argument client must match the name used when importing; the import step asks for a passphrase, which is the root certificate passphrase set at the very beginning, so do not mistype it; this is because OpenVPN uses one set of certificate and key files per client;
  After Enter it shows:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 4 16:38:37 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Copy the files
Copy the files the server needs to their locations:
]# cp pki/ca.crt /etc/openvpn/
]# cp pki/private/server.key /etc/openvpn/
]# cp pki/issued/server.crt /etc/openvpn/
]# cp pki/dh.pem /etc/openvpn/
]# cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
Copy the files the client needs to their locations:
# cp pki/ca.crt /root/client/
# cp pki/issued/client.crt /root/client/
# cp /root/client/pki/private/client.key /root/client/
# cp /etc/openvpn/easy-rsa/ta.key /root/client/
Edit the VPN configuration file:
]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 192.168.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Start the OpenVPN server:
]# openvpn /etc/openvpn/server.conf &
  After a successful start it shows: (screenshot of the startup output in the original post)

Or start it with systemctl:
systemctl -f enable openvpn@server.service
# enable the service at boot
systemctl start openvpn@server.service
# command to start openvpn
Configure the OpenVPN client on Windows 7:
Step 1: download the OpenVPN client
  Download link: http://openvpn.ustc.edu.cn/

The installation process is not covered here; the configuration is as follows:
  Download the relevant files into the designated directory:
  Take the four files client.crt, client.conf (renamed to client.ovpn), client.key and ta.key from the CentOS 7 machine and put them in the config directory under the installation directory;
Contents of client.ovpn:
client
dev tun
proto udp
remote 192.168.255.198 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
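A pre-flight check for the server.conf and client.ovpn pair shown above, written here as an added example (it is not from the original post): it confirms that every file a config references exists (the missing ta.key case from the server section) and that the two configs agree on the tls-auth key direction, proto, cipher and port, and that the client pins remote-cert-tls server. It assumes POSIX sh with sed and awk, and that paths in the config are absolute or relative to the config file's directory.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# OpenVPN server.conf / client.ovpn pair before starting the service.
# Assumes POSIX sh, sed and awk; config paths are absolute or relative
# to the directory that holds the config file.

# Field $3 of the first line whose first word is directive $2 in config $1
# (comments after '#' or ';' are stripped first; field 1 is the directive).
ovpn_field() {
  sed -e 's/[#;].*//' "$1" | awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }'
}

# Every file-referencing directive must point at an existing file; a missing
# ta.key is exactly the "cannot stat file 'ta.key'" error quoted in the post.
ovpn_check_files() {  # $1 = config file; returns 1 if anything is missing
  dir=$(dirname "$1"); bad=0
  for d in ca cert key dh tls-auth; do
    f=$(ovpn_field "$1" "$d" 2)
    [ -n "$f" ] || continue
    case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
    [ -f "$p" ] || { echo "$d: file not found: $p"; bad=1; }
  done
  return $bad
}

# Server and client settings that must agree: tls-auth key direction 0/1,
# same proto and cipher, client remote port = server port, remote-cert-tls.
ovpn_check_pair() {  # $1 = server.conf, $2 = client.ovpn; returns 1 on mismatch
  bad=0
  kd_s=$(ovpn_field "$1" tls-auth 3); kd_c=$(ovpn_field "$2" tls-auth 3)
  [ "$kd_s" = 0 ] && [ "$kd_c" = 1 ] ||
    { echo "tls-auth direction must be 0 (server) / 1 (client), got '$kd_s'/'$kd_c'"; bad=1; }
  for d in proto cipher; do
    [ "$(ovpn_field "$1" $d 2)" = "$(ovpn_field "$2" $d 2)" ] ||
      { echo "$d differs between server and client"; bad=1; }
  done
  [ "$(ovpn_field "$1" port 2)" = "$(ovpn_field "$2" remote 3)" ] ||
    { echo "client 'remote' port does not match server 'port'"; bad=1; }
  [ "$(ovpn_field "$2" remote-cert-tls 2)" = server ] ||
    { echo "client is missing 'remote-cert-tls server'"; bad=1; }
  return $bad
}

# Usage: sh ovpn-check.sh /etc/openvpn/server.conf /root/client/client.ovpn
if [ $# -eq 2 ]; then
  ovpn_check_files "$1" && ovpn_check_files "$2" && ovpn_check_pair "$1" "$2" && echo OK
fi
```

Run it on the server against both files before copying client.ovpn to Windows; any line it prints is a misconfiguration that would otherwise only surface as an options error or a failed TLS handshake.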
OpenVPN client login:
  Double-click the icon; a password prompt pops up, and entering the password set earlier, vpnclient, logs you in successfully;
  (screenshot in the original post) indicates a successful login;
When the OpenVPN icon turns green, the connection to the OpenVPN server has succeeded;