- 积分
- 16841
在线时间 小时
最后登录1970-1-1
|
马上注册,结交更多好友,享用更多功能,让你轻松玩转社区。
您需要 登录 才可以下载或查看,没有账号?开始注册
x
Centos8.5系统安装OpenVPN-超详细
" T2 j1 ~# \. m$ u% `& _6 b% e4 _
- S$ ~* N% C& H. u" w$ b需求:公司外部员工需要访问内部办公网服务器,所以需要搭建一个vpn提供外部员工使用。
0 L: p! V8 Z p+ H! { ]* {
$ c8 W; R" i% z6 v& |1: 环境6 ^/ q' ^9 u" m. Q+ @$ a
服务器系统:CentOS Linux release 8.5.2111# @, j' }* O7 d% z- U! |: q3 S/ i
服务器配置:不重要' q: y! o- A2 l8 E1 I) g# u
服务器IP:8 `/ T3 K; m( c; `6 v U
Openvpn服务器:
# \5 w* K, z3 _, B外网:
8 s+ n) u' N: l) @$ x+ E8 n内网:
8 ?& m$ ?9 g- p. K$ l1 U+ g) Z内网测试服务器:
' ?+ Z6 F/ z' G: X6 Dopenvpn客户端服务器网段:10.10.10.0/22' o# R2 C8 @+ ^$ V/ W
OpenVpn版本:openvpn-2.6.17' o1 B3 X# B; q+ v
easy-rsa版本:3.0.8* Q6 A' W2 F$ r7 }, l' k' z
) o0 D6 x2 z0 A" W" V安装包存放的路径:/usr/src/install/( A% w+ V, P0 s6 H1 o
程序安装目录:/data/openvpn
3 M/ h, B- |1 q* n+ R0 K4 y- k' b& z
备注:9 I& q. K \: w+ n! T, w
root# 代表在root用户下执行的命令0 v2 m) K( F6 b% r+ ~+ y ]
$ 代表是在普通用户下执行的命令1 y: Z" ^( V g
# 单个#号代表注释; h+ S+ I5 T: E9 M& G: l* h6 C
8 t7 j% ~. H* w3 P4 j9 x+ Q" W
- G: D2 q+ {( o, E- l2:安装步骤
9 z5 q0 M+ q9 l! r2.1 准备工作 Q/ O8 x! A9 B- I
(以下所有操作均在Openvpn服务器操作)
4 D# K2 K/ |. `3 I G2 I! Z; e# 关闭防火墙* L, F. d! K' e* z8 [' i' S
root# systemctl stop firewalld+ M' }4 p# v( [) ?
root# systemctl disable firewalld
$ r% d4 k; C" f/ E
" s: j1 H7 \- w# 关闭selinux% X' I' i, e3 ?, E( g3 ~$ M5 Q& n
root# sed -i 's/enforcing/disabled/' /etc/selinux/config
' k9 {9 e1 j4 ~# Groot# setenforce 0
1 H2 d& j% r% O4 u+ D3 P7 U
a3 u( x# G' ~: q6 y, g, e2 u, t# 安装依赖
; W! l3 E. l5 e- I: nroot# yum install -y vim wget lrzsz gcc-c++ openssl openssl-devel net-tools lzo lzo-devel pam pam-devel, x2 }5 C# z- ?! W9 E2 e
5 x- x/ B: J" C7 D1 U _/ l# 下载安装包9 _5 j2 { R# E$ ]
root# mkdir /tmp/install- V& Q( f) h# Z) M0 C& P6 t
root# cd /tmp/install
+ L) p7 Q! R" ~& j4 droot# wget https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz. Z/ L$ r! F& X9 I
root# wget https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz5 ]' q& L' J4 I$ y' u( T
2 |0 X8 Y7 p/ R- ]
- y8 |' u+ B4 J v# a" T8 ] S" B0 v2.2 安装OpenVpn和EasyRSA
- [4 ^( J- g! l3 D2 ] x#1)安装OpenVpn
6 E% z& D: p3 _root# cd /tmp/install$ [3 B7 e+ d6 N' {
. v/ ?2 q% V% b( t; o3 K#创建目录
! G( g. y2 F, s& K6 @" jroot# mkdir /data
5 g( H7 W( O/ ^2 J, `; V. I6 {8 l6 ?6 k) b" Z
#解压缩
0 A* R& j1 b' X9 _' Y: P+ kroot# tar -zxvf openvpn-2.6.17.tar.gz8 [& p+ B! W- L. e. m8 M
5 |: d, I' f" u: w* v& @5 R/ `
8 q- x/ s [3 S! n
dnf install -y autoconf automake libtool pkgconfig gcc gcc-c++ make openssl-devel lzo-devel pam-devel iproute lz4-devel python3-docutils libnl3-devel pkgconf-pkg-config libcap-ng-devel& f6 s& }# k: ]0 m3 `
3 \" _, _3 ]" w+ Y4 T+ droot# cd openvpn-2.6.17; H0 p( \' D7 a% Q$ ]1 g: D- ^
0 W9 J0 _ S, Z
4 h% f. t1 s2 I生成configure文件:
9 |/ U- O8 Q3 T( C r# O% T8 U" n/ w' O
# autoreconf -fi
2 w0 z, X2 t Y0 A/ Ulibtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, '.'.1 t, P" W( d0 U6 W
libtoolize: copying file './ltmain.sh'
7 C( X- q9 f c& rlibtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'." s$ p+ D( F/ [/ _4 Q! ]
libtoolize: copying file 'm4/libtool.m4'/ M: W9 O+ ~$ N+ O6 j/ P/ E
libtoolize: copying file 'm4/ltoptions.m4'
/ A5 H) [0 B. z1 r6 Glibtoolize: copying file 'm4/ltsugar.m4'- E+ `. _4 n2 ]( B" _! R
libtoolize: copying file 'm4/ltversion.m4'
1 [4 c1 i$ V/ K' L5 a/ D$ ilibtoolize: copying file 'm4/lt~obsolete.m4'( k, Y% F! o7 W" i+ V9 s V
libtoolize: Remember to add 'LT_INIT' to configure.ac.
2 b6 R. \8 Z# D7 W9 p+ r9 N% fconfigure.ac:74: installing './compile'
" G! b3 ~5 N; O xconfigure.ac:73: installing './config.guess'7 M3 V4 a+ |0 a$ H& A
configure.ac:73: installing './config.sub'
: U7 g0 C4 b9 {configure.ac:72: installing './install-sh'
" ~0 \' O3 O8 iconfigure.ac:72: installing './missing'1 B3 u2 k* z) K$ H2 {
src/compat/Makefile.am: installing './depcomp'
; ^, v* r! c3 j1 Y; i/ C. c( G) X7 s& Y+ y# C; r
( E+ @# b+ a9 @dnf install -y libnl-3-dev pkgconf-pkg-config
* W8 Z o$ x- E1 E+ m/ O2 r% V2 s8 S J" W+ Q8 O! L
#--prefix= 后面路径是安装openvpn到那个文件路径下5 h, K7 M4 I+ Y# t) ]8 m
root# ./configure --prefix=/data/openvpn/+ X; W4 g* Z# p% c
% ?" f# S5 r# l2 t7 D
#编译
' J* c- }) y/ a3 t' ~root# make && make install F6 A8 x& b- I. V9 v3 k6 C
: X/ i2 O; g7 P: G* t#添加openvpn的环境变量! k9 m4 J) }- O8 u. H
root# echo -e "PATH=\$PATH:/data/openvpn/sbin" >/etc/profile.d/openvpn256.sh
0 T! k9 n5 {* F0 h
/ ^ @1 ~9 y) D W#加载环境变量
* h8 _ _+ E9 p% `. Qroot# source /etc/profile
9 O3 M& X9 K9 X- z/ l( z
$ o% q5 ^8 k6 G8 U( i8 [$ h6 Z#执行下面的命令看看是否成功,出现以下内容表示成功
$ I. Q( v1 S0 r* V$ w3 C7 @+ G* [. Q& i6 h' r `1 D$ k
# openvpn --version
* N& n8 j2 N$ j% sOpenVPN 2.6.17 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]. T- ]8 _3 r; C, z
library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
& D% O$ p" a* b [& w8 nDCO version: N/A2 L6 x0 l2 f+ D8 b8 I2 x }- U0 I
Originally developed by James Yonan; ~7 i4 Q! `$ P# p. K3 X# O( F
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>3 i3 w( e9 [: \1 U: U/ k$ s1 S6 g
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=auto enable_dco_arg=auto enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no6 c1 o, \0 b4 V: z& b
7 Q u5 }" z$ D1 m, H( @#2)安装EasyRSA' Z' R7 w/ m2 Q
root# cd /tmp/install9 x1 N: g0 \# p. ]- X& ^! \
root# tar -zxvf easy-rsa-3.2.2.tar.gz9 h# t# P" w* \: w* f
# cp -r easy-rsa-3.2.2 /data/easyRSA-3.3.2
3 c, H! v B3 p) d' m" b7 z$ l1 J
7 K3 r: V# |# I% ~
# K( A+ {2 {( ]! f2.3 服务端配置
% K) @5 g9 `7 b& F+ J2.3.1 准备CA签发机构环境% D# t" Q# ?# }7 ]4 t$ L' g
#拷贝EasyRSA
+ S, j+ c u) Z: uroot# cp -r /data/EasyRSA /data/openvpn/easy-rsa-server
# X1 q- G0 Z, k' `: b) fcp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-server- P, z2 Z7 d% r" f& C
' _0 `. F4 `+ |# j/ v2 g9 Q
& t0 r/ Q5 i( J) B
root# cd /data/openvpn/easy-rsa-server4 n! ~/ q+ D5 [
cd /data/openvpn/easy-rsa-server/easyrsa3
0 D# S) {3 p& }
3 f$ E7 Y: J$ {#准备签发证书的默认变量文件2 ^: ?; t% H6 r8 y. M' x: o1 f
root# egrep -v "^$|^#" vars.example >vars
: b6 ~) _* n, [! S. e' l6 W' y/ B3 U {6 n7 [" l2 ^2 H8 |5 T
[root@openvpn easyrsa3]# egrep -v "^$|^#" vars.example > vars' t2 x) `% C9 o6 q/ R
[root@openvpn easyrsa3]# cat vars
- K+ ~3 z2 t, \, B: h; P; F; Pif [ -z "$EASYRSA_CALLER" ]; then
! y- C0 Z5 A# _- P! c echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
' O0 F& p+ V2 y echo "no longer necessary and is disallowed. See the section called" >&23 t c$ H! x+ p
echo "*How to use this file* near the top comments for more details." >&2
9 A3 S' w( h ^6 L& \. y return 1) J3 q. r; N6 a# g3 G ?; o! k+ s0 ~
fi
( Q& `, A/ m% m4 x' ]% e: b# f( _1 W2 v5 h; i, ~' c B
. r3 C8 g+ M" x! k1 A
: N. d7 R+ g$ |4 ~. i#编辑vars文件,在最后一行增加以下内容
~0 d7 j9 ]: R. x, broot# vim vars
# N' ^7 w1 ^" ] G) @! M#添加参数,设置CA证书有效期为100年(日期可以你自己决定设置多长)0 ~! p7 F7 @. P' `' Y4 [& u
set_var EASYRSA_CA_EXPIRE 365000 T7 l0 y: X. O9 D( w
#添加参数,设置服务器证书为10年
- Y5 u3 W$ `9 Y S t0 |) \set_var EASYRSA_CERT_EXPIRE 36505 T" D$ N; E7 `; J" V- u
3 Q9 J, x! |( I3 Q$ m1 N0 Q% ?9 o
9 `" `8 s3 @8 A' W" J2 l查看配置vars的内容:
) V, R" Y8 h9 V* f% y' n. V+ M3 l/ m3 A1 p- [% h+ `" V8 C
5 q+ N8 t; K1 e- e6 e# h) W+ Bif [ -z "$EASYRSA_CALLER" ]; then+ w- }) W% U1 A. @: [7 z
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2+ O0 W7 Y' r7 r( |
echo "This is no longer necessary and is disallowed. See the section called" >&2, @# k6 U6 ]5 i, Y
echo "'How to use this file' near the top comments for more details." >&22 a5 }' e; F8 u `3 e) m
return 1
* Y# t. W( Q: _; jfi. P- A( `0 O( d4 ~- l+ I
set_var EASYRSA_CA_EXPIRE 36500: @$ S6 Z! d \1 Q0 E
set_var EASYRSA_CERT_EXPIRE 7300
: H3 n* P9 Q7 T7 `. f4 d* ` ]
7 [* s5 n, b3 j9 Y* W. @
+ C6 \+ o2 O1 p5 D2.3.2 创建CA机构与服务器证书1 _2 S% y6 R" |* Q' e9 Y! a% u: X
#1)创建CA机构8 S0 d+ m( d! }& v$ n a
root# cd /data/openvpn/easy-rsa-server
2 i6 K8 X3 D8 X9 Z g4 L! Lcd /data/openvpn/easy-rsa-server/easyrsa3
k/ ?: Z w5 N' Y& n" ?9 y4 v5 j( `7 i7 i
#初始化,执行此命令会生成pki目录
3 h& |, r6 ?3 H4 p/ H( c6 w) g% ~ ~% | K9 G
[root@openvpn easyrsa3]# ls( ?$ B. Y+ y& E! Z8 m2 V# ~, b
easyrsa openssl-easyrsa.cnf vars vars.example x509-types- A/ ]* R3 C- q
[root@openvpn easyrsa3]# ./easyrsa init-pki
' n! u3 Q& m& ~5 _0 [Using Easy-RSA 'vars' configuration:
5 @3 n, y: e& k* x8 T* R* /data/openvpn/easy-rsa-server/easyrsa3/vars
) l, e' Q' ~2 f1 q9 s4 L. ~- l% w# a3 J$ q" W {' @! o' ]3 c/ |; r! ~( v
Notice
5 f: A2 E: L) r! C/ Q+ s------
$ ^, w; d$ \+ F$ ^" e, b! b' h'init-pki' complete; you may now create a CA or requests.
) M2 t% ?* E* }: Q5 `: [5 E3 X5 n- b1 I8 Z6 [% C
Your newly created PKI dir is:
1 G) @# U# Y+ x3 V/ X; m' L* /data/openvpn/easy-rsa-server/easyrsa3/pki' k; K* Z8 m0 x2 y2 y! C1 Y1 v* _
) r( {9 g; `2 U3 l
Using Easy-RSA configuration:
3 _9 b- A& ^4 ~/ r b* /data/openvpn/easy-rsa-server/easyrsa3/vars! X8 M- Q' b% V4 h, V- U, {, p
[root@openvpn easyrsa3]# ls
: u# K8 E" U" p& x3 w: Zeasyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
0 @/ B: ?6 }/ N& d+ c! l5 o! o8 ~+ f. l! G+ T m; C* V4 U6 k
3 e/ J' m1 S) o8 m) [8 l5 O
3 e2 X$ B7 X8 B, u: `- e; x! F0 t" |#创建CA机构,nopass代表不需要密码的意思
' z, B- w2 G, E4 f4 X( w6 croot# ./easyrsa build-ca nopass h+ Z8 `$ i* R3 M
7 [' n( m& d: a: }$ {# t5 h2 ~: W. ~
( c! d3 f5 C# h( b L, j4 o
[root@openvpn easyrsa3]# ./easyrsa build-ca nopass+ n G& D7 q5 x$ ]; a$ f6 a
Using Easy-RSA 'vars' configuration:
! D! C9 i% L5 p4 Y" s/ H* /data/openvpn/easy-rsa-server/easyrsa3/vars
0 K+ @3 W, z" q* |" J..+++++. z0 Y+ A. L+ N8 B# R# e( f) `
.........+++++( N7 L1 g* i" l: p9 T c
You are about to be asked to enter information that will be incorporated- Z3 S: t v# M8 [' M& h: [* @
into your certificate request. \, J: F5 D: A' z6 c
What you are about to enter is what is called a Distinguished Name or a DN.+ G# N0 e- t6 n! R
There are quite a few fields but you can leave some blank
; K% j/ ?/ c" [5 f% X) C3 [For some fields there will be a default value,# E, }3 B) b; o" R, q# @) O8 j
If you enter '.', the field will be left blank.
/ J0 L$ h9 k( q; M-----
& x2 V' B7 u) ? o9 c1 S8 OCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:jckj
! p: V$ I$ J/ d7 R: v5 }( b4 a2 f3 {8 W# F2 v' }
Notice
4 q# T% [# K6 ^1 n------9 m6 X: x4 T# D- R
CA creation complete. Your new CA certificate is at:
, G2 r1 w: ^( L2 Z9 W* /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt
( f3 ?! D% S0 i/ m+ T) r1 f# Y( C8 a: B# i4 C
Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'& `% Y' B# D6 s6 u o+ c8 s* H
* ~. m" e; j! S# {Build-ca completed successfully.
0 H4 H, U: y3 \* V) G# V: E" Y$ R4 [# p, _# ?
" z. [' J3 |/ L" b
% ]" f$ j! r1 J3 Q- r#执行创建ca机构成功的话,会出现下面的这个ca.crt文件
- v. {8 R! m3 t @. j9 XYour new CA certificate file for publishing is at:
$ k9 x: T9 l/ q- L% s* }/ {/ B/data/openvpn/easy-rsa-server/pki/ca.crt; T0 [( {6 k! e+ @/ o
4 a; s7 E, V4 m, O" G#CA证书文件# q) |* l* \2 m; y
; Z& M( ? m' x3 L0 ?5 d7 O& [[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt
: ?$ y1 L# j6 A( a-rw-------. 1 root root 1176 Jan 17 12:19 /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt7 f% N3 E% m! @8 R
& T1 g$ c! u9 E. D: X1 ?' `. f; h1 l
#CA秘钥文件4 Z: x9 n2 s3 B
. o& V" I8 A4 T( @4 b& A
[root@openvpn easyrsa3]# ls -l /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key . s. [$ |! v3 I* B$ D. F
-rw-------. 1 root root 1704 Jan 17 12:17 /data/openvpn/easy-rsa-server/easyrsa3/pki/private/ca.key1 b# g; E' t) L6 s$ ?
4 P4 {- g2 U$ l6 v! O
7 b7 A* W" r9 Y" d, t: W1 Z' W#2)创建服务端证书 D2 E+ @; A: g. J& C
root# cd /data/openvpn/easy-rsa-server
- e/ f8 d }1 B, n- U- w: Tcd /data/openvpn/easy-rsa-server/easyrsa3
. i& _2 ~: g8 Z#创建服务端证书申请文件,openvpnserver为了区别参数标识,我这里设置为openvpnserver,如果你自己安装的话可以使用默认的server 这个名称9 {7 M& Y9 ?4 N! m9 m( {3 U) w* {- v
root# ./easyrsa gen-req openvpnserver nopass
e- d! Y# V5 V$ Z$ B g$ t& O# F; w9 v: A8 _# X
# {8 [- M( q' |' S8 P0 p. e
1 X5 [" a& I, J" J$ I& O( V) i& m: _8 p; h3 v
[root@openvpn easyrsa3]# ./easyrsa gen-req openvpnserver nopass
j' B: V' G; `1 t. F, mUsing Easy-RSA 'vars' configuration:
1 s v% d. ?- @# @$ C+ r4 d# w* /data/openvpn/easy-rsa-server/easyrsa3/vars3 [+ Z: ?7 d# J: O B( [
Generating a RSA private key
4 K2 q- U2 h: S3 O3 i' N.............................+++++
. n- Q- m7 ~* N; p) D$ O.................................................................+++++4 v% t' i9 n! l5 K! p
writing new private key to '/data/openvpn/easy-rsa-server/easyrsa3/pki/253f5ec5/temp.2.1'3 J- U" w5 x+ H+ |) }) k% Z
-----! _' K+ `- B( {* {$ G3 g, I: b
You are about to be asked to enter information that will be incorporated
# }1 V! f4 o- i: P# S- rinto your certificate request.
# d2 ^- ^" }. Y! o+ Q1 W4 `% @/ RWhat you are about to enter is what is called a Distinguished Name or a DN.
4 l5 ~& u% ~. j* ?5 dThere are quite a few fields but you can leave some blank/ V: N' d' |6 w- S
For some fields there will be a default value,* _ y9 X0 S) r& Q4 N& Z$ f5 ]
If you enter '.', the field will be left blank.
* R, n# I; W1 m- Q% U. [------ k4 W* ?# z3 L* S2 C( r
Common Name (eg: your user, host, or server name) [openvpnserver]: 回车4 u/ z* |+ O+ u) D: D
3 ~& ]( C5 O7 jNotice
% x0 h) g0 I8 z! Y# f" {5 B. {------
# w5 o. f, x2 X$ {, v( U3 fPrivate-Key and Public-Certificate-Request files created.5 |- b. K* |7 a4 h
Your files are:
/ o7 M/ m$ \+ V5 g' }& H2 {: R9 f* req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req
- d& O% [* W3 t3 N( G9 U x1 D O* key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key, }: z [7 L6 X% `% Z' a8 z
- G: b* T4 b% T+ h. P u) G
4 K2 _ [4 [0 v! ^3 F8 c( `! V8 s: L6 B0 [- D& b4 a
) z' q# }$ Q! V- d#默认回车就行
- Z) M/ i9 ?4 `4 \, |& V% wCommon Name (eg: your user, host, or server name) [openvpnserver]:: P2 p1 ?4 _8 [
Keypair and certificate request completed. Your files are:
3 C' t2 O1 b1 m- J6 H3 g
- d5 F- P/ r6 O9 ]6 D* U: I$ Y& e& o2 n" L# j+ z
* k3 ]/ K) H) e' A3 c' q+ B! o
' m* `4 O; z/ i. t& C#请求文件/ F5 w& r' @- Q
req: /data/openvpn/easy-rsa-server/easyrsa3/pki/reqs/openvpnserver.req- L( W, Y5 Y1 Y
#私钥文件* M! k: f/ u- U6 ?7 P, {3 }* y
key: /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key
& `- T0 @2 W4 P s5 u- C
1 b( w. l4 ?, ?4 V#3)签发服务端证书
$ ]5 d1 ]1 k: @& f绿色部分不做:
- a8 a2 _, B a- A( {+ wroot# cd /data/openvpn/easy-rsa-server
) q8 \) K7 p( Bcd /data/openvpn/easy-rsa-server/easyrsa3! K, y. ?* y( q2 p" u
#这里的server是代表服务端意思,openvpnserver这个是上面我们创建的服务端证书的名称
( g+ b+ V" Q7 J5 c, i) l& x2 hroot# ./easyrsa sign server openvpnserver
1 U' s3 v0 J6 L1 o5 Z. e! m#输入yes
3 S; ]8 W3 V" J' I# fType the word 'yes' to continue, or any other input to abort.# n% h" c1 w! ]* K4 T
Confirm request details: yes3 `+ a6 z8 D+ e$ @) o" L
#服务端的证书文件
l m0 c# G2 ZCertificate created at: /data/openvpn/easy-rsa-server/pki/issued/openvpnserver.crt5 c. h7 S3 ]; Y: D3 [ d
. C1 F. _. j4 p/ \4 J
' E/ `$ D/ K- f8 V
' \" t1 q- o8 X( ][root@openvpn easyrsa3]# ./easyrsa sign server openvpnserver# t- A5 M& A( z) D) j& K: `+ ~
Using Easy-RSA 'vars' configuration:5 _ ?- J! S4 D! v- a7 g9 |8 G% v
* /data/openvpn/easy-rsa-server/easyrsa3/vars% L6 Q! G: c' F/ P% R* @
Please check over the details shown below for accuracy. Note that this request2 |5 G; p5 j- Z. F
has not been cryptographically verified. Please be sure it came from a trusted
7 q& j3 o! N% v) x/ p1 }; ?5 Usource or that you have verified the request checksum with the sender.: C! M- u/ ]: [/ [0 C
You are about to sign the following certificate:
6 v. a3 |' z: t+ T# \! W
. h" p( n, O! ~7 \3 m3 y" G- d Requested CN: 'openvpnserver'
/ `* N% g. z: ]" l9 m" [$ ` Requested type: 'server'. H& S9 N2 O+ ]6 ?) T
Valid for: '365' days* D9 y7 h7 H+ I/ y9 _
& s8 Y, O! ~5 G' b' _7 p6 o& j2 v5 a4 r) E& F
subject= V; \2 d+ @4 U' `; h
commonName = openvpnserver0 i5 G+ X2 P( i3 J# z8 N+ ~
3 o1 }7 X' T2 p# Q% p; e- S
Type the word 'yes' to continue, or any other input to abort.
* R4 M# q$ l4 ?) R Confirm requested details: yes
9 \& Z/ v- A }; ]
; \' Y4 z% \; } d! F* D1 T7 yUsing configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/774d5125/temp.1.1
# A. @9 s( l0 mCheck that the request matches the signature" M1 q* [9 o1 E( y, v) W
Signature ok
# C, U0 Q" `" P4 kThe Subject's Distinguished Name is as follows
7 N$ z" o7 l) }! f9 @commonName :ASN.1 12:'openvpnserver'1 O% [: G/ n1 f
Certificate is to be certified until Jan 17 04:25:48 2027 GMT (365 days)
# w' ?/ q) m# Z0 \ x( x( _# O; s* t" n* ~/ a5 s( }9 g
Write out database with 1 new entries
$ Y! X& j6 `; B4 [5 L" [Data Base Updated5 Q9 k1 v9 u% f# Y
6 x. v! E J- `" B' xNotice
! f7 t0 j7 Z% V------8 {/ M7 C" a* x& P7 Y4 h2 ~. [
Inline file created:
( u0 w$ s% \7 o; h! U. A; u* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/private/openvpnserver.inline7 |' d0 A* K' ?' J
' G: V& O: ?3 M' s
+ |' b3 E* A5 S# b/ \Notice" V W v8 C1 q# J8 B D c
------
0 T0 |. ?0 z% i2 H w* B8 A$ ~; x7 kCertificate created at:
4 ^2 B& I- i4 D* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt
4 i; {7 h* k% V7 _3 m' S4 Z& d7 \ A k+ S7 \, ?1 X
' @( a m8 }; Y/ h6 v8 Q) a; z6 }4 C2 L4 o% ?
#4)创建交互秘钥7 k: B1 t0 |( S9 d
root# cd /data/openvpn/easy-rsa-server
) J. X3 t) C, Icd /data/openvpn/easy-rsa-server/easyrsa3- [; ?% Z# K: O
root# ./easyrsa gen-dh
1 J: l4 ?/ g/ l9 B) Z1 \DH parameters of size 2048 created at /data/openvpn/easy-rsa-server/pki/dh.pem, D! ~% t- i2 N: K) |6 k" L
% ]+ Z$ ~4 `' p9 c' J+ J5 g
6 C7 k0 j+ ]2 o: \+ D6 l[root@openvpn easyrsa3]# ./easyrsa gen-dh
x$ ?$ @2 Z3 ^# a; sUsing Easy-RSA 'vars' configuration:
$ u: U* o; Z% s3 o* /data/openvpn/easy-rsa-server/easyrsa3/vars3 Y5 c1 j7 I3 z, ]; C
Generating DH parameters, 2048 bit long safe prime, generator 2) V( Q( ~$ w- |. E" E, [
This is going to take a long time$ d: l6 c! E% h! |* }
............................................................................................+...........+..............................................+.....................................+.................................+....................................................+.........................................................................................................+...................+.................................................................................................................................................................................+......................................................+.............................................................................+..............................................................................+...............................................................................................................+........................................+....................................+............................................+.............................................................................................+........................................................................................................++*++*++*++*
, n: w1 _1 T+ z j GDH parameters appear to be ok.
. y6 Q( M5 f" R. s, A
" v- N8 i6 [3 S7 FNotice
9 X! N9 M" G ^. G------
; `5 j% ?7 y( S; L, v: S; d
' k v: o. ?: _# O' g; wDH parameters of size 2048 created at:0 c2 `8 R, }' w; A& I: f* O
* /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem( V7 H9 J) S5 y- B& ]+ s
# J1 T; z0 ` n+ e) L* S: L
+ N* j) R8 D O: } [$ A' q' W5 e- F$ @/ ]( X
#5) 启用安全增强配置
5 P. A5 W$ m& d. W$ S) j8 Zroot# cd /data/openvpn/easy-rsa-server' H: u4 X4 h. [" M
cd /data/openvpn/easy-rsa-server/easyrsa3- Q6 O2 L& d( Z s
: m+ U+ l, ?$ z, h$ P) Y2 J' Z
root# openvpn --genkey tls-auth ta.key
$ ]; z7 y6 I5 q3 C9 U2 Z/ Y5 \6 e9 f7 W
$ B5 r$ C, P& j; \2 {
[root@openvpn easyrsa3]# openvpn --genkey tls-auth ta.key( o# @2 Y" p2 c. ]* ]% o3 y5 o
[root@openvpn easyrsa3]# ls
9 j# \' D3 X3 _7 T5 \. Neasyrsa openssl-easyrsa.cnf pki ta.key vars vars.example x509-types
0 J0 b/ D5 o* I8 X- I# H# g& |& O[root@openvpn easyrsa3]# * c0 l* G( \# q- K* q+ `
$ z2 D6 w; o; A. R# ]/ H; j' m: U F7 v H8 N2 z9 ?
# P% N/ b* T; ~5 ^6 C
2.3.3 OpenVPN服务端配置
. m* F+ O9 i/ k2 c#创建openvpn用户
4 l7 E1 ]# ]( O' J# Q. S. Q# f9 |. Xroot# groupadd openvpn5 {7 C% b: b! h4 g, b, H* _/ x/ ?9 y
root# useradd -M -s /sbin/nologin -g openvpn openvpn
[- ]% X- K2 j/ I" m
0 W( o: c! Z0 d% [[root@localhost easy-rsa-server]# groupadd openvpn6 w7 x5 a. }0 m/ V& D. z
[root@localhost easy-rsa-server]# useradd -M -s /sbin/nologin -g openvpn openvpn
0 ~" W- [9 b5 `3 `) a
8 |, W2 D/ j5 ^+ P! ^: t+ q; E! \" C7 N1 B
# 创建证书存放目录1 ^ b9 ~3 \" a4 g% W3 h8 f
root# mkdir /data/openvpn/certificate& c$ r( O K/ `% a9 b+ R: A
% P% j4 \& e8 i
# 创建日志存放目录6 r w+ g! s6 O8 B# y
root# mkdir /data/openvpn/logs% o2 x8 ^% Y# v$ l9 K
root# chown openvpn. /data/openvpn/logs9 w4 r D4 K8 M9 z* @
" m. Q1 g- f0 r5 L+ B% z
0 @' t2 U& P/ e) o( i6 {[root@localhost logs]# chown -R openvpn. /data/openvpn/logs/6 @3 t6 @' N% A
; W2 n% t$ x8 u
y+ p `/ h% H* J- j4 g! I$ k# 将服务端证书秘钥和交互秘钥复制到certificate目录, z- _ w/ Z1 J }
. `# P t6 p+ k+ Y9 X2 K[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/ca.crt /data/openvpn/certificate/
3 ]) d+ v" k# R" `7 |) }[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/openvpnserver.crt /data/openvpn/certificate/
9 G# H& H# N& S5 B! q[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/private/openvpnserver.key /data/openvpn/certificate/
y; Z5 q! P2 `6 D% W2 l[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/pki/dh.pem /data/openvpn/certificate/; d& _5 b, _; A4 } G3 z# _5 T4 p* S
[root@openvpn easyrsa3]# cp /data/openvpn/easy-rsa-server/easyrsa3/ta.key /data/openvpn/certificate/
4 l5 t( m1 }4 y: I( @
h H9 }* [4 M: p#添加配置文件8 u2 T4 c( T$ F' l
root# cd /data/openvpn/
) C" C, n$ n% m, broot# vim /data/openvpn/server.conf
% E% M* a7 o2 Z1 }0 O* O#__server.conf—stat___0 C- W( i; E" q. r6 b- Q9 @# d
#端口. H$ o5 o# h4 c
port 1195
, R+ `6 m2 M- N" b: m4 W- P#协议
6 {: \5 m# P! n# Lproto tcp9 r- [% ?! W6 w" ]0 p
dev tun
, W8 c7 M% F7 d" Q7 N#ca证书文件4 S: C4 l5 j1 {# w$ v4 m" W
ca /data/openvpn/certificate/ca.crt& r! [2 X. E0 n4 }0 q
#服务端证书文件
/ J! { A$ {; Bcert /data/openvpn/certificate/openvpnserver.crt
. S- p( f2 s% t# Y& V2 c#服务端私钥文件
; I4 C) E. ~! L/ z" V! Gkey /data/openvpn/certificate/openvpnserver.key
1 Q9 `" |2 M, K% d" N. S#交换秘钥文件
9 ]6 Q9 X/ r9 ldh /data/openvpn/certificate/dh.pem
3 y) E, f* e, K, A#安全增强文件,0是服务端,1是客户端
/ Q8 v# `7 j, S3 mtls-auth /data/openvpn/certificate/ta.key 0
( @; n( h$ _+ e/ a0 V! j#分配客户端IP的网段,不能和服务器一个网段,不能冲突' z, }3 H9 w* |6 U$ w, D9 ]' L
server 10.8.0.0 255.255.255.0. X; i$ K) ]7 C# y) R. ~
#运行通讯的内网路由,可以多条
9 @6 O8 V. G }& Z' ypush "route 192.168.0.0 255.255.255.0" r1 P: I$ k2 ]. ~! l
$ r9 q7 j/ M3 e
push "route 192.168.6.0 255.255.255.0"+ C9 c( |0 j( R# `; L# g1 `" l) _
push "route 172.30.1.0 255.255.252.0"
' ^ B( R+ W) R. ]& J#会话检测,每十秒测试一下,超过120秒没回应就认为对方down) S/ E p4 E& w R
keepalive 10 120. Z5 w1 O! W7 [0 L3 X1 K
#加密算法
w& H& x$ \ k4 P. `7 |* O& S! |cipher AES-256-CBC
# Q I4 X# s1 K+ N#压缩算法% f3 B1 a/ Y- _' T* ^) U/ X& U
compress lz4-v2" z6 F! x1 r) U9 W) N
#推送客户端使用lz4-v2算法: r1 \7 j+ K0 j
push "compress lz4-v2"* K) ]9 }. J R0 ]3 L7 U; U6 n
#最大客户端数
5 X# g+ P* q- G- o/ E6 t$ k" hmax-clients 100
$ ]* h( x8 y/ j- X" U/ c* O#运行openvpn的用户和用户组# T W+ n! C! A. J/ Q8 y
user openvpn0 A1 L$ {# I' b5 G
group openvpn* L; A6 o* T; M" f \5 ~5 T
#状态日志
$ @' N: I5 W8 _; C3 e$ Y. n6 nstatus /data/openvpn/logs/openvpn-status.log
o* k. W' e: z* alog-append /data/openvpn/logs/openvpn.log3 E; ?/ ]% |; N
#日志级别
% w0 a( C8 ?+ K9 j! l& }/ vverb 3/ a4 V2 F, k' u# f2 m
mute 20
* ^! D+ S" Y; ^/ h#__server.conf—end___
! f9 |7 R* a0 s4 W& r+ ^1 L c9 T$ W. Q& f, B
# I2 @) {, F. d- {; G" Z
#内核转发规则5 T" m& M' Z' G! {/ ^& _7 K
root# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf& F7 j. Z) B% G/ b4 Q
root# sysctl -p- w2 |5 l: k) n+ p& Y
/ K' w; D- Y2 L& g1 k* w* S+ J. K#iptablesNAT规则3 b% n& P' E0 ~
#这里的ip就是server.conf 中的server 10.10.10.0 255.255.252.0 ;添加转发规则到开机启动项
5 F. R2 I4 w, t2 i4 H+ o; froot#echo 'iptables -t nat -A POSTROUTING -s 10.10.10.0/22 -j MASQUERADE' >> /etc/rc.d/rc.local$ e3 E5 q: z% l6 x! ~+ p
root#echo 'iptables -t nat -A POSTROUTING -s 172.30.1.0/22 -j MASQUERADE' >> /etc/rc.d/rc.local
* t) g' V' R+ J3 Troot# chmod +x /etc/rc.d/rc.local% }7 H+ z# n0 U* x& m/ s# T1 e
root# /etc/rc.d/rc.local* l/ C; @7 ~" y( P
4 }* k" Y1 k" W. X* e2 }
2 J+ \, F2 b/ t% }上面的可以暂时不执行,都使用firewall-cmd方式添加 : 0 J" K7 S. K2 ~* Z+ A% v, K
firewall-cmd --permanent --zone=public --add-interface=tun0% Q+ L% U' x S
firewall-cmd --permanent --zone=public --add-masquerade
# E( x" G+ X1 l2 u2 M6 hfirewall-cmd --permanent --add-forward7 ^+ V M% ?1 D- L
6 B& A- c5 \) i1 X添加转发规则。允许可通行。- K( t& i$ W! G0 @; k: w Q
' }+ k' Q- [0 t3 P
6 t2 J. J9 m9 x. ~8 p3 F& ^6 F6 x3 ^; l8 b' o* m
2.3.4 启动OpenVPN
: W4 Z, E. Q, d2 |2 d# 创建启动文件: V& \& w; C2 j2 z7 E6 H. H2 b6 ^
root# vim /etc/systemd/system/openvpn.service
/ { h7 e. ] F* Q3 L2 q. V1 q' W[Unit]' T9 D) d. J+ s! d3 q, W+ _# Q
Description=OpenVPN Server
# Q4 p) p5 t) d" E, F4 B3 ?After=network.target" d5 v9 t8 x7 Y6 c
After=syslog.target$ L. e& e, ^: r) q: j
+ C! V3 M* c# r4 }' I3 j" D[Install]
# |; G4 @- S& X' X! fWantedBy=multi-user.target5 c' B" |, B2 p/ v( Y1 A
7 y1 b5 Z v$ `7 u- C3 {, ^4 p: T
[Service]
0 I7 c1 k0 j% E: @) wExecStart=/data/openvpn/sbin/openvpn --config /data/openvpn/server.conf9 r: k4 g* V, B1 z7 F* }8 {( G
5 R4 E1 k3 ]. a
1 ^' h, V/ @! H#加载系统服务, j: j" o0 f) ?& j; N' D
root# systemctl daemon-reload
! X& ?* [% [) p! D#开机启动
% z7 W" }. T! m3 d4 Lroot# systemctl enable openvpn.service
& Q. T$ y8 l. z% g#启动服务: p6 T6 w% o9 C' }% y* u
root# systemctl start openvpn.service' L4 m0 z: j3 K( I: l
#查看服务运行状态
' B& `; Z0 x2 V% b% mroot# systemctl status openvpn.service; {% M( F( i7 C2 h$ E
* E% v, }$ S5 e1 O7 W) y
( N' [/ A# z% B% w6 V% _0 J2.4 客户端文件配置
- E; E: W; g8 L2.4.1 准备客户端证书
t8 V, m, @! L Z- X! b#1)创建客户端申请证书5 E+ m8 b( m3 {2 b/ u
$ b% b, R% ]- X) F
[root@openvpn data]# cp -r /data/easyRSA-3.3.2/ /data/openvpn/easy-rsa-client
4 l5 W. R! d$ S! z[root@openvpn data]# cd /data/openvpn/easy-rsa-client/easyrsa3/% O& w1 z) ?4 b
[root@openvpn easyrsa3]# ls( g0 N, ?% t" L- P
easyrsa openssl-easyrsa.cnf vars.example x509-types# o. Q6 b, f! ?, `1 V
[root@openvpn easyrsa3]# ; \! C1 X, d1 Z( v' Z
6 C$ E1 T: v& ]
- F9 J8 U( k. V- A9 l: I5 A j) a! M' x4 o5 m7 [2 t7 P
#初始化,执行此命令会生成pki目录$ Y% F+ C5 e- h- |" l
root# ./easyrsa init-pki0 \9 Q8 G6 P; f* b
8 W$ j3 x9 l/ t6 A
" M f! k6 n0 S! X[root@openvpn easyrsa3]# ./easyrsa init-pki O# {3 e* Q T! q
3 S' b% L) Q* qNotice
- u8 W0 h& h2 b8 t0 V' @------
" r& A+ q! w% P) g3 u& Y'init-pki' complete; you may now create a CA or requests.4 L# {* v& ~, y& z" r
' ]4 o$ X4 i: k6 V, S
Your newly created PKI dir is:
3 g* k( h* T2 T, ^* X* /data/openvpn/easy-rsa-client/easyrsa3/pki
4 e+ G" H0 Q) X5 w+ X0 Y. u$ ?3 E1 l; S9 K& M( o
Using Easy-RSA configuration:( W! h( D% K+ C: @; X
* undefined
5 r- b& w1 T/ j( D. ^$ l3 j5 l a g6 f) J4 w ` l
( v$ U6 X/ U( s" z( {#创建客户端申请证书,我这里用的是名字全拼
* M: Q" `9 n8 q) J z1 U( Y! n# d5 H$ \5 u: L8 ]
; H6 ^( I- J' b! {; l
. ^+ q) `! j6 X: A' p[root@openvpn easyrsa3]# ./easyrsa gen-req longrui nopass! W U5 @& ^. {: M. \1 h8 T8 S
Generating a RSA private key
8 J& }9 I0 ?1 K: k..+++++
# c1 m2 ?9 F7 y5 E5 x.......+++++# n& S3 p+ l9 C
writing new private key to '/data/openvpn/easy-rsa-client/easyrsa3/pki/2f9b0fd7/temp.2.1'+ d1 L3 v }8 {8 g2 j1 w
-----
4 M7 @* P! k, e& O$ ?" L( QYou are about to be asked to enter information that will be incorporated
2 O T# n3 }: N$ m0 y. P& einto your certificate request.
0 W4 Q. M5 |3 a) a3 tWhat you are about to enter is what is called a Distinguished Name or a DN.
* q8 T5 W: b# bThere are quite a few fields but you can leave some blank
& e( b9 `1 h3 R# `8 UFor some fields there will be a default value,
% N/ x- f- h% j. _If you enter '.', the field will be left blank.. N2 X- ~5 B" ]; c6 e; G
-----
4 A; P9 `, e/ P% Q# ?" s9 A2 N5 vCommon Name (eg: your user, host, or server name) [longrui]:
0 c$ E8 v" n5 R5 E
' R1 T# Z2 Q6 C; k- gNotice- g4 Y, r8 C1 {* @. E
------
! F$ E" ?2 F' j' rPrivate-Key and Public-Certificate-Request files created.
7 { m* l2 Q& t* [6 a! J& P0 j2 MYour files are:
7 p" S0 z7 Z8 F' [9 ~' d& _8 \* req: /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req3 M$ K) k# K9 u8 E! h
* key: /data/openvpn/easy-rsa-client/easyrsa3/pki/private/longrui.key
/ i5 M0 |) d( K: d+ L* B) J6 U6 n; v ]1 V
; j& I# Z: a5 L
. ]- a- x7 S& o; F2 E. D9 y
#2)服务端签发证书
! S. P- ]2 u6 K! n$ r, `! ~2 K2 a* K- }
[root@openvpn easy-rsa-server]# cd /data/openvpn/easy-rsa-server/easyrsa3/! Q2 D4 R( _3 x* M1 W9 J
[root@openvpn easyrsa3]# 1 T M6 p$ D& c9 R" w) Q* Y
! w+ D& V! p& h& z
#将客户端证书复制到CA工作目录1 ^/ B0 L2 q( v4 }) A' C" m& ?
2 _5 L$ {. ?; z0 d$ j. Z& u3 o. e/ R
[root@openvpn easyrsa3]# ./easyrsa import-req /data/openvpn/easy-rsa-client/easyrsa3/pki/reqs/longrui.req longrui" t$ h/ A( Y: C7 H& N# n6 a
Using Easy-RSA 'vars' configuration:+ |6 h5 u- Y1 t1 A9 |
* /data/openvpn/easy-rsa-server/easyrsa3/vars% U- @3 F( R3 y8 X$ u& u
1 q+ h3 p: `. ?9 _9 u# W5 _/ P, f' z
Notice
: t$ I i1 C2 E. z) |. \7 ^! [' S9 S------, C. Q3 G$ g6 L! {* Y9 }6 W* t
Request successfully imported with short-name: longrui' y \# b0 D2 ]; i$ @8 E
This request is now ready to be signed.
4 u x0 u5 p1 a" g' X, ]
: q, M# ?; V% _/ S
) q; X+ ^% K+ z6 q! j% r4 x4 K+ q& F; P" n& e3 W: x
#设置客户端证书有效期,我这里设置的是90天
7 q" B$ n$ D4 D5 M. Mroot# sed -i "s/set_var EASYRSA_CERT_EXPIRE.*$/set_var EASYRSA_CERT_EXPIRE\t90/g" ./vars
1 {6 @8 O+ R! m( P5 A' t# ~#签发证书
+ X8 Q, y7 k0 J+ A3 `root# ./easyrsa sign client longrui3 t" K- I, \4 t& N, }3 b# t
#输入yes
4 R& y& B* m+ vType the word 'yes' to continue, or any other input to abort." B8 G3 _$ v$ {$ ~! k
Confirm request details:yes
4 O: d; `9 v2 L% ]8 i$ L0 z1 x6 s; m- Y- e3 G7 b( ~9 z
/ P- \; t* T" G! G. s9 p#生成的证书1 V5 Y3 H8 g& M1 \6 N8 G, K3 r S4 c3 G+ ?
Certificate created at: /data/openvpn/easy-rsa-server/pki/issued/longrui.crt3 j+ g4 Q- q6 Q9 j$ Z
6 |, l4 F! U7 `% j) t) p1 L1 [
1 Z, S& I0 S+ H( g[root@openvpn easyrsa3]# ./easyrsa sign client longrui 6 v5 f: T9 M7 d0 u# j7 a
Using Easy-RSA 'vars' configuration:3 F$ W; K. d: ^+ [' |
* /data/openvpn/easy-rsa-server/easyrsa3/vars
0 o; u5 E$ C3 O7 ? J; q8 n8 `8 mPlease check over the details shown below for accuracy. Note that this request' h# q( h! X# {9 w2 m9 w
has not been cryptographically verified. Please be sure it came from a trusted! V: A# n2 L, S* L$ z; q( P
source or that you have verified the request checksum with the sender.9 ?. R8 c9 @/ }9 T, Y7 ~
You are about to sign the following certificate:8 v& b- E* x5 x+ g/ o
/ L( }# a+ W6 c5 \5 o+ e+ v Requested CN: 'longrui'
; ~0 J+ t! I3 @ G# @ Requested type: 'client'0 D1 Z! L4 k0 O, H5 A$ {+ S
Valid for: '365' days
7 i2 Q: W9 Y9 d$ f, u
- Z, V5 n* c+ k
7 F; Q: T: ?; a/ |subject=
! L: y f2 [7 f: @- J" M, G w commonName = longrui
# J( ?1 D2 j* U+ |
2 e$ e- u4 y, _# g: ?" Y: B0 L5 GType the word 'yes' to continue, or any other input to abort.! A: Q: e9 u, V% A
Confirm requested details: yes
# v# K( v3 A, z7 v: E8 s+ {7 W" K
6 y: h' i6 G0 p) e* I' fUsing configuration from /data/openvpn/easy-rsa-server/easyrsa3/pki/48fc94cb/temp.1.14 P' S3 u0 d5 z: j5 k" o$ `& r0 ~
Check that the request matches the signature6 C; G4 {( Q, M' F
Signature ok
7 B: t+ T' c0 P4 f$ yThe Subject's Distinguished Name is as follows
7 O# R9 {" K8 K3 YcommonName :ASN.1 12:'longrui'
8 P7 b( @0 E' m' O# L1 KCertificate is to be certified until Jan 17 07:12:25 2027 GMT (365 days)9 R/ m. I F8 V. i+ w% m( X
5 ~0 f& O! ]1 x& |2 d8 R
Write out database with 1 new entries
( i$ ^" R' A# KData Base Updated8 B- Z/ q1 E6 @6 H+ k( Q; t! e( j
' i0 O' R, A3 P }$ v+ U: V7 s+ B" vWARNING
( }& v$ u% m7 D7 }2 `4 m=======( P; `. @0 b) g
INCOMPLETE Inline file created:/ B) o3 E( T8 m" h% n2 Q9 v" q) I
* /data/openvpn/easy-rsa-server/easyrsa3/pki/inline/longrui.inline3 E$ k3 f9 H8 S: D# [
5 f7 r% `2 [. h6 Z4 R
# }' k; L5 Z! ~7 p/ B+ a' Z5 ZNotice
9 K& N: f6 L" f/ ^' y0 l9 ^8 K------
7 f) T+ g4 w$ F% m- ?# f( oCertificate created at:
9 M9 k+ r+ R( F7 |$ u R* /data/openvpn/easy-rsa-server/easyrsa3/pki/issued/longrui.crt/ F/ ^2 F! t, C3 j) R5 Z; [) I* N
1 ~8 v, @) b* Q: @# D4 N) X
& Z5 E4 m' a5 A* S' m# R2.4.2 准备客户端配置文件
6 e! d. b5 _. l# d1 i9 E- L2 M#创建存放目录5 s8 }& a/ y+ h3 e) z
root# mkdir /data/openvpn/client/
) p2 [* f+ E% R#创建张三证书存放的目录
9 o& _5 B% P( D! Eroot# mkdir /data/openvpn/client/longrui
& B3 s' G7 J* B: F: `#复制证书
) y3 e( }; [; |. g! B3 ?
( P, k+ K( Z- b4 y' L/ z( U" M6 A, s' ^) L
[root@openvpn easyrsa3]# mkdir /data/openvpn/client/longrui
6 [, r- L/ I1 F7 o) C4 d3 v/ C[root@openvpn easyrsa3]# find /data/openvpn/ \( -name "longrui.key" -o -name "longrui.crt" -o -name "ca.crt" -o -name "ta.key" \) -exec cp {} /data/openvpn/client/longrui \;
8 a9 j/ N ~0 U" R* Z) m9 Tcp: '/data/openvpn/client/longrui/longrui.crt' and '/data/openvpn/client/longrui/longrui.crt' are the same file' B, {1 l* y) ^) M
cp: '/data/openvpn/client/longrui/ca.crt' and '/data/openvpn/client/longrui/ca.crt' are the same file
# L8 o( I9 q) c7 Mcp: '/data/openvpn/client/longrui/ta.key' and '/data/openvpn/client/longrui/ta.key' are the same file
0 V" e) L9 R% t& T6 Pcp: '/data/openvpn/client/longrui/longrui.key' and '/data/openvpn/client/longrui/longrui.key' are the same file
3 x# t9 i5 v$ H( u0 f: D+ B) p! c- [; t* ]9 w, Z- {0 D, H: I! S& k, ~
9 |' |! g2 g+ L, O* L# c3 b9 A8 A' l G& o2 O: I9 G- Y& l
[root@openvpn2 ~]# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
0 F4 i! M0 R) @5 d: msuccess
6 R) l4 z/ ]" p# d[root@openvpn2 ~]# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 1 -s 172.30.0.0/22 -j MASQUERADE
5 i7 N8 ?3 k+ s( _; q% Z5 ?3 v, @success& S7 s2 b, K& _3 d6 X+ A( X
$ ~7 }- O* P0 |/ \
firewall-cmd --add-interface=tun0
2 Y2 l( ]! _1 L
! W' U2 _5 o$ H4 p3 m9 e修改文件:3 e! {" p0 L) W+ O( P% b" W/ e
root# vim /data/openvpn/client/longrui/client.ovpn
, h3 c$ c8 U% w( iclient) s! X, a2 ?9 l6 |
dev tun, y9 _% z. \, w, L9 E* ], g& s
proto tcp
4 o y% G0 W0 D2 aremote 公网ip 1194: j% U/ n3 z: ]
resolv-retry infinite! _0 v7 R1 k( L4 g9 b
nobind9 K" r7 `+ r! ]& \7 N6 x7 G; d+ H
ca ca.crt
8 {4 N) p# {/ m% M3 ~0 \. jcert longrui.crt+ V1 d" r* |$ H2 P& m
key longrui.key
; \. t9 G; E- @3 Yremote-cert-tls server
N1 ?: B4 e6 `1 ytls-auth ta.key 1 m0 r+ b3 D( c' I+ z# q
cipher AES-256-CBC* z8 r. O' W, ]/ {
verb 33 F& Z" v) _$ M- D
compress lz4-v2; @; m" _3 _1 P6 h* g7 q9 \
4 e9 m; v. X" i- k% U
6 L5 g- X' P2 t6 C! o6 n P2.5 测试; I. C Z6 O" r
#将证书下载下来
7 k6 R" I$ S% v; ?root# cd /data/openvpn/client/& v. f J, X4 o% E. y# A$ \; n
root# tar -zcvf longrui.tar.gz longrui2 L6 J0 _8 Z2 I: L3 ]
root# sz longrui.tar.gz
$ t5 G5 K6 L- }1 m: G: J" I, Z$ F+ S$ O2 W
#win10 安装客户端(这里不演示了)
$ } n- U! X9 |0 ?, Q2 `' k; Ohttps://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe- Z6 e" ^+ a7 M7 T
#将 zhangsan.tar.gz 复制到 openvpn的config目录,然后点击链接, H% q9 y9 h; H4 ?, N
9 G/ N8 v+ d, h) S. D8 B5 a0 }
& Z3 E8 S" n# J- p#双击运行
) ]1 c7 {! r9 A L4 @4 W, g3 [3 A# F% h9 R, _ A3 ]% \4 m
) e% y0 S* e |1 j0 O5 l9 x
8 Q, b' T l2 ]$ y; O! J#这样表示链接成功了, F4 ~7 e: K* b7 @) W5 @5 S2 \3 |
+ k7 ] ^$ J4 U9 j+ d( s* A( e2 w
/ w/ J2 P P3 P/ p0 T, j+ Y#测试连接mysql数据库端口( ?/ q( O. s) t. G
& Y9 y: D( P4 ]
& _8 o5 F0 c) B' [8 e2 u4 i
6 }- j( ^0 I- T" I" N3 }& @$ ]: Q; K3 :安装包: N R" m5 `% f5 J. x6 k
官网下载地址:( e& u# t4 D. i" C, N9 l6 l& }. L
openvpn 服务端下载地址:
8 ^' ]/ t- T, X }( @https://swupdate.openvpn.org/com ... penvpn-2.5.6.tar.gz8 H K3 S4 \# e
openvpn 客户端下载地址:
9 A0 L: T/ R v6 l1 `https://swupdate.openvpn.org/com ... tall-2.4.5-I601.exe. O0 y& D+ E a0 K
EasyRSA下载地址:' r5 q% s2 x1 ~1 r3 M
https://github.com/OpenVPN/easy- ... 8/EasyRSA-3.0.8.tgz6 e) b3 |$ b+ V; j1 c, B, q& G
9 {& z3 I B. S% k/ }; }# v& Y9 G2 z' E- G$ |' A
添加防火墙规则:' P$ }' O& M0 y& m5 w
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o bondmgt -j ACCEPT
6 A. D- `2 K K* j" l( n firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i bondmgt -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT4 [, l' r# r5 k
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.160.131.0/24 -j MASQUERADE
$ J: i7 L0 ?: L. ofirewall-cmd --zone=internal --add-masquerade --permanent2 N7 s' K; e6 m$ e S; ]' P
8 t8 B$ [& r5 O- [: S6 \
这是后面测试的结果,上面的可以暂时不执行:
- p/ b) ?( P# N: h% A4 O" nfirewall-cmd --permanent --zone=public --add-interface=tun0
% f* t* Z# G, y" P' Q5 kfirewall-cmd --permanent --zone=public --add-masquerade0 ^ m! R5 F3 r9 }1 j
firewall-cmd --permanent --add-forward7 ^+ V M% ?1 D- L" V4 \$ x: r+ v
添加转发规则。允许可通行。 |
: C% c g" K4 f6 C
7 R0 \) X8 v- Q4 R7 J4 p- V' @" q- c5 \3 I
./easyrsa sign-req client wogong3
8 ]: Y# V2 F. n#wogong3为创建客户端的证书的Common Name Q# k' ]% j" B7 j- ^
验证证书是否正确$ ?7 v5 v1 P+ o' A- x) J$ @. S
openssl verify -CAfile ca.crt issued/wogong2.crt/ s E' H; ?6 n6 V; X5 S
openssl verify -CAfile ca.crt issued/wogong3.crt
- _4 y& J: _" S5 A$ |% ~, R; ?' B4 e
9 G/ ^6 J) X1 Q2 J" b6 N) K4 {# S9 z4 x7 z1 Q( l! [ C/ k$ x
v( X( U+ `# |# z2 w
( Y* F7 P+ {! h% b- W4 I- `' u/ O4 y& ^
. l6 H- v1 r8 E: Q" R) D8 w$ `; S; l8 h2 m6 P0 A7 ~
( b) P* m* l! z/ m# j( m4 k: u" M3 g8 o ~# ?
|
|
/4 
窥视卡
雷达卡
发表于 2026-1-17 13:18:00
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
楼主
发表于 2026-3-11 10:47:45
