Setting up OpenVPN on CentOS 7

zze
2020-04-01

Preparing directories and files

1. Install the required packages:

$ yum install openvpn easy-rsa -y

2. Prepare the related files (the version numbers in the paths below are the ones installed at the time; adjust them to the easy-rsa and openvpn packages you actually have):

$ mkdir /etc/openvpn/easy-rsa
$ cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easy-rsa/vars
$ cp -r /usr/share/easy-rsa/3.0.6/* /etc/openvpn/easy-rsa/
$ cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/
$ cd /etc/openvpn/easy-rsa/
$ cat << EOF >> vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Guangdong"
set_var EASYRSA_REQ_CITY "Shenzhen"
set_var EASYRSA_REQ_ORG "openvpnca"
set_var EASYRSA_REQ_EMAIL "632404164@qq.com"
set_var EASYRSA_REQ_OU  "openvpn"
EOF

Generating the server certificate and key

1. Initialize: this creates a PKI directory under the current directory to hold the certificates:

$ ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

2. Create the root CA certificate. You will be prompted for a passphrase; the CA needs it every time it signs a server or client certificate later:

$ ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus
......+++
..........................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openvpnca

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Enter New CA Key Passphrase: enter a passphrase here; I used openvpn.

3. Create the server certificate request and private key. nopass means the private key is stored unencrypted, which is what the server needs in order to load it unattended at startup:

$ ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...........................+++
.................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.vt52mhEeV9'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:node2

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

4. Sign the server certificate. Easy-RSA first shows the request details for confirmation (type yes), then asks for the CA passphrase set when the root CA was created (openvpn in my case):

$ ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = node2


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'node2'
Certificate is to be certified until Mar 17 11:29:00 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

5. Generate the Diffie-Hellman parameters used for the key exchange; this takes a while:

$ ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....................................................................................................


DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

6. Generate the tls-auth key file (optional). It is a shared HMAC key: the server and every client need a copy, and with it the server discards control-channel packets that lack a valid HMAC before any TLS handshake takes place:

$ openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key

Generating the client certificate and key

1. Prepare the directory and files:

$ mkdir /root/client
$ cd /root/client
$ cp -r /usr/share/easy-rsa/3.0.6/* ./

2. Initialize: this creates a PKI directory under the current directory to hold the certificates:

$ ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/pki

3. Create the client certificate request and private key. Unlike the server step, nopass is not given here, so the private key is encrypted and you are prompted for a PEM passphrase:

$ ./easyrsa gen-req client

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.................................+++
.....+++
writing new private key to '/root/client/pki/private/client.key.jfvebm2QiS'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:client    

Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key

Enter PEM pass phrase: this is the passphrase protecting the client's private key; the client has to enter it when it connects. I used openvpn here.

4. Import the client's certificate request into the server-side CA:

$ cd /etc/openvpn/easy-rsa
$ ./easyrsa import-req /root/client/pki/reqs/client.req client

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: client
You may now use this name to perform signing operations on this request

5. Sign the client certificate. Confirm the details with yes, then enter the CA passphrase set when the root CA was created (again openvpn in my case):

$ ./easyrsa sign client client

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Mar 17 11:48:44 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

Moving the files into place

1. Copy the files the server needs (run from /etc/openvpn/easy-rsa):

$ cp pki/ca.crt /etc/openvpn/
$ cp pki/private/server.key /etc/openvpn/
$ cp pki/issued/server.crt /etc/openvpn/
$ cp pki/dh.pem /etc/openvpn/
$ cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/

2. Copy the files the client needs:

$ cp pki/ca.crt /root/client/
$ cp pki/issued/client.crt /root/client/
$ cp /root/client/pki/private/client.key /root/client/
$ cp /etc/openvpn/easy-rsa/ta.key /root/client/
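Before the server files go into /etc/openvpn and the client files are handed out, it is worth checking that each certificate really chains to this CA, that the key next to it is its private key, and that it carries the extended key usage Easy-RSA sets for its type (serverAuth for `sign server`, clientAuth for `sign client`). The script below is an added example, not part of the original post or of Easy-RSA; it assumes only the openssl CLI. `check_pair` is the reusable check; `make_demo_pki` builds a throwaway PKI (constructed here, not the Easy-RSA one above) so the script can be tried offline, including a self-signed "rogue" certificate with the server's CN that must be rejected.

```shell
#!/bin/sh
# Added example (not from the original post): verify an Easy-RSA output set before
# copying it into /etc/openvpn or shipping it to a client. Assumes openssl in PATH.
set -eu

# check_pair CA CERT KEY EKU_TEXT -> 0 when CERT chains to CA, KEY is CERT's private
# key, and CERT carries the extended key usage EKU_TEXT as openssl prints it:
#   "TLS Web Server Authentication" for certificates from `easyrsa sign server`
#   "TLS Web Client Authentication" for certificates from `easyrsa sign client`
check_pair() {
  ca=$1; cert=$2; key=$3; eku=$4
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL $cert: does not chain to $ca"; return 1
  fi
  cmod=$(openssl x509 -noout -modulus -in "$cert")
  kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || kmod=unreadable
  if [ "$cmod" != "$kmod" ]; then
    echo "FAIL $cert: $key is not its private key"; return 1
  fi
  if ! openssl x509 -noout -text -in "$cert" | grep -A1 'Extended Key Usage' | grep -q "$eku"; then
    echo "FAIL $cert: missing extended key usage '$eku'"; return 1
  fi
  echo "OK   $cert"
}

# issue DIR NAME CN EKU -> DIR/NAME.crt and DIR/NAME.key signed by DIR/ca.crt
# (plain openssl stand-in for `easyrsa gen-req` + `easyrsa sign`)
issue() {
  dir=$1; name=$2; cn=$3; eku=$4
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.req" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# make_demo_pki DIR -> throwaway CA, a server pair (CN node2) and a client pair with the
# EKUs Easy-RSA would set, plus a self-signed rogue cert with the server's CN (constructed demo data)
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=demo-ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue "$dir" server node2  serverAuth
  issue "$dir" client client clientAuth
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=node2 \
    -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
}

# `sh check_pki.sh demo` runs the checks against the throwaway PKI; the last two are expected to fail
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_demo_pki "$d"; cd "$d"
  check_pair ca.crt server.crt server.key 'TLS Web Server Authentication'
  check_pair ca.crt client.crt client.key 'TLS Web Client Authentication'
  check_pair ca.crt rogue.crt  rogue.key  'TLS Web Server Authentication' || true
  check_pair ca.crt client.crt client.key 'TLS Web Server Authentication' || true
fi
```

Against the real files from this post, run it from /etc/openvpn/easy-rsa as `check_pair pki/ca.crt pki/issued/server.crt pki/private/server.key 'TLS Web Server Authentication'`; for the client key, which is passphrase-protected, openssl will prompt for the PEM passphrase. The EKU check matters because the client profile later in this post relies on the server certificate being distinguishable from client certificates.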

Server configuration and startup

1. Edit the configuration file as follows:

$ vim /etc/openvpn/server.conf
user root				# runs the daemon as root; the sample config's "user nobody" / "group nobody"
group root				# drop privileges after startup and are the safer choice
port 1194				# listening port
proto tcp				# transport protocol
dev tun					# routed tunnel mode (tun)
ca /etc/openvpn/ca.crt			# CA certificate
cert /etc/openvpn/server.crt		# server certificate
key /etc/openvpn/server.key		# server private key
dh /etc/openvpn/dh.pem			# Diffie-Hellman parameters
server 10.0.2.0 255.255.255.0		# address pool handed to clients; any subnet not in use on this host
ifconfig-pool-persist ipp.txt		# file recording which address each client was given
push "route 172.16.1.0 255.255.255.0"	# let clients reach the internal 172.16.1.0/24 network
push "dhcp-option DNS 225.5.5.5"	# DNS server pushed to clients (225.5.5.5 is in the multicast range and is not a usable resolver; put a real one here)
keepalive 10 120			# ping every 10 s; treat the peer as down after 120 s without a reply
#tls-auth /etc/openvpn/ta.key 0		# tls-auth key (commented out here; if enabled, every client needs "tls-auth ta.key 1")
max-clients 100				# at most 100 concurrent clients
persist-key				# on restart after a keepalive timeout, keep the already-loaded keys instead of re-reading them
persist-tun				# on restart, keep the tun device up instead of taking it down and back up
status openvpn-status.log		# status log file
log /var/log/openvpn.log		# openvpn log file
verb 3					# log verbosity level (0-9)

2. Enable IP forwarding in the kernel:

$ sysctl -w net.ipv4.ip_forward=1
$ echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf 

3. Start the service:

# in the foreground
$ openvpn /etc/openvpn/server.conf
# as a daemon
$ openvpn --daemon --config /etc/openvpn/server.conf

Client configuration and use

1. My machine runs macOS, so the client used here is Tunnelblick.

2. Download the client certificate and key files and the CA file generated on the server into ~/Documents/OpenVPN/config on the Mac:

$ ls
ca.crt      client.crt  client.key

These files are in /root/client on the server.

3. Under ~/Documents/OpenVPN/config, create a client configuration file named client.ovpn with the following content:

$ cat client.ovpn 
client                  # this instance is a client
dev tun                 # routed tunnel mode (tun)
proto tcp               # transport protocol; must match the server's proto
remote 10.0.1.61 1194   # OpenVPN server address and port (change to your server's address)
resolv-retry infinite   # keep retrying the connection after a drop; useful on unstable networks
nobind                  # do not bind to a fixed local port
ca ca.crt               # CA certificate
cert client.crt         # this client's certificate
key client.key          # this client's private key (passphrase-protected, see above)
verb 3                  # log verbosity level, 0-9; higher is more detailed
persist-key             # on restart after a keepalive timeout, keep the already-loaded keys instead of re-reading them
persist-tun             # on restart, keep the tun device up instead of taking it down and back up

4. The ~/Documents/OpenVPN/config directory on the Mac now contains:

$ ls
ca.crt      client.crt  client.key  client.ovpn

5. Double-click client.ovpn: Tunnelblick opens it and connects.
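The client.ovpn above trusts any certificate signed by the CA as the server, so a leaked client certificate would be enough to impersonate the server towards other clients. OpenVPN's `remote-cert-tls server` directive closes that gap by requiring the serverAuth extended key usage that `easyrsa sign server` sets. The script below is an added example, not from the original post or from Tunnelblick: it builds a single-file profile with the certificates inlined (so only one file is copied to the Mac) and adds that check, a TLS 1.2 floor and an explicit data-channel cipher. It assumes the file names used in this post (ca.crt, client.crt, client.key, optional ta.key) and emits the tls-auth section only when ta.key is present; in that case the server's `tls-auth /etc/openvpn/ta.key 0` line above must be uncommented, otherwise the handshake fails.

```shell
#!/bin/sh
# Added example (not from the original post): assemble /root/client/* into one
# hardened .ovpn profile. Assumes the file names used in the post.
set -eu

# inline TAG FILE -> prints FILE wrapped in <TAG> ... </TAG>, OpenVPN's inline-file syntax
inline() { printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"; }

# build_ovpn SRC_DIR REMOTE_HOST REMOTE_PORT OUT_FILE -> 0 on success, 1 if a file is missing
build_ovpn() {
  src=$1; host=$2; port=$3; out=$4
  for f in ca.crt client.crt client.key; do
    [ -s "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
  done
  {
    printf 'client\ndev tun\nproto tcp\nremote %s %s\n' "$host" "$port"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\nverb 3\n'
    # Only accept a server certificate carrying the serverAuth EKU; without this,
    # any certificate signed by the CA (including another client's) would do.
    printf 'remote-cert-tls server\n'
    # Refuse TLS < 1.2 on the control channel and name the data-channel cipher explicitly.
    printf 'tls-version-min 1.2\ncipher AES-256-GCM\n'
    inline ca   "$src/ca.crt"
    inline cert "$src/client.crt"
    inline key  "$src/client.key"
    if [ -s "$src/ta.key" ]; then
      # Pairs with "tls-auth ta.key 0" on the server; 1 is the client key direction.
      printf 'key-direction 1\n'
      inline tls-auth "$src/ta.key"
    fi
  } > "$out"
  chmod 600 "$out"   # the profile now contains the private key
}

# e.g. build_ovpn /root/client 10.0.1.61 1194 /root/client/client.ovpn
```

Run it on the server as `sh build_ovpn.sh` after sourcing, or call `build_ovpn /root/client 10.0.1.61 1194 /root/client/client.ovpn` and copy only the resulting client.ovpn to the Mac. The private key inside it is still passphrase-protected, so Tunnelblick prompts for the PEM passphrase on connect exactly as with the separate files.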

Internal host configuration

At this point the client's packets reach the OpenVPN server's internal address, but other hosts on the server's internal subnet cannot be reached: those backend hosts have no route back to the client subnet 10.0.2.0/24, so their replies never arrive and pings fail. There are two ways to fix this.

Method one

Add a route to the 10.0.2.0/24 network on every backend host, with the OpenVPN server's internal address as the gateway (the route below is not persistent; put it in the host's network configuration as well so it survives a reboot):

$ route add  -net 10.0.2.0/24 gw 172.16.1.61
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        172.16.1.61     255.255.255.0   UG    0      0        0 eth1

Method two

Alternatively, do SNAT on the OpenVPN machine, so the backend hosts see the traffic as coming from 172.16.1.61 and need no extra route. The trade-off is that backend logs then show the VPN server's address instead of the individual client's 10.0.2.x address; and like the route above, this rule is not persistent unless it is saved:

$ iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d 172.16.1.0/24 -j SNAT --to-source 172.16.1.61

Bonus

After all this fiddling by hand, there is also a ready-made one-click deployment method; see the following link:
