Preparing directories and files
1. Install the required packages:
$ yum install openvpn easy-rsa -y
2. Prepare the related files:
$ mkdir /etc/openvpn/easy-rsa
$ cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easy-rsa/vars
$ cp -r /usr/share/easy-rsa/3.0.6/* /etc/openvpn/easy-rsa/
$ cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/
$ cd /etc/openvpn/easy-rsa/
$ cat << EOF >> vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Guangdong"
set_var EASYRSA_REQ_CITY "Shenzhen"
set_var EASYRSA_REQ_ORG "openvpnca"
set_var EASYRSA_REQ_EMAIL "632404164@qq.com"
set_var EASYRSA_REQ_OU "openvpn"
EOF
Generating the server certificate and key
1. Initialize: create a PKI directory under the current directory to store the certificates:
$ ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
2. Create the root certificate. You will be prompted to set a passphrase, which the CA uses later when signing the server and client certificates:
$ ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
......+++
..........................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openvpnca
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
At the Enter New CA Key Passphrase: prompt, enter the passphrase; I entered openvpn here.
3. Create the server certificate request and private key; nopass means the private key file is left unencrypted:
$ ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...........................+++
.................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.vt52mhEeV9'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:node2
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
4. Sign the server certificate. First confirm the details shown by typing yes, then enter the passphrase set when creating the CA root certificate (mine is openvpn):
$ ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = node2
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node2'
Certificate is to be certified until Mar 17 11:29:00 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
5. Generate the Diffie-Hellman parameters file used for the Diffie-Hellman key exchange. This takes a while:
$ ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....................................................................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
6. Generate the ta key file (optional):
$ openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
Generating the client certificate and key
1. Prepare the directory and files:
$ mkdir /root/client
$ cd /root/client
$ cp -r /usr/share/easy-rsa/3.0.6/* ./
2. Initialize: create a PKI directory under the current directory to store the certificates:
$ ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/pki
3. Create the client certificate request and private key. Adding nopass would leave the private key file unencrypted; it is omitted here, so you are asked for a passphrase:
$ ./easyrsa gen-req client
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.................................+++
.....+++
writing new private key to '/root/client/pki/private/client.key.jfvebm2QiS'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:client
Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key
At the Enter PEM pass phrase: prompt, set the client key passphrase; it is required when the client connects. I entered openvpn here.
4. Import the certificate request:
$ cd /etc/openvpn/easy-rsa
$ ./easyrsa import-req /root/client/pki/reqs/client.req client
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: client
You may now use this name to perform signing operations on this request
5. Sign the client certificate. First confirm the details shown by typing yes, then enter the passphrase set when creating the CA root certificate, which for me is also openvpn:
$ ./easyrsa sign client client
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Mar 17 11:48:44 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Moving the files into place
1. Copy the files the server needs into place:
$ cp pki/ca.crt /etc/openvpn/
$ cp pki/private/server.key /etc/openvpn/
$ cp pki/issued/server.crt /etc/openvpn/
$ cp pki/dh.pem /etc/openvpn/
$ cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
2. Copy the files the client needs into place:
$ cp pki/ca.crt /root/client/
$ cp pki/issued/client.crt /root/client/
$ cp /root/client/pki/private/client.key /root/client/
$ cp /etc/openvpn/easy-rsa/ta.key /root/client/
Server configuration and startup
1. Edit the configuration file as follows:
$ vim /etc/openvpn/server.conf
user root # the sample config suggests nobody; root keeps full privileges after startup
group root
port 1194 # listening port
proto tcp # transport protocol
dev tun # routed tunnel mode (tun)
ca /etc/openvpn/ca.crt # CA certificate path
cert /etc/openvpn/server.crt # server certificate path
key /etc/openvpn/server.key # server private key path
dh /etc/openvpn/dh.pem # Diffie-Hellman parameters
server 10.0.2.0 255.255.255.0 # address pool handed to clients; any subnet not used on this host
ifconfig-pool-persist ipp.txt # file recording the address pool assignments
push "route 172.16.1.0 255.255.255.0" # let clients reach the internal 172.16.1.0 subnet
push "dhcp-option DNS 225.5.5.5" # DNS server pushed to clients
keepalive 10 120 # liveness check: ping every 10 seconds, treat the peer as down after 120 seconds without a reply
#tls-auth /etc/openvpn/ta.key 0 # ta key file (disabled here; if enabled, clients need tls-auth ta.key 1)
max-clients 100 # at most 100 concurrent clients
persist-key # on restart after a keepalive timeout, keep the keys already loaded instead of re-reading them
persist-tun # on restart after a timeout, keep the tun device up instead of taking it down and up again
status openvpn-status.log # status log file
log /var/log/openvpn.log # openvpn log file
verb 3 # log verbosity level (0-9)
2. Enable kernel IP forwarding:
$ sysctl -w net.ipv4.ip_forward=1
$ echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
3. Start the service:
# start in the foreground
$ openvpn /etc/openvpn/server.conf
# start as a daemon
$ openvpn --daemon --config /etc/openvpn/server.conf
Client configuration and use
1. My system is macOS, and the client software used here is Tunnelblick (see its download page).
2. Download the client key files and the ca file generated on the server into the ~/Documents/OpenVPN/config directory on macOS, as follows:
$ ls
ca.crt client.crt client.key
These files are in the /root/client directory on the server.
3. Under ~/Documents/OpenVPN/config, create a client configuration file named client.ovpn with the following contents:
$ cat client.ovpn
client # this side is the VPN client
dev tun # tun tunnel device
proto tcp # use TCP, matching the server's proto
remote 10.0.1.61 1194 # openvpn server IP address and port (change to your server's IP)
resolv-retry infinite # keep retrying after a drop; very useful on unstable networks
nobind # do not bind to a specific local port
ca ca.crt # CA certificate path
cert client.crt # this client's certificate path
key client.key # this client's private key path
verb 3 # log verbosity level, 0-9; higher means more detail
persist-key # on restart after a keepalive timeout, keep the keys already loaded instead of re-reading them
persist-tun # on restart after a timeout, keep the tun device up instead of taking it down and up again
4. Finally, the ~/Documents/OpenVPN/config directory on the Mac contains the following files:
$ ls
ca.crt client.crt client.key client.ovpn
5. Double-click client.ovpn to open Tunnelblick, which connects automatically.
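A consistency check between the server.conf above and the client.ovpn, added here as an example that is not part of the original post: it reads the proto, dev, port/remote and tls-auth directives from both files and reports any mismatch (such as a client using udp against a tcp server, or tls-auth enabled on only one side). The sample configs are constructed inline and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check that a server.conf and a
# client.ovpn agree on the settings that must match for the handshake to work
# (proto, dev, port, and whether tls-auth is used on both sides).
# Sample configs are constructed inline; paths are assumptions.

# Print the first value of directive $2 in config file $1, ignoring '#' comments.
conf_get() {
    sed 's/#.*//' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Return 0 when server ($1) and client ($2) configs agree, 1 otherwise.
check_vpn_pair() {
    server="$1"; client="$2"; ok=0
    # proto and dev must be identical on both ends
    for k in proto dev; do
        s=$(conf_get "$server" "$k"); c=$(conf_get "$client" "$k")
        [ "$s" = "$c" ] || { echo "mismatch: $k server=$s client=$c"; ok=1; }
    done
    # the server's "port N" must equal the port in the client's "remote HOST N"
    sp=$(conf_get "$server" port); [ -n "$sp" ] || sp=1194
    cp=$(sed 's/#.*//' "$client" | awk '$1 == "remote" { print $3; exit }')
    [ -n "$cp" ] || cp=1194
    [ "$sp" = "$cp" ] || { echo "mismatch: port server=$sp client=$cp"; ok=1; }
    # tls-auth must be enabled on both sides or on neither (a commented-out
    # "#tls-auth" line, as in the post's server.conf, counts as disabled)
    st=$(conf_get "$server" tls-auth); ct=$(conf_get "$client" tls-auth)
    if [ -n "$st" ] && [ -z "$ct" ]; then echo "server uses tls-auth, client does not"; ok=1; fi
    if [ -z "$st" ] && [ -n "$ct" ]; then echo "client uses tls-auth, server does not"; ok=1; fi
    return $ok
}

# Constructed samples in directory $1: the post's TCP server, a matching client,
# and a client that wrongly uses UDP against it.
make_samples() {
    printf '%s\n' 'port 1194' 'proto tcp' 'dev tun' \
        '#tls-auth /etc/openvpn/ta.key 0' > "$1/server.conf"
    printf '%s\n' 'client' 'dev tun' 'proto tcp' 'remote 10.0.1.61 1194' \
        'nobind' > "$1/client.ovpn"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 10.0.1.61 1194' > "$1/client-udp.ovpn"
}

# Demo run: the first pair passes, the second reports the proto mismatch.
dir=$(mktemp -d)
make_samples "$dir"
check_vpn_pair "$dir/server.conf" "$dir/client.ovpn" && echo "client.ovpn: consistent"
check_vpn_pair "$dir/server.conf" "$dir/client-udp.ovpn" || echo "client-udp.ovpn: inconsistent"
rm -rf "$dir"
```

Run it against your real files with check_vpn_pair /etc/openvpn/server.conf client.ovpn; an empty output and exit status 0 means the two ends agree.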
Internal network host configuration
At this point, packets sent by the client can reach the internal address that openvpn fronts, but cannot communicate with other hosts on the same internal subnet as the openvpn server, because the back-end hosts have no route back to the client subnet 10.0.2.0, so ping fails. There are two ways to fix this.
Method 1
Add a route to the 10.0.2.0 network on every back-end host, as follows:
$ route add -net 10.0.2.0/24 gw 172.16.1.61
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.2.0 172.16.1.61 255.255.255.0 UG 0 0 0 eth1
Method 2
Apply SNAT on the openvpn machine, as follows:
$ iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d 172.16.1.0/24 -j SNAT --to-source 172.16.1.61
Bonus
After all the tinkering above, there is actually a ready-made one-click deployment method; see the link below: