Notes on an OpenVPN setup
Published: 2018-08-17 14:07:18  Editor: 龙龙龙  Category: Technical documentation
Preparation:
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
yum install -y pkcs11-helper pkcs11-helper-devel
yum install rpm-build
wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz
[root@openvpn]# rpmbuild -tb openvpn-2.2.2.tar.gz
After the build finishes, an installation package named openvpn-2.2.2-1.x86_64.rpm is generated in /root/rpmbuild/RPMS/x86_64.
[root@openvpn]# rpm -ivh openvpn-2.2.2-1.x86_64.rpm
cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0
export KEY_COUNTRY="CN"        # country
export KEY_PROVINCE="BJ"       # province
export KEY_CITY="Hangzhou"     # city
export KEY_ORG="aliyun"        # organization
export KEY_EMAIL=my@test.com   # e-mail address
Generate the certificates, keys and parameter files
ln -s openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all
Generate the CA certificate
./build-ca
Generate the server certificate
./build-key-server myopenvpn
Answer Y at the two interactive confirmation prompts
Three files are generated in the keys folder: aliyuntest.key, aliyuntest.csr and aliyuntest.crt
Generate the client certificate
./build-key longlonglong
Again two interactive prompts, confirm both
Three files are generated in the keys directory: the 1024-bit RSA server key longlonglong.key, plus longlonglong.crt and longlonglong.csr.
./build-dh
Generates the Diffie-Hellman parameters used for client verification; when finished, the dh parameter file dh1024.pem is generated in the keys directory.
Copy:
Run the following command to copy all files under /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys to /etc/openvpn:
cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/
Run the following command to copy the OpenVPN server configuration file server.conf to /etc/openvpn/:
cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
View server.conf with the comment lines stripped
egrep -v "^$|^#|^;" server.conf
Complete the configuration as follows:
local 172.21.47.159 # the IP the server listens on (the public IP); on an Alibaba Cloud ECS instance use the eth0 address, which is the internal IP that gets mapped to the public one
port 1194
proto udp
dev tun
ca ca.crt
cert zhaofantest.crt
key zhaofantest.key # This file should be kept secret
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
Kernel setting: enable IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
iptables rules
# Generated by iptables-save v1.4.7 on Fri Aug 17 09:58:29 2018
*filter
:INPUT ACCEPT [36:3000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:6726]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Fri Aug 17 09:58:29 2018
# Generated by iptables-save v1.4.7 on Fri Aug 17 09:58:29 2018
*nat
:PREROUTING ACCEPT [6:926]
:POSTROUTING ACCEPT [42:3028]
:OUTPUT ACCEPT [42:3028]
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Aug 17 09:58:29 2018
Restart iptables and start OpenVPN
Commands omitted here.
The server side is now configured.
Next, the client
Install openvpn-gui
Briefly:
Copy client.ovpn from the sample-config folder into the config folder
Also put the server-generated longlonglong.crt, longlonglong.key, longlonglong.csr and ca.crt into that config folder.
client.ovpn is configured as follows; look up the meaning of each parameter on Baidu
client
dev tun
proto udp
resolv-retry infinite
nobind
remote 47.74.213.63 1194
ns-cert-type server
comp-lzo
ca ca.crt
cert lll.crt
key lll.key
keepalive 10 120
persist-key
persist-tun
verb 5
redirect-gateway
route-method exe
route-delay 2
status lll-status.log
log-append lll.log
The following section was compiled on 2020-02-24
CentOS 7, easy-rsa 3, OpenVPN
yum packages:
yum -y install openssh-server lzo openssl openssl-devel openvpn NetworkManager-openvpn openvpn-auth-ldap zip unzip
Package for creating the certificates:
I put this under /home/software
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
After unpacking, rename it to easy-rsa and place it under /etc/openvpn
First enter the directory
cd /etc/openvpn/easy-rsa/easyrsa3/
cp vars.example vars
[root@openvpn-101-100 easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY  "CN"                 ## country
set_var EASYRSA_REQ_PROVINCE "ZheJiang"           ## province
set_var EASYRSA_REQ_CITY     "NingBo"             ## city
set_var EASYRSA_REQ_ORG      "Boden"              ## organization name, your choice
set_var EASYRSA_REQ_EMAIL    "121526895@qq.com"   ## e-mail
set_var EASYRSA_REQ_OU       "LLL"
Create the server certificate and key
cd /etc/openvpn/easy-rsa/easyrsa3/
Initialize
./easyrsa init-pki
Create the root certificate
Enter the same password twice and choose a custom name
[root@openvpn-101-100 easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: ## set the password
Re-Enter New CA Key Passphrase: ## re-enter the password
Generating RSA private key, 2048 bit long modulus
....................+++
...............+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic ## a name of your choice
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
Create the server certificate
[root@openvpn-101-100 easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
..................................................+++
.......+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.BKg9lvKsJ7'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:dynamic-server ## a name of your choice
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
Sign the server certificate
One prompt asks for yes, the other for the CA certificate password
[root@openvpn-101-100 easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
    commonName                = dynamic-server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes ## type yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: ## enter the password set when the CA certificate was created: 123456
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-server'
Certificate is to be certified until Mar 17 14:30:18 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
Create the Diffie-Hellman parameters, the command that keeps the key exchange safe across an insecure network
./easyrsa gen-dh
Create the client certificate and key
[root@openvpn-101-100 easyrsa3]# cd /root/
[root@openvpn-101-100 ~]# mkdir client
[root@openvpn-101-100 ~]# cp -R /home/software/easy-rsa/ client/
[root@openvpn-101-100 ~]# cd /root/client/easy-rsa/easyrsa3/
Initialize the client directory
./easyrsa init-pki
Generate the user; enter a password of your choice.
[root@openvpn-101-100 easyrsa3]# ./easyrsa gen-req testuser
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.............+++
.............................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/testuser.key.vPKic04NzX'
Enter PEM pass phrase: ## enter a password of your choice: 666666
Verifying - Enter PEM pass phrase: ## enter the password again: 666666
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [testuser]: ## press Enter to accept the default
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/testuser.req
key: /root/client/easy-rsa/easyrsa3/pki/private/testuser.key
Import the resulting testuser.req, then sign the certificate
[root@openvpn-101-100 easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn-101-100 easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/testuser.req testuser
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: testuser
You may now use this name to perform signing operations on this request.
Sign the client certificate
The first prompt asks for yes, the second for the CA password
[root@openvpn-101-100 easyrsa3]# ./easyrsa sign client testuser
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
    commonName                = testuser
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testuser'
Certificate is to be certified until Mar 17 14:42:56 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/testuser.crt
Put the files wherever you like, matching the paths in OpenVPN's server.conf
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn
Contents of /etc/openvpn/server.conf (edit with vim)
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn
push "redirect-gateway def1"
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
daemon
status openvpn-status.log
log-append /var/log/myvpn/openvpn.log
verb 3
Here 192.168.1.0 is the LAN you want to reach; if the remote side uses the 192.168.0.* segment, write 192.168.0.0, and mind the netmask
Finally start OpenVPN
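As an added example (not code from the original post), a small Python checker that parses a server.conf of the shape shown above and reports the settings a defender would want to revisit; the sample config is constructed from the directives in this post, and the directive names it looks for (tls-auth, tls-crypt, tls-crypt-v2, crl-verify) are real OpenVPN directives.

```python
import shlex

# Constructed sample server.conf, built from the directives used in this post
# (not a file taken from the original page).
SAMPLE_SERVER_CONF = """\
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key   # This file should be kept secret
dh /etc/openvpn/dh.pem
server 172.16.1.0 255.255.255.0
client-to-client
duplicate-cn
push "redirect-gateway def1"
push "dhcp-option DNS 114.114.114.114"
comp-lzo
"""


def parse_openvpn_conf(text):
    """Return (directive, args) pairs; ';' lines and '#' comments are dropped."""
    entries = []
    for raw in text.splitlines():
        if raw.lstrip().startswith(";"):
            continue
        parts = shlex.split(raw, comments=True)  # quoted push args stay one token
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def hardening_findings(entries):
    """List the settings in a parsed server.conf that weaken the deployment."""
    names = {directive for directive, _ in entries}
    args_of = {directive: args for directive, args in entries}
    findings = []
    if "duplicate-cn" in names:
        findings.append("duplicate-cn: one client certificate may be shared by many clients, so per-user accountability is lost")
    if "comp-lzo" in names:
        findings.append("comp-lzo: compression of tunnelled traffic is enabled; disable it unless required")
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control-channel packets are not HMAC-protected before the TLS handshake")
    if "crl-verify" not in names:
        findings.append("no crl-verify: certificates revoked with 'easyrsa revoke' are still accepted")
    if (args_of.get("proto") or [""])[0].startswith("tcp"):
        findings.append("proto tcp: TCP-in-TCP tunnelling performs poorly under packet loss; udp is the usual choice")
    return findings
```

Running `hardening_findings(parse_openvpn_conf(SAMPLE_SERVER_CONF))` on the sample yields five findings; a config with `proto udp`, `tls-crypt` and `crl-verify` yields none.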
openvpn --daemon --config /etc/openvpn/server.conf
Firewall: I use iptables
# Generated by iptables-save v1.4.21 on Mon Feb 24 14:00:55 2020
*nat
:PREROUTING ACCEPT [16:1357]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Feb 24 14:00:55 2020
# Generated by iptables-save v1.4.21 on Mon Feb 24 14:00:55 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33:3340]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Feb 24 14:00:55 2020
Server side done
Client configuration: download the client
Download address
https://openvpn.net/community-downloads/
Under /root/client/:
ca.crt testuser.crt testuser.key testuser.ovpn
Copy all of these files to the client; mine is Windows, so they go into the config directory
Configure testuser.ovpn
client
dev tun
proto tcp
remote 192.168.1.109 1194   // change this to your own server IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                   // the CA certificate is needed here
cert testuser.crt           // this is the client certificate
key testuser.key
comp-lzo
verb 3
Then connect from the tray icon in the bottom right and you're done
----平淡的流年