There is an older post of mine on setting up OpenVPN, written long ago, when easy-rsa was still version 2, I believe. This one covers easy-rsa 3.0.6. The old post is here: https://olei.me/181/
I no longer remember what problems the 2.0 setup had, so I may not be able to answer questions about it. The 3.0.6 setup below was built recently for my company, many people are using it, and it has had no problems. If you hit anything while following it, leave a comment or send me an email.
Installation
Add the package repositories
```sh
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
```
Install openvpn and easy-rsa (easy-rsa 3.0.6 is used as the example)
```sh
yum install -y openvpn easy-rsa
```
Configuration
Configure easy-rsa 3.0
```sh
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
cd 3.0.6/
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
```
A note on this step: normally, after easy-rsa-3.0.6 is installed, vars.example lives in /usr/share/doc/easy-rsa-3.0.6/. Some people report that they cannot find the file; I have not run into that myself, so your installation method or version probably differs from mine.
Create a new PKI and CA
```console
$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa init-pki   # create an empty PKI
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.6/pki
---
$ ./easyrsa build-ca nopass   # create a new CA without a passphrase (a production CA key should carry one and be kept off the VPN host)
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.6/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   # press Enter

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
```
Create the server certificate request
```console
$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.6/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:   # press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.6/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.6/pki/private/server.key
```
Sign the server certificate
```console
$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.6/pki/issued/server.crt
```
Create the Diffie-Hellman parameters
```console
$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa gen-dh
............................................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem
```
Create the client certificate
- Copy the files
```console
$ cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
$ cd /etc/openvpn/client/easy-rsa/
$ cd 3.0.6/
$ find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
```
- Generate the client key and request
```console
$ pwd
/etc/openvpn/client/easy-rsa/3.0.6
---
$ ./easyrsa init-pki   # create a new PKI
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.6/pki
---
$ ./easyrsa gen-req eicas nopass   # client certificate named eicas, no passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.6/pki/private/eicas.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [eicas]:   # press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/eicas.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/eicas.key
```
- Finally, import the request into the server-side PKI and sign the client certificate there
```console
$ cd /etc/openvpn/easy-rsa/3.0.6/
$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/eicas.req eicas
Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: eicas
You may now use this name to perform signing operations on this request.
---
$ ./easyrsa sign client eicas
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = eicas

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'eicas'
Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.6/pki/issued/eicas.crt
```
Gather the certificates
All certificates have now been generated; next, collect the ones each side needs.
- Files the server needs
```console
$ mkdir /etc/openvpn/certs
$ cd /etc/openvpn/certs/
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem .
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt .
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/issued/server.crt .
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/private/server.key .
$ ll
---
总用量 20
-rw-------. 1 root root 1172 4月  11 10:02 ca.crt
-rw-------. 1 root root  424 4月  11 10:03 dh.pem
-rw-------. 1 root root 4547 4月  11 10:03 server.crt
-rw-------. 1 root root 1704 4月  11 10:02 server.key
```
- Files the client needs
```console
$ mkdir /etc/openvpn/client/eicas/
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt /etc/openvpn/client/eicas/
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/issued/eicas.crt /etc/openvpn/client/eicas/
$ cp /etc/openvpn/client/easy-rsa/3.0.6/pki/private/eicas.key /etc/openvpn/client/eicas/
$ ll /etc/openvpn/client/eicas/
---
total 16
-rw------- 1 root root 1147 Feb 11 10:08 ca.crt
-rw------- 1 root root 4403 Feb 11 10:08 eicas.crt
-rw------- 1 root root 1708 Feb 11 10:09 eicas.key
```
Configure server.conf
```conf
local 0.0.0.0
port 1194                                   # listening port
proto tcp                                   # protocol (udp also works, and is faster than tcp)
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0               # address pool handed out to clients
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.252.0 255.255.0.0"      # adjust to your LAN; network and mask must agree (192.168.252.0 255.255.255.0 for a /24, 192.168.0.0 255.255.0.0 for a /16)
push "redirect-gateway def1 bypass-dhcp"    # clients use the OpenVPN server as their default gateway
push "dhcp-option DNS 8.8.8.8"              # DNS servers pushed to clients
push "dhcp-option DNS 114.114.114.114"
client-to-client
keepalive 10 120                            # heartbeat: ping every 10 s, treat the peer as down after 120 s without a reply
#tls-auth ta.key 0                          # server uses 0, client uses 1
cipher AES-256-CBC
comp-lzo                                    # compress traffic (deprecated since OpenVPN 2.4; compressing encrypted traffic leaks information, so leave it off unless you need it)
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
```
Enable IP forwarding
```console
$ vim /etc/sysctl.conf
# add:
net.ipv4.ip_forward=1
# apply
$ sysctl -p
```
iptables settings
```console
$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
$ iptables-save > /etc/openvpn-rule
$ cd /etc/
$ iptables-restore < openvpn-rule
```
Start openvpn
```console
$ systemctl start openvpn@server
$ systemctl enable openvpn@server
```
Client preparation
Client connection tools
- Windows: openvpn gui
- Mac: tunnelblick
Some of these downloads may need a way around the GFW, or may be very slow from overseas, so here are the links from my object storage:
- Windows 7, 8, 8.1, Server 2012: openvpn gui
- Windows 10: openvpn gui
- Mac: tunnelblick
Creating the client .ovpn file
(Here the certificate contents are embedded in the .ovpn itself; writing file paths into the config works just as well.)
- The client certificate paths are as follows
```console
ll /etc/openvpn/client/eicas/
---
total 16
-rw------- 1 root root 1147 Feb 11 10:08 ca.crt
-rw------- 1 root root 4403 Feb 11 10:08 eicas.crt
-rw------- 1 root root 1708 Feb 11 10:09 eicas.key
```
- Edit client.ovpn locally
```conf
client
proto tcp
dev tun
remote xxx.xxx.xxx.xxx 1194      # the server's public IP; the default port is 1194
# Instead of [inline] you can also give the paths of the downloaded client certificate files
ca [inline]
cert [inline]
key [inline]
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
#user openvpn
#group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
<ca>
paste the contents of ca.crt here
</ca>
<cert>
paste the contents of eicas.crt here (it must go between the cert tags, not before them)
</cert>
<key>
paste the contents of eicas.key here
</key>
```
Using openvpn gui
- Just open the program and import the .ovpn file written above; on success a notification appears. On Mac it is likewise a matter of importing the file; if you still cannot work it out, search Baidu.
Username and password setup
Enable username/password login on the server
- Edit the server's server.conf file
```console
$ vim /etc/openvpn/server.conf
# add the following
# use username and password login
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required   # deprecated since OpenVPN 2.4 and removed in 2.5, where the equivalent is "verify-client-cert none"; with it a valid password alone is enough to connect
username-as-common-name
```
- Add the password check script checkpsw.sh
```console
$ vim /etc/openvpn/checkpsw.sh
---
```
```sh
#!/bin/sh
###########################################################
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through "auth-user-pass-verify ... via-env",
# so the submitted credentials arrive in the environment
# variables $username and $password (script-security 3 is needed).

PASSFILE="/etc/openvpn/psw-file"                # path of the account/password file
LOG_FILE="/etc/openvpn/openvpn-password.log"    # authentication log
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Hand the username to awk with -v instead of splicing it into the awk
# program text, so a username containing quotes cannot alter the awk code.
CORRECT_PASSWORD=$(awk -v user="${username}" '!/^;/ && !/^#/ && $1 == user {print $2; exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Never write the submitted password to the log: a mistyped password is
  # often a valid password for some other account.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
```
- Add accounts and passwords
```console
$ vim /etc/openvpn/psw-file
# one "username<space>password" entry per line, for example:
test 123456
```
- Restart openvpn
```sh
systemctl restart openvpn@server
```
Configure username/password login in the client .ovpn
- Edit the client.ovpn created earlier and add one line:
```conf
auth-user-pass
```
- The complete file
```conf
client
proto tcp
dev tun
remote xxx.xxx.xxx.xxx 1194      # the server's public IP; the default port is 1194
# Instead of [inline] you can also give the paths of the downloaded client certificate files
ca [inline]
cert [inline]
key [inline]
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
#user openvpn
#group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
auth-user-pass
mute 20
<ca>
paste the contents of ca.crt here
</ca>
<cert>
paste the contents of eicas.crt here (it must go between the cert tags, not before them)
</cert>
<key>
paste the contents of eicas.key here
</key>
```
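Pasting the three PEM blocks by hand is where mistakes such as an empty <cert></cert> come from, so here is an added example, not part of the original post, that builds the profile above from the files in /etc/openvpn/client/eicas/. It assumes the post's layout (DIR/ca.crt, DIR/NAME.crt, DIR/NAME.key); the function names make_ovpn and pem_block and the REMOTE/PORT arguments are my own.

```shell
#!/bin/sh
# Added example, not from the original post: build the inline client.ovpn from
# the files in /etc/openvpn/client/<name>/ (DIR/ca.crt, DIR/NAME.crt,
# DIR/NAME.key) instead of pasting PEM blocks by hand.
# make_ovpn NAME DIR REMOTE [PORT]  writes the profile to stdout.

# pem_block FILE HEADER: print only the PEM block whose header matches the
# regex HEADER. easy-rsa's issued .crt files carry a text dump above the PEM
# block (that is why server.crt is 4547 bytes in the listing while ca.crt is
# 1172); OpenVPN tolerates it but it bloats the profile.
pem_block() {
    sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"
}

make_ovpn() {
    name=$1; dir=$2; remote=$3; port=${4:-1194}
    # Refuse to emit a profile with an empty block: every input must be PEM.
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        grep -q -- '-----BEGIN' "$f" 2>/dev/null \
            || { echo "not a PEM file: $f" >&2; return 1; }
    done
    # Options mirror the post's client.ovpn; drop auth-user-pass if the server
    # does not use the checkpsw.sh password login.
    cat <<EOF
client
proto tcp
dev tun
remote $remote $port
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
persist-key
persist-tun
auth-user-pass
verb 3
mute 20
<ca>
$(pem_block "$dir/ca.crt" CERTIFICATE)
</ca>
<cert>
$(pem_block "$dir/$name.crt" CERTIFICATE)
</cert>
<key>
$(pem_block "$dir/$name.key" '.*PRIVATE KEY')
</key>
EOF
}
```

Run it as `make_ovpn eicas /etc/openvpn/client/eicas <server-ip> > eicas.ovpn` and copy only the resulting .ovpn to the client machine.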
Then reconnect.
Windows 10: screenshot of a successful connection
Written by olei; please credit the source when reposting.
Yigi woli giao giao, can the latest version still connect from Android? I haven't played with this in a long time.
@凌一 Yes, it can; this is just an intranet VPN, not a way around the GFW.
@olei Nice, added you on QQ. Open-source spirit, nice, good brother~
Did you run into the tap-windows digital signature problem? Because the signature was wrong, tap-windows could not work properly.
Thanks, boss.