Setting up OpenVPN on CentOS 7 with username/password login (for easy-rsa 3.0.6)

olei

There is an older post of mine on setting up OpenVPN, written a long time ago; the easy-rsa version there was 2, I think. Here is a tutorial for 3.0.6. The old one is at https://olei.me/181/

I have forgotten what the pitfalls of the 2.0 setup were, so I may not be able to answer questions about it. This 3.0.6 setup was done recently for my company, a lot of people use it, and there have been no problems. If you hit something while following along, leave a comment, or send me an email~

Installation

Add repositories

The Aliyun mirrors are only there because they are faster from China; openvpn and easy-rsa themselves come from EPEL. Both .repo files are fetched over plain http, so check that they keep gpgcheck=1, which is what makes yum still verify the package signatures.

mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup 
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup 
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

Install openvpn and easy-rsa (easy-rsa 3.0.6 in this walkthrough)

yum install -y openvpn easy-rsa

Configuration

Configure easy-rsa 3.0

cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
cd 3.0.6/
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars   # put the example vars file next to the easyrsa script

A note on this: after installing easy-rsa-3.0.6 the vars.example file is normally at /usr/share/doc/easy-rsa-3.0.6/ (the find above just saves remembering that path). Some people report not finding the file; I have not run into that myself, so it is probably a different install method or version.

Create a new PKI and CA

$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa init-pki  # create an empty PKI
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.6/pki
---
$ ./easyrsa build-ca nopass  # create the CA; nopass leaves the CA key without a passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.6/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: (press Enter to accept the default)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.6/pki/ca.crt

nopass keeps the CA private key (pki/private/ca.key) unencrypted on disk. That is convenient for scripting, but anyone who can read that file can issue client certificates your server trusts. Keep the easy-rsa directory root-only; for anything beyond a small internal VPN, run build-ca without nopass so the key gets a passphrase, or keep the CA on a separate offline machine and only move .req and .crt files.

Create the server certificate request

$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.6/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: (press Enter to accept the default)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.6/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.6/pki/private/server.key

Sign the server certificate

$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.6/pki/issued/server.crt

The 3650-day lifetime is EASYRSA_CERT_EXPIRE from vars. A certificate keeps working until it expires, so plan revocation now: easyrsa revoke followed by gen-crl produces pki/crl.pem, and the server only honours it if server.conf points crl-verify at that file. Without that, a certificate on a lost laptop stays valid for ten years.

Generate Diffie-Hellman parameters

$ pwd
/etc/openvpn/easy-rsa/3.0.6
---
$ ./easyrsa gen-dh

............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem

Create the client certificate

The request is generated in a second, separate PKI directory. That mirrors the real workflow: the client generates its key pair where it lives, sends only the .req to the CA, and the private key never travels. When everything is on the CA host anyway, easy-rsa's build-client-full does gen-req and sign in one step.

  • Copy the files
$ cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
$ cd /etc/openvpn/client/easy-rsa/
$ cd 3.0.6/
$ find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
  • Generate the request
$ pwd
/etc/openvpn/client/easy-rsa/3.0.6
---
$ ./easyrsa init-pki  # create a new, empty PKI for the client

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.6/pki
---
$ ./easyrsa gen-req eicas nopass  # client certificate named eicas, no passphrase on the key

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.6/pki/private/eicas.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [eicas]: (press Enter to accept the default)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/eicas.req
key: /etc/openvpn/client/easy-rsa/3.0.6/pki/private/eicas.key
  • Finally, import the request into the CA and sign it as a client certificate
$ cd /etc/openvpn/easy-rsa/3.0.6/
$ pwd
/etc/openvpn/easy-rsa/3.0.6
---

$ ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/eicas.req eicas

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: eicas
You may now use this name to perform signing operations on this request.
---

$ ./easyrsa sign client eicas

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = eicas


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'eicas'
Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.6/pki/issued/eicas.crt

Organise the certificates

All the certificates are generated now; time to collect what each side needs. Only ca.crt is public; server.key and eicas.key are secrets and stay root-only (the -rw------- below).

  • Files the server needs
$ mkdir /etc/openvpn/certs
$ cd /etc/openvpn/certs/  
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem .        
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt .
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/issued/server.crt .
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/private/server.key .
$ ll
---
total 20
-rw-------. 1 root root 1172 Apr 11 10:02 ca.crt
-rw-------. 1 root root  424 Apr 11 10:03 dh.pem
-rw-------. 1 root root 4547 Apr 11 10:03 server.crt
-rw-------. 1 root root 1704 Apr 11 10:02 server.key
  • Files the client needs (ca.crt and the signed certificate come from the CA's pki, the key from the client's own pki)
$ mkdir /etc/openvpn/client/eicas/
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt /etc/openvpn/client/eicas/
$ cp /etc/openvpn/easy-rsa/3.0.6/pki/issued/eicas.crt /etc/openvpn/client/eicas/
$ cp /etc/openvpn/client/easy-rsa/3.0.6/pki/private/eicas.key /etc/openvpn/client/eicas/
$ ll /etc/openvpn/client/eicas/
---
total 16
-rw------- 1 root root 1147 Feb 11 10:08 ca.crt
-rw------- 1 root root 4403 Feb 11 10:08 eicas.crt
-rw------- 1 root root 1708 Feb 11 10:09 eicas.key

Configure server.conf

The file is /etc/openvpn/server.conf, which is what the openvpn@server unit started below reads.

local 0.0.0.0
port 1194                                  # listening port
proto tcp                                  # or udp: udp is faster and the usual choice, tcp only where udp is blocked; the client must use the same
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem

server 10.8.0.0 255.255.255.0              # address pool handed out to clients
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.252.0 255.255.255.0"   # route to your LAN, adjust to yours; the network address must be aligned to the mask (192.168.252.0 with 255.255.0.0 has host bits set and is not a valid route)
push "redirect-gateway def1 bypass-dhcp"   # send all client traffic through the VPN; omit for a split tunnel that only carries the LAN route
push "dhcp-option DNS 8.8.8.8"             # DNS servers pushed to clients
push "dhcp-option DNS 114.114.114.114"
client-to-client                           # clients can reach each other; omit if users should only see the LAN

keepalive 10 120                           # ping every 10 s; a peer silent for 120 s counts as disconnected
#tls-auth ta.key 0                         # recommended: HMAC-protects the control channel so only holders of ta.key can even start a handshake. Generate it with "openvpn --genkey --secret ta.key"; the server uses direction 0, clients 1
cipher AES-256-CBC
comp-lzo                                   # data compression; compressing tunnelled data lets an attacker recover plaintext (VORACLE), so leave it out on both sides unless you must have it
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
mute 20
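As an added example (this code is not part of the tutorial), here is a small audit that reads a server.conf and reports the points a reviewer would raise about the file above: a pushed route whose network address is not aligned to its mask, compression on the tunnel, a missing tls-auth/tls-crypt, and client-cert-not-required. The SAMPLE_SERVER_CONF inside it is a constructed file modelled on the tutorial's, deliberately carrying the misaligned route 192.168.252.0 255.255.0.0 so the check has something to find.

```python
"""Audit an OpenVPN server.conf for a few common pitfalls.

Added example, not part of the original tutorial.  It tokenises the file the
way OpenVPN does for what matters here (one directive per line, shell-style
quoting, '#'/';' comments) and flags:
  * push "route" entries whose network address has host bits set for the mask
  * compression of tunnelled data (comp-lzo, or compress with an algorithm)
  * no tls-auth / tls-crypt protection of the control channel
  * client-cert-not-required (client certificates no longer verified)
SAMPLE_SERVER_CONF is a constructed file modelled on the tutorial's, with a
deliberately misaligned pushed route.
"""
import ipaddress
import shlex

SAMPLE_SERVER_CONF = """\
local 0.0.0.0
port 1194
proto tcp                          # inline comments are stripped, as in the tutorial's file
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.252.0 255.255.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
#tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3
"""


def parse_conf(text):
    """Return [(directive, [args...])] for each non-comment line.

    shlex keeps quoted arguments together, so push "route 10.0.0.0 255.0.0.0"
    becomes ('push', ['route 10.0.0.0 255.0.0.0']).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def check_push_routes(entries):
    """Flag pushed routes whose network address is not aligned to the mask."""
    findings = []
    for directive, args in entries:
        if directive != 'push' or not args:
            continue
        words = args[0].split()
        if len(words) < 3 or words[0] != 'route':
            continue
        network, netmask = words[1], words[2]
        try:
            ipaddress.IPv4Network((network, netmask))   # strict: host bits must be zero
            continue
        except ValueError:
            pass
        try:
            aligned = ipaddress.IPv4Network((network, netmask), strict=False)
        except ValueError:
            findings.append(f'push route {network} {netmask}: not a valid network/mask pair')
            continue
        findings.append(f'push route {network} {netmask}: host bits set; did you mean '
                        f'{aligned.network_address} {aligned.netmask}? (or narrow the mask)')
    return findings


def check_hardening(entries):
    """Flag directives that weaken the tunnel or the control channel."""
    present = {directive for directive, _ in entries}
    compress_args = [args for directive, args in entries if directive == 'compress']
    # "compress" with no algorithm, stub or stub-v2 only adds framing; it does not compress
    compressing = 'comp-lzo' in present or any(
        a and a[0] not in ('stub', 'stub-v2') for a in compress_args)
    findings = []
    if compressing:
        findings.append('compression enabled: compressing tunnelled data leaks plaintext '
                        '(VORACLE); remove it on the server and on every client')
    if not present & {'tls-auth', 'tls-crypt'}:
        findings.append('no tls-auth/tls-crypt: anyone can start a TLS handshake with the server; '
                        'generate ta.key with "openvpn --genkey --secret ta.key" and add "tls-auth ta.key 0"')
    if 'client-cert-not-required' in present:
        findings.append('client-cert-not-required: client certificates are not verified, the password '
                        'is the only credential (deprecated spelling; 2.4 uses "verify-client-cert none")')
    return findings


def audit(text):
    entries = parse_conf(text)
    return check_push_routes(entries) + check_hardening(entries)


if __name__ == '__main__':
    for finding in audit(SAMPLE_SERVER_CONF):
        print('-', finding)
```

Run it against the real file with audit(open('/etc/openvpn/server.conf').read()); on the constructed sample it reports the route, the compression and the missing tls-auth.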

Enable IP forwarding

$ vim /etc/sysctl.conf
# add:
net.ipv4.ip_forward=1

# apply
$ sysctl -p

iptables

$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE   # NAT the VPN pool towards the LAN/Internet (add -o <uplink interface> to limit it to one interface)
$ iptables-save > /etc/openvpn-rule                             # snapshot of the running ruleset
$ cd /etc/
$ iptables-restore < openvpn-rule                               # reloads that snapshot; it does not survive a reboot by itself, the restore has to run at boot (for example through the iptables-services package, which loads /etc/sysconfig/iptables)

If firewalld is running (the CentOS 7 default) it also has to allow the listening port, 1194/tcp here, or clients never reach the daemon.

Start OpenVPN

The openvpn@server unit reads /etc/openvpn/server.conf.

$ systemctl start openvpn@server
$ systemctl enable openvpn@server

Client side

Client software

Downloading from abroad can be slow (or need a way around the firewall), so here are links from my object storage:

Building the client .ovpn

(The certificate contents are written into the .ovpn here; pointing the config at file paths works just as well.)

  • The client's certificate files are here
ll /etc/openvpn/client/eicas/
---
total 16
-rw------- 1 root root 1147 Feb 11 10:08 ca.crt
-rw------- 1 root root 4403 Feb 11 10:08 eicas.crt
-rw------- 1 root root 1708 Feb 11 10:09 eicas.key
  • Edit client.ovpn locally
client
proto tcp                     # must match the server (tcp here)
dev tun
remote xxx.xxx.xxx.xxx 1194   # the server's public IP; 1194 is the default port

# [inline] is the placeholder used when the material is in the <ca>/<cert>/<key>
# blocks at the end of the file; these three lines can also hold the paths of the downloaded files
ca [inline] 
cert [inline]
key [inline]

resolv-retry infinite
nobind
mute-replay-warnings
# recommended: remote-cert-tls server
# (rejects a peer whose certificate was issued with the client type; easy-rsa's "sign server" sets the serverAuth extendedKeyUsage this checks)

keepalive 20 120
comp-lzo                      # must match the server; drop it on both sides if you remove it from server.conf
#user openvpn
#group openvpn

persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20

<ca>
paste the contents of ca.crt here
</ca>
<cert>
paste the contents of eicas.crt here
</cert>
<key>
paste the contents of eicas.key here
</key>

Using OpenVPN GUI

  • Open the program and import the .ovpn written above; it reports success when the tunnel comes up
  • On a Mac it is the same, just import the file; search online if you get stuck

Username/password login

Enable username/password authentication on the server

  • Edit the server's server.conf
$ vim /etc/openvpn/server.conf
# add the following
# use username and password login
script-security 3                                       # via-env hands the password to the script through the environment, which needs level 3 (via-file needs only 2)
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required                                # stop verifying client certificates: the password becomes the only credential. Leave this line out to require both a valid certificate and a password. Deprecated since OpenVPN 2.4, where it is spelled "verify-client-cert none"
username-as-common-name                                 # identify the client by its login name rather than the certificate CN in logs and status
  • Add the password check script checkpsw.sh (make it executable: chmod 700)
$ vim /etc/openvpn/checkpsw.sh
---
#!/bin/sh
###########################################################
#
# Authenticate OpenVPN users against a plain text file.
# The passfile contains one row per user: the username, one
# or more spaces or tabs, then the password.
# OpenVPN calls this with the credentials in the environment
# (auth-user-pass-verify ... via-env, which needs script-security 3).
# Exit 0 accepts the login, anything else rejects it.
#
# The passfile holds passwords in clear, so it must be readable by
# root only (chmod 600), and this script never writes a password
# to its log.
PASSFILE="/etc/openvpn/psw-file"                  # username/password file
LOG_FILE="/etc/openvpn/openvpn-password.log"      # authentication log
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Hand the username to awk with -v instead of splicing it into the program
# text, so a username containing quotes cannot alter the awk code.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
  • Add accounts
$ vim /etc/openvpn/psw-file
# one account per line: username, a space, then the password, e.g.

test 123456
# the file holds passwords in clear: keep it owned by root with mode 0600, and use real passwords, not 123456
  • Restart openvpn
systemctl restart openvpn@server
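The shell script above works, but it keeps every password in clear on the server. As an added example (not part of the tutorial, and not a script shipped with OpenVPN), here is a drop-in replacement in Python that stores salted PBKDF2-SHA256 hashes instead, compares them in constant time, and never writes the password to its log. It uses the via-file mode of auth-user-pass-verify, so script-security 2 is enough. The paths /etc/openvpn/psw-file and /etc/openvpn/openvpn-password.log, the record format, and python3 being installed on the server are this example's assumptions.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify backend that stores password hashes, not passwords.

Added example, not part of the original tutorial: a replacement for checkpsw.sh,
wired in with
    script-security 2
    auth-user-pass-verify /etc/openvpn/checkpsw.py via-file
With via-file OpenVPN writes the username and password on two lines of a
temporary file and passes its path as argv[1], so no password sits in the
environment and level 2 is enough.  Exit 0 accepts the login, anything else
rejects it.  psw-file records are "user iterations$salthex$digesthex"
(create one with: checkpsw.py hash <user>).  Paths and the record format are
this example's own assumptions.
"""
import getpass
import hashlib
import hmac
import os
import secrets
import sys
import time

PASSFILE = '/etc/openvpn/psw-file'              # assumed path; must be root-only (0600)
LOG_FILE = '/etc/openvpn/openvpn-password.log'   # assumed path
ITERATIONS = 200_000                             # PBKDF2 rounds for new records


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return an 'iterations$salthex$digesthex' record for the password."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return f'{iterations}${salt.hex()}${digest.hex()}'


def parse_passfile(text):
    """Map username -> record; blank lines and '#'/';' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#;':
            continue
        user, _, record = line.partition(' ')
        if record.strip():
            users[user] = record.strip()
    return users


def verify(username, password, users):
    """True only if the user exists and the password matches its record."""
    record = users.get(username)
    if record is None:
        hash_password(password)                  # spend the same time as a real check
        return False
    try:
        iterations, salt_hex, digest_hex = record.split('$')
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:                           # malformed record: never a match
        return False
    return hmac.compare_digest(actual, expected)


def read_credentials(path):
    """OpenVPN via-file layout: username on line 1, password on line 2."""
    with open(path, encoding='utf-8') as f:
        lines = f.read().splitlines()
    if len(lines) < 2:
        raise ValueError('credential file must contain two lines')
    return lines[0], lines[1]


def log(message):
    with open(LOG_FILE, 'a', encoding='utf-8') as f:
        f.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')}: {message}\n")


def main(argv):
    if len(argv) == 3 and argv[1] == 'hash':     # admin helper: print a psw-file line
        print(argv[2], hash_password(getpass.getpass('Password: ')))
        return 0
    if len(argv) != 2:
        print('usage: checkpsw.py <credential-file> | checkpsw.py hash <user>', file=sys.stderr)
        return 1
    if os.stat(PASSFILE).st_mode & 0o077:        # refuse a group/world-readable secret file
        log(f'refusing to run: {PASSFILE} must be mode 0600')
        return 1
    username, password = read_credentials(argv[1])
    with open(PASSFILE, encoding='utf-8') as f:
        users = parse_passfile(f.read())
    ok = verify(username, password, users)
    log(f"{'accepted' if ok else 'rejected'} username={username!r}")  # never log the password
    return 0 if ok else 1


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

To add the tutorial's "test" account, run python3 /etc/openvpn/checkpsw.py hash test, paste the printed line into /etc/openvpn/psw-file, and restart openvpn@server. Leaving client-cert-not-required out of server.conf while using this script gives two factors: the user needs both a signed certificate and a password.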

Client .ovpn for username/password login

  • Edit the client.ovpn created earlier and add one line:
auth-user-pass
  • The complete file
client
proto tcp                     # must match the server (tcp here)
dev tun
remote xxx.xxx.xxx.xxx 1194   # the server's public IP; 1194 is the default port

# [inline] is the placeholder used when the material is in the <ca>/<cert>/<key>
# blocks at the end of the file; these three lines can also hold the paths of the downloaded files
ca [inline] 
cert [inline]
key [inline]

resolv-retry infinite
nobind
mute-replay-warnings
# recommended: remote-cert-tls server
# (rejects a peer whose certificate was issued with the client type; easy-rsa's "sign server" sets the serverAuth extendedKeyUsage this checks)

keepalive 20 120
comp-lzo                      # must match the server; drop it on both sides if you remove it from server.conf
#user openvpn
#group openvpn

persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
auth-user-pass                # prompt for the username and password checked by auth-user-pass-verify on the server
mute 20

<ca>
paste the contents of ca.crt here
</ca>
<cert>
paste the contents of eicas.crt here
</cert>
<key>
paste the contents of eicas.key here
</key>

Then reconnect; the client now prompts for a username and password from psw-file.
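Pasting three PEM blocks by hand is where most broken .ovpn files come from. As an added example (not from the tutorial), the script below assembles both client profiles shown above, the certificate-only one and the auth-user-pass one, from ca.crt, eicas.crt and eicas.key. easy-rsa 3 writes a human-readable dump ahead of the PEM in issued/*.crt (which is why eicas.crt is 4403 bytes while ca.crt is 1147), and only the PEM block belongs in the profile. The PEM strings embedded below are constructed placeholders, the remote address 203.0.113.10 is an assumption, and remote-cert-tls server is added because the tutorial signed the server certificate with easy-rsa's server type.

```python
"""Assemble a client .ovpn with the certificates inlined.

Added example, not part of the original tutorial.  It produces the client
profile from ca.crt, <name>.crt and <name>.key, keeping only the PEM block of
each (easy-rsa 3 puts a text dump ahead of the PEM in issued/*.crt).  The PEM
strings below are constructed placeholders; the remote address is an assumption.
"""
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r'-----BEGIN ([A-Za-z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----', re.DOTALL)


def extract_pem(text, kind):
    """Return the first PEM block whose label ends with `kind`:
    'CERTIFICATE', or 'PRIVATE KEY' (matches both RSA and PKCS#8 keys)."""
    for match in PEM_BLOCK.finditer(text):
        if match.group(1).endswith(kind):
            return match.group(0)
    raise ValueError(f'no {kind} PEM block found')


def build_ovpn(remote, port, ca_pem, cert_pem, key_pem, proto='tcp',
               auth_user_pass=False, comp_lzo=True, tls_auth_pem=None):
    """Return the profile text.  proto, comp_lzo, auth_user_pass and tls_auth
    all have to agree with what server.conf does."""
    directives = [
        'client', f'proto {proto}', 'dev tun', f'remote {remote} {port}',
        'resolv-retry infinite', 'nobind', 'mute-replay-warnings',
        # refuse a peer whose certificate was issued with the client type;
        # easy-rsa "sign server" adds the serverAuth extendedKeyUsage this checks
        'remote-cert-tls server',
        'keepalive 20 120', 'persist-key', 'persist-tun', 'verb 3', 'mute 20',
    ]
    if comp_lzo:                      # must match the server; drop it on both sides when you can
        directives.append('comp-lzo')
    if auth_user_pass:                # prompt for the psw-file credentials
        directives.append('auth-user-pass')
    if tls_auth_pem is not None:      # server side is "tls-auth ta.key 0", clients use direction 1
        directives.append('key-direction 1')
    blocks = [('ca', extract_pem(ca_pem, 'CERTIFICATE')),
              ('cert', extract_pem(cert_pem, 'CERTIFICATE')),
              ('key', extract_pem(key_pem, 'PRIVATE KEY'))]
    if tls_auth_pem is not None:
        blocks.append(('tls-auth', extract_pem(tls_auth_pem, 'OpenVPN Static key V1')))
    profile = '\n'.join(directives) + '\n'
    for tag, pem in blocks:
        profile += f'<{tag}>\n{pem}\n</{tag}>\n'
    return profile


def build_from_dir(directory, name, remote, port, **kwargs):
    """Read ca.crt, <name>.crt and <name>.key from a directory laid out like
    /etc/openvpn/client/eicas/ and return the profile."""
    d = Path(directory)
    return build_ovpn(remote, port,
                      (d / 'ca.crt').read_text(),
                      (d / f'{name}.crt').read_text(),
                      (d / f'{name}.key').read_text(), **kwargs)


# constructed stand-ins for the real files (not real key material)
CA_CRT = '-----BEGIN CERTIFICATE-----\nMIIB...ca...\n-----END CERTIFICATE-----\n'
EICAS_CRT = ('Certificate:\n    Data:\n        Subject: CN=eicas\n'
             '-----BEGIN CERTIFICATE-----\nMIID...eicas...\n-----END CERTIFICATE-----\n')
EICAS_KEY = '-----BEGIN PRIVATE KEY-----\nMIIE...key...\n-----END PRIVATE KEY-----\n'

if __name__ == '__main__':
    # on the server: build_from_dir('/etc/openvpn/client/eicas', 'eicas', '203.0.113.10', 1194, auth_user_pass=True)
    print(build_ovpn('203.0.113.10', 1194, CA_CRT, EICAS_CRT, EICAS_KEY, auth_user_pass=True))
```

The resulting file contains the client's private key, so hand it to the user over a channel you trust and delete the server-side copy of eicas.key once it is delivered.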

Windows 10: screenshot of a successful connection

Comments

  1. 凌一 (Lv 1)

     Yo, can the latest version still connect from Android? I haven't played with this in a long time.

     • olei (site owner)

       @凌一 Yes. This is just an intranet VPN, not a way around the firewall.

  2. 老猫 (Lv 1)

     Have you run into the tap-windows digital signature problem? The signature doesn't check out, so tap-windows won't work properly.

  3. 34 (Lv 1)

     Thanks, boss.