centos7部署OpenVpn 一、简介 二、环境规划 三

发表于

「这是我参与11月更文挑战的第3天,活动详情查看:2021最后一次更文挑战

一、简介

VPN直译就是虚拟专用通道,是提供给企业之间或者个人与公司之间安全数据传输的隧道,OpenVPN无疑是Linux下开源VPN的先锋,提供了良好的性能和友好的用户GUI。

OpenVPN大量使用了OpenSSL加密库中的SSLv3/TLSv1协议函数库。

OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。

openvpn原理

二、环境规划

openvpn 服务端 centos7

IP 192.168.31.168

双网卡

三、安装部署

1.配置yum源(安装epel)

参考地址:fedoraproject.org/wiki/EPEL

1
2
3
bash复制代码yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum update
yum repolist

2.生成证书

2.1.下载证书生成工具easy-rsa

1
bash复制代码yum -y install easy-rsa

2.2.创建证书环境目录

1
2
3
bash复制代码mkdir -p /opt/easy-rsa
cp -a /usr/share/easy-rsa/3.0.8/* /opt/easy-rsa/
cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example /opt/easy-rsa/vars

2.3.生成秘钥前,准备vars文件

修改文件/opt/easy-rsa/vars中的如下配置(要取消注释)

1
2
3
4
5
6
7
bash复制代码set_var EASYRSA_DN      "cn_only"
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Shanghai"
set_var EASYRSA_REQ_CITY        "Shanghai"
set_var EASYRSA_REQ_ORG         "lucifer"
set_var EASYRSA_REQ_EMAIL       "pc1107750981@163.com"
set_var EASYRSA_NS_SUPPORT      "yes"

2.4.初始化

在当前目录下创建pki目录,用于存储证书

1
2
3
4
5
6
7
bash复制代码[root@openvpn easy-rsa]# cd /opt/easy-rsa/
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa init-pki

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki

2.5.创建根证书

根证书用于ca对之后生成的server和client证书签名时使用。(输入两次密码,直接回车)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
bash复制代码[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa build-ca

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus
.....+++
..........................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt

2.6.创建server端证书和私钥文件

nopass表示不加密私钥文件,生成过程中直接回车默认

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
bash复制代码[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...........................+++
........................................................................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-1326.TIfM4D/tmp.rxSnIM'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req
key: /opt/easy-rsa/pki/private/server.key

2.7.给server证书签名(输入yes,输入密码)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
bash复制代码[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign server server

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-1397.ds5qpo/tmp.lX0IFN
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jun  3 14:02:46 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/server.crt

2.8.创建Diffie-Hellman文件,秘钥交换时的Diffie-Hellman算法

1
bash复制代码/opt/easy-rsa/easyrsa gen-dh

2.9.创建client端证书和私钥文件

nopass表示不加密私钥文件,生成过程中直接回车默认

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
bash复制代码[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req client nopass

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................................................................+++
...................................................................................................................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-1761.HYs4Xv/tmp.z02JuI'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client.req
key: /opt/easy-rsa/pki/private/client.key

2.10. 给client端证书签名(输入yes,输入密码)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
bash复制代码[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign client client

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-1828.VwQHeF/tmp.eYqBSS
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Jun  3 14:09:37 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/client.crt

四、OpenVPN服务端部署

1.安装openvpn软件

1
bash复制代码yum -y install openvpn

2.修改配置文件

自行创建配置文件/etc/openvpn/server.conf,并加入如下配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
bash复制代码port 1194 #端口
proto udp #协议
dev tun #采用路由隧道模式tun
ca ca.crt #ca证书文件位置
cert server.crt #服务端公钥名称
key server.key #服务端私钥名称
dh dh.pem #交换证书
server 10.8.0.0 255.255.255.0 #给客户端分配地址池,注意:不能和VPN服务器内网网段有相同
push "route 192.168.31.1 255.255.255.0" #允许客户端访问内网192.168.31.1网段
ifconfig-pool-persist ipp.txt #地址池记录文件位置
keepalive 10 120 #存活时间,10秒ping一次,120 如未收到响应则视为断线
max-clients 100 #最多允许100个客户端连接
status openvpn-status.log #日志记录位置
verb 3 #openvpn版本
client-to-client #客户端与客户端之间支持通信
log /var/log/openvpn.log #openvpn日志记录位置
persist-key #通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys。
persist-tun #检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup
duplicate-cn
  1. 拷贝证书到openvpn主配置文件目录下
1
2
3
4
bash复制代码cp -a /opt/easy-rsa/pki/ca.crt /etc/openvpn/
cp -a /opt/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp -a /opt/easy-rsa/pki/private/server.key /etc/openvpn/
cp -a /opt/easy-rsa/pki/dh.pem /etc/openvpn/

4 启动openvpn

1
2
bash复制代码systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service

五、OpenVPN客户端部署

1.安装OpenVPN客户端软件

这里是在windows环境下部署OpenVPN的客户端的,首先需要下载安装OpenVPN客户端软件

2.配置客户端

拷贝服务端生成的证书到OpenVPN安装目录的config目录下

分别拷贝以下几个文件

1
2
3
bash复制代码/opt/easy-rsa/pki/ca.crt 
/opt/easy-rsa/pki/issued/client.crt
/opt/easy-rsa/pki/private/client.key

3.编写客户端配置文件

在OpenVPN安装目录的config目录下,新建一个client.ovpn文件,在文件中添加如下配置:

1
2
3
4
5
6
7
8
9
10
11
12
bash复制代码client #指定当前VPN是客户端
dev tun #使用tun隧道传输协议
proto udp #使用udp协议传输数据
remote 192.168.31.168 1194 #openvpn服务器IP地址端口号
resolv-retry infinite #断线自动重新连接,在网络不稳定的情况下非常有用
nobind #不绑定本地特定的端口号
ca ca.crt #指定CA证书的文件路径
cert client.crt #指定当前客户端的证书文件路径
key client.key #指定当前客户端的私钥文件路径
verb 3 #指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细
persist-key #通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys
persist-tun #检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup

4.启动OpenVPN客户端软件

双击安装好后的OpenVPN软件,然后右键点击连接。

连接成功后,在托任务栏位置的OpenVPN图标会变绿色,则说明OpenVPN已经连接成功。

OpenVPN会分配一个IP地址给客户端,客户端会使用该虚拟网络IP地址与服务端进行通信。

本文转载自: 掘金

开发者博客 – 和开发相关的 这里全都有

0%