
Centos 7 OpenVPN Server端安装

简述

因为搞了几个云主机,但是只有一个公网IP,
每次连接都需要先登录到有公网IP的主机,再从那台主机跳转到其他内网主机进行操作。现在准备装一个 VPN,让本机直接通过隧道访问整个内网,来解决这个问题。

OpenVPN官网: https://openvpn.net/
OpenVPN是一个用于创建虚拟专用网络加密通道的软件包,最早由James Yonan编写。OpenVPN允许建立的VPN使用公开密钥、电子证书、或者用户名/密码来进行身份验证。
它基于 OpenSSL 加密库实现控制通道的 TLS 加密(早期文档中提到的 SSLv3/TLSv1 已不再安全,现代版本应只允许 TLS 1.2 及以上)。
目前OpenVPN能在Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X与Microsoft Windows以及Android和iOS上运行,并包含了许多安全性的功能。它并不是一个基于Web的VPN软件,也不与IPsec及其他VPN软件包兼容。

服务器内网地址: 10.241.0.1(eth0);OpenVPN 虚拟网段: 10.8.0.0/24;服务器公网 IP 见下文客户端配置中的 remote 一行。

搭建OpenVPN

# Install the EPEL repository (the openvpn and easy-rsa packages installed in
# the next step come from it).
[root@deploy ~]# yum -y install epel-release
[root@deploy ~]# ll /etc/yum.repos.d/ | grep epel
-rw-r--r--  1 root root  951 Oct  3  2017 epel.repo
-rw-r--r--  1 root root 1.1K Oct  3  2017 epel-testing.repo
# Rebuild the yum metadata cache so the new repository is picked up.
[root@deploy ~]# yum clean all
[root@deploy ~]# yum makecache

# Install OpenVPN and easy-rsa (the certificate tooling used below).
[root@deploy ~]# yum -y install openvpn easy-rsa

# Prepare a working copy of easy-rsa for generating the PKI.
# NOTE(review): this keeps the whole PKI, including the CA private key
# (pki/private/ca.key, see the listing further down), on the VPN server
# itself. For anything beyond a lab, keep the CA on a separate offline machine
# and copy only ca.crt plus the issued server cert/key here.
[root@deploy ~]# mkdir -p /etc/openvpn/keys
# Adjust the version directory if the installed easy-rsa is not 3.0.3.
[root@deploy ~]# cp -rf /usr/share/easy-rsa/3.0.3/* /etc/openvpn/keys/
[root@deploy ~]# cd /etc/openvpn/keys/

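# Certificate subject defaults. easy-rsa 3 reads "set_var EASYRSA_*" lines from
# ./vars ("Note: using Easy-RSA configuration from: ./vars" appears below); the
# "export KEY_*" syntax is easy-rsa 2 and is not honoured by easy-rsa 3 — which
# is consistent with the original KEY_SIZE=1024 having no effect (the client
# key below is still "Generating a 2048 bit RSA private key").
# 1024-bit RSA is also far too weak for a CA today; keep 2048 or larger.
[root@deploy keys]# vim vars
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "BeiJing"
set_var EASYRSA_REQ_CITY     "Beijing"
set_var EASYRSA_REQ_ORG      "Organization Name"
set_var EASYRSA_REQ_EMAIL    "misteryyj@163.com"
set_var EASYRSA_REQ_OU       "server"
# Default Common Name; only used when easyrsa runs in batch mode, otherwise
# build-ca / gen-req prompt for it.
set_var EASYRSA_REQ_CN       "droplet.example.com"
# RSA key size for the CA, server and client keys. Never go below 2048.
set_var EASYRSA_KEY_SIZE     2048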

# Generate the tls-auth shared HMAC key (ta.key). It is referenced as
# "tls-auth ... 0" on the server and "tls-auth ... 1" on every client, so it
# must be distributed to the clients together with their certificate.
[root@deploy keys]# openvpn --genkey --secret ta.key

# Initialise the PKI; creates ./pki under the current directory.
[root@deploy keys]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/keys/pki

# Build the root CA. You are first asked for a passphrase, then can accept the
# remaining prompts with Enter. The passphrase protects pki/private/ca.key and
# is required every time a server or client certificate is signed below —
# do not leave it empty.
[root@deploy keys]# ./easyrsa build-ca
Enter PEM pass phrase: # CA key passphrase
Verifying - Enter PEM pass phrase: # CA key passphrase
-----
Your new CA certificate file for publishing is at:
/etc/openvpn/keys/pki/ca.crt

# Create the server key pair and signing request. "nopass" leaves the private
# key unencrypted, which is what an unattended systemd service needs: a
# passphrase-protected server key makes openvpn stop and ask for the passphrase
# at every start (see the "Enter Private Key Password" output in the start
# step further down).
[root@deploy keys]# ./easyrsa gen-req server nopass 
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/keys/pki/reqs/server.req
key: /etc/openvpn/keys/pki/private/server.key

# Sign the server request with the CA: answer "yes", then enter the CA
# passphrase chosen in build-ca. "sign" is accepted as a shorthand for
# "sign-req" (both are used on this page). The "server" type is what marks the
# certificate as a server certificate for the client-side peer check.
[root@deploy keys]# ./easyrsa sign server server 
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/keys/pki/private/ca.key:

Certificate created at: /etc/openvpn/keys/pki/issued/server.crt

# Generate the Diffie-Hellman parameters (2048-bit; this takes a while).
# Referenced by the "dh" directive in server.conf.
[root@deploy keys]#  ./easyrsa gen-dh 

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................+.........................
..................................................................................................
..............................+...................................................................
.......+..........................................................................................
..................................................................................................
................+....................+..+.......................................................+.
.....+........................+...............................................+...................
.......+............................+.............................................................
....................................................................+.............................
..................................................................................................
.................................................................................................+
.......................................++*++*

DH parameters of size 2048 created at /etc/openvpn/keys/pki/dh.pem

# A second server key pair named "openvpn" — this is the one server.conf
# actually references.
# NOTE(review): it is generated WITHOUT "nopass", so openvpn.key is
# passphrase-protected and the service cannot start unattended (that is the
# "Enter Private Key Password" prompt in the start step below). Either add
# "nopass" here, or drop this duplicate and point server.conf at the "server"
# key pair created above.
[root@deploy keys]# ./easyrsa  gen-req  openvpn
Enter PEM pass phrase: # server key passphrase
Verifying - Enter PEM pass phrase: # server key passphrase
-----
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/keys/pki/reqs/openvpn.req
key: /etc/openvpn/keys/pki/private/openvpn.key


# Sign the "openvpn" request as a server certificate (CA passphrase again).
[root@deploy keys]# ./easyrsa sign-req server openvpn
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/keys/pki/private/ca.key:

Certificate created at: /etc/openvpn/keys/pki/issued/openvpn.crt

# Issue a client certificate. build-client-full generates the key and the
# request and signs it in one step. Set a passphrase here (the client is then
# asked for it on every connect), or append "nopass" for an unencrypted key.
# Issue one certificate per user/device rather than sharing this "client" one:
# a lost certificate can then be revoked on its own (easyrsa revoke +
# gen-crl, with crl-verify on the server) instead of replacing the CA.
[root@deploy keys]# ./easyrsa build-client-full client

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...+++
......................................................................................................................................................+++
writing new private key to '/etc/openvpn/keys/pki/private/client.key.W9fIHNcLKK'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/keys/pki/private/ca.key:

# Inspect the generated files. (The original labelled these "server side" and
# "client side"; that is misleading — issued/ holds every certificate and
# private/ holds every private key, including the CA's.)
# Issued certificates:
[root@deploy keys]# ll pki/issued/
total 24K
-rw------- 1 root root 4.4K Aug  5 16:04 client.crt
-rw------- 1 root root 4.5K Aug  5 16:03 openvpn.crt
-rw------- 1 root root 4.5K Aug  5 15:48 server.crt
# Private keys, mode 0600 and root-owned. ca.key is the most sensitive file
# here: whoever holds it can mint client certificates this server will trust.
# Only client.key (with client.crt, ca.crt and ta.key) is handed to a client.
[root@deploy keys]# ll pki/private/
total 16K
-rw------- 1 root root 1.8K Aug  5 15:48 ca.key
-rw------- 1 root root 1.8K Aug  5 16:04 client.key
-rw------- 1 root root 1.8K Aug  5 15:58 openvpn.key
-rw------- 1 root root 1.7K Aug  5 15:48 server.key

# Enable IPv4 forwarding so packets from the tunnel can be routed on to the
# internal network. Appending to sysctl.conf persists it; "sysctl -p" applies
# it now.
[root@deploy keys]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@deploy keys]# sysctl -p
net.ipv4.ip_forward = 1

配置文件

[root@deploy ~]# cd /etc/openvpn
# NOTE(review): checkpsw.sh is a username/password helper for the
# auth-user-pass-verify directive. The server.conf below does not use it, so
# this download is dead weight. If you do enable password authentication:
# fetch it over HTTPS (this is a plain-HTTP download of a script that will run
# on every login, so it can be tampered with in transit), read it before use,
# and note that the stock script typically reads credentials from a plaintext
# file on the server.
[root@deploy openvpn]# wget http://openvpn.se/files/other/checkpsw.sh
#[root@deploy openvpn]# http://download.baiyongjie.com/linux/openvpn/checkpsw.sh


# Copy the sample server config into the OpenVPN directory (adjust the version
# in the path to match the installed openvpn package).
[root@deploy ~]# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf  /etc/openvpn/

# Edit the server configuration; the trimmed-down result is listed below.
vim /etc/openvpn/server.conf
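# /etc/openvpn/server.conf
port 1194
# UDP only. The client config must use "proto udp" as well.
proto udp
dev tun
ca /etc/openvpn/keys/pki/ca.crt
# NOTE(review): openvpn.key was generated with a passphrase (no "nopass"), so
# this service cannot start unattended — see the "Enter Private Key Password"
# prompt in the start step. Use a key generated with "nopass" (for example the
# "server" pair) instead.
cert /etc/openvpn/keys/pki/issued/openvpn.crt
key /etc/openvpn/keys/pki/private/openvpn.key
dh /etc/openvpn/keys/pki/dh.pem
# Shared HMAC key: packets without a valid HMAC are dropped before the TLS
# handshake, which hides the server from scanners and blunts DoS attempts.
tls-auth /etc/openvpn/keys/ta.key 0
# Refuse TLS versions below 1.2 on the control channel (the 2.4 client used on
# this page supports 1.2).
tls-version-min 1.2
# Revocation: without a CRL a lost or stolen client certificate stays valid
# until the CA is replaced. Uncomment after running "./easyrsa gen-crl" and
# copying pki/crl.pem to this path.
# crl-verify /etc/openvpn/keys/pki/crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Sends ALL client traffic through the VPN. If the goal is only to reach the
# internal hosts, pushing just that route is narrower, e.g.
# push "route 10.241.0.0 255.255.255.0" (use the real internal netmask).
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
cipher AES-256-CBC
# NOTE(review): compression lets an attacker who can inject traffic recover
# secrets from the encrypted stream (VORACLE). Remove comp-lzo from BOTH the
# server and the client config unless it is really needed; it is kept here only
# because the client config on this page uses it too.
comp-lzo
max-clients 50
# Drop root privileges after start-up. persist-key/persist-tun keep the key
# material and the tun device usable across SIGUSR1 restarts once root is gone.
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
mute 20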

# Firewall rules (iptables-services). The snippet below is added to the
# existing /etc/sysconfig/iptables; it is not a complete file.
[root@deploy ~]# vim /etc/sysconfig/iptables

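#OPENVPN
# These lines belong in the existing *filter table of the stock file, BEFORE
# its closing "-A INPUT -j REJECT" / "-A FORWARD -j REJECT" rules if those are
# present — appended after them they are never reached.
# The server listens on UDP/1194 only ("proto udp" in server.conf, and the
# netstat output below), so no TCP/1194 rule is needed.
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
# Accept VPN traffic by interface, not by source address: a bare
# "-s 10.8.0.0/24" rule would also accept packets arriving on eth0 with a
# spoofed 10.8.0.x source.
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
# Replies to forwarded VPN flows come back in on eth0, not tun; without this
# they are dropped by the stock FORWARD reject rule if that rule is present.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT


*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT VPN clients behind the server's eth0 address. One rule is enough:
# the original also had an SNAT rule after this one, but MASQUERADE is a
# terminating target, so that SNAT rule could never match.
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT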

# Start OpenVPN (systemd template unit openvpn@<config name>).
# Add "systemctl enable openvpn@server" if it should start at boot.
[root@deploy openvpn]# systemctl start openvpn@server
# NOTE(review): the prompt below appears because openvpn.key is
# passphrase-protected (it was generated without "nopass"). systemd relays the
# request through systemd-ask-password, and the "Error getting authority" text
# appears to be its agent failing to reach a session bus. A reboot or an
# automatic restart will hang at this point. Use an unencrypted server key so
# the service starts unattended.
Enter Private Key Password: Error getting authority: Error initializing authority: Could not connect: No such file or directory (g-io-error-quark, 1)
*********

# The daemon runs as the unprivileged "openvpn" user (user/group directives).
[root@deploy openvpn]# ps -ef|grep openvpn
openvpn   7405     1  0 17:56 ?        00:00:00 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
root      7467 22125  0 17:57 pts/0    00:00:00 grep --color=auto openvpn

# Listening on UDP 1194 only — the client must use "proto udp" to match.
[root@deploy openvpn]# netstat -pnul | grep 1194 
udp     0     0 0.0.0.0:1194      0.0.0.0:*          7405/openvpn 

windows客户端配置

客户端工具下载:
官网下载地址: https://openvpn.net/index.php/open-source/downloads.html
如官网无法下载: http://download.baiyongjie.com/linux/openvpn/client/openvpn-install-2.4.6-I602.exe
注意: 第三方镜像通过明文 HTTP 分发,无法保证安装包未被篡改;使用前请核对官方公布的 SHA256 校验值或 GPG 签名,能用官网就优先用官网。

安装:

1. 默认安装,安装路径默认为 C:\Program Files\OpenVPN
2. 将 client.key、client.crt、ca.crt、ta.key(注意是 ta.key 而不是 ta.crt,文件名要与下面配置里 tls-auth 引用的一致)拷贝到 C:\Program Files\OpenVPN\config。client.key 是客户端私钥,请用 scp 等加密通道传输,不要通过邮件或聊天工具发送。
3. 在同一目录新建 client.ovpn 文件(扩展名必须是 .ovpn,原文的 .opvn 是笔误),内容如下
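# client.ovpn — placed in C:\Program Files\OpenVPN\config together with
# ca.crt, client.crt, client.key and ta.key.
client
dev tun
# Must match the server: server.conf uses "proto udp" and the server only
# listens on UDP/1194, so the original "proto tcp" could never connect.
proto udp
remote 101.89.82.106 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Require that the peer presents a certificate issued with easy-rsa's "server"
# type, so another client's certificate cannot impersonate the server.
# Replaces the deprecated "ns-cert-type server" (removed in OpenVPN 2.5).
remote-cert-tls server
# Second parameter 1 = client side of the shared ta.key (server uses 0).
tls-auth ta.key 1
# NOTE(review): compression enables VORACLE-style attacks; remove it from both
# client and server configs unless needed. Kept here to match server.conf.
comp-lzo
verb 3
# Uncomment to add username/password authentication; the server then also
# needs a matching auth-user-pass-verify setup (e.g. the checkpsw.sh helper).
#auth-user-pass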
4.启动openvpn,右键右下角带锁的小电脑,选择connect

连接日志:
《Centos 7 OpenVPN Server端安装》
