前言
为了方便远程办公时访问公司的内部系统,如:svn、OA、wiki、禅道等等;通通在防火墙上做了端口映射。发现有时也不好用,所有开始弄OPENVPN。
openvpn简介
官方网站:https://openvpn.net 打不开请爬墙
openssl原理:http://www.178linux.com/archives/2704 参考书生的博客,哈哈
openvpn原理:http://freeloda.blog.51cto.com/2033581/1354768 参考往期学员的博客,此处就不赘述了。
安装配置步骤
1、安装openvpn软件
2、生成服务器证书
3、修改主配置文件
4、生成并签署客户端证书
4、客户端配置并连接
一、安装openvpn软件
安装epel源
# rpm -ivh http://mirrors.zju.edu.cn/epel/6/i386/epel-release-6-8.noarch.rpm Retrieving http://mirrors.zju.edu.cn/epel/6/i386/epel-release-6-8.noarch.rpm Preparing... ########################################### [100%] 1:epel-release ########################################### [100%]
安装openvpn
先安装依赖包:# yum -y localinstall pkcs11-helper-1.11-3.el6.x86_64.rpm 之后安装vpn: # yum -y install openvpn-2.3.8-1.el6.x86_64.rpm
下载easyesa,创建CA、生成证书都需要它
# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip # unzip master.zip # mv easy-rsa-master/ /etc/openvpn
二、生成服务器证书
先切换目录到/etc/openvpn/easy-rsa-master/easyrsa3以便生成证书
# cd /etc/openvpn/easy-rsa-master/easyrsa3/ # pki目录初始化,此动作会删除pki目录下所有证书及密钥文件 # ./easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa-master/easyrsa3/pki # 创建根证书,密钥文件需要设置密码保护,并指定一个名称 # ./easyrsa build-ca Generating a 2048 bit RSA private key .............................+++ .......................................................+++ writing new private key to '/etc/openvpn/easy-rsa-master/easyrsa3/pki/private/ca.key.NgXw582N1L' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: #这块需要输入密码 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:hzcf #可以自定义 CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa-master/easyrsa3/pki/ca.crt 生成一个服务器端的证书请求文件,不需要密码保护 # ./easyrsa gen-req server no pass Ignoring unknown command option: 'no' Ignoring unknown command option: 'pass' Generating a 2048 bit RSA private key ...+++ ......+++ writing new private key to '/etc/openvpn/easy-rsa-master/easyrsa3/pki/private/server.key.Q4us0AebEk' Enter PEM pass phrase: #需要输入密码 Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]:server Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa-master/easyrsa3/pki/reqs/server.req key: /etc/openvpn/easy-rsa-master/easyrsa3/pki/private/server.key # 签署服务器端的请求证书,需要输入根证书的密码授权 # ./easyrsa sign-req server server You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes #输入yes Using configuration from /etc/openvpn/easy-rsa-master/easyrsa3/openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa-master/easyrsa3/pki/private/ca.key: #这块需要输入CA生成的密码 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :PRINTABLE:'server' Certificate is to be certified until Dec 18 07:55:09 2025 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa-master/easyrsa3/pki/issued/server.crt
#生成 Diffie Hellman 参数 # ./easyrsa gen-dh Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time .......................................+............................................................................+. ..................................................+................................................................. ...........................+..............++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa-master/easyrsa3/pki/dh.pem # 查看服务器端生成的所有证书及密钥文件 # yum -y install tree # tree pki pki ├── ca.crt ├── certs_by_serial │ └── 01.pem ├── dh.pem ├── index.txt ├── index.txt.attr ├── index.txt.old ├── issued │ └── server.crt ├── private │ ├── ca.key │ └── server.key ├── reqs │ └── server.req ├── serial └── serial.old 4 directories, 12 files # 为方便查看及配置,把服务器端需要用到的证书及密钥文件放到/etc/openvpn目录下 # cp pki/ca.crt /etc/openvpn # cp pki/private/server.key /etc/openvpn # cp pki/issued/server.crt /etc/openvpn # cp pki/dh.pem /etc/openvpn
三、修改主配置文件,
默认没有主配置文件,需要从/usr/share/doc下复制一个模版文件过来
# cp /usr/share/doc/openvpn-2.3.8/sample/sample-config-files/server.conf /etc/openvpn # egrep -v "^(#|;)|^$" server.conf port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh2048.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status openvpn-status.log verb 3 # egrep -v "^(#|;)|^$" server.conf >> server.conf.2 # rm -rf server.conf # mv server.conf.2 server.conf # vim server.conf local 0.0.0.0 port 51194 proto tcp dev tun ca /etc/openvpn/ca.crt cert /etc/openvpn/server.crt key /etc/openvpn/server.key # This file should be kept secret dh /etc/openvpn/dh.pem server 10.38.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" #启用后,客户端连接后所有上网请求都走VPN网关 push "route 10.0.1.0 255.255.0.0" push "route 10.0.2.0 255.255.0.0" push "dhcp-option DNS 114.114.114.114" keepalive 10 120 comp-lzo max-clients 100 persist-key persist-tun status /var/log/openvpn-status.log log /var/log/openvpn.log log-append /var/log/openvpn.log client-to-client verb 3
需要启用路由转发
# sysctl -w net.ipv4.ip_forward=1 # 修改配置文件使其永久生效 # # vim /etc/sysctl.conf net.ipv4.ip_forward = 1 # sysctl -p 重读配置文件 # 防火墙开启路由功能 # iptables -t nat -A POSTROUTING -s 10.38.0.0/24 -j MASQUERADE
服务启动后会生成一个VPN网关
# openvpn --config server.conf & # # ifconfig tun0 tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.28.0.1 P-t-P:10.28.0.2 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
四、生成并签署客户端证书
生成一个证书请求文件,在服务器端或客户端都可以生成;设置密码保护并指定一个名称
# cp -r /etc/openvpn/easy-rsa-master/ /tmp # cd /tmp/easy-rsa-master/easyrsa3/ # ./easyrsa init-pki # ./easyrsa gen-req pandong Generating a 2048 bit RSA private key ...................................+++ ...........+++ writing new private key to '/tmp/easy-rsa-master/easyrsa3/pki/private/pandong.key.eBhsiM5QVM' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [pandong]:pandong Keypair and certificate request completed. Your files are: req: /tmp/easy-rsa-master/easyrsa3/pki/reqs/pandong.req key: /tmp/easy-rsa-master/easyrsa3/pki/private/pandong.key # 导入客户端证书请求文件 # cd /etc/openvpn/easy-rsa-master/easyrsa3/ # ./easyrsa import-req /tmp/easy-rsa-master/easyrsa3/pki/reqs/pandong.req pandong The request has been successfully imported with a short name of: pandong You may now use this name to perform signing operations on this request. # 签署客户端证书,同样,需要需要输入根证书密码授权 # ./easyrsa sign-req client pandong You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject= commonName = pandong Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes # 输入:yes Using configuration from /etc/openvpn/easy-rsa-master/easyrsa3/openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa-master/easyrsa3/pki/private/ca.key: # 输入密码 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :PRINTABLE:'pandong' Certificate is to be certified until Dec 18 09:51:35 2025 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa-master/easyrsa3/pki/issued/pandong.crt
五、客户端配置并连接
到官网下载相应的软件 https://openvpn.net/index.php/open-source/downloads.html
默认会安装到 C:\Program Files\OpenVPN 下
下载根证书、客户端证书、客户端密钥这三个文件,放到 C:\Program Files\OpenVPN\config下
# sz /etc/openvpn/easy-rsa-master/easyrsa3/pki/ca.crt # sz /etc/openvpn/easy-rsa-master/easyrsa3/pki/issued/pandong.crt # sz /tmp/easy-rsa-master/easyrsa3/pki/private/pandong.key
修改客户端配置文件,默认没有此文件,需要从 C:\Program Files\OpenVPN\sample-config\client.ovpn 复制一份到config目录下
client dev tun proto tcp remote 211.103.153.157 56794 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert pandong.crt key pandong.key comp-lzo verb 3
有配置文件和证书后,点击connect并输入liuliang.key的密钥密码后即可连接,如图
原创文章,作者:oranix,如若转载,请注明出处:http://www.178linux.com/10334
