Open Vpn CentOS7部署
一、简介
VPN直译就是虚拟专用通道,是提供给企业之间或者个人与公司之间安全数据传输的隧道,OpenVPN无疑是Linux下开源VPN的先锋,提供了良好的性能和友好的用户GUI。
OpenVPN大量使用了OpenSSL加密库中的SSLv3/TLSv1协议函数库。
OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。
1.配置yum源(安装epel)
参考地址:https://fedoraproject.org/wiki/EPEL
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum update
yum repolist
二、生成证书
2.1.下载证书生成工具easy-rsa
yum -y install easy-rsa
2.2.创建证书环境目录
mkdir -p /opt/easy-rsa cp -a /usr/share/easy-rsa/3.0.8/* /opt/easy-rsa/ cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example /opt/easy-rsa/vars
2.3.生成秘钥前,准备vars文件
修改文件/opt/easy-rsa/vars中的如下配置(要取消注释)
set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY "CN" set_var EASYRSA_REQ_PROVINCE "Shanghai" set_var EASYRSA_REQ_CITY "Shanghai" set_var EASYRSA_REQ_ORG "Tom" set_var EASYRSA_REQ_EMAIL "abc@163.com" set_var EASYRSA_NS_SUPPORT "yes"
2.4.初始化
在当前目录下创建pki目录,用于存储证书
[root@openvpn easy-rsa]# cd /opt/easy-rsa/ [root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa init-pki Note: using Easy-RSA configuration from: /opt/easy-rsa/vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /opt/easy-rsa/pki
2.5.创建根证书
根证书用于ca对之后生成的server和client证书签名时使用。(输入两次密码,直接回车)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa build-ca Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase: #这里输入密码 Re-Enter New CA Key Passphrase: #这里输入密码 Generating RSA private key, 2048 bit long modulus .....+++ ..........................................+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /opt/easy-rsa/pki/ca.crt #运行后会得到ca.crt文件
2.6.创建server端证书和私钥文件
nopass表示不加密私钥文件,生成过程中直接回车默认
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req server nopass Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ...........................+++ ........................................................................+++ writing new private key to '/opt/easy-rsa/pki/easy-rsa-1326.TIfM4D/tmp.rxSnIM' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: Keypair and certificate request completed. Your files are: req: /opt/easy-rsa/pki/reqs/server.req #运行后会得到server.req文件 key: /opt/easy-rsa/pki/private/server.key #运行后会得到server.key文件
2.7.给server证书签名(输入yes,输入密码)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign server server Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/easy-rsa/pki/easy-rsa-1397.ds5qpo/tmp.lX0IFN Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: 输入创建根证书时的密码
Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server' Certificate is to be certified until Jun 3 14:02:46 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/easy-rsa/pki/issued/server.crt #运行后会得到server.crt文件
2.8.创建Diffie-Hellman文件,秘钥交换时的Diffie-Hellman算法
/opt/easy-rsa/easyrsa gen-dh
2.9.创建client端证书和私钥文件
nopass表示不加密私钥文件,生成过程中直接回车默认
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req 证书名 nopass Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ..................................................................+++ ...................................................................................................................+++ writing new private key to '/opt/easy-rsa/pki/easy-rsa-1761.HYs4Xv/tmp.z02JuI' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /opt/easy-rsa/pki/reqs/client.req key: /opt/easy-rsa/pki/private/client.key #运行后会得到client.key文件
2.10. 给client端证书签名(输入yes,输入密码)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign client 证书名 Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 825 days: subject= commonName = client Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/easy-rsa/pki/easy-rsa-1828.VwQHeF/tmp.eYqBSS Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: 输入创建根证书时的密码
Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client' Certificate is to be certified until Jun 3 14:09:37 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/easy-rsa/pki/issued/client.crt #运行后会得到client.crt文件
三、OpenVPN服务端部署
1.安装openvpn软件
yum -y install openvpn
2.修改配置文件
自行创建配置文件/etc/openvpn/server.conf,并加入如下配置
port 1194 #端口 proto tcp #协议UDP或者TCP dev tun #采用路由隧道模式tun ca ca.crt #ca证书文件位置 cert server.crt #服务端公钥名称 key server.key #服务端私钥名称 dh dh.pem #交换证书 tls-auth ta.key 0 [可选]#拒绝服务攻击证书文件,该选项需要和客户端同步开启,并且把ta.key文件放在客户端配置文件目录(创建方式:openvpn --genkey --secret ta.key)
server 192.168.100.0 255.255.255.0 #给客户端分配地址池,注意:不能和VPN服务器内网网段一样 client-config-dir ccd #为客户端分配静态IP文件夹
(/etc/openvpn/ccd 创建ccd目录,创建client1,client2..与客户端证书名称对应,如果是用户名密码验证需要和用户名对应, 输入内容 ifconfig-push 172.16.100.2 255.255.255.0)
client-to-client #开启客户端互访 keepalive 10 120 #存活时间,10秒ping一次,120 如未收到响应则视为断线 max-clients 100 #最多允许100个客户端连接 persist-key #通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys persist-tun #检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup status openvpn-status.log #openvpn日志记录位置,默认在 /etc/openvpn verb 3 #openvpn版本 #ifconfig-pool-persist ipp.txt #在openvpn重启时,再次连接的客户端将依然被分配和以前一样的IP地址 #user nobody #group nobody #route 192.168.31.0 255.255.255.0 #允许客户端访问内网192.168.31.1网段
#learn-address ./script
port 1194 proto tcp dev tun ca ca.crt cert server.crt key server.key dh dh.pem server 192.168.100.0 255.255.255.0 client-config-dir ccd client-to-client keepalive 10 120 max-clients 100 persist-key persist-tun status openvpn-status.log verb 3 #ifconfig-pool-persist ipp.txt #user nobody #group nobody #route 10.9.0.0 255.255.255.252 #learn-address ./script
3. 拷贝证书到openvpn主配置文件目录下
cp -a /opt/easy-rsa/pki/ca.crt /etc/openvpn/ cp -a /opt/easy-rsa/pki/issued/server.crt /etc/openvpn/ cp -a /opt/easy-rsa/pki/private/server.key /etc/openvpn/ cp -a /opt/easy-rsa/pki/dh.pem /etc/openvpn/
4. 启动openvpn
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
四、OpenVPN客户端部署
1. 安装OpenVPN客户端软件
这里是在windows环境下部署OpenVPN的客户端的,首先需要下载安装OpenVPN客户端软件
2. 配置客户端
拷贝服务端生成的证书到OpenVPN安装目录的config目录下
分别拷贝以下几个文件
/opt/easy-rsa/pki/ca.crt /opt/easy-rsa/pki/issued/client.crt /opt/easy-rsa/pki/private/client.key
3. 编写客户端配置文件
在OpenVPN安装目录的config目录下,新建一个client.ovpn文件,在文件中添加如下配置:
client #指定当前VPN是客户端
dev tun #使用tun隧道传输协议
proto udp #使用udp协议传输协议
dev-node #指定客户端连接所使用的虚拟网卡(例如:dev-node "本地连接2",网卡名最好用英文)
(定义openvpn运行时使用哪一种模式,openvpn有两种运行模式一种是tap模式,一种是tun模式。
tap模式也就是桥接模式,通过软件在系统中模拟出一个tap设备,该设备是一个二层设备,同时支持链路层协议。
tun模式也就是路由模式,通过软件在系统中模拟出一个tun路由,tun是ip层的点对点协议。
具体使用哪一种模式,需要根据自己的业务进行定义。)
remote 192.168.31.168 1194 #openvpn服务器IP地址端口号 resolv-retry infinite #断线自动重新连接,在网络不稳定的情况下非常有用 nobind #不绑定本地特定的端口号 ca ca.crt #指定CA证书的文件路径 cert client.crt #指定当前客户端的证书文件路径 key client.key #指定当前客户端的私钥文件路径 verb 3 #指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细 persist-key #通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys persist-tun #检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup
auth-nocache #不缓存密码到内存
client ;dev tap dev tun ;dev-node MyTap proto tcp remote my-server-1 1194 ;remote my-server-2 1194 ;remote-random resolv-retry infinite nobind auth-nocache ;user nobody ;group nobody persist-key persist-tun ;mute-replay-warnings ca ca.crt cert client.crt key client.key remote-cert-tls server ;tls-auth ta.key 1 ;cipher x verb 3 ;mute 20
4. 启动OpenVPN客户端软件
1,连接成功后,在托任务栏位置的OpenVPN图标会变绿色,则说明OpenVPN已经连接成功。
2,windows开机自动连接,右键点击图标的属性,在目标路径的最后面添加 --connect client.ovpn,如下图
将快捷方式放入启动项
OpenVPN会分配一个IP地址给客户端,客户端会使用该虚拟网络IP地址与服务端进行通信。
