Building an OpenVPN server on CentOS 6.5 and installing and configuring the Windows client, step by step

1. Environment setup


Notes:
vpn client 192.168.8.16/24
openvpn server:
eth0: 192.168.8.41
eth1: 172.16.1.10


app server: 
172.16.1.20


The app server and eth1 of the OpenVPN server are both on vmnet2


openvpn server
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:6C:85:A0  
          inet addr:192.168.8.41  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe6c:85a0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9587674 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5211921 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1241650018 (1.1 GiB)  TX bytes:1238208023 (1.1 GiB)


eth1      Link encap:Ethernet  HWaddr 00:0C:29:6C:85:AA  
          inet addr:172.16.1.10  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe6c:85aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:122 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11314 (11.0 KiB)  TX bytes:6306 (6.1 KiB)


lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1572 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:141358 (138.0 KiB)  TX bytes:141358 (138.0 KiB)


2. Time synchronization:

# ntpdate 192.168.8.102


3. Create the OpenVPN installation directory

# mkdir -pv /home/tools/openvpn
mkdir: created directory `/home/tools'
mkdir: created directory `/home/tools/openvpn'
# cd /home/tools/openvpn/
Upload the installation packages to this directory
# ls -l
total 1464
-rw-r--r-- 1 root root 583045 Jun 29 17:30 lzo-2.06.tar.gz
-rw-r--r-- 1 root root 911158 Jun 29 17:30 openvpn-2.2.2.tar.gz


4. Install dependencies

# yum install -y gcc*
# yum install -y openssl*


Compile and install the dependency package; after each step, run echo $? to confirm it completed successfully (0 means success)


tar zxf lzo-2.06.tar.gz 
cd lzo-2.06
./configure 
make
make install


Install the OpenVPN server
# tar zxf openvpn-2.2.2.tar.gz 
# cd openvpn-2.2.2


# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
# make && make install


Verify that the installation succeeded
# ll /usr/local/sbin/openvpn 
-rwxr-xr-x 1 root root 2545339 Jun 29 17:55 /usr/local/sbin/openvpn
# which openvpn
/usr/local/sbin/openvpn


5. Configure the OpenVPN server's certificates and keys

# cd /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0
# vim vars


export KEY_COUNTRY="CN"
export KEY_PROVINCE="SZ"
export KEY_CITY="shenzhen"
export KEY_ORG="chinasoft"
export KEY_EMAIL="chinasoft@qq.com"
export KEY_EMAIL=chinasoft@qq.com
export KEY_CN=CN
export KEY_NAME=chinasoft
export KEY_OU=chinasoft
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234


Apply the settings
[root@node3 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@node3 2.0]# ./clean-all 
[root@node3 2.0]# ./build-ca 
Generating a 1024 bit RSA private key
................................................++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [CN]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:


# ll keys/
total 12
-rw-r--r-- 1 root root 1367 Jun 29 18:09 ca.crt
-rw------- 1 root root  916 Jun 29 18:09 ca.key
-rw-r--r-- 1 root root    0 Jun 29 18:08 index.txt
-rw-r--r-- 1 root root    3 Jun 29 18:08 serial


Generate the server certificate and key files

# ./build-key-server server
Generating a 1024 bit RSA private key
.................................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [server]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456  
An optional company name []:chinasoft
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SZ'
localityName          :PRINTABLE:'shenzhen'
organizationName      :PRINTABLE:'chinasoft'
organizationalUnitName:PRINTABLE:'chinasoft'
commonName            :PRINTABLE:'chinasoft'
name                  :PRINTABLE:'chinasoft'
emailAddress          :IA5STRING:'chinasoft@qq.com'
Certificate is to be certified until Jun 27 10:13:59 2026 GMT (3650 days)
Sign the certificate? [y/n]:y




1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Create two client certificates, named client and ett respectively



[root@node3 2.0]# ./build-key test


Note: the ./build-key test command must not be run as ./build-key chinasoft or with any other name identical to the organization name or another DN field, otherwise the client and server cannot communicate


Generating a 1024 bit RSA private key
.......++++++
................................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [test]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:chinasoft
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SZ'
localityName          :PRINTABLE:'shenzhen'
organizationName      :PRINTABLE:'chinasoft'
organizationalUnitName:PRINTABLE:'chinasoft'
commonName            :PRINTABLE:'chinasoft'
name                  :PRINTABLE:'chinasoft'
emailAddress          :IA5STRING:'chinasoft@qq.com'
Certificate is to be certified until Jun 27 13:29:36 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2


Create a passphrase-protected client key



# ./build-key-pass ett
Generating a 1024 bit RSA private key
........................................++++++
................++++++
writing new private key to 'ett.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [ett]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:chinasoft
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SZ'
localityName          :PRINTABLE:'shenzhen'
organizationName      :PRINTABLE:'chinasoft'
organizationalUnitName:PRINTABLE:'chinasoft'
commonName            :PRINTABLE:'chinasoft'
name                  :PRINTABLE:'chinasoft'
emailAddress          :IA5STRING:'chinasoft@qq.com'
Certificate is to be certified until Jun 27 10:24:44 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2


Generate the Diffie-Hellman parameter file used for the key exchange

# ./build-dh
# ll keys/dh1024.pem 
-rw-r--r-- 1 root root 245 Jun 29 19:05 keys/dh1024.pem


To guard against attacks such as DoS and UDP port flooding, generate an HMAC firewall key (tls-auth)

# openvpn --genkey --secret keys/ta.key
[root@node3 2.0]# ll keys/ta.key 
-rw------- 1 root root 636 Jun 29 19:07 keys/ta.key


6. Configure the openvpn.conf file

# mkdir /etc/openvpn
# cp -a keys /etc/openvpn/
[root@node3 2.0]# cp ../../sample-config-files/server.conf /etc/openvpn/
[root@node3 2.0]# tree /etc/op
openldap/ openvpn/  opt/      
[root@node3 2.0]# tree /etc/openvpn/
-bash: tree: command not found
[root@node3 2.0]# tree /etc/openvpn/
/etc/openvpn/
├── keys
│   ├── 01.pem
│   ├── ca.crt
│   ├── ca.key
│   ├── chinasoft.crt
│   ├── chinasoft.csr
│   ├── chinasoft.key
│   ├── dh1024.pem
│   ├── ett.crt
│   ├── ett.csr
│   ├── ett.key
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.old
│   ├── serial
│   ├── serial.old
│   ├── server.crt
│   ├── server.csr
│   ├── server.key
│   └── ta.key
└── server.conf




# vim /etc/openvpn/server.conf


local 192.168.8.41 # listen address
port 52155 # listen port
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt # CA certificate
cert /etc/openvpn/keys/server.crt # server certificate
key /etc/openvpn/keys/server.key # server key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 # address pool the VPN server assigns to VPN clients; normally needs no change
push "route 172.16.1.0 255.255.255.0" # internal subnet behind the VPN server; add one push line per subnet if there are several
ifconfig-pool-persist /etc/openvpn/keys/ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
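The server.conf above enables duplicate-cn and omits tls-auth even though ta.key was generated in step 5. The following added example (not part of the original post) lints such a config for those two points plus two more a practitioner would check: whether the daemon drops root via user/group, and whether the dh file is the 1024-bit one from build-dh. The sample config and the hardened variant are constructed here.

```python
# Added example: lint an OpenVPN server.conf for a few hardening settings.

def parse_openvpn_conf(text):
    """Return a list of (directive, args); '#' trailing comments (as used
    on this page) and ';'-commented lines are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives

def lint_server_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_openvpn_conf(text)
    names = {d for d, _ in conf}
    findings = []
    if "tls-auth" not in names:
        findings.append("tls-auth missing: ta.key exists but the HMAC firewall "
                        "is not enabled, so the control channel accepts "
                        "unauthenticated packets")
    if "duplicate-cn" in names:
        findings.append("duplicate-cn set: clients may share one certificate, "
                        "so a leaked key is hard to attribute and revoking it "
                        "cuts off every client using it")
    if not {"user", "group"} <= names:
        findings.append("no user/group directive: daemon keeps running as root")
    for d, args in conf:
        if d == "dh" and args and "1024" in args[0]:
            findings.append("dh file name suggests 1024-bit parameters; "
                            "regenerate with at least 2048 bits")
    return findings

# Constructed excerpt of this page's server.conf (port and paths as above).
PAGE_CONF = """\
local 192.168.8.41 # listen address
port 52155
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
duplicate-cn
"""

# Same config with the findings addressed (assumes ta.key and a dh2048.pem).
HARDENED_CONF = (PAGE_CONF.replace("duplicate-cn\n", "").replace("dh1024", "dh2048")
                 + "tls-auth /etc/openvpn/keys/ta.key 0\nuser nobody\ngroup nobody\n")
```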


Enable IP forwarding

# vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1
Apply the change
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296


8. Start the OpenVPN server service

# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
Check that the service started correctly
# netstat -lntup|grep vpn
tcp        0      0 0.0.0.0:52155               0.0.0.0:*                   LISTEN      28959/openvpn    


Add it to the startup script
# echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >> /etc/rc.local 
[root@node3 openvpn]# tail -1 /etc/rc.local 
tail: inotify cannot be used, reverting to polling
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &


Register OpenVPN as a system service
# cp /home/tools/openvpn/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@node3 openvpn]# chkconfig --add openvpn
[root@node3 openvpn]# chkconfig --list openvpn
openvpn         0:off   1:off   2:off   3:on    4:on    5:on    6:off
[root@node3 openvpn]# chmod +x /etc/init.d/openvpn 
[root@node3 openvpn]# chkconfig openvpn on
[root@node3 openvpn]# chkconfig --list openvpn
openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@node3 openvpn]# killall openvpn
[root@node3 openvpn]# service openvpn start
Starting openvpn:                                          [  OK  ]
[1]+  Done                    /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
[root@node3 openvpn]# service openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [  OK  ]


# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:6C:85:A0  
          inet addr:192.168.8.41  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe6c:85a0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9941129 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5344611 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1366753019 (1.2 GiB)  TX bytes:1255169492 (1.1 GiB)


eth1      Link encap:Ethernet  HWaddr 00:0C:29:6C:85:AA  
          inet addr:172.16.1.10  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe6c:85aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:414 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:28834 (28.1 KiB)  TX bytes:6644 (6.4 KiB)


lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1738 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:155542 (151.8 KiB)  TX bytes:155542 (151.8 KiB)


tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:240 (240.0 b)  TX bytes:0 (0.0 b)

If startup reports an error:
edit the service startup script /etc/init.d/openvpn and change
for c in `/bin/ls *.conf 2>/dev/null`; do
to
for c in `/bin/ls server.conf 2>/dev/null`; do


9. Install the Windows client openvpn-2.2.2-install.exe



Install a file-transfer tool on the VPN server and transfer the following files to the client, placing them in the E:\Program Files (x86)\OpenVPN\config\test directory

Rename client.conf to test.ovpn


# yum install -y lrzsz
# sz -y ca.crt test.crt test.key client.conf


Error:
failed to update database
TXT_DB error number 2


Solution:
 
vim /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys/index.txt.attr
Change unique_subject = yes to unique_subject = no
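Setting unique_subject = no makes the signing go through, but the underlying cause of the error in step 5 is that every certificate on this page was issued with the same Common Name (chinasoft), which is also what the note about not naming a client after the organization is getting at. The added example below (not from the original post) reads the easy-rsa CA database keys/index.txt and reports whether a request with a given subject would clash with a still-valid entry, so the conflict is visible before running build-key. The index.txt lines are constructed to mirror the DN used on this page.

```python
# Added example: explain "TXT_DB error number 2" from the easy-rsa CA database.

def parse_index(text):
    """Parse OpenSSL CA index.txt: tab-separated status (V/R/E), expiry,
    revocation date, serial, filename, subject DN (/C=CN/.../CN=chinasoft/...)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, filename, subject = fields
        entries.append({"status": status, "expiry": expiry, "revoked": revoked,
                        "serial": serial, "filename": filename, "subject": subject})
    return entries

def subject_cn(subject):
    """Return the CN attribute of a /-separated subject DN, or None."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None

def signing_conflicts(entries, new_subject):
    """Serials of still-valid (status V) entries whose subject equals
    new_subject. Only valid entries are indexed by the CA, so a revoked or
    expired certificate with the same subject does not block signing."""
    return [e["serial"] for e in entries
            if e["status"] == "V" and e["subject"] == new_subject]

def would_sign(entries, new_subject, unique_subject=True):
    """True if openssl ca would accept the request. With unique_subject = yes
    (the easy-rsa 2.0 default) a conflict aborts with TXT_DB error number 2;
    unique_subject = no is this page's workaround."""
    return not (unique_subject and signing_conflicts(entries, new_subject))

# Constructed sample index.txt (not the author's file): the server certificate
# was issued with CN=chinasoft, a client certificate with CN=ett.
SAMPLE_INDEX = (
    "V\t260627101359Z\t\t01\tunknown\t/C=CN/ST=SZ/L=shenzhen/O=chinasoft"
    "/OU=chinasoft/CN=chinasoft/name=chinasoft/emailAddress=chinasoft@qq.com\n"
    "V\t260627102444Z\t\t02\tunknown\t/C=CN/ST=SZ/L=shenzhen/O=chinasoft"
    "/OU=chinasoft/CN=ett/name=chinasoft/emailAddress=chinasoft@qq.com\n"
)
```

A request whose CN differs from every valid entry (for example CN=test) signs cleanly even with unique_subject = yes, which is the cheaper fix.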


After the VPN client connects, ping 172.16.1.20
A packet capture on the app server 172.16.1.20 shows only the request packets, with no replies
# tcpdump -nnn -s 10000|grep -i icmp


After pointing the app server's default gateway at the VPN server's internal NIC, ping succeeds and access to the nginx service at http://172.16.1.20 works as well


# route add default gw 172.16.1.10


Alternatively, add a static route

# route add -net 10.8.0.0/24 gw 172.16.1.10


To make the route permanent, there are several options:
Method 1:
vi /etc/sysconfig/network-scripts/route-eth0  # this file does not exist by default
Add the following line:
10.8.0.0/24 via 172.16.1.10
Tip: once it is in this config file, the route survives both a network service restart and a system reboot.
 
Method 2:
vi /etc/sysconfig/static-routes  # this file does not exist by default
Add the following line:
any net 10.8.0.0/24 gw 172.16.1.10
Tip: once it is in this config file, the route survives both a network service restart and a system reboot.
 
Method 3:
vi /etc/rc.local
Add the following line:
route add -net 10.8.0.0/24 gw 172.16.1.10
PS: Method 1 is recommended for production use
Tip: Method 3 (writing it into /etc/rc.local) is only loaded at boot; the route is lost after a manual network restart, but comes back after a system reboot.


Note: if the gateway is not the VPN server's internal address, a network route must be added for all VPN clients; if the gateway is the VPN server's internal address, no static route needs to be added.
posted @ 2016-06-30 10:53  reblue520