Setting up an OpenVPN server on CentOS 6.5 and installing and configuring the Windows client, step by step
1. Environment setup
Notes:
vpn client 192.168.8.16/24
openvpn server:
eth0: 192.168.8.41
eth1: 172.16.1.10
app server:
172.16.1.20
The app server and the OpenVPN server's eth1 are both on vmnet2.
openvpn server
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:6C:85:A0
inet addr:192.168.8.41 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe6c:85a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9587674 errors:0 dropped:0 overruns:0 frame:0
TX packets:5211921 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1241650018 (1.1 GiB) TX bytes:1238208023 (1.1 GiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:6C:85:AA
inet addr:172.16.1.10 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe6c:85aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:122 errors:0 dropped:0 overruns:0 frame:0
TX packets:73 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11314 (11.0 KiB) TX bytes:6306 (6.1 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1572 errors:0 dropped:0 overruns:0 frame:0
TX packets:1572 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:141358 (138.0 KiB) TX bytes:141358 (138.0 KiB)
2. Time synchronization:
# ntpdate 192.168.8.102
3. Create the OpenVPN installation directory
# mkdir -pv /home/tools/openvpn
mkdir: created directory `/home/tools'
mkdir: created directory `/home/tools/openvpn'
# cd /home/tools/openvpn/
Upload the installation packages to this directory
# ls -l
total 1464
-rw-r--r-- 1 root root 583045 Jun 29 17:30 lzo-2.06.tar.gz
-rw-r--r-- 1 root root 911158 Jun 29 17:30 openvpn-2.2.2.tar.gz
4. Install dependencies
# yum install -y gcc*
# yum install -y openssl*
Compile and install the dependency; running echo $? after each step tells you whether that step succeeded.
tar zxf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make
make install
Install the OpenVPN server
# tar zxf openvpn-2.2.2.tar.gz
# cd openvpn-2.2.2
# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
# make && make install
Verify the installation
# ll /usr/local/sbin/openvpn
-rwxr-xr-x 1 root root 2545339 Jun 29 17:55 /usr/local/sbin/openvpn
# which openvpn
/usr/local/sbin/openvpn
5. Generate the OpenVPN server's keys and certificates
# cd /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0
# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SZ"
export KEY_CITY="shenzhen"
export KEY_ORG="chinasoft"
export KEY_EMAIL="chinasoft@qq.com"
export KEY_EMAIL=chinasoft@qq.com
export KEY_CN=CN
export KEY_NAME=chinasoft
export KEY_OU=chinasoft
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Load the settings
[root@node3 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@node3 2.0]# ./clean-all
[root@node3 2.0]# ./build-ca
Generating a 1024 bit RSA private key
................................................++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [CN]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:
# ll keys/
total 12
-rw-r--r-- 1 root root 1367 Jun 29 18:09 ca.crt
-rw------- 1 root root 916 Jun 29 18:09 ca.key
-rw-r--r-- 1 root root 0 Jun 29 18:08 index.txt
-rw-r--r-- 1 root root 3 Jun 29 18:08 serial
Generate the server certificate and key file
# ./build-key-server server
Generating a 1024 bit RSA private key
.................................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [server]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:chinasoft
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SZ'
localityName :PRINTABLE:'shenzhen'
organizationName :PRINTABLE:'chinasoft'
organizationalUnitName:PRINTABLE:'chinasoft'
commonName :PRINTABLE:'chinasoft'
name :PRINTABLE:'chinasoft'
emailAddress :IA5STRING:'chinasoft@qq.com'
Certificate is to be certified until Jun 27 10:13:59 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create two client certificates, client and ett
[root@node3 2.0]# ./build-key test
Note: ./build-key test must not be run as ./build-key chinasoft or with any other name that coincides with the organization name and similar fields, otherwise the client cannot communicate.
Generating a 1024 bit RSA private key
.......++++++
................................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [test]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:chinasoft
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SZ'
localityName :PRINTABLE:'shenzhen'
organizationName :PRINTABLE:'chinasoft'
organizationalUnitName:PRINTABLE:'chinasoft'
commonName :PRINTABLE:'chinasoft'
name :PRINTABLE:'chinasoft'
emailAddress :IA5STRING:'chinasoft@qq.com'
Certificate is to be certified until Jun 27 13:29:36 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Create a passphrase-protected client key
# ./build-key-pass ett
Generating a 1024 bit RSA private key
........................................++++++
................++++++
writing new private key to 'ett.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [shenzhen]:
Organization Name (eg, company) [chinasoft]:
Organizational Unit Name (eg, section) [chinasoft]:
Common Name (eg, your name or your server's hostname) [ett]:chinasoft
Name [chinasoft]:
Email Address [chinasoft@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:chinasoft
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SZ'
localityName :PRINTABLE:'shenzhen'
organizationName :PRINTABLE:'chinasoft'
organizationalUnitName:PRINTABLE:'chinasoft'
commonName :PRINTABLE:'chinasoft'
name :PRINTABLE:'chinasoft'
emailAddress :IA5STRING:'chinasoft@qq.com'
Certificate is to be certified until Jun 27 10:24:44 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Generate the Diffie-Hellman parameter file used for the key exchange
# ./build-dh
# ll keys/dh1024.pem
-rw-r--r-- 1 root root 245 Jun 29 19:05 keys/dh1024.pem
To guard against malicious attacks such as DoS and UDP port flooding, generate an HMAC firewall key (tls-auth)
# openvpn --genkey --secret keys/ta.key
[root@node3 2.0]# ll keys/ta.key
-rw------- 1 root root 636 Jun 29 19:07 keys/ta.key
6. Configure the openvpn.conf file
# mkdir /etc/openvpn
# cp -a keys /etc/openvpn/
[root@node3 2.0]# cp ../../sample-config-files/server.conf /etc/openvpn/
[root@node3 2.0]# tree /etc/openvpn/
/etc/openvpn/
├── keys
│ ├── 01.pem
│ ├── ca.crt
│ ├── ca.key
│ ├── chinasoft.crt
│ ├── chinasoft.csr
│ ├── chinasoft.key
│ ├── dh1024.pem
│ ├── ett.crt
│ ├── ett.csr
│ ├── ett.key
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.old
│ ├── serial
│ ├── serial.old
│ ├── server.crt
│ ├── server.csr
│ ├── server.key
│ └── ta.key
└── server.conf
# vim /etc/openvpn/server.conf
local 192.168.8.41 # listen address
port 52155 # listen port
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt # CA certificate
cert /etc/openvpn/keys/server.crt # server certificate
key /etc/openvpn/keys/server.key # server private key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0 # address pool the VPN server hands out to VPN clients; usually needs no change
push "route 172.16.1.0 255.255.255.0" # internal subnet behind the VPN server; add one push line per subnet if there are several
ifconfig-pool-persist /etc/openvpn/keys/ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
Enable IP forwarding
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
Apply the setting
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
8. Start the OpenVPN server service
# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
Check that the service started properly
# netstat -lntup|grep vpn
tcp 0 0 0.0.0.0:52155 0.0.0.0:* LISTEN 28959/openvpn
Add it to the startup script
# echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >> /etc/rc.local
[root@node3 openvpn]# tail -1 /etc/rc.local
tail: inotify cannot be used, reverting to polling
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
Add OpenVPN as a system service
# cp /home/tools/openvpn/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@node3 openvpn]# chkconfig --add openvpn
[root@node3 openvpn]# chkconfig --list openvpn
openvpn 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@node3 openvpn]# chmod +x /etc/init.d/openvpn
[root@node3 openvpn]# chkconfig openvpn on
[root@node3 openvpn]# chkconfig --list openvpn
openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@node3 openvpn]# killall openvpn
[root@node3 openvpn]# service openvpn start
Starting openvpn: [ OK ]
[1]+ Done /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
[root@node3 openvpn]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:6C:85:A0
inet addr:192.168.8.41 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe6c:85a0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9941129 errors:0 dropped:0 overruns:0 frame:0
TX packets:5344611 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1366753019 (1.2 GiB) TX bytes:1255169492 (1.1 GiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:6C:85:AA
inet addr:172.16.1.10 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe6c:85aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:414 errors:0 dropped:0 overruns:0 frame:0
TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28834 (28.1 KiB) TX bytes:6644 (6.4 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1738 errors:0 dropped:0 overruns:0 frame:0
TX packets:1738 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:155542 (151.8 KiB) TX bytes:155542 (151.8 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:240 (240.0 b) TX bytes:0 (0.0 b)
If the service fails to start:
edit the init script /etc/init.d/openvpn and change
for c in `/bin/ls *.conf 2>/dev/null`; do
to
for c in `/bin/ls server.conf 2>/dev/null`; do
9. Installing the Windows client openvpn-2.2.2-install.exe
Install a file-transfer tool on the VPN server and send the following files to the client, placing them in E:\Program Files (x86)\OpenVPN\config\test
Rename client.conf to test.ovpn
# sz -y ca.crt test.crt test.key client.conf
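The tutorial renames client.conf to test.ovpn but never shows its contents. The shell snippet below is an added example, not part of the original post: it emits a client profile matching the server.conf above (TCP, port 52155, remote 192.168.8.41). It assumes ca.crt, test.crt, test.key and ta.key sit beside the .ovpn file and that server.conf also gets a matching tls-auth /etc/openvpn/keys/ta.key 0 line, which the server.conf listed above does not yet contain.

```shell
#!/bin/sh
# Added example (not from the original tutorial): emit an OpenVPN 2.2 client profile
# that matches the server.conf on this page.
# Usage: write_client_profile <client-name> > <client-name>.ovpn
# Assumptions (mine): ca.crt, <name>.crt, <name>.key and ta.key are placed next to the
# .ovpn file, and server.conf carries "tls-auth /etc/openvpn/keys/ta.key 0".

VPN_SERVER_ADDR=192.168.8.41   # "local" in server.conf
VPN_SERVER_PORT=52155          # "port" in server.conf

write_client_profile() {
    name=$1
    cat <<EOF
client
dev tun
# must match "proto tcp" on the server
proto tcp
remote $VPN_SERVER_ADDR $VPN_SERVER_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $name.crt
key $name.key
# ta.key came from "openvpn --genkey --secret"; the server uses direction 0 and every
# client direction 1. If the server lacks tls-auth, the handshake fails closed.
tls-auth ta.key 1
# Only accept a peer whose certificate carries the server extension that
# build-key-server added, so a stolen client certificate cannot pose as the server
# (OpenVPN 2.2-era option; later releases use "remote-cert-tls server").
ns-cert-type server
# server.conf has comp-lzo, so the client must enable it as well
comp-lzo
verb 3
EOF
}

# Return 0 when profile text $1 contains a line that is exactly $2, 1 otherwise.
profile_has() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# Stand-alone run: print the profile for the "test" client used on this page.
write_client_profile test
```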
Error:
failed to update database
TXT_DB error number 2
Fix:
vim /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys/index.txt.attr
change unique_subject = yes to unique_subject = no
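The TXT_DB error number 2 above is OpenSSL's CA database refusing a second valid certificate whose subject exactly matches an existing entry (every certificate on this page was given CN=chinasoft). Setting unique_subject = no lets the signing go through but leaves several certificates with identical subjects, which is why server.conf needs duplicate-cn and why per-client settings or log entries keyed on the CN cannot tell them apart. The script below is an added example, not part of the original tutorial: it parses the easy-rsa keys/index.txt format and reports such collisions; the sample database it builds is constructed by me.

```shell
#!/bin/sh
# Added example (not from the original tutorial): inspect the easy-rsa 2.0 CA database
# (keys/index.txt) for certificates that share one subject DN. Each line is tab-separated:
# status (V/R/E), expiry, revocation date (empty unless R), serial, filename, subject DN.
# With unique_subject = yes OpenSSL rejects a second "V" entry for an existing subject
# ("TXT_DB error number 2"); with unique_subject = no it silently allows the duplicate.

# Print every subject DN held by more than one valid (status V) certificate in database $1.
find_duplicate_subjects() {
    awk -F'\t' '$1 == "V" { seen[$6]++ }
                END { for (dn in seen) if (seen[dn] > 1) print dn }' "$1"
}

# Exit 0 if subject $2 is not yet held by a valid certificate in database $1
# (it could still be signed under unique_subject = yes), 1 if it would collide.
subject_is_free() {
    awk -F'\t' -v dn="$2" '$1 == "V" && $6 == dn { hit = 1 }
                           END { exit hit ? 1 : 0 }' "$1"
}

# Constructed sample database (my own data, modelled on the subjects shown on this page):
# the server certificate, a client signed with the same CN after unique_subject was set
# to no, and one client that was given a distinct CN instead.
write_sample_index() {
    prefix='/C=CN/ST=SZ/L=shenzhen/O=chinasoft/OU=chinasoft'
    suffix='/name=chinasoft/emailAddress=chinasoft@qq.com'
    printf 'V\t260627101359Z\t\t01\tunknown\t%s/CN=chinasoft%s\n' "$prefix" "$suffix" > "$1"
    printf 'V\t260627132936Z\t\t02\tunknown\t%s/CN=chinasoft%s\n' "$prefix" "$suffix" >> "$1"
    printf 'V\t260627102444Z\t\t03\tunknown\t%s/CN=ett%s\n' "$prefix" "$suffix" >> "$1"
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
write_sample_index "$sample"
echo "subjects shared by more than one valid certificate:"
find_duplicate_subjects "$sample"
rm -f "$sample"
```

Run it against the real file with find_duplicate_subjects /etc/openvpn/keys/index.txt, and call subject_is_free before each build-key to see whether the chosen name will be accepted.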
After the VPN client connects, ping 172.16.1.20
Capturing packets on the app server 172.16.1.20 shows only the request packets, with no replies
# tcpdump -nnn -s 10000|grep -i icmp
After pointing the app server's gateway at the VPN server's internal NIC, ping works and the nginx service at http://172.16.1.20 is reachable as well
# route add default gw 172.16.1.10
# route add -net 10.8.0.0/24 gw 172.16.1.10
To make this permanent, there are several options:
Option 1:
vi /etc/sysconfig/network-scripts/route-eth0 # this file does not exist by default
Add the following:
10.8.0.0/24 via 172.16.1.10
Tip: once written to this file, the route takes effect both after a network service restart and after a reboot.
Option 2:
vi /etc/sysconfig/static-routes # this file does not exist by default
Add the following:
any net 10.8.0.0/24 gw 172.16.1.10
Tip: once written to this file, the route takes effect both after a network service restart and after a reboot.
Option 3:
vi /etc/rc.local
Add the following:
route add -net 10.8.0.0/24 gw 172.16.1.10
PS: Option 1 is recommended for production use.
Tip: Option 3 (/etc/rc.local) is only loaded at boot; the route is lost after a manual network restart, but returns after a reboot.
Note: if the VPN clients' gateway is not the VPN server's internal address, every VPN client must add the network route; if the VPN clients' gateway is the VPN server's internal address, no static route is needed.