VPN: OpenVPN configuration and management

admin 2019-08-11

Initialize the yum repositories

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

Install the TAB key completion tool

yum install -y bash-completion.noarch

Install the OpenVPN server side

yum install openvpn -y

Install the key generation tool (easy-rsa)

yum install easy-rsa -y

Generate keys and certificates

# Create the key directory
mkdir -p /opt/easy-rsa/

# Enter the key directory
cd /opt/easy-rsa/

Initialize the certificates

A vars file needs to be prepared

Copy the original template files into the /opt/easy-rsa directory, or directly edit the vars file to the contents shown below

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# cp -a /usr/share/easy-rsa/3.0.3/* ./

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# cp -a /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# ll
total 72
-rw-r--r-- 1 root root  2415 Aug 10 23:50 ChangeLog
-rw-r--r-- 1 root root  1305 Aug 10 23:50 COPYING.md
-rwxr-xr-x 1 root root 35985 Aug 22  2017 easyrsa
-rw-r--r-- 1 root root  4560 Sep  3  2015 openssl-1.0.cnf
-rw-r--r-- 1 root root  3350 Aug 10 23:50 README.quickstart.md
-rw-r--r-- 1 root root   703 Aug 10 23:56 vars
-rw-r--r-- 1 root root  8126 Aug 10 23:50 vars.example
drwxr-xr-x 2 root root  4096 Aug 11 00:05 x509-types

Edit the vars file to the following contents:

vim vars

if [ -z "$EASYRSA_CALLER" ]; then
        echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
        echo "This is no longer necessary and is disallowed. See the section called" >&2
        echo "'How to use this file' near the top comments for more details." >&2
        return 1
fi
set_var EASYRSA_DN  "cn_only"                       # put only the CN in the subject DN
set_var EASYRSA_REQ_COUNTRY "CN"                    # country
set_var EASYRSA_REQ_PROVINCE "Shanghai"             # province
set_var EASYRSA_REQ_CITY "Shanghai"                 # city
set_var EASYRSA_REQ_ORG "chenleilei"                # organization
set_var EASYRSA_REQ_EMAIL "370460370@qq.com"        # e-mail address
set_var EASYRSA_NS_SUPPORT "yes"                    ### enter yes here

Initialize the PKI

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal:  yes          ## enter yes to confirm

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# echo $?
0

2. Create the root CA certificate. You will be prompted to set a password; the CA uses it when signing the server and client certificates generated later. Other prompts can be left at their defaults.

This generates the ca.crt file: /opt/easy-rsa/pki/ca.crt

[root@m01 easy-rsa]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....................+++
..................................................................+++
writing new private key to '/opt/easy-rsa/pki/private/ca.key.ggOTFt9Y8c'
Enter PEM pass phrase:   1234    # set the password
Verifying - Enter PEM pass phrase:  1234   # repeat the password

Common Name (eg: your user, host, or server name) [Easy-RSA CA]: [Enter]
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt          ## the ca.crt file is generated

3. Create the server certificate request and the server private key file

These are the files the server side uses. nopass means the private key file is not encrypted; other prompts can be left at their defaults.

server is the name that identifies this entity

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......+++
.................................................................................................+++
writing new private key to '/opt/easy-rsa/pki/private/server.key.QI3kKUqpow'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req           ## server certificate request file
key: /opt/easy-rsa/pki/private/server.key        ## server private key file

4. Sign the server request with the CA, turning it into the server certificate (public key file)

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# ./easyrsa sign server server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes     #---- yes

Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:  1234   # enter the CA key password here
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Aug  7 16:31:17 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/server.crt

The CA has issued a new server certificate:

/opt/easy-rsa/pki/issued/server.crt ## server certificate (public key) file

At this point we have generated two files for the server:

/opt/easy-rsa/pki/issued/server.crt ## server certificate (public key) file

/opt/easy-rsa/pki/private/server.key ## server private key file

5. Create the key exchange parameters file

Create the Diffie-Hellman parameters file, used by the Diffie-Hellman algorithm during key exchange

The generation process takes a while

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# ./easyrsa gen-dh

DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem   # this message means it succeeded

6. Create the client private key file

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# ./easyrsa gen-req chenleilei nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key	
...............+++
...............................................................+++
writing new private key to '/opt/easy-rsa/pki/private/chenleilei.key.IRYvcqEqXW'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [chenleilei]:

Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/chenleilei.req        ## client certificate request file
key: /opt/easy-rsa/pki/private/chenleilei.key     ## client private key file

7. Sign the client certificate

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# ./easyrsa sign client chenleilei
Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = chenleilei


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details:  yes     ## enter yes

 Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:  1234    # enter the password 1234 and press Enter
 
 
The client certificate file is generated: /opt/easy-rsa/pki/issued/chenleilei.crt

All certificates have now been created

[root@iZ8vb2567465ubejdyjpboZ easy-rsa]# tree
.
├── easyrsa
├── openssl-1.0.cnf
├── pki
│   ├── ca.crt
│   ├── certs_by_serial
│   │   ├── 3016A5709BC9E15E4C349833D7921AA4.pem
│   │   └── D0DB3A7F934CB10E0D1CEED746D37217.pem
│   ├── dh.pem
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── issued
│   │   ├── chenleilei.crt           ## client certificate (public key) file
│   │   └── server.crt               ## server certificate (public key) file
│   ├── private
│   │   ├── ca.key                   ## CA private key
│   │   ├── chenleilei.key           ## client private key
│   │   └── server.key               ## server private key
│   ├── reqs 
│   │   ├── chenleilei.req
│   │   └── server.req
│   ├── serial
│   └── serial.old
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    ├── san
    └── server

6 directories, 25 files
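The pki/index.txt shown in the tree is the CA's record of every certificate it has issued, and it is where a revoked client would be marked. As an added example (not code from the original post), the following parses that file's OpenSSL CA database format and lists the certificates the server should still accept. The sample index lines are constructed; only the two serials come from the tree above.

```python
"""Inventory of the Easy-RSA CA database (added example, not from the original post).
pki/index.txt is an OpenSSL CA database: one tab-separated line per issued cert,
    status  expiry  revocation-date  serial  filename  subject-DN
status is V (valid), R (revoked) or E (expired); dates are UTCTime YYMMDDHHMMSSZ.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# Constructed sample index: the two certs issued on the page plus one revoked one
SAMPLE_INDEX = (
    "V\t290807163117Z\t\t3016A5709BC9E15E4C349833D7921AA4\tunknown\t/CN=server\n"
    "V\t290807164501Z\t\tD0DB3A7F934CB10E0D1CEED746D37217\tunknown\t/CN=chenleilei\n"
    "R\t290807170000Z\t190901120000Z,keyCompromise\t0A1B2C\tunknown\t/CN=olduser\n"
)

class IndexEntry(NamedTuple):
    status: str
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    subject: str

def parse_ts(value: str) -> datetime:
    """Parse an OpenSSL UTCTime index timestamp (two-digit year) as UTC."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {raw!r}")
        status, expiry, revocation, serial, _filename, subject = fields
        # a revocation date may carry a reason after a comma: "...Z,keyCompromise"
        revoked = parse_ts(revocation.split(",")[0]) if revocation else None
        entries.append(IndexEntry(status, parse_ts(expiry), revoked, serial, subject))
    return entries

def common_name(subject: str) -> str:
    """CN of a DN such as /CN=server (the cn_only layout set in vars)."""
    return next((p[3:] for p in subject.split("/") if p.startswith("CN=")), "")

def usable_certs(entries: List[IndexEntry], now: datetime) -> List[IndexEntry]:
    """Certs the server should still accept: status V and not yet expired."""
    return [e for e in entries if e.status == "V" and e.expires > now]
```

Note that the running server only honours revocations if a CRL is generated and referenced from its configuration; the index alone is the CA's bookkeeping.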

Configure OpenVPN

Install openvpn

[root@openvpn easy-rsa]#  yum install openvpn -y

Configure openvpn

[root@openvpn easy-rsa]# cd /etc/openvpn/
[root@web01 openvpn]# cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf  ./
[root@web01 openvpn]# vim server.conf
Edit it to the following configuration:
#========================================
port 1194                               # port
proto udp                               # protocol
dev tun                                 # routed tunnel mode (tun)
ca ca.crt                               # CA certificate file location
cert server.crt                         # server certificate file name
key server.key                          # server private key file name
dh dh.pem                               # Diffie-Hellman parameters file
server 10.8.0.0 255.255.255.0           # address pool for clients; note: must not overlap the VPN server's internal subnet
push "route 192.168.0.0 255.255.255.0"  # allow clients to reach the internal 192.168.0.0 subnet
ifconfig-pool-persist ipp.txt           # file recording address pool assignments
keepalive 10 120                        # liveness check: ping every 10 seconds, treat the peer as down after 120 seconds without a response
max-clients 100                         # allow at most 100 client connections
status openvpn-status.log               # status log location
verb 3                                  # log verbosity level (0-9)
client-to-client                        # allow clients to communicate with each other
log /var/log/openvpn.log                # openvpn log location
persist-key     # when a keepalive timeout restarts the VPN, keep the keys read at first start instead of re-reading them
persist-tun     # when a timeout restarts the VPN, keep the tun device up; otherwise the link goes down and then comes back up
duplicate-cn    # allow several clients to be connected at the same time with the same certificate CN

Copy the certificates and keys into /etc/openvpn:

\cp -af /opt/easy-rsa/pki/ca.crt ./
\cp -af /opt/easy-rsa/pki/issued/server.crt ./
\cp -af /opt/easy-rsa/pki/private/server.key ./
\cp -af /opt/easy-rsa/pki/issued/chenleilei.crt ./
\cp -af /opt/easy-rsa/pki/private/chenleilei.key ./
\cp -af /opt/easy-rsa/pki/dh.pem ./
[root@iZ8vb2567465ubejdyjpboZ openvpn]# ll
total 44
-rw------- 1 root root    1172 Aug 11 13:12 ca.crt
-rw------- 1 root root    4672 Aug 11 13:23 chenleilei.crt
-rw------- 1 root root    1704 Aug 11 13:15 chenleilei.key
drwxr-x--- 2 root openvpn 4096 Feb 20 23:23 client
-rw------- 1 root root     424 Aug 11 13:13 dh.pem
drwxr-x--- 2 root openvpn 4096 Feb 20 23:23 server
-rw-r--r-- 1 root root    1393 Aug 11 13:59 server.conf
-rw------- 1 root root    4775 Aug 11 13:13 server.crt
-rw------- 1 root root    1704 Aug 11 13:12 server.key

Enable kernel IP forwarding:

Before openvpn can route traffic for clients, kernel forwarding must be enabled
[root@m01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@m01 ~]# systemctl restart network

Enable the systemd unit [without this it cannot be started]

[root@iZ8vb2567465ubejdyjpboZ openvpn]# systemctl enable -f openvpn@server

Start OpenVPN

[root@iZ8vb2567465ubejdyjpboZ openvpn]# systemctl start openvpn@server
[root@iZ8vb2567465ubejdyjpboZ openvpn]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-08-11 14:11:32 CST; 5s ago
 Main PID: 17822 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─17822 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Aug 11 14:11:32 iZ8vb2567465ubejdyjpboZ systemd[1]: Starting OpenVPN Robust And Highly ....
Aug 11 14:11:32 iZ8vb2567465ubejdyjpboZ systemd[1]: Started OpenVPN Robust And Highly F....
Hint: Some lines were ellipsized, use -l to show in full.

Install the OpenVPN client (Windows)

Download OpenVPN

https://www.techspot.com/downloads/5182-openvpn.html

Install OpenVPN

Download the certificates:

[root@iZ8vb2567465ubejdyjpboZ openvpn]# ll ca.crt chenleilei.crt chenleilei.key 
-rw------- 1 root root 1172 Aug 11 13:12 ca.crt
-rw------- 1 root root 4672 Aug 11 13:23 chenleilei.crt
-rw------- 1 root root 1704 Aug 11 13:15 chenleilei.key

We need to download these 3 files
Package them:
tar zcf chenleilei.tar.gz ca.crt chenleilei.*

Download:
Install the download tool
yum install -y lrzsz

Download the certificate bundle:
sz chenleilei.tar.gz

Move the client certificate files to C:\Program Files\OpenVPN\config

Create the client configuration file:

Write it into the C:\Program Files\OpenVPN\config directory with the .ovpn suffix

Configuration file:

chenleilei.ovpn

client                  # this instance is a VPN client
dev tun                 # use a tun tunnel device
proto udp               # carry the data over UDP
remote 10.0.0.102 1194  # public IP address and port of the openvpn server
resolv-retry infinite   # reconnect automatically after a drop; very useful on unstable networks
nobind                  # do not bind to a specific local port
ca ca.crt               # path of the CA certificate file
cert chenleilei.crt     # path of this client's certificate file (chenleilei.crt from the downloaded bundle)
key chenleilei.key      # path of this client's private key file (chenleilei.key from the downloaded bundle)
verb 3                  # log verbosity level, 0-9; the higher the level the more detailed the log
persist-key     # when a keepalive timeout restarts the VPN, keep the keys read at first start instead of re-reading them
persist-tun     # when a timeout restarts the VPN, keep the tun device up; otherwise the link goes down and then comes back up

After configuring, connect to the server

After connecting successfully, open cmd to check the IP address we have been assigned

If clients cannot reach the internet, configure the firewall:

systemctl start firewalld
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload

Tests from the server after connecting:

ping the internal network:

ping the public internet:

Implementing two-factor (certificate + password) authentication in OpenVPN

Add password authentication in the server configuration file

[root@web01 ~]# vim /etc/openvpn/server.conf

# add at the bottom:
script-security 3   # allow external scripts; level 3 also passes the password to the script through environment variables
auth-user-pass-verify /etc/openvpn/check.sh via-env   # script that checks the username/password, handed over via the environment
username-as-common-name   # use the authenticated username, not the certificate CN, as the client's identity

Write the script

vim /etc/openvpn/check.sh

#!/bin/sh
###########################################################
PASSFILE="/etc/openvpn/openvpnfile"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

# The password file must be readable
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Look up the password stored for this username, skipping ';' and '#' comment lines.
# The username is handed to awk as a variable rather than spliced into the program text,
# so a username containing quotes cannot alter the awk program.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' ${PASSFILE}`

# Only the username is logged; the submitted password is never written to the log
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> ${LOG_FILE}
exit 1

Add execute permission:

chmod +x /etc/openvpn/check.sh

Add the user password file:

vim /etc/openvpn/openvpnfile
leilei 123         # username and password separated by a space
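The openvpnfile above stores passwords in the clear, so anyone who can read it holds every VPN login. As an added example (not code from the original post), here is a drop-in replacement for check.sh that OpenVPN can call the same way (auth-user-pass-verify ... via-env) but that stores only salted PBKDF2-SHA256 hashes and compares them in constant time; the file format, the check.py name and the hash parameters are assumptions of this example.

```python
"""Hardened replacement for check.sh (added example, not part of the original post).
OpenVPN invokes it the same way:  auth-user-pass-verify /etc/openvpn/check.py via-env
with script-security 3, so `username` and `password` arrive as environment variables.
Assumed store format (one entry per line):  username:pbkdf2_sha256:iterations:salthex:hashhex
"""
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000
PASSFILE = "/etc/openvpn/openvpnfile"     # same path as in the post (assumed)
LOG_FILE = "/var/log/openvpn-password.log"

def make_entry(username, password, salt=None, iterations=ITERATIONS):
    """Produce the line to store for a user (run once when adding the user)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:pbkdf2_sha256:{iterations}:{salt.hex()}:{digest.hex()}"

def verify(username, password, lines):
    """True only if the first non-comment entry for username verifies the password."""
    for line in lines:
        line = line.strip()
        if not line or line[0] in ";#":          # same comment syntax as check.sh
            continue
        parts = line.split(":")
        if len(parts) != 5 or parts[0] != username or parts[1] != "pbkdf2_sha256":
            continue
        iterations, salt, stored = int(parts[2]), bytes.fromhex(parts[3]), bytes.fromhex(parts[4])
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        return hmac.compare_digest(candidate, stored)   # constant-time comparison
    return False

def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as f:
            ok = verify(username, password, f)
    except OSError:
        ok = False
    # Log only the outcome and the username; the password itself is never written
    with open(LOG_FILE, "a") as log:
        log.write(f"{'OK' if ok else 'FAIL'} username={username!r}\n")
    return 0 if ok else 1     # exit status 0 tells OpenVPN the login is accepted

if __name__ == "__main__":
    sys.exit(main())
```

Generate a user's line with make_entry("leilei", "123") and append it to the store; the store itself should still be readable only by the account OpenVPN runs the script as.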

Restart the openvpn service

[root@openvpn ~]# systemctl restart openvpn@server

Add to the Windows OpenVPN client configuration:

auth-user-pass	# add username/password authentication

Connection test:

Connected successfully

ping the internal network:

Last modified: 2019-08-11 17:09:40

Comments

Anonymous user 2019-08-27 11:01:39

CentOS release 6.6 (Final)

Anonymous user 2019-08-27 10:59:38

4. Sign the server request with the CA, turning it into the server's public key file


$> ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013

Easy-RSA error:

Unknown cert type 'server'