OpenVPN2.0后引入了用户名/口令组合的身份验证方式,它可以省略客户端证书,但是仍有一份服务器证书需要被用作加密。 OpenVPN所有的通信都基于一个单一的IP端口, 默认且推荐使用UDP协议通讯,同时TCP也被支持。OpenVPN连接能通过大多数的代理服务器,并且能够在NAT的环境中很好地工作。服务端具有向客 户端“推送”某些网络配置信息的功能,这些信息包括:IP地址、路由设置等。OpenVPN提供了两种虚拟网络接口:通用Tun/Tap驱动,通过它们, 可以建立三层IP隧道,或者虚拟二层以太网,后者可以传送任何类型的二层以太网络数据。传送的数据可通过LZO算法压缩。在选择协议时候,需要注意2个加密隧道之间的网络状况,如有高延迟或者丢包较多的情况下,请选择TCP协议作为底层协议,UDP协议由于存在无连接和重传机制,导致要隧道上层的协议进行重传,效率非常低下。 [1]
准备资源:
系统:CentOS Linux release 7.3.1611 (Core) 外网ip:10.0.0.45 内网ip:172.16.1.45
<https://openvpn.net/community-downloads/>
<https://www.techspot.com/downloads/5182-openvpn.html>
安装openvpn
[root@ localhost ~]# yum -y install epel-re* [root@ localhost ~]# yum -y install openvpn [root@ localhost ~]# rpm -qa | grep openvpn
安装open-rsa
[root@ openvpn ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip [root@ openvpn ~]# unzip master.zip [root@ openvpn ~]# mv easy-rsa-master/ easy-rsa [root@ openvpn ~]# cp -R easy-rsa/ /etc/openvpn/ [root@ openvpn ~]# ls /etc/openvpn/client easy-rsa server
配置vars文件
[root@ openvpn ~]# cd /etc/openvpn/easy-rsa/easyrsa3/ [root@ openvpn easyrsa3]# cp vars.example vars [root@ openvpn easyrsa3]# cat >>vars<<EOF set_var EASYRSA_REQ_COUNTRY "CN" set_var EASYRSA_REQ_PROVINCE "BJ" set_var EASYRSA_REQ_CITY "Beijing" set_var EASYRSA_REQ_ORG "Benet" set_var EASYRSA_REQ_EMAIL "602616568@qq.com" set_var EASYRSA_REQ_OU "dynamic" EOF
创建server证书
初始化目录
[root@ localhost easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki
创建CA证书
[root@ localhost easyrsa3]# ./easyrsa build-ca Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase: 123456(这里是自己添加的密码) Re-Enter New CA Key Passphrase: 123456 Generating RSA private key, 2048 bit long modulus ............................+++ .........................................................................+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:tyk CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
创建服务端证书
[root@ localhost easyrsa3]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ........................................................................................+++ ...+++ writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1773.PhA1gD/tmp.DbNelu' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]:tyk-server(为server起名) Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
签约服务端证书
[root@ localhost easyrsa3]# ./easyrsa sign server server Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = tyk-server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes这里输入yes Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1812.Bo5CrH/tmp.kNNaaU Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:123456(这里输入密码) Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'tyk-server' Certificate is to be certified until Jun 6 10:01:36 2022 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
创建数据穿越密钥
[root@ localhost easyrsa3]# ./easyrsa gen-dh
初始化目录
[root@ localhost easyrsa3]# cd /etc/openvpn/client/ [root@ localhost client]# cp -R /root/easy-rsa/ client [root@ localhost client]# cd client/easyrsa3/ [root@ localhost easyrsa3]# ls easyrsa openssl-easyrsa.cnf vars.example x509-types [root@ localhost easyrsa3]# ./easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/client/client/easyrsa3/pki
创建客户端ca证书
[root@ localhost easyrsa3]# ./easyrsa build-caUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Enter New CA Key Passphrase: 123456 Re-Enter New CA Key Passphrase: 123456Generating RSA private key, 2048 bit long modulus.....................................+++...................+++e is 65537 (0x10001)You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic(输入客户端的名字)CA creation complete and you may now import and sign cert requests.Your new CA certificate file for publishing is at:/etc/openvpn/client/client/easyrsa3/pki/ca.crt
创建客户端证书
[root@ localhost easyrsa3]# ./easyrsa gen-req client1 Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ...........+++ ..................+++ writing new private key to '/etc/openvpn/client/client/easyrsa3/pki/easy-rsa-1874.7cfv5F/tmp.dCZVu5' Enter PEM pass phrase:123456(也是以后登录vpn的密码) Verifying - Enter PEM pass phrase:123456 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client1]:dynamic-client1(起名) Keypair and certificate request completed. Your files are: req: /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req key: /etc/openvpn/client/client/easyrsa3/pki/private/client1.key
[root@ localhost easyrsa3]# ./easyrsa import-req /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req client1 Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 The request has been successfully imported with a short name of: client1 You may now use this name to perform signing operations on this request.
签约客户端证书
[root@ localhost easyrsa3]# ./easyrsa sign client client1 Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 825 days: subject= commonName = dynamic-client1 Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes(输入yes) Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1940.hOlAjb/tmp.cyDM0B Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'dynamic-client1' Certificate is to be certified until Jun 6 10:26:36 2022 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt
配置openvpn
拷贝证书文件
[root@ localhost easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/pki/ [root@ localhost pki]# cp ca.crt /etc/openvpn/server/ [root@ localhost pki]# cp private/server.key /etc/openvpn/server/ [root@ localhost pki]# cp issued/server.crt /etc/openvpn/server/ [root@ localhost pki]# cp dh.pem /etc/openvpn/server/ [root@ localhost pki]# cp ca.crt /etc/openvpn/client/ [root@ localhost pki]# cp issued/client1.crt /etc/openvpn/client/ [root@ localhost pki]# cp /etc/openvpn/client/client/easyrsa3/pki/private/client1.key /etc/openvpn/client/ [root@ localhost pki]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn [root@ localhost pki]# cd /etc/openvpn [root@ localhost openvpn]# cp server.conf server.conf.bak [root@ localhost openvpn]# egrep -v "^#|^;|^$" server.conf.bak > server.conf
配置server.conf
[root@ localhost openvpn]# vim server.conflocal 0.0.0.0 port 55555 proto tcp dev tun ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/server.crt key /etc/openvpn/server/server.key dh /etc/openvpn/server/dh.pem server 10.8.0.0 255.255.255.0 push "route 172.16.1.0 255.255.255.0" ifconfig-pool-persist ipp.txt keepalive 10 120 persist-key persist-tun status openvpn-status.log verb 3 comp-lzo client-to-client log /var/log/openvpn.log
配置firewalld转发并启动openvpn
[root@ localhost openvpn]# systemctl stop firewalld [root@ localhost openvpn]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf [root@ localhost openvpn]# sysctl -p net.ipv4.ip_forward = 1 [root@ localhost openvpn]# openvpn --daemon --config /etc/openvpn/server.conf [root@ localhost openvpn]# echo "openvpn --daemon --config /etc/openvpn/server.conf">>/etc/rc.d/rc.local [root@ localhost openvpn]# ps -ef | grep openvpn root 2037 1 0 18:31 ? 00:00:00 openvpn --daemon --config /etc/openvpn/server.conf root 2049 1484 0 18:32 pts/0 00:00:00 grep --color=auto openvpn [root@ localhost openvpn]# ss -anpt| grep 55555 LISTEN 0 32 *:55555 *:* users:(("openvpn",pid=2037,fd=6))
因为我是win10 的版本,所以就安装的win10的,记得安装的时候点亮中间三个小勾勾
客户端证书下载
[root@ localhost openvpn]# cd /etc/openvpn/client/ [root@ localhost client]# sz ca.crt client1.crt client1.key 下载到openvpn客户端软件的config目录下
然后~~~~~~~~~
修改客户端client配置文件
添加
client1
dev tun
proto tcp
remote 10.0.0.45 55555
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
然后管理员打开openvpn连接。。。。。。。。。。。。。。。。。。。。
来源:https://www.cnblogs.com/tyk3201/p/12403946.html