Environment

VPN client
  OS: Windows 7
  Client IP: 10.2.18.12/24

VPN server
  OS: CentOS 6.7, kernel 2.6.32-573.el6.x86_64
  Software: openvpn-2.3.2.tar.gz
  External interface: eth0 10.2.11.237/24
  Internal interface: eth1 192.168.109.128/24

Internal servers
  Node1: 192.168.109.129/24
  Node2: 192.168.109.130/24
  Node3: 192.168.109.131/24

Step 1: configure time synchronisation on the OpenVPN server

Both ends check certificate validity periods against their own clock, so a server whose clock has drifted will reject perfectly good client certificates (or keep accepting expired ones). Sync the clock before creating any certificates.

[root@openvpn ~]# ntpdate time1.aliyun.com
 1 Apr 16:05:11 ntpdate[27048]: adjust time server 115.28.122.198 offset 0.009069 sec
[root@openvpn ~]# echo "#time sync" >> /var/spool/cron/root
[root@openvpn ~]# echo "*/5 * * * * /usr/sbin/ntpdate time1.aliyun.com > /dev/null 2>&1" >> /var/spool/cron/root
[root@openvpn ~]# crontab -l
*/5 * * * * /usr/sbin/ntpdate time1.aliyun.com > /dev/null 2>&1

Step 2: install the build prerequisites

[root@openvpn ~]# yum -y groupinstall "Development tools"
[root@openvpn ~]# yum -y install gcc gcc-c++ openssl openssl-devel lrzsz pam-devel.x86_64

Create a directory dedicated to the OpenVPN sources and fetch lzo and OpenVPN into it:

[root@openvpn ~]# mkdir -p /software/openvpn
[root@openvpn ~]# cd /software/openvpn
[root@openvpn openvpn]# wget http://oeb8n1oey.bkt.clouddn.com/lzo-2.09.tar.gz
--2017-04-01 16:49:29--  http://oeb8n1oey.bkt.clouddn.com/lzo-2.09.tar.gz
Resolving oeb8n1oey.bkt.clouddn.com... 150.138.226.203, 223.215.189.150, 223.215.189.180, ...
Connecting to oeb8n1oey.bkt.clouddn.com|150.138.226.203|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 594855 (581K) [application/gzip]
Saving to: “lzo-2.09.tar.gz”
100%[================================>] 594,855     1.84M/s   in 0.3s
2017-04-01 16:49:38 (1.84 MB/s) - “lzo-2.09.tar.gz” saved [594855/594855]

Both tarballs are pulled over plain HTTP from a third-party CDN bucket rather than from the lzo project or openvpn.net. Whatever that bucket serves becomes the code that terminates every tunnel, so before building compare the tarball with the upstream release (OpenVPN publishes a GPG signature for each release tarball) and, outside a lab, use a current release: 2.3.2 dates from 2013 and has long been superseded.

[root@openvpn openvpn]# wget http://oeb8n1oey.bkt.clouddn.com/openvpn-2.3.2.tar.gz
--2017-04-01 17:12:25--  http://oeb8n1oey.bkt.clouddn.com/openvpn-2.3.2.tar.gz
Resolving oeb8n1oey.bkt.clouddn.com... 223.215.189.150, 223.215.189.180, 223.215.189.173, ...
Connecting to oeb8n1oey.bkt.clouddn.com|223.215.189.150|:80... connected.
HTTP request sent, awaiting response...
200 OK
Length: 1145108 (1.1M) [application/gzip]
Saving to: “openvpn-2.3.2.tar.gz”
100%[==============================================>] 1,145,108   1.41M/s   in 0.8s
2017-04-01 17:12:33 (1.41 MB/s) - “openvpn-2.3.2.tar.gz” saved [1145108/1145108]

Step 3: build the software and set up the environment

1) Build and install lzo

[root@openvpn openvpn]# tar xf lzo-2.09.tar.gz
[root@openvpn openvpn]# cd lzo-2.09
[root@openvpn lzo-2.09]# ./configure && make && make install

2) Build and install OpenVPN

[root@openvpn openvpn]# tar xf openvpn-2.3.2.tar.gz
[root@openvpn openvpn]# cd openvpn-2.3.2
[root@openvpn openvpn-2.3.2]# ./configure --prefix=/usr/local/openvpn && make && make install

3) Add the binary to PATH

[root@openvpn sbin]# echo "PATH=/usr/local/openvpn/sbin:$PATH" >> /etc/profile
[root@openvpn sbin]# source /etc/profile
[root@openvpn sbin]# which openvpn
/usr/local/openvpn/sbin/openvpn

4) Copy the sample files to /etc/openvpn

[root@openvpn openvpn-2.3.2]# mkdir /etc/openvpn
[root@openvpn openvpn-2.3.2]# cp -Rf sample/ /etc/openvpn/

5) Copy the sample server configuration into the main directory

[root@openvpn openvpn-2.3.2]# cp sample/sample-config-files/server.conf /etc/openvpn/

Step 4: set up the CA

1) Download easy-rsa (the easy-rsa 3 layout, with easyrsa3/easyrsa and vars.example), unpack it and set the request defaults

[root@openvpn openvpn]# wget http://oeb8n1oey.bkt.clouddn.com/easy-rsa-master.zip
[root@openvpn openvpn-2.3.2]# cd /software/openvpn/
[root@openvpn openvpn]# unzip easy-rsa-master.zip
[root@openvpn openvpn]# cp -Rf easy-rsa-master /etc/openvpn/easy-rsa
[root@openvpn openvpn]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn easyrsa3]# cp vars.example vars
[root@openvpn easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "ShangHai"
set_var EASYRSA_REQ_CITY     "ShangHai"
set_var EASYRSA_REQ_ORG      "ailishi"
set_var EASYRSA_REQ_EMAIL    "851628816@qq.com"
set_var EASYRSA_REQ_OU       "OpenVpn"

2) Initialise the PKI directory

[root@openvpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki

3) Create the root (CA) certificate

[root@openvpn easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..............+++
.................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key.HYNTsEbda2'
Enter PEM pass phrase: openvpn
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:admin

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

Note: remember the PEM pass phrase, otherwise no further certificates can be signed. A Common Name is also requested; it must be unique.

ca.key is the root of trust for every tunnel: anyone holding it together with the pass phrase (here the trivially guessable "openvpn") can issue client certificates the server will accept. For anything beyond a lab, run the CA on a separate machine that is not the VPN server, choose a real pass phrase, and move only ca.crt to /etc/openvpn.

4) Create the server key and certificate request

[root@openvpn easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...................................................+++
............+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.V3WCKqtX7v'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:OpenVpnServer

Keypair and certificate request completed.

nopass creates the server key without a pass phrase so the daemon can start unattended; from then on the key is protected only by file permissions on /etc/openvpn.
Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

5) Sign the server certificate with the CA

[root@openvpn easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName                = OpenVpnServer
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: openvpn   (the PEM pass phrase chosen when the CA was created)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'OpenVpnServer'
Certificate is to be certified until Mar 30 09:43:30 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

The certificate type matters: "sign server" adds the server extensions (extended key usage TLS Web Server Authentication) to the certificate, and the client's remote-cert-tls server option used later checks exactly those extensions. A server certificate signed as a client type is refused by such a client.

6) Generate the tls-auth key and the Diffie-Hellman parameters

[root@openvpn easyrsa3]# /usr/local/openvpn/sbin/openvpn --genkey --secret /etc/openvpn/ta.key
[root@openvpn easyrsa3]# ./easyrsa gen-dh

These are two different things. ta.key is a shared HMAC key: with tls-auth configured, every control-channel packet carries an HMAC computed with it, and the server drops packets from anyone who does not hold the key before doing any TLS work, which takes the TLS stack out of reach of unauthenticated peers. gen-dh writes pki/dh.pem, the Diffie-Hellman group parameters the server uses in the TLS key exchange; generating them takes a while. Neither file is derived from the other, and ta.key must be distributed to every client while dh.pem stays on the server.

Client certificate

1) Copy easy-rsa and initialise a separate PKI for the client

[root@openvpn easyrsa3]# mkdir -p /mnt/client
[root@openvpn easyrsa3]# cp -Rf /software/openvpn/easy-rsa-master /mnt/client/easy-rsa
[root@openvpn easyrsa3]# cd /mnt/client/easy-rsa/easyrsa3/
[root@openvpn easyrsa3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.

The client's key is generated in its own PKI and only the request is imported into the CA, so the CA never needs the client's private key. Here both PKIs live on the VPN server for convenience; in real use the client PKI belongs on the user's own machine, so that alsvpn.key is never on the server at all.
Your newly created PKI dir is: /mnt/client/easy-rsa/easyrsa3/pki

2) Create the client key and certificate request

[root@openvpn easyrsa3]# ./easyrsa gen-req alsvpn
Generating a 2048 bit RSA private key
..............+++
....+++
writing new private key to '/mnt/client/easy-rsa/easyrsa3/pki/private/alsvpn.key.Laur9yRBTi'
Enter PEM pass phrase: clientopenvpn      # the client must enter this pass phrase when connecting
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [alsvpn]:

Keypair and certificate request completed. Your files are:
req: /mnt/client/easy-rsa/easyrsa3/pki/reqs/alsvpn.req
key: /mnt/client/easy-rsa/easyrsa3/pki/private/alsvpn.key

3) Import alsvpn.req into the CA

[root@openvpn easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn easyrsa3]# ./easyrsa import-req /mnt/client/easy-rsa/easyrsa3/pki/reqs/alsvpn.req alsvpn
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: alsvpn
You may now use this name to perform signing operations on this request.

4) Sign the client certificate

[root@openvpn easyrsa3]# ./easyrsa sign client alsvpn
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = alsvpn
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: openvpn
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'alsvpn'
Certificate is to be certified until Mar 30 09:56:36 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/alsvpn.crt

Where the files are now

Server (CA) side:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/alsvpn.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/alsvpn.crt

Client side:
/mnt/client/easy-rsa/easyrsa3/pki/reqs/alsvpn.req
/mnt/client/easy-rsa/easyrsa3/pki/private/alsvpn.key

Step 5: copy the server-side files into place

[root@openvpn ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/
[root@openvpn ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/
[root@openvpn ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/
[root@openvpn ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/

Step 6: configure and start the OpenVPN service

1) server.conf

[root@openvpn openvpn]# vim server.conf
local 10.2.11.237                  # address of the external interface
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key        # This file should be kept secret
dh /etc/openvpn/dh.pem
server 172.16.10.0 255.255.255.0   # address pool handed out to VPN clients
ifconfig-pool-persist ipp.txt
push "route 192.168.109.0 255.255.255.0"   # push a route for the internal network so clients reach 192.168.109.0/24 through the tunnel
keepalive 30 120
client-to-client                   # VPN clients can reach each other
duplicate-cn                       # several people may connect with the same certificate and key; without it, one session per certificate
tls-auth /etc/openvpn/ta.key 0     # This file is secret
comp-lzo
max-clients 100
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3

Notes on these directives:

The pushed route is not a default route: only 192.168.109.0/24 is sent through the tunnel, everything else leaves the client directly.

duplicate-cn gives up the one-identity-per-session property. Once alsvpn.key leaks, any number of parties can use it at the same time, the status log cannot tell them apart, and per-client settings keyed on the certificate's Common Name (client-config-dir, used at the end of this page) become ambiguous. Issue a certificate per user instead (the procedure for adding a second certificate is shown below) and leave duplicate-cn out.

The daemon runs as root for its whole life. The sample server.conf ships commented-out user nobody and group nobody lines; enable them so OpenVPN drops privileges once the tunnel is up. persist-key and persist-tun are already present, and they are what lets the daemon keep working across restarts after it has given up root.

comp-lzo compresses tunnel traffic. Compressing attacker-influenced data next to secrets enables compression-oracle attacks (VORACLE, 2018, targeted exactly this on OpenVPN), so compression is better left off on both sides.

tls-auth with direction 0 on the server pairs with direction 1 on the client; both sides using the same direction, or one side without tls-auth, means the handshake never completes.

2) Start the OpenVPN service

/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf

--daemon makes OpenVPN fork into the background itself, so no trailing & is needed.

Start at boot:

echo "/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf > /dev/null 2>&1" >> /etc/rc.local

[root@openvpn openvpn]# ps aux|grep openvpn
root     30953  0.0  0.1  37836  1340 ?        Ss   15:53   0:00 /usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf
root     30960  0.0  0.0 103308   848 pts/0    S+   15:54   0:00 grep openvpn

Step 7: edit the client configuration file

[root@openvpn openvpn]# cp /software/openvpn/openvpn-2.3.2/sample/sample-config-files/client.conf /mnt/client/client.ovpn
[root@openvpn openvpn]# vim /mnt/client/client.ovpn
client
dev tun
proto tcp
remote 10.2.11.237 1194   # the public IP; a domain name also works
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert alsvpn.crt           # the client certificate created above
key alsvpn.key            # the client private key created above
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3

remote-cert-tls server is the client's defence against a rogue peer: without it, anyone holding any certificate signed by this CA (for example another client's leaked alsvpn.crt and key) could stand up a fake server and the client would accept it.

Step 8: assemble the client bundle

[root@openvpn ~]# mkdir -p /mnt/client/alsvpn
[root@openvpn ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /mnt/client/alsvpn/
[root@openvpn ~]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/alsvpn.crt /mnt/client/alsvpn/
[root@openvpn ~]# cp /mnt/client/easy-rsa/easyrsa3/pki/private/alsvpn.key /mnt/client/alsvpn/
[root@openvpn ~]# cp /etc/openvpn/ta.key /mnt/client/alsvpn/
[root@openvpn ~]# cp /mnt/client/client.ovpn /mnt/client/alsvpn/

The bundle holds the client's private key and the shared tls-auth key, so it is a credential: move it to the user over a protected channel and remove the copy under /mnt/client once delivered. Nothing from /etc/openvpn/easy-rsa/easyrsa3/pki/private/ (ca.key, server.key) ever goes into a client bundle.

Step 9: configure the firewall

iptables -I INPUT -s 172.16.10.0/24 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -I POSTROUTING -s 172.16.10.0/24 -o eth1 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.16.10.0/24 -o eth1 -j SNAT --to-source 192.168.109.128
[root@openvpn ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@openvpn ~]# service iptables restart

The MASQUERADE and SNAT rules do the same job on eth1; since eth1 has a static address, one of them is enough. Two things the rules above do not cover and that decide whether clients actually reach 192.168.109.0/24: IP forwarding must be enabled on the server (net.ipv4.ip_forward = 1 in /etc/sysctl.conf, applied with sysctl -p), and the stock CentOS 6 ruleset ends its FORWARD chain with a REJECT, so an ACCEPT for 172.16.10.0/24 has to be inserted into FORWARD as well.

Windows client configuration

Client software download: http://build.openvpn.net/downloads/releases/

1) Install the client software (omitted; the default location is C:\Program Files\OpenVPN)
2) Configure the client software
Copy ca.crt, alsvpn.crt, alsvpn.key, ta.key and client.ovpn from /mnt/client/alsvpn on the VPN server into C:\Program Files\OpenVPN\config
3) Run the OpenVPN GUI as administrator
4) Right-click the tray icon in the bottom right and click Connect; enter the pass phrase set when the client certificate was created, here clientopenvpn
5) Once connected, the client receives an address from the 172.16.10.0/24 pool
6) Check that the client has received the route for the internal subnet (192.168.109.0/24)
7) Test that the internal nodes can be pinged

Problem 1: issuing an additional client certificate

[root@openvpn easyrsa3]# mkdir -p /mnt/louis
[root@openvpn easyrsa3]# cp -Rf /software/openvpn/easy-rsa-master /mnt/louis/easy-rsa
[root@openvpn easyrsa3]# cd /mnt/louis/easy-rsa/easyrsa3/
[root@openvpn easyrsa3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /mnt/louis/easy-rsa/easyrsa3/pki

[root@openvpn easyrsa3]# ./easyrsa gen-req louis
Generating a 2048 bit RSA private key
.......................................................+++
......................................+++
writing new private key to '/mnt/louis/easy-rsa/easyrsa3/pki/private/louis.key.OtmJu4Rquy'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [louis]:

Keypair and certificate request completed. Your files are:
req: /mnt/louis/easy-rsa/easyrsa3/pki/reqs/louis.req
key: /mnt/louis/easy-rsa/easyrsa3/pki/private/louis.key

[root@openvpn easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn easyrsa3]# ./easyrsa import-req /mnt/louis/easy-rsa/easyrsa3/pki/reqs/louis.req louis
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: louis
You may now use this name to perform signing operations on this request.
[root@openvpn easyrsa3]# ./easyrsa sign client louis
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = louis
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details:
Aborting without confirmation.

The first attempt was aborted: easy-rsa accepts only the literal word yes at this prompt, and anything else, including an empty line, abandons the signing. Run it again and confirm:

[root@openvpn easyrsa3]# ./easyrsa sign client louis
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = louis
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'louis'
Certificate is to be certified until Apr  4 05:30:19 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/louis.crt

Assemble the bundle for louis:

[root@openvpn client]# mkdir -p /mnt/client/louis
[root@openvpn client]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /mnt/client/louis
[root@openvpn client]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/louis.crt /mnt/client/louis/
[root@openvpn client]# cp /mnt/louis/easy-rsa/easyrsa3/pki/private/louis.key /mnt/client/louis/
[root@openvpn client]# cp /etc/openvpn/ta.key /mnt/client/louis/
[root@openvpn client]# cp /mnt/client/client.ovpn /mnt/client/louis/
[root@openvpn client]# cd /mnt/client/louis/
[root@openvpn louis]# ll
total 24
-rw------- 1 root root 1147 Apr  6 13:32 ca.crt
-rw-r--r-- 1 root root 3447 Apr  6 13:34 client.ovpn
-rw------- 1 root root 4331 Apr  6 13:33 louis.crt
-rw------- 1 root root 1834 Apr  6 13:34 louis.key
-rw------- 1 root root  636 Apr  6 13:34 ta.key

The CA's private directory, /etc/openvpn/easy-rsa/easyrsa3/pki/private/, holds ca.key and server.key and sits one tab-completion away from the issued/ directory used above. Nothing from it belongs in a client bundle: the only private key a client receives is its own (louis.key, from the client PKI under /mnt/louis). Check the listing before handing a bundle over; it should contain exactly ca.crt, the client's .crt and .key, ta.key and the .ovpn, with the key files mode 0600 as shown.

Point client.ovpn at louis's certificate and key:

[root@openvpn louis]# vi client.ovpn
ca ca.crt
cert louis.crt
key louis.key

Assigning a fixed IP address to a client based on its certificate

1) Edit /etc/openvpn/server.conf and add
client-config-dir /etc/openvpn/ccd
2) Create the directory
mkdir /etc/openvpn/ccd
3) In that directory create a file named exactly after the client certificate's Common Name (the page uses xionghaihua; for the certificates issued above the names would be alsvpn or louis) containing
ifconfig-push 172.16.10.17 172.16.10.18
4) Restart the OpenVPN service

The Common Name is how the server ties the pushed addresses to a client, so this only works with one certificate per user: with duplicate-cn still in server.conf, every session presenting the same certificate is pushed the same 172.16.10.17 and they fight over it. With the default net30 topology (this server.conf sets no topology line) the two addresses must be the two host addresses of a single /30 inside the server pool; .17/.18 is such a pair (.16 and .19 are that block's network and broadcast addresses), and the pool's first block, .1/.2, belongs to the server itself.
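A set of offline checks for the configuration this page ends up with, as an added example that is not the tutorial's or the OpenVPN project's code. It parses server.conf and client.ovpn (the page's own, cut down to the directives inspected here), reports the points raised above (duplicate-cn, running as root, compression, a missing remote-cert-tls server, tls-auth key directions that do not pair up), verifies that a client bundle contains everything the .ovpn references and nothing from pki/private, and validates a client-config-dir ifconfig-push pair against the server pool under the default net30 topology. The bundle file lists are constructed stand-ins for `ls /mnt/client/alsvpn`, and every function name is this example's own.

```python
"""Offline sanity checks for the OpenVPN set-up built on this page.

Added example, not code from the tutorial or from OpenVPN.  The configs are
the page's own, cut down to the directives inspected here; the bundle file
lists are constructed stand-ins for `ls /mnt/client/alsvpn`; every function
name is this example's."""

import ipaddress
import shlex

SERVER_CONF = """
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key   # This file should be kept secret
dh /etc/openvpn/dh.pem
server 172.16.10.0 255.255.255.0
push "route 192.168.109.0 255.255.255.0"
duplicate-cn
tls-auth /etc/openvpn/ta.key 0
comp-lzo
"""

CLIENT_OVPN = """
client
remote 10.2.11.237 1194
ca ca.crt
cert alsvpn.crt
key alsvpn.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
"""

GOOD_BUNDLE = ["ca.crt", "alsvpn.crt", "alsvpn.key", "ta.key", "client.ovpn"]  # constructed
BAD_BUNDLE = GOOD_BUNDLE + ["ca.key", "server.key"]  # what a stray cp of pki/private/ adds
SERVER_ONLY = {"ca.key", "server.key", "dh.pem"}      # must never be handed to a client


def parse_options(text):
    """Directive -> list of argument lists; '#' comments and blank lines dropped."""
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def lint(server, client):
    """The review points from this page, as findings on a parsed server/client pair."""
    out = []
    if "duplicate-cn" in server:
        out.append("duplicate-cn: one leaked key serves any number of sessions, "
                   "and CN-keyed client-config-dir entries become ambiguous")
    if "user" not in server or "group" not in server:
        out.append("no user/group: daemon keeps root after the tunnel is up")
    for side, opts in (("server", server), ("client", client)):
        if "comp-lzo" in opts or "compress" in opts:
            out.append(f"{side}: tunnel compression enabled (compression-oracle exposure)")
    if client.get("remote-cert-tls", [[]])[0][:1] != ["server"]:
        out.append("client lacks 'remote-cert-tls server': any CA-issued client "
                   "certificate could pose as the server")
    # tls-auth: both sides need the key, with opposite directions (server 0,
    # client 1) or no direction on either side.
    sdir = (server.get("tls-auth", [[]])[0][1:2] or [None])[0]
    cdir = (client.get("tls-auth", [[]])[0][1:2] or [None])[0]
    if ("tls-auth" not in server or "tls-auth" not in client
            or {sdir, cdir} not in ({"0", "1"}, {None})):
        out.append(f"tls-auth mismatch: server direction {sdir}, client direction {cdir}")
    return out


def check_bundle(client, files):
    """Every file the .ovpn references must be in the bundle; nothing server-only may be."""
    files, out = set(files), []
    for key in ("ca", "cert", "key", "tls-auth"):
        for args in client.get(key, []):
            if args and args[0] not in files:
                out.append(f"missing {args[0]} referenced by '{key}'")
    out += [f"{f} must never leave the server" for f in sorted(files & SERVER_ONLY)]
    return out


def check_ifconfig_push(local, remote, server):
    """Validate an `ifconfig-push local remote` pair for a ccd file.

    With no 'topology' line OpenVPN 2.3 uses net30: each client owns one /30 of
    the 'server' pool and the pushed pair must be that block's two host addresses.
    The pool's first /30 is the server's own endpoint (.1/.2) and is off limits."""
    net, mask = server["server"][0]
    pool = ipaddress.ip_network(f"{net}/{mask}")
    a, b = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    if a not in pool or b not in pool:
        return False, f"{a}/{b}: outside the pool {pool}"
    block = ipaddress.ip_network(f"{a}/30", strict=False)
    if {a, b} != {block.network_address + 1, block.network_address + 2}:
        return False, f"{a}/{b}: not the two host addresses of one /30 ({block})"
    if block == next(pool.subnets(new_prefix=30)):
        return False, f"{block} is the server's own endpoint block"
    return True, f"client {a} <-> peer {b} in {block}"


if __name__ == "__main__":
    srv, cli = parse_options(SERVER_CONF), parse_options(CLIENT_OVPN)
    for finding in lint(srv, cli) + check_bundle(cli, BAD_BUNDLE):
        print("finding:", finding)
    print(check_ifconfig_push("172.16.10.17", "172.16.10.18", srv))
```

Run against the page's configuration it reports duplicate-cn, the missing user/group, compression on both sides and the two server keys in the bad bundle, while the .17/.18 pair passes; swapping the client's tls-auth direction to 0 produces the mismatch finding, which is the usual cause of a handshake that never completes. The ccd file name itself is not checked here, since it has to match the certificate's Common Name and that is only visible in the issued .crt.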