CentOS下的openvpn安装教程

2017-11-14 04:38| 发布者: andy| 查看: 130| 评论: 0


1.1 安装openvpn


1.1.1 wget工具安装


yum install wget -y


1.1.2 阿里云同步


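# Fetch the Aliyun CentOS 7 repo definition over HTTPS: this file decides which
# baseurls every later "yum install" trusts, so it must not be fetched over a
# channel where it can be rewritten in transit.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo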


1.1.3 安装 epel源


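# Fetch the EPEL repo definition over HTTPS for the same reason as the base repo:
# a repo file fetched over plain HTTP can be replaced before it reaches yum.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

# Install epel-release (ships the EPEL GPG key used for gpgcheck).
# NOTE(review): "rpm -ivh <url>" installs even when the package signature cannot be
# verified against an imported key (it only warns NOKEY), and it writes a second
# epel.repo next to the one downloaded above. `yum install epel-release -y` from the
# CentOS extras repo would avoid both; kept here to preserve the tutorial's mirror choice.
rpm -ivh https://mirrors.ustc.edu.cn/epel/7/x86_64/e/epel-release-7-9.noarch.rpm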


1.1.4 安装 vpn


yum install openssl openssl-devel gcc gcc-c++ openvpn easy-rsa -y


1.2 复制配置文件


cp /usr/share/doc/openvpn-2.4.2/sample/sample-config-files/server.conf /etc/openvpn/


cp -r /usr/share/easy-rsa/2.0/* /etc/openvpn/


###查看openvpn组件


[root@m01 ~]# ll /etc/openvpn/


总用量 124


-rwxr-xr-x 1 root root 119 5月 22 09:20 build-ca


-rwxr-xr-x 1 root root 352 5月 22 09:20 build-dh


-rwxr-xr-x 1 root root 188 5月 22 09:20 build-inter


-rwxr-xr-x 1 root root 163 5月 22 09:20 build-key


-rwxr-xr-x 1 root root 157 5月 22 09:20 build-key-pass


-rwxr-xr-x 1 root root 249 5月 22 09:20 build-key-pkcs12


-rwxr-xr-x 1 root root 268 5月 22 09:20 build-key-server


-rwxr-xr-x 1 root root 213 5月 22 09:20 build-req


-rwxr-xr-x 1 root root 158 5月 22 09:20 build-req-pass


-rwxr-xr-x 1 root root 449 5月 22 09:20 clean-all


drwxr-x--- 2 root root 6 5月 12 05:24 client


-rwxr-xr-x 1 root root 1471 5月 22 09:20 inherit-inter


-rwxr-xr-x 1 root root 302 5月 22 09:20 list-crl


-rw-r--r-- 1 root root 7791 5月 22 09:20 openssl-0.9.6.cnf


-rw-r--r-- 1 root root 8348 5月 22 09:20 openssl-0.9.8.cnf


-rw-r--r-- 1 root root 8245 5月 22 09:20 openssl-1.0.0.cnf


-rwxr-xr-x 1 root root 12966 5月 22 09:20 pkitool


-rwxr-xr-x 1 root root 928 5月 22 09:20 revoke-full


drwxr-x--- 2 root root 6 5月 12 05:24 server


-rw-r--r-- 1 root root 10782 5月 22 09:20 server.conf


-rwxr-xr-x 1 root root 178 5月 22 09:20 sign-req


-rw-r--r-- 1 root root 2077 5月 22 09:20 vars


-rwxr-xr-x 1 root root 740 5月 22 09:20 whichopensslcnf


1.3 配置pki


cd /etc/openvpn


vim vars


#示例如下


export KEY_COUNTRY="CN"


export KEY_PROVINCE="BJ"


export KEY_CITY="BJ"


export KEY_ORG="IT"


export KEY_EMAIL="990974238@qq.com"


export KEY_OU="xiaodong"


#注在后面生成服务端ca证书时这里的配置会作为缺省配置


将 vars 文件改为可执行，后面会用 source 调用它


chmod +x vars


[root@m01 openvpn]# cat vars


# easy-rsa parameter settings


# NOTE: If you installed from an RPM,


# don't edit this file in place in


# /usr/share/openvpn/easy-rsa --


# instead, you should copy the whole


# easy-rsa directory to another location


# (such as /etc/openvpn) so that your


# edits will not be wiped out by a future


# OpenVPN package upgrade.


# This variable should point to


# the top level of the easy-rsa


# tree.


export EASY_RSA="`pwd`"


#


# This variable should point to


# the requested executables


#


export OPENSSL="openssl"


export PKCS11TOOL="pkcs11-tool"


export GREP="grep"


# This variable should point to


# the openssl.cnf file included


# with easy-rsa.


export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`


# Edit this variable to point to


# your soon-to-be-created key


# directory.


#


# WARNING: clean-all will do


# a rm -rf on this directory


# so make sure you define


# it correctly!


export KEY_DIR="$EASY_RSA/keys"


# Issue rm -rf warning


echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR


# PKCS11 fixes


export PKCS11_MODULE_PATH="dummy"


export PKCS11_PIN="dummy"


# Increase this to 2048 if you


# are paranoid. This will slow


# down TLS negotiation performance


# as well as the one-time DH parms


# generation process.


export KEY_SIZE=2048


# In how many days should the root CA key expire?


export CA_EXPIRE=3650


# In how many days should certificates expire?


export KEY_EXPIRE=3650


# These are the default values for fields


# which will be placed in the certificate.


# Don't leave any of these fields blank.


export KEY_COUNTRY="CN"


export KEY_PROVINCE="BJ"


export KEY_CITY="BJ"


export KEY_ORG="IT"


export KEY_EMAIL="405304239@qq.com"


export KEY_OU="fgy"


# X509 Subject Field


export KEY_NAME="EasyRSA"


# PKCS11 Smart Card


# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"


# export PKCS11_PIN=1234


# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below


# You will also need to make sure your OpenVPN server config has the duplicate-cn option set


# export KEY_CN="CommonName"


1.4 产生ca证书


source ./vars


#NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys


#注也就是如果执行./clean-all就会清空/etc/openvpn/keys下所有文件


1.5 开始配置证书


1.5.1 清空原有证书


./clean-all


注：下面这个命令在第一次安装时可以运行；以后在添加完客户端后要慎用，因为这个命令会清除所有已经生成的证书和密钥（与上面的提示对应）。


1.5.2 生成服务器端和客户端ca证书(一路回车)


./build-ca


注:一路回车


./build-key-server server


注:生成服务器端密钥证书, 名字可以随便起但要记住后面要用到(一路回车 两个y)。


###一路回车(两个Y)


./build-key client


注：生成客户端证书，名字任意，建议写成你要发给的人的姓名，方便管理。这里与生成服务端证书的配置类似，中间一步提示输入服务端密码时也可以不设置密码，其他按照缺省提示一路回车即可。


如果想生成客户端使用密码方式登录的证书，请使用下面的 build-key-pass；其实不使用密码方式也可以，到时候在客户端登录 vpn 后再进行更改也是一样的。


#####./build-key-pass client-pass ###不用操作(重置)


1.5.3 生成DH验证文件


./build-dh


注：生成 Diffie-Hellman 参数，用于增强 openvpn 安全性；生成需要漫长等待，让服务器飞一会。


1.5.4 生成ta.key文件(防DDos攻击、UDP淹没等恶意攻击)


# Generate the static tls-auth (HMAC) key. It only protects anything if BOTH sides
# reference it: "tls-auth keys/ta.key 0" in server.conf and "tls-auth ta.key 1" in
# every client.ovpn, so the file has to be distributed to clients together with
# ca.crt / client.crt / client.key (over a secure channel, it is a shared secret).
openvpn --genkey --secret keys/ta.key


1.6 修改配置文件


openvpn 服务配置文件。注：可按照默认模板配置，本例为自定义配置文件。


cp /etc/openvpn/server.conf{,.bak}


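# Write the server config. '#' lines inside the heredoc land in server.conf as
# OpenVPN comments, so the reasoning stays next to each directive.
cat > /etc/openvpn/server.conf<< EOF
# Listen on this address/port only. 1194/udp must match both the firewall rule
# and the "remote 10.0.0.61 1194" / "proto udp" lines in client.ovpn.
local 10.0.0.61
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
# HMAC "firewall" on the TLS control channel, using the ta.key generated in step 1.5.4
# (the original config generated the key but never used it). Every client must then
# ship the same ta.key and carry "tls-auth ta.key 1" in its client.ovpn.
tls-auth /etc/openvpn/keys/ta.key 0
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
# comp-lzo must be identical on both sides. Compressing attacker-influenced and secret
# data in the same stream can leak plaintext (CRIME/VORACLE-style); drop it on both
# sides unless bandwidth really requires it.
comp-lzo
# Drop root once the tunnel and keys are set up; persist-key / persist-tun are what
# let the now-unprivileged process survive restarts without re-reading the key.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
# duplicate-cn lets several clients share one certificate, which defeats per-user
# revocation and auditing. Keep it for testing only; issue one cert per user otherwise.
duplicate-cn
log /var/log/openvpn.log
EOF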


####openvpn配置文件内容注释如下


;local a.b.c.d


#设置监听IP默认是监听所有IP (10.0.0.61本机外网地址)


port 11940


#设置监听端口必须要对应的在防火墙里面打开


proto tcp


#设置用TCP还是UDP协议


dev tun


#设置创建tun的路由IP通道还是创建tap的以太网通道由于路由IP容易控制所以推荐使用tunnel


# SSL/TLS root certificate (ca), certificate (cert), and private key (key)


#ca文件是服务端和客户端都必须使用的但不需要ca.key


#服务端和客户端指定各自的.crt和.key


#请注意路径：可以使用以配置文件所在位置为根的相对路径，也可以使用绝对路径。请小心存放 .key 密钥文件。


ca keys/ca.crt


cert keys/server.crt


key keys/server.key


#指定 Diffie-Hellman parameters。默认是 2048；如果生成 ca 的时候修改过 dh 参数“export KEY_SIZE”，则改为对应的数字


dh keys/dh2048.pem


#配置VPN使用的网段，OpenVPN会自动提供基于该网段的DHCP服务，但不能和任何一方的局域网段重复，保证唯一
server 10.18.18.0 255.255.255.0


#维持一个客户端和virtual IP的对应表以方便客户端重新连接可以获得同样的IP


ifconfig-pool-persist ipp.txt


#设置服务端检测的间隔和超时时间 每 10 秒 ping 一次如果 120 秒没有回应则认为对方已经 down


keepalive 10 120


#使用lzo压缩的通讯,服务端和客户端都必须配置


comp-lzo


#重启时仍保留一些状态


persist-key
persist-tun


#输出短日志,每分钟刷新一次,以显示当前的客户端


status openvpn-status.log


#缺省日志会记录在系统日志中，但也可以导向到其他地方。建议调试时先不要设置，调试完成后再定义


log /var/log/openvpn/openvpn.log


log-append /var/log/openvpn/openvpn.log


#这里主要填写openvpn所在局域网的网段我的openvpn所在的局域网是172.16.10.0


push "route 172.16.10.0 255.255.255.0"


#默认客户端之间是不能直接通讯的除非把下面的语句注释掉


client-to-client


#持久化选项可以尽量避免在重启时由于用户权限降低而无法访问某些资源


#指定日志文件的记录详细级别可选0-9等级越高日志内容越详细


verb 3


#常用于测试开启的话一个证书可以多个客户端连接


duplicate-cn


1.7 创建openvpn日志目录


mkdir -p /var/log/openvpn/


1.8 启动openvpn服务


systemctl start openvpn@server.service


1.9 检测 ip a


#4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100


# link/none


# inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0


# valid_lft forever preferred_lft forever


1.10 设置开机启动


systemctl enable openvpn@server.service


1.11 开启路由转发功能


echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf


sysctl -p


1.12 设置防火墙


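# NAT: masquerade the VPN subnet (10.8.0.0/24, the "server" line in server.conf) so
# clients can reach the LAN behind this host. Without it the tunnel comes up but
# carries no traffic.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# Open the OpenVPN listener. The server.conf written in step 1.6 uses "port 1194" and
# "proto udp", and client.ovpn connects to 10.0.0.61 1194 over udp, so the rule must
# match that pair. The original rule opened 11940/tcp, which nothing in this setup
# listens on, leaving the real listener blocked.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Persist the rules. "iptables-save" on its own only prints them to stdout; on
# CentOS 7 the iptables-services package restores /etc/sysconfig/iptables at boot
# (yum install iptables-services; systemctl enable iptables). If firewalld is the
# active firewall on this host, add the equivalent rules via firewall-cmd instead,
# since raw iptables rules are lost on its next reload.
iptables-save > /etc/sysconfig/iptables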


1.13 windows客户端配置


将服务器端生成的 ca.crt、client.crt、client.key 下载到本地（client.key 是私钥，请通过安全方式传输，不要明文发送），放入 config/client 目录。


进入客户端 OpenVPN 目录，将 sample-config 下的 client.ovpn 文件复制到 config/client 目录。client 目录自己新建一个即可，方便识别。


client.ovpn配置文件做相应的修改


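# client.ovpn — minimal client profile matching the server.conf from step 1.6.
client
dev tun
proto udp
# Must match "local" / "port" / "proto" on the server.
remote 10.0.0.61 1194
resolv-retry infinite
nobind
# Same setting as the server; remove on both sides if compression is not needed.
comp-lzo
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Require the server certificate to carry the server key usage / EKU. Without this,
# anyone holding a valid *client* certificate from the same CA could stand up a fake
# server and intercept the tunnel (see the MITM note in the sample config below).
# Works here because the server cert was issued with ./build-key-server.
remote-cert-tls server
# If the server config carries "tls-auth .../ta.key 0", copy ta.key next to this
# file and enable the line below; the server will otherwise reject the handshake.
;tls-auth ta.key 1
verb 3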


##############################################


# Sample client-side OpenVPN 2.0 config file #


# for connecting to multi-client server. #


# #


# This configuration can be used by multiple #


# clients, however each client should have #


# its own cert and key files. #


# #


# On Windows, you might want to rename this #


# file so it has a .ovpn extension #


##############################################


# Specify that we are a client and that we


# will be pulling certain config file directives


# from the server.


client


# Use the same setting as you are using on


# the server.


# On most systems, the VPN will not function


# unless you partially or fully disable


# the firewall for the TUN/TAP interface.


;dev tap


dev tun


# Windows needs the TAP-Win32 adapter name


# from the Network Connections panel


# if you have more than one. On XP SP2,


# you may need to disable the firewall


# for the TAP adapter.


;dev-node MyTap


# Are we connecting to a TCP or


# UDP server? Use the same setting as


# on the server.


;proto tcp


proto udp


# The hostname/IP and port of the server.


# You can have multiple remote entries


# to load balance between the servers.


remote my-server-1 1194


;remote my-server-2 1194


remote 10.0.0.61 1194


# Choose a random host from the remote


# list for load-balancing. Otherwise


# try hosts in the order specified.


;remote-random


# Keep trying indefinitely to resolve the


# host name of the OpenVPN server. Very useful


# on machines which are not permanently connected


# to the internet such as laptops.


resolv-retry infinite


# Most clients don't need to bind to


# a specific local port number.


nobind


# Downgrade privileges after initialization (non-Windows only)


;user nobody


;group nobody


# Try to preserve some state across restarts.


persist-key


persist-tun


# If you are connecting through an


# HTTP proxy to reach the actual OpenVPN


# server, put the proxy server/IP and


# port number here. See the man page


# if your proxy server requires


# authentication.


;http-proxy-retry # retry on connection failures


;http-proxy [proxy server] [proxy port #]


# Wireless networks often produce a lot


# of duplicate packets. Set this flag


# to silence duplicate packet warnings.


;mute-replay-warnings


# SSL/TLS parms.


# See the server config file for more


# description. It's best to use


# a separate .crt/.key file pair


# for each client. A single ca


# file can be used for all clients.


ca ca.crt


cert client.crt


key client.key


# Verify server certificate by checking that the


# certicate has the correct key usage set.


# This is an important precaution to protect against


# a potential attack discussed here:


# http://openvpn.net/howto.html#mitm


#


# To use this feature, you will need to generate


# your server certificates with the keyUsage set to


# digitalSignature, keyEncipherment


# and the extendedKeyUsage to


# serverAuth


# EasyRSA can do this for you.


remote-cert-tls server


# If a tls-auth key is used on the server


# then every client must also have the key.


;tls-auth ta.key 1


# Select a cryptographic cipher.


# If the cipher option is used on the server


# then you must also specify it here.


;cipher x


# Enable compression on the VPN link.


# Don't enable this unless it is also


# enabled in the server config file.


comp-lzo


# Set log file verbosity.


verb 3


# Silence repeating messages


;mute 20


----end-----
