Server environment:
1. Alibaba Cloud Hong Kong host
2. Public IP 47.52.57.XX, private IP 172.31.160.200
Installation steps:
1. Install the dependencies
LZO (a lossless compression library) and PAM (Pluggable Authentication Modules)
# yum install -y gcc openssl-devel lzo-devel pam-devel
2. Network settings
Enable kernel IP forwarding
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
Make sure the VPN address pool can be routed out to the Internet (clients are assigned addresses from 172.16.30.0/24)
iptables -t nat -A POSTROUTING -s 172.16.30.0/24 -o eth0 -j MASQUERADE
Allow the OpenVPN service port through the firewall
iptables -A INPUT -p UDP --dport 1194 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Note: on Alibaba Cloud these rules are not needed by default; open port 1194 in the security group instead.
3. Time synchronisation
If the client and server clocks are not in sync, the connection will fail.
ntpdate asia.pool.ntp.org
4. Install the OpenVPN server
wget http://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
tar zxvf openvpn-2.4.3.tar.gz
cd openvpn-2.4.3
./configure --prefix=/usr/local/openvpn
make && make install
5. Configure the server
There are two main parts:
generating the certificates the server and clients need;
writing the configuration files for the server and clients.
(1) Download easy-rsa and create the certificates (for this part you can also refer to "Generating OpenVPN certificates with easy-rsa" to create all the certificates quickly).
GitHub source, 2.x branch
URL: https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
cd
wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
yum install -y unzip
unzip 2.x.zip
cp -rf easy-rsa-release-2.x/easy-rsa/ /usr/local/openvpn/
######## Create the CA certificate ########
# cd /usr/local/openvpn/easy-rsa/2.0
# source ./vars  # initialisation: sets the variables the following commands need
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn/easy-rsa/2.0/keys
# ./clean-all  # removes all previously created certificates and keys
# ./build-ca  # generates the CA certificate and key
Generating a 2048 bit RSA private key
...+++
...........................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [California]:BJ
Locality Name (eg, city) [SanFrancisco]:BJ
Organization Name (eg, company) [Fort-Funston]:BJ
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:OPS
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Openvpn_CA
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
## The CA certificate and key have now been generated; by default the certificates and keys are stored in the keys directory under the current directory.
[root@localhost 2.0]#ls keys/
ca.crt ca.key index.txt serial
############ Create the server certificate #############
Run ./build-key-server ServerName to generate the server certificate and key
[root@localhost 2.0]#./build-key-server server
Generating a 2048 bit RSA private key
............................+++
....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [California]:BJ
Locality Name (eg, city) [SanFrancisco]:BJ
Organization Name (eg, company) [Fort-Funston]:BJ
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:OPS
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'BJ'
organizationalUnitName:PRINTABLE:'OPS'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Aug 20 05:16:14 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#ls ./keys/
01.pem ca.crt ca.key index.txt index.txt.attr index.txt.old serial serial.old server.crt server.csr server.key
############ Create the client certificate ###############
Run ./build-key clientName to generate the client certificate and key
[root@localhost 2.0]#./build-key client1
Generating a 2048 bit RSA private key
........................................................+++
..................................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [California]:BJ
Locality Name (eg, city) [SanFrancisco]:BJ
Organization Name (eg, company) [Fort-Funston]:BJ
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:OPS
Common Name (eg, your name or your server's hostname) [client1]:Openvpn_Client
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'BJ'
organizationalUnitName:PRINTABLE:'OPS'
commonName :T61STRING:'Client1'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Aug 20 05:34:01 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#ls ./keys/
01.pem 02.pem ca.crt ca.key client1.crt client1.csr client1.key index.txt index.txt.attr index.txt.attr.old index.txt.old serial serial.old server.crt server.csr server.key
Generate the Diffie-Hellman parameters
The command is ./build-dh (no further input is needed; just wait for it to finish). Diffie-Hellman is a key-agreement protocol; the parameters generated here are used when negotiating the session keys that encrypt the data.
./build-dh
########### Generate the TLS-auth key ############
This step is optional. OpenVPN provides a TLS-auth feature that helps resist DoS and UDP port flooding attacks. For security you can enable it; to do so, run openvpn --genkey --secret keys/ta.key to generate the key file TLS-auth needs.
#/usr/local/openvpn/sbin/openvpn --genkey --secret keys/ta.key
At this point certificate generation is complete. If you later want to create a new client or perform other operations, first run . ./vars and then the corresponding command, e.g. ./build-key client2.
So far the following have been generated:
1: the CA certificate and key
2: the server certificate and key
3: the certificate and key for client client1
4: the Diffie-Hellman parameters (if KEY_SIZE=1024, the file is named dh1024.pem)
5: the file needed to enable tls-auth
Of these, the server needs the following files:
ca.crt
ca.key
dh2048.pem (if the KEY_SIZE variable was set to 1024 at the start, this is dh1024.pem)
server.crt
server.key
ta.key (not needed if tls-auth is not enabled)
Client client1 needs the following files:
ca.crt
client1.crt
client1.key (the name client1 may differ depending on your settings)
ta.key (not needed if tls-auth is not enabled)
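The ls output above also shows index.txt, the CA database that easy-rsa (via openssl ca) maintains for every certificate it signs. To audit who currently holds a valid client certificate, here is an added Python example, not part of the page or of easy-rsa, that parses keys/index.txt; the sample records are constructed (serials 01 and 02 mirror the page's server and client1 runs, client2 and client3 are made up).

```python
"""Audit easy-rsa 2.x keys/index.txt (added example, not the page's code). Tab-separated fields:
status (V valid/R revoked/E expired), expiry, revocation time (empty unless revoked), serial,
file name (usually 'unknown'), subject DN. Times are OpenSSL UTCTime: YYMMDDHHMMSSZ."""
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

class CertRecord(NamedTuple):
    status: str
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    cn: str

def parse_utctime(s: str) -> datetime:
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text: str) -> List[CertRecord]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, exp, rev, serial, _fname, dn = line.split("\t")
        # The DN looks like /C=CN/ST=BJ/.../CN=client1/...; the CN is the identity OpenVPN
        # sees (and the file name used under client-config-dir).
        cn = next((p[3:] for p in dn.split("/") if p.startswith("CN=")), "")
        records.append(CertRecord(status, parse_utctime(exp),
                                  parse_utctime(rev) if rev else None, serial, cn))
    return records

def active_clients(records, now, server_cn="server"):
    """CNs that can still authenticate: status V, not expired, and not the server cert."""
    return sorted(r.cn for r in records
                  if r.status == "V" and r.expires > now and r.cn != server_cn)

def expiring_within(records, now, days):
    """Valid certificates expiring within `days`: renew these before the clients drop off."""
    limit = now + timedelta(days=days)
    return sorted(r.cn for r in records if r.status == "V" and now < r.expires <= limit)

# Constructed sample: serials 01/02 mirror the page's server and client1 runs; client2
# (revoked) and client3 (about to expire) are made up for the demonstration.
_DN = "/C=CN/ST=BJ/L=BJ/O=BJ/OU=OPS/CN={}/name=EasyRSA/emailAddress=me@myhost.mydomain"
SAMPLE_INDEX = "\n".join("\t".join(f) for f in [
    ("V", "270820051614Z", "", "01", "unknown", _DN.format("server")),
    ("V", "270820053401Z", "", "02", "unknown", _DN.format("client1")),
    ("R", "270901100000Z", "180401090000Z", "03", "unknown", _DN.format("client2")),
    ("V", "180420000000Z", "", "04", "unknown", _DN.format("client3")),
])
```

Run it against the real file with parse_index(open("/usr/local/openvpn/easy-rsa/2.0/keys/index.txt").read()); a revoked entry only takes effect on the server once a CRL is generated and loaded with crl-verify, which this page does not cover.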
(2) Write the server configuration file.
mkdir -p /usr/local/openvpn/config
cd /usr/local/openvpn/config
cp /usr/local/openvpn/easy-rsa/2.0/keys/{ca.crt,ca.key,server.crt,server.key,client1.crt,client1.key,dh2048.pem,ta.key} .
# ls
ca.crt ca.key dh2048.pem server.crt server.key
cp /usr/local/openvpn/openvpn-2.4.3/server.conf .
mkdir -p /var/log/openvpn  # create the log directory
# vim server.conf
port 11944
proto udp
dev tun
ca /usr/local/openvpn/config/ca.crt
cert /usr/local/openvpn/config/server.crt
key /usr/local/openvpn/config/server.key
dh /usr/local/openvpn/config/dh2048.pem
server 172.16.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.30.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
client-to-client
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 2
# to enable username/password authentication, uncomment the following
#auth-user-pass-verify /usr/local/openvpn/checkpsw.sh via-env
#username-as-common-name
#verify-client-cert
#script-security 3
Directive explanations:
port 1194 #local port to listen on
proto udp #transport protocol, tcp or udp
dev tun #type of tunnel device, tun or tap; tun works at layer 3 (IP), tap at layer 2 (link layer)
ca /usr/local/openvpn/config/ca.crt #path to the CA certificate
cert /usr/local/openvpn/config/server.crt #path to the server certificate
key /usr/local/openvpn/config/server.key #path to the server private key
dh /usr/local/openvpn/config/dh2048.pem #path to the Diffie-Hellman parameters
server 172.16.100.0 255.255.255.0 #address range and netmask of the virtual network; the server itself takes the first address of the range (172.16.100.1)
ifconfig-pool-persist ipp.txt #once the server has assigned a client an IP, the client gets the same IP on later connections (the first assignment is saved in ipp.txt and reused next time)
push "redirect-gateway def1 bypass-dhcp" #if enabled, all clients redirect their default gateway through the VPN, so all IP traffic (web browsing, DNS lookups, etc.) goes through the VPN
push "dhcp-option DNS 8.8.8.8" #push a DNS server to the clients
#tls-auth /usr/local/openvpn/config/ta.key 0 #enable TLS-auth, using ta.key to resist attacks; the second argument is 0 on the server and 1 on the clients
keepalive 10 120 #ping every 10 seconds; treat the connection as down after 120 seconds
comp-lzo #enable compression on the VPN link; if it is enabled on the server, clients must enable it too
client-to-client #allow clients to reach each other; by default clients can only reach the server
persist-key
persist-tun #the persist options avoid failing to reopen, on restart, resources that can no longer be accessed once privileges have been dropped
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log #log file paths
verb 4 #log verbosity, 0-9; the higher the level, the more detailed the log
explicit-exit-notify 2 #clients reconnect automatically when the server restarts
Notes
1. push "redirect-gateway def1 bypass-dhcp": if enabled, configures every client to redirect its default gateway through the VPN, so all IP traffic passes through the VPN.
2. client-config-dir ccd #names a directory for fine-grained per-client configuration (e.g. pushing extra routes to a single client).
3. TUN and TAP differ: TUN is a point-to-point layer-3 device that works at the IP layer and handles IP packets (this article uses tun; try tap if you are interested); TAP is a virtual Ethernet device that works at layer 2 and handles Ethernet frames.
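The commented-out auth-user-pass-verify ... via-env and script-security 3 lines above hand each client's username and password to an external script through the environment and use its exit status as the verdict. Here is an added Python example of such a script, not the page's checkpsw.sh, that checks against a file of salted PBKDF2 hashes instead of plaintext passwords; the file path /usr/local/openvpn/psw-file and the record format are assumptions.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify script (via-env mode). Added example, not the page's
checkpsw.sh. Credential file format (assumption): one "user:salt_hex:pbkdf2_hex" per line."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000             # PBKDF2-HMAC-SHA256 work factor (assumption; tune for the host)
_DUMMY = (bytes(16), bytes(32))  # used for unknown users so timing does not reveal valid names

def make_record(username: str, password: str, salt: bytes = None) -> str:
    """Create one line for the credential file (run offline, e.g. when onboarding a user)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:{salt.hex()}:{digest.hex()}"

def load_db(lines) -> dict:
    db = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt_hex, digest_hex = line.split(":", 2)
        db[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return db

def verify(db: dict, username: str, password: str) -> bool:
    """True only if the user exists and the password matches (constant-time comparison)."""
    salt, expected = db.get(username, _DUMMY)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected) and username in db

if __name__ == "__main__":
    # With script-security 3 and via-env, OpenVPN exports the client's credentials as the
    # environment variables 'username' and 'password'; exit 0 accepts, non-zero rejects.
    db_path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/openvpn/psw-file"
    with open(db_path) as fh:
        db = load_db(fh)
    ok = verify(db, os.environ.get("username", ""), os.environ.get("password", ""))
    sys.exit(0 if ok else 1)
```

Point server.conf at it in place of checkpsw.sh (auth-user-pass-verify /usr/local/openvpn/checkpsw.py via-env, together with script-security 3) and keep the credential file readable only by the user OpenVPN runs as.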
6. Start OpenVPN
/usr/local/openvpn/sbin/openvpn /usr/local/openvpn/openvpn-2.4.3/server.conf &
If there are errors, check the log: tail -f /var/log/openvpn/openvpn.log
Pitfalls encountered
Generating the ta key file
# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
If this command is not run, the following error appears:
Sat Apr 7 12:53:37 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.