System environment:
CentOS 6.75
OpenVPN 2.3.11
Installation steps
1. Install the EPEL 6 yum repository and refresh the local cache
# rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
# yum makecache
2. Disable SELinux and the firewall
# service iptables stop
# chkconfig iptables off
vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
reboot    // reboot the server
Note: neither change is needed for the EPEL openvpn package to run; both are done here only to rule out interference while setting up. The firewall is switched back on with explicit rules in step 10. If you want to see what SELinux would block without it blocking anything, SELINUX=permissive keeps the policy loaded and logs denials to /var/log/audit/audit.log, which is more useful than disabling it outright.
3. Install openvpn and easy-rsa
# yum -y install openvpn easy-rsa
4. Set up easy-rsa
# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
5. Create the CA certificate and key
a. vi /etc/openvpn/easy-rsa/vars    // change the following values
export KEY_COUNTRY="CN"            // country
export KEY_PROVINCE="SH"           // province
export KEY_CITY="Shanghai"         // city
export KEY_ORG="OpenVPN ORG"       // organization
export KEY_EMAIL="[email protected]"     // e-mail address
export KEY_OU="OpenVPN"            // organizational unit
These values become the defaults offered at every prompt below, which is why "press Enter at each prompt" works.
b. Initialise the certificate authority
# pwd
/etc/openvpn/easy-rsa
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
c. Remove any existing certificate files
# ./clean-all
# ls keys/
index.txt  serial
d. Create the CA certificate; pressing Enter at every prompt accepts the defaults from vars
# ./build-ca
Generating a 2048 bit RSA private key
..........................+++
............+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN ORG CA]:
Name [EasyRSA]:
Email Address [[email protected]]:
# ls keys/
ca.crt  ca.key  index.txt  serial
ca.key is written unencrypted and is the root of trust for every certificate this VPN will ever accept: keep it mode 0600, owned by root, and it does not need to be (and should not be) copied to /etc/openvpn in step 6; only ca.crt is.
e. Create the server certificate; server is the certificate name and becomes its Common Name
./build-key-server server
# ./build-key-server server
Generating a 2048 bit RSA private key
..........+++
...............................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 13 02:14:17 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: answer y at both of these prompts:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
# ls keys/
01.pem  ca.crt  ca.key  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
build-key-server (unlike build-key, which is for client certificates) signs with easy-rsa's [server] extension section, so the certificate carries extendedKeyUsage=serverAuth, keyUsage=digitalSignature,keyEncipherment and nsCertType=server; the client's remote-cert-tls server directive in step 8 depends on exactly those.
f. Generate the Diffie-Hellman parameters
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
# ls keys
01.pem  ca.crt  ca.key  dh2048.pem  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
The file is named after KEY_SIZE in vars (2048 here), which is why the server configuration later refers to dh2048.pem.
g. Generate the TLS-auth key
This step is optional. OpenVPN's tls-auth feature adds an HMAC, keyed with a pre-shared secret that only the server and legitimate clients hold, to every control-channel packet; a packet whose HMAC does not verify is dropped before any TLS processing takes place. The OpenVPN manual lists what that buys: resistance to DoS and UDP port flooding, to port scans probing for a listening OpenVPN port, to bugs in the SSL/TLS implementation, and to handshake attempts from unauthorised machines. It is worth enabling. Generate the key file with:
# openvpn --genkey --secret keys/ta.key
# ls keys/
01.pem  ca.crt  ca.key  dh2048.pem  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key  ta.key
ta.key is a shared secret: every client gets the same copy, so distribute it over a trusted channel, and rotate it if a client is lost.
6. Copy the server certificate, key and related files
# pwd
/etc/openvpn/easy-rsa/keys
# cp server.crt server.key dh2048.pem ca.crt ta.key /etc/openvpn/
# cd /etc/openvpn/
# ls
ca.crt  dh2048.pem  easy-rsa  server.crt  server.key  ta.key
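Before trusting the copied files it is worth checking that what easy-rsa produced is what the client will later insist on: the client configuration in step 8 uses remote-cert-tls server, which only accepts a server certificate that chains to ca.crt, carries the serverAuth extended key usage and has keyUsage digitalSignature, keyEncipherment (the extensions build-key-server sets and build-key does not). The following is an added example, not part of easy-rsa or the original post; it uses only the openssl command line, takes the three file paths as arguments, and also confirms that server.key belongs to server.crt and is not world-readable.

```shell
#!/bin/sh
# Added example: sanity checks on the server PKI produced by easy-rsa.
# Not part of easy-rsa or the original post. Usage:
#   check_server_cert keys/ca.crt keys/server.crt keys/server.key
# Returns 0 when every check passes, 1 (with the reason on stdout) otherwise.

check_server_cert() {
    ca="$1"; crt="$2"; key="$3"

    # 1. The server certificate must chain to our own CA, not merely parse.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt is not signed by $ca"
        return 1
    fi

    # 2. remote-cert-tls server on the client rejects a server certificate
    #    without the serverAuth EKU and without keyUsage digitalSignature +
    #    keyEncipherment. easy-rsa's build-key-server adds both; build-key
    #    (client certificates) adds neither.
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null || true)
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: $crt lacks the serverAuth extended key usage"
        return 1
    fi
    if ! printf '%s\n' "$text" | grep -q 'Digital Signature, Key Encipherment'; then
        echo "FAIL: $crt lacks keyUsage digitalSignature, keyEncipherment"
        return 1
    fi

    # 3. The private key must be the one the certificate was issued for:
    #    derive the public key from each side and compare them.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$pub_crt" ] || [ "$pub_crt" != "$pub_key" ]; then
        echo "FAIL: $key does not match $crt"
        return 1
    fi

    # 4. The private key must not be readable by other users.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $key is world-readable"
        return 1
    fi

    echo "OK: $crt chains to $ca, has the server extensions and matches $key"
    return 0
}
```

Run it from /etc/openvpn/easy-rsa as `check_server_cert keys/ca.crt keys/server.crt keys/server.key` after build-key-server; a certificate made with plain build-key fails check 2, which is the mistake that later shows up on the client as a "certificate does not have key usage/EKU" rejection.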
7. Edit the server configuration file
Note: OpenVPN recommends certificate-based authentication, which is very secure but tedious to set up. Fortunately it can also authenticate with a username and password, like pptp and other VPNs. Whichever method is used, the server still needs ca.crt, server.crt, server.key and the DH parameter file (dh2048.pem as generated above). For username/password authentication add the following directive to the server configuration to drop the client-certificate check; without it OpenVPN requires both a valid client certificate and a username/password:
client-cert-not-required
(This directive still works on the 2.3.11 used here; it has been deprecated since OpenVPN 2.4 in favour of verify-client-cert none.)
Then add auth-user-pass-verify to enable the password-checking script:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
via-env hands the username and password to the script in the environment variables username and password. OpenVPN only permits that at script-security level 3, so add the following line, which also silences the script-security warning in the log:
script-security 3 system
Two caveats. The OpenVPN manual warns that credentials passed through the environment may be visible to other processes on the host; the via-file mode, which writes the two values to a temporary file handed to the script as its first argument and only needs script-security 2, is the safer choice. And the optional second word (system) selects calling scripts through system(); the default method, execve, is the recommended one, so the word can simply be left out.
checkpsw.sh can be downloaded from the net:
wget http://openvpn.se/files/other/checkpsw.sh
If the download fails, create checkpsw.sh by hand with the contents below. If you paste it from Windows, make sure the file ends up with Unix line endings, or the shell will trip over the carriage returns. Only the PASSFILE and LOG_FILE variables need to be adapted.
# cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN supplies the client's credentials in the
# environment variables $username and $password
# (auth-user-pass-verify ... via-env, script-security 3).
# Two defects of the published version are fixed below:
# the username was spliced into the awk program text, and
# a failed login wrote the wrong password into the log.
###########################################################
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Pass the username in with -v so awk treats it as data; the original
# '$1=="'${username}'"' form let a name containing a double quote alter
# the awk program.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

# The original also logged the submitted password here; the log is not a
# secret (it is created world-readable), so only the username is recorded.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
By default checkpsw.sh reads usernames and passwords from /etc/openvpn/psw-file.
Make checkpsw.sh executable:
chmod +x checkpsw.sh
psw-file holds one account per line, username and password separated by whitespace, e.g.:
username password
Set the permissions on psw-file so that the user openvpn runs as can read it (the script runs with the privileges of the openvpn process, so that user needs read access) and nobody else can, since the passwords are stored in clear text:
# chmod 400 psw-file
# chown nobody.nobody psw-file
# ll
total 48
-rw-r--r-- 1 root   root    1732 Aug 15 11:03 ca.crt
-rw-r--r-- 1 root   root    1267 Aug 15 12:49 checkpsw.sh
-rw-r--r-- 1 root   root     424 Aug 15 11:03 dh2048.pem
drwxr-xr-x 3 root   root    4096 Aug 15 10:09 easy-rsa
-r-------- 1 nobody nobody    28 Aug 15 12:50 psw-file
-rw-r--r-- 1 root   root   10749 Aug 15 12:56 server.conf
-rw-r--r-- 1 root   root    5483 Aug 15 11:03 server.crt
-rw------- 1 root   root    1704 Aug 15 11:03 server.key
-rw------- 1 root   root     636 Aug 15 11:03 ta.key
The chown to nobody only has an effect if server.conf contains user nobody and group nobody so that openvpn drops privileges after start-up; the server.conf shown below does not, so with it openvpn (and therefore checkpsw.sh) keeps running as root and reads the file regardless of its owner.
Copy the sample server.conf:
# cp /usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf /etc/openvpn/server.conf
# ls
ca.crt  dh2048.pem  easy-rsa  server.conf  server.crt  server.key  ta.key
Edit server.conf; the effective settings (comments, ';'-lines and blank lines filtered out) are:
# cat server.conf | egrep -v "^#|^;|^$"
port 1194                      // port to listen on
proto udp                      // transport protocol
dev tun                        // tunnel type (routed IP tunnel)
ca ca.crt                      // path to the CA certificate
cert server.crt                // path to the server certificate
key server.key                 // path to the server private key
dh dh2048.pem                  // path to the Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0  // VPN subnet; the server takes the first address
ifconfig-pool-persist ipp.txt  // remember the address handed to each client so it gets the same one next time
push "dhcp-option DNS 8.8.8.8" // push a DNS server to clients
client-to-client               // let clients reach each other; by default they can only reach the server
keepalive 10 120               // ping every 10 s, treat the peer as gone after 120 s without a reply
tls-auth ta.key 0              // enable tls-auth with ta.key; the key direction is 0 on the server and 1 on clients
comp-lzo                       // enable compression; if the server enables it, clients must too
persist-key
persist-tun                    // keep the keys and tun device across restarts, since after dropping privileges they could not be reopened
status openvpn-status.log      // path of the status log
log openvpn.log
verb 3                         // log verbosity
client-cert-not-required       // do not require client certificates
username-as-common-name        // use the username as the session's common name, since there is no client certificate to take it from
script-security 3 system
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env   // check credentials with checkpsw.sh; they arrive in $username and $password
Two things a reader should weigh before copying this verbatim: there is no user nobody / group nobody, so openvpn and the verify script run as root for their whole lifetime (the sample file has both lines commented out; enabling them is what makes the psw-file ownership above meaningful), and comp-lzo was later shown to leak plaintext to an attacker who can inject traffic (the VORACLE attack, 2018), so leave compression off unless you need it.
Files needed on the server side; note the permissions and ownership of checkpsw.sh and psw-file:
# ll
total 76
-rw-r--r-- 1 root   root    1732 Aug 15 11:03 ca.crt
-rwxr-xr-x 1 root   root    1249 Aug 15 13:42 checkpsw.sh
-rw-r--r-- 1 root   root     424 Aug 15 11:03 dh2048.pem
drwxr-xr-x 3 root   root    4096 Aug 15 13:17 easy-rsa
-rw------- 1 root   root      23 Aug 15 15:25 ipp.txt
-rw------- 1 root   root    3813 Aug 15 15:17 openvpn.log
-rw-r--r-- 1 root   root     434 Aug 15 15:17 openvpn-password.log
-rw------- 1 root   root     371 Aug 15 15:28 openvpn-status.log
-r-------- 1 nobody nobody    28 Aug 15 12:50 psw-file
-rw-r--r-- 1 root   root   10601 Aug 15 15:15 server.conf
-rw-r--r-- 1 root   root   10724 Aug 15 14:40 server.conf.bak
-rw-r--r-- 1 root   root    5483 Aug 15 11:03 server.crt
-rw------- 1 root   root    1704 Aug 15 11:03 server.key
-rw------- 1 root   root     636 Aug 15 11:03 ta.key
openvpn-password.log is created world-readable (0644); since the script writes every authentication attempt into it, tighten it to 0600 as well.
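checkpsw.sh keeps passwords in clear text, receives them through the environment (hence script-security 3), and, as published, writes the rejected password into a world-readable log. The script below is an added example, not the original checkpsw.sh and not anything shipped with OpenVPN: a drop-in replacement for the same auth-user-pass-verify hook that stores a per-user salt and hash instead of the password, reads the credentials with via-file (script-security 2 is then enough), keeps the username as awk data rather than awk code, and never logs a password. The file and log paths are the ones used above; the username:salt:hash line format, the ITER count and the add_user helper are this example's own choices.

```shell
#!/bin/sh
# checkpsw-hashed.sh: added example, not the original checkpsw.sh.
# Assumed server.conf lines (hypothetical):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/checkpsw-hashed.sh via-file
# With via-file OpenVPN writes the username on line 1 and the password on
# line 2 of a temporary file and passes its path as $1, so the password
# never appears in the environment of this script or its children.
#
# Password file: one "username:salt:hash" per line, '#' comments allowed.
# hash = hex SHA-256 of "salt:password", re-hashed ITER times.
# sha256sum is used only because it is in coreutils on every Linux; where
# OpenSSL >= 1.1.1 is available, replace hash_password with
# `openssl passwd -6 -salt "$1" "$2"` (SHA-512-crypt) or another real KDF.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
ITER=300

log() { printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"; }

# hash_password SALT PASSWORD -> hex digest on stdout
hash_password() {
    h="$1:$2"
    i=0
    while [ "$i" -lt "$ITER" ]; do
        h=$(printf '%s' "$h" | sha256sum)
        h=${h%% *}          # drop sha256sum's " -" filename suffix
        i=$((i + 1))
    done
    printf '%s' "$h"
}

# lookup_entry USERNAME -> "salt:hash", or nothing if the user is absent.
# The username enters awk through -v, so it is data; checkpsw.sh splices it
# into the program text, where a double quote in the name changes the program.
lookup_entry() {
    awk -F: -v u="$1" '!/^#/ && $1 == u { print $2 ":" $3; exit }' "$PASSFILE"
}

# check_credentials USERNAME PASSWORD -> 0 if they match, 1 otherwise
check_credentials() {
    user="$1"; pass="$2"
    if [ ! -r "$PASSFILE" ]; then
        log "cannot read $PASSFILE"
        return 1
    fi
    entry=$(lookup_entry "$user")
    if [ -z "$entry" ]; then
        log "unknown user: username=\"$user\""
        return 1
    fi
    salt=${entry%%:*}
    stored=${entry#*:}
    if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
        log "successful authentication: username=\"$user\""
        return 0
    fi
    log "incorrect password: username=\"$user\""   # never the password itself
    return 1
}

# add_user USERNAME PASSWORD -> append an entry with a fresh random salt.
# Run by the administrator, e.g.: . ./checkpsw-hashed.sh; add_user alice 'pw'
add_user() {
    case "$1" in *:*|"") echo "bad username" >&2; return 1;; esac
    salt=$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")" >> "$PASSFILE"
}

# verify_from_file TMPFILE: the entry point OpenVPN calls under via-file
verify_from_file() {
    [ -r "$1" ] || return 1
    check_credentials "$(sed -n 1p "$1")" "$(sed -n 2p "$1")"
}

# Act as the OpenVPN hook only when given the temp-file argument, so the
# file can also be sourced to run add_user or to exercise the functions.
if [ -n "$1" ]; then
    verify_from_file "$1"
    exit $?
fi
```

psw-file keeps the same 0400 permission and ownership as above, but a leaked copy now yields salted hashes rather than passwords, and the log only ever names the account. The one part to upgrade on a newer system is hash_password: the iterated SHA-256 is a portability stand-in, not a substitute for a memory-hard or crypt(3)-style password hash.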
8. Edit the client configuration file client.conf
Comment out the client certificate and key lines (cert and key), since the server does not ask for a client certificate.
Contents of client.conf:
client                       // this side is a client
dev tun                      // must match the server
proto udp                    // must match the server
remote 172.16.100.225 1194   // the server's real IP address and port
resolv-retry infinite        // keep retrying after a drop; useful on unstable links such as laptop Wi-Fi
nobind                       // do not bind to a fixed local port
user nobody
group nobody                 // drop privileges after start-up (Unix clients; not implemented on Windows)
persist-key
persist-tun
ca ca.crt                    // path to the CA certificate
remote-cert-tls server       // accept only a server certificate carrying the server extensions that build-key-server sets, so no other certificate from this CA can impersonate the server
tls-auth ta.key 1            // tls-auth with key direction 1; must match the server's setting
comp-lzo                     // must match the server
verb 3
auth-user-pass               // prompt for username and password
Because no client certificate is used, anyone holding ca.crt, ta.key and a valid username/password can connect, so the strength of the passwords in psw-file is the whole of the client-side security.
9. Install and configure the Windows client
Download the OpenVPN client: http://www.openvpn.net/release/openvpn-2.0.9-install.exe (a 2.0.9 build from 2006; a current installer from openvpn.net is preferable and bundles the GUI)
After installation, copy the following three files from the server into the config directory under the OpenVPN installation directory:
ca.crt  client.conf  ta.key
The Windows GUI only picks up configuration files with the .ovpn extension, so save client.conf there as client.ovpn.
Connecting
Double-click "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3"; an OpenVPN icon appears in the system tray at the bottom right. Right-click it, choose client -> Connect, and enter the username and password.
10. Firewall rules on the OpenVPN server
Flush the existing iptables rules:
iptables -F
iptables -X
Enable NAT so that packets from the VPN subnet leave through eth0 with the server's address:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Allow forwarding from the tunnel interfaces:
iptables -A FORWARD -i tun+ -j ACCEPT
Enable IP forwarding in the kernel:
echo "1" > /proc/sys/net/ipv4/ip_forward
service iptables save      // persist the iptables rules
service iptables restart   // reload iptables
Three caveats. Writing to /proc lasts only until the next reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf as well. Step 2 ran chkconfig iptables off, so run chkconfig iptables on or the saved rules will not be loaded at boot. And as the saved file below shows, the INPUT and FORWARD chains keep their ACCEPT policy, so the two rules added here do not restrict anything; they only become meaningful together with default-deny policies, and the MASQUERADE rule without a -s match also NATs anything else that is forwarded out of eth0.
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Aug 15 16:47:30 2016
*nat
:PREROUTING ACCEPT [38:8664]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Aug 15 16:47:30 2016
# Generated by iptables-save v1.4.7 on Mon Aug 15 16:47:30 2016
*filter
:INPUT ACCEPT [218:28319]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:13949]
-A FORWARD -i tun+ -j ACCEPT
COMMIT
# Completed on Mon Aug 15 16:47:30 2016
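A default-deny version of /etc/sysconfig/iptables for the same setup, as an added example rather than the original post's file. It keeps the values from server.conf (udp/1194, subnet 10.8.0.0/24) and the interface name eth0; the SSH rule on tcp/22 and the decision to allow ICMP are assumptions, and the comments are on their own lines because iptables-restore does not accept trailing comments on rule lines.

```text
# /etc/sysconfig/iptables (iptables-restore format); load with: service iptables restart
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# OpenVPN itself: proto udp, port 1194, as in server.conf
-A INPUT -p udp --dport 1194 -j ACCEPT
# administrative SSH (assumed); narrow with -s to your management network
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# VPN clients may initiate connections out through eth0, nothing else may be forwarded in
-A FORWARD -i tun+ -o eth0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT only the VPN subnet, not everything that happens to leave via eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
```

Traffic between clients does not pass the FORWARD chain, because with client-to-client in server.conf OpenVPN switches it internally; if you want that traffic policed by iptables, drop client-to-client and add tun+ to tun+ FORWARD rules instead.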