OpenVPN
I. Lab environment:
Internal network: 192.168.100.*  External network: 192.168.199.*  Note: on a dual-NIC host, do not set a gateway on the internal interface, otherwise routing breaks.
VPN Server: eth0 192.168.100.2 255.255.255.0, no gateway, DNS 192.168.100.21 (internal DNS server)
            eth1 192.168.199.2 255.255.255.0, gateway 192.168.199.1 (external firewall IP), DNS 114.114.114.144 (external DNS)
Client: eth0 192.168.199.228 255.255.255.0, gateway 192.168.199.1, DNS 114.114.114.114
II. Installation steps:
1. Disable the firewall and SELinux on every machine.
2. Check that the VPN server can ping the client's eth0 interface; if it cannot, fix the routes with the route command.
3. Check the VPN server's OS version
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[[email protected] ~]# uname -r
2.6.32-642.el6.x86_64
4. Install the ntpdate time-sync tool
yum install ntpdate -y
5. Sync the server clock (certificate validity checks depend on a correct clock)
[[email protected] ~]# ntpdate pool.ntp.org
23 May 09:02:08 ntpdate[1402]: step time server 52.187.51.163 offset -8.453661 sec
6. Add a cron job for periodic time sync (this step matters: sync the clock first, then add the job)
echo '#time sync' >>/var/spool/cron/root
echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1' >>/var/spool/cron/root
crontab -l
7. Install lzo
cd /usr/local/src   # the tarball is fetched into and unpacked from /usr/local/src
wget -c http://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz
tar -zxvf /usr/local/src/lzo-2.09.tar.gz
cd /usr/local/src/lzo-2.09/
./configure && make && make install
8. Install OpenVPN
rpm -qa openssl*   # before installing, check whether openssl is present; openssl-1.0.1e-48.el6.x86_64 is installed by default but is incomplete, and the OpenVPN build fails without the rest
yum install openssl* -y   # install openssl
tar -zxvf /usr/local/src/openvpn-2.3.4.tar.gz   # assumes the openvpn-2.3.4 source tarball has already been placed in /usr/local/src
cd /usr/local/src/openvpn-2.3.4/
./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib/ && make && make install
# Note: if the build stops with "configure: error: libpam required but missing", install pam-devel and rerun configure:
yum install pam-devel -y
9. Check that the install succeeded
[[email protected] openvpn-2.3.4]# which openvpn
/usr/local/sbin/openvpn
III. Configure OpenVPN
1. Download easy-rsa-master.zip
wget -O /usr/local/src/easy-rsa-master.zip https://codeload.github.com/OpenVPN/easy-rsa/zip/master   # -O gives the download its proper file name; without it wget saves it as "master"
2. Unpack easy-rsa-master.zip
unzip /usr/local/src/easy-rsa-master.zip -d /usr/local/src/
3. Copy the tree and edit vars, appending the lines below
(The command output in the following steps was captured from a copy of this tree at /usr/local/easy-rsa-server/easyrsa3 for the server side, and a second copy at /usr/local/easy-rsa-client/easyrsa3 for the client side.)
cp -R /usr/local/src/easy-rsa-master/ /usr/local/src/openvpn-2.3.4/easy-rsa   # copy into /usr/local/src/openvpn-2.3.4/ and rename easy-rsa-master to easy-rsa
cd /usr/local/src/openvpn-2.3.4/easy-rsa/easyrsa3
cp vars.example vars
vi vars   # append the following at the end of the file:
#--------------------
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "SZ"
set_var EASYRSA_REQ_CITY "Shenzhen"
set_var EASYRSA_REQ_ORG "HBGSLZ"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "Dongguan"
4. Create the server certificate and key
(1) Initialise the PKI
[[email protected] easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/easy-rsa-server/easyrsa3/pki
(2) Create the root (CA) certificate
[[email protected] easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................................................+++
....................+++
writing new private key to '/usr/local/easy-rsa-server/easyrsa3/pki/private/ca.key.5CbYGHjauj'
Enter PEM pass phrase:   # enter a passphrase here; it protects the CA key and is asked for every time a certificate is signed
Verifying - Enter PEM pass phrase:   # enter the passphrase again to confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:root   # enter the Common Name; it must differ from the Common Name of the server certificate created below
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/easy-rsa-server/easyrsa3/pki/ca.crt
########################--- pki directory layout ---###########################
[[email protected] easyrsa3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── issued
├── private
│ └── ca.key
├── reqs
└── serial
4 directories, 4 files
########################--- pki directory layout ---###########################
(3) Create the server certificate request
[[email protected] easyrsa3]# ./easyrsa gen-req server nopass   # generate the server key and request without a passphrase, so the daemon can start unattended
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.........................+++
........+++
writing new private key to '/usr/local/easy-rsa-server/easyrsa3/pki/private/server.key.L3bOcsqIxh'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:vpn01.hbgslz.com   # enter the Common Name; it must differ from the Common Name of the root certificate created above
Keypair and certificate request completed. Your files are:
req: /usr/local/easy-rsa-server/easyrsa3/pki/reqs/server.req
key: /usr/local/easy-rsa-server/easyrsa3/pki/private/server.key
########################--- pki directory layout ---###########################
[[email protected] easyrsa3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── issued
├── private
│ ├── ca.key
│ └── server.key
├── reqs
│ └── server.req
└── serial
4 directories, 6 files
########################--- pki directory layout ---###########################
(4) Sign the server certificate
[[email protected] easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = vpn01.hbgslz.com
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes   # type yes to continue
Using configuration from /usr/local/easy-rsa-server/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/easy-rsa-server/easyrsa3/pki/private/ca.key:   # enter the passphrase chosen when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'vpn01.hbgslz.com'
Certificate is to be certified until May 22 03:59:15 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/easy-rsa-server/easyrsa3/pki/issued/server.crt
########################--- pki directory layout ---###########################
[[email protected] easyrsa3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
│ └── 01.pem
├── index.txt
├── index.txt.attr
├── index.txt.old
├── issued
│ └── server.crt
├── private
│ ├── ca.key
│ └── server.key
├── reqs
│ └── server.req
├── serial
└── serial.old
4 directories, 11 files
########################--- pki directory layout ---###########################
(5) Generate the Diffie-Hellman parameters (used so that session keys can be agreed across an untrusted network)
[[email protected] easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................+..........................................................................................................................................................................................++*++*
DH parameters of size 2048 created at /usr/local/src/openvpn-2.3.4/easy-rsa-master/easyrsa3/pki/dh.pem
# Note: this takes a while; be patient.
########################--- pki directory layout ---###########################
[[email protected] easyrsa3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
│ └── 01.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.old
├── issued
│ └── server.crt
├── private
│ ├── ca.key
│ └── server.key
├── reqs
│ └── server.req
├── serial
└── serial.old
4 directories, 12 files
########################--- pki directory layout ---###########################
5. Create the client certificate
(1) Switch to /usr/local/easy-rsa-client/easyrsa3 (the second copy of the easy-rsa tree, used for the client side) and initialise its PKI
[[email protected] easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/easy-rsa-client/easyrsa3/pki
(2) Create the client key and certificate request
[[email protected] easyrsa3]# ./easyrsa gen-req F3229732
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............+++
......................................................+++
writing new private key to '/usr/local/easy-rsa-client/easyrsa3/pki/private/F3229732.key.ld5qzi8xm0'
Enter PEM pass phrase:   # enter the client certificate passphrase; the client will ask for it on every connection
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [F3229732]:F3229732   # enter the certificate name
Keypair and certificate request completed. Your files are:
req: /usr/local/easy-rsa-client/easyrsa3/pki/reqs/F3229732.req
key: /usr/local/easy-rsa-client/easyrsa3/pki/private/F3229732.key
(3) Switch back to /usr/local/easy-rsa-server/easyrsa3, import the request /usr/local/easy-rsa-client/easyrsa3/pki/reqs/F3229732.req and sign it
# Step 1: import the request
[[email protected] easyrsa3]# ./easyrsa import-req /usr/local/easy-rsa-client/easyrsa3/pki/reqs/F3229732.req F3229732
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: F3229732
You may now use this name to perform signing operations on this request.
########################################################################################
# Step 2: sign the certificate
[[email protected] easyrsa3]# ./easyrsa sign client F3229732
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = F3229732
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes   # type yes to continue
Using configuration from /usr/local/easy-rsa-server/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/easy-rsa-server/easyrsa3/pki/private/ca.key:   # enter the passphrase chosen when the root certificate was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'F3229732'
Certificate is to be certified until May 22 04:12:07 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/easy-rsa-server/easyrsa3/pki/issued/F3229732.crt   # signed successfully
6. Collect the important certificate files
Server side (/usr/local/easy-rsa-server/easyrsa3/pki/)
/usr/local/easy-rsa-server/easyrsa3/pki/ca.crt
/usr/local/easy-rsa-server/easyrsa3/pki/reqs/server.req
/usr/local/easy-rsa-server/easyrsa3/pki/private/server.key
/usr/local/easy-rsa-server/easyrsa3/pki/issued/server.crt
/usr/local/easy-rsa-server/easyrsa3/pki/dh.pem
Note: once the server certificate has been generated, copy the whole pki directory to /etc/openvpn/ (create that directory by hand). server.conf only reads ca.crt, issued/server.crt, private/server.key and dh.pem; private/ca.key is needed only for signing and should stay readable by root alone.
##################################server.conf#############################################
local 192.168.199.2   # the VPN server's own external IP (the netstat output in section V shows the daemon bound to this address)
port 1194
proto tcp   # protocol; UDP is the default, but TCP is required when going through an HTTP proxy
dev tun   # device type, tap or tun: tap is a layer-2 device and carries link-layer protocols; tun is an IP-layer point-to-point device with a few more restrictions
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key   # This file should be kept secret
dh pki/dh.pem
keepalive 10 120
client-to-client
duplicate-cn   # if several clients use certificates with the same Common Name, i.e. share one CA-issued cert and key, this option must be on, otherwise only one of them can connect at a time. With one certificate per user, as in this guide, leave it off so that every connection maps to exactly one user.
comp-lzo   # compress the data; must be set identically on server and client
max-clients 100   # maximum number of connections
persist-key   # after a keepalive timeout restarts the VPN, do not re-read the keys; keep the ones loaded first
persist-tun   # after a keepalive timeout restarts the VPN, keep the tun/tap device up instead of taking it down and up again
status openvpn-status.log   # status log; OpenVPN writes its state to this file periodically
#log /var/log/openvpn.log   # log truncates the file at every start; keep only one of log and log-append, and log-append is the one wanted here
log-append /var/log/openvpn.log   # keep the existing log across restarts and append new messages at the end of the file
verb 3   # debug level, 0-9; see the manual
server 10.8.0.0 255.255.255.0   # address range handed to VPN clients after they connect
push "dhcp-option DNS 192.168.100.21"   # DNS server pushed to the clients
#push "dhcp-option DNS 8.8.8.8"
#push "redirect-gateway"   # makes the VPN the client's default gateway after connecting
push "route 192.168.100.0 255.255.255.0"   # the internal network behind the server; add one line per VLAN if there are several
#
#
# # bridge mode
# #server 10.8.0.0 255.255.255.0
# #server-bridge 192.168.200.1 255.255.255.0 192.168.200.202 192.168.200.205   # address pool handed to clients after dial-in; 200.1 becomes the clients' gateway
##################################server.conf#############################################
Client side (/usr/local/easy-rsa-client/easyrsa3/pki/)
/usr/local/easy-rsa-server/easyrsa3/pki/ca.crt
/usr/local/easy-rsa-client/easyrsa3/pki/private/F3229732.key
/usr/local/easy-rsa-server/easyrsa3/pki/issued/F3229732.crt
Note: each time a client certificate is generated, copy the three files above, ca.crt, F3229732.key and F3229732.crt, into the config directory under the client's OpenVPN install directory, for example c:\Program Files\OpenVPN\config,
and create a file F3229732.ovpn in that directory with roughly the following contents:
############################F3229732.ovpn contents##############################
client
dev tun
proto tcp
remote 192.168.199.2 1194   # the VPN server's external IP address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert F3229732.crt
key F3229732.key
comp-lzo
verb 3
############################F3229732.ovpn contents##############################
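An added example (not from this guide or from OpenVPN) that cross-checks the server.conf above against the client .ovpn for the settings the guide says must agree (proto, dev, comp-lzo, the server address and port) and flags the two server-side pitfalls noted in the comments, log beside log-append and duplicate-cn. The two configs embedded below are trimmed, constructed copies of the ones shown above.

```python
# Added example, not from the guide or from OpenVPN: cross-check the server.conf
# above against the client .ovpn for the settings the guide says must agree
# (proto, dev, comp-lzo, address, port) and flag two server-side pitfalls.
SERVER_CONF = """\
local 192.168.199.2   # constructed, trimmed copy of the server.conf above
proto tcp
dev tun
duplicate-cn
comp-lzo
log /var/log/openvpn.log
log-append /var/log/openvpn.log
"""
CLIENT_OVPN = """\
client
dev tun
proto tcp
remote 192.168.199.2 1194
comp-lzo
"""

def parse(text):
    """Map each option to its argument lists; blank lines and # comments are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def first(cfg, opt, width=1):   # arguments of the first occurrence of opt, padded with None
    return ((cfg.get(opt) or [[]])[0] + [None] * width)[:width]

def check(server_text, client_text):
    """Return problem strings; an empty list means the pair is consistent."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for opt in ("proto", "dev"):            # must be identical at both ends
        if first(s, opt) != first(c, opt):
            problems.append(f"{opt} differs: server {first(s, opt)[0]}, client {first(c, opt)[0]}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on one side only")
    host, port = first(c, "remote", 2)      # client must target the listening socket
    if first(s, "local")[0] not in (None, host):
        problems.append(f"client remote {host} != server local {first(s, 'local')[0]}")
    if (first(s, "port")[0] or "1194") != (port or "1194"):   # OpenVPN's default port is 1194
        problems.append(f"port differs: server {first(s, 'port')[0]}, client {port}")
    if "log" in s and "log-append" in s:     # log truncates the file, log-append appends
        problems.append("both log and log-append set; keep only one")
    if "duplicate-cn" in s:                  # lets many clients share one certificate
        problems.append("duplicate-cn set; drop it when every user has their own certificate")
    return problems
```

Run check(SERVER_CONF, CLIENT_OVPN) against the page's pair: proto, dev, comp-lzo, address and port all agree, and the two findings left are the log/log-append overlap and duplicate-cn.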
7. Enable IP forwarding (not needed in bridge mode; required in routed mode)
[[email protected] openvpn]# vim /etc/sysctl.conf
change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
[[email protected] openvpn]# sysctl -p   # run this after editing so the change takes effect, and confirm the new value appears in the output
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
8. Masquerade the packets leaving the VPN (this step is essential; without it clients cannot reach servers on the internal network)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
IV. Download and configure the OpenVPN client
1. Search Baidu for openvpn and download the OpenVPN GUI
2. The default install is recommended; the install directory is C:\Program Files (x86)\OpenVPN\
3. Copy the three client certificate files prepared above into C:\Program Files (x86)\OpenVPN\config\
4. Create client.ovpn in the config directory (the file name can be anything, but the .ovpn extension must not change) with the following contents
client
dev tun
proto tcp
remote 192.168.199.2 1194   # the VPN server's external IP address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert F3229732.crt
key F3229732.key
comp-lzo
verb 3
V. Start the VPN service on the server and test
1. Start the openvpn service on the VPN server
[[email protected] openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &   # start openvpn in the background; run it from /etc/openvpn, because the pki/ paths in server.conf are relative to the working directory
Note: the command can also be added to /etc/rc.local so that the service starts at boot; rc.local runs from /, so pass --cd to make the relative pki/ paths resolve:
echo "/usr/local/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/server.conf &" >>/etc/rc.local   # start at boot
[[email protected] openvpn]# netstat -nltup|grep vpn   # check that the VPN service is running
tcp 0 0 192.168.199.2:1194 0.0.0.0:* LISTEN 56970/openvpn
2. Open the OpenVPN client, right-click the OpenVPN icon in the taskbar notification area and choose Connect;
if the client certificate was created with a passphrase, enter it in the prompt and click OK.
3. Once connected, the client gains an extra IP address in the 10.8.0.0/24 range.
VI. Key commands
1. Start the openvpn service (--cd makes the relative pki/ paths in server.conf resolve regardless of the current directory)
openvpn --cd /etc/openvpn --config /etc/openvpn/server.conf &
2. Enable NAT; without it, packets the VPN clients send to the internal network get no replies back
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
3. Capture ping packets to analyse the connectivity
tcpdump -nnn -s 10000 | grep -i icmp
4. Check that the VPN service started correctly
netstat -lntup | grep vpn