OpenVPN Setup
OpenVPN is an open-source SSL-based VPN system. It supports both TCP and UDP and works for clients connecting from behind NAT devices. The OpenVPN development site is www.openvpn.net.
Environment: CentOS 6.6
PC: 172.20.20.10; OpenVPN server: eth0 172.20.20.22 (external), eth1 192.168.10.0/24
1. Check connectivity between the PC and the server
2. Configure time synchronization on the VPN server
[root@localhost ~]# /usr/sbin/ntpdate pool.ntp.org
14 Apr 22:41:42 ntpdate[1852]: step time server 110.75.186.248 offset -28800.830399 sec
[root@localhost ~]# echo '#time sync' >>/var/spool/cron/root
[root@localhost ~]# echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1' >>/var/spool/cron/root
[root@localhost ~]# crontab -l
#time sync
*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1
Note: the cron entry keeps the clock synchronized permanently (certificate validity checks depend on correct time).
3. Prepare the build environment
[root@localhost ~]# yum -y install gcc openssl*
[root@localhost ~]# mkdir -p /home/tools/openvpn
[root@localhost ~]# cd /home/tools/openvpn/
[root@localhost openvpn]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz    # LZO compression library, speeds up transfers
[root@localhost openvpn]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
[root@localhost openvpn]# ls
lzo-2.06.tar.gz  openvpn-2.2.2.tar.gz
4. Install LZO
[root@localhost openvpn]# tar zxf lzo-2.06.tar.gz
[root@localhost openvpn]# cd lzo-2.06
[root@localhost lzo-2.06]# ./configure
[root@localhost lzo-2.06]# make
[root@localhost lzo-2.06]# make install
[root@localhost lzo-2.06]# echo $?    # check the exit status of the last step (0 = success, non-zero = failure)
0
5. Install OpenVPN (note that OpenVPN depends on OpenSSL)
[root@localhost openvpn]# tar zxf openvpn-2.2.2.tar.gz
[root@localhost openvpn]# cd openvpn-2.2.2
[root@localhost openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@localhost openvpn-2.2.2]# make
[root@localhost openvpn-2.2.2]# make install
[root@localhost openvpn-2.2.2]# echo $?
0
Note: if the OpenSSL headers are missing, configure fails with: configure: error: OpenSSL Crypto headers not found.
6. Generate the server CA certificate
[root@localhost openvpn-2.2.2]# cd easy-rsa/2.0/
[root@localhost 2.0]# cp vars vars.bak
[root@localhost 2.0]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="wangfujing"
export KEY_EMAIL="lnhxzwb@126.com"
export KEY_EMAIL=lnhxzwb@126.com
export KEY_CN=CN
export KEY_NAME=wangfujing
export KEY_OU=wangfujing
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@localhost 2.0]# . vars
[root@localhost 2.0]# . clean-all
[root@localhost 2.0]# . build-ca
Generating a 1024 bit RSA private key
........................................++++++
....++++++
Country Name (2 letter code) [CN]:    (press Enter)
State or Province Name (full name) [BJ]:    (press Enter)
Locality Name (eg, city) [Beijing]:    (press Enter)
Organization Name (eg, company) [wangfujing]:    (press Enter)
Organizational Unit Name (eg, section) [wangfujing]:    (press Enter)
Common Name (eg, your name or your server's hostname) [CN]:wangfujing    (should be the server's FQDN)
Name [wangfujing]:    (press Enter)
Email Address [lnhxzwb@126.com]:    (press Enter)
[root@localhost 2.0]# ll keys/
总用量 12
-rw-r--r--. 1 root root 1375 4月 14 23:56 ca.crt
-rw-------. 1 root root  916 4月 14 23:56 ca.key
-rw-r--r--. 1 root root    0 4月 14 23:54 index.txt
-rw-r--r--. 1 root root    3 4月 14 23:54 serial
7. Generate the server certificate and key
[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...................++++++
....++++++
Country Name (2 letter code) [CN]:    (press Enter)
State or Province Name (full name) [BJ]:    (press Enter)
Locality Name (eg, city) [Beijing]:    (press Enter)
Organization Name (eg, company) [wangfujing]:    (press Enter)
Organizational Unit Name (eg, section) [wangfujing]:    (press Enter)
Common Name (eg, your name or your server's hostname) [server]:    (press Enter)
Name [wangfujing]:    (press Enter)
Email Address [lnhxzwb@126.com]:    (press Enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    (press Enter)
An optional company name []:wangfujing
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'wangfujing'
organizationalUnitName:PRINTABLE:'wangfujing'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'wangfujing'
emailAddress          :IA5STRING:'lnhxzwb@126.com'
Certificate is to be certified until Apr 12 16:07:13 2026 GMT (3650 days)
Sign the certificate? [y/n]:y    (confirm signing)
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ll keys/
总用量 48
-rw-r--r--. 1 root root 4100 4月 15 00:07 01.pem
-rw-r--r--. 1 root root 1375 4月 14 23:56 ca.crt
-rw-------. 1 root root  916 4月 14 23:56 ca.key
-rw-r--r--. 1 root root  132 4月 15 00:07 index.txt
-rw-r--r--. 1 root root   21 4月 15 00:07 index.txt.attr
-rw-r--r--. 1 root root    0 4月 14 23:54 index.txt.old
-rw-r--r--. 1 root root    3 4月 15 00:07 serial
-rw-r--r--. 1 root root    3 4月 14 23:54 serial.old
-rw-r--r--. 1 root root 4100 4月 15 00:07 server.crt
-rw-r--r--. 1 root root  790 4月 15 00:07 server.csr
-rw-------. 1 root root  912 4月 15 00:07 server.key
8. Generate the client certificate and key files
[root@localhost 2.0]# ./build-key test    # no passphrase is required when connecting
Generating a 1024 bit RSA private key
...............++++++
......++++++
writing new private key to 'test.key'
Country Name (2 letter code) [CN]:    (press Enter)
State or Province Name (full name) [BJ]:    (press Enter)
Locality Name (eg, city) [Beijing]:    (press Enter)
Organization Name (eg, company) [wangfujing]:    (press Enter)
Organizational Unit Name (eg, section) [wangfujing]:    (press Enter)
Common Name (eg, your name or your server's hostname) [test]:    (press Enter)
Name [wangfujing]:    (press Enter)
Email Address [lnhxzwb@126.com]:    (press Enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    (press Enter)
An optional company name []:wangfujing
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'wangfujing'
organizationalUnitName:PRINTABLE:'wangfujing'
commonName            :PRINTABLE:'test'
name                  :PRINTABLE:'wangfujing'
emailAddress          :IA5STRING:'lnhxzwb@126.com'
Certificate is to be certified until Apr 12 16:13:23 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ./build-key-pass ett    # a passphrase must be entered before connecting
Generating a 1024 bit RSA private key
.++++++
.....++++++
writing new private key to 'ett.key'
Enter PEM pass phrase:    (enter the passphrase)
Verifying - Enter PEM pass phrase:    (confirm the passphrase)
-----
Country Name (2 letter code) [CN]:    (press Enter)
State or Province Name (full name) [BJ]:    (press Enter)
Locality Name (eg, city) [Beijing]:    (press Enter)
Organization Name (eg, company) [wangfujing]:    (press Enter)
Organizational Unit Name (eg, section) [wangfujing]:    (press Enter)
Common Name (eg, your name or your server's hostname) [ett]:    (press Enter)
Name [wangfujing]:    (press Enter)
Email Address [lnhxzwb@126.com]:    (press Enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:wangfujing
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'wangfujing'
organizationalUnitName:PRINTABLE:'wangfujing'
commonName            :PRINTABLE:'ett'
name                  :PRINTABLE:'wangfujing'
emailAddress          :IA5STRING:'lnhxzwb@126.com'
Certificate is to be certified until Apr 12 16:16:27 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
9. Generate the Diffie-Hellman key-exchange parameters
[root@localhost 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...................+..................+..................................+
......+...............................................................+...
...+......................................................................
..........................................................................
..........................................................................
.............+..............+................+...+......+.................
.....................+....................................................
......................................................++*++*++*
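Before copying the files into /etc/openvpn it is worth confirming that what build-key-server produced really is a server certificate: it must chain to ca.crt and carry the nsCertType=server extension that the client's "ns-cert-type server" line later relies on, which certificates from plain build-key (such as test.crt) do not have. The script below is an added example, not part of the original post or of easy-rsa; it assumes the openssl command-line tool and constructs its own throwaway CA, server and client certificate in a temporary directory so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a certificate is usable
# as the OpenVPN *server* certificate. Assumes the openssl CLI; all file names
# and the demo PKI below are constructed stand-ins for easy-rsa's keys/ directory.
set -eu

# check_server_cert CA_CRT CRT -> returns 0 if CRT chains to CA_CRT and has nsCertType=server
check_server_cert() {
    ca="$1"; crt="$2"
    # 1. the certificate must be signed by the CA that clients are given
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "$crt: not signed by $ca"; return 1; }
    # 2. build-key-server adds nsCertType=server; build-key (client certs) does not
    if ! openssl x509 -in "$crt" -noout -text | grep -q 'SSL Server'; then
        echo "$crt: missing nsCertType=server (a client certificate?)"; return 1
    fi
    echo "$crt: OK, $(openssl x509 -in "$crt" -noout -subject)"
}

# make_demo_pki -> prints a temp dir holding a constructed CA, server cert and client cert
make_demo_pki() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/C=CN/ST=BJ/L=Beijing/O=wangfujing/CN=wangfujing" >/dev/null 2>&1
    # server certificate: signed by the CA with the nsCertType=server extension
    printf 'nsCertType=server\n' > "$d/server.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/CN=server" >/dev/null 2>&1
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 3650 -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
    # client certificate "test": signed by the same CA but without the extension
    openssl req -newkey rsa:2048 -nodes -keyout "$d/test.key" -out "$d/test.csr" \
        -subj "/CN=test" >/dev/null 2>&1
    openssl x509 -req -in "$d/test.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 3650 -out "$d/test.crt" >/dev/null 2>&1
    echo "$d"
}

# Demo run: the server certificate passes, the client certificate is rejected
demo=$(make_demo_pki)
check_server_cert "$demo/ca.crt" "$demo/server.crt"
check_server_cert "$demo/ca.crt" "$demo/test.crt" || true
```

On the real server, run check_server_cert against easy-rsa's keys/ca.crt and keys/server.crt instead of the demo directory.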
10. Create the configuration files
[root@localhost 2.0]# mkdir /etc/openvpn
[root@localhost 2.0]# cp -ap keys /etc/openvpn/    # copy the whole keys/ directory so the files land in /etc/openvpn/keys/, the paths server.conf uses below
[root@localhost 2.0]# cd /home/tools/openvpn/openvpn-2.2.2/sample-config-files
[root@localhost sample-config-files]# cp server.conf client.conf /etc/openvpn/
[root@localhost sample-config-files]# cd /etc/openvpn/
[root@localhost openvpn]# cp server.conf server.conf.bak
[root@localhost openvpn]# grep -vE ";|#|^$" server.conf.bak > server.conf    # strip comments and blank lines; read from the backup, since redirecting grep onto its own input file truncates it first
[root@localhost openvpn]# vim server.conf
local 172.20.10.22                        # server address
port 1194                                 # listening port; 1194 is the default, change it in production
proto tcp                                 # protocol; the default is udp, tcp is used here in production
dev tun                                   # device mode: tun (routed, the default) or tap (bridged)
ca /etc/openvpn/keys/ca.crt               # CA certificate; keep it in the same directory as server.conf or give the absolute path
cert /etc/openvpn/keys/server.crt         # server certificate; same directory as server.conf or an absolute path
key /etc/openvpn/keys/server.key          # server private key; same directory as server.conf or an absolute path
dh /etc/openvpn/keys/dh1024.pem           # Diffie-Hellman parameters; same directory as server.conf or an absolute path
server 10.8.0.0 255.255.255.0             # VPN address pool
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"       # route pushed to clients; one push line per subnet
client-to-client                          # allow clients to talk to each other
#duplicate-cn                             # allow the same certificate to be connected from several places at once
keepalive 10 120                          # ping every 10 seconds; drop the peer after 120 seconds without a reply
comp-lzo                                  # enable compression
persist-key                               # do not re-read the private key when the tunnel restarts after a timeout
persist-tun                               # keep the tun/tap device open when keepalive restarts the tunnel
status openvpn-status.log                 # status log
log /var/log/openvpn.log                  # log file
verb 3                                    # log verbosity
11. Enable IP forwarding
[root@localhost openvpn]# sed -i 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf    # edit the existing key in place; writing with ">" would wipe the rest of sysctl.conf
[root@localhost openvpn]# sysctl -p | grep ip_forward    # reload and confirm
net.ipv4.ip_forward = 1
12. Start the service and check it
[root@localhost openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[root@localhost openvpn]# netstat -lntup |grep vpn
tcp        0      0 172.20.10.22:1194           0.0.0.0:*                   LISTEN      18202/openvpn
[root@localhost openvpn]# echo '#startup openvpn service by wangfujing' >> /etc/rc.local
[root@localhost openvpn]# echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >>/etc/rc.local
[root@localhost openvpn]# tail -2 /etc/rc.local
#startup openvpn service by wangfujing
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
[root@localhost openvpn]# ifconfig    # a new virtual interface has appeared
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
13. Test
[root@localhost keys]# sz -y ca.crt test.key test.crt    (download the client certificate and key)
On the Windows client, download and install the client that matches your system type:
https://openvpn.net/index.php/download/community-downloads.html
Edit the configuration: place the certificate, key and configuration file in the config directory under the OpenVPN installation directory.
The configuration file contents are as follows:
client
dev tun
proto tcp
remote 172.20.10.22 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3
14. Connection test
A green icon means the connection succeeded.