Setting up OpenVPN

Author: admin   Category: Linux   Published: 2019-04-28 20:58   Views: 931

OpenVPN is an open-source, SSL-based VPN system. It supports both TCP and UDP and accepts connections from clients behind NAT devices. The OpenVPN project site is www.openvpn.net.

Environment: CentOS 6.6

PC: 172.20.20.10    OpenVPN server: eth0 172.20.20.22 (external), eth1 192.168.10.0/24 (internal)

1. Check connectivity between the PC and the server

[screenshot: ping test between the PC and the server]

2. Configure time synchronisation on the VPN server

[root@localhost ~]# /usr/sbin/ntpdate pool.ntp.org
14 Apr 22:41:42 ntpdate[1852]: step time server 110.75.186.248 offset -28800.830399 sec

[root@localhost ~]# echo '#time sync' >>/var/spool/cron/root

[root@localhost ~]# echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1' >>/var/spool/cron/root

[root@localhost ~]# crontab -l
#time sync
*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1

Note: the cron entry keeps the clock synchronised permanently. Accurate time matters here because certificate validity periods are checked against the server clock.

3. Prepare the build environment

[root@localhost ~]# yum -y install gcc openssl*

[root@localhost ~]# mkdir -p /home/tools/openvpn

[root@localhost ~]# cd /home/tools/openvpn/

[root@localhost openvpn]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz   #compression library, speeds up transfers

[root@localhost openvpn]# wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz

[root@localhost openvpn]# ls
lzo-2.06.tar.gz  openvpn-2.2.2.tar.gz

4. Install lzo

[root@localhost openvpn]# tar zxf lzo-2.06.tar.gz

[root@localhost openvpn]# cd lzo-2.06

[root@localhost lzo-2.06]# ./configure

[root@localhost lzo-2.06]# make

[root@localhost lzo-2.06]# make install

[root@localhost lzo-2.06]# echo $?    #check the exit status of the previous command (0 = success, non-zero = failure)
0

5. Install OpenVPN (note: OpenVPN depends on OpenSSL)

[root@localhost openvpn]# tar zxf openvpn-2.2.2.tar.gz

[root@localhost openvpn]# cd openvpn-2.2.2

[root@localhost openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib

[root@localhost openvpn-2.2.2]# make

[root@localhost openvpn-2.2.2]# make install

[root@localhost openvpn-2.2.2]# echo $?
0

Note: without OpenSSL installed, configure fails with: configure: error: OpenSSL Crypto headers not found.

6. Generate the server CA certificate

[root@localhost openvpn-2.2.2]# cd easy-rsa/2.0/

[root@localhost 2.0]# cp vars vars.bak
[root@localhost 2.0]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="wangfujing"
export KEY_EMAIL="lnhxzwb@126.com"
export KEY_CN=CN
export KEY_NAME=wangfujing
export KEY_OU=wangfujing
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

[root@localhost 2.0]# . vars

[root@localhost 2.0]# . clean-all
[root@localhost 2.0]# . build-ca

Generating a 1024 bit RSA private key

........................................++++++

....++++++

Country Name (2 letter code) [CN]:        (press Enter)
State or Province Name (full name) [BJ]:  (press Enter)
Locality Name (eg, city) [Beijing]:       (press Enter)
Organization Name (eg, company) [wangfujing]:   (press Enter)
Organizational Unit Name (eg, section) [wangfujing]:  (press Enter)
Common Name (eg, your name or your server's hostname) [CN]:wangfujing   (should be the server's FQDN)
Name [wangfujing]:                 (press Enter)
Email Address [lnhxzwb@126.com]:   (press Enter)
[root@localhost 2.0]# ll keys/
total 12
-rw-r--r--. 1 root root 1375 Apr 14 23:56 ca.crt
-rw-------. 1 root root  916 Apr 14 23:56 ca.key
-rw-r--r--. 1 root root    0 Apr 14 23:54 index.txt
-rw-r--r--. 1 root root    3 Apr 14 23:54 serial

7. Generate the server key and certificate

[root@localhost 2.0]# ./build-key-server server

Generating a 1024 bit RSA private key

...................++++++

....++++++

Country Name (2 letter code) [CN]: (press Enter)
State or Province Name (full name) [BJ]:(press Enter)
Locality Name (eg, city) [Beijing]:(press Enter)
Organization Name (eg, company) [wangfujing]:(press Enter)
Organizational Unit Name (eg, section) [wangfujing]:(press Enter)
Common Name (eg, your name or your server's hostname) [server]:(press Enter)
Name [wangfujing]:(press Enter)
Email Address [lnhxzwb@126.com]:(press Enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(press Enter)
An optional company name []:wangfujing
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok

The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'wangfujing'
organizationalUnitName:PRINTABLE:'wangfujing'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'wangfujing'
emailAddress          :IA5STRING:'lnhxzwb@126.com'
Certificate is to be certified until Apr 12 16:07:13 2026 GMT (3650 days)
Sign the certificate? [y/n]:y     (confirm signing)
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ll keys/
total 48
-rw-r--r--. 1 root root 4100 Apr 15 00:07 01.pem
-rw-r--r--. 1 root root 1375 Apr 14 23:56 ca.crt
-rw-------. 1 root root  916 Apr 14 23:56 ca.key
-rw-r--r--. 1 root root  132 Apr 15 00:07 index.txt
-rw-r--r--. 1 root root   21 Apr 15 00:07 index.txt.attr
-rw-r--r--. 1 root root    0 Apr 14 23:54 index.txt.old
-rw-r--r--. 1 root root    3 Apr 15 00:07 serial
-rw-r--r--. 1 root root    3 Apr 14 23:54 serial.old
-rw-r--r--. 1 root root 4100 Apr 15 00:07 server.crt
-rw-r--r--. 1 root root  790 Apr 15 00:07 server.csr
-rw-------. 1 root root  912 Apr 15 00:07 server.key

8. Generate the client certificates and key files

[root@localhost 2.0]# ./build-key test  #no passphrase is required when connecting

Generating a 1024 bit RSA private key

...............++++++

......++++++

writing new private key to 'test.key'
Country Name (2 letter code) [CN]:     (press Enter)
State or Province Name (full name) [BJ]:   (press Enter)
Locality Name (eg, city) [Beijing]:     (press Enter)
Organization Name (eg, company) [wangfujing]:   (press Enter)
Organizational Unit Name (eg, section) [wangfujing]:   (press Enter)
Common Name (eg, your name or your server's hostname) [test]:   (press Enter)
Name [wangfujing]:   (press Enter)
Email Address [lnhxzwb@126.com]:   (press Enter)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   (press Enter)
An optional company name []:wangfujing
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'wangfujing'
organizationalUnitName:PRINTABLE:'wangfujing'
commonName            :PRINTABLE:'test'
name                  :PRINTABLE:'wangfujing'
emailAddress          :IA5STRING:'lnhxzwb@126.com'
Certificate is to be certified until Apr 12 16:13:23 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ./build-key-pass ett  #a passphrase must be entered before connecting

Generating a 1024 bit RSA private key

.++++++
.....++++++

writing new private key to 'ett.key'
Enter PEM pass phrase:              (enter the passphrase)
Verifying - Enter PEM pass phrase:  (confirm the passphrase)

-----

Country Name (2 letter code) [CN]:(press Enter)
State or Province Name (full name) [BJ]:(press Enter)
Locality Name (eg, city) [Beijing]:(press Enter)
Organization Name (eg, company) [wangfujing]:(press Enter)
Organizational Unit Name (eg, section) [wangfujing]:(press Enter)
Common Name (eg, your name or your server's hostname) [ett]:(press Enter)
Name [wangfujing]:(press Enter)
Email Address [lnhxzwb@126.com]:(press Enter)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:wangfujing
Using configuration from /home/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'wangfujing'
organizationalUnitName:PRINTABLE:'wangfujing'
commonName            :PRINTABLE:'ett'
name                  :PRINTABLE:'wangfujing'
emailAddress          :IA5STRING:'lnhxzwb@126.com'
Certificate is to be certified until Apr 12 16:16:27 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

9. Generate the Diffie-Hellman (key agreement) parameters

[root@localhost 2.0]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...................+..................+..................................+
......+...............................................................+...
...+......................................................................
..........................................................................
..........................................................................
.............+..............+................+...+......+.................
.....................+....................................................
......................................................++*++*++*

10. Create the configuration files

[root@localhost 2.0]# mkdir /etc/openvpn

[root@localhost 2.0]# cp -ap keys /etc/openvpn/      #copies the whole keys/ directory to /etc/openvpn/keys/, the paths server.conf refers to below

[root@localhost 2.0]# cd /home/tools/openvpn/openvpn-2.2.2/sample-config-files

[root@localhost sample-config-files]# cp server.conf client.conf /etc/openvpn/

[root@localhost sample-config-files]# cd /etc/openvpn/

[root@localhost openvpn]# cp server.conf server.conf.bak

[root@localhost openvpn]# grep -vE ";|#|^$" server.conf.bak > server.conf     #strip comments and blank lines; read from the backup, because "grep ... server.conf > server.conf" truncates the file before grep reads it
[root@localhost openvpn]# vim server.conf
local 172.20.10.22        #server address
port 1194                 #listening port, default 1194; changing it is recommended in production
proto tcp                 #protocol, default udp; tcp is used in production
dev tun                   #mode, default is routed mode (tun); tap or tun
ca /etc/openvpn/keys/ca.crt          #CA certificate; must be in the same directory as server.conf, otherwise give the absolute path
cert /etc/openvpn/keys/server.crt    #server certificate; must be in the same directory as server.conf, otherwise give the absolute path
key /etc/openvpn/keys/server.key     #server private key; must be in the same directory as server.conf, otherwise give the absolute path
dh /etc/openvpn/keys/dh1024.pem      #Diffie-Hellman parameters; must be in the same directory as server.conf, otherwise give the absolute path
server 10.8.0.0 255.255.255.0        #VPN address pool
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"  #route pushed to clients; add one line per subnet
client-to-client                     #allow clients to communicate with each other
#duplicate-cn                        #allow the same client certificate to log in from several places at once
keepalive 10 120                     #ping every 10 seconds; disconnect if no packet is received for 120 seconds
comp-lzo                             #enable compression
persist-key                          #do not re-read the private key when reconnecting after a timeout
persist-tun                          #keep the tun/tap device open when keepalive detects a timeout and restarts the VPN

status openvpn-status.log            #status file
log /var/log/openvpn.log             #log file
verb 3                               #log verbosity

11. Enable IP forwarding

[root@localhost openvpn]# echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf     #append; a single '>' would overwrite the rest of sysctl.conf

[root@localhost openvpn]# sysctl -p            #reload
net.ipv4.ip_forward = 1

12. Start the service and check it

[root@localhost openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &

[root@localhost openvpn]# netstat -lntup |grep vpn
tcp        0      0 172.20.10.22:1194           0.0.0.0:*                   LISTEN      18202/openvpn

[root@localhost openvpn]# echo '#startup openvpn service by wangfujing' >> /etc/rc.local

[root@localhost openvpn]# echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >>/etc/rc.local

[root@localhost openvpn]# tail -2 /etc/rc.local
#startup openvpn service by wangfujing
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &

[root@localhost openvpn]# ifconfig              #a new virtual interface appears
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
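Once the server is running, the status line in server.conf makes it write openvpn-status.log, which is the quickest way to see who is connected. The following monitor is an added example, not part of the original post: the log text is constructed here in OpenVPN's default status-version 1 layout, and the names and addresses in it are made up.

```python
import csv
from collections import defaultdict

# Constructed sample of the openvpn-status.log that the 'status' line in server.conf makes
# the server write (default status-version 1 layout); names and addresses are made up.
STATUS_LOG = """OpenVPN CLIENT LIST
Updated,Mon Apr 15 00:30:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
test,172.20.20.10:49152,10240,20480,Mon Apr 15 00:20:00 2019
test,172.20.20.77:51000,512,1024,Mon Apr 15 00:28:00 2019
ett,172.20.20.11:40000,2048,4096,Mon Apr 15 00:25:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,test,172.20.20.10:49152,Mon Apr 15 00:29:50 2019
10.8.0.10,test,172.20.20.77:51000,Mon Apr 15 00:29:55 2019
10.8.0.14,ett,172.20.20.11:40000,Mon Apr 15 00:29:40 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Return the CLIENT LIST section as {(common name, real address): session dict}."""
    sessions, in_clients = {}, False
    for row in csv.reader(text.splitlines()):
        if not row:
            continue
        if row[0] == "OpenVPN CLIENT LIST":
            in_clients = True
        elif row[0] in ("ROUTING TABLE", "GLOBAL STATS", "END"):
            in_clients = False
        elif in_clients and row[0] not in ("Updated", "Common Name"):
            cn, real, rx, tx, since = row
            sessions[(cn, real)] = {"cn": cn, "real": real, "rx": int(rx), "tx": int(tx), "since": since}
    return sessions

def shared_common_names(text):
    """Common names connected from more than one real address in the same snapshot.
    This normally only happens with duplicate-cn enabled (it is commented out in step 10);
    a hit means one client certificate is in use on several hosts and should be reissued."""
    by_cn = defaultdict(set)
    for s in parse_status(text).values():
        by_cn[s["cn"]].add(s["real"])
    return {cn: sorted(a) for cn, a in by_cn.items() if len(a) > 1}
```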

13. Test

[root@localhost keys]# sz -y ca.crt test.key test.crt     (download the client certificate and key to the PC)

On the Windows client, download and install the client that matches your system type:

https://openvpn.net/index.php/download/community-downloads.html

[screenshot: OpenVPN community download page]

Edit the configuration: put the certificate, key and config file into the config directory under the OpenVPN installation directory.

[screenshot: config directory containing the certificate, key and config file]

The config file contents are as follows:

client
dev tun
proto tcp
remote 172.20.10.22 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3
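A small audit of both the step 10 server.conf and the client config above, flagging the settings a reviewer would raise before this setup goes into production (1024-bit DH parameters, no tls-auth HMAC, ns-cert-type instead of remote-cert-tls, and the effect of client-to-client and duplicate-cn). This is an added example, not the original post's code: the config excerpts are constructed from the page's own values, and the comment stripping is the example's own parser, not OpenVPN's.

```python
import re

# Constructed excerpts of the step 10 server.conf and the step 13 client config, using the
# page's own values; inline comments are kept on purpose to show the parser strips them.
SERVER_CONF = """local 172.20.10.22        #server address
port 1194
proto tcp
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
#duplicate-cn
"""
CLIENT_CONF = """client
remote 172.20.10.22 1194
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
"""

def parse_conf(text):
    """Map directive -> list of argument lists, ignoring blank lines and '#'/';' comments."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"^[#;]|\s[#;]", raw, maxsplit=1)[0].strip()
        if line:
            words = line.split()
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def audit(text):
    """Return (directive, advice) pairs for settings worth changing before going live."""
    opts, out = parse_conf(text), []
    if "client" in opts:
        if "ns-cert-type" in opts:
            out.append(("ns-cert-type", "replace with 'remote-cert-tls server' (OpenVPN 2.1+)"))
        elif "remote-cert-tls" not in opts:
            out.append(("remote-cert-tls", "missing: any cert from the same CA, e.g. another client's, would be accepted as the server"))
    else:
        bits = re.search(r"dh(\d+)\.pem$", " ".join(opts.get("dh", [[]])[0]))
        if bits and int(bits.group(1)) < 2048:
            out.append(("dh", f"{bits.group(1)}-bit DH parameters; set KEY_SIZE=2048 in vars and rerun build-dh"))
        if "duplicate-cn" in opts:
            out.append(("duplicate-cn", "one client certificate usable from several hosts at once"))
        if "client-to-client" in opts:
            out.append(("client-to-client", "VPN clients can reach each other; drop unless needed"))
    if "tls-auth" not in opts:
        out.append(("tls-auth", "missing: add an HMAC key so unauthenticated packets are dropped before the TLS handshake"))
    return out
```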

14. Connection test

[screenshot: OpenVPN GUI client connected]

A green icon means the connection succeeded.