当前位置:   article > 正文

Centos7搭建OPEN

Centos7搭建OPEN

一,安装服务
1,安装openvpn

[root@ c7-41 ~] yum -y install epel-re*
[root@ c7-41 ~] yum -y install openvpn
[root@ c7-41 ~] rpm -qa |grep openvpn
openvpn-2.4.8-1.el7.x86_64
  • 1
  • 2
  • 3
  • 4

2,安装open-rsa

[root@ c7-41 ~] wget https://github.com/OpenVPN/easy-rsa/archive/master.zip #下载
[root@ c7-41 ~] unzip master.zip #解压
[root@ c7-41 ~] mv easy-rsa-master/ easy-rsa
[root@ c7-41 ~] cp -R easy-rsa/ /etc/openvpn/
[root@ c7-41 ~] ls /etc/openvpn/
client  easy-rsa  server
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6

3,配置vars文件

[root@ c7-41 ~] cd /etc/openvpn/easy-rsa/easyrsa3/
[root@ c7-41 easyrsa3] cp vars.example vars
[root@ c7-41 easyrsa3] cat >>vars<<EOF
set_var EASYRSA_REQ_COUNTRY     "CN" 
set_var EASYRSA_REQ_PROVINCE    "BJ" 
set_var EASYRSA_REQ_CITY        "Beijing" 
set_var EASYRSA_REQ_ORG         "Benet" 
set_var EASYRSA_REQ_EMAIL       "xxxxxxx@qq.com" 
set_var EASYRSA_REQ_OU          "dynamic" 
EOF
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10

二,创建server证书
4,初始化目录

[root@ c7-41 easyrsa3] ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6

5,创建CA证书

[root@ c7-41 easyrsa3] ./easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: #123456
Re-Enter New CA Key Passphrase: #123456
Generating RSA private key, 2048 bit long modulus
................................................+++
.+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic #拥有者

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23

6,创建服务端证书

[root@ c7-41 easyrsa3] ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.....+++
.........................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1997.WQm9ot/tmp.KN2Hts'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: #dynamic-server

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21

7,签约服务端证书

[root@ c7-41 easyrsa3] ./easyrsa sign server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = dynamic-server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: #yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-2023.n85PSv/tmp.XjwFLm
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #123456 ca密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-server'
Certificate is to be certified until Aug  8 06:42:27 2022 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31

8,创建数据穿越密钥

[root@ c7-41 easyrsa3] ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time #时间会有点长
...............................................................+....................................................................................................................................................................................................................................................................+...........................................+....................+..............................................................................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

三,创建client证书
9,初始化目录

[root@ c7-41 easyrsa3] cd /etc/openvpn/client/
[root@ c7-41 client] cp -R /root/easy-rsa/ client
[root@ c7-41 client] cd client/easyrsa3/
[root@ c7-41 easyrsa3] ls
easyrsa  openssl-easyrsa.cnf  vars.example  x509-types
[root@ c7-41 easyrsa3] ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/client/easyrsa3/pki
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

10,创建客户端CA证书

[root@ c7-41 easyrsa3] ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: #123456
Re-Enter New CA Key Passphrase: #123456
Generating RSA private key, 2048 bit long modulus
...............................................+++
......+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #dynamic

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/client/client/easyrsa3/pki/ca.crt
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21

11,创建客户端证书

[root@ c7-41 easyrsa3] ./easyrsa gen-req client1
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
........................................................+++
.....+++
writing new private key to '/etc/openvpn/client/client/easyrsa3/pki/easy-rsa-2206.uzz9W3/tmp.Zk3AAg'
Enter PEM pass phrase: #123456
Verifying - Enter PEM pass phrase: #123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]: #dynamic-client1

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req
key: /etc/openvpn/client/client/easyrsa3/pki/private/client1.key
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21

12,导入客户端证书

[root@ c7-41 easyrsa3] cd /etc/openvpn/easy-rsa/easyrsa3/
[root@ c7-41 easyrsa3] ./easyrsa import-req /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

13,签约客户端证书

[root@ c7-41 easyrsa3] ./easyrsa sign client client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = dynamic-client1


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: #yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-2286.nEJsJH/tmp.8rGYcb
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #123456
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-client1'
Certificate is to be certified until Aug  8 07:03:05 2022 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31

四,配置openvpn
14,拷贝证书文件

[root@ c7-41 easyrsa3] cd /etc/openvpn/easy-rsa/easyrsa3/pki/
[root@ c7-41 pki] cp ca.crt /etc/openvpn/server/
[root@ c7-41 pki] cp private/server.key /etc/openvpn/server/
[root@ c7-41 pki] cp issued/server.crt /etc/openvpn/server/
[root@ c7-41 pki] cp dh.pem /etc/openvpn/server/
[root@ c7-41 pki] cp ca.crt /etc/openvpn/client/
[root@ c7-41 pki] cp issued/client1.crt /etc/openvpn/client/
[root@ c7-41 pki] cp /etc/openvpn/client/client/easyrsa3/pki/private/client1.key /etc/openvpn/client/

[root@ c7-41 pki] ls /etc/openvpn/server/
ca.crt  dh.pem  server.crt  server.key
[root@ c7-41 pki] ls /etc/openvpn/client/
ca.crt  client  client1.crt  client1.key
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13

五,配置server.conf
15,超链接配置文件server.conf

[root@ c7-41 pki] cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/
[root@ c7-41 pki] cd /etc/openvpn/
[root@ c7-41 openvpn] cp server.conf server.conf.bak
[root@ c7-41 openvpn] egrep -v "^#|^;|^$" server.conf.bak > server.conf
[root@ c7-41 openvpn] vim server.conf
[root@ c7-41 openvpn] cat server.conf
local 0.0.0.0 	#填写自己openVPN服务器的ip,默认侦听服务器上所有的ip
port 55555 		#侦听端口,默认1194
proto tcp 		#端口协议,默认udp,也可以开启tcp方便映射转发
dev tun 		#默认创建一个路由ip隧道
ca /etc/openvpn/server/ca.crt 			#根证书
cert /etc/openvpn/server/server.crt 	#证书
key /etc/openvpn/server/server.key 		#私钥文件
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0 			#设置服务器模式,提供一个VPN子网
push "route 172.16.1.0 255.255.255.0" 	#推送路由信息到客户端,允许客户端能够连接到服务器背后的其他私有子网
ifconfig-pool-persist ipp.txt 			#指定用于记录客户端和虚拟ip地址的关联联系的文件
keepalive 10 120 			#keepalive指令将导致类似于ping命令被来回发送
persist-key
persist-tun
status openvpn-status.log 	#状态日志
verb 3    					#日志级别0-9 ,等级越高,记录越多
comp-lzo  					#在VPN连接上启用压缩
client-to-client        	#允许客户端之间沟通
log /var/log/openvpn.log
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25

16,配置firewalld转发并启动

[root@ c7-41 openvpn] systemctl stop firewalld
[root@ c7-41 openvpn] echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf 
[root@ c7-41 openvpn] sysctl -p
net.ipv4.ip_forward = 1  
[root@ c7-41 openvpn] openvpn --daemon --config /etc/openvpn/server.conf
[root@ c7-41 openvpn] echo "openvpn --daemon --config /etc/openvpn/server.conf">>/etc/rc.d/rc.local
[root@ c7-41 openvpn] ll /etc/rc.d/rc.local
-rw-r--r--. 1 root root 524 May  5 15:42 /etc/rc.d/rc.local
[root@ c7-41 openvpn] chmod +x /etc/rc.d/rc.local
[root@ c7-41 openvpn] ll /etc/rc.d/rc.local
-rwxr-xr-x. 1 root root 524 May  5 15:42 /etc/rc.d/rc.local
[root@ c7-41 openvpn] ps -ef | grep openvpn
root      12749      1  0 15:42 ?        00:00:00 openvpn --daemon --config /etcopenvpn/server.conf
root      17999   1699  0 15:42 pts/0    00:00:00 grep --color=auto openvpn
[root@ c7-41 openvpn] ss -anpt| grep 55555
LISTEN     0      32           *:55555                    *:*                   users:(("openvpn",pid=12749,fd=6))
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16

17,安装客户端(win-10系统)
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
18,客户端证书下载

[root@ c7-41 openvpn] cd /etc/openvpn/client/
[root@ c7-41 client] sz ca.crt client1.crt client1.key #传送至openVPN客户端软件的config目录下
  • 1
  • 2

在这里插入图片描述
拷贝sample-config中的client.ovpn到config目录下
在这里插入图片描述
19,配置client.opvn
在这里插入图片描述


client
dev tun
proto tcp
remote 10.0.0.41 55555 #修改成openVPN服务器的ip和openVPN端口
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13

20,客户方连接测试
在这里插入图片描述

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/凡人多烦事01/article/detail/205559
推荐阅读
相关标签
  

闽ICP备14008679号