赞
踩
一,安装服务
1,安装openvpn
[root@ c7-41 ~] yum -y install epel-re*
[root@ c7-41 ~] yum -y install openvpn
[root@ c7-41 ~] rpm -qa |grep openvpn
openvpn-2.4.8-1.el7.x86_64
2,安装open-rsa
[root@ c7-41 ~] wget https://github.com/OpenVPN/easy-rsa/archive/master.zip #下载
[root@ c7-41 ~] unzip master.zip #解压
[root@ c7-41 ~] mv easy-rsa-master/ easy-rsa
[root@ c7-41 ~] cp -R easy-rsa/ /etc/openvpn/
[root@ c7-41 ~] ls /etc/openvpn/
client easy-rsa server
3,配置vars文件
[root@ c7-41 ~] cd /etc/openvpn/easy-rsa/easyrsa3/
[root@ c7-41 easyrsa3] cp vars.example vars
[root@ c7-41 easyrsa3] cat >>vars<<EOF
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "BJ"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "Benet"
set_var EASYRSA_REQ_EMAIL "xxxxxxx@qq.com"
set_var EASYRSA_REQ_OU "dynamic"
EOF
二,创建server证书
4,初始化目录
[root@ c7-41 easyrsa3] ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki
5,创建CA证书
[root@ c7-41 easyrsa3] ./easyrsa build-ca Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase: #123456 Re-Enter New CA Key Passphrase: #123456 Generating RSA private key, 2048 bit long modulus ................................................+++ .+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic #拥有者 CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
6,创建服务端证书
[root@ c7-41 easyrsa3] ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key .....+++ .........................................................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1997.WQm9ot/tmp.KN2Hts' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: #dynamic-server Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
7,签约服务端证书
[root@ c7-41 easyrsa3] ./easyrsa sign server server Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = dynamic-server Type the word 'yes' to continue, or any other input to abort. Confirm request details: #yes Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-2023.n85PSv/tmp.XjwFLm Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #123456 ca密码 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'dynamic-server' Certificate is to be certified until Aug 8 06:42:27 2022 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
8,创建数据穿越密钥
[root@ c7-41 easyrsa3] ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time #时间会有点长
...............................................................+....................................................................................................................................................................................................................................................................+...........................................+....................+..............................................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
三,创建client证书
9,初始化目录
[root@ c7-41 easyrsa3] cd /etc/openvpn/client/
[root@ c7-41 client] cp -R /root/easy-rsa/ client
[root@ c7-41 client] cd client/easyrsa3/
[root@ c7-41 easyrsa3] ls
easyrsa openssl-easyrsa.cnf vars.example x509-types
[root@ c7-41 easyrsa3] ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/client/easyrsa3/pki
10,创建客户端CA证书
[root@ c7-41 easyrsa3] ./easyrsa build-ca Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase: #123456 Re-Enter New CA Key Passphrase: #123456 Generating RSA private key, 2048 bit long modulus ...............................................+++ ......+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #dynamic CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/client/client/easyrsa3/pki/ca.crt
11,创建客户端证书
[root@ c7-41 easyrsa3] ./easyrsa gen-req client1 Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ........................................................+++ .....+++ writing new private key to '/etc/openvpn/client/client/easyrsa3/pki/easy-rsa-2206.uzz9W3/tmp.Zk3AAg' Enter PEM pass phrase: #123456 Verifying - Enter PEM pass phrase: #123456 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client1]: #dynamic-client1 Keypair and certificate request completed. Your files are: req: /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req key: /etc/openvpn/client/client/easyrsa3/pki/private/client1.key
12,导入客户端证书
[root@ c7-41 easyrsa3] cd /etc/openvpn/easy-rsa/easyrsa3/
[root@ c7-41 easyrsa3] ./easyrsa import-req /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req client1
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.
13,签约客户端证书
[root@ c7-41 easyrsa3] ./easyrsa sign client client1 Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 825 days: subject= commonName = dynamic-client1 Type the word 'yes' to continue, or any other input to abort. Confirm request details: #yes Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-2286.nEJsJH/tmp.8rGYcb Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #123456 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'dynamic-client1' Certificate is to be certified until Aug 8 07:03:05 2022 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt
四,配置openvpn
14,拷贝证书文件
[root@ c7-41 easyrsa3] cd /etc/openvpn/easy-rsa/easyrsa3/pki/
[root@ c7-41 pki] cp ca.crt /etc/openvpn/server/
[root@ c7-41 pki] cp private/server.key /etc/openvpn/server/
[root@ c7-41 pki] cp issued/server.crt /etc/openvpn/server/
[root@ c7-41 pki] cp dh.pem /etc/openvpn/server/
[root@ c7-41 pki] cp ca.crt /etc/openvpn/client/
[root@ c7-41 pki] cp issued/client1.crt /etc/openvpn/client/
[root@ c7-41 pki] cp /etc/openvpn/client/client/easyrsa3/pki/private/client1.key /etc/openvpn/client/
[root@ c7-41 pki] ls /etc/openvpn/server/
ca.crt dh.pem server.crt server.key
[root@ c7-41 pki] ls /etc/openvpn/client/
ca.crt client client1.crt client1.key
五,配置server.conf
15,超链接配置文件server.conf
[root@ c7-41 pki] cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/ [root@ c7-41 pki] cd /etc/openvpn/ [root@ c7-41 openvpn] cp server.conf server.conf.bak [root@ c7-41 openvpn] egrep -v "^#|^;|^$" server.conf.bak > server.conf [root@ c7-41 openvpn] vim server.conf [root@ c7-41 openvpn] cat server.conf local 0.0.0.0 #填写自己openVPN服务器的ip,默认侦听服务器上所有的ip port 55555 #侦听端口,默认1194 proto tcp #端口协议,默认udp,也可以开启tcp方便映射转发 dev tun #默认创建一个路由ip隧道 ca /etc/openvpn/server/ca.crt #根证书 cert /etc/openvpn/server/server.crt #证书 key /etc/openvpn/server/server.key #私钥文件 dh /etc/openvpn/server/dh.pem server 10.8.0.0 255.255.255.0 #设置服务器模式,提供一个VPN子网 push "route 172.16.1.0 255.255.255.0" #推送路由信息到客户端,允许客户端能够连接到服务器背后的其他私有子网 ifconfig-pool-persist ipp.txt #指定用于记录客户端和虚拟ip地址的关联联系的文件 keepalive 10 120 #keepalive指令将导致类似于ping命令被来回发送 persist-key persist-tun status openvpn-status.log #状态日志 verb 3 #日志级别0-9 ,等级越高,记录越多 comp-lzo #在VPN连接上启用压缩 client-to-client #允许客户端之间沟通 log /var/log/openvpn.log
16,配置firewalld转发并启动
[root@ c7-41 openvpn] systemctl stop firewalld [root@ c7-41 openvpn] echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf [root@ c7-41 openvpn] sysctl -p net.ipv4.ip_forward = 1 [root@ c7-41 openvpn] openvpn --daemon --config /etc/openvpn/server.conf [root@ c7-41 openvpn] echo "openvpn --daemon --config /etc/openvpn/server.conf">>/etc/rc.d/rc.local [root@ c7-41 openvpn] ll /etc/rc.d/rc.local -rw-r--r--. 1 root root 524 May 5 15:42 /etc/rc.d/rc.local [root@ c7-41 openvpn] chmod +x /etc/rc.d/rc.local [root@ c7-41 openvpn] ll /etc/rc.d/rc.local -rwxr-xr-x. 1 root root 524 May 5 15:42 /etc/rc.d/rc.local [root@ c7-41 openvpn] ps -ef | grep openvpn root 12749 1 0 15:42 ? 00:00:00 openvpn --daemon --config /etcopenvpn/server.conf root 17999 1699 0 15:42 pts/0 00:00:00 grep --color=auto openvpn [root@ c7-41 openvpn] ss -anpt| grep 55555 LISTEN 0 32 *:55555 *:* users:(("openvpn",pid=12749,fd=6))
17,安装客户端(win-10系统)
18,客户端证书下载
[root@ c7-41 openvpn] cd /etc/openvpn/client/
[root@ c7-41 client] sz ca.crt client1.crt client1.key #传送至openVPN客户端软件的config目录下
拷贝sample-config中的client.ovpn到config目录下
19,配置client.opvn
client
dev tun
proto tcp
remote 10.0.0.41 55555 #修改成openVPN服务器的ip和openVPN端口
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
20,客户方连接测试
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。