devbox
我家小花儿
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

openvpn配置使用静态密钥

作者:我家小花儿 | 2024-03-02 21:58:02

openvpn配置使用静态密钥

        openvpn客户端在和服务端建立连接时,一般建立ssl通信,流量都需要经过加密。正常建立ssl连接的时候,流程是很复杂的,需要握手信息,需要验证证书,需要协商和交换对称加密密钥。这个对称加密密钥是用来做什么的呢?其实ssl在建立连接前期的协商步骤中使用非对称加密算法(一般为RSA算法),是为了交换某些生成后续对称加密密钥所必须的信息,避免在网络中明文传输对称加密的密钥。一旦协商完成,对称密钥也就交换完成,后续的通信,都是使用对称加密来通信。为什么不能全程都使用非对称加密来加解密数据?因为非对称加密的效率比较低,所以在对称加密密钥协商完成后,后续通信都用这个对称加密密钥进行对称加密。这里说的比较笼统,感兴趣的可以自行去谷歌ssl连接建立的过程。

        oponvpn支持配置静态密钥,也就是说不用协商密钥,默认通信的双方都知道是用哪个对称加密密钥来加解密。这在某些场景下还是很有用的,每种技术都有它特定的应用场景。当然,用静态密钥本身安全性就不高,一旦别人拿到这个静态密钥,那整个通信过程就相当于明文通信了。正是因为不安全,所以openvpn官方强烈不推荐使用,可能在某些新版本中都禁用了这个功能。使用静态密钥还有一个局限性,就是只能有一个服务端,一个客户端,不能多个客户端端同时连接openvpn服务器。

        openvpn使用静态密钥也有一个优点,就是配置会特别简单,不需要ca证书,服务端客户端证书,私钥这些,只需要一个对称加密密钥。

静态密钥生成

        在linux下,使用openvpn的命令生成静态密钥:

openvpn –genkey –secret static.key

生成的static.key,服务端和客户端共用

服务端配置(centos)

        如果还不懂openvpn怎么搭建的,可以参考我前面的文章:openvpn组网技术原理及配置过程(centos服务器/安卓客户端/linux客户端)-CSDN博客

        服务端配置文件server.conf如下:

  1. ################################################
  2. # Sample OpenVPN 2.0 config file for            #
  3. # multi-client server.                          #
  4. #                                               #
  5. # This file is for the server side              #
  6. # of a many-clients <-> one-server              #
  7. # OpenVPN configuration.                        #
  8. #                                               #
  9. # OpenVPN also supports                         #
  10. # single-machine <-> single-machine             #
  11. # configurations (See the Examples page         #
  12. # on the web site for more info).               #
  13. #                                               #
  14. # This config should work on Windows            #
  15. # or Linux/BSD systems.  Remember on            #
  16. # Windows to quote pathnames and use            #
  17. # double backslashes, e.g.:                     #
  18. # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
  19. #                                               #
  20. # Comments are preceded with '#' or ';'         #
  21. #################################################
  22. dev tun
  23. port 7379
  24.  
  25. proto udp
  26.  
  27. # 此处不能配置server的子网范围,只能用ifconfig配置两个ip,一个是服务端ip,一个是客户端ip
  28. #server 10.9.0.0 255.255.255.0
  29. ifconfig 10.9.0.1 10.9.0.2
  30.  
  31. # 配置静态密钥
  32. secret static.key
  33.  
  34. #ifconfig-pool-persist ipp.txt
  35.  
  36. #The persist options will try to avoid
  37. # accessing certain resources on restart
  38. # that may no longer be accessible because
  39. # of the privilege downgrade.
  40. persist-key
  41. persist-tun
  42.  
  43. # 将客户端的所有流量都重定向到服务端
  44. push "redirect-gateway def1 bypass-dhcp"
  45.  
  46. # 向客户端推送DNS地址,也可以是用其他可用的DNS,可以取服务端本机的DNS地址
  47. push "dhcp-option DNS 100.100.2.136"
  48. push "dhcp-option DNS 100.100.2.138"
  49.  
  50. # 这个是保活的检测间隔
  51. keepalive 10 120
  52.  
  53. # 加密算法,服务端和客户端要一致
  54. cipher AES-256-CBC
  55.  
  56. #compress lz4-v2
  57. #push "compress lz4-v2"
  58. # 设置压缩
  59. comp-lzo
  60.  
  61. # It's a good idea to reduce the OpenVPN
  62. # daemon's privileges after initialization.
  63. #
  64. # You can uncomment this out on
  65. # non-Windows systems.
  66. # openvpn运行的用户和用户组
  67. user root
  68. group root
  69.  
  70. #comp-lzo
  71.  
  72. #log-append openvpn-static.log
  73.  
  74. # 日志保存
  75. log         openvpn.log
  76.  
  77. # Set the appropriate level of log
  78. # file verbosity.
  79. #
  80. # 0 is silent, except for fatal errors
  81. # 4 is reasonable for general usage
  82. # 5 and 6 can help to debug connection problems
  83. # 9 is extremely verbose
  84. # 日志等级
  85. verb 3

客户端配置(centos)

        可以先使用linux的openvpn客户端尝试连接,方便解决问题,linux客户端配置如下,静态密钥我们也用内联的方式:

  1. ##############################################
  2. # Sample client-side OpenVPN 2.0 config file #
  3. # for connecting to multi-client server.     #
  4. #                                            #
  5. # This configuration can be used by multiple #
  6. # clients, however each client should have   #
  7. # its own cert and key files.                #
  8. #                                            #
  9. # On Windows, you might want to rename this  #
  10. # file so it has a .ovpn extension           #
  11. ##############################################
  12.  
  13. # Specify that we are a client and that we
  14. # will be pulling certain config file directives
  15. # from the server.
  16. ;client
  17.  
  18. # Use the same setting as you are using on
  19. # the server.
  20. # On most systems, the VPN will not function
  21. # unless you partially or fully disable
  22. # the firewall for the TUN/TAP interface.
  23. # 此处跟服务端一致
  24. ;dev tap
  25. dev tun
  26.  
  27. # Windows needs the TAP-Win32 adapter name
  28. # from the Network Connections panel
  29. # if you have more than one.  On XP SP2,
  30. # you may need to disable the firewall
  31. # for the TAP adapter.
  32. ;dev-node MyTap
  33.  
  34. # Are we connecting to a TCP or
  35. # UDP server?  Use the same setting as
  36. # on the server.
  37. ;proto tcp
  38. # 此处跟服务端一致
  39. proto udp
  40.  
  41. # The hostname/IP and port of the server.
  42. # You can have multiple remote entries
  43. # to load balance between the servers.
  44. # 这里填服务端的ip端口
  45. remote 1.1.1.1 7379
  46. #remote my-server-2 1194
  47.  
  48. 这里要跟服务端的配置一致
  49. ifconfig 10.9.0.2 10.9.0.1
  50.  
  51. # Choose a random host from the remote
  52. # list for load-balancing.  Otherwise
  53. # try hosts in the order specified.
  54. ;remote-random
  55.  
  56. # Keep trying indefinitely to resolve the
  57. # host name of the OpenVPN server.  Very useful
  58. # on machines which are not permanently connected
  59. # to the internet such as laptops.
  60. # 使用默认配置
  61. resolv-retry infinite
  62.  
  63. # Most clients don't need to bind to
  64. # a specific local port number.
  65. # 使用默认配置,随机分配端口
  66. nobind
  67.  
  68. # Downgrade privileges after initialization (non-Windows only)
  69. ;user nobody
  70. ;group nobody
  71.  
  72. # Try to preserve some state across restarts.
  73. # 尝试在重新启动时保留一些状态
  74. persist-key
  75. persist-tun
  76.  
  77. # If you are connecting through an
  78. # HTTP proxy to reach the actual OpenVPN
  79. # server, put the proxy server/IP and
  80. # port number here.  See the man page
  81. # if your proxy server requires
  82. # authentication.
  83. ;http-proxy-retry # retry on connection failures
  84. ;http-proxy [proxy server] [proxy port #]
  85.  
  86. # Wireless networks often produce a lot
  87. # of duplicate packets.  Set this flag
  88. # to silence duplicate packet warnings.
  89. ;mute-replay-warnings
  90.  
  91. # SSL/TLS parms.
  92. # See the server config file for more
  93. # description.  It's best to use
  94. # a separate .crt/.key file pair
  95. # for each client.  A single ca
  96. # file can be used for all clients.
  97. #ca ca.crt
  98. #cert client.crt
  99. #key client.key
  100.  
  101. # Verify server certificate by checking that the
  102. # certicate has the correct key usage set.
  103. # This is an important precaution to protect against
  104. # a potential attack discussed here:
  105. #  http://openvpn.net/howto.html#mitm
  106. #
  107. # To use this feature, you will need to generate
  108. # your server certificates with the keyUsage set to
  109. #   digitalSignature, keyEncipherment
  110. # and the extendedKeyUsage to
  111. #   serverAuth
  112. # EasyRSA can do this for you.
  113. #remote-cert-tls server
  114.  
  115. # If a tls-auth key is used on the server
  116. # then every client must also have the key.
  117. #tls-auth ta.key 1
  118.  
  119. # Select a cryptographic cipher.
  120. # If the cipher option is used on the server
  121. # then you must also specify it here.
  122. # Note that v2.4 client/server will automatically
  123. # negotiate AES-256-GCM in TLS mode.
  124. # See also the ncp-cipher option in the manpage
  125. # 这里是加密算法,跟服务端一致
  126. cipher AES-256-CBC
  127.  
  128. # Enable compression on the VPN link.
  129. # Don't enable this unless it is also
  130. # enabled in the server config file.
  131. #comp-lzo
  132.  
  133. # Set log file verbosity.
  134. verb 3
  135.  
  136. # Silence repeating messages
  137. ;mute 20
  138. # 服务端已经配置,这里不需要重新配置
  139. #redirect-gateway autolocal
  140. # 允许压缩
  141. comp-lzo
  142.  
  143. # 这里我是想在客户端连接好服务器端后就更改本地的DNS,但是发现没成功,还是需要手动编辑/etc/resolv.conf文件进行修改
  144. dhcp-option DNS 100.100.2.136
  145. dhcp-option DNS 100.100.2.138
  146.  
  147.  
  148. #下面是静态密钥的内容
  149. <secret>
  150. #
  151. # 2048 bit OpenVPN static key
  152. #
  153. -----BEGIN OpenVPN Static key V1-----
  154. xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  155. -----END OpenVPN Static key V1-----
  156. </secret>

如果连接上后DNS解析不正常,可以手动修改DNS,直接编辑/etc/resolv.com,比如将DNS修改为8.8.8.8

安卓客户端配置

        由于openvpn官方不推荐使用静态密钥,似乎已经弃用了这个功能,用OpenVPN Connect导入只有静态密钥的配置文件,连接的时候会直接报错要求导入ca证书。找了一阵没办法解决,于是尝试用OpenVPN For Android这个客户端,连接的时候也报错,提示静态密钥强烈不建议使用,但是提示了一下可以使用--allow-deprecated-insecure-static-crypto来强行使用静态密钥。后来发现这个应该是在使用命令行的时候传入的参数,安卓客户端启动哪有命令行?尝试直接在自定义选项中加“--allow-deprecated-insecure-static-crypto”,会报识别不了该配置。参考了一下其他配置,这个配置在配置文件应该直接使用字符串"allow-deprecated-insecure-static-crypto yes",果然能通过了。后面又根据报错日志新增了两个自定义配置,才成功建立连接。

        完整的配置过程如下:

0、先决条件:安装OpenVPN For Android,版本0.7.51,或者以上。我尝试使用0.7.39版本,发现会报错无法识别allow-deprecated-insecure-static-crypto选项,因此应该是高版本才支持这个选项

1、将上面centos客户端的配置的配置复制一份,然后在后面添加这三条配置

  1. allow-compression yes
  2. allow-deprecated-insecure-static-crypto yes
  3. cipher AES-256-CBC

2、然后将上一步修改好的配置文件发送到安卓手机,导入这个配置,然后执行连接

        或者你先导入centos客户端配置导入OpenVPN For Android,然后再在这个配置的基础上添加那三条自定义选项,也是可以的。自定义选项配置是点击PROFILES右边的编辑按钮,然后ADVANCED下面的Custom Options

        如果显示已经连接成功,但是还是无法访问到外网或者无法访问到openvpn服务端主机,你需要检查一下PROFLE的ROUTING下的Use default Route选项是否勾选,如果没有勾选要勾选上才可以,可能有的系统导入配置文件后,默认是没有勾选的,就导致流量数据没有发往openvpn服务端。

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家小花儿/article/detail/182638
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号