devbox
羊村懒王
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

centos7搭建openvpn服务端_cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example .

作者:羊村懒王 | 2024-04-24 19:29:23

cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars

适用场景

  • 个人电脑和公司办公网络互通

  • 不同部门,分公司的网络互通

主机环境

主机角色公网ip,内网ip,网关,子网系统信息
server(linux)公网地址,172.19.233.160,172.19.239.253,255.255.255.0centos7.9
client(linux)192.168.202.128,192.168.202.2,255.255.255.0ubuntu22.04
client(linux)192.168.202.129,192.168.202.2,255.255.255.0centos7.9

安装openvpn服务端(centos7.9)

repo源不能直接安装,需要下载rpm包

  1. #安装vim和wget以及下载epel的rpm包
  2. yum install -y vim wget
  4. mkdir /tmp/openvpn
  5. cd /tmp/openvpn
  6. wget https://repo.huaweicloud.com/epel/epel-release-latest-7.noarch.rpm
  7. rpm -ivh epel-release-latest-7.noarch.rpm
  8. yum update
  11. #安装easy-rsa以及生成server和client的证书
  13. yum install -y openssl lzo pam easy-rsa
  16. mkdir /root/easy-rsa
  17. cd /root/easy-rsa/
  18. cp -a  /usr/share/easy-rsa/3.0.8/* ./
  19. cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
  21. grep -v '^#' vars | grep -v ^$
  22. if [ -z "$EASYRSA_CALLER" ]; then
  23.     echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
  24.     echo "This is no longer necessary and is disallowed. See the section called" >&2
  25.     echo "'How to use this file' near the top comments for more details." >&2
  26.     return 1
  27. fi
  28. set_var EASYRSA_DN  "cn_only"
  29. set_var EASYRSA_REQ_COUNTRY "CN"
  30. set_var EASYRSA_REQ_PROVINCE    "SiChuan"
  31. set_var EASYRSA_REQ_CITY    "ChengDu"
  32. set_var EASYRSA_REQ_ORG "aaaaaa"
  33. set_var EASYRSA_REQ_EMAIL   "admin.openvpn@aaaaaa.cn"
  34. set_var EASYRSA_REQ_OU      "aaa"
  35. set_var EASYRSA_NS_SUPPORT  "yes"
  37. [root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa init-pki
  39. Note: using Easy-RSA configuration from: /root/easy-rsa/vars
  41. init-pki complete; you may now create a CA or requests.
  42. Your newly created PKI dir is: /root/easy-rsa/pki
  44. ##生成ca根证书
  45. [root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa build-ca
  47. Note: using Easy-RSA configuration from: /root/easy-rsa/vars
  48. Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
  50. Enter New CA Key Passphrase:     #输入密码
  51. Re-Enter New CA Key Passphrase:  #再次输入密码
  52. Generating RSA private key, 2048 bit long modulus
  53. .+++
  54. ......+++
  55. e is 65537 (0x10001)
  56. You are about to be asked to enter information that will be incorporated
  57. into your certificate request.
  58. What you are about to enter is what is called a Distinguished Name or a DN.
  59. There are quite a few fields but you can leave some blank
  60. For some fields there will be a default value,
  61. If you enter '.', the field will be left blank.
  62. -----
  63. Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  #直接回车或输入主机名
  65. CA creation complete and you may now import and sign cert requests.
  66. Your new CA certificate file for publishing is at:
  67. /root/easy-rsa/pki/ca.crt
  69. ##生成服务端的证书和私钥
  70. [root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa build-server-full server nopass
  72. Note: using Easy-RSA configuration from: /root/easy-rsa/vars
  73. Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
  74. Generating a 2048 bit RSA private key
  75. ...................................................................+++
  76. .....+++
  77. writing new private key to '/root/easy-rsa/pki/easy-rsa-27540.IzadnR/tmp.COc2PW'
  78. -----
  79. Using configuration from /root/easy-rsa/pki/easy-rsa-27540.IzadnR/tmp.KLkuTm
  80. Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
  81. Check that the request matches the signature
  82. Signature ok
  83. The Subject's Distinguished Name is as follows
  84. commonName            :ASN.1 12:'server'
  85. Certificate is to be certified until Mar 13 12:26:56 2026 GMT (825 days)
  87. Write out database with 1 new entries
  88. Data Base Updated
  90. ##生成Diffie-Hellman算法需要的密钥文件
  91. [root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa gen-dh
  93. Note: using Easy-RSA configuration from: /root/easy-rsa/vars
  94. Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
  95. Generating DH parameters, 2048 bit long safe prime, generator 2
  96. This is going to take a long time
  97. ................................+.......................................................................+..................................................................................................................................................................................................+.......................+..........+........+...................+.......................++*++*
  99. DH parameters of size 2048 created at /root/easy-rsa/pki/dh.pem
  101. ##生成客户端的证书和私钥保存到本地,并传递到客户端
  102. ##在服务端生成客户端的证书和私钥,每多一个客户端就要多生成一份
  103. [root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa build-client-full client nopass
  105. Note: using Easy-RSA configuration from: /root/easy-rsa/vars
  106. Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
  107. Generating a 2048 bit RSA private key
  108. .....+++
  109. ...........................................................................................................................................+++
  110. writing new private key to '/root/easy-rsa/pki/easy-rsa-27647.Iycjw0/tmp.20jrOv'
  111. -----
  112. Using configuration from /root/easy-rsa/pki/easy-rsa-27647.Iycjw0/tmp.KaU3pL
  113. Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
  114. Check that the request matches the signature
  115. Signature ok
  116. The Subject's Distinguished Name is as follows
  117. commonName            :ASN.1 12:'client'
  118. Certificate is to be certified until Mar 13 12:36:10 2026 GMT (825 days)
  120. Write out database with 1 new entries
  121. Data Base Updated
  125. #安装openvpn
  127. yum install -y openvpn
  130. #拷贝证书到/etc/openvpn/server/下面
  131. ls /etc/openvpn/server/
  134. [root@iZf8z3xsyghofo5njspgavZ easy-rsa]# cd /etc/openvpn/server/
  135. [root@iZf8z3xsyghofo5njspgavZ server]# ls
  136. [root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/ca.crt .
  137. [root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/issued/server.crt .
  138. [root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/private/server.key .
  139. [root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/dh.pem .
  140. [root@iZf8z3xsyghofo5njspgavZ server]# vim /etc/openvpn/server/server.conf 
  141. port 1194                               #端口,默认1194,这里可以修改为其他的
  142. proto udp                               #协议,可客户端一致,云上一定要打开此协议的端口
  143. dev tun                                 #采用路由隧道模式tun
  144. ca ca.crt                               #ca证书文件位置
  145. cert server.crt                         #服务端公钥名称
  146. key server.key                          #服务端私钥名称
  147. dh dh.pem                               #交换证书
  148. server 10.8.0.0 255.255.255.0           #给客户端分配地址池,注意:不能和VPN服务器内网网段有相同
  149. push "route 172.32.45.0 255.255.255.0"   #允许客户端访问内网网段,这个可以通过查看服务端的route -n获取
  150. ifconfig-pool-persist ipp.txt           #地址池记录文件位置
  151. keepalive 10 120                        #存活时间,10秒ping一次,120 如未收到响应则视为断线
  152. max-clients 10                         #最多允许10个客户端连接
  153. status openvpn-status.log               #日志记录位置
  154. verb 3                                  #openvpn版本
  155. client-to-client                        #客户端与客户端之间支持通信
  156. log /var/log/openvpn.log                #openvpn日志记录位置
  157. persist-key     #通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys。
  158. persist-tun     #检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup
  159. duplicate-cn
  160. comp-lzo  #使用lzo压缩的通讯,服务端和客户端都必须配置
  163. [root@iZf8z3xsyghofo5njspgavZ server]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  164. [root@iZf8z3xsyghofo5njspgavZ server]# systemctl restart network
  166. ##暂时未确定是否必须配置
  168. #临时关闭selinux
  169. setenforce 0
  170. #配置文件永久关闭 修改/etc/selinux/config 文件
  171. SELINUX=disabled
  174. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  175. iptables -I INPUT -p udp --dport 1194 -j ACCEPT   ##端口和协议和server.conf一致
  178. #保存规则并重启
  179. service iptables save
  180. systemctl restart iptables
  182. #启动服务
  184. [root@testc openvpn]# systemctl -f enable openvpn@server.service
  185. Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
  187. #用systemctl启动暂时有问题,先手动启动看看
  188. cd /etc/openvpn/server/
  189. openvpn server.conf   #新打开一个命令行,然后查看/var/log/openvpn.log日志
  191. systemctl start openvpn@server.service
  192. systemctl status openvpn@server.service

注意事项

        云上部署openvpn服务端,一定要放开对应协议的端口即实例所在安全组设置。

安装openvpn客户端(ubuntu22.04)

  1. #安装openvpn软件和route命令
  2. apt update
  3. apt install openvpn vim net-tools  
  4.  
  5.  
  6. #传递密钥文件 ca.crt client.key  client.crt
  7. ls /etc/openvpn/client/
  8.  
  9.  
  10. #编写配置文件
  11. vim /etc/openvpn/client/client.conf 
  12. client
  13. dev tun
  14. proto udp  ##和服务端的协议需要一致
  15. remote 公网ip地址 1194   #公网的ip以及端口
  16. resolv-retry infinite
  17. nobind
  18. ca ca.crt
  19. cert client.crt
  20. key client.key
  21. verb 3
  22. persist-key
  23. comp-lzo   ##服务端客户端都要加
  24.  
  25.  
  26.  
  27. #生成service文件设置开机自启或手动启动步骤
  28.  
  29. cd /etc/openvpn/client
  30. openvpn client.conf
  31.  
  32.  
  33. systemctl -f enable openvpn@client.service
  34.  
  35. systemctl start openvpn@client

测试是否成功

        可以在客户端直接查看是否在服务打开后查看ip a s看看是否新增了一个tun0

        可以查看route -n看看是否有新增一条路由指向服务端的内部路由信息

        也可直接ssh连接服务端所指向的内网某个主机,看看是否可以连接

参考文档

openVN安装搭建步骤,实现内网穿透_openvpn搭建-CSDN博客

OpenVPN搭建(1) - 知乎

【运维知识进阶篇】手把手教你搭建OpenVPN(保姆级教程)_openvpn客户端-CSDN博客

CentOS搭建OpenVPN - 知乎



声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/羊村懒王/article/detail/481192
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号