OpenVPN Configuration Manual

Compiled, organised and written by snow chuai, 2020/2/25


1. 拓扑
  +----------------------+
  | [  OpenVPN Server  ] |192.168.188.1
  |    srv1.1000cc.net    +--------+
  |                      |tun     |
  +-----------+----------+        |
          eth0|10.0.0.11/24       |
              |                   |
              |  Local Network    |
      10.0.0.1|                   |
       +------+-----+             |
-------|   Router   |-------------|-----
       +------+-----+             |
              |                   |
              |  Internet         |
--------------+-------------------|-----
              |                   |
              |  Local Network    |
              | 192.168.10.13/24  |
  +-----------+----------+        |
  |                      |tun     |
  |      VPN Client      +--------+
  |                      |192.168.188.x
  +----------------------+
2. Install and configure the OpenVPN server
2.1 Install the OpenVPN server
1) Install the packages
[root@srv1 ~]# yum --enablerepo=epel install openvpn easy-rsa net-tools bridge-utils -y
2.2 Create the CA, server and client certificates
1) Initialise the PKI
[root@srv1 ~]# cd /usr/share/easy-rsa/3
[root@srv1 3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /usr/share/easy-rsa/3/pki
2) Create the CA certificate
[root@srv1 3]# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:        # set a passphrase for the CA key
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
..........+++
.................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Server-CA    # set the CA name
CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /usr/share/easy-rsa/3/pki/ca.crt
3) Create the server certificate
build-server-full issues the certificate with the server (serverAuth) extended key usage; this is what a client's remote-cert-tls server check relies on to tell a real server certificate from a client certificate signed by the same CA.
[root@srv1 3]# ./easyrsa build-server-full srv1 nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.............................+++
.......+++
writing new private key to '/usr/share/easy-rsa/3/pki/private/srv1.key.otEvE6k1qV'
-----
Using configuration from /usr/share/easy-rsa/3/pki/safessl-easyrsa.cnf
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:    # enter the CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'srv1'
Certificate is to be certified until Feb 9 13:25:12 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
4) Create the client certificate
[root@srv1 3]# ./easyrsa build-client-full client1 nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
..............................+++
....+++
writing new private key to '/usr/share/easy-rsa/3/pki/private/client1.key.DhKH8jiBKN'
-----
Using configuration from /usr/share/easy-rsa/3/pki/safessl-easyrsa.cnf
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Feb 9 14:48:32 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
nopass leaves srv1.key and client1.key unencrypted on disk, so keep /usr/share/easy-rsa/3/pki/private readable by root only; only the CA key is passphrase-protected.
5) Generate the DH parameters
[root@srv1 3]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................................
DH parameters of size 2048 created at /usr/share/easy-rsa/3/pki/dh.pem
6) Generate the TLS-auth key
[root@srv1 3]# openvpn --genkey --secret ./pki/ta.key
7) Copy the generated certificates and keys into the server directory
[root@srv1 3]# cp -pR /usr/share/easy-rsa/3/pki/{issued,private,ca.crt,dh.pem,ta.key} \
/etc/openvpn/server/
[root@srv1 3]# cd
[root@srv1 ~]#
2.3 Enable IP forwarding
1) Configure IP forwarding
[root@srv1 ~]# vim /etc/sysctl.d/10-ipv4_forward.conf
net.ipv4.ip_forward = 1
2) Apply the setting
[root@srv1 ~]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /etc/sysctl.d/10-ipv4_forward.conf ...
net.ipv4.ip_forward = 1
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
2.4 Configure and start the VPN server
1) Configure the OpenVPN server
[root@srv1 ~]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf \
/etc/openvpn/server/
[root@srv1 ~]# vim /etc/openvpn/server/server.conf
# line 32: the port OpenVPN listens on
port 1194
# line 35: the protocol OpenVPN uses (change as required)
;proto tcp
proto udp
# line 78: the CA certificate and the server certificate and key (paths are relative to /etc/openvpn/server, the unit's working directory)
ca ca.crt
cert issued/srv1.crt
key private/srv1.key
# line 85: DH parameters
dh dh.pem
# line 101: the virtual network handed out to VPN clients (must not overlap the local network)
server 192.168.188.0 255.255.255.0
# line 143: uncomment; pushes a route to the server's local network so clients can reach it
push "route 10.0.0.0 255.255.255.0"
# line 231: keepalive settings
keepalive 10 120
# line 244: the tls-auth key file; the server uses key direction 0
tls-auth ta.key 0
# line 263: uncomment to enable compression
comp-lzo
# line 281: confirm the persist options are enabled
persist-key
persist-tun
# line 287: location of the OpenVPN status log
status /var/log/openvpn-status.log
# lines 296-297: uncomment to write the OpenVPN log to a file; the sample config says to use one or the other, not both, and log-append keeps earlier entries across restarts
log-append /var/log/openvpn.log
# line 306: log verbosity
verb 3

A caveat on comp-lzo: link compression on a VPN is a known weakness (the VORACLE class of compression-oracle attacks) and upstream recommends leaving it off; it is enabled here only to follow the original lab. If you keep it, the client must use the same setting.

Other options (enable as required; not used in this lab):
duplicate-cn            allow the same certificate to be connected from several clients at once
client-to-client        allow clients to talk to each other through the server
ifconfig-pool-persist   record the address given to each client so it receives the same one after a reconnect
Hardening options the sample config also offers, which a production server should set: user nobody and group nobody (drop root privileges once the tunnel is up; persist-key and persist-tun keep restarts working afterwards), an explicit cipher such as AES-256-GCM with auth SHA256 rather than the defaults, and tls-version-min 1.2.
2) Start the OpenVPN server
[root@srv1 ~]# systemctl enable --now openvpn-server@server
3) Configure the firewall
[root@srv1 ~]# firewall-cmd --add-port=1194/udp --permanent
[root@srv1 ~]# firewall-cmd --reload
Opening the port is enough for the tunnel itself. For clients to reach hosts on 10.0.0.0/24, those hosts (or the router at 10.0.0.1) also need a return route for 192.168.188.0/24 via 10.0.0.11; the alternative is to masquerade VPN traffic on the server (firewall-cmd --add-masquerade --permanent).
4) Copy the files the client needs
[root@srv1 ~]# scp /etc/openvpn/server/ca.crt root@client.1000cc.net:~
[root@srv1 ~]# scp /etc/openvpn/server/ta.key root@client.1000cc.net:~
[root@srv1 ~]# scp /etc/openvpn/server/issued/client1.crt root@client.1000cc.net:~
[root@srv1 ~]# scp /etc/openvpn/server/private/client1.key root@client.1000cc.net:~
client1.key and ta.key are secrets: deliver them only over an authenticated channel such as scp, and never copy ca.key or srv1.key off the server.
3. OpenVPN client (Linux)
3.1 OpenVPN client (Linux)
1) Install OpenVPN
[root@client ~]# yum --enablerepo=epel install openvpn -y
2) Import the CA certificate, the tls-auth key and the client certificate
[root@client ~]# cd /etc/openvpn/
[root@client openvpn]# mv ~/ca.crt .
[root@client openvpn]# mv ~/ta.key .
[root@client openvpn]# mkdir client/issued client/private
[root@client openvpn]# mv ~/client1.crt client/issued/
[root@client openvpn]# mv ~/client1.key client/private/
Restrict client1.key and ta.key to root (mode 0600) after moving them.
3) Write the client configuration
The client configuration uses the same directives as the server's; the values below are the client's own.
[root@client openvpn]# vim client/client.conf
# act as a client
client
# the device type is tun
dev tun
# use the default UDP protocol
;proto tcp
proto udp
# the VPN server
remote 10.0.0.11 1194
# keep retrying name resolution; suits unstable networks
resolv-retry infinite
# a client does not need to bind a fixed local port
nobind
# enable the persist options
persist-key
persist-tun
# locations of ca.crt and the client's own certificate and key
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client/issued/client1.crt
key /etc/openvpn/client/private/client1.key
# enable tls-auth; the client uses key direction 1
tls-auth /etc/openvpn/ta.key 1
# enable compression (must match the server)
comp-lzo
# log verbosity
verb 3

As written, the client accepts any certificate signed by Server-CA as the server, including another client's certificate. Add remote-cert-tls server so that only a certificate carrying the serverAuth extension (which build-server-full set on srv1.crt) is accepted.
4) Client directory layout
[root@client openvpn]# tree
.
├── ca.crt
├── client
│   ├── client.conf
│   ├── issued
│   │   └── client1.crt
│   └── private
│       └── client1.key
├── server
└── ta.key

4 directories, 5 files
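The server.conf from section 2.4 and the client.conf above leave several of the sample file's hardening settings untouched. The script below, added here as an example and not part of the original manual, audits both files for the points raised in those sections: compression, tls-auth/tls-crypt, an explicit TLS floor, a pinned AEAD cipher, user/group on the server, and remote-cert-tls server on the client. The configs it writes are constructed copies of the manual's two files plus a hardened server variant; the temporary directory and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original manual: audit the server.conf and client.conf
# built above for the settings a reviewer wants fixed before the tunnel carries real
# traffic. The sample configs and directory paths below are constructed for this example.

# conf_has FILE REGEX: true if FILE has an active directive matching REGEX
# (leading whitespace stripped, '#' and ';' comment lines ignored, anchored at line start)
conf_has() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$1" | grep -Eq "^($2)"
}

# audit_openvpn_conf FILE ROLE: one finding per output line; ROLE is "server" or "client"
audit_openvpn_conf() {
    f="$1"; role="$2"
    # Link compression lets an attacker who can inject chosen plaintext recover secrets
    # from ciphertext sizes (the VORACLE class of attacks); leave it off.
    if conf_has "$f" 'comp-lzo( +(yes|adaptive))?$|compress +[a-z]'; then
        echo "$role: compression enabled (comp-lzo/compress); remove it"
    fi
    # Without tls-auth/tls-crypt every UDP packet reaches the TLS stack unauthenticated.
    if ! conf_has "$f" 'tls-auth |tls-crypt '; then
        echo "$role: no tls-auth/tls-crypt; control channel is not HMAC-protected"
    fi
    # Pin a TLS floor and an AEAD data-channel cipher instead of trusting build defaults.
    if ! conf_has "$f" 'tls-version-min +1\.[23]'; then
        echo "$role: tls-version-min not set; add 'tls-version-min 1.2'"
    fi
    if ! conf_has "$f" 'cipher +AES-(128|256)-GCM'; then
        echo "$role: no AEAD cipher pinned; add 'cipher AES-256-GCM'"
    fi
    case "$role" in
    server)
        # Drop root once the tunnel is up; persist-key/persist-tun keep restarts working.
        if ! conf_has "$f" 'user +[A-Za-z0-9_-]+' || ! conf_has "$f" 'group +[A-Za-z0-9_-]+'; then
            echo "server: daemon stays root; add 'user nobody' and 'group nobody'"
        fi ;;
    client)
        # Any CA-signed cert (client1.crt included) is accepted as the server unless the
        # client demands the serverAuth extension that build-server-full put in srv1.crt.
        if ! conf_has "$f" 'remote-cert-tls +server'; then
            echo "client: remote-cert-tls server missing; a leaked client cert could impersonate the server"
        fi ;;
    esac
    return 0
}

# count_findings FILE ROLE: number of findings as a bare integer
count_findings() {
    audit_openvpn_conf "$1" "$2" | wc -l | tr -d ' '
}
# write_sample_configs DIR: constructed copies of the manual's two configs plus a hardened server.conf
write_sample_configs() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert issued/srv1.crt
key private/srv1.key
server 192.168.188.0 255.255.255.0
tls-auth ta.key 0
comp-lzo
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
remote 10.0.0.11 1194
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client/issued/client1.crt
key /etc/openvpn/client/private/client1.key
tls-auth /etc/openvpn/ta.key 1
comp-lzo
EOF
    cat > "$1/server-hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert issued/srv1.crt
key private/srv1.key
server 192.168.188.0 255.255.255.0
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
remote-cert-tls client
user nobody
group nobody
EOF
}

# Stand-alone run: write the samples to a temporary directory and audit all three.
tmp=$(mktemp -d); write_sample_configs "$tmp"
for c in server.conf:server client.conf:client server-hardened.conf:server; do
    echo "== ${c%%:*} as ${c#*:}: $(count_findings "$tmp/${c%%:*}" "${c#*:}") finding(s)"
    audit_openvpn_conf "$tmp/${c%%:*}" "${c#*:}"
done
rm -rf "$tmp"
```

Run it as is to see the three reports, or point audit_openvpn_conf at /etc/openvpn/server/server.conf and /etc/openvpn/client/client.conf on the real hosts. The checks are deliberately pessimistic: a missing tls-version-min or cipher line is reported even though the build may already default to acceptable values, because pinning them in the file is what makes the configuration reviewable.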
3.2 OpenVPN client (other operating systems)
1) Windows and macOS client configuration files
The configuration file contains the same directives as on Linux; only the extension is .ovpn. Adjust the ca, cert, key and tls-auth paths for the local filesystem, or embed the files in the .ovpn inside <ca>, <cert>, <key> and <tls-auth> blocks (with key-direction 1 when tls-auth is inlined).
2) Windows and macOS client software
Download: https://openvpn.net/community-downloads/
PS: if the download site is unreachable, go through a proxy or ask Baidu :-)
4. Connection test
1) Connect from the client
[root@client ~]# openvpn --config /etc/openvpn/client/client.conf > /dev/null &
(Because the file sits in /etc/openvpn/client/, the openvpn-client@client unit shipped with the package runs the same configuration as a service; that is the better choice outside a test.)
[root@client ~]# ip a s tun0
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 192.168.188.6 peer 192.168.188.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::42cf:631e:4f99:b23/64 scope link flags 800 
       valid_lft forever preferred_lft forever
2) Confirm the address on the server
[root@srv1 ~]# ip a s tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 192.168.188.1 peer 192.168.188.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b8e0:358f:e09e:69b/64 scope link flags 800 
       valid_lft forever preferred_lft forever
The peer pairs (.1/.2 on the server, .5/.6 on the client) come from the default net30 topology, which spends a /30 per client; topology subnet gives each client a single address from 192.168.188.0/24 instead.
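Beyond ip a, the file written by status /var/log/openvpn-status.log is the quickest way to see which certificates are actually connected. The script below, an added example and not part of the original manual, parses that file's default (status-version 1) layout with awk, lists each live session with its tunnel address, and reports any common name with more than one session at once, which is exactly what enabling duplicate-cn permits. The status file it reads is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original manual: summarise the file that
# 'status /var/log/openvpn-status.log' writes (status-version 1 layout) to list
# live sessions and to catch one common name connected from several addresses.
# The status file below is constructed sample data, not real server output.

# connected_clients STATUSFILE: prints "CN real-address virtual-address", sorted
connected_clients() {
    awk -F',' '
        /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
        /^ROUTING TABLE/       { sect = "routes";  next }
        /^GLOBAL STATS/        { sect = "";        next }
        # client rows: CN,real addr,bytes in,bytes out,connected since (header and Updated rows skipped)
        sect == "clients" && NF >= 5 && $1 != "Common Name" { session[$1 "," $2] = 1 }
        # routing rows: virtual addr,CN,real addr,last ref; remember the tunnel IP per real address
        sect == "routes" && NF >= 4 && $1 != "Virtual Address" { vaddr[$3] = $1 }
        END {
            for (k in session) {
                split(k, p, ",")
                v = "-"; if (p[2] in vaddr) v = vaddr[p[2]]
                printf "%s %s %s\n", p[1], p[2], v
            }
        }' "$1" | sort
}

# duplicate_cns STATUSFILE: common names with more than one live session, sorted
duplicate_cns() {
    connected_clients "$1" | awk '{ n[$1]++ } END { for (c in n) if (n[c] > 1) print c }' | sort
}

# write_sample_status FILE: constructed status-version 1 output with client1 connected twice
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Tue Feb 25 10:12:31 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,192.168.10.13:51234,18342,96210,Tue Feb 25 09:58:02 2020
client1,203.0.113.7:40022,1201,880,Tue Feb 25 10:11:50 2020
client2,198.51.100.20:33412,55102,301877,Tue Feb 25 09:30:11 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.188.6,client1,192.168.10.13:51234,Tue Feb 25 10:12:20 2020
192.168.188.10,client1,203.0.113.7:40022,Tue Feb 25 10:12:29 2020
192.168.188.14,client2,198.51.100.20:33412,Tue Feb 25 10:12:30 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone run against the sample.
f=$(mktemp)
write_sample_status "$f"
echo "== live sessions =="; connected_clients "$f"
echo "== CNs with more than one session =="; duplicate_cns "$f"
rm -f "$f"
```

On the real server, call connected_clients /var/log/openvpn-status.log. A common name appearing from two real addresses is normal only if duplicate-cn is set; without it, the second connection would have displaced the first, so seeing one is a sign that a certificate has been copied somewhere it should not be.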
If this helped you, feel free to leave a tip. ^-^
