欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

centos7系统安装配置openvpn服务端

程序员文章站 2023-11-18 10:18:10
一直没研究过vpn,最近找个视频,学了下,搭环境,测试成功,速记录在案: 使用环境:   openvpn服务端安装在centos7系统平台上; &nbs...

一直没研究过vpn,最近找个视频,学了下,搭环境,测试成功,速记录在案:

使用环境:

  openvpn服务端安装在centos7系统平台上;
  openvpn客户端安装在windows平台上;

其中的操作步骤有些很像此前写过的一篇文章ca服务器签署证书的步骤;
openvpn就是安全的vpn,通过openssl实现ssl加密解密;

openvpn实现的简单原理个人理解是:

通过openvpn客户端和服务器端用虚拟网卡建立逻辑的安全的通信连接,然后再通过物理网卡传输数据;
即首先openvpn服务端,安装程序并开启服务,然后服务器端会自动生成一个虚拟网卡tun0,用来建立安全通行用的,并监听一个端口,准备接收客户端的请求;
第二,客户端安装openvpn后,也自动生成一个虚拟网卡,openvpn客户端需要指定openvpn服务端的物理网卡上的ip地址和监听的端口进行连接;
第三,证书、密钥、密码都通过后,即实现了vpn(虚拟私有网络)功能;

具体配置步骤:

第一:安装软件
 ]# yum install openvpn easy-rsa

第二:准备相关目录和配置文件
 ]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars

 ]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
复制的文件有:easyrsa、openssl-1.0.cnf、x509-types; 

 ]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/

 编辑vars文件:
 set_var easyrsa_req_country "cn"
 set_var easyrsa_req_province "beijing"
 set_var easyrsa_req_city "beijing"
 set_var easyrsa_req_org "openvpn ca"
 set_var easyrsa_req_email "4********4@.qq.com"
 set_var easyrsa_req_ou  "my vpn"

创建服务器端证书和key:

第一:目录初始化:
   ]# cd /etc/openvpn/easy-rsa/
   ]# ./easyrsa init-pki

第二:创建根证书:
   ]# ./easyrsa build-ca
   enter pem pass phrase: 输入2次pem密码,并记住(输入的pem密码是openvpn,后面会用到);
   ........
   common name (eg: your user, host, or server name) [easy-rsa ca]: 输入名称;(输入的是opvpn-ca)

   回车后显示:
ca creation complete and you may now import and sign cert requests.
your new ca certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

第三:创建服务器端证书:

    ]# ./easyrsa gen-req server nopass
common name (eg: your user, host, or server name) [server]: (输入是node2)

  输入回车后显示:

keypair and certificate request completed. your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

第四:签署服务器端证书:

  ]# ./easyrsa sign server server

回车后,confirm request details: (输入yes)

enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (输入之前ca根证书的pem密码是openvpn)

回车后显示:

check that the request matches the signature
signature ok
the subject's distinguished name is as follows
commonname :asn.1 12:'node2'
certificate is to be certified until apr 4 16:04:29 2028 gmt (3650 days)

write out database with 1 new entries
data base updated

certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

第五:创建diffie-hellman,确保key穿越不安全网络的命令:

  ]# ./easyrsa gen-dh

回车后,等的时间稍微长一点,最后显示:

dh parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

  第六:生成ta密钥文件

  ]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key

  不执行此命令,会报错:

sat apr 7 12:53:37 2018 warning: cannot stat file 'ta.key': no such file or directory (errno=2)
options error: --tls-auth fails with 'ta.key': no such file or directory (errno=2)
options error: please correct these errors.
use --help for more information.

创建客户端证书及key :

第一:创建过程同服务端:

  ]# mkdir /root/client
  ]# cd /root/client
  ]# cp -r /usr/share/easy-rsa/3.0.3/* ./
  ]# ./easyrsa init-pki
  ]# ./easyrsa gen-req client

回车后显示enter pem pass phrase: 输入密码,密码是之后客户端连接服务器要用的(输入的是vpnclient)
common name (eg: your user, host, or server name) [client]: (输入的是client,后面会用到)

  回车后显示:

keypair and certificate request completed. your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key

第二:将得到的clientone.req导入然后签约证书:

  ]# ./easyrsa import-req /root/client/pki/reqs/client.req client

  回车后显示:

note: using easy-rsa configuration from: ./vars

the request has been successfully imported with a short name of: clientone
you may now use this name to perform signing operations on this request.

第三:签约证书

  ]# ./easyrsa sign client client

回车后,输入yes;

enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (输入的是openvpn)

  注意:
这里生成client所以第一个client位置必须为client,第二个参数client要与之前导入名字一致,导入的时候会要求输入密码,这个密码是第一次设置的根证书的密码,不要输错;因为openvpn是一个客户端对应一组证书密钥文件的;

  回车后显示:

check that the request matches the signature
signature ok
the subject's distinguished name is as follows
commonname :asn.1 12:'client'
certificate is to be certified until apr 4 16:38:37 2028 gmt (3650 days)

write out database with 1 new entries
data base updated

certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt

拷贝相关文件

拷贝服务器端所需文件到各自位置:

]# cp pki/ca.crt /etc/openvpn/
]# cp pki/private/server.key /etc/openvpn/
]# cp pki/issued/server.crt /etc/openvpn/
]# cp pki/dh.pem /etc/openvpn/
]# cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/

拷贝客户端所需文件到各种位置:

]# cp pki/ca.crt /root/client/
]# cp pki/issued/client.crt /root/client/
]# cp /root/client/pki/private/client.key /root/client/
]# cp /etc/openvpn/easy-rsa/ta.key /root/client/

修改vpn配置文件:

]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # this file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option dns 8.8.8.8"
push "dhcp-option dns 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # this file is secret
cipher aes-256-cbc
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1 

启动openvpn服务器:

]# openvpn /etc/openvpn/server.conf &

  启动成功后显示:

sat apr 7 13:00:23 2018 openvpn 2.4.5 x86_64-redhat-linux-gnu [fedora epel patched] [ssl (openssl)] [lzo] [lz4] [epoll] [pkcs11] [mh/pktinfo] [aead] built on mar 1 2018
sat apr 7 13:00:23 2018 library versions: openssl 1.0.2k-fips 26 jan 2017, lzo 2.06
sat apr 7 13:00:23 2018 diffie-hellman initialized with 2048 bit key
sat apr 7 13:00:23 2018 outgoing control channel authentication: using 160 bit message hash 'sha1' for hmac authentication
sat apr 7 13:00:23 2018 incoming control channel authentication: using 160 bit message hash 'sha1' for hmac authentication
sat apr 7 13:00:23 2018 route_gateway 192.168.255.1/255.255.255.0 iface=eno16777736 hwaddr=00:0c:29:ef:e4:a7
sat apr 7 13:00:23 2018 tun/tap device tun0 opened
sat apr 7 13:00:23 2018 tun/tap tx queue length set to 100
sat apr 7 13:00:23 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
sat apr 7 13:00:23 2018 /sbin/ip link set dev tun0 up mtu 1500
sat apr 7 13:00:23 2018 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
sat apr 7 13:00:23 2018 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
sat apr 7 13:00:24 2018 could not determine ipv4/ipv6 protocol. using af_inet
sat apr 7 13:00:24 2018 socket buffers: r=[212992->212992] s=[212992->212992]
sat apr 7 13:00:24 2018 udpv4 link local (bound): [af_inet][undef]:1194
sat apr 7 13:00:24 2018 udpv4 link remote: [af_unspec]
sat apr 7 13:00:24 2018 multi: multi_init called, r=256 v=256
sat apr 7 13:00:24 2018 ifconfig pool: base=10.8.0.4 size=62, ipv6=0
sat apr 7 13:00:24 2018 ifconfig pool list
sat apr 7 13:00:24 2018 initialization sequence completed

centos7系统安装配置openvpn服务端

或使用systemctl启动:

systemctl -f enable openvpn@server.service
#设置启动文件

systemctl start openvpn@server.service
#启动openvpn的命令

windows7上配置openvpn客户端:

第一:下载openvpn客户端

  链接地址:

centos7系统安装配置openvpn服务端

安装过程就不表了,具体配置说下:

  下载相关文件到本特指的目录:
  从centos7上把client.crt、client.conf并改名为client.ovpn、client.key、ta.key四个文件,放在安装目录下的config目录里即可;

client.ovpn配置文件内容:

client
dev tun
proto udp
remote 192.168.255.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher aes-256-cbc
verb 3

openvpn客户端登录:

  双击图标后,弹出输入密码的窗口,此前设定的密码为vpnclient即可成功登录;

centos7系统安装配置openvpn服务端
centos7系统安装配置openvpn服务端

表示成功登录;

centos7系统安装配置openvpn服务端

openvpn图标变为绿色即成功连接openvpn服务器;

centos7系统安装配置openvpn服务端

后续深入openvpn使用配置,等用时再充电。