(centos6.5)openvpn 服务端的安装(easy-rsa3)

(centos6.5)openvpn 服务端的安装(easy-rsa3)

实验环境：
虚拟机：centos6.5
网卡：
eth0 Link encap:Ethernet HWaddr 00:0C:29:67:AD:0E
inet addr:192.168.10.115 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe67:ad0e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:231268 errors:0 dropped:0 overruns:0 frame:0
TX packets:125895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:133612975 (127.4 MiB) TX bytes:77793350 (74.1 MiB)

网络设置
开启服务器端路由转发功能
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

安装依赖包：
yum install -y gcc openssl-devel lzo-devel pam-devel
yum install -y openvpn
#rpm -qa | grep openvpn
#openvpn-2.4.6-1.el6.x86_64
下载easy-rsa:
wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
mv easy-rsa-master /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/easyrsa3/
vim vars:

# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="yjpal"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyOrganizationalUnit"

# X509 Subject Field
export KEY_NAME="EasyRSA"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"

./easyrsa init-pki #建立一个空的pki结构，生成一系列的文件和目录
./easyrsa build-ca #创建ca 密码 和 cn那么需要记住 password:123456
./easyrsa gen-req server nopass #创建服务端证书 common name 最好不要跟前面的cn那么一样
./easyrsa sign server server #签约服务端证书
./easyrsa gen-dh #创建Diffie-Hellman
cd /etc/openvpn
mkdir keys ccd
cd keys
openvpn --genkey --secret ta.key
cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/keys
cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/keys
cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/keys
cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/keys

touch checkpsw.sh ipp.txt keys openvpn.log openvpn-status.log psw-file server.conf vpn_add_del.sh
mkdir /var/log/openvpn && touch /var/log/openvpn/openvpn.log

cat server.conf
local 192.168.10.115
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
script-security 3
client-cert-not-required
username-as-common-name
client-config-dir /etc/openvpn/ccd
server 30.30.30.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
;topology subnet
push "redirect-gateway def1 bypass-dhcp"
;push "redirect-gateway def1”
push "dhcp-option DNS 210.22.70.3"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3

cat checkpsw.sh

#!/bin/bash
#for user password
#by liuq
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ];then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>${LOG_FILE}
exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ];then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=

\"${password}\"." >> ${LOG_FILE}
exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ];then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=

\"${password}\"." >> ${LOG_FILE}
exit 1

cat vpn_add_del.sh

#!/bin/bash
#create user by lp
#创建openvpn user
case $1 in
'add')
openvpn_add()
{
echo -n "Please input your openvpn username:"
read username
echo -n "Please input your openvpn password:"
read password
echo -n "Please input your openvpn ip address:"
read ip_address
WORK_DIR=/etc/openvpn
IP=`expr $ip_address + 1`
}
openvpn_add
if [ -e $WORK_DIR/ccd/$username ]
then
printf '%100s\n' | tr ' ' -
echo -e "\033[31m $username is exits!!! \033[0m"
printf '%100s\n' | tr ' ' -
else
touch $WORK_DIR/ccd/$username
echo -e "\033[36m create user $uername is sucessed! \033[0m"
echo "$username $password">>$WORK_DIR/psw-file
echo -e "\033[36m set $username for password is sucessed! \033[0m"
echo "ifconfig-push 30.30.30.$ip_address 30.30.30.$IP" >>$WORK_DIR/ccd/$username
echo -e "\033[36m add address is sucessed! \033[0m"
fi
;;
'del')
openvpn_del()
{
WORK_DIR=/etc/openvpn
echo -n "Please input your want to delete openvpn username:"
read username
}
openvpn_del
if [ -e $WORK_DIR/ccd/$username ]
then
find $WORK_DIR -type f -name $username | xargs rm -f
sed -i "/$username/d" $WORK_DIR/psw-file
echo -e "\033[31m openvpn user delete is sucessed! \033[0m"
else
echo -e "\033[31m user delete is failed! \033[0m"
exit
fi
;;
'alter')
openvpn_alter()
{

附加：
#下面是客户端的证书
#首先创建一个工作的目录
cd /home/
mkdir client && cd client
cp -R ~/easy-rsa/ ./ #这是解压过的easy-rsa 而不是生成了服务端证书的easy-rsa
cd easy-rsa/easyrsa3/
cp vars.example vars

#开始生成
./easyrsa init-pki
./easyrsa gen-req orangleliu #用自己的名字，需要创建一个密码 和 cn name，自己用的 需要记住

#现在客户端的证书要跟服务端的交互，也就是签约，这样这个用户才能使用此vpn
#切换到server证书目录下
cd /etc/openvpn/easy-rsa/easyrsa3/
./easyrsa import-req /home/client/easy-rsa/easyrsa3/pki/reqs/orangleliu.req orangleliu #导入req
./easyrsa sign client orangleliu #用户签约，根据提示输入服务端的ca密码

客户端使用：

 

防火墙的前期配置：

# Generated by iptables-save v1.4.7 on Thu May 24 14:12:57 2018
*nat
:PREROUTING ACCEPT [87:7337]
:POSTROUTING ACCEPT [1:132]
:OUTPUT ACCEPT [1:132]
-A POSTROUTING -s 30.30.30.0/24 -j MASQUERADE
-A POSTROUTING -s 30.30.30.0/24 -o eth0 -j SNAT --to-source 192.168.10.115
COMMIT
# Completed on Thu May 24 14:12:57 2018
# Generated by iptables-save v1.4.7 on Thu May 24 14:12:57 2018
*filter
:INPUT ACCEPT [30:3723]
:FORWARD ACCEPT [1823:493850]
:OUTPUT ACCEPT [4786:1235439]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A FORWARD -s 30.30.30.0/25 -i tun0 -j ACCEPT
-A FORWARD -s 30.30.30.0/24 -i tun0 -j ACCEPT
-A FORWARD -s 30.30.30.0/24 -i tun0 -j DROP
COMMIT
# Completed on Thu May 24 14:12:57 2018