Centos7的openvpn构建

Centos7的openvpn构建

我的是centos7.6版本
[root@sed ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

安装服务并创建CA、证书等:
[root@sed ~]# yum install openssl openssl-devel easy-rsa openvpn -y
[root@sed ~]# find / -name "easy*" -type d
/usr/share/doc/easy-rsa-3.0.6
/usr/share/licenses/easy-rsa-3.0.6
/usr/share/easy-rsa
[root@sed ~]# cd /usr/share/easy-rsa/3
[root@sed 3]# ./easyrsa init-pki           #初始化,并当前目录下生成pki目录
[root@sed 3]# ./easyrsa build-ca           #创建根CA,要求输入两次密码,输入名称。我这里是myzdl.xim;得到ca.crt

[root@sed 3]# ./easyrsa gen-req vpnserver nopass         #创建名称为vpnserver的证书请求文件;得到key和req
[root@sed 3]# ./easyrsa gen-req vpnclient nopass     #同上
[root@sed 3]# ./easyrsa sign server vpnserver         #用CA签名vpnserver.req生成vpnserver.crt;得到vpnserver.crt
[root@sed 3]# ./easyrsa sign client vpnclient             #同上
[root@sed 3]# ./easyrsa gen-dh             #生成DH参数文件

[root@sed ~]# systemctl start firewalld
[root@sed ~]# firewall-cmd --zone=public --add-service=openvpn --permanent
[root@sed ~]# firewall-cmd --reload

证书认证方式:

[root@sed 3]# cd /etc/openvpn/server/
[root@sed server]# find / -name "server.conf*"
/usr/share/doc/NetworkManager/examples/server.conf
/usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf
[root@sed server]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf server.conf.example
[root@sed server]# cat server.conf.example | grep -v ^#| grep -v ^$ | grep -v ^';' > server.conf
[root@sed server]# mkdir files
[root@sed server]# cp /usr/share/easy-rsa/3/pki/{ca.crt,dh.pem,issued/vpnserver.crt,private/vpnserver.key} files/             #将四个文件复制到指定目录
[root@sed server]# openvpn --genkey --secret files/ta.key
[root@sed server]# ls -l files/
total 24
-rw------- 1 root root 1164 Nov 23 07:54 ca.crt
-rw------- 1 root root 424 Nov 23 07:54 dh.pem
-rw------- 1 root root 636 Nov 23 07:55 ta.key
-rw------- 1 root root 4554 Nov 23 07:54 vpnserver.crt
-rw------- 1 root root 1704 Nov 23 07:54 vpnserver.key

[root@sed server]# cat server.conf            #修改配置文件大致如下,具体的参数含义查阅"man openvpn"或"openvpn --help"
local 192.168.1.104
port 1194
proto udp
dev tun
ca /etc/openvpn/server/files/ca.crt
cert /etc/openvpn/server/files/vpnserver.crt
key /etc/openvpn/server/files/vpnserver.key # This file should be kept secret
dh /etc/openvpn/server/files/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/server/files/ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
[root@sed ~]# openvpn --config /etc/openvpn/server/server.conf --daemon     #启动服务

----windows测试
客户端下载地址:https://www.techspot.com/downloads/5182-openvpn.html
客户端需要的文件:ca.crt、ta.key(tls-auth 需要,两种认证方式都要用到)、vpnclient.crt、vpnclient.key

客户端参数:
client
dev tun
proto udp
remote 192.168.1.104 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vpnclient.crt
key vpnclient.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
配置重要参数务必和服务器一致,不然无法连接。



用户名密码方式:

[root@sed server]# vim auth.sh         #创建登录脚本

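#!/bin/sh
# OpenVPN "auth-user-pass-verify ... via-env" script.
# OpenVPN exports the credentials sent by the client as the environment
# variables "username" and "password"; exit 0 accepts the login, any
# other exit status rejects it.
PASSFILE="/etc/openvpn/server/login.user"  # account file: one "username password" per line
LOG_FILE="/etc/openvpn/server/login.log"   # authentication audit log
TIME_STAMP=$(date "+%Y-%m-%d %T")

######################

# log_line MESSAGE: append one timestamped line to LOG_FILE.
# The client-supplied password is never passed here, so it does not end
# up in clear text in the log.
log_line() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log_line "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Look the account up through ENVIRON instead of splicing ${username} into
# the awk program text: the username comes from a not-yet-authenticated
# client, and quote characters in it would otherwise alter the program.
# Lines starting with ';' or '#' are comments; the first match wins.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  log_line "User does not exist: username=\"${username:-}\"."
  exit 1
fi

# Passwords are stored and compared in clear text, as in PASSFILE above;
# hashing them would be a change to the account-file format, not to this
# script alone.
if [ "${password:-}" = "${CORRECT_PASSWORD}" ]; then
  log_line "Successful authentication: username=\"${username:-}\"."
  exit 0
fi

log_line "Incorrect password: username=\"${username:-}\"."
exit 1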

[root@sed server]# chmod o+x auth.sh       #添加权限
[root@sed server]# cat login.user    #创建认证文件
maray 123456a
bob 123456a
[root@sed server]# username=bob password=123456a bash -x auth.sh         #测试脚本是否OK(脚本从环境变量 username/password 读取凭据,不设置则只会记录"User does not exist")

[root@sed server]# cat server.conf         #在原配置基础上新增 auth-user-pass-verify、verify-client-cert none、username-as-common-name、script-security 3 四行,开启用户&密码认证(verify-client-cert none 表示不再校验客户端证书)。
local 192.168.1.104
port 1194
proto udp
dev tun
ca /etc/openvpn/server/files/ca.crt
cert /etc/openvpn/server/files/vpnserver.crt
key /etc/openvpn/server/files/vpnserver.key # This file should be kept secret
auth-user-pass-verify /etc/openvpn/server/auth.sh via-env
verify-client-cert none
username-as-common-name
dh /etc/openvpn/server/files/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/server/files/ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
script-security 3

客户端参数:
client
dev tun
proto udp
remote 192.168.1.104 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
;cert vpnclient.crt           #注销证书认证
;key vpnclient.key
auth-user-pass             #启用用户名和密码认证
auth-nocache
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
[root@sed ~]# openvpn --config /etc/openvpn/server/server.conf --daemon     #需要重启服务

----windows测试

服务器日志:
[root@sed server]# cat login.log
2019-11-23 12:54:41: Successful authentication: username="maray".
2019-11-23 12:56:46: Successful authentication: username="bob".
客户端日志:
Sun Nov 24 01:56:45 2019 MANAGEMENT: CMD 'username "Auth" "bob"'
Sun Nov 24 01:56:45 2019 MANAGEMENT: CMD 'password [...]'
Sun Nov 24 01:56:45 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 24 01:56:45 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Nov 24 01:56:45 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.104:1194
Sun Nov 24 01:56:45 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Nov 24 01:56:45 2019 UDP link local: (not bound)
Sun Nov 24 01:56:45 2019 UDP link remote: [AF_INET]192.168.1.104:1194
Sun Nov 24 01:56:45 2019 MANAGEMENT: >STATE:1574531805,WAIT,
Sun Nov 24 01:56:45 2019 MANAGEMENT: >STATE:1574531805,AUTH,
Sun Nov 24 01:56:45 2019 TLS: Initial packet from [AF_INET]192.168.1.104:1194, sid=dd68fe1f 689ae311
Sun Nov 24 01:56:45 2019 VERIFY OK: depth=1, CN=myzdl.xim
Sun Nov 24 01:56:45 2019 VERIFY KU OK
Sun Nov 24 01:56:45 2019 Validating certificate extended key usage
Sun Nov 24 01:56:45 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Nov 24 01:56:45 2019 VERIFY EKU OK




以Linux服务器登录(用户名密码):

[root@sm ~]# cd /etc/openvpn/client/
[root@sm client]# find / -name "client.conf" 
/usr/share/doc/openvpn-2.4.8/sample/sample-config-files/client.conf
[root@sm client]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/client.conf client.conf.example -p
[root@sm client]# cat client.conf.example | grep -v ^#| grep -v ^$ | grep -v ^';' > client.conf
[root@sm client]# 
[root@sm client]# cat login     #创建用户名密码文件二行。
bob
123456a
[root@sm client]# vim client.conf
client
dev tun
proto udp
remote 192.168.1.104 1194
resolv-retry infinite
nobind
auth-user-pass /etc/openvpn/client/login
persist-key
persist-tun
ca /etc/openvpn/client/ca.crt
remote-cert-tls server
tls-auth /etc/openvpn/client/ta.key 1        #值1
cipher AES-256-CBC
verb 3
[root@sm client]# ls -l        #将之前的ca.crt、ta.key文件复制到客户端目录下
total 20
-rw-r--r-- 1 root root 1164 Nov 23 07:41 ca.crt
-rw-r--r-- 1 root root  262 Nov 23 13:47 client.conf
-rw-r--r-- 1 root root 3585 Nov 23 13:06 client.conf.example
-rw-r--r-- 1 root root   12 Nov 23 13:33 login
-rw-r--r-- 1 root root  636 Nov 23 07:55 ta.key
[root@sm client]# openvpn --config client.conf  --daemon
[root@sm client]# 
[root@sm client]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    103    0        0 ens33
10.8.0.1        10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     103    0        0 ens33
192.168.9.0     0.0.0.0         255.255.255.0   U     101    0        0 ens37
192.168.188.0   0.0.0.0         255.255.255.0   U     102    0        0 ens38

-------------------------------------------------------------------------------------------------------------------

[root@sed ~]# man openvpn             #更多参数参考



转载自blog.csdn.net/zdl244/article/details/103218134