centos7部署opensvn

OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比，它的优点是简单易用

OpenVPN允许参与建立VPN的单点使用共享金钥，电子证书，或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库中的SSLv3/TLSv1 协议函式库。OpenVPN能在Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X与Windows 2000/XP/Vista上运行，并包含了许多安全性的功能。它并不是一个基于Web的VPN软件，也不与IPsec及其他VPN软件包兼容。

OpenVPN2.0后引入了用户名/口令组合的身份验证方式，它可以省略客户端证书，但是仍有一份服务器证书需要被用作加密。 OpenVPN所有的通信都基于一个单一的IP端口， 默认且推荐使用UDP协议通讯，同时TCP也被支持。OpenVPN连接能通过大多数的代理服务器，并且能够在NAT的环境中很好地工作。服务端具有向客 户端“推送”某些网络配置信息的功能，这些信息包括：IP地址、路由设置等。OpenVPN提供了两种虚拟网络接口：通用Tun/Tap驱动，通过它们， 可以建立三层IP隧道，或者虚拟二层以太网，后者可以传送任何类型的二层以太网络数据。传送的数据可通过LZO算法压缩。在选择协议时候，需要注意2个加密隧道之间的网络状况，如有高延迟或者丢包较多的情况下，请选择TCP协议作为底层协议，UDP协议由于存在无连接和重传机制，导致要隧道上层的协议进行重传，效率非常低下。 ^[1]

准备资源：

系统：CentOS Linux release 7.3.1611 (Core)  外网ip:10.0.0.45  内网ip:172.16.1.45

<https://openvpn.net/community-downloads/>

<https://www.techspot.com/downloads/5182-openvpn.html>

安装openvpn

[root@ localhost ~]# yum -y install epel-re*
[root@ localhost ~]# yum -y install openvpn
[root@ localhost ~]# rpm -qa | grep openvpn 

安装open-rsa

[root@ openvpn ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@ openvpn ~]# unzip master.zip
[root@ openvpn ~]# mv easy-rsa-master/ easy-rsa
[root@ openvpn ~]# cp -R easy-rsa/ /etc/openvpn/
[root@ openvpn ~]# ls /etc/openvpn/
client  easy-rsa  server

配置vars文件

[root@ openvpn ~]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@ openvpn easyrsa3]# cp vars.example vars
[root@ openvpn easyrsa3]# cat >>vars<<EOF
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "BJ"
set_var EASYRSA_REQ_CITY        "Beijing"
set_var EASYRSA_REQ_ORG         "Benet"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "dynamic"
EOF

创建server证书

初始化目录

[root@ localhost easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki

创建CA证书

[root@ localhost easyrsa3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: 123456（这里是自己添加的密码）
Re-Enter New CA Key Passphrase: 123456
Generating RSA private key, 2048 bit long modulus
............................+++
.........................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:tyk

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

创建服务端证书

[root@ localhost easyrsa3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
........................................................................................+++
...+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1773.PhA1gD/tmp.DbNelu'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:tyk-server（为server起名）

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

签约服务端证书

[root@ localhost easyrsa3]# ./easyrsa sign server server



Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = tyk-server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes这里输入yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1812.Bo5CrH/tmp.kNNaaU
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:123456（这里输入密码）
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'tyk-server'
Certificate is to be certified until Jun  6 10:01:36 2022 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

创建数据穿越密钥

[root@ localhost easyrsa3]# ./easyrsa gen-dh

初始化目录

[root@ localhost easyrsa3]# cd /etc/openvpn/client/
[root@ localhost client]# cp -R /root/easy-rsa/ client
[root@ localhost client]# cd client/easyrsa3/
[root@ localhost easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  vars.example  x509-types
[root@ localhost easyrsa3]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/client/easyrsa3/pki

创建客户端ca证书

[root@ localhost easyrsa3]# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: 123456　　
Re-Enter New CA Key Passphrase: 123456
Generating RSA private key, 2048 bit long modulus
.....................................+++
...................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic（输入客户端的名字）

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/client/client/easyrsa3/pki/ca.crt

创建客户端证书

[root@ localhost easyrsa3]# ./easyrsa gen-req client1
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...........+++
..................+++
writing new private key to '/etc/openvpn/client/client/easyrsa3/pki/easy-rsa-1874.7cfv5F/tmp.dCZVu5'
Enter PEM pass phrase:123456（也是以后登录vpn的密码）
Verifying - Enter PEM pass phrase:123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:dynamic-client1（起名）

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req
key: /etc/openvpn/client/client/easyrsa3/pki/private/client1.key

[root@ localhost easyrsa3]#  ./easyrsa import-req /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.

签约客户端证书

[root@ localhost easyrsa3]# ./easyrsa sign client client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = dynamic-client1


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes（输入yes）
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-1940.hOlAjb/tmp.cyDM0B
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-client1'
Certificate is to be certified until Jun  6 10:26:36 2022 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt

配置openvpn

拷贝证书文件

[root@ localhost easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/pki/
[root@ localhost pki]# cp ca.crt /etc/openvpn/server/
[root@ localhost pki]# cp private/server.key /etc/openvpn/server/
[root@ localhost pki]# cp issued/server.crt /etc/openvpn/server/
[root@ localhost pki]# cp dh.pem /etc/openvpn/server/
[root@ localhost pki]# cp ca.crt /etc/openvpn/client/
[root@ localhost pki]# cp issued/client1.crt /etc/openvpn/client/
[root@ localhost pki]# cp /etc/openvpn/client/client/easyrsa3/pki/private/client1.key /etc/openvpn/client/
[root@ localhost pki]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn
[root@ localhost pki]# cd /etc/openvpn
[root@ localhost openvpn]# cp server.conf server.conf.bak
[root@ localhost openvpn]# egrep -v "^#|^;|^$" server.conf.bak > server.conf

配置server.conf

[root@ localhost openvpn]# vim server.conf
local 0.0.0.0
port 55555
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
comp-lzo
client-to-client
log /var/log/openvpn.log

配置firewalld转发并启动openvpn

[root@ localhost openvpn]# systemctl stop firewalld
[root@ localhost openvpn]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf
[root@ localhost openvpn]# sysctl -p
net.ipv4.ip_forward = 1
[root@ localhost openvpn]# openvpn --daemon --config /etc/openvpn/server.conf
[root@ localhost openvpn]# echo "openvpn --daemon --config /etc/openvpn/server.conf">>/etc/rc.d/rc.local
[root@ localhost openvpn]# ps -ef | grep openvpn
root       2037      1  0 18:31 ?        00:00:00 openvpn --daemon --config /etc/openvpn/server.conf
root       2049   1484  0 18:32 pts/0    00:00:00 grep --color=auto openvpn
[root@ localhost openvpn]# ss -anpt| grep 55555
LISTEN     0      32           *:55555                    *:*                   users:(("openvpn",pid=2037,fd=6))

因为我是win10 的版本，所以就安装的win10的，记得安装的时候点亮中间三个小勾勾

客户端证书下载

[root@ localhost openvpn]# cd /etc/openvpn/client/
[root@ localhost client]#  sz ca.crt client1.crt client1.key
下载到openvpn客户端软件的config目录下

 然后~~~~~~~~~

 修改客户端client配置文件

添加

client1
dev tun
proto tcp
remote 10.0.0.45 55555
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

然后管理员打开openvpn连接。。。。。。。。。。。。。。。。。。。。