OpenVPN installation and build steps for intranet penetration (reaching hosts on private networks through a public server)

Build steps

Install the OpenVPN server

Test environment:
cloud server (Ubuntu 20.04 64-bit) hosting the OpenVPN server, public IP: 119.96.126.25
one test machine as a client (RedHat system), IP: 10.10.111.24
another test machine as a client (MOXA device running a Debian system), IP: 10.10.112.63
The final goal is to make the two clients reachable from each other.

Install OpenVPN on all three hosts with the distribution's package manager.

RedHat system

yum install -y openvpn

Debian system

apt install openvpn

Install the Easy-RSA suite (used to generate the certificates and keys required by the server and the clients)

Download the Easy-RSA source package from the official releases page: https://github.com/OpenVPN/easy-rsa/releases

[root@localhost ~]# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz

After downloading, unpack the archive, create the directory /etc/openvpn/easy-rsa, and copy all the unpacked files into it:

[root@localhost ~]# tar -zxvf EasyRSA-3.1.2.tgz
[root@localhost ~]# mkdir /etc/openvpn/easy-rsa
[root@localhost ~]# cp -r EasyRSA-3.1.2/* /etc/openvpn/easy-rsa

Generate a private key and certificate on the server side

- Enter the Easy-RSA installation directory and configure the parameters;
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cp vars.example vars
[root@localhost easy-rsa]# vim vars
- Remove any existing certificates and private keys and initialize the PKI;
[root@localhost easy-rsa]# ./easyrsa clean-all
- Generate the CA root certificate;
[root@localhost easy-rsa]# ./easyrsa build-ca
The CA root certificate is written to: /etc/openvpn/easy-rsa/pki/ca.crt

- Generate the server certificate and private key for the OpenVPN server;
Note: the nopass parameter creates the key without a passphrase, so you will not be prompted for one when the OpenVPN service starts.
[root@localhost easy-rsa]# ./easyrsa build-server-full server nopass
server certificate path: /etc/openvpn/easy-rsa/pki/issued/server.crt
server private key path: /etc/openvpn/easy-rsa/pki/private/server.key

- Generate the Diffie-Hellman parameters file;
[root@localhost easy-rsa]# ./easyrsa gen-dh
This takes a while to complete.
- Generate the tls-auth key (ta.key), an extra HMAC on the control channel that helps mitigate DoS and TLS-layer attacks;
[root@localhost easy-rsa]# openvpn --genkey --secret ta.key
ta.key path: /etc/openvpn/easy-rsa/ta.key
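The Easy-RSA sequence above, as an added example that is not part of the original post: a shell script that runs the same steps without the interactive prompts and then verifies the generated material before it is copied to the server directory. It assumes Easy-RSA 3.x installed in /etc/openvpn/easy-rsa as in the post; the CA common name and the temporary tree used by the demo are constructed values. The functions take the PKI directory as an argument, so the verification can be run against any tree.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# post's Easy-RSA steps plus a verification pass over the generated files.

# Run the post's easyrsa sequence without prompts. EASYRSA_BATCH=1 answers the
# confirmations; EASYRSA_REQ_CN sets the CA common name (constructed value).
# init-pki is the command that the post's clean-all aliases.
build_pki() {
    dir=${1:-/etc/openvpn/easy-rsa}
    cd "$dir" || return 1
    EASYRSA_BATCH=1 ./easyrsa init-pki || return 1
    EASYRSA_BATCH=1 EASYRSA_REQ_CN="OpenVPN-Lab-CA" ./easyrsa build-ca nopass || return 1
    EASYRSA_BATCH=1 ./easyrsa build-server-full server nopass || return 1
    EASYRSA_BATCH=1 ./easyrsa gen-dh || return 1
    openvpn --genkey --secret ta.key || return 1
}

# Print the permission bits that apply to "other" users, e.g. "---" or "r--".
other_bits() {
    ls -l "$1" | cut -c8-10
}

# Verify the files the post later copies to /etc/openvpn/server.
# $1 = pki directory (default /etc/openvpn/easy-rsa/pki). Returns 0 only if
# every file exists and is non-empty and no private key is readable by others.
verify_pki() {
    pki=${1:-/etc/openvpn/easy-rsa/pki}
    rc=0
    for f in ca.crt issued/server.crt private/server.key dh.pem ../ta.key; do
        [ -s "$pki/$f" ] || { echo "missing or empty: $pki/$f" >&2; rc=1; }
    done
    # ca.key signs every certificate and is the most sensitive file of the set;
    # like the other keys it must never be world-readable.
    for k in private/ca.key private/server.key ../ta.key; do
        [ -e "$pki/$k" ] || continue
        bits=$(other_bits "$pki/$k")
        [ "$bits" = "---" ] || { echo "readable by others ($bits): $pki/$k" >&2; rc=1; }
    done
    return $rc
}

# Demo on a constructed directory layout (no easyrsa needed): the tree mirrors
# what build_pki produces, with placeholder file contents.
demo_pki() {
    d=$(mktemp -d)
    mkdir -p "$d/pki/issued" "$d/pki/private"
    for f in pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key; do
        echo "placeholder" > "$d/$f"
    done
    chmod 600 "$d/pki/private/server.key" "$d/ta.key"
    verify_pki "$d/pki" && echo "pki layout and key permissions are correct"
    rm -rf "$d"
}

demo_pki
```

Run `verify_pki` on the real tree after the easyrsa steps (`verify_pki /etc/openvpn/easy-rsa/pki`); a non-zero exit means a file is missing or a key is readable by other local users.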

OpenVPN server configuration

- Edit the OpenVPN server configuration file: vim /etc/openvpn/server/server.conf;
- Copy the private key, public key and certificates into the same directory as server.conf;
Note: the files to be copied are ca.crt, ca.key, server.crt, server.key, dh.pem and ta.key.
[root@localhost server]# cp /etc/openvpn/easy-rsa/pki/ca.crt .
[root@localhost server]# cp /etc/openvpn/easy-rsa/pki/private/ca.key .
[root@localhost server]# cp /etc/openvpn/easy-rsa/pki/issued/server.crt .
[root@localhost server]# cp /etc/openvpn/easy-rsa/pki/private/server.key .
[root@localhost server]# cp /etc/openvpn/easy-rsa/pki/dh.pem .
[root@localhost server]# cp /etc/openvpn/easy-rsa/ta.key .

Start the server service

[root@uos server]# openvpn --config server.conf

OpenVPN client configuration

Generate the client's certificate and private key on the server side; generate one more pair for each additional client:
[root@localhost easy-rsa]# ./easyrsa build-client-full client nopass
client certificate path: /etc/openvpn/easy-rsa/pki/issued/client.crt
client private key path: /etc/openvpn/easy-rsa/pki/private/client.key
Package the generated client certificate (client.crt), private key (client.key), server root certificate (ca.crt) and ta.key and place them in /etc/openvpn/client on the client. One way to transfer them is to use the sz command in Xshell to download them to the Windows side, then the rz command to upload them from Windows to the client.
- Edit the OpenVPN client configuration file: vim /etc/openvpn/client/client.conf
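The server.conf and client.conf that the post edits are shown only as screenshots. The following is an added example, not the post's own files: it writes a matching pair in the post's layout (key material next to the config in /etc/openvpn/server and /etc/openvpn/client, tunnel subnet 10.8.1.0/24 as used in the CCD section, server address 119.96.126.25 from the post) and cross-checks the two for the mismatches that most often leave a client unable to connect. Port 1194/udp, `topology subnet` and the unprivileged user/group are assumptions, not values from the post. Note that the server config references only ca.crt; the running server never reads ca.key.

```shell
#!/bin/sh
# Added example (not the post's own server.conf/client.conf). Writes a
# consistent pair in the post's layout and cross-checks them. Assumed values:
# port 1194/udp, topology subnet, the user/group the daemon drops to.

# Server side: lives in /etc/openvpn/server next to the copied key material.
write_server_conf() {   # $1 = output path
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# 0 = server end of the shared HMAC key; the client must use 1
tls-auth ta.key 0
# subnet topology is what makes "ifconfig-push <ip> <netmask>" in CCD files valid
topology subnet
server 10.8.1.0 255.255.255.0
push "route 10.8.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
# client-to-client is deliberately absent: traffic between clients then passes
# through the server's kernel (IP forwarding on) where firewall rules apply
keepalive 10 120
persist-key
persist-tun
# drop privileges once the tun device and keys are set up ("nobody" group on RedHat)
user nobody
group nogroup
verb 3
EOF
}

# Client side: lives in /etc/openvpn/client with ca.crt, client.crt, client.key, ta.key.
write_client_conf() {   # $1 = output path
    cat > "$1" <<'EOF'
client
dev tun
proto udp
# public address of the cloud server from the post
remote 119.96.126.25 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
# only accept a peer whose certificate was issued as a server certificate
remote-cert-tls server
verb 3
EOF
}

# Print the arguments of the first occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Cross-check a server.conf ($1) against a client.conf ($2). Returns 0 when the
# settings that must agree do agree and the client verifies the server cert.
check_pair() {
    s=$1; c=$2; rc=0
    [ "$(directive "$s" proto)" = "$(directive "$c" proto)" ] \
        || { echo "proto differs between server and client" >&2; rc=1; }
    sport=$(directive "$s" port)
    cport=$(directive "$c" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] \
        || { echo "port mismatch: server $sport, client remote $cport" >&2; rc=1; }
    [ "$(directive "$s" tls-auth | awk '{ print $2 }')" = 0 ] \
        || { echo "server tls-auth direction must be 0" >&2; rc=1; }
    [ "$(directive "$c" tls-auth | awk '{ print $2 }')" = 1 ] \
        || { echo "client tls-auth direction must be 1" >&2; rc=1; }
    [ "$(directive "$c" remote-cert-tls)" = server ] \
        || { echo "client lacks 'remote-cert-tls server'" >&2; rc=1; }
    grep -q '^client-to-client' "$s" \
        && echo "note: client-to-client lets clients bypass server-side filtering" >&2
    return $rc
}

# Demo in a temporary directory (constructed paths; nothing is written under /etc).
DEMO=$(mktemp -d)
write_server_conf "$DEMO/server.conf"
write_client_conf "$DEMO/client.conf"
check_pair "$DEMO/server.conf" "$DEMO/client.conf" && echo "server.conf and client.conf agree"
rm -rf "$DEMO"
```

`check_pair` is worth running whenever either file is edited by hand: a proto or port that differs, or tls-auth directions that are not 0 on the server and 1 on the client, produce a client that simply times out with no useful error on the server.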

Start the client service

[root@uos client]# openvpn --config client.conf
Run ifconfig to check the IP address assigned to the virtual network card.
Perform the same operation on the other client.

Configure Security Groups on Cloud Servers

Before starting the client, I couldn't connect to the server. After a long time, I found out that the port on the server was not allowed. This is very important!!!

Test for interconnection

After the server and both clients have started the OpenVPN service, ping between them to test whether they can reach each other.

Configure openVPN client on Windows

As before, first generate a client certificate and key on the server side, then copy the 5 necessary files to the directory shown in the figure. Note: on Windows, client.conf must be renamed to client.ovpn.
Open the OpenVPN client and connect; the current state shows that the connection succeeded.

Check whether the OpenVPN service is running

ps -ef | grep openvpn

Stop the OpenVPN service

kill -9 pid

Set OpenVPN to start automatically at boot in a Linux environment

1. Open a terminal and log in to the system with root privileges
2. Create a systemd service to automatically start the OpenVPN client when the Linux system starts

vim /etc/systemd/system/openvpn-client.service

3. Copy and paste the following into the file:

[Unit]
Description=OpenVPN client service
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config /etc/openvpn/client/client.conf
Restart=always

[Install]
WantedBy=multi-user.target

4. After saving and closing the file, reload systemd and enable the service:

sudo systemctl daemon-reload
sudo systemctl enable openvpn-client.service

5. Now, when the system boots, the OpenVPN client will automatically start and connect to the server.

Configure the CCD function under the server to restrict mutual access between clients

Purpose

The client-moxa client (OpenVPN virtual IP address: 10.8.1.18) can access the client-24 client (OpenVPN virtual IP address: 10.8.1.6) through the server, but the client-24 client cannot access client-moxa through the server.

Configuration steps

1. First, enable the CCD function on the server by adding the following line to the OpenVPN server configuration file:

client-config-dir /etc/openvpn/ccd

Here ccd is the directory that stores the per-client CCD configuration files; I created it under /etc/openvpn/.
2. In the ccd folder, create a file named client-24 for the client-24 client, and the content of the file is:

ifconfig-push 10.8.1.6 255.255.255.0

The file name must be the same as the client's name.
This assigns a fixed IP address (10.8.1.6) to the client-24 client.

3. In the ccd folder, create a file named client-moxa for the client-moxa client, the file content is:

iroute 10.8.1.6 255.255.255.255

This will tell the OpenVPN server to route requests from client-moxa to the IP address 10.8.1.6 (the IP address of client-24).

4. Finally, in the server configuration file, add the following line:

push "route 10.8.1.0 255.255.255.0"

This tells the clients to route traffic for the 10.8.1.0/24 subnet, which contains the addresses of both client-moxa and client-24, through the tunnel.
After completing the above steps, the configuration is complete.
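The CCD section above, as an added example that is not part of the original post: a script that creates the two CCD files exactly as specified and then checks the directory for the mistakes that make a CCD file silently ignored. OpenVPN selects the file by the connecting client's certificate Common Name, so the check requires a matching <name>.crt in Easy-RSA's pki/issued directory (assumed to be where the post's server keeps issued certificates), confirms that pushed addresses lie in the tunnel subnet, and rejects two clients being pushed the same address. The placeholder certificates in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the ccd directory from the
# post's CCD section and validates it. Assumes pki/issued holds one
# <common name>.crt per issued client, as on the post's server.

# Create the two files exactly as the post specifies. $1 = ccd directory.
make_ccd() {
    mkdir -p "$1"
    printf 'ifconfig-push 10.8.1.6 255.255.255.0\n' > "$1/client-24"
    printf 'iroute 10.8.1.6 255.255.255.255\n' > "$1/client-moxa"
}

# Validate a ccd directory. $1 = ccd dir, $2 = pki/issued dir, $3 = tunnel
# prefix such as "10.8.1.". Returns 0 when every file can actually take effect.
check_ccd() {
    ccd=$1; issued=$2; prefix=$3; rc=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # OpenVPN looks the file up by the client certificate's Common Name;
        # a file whose name matches no issued CN is never applied.
        [ -f "$issued/$name.crt" ] \
            || { echo "$name: no issued certificate with this Common Name" >&2; rc=1; }
        ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
        if [ -n "$ip" ]; then
            case $ip in
                "$prefix"*) ;;
                *) echo "$name: ifconfig-push $ip is outside the tunnel subnet" >&2; rc=1 ;;
            esac
        fi
    done
    # two clients pushed the same fixed address would collide on the tunnel
    dup=$(cat "$ccd"/* 2>/dev/null | awk '$1 == "ifconfig-push" { print $2 }' | sort | uniq -d)
    [ -z "$dup" ] || { echo "duplicate ifconfig-push address: $dup" >&2; rc=1; }
    return $rc
}

# Demo on a constructed layout: the issued directory holds placeholder
# certificates named after the two clients from the post.
demo_ccd() {
    d=$(mktemp -d)
    mkdir -p "$d/issued"
    touch "$d/issued/client-24.crt" "$d/issued/client-moxa.crt"
    make_ccd "$d/ccd"
    check_ccd "$d/ccd" "$d/issued" "10.8.1." && echo "ccd directory is consistent"
    rm -rf "$d"
}

demo_ccd
```

On the real server the check is `check_ccd /etc/openvpn/ccd /etc/openvpn/easy-rsa/pki/issued 10.8.1.`; a file name that does not match an issued certificate is the usual reason a client keeps receiving a dynamic address despite its CCD entry.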


Origin blog.csdn.net/QAZ600888/article/details/129883353