Building OpenVPN on CentOS 7.9 with PKI-based key authentication (1)

1. Introduction to OpenVPN

OpenVPN official documentation: https://openvpn.net/community-resources/how-to/#additional-documentation

1. Overview of OpenVPN

       OpenVPN is a full-featured SSL VPN that implements OSI Layer 2 or Layer 3 secure network extensions using the industry-standard SSL/TLS protocol. It supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and it allows user- or group-specific access control policies to be applied to the VPN virtual interface through firewall rules. OpenVPN is not a web application proxy and does not run through a web browser.

      OpenVPN 2.0 extends the functionality of OpenVPN 1.x. It provides a scalable client/server model that allows multiple clients to connect to a single OpenVPN server process through a single TCP or UDP port.

      OpenVPN supports certificate-based two-way authentication: the client must verify the server certificate and the server must also verify the client certificate before mutual trust is established.

 

2. OpenVPN configuration modes

       OpenVPN can be configured in two modes: routed VPN and bridged VPN.

      Overall, routing is probably the better option for most people, since it is more efficient than bridging and easier to set up (as far as the OpenVPN configuration itself is concerned). Routing also gives more ability to selectively control access on a per-client basis.

       I recommend using routing unless you need a specific feature that requires bridging, such as:

  •  the VPN needs to handle non-IP protocols such as IPX;
  •  you run applications that rely on network broadcasts (such as LAN games) through the VPN;
  •  you want to browse Windows file shares over the VPN without setting up a Samba or WINS server.

3. Encryption and authentication

(1) Encryption

        OpenVPN uses the OpenSSL library to encrypt data and control information, which means it can use any algorithm OpenSSL supports. It provides an optional per-packet HMAC function to increase the security of the connection. In addition, OpenSSL's hardware acceleration can improve its performance.

(2) Authentication

        OpenVPN provides several ways to verify the identity of both parties, including:

            ① Pre-shared private key

            ② Third-party (PKI) certificates

            ③ Username/password combination

       The pre-shared key is the simplest, but it can only be used to create a point-to-point VPN. PKI-based third-party certificates provide the most complete functionality, but require maintaining a PKI certificate system in addition. OpenVPN 2.0 introduced username/password authentication, which can omit the client certificate but still requires a server certificate for encryption.

 

4. OpenVPN components

Before installing and using OpenVPN, a look at its components. The whole installation involves the following four parts:

  • Server program installation and client program installation
  • Easy-RSA certificate generator
  • Server-side configuration file
  • Client configuration file

       Easy-RSA is an independent certificate generator that produces the certificates and keys OpenVPN needs. A certificate is a public key bound to additional identifying information; the key referred to here is the private key. Note: the TLS key ta.key is not generated by Easy-RSA but by the OpenVPN main program itself. For the server and client configuration files, sample configuration files are provided in the extracted source directory when compiling and installing; the real files are produced by editing these samples.

2. Topology and basic environment configuration

1. Installation environment:

| Role           | System                               | IP               | Gateway        | OpenVPN version | easy-rsa version |
|----------------|--------------------------------------|------------------|----------------|-----------------|------------------|
| OpenVPN-Server | CentOS Linux release 7.9.2009 (Core) | 172.16.10.10/24  | 172.16.10.254  | OpenVpn-2.5.7   | easy-rsa-3.1.1   |
| VPN-Client     | Windows 10                           | 192.168.50.10/24 | 192.168.50.254 |                 |                  |

2. Topology

3. Network environment configuration of the company branch:

   Configure NAT at the company branch so that internal addresses are translated

 

3.1. Define the addresses allowed to be translated

[AR-3]acl 2001

[AR-3-acl-basic-2001]rule 10 permit source 192.168.50.0 0.0.0.255

[AR-3-acl-basic-2001]rule 20 permit source 192.168.60.0 0.0.0.255

[AR-3-acl-basic-2001]q

3.2. Configure NAT on the interface

[AR-3]interface GigabitEthernet 0/0/0

[AR-3-GigabitEthernet0/0/0]dis th

[V200R003C00]

#

interface GigabitEthernet0/0/0

 ip address 180.10.123.1 255.255.255.252

#

[AR-3-GigabitEthernet0/0/0]nat outbound 2001

4. Network environment configuration of the company headquarters:

4.1. Configure NAT on the firewall so the headquarters internal network can reach the external network through NAT:

 

4.1.1. Configure the address group of headquarters intranet addresses allowed to be translated:

ip address-set NeiWang_AddressGroup type group

 address 0 172.16.10.0 mask 24

 address 1 172.16.30.0 mask 24

 

4.1.2. Configure NAT on the headquarters firewall:

nat-policy

 rule name Source_NAT

  source-zone trust

  egress-interface GigabitEthernet1/0/1

  source-address address-set NeiWang_AddressGroup   #Allow the addresses in the intranet address group to be translated through the G1/0/1 interface address

  action nat easy-ip

 

web configuration:

Address group configuration:

NAT address configuration

 

 

4.2. Configure port mapping to the OpenVPN server at the headquarters:

[FW-USG6000V1] nat server openvpn 0 protocol tcp global 113.65.10.1 33808 inside 172.16.10.10

WEB configuration:

4.3. Configure the access policy on the headquarters firewall:

 

4.3.1. Configure the services that the external network is allowed to reach on the internal network

 

(1) Define the source address group; only a few external addresses are allowed to reach the internal service

ip address-set permit_vpn_client type object

 address 0 range 180.10.123.1 180.10.123.1

(2) Define the destination address group; only the specified internal address may be reached. Both the internal server address and the egress address need to be included

ip address-set server_vpn type object

 address 0 range 113.65.10.1 113.65.10.1

 address 1 range 172.16.10.10 172.16.10.10

 

(3) Configure the service port: only allow the external network to reach the OpenVPN server's port

ip service-set vpn_port type object

 service 0 protocol tcp source-port 0 to 65535 destination-port 1194

 

(4) Configure the policy that allows access from outside to inside

security-policy

 rule name untrust_to_trust

  source-zone untrust

  destination-zone trust                 

  source-address address-set permit_vpn_client         #reference the source address group

  destination-address address-set server_vpn              #reference the destination address group

  service vpn_port

  action permit

 

Web configuration:

 

 

 

4.3.2. Access from inside to outside:

security-policy

 rule name trust_to_untrust

  source-zone trust

  destination-zone untrust

  action permit

Web configuration:

 

4.3.3. Local zone to trust

This rule is needed when the firewall's interface address must be reachable by ping from the internal network:

security-policy

 rule name local_to_trust

  source-zone local

  destination-zone trust

  action permit

Web configuration:

5. Basic server environment configuration:

5.1. Disable SELinux and firewalld

systemctl stop firewalld && systemctl disable firewalld

getenforce    #check the current SELinux status

setenforce 0 && sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

5.2. Configure the yum repositories needed for the installation.

(1) Change the system's built-in Base repo to point at the Tsinghua mirror

In vi, run the following substitution to replace every mirror URL so the Base repo points at the Tsinghua mirror:

[root@node2 yum.repos.d]# vi CentOS-Base.repo

:%s@http://mirror.centos.org/@https://mirrors.tuna.tsinghua.edu.cn/@

5.3. Install the EPEL repository

[root@node2 yum.repos.d]# yum -y install epel-release

Configure EPEL

Use the following command to point epel at the Tsinghua University mirror

[root@worker01 yum.repos.d]# sed -e 's!^metalink=!#metalink=!g' \
    -e 's!^#baseurl=!baseurl=!g' \
    -e 's!//download\.fedoraproject\.org/pub!//mirrors.tuna.tsinghua.edu.cn!g' \
    -e 's!//download\.example/pub!//mirrors.tuna.tsinghua.edu.cn!g' \
    -e 's!http://mirrors!https://mirrors!g' \
    -i /etc/yum.repos.d/epel*.repo

Or use the simpler way of using the EPEL mirror.

3. Setting up OpenVPN on the server

1. Compile and install OpenSSL:

    OpenVPN uses the OpenSSL library to encrypt data and control information, so OpenSSL must be installed first.

 

1.1. Download OpenSSL:

   1.1.1  OpenSSL download site:

            /source/index.html

        

   1.1.2  OpenSSL download URL

             https://www.openssl.org/source/openssl-1.1.1q.tar.gz

 

1.2. Install the dependencies:

[root@worker02 ~]# yum install -y zlib zlib-devel perl-CPAN

1.3. Upload the downloaded OpenSSL source package to the system

[root@worker02 ~]# rz

rz waiting to receive.

Starting zmodem transfer.  Press Ctrl+C to cancel.

Transferring openssl-1.1.1q.tar.gz...

  100%    9632 KB    9632 KB/sec    00:00:01       0 Errors 

[root@worker02 ~]#

1.4. Extract the source package and enter the extracted openssl directory:

[root@worker02 ~]# tar xf openssl-1.1.1q.tar.gz

[root@worker02 ~]# cd openssl-1.1.1q

[root@worker02 openssl-1.1.1q]#

1.5. Configure the build parameters:

[root@worker02 openssl-1.1.1q]# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl --shared zlib

Operating system: x86_64-whatever-linux2

Configuring OpenSSL version 1.1.1q (0x1010111fL) for linux-x86_64

Using os-specific seed configuration

Creating configdata.pm

Creating Makefile

**********************************************************************

***                                                                ***

***   OpenSSL has been successfully configured                     ***

***                                                                ***

***   If you encounter a problem while building, please open an    ***

***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***

***   and include the output from the following command:           ***

***                                                                ***

***       perl configdata.pm --dump                                ***

***                                                                ***

***   (If you are new to OpenSSL, you might want to consult the    ***

***   'Troubleshooting' section in the INSTALL file first)         ***

***                                                                ***

**********************************************************************

[root@worker02 openssl-1.1.1q]#

[root@worker02 openssl-1.1.1q]# ./config -t

Operating system: x86_64-whatever-linux2

/usr/bin/env __CNF_CPPDEFINES='' __CNF_CPPINCLUDES='' __CNF_CPPFLAGS='' __CNF_CFLAGS='' __CNF_CXXFLAGS='' __CNF_LDFLAGS='' __CNF_LDLIBS='' /usr/bin/perl ./Configure linux-x86_64

[root@worker02 openssl-1.1.1q]#

1.6. Compile:

[root@worker02 openssl-1.1.1q]# make -j4

 

1.7. Install:

[root@worker02 openssl-1.1.1q]# make install

[root@worker02 openssl-1.1.1q]# echo $?

0

[root@worker02 openssl-1.1.1q]#

1.8. Back up the original openssl:

[root@worker02 openssl-1.1.1q]# mv /usr/bin/openssl /usr/bin/openssl.bak

[root@worker02 openssl-1.1.1q]#

1.9. Symlink openssl into the bin directory and export the header files:

[root@worker02 openssl-1.1.1q]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

[root@worker02 openssl-1.1.1q]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl

[root@worker02 openssl-1.1.1q]#

 

1.10. Make the library files take effect:

[root@worker02 openssl-1.1.1q]# echo '/usr/local/openssl/lib/' >> /etc/ld.so.conf

[root@worker02 openssl-1.1.1q]#

[root@worker02 openssl-1.1.1q]# ldconfig -v


1.11. Configure the openssl environment variable:

[root@worker02 openssl-1.1.1q]# vi /etc/profile.d/openssl.sh

export PATH=$PATH:/usr/local/openssl/bin

[root@worker02 openssl-1.1.1q]# source /etc/profile.d/openssl.sh      

[root@worker02 openssl-1.1.1q]#

[root@worker02 openssl-1.1.1q]# which openssl

/usr/bin/openssl

[root@worker02 openssl-1.1.1q]# openssl version

OpenSSL 1.1.1q  5 Jul 2022

[root@worker02 openssl-1.1.1q]# ll

2. Install OpenVPN

2.1. Download the source package to compile and install

https://openvpn.net/community-downloads/

2.3. Upload the downloaded source package to the system

[root@worker02 ~]# rz

rz waiting to receive.

Starting zmodem transfer.  Press Ctrl+C to cancel.

Transferring openvpn-2.5.7.tar.gz...

  100%    1812 KB    1812 KB/sec    00:00:01       0 Errors 

2.4. Install the dependencies first

# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-lib cyrus-sasl-gssapi pam_krb5  pam pam-devel lzo* -y

2.5. Extract the source package:

[root@worker02 ~]#

[root@worker02 ~]# tar xf openvpn-2.5.7.tar.gz

[root@worker02 ~]# ll

total 50588

-rw-------.  1 root root     1583 Aug  4 02:18 anaconda-ks.cfg

-rw-r--r--   1 root root 39677175 Aug 19 05:48 cni-plugins-linux-amd64-v0.9.0.tgz

-rw-r--r--   1 root root     4323 Aug 23 05:46 i.y

-rw-r--r--   1 root root     5693 Aug 19 13:47 kube-flannel.yml

-rw-r--r--   1 root root    24904 Oct 31 03:11 mysql57-community-release-sles12.rpm

drwxrwxr-x  19 root root     4096 Oct 31 02:48 openssl-1.1.1q

-rw-r--r--   1 root root  9864061 Oct 30 23:48 openssl-1.1.1q.tar.gz

drwxrwxr-x  12 1000 1000     4096 May 24 04:48 openvpn-2.5.7

-rw-r--r--   1 root root  1855516 Oct 31 05:20 openvpn-2.5.7.tar.gz

drwxrwxrwx   3 1000 1000     4096 Oct 31 04:04 pam_mysql-0.7pre3

-rw-r--r--   1 root root   333992 Oct 30 22:47 pam_mysql-0.7pre3.tar.gz

[root@worker02 ~]#

2.6. Enter the extracted openvpn directory and configure the build parameters for the installation:

[root@worker02 ~]# cd openvpn-2.5.7

[root@worker02 openvpn-2.5.7]# ./configure OPENSSL_LIBS="-L/usr/local/openssl/lib/ -lssl -lcrypto" OPENSSL_CFLAGS="-I/usr/local/openssl/include/" --prefix=/usr/local/openvpn

2.7. Compile and install:

[root@worker02 openvpn-2.5.7]# make && make install

Note:

After installation, the PAM authentication plugin used later is installed into /usr/local/openvpn/lib/openvpn/plugins/

(it is installed from /root/openvpn-2.5.7/src/plugins/auth-pam/.libs/openvpn-plugin-auth-pam.so)

/usr/local/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so

openvpn-plugin-auth-pam.so can also be copied to /etc/openvpn/, but doing so does not seem to have any effect:

[root@localhost .libs]# pwd

/root/openvpn-2.5.7/src/plugins/auth-pam/.libs

[root@localhost .libs]#

[root@localhost .libs]# cp openvpn-plugin-auth-pam.so /etc/openvpn/

2.8. Add the openvpn environment variable

[root@localhost .libs]# echo -e "PATH=\$PATH:/usr/local/openvpn/sbin" >/etc/profile.d/openvpn.sh

2.9. Enable kernel IP forwarding:

2.9.1. A Linux system acting as a router or VPN server must have IP forwarding enabled

Before configuring openvpn, enable kernel forwarding first

[root@localhost]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

[root@localhost]# systemctl restart network

2.9.2. Configure iptables address masquerading (MASQUERADE), which rewrites the source IP of outgoing packets to the firewall's own IP; a port range can be specified. After this action, processing continues at the next chain (mangle:postrouting).

This differs slightly from SNAT: with IP masquerading you do not specify which IP to masquerade as; the address is read directly from the network interface.

This step is critical: without it, a client that dials in can only communicate with the OpenVPN server itself and cannot reach other resources on the internal network.

[root@localhost]# iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE

Or:

[root@localhost]# iptables -t nat -A POSTROUTING -s 10.88.60.0/24 -j MASQUERADE    #translate the 10.88.60.0/24 subnet

Save the rules

[root@openvpn-wzhl ~]# service iptables save     

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@openvpn-wzhl ~]#

3. Use easy-rsa to create the CA certificate and the other certificates OpenVPN uses

3.1. easy-rsa is needed to create the CA certificate, so download easy-rsa first:

  Download the latest easy-rsa from GitHub

   https://github.com/OpenVPN/easy-rsa (download the package)

3.2. Upload and extract

[root@VPN-Server ~]# rz

rz waiting to receive.

Starting zmodem transfer.  Press Ctrl+C to cancel.

Transferring easy-rsa-3.1.1.zip...

  100%    6265 KB    6265 KB/sec    00:00:01       0 Errors 

[root@VPN-Server ~]#

Extract:

[root@VPN-Server ~]# unzip easy-rsa-3.1.1.zip

3.3. Configure and use easy-rsa to generate the certificates OpenVPN needs.

  (1) After easy-rsa-3.1.1.zip is extracted, the /easyrsa3/ directory under it contains easy-rsa's sample configuration file; copy it and name the copy vars:

[root@VPN-Server ~]# cd easy-rsa-3.1.1/easyrsa3/

[root@VPN-Server easyrsa3]# cp vars.example vars

  (2) Edit the vars file according to your own environment

[root@VPN-Server easyrsa3]# vim vars

set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "GuangXi"
set_var EASYRSA_REQ_CITY        "NanNing"
set_var EASYRSA_REQ_ORG         "ITOps"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "My OpenVPN"
# CA certificate validity, in days
set_var EASYRSA_CA_EXPIRE      36500
# validity of issued certificates, in days
set_var EASYRSA_CERT_EXPIRE    36500

(3) After editing vars, run the following command so that the changes take effect:

[root@VPN-Server easyrsa3]# source vars

3.4. Create the server certificate and key

Enter the /root/easy-rsa-3.1.1/easyrsa3/ directory

[root@VPN-Server ~]# cd /root/easy-rsa-3.1.1/easyrsa3/

① Initialize: this creates a pki directory that will hold the certificate files generated later.

[root@VPN-Server easyrsa3]# ./easyrsa init-pki

② Create the root (CA) certificate

[root@VPN-Server easyrsa3]# ./easyrsa build-ca

Note: this step asks for a PEM pass phrase, entered twice. You must remember this password, otherwise you will not be able to sign certificates later. It also asks for a common name; set any unique name you like, or press Enter to skip it (this installation just pressed Enter).

③ Create the server certificate

Create the server certificate request and private key; nopass means the private key file is not encrypted

[root@VPN-Server easyrsa3]# ./easyrsa gen-req server nopass

This step asks for a common name; it can be anything but must not be the same as the root certificate's. Pressing Enter uses the default common name server, which this installation uses.

④ Sign the server certificate

[root@VPN-Server easyrsa3]# ./easyrsa sign server server

This command asks you to confirm by typing yes and then asks for the password chosen when the CA was created. If you forgot the password, start over from the beginning.

⑤ Create the Diffie-Hellman parameters, which protect the key exchange across an untrusted network

[root@VPN-Server easyrsa3]# ./easyrsa gen-dh

3.5. Create the client certificate

① Create the client certificate request and key (nopass means the key file is not encrypted; press Enter to accept the defaults during generation)

[root@VPN-Server easyrsa3]# ./easyrsa gen-req client nopass

② Sign the certificate

[root@VPN-Server easyrsa3]# ./easyrsa sign client client

Signing is the same as for the server certificate, and the CA password is required again

3.6. Put the required server-side certificate and key files in /etc/openvpn/

    Because openvpn was compiled from source, the /etc/openvpn/ directory must be created first:

[root@VPN-Server easyrsa3]# mkdir /etc/openvpn/

3.6.1. Copy the CA certificate and the server certificate and key to /etc/openvpn/:

[root@VPN-Server easyrsa3]# pwd

/root/easy-rsa-3.1.1/easyrsa3

[root@VPN-Server easyrsa3]# cp -a pki/ca.crt /etc/openvpn/              

[root@VPN-Server easyrsa3]# cp -a pki/issued/server.crt /etc/openvpn/              

[root@VPN-Server easyrsa3]# cp -a pki/private/server.key /etc/openvpn/              

[root@VPN-Server easyrsa3]# cp -a pki/dh.pem /etc/openvpn/            

3.6.2. Use OpenVPN to create the TLS authentication key; the openvpn command used here is only available after OpenVPN has been installed:

[root@VPN-Server easyrsa3]# /usr/local/openvpn/sbin/openvpn --genkey --secret /etc/openvpn/ta.key

3.7. Write the server configuration file

  (1) When openvpn is installed, it provides a sample server configuration: in the extracted directory /openvpn-2.5.7/sample/sample-config-files/ there is a server.conf file. Copy it to /etc/openvpn

[root@VPN-Server ~]# cp /root/openvpn-2.5.7/sample/sample-config-files/server.conf /etc/openvpn/

   (2) Edit the configuration file

[root@VPN-Server ~]# vim /etc/openvpn/server.conf

[root@VPN-Server ~]# grep '^[^#|;]' /etc/openvpn/server.conf  

The settings that were changed are as follows:

port 1194
Listening port
proto tcp
Listening protocol
dev tun
Routed tunnel mode
ca /etc/openvpn/ca.crt
Path of the CA certificate
cert /etc/openvpn/server.crt
Server certificate
key /etc/openvpn/server.key  # This file should be kept secret
Server private key
dh /etc/openvpn/dh.pem
Diffie-Hellman parameters for the key exchange
server 10.88.0.0 255.255.255.0
Address pool handed out to VPN clients; note: it must not overlap the VPN server's internal subnet
ifconfig-pool-persist ipp.txt
push "route 10.88.0.0 255.255.255.0"
Advertise the network assigned to clients (push carries a client option, so the route keyword is required). The internal subnet must also be advertised; otherwise clients cannot reach hosts on the internal network after connecting
push "route 172.16.10.0 255.255.255.0"
Advertise the headquarters internal subnet so that connected clients can reach hosts on the headquarters intranet
push "redirect-gateway def1 bypass-dhcp"
Push a default gateway so that client traffic is routed through the VPN
push "dhcp-option DNS 8.8.8.8"
DNS server handed to clients as a DHCP option
client-to-client
Allow VPN clients to communicate with each other
keepalive 10 120
Liveness check: ping every 10 seconds; if no response within 120 seconds, the link is considered down
tls-auth /etc/openvpn/ta.key 0 # This file is secret
Enable tls-auth: ta.key is an HMAC key that protects the TLS control channel against attacks, including denial of service. The second parameter is 0 on the server and 1 on the client
cipher AES-256-GCM
Encryption mode: the sample file uses CBC; change it to GCM mode
comp-lzo
Compress transmitted data
max-clients 100
Allow at most 100 client connections
persist-key
persist-tun
status openvpn-status.log
log         /var/log/openvpn.log
verb 3

3.8. Start openvpn:

[root@localhost .libs]# /usr/local/openvpn/sbin/openvpn /etc/openvpn/server.conf &

[1] 36909

[root@localhost .libs]# 2022-11-01 02:46:41 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.

[root@localhost .libs]# netstat -tunlp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1019/sshd          

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1218/master        

tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      36909/openvpn      

tcp6       0      0 :::22                   :::*                    LISTEN      1019/sshd          

tcp6       0      0 ::1:25                  :::*                    LISTEN      1218/master        

tcp6       0      0 :::3306                 :::*                    LISTEN      1757/mysqld        

udp        0      0 0.0.0.0:68              0.0.0.0:*                           775/dhclient       

udp        0      0 127.0.0.1:323           0.0.0.0:*                           709/chronyd        

udp6       0      0 ::1:323                 :::*                                709/chronyd        

[root@localhost .libs]#

3.8.1. Create the systemd unit file:

The unit file can be placed in /etc/systemd/system/ or in /usr/lib/systemd/system/:

[root@localhost ~]# cat /usr/lib/systemd/system/openvpn.service

[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target

[Service]
ExecStart=/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf
# systemd requires an absolute path in Exec* lines (killall comes from the psmisc package)
ExecStop=/usr/bin/killall openvpn

3.8.2. Load the service

[root@localhost ~]# systemctl daemon-reload

#enable at boot

[root@localhost ~]# systemctl enable openvpn.service

#start the service

[root@localhost ~]# systemctl start openvpn.service

Note: before managing openvpn with systemd, stop the openvpn process that was started manually earlier; only then manage it with systemd.

#check the service status

[root@localhost system]# systemctl status openvpn.service

● openvpn.service - OpenVPN Server

   Loaded: loaded (/usr/lib/systemd/system/openvpn.service; disabled; vendor preset: disabled)

   Active: active (running) since Tue 2023-02-21 03:10:31 EST; 6s ago

 Main PID: 1805 (openvpn)

   CGroup: /system.slice/openvpn.service

           ├─1805 /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf

           └─1806 /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 TCPv4_SERVER link lo...94

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 TCPv4_SERVER link re...C]

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 MULTI: multi_init ca...56

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 IFCONFIG POOL IPv4: ...62

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 ifconfig_pool_read()...,'

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 succeeded -> ifconfi...0)

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 IFCONFIG POOL LIST

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 qd,10.88.0.4,

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 MULTI: TCP INIT maxc...04

Feb 21 03:10:31 localhost.localdomain openvpn[1805]: 2023-02-21 03:10:31 Initialization Seque...ed

Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost system]#

3.9. Write the client configuration file

     Continue on the server to prepare the client configuration file. After openvpn was installed on the server, a sample client configuration file was provided: the extracted directory contains a client.conf template under sample/sample-config-files.

3.9.1 Copy the client configuration file client.conf to a directory of your own, here /root/client:

[root@VPN-Server ~]# mkdir client

[root@VPN-Server easyrsa3]# cd /root/openvpn-2.5.7/sample/sample-config-files

[root@VPN-Server sample-config-files]# cp client.conf /root/client

 

3.9.2. Copy the certificate and key used by the client to /root/client:

[root@VPN-Server ~]# cd  /root/easy-rsa-3.1.1/easyrsa3/

[root@VPN-Server easyrsa3]# ll

total 184

-rwxr-xr-x. 1 root root 146271 Oct 13 07:28 easyrsa

-rw-------. 1 root root      0 Oct 23 22:17 ipp.txt

-rw-r--r--. 1 root root   5043 Oct 13 07:28 openssl-easyrsa.cnf

-rw-------. 1 root root    232 Oct 23 22:23 openvpn-status.log

drwx------. 7 root root   4096 Oct 23 21:51 pki

-rw-r--r--. 1 root root   9425 Oct 23 21:46 vars

-rw-r--r--. 1 root root   9464 Oct 13 07:28 vars.example

drwxr-xr-x. 2 root root    122 Oct 13 07:28 x509-types

[root@VPN-Server easyrsa3]#

3.9.2. Copy the client certificates to /root/client:

[root@VPN-Server easyrsa3]# cp -a pki/ca.crt /root/client/

[root@VPN-Server easyrsa3]# cp -a pki/issued/client.crt /root/client/

[root@VPN-Server easyrsa3]# cp -a pki/private/client.key /root/client/

[root@VPN-Server easyrsa3]# cp -a /etc/openvpn/ta.key /root/client/

3.9.3. Edit the client.conf configuration file as follows:

client

dev tun

proto tcp

remote 113.65.10.1 33808

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client.crt

key client.key

remote-cert-tls server

tls-auth ta.key 1

cipher AES-256-GCM

comp-lzo

verb 3

auth-nocache
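As an added example (not code from the original post), a small Python lint that checks the server.conf from 3.7 and the client.conf from 3.9.3 against each other for the points explained above: push "route" syntax, tls-auth key direction 0/1, a GCM cipher, comp-lzo, proto/cipher agreement, and a client pool that collides with the 172.16.10.0/24 or 192.168.50.0/24 subnets. The two embedded configs are constructed from this page's values; the lint function and its message wording are mine.

```python
"""Lint an OpenVPN server.conf / client.conf pair for the pitfalls this page
touches: push "route" syntax, tls-auth key direction (server 0, client 1),
AEAD ciphers, comp-lzo, proto/cipher agreement, and a client address pool
that overlaps the intranet reached through the tunnel."""
import ipaddress
import shlex

# Constructed sample configs using this page's values. The unqualified
# push "10.88.0.0 ..." line is kept on purpose so the check below fires.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
server 10.88.0.0 255.255.255.0
push "10.88.0.0 255.255.255.0"
push "route 172.16.10.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
tls-auth /etc/openvpn/ta.key 0   # This file is secret
cipher AES-256-GCM
comp-lzo
"""
CLIENT_CONF = """\
client
dev tun
proto tcp
remote 113.65.10.1 33808
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
comp-lzo
"""
# Subnets the VPN pool must not collide with (headquarters LAN, branch LAN).
INTRANETS = [ipaddress.ip_network("172.16.10.0/24"),
             ipaddress.ip_network("192.168.50.0/24")]


def parse(text):
    """Map option name -> list of argument lists. '#' and ';' start comments;
    a quoted push payload comes back as a single argument."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def lint(server_text, client_text, intranets=INTRANETS):
    """Return human-readable findings; an empty list means the pair is consistent."""
    s, c, out = parse(server_text), parse(client_text), []
    for args in s.get("push", []):
        payload = " ".join(args)
        if payload and payload[0].isdigit():  # bare "net mask" is not a client option
            out.append(f'server: push "{payload}" is invalid; use push "route {payload}"')
    if "server" in s:
        net, mask = s["server"][0][:2]
        pool = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        out += [f"server: client pool {pool} overlaps intranet {lan}"
                for lan in intranets if pool.overlaps(lan)]
    for side, conf, want in (("server", s, "0"), ("client", c, "1")):
        ta = conf.get("tls-auth")
        if ta and (len(ta[0]) < 2 or ta[0][1] != want):
            out.append(f"{side}: tls-auth must use key direction {want}")
        cipher = conf.get("cipher", [[None]])[0][0]
        if cipher and not cipher.upper().endswith("-GCM"):
            out.append(f"{side}: cipher {cipher} is not an AEAD (GCM) mode")
    if "comp-lzo" in s:
        out.append("server: comp-lzo enables compression, which OpenVPN 2.5 warns "
                   "has been used to break encryption; remove it on both sides")
    for opt in ("proto", "cipher"):
        if opt in s and opt in c and s[opt][0] != c[opt][0]:
            out.append(f"{opt} differs: server {s[opt][0][0]} vs client {c[opt][0][0]}")
    if "remote-cert-tls" not in c:
        out.append("client: add remote-cert-tls server so a client cert cannot pose as the server")
    return out
```

Run `lint(SERVER_CONF, CLIENT_CONF)` to see the two findings for the sample pair; pass the real files' contents to check a deployment.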

3.9.4. Because the client runs Windows, rename client.conf to client.ovpn:

[root@VPN-Server client]# mv client.conf client.ovpn

When using the OpenVPN client on Windows, the .conf file must be renamed with the .ovpn suffix.

Package the client directory:

[root@localhost ~]# tar cf client.tar client

Copy client.tar to the Windows host. After installing the OpenVPN client on Windows, extract client.tar and put all files from the client directory into the config directory under the OpenVPN client's installation directory.

4. Connecting to OpenVPN from the client

1. Download and install the OpenVPN client

Windows client

Mac client

2. Install the OpenVPN client on Windows 10:

Use the default installation (the OpenVPN client needs .NET support; with a working network connection it is installed automatically)

3. After the client is installed, copy the files from the server's /root/client directory to the client's config directory:

4. Start the client

(1) Start it; note that it must be started with administrator privileges

(2) Connected successfully

5. Test whether it works

(1) Check the IP on the client; it is indeed the IP assigned by OpenVPN


Source: blog.csdn.net/yjun89/article/details/131353510