1. Introduction and deployment of OpenVPN
1.1 Introduction to OpenVPN
OpenVPN is a robust and efficient VPN daemon. It supports SSL/TLS security, Ethernet bridging, transport over TCP or UDP (including through a proxy or a NAT), dynamic IP addresses and DHCP, can scale to hundreds of users, and is portable to most major operating systems.
OpenVPN requires the OpenSSL library because it relies on OpenSSL's cryptographic capabilities.
OpenVPN supports conventional encryption with a pre-shared key (static key mode) as well as certificate-based public key security between client and server (SSL/TLS mode). It also supports unencrypted TCP/UDP channels. OpenVPN is designed to attach to the network through the TUN/TAP virtual network interface, which is available on most platforms.
OpenVPN lets any option be placed either on the command line or in a configuration file (in configuration files, options are called directives).
1.2 OpenVPN deployment
1.2.1 OpenVPN deployment environment
A HUAWEI CLOUD host is used as the OpenVPN server.
Host | IP |
---|---|
openvpn server | 192.168.0.248 |
web server node1 | 192.168.0.250 |
Windows 10 client | 192.168.10.18 |
Operating system version and time synchronisation
[root@openvpn-server ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@openvpn-server ~]# ntp
ntpd ntpdc ntpq ntptime
ntpdate ntp-keygen ntpstat
[root@openvpn-server ~]# ntpdate time1.aliyun.com
6 Feb 10:46:45 ntpdate[12220]: the NTP socket is in use, exiting
1.2.2 Install OpenVPN
Install openvpn and the easy-rsa certificate management tools
[root@openvpn-server ~]# yum install epel-release -y
[root@openvpn-server ~]# yum install openvpn -y
[root@openvpn-server ~]# yum install easy-rsa -y
Organise the configuration files
[root@openvpn-server ~]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-server
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easyrsa-server/3
3/ 3.0/ 3.0.6/
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easyrsa-server/3/vars
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-server
[root@openvpn-server easyrsa-server]# cd 3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── server
    └── serverClient
1 directory, 9 files
1.2.3 Initialise the PKI environment and the CA issuing authority
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ll
total 72
-rwxr-xr-x 1 root root 48730 Feb 6 10:37 easyrsa
-rw-r--r-- 1 root root 4651 Feb 6 10:37 openssl-easyrsa.cnf
-rw-r--r-- 1 root root 8576 Feb 6 10:37 vars
drwxr-xr-x 2 root root 4096 Feb 6 10:37 x509-types
[root@openvpn-server 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa-server/3/pki
[root@openvpn-server 3]# ll pki/
total 16
-rw------- 1 root root 4651 Feb 6 10:48 openssl-easyrsa.cnf
drwx------ 2 root root 4096 Feb 6 10:48 private
drwx------ 2 root root 4096 Feb 6 10:48 reqs
1.2.4 Create the CA
[root@openvpn-server 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
......................+++
...................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easyrsa-server/3/pki/ca.crt
[root@openvpn-server 3]# ll pki/c
ca.crt certs_by_serial/
[root@openvpn-server 3]# ll pki/ca.crt
-rw------- 1 root root 1172 Feb 6 10:49 pki/ca.crt
[root@openvpn-server 3]# ll pki/private/ca.key
-rw------- 1 root root 1675 Feb 6 10:49 pki/private/ca.key
1.2.5 Generate the server private key
[root@openvpn-server 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.............................+++
.+++
writing new private key to '/etc/openvpn/easyrsa-server/3/pki/private/server.key.k5cfaNWDBd'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easyrsa-server/3/pki/private/server.key
[root@openvpn-server 3]# ll pki/reqs/
total 4
-rw------- 1 root root 887 Feb 6 10:50 server.req
[root@openvpn-server 3]# ll pki/private/
total 8
-rw------- 1 root root 1675 Feb 6 10:49 ca.key
-rw------- 1 root root 1704 Feb 6 10:50 server.key
1.2.6 Issue the server certificate
Use the self-built CA to issue the server certificate, i.e. generate the server's crt file; the certificate is later sent to each user's client
so that encrypted data transmission with the openvpn server can take place.
[root@openvpn-server 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jan 21 02:54:54 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/server.crt
[root@openvpn-server 3]# ll pki/issued/server.crt
-rw------- 1 root root 4552 Feb 6 10:54 pki/issued/server.crt
1.2.7 Generate the dh.pem file
The DH key exchange method, published by Whitfield Diffie and Martin Hellman in 1976, is a security
protocol that lets two parties with no prior knowledge of each other establish a key over an insecure channel. This key is generally
used by both parties as the symmetric encryption key for the data transmitted afterwards. The mathematical basis of DH is the
discrete logarithm problem. Asymmetric algorithms such as RSA do similar things. DH has a wide range of applications, including SSH,
VPN and HTTPS, and is considered a cornerstone of modern cryptography.
The difference between a .pem file and a .crt file is only the encoding; both are essentially certificate files.
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................+...........................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easyrsa-server/3/pki/dh.pem
[root@openvpn-server 3]# ll /etc/openvpn/easyrsa-server/3/pki/dh.pem
-rw------- 1 root root 424 Feb 6 10:58 /etc/openvpn/easyrsa-server/3/pki/dh.pem
1.2.8 Generate the client certificate
[root@openvpn-server ~]# pwd
/root
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-client
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easyrsa-client/3/vars
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ll
total 72
-rwxr-xr-x 1 root root 48730 Feb 6 11:01 easyrsa
-rw-r--r-- 1 root root 4651 Feb 6 11:01 openssl-easyrsa.cnf
-rw-r--r-- 1 root root 8576 Feb 6 11:01 vars
drwxr-xr-x 2 root root 4096 Feb 6 11:01 x509-types
[root@openvpn-server 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa-client/3/pki
[root@openvpn-server 3]# ll pki
total 16
-rw------- 1 root root 4651 Feb 6 11:02 openssl-easyrsa.cnf
drwx------ 2 root root 4096 Feb 6 11:02 private
drwx------ 2 root root 4096 Feb 6 11:02 reqs
[root@openvpn-server 3]# ll pki/private/
total 0
[root@openvpn-server 3]# ll pki/reqs/
total 0
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ./easyrsa gen-req lisuo nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.............+++
......................................................................................+++
writing new private key to '/etc/openvpn/easyrsa-client/3/pki/private/lisuo.key.qShPkliedt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [lisuo]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req
key: /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key
[root@openvpn-server 3]# tree /etc/openvpn/easyrsa-client/3/pki/
/etc/openvpn/easyrsa-client/3/pki/
├── openssl-easyrsa.cnf
├── private
│   └── lisuo.key
├── reqs
│   └── lisuo.req
└── safessl-easyrsa.cnf
2 directories, 4 files
1.2.9 Issue the certificate for the client
Issue client certificates from the openvpn server's easy-rsa directory
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req lisuo
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: lisuo
You may now use this name to perform signing operations on this request.
[root@openvpn-server 3]# ./easyrsa sign client lisuo
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = lisuo
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName :ASN.1 12:'lisuo'
Certificate is to be certified until Jan 21 03:07:37 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt
[root@openvpn-server 3]# ll /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt
-rw------- 1 root root 4431 Feb 6 11:07 /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt
1.2.10 Archive the server certificate in the server directory
Archive and store the issued server certificate
[root@openvpn-server 3]# mkdir /etc/openvpn/certs
[root@openvpn-server 3]# cd /etc/openvpn/certs
[root@openvpn-server certs]# pwd
/etc/openvpn/certs
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/dh.pem .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/issued/server.crt .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/private/server.key .
[root@openvpn-server certs]# pwd
/etc/openvpn/certs
[root@openvpn-server certs]# tree
.
├── ca.crt
├── dh.pem
├── server.crt
└── server.key
0 directories, 4 files
1.2.11 Archive the client certificate in its own directory
Archive and store the issued client certificate
[root@openvpn-server certs]# mkdir /etc/openvpn/client/lisuo
[root@openvpn-server certs]# cd /etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# pwe
-bash: pwe: command not found
[root@openvpn-server lisuo]# pwd
/etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/private/lisuo.key .
cp: cannot stat ‘/etc/openvpn/easyrsa-server/3/pki/private/lisuo.key’: No such file or directory
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key .
[root@openvpn-server lisuo]# pwd
/etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── lisuo.crt
└── lisuo.key
0 directories, 3 files
1.2.12 Server configuration
Server-side configuration directives
[root@openvpn-server ~]# vim /etc/openvpn/server.conf
local 192.168.0.248 # IP address this host listens on
port 1194 # port
# TCP or UDP server?
proto tcp # protocol, i.e. the type of tunnel OpenVPN creates
#proto udp
#dev tap: creates an Ethernet tunnel; Ethernet bridging uses tap
dev tun # creates a routed IP tunnel; a TUN device is used most of the time for IP-based traffic. A TAP device lets
# complete Ethernet frames through the OpenVPN tunnel and therefore supports non-IP protocols such as IPX and AppleTalk
#dev-node MyTap # TAP-Win32 adapter; not needed on non-Windows systems
#topology subnet # network topology; no configuration needed
server 10.8.0.0 255.255.255.0 # address pool for connecting clients; the server takes the first address, 10.8.0.1, by default
#ifconfig-pool-persist ipp.txt # assign fixed IPs to clients; not needed
#server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # bridge mode; not needed
push "route 10.20.0.0 255.255.255.0" # static route pushed to clients, next hop is the OpenVPN server's
# 10.8.0.1; the range is the company internal network behind the OpenVPN server, and several ranges may be pushed
push "route 192.168.0.0 255.255.255.0"
;client-config-dir ccd # add routes for a specific client; such a route is usually the internal network behind the client, not the server's, and is not needed either
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script # run an external script to create per-group iptables rules; not configured
;push "redirect-gateway def1 bypass-dhcp" # when enabled, all client traffic goes through the VPN server; not needed
#;push "dhcp-option DNS 208.67.222.222" # push DNS servers; not needed
#;push "dhcp-option DNS 208.67.220.220"
#client-to-client # allow different clients to talk to each other directly through the openvpn server; not enabled
;duplicate-cn # several users share one account; for test environments only, in production each user gets their own certificate
keepalive 10 120 # server-side liveness check interval and timeout: ping every 10 seconds by default, and consider the peer down after 120 seconds without a reply
#tls-auth /etc/openvpn/server/ta.key 0 # generate the key with: openvpn --genkey --secret ta.key
# the server and every client need a copy of this key; the second parameter is '0' on the server and '1' on the client
cipher AES-256-CBC # encryption algorithm
;compress lz4-v2 # enable compression
;push "compress lz4-v2"
;comp-lzo # compression setting compatible with older clients; compression must be enabled on the client
;max-clients 100 # maximum number of clients
user nobody # user and group the openvpn service runs as
group nobody
#persist-key # on restart do not re-read the key files, keep the ones read the first time; not enabled
#persist-tun # on restart keep the tun/tap device up instead of bringing it down and up again; not enabled
status openvpn-status.log # OpenVPN status file, refreshed once per minute
#;log openvpn.log # logging mode and path; log truncates the log file every time openvpn starts
log-append /var/log/openvpn/openvpn.log # after a restart, append new entries to the existing log
verb 3 # log level, 0-9; the higher the level, the more detail is recorded
mute 20 # only the first 20 messages of the same category are written to the log file
explicit-exit-notify 1 # tell clients to reconnect automatically after a server restart; udp mode only, tcp mode reconnects
# without this setting, and with tcp this option prevents the openvpn service from starting
...
[root@openvpn-server ~]# mkdir /var/log/openvpn
[root@openvpn-server ~]# chown nobody.nobody /var/log/openvpn
Final configuration
[root@openvpn-server ~]# grep "^[a-Z]" /etc/openvpn/server.conf
local 192.168.0.248
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
# tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 9
mute 20
1.2.13 Client configuration file
[root@openvpn-server ~]# cd /etc/openvpn/client/lisuo/
[root@openvpn-server lisuo]# ll
total 16
-rw------- 1 root root 1172 Feb 6 11:11 ca.crt
-rw------- 1 root root 4431 Feb 6 11:12 lisuo.crt
-rw------- 1 root root 1704 Feb 6 11:12 lisuo.key
[root@openvpn-server lisuo]# grep -Ev "^(#|$|;)" /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/client.conf > /etc/openvpn/client/lisuo/client.ovpn
[root@openvpn-server lisuo]# vim /etc/openvpn/client/lisuo/client.ovpn
client # declares this side as a client
dev tun # interface type, must match the server
proto tcp # protocol, must match the server
remote 192.168.0.248 1194 # server IP and port; a domain name is allowed but it must resolve to an IP
resolv-retry infinite # if the remote is a domain name, keep resolving it; if the name's address changes,
# reconnect to the new IP
nobind # do not bind a local listening port; the client connects from a random port to the server's 1194
persist-key
persist-tun
ca ca.crt
cert lisuo.crt
key lisuo.key
remote-cert-tls server # require the peer certificate to carry the server role (server verification)
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── client.ovpen
├── lisuo.crt
└── lisuo.key
0 directories, 4 files
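As an added check (example code written for this page, not part of OpenVPN or the original post), the script below parses a server.conf and a client.ovpn in the directive format shown above and reports mismatches the two sides must agree on (dev, proto, cipher, port) together with hardening gaps: no tls-auth/tls-crypt, no crl-verify, verb above 4, client-to-client or duplicate-cn enabled. The embedded SERVER_CONF and CLIENT_OVPN are constructed from this page's final server configuration and lisuo's client.ovpn; the check list and severity labels are this example's own.

```python
"""Consistency and hardening check for an OpenVPN server.conf / client.ovpn pair.
Added example for this page, not part of OpenVPN."""
from typing import Dict, List, Tuple

Directives = Dict[str, List[str]]   # directive name -> list of argument strings
Finding = Tuple[str, str]           # (severity, message)

# Transport values OpenVPN 2.4 accepts for "proto"; a typo such as "tdp" is rejected.
VALID_PROTO = {"udp", "tcp", "tcp-server", "tcp-client", "udp4", "udp6", "tcp4", "tcp6",
               "tcp4-server", "tcp6-server", "tcp4-client", "tcp6-client"}

# Constructed from the final server.conf on this page (abridged, same settings).
SERVER_CONF = """\
local 192.168.0.248
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
client-to-client
# tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
verb 9
"""

# Constructed from lisuo's client.ovpn on this page.
CLIENT_OVPN = """\
client
dev tun
proto tcp
remote 192.168.0.248 1194
ca ca.crt
cert lisuo.crt
key lisuo.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
"""

def parse_conf(text: str) -> Directives:
    """One directive per line; '#' and ';' start comments (OpenVPN accepts both).
    The first token is the directive, the rest of the line its arguments."""
    conf: Directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(" ".join(args))
    return conf

def first(conf: Directives, name: str, default: str = "") -> str:
    """First value of a directive, or the default when it is absent."""
    return conf.get(name, [default])[0]

def check_pair(server: Directives, client: Directives) -> List[Finding]:
    """Cross-check both files; errors break the tunnel, warns weaken it."""
    out: List[Finding] = []
    # Tunnel parameters must agree on both sides (the client config above marks
    # dev and proto "must match the server"; cipher too unless NCP negotiates it).
    for d in ("dev", "proto", "cipher"):
        s, c = first(server, d, "<unset>"), first(client, d, "<unset>")
        if s != c:
            out.append(("error", f"{d}: server has '{s}', client has '{c}'"))
    # A mistyped proto makes the daemon refuse to start.
    for side, conf in (("server", server), ("client", client)):
        if first(conf, "proto") not in VALID_PROTO:
            out.append(("error", f"{side}: unknown proto '{first(conf, 'proto')}'"))
    # The client must target the server's port (the address may legitimately
    # differ when clients reach the server through a public NAT address).
    remote, port = first(client, "remote").split(), first(server, "port", "1194")
    if len(remote) < 2 or remote[1] != port:
        out.append(("error", f"client remote '{first(client, 'remote')}' is not server port {port}"))
    # Without tls-auth/tls-crypt every packet reaching the port triggers a TLS
    # handshake attempt; the shared HMAC key lets the server drop unsigned ones early.
    if "tls-auth" not in server and "tls-crypt" not in server:
        out.append(("warn", "server: no tls-auth/tls-crypt, control channel not HMAC-protected"))
    # Without crl-verify a revoked client certificate is still accepted.
    if "crl-verify" not in server:
        out.append(("warn", "server: no crl-verify, revoked certificates remain usable"))
    # remote-cert-tls server stops a client certificate from posing as the server.
    if first(client, "remote-cert-tls") != "server":
        out.append(("warn", "client: remote-cert-tls server is missing"))
    verb = int(first(server, "verb", "1"))
    if verb > 4:
        out.append(("warn", f"server: verb {verb} logs per-packet detail, use 3 outside debugging"))
    for d in ("client-to-client", "duplicate-cn"):
        if d in server:
            out.append(("info", f"server: {d} is enabled, confirm this is intended"))
    return out

def lint(server_text: str, client_text: str) -> List[Finding]:
    """Parse both files and return their findings in check order."""
    return check_pair(parse_conf(server_text), parse_conf(client_text))

if __name__ == "__main__":
    for severity, message in lint(SERVER_CONF, CLIENT_OVPN):
        print(f"[{severity}] {message}")
```

Run against the page's own pair it reports no errors but three warnings (no tls-auth, no crl-verify, verb 9) and one note for client-to-client; a client with `proto tdp` is reported as an error.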
1.2.14 Start OpenVPN
[root@openvpn-server lisuo]# cd
[root@openvpn-server ~]# systemctl stop firewalld
[root@openvpn-server ~]# systemctl disable firewalld
[root@openvpn-server ~]# yum install iptables-services iptables -y
[root@openvpn-server ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@openvpn-server ~]# systemctl start iptables.service
[root@openvpn-server ~]# iptables -F
[root@openvpn-server ~]# iptables -X
[root@openvpn-server ~]# iptables -Z
[root@openvpn-server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 352 bytes)
pkts bytes target prot opt in out source destination
[root@openvpn-server ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
"/etc/sysctl.conf" 19L, 582C written
[root@openvpn-server ~]# sysctl -p
...
net.ipv4.ip_forward = 1
[root@openvpn-server ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
[root@openvpn-server ~]# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
[root@openvpn-server ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@openvpn-server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
36 2088 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 19 packets, 1484 bytes)
pkts bytes target prot opt in out source destination
[root@openvpn-server ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/16 0.0.0.0/0
[root@openvpn-server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@openvpn-server ~]# mkdir /var/log/openvpn
[root@openvpn-server ~]# chown nobody.nobody /var/log/openvpn
# Start OpenVPN
[root@openvpn-server ~]# systemctl start [email protected]
[root@openvpn-server ~]# systemctl status [email protected]
● [email protected] - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-02-06 12:08:13 CST; 5s ago
Main PID: 12628 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/[email protected]
└─12628 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Feb 06 12:08:13 openvpn-server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Feb 06 12:08:13 openvpn-server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@openvpn-server ~]# systemctl enable [email protected]
Created symlink from /etc/systemd/system/multi-user.target.wants/[email protected] to /usr/lib/systemd/system/[email protected].
[root@openvpn-server ~]# tail /var/log/openvpn/openvpn.log
Thu Feb 6 12:08:17 2020 us=581126 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
Thu Feb 6 12:08:17 2020 us=581133 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
Thu Feb 6 12:08:17 2020 us=581144 read from TUN/TAP returned 48
Thu Feb 6 12:08:17 2020 us=581153 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
Thu Feb 6 12:08:17 2020 us=581162 SCHEDULE: schedule_find_least NULL
Thu Feb 6 12:08:21 2020 us=589032 EP_WAIT[0] rwflags=0x0001 ev=0x00000001 arg=0x00000002
Thu Feb 6 12:08:21 2020 us=589088 MULTI: REAP range 16 -> 32
Thu Feb 6 12:08:21 2020 us=589098 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
Thu Feb 6 12:08:21 2020 us=589116 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
Thu Feb 6 12:08:21 2020 us=589126 NOTE: --mute triggered...
Check the TUN network interface:
[root@openvpn-server ~]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::8a69:b152:413b:2421 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
1.2.15 Install the OpenVPN Windows client
Official client download address
Unofficial address
1.2.16 Client connection test
Save the certificates into the openvpn client installation directory: C:\Program Files\OpenVPN\config
[root@openvpn-server ~]# cd /etc/openvpn/client/lisuo/
[root@openvpn-server lisuo]# tar -cJvf lisuo.tar.xz ./*
./ca.crt
./client.ovpen
./lisuo.crt
./lisuo.key
[root@openvpn-server lisuo]# ll
total 28
-rw------- 1 root root 1172 Feb 6 11:11 ca.crt
-rw-r--r-- 1 root root 214 Feb 6 11:47 client.ovpn
-rw------- 1 root root 4431 Feb 6 11:12 lisuo.crt
-rw------- 1 root root 1704 Feb 6 11:12 lisuo.key
-rw-r--r-- 1 root root 4756 Feb 6 12:16 lisuo.tar.xz
Connection successful: a warning is displayed saying that the current configuration caches the password in memory and that the
auth-nocache option can be used to avoid this.
Use the following on the Windows command line:
route print
Add another cloud host, IP 192.168.0.250/24, to test whether the cloud LAN can be reached directly.
[root@ecs-d1b9 ~]# hostname web-server-node1
[root@ecs-d1b9 ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.250 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::f816:3eff:feb5:85a1 prefixlen 64 scopeid 0x20<link>
ether fa:16:3e:b5:85:a1 txqueuelen 1000 (Ethernet)
RX packets 331 bytes 39550 (38.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 369 bytes 38421 (37.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@ecs-d1b9 ~]# hostname web-server-node1
[root@ecs-d1b9 ~]# exit
logout
Connection to 192.168.0.250 closed.
State of the two cloud hosts
From the Windows 10 client, an xshell connection directly to 192.168.0.250
succeeds and the hostname is web-server-node1.
2. Advanced OpenVPN features
Creating accounts and revoking account certificates as employees join and leave.
2.1 Protect the private key with a password
Create a new account named stevenux and set a certificate password to improve the certificate's security.
2.1.1 Certificate request and issuance
[root@openvpn-server lisuo]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ll
total 76
-rwxr-xr-x 1 root root 48730 Feb 6 11:01 easyrsa
-rw-r--r-- 1 root root 4651 Feb 6 11:01 openssl-easyrsa.cnf
drwx------ 4 root root 4096 Feb 6 11:04 pki
-rw-r--r-- 1 root root 8576 Feb 6 11:01 vars
drwxr-xr-x 2 root root 4096 Feb 6 11:01 x509-types
[root@openvpn-server 3]# ./easyrsa gen-req stevenux
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...............................................................+++
...................+++
writing new private key to '/etc/openvpn/easyrsa-client/3/pki/private/stevenux.key.0zvtMm6qk9'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [stevenux]:www.suosuoli.cn
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req
key: /etc/openvpn/easyrsa-client/3/pki/private/stevenux.key
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req stevenux
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: stevenux
You may now use this name to perform signing operations on this request.
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req stevenux
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Easy-RSA error:
Unable to import the request as the destination file already exists.
Please choose a different name for your imported request file.
Existing file at: /etc/openvpn/easyrsa-server/3/pki/reqs/stevenux.req
[root@openvpn-server 3]# ./easyrsa sign client stevenux
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = www.suosuoli.cn
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName :ASN.1 12:'www.suosuoli.cn'
Certificate is to be certified until Jan 21 08:15:11 2023 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/stevenux.crt
# Organise the new account's certificate files
[root@openvpn-server 3]# mkdir /etc/openvpn/client/stevenux
[root@openvpn-server 3]# cd /etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# pwd
/etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/issued/stevenux.crt .
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/private/stevenux.key .
[root@openvpn-server stevenux]# cp /etc/openvpn/client/lisuo/client.ovpn .
[root@openvpn-server stevenux]# vim client.ovpn
client
dev tun
proto tcp
remote 114.116.248.58 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3
"client.ovpn" 15L, 219C written
[root@openvpn-server stevenux]# ll
total 20
-rw------- 1 root root 1172 Feb 6 16:25 ca.crt
-rw-r--r-- 1 root root 219 Feb 6 16:27 client.ovpn
-rw------- 1 root root 1704 Feb 6 16:25 stevenux.key
-rw------- 1 root root 4453 Feb 6 16:25 stevenux.crt
[root@openvpn-server stevenux]# pwd
/etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# tar cJvf stevenux.tar.xz ./*
./ca.crt
./client.ovpn
./stevenux.key
./stevenux.crt
[root@openvpn-server stevenux]# sz stevenux.tar.xz
2.2 Account certificate management
This mainly covers creating and revoking certificates: issuing certificates to employees who join and revoking the certificates of employees who leave.
2.2.1 Configure automatic certificate expiry
The expiry time is based on the server clock: the server checks whether the certificate's validity period covers the current server time.
[root@openvpn-server stevenux]# cd /etc/openvpn/easyrsa-server/3/
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# vim vars
#set_var EASYRSA_CERT_EXPIRE 1080
set_var EASYRSA_CERT_EXPIRE 90
...
2.2.2 Manual certificate revocation
Revoke the certificate:
[root@openvpn-server 3]# cat /etc/openvpn/easyrsa-server/3/pki/index.txt
V 230121025454Z B149F5E246A16B3EF695B06030D82C3B unknown /CN=server
V 230121030737Z E18D86613FBFB4256BE241A3EB6A448F unknown /CN=lisuo
V 230121081511Z 7EC6AE9190A57A46FECC83ABA79920E3 unknown /CN=www.suosuoli.cn
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa revoke lisuo
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = lisuo
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Revoking Certificate E18D86613FBFB4256BE241A3EB6A448F.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
# Generate the certificate revocation list (CRL)
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easyrsa-server/3/pki/crl.pem
[root@openvpn-server 3]# vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easyrsa-server/3/pki/crl.pem
"/etc/openvpn/server.conf" 318L, 10946C written
...
[root@openvpn-server 3]# systemctl restart openvpn@server
At this point lisuo can no longer connect.
View the revocation records
[root@openvpn-server 3]# cat /etc/openvpn/easyrsa-server/3/pki/index.txt
V 230121025454Z B149F5E246A16B3EF695B06030D82C3B unknown /CN=server
R 230121030737Z 200206120802Z E18D86613FBFB4256BE241A3EB6A448F unknown /CN=lisuo # R means the certificate has been revoked
V 230121081511Z 7EC6AE9190A57A46FECC83ABA79920E3 unknown /CN=www.suosuoli.cn
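To see how the server clock (2.2.1) and the revocation state (2.2.2) combine, here is a small Python parser for the Easy-RSA index.txt shown above; it is an added example, not part of the tutorial. It classifies an account's certificate as valid, expired, revoked or unknown, and lists the rows that section 2.2.3 removes before a name is reissued. The sample rows are the three lines above; utc_time and the other function names are my own.

```python
"""Parse an Easy-RSA CA database (pki/index.txt) and classify what the server
will do with a given account's certificate. Added example, not tutorial code."""
from datetime import datetime, timezone

# Rows copied from the tutorial's index.txt after 'lisuo' was revoked
# (index.txt is tab-separated; the empty third column is the revocation date).
SAMPLE_INDEX = (
    "V\t230121025454Z\t\tB149F5E246A16B3EF695B06030D82C3B\tunknown\t/CN=server\n"
    "R\t230121030737Z\t200206120802Z\tE18D86613FBFB4256BE241A3EB6A448F\tunknown\t/CN=lisuo\n"
    "V\t230121081511Z\t\t7EC6AE9190A57A46FECC83ABA79920E3\tunknown\t/CN=www.suosuoli.cn\n"
)

def utc_time(stamp):
    # OpenSSL writes UTCTime as YYMMDDHHMMSSZ
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """One dict per row: status (V/R/E), expiry, revocation time, serial, CN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _filename, dn = line.split("\t")
        entries.append({
            "status": status,
            "expires": utc_time(expires),
            "revoked": utc_time(revoked) if revoked else None,
            "serial": serial,
            "cn": dn.split("/CN=", 1)[1],
        })
    return entries

def account_state(entries, cn, now):
    """Return (state, days_left) for the most recently issued certificate of cn."""
    rows = [e for e in entries if e["cn"] == cn]
    if not rows:
        return "unknown", None
    newest = max(rows, key=lambda e: e["expires"])
    if newest["status"] == "R" or newest["revoked"] is not None:
        return "revoked", None          # rejected once crl-verify points at a fresh CRL
    if now >= newest["expires"]:
        return "expired", 0             # rejected by the server clock (section 2.2.1)
    return "valid", (newest["expires"] - now).days

def reissue_blockers(entries, cn):
    """Serials of index rows for cn that the tutorial removes before reissuing that name."""
    return [e["serial"] for e in entries if e["cn"] == cn]
```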
2.2.3 Reissuing a certificate under an existing account name
If an employee named lisuo has left the company and the certificate has been revoked, and a new employee is also called
lisuo, the usual way to tell them apart is to append digits to the user name, such as lisuo1, lisuo2,
and so on. If you want to issue the certificate under the account name lisuo itself, you must first delete the
lisuo account on the server, removing its issuance record and certificate; otherwise the new user's certificate request cannot be imported.
The reissue procedure is as follows:
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-client/3/
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# rm -rf pki/private/lisuo.key
[root@openvpn-server 3]# rm -rf pki/reqs/lisuo.req
[root@openvpn-server 3]# rm -rf /etc/openvpn/client/lisuo/
# Delete the revoked record marked with R
[root@openvpn-server 3]# vim /etc/openvpn/easyrsa-server/3/pki/index.txt
R 230121030737Z 200206120802Z E18D86613FBFB4256BE241A3EB6A448F unknown /CN=lisuo
# Generate the certificate request for this account
[root@openvpn-server 3]# ./easyrsa gen-req lisuo
# Import the request into the CA and sign it
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req lisuo
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: lisuo
You may now use this name to perform signing operations on this request.
[root@openvpn-server 3]# ./easyrsa sign client lisuo
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 90 days:
subject=
commonName = lisuo
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName :ASN.1 12:'lisuo'
Certificate is to be certified until May 6 12:39:04 2020 GMT (90 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt
# Archive and package the certificate files
[root@openvpn-server 3]# mkdir /etc/openvpn/client/lisuo
[root@openvpn-server 3]# cd /etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key .
[root@openvpn-server lisuo]# cp ../stevenux/ca.crt .
[root@openvpn-server lisuo]# cp ../stevenux/client.ovpn .
[root@openvpn-server lisuo]# cat ../stevenux/client.ovpn
client
dev tun
proto tcp
remote 114.116.248.58 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3
[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── client.ovpn
├── lisuo.crt
└── lisuo.key
0 directories, 4 files
[root@openvpn-server lisuo]# tar czvf lisuo.tar.gz ./*
./ca.crt
./client.ovpn
./lisuo.crt
./lisuo.key
[root@openvpn-server lisuo]# sz lisuo.tar.gz
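The profile copied into lisuo's bundle above still names stevenux.crt and stevenux.key, so that bundle would not load as-is. The Python below, an added example rather than code from the tutorial, rewrites the cert and key directives for a given user and lists every referenced file that is missing from the bundle directory; the directory it checks is a constructed temporary folder and the function names are my own.

```python
"""Render a per-user client.ovpn and verify that the files it references are in
the bundle directory. Added example; TEMPLATE is the tutorial's stevenux profile."""
import os
import tempfile

TEMPLATE = """\
client
dev tun
proto tcp
remote 114.116.248.58 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3
"""
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt", "dh")

def render_profile(template, user):
    """Point the cert and key directives at <user>.crt / <user>.key; keep the rest."""
    ext = {"cert": "crt", "key": "key"}
    out = []
    for line in template.splitlines():
        p = line.split()
        out.append(f"{p[0]} {user}.{ext[p[0]]}" if p and p[0] in ext else line)
    return "\n".join(out) + "\n"

def referenced_files(profile):
    """File names the profile will open; commented-out directives are skipped."""
    return [p[1] for p in (l.split() for l in profile.splitlines())
            if len(p) >= 2 and p[0] in FILE_DIRECTIVES]

def missing_files(profile, directory):
    """Referenced files that are not present next to the profile."""
    return [f for f in referenced_files(profile) if not os.path.isfile(os.path.join(directory, f))]

def build_bundle_dir(user):
    """Constructed stand-in for /etc/openvpn/client/<user>: ca.crt, <user>.crt, <user>.key."""
    d = tempfile.mkdtemp()
    for name in ("ca.crt", f"{user}.crt", f"{user}.key"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("placeholder\n")  # constructed content, not a real certificate or key
    return d
```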
2.3 Configuration overview
2.3.1 OpenVPN server configuration
[root@openvpn-server ~]# cat /etc/openvpn/server.conf
local 172.18.200.101
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.0.0"
push "route 172.31.0.0 255.255.0.0"
client-to-client
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 9
mute 20
crl-verify /etc/openvpn/easy-rsa/3.0.3/pki/crl.pem
2.3.2 OpenVPN client configuration
[root@openvpn-server ~]# cat /etc/openvpn/client/zhangxiaoming/client.ovpn
client
dev tun
proto tcp
remote 172.18.200.101 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert zhangshijie.crt
key zhangshijie.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
2.4 Script to create accounts automatically
Reference scripts for creating a new OpenVPN account and for revoking a certificate:
- New account
#!/bin/bash
# Add a user to openvpn
if [[ $# -eq 0 ]]; then
    echo "Usage: $(basename "$0") USERNAME1 [USERNAME2 [USERNAME3...]]"
    exit 1
fi
for user in "$@"; do
    echo "Adding new user: $user"
    if [[ -d "/etc/openvpn/client/$user" ]]; then
        # An account with this name already exists: drop its bundle, its request
        # and its CA database record so the name can be reused (see 2.2.3)
        rm -rf "/etc/openvpn/client/$user"
        rm -f "/etc/openvpn/easy-rsa/3.0.3/pki/reqs/$user.req"
        sed -i "/\/CN=$user\$/d" /etc/openvpn/easy-rsa/3.0.3/pki/index.txt
    fi
    echo "Gen .csr file."
    cd /etc/openvpn/client/easy-rsa/3.0.3 || exit 1
    # init-pki wipes the whole client PKI, including every existing key: run it only once
    [[ -d pki ]] || ./easyrsa init-pki
    ./easyrsa gen-req "$user" nopass
    echo "Sign client certification."
    cd /etc/openvpn/easy-rsa/3.0.3/ || exit 1
    ./easyrsa import-req "/etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/$user.req" "$user"
    ./easyrsa sign client "$user"
    echo "Manage the crts."
    mkdir -p "/etc/openvpn/client/$user/"
    cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt "/etc/openvpn/client/$user/"
    cp "/etc/openvpn/easy-rsa/3.0.3/pki/issued/$user.crt" "/etc/openvpn/client/$user/"
    cp "/etc/openvpn/client/easy-rsa/3.0.3/pki/private/$user.key" "/etc/openvpn/client/$user/"
    # admin.ovpn is the template profile; it references admin.crt/admin.key, renamed here for this user
    cp /etc/openvpn/client/admin.ovpn "/etc/openvpn/client/$user/$user.ovpn"
    sed -i "s/admin/$user/g" "/etc/openvpn/client/$user/$user.ovpn"
    cd "/etc/openvpn/client/$user/" || exit 1
    zip -r "$user.zip" ./*
    mv "/etc/openvpn/client/$user/$user.zip" ~
    echo "All done."
done
2.5 Certificate revocation script
- Revoke certificate
#!/bin/bash
# Del a user from openvpn
if [[ $# -eq 0 ]]; then
    echo "Usage: $(basename "$0") USERNAME"
    exit 1
fi
echo "Revoking $1..."
cd /etc/openvpn/easy-rsa/3.0.3/ || exit 1
./easyrsa revoke "$1"   # revoke the certificate of account $1
./easyrsa gen-crl       # regenerate pki/crl.pem so the server rejects it
CRL=/etc/openvpn/easy-rsa/3.0.3/pki/crl.pem
if [[ -f "$CRL" ]]; then
    # Add the crl-verify directive only once (appending on every run would duplicate it)
    # and restart so the server loads it; later CRL updates are picked up from the file
    if ! grep -q "^crl-verify " /etc/openvpn/server.conf; then
        echo "crl-verify $CRL" >> /etc/openvpn/server.conf
        systemctl restart openvpn@server
    fi
else
    echo "Can not find crl.pem. Exit."
    exit 1
fi
echo "Done."