OpenVPN Installation and Deployment

1. OpenVPN Installation and Deployment

1.1 OpenVPN overview

OpenVPN is a robust and efficient VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, dynamic IP addresses and DHCP, and it is portable to most major operating systems.

OpenVPN uses the cryptographic functions of OpenSSL, so the OpenSSL library is required. OpenVPN supports conventional encryption with a pre-shared key (static key mode) as well as public key security based on client and server certificates (SSL/TLS mode). Unencrypted TCP/UDP channels are also supported. OpenVPN is designed to attach to the network through the TUN/TAP virtual network interface that is available on most platforms.

OpenVPN accepts any option either on the command line or in a configuration file (in a configuration file the options are called directives).

1.2 Deploying OpenVPN

1.2.1 Deployment environment

A HUAWEI CLOUD host is used as the OpenVPN server.

Host                 IP
OpenVPN server       192.168.0.248
web-server-node1     192.168.0.250
Windows 10 client    192.168.10.18

OS version and time synchronization

[root@openvpn-server ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@openvpn-server ~]# ntp
ntpd        ntpdc       ntpq        ntptime
ntpdate     ntp-keygen  ntpstat
[root@openvpn-server ~]# ntpdate time1.aliyun.com
 6 Feb 10:46:45 ntpdate[12220]: the NTP socket is in use, exiting

1.2.2 Installing OpenVPN

Install openvpn and the easy-rsa certificate management tool

[root@openvpn-server ~]# yum install epel-release -y
[root@openvpn-server ~]# yum install openvpn -y
[root@openvpn-server ~]# yum install easy-rsa -y

Prepare the configuration files

[root@openvpn-server ~]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-server
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easyrsa-server/3/vars
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-server
[root@openvpn-server easyrsa-server]# cd 3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── server
    └── serverClient

1 directory, 9 files

1.2.3 Initialize the PKI environment and the CA issuing authority

[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ll
total 72
-rwxr-xr-x 1 root root 48730 Feb  6 10:37 easyrsa
-rw-r--r-- 1 root root  4651 Feb  6 10:37 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8576 Feb  6 10:37 vars
drwxr-xr-x 2 root root  4096 Feb  6 10:37 x509-types
[root@openvpn-server 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa-server/3/pki

[root@openvpn-server 3]# ll pki/
total 16
-rw------- 1 root root 4651 Feb  6 10:48 openssl-easyrsa.cnf
drwx------ 2 root root 4096 Feb  6 10:48 private
drwx------ 2 root root 4096 Feb  6 10:48 reqs

1.2.4 Create the CA

[root@openvpn-server 3]# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
......................+++
...................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easyrsa-server/3/pki/ca.crt

[root@openvpn-server 3]# ll pki/c
ca.crt           certs_by_serial/
[root@openvpn-server 3]# ll pki/ca.crt
-rw------- 1 root root 1172 Feb  6 10:49 pki/ca.crt
[root@openvpn-server 3]# ll pki/private/ca.key
-rw------- 1 root root 1675 Feb  6 10:49 pki/private/ca.key

1.2.5 Generate the server private key

[root@openvpn-server 3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............................+++
.+++
writing new private key to '/etc/openvpn/easyrsa-server/3/pki/private/server.key.k5cfaNWDBd'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easyrsa-server/3/pki/private/server.key
[root@openvpn-server 3]# ll pki/reqs/
total 4
-rw------- 1 root root 887 Feb  6 10:50 server.req
[root@openvpn-server 3]# ll pki/private/
total 8
-rw------- 1 root root 1675 Feb  6 10:49 ca.key
-rw------- 1 root root 1704 Feb  6 10:50 server.key

1.2.6 Issue the server certificate

Use the self-built CA to issue the server certificate, that is, generate the server's crt certificate. The crt certificate is later sent to each user client, enabling encrypted data transfer with openvpn-server.

[root@openvpn-server 3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jan 21 02:54:54 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/server.crt

[root@openvpn-server 3]# ll pki/issued/server.crt
-rw------- 1 root root 4552 Feb  6 10:54 pki/issued/server.crt

1.2.7 Generate the dh.pem certificate

The DH key exchange method is a security protocol published in 1976 by Whitfield Diffie (Bailey Whitfield Diffie) and Martin Edward Hellman (Martin Edward Hellman) ... information. The key it produces is usually used by both parties as the "symmetric encryption" key for the data transfer that follows. The mathematical basis of DH is the discrete logarithm problem; asymmetric algorithms such as RSA work along similar lines. It is used widely in SSH, VPNs, HTTPS and elsewhere, and is called the foundation of modern cryptography.
The difference between a .pem and a .crt certificate is the encoding; both are essentially certificate files.

[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................+...........................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easyrsa-server/3/pki/dh.pem

[root@openvpn-server 3]# ll /etc/openvpn/easyrsa-server/3/pki/dh.pem
-rw------- 1 root root 424 Feb  6 10:58 /etc/openvpn/easyrsa-server/3/pki/dh.pem

1.2.8 Generate the client certificate request

[root@openvpn-server ~]# pwd
/root
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-client
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easyrsa-client/3/vars
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ll
total 72
-rwxr-xr-x 1 root root 48730 Feb  6 11:01 easyrsa
-rw-r--r-- 1 root root  4651 Feb  6 11:01 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8576 Feb  6 11:01 vars
drwxr-xr-x 2 root root  4096 Feb  6 11:01 x509-types
[root@openvpn-server 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa-client/3/pki

[root@openvpn-server 3]# ll pki
total 16
-rw------- 1 root root 4651 Feb  6 11:02 openssl-easyrsa.cnf
drwx------ 2 root root 4096 Feb  6 11:02 private
drwx------ 2 root root 4096 Feb  6 11:02 reqs
[root@openvpn-server 3]# ll pki/private/
total 0
[root@openvpn-server 3]# ll pki/reqs/
total 0
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ./easyrsa gen-req lisuo nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............+++
......................................................................................+++
writing new private key to '/etc/openvpn/easyrsa-client/3/pki/private/lisuo.key.qShPkliedt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [lisuo]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req
key: /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key

[root@openvpn-server 3]# tree /etc/openvpn/easyrsa-client/3/pki/
/etc/openvpn/easyrsa-client/3/pki/
├── openssl-easyrsa.cnf
├── private
│   └── lisuo.key
├── reqs
│   └── lisuo.req
└── safessl-easyrsa.cnf

2 directories, 4 files

1.2.9 Issue the client certificate

Issue the client certificate from the openvpn server directory

[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: lisuo
You may now use this name to perform signing operations on this request.

[root@openvpn-server 3]# ./easyrsa sign client lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = lisuo


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName            :ASN.1 12:'lisuo'
Certificate is to be certified until Jan 21 03:07:37 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt

[root@openvpn-server 3]# ll /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt
-rw------- 1 root root 4431 Feb  6 11:07 /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt

1.2.10 Archive the server certificates in the server directory

Archive and store the issued server certificates

[root@openvpn-server 3]# mkdir /etc/openvpn/certs
[root@openvpn-server 3]# cd /etc/openvpn/certs
[root@openvpn-server certs]# pwd
/etc/openvpn/certs
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/dh.pem .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/issued/server.crt .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/private/server.key .
[root@openvpn-server certs]# pwd
/etc/openvpn/certs
[root@openvpn-server certs]# tree
.
├── ca.crt
├── dh.pem
├── server.crt
└── server.key

0 directories, 4 files

1.2.11 Archive the client certificate in its own directory

Archive and store the issued client certificate

[root@openvpn-server certs]# mkdir /etc/openvpn/client/lisuo
[root@openvpn-server certs]# cd /etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# pwe
-bash: pwe: command not found
[root@openvpn-server lisuo]# pwd
/etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/private/lisuo.key .
cp: cannot stat ‘/etc/openvpn/easyrsa-server/3/pki/private/lisuo.key’: No such file or directory
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key .
[root@openvpn-server lisuo]# pwd
/etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── lisuo.crt
└── lisuo.key

0 directories, 3 files

1.2.12 Server configuration

Server-side configuration steps

[root@openvpn-server ~]# vim /etc/openvpn/server.conf
local  192.168.0.248 # IP address this host listens on
port 1194 # port

# TCP or UDP server?
proto tcp # protocol; selects the type of tunnel OpenVPN creates
#proto udp

#dev tap: creates an Ethernet tunnel; Ethernet bridging uses tap
dev tun # creates a routed IP tunnel; Internet traffic uses tun. A TUN device is mostly used for
        # IP-based communication. A TAP device passes complete Ethernet frames through the OpenVPN
        # tunnel and therefore supports non-IP protocols such as IPX and AppleTalk

#dev-node MyTap # TAP-Win32 adapter; not needed on non-Windows systems

#topology subnet # network topology; no need to configure
server 10.8.0.0 255.255.255.0 # address pool clients are assigned from; the server takes the first address, 10.8.0.1, by default

#ifconfig-pool-persist ipp.txt # assign fixed IPs to clients; no need to configure

#server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # bridge mode; not needed



push "route 10.20.0.0 255.255.255.0"  # static routes pushed to clients; the next hop is the OpenVPN
                                      # server's 10.8.0.1 and the networks are the company's internal
                                      # networks behind the OpenVPN server; several can be listed
push "route 192.168.0.0 255.255.255.0"

;client-config-dir ccd # adds routes for specific clients; these are usually networks behind the client, not the server, and are also not needed
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script # run an external script to create iptables rules per group; not configured
;push "redirect-gateway def1 bypass-dhcp" # when enabled, all client traffic goes through the VPN server, so not configured

#;push "dhcp-option DNS 208.67.222.222" # push DNS servers; no need to configure
#;push "dhcp-option DNS 208.67.220.220"

#client-to-client # lets different clients talk to each other directly through the OpenVPN server; not enabled

;duplicate-cn # several users share one account; usually only for test environments, production uses one certificate per user

keepalive 10 120 # server-side liveness interval and timeout: ping every 10 seconds by default, and treat the peer as down after 120 seconds without a reply

#tls-auth /etc/openvpn/server/ta.key 0 # generate with: openvpn --genkey --secret ta.key
                                       # the server and every client need a copy of this key; the second parameter is '0' on the server and '1' on clients
cipher AES-256-CBC # encryption algorithm

;compress lz4-v2 # enable compression
;push "compress lz4-v2"
;comp-lzo # compression setting compatible with older clients; compression must be enabled on the client too

;max-clients 100 # maximum number of clients

user nobody # user and group the openvpn service runs as
group nobody

#persist-key # on restart, keep using the key files read the first time instead of re-reading them; not enabled
#persist-tun # on restart, keep the tun/tap device up instead of bringing it down and up again; not enabled

status openvpn-status.log # OpenVPN status file, rewritten once a minute

#;log         openvpn.log # logging mode and path; log truncates the log file when openvpn starts
log-append  /var/log/openvpn/openvpn.log # append to the existing log after an openvpn restart

verb 3  # log level 0-9; the higher the level, the more detail is recorded
mute 20 # only the first 20 messages of the same category are written to the log
explicit-exit-notify 1  # tells clients they may reconnect automatically after a server restart; UDP mode only.
                        # TCP mode reconnects after a disconnect without it, and setting it in TCP
                        # mode keeps the openvpn service from starting.
...
[root@openvpn-server ~]# mkdir /var/log/openvpn
[root@openvpn-server ~]# chown  nobody.nobody /var/log/openvpn

Final configuration

[root@openvpn-server ~]# grep "^[a-Z]" /etc/openvpn/server.conf
local 192.168.0.248
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key  # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
# tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
mute 20

1.2.13 Client configuration file

[root@openvpn-server ~]# cd /etc/openvpn/client/lisuo/
[root@openvpn-server lisuo]# ll
total 16
-rw------- 1 root root 1172 Feb  6 11:11 ca.crt
-rw------- 1 root root 4431 Feb  6 11:12 lisuo.crt
-rw------- 1 root root 1704 Feb  6 11:12 lisuo.key
[root@openvpn-server lisuo]# grep -Ev "^(#|$|;)" /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/client.conf > /etc/openvpn/client/lisuo/client.ovpn

[root@openvpn-server lisuo]# vim /etc/openvpn/client/lisuo/client.ovpn
client    # declares this side to be a client
dev tun   # interface type; must match the server
proto tcp # protocol; must match the server
remote 192.168.0.248 1194 # server IP and port; a domain name is allowed but must resolve to an IP
resolv-retry infinite # if a domain name is given for the server, keep resolving it; if the name
                      # changes, reconnect to the IP the new name resolves to
nobind # do not bind a local listening port; the client uses a random port to connect to the server's 1194
persist-key
persist-tun
ca ca.crt
cert lisuo.crt
key lisuo.key
remote-cert-tls server # require the peer to present a server certificate
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3

[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── client.ovpn
├── lisuo.crt
└── lisuo.key

0 directories, 4 files
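Added example (not from the original article): a Python checker for a server.conf and client.ovpn pair like the two above, built inline from the final server configuration and the lisuo client file. It reports the settings that must agree on both ends (proto, dev, cipher, port, tls-auth direction) and the two gaps in this deployment, tls-auth left commented out and no crl-verify; the directive names are OpenVPN's own, the finding texts are this example's.

```python
"""Consistency check for an OpenVPN server.conf / client.ovpn pair.
Added example, not part of the original article; SERVER_CONF and
CLIENT_OVPN are constructed inline from the final server.conf and the
lisuo client.ovpn shown above, trimmed to the directives the checks use."""
import shlex
from typing import List, Optional

SERVER_CONF = """\
port 1194
proto tcp
dev tun
key /etc/openvpn/certs/server.key  # This file should be kept secret
push "route 192.168.0.0 255.255.255.0"
# tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
verb 9
"""
CLIENT_OVPN = """\
client
dev tun
proto tcp
remote 192.168.0.248 1194
cert lisuo.crt
key lisuo.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
"""
# --proto values OpenVPN 2.4 accepts; anything else is a typo such as 'tdp'
KNOWN_PROTO = {"udp", "tcp", "udp4", "tcp4", "udp6", "tcp6", "tcp-server",
               "tcp-client", "tcp4-server", "tcp4-client", "tcp6-server", "tcp6-client"}


def parse_conf(text: str) -> dict:
    """Map each directive to the argument lists it occurs with. Lines that
    start with '#' or ';' are comments (as in the sample files) and a
    trailing '# ...' after a directive is dropped as well."""
    conf: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # keeps push "route ..." whole
        if tokens:
            conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def first_arg(conf: dict, directive: str, default: Optional[str] = None):
    """First argument of the first occurrence of a directive, else default."""
    args = conf.get(directive)
    return args[0][0] if args and args[0] else default


def base_proto(proto: str) -> str:
    return proto.split("-")[0].rstrip("46")  # tcp, tcp4, tcp-server: all TCP


def check_pair(server: dict, client: dict) -> List[str]:
    """Findings for the pair; an empty list means the two files agree."""
    findings: List[str] = []
    sproto = first_arg(server, "proto", "udp")  # udp is OpenVPN's default
    cproto = first_arg(client, "proto", "udp")
    for side, proto in (("server", sproto), ("client", cproto)):
        if proto not in KNOWN_PROTO:
            findings.append(f"{side}: unknown proto '{proto}' (typo?)")
    if base_proto(sproto) != base_proto(cproto):
        findings.append(f"proto mismatch: server {sproto}, client {cproto}")
    for directive in ("dev", "cipher"):  # must be identical on both ends
        sval, cval = first_arg(server, directive), first_arg(client, directive)
        if sval != cval:
            findings.append(f"{directive} mismatch: server {sval}, client {cval}")
    # 'remote host [port]' on the client has to hit the server's 'port'
    remote = client.get("remote", [[]])[0]
    cport = remote[1] if len(remote) > 1 else "1194"
    sport = first_arg(server, "port", "1194")
    if sport != cport:
        findings.append(f"port mismatch: server port {sport}, client dials {cport}")
    # tls-auth: shared ta.key, direction 0 on the server and 1 on the client
    s_ta, c_ta = server.get("tls-auth"), client.get("tls-auth")
    if s_ta and not c_ta:
        findings.append("tls-auth on server only: this client will be rejected")
    elif s_ta and c_ta:
        sdir = s_ta[0][1] if len(s_ta[0]) > 1 else None
        cdir = c_ta[0][1] if len(c_ta[0]) > 1 else None
        if sdir != "0" or cdir != "1":
            findings.append("tls-auth direction must be 0 on the server and 1 on the client")
    else:
        findings.append("tls-auth not enabled on the server: control channel has no HMAC protection")
    if "remote-cert-tls" not in client:
        findings.append("client lacks 'remote-cert-tls server'")
    if "crl-verify" not in server:
        findings.append("server lacks 'crl-verify': revoked client certificates are still accepted")
    verb = int(first_arg(server, "verb", "1"))
    if verb > 4:
        findings.append(f"server verb {verb} is a debug level; 3 is the usual operational setting")
    return findings


def check_texts(server_text: str, client_text: str) -> List[str]:
    return check_pair(parse_conf(server_text), parse_conf(client_text))
```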

1.2.14 Start OpenVPN

[root@openvpn-server lisuo]# cd
[root@openvpn-server ~]# systemctl stop firewalld
[root@openvpn-server ~]# systemctl disable firewalld
[root@openvpn-server ~]# yum install iptables-services iptables -y
[root@openvpn-server ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@openvpn-server ~]# systemctl start iptables.service

[root@openvpn-server ~]# iptables -F
[root@openvpn-server ~]# iptables -X
[root@openvpn-server ~]# iptables -Z
[root@openvpn-server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 352 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@openvpn-server ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
"/etc/sysctl.conf" 19L, 582C written
[root@openvpn-server ~]# sysctl  -p
...
net.ipv4.ip_forward = 1

[root@openvpn-server ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
[root@openvpn-server ~]# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
[root@openvpn-server ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@openvpn-server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
   36  2088 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1484 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@openvpn-server ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.8.0.0/16          0.0.0.0/0

[root@openvpn-server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

[root@openvpn-server ~]# mkdir /var/log/openvpn
[root@openvpn-server ~]# chown nobody.nobody /var/log/openvpn

# Start OpenVPN
[root@openvpn-server ~]# systemctl start openvpn@server.service
[root@openvpn-server ~]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-02-06 12:08:13 CST; 5s ago
 Main PID: 12628 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─12628 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Feb 06 12:08:13 openvpn-server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Feb 06 12:08:13 openvpn-server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@openvpn-server ~]# systemctl enable openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.

[root@openvpn-server ~]# tail /var/log/openvpn/openvpn.log
Thu Feb  6 12:08:17 2020 us=581126 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
Thu Feb  6 12:08:17 2020 us=581133 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
Thu Feb  6 12:08:17 2020 us=581144  read from TUN/TAP returned 48
Thu Feb  6 12:08:17 2020 us=581153 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
Thu Feb  6 12:08:17 2020 us=581162 SCHEDULE: schedule_find_least NULL
Thu Feb  6 12:08:21 2020 us=589032 EP_WAIT[0] rwflags=0x0001 ev=0x00000001 arg=0x00000002
Thu Feb  6 12:08:21 2020 us=589088 MULTI: REAP range 16 -> 32
Thu Feb  6 12:08:21 2020 us=589098 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
Thu Feb  6 12:08:21 2020 us=589116 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
Thu Feb  6 12:08:21 2020 us=589126 NOTE: --mute triggered...

Check the tun network interface:

[root@openvpn-server ~]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::8a69:b152:413b:2421  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

1.2.15 Install the OpenVPN Windows client

Official client download address
Unofficial address

1.2.16 Client connection test

Save the certificates in the OpenVPN client installation directory: C:\Program Files\OpenVPN\config

[root@openvpn-server ~]# cd /etc/openvpn/client/lisuo/
[root@openvpn-server lisuo]# tar -cJvf lisuo.tar.xz ./*
./ca.crt
./client.ovpn
./lisuo.crt
./lisuo.key
[root@openvpn-server lisuo]# ll
total 28
-rw------- 1 root root 1172 Feb  6 11:11 ca.crt
-rw-r--r-- 1 root root  214 Feb  6 11:47 client.ovpn
-rw------- 1 root root 4431 Feb  6 11:12 lisuo.crt
-rw------- 1 root root 1704 Feb  6 11:12 lisuo.key
-rw-r--r-- 1 root root 4756 Feb  6 12:16 lisuo.tar.xz

Connection successful. With the current configuration a warning is shown that the password is cached in memory; the auth-nocache option avoids this.

Run route print at the Windows command line; it shows the following information.

Add another cloud host (IP: 192.168.0.250/24) to test whether the cloud LAN can be reached directly.

[root@ecs-d1b9 ~]# hostname web-server-node1
[root@ecs-d1b9 ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.250  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f816:3eff:feb5:85a1  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:b5:85:a1  txqueuelen 1000  (Ethernet)
        RX packets 331  bytes 39550 (38.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 369  bytes 38421 (37.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@ecs-d1b9 ~]# hostname web-server-node1
[root@ecs-d1b9 ~]# exit
logout
Connection to 192.168.0.250 closed.

Status of the two cloud hosts

On the client's Windows 10 system, an xshell connection directly to 192.168.0.250 succeeds, and the hostname is web-server-node1.

2. Advanced OpenVPN features

Creating accounts and revoking account certificates as employees join and leave.

2.1 Set a password on the private key

Create a new account named stevenux and set a password on its certificate to improve certificate security.

2.1.1 Request and issue the certificate

[root@openvpn-server lisuo]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ll
total 76
-rwxr-xr-x 1 root root 48730 Feb  6 11:01 easyrsa
-rw-r--r-- 1 root root  4651 Feb  6 11:01 openssl-easyrsa.cnf
drwx------ 4 root root  4096 Feb  6 11:04 pki
-rw-r--r-- 1 root root  8576 Feb  6 11:01 vars
drwxr-xr-x 2 root root  4096 Feb  6 11:01 x509-types
[root@openvpn-server 3]# ./easyrsa gen-req stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...............................................................+++
...................+++
writing new private key to '/etc/openvpn/easyrsa-client/3/pki/private/stevenux.key.0zvtMm6qk9'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [stevenux]:www.suosuoli.cn

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req
key: /etc/openvpn/easyrsa-client/3/pki/private/stevenux.key

[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: stevenux
You may now use this name to perform signing operations on this request.

[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Easy-RSA error:

Unable to import the request as the destination file already exists.
Please choose a different name for your imported request file.
Existing file at: /etc/openvpn/easyrsa-server/3/pki/reqs/stevenux.req

[root@openvpn-server 3]# ./easyrsa sign client stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = www.suosuoli.cn


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName            :ASN.1 12:'www.suosuoli.cn'
Certificate is to be certified until Jan 21 08:15:11 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/stevenux.crt

# Organize the new account's certificates
[root@openvpn-server 3]# mkdir /etc/openvpn/client/stevenux
[root@openvpn-server 3]# cd /etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# pwd
/etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/issued/stevenux.crt .
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/private/stevenux.key .
[root@openvpn-server stevenux]# cp /etc/openvpn/client/lisuo/client.ovpn .
[root@openvpn-server stevenux]# vim client.ovpn
client
dev tun
proto tcp
remote 114.116.248.58 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3

"client.ovpn" 15L, 219C written
[root@openvpn-server stevenux]# ll
total 20
-rw------- 1 root root 1172 Feb  6 16:25 ca.crt
-rw-r--r-- 1 root root  219 Feb  6 16:27 client.ovpn
-rw------- 1 root root 1704 Feb  6 16:25 stevenux.key
-rw------- 1 root root 4453 Feb  6 16:25 stevenux.crt

[root@openvpn-server stevenux]# pwd
/etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# tar cJvf stevenux.tar.xz ./*
./ca.crt
./client.ovpn
./stevenux.key
./stevenux.crt
[root@openvpn-server stevenux]# sz stevenux.tar.xz

2.2 Account certificate management

Mainly creating and revoking certificates: distributing a certificate when an employee joins and revoking it when the employee leaves.

2.2.1 Automatic certificate expiry

Expiry is evaluated against the server clock: the server checks whether the certificate's validity period, measured by server time, is still current.

[root@openvpn-server stevenux]# cd /etc/openvpn/easyrsa-server/3/
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# vim vars
#set_var EASYRSA_CERT_EXPIRE    1080
set_var EASYRSA_CERT_EXPIRE     90
...

2.2.2 Manual certificate revocation

Revoke

[root@openvpn-server 3]# cat /etc/openvpn/easyrsa-server/3/pki/index.txt
V	230121025454Z		B149F5E246A16B3EF695B06030D82C3B	unknown	/CN=server
V	230121030737Z		E18D86613FBFB4256BE241A3EB6A448F	unknown	/CN=lisuo
V	230121081511Z		7EC6AE9190A57A46FECC83ABA79920E3	unknown	/CN=www.suosuoli.cn
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa revoke lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = lisuo


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Revoking Certificate E18D86613FBFB4256BE241A3EB6A448F.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

# Generate the certificate revocation list
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easyrsa-server/3/pki/crl.pem

[root@openvpn-server 3]# vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easyrsa-server/3/pki/crl.pem
"/etc/openvpn/server.conf" 318L, 10946C written
...
[root@openvpn-server 3]# systemctl restart openvpn@server

At this point lisuo can no longer connect.

View the revocation record

[root@openvpn-server 3]# cat /etc/openvpn/easyrsa-server/3/pki/index.txt
V	230121025454Z		B149F5E246A16B3EF695B06030D82C3B	unknown	/CN=server
R	230121030737Z	200206120802Z	E18D86613FBFB4256BE241A3EB6A448F	unknown	/CN=lisuo  # R means revoked
V	230121081511Z		7EC6AE9190A57A46FECC83ABA79920E3	unknown	/CN=www.suosuoli.cn
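Added example (not from the original article): a Python reader for the pki/index.txt database shown above, with its three records constructed inline. It reports each CN's effective status against a reference clock (the revocation time above), lists certificates that run out within a given number of days, which matters once EASYRSA_CERT_EXPIRE is cut to 90 as in 2.2.1, and removes the R record for a CN, the edit that 2.2.3 below performs by hand in vim.

```python
"""Reader for the Easy-RSA CA database pki/index.txt (OpenSSL 'index' format).
Added example, not part of the original article. INDEX_TXT is constructed
from the index.txt shown above, as it looks after 'easyrsa revoke lisuo'."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

INDEX_TXT = (
    "V\t230121025454Z\t\tB149F5E246A16B3EF695B06030D82C3B\tunknown\t/CN=server\n"
    "R\t230121030737Z\t200206120802Z\tE18D86613FBFB4256BE241A3EB6A448F\tunknown\t/CN=lisuo\n"
    "V\t230121081511Z\t\t7EC6AE9190A57A46FECC83ABA79920E3\tunknown\t/CN=www.suosuoli.cn\n"
)
# reference clock for the report: the server time at which lisuo was revoked
NOW = datetime(2020, 2, 6, 12, 8, 2)


def parse_time(stamp: str) -> Optional[datetime]:
    """YYMMDDHHMMSSZ (ASN.1 UTCTime) as written by the OpenSSL CA, or None."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ") if stamp else None


def parse_index(text: str) -> List[Dict]:
    """One record per line: status (V valid, R revoked, E expired), expiry,
    revocation time, serial, certificate file name ('unknown') and subject,
    separated by tabs. The subject is reduced to its CN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revoked, serial, _fname, subject = line.split("\t")
        cn = next((p[3:] for p in subject.split("/") if p.startswith("CN=")), subject)
        entries.append({"status": status, "expires": parse_time(expires),
                        "revoked": parse_time(revoked), "serial": serial, "cn": cn})
    return entries


def effective_status(entry: Dict, now: datetime = NOW) -> str:
    """R wins over everything; a V entry past its expiry is reported as E
    even though the index itself only shows E after the CA database is updated."""
    if entry["status"] == "R":
        return "R"
    if entry["expires"] is not None and entry["expires"] <= now:
        return "E"
    return "V"


def report(text: str, now: datetime = NOW) -> Dict[str, str]:
    """CN -> effective status for every record in the index."""
    return {e["cn"]: effective_status(e, now) for e in parse_index(text)}


def expiring_within(text: str, days: int, now: datetime = NOW) -> List[str]:
    """CNs of still-valid certificates that run out within `days` days; with
    EASYRSA_CERT_EXPIRE cut to 90 this is the list to re-issue ahead of time."""
    limit = now + timedelta(days=days)
    return [e["cn"] for e in parse_index(text)
            if effective_status(e, now) == "V"
            and e["expires"] is not None and e["expires"] <= limit]


def drop_revoked_cn(text: str, cn: str) -> str:
    """Remove the R records for `cn` so a new request under the same name can
    be imported and signed again (section 2.2.3 does this by hand in vim).
    V records for the CN are left alone, so nothing live is removed."""
    kept = [line for line in text.splitlines()
            if not (line.split("\t")[0] == "R" and line.endswith(f"/CN={cn}"))]
    return "\n".join(kept) + "\n"


def at(iso: str) -> datetime:
    """Helper for choosing another reference clock, e.g. at("2023-02-01")."""
    return datetime.fromisoformat(iso)
```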

2.2.3 Issuing a certificate under a previously used account name

Suppose the company had an employee named lisuo who left and whose certificate was revoked, and a new hire is also named lisuo. The usual way to tell them apart is to append a number to the username, such as lisuo1 or lisuo2. If you want to issue the certificate under the account name lisuo anyway, you must first delete the lisuo account on the server, removing its issuance record and certificate; otherwise the new user's request cannot be imported and the certificate cannot be re-issued. The procedure is as follows.

[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-client/3/
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# rm -rf pki/private/lisuo.key
[root@openvpn-server 3]# rm -rf pki/reqs/lisuo.req
[root@openvpn-server 3]# rm -rf /etc/openvpn/client/lisuo/

# Delete the revoked record marked R
[root@openvpn-server 3]# vim /etc/openvpn/easyrsa-server/3/pki/index.txt
R       230121030737Z   200206120802Z   E18D86613FBFB4256BE241A3EB6A448F        unknown /CN=lisuo

# Generate the certificate request for this account
[root@openvpn-server 3]# ./easyrsa gen-req lisuo

# The CA imports the request and signs it
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: lisuo
You may now use this name to perform signing operations on this request.

[root@openvpn-server 3]# ./easyrsa sign client lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = lisuo


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'lisuo'
Certificate is to be certified until May  6 12:39:04 2020 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt


# Archive and package the certificate files
[root@openvpn-server 3]# mkdir /etc/openvpn/client/lisuo
[root@openvpn-server 3]# cd /etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key .
[root@openvpn-server lisuo]# cp ../
lisuo/    stevenux/
[root@openvpn-server lisuo]# cp ../stevenux/ca.crt .
[root@openvpn-server lisuo]# cp ../stevenux/client.ovpn .
[root@openvpn-server lisuo]# cat ../stevenux/client.ovpn
client
dev tun
proto tdp
remote 114.116.248.58 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3
[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── client.ovpn
├── lisuo.crt
└── lisuo.key

0 directories, 4 files

[root@openvpn-server lisuo]# tar czvf lisuo.tar.gz ./*
./ca.crt
./client.ovpn
./lisuo.crt
./lisuo.key
[root@openvpn-server lisuo]# sz lisuo.tar.gz
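
Both the revocation record shown earlier (the R row in index.txt) and the cleanup in this section amount to editing the CA database by hand. The helper below is an added example, not code from the original article or from Easy-RSA: it reads index.txt to report a name's current status, lists the serials that a freshly generated crl.pem must contain, and removes only the revoked row for an exact CN before re-issue, refusing to touch a name whose current record is still valid. It assumes Easy-RSA's default cn_only subject layout (/CN=name); the sample database is constructed from the rows shown above plus an extra lisuo1 row to demonstrate exact matching.

```shell
#!/bin/sh
# Helpers for the Easy-RSA / OpenSSL CA database (pki/index.txt).
# Added example, not part of the original article or of Easy-RSA.
# Tab-separated columns: status  expiry  revocation_date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); revocation_date is empty for V rows.
# Assumes Easy-RSA's default cn_only layout, i.e. the subject ends in "/CN=<name>".

# Constructed sample database mirroring the article's records, plus a
# "lisuo1" row to show that matching is exact and not a prefix match.
INDEX_SAMPLE=$(mktemp)
printf 'V\t230121025454Z\t\tB149F5E246A16B3EF695B06030D82C3B\tunknown\t/CN=server\n' >"$INDEX_SAMPLE"
printf 'R\t230121030737Z\t200206120802Z\tE18D86613FBFB4256BE241A3EB6A448F\tunknown\t/CN=lisuo\n' >>"$INDEX_SAMPLE"
printf 'V\t230121081511Z\t\t7EC6AE9190A57A46FECC83ABA79920E3\tunknown\t/CN=www.suosuoli.cn\n' >>"$INDEX_SAMPLE"
printf 'V\t230121081511Z\t\t0000000000000000000000000000AAAA\tunknown\t/CN=lisuo1\n' >>"$INDEX_SAMPLE"

# cert_status FILE CN: prints the status letter of the newest row whose subject
# ends in exactly "/CN=CN", or "none" if that name was never issued.
cert_status() {
    awk -F'\t' -v want="/CN=$2" '
        substr($6, length($6) - length(want) + 1) == want { st = $1 }
        END { print (st == "" ? "none" : st) }' "$1"
}

# revoked_serials FILE: prints the serial of every R row, one per line
# (these are the serials that must appear in crl.pem after gen-crl).
revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1"
}

# purge_revoked_entry FILE CN: removes the R row(s) for an exact CN, which is
# what this section does by hand in vim before re-issuing a certificate under
# a reused account name. Refuses unless the name's current status is R, so an
# active user cannot be dropped from the database by mistake.
purge_revoked_entry() {
    st=$(cert_status "$1" "$2")
    if [ "$st" != "R" ]; then
        echo "refusing to purge '$2': status is $st, not R" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -F'\t' -v want="/CN=$2" '
        !($1 == "R" && substr($6, length($6) - length(want) + 1) == want)' "$1" >"$tmp"
    # write back in place so index.txt keeps its owner and permissions
    cat "$tmp" >"$1" && rm -f "$tmp"
}
```

Try it on a copy of the real index.txt first; Easy-RSA keeps index.txt.attr and the serial file next to it, which this helper deliberately leaves alone.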

2.3 Configuration overview

2.3.1 OpenVPN server configuration

[root@openvpn-server ~]# cat  /etc/openvpn/server.conf
local  172.18.200.101
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.0.0"
push "route 172.31.0.0 255.255.0.0"
client-to-client
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
mute 20
crl-verify /etc/openvpn/easy-rsa/3.0.3/pki/crl.pem

2.3.2 OpenVPN client configuration

[root@openvpn-server ~]# cat /etc/openvpn/client/zhangxiaoming/client.ovpn
client
dev tun
proto tcp
remote 172.18.200.101 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert zhangshijie.crt
key zhangshijie.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
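
The server and client files above, and the stevenux client.ovpn shown in 2.2.3 (which contains the typo proto tdp), are worth checking mechanically before they are handed out. The linter below is an added example, not code from the original article or from OpenVPN: it reads a config file with awk and flags an invalid proto value, debug-level verb, a missing tls-auth/tls-crypt line (the page's configs have it commented out), and, for a server file, a missing crl-verify or user/group directive. The three sample configs are constructed to mirror the ones in this article.

```shell
#!/bin/sh
# Static checks for OpenVPN server/client config files.
# Added example, not part of the original article or of OpenVPN.
# lint_ovpn FILE prints one finding per line and returns 1 if any were found.
lint_ovpn() {
    awk '
    /^[ \t]*(#|;|$)/ { next }                 # skip comments and blank lines
    { key = $1; val = $2 }
    key == "client" { role = "client" }
    # proto must be a value OpenVPN accepts; a typo such as tdp stops the daemon at startup
    key == "proto" && val !~ /^(udp(4|6)?|tcp(4|6)?(-(server|client))?)$/ {
        print "ERROR: unknown proto \"" val "\" (openvpn will refuse to start)"; bad++ }
    # verb 5 and above logs per-packet detail and fills the disk quickly
    key == "verb" && val + 0 > 4 {
        print "WARN: verb " val " is debug-level logging; use 3 or 4 in production"; bad++ }
    key ~ /^tls-(auth|crypt|crypt-v2)$/ { tls = 1 }
    key == "crl-verify"      { crl = 1 }
    key == "user"            { usr = 1 }
    key == "group"           { grp = 1 }
    key == "remote-cert-tls" { rct = 1 }
    END {
        if (!tls)
            { print "WARN: no tls-auth/tls-crypt: control channel has no HMAC protection"; bad++ }
        if (role == "client" && !rct)
            { print "WARN: client lacks remote-cert-tls server: any client cert could pose as the server"; bad++ }
        if (role != "client" && !crl)
            { print "WARN: server lacks crl-verify: revoked client certs are still accepted"; bad++ }
        if (role != "client" && !(usr && grp))
            { print "WARN: server keeps root privileges (no user/group directive)"; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed samples mirroring the article: the 2.3.1 server (verb 9, tls-auth absent),
# the stevenux client with "proto tdp", and a corrected client with tls-crypt.
SERVER_SAMPLE=$(mktemp); CLIENT_SAMPLE=$(mktemp); HARDENED_SAMPLE=$(mktemp)
cat >"$SERVER_SAMPLE" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
server 10.8.0.0 255.255.255.0
client-to-client
user nobody
group nobody
verb 9
crl-verify /etc/openvpn/easy-rsa/3.0.3/pki/crl.pem
EOF
cat >"$CLIENT_SAMPLE" <<'EOF'
client
dev tun
proto tdp
remote 114.116.248.58 1194
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
verb 3
EOF
cat >"$HARDENED_SAMPLE" <<'EOF'
client
dev tun
proto tcp
remote 114.116.248.58 1194
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
tls-crypt ta.key
verb 3
EOF
```

Running lint_ovpn on the server sample reports the verb 9 and missing tls-auth/tls-crypt lines; on the stevenux client it reports the unknown proto and the commented-out tls-auth; the corrected client passes with no output and exit status 0.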

2.4 Script for creating accounts automatically

Reference scripts for adding new OpenVPN accounts and revoking certificates:

  • New account
#!/bin/bash
# Add a user to openvpn
if [[ $# -eq 0 ]]; then
    echo "Usage: $(basename "$0") USERNAME1 [USERNAME2 [USERNAME3...]]"
    exit 1
fi

for user in "$@"; do
    echo "Adding new user: $user"
    # Clean up an earlier (revoked) account of the same name, as in section 2.2.3
    if [[ -d "/etc/openvpn/client/$user" ]]; then
        rm -rf "/etc/openvpn/client/$user"
        rm -f "/etc/openvpn/easy-rsa/3.0.3/pki/reqs/$user.req"
        rm -f "/etc/openvpn/client/easy-rsa/3.0.3/pki/private/$user.key"
        # match the exact CN at end of line so "lisuo" does not also delete "lisuo1"
        sed -i "/\/CN=$user\$/d" /etc/openvpn/easy-rsa/3.0.3/pki/index.txt
    fi

    echo "Gen .csr file."
    cd /etc/openvpn/client/easy-rsa/3.0.3
    [[ -d pki ]] || ./easyrsa init-pki   # init-pki wipes the client PKI, so run it only once
    ./easyrsa gen-req "$user" nopass

    echo "Sign client certification."
    cd /etc/openvpn/easy-rsa/3.0.3/
    ./easyrsa import-req "/etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/$user.req" "$user"
    ./easyrsa --batch sign client "$user"   # --batch skips the interactive "yes" prompt

    echo "Manage the crts."
    mkdir -p "/etc/openvpn/client/$user/"
    cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt "/etc/openvpn/client/$user/"
    cp "/etc/openvpn/easy-rsa/3.0.3/pki/issued/$user.crt" "/etc/openvpn/client/$user/"
    cp "/etc/openvpn/client/easy-rsa/3.0.3/pki/private/$user.key" "/etc/openvpn/client/$user/"
    cp /etc/openvpn/client/admin.ovpn "/etc/openvpn/client/$user/$user.ovpn"
    sed -i "s/admin/$user/g" "/etc/openvpn/client/$user/$user.ovpn"
    cd "/etc/openvpn/client/$user/"
    zip -r "$user.zip" ./*
    mv "/etc/openvpn/client/$user/$user.zip" ~

    echo "All done."
done

2.5 Certificate revocation script

  • Revoke a certificate
#!/bin/bash
# Del a user from openvpn

if [[ $# -eq 0 ]]; then
    echo "Usage: $(basename "$0") USERNAME"
    exit 1
fi

PKI=/etc/openvpn/easy-rsa/3.0.3/pki   # one PKI path for both the check and the crl-verify line

echo "Revoking $1..."
cd /etc/openvpn/easy-rsa/3.0.3/
./easyrsa --batch revoke "$1"   # revoke the certificate of account $1 (--batch skips the "yes" prompt)
./easyrsa gen-crl               # regenerate crl.pem so the revoked serial is listed

if [[ -f "$PKI/crl.pem" ]]; then
    # add crl-verify only once; appending on every run would leave duplicate lines in server.conf
    if ! grep -q '^crl-verify ' /etc/openvpn/server.conf; then
        echo "crl-verify $PKI/crl.pem" >> /etc/openvpn/server.conf
        systemctl restart openvpn@server   # needed the first time crl-verify is enabled
    fi
else
    echo "Can not find crl.pem. Exit."
    exit 1
fi
echo "Done."


Reprinted from: blog.csdn.net/wang11876/article/details/132581504