Configuring OpenVPN on CentOS

OpenVPN

Requirements:

The server log must record each client's login time and username in a format like "2022-08-10 08:10:30 Successful authentication: username="vuser1"";

the log file is saved as /var/log/openv.log;

create the user vuser1 with the password 123456; authentication uses the username and password;

the InsideCli client must be able to communicate with the client network segment, so that it can reach the SAMBA service on the StorageSrv host;

the client address range is 172.16.0.0/24, and OpenVPN uses TCP port 1194.

Steps:


1. Install and configure the yum repositories (installing only the extra repository is enough)

[local]
name=local
baseurl=file:///mnt
gpgcheck=0
enabled=1
[kz]
name=local
baseurl=file:///root/kz
enabled=1
gpgcheck=0

[root@routersrv kz]# pwd
/root/kz
yum clean all      # clear the cache
yum makecache      # rebuild the cache
yum install openvpn easy-rsa -y -q

2. Configure the certificates

# copy the easy-rsa certificate tooling
[root@routserv /]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/

#初始化
[root@routserv openvpn]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki

# create the root CA certificate
[root@routserv openvpn]# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
...................................................................................................+++
.......................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt

# create the server certificate request and key
[root@routserv openvpn]# ./easyrsa gen-req server server nopass
Ignoring unknown command option: 'server'
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
........................+++
.....................................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-1959.fieXq1/tmp.Ruh2zR'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/server.req
key: /etc/openvpn/pki/private/server.key

# sign the server certificate with the CA
[root@routserv openvpn]# ./easyrsa sign server server
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
    commonName                = server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes        # type "yes" here
Using configuration from /etc/openvpn/pki/easy-rsa-1985.1mB4Qo/tmp.AHtNf8
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec 11 10:29:26 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/pki/issued/server.crt

# generate dh.pem (the Diffie-Hellman parameters referenced by server.conf)
[root@routserv openvpn]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+................................+...

3. Configure the server file

# copy the sample configuration file
[root@routserv openvpn]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf  /etc/openvpn/
[root@routserv openvpn]# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key
dh pki/dh.pem
server 172.16.0.0 255.255.255.0
#tls-auth ta.key 0 # This file is secret
#explicit-exit-notify 1
# the following four lines are documented in man openvpn
script-security 3
auth-user-pass-verify /etc/openvpn/auth.sh via-env
username-as-common-name
client-cert-not-required

4. Configure the login-logging authentication script

[root@routserv openvpn]# vim /etc/openvpn/auth.sh
#!/bin/sh
PASSFILE="/etc/openvpn/user"
LOG_FILE="/var/log/openvpn.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

[root@routserv openvpn]# chmod +x /etc/openvpn/auth.sh 
[root@routserv openvpn]# vim /etc/openvpn/user
vpnuser1 123456
[root@routserv openvpn]# systemctl restart openvpn@server
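To exercise the via-env verification logic without a running OpenVPN server, here is an added example; it is not the page's auth.sh and not part of the original post. It re-implements the same check as a shell function that takes the username and password as arguments instead of reading the `username` and `password` environment variables that OpenVPN sets for the real script, writes a constructed sample password file under a constructed path in `$TMPDIR`, and counts the resulting log lines that match the required "YYYY-MM-DD HH:MM:SS: Successful authentication: username="..."." format. It deliberately differs from the page's script in two places: the username is handed to awk with `-v` rather than spliced into the awk program text, and passwords are never written to the log, so a failed login does not leave the attempted password in a world-readable file.

```shell
#!/bin/sh
# Added example (not from the original post): offline re-implementation of the
# auth-user-pass-verify check so it can be tested without OpenVPN.
# With "auth-user-pass-verify <script> via-env" OpenVPN exports $username and
# $password to the script; here they are function arguments instead.

# Constructed paths for this example (the page uses /etc/openvpn/user and
# /var/log/openvpn.log).
PASSFILE="${PASSFILE:-${TMPDIR:-/tmp}/openvpn-auth-example.user}"
LOG_FILE="${LOG_FILE:-${TMPDIR:-/tmp}/openvpn-auth-example.log}"

# Write a constructed password file: blank lines and lines starting with
# '#' or ';' are ignored, every other line is "<username> <password>".
write_sample_passfile() {
    cat > "$PASSFILE" <<'EOF'
# comment line, ignored
; another comment style, ignored

vpnuser1 123456
vpnuser2 s3cret
EOF
}

# check_credentials USER PASS -> returns 0 on success, 1 on any failure,
# and appends one log line per decision, exactly like the page's script,
# except that the password itself is never logged.
check_credentials() {
    user="$1"
    pass="$2"
    stamp=$(date "+%Y-%m-%d %T")
    if [ ! -r "$PASSFILE" ]; then
        echo "${stamp}: Could not open password file \"${PASSFILE}\" for reading." >> "$LOG_FILE"
        return 1
    fi
    # -v passes the username as an awk variable; a username containing
    # quotes therefore cannot change the awk program itself.
    expected=$(awk -v u="$user" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "$PASSFILE")
    if [ -z "$expected" ]; then
        echo "${stamp}: User does not exist: username=\"${user}\"." >> "$LOG_FILE"
        return 1
    fi
    if [ "$pass" = "$expected" ]; then
        echo "${stamp}: Successful authentication: username=\"${user}\"." >> "$LOG_FILE"
        return 0
    fi
    echo "${stamp}: Incorrect password: username=\"${user}\"." >> "$LOG_FILE"
    return 1
}

# count_success_lines -> number of log lines in the required format
# 'YYYY-MM-DD HH:MM:SS: Successful authentication: username="<name>".'
count_success_lines() {
    grep -cE '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}: Successful authentication: username="[^"]+"\.$' "$LOG_FILE"
}

# Demo run: one success, one wrong password, one unknown user.
write_sample_passfile
: > "$LOG_FILE"
check_credentials vpnuser1 123456 && echo "vpnuser1: accepted"
check_credentials vpnuser1 wrong  || echo "vpnuser1 with wrong password: rejected"
check_credentials nobody   x      || echo "unknown user: rejected"
echo "success lines in required format: $(count_success_lines)"
```

To use the same logic as the real hook, the function body would read `$username` and `$password` from the environment and `exit` instead of `return`; the page's `script-security 3` setting is what allows OpenVPN to pass the password through the environment at all.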

5. Configure the client

# first transfer the server's CA certificate and client.conf to the client
[root@outsidecli /]# apt install openvpn -y
[root@routserv openvpn]# scp  /etc/openvpn/pki/ca.crt [email protected]:/etc/openvpn
[root@routserv openvpn]# scp  /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf  [email protected]:/etc/openvpn

6. Configure client.conf

[root@outsidecli /]# vim /etc/openvpn/client.conf 
client
dev tun
proto tcp
remote 81.6.63.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#cert client.crt		
#key client.key					
#tls-auth ta.key 1			
remote-cert-tls server
cipher AES-256-GCM      # same mode as the server, GCM
verb 3
auth-user-pass          # must be added

[root@outsidecli /]# systemctl restart openvpn@client
Enter Auth Username: vpnuser1
Enter Auth Password: ******

7. Verification

[root@outsidecli /]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c3:f8:e1 brd ff:ff:ff:ff:ff:ff
    inet 81.6.63.110/24 brd 81.6.63.255 scope global ens33
       valid_lft forever preferred_lft forever
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.6 peer 172.16.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f7a:6f5:c062:fe1a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
[root@routserv openvpn]# tail -f /var/log/openvpn.log 
2022-09-08 06:52:35: Successful authentication: username="vpnuser1".

8. Troubleshooting

[root@outsidecli /]# systemctl status openvpn@client
● openvpn@client.service - OpenVPN connection to client
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled-runtime; vendor preset: enabled)
   Active: active (running) since Mon 2022-09-12 04:22:33 CST; 1min 20s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 9017 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 2281)
   Memory: 900.0K
   CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
           └─9017 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/open

9月 12 04:22:35 outsidecli ovpn-client[9017]: Data Channel: using negotiated cipher 'AES-256-GCM'
9月 12 04:22:35 outsidecli ovpn-client[9017]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
9月 12 04:22:35 outsidecli ovpn-client[9017]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
9月 12 04:22:35 outsidecli ovpn-client[9017]: ROUTE: default_gateway=UNDEF
9月 12 04:22:35 outsidecli ovpn-client[9017]: TUN/TAP device tun0 opened
9月 12 04:22:35 outsidecli ovpn-client[9017]: TUN/TAP TX queue length set to 100
9月 12 04:22:35 outsidecli ovpn-client[9017]: /sbin/ip link set dev tun0 up mtu 1500
9月 12 04:22:35 outsidecli ovpn-client[9017]: /sbin/ip addr add dev tun0 local 172.16.0.6 peer 172.16.0.5
9月 12 04:22:35 outsidecli ovpn-client[9017]: /sbin/ip route add 172.16.0.1/32 via 172.16.0.5
9月 12 04:22:35 outsidecli ovpn-client[9017]: Initialization Sequence Completed
lines 1-23/23 (END)
If the problem above occurs, the client's time does not match the server's; setting up time synchronization fixes it.


Reprinted from: blog.csdn.net/LLLLLoodwd/article/details/131445249