Introduction and deployment of OpenVPN

1. Introduction and deployment of OpenVPN

1.1 Introduction to OpenVPN

OpenVPN is a robust and efficient VPN daemon. It supports SSL/TLS security, Ethernet bridging, tunnel transport over TCP or UDP through proxies or NAT, dynamic IP addresses and DHCP, scales to hundreds of users, and is portable to most major operating system platforms.

OpenVPN requires the OpenSSL library because it relies on OpenSSL for its cryptography. It supports conventional encryption with a pre-shared key (static key mode) as well as public-key security with certificates on both the client and the server (SSL/TLS mode). It also supports unencrypted TCP/UDP tunnels. OpenVPN attaches to the network through the TUN/TAP virtual network interface, which is available on most platforms.

OpenVPN accepts any option either on the command line or in a configuration file (in configuration files these options are called directives).

1.2 Deploying OpenVPN

1.2.1 Deployment environment

A HUAWEI CLOUD host is used as the OpenVPN server.

Host                IP
openvpn server      192.168.0.248
web-node1 server    192.168.0.250
Windows 10 client   192.168.10.18

Operating system version and time synchronization

[root@openvpn-server ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@openvpn-server ~]# ntpdate time1.aliyun.com
 6 Feb 10:46:45 ntpdate[12220]: the NTP socket is in use, exiting

1.2.2 Install OpenVPN

Install openvpn and the easy-rsa certificate management tool

[root@openvpn-server ~]# yum install epel-release -y
[root@openvpn-server ~]# yum install openvpn -y
[root@openvpn-server ~]# yum install easy-rsa -y

Organize the configuration files

[root@openvpn-server ~]# cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-server
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easyrsa-server/3/vars
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-server
[root@openvpn-server easyrsa-server]# cd 3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── server
    └── serverClient

1 directory, 9 files

1.2.3 Initialize the PKI environment and the CA issuing authority

[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ll
total 72
-rwxr-xr-x 1 root root 48730 Feb  6 10:37 easyrsa
-rw-r--r-- 1 root root  4651 Feb  6 10:37 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8576 Feb  6 10:37 vars
drwxr-xr-x 2 root root  4096 Feb  6 10:37 x509-types
[root@openvpn-server 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa-server/3/pki

[root@openvpn-server 3]# ll pki/
total 16
-rw------- 1 root root 4651 Feb  6 10:48 openssl-easyrsa.cnf
drwx------ 2 root root 4096 Feb  6 10:48 private
drwx------ 2 root root 4096 Feb  6 10:48 reqs

1.2.4 Create the CA

[root@openvpn-server 3]# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
......................+++
...................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easyrsa-server/3/pki/ca.crt

[root@openvpn-server 3]# ll pki/ca.crt
-rw------- 1 root root 1172 Feb  6 10:49 pki/ca.crt
[root@openvpn-server 3]# ll pki/private/ca.key
-rw------- 1 root root 1675 Feb  6 10:49 pki/private/ca.key

1.2.5 Generate the server private key

[root@openvpn-server 3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............................+++
.+++
writing new private key to '/etc/openvpn/easyrsa-server/3/pki/private/server.key.k5cfaNWDBd'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easyrsa-server/3/pki/private/server.key
[root@openvpn-server 3]# ll pki/reqs/
total 4
-rw------- 1 root root 887 Feb  6 10:50 server.req
[root@openvpn-server 3]# ll pki/private/
total 8
-rw------- 1 root root 1675 Feb  6 10:49 ca.key
-rw------- 1 root root 1704 Feb  6 10:50 server.key

1.2.6 Issue the server certificate

Use the self-built CA to issue the server certificate, i.e. generate the server's .crt file. The certificate will later be sent to each client user so that the clients can exchange encrypted data with the openvpn server.

[root@openvpn-server 3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jan 21 02:54:54 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/server.crt

[root@openvpn-server 3]# ll pki/issued/server.crt
-rw------- 1 root root 4552 Feb  6 10:54 pki/issued/server.crt

1.2.7 Generate the dh.pem file

The DH key exchange method, published by Whitfield Diffie and Martin Hellman in 1976, is a security protocol that lets two parties establish a shared key over an insecure channel without any prior shared information. That key is usually then used as the "symmetric encryption" key for the data transmitted afterwards. The mathematical basis of DH is the discrete logarithm problem. Asymmetric encryption algorithms such as RSA do similar things. DH has a very wide range of applications, including SSH, VPN and HTTPS, and is regarded as a cornerstone of modern cryptography.

The difference between a .pem certificate and a .crt certificate is only the encoding method; both are essentially certificate files.

[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................+...........................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easyrsa-server/3/pki/dh.pem

[root@openvpn-server 3]# ll /etc/openvpn/easyrsa-server/3/pki/dh.pem
-rw------- 1 root root 424 Feb  6 10:58 /etc/openvpn/easyrsa-server/3/pki/dh.pem

1.2.8 Generate the client certificate request

[root@openvpn-server ~]# pwd
/root
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-client
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easyrsa-client/3/vars
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ll
total 72
-rwxr-xr-x 1 root root 48730 Feb  6 11:01 easyrsa
-rw-r--r-- 1 root root  4651 Feb  6 11:01 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8576 Feb  6 11:01 vars
drwxr-xr-x 2 root root  4096 Feb  6 11:01 x509-types
[root@openvpn-server 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa-client/3/pki

[root@openvpn-server 3]# ll pki
total 16
-rw------- 1 root root 4651 Feb  6 11:02 openssl-easyrsa.cnf
drwx------ 2 root root 4096 Feb  6 11:02 private
drwx------ 2 root root 4096 Feb  6 11:02 reqs
[root@openvpn-server 3]# ll pki/private/
total 0
[root@openvpn-server 3]# ll pki/reqs/
total 0
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ./easyrsa gen-req lisuo nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............+++
......................................................................................+++
writing new private key to '/etc/openvpn/easyrsa-client/3/pki/private/lisuo.key.qShPkliedt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [lisuo]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req
key: /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key

[root@openvpn-server 3]# tree /etc/openvpn/easyrsa-client/3/pki/
/etc/openvpn/easyrsa-client/3/pki/
├── openssl-easyrsa.cnf
├── private
│   └── lisuo.key
├── reqs
│   └── lisuo.req
└── safessl-easyrsa.cnf

2 directories, 4 files

1.2.9 Issue a certificate for the client

Issue the client certificate from the openvpn server's CA directory

[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: lisuo
You may now use this name to perform signing operations on this request.

[root@openvpn-server 3]# ./easyrsa sign client lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = lisuo


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName            :ASN.1 12:'lisuo'
Certificate is to be certified until Jan 21 03:07:37 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt

[root@openvpn-server 3]# ll /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt
-rw------- 1 root root 4431 Feb  6 11:07 /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt

1.2.10 Archive the server certificate in the server directory

Archive and save the issued server certificate

[root@openvpn-server 3]# mkdir /etc/openvpn/certs
[root@openvpn-server 3]# cd /etc/openvpn/certs
[root@openvpn-server certs]# pwd
/etc/openvpn/certs
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/dh.pem .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/issued/server.crt .
[root@openvpn-server certs]# cp /etc/openvpn/easyrsa-server/3/pki/private/server.key .
[root@openvpn-server certs]# pwd
/etc/openvpn/certs
[root@openvpn-server certs]# tree
.
├── ca.crt
├── dh.pem
├── server.crt
└── server.key

0 directories, 4 files

1.2.11 Archive the client certificate in its own directory

Archive and save the issued client certificate

[root@openvpn-server certs]# mkdir /etc/openvpn/client/lisuo
[root@openvpn-server certs]# cd /etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# pwd
/etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/private/lisuo.key .
cp: cannot stat ‘/etc/openvpn/easyrsa-server/3/pki/private/lisuo.key’: No such file or directory
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key .
[root@openvpn-server lisuo]# pwd
/etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── lisuo.crt
└── lisuo.key

0 directories, 3 files

1.2.12 Server configuration

Server-side configuration directives

[root@openvpn-server ~]# vim /etc/openvpn/server.conf
local 192.168.0.248 # IP address this host listens on
port 1194 # listening port

# TCP or UDP server?
proto tcp # protocol; selects the transport used for the OpenVPN tunnel
#proto udp

#dev tap: creates an Ethernet (layer 2) tunnel; use tap when bridging Ethernet
dev tun # creates a routed IP tunnel. A TUN device is mostly used for IP traffic; a TAP device
        # passes complete Ethernet frames through the tunnel and so supports non-IP protocols
        # such as IPX and AppleTalk

#dev-node MyTap # TAP-Win32 adapter name; not needed on non-Windows hosts

#topology subnet # network topology; not needed here
server 10.8.0.0 255.255.255.0 # address pool for connecting clients; the server takes the first address, 10.8.0.1, by default

#ifconfig-pool-persist ipp.txt # assign fixed IPs to clients; not needed

#server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # bridge mode; not needed

push "route 10.20.0.0 255.255.255.0"  # static routes pushed to clients, with next hop 10.8.0.1 on the
                                      # OpenVPN server; these are the company networks behind the server,
                                      # and several may be listed
push "route 192.168.0.0 255.255.255.0"

;client-config-dir ccd # per-client routes; these usually cover the LAN behind the client, not the server side, and are not needed here
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script # run an external script to create per-group iptables rules; not configured
;push "redirect-gateway def1 bypass-dhcp" # when enabled, all client traffic goes through the VPN server; not wanted here

#;push "dhcp-option DNS 208.67.222.222" # push DNS servers to clients; not needed
#;push "dhcp-option DNS 208.67.220.220"

#client-to-client # allow clients to talk to each other through the OpenVPN server; left disabled

;duplicate-cn # lets several users share one certificate; only for test environments, in production each user gets their own certificate

keepalive 10 120 # liveness check interval and timeout: ping every 10 seconds, consider the peer down after 120 seconds without a reply

#tls-auth /etc/openvpn/server/ta.key 0 # generate the key with: openvpn --genkey --secret ta.key
                                       # the server and every client need a copy of this key; the second
                                       # argument is 0 on the server and 1 on clients
cipher AES-256-CBC # encryption cipher

;compress lz4-v2 # enable compression
;push "compress lz4-v2"
;comp-lzo # compression setting compatible with older clients; the client must enable compression too

;max-clients 100 # maximum number of concurrent clients

user nobody # user and group the openvpn daemon runs as
group nobody

#persist-key # across restarts, keep the key files loaded the first time instead of re-reading them; not enabled here
#persist-tun # across restarts, keep the tun/tap device up instead of bringing it down and up again; not enabled here

status openvpn-status.log # OpenVPN status file, rewritten once a minute

#;log         openvpn.log # log mode and path; 'log' truncates the file each time openvpn starts
log-append  /var/log/openvpn/openvpn.log # append to the existing log after a restart

verb 3  # log verbosity, 0-9; higher levels log more detail
mute 20 # only the first 20 consecutive messages of the same category are written to the log
#explicit-exit-notify 1  # tells clients to reconnect automatically after a server restart; UDP only.
                         # In TCP mode reconnection works without it, and setting it together with
                         # proto tcp prevents the openvpn service from starting.
...
[root@openvpn-server ~]# mkdir /var/log/openvpn
[root@openvpn-server ~]# chown  nobody.nobody /var/log/openvpn

Final configuration

[root@openvpn-server ~]# grep "^[a-Z]" /etc/openvpn/server.conf
local 192.168.0.248
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key  # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
# tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
mute 20
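The final configuration above, audited as an added example (code written for this page, not from the original post or the OpenVPN project): it parses server.conf's directive syntax and flags the gaps a reviewer would raise, with a hardened variant built from the same file. The ta.key and crl.pem paths in the hardened variant are assumptions.

```python
"""Audit an OpenVPN server.conf for hardening gaps.

Added example, not code from the original post or the OpenVPN project.
It parses the directive syntax used in server.conf (one directive per
line, '#' or ';' comments, quoted push arguments).
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample: the final server.conf from this page, as printed
# by grep "^[a-Z]" above.
SAMPLE_SERVER_CONF = """\
local 192.168.0.248
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key  # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
# tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
mute 20
"""

# Constructed: the same config with the findings addressed. The ta.key
# and crl.pem paths are assumptions for this example.
HARDENED_SERVER_CONF = (
    SAMPLE_SERVER_CONF.replace("client-to-client\n", "")
    .replace("# tls-auth ta.key 0 # This file is secret\n",
             "tls-crypt /etc/openvpn/certs/ta.key\n"
             "crl-verify /etc/openvpn/easyrsa-server/3/pki/crl.pem\n")
    .replace("cipher AES-256-CBC", "cipher AES-256-GCM")
    .replace("verb 9", "verb 3")
)

AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def parse_openvpn_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the argument lists it appears with.

    Directives such as push may repeat, so every occurrence is kept. shlex
    keeps quoted push arguments together and, with comments=True, drops
    the trailing '# ...' comment on the key line.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_server_conf(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for each hardening gap found."""
    d = parse_openvpn_conf(text)
    findings: List[Tuple[str, str]] = []
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append(("NO_TLS_AUTH", "control channel has no HMAC key"))
    if "crl-verify" not in d:
        findings.append(("NO_CRL_VERIFY", "revoked client certs still accepted"))
    if "client-to-client" in d:
        findings.append(("CLIENT_TO_CLIENT", "clients can reach each other"))
    if "duplicate-cn" in d:
        findings.append(("DUPLICATE_CN", "one certificate shared by many users"))
    cipher = d.get("cipher")
    if cipher is None:
        findings.append(("NO_CIPHER", "no cipher set; 2.4 default is BF-CBC"))
    elif cipher[-1][0].upper() not in AEAD_CIPHERS:
        findings.append(("NON_AEAD_CIPHER", f"{cipher[-1][0]}: prefer AES-256-GCM"))
    verb = int(d.get("verb", [["1"]])[-1][0])  # OpenVPN's default verb is 1
    if verb >= 5:
        findings.append(("DEBUG_VERB", f"verb {verb} logs per-packet detail"))
    if "user" not in d or "group" not in d:
        findings.append(("NO_PRIV_DROP", "daemon keeps root; set user/group"))
    return findings


if __name__ == "__main__":
    for name, conf in (("page", SAMPLE_SERVER_CONF), ("hardened", HARDENED_SERVER_CONF)):
        print(name, audit_server_conf(conf))
```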

1.2.13 Client configuration file

[root@openvpn-server ~]# cd /etc/openvpn/client/lisuo/
[root@openvpn-server lisuo]# ll
total 16
-rw------- 1 root root 1172 Feb  6 11:11 ca.crt
-rw------- 1 root root 4431 Feb  6 11:12 lisuo.crt
-rw------- 1 root root 1704 Feb  6 11:12 lisuo.key
[root@openvpn-server lisuo]# grep -Ev "^(#|$|;)" /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/client.conf > /etc/openvpn/client/lisuo/client.ovpn

[root@openvpn-server lisuo]# vim /etc/openvpn/client/lisuo/client.ovpn
client    # declares this side to be a client
dev tun   # interface type, must match the server
proto tcp # protocol, must match the server
remote 192.168.0.248 1194 # server IP and port; a hostname also works as long as it resolves to an IP
resolv-retry infinite # if remote is a hostname, keep resolving it indefinitely; if its address
                      # changes, reconnect to the IP the name now points at
nobind # do not bind a local listening port; the client connects from a random source port to the server's 1194
persist-key
persist-tun
ca ca.crt
cert lisuo.crt
key lisuo.key
remote-cert-tls server # require the peer to present a certificate issued for server use (key usage / EKU check)
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3

[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── client.ovpen
├── lisuo.crt
└── lisuo.key

0 directories, 4 files

1.2.14 Starting OpenVPN

[root@openvpn-server lisuo]# cd
[root@openvpn-server ~]# systemctl stop firewalld
[root@openvpn-server ~]# systemctl disable firewalld
[root@openvpn-server ~]# yum install iptables-services iptables -y
[root@openvpn-server ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@openvpn-server ~]# systemctl start iptables.service

[root@openvpn-server ~]# iptables -F
[root@openvpn-server ~]# iptables -X
[root@openvpn-server ~]# iptables -Z
[root@openvpn-server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 6 packets, 348 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 352 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@openvpn-server ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
"/etc/sysctl.conf" 19L, 582C written
[root@openvpn-server ~]# sysctl  -p
...
net.ipv4.ip_forward = 1

[root@openvpn-server ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
[root@openvpn-server ~]# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
[root@openvpn-server ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@openvpn-server ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194
   36  2088 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 19 packets, 1484 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@openvpn-server ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.8.0.0/16          0.0.0.0/0

[root@openvpn-server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

# Start OpenVPN
[root@openvpn-server ~]# systemctl start openvpn@server
[root@openvpn-server ~]# systemctl status openvpn@server
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-02-06 12:08:13 CST; 5s ago
 Main PID: 12628 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─12628 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Feb 06 12:08:13 openvpn-server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Feb 06 12:08:13 openvpn-server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@openvpn-server ~]# systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.

[root@openvpn-server ~]# tail /var/log/openvpn/openvpn.log
Thu Feb  6 12:08:17 2020 us=581126 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
Thu Feb  6 12:08:17 2020 us=581133 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
Thu Feb  6 12:08:17 2020 us=581144  read from TUN/TAP returned 48
Thu Feb  6 12:08:17 2020 us=581153 MULTI TCP: multi_tcp_post TA_TUN_READ -> TA_UNDEF
Thu Feb  6 12:08:17 2020 us=581162 SCHEDULE: schedule_find_least NULL
Thu Feb  6 12:08:21 2020 us=589032 EP_WAIT[0] rwflags=0x0001 ev=0x00000001 arg=0x00000002
Thu Feb  6 12:08:21 2020 us=589088 MULTI: REAP range 16 -> 32
Thu Feb  6 12:08:21 2020 us=589098 MULTI TCP: multi_tcp_action a=TA_TUN_READ p=0
Thu Feb  6 12:08:21 2020 us=589116 MULTI TCP: multi_tcp_dispatch a=TA_TUN_READ mi=0x00000000
Thu Feb  6 12:08:21 2020 us=589126 NOTE: --mute triggered...

Check the tun network device:

[root@openvpn-server ~]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::8a69:b152:413b:2421  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

1.2.15 Install the OpenVPN Windows client

Official client download address
Unofficial download address

1.2.16 Client connection test

Save the certificate files into the openvpn client's installation directory: C:\Program Files\OpenVPN\config

[root@openvpn-server ~]# cd /etc/openvpn/client/lisuo/
[root@openvpn-server lisuo]# tar -cJvf lisuo.tar.xz ./*
./ca.crt
./client.ovpen
./lisuo.crt
./lisuo.key
[root@openvpn-server lisuo]# ll
total 28
-rw------- 1 root root 1172 Feb  6 11:11 ca.crt
-rw-r--r-- 1 root root  214 Feb  6 11:47 client.ovpn
-rw------- 1 root root 4431 Feb  6 11:12 lisuo.crt
-rw------- 1 root root 1704 Feb  6 11:12 lisuo.key
-rw-r--r-- 1 root root 4756 Feb  6 12:16 lisuo.tar.xz

Successful connection: a warning is displayed saying that the current configuration may cache the password in memory, and that the auth-nocache option can be used to prevent this.

Run route print at the Windows command prompt to view the routing table.

Add another cloud host, IP 192.168.0.250/24, to test whether the cloud LAN can be reached directly.

[root@ecs-d1b9 ~]# hostname web-server-node1
[root@ecs-d1b9 ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.250  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::f816:3eff:feb5:85a1  prefixlen 64  scopeid 0x20<link>
        ether fa:16:3e:b5:85:a1  txqueuelen 1000  (Ethernet)
        RX packets 331  bytes 39550 (38.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 369  bytes 38421 (37.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@ecs-d1b9 ~]# hostname web-server-node1
[root@ecs-d1b9 ~]# exit
logout
Connection to 192.168.0.250 closed.

State of the two cloud hosts

From the Windows 10 client, a direct Xshell connection to 192.168.0.250 succeeds, and the hostname shown is web-server-node1.

2. Advanced OpenVPN functions

Creating accounts and revoking account certificates as employees join and leave.

2.1 Protect the private key with a passphrase

Create a new account named stevenux and set a passphrase on its key to improve the certificate's security.

2.1.1 Certificate request and issuance

[root@openvpn-server lisuo]# cd /etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# ll
total 76
-rwxr-xr-x 1 root root 48730 Feb  6 11:01 easyrsa
-rw-r--r-- 1 root root  4651 Feb  6 11:01 openssl-easyrsa.cnf
drwx------ 4 root root  4096 Feb  6 11:04 pki
-rw-r--r-- 1 root root  8576 Feb  6 11:01 vars
drwxr-xr-x 2 root root  4096 Feb  6 11:01 x509-types
[root@openvpn-server 3]# ./easyrsa gen-req stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...............................................................+++
...................+++
writing new private key to '/etc/openvpn/easyrsa-client/3/pki/private/stevenux.key.0zvtMm6qk9'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [stevenux]:www.suosuoli.cn

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req
key: /etc/openvpn/easyrsa-client/3/pki/private/stevenux.key

[root@openvpn-server 3]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: stevenux
You may now use this name to perform signing operations on this request.

[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/stevenux.req stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Easy-RSA error:

Unable to import the request as the destination file already exists.
Please choose a different name for your imported request file.
Existing file at: /etc/openvpn/easyrsa-server/3/pki/reqs/stevenux.req

[root@openvpn-server 3]# ./easyrsa sign client stevenux

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = www.suosuoli.cn


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName            :ASN.1 12:'www.suosuoli.cn'
Certificate is to be certified until Jan 21 08:15:11 2023 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/stevenux.crt

# Organize the new account's certificate files
[root@openvpn-server 3]# mkdir /etc/openvpn/client/stevenux
[root@openvpn-server 3]# cd /etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# pwd
/etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/issued/stevenux.crt .
[root@openvpn-server stevenux]# cp /etc/openvpn/easyrsa-server/3/pki/private/stevenux.key .
[root@openvpn-server stevenux]# cp /etc/openvpn/client/lisuo/client.ovpn .
[root@openvpn-server stevenux]# vim client.ovpn
client
dev tun
proto tcp
remote 114.116.248.58 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3

"client.ovpn" 15L, 219C written
[root@openvpn-server stevenux]# ll
total 20
-rw------- 1 root root 1172 Feb  6 16:25 ca.crt
-rw-r--r-- 1 root root  219 Feb  6 16:27 client.ovpn
-rw------- 1 root root 1704 Feb  6 16:25 stevenux.key
-rw------- 1 root root 4453 Feb  6 16:25 stevenux.crt

[root@openvpn-server stevenux]# pwd
/etc/openvpn/client/stevenux
[root@openvpn-server stevenux]# tar cJvf stevenux.tar.xz ./*
./ca.crt
./client.ovpn
./stevenux.key
./stevenux.crt
[root@openvpn-server stevenux]# sz stevenux.tar.xz

2.2 Account certificate management

This mainly concerns creating and revoking certificates: issuing certificates to employees who join and revoking them when employees leave.

2.2.1 Automatic certificate expiry configuration

The validity period is calculated from the server's clock, and whether a certificate is still within its validity period is also checked against the server's clock.

[root@openvpn-server stevenux]# cd /etc/openvpn/easyrsa-server/3/
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# vim vars
#set_var EASYRSA_CERT_EXPIRE    1080
set_var EASYRSA_CERT_EXPIRE     90
...

2.2.2 Manual certificate revocation

Revoke

[root@openvpn-server 3]# cat /etc/openvpn/easyrsa-server/3/pki/index.txt
V	230121025454Z		B149F5E246A16B3EF695B06030D82C3B	unknown	/CN=server
V	230121030737Z		E18D86613FBFB4256BE241A3EB6A448F	unknown	/CN=lisuo
V	230121081511Z		7EC6AE9190A57A46FECC83ABA79920E3	unknown	/CN=www.suosuoli.cn
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa revoke lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = lisuo


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Revoking Certificate E18D86613FBFB4256BE241A3EB6A448F.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

# Generate the certificate revocation list (CRL)
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easyrsa-server/3/pki/crl.pem

[root@openvpn-server 3]# vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easyrsa-server/3/pki/crl.pem
"/etc/openvpn/server.conf" 318L, 10946C written
...
[root@openvpn-server 3]# systemctl restart openvpn@server

At this point lisuo can no longer connect.

View the revocation records

[root@openvpn-server 3]# cat /etc/openvpn/easyrsa-server/3/pki/index.txt
V	230121025454Z		B149F5E246A16B3EF695B06030D82C3B	unknown	/CN=server
R	230121030737Z	200206120802Z	E18D86613FBFB4256BE241A3EB6A448F	unknown	/CN=lisuo  # R means the certificate has been revoked
V	230121081511Z		7EC6AE9190A57A46FECC83ABA79920E3	unknown	/CN=www.suosuoli.cn
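An added example (not from the original article) that parses the index.txt shown above: it lists which serials the next gen-crl will write into crl.pem, which valid certificates are about to expire against the server clock (the check 2.2.1 relies on), and whether a given CN can still connect. The three sample lines are constructed from the entries above; the field layout (status, expiry, revocation time, serial, file name, DN) is the one easy-rsa/openssl ca use.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the index.txt shown above: the three entries
# as they stand after "easyrsa revoke lisuo" (fields are tab-separated).
SAMPLE_INDEX = (
    "V\t230121025454Z\t\tB149F5E246A16B3EF695B06030D82C3B\tunknown\t/CN=server\n"
    "R\t230121030737Z\t200206120802Z\tE18D86613FBFB4256BE241A3EB6A448F\tunknown\t/CN=lisuo\n"
    "V\t230121081511Z\t\t7EC6AE9190A57A46FECC83ABA79920E3\tunknown\t/CN=www.suosuoli.cn\n"
)

def parse_asn1_time(value):
    """YYMMDDHHMMSSZ (the form used in index.txt) -> aware UTC datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    """One dict per line: status (V/R/E), expiry, revocation time, serial, CN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _file, dn = line.split("\t")
        entries.append({
            "status": status,
            "expiry": parse_asn1_time(expiry),
            "revoked": parse_asn1_time(revoked) if revoked else None,
            "serial": serial,
            "cn": dn.split("/CN=", 1)[1],
        })
    return entries

def crl_serials(entries):
    """Serials gen-crl will write to crl.pem: every line still marked R.
    A record deleted from index.txt by hand (as in 2.2.3) is absent from the
    next CRL, so that old certificate is accepted again until it expires."""
    return sorted(e["serial"] for e in entries if e["status"] == "R")

def expiring_within(entries, now, days):
    """CNs of valid certs expiring within `days` of the server clock `now`."""
    limit = now + timedelta(days=days)
    return [e["cn"] for e in entries
            if e["status"] == "V" and now <= e["expiry"] <= limit]

def usable(entries, cn, now):
    """True if a cert for `cn` exists, is not revoked and has not expired."""
    return any(e["cn"] == cn and e["status"] == "V" and e["expiry"] > now
               for e in entries)
```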

2.2.3 Issuing a certificate for a reused account name

If an employee named lisuo has left and their certificate has been revoked, but a new employee is also called lisuo, the usual way to tell them apart is to append a number to the user name, such as lisuo1, lisuo2, and so on. If you want to issue a certificate under the account name lisuo anyway, you must first delete the lisuo account on the server, including its issuance record and certificate; otherwise the new user's certificate cannot be imported. The re-issuance process is as follows:

[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-client/3/
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-client/3
[root@openvpn-server 3]# rm -rf pki/private/lisuo.key
[root@openvpn-server 3]# rm -rf pki/reqs/lisuo.req
[root@openvpn-server 3]# rm -rf /etc/openvpn/client/lisuo/

# Delete the revoked record marked with R
[root@openvpn-server 3]# vim /etc/openvpn/easyrsa-server/3/pki/index.txt
R       230121030737Z   200206120802Z   E18D86613FBFB4256BE241A3EB6A448F        unknown /CN=lisuo

# Generate the certificate request for this account
[root@openvpn-server 3]# ./easyrsa gen-req lisuo

# The CA imports the request file and signs it
[root@openvpn-server ~]# cd /etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# pwd
/etc/openvpn/easyrsa-server/3
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easyrsa-client/3/pki/reqs/lisuo.req lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: lisuo
You may now use this name to perform signing operations on this request.

[root@openvpn-server 3]# ./easyrsa sign client lisuo

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = lisuo


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easyrsa-server/3/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'lisuo'
Certificate is to be certified until May  6 12:39:04 2020 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt


# Archive and pack the certificate files
[root@openvpn-server 3]# mkdir /etc/openvpn/client/lisuo
[root@openvpn-server 3]# cd /etc/openvpn/client/lisuo
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-server/3/pki/issued/lisuo.crt .
[root@openvpn-server lisuo]# cp /etc/openvpn/easyrsa-client/3/pki/private/lisuo.key .
[root@openvpn-server lisuo]# cp ../
lisuo/    stevenux/
[root@openvpn-server lisuo]# cp ../stevenux/ca.crt .
[root@openvpn-server lisuo]# cp ../stevenux/client.ovpn .
[root@openvpn-server lisuo]# cat ../stevenux/client.ovpn
client
dev tun
proto tcp
remote 114.116.248.58 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert stevenux.crt
key stevenux.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3
[root@openvpn-server lisuo]# tree
.
├── ca.crt
├── client.ovpn
├── lisuo.crt
└── lisuo.key

0 directories, 4 files

[root@openvpn-server lisuo]# tar czvf lisuo.tar.gz ./*
./ca.crt
./client.ovpn
./lisuo.crt
./lisuo.key
[root@openvpn-server lisuo]# sz lisuo.tar.gz

2.3 Configuration overview

2.3.1 OpenVPN server configuration

[root@openvpn-server ~]# cat  /etc/openvpn/server.conf
local  172.18.200.101
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.20.0.0 255.255.0.0"
push "route 172.31.0.0 255.255.0.0"
client-to-client
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
mute 20
crl-verify /etc/openvpn/easy-rsa/3.0.3/pki/crl.pem

2.3.2 OpenVPN client configuration

[root@openvpn-server ~]# cat /etc/openvpn/client/zhangxiaoming/client.ovpn
client
dev tun
proto tcp
remote 172.18.200.101 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert zhangshijie.crt
key zhangshijie.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3

2.4 Script for automatic account creation

Reference scripts for creating a new OpenVPN account and for revoking a certificate:

  • New account
#!/bin/bash
# Add a user to openvpn
if [[ $# -eq 0 ]]; then
    echo "Usage: $(basename "$0") USERNAME1 [USERNAME2 [USERNAME3...]]"
    exit 1
fi

for user in "$@"; do
    echo "Adding new user: $user"
    # Remove what is left of an earlier account with the same name (see 2.2.3)
    if [[ -d "/etc/openvpn/client/$user" ]]; then
        rm -rf "/etc/openvpn/client/$user"
        rm -f "/etc/openvpn/easy-rsa/3.0.3/pki/reqs/$user.req"
        sed -i "/\/CN=$user\$/d" /etc/openvpn/easy-rsa/3.0.3/pki/index.txt
    fi

    echo "Gen .csr file."
    cd /etc/openvpn/client/easy-rsa/3.0.3
    # init-pki wipes the whole client PKI, so only run it when none exists yet
    [[ -d pki ]] || ./easyrsa init-pki
    ./easyrsa gen-req "$user" nopass

    echo "Sign client certification."
    cd /etc/openvpn/easy-rsa/3.0.3/
    ./easyrsa import-req "/etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/$user.req" "$user"
    ./easyrsa sign client "$user"

    echo "Manage the crts."
    mkdir -p "/etc/openvpn/client/$user/"
    cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt "/etc/openvpn/client/$user/"
    cp "/etc/openvpn/easy-rsa/3.0.3/pki/issued/$user.crt" "/etc/openvpn/client/$user/"
    cp "/etc/openvpn/client/easy-rsa/3.0.3/pki/private/$user.key" "/etc/openvpn/client/$user/"
    # admin.ovpn is the template; point its cert/key directives at the new user
    cp /etc/openvpn/client/admin.ovpn "/etc/openvpn/client/$user/$user.ovpn"
    sed -i "s/admin/$user/g" "/etc/openvpn/client/$user/$user.ovpn"
    cd "/etc/openvpn/client/$user/"
    zip -r "$user.zip" ./*
    mv "/etc/openvpn/client/$user/$user.zip" ~

    echo "All done."
done
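An added example, not part of the original article, covering both the copy of client.ovpn in 2.2.3 and the sed in the script above: it rewrites only the cert and key directives for the new user and checks the resulting profile against the server configuration, so a profile that still points at stevenux.crt, carries an invalid proto such as the tdp typo, or names the wrong port is caught before it is packed. The template and the server.conf fragment are constructed from the files shown on this page, with unrelated lines left out.

```python
# Constructed inputs modelled on the stevenux client.ovpn and the server.conf
# of 2.3.1 (not the page's own files; unrelated lines are left out).
CLIENT_TEMPLATE = """\
client
proto tcp
remote 114.116.248.58 1194
ca ca.crt
cert stevenux.crt
key stevenux.key
cipher AES-256-CBC
"""
SERVER_CONF = "port 1194\nproto tcp\ndev tun\ncipher AES-256-CBC\n"
# proto values OpenVPN 2.4 accepts on the client side
VALID_PROTO = {"udp", "tcp", "tcp-client", "udp4", "udp6", "tcp4", "tcp6"}

def directive(cfg, name):
    """Arguments of the first `name` directive in cfg, or None if absent."""
    for line in cfg.splitlines():
        parts = line.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None

def check_client(client_cfg, server_cfg):
    """List mismatches between a client profile and the server it will use."""
    problems = []
    proto, sproto = directive(client_cfg, "proto"), directive(server_cfg, "proto")
    if not proto or proto[0] not in VALID_PROTO:
        problems.append("invalid proto")  # catches typos such as 'tdp'
    elif sproto and proto[0].split("-")[0].rstrip("46") != sproto[0].split("-")[0].rstrip("46"):
        problems.append("proto does not match server")  # tcp-client/tcp4 count as tcp
    remote = directive(client_cfg, "remote")
    if not remote or remote[1:2] != directive(server_cfg, "port"):
        problems.append("remote port is not the server port")
    if directive(client_cfg, "cipher") != directive(server_cfg, "cipher"):
        problems.append("cipher does not match server")
    return problems

def render_client(template, user, server_cfg):
    """Build `user`'s profile by rewriting only the cert and key directives;
    a copied file left unchanged still points at the original user's key."""
    out = []
    for line in template.splitlines():
        parts = line.split()
        if parts and parts[0] in ("cert", "key"):
            line = f"{parts[0]} {user}.{'crt' if parts[0] == 'cert' else 'key'}"
        out.append(line)
    rendered = "\n".join(out) + "\n"
    problems = check_client(rendered, server_cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return rendered
```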

2.5 Certificate revocation script

  • Revoke certificate
#!/bin/bash
# Del a user from openvpn

if [[ $# -eq 0 ]]; then
    echo "Usage: $(basename "$0") USERNAME"
    exit 1
fi

echo "Revoking $1..."
cd /etc/openvpn/easy-rsa/3.0.3/
./easyrsa revoke "$1"   # revoke the certificate of account $1
./easyrsa gen-crl       # regenerate crl.pem; OpenVPN re-reads the file when it changes

CRL=/etc/openvpn/easy-rsa/3.0.3/pki/crl.pem
if [[ -f "$CRL" ]]; then
    # Add crl-verify once; appending on every run would duplicate the directive
    grep -q '^crl-verify ' /etc/openvpn/server.conf || \
        echo "crl-verify $CRL" >> /etc/openvpn/server.conf
else
    echo "Can not find crl.pem. Exit."
    exit 1
fi
echo "Done."

Origin blog.csdn.net/wang11876/article/details/132581504