openvpn部署
孙富阳, 江湖人称没人称。多年互联网运维工作经验,曾负责过孙布斯大规模集群架构自动化运维管理工作。擅长Web集群架构与自动化运维,曾负责国内某大型博客网站运维工作。
1.vpn概述
两点如何传输数据最安全
方案1: 专线
方案2: 硬件设备3层路由器 , 硬件vpn设备 vpn virtual private network 虚拟专有网络
方案3: 开源软件
pptp 使用最简单,不是很稳定,依赖于硬件设备的支持
OpenVPN 实现用户/运维/开发,访问网站内网
IpSEC
OpenSwan
2.OpenVPN应用场景
主机远程访问服务器设备 VPN 访问单台设备
主机远程访问服务器设备 VPN 访问单台设备
企业公司之间建立通讯 VPN IDC-IDC
3. OpenVPN服务端配置
#先添加内核参数(否则无法连接内部网络)
[root@vpn ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@vpn ~]# sysctl -p
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.ip_forward = 1
#使用easy-rsa生成秘钥证书
[root@vpn ~]# yum install easy-rsa#生成秘钥证书前需要准备vars文件
[root@vpn ~]# mkdir /opt/easy-rsa
[root@vpn ~]# cd /opt/easy-rsa/
[root@vpn /opt/easy-rsa]# cp -a /usr/share/easy-rsa/3.0.8/* ./
[root@vpn /opt/easy-rsa]# cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
[root@vpn /opt/easy-rsa]# vim vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN" ##所在国家
set_var EASYRSA_REQ_PROVINCE "beijing" ##所在省份
set_var EASYRSA_REQ_CITY "shanghai" ##所在城市
set_var EASYRSA_REQ_ORG "sfy" ##所在的组织
set_var EASYRSA_REQ_EMAIL "2195802440@qq.com" ##邮箱地址
set_var EASYRSA_NS_SUPPORT "yes"
#初始化生成证书
[root@vpn /opt/easy-rsa]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki
#创建根证书,会提示设置密码,用于ca对之后生成的server和client证书签名时使用,其他默认即可
[root@vpn /opt/easy-rsa]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: ###输入密码
Re-Enter New CA Key Passphrase: ###输入密码
Generating RSA private key, 2048 bit long modulus
......+++
....................................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: ##直接回车
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt
#创建server端证书和私钥文件,nopass表示不加密私钥文件,其他可以默认
[root@vpn /opt/easy-rsa]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
....................+++
..+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-2041.2qaRXL/tmp.TOl2dW'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: #####直接回车
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req
key: /opt/easy-rsa/pki/private/server.key
#给server端证书签名,首先是对一些信息的确认,可以输入yes,然后输入创建ca根证书时设置的密码
[root@vpn /opt/easy-rsa]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes ###输入yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-2089.eVFgoM/tmp.Hjdzxn
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: ###输入密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Sep 3 01:52:09 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/server.crt
#创建Diffie-Hellman文件,秘钥交换时的Diffie-Hellman算法(耐心等待即可)
[root@vpn /opt/easy-rsa]# ./easyrsa gen-dh#创建client端证书和私钥文件,nopass表示是不加密私钥文件,其他默认即可
[root@vpn /opt/easy-rsa]# ./easyrsa gen-req client nopass
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
............................................................................................................................................................+++
.......+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-2240.QwREH4/tmp.p1Jyl7'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]: ###回车即可
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client.req
key: /opt/easy-rsa/pki/private/client.key
#给client端证书签名,首先是对一些信息的确认,可以输入yes,然后输入创建ca根证书时设置的密码
[root@vpn /opt/easy-rsa]# ./easyrsa sign client client
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes ###输入yes即可
Using configuration from /opt/easy-rsa/pki/easy-rsa-2289.52oYT9/tmp.WF8wkn
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: ###输入密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Sep 3 02:10:49 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/client.crt
#安装openvpn
[root@vpn /opt/easy-rsa]# yum -y install openvpn#复制配置文件至etc并修改
[root@vpn /opt/easy-rsa]# cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/
[root@vpn /opt/easy-rsa]# cat /etc/openvpn/server.conf
port 1194 #端口
proto udp #协议
dev tun #采用路由隧道模式tun
ca ca.crt #ca证书文件位置
cert server.crt #服务端公钥名称
key server.key #服务端私钥名称
dh dh.pem #交换证书
server 10.8.0.0 255.255.255.0 #给客户端分配地址池,注意:不能和vpn服务器内网网段有相同
push "route 172.16.1.0 255.255.255.0" #允许客户端访问172.16.1.0网段
ifconfig-pool-persist ipp.txt #地址池记录文件位置
keepalive 10 120 #存活时间,10秒ping一次,120秒如未收到响应则视为断线
max-clients 100 #最多允许100个客户端连接
status openvpn-status.log #日志记录位置
verb 3 #openvpn版本
client-to-client #客户端与客户端之间支持通信
log /var/log/openvpn.log #openvpn日志记录位置
persist-key # #通过keepalive检测超时后,重新启动VPN,不重 新读取keys,保留第一次使用的keys
persist-tun #检测超时后,重新启动VPN,一直保持tun是 linkup的。否则网络会先linkdown然后再linkup
duplicate-cn
#拷贝证书至配置文件指定的目录
[root@vpn /opt/easy-rsa]# cd /etc/openvpn/
[root@vpn /etc/openvpn]# cp /opt/easy-rsa/pki/ca.crt ./
[root@vpn /etc/openvpn]# cp /opt/easy-rsa/pki/issued/server.crt ./
[root@vpn /etc/openvpn]# cp /opt/easy-rsa/pki/private/server.key ./
[root@vpn /etc/openvpn]# cp /opt/easy-rsa/pki/dh.pem ./
启动openvpn服务并加入开机自启动
[root@mb01 /etc/openvpn]# systemctl start openvpn@server
[root@mb01 /etc/openvpn]# systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
#检查进程与端口
[root@mb01 /etc/openvpn]# ip a s tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::10bb:e986:5a1c:138c/64 scope link flags 800
valid_lft forever preferred_lft forever
[root@mb01 /etc/openvpn]# ss -lntup |grep 1194
udp UNCONN 0 0 *:1194 *:* users:(("openvpn",pid=2172,fd=6))
[root@mb01 /etc/openvpn]# ps -ef |grep openvpn
root 2172 1 0 21:55 ? 00:00:00 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
root 2219 1680 0 21:56 pts/0 00:00:00 grep --color=auto openvpn
#服务端日志:
[root@mb01 /etc/openvpn]# tail -f /var/log/openvpn.log
ROUTE_GATEWAY 10.0.0.2/255.255.255.0 IFACE=eth0 HWADDR=00:50:56:2c:77:be#openvpn发下当前系统网关
/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2#添加openvpn虚拟网卡 tun0
/sbin/ip route add 10.8.0.0/24 via 10.8.0.2#在系统中添加路由信息
4.OpenVPN客户端配置
#将服务端创建的客户端秘钥下载至本地
[root@mb01 /opt/easy-rsa/pki]# sz issued/client.crt
[root@mb01 /opt/easy-rsa/pki]# sz private/client.key
[root@mb01 /etc/openvpn]# sz /etc/openvpn/ca.crt
编辑client.ovpn并放入客户端配置文件内
client #指定当前VPN是客户端
dev tun #使用tun隧道传输协议
proto udp #使用udp协议传输数据
remote 10.0.0.61 1194 #openvpn服务器IP地址端口号
resolv-retry infinite #断线自动重新连接,在网络不稳定的情况 下非常有用
nobind #不绑定本地特定的端口号
ca ca.crt #指定CA证书的文件路径
cert client.crt #指定当前客户端的证书文件路径
key client.key #指定当前客户端的私钥文件路径
verb 3 #指定日志文件的记录详细级别,可选0- 9,等级越高日志内容越详细
persist-key #通过keepalive检测超时后,重新启动 VPN,不重新读取keys,保留第一次使用的keys
5.OpenVPN加密/认证
#openvpn server端
1.先配置服务端支持密码认证:
[root@vpn ~]# echo script-security 3 >> /etc/openvpn/server.conf
####允许使用自定义脚本
[root@vpn ~]#echo auth-user-pass-verify /etc/openvpn/check.sh via-env >> /etc/openvpn/server.conf
###脚本路径
[root@vpn ~]# echo username-as-common-name >> /etc/openvpn/server.conf
#用户密码登陆方式验证
2. 编写配置文件指定的/etc/openvpn/check.sh 脚本文件(复制粘贴即可)
[root@vpn ~]# vim /etc/openvpn/check.sh
#!/bin/sh
#desc: openvpn uesr check scripts
#author: by oldboylinux
###########################################################
PASSFILE="/etc/openvpn/openvpnfile" #密码文件 用户名 密码明文
LOG_FILE="/var/log/openvpn-password.log" #用户登录情况的日志
TIME_STAMP=`date "+%Y-%m-%d %T"`
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
3.将脚本设置为可执行
[root@vpn ~]# chmod +x /etc/openvpn/check.sh4.创建用户
[root@vpn ~]# cat > /etc/openvpn/openvpnfile<<EOF
> oldboy 1 #这样写是可以使用的密码登录的
> lidao:1 #这样写是不能使用密码登录的
> EOF
5. 重启服务端
[root@vpn ~]# systemctl restart openvpn@server.service#openvpn 客户端
只需将auth-user-pass加入客户端配置文件即可
评论已关闭