OpenVPN with easy-rsa 3.0.3: a configuration that works

System environment

Install packages

The environment is a freshly installed CentOS 7.4 using Aliyun's EPEL and base repositories; I don't know whether other mirrors carry this version of the package yet. No more preamble, install the packages:

[root@localhost ~]# yum -y install openvpn easy-rsa


Check the easy-rsa version shown in the output here; if it is 2.2, go straight to the easy-rsa 2.x steps instead.

Configure easy-rsa 3.0

Copy files
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# \rm 3 3.0   # 3 and 3.0 are just symlinks to 3.0.3
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars   # vars.example ships in the package's doc directory; searching all of / works but is slow

Generate certificates

Create a new PKI and CA
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki  # create an empty PKI

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki

[root@localhost 3.0.3]# ./easyrsa build-ca nopass  # create the CA; nopass leaves ca.key unencrypted, fine for a lab, but for anything real omit it so the CA key needs a passphrase, and keep ca.key off the VPN server

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: (press Enter)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt
Create the server certificate
[root@localhost 3.0.3]# ./easyrsa gen-req server nopass  # no passphrase on the server key, so the service can start unattended

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key
Sign the server certificate
[root@localhost 3.0.3]# ./easyrsa sign server server  # "sign" is short for sign-req; the server type adds the TLS server EKU that clients can check with remote-cert-tls server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt
Create the Diffie-Hellman parameters
[root@localhost 3.0.3]# ./easyrsa gen-dh
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

That completes the server-side certificates; next comes the client certificate. Here the client request is built in a second, separate PKI on the same box and then imported into the CA's PKI. In practice the request is generated on the client machine and only the .req file (never the .key) is sent to the CA, which is exactly what import-req is for.

Create the client certificate

Copy files
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/
[root@localhost easy-rsa]# \rm 3 3.0
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
Generate the certificate
[root@localhost 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki  # create a new PKI

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki
[root@localhost 3.0.3]# ./easyrsa gen-req dalin nopass  # client certificate named dalin, no passphrase

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dalin]: (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/dalin.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key
Finally, sign the client certificate
[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/dalin.req dalin  # bring the request into the CA's PKI under the short name dalin

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: dalin
You may now use this name to perform signing operations on this request.

[root@localhost 3.0.3]# ./easyrsa sign client dalin

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = dalin


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dalin'
Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/dalin.crt

Collect the certificates

All the certificates are generated; now gather the files each side needs.

Files the server needs
[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
[root@localhost certs]# ll
total 20
-rw-------. 1 root root 1172 Apr 11 10:02 ca.crt
-rw-------. 1 root root  424 Apr 11 10:03 dh.pem
-rw-------. 1 root root 4547 Apr 11 10:03 server.crt
-rw-------. 1 root root 1704 Apr 11 10:02 server.key
Files the client needs
[root@localhost certs]# mkdir /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/dalin.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key /etc/openvpn/client/dalin/
[root@localhost certs]# ll /etc/openvpn/client/dalin/
total 16
-rw-------. 1 root root 1172 Apr 11 10:07 ca.crt
-rw-------. 1 root root 4431 Apr 11 10:08 dalin.crt
-rw-------. 1 root root 1704 Apr 11 10:08 dalin.key

Those three files are all the client needs; last time I downloaded everything because it was convenient, but this time I couldn't be bothered, haha. Now write the server configuration file. To add another user, start again from ./easyrsa gen-req; for commands such as revoking a user's certificate, look at ./easyrsa --help yourself. GitHub project address
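As an added example (not code from this post or from the easy-rsa project), the day-two tasks that the paragraph above hands off to --help, written as a small shell script for the PKI built above: issue another client in one go, revoke a client and refresh the CRL, and bundle a client's files into a single .ovpn with the CA, certificate, key and tls-crypt key inlined. The server address, the paths and the tls-crypt key are my assumptions; the server needs matching tls-crypt and crl-verify lines in server.conf for those two pieces to take effect.

```sh
#!/bin/sh
# Added example, not code from the post or from easy-rsa: issue, revoke and
# package client certificates for the PKI built above. Everything below the
# defaults is an assumption; adjust the paths and the server address.
EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa/3.0.3}  # the CA PKI from above
CERT_DIR=${CERT_DIR:-/etc/openvpn/certs}                  # where server.conf reads its files
TC_KEY=${TC_KEY:-$CERT_DIR/tc.key}                        # tls-crypt key, shared by server and clients
VPN_REMOTE=${VPN_REMOTE:-vpn.example.com}                 # placeholder public name/IP of the server
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}

# valid_name NAME: easyrsa turns the name into file paths and the certificate
# subject, so accept only [A-Za-z0-9._-] and reject a leading "." or "-".
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# issue_client NAME: gen-req plus sign-req in one step (sign-req is what the
# "sign" shorthand used above runs). Signing as type client gives the cert the
# client EKU only, so it can never be used to impersonate the server.
issue_client() {
    valid_name "$1" || { echo "bad client name: $1" >&2; return 1; }
    ( cd "$EASYRSA_DIR" \
        && ./easyrsa --batch gen-req "$1" nopass \
        && ./easyrsa --batch sign-req client "$1" )
}

# revoke_client NAME: revoke and regenerate the CRL. The server only honours it
# with "crl-verify $CERT_DIR/crl.pem" in server.conf; the file must stay readable
# by the openvpn user because it is re-read for every new connection.
revoke_client() {
    valid_name "$1" || return 1
    ( cd "$EASYRSA_DIR" && ./easyrsa --batch revoke "$1" && ./easyrsa gen-crl ) \
        && install -m 0644 "$EASYRSA_DIR/pki/crl.pem" "$CERT_DIR/crl.pem"
}

# build_ovpn NAME CA_CRT CLIENT_CRT CLIENT_KEY TC_KEY: print a single-file
# profile with all four PEM files inlined, so the client needs nothing else.
build_ovpn() {
    printf '# OpenVPN profile for %s\nclient\ndev tun\nproto %s\nremote %s %s\n' \
        "$1" "$VPN_PROTO" "$VPN_REMOTE" "$VPN_PORT"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
    # remote-cert-tls server: refuse a peer whose cert lacks the server EKU, so a
    # stolen client cert cannot be used to run a rogue server. verify-x509-name
    # pins the CN that the server cert above was issued with.
    printf 'remote-cert-tls server\nverify-x509-name server name\n'
    printf 'cipher AES-256-GCM\nauth SHA256\ntls-version-min 1.2\nverb 3\n'
    for pair in "ca:$2" "cert:$3" "key:$4" "tls-crypt:$5"; do
        tag=${pair%%:*}; file=${pair#*:}
        printf '<%s>\n' "$tag"; cat "$file"; printf '</%s>\n' "$tag"
    done
}

# package_client NAME: issue the cert if it does not exist yet, then write
# /etc/openvpn/client/NAME.ovpn readable by root only.
package_client() {
    valid_name "$1" || return 1
    [ -f "$EASYRSA_DIR/pki/issued/$1.crt" ] || issue_client "$1" || return 1
    build_ovpn "$1" "$EASYRSA_DIR/pki/ca.crt" "$EASYRSA_DIR/pki/issued/$1.crt" \
        "$EASYRSA_DIR/pki/private/$1.key" "$TC_KEY" > "/etc/openvpn/client/$1.ovpn" \
        && chmod 0600 "/etc/openvpn/client/$1.ovpn"
}
```

Source the file and run `package_client dalin` on the CA host (after `openvpn --genkey --secret /etc/openvpn/certs/tc.key` has created the tls-crypt key once). The generated profile contains the private key, so hand it over the same way you would the key itself and delete the server-side copy afterwards. Revoking with `revoke_client dalin` only bites once server.conf has `crl-verify`; without it, a revoked certificate still connects.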

Server configuration file

Two things to watch in this file: it says proto tcp, while the iptables rule and the client profile further down use UDP; the protocol has to match in all three places. And 17.166.221.0/24 is public address space (17.0.0.0/8 belongs to Apple), so using it as the VPN pool makes that range unreachable for connected clients; an RFC 1918 range such as 10.8.0.0/24 is the usual choice.
[root@localhost ~]# vim /etc/openvpn/server.conf
local 192.168.1.113
port 1194
proto tcp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem

ifconfig-pool-persist /etc/openvpn/ipp.txt

server 17.166.221.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
   
keepalive 20 120
comp-lzo
#duplicate-cn

user openvpn
group openvpn

persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 1
mute 20
Start the service

[root@localhost ~]# systemctl start openvpn@server

Configure the OpenVPN server file (paths from the easy-rsa 2.0 setup)

Edit /etc/openvpn/server.conf, creating it if it does not exist; my configuration is below. On a cloud server, avoid the UDP protocol and port 1194 if you can, because many Chinese ISPs block them and a blocked 1194 simply will not work. You can try it anyway and change it if it turns out to be blocked.

local 192.168.1.168   # server IP
port 1194             # listening port
proto udp             # use UDP
dev tun               # tun mode; tap also works

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem        # certificate locations

ifconfig-pool-persist /etc/openvpn/ipp.txt          # remembers which IP each client was given

server 17.166.221.0 255.255.255.0                   # address pool handed out to clients
push "route 192.168.1.0 255.255.255.0"              # LAN reachable over the VPN; my LAN is 192.168.1.0/24
push "redirect-gateway def1 bypass-dhcp"            # send all client traffic through the VPN; drop these three lines if you do not want that
push "dhcp-option DNS 223.5.5.5"                    # DNS 1
push "dhcp-option DNS 223.6.6.6"                    # DNS 2
client-to-client                                    # let clients reach each other

keepalive 20 120                                    # ping every 20 s, treat the peer as dead after 120 s
comp-lzo                                            # enable VPN compression
#duplicate-cn                                       # allow several people to connect with one certificate; not recommended, left commented out

user openvpn                                        # run as this user
group openvpn                                       # run as this group

persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 1                                              # log level 0-9; the higher, the more is logged
mute 20
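
As an added example (not code from this post), here is a shell script that audits a server.conf for the weak points in both configurations above: an unauthenticated control channel, compression, the default cipher and HMAC, no CRL, and a public range as the VPN pool. It also prints a hardened version of the same configuration. The paths tc.key and crl.pem are assumptions: create the first with `openvpn --genkey --secret /etc/openvpn/certs/tc.key` (every client gets a copy too) and the second with `./easyrsa gen-crl`, installed world-readable because it is re-read after privileges drop to the openvpn user.

```sh
#!/bin/sh
# Added example, not part of the post: audit an OpenVPN server.conf for the
# weak spots in the configuration above and print a hardened version of it.
# tc.key and crl.pem are assumed paths (see the lead-in for how to create them).

# has_directive FILE NAME: true if NAME is present as an active (uncommented) directive.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# is_private_net A.B.C.D: true for RFC 1918 address space.
is_private_net() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_server_conf FILE: prints one finding per line; returns 1 if there were any.
audit_server_conf() {
    f=$1; n=0
    if has_directive "$f" comp-lzo || has_directive "$f" compress; then
        echo "compression is on: compressing before encrypting leaks plaintext (VORACLE); remove comp-lzo/compress"; n=$((n + 1))
    fi
    if ! has_directive "$f" tls-crypt && ! has_directive "$f" tls-auth; then
        echo "no tls-crypt/tls-auth: anyone on the internet can start a TLS handshake with the port; add tls-crypt"; n=$((n + 1))
    fi
    if ! has_directive "$f" cipher; then
        echo "no cipher: clients that do not negotiate (pre-2.4) get the BF-CBC default (64-bit blocks, SWEET32); set cipher AES-256-GCM"; n=$((n + 1))
    fi
    if ! has_directive "$f" auth; then
        echo "no auth: the HMAC defaults to SHA1; set auth SHA256"; n=$((n + 1))
    fi
    if ! has_directive "$f" tls-version-min; then
        echo "no tls-version-min: set tls-version-min 1.2"; n=$((n + 1))
    fi
    if ! has_directive "$f" crl-verify; then
        echo "no crl-verify: revoked client certificates are still accepted"; n=$((n + 1))
    fi
    if has_directive "$f" duplicate-cn; then
        echo "duplicate-cn: a certificate shared by several people cannot be revoked for just one of them"; n=$((n + 1))
    fi
    net=$(awk '$1 == "server" { print $2; exit }' "$f")
    if [ -n "$net" ] && ! is_private_net "$net"; then
        echo "VPN pool $net is public address space, so clients lose that range on the internet; use e.g. 10.8.0.0/24"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# hardened_server_conf: the server.conf from above with every finding fixed.
hardened_server_conf() {
    cat <<'EOF'
local 192.168.1.113
port 1194
proto udp
dev tun

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
tls-crypt /etc/openvpn/certs/tc.key
crl-verify /etc/openvpn/certs/crl.pem

cipher AES-256-GCM
auth SHA256
tls-version-min 1.2

ifconfig-pool-persist /etc/openvpn/ipp.txt
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client

keepalive 20 120
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
EOF
}
```

Source the file and run `audit_server_conf /etc/openvpn/server.conf`: the configuration above yields seven findings, the output of `hardened_server_conf` none. Only active directives are matched, so the commented-out #duplicate-cn passes. If you switch to the hardened file, the client profile must carry the same cipher, auth and tls-crypt settings, and the pool in the NAT rule changes to 10.8.0.0/24.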


Start openvpn and check its status
[root@openvpn ~]# systemctl start openvpn@server
[root@openvpn ~]# systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.


It started normally; next, configure iptables and forwarding.

Configure iptables and forwarding

Stop firewalld
[root@openvpn ~]# systemctl stop firewalld.service    # stop the service
[root@openvpn ~]# systemctl disable firewalld.service # do not start it at boot
[root@openvpn ~]# firewall-cmd --state                # check its status
Install iptables, write the policy, open ports 1194 and 22
[root@openvpn ~]# yum -y install iptables iptables-services
[root@openvpn ~]# cat >/etc/sysconfig/iptables<<'OEF'   # overwrite the packaged default rules; the heredoc delimiter must stand alone on its line
> # Generated by iptables-save v1.4.7 on Fri Jul  7 17:16:42 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [90:10238]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> *nat
> :PREROUTING ACCEPT [37:5449]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> # Completed on Fri Jul  7 17:16:42 2017
> OEF
[root@openvpn ~]# systemctl restart iptables.service
[root@openvpn ~]# iptables -t nat -A POSTROUTING -s 17.166.221.0/24 -o ens192 -j MASQUERADE   # NAT for the VPN pool; runtime only, run "service iptables save" or it is lost on the next restart


Enable forwarding
[root@openvpn ~]# vim /etc/sysctl.conf 
net.ipv4.ip_forward = 1
[root@openvpn ~]# sysctl -p

That ends the server-side configuration; generate a certificate and connect.

Client configuration

1. Add an OpenVPN user

If you used easy-rsa 3.0, skip this part and start from editing the client.ovpn file.

[root@openvpn ~]# cd /etc/openvpn/easy-rsa/2.0/
[root@openvpn /etc/openvpn/easy-rsa/2.0]# source vars
[root@openvpn /etc/openvpn/easy-rsa/2.0]# ./build-key dalin
[root@openvpn /etc/openvpn/easy-rsa/2.0]# sz keys/dalin.*  # download the user's certificate files
[root@openvpn /etc/openvpn/easy-rsa/2.0]# sz keys/ca.crt   # download only the CA certificate; keys/ca.* would also pull down ca.key, which must never leave the CA
2. Edit the client.ovpn file

The proto here has to match the server (the 3.0.3 server.conf above says tcp). The user and group lines only make sense on a Linux client and should be removed on Windows. Adding remote-cert-tls server makes the client refuse a server that presents a client certificate.
client
proto udp
dev tun
remote 36.0.0.0 1194

ca ca.crt
cert dalin.crt
key dalin.key

resolv-retry infinite
nobind
mute-replay-warnings

keepalive 20 120
comp-lzo
user openvpn
group openvpn

persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20

Test

Hmm, there didn't seem to be a usable test server, so I used a cloud server. I tried a Windows cloud host first and could not connect at all, apparently because of some restriction, so I switched to Linux. That ran into a problem: the tunnel comes up, but pinging an internal server fails with Destination Host Prohibited, as shown below.


Solution

Edit the iptables configuration file, remove the line below, and restart iptables. Save the iptables configuration before editing; the NAT rule added above apparently was not saved.

#-A FORWARD -j REJECT --reject-with icmp-host-prohibited

I pasted in CentOS 6's default rules, which is where that line comes from; if your file does not have it and the rest of the configuration is right, it just works. The reason nothing gets through is that the FORWARD chain contains no ACCEPT rule, so every forwarded packet hits the REJECT and is thrown away. I didn't know how to write the rule, so I simply commented it out, haha. The tidier fix is to keep the REJECT and insert, before it, an ACCEPT for packets arriving on the tun interface plus one for RELATED,ESTABLISHED replies. If the VPN box runs nothing but the VPN and has no port restrictions or access control to worry about, you can also just flush the default iptables rules and paste in the NAT rule. The final result:
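As an added example (not code from this post), this shell script generates the /etc/sysconfig/iptables file for the steps in the firewall section above and fixes the FORWARD problem properly: the FORWARD chain keeps its REJECT, but packets entering from the tunnel, and replies to them, are accepted ahead of it, and the MASQUERADE rule lives in the file so it survives a restart. Pool, interface, port and protocol are parameters and my assumptions; pass the values your server.conf actually uses (the firewall above opens udp/1194 while the 3.0.3 server.conf says proto tcp).

```sh
#!/bin/sh
# Added example, not from the post: generate the iptables-restore file for the
# VPN host. The FORWARD chain stays closed by default and opens only for traffic
# arriving from the tunnel, instead of deleting the FORWARD REJECT rule.
# gen_iptables_rules POOL WAN_IF PORT PROTO, e.g. 10.8.0.0/24 ens192 1194 udp
gen_iptables_rules() {
    pool=$1 wan=$2 port=$3 proto=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got: $proto" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Only packets that came in through the tunnel (and replies to them) may transit this host.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -s $pool -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $pool -o $wan -j MASQUERADE
COMMIT
EOF
}

# apply_iptables_rules POOL WAN_IF PORT PROTO: write the file that the iptables
# service loads at boot, load it now, and make IP forwarding persistent.
apply_iptables_rules() {
    tmp=$(mktemp) || return 1
    gen_iptables_rules "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0600 "$tmp" /etc/sysconfig/iptables && rm -f "$tmp"
    systemctl restart iptables.service || return 1
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}
```

Run `gen_iptables_rules 10.8.0.0/24 ens192 1194 udp` first and read the output; `apply_iptables_rules` with the same arguments installs it. The INPUT policy is DROP, so a typo in the SSH rule locks you out: test from a second session before closing the first. Because forwarding is restricted to `-i tun+` with the pool as source, a client that spoofs a LAN source address is rejected rather than forwarded.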


Finally check the public IP: it is the company's. A telnet to a Windows Server 2008 box also went through, so that's it.


Windows-specific settings
It may complain about errors when adding routes; in that case add two lines to client.conf:
route-method exe
route-delay 2
Once configured, copy ca.crt, client.conf, dalin.crt and dalin.key out to the Windows machine; double-clicking the conf file is enough to start it.
