系统环境展开目录
安装软件包展开目录
环境就是新装 CentOS7.4,使用阿里云的 epel 源和常规源,不知道别的源有没有更新这个包,不废话,直接安装软件包。
[root@localhost ~]# yum -y install openvpn easy-rsa
看这里,如果是 2.2 的,直接去看这里吧。
配置 easy-rsa-3.0展开目录
复制文件展开目录
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# \rm 3 3.0
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
生成证书展开目录
创建一个新的 PKI 和 CA展开目录
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki #创建空的pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki
[root@localhost 3.0.3]# ./easyrsa build-ca nopass #创建新的CA,不使用密码
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: 回车
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt创建服务端证书。展开目录
[root@localhost 3.0.3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: 回车
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key签约服务端证书展开目录
[root@localhost 3.0.3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 7 14:54:08 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt创建 Diffie-Hellman展开目录
[root@localhost 3.0.3]# ./easyrsa gen-dh
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem到这里服务端的证书就创建完了,然后创建客户端的证书。
创建客户端证书展开目录
复制文件展开目录
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/
[root@localhost easy-rsa]# \rm 3 3.0
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars生成证书展开目录
[root@localhost 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki #创建新的pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki
[root@localhost 3.0.3]# ./easyrsa gen-req dalin nopass #客户证书名为大林,木有密码
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dalin]: 回车
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/dalin.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key最后签约客户端证书展开目录
[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/dalin.req dalin
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: dalin
You may now use this name to perform signing operations on this request.
[root@localhost 3.0.3]# ./easyrsa sign client dalin
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = dalin
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'dalin'
Certificate is to be certified until Apr 8 01:54:57 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/dalin.crt整理证书展开目录
现在所有的证书都已经生成完了,下面来整理一下。
服务端所需要的文件展开目录
[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
[root@localhost certs]# ll
总用量 20
-rw-------. 1 root root 1172 4月 11 10:02 ca.crt
-rw-------. 1 root root 424 4月 11 10:03 dh.pem
-rw-------. 1 root root 4547 4月 11 10:03 server.crt
-rw-------. 1 root root 1704 4月 11 10:02 server.key
客户端所需的文件展开目录
[root@localhost certs]# mkdir /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/dalin.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key /etc/openvpn/client/dalin/
[root@localhost certs]# ll /etc/openvpn/client/dalin/
总用量 16
-rw-------. 1 root root 1172 4月 11 10:07 ca.crt
-rw-------. 1 root root 4431 4月 11 10:08 dalin.crt
-rw-------. 1 root root 1704 4月 11 10:08 dalin.key其实这三个文件就够了,之前全下载下来是因为方便,然而这次懒得弄了,哈哈,编写服务端配置文件。顺便提一下再添加用户在./easyrsa gen-req这里开始就行了, 像是吊销用户证书的命令都自己用./easyrsa --help去看吧,GitHub 项目地址
服务器配置文件展开目录
[root@localhost ~]# vim /etc/openvpn/server.conf
local 192.168.1.113
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 17.166.221.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo
#duplicate-cn
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20启动服务展开目录
启动服务
[root@localhost ~]# systemctl start openvpn@server配置 OpenVPN 服务器端文件展开目录
编辑 / etc/openvpn/server.conf 文件,没有就手动创建,我的配置文件如下。如果是云服务器,尽量不要使用 upd 协议和 1194 端口,因为在国内很多接入商都不允许,导致 1194 端被封不能用。当然你也可以试一下,如果被封了就换一下。
local 192.168.1.168 #服务器IP
port 1194 #占用端口
proto udp #使用udp协议
dev tun #使用tun模式,也可以使用tap
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem #指定证书位置
ifconfig-pool-persist /etc/openvpn/ipp.txt #存放每个人使用的IP
server 17.166.221.0 255.255.255.0 #客户端DHCP
push "route 192.168.1.0 255.255.255.0" #VPN访问网段,我的内网是192.168.1.0网段
push "redirect-gateway def1 bypass-dhcp" #所有流量都走VPN,如果不需要将下三行去掉
push "dhcp-option DNS 223.5.5.5" #DNS1
push "dhcp-option DNS 223.6.6.6" #DNS2
client-to-client #允许客户端之间互通
keepalive 20 120 #保持连接时间
comp-lzo #开启vpn压缩
#duplicate-cn #允许多人使用同一个证书连接VPN,不建议使用,注释状态
user openvpn #运行用户
group openvpn #运行组
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1 #日志级别0-9,等级越高,记录越多
mute 20
启动 openvpn,看状态。展开目录
[root@openvpn ~]# systemctl start openvpn@server
[root@openvpn ~]# systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
正常启动了,下面开始配置 iptables 及转发。
配置 iptables 及转发展开目录
关闭 firewall展开目录
[root@openvpn ~]# systemctl stop firewalld.service //停止服务
[root@openvpn ~]# systemctl disable firewalld.service //禁止开启动
[root@openvpn ~]# firewall-cmd --state //查看状态安装 iptables,写入策略,开启 1194 及 22 端口展开目录
[root@openvpn ~]# yum -y install iptables iptables-services
[root@openvpn ~]# cat >>/etc/sysconfig/iptables<<OEF
> # Generated by iptables-save v1.4.7 on Fri Jul 7 17:16:42 2017
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [90:10238]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> *nat
> :PREROUTING ACCEPT [37:5449]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> # Completed on Fri Jul 7 17:16:42 2017
> OEF
[root@openvpn ~]# systemctl restart iptables.service
[root@openvpn ~]# iptables -t nat -A POSTROUTING -s 17.166.221.0/24 -o ens192 -j MASQUERADE #NAT
开启转发展开目录
[root@openvpn ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@openvpn ~]# sysctl -p服务端到此配置结束,生成证书开始连接。
客户端配置展开目录
1. 添加 openvpn 用户展开目录
使用 easy-rsa-3.0 的忽略这里撒,直接从编辑 client.ovpn 文件开始。
[root@openvpn ~]# cd /etc/openvpn/easy-rsa/2.0/
[root@openvpn /etc/openvpn/easy-rsa/2.0]# source vars
[root@openvpn /etc/openvpn/easy-rsa/2.0]# ./build-key dalin
[root@openvpn /etc/openvpn/easy-rsa/2.0]# sz keys/dalin.* #下载用户证书文件
[root@openvpn /etc/openvpn/easy-rsa/2.0]# sz keys/ca.* #下载CA2. 编辑 client.ovpn 文件展开目录
client
proto udp
dev tun
remote 36.0.0.0 1194
ca ca.crt
cert dalin.crt
key dalin.key
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20测试展开目录
emmmm,貌似没有可用的的测试服务器,用云服务器吧,试了一个 windows 的云服务器,死活连接不上,貌似是有限制,只好上 linux 了,但是遇到了点问题,连接是能连接上,ping 内网服务器不通,显示 Destination Host Prohibited,症状如下。
解决办法
修改 iptables 配置文件,这行去掉,重启 iptables 即可,修改之前记得保存一下 iptables 配置,上面貌似 NAT 那条木有保存。
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited我是直接复制 Centos6 的默认规则贴近来的,所以会有上面那条,如果你没有上面那条,配置没问题就可以正常使用了,不通的原因是因为 FORWARD 链中没有规则,所以 FORWORD 的数据包都被扔掉了,而且要添加我也不知道要怎么写,所以直接就注释了吧,哈哈,如果你的 vpn 服务器只是装 vpn,没有什么限制端口访问控制之类的东西直接将 iptables 的默认规则全清了把 NAT 贴进去就行了,最后的结果。
最后看看外网 IP,是不是公司的,telnet 了一下一个 2008 系统,可以通过,酱紫就可以了。
针对windows下的策略 有可能会提醒添加route错误,这种情况下,增加在 client.conf 中增加两行 route-method exe route-delay 2 然后配置完成后,将文件ca.crt,client.conf,dalin.crt,dalin.key 拷贝除去,只需要双击conf文件 既可以启动成功。