
OpenVPN installation (compiled from source)

20 April
Author: 西洪室 | Category: Technology
I. Configure the system environment
1. Disable SELinux
Permanent:
Sourcing /etc/selinux/config does not make the edited file take effect immediately, so combine this with the temporary method below.
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@localhost ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted

Temporary:
The setting below takes effect immediately but is lost after a reboot.
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive

2. Disable the firewall (on a production host, prefer opening only the OpenVPN port in firewalld instead of disabling the service entirely)
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld
II. Install OpenVPN (compile from source)
Install the OpenVPN build dependencies
yum -y install gcc gcc-c++ make autoconf openssl-devel lzo-devel pam-devel net-tools git
Download, compile and install
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.8.tar.gz
tar zxvf openvpn-2.4.8.tar.gz
cd openvpn-2.4.8
./configure --prefix=/opt/openvpn-2.4.8
make && make install
Create a symbolic link
ln -s /opt/openvpn-2.4.8/ /usr/local/openvpn
III. Certificates OpenVPN needs (CA/DH)
Download easy-rsa and copy easyrsa3 into the OpenVPN install directory
cd
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa
cp -r easyrsa3/ /opt/openvpn-2.4.8/
Copy vars.example to vars; this file holds the settings used when generating certificates. Only the following options were changed, as needed.
cd /opt/openvpn-2.4.8/easyrsa3/
cp vars.example vars
vim vars
The modified vars file looks like this
[root@localhost easyrsa3]# grep -Ev '^#|^$' vars
if [ -z "$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
fi
set_var EASYRSA_DN    "org"
set_var EASYRSA_REQ_COUNTRY    "CN"
set_var EASYRSA_REQ_PROVINCE    "Sichuan"
set_var EASYRSA_REQ_CITY    "Chengdu"
set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL    "ko@163.com"
set_var EASYRSA_REQ_OU        "My Organizational Unit"
1. Create the CA root certificate
Initialize the PKI; this creates a pki directory under the current directory that holds intermediate files and the generated certificates.
[root@localhost easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /opt/openvpn-2.4.8/easyrsa3/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/openvpn-2.4.8/easyrsa3/pki
Create the root certificate. You are prompted for a passphrase (159753 here; use a strong one in practice), which the CA uses when signing the server and client certificates generated later. You are then prompted for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.
[root@localhost easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /opt/openvpn-2.4.8/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Enter New CA Key Passphrase:        ## set passphrase: 159753
Re-Enter New CA Key Passphrase:     ## set passphrase: 159753
Generating RSA private key, 2048 bit long modulus
..............................+++
................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                                ## default, press Enter
State or Province Name (full name) [Sichuan]:                     ## default, press Enter
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Copyleft Certificate Co]:        ## default, press Enter
Organizational Unit Name (eg, section) [My Organizational Unit]:  ## default, press Enter
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  ## default, press Enter
Email Address [ko@163.com]:                                       ## default, press Enter
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/openvpn-2.4.8/easyrsa3/pki/ca.crt
2. Create the server certificate and private key
nopass means the private key is not encrypted. You are then prompted for Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name and Email Address; press Enter to accept the defaults or change them by hand.
[root@localhost easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /opt/openvpn-2.4.8/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.+++
......................................+++
writing new private key to '/opt/openvpn-2.4.8/easyrsa3/pki/easy-rsa-99001.OYE7Cv/tmp.M72eBJ'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                                ## default, press Enter
State or Province Name (full name) [Sichuan]:                     ## default, press Enter
Locality Name (eg, city) [Chengdu]:                               ## default, press Enter
Organization Name (eg, company) [Copyleft Certificate Co]:        ## default, press Enter
Organizational Unit Name (eg, section) [My Organizational Unit]:  ## default, press Enter
Common Name (eg: your user, host, or server name) [server]:       ## default, press Enter
Email Address [ko@163.com]:                                       ## default, press Enter
Keypair and certificate request completed. Your files are:
req: /opt/openvpn-2.4.8/easyrsa3/pki/reqs/server.req
key: /opt/openvpn-2.4.8/easyrsa3/pki/private/server.key
Sign the server certificate. First confirm the details shown by typing yes, then enter the passphrase set during build-ca.
[root@localhost easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /opt/openvpn-2.4.8/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
    countryName               = CN
    stateOrProvinceName       = Sichuan
    localityName              = Chengdu
    organizationName          = Copyleft Certificate Co
    organizationalUnitName    = My Organizational Unit
    commonName                = server
    emailAddress              = ko@163.com
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                                                    ## type yes to confirm the details
Using configuration from /opt/openvpn-2.4.8/easyrsa3/pki/easy-rsa-99028.VxZjvp/tmp.mX4vYY
Enter pass phrase for /opt/openvpn-2.4.8/easyrsa3/pki/private/ca.key:              ## enter the passphrase set during build-ca: 159753
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Sichuan'
localityName          :ASN.1 12:'Chengdu'
organizationName      :ASN.1 12:'Copyleft Certificate Co'
organizationalUnitName:ASN.1 12:'My Organizational Unit'
commonName            :ASN.1 12:'server'
emailAddress          :IA5STRING:'ko@163.com'
Certificate is to be certified until Jul 18 02:48:39 2022 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/openvpn-2.4.8/easyrsa3/pki/issued/server.crt
3. Create the Diffie-Hellman parameters
This takes a while; be patient. The result is written to pki/dh.pem.
[root@localhost easyrsa3]# ./easyrsa gen-dh
4. Generate the tls-auth key
This key is mainly used to protect against DoS and TLS-layer attacks. The step is optional, but it is generated here for security, and the file is used later when configuring OpenVPN.
/opt/openvpn-2.4.8/sbin/openvpn --genkey --secret /opt/openvpn-2.4.8/easyrsa3/pki/ta.key
5. Configure client password users

Use User/Pass authentication to log in to the VPN. Although login uses User/Pass, the server still needs a certificate; this kind of VPN is somewhat like HTTPS on the web (not identical): only the server needs a certificate, the client need not present its own, and the client only has to verify that the server is legitimate, so the client only needs ca.crt (the root certificate). Of course, since the client is not authenticated with a certificate, security is necessarily somewhat lower, but it avoids the hassle of CA management.

Configure OpenVPN

First we need to write a user-authentication script (the script is provided on the OpenVPN website). Note that as written it keeps passwords in plaintext in psw-file and writes the submitted password to the log on failed attempts, so restrict the permissions of both files.
vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN calls it via "auth-user-pass-verify ... via-env",
# so the submitted credentials arrive in the $username and
# $password environment variables (requires script-security 3).

PASSFILE="/etc/openvpn/psw-file"

LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

# Deny (exit 1) when the password file cannot be read.
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Look up the user's row, skipping ';' and '#' comment lines; field 2 is the password.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi
# Exit status 0 tells OpenVPN the login succeeded; any other status rejects it.
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
Next, make the script executable
chmod 755 /etc/openvpn/checkpsw.sh
Now create the user password file (username first, then the password, separated by a space)
cat /etc/openvpn/psw-file
abc 123456
test test
Next, modify OpenVPN's server.conf (append the following to the end of server.conf; script-security 3 is what allows the password to reach the script through the environment)
cat >>/etc/openvpn/server.conf<<EOF
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env    # user authentication script
username-as-common-name
verify-client-cert none
EOF
Next, modify client.ovpn (mainly comment out the cert and key lines and add an auth-user-pass line). Note that this client file says proto tcp while the server.conf below uses proto udp; the two must agree.
client
dev tun
proto tcp
remote 192.168.16.110 41194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
;cert cyh.crt      # commented out
;key cyh.key       # commented out
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
auth-user-pass   
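As an added example (not code from the page or from OpenVPN), a hardened replacement for checkpsw.sh: it receives the credentials through via-file instead of environment variables, stores salted PBKDF2 hashes instead of plaintext passwords, and never writes the submitted password to the log. The file paths are the page's; the script name checkpsw.py and the password-file format are assumptions.

```python
# Hardened alternative to the page's checkpsw.sh (added example, not OpenVPN's script).
# Use with "auth-user-pass-verify /etc/openvpn/checkpsw.py via-file"; script-security 2
# suffices since credentials arrive in a temp file (user on line 1, password on line 2).
# Password file lines: "<user> pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>" ('#'/';' = comment).
import hashlib
import hmac
import os
import sys
from datetime import datetime

PASSFILE = "/etc/openvpn/psw-file"                  # same paths as the page's script
LOG_FILE = "/etc/openvpn/openvpn-password.log"

def hash_password(password, iterations=200000):
    """Produce the stored form; run once per user when populating PASSFILE."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:                               # malformed entry
        return False
    return scheme == "pbkdf2_sha256" and hmac.compare_digest(digest.hex(), hash_hex)

def check_credentials(username, password, passfile_lines):
    """True only if username is listed and the password matches its hash."""
    for line in passfile_lines:
        parts = line.split()
        if line.startswith(("#", ";")) or len(parts) < 2:
            continue
        if parts[0] == username:
            return verify_password(password, parts[1])
    return False                                     # unknown user

def main():                                          # entry point used by OpenVPN
    with open(sys.argv[1]) as f:                     # via-file: user, then password
        username, password = f.readline().rstrip("\n"), f.readline().rstrip("\n")
    with open(PASSFILE) as f:
        ok = check_credentials(username, password, f.read().splitlines())
    with open(LOG_FILE, "a") as log:                 # log the outcome, never the password
        log.write("%s: %s username=%r\n" % (datetime.now(), "OK" if ok else "FAILED", username))
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

To add a user, run hash_password once and paste the returned string as the second field of that user's line in psw-file.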


IV. Create the OpenVPN configuration file
Create the OpenVPN configuration directory and copy the sample configuration file
mkdir /etc/openvpn/
cp /root/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/
Create the log directory
mkdir /var/log/openvpn
Edit the configuration file. The paths under /usr/local/openvpn/server-cert/ assume that the ca.crt, server.crt, server.key, dh.pem and ta.key generated in section III have been copied into that directory (the tls-auth line uses the /opt/openvpn-2.4.8 prefix, which resolves to the same place through the symlink).
vim /etc/openvpn/server.conf
grep -Ev "^$|^[#;]" /etc/openvpn/server.conf
local 192.168.16.110
port 41194
proto udp
dev tun
ca /usr/local/openvpn/server-cert/ca.crt
cert /usr/local/openvpn/server-cert/server.crt
key /usr/local/openvpn/server-cert/server.key  # This file should be kept secret
dh /usr/local/openvpn/server-cert/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.22.0 255.255.255.0"
keepalive 10 120
tls-auth /opt/openvpn-2.4.8/server-cert/ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
V. Start OpenVPN
nohup /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf > /tmp/openvpn.log 2>&1 &
Add it to the startup items (on CentOS 7, /etc/rc.d/rc.local must also be made executable, or this line will not run at boot)
echo "nohup /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf > /tmp/openvpn.log 2>&1 &" >> /etc/rc.local