Installing OpenVPN 2.4.7 on CentOS 7.6

2019/04/10 19:23
Reads: 2.8K

OpenVPN server setup

1. Software versions

  • CentOS - 7.x
  • easy-rsa - 3.0.3
  • OpenVPN - 2.4.7

2. Installation

  • It is recommended to enable the EPEL repository and install OpenVPN with yum:
yum install -y epel-release
yum update -y
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
yum install -y easy-rsa
yum install -y openvpn

3. Routing or bridging?

Routing is recommended unless you have a specific scenario that needs bridging, for example:

  • The VPN must carry non-IP protocols such as IPX
  • Applications run over the VPN that depend on network broadcasts (such as LAN games)
  • You want to browse Windows file shares across the VPN without setting up a Samba or WINS server

4. Choose the private subnet

The VPN tunnel subnet between the server and the clients only needs to avoid clashing with networks that already exist in your environment. Default: 10.8.0.0/16

5. Configure certificates and keys

The easy-rsa installed by yum is version 3.x; copy the tool out of its installation path and use it as-is. Here the default easy-rsa 3.x is used to generate the certificates and keys.

cp -rf /usr/share/easy-rsa/3.0.3 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki                          # create an empty PKI directory
./easyrsa build-ca nopass                   # CA key and certificate (nopass leaves the CA key unencrypted on disk)
./easyrsa build-server-full server nopass   # server key and certificate signed by the CA
./easyrsa build-client-full client1 nopass  # one key and certificate per client
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh                            # Diffie-Hellman parameters for the server

openvpn --genkey --secret ta.key            # shared tls-auth HMAC key, also copied to every client

Addendum: the easy-rsa 2.x procedure (download address

6. Configure the server

# log directory
mkdir -p /var/log/openvpn/
# user management directory
mkdir -p /etc/openvpn/server/user
# set permissions
chown openvpn:openvpn /var/log/openvpn -R
Create the server configuration file

Edit /etc/openvpn/server/server.conf and write the following into it:

#################################################
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
port 1199
proto tcp-server
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
dev tun     # TUN/TAP virtual network device
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
## Using System user auth.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
## Using Script Plugins
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
# client-cert-not-required  # Deprecated option
verify-client-cert   # no argument means 'require'; use 'none' for password-only authentication
username-as-common-name
## Connecting clients to be able to reach each other over the VPN.
client-to-client
## Allow multiple clients with the same common name to concurrently connect.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"
# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
compress lzo
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
log /var/log/openvpn/server.log          # 'log' truncates the file at every start
log-append /var/log/openvpn/server.log   # 'log-append' alone would keep the earlier runs
status /var/log/openvpn/status.log

Note!!! After creating the configuration file you must add a symlink to it, because the systemd unit file shipped with this OpenVPN version reads the .service.conf configuration.

cd /etc/openvpn/server/
ln -sf server.conf .service.conf
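
The status file written by the status line in server.conf is the quickest place to see who is connected. The following is an added example (not from the original post): a small POSIX shell/awk parser over a constructed status-version 1 file, assumed to be in the default format OpenVPN 2.4 writes; the usernames and addresses in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of the file written by the "status /var/log/openvpn/status.log"
# line (status-version 1, the default). Because of username-as-common-name the
# Common Name column is the username that checkpsw.sh accepted; mytest3 has
# connected but has no route entry yet, and mytest1 has two sessions (duplicate-cn).
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Tue Apr  2 17:23:38 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
mytest1,203.0.113.10:51234,12345,67890,Tue Apr  2 17:20:01 2019
mytest2,198.51.100.7:40000,1000,2000,Tue Apr  2 17:21:00 2019
mytest1,192.0.2.55:61000,500,800,Tue Apr  2 17:22:30 2019
mytest3,192.0.2.9:33000,0,0,Tue Apr  2 17:23:37 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,mytest1,203.0.113.10:51234,Tue Apr  2 17:23:30 2019
10.8.0.10,mytest2,198.51.100.7:40000,Tue Apr  2 17:23:31 2019
10.8.0.14,mytest1,192.0.2.55:61000,Tue Apr  2 17:23:35 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# One line per session, "<username> <real address> <vpn address>" ("-" if no route
# has been assigned yet). Usage: sessions_from_status < /var/log/openvpn/status.log
sessions_from_status() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
    /^ROUTING TABLE/       { sect = "routes";  next }
    /^GLOBAL STATS/        { sect = "";        next }
    sect == "clients" && NF == 5 && $1 != "Common Name"     { order[++n] = $1 "," $2 }
    sect == "routes"  && NF == 4 && $1 != "Virtual Address" { vip[$2 "," $3] = $1 }
    END {
      for (i = 1; i <= n; i++) {
        split(order[i], f, ",")
        print f[1], f[2], (order[i] in vip ? vip[order[i]] : "-")
      }
    }'
}

# Usernames with more than one concurrent session, one per line, sorted. With
# duplicate-cn enabled this is the quickest way to notice a shared account.
multi_session_users() {
  sessions_from_status | awk '{ c[$1]++ } END { for (u in c) if (c[u] > 1) print u }' | sort
}

printf '%s\n' "$SAMPLE_STATUS" | sessions_from_status
```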
Create the user password file

The format is one user per line: username and password separated by a space.

cat > /etc/openvpn/server/user/psw-file << EOF
mytest1 mytestpass1
mytest2 mytestpass2
.......
EOF
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file
Create the password check script
vim /etc/openvpn/server/user/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it (auth-user-pass-verify ... via-env) with the
# submitted credentials in the environment variables $username
# and $password; exit status 0 accepts, anything else rejects.
# Make it executable: chmod 755 /etc/openvpn/server/user/checkpsw.sh
PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Pass the username to awk with -v so it is data, not part of the awk program text.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}")
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# Note: as in the original script, the failure lines record the submitted password
# in clear text; remove the password= part before using this on a real server.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
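
The psw-file above stores passwords in clear text. The following added example (not the blog's script and not OpenVPN's code) is a drop-in alternative for checkpsw.sh that keeps salted, iterated SHA-256 hashes instead; the path /etc/openvpn/server/user/psw-hash-file, the use of logger, and the record format are this example's own assumptions.

```shell
#!/bin/sh
# Hashed-credential replacement for psw-file + checkpsw.sh (added example, not the
# blog's script). Record format, one user per line (usernames must not contain ':'):
#   <username>:<iterations>:<salt>:<sha256 hex>
# The hash is sha256 over "<salt>:<password>", re-hashed <iterations> times; only
# coreutils are used so it also runs on CentOS 7. Use a large count (e.g. 20000).
PSW_HASH_FILE="${PSW_HASH_FILE:-/etc/openvpn/server/user/psw-hash-file}"   # assumed path

# stretch <iterations> <salt> <password> -> hex digest on stdout
stretch() {
  iters=$1; salt=$2; pw=$3
  d=$(printf '%s:%s' "$salt" "$pw" | sha256sum | cut -d' ' -f1)
  i=1
  while [ "$i" -lt "$iters" ]; do
    d=$(printf '%s' "$d" | sha256sum | cut -d' ' -f1)
    i=$((i + 1))
  done
  printf '%s\n' "$d"
}

# make_record <username> <password> [iterations] -> one line for the hash file
make_record() {
  salt=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')   # fresh 128-bit salt per user
  printf '%s:%s:%s:%s\n' "$1" "${3:-20000}" "$salt" "$(stretch "${3:-20000}" "$salt" "$2")"
}

# check_user <username> <password> [file] -> exit 0 if the password matches.
# The username is passed to awk with -v, so it is data rather than program text
# (the original checkpsw.sh splices it into the awk expression).
check_user() {
  rec=$(awk -F: -v u="$1" '!/^[#;]/ && $1 == u { print; exit }' "${3:-$PSW_HASH_FILE}") || return 1
  [ -n "$rec" ] || return 1
  iters=$(printf '%s' "$rec" | cut -d: -f2)
  salt=$(printf '%s' "$rec" | cut -d: -f3)
  [ "$(stretch "$iters" "$salt" "$2")" = "$(printf '%s' "$rec" | cut -d: -f4)" ]
}

# Entry point when run by OpenVPN (auth-user-pass-verify ... via-env): the server
# exports $username and $password; log the outcome only, never the password.
if [ -n "$username" ] && [ -n "$password" ]; then
  if check_user "$username" "$password"; then
    logger -t openvpn-auth "accepted user $username"; exit 0
  fi
  logger -t openvpn-auth "rejected user $username"; exit 1
fi
```

To add a user, run make_record as root and append its output to the hash file; the file still needs the same chmod 600 and chown openvpn:openvpn as psw-file.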
Disable the firewall and SELinux
# disabling firewalld removes all host filtering on the server; the alternative is to keep it and open only 1199/tcp
systemctl disable --now firewalld NetworkManager
setenforce 0
sed -ri '/^[^#]*SELINUX=/s#=.+$#=disabled#' /etc/selinux/config
Enable kernel IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
Apply the kernel parameters
sysctl -p
Start the service
# find the unit name
rpm -ql openvpn |grep service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
# start: openvpn-server@ is a template unit that loads /etc/openvpn/server/<instance>.conf,
# so with the instance name ".service" it reads .service.conf, which is why the symlink was created above
systemctl start openvpn-server@.service.service

OpenVPN client setup

  • Installing OpenVPN on a Linux server is relatively simple; for convenience we install it directly with yum, as follows:
yum -y install epel-release
yum -y install openvpn
  • After OpenVPN is installed, the corresponding files are created under /etc/openvpn:
[root@client ~]# ll /etc/openvpn/
total 8
drwxr-x--- 2 root openvpn  34 Jul 26 15:06 client
drwxr-x--- 2 root openvpn   6 Apr 26 23:04 server

1. Prepare the configuration and certificate files

  • Download the generated ca.crt, client1.crt, client1.key and ta.key from the server into the corresponding directory on the client
  • After the configuration file has been edited, the /etc/openvpn directory looks like this:
[root@client ~]# tree /etc/openvpn/
/etc/openvpn/
├── ca.crt                               # provided by the server
├── client
├── client1.crt                          # provided by the server
├── client1.key                          # provided by the server
├── client.ovpn                          # client configuration file
├── passwd                               # account file, create it yourself: username on the first line, password on the second
├── server
└── ta.key                               # provided by the server
2 directories, 6 files

The client.ovpn configuration file is as follows:

[root@client ~]# cat /etc/openvpn/client.ovpn 
#
client
proto tcp-client
dev tun
auth-user-pass
remote x.x.x.x 1199               # x.x.x.x is the public IP address that maps to the server

ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1

remote-cert-tls server
auth-nocache
persist-tun
persist-key
compress lzo
verb 4
mute 10

2. Create the OpenVPN client systemd service

[root@client ~]# cat /usr/lib/systemd/system/openvpn-client.service
[Unit]
Description=OpenVPN Client
Documentation=https://github.com/OpenVPN/openvpn
After=network.target

[Service]
ExecStart=/usr/sbin/openvpn \
  --daemon \
  --cd /etc/openvpn \
  --config client.ovpn \
  --auth-user-pass /etc/openvpn/passwd \
  --log-append /var/log/openvpn.log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536


[Install]
WantedBy=multi-user.target

Start the service
systemctl enable openvpn-client.service && systemctl start openvpn-client.service
After the command completes, watch the log with:
tail -f /var/log/openvpn.log
When the end of the log shows output like the following, the tunnel is up:
[root@client ~]# tail -f /var/log/openvpn.log
Tue Apr  2 17:23:38 2019 us=742170 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Apr  2 17:23:38 2019 us=742465 ROUTE_GATEWAY 172.16.40.254/255.255.255.0 IFACE=enp1s0 HWADDR=e0:d5:5e:bc:af:07
Tue Apr  2 17:23:38 2019 us=743007 TUN/TAP device tun0 opened
Tue Apr  2 17:23:38 2019 us=743067 TUN/TAP TX queue length set to 100
Tue Apr  2 17:23:38 2019 us=743111 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Apr  2 17:23:38 2019 us=743156 /sbin/ip link set dev tun0 up mtu 1500
Tue Apr  2 17:23:38 2019 us=746898 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Apr  2 17:23:38 2019 us=747652 /sbin/ip route add 192.168.10.0/24 via 10.8.0.5
Tue Apr  2 17:23:38 2019 us=748326 /sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Tue Apr  2 17:23:38 2019 us=749066 Initialization Sequence Completed
