### OpenVPN服务器 #### 开启epel-release ```bash yum install epel-release -y ``` #### 安装openvpn、easy-rsa和iptables-services ```bash yum install openvpn easy-rsa iptables-services -y ``` #### 配置easy-rsa ```bash cd /etc/openvpn/ cp -r /usr/share/easy-rsa /etc/openvpn/ ``` ```bash cd /etc/openvpn/easy-rsa/3/ vim vars ``` ``` set_var EASYRSA "$PWD" set_var EASYRSA_PKI "$EASYRSA/pki" set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY "ID" set_var EASYRSA_REQ_PROVINCE "GuangDong" set_var EASYRSA_REQ_CITY "guangzhou" set_var EASYRSA_REQ_ORG "test CERTIFICATE AUTHORITY" set_var EASYRSA_REQ_EMAIL "sheyinsong@untes.co" set_var EASYRSA_REQ_OU "SHEYINSONG EASY CA" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_ALGO rsa set_var EASYRSA_CA_EXPIRE 7500 set_var EASYRSA_CERT_EXPIRE 3650 set_var EASYRSA_NS_SUPPORT "no" set_var EASYRSA_NS_COMMENT "SHEYINSONG CERTIFICATE AUTHORITY" set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" set_var EASYRSA_DIGEST "sha256" ``` ```bash chmod +x vars ``` #### 创建CA ```bash cd /etc/openvpn/easy-rsa/3/ ./easyrsa init-pki ./easyrsa build-ca #提示输入CA私钥的密码 ``` #### 创建OpenVPN服务器的证书和私钥 ```bash ./easyrsa gen-req openvpn-server nopass ``` #### CA签名OpenVPN服务器证书 ```bash ./easyrsa sign-req server openvpn-server ``` #### 验证签名的证书 ```bash openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt ``` #### 创建OpenVPN客户端的证书和私钥 ```bash cd /etc/openvpn/easy-rsa/3/ ./easyrsa gen-req client01 nopass ``` #### CA签名OpenVPN客户端证书 ```bash ./easyrsa sign-req client client01 ``` #### 验证签名的证书 ```bash openssl verify -CAfile pki/ca.crt pki/issued/client01.crt ``` #### 创建DH Key ```bash ./easyrsa gen-dh ``` #### 创建CRL key ```bash ./easyrsa gen-crl ``` #### 销毁拨号客户端(`注意:销毁客户端私钥,需要销毁才执行`) ```bash ./easyrsa revoke client01 ``` #### 拷贝证书和私钥到openvpn的目录 ```bash cp pki/ca.crt /etc/openvpn/server/ cp pki/issued/openvpn-server.crt /etc/openvpn/server/ cp pki/private/openvpn-server.key /etc/openvpn/server/ ``` ```bash cp pki/ca.crt /etc/openvpn/client/ cp pki/issued/client01.crt /etc/openvpn/client/ cp pki/private/client01.key /etc/openvpn/client/ ``` ```bash cp pki/dh.pem /etc/openvpn/server/ cp pki/crl.pem /etc/openvpn/server/ ``` #### 配置OpenVPN服务器 ```bash vim /etc/openvpn/server.conf ``` ``` # OpenVPN Port, Protocol and the Tun port 1194 proto udp dev tun # OpenVPN Server Certificate - CA, server key and certificate ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/openvpn-server.crt key /etc/openvpn/server/openvpn-server.key #DH and CRL key dh /etc/openvpn/server/dh.pem crl-verify /etc/openvpn/server/crl.pem # Network Configuration - Internal network # Redirect all Connection through OpenVPN Server server 10.10.1.0 255.255.255.0 push "redirect-gateway def1" # Using the DNS from https://dns.watch push "dhcp-option DNS 114.114.114.114" push "dhcp-option DNS 8.8.8.8" #Enable multiple client to connect with same Certificate key duplicate-cn # TLS Security cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache # Other Configuration keepalive 20 60 persist-key persist-tun comp-lzo yes daemon # OpenVPN Log log-append /var/log/openvpn.log verb 3 ``` #### 开启路由转发功能 ```bash echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf sysctl -p ``` #### iptables防火墙配置 ```bash iptables -A INPUT -p udp --dport=1194 -j ACCEPT #开放openvpn端口 internet_dev=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}') #获取访问外网的网卡名 iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -o $internet_dev -j MASQUERADE #enp0s3为局域网通信的网卡接口，这里会把拨号成功的客户端对访问公网的流量进行IP伪装，修改成enp0s3的接口IP，然后经由内网网关传到路由器，再次通过路由器的NAT转换成路由器的公网ip. ``` iptables允许拨号网段的流量转发(`针对FORWARD默认拒绝的情况`) ```bash iptables -A FORWARD -s 10.10.1.0/24 -j ACCEPT iptables -A FORWARD -d 10.10.1.0/24 -j ACCEPT ``` #### firewalled防火墙配置 ```bash firewall-cmd --permanent --add-service=openvpn #开放openvpn服务端口 firewall-cmd --permanent --zone=trusted --add-interface=tun0 #把tun0加入trusted firewall-cmd --permanent --zone=trusted --add-masquerade #trusted开启masquerade internet_dev=$(ip route get 84.200.69.80 | awk 'NR==1 {print $(NF-2)}') firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.10.1.0/24 -o $internet_dev -j MASQUERADE firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s 10.10.1.0/24 -j ACCEPT firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -d 10.10.1.0/24 -j ACCEPT firewall-cmd --reload ``` #### 启动OpenVPN服务器 ```bash systemctl start openvpn@server systemctl enable openvpn@server ``` #### 创建openVPN客户端的配置 ```bash vim /etc/openvpn/client/client01.ovpn ``` ``` client dev tun proto udp remote xx.xx.xx.xx 1194 #xx.xx.xx.xx配置为OpenVPN服务器所在网络的路由器公网IP，该地址为路由器的公网IP地址.端口可以自行修改,同路由器映射端口匹配即可 ca ca.crt cert client01.crt key client01.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lzo nobind persist-key persist-tun mute-replay-warnings verb 3 ``` #### 打包OpenVPN客户端配置 ```bash cd /etc/openvpn/ tar -czvf client01.tar.gz client/* scp root@xx.xx.xx.xx:/etc/openvpn/client01.tar.gz . ```   ### 配置路由器 ```bash 路由器添加端口映射:公网ip地址:1194---->OpenVPN的内网IP地址:1194 ```   ### OpenVPN客户端 #### 开启epel-release ```bash yum install epel-release -y ``` #### 安装OpenVPN ```bash yum install openvpn -y ``` #### 解压OpenVPN的配置 ```bash cd /etc/openvpn/ tar xvf client01.tar.gz ``` #### 拨号OpenVPN服务器 ```bash openvpn --config /etc/openvpn/client/client01.ovpn ``` ```bash Wed Jun 19 09:11:16 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 Wed Jun 19 09:11:16 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Wed Jun 19 09:11:16 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Wed Jun 19 09:11:16 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194 Wed Jun 19 09:11:16 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Wed Jun 19 09:11:16 2019 UDP link local: (not bound) Wed Jun 19 09:11:16 2019 UDP link remote: [AF_INET]xx.xx.xx.xx:1194 Wed Jun 19 09:11:16 2019 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=a82ea46b b556e79b Wed Jun 19 09:11:16 2019 VERIFY OK: depth=1, CN=Easy-RSA CA Wed Jun 19 09:11:16 2019 VERIFY OK: depth=0, CN=openvpn-server Wed Jun 19 09:11:16 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Wed Jun 19 09:11:16 2019 [openvpn-server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194 Wed Jun 19 09:11:17 2019 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1) Wed Jun 19 09:11:17 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 114.114.114.114,dhcp-option DNS 8.8.8.8,route 10.10.1.1,topology net30,ping 20,ping-restart 60,ifconfig 10.10.1.6 10.10.1.5,peer-id 0,cipher AES-256-GCM' Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: timers and/or timeouts modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: --ifconfig/up options modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: route options modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: peer-id set Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: adjusting link_mtu to 1625 Wed Jun 19 09:11:17 2019 OPTIONS IMPORT: data channel crypto options modified Wed Jun 19 09:11:17 2019 Data Channel: using negotiated cipher 'AES-256-GCM' Wed Jun 19 09:11:17 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 19 09:11:17 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 19 09:11:17 2019 ROUTE_GATEWAY 172.19.239.253/255.255.240.0 IFACE=eth0 HWADDR=00:16:3e:02:88:cd Wed Jun 19 09:11:17 2019 TUN/TAP device tun0 opened Wed Jun 19 09:11:17 2019 TUN/TAP TX queue length set to 100 Wed Jun 19 09:11:17 2019 /sbin/ip link set dev tun0 up mtu 1500 Wed Jun 19 09:11:17 2019 /sbin/ip addr add dev tun0 local 10.10.1.6 peer 10.10.1.5 Wed Jun 19 09:11:17 2019 /sbin/ip route add xx.xx.xx.xx/32 via 172.19.239.253 Wed Jun 19 09:11:17 2019 /sbin/ip route add 0.0.0.0/1 via 10.10.1.5 Wed Jun 19 09:11:17 2019 /sbin/ip route add 128.0.0.0/1 via 10.10.1.5 Wed Jun 19 09:11:17 2019 /sbin/ip route add 10.10.1.1/32 via 10.10.1.5 Wed Jun 19 09:11:17 2019 Initialization Sequence Completed ``` #### 验证openVPN客户端拨号是否成功(`成功则显示为OpenVPN的所在网络的公网ip`) ```bash curl ifconfig.io ``` 参考: https://www.howtoforge.com/tutorial/how-to-install-openvpn-server-and-client-with-easy-rsa-3-on-centos-7/ https://www.howtoforge.com/tutorial/how-to-install-openvpn-on-centos-7/ #### `报错: VERIFY ERROR: depth=0, error=CRL has expired: CN=client` #### 解决方法: ```bash grep crl /etc/openvpn/server.conf #注销crl-verify ``` ``` #crl-verify /etc/openvpn/server/crl.pem ``` ```bash systemctl restart openvpn@server ```