VPN basics

Virtual private network (VPN)
Function: build a secure private network on top of an insecure public network and carry the data encrypted.

VPN and tunneling
A tunnel involves three protocols:
Passenger protocol: the protocol being encapsulated, e.g. PPP, SLIP
Encapsulation protocol: sets up, maintains and tears down the tunnel, e.g. L2TP, IPsec
Carrier protocol: carries the encapsulated packets, e.g. IP
Example deployment

I. Environment

Role                         Host     Address
internal host                slave1   192.168.1.0/24 (192.168.1.2 on eth0)
VPN server, internal side    master   192.168.1.1 (eth0)
VPN server, external side    master   202.102.1.1 (eth1)
VPN client                   slave2   202.102.1.2 (eth1)

Set the default gateway on the internal host to the VPN server's internal address:

[root@slave1 ~]# ip route
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.1.1 dev eth0

Configure the internal (eth0) and external (eth1) interface addresses on the VPN server, then enable IP forwarding so it can route between the two:

[root@master ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:1f:e0:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::20c:29ff:fe1f:e045/64 scope link
       valid_lft forever preferred_lft forever
[root@master ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:1f:e0:4f brd ff:ff:ff:ff:ff:ff
    inet 202.102.1.1/24 brd 202.102.1.255 scope global eth1
    inet6 fe80::20c:29ff:fe1f:e04f/64 scope link
       valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
[root@master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
II. Issuing certificates with a CA

The flow is: create the CA; issue a certificate for the VPN server; issue a certificate for the VPN client; generate the key-exchange parameter file.

1. Configure the CA and generate private keys and signed certificates for vpnserver and vpnclient (done on the VPN server)

Install the OpenVPN packages:

[root@vpnserver OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm    # used for data compression
[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm

Generate the CA private key and certificate. First set the default DN fields in the easy-rsa vars file:

[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@vpnserver easy-rsa]# ls
2.0          build-key         build-req       make-crl     revoke-full
build-ca     build-key-pass    build-req-pass  openssl.cnf  sign-req
build-dh     build-key-pkcs12  clean-all       README       vars
build-inter  build-key-server  list-crl        revoke-crt   Windows
[root@vpnserver easy-rsa]# chmod +x *
[root@vpnserver easy-rsa]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="uplooking"
export KEY_EMAIL="ca@example.com"
[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver easy-rsa]# ./clean-all    # remove old certificate files from the keys directory
[root@vpnserver easy-rsa]# ./build-ca     # generate the CA private key and certificate
Generating a 1024 bit RSA private key
..........................++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []: ca.example.com
Email Address [ca@example.com]:

[root@vpnserver easy-rsa]# ls    # the keys directory has been created
2.0          build-key-pass    clean-all  README       Windows
build-ca     build-key-pkcs12  keys       revoke-crt
build-dh     build-key-server  list-crl   revoke-full
build-inter  build-req         make-crl   sign-req
build-key    build-req-pass    openssl.cnf vars
[root@vpnserver easy-rsa]# ls keys/
ca.crt  ca.key  index.txt  serial
2. Generate the VPN server's private key and certificate:

[root@vpnserver easy-rsa]# ./build-key-server vpnserver
Generating a 1024 bit RSA private key
..................................................++++++
.........................++++++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []:vpnserver.example.com
Email Address [ca@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'uplooking'
commonName            :PRINTABLE:'vpnserver.example.com'
emailAddress          :IA5STRING:'ca@example.com'
Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@vpnserver easy-rsa]# ls keys/
01.pem  index.txt       serial      vicvpnserver.csr
ca.crt  index.txt.attr  serial.old  vicvpnserver.key
ca.key  index.txt.old   vicvpnserver.crt
3. Generate a private key and certificate for each client:

[root@vpnserver easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
............................++++++
...................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []: client1.example.com
Email Address [ca@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'uplooking'
commonName            :PRINTABLE:'client1.example.com'
emailAddress          :IA5STRING:'ca@example.com'
Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. List the resulting certificates and private keys

[root@vpnserver easy-rsa]# ls keys/
01.pem  client1.crt  index.txt.attr      serial.old
02.pem  client1.csr  index.txt.attr.old  vicvpnserver.crt
ca.crt  client1.key  index.txt.old       vicvpnserver.csr
ca.key  index.txt    serial              vicvpnserver.key
5. Create the key-agreement (Diffie-Hellman) parameter file

[root@vpnserver easy-rsa]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........+...+.........................+.........+.....(progress output trimmed).....++*++*++*
III. VPN server configuration

Prerequisite: ip_forward is enabled on the VPN server (done in section I).

1. Check the key files

[root@master keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@master keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
[root@master keys]# ls /etc/openvpn/
ca.crt  vpnserver.crt  vpnserver.key
[root@master easy-rsa]# cp keys/dh1024.pem /etc/openvpn/

2. Configure the VPN server

[root@master ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/    # OpenVPN server config file
[root@master ~]# vim /etc/openvpn/server.conf
[root@master ~]# grep -P -v "^(#|;|$)" /etc/openvpn/server.conf
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

local binds the daemon to the server's external address, server hands clients addresses from the 10.8.0.0/24 tunnel pool, push "route 192.168.1.0 255.255.255.0" gives every client a route to the internal LAN through the tunnel, and user/group nobody drops the daemon's privileges after startup.

3. Start the VPN server

[root@master ~]# service openvpn start
[root@master ~]# chkconfig openvpn on
[root@master ~]# ip addr sh tap0
13: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 12:31:8b:9a:e3:02 brd ff:ff:ff:ff:ff:ff
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
    inet6 fe80::1031:8bff:fe9a:e302/64 scope link
       valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
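A server.conf like the one above is easy to get subtly wrong (a tunnel pool that collides with the LAN being pushed, a forgotten key file, a left-over test toggle). The following is an added example, not code from the tutorial or the OpenVPN project: a small linter that parses the directive syntax shown in the grep output and reports the points a reviewer would check before starting the service. The sample configuration embedded in it is reconstructed from the page; the finding codes are my own naming.

```python
"""Lint an OpenVPN server.conf for the points that matter in this deployment.

Added example, not code from the tutorial or from the OpenVPN project. It
parses the directive format shown by the page's grep output, then reports:
missing key-material directives, a tunnel subnet ('server') that overlaps a
LAN pushed with push "route ..." or contains the 'local' listen address, the
client-cert-not-required toggle, a missing privilege drop, and 1024-bit DH
parameters.
"""
import ipaddress
import shlex

# Constructed from the page's `grep -P -v "^(#|;|$)" server.conf` output.
SAMPLE_SERVER_CONF = """\
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
"""


def parse_conf(text):
    """Return {directive: [[args], ...]}, keeping every occurrence in order.

    OpenVPN treats '#' and ';' at the start of a line as comments; shlex
    strips trailing '#' comments and unquotes the argument of push "...".
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def _network(addr, mask):
    """Build an IPv4 network from OpenVPN's 'address netmask' argument pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint_server_conf(text):
    """Return a list of (code, detail) findings; an empty list means clean."""
    conf = parse_conf(text)
    findings = []

    # 1. Key material: no TLS handshake completes without all four files.
    for name in ("ca", "cert", "key", "dh"):
        if name not in conf:
            findings.append(("missing-directive", name))

    # 2. Addressing: the tunnel pool must not collide with the LAN being
    #    pushed to clients or with the public address the daemon listens on.
    if "server" in conf and len(conf["server"][0]) >= 2:
        tunnel = _network(*conf["server"][0][:2])
        for args in conf.get("push", []):
            words = args[0].split() if args else []
            if len(words) >= 3 and words[0] == "route":
                lan = _network(words[1], words[2])
                if tunnel.overlaps(lan):
                    findings.append(("route-overlap", f"{tunnel} overlaps pushed {lan}"))
        for args in conf.get("local", []):
            if args and ipaddress.ip_address(args[0]) in tunnel:
                findings.append(("local-in-tunnel", args[0]))

    # 3. Authentication and privilege posture.
    if "client-cert-not-required" in conf:
        findings.append(("no-client-cert", "clients are checked by password only"))
    if conf.get("user") != [["nobody"]] or conf.get("group") != [["nobody"]]:
        findings.append(("no-privilege-drop", "user/group nobody not set"))

    # 4. 1024-bit DH parameters (what build-dh produced above) are weak by
    #    current standards; generate 2048-bit parameters instead.
    for args in conf.get("dh", []):
        if args and "1024" in args[0]:
            findings.append(("weak-dh", args[0]))

    return findings


if __name__ == "__main__":
    for code, detail in lint_server_conf(SAMPLE_SERVER_CONF):
        print(f"{code}: {detail}")
```

Run against the page's configuration it reports only the 1024-bit DH file; a configuration whose server pool was set to 192.168.1.0/24 would additionally get a route-overlap finding, because clients would then receive a tunnel address inside the very LAN the pushed route is meant to reach.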
IV. VPN client configuration

1. Prepare the basic environment

[root@slave2 ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
    inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
    inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
       valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003

[root@slave2 OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm
[root@slave2 OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm

2. Copy the client's key material from the VPN server (ca.crt, client1.crt and client1.key; client1.key is the client's private key, so move it over a secure channel)

[root@slave2 openvpn]# cd /etc/openvpn/
[root@slave2 openvpn]# ls c*
ca.crt  client1.crt  client1.key

3. Configure the VPN client

[root@slave2 openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
[root@slave2 openvpn]# vi /etc/openvpn/client.conf
[root@slave2 openvpn]# grep -P -v "^(;|#|$)" client.conf
client
dev tap
proto udp
remote vpn.example.com 1194    # this FQDN must resolve to the IP of the VPN server's external interface (202.102.1.1)
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

The cert and key directives must name the files copied in step 2 (client1.crt and client1.key); the sample file ships with client.crt and client.key, which do not exist here.

4. Start and test

[root@slave2 ~]# service openvpn restart
[root@slave2 ~]# chkconfig openvpn on
[root@slave2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:77:2a:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0
    inet6 fe80::20c:29ff:fe77:2a9c/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
    inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
    inet 172.16.80.58/24 scope global eth1
    inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
       valid_lft forever preferred_lft forever
10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether c6:b9:f9:45:99:3a brd ff:ff:ff:ff:ff:ff
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0
    inet6 fe80::c4b9:f9ff:fe45:993a/64 scope link
       valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
192.168.1.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003

tap0 received 10.8.0.2 from the server's pool, and the entry 192.168.1.0/24 via 10.8.0.1 dev tap0 is the route pushed by the server, so the internal host is now reachable through the tunnel.
V. Extensions

1. Username/password authentication

1) Add the following to /etc/openvpn/server.conf:

#########auth password########
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
username-as-common-name
##############################

The three lines mean, in order: the script that authenticates users; do not request the client's certificate and use username/password only (leave this line commented out, as here, when certificate and password authentication are used together); use the username supplied by the client as the Common Name.

2) Create /etc/openvpn/checkpsw.sh with the following content (the username is passed to awk as a variable rather than spliced into the awk program, so a username containing quotes cannot change the lookup, and the submitted password is never written to the log):

#!/bin/sh
########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Look up the first non-comment row whose first field is the username.
# -v passes the username as an awk variable instead of embedding it in the program text.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # The submitted password is deliberately not logged.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> ${LOG_FILE}
exit 1

The server drops to user nobody / group nobody (see server.conf), so the script and the password file must be readable by that account:

[root@node4 openvpn]# ll checkpsw.sh
-rwxr--r-- 1 root root 1191 Sep 17 23:52 checkpsw.sh
[root@node4 openvpn]# chown nobody.nobody checkpsw.sh

3) Create the username/password list file /etc/openvpn/psw-file. Format: username<Tab>password

user1	pass
user2	pass

[root@node4 openvpn]# chmod 400 /etc/openvpn/psw-file
[root@node4 openvpn]# chown nobody.nobody /etc/openvpn/psw-file

4) Modify the VPN client configuration. First, comment out the client certificate and key (certificate authentication may also be left enabled):

;cert client1.crt
;key client1.key

Second, add the directive that makes the client prompt for a username and password:

auth-user-pass
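The via-env mode hands the credentials to whatever program auth-user-pass-verify names, so the checker does not have to be a shell script. The following is an added example (my own code, not the tutorial's checkpsw.sh and not from the OpenVPN project) that reads the same psw-file format as above, looks the user up without building a command from the username, compares in constant time, and keeps the password out of the log. Beyond the page, it also accepts entries stored as a salted PBKDF2 hash (pbkdf2_sha256$iterations$salt$hash, my own format) so a plaintext file can be migrated one user at a time; the script name checkpsw.py and the sample file contents are assumptions, the PASSFILE and LOG_FILE paths are the page's.

```python
"""Password-file verifier for OpenVPN's `auth-user-pass-verify ... via-env`.

Added example, not the tutorial's checkpsw.sh and not OpenVPN project code.
OpenVPN exports the submitted credentials as the environment variables
`username` and `password`; exit status 0 grants access and 1 denies it.
"""
import hashlib
import hmac
import os
import sys
import time

PASSFILE = "/etc/openvpn/psw-file"            # same path as the page's script
LOG_FILE = "/var/log/openvpn-password.log"    # same path as the page's script
ITERATIONS = 50_000                           # PBKDF2 work factor for hashed entries


def load_passfile(text):
    """Parse psw-file text into {username: stored_secret}; first entry wins.

    Same format as the page: username, one or more spaces/tabs, secret;
    lines beginning with ';' or '#' are comments.
    """
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            users.setdefault(parts[0], parts[1].strip())
    return users


def make_hash(password, salt=None, iterations=ITERATIONS):
    """Produce a pbkdf2_sha256$... entry for psw-file (random salt unless given)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(stored, password):
    """Constant-time check of password against a plain or hashed entry."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt_hex, hash_hex = stored.split("$", 3)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), hash_hex)
    return hmac.compare_digest(stored.encode(), password.encode())


# Compared against when the user is unknown, so a miss costs about the same
# time as a real lookup and does not reveal which usernames exist (constructed).
_DUMMY = make_hash("", salt=b"\x00" * 16)


def authenticate(users, username, password):
    """Return (granted, reason); the reason is safe to log and never holds the password."""
    stored = users.get(username)          # plain dictionary lookup: no command is built
    if stored is None:
        verify_secret(_DUMMY, password)
        return False, "user does not exist"
    if verify_secret(stored, password):
        return True, "successful authentication"
    return False, "incorrect password"


# Constructed sample in the page's format (username<Tab>secret). user2 holds a
# hash of "pass" with a fixed salt so the example is reproducible.
SAMPLE_PASSFILE = (
    "# users for the OpenVPN password check\n"
    "user1\tpass\n"
    f"user2\t{make_hash('pass', salt=bytes.fromhex('00112233445566778899aabbccddeeff'))}\n"
    "; disabled\tsecret\n"
)


def log(message):
    """Append a timestamped line to the log, mirroring the page's script."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    with open(LOG_FILE, "a") as fh:
        fh.write(f"{stamp}: {message}\n")


def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as fh:
            users = load_passfile(fh.read())
    except OSError:
        log(f"Could not open password file {PASSFILE!r} for reading.")
        sys.exit(1)
    granted, reason = authenticate(users, username, password)
    log(f"{reason}: username={username!r}")
    sys.exit(0 if granted else 1)


if __name__ == "__main__":
    main()
```

To use it in place of the shell script, point server.conf at it (auth-user-pass-verify /etc/openvpn/checkpsw.py via-env), make it executable and owned by nobody exactly as done for checkpsw.sh above, and write hashed rows into psw-file with make_hash. A username such as user1"||1==1||" simply misses the dictionary here, whereas spliced into an awk program text it would have altered the lookup.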
2. Installing the Windows VPN client

1) From http://openvpn.se/files/ download the "OpenVPN GUI for Windows" client whose version matches the OpenVPN server.
   a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe
2) Run openvpn-2.0.9-gui-1.0.3-install.exe and accept all defaults.
3) Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Each user gets its own certificate, consisting of a .crt and a .key file, e.g. client2.crt and client2.key.)
4) Build the client configuration from /root/openvpn-2.0.9/sample-config-files/client.conf and rename it to C:\Program Files\OpenVPN\config\client.ovpn, i.e. create the file on the server first, then upload it to the client machine and rename it.
   a) change proto udp to proto tcp
   b) change the remote line to 192.168.1.103 1194
   c) change the three ca lines to: ca ca.crt / cert client1.crt / key client1.key
   d) comment out comp-lzo

Connect: right-click the OpenVPN icon in the tray and choose "Connect". Normally the connection succeeds and the client is assigned an IP address.