English original: http://www.unixmen.com/setup-openvpn-server-client-centos-6-5/
Translation: istory85
Introduction
OpenVPN is a robust and highly flexible tunnelling application that uses the encryption, authentication and certificate features of the OpenSSL library to secure IP traffic over a single TCP or UDP port. It was written by James Yonan of OpenVPN Technologies.
This article walks through setting up an OpenVPN server on CentOS 6.5 and connecting to it from a remote client. In this lab, two CentOS 6.5 systems play the roles of VPN server and VPN client.
1 – VPN server configuration
Here I use a CentOS 6.5 machine as the VPN server; it has the IP address 192.168.1.2/24.
Background
The default CentOS repositories (and common mirrors such as 163) do not carry OpenVPN or its dependencies, so we need the EPEL repository.
To install the EPEL repository, follow this link: Install EPEL Repository On CentOS / RHEL / Scientific Linux 6
(This blog also describes a simpler method; search for it.)
Then update the system:
    yum update
Install OpenVPN
Install OpenVPN together with the easy-rsa scripts:
    yum install openvpn easy-rsa
The easy-rsa scripts are installed under /usr/share/easy-rsa/2.0/. Create a keys directory under /etc/openvpn/easy-rsa/ and copy the scripts there:
    mkdir -p /etc/openvpn/easy-rsa/keys
    cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Create the CA certificate and key
Edit /etc/openvpn/easy-rsa/vars with vi:
    vi /etc/openvpn/easy-rsa/vars
Set your own country, province, city, organization, e-mail address and so on:
    ......
    export KEY_COUNTRY="IN"
    export KEY_PROVINCE="TN"
    export KEY_CITY="Erode"
    export KEY_ORG="Unixmen"
    export KEY_EMAIL="sk@unixmen.com"
    export KEY_OU="server"
    ......
Change to the easy-rsa directory:
    cd /etc/openvpn/easy-rsa/
Initialise the certificate authority with the following commands (clean-all empties the keys directory, so run it only once, before any certificates exist):
    cp openssl-1.0.0.cnf openssl.cnf
    source ./vars
    ./clean-all
Now build the CA certificate and key:
    ./build-ca
Sample output:
    Generating a 2048 bit RSA private key
    ......................................................+++
    ............................................................+++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IN]: ----> Press Enter
    State or Province Name (full name) [TN]: ----> Press Enter
    Locality Name (eg, city) [Erode]: ----> Press Enter
    Organization Name (eg, company) [Unixmen]: ----> Press Enter
    Organizational Unit Name (eg, section) [server]: ----> Press Enter
    Common Name (eg, your name or your server's hostname)[...] ----> Press Enter
    Name[...] ----> Press Enter
    Email Address[...] ----> Press Enter
The CA certificate and key now exist. Next, create the server certificate and key:
    ./build-key-server server
Sample output:
    Generating a 2048 bit RSA private key
    ....................+++
    .............+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IN]: ----> Press Enter
    State or Province Name (full name) [TN]: ----> Press Enter
    Locality Name (eg, city) [Erode]: ----> Press Enter
    Organization Name (eg, company) [Unixmen]: ----> Press Enter
    Organizational Unit Name (eg, section) [server]: ----> Press Enter
    Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
    Name [EasyRSA]: ----> Press Enter
    Email Address [sk@unixmen.com]: ----> Press Enter

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ----> Press Enter
    An optional company name []: ----> Press Enter
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'IN'
    stateOrProvinceName :PRINTABLE:'TN'
    localityName :PRINTABLE:'Erode'
    organizationName :PRINTABLE:'Unixmen'
    organizationalUnitName:PRINTABLE:'server'
    commonName :PRINTABLE:'server'
    name :PRINTABLE:'EasyRSA'
    emailAddress :IA5STRING:'sk@unixmen.com'
    Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
    Sign the certificate? [y/n]:y ----> Type Y and Press Enter

    1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
    Write out database with 1 new entries
    Data Base Updated
Create the client certificate and key:
    ./build-key client
To issue a certificate for every client, run this once per client and replace client with a unique identifier for that client. Each client needs its own key pair; do not share one client.key between machines, since revoking it later would cut off all of them at once.
Sample output:
    Generating a 2048 bit RSA private key
    .......+++
    ..................................................................................................+++
    writing new private key to 'client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [IN]: ----> Press Enter
    State or Province Name (full name) [TN]: ----> Press Enter
    Locality Name (eg, city) [Erode]: ----> Press Enter
    Organization Name (eg, company) [Unixmen]: ----> Press Enter
    Organizational Unit Name (eg, section) [server]: ----> Press Enter
    Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
    Name [EasyRSA]: ----> Press Enter
    Email Address [sk@unixmen.com]: ----> Press Enter

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: ----> Press Enter
    An optional company name []: ----> Press Enter
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'IN'
    stateOrProvinceName :PRINTABLE:'TN'
    localityName :PRINTABLE:'Erode'
    organizationName :PRINTABLE:'Unixmen'
    organizationalUnitName:PRINTABLE:'server'
    commonName :PRINTABLE:'client'
    name :PRINTABLE:'EasyRSA'
    emailAddress :IA5STRING:'sk@unixmen.com'
    Certificate is to be certified until Mar 23 12:23:44 2024 GMT (3650 days)
    Sign the certificate? [y/n]:y ----> Type Y and Press Enter

    1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
    Write out database with 1 new entries
    Data Base Updated
Create the Diffie-Hellman parameters
Build the DH parameters (this can take several minutes):
    ./build-dh
Sample output:
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
The required certificates and keys are now in /etc/openvpn/easy-rsa/keys/. Copy the following to /etc/openvpn/:
· ca.crt
· dh2048.pem
· server.crt
· server.key
Change to /etc/openvpn/easy-rsa/keys/ and copy the files to /etc/openvpn/:
    cd /etc/openvpn/easy-rsa/keys/
    cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
Next, each client's certificate and key must be copied to that client; these are the files the server uses to authenticate it. In this lab we generated one client certificate and key, so we copy these:
· ca.crt
· client.crt
· client.key
As mentioned, I have a second CentOS 6.5 system that will run the VPN client. Make sure the openvpn package is installed on it, then copy the client files into its configuration directory:
    scp ca.crt client.crt client.key root@192.168.1.101:/etc/openvpn
Note: anyone who obtains these files can authenticate to your VPN as that client and reach everything the VPN exposes. Keep client.key readable only by root (mode 0600) on the client. Keep ca.key on the CA machine only: it is never needed on the server or on clients, and whoever holds it can issue certificates the server will trust.
Revoking a client's access
If a client's key is lost or the client should no longer be trusted, revoke its certificate:
    cd /etc/openvpn/easy-rsa/
    . ./vars
    ./revoke-full client
This marks the client certificate as revoked in the CA database and writes an updated certificate revocation list to keys/crl.pem. (revoke-full ends by testing the certificate against the new list; the "error 23 ... certificate revoked" it prints is the expected confirmation.) The server only enforces revocation if it is told to check that list: copy keys/crl.pem to /etc/openvpn/ and add crl-verify crl.pem to server.conf, and copy the file again after every later revocation. Without crl-verify, a revoked client keeps connecting until its certificate expires.
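The note above about leaked keys and the copy steps before it are easy to get slightly wrong (a world-readable client.key, a ca.key that rode along with the scp). The following shell script is an added example, not part of the original article: it checks a deployment directory for the files each role needs, refuses private keys that are not mode 0600/0400, flags a stray ca.key, and (when openssl is present) verifies that the certificate chains to ca.crt and matches its private key. File names follow the tutorial; the temporary directories created by demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check OpenVPN key material
# in a directory such as /etc/openvpn before or after copying it into place.

# Files each role needs. ca.key is deliberately absent from both lists: it stays
# on the CA machine and must never be deployed to a server or a client.
files_for_role() {
    case "$1" in
        server) echo "ca.crt dh2048.pem server.crt server.key" ;;
        client) echo "ca.crt client.crt client.key" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Print one "PROBLEM ..." line per issue in DIR for ROLE; always returns 0 so the
# output can be captured under "set -e". Uses GNU stat (CentOS coreutils).
pki_problems() {
    role="$1"; dir="$2"
    for f in $(files_for_role "$role"); do
        path="$dir/$f"
        if [ ! -s "$path" ]; then
            echo "PROBLEM $f is missing or empty"
            continue
        fi
        case "$f" in
            *.key)
                mode=$(stat -c %a "$path")
                [ "$mode" = "600" ] || [ "$mode" = "400" ] || \
                    echo "PROBLEM $f has mode $mode; private keys must be 600"
                ;;
        esac
    done
    [ -e "$dir/ca.key" ] && echo "PROBLEM ca.key is present; the CA key belongs only on the CA host"
    return 0
}

# Number of problems found (0 means the directory is ready).
count_pki_problems() {
    pki_problems "$1" "$2" | grep -c '^PROBLEM' || true
}

# Cryptographic check, needs openssl (not run by demo, whose files are dummies):
# the certificate verifies against ca.crt and its public key matches the private key.
verify_pki() {
    role="$1"; dir="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$role.crt" || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/$role.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$role.key")
    [ "$crt_mod" = "$key_mod" ]
}

# Constructed demonstration: a correct server layout, then the same directory
# with a world-readable key and a copied ca.key.
demo() {
    d=$(mktemp -d)
    for f in ca.crt dh2048.pem server.crt server.key; do echo dummy > "$d/$f"; done
    chmod 600 "$d/server.key"
    echo "good server dir  -> $(count_pki_problems server "$d") problem(s)"
    chmod 644 "$d/server.key"; echo dummy > "$d/ca.key"
    echo "leaky server dir -> $(count_pki_problems server "$d") problem(s)"
    pki_problems server "$d"
    rm -rf "$d"
}

case "${1:-}" in
    "")            demo ;;
    server|client) pki_problems "$1" "${2:-/etc/openvpn}"; verify_pki "$1" "${2:-/etc/openvpn}" ;;
    *)             echo "usage: $0 [server|client] [dir]" >&2; exit 2 ;;
esac
```

Run it as `sh check-pki.sh server` on the VPN server and `sh check-pki.sh client` on the client after the scp step; with no arguments it runs the constructed demo.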
Configure the VPN server
Now configure the server. Copy the sample server.conf to /etc/openvpn/ (the path contains the package version; adjust it if yours differs):
    cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
Edit server.conf with vi:
    vi /etc/openvpn/server.conf
In the sample file the lines below are present but commented out with a leading ';'. Point dh at the 2048-bit parameters we generated (the sample says dh1024.pem) and uncomment the redirect-gateway push so that clients route all their traffic through the server:
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys.
    dh dh2048.pem
    push "redirect-gateway def1 bypass-dhcp"
Uncomment the DNS pushes as well, substituting your own resolvers if you prefer; Google's public DNS is used here:
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
Finally uncomment user and group so that the daemon drops root privileges once the tunnel is up:
    user nobody
    group nobody
Save and exit.
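Because every one of these settings is a ';'-comment away from being silently absent, it is worth checking the finished server.conf mechanically. The script below is an added example, not from the original article: it strips comments, then reports which of the directives this section relies on (dh dh2048.pem, user/group nobody) are missing, together with three that the tutorial does not set but a 2.3 deployment should (crl-verify, tls-auth and an AES cipher in place of the 2.3 default BF-CBC). The two sample configurations it writes are constructed for the demonstration; the directive names are standard OpenVPN 2.3 options.

```shell
#!/bin/sh
# Added example (not from the original article): audit an OpenVPN 2.3 server.conf
# for hardening directives that are easy to leave commented out.

# name|ERE matched against active (uncommented) lines|why it matters
HARDENING_CHECKS='
user|^user[[:space:]]+nobody|drop root privileges once the tunnel is up
group|^group[[:space:]]+nobody|drop the root group as well
dh2048|^dh[[:space:]]+dh2048\.pem|the sample file still points at dh1024.pem
crl-verify|^crl-verify[[:space:]]|without it ./revoke-full has no effect on the server
tls-auth|^tls-auth[[:space:]]|HMAC check rejects unauthenticated packets before the TLS handshake
cipher|^cipher[[:space:]]+AES-|2.3 defaults to BF-CBC, a 64-bit block cipher
'

# Drop comments (# and ;) and blank lines, so ";user nobody" does not count.
active_lines() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' || true
}

# One "MISSING <name> <why>" line per absent directive; always returns 0.
audit_server_conf() {
    active=$(active_lines "$1")
    printf '%s\n' "$HARDENING_CHECKS" | grep -v '^$' | while IFS='|' read -r name regex why; do
        printf '%s\n' "$active" | grep -Eq "$regex" || printf 'MISSING %-10s %s\n' "$name" "$why"
    done
}

# Number of missing directives (0 means the file passes).
count_missing() {
    audit_server_conf "$1" | grep -c '^MISSING' || true
}

# Constructed samples: the shipped file with the relevant lines still commented
# out, and the same file after this section's edits plus the three extra directives.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;tls-auth ta.key 0 # This file is secret
;user nobody
;group nobody
EOF
    cat > "$1/hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
crl-verify crl.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
EOF
}

if [ $# -gt 0 ]; then
    for f in "$@"; do echo "== $f"; audit_server_conf "$f"; done
else
    d=$(mktemp -d); write_sample_configs "$d"
    for f in weak hardened; do
        echo "== $f.conf: $(count_missing "$d/$f.conf") missing"
        audit_server_conf "$d/$f.conf"
    done
    rm -rf "$d"
fi
```

Run `sh audit-conf.sh /etc/openvpn/server.conf` after editing. If you adopt the extra directives, generate the shared HMAC key with `openvpn --genkey --secret ta.key`, copy it to the client with `tls-auth ta.key 1` in client.conf, and add the same `cipher` line to client.conf, since the cipher is not negotiated in 2.3.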
Next, copy and edit client.conf; this file belongs on the client. First copy it somewhere convenient (e.g. /home):
    cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf /home/
Edit client.conf and set the VPN server's hostname or IP address:
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote 192.168.1.2 1194
Here 192.168.1.2 is my VPN server's IP address. The sample already refers to ca.crt, client.crt and client.key, which matches the files we copied. Then copy client.conf to the client system:
    scp /home/client.conf root@192.168.1.101:/etc/openvpn
IP forwarding and routing
Edit /etc/sysctl.conf:
    vi /etc/sysctl.conf
Set the forwarding value to 1:
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
Apply the change:
    sysctl -p
Add a NAT rule so that traffic from VPN clients (10.8.0.0/24, the subnet the sample server.conf assigns) leaves through eth0 with the server's address:
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
On a stock CentOS 6 firewall this rule alone is not enough: the INPUT and FORWARD chains both end in a REJECT rule, so UDP port 1194 must also be accepted on eth0 and forwarding between tun0 and eth0 must be allowed. Those filter rules have to be inserted (-I) ahead of the REJECT rules; appended with -A they land behind the REJECT and never match.
Save the firewall changes:
    service iptables save
    service iptables restart
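The complete rule set the previous step needs, and a check that the rules actually took effect, as an added example that is not part of the original article. vpn_firewall_rules prints the commands for a given interface, protocol, port and client subnet (defaults mirror the tutorial: eth0, udp/1194, 10.8.0.0/24); rule_reachable reads iptables-save output and reports whether a rule sits before its chain's first REJECT/DROP, which is how an appended rule on a stock CentOS 6 host is caught. The two iptables-save samples are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): firewall rules for the OpenVPN
# server and a reachability check against iptables-save output.

# Print the commands for WAN_IF PROTO PORT VPN_NET without executing them.
# Filter rules use -I so they precede the REJECT rules of a stock CentOS 6 firewall.
vpn_firewall_rules() {
    wan_if="${1:-eth0}"; proto="${2:-udp}"; port="${3:-1194}"; vpn_net="${4:-10.8.0.0/24}"
    cat <<EOF
iptables -I INPUT -i $wan_if -p $proto --dport $port -m state --state NEW -j ACCEPT
iptables -I FORWARD -i tun0 -o $wan_if -s $vpn_net -j ACCEPT
iptables -I FORWARD -i $wan_if -o tun0 -d $vpn_net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE
EOF
}

# rule_reachable CHAIN PATTERN FILE: exit 0 if the first rule in CHAIN matching
# PATTERN (an ERE) comes before the chain's first REJECT/DROP rule, 1 if it is
# shadowed by one or absent. FILE may be "-" to read iptables-save from stdin.
rule_reachable() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain {
            n++
            if (!hit && $0 ~ pat) hit = n
            if (!rej && $0 ~ /-j (REJECT|DROP)/) rej = n
        }
        END { exit (hit && (!rej || hit < rej)) ? 0 : 1 }' "$3"
}

# Constructed iptables-save captures: the result of appending (-A) the 1194 rule
# to a stock CentOS 6 firewall, and the result of the -I rules above.
write_sample_saves() {
    cat > "$1/shadowed.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
    cat > "$1/fixed.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -o tun0 -d 10.8.0.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

if [ "${1:-}" = "apply" ]; then
    vpn_firewall_rules "${2:-eth0}" udp 1194 10.8.0.0/24 | sh -e && service iptables save
else
    echo "# rules to apply:"; vpn_firewall_rules
    d=$(mktemp -d); write_sample_saves "$d"
    for s in shadowed fixed; do
        if rule_reachable INPUT '--dport 1194' "$d/$s.rules"; then r=reachable; else r="shadowed or absent"; fi
        echo "$s.rules: udp/1194 INPUT rule is $r"
    done
    rm -rf "$d"
fi
```

On the server, `sh vpn-fw.sh apply eth0` installs the rules and saves them; afterwards `iptables-save | sh -c '. ./vpn-fw.sh; rule_reachable INPUT "--dport 1194" -'` should succeed before you troubleshoot anything else. The stock INPUT chain already accepts ICMP, which is why the ping test at the end of the article works without an extra rule.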
Finally, start the service and enable it at boot:
    service openvpn start
    chkconfig openvpn on
Your OpenVPN server should now be running. Next we configure the client.
Confirm that the VPN interface (tun0) is up:
    ifconfig
Sample output:
    eth0 Link encap:Ethernet HWaddr 08:00:27:46:36:62
    inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::a00:27ff:fe46:3662/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:604 errors:0 dropped:0 overruns:0 frame:0
    TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:44166 (43.1 KiB) TX bytes:14434 (14.0 KiB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
2 – VPN client configuration
Here another CentOS 6.5 system acts as the VPN client, with the IP address 192.168.1.101/24.
Install OpenVPN (the EPEL repository is needed here too):
    yum install openvpn
Start the service and enable it at boot:
    service openvpn start
    chkconfig openvpn on
Confirm that the tunnel is up:
    ifconfig
Sample output:
    eth0 Link encap:Ethernet HWaddr 08:00:27:BE:25:49
    inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::a00:27ff:febe:2549/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:537 errors:0 dropped:0 overruns:0 frame:0
    TX packets:387 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:52177 (50.9 KiB) TX bytes:50170 (48.9 KiB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
As the output shows, the VPN server has automatically assigned 10.8.0.6 to my client.
Test connectivity by pinging the server's tunnel address; 10.8.0.1 is my VPN server's tun0 address:
    ping 10.8.0.1
Sample output:
    PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
    64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=9.61 ms
    64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=7.17 ms
    64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=4.87 ms
That's it. Now the VPN server and client are ready. Connect to your VPN server securely. Happy