CentOS 6.6 x64简单搭建openvpn
时间:2015-07-18 02:17 来源:51cto.com 作者:IT
一、OpenVPN简介
OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。
OpenVPN允许参与建立VPN的单点使用共享金钥,电子证书,或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库中的SSLv3/TLSv1 协议函式库。OpenVPN能在Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X与Windows 2000/XP/Vista上运行,并包含了许多安全性的功能。它并不是一个基于Web的VPN软件,也不与IPsec及其他VPN软件包兼容。
OpenVPN2.0后引入了用户名/口令组合的身份验证方式,它可以省略客户端证书,但是仍有一份服务器证书需要被用作加密。 OpenVPN所有的通信都基于一个单一的IP端口, 默认且推荐使用UDP协议通讯,同时TCP也被支持。OpenVPN连接能通过大多数的代理服务器,并且能够在NAT的环境中很好地工作。服务端具有向客 户端“推送”某些网络配置信息的功能,这些信息包括:IP地址、路由设置等。OpenVPN提供了两种虚拟网络接口:通用Tun/Tap驱动,通过它们, 可以建立三层IP隧道,或者虚拟二层以太网,后者可以传送任何类型的二层以太网络数据。传送的数据可通过LZO算法压缩。在选择协议时候,需要注意2个加密隧道之间的网络状况,如有高延迟或者丢包较多的情况下,请选择TCP协议作为底层协议,UDP协议由于存在无连接和重传机制,导致要隧道上层的协议进行重传,效率非常低下。
二、OpenVPN的安装
OpenVPN服务器
内外地址:10.0.0.41
外网地址:211.152.xx.xx
本地客户端
网段:192.168.0.0
本机IP:192.168.0.125
1、安装前的准备工作
请关闭防火墙和selinux,简单的安装方法就是使用yum安装,首先我们应该先安装epel软件仓库。
# rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm
网络设置
1.开启服务器端路由转发功能
# vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
# sysctl -p
设置nat转发:
注:保证VPN地址池可路由出外网
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
2、安装openvpn,他会自动解决依赖关系
# yum install openvpn -y
3、安装好之后我们查看安装了哪些文件
[root@vpn ~]# rpm -ql openvpn
/etc/openvpn
/etc/rc.d/init.d/openvpn
/usr/lib64/openvpn
/usr/lib64/openvpn/plugin
/usr/lib64/openvpn/plugin/lib
/usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so
/usr/lib64/openvpn/plugin/lib/openvpn-down-root.so
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.3.7
/usr/share/doc/openvpn-2.3.7/AUTHORS
/usr/share/doc/openvpn-2.3.7/COPYING
/usr/share/doc/openvpn-2.3.7/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.3.7/INSTALL
/usr/share/doc/openvpn-2.3.7/PORTS
/usr/share/doc/openvpn-2.3.7/README
/usr/share/doc/openvpn-2.3.7/README.auth-pam
/usr/share/doc/openvpn-2.3.7/README.down-root
/usr/share/doc/openvpn-2.3.7/contrib
/usr/share/doc/openvpn-2.3.7/contrib/OCSP_check
/usr/share/doc/openvpn-2.3.7/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.3.7/contrib/README
/usr/share/doc/openvpn-2.3.7/contrib/multilevel-init.patch
/usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.3.7/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.3.7/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.3.7/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.3.7/sample
/usr/share/doc/openvpn-2.3.7/sample/Makefile
/usr/share/doc/openvpn-2.3.7/sample/Makefile.am
/usr/share/doc/openvpn-2.3.7/sample/Makefile.in
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/README
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/client.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/home.up
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/office.up
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.3.7/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.3.7/sample/sample-keys
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/.gitignore
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/README
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/ca.crt
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/ca.key
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/client-ec.crt
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/client-ec.key
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/client-pass.key
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/client.crt
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/client.key
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/client.p12
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/dh2048.pem
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/gen-sample-keys.sh
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/openssl.cnf
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/server-ec.crt
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/server-ec.key
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.crt
/usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.key
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/README
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/build
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/simple.c
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/simple.def
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/winbuild
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/build
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/log.c
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/log_v3.c
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/winbuild
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/README
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/build
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/simple.c
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/simple.def
/usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/winbuild
/usr/share/doc/openvpn-2.3.7/sample/sample-scripts
/usr/share/doc/openvpn-2.3.7/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.3.7/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.3.7/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.3.7/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.3.7/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn-2.3.7/sample/sample-windows
/usr/share/doc/openvpn-2.3.7/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/usr/share/openvpn
/var/run/openvpn
三、OpenVPN的配置
首先把主要配置文件复制到/etc/openvpn
# cp /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/server.conf /etc/openvpn/
网上有很多是编译安装的VPN,也主要讲解了如何生成证书,我这里就不掩饰证书创建的过程了,因为我们安装的openvpn里面自带了测试的证书等等,如果想自建证书的话请看本篇附录
# vim /etc/openvpn/server.conf
注:可按照默认模板配置,本例为自定义配置文件:
--------------------------
# 设置监听IP,默认是监听所有IP
;local a.b.c.d
# 设置监听端口,必须要对应的在防火墙里面打开
port 1194
# 设置用TCP还是UDP协议?(用UDP会比较快些)
;proto tcp
proto tcp
# 设置创建tun的路由IP通道,还是创建tap的以太网通道
# 路由IP容易控制,所以推荐使用它;但如果如IPX等必须
# 使用第二层才能通过的通讯,则可以用tap方式,tap也
# 就是以太网桥接
;dev tap
dev tun
# Windows需要给网卡一个名称,这里设置,linux不需要
;dev-node MyTap
# 这里是重点,必须指定SSL/TLS root certificate (ca),
# certificate(cert), and private key (key)
# ca文件是服务端和客户端都必须使用的,但不需要ca.key
# 服务端和客户端指定各自的.crt和.key
# 请注意路径,可以使用以配置文件开始为根的相对路径,
# 也可以使用绝对路径
# 请小心存放.key密钥文件
ca /usr/share/doc/openvpn-2.3.7/sample/sample-keys/ca.crt
cert /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.crt
key /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.key
# This file should be kept secret
# 指定Diffie hellman parameters.
dh /usr/share/doc/openvpn-2.3.7/sample/sample-keys/dh2048.pem
# 配置VPN使用的网段,OpenVPN会自动提供基于该网段的DHCP
# 服务,但不能和任何一方的局域网段重复,保证唯一
# 这里我选择默认
server 10.8.0.0 255.255.255.0
# 维持一个客户端和virtual IP的对应表,以方便客户端重新
# 连接可以获得同样的IP
ifconfig-pool-persist ipp.txt
# 配置为以太网桥模式,但需要使用系统的桥接功能
# 这里不需要使用
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# 为客户端创建对应的路由,以另其通达公司网内部服务器
# 但记住,公司网内部服务器也需要有可用路由返回到客户端
# 这里主要填写openvpn所在局域网的网段,我的openvpn所在的局域网是10.0.0.0
# 如果你的openvpn所在的局域网是其他的网段,下面请填写其他网段
;push "route 192.168.20.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
# 为特定的客户端指定IP或指定路由,该路由通常是客户端后面的
# 内网网段,而不是服务端连接的网段
# ccd是/etc/openvpn下的目录,其中建有希望限制的客户端Common
# Name为文件名的文件,并通过下面的命令写入固定IP地址
# 例如Common Name为client1,则在/etc/openvpn/ccd/client1写有:
# ifconfig-push 10.9.0.1 10.9.0.2
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# 为可以对不同的客户端设置防火墙等权限
# 可以让其自动运行对应脚本,可参考man
;learn-address ./script
# 若客户端希望所有的流量都通过VPN传输,则可以使用该语句
# 其会自动改变客户端的网关为VPN服务器,推荐关闭
# 一旦设置,请小心服务端的DHCP设置问题
# 如果需要抓取所以连接VPN客户端的流量信息,需要开启
;push "redirect-gateway def1 bypass-dhcp" 所有数据都通过VPN
# 用OpenVPN的DHCP功能为客户端提供指定的DNS、WINS等
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# 默认客户端之间是不能直接通讯的,除非把下面的语句注释掉
client-to-client
# 如果您希望有相同Common Name的客户端都可以登陆
# 也可以注释下面的语句,推荐每个客户端都使用不用的Common Name
# 常用于测试,开启的话,一个证书可以多个客户端连接
;duplicate-cn
# 设置服务端检测的间隔和超时时间
keepalive 10 120
# 下面是一些对安全性增强的措施
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be 0
# on the server and 1 on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# 使用lzo压缩的通讯,服务端和客户端都必须配置
comp-lzo
# 设置最大用户数
;max-clients 100
# 让OpenVPN以nobody用户和组来运行(安全)
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# 输出短日志,每分钟刷新一次,以显示当前的客户端
status /var/log/openvpn/openvpn-status.log
# 缺省日志会记录在系统日志中,但也可以导向到其他地方
# 建议调试的使用先不要设置,调试完成后再定义
# 只能使用其中的一个,log会每次启动前先清楚日志,log-append会对数据追加
;log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
# 设置日志的级别
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
--------------------------
四、OpenVPN的启动
# service openvpn start
[root@vpn ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2381/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1425/master
tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 12947/openvpn
五、客户端的安装
1.下载客户端,并默认安装:
http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2.将服务端内ca.crt、client.crt、client.key、client.conf复制到客户端C:\Program Files (x86)\OpenVPN\config下.
3.把client.conf改名为client.ovpn
内容如下:
-----------------------
# 定义是一个客户端
client
# 定义使用路由IP模式,与服务端一致
;dev tap
dev tun
# 定义Windows下使用的网卡名称,linux不需要
;dev-node MyTap
# 定义使用的协议,与服务端一致
;proto tcp
proto tcp
# 指定服务端地址和端口,可以用多行指定多台服务器
# 实现负载均衡(从上往下尝试)
remote 211.152.x.x 1194
;remote my-server-2 1194
# 若上面配置了多台服务器,让客户端随机连接
;remote-random
# 解析服务器域名
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# 客户端不需要绑定端口
# Most clients do not need to bind to
# a specific local port number.
nobind
# 也是为了让Openvpn也nobody运行(安全)
# 注意:Windows不能设置
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# 若客户端通过HTTP Proxy,在这里设置
# 要使用Proxy,不能使用UDP为VPN的通讯协议
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# 无线网络有很多多余的头文件,设置忽略它
;mute-replay-warnings
# 重点,就是指定ca和客户端的证书
ca ca.crt
cert client.crt
key client.key
# 如果服务端打开了PAM认证模块,客户端需要另其有效
;auth-user-pass
# 一些安全措施
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# 使用lzo压缩,与服务端一致
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
-----------------------
5.连接:
在右下角的openvpn图标上右击,选择“Connect”,若能正常分配IP,则连接成功。
我获取的IP是10.8.0.6
先去看一下我们的路由信息
因为我们使用了push "route 10.0.0.0 255.255.255.0" ,所以openvpn给我们推送了一条路由信息,我们在查看一下openvpn上面的IP信息
那我们去ping一下服务器的内外IP,还有服务器内外外的另一台设备,看看是否可以连入机房内网
事实证明我们的配置是成功的!
附录
下载密钥制作工具easy_rsa 2:
wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
解压easy_rsa并拷贝到/etc/openvpn:
unzip 2.x.zip
mv easy-rsa-release-2.x/ /etc/openvpn/
编辑easy-rsa的vars文件,设定相关变量信息:
cd /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0
vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="Comratings"
export KEY_EMAIL="ADMIN@Comratings.COM"
export KEY_OU="MyOpenVPN"
编辑完之后,保存退出。
将刚才编辑的vars文件,执行如下命令:
source vars
./clean-all
./build-ca
创建服务器的证书和密钥:
./build-key-server OpenVPN_Server
[root@cloud 2.0]# ./build-key-server OpenVPN_Server
Generating a 2048 bit RSA private key
.................................+++
............+++
writing new private key to 'OpenVPN_Server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [XIAOCUI]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN_Server]:
Name [EasyRSA]:
Email Address [ADMIN@ XIAOCUI.COM]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:' XIAOCUI '
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName :T61STRING:'OpenVPN_Server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'ADMIN@ XIAOCUI.COM'
Certificate is to be certified until May 2 07:49:13 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
创建客户端的证书和密钥:
./build-key client-user-test1
[root@cloud 2.0]# ./build-key client-user-test1
Generating a 2048 bit RSA private key
....................+++
...............................................................................+++
writing new private key to 'client-user-cuiyuanrong.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [XIAOCUI]:
Organizational Unit Name (eg, section) [MyOpenVPN]:
Common Name (eg, your name or your server's hostname) [client-user-test1]:
Name [EasyRSA]:
Email Address [ADMIN@XIAOCUI.COM]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BEIJING'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'XIAOCUI'
organizationalUnitName:PRINTABLE:'MyOpenVPN'
commonName :PRINTABLE:'client-user-test1'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'ADMIN@XIAOCUI.COM'
Certificate is to be certified until May 2 07:53:17 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
创建Diffie Hellman 参数:
./build-dh
(责任编辑:IT)
一、OpenVPN简介 OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。 OpenVPN允许参与建立VPN的单点使用共享金钥,电子证书,或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库中的SSLv3/TLSv1 协议函式库。OpenVPN能在Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X与Windows 2000/XP/Vista上运行,并包含了许多安全性的功能。它并不是一个基于Web的VPN软件,也不与IPsec及其他VPN软件包兼容。 OpenVPN2.0后引入了用户名/口令组合的身份验证方式,它可以省略客户端证书,但是仍有一份服务器证书需要被用作加密。 OpenVPN所有的通信都基于一个单一的IP端口, 默认且推荐使用UDP协议通讯,同时TCP也被支持。OpenVPN连接能通过大多数的代理服务器,并且能够在NAT的环境中很好地工作。服务端具有向客 户端“推送”某些网络配置信息的功能,这些信息包括:IP地址、路由设置等。OpenVPN提供了两种虚拟网络接口:通用Tun/Tap驱动,通过它们, 可以建立三层IP隧道,或者虚拟二层以太网,后者可以传送任何类型的二层以太网络数据。传送的数据可通过LZO算法压缩。在选择协议时候,需要注意2个加密隧道之间的网络状况,如有高延迟或者丢包较多的情况下,请选择TCP协议作为底层协议,UDP协议由于存在无连接和重传机制,导致要隧道上层的协议进行重传,效率非常低下。
二、OpenVPN的安装
OpenVPN服务器 内外地址:10.0.0.41 外网地址:211.152.xx.xx
本地客户端 网段:192.168.0.0 本机IP:192.168.0.125
1、安装前的准备工作 请关闭防火墙和selinux,简单的安装方法就是使用yum安装,首先我们应该先安装epel软件仓库。 # rpm -ivh http://mirrors.ustc.edu.cn/fedora/epel/6/x86_64/epel-release-6-8.noarch.rpm 网络设置 1.开启服务器端路由转发功能 # vi /etc/sysctl.conf --------------------- net.ipv4.ip_forward = 1 --------------------- # sysctl -p
设置nat转发: 注:保证VPN地址池可路由出外网 # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
2、安装openvpn,他会自动解决依赖关系 # yum install openvpn -y 3、安装好之后我们查看安装了哪些文件 [root@vpn ~]# rpm -ql openvpn /etc/openvpn /etc/rc.d/init.d/openvpn /usr/lib64/openvpn /usr/lib64/openvpn/plugin /usr/lib64/openvpn/plugin/lib /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so /usr/lib64/openvpn/plugin/lib/openvpn-down-root.so /usr/lib64/openvpn/plugins /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so /usr/sbin/openvpn /usr/share/doc/openvpn-2.3.7 /usr/share/doc/openvpn-2.3.7/AUTHORS /usr/share/doc/openvpn-2.3.7/COPYING /usr/share/doc/openvpn-2.3.7/COPYRIGHT.GPL /usr/share/doc/openvpn-2.3.7/INSTALL /usr/share/doc/openvpn-2.3.7/PORTS /usr/share/doc/openvpn-2.3.7/README /usr/share/doc/openvpn-2.3.7/README.auth-pam /usr/share/doc/openvpn-2.3.7/README.down-root /usr/share/doc/openvpn-2.3.7/contrib /usr/share/doc/openvpn-2.3.7/contrib/OCSP_check /usr/share/doc/openvpn-2.3.7/contrib/OCSP_check/OCSP_check.sh /usr/share/doc/openvpn-2.3.7/contrib/README /usr/share/doc/openvpn-2.3.7/contrib/multilevel-init.patch /usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00 /usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00/README /usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down /usr/share/doc/openvpn-2.3.7/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up /usr/share/doc/openvpn-2.3.7/contrib/pull-resolv-conf /usr/share/doc/openvpn-2.3.7/contrib/pull-resolv-conf/client.down /usr/share/doc/openvpn-2.3.7/contrib/pull-resolv-conf/client.up /usr/share/doc/openvpn-2.3.7/sample /usr/share/doc/openvpn-2.3.7/sample/Makefile /usr/share/doc/openvpn-2.3.7/sample/Makefile.am /usr/share/doc/openvpn-2.3.7/sample/Makefile.in /usr/share/doc/openvpn-2.3.7/sample/sample-config-files /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/README /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/client.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/firewall.sh /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/home.up /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/loopback-client /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/loopback-server /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/office.up /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/openvpn-shutdown.sh /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/openvpn-startup.sh /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/roadwarrior-client.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/roadwarrior-server.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/server.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/static-home.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/static-office.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/tls-home.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/tls-office.conf /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/xinetd-client-config /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/xinetd-server-config /usr/share/doc/openvpn-2.3.7/sample/sample-keys /usr/share/doc/openvpn-2.3.7/sample/sample-keys/.gitignore /usr/share/doc/openvpn-2.3.7/sample/sample-keys/README /usr/share/doc/openvpn-2.3.7/sample/sample-keys/ca.crt /usr/share/doc/openvpn-2.3.7/sample/sample-keys/ca.key /usr/share/doc/openvpn-2.3.7/sample/sample-keys/client-ec.crt /usr/share/doc/openvpn-2.3.7/sample/sample-keys/client-ec.key /usr/share/doc/openvpn-2.3.7/sample/sample-keys/client-pass.key /usr/share/doc/openvpn-2.3.7/sample/sample-keys/client.crt /usr/share/doc/openvpn-2.3.7/sample/sample-keys/client.key /usr/share/doc/openvpn-2.3.7/sample/sample-keys/client.p12 /usr/share/doc/openvpn-2.3.7/sample/sample-keys/dh2048.pem /usr/share/doc/openvpn-2.3.7/sample/sample-keys/gen-sample-keys.sh /usr/share/doc/openvpn-2.3.7/sample/sample-keys/openssl.cnf /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server-ec.crt /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server-ec.key /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.crt /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.key /usr/share/doc/openvpn-2.3.7/sample/sample-plugins /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/README /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/build /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/simple.c /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/simple.def /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/defer/winbuild /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/build /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/log.c /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/log_v3.c /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/log/winbuild /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/README /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/build /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/simple.c /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/simple.def /usr/share/doc/openvpn-2.3.7/sample/sample-plugins/simple/winbuild /usr/share/doc/openvpn-2.3.7/sample/sample-scripts /usr/share/doc/openvpn-2.3.7/sample/sample-scripts/auth-pam.pl /usr/share/doc/openvpn-2.3.7/sample/sample-scripts/bridge-start /usr/share/doc/openvpn-2.3.7/sample/sample-scripts/bridge-stop /usr/share/doc/openvpn-2.3.7/sample/sample-scripts/ucn.pl /usr/share/doc/openvpn-2.3.7/sample/sample-scripts/verify-cn /usr/share/doc/openvpn-2.3.7/sample/sample-windows /usr/share/doc/openvpn-2.3.7/sample/sample-windows/sample.ovpn /usr/share/man/man8/openvpn.8.gz /usr/share/openvpn /var/run/openvpn
三、OpenVPN的配置 首先把主要配置文件复制到/etc/openvpn # cp /usr/share/doc/openvpn-2.3.7/sample/sample-config-files/server.conf /etc/openvpn/ 网上有很多是编译安装的VPN,也主要讲解了如何生成证书,我这里就不掩饰证书创建的过程了,因为我们安装的openvpn里面自带了测试的证书等等,如果想自建证书的话请看本篇附录 # vim /etc/openvpn/server.conf 注:可按照默认模板配置,本例为自定义配置文件: -------------------------- # 设置监听IP,默认是监听所有IP ;local a.b.c.d # 设置监听端口,必须要对应的在防火墙里面打开 port 1194 # 设置用TCP还是UDP协议?(用UDP会比较快些) ;proto tcp proto tcp # 设置创建tun的路由IP通道,还是创建tap的以太网通道 # 路由IP容易控制,所以推荐使用它;但如果如IPX等必须 # 使用第二层才能通过的通讯,则可以用tap方式,tap也 # 就是以太网桥接 ;dev tap dev tun # Windows需要给网卡一个名称,这里设置,linux不需要 ;dev-node MyTap # 这里是重点,必须指定SSL/TLS root certificate (ca), # certificate(cert), and private key (key) # ca文件是服务端和客户端都必须使用的,但不需要ca.key # 服务端和客户端指定各自的.crt和.key # 请注意路径,可以使用以配置文件开始为根的相对路径, # 也可以使用绝对路径 # 请小心存放.key密钥文件 ca /usr/share/doc/openvpn-2.3.7/sample/sample-keys/ca.crt cert /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.crt key /usr/share/doc/openvpn-2.3.7/sample/sample-keys/server.key # This file should be kept secret
# 指定Diffie hellman parameters. dh /usr/share/doc/openvpn-2.3.7/sample/sample-keys/dh2048.pem
# 配置VPN使用的网段,OpenVPN会自动提供基于该网段的DHCP # 服务,但不能和任何一方的局域网段重复,保证唯一 # 这里我选择默认 server 10.8.0.0 255.255.255.0
# 维持一个客户端和virtual IP的对应表,以方便客户端重新 # 连接可以获得同样的IP ifconfig-pool-persist ipp.txt
# 配置为以太网桥模式,但需要使用系统的桥接功能 # 这里不需要使用 ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# 为客户端创建对应的路由,以另其通达公司网内部服务器 # 但记住,公司网内部服务器也需要有可用路由返回到客户端 # 这里主要填写openvpn所在局域网的网段,我的openvpn所在的局域网是10.0.0.0 # 如果你的openvpn所在的局域网是其他的网段,下面请填写其他网段 ;push "route 192.168.20.0 255.255.255.0" push "route 10.0.0.0 255.255.255.0"
# 为特定的客户端指定IP或指定路由,该路由通常是客户端后面的 # 内网网段,而不是服务端连接的网段 # ccd是/etc/openvpn下的目录,其中建有希望限制的客户端Common # Name为文件名的文件,并通过下面的命令写入固定IP地址 # 例如Common Name为client1,则在/etc/openvpn/ccd/client1写有: # ifconfig-push 10.9.0.1 10.9.0.2 ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248
# 为可以对不同的客户端设置防火墙等权限 # 可以让其自动运行对应脚本,可参考man ;learn-address ./script
# 若客户端希望所有的流量都通过VPN传输,则可以使用该语句 # 其会自动改变客户端的网关为VPN服务器,推荐关闭 # 一旦设置,请小心服务端的DHCP设置问题 # 如果需要抓取所以连接VPN客户端的流量信息,需要开启 ;push "redirect-gateway def1 bypass-dhcp" 所有数据都通过VPN
# 用OpenVPN的DHCP功能为客户端提供指定的DNS、WINS等 ;push "dhcp-option DNS 10.8.0.1" ;push "dhcp-option WINS 10.8.0.1"
# 默认客户端之间是不能直接通讯的,除非把下面的语句注释掉 client-to-client
# 如果您希望有相同Common Name的客户端都可以登陆 # 也可以注释下面的语句,推荐每个客户端都使用不用的Common Name # 常用于测试,开启的话,一个证书可以多个客户端连接 ;duplicate-cn
# 设置服务端检测的间隔和超时时间 keepalive 10 120
# 下面是一些对安全性增强的措施 # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # The second parameter should be 0 # on the server and 1 on the clients. ;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher. # This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES
# 使用lzo压缩的通讯,服务端和客户端都必须配置 comp-lzo
# 设置最大用户数 ;max-clients 100
# 让OpenVPN以nobody用户和组来运行(安全) ;user nobody ;group nobody
# The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun
# 输出短日志,每分钟刷新一次,以显示当前的客户端 status /var/log/openvpn/openvpn-status.log
# 缺省日志会记录在系统日志中,但也可以导向到其他地方 # 建议调试的使用先不要设置,调试完成后再定义 # 只能使用其中的一个,log会每次启动前先清楚日志,log-append会对数据追加 ;log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log
# 设置日志的级别 # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3
# Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20 -------------------------- 四、OpenVPN的启动
# service openvpn start [root@vpn ~]# netstat -tlnp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2381/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1425/master tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 12947/openvpn
五、客户端的安装
1.下载客户端,并默认安装: http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2.将服务端内ca.crt、client.crt、client.key、client.conf复制到客户端C:\Program Files (x86)\OpenVPN\config下. 3.把client.conf改名为client.ovpn 内容如下: ----------------------- # 定义是一个客户端 client
# 定义使用路由IP模式,与服务端一致 ;dev tap dev tun
# 定义Windows下使用的网卡名称,linux不需要 ;dev-node MyTap
# 定义使用的协议,与服务端一致 ;proto tcp proto tcp
# 指定服务端地址和端口,可以用多行指定多台服务器 # 实现负载均衡(从上往下尝试) remote 211.152.x.x 1194 ;remote my-server-2 1194
# 若上面配置了多台服务器,让客户端随机连接 ;remote-random
# 解析服务器域名 # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite
# 客户端不需要绑定端口 # Most clients do not need to bind to # a specific local port number. nobind
# 也是为了让Openvpn也nobody运行(安全) # 注意:Windows不能设置 ;user nobody ;group nobody
# Try to preserve some state across restarts. persist-key persist-tun # 若客户端通过HTTP Proxy,在这里设置 # 要使用Proxy,不能使用UDP为VPN的通讯协议 ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] # 无线网络有很多多余的头文件,设置忽略它 ;mute-replay-warnings # 重点,就是指定ca和客户端的证书 ca ca.crt cert client.crt key client.key # 如果服务端打开了PAM认证模块,客户端需要另其有效 ;auth-user-pass # 一些安全措施 # Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ;ns-cert-type server
# If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1
# Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. ;cipher x
# 使用lzo压缩,与服务端一致 comp-lzo
# Set log file verbosity. verb 3 # Silence repeating messages ;mute 20 ----------------------- 5.连接: 在右下角的openvpn图标上右击,选择“Connect”,若能正常分配IP,则连接成功。 我获取的IP是10.8.0.6
先去看一下我们的路由信息
因为我们使用了push "route 10.0.0.0 255.255.255.0" ,所以openvpn给我们推送了一条路由信息,我们在查看一下openvpn上面的IP信息
事实证明我们的配置是成功的! 附录 下载密钥制作工具easy_rsa 2: wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip 解压easy_rsa并拷贝到/etc/openvpn: unzip 2.x.zip mv easy-rsa-release-2.x/ /etc/openvpn/ 编辑easy-rsa的vars文件,设定相关变量信息: cd /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0 vim vars export KEY_COUNTRY="CN" export KEY_PROVINCE="Shanghai" export KEY_CITY="Shanghai" export KEY_ORG="Comratings" export KEY_EMAIL="ADMIN@Comratings.COM" export KEY_OU="MyOpenVPN" 编辑完之后,保存退出。 将刚才编辑的vars文件,执行如下命令: source vars ./clean-all ./build-ca 创建服务器的证书和密钥: ./build-key-server OpenVPN_Server [root@cloud 2.0]# ./build-key-server OpenVPN_Server Generating a 2048 bit RSA private key .................................+++ ............+++ writing new private key to 'OpenVPN_Server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BEIJING]: Locality Name (eg, city) [BEIJING]: Organization Name (eg, company) [XIAOCUI]: Organizational Unit Name (eg, section) [MyOpenVPN]: Common Name (eg, your name or your server's hostname) [OpenVPN_Server]: Name [EasyRSA]: Email Address [ADMIN@ XIAOCUI.COM]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BEIJING' localityName :PRINTABLE:'BEIJING' organizationName :PRINTABLE:' XIAOCUI ' organizationalUnitName:PRINTABLE:'MyOpenVPN' commonName :T61STRING:'OpenVPN_Server' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'ADMIN@ XIAOCUI.COM' Certificate is to be certified until May 2 07:49:13 2025 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
创建客户端的证书和密钥: ./build-key client-user-test1
[root@cloud 2.0]# ./build-key client-user-test1 Generating a 2048 bit RSA private key ....................+++ ...............................................................................+++ writing new private key to 'client-user-cuiyuanrong.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BEIJING]: Locality Name (eg, city) [BEIJING]: Organization Name (eg, company) [XIAOCUI]: Organizational Unit Name (eg, section) [MyOpenVPN]: Common Name (eg, your name or your server's hostname) [client-user-test1]: Name [EasyRSA]: Email Address [ADMIN@XIAOCUI.COM]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa-release-2.x/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BEIJING' localityName :PRINTABLE:'BEIJING' organizationName :PRINTABLE:'XIAOCUI' organizationalUnitName:PRINTABLE:'MyOpenVPN' commonName :PRINTABLE:'client-user-test1' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'ADMIN@XIAOCUI.COM' Certificate is to be certified until May 2 07:53:17 2025 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
创建Diffie Hellman 参数: ./build-dh (责任编辑:IT) |