Setting up OpenVPN

1. Prerequisites

Buy three servers on Alibaba Cloud; one of them must have a public IP address.


2. Building the environment

# 1. Environment overview:
# VPC: 172.16.0.0/12
# vSwitch (Zhangjiakou): 172.30.0.0/24
# 1. openvpn-server: public 47.92.120.196, private 172.30.0.1
# 2. web01.magedu.org: private 172.30.0.100
# 3. web02.magedu.org: private 172.30.0.200

# 2. Connect to the OpenVPN server (its public address from the overview above)
ssh root@47.92.120.196
[root@openvpn-server ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:3e:04:4a:08 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.1/24 brd 172.30.0.255 scope global dynamic eth0
       valid_lft 315358791sec preferred_lft 315358791sec
    inet6 fe80::216:3eff:fe04:4a08/64 scope link
       valid_lft forever preferred_lft forever
[root@openvpn-server ~]#
[root@openvpn-server ~]# curl ifconfig.me
47.92.120.196
# The only address shown here is 172.30.0.1; 47.92.120.196 does not appear and is only visible via curl ifconfig.me. Why?
# This is DNAT at work (the cloud gateway translates the public address to the instance's private one); the difference between DNAT and SNAT is explained below.

# Jump from the openvpn-server machine over ssh to the other two web servers
ssh 172.30.0.100
[root@web01 ~]# yum -y install httpd;hostname > /var/www/html/index.html;systemctl enable --now httpd
[root@web01 ~]# curl 172.30.0.100
web01.magedu.org

ssh 172.30.0.200
[root@web02 ~]# yum -y install httpd;hostname > /var/www/html/index.html;systemctl enable --now httpd
[root@web02 ~]# curl 172.30.0.200
web02.magedu.org
[root@web02 ~]#

2.1 DNAT (Destination Network Address Translation) and SNAT (Source Network Address Translation)

When we talk about network address translation (NAT), two main types are usually involved: SNAT (source network address translation) and DNAT (destination network address translation). Both are widely used in real networks. Let us look at each in detail.

SNAT (Source Network Address Translation)

  • Definition: SNAT changes the source IP address of a packet. It is typically applied to outbound traffic.
  • Use case: SNAT is used when devices inside a private network need to reach an external network such as the Internet. It lets many internal devices share one public IP address for outbound connections.
  • How it works: suppose an internal device with a private IP (say 192.168.1.10) tries to reach the Internet. The router or firewall uses SNAT to rewrite the source address 192.168.1.10 to a public address (say 203.0.113.10) and then forwards the packet to the Internet.
  • Advantage: it saves IPv4 address space, since many internal devices can share one public IP for Internet access.


DNAT (Destination Network Address Translation)

  • Definition: DNAT changes the destination IP address of a packet. It is typically applied to inbound traffic.
  • Use case: DNAT is used when requests from an external network such as the Internet must be routed to a specific device inside the private network. This is commonly used to let external users reach internal servers, for example web or FTP servers.
  • How it works: suppose a request from the Internet is addressed to a public IP (say 203.0.113.10). The router or firewall uses DNAT to rewrite the destination address to the IP of a specific device inside the private network (say 192.168.1.10) and then forwards the packet to that device.
  • Advantage: it allows external users to reach services inside the private network while the other internal devices stay isolated and protected.


Summary

  • SNAT is concerned with "where the packet comes from" (the source address): it rewrites the source address.
  • DNAT is concerned with "where the packet is going" (the destination address): it rewrites the destination address.

2.2 Configuring key-based SSH authentication

# 1. Generate an SSH key pair:
[root@openvpn-server ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:xwBkc44wn2WmWiTZgRu5WLj54l7Envw/xS5Gfi6tOrI root@openvpn-server
The key's randomart image is:
+---[RSA 2048]----+
|   .+*B.=        |
|  . *B.%         |
|   = +* o        |
|  +.oo   o       |
|   .+   S.o      |
|  .+..  ..o      |
| . .=  o +       |
|  ..... * +      |
| .. Eoo=oB.      |
+----[SHA256]-----+

# 2. Copy the .ssh directory to the other two machines (note that this copies the private key id_rsa as well; ssh-copy-id would install only the public key)
[root@openvpn-server ~]# rsync  -av .ssh 172.30.0.100:/root/
[root@openvpn-server ~]# rsync  -av .ssh 172.30.0.200:/root/

# 3. Verify with ssh
# Login now works without a password. For security, password authentication can be disabled (sshd has to be reloaded afterwards for the change to take effect)
[root@openvpn-server ~]# vim /etc/ssh/sshd_config
# Add the following line
PasswordAuthentication no

2.3 Installing openvpn and easy-rsa

# Check the openvpn package version
[root@openvpn-server ~]# yum list openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
openvpn.x86_64                                                                         2.4.12-1.el7                                                                         @epel
[root@openvpn-server ~]#

# Install the OpenVPN server and the certificate management tool
[root@openvpn-server ~]# yum -y install openvpn easy-rsa

3. Certificate management

3.1 Preparing the configuration file environment

# Check the installed openvpn version
[root@openvpn-server ~]# rpm -qi openvpn
Name        : openvpn
Version     : 2.4.12
Release     : 1.el7
Architecture: x86_64
Install Date: Tue 22 Aug 2023 11:36:40 AM CST
Group       : Unspecified
Size        : 1286851
License     : GPLv2
Signature   : RSA/SHA256, Fri 18 Mar 2022 05:21:26 AM CST, Key ID 6a2faea2352c64e5
Source RPM  : openvpn-2.4.12-1.el7.src.rpm
Build Date  : Fri 18 Mar 2022 02:59:28 AM CST
Build Host  : buildvm-x86-10.iad2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://community.openvpn.net/
Bug URL     : https://bugz.fedoraproject.org/openvpn
Summary     : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.
[root@openvpn-server ~]#

# List the files installed by the openvpn package
[root@openvpn-server ~]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.4.12
/usr/share/doc/openvpn-2.4.12/AUTHORS
/usr/share/doc/openvpn-2.4.12/COPYING
/usr/share/doc/openvpn-2.4.12/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.4.12/ChangeLog
/usr/share/doc/openvpn-2.4.12/Changes.rst
/usr/share/doc/openvpn-2.4.12/README
/usr/share/doc/openvpn-2.4.12/README.auth-pam
/usr/share/doc/openvpn-2.4.12/README.down-root
/usr/share/doc/openvpn-2.4.12/README.systemd
/usr/share/doc/openvpn-2.4.12/contrib
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.4.12/contrib/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.4.12/management-notes.txt
/usr/share/doc/openvpn-2.4.12/sample
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/README
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/home.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/office.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn-2.4.12/sample/sample-windows
/usr/share/doc/openvpn-2.4.12/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn

# Copy the sample server configuration to /etc/openvpn to create the server configuration file
[root@openvpn-server ~]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
[root@openvpn-server ~]# ll /etc/openvpn
total 20
drwxr-x--- 2 root openvpn  4096 Mar 18  2022 client
drwxr-x--- 2 root openvpn  4096 Mar 18  2022 server
-rw-r--r-- 1 root root    10784 Aug 22 13:53 server.conf
[root@openvpn-server ~]#


# List the files in the easy-rsa package
[root@openvpn-server ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa-3.0.8
/usr/share/doc/easy-rsa-3.0.8/COPYING.md
/usr/share/doc/easy-rsa-3.0.8/ChangeLog
/usr/share/doc/easy-rsa-3.0.8/README.md
/usr/share/doc/easy-rsa-3.0.8/README.quickstart.md
/usr/share/doc/easy-rsa-3.0.8/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa-3.0.8
/usr/share/licenses/easy-rsa-3.0.8/gpl-2.0.txt
[root@openvpn-server ~]#

# Prepare the certificate-issuing files
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server

[root@openvpn-server ~]# ll /etc/openvpn
total 24
drwxr-x--- 2 root openvpn  4096 Mar 18  2022 client
drwxr-xr-x 3 root root     4096 Aug 22 14:01 easy-rsa-server
drwxr-x--- 2 root openvpn  4096 Mar 18  2022 server
-rw-r--r-- 1 root root    10784 Aug 22 13:53 server.conf
[root@openvpn-server ~]#

# Prepare the variables file used when issuing certificates
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars

# It is recommended to lengthen the validity of the certificates issued to the CA and to the OpenVPN server
[root@openvpn-server ~]# vim /etc/openvpn/easy-rsa-server/3/vars
#The CA certificate is valid for 10 years by default; it can be extended, e.g. to 36500 days
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 36500

#The server certificate is valid for 825 days by default; it can be extended, e.g. to 3650 days
#set_var EASYRSA_CERT_EXPIRE 825
#change the line above to the following
set_var EASYRSA_CERT_EXPIRE 3650

3.2 Preparing the certificate files

3.2.1 Creating the CA
# Enter the directory containing the easyrsa script
[root@openvpn-server ~]# cd /etc/openvpn/easy-rsa-server/3/
[root@openvpn-server 3]# ls
easyrsa  openssl-easyrsa.cnf  vars  x509-types
[root@openvpn-server 3]#

# Initialize the Public Key Infrastructure (PKI): this creates the PKI directories and files
[root@openvpn-server 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[root@openvpn-server 3]# tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 2 files

# Create the CA
[root@openvpn-server 3]# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
........................................................................+++
..............................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt


[root@openvpn-server 3]#

# List the files
[root@openvpn-server 3]# tree pki -C
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   └── ca.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 7 files
[root@openvpn-server 3]#

# Inspect the generated CA certificate
[root@openvpn-server 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bc:21:18:c8:d0:e9:f9:c0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Aug 22 06:42:24 2023 GMT
            Not After : Jul 29 06:42:24 2123 GMT
        Subject: CN=Easy-RSA CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2D:77:F9:F5:B0:DD:E2:0E:4E:51:A7:CD:7F:83:26:FC:FA:53:C4:1E
            X509v3 Authority Key Identifier:
                keyid:2D:77:F9:F5:B0:DD:E2:0E:4E:51:A7:CD:7F:83:26:FC:FA:53:C4:1E
                DirName:/CN=Easy-RSA CA
                serial:BC:21:18:C8:D0:E9:F9:C0

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
[root@openvpn-server 3]#
3.2.2 Issuing a certificate for the OpenVPN server
#Create the server certificate request; server is the file prefix
[root@openvpn-server 3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...........+++
............................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1684.jLW8wL/tmp.nqY7jU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:openvpn

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key


[root@openvpn-server 3]#

[root@openvpn-server 3]# tree pki/ -C
pki/			#Main PKI directory holding all certificates, keys and related files.
├── ca.crt		#The CA's public certificate, used to verify any certificate signed by this CA.
├── certs_by_serial #Directory of certificate links indexed by serial number, for finding a certificate by its serial.
├── index.txt	#Database file recording the status of every certificate issued by the CA.
├── index.txt.attr	#Attribute file belonging to index.txt.
├── issued		#Directory holding all certificates issued by the CA.
├── openssl-easyrsa.cnf	#OpenSSL configuration file for OpenVPN/easy-rsa.
├── private	#Directory holding private keys; these must never be shared.
│   ├── ca.key	#The CA's private key.
│   └── server.key	#The OpenVPN server's private key.
├── renewed	#Directory holding data for renewed certificates and keys.
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs	#Directory holding certificate signing requests (CSR).
│   └── server.req	#The OpenVPN server's certificate signing request.
├── revoked	#Directory holding data for revoked certificates and keys.
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf	#A second OpenSSL configuration file, presumably for stricter settings or specific operations.
└── serial	#File containing the serial number of the next certificate.

12 directories, 9 files
[root@openvpn-server 3]#

#Issue a server-type certificate from the server.req request above
[root@openvpn-server 3]# ./easyrsa sign-req server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = openvpn


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes #type yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1886.heaNji/tmp.kGW5CF
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn'
Certificate is to be certified until Aug 19 07:13:37 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt


[root@openvpn-server 3]#

# Create the Diffie-Hellman parameters
[root@openvpn-server 3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................................................................................................+......................................................................................................+.+......................................................................................................................................................................................................................................................................................................................................................................................+..........................................................................................................................................+................................................................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem


[root@openvpn-server 3]#

3.2.3 Issuing client certificates
# Copy another easy-rsa tree to act as the client environment
[root@openvpn-server openvpn]# cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa-client/
[root@openvpn-server openvpn]# cd /etc/openvpn/easy-rsa-client/3

# Generate the pki directory and files needed for the certificate request
[root@openvpn-server 3]# ./easyrsa init-pki

# Generate the client user's certificate request
[root@openvpn-server 3]# ./easyrsa gen-req xingyuyu nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...........................................................................................................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-2122.AZW6ty/tmp.j15lap'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [xingyuyu]: #just press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/xingyuyu.req	#certificate request file
key: /etc/openvpn/easy-rsa-client/3/pki/private/xingyuyu.key #private key file

[root@openvpn-server 3]# tree -C
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   └── xingyuyu.key	#private key file
│   ├── reqs
│   │   └── xingyuyu.req	#certificate request file
│   └── safessl-easyrsa.cnf
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 14 files
[root@openvpn-server 3]#

# Go back to the CA directory to issue the client certificate
[root@openvpn-server 3]# cd /etc/openvpn/easy-rsa-server/3
# Import the client's request file into the CA's request directory; this is simply a file copy, and the request must be given a short name (xingyuyu)
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/xingyuyu.req xingyuyu

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Easy-RSA error:

Unable to import: incorrect command syntax.
Run easyrsa without commands for usage and command help.

[root@openvpn-server 3]#

# Edit the variables file: the server certificate was issued for 10 years, but client certificates should not be valid for that long, so shorten the validity
[root@openvpn-server 3]# vim vars
set_var EASYRSA_CERT_EXPIRE     180


# Issue the certificate
[root@openvpn-server 3]# ./easyrsa sign-req client xingyuyu

# Copy the CA and server certificate files into the server's directory
[root@openvpn-server 3]# mkdir /etc/openvpn/certs
[root@openvpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/{ca.crt,dh.pem} /etc/openvpn/certs/
[root@openvpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@openvpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs

# Put the files the client user needs into their own directory
[root@openvpn-server 3]# mkdir /etc/openvpn/client/xingyuyu/
[root@openvpn-server 3]# find /etc/openvpn/ \( -name "xingyuyu.key" -o -name "xingyuyu.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/xingyuyu/ \;
# find /etc/openvpn/: find searches a directory tree for files; /etc/openvpn/ is the directory where the search starts.
# \( -name "xingyuyu.key" -o -name "xingyuyu.crt" -o -name ca.crt \): a compound expression matching three file names.
#   -name "xingyuyu.key": matches files named "xingyuyu.key".
#   -o: logical OR; a file matching any one of the conditions is selected.
#   -name "xingyuyu.crt": matches files named "xingyuyu.crt".
#   -name ca.crt: matches files named "ca.crt".
#   The whole expression means: find any file named "xingyuyu.key", "xingyuyu.crt" or "ca.crt". The parentheses group the OR conditions and are escaped so the shell does not interpret them.
# -exec cp {} /etc/openvpn/client/xingyuyu/ \;: whenever find finds a matching file, it runs the given command on it.
#   -exec: run a command on each file found.
#   cp {} /etc/openvpn/client/xingyuyu/: the command to run; {} is a placeholder for the file found, so each match is copied into /etc/openvpn/client/xingyuyu/.
#   \;: terminates the -exec command; the backslash escapes the semicolon from the shell.
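As an added example (not code from the article or from easy-rsa), the following Python parses the pki/index.txt database described in the tree listing above and reports certificates that are revoked, expired, or close to expiry, which matters once client certificates are issued with the 180-day validity set in vars. The sample index lines, their serials and the clock value are constructed; the server entry carries the expiry that sign-req printed on this page.

```python
"""Parse the easy-rsa CA database pki/index.txt and flag certificates needing action.

index.txt is the OpenSSL `ca` database: one tab-separated line per issued
certificate with status (V valid, R revoked, E expired), expiry time, revocation
time (empty unless revoked; a ",reason" suffix may follow), serial (hex), a
filename field that is always "unknown", and the subject DN.
"""
from datetime import datetime, timezone

SAMPLE_INDEX = (  # constructed sample database, not taken from a real CA
    "V\t330819071337Z\t\t9F0A6C6D2C9E1B3A\tunknown\t/CN=openvpn\n"
    "V\t240218071500Z\t\t9F0A6C6D2C9E1B3B\tunknown\t/CN=xingyuyu\n"
    "V\t231201000000Z\t\t9F0A6C6D2C9E1B3C\tunknown\t/CN=contractor\n"
    "R\t240301120000Z\t230905093000Z,keyCompromise\t9F0A6C6D2C9E1B3D\tunknown\t/CN=laptop-old\n"
)
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)  # constructed "current time"


def parse_x509_time(value):
    """Parse the ASN.1 time OpenSSL writes into index.txt.

    UTCTime YYMMDDHHMMSSZ is used for years up to 2049 (RFC 5280: YY < 50 means
    20YY, otherwise 19YY); GeneralizedTime YYYYMMDDHHMMSSZ is used from 2050 on,
    which is what a CA given 36500 days of validity as on this page ends up with.
    """
    if len(value) == 13:
        yy = int(value[:2])
        value = f"{2000 + yy if yy < 50 else 1900 + yy}{value[2:]}"
    elif len(value) != 15:
        raise ValueError(f"unexpected time field: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per index.txt entry with parsed times and the subject CN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expires, revoked, serial, _filename, subject = fields
        # Subject is an OpenSSL one-line DN such as /CN=openvpn or /C=CN/O=magedu/CN=web01
        rdns = dict(part.split("=", 1) for part in subject.strip("/").split("/") if "=" in part)
        entries.append({
            "status": status,
            "expires": parse_x509_time(expires),
            # the revocation field may carry a reason after a comma; keep only the time
            "revoked": parse_x509_time(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "cn": rdns.get("CN", ""),
        })
    return entries


def certificate_report(entries, now, warn_days=30):
    """Return (cn, finding) pairs for certificates an operator should act on.

    A past expiry counts as expired even while the status flag still reads V:
    OpenSSL only rewrites the flag to E when `openssl ca -updatedb` is run.
    """
    findings = []
    for e in entries:
        remaining = (e["expires"] - now).days
        if e["status"] == "R":
            findings.append((e["cn"], "revoked"))
        elif e["expires"] <= now:
            findings.append((e["cn"], "expired"))
        elif remaining < warn_days:
            findings.append((e["cn"], f"expires in {remaining} days"))
    return findings


if __name__ == "__main__":
    for cn, finding in certificate_report(parse_index(SAMPLE_INDEX), NOW):
        print(f"{cn}: {finding}")
```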

4. Preparing the OpenVPN server configuration file

# Write the configuration file
[root@openvpn-server openvpn]# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
[root@openvpn-server openvpn]#


#Create the log directory
[root@openvpn-server openvpn]# mkdir /var/log/openvpn
[root@openvpn-server openvpn]# chown openvpn.openvpn /var/log/openvpn/

# Enable IP forwarding
[root@openvpn-server openvpn]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@openvpn-server openvpn]# sysctl -p

# The tunnel subnet is the one configured in server.conf (10.8.0.0/24). This iptables MASQUERADE rule rewrites the source of traffic leaving that subnet to the server's private address (SNAT), so the web servers reply to 172.30.0.1 instead of to an address they have no route for
[root@openvpn-server openvpn]# echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE" >> /etc/rc.d/rc.local
[root@openvpn-server openvpn]# chmod +x /etc/rc.d/rc.local
[root@openvpn-server openvpn]# /etc/rc.d/rc.local
[root@openvpn-server openvpn]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.8.0.0/24          0.0.0.0/0
[root@openvpn-server openvpn]#
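The following Python model, added here as an example and not code from the original article, ties the SNAT/DNAT explanation of section 2.1 to the MASQUERADE rule just installed: it models the cloud gateway's mapping between 47.92.120.196 and 172.30.0.1 (why `ip a` shows only the private address while `curl ifconfig.me` shows the public one) and the openvpn-server's masquerading of 10.8.0.0/24, including what happens when two VPN clients pick the same source port. The port numbers and the outside hosts 198.51.100.7 and 203.0.113.5 are constructed values.

```python
"""Model of SNAT (MASQUERADE) and DNAT for the two gateways on this page."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """A stateful NAT box: SNAT on the way out, reverse mapping or DNAT on the way in."""

    def __init__(self, masq_subnet, masq_ip, dnat_rules=None):
        self.masq_subnet = ip_network(masq_subnet)   # sources that get SNATed
        self.masq_ip = masq_ip                       # address written into src
        self.dnat_rules = dnat_rules or {}           # (dst, dport) -> (new dst, new dport)
        # conntrack entry: the reply tuple as seen from outside -> original (src, sport)
        self.conntrack = {}

    def outbound(self, pkt):
        """POSTROUTING: SNAT/MASQUERADE packets leaving the masqueraded subnet."""
        if ip_address(pkt.src) not in self.masq_subnet:
            return pkt
        sport = pkt.sport
        # Two internal hosts may use the same source port towards the same
        # destination; MASQUERADE then allocates a fresh port so that the reply
        # can still be mapped back to exactly one internal host.
        while self.conntrack.get((pkt.dst, pkt.dport, self.masq_ip, sport),
                                 (pkt.src, pkt.sport)) != (pkt.src, pkt.sport):
            sport += 1
        self.conntrack[(pkt.dst, pkt.dport, self.masq_ip, sport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.masq_ip, sport=sport)

    def inbound(self, pkt):
        """PREROUTING: un-SNAT replies of tracked flows, otherwise apply DNAT rules."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            orig_src, orig_sport = self.conntrack[key]
            return replace(pkt, dst=orig_src, dport=orig_sport)
        rule = self.dnat_rules.get((pkt.dst, pkt.dport))
        if rule is not None:
            return replace(pkt, dst=rule[0], dport=rule[1])
        return pkt  # no state and no rule: left for the gateway itself to handle


def cloud_edge_scenario():
    """Cloud edge: 1:1 mapping between public 47.92.120.196 and private 172.30.0.1."""
    edge = NatGateway("172.30.0.1/32", "47.92.120.196",
                      dnat_rules={("47.92.120.196", 22): ("172.30.0.1", 22)})
    # curl ifconfig.me from the ECS: the remote web host (constructed 198.51.100.7)
    # sees the public address, which is why it reports 47.92.120.196.
    out = edge.outbound(Packet("172.30.0.1", 40000, "198.51.100.7", 80))
    back = edge.inbound(Packet("198.51.100.7", 80, out.src, out.sport))
    # ssh root@47.92.120.196 from the operator's machine (constructed 203.0.113.5):
    # DNAT delivers it to the private address that `ip a` shows.
    ssh = edge.inbound(Packet("203.0.113.5", 55000, "47.92.120.196", 22))
    return out, back, ssh


def openvpn_masquerade_scenario():
    """openvpn-server: POSTROUTING MASQUERADE for the 10.8.0.0/24 tunnel subnet."""
    vpn = NatGateway("10.8.0.0/24", "172.30.0.1")
    a = vpn.outbound(Packet("10.8.0.6", 51000, "172.30.0.100", 80))
    b = vpn.outbound(Packet("10.8.0.10", 51000, "172.30.0.100", 80))  # same port as a
    reply_a = vpn.inbound(Packet("172.30.0.100", 80, a.src, a.sport))
    reply_b = vpn.inbound(Packet("172.30.0.100", 80, b.src, b.sport))
    return a, b, reply_a, reply_b


if __name__ == "__main__":
    for p in cloud_edge_scenario() + openvpn_masquerade_scenario():
        print(p)
```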

4.1 Starting OpenVPN

# CentOS 8 does not ship this unit file by default and it has to be copied from a CentOS 7 system; on this CentOS 7 install it is provided by the openvpn package (see the rpm -ql listing above), so just confirm it is present
[root@openvpn-server openvpn]# vim /usr/lib/systemd/system/openvpn@.service
[root@openvpn-server openvpn]# ll /usr/sbin/openvpn
-rwxr-xr-x 1 root root 787232 Mar 18  2022 /usr/sbin/openvpn
[root@openvpn-server openvpn]#

# Start the service
[root@openvpn-server openvpn]# systemctl daemon-reload
[root@openvpn-server openvpn]# systemctl enable --now openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@openvpn-server openvpn]#

#Check the network interfaces
[root@openvpn-server openvpn]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:3e:04:4a:08 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.1/24 brd 172.30.0.255 scope global dynamic eth0
       valid_lft 315348175sec preferred_lft 315348175sec
    inet6 fe80::216:3eff:fe04:4a08/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::ea53:4d53:6150:51d6/64 scope link flags 800
       valid_lft forever preferred_lft forever
[root@openvpn-server openvpn]#
#A new virtual interface tun0 has appeared, with the address 10.8.0.1

5. Preparing the OpenVPN client configuration file

#Create the client configuration file
[root@openvpn-server openvpn]# vim /etc/openvpn/client/xingyuyu/client.ovpn
client
dev tun
proto tcp
remote 47.92.120.196 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert xingyuyu.crt
key xingyuyu.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2

[root@openvpn-server openvpn]# tree /etc/openvpn/client/xingyuyu/
/etc/openvpn/client/xingyuyu/
├── ca.crt
├── client.ovpn
├── xingyuyu.crt
└── xingyuyu.key

0 directories, 4 files
[root@openvpn-server openvpn]#


#Package the files the client user needs; they must be placed in the OpenVPN directory on Windows before they can be used
[root@openvpn-server openvpn]# cd /etc/openvpn/client/xingyuyu/
[root@openvpn-server xingyuyu]# tar cf /root/xingyuyu.tar ./
#Extract the archive into C:\Program Files\OpenVPN\config and it is ready to use
