Original article: https://www.jianshu.com/p/5ae8a5fddc1b
Generating certificates for OpenVPN with EasyRsa3 (the original title says "passwords"; what is generated here is a CA plus server and client certificates)
Related: http://openwrt.iteye.com/blog/2305318 and https://www.cnblogs.com/dorothychai/p/4434624.html. Download: https://github.com/OpenVPN/easy-rsa
Preparing easy-rsa
Download: https://github.com/OpenVPN/easy-rsa

Unpack the release and keep two copies of the easyrsa3 directory: easyrsa3_server holds the CA and signs everything, easyrsa3_client is only used to generate client requests, so the CA private key never has to sit next to client material.

```bash
cd /opt/tools/
unzip easy-rsa-3.0.3.zip
cp -av /opt/tools/easy-rsa-3.0.3/easyrsa3 /etc/openvpn/easyrsa3_server
cp -av /opt/tools/easy-rsa-3.0.3/easyrsa3 /etc/openvpn/easyrsa3_client
vim /etc/openvpn/easyrsa3_server/vars
vim /etc/openvpn/easyrsa3_client/vars
```

vars (identical in both copies):

```bash
==================================
if [ -z "$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
fi
set_var EASYRSA              "$PWD"
set_var EASYRSA_PKI          "$EASYRSA/pki"
set_var EASYRSA_DN           "cn_only"
set_var EASYRSA_REQ_COUNTRY  "CN"                              # country
set_var EASYRSA_REQ_PROVINCE "BEIJING"                         # province
set_var EASYRSA_REQ_CITY     "BEIJING"                         # city
set_var EASYRSA_REQ_ORG      "OpenVPN CERTIFICATE AUTHORITY"   # organisation
set_var EASYRSA_REQ_EMAIL    "[email protected]"                # administrator e-mail, as given in the source
set_var EASYRSA_REQ_OU       "OpenVPN EASY CA"                 # organisational unit
set_var EASYRSA_KEY_SIZE     2048                              # key length
set_var EASYRSA_ALGO         rsa                               # key type
set_var EASYRSA_CA_EXPIRE    7000                              # CA lifetime in days
set_var EASYRSA_CERT_EXPIRE  3650                              # certificate lifetime in days
set_var EASYRSA_NS_SUPPORT   "no"
set_var EASYRSA_NS_COMMENT   "OpenVPN CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR      "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF     "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST       "sha256"
==================================
```

Three of these settings matter later. EASYRSA_DN "cn_only" means the commands below only prompt for the Common Name; the EASYRSA_REQ_* values are used only in the "org" DN mode. EASYRSA_NS_SUPPORT "no" means the issued certificates carry no Netscape nsCertType extension, so clients must verify the server with remote-cert-tls server rather than the deprecated ns-cert-type server (see the client configuration at the end). EASYRSA_CA_EXPIRE 7000 days (about 19 years) and EASYRSA_CERT_EXPIRE 3650 days (10 years) are long lifetimes: a lost client key can then only be cut off by revoking it (easyrsa revoke, then easyrsa gen-crl) and pointing the server at the CRL with crl-verify, which this write-up does not set up.
1. Generate the CA certificate and the server certificate
```bash
cd /etc/openvpn/easyrsa3_server
```

(1.1) Initialise. This creates the pki/ directory under the current directory, which holds the intermediate files and the generated certificates:

```bash
./easyrsa init-pki
```

(1.2) Build the root CA. You are first asked for a passphrase, which the CA uses every time it signs a server or client certificate, and then for the Common Name. With EASYRSA_DN "cn_only" only the CN is prompted; the Country, State, Locality, Organization, OU and Email values come from vars and are only asked for in the "org" DN mode. Press Enter for the default or type your own:

```bash
./easyrsa build-ca   # remember the CA passphrase: it is needed to sign the server and client certificates
```

pki/private/ca.key is the only key that can mint certificates the server will trust; it should stay on this host (or offline) and be readable by root only.

(1.3) Create the server certificate request and private key. nopass leaves the private key unencrypted; you are then prompted for the Common Name as in (1.2):

```bash
./easyrsa gen-req wwwserver nopass   # no passphrase on the server key, otherwise the service prompts for it at every start
```

(1.4) Sign the server request. Confirm the details with yes, then enter the passphrase chosen in build-ca. The documented command is sign-req; sign is accepted as an alias:

```bash
./easyrsa sign server wwwserver
```

The "server" type adds extendedKeyUsage serverAuth to the certificate, which is what remote-cert-tls server on the client checks.

(1.5) Generate the Diffie-Hellman parameters (2048 bits, from EASYRSA_KEY_SIZE); this takes a while:

```bash
./easyrsa gen-dh
```
2. Generate the client certificate
```bash
cd /etc/openvpn/easyrsa3_client
```

(2.1) Initialise; this creates pki/ in the current directory for the intermediate files and the generated certificates:

```bash
./easyrsa init-pki
```

(2.2) Create the client certificate request and private key. nopass leaves the private key unencrypted; you are prompted for the Common Name. The name hui_client is your own choice, but it becomes the CN of the certificate and is what the server later uses to identify this client (for example as the file name under client-config-dir):

```bash
./easyrsa gen-req hui_client nopass   # hui_client is an arbitrary name
```

(2.3) Go back to the easyrsa3 directory that holds the CA and import the client request so it can be signed:

```bash
cd /etc/openvpn/easyrsa3_server
./easyrsa import-req /etc/openvpn/easyrsa3_client/pki/reqs/hui_client.req hui_client   # hui_client.req was written to easyrsa3_client/pki/reqs/ in the previous step
```

(2.4) Sign the client request: confirm the details with yes, then enter the passphrase from build-ca:

```bash
./easyrsa sign client hui_client
```

Only the request (the public half) crosses between the two directories; the client's private key never leaves easyrsa3_client/pki/private/.
3. Collect the server certificate files
```bash
mkdir -p /etc/openvpn/server_keys
cp /etc/openvpn/easyrsa3_server/pki/ca.crt /etc/openvpn/server_keys/ \
  && cp /etc/openvpn/easyrsa3_server/pki/private/wwwserver.key /etc/openvpn/server_keys/ \
  && cp /etc/openvpn/easyrsa3_server/pki/issued/wwwserver.crt /etc/openvpn/server_keys/ \
  && cp /etc/openvpn/easyrsa3_server/pki/dh.pem /etc/openvpn/server_keys/
```

wwwserver.key is unencrypted (nopass), so keep it owned by root with mode 0600; OpenVPN reads it while still root, before dropping to the openvpn user configured below.
4. Collect the client certificate files
```bash
mkdir /etc/openvpn/client_keys
cp /etc/openvpn/easyrsa3_server/pki/ca.crt /etc/openvpn/client_keys/ \
  && cp /etc/openvpn/easyrsa3_server/pki/issued/hui_client.crt /etc/openvpn/client_keys/ \
  && cp /etc/openvpn/easyrsa3_client/pki/private/hui_client.key /etc/openvpn/client_keys/
```

The CA certificate comes from the server PKI (the client PKI has no CA), the signed certificate from the server PKI's issued/ directory and the private key from the client PKI. These three files (plus ta.key if tls-auth is enabled below) are everything the client needs. hui_client.key is the client's credential: hand it over through a secure channel and delete the copy on the server once it has been delivered.
Install OpenVPN
```bash
yum install epel-release -y
yum install openssh-server lzo openssl openssl-devel openvpn NetworkManager-openvpn openvpn-auth-ldap -y   # easy-rsa comes from the source archive above, not from a package
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
cd /etc/openvpn
openvpn --genkey --secret ta.key   # run this if you enable tls-auth
vim /etc/openvpn/server.conf
```

```
==================================
port 1194
proto udp
dev tun
ca /etc/openvpn/server_keys/ca.crt
cert /etc/openvpn/server_keys/wwwserver.crt     # wwwserver: use the name of the server certificate you generated
key /etc/openvpn/server_keys/wwwserver.key      # wwwserver: use the name of the server certificate you generated
dh /etc/openvpn/server_keys/dh.pem
#tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0                   # address pool handed out to connecting clients
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"                # DNS
push "dhcp-option DNS 114.114.114.114"          # DNS
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 50
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log                       # relative path, resolved against /etc/openvpn (the directory of server.conf)
log-append openvpn.log                          # relative path, resolved against /etc/openvpn (the directory of server.conf)
verb 3
mute 20
==================================
```

Notes on this file. Enabling tls-auth (key direction 0 on the server, 1 on the client) makes the server discard every packet that does not carry a valid HMAC under ta.key, so port scanners and unauthenticated peers never reach the TLS stack; ta.key then has to be distributed to every client alongside its certificates. comp-lzo turns on LZO compression of the tunnel; it is deprecated in OpenVPN 2.4 in favour of compress, and compression of encrypted traffic is what the VORACLE attack exploits, so drop it on both sides unless you need it (the setting must match on client and server). user/group make the daemon drop root after the keys and the tun device are set up; persist-key is what lets it survive a restart without re-reading the key as the unprivileged user.
Open udp/1194 in the firewall and set up NAT so clients can reach the internet:

The original used -p tcp here, but server.conf above says proto udp, so the ACCEPT rule has to be udp, otherwise no client can connect.

```bash
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

Forwarding for the tun device and accepting the reply packets also need to be enabled. Use -I (insert at the head of the chain) here, not -A as most online guides do: the distribution's default rule set ends with a REJECT rule, so a rule appended after it is never reached and clients cannot get out.

```bash
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

or, matching any tun interface, with the external interface named eth1:

```bash
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth1 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
```

The -o interface in the MASQUERADE and FORWARD rules must be the host's real outbound interface (eth0 or eth1 above). Note that the blanket INPUT accept on tun0/tun+ exposes every service on the VPN host to connected clients; narrow it if the host runs more than OpenVPN. These rules live only in the running kernel: save them with the distribution's mechanism (iptables-save into its rules file) or they are gone after a reboot.

Enable kernel IP forwarding: edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then run sysctl -p.
Start OpenVPN
```bash
systemctl start openvpn@server
```

The instance name after @ is the configuration file name without .conf, so this unit reads /etc/openvpn/server.conf; enable the same unit (systemctl enable openvpn@server) if it should start at boot.
Assigning a fixed IP address to an OpenVPN client
When several clients connect to the same OpenVPN server, a client's IP address often changes from one session to the next, which breaks communication between clients (traffic between clients additionally needs the client-to-client directive on the server). The way to pin addresses has changed between OpenVPN versions; with the method below the client keeps the same address no matter how often it reconnects.

Configuration: only the server side needs changing, in server.conf.

```bash
mkdir -p /etc/openvpn/ip
vim /etc/openvpn/server.conf   # add the line:
client-config-dir /etc/openvpn/ip
```

Each file in the ip directory is named after the Common Name of the corresponding client certificate (hui_client in this write-up). OpenVPN looks the file up by the CN presented at connection time, so a file whose name does not match a certificate CN is silently ignored, and because the lookup is by certificate the directory can double as an allow-list: with ccd-exclusive on the server only clients that have a ccd file may connect.

```
[root@host1 ip]# cat /etc/openvpn/ip/hui_client
ifconfig-push 10.8.0.17 10.8.0.18
```

Note: ifconfig-push takes two consecutive addresses that form a pair; the first is the client's address, the second is the server-side endpoint of that client's /30 (the default net30 topology gives every client a /30 out of the server subnet). With server 10.8.0.0 255.255.255.0 the pair 10.8.0.1/10.8.0.2 is used by the server itself, so client pairs start at [5,6]. Valid pairs:

[1,2] [5,6] [9,10] [13,14] [17,18] [21,22] [25,26] [29,30]
[33,34] [37,38] [41,42] [45,46] [49,50] [53,54] [57,58] [61,62]
[65,66] [69,70] [73,74] [77,78] [81,82] [85,86] [89,90] [93,94]
[97,98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126]
[129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190]
[193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222]
[225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254]
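The three mistakes that make a static address silently not apply are a file name that matches no certificate CN, a pair that is not a /30 pair, and two files claiming the same pair. The checker below, an added example that is not part of the original write-up, validates a client-config-dir against those rules for the net30 topology used here; the ccd contents and the list of issued CNs are constructed, and the net30_pairs function generates the full pair table above for any server subnet rather than only 10.8.0.0/24. It does not cover topology subnet, where ifconfig-push takes an address and a netmask instead of a pair.

```python
"""Validate OpenVPN client-config-dir files for static ifconfig-push addresses (net30).

Added example, not from the original write-up; the ccd contents and the issued
certificate names below are constructed.
"""
import ipaddress

# Constructed: file name -> file content, as found under /etc/openvpn/ip
CCD_FILES = {
    "hui_client": "ifconfig-push 10.8.0.17 10.8.0.18\n",
    "ops_laptop": "ifconfig-push 10.8.0.21 10.8.0.22\n",   # no certificate with this CN exists
    "bad_pair":   "ifconfig-push 10.8.0.19 10.8.0.20\n",   # 19/20 is not a /30 pair
    "second":     "ifconfig-push 10.8.0.17 10.8.0.18\n",   # collides with hui_client
}
# Constructed: CNs of the certificates in pki/issued/ (file names without .crt)
ISSUED_CNS = {"hui_client", "bad_pair", "second"}


def net30_pairs(network):
    """Every (client_ip, server_endpoint) pair OpenVPN can hand out in net30 topology.

    Each client owns a /30 of the server subnet; the first /30 holds the server's
    own ifconfig addresses, so client pairs start at offset 5/6.
    """
    net = ipaddress.ip_network(network)
    base = int(net.network_address)
    return [
        (ipaddress.ip_address(base + off + 1), ipaddress.ip_address(base + off + 2))
        for off in range(4, net.num_addresses, 4)
    ]


def parse_ifconfig_push(content):
    """Arguments of the ifconfig-push line in a ccd file, or None if there is none."""
    for raw in content.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "ifconfig-push":
            return parts[1:]
    return None


def check_ccd(ccd_files, issued_cns, network="10.8.0.0/24"):
    """Return [(file_name, problem)] for a client-config-dir."""
    valid = set(net30_pairs(network))
    claimed = {}
    problems = []
    for name, content in ccd_files.items():
        # OpenVPN selects the file by certificate CN: a misspelt name is never applied.
        if name not in issued_cns:
            problems.append((name, "NO_MATCHING_CERT"))
        args = parse_ifconfig_push(content)
        if args is None:
            continue
        try:
            pair = (ipaddress.ip_address(args[0]), ipaddress.ip_address(args[1]))
        except (IndexError, ValueError):
            problems.append((name, "BAD_ARGS"))
            continue
        if pair not in valid:          # wrong subnet, server's own pair, or not 4n+1/4n+2
            problems.append((name, "NOT_NET30_PAIR"))
            continue
        if pair in claimed:            # two clients would fight over one address
            problems.append((name, "DUPLICATE"))
            continue
        claimed[pair] = name
    return problems


if __name__ == "__main__":
    for file_name, problem in check_ccd(CCD_FILES, ISSUED_CNS):
        print(f"{file_name}: {problem}")
```

Run it against the real directory by reading each file under /etc/openvpn/ip into the dictionary and listing pki/issued/ for the CN set; the server subnet argument should match the server directive in server.conf.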
Client connection
Send the files collected in /etc/openvpn/client_keys/ (the original writes /opt/openvpn/client_keys/ here) to the client; the client needs its own configuration file. Taking the Windows client as the example, put the certificates in C:\Program Files (x86)\OpenVPN\config\ and create open.ovpn in the same directory:

```
client
dev tun
proto udp
resolv-retry infinite
nobind
remote xxxxxxxxxxxx 1194      # server address (as given in the source)
remote-cert-tls server        # the original had ns-cert-type server here; see the note below
comp-lzo                      # must match the server setting
#tls-auth ta.key 1            # uncomment when tls-auth is enabled on the server, and copy ta.key next to the certificates
ca ca.crt
cert hui_client.crt
key hui_client.key
keepalive 10 120
persist-key
persist-tun
verb 5
redirect-gateway
route-method exe
route-delay 2
status hui-status.log
log-append hui.log
```

Note on the server check: the original configuration uses ns-cert-type server. That directive is deprecated and requires an nsCertType=server extension in the server certificate, which the vars above (EASYRSA_NS_SUPPORT "no") tell EasyRSA not to add, so the client would reject the server certificate. remote-cert-tls server checks the extendedKeyUsage serverAuth extension that EasyRSA's server certificate type does add, and serves the same purpose: without either check, any certificate issued by the CA, including another client's, would be accepted as the server. route-method exe and route-delay 2 are Windows-specific; redirect-gateway is already pushed by the server and is harmless here.

Save the file and start the OpenVPN client; it connects to the server.
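The checks below, an added example that is not part of the original write-up, run over constructed copies of the server.conf, the client .ovpn and the iptables rules from this page and flag the mismatches the text discusses: a tcp firewall rule in front of a udp listener, ns-cert-type against certificates issued with EASYRSA_NS_SUPPORT "no", compression, a commented-out tls-auth, and a missing user/group. The configs are reduced to the directives the checks read, vpn.example.com is a placeholder hostname, and everything else is standard-library Python.

```python
"""Lint an OpenVPN server.conf / client .ovpn pair and the iptables rules in front of them.

Added example, not from the original write-up; the three inputs are constructed
to mirror the page's configuration (vpn.example.com is a placeholder).
"""
import shlex

# Constructed server.conf, reduced to the directives the checks read.
SERVER_CONF = """\
port 1194
proto udp
ca /etc/openvpn/server_keys/ca.crt
#tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
comp-lzo
user openvpn
group openvpn
"""

# Constructed client config as the write-up gives it (ns-cert-type, tls-auth commented out).
CLIENT_CONF = """\
client
proto udp
remote vpn.example.com 1194
ns-cert-type server
comp-lzo
#tls-auth ta.key 1
ca ca.crt
"""

# Constructed firewall rules as typed in the write-up: tcp, although the server uses udp.
FIREWALL_RULES = [
    "iptables -I INPUT -p tcp --dport 1194 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE",
]


def parse_conf(text):
    """[(directive, [args])] for active lines; '#'/';' lines and trailing '# ...' are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line, comments=True)   # keeps push "..." as one argument
            directives.append((parts[0], parts[1:]))
    return directives


def first(directives, name, default=None):
    """Arguments of the first occurrence of a directive, or default when absent."""
    return next((args for d, args in directives if d == name), default)


def parse_iptables(rule):
    """Table, chain, protocol and destination port of one iptables command line."""
    argv = shlex.split(rule)
    info = {"table": "filter", "chain": None, "proto": None, "dport": None}
    for flag, value in zip(argv, argv[1:]):
        if flag == "-t":
            info["table"] = value
        elif flag in ("-A", "-I"):
            info["chain"] = value
        elif flag == "-p":
            info["proto"] = value.lower()
        elif flag == "--dport":
            info["dport"] = int(value)
    return info


def lint(server_text, client_text, firewall_rules):
    """Return [(code, message)] for the pitfalls discussed in the write-up."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    # 1. The firewall must accept the transport the server actually listens on.
    proto = first(srv, "proto", ["udp"])[0].rstrip("46").split("-")[0]   # udp4, tcp-server -> udp, tcp
    port = int(first(srv, "port", ["1194"])[0])
    accepted = {(r["proto"], r["dport"]) for r in map(parse_iptables, firewall_rules)
                if r["table"] == "filter" and r["chain"] == "INPUT"}
    if (proto, port) not in accepted:
        findings.append(("FW_PROTO_MISMATCH", f"server listens on {proto}/{port}, INPUT accepts {sorted(accepted)}"))
    # 2. The client must pin the server role; ns-cert-type needs an extension EasyRSA did not add.
    ns_cert, remote_cert = first(cli, "ns-cert-type"), first(cli, "remote-cert-tls")
    if ns_cert is not None:
        findings.append(("NS_CERT_TYPE", 'ns-cert-type is deprecated and needs nsCertType in the server '
                         'certificate, which EASYRSA_NS_SUPPORT "no" omits; use remote-cert-tls server'))
    if remote_cert != ["server"] and ns_cert != ["server"]:
        findings.append(("NO_SERVER_ROLE_CHECK", "any CA-issued certificate, even a client's, passes as the server"))
    # 3. Compression of tunnel traffic (VORACLE); it must also match on both ends.
    for side, conf in (("server", srv), ("client", cli)):
        if any(d == "comp-lzo" and a != ["no"] for d, a in conf):
            findings.append(("COMPRESSION", f"{side} enables comp-lzo"))
    # 4. Without tls-auth/tls-crypt anyone on the internet can start a TLS handshake.
    srv_hmac = any(first(srv, d) is not None for d in ("tls-auth", "tls-crypt"))
    cli_hmac = any(first(cli, d) is not None for d in ("tls-auth", "tls-crypt"))
    if not srv_hmac:
        findings.append(("NO_TLS_AUTH", "server has no tls-auth/tls-crypt"))
    elif not cli_hmac:
        findings.append(("TLS_AUTH_ONE_SIDED", "server requires tls-auth/tls-crypt but the client lacks it"))
    # 5. The daemon should drop root once the keys are loaded.
    if first(srv, "user") is None or first(srv, "group") is None:
        findings.append(("RUNS_AS_ROOT", "server.conf has no user/group directives"))
    return findings


if __name__ == "__main__":
    for code, message in lint(SERVER_CONF, CLIENT_CONF, FIREWALL_RULES):
        print(f"{code}: {message}")
```

Point lint() at the real files by reading /etc/openvpn/server.conf and the .ovpn into strings and pasting the output of iptables-save's INPUT rules into the list; the parser deliberately uses POSIX quoting, so Windows paths with backslashes in an .ovpn should be quoted before feeding them in.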