System environment
[root@node01 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@node01 ~]# uname -r
3.10.0-327.el7.x86_64
[root@node01 ~]# getenforce
Disabled
Update the yum repositories
## update the Base repo
~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
## update the EPEL repo
~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
Install the packages
[root@node01 ~]# yum -y install openvpn easy-rsa
Note: if your easy-rsa is version 2.2, see the other post instead: https://www.xionghaier.cn/?p=337
Configure easy-rsa-3.0
Copy the files
[root@node01 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@node01 ~]# cd /etc/openvpn/easy-rsa/
[root@node01 easy-rsa]# \rm 3 3.0   # remove the symlink directories
[root@node01 easy-rsa]# cd 3.0.3/
[root@node01 3.0.3]# find / -type f -name "vars.example"|xargs cp -t . && mv vars.example vars
[root@node01 3.0.3]# ls
easyrsa openssl-1.0.cnf vars x509-types
[root@node01 3.0.3]# tree .
.
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    ├── san
    └── server

1 directory, 8 files
Generate the certificates
Create a new PKI and the CA certificate
[root@node01 3.0.3]# ./easyrsa init-pki   ### create an empty PKI
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki
[root@node01 3.0.3]# ./easyrsa build-ca nopass   ### create a new CA without a passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...+++
....................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.jLD7qrTaCY'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   (press Enter)
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt
Create the server certificate
[root@node01 3.0.3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................+++
...........+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.CB0dYz0h8K'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key
Sign the server certificate
[root@node01 3.0.3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until May 8 01:59:11 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt
Generate the Diffie-Hellman parameters file
[root@node01 3.0.3]# ./easyrsa gen-dh
## note: the Diffie-Hellman parameters strengthen OpenVPN's key exchange; generating them takes a long time
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................................+...................................................+.......................
.....................................................................................................+..+......
.+..............................................................................................+..............
.............................+...++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem
At this point the server-side certificates are done; next, create the client certificate.
Create the client certificate
Copy the files
[root@node01 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@node01 ~]# cd /etc/openvpn/client/easy-rsa/
[root@node01 easy-rsa]# \rm 3 3.0
[root@node01 easy-rsa]# cd 3.0.3/
[root@node01 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
[root@node01 3.0.3]# tree .
.
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    ├── san
    └── server

1 directory, 8 files
Generate the certificate
[root@node01 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@node01 3.0.3]# ./easyrsa init-pki   # create a new PKI
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki
[root@node01 3.0.3]# ./easyrsa gen-req wangmazi nopass   # client certificate named wangmazi, no passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
........................+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/wangmazi.key.msHOTrO0vN'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [wangmazi]:   (press Enter)
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/wangmazi.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/wangmazi.key
Finally, sign the client certificate
[root@node01 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@node01 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@node01 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/wangmazi.req wangmazi
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: wangmazi
You may now use this name to perform signing operations on this request.
(That is: the request was imported under the short name wangmazi, and that name is now used for signing operations on it.)
[root@node01 3.0.3]# ./easyrsa sign client wangmazi
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = wangmazi
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'wangmazi'
Certificate is to be certified until May 8 02:44:40 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/wangmazi.crt
Collect the certificates
Files needed by the server
[root@node01 3.0.3]# mkdir /etc/openvpn/certs
[root@node01 3.0.3]# cd /etc/openvpn/certs
[root@node01 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
[root@node01 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@node01 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@node01 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
[root@node01 certs]# ll
total 20
-rw------- 1 root root 1172 May 11 11:55 ca.crt
-rw------- 1 root root  424 May 11 11:55 dh.pem
-rw------- 1 root root 4547 May 11 11:55 server.crt
-rw------- 1 root root 1704 May 11 11:55 server.key
Files needed by the client
[root@node01 certs]# mkdir /etc/openvpn/client/wangmazi/
[root@node01 certs]# cd /etc/openvpn/client/wangmazi/
[root@node01 wangmazi]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@node01 wangmazi]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/wangmazi.crt .
[root@node01 wangmazi]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/wangmazi.key .
[root@node01 wangmazi]# ll
total 16
-rw------- 1 root root 1172 May 11 11:57 ca.crt
-rw------- 1 root root 4438 May 11 11:58 wangmazi.crt
-rw------- 1 root root 1704 May 11 11:58 wangmazi.key
Note: to add another user, start again from generating the client certificate with ./easyrsa gen-req and repeat the steps from there.
Server configuration file
[root@node01 ~]# vim /etc/openvpn/server.conf
local 118.190.201.68
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo
#duplicate-cn
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20
Start the service
[root@node01 ~]# systemctl start openvpn@server
[root@node01 ~]# lsof -i:1194
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 16113 openvpn   6u  IPv4  84651      0t0  TCP 118.190.201.68:openvpn (LISTEN)
Configure iptables and forwarding
Disable firewalld
[root@node01 ~]# systemctl stop firewalld.service      # stop the service
[root@node01 ~]# systemctl disable firewalld.service   # disable it at boot
[root@node01 ~]# firewall-cmd --state                  # check its state
Install iptables, write the policy, and open ports 1194 and 22
Port 22 is already open by default
[root@node01 ~]# yum -y install iptables iptables-services
[root@node01 ~]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
# note: server.conf above uses "proto tcp" (lsof shows a TCP listener), so the INPUT rule must use -p tcp / -m tcp to match
[root@node01 ~]# iptables-save
# Generated by iptables-save v1.4.21 on Fri May 11 12:24:24 2018
*filter
:INPUT ACCEPT [20:1560]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:1192]
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
COMMIT
# Completed on Fri May 11 12:24:24 2018
### restart iptables and add the NAT rule
[root@node01 ~]# systemctl restart iptables.service
[root@node01 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   # NAT rule
Enable kernel IP forwarding
[root@node01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@node01 ~]# sysctl -p
net.ipv4.ip_forward = 1
Edit the client.ovpn file
[root@node01 openvpn]# vim client.ovpn
client
# must match server.conf, which uses proto tcp
proto tcp
dev tun
remote 118.0.0.0 1194
ca ca.crt
# the client files generated above are named wangmazi.crt and wangmazi.key
cert client.crt
key client.key
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
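The server above listens with `proto tcp` (lsof shows a TCP listener) while the iptables rule opens UDP 1194, and the client file must name the same protocol and port as the server or it never connects. The script below is an added example and not code from the post: it derives the client profile, a consistency check and the INPUT rule from the server's own configuration so the three cannot disagree, and inlines ca.crt, the client certificate and key into one .ovpn file for distribution. The helper names (conf_value, build_client_profile, check_client_against_server, input_rule), the constructed config excerpts and the placeholder PEM files are this example's assumptions; `remote-cert-tls server` is a hardening directive the post does not use, which makes the client reject a server presenting a certificate that was not signed as type server.

```shell
#!/bin/sh
# Added example (not from the post): build and check the OpenVPN client profile
# from the server configuration. All inputs are constructed inline.

# First value of a directive from an OpenVPN config read on stdin.
conf_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Constructed copy of the relevant server.conf lines from the post.
SERVER_CONF="$(printf 'local 118.190.201.68\nport 1194\nproto tcp\ndev tun\nserver 10.8.0.0 255.255.255.0\ncomp-lzo\n')"

# Constructed client header with the wrong protocol (UDP against a TCP server).
BAD_CLIENT_OVPN="$(printf 'client\nproto udp\ndev tun\nremote 118.0.0.0 1194\n')"

# Constructed stand-ins for ca.crt, wangmazi.crt and wangmazi.key (not real PEM).
DIR=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED CA\n-----END CERTIFICATE-----\n' > "$DIR/ca.crt"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED CLIENT CERT\n-----END CERTIFICATE-----\n' > "$DIR/wangmazi.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED KEY\n-----END PRIVATE KEY-----\n' > "$DIR/wangmazi.key"
chmod 600 "$DIR/wangmazi.key"

# Emit a single-file client profile: remote host, port, proto and compression are
# taken from the server config; the CA cert, client cert and key are inlined in
# <ca>/<cert>/<key> blocks so the client needs only this one file.
# Usage: build_client_profile "$(cat server.conf)" /etc/openvpn/client/wangmazi wangmazi
build_client_profile() {
    conf=$1; dir=$2; name=$3
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    host=$(printf '%s\n' "$conf" | conf_value local)
    port=$(printf '%s\n' "$conf" | conf_value port)
    proto=$(printf '%s\n' "$conf" | conf_value proto)
    printf 'client\ndev tun\nproto %s\nremote %s %s\n' "$proto" "$host" "$port"
    printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
    if printf '%s\n' "$conf" | grep -q '^comp-lzo'; then echo comp-lzo; fi
    for tag in ca cert key; do
        case $tag in ca) f=$dir/ca.crt ;; cert) f=$dir/$name.crt ;; key) f=$dir/$name.key ;; esac
        printf '<%s>\n' "$tag"; cat "$f"; printf '</%s>\n' "$tag"
    done
}

# Compare a client profile against the server config: prints "ok", or the first
# mismatch and returns 1 so a deployment script can stop.
check_client_against_server() {
    sproto=$(printf '%s\n' "$1" | conf_value proto)
    cproto=$(printf '%s\n' "$2" | conf_value proto)
    sport=$(printf '%s\n' "$1" | conf_value port)
    cport=$(printf '%s\n' "$2" | awk '$1 == "remote" { print $3; exit }')
    [ "$sproto" = "$cproto" ] || { echo "proto mismatch: server $sproto, client $cproto"; return 1; }
    [ "$sport" = "$cport" ] || { echo "port mismatch: server $sport, client $cport"; return 1; }
    echo ok
}

# The INPUT rule in the post's form, with protocol and port taken from the server config.
input_rule() {
    proto=$(printf '%s\n' "$1" | conf_value proto)
    port=$(printf '%s\n' "$1" | conf_value port)
    printf 'iptables -A INPUT -p %s -m state --state NEW -m %s --dport %s -j ACCEPT\n' "$proto" "$proto" "$port"
}

check_client_against_server "$SERVER_CONF" "$BAD_CLIENT_OVPN" || true   # reports the proto mismatch
PROFILE=$(build_client_profile "$SERVER_CONF" "$DIR" wangmazi)
check_client_against_server "$SERVER_CONF" "$PROFILE"                   # ok
input_rule "$SERVER_CONF"
printf '%s\n' "$PROFILE"
rm -rf "$DIR"
```

On the real host, run build_client_profile against /etc/openvpn/server.conf and the /etc/openvpn/client/wangmazi directory from the post; the resulting file contains the private key, so hand it to the user over a protected channel and keep it mode 600 like the key itself.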
Summary of ./easyrsa commands
Create a new PKI and CA
./easyrsa init-pki
./easyrsa build-ca
Sign a client certificate
./easyrsa gen-req EntityName
./easyrsa import-req /tmp/path/to/import.req EntityName   ## transfer the request (.req file) to the CA system and import it; the name given here is arbitrary and is only used to name the request file
Sign the request as the correct type; this example uses the client type:
./easyrsa sign-req client EntityName
Revoke a certificate and create a CRL
These are CA-side tasks.
To permanently revoke an issued certificate, supply the short name used at import:
./easyrsa revoke EntityName
To create an updated CRL containing every certificate revoked so far:
./easyrsa gen-crl
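The `revoke` and `gen-crl` commands, and the `Write out database with 1 new entries` line in the signing output earlier, all work on the same file: the CA database at pki/index.txt (the OpenSSL CA index). The script below is an added example, not code from the post or from Easy-RSA; it reads that database and lists valid, revoked and soon-to-expire certificates, which is the check to run before regenerating a CRL or handing out a client certificate. It runs on a constructed sample so it works offline; the sample's serials, the extra name and the revocation date, and the helper names certs_with_status and expiring_within, are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): report on the Easy-RSA CA database.
# pki/index.txt holds one tab-separated line per issued certificate:
#   status  expiry(YYMMDDHHMMSSZ)  revocation-date(empty unless revoked)  serial  filename  subject-DN
# with status V (valid), R (revoked) or E (expired). "./easyrsa revoke NAME"
# flips the status to R and fills in the revocation date.

# Constructed sample: the two certificates issued in the post plus one revoked
# entry. Serials, the third name and the revocation date are made up.
SAMPLE_INDEX="$(printf 'V\t280508015911Z\t\t01\tunknown\t/CN=server\nV\t280508024440Z\t\t02\tunknown\t/CN=wangmazi\nR\t280601000000Z\t180601120000Z\t03\tunknown\t/CN=zhangsan\n')"

# Print the CN of every entry with the given status letter, one per line.
# Usage: certs_with_status V < pki/index.txt
certs_with_status() {
    awk -F'\t' -v want="$1" '$1 == want { sub(/^.*\/CN=/, "", $6); print $6 }'
}

# Print the CN of every valid entry whose expiry falls within N days of a
# reference date. Whole-day arithmetic via Julian day numbers, so it needs no
# GNU date and behaves the same on any awk.
# Usage: expiring_within YYYYMMDD N < pki/index.txt
expiring_within() {
    awk -F'\t' -v ref="$1" -v days="$2" '
        function jdn(y, m, d,    a, yy, mm) {
            a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
            return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        }
        BEGIN { refj = jdn(substr(ref, 1, 4) + 0, substr(ref, 5, 2) + 0, substr(ref, 7, 2) + 0) }
        $1 == "V" {
            # expiry is YYMMDDHHMMSSZ with a two-digit year, meaning 20YY for these certificates
            ej = jdn(2000 + substr($2, 1, 2), substr($2, 3, 2) + 0, substr($2, 5, 2) + 0)
            if (ej - refj <= days) { sub(/^.*\/CN=/, "", $6); print $6 }
        }'
}

# Demonstration on the constructed sample. On the CA host from the post, feed
# the real database instead: < /etc/openvpn/easy-rsa/3.0.3/pki/index.txt
echo "valid:";   printf '%s\n' "$SAMPLE_INDEX" | certs_with_status V
echo "revoked:"; printf '%s\n' "$SAMPLE_INDEX" | certs_with_status R
echo "expiring within 200 days of 2028-01-01:"
printf '%s\n' "$SAMPLE_INDEX" | expiring_within 20280101 200
```

A revoked entry only takes effect once `./easyrsa gen-crl` is re-run and the server is pointed at the new CRL, so the revoked list from this report is also the list to compare against the CRL's contents after regeneration.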
DH parameters can be generated with:
./easyrsa gen-dh   ## generate Diffie-Hellman (DH) parameters
Show the details of a request or certificate
./easyrsa show-req EntityName
./easyrsa show-cert EntityName
Change a private key passphrase
RSA and EC private keys can be re-encrypted, so depending on the key type a new passphrase can be set with one of the following commands:
./easyrsa set-rsa-pass EntityName
./easyrsa set-ec-pass EntityName
Alternatively, the 'nopass' flag removes the passphrase entirely. See the command help for details.
Testing
See https://www.xionghaier.cn/?p=337
Unless otherwise stated, articles on this site are original; please credit the source when reposting.
- When reposting, credit the source: Building a VPN service with easy-rsa-3.0: OpenVPN
- Permanent link to this article: https://www.xionghaier.cn/archives/367.html