
Cloud host to local intranet communication with OpenVPN


This article describes in detail how to install and configure OpenVPN on a Linux server: installing dependencies, network settings, time synchronisation, certificate generation, server configuration and starting the OpenVPN service. It also covers configuring Windows and Linux clients and resolving common errors, and finally mentions certificate revocation and the use of a CRL.

Installation steps (for the server configuration itself, go straight to step 5):


1. Install dependencies

gcc and openssl-devel are needed to build OpenVPN. LZO is a lossless compression library (only needed if you enable comp-lzo) and PAM is the pluggable authentication module framework (only needed for the username/password plugin).

yum install -y gcc openssl-devel lzo-devel pam-devel


2. Network settings

Enable kernel IP forwarding

# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
Make sure the VPN address pool can reach the outside world (clients are assigned addresses from 172.16.30.0/24; eth0 is assumed to be the public-facing interface, adjust it if yours is named differently)
iptables -t nat -A POSTROUTING -s 172.16.30.0/24 -o eth0 -j MASQUERADE
Allow the OpenVPN service port through the firewall. The protocol and port must match what server.conf listens on: the sample configuration in step 5 uses udp/11944, not the default 1194, so open that port instead.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Note: on a cloud server these iptables rules are usually not needed; open the port (1194, or 11944 for the configuration below) in the instance's security group instead.


On the other machines in the cloud intranet, route the local office LAN (192.168.10.0/24 here) through the OpenVPN server; 172.31.0.28 is the OpenVPN server's private address in the cloud network:

route add -net 192.168.10.0 netmask 255.255.255.0 gw 172.31.0.28

This route does not survive a reboot, and it only works if the OpenVPN server itself knows that 192.168.10.0/24 sits behind one of its clients (a route directive plus an iroute in that client's client-config-dir entry), which this article does not cover.
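The firewall rules above hard-code port 1194, while the server configuration written in step 5 listens on 11944. The script below is an added example (not part of the original article): it derives the sysctl, INPUT, FORWARD and NAT rules from the port, proto and server directives of server.conf so the two cannot drift, and prints the commands instead of executing them so they can be reviewed before being piped into sh as root. It goes slightly beyond the article by also emitting FORWARD rules for the tun interface, which only matter if your FORWARD chain's policy is DROP. The path /usr/local/openvpn/config/server.conf and the interface name eth0 are assumptions.

```sh
#!/bin/sh
# Added example: derive the OpenVPN firewall/forwarding rules from server.conf.
# Prints the commands; review them, then pipe into sh as root.

# First uncommented occurrence of a directive, without the directive name.
conf_value() { # conf_value <file> <directive>
  awk -v d="$2" '$1 == d { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Dotted-quad netmask -> prefix length (255.255.255.0 -> 24); rejects
# non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
  bits=0; zeros=0
  for o in $(echo "$1" | tr '.' ' '); do
    case "$o" in
      255) n=8;; 254) n=7;; 252) n=6;; 248) n=5;;
      240) n=4;; 224) n=3;; 192) n=2;; 128) n=1;; 0) n=0;;
      *) echo "bad netmask: $1" >&2; return 1;;
    esac
    if [ "$zeros" -eq 1 ] && [ "$n" -ne 0 ]; then
      echo "non-contiguous netmask: $1" >&2; return 1
    fi
    [ "$n" -ne 8 ] && zeros=1
    bits=$((bits + n))
  done
  echo "$bits"
}

# gen_vpn_firewall <server.conf> [wan-interface]
gen_vpn_firewall() {
  conf=$1; wan=${2:-eth0}
  port=$(conf_value "$conf" port); port=${port:-1194}        # OpenVPN default
  proto=$(conf_value "$conf" proto); proto=${proto:-udp}
  proto=$(echo "$proto" | sed 's/-.*//; s/[46]$//')          # tcp-server, udp6 -> tcp, udp
  set -- $(conf_value "$conf" server)                        # "172.16.30.0 255.255.255.0"
  if [ $# -lt 2 ]; then echo "no 'server' directive in $conf" >&2; return 1; fi
  prefix=$(mask_to_prefix "$2") || return 1
  pool="$1/$prefix"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p $proto --dport $port -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}

# Usage: sh gen-fw.sh /usr/local/openvpn/config/server.conf eth0 | sh
if [ $# -gt 0 ]; then gen_vpn_firewall "$@"; fi
```

Only the first uncommented occurrence of each directive is used, so a commented-out `#port 1194` left over from the sample file is ignored, and a missing `server` line is an error rather than a silent fallback.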


3. Time synchronisation

If the client and server clocks are too far apart the connection fails, because each side checks the validity period of the other's certificate during the TLS handshake. Sync both ends (a one-shot ntpdate is shown; run ntpd or chrony for continuous synchronisation):

ntpdate asia.pool.ntp.org


4. Install the OpenVPN server

The article builds 2.4.3 from source. Use the current release from the same site, and check the downloaded tarball against the signature or checksum published there, since the download URL below is plain HTTP.

wget http://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
tar zxvf openvpn-2.4.3.tar.gz
cd openvpn-2.4.3
./configure --prefix=/usr/local/openvpn
make && make install


5. Configure the server

There are two parts:

  • Generate the certificates the server and the clients need.

  • Write the configuration files for the server and the clients.


(1) Download easy-rsa and create the certificates (the article "easy-rsa 生成Openvpn证书" covers generating all of them quickly).

easy-rsa 2.x source on GitHub

URL: https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip

cd
wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
yum install -y unzip
unzip 2.x.zip
cp -rf easy-rsa-release-2.x/easy-rsa/ /usr/local/openvpn/
######## Create the CA certificate ########
#cd /usr/local/openvpn/easy-rsa/2.0
#source ./vars       # initialise the variables (KEY_SIZE, KEY_COUNTRY, ...) used by the following commands
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn/easy-rsa/2.0/keys
#./clean-all  # wipe all previously created certificates and keys
#./build-ca   # generate the CA certificate and private key
Generating a 2048 bit RSA private key
...+++
...........................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [California]:BJ
Locality Name (eg, city) [SanFrancisco]:BJ
Organization Name (eg, company) [Fort-Funston]:BJ        
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:OPS
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:Openvpn_CA
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
## The CA certificate and key are now generated; certificates and keys are written to the keys/ directory under the current directory by default.
[root@localhost 2.0]#ls keys/
ca.crt  ca.key  index.txt  serial
############ Create the server certificate #############
Run ./build-key-server ServerName to generate the server certificate and key (the [server] extension section of openssl-1.0.0.cnf marks it as a server certificate, which is what the client-side ns-cert-type/remote-cert-tls check relies on)
[root@localhost 2.0]#./build-key-server server
Generating a 2048 bit RSA private key
............................+++
....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [California]:BJ
Locality Name (eg, city) [SanFrancisco]:BJ
Organization Name (eg, company) [Fort-Funston]:BJ
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:OPS
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'BJ'
organizationalUnitName:PRINTABLE:'OPS'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Aug 20 05:16:14 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#ls ./keys/
01.pem  ca.crt  ca.key  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
############ Create the client certificate ###############
Run ./build-key clientName to generate a client certificate and key (one per client; the Common Name is what the server logs and what client-config-dir entries are keyed by, so give each client a unique one)
[root@localhost 2.0]#./build-key client1
Generating a 2048 bit RSA private key
........................................................+++
..................................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [California]:BJ
Locality Name (eg, city) [SanFrancisco]:BJ
Organization Name (eg, company) [Fort-Funston]:BJ
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:OPS
Common Name (eg, your name or your server's hostname) [client1]:Openvpn_Client
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'BJ'
organizationalUnitName:PRINTABLE:'OPS'
commonName            :T61STRING:'Client1'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Aug 20 05:34:01 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]#ls ./keys/
01.pem  02.pem  ca.crt  ca.key  client1.crt  client1.csr  client1.key  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
########## Generate the Diffie-Hellman parameters ###########
Run ./build-dh (no input needed; it takes a while). This produces the Diffie-Hellman parameters (dh2048.pem, sized by KEY_SIZE in vars) that the server uses for the TLS key exchange; they are public parameters, not a secret key.
#./build-dh
########### Generate the TLS-auth key ############
This step is optional but recommended. OpenVPN's tls-auth feature adds an HMAC signature to every control-channel packet, so packets without a valid HMAC are dropped before any TLS processing. That blunts DoS and UDP port-flooding attacks and hides the service from unauthenticated scanners. To enable it, generate the shared key with openvpn --genkey --secret keys/ta.key and deploy the same file to the server and to every client.
#/usr/local/openvpn/sbin/openvpn --genkey --secret keys/ta.key
That completes certificate generation. To create further clients later (or run any other easy-rsa command), first run source ./vars in this directory, then the command, e.g. ./build-key client2.

1: CA certificate and key

2: server certificate and key

3: certificate and key for client1

4: Diffie-Hellman parameters (the file is dh1024.pem if KEY_SIZE=1024; 1024-bit parameters are considered too weak today, keep KEY_SIZE at 2048)

5: the key file for tls-auth


The server needs the following files

ca.crt

dh2048.pem (dh1024.pem if KEY_SIZE was set to 1024)

server.crt

server.key

ta.key (not needed if tls-auth is not enabled)

ca.key is deliberately not on this list: it is only needed to sign new client certificates and to revoke them, so it stays in the easy-rsa keys/ directory (better still, on a separate machine). Anyone holding ca.key can mint certificates the server will accept.


Client client1 needs the following files

ca.crt

client1.crt

client1.key (the name client1 depends on what you chose)

ta.key (not needed if tls-auth is not enabled)


(2) Write the server configuration file.

mkdir -p /usr/local/openvpn/config
cd /usr/local/openvpn/config
cp /usr/local/openvpn/easy-rsa/2.0/keys/{ca.crt,server.crt,server.key,dh2048.pem,ta.key} .
# ls
ca.crt  dh2048.pem  server.crt  server.key  ta.key
cp /root/openvpn-2.4.3/sample/sample-config-files/server.conf .
mkdir -p /var/log/openvpn # create the log directory
# vim server.conf
port 11944
proto udp
dev tun
ca /usr/local/openvpn/config/ca.crt
cert /usr/local/openvpn/config/server.crt
key /usr/local/openvpn/config/server.key
dh /usr/local/openvpn/config/dh2048.pem
#tls-auth /usr/local/openvpn/config/ta.key 0
server 172.16.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.30.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
client-to-client
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 2
# uncomment the following to enable username/password authentication
#auth-user-pass-verify /usr/local/openvpn/checkpsw.sh via-env
#username-as-common-name
#verify-client-cert none
#script-security 3

Directive notes:

port 11944 # local port to listen on
proto udp # transport protocol, tcp or udp
dev tun # type of tunnel device: tun is a layer-3 (IP) point-to-point device, tap is a layer-2 (Ethernet) device
ca /usr/local/openvpn/config/ca.crt # path to the CA certificate
cert /usr/local/openvpn/config/server.crt # path to the server certificate
key /usr/local/openvpn/config/server.key # path to the server private key
dh /usr/local/openvpn/config/dh2048.pem # path to the Diffie-Hellman parameters
server 172.16.30.0 255.255.255.0 # address range and netmask of the VPN; the server itself takes 172.16.30.1
ifconfig-pool-persist ipp.txt # remember the address given to each client so it gets the same one on its next connection (the first assignment is saved in ipp.txt and reused afterwards)
push "route 172.16.30.0 255.255.255.0" # push a route to the clients; the VPN subnet itself is already known to them, so this line as written is redundant
push "redirect-gateway def1 bypass-dhcp" # if enabled, every client replaces its default gateway with the VPN, so all of its IP traffic (web browsing, DNS lookups, ...) goes through the tunnel
push "dhcp-option DNS 8.8.8.8" # push a DNS server to the clients
#tls-auth /usr/local/openvpn/config/ta.key 0 # enable tls-auth with ta.key; the second parameter is 0 on the server and 1 on the clients
keepalive 10 120 # ping every 10 seconds, consider the peer dead after 120 seconds
comp-lzo # enable compression; if set on the server it must also be set on the clients. Compressing attacker-influenced and secret data in the same stream is what the VORACLE attack exploits, so leave it off unless you really need it
client-to-client # allow clients to talk to each other; by default a client can only reach the server. This forwarding happens inside OpenVPN and bypasses the kernel's FORWARD chain
persist-key
persist-tun # keep the key material and the tun device across restarts (SIGUSR1) so they need not be re-read or re-opened after privileges have been dropped
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log # log file paths
verb 3 # log verbosity, 0-9, higher is more detailed
explicit-exit-notify 2 # on exit or restart the server tells the clients, so they reconnect immediately instead of waiting for keepalive to time out (UDP only)


Notes:

  • push "redirect-gateway def1 bypass-dhcp": if enabled, all clients redirect their default gateway through the VPN, so all of their IP traffic goes through it (and leaves through the MASQUERADE rule from step 2).

  • client-config-dir ccd: per-client configuration directory; a file named after a client's Common Name can push routes (or declare an iroute for a LAN behind that client) for that client only.

  • TUN and TAP differ: TUN is a point-to-point layer-3 device that works at the IP layer and handles IP packets (this article uses tun; try tap if you are interested); TAP is a virtual Ethernet device that works at layer 2 and handles Ethernet frames.
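The script below is an added example (not from the article): it reads a server.conf and reports the weak spots discussed in the notes above, namely a missing tls-auth/tls-crypt line, comp-lzo, no privilege drop (user/group), no crl-verify, client-to-client, a password-verification script fed via the environment (the OpenVPN manual documents via-env as less secure than via-file), certificate checking disabled, and a CA private key sitting next to the configuration. It only examines the directives named here and is not a complete OpenVPN hardening audit. The path /usr/local/openvpn/config/server.conf is an assumption.

```sh
#!/bin/sh
# Added example: report the weak spots discussed above in an OpenVPN server.conf.
# Only the directives named here are examined; this is not a full hardening audit.

# First uncommented occurrence of a directive, without the directive name.
conf_value() { # conf_value <file> <directive>
  awk -v d="$2" '$1 == d { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# True when the directive appears uncommented (a leading '#' or ';' makes $1 differ).
conf_has() { # conf_has <file> <directive>
  awk -v d="$2" '$1 == d { found = 1 } END { exit !found }' "$1"
}

# audit_server_conf <server.conf>
# Prints one numbered line per finding; the return value is the number of findings.
audit_server_conf() {
  f=$1; n=0
  finding() { n=$((n + 1)); echo "[$n] $*"; }

  conf_has "$f" tls-auth || conf_has "$f" tls-crypt \
    || finding "no tls-auth/tls-crypt: unauthenticated packets reach the TLS layer (DoS, scanning)"
  conf_has "$f" comp-lzo \
    && finding "comp-lzo: compresses attacker-controlled and secret data together (VORACLE); remove it"
  conf_has "$f" user || finding "no 'user nobody': the daemon keeps root after initialisation"
  conf_has "$f" group || finding "no 'group nobody': the daemon keeps root group privileges"
  conf_has "$f" crl-verify || finding "no crl-verify: revoked client certificates are still accepted"
  conf_has "$f" client-to-client \
    && finding "client-to-client: clients reach each other inside OpenVPN, bypassing the kernel FORWARD chain"
  case "$(conf_value "$f" auth-user-pass-verify)" in
    *via-env*) finding "auth-user-pass-verify via-env: the password is exposed in the script's environment; use via-file";;
  esac
  [ "$(conf_value "$f" verify-client-cert)" = none ] \
    && finding "verify-client-cert none: clients authenticate with a password only, no certificate"
  [ -e "$(dirname "$f")/ca.key" ] \
    && finding "ca.key stored next to server.conf: the CA signing key must not live on the VPN server"

  [ "$n" -eq 0 ] && echo "no findings"
  return "$n"
}

# Usage: sh audit-openvpn.sh /usr/local/openvpn/config/server.conf
if [ $# -gt 0 ]; then audit_server_conf "$1"; fi
```

Run against the configuration shown in this step it reports six findings (seven if ca.key was copied into the config directory); the exit status equals the number of findings, so it can gate a deployment script.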


6. Start OpenVPN

 /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/config/server.conf --daemon

(The original article started it with a trailing &, which only backgrounds it in the current shell; --daemon detaches it properly. Once it is up, the last line of /var/log/openvpn/openvpn.log reads "Initialization Sequence Completed".)


7. Windows client

Create a configuration file named Client-VPN.ovpn with the following contents:
client
dev tun
proto udp
remote <cloud host public IP> 11944
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
;tls-auth ta.key 1
;route 172.16.30.0 255.255.255.0
comp-lzo
verb 3

Put the profile and the certificate files (ca.crt, client1.crt, client1.key and, if used, ta.key) together under C:\Program Files\OpenVPN\config\HK; the relative paths in the profile are resolved from the profile's own directory.


Once that is in place you can connect.

client # this side is the VPN client
dev tun # must match the server
proto udp # must match the server
remote 47.52.57.XX 11944 # public IP address and port of the server
resolv-retry infinite # keep retrying to resolve and reconnect when the link drops; useful on unstable networks (e.g. laptop Wi-Fi)
nobind # do not bind to a fixed local port
persist-key
persist-tun
ca ca.crt # path to the CA certificate
cert client1.crt # path to this client's certificate
key client1.key # path to this client's private key
remote-cert-tls server # require the server to present a certificate with the server extensions (serverAuth EKU) issued by our CA, so another client's certificate cannot be used to impersonate the server. The original article used ns-cert-type server, which performs the same check on the older nsCertType attribute; it is deprecated and no longer accepted by recent OpenVPN releases
tls-auth ta.key 1 # if the server uses ta.key, every client must enable it too (with direction 1); if the server does not, comment this out. The two sides must agree
comp-lzo # enable compression, must match the server (see the VORACLE note in the server section; drop it on both sides if you can)
log-append /var/log/openvpn/openvpn.log # log file; only meaningful on a Linux client, omit it on Windows
verb 3 # log verbosity, 0-9, higher is more detailed
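Handing a user an .ovpn plus four loose files is error-prone (a file lands in the wrong directory, a key is mailed separately and lost). The script below is an added example, not from the article: run on the machine holding the easy-rsa keys/ directory, it builds a single profile with ca, cert, key and tls-auth inlined, uses remote-cert-tls server instead of the deprecated ns-cert-type, and replaces the "1" argument of tls-auth with key-direction 1 as inline tls-auth requires. It deliberately leaves out comp-lzo; set COMP_LZO=1 only while the server still has comp-lzo, because the two sides must agree. The keys directory, the client name, and the server address 203.0.113.10 (a documentation address) are assumptions.

```sh
#!/bin/sh
# Added example: build a single-file .ovpn client profile with the certificates inlined,
# so a client gets one file instead of an .ovpn plus four loose key/cert files.
# Assumes the easy-rsa 2.x layout: <keys-dir>/ca.crt, <name>.crt, <name>.key, ta.key.

# Emit <tag>...</tag> containing only the PEM block of a file (easy-rsa .crt files
# carry a text dump before the PEM, which is noise inside a profile).
inline_pem() { # inline_pem <tag> <file>
  echo "<$1>"
  sed -n '/-----BEGIN/,/-----END/p' "$2"
  echo "</$1>"
}

# make_ovpn <keys-dir> <client-name> <server-host> <port> [udp|tcp]
# Writes the profile to stdout; returns 1 if a required file is missing.
make_ovpn() {
  dir=$1; name=$2; host=$3; port=$4; proto=${5:-udp}
  for f in ca.crt "$name.crt" "$name.key" ta.key; do
    [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  cat <<EOF
client
dev tun
proto $proto
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
verb 3
EOF
  # Only while the server still runs comp-lzo; both sides must match.
  [ "${COMP_LZO:-0}" = 1 ] && echo "comp-lzo"
  inline_pem ca "$dir/ca.crt"
  inline_pem cert "$dir/$name.crt"
  inline_pem key "$dir/$name.key"
  inline_pem tls-auth "$dir/ta.key"     # key-direction 1 above replaces the '1' argument
}

# Usage: sh make-ovpn.sh /usr/local/openvpn/easy-rsa/2.0/keys client1 203.0.113.10 11944 > client1.ovpn
if [ $# -ge 4 ]; then make_ovpn "$@"; fi
```

The resulting file contains the client's private key, so treat it like one: generate it per client, deliver it over an authenticated channel, and delete the server-side copy afterwards.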



8. Linux client

Install the dependencies

# apt-get install libpam0g-dev libssl-dev
(Debian/Ubuntu also ship LZO as liblzo2-dev; the article builds it from source instead:)
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
#tar zxvf lzo-2.06.tar.gz
#cd lzo-2.06/
#./configure --prefix=/usr/local/
#make && make install
Building and starting OpenVPN is the same as on the server, the configuration file is the same as the Windows one (named client.conf here), and the config directory holds:
#mkdir -p /usr/local/openvpn/config
#cd /usr/local/openvpn/config
# ls
ca.crt  client1.crt  client1.key  client.conf  ta.key
The client only needs the four files listed for it in step 5. In particular ca.key (the CA's signing key) and dh2048.pem (server-side only) have no business on a client.



Published with the author's permission; the views expressed are the author's own. Source: https://blog.csdn.net/love8753/article/details/120085535