Software versions
- CentOS - 7.x
- easy-rsa - 3.0.3
- OpenVPN - 2.4.6
Installation
It is recommended to enable the EPEL repository and install OpenVPN with yum.
yum install -y epel-release
yum update -y
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
yum install -y easy-rsa
yum install -y openvpn
Routing or bridging?
Routing is recommended, unless you have a specific scenario that requires bridging, for example:
- the VPN must carry non-IP protocols such as IPX
- applications run over the VPN that depend on network broadcasts (for example LAN games)
- you want to browse Windows file shares across the VPN without setting up a Samba or WINS server
Choosing the private subnet
The VPN tunnel subnet between server and clients only has to avoid overlapping with the networks already in your environment.
Default: 10.8.0.0/16
Generating certificates and keys
The easy-rsa installed by yum is version 3.x, so copy the tool out of its installation path and use the default easy-rsa 3.x workflow to generate the certificates and keys.
cp -rf /usr/share/easy-rsa/3.0.3 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
# nopass stores the private keys unencrypted; keep pki/private/ readable by root only
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh
# TLS-auth HMAC key, written to the current directory (/etc/openvpn/server/easy-rsa/ta.key)
openvpn --genkey --secret ta.key
Supplement: the easy-rsa 2.x procedure (download: https://github.com/OpenVPN/easy-rsa-old/releases)
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-dh
openvpn --genkey --secret ta.key
Configuring the server
Create the directories that will be used
# log directory
mkdir -p /var/log/openvpn/
# user management directory
mkdir -p /etc/openvpn/server/user
# set ownership (the daemon drops to user/group openvpn and must be able to write its logs)
chown openvpn:openvpn /var/log/openvpn
Create the server configuration file
Edit /etc/openvpn/server/server.conf and write the following:
#################################################
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
port 1194
proto tcp-server
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
# TUN/TAP virtual network device
dev tun
user openvpn
group openvpn
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
## Using System user auth.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
## Using Script Plugins
# via-env needs script-security 3 because the password is handed to the script in its environment
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
# client-cert-not-required   # Deprecated option
# without an argument verify-client-cert means "require": a valid client certificate is still mandatory
verify-client-cert
username-as-common-name
## Connecting clients to be able to reach each other over the VPN.
client-to-client
## Allow multiple clients with the same common name to concurrently connect.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 1.1.1.1"
push "route 10.93.0.0 255.255.255.0"
# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
compress lzo
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
Note!!! After creating the configuration file you need to add a symlink to it: the openvpn-server@.service unit of this OpenVPN version reads <instance>.conf from /etc/openvpn/server, and the start command used below runs the instance named ".service", so the unit looks for .service.conf.
cd /etc/openvpn/server/
ln -sf server.conf .service.conf
Create the user password file
The format is one user per line: the username, then the password, separated by a space.
tee /etc/openvpn/server/user/psw-file << EOF
mytest mytestpass
EOF
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file
Create the password-check script
Save the following as /etc/openvpn/server/user/checkpsw.sh (the path given to auth-user-pass-verify above) and make it executable:
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN ("auth-user-pass-verify ... via-env") exports the
# client's credentials as $username and $password; exit 0
# accepts the client, any other exit status rejects it.

PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# The username is passed to awk as a variable instead of being spliced into
# the program text, so a username containing quotes or spaces cannot alter
# the awk expression.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

# The submitted password is deliberately not written to the log file.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
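The same auth-user-pass-verify via-env contract can be served without keeping clear-text passwords on the server. The script below is an added example, not from the original post or from the checkpsw.sh author: it stores a per-user random salt and SHA-256(salt || password), looks the user up safely with an awk variable, and never writes the submitted password anywhere. The three-field file format, the helper names (hash_pw, make_entry, check_user) and the availability of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: auth-user-pass-verify script that keeps salted SHA-256 digests
# instead of clear-text passwords. OpenVPN ("auth-user-pass-verify ... via-env")
# exports the client's credentials as $username and $password; exit 0 accepts
# the client, any other status rejects it.
# Assumed file format (one record per line): "user salt sha256hex", where
# sha256hex = SHA-256(salt || password). Lines starting with # or ; are ignored.
# sha256sum is used for portability; where available, a slow KDF such as
# "openssl passwd -6" gives far better resistance to offline guessing.

# hash_pw SALT PASSWORD -> hex digest of SALT||PASSWORD on stdout
hash_pw() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# make_entry USER PASSWORD -> a record line with a fresh 16-hex-char random salt
make_entry() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s %s %s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")"
}

# check_user USER PASSWORD PASSFILE -> 0 if the password matches, 1 otherwise
check_user() {
    user=$1; pw=$2; file=$3
    [ -r "$file" ] || return 1
    # The username goes in as an awk variable, never spliced into the program
    # text, so a crafted username cannot change the awk expression.
    rec=$(awk -v u="$user" '!/^[#;]/ && $1 == u { print $2, $3; exit }' "$file")
    [ -n "$rec" ] || return 1
    salt=${rec% *}; want=${rec#* }
    [ "$(hash_pw "$salt" "$pw")" = "$want" ]
}

# Called by OpenVPN: $username is set, so decide and exit. The submitted
# password is never logged (the original checkpsw.sh writes it in clear).
if [ -n "${username:-}" ]; then
    check_user "$username" "$password" /etc/openvpn/server/user/psw-file
    exit $?
fi

# Admin use: "./checkpsw-hash.sh add USER PASSWORD >> psw-file" appends a record.
if [ "${1:-}" = "add" ]; then
    make_entry "$2" "$3"
fi
```

The psw-file still needs mode 600 and owner openvpn as above, since the digests, though not reversible, are still worth protecting from offline guessing.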
Firewall configuration
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-service=openvpn
# firewalld's openvpn service only opens 1194/udp; this setup uses proto tcp-server,
# so the TCP port has to be added explicitly as well
firewall-cmd --permanent --add-port=1194/tcp
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload
Starting the service
# find the service name
rpm -ql openvpn | grep service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
# start
systemctl start openvpn-server@.service.service
Configuring the client
Download the generated ca.crt, client1.crt, client1.key and ta.key files from the server to the client; the client configuration C:\Program Files\OpenVPN\config\client.ovpn is as follows:
# client = tls-client + pull, required to receive the routes and DNS pushed by the server
client
proto tcp-client
dev tun
auth-user-pass
remote yourserver.domain 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
auth-nocache
persist-tun
persist-key
compress lzo
verb 4
mute 10