Server-side configuration:
1. Complete the basic Linux host setup: networking, SELinux, iptables and so on (the VPN port chosen below has to be allowed through the firewall).
2. Install the development packages the build depends on:
yum install -y lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel
3. Install the build toolchain:
yum install -y autoconf automake libtool libtool-ltdl make
4. Download the source, build and install it, and create a symlink. The configure options below are for 2.4.9; later releases have dropped some of them. GitHub's auto-generated archive tarballs are not signed, so outside a lab prefer the release tarball and signature published on openvpn.net and verify them before building:
wget https://github.com/OpenVPN/openvpn/archive/v2.4.9.tar.gz
mv v2.4.9.tar.gz openvpn-2.4.9.tar.gz
tar xf openvpn-2.4.9.tar.gz
cd openvpn-2.4.9/
autoreconf -i -v -f
./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
make && make install
ln -s /usr/local/openvpn/sbin/openvpn /usr/local/sbin/openvpn
5. Point the systemd unit at the server configuration file:
vim /usr/local/openvpn/lib/systemd/system/openvpn-server@.service
### Find the ExecStart line, comment out the original and add the line below; server.conf is the server-side configuration file. The unit's WorkingDirectory=/etc/openvpn/server is what makes this relative path (and the relative ipp.txt and openvpn-status.log paths used in the config) resolve under /etc/openvpn/server.
ExecStart=/usr/local/openvpn/sbin/openvpn --config server.conf
6. Install the unit system-wide and enable it at boot:
cp -a /usr/local/openvpn/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn.service
systemctl enable openvpn.service
7. Generate the certificates with easy-rsa:
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.7.tar.gz
mv v3.0.7.tar.gz easy-rsa-3.0.7.tar.gz
tar xf easy-rsa-3.0.7.tar.gz
8. Create the global configuration file vars from easy-rsa-3.0.7/easyrsa3/vars.example:
cd easy-rsa-3.0.7/easyrsa3
cp -a vars.example vars
9. Edit vars and add the organization details:
vim vars
Append the following at the end of the file (adjust the values as needed):
# Country
set_var EASYRSA_REQ_COUNTRY "CN"
# Province
set_var EASYRSA_REQ_PROVINCE "BJ"
# City
set_var EASYRSA_REQ_CITY "BeiJing"
# Organization
set_var EASYRSA_REQ_ORG "zhang"
# E-mail
set_var EASYRSA_REQ_EMAIL "zhang@test.com"
# Organizational unit
set_var EASYRSA_REQ_OU "ZJ"
# Key size in bits
set_var EASYRSA_KEY_SIZE 2048
# Algorithm
set_var EASYRSA_ALGO rsa
# CA certificate lifetime, in days
set_var EASYRSA_CA_EXPIRE 36500
# Lifetime of issued certificates, in days
set_var EASYRSA_CERT_EXPIRE 36500
36500 days is roughly 100 years, so nothing issued here ever expires on its own. Outside a lab, use shorter lifetimes and plan to revoke certificates rather than wait for expiry.
10. Initialize the PKI and create the CA root certificate:
./easyrsa init-pki
./easyrsa build-ca   # prompts twice for a PEM pass phrase (choose it yourself; it is needed later to sign server and client certificates) and then for a Common Name, e.g. openvpn
11. Generate the server certificate:
./easyrsa build-server-full server nopass   # asks for the CA pass phrase set above; nopass leaves the server key unencrypted so the service can start unattended, so keep its file permissions tight
./easyrsa gen-dh   # just wait
12. Generate ta.key (the tls-auth HMAC key; control-channel packets without a valid HMAC are dropped before any TLS processing, which is why it must also be shared with every client):
openvpn --genkey --secret ta.key
13. Assemble the server-side certificates and configuration file:
mkdir -p /etc/openvpn/server/   # create the server directory
cp -a pki/ca.crt /etc/openvpn/server/
cp -a pki/private/server.key /etc/openvpn/server/
cp -a pki/issued/server.crt /etc/openvpn/server/
cp -a pki/dh.pem /etc/openvpn/server/
cp -a ta.key /etc/openvpn/server/
touch /etc/openvpn/server/server.conf   # create the main configuration file
The CA private key, pki/private/ca.key, is deliberately not copied: the running server does not need it, and it belongs only on the host that signs certificates.
14. Edit the main configuration file:
vim /etc/openvpn/server/server.conf
Add the following:
local 0.0.0.0
port 11940   # pick your own port; 11940 is the one shown by the listening check in step 15 and used in the client configs
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-to-client
duplicate-cn   # allow one user certificate to be connected from several devices at the same time; the trade-off is that a copied certificate can be used alongside the legitimate one without anyone being disconnected
keepalive 10 120
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC   # fallback only; 2.4 peers negotiate AES-256-GCM through cipher negotiation, as the client log further down shows
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
;explicit-exit-notify 1
Nothing in this file checks revocation, so a client certificate stays usable until it expires. To be able to cut off a lost or stolen certificate, revoke it with ./easyrsa revoke NAME, run ./easyrsa gen-crl, copy pki/crl.pem to /etc/openvpn/server/ and add crl-verify /etc/openvpn/server/crl.pem here.
15. Start the server:
systemctl start openvpn.service
[root@izuf64ta6x9o7ecc1dn0pmz ~]# systemctl status openvpn.service
● openvpn.service
   Loaded: loaded (/usr/lib/systemd/system/openvpn.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-09-22 21:14:25 CST; 2 days ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 23452 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/openvpn.service
           └─23452 /usr/local/openvpn/sbin/openvpn --config server.conf

Sep 22 21:14:25 izuf64ta6x9o7ecc1dn0pmz systemd[1]: Stopped openvpn.service.
Sep 22 21:14:25 izuf64ta6x9o7ecc1dn0pmz systemd[1]: Starting openvpn.service...
Sep 22 21:14:25 izuf64ta6x9o7ecc1dn0pmz systemd[1]: Started openvpn.service.
Check the listening port; it has been changed to 11940:
[root@izuf64ta6x9o7ecc1dn0pmz ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      969/nginx: master p
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      969/nginx: master p
tcp        0      0 0.0.0.0:22333           0.0.0.0:*               LISTEN      32353/sshd
tcp        0      0 127.0.0.1:32000         0.0.0.0:*               LISTEN      9668/java
tcp        0      0 0.0.0.0:11940           0.0.0.0:*               LISTEN      23452/openvpn
tcp6       0      0 :::3306                 :::*                    LISTEN      1542/mysqld
[root@izuf64ta6x9o7ecc1dn0pmz ~]#
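The status file written by the status openvpn-status.log directive is the quickest way to see who is connected. As an added example, not part of the original post, the following POSIX shell script parses that file in its default status-version 1 layout and lists common names connected from more than one real address, which is exactly what duplicate-cn above permits: useful for telling a user with two devices from a certificate that has been copied. The sample status file, the names zhangsan and centos7 and all addresses in it are constructed; the functions write_sample_status, list_clients and duplicate_cns are my own.

```shell
#!/bin/sh
# Added example (not from the original post): read the status file written by the
# `status openvpn-status.log` directive and flag common names that are connected
# from more than one real address, which `duplicate-cn` makes possible.

# write_sample_status FILE: constructed sample in the default status-version 1
# layout (the names and addresses are made up, not taken from a real server).
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Fri Sep 25 09:34:27 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
zhangsan,198.51.100.23:51234,123456,654321,Fri Sep 25 08:34:27 2020
zhangsan,203.0.113.77:40012,2048,4096,Fri Sep 25 09:01:10 2020
centos7,192.0.2.10:33411,99999,88888,Thu Sep 24 10:33:18 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,zhangsan,198.51.100.23:51234,Fri Sep 25 09:34:00 2020
10.8.0.10,zhangsan,203.0.113.77:40012,Fri Sep 25 09:33:50 2020
10.8.0.14,centos7,192.0.2.10:33411,Fri Sep 25 09:34:10 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# list_clients FILE: print "common_name real_ip" for each connected client,
# taking only the CLIENT LIST section and stripping the source port.
list_clients() {
    awk -F, '
        /^Common Name,Real Address/ { inlist = 1; next }
        /^ROUTING TABLE/            { inlist = 0 }
        inlist && NF >= 5 {
            ip = $2
            sub(/:[0-9]+$/, "", ip)
            print $1, ip
        }' "$1"
}

# duplicate_cns FILE: common names currently connected from two or more addresses.
# With duplicate-cn off, the server would have dropped the older session instead.
duplicate_cns() {
    list_clients "$1" | sort -u \
        | awk '{ n[$1]++ } END { for (cn in n) if (n[cn] > 1) print cn }' | sort
}

# Stand-alone demo on the constructed sample; on a real server pass the path
# named in the status directive (relative to WorkingDirectory, /etc/openvpn/server).
demo=$(mktemp)
write_sample_status "$demo"
echo "connected clients:"
list_clients "$demo"
echo "common names with more than one concurrent session:"
duplicate_cns "$demo"
rm -f "$demo"
```

On the real server, run duplicate_cns /etc/openvpn/server/openvpn-status.log from cron or a monitoring check; a common name that appears from two addresses at once deserves a question to its owner, since with duplicate-cn set nothing else will ever notice.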
At this point the server-side configuration is complete.
Client configuration:
1. First, add the user on the server by generating its key and certificate:
Go back to the easy-rsa-3.0.7/easyrsa3 directory:
./easyrsa build-client-full zhangsan   # zhangsan is the name of the user being added; change as needed. Without nopass the client key is protected by a pass phrase that the user is prompted for on every connection.
Windows client:
1. Using a download tool, copy the following files from the server to the Windows machine: pki/ca.crt, pki/issued/zhangsan.crt and pki/private/zhangsan.key from easy-rsa-3.0.7/easyrsa3/, plus ta.key from the same easyrsa3 directory. Do not copy ca.key: it is the CA private key, anyone holding it can issue certificates the server will trust, and no client needs it. Install the client program and place the files in C:\Program Files\OpenVPN\config (the default path). Create a zhangsan.ovpn file there and open it in a text editor.
2. Add the client configuration and save:
client
dev tun
proto tcp4
remote your_ip 11940
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert zhangsan.crt
key zhangsan.key
remote-cert-tls server   # only accept a peer certificate carrying the server EKU, so another client's certificate cannot be used to impersonate the server
tls-auth ta.key 1
cipher AES-256-CBC
compress lz4-v2
verb 3
;mute 20
3. Launch the client program and connect; once connected it shows the IP address it was assigned.
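Rather than shipping four separate files plus a config that references them by name, OpenVPN accepts the CA certificate, client certificate, client key and tls-auth key inline inside the .ovpn file. The following POSIX shell script is an added example (not from the original post, and not part of OpenVPN or easy-rsa) that builds such a single-file profile for a client, reading only the four files a client needs from easy-rsa's pki/ directory and ta.key, so ca.key cannot be bundled by mistake. It serves the Linux client below as well; key-direction 1 takes the place of tls-auth ta.key 1 when the key is inline. The functions make_profile, pem_body and make_fake_pki and the FAKE-* placeholder PEM files used for the demo are my own and are assumptions; your_ip and 11940 follow the config above.

```shell
#!/bin/sh
# Added example (not from the original post): build a single-file .ovpn profile
# for a client, with ca.crt, the client certificate, the client key and ta.key
# embedded inline. Only those four files are read; ca.key is never touched.

# pem_body FILE: print just the PEM block. easy-rsa prepends a readable text dump
# to pki/issued/*.crt; OpenVPN tolerates it, but the profile is cleaner without it.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_profile PKI_DIR NAME SERVER PORT TA_KEY OUT
# PKI_DIR is easy-rsa's pki/ directory; TA_KEY is the ta.key generated on the
# server. The directives mirror the client config above; key-direction 1 replaces
# "tls-auth ta.key 1" because the key is inline.
make_profile() {
    pki=$1; name=$2; server=$3; port=$4; takey=$5; out=$6
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$takey"; do
        [ -r "$f" ] || { echo "make_profile: missing $f" >&2; return 1; }
    done
    {
        printf 'client\ndev tun\nproto tcp\nremote %s %s\n' "$server" "$port"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        printf 'remote-cert-tls server\nkey-direction 1\n'
        printf 'cipher AES-256-CBC\ncompress lz4-v2\nverb 3\n'
        printf '<ca>\n';       pem_body "$pki/ca.crt";            printf '</ca>\n'
        printf '<cert>\n';     pem_body "$pki/issued/$name.crt";  printf '</cert>\n'
        printf '<key>\n';      pem_body "$pki/private/$name.key"; printf '</key>\n'
        printf '<tls-auth>\n'; pem_body "$takey";                 printf '</tls-auth>\n'
    } > "$out" && chmod 600 "$out"   # the profile now contains a private key
}

# make_fake_pki DIR NAME: constructed placeholder PEM files so the example runs
# offline; these are not real keys or certificates.
make_fake_pki() {
    mkdir -p "$1/issued" "$1/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'FAKE-CA-CERT' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'FAKE-CA-PRIVATE-KEY' '-----END PRIVATE KEY-----' > "$1/private/ca.key"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'FAKE-CLIENT-CERT' '-----END CERTIFICATE-----' > "$1/issued/$2.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'FAKE-CLIENT-PRIVATE-KEY' '-----END PRIVATE KEY-----' > "$1/private/$2.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'FAKE-TA-KEY' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Stand-alone demo against the placeholder PKI. For a real client, run e.g.
#   make_profile easy-rsa-3.0.7/easyrsa3/pki zhangsan your_ip 11940 easy-rsa-3.0.7/easyrsa3/ta.key zhangsan.ovpn
demo=$(mktemp -d)
make_fake_pki "$demo" zhangsan
make_profile "$demo" zhangsan your_ip 11940 "$demo/ta.key" "$demo/zhangsan.ovpn"
cat "$demo/zhangsan.ovpn"
rm -rf "$demo"
```

The resulting zhangsan.ovpn is the only file that needs to go into C:\Program Files\OpenVPN\config (or /etc/openvpn/client on Linux). It embeds the client's private key, so transfer it over a channel you trust and delete the copy on the server once the client has it.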
Linux client:
1. Certificate generation is the same as above.
Using a download tool, copy pki/ca.crt, pki/issued/zhangsan.crt and pki/private/zhangsan.key from easy-rsa-3.0.7/easyrsa3/, plus ta.key from the same directory, to the Linux client. As with Windows, ca.key stays on the server.
2. Install OpenVPN on the client as described in the server installation above.
3. Point the systemd unit at the client configuration file:
vim /usr/local/openvpn/lib/systemd/system/openvpn-server@.service
### Find the ExecStart line, comment out the original and add the following; client.conf is the client-side configuration file, and the name given to --config must match the file you create in the next step. (The shipped openvpn-client@.service template already sets this working directory, if you prefer to start from that instead.)
WorkingDirectory=/etc/openvpn/client   # set the working directory
ExecStart=/usr/local/openvpn/sbin/openvpn --config client.conf
4. Create the client configuration file and copy the generated certificates into /etc/openvpn/client/:
mkdir -p /etc/openvpn/client/   # create the client directory
touch /etc/openvpn/client/client.conf   # create the main configuration file
It should look like this (centos7 is the user name I created for this host, so the files are named after it):
[root@localhost ~]# ls /etc/openvpn/client/
ca.crt ca.key centos7.conf centos7.crt centos7.key centos7.req pass.txt ta.key
Two of these do not belong on a client: ca.key is the CA private key and should only exist on the signing host, and centos7.req is the signing request, which served its purpose when the certificate was issued. pass.txt is only read by the commented-out auth-user-pass line in the config below.
5. Edit the main configuration file (it lives in /etc/openvpn/client/, the directory listed above):
[root@localhost ~]# cat /etc/openvpn/client/centos7.conf
client
dev tun
proto tcp
remote your_ip 11940   # set your server IP and port
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert centos7.crt
key centos7.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
compress lz4-v2
verb 3
;mute 20
route 10.1.1.0 255.255.255.0 vpn_gateway   # send this network through the tunnel
route 10.1.2.0 255.255.255.0 net_gateway   # keep this network on the local default gateway, even if the server pushes a route for it
;auth-user-pass pass.txt   # would read a username and password from pass.txt if the server also required password authentication (not configured above)
6. Start the service:
systemctl start openvpn.service
[root@localhost ~]# systemctl status openvpn.service
● openvpn.service
   Loaded: loaded (/usr/lib/systemd/system/openvpn.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-09-24 10:33:18 CST; 23h ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 6346 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1
   Memory: 1.1M
   CGroup: /system.slice/openvpn.service
           └─6346 /usr/local/openvpn/sbin/openvpn --config centos7.conf

Sep 25 08:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 08:34:27 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 E...t RSA
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 VERIFY OK: depth=1, CN=Easy-RSA CA
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 VERIFY KU OK
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 Validating certificate extended key usage
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 ++ Certificate has EKU (str) TLS Web Server Au...ation
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 VERIFY EKU OK
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 VERIFY OK: depth=0, CN=server
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' in...t key
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 Incoming Data Channel: Cipher 'AES-256-GCM' in...t key
Sep 25 09:34:27 localhost.localdomain openvpn[6346]: Fri Sep 25 09:34:27 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 E...t RSA
Hint: Some lines were ellipsized, use -l to show in full.
The VERIFY KU / VERIFY EKU lines are remote-cert-tls server at work: the certificate made with build-server-full carries the TLS Web Server Authentication extended key usage, which a certificate made with build-client-full does not, so a client certificate presented by a rogue peer fails this check. The Data Channel lines show AES-256-GCM in use even though both configs say cipher AES-256-CBC, because 2.4 negotiates the data-channel cipher and AES-256-CBC only remains as the fallback.
Check the assigned IP address on the tun0 interface (for example with ip addr show tun0).
This article represents the position of it Header only. Reproduction is prohibited; when quoting, cite the source: https://www.itheader.com/1102.html