SteveDevin ACM ACG CS CV Security

OpenVPN 配置及使用

2019-05-01
SteveDevin

OpenVPN 配置及使用, 实习时整理的文档

安装

  1. EPEL(Extra Packages for Enterprise Linux)

    • 安装 EPEL

         sudo yum install epel-release
      
    • 若extras源未启用,则

         sudo yum --enablerepo=extras install epel-release
      
    • 检查EPEL源是否安装成功

         sudo yum repolist
      
  2. 安装 openvpn

     sudo yum install openvpn
    
  3. 安装 easy-rsa

     sudo yum install easy-rsa
    
  4. 配置 easy-rsa
    • 复制 easy-rsa 到openvpn安装目录

        cp -R /usr/share/easy-rsa/{$rsa_dir}/ /etc/openvpn/easy-rsa/
        #本次安装使用了3.0.3
      
    • 配置证书密钥

        cd /etc/openvpn/easy-rsa/
      
        ./easyrsa init-pki
        ./easyrsa build-ca nopass
        ./easyrsa build-server-full server nopass
        ./easyrsa build-client-full client1 nopass
        ./easyrsa build-client-full client2 nopass
        ./easyrsa gen-dh
      
        openvpn --genkey --secret ta.key
      
  5. 配置 openvpn
    • 创建所需目录

        #log
        mkdir -p /etc/openvpn/log/
        #user
        mkdir -p /etc/openvpn/server/user
        #ccd
        mkdir -p /etc/openvpn/server/ccd
      
    • 复制所需文件

        cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
        cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
        cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server/
        cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
        cp /etc/openvpn/easy-rsa/pki/ta.key /etc/openvpn/server/
      
    • 创建Server配置文件 server/server.conf

        #################################################
        # This file is for the server side              #
        # of a many-clients <-> one-server              #
        # OpenVPN configuration.                        #
        #                                               #
        # Comments are preceded with '#' or ';'         #
        #################################################
        port 11904
        proto udp
        ## Enable the management interface
        # management-client-auth
        # management localhost 7505 /etc/openvpn/user/management-file
        dev tun     # TUN/TAP virtual network device
        user nobody
        group nobody
        max-clients 20
        ca /etc/openvpn/server/ca.crt
        cert /etc/openvpn/server/server.crt
        key /etc/openvpn/server/server.key
        dh /etc/openvpn/server/dh.pem
        ## Using System user auth.
        # plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
        ## Using Script Plugins
        #auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
        auth-user-pass-verify /etc/openvpn/server/user/auth.sh via-env
        script-security 3
        auth SHA512
        tls-auth /etc/openvpn/server/ta.key 0
        topology subnet
        # client-cert-not-required  # Deprecated option
        verify-client-cert
        username-as-common-name
        ## Connecting clients to be able to reach each other over the VPN.
        client-to-client
        ## Allow multiple clients with the same common name to concurrently connect.
        duplicate-cn
        # client-config-dir /etc/openvpn/server/ccd
        client-config-dir /etc/openvpn/server/ccd
        ifconfig-pool-persist /etc/openvpn/server/ipp.txt
        push "redirect-gatway def1 bypass-dhcp"
        ;server 10.8.1.0 255.255.255.0
        server 10.8.0.0 255.255.255.0
        push "dhcp-option DNS 8.8.8.8"
        #push "dhcp-option DNS 114.114.114.114"
        #push "dhcp-option DNS 1.1.1.1"
        push "route 10.93.0.0 255.255.255.0"
        ;route 10.8.1.0 255.255.255.0
        # comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
        compress lzo
        cipher AES-256-CBC
        ncp-ciphers "AES-256-GCM:AES-128-GCM"
        ## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
        # explicit-exit-notify 1
        keepalive 5 20
        persist-key
        persist-tun
        verb 3
        log /etc/openvpn/log/server.log
        log-append /etc/openvpn/log/server.log
        status /etc/openvpn/log/status.log
        crl-verify server/crl.pem
      
    • 配置文件软连接

        cd /etc/openvpn/server/
        ln -sf server.conf .service.conf
      
    • 创建用户密码文件

        tee /etc/openvpn/server/user/psw-file << EOF
        mytest mytestpass
        EOF
        chmod 600 /etc/openvpn/server/user/psw-file
        chown openvpn:openvpn /etc/openvpn/server/user/psw-file
      
    • 防火墙配置

        firewall-cmd --permanent --add-masquerade
        firewall-cmd --permanent --add-service=openvpn
        # 或者添加自定义端口
        # firewall-cmd --permanent  --add-port=1194/tcp
        firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
        firewall-cmd --reload
      
    • 启动服务

        # 查看service名
        rpm -ql openvpn |grep service
        /usr/lib/systemd/system/openvpn-client@.service
        /usr/lib/systemd/system/openvpn-server@.service
        /usr/lib/systemd/system/openvpn@.service
        # 启动
        systemctl start openvpn-server@.service.service
      
    • 配置客户端 从server上将生成的ca.crt、client1.crt、client1.key、ta.key文件下载到客户端,客户端配置内容C:\Program Files\OpenVPN\config\client.ovpn如下:

        client
        proto tcp-client
        dev tun
        auth-user-pass
        remote yourserver.domain 1194
        ca ca.crt
        cert client1.crt
        key client1.key
        tls-auth ta.key 1
        remote-cert-tls server
        auth-nocache
        persist-tun
        persist-key
        compress lzo
        verb 4
        mute 10
      

使用

参考资料

  1. Install and Configure OpenVPN Server on RHEL / CentOS 8
  2. 完整CentOS搭建OpenVPN服务环境图文教程
  3. CentOS 配置 EPEL 软件源最新软件
  4. Centos7.x 安装Openvpn详解

Similar Posts

上一篇 netstat使用

下一篇 新的开始

Comments