Install OpenVPN on CentOS 6.6
VPN basic concepts
VPN
Function: establishes a secure private network over an insecure public network so that data is transmitted encrypted.
VPN and tunneling technology
Tunnel protocols include:
Passenger protocol: the protocol being encapsulated, such as PPP and SLIP
Encapsulation protocol: establishes, maintains and tears down the tunnel, such as L2TP and IPSec
Carrier (bearer) protocol: the protocol that carries the encapsulated packets, such as IP
Instance deployment
I. Environment deployment
Intranet host (slave1): 192.168.1.0/24 (192.168.1.2 on eth0, gateway 192.168.1.1)
vpnserver (master): 192.168.1.1 on eth0 (intranet side), 202.102.1.1 on eth1 (Internet side)
vpnclient (slave2): 202.102.1.2 on eth1
Specify the gateway on the intranet host:
[root@slave1 ~]# ip route
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.1.1 dev eth0
Add the intranet and Internet interface addresses on the VPN server:
[root@master ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:1f:e0:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::20c:29ff:fe1f:e045/64 scope link
       valid_lft forever preferred_lft forever
[root@master ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:1f:e0:4f brd ff:ff:ff:ff:ff:ff
    inet 202.102.1.1/24 brd 202.102.1.255 scope global eth1
    inet6 fe80::20c:29ff:fe1f:e04f/64 scope link
       valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
[root@master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward    # enable IP forwarding so the server can route between the tunnel and the intranet
II. CA certificate issuance
The process is as follows: create a CA, issue a certificate for the VPN server, issue a certificate for the VPN client, and generate the key exchange (Diffie-Hellman) parameter file.
1. Configure the CA and generate the private keys and signed certificates for vpnserver and vpnclient (all of this is done on the vpnserver side)
Install the openvpn software:
[root@vpnserver OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm    # LZO library, used for data compression
[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
Generate the CA private key and certificate file:
[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@vpnserver easy-rsa]# ls
2.0          build-key         build-req       make-crl     revoke-full
build-ca     build-key-pass    build-req-pass  openssl.cnf  sign-req
build-dh     build-key-pkcs12  clean-all       README       vars
build-inter  build-key-server  list-crl        revoke-crt   Windows
[root@vpnserver easy-rsa]# chmod +x *
[root@vpnserver easy-rsa]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="uplooking"
export KEY_EMAIL="ca@example.com"
[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver easy-rsa]# ./clean-all    # clear any previous certificate files under the keys directory
[root@vpnserver easy-rsa]# ./build-ca     # generate the CA private key and certificate
Generating a 1024 bit RSA private key
...
...
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address [ca@example.com]:
[root@vpnserver easy-rsa]# ls    # the keys directory has now been created
2.0          build-key-pass    clean-all    README       Windows
build-ca     build-key-pkcs12  keys         revoke-crt
build-dh     build-key-server  list-crl     revoke-full
build-inter  build-req         make-crl     sign-req
build-key    build-req-pass    openssl.cnf  vars
[root@vpnserver easy-rsa]# ls keys/
ca.crt  ca.key  index.txt  serial
2. Generate the private key and certificate of the vpnserver:
[root@vpnserver easy-rsa]# ./build-key-server vpnserver
Generating a 1024 bit RSA private key
...
...
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []:vpnserver.example.com
Email Address [ca@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'uplooking'
commonName            :PRINTABLE:'vpnserver.example.com'
emailAddress          :IA5STRING:'ca@example.com'
Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]# ls keys/
01.pem  index.txt       serial      vicvpnserver.csr
ca.crt  index.txt.attr  serial.old  vicvpnserver.key
ca.key  index.txt.old   vicvpnserver.crt
3. Generate a private key and certificate for each client:
[root@vpnserver easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
...
...
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []:client1.example.com
Email Address [ca@example.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'uplooking'
commonName            :PRINTABLE:'client1.example.com'
emailAddress          :IA5STRING:'ca@example.com'
Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4. View the generated certificates and private keys
[root@vpnserver easy-rsa]# ls keys/
01.pem  client1.crt  index.txt.attr      serial.old
02.pem  client1.csr  index.txt.attr.old  vicvpnserver.crt
ca.crt  client1.key  index.txt.old       vicvpnserver.csr
ca.key  index.txt    serial              vicvpnserver.key
5. Create the key negotiation (Diffie-Hellman) parameter file
[root@vpnserver easy-rsa]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
III. VPN server configuration
Prerequisite: the ip_forward function must be enabled on the VPN server (done in section I).
1. Put the required key files in place
[root@master keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@master keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
[root@master keys]# ls /etc/openvpn/
ca.crt  vpnserver.crt  vpnserver.key
[root@master easy-rsa]# cp keys/dh1024.pem /etc/openvpn/
2. Configure the VPN server
[root@master ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/    # OpenVPN server configuration template
[root@master ~]# vim /etc/openvpn/server.conf
[root@master ~]# grep -P -v "^(#|;|$)" server.conf    # show only the effective directives
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
3. Start the VPN server
[root@master ~]# service openvpn start
[root@master ~]# chkconfig openvpn on
[root@master ~]# ip addr sh tap0
13: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether 12:31:8b:9a:e3:02 brd ff:ff:ff:ff:ff:ff
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
    inet6 fe80::1031:8bff:fe9a:e302/64 scope link
       valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
IV. VPN client configuration
1. Prepare the basic environment
[root@slave2 ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
    inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
    inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
       valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
[root@slave2 OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm
[root@slave2 OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
2. Copy the corresponding certificate and key from vpnserver
[root@slave2 openvpn]# cd /etc/openvpn/
[root@slave2 openvpn]# ls c*
ca.crt  client1.crt  client1.key
3. Configure the VPN client
[root@slave2 openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
[root@slave2 openvpn]# vi /etc/openvpn/client.conf
[root@slave2 openvpn]# grep -P -v "^(;|#|$)" client.conf
client
dev tap
proto udp
remote vpn.example.com 1194  # this FQDN must resolve to the address of the vpnserver's Internet NIC (202.102.1.1)
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
4. Start and test
[root@slave2 ~]# service openvpn restart
[root@slave2 ~]# chkconfig openvpn on
[root@slave2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:77:2a:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0
    inet6 fe80::20c:29ff:fe77:2a9c/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
    inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
    inet 172.16.80.58/24 scope global eth1
    inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
       valid_lft forever preferred_lft forever
10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/ether c6:b9:f9:45:99:3a brd ff:ff:ff:ff:ff:ff
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0
    inet6 fe80::c4b9:f9ff:fe45:993a/64 scope link
       valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
192.168.1.0/24 via 10.8.0.1 dev tap0    # route to the intranet pushed by the server
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
V. VPN technology expansion
1. Account-based verification
1) Add the following content to /etc/openvpn/server.conf (vim /etc/openvpn/server.conf):
######### auth password ########
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
username-as-common-name
##############################
The three lines above specify the user authentication script; enable user/password authentication without requiring the client's certificate (leave this line commented out, as here, if both certificate and password authentication are wanted); and use the username supplied by the client as the Common Name.
2) Create /etc/openvpn/checkpsw.sh (vim /etc/openvpn/checkpsw.sh) with the following content:
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed
# by one or more space(s) or tab(s) and then the password.
#
# With "auth-user-pass-verify ... via-env", OpenVPN passes the
# client's credentials in the environment variables $username
# and $password; exit status 0 accepts the login, 1 rejects it.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Skip comment lines (starting with ';' or '#') and print the second field of
# the first line whose first field equals the username.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
[root@node4 openvpn]# ll checkpsw.sh
-rwxr--r-- 1 root root 1191 Sep 17 23:52 checkpsw.sh
[root@node4 openvpn]# chown nobody.nobody checkpsw.sh
3) Create the user name and password list file /etc/openvpn/psw-file
File format: username<Tab>password, one user per line
user1	pass
user2	pass
[root@node4 openvpn]# chmod 400 /etc/openvpn/psw-file
[root@node4 openvpn]# chown nobody.nobody /etc/openvpn/psw-file
4) Modify the configuration file of the VPN client
First, comment out the certificate lines (you may also leave them in place and keep certificate authentication as well):
;cert client1.crt
;key client1.key
Second, add the directive that makes the client send a user name and password for verification:
auth-user-pass
2. Install the Windows VPN client
1) From http://openvpn.se/files/ download the OpenVPN GUI for Windows that matches the OpenVPN version running on the server.
a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe
2) Run openvpn-2.0.9-gui-1.0.3-install.exe and accept the default settings.
3) Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Different users use different certificates; each certificate consists of two files, a .crt and a .key, such as client2.crt and client2.key.)
4) Create a client configuration file based on /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn: create the configuration file on the server, then upload it to the client.
a) Change proto udp to proto tcp
b) Change the remote line to
remote 192.168.1.103 1194
c) Change the three certificate lines to
ca ca.crt
cert client1.crt
key client1.key
d) Comment out comp-lzo.
Connection: right-click the OpenVPN icon in the lower right corner and select "Connect". Normally the connection succeeds and an address from the VPN pool is allocated.
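The server.conf of section III and the client.conf of section IV must agree on proto, dev, comp-lzo and port before a client can connect. As an added example (not part of the original tutorial), the Python script below parses both files the way the grep above filters them and reports every mismatch; the parse_conf and check_pair functions are mine, the embedded configs are constructed from this page, and the Windows variant applies the step 4 edits (proto tcp, comp-lzo commented out) against the udp server, which the check flags. It assumes OpenVPN 2.0.x semantics, where nothing is pushed to reconcile these directives.

```python
# Added example, not from the tutorial: compare an OpenVPN client.conf with the
# server.conf it will connect to. Assumes OpenVPN 2.0.x semantics, where proto,
# dev and comp-lzo must agree on both sides (nothing is pushed to fix them).
def parse_conf(text):
    """Return {directive: [args, ...]}, dropping blank lines and lines starting
    with '#' or ';' like the page's grep -P -v "^(#|;|$)" (and trailing '#')."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def _first(conf, key, default):
    return conf[key][0] if key in conf else default

def check_pair(server_text, client_text):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    # 'tcp-server', 'tcp-client' and 'udp6' all reduce to plain tcp or udp
    sproto, cproto = (_first(x, "proto", ["udp"])[0].split("-")[0].rstrip("46") for x in (s, c))
    if sproto != cproto:
        problems.append("proto mismatch: server %s, client %s" % (sproto, cproto))
    sdev, cdev = (_first(x, "dev", ["?"])[0][:3] for x in (s, c))  # tap0 -> tap
    if sdev != cdev:
        problems.append("dev mismatch: server %s, client %s" % (sdev, cdev))
    sport = _first(s, "port", ["1194"])[0]
    for remote in c.get("remote", []):
        rport = remote[1] if len(remote) > 1 else _first(c, "port", ["1194"])[0]
        if rport != sport:
            problems.append("remote %s uses port %s but server listens on %s" % (remote[0], rport, sport))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on only one side")
    if "auth-user-pass-verify" in s and "auth-user-pass" not in c:
        problems.append("server verifies username/password but client lacks auth-user-pass")
    if "client-cert-not-required" not in s and not ("cert" in c and "key" in c):
        problems.append("server requires a client certificate but client lacks cert/key")
    return problems

# Constructed inputs: the page's server.conf and client.conf, plus the Windows
# client after the section V.2 edits (proto tcp, comp-lzo commented out).
SERVER_CONF = ("local 202.102.1.1\nport 1194\nproto udp\ndev tap\nca ca.crt\n"
               "cert vpnserver.crt\nkey vpnserver.key  # This file should be kept secret\n"
               "dh dh1024.pem\nserver 10.8.0.0 255.255.255.0\ncomp-lzo\n")
CLIENT_CONF = ("client\ndev tap\nproto udp\nremote vpn.example.com 1194\n"
               "ca ca.crt\ncert client1.crt\nkey client1.key\ncomp-lzo\n")
WINDOWS_CONF = ("client\ndev tap\nproto tcp\nremote 192.168.1.103 1194\n"
                "ca ca.crt\ncert client1.crt\nkey client1.key\n;comp-lzo\n")

if __name__ == "__main__":
    for name, conf in (("linux client", CLIENT_CONF), ("windows client", WINDOWS_CONF)):
        print("%s: %s" % (name, check_pair(SERVER_CONF, conf) or "consistent"))
```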