Compiling and installing an OpenVPN service on CentOS 6.3
OpenVPN is open-source VPN software used on Linux gateway servers. As the name suggests, it opens a secure virtual private tunnel so that users can work remotely and reach resources on the internal network.
It runs cross-platform on Linux, xBSD, Mac OS X and Windows, uses OpenSSL as its cryptographic library, and authenticates peers either with certificates or with a username/password, which makes it a rare find among open-source VPN solutions.
The purpose of this exercise is to reproduce the common production case of employees outside the office who need to reach the company's internal OA system, i.e. to make remote work possible.
Solution:
OS: CentOS 6.3 x64
OpenVPN: openvpn-2.3.6.tar.gz
VPN server: eth0: 10.124.151.245 117.78.9.254
VPN client: 192.168.1.100
Intranet server: 172.24.30.10
Route:
client -> Internet -> VPN server -> company intranet
Deployment environment:
Server side
I. Network environment
1. Check the SELinux state and make sure it is disabled
vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
2. Enable packet forwarding on the server
vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
sysctl -p
3. Modify the iptables rules:
Set up NAT:
Note: this makes sure the VPN address pool can be routed out to the Internet
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# service iptables save
4. Allow the OpenVPN port through the firewall:
# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
# iptables -A INPUT -p TCP --dport 7505 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# service iptables save
The protocol in the port 1194 rule has to match the proto line of server.conf: the server.conf in section V below uses proto udp, in which case this rule needs -p udp rather than -p TCP.
5. Time synchronization (important):
# ntpdate asia.pool.ntp.org
Certificate validity periods are checked against the system clock, so a server or client with a wrong clock will reject certificates that are perfectly valid.
II. Install the dependencies
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
III. Install OpenVPN:
(The latest source package can be downloaded from http://openvpn.net/index.php/open-source/downloads.html)
# wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz #2015-03-28
# tar zxvf openvpn-2.3.6.tar.gz
# cd openvpn-2.3.6
# ./configure --prefix=/usr/local/openvpn
# make && make install
# mkdir -p /etc/openvpn
Copy the sample files into the OpenVPN configuration directory:
# cp -Rf sample /etc/openvpn/
Copy the OpenVPN configuration file into the main directory:
# cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
IV. 1. Download easy-rsa:
Note: this package is used to create the CA certificate, the server certificate and the client certificates. The OpenVPN 2.3.0 source tree does not include easy-rsa, so it has to be downloaded and installed separately to generate the certificates OpenVPN uses.
# wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
# unzip master.zip #yum -y install unzip
# cp -Rf easy-rsa-master /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa/easyrsa3 #this is the easyrsa3 version; many articles online describe 2.0, but the same download gives version 3, so this walkthrough records the version 3 procedure
-----------------------------
All of the following commands are run in this directory (pwd: /etc/openvpn/easy-rsa/easyrsa3/)
-----------------------------
2. Edit the vars file according to your own environment
Copy vars.example to vars
cp vars.example vars
Change the fields below: run vi vars, edit them, then save with :wq
set_var EASYRSA_REQ_COUNTRY "CN" #change to suit your own situation
set_var EASYRSA_REQ_PROVINCE "BeiJingShi"
set_var EASYRSA_REQ_CITY "BeiJing"
set_var EASYRSA_REQ_ORG "My_ORG"
set_var EASYRSA_REQ_EMAIL "qingbo.song@apicloud.com"
set_var EASYRSA_REQ_OU "APICloud_OpenVPN"
3. Initialize the /etc/openvpn/easy-rsa/easyrsa3/ directory:
# ./easyrsa init-pki
==================================
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/src/easy-rsa-master/easyrsa3/pki
==================================
4. Create the root certificate
# ./easyrsa build-ca
====================================================
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase: apicloud
Verifying - Enter PEM pass phrase: apicloud --this pass phrase is what signs certificates later
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: apicloud
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
====================================================
Note: in the step above you are asked for a PEM pass phrase, entered twice. You must remember this pass phrase, otherwise you will not be able to sign certificates later. You are also asked for a Common Name; set it to anything you like, as long as it is unique.
5. Create the server certificate
# ./easyrsa gen-req server nopass
====================================================
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:admin --any name will do, but it must differ from the root certificate's
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
====================================================
Sign the server certificate: (sign the server request just created with the CA certificate)
# ./easyrsa sign server server
===================================================
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = admin
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes --type yes to confirm
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: --enter the CA pass phrase, apicloud
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'admin'
Certificate is to be certified until Mar 25 07:45:43 2025 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
================================================================
Create the Diffie-Hellman parameters, the command that lets the key exchange pass safely across an insecure network:
# ./easyrsa gen-dh
================================================
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................+...................................+...................................+...
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
================================================
6. Create the client certificate (pwd: /root/client/easy-rsa/easyrsa3)
Go into root's home directory and create a client folder (any name will do), copy the easy-rsa folder extracted earlier into the client folder, then enter the directory below
# cd /root/
# mkdir client
# cp -Rf /usr/local/src/easy-rsa-master /root/client/easy-rsa
# cd /root/client/easy-rsa/easyrsa3/
A: Initialize the directory:
# ./easyrsa init-pki
==============================
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
==============================
B: Create the client key and certificate request (protected by a client pass phrase)
# ./easyrsa gen-req qingbo #choose your own name
========================================
Generating a 2048 bit RSA private key
...........................................+++
......+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qingbo.key'
Enter PEM pass phrase: --client certificate pass phrase, qingbo
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qingbo]:qingbo --client certificate name
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key
========================================
C: Import the resulting qingbo.req and sign the certificate
=======================
Go to /etc/openvpn/easy-rsa/easyrsa3/
cd /etc/openvpn/easy-rsa/easyrsa3/
Import the req
./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req qingbo
------------------------------------
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qingbo
You may now use this name to perform signing operations on this request.
------------------------------------
Sign the certificate
./easyrsa sign client qingbo #a client certificate is being issued, so the type must be client; qingbo must match the name given when the request was imported
====================================
Signing works the same way as for the server; the CA pass phrase is requested during the process
7. Certificate management
A: A closer look at the generated certificates and keys
Server side: (the /etc/openvpn/easy-rsa/ folder)
===================================
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/qingbo.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt
====================================
Client side: (the /root/client/easy-rsa folder)
====================================
/root/client/easy-rsa/easyrsa3/pki/private/qingbo.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req #this file was imported on the server side, so there is a copy there as well
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
====================================
B: Copy the files to where they belong
/etc/openvpn/ (ca.crt, server.key, server.crt, dh.pem)
================================
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn
================================
/root/client/ (ca.crt, qingbo.crt, qingbo.key)
================================
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt /root/client
# cp /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key /root/client
================================
V. OpenVPN service configuration and startup
1. Copy the template file to /etc/openvpn/ (already done during the source build step)
# cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/
2. Edit server.conf
=====================================
local 119.255.41.233 # replace with your own VPS IP
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
log /usr/local/openvpn/log/openvpn.log
log-append /usr/local/openvpn/log/openvpn.log
status /usr/local/openvpn/log/openvpn-status.log
verb 3
================================
3. Start the OpenVPN service
# /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &
4. Start at boot
# echo "/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf > /dev/null 2>&1 &" >> /etc/rc.local
Error: (what to do?)
======================================
Sat Mar 28 17:39:45 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 28 2015
Sat Mar 28 17:39:45 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Sat Mar 28 17:39:45 2015 Diffie-Hellman initialized with 2048 bit key
Sat Mar 28 17:39:45 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]
Sat Mar 28 17:39:45 2015 TCP/UDP: Socket bind failed on local address [AF_INET]119.255.41.233:1194: Cannot assign requested address
Sat Mar 28 17:39:45 2015 Exiting due to fatal error
======================================
"Cannot assign requested address" is what bind() returns when the address given to the local directive is not configured on any interface of the server (the server in this setup has 10.124.151.245 on eth0). Set local to an address the server actually has, or remove the local line so that OpenVPN listens on all addresses. The directory named by the log and status lines in server.conf also has to exist before the daemon is started.
Client configuration:
I. Install the Windows client (Win7 64-bit)
1. Download the client; installation path D:\Program Files (x86)\OpenVPN
# http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2. Copy the client certificate files generated on the server (ca.crt, qingbo.crt, qingbo.key) to D:\Program Files\OpenVPN\config on the client.
These are the three files under /root/client/
3. Create a client.ovpn file in D:\Program Files\OpenVPN\config
Contents:
==========================
client
dev tun
proto udp
remote 119.255.41.233 1194 # change this to your own VPS IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # the certificate files go here
cert qingbo.crt
key qingbo.key
comp-lzo
verb 3
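Instead of copying ca.crt, qingbo.crt and qingbo.key to the Windows client as three separate files, the three can be embedded in the .ovpn profile itself: OpenVPN reads certificate material from inline <ca>, <cert> and <key> blocks in the profile, and a single file is then all that has to reach the client. The script below is an added example, not code from the original post or from the OpenVPN project. It is run on the server, where /root/client already holds the three files, and writes a profile equivalent to the client.ovpn above plus one extra line, remote-cert-tls server, which makes the client refuse any peer whose certificate was not issued as a server certificate (the server certificate in step IV.5 was signed with sign server, so it passes). The function name, the output file name and the use of the /root/client paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: build one client.ovpn that
# carries ca.crt, the client certificate and the client key as inline
# <ca>/<cert>/<key> blocks, so a single file is copied to the Windows client.
# The directives mirror the client.ovpn shown in the post; remote-cert-tls is
# the one extra hardening line. Run on the server, e.g.:
#   bundle_ovpn /root/client/ca.crt /root/client/qingbo.crt /root/client/qingbo.key 119.255.41.233 /root/client/client.ovpn

# bundle_ovpn <ca.crt> <client.crt> <client.key> <server-ip> <out.ovpn>
bundle_ovpn() {
    if [ "$#" -ne 5 ]; then
        echo "usage: bundle_ovpn ca.crt client.crt client.key server-ip out.ovpn" >&2
        return 2
    fi
    ca="$1"; crt="$2"; key="$3"; remote="$4"; out="$5"
    # refuse to write a profile with a missing piece rather than produce one
    # that fails later with "--ca fails ... No such file or directory"
    for f in "$ca" "$crt" "$key"; do
        if [ ! -r "$f" ]; then
            echo "bundle_ovpn: cannot read $f" >&2
            return 1
        fi
    done
    # the profile contains the private key, so create it owner-readable only;
    # the subshell keeps the umask change from leaking into the caller
    (
        umask 077
        {
            echo "client"
            echo "dev tun"
            echo "proto udp"
            echo "remote $remote 1194"
            echo "resolv-retry infinite"
            echo "nobind"
            echo "persist-key"
            echo "persist-tun"
            # only accept a peer whose certificate was issued as a server
            # certificate (easy-rsa "sign server"), never another client's
            echo "remote-cert-tls server"
            echo "comp-lzo"
            echo "verb 3"
            echo "<ca>";   cat "$ca";  echo "</ca>"
            echo "<cert>"; cat "$crt"; echo "</cert>"
            echo "<key>";  cat "$key"; echo "</key>"
        } > "$out"
    )
}

# allow the file to be run directly as a script with the five arguments
if [ "$#" -eq 5 ]; then
    bundle_ovpn "$@"
fi
```

The generated client.ovpn replaces the three ca/cert/key lines of the profile in step 3; it holds the client's private key, so it is handed to the user over the same channel the key itself would have taken and deleted from the server afterwards. remote-cert-tls server only works when the server certificate carries the server extended key usage, which easy-rsa 3 sets for certificates signed with sign server.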
II. Start the client and test the configuration
Error:
==================================
Options error: --dh fails with '/etc/opensvn/dh.pem': No such file or directory
Options error: --ca fails with '/etc/opensvn/ca.crt': No such file or directory
Options error: --cert fails with '/etc/opensvn/server.crt': No such file or directory
Options error: --key fails with '/etc/opensvn/server.key': No such file or directory
Options error: --status fails with '/usr/local/opensvn/log/openvpn-status.log': No such file or directory
=================================
Every path in these messages is spelled opensvn rather than openvpn, so the ca, cert, key, dh and status lines in server.conf point at directories that do not exist; the paths have to be spelled exactly as the files were copied in step IV.7 (/etc/openvpn/...) and as the log directory is named (/usr/local/openvpn/log/).
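Both failures in this post, the bind error in section V and the five "No such file or directory" errors above, can be caught before the daemon is started. The script below is an added example, not code from the original post or from the OpenVPN project: it parses server.conf, checks that every file named by the ca, cert, key and dh directives exists, that the server certificate verifies against the configured CA, and that the private key belongs to that certificate, and it warns when the key file is readable by other users or when the local address is not configured on any interface. The directive names are OpenVPN's own; the function names, the use of awk, find and ip, and the requirement for the openssl command line tool are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenVPN project:
# a pre-start check for server.conf that catches the failure modes this post
# ran into before the daemon is started. It reads the ca/cert/key/dh/local
# directives (OpenVPN's own names) and checks:
#   1. every referenced file exists          (the "No such file or directory" errors)
#   2. the server certificate chains to the configured CA
#   3. the private key belongs to that certificate
#   4. the key file is not readable by group/others                (warning only)
#   5. a "local" address is configured on some interface           (warning only,
#      the "Cannot assign requested address" bind error)
# Needs the openssl command line tool; awk, find and ip are assumed available.
# Usage: openvpn_preflight /etc/openvpn/server.conf

# conf_get <config> <directive>: first argument of the directive, comments ignored
conf_get() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

openvpn_preflight() {
    conf="$1"; rc=0
    [ -r "$conf" ] || { echo "cannot read config $conf" >&2; return 1; }
    ca=$(conf_get "$conf" ca);   cert=$(conf_get "$conf" cert)
    key=$(conf_get "$conf" key); dh=$(conf_get "$conf" dh)

    # 1. every referenced file must exist
    for f in "$ca" "$cert" "$key" "$dh"; do
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            echo "missing file: '${f:-<directive not set>}'" >&2; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. the server certificate must verify against the configured CA
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ": OK$"; then
        echo "$cert does not verify against $ca" >&2; rc=1
    fi

    # 3. the public key in the certificate must equal the one derived from the key
    #    (</dev/null so an encrypted key fails instead of prompting for a pass phrase)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null || true)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2; rc=1
    fi

    # 4. server.conf itself says the key "should be kept secret"
    if [ -n "$(find "$key" -perm /077 2>/dev/null)" ]; then
        echo "warning: $key is readable by group or others" >&2
    fi

    # 5. "local" must name an address this host actually has, or bind() fails
    loc=$(conf_get "$conf" local)
    if [ -n "$loc" ] && command -v ip >/dev/null 2>&1; then
        if ! ip -o addr show 2>/dev/null | grep -q " $loc/"; then
            echo "warning: local address $loc is not configured on any interface" >&2
        fi
    fi
    return "$rc"
}

# allow the file to be run directly: openvpn_preflight.sh /etc/openvpn/server.conf
if [ "$#" -eq 1 ]; then
    openvpn_preflight "$1"
fi
```

Run it as openvpn_preflight /etc/openvpn/server.conf before the startup command in step V.3; a non-zero exit means one of the hard checks (missing file, certificate not issued by the CA, key and certificate mismatch) failed, and the warnings cover the two conditions that only show up once the daemon binds its socket or serves a client.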
This article comes from the "守望海豚" blog; please keep this source link: http://swht1278.blog.51cto.com/7138082/1626004