Enterprise CentOS 7 OpenVPN Network Tunnel in Practice

6 November 2018 10:50:43

I. OpenVPN introduction

OpenVPN is an open-source application that creates a private network over the public Internet. Before we begin we need the Extra Packages for Enterprise Linux (EPEL) repository installed. What follows is a tutorial on setting up an OpenVPN server and a client on CentOS 7.

II. How OpenVPN works

① The technical core of OpenVPN is the virtual network interface; the second building block is its SSL/TLS implementation.

② The virtual network interface in OpenVPN

  A virtual network interface is a driver implemented with low-level network programming. Installing it adds a non-physical interface to the host that can be configured like any other interface. A service program can open the virtual interface from user space: when an application (a web browser, say) sends data to the virtual interface, the service program can read it, and when the service program writes suitable data to the virtual interface, the application receives it. Virtual interfaces exist on many operating systems, which is one important reason OpenVPN is cross-platform.

  In OpenVPN, when a user accesses a remote virtual address (an address from the range assigned to the virtual interface, as distinct from a real address), the operating system's routing sends the packet (TUN mode) or frame (TAP mode) to the virtual interface. The service program receives it, processes it (encrypts and encapsulates it) and sends it out over the physical network through a socket. That completes one direction of the transfer; the reverse direction is the mirror image: when the remote service program receives data from the network on its socket, it processes it (decrypts and decapsulates it) and writes it to its own virtual interface, where the application receives it.

III. Environment

One server with two NICs, one internal and one external, with Internet access:

[root@node03 ~]# ip a|grep  "scope global"|awk -F '[ /]+' '{print $3}'|head -1
192.168.56.13 #internal address
[root@node03 ~]# curl ifconfig.me
203.93.25.8  #external address
[root@node03 ~]# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core) 
[root@node03 ~]# uname -a
Linux node03 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

IV. Server configuration

1. Install the EPEL repository

 yum -y install epel-release

2. Install OpenVPN
First we install OpenVPN itself. We also install Easy-RSA, which generates the CA, certificates and keys that protect the VPN connection. (libssl-dev, which the original package list also named, is a Debian package name that does not exist on CentOS; openvpn already pulls in openssl as a dependency, so nothing else is needed.)

yum install -y openvpn easy-rsa

The EPEL package is Easy-RSA 3 (3.0.3 here). Its vars file uses set_var lines; the export KEY_* lines known from Easy-RSA 2 are silently ignored. Edit the copy named vars that step 3.1 places beside the easyrsa script, not the example under /usr/share/doc:

[root@node03 3.0.3]# vi vars
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY     "Beijing"
set_var EASYRSA_REQ_ORG      "douge"
set_var EASYRSA_REQ_EMAIL    "598759292@qq.com"
set_var EASYRSA_REQ_OU       "dgstack"
Note: these fields only appear in the certificate subject when set_var EASYRSA_DN "org" is also set; in the default cn_only mode, which the output below uses, the subject contains only the Common Name. The defaults work fine, so the file can also be left unmodified.
There is no need to run source vars: easyrsa reads ./vars from its working directory by itself, which the "Note: using Easy-RSA configuration from: ./vars" line in the output below confirms.

3. Prerequisites for generating keys and certificates
3.1 Create the directory that will hold the keys and certificates, and put the files needed to generate them in place:

[root@node03 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/
[root@node03 ~]# cd /etc/openvpn/easy-rsa/
[root@node03 easy-rsa]# ls
3  3.0  3.0.3
[root@node03 easy-rsa]# \rm 3 3.0      # 3 and 3.0 are symlinks to 3.0.3; remove them so there is a single copy
[root@node03 easy-rsa]# cd 3.0.3/
[root@node03 3.0.3]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
[root@node03 3.0.3]# ls
easyrsa  openssl-1.0.cnf  vars  x509-types

3.2 Generate the certificates
Create a new PKI and a CA

[root@node03 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@node03 3.0.3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki
[root@node03 3.0.3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...................+++
.......+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.CZQUjkGyxP'
Enter PEM pass phrase:  # set a passphrase (the CA asks for it every time it signs a server or client certificate)
Verifying - Enter PEM pass phrase: # repeat it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  # press Enter to accept the default, or type another name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt
If you prefer an unencrypted CA key, append nopass; the Enter PEM pass phrase prompt then does not appear. An unencrypted CA key is protected by file permissions alone, so only do this where the PKI directory itself is adequately protected.
Example: [root@node03 3.0.3]# ./easyrsa build-ca nopass

4. Create the server certificate

[root@node03 3.0.3]# ./easyrsa gen-req server nopass    # nopass: the server key is not encrypted, so the daemon can start unattended

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.....................+++
.......+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.PFx5iTbV51'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: # press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key

5. Sign the server certificate
Sign the server's request with the CA. easyrsa first shows the request details for confirmation; type yes, then enter the passphrase you set during build-ca. Signing with the server type adds the serverAuth extended key usage that clients later check with remote-cert-tls server.

[root@node03 3.0.3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes    # type yes to confirm
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key: # the passphrase set when the CA was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Nov  2 05:42:00 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

6. Create the Diffie-Hellman parameters
This takes a while; be patient.

[root@node03 3.0.3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

Generate the ta key file (the TLS-auth HMAC key)

openvpn --genkey --secret /etc/openvpn/ta.key

ta.key is a shared secret: the server and every client must hold the same file, with key direction 0 on the server and 1 on the clients. It lets OpenVPN discard packets that do not carry a valid HMAC before the TLS handshake even starts, which shields the server from port scans and from attacks on the TLS stack by unauthenticated peers.

V. Client certificate

7. Create the client certificate
Copy the files

[root@node03 3.0.3]# mkdir /etc/openvpn/client/
[root@node03 3.0.3]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@node03 3.0.3]# cd /etc/openvpn/client/easy-rsa
[root@node03 easy-rsa]# ll
total 0
lrwxrwxrwx 1 root root  5 Nov  5 13:49 3 -> 3.0.3
lrwxrwxrwx 1 root root  5 Nov  5 13:49 3.0 -> 3.0.3
drwxr-xr-x 3 root root 62 Nov  5 13:49 3.0.3
[root@node03 easy-rsa]# \rm 3 3.0
[root@node03 easy-rsa]# cd 3.0.3/
[root@node03 3.0.3]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
[root@node03 3.0.3]# 

This second PKI directory holds only client keys and certificate requests; it is the same layout a client would use to generate its own key on its own machine, which keeps the private key off the server. Here, for simplicity, everything is done on the server and the key is copied to the client afterwards.

8. Initialise: this creates a pki directory under the current directory for the intermediate files and the generated certificates

[root@node03 3.0.3]# pwd 
/etc/openvpn/client/easy-rsa/3.0.3
[root@node03 3.0.3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki

9. Generate the client key and request. Repeat from this step for every additional user.

[root@node03 3.0.3]# ./easyrsa gen-req wang nopass  # the client certificate is named wang; nopass leaves the private key unencrypted

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..........................................................................................................+++
.......+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/wang.key.uIiu7kbnub'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [wang]: # press Enter to accept the default, or type another name

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/wang.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/wang.key

10. Sign the client certificate
The request is signed by the CA created in step 3, so the signing is done in the server's PKI directory, not in the client PKI (which has no CA and needs none). Do not run build-ca a second time here: a client certificate signed by a second CA cannot be verified with the ca.crt the server uses, and the TLS handshake fails with a certificate verification error. import-req is the Easy-RSA command for bringing a request generated elsewhere into the CA's PKI:

[root@node03 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3
[root@node03 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/wang.req wang

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: wang
You may now use this name to perform signing operations on this request.

[root@node03 3.0.3]# ./easyrsa sign client wang

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = wang


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes    # type yes to confirm
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key: # the passphrase set during build-ca in step 3
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'wang'
Certificate is to be certified until Nov  2 07:55:01 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/wang.crt

Note: give the CA, the server and every client a distinct Common Name. OpenVPN identifies connected clients by the CN of their certificate, and unless duplicate-cn is set in server.conf, a second client presenting the same CN displaces the session of the first.

VI. Collect the required files

1. Server side

[root@node03 3.0.3]# mkdir /etc/openvpn/certs
[root@node03 3.0.3]# cd /etc/openvpn/certs
[root@node03 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem  ./
[root@node03 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt  ./
[root@node03 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt ./
[root@node03 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key ./
[root@node03 certs]# cp /etc/openvpn/ta.key  ./
[root@node03 certs]# ls
ca.crt  dh.pem  server.crt  server.key ta.key

2. Client side

[root@node03 certs]# mkdir /etc/openvpn/client/wang
[root@node03 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/wang/
[root@node03 certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/wang.crt  /etc/openvpn/client/wang/
[root@node03 certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/wang.key /etc/openvpn/client/wang/
[root@node03 certs]# cd /etc/openvpn/client/wang
[root@node03 wang]# ll
total 16
-rw------- 1 root root 1172 Nov  5 16:11 ca.crt
-rw------- 1 root root 4418 Nov  5 16:13 wang.crt
-rw------- 1 root root 1704 Nov  5 16:13 wang.key
[root@node03 wang]# cp /etc/openvpn/ta.key  ./
[root@node03 wang]# ls
ca.crt  ta.key  wang.crt  wang.key

The client needs exactly these four files: the CA certificate (the same ca.crt the server uses, because both sides verify each other against one CA), its own certificate and private key, and the shared ta.key. Transfer them to the client over an authenticated channel (scp, not e-mail), and delete wang.key from the server once the client has it; the server never needs a client's private key.
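As an added check (example script, not part of the original post or of Easy-RSA): before the bundles above are copied to the server and the client, verify that they are consistent. The script builds a throwaway PKI with plain openssl commands (not with easyrsa, so it runs on any machine that has openssl) mirroring this page's layout, including a client certificate signed by a second, unrelated CA, and runs check_bundle over each bundle the way you would over /etc/openvpn/certs and /etc/openvpn/client/wang. The names Easy-RSA CA, server, wang and qiuyuetao are the page's; the file layout inside the temporary directory is the script's own assumption.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check an assembled OpenVPN
# bundle before shipping it. For ca.crt / <name>.crt / <name>.key it confirms that
# the certificate was issued by that CA, that the private key belongs to the
# certificate, that a server certificate carries the serverAuth extended key usage
# which clients verify with "remote-cert-tls server", and that the private key is
# not group- or world-readable. make_pki builds a constructed test PKI with plain
# openssl (not Easy-RSA); its names mirror the page.

set -u

# check_bundle CA CERT KEY [server|client]  ->  0 if consistent, 1 otherwise
check_bundle() {
    ca=$1; crt=$2; key=$3; role=${4:-client}
    # 1. chain: the certificate must verify against exactly this CA
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt was not issued by $ca"; return 1; }
    # 2. key/cert match: compare public keys instead of trusting file names
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $crt"; return 1; }
    # 3. role: a server certificate needs the serverAuth EKU (easyrsa sign server adds it)
    if [ "$role" = server ]; then
        openssl x509 -in "$crt" -noout -text | grep -A1 'Extended Key Usage' \
            | grep -q 'TLS Web Server Authentication' \
            || { echo "FAIL: $crt lacks the serverAuth EKU required by remote-cert-tls server"; return 1; }
    fi
    # 4. the private key must be readable by its owner only (ls -l columns 5-10 are group/other)
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "FAIL: $key is readable by group or others"; return 1; }
    echo "OK: $crt chains to $ca, key matches, role=$role"
}

# make_pki DIR: one CA, a server cert, a client cert, plus the same client request
# signed by a *second* CA, reproducing the mistake of running build-ca twice.
make_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    (
        cd "$dir" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -config req.cnf -extensions v3_ca \
            -subj "/CN=Easy-RSA CA" -days 3650 -keyout ca.key -out ca.crt >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=server" \
            -keyout server.key -out server.req >/dev/null 2>&1
        openssl x509 -req -in server.req -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -extfile server.ext -out server.crt >/dev/null 2>&1
        openssl req -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=wang" \
            -keyout wang.key -out wang.req >/dev/null 2>&1
        openssl x509 -req -in wang.req -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 3650 -extfile client.ext -out wang.crt >/dev/null 2>&1
        # the mistake: an unrelated second CA signing the same request
        openssl req -x509 -newkey rsa:2048 -nodes -config req.cnf -extensions v3_ca \
            -subj "/CN=qiuyuetao" -days 3650 -keyout ca2.key -out ca2.crt >/dev/null 2>&1
        openssl x509 -req -in wang.req -CA ca2.crt -CAkey ca2.key -CAcreateserial \
            -days 3650 -extfile client.ext -out wang-wrongca.crt >/dev/null 2>&1
        chmod 600 ca.key ca2.key server.key wang.key
    )
}

# demo: the checks as you would run them on /etc/openvpn/certs and /etc/openvpn/client/wang
demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || return 1
    check_bundle "$d/ca.crt" "$d/server.crt" "$d/server.key" server || return 1
    check_bundle "$d/ca.crt" "$d/wang.crt"   "$d/wang.key"   client || return 1
    # a client certificate from a second CA must be rejected, just as the server would reject it
    if check_bundle "$d/ca.crt" "$d/wang-wrongca.crt" "$d/wang.key" client; then
        echo "unexpected: certificate from an unrelated CA passed"; return 1
    fi
    rm -rf "$d"
}

demo
```

Against the real files, run check_bundle /etc/openvpn/certs/ca.crt /etc/openvpn/certs/server.crt /etc/openvpn/certs/server.key server and check_bundle /etc/openvpn/client/wang/ca.crt /etc/openvpn/client/wang/wang.crt /etc/openvpn/client/wang/wang.key. The wrong-CA case is exactly what a second build-ca in the client PKI would produce; OpenVPN rejects such a certificate with a verification error during the TLS handshake.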

VII. Write the server configuration file

7.1 The openvpn package ships a sample server.conf in its documentation directory; copy it to /etc/openvpn

[root@node03 certs]# rpm -ql openvpn|grep server.conf
[root@node03 certs]# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/

7.2 Edit the configuration file

vim /etc/openvpn/server.conf
local 0.0.0.0     # listen address (0.0.0.0 = every interface)
port 1194     # listen port
proto tcp     # protocol; the client must use the same one. UDP is OpenVPN's default and performs better (TCP inside TCP stalls badly on packet loss); tcp is chosen here because it passes through more restrictive networks
dev tun     # routed (layer 3) tunnel mode
ca /etc/openvpn/certs/ca.crt      # CA certificate
cert /etc/openvpn/certs/server.crt       # server certificate
key /etc/openvpn/certs/server.key  # server private key; keep this file secret
dh /etc/openvpn/certs/dh.pem     # Diffie-Hellman parameters
tls-auth /etc/openvpn/certs/ta.key 0     # HMAC key from section IV step 6, direction 0 on the server and 1 on clients; a client configured with tls-auth cannot complete the handshake without this line
server 10.8.0.0 255.255.255.0     # address pool handed to clients; must not overlap the server's internal LAN
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"      # make the tunnel the client's default route (all client traffic goes through the VPN)
push "dhcp-option DNS 8.8.8.8"        # DNS server pushed to clients
client-to-client       # let clients talk to each other
keepalive 10 120       # ping every 10 s; declare the peer dead after 120 s without a reply
comp-lzo      # compression; deprecated in 2.4, must be matched by the client, and leaks information when encrypted traffic mixes secrets with attacker-controlled data. Remove it unless you need it
cipher AES-256-CBC     # data-channel cipher, matching the client config; two 2.4 peers negotiate AES-256-GCM among themselves anyway
max-clients 100     # at most 100 concurrent clients
user openvpn       # drop privileges to this user after start-up
group openvpn      # and to this group
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
verb 3

Every directive is documented at length in the sample file. All of the lines above already exist there, so we only need to remove the leading # and adjust the values to our own setup.

7.3 Settings after configuration

[root@node03 openvpn]# mkdir /var/log/openvpn
[root@node03 openvpn]# chown -R openvpn.openvpn /var/log/openvpn/
[root@node03 openvpn]# chown -R openvpn.openvpn /etc/openvpn

The second chown exists only so that the daemon, once it has dropped to user openvpn, can still write ipp.txt into its working directory. OpenVPN reads the certificates and private keys while it is still root, before switching user, so the keys themselves need not be readable by the openvpn account: keep server.key and ta.key at mode 600. The chown also sweeps up the CA private key under /etc/openvpn/easy-rsa/3.0.3/pki/private/; that key is needed only for signing, so change its owner back to root (mode 600) or, better, keep the CA off the VPN server altogether, so that a compromise of the service account cannot issue new client certificates.

VIII. Configure iptables rules and kernel forwarding

[root@node03 openvpn]# yum install iptables -y
[root@node03 openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE    # NAT the VPN pool behind the server's own address

[root@node03 openvpn]# iptables -vnL -t nat    # confirm the rule is in place

[root@node03 openvpn]# vim /etc/sysctl.conf    # enable IP forwarding

net.ipv4.ip_forward = 1

[root@node03 openvpn]# sysctl -p

Two caveats. First, a rule added with iptables -A lives only until the next reboot; CentOS 7 uses firewalld by default, so either add the masquerade there or install iptables-services and save the rules with service iptables save. Second, port 1194/tcp must be reachable from the clients: if the INPUT chain has a DROP policy, or a firewall in front of the server filters the port, clients never get as far as the TLS handshake.
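As an added example (not from the original post) of how a practitioner would script this section so it can be re-run safely: vpn_rules emits the rule set for the page's parameters (pool 10.8.0.0/24, 1194/tcp) and apply_rules appends each rule only when iptables -C reports it absent, so repeated runs do not stack duplicate rules. Besides the page's MASQUERADE rule it adds an explicit INPUT accept for the listening port and FORWARD rules for the tunnel interface, so the setup does not depend on the chains' default policies. The WAN interface name eth0 is an assumption; substitute the interface that carries the public address.

```sh
#!/bin/sh
# Added example (not from the original post): generate the firewall rules an
# OpenVPN server needs and apply them idempotently. Parameters mirror the page
# (VPN pool 10.8.0.0/24, port 1194/tcp); the WAN interface name is an assumption.

# vpn_rules VPN_NET WAN_IF PORT PROTO: one rule per line as "TABLE CHAIN <match ...>"
vpn_rules() {
    net=$1; wan=$2; port=$3; proto=$4
    cat <<EOF
filter INPUT -i $wan -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
filter FORWARD -i tun+ -s $net -o $wan -j ACCEPT
filter FORWARD -i $wan -o tun+ -d $net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
nat POSTROUTING -s $net -j MASQUERADE
EOF
}

# rule_present TABLE CHAIN MATCH...: 0 if iptables already holds exactly this rule
rule_present() { t=$1; ch=$2; shift 2; iptables -t "$t" -C "$ch" "$@" 2>/dev/null; }

# apply_rules VPN_NET WAN_IF PORT PROTO: append each rule only when it is absent (run as root)
apply_rules() {
    vpn_rules "$@" | while read -r table chain spec; do
        # shellcheck disable=SC2086  # spec is intentionally split into separate arguments
        rule_present "$table" "$chain" $spec || iptables -t "$table" -A "$chain" $spec
    done
}

# forwarding_enabled: the MASQUERADE rule is useless unless the kernel routes between tun0 and the WAN
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# count_rules VPN_NET WAN_IF PORT PROTO: number of rules in the generated set
count_rules() { vpn_rules "$@" | wc -l | tr -d ' '; }
```

Apply with apply_rules 10.8.0.0/24 eth0 1194 tcp as root, confirm that forwarding_enabled succeeds after sysctl -p, then persist the result with iptables-save > /etc/sysconfig/iptables, the file the iptables service (iptables-services) restores at boot.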

IX. Start the openvpn service

[root@node03 openvpn]# openvpn  /etc/openvpn/server.conf ## start the server in the foreground (fine for a first test; the log goes to /var/log/openvpn/openvpn.log)
[root@node03 ~]# ss -lntup|grep 1194
# If port 1194 is not listening after start-up, the server failed to start: usually a mistake in the configuration file or insufficient permissions on a file it needs. Check /var/log/openvpn/openvpn.log.
For a daemon that survives logout and reboots, use the systemd unit the package ships: systemctl enable --now openvpn@server, which reads /etc/openvpn/server.conf.

X. Connect a client to OpenVPN

OpenVPN client download
My client is Windows 7: download the installer, double-click it and accept all defaults.
Then copy the client files from the server (ca.crt, wang.crt, wang.key and ta.key from /etc/openvpn/client/wang/) into the OpenVPN config directory, and copy the client profile from the sample-config directory into config, edited as follows:

client
dev tun
proto tcp     # must match the server
remote 192.168.56.13 1194   # an address of the server that the client can reach: the internal address only works from the 192.168.56.0/24 LAN; from the Internet use the public address (203.93.25.8 in section III)
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert wang.crt
key wang.key
remote-cert-tls server     # accept only a certificate with the server extended key usage, so another client's certificate cannot impersonate the server
tls-auth ta.key 1          # direction 1 on the client, 0 on the server
cipher AES-256-CBC
verb 3
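As an added check (example script, not code from the original post or from OpenVPN): the server and client configurations must agree on protocol, device type, port, tls-auth and its key direction, cipher and compression, and OpenVPN reports a disagreement only as a failed or hanging handshake in the log. check_pair compares a server.conf with a client .ovpn and names each mismatch. write_samples constructs three files for the demonstration: a server.conf with two common mistakes (no tls-auth line although the client uses one, and comp-lzo enabled on the server only), the client profile above, and a corrected server.conf. The paths and the 192.168.56.13 address are the page's, not a live host.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check an OpenVPN server.conf
# against a client .ovpn for the mismatches that make the handshake fail.
# The sample configurations below are constructed for this demonstration.

# opt FILE KEY [FIELD]: FIELD-th word (default 2) of the first line whose first
# word is KEY; a trailing "# comment" never interferes because the value precedes it
opt() {
    awk -v k="$2" -v f="${3:-2}" '$1 == k { print $f; exit }' "$1"
}

# proto_of FILE: "tcp", "tcp-server" and "tcp-client" all mean TCP
proto_of() { opt "$1" proto | sed 's/^tcp.*/tcp/'; }

# has FILE REGEX: 0 if some line starts with a directive matching REGEX
has() { grep -q -E "^($2)"'([[:space:]]|$)' "$1"; }

# check_pair SERVER_CONF CLIENT_CONF: one line per problem; exit status = number of problems
check_pair() {
    s=$1; c=$2; n=0
    [ "$(proto_of "$s")" = "$(proto_of "$c")" ] \
        || { echo "proto mismatch: server=$(opt "$s" proto) client=$(opt "$c" proto)"; n=$((n+1)); }
    [ "$(opt "$s" dev)" = "$(opt "$c" dev)" ] \
        || { echo "dev mismatch: server=$(opt "$s" dev) client=$(opt "$c" dev)"; n=$((n+1)); }
    [ "$(opt "$s" port)" = "$(opt "$c" remote 3)" ] \
        || { echo "port mismatch: server listens on $(opt "$s" port), client dials $(opt "$c" remote 3)"; n=$((n+1)); }
    if has "$s" tls-auth && has "$c" tls-auth; then
        # key direction must be 0 on the server and 1 on the client (or omitted on both)
        sdir=$(opt "$s" tls-auth 3); cdir=$(opt "$c" tls-auth 3)
        { [ "$sdir" = 0 ] && [ "$cdir" = 1 ]; } || { [ -z "$sdir" ] && [ -z "$cdir" ]; } \
            || { echo "tls-auth direction must be 0 on the server and 1 on the client (got '$sdir' / '$cdir')"; n=$((n+1)); }
    elif has "$s" tls-auth || has "$c" tls-auth; then
        echo "tls-auth configured on one side only: the other side cannot complete the TLS handshake"; n=$((n+1))
    fi
    sc=$(opt "$s" cipher); cc=$(opt "$c" cipher)
    if [ -n "$sc" ] && [ -n "$cc" ] && [ "$sc" != "$cc" ]; then
        echo "cipher mismatch: server=$sc client=$cc"; n=$((n+1))
    fi
    # compression is deprecated in 2.4; if the server still enables it, the client must too
    if has "$s" 'comp-lzo|compress' && ! has "$c" 'comp-lzo|compress'; then
        echo "compression enabled on the server but not on the client"; n=$((n+1))
    fi
    return "$n"
}

# write_samples DIR: a flawed server.conf, the client profile, and a corrected server.conf
write_samples() {
    dir=$1; mkdir -p "$dir" || return 1
    cat > "$dir/server-flawed.conf" <<'EOF'
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
comp-lzo
user openvpn
group openvpn
EOF
    cat > "$dir/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 192.168.56.13 1194
nobind
ca ca.crt
cert wang.crt
key wang.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
EOF
    # corrected: tls-auth with direction 0, cipher stated explicitly, compression dropped
    grep -v '^comp-lzo' "$dir/server-flawed.conf" > "$dir/server-fixed.conf"
    printf 'tls-auth /etc/openvpn/certs/ta.key 0\ncipher AES-256-CBC\n' >> "$dir/server-fixed.conf"
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d" || return 1
    echo "== flawed server.conf vs client.ovpn"
    check_pair "$d/server-flawed.conf" "$d/client.ovpn" || echo "-> $? problem(s) found"
    echo "== corrected server.conf vs client.ovpn"
    check_pair "$d/server-fixed.conf" "$d/client.ovpn" && echo "-> consistent"
    rm -rf "$d"
}

demo
```

Run check_pair /etc/openvpn/server.conf client.ovpn after every change to either file; an exit status of 0 means the two agree on everything the script knows how to compare.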

Start the client
(1) Start it; note that it must be started with administrator privileges, because it has to create the TAP adapter and the routes.

Comments

爱学习: Finally found a document that actually deploys successfully.