Installing the packages

The environment is a freshly installed CentOS 7.4 using Aliyun's EPEL and base repositories. I don't know whether other mirrors carry the updated package yet. Without further ado, install the packages directly.

[root@localhost ~]# yum -y install openvpn easy-rsa



Look here: if the version shown is 2.2, go and read that write-up instead.

Configure easy-rsa-3.0

Copy the files

[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# \rm 3 3.0
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

A note on this: normally, after installing easy-rsa-3.0.3, the vars.example file is in /usr/share/doc/easy-rsa-3.0.3/. Some people say they cannot find the file; I have not run into that myself. Your installation method or version probably differs from mine, so I won't dig into it here.

Create a new PKI and CA

[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki    # create an empty PKI
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki
[root@localhost 3.0.3]# ./easyrsa build-ca nopass    # create a new CA, without a passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: (press Enter)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt

Create the server key and certificate request

[root@localhost 3.0.3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key

Sign the server certificate

[root@localhost 3.0.3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

Create the Diffie-Hellman parameters

[root@localhost 3.0.3]# ./easyrsa gen-dh
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

That completes the server-side certificates; next comes the client certificate. The client gets its own, separate easy-rsa tree and PKI: the key and the request are generated there, and only the request (.req) is imported into the CA's PKI for signing, so a client's private key never has to be handed to the CA.

Create the client certificate

Copy the files

[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/
[root@localhost easy-rsa]# \rm 3 3.0
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

Generate the key and certificate request

[root@localhost 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki    # create a new PKI
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki
[root@localhost 3.0.3]# ./easyrsa gen-req dalin nopass    # client certificate named dalin, no passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dalin]: (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/dalin.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key

Finally, sign the client certificate

[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/dalin.req dalin
Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: dalin
You may now use this name to perform signing operations on this request.

[root@localhost 3.0.3]# ./easyrsa sign client dalin
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = dalin

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dalin'
Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/dalin.crt

Organize the certificates

All the certificates have now been generated; let's organize them. Copy out only the files listed below. In particular, pki/private/ca.key stays in the easy-rsa tree: it was created with nopass, so anyone who can read it can issue certificates that this server will trust.

Files needed by the server

[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
[root@localhost certs]# ll
total 20
-rw-------. 1 root root 1172 Apr 11 10:02 ca.crt
-rw-------. 1 root root  424 Apr 11 10:03 dh.pem
-rw-------. 1 root root 4547 Apr 11 10:03 server.crt
-rw-------. 1 root root 1704 Apr 11 10:02 server.key

Files needed by the client

[root@localhost certs]# mkdir /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/dalin.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key /etc/openvpn/client/dalin/
[root@localhost certs]# ll /etc/openvpn/client/dalin/
total 16
-rw-------. 1 root root 1172 Apr 11 10:07 ca.crt
-rw-------. 1 root root 4431 Apr 11 10:08 dalin.crt
-rw-------. 1 root root 1704 Apr 11 10:08 dalin.key

These three files are actually all the client needs. Previously I downloaded the whole directory for convenience, but this time I couldn't be bothered, haha. Next, write the server configuration file. Incidentally, to add another user, start again from ./easyrsa gen-req; for commands such as revoking a user's certificate, look them up yourself with ./easyrsa --help or on the easy-rsa GitHub project page.
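Before moving on to the server, here is an added example (not part of the original post) that does two things with the three client files above: sanity-checks them with openssl, and bundles them into a single inline .ovpn profile that the dalin client can import. The server address 203.0.113.10 and the paths under /etc/openvpn/client/dalin/ are placeholders for your own values. The profile's directives mirror the server.conf used in this post (tcp/1194, comp-lzo), and `remote-cert-tls server` is what makes the distinction between `sign server` and `sign client` above matter on the client side. The check functions need the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post: check the client's three files
# and bundle them into one inline .ovpn profile.
# Assumptions (placeholders, adjust to your environment): the server is
# reachable at 203.0.113.10:1194/tcp and the files live where the post
# copied them, /etc/openvpn/client/dalin/.
set -eu

# Print only the PEM block of a file. easy-rsa's issued certificates carry a
# human-readable dump before the "-----BEGIN CERTIFICATE-----" line, which
# some clients choke on inside <cert> blocks.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Three checks worth running before handing a profile to a user: the cert
# chains to our CA, the key really belongs to that cert, and the cert was
# signed as a *client* cert (EKU clientAuth). Needs openssl.
check_client_files() {
    ca="$1"; crt="$2"; key="$3"
    openssl verify -CAfile "$ca" "$crt" | grep -q ': OK$' \
        || { echo "$crt does not chain to $ca" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | sha256sum)
    [ "$crt_pub" = "$key_pub" ] \
        || { echo "$key does not match $crt" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication' \
        || { echo "$crt lacks the clientAuth EKU (signed with the wrong type?)" >&2; return 1; }
}

# Emit an inline profile on stdout. Directives mirror the post's server.conf
# (tcp/1194, comp-lzo). remote-cert-tls server makes the client reject any
# peer whose certificate was not issued with "easyrsa sign server", so a
# stolen client cert cannot be used to impersonate the VPN server.
make_ovpn() {
    server_addr="$1"; ca="$2"; crt="$3"; key="$4"
    cat <<EOF
client
dev tun
proto tcp
remote ${server_addr} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$crt")
</cert>
<key>
$(pem_only "$key")
</key>
EOF
}

# Usage on the server, once the files above are in place:
#   check_client_files /etc/openvpn/client/dalin/ca.crt \
#       /etc/openvpn/client/dalin/dalin.crt /etc/openvpn/client/dalin/dalin.key \
#   && make_ovpn 203.0.113.10 /etc/openvpn/client/dalin/ca.crt \
#       /etc/openvpn/client/dalin/dalin.crt /etc/openvpn/client/dalin/dalin.key \
#       > /etc/openvpn/client/dalin/dalin.ovpn
```

The resulting dalin.ovpn contains the private key, so move it to the client over an authenticated channel and delete the server-side copy afterwards; the CA's own key never leaves the easy-rsa tree.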

Server configuration file

[root@localhost ~]# vim /etc/openvpn/server.conf
local 192.168.1.113
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 17.166.221.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
comp-lzo
#duplicate-cn
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20
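
For comparison, here is an added example (not from the original post) that writes a hardened variant of this server.conf and audits a config file for the settings that matter. Everything in it comes from the config above except the lines marked ADDED, CHANGED or REMOVED. The ta.key and crl.pem paths are assumed, and the original tunnel pool, 17.166.221.0/24, is public address space (17.0.0.0/8 is Apple's block), so the example swaps in 10.8.0.0/24. It needs OpenVPN 2.4 or later for tls-crypt and AES-256-GCM.

```shell
#!/bin/sh
# Added example, not from the original post: write a hardened variant of the
# server.conf above and audit a config file for the settings that matter.
# The output path comes from the caller; key/cert paths follow the post's
# /etc/openvpn/certs/ layout. Needs OpenVPN 2.4+ (tls-crypt, AES-256-GCM).
# Files referenced here that the post never creates are marked as assumed.
set -eu

write_hardened_server_conf() {
    cat > "$1" <<'EOF'
local 192.168.1.113
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
# ADDED: encrypt and authenticate the control channel with a pre-shared key
# so unauthenticated peers cannot even start a TLS handshake. Create it once
# with:  openvpn --genkey --secret /etc/openvpn/certs/ta.key  (assumed path)
# and ship the same file to every client (tls-crypt /path/ta.key).
tls-crypt /etc/openvpn/certs/ta.key
# ADDED: only accept certs issued with "easyrsa sign client" (EKU clientAuth)
remote-cert-tls client
# ADDED: reject revoked clients. After "./easyrsa revoke <name>" run
# "./easyrsa gen-crl" and copy pki/crl.pem here (assumed path). OpenVPN
# refuses to start if the file is missing, so create it before enabling.
crl-verify /etc/openvpn/certs/crl.pem
# ADDED: pin the data-channel crypto instead of the legacy BF-CBC default
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
ifconfig-pool-persist /etc/openvpn/ipp.txt
# CHANGED: the post used 17.166.221.0/24, which is public (Apple-owned)
# address space; a tunnel pool must come from RFC 1918 space.
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
# redirect-gateway only works if the host forwards (net.ipv4.ip_forward=1)
# and NATs the pool out of its LAN interface; the post does not set that up.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 20 120
# REMOVED: comp-lzo. Compressing before encrypting leaks plaintext
# (VORACLE, 2018); leave compression off on both ends.
#duplicate-cn
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20
EOF
}

# Audit a config file for the hardened settings; exit status only.
# Returns 0 when every directive is present, comp-lzo is gone and the
# tunnel pool is RFC 1918. Run it against the original server.conf too.
audit_server_conf() {
    f="$1"
    for d in '^tls-crypt ' '^remote-cert-tls client$' '^crl-verify ' \
             '^cipher AES-256-GCM$' '^auth SHA256$' '^tls-version-min 1.2$'; do
        grep -q "$d" "$f" || { echo "missing: $d" >&2; return 1; }
    done
    if grep -q '^comp-lzo' "$f"; then echo "comp-lzo still enabled" >&2; return 1; fi
    case "$(sed -n 's/^server \([0-9.]*\) .*/\1/p' "$f")" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "server pool is not RFC 1918" >&2; return 1 ;;
    esac
}

# Usage:
#   write_hardened_server_conf /etc/openvpn/server.conf
#   audit_server_conf /etc/openvpn/server.conf && echo "server.conf OK"
```

Run audit_server_conf against the original /etc/openvpn/server.conf and it stops at the first missing directive; against the written file it passes. The comments inside the config explain each change, including two things the post leaves unsaid: redirect-gateway needs IP forwarding and NAT on the server, and crl-verify needs the CRL file to exist before the service starts.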

Start the service

[root@localhost ~]# systemctl start openvpn@server
