安装openvpn软件包
root@Server:~# apt-get install openvpn
//开启系统路由转发
root@Server:~# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
root@Server:~# sysctl -p
net.ipv4.ip_forward = 1
配置easy-rsa
//为vpn创建ca、服务器证书、客户端证书
//进入easy-rsa目录,复制vars样例文件,修改证书信息
root@Server:~# cd /usr/share/easy-rsa/
root@Server:/usr/share/easy-rsa# ls
easyrsa openssl-easyrsa.cnf vars.example x509-types
root@Server:/usr/share/easy-rsa# mv vars.example vars
root@Server:/usr/share/easy-rsa# vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "ZJ"
set_var EASYRSA_REQ_CITY "Hangzhou"
set_var EASYRSA_REQ_ORG "Chinaskills"
set_var EASYRSA_REQ_EMAIL "test@Chinaskills.com"
set_var EASYRSA_REQ_OU "Test OpenVPN"
//pki目录初始化
root@Server:/usr/share/easy-rsa# ./easyrsa init-pki
//创建CA根证书,输入两次pem密码,输入通用名
root@Server:/usr/share/easy-rsa# ./easyrsa build-ca
Enter New CA Key Passphrase:密码
Re-Enter New CA Key Passphrase:密码
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:CA for test OpenVPN
//为vpn服务端创建证书请求及私钥,输入通用名称;nopass 表示服务端私钥不设密码
root@Server:/usr/share/easy-rsa# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]:Server-OpenVPN
//CA签发服务端证书,输入yes,输入CA的pem密码即可
root@Server:/usr/share/easy-rsa# ./easyrsa sign server server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Enter pass phrase for /usr/share/easy-rsa/pki/private/ca.key:密码
//创建Diffie-Hellman参数,需等待片刻
root@Server:/usr/share/easy-rsa# ./easyrsa gen-dh
创建客户端证书
//创建文件夹客户端证书配置,将主目录的easyrsa及配置文件复制进客户端文件夹
root@Server:/usr/share/easy-rsa# mkdir forclient
root@Server:/usr/share/easy-rsa# cp easyrsa openssl-easyrsa.cnf forclient/
root@Server:/usr/share/easy-rsa# cd forclient/
//执行pki初始化
root@Server:/usr/share/easy-rsa/forclient# ./easyrsa init-pki
//创建客户端密钥及证书,输入自定密码及通用名称
root@Server:/usr/share/easy-rsa/forclient# ./easyrsa gen-req client
Enter PEM pass phrase:密码
Verifying - Enter PEM pass phrase:密码
Common Name (eg: your user, host, or server name) [client]:OpenVPN for Client
//切换回原目录,将客户端的证书请求导入到CA
root@Server:/usr/share/easy-rsa/forclient# cd ..
root@Server:/usr/share/easy-rsa# ./easyrsa import-req forclient/pki/reqs/client.req client
//签发客户端证书(<client名称>为上一步 import-req 时指定的名称,此处为 client),输入yes确认,再输入CA的pem密码
root@Server:/usr/share/easy-rsa# ./easyrsa sign client <client名称>
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Enter pass phrase for /usr/share/easy-rsa/pki/private/ca.key:密码
//确保目录中有这些证书密钥文件
root@Server:/usr/share/easy-rsa# tree
.
├── forclient //存放客户端文件夹
│ └── pki
│ ├── private
│ │ └── client.key //客户端私钥
│ ├── reqs
│ └── client.req //客户端证书请求
├── pki //CA的pki文件夹
│ ├── ca.crt //CA根证书
│ ├── dh.pem //DH文件
│ ├── issued
│ │ ├── client.crt //客户端证书(由导入的请求签发)
│ │ └── server.crt //服务端证书
│ └── private
│ ├── ca.key //CA的私钥
│ └── server.key //服务端私钥
//将所有需要用的证书私钥文件复制整理到指定文件夹下(可不做,但后续配置中注意文件路径)
//服务端文件
root@Server:/usr/share/easy-rsa# mkdir -p /CA/server /CA/client
root@Server:/usr/share/easy-rsa# cp pki/ca.crt /CA/server/
root@Server:/usr/share/easy-rsa# cp pki/issued/server.crt /CA/server/
root@Server:/usr/share/easy-rsa# cp pki/private/server.key /CA/server/
root@Server:/usr/share/easy-rsa# cp pki/dh.pem /CA/server/
//客户端文件
root@Server:/usr/share/easy-rsa# cp forclient/pki/private/client.key /CA/client/
root@Server:/usr/share/easy-rsa# cp pki/issued/client.crt /CA/client/
root@Server:/usr/share/easy-rsa# cp pki/ca.crt /CA/client/
root@Server:/CA# tree
. //具体文件如下,不可缺少
├── client
│ ├── ca.crt
│ ├── client.crt
│ └── client.key
└── server
├── ca.crt
├── dh.pem
├── server.crt
└── server.key
2 directories, 7 files
服务端配置
//找到配置文件模板,gunzip解压复制到配置文件目录下
root@Server:/CA# cd /usr/share/doc/openvpn/examples/sample-config-files/
root@Server:/usr/share/doc/openvpn/examples/sample-config-files# gunzip -d server.conf.gz
root@Server:/usr/share/doc/openvpn/examples/sample-config-files# cp server.conf /etc/openvpn/
root@Server:/etc/openvpn# vim server.conf
local 192.168.10.3
port 1194
proto tcp
dev tun
ca /CA/server/ca.crt
cert /CA/server/server.crt
key /CA/server/server.key
dh /CA/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
注释掉模板最后一行 explicit-exit-notify 1(该选项仅适用于 proto udp,与上面的 proto tcp 冲突)
客户端配置
//安装openvpn软件,从CA服务器(Server)上获取所需的文件(参考client树状图)
root@Client:/CA# apt-get install openvpn
root@Client:~# mkdir /CA && cd /CA
root@Client:/CA# sftp root@10.10.100.10
root@10.10.100.10's password:
Connected to root@10.10.100.10.
sftp> cd /CA/client/
sftp> ls
ca.crt client.crt client.key
sftp> get *
//复制client客户端配置模板,编辑
root@Client:/usr/share/doc/openvpn/examples/sample-config-files# cp client.conf /etc/openvpn/
root@Client:/etc/openvpn# vim client.conf
client
dev tun
proto tcp
remote 10.10.100.10 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /CA/ca.crt
cert /CA/client.crt
key /CA/client.key
comp-lzo
verb 3
启动连接OpenVPN
//服务端启动openvpn服务
root@Server:/etc/openvpn# systemctl restart openvpn@server.service
#客户端启动连接;如需在后台运行,可在命令末尾加 &
root@Client:/etc/openvpn# openvpn --config client.conf
。。。。。
Enter Private Key Password: **** //输入私钥密码
。。。。。
Sun Oct 18 04:51:43 2020 Initialization Sequence Completed //连接建立完成
//连接成功后,出现tun0接口
root@Client:~# ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::7613:f6cd:57a6:d056 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 1 bytes 48 (48.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 74 bytes 5286 (5.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
某国赛题目中:
VPN客户拨号使用命令systemctl start openvpn@SERVER03;
这里@是指/etc/openvpn下面对应的conf文件名
停止和禁用服务的命令是
sudo systemctl stop openvpn@client.service
sudo systemctl disable openvpn@client.service
查看服务状态是
sudo systemctl status openvpn@client.service
即需将客户端配置文件命名为 SERVER03.conf(见上文对 @ 的说明),并在创建客户端证书时加参数 nopass,否则以 systemd 方式启动时无法交互输入私钥密码