1 OpenVPN Introduction
1.1 About VPNs
Private network: a private network is a dedicated line set up between two networks (for example, Beijing and Guangzhou). You do not physically lay fibre or other cabling yourself; instead you lease a dedicated line from a telecom carrier, and only your own traffic is carried on it. That makes it secure and stable, but also expensive.
VPN: Virtual Private Network. A VPN is used to transmit data securely over insecure links.
1.2 OpenVPN
OpenVPN: an open-source VPN implementation. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnelling through proxies, and NAT. It also supports dynamic IP addresses and DHCP, scales to hundreds or thousands of users, and is portable to most mainstream operating systems.
Official site: https://openvpn.net
GitHub: https://github.com/OpenVPN/openvpn
Figure: OpenVPN overview diagram
2 OpenVPN Deployment
2.1 Preparing the OpenVPN Deployment Environment
Official documentation: https://openvpn.net/community-resources/how-to/
Either of the following two environments can be used for the OpenVPN deployment.
2.1.1 Environment 1: Alibaba Cloud OpenVPN lab environment
Figure: preparing the Alibaba Cloud network lab environment
1 Create a VPC on Alibaba Cloud
Specify the region and availability zone
VPC name zhang-net1, CIDR block 172.16.0.0/12
vSwitch name zhang-net1-sw1, availability zone A, IPv4 CIDR block 172.30.0.0/24
Security group: open port 22
2 Create one instance with a public IP for the OpenVPN server
3 Create two instances without public IPs for the internal LAN servers
4 Reset the passwords of all instances
5 Modify the security group to open port 1194 for TCP and UDP
Figure: the prepared instances
The two internal web servers do not need a gateway configured
Figure: firewall rule configuration
2.1.2 Environment 2: LAN OpenVPN lab environment
Four hosts in total
1 OpenVPN server:
CentOS 8.2
eth0: 10.0.0.8/24, NAT mode, simulating a public IP
eth1: 172.30.0.1/24, host-only mode, private IP
2 Two internal hosts
First host
eth0: 172.30.0.100/24, host-only mode, private IP, no gateway needed
Second host
eth0: 172.30.0.200/24, host-only mode, private IP, no gateway needed
3 Windows client
Windows 10
2.2 Installing the OpenVPN Packages
2.2.1 Checking Versions
2.2.1.1 Check the OpenVPN version on the official site
Visit the official site: https://openvpn.net
2.2.1.2 Check the OpenVPN version on different operating systems
The OpenVPN version in the EPEL repository for CentOS is newer than the one in the Ubuntu repositories, so OpenVPN is deployed on CentOS 8 below.
Example: checking the OpenVPN version on CentOS
[11:58:01 root@openvpn-server ~]#yum list openvpn
Repository epel is listed more than once in the configuration
Extra Packages for Enterprise Linux Modular 8 - x86_64 153 kB/s | 537 kB 00:03
Available Packages
openvpn.x86_64 2.4.10-1.el8 epel
[12:03:21 root@openvpn-server ~]#yum list easy-rsa
Repository epel is listed more than once in the configuration
Last metadata expiration check: 0:00:32 ago on Tue 26 Jan 2021 12:03:20 PM CST.
Available Packages
easy-rsa.noarch 3.0.8-1.el8 epel
2.2.2 Installing OpenVPN
2.2.2.1 Install OpenVPN and the certificate tool
#OpenVPN server
[12:03:52 root@openvpn-server ~]#yum install -y openvpn
#Certificate management tool
[12:05:19 root@openvpn-server ~]#yum install -y easy-rsa
2.2.2.2 View the files in the packages
[12:06:00 root@openvpn-server ~]#rpm -ql openvpn
[12:06:08 root@openvpn-server ~]#rpm -ql easy-rsa
2.2.2.3 Prepare the configuration files
#Generate the server configuration file
[12:06:38 root@openvpn-server ~]#cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
#Prepare the certificate-issuing files
[12:08:04 root@openvpn-server ~]#cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
#Prepare the variables file used when issuing certificates
[12:09:41 root@openvpn-server ~]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
#It is advisable to lengthen the validity period of the certificates issued to the CA and to the OpenVPN server
[12:10:40 root@openvpn-server ~]#vim /etc/openvpn/easy-rsa-server/3/vars
#The CA certificate validity defaults to 10 years and can be extended, for example to 36500 days
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 36500
#The server certificate validity defaults to 825 days and can be extended, for example to 3650 days
#set_var EASYRSA_CERT_EXPIRE 825
set_var EASYRSA_CERT_EXPIRE 3650
[12:13:37 root@openvpn-server ~]#tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa-server
│ ├── 3 -> 3.0.8
│ ├── 3.0 -> 3.0.8
│ └── 3.0.8
│ ├── easyrsa
│ ├── openssl-easyrsa.cnf
│ ├── vars
│ └── x509-types
│ ├── ca
│ ├── client
│ ├── code-signing
│ ├── COMMON
│ ├── email
│ ├── kdc
│ ├── server
│ └── serverClient
├── server
└── server.conf
7 directories, 12 files
2.3 Preparing the Certificate Files
2.3.1 Initialize the PKI and the CA environment
2.3.1.1 Usage of the easyrsa script
[12:13:44 root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-server/3
[12:15:01 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-server/3
[12:15:13 root@openvpn-server 3]#file ./easyrsa
./easyrsa: POSIX shell script, ASCII text executable
[12:15:20 root@openvpn-server 3]#./easyrsa
2.3.1.2 Initialize the PKI: generate the PKI directories and files
[12:15:24 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[12:16:02 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-server/3
[12:16:06 root@openvpn-server 3]#ls
easyrsa openssl-easyrsa.cnf vars x509-types
#Initialize: generates the pki directory and its files under the current directory
[12:16:07 root@openvpn-server 3]#./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[12:16:32 root@openvpn-server 3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files
2.3.2 Create the CA
[12:17:24 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[12:17:26 root@openvpn-server 3]#tree pki/
pki/
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 2 files
[12:17:30 root@openvpn-server 3]#./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................................................................................................................................................+++++
....................................................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----------------------------------------------
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #accept the default and press Enter
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt #the self-signed CA certificate
[12:17:51 root@openvpn-server 3]#tree pki/
pki/
├── ca.crt #self-signed CA certificate
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key #CA private key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 7 files
#CA-related files
[12:18:56 root@openvpn-server 3]#cat pki/serial
01
[12:19:56 root@openvpn-server 3]#ll pki/index.txt
-rw------- 1 root root 0 Jan 26 12:17 pki/index.txt
[12:20:04 root@openvpn-server 3]#ll pki/ca.crt pki/private/ca.key
-rw------- 1 root root 1204 Jan 26 12:17 pki/ca.crt
-rw------- 1 root root 1679 Jan 26 12:17 pki/private/ca.key
[12:20:27 root@openvpn-server 3]#cat pki/ca.crt
[12:20:42 root@openvpn-server 3]#openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10:7d:56:bc:cf:2d:3a:fe:20:be:9a:71:24:f2:84:c4:37:61:a7:38
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Easy-RSA CA
Validity
Not Before: Jan 26 04:17:51 2021 GMT
Not After : Jan 2 04:17:51 2121 GMT
Subject: CN = Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
28:C8:D7:DA:B9:F6:B6:8D:A1:02:46:D2:7E:F6:F7:B8:5F:9A:80:34
X509v3 Authority Key Identifier:
keyid:28:C8:D7:DA:B9:F6:B6:8D:A1:02:46:D2:7E:F6:F7:B8:5F:9A:80:34
DirName:/CN=Easy-RSA CA
serial:10:7D:56:BC:CF:2D:3A:FE:20:BE:9A:71:24:F2:84:C4:37:61:A7:38
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
2.3.3 Create the server certificate request
[12:21:19 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[12:22:15 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-server/3
#Create the server certificate request file; "server" is the file name prefix
[12:28:59 root@openvpn-server 3]#./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
........................................................................................................+++++
....+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-11496.syBWUN/tmp.KB9HvC'
------------------------------------------------------------------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----------------------------------------------
Common Name (eg: your user, host, or server name) [server]: #accept the default Common Name
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req #generated request file
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key #generated private key file
[12:29:17 root@openvpn-server 3]#tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key #private key file
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req #request file
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 9 files
2.3.4 Issue the server certificate
2.3.4.1 View the usage of the certificate-signing command
[12:23:55 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[12:25:06 root@openvpn-server 3]#./easyrsa help sign
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
sign-req
Sign a certificate request of the defined type. must be a known
type such as 'client', 'server', 'serverClient', or 'ca' (or a user-added type.)
This request file must exist in the reqs/ dir and have a .req file
extension. See import-req below for importing reqs from other sources.
2.3.4.2 Issue the server certificate
#Sign the server.req request above, issuing a certificate of type server
[12:30:25 root@openvpn-server 3]#./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
#the validity period set in the vars file
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-11533.UjZ9m9/tmp.xGm4NL
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jan 24 04:31:32 2031 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt
#server certificate file generated
2.3.4.3 Verify the result
[12:31:32 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[12:32:54 root@openvpn-server 3]#tree pki/
pki/
├── ca.crt
├── certs_by_serial
│ └── 5D3B930AA9D6B0AF69E65FA76C6251C4.pem #server certificate file
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt #server certificate file
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 14 files
[12:32:57 root@openvpn-server 3]#diff pki/certs_by_serial/5D3B930AA9D6B0AF69E65FA76C6251C4.pem pki/issued/server.crt
[12:34:24 root@openvpn-server 3]#ll !*
ll pki/certs_by_serial/5D3B930AA9D6B0AF69E65FA76C6251C4.pem pki/issued/server.crt
-rw------- 1 root root 4608 Jan 26 12:31 pki/certs_by_serial/5D3B930AA9D6B0AF69E65FA76C6251C4.pem
-rw------- 1 root root 4608 Jan 26 12:31 pki/issued/server.crt
#certificate-related files
[12:34:35 root@openvpn-server 3]#cat pki/serial
5D3B930AA9D6B0AF69E65FA76C6251C5
[12:35:09 root@openvpn-server 3]#cat pki/index.txt
V 310124043132Z 5D3B930AA9D6B0AF69E65FA76C6251C4 unknown /CN=server
[12:35:29 root@openvpn-server 3]#cat pki/serial.old
5d3b930aa9d6b0af69e65fa76c6251c4
2.3.5 Create the Diffie-Hellman Parameters
2.3.5.1 The Diffie-Hellman algorithm
The Diffie-Hellman key exchange method was published in 1976 by Bailey Whitfield Diffie and Martin Edward Hellman. It is a security protocol that lets two parties with no prior information about each other establish a shared key over an insecure channel; that key is normally used as the key for symmetric encryption of the data the two parties exchange afterwards. The mathematical basis of DH is the discrete logarithm problem. Asymmetric algorithms such as RSA serve a similar purpose. DH is used very widely, including in SSH, VPNs and HTTPS.
Wikipedia reference: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
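A worked exchange over a safe prime with generator 2, the group shape that easyrsa gen-dh writes to dh.pem, added here as an illustration; this is not code from the tutorial, OpenVPN or easy-rsa. It assumes a 64-bit toy group so the search and the exchange finish instantly (the real dh.pem holds a 2048-bit prime) and includes the public-value check a peer should apply before computing the shared secret.

```python
import secrets
from typing import Callable, Dict, Tuple

# Deterministic Miller-Rabin bases: proven exact for every n < 3.3e24, which covers the
# 64-bit toy modulus used below, so the primality answers here are not probabilistic.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 (q prime) with p >= start.

    This is the shape behind OpenSSL's "2048 bit long safe prime, generator 2" message.
    Every safe prime above 7 is congruent to 11 mod 12, so only those candidates are tried.
    """
    p = start + (11 - start % 12) % 12
    while not (is_prime((p - 1) // 2) and is_prime(p)):
        p += 12
    return p


def keypair(p: int, g: int = 2,
            rand_below: Callable[[int], int] = secrets.randbelow) -> Tuple[int, int]:
    """Private exponent x in [2, q-1] and the public value g^x mod p that is sent to the peer."""
    q = (p - 1) // 2
    x = 2 + rand_below(q - 2)
    return x, pow(g, x, p)


def check_public_value(p: int, y: int) -> None:
    """Partial public-key validation for a safe-prime group.

    With p = 2q + 1 the only subgroups smaller than q are {1} and {1, p-1}, so a peer value
    outside the open interval (1, p-1) would pin the shared secret to 1 or p-1. Rejecting
    that range is the whole check such a group needs.
    """
    if not 1 < y < p - 1:
        raise ValueError("invalid DH public value from peer")


def shared_secret(p: int, x: int, peer_public: int) -> int:
    check_public_value(p, peer_public)
    return pow(peer_public, x, p)


def demo_exchange(p: int, g: int = 2) -> Dict[str, int]:
    """Both sides of the exchange: each keeps its exponent and sends only g^x mod p."""
    a, pub_a = keypair(p, g)  # client side
    b, pub_b = keypair(p, g)  # server side
    return {"client": shared_secret(p, a, pub_b), "server": shared_secret(p, b, pub_a)}


if __name__ == "__main__":
    # Toy 64-bit group (constructed for this example; real parameters are 2048-bit).
    P = find_safe_prime(1 << 62)
    print(f"p = {P:#x}, q prime: {is_prime((P - 1) // 2)}")
    result = demo_exchange(P)
    print("shared secrets match:", result["client"] == result["server"])
```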
2.3.5.2 Create the Diffie-Hellman parameters
[12:35:32 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[12:37:16 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-server/3
#Method 1
[12:37:18 root@openvpn-server 3]#./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................+ #this takes a while
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem
#View the generated file
[12:37:54 root@openvpn-server 3]#ll pki/dh.pem
-rw------- 1 root root 424 Jan 26 12:37 pki/dh.pem
[12:38:53 root@openvpn-server 3]#cat pki/dh.pem
#Method 2
[12:39:01 root@openvpn-server 3]#openssl dhparam -out /root/dh2048.pem 2048
2.3.6 Prepare the client certificate environment
The server-side certificate setup above is complete; the client certificate is configured next.
[13:48:50 root@openvpn-server ~]#cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
#optional
[13:49:30 root@openvpn-server ~]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-client/3/vars
[13:50:40 root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-client/3
[13:50:53 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-client/3
[13:50:54 root@openvpn-server 3]#ls
easyrsa openssl-easyrsa.cnf vars x509-types
[13:50:57 root@openvpn-server 3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
1 directory, 11 files
#Generate the pki directory and files needed for certificate requests (run ./easyrsa init-pki here, as in 2.3.1.2)
[13:52:04 root@openvpn-server 3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files
2.3.7 Create the client certificate request
[13:52:08 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-client/3
[13:52:41 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-client/3
[13:52:45 root@openvpn-server 3]#./easyrsa gen-req zhangzhuo nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
....+++++
......+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-11853.FRpJUj/tmp.Jr13E6'
------------------------------------------------------------------------------------------------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----------------------------------------------
Common Name (eg: your user, host, or server name) [zhangzhuo]: #accept the default and press Enter
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/zhangzhuo.req #certificate request file
key: /etc/openvpn/easy-rsa-client/3/pki/private/zhangzhuo.key #private key file
#two new files generated
[13:53:11 root@openvpn-server 3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ └── zhangzhuo.key
│ ├── reqs
│ │ └── zhangzhuo.req
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 15 files
2.3.8 Issue the client certificate
[13:54:22 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[13:54:54 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-server/3
#Import the client certificate request file into the CA's working directory
[13:55:38 root@openvpn-server 3]#./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/zhangzhuo.req zhangzhuo
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
The request has been successfully imported with a short name of: zhangzhuo
You may now use this name to perform signing operations on this request.
[13:55:45 root@openvpn-server 3]#tree pki/
pki/
├── ca.crt
├── certs_by_serial
│ └── 5D3B930AA9D6B0AF69E65FA76C6251C4.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── server.req
│ └── zhangzhuo.req #imported file
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 16 files
[13:56:13 root@openvpn-server 3]#ll pki/reqs/zhangzhuo.req /etc/openvpn/easy-rsa-client/3/pki/reqs/zhangzhuo.req
-rw------- 1 root root 891 Jan 26 13:53 /etc/openvpn/easy-rsa-client/3/pki/reqs/zhangzhuo.req
-rw------- 1 root root 891 Jan 26 13:55 pki/reqs/zhangzhuo.req
#Change the validity period of the certificate issued to the client
[13:57:19 root@openvpn-server 3]#vim vars
set_var EASYRSA_CERT_EXPIRE 180 #change the previous 3650 to 180
#Issue the client certificate
[13:58:41 root@openvpn-server 3]#./easyrsa sign client zhangzhuo
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 180 days:
subject=
commonName = zhangzhuo
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-11993.LhxZXn/tmp.Fl00WC
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'zhangzhuo'
Certificate is to be certified until Jul 25 05:59:46 2021 GMT (180 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/zhangzhuo.crt
#certificate file
[13:59:46 root@openvpn-server 3]#tree pki/
pki/
├── ca.crt
├── certs_by_serial
│ ├── 5D3B930AA9D6B0AF69E65FA76C6251C4.pem
│ └── 8EB7E418B1FE1715BCBB73A513498893.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ ├── server.crt
│ └── zhangzhuo.crt #client certificate generated
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── server.req
│ └── zhangzhuo.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 18 files
[14:01:01 root@openvpn-server 3]#cat pki/index.txt
V 310124043132Z 5D3B930AA9D6B0AF69E65FA76C6251C4 unknown /CN=server
V 210725055946Z 8EB7E418B1FE1715BCBB73A513498893 unknown /CN=zhangzhuo
[14:01:47 root@openvpn-server 3]#ll pki/issued/
total 16
-rw------- 1 root root 4608 Jan 26 12:31 server.crt
-rw------- 1 root root 4499 Jan 26 13:59 zhangzhuo.crt
[14:01:57 root@openvpn-server 3]#ll pki/certs_by_serial/
total 16
-rw------- 1 root root 4608 Jan 26 12:31 5D3B930AA9D6B0AF69E65FA76C6251C4.pem
-rw------- 1 root root 4499 Jan 26 13:59 8EB7E418B1FE1715BCBB73A513498893.pem
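The index.txt database shown in 2.3.4.3 and just above is the CA's record of every certificate it has issued; the following added example (not part of the tutorial or of easy-rsa) parses it and reports which certificates are revoked, expired, or, like the 180-day client certificate, close to expiry. The two V rows are copied from the tutorial; the R row, the utc() helper and the field layout (the OpenSSL ca database: six tab-separated columns) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample database. Columns: status, expiry, revocation time, serial,
# filename, subject DN. "R" rows carry a revocation time; "V" rows leave it empty.
SAMPLE_INDEX = (
    "V\t310124043132Z\t\t5D3B930AA9D6B0AF69E65FA76C6251C4\tunknown\t/CN=server\n"
    "V\t210725055946Z\t\t8EB7E418B1FE1715BCBB73A513498893\tunknown\t/CN=zhangzhuo\n"
    "R\t210801000000Z\t210301120000Z\t0123456789ABCDEF0123456789ABCDEF\tunknown\t/CN=old-laptop\n"
)


@dataclass
class Entry:
    status: str  # V = valid, R = revoked, E = expired (written after `openssl ca -updatedb`)
    expires: datetime
    revoked_at: Optional[datetime]
    serial: str
    subject: str

    @property
    def common_name(self) -> str:
        for rdn in self.subject.split("/"):
            if rdn.startswith("CN="):
                return rdn[3:]
        return self.subject


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_time(stamp: str) -> datetime:
    """OpenSSL UTCTime as written to index.txt: YYMMDDHHMMSSZ, always UTC."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[Entry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 tab-separated fields, got {len(fields)}")
        status, expiry, revocation, serial, _filename, subject = fields
        # A revocation field may read "<time>,<reason>"; only the time part is parsed.
        revoked_at = parse_time(revocation.split(",")[0]) if revocation else None
        entries.append(Entry(status, parse_time(expiry), revoked_at, serial, subject))
    return entries


def days_left(entry: Entry, now: datetime) -> float:
    return (entry.expires - now).total_seconds() / 86400


def report(entries: List[Entry], now: datetime, warn_days: int = 30) -> Dict[str, str]:
    """Map each certificate's CN to revoked / expired / expiring / valid.

    Revocation wins over everything else; an entry still marked V whose expiry has passed
    is reported as expired even though the CA has not rewritten its status yet.
    """
    result = {}
    for e in entries:
        if e.status == "R":
            state = "revoked"
        elif e.status == "E" or e.expires <= now:
            state = "expired"
        elif days_left(e, now) <= warn_days:
            state = "expiring"
        else:
            state = "valid"
        result[e.common_name] = state
    return result


if __name__ == "__main__":
    for cn, state in report(parse_index(SAMPLE_INDEX), datetime.now(timezone.utc)).items():
        print(f"{cn:12} {state}")
```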
2.3.9 Copy the CA and server certificate files into the server's directory
[14:03:01 root@openvpn-server ~]#mkdir /etc/openvpn/certs
[14:03:11 root@openvpn-server ~]#cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[14:03:43 root@openvpn-server ~]#cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[14:04:05 root@openvpn-server ~]#cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[14:04:24 root@openvpn-server ~]#cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
[14:04:41 root@openvpn-server ~]#ll /etc/openvpn/certs/
total 20
-rw------- 1 root root 1204 Jan 26 14:03 ca.crt
-rw------- 1 root root 424 Jan 26 14:04 dh.pem
-rw------- 1 root root 4608 Jan 26 14:04 server.crt
-rw------- 1 root root 1704 Jan 26 14:04 server.key
2.3.10 Copy the client private key and certificate files into the corresponding directory on the server
[14:04:59 root@openvpn-server ~]#mkdir /etc/openvpn/client/zhangzhuo
[14:06:59 root@openvpn-server ~]#find /etc/openvpn/ -name "zhangzhuo.key" -o -name "zhangzhuo.crt" -o -name "ca.crt"
/etc/openvpn/easy-rsa-server/3.0.8/pki/issued/zhangzhuo.crt
/etc/openvpn/easy-rsa-server/3.0.8/pki/ca.crt
/etc/openvpn/easy-rsa-client/3.0.8/pki/private/zhangzhuo.key
/etc/openvpn/certs/ca.crt
[14:08:50 root@openvpn-server ~]#find /etc/openvpn/ \( -name "zhangzhuo.key" -o -name "zhangzhuo.crt" -o -name "ca.crt" \) -exec cp {} /etc/openvpn/client/zhangzhuo \;
[14:09:08 root@openvpn-server ~]#ll /etc/openvpn/client/zhangzhuo/
total 16
-rw------- 1 root root 1204 Jan 26 14:09 ca.crt
-rw------- 1 root root 4499 Jan 26 14:09 zhangzhuo.crt
-rw------- 1 root root 1704 Jan 26 14:09 zhangzhuo.key
2.4 Preparing the OpenVPN Server Configuration File
2.4.1 Server configuration file explained
#In server.conf, lines beginning with # or ; are comments
[root@centos8 ~]#grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d #IP address to listen on; defaults to all local IPs
port 1194 #port
;proto tcp #protocol; TCP is recommended for production
proto udp #default protocol
;dev tap #create an Ethernet tunnel. A tap device lets complete Ethernet frames pass through the OpenVPN tunnel and can carry non-IP protocols such as IPX and AppleTalk; tap is equivalent to an Ethernet device and operates on layer-2 packets, i.e. Ethernet frames
dev tun #create a routed IP tunnel; tun is recommended for production and is what is used over the Internet. A tun device is mostly used for IP-based communication; it emulates a network-layer device and operates on layer-3 packets such as IP datagrams
;dev-node MyTap #TAP-Win32 adapter; not needed on non-Windows systems
ca ca.crt #CA certificate file
cert server.crt #server certificate file
key server.key #server private key file
dh dh2048.pem #DH parameters file
;topology subnet
server 10.8.0.0 255.255.255.0 #address pool from which clients get an IP after connecting; by default the server takes the first IP, 10.8.0.1, which acts as the clients' gateway
ifconfig-pool-persist ipp.txt #assign fixed IPs to clients; not needed, commenting it out is recommended
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 #bridge-mode configuration; not needed, commenting it out is recommended
;server-bridge
;push "route 192.168.10.0 255.255.255.0" #static route created on the client to the subnet behind the server, with the OpenVPN server's 10.8.0.1 as next hop
;push "route 192.168.20.0 255.255.255.0" #push route information to clients so that they can reach other private subnets behind the server
;client-config-dir ccd #add routes for a specific client; these are usually the internal subnets behind the client rather than behind the server, and need not be set
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script #run an external script to create iptables rules for different groups; no configuration needed
;push "redirect-gateway def1 bypass-dhcp" #when enabled, all client traffic goes through the VPN server, so it is generally not configured in production
;push "dhcp-option DNS 208.67.222.222" #push DNS servers to clients; not needed
;push "dhcp-option DNS 208.67.220.220"
;client-to-client #allow different clients to communicate with each other directly; insecure, generally not configured in production
;duplicate-cn #several users share one certificate; generally only for test environments. In production every user has their own certificate, so there is no need to enable this
keepalive 10 120 #interval and timeout of the server's liveness checks: by default a ping every 10 seconds, and if there is no reply within 120 seconds the peer is considered down
tls-auth ta.key 0 #security hardening against DoS and similar attacks. Generate the key with: openvpn --genkey --secret ta.key. The server and every client need a copy of this key; the second parameter must be '0' on the server and '1' on the client
cipher AES-256-CBC #encryption algorithm
;compress lz4-v2 #enable the new compression algorithm of OpenVPN 2.4.x
;push "compress lz4-v2" #push the new compression algorithm to clients; do not use together with comp-lzo below
;comp-lzo #compression setting compatible with old clients; requires compression to be enabled on the client. New versions such as OpenVPN 2.4.x need not enable it
;max-clients 100 #maximum number of clients
;user nobody #user and group the openvpn service runs as
;group nobody
persist-key #by default the key files are re-read when the VPN service restarts; with this option the key files read the first time are kept. No need to enable in production
persist-tun #with this option the tun or tap device stays up across a restart of the VPN service instead of going down and then up again. No need to enable in production
status openvpn-status.log #OpenVPN status file, written once a minute
;log openvpn.log #first logging method, with the log path; log truncates the log file whenever OpenVPN starts, so it is not recommended
;log-append openvpn.log #second logging method, with the log path; after an OpenVPN restart new entries are appended after the previous log. Recommended for production
verb 3 #log level, 0-9; the higher the level, the more detail is recorded. 0 runs silently and records only fatal errors; 4 is reasonable for normal use; 5 and 6 help debug connection errors; 9 is extremely verbose
;mute 20 #only the first 20 messages of the same category are written to the log file
explicit-exit-notify 1 #tell clients to reconnect automatically after the server restarts; only usable in UDP mode. TCP mode reconnects after a disconnect without this option, and enabling it together with TCP prevents the openvpn service from starting, so it must not be enabled when using TCP
2.4.2 Modify the server configuration file
[14:09:29 root@openvpn-server ~]#vim /etc/openvpn/server.conf
port 1194 #listening port
proto tcp #protocol; udp can also be used
dev tun #create a routed IP tunnel
ca /etc/openvpn/certs/ca.crt #CA certificate file location
cert /etc/openvpn/certs/server.crt #server certificate file location
key /etc/openvpn/certs/server.key #server private key file location
dh /etc/openvpn/certs/dh.pem #DH parameters file, i.e. the key exchange algorithm file
server 10.0.0.0 255.255.255.0 #address pool from which clients get an IP after connecting
push "route 172.30.0.0 255.255.255.0" #static route created on the client to the subnet behind the server
keepalive 10 120 #interval and timeout of the server's liveness checks
cipher AES-256-CBC #encryption algorithm
compress lz4-v2 #enable the new compression algorithm of OpenVPN 2.4.x
push "compress lz4-v2" #push the new compression algorithm to clients
max-clients 2048 #maximum number of clients
user openvpn #user and group the openvpn service runs as
group openvpn
status /var/log/openvpn/openvpn-status.log #OpenVPN status file, written once a minute
log-append /var/log/openvpn/openvpn.log #second logging method
verb 3 #log level
mute 20 #only the first 20 messages of the same category are written to the log file
#Prepare the log directory
[14:22:29 root@openvpn-server ~]#getent passwd openvpn
openvpn:x:988:985:OpenVPN:/etc/openvpn:/sbin/nologin
[14:23:02 root@openvpn-server ~]#mkdir /var/log/openvpn
[14:23:31 root@openvpn-server ~]#chown openvpn: /var/log/openvpn
[14:23:41 root@openvpn-server ~]#ll -d /var/log/openvpn/
drwxr-xr-x 2 openvpn openvpn 6 Jan 26 14:23 /var/log/openvpn/
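The constraints listed in 2.4.1 (explicit-exit-notify only with UDP, compress never together with comp-lzo, tls-auth direction 0 on the server, log-append rather than log, user/group set, client-to-client and duplicate-cn kept out of production) can be checked mechanically before the service is restarted. The following added example, which is not code from the tutorial or from OpenVPN, parses a server.conf and reports them; SAMPLE_CONF is a constructed copy of the 2.4.2 file without its annotations, and BAD_CONF is a constructed counter-example.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed copy of the server.conf this tutorial arrives at in 2.4.2, without the
# inline annotations (a real file does not carry them).
SAMPLE_CONF = """\
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.0.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
"""
# Constructed counter-example combining the settings 2.4.1 warns against.
BAD_CONF = """\
proto tcp
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
explicit-exit-notify 1
client-to-client
compress lz4-v2
comp-lzo
tls-auth ta.key 1
log openvpn.log
"""

Directive = Tuple[str, List[str]]
Finding = Tuple[str, str, str]  # (level, code, message)


def parse_conf(text: str) -> List[Directive]:
    """Split server.conf into (directive, args). Lines starting with # or ; are comments,
    a trailing # comment is dropped, and a quoted argument such as push "route ..." stays whole."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def check_conf(text: str) -> List[Finding]:
    directives = parse_conf(text)
    names = [name for name, _ in directives]
    args: Dict[str, List[str]] = {name: a for name, a in directives}  # last occurrence wins
    pushed = [a[0].split() for name, a in directives if name == "push" and a]
    findings: List[Finding] = []

    for required in ("ca", "cert", "key", "dh"):
        if required not in names:
            findings.append(("ERROR", "missing:" + required, f"{required} is required"))
    if args.get("proto", ["udp"])[0].startswith("tcp") and "explicit-exit-notify" in names:
        findings.append(("ERROR", "tcp-exit-notify",
                         "explicit-exit-notify is UDP-only; with proto tcp the service does not start"))
    if "client-to-client" in names:
        findings.append(("WARN", "client-to-client", "clients can talk to each other directly"))
    if "duplicate-cn" in names:
        findings.append(("WARN", "duplicate-cn", "several users may share one certificate"))
    if "log" in names:
        findings.append(("WARN", "log-truncates", "log empties the file at every start; prefer log-append"))
    new_compress = "compress" in names or any(p and p[0] == "compress" for p in pushed)
    if new_compress and "comp-lzo" in names:
        findings.append(("ERROR", "compress-conflict", "compress and comp-lzo must not be combined"))
    if "tls-auth" in names:
        direction = args["tls-auth"][1:2]  # empty when no direction is given (bidirectional key)
        if direction and direction != ["0"]:
            findings.append(("ERROR", "tls-auth-direction", "the server side of tls-auth uses direction 0"))
    elif "tls-crypt" not in names:
        findings.append(("WARN", "no-tls-auth", "no tls-auth/tls-crypt key: control channel not HMAC-protected"))
    if "user" not in names or "group" not in names:
        findings.append(("WARN", "runs-as-root", "without user/group the daemon keeps root privileges"))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    return [code for _, code, _ in findings]
```

Running check_conf(SAMPLE_CONF) shows that the tutorial's final configuration passes every rule except the missing tls-auth key it recommended earlier.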
2.5 Preparing iptables Rules and Kernel Parameters
#Enable ip_forward on the server
[14:23:59 root@openvpn-server ~]#echo net.ipv4.ip_forward = 1 >>/etc/sysctl.conf
[14:25:03 root@openvpn-server ~]#sysctl -p
#Add the SNAT rule
[14:26:28 root@openvpn-server ~]#echo "iptables -t nat -APOSTROUTING -s 10.0.0.0/24 -j MASQUERADE" >>/etc/rc.d/rc.local
[14:27:11 root@openvpn-server ~]#chmod +x /etc/rc.d/rc.local
[14:29:03 root@openvpn-server ~]#/etc/rc.d/rc.local
[14:29:20 root@openvpn-server ~]#iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.0.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2.6 Starting the OpenVPN Service
2.6.1 Start the OpenVPN service
[14:33:01 root@centos7 ~]#rpm -ql openvpn | grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/share/doc/openvpn-2.4.10/README.systemd
#CentOS 8 lacks the openvpn@.service unit file, so copy it from CentOS 7
[14:29:21 root@openvpn-server ~]#rpm -ql openvpn | grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd
[14:33:18 root@centos7 ~]#cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
[14:34:46 root@centos7 ~]#scp /lib/systemd/system/openvpn@.service 39.98.146.209:/lib/systemd/system/
#Start the OpenVPN service; note that the service name differs from the unit file name
[14:54:27 root@openvpn-server ~]#systemctl daemon-reload
[14:54:33 root@openvpn-server ~]#systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
2.6.2 Check the service status
[14:54:42 root@openvpn-server ~]#systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-01-26 14:54:42 CST; 29s ago
Main PID: 13647 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 22788)
Memory: 1.3M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─13647 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Jan 26 14:54:42 openvpn-server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Applicati>
Jan 26 14:54:42 openvpn-server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Applicatio>
#Note the port number
[14:55:33 root@openvpn-server ~]#ss -ntlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 32 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=13647,fd=7))
LISTEN 0 128 0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=963,fd=13))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("systemd",pid=1,fd=59))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1009,fd=5))
LISTEN 0 128 [::]:5355 [::]:* users:(("systemd-resolve",pid=963,fd=15))
LISTEN 0 128 [::]:111 [::]:* users:(("systemd",pid=1,fd=66))
[14:55:52 root@openvpn-server ~]#cat /var/log/openvpn/openvpn.log
[14:56:20 root@openvpn-server ~]#ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:16:3e:14:71:66 brd ff:ff:ff:ff:ff:ff
inet 172.30.0.1/24 brd 172.30.0.255 scope global dynamic noprefixroute eth0
valid_lft 315348625sec preferred_lft 315348625sec
inet6 fe80::216:3eff:fe14:7166/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::6f54:d0a2:9870:cc6b/64 scope link stable-privacy
valid_lft forever preferred_lft forever
[14:56:36 root@openvpn-server ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.30.0.253 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.30.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
Verify the tun network device
2.7 Prepare the OpenVPN client configuration file
2.7.1 Explanation of the default sample client configuration file
[14:59:50 root@openvpn-server ~]#grep -Ev "^(#|;)|^$" /usr/share/doc/openvpn/sample/sample-config-files/client.conf
client #declare that this side is a client
dev tun #interface type, must match the server
proto udp #protocol type, must match the server
remote my-server-1 1194 #server IP and port; a domain name can be used but it must resolve to an IP
resolv-retry infinite #if the server is given as a domain name, keep retrying resolution; if the name's IP changes, reconnect to the new address
nobind #do not bind a local listening port; the client connects to the server's port 1194 from a random source port
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server #require the peer certificate to be a server certificate
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
2.7.2 Generate the client user's configuration file
#Generate the client file; the file extension must be .ovpn
[15:00:09 root@openvpn-server ~]#grep -Ev "^(#|;)|^$" /usr/share/doc/openvpn/sample/sample-config-files/client.conf >/etc/openvpn/client/zhangzhuo/client.ovpn
#Edit the configuration file so that it reads as follows
[15:02:26 root@openvpn-server ~]#vim /etc/openvpn/client/zhangzhuo/client.ovpn
[15:04:30 root@openvpn-server ~]#cat /etc/openvpn/client/zhangzhuo/client.ovpn
client
dev tun
proto tcp
remote 39.98.146.209 1194 #in production this is the OpenVPN server's public IP
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert zhangzhuo.crt
key zhangzhuo.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3 #this value must not be set arbitrarily, otherwise communication fails
compress lz4-v2 #used with OpenVPN 2.4.x; must match the server side; if not specified, the default is comp-lzo compression
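As an added example (not part of the original tutorial), the script below bundles the per-user directory produced above into a single inline .ovpn and checks the directives that must match the server side; it assumes the tutorial's layout (/etc/openvpn/server.conf, /etc/openvpn/client/<user>/) and demonstrates itself on constructed placeholder files.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: bundle the per-user directory from
# 2.7.2 (client.ovpn, ca.crt, <user>.crt, <user>.key) into one inline .ovpn and check
# the directives that must match the server. Assumed layout: /etc/openvpn/server.conf
# and /etc/openvpn/client/<user>/; the demo at the bottom uses constructed files.

# check_match SERVER_CONF CLIENT_CONF: compare dev, proto, compress; 1 on any mismatch.
check_match() {
    local server_conf=$1 client_conf=$2 key sval cval rc=0
    for key in dev proto compress; do
        sval=$(awk -v k="$key" '$1 == k { print $2; exit }' "$server_conf")
        cval=$(awk -v k="$key" '$1 == k { print $2; exit }' "$client_conf")
        sval=${sval%-server}   # "proto tcp-server" on the server pairs with
        cval=${cval%-client}   # "proto tcp-client" or plain "tcp" on the client
        if [ "$sval" != "$cval" ]; then
            echo "mismatch: $key server='$sval' client='$cval'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# build_inline_ovpn DIR USER OUT: copy DIR/client.ovpn minus the ca/cert/key file
# references, which become <ca>, <cert> and <key> blocks read from DIR.
build_inline_ovpn() {
    local dir=$1 user=$2 out=$3
    {
        grep -Ev '^(ca|cert|key) ' "$dir/client.ovpn"
        printf '<ca>\n';   cat "$dir/ca.crt";    printf '</ca>\n'
        printf '<cert>\n'; cat "$dir/$user.crt"; printf '</cert>\n'
        printf '<key>\n';  cat "$dir/$user.key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the private key now lives inside this single file
}

# make_sample DIR: constructed stand-in for the tutorial's directory; the PEM
# files are placeholders, not real certificates or keys.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' client 'dev tun' 'proto tcp' 'remote 39.98.146.209 1194' nobind \
        'ca ca.crt' 'cert demo.crt' 'key demo.key' 'remote-cert-tls server' \
        'cipher AES-256-CBC' 'verb 3' 'compress lz4-v2' > "$1/client.ovpn"
    printf '%s\n' 'port 1194' 'proto tcp' 'dev tun' 'compress lz4-v2' > "$1/server.conf"
    for f in ca.crt demo.crt demo.key; do
        printf '%s\n' '-----BEGIN PLACEHOLDER-----' "(constructed stand-in for $f)" \
            '-----END PLACEHOLDER-----' > "$1/$f"
    done
}
demo=$(mktemp -d); make_sample "$demo"
check_match "$demo/server.conf" "$demo/client.ovpn" && build_inline_ovpn "$demo" demo "$demo/demo.ovpn"
```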
2.8 Deploy and configure the OpenVPN client on Windows
2.8.1 Install the OpenVPN client on Windows
Official client download address:
https://openvpn.net/community-downloads/
Download and install it.
2.8.2 Prepare the Windows client configuration
#Package the certificates on the server, then download them and send them to the Windows client
[15:04:58 root@openvpn-server ~]#cd /etc/openvpn/client/zhangzhuo/
[15:08:34 root@openvpn-server zhangzhuo]#pwd
/etc/openvpn/client/zhangzhuo
[15:08:38 root@openvpn-server zhangzhuo]#tar cf zhangzhuo.tar ./
tar: ./zhangzhuo.tar: file is the archive; not dumped
[15:09:12 root@openvpn-server zhangzhuo]#ll
total 40
-rw------- 1 root root 1204 Jan 26 14:09 ca.crt
-rw-r--r-- 1 root root 237 Jan 26 15:04 client.ovpn
-rw------- 1 root root 4499 Jan 26 14:09 zhangzhuo.crt
-rw------- 1 root root 1704 Jan 26 14:09 zhangzhuo.key
-rw-r--r-- 1 root root 20480 Jan 26 15:09 zhangzhuo.tar
[15:09:13 root@openvpn-server zhangzhuo]#tar -tf zhangzhuo.tar
./
./zhangzhuo.crt
./ca.crt
./zhangzhuo.key
./client.ovpn
Place the files in the C:\Program Files\OpenVPN\config directory on the Windows client
Open the OpenVPN GUI
Connect
Once the icon turns green, the connection is up
2.8.4 Verify communication from the Windows client
2.8.4.1 Test access from the Windows client to the backend server behind OpenVPN
The backend server shows the connection as coming from the OpenVPN server
2.8.4.2 Observe the OpenVPN server log
[15:18:52 root@openvpn-server zhangzhuo]#tail /var/log/openvpn/openvpn.log -f -n0
Tue Jan 26 15:18:57 2021 TCP connection established with [AF_INET]110.17.5.83:20328
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 TLS: Initial packet from [AF_INET]110.17.5.83:20328, sid=0f61dc6f b6fc7583
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 VERIFY OK: depth=0, CN=zhangzhuo
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_VER=2.4.10
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_PLAT=win
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_PROTO=2
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_NCP=2
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_LZ4=1
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_LZ4v2=1
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_LZO=1
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_COMP_STUB=1
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_COMP_STUBv2=1
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_TCPNL=1
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 [zhangzhuo] Peer Connection Initiated with [AF_INET]110.17.5.83:20328
Tue Jan 26 15:18:58 2021 zhangzhuo/110.17.5.83:20328 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Jan 26 15:18:58 2021 zhangzhuo/110.17.5.83:20328 MULTI: Learn: 10.8.0.6 -> zhangzhuo/110.17.5.83:20328
Tue Jan 26 15:18:58 2021 zhangzhuo/110.17.5.83:20328 MULTI: primary virtual IP for zhangzhuo/110.17.5.83:20328: 10.8.0.6
Tue Jan 26 15:18:59 2021 zhangzhuo/110.17.5.83:20328 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 26 15:18:59 2021 zhangzhuo/110.17.5.83:20328 SENT CONTROL [zhangzhuo]: 'PUSH_REPLY,route 172.30.0.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jan 26 15:18:59 2021 zhangzhuo/110.17.5.83:20328 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jan 26 15:18:59 2021 zhangzhuo/110.17.5.83:20328 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 26 15:18:59 2021 zhangzhuo/110.17.5.83:20328 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
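As an added example (not part of the original tutorial), this script reduces the log above to one line per accepted client and flags failed client-certificate checks; it assumes the verb 3 format shown and runs on a constructed sample that copies the session above plus one made-up VERIFY ERROR line.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: summarise accepted sessions from
# the OpenVPN server log above and flag failed client-certificate checks. Assumes
# the verb-3 format shown there: timestamp, then "<remote>" or "<CN>/<remote>"
# as field 6, then the message. Sample input below is constructed from that log.

# summarise_log FILE: prints "<CN> <remote ip:port> <assigned VPN IP> <data cipher>"
# for each established session and "ALERT <line>" for each VERIFY ERROR.
summarise_log() {
    awk '
        $7 == "VERIFY" && $8 == "ERROR:" { print "ALERT " $0; next }
        # "MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)"
        $7 == "MULTI_sva:" { ip = $10; sub(/^IPv4=/, "", ip); sub(/,$/, "", ip); vip[$6] = ip }
        # the negotiated data-channel cipher marks a fully established session
        /Data Channel: using negotiated cipher/ {
            cipher = substr($NF, 2, length($NF) - 2)   # strip the quotes
            split($6, peer, "/")                       # "zhangzhuo/110.17.5.83:20328"
            print peer[1], peer[2], vip[$6], cipher
        }
    ' "${1:-/dev/stdin}"
}

# sample_log: the tutorial session plus one constructed VERIFY ERROR line
# (a client presenting a revoked certificate) to exercise the ALERT path.
sample_log() {
    cat <<'EOF'
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Jan 26 15:18:58 2021 110.17.5.83:20328 VERIFY OK: depth=0, CN=zhangzhuo
Tue Jan 26 15:18:58 2021 zhangzhuo/110.17.5.83:20328 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Jan 26 15:18:59 2021 zhangzhuo/110.17.5.83:20328 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jan 26 15:25:03 2021 198.51.100.7:41022 VERIFY ERROR: depth=0, error=certificate revoked: CN=olduser
EOF
}

sample_log | summarise_log
```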
2.8.4.3 Verify the connection state on the OpenVPN server
[15:19:10 root@openvpn-server zhangzhuo]#ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 36 172.30.0.1:22 110.17.5.83:20645
ESTAB 0 0 172.30.0.1:1194 110.17.5.83:20328
ESTAB 0 0 172.30.0.1:47816 100.100.30.26:80
2.8.4.4 Verify the Windows client's IP address
2.8.4.5 Verify the Windows client's routing table