
Building and deploying OpenVPN

Date: 2020-10-28 12:52:45  Source:  Author:

1. Why build a VPN

As a company grows, more and more remote-work demand arises. To support remote work and let people reach the local test environment from outside, you can build a VPN with open-source software (hardware VPN appliances are not cheap). OpenVPN is a good choice, and it has clients for both Windows and macOS.

2. Installing OpenVPN

The server OS I'm using is CentOS 7.8, so I install directly with yum.

yum install -y epel-release
yum install -y openvpn easy-rsa

After installation, check the version; mine is OpenVPN 2.4.9.

[root@test-vpn01 ~]# openvpn --version
OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>

3. Creating the certificates

cd /etc/openvpn && cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/3/ 

Create a vars file: copy the content below into it and make it executable with chmod +x vars.

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "ID"
set_var EASYRSA_REQ_PROVINCE    "Jakarta"
set_var EASYRSA_REQ_CITY        "Jakarta"
set_var EASYRSA_REQ_ORG         "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "openvpn@hakase-labs.io"
set_var EASYRSA_REQ_OU          "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"

Then run:

./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki
./easyrsa build-ca

......
Enter New CA Key Passphrase:        # type a passphrase for the CA key
Re-Enter New CA Key Passphrase:  # type it again
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Generating RSA private key, 2048 bit long modulus
................................................+++
...............................................................+++
e is 65537 (0x10001)
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:      

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt
./easyrsa gen-req hakase-server nopass

......
Generating a 2048 bit RSA private key
.................................................................+++
................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-2911.3BE9Ih/tmp.Z1YEhj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [hakase-server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/hakase-server.req
key: /etc/openvpn/easy-rsa/3/pki/private/hakase-server.key

./easyrsa sign-req server hakase-server

......
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
    commonName                = hakase-server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Unable to load config info from /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3202.ARaxKb/tmp.WGDm1y
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: # enter the CA passphrase from the step above
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'hakase-server'
Certificate is to be certified until Sep 30 09:54:49 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/hakase-server.crt
openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt
pki/issued/hakase-server.crt: OK

Create the client key and certificate

./easyrsa gen-req client_01 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Generating a 2048 bit RSA private key
...........+++
..........................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-3386.pQq0xv/tmp.tHpyYU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client_01]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/client_01.req
key: /etc/openvpn/easy-rsa/3/pki/private/client_01.key
./easyrsa sign-req client client_01

......
Request subject, to be signed as a client certificate for 365 days:

subject=
    commonName                = client_01


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3446.iYLNHV/tmp.baYmMM
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: # enter the CA passphrase from the step above
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client_01'
Certificate is to be certified until Sep 30 09:57:27 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client_01.crt
openssl verify -CAfile pki/ca.crt pki/issued/client_01.crt
pki/issued/client_01.crt: OK
./easyrsa gen-dh

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................................................+............+.............................................+.......................+
...................................+...........+.+.................+................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

Copy the server key and certificates

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/

Copy the client_01 key and certificates

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client_01.crt /etc/openvpn/client/
cp pki/private/client_01.key /etc/openvpn/client/
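Every sign-req above ends with "Write out database with 1 new entries": easy-rsa records each issued certificate in pki/index.txt, the OpenSSL CA database. Once you have more than a handful of clients you want to know which certificates are still valid, which are about to expire, and which you have revoked (revoked serials only take effect on the server once they are in the CRL that crl-verify points to). The following Python script is an added example, not part of the original article or of easy-rsa; it parses a constructed index.txt whose serials and revoked client_02 entry are made up, and fixes "now" to the article's date so the output is reproducible.

```python
from datetime import datetime, timezone

# Constructed sample of easy-rsa's pki/index.txt. Tab-separated fields:
# status (V/R/E), expiry, revocation date (empty unless revoked), serial, file, subject DN.
# The serials and the revoked client_02 line are invented for this example.
INDEX_TXT = (
    "V\t210930095449Z\t\t9C2A4F1E3B7D8A6C\tunknown\t/CN=hakase-server\n"
    "V\t210930095727Z\t\t1D7E2B9C4A5F8E31\tunknown\t/CN=client_01\n"
    "R\t211015120000Z\t201020083000Z\t6B3C9D1A2E4F7085\tunknown\t/CN=client_02\n"
)

# Reference "now" pinned to this article's date so the results are reproducible.
NOW = datetime(2020, 10, 28, tzinfo=timezone.utc)


def parse_ca_time(value):
    """OpenSSL writes UTCTime (YYMMDDHHMMSSZ) for dates before 2050 and
    GeneralizedTime (YYYYMMDDHHMMSSZ) afterwards; accept both."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text, now=NOW):
    """Return one record per issued certificate with its effective status."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        flag, expiry, revoked, serial, _fname, subject = fields
        cn = subject.split("/CN=", 1)[1].split("/", 1)[0] if "/CN=" in subject else subject
        expires_at = parse_ca_time(expiry)
        if flag == "R":
            status = "revoked"
        elif flag == "E" or expires_at <= now:
            # OpenSSL only rewrites V -> E on 'openssl ca -updatedb', so compare the date ourselves.
            status = "expired"
        else:
            status = "valid"
        records.append({
            "cn": cn,
            "serial": serial,
            "status": status,
            "days_left": (expires_at - now).days,
            # the revocation field may carry a reason after a comma, e.g. "...Z,keyCompromise"
            "revoked_on": parse_ca_time(revoked.split(",")[0]) if revoked else None,
        })
    return records


def expiring_within(records, days):
    """Valid certificates that expire within `days`: renew these before clients stop connecting."""
    return [r["cn"] for r in records if r["status"] == "valid" and r["days_left"] <= days]


def revoked_serials(records):
    """Serials that must be in the CRL given to crl-verify for the revocation to have any effect."""
    return sorted(r["serial"] for r in records if r["status"] == "revoked")


if __name__ == "__main__":
    for rec in parse_index(INDEX_TXT):
        print(f"{rec['cn']:15} {rec['status']:8} days_left={rec['days_left']}")
    print("renew soon:", expiring_within(parse_index(INDEX_TXT), 60))
    print("revoked:", revoked_serials(parse_index(INDEX_TXT)))
```

On a real server point the script at /etc/openvpn/easy-rsa/3/pki/index.txt and pass the current time instead of NOW; with EASYRSA_CERT_EXPIRE set to 365 as in the vars file above, every client certificate shows up in expiring_within well inside a year.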

4. OpenVPN configuration

Add the server configuration file

cd /etc/openvpn/ && vi service.conf

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

#DH and CRL key
dh /etc/openvpn/server/dh.pem
# Note: this article skips the revoked-certificate (CRL) check; the line below stays commented out
#crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
# Internal subnet handed out to VPN clients
server 192.168.200.128 255.255.255.128 
push "redirect-gateway def1"

# DNS servers pushed to clients
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"

#Enable multiple client to connect with same Certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-append openvpn.log
status openvpn-status.log
verb 3

Add the client configuration file

cd /etc/openvpn/client && vi client_01.ovpn

client
dev tun
proto udp
# Your company's public egress IP
remote 113.xx.xx.xx 1194

ca ca.crt
cert client_01.crt
key client_01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3

Add the routing and forwarding configuration

# Either firewalld or iptables works; I'm using iptables here
# (sysctl -w and iptables -A take effect immediately but are not persisted across a reboot)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
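The server file, the client file and the NAT rule above have to agree with each other: cipher, auth, tls-version-min and proto must match on both sides, the client's remote port must be the server's port, and the masquerade source range must contain the pool that the server line hands out. OpenVPN also compares option names with a plain string compare, so a miscased option such as log-Append is rejected as unrecognized when the service starts. The Python checker below is an added example, not part of the original article or of OpenVPN itself; it embeds constructed, abridged copies of the two configs and the NAT rule, so it runs offline, and reports the things a reviewer of this setup would want to see: the case error, the commented-out crl-verify, payload compression on both sides, duplicate-cn, and the NAT coverage check.

```python
import ipaddress
import re

# Constructed, abridged copies of the server.conf and client_01.ovpn from this article,
# embedded so the checker runs offline (nothing is read from /etc/openvpn).
SERVER_CONF = """\
port 1194
proto udp
dev tun
#crl-verify /etc/openvpn/server/crl.pem
server 192.168.200.128 255.255.255.128
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
comp-lzo yes
log-Append openvpn.log
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 113.xx.xx.xx 1194
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
compress lzo
"""

# The masquerade rule from the routing step; its -s range must contain the pool given out by 'server'.
NAT_RULE = "iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE"

# OpenVPN matches option names case-sensitively, so 'log-Append' is an unrecognized option.
# Only the subset of options used in this article is listed here.
KNOWN_OPTIONS = {
    "port", "proto", "dev", "ca", "cert", "key", "dh", "crl-verify", "server", "push",
    "duplicate-cn", "cipher", "tls-version-min", "tls-cipher", "auth", "auth-nocache",
    "keepalive", "persist-key", "persist-tun", "comp-lzo", "compress", "daemon", "user",
    "group", "log-append", "status", "verb", "client", "remote", "resolv-retry", "nobind",
    "mute-replay-warnings",
}


def parse_config(text):
    """Map option name -> list of argument lists. Options disabled with a leading
    '#' or ';' go into a second map so a commented-out crl-verify can be reported."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line[0] in "#;":
            target, line = commented, line.lstrip("#; ")
        parts = line.split()
        if parts:
            target.setdefault(parts[0], []).append(parts[1:])
    return active, commented


def compression_enabled(conf):
    """True if the peer compresses payload ('comp-lzo no' and 'compress stub' only keep the framing)."""
    if any(args[:1] != ["no"] for args in conf.get("comp-lzo", [])):
        return True
    return any(args and args[0] not in ("stub", "stub-v2") for args in conf.get("compress", []))


def check_configs(server_text, client_text, nat_rule):
    """Run the checks and return findings as 'ERROR ...' / 'WARN ...' strings (empty list = clean)."""
    server, server_off = parse_config(server_text)
    client, _ = parse_config(client_text)
    findings = []
    # 1. Miscased option names are fatal at startup.
    for side, conf in (("server", server), ("client", client)):
        for name in conf:
            if name not in KNOWN_OPTIONS and name.lower() in KNOWN_OPTIONS:
                findings.append(f"ERROR {side}: option '{name}' is miscased, OpenVPN expects '{name.lower()}'")
    # 2. Cipher, HMAC, minimum TLS version and transport must agree, or the handshake fails.
    for opt in ("cipher", "auth", "tls-version-min", "proto"):
        s = " ".join(server.get(opt, [["<unset>"]])[0])
        c = " ".join(client.get(opt, [["<unset>"]])[0])
        if opt == "proto":  # a client 'udp4'/'udp6' is compatible with a server 'udp'
            s, c = s.rstrip("46"), c.rstrip("46")
        if s != c:
            findings.append(f"ERROR {opt}: server '{s}' and client '{c}' do not match")
    server_port = server.get("port", [["1194"]])[0][0]
    for remote in client.get("remote", []):
        client_port = remote[1] if len(remote) > 1 else "1194"
        if client_port != server_port:
            findings.append(f"ERROR remote port {client_port} does not match server port {server_port}")
    # 3. Without crl-verify the server keeps accepting certificates you have revoked.
    if "crl-verify" not in server:
        state = "commented out" if "crl-verify" in server_off else "absent"
        findings.append(f"WARN server: crl-verify is {state}, revoked client certificates are still accepted")
    # 4. Payload compression is deprecated by the OpenVPN project; warn wherever it is on.
    for side, conf in (("server", server), ("client", client)):
        if compression_enabled(conf):
            findings.append(f"WARN {side}: payload compression enabled, prefer no compression or 'compress stub'")
    # 5. duplicate-cn lets many users share one certificate, so nobody can be revoked individually.
    if "duplicate-cn" in server:
        findings.append("WARN server: duplicate-cn set, revoking one shared certificate cuts off every user of it")
    # 6. The masquerade source range must contain the address pool configured by 'server'.
    if "server" in server:
        addr, mask = server["server"][0][:2]
        pool = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        m = re.search(r"-s\s+(\S+)", nat_rule)
        nat = ipaddress.ip_network(m.group(1), strict=False) if m else None
        if nat is None or not pool.subnet_of(nat):
            findings.append(f"ERROR NAT source {nat} does not cover VPN pool {pool}")
    return findings


if __name__ == "__main__":
    for finding in check_configs(SERVER_CONF, CLIENT_CONF, NAT_RULE):
        print(finding)
```

Run as-is it prints one ERROR for log-Append and four WARN lines; after changing log-Append to log-append it reports no errors, and the remaining warnings are design decisions (shared client certificate, no CRL, compression) that the article takes knowingly.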

Start the OpenVPN service

systemctl start openvpn@service
netstat -nlup | grep 1194

5. Client configuration

Windows client: download and install the OpenVPN client software (search for the installer yourself).

Find the installation path and open its config directory. Package the client directory under /etc/openvpn, download it to your machine, unzip it, and copy all the certificate files into config.


Double-click the OpenVPN desktop icon, then right-click the tray icon and choose Connect. A successful connection is assigned an internal IP, which shows you are on the internal network.


macOS client: download and install the client software from http://down.i4t.com/Tunnelblick_3.8.1_build_5400.dmg, unzip the client certificates and copy them all into config, then open client_01.ovpn directly and it connects automatically.


