OpenVpn 最新版部署

发表于 分类于 阅读次数:

安装

1、yum方式(推荐)

推荐使用yum方式安装,因为之前曾经发生过莫名其妙服务自己停止的情况。

1
2
yum install openvpn open-ssl -y
yum install easy-rsa openssl  -y

2、编译安装

1
2
3
4
5
6
7
8
9
10
11
12
13
yum install pam-devel open-ssl -y

cd /usr/src
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
tar zxvf lzo-2.06.tar.gz
cd lzo-2.06
./configure --prefix=/usr/local/
make && make install

cd /usr/src
tar -zxvf openvpn-2.4.6.tar.gz
 cd openvpn-2.4.6
./configure --prefix=/usr/local/openvpn --with-lzo-lib=/usr/local/lzo/lib --with-lzo-headers=/usr/local/lzo/include/

证书配置

当前配置是按照编译安装的目录,yum安装目录在/etc/openvpn

创建 PKI 和 CA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

[root@localhost 3.0.3]# pwd
/etc/openvpn/server
[root@localhost 3.0.3]# cp -r  /usr/share/easy-rsa .
[root@localhost 3.0.3]# rm 3 3.0 
[root@localhost 3.0.3]# cd /etc/openvpn/server/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki  #创建空的pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki

[root@localhost 3.0.3]# ./easyrsa build-ca nopass #创建新的CA,不使用密码

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: 回车

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt

创建服务端证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[root@localhost 3.0.3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: 回车

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key

签约服务端证书

注意操作目录是在server目录里的 /etc/openvpn/server/easy-rsa/3.0.3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[root@localhost 3.0.3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

创建 Diffie-Hellman

1
2
3
[root@localhost 3.0.3]# ./easyrsa gen-dh
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

创建客户端证书

复制文件

1
2
3
4
5
cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
cd /etc/openvpn/client/easy-rsa/
rm 3 3.0
cd 3.0.3/
find /usr/share/doc/easy-rsa-3.0.3/vars.example -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

生成证书

操作目录 /etc/openvpn/server/easy-rsa/3.0.3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
[root@localhost 3.0.3]# pwd
/etc/openvpn/client/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki #创建新的pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki
[root@localhost 3.0.3]# ./easyrsa gen-req joy01 nopass  #客户证书名为joy01,木有密码

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/joy01.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [joy01]: 回车

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/joy01.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/joy01.key

签约客户端证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
[root@localhost 3.0.3]# cd /etc/openvpn/server/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/server/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/joy01.req joy01

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: joy01
You may now use this name to perform signing operations on this request.

[root@localhost 3.0.3]# ./easyrsa sign client joy01

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = joy01


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'joy01'
Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/joy01.crt

整理证书

server 端证书

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
[root@localhost certs]# ll
总用量 20
-rw-------. 1 root root 1172 4月  11 10:02 ca.crt
-rw-------. 1 root root  424 4月  11 10:03 dh.pem
-rw-------. 1 root root 4547 4月  11 10:03 server.crt
-rw-------. 1 root root 1704 4月  11 10:02 server.key

client 端

1
2
3
4
5
6
7
8
9
[root@localhost certs]# mkdir /etc/openvpn/client/joy01/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/joy01/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/joy01.crt /etc/openvpn/client/joy01/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/joy01.key /etc/openvpn/client/joy01/
[root@localhost certs]# ll /etc/openvpn/client/joy01/
总用量 16
-rw-------. 1 root root 1172 4月  11 10:07 ca.crt
-rw-------. 1 root root 4431 4月  11 10:08 joy01.crt
-rw-------. 1 root root 1704 4月  11 10:08 joy01.key

配置

Server

一切操作只需要在服务器,client不需要!!!

开启转发

1
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

验证

1
sysctl -p

iptables

清空防火墙

1
2
3
iptables -F
iptables -X
ipatbles -Z

接下来的配置之前需要先了解以下概念:

  • NAT 的原理 简单的说就是当内网主机访问外网时,当内网主机的数据包要通过路由器时,路由器将数据包中的源内网 IP 地址改为路由器上的公网 IP 地址,同时记录下该数据包的消息;当外网服务器响应这次由内而外发出的请求或数据交换时,当外网服务器发出的数据包经过路由器时,原本是路由器上的公网 IP 地址被路由器改为内网 IP 。

    • SNAT是source networkaddress translation的缩写,即源地址目标转换。比如,多个PC机使用ADSL路由器共享上网,每个PC机都配置了内网IP,PC机访问外部网络的时候,路由器将数据包的报头中的源地址替换成路由器的ip,当外部网络的服务器比如网站web服务器接到访问请求的时候,他的日志记录下来的是路由器的ip地址,而不是pc机的内网ip,这是因为,这个服务器收到的数据包的报头里边的“源地址”,已经被替换了,所以叫做SNAT,基于源地址的地址转换。
    • DNAT是destination networkaddress translation的缩写,即目标网络地址转换,典型的应用是,有个web服务器放在内网配置内网ip,前端有个防火墙配置公网ip,互联网上的访问者使用公网ip来访问这个网站,当访问的时候,客户端发出一个数据包,这个数据包的报头里边,目标地址写的是防火墙的公网ip,防火墙会把这个数据包的报头改写一次,将目标地址改写成web服务器的内网ip,然后再把这个数据包发送到内网的web服务器上,这样,数据包就穿透了防火墙,并从公网ip变成了一个对内网地址的访问了,即DNAT,基于目标的网络地址转换。
    • MASQUERADE,地址伪装,属于nat的一种。算是snat中的一种特例,可以实现自动化的snat。MASQUERADE是用发送数据的网卡上的IP来替换源IP,因此,对于那些IP不固定的场合,比如拨号网络或者通过dhcp分配IP的情况下,就得用MASQUERADE。

  • 如果内网主机访问外网而经过路由时,源 IP 会发生改变,这种变更行为就是 SNAT;反之,当外网的数据经过路由发往内网主机时,数据包中的目的 IP (路由器上的公网 IP) 将修改为内网 IP,这种变更行为就是 DNAT 。与 SNAT 和 DNAT所对应的两个链分别是 POSTROUTING和PREROUTING。

    • POSTROUTING是源地址转换,要把你的内网地址转换成公网地址才能让你上网。
    • PREROUTING是目的地址转换,要把别人的公网IP换成你们内部的IP,才让访问到你们内部受防火墙保护的机器

综上所述,简单理解就是从服务器网卡获取当前IP来做SNAT。

1
2
3
4
5
6
7
8
9
10
11
12

iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT  
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT  

#检查
iptables  -t  nat  -nL

#转发
iptables -t nat -A POSTROUTING -s 172.16.0.0/24  -j MASQUERADE
  or
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE

检查FORWARD

检查MASQUERADE

配置文件

server端

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
duplicate-cn
keepalive 10 120

;cipher BF-CBC
;cipher AES-128-CBC
;cipher DES-EDE3-CBC


comp-lzo
;max-clients 100
log         openvpn.log
status openvpn-status.log
verb 3
mute 20

“redirect-gateway def1 bypass-dhcp”的目的是在所有客戶端的默认网络都重定向到服务器,它的目的就是客户端在使用不同的私有地址时可以确保能连上OpenVPN服务器。
但是如果有时候客户端无法正常上网,那么就得换种方式。push "route 10.110.1.0 255.255.255.0"就像这样推送服务器的路由。

如果想使用固定IP,那么就开启"client-config-dir ccd"

  • 在服务器端创建ccd目录
  • 按照用户名创建文件,类似”ifconfig-push 10.8.0.18 255.255.255.0”

client端

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
client
dev tun
proto udp
remote 服务器外网IP
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert xiajie.crt
key xiajie.key
comp-lzo
verb 3
redirect-gateway def1

启动

1
2
systemctl -f enable openvpn@server
systemctl start openvpn@server

服务检查

服务器端

### 客户端(Windows)

疑难杂症

  • 客户端直接无法访问,虚拟IP不通,内网不通
    检查服务器端配置文件client-to-client
  • 如果还是不通,或者无法访问外网,检查push "redirect-gateway def1 bypass-dhcp"是否注释或者有没有推送路由。
  • 如果追求速度就选择UDP,如果选择可靠质量就选择TCP。