Part 1: Installing OpenVPN
1. Download and extract the tarball
Official guide: https://openvpn.net/community-resources/installing-openvpn/
shell>tar xfz openvpn-[version].tar.gz
2. Install the required build dependencies
shell>yum install openssl-devel
shell>yum install lzo-devel
shell>yum install pam-devel
shell>yum install gcc
3. Enter the extracted directory, then build and install
shell>cd [directory]
shell>./configure --prefix=/data/app/openvpn
shell>make && make install
------------- If you need to change the install prefix afterwards, run the following before reconfiguring
shell>make clean
If you see "configure: error: no acceptable C compiler found in $PATH",
run "yum install gcc".
Part 2: Creating the certificates
Step 1: Download the tarball
GitHub repository (pick the version you need): https://github.com/OpenVPN/easy-rsa
shell>wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz
shell>tar xfz EasyRSA-3.0.8.tgz
shell>mv EasyRSA-3.0.8 /data/app/EasyRSA
Creating the certificates
---- Initialize the PKI directory ----
[root@docker EasyRSA]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /data/app/EasyRSA/pki
---- Copy the vars file ----
[root@docker EasyRSA]# cp vars.example vars
[root@docker EasyRSA]# vim vars
Create the root CA certificate
[root@docker EasyRSA-3.0.8]# ./easyrsa build-ca nopass
--- The command above creates the CA without a passphrase; below is the passphrase-protected variant, with the CA's Common Name set to fox
[root@docker EasyRSA]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /data/app/EasyRSA/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
...............................+++
...+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:fox
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/data/app/EasyRSA/pki/ca.crt
Create the server certificate
You will be prompted for a Common Name; it can be anything, but should not be the same as the root CA's (the transcript below does reuse fox, which Easy-RSA accepts, but distinct names avoid confusion later)
[root@docker EasyRSA-3.0.8]# ./easyrsa gen-req server nopass
--- The command above creates the key without a passphrase; below is the passphrase-protected variant, with the server's Common Name set to fox
[root@docker EasyRSA]# ./easyrsa gen-req server
Note: using Easy-RSA configuration from: /data/app/EasyRSA/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...............+++
....+++
writing new private key to '/data/app/EasyRSA/pki/easy-rsa-1798.FtQGak/tmp.0zaJWh'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:fox
Keypair and certificate request completed. Your files are:
req: /data/app/EasyRSA/pki/reqs/server.req
key: /data/app/EasyRSA/pki/private/server.key
Sign the server certificate
This command asks you to confirm by typing yes, and then asks for the passphrase you set on the CA key when you created the CA. If you have forgotten that passphrase, you will have to start over from the beginning.
[root@docker EasyRSA]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /data/app/EasyRSA/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = fox
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /data/app/EasyRSA/pki/easy-rsa-1826.K8j9Qd/tmp.IS3ABi
Enter pass phrase for /data/app/EasyRSA/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'fox'
Certificate is to be certified until Feb 25 08:01:07 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /data/app/EasyRSA/pki/issued/server.crt
Generate the Diffie-Hellman parameters, which let the key exchange cross an untrusted network safely
[root@docker EasyRSA]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /data/app/EasyRSA/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................................+...........+...................................................................................+........................................+................+.....................................................................................................................................................................................................................................................................................++*++*
DH parameters of size 2048 created at /data/app/EasyRSA/pki/dh.pem
Create the client certificate
First copy the Easy-RSA files into a separate directory
shell>mkdir client/
shell>cp -R /root/EasyRSA-3.0.8 client/
Create the client key and certificate request
[root@docker EasyRSA]# ./easyrsa gen-req fox-client nopass
Note: using Easy-RSA configuration from: /data/app/EasyRSA/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
......................+++
..............+++
writing new private key to '/data/app/EasyRSA/pki/easy-rsa-1971.k0NW34/tmp.uecaAL'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [fox-client]:fox-client
Keypair and certificate request completed. Your files are:
req: /data/app/EasyRSA/pki/reqs/fox-client.req
key: /data/app/EasyRSA/pki/private/fox-client.key
Import the resulting fox-client.req and sign the certificate
----- Change to the server-side Easy-RSA directory
shell>cd /root/EasyRSA-3.0.8
shell>./easyrsa import-req /root/client/EasyRSA-3.0.8/pki/reqs/fox-client.req fox-client
[root@docker EasyRSA]# ./easyrsa sign client fox-client
Note: using Easy-RSA configuration from: /data/app/EasyRSA/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = fox-client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /data/app/EasyRSA/pki/easy-rsa-2058.Qh981n/tmp.GUEcsF
Enter pass phrase for /data/app/EasyRSA/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'fox-client'
Certificate is to be certified until Feb 25 08:11:38 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /data/app/EasyRSA/pki/issued/fox-client.crt
---- This generates a client certificate, so the type must be client; fox-client must match the name given at import
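Before copying the files into the OpenVPN directories, it is worth checking that each issued certificate really chains to this CA, that its private key matches, and that it was signed with the right type (the "client" vs "server" point made above), because OpenVPN will silently reject a peer whose certificate has the wrong extendedKeyUsage. The script below is an added example, not part of the original post or of Easy-RSA: check_cert_role, issue_cert, build_demo_pki, the temporary directory and the CA name demo-ca are assumptions, and the demo PKI is constructed with plain openssl as a stand-in for the easyrsa output layout (pki/ca.crt, pki/issued, pki/private). On a real server, point it at /data/app/EasyRSA/pki instead of the demo directory.

```shell
#!/bin/sh
# Added example (not from the original post or Easy-RSA): sanity-check the files
# Easy-RSA produced before they are copied into the OpenVPN directories.
# Assumes the Easy-RSA 3 layout used in the post:
#   pki/ca.crt   pki/issued/<name>.crt   pki/private/<name>.key
# Needs only the openssl CLI. Keys protected by a passphrase will prompt for it.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

# check_cert_role PKI_DIR NAME ROLE   (ROLE is "server" or "client")
# Verifies three things that are easy to get wrong with easyrsa:
#   1. the issued cert chains to pki/ca.crt, i.e. it was signed by *this* CA
#   2. the private key in pki/private matches the public key in the cert
#   3. it was signed with the intended type ("sign server" vs "sign client"):
#      the extendedKeyUsage must match ROLE, or OpenVPN rejects the peer
check_cert_role() {
    pki=$1; name=$2; role=$3
    cert="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    [ -f "$cert" ] && [ -f "$key" ] || { echo "$name: missing cert or key" >&2; return 1; }

    openssl verify -CAfile "$pki/ca.crt" "$cert" >/dev/null 2>&1 \
        || { echo "$name: does not chain to pki/ca.crt" >&2; return 1; }

    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$name: private key does not match certificate" >&2; return 1; }

    case $role in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl x509 -noout -text -in "$cert" | grep -q "$want" \
        || { echo "$name: not signed as a $role certificate (EKU mismatch)" >&2; return 1; }
    echo "$name: OK as $role"
}

# --- constructed demo PKI: a stand-in for the easyrsa commands in the post ---
# issue_cert DIR NAME EKU: like "easyrsa gen-req NAME" + "easyrsa sign <type> NAME"
issue_cert() {
    d=$1; n=$2; eku=$3
    openssl genrsa -out "$d/pki/private/$n.key" 2048 2>/dev/null
    openssl req -new -key "$d/pki/private/$n.key" -subj "/CN=$n" -out "$d/pki/reqs/$n.req" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$d/ext.cnf"
    openssl x509 -req -in "$d/pki/reqs/$n.req" -CA "$d/pki/ca.crt" -CAkey "$d/pki/private/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/pki/issued/$n.crt" 2>/dev/null
}
# build_demo_pki DIR: like "easyrsa build-ca", then one server and one client cert
build_demo_pki() {
    d=$1
    mkdir -p "$d/pki/issued" "$d/pki/private" "$d/pki/reqs"
    openssl genrsa -out "$d/pki/private/ca.key" 2048 2>/dev/null
    openssl req -new -key "$d/pki/private/ca.key" -subj "/CN=demo-ca" -out "$d/ca.req" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca_ext.cnf"
    openssl x509 -req -in "$d/ca.req" -signkey "$d/pki/private/ca.key" -days 1 \
        -extfile "$d/ca_ext.cnf" -out "$d/pki/ca.crt" 2>/dev/null
    issue_cert "$d" server serverAuth
    issue_cert "$d" fox-client clientAuth
}

DEMO=$(mktemp -d)                 # throw-away directory, removed on exit
trap 'rm -rf "$DEMO"' EXIT
build_demo_pki "$DEMO"
check_cert_role "$DEMO/pki" server server          # server: OK as server
check_cert_role "$DEMO/pki" fox-client client      # fox-client: OK as client
# the mistake the post warns about: a cert signed as "client" used as a server cert
check_cert_role "$DEMO/pki" fox-client server || echo "role mismatch caught"
```

The chain check uses openssl verify rather than comparing issuer names, because a certificate from a different CA can carry an identical subject; the key check compares the SubjectPublicKeyInfo exported from both files, which works for RSA and EC keys alike.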
Organize the files: the server's certificates go under the OpenVPN root directory, while the client's are kept in a separate directory for now (make sure both target directories exist before copying, otherwise cp creates a file named pass instead of copying into a directory)
Server certificates, stored together
[root@docker EasyRSA-3.0.8]# cp /data/app/EasyRSA/pki/ca.crt /data/app/openvpn/server/pass
[root@docker EasyRSA-3.0.8]# cp /data/app/EasyRSA/pki/private/server.key /data/app/openvpn/server/pass
[root@docker EasyRSA-3.0.8]# cp /data/app/EasyRSA/pki/issued/server.crt /data/app/openvpn/server/pass
[root@docker EasyRSA-3.0.8]# cp /data/app/EasyRSA/pki/dh.pem /data/app/openvpn/server/pass
Client certificates, stored together
[root@docker EasyRSA-3.0.8]# cp /data/app/EasyRSA/pki/ca.crt /data/app/openvpn/client/pass
[root@docker EasyRSA-3.0.8]# cp /data/app/EasyRSA/pki/issued/fox-client.crt /data/app/openvpn/client/pass
[root@docker EasyRSA-3.0.8]# cp /data/app/EasyRSA/pki/private/fox-client.key /data/app/openvpn/client/pass
Configure server.conf
Sample configuration files: https://github.com/OpenVPN/openvpn/tree/master/sample/sample-config-files
Enable IP forwarding on the server
shell>echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
shell>grep ipv4 /etc/sysctl.conf
shell>sysctl -p
shell>iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
----- (this iptables rule is not saved across reboots; persist it with your distribution's iptables-save mechanism)
Create the ta.key file (the tls-auth HMAC key: the server drops any packet without a valid HMAC before the TLS handshake starts, which mitigates denial-of-service attacks against it)
shell>/data/app/openvpn/sbin/openvpn --genkey secret /data/app/openvpn/ta.key
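The post links the sample files but does not show a finished server.conf. As an added example (not from the post or from the OpenVPN project), the script below writes a server.conf that uses the paths this walkthrough copies the files to, then runs a preflight check before the daemon is started: every file referenced by ca, cert, key, dh and tls-auth must exist, and the key and tls-auth files must be readable by their owner only. The 10.8.0.0/24 subnet comes from the iptables rule above; the function names write_server_conf and check_server_conf, the remaining directive values, and the placeholder files in the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project: write a
# server.conf for the layout this walkthrough uses, then preflight it before
# starting the daemon. Assumed layout (from the post): /data/app/openvpn holds
# server/pass/{ca.crt,server.crt,server.key,dh.pem} and ta.key; the daemon is
# started from that directory, so the paths in the config are relative to it.
set -u

# write_server_conf ROOT: emit ROOT/server.conf from standard OpenVPN 2.x
# server directives.
write_server_conf() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca   server/pass/ca.crt
cert server/pass/server.crt
key  server/pass/server.key
dh   server/pass/dh.pem
tls-auth ta.key 0
# only accept peers whose certificate was signed as a client certificate
remote-cert-tls client
server 10.8.0.0 255.255.255.0
topology subnet
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# check_server_conf CONF: for each file-referencing directive (ca, cert, key,
# dh, tls-auth) confirm the file exists (relative paths resolve against CONF's
# directory) and that key material (key, tls-auth) is owner-only readable.
# Returns 0 when everything is in order, 1 otherwise; reasons go to stderr.
check_server_conf() {
    conf=$1; base=$(dirname "$conf"); rc=0
    while read -r directive path rest; do
        case $directive in ca|cert|key|dh|tls-auth) ;; *) continue ;; esac
        case $path in /*) file=$path ;; *) file="$base/$path" ;; esac
        if [ ! -f "$file" ]; then
            echo "$directive: $file does not exist" >&2; rc=1; continue
        fi
        case $directive in
        key|tls-auth)
            mode=$(stat -c %a "$file")        # GNU stat, i.e. Linux
            case $mode in
            ?00) ;;                           # 600, 400 ...: owner-only
            *) echo "$directive: $file is mode $mode, expected 600" >&2; rc=1 ;;
            esac ;;
        esac
    done < "$conf"
    return $rc
}

# Demo on a constructed throw-away tree: placeholder files stand in for the
# real Easy-RSA output and ta.key (constructed sample data, removed on exit).
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/server/pass"
for f in server/pass/ca.crt server/pass/server.crt server/pass/server.key server/pass/dh.pem ta.key; do
    printf 'placeholder\n' > "$ROOT/$f"
done
chmod 600 "$ROOT/server/pass/server.key" "$ROOT/ta.key"
write_server_conf "$ROOT"
check_server_conf "$ROOT/server.conf" && echo "server.conf preflight passed"
```

On the real server, call write_server_conf /data/app/openvpn and then check_server_conf /data/app/openvpn/server.conf from the same shell session that will start the daemon; remote-cert-tls client is what makes the "sign client" step above matter, since a peer presenting a certificate signed as a server is refused.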
Start the service
shell>cd /data/app/openvpn
shell>./sbin/openvpn --daemon --config server.conf
Check that openvpn is running
Install net-tools first
shell>yum install net-tools
shell>netstat -lntup | grep 1194
Stop the firewall or open the port
shell>systemctl status firewalld
shell>systemctl stop firewalld
----- or open port 1194 (a --permanent rule is only written to the saved config; reload to apply it)
shell>firewall-cmd --zone=public --add-port=1194/udp --permanent
shell>firewall-cmd --reload
Client configuration
1. Windows client configuration
This walkthrough uses the latest OpenVPN v3 client
1.1 Download the client
https://openvpn.net/vpn-client/
1.2 Install the client
1.3 Configure client.ovpn
https://github.com/OpenVPN/openvpn/tree/master/sample/sample-config-files
Download the client.conf file, rename it to client.ovpn, and edit its contents