admin posted on 2019-9-5 17:00:01

Deploying an OpenVPN 2.3.4 server on Linux

II. Deploying OpenVPN

    This deployment uses the latest openvpn 2.3.4, and that package no longer contains the most important piece, the certificate tooling: easy-rsa.

    The OpenVPN website states it explicitly: Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages

    So easy-rsa has to be downloaded beforehand (it is available on GitHub); its setup is covered in step 3 below. This deployment uses easy-rsa 3, which works completely differently from easy-rsa 2.0, so the easy-rsa 2.0 tutorials found elsewhere on the net do not apply here.

    Before deploying openvpn it is best to sync the server's clock with ntpdate; otherwise the times in the generated certificates are wrong as well, and you get some "certificate error" or other!

1. Install lzo

    lzo is a data compression algorithm that aims at decompression speed.

# tar xf lzo-2.08.tar.gz
# cd lzo-2.08
# ./configure && make && make install

2. Install openvpn

# tar xf openvpn-2.3.4.tar.gz
# cd openvpn-2.3.4
# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
# make && make install
#
# which openvpn
/usr/local/sbin/openvpn      # seeing this means openvpn was installed successfully

3. Configure easy-rsa on the server

    The openvpn-2.3.4 package does not include the tools for making certificates (the CA certificate, the server certificate and the client certificates), so easy-rsa has to be downloaded separately; the latest is easy-rsa 3.

    Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages (source: the OpenVPN website)

# unzip easy-rsa-master.zip
# mv easy-rsa-master easy-rsa
# cp -R easy-rsa/ openvpn-2.3.4/
# cd openvpn-2.3.4/easy-rsa/easyrsa3/
# cp vars.example vars
# vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "nmshuishui Certificate"
set_var EASYRSA_REQ_EMAIL "353025240@qq.com"
set_var EASYRSA_REQ_OU "My OpenVPN"

4. Create the server certificate and key

(1) Initialize

# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
#
# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki

(2) Create the root certificate

# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................+++
........+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:                      # enter a passphrase; it is used when signing certificates
Verifying - Enter PEM pass phrase:          # confirm the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) :nmshuishui    # enter a Common Name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt

(3) Create the server certificate

# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................................+++
......+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) :nmshuishui-BJ    # this Common Name must NOT be the same as the one
                                                                     # used for the root certificate; a lesson learned in blood and tears
Keypair and certificate request completed. Your files are:
req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
key: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key

(4) Sign the server certificate

# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = nmshuishui


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes      # type yes to continue
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the passphrase chosen when creating the root certificate
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'nmshuishui'
Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt

(5) Create the Diffie-Hellman parameters, the command that lets the key cross an untrusted network safely:

# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+..........................+.................[...]..............+.......................++*++*

DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem

5. Create the client certificate

(1) Create a client directory under the home directory

# cd
# mkdir client
# cp -R easy-rsa/ client/

(2) Initialize

# cd client/easy-rsa/easyrsa3/
# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki

(3) Create the client key and certificate request

# ./easyrsa gen-req nmshuishui

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
..........................................................[...].....................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key'
Enter PEM pass phrase:            # enter a passphrase
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) :nmshuishui   # enter nmshuishui

Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req
key: /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key

(4) Import the resulting nmshuishui.req and sign the certificate

# cd openvpn-2.3.4/easy-rsa/easyrsa3/
#   # import the request
# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req nmshuishui

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: nmshuishui
You may now use this name to perform signing operations on this request.

#   # sign the certificate
# ./easyrsa sign client nmshuishui

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = nmshuishui


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes       # type yes
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the passphrase chosen when creating the root certificate
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'nmshuishui'
Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt   # signed successfully

(5) Files generated on the server and client sides

Server side (the /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki folder):

/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/qingliu.req
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/qingliu.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem

Client side (/root/client/easy-rsa):

/root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key
/root/client/easy-rsa/easyrsa3/pki/reqs/nmshuishui.req   # this file was imported into the server's PKI, so it exists there too

(6) Copy the server key, certificates and DH file into the openvpn directory

# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/
# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/
# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/
# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/

(7) Copy the client key and certificates into the client directory

# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client
# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/nmshuishui.crt /root/client
# cp /root/client/easy-rsa/easyrsa3/pki/private/nmshuishui.key /root/client

(8) Write the server configuration file

Once openvpn is installed it ships an example server configuration file:

/root/openvpn-2.3.4/sample/sample-config-files/server.conf

Copy this example into the openvpn directory and then edit it:

# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/
# vim openvpn-2.3.4/server.conf
local 192.168.1.104    # (your own VPS IP)
port 1194
proto udp
dev tun
ca /root/openvpn-2.3.4/ca.crt
cert /root/openvpn-2.3.4/server.crt
key /root/openvpn-2.3.4/server.key # This file should be kept secret
dh /root/openvpn-2.3.4/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3

(9) Enable IP forwarding in the kernel

# vim /etc/sysctl.conf
change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
# sysctl -p
# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

(10) Masquerade the outgoing packets (eth0 is your VPS's external network interface):

/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

III. Download and configure the OpenVPN client

1. Copy the client key and certificates out to Windows for later use

# cd client/
# ls
ca.crt  easy-rsa  nmshuishui.crt  nmshuishui.key    # the three files with extensions

2. Install the openvpn-gui tool

(1) Copy D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn to D:\Program Files (x86)\OpenVPN\config

(2) Put the three key and certificate files copied out of Linux into D:\Program Files (x86)\OpenVPN\config

(3) Edit D:\Program Files (x86)\OpenVPN\config\client.ovpn so that it reads:

client
dev tun
proto udp
remote 192.168.1.104 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt    # the certificate goes here
cert nmshuishui.crt
key nmshuishui.key
comp-lzo
verb 3

admin posted on 2019-9-5 17:00:02

   1.2 Prepare the OpenVPN installation directories

      Because this is a source install, the chosen program directory is /usr/local/openvpn and the configuration directory is /etc/openvpn

      Program directory: /usr/local/openvpn

      Configuration directory: /etc/openvpn

2. Install OpenVPN

   2.1 Build OpenVPN

      #cd /home/src/openvpn

      #tar zxvf lzo-2.03.tar.gz

      #cd lzo-2.03

      #./configure && make && make install

      Edit /etc/ld.so.conf

      #cat >> /etc/ld.so.conf << EOF
      /lib
      /lib64
      /usr/lib
      /usr/lib64
      /usr/local/lib
      /usr/local/lib64
      EOF

      After editing, run

      #ldconfig

      so that the shared libraries take effect. Next, build openvpn

      # tar zxvf openvpn-2.0.9.tar.gz

      # cd openvpn-2.0.9

      # ./configure --prefix=/usr/local/openvpn && make && make install

      #tree /usr/local/openvpn

      You should see the following output

      # tree /usr/local/openvpn/

      /usr/local/openvpn/

      |-- man

      | `-- man8

      |      `-- openvpn.8

      `-- sbin

      |-- key

      `-- openvpn

      3 directories, 3 files

3. Configure the OpenVPN server

   3.1 Set up the configuration environment

       # mkdir -p /etc/openvpn

       # cp -R /home/src/openvpn/openvpn-2.0.9/easy-rsa /etc/openvpn

       # cd /etc/openvpn/easy-rsa/2.0/

       This directory contains many programs and scripts; the ones used here are described below

       vars                  script that creates the environment variables, i.e. sets the variables that are needed

       clean-all             script that creates the files and directories needed for generating the CA certificate and key files

       build-ca              script, generates the CA certificate (interactive)

       build-dh              script, generates the Diffie-Hellman file (interactive)

       build-key-server      script, generates the server key (interactive)

       build-key             script, generates a client key (interactive)

       pkitool               script, generates certificates directly from the vars environment settings (non-interactive)

3.2 Generate the CA certificate and key [take care not to mistype anything]

    # . ./vars

    # chmod +rwx *

    Initialize the keys directory, creating the files and directories needed to generate the CA certificate and key files

    # ./clean-all

   Edit the vars file, which sets the environment variables; change the parameters in vars to suit your needs.

   export KEY_SIZE=1024                     # key size in bits

   export KEY_COUNTRY=CN                  # two-letter country code

   export KEY_PROVINCE=BeiJing            # province

   export KEY_CITY=BeiJing                  # city

   export KEY_ORG="VPN Test org"            # organization

   export KEY_OU="VPN COM"                  # organizational unit

   export KEY_EMAIL="china.client@gmail.com" # your email address

    Once the vars file is edited you can start generating the CA certificate and key files!

    # source ./vars

    Generate the root CA certificate, used to sign the server and client certificates

    #./build-ca

    # ls keys

    You can see that ca.crt and ca.key have been generated

    Generate the Diffie-Hellman file

    #./build-dh

    #ls -l keys/dh2048.pem

    You can see that the 2048-bit Diffie-Hellman file has been generated

    Generate the server's VPN server certificate

    #./build-key-server server

    server is the name you give this certificate; with the name server as the example, the generated server certificate files are: server.crt server.key

    Copy the generated CA certificate and keys to /etc/openvpn

    #cp keys/{ca.crt,ca.key,server.crt,server.key,dh2048.pem} /etc/openvpn/

3.3 Generate the client certificate and key

    To generate a client certificate and key just use the build-key program

    #./build-key client

    This generates the three client certificate files client.crt client.csr client.key in the keys directory

    Pack the five files ca.crt ca.key client.crt client.csr client.key for use by the VPN client

    [root@client2.0]#tar zcvf client.vpn.key.tar.gz keys/{ca.crt,ca.key,client.crt,client.csr,client.key}

3.4 Generate the openvpn configuration file

    The best way to create the openvpn configuration file is to start from openvpn's sample files, under sample-config-files in the source directory; in this example:

    /home/src/openvpn/openvpn-2.0.9/sample-config-files

    Server configuration file name: server.conf

    Client configuration file name: client.conf

    Modify as needed.

    The configuration file in this example is: /etc/openvpn/openvpn.conf

   #########################################################################
   port 1723    # the openvpn default port is 1194
   proto tcp
   dev tun
   #########################################################################
   # the CA certificate and server certificate are referenced by their directory; in this example they are in /etc/openvpn, the same directory as the configuration file
   #########################################################################
   ca ca.crt
   cert server.crt
   key server.key
   dh dh2048.pem
   server 172.16.0.0 255.255.0.0
   push "dhcp-option DNS 202.106.0.20"
   push "dhcp-option DNS 168.210.2.2"
   push "route 172.16.0.0 255.255.0.0"
   ifconfig-pool-persist ipp.txt
   keepalive 10 120
   comp-lzo
   user nobody
   group nobody
   persist-key
   persist-tun
   status /var/log/openvpn-status.log
   verb 3
   # clients can reach each other
   client-to-client
   # allow one user to connect more than once
   duplicate-cn
   log /var/log/openvpn.log
   log-append /var/log/openvpn.log
   #########################################################################

3.5 Create the openvpn init script

      openvpn's init script is in the source tree, under the sample-scripts directory

      the file is called openvpn.init

      Copy openvpn.init to /etc/init.d and rename it openvpn

      #cp -f /home/src/openvpn/openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn

      Because it was compiled from source into a custom prefix, line 69 of /etc/init.d/openvpn must be changed from

       openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"

      to:

      openvpn_locations="/usr/local/openvpn/sbin/openvpn /usr/sbin/openvpn /usr/local/sbin/openvpn"

3.6 Add openvpn to the system startup

      # chkconfig --add openvpn

3.7 Start/stop the openvpn service

         Start the openvpn service

         #service openvpn start

         Stop the openvpn service

         #service openvpn stop
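A review of the openvpn.conf above, added here as an example rather than anything from the post: this shell script flags directives that weaken the deployment (compression, duplicate-cn, client-to-client) and hardening directives that are missing (tls-auth/tls-crypt, crl-verify, remote-cert-tls, cipher, user/group). The rules are the script's own review policy; every directive it looks for is a real OpenVPN option. The two embedded configurations are constructed for the demo, the first abridged from the post's openvpn.conf and the second a hardened version of it; the script and function names are assumptions.

```shell
#!/bin/sh
# ovpn_conf_lint.sh -- flag weak and missing hardening directives in an OpenVPN server
# configuration. Added example, not from the post; the rules are this script's own review
# policy. Script and function names are assumptions; the directives are real OpenVPN options.

# has_directive FILE NAME -> true when NAME is an active (uncommented) directive in FILE
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# flag MESSAGE -> record one finding
flag() {
    echo "finding: $1" >&2
    n=$((n + 1))
}

# conf_findings FILE -> prints each finding on stderr and the count on stdout
conf_findings() {
    f=$1; n=0
    # Compression lets an attacker who controls part of the plaintext infer the rest
    # (the VORACLE class of attacks); OpenVPN has deprecated comp-lzo.
    if has_directive "$f" comp-lzo || has_directive "$f" compress; then
        flag "compression enabled (comp-lzo/compress): remove it"
    fi
    # duplicate-cn lets one certificate connect many times, so clients are not
    # individually accountable and revoking that certificate cuts all of them off.
    if has_directive "$f" duplicate-cn; then
        flag "duplicate-cn: issue one certificate per client instead"
    fi
    # client-to-client forwards traffic between clients inside OpenVPN, bypassing the host firewall.
    if has_directive "$f" client-to-client; then
        flag "client-to-client: clients can reach each other directly"
    fi
    # Without tls-auth or tls-crypt the control channel answers any packet from the internet
    # (the sample server.conf ships tls-auth commented out).
    if ! has_directive "$f" tls-auth && ! has_directive "$f" tls-crypt; then
        flag "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
    fi
    # Without a CRL a revoked client certificate keeps working until it expires.
    has_directive "$f" crl-verify || flag "no crl-verify: revoked certificates are still accepted"
    # remote-cert-tls client makes the server require the clientAuth EKU on client certificates.
    has_directive "$f" remote-cert-tls || flag "no remote-cert-tls client: any certificate signed by the CA can connect as a client"
    # OpenVPN 2.3 falls back to BF-CBC, a 64-bit block cipher, when no cipher is configured.
    has_directive "$f" cipher || flag "no cipher: OpenVPN 2.3 defaults to BF-CBC"
    # The daemon should drop root once the tunnel is up.
    has_directive "$f" user  || flag "no user directive: daemon keeps running as root"
    has_directive "$f" group || flag "no group directive: daemon keeps its root group"
    echo "$n"
}

# lint_string CONF_TEXT -> count of findings for an in-memory configuration
lint_string() {
    t=$(mktemp)
    printf '%s\n' "$1" > "$t"
    conf_findings "$t"
    rm -f "$t"
}

# Constructed for the demo: the post's openvpn.conf, abridged to the directives that matter here.
POST_CONF='port 1723
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 172.16.0.0 255.255.0.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
client-to-client
duplicate-cn
log-append /var/log/openvpn.log'

# The same deployment with the findings addressed, in 2.0/2.3-era syntax.
HARDENED_CONF='port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
crl-verify crl.pem
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
server 172.16.0.0 255.255.0.0
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3
log-append /var/log/openvpn.log'

if [ "$(basename "$0")" = "ovpn_conf_lint.sh" ]; then
    echo "post's openvpn.conf: $(lint_string "$POST_CONF") finding(s)"
    echo "hardened version:    $(lint_string "$HARDENED_CONF") finding(s)"
fi
```

The hardened variant keeps directives that OpenVPN 2.0/2.3 understand: tls-auth with a key made by openvpn --genkey --secret ta.key (the client needs the same file and tls-auth ta.key 1), crl-verify with the CRL that easy-rsa's revoke-full writes, and an explicit cipher. On 2.4 and later, tls-crypt and an AES-GCM cipher are the better choices. Run conf_findings /etc/openvpn/openvpn.conf on the real file.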

admin posted on 2019-9-5 17:00:03

Install LZO. Code:
cd /lzo-2.02
./configure
make
make check
make install
Install OpenVPN
Code:

cd /openvpn-2.0.5
./configure
# or with explicit directories (note: this is a single command; it is split across four lines here for display)
# ./configure --with-lzo-headers=/usr/local/include \
#   --with-lzo-lib=/usr/local/lib \
#   --with-ssl-headers=/usr/local/include/openssl \
#   --with-ssl-lib=/usr/local/lib
make
make install
Generate the certificates and keys
Initialize the PKI

(if there is no export command, setenv can be used instead)

Code:

cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="xiaohui.com"
export KEY_EMAIL="your-email xiaohui.com"
Build:
Code:

./clean-all
./build-ca

Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address xiaohui.com]:
# Create the server key. Code:
./build-key-server server

Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:server
Email Address xiaohui.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:xiaohui.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName         :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'your-email xiaohui.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? :y


1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
# Generate the client key

Code:

./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:xiaohui.com
Common Name (eg, your name or your server's hostname) []:client1    # important: every client's certificate must have a different name.
Email Address xiaohui.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:xiaohui.com
Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName         :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'xiaohui.com'
organizationalUnitName:PRINTABLE:'xiaohui.com'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'your-email xiaohui.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? :y


1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates/keys the same way

Code:

./build-key client2
./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, the name entered must be different for every certificate.
Generate the Diffie-Hellman parameters. Code:
./build-dh
Pack all the files under keys and download them to your local machine
Code:

tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
cp mykeys.tar /home/xiaohui.comsys/public_html/mykeys.tar
Move mykeys.tar to the web public directory (the absolute path differs per setup), download it to your machine via http://www.a.com/mykeys.tar, then delete it from the server. Code:
rm /home/xiaohui.comsys/public_html/mykeys.tar
Other ways of getting the key files to your machine work too, e.g. ftp.
Create the server configuration file
Create it from the sample file:

Code:

cd $dir/sample-config-files/   # enter the sample-config-files subdirectory of the unpacked source tree
cp server.conf /usr/local/etc   # copy the server configuration file to /usr/local/etc
vi /usr/local/etc/server.conf
The contents of the server.conf I created are attached separately later.
Create the client configuration file
Code:

cd $dir/sample-config-files/   # enter the sample-config-files subdirectory of the unpacked source tree
cp client.conf /usr/local/etc   # copy the client configuration file to /usr/local/etc
vi /usr/local/etc/client.conf
The contents of the client.conf I created are attached separately later.
Start OpenVPN. Code:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
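Both this post (mykeys.tar of the whole keys directory, parked in a web root and fetched over HTTP) and the previous one (the five-file tarball that includes ca.key) move the CA's private key off the signing host. A client only needs ca.crt, its own certificate and its own key; ca.key is what signs new client certificates, so anyone who obtains it can mint credentials for the VPN. The script below is an added example, not from either post: it builds a client bundle from an easy-rsa 2 keys directory that by construction never contains the CA key or a CSR, checks an existing archive for a leaked ca.key, and prints a SHA-256 digest to compare after the transfer (copy the bundle with scp rather than over plain HTTP). The script name, function names and the placeholder files in the demo are assumptions.

```shell
#!/bin/sh
# client_bundle.sh -- ship only what a VPN client needs from an easy-rsa 2 keys directory.
# Added example, not part of either post; the layout follows easy-rsa 2 (keys/ca.crt,
# keys/NAME.crt, keys/NAME.key). Script and function names are assumptions.

# bundle_client KEYS_DIR NAME OUT_TAR
# Creates OUT_TAR holding exactly ca.crt, NAME.crt and NAME.key (bare names, no directory
# prefix). ca.key and NAME.csr are deliberately never part of the file list.
bundle_client() {
    keys=$1; name=$2; out=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keys/$f" ] || { echo "bundle_client: missing $keys/$f" >&2; return 1; }
    done
    tar -cf "$out" -C "$keys" ca.crt "$name.crt" "$name.key" || return 1
    chmod 600 "$out"     # the archive contains a private key; keep it owner-only
}

# bundle_leaks_ca_key TAR -> exit 0 (true) if the archive contains a CA private key anywhere
bundle_leaks_ca_key() {
    tar -tf "$1" | grep -Eq '(^|/)ca\.key$'
}

# bundle_digest FILE -> SHA-256 hex digest, using whichever tool the host has
bundle_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Demo with constructed placeholder files (the real ones come from build-ca / build-key).
if [ "$(basename "$0")" = "client_bundle.sh" ]; then
    work=$(mktemp -d)
    mkdir "$work/keys"
    for f in ca.crt ca.key client1.crt client1.csr client1.key; do
        printf 'placeholder for %s\n' "$f" > "$work/keys/$f"
    done
    bundle_client "$work/keys" client1 "$work/client1.tar"
    echo "contents:"; tar -tf "$work/client1.tar"
    echo "sha256: $(bundle_digest "$work/client1.tar")   (send this by another channel)"
    tar -cf "$work/mykeys.tar" -C "$work" keys          # what the posts do
    bundle_leaks_ca_key "$work/mykeys.tar" && echo "mykeys.tar contains ca.key: do not distribute it"
    rm -rf "$work"
fi
```

On the server that is the sequence bundle_client keys client1 client1.tar, then scp client1.tar to the client machine and compare bundle_digest on both ends; the client extracts ca.crt, client1.crt and client1.key into its config directory and nothing else is needed.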

admin posted on 2019-9-6 10:55:09


admin posted on 2019-9-6 11:00:54
