Building a solid SSL VPN service for the enterprise on CentOS

Posted 2020-1-19 08:52:01

I. OpenVPN implements its SSL VPN on top of a virtual TUN/TAP device, so the kernel must support the TUN/TAP device module. In 2.6.x kernels this option lives under Device Drivers -> Network device support and is called "Universal TUN/TAP device driver support". In a standard kernel it is normally built as a module, and OpenVPN loads it automatically at startup, so there is no need to load it by hand. Before rebuilding anything, check whether the stock kernel already provides it: the tun module should load with modprobe, and /dev/net/tun should exist afterwards.
[root@www.linuxidc.com 2.6.18-238.12.1.el5-i686]# pwd
/usr/src/kernels/2.6.18-238.12.1.el5-i686
[root@www.linuxidc.com 2.6.18-238.12.1.el5-i686]# make menuconfig  # open the kernel configuration menu
Device Drivers  --->
Network device support  --->
<M> Universal TUN/TAP device driver support     # <M> means the driver is built as a loadable kernel module

II. Before installing OpenVPN, install the supporting packages: the OpenSSL development library and the LZO compression development library.
1. The OpenSSL development library can be installed with yum; the LZO development package has to be downloaded and built by hand.
# yum install openssl
# yum install openssl-devel
# yum install pam-devel
2. Download LZO from http://www.oberhumer.com/opensource/lzo/
# tar -zxvf lzo-2.10.tar.gz
# cd lzo-2.10
# ./configure
# make
# make install
III. Configure the SSL VPN service
1. Download the OpenVPN source tarball from http://openvpn.net/release/ and install it. (The original text names openvpn-2.0.9.tar.gz while the commands below unpack 2.1.1, and later output shows both /usr/src/openvpn-2.0.9 and /root/openvpn-2.1.1 paths; the listing mixes two runs, so substitute the release you actually downloaded wherever a version appears.)
# tar -zxvf openvpn-2.1.1.tar.gz
# cd openvpn-2.1.1
[root@webbs168x openvpn-2.1.1]# ./configure --prefix=/usr/local/openvpn
[root@webbs168x openvpn-2.1.1]# make
[root@webbs168x openvpn-2.1.1]# make install
[root@webbs168x openvpn-2.1.1]# cp -p sample-scripts/openvpn.init /etc/init.d/openvpn
[root@webbs168x openvpn-2.1.1]# chkconfig --add openvpn
[root@webbs168x openvpn-2.1.1]# service openvpn status  # check the service status
openvpn: service not started

# chkconfig --list openvpn
openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off
Note that with --prefix=/usr/local/openvpn the binary is installed as /usr/local/openvpn/sbin/openvpn, which is neither on the default PATH nor among the locations the sample init script searches (see its openvpn_locations variable). Either symlink it into /usr/local/sbin or build without the --prefix, otherwise the later service openvpn start and openvpn --genkey commands will not find it.
2. Enable IP forwarding
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
Forwarding is only needed if VPN clients are to reach hosts behind the server, and by itself it gives no return path: either the internal hosts (or their gateway) must route 172.16.10.0/24 back to the VPN server, or the server must NAT the VPN subnet. Neither is configured in this post.
3. Use /etc/openvpn as the OpenVPN configuration directory and /etc/openvpn/server.conf as the server configuration file.
OpenVPN is an SSL VPN implementation, so the heart of authentication is managing the server and client SSL certificates. If the administrator has no existing certificate issuance process, the tools bundled with OpenVPN can do all of the work.
The source tree (/root/openvpn-2.1.1 here) contains an easy-rsa directory with scripts for generating and managing SSL certificates; the steps below generate the certificates with them.
# mkdir -p /etc/openvpn
# cp -p sample-config-files/server.conf /etc/openvpn/   # copy the sample config to /etc/openvpn/; it is edited later
4. Edit the variables in the vars file: country code, province, city, organization, e-mail address, and so on.
# cd easy-rsa/
# grep -v "#" vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="DIC"
export KEY_EMAIL="tghfly222@126.com"
easy-rsa# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/src/openvpn-2.0.9/easy-rsa/keys   # ./clean-all wipes every certificate, including the CA
KEY_SIZE=1024 is the value the post used, and every key and the DH parameter below come out 1024 bits long. That size is no longer considered adequate; set KEY_SIZE=2048 before sourcing vars. build-dh uses the same variable, so it will then write dh2048.pem and the dh line in server.conf must name that file instead of dh1024.pem.
5. Use the clean-all script to wipe all certificates, including the CA, then create the CA certificate.
[root@www.linuxidc.com easy-rsa]# ./clean-all   # wipe any existing certificates first, then create new ones
[root@www.linuxidc.com easy-rsa]# ./build-ca  # create the CA certificate
Generating a 1024 bit RSA private key
..........++++++
................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:dic172   # the post reuses the server hostname; a distinct CA name (for example the organization's VPN CA) avoids confusing the CA with the server certificate
Email Address [tghfly222@126.com]:
6. Create the server key.
[root@www.linuxidc.com easy-rsa]# ./build-key-server server  # create the server key and certificate
Generating a 1024 bit RSA private key
............................................++++++
....++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:dic172  # server hostname
Email Address [tghfly222@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dic172   # a CSR attribute only; it does not encrypt server.key, which stays unprotected on disk
An optional company name []:dic172
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'DIC'
commonName            :PRINTABLE:'dic172'
emailAddress          :IA5STRING:'tghfly222@126.com'
Certificate is to be certified until Jul 16 05:51:08 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
build-key-server differs from build-key in that it signs with the server extensions from the [server] section of openssl.cnf (nsCertType=server; the easy-rsa 2.0 scripts shipped with OpenVPN 2.1 also add extendedKeyUsage=serverAuth). The client configuration can require these, so that no client certificate issued by the same CA can be used to impersonate the server.
7. Create the client key; the client key can be given any name.
[root@www.linuxidc.com easy-rsa]# ./build-key client
Generating a 1024 bit RSA private key
.....++++++
.......................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) [DIC]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:tgh  # every client must get a different Common Name
Email Address [tghfly222@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dic172
An optional company name []:dic172
Using configuration from /usr/src/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'DIC'
commonName            :PRINTABLE:'tgh'
emailAddress          :IA5STRING:'tghfly222@126.com'
Certificate is to be certified until Jul 16 05:52:27 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Repeat this step once per client. The CA database (index.txt and serial under easy-rsa/keys) rejects a second certificate with an identical subject, and OpenVPN identifies connected clients by Common Name, so sharing one certificate between several people loses per-user accountability and makes it impossible to revoke one user without cutting off the rest. Keep the easy-rsa directory: it is needed to issue further certificates and to run revoke-full when a client key is lost.
8. Create the Diffie-Hellman (DH) parameter file
[root@www.linuxidc.com easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+.......+.....+........................+......................+.....+...........................+..........+.......+.................................................+.....................+............+..............................................+..........................................................+..............................+...........................+..+.....+......++*++*++*
The parameter size follows KEY_SIZE; with KEY_SIZE=2048 this step writes dh2048.pem. A 1024-bit DH group offers the same thin margin as a 1024-bit RSA key, so the two should be raised together.
9. Generate the tls-auth key. tls-auth adds an HMAC signature to every packet on the TLS control channel, so the server discards packets that lack a valid HMAC before doing any TLS work; this shuts out unauthenticated probes, denial-of-service attempts against the TLS handshake, and exploitation of bugs in the TLS stack itself. If you use it, the server and every client must have the same key file.
[root@www.linuxidc.com easy-rsa]# openvpn --genkey --secret keys/ta.key
[root@www.linuxidc.com easy-rsa]# cp -rp keys/ /etc/openvpn/    # copy the certificate files to /etc/openvpn/
Copying the whole keys directory also copies ca.key, which the VPN server never needs. The CA private key belongs on an offline or at least separate host, because whoever holds it can mint client certificates that the server will accept. Copy only ca.crt, server.crt, server.key, the dh file and ta.key, and restrict server.key and ta.key to root with chmod 600.
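Steps 4 to 9 above are interactive easy-rsa runs. What follows is an added example, not from the original post or from the OpenVPN project, that builds an equivalent PKI non-interactively with the openssl command line (2048-bit keys, a CA name distinct from the server, and the server-only extensions that build-key-server applies) and then runs the checks worth doing before the files are copied into /etc/openvpn: chain verification, private key to certificate match, key length, the server EKU present on the server certificate and absent from client certificates, and private key file permissions. The output directory, subject names and ten-year validity are assumptions; it needs only the openssl binary and a POSIX shell.

```shell
# Added example: build a throwaway OpenVPN-style PKI with plain openssl and
# verify it the way easy-rsa output should be verified. Not the post's code;
# directory, subject names and 3650-day validity are assumptions.

# Create CA, server and client certificates under $1 with $2-bit RSA keys.
make_demo_pki() {
    dir=$1; bits=${2:-2048}
    mkdir -p "$dir"
    # Self-signed CA with a CN that is not the server hostname.
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/C=CN/O=DIC/CN=DIC-VPN-CA" 2>/dev/null
    # Server certificate: the extensions build-key-server adds, so a client
    # configured with ns-cert-type/remote-cert-tls server rejects any other cert.
    printf 'extendedKeyUsage = serverAuth\nnsCertType = server\n' > "$dir/server.ext"
    openssl req -new -newkey "rsa:$bits" -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/C=CN/O=DIC/CN=dic172" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # Client certificate: unique CN per client, no server extensions.
    openssl req -new -newkey "rsa:$bits" -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/C=CN/O=DIC/CN=tgh" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -out "$dir/client.crt" 2>/dev/null
    chmod 600 "$dir"/*.key
}

# Print the RSA modulus size of a private key, e.g. 2048.
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed if the certificate ($1) carries the public half of the key ($2).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed if the certificate carries the serverAuth extended key usage.
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Pre-deployment check of a keys directory: one line per finding, returns 1
# if anything failed, 0 if the directory is clean.
verify_pki() {
    dir=$1; rc=0
    for c in server client; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$c.crt" >/dev/null 2>&1 \
            || { echo "$c.crt: not signed by ca.crt"; rc=1; }
        key_matches_cert "$dir/$c.crt" "$dir/$c.key" \
            || { echo "$c.key: does not match $c.crt"; rc=1; }
        [ "$(key_bits "$dir/$c.key")" -ge 2048 ] 2>/dev/null \
            || { echo "$c.key: RSA key shorter than 2048 bits"; rc=1; }
    done
    has_server_eku "$dir/server.crt" || { echo "server.crt: missing serverAuth EKU"; rc=1; }
    has_server_eku "$dir/client.crt" && { echo "client.crt: must not carry serverAuth EKU"; rc=1; }
    # Private keys must not be readable by other users (chmod 600).
    for k in "$dir"/*.key; do
        [ -z "$(find "$k" -perm -004)" ] || { echo "$k: world-readable"; rc=1; }
    done
    return $rc
}
```

Run verify_pki against the easy-rsa keys directory before step 10; a non-zero exit with findings printed means something should be regenerated or repermissioned before the files reach the server, and the same function flags the 1024-bit keys the post's KEY_SIZE produces.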
10. Edit the server.conf configuration file
[root@www.linuxidc.com openvpn]# grep -v "#" server.conf
local 192.168.161.172     # IP address the server listens on
port 1194                      # listen on port 1194
proto udp                      # use UDP
dev tun                         # use a tun device
ca /etc/openvpn/keys/ca.crt    # path to the CA certificate
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh1024.pem
tls-auth /etc/openvpn/keys/ta.key 0
server 172.16.10.0 255.255.255.0   # address pool from which connecting clients get their IP
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.96.134.133"   # DNS server pushed to clients
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
Three things to know about this listing. The key directive is absent only because the sample file writes it as key server.key followed by a "# This file should be kept secret" comment, so grep -v "#" dropped the line; the file must contain key /etc/openvpn/keys/server.key or the daemon has no private key and refuses to start. client-to-client lets every VPN client talk directly to every other one; leave it out unless that is intended. And the sample file ships user nobody and group nobody commented out; uncommenting them (together with persist-key and persist-tun, which are already set) drops root privileges once the tun device and key files have been opened, which limits what a compromise of the daemon can do.
[root@www.linuxidc.com openvpn-2.0.9]# service openvpn start
Starting openvpn: [  OK  ]
[root@www.linuxidc.com openvpn-2.0.9]# netstat -anp |grep :1194
udp        0      0 192.168.161.172:1194        0.0.0.0:*                               25162/openvpn
7 E/ W; C) R) w3 K# R+ [" G
IV. Configure the SSL VPN client on Windows XP (client IP 192.168.163.96)
1. Download openvpn-2.0.9-gui-1.0.3-install.exe from http://openvpn.se/files/install_packages/
2. Install openvpn-2.0.9-gui-1.0.3-install.exe, clicking Next all the way through. Since this machine only acts as a client, the OpenVPN Service component does not need to be installed.

After installation, an OpenVPN GUI icon and an additional local area connection icon appear in the taskbar.
3. Configure the client: copy ca.crt, client.crt, client.key and ta.key from /etc/openvpn/keys/ on the server into C:\Program Files\OpenVPN\config on the client. The post says to copy ca.*, client.* and ta.*, but ca.* also matches ca.key, the CA private key, which must never be handed to a client; a client needs only the CA certificate. Then copy the sample client configuration client.ovpn from C:\Program Files\OpenVPN\sample-config into C:\Program Files\OpenVPN\config.

4. Edit client.ovpn as follows and save it.
client
dev tun
proto udp
remote 192.168.161.172 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
comp-lzo
verb 3
mute 20
As written, this client accepts any certificate signed by the CA as the server, including other clients' certificates, so one client holder who can get into the network path could impersonate the VPN server to the others. The sample client configuration carries ns-cert-type server commented out; enable it (on 2.1 and later clients the equivalent is remote-cert-tls server) so that only a certificate built with build-key-server is accepted. Note also that server and client must agree on comp-lzo, and that the tls-auth direction is 1 on the client and 0 on the server.
5. Start the connection: right-click the OpenVPN GUI icon in the bottom-right corner of the screen and choose Connect.
6. Once the connection is up the icon changes to show the connected state. The SSL VPN service is now fully configured.
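The server.conf from step 10 and the client.ovpn from step 4 above work, but they carry the weak spots discussed alongside them. The following is an added example of mine, not code from the post or from OpenVPN: it writes a hardened pair of configurations (same addresses, ports and paths as the post, with the key directive restored, 2048-bit DH, privilege drop, client-to-client removed, and the client requiring a server certificate) and provides a small audit function that reads any OpenVPN config and reports those issues. Only directives that exist in OpenVPN 2.0.9/2.1 are used; the newer tls-version-min is deliberately not included. The output directory and the exact hardened directive set are assumptions.

```shell
# Added example: audit an OpenVPN config for the weak spots in the post's
# server.conf / client.ovpn and write a hardened pair. Not the post's code;
# the directory argument and the hardened directive set are assumptions.

# Print the first argument of directive $2 in config $1 (empty if absent),
# stripping trailing # and ; comments the way openvpn does.
conf_get() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Succeed if directive $2 appears (uncommented) anywhere in config $1.
conf_has() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { found = 1 } END { exit !found }'
}

# Audit a config: prints one finding per line, returns 1 if any were found.
# A config containing a "server" directive is treated as the server side.
audit_openvpn_conf() {
    f=$1; rc=0
    if [ -n "$(conf_get "$f" server)" ]; then
        [ -n "$(conf_get "$f" key)" ] || { echo "missing 'key' (server private key) directive"; rc=1; }
        [ -n "$(conf_get "$f" user)" ] && [ -n "$(conf_get "$f" group)" ] \
            || { echo "no 'user'/'group': daemon keeps root after startup"; rc=1; }
        case "$(conf_get "$f" dh)" in
            "")               echo "missing 'dh' directive"; rc=1 ;;
            *dh1024*|*dh512*) echo "DH parameters shorter than 2048 bits"; rc=1 ;;
        esac
        conf_has "$f" client-to-client \
            && { echo "'client-to-client' lets VPN clients reach each other; drop unless required"; rc=1; }
    else
        [ "$(conf_get "$f" remote-cert-tls)" = server ] || [ "$(conf_get "$f" ns-cert-type)" = server ] \
            || { echo "client does not require a server certificate: any client cert can impersonate the server"; rc=1; }
    fi
    [ -n "$(conf_get "$f" tls-auth)" ] || { echo "no 'tls-auth': control channel accepts packets from anyone"; rc=1; }
    return $rc
}

# Write a hardened server.conf and client.ovpn into directory $1.
write_hardened_configs() {
    mkdir -p "$1"
    cat > "$1/server.conf" <<'EOF'
local 192.168.161.172
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key   # required; hidden by grep -v "#" in the post's listing
dh /etc/openvpn/keys/dh2048.pem    # from build-dh with KEY_SIZE=2048
tls-auth /etc/openvpn/keys/ta.key 0
server 172.16.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 202.96.134.133"
keepalive 10 120
comp-lzo
user nobody                        # drop privileges after the tun device and keys are open
group nobody
persist-key                        # keep key material across restarts now that we are unprivileged
persist-tun
status openvpn-status.log
verb 3
mute 20
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 192.168.161.172 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
ns-cert-type server                # 2.0.x client; on 2.1+ use: remote-cert-tls server
comp-lzo
verb 3
mute 20
EOF
}
```

Point audit_openvpn_conf at the live /etc/openvpn/server.conf and at each client's .ovpn; the server branch triggers on the server directive, so the same function serves both sides. comp-lzo is kept because a 2.0.9 client does not negotiate compression and both ends must agree; if you later run 2.4 or newer on both sides, prefer turning compression off.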