一、简介
VPN直译就是虚拟专用通道,是提供给企业之间或者个人与公司之间安全数据传输的隧道,OpenVPN无疑是Linux下开源VPN的先锋,提供了良好的性能和友好的用户GUI。
OpenVPN大量使用了OpenSSL加密库中的SSLv3/TLSv1协议函数库。
OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。
二、环境规划
openvpn 服务端 centos7
IP 192.168.31.168
双网卡
三、安装部署
1.配置yum源(安装epel)
参考地址:https://fedoraproject.org/wiki/EPEL
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm yum update yum repolist
2.生成证书
2.1.下载证书生成工具easy-rsa
yum -y install easy-rsa
2.2.创建证书环境目录
mkdir -p /opt/easy-rsa cp -a /usr/share/easy-rsa/3.0.8/* /opt/easy-rsa/ cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example /opt/easy-rsa/vars
2.3.生成秘钥前,准备vars
文件
修改文件/opt/easy-rsa/vars
中的如下配置(要取消注释)
set_var EASYRSA_DN "cn_only" set_var EASYRSA_REQ_COUNTRY "CN" set_var EASYRSA_REQ_PROVINCE "Shanghai" set_var EASYRSA_REQ_CITY "Shanghai" set_var EASYRSA_REQ_ORG "lucifer" set_var EASYRSA_REQ_EMAIL "pc1107750981@163.com" set_var EASYRSA_NS_SUPPORT "yes"
2.4.初始化
在当前目录下创建pki
目录,用于存储证书
[root@openvpn easy-rsa]# cd /opt/easy-rsa/ [root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa init-pki Note: using Easy-RSA configuration from: /opt/easy-rsa/vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /opt/easy-rsa/pki
2.5.创建根证书
根证书用于ca对之后生成的server和client证书签名时使用。(输入两次密码,直接回车)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa build-ca Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus .....+++ ..........................................+++ e is 65537 (0x10001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /opt/easy-rsa/pki/ca.crt
2.6.创建server端证书和私钥文件
nopass表示不加密私钥文件,生成过程中直接回车默认
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req server nopass Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ...........................+++ ........................................................................+++ writing new private key to '/opt/easy-rsa/pki/easy-rsa-1326.TIfM4D/tmp.rxSnIM' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: Keypair and certificate request completed. Your files are: req: /opt/easy-rsa/pki/reqs/server.req key: /opt/easy-rsa/pki/private/server.key
2.7.给server证书签名(输入yes,输入密码)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign server server Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/easy-rsa/pki/easy-rsa-1397.ds5qpo/tmp.lX0IFN Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'server' Certificate is to be certified until Jun 3 14:02:46 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/easy-rsa/pki/issued/server.crt
2.8.创建Diffie-Hellman文件,秘钥交换时的Diffie-Hellman算法
/opt/easy-rsa/easyrsa gen-dh
2.9.创建client端证书和私钥文件
nopass表示不加密私钥文件,生成过程中直接回车默认
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req client nopass Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ..................................................................+++ ...................................................................................................................+++ writing new private key to '/opt/easy-rsa/pki/easy-rsa-1761.HYs4Xv/tmp.z02JuI' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /opt/easy-rsa/pki/reqs/client.req key: /opt/easy-rsa/pki/private/client.key
2.10. 给client端证书签名(输入yes,输入密码)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign client client Note: using Easy-RSA configuration from: /opt/easy-rsa/vars Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 825 days: subject= commonName = client Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /opt/easy-rsa/pki/easy-rsa-1828.VwQHeF/tmp.eYqBSS Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client' Certificate is to be certified until Jun 3 14:09:37 2023 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /opt/easy-rsa/pki/issued/client.crt
四、OpenVPN服务端部署
1.安装openvpn
软件
yum -y install openvpn
2.修改配置文件
自行创建配置文件/etc/openvpn/server.conf
,并加入如下配置
port 1194 #端口 proto udp #协议 dev tun #采用路由隧道模式tun ca ca.crt #ca证书文件位置 cert server.crt #服务端公钥名称 key server.key #服务端私钥名称 dh dh.pem #交换证书 server 10.8.0.0 255.255.255.0 #给客户端分配地址池,注意:不能和VPN服务器内网网段有相同 push "route 192.168.31.1 255.255.255.0" #允许客户端访问内网192.168.31.1网段 ifconfig-pool-persist ipp.txt #地址池记录文件位置 keepalive 10 120 #存活时间,10秒ping一次,120 如未收到响应则视为断线 max-clients 100 #最多允许100个客户端连接 status openvpn-status.log #日志记录位置 verb 3 #openvpn版本 client-to-client #客户端与客户端之间支持通信 log /var/log/openvpn.log #openvpn日志记录位置 persist-key #通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys。 persist-tun #检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup duplicate-cn
3. 拷贝证书到openvpn主配置文件目录下
cp -a /opt/easy-rsa/pki/ca.crt /etc/openvpn/ cp -a /opt/easy-rsa/pki/issued/server.crt /etc/openvpn/ cp -a /opt/easy-rsa/pki/private/server.key /etc/openvpn/ cp -a /opt/easy-rsa/pki/dh.pem /etc/openvpn/
4 启动openvpn
systemctl -f enable openvpn@server.service systemctl start openvpn@server.service
五、OpenVPN客户端部署
1.安装OpenVPN客户端软件
这里是在windows环境下部署OpenVPN的客户端的,首先需要下载安装OpenVPN客户端软件
2.配置客户端
拷贝服务端生成的证书到OpenVPN安装目录的config
目录下
分别拷贝以下几个文件
/opt/easy-rsa/pki/ca.crt /opt/easy-rsa/pki/issued/client.crt /opt/easy-rsa/pki/private/client.key
3.编写客户端配置文件
在OpenVPN安装目录的config
目录下,新建一个client.ovpn
文件,在文件中添加如下配置:
client #指定当前VPN是客户端 dev tun #使用tun隧道传输协议 proto udp #使用udp协议传输数据 remote 192.168.31.168 1194 #openvpn服务器IP地址端口号 resolv-retry infinite #断线自动重新连接,在网络不稳定的情况下非常有用 nobind #不绑定本地特定的端口号 ca ca.crt #指定CA证书的文件路径 cert client.crt #指定当前客户端的证书文件路径 key client.key #指定当前客户端的私钥文件路径 verb 3 #指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细 persist-key #通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys persist-tun #检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup
4.启动OpenVPN客户端软件
双击安装好后的OpenVPN软件,然后右键点击连接。
连接成功后,在托任务栏位置的OpenVPN图标会变绿色,则说明OpenVPN已经连接成功。
OpenVPN会分配一个IP地址给客户端,客户端会使用该虚拟网络IP地址与服务端进行通信。
4.1 Centos 7启用动VPN客户端
将配置文件client.ovpn 修改为 client.conf 上传到/etc/openvpn ,同时 将如下文件也上传到该目录,
ca.crt
client.crt
client.key
client.conf
4.2 启用openvpn client
systemctl -f enable openvpn@client.service systemctl start openvpn@client.service
4.3 查看接口
ip add #查看UP的接口
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.18 peer 10.8.0.17/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::9558:d1f0:9b36:3ba3/64 scope link flags 800
valid_lft forever preferred_lft forever
六、site to site router TAP方式配置
1. 配置文件中TAP 与 TUN的实际实例区别
tap俗称网桥模式,tun俗称路由模式,tap在二层,tun在三层,在实际应用中,其实以上这些知识概念,我是抄来的,具体的解释可以看以下参考链接。
下面将介绍在实际使用中的区别:
1、tap可以直接使用route这样的路由表命令,但不能用于手机设备。
2、tun可以用于手机,但不能使用route这样的路由表命令,压根无法穿透。
3、tap和tun的路由配置区别,tap往往结合路由表进行设定下一跳,而tun则往往要和iptables集合紧密来实现下一跳。
所以,如果想要组件VPN实现路由命令进行路由网关的多级跳转,那么需要搭建tap网桥模式。
如果使用了tun模式,那么悲剧的东西要来了,想要实现nat转发,那么你只能选择使用iptables来实现。
1.1 修改方法
server 端:
编辑 vim /etc/openvpn/server.conf 参数 dev tap
client 端:
编辑 vim /etc/openvpn/server.conf 参数 dev tap
修改完成后重启服务
systemctl restart openvpn@server.service
systemctl restart openvpn@client.service
2. 固定client 端IP (因采用路由方式时需要配置静态路由IP地址不能变,估需要固定)
编辑服务端 vim /etc/openvpn/ipp.txt
添加client,10.8.0.2 #此配置可将用户client的ip固定为10.8.0.2
保存退出重启client端
systemctl restart openvpn@client.service
通过研究ipp.txt文件设置有问题,设置以后不起做用。
其中上面的用户名应该为证书的CN名才对,若是想要不一样的客户端不一样的IP的方法,只能申请不一样的CN名的证书,否则没法实现。
3. 配置路由
临时路由:(重启后失效)
ip route add 192.168.8.0/24 via 10.8.0.2 dev tap0
永久路由:(对openvp tap接口不生效)
vim /etc/sysconfig/network-scripts/route-XXX #创建文件添加如下:
192.168.8.0/24 via 10.8.0.2
保存退出
启动脚本方式:
vim /etc/rc.local #编辑文件添加如下
vim /etc/rc.d/rc.local #同一个文件
ip route add 192.168.8.0/24 via 10.8.0.2 dev tap0
如果不生效检查以上两个文件 是否有执行权限,如没有添加
chmod +x rc.d/rc.local
sh方式(实践最好用的)
vim route.sh #创建sh文件
chmod +x route.sh # 给文件执行权限
vim /etc/rc.local #修改开机启动文件
添加如下内容sh /root/route.sh #增加开机执行.sh文件
参考:
https://www.hostloc.com/thread-6508-1-1.html
http://blog.shell909090.org/blog/archives/2724/
https://my.oschina.net/guol/blog/39924
https://blog.csdn.net/wsclinux/article/details/53289197
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting(官方介绍)
https://community.openvpn.net/openvpn/wiki/BridgingOverview(官方介绍)