• Open-you-know-what (OpenVPN) setup document


    The guy before me at the company installed one that could be logged into without any username/password authentication, then he left, and setting this thing up landed on me. I had never done it before; after three days of fiddling I finally got it working.
    Then, damn it, the client could connect but could not log in to the server; the configuration looked fine, and in the end I was forced to read the logs, which is when I understood what was going on, and now it works. Writing it down right away.

    This is the preparation: install the packages first and get things ready.

    OpenVPN install document
    
    yum install openvpn
    
    yum install easy-rsa
    
    mkdir /etc/openvpn/easy-rsa && cd /etc/openvpn/easy-rsa
    
    cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
    
    cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
    

    This file needs editing. There should also be a setting here for the certificate validity period; I did not change it, you can look for it yourselves.

    vim /etc/openvpn/easy-rsa/vars
    
    set_var EASYRSA_DN      "cn_only"
    set_var EASYRSA_REQ_COUNTRY     "CN"
    set_var EASYRSA_REQ_PROVINCE    "Beijing"
    set_var EASYRSA_REQ_CITY        "Beijing"
    set_var EASYRSA_REQ_ORG "cabpo.net"
    set_var EASYRSA_REQ_EMAIL       "hans.zhang@cabpo.net"
    set_var EASYRSA_REQ_OU          "cabpo"
    

    Initialize the PKI: this creates the pki directory that will hold the certificates.

    /etc/openvpn/easy-rsa/easyrsa init-pki
    
    [root@ecs-226177 easy-rsa]# /etc/openvpn/easy-rsa/easyrsa init-pki
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    
    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
    

    Create the root (CA) certificate; the CA uses it to sign the server and client certificates generated next.

    /etc/openvpn/easy-rsa/easyrsa build-ca
    
    [root@ecs-226177 easy-rsa]# /etc/openvpn/easy-rsa/easyrsa build-ca
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    
    Enter New CA Key Passphrase: (enter a passphrase of your choice)
    Re-Enter New CA Key Passphrase: (enter the same passphrase again)
    Generating RSA private key, 2048 bit long modulus
    ........................+++
    .....................................................................+++
    e is 65537 (0x10001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:(press Enter)
    
    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /etc/openvpn/easy-rsa/pki/ca.crt
    

    Create the server certificate request and key file (nopass means the key file is not encrypted; just press Enter through the prompts).

    /etc/openvpn/easy-rsa/easyrsa gen-req server nopass
    
    [root@ecs-226177 easy-rsa]# /etc/openvpn/easy-rsa/easyrsa gen-req server nopass
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating a 2048 bit RSA private key
    ......................................................................+++
    .............+++
    writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-19178.xyEJwt/tmp.NTyyFh'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [server]:(press Enter)
    
    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/pki/reqs/server.req
    key: /etc/openvpn/easy-rsa/pki/private/server.key
    

    Sign the server certificate.

    /etc/openvpn/easy-rsa/easyrsa sign server server
    
    [root@ecs-226177 easy-rsa]# /etc/openvpn/easy-rsa/easyrsa sign server server
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    
    
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.
    
    Request subject, to be signed as a server certificate for 825 days:
    
    subject=
        commonName                = server
    
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes
    Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-19206.WkkjHk/tmp.giM6Ps
    Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:(enter the CA passphrase you set; if you forgot it, start over)
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'server'
    Certificate is to be certified until Oct  1 06:52:05 2024 GMT (825 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt # certificate location
    

    Create the Diffie-Hellman parameters file, used for the Diffie-Hellman key exchange.

    /etc/openvpn/easy-rsa/easyrsa gen-dh
    
    [root@ecs-226177 easy-rsa]# /etc/openvpn/easy-rsa/easyrsa gen-dh
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ..+....................................................+.......+..... [several screens of progress dots trimmed] ....+...............+....................++*++*
    
    DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
    

    Create the client certificate request and key file (nopass means the key file is not encrypted; just press Enter through the prompts).

    /etc/openvpn/easy-rsa/easyrsa gen-req client nopass
    
    [root@ecs-226177 easy-rsa]# /etc/openvpn/easy-rsa/easyrsa gen-req client nopass
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating a 2048 bit RSA private key
    .................................................................................................................+++
    ........................+++
    writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-19354.8qb3q9/tmp.KMQYGU'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [client]:(press Enter for the default)
    
    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/pki/reqs/client.req
    key: /etc/openvpn/easy-rsa/pki/private/client.key
    

    Sign the client certificate.

    /etc/openvpn/easy-rsa/easyrsa sign client client
    
    [root@ecs-226177 easy-rsa]# /etc/openvpn/easy-rsa/easyrsa sign client client
    
    Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    
    
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.
    
    Request subject, to be signed as a client certificate for 825 days:
    
    subject=
        commonName                = client
    
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes (type yes here)
    Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-19420.6Lzvxz/tmp.EzirLF
    Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:(enter the CA passphrase you set)
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'client'
    Certificate is to be certified until Oct  1 07:07:29 2024 GMT (825 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
    

    Create the TLS-auth key.

    openvpn --genkey --secret /etc/openvpn/ta.key
    
    [root@ecs-226177 openvpn]# openvpn --genkey --secret /etc/openvpn/ta.key
    [root@ecs-226177 openvpn]# ls
    client  easy-rsa  server  ta.key
    

    Collect the generated keys and certificates in one directory, and point server.conf at those paths.

    mkdir /etc/openvpn/server_keys
    
    cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server_keys/
    
    cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server_keys/
    
    cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server_keys/
    
    cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server_keys/
    
    cp /etc/openvpn/ta.key /etc/openvpn/server_keys/
    

    Create server.conf

    vim /etc/openvpn/server.conf
    # Local address to bind to (must be an address of this host)
    local 10.0.1.192
    # Port to listen on
    port 11194
    # Transport protocol: tcp or udp
    proto tcp
    # Tunnel device type: tun or tap
    dev tun
    # Path to the CA certificate
    ca /etc/openvpn/server_keys/ca.crt
    # Path to the server certificate
    cert /etc/openvpn/server_keys/server.crt
    # Path to the server private key
    key /etc/openvpn/server_keys/server.key
    # Path to the Diffie-Hellman parameters used for the key exchange (this is not a certificate)
    dh /etc/openvpn/server_keys/dh.pem
    # Data-channel cipher
    cipher AES-256-CBC
    # Address pool handed out to clients. Caution: it must NOT overlap the server's own LAN;
    # e.g. if eth0 is 10.0.1.192 and you put the 10.8 pool on that same network, the routes break
    server 10.8.0.0 255.255.255.0
    # Route pushed to clients for reaching an internal network
    # push "route 10.8.0.0 255.255.0.0"
    # Send all client traffic through the VPN (default gateway)
    push "redirect-gateway def1 bypass-dhcp"
    # DNS server pushed to clients via DHCP option
    push "dhcp-option DNS 114.114.114.114"
    # Keep the IP a client was given: the first assignment is stored in ipp.txt and reused on the next connection
    ifconfig-pool-persist ipp.txt
    # Keepalive: ping every 10 seconds, treat the peer as down after 120 seconds without a reply
    keepalive 10 120
    # Allow at most 100 concurrent clients
    max-clients 100
    # Status file location
    status openvpn-status.log
    # Log verbosity (0-9)
    verb 3
    # Allow clients to talk to each other (by default clients can only reach the server)
    client-to-client
    # OpenVPN log file location
    log /var/log/openvpn.log
    # After a keepalive timeout restart, keep the already loaded keys instead of re-reading them
    persist-key
    # After a timeout restart, keep the tun device up instead of taking it down and back up
    persist-tun
    # Enable TLS-auth with ta.key to harden the control channel against attacks; key direction is 0 on the server, 1 on the client
    tls-auth /etc/openvpn/server_keys/ta.key 0
    # Added settings for username/password login
    # Allow external scripts; level 3 is required for OpenVPN to pass the password to the script via environment variables
    script-security 3
    # Verification script
    auth-user-pass-verify /etc/openvpn/check.sh via-env
    # Use the authenticated username as the client's common name
    username-as-common-name
    # Authenticate with username/password only; without this line a client certificate AND username/password are both required
    # (deprecated spelling; newer OpenVPN releases use 'verify-client-cert none')
    client-cert-not-required
    

    Password authentication also needs a verification script and a username/password file.

    [root@openvpn ~]# vim  /etc/openvpn/check.sh
    #!/bin/sh
    ###########################################################
    # Called by OpenVPN (auth-user-pass-verify ... via-env): the username and
    # password arrive in the environment variables $username and $password.
    # Exit 0 = accept the login, non-zero = reject it.
    PASSFILE="/etc/openvpn/openvpnpass"
    LOG_FILE="/var/log/openvpn-password.log"
    TIME_STAMP=$(date "+%Y-%m-%d %T")
     
    if [ ! -r "${PASSFILE}" ]; then
        echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
        exit 1
    fi
     
    # Look up the user's password: skip comment lines (# or ;) and match on the first field.
    # The username is passed with -v instead of being spliced into the awk program text,
    # so a username containing quotes or spaces cannot change what awk executes.
    CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1==u {print $2; exit}' "${PASSFILE}")
     
    if [ -z "${CORRECT_PASSWORD}" ]; then
        echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
        exit 1
    fi
    if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
        echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
        exit 0
    fi
     
    # The attempted password is deliberately not written to the log: a rejected attempt is often a typo of the real one.
    echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
    
    chmod 755 /etc/openvpn/check.sh
    
    # One "username password" pair per line, in the file the script reads (PASSFILE above)
    echo 'hans zhang870731' > /etc/openvpn/openvpnpass
    # the file holds cleartext passwords, so only root may read it
    chmod 600 /etc/openvpn/openvpnpass
    

    New users are added simply by writing them into this file.
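    A hardened replacement for check.sh, added here as an example and not taken from the original post: a Python script that OpenVPN can run through auth-user-pass-verify, reading the credentials the same way (the via-env environment variables, or the via-file temp file) but keeping only salted PBKDF2-HMAC-SHA256 hashes in /etc/openvpn/openvpnpass instead of cleartext passwords. The line format username:iterations:salt_hex:hash_hex, the iteration count, the script name ovpn_auth.py and the --add helper are this example's own choices, not an OpenVPN convention.

```python
#!/usr/bin/env python3
# Added example: auth-user-pass-verify helper storing salted PBKDF2 hashes instead
# of cleartext passwords. Password-file line format (constructed for this example):
#     username:iterations:salt_hex:hash_hex
# OpenVPN hands the credentials over either via-env ($username / $password) or
# via-file (path in argv[1]: username on line 1, password on line 2).
import hashlib
import hmac
import os
import secrets
import sys

PASSFILE = "/etc/openvpn/openvpnpass"   # same path the page's check.sh reads
ITERATIONS = 100_000                    # PBKDF2 work factor (assumption)
DUMMY_SALT = bytes(16)                  # so unknown users cost the same time as known ones


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'iterations:salt_hex:hash_hex', generating a fresh salt when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%d:%s:%s" % (iterations, salt.hex(), dk.hex())


def make_entry(username, password):
    """One line of the password file."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return "%s:%s" % (username, hash_password(password))


def parse_entries(lines):
    """Map username -> (iterations, salt, expected_hash); comments and malformed lines are skipped."""
    users = {}
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue  # a malformed line must never count as a match
        user, iters, salt_hex, hash_hex = parts
        try:
            users[user] = (int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
        except ValueError:
            continue
    return users


def verify(lines, username, password):
    """True only if the user exists and the password hashes to the stored value."""
    users = parse_entries(lines)
    if username not in users:
        # Burn the same work as a real check so unknown users are not revealed by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DUMMY_SALT, ITERATIONS)
        return False
    iters, salt, expected = users[username]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def read_credentials(argv, environ):
    """(username, password) from the via-file temp file if a path is given, else from via-env variables."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            return fh.readline().rstrip("\r\n"), fh.readline().rstrip("\r\n")
    return environ.get("username", ""), environ.get("password", "")


def main():
    # Admin use: ./ovpn_auth.py --add <user> <password>  >> /etc/openvpn/openvpnpass
    if len(sys.argv) == 4 and sys.argv[1] == "--add":
        print(make_entry(sys.argv[2], sys.argv[3]))
        return 0
    username, password = read_credentials(sys.argv, os.environ)
    try:
        with open(PASSFILE, encoding="utf-8") as fh:
            ok = verify(fh.readlines(), username, password)
    except OSError as exc:
        print("cannot read %s: %s" % (PASSFILE, exc), file=sys.stderr)
        return 1
    # Log the outcome without the password; OpenVPN accepts the login only on exit status 0.
    print("auth %s user=%r" % ("ok" if ok else "FAILED", username), file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

    Install it as /etc/openvpn/ovpn_auth.py, make it executable, point auth-user-pass-verify at it instead of check.sh (via-env still needs script-security 3; via-file works with level 2), and add users with `./ovpn_auth.py --add hans '<password>' >> /etc/openvpn/openvpnpass`. Because only hashes are stored, a leaked password file no longer hands out working VPN logins.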

    [root@ecs-226177 openvpn]# openvpn --config server.conf --daemon
    [root@ecs-226177 openvpn]# ps -ef | grep openvpn
    root     19766     1  0 16:06 ?        00:00:00 openvpn --config server.conf --daemon
    root     19795 18724  0 16:06 pts/0    00:00:00 grep --color=auto openvpn
    
    [root@ecs-226177 log]# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.0.46  netmask 255.255.255.0  broadcast 192.168.0.255
            inet6 fe80::f816:3eff:fec2:1a48  prefixlen 64  scopeid 0x20<link>
            ether fa:16:3e:c2:1a:48  txqueuelen 1000  (Ethernet)
            RX packets 73989  bytes 72395781 (69.0 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 93019  bytes 7348052 (7.0 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
            inet6 fe80::3a6b:5910:d875:982e  prefixlen 64  scopeid 0x20<link>
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 3  bytes 144 (144.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    # NAT rule so that VPN clients (10.8.0.0/24) can reach outside networks through eth0
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    # or, equivalently, as an explicit SNAT rule
    iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.1.192
    

    Create the client configuration file

    client.ovpn
    
    # This side is the client
    client
    # Use a tun tunnel
    dev tun
    # Transport protocol; must match the server's proto (tcp here)
    proto tcp
    # OpenVPN server IP address and port
    remote 94.74.107.137 1194
    # Keep retrying after a drop; very useful on unstable networks
    resolv-retry infinite
    # Do not bind to a fixed local port
    nobind
    # Data-channel cipher; must match the server
    cipher AES-256-CBC
    # Path to the CA certificate
    ca ca.crt
    # Path to this client's certificate
    cert client.crt
    # Path to this client's private key
    key client.key
    # Log verbosity, 0-9; higher means more detail
    verb 3
    # After a keepalive timeout restart, keep the already loaded keys instead of re-reading them
    persist-key
    # After a timeout restart, keep the tun device up instead of taking it down and back up
    persist-tun
    # TLS-auth with ta.key hardens the control channel; key direction is 0 on the server, 1 on the client
    tls-auth ta.key 1
    # Prompt for username and password
    auth-user-pass
    

    Finally, put ca.crt, client.key, client.crt, ta.key and client.ovpn in the same directory and you are done.
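    Before handing out client.ovpn it pays to check that the two files agree with each other. The following Python check is an added example, not part of the original post; the SERVER_CONF and CLIENT_OVPN strings are constructed copies of the two configs above, and the pairing rules it applies (matching proto, dev and cipher, tls-auth directions 0/1, auth-user-pass on both sides, script-security 3 for via-env) are the ones OpenVPN itself enforces. Run on these configs it reports the port mismatch (11194 on the server versus 1194 in the client file, which only works if a port forward maps them) and the client-cert-not-required setting that drops the certificate factor.

```python
# Added example: consistency check between an OpenVPN server.conf and a client .ovpn.
# The two configs below are constructed copies of the ones in this write-up.

def parse_openvpn_config(text):
    """Return {directive: [[arg, ...], ...]}; '#' and ';' start comments, repeated directives are kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        conf.setdefault(words[0], []).append(words[1:])
    return conf


def arg(conf, key, idx=0, default=None):
    """idx-th argument of the first occurrence of a directive, or default."""
    occurrences = conf.get(key)
    if not occurrences or len(occurrences[0]) <= idx:
        return default
    return occurrences[0][idx]


def check_pair(server_text, client_text):
    """List of human-readable findings; an empty list means the pair is consistent."""
    s, c = parse_openvpn_config(server_text), parse_openvpn_config(client_text)
    findings = []
    for key in ("proto", "dev", "cipher"):
        default = "udp" if key == "proto" else None   # OpenVPN defaults to UDP
        sv, cv = arg(s, key, default=default), arg(c, key, default=default)
        if sv != cv:
            findings.append("%s mismatch: server %s, client %s" % (key, sv, cv))
    # tls-auth must be on both sides or neither, with key direction 0 (server) / 1 (client)
    if ("tls-auth" in s) != ("tls-auth" in c):
        findings.append("tls-auth is set on only one side; the handshake will be dropped")
    elif "tls-auth" in s:
        dirs = (arg(s, "tls-auth", 1), arg(c, "tls-auth", 1))
        if dirs != ("0", "1"):
            findings.append("tls-auth key direction should be 0 on the server and 1 on the client, got %s/%s" % dirs)
    # client 'remote host port' versus server 'port'
    s_port, c_port = arg(s, "port", default="1194"), arg(c, "remote", 1, default="1194")
    if s_port != c_port:
        findings.append("client connects to port %s but the server listens on %s (fine only if a port forward maps them)"
                        % (c_port, s_port))
    # username/password login has to be enabled on both ends
    if ("auth-user-pass-verify" in s) != ("auth-user-pass" in c):
        findings.append("auth-user-pass (client) and auth-user-pass-verify (server) must be configured together")
    if arg(s, "auth-user-pass-verify", 1) == "via-env" and arg(s, "script-security", default="1") != "3":
        findings.append("auth-user-pass-verify via-env only receives the password when script-security is 3")
    if "client-cert-not-required" in s:
        findings.append("client-cert-not-required turns off the certificate factor; "
                        "it is deprecated in favour of 'verify-client-cert none'")
    return findings


SERVER_CONF = """\
local 10.0.1.192
port 11194
proto tcp
dev tun
ca /etc/openvpn/server_keys/ca.crt
cert /etc/openvpn/server_keys/server.crt
key /etc/openvpn/server_keys/server.key
dh /etc/openvpn/server_keys/dh.pem
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"   # comment after a directive
tls-auth /etc/openvpn/server_keys/ta.key 0
script-security 3
auth-user-pass-verify /etc/openvpn/check.sh via-env
username-as-common-name
client-cert-not-required
"""

CLIENT_OVPN = """\
client
dev tun
proto tcp
remote 94.74.107.137 1194
resolv-retry infinite
nobind
cipher AES-256-CBC ; inline comment
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
auth-user-pass
"""

if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_OVPN):
        print("-", finding)
```

    The parser is deliberately simple (one directive per line, no inline `<ca>` blocks), which is all these two files need; the value of the check is that it catches the mismatches that otherwise only surface as a silent "connected but cannot log in" or a handshake that never completes.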

  • Original URL: https://blog.csdn.net/hans99812345/article/details/125545380