共计 8865 个字符,预计需要花费 23 分钟才能阅读完成。
# Centos7 安装 openvpn by easy-rsa3.0
-----------------------------------------------------------------------------------------------------------------------------------------------------
安装 openvpn 等所需要的软件
首先你应该有一个外网 ip,否则一切都是空谈
yum install -y epel-release
yum install -y openvpn easy-rsa openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
server 端 制作证书,密钥等文件
- CA 证书生产
[root@localhost ~]#cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/ // 复制服务端配置文件到配置文件目录
[root@localhost ~]# cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/op
[root@localhost ~]# mkdir /etc/openvpn/easy-rsa
[root@localhost ~]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example var
[root@localhost easy-rsa]# ls
easyrsa openssl-1.0.cnf var x509-types
[root@localhost easy-rsa]#vim vars #×××的相关配置,根据需要自定义,也可以忽略不设置
set_var EASYRSA_REQ_COUNTRY "CN" #国家
set_var EASYRSA_REQ_PROVINCE "BJ" #省
set_var EASYRSA_REQ_CITY "Beijing" #城市
set_var EASYRSA_REQ_ORG "My ***" #组织
set_var EASYRSA_REQ_EMAIL "disk@skyii.com" #邮箱
set_var EASYRSA_REQ_OU "sky" #公司、组织
[root@localhost easy-rsa]# ./easyrsa init-pki #初始化 pki,生成目录文件结构
init-pki complete; you may now create a CA or requests.
your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@localhost easy-rsa]# ls
easyrsa openssl-1.0.cnf pki var x509-types
[root@localhost easy-rsa]# ./easyrsa build-ca #创建 ca 证书
Note: using Easy-RSA configuration from: ./vars #使用 vars 文件里面配置的信息
Generating a 2048 bit RSA private key
.................+++
........................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.Lg8IKADc4Q'
Enter PEM pass phrase: #设置 ca 密码 (我此处是写的 silence)
Verifying - Enter PEM pass phrase: #再输一遍上面的密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #直接回车,就是默认的 CA 作为名字
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt #ca 证书存放路径
- 服务端证书 server.crt
[root@localhost easy-rsa]# ./easyrsa gen-req server nopass #nopass 设置免证书密码,如果要设置密码可以取消此参数选项
Note: using Easy-RSA configuration from: ./vars #使用 vars 文件里面配置的信息
Generating a 2048 bit RSA private key
.....................................+++
................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.yuG9HRsSlU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: #直接回车,默认名字为 server
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key #密钥 key 的路径
- 证书签名
[root@localhost easy-rsa]# ./easyrsa sign server server #第二个 server 是只上面服务端证书的 CN 名字,我们用的默认 server, 随便写
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: #输入上面 ca 证书生成时的密码(silence)Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'server'
Certificate is to be certified until Jan 14 09:11:12 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt #服务端证书路径
- dh 证书
[root@localhost easy-rsa]# ./easyrsa gen-dh #创建 Diffie-Hellman,时间有点长
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................+...........................................................+.......................................................................................................+...........+..........................................................................................................................................................................................................................................................................+..........................................
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem #dh 证书路径
- ta 密钥
cd /etc/openvpn
openvpn --genkey --secret ta.key
客户端证书
为了便于区别,我们把客户端使用的证书存放在新的路径。/etc/openvpn/client
创建客户端证书
[root@localhost client]# mkdir -p /etc/openvpn/client
[root@localhost client]# cd /etc/openvpn/client
[root@localhost client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/client
[root@localhost client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
[root@localhost client]# ./easyrsa init-pki
[root@localhost client]# ./easyrsa gen-req client nopass #client 为证书名,可自定义,nopass 同样设置免密
Generating a 2048 bit RSA private key
.....................................................+++
.................................+++
writing new private key to '/etc/openvpn/client/pki/private/client.key.0rbEXauafe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/client.req
key: /etc/openvpn/client/pki/private/client.key #key 路径
client 证书配置
- 对客户端证书签名
切换到服务端 easy-rsa 目录下:
cd /etc/openvpn/easy-rsa
#导入 req
./easyrsa import-req /etc/openvpn/client/pki/reqs/client.req client
./easyrsa sign client client #签名, 第一个 client 是固定的参数表示客户端,第二个 client 指上面导入的客户端证书名
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #输入 'yes'
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: #输入 ca 密码(silence)Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client'
Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt #最终客户端证书路径
- 修改配置文件
服务器端证书和密钥统一放到和 server.conf 一个目录下,便于配置
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
- 修改 openvpn 服务端配置文件 server.conf
cat /etc/openvpn/server.conf
local 0.0.0.0
port 1194 #指定端口
proto tcp #指定协议 (可以指定 udp,udp 比 tcp 快)
dev tun #采用路由隧道模式
ca ca.crt #ca 证书位置,相对路径,表示 ca.crt 和 server.conf 要在同一目录
cert server.crt #服务端证书
key server.key #服务端 key
dh dh.pem #dh 密钥
server 10.8.0.0 255.255.255.0 #给客户端分配的地址池
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp" #客户端网关使用 openvpn 服务器网关
push "dhcp-option DNS 8.8.8.8" #指定 dns
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120 #心跳检测,10 秒检测一次,2 分钟内没有回应则视为断线
tls-auth ta.key 0 #服务端值为 0,客户端为 1
cipher AES-256-CBC
comp-lzo #传输数据压缩
persist-key
persist-tun
status openvpn-status.log
verb 3
- 启动 openvpn
systemctl -f enable openvpn@server.service #设置启动文件
systemctl start openvpn@server.service #启动 openvpn 的命令
- 客户端所需证书 (下载保存到客户端和客户端配置文件同一目录下)
sz /etc/openvpn/easy-rsa/pki/issued/client.crt #在服务端证书生成目录下
sz /etc/openvpn/client/pki/private/client.key #上面的客户端生成目录下
sz /etc/openvpn/easy-rsa/pki/ca.crt #ca 证书
sz /etc/openvpn/ta.key
下载到本地,window 安装 openvpen 然后设置 client.o***, 在 conf 目录下面
[root@localhost ~]# cat client.o***
client
dev tun
proto tcp #和 server 端一致 (可以使用 udp 比 tcp 快)
remote xx.xx.xx.xx 1194 #指定服务端 IP 和端口
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt #ca 证书
cert client.crt #客户端证书
key client.key #客户端密钥
tls-auth ta.key 1 #ta 密钥
cipher AES-256-CBC
comp-lzo #传输内容压缩
verb 3
windows 客户端配置 openvpn
下载 openvpn-install-2.4.7-I601.exe
https://www.filecluster.com/downloads/Open×××.html
1.51cto.com/images/blog/201903/12/37f1c9605166ead931e7e40671d95a6c.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
找到 openvpn 的 config 目录把之前拷贝的证书放在里面
然后启动
正文完
