# Installing OpenVPN on CentOS 7 with easy-rsa 3.0

-----------------------------------------------------------------------------------------------------------------------------------------------------

Install OpenVPN and the other required packages

First, the server needs a public IP address; without one, none of this works.

```bash
yum install -y epel-release
yum install -y openvpn easy-rsa openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
```

Server side: create the certificates, keys and related files

  • Generating the CA certificate

Copy the sample server configuration into the configuration directory (the version number in the path must match the installed package; `rpm -q openvpn` shows it) and set up a private copy of easy-rsa. The copy of `vars.example` must be named `vars`, because that is the only file name `easyrsa` reads automatically:

```bash
[root@localhost ~]# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/   # copy the sample server config into the config directory
[root@localhost ~]# mkdir /etc/openvpn/easy-rsa
[root@localhost ~]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example vars
[root@localhost easy-rsa]# ls
easyrsa  openssl-1.0.cnf  vars  x509-types
[root@localhost easy-rsa]# vim vars        # VPN-related request fields; customise as needed, or leave them unset
```

```
set_var EASYRSA_REQ_COUNTRY     "CN"                # country
set_var EASYRSA_REQ_PROVINCE    "BJ"                # province
set_var EASYRSA_REQ_CITY        "Beijing"           # city
set_var EASYRSA_REQ_ORG         "My ***"            # organisation
set_var EASYRSA_REQ_EMAIL       "disk@skyii.com"    # e-mail
set_var EASYRSA_REQ_OU          "sky"               # organisational unit
```

Initialise the PKI and build the CA. The CA key created here signs every server and client certificate, so its passphrase is what stands between an attacker and the ability to mint valid VPN credentials; in production keep the CA key off the VPN server itself.

```bash
[root@localhost easy-rsa]# ./easyrsa init-pki                    # initialise the PKI directory structure

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@localhost easy-rsa]# ls
easyrsa  openssl-1.0.cnf  pki  vars  x509-types
[root@localhost easy-rsa]# ./easyrsa build-ca                    # create the CA certificate

Note: using Easy-RSA configuration from: ./vars                 # picks up the settings from vars
Generating a 2048 bit RSA private key
.................+++
........................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.Lg8IKADc4Q'
Enter PEM pass phrase:                                          # set the CA key passphrase (here: silence)
Verifying - Enter PEM pass phrase:                              # type the same passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   # press Enter to accept the default CA name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt                                # location of the CA certificate
```


  • Server certificate server.crt

```bash
[root@localhost easy-rsa]# ./easyrsa gen-req server nopass       # nopass leaves the key unencrypted; drop it to protect the key with a passphrase

Note: using Easy-RSA configuration from: ./vars                 # picks up the settings from vars
Generating a 2048 bit RSA private key
.....................................+++
................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.yuG9HRsSlU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:    # press Enter; the default name is server

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key               # location of the private key
```

An unencrypted server key lets the service start unattended, which is why `nopass` is common for servers; it also means anyone who can read the file owns the server identity, so keep its permissions tight.

  • Signing the certificate

The documented command is `sign-req`; `sign` is accepted as an alias. The first argument is the certificate type (`server` or `client`), which selects the X.509 extensions; the second is the name given to `gen-req` (the request's file base name), here the default `server`.

```bash
[root@localhost easy-rsa]# ./easyrsa sign server server          # second "server" = the request name used above

Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:   # the CA passphrase set above (silence)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'server'
Certificate is to be certified until Jan 14 09:11:12 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt   # location of the server certificate
```

  • DH parameters

```bash
[root@localhost easy-rsa]# ./easyrsa gen-dh                      # generate Diffie-Hellman parameters; this takes a while

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................+...........................................................+.......................................................................................................+...........+..........................................................................................................................................................................................................................................................................+..........................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem   # location of the DH parameters
```

  • The tls-auth key ta.key

This is a pre-shared HMAC key that signs every control-channel packet, so unauthenticated packets (port scans, TLS handshake floods, attempts to exploit the TLS stack) are dropped before the TLS layer sees them. Generate it on the server; it must be copied to every client.

```bash
cd /etc/openvpn
openvpn --genkey --secret ta.key
```

  • Client certificate request

To keep the client files apart, the client's PKI lives in a separate path, /etc/openvpn/client. Create the client key and certificate request there:

```bash
[root@localhost client]# mkdir -p /etc/openvpn/client
[root@localhost client]# cd /etc/openvpn/client
[root@localhost client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/client
[root@localhost client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
[root@localhost client]# ./easyrsa init-pki
[root@localhost client]# ./easyrsa gen-req client nopass         # "client" is the request name (choose freely); nopass again leaves the key unencrypted

Generating a 2048 bit RSA private key
.....................................................+++
.................................+++
writing new private key to '/etc/openvpn/client/pki/private/client.key.0rbEXauafe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/client.req
key: /etc/openvpn/client/pki/private/client.key                 # location of the client key
```

Client certificate configuration

  • Signing the client certificate

Only the request (.req) is handed to the CA; the client's private key never leaves the client PKI. Switch to the server-side easy-rsa directory:

```bash
cd /etc/openvpn/easy-rsa
# import the request under the name "client"
./easyrsa import-req /etc/openvpn/client/pki/reqs/client.req client
./easyrsa sign client client        # sign it: the first "client" is the certificate type, the second the name the request was imported under

Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = client

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                                  # type 'yes'
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:   # the CA passphrase (silence)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client'
Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt   # final location of the client certificate
```
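Before copying anything into /etc/openvpn it is worth checking what easy-rsa produced. The script below is an added example, not part of the original post or of easy-rsa. It checks that a certificate chains to ca.crt, that the key on disk belongs to it, and that server.crt carries the extendedKeyUsage serverAuth extension which clients configured with `remote-cert-tls server` demand (OpenVPN also checks keyUsage; the script only looks at the EKU). A server certificate mistakenly signed with the `client` type lacks that extension and every client would refuse it. It assumes openssl(1) is installed; `make_demo_pki`, the file name `check-pki.sh` and the name Demo-CA are mine, and the PKI it builds is constructed test data that stands in for the easy-rsa output so the script runs without the files from this post.

```sh
#!/bin/sh
# Added example, not part of the original post or of easy-rsa: sanity-check the
# certificates easy-rsa produced before copying them into /etc/openvpn.
# Assumes openssl(1) is installed. make_demo_pki builds constructed test data
# with openssl in place of the easy-rsa output, so the script runs stand-alone.
set -eu

# 0 if the certificate ($2) chains to the CA certificate ($1)
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the private key ($2) belongs to the certificate ($1): same RSA modulus
key_matches_cert() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa  -noout -modulus -in "$2")
    [ "$crt_mod" = "$key_mod" ]
}

# 0 if the certificate ($1) carries extendedKeyUsage serverAuth, the extension a
# client configured with `remote-cert-tls server` demands (OpenVPN also checks
# keyUsage; this only checks the EKU). easy-rsa adds it for `sign-req server`
# but not for `sign-req client`, so a server cert signed with the wrong type fails here.
cert_has_server_eku() {
    openssl x509 -noout -text -in "$1" | grep -q 'TLS Web Server Authentication'
}

# Run the checks on one CA/cert/key triple; $4 is server or client. Prints one
# line per check and returns 1 if any check failed.
check_pair() {
    rc=0
    cert_signed_by_ca "$1" "$2" && echo "ok   $2 chains to $1" \
        || { echo "FAIL $2 is not signed by $1"; rc=1; }
    key_matches_cert "$2" "$3" && echo "ok   $3 belongs to $2" \
        || { echo "FAIL $3 does not belong to $2"; rc=1; }
    if [ "$4" = server ]; then
        cert_has_server_eku "$2" && echo "ok   $2 has the serverAuth EKU" \
            || { echo "FAIL $2 lacks the serverAuth EKU (signed as a client cert?)"; rc=1; }
    fi
    return $rc
}

# Constructed stand-in for the easy-rsa output: a throwaway CA plus one server
# and one client certificate with the same extensions easy-rsa's x509-types use.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/server.ext"
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$d/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-CA \
        -keyout "$d/ca.key" -out "$d/ca.req" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ca.req" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
    for n in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.req" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/$n.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -extfile "$d/$n.ext" -out "$d/$n.crt" 2>/dev/null
    done
}

# `sh check-pki.sh demo` runs the checks on the constructed PKI; on a real box
# call check_pair with the paths under /etc/openvpn/easy-rsa/pki instead.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d); make_demo_pki "$tmp"
    check_pair "$tmp/ca.crt" "$tmp/server.crt" "$tmp/server.key" server
    check_pair "$tmp/ca.crt" "$tmp/client.crt" "$tmp/client.key" client
    rm -rf "$tmp"
fi
```

On the server from this post the real call is `check_pair /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/easy-rsa/pki/private/server.key server`, and for the client certificate the key lives under /etc/openvpn/client/pki/private/ while the issued certificate is in the server PKI.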

  • Editing the configuration files

Put the server certificate and keys in the same directory as server.conf so the configuration can refer to them by relative path. server.key and ta.key are secrets: keep them readable by root only.

```bash
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
```

  • Edit the OpenVPN server configuration file server.conf

```bash
cat /etc/openvpn/server.conf
```

```
local 0.0.0.0
port 1194                                   # listening port
proto tcp                                   # protocol (udp is also possible and is faster than tcp)
dev tun                                     # routed tunnel mode
ca ca.crt                                   # CA certificate; relative path, so ca.crt must sit next to server.conf
cert server.crt                             # server certificate
key server.key                              # server key
dh dh.pem                                   # DH parameters
server 10.8.0.0 255.255.255.0               # address pool handed out to clients
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"    # clients route all their traffic through the VPN server
push "dhcp-option DNS 8.8.8.8"              # DNS servers pushed to clients
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120                            # ping every 10 s; peer is considered down after 120 s without a reply
tls-auth ta.key 0                           # key direction: 0 on the server, 1 on the client
cipher AES-256-CBC
comp-lzo                                    # compress tunnel traffic
persist-key
persist-tun
status openvpn-status.log
verb 3
```

Three things to know about this configuration. `redirect-gateway` only gives clients Internet access if the server forwards and masquerades their traffic (net.ipv4.ip_forward plus a NAT rule in firewalld or iptables), which the steps above do not set up; without it, clients connect and then lose connectivity. `comp-lzo` compresses plaintext before encryption, which is what the VORACLE attack exploits, so compression on a VPN is now discouraged. The sample server.conf ships `user nobody` and `group nobody` commented out; enabling them makes the daemon drop root after it has opened the tunnel device and read its keys.

  • Starting OpenVPN

```bash
systemctl -f enable openvpn@server.service     # enable at boot (-f replaces an existing symlink)
systemctl start openvpn@server.service         # start OpenVPN
```

  • Files the client needs (download them to the client, into the same directory as the client configuration file)

```bash
sz /etc/openvpn/easy-rsa/pki/issued/client.crt     # from the server-side PKI, where the certificate was issued
sz /etc/openvpn/client/pki/private/client.key      # from the client PKI created above
sz /etc/openvpn/easy-rsa/pki/ca.crt                # CA certificate
sz /etc/openvpn/ta.key
```

Download them locally, install OpenVPN on Windows, then create client.ovpn in the config directory.

```bash
[root@localhost ~]# cat client.ovpn
```

```
client
dev tun
proto tcp                                   # must match the server (udp is faster than tcp)
remote xx.xx.xx.xx 1194                     # server IP address and port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server                      # only accept a peer certificate issued with the server type
ca ca.crt                                   # CA certificate
cert client.crt                             # client certificate
key client.key                              # client key
tls-auth ta.key 1                           # tls-auth key, direction 1 on the client
cipher AES-256-CBC
comp-lzo                                    # compress tunnel traffic
verb 3
```

`remote-cert-tls server` is the line that prevents another holder of a CA-signed client certificate from impersonating the server; without it, any certificate the CA ever issued would be accepted as the VPN endpoint.
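The server.conf and client.ovpn above have to agree on several settings, and a hand-edited copy of the client file is where mistakes usually creep in. The following is an added example, not from the original post: a small POSIX shell linter for a server.conf/client.ovpn pair. It flags as errors the settings that either break interoperability or weaken authentication (tls-auth present on both sides with opposite key directions, matching proto and cipher, `remote-cert-tls server` on the client) and as warnings the ones discussed above (compression, no privilege drop). The function names are mine; `write_demo_configs` writes constructed copies of the two configurations from this post, using the documentation address 203.0.113.10 in place of xx.xx.xx.xx, plus a deliberately broken client file for comparison.

```sh
#!/bin/sh
# Added example (not from the original post): lint a server.conf / client.ovpn
# pair for the settings that must agree and for the weak ones, using only awk
# and sed. The sample configs in write_demo_configs are constructed test data.

# exit 0 if the option appears on an uncommented line of the file ('#' and ';' start comments)
has_opt() {  # $1 = file  $2 = option
    awk -v k="$2" '{ sub(/[#;].*/, "") } $1 == k { f = 1 } END { exit !f }' "$1"
}

# print the arguments of the first uncommented occurrence of an option
opt_value() {  # $1 = file  $2 = option
    awk -v k="$2" '{ sub(/[#;].*/, "") } $1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# print one finding per line: ERROR = will not interoperate or weakens
# authentication, WARN = works but should be changed. Always returns 0.
lint_pair() {  # $1 = server.conf  $2 = client.ovpn
    s=$1; c=$2
    # tls-auth: both ends need the static key, with opposite directions (0 server, 1 client)
    if has_opt "$s" tls-auth && has_opt "$c" tls-auth; then
        sdir=$(opt_value "$s" tls-auth | awk '{ print $2 }')
        cdir=$(opt_value "$c" tls-auth | awk '{ print $2 }')
        if [ -n "$sdir$cdir" ] && [ "$sdir" = "$cdir" ]; then
            echo "ERROR tls-auth key direction is '$sdir' on both sides; use 0 on the server and 1 on the client"
        fi
    else
        echo "ERROR tls-auth is missing on one side; the TLS control channel loses its HMAC protection"
    fi
    # proto: tcp-server / tcp-client belong to the same family as plain tcp
    sp=$(opt_value "$s" proto | sed 's/-server$//; s/-client$//')
    cp_=$(opt_value "$c" proto | sed 's/-server$//; s/-client$//')
    [ "$sp" = "$cp_" ] || echo "ERROR proto mismatch: server '$sp', client '$cp_'"
    # cipher: must match unless both ends are 2.4+ and negotiate one via ncp-ciphers
    [ "$(opt_value "$s" cipher)" = "$(opt_value "$c" cipher)" ] \
        || echo "ERROR cipher mismatch between server and client"
    # remote-cert-tls server: without it any CA-signed cert (another client's) can pose as the server
    [ "$(opt_value "$c" remote-cert-tls)" = server ] \
        || echo "ERROR client lacks 'remote-cert-tls server'; it would accept any certificate the CA signed"
    # compression before encryption leaks plaintext structure (VORACLE); drop comp-lzo on both ends
    if has_opt "$s" comp-lzo || has_opt "$c" comp-lzo; then
        echo "WARN comp-lzo enabled; compression on a VPN exposes traffic to VORACLE-style attacks"
    fi
    # the sample server.conf ships user/group nobody commented out; the daemon keeps root otherwise
    if ! has_opt "$s" user || ! has_opt "$s" group; then
        echo "WARN server does not drop privileges; add 'user nobody' and 'group nobody'"
    fi
    return 0
}

count_errors()   { lint_pair "$1" "$2" | grep -c '^ERROR' || true; }
count_warnings() { lint_pair "$1" "$2" | grep -c '^WARN'  || true; }

# Constructed copies of the post's server.conf and client.ovpn (documentation
# address in place of the real one), plus a deliberately broken client file.
write_demo_configs() {  # $1 = directory
    cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0   # 0 on the server, 1 on the client
cipher AES-256-CBC
comp-lzo
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 203.0.113.10 1194
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
EOF
    # same client with three mistakes a hand-edited copy commonly has
    sed -e 's/^proto tcp/proto udp/' -e 's/^tls-auth ta.key 1/tls-auth ta.key 0/' \
        -e '/^remote-cert-tls/d' "$1/client.ovpn" > "$1/client-bad.ovpn"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); write_demo_configs "$d"
    echo "== as posted";   lint_pair "$d/server.conf" "$d/client.ovpn"
    echo "== broken copy"; lint_pair "$d/server.conf" "$d/client-bad.ovpn"
    rm -rf "$d"
fi
```

Run with `sh lint-ovpn.sh demo` to see both reports, or `lint_pair /etc/openvpn/server.conf /path/to/client.ovpn` against the real files. The pair from this post produces no errors and the two warnings; the broken copy adds three errors, one per mistake.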


Configuring the OpenVPN client on Windows

Download openvpn-install-2.4.7-I601.exe

https://www.filecluster.com/downloads/OpenVPN.html



Find the OpenVPN config directory and put the certificates and keys downloaded earlier into it, next to client.ovpn.

Then start the connection.