
Setting up an OpenVPN server

1. Introduction

OpenVPN is an application-layer VPN implementation built on the OpenSSL library; compared with traditional VPNs its advantages are ease of use, security and stability. This walkthrough compiles and installs it from source on CentOS 7.3, using UDP on a custom port. The goal is to log into an Alibaba Cloud VPC with two-factor authentication (client certificate plus username/password) in order to configure and manage the servers inside it.


  • Required files
easy-rsa.zip          # certificate/key generation tool
lzo-2.06.tar.gz       # dependency
openvpn-2.3.3.tar.gz  # installation package
  • Network layout
OpenVPN host IP : 172.xx.xx.xx
public IP       : 100.100.100.100
VPN subnet      : 20.8.8.0

2. Installing OpenVPN

2.1 Install the dependencies

pam-devel is a required dependency for building OpenVPN.

[root@test ~]# yum -y install unzip ntpdate pam-devel openssl openssl-devel

2.2 Upload the package files

Connect to the OpenVPN server over SSH, copy the three files to /usr/local/ and extract each of them:
[root@test local]# unzip easy-rsa.zip # easy-rsa certificate tool
[root@test local]# tar -zxvf lzo-2.06.tar.gz # lzo dependency
[root@test local]# tar -zxvf openvpn-2.3.3.tar.gz

2.3 Create the installation directories

[root@test local]# mkdir -p /usr/local/openvpn/conf # configuration files
[root@test local]# mkdir -p /usr/local/openvpn/log # log files
[root@test local]# mkdir -p /usr/local/openvpn/easy-rsa # key generation tool and keys

2.4 Build and install OpenVPN

Change into /usr/local/:

[root@test local]# cd lzo-2.06
[root@test lzo-2.06]# ./configure --prefix=/usr # build the dependency library
[root@test lzo-2.06]# make && make install
[root@test lzo-2.06]# /sbin/ldconfig # refresh the runtime dynamic linker cache
[root@test local]# cd openvpn-2.3.3
[root@test openvpn-2.3.3]# ./configure --prefix=/usr/local/openvpn/
[root@test openvpn-2.3.3]# make && make install
[root@test openvpn-2.3.3]# cd sample/sample-config-files/
[root@test sample-config-files]# cp server.conf /usr/local/openvpn/conf/ # copy the sample configuration
[root@test local]# cd easy-rsa/2.0/
[root@test 2.0]# cp -rf * /usr/local/openvpn/easy-rsa/
[root@test 2.0]# cd /usr/local/openvpn/easy-rsa/
[root@test easy-rsa]# chmod +x *

3. Configuring OpenVPN

3.1 Configure the vars file and generate the server certificates

[root@test ~]# cd /usr/local/openvpn/easy-rsa/
[root@test easy-rsa]# vim vars # edit vars (default values for the certificates)
export KEY_SIZE=2048 # key size in bits; larger values raise CPU load
export CA_EXPIRE=3650 # CA certificate validity in days, 10 years here
export KEY_EXPIRE=365 # validity of issued certificates/keys in days
export KEY_COUNTRY="CN" # country
export KEY_PROVINCE="SH" # province
export KEY_CITY="Shanghai" # city
export KEY_ORG="yunwei" # organization
export KEY_EMAIL="yunwei@book.cn" # e-mail address
export KEY_OU="Yunwei" # organizational unit, any value
export KEY_NAME="VPNServer" # name, any value
[root@test easy-rsa]# source vars # load the settings into the shell
Now create the root CA certificate:
[root@test easy-rsa]# ./clean-all # initialise the keys directory (deletes any existing keys)
[root@test easy-rsa]# ./build-ca # create the root certificate; press Enter through the prompts
Generating a 2048 bit RSA private key
..................................+++
...............................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [yunwei]:
Organizational Unit Name (eg, section) [Yunwei]:
Common Name (eg, your name or your server's hostname) [yunwei CA]:
Name [EasyServer]:
Email Address [yunwei@book.cn]:
Create the server certificate and key:
[root@test easy-rsa]# ./build-key-server server # accept the defaults with Enter, then answer y at the end
Generating a 2048 bit RSA private key
...........+++
....+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [yunwei]:
Organizational Unit Name (eg, section) [Yunwei]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyServer]:
Email Address [yunwei@book.cn]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'Shanghai'
organizationName :PRINTABLE:'yunwei'
organizationalUnitName:PRINTABLE:'Yunwei'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyServer'
emailAddress :IA5STRING:'yunwei@book.cn'
Certificate is to be certified until Apr 15 15:35:32 2019 GMT (365 days)
Sign the certificate? [y/n]:y # enter y
1 out of 1 certificate requests certified, commit? [y/n] y # enter y
Write out database with 1 new entries
[root@test easy-rsa]# ./build-dh # generate the dh2048.pem Diffie-Hellman parameters
[root@test easy-rsa]# ../sbin/openvpn --genkey --secret /usr/local/openvpn/easy-rsa/keys/ta.key # generate the tls-auth key; it lets the server drop packets that lack a valid HMAC (DoS protection)

3.2 Configure the OpenVPN server file

[root@test ~]# vim /usr/local/openvpn/conf/server.conf
local 172.xx.xx.xx # address to listen on
port 2294 # custom port
proto udp # use UDP
dev tun # tun is an IP-layer point-to-point device; tun is recommended
# if the certificates are not under conf/, give their full paths
ca /usr/local/openvpn/easy-rsa/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/keys/server.crt
key /usr/local/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /usr/local/openvpn/easy-rsa/keys/dh2048.pem
server 20.8.8.0 255.255.255.0 # VPN subnet handed out to clients
# keep each client's IP assignment across OpenVPN restarts
ifconfig-pool-persist /usr/local/openvpn/log/ipp.txt
# routes pushed from the server to clients (clients receive them via pull)
push "route 20.8.8.0 255.255.255.0"
push "route 172.xx.xx.0 255.255.255.0"
push "dhcp-option DNS 223.5.5.5" # DNS servers to push
push "dhcp-option DNS 8.8.8.8"
client-to-client
# required when several clients connect with the same keys; otherwise only one connection per certificate is allowed
duplicate-cn
keepalive 10 120
comp-lzo # compress traffic
max-clients 10 # maximum number of concurrent clients
# after a keepalive timeout, restart the tunnel without re-reading the keys (keep the ones loaded at start)
persist-key
# after a keepalive timeout, keep the tun/tap device up instead of taking it down and bringing it up again
persist-tun
status /usr/local/openvpn/log/openvpn-status.log # status log path
log-append /usr/local/openvpn/log/openvpn.log
verb 3

4. Certificate plus username/password authentication

4.1 Create a client user

[root@test ~]# cd /usr/local/openvpn/easy-rsa/
[root@test easy-rsa]# ./build-key book # create the user book; same prompts as for the server certificate

Note: after this runs, three files appear in the keys folder: book.crt, book.csr (not needed on a Mac) and book.key. Together with ca.crt, ca.key, ta.key and dh2048.pem from the same directory, that is the seven files to package up as everything the client needs; additional users are created the same way. Keep in mind that the client configuration in section 6 only references ca.crt, book.crt, book.key and ta.key; ca.key is the CA's private key, and whoever holds it can issue further client certificates, so it belongs on the server only.


4.2 Configure username/password authentication

  • vim /usr/local/openvpn/conf/server.conf
tls-auth /usr/local/openvpn/easy-rsa/keys/ta.key 0 # 0 on the server, 1 on the client
auth-user-pass-verify /usr/local/openvpn/easy-rsa/checkpsw.sh via-env
# the password verification script lives at this path; it is created below
script-security 3
username-as-common-name
;client-cert-not-required # enable this line only if you want password-only authentication without client certificates
  • vim checkpsw.sh
Create the script used for username/password authentication, checkpsw.sh:
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
# OpenVPN calls it through "auth-user-pass-verify ... via-env",
# so the credentials arrive in the username/password variables.
###########################################################
PASSFILE="/usr/local/openvpn/easy-rsa/psw-file"        # file holding the accounts and passwords
LOG_FILE="/usr/local/openvpn/log/openvpn-password.log" # log file
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Pass the username in with -v instead of splicing it into the awk program text,
# so a username containing quotes cannot alter the match expression.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1==u {print $2; exit}' "${PASSFILE}"`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# Only the username is logged on failure; the original script also wrote the
# submitted password into the log, which leaks near-miss passwords in clear text.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
Create the file holding the accounts and passwords, psw-file:
[root@test easy-rsa]# vi psw-file
book 123456 # one line per user: username, a space, then the password
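The psw-file above keeps every password in clear text, readable by anyone who can read the file. The script below is an added example (not the post's checkpsw.sh) of the same via-env hook checking salted SHA-256 digests instead; its psw-file layout (username, salt, hex digest), the check_user/hash_password names and the sha256sum dependency are assumptions, and a production deployment would rather use a slow password hash such as sha512crypt via openssl passwd -6.

```shell
#!/bin/sh
# Hardened variant of checkpsw.sh (added example). Password file format (constructed):
#   username<space>salt<space>hex(sha256(salt || password))
# Hook it up like the original: auth-user-pass-verify /path/checkpsw-hashed.sh via-env
PASSFILE="${PASSFILE:-/usr/local/openvpn/easy-rsa/psw-file}"
LOG_FILE="${LOG_FILE:-/usr/local/openvpn/log/openvpn-password.log}"

log_line() {
    # Record only the outcome and the username, never the submitted password.
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "${LOG_FILE}"
}

hash_password() {
    # $1 = salt, $2 = password -> hex digest of sha256(salt || password)
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

check_user() {
    # $1 = username, $2 = password; returns 0 on success, 1 otherwise
    user="$1"; pass="$2"
    # Accept only a conservative username alphabet so the value cannot carry
    # awk or shell metacharacters (the original spliced it into the awk program).
    case "$user" in ""|*[!A-Za-z0-9_.@-]*) log_line "Rejected malformed username"; return 1 ;; esac
    [ -r "${PASSFILE}" ] || { log_line "Could not open ${PASSFILE}"; return 1; }
    entry=$(awk -v u="$user" '!/^[#;]/ && $1==u {print $2, $3; exit}' "${PASSFILE}")
    salt=${entry%% *}; stored=${entry#* }
    if [ -z "$entry" ]; then
        hash_password "dummy" "$pass" >/dev/null   # keep timing similar for unknown users
        log_line "User does not exist: username=\"${user}\""
        return 1
    fi
    if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
        log_line "Successful authentication: username=\"${user}\""
        return 0
    fi
    log_line "Incorrect password: username=\"${user}\""
    return 1
}

# Under OpenVPN (via-env) the credentials arrive as environment variables.
if [ -n "${username:-}" ]; then
    check_user "${username}" "${password:-}"
    exit $?
fi
```

To enrol a user, compute hash_password with a fresh random salt and append "user salt digest" to psw-file; the file still needs mode 600 and root ownership, since the salted digests only slow an attacker down rather than stop one.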

4.3 Revoke a client user

When a colleague leaves, their certificate has to be revoked:

[root@test easy-rsa]# ./revoke-full book # revoke the user book
At this point the revoked certificate can still be used to log in; add the following line to server.conf:
crl-verify /usr/local/openvpn/easy-rsa/keys/crl.pem
then restart the OpenVPN service.

4.4 Start OpenVPN

[root@test ~]# /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/conf/server.conf &
[root@test ~]# ps -ef | grep openvpn
root 1013 1 0 Apr13 ? 00:00:04 /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/conf/server.conf
[root@test ~]# netstat -ntlup # the port is now listening
udp 0 0 172.xx.xx.xx:2294 0.0.0.0:* 1013/openvpn

5. Configuring the firewall

5.1 Enable IP forwarding

[root@test ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 # set the value to 1 and save
[root@test ~]# sysctl -p # apply the change

5.2 Configure iptables NAT forwarding

[root@test ~]# systemctl stop firewalld.service
[root@test ~]# systemctl disable firewalld.service
[root@test ~]# yum install -y iptables-services
[root@test ~]# systemctl enable iptables
[root@test ~]# iptables -F # flush the existing rules
[root@test ~]# iptables -X
[root@test ~]# iptables -P OUTPUT ACCEPT
[root@test ~]# iptables -P FORWARD ACCEPT
[root@test ~]# iptables -A INPUT -i lo -j ACCEPT
[root@test ~]# iptables -A OUTPUT -o lo -j ACCEPT
[root@test ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@test ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@test ~]# iptables -A INPUT -p udp --dport 2294 -j ACCEPT
# masquerade traffic from the VPN subnet
[root@test ~]# iptables -t nat -A POSTROUTING -o eth0 -s 20.8.8.0/24 -j MASQUERADE
# map the OpenVPN port between the public IP and the internal host
[root@test ~]# iptables -t nat -A PREROUTING -s 100.100.100.100 -p udp -m udp --dport 2294 -j DNAT --to-destination 172.xx.xx.xx:2294
[root@test ~]# service iptables save
[root@test ~]# service iptables restart

6. Client configuration file

  • Open the client.ovpn configuration file
client
dev tun
proto udp
remote 100.100.100.100 2294
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert book.crt # the user's certificate; the name must match the file copied over
key book.key
ns-cert-type server
comp-lzo
verb 3
tls-auth ta.key 1 # 1 on the client
auth-user-pass # required so the client prompts for the username and password
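The client profile above refers to four separate files that have to travel with it. OpenVPN also accepts those files inline inside the .ovpn, which makes one self-contained file per user and makes it harder to ship the wrong file (such as ca.key) by accident. The generator below is an added example, not part of the post; the make_client_ovpn/pem_only names and the argument order are assumptions, and it reads the files from the easy-rsa keys directory used throughout the post.

```shell
#!/bin/sh
# make_client_ovpn USER KEYS_DIR REMOTE_HOST REMOTE_PORT
# Emits a single-file client profile mirroring client.ovpn above, with the
# four files the client needs inlined. Added example; names are assumed.
pem_only() {
    # easy-rsa .crt files carry a human-readable dump before the PEM block;
    # keep only the -----BEGIN/END CERTIFICATE----- section.
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

make_client_ovpn() {
    user="$1"; keys="$2"; host="$3"; port="$4"
    for f in ca.crt "$user.crt" "$user.key" ta.key; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    # ca.key (the CA private key) and dh2048.pem are server-side only and never bundled.
    # With an inline <tls-auth> block, key-direction 1 replaces "tls-auth ta.key 1".
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
auth-user-pass
key-direction 1
<ca>
$(pem_only "$keys/ca.crt")
</ca>
<cert>
$(pem_only "$keys/$user.crt")
</cert>
<key>
$(cat "$keys/$user.key")
</key>
<tls-auth>
$(cat "$keys/ta.key")
</tls-auth>
EOF
}
```

Run it as make_client_ovpn book /usr/local/openvpn/easy-rsa/keys 100.100.100.100 2294 > book.ovpn and hand out only that file.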
