Business needs required a private network, which naturally meant setting up a VPN, and among the available VPN solutions OpenVPN is the obvious first choice. After a good deal of fiddling it finally works; what follows is my record of the setup.
OpenVPN
OpenVPN is free, open-source software for building encrypted virtual private network tunnels. With a VPN you can join networks at different locations into something that behaves like a single LAN. OpenVPN is easy to use, performs well, runs on many platforms and applies strong data encryption; being open source and free on top of that, it is the ideal open-source product for building a VPN.
Of course, since the GFW "protects" our network environment, the official OpenVPN site is blocked as well; I got past it with shadowsocks to read up on OpenVPN.
Server installation and configuration
Install the EPEL repository

```shell
~]# cat /etc/yum.repos.d/epel.repo
[epel]
name=epel
baseurl=https://mirrors.aliyun.com/epel/6Server/x86_64
enabled=1
gpgcheck=0
cost=2000
```
Install OpenVPN

```shell
yum install -y openvpn easy-rsa
```
easy-rsa configuration

```shell
~]# mkdir -p /etc/openvpn/easy-rsa/keys
~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
```
Create the CA certificate and key

```shell
~]# vim /etc/openvpn/easy-rsa/vars   # set your own country, province, city, e-mail and so on
...
export KEY_COUNTRY='CN'
export KEY_PROVINCE='ZJ'
export KEY_CITY='HZ'
export KEY_ORG='GM'
export KEY_EMAIL='admin@123.com'
export KEY_OU='tech'
...

~]# source /etc/openvpn/easy-rsa/vars   # initialise the certificate authority environment
~]# cd /etc/openvpn/easy-rsa
~]# ./clean-all                          # wipe the contents of the keys directory
~]# ./build-ca                           # create the CA certificate
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZJ]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [GM]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) [GM CA]:
Name [changeme]:
Email Address [mail@host.domain]:
```
Create the server certificate and key

```shell
~]# ./build-key-server server
.....++++++
.................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZJ]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [GM]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'ZJ'
localityName :PRINTABLE:'HZ'
organizationName :PRINTABLE:'GM'
organizationalUnitName:PRINTABLE:'tech'
commonName :PRINTABLE:'server'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:05:21 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Update
```
Create the client certificate and key

```shell
./build-key client1

Generating a 1024 bit RSA private key
...++++++
...............++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZJ]:
Locality Name (eg, city) [HZ]:
Organization Name (eg, company) [GM]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) [client1]:   # the Common Name is what tells clients apart
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'ZJ'
localityName :PRINTABLE:'HZ'
organizationName :PRINTABLE:'tech'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Mar 28 03:21:06 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Create the Diffie-Hellman key exchange parameters

```shell
~]# ./build-dh   # writes keys/dh${KEY_SIZE}.pem; check the actual file name and make sure the dh directive in server.conf matches it
```
Copy the server certificate and keys

```shell
~]# cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,dh2048.pem,ca.crt} /etc/openvpn
```
Configure the VPN server

```shell
~]# cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/server.conf /etc/openvpn/
~]# cat /etc/openvpn/server.conf | grep "^[^#|^;]"
local 0.0.0.0                  # listen address
port 1194                      # listen port
proto tcp                      # listen protocol
dev tun                        # routed tunnel mode
ca ca.crt                      # path to the CA certificate
cert server.crt                # server certificate
key server.key                 # This file should be kept secret (server private key)
dh dh2048.pem                  # Diffie-Hellman parameters file
server 10.8.0.0 255.255.255.0  # address pool handed out to clients; note: must not overlap the VPN server's LAN subnet
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"  # let clients reach the internal 192.168.20.0 subnet
push "dhcp-option DNS 8.8.8.8"           # DNS server pushed to clients via DHCP options
client-to-client               # allow clients to talk to each other
keepalive 10 120               # liveness: ping every 10 s; a peer is considered down after 120 s without a reply
comp-lzo                       # compress tunnel traffic
max-clients 100                # at most 100 concurrent clients
user openvpn                   # drop privileges to this user
group openvpn                  # and this group
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
```
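A server.conf like the one above can be checked mechanically before it goes live. The script below is an added example, not part of the original post: it parses OpenVPN's directive syntax (`#`/`;` comments, quoted arguments) as written above, enforces the rule the post states for the `server` pool (it must not overlap a subnet the server pushes a route to), and flags two settings a reviewer would question: `comp-lzo`, since compression on an encrypted tunnel is what the VORACLE attack exploits, and the absence of `tls-auth`/`tls-crypt`, which leaves the control channel without an HMAC key. The embedded configuration is a constructed copy of the post's own.

```python
import ipaddress
import shlex

# Constructed sample: the server.conf shown in the post, trailing comments included.
SAMPLE_CONF = """\
local 0.0.0.0 # listen address
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0 # pool handed to clients
push "route 192.168.20.0 255.255.255.0" # LAN behind the server
push "dhcp-option DNS 8.8.8.8"
comp-lzo
user openvpn
group openvpn
"""

def parse_conf(text):
    """Return [(directive, [args])]; '#' and ';' start comments, quotes group args."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps 'route 192.168.20.0 ...' as one argument
            entries.append((parts[0], parts[1:]))
    return entries

def audit(text):
    """Return a list of findings for the config; an empty list means nothing to flag."""
    conf = parse_conf(text)
    findings = []
    pool = None
    for directive, args in conf:
        if directive == "server" and len(args) == 2:
            pool = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    # The post's rule: the client pool must not overlap the networks the server routes to.
    for directive, args in conf:
        if directive == "push" and args and args[0].startswith("route "):
            net, mask = args[0].split()[1:3]
            route = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            if pool is not None and pool.overlaps(route):
                findings.append(f"server pool {pool} overlaps pushed route {route}")
    names = {directive for directive, _ in conf}
    if "comp-lzo" in names:
        findings.append("comp-lzo enables compression on the tunnel; disable it (VORACLE)")
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt: control channel has no HMAC key protection")
    return findings
```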
iptables configuration

```shell
~]# iptables -F   # flushes every existing rule in the filter table
~]# iptables -X   # and deletes all user-defined chains; review the current rule set before running these
# Configure NAT for OpenVPN: masquerade packets from every subnet leaving through eth0:
~]# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Whitelist forwarding from the tunnel interfaces:
~]# iptables -A FORWARD -i tun+ -j ACCEPT
# Enable IP forwarding in the kernel (this does not survive a reboot; set
# net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it persistent):
~]# echo "1" > /proc/sys/net/ipv4/ip_forward
~]# service iptables save
~]# service iptables restart
```
Configure the client

```shell
~]# cp /usr/share/doc/openvpn-2.3.*/sample/sample-config-files/client.conf /etc/openvpn/client.ovpn
# Edit the client configuration file
~]# cat /etc/openvpn/client.ovpn | grep "^[^#|^;]"
client
dev tun
proto tcp                      # changed to tcp to match the server
remote 203.195.xxx.xxx 1194    # public IP and port of the OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                      # CA certificate
cert client1.crt               # client1's certificate
key client1.key                # client1's private key
ns-cert-type server            # only accept a server certificate carrying nsCertType=server (which build-key-server sets)
comp-lzo
verb 3
```
OpenVPN client setup
- Copy /etc/openvpn/easy-rsa/keys/{ca.crt,client1.crt,client1.key} and /etc/openvpn/client.ovpn from the server to the client host
- Download and install the OpenVPN client
  Windows client
  Mac client
- Copy the files you just transferred into the config directory under the OpenVPN client's installation directory
- Start OpenVPN GUI
Right-click the OpenVPN icon in the tray at the bottom right of the screen and choose "Connect". Under normal conditions the connection should succeed and a proper IP address should be assigned.