OpenVPN

Reference links

https://www.fandenggui.com/post/centos7-install-openvpn.html#5-L50

https://openvpn.net/community-downloads/

https://my.oschina.net/u/3585265/blog/2221466

https://juejin.im/post/5b5985b1f265da0f875938d2

Software versions

  • CentOS - 7.x
  • easy-rsa - 3.0.3
  • OpenVPN - 2.4.6

Installation

It is recommended to enable the EPEL repository and install OpenVPN with yum.

yum install -y epel-release 
yum update -y
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
yum install -y easy-rsa
yum install -y openvpn

Determine the private network

Default: 172.20.0.0/17

Configure certificates

The easy-rsa installed via yum is version 3.x; copy the tool out of its installation path and use the default easy-rsa 3.x to generate the certificates and keys.

cp -rf /usr/share/easy-rsa/3.0.3 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
./easyrsa gen-dh

openvpn --genkey --secret ta.key

Configure the server

Create the directories

# Log directory
mkdir -p /var/log/openvpn/
# User management directory
mkdir -p /etc/openvpn/server/user
# Set permissions
chown openvpn:openvpn /var/log/openvpn

Create the server configuration file

port 1994
proto tcp-server
# Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
# TUN/TAP virtual network device
dev tun
# user nobody
# group nobody

ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

## Using System user auth. 
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
## Using Script Plugins
# auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
# script-security 3 

# client-cert-not-required  # Deprecated option
verify-client-cert
# username-as-common-name
## Allow connecting clients to reach each other over the VPN.
client-to-client

## Allow multiple clients with the same common name to concurrently connect.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 172.21.0.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 114.114.115.115"
push "route 172.20.0.0 255.255.128.0"

# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
compress lzo
cipher AES-256-CBC
# ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3

log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log

Note! After creating the configuration file, you need to create a symlink named .service.conf, because the systemd unit file of the current OpenVPN version reads the .service.conf configuration.

cd /etc/openvpn/server/
ln -sf server.conf .service.conf

Create the user password file

The format is one user and password per line, separated by a space.

tee /etc/openvpn/server/user/psw-file << EOF
mytest mytestpass
EOF
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file
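An added example, not from the original page, of what the checkpsw.sh referenced by the commented-out auth-user-pass-verify line in the server configuration could look like: with via-env, OpenVPN hands the client's credentials to the script as $username and $password and accepts the login only if the script exits 0. The check_psw function, the PSW_FILE override and the way the file is read are my own assumptions; the file format is the one shown above.

```shell
#!/bin/sh
# Added example (not the page's own script): verify OpenVPN via-env credentials
# against a "user password" file. Exit 0 = accept, non-zero = reject.
PSW_FILE="${PSW_FILE:-/etc/openvpn/server/user/psw-file}"

# check_psw USER PASS FILE: return 0 only if FILE contains a line "USER PASS".
check_psw() {
    user=$1
    pass=$2
    file=$3
    # Empty credentials never match.
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    # Accept only a conservative username alphabet, so the value cannot act as
    # a pattern or an escape sequence when handed to awk below.
    case "$user" in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    # An unreadable or missing password file rejects everyone.
    [ -r "$file" ] || return 1
    # Exact match on the first field; the second field is the stored password.
    stored=$(awk -v u="$user" '$1 == u { print $2; exit }' "$file")
    if [ -n "$stored" ] && [ "$stored" = "$pass" ]; then
        return 0
    fi
    return 1
}

# When invoked by OpenVPN the exit status is the verdict. OpenVPN already logs
# the AUTH result per client, so nothing is printed here and the password is
# never written anywhere.
if [ -n "${username:-}" ]; then
    check_psw "$username" "${password:-}" "$PSW_FILE" && exit 0
    exit 1
fi
```

Enable it with the page's `auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env` and `script-security 3` lines; via-env passes the password through the environment, which is why OpenVPN requires script-security 3 for it.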

Firewall configuration

firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-service=openvpn
# Or add a custom port instead
# firewall-cmd --permanent  --add-port=1994/tcp
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 172.20.0.0/17 -o eth0 -j MASQUERADE
firewall-cmd --reload

Start the service

# Show the service unit names
rpm -ql openvpn | grep service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
# Start
openvpn --config /etc/openvpn/server/server.conf
# Watch the log for errors
tail -f /var/log/openvpn/server.log

Configure the client (Windows 10)

  • Download OpenVPN from https://openvpn.net/community-downloads/
  • Download the generated ca.crt, client1.crt, client1.key and ta.key from the server to the client; the client configuration goes in C:\Program Files\OpenVPN\config\client.ovpn

Configure client.ovpn

# 
client
proto tcp-client
dev tun
auth-user-pass
remote 210.14.159.141 1994
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
auth-nocache
persist-tun
persist-key
compress lzo
verb 4
mute 10

Linux OpenVPN client connection configuration

Prepare the configuration and certificate files

Because we installed the OpenVPN server earlier (see the OpenVPN installation and configuration above), we can use the configuration file it provides directly.

Note: the OpenVPN server we installed earlier is integrated with LDAP for unified authentication, so we no longer need the certificate and key the server issued to the client; only the configuration file and the corresponding key are needed, plus a new credentials file, passwd, that we have to create.

After the configuration file has been adjusted, the /etc/openvpn directory structure looks like this:

[root@ns1 ~]# tree /etc/openvpn/
/etc/openvpn/
├── client
│   ├── ca.crt                    # provided by the server
│   └── ta.key                    # provided by the server
├── client.ovpn                    # client configuration file
├── passwd                         # credentials file, create it yourself: first line is the username, second line is the password
└── server
2 directories, 4 files

Connection test

Once the configuration is done, test from the command line with the following command:

openvpn \
--daemon \
--cd /etc/openvpn \
--config client.ovpn \
--auth-user-pass /etc/openvpn/passwd \
--log-append /var/log/openvpn.log

Parameter description:

--daemon           # run in the background
--cd               # directory containing the configuration file
--config           # configuration file name
--auth-user-pass   # credentials file
--log-append       # log file