OpenVPN server configuration (Linux)
easy-rsa (certificate authentication setup)
Easy-RSA is an open-source tool for building and managing a public key infrastructure (PKI). It is a simple certificate-management tool commonly used to create and maintain SSL/TLS certificates, including the certificates used by VPNs and other secure protocols. Easy-RSA is part of the OpenVPN project and is used to create the certificates for OpenVPN servers and clients; it usually ships alongside the OpenVPN packages but can also be downloaded and used on its own.
Installation requires the EPEL repository (the easy-rsa package lives there).
#1. Install the tool that generates the certificates
yum install -y easy-rsa
#2. Prepare the vars file; this host will act as the certificate authority (CA):
[root@loaclhost ~]# mkdir /opt/easy-rsa
[root@loaclhost ~]# cd /opt/easy-rsa/
[root@loaclhost easy-rsa]# cp -a /usr/share/easy-rsa/3.0.8/* ./
[root@loaclhost easy-rsa]# cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
[root@loaclhost easy-rsa]# > vars   # empty the copied example, then put the settings shown below into it
[root@open easy-rsa]# cat vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Shanghai"
set_var EASYRSA_REQ_ORG "zqf"
set_var EASYRSA_REQ_EMAIL "zqf@qq.comm"
set_var EASYRSA_NS_SUPPORT "yes"
[root@loaclhost easy-rsa]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

1 directory, 11 files
#3. Initialise: creates the pki directory under the current directory, where all certificates and keys will be stored
[root@loaclhost easy-rsa]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki
[root@loaclhost easy-rsa]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── openssl-easyrsa.cnf
│   ├── private
│   ├── reqs
│   └── safessl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 13 files
#4. Create the root CA. You are prompted for a passphrase; the CA key signs the server and client certificates generated later, and the passphrase is required for every signing operation. Everything else can stay at the default.
## Tip: do set a passphrase. ca.key is the root of trust for the whole VPN; anyone holding it can mint certificates that the server and every client will accept.
[root@loaclhost easy-rsa]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: ### choose a passphrase
Re-Enter New CA Key Passphrase: ### enter it again
Generating RSA private key, 2048 bit long modulus
...................+++
...................................................................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: ## press Enter
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt
# certificate name and location
#5. Create the server certificate request and private key. nopass means the private key is stored unencrypted (the OpenVPN daemon must read it at start-up without a prompt); the rest can stay at the default
[root@loaclhost easy-rsa]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
........+++
........+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-2581.wJLqKY/tmp.TMOoWC'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req ### certificate signing request
key: /opt/easy-rsa/pki/private/server.key ### private key
#6. Sign the server certificate. Easy-RSA first asks you to confirm the request details (type yes), then asks for the passphrase set when the CA was created
[root@loaclhost easy-rsa]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes ## type yes here
Using configuration from /opt/easy-rsa/pki/easy-rsa-2608.rvTpJi/tmp.pmFLra
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: ## the CA passphrase set above
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Mar 11 14:27:18 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/server.crt # the signed certificate
[root@loaclhost easy-rsa]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── ca.crt
│   ├── certs_by_serial
│   │   └── 7F07B2544DA42485C98FB6C2E732B545.pem
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── issued
│   │   └── server.crt
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   ├── ca.key
│   │   └── server.key
│   ├── renewed
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── reqs
│   │   └── server.req
│   ├── revoked
│   │   ├── certs_by_serial
│   │   ├── private_by_serial
│   │   └── reqs_by_serial
│   ├── safessl-easyrsa.cnf
│   ├── serial
│   └── serial.old
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

14 directories, 25 files
#7. Generate the Diffie-Hellman parameters (dh.pem), which the server uses for the DH key exchange. This takes a while. (OpenVPN 2.4+ can use ECDH instead with `dh none`.)
[root@m01 easy-rsa]# ./easyrsa gen-dh
# Server-side material: the CA certificate, the server certificate (public) and the server private key
├── pki
│   ├── ca.crt            # CA certificate
│   ├── private
│   │   └── server.key    # server private key (secret; must not leave the server)
│   ├── issued
│   │   └── server.crt    # server certificate (public; carries the public key, signed by the CA)
│   ├── dh.pem            # Diffie-Hellman parameters (key-exchange parameters, not an authentication algorithm)
#8. Create the client certificate request and private key; nopass again leaves the key unencrypted, the rest can stay at the default
[root@loaclhost easy-rsa]# ./easyrsa gen-req client nopass
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...................+++
....................................................................................................................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-18006.Cmpkvw/tmp.p4Jruv'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]: # press Enter
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client.req
key: /opt/easy-rsa/pki/private/client.key
#9. Sign the client certificate: confirm the details with yes, then enter the CA passphrase
[root@loaclhost easy-rsa]# ./easyrsa sign client client
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes ### type yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-18034.AHTUFX/tmp.D1jsbd
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: ## the CA passphrase set above
Directory layout and the files that matter so far
[root@m01 /opt/easy-rsa]# tree
.
├── easyrsa               # management command
├── pki
│   ├── ca.crt            # CA certificate, needed by both the server and the clients
│   ├── dh.pem            # DH parameters, server only
│   ├── issued
│   │   ├── client.crt    # client certificate
│   │   └── server.crt    # server certificate
│   ├── private
│   │   ├── ca.key        # CA private key: stays on this host, never copied to the VPN server or to clients
│   │   ├── client.key    # client private key
│   │   └── server.key    # server private key
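Before anything is copied into /etc/openvpn it is worth checking the PKI mechanically: that server.crt and client.crt really chain to ca.crt, that each .key is the private half of the public key inside its .crt (the two are easy to mislabel, as the annotated listing above shows), that Easy-RSA stamped the server and client types into the Extended Key Usage, and that dh.pem parses. The script below is an added example, not part of this page or of Easy-RSA. Given the pki directory as its argument it checks the real PKI; run with no argument it builds a throwaway PKI in the same layout with plain openssl (constructed test data, 512-bit DH only for speed) and checks that instead.

```shell
#!/bin/sh
# Added example (not part of the original page or of Easy-RSA): sanity-check an
# Easy-RSA PKI before it goes into /etc/openvpn.
#   sh verify_pki.sh /opt/easy-rsa/pki      # check the real PKI
#   sh verify_pki.sh                        # no argument: check a constructed throwaway PKI
# Assumes Easy-RSA's default layout: ca.crt, issued/<name>.crt, private/<name>.key, dh.pem.

# The certificate must chain to our CA (and not be expired).
check_signed_by_ca() {   # $1 = ca.crt, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# .key and .crt must be the two halves of one keypair: compare the public key inside
# the certificate with the public key derived from the private key (both as SPKI PEM).
check_key_matches_cert() {   # $1 = certificate, $2 = private key
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Easy-RSA's sign type ("server"/"client") becomes the Extended Key Usage. A certificate
# signed with the wrong type passes the CA check yet is still the wrong thing.
check_eku() {   # $1 = certificate, $2 = expected usage text
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# dh.pem must parse as DH parameters (an empty or truncated file is a common copy error).
check_dh() {   # $1 = dh.pem
    openssl dhparam -in "$1" -noout -text 2>/dev/null | grep -q 'DH Parameters'
}

report() {   # $1 = label, rest = check command; prints PASS/FAIL and counts failures
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; FAILED=$((FAILED + 1)); fi
}

verify_pki() {   # $1 = pki directory; returns 0 only if every check passes
    p=$1; FAILED=0
    report "server.crt is signed by ca.crt"    check_signed_by_ca "$p/ca.crt" "$p/issued/server.crt"
    report "client.crt is signed by ca.crt"    check_signed_by_ca "$p/ca.crt" "$p/issued/client.crt"
    report "server.key belongs to server.crt"  check_key_matches_cert "$p/issued/server.crt" "$p/private/server.key"
    report "client.key belongs to client.crt"  check_key_matches_cert "$p/issued/client.crt" "$p/private/client.key"
    report "server.crt has serverAuth EKU"     check_eku "$p/issued/server.crt" "TLS Web Server Authentication"
    report "client.crt has clientAuth EKU"     check_eku "$p/issued/client.crt" "TLS Web Client Authentication"
    report "dh.pem is valid DH parameters"     check_dh "$p/dh.pem"
    [ "$FAILED" -eq 0 ]
}

# Constructed test data: a throwaway PKI in the Easy-RSA layout, made with plain
# openssl instead of ./easyrsa so the script can run without the real CA.
make_test_pki() {   # $1 = target directory
    d=$1; mkdir -p "$d/issued" "$d/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Easy-RSA CA" \
        -keyout "$d/private/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/private/$name.key" -out "$d/$name.req" >/dev/null 2>&1
        if [ "$name" = server ]; then eku=serverAuth; else eku=clientAuth; fi
        printf 'extendedKeyUsage = %s\n' "$eku" > "$d/$name.ext"
        openssl x509 -req -in "$d/$name.req" -CA "$d/ca.crt" -CAkey "$d/private/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/$name.ext" -out "$d/issued/$name.crt" >/dev/null 2>&1
    done
    openssl dhparam -out "$d/dh.pem" 512 >/dev/null 2>&1   # 512 bits only for speed; real PKIs use 2048+
}

if [ $# -gt 0 ]; then
    verify_pki "$1"
else
    DEMO=$(mktemp -d); make_test_pki "$DEMO"; verify_pki "$DEMO"; rm -rf "$DEMO"
fi
```

A FAIL on the "belongs to" line is the swapped-file mistake; a FAIL on an EKU line means the request was signed with `./easyrsa sign client` where `server` was meant (or vice versa), and the cure is to revoke and re-sign, not to edit the file.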
Install OpenVPN
yum install -y openvpn   # also from EPEL
# The systemd unit openvpn@server reads /etc/openvpn/server.conf:
[root@open openvpn]# cat server.conf
local 0.0.0.0 # listen on all interfaces
port 1194 # OpenVPN's default port
proto udp # UDP transport
dev tun # TUN device (routed, layer 3)
ca ca.crt # CA certificate (paths are relative to /etc/openvpn)
cert server.crt # server certificate
key server.key # server private key; keep it readable by root only
dh dh.pem # Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0 # hand out client addresses from 10.8.0.0/24
ifconfig-pool-persist ipp.txt # remember client address assignments in ipp.txt
push "route 172.17.130.0 255.255.255.0" # push a route for 172.17.130.0/24 to clients
auth-user-pass-verify checkpsw.sh via-env # check username/password with checkpsw.sh; via-env hands them to the script as environment variables. The OpenVPN manual rates via-env weaker than via-file, because a process environment can be visible to other local processes; via-file passes a temporary file instead
script-security 3 # required for via-env: level 3 allows passwords to reach scripts through the environment
username-as-common-name # identify the client by the authenticated username rather than by the certificate CN (this is what lets all users share the single client.crt generated above)
client-to-client # allow clients to reach each other through the server
topology subnet # one shared /24, one address per client
keepalive 10 120 # ping every 10 s, declare the peer dead after 120 s
cipher AES-256-GCM # data-channel cipher (OpenVPN 2.5+ negotiates via data-ciphers; cipher is kept for 2.4 compatibility)
comp-lzo # LZO compression. Compressing tunnelled traffic is deprecated and opens the tunnel to compression-oracle attacks (VORACLE); remove it on server and clients unless you truly need it
max-clients 100 # at most 100 concurrent clients
user openvpn # drop privileges to this user after start-up
group openvpn # and to this group
persist-key # keep keys in memory across restarts (needed once privileges are dropped)
persist-tun # keep the TUN device open across restarts
status /var/log/openvpn/openvpn-status.log # connection status file
log /var/log/openvpn/openvpn.log # log file
verb 3 # log verbosity
# The script:
[root@open openvpn]# cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
###########################################################
PASSFILE="/etc/openvpn/user_passwd.txt"
LOG_FILE="/var/log/openvpn/openvpn-login.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
# With via-env, OpenVPN supplies the client's credentials in $username and $password.
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi
# Hand the username to awk with -v so it is always treated as data; the original
# spliced it straight into the awk program text.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
    # Log the username only; submitted passwords never belong in a log file.
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
# The username/password file (one user per line: username, whitespace, password, stored in plaintext):
[root@open openvpn]# cat user_passwd.txt
local 1qaz!QAZ
ubuntu 1qaz!QAZ
ops 1qaz!QAZ
mysql01 1qaz!QAZ
mysql02 1qaz!QAZ
prometheus 1qaz!QAZ
elk01 1qaz!QAZ
elk02 1qaz!QAZ
elk03 1qaz!QAZ
nginx01 1qaz!QAZ
yewu01 1qaz!QAZ
yewu02 1qaz!QAZ
docker 1qaz!QAZ
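checkpsw.sh works, but it keeps every password in plaintext in user_passwd.txt and, as originally written, copies whatever the client typed into openvpn-login.log. The script below is an added example, not from this page or from OpenVPN: a drop-in for `auth-user-pass-verify` that stores salted hashes, logs only the username, reads credentials either from the via-file temporary file or from the via-env variables, and passes the username to awk as a variable rather than splicing it into the program. The file paths, the record format and the test users are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenVPN): a replacement for checkpsw.sh
# that stores salted hashes instead of plaintext passwords, never writes a submitted password
# to the log, and passes the username to awk as data rather than splicing it into the program.
# Record format, one per line:   username:salt:sha256hex      (usernames must not contain ':')
# Wire it up with either method:
#   auth-user-pass-verify /etc/openvpn/checkpsw_hashed.sh via-file   # credentials in the file named by $1 (preferred by the manual)
#   auth-user-pass-verify /etc/openvpn/checkpsw_hashed.sh via-env    # credentials in $username and $password
# Paths below are assumptions; adjust to your layout.
PASSFILE=${PASSFILE:-/etc/openvpn/user_passwd_hashed.txt}
LOG_FILE=${LOG_FILE:-/var/log/openvpn/openvpn-login.log}

log() { printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$*" >> "$LOG_FILE"; }

# Salted SHA-256, hex. One fast hash is the floor for a demo: in production store
# crypt(3) SHA-512 hashes (openssl passwd -6) or let PAM decide via openvpn-plugin-auth-pam.so.
hash_password() {   # $1 = salt, $2 = password  -> hex digest
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Emit a record to append to PASSFILE:  make_record ops 'S3cret!' >> /etc/openvpn/user_passwd_hashed.txt
make_record() {   # $1 = username, $2 = password
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# The client-supplied username reaches awk through -v, so quotes or other metacharacters in it
# are compared as data and cannot alter the awk program (contrast the string splicing in checkpsw.sh).
lookup_record() {   # $1 = passfile, $2 = username  -> "salt:hash", or nothing if unknown
    awk -F: -v u="$2" '!/^[#;]/ && $1 == u { print $2 ":" $3; exit }' "$1"
}

verify_user() {   # $1 = passfile, $2 = username, $3 = password  -> 0 accept, 1 reject
    rec=$(lookup_record "$1" "$2")
    if [ -z "$rec" ]; then
        log "User does not exist: username=\"$2\""          # the password is deliberately not logged
        return 1
    fi
    salt=${rec%%:*}; stored=${rec#*:}
    if [ "$(hash_password "$salt" "$3")" = "$stored" ]; then
        log "Successful authentication: username=\"$2\""
        return 0
    fi
    log "Incorrect password: username=\"$2\""
    return 1
}

main() {   # OpenVPN entry point: via-file passes the credential file as $1, via-env uses the environment
    if [ -n "$1" ]; then
        [ -r "$1" ] || { log "Could not read credential file \"$1\"."; exit 1; }
        { IFS= read -r u; IFS= read -r p; } < "$1"   # line 1 = username, line 2 = password
    else
        u=$username; p=$password
    fi
    [ -r "$PASSFILE" ] || { log "Could not open password file \"$PASSFILE\" for reading."; exit 1; }
    verify_user "$PASSFILE" "$u" "$p"
}

# Act as the OpenVPN hook only when invoked under this file name; sourcing the file just defines the functions.
case "${0##*/}" in checkpsw_hashed.sh) main "$@" ;; esac
```

Install it as /etc/openvpn/checkpsw_hashed.sh, mode 700, owned by the user OpenVPN runs scripts as, and create records with `make_record`. With `via-file` the `script-security` level can stay at 2, since no password travels through the environment.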
# Copy the certificates and keys into place
[root@loaclhost openvpn]# cp /opt/easy-rsa/pki/ca.crt /etc/openvpn/
[root@loaclhost openvpn]# cp /opt/easy-rsa/pki/issued/server.crt /opt/easy-rsa/pki/private/server.key /etc/openvpn/
[root@loaclhost openvpn]# cp /opt/easy-rsa/pki/dh.pem /etc/openvpn/
# Only server.key is secret; keep it readable by root alone. ca.key is deliberately not copied: it stays in the PKI directory.
# Start
[root@loaclhost openvpn]# systemctl start openvpn@server
[root@loaclhost openvpn]# systemctl enable openvpn@server
OpenVPN client
Windows client
#windows
Download and install the OpenVPN client for Windows
C:\Program Files\OpenVPN\config ## configuration files live in this directory by default
Upload the client material generated on the server into that directory:
pki/ca.crt
pki/issued/client.crt
pki/private/client.key
## These three files were generated on the server above and are the client's credentials; copy them into the Windows config directory. client.key is a private key: move it over a secure channel (scp or similar), never by mail or chat.
client.ovpn #client.conf ## the client configuration file, which you write yourself:
client # this is a client configuration
dev tun # TUN device, must match the server
proto udp # UDP, must match the server
remote 39.105.13.209 1194 # the server's public address and port
resolv-retry infinite # keep retrying hostname resolution indefinitely
nobind # do not bind a fixed local port; let the system pick one
ca ca.crt # CA certificate used to verify the server. Without remote-cert-tls server the client accepts any certificate signed by this CA, including another client's
cert client.crt # client certificate
key client.key # client private key
verb 3 # log verbosity
persist-key # keep keys in memory across reconnects
comp-lzo # LZO compression, must match the server (see the compression note in server.conf)
auth-user-pass # prompt for username and password (or read them from a file); pairs with auth-user-pass-verify on the server
route 192.168.99.23 # host route to the server's private IP so it is reachable through the tunnel
Once the file is in place, connect from the OpenVPN GUI.
OpenVPN Linux client
1. Install openvpn
2. Upload the client material generated on the server into /etc/openvpn:
pki/ca.crt
pki/issued/client.crt
pki/private/client.key
root@zhang:~# cat /etc/openvpn/client.conf
client
dev tun
proto udp
remote 39.105.13.209 1194
resolv-retry infinite
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
verb 3
persist-key
comp-lzo
auth-user-pass
route 192.168.99.23 # host route to the server's private IP so it is reachable through the tunnel
# To run unattended, give auth-user-pass a file (username on line 1, password on line 2, mode 600) instead of prompting.
openvpn --config /etc/openvpn/client.conf --daemon --log-append /var/log/openvpn.log
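Shipping four files to every Windows and Linux client is error-prone; OpenVPN lets a profile embed ca.crt, client.crt and client.key inline between `<ca>`, `<cert>` and `<key>` tags. The script below is an added example, not from this page: it assembles such a profile from the Easy-RSA pki directory, mirroring the client.ovpn above and adding `remote-cert-tls server`, which makes the client reject any peer whose certificate was not signed with Easy-RSA's "server" type (without it, a leaked client.crt and key would be enough to impersonate the VPN server). The paths and the placeholder PEM data used for testing are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page): build one self-contained client profile that
# embeds ca.crt, client.crt and client.key inline, so a single file is handed to the Windows
# or Linux client instead of four.
#   sh build_ovpn.sh /opt/easy-rsa/pki client "39.105.13.209 1194" client.ovpn
# Paths and the placeholder PEM data used for testing are assumptions, not from the page.

pem_block() {   # $1 = file: print only the PEM body (Easy-RSA prepends a text dump to issued/*.crt)
    sed -n '/-----BEGIN/,/-----END/p' "$1"
}

build_ovpn() {   # $1 = pki dir, $2 = client name, $3 = "host port", $4 = output file
    pki=$1; name=$2; remote=$3; out=$4
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $remote
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a peer whose certificate was signed as a server (Easy-RSA "server" type)
remote-cert-tls server
auth-user-pass
# kept to match this page's server.conf; drop compression on both ends when you can
comp-lzo
verb 3
EOF
        echo '<ca>';   pem_block "$pki/ca.crt";             echo '</ca>'
        echo '<cert>'; pem_block "$pki/issued/$name.crt";   echo '</cert>'
        echo '<key>';  pem_block "$pki/private/$name.key";  echo '</key>'
    } > "$out"
    chmod 600 "$out"   # the profile now carries the private key: protect it like client.key
}

if [ $# -eq 4 ]; then build_ovpn "$@"; fi
```

OpenVPN for Windows imports a .ovpn with inline blocks as-is, and on Linux `openvpn --config client.ovpn` reads the same file; site-specific lines such as the `route` entry above can be appended to the generated profile.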