
Installing OpenVPN on CentOS 7

Production servers, whether hosted in an IDC or on a public cloud, are usually reachable only from the company's internal network. To reach that network when you are away from the office you need a VPN. This post walks through deploying an OpenVPN server on CentOS 7.

1. Environment

The lab runs in VMware Workstation virtual machines on CentOS-7.6.1810. Two VMs are needed: one is the OpenVPN server, the other stands in for a server on the company intranet:

Role                    IP address
OpenVPN server          eth0: 192.168.101.100 (simulated external network)
                        eth1: 172.18.0.10 (simulated internal network)
Client                  192.168.101.9
Intranet Linux server   172.18.0.11 (gateway 172.18.0.10)

The topology is shown below:

[Figure: OpenVPN installation topology]

2. Preparation

1、Configure the Aliyun YUM mirrors

The mirror also serves these .repo files over HTTPS; prefer that, since yum's GPG check covers the packages but not a repo definition altered in transit.

[root@openvpn-101-100 ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
[root@openvpn-101-100 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@openvpn-101-100 ~]# yum clean all
[root@openvpn-101-100 ~]# yum makecache

2、Configure time synchronisation

Certificate validity periods are checked against the clock, so a badly skewed server clock makes TLS handshakes fail. ntpdate sets the time once; for ongoing synchronisation enable chronyd, which CentOS 7 installs by default.

[root@openvpn-101-100 ~]# yum -y install ntpdate
[root@openvpn-101-100 ~]# ntpdate ntp.aliyun.com

3、Disable SELinux

This is the author's convenience choice. The change only takes effect after a reboot (setenforce 0 applies it to the running system). CentOS 7's targeted policy ships an openvpn domain that lets the daemon read its files under /etc/openvpn, so the service can also be run with SELinux left enforcing.

[root@openvpn-101-100 ~]# vim /etc/sysconfig/selinux
SELINUX=disabled

3. Install OpenVPN

openvpn itself comes from EPEL, which is why the EPEL repo was added above.

[root@openvpn-101-100 ~]# yum -y install openssh-server lzo openssl openssl-devel openvpn NetworkManager-openvpn openvpn-auth-ldap zip unzip

3.1 Install easy-rsa

This package builds the CA, server and client certificates; the current major version is easy-rsa 3. The author fetches the master branch as a zip, which pulls in whatever the branch tip is at that moment with no way to verify it. For a production CA pin a tagged release from the project's GitHub releases page and check its checksum, or install the easy-rsa package from EPEL, which places the same scripts under /usr/share/easy-rsa/.

[root@openvpn-101-100 ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@openvpn-101-100 ~]# unzip master.zip

Rename the extracted easy-rsa-master folder to easy-rsa:

[root@openvpn-101-100 ~]# mv easy-rsa-master/ easy-rsa

Then copy the easy-rsa folder into /etc/openvpn/:

[root@openvpn-101-100 ~]# cp -R easy-rsa/ /etc/openvpn/

3.2 Edit the vars file

This file sets the defaults (subject fields, key size, validity) used when building certificates.

1、First enter /etc/openvpn/easy-rsa/easyrsa3

[root@openvpn-101-100 ~]# cd /etc/openvpn/easy-rsa/easyrsa3/

2、Copy vars.example to vars

[root@openvpn-101-100 easyrsa3]# cp vars.example vars

3、Set the fields below, then save and exit. The same file also holds EASYRSA_KEY_SIZE and EASYRSA_CERT_EXPIRE, whose defaults give the 2048-bit keys and 1080-day validity seen in the output later on.

[root@openvpn-101-100 easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY     "CN" ## country
set_var EASYRSA_REQ_PROVINCE    "BeiJing" ## province
set_var EASYRSA_REQ_CITY        "BeiJing" ## city
set_var EASYRSA_REQ_ORG "opsbj" ## organisation, any name
set_var EASYRSA_REQ_EMAIL       "510749025@qq.com" ## e-mail
set_var EASYRSA_REQ_OU          "Dynamic Times" ## organisational unit

4. Create certificates

4.1 Create the server certificate and key

1、Enter /etc/openvpn/easy-rsa/easyrsa3/ and initialise the PKI (this creates the pki/ directory that holds every key and certificate from here on)

[root@openvpn-101-100 ~]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn-101-100 easyrsa3]# ./easyrsa init-pki
[Screenshot: easyrsa directory initialised]

2、Create the root (CA) certificate

This step asks for a PEM pass phrase, entered twice. You choose it, and you must remember it: it is needed every time a certificate is signed. The author sets it to 123456 here. On a production CA pick a strong one, since the pass phrase is the only thing between whoever copies ca.key and the ability to issue certificates the VPN server will trust; keeping the CA directory off the VPN server entirely is better still.

You are also asked for a Common Name; any name that does not collide with others in this PKI is fine.

[root@openvpn-101-100 easyrsa3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: ## choose the pass phrase
Re-Enter New CA Key Passphrase: ## repeat it
Generating RSA private key, 2048 bit long modulus
....................+++
...............+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic  ## any name you like

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
[Screenshot: OpenVPN root certificate created]

3、Create the server certificate request

This step asks for the server's Common Name; again any name unique within this PKI works. nopass leaves server.key unencrypted so that the daemon can start unattended:

[root@openvpn-101-100 easyrsa3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................................................+++
.......+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.BKg9lvKsJ7'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:dynamic-server ## any name you like

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
[Screenshot: OpenVPN server certificate request created]

4、Sign the server certificate

The first argument is the certificate type. server makes easy-rsa add the serverAuth extended key usage, which the client-side remote-cert-tls server directive checks to tell the real server apart from any other certificate issued by this CA (the documented command name is sign-req; the script accepts sign as well):

[root@openvpn-101-100 easyrsa3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = dynamic-server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes ## type yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: ## the CA pass phrase, 123456 in this walkthrough
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-server'
Certificate is to be certified until Mar 17 14:30:18 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
[Screenshot: OpenVPN server certificate signed]

5、Generate Diffie-Hellman parameters

The parameters in dh.pem are used by the ephemeral Diffie-Hellman exchange on the TLS control channel; this is what gives each session keys that an observer of the network cannot derive. The file holds no secret, it just takes a while to generate:

[root@openvpn-101-100 easyrsa3]# ./easyrsa gen-dh

4.2 Create the client certificate and key

1、Create a client folder under /root (any name works), copy the easy-rsa folder extracted earlier into it and change into the directory below. Using a second PKI directory mirrors what a client would do on its own machine: generate the key and request there and hand only the .req to the CA, so the private key never has to travel.

[root@openvpn-101-100 easyrsa3]# cd /root/
[root@openvpn-101-100 ~]# mkdir client
[root@openvpn-101-100 ~]# cp -R easy-rsa/ client/
[root@openvpn-101-100 ~]# cd client/easy-rsa/easyrsa3/

2、Initialise the client PKI directory

[root@openvpn-101-100 easyrsa3]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki

3、Create the client key and certificate request

This creates a request for the user testuser. You are again asked for a pass phrase; this one protects the client key and is typed on the client when connecting, so do not reuse the CA's. The author uses 666666 here for simplicity.

[root@openvpn-101-100 easyrsa3]# ./easyrsa gen-req testuser

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............+++
.............................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/testuser.key.vPKic04NzX'
Enter PEM pass phrase: ## the client pass phrase, 666666 here
Verifying - Enter PEM pass phrase: ## repeat it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [testuser]: ## press Enter to accept the default

Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/testuser.req
key: /root/client/easy-rsa/easyrsa3/pki/private/testuser.key

4、Import testuser.req into the CA so it can be signed

[root@openvpn-101-100 easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn-101-100 easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/testuser.req testuser

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: testuser
You may now use this name to perform signing operations on this request.

5、Sign the client certificate

The type is client because this is a client certificate: it gives the certificate the clientAuth extended key usage instead of the serverAuth that sign server gives, which is what lets a client tell the real server apart from another user's certificate. testuser must match the short name given at import. The pass phrase asked for here is the CA pass phrase set when the root certificate was created, not the client's; do not mix them up.

[root@openvpn-101-100 easyrsa3]# ./easyrsa sign client testuser

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = testuser


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'testuser'
Certificate is to be certified until Mar 17 14:42:56 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/testuser.crt
[Screenshot: OpenVPN client certificate signed]

5. Copy the certificates

This step places the files where the configuration expects them. Copy the following into /etc/openvpn/. server.key was generated with nopass and is unencrypted, so keep it owned by root with mode 0600; anyone who can read it can impersonate the VPN server.

[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn

Copy the following into /root/client (this is the bundle the user receives):

[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client
[root@openvpn-101-100 easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/testuser.crt /root/client
[root@openvpn-101-100 easyrsa3]# cp /root/client/easy-rsa/easyrsa3/pki/private/testuser.key /root/client
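Before handing these files out it is worth checking what easy-rsa actually produced. The following is an added example and not part of the original post: a POSIX shell script with the checks for the file set above (each certificate chains to ca.crt, server.crt carries the serverAuth extended key usage that sign server sets while testuser.crt cannot pass as a server certificate, and server.key belongs to server.crt). The make_fixture_pki function is an assumption added so the block runs anywhere: it builds a throwaway stand-in for the pki/ tree with plain openssl instead of easy-rsa. On the real server you would run check_tutorial_pki against /etc/openvpn/easy-rsa/easyrsa3/pki.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run on what
# easy-rsa produced before copying it into /etc/openvpn and handing the
# client bundle out. Works on a directory laid out like the tutorial's
# pki/ tree (ca.crt, issued/<name>.crt, private/<name>.key).
# make_fixture_pki builds a throwaway stand-in for that tree with plain
# openssl so the block runs without easy-rsa; on the real server point
# check_tutorial_pki at /etc/openvpn/easy-rsa/easyrsa3/pki instead.

# Does certificate $2 chain to the CA certificate $1?
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the Extended Key Usage of a certificate, e.g.
# "TLS Web Server Authentication". easy-rsa's "sign server" puts
# serverAuth here and "sign client" puts clientAuth; the client-side
# directive "remote-cert-tls server" checks exactly this field.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# May certificate $2 act as a TLS *server* under CA $1? A client
# certificate must fail this test; if it passed, any VPN user could
# impersonate the server to every other user.
cert_valid_as_server() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does private key $2 (pass phrase $3, empty if none) belong to
# certificate $1? Compares the public key material, not file names.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check on a pki/ tree. Prints one line per check and returns
# non-zero if anything failed. $2 is the client name (testuser in the post).
check_tutorial_pki() {
    pki=$1; client=${2:-testuser}; rc=0
    cert_chains_to_ca "$pki/ca.crt" "$pki/issued/server.crt" \
        && echo "ok   server.crt chains to ca.crt" || { echo "FAIL server.crt does not chain to ca.crt"; rc=1; }
    cert_chains_to_ca "$pki/ca.crt" "$pki/issued/$client.crt" \
        && echo "ok   $client.crt chains to ca.crt" || { echo "FAIL $client.crt does not chain to ca.crt"; rc=1; }
    [ "$(cert_eku "$pki/issued/server.crt")" = "TLS Web Server Authentication" ] \
        && echo "ok   server.crt has the serverAuth EKU" || { echo "FAIL server.crt was not signed with type server"; rc=1; }
    cert_valid_as_server "$pki/ca.crt" "$pki/issued/$client.crt" \
        && { echo "FAIL $client.crt is usable as a server certificate"; rc=1; } || echo "ok   $client.crt cannot pose as the server"
    key_matches_cert "$pki/issued/server.crt" "$pki/private/server.key" \
        && echo "ok   server.key matches server.crt" || { echo "FAIL server.key does not match server.crt"; rc=1; }
    return $rc
}

# Throwaway stand-in for easy-rsa's pki/ directory, built with openssl only
# (assumption for running this block anywhere; nothing here is for real use).
# Extensions mirror what easy-rsa 3 writes for "sign server" and "sign client".
make_fixture_pki() {
    dir=$1
    mkdir -p "$dir/issued" "$dir/private" "$dir/reqs"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dynamic" \
        -keyout "$dir/private/ca.key" -out "$dir/reqs/ca.req" 2>/dev/null
    openssl x509 -req -in "$dir/reqs/ca.req" -signkey "$dir/private/ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    for name in server testuser; do
        if [ "$name" = server ]; then ext=server.ext; else ext=client.ext; fi
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/private/$name.key" -out "$dir/reqs/$name.req" 2>/dev/null
        openssl x509 -req -in "$dir/reqs/$name.req" -CA "$dir/ca.crt" -CAkey "$dir/private/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/$ext" -out "$dir/issued/$name.crt" 2>/dev/null
    done
}

# Stand-alone use: sh check_pki.sh /etc/openvpn/easy-rsa/easyrsa3/pki [client-name]
if [ "$#" -gt 0 ]; then
    check_tutorial_pki "$@"
fi
```

On the tutorial's layout testuser.key lives in the client's own pki/ tree, so check it with key_matches_cert /root/client/easy-rsa/easyrsa3/pki/private/testuser.key and the client pass phrase as the third argument; the server key check is the one that matters on the server side.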

6. Configure OpenVPN

The openvpn package ships a sample configuration named server.conf under /usr/share/doc/openvpn-<version>/sample/sample-config-files; the directory name follows the installed package version (2.4.7 here), so check it with rpm -q openvpn if the path below does not exist. Copy that file into /etc/openvpn:

[root@openvpn-101-100 ~]# cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/

Then edit server.conf as follows. These lines are the author's working configuration; a few points to weigh before using it in production: proto tcp gets through networks that block UDP but stacks TCP inside TCP, so prefer udp where you can; comp-lzo compresses tunnelled traffic, which is what the VORACLE class of attacks exploits, and OpenVPN 2.4 marks it deprecated; there is no user nobody / group nobody, so the daemon keeps running as root after start-up; and there is no tls-auth or tls-crypt key, so anyone who can reach port 1194 can start a TLS handshake with the server.

port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# push a route for the company intranet so clients send 172.18.0.0/16 through the tunnel
push "route 172.18.0.0 255.255.0.0"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
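The status openvpn-status.log line makes the daemon rewrite a plain-text status file (every 60 seconds by default, in the version 1 layout unless status-version says otherwise). The following is an added example, not part of the original post, that reads such a file: a shell script listing who is connected from which real address with which tunnel IP, and flagging connected common names that are not on an allow list. That second check is useful because the configuration above has no crl-verify line, so a departed user's certificate keeps working until it is revoked and a CRL is configured. The sample status file, the client names in it and the allow-list file are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: reads the status file that the
# "status" line in server.conf makes OpenVPN rewrite (format version 1,
# the default) and answers the two questions an on-call engineer asks
# first: who is connected from where, and is anyone connected who should
# not be. All sample data below is constructed.

# Print "common-name real-address tunnel-ip connected-since", one client
# per line, by joining the CLIENT LIST and ROUTING TABLE sections.
connected_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "";        next }
        sec == "clients" && NF == 5 && $1 != "Common Name" {
            order[++n] = $1; real[$1] = $2; since[$1] = $5
        }
        sec == "routes" && NF == 4 && $1 != "Virtual Address" {
            # first route listed for a CN is its address from the 10.8.0.0/24 pool
            if (!($2 in vip)) vip[$2] = $1
        }
        END {
            for (i = 1; i <= n; i++) {
                cn = order[i]
                v = (cn in vip) ? vip[cn] : "-"
                printf "%s %s %s %s\n", cn, real[cn], v, since[cn]
            }
        }' "$1"
}

# Print the common names of connected clients that do not appear in the
# allow-list file $2 (one CN per line). An empty allow list flags everyone.
unexpected_clients() {
    connected_clients "$1" |
        awk -v allow="$2" 'BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
                           !($1 in ok) { print $1 }'
}

# Constructed sample in the layout OpenVPN writes for status-version 1.
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Mar 21 15:02:11 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
testuser,192.168.101.9:53456,18523,22011,Thu Mar 21 14:58:40 2019
olduser,203.0.113.7:40122,902,1140,Thu Mar 21 15:01:03 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,testuser,192.168.101.9:53456,Thu Mar 21 15:02:09 2019
10.8.0.10,olduser,203.0.113.7:40122,Thu Mar 21 15:02:10 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone use: sh vpn_who.sh /path/to/openvpn-status.log [allow-list]
if [ "$#" -eq 1 ]; then
    connected_clients "$1"
elif [ "$#" -eq 2 ]; then
    unexpected_clients "$1" "$2"
fi
```

Without duplicate-cn in server.conf each common name has at most one session, so keying on the CN is enough; if you ever enable duplicate-cn, key on the real address instead.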

7. Start the OpenVPN service

Starting the daemon by hand, as below, is fine for testing. The package also installs a systemd unit, openvpn@server.service, that reads /etc/openvpn/server.conf, logs to the journal and comes back after a reboot, which is what you want in production.

[root@openvpn-101-100 ~]# openvpn --daemon --config /etc/openvpn/server.conf

8. Configure kernel forwarding and the firewall

Forwarding lets packets arriving on the tun interface leave through eth1, and the MASQUERADE rule rewrites their source to the server's intranet address so hosts on 172.18.0.0 can answer without a route back to 10.8.0.0/24. Two things to know before copying the rules: they are not persistent (CentOS 7 defaults to firewalld, which is where port 1194 and masquerading would be added permanently; if you stay with raw iptables, save them with iptables-save or the iptables-services package), and if the FORWARD chain does not accept by default (firewalld, for one, rejects forwarded traffic its zones do not permit) you also need rules allowing traffic between tun0 and eth1. Restricting the MASQUERADE rule to the outgoing interface with -o eth1 keeps it from also rewriting traffic that leaves on eth0.

[root@openvpn-101-100 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@openvpn-101-100 ~]# sysctl -p
[root@openvpn-101-100 ~]# iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
[root@openvpn-101-100 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24  -j MASQUERADE

9. Configure the OpenVPN client

Whether on Windows or Mac, the OpenVPN client needs the client certificate files and a configuration file with the .ovpn extension.

1、Create testuser.ovpn (OpenVPN comments start with # or ;, so the comments are on their own lines; anything else after a directive is read as an extra argument)

[root@openvpn-101-100 ~]# vim /root/client/testuser.ovpn
client
dev tun
proto tcp
# change this to your server's external IP
remote 192.168.101.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# the CA certificate
ca ca.crt
# the client certificate
cert testuser.crt
# the client private key
key testuser.key
comp-lzo
verb 3
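The profile above references four separate files and omits the directives that protect the client against a rogue server. As an added example that is not part of the original post, the following shell script builds a single-file profile that inlines ca.crt, testuser.crt, testuser.key and a tls-crypt key, and audits an existing .ovpn for the same points. Assumptions not on the page: the server runs OpenVPN 2.4, carries a matching tls-crypt ta.key line (ta.key generated with openvpn --genkey --secret ta.key) and has dropped comp-lzo; vpn.example.com in the test is a placeholder, and the fake PEM files there are constructed so the block runs without a real PKI.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a single-file client
# profile from the bundle the tutorial hands out (ca.crt, testuser.crt,
# testuser.key) plus a tls-crypt key, and audits an existing .ovpn for the
# directives a hardened profile needs.
# Assumptions not on the page: the server runs OpenVPN 2.4, carries a
# matching "tls-crypt ta.key" line (ta.key from "openvpn --genkey --secret
# ta.key") and has dropped comp-lzo. Host names used in tests are placeholders.

# Print a unified .ovpn to stdout.
# Usage: make_client_profile HOST PORT CA_FILE CERT_FILE KEY_FILE TLSCRYPT_FILE
make_client_profile() {
    host=$1; port=$2; ca=$3; cert=$4; key=$5; tc=$6
    cat <<EOF
client
dev tun
proto tcp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Accept only a server certificate that carries the serverAuth EKU which
# "easyrsa sign server" set; another user's client certificate fails this.
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# Forget the key pass phrase after use instead of caching it for reconnects.
auth-nocache
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
# Control-channel packets are encrypted and authenticated with this shared
# key, so peers without it never get as far as the TLS handshake.
<tls-crypt>
$(cat "$tc")
</tls-crypt>
EOF
}

# Report what is missing or weak in an existing .ovpn, one finding per line.
# Prints nothing and returns 0 when the profile passes.
audit_client_profile() {
    f=$1; n=0
    grep -q '^remote-cert-tls server' "$f" \
        || { echo "missing: remote-cert-tls server (any client cert from this CA could pose as the server)"; n=$((n + 1)); }
    grep -Eq '^(tls-crypt|tls-auth|<tls-crypt>|<tls-auth>)' "$f" \
        || { echo "missing: tls-crypt or tls-auth (control channel open to anyone who can reach the port)"; n=$((n + 1)); }
    if grep -Eq '^(comp-lzo|compress)' "$f"; then
        echo "weak: compression enabled (VORACLE-style plaintext recovery)"; n=$((n + 1))
    fi
    grep -q '^cipher ' "$f" \
        || { echo "weak: no cipher set, falling back to the 2.4 default BF-CBC if negotiation fails"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

# The profile from step 1 above, reproduced so the audit has something to run on.
write_tutorial_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote 192.168.101.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert testuser.crt
key testuser.key
comp-lzo
verb 3
EOF
}

# Stand-alone use:
#   sh make_profile.sh HOST 1194 ca.crt testuser.crt testuser.key ta.key > testuser.ovpn
if [ "$#" -eq 6 ]; then
    make_client_profile "$@"
fi
```

The inlined profile is one file to hand over and one file to revoke, and because testuser.key is still pass-phrase protected the user is prompted for it exactly as before. Run audit_client_profile on the tutorial's own testuser.ovpn and it reports the four findings discussed above.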

2、Download the certificates and config file to the client. testuser.key is the user's secret: transfer it over an authenticated channel (the author uses sz inside his SSH session, scp works just as well) and delete the copy left on the server once the user has it.

[root@openvpn-101-100 ~]# cd /root/client/
[root@openvpn-101-100 client]# sz -y ca.crt testuser.crt testuser.key testuser.ovpn

3、Put the certificates and config file into the OpenVPN directory

On a Mac the files can go anywhere. On Windows they go into the config folder under the OpenVPN install directory, C:\Program Files\OpenVPN\config, after which you can connect.

4、Connection test

When connecting you are prompted for the client certificate's pass phrase.

[Screenshot: client connecting to OpenVPN]

After connecting, the client gets an extra address on a local interface, taken from the pool set by server 10.8.0.0 255.255.255.0 in the server configuration (check with ipconfig on Windows). Next, test whether the intranet Linux server can be reached directly:

[Screenshot: OpenVPN client reaching the intranet server]

That completes the OpenVPN server setup. Corrections and questions are welcome, thanks.

Original article by 恩志. If you repost it, please credit the source: https://www.xbzdr.com/263.html


Comments (4)

  • zz
    zz, 17 April 2019, 21:28

    On Windows the OpenVPN connection comes up, but why can't I reach the machines on the intranet?

    • 恩志
      恩志 replying to zz, 18 April 2019, 09:11

      Check whether IP forwarding is enabled in the kernel and whether address translation is set up in iptables.

  • 花开花落
    花开花落, 12 September 2019, 17:59

    How do I set up access with a username and password?
