centos7安装配置easy..o

最新推荐文章于 2024-04-12 17:18:59 发布
最新推荐文章于 2024-04-12 17:18:59 发布
阅读量1.3k 收藏 7
点赞数 5
分类专栏: linux常用基础技能及服务
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/oToyix/article/details/109619118
版权

Centos7 安装配置o.. easy-rsa

一、环境:

[root@localhost 3]# cat /etc/redhat-release 
CentOS Linux release 7.8.2003 (Core)
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# ifconfig 
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.36  netmask 255.255.252.0  broadcast 192.168.3.255
        inet6 fe80::c555:26f8:102b:a63e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:85:b5:cc  txqueuelen 1000  (Ethernet)
        RX packets 2076  bytes 134117 (130.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 111  bytes 14420 (14.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 340 (340.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 340 (340.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

二、前期准备

这里添加使用阿里base源及epel源

[root@localhost ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@localhost ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@localhost ~]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base epel extras updates
Cleaning up list of fastest mirrors
[root@localhost ~]# yum makecache

关闭selinux、firewalld,开启iptables

[root@localhost ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config 
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# yum install iptables* -y
[root@localhost ~]# rpm -qa|grep iptables
iptables-1.4.21-34.el7.x86_64
iptables-utils-1.4.21-34.el7.x86_64
iptables-devel-1.4.21-34.el7.x86_64
iptables-services-1.4.21-34.el7.x86_64
[root@localhost ~]# rpm -qa|grep iptables
iptables-1.4.21-34.el7.x86_64
iptables-utils-1.4.21-34.el7.x86_64
iptables-devel-1.4.21-34.el7.x86_64
iptables-services-1.4.21-34.el7.x86_64
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -X
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
[root@localhost ~]# iptables -A FORWARD -i tun+ -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@localhost ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service

开启端口转发功能

[root@localhost ~]# cat /etc/sysctl.conf 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1

三、安装软件 open…、easy-rsa 及配置服务端信息

yum 安装open…、easy-rsa

[root@localhost ~]# yum install openvpn easy-rsa -y
[root@localhost ~]# rpm -qa|grep openvpn  
openvpn-2.4.9-1.el7.x86_64
[root@localhost ~]# rpm -qa|grep easy-rsa
easy-rsa-3.0.8-1.el7.noarch

复制加密程序目录 至 安装目录

[root@localhost ~]# cp -R /usr/share/easy-rsa/ /etc/openvpn/

创建加密文件vars至安装目录

[root@localhost ~]# cd /etc/openvpn/easy-rsa/3/
[root@localhost 3]# cat vars
#定义你所在的国家,2个字符
export KEY_COUNTRY="CN"

#定义你所在省份
export KEY_PROVINCE="huben"

#定义你所在的城市
export KEY_CITY="wuhan"

#定义你所在的组织
export KEY_ORG="talent"

#定义你的邮件地址
export KEY_EMAIL="631646620@qq.com"

#定义
export KEY_OU="My OpenVPN"

# X509 Subject Field
export KEY_NAME="EasyRSA"
[root@localhost 3]# 
Source ,让变量生效
[root@localhost 3]# source vars

复制服务主配置文件至ETC安装目录

[root@localhost 3]# cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/

./easyrsa init-pki 清空证书等信息

[root@localhost 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

创建ca.crt根证书

[root@localhost 3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase:  我这里密码为1q2w3e4r
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus
...+++
.+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:EasyRSACA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt

创建服务端 证书

[root@localhost 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................+++
........................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-12118.s82Ujn/tmp.dil5pH'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:server

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3/pki/private/server.key

签约服务端证书

[root@localhost 3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-12146.vTQHQs/tmp.SuIi6a
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:  第一步的密码1q2w3e4r
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb  9 09:28:38 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt

创建diffie-hellman,确保key穿越不安全网络的命令

[root@localhost 3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

将下列文件放到/etc/openvpn/ 目录执行命令

[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/
[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/private/server.key /etc/openvpn/
[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt /etc/openvpn/
[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/dh.pem /etc/openvpn/

编辑/etc/openvpn/server.conf

[root@localhost 3]# vim /etc/openvpn/server.conf 
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3

四、创建客户端登录帐户

至此,服务已经安装完成,下面添加登录用户信息,我这里就不写了,直接执行脚本添加,见下

#!/bin/bash
#author by yuejianyuan
#2020年11月6日 20:23:24
#auth to add openvpnusers
##########################
if [ $UID -ne 0 ];then
        echo -e '\033[33m ------------ Permission no enough, please use root ---------------\033[0m'
        exit 1
fi

if [ $# -ne 1 ];then
        echo -e '\033[33m ....执行脚本时,后面必须有且只能有1个用户,退出.... \033[0m'
        exit 1
fi

ECHO_0_1 () {
        if [ $? -ne 0 ];then
                echo '\033[33m ...执行失败,退出... \033[0m'
                exit 1
        fi
}

USERNAME=$1
SERVERIP="101.39.230.134"
SERVERPORT="64001"

rm -rf /root/client/*
mkdir -p /root/client 
echo -e '\033[32m...复制/usr/share/easy-rsa/目录至/root/client/目录下....\033[0m'
cd /root/client
cp -R /usr/share/easy-rsa/ /root/client/
sleep 1
cd easy-rsa/3/
echo -e '\033[32m ....清空用户生成规则...\033[0m'
./easyrsa init-pki
sleep 1
echo -e '\033[32m .....创建客户端用户'${USERNAME}' ,请小心输入并记录登录密码!!Common Name随便写,但不要与其他的重复.. \033[0m'
./easyrsa gen-req ${USERNAME}

#调用函数,如果上一条$?不为0,则退出
ECHO_0_1

echo "跳转至/etc目录"
cd /etc/openvpn/easy-rsa/3 && pwd

echo -e '\033[32m ....将'${USERNAME}'.req导入进此目录的 pki/reqs/目录下 \033[0m'
./easyrsa import-req /root/client/easy-rsa/3/pki/reqs/${USERNAME}.req ${USERNAME}
#调用函数,如果上一条$?不为0,则退出
ECHO_0_1

echo -e '\033[32m .....签约证书,请先输入yes。。。再输入。。。ca.key密码1q2w3e4r ...\033[0m'
./easyrsa sign client ${USERNAME}
#调用函数,如果上一条$?不为0,则退出
ECHO_0_1

echo -e '\033[32m ....将下列文件放到/root/client 目录下... \033[0m'
cp /etc/openvpn/easy-rsa/3/pki/ca.crt /root/client/
cp /etc/openvpn/easy-rsa/3/pki/issued/${USERNAME}.crt /root/client/
cp /root/client/easy-rsa/3/pki/private/${USERNAME}.key /root/client/

echo -e '\033[32m ....创建client.oppn文件...\033[0m'
cat>/root/client/client.ovpn<<-EOF
client
dev tun
proto tcp
remote ${SERVERIP} ${SERVERPORT}  #对应openvpn的外网ip以及开放端口
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt 
cert ${USERNAME}.crt
key ${USERNAME}.key
comp-lzo
ns-cert-type server
verb 3
EOF

cat /root/client/client.ovpn 
if [ $? -ne 0 ];then
        echo -e '\033[33m ....../root/client/client.ovpn 文件创建失败! 继续.... \033[0m'
fi
sleep 1

cd /root/client/
echo "打包/root/client目录下ca.crt、${USERNAME}.crt、${USERNAME}.key、client.ovpn文件,除了easy-rsa目录"
tar -czvf ${USERNAME}.tar.gz ./* --exclude=./easy-rsa
echo $?
sz ${USERNAME}.tar.gz
\cp ${USERNAME}.tar.gz /etc/openvpn/bak_tgz_userpassALL/
tar -tvf /etc/openvpn/bak_tgz_userpassALL/${USERNAME}.tar.gz

最后把 ${USERNAME}.tar.gz 下面的4个文件复制到客户端的config目录,即可

登录成功标志,图标变绿

启动、开机自启

systemctl start openvpn@server.service
systemctl enable openvpn@server.service

注:,如发现,客户端连接后,出口IP不对,则需要添加防火墙规则

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 18090 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18090 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 18090 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.8.0.0/24 -i eth0 -j ACCEPT

iptables -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

-----------------------end

oToyix
关注
  • 5
    点赞
  • 7
    收藏
    觉得还不错? 一键收藏
  • 3
    评论
专栏目录
Open***与easy-rsa的安装配置
weixin_34015860的博客
01-12 2256
Yum源wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo安装基础包yum -y install openssl openssl-develyum -y install lzoyum -y install open*** easy-rsa修改vars文件cd /usr/share/easy-rs...
centos7安装与环境配置.docx
03-13
在本文中,我们将深入探讨如何在CentOS 7操作系统中进行安装以及后续的环境配置,特别是涉及用户创建、网络配置等方面的重要步骤。 首先,让我们从CentOS 7的安装开始。CentOS是一个基于RHEL(Red Hat Enterprise ...
centos 7安装openvpn服务端,以及用到的一些问题。
最新发布
wei042的博客
04-12 1259
安装centos 7系统,配置好局域网静态ip,然后在公司路由器配置端口映射,访问代理服务器,记录的ip地址是代理服务器的ip。
centos7安装OpenVPN GUI
m0_71817461的博客
09-04 759
centos7安装OpenVPN GUI
阿里云服务器配置CentOS7.4+Open***-2.4.5+easy-rsa-3.0
weixin_33882452的博客
05-10 415
一、安装open*** #yum install open***#yum install easy-rsa 二、生成证书 1、准备: # cp /usr/share/doc/open***-2.4.5/sample/sample-config-files/server.conf /etc/open***# cp -r /usr/share/easy-rsa/ /etc/open***# cp /u...
CentOS7搭建OpenVPN
gyfghh的博客
01-15 2313
参考文档。
centos7 安装open*** easy3.0教程
weixin_33873846的博客
05-20 590
Open××× 简介×××直译就是虚拟专用通道,是提供给企业之间或者个人与公司之间安全数据传输的隧道,Open×××无疑是Linux下开源×××的先锋,提供了良好的性能和友好的用户GUI,并且支持多平台。它大量使用了OpenSSL加密库中的SSLv3/TLSv1协议函数库。原理Open***的技术核心是虚拟网卡,其次是SSL协议实现,由于SSL协议在其它的词条中介绍的...
2021-10-10
xk0614的博客
10-10 950
Linux环境搭建openvpn2.X 一 实验环境介绍 1.1 软件版本 Centos版本:7.X openvpn版本:2.4.8 easy-rsa版本:2.0 客户端系统:window 10 Centos安装:略 1.2 网络拓扑 二 实验步骤 2.1openVPN证书制作 2.1.1配置vars文件 工具:easy-rsa 上传easy-rsa 解压缩easy-rsa [root@Centos7 ~]# unzip easy-rsa-old-ma
Centos 7 安装图形界面.docx
12-04
本文档是为了那些安装Centos7 mini版本的童鞋提供的,因为Centos7 mini最小安装是不提供桌面环境和组件,但是某些环境需要安装图形界面,方便童鞋操作,本文档讲述了如何通过配置本地yum源安装图形界面。
Centos7安装中文输入法.docx
08-20
"Centos7安装中文输入法" Centos7操作系统是许多开发者和服务器管理员的不二之选,但是在默认情况下,Centos7不支持中文输入法,这对中文用户造成了很大的不便。因此,安装中文输入法变得非常必要。下面将详细介绍...
关于新版CenterOS7配置redis出现iptables错误的解决方法
01-18
关于新版CenterOS7配置redis出现redisiptables错误的解决方法, 排除/etc/rc.d/init.d/iptables: No such file or directory 错误原因 , CentoOS7下配置redis并将端口通过防火墙解决方法;
centos7.tar.gz
07-31
这个名为"centos7.tar.gz"的压缩包,很可能是包含了与CentOS7系统相关的配置文件、软件包或者镜像文件,方便用户进行安装、维护或备份。 在Linux系统中,".tar.gz"是一种常见的文件打包格式,它结合了tar(用于打包...
redis在centos7安装配置.docx
05-18
Redis 在 CentOS 7 安装配置 Redis 是一个开源的、基于内存的数据结构存储系统,它可以用作数据库、消息队列、缓存等。下面是关于 Redis 在 CentOS 7 安装配置的知识点总结。 安装 Redis 前的准备工作 在安装 ...
/etc/rc.d/init.d/iptables: No such file or directory 错误原因
weixin_34396103的博客
08-24 3015
注:本文转载自cnblogs:一天学点的文章《/etc/rc.d/init.d/iptables: No such file or directory 错误原因》RedHat Enterprise Linux 7关闭防火墙方法在之前的版本中关闭防火墙等服务的命令是 1 service iptables stop 2 3 /etc/init.d/iptables stop在RHEL7中,...
vpn的搭建
weixin_63879600的博客
11-30 1461
vsn的搭建
RedHat Enterprise Linux 7关闭防火墙方法
kexianmiao的专栏
10-14 6635
在之前的版本中关闭防火墙等服务的命令是 service iptables stop /etc/init.d/iptables stop   在RHEL7中,其实没有这个服务 [root@rhel7 ~]# cat /etc/redhat-release  Red Hat Enterprise Linux Server release 7.0 (Maipo) [root
linux 安装 openvpn
weixin_48583780的博客
05-16 1463
openvpn linux
MySql 查看连接数和状态
热门推荐
oToyix的博客
07-14 1万+
查看链接信息 连接线程参数(thread variabls and status) 查看正在执行的链接进程信息 ----------------end
centos7安装mysql5.x
03-08
您好,我可以回答这个问题。CentOS 7 安装 MySQL 5.x 的步骤如下: 1. 打开终端,输入以下命令以安装 MySQL 5.x: sudo yum install mysql-server 2. 安装完成后,启动 MySQL 服务: sudo systemctl start mysqld 3. 设置 MySQL 服务开机自启: sudo systemctl enable mysqld 4. 运行 MySQL 安全脚本,设置 root 用户密码: sudo mysql_secure_installation 5. 按照提示输入密码并设置 MySQL 安全选项。 以上就是 CentOS 7 安装 MySQL 5.x 的步骤。希望能对您有所帮助。
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值