Setting up a network tunnel on CentOS

Detailed tutorial: building an OpenVPN (Open Virtual Private Network) server on CentOS

What OpenVPN is

  1. OpenVPN is a software package for creating encrypted virtual private network tunnels, originally written by James Yonan. A VPN built with OpenVPN can authenticate peers with public keys, digital certificates, or a username/password.
  2. It relies heavily on the SSLv3/TLSv1 protocol implementation in the OpenSSL library.
  3. OpenVPN currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Microsoft Windows, as well as Android and iOS, and includes many security features. It is not a web-based VPN, and it is not compatible with IPsec or other VPN packages.

How OpenVPN works

  1. The technical core of OpenVPN is the virtual network interface; the SSL protocol implementation comes second.
  2. The OpenVPN virtual interface. The virtual interface is a driver implemented with low-level network programming. Once it is installed, the host gains an additional, non-physical network interface that can be configured like any other. A service program can open the virtual interface from user space: if an application (such as a web browser) sends data to the virtual interface, the service program can read that data, and if the service program writes suitable data to the virtual interface, the application receives it. Virtual interfaces exist on many operating systems, which is a major reason OpenVPN is cross-platform.
  3. In OpenVPN, when a user accesses a remote virtual address (one from the address range assigned to the virtual interface, as opposed to a real address), the operating system's routing sends the IP packet (TUN mode) or Ethernet frame (TAP mode) to the virtual interface. The service program receives it, processes it, and sends it out over the public network through a socket. That completes one direction of the transfer, and the reverse works the same way: when the remote service program receives data from the public network through its socket, it processes it and writes it back to its virtual interface, where the application can receive it.

OpenVPN encryption and authentication

Encryption: OpenVPN uses the OpenSSL library to encrypt data and control traffic, which means it can use any algorithm OpenSSL supports. It offers optional per-packet HMAC to strengthen the connection, and OpenSSL hardware acceleration can improve its performance. PolarSSL support was introduced in version 2.3.0.

Authentication: OpenVPN offers several ways to verify the identity of both ends of a connection:
① pre-shared key
② third-party certificates
③ username/password combination

A pre-shared key is the simplest, but it can only be used to build point-to-point VPNs. PKI-based third-party certificates offer the most complete functionality, but require maintaining a PKI. OpenVPN 2.0 introduced username/password authentication, which lets you omit the client certificate, though a server certificate is still needed for encryption.

Environment

Note: my OpenVPN is set up on my own Alibaba Cloud server.

Role              IP               Port   OS version               Application version
OpenVPN server    xxx.xxx.xx.xxx   5488   CentOS release 7
Mac client                                Mac OS Catalina 10.15    Tunnelblick
Windows client                            Windows 10               openvpn-install-2.4.8

OpenVPN deployment

Steps on the OpenVPN server
Install openvpn
[root@openvpn ~]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@openvpn ~]# rpm -ivh epel-release-latest-7.noarch.rpm
[root@openvpn ~]# yum install openvpn.x86_64 openvpn-devel.x86_64 -y
Install easy-rsa
[root@openvpn ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@openvpn ~]# unzip master.zip
[root@openvpn ~]# mv easy-rsa-master /etc/openvpn/easy-rsa
Edit the vars file
[root@openvpn ~]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn easyrsa3]# cp -rf vars.example vars
#Starting at line 95; save and exit when done
 95 set_var EASYRSA_REQ_COUNTRY     "US"                                #country code
 96 set_var EASYRSA_REQ_PROVINCE    "California"                        #province/state
 97 set_var EASYRSA_REQ_CITY        "San Francisco"                     #city
 98 set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"           #organization
 99 set_var EASYRSA_REQ_EMAIL       "me@example.net"                    #email
100 set_var EASYRSA_REQ_OU          "My Organizational Unit"            #organizational unit
Create the server certificate and key

1) Initialize the PKI

[root@openvpn easyrsa3]# pwd
/etc/openvpn/easy-rsa/easyrsa3
[root@openvpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki

2) Create the root CA certificate

[root@openvpn easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Enter New CA Key Passphrase:                        #enter the PEM passphrase
Re-Enter New CA Key Passphrase:                     #confirm it; this passphrase is needed again below, so remember it
Generating RSA private key, 2048 bit long modulus
....+++
................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:micvs           #enter the root CA name; any value, but it must be unique
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

3) Create the server certificate request

[root@openvpn easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Generating a 2048 bit RSA private key
................................+++
............................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-24655.0CecxY/tmp.JP2nWa'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:micvs_server             #enter the server certificate name; any value, but it must differ from the CA name
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

4) Sign the server certificate

[root@openvpn easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
    commonName                = micvs_server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                          #type yes here
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-27625.sSOPwt/tmp.541Apc
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:            #enter the CA passphrase set when creating the root CA above
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :T61STRING:'micvs_server'
Certificate is to be certified until Mar  7 02:38:27 2022 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

5) Generate the Diffie-Hellman parameters, so the key exchange stays safe across an untrusted network

[root@openvpn easyrsa3]# ./easyrsa gen-dh

Wait for the generation to finish.

Create the client certificate and key

Steps on the OpenVPN server
1. In root's home directory create a client folder (any name will do), copy the easy-rsa folder extracted earlier into it, then enter the directory below

[root@openvpn easyrsa3]# cd /root/
[root@openvpn ~]# mkdir client
[root@openvpn ~]# cp -rf /etc/openvpn/easy-rsa client/
[root@openvpn ~]# cd /root/client/easy-rsa/easyrsa3/

2. Initialize the client PKI

[root@openvpn easyrsa3]# ./easyrsa init-pki

3. Create the client key and certificate request
Remember: the passphrase entered during generation is the one the client will type when logging in

[root@openvpn easyrsa3]# ./easyrsa gen-req micvs-client
Note: using Easy-RSA configuration from: /root/client/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
Generating a 2048 bit RSA private key
..................................................................................................................................................+++
.................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/easy-rsa-12898.enFMNF/tmp.BDrS6b'
Enter PEM pass phrase:                          #enter the client login passphrase
Verifying - Enter PEM pass phrase:              #confirm it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [micvs-client]:micvs-client               #enter the client certificate name
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/micvs-client.req
key: /root/client/easy-rsa/easyrsa3/pki/private/micvs-client.key

4. Import the client request

[root@openvpn easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@openvpn easyrsa3]# pwd
/etc/openvpn/easy-rsa/easyrsa3
[root@openvpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/micvs-client.req micvs-client
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
The request has been successfully imported with a short name of: micvs-client                   #import succeeded
You may now use this name to perform signing operations on this request.

5. Sign the client certificate

#micvs-client is the client certificate's common name
[root@openvpn easyrsa3]# ./easyrsa sign client micvs-client
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.1e-fips 11 Feb 2013
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
    commonName                = micvs-client
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                          #type yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-20006.9XhT6n/tmp.2AqahW
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:            #enter the CA PEM passphrase from the server side
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'micvs-client'
Certificate is to be certified until Mar  7 02:54:12 2022 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/micvs-client.crt
Copy the required server files

Copy the required server files to /etc/openvpn:
the CA certificate, the server certificate and the server key

[root@openvpn easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/                     #CA certificate
[root@openvpn easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn/         #server key
[root@openvpn easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn/          #server certificate
[root@openvpn easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn/                     #Diffie-Hellman parameters
Copy the required client files

Copy the required client files to /root/client

[root@openvpn easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/                     #CA certificate
[root@openvpn easyrsa3]# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/micvs-client.crt /root/client/    #client certificate
[root@openvpn easyrsa3]# cp /root/client/easy-rsa/easyrsa3/pki/private/micvs-client.key /root/client/   #client key
Edit the configuration file
[root@openvpn easyrsa3]# rpm -ql openvpn |grep server.conf
/usr/share/doc/openvpn-2.4.8/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf             #copy this file to /etc/openvpn
/usr/share/doc/openvpn-2.4.8/sample/sample-config-files/xinetd-server-config
[root@openvpn easyrsa3]# cp -rf /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/
[root@openvpn easyrsa3]# grep '^[^#|;]' /etc/openvpn/server.conf                #edit as follows
local 0.0.0.0                                       #listen address
port 5488                                           #listen port
proto tcp                                           #listen protocol
dev tun                                             #tunnel (TUN) mode
ca /etc/openvpn/ca.crt                              #CA certificate path
cert /etc/openvpn/server.crt                        #server certificate
key /etc/openvpn/server.key                         #server key
dh /etc/openvpn/dh.pem                              #Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0                       #address pool for clients; note: must not overlap the VPN server's internal LAN subnet
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"                      #DNS pushed to clients
client-to-client                                    #allow clients to talk to each other
keepalive 10 120                                    #liveness: ping every 10 s, treat the peer as down after 120 s without a reply
cipher AES-256-CBC
max-clients 20                                      #allow at most 20 client connections
user openvpn                                        #run as this user
group openvpn                                       #run as this group
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log          #openvpn status log
log /var/log/openvpn/openvpn.log                    #openvpn start/stop log
verb 3                                              #log verbosity

Every option in the sample server.conf comes with a long description; all the settings changed above are already present in the file OpenVPN ships, so we only need to remove the leading # and adjust the values to our own setup.

Installing openvpn with yum creates the openvpn user by default

[root@openvpn /]# chown -Rf openvpn.openvpn /etc/openvpn
[root@openvpn /]# chown -Rf openvpn.openvpn /var/log/openvpn
Enable IP forwarding
[root@openvpn /]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@openvpn /]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@openvpn /]# sysctl -p
Enable iptables and set the NAT rule
[root@openvpn /]# yum install iptables.x86_64 iptables-devel.x86_64  -y 
[root@openvpn /]# service iptables start 
[root@openvpn /]# chkconfig --add iptables 
[root@openvpn /]# chkconfig iptables on
[root@openvpn /]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
[root@openvpn /]# iptables -vnL -t nat
[root@openvpn /]# iptables-save >> /etc/sysconfig/iptables
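As an added example, not part of the original post, the following Python checker covers the two server-side steps above: it reads server.conf the way the grep did (dropping # and ; comments), checks the "server" pool against the server's own LAN ranges (the caveat on that line), checks that the daemon drops root and sets an explicit cipher, and derives the MASQUERADE rule the redirect-gateway push requires. The sample config and the LAN ranges passed to lint are constructed; on a real server the LAN ranges come from ip addr.

```python
import ipaddress
import shlex

# Constructed sample of the server.conf above; a trailing '#' and a ';' comment exercise the parser.
SAMPLE_SERVER_CONF = """\
server 10.8.0.0 255.255.255.0    # client address pool
push "redirect-gateway def1 bypass-dhcp"
user openvpn
group openvpn
; cipher AES-256-CBC
"""

def parse_conf(text):
    """Active (directive, args) lines; '#' and ';' comments dropped as grep '^[^#|;]' does above."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = shlex.split(line)          # keeps a quoted push payload as one argument
            out.append((parts[0], parts[1:]))
    return out

def vpn_subnet(directives):
    """Network handed out by 'server <net> <mask>'."""
    for name, args in directives:
        if name == "server" and len(args) == 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    raise ValueError("no 'server' directive")

def nat_rule(directives):
    """MASQUERADE rule the pool needs once clients are pushed redirect-gateway; None if not pushed."""
    pushed = [" ".join(a) for n, a in directives if n == "push"]
    if not any(p.startswith("redirect-gateway") for p in pushed):
        return None
    return f"iptables -t nat -A POSTROUTING -s {vpn_subnet(directives)} -j MASQUERADE"

def lint(text, lan_cidrs):
    """Pre-start checks: pool must not overlap the server's own LAN (the warning on the
    'server' line above), root must be dropped, the cipher must be explicit."""
    d = parse_conf(text)
    names = {n for n, _ in d}
    pool = vpn_subnet(d)
    findings = [f"pool {pool} overlaps server LAN {c}"
                for c in lan_cidrs if pool.overlaps(ipaddress.ip_network(c))]
    if not {"user", "group"} <= names:
        findings.append("daemon keeps root: add 'user openvpn' and 'group openvpn'")
    if "cipher" not in names:
        findings.append("no explicit cipher: add 'cipher AES-256-CBC'")
    return findings                            # empty list means the config passed
```

Run lint on the real /etc/openvpn/server.conf with the subnets shown by ip addr before starting the daemon; the rule string from nat_rule is the one to feed to iptables.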

Start the openvpn service
#Started this way, the process stays in the foreground
[root@openvpn /]# openvpn /etc/openvpn/server.conf
#CentOS 6
service openvpn start
#CentOS 7
systemctl start openvpn

Mac client connection

1. Download the Mac client
GitHub download address: https://github.com/Tunnelblick/Tunnelblick/releases/download/v3.8.1beta02/Tunnelblick_3.8.1beta02_build_5390.dmg
Install it after downloading

2. Create a dedicated directory anywhere on the Mac
As below; I created a directory named openvpn

3. Copy the client certificates into the openvpn directory

[root@openvpn /]# ls /root/client/
ca.crt  easy-rsa  micvs-client.crt  micvs-client.key
[root@openvpn /]# sz /root/client/ca.crt 
[root@openvpn /]# sz /root/client/micvs-client.*

4. Put the downloaded client certificates into the openvpn directory we created

5. Create a file ending in ".ovpn", for example client.ovpn
The .ovpn file contents are as follows

client
dev tun
proto tcp
remote IP 5488              #OpenVPN server address and listening port
resolv-retry infinite
cipher AES-256-CBC
nobind
persist-key
persist-tun
ca ca.crt                   #name of the CA certificate we placed in the openvpn directory
cert micvs-client.crt       #file name of the micvs client certificate
key micvs-client.key        #file name of the micvs client key
verb 3

6. Start the OpenVPN client
Launch the Tunnelblick we installed
After it starts, click VPN Details

7. Load micvs-client.ovpn into the client
Drag the file into the left pane of the client

8. Select the VPN to connect to
Then click Connect and enter the passphrase we set when creating the client certificate

9. Test after connecting
Check whether the machine now has an extra address in the 10.8.0.x range

Check whether the DNS has changed to the one set in the config file

10. Search for "IP" on Baidu and check whether the address has changed to the OpenVPN server's

11. Test whether browsing works normally; if there is a problem, check the OpenVPN server's log to find and fix it

12. Ping the virtual network gateway and internal addresses on the OpenVPN server's subnet

Windows 10 client connection

1. Download the Windows client
The Windows client has to be downloaded from outside; here is one download address
Click to download

2. Create a dedicated directory anywhere on Windows
As below; I created the directory openvpn/micvs

3. Copy the client certificates from the server into this directory

[root@openvpn /]# ls /root/client/
ca.crt  easy-rsa  micvs-client.crt  micvs-client.key
[root@openvpn /]# sz /root/client/ca.crt 
[root@openvpn /]# sz /root/client/micvs-client.*

4. Create a file ending in ".ovpn", for example client.ovpn
The .ovpn file contents are as follows

client
dev tun
proto tcp
remote IP 5488              #OpenVPN server address and listening port
resolv-retry infinite
cipher AES-256-CBC
nobind
persist-key
persist-tun
ca ca.crt                   #name of the CA certificate we placed in the openvpn directory
cert micvs-client.crt       #file name of the micvs client certificate
key micvs-client.key        #file name of the micvs client key
verb 3
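Both client profiles above (Mac and Windows) ship ca.crt, micvs-client.crt and micvs-client.key as three loose files next to the .ovpn. As an added example, not part of the original post, this Python helper turns that profile into a single .ovpn using OpenVPN's inline <ca>, <cert> and <key> blocks and fills in the real server address in place of "IP". The PEM contents and the 203.0.113.10 address are constructed placeholders; the key is embedded exactly as easy-rsa produced it, so it stays passphrase-protected.

```python
import tempfile
from pathlib import Path

# Constructed stand-ins for the three files copied out of /root/client; the real
# ones are the PEM files easy-rsa produced, these are placeholders for the demo.
FAKE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n",
    "micvs-client.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n",
    "micvs-client.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

# The client.ovpn from the text, still pointing at the three loose files.
CLIENT_TEMPLATE = """\
client
dev tun
proto tcp
remote IP 5488
cipher AES-256-CBC
ca ca.crt
cert micvs-client.crt
key micvs-client.key
verb 3
"""

def build_inline_ovpn(template, profile_dir, server_host):
    """Return a single-file profile: 'remote IP <port>' gets the real address, and
    each ca/cert/key directive becomes an OpenVPN inline <ca>/<cert>/<key> block
    holding that file's PEM content, so only one file has to reach the client."""
    out = []
    for line in template.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "remote":
            out.append(f"remote {server_host} {parts[2]}")
        elif parts[0] in ("ca", "cert", "key"):
            pem = (Path(profile_dir) / parts[1]).read_text().strip()
            if not pem.startswith("-----BEGIN"):        # refuse to embed a non-PEM file
                raise ValueError(f"{parts[1]} is not a PEM file")
            out.append(f"<{parts[0]}>\n{pem}\n</{parts[0]}>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def demo():
    """Write the placeholder files to a temp dir and build the profile from them."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in FAKE_FILES.items():
            (Path(d) / name).write_text(content)
        return build_inline_ovpn(CLIENT_TEMPLATE, d, "203.0.113.10")  # TEST-NET placeholder
```

The resulting file contains the private key, so it should be handed to the client over a protected channel and deleted from the server afterwards.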

5. Install openvpn
Just click Next all the way through

6. Run it as administrator

7. Right-click and import the configuration file

8. Right-click and connect
Then enter the passphrase we set when creating the client certificate

9. Check the IP address
See whether an extra address in the 10.x range has appeared

10. Test the network
Search for "IP" on Baidu and check whether the public egress address is the OpenVPN server's
