Introduction
Some organizations need to connect networks in different regions, for example the head office in Beijing and a branch in Shanghai. There are two ways to do this:
1. Leased line (private network)
A dedicated line is set up between the two networks. No physical fibre actually has to be laid, but a leased line still has to be rented from a carrier, and only the organization's own traffic is carried on it. This is secure and stable, but expensive.
2. VPN
Virtual Private Network. Commonly used to provide private-network functionality over a public network, with encryption for security. Widely used in enterprise networks. A VPN gateway implements remote access by encrypting packets and translating their destination addresses. It can be implemented in software or hardware.
Common VPN deployment modes
Point to site (peer to site)
Site to site
OpenVPN
An open-source VPN application for Linux; an application-layer VPN built on the OpenSSL library.
Ports: 1194/tcp, 1194/udp
Use cases
Connecting a remote host to an internal network.
Connecting several remote hosts to each other.
OpenVPN lab on Alibaba Cloud
A Windows 10 machine acts as the client and simulates the public-network side.
Buy a cloud server on Alibaba Cloud, pay-as-you-go.
Open the port in the security group.
Alibaba Cloud simulates the internal network.

| Hostname | IP | Description |
| --- | --- | --- |
| vpnserver | xx.xx.xx.xx | OpenVPN public address |
| vpnserver | 172.30.0.96 | OpenVPN internal address |

| Hostname | IP | Description |
| --- | --- | --- |
| web1 | 172.30.0.97 | internal web server |
| web2 | 172.30.0.98 | internal web server |
Configuring web1 and web2
[root@web1 ~]#yum -y install httpd && systemctl enable --now httpd && echo "This is web1 --- `hostname -I`" > /var/www/html/index.html
[root@web1 ~]#curl localhost
This is web1 --- 172.30.0.97
[root@web2 ~]#yum -y install httpd && systemctl enable --now httpd && echo "This is web2 --- `hostname -I`" > /var/www/html/index.html
[root@web2 ~]#curl localhost
This is web2 --- 172.30.0.98
Configuring vpnserver
Required packages
- OpenVPN: the open-source VPN application for Linux
- easy-rsa: an open-source certificate management tool that helps generate and manage digital certificates. Its main job is issuing certificates: it can generate self-signed certificates or certificates signed by a root certificate authority (CA).
Preparing the certificate files
Server-side certificate configuration
Preparing the configuration files
[root@vpnserver ~]#yum -y install openvpn easy-rsa
Default OpenVPN directory tree
[root@vpnserver ~]#tree /etc/openvpn/
/etc/openvpn/
├── client
└── server
Preparing the files used to issue certificates
[root@vpnserver ~]#cp -a /usr/share/easy-rsa/3/ /etc/openvpn/easy-rsa
[root@vpnserver ~]#tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa
│ ├── easyrsa              # script used to manage and generate certificates (CA, server, client)
│ ├── openssl-easyrsa.cnf  # configuration file that tells the easyrsa script how to generate certificates
│ └── x509-types           # templates for certificate types; each defines how that kind of certificate is generated
│ ├── ca                   # template for the CA (certificate authority) certificate
│ ├── client               # template for client certificates
│ ├── code-signing         # template for code-signing certificates
│ ├── COMMON               # settings and parameters shared by all certificate types
│ ├── email                # template for e-mail encryption certificates
│ ├── kdc                  # template for Kerberos key distribution center certificates, used for network authentication
│ ├── server               # template for server certificates
│ └── serverClient         # template shared by server and client
└── server
Preparing the variables file used when issuing certificates
[root@vpnserver ~]#cp -a /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars
Edit this file
[root@vpnserver ~]#vim /etc/openvpn/easy-rsa/vars
set_var EASYRSA_CA_EXPIRE 36500    # the CA (certificate authority) certificate is valid for 36500 days
set_var EASYRSA_CERT_EXPIRE 3650   # issued server and client certificates are valid for 3650 days
Initialize the PKI, creating the PKI directories and files
[root@vpnserver ~]#cd /etc/openvpn/easy-rsa/
[root@vpnserver easy-rsa]#./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@vpnserver easy-rsa]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
Creating the CA
Generate the self-signed CA certificate; nopass leaves the CA private key unencrypted
[root@vpnserver ~]#cd /etc/openvpn/easy-rsa/
[root@vpnserver easy-rsa]#./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
............................................+++++
.....................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
[root@vpnserver easy-rsa]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt               # the CA certificate, the root used to verify all other certificates
│ ├── certs_by_serial      # issued certificates, stored by serial number
│ ├── index.txt            # certificate index (database)
│ ├── index.txt.attr
│ ├── issued               # issued certificates
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ └── ca.key             # the CA private key
│ ├── renewed              # files belonging to renewed certificates
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ ├── revoked              # files belonging to revoked certificates
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ └── serial               # file holding the next available certificate serial number
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
Creating the server certificate request
Create the server certificate request; "server" is the file name prefix
[root@vpnserver easy-rsa]#./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
..............................+++++
....................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-28714.v1eQFV/tmp.Zm5CxB'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:openvpn-server.wenzi.com
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req        # the generated request file
key: /etc/openvpn/easy-rsa/pki/private/server.key     # the generated private key
[root@vpnserver easy-rsa]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt
│ ├── certs_by_serial
│ ├── index.txt
│ ├── index.txt.attr
│ ├── issued
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ ├── ca.key
│ │ └── server.key         # private key
│ ├── renewed
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ │ └── server.req         # request file
│ ├── revoked
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ └── serial
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
Issuing the server certificate
Check the help to see which certificate types can be signed: client, server, serverClient, ca
[root@vpnserver easy-rsa]#./easyrsa help sign
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
sign-req <type> <filename_base>
Sign a certificate request of the defined type. <type> must be a known
type such as 'client', 'server', 'serverClient', or 'ca' (or a user-added type.)
This request file must exist in the reqs/ dir and have a .req file
extension. See import-req below for importing reqs from other sources.
The first "server" is the certificate type; the second "server" is the request file's prefix
[root@vpnserver easy-rsa]#./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:    # the validity period set in vars
subject=
commonName = openvpn-server.wenzi.com
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes    # type yes to confirm issuance
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-28770.Gaed2c/tmp.JZwh6j
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpn-server.wenzi.com'    # shows whom the certificate is issued to
Certificate is to be certified until Jan 27 12:00:46 2034 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt    # the generated server certificate
[root@vpnserver easy-rsa]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt
│ ├── certs_by_serial
│ │ └── 8D217AE48CF7EE344618C9C84B3A7E4E.pem
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── issued
│ │ └── server.crt
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ ├── ca.key
│ │ └── server.key
│ ├── renewed
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ │ └── server.req
│ ├── revoked
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ ├── serial
│ └── serial.old
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
Creating the Diffie-Hellman parameters
[root@vpnserver easy-rsa]#./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Client certificate configuration
Changing the client certificate validity
Client users come and go more often, so the certificate validity should be shortened.
Set the validity to 180 days
[root@vpnserver ~]#cd /etc/openvpn/easy-rsa/
[root@vpnserver easy-rsa]#vim vars
set_var EASYRSA_CERT_EXPIRE 180
Issue a certificate for zhangsan
[root@vpnserver easy-rsa]#./easyrsa gen-req zhangsan nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
.............+++++
......+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-28964.xNrIlV/tmp.aeznXJ'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [zhangsan]:    # press Enter; the default is zhangsan
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/zhangsan.req        # the generated request file
key: /etc/openvpn/easy-rsa/pki/private/zhangsan.key     # the generated private key
Issue the client certificate
[root@vpnserver easy-rsa]#./easyrsa sign client zhangsan
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 180 days:
subject=
commonName = zhangsan
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-28994.wKnDxl/tmp.F9sdYg
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'zhangsan'
Certificate is to be certified until Jul 28 12:20:10 2024 GMT (180 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/zhangsan.crt
[root@vpnserver easy-rsa]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt
│ ├── certs_by_serial
│ │ ├── 8D217AE48CF7EE344618C9C84B3A7E4E.pem
│ │ └── FB3FEA562B22CBCF2E2DE39F7BBE26ED.pem
│ ├── dh.pem
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── issued
│ │ ├── server.crt
│ │ └── zhangsan.crt
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ ├── ca.key
│ │ ├── server.key
│ │ └── zhangsan.key
│ ├── renewed
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ │ ├── server.req
│ │ └── zhangsan.req
│ ├── revoked
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ ├── serial
│ └── serial.old
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
Copy the CA and server certificate files to the server directory
[root@vpnserver ~]#cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
[root@vpnserver ~]#cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
[root@vpnserver ~]#cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server/
[root@vpnserver ~]#cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server
[root@vpnserver ~]#tree /etc/openvpn/server/
/etc/openvpn/server/
├── ca.crt
├── dh.pem
├── server.crt
└── server.key
Copy the client's private key and certificate files to the client directory on the server
Each client gets its own folder
[root@vpnserver ~]#mkdir /etc/openvpn/client/zhangsan
[root@vpnserver ~]#find /etc/openvpn/easy-rsa/ -name "zhangsan*" -exec cp {} /etc/openvpn/client/zhangsan/ \;
[root@vpnserver ~]#cp -a /etc/openvpn/server/ca.crt /etc/openvpn/client/zhangsan/
[root@vpnserver ~]#ls /etc/openvpn/client/zhangsan/
ca.crt zhangsan.crt zhangsan.key zhangsan.req
Configuring the OpenVPN server and starting the service
Edit the server configuration file
Use the sample configuration shipped with the package as the starting point
[root@vpnserver ~]#cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
[root@vpnserver ~]#vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
Prepare the server log directory
[root@vpnserver ~]#getent passwd openvpn
openvpn:x:990:986:OpenVPN:/etc/openvpn:/sbin/nologin
[root@vpnserver ~]#mkdir /var/log/openvpn
[root@vpnserver ~]#chown -R openvpn:openvpn /var/log/openvpn
[root@vpnserver ~]#ll -d /var/log/openvpn
drwxr-xr-x 2 openvpn openvpn 6 Jan 30 22:08 /var/log/openvpn
Preparing the OpenVPN service unit
Use the service file bundled with OpenVPN on CentOS 7 and copy it into a new service file
[root@vpnserver ~]#vim /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
[root@vpnserver ~]#systemctl daemon-reload
[root@vpnserver ~]#systemctl enable --now openvpn@server
Check port 1194
[root@vpnserver ~]#ss -tunl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 32 0.0.0.0:1194 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
A tun0 interface has been added automatically, with the address 10.8.0.1
[root@vpnserver ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:16:3e:10:74:fa brd ff:ff:ff:ff:ff:ff
inet 172.30.0.96/24 brd 172.30.0.255 scope global dynamic noprefixroute eth0
valid_lft 315338556sec preferred_lft 315338556sec
inet6 fe80::216:3eff:fe10:74fa/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::adff:a992:92db:b804/64 scope link stable-privacy
valid_lft forever preferred_lft forever
Check the routing table
[root@vpnserver ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.30.0.253 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.30.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
Configuring SNAT
[root@vpnserver ~]#sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
[root@vpnserver ~]#vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@vpnserver ~]#sysctl -p
[root@vpnserver ~]#echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@vpnserver ~]#chmod +x /etc/rc.d/rc.local
[root@vpnserver ~]#/etc/rc.d/rc.local
[root@vpnserver ~]#iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/24 !10.8.0.0/24
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Preparing the OpenVPN client configuration
Generate the client user's configuration file
The file suffix must be .ovpn
[root@vpnserver ~]#grep '^[[:alpha:]].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Edit the configuration file using the above as a template
[root@vpnserver ~]#vim /etc/openvpn/client/zhangsan/client.ovpn
client
dev tun
proto tcp
remote <public-IP> 1194 # in production this is the OpenVPN server's domain name (needs an A record); without a domain, use the public IP
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert zhangsan.crt
key zhangsan.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3 # do not set this value arbitrarily, otherwise communication fails
compress lz4-v2 # used on OpenVPN 2.4.x and must match the server side; if omitted, comp-lzo compression is used by default
[root@vpnserver ~]#ll /etc/openvpn/client/zhangsan/
total 24
-rw------- 1 root root 1204 Jan 30 21:25 ca.crt
-rw-r--r-- 1 root root 237 Jan 30 23:26 client.ovpn
-rw------- 1 root root 4498 Jan 30 21:32 zhangsan.crt
-rw------- 1 root root 1704 Jan 30 21:32 zhangsan.key
-rw------- 1 root root 891 Jan 30 21:32 zhangsan.req
Deploying the OpenVPN client on Windows
After installing OpenVPN, package the user's certificate files from the server and place them in C:\Program Files\OpenVPN\config. Then right-click the OpenVPN icon in the system tray to connect.
CA certificate
Client certificate
OpenVPN tray icon before connecting
Once connected the icon turns green and shows:
Verifying communication from the Windows 10 client
The Windows 10 client on the public network can reach the Alibaba Cloud internal servers.
Verification on the OpenVPN server
The log shows which users have connected to OpenVPN; 124.160.104.143 is the Windows machine's public IP.
When the Windows client pings the internal host 172.30.0.76, a packet capture shows:
10.8.0.6 is the address of the OpenVPN TAP-Windows6 adapter on the Windows client.
OpenVPN management
Enabling security hardening
Preventing DDoS attacks
OpenVPN server
1. Generate a key ta.key and save it in the server directory
openvpn --genkey --secret /etc/openvpn/server/ta.key
2. Edit the server configuration file
vim /etc/openvpn/server.conf
tls-auth /etc/openvpn/server/ta.key 0 # 1 on the client, 0 on the server
3. Copy ta.key to the client's configuration directory
On Windows: C:\Program Files\OpenVPN\config
4. Edit the client configuration file
tls-auth ta.key 1
5. Restart the service on the server; once it has restarted, any client that does not have ta.key will fail with errors
systemctl restart openvpn@server
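The settings that must agree between server.conf and a client .ovpn (proto, cipher, compress, and the tls-auth direction, 0 on the server and 1 on the client) are easy to get wrong when a profile is copied from the sample client.conf. The check below is an added example, not part of the original post; it assumes the file names used above and runs against a constructed pair of configs.

```shell
# Added example (not from the original post): compare the directives that must agree
# between the server config and a client .ovpn before the profile is handed out.
# Compared: proto, cipher, compress, and the tls-auth key direction (server 0, client 1).

# opt FILE DIRECTIVE -> value of the first matching directive, comments stripped
# (empty output if the directive is absent or commented out).
opt() {
    sed -e 's/[[:space:]]*#.*$//' "$1" |
        awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# tls_dir FILE -> the direction argument of tls-auth, or "none" if tls-auth is not set.
tls_dir() {
    v=$(opt "$1" tls-auth)
    [ -n "$v" ] || { echo none; return; }
    echo "$v" | awk '{ d = ($2 == "") ? "none" : $2; print d }'
}

# check_profiles SERVER_CONF CLIENT_OVPN -> 0 if consistent, 1 otherwise; one MISMATCH line per problem.
check_profiles() {
    srv=$1; cli=$2; rc=0
    for k in proto cipher compress; do
        s=$(opt "$srv" "$k"); c=$(opt "$cli" "$k")
        [ "$s" = "$c" ] || { echo "MISMATCH $k: server='$s' client='$c'"; rc=1; }
    done
    sdir=$(tls_dir "$srv"); cdir=$(tls_dir "$cli")
    if [ "$sdir" = none ] && [ "$cdir" = none ]; then
        echo "WARN tls-auth not enabled on either side"
    elif [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; then
        echo "MISMATCH tls-auth direction: server='$sdir' client='$cdir' (want 0 / 1)"; rc=1
    fi
    return $rc
}

# Constructed demo inputs (not the real deployment files), mirroring the values used above.
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
proto tcp
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
tls-auth /etc/openvpn/server/ta.key 0
EOF
cat > "$tmp/good.ovpn" <<'EOF'
client
proto tcp
remote vpn.example.test 1194 # placeholder server name
cipher AES-256-CBC
compress lz4-v2
tls-auth ta.key 1
EOF
# A profile copied from the sample client.conf and left unedited: proto udp, no compress, tls-auth commented out.
cat > "$tmp/bad.ovpn" <<'EOF'
client
proto udp
cipher AES-256-CBC
#tls-auth ta.key 1
EOF
check_profiles "$tmp/server.conf" "$tmp/good.ovpn" && echo "good.ovpn: consistent"
check_profiles "$tmp/server.conf" "$tmp/bad.ovpn" || echo "bad.ovpn: fix before distributing"
```

On the server itself the call is `check_profiles /etc/openvpn/server.conf /etc/openvpn/client/zhangsan/client.ovpn`.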
Setting a passphrase on the client private key
Create a new user magedu whose certificate key is protected by a passphrase
1. Create the new user's passphrase-protected private key and certificate request
cd /etc/openvpn/easy-rsa/
./easyrsa gen-req magedu    # you are prompted to enter and confirm the passphrase
2. Issue the user certificate
Check that the validity period in vars is appropriate
./easyrsa sign client magedu
3. Place the user's certificate files in their directory
mkdir /etc/openvpn/client/magedu
cp /etc/openvpn/easy-rsa/pki/issued/magedu.crt /etc/openvpn/client/magedu
cp /etc/openvpn/easy-rsa/pki/private/magedu.key /etc/openvpn/client/magedu
cp /etc/openvpn/server/{ca.crt,ta.key} /etc/openvpn/client/magedu/
4. Write the client configuration file magedu.ovpn
client   # client and dev tun as in zhangsan's profile above
dev tun
proto tcp
remote <OpenVPN-server-address> 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert magedu.crt
key magedu.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
5. Copy the magedu client files from the server to the matching directory on the client host
Place them in C:\Program Files\OpenVPN\config on the Windows client
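Instead of shipping five files into C:\Program Files\OpenVPN\config, the same material can be packed into one .ovpn using OpenVPN's inline <ca>, <cert>, <key> and <tls-auth> blocks, with key-direction 1 replacing the tls-auth argument. The script below is an added example, not the post's own procedure; the user name magedu and the directory layout follow the steps above, the server name vpn.example.test is a placeholder, and the demo uses constructed placeholder PEM files rather than real keys.

```shell
# Added example (not from the original post): bundle the per-user directory built
# above into one self-contained .ovpn. OpenVPN accepts <ca>, <cert>, <key> and
# <tls-auth> inline blocks in place of file paths; with an inline tls-auth the
# direction argument becomes a separate "key-direction 1" line.

# pem_only FILE -> only the -----BEGIN/-----END block(s); easy-rsa prefixes issued
# certificates with a text dump that need not travel with the profile.
pem_only() {
    sed -n '/-----BEGIN/,/-----END/p' "$1"
}

# bundle_profile USER_DIR USER SERVER_ADDR OUT_FILE -> 0 on success, 1 if a file is missing
bundle_profile() {
    dir=$1; user=$2; server=$3; out=$4
    for f in ca.crt "$user.crt" "$user.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    {
        # same directives as the client profile above, minus the file references
        cat <<EOF
client
dev tun
proto tcp
remote $server 1194
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-CBC
compress lz4-v2
key-direction 1
verb 3
EOF
        for pair in "ca:ca.crt" "cert:$user.crt" "key:$user.key" "tls-auth:ta.key"; do
            tag=${pair%%:*}; f=${pair#*:}
            printf '<%s>\n' "$tag"; pem_only "$dir/$f"; printf '</%s>\n' "$tag"
        done
    } > "$out"
    chmod 600 "$out"   # the bundle now carries the private key and the tls-auth key
}

# Constructed demo material: placeholder PEM blocks, not real keys or certificates,
# each preceded by a text dump as easy-rsa writes it.
tmp=$(mktemp -d); mkdir "$tmp/magedu"
fake_pem() { printf 'text dump\n-----BEGIN %s-----\n%s\n-----END %s-----\n' "$1" "$2" "$1" > "$3"; }
fake_pem CERTIFICATE PLACEHOLDER-CA "$tmp/magedu/ca.crt"
fake_pem CERTIFICATE PLACEHOLDER-CERT "$tmp/magedu/magedu.crt"
fake_pem 'ENCRYPTED PRIVATE KEY' PLACEHOLDER-KEY "$tmp/magedu/magedu.key"
fake_pem 'OpenVPN Static key V1' PLACEHOLDER-TA "$tmp/magedu/ta.key"
bundle_profile "$tmp/magedu" magedu vpn.example.test "$tmp/magedu.ovpn" && cat "$tmp/magedu.ovpn"
```

The passphrase set on magedu.key is still prompted for by the client at connect time; bundling does not remove it.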
Account and certificate management
Automatic certificate expiry
The expiry is controlled by set_var EASYRSA_CERT_EXPIRE 90 in /etc/openvpn/easy-rsa/vars.
The server log /var/log/openvpn/openvpn.log shows when a user's certificate has expired.
Manual certificate revocation
Checking certificate status
[root@vpnserver ~]#cat /etc/openvpn/easy-rsa/pki/index.txt
V 340127120046Z 8D217AE48CF7EE344618C9C84B3A7E4E unknown /CN=openvpn-server.wenzi.com
V 240728122010Z FB3FEA562B22CBCF2E2DE39F7BBE26ED unknown /CN=zhangsan
V in the first column means the certificate is valid; R means it has been revoked and is no longer valid.
Revoke a specific user's certificate
cd /etc/openvpn/easy-rsa/
./easyrsa revoke magedu
Generate the certificate revocation list
After every revocation the CRL file must be regenerated and the OpenVPN service restarted
cd /etc/openvpn/easy-rsa/
./easyrsa gen-crl
Publish the revocation list to the server
vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
systemctl restart openvpn@server.service
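To see at a glance which entries in index.txt are revoked, expired or about to expire (and therefore need the revoke or renewal steps above), the audit below is an added example, not part of the original post. It takes the reference date as an argument so a run is reproducible, and the demo uses a constructed index.txt whose first two rows are the server and zhangsan entries shown above; the other rows are made up.

```shell
# Added example (not from the original post): audit easy-rsa's pki/index.txt so that
# expiring client certificates are renewed before users lose access and revoked ones
# are confirmed. Rows are tab-separated: status (V valid / R revoked), expiry as
# YYMMDDHHMMSSZ, revocation date (empty unless R), serial, file name, DN.
#
# audit_index INDEX_FILE TODAY(YYYY-MM-DD) [WARN_DAYS]
# Prints one line per certificate: OK, EXPIRING (within WARN_DAYS), EXPIRED or REVOKED.
audit_index() {
    awk -F'\t' -v today="$2" -v warn="${3:-30}" '
    # days since 1970-01-01 for a civil date (proleptic Gregorian), integer maths only
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        now = days_from_civil(substr(today, 1, 4) + 0, substr(today, 6, 2) + 0, substr(today, 9, 2) + 0)
    }
    NF < 6 { next }
    {
        status = $1; expiry = $2; serial = $4; cn = $6
        sub(/^\/CN=/, "", cn)
        # openssl index dates use a two-digit year; easy-rsa certificates are all post-2000
        end = days_from_civil(2000 + substr(expiry, 1, 2), substr(expiry, 3, 2) + 0, substr(expiry, 5, 2) + 0)
        left = end - now
        if (status == "R")      state = "REVOKED"
        else if (left < 0)      state = "EXPIRED"
        else if (left <= warn)  state = "EXPIRING"
        else                    state = "OK"
        printf "%-8s %-26s expires in %5d days  serial %s\n", state, cn, left, serial
    }' "$1"
}

# Constructed index.txt for the demo (tab-separated as easy-rsa writes it): the first
# two rows are the server and zhangsan entries from this walkthrough, the rest are made up.
idx=$(mktemp)
{
    printf 'V\t340127120046Z\t\t8D217AE48CF7EE344618C9C84B3A7E4E\tunknown\t/CN=openvpn-server.wenzi.com\n'
    printf 'V\t240728122010Z\t\tFB3FEA562B22CBCF2E2DE39F7BBE26ED\tunknown\t/CN=zhangsan\n'
    printf 'R\t240728122010Z\t240201101500Z\tCONSTRUCTED000000000000000000001\tunknown\t/CN=magedu\n'
    printf 'V\t240215000000Z\t\tCONSTRUCTED000000000000000000002\tunknown\t/CN=wangwu\n'
    printf 'V\t240120000000Z\t\tCONSTRUCTED000000000000000000003\tunknown\t/CN=old-laptop\n'
} > "$idx"
# With 2024-02-01 as "today": server OK (3648 days), zhangsan OK (178), magedu REVOKED,
# wangwu EXPIRING (14), old-laptop EXPIRED (-12).
audit_index "$idx" 2024-02-01 30
```

On the server the real run is `audit_index /etc/openvpn/easy-rsa/pki/index.txt "$(date -u +%F)" 30`.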