适用场景
-
个人电脑和公司办公网络互通
-
不同部门,分公司的网络互通
主机环境
主机角色 | 公网ip,内网ip,网关,子网 | 系统信息 |
---|---|---|
server(linux) | 公网地址,172.19.233.160,172.19.239.253,255.255.255.0 | centos7.9 |
client(linux) | 192.168.202.128,192.168.202.2,255.255.255.0 | ubuntu22.04 |
client(linux) | 192.168.202.129,192.168.202.2,255.255.255.0 | centos7.9 |
安装openvpn服务端(centos7.9)
默认repo源中没有所需软件包,不能直接安装,需要先下载epel的rpm包
# Install vim and wget, then fetch the EPEL release rpm (the default repos do not carry the packages needed below)
yum install -y vim wget
mkdir /tmp/openvpn
cd /tmp/openvpn
wget https://repo.huaweicloud.com/epel/epel-release-latest-7.noarch.rpm
# NOTE(review): a downloaded rpm is installed here as root; checking its signature first (rpm -K) is cheap insurance
rpm -ivh epel-release-latest-7.noarch.rpm
yum update
# Install easy-rsa (with openssl/lzo/pam) and set up a private working copy of the PKI tooling under /root
yum install -y openssl lzo pam easy-rsa
mkdir /root/easy-rsa
cd /root/easy-rsa/
# These paths are tied to easy-rsa 3.0.8; adjust them if a different version gets installed
cp -a /usr/share/easy-rsa/3.0.8/* ./
cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
# After editing vars (presumably with vim), list its effective lines (no comments, no blanks); the expected content follows
grep -v '^#' vars | grep -v ^$
# Guard kept from vars.example: vars is read by the easyrsa script, not sourced by an interactive shell
# (EASYRSA_CALLER is presumably set by easyrsa before it reads this file — confirm)
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
# Build certificate subjects from the Common Name only (the signing transcripts later show only commonName)
set_var EASYRSA_DN "cn_only"
# Request defaults for the organisation fields; with cn_only they are not expected in the subject — TODO confirm
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "SiChuan"
set_var EASYRSA_REQ_CITY "ChengDu"
set_var EASYRSA_REQ_ORG "aaaaaa"
set_var EASYRSA_REQ_EMAIL "admin.openvpn@aaaaaa.cn"
set_var EASYRSA_REQ_OU "aaa"
# Adds legacy Netscape certificate extensions (nsCertType) to issued certificates — TODO confirm still required
set_var EASYRSA_NS_SUPPORT "yes"
[root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /root/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/easy-rsa/pki
##生成ca根证书(此处设置的CA口令在后续签发server和client证书时都需要输入)
[root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /root/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: #输入密码
Re-Enter New CA Key Passphrase: #再次输入密码
Generating RSA private key, 2048 bit long modulus
.+++
......+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #直接回车或输入主机名
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/easy-rsa/pki/ca.crt
##生成服务端的证书和私钥(nopass表示私钥不设口令,便于服务无人值守启动;因此私钥文件本身需要妥善保护)
[root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa build-server-full server nopass
Note: using Easy-RSA configuration from: /root/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...................................................................+++
.....+++
writing new private key to '/root/easy-rsa/pki/easy-rsa-27540.IzadnR/tmp.COc2PW'
-----
Using configuration from /root/easy-rsa/pki/easy-rsa-27540.IzadnR/tmp.KLkuTm
Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Mar 13 12:26:56 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
##生成Diffie-Hellman密钥交换所需的参数文件(dh.pem)
[root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /root/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................+.......................................................................+..................................................................................................................................................................................................+.......................+..........+........+...................+.......................++*++*
DH parameters of size 2048 created at /root/easy-rsa/pki/dh.pem
##生成客户端的证书和私钥,保存到本地后再传递到客户端(应通过scp等加密方式传输,私钥不要以明文方式外发)
##在服务端生成客户端的证书和私钥,每多一个客户端就要多生成一份
[root@iZf8z3xsyghofo5njspgavZ easy-rsa]# ./easyrsa build-client-full client nopass
Note: using Easy-RSA configuration from: /root/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.....+++
...........................................................................................................................................+++
writing new private key to '/root/easy-rsa/pki/easy-rsa-27647.Iycjw0/tmp.20jrOv'
-----
Using configuration from /root/easy-rsa/pki/easy-rsa-27647.Iycjw0/tmp.KaU3pL
Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Mar 13 12:36:10 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
# Install the OpenVPN server package
yum install -y openvpn
# Copy the CA cert, server cert/key and DH params into /etc/openvpn/server/ (shown empty by the ls below)
# NOTE(review): server.key was generated with nopass, i.e. it is an unencrypted private key;
# keep it readable by root only (e.g. chmod 600) once copied
ls /etc/openvpn/server/
[root@iZf8z3xsyghofo5njspgavZ easy-rsa]# cd /etc/openvpn/server/
[root@iZf8z3xsyghofo5njspgavZ server]# ls
[root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/ca.crt .
[root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/issued/server.crt .
[root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/private/server.key .
[root@iZf8z3xsyghofo5njspgavZ server]# cp /root/easy-rsa/pki/dh.pem .
[root@iZf8z3xsyghofo5njspgavZ server]# vim /etc/openvpn/server/server.conf
port 1194 # listening port; 1194 is the default and may be changed
proto udp # transport protocol; must match the client, and this protocol/port must be opened in the cloud security group
dev tun # routed (layer-3) tunnel mode
ca ca.crt # CA certificate (path relative to this directory)
cert server.crt # server certificate
key server.key # server private key (unencrypted; protect the file)
dh dh.pem # Diffie-Hellman parameters (not a certificate)
server 10.8.0.0 255.255.255.0 # address pool handed to clients; must not overlap the server's own LAN
push "route 172.32.45.0 255.255.255.0" # LAN route pushed to clients; take the value from route -n on the server
# NOTE(review): the host table at the top lists the server's LAN as 172.19.233.0/24 — confirm this route matches the real subnet
ifconfig-pool-persist ipp.txt # file persisting client-to-address assignments
keepalive 10 120 # ping every 10s; treat the peer as down after 120s without a reply
max-clients 10 # allow at most 10 concurrent clients
status openvpn-status.log # status file (connected clients), distinct from the main log
verb 3 # log verbosity level (not the OpenVPN version)
client-to-client # allow clients to reach each other through the server
log /var/log/openvpn.log # main log file
persist-key # on a keepalive-triggered restart, keep the already loaded keys instead of re-reading them
persist-tun # on restart keep the tun device up rather than doing link-down/link-up
duplicate-cn # allow several simultaneous sessions using the same certificate CN
# NOTE(review): duplicate-cn lets one (possibly leaked) client certificate be used from many machines at once and
# weakens per-client accountability; since a certificate is issued per client above, this line is likely unnecessary
comp-lzo # LZO compression; must be configured on both ends. NOTE(review): compression is deprecated in current OpenVPN releases for security reasons
# NOTE(review): consider adding `tls-crypt` (or `tls-auth`) to protect the control channel, `user nobody` / `group nobody`
# to drop privileges after startup, and `crl-verify` so revoked client certificates are actually rejected
[root@iZf8z3xsyghofo5njspgavZ server]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@iZf8z3xsyghofo5njspgavZ server]# systemctl restart network
##以下SELinux设置尚未确认是否必须;若服务在SELinux开启状态下能正常启动,建议保持开启,并通过/var/log/audit/audit.log排查拒绝记录,而不是直接关闭
#临时关闭selinux
setenforce 0
#配置文件永久关闭 修改/etc/selinux/config 文件
SELINUX=disabled
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT -p udp --dport 1194 -j ACCEPT ##端口和协议和server.conf一致
#保存规则并重启(需要已安装iptables-services;上面-o eth0中的eth0应替换为服务器实际的出口网卡名)
service iptables save
systemctl restart iptables
#启动服务
[root@testc openvpn]# systemctl -f enable openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
#用systemctl启动暂时有问题,可先按下面方式在前台手动启动,并查看/var/log/openvpn.log定位原因。一个可能的原因是openvpn@.service默认读取/etc/openvpn/<name>.conf,而配置文件放在/etc/openvpn/server/下,此时对应的单元应为openvpn-server@server.service(可用systemctl cat openvpn@.service确认)
cd /etc/openvpn/server/
openvpn server.conf #新打开一个命令行,然后查看/var/log/openvpn.log日志
systemctl start openvpn@server.service
systemctl status openvpn@server.service
注意事项
在云上部署openvpn服务端时,一定要在实例所在的安全组中放开对应协议和端口(本例为udp 1194)。
安装openvpn客户端(ubuntu22.04)
# Install OpenVPN plus vim and net-tools (net-tools provides the route command used in the verification step)
apt update
apt install openvpn vim net-tools
# Copy ca.crt, client.crt and client.key from the server into /etc/openvpn/client/
# NOTE(review): transfer them over an authenticated, encrypted channel (e.g. scp) and keep client.key readable by
# root only; the key was generated with nopass, so file permissions are its only protection
ls /etc/openvpn/client/
# Write the client configuration; the expected content follows
vim /etc/openvpn/client/client.conf
client # act as a client and accept settings (e.g. routes) pushed by the server
dev tun # routed tunnel, matching the server
proto udp # must match the server's proto
remote 公网ip地址 1194 # replace 公网ip地址 with the server's public IP; the port must match the server's `port`
resolv-retry infinite # keep retrying name resolution if the network is not up yet
nobind # do not bind to a fixed local port
ca ca.crt # CA certificate copied from the server (paths relative to the config directory)
cert client.crt # this client's certificate
key client.key # this client's private key (unencrypted; keep it root-only)
verb 3 # log verbosity level
persist-key # keep loaded keys across restarts instead of re-reading them
comp-lzo # must match the server. NOTE(review): compression is deprecated in current OpenVPN releases for security reasons
# NOTE(review): consider adding `remote-cert-tls server` so the client only accepts a peer certificate issued for
# server use (protects against a client certificate posing as the server), and `persist-tun` to mirror the server
# Start the client: first manually in the foreground so errors are visible, then via systemd for start-on-boot
cd /etc/openvpn/client
openvpn client.conf
# NOTE(review): on Ubuntu the openvpn@<name> unit reads /etc/openvpn/<name>.conf, while configs under
# /etc/openvpn/client/ are served by openvpn-client@<name>.service — confirm with `systemctl cat openvpn@.service`
systemctl -f enable openvpn@client.service
systemctl start openvpn@client
测试是否成功
服务启动后,可在客户端执行 ip a s,查看是否新增了一个tun0网卡
执行 route -n,查看是否新增了一条指向服务端内网网段的路由
也可以直接ssh连接服务端内网中的某台主机,验证是否能够访问
参考文档
openVN安装搭建步骤,实现内网穿透_openvpn搭建-CSDN博客
【运维知识进阶篇】手把手教你搭建OpenVPN(保姆级教程)_openvpn客户端-CSDN博客