一、介绍
OpenVPN是一个开源的、轻量级的、灵活的、跨平台虚拟私人网络(VPN)协议,它可以通过在公共互联网上建立安全的、经过加密保护的点到点或站点到站点连接,来进行远程访问或连接两个或多个私人网络。
OpenVPN是基于SSL/TLS协议的,它建立在TCP或UDP协议之上,因此是一种相当灵活的VPN协议。OpenVPN最初是由James Yonan于2001年创建的,它支持各种平台,包括Windows、macOS、Linux、iOS和Android等。OpenVPN可以在任何支持SSL/TLS协议的操作系统上运行(例如,大多数版本的Windows、Linux和Unix),并支持多种加密算法,如AES、DES、3DES、Blowfish和Camellia等。此外,OpenVPN还是一种高度可定制的协议,支持自定义端口、DNS和路由设置等。
OpenVPN的安全性源自它的加密技术,它使用了公开密钥加密(PKC)技术,该技术通过使用证书和密钥来验证连接的两端,从而保证数据传输的隐私和完整性。OpenVPN支持多重身份验证,例如用户名和密码、数字证书和双因素身份验证(如硬件令牌),这些都大大提高了数据的安全性。
总之,OpenVPN是一种强大的、安全的、具有灵活性和可扩展性的VPN协议,适用于多种应用场景,包括远程访问、远程办公、文件共享和多个位置的私人网络之间的连接等。
二、OpenVPN环境
| 系统 | CentOS 7.9 |
|---|---|
| 服务器内网IP | 192.168.2.101 |
| OpenVPN出口IP | 23.183.84.76 |
三、OpenVPN部署
3.1 下载安装包
1、关闭防火墙或开放端口
## 关闭防火墙
[root@localhost ~]# systemctl disable --now firewalld
## 开放端口
[root@localhost ~]# firewall-cmd --zone=public --add-port=1194/tcp --permanent
[root@localhost ~]# firewall-cmd --reload
## 公司防火墙或者路由器映射1194端口
2、关闭selinux
[root@localhost ~]# sed -i 's/enforcing/disabled/' /etc/selinux/config
[root@localhost ~]# setenforce 0
3、下载安装包
[root@localhost ~]# mkdir /home/artc
[root@localhost ~]# cd /home/artc
[root@localhost artc]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.6.tar.gz
[root@localhost artc]# wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz
3.2 安装OpenVPN
1、安装依赖环境
[root@localhost artc]# yum install -y vim wget gcc-c++ openssl openssl-devel net-tools lzo lzo-devel pam pam-devel
2、编译安装
[root@localhost artc]# tar -zxvf openvpn-2.5.6.tar.gz
[root@localhost artc]# cd openvpn-2.5.6
[root@localhost openvpn-2.5.6]# ./configure --prefix=/usr/local/openvpn/
[root@localhost openvpn-2.5.6]# make && make install
[root@localhost openvpn-2.5.6]# echo -e "PATH=\$PATH:/usr/local/openvpn/sbin" >> /etc/profile
[root@localhost openvpn-2.5.6]# source /etc/profile
3、检查安装是否成功
[root@localhost openvpn-2.5.6]# openvpn --version
OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 17 2023
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
3.3 安装EasyRSA
1、解压安装包
[root@localhost openvpn-2.5.6]# cd /home/artc
[root@localhost artc]# tar -zxvf EasyRSA-3.1.7.tgz
[root@localhost artc]# mv EasyRSA-3.1.7 /usr/local/EasyRSA
四、CA签发证书环境
4.1 EasyRSA服务端配置
#拷贝EasyRSA
[root@localhost artc]# cp -r /usr/local/EasyRSA /usr/local/openvpn/easy-rsa-server
[root@localhost artc]# cd /usr/local/openvpn/easy-rsa-server
#准备签发证书的默认变量文件
[root@localhost easy-rsa-server]# vim vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
## 设置CA证书有效期为100年 (单位天,根据需求设置时间)
set_var EASYRSA_CA_EXPIRE 36500
## 设置服务器证书为10年 (单位天,根据需求设置时间)
set_var EASYRSA_CERT_EXPIRE 3650
return 1
fi
4.1.1 创建CA机构
#初始化,执行此命令会生成pki目录
[root@localhost easy-rsa-server]# ./easyrsa init-pki
#创建CA机构,nopass代表不需要密码的意思
[root@localhost easy-rsa-server]# ./easyrsa build-ca nopass
## 默认直接回车就行,或者自己输入一个名字
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
## 出现这个代表成功
CA creation complete. Your new CA certificate is at:
* /usr/local/openvpn/easy-rsa-server/pki/ca.crt
4.1.2 创建服务器证书
创建服务端证书申请文件,OpenVPN区别参数标识
[root@localhost easy-rsa-server]# ./easyrsa gen-req anyrtc nopass
## 默认直接回车就行
Common Name (eg: your user, host, or server name) [anyrtc]:
签发服务端证书;anyrtc 是刚刚创建的参数标识
[root@localhost easy-rsa-server]# ./easyrsa sign server anyrtc
#输入yes
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
#服务端的证书文件
Certificate created at:
* /usr/local/openvpn/easy-rsa-server/pki/issued/anyrtc.crt
创建交互秘钥
[root@localhost easy-rsa-server]# ./easyrsa gen-dh
## 出现这个代表成功
DH parameters of size 2048 created at:
* /usr/local/openvpn/easy-rsa-server/pki/dh.pem
启用安全增强配置
[root@localhost easy-rsa-server]# openvpn --genkey tls-auth ta.key
4.2 OpenVPN服务端配置
4.2.1 创建用户
[root@localhost easy-rsa-server]# groupadd openvpn
[root@localhost easy-rsa-server]# useradd -M -s /sbin/nologin -g openvpn openvpn
4.2.2 创建证书存放目录
[root@localhost easy-rsa-server]# mkdir /usr/local/openvpn/certificate
4.2.3 创建日志存储目录
[root@localhost easy-rsa-server]# mkdir /usr/local/openvpn/logs
[root@localhost easy-rsa-server]# chown -R openvpn. /usr/local/openvpn/
4.2.4 将生成的证书复制到certificate目录
[root@localhost easy-rsa-server]# cp /usr/local/openvpn/easy-rsa-server/pki/ca.crt /usr/local/openvpn/certificate/
[root@localhost easy-rsa-server]# cp /usr/local/openvpn/easy-rsa-server/pki/issued/anyrtc.crt /usr/local/openvpn/certificate/
[root@localhost easy-rsa-server]# cp /usr/local/openvpn/easy-rsa-server/pki/private/anyrtc.key /usr/local/openvpn/certificate/
[root@localhost easy-rsa-server]# cp /usr/local/openvpn/easy-rsa-server/pki/dh.pem /usr/local/openvpn/certificate/
[root@localhost easy-rsa-server]# cp /usr/local/openvpn/easy-rsa-server/ta.key /usr/local/openvpn/certificate/
4.2.5 添加配置文件
[root@localhost easy-rsa-server]# vim /usr/local/openvpn/server.conf
## 默认端口
port 1194
## 默认协议
proto tcp
dev tun
## ca证书
ca /usr/local/openvpn/certificate/ca.crt
## 服务端证书
cert /usr/local/openvpn/certificate/anyrtc.crt
## 服务端私钥
key /usr/local/openvpn/certificate/anyrtc.key
## 交换秘钥
dh /usr/local/openvpn/certificate/dh.pem
## 分配给客户端的IP地址池 10.32.203.0是VPN要访问的IP段
server 10.32.203.0 255.255.255.0
## 设置内网路由(你要访问的资源网段)
push "route 192.168.1.0 255.255.255.0"
## 设置DNS
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
## lz4-v2压缩算法
compress lz4-v2
## lz4-v2客户端算法
push "compress lz4-v2"
## 最大客户端数
max-clients 1000
## 运行openvpn服务的用户和用户组
user openvpn
group openvpn
## 会话检测,每十秒测试一下,超过120秒没回应就认为对方down
keepalive 10 120
## 安全增强文件,0是服务端,1是客户端
tls-auth /usr/local/openvpn/certificate/ta.key 0
## 日志级别
verb 3
mute 20
#状态日志
status /usr/local/openvpn/logs/openvpn-status.log
log-append /usr/local/openvpn/logs/openvpn.log
4.2.6 配置IPv4内核转发
[root@localhost easy-rsa-server]# vim /etc/sysctl.conf
默认添加:
net.ipv4.ip_forward=1
## 重新加载参数
[root@localhost easy-rsa-server]# sysctl -p
4.2.7 添加防火墙转发规则
[root@localhost easy-rsa-server]# vim /etc/rc.d/rc.local
末尾添加: ## 分配给客户端的IP地址池
iptables -t nat -A POSTROUTING -s 10.32.203.0/24 -j MASQUERADE
## 加载
[root@localhost easy-rsa-server]# chmod +x /etc/rc.d/rc.local
[root@localhost easy-rsa-server]# /etc/rc.d/rc.local
4.2.8 开启自启动
[root@localhost easy-rsa-server]# vim /usr/lib/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target
[Service]
ExecStart=/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf
ExecStop=killall openvpn
[Install]
WantedBy=multi-user.target
## 开机启动
[root@localhost easy-rsa-server]# systemctl enable --now openvpn.service
## 关闭开机自启动
[root@localhost easy-rsa-server]# systemctl disable --now openvpn.service
## 重启服务
[root@localhost easy-rsa-server]# systemctl restart openvpn.service
4.3 创建客户端申请证书
[root@localhost easy-rsa-server]# cp -r /usr/local/EasyRSA /usr/local/openvpn/easy-rsa-client
[root@localhost easy-rsa-server]# cd /usr/local/openvpn/easy-rsa-client
#初始化,执行此命令会生成pki目录
[root@localhost easy-rsa-client]# ./easyrsa init-pki
4.4 OpenVPN客户端配置
4.4.1 创建客户端用户目录
[root@localhost easy-rsa-client]# mkdir /usr/local/openvpn/client
[root@localhost easy-rsa-client]# cd /usr/local/openvpn/client
4.4.2 编辑脚本自动创建用户
[root@localhost client]# vim openvpn_anyrtc_user.sh
#!/bin/bash
## 导入functions
. /etc/init.d/functions
## OpenVPN出口IP
OPENVPN_SERVER=23.183.84.76
## OpenVPN出口端口
OPENVPN_PORT=1194
## 服务目录
OPENVPN_PREFIX=/usr/local/openvpn
## 当前位置
CurPath=$(pwd)
## 替换上一次签发的证书
remove_cert () {
rm -rf $CurPath/${OPENVPN_NAME}
find $OPENVPN_PREFIX -name "$OPENVPN_NAME.*" -delete
}
##
create_cert () {
cd $OPENVPN_PREFIX/easy-rsa-client/
./easyrsa gen-req ${OPENVPN_NAME} nopass <<EOF
EOF
cd $OPENVPN_PREFIX/easy-rsa-server/
sed -i "s/set_var EASYRSA_CERT_EXPIRE.*$/set_var EASYRSA_CERT_EXPIRE\t$OPENVPN_DATA/g" ./vars
./easyrsa import-req $OPENVPN_PREFIX/easy-rsa-client/pki/reqs/${OPENVPN_NAME}.req ${OPENVPN_NAME}
./easyrsa sign client ${OPENVPN_NAME} <<EOF
yes
EOF
mkdir $CurPath/${OPENVPN_NAME}
cp -rf $OPENVPN_PREFIX/easy-rsa-server/pki/issued/${OPENVPN_NAME}.crt $CurPath/${OPENVPN_NAME}
cp -rf $OPENVPN_PREFIX/easy-rsa-client/pki/private/${OPENVPN_NAME}.key $CurPath/${OPENVPN_NAME}
cp -rf $OPENVPN_PREFIX/certificate/{ca.crt,ta.key} $CurPath/${OPENVPN_NAME}
#生产客户端配置文件
cat > $CurPath/${OPENVPN_NAME}/client.ovpn <<EOF
client
dev tun
proto tcp
remote ${OPENVPN_SERVER} ${OPENVPN_PORT}
resolv-retry infinite
nobind
ca ca.crt
cert $OPENVPN_NAME.crt
key $OPENVPN_NAME.key
remote-cert-tls server
tls-auth ta.key 1
verb 3
compress lz4-v2
EOF
echo "证书存放路径:$CurPath/${OPENVPN_NAME},证书文件如下:"
echo -e "\E[1;32m******************************************************************\E[0m"
ls -l $CurPath/${OPENVPN_NAME}
echo -e "\E[1;32m******************************************************************\E[0m"
cd $CurPath/$OPENVPN_NAME
tar zcvf $OPENVPN_NAME-openvpn.tar.gz *
action "证书的打包文件已生成: ${OPENVPN_NAME}-openvpn.tar.gz"
chown openvpn. $OPENVPN_PREFIX -R && systemctl restart openvpn.service
}
read -p "请输入用户名(如:zhangsan): " OPENVPN_NAME
read -p "请输入证书的有效期(默认:90天): " OPENVPN_DATA
OPENVPN_DATA=${OPENVPN_DATA:=90}
remove_cert
create_cert
执行脚本
[root@localhost client]# sh openvpn_anyrtc_user.sh
请输入用户的姓名拼音(如:zhangsan): anyrtc
请输入证书的有效期(默认:90天): 3650
证书存放路径:/usr/local/openvpn/client/anyrtc,证书文件如下:
证书的打包文件已生成: anyrtc-openvpn.tar.gz [ 确定 ]
问题
## 连接失败重启服务
systemctl restart openvpn.service
五、客户端使用
下载地址
https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.5-I601.exe
1、双击安装,注意安装目录,剩下的可以一直下一步
2、找到安装目录下的config目录
3、将anyrtc-openvpn.tar.gz 拖到config下面解压
4、双击OpenVPN GUI程序
581
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
