Environment preparation
web: 192.168.112.10/24, gateway: 192.168.112.20
openvpn: 192.168.112.20/24 and 1.1.1.1/24
client: 1.1.1.2/24, gateway: 1.1.1.1 --> used as the management host
Topology diagram
(1) Virtual private network (VPN) lab: web host configuration
web NIC configuration:
vi /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.112.10
NETMASK=255.255.255.0
GATEWAY=192.168.112.20
(2) VPN gateway server configuration
openvpn NIC configuration
vi /etc/sysconfig/network-scripts/ifcfg-ens37
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=ens37
DEVICE=ens37
ONBOOT=yes
IPADDR=1.1.1.1
NETMASK=255.255.255.0
vi /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
DEVICE=eno16777736
ONBOOT=yes
IPADDR=192.168.112.20
NETMASK=255.255.255.0
GATEWAY=192.168.112.2
Install openvpn
yum install -y openvpn easy-rsa
cp -r /usr/share/easy-rsa/3.0.8/ /etc/openvpn/easy-rsa
cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
Uncomment these lines (the numbers are line positions in the file)
vi /etc/openvpn/easy-rsa/vars
102 #set_var EASYRSA_REQ_COUNTRY "US"
103 #set_var EASYRSA_REQ_PROVINCE "California"
104 #set_var EASYRSA_REQ_CITY "San Francisco"
105 #set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
106 #set_var EASYRSA_REQ_EMAIL "me@example.net"
107 #set_var EASYRSA_REQ_OU "My Organizational Unit"
Initialize the PKI and generate the directory structure
cd /etc/openvpn/easy-rsa/
./easyrsa init-pki
Create the CA certificate
./easyrsa build-ca
Create the server certificate request and private key
./easyrsa gen-req server nopass
Sign the server certificate with the CA
./easyrsa sign server server
Create the Diffie-Hellman parameters
./easyrsa gen-dh
Generate ta.key (the tls-auth HMAC key)
cd /etc/openvpn
openvpn --genkey --secret ta.key
Copy the configuration files (client-side PKI and client certificate)
cp -r /usr/share/easy-rsa/3.0.8/ /etc/openvpn/client/
cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/client/3.0.8/vars
cd /etc/openvpn/client/3.0.8
./easyrsa init-pki # initialize the PKI and generate the directory structure
./easyrsa build-ca # create a CA certificate (this second CA is not used; the client request is signed by the server CA below)
vim /etc/openvpn/client/3.0.8/vars
95 set_var EASYRSA_REQ_COUNTRY "US"
96 set_var EASYRSA_REQ_PROVINCE "California"
97 set_var EASYRSA_REQ_CITY "San Francisco"
98 set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
99 set_var EASYRSA_REQ_EMAIL "me@example.net"
100 set_var EASYRSA_REQ_OU "My Organizational Unit"
cd /etc/openvpn/client/3.0.8
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/ # sample server configuration, edited in the next section
./easyrsa gen-req client nopass # create the client certificate request and private key
cd /etc/openvpn/easy-rsa # import and sign the request in the server CA's PKI; the signed certificate lands in pki/issued/client.crt
./easyrsa import-req /etc/openvpn/client/3.0.8/pki/reqs/client.req client # import the client request
./easyrsa sign client client # sign the client certificate with the server CA
Edit the server.conf file
The paths below point at /etc/openvpn, so first copy the generated files out of the PKI:
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
vi /etc/openvpn/server.conf
25 ;local 1.1.1.1
78 ca /etc/openvpn/ca.crt
79 cert /etc/openvpn/server.crt
80 key /etc/openvpn/server.key
86 dh /etc/openvpn/dh.pem
263 comp-lzo
209 client-to-client
Enable IP forwarding (routing between the tunnel and the 192.168.112.0/24 side)
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p # apply the setting without a reboot
Start the openvpn server service
systemctl -f enable openvpn@server
systemctl start openvpn@server
(3) Client configuration
hostnamectl set-hostname client
bash # reopen the shell so the prompt picks up the new hostname
yum install -y openvpn easy-rsa
Configure the NIC
vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=1.1.1.2
NETMASK=255.255.255.0
GATEWAY=1.1.1.1
Transfer the files remotely
On the client, copy the sample client configuration:
cp -r /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf /etc/openvpn/
On the openvpn server, push the CA certificate, client certificate, client key and ta.key to the client (1.1.1.2):
scp /etc/openvpn/ca.crt 1.1.1.2:/etc/openvpn/
scp /etc/openvpn/easy-rsa/pki/issued/client.crt 1.1.1.2:/etc/openvpn/
scp /etc/openvpn/client/3.0.8/pki/private/client.key 1.1.1.2:/etc/openvpn/
scp /etc/openvpn/ta.key 1.1.1.2:/etc/openvpn/
Edit the client.conf file
vi /etc/openvpn/client.conf
42 remote 1.1.1.1 1194
88 ca /etc/openvpn/ca.crt
89 cert /etc/openvpn/client.crt
90 key /etc/openvpn/client.key
systemctl start openvpn@client # start the openvpn client service
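As an added check that is not part of the original walkthrough: a small POSIX shell helper that verifies a certificate/key bundle before it is copied to a peer, which catches the easy mistake in a setup with two PKIs (/etc/openvpn/easy-rsa and /etc/openvpn/client/3.0.8) of signing the client request with the wrong CA, pairing a key with the wrong certificate, or shipping a key with loose permissions. It assumes openssl and GNU stat are installed; the throw-away PKI it builds for the stand-alone run is constructed on the fly.

```shell
#!/bin/sh
# check_openvpn_bundle CA CERT KEY
# Verifies an OpenVPN identity before it is copied onto a peer:
#   1. CERT chains to CA (catches a client cert signed by the other PKI),
#   2. KEY is the private key that belongs to CERT,
#   3. KEY is not group- or world-readable.
# Hypothetical helper added here; not part of the original walkthrough.
check_openvpn_bundle() {
    ca="$1"; crt="$2"; key="$3"
    # 1. chain: match on ": OK" because 'openssl verify' exit status is
    #    unreliable on older OpenSSL releases
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' || {
        echo "FAIL: $crt is not signed by $ca" >&2; return 1; }
    # 2. cert/key match: compare the SubjectPublicKeyInfo of both
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not belong to $crt" >&2; return 1; }
    # 3. permissions (GNU stat): anything beyond the owner bits is a finding
    mode=$(stat -c %a "$key")
    case "$mode" in
        [0-7]00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600" >&2; return 1 ;;
    esac
    echo "OK: $crt chains to $ca and matches $key"
}

# make_test_pki DIR: constructed throw-away PKI so the check can be run
# offline: ca.crt signs client.crt; other.crt is an unrelated CA.
make_test_pki() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test-ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=client \
        -keyout "$dir/client.key" -out "$dir/client.req" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.req" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=other-ca \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
    chmod 600 "$dir/client.key"
}

# Stand-alone run: the good bundle passes, the wrong-CA bundle is rejected.
t=$(mktemp -d); make_test_pki "$t"
check_openvpn_bundle "$t/ca.crt" "$t/client.crt" "$t/client.key"
check_openvpn_bundle "$t/other.crt" "$t/client.crt" "$t/client.key" || true
```

To check the real files from this walkthrough on the server, run check_openvpn_bundle against /etc/openvpn/easy-rsa/pki/ca.crt, pki/issued/client.crt and /etc/openvpn/client/3.0.8/pki/private/client.key before the scp step.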