1. Install Open***
shell>yum install -y epel-release
shell>yum install -y open*** easy-rsa openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
2. Copy the sample server config into the config directory
#the version in this path must match the package yum installed; list /usr/share/doc/ to find the exact directory name
shell>cp /usr/share/doc/open***-2.4.9/sample/sample-config-files/server.conf /etc/open***/
3. Server certificates
shell>mkdir /etc/open***/easy-rsa
#the easy-rsa version directory must match what yum installed; check with ls /usr/share/easy-rsa/
shell>cp -r /usr/share/easy-rsa/3.0.7/* /etc/open***/easy-rsa/
① Build the CA certificate
shell>cd /etc/open***/easy-rsa
shell>cp /usr/share/doc/easy-rsa-3.0.7/vars.example ./vars
#edit the certificate fields in vars as needed
set_var EASYRSA_REQ_COUNTRY "US" #country
set_var EASYRSA_REQ_PROVINCE "California" #province/state
set_var EASYRSA_REQ_CITY "Shanghai" #city
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" #organization
set_var EASYRSA_REQ_EMAIL "test@example.net" #e-mail address
set_var EASYRSA_REQ_OU "My Organizational Unit" #organizational unit
shell>./easyrsa init-pki #initialize the PKI: creates the pki/ directory structure
shell>./easyrsa build-ca #create the CA certificate and key; this key signs every server and client certificate, so choose a strong passphrase and consider keeping the CA off the VPN server altogether
Note: using Easy-RSA configuration from: ./vars #uses the values configured in vars
Generating a 2048 bit RSA private key
.................+++
........................................................................................+++
writing new private key to '/etc/open***/easy-rsa/pki/private/ca.key.Lg8IKADc4Q'
Enter PEM pass phrase: #choose the CA key passphrase
Verifying - Enter PEM pass phrase: #type the same passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #press Enter to keep the default CA name
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open***/easy-rsa/pki/ca.crt #CA certificate path
② Generate the server certificate request
shell>./easyrsa gen-req server nopass #nopass leaves the server key unencrypted so the service can start unattended; drop it if you want a passphrase on the key (see step 7 for the consequence)
Note: using Easy-RSA configuration from: ./vars #uses the values configured in vars
Generating a 2048 bit RSA private key
.....................................+++
................................................................................................+++
writing new private key to '/etc/open***/easy-rsa/pki/private/server.key.yuG9HRsSlU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: #press Enter, the default name is server
Keypair and certificate request completed. Your files are:
req: /etc/open***/easy-rsa/pki/reqs/server.req
key: /etc/open***/easy-rsa/pki/private/server.key #private key path
③ Sign the server certificate
shell>./easyrsa sign server server #sign-req is the documented command name, sign is its shorthand in easy-rsa 3; the first server is the certificate type, the second is the name of the request, i.e. the CN chosen above (server by default, adjust if you used another name)
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key: #enter the CA passphrase chosen when the CA was built
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'server'
Certificate is to be certified until May 22 03:23:38 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/pki/issued/server.crt #server certificate path
④ DH parameters
shell>./easyrsa gen-dh #generate the Diffie-Hellman parameters; this takes a while
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................+...........................................................+.......................................................................................................+...........+..........................................................................................................................................................................................................................................................................+............................................................................................................+....................................................................................................+................................................................+.....................................................................................................................................................+............................................+............+......................................................................................+......................................................................+...........................+................................................................+...........................................................................................................++*++*
DH parameters of size 2048 created at /etc/open***/easy-rsa/pki/dh.pem #DH parameters path
⑤ tls-auth key (ta.key)
shell>cd /etc/open***
shell>open*** --genkey --secret ta.key #shared HMAC key: packets without a valid HMAC are dropped before any TLS processing, which hides the port from scanners and blunts DoS and TLS-stack attacks; both configs in step 6 must reference it and every client needs a copy
4. Client certificate
① Generate the client certificate request
shell>mkdir -p /etc/open***/client
shell>cd /etc/open***/client
#a separate directory stands in for the client machine here; in practice the client generates its own key and only the .req file leaves it
#use the easy-rsa version directory that is actually installed, as in step 3
shell>cp -r /usr/share/easy-rsa/3.0.3/* /etc/open***/client
shell>cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
shell>./easyrsa init-pki
shell>./easyrsa gen-req client nopass #client is the certificate name, choose your own; nopass leaves the key unencrypted as above
Generating a 2048 bit RSA private key
.....................................................+++
.................................+++
writing new private key to '/etc/open***/client/pki/private/client.key.0rbEXauafe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/open***/client/pki/reqs/client.req
key: /etc/open***/client/pki/private/client.key #private key path
② Sign the client certificate
#switch to the server-side easy-rsa directory:
shell>cd /etc/open***/easy-rsa
#import the request
shell>./easyrsa import-req /etc/open***/client/pki/reqs/client.req client
shell>./easyrsa sign client client #sign: the first client is the fixed certificate type, the second is the name the request was imported under
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #type 'yes'
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/open***/easy-rsa/pki/private/ca.key: #enter the CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client'
Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open***/easy-rsa/pki/issued/client.crt #final client certificate path
5. Put the keys in one place
shell>cp /etc/open***/easy-rsa/pki/ca.crt /etc/open***/
shell>cp /etc/open***/easy-rsa/pki/private/server.key /etc/open***/
shell>cp /etc/open***/easy-rsa/pki/issued/server.crt /etc/open***/
shell>cp /etc/open***/easy-rsa/pki/dh.pem /etc/open***/
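Before the material is copied around it is worth confirming that the PKI just built is what the configs assume. The script below is an added example, not part of the original page or of easy-rsa: check_cert verifies that a certificate chains to ca.crt, that the private key actually belongs to it, that only the server certificate carries the TLS Web Server Authentication extended key usage (the property a client relies on when it is told remote-cert-tls server, so a client certificate must not have it), and that the private key is mode 600. Because the real certificates are not available here, make_demo_pki builds a throwaway CA plus a server and a client certificate with plain openssl, laid out like easy-rsa's pki/ directory (constructed test material, not the page's certificates). Point check_cert at /etc/open***/easy-rsa/pki to check the certificates generated above; keys created without nopass will prompt for their passphrase. The script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example: sanity-check an easy-rsa style PKI before deploying it.
# Expected layout (as in the steps above): <pki>/ca.crt, <pki>/issued/<name>.crt,
# <pki>/private/<name>.key. Requires the openssl command line tool.

# Extended key usage name as printed by 'openssl x509 -text'.
SERVER_EKU="TLS Web Server Authentication"

# check_cert <pki_dir> <name> <server|client>
# Returns 0 when every check passes; otherwise prints the failing check and returns 1.
check_cert() {
    pki=$1; name=$2; role=$3
    ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"

    # 1. the certificate must chain to our CA and nothing else
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "$name: not signed by $ca"; return 1; }

    # 2. the private key must belong to this certificate (compare the public keys)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "$name: private key does not match certificate"; return 1; }

    # 3. only a server certificate may carry the serverAuth EKU. 'remote-cert-tls server'
    #    on the client checks exactly this, so a client cert with it could pose as the server.
    eku=$(openssl x509 -in "$crt" -noout -text | awk '/X509v3 Extended Key Usage/ { getline; print }')
    has_server_eku=0
    echo "$eku" | grep -q "$SERVER_EKU" && has_server_eku=1
    if [ "$role" = server ] && [ "$has_server_eku" -eq 0 ]; then
        echo "$name: server cert lacks '$SERVER_EKU'"; return 1
    fi
    if [ "$role" = client ] && [ "$has_server_eku" -eq 1 ]; then
        echo "$name: client cert carries '$SERVER_EKU'"; return 1
    fi

    # 4. the private key must be readable by its owner only
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] || { echo "$name: $key is mode $mode, want 600"; return 1; }
    return 0
}

# make_demo_pki <dir>: throwaway PKI built with plain openssl (constructed test material that
# mirrors the easy-rsa layout): a CA, a server cert with serverAuth, a client cert with clientAuth.
make_demo_pki() {
    pki=$1
    mkdir -p "$pki/private" "$pki/issued" "$pki/reqs"
    cat > "$pki/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$pki/req.cnf" \
        -extensions ca_ext -subj "/CN=Easy-RSA CA" \
        -keyout "$pki/private/ca.key" -out "$pki/ca.crt" 2>/dev/null
    for entry in server:serverAuth client:clientAuth; do
        name=${entry%%:*}; eku=${entry#*:}
        openssl req -new -newkey rsa:2048 -nodes -config "$pki/req.cnf" -subj "/CN=$name" \
            -keyout "$pki/private/$name.key" -out "$pki/reqs/$name.req" 2>/dev/null
        chmod 600 "$pki/private/$name.key"
        printf 'extendedKeyUsage = %s\n' "$eku" > "$pki/$name.ext"
        openssl x509 -req -days 3650 -in "$pki/reqs/$name.req" -CA "$pki/ca.crt" \
            -CAkey "$pki/private/ca.key" -CAcreateserial -extfile "$pki/$name.ext" \
            -out "$pki/issued/$name.crt" 2>/dev/null
    done
}

# demo: run the checks on the throwaway PKI, and confirm a client cert is NOT accepted as a server.
demo() {
    tmp=$(mktemp -d)
    make_demo_pki "$tmp/pki"
    rc=0
    check_cert "$tmp/pki" server server || rc=1
    check_cert "$tmp/pki" client client || rc=1
    if check_cert "$tmp/pki" client server >/dev/null; then
        echo "client cert was accepted as a server cert"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

After copying server.key and ta.key into /etc/open***/ as above, chmod 600 both so check 4 passes on the real files; the daemon runs as root and needs nothing more.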
6. Edit the configuration files
① /etc/open***/server.conf
#x.x.x.x is the address the server listens on
local x.x.x.x
port 1194
#tcp here; the firewall rule in step 8 must open the same protocol
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
#the HMAC key from step 3 ⑤: packets without a valid HMAC are dropped before any TLS processing; direction 0 on the server, 1 on the client
tls-auth ta.key 0
ifconfig-pool-persist /etc/open***/ipp.txt
server 10.8.0.0 255.255.255.0
#send all client traffic through the tunnel and hand out these resolvers
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 223.5.5.5"
keepalive 20 120
#comp-lzo is deprecated in 2.4 and compressing tunnelled traffic exposes it to VORACLE-style attacks; remove it on both sides unless you need it, and keep it identical on both sides if you keep it
comp-lzo
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
mute 20
② /usr/share/doc/open***-2.4.10/sample/sample-config-files/client.conf
client
proto tcp
dev tun
#x.x.x.x is the server's public address
remote x.x.x.x 1194
ca ca.crt
cert client.crt
key client.key
#accept only a certificate signed as a server certificate (the type used in step 3 ③); without this any certificate our CA issued, another client's included, could pose as the server
remote-cert-tls server
#the same ta.key as the server, direction 1 on the client; copy ta.key to the client together with the certificates
tls-auth ta.key 1
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
#must match the server: remove it on both sides or keep it on both
comp-lzo
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
mute 20
7. Start the service
shell>systemctl start open***@server #the name after @ is the config file under /etc/open***/ (server.conf)
#if server.key was generated without nopass, the unit waits here for the key passphrase; supply it through the password agent and start again (a passphrase-protected key also means the service cannot come back by itself after a reboot)
shell>systemd-tty-ask-password-agent
shell>systemctl start open***@server
8. Adjust the iptables rules
#the protocol must match proto in server.conf (tcp above); opening udp/1194 in front of a tcp server leaves the port unreachable
shell>iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
shell>iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE #NAT rule; eth0 is the Internet-facing interface, adjust if yours differs
#save the rules to /etc/sysconfig/iptables: restarting the iptables service reloads that file and discards unsaved runtime rules
shell>iptables-save > /etc/sysconfig/iptables
shell>systemctl restart iptables.service
9. Enable kernel IP forwarding
shell>echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
shell>sysctl -p
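Steps 8 and 9 are easy to get out of sync with step 6 (the protocol, port and client subnet appear in both places). The script below is an added example, not part of the original page or of the project: fw_rules reads proto, port and the server line from server.conf and prints the matching sysctl and iptables commands, so you review them before running them. It assumes the tunnel interface is tun0 (the first device dev tun creates) and takes the Internet-facing interface as an argument (eth0 on this page). It goes slightly beyond step 8 by also emitting FORWARD rules, because the ruleset iptables-services ships on CentOS ends the FORWARD chain with a REJECT and tunnelled traffic never reaches the NAT rule without them. The sample server.conf in demo_conf is constructed for the demo; 192.0.2.10 is a documentation address.

```shell
#!/bin/sh
# Added example: derive the iptables/sysctl commands of steps 8 and 9 from server.conf so the
# firewall cannot disagree with the daemon about protocol, port or client subnet.
# Assumes the tunnel interface is tun0 (the first device 'dev tun' creates) and takes the
# Internet-facing interface as an argument (eth0 on this page).

# conf_get <file> <directive> [default]: first argument of a directive. Commented lines
# (# or ;) never match because the directive has to be the first field of the line.
conf_get() {
    v=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1")
    printf '%s\n' "${v:-${3:-}}"
}

# fw_rules <server.conf> <wan_iface>: print the commands; review them before running them.
fw_rules() {
    conf=$1; wan=$2
    proto=$(conf_get "$conf" proto udp)    # the daemon defaults to udp when proto is absent
    case "$proto" in                       # tcp-server, udp4, tcp6 ... all map to one L4 protocol
        tcp*) proto=tcp ;;
        udp*) proto=udp ;;
        *) echo "unknown proto '$proto' in $conf" >&2; return 1 ;;
    esac
    port=$(conf_get "$conf" port 1194)
    net=$(awk '$1 == "server" { print $2 "/" $3; exit }' "$conf")   # iptables accepts dotted masks
    [ -n "$net" ] || { echo "no 'server' line in $conf" >&2; return 1; }

    # step 9: the kernel must route between tun0 and the WAN side (persist it in /etc/sysctl.conf)
    echo "sysctl -w net.ipv4.ip_forward=1"
    # step 8: accept new sessions on the protocol and port the daemon actually listens on
    echo "iptables -A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    # the ruleset iptables-services ships on CentOS ends FORWARD with a REJECT, so tunnel
    # traffic needs explicit forwarding rules inserted in front of it
    echo "iptables -I FORWARD -i tun0 -o $wan -s $net -j ACCEPT"
    echo "iptables -I FORWARD -i $wan -o tun0 -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # step 8: hide the client subnet behind the server's address
    echo "iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE"
}

# demo_conf: constructed server.conf mirroring step 6 (192.0.2.10 is a documentation address);
# the commented ';proto udp' line shows that disabled directives are ignored.
demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
local 192.0.2.10
port 1194
proto tcp
dev tun
;proto udp
server 10.8.0.0 255.255.255.0
EOF
    printf '%s\n' "$f"
}

demo() {
    f=$(demo_conf)
    fw_rules "$f" eth0
    rc=$?
    rm -f "$f"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh fwrules.sh demo` to see the rules for the constructed config, or call `fw_rules /etc/open***/server.conf eth0` for the real one; pipe the output into `sh` only after reading it, then save with `iptables-save > /etc/sysconfig/iptables` as in step 8.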
10. Client test
Copy the following files to the phone over a USB cable
ca.crt
client.crt
client.key
ta.key //the tls-auth key from step 3 ⑤, the client needs its own copy
client.o*** //client.conf renamed with the client profile extension
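Shipping four separate files to a phone is fragile; a single profile with the certificates, key and ta.key embedded inline is what the client apps expect. The script below is an added example, not part of the original page or of the project, covering both the client config of step 6 ② and the hand-off in step 10: lint_client_conf checks that the config carries remote-cert-tls server and tls-auth (and warns about comp-lzo), and make_inline_profile refuses to build the profile until they are there, then replaces the ca, cert, key and tls-auth file directives with inline blocks plus key-direction 1. It assumes the file names used on this page. setup_demo writes a weak config (the page's original client.conf, without the two directives) and a hardened one, along with placeholder files standing in for the real PEM material; all of that is constructed for the demo, and the bundler only copies bytes, so it does not need real certificates to run.

```shell
#!/bin/sh
# Added example: build the single-file client profile of step 10 with ca.crt, client.crt,
# client.key and ta.key embedded inline, and refuse to build it unless the client config carries
# the directives that let the client authenticate the server. Assumes the file names of this page.

# has_directive <conf> <directive>: true when it appears at line start and is not commented out
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# lint_client_conf <client.conf>: 0 when the hardening directives are present, otherwise
# prints what is missing and returns 1.
lint_client_conf() {
    conf=$1; rc=0
    # without it any certificate our CA signed, another client's included, is accepted as the
    # server; the 'sign server' step gives only the server cert the serverAuth EKU this checks
    has_directive "$conf" "remote-cert-tls server" \
        || { echo "missing: remote-cert-tls server"; rc=1; }
    # ta.key from step 3 does nothing unless both sides reference it
    has_directive "$conf" "tls-auth" \
        || { echo "missing: tls-auth ta.key 1"; rc=1; }
    # compression is deprecated and exposes tunnelled traffic to VORACLE-style attacks
    if has_directive "$conf" "comp-lzo"; then
        echo "warning: comp-lzo enabled (must match the server; better removed on both sides)"
    fi
    return $rc
}

# make_inline_profile <client.conf> <ca.crt> <client.crt> <client.key> <ta.key>
# Writes the profile to stdout. File-path directives become <tag> blocks, and 'key-direction 1'
# carries the direction argument that 'tls-auth ta.key 1' had (1 is the client side).
make_inline_profile() {
    conf=$1; ca=$2; crt=$3; key=$4; ta=$5
    lint_client_conf "$conf" >&2 || return 1
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)([[:space:]]|$)' "$conf"
    echo "key-direction 1"
    for pair in "ca=$ca" "cert=$crt" "key=$key" "tls-auth=$ta"; do
        tag=${pair%%=*}; file=${pair#*=}
        echo "<$tag>"; cat "$file"; echo "</$tag>"
    done
}

# setup_demo <dir>: constructed material, a weak profile (the page's original client.conf) and a
# hardened one, plus placeholder files standing in for the PEM material (the bundler only copies bytes).
setup_demo() {
    d=$1; mkdir -p "$d"
    for f in ca.crt client.crt client.key ta.key; do
        printf '%s\n%s\n%s\n' "-----BEGIN PLACEHOLDER-----" \
            "constructed $f, not a real key" "-----END PLACEHOLDER-----" > "$d/$f"
    done
    printf '%s\n' client "proto tcp" "dev tun" "remote 192.0.2.10 1194" "ca ca.crt" \
        "cert client.crt" "key client.key" nobind persist-key persist-tun "verb 3" > "$d/weak.conf"
    { cat "$d/weak.conf"; printf '%s\n' "remote-cert-tls server" "tls-auth ta.key 1"; } > "$d/hardened.conf"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); setup_demo "$d"
    make_inline_profile "$d/hardened.conf" "$d/ca.crt" "$d/client.crt" "$d/client.key" "$d/ta.key"
    rm -rf "$d"
fi
```

For the real files: `make_inline_profile client.conf ca.crt client.crt client.key ta.key > client.o***` in /etc/open***/, then copy that one file to the phone; client.key is inside it, so treat the profile itself as a secret.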