1. Why set up a VPN

As a company grows, more and more remote-work needs arise. To support remote work and give staff remote access to the local test environment, you can build a VPN with open-source software; hardware VPN appliances are not cheap, and OpenVPN is a good choice that supports both Windows and macOS clients.

2. Installing OpenVPN

My server runs CentOS 7.8, so I install directly with yum.

yum install -y epel-release
yum install -y openvpn easy-rsa

After installation, check the version; mine is OpenVPN 2.4.9.

[root@test-vpn01 ~]# openvpn --version
OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <[email protected]>

3. Creating the certificates

cd /etc/openvpn && cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/3/ 

Create the vars file: copy the contents below into it and make it executable with chmod +x vars

set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "ID"
set_var EASYRSA_REQ_PROVINCE    "Jakarta"
set_var EASYRSA_REQ_CITY        "Jakarta"
set_var EASYRSA_REQ_ORG         "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"

Then run:

./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki
./easyrsa build-ca

......
Enter New CA Key Passphrase:        # enter a passphrase
Re-Enter New CA Key Passphrase:  # enter it again
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Generating RSA private key, 2048 bit long modulus
................................................+++
...............................................................+++
e is 65537 (0x10001)
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:      

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt
./easyrsa gen-req hakase-server nopass

......
Generating a 2048 bit RSA private key
.................................................................+++
................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-2911.3BE9Ih/tmp.Z1YEhj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [hakase-server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/hakase-server.req
key: /etc/openvpn/easy-rsa/3/pki/private/hakase-server.key

./easyrsa sign-req server hakase-server

......
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
    commonName                = hakase-server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Unable to load config info from /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3202.ARaxKb/tmp.WGDm1y
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: # enter the CA passphrase from the earlier step
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'hakase-server'
Certificate is to be certified until Sep 30 09:54:49 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/hakase-server.crt
openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt
pki/issued/hakase-server.crt: OK

Create the client key

./easyrsa gen-req client_01 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Generating a 2048 bit RSA private key
...........+++
..........................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-3386.pQq0xv/tmp.tHpyYU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client_01]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/client_01.req
key: /etc/openvpn/easy-rsa/3/pki/private/client_01.key
./easyrsa sign-req client client_01

......
Request subject, to be signed as a client certificate for 365 days:

subject=
    commonName                = client_01


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
WARNING: can't open config file: /etc/openvpn/easy-rsa/3/pki/safessl-easyrsa.cnf
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-3446.iYLNHV/tmp.baYmMM
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: # enter the CA passphrase from the earlier step
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client_01'
Certificate is to be certified until Sep 30 09:57:27 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client_01.crt
openssl verify -CAfile pki/ca.crt pki/issued/client_01.crt
pki/issued/client_01.crt: OK
./easyrsa gen-dh

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................................................+............+.............................................+.......................+
...................................+...........+.+.................+................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

Copy the server key and certificates

cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/

Copy the client_01 key and certificate

cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client_01.crt /etc/openvpn/client/
cp pki/private/client_01.key /etc/openvpn/client/
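Before copying the files into place it is worth confirming that each issued certificate really is the type easy-rsa was asked for (sign-req server versus sign-req client): the server type adds the serverAuth extendedKeyUsage and the client type adds clientAuth, and that distinction is what stops a client certificate from being presented as the server. The script below is an added example, not part of the original post or of easy-rsa. It builds a throwaway CA plus one server and one client certificate with the plain openssl CLI (so it runs without easy-rsa), then checks each with `openssl verify -purpose`, which enforces the extendedKeyUsage. Only `check_cert` and `key_is_private` are the reusable part; the names demo-ca, demo-server and demo-client, the temporary directory and the passphrase-less CA key are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: verify that certificates issued
# by the CA carry the extendedKeyUsage matching their intended role.
# Assumes only a POSIX shell and the openssl CLI; the throwaway CA below is
# constructed here so the script runs without easy-rsa.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME ROLE (server|client): create key + CSR and sign it with the
# throwaway CA, adding the EKU that easy-rsa's x509-types add for that role.
issue_cert() {
    name="$1"; role="$2"
    case "$role" in
        server) eku="serverAuth" ;;
        client) eku="clientAuth" ;;
        *) echo "unknown role $role" >&2; return 2 ;;
    esac
    printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature, keyEncipherment\n' "$eku" \
        > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
    chmod 600 "$WORK/$name.key"
}

# check_cert CAFILE CERT ROLE -> 0 if CERT chains to CAFILE and its EKU permits
# ROLE; openssl's -purpose sslserver/sslclient performs the EKU check.
check_cert() {
    ca="$1"; cert="$2"; role="$3"
    case "$role" in
        server) purpose="sslserver" ;;
        client) purpose="sslclient" ;;
        *) echo "unknown role $role" >&2; return 2 ;;
    esac
    openssl verify -purpose "$purpose" -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# key_is_private FILE -> 0 if the private key is unreadable by group and others.
key_is_private() {
    perms="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    [ "${perms#?}" = "00" ]
}

# Throwaway CA. The post protects ca.key with a passphrase; -nodes is used
# here only so the demo is non-interactive.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
issue_cert demo-server server
issue_cert demo-client client

# A server cert must pass only as server, a client cert only as client.
check_cert "$WORK/ca.crt" "$WORK/demo-server.crt" server && echo "server cert: OK as server"
check_cert "$WORK/ca.crt" "$WORK/demo-server.crt" client || echo "server cert: rejected as client"
check_cert "$WORK/ca.crt" "$WORK/demo-client.crt" client && echo "client cert: OK as client"
check_cert "$WORK/ca.crt" "$WORK/demo-client.crt" server || echo "client cert: rejected as server"
key_is_private "$WORK/demo-server.key" && echo "server key: not group/world readable"
```

Against the real PKI, run `check_cert pki/ca.crt pki/issued/hakase-server.crt server` and `check_cert pki/ca.crt pki/issued/client_01.crt client`; a certificate that passes both roles was signed with the wrong type and should be revoked and reissued rather than copied to the server.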

4. OpenVPN configuration

Add the server configuration file

cd /etc/openvpn/ && vi service.conf

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key

#DH and CRL key
dh /etc/openvpn/server/dh.pem
# Note: this article skips revoked-certificate (CRL) checking
#crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
# internal subnet assigned to VPN clients
server 192.168.200.128 255.255.255.128 
push "redirect-gateway def1"

# DNS servers pushed to clients (AliDNS 223.5.5.5 and 114DNS 114.114.114.114)
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"

#Enable multiple client to connect with same Certificate key
duplicate-cn

# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache

# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody

# OpenVPN Log
log-append openvpn.log
status openvpn-status.log
verb 3

Add the client configuration file

cd /etc/openvpn/client && vi client_01.ovpn

client
dev tun
proto udp
# your company's public egress IP
remote 113.xx.xx.xx 1194

ca ca.crt
cert client_01.crt
key client_01.key

cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
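The server and client configurations above work, but as written they leave a few gaps a reviewer would flag: `crl-verify` is commented out, `duplicate-cn` lets one leaked client certificate be shared, compression is on (the OpenVPN project advises against it on VPN links), there is no `tls-auth`/`tls-crypt` key on the control channel, the client has no `remote-cert-tls server`, and OpenVPN option names are case-sensitive, so a mixed-case name is rejected at start-up. The script below is an added example, not part of the original post, that audits a config file for exactly those points. It assumes one option per line, as in service.conf and client_01.ovpn; the three sample configs are constructed inline from the post's own options, and the path `/etc/openvpn/server/ta.key` in the hardened sample is an assumed location for a key made with `openvpn --genkey --secret ta.key`.

```shell
#!/bin/sh
# Added example, not from the original post: audit OpenVPN server and client
# configs for the hardening gaps this section leaves open. Assumes one option
# per line, as in the post's service.conf and client_01.ovpn.

# has_option FILE NAME -> 0 if an active (uncommented) line starts with NAME
has_option() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_conf FILE ROLE (server|client) -> prints one finding per line
audit_conf() {
    f="$1"; role="$2"
    # OpenVPN option names are lowercase; a mixed-case name such as the
    # post's 'log-Append' makes openvpn exit with "Unrecognized option".
    grep -E '^[[:space:]]*[a-z-]*[A-Z][A-Za-z-]*([[:space:]]|$)' "$f" |
        sed 's/^[[:space:]]*/FAIL: unrecognized mixed-case option: /'
    if has_option "$f" comp-lzo || has_option "$f" compress; then
        echo "WARN: compression enabled; the OpenVPN project advises against it on VPN links"
    fi
    if ! has_option "$f" tls-crypt && ! has_option "$f" tls-auth; then
        echo "WARN: no tls-auth/tls-crypt; control channel lacks the pre-shared HMAC key"
    fi
    case "$role" in
    server)
        has_option "$f" crl-verify ||
            echo "WARN: no crl-verify; revoked client certificates are still accepted"
        ! has_option "$f" duplicate-cn ||
            echo "WARN: duplicate-cn; one leaked client certificate serves any number of clients"
        has_option "$f" user && has_option "$f" group ||
            echo "WARN: daemon keeps root after start; add 'user nobody' and 'group nobody'"
        ;;
    client)
        has_option "$f" remote-cert-tls ||
            echo "WARN: no 'remote-cert-tls server'; any CA-signed certificate is accepted as the server"
        ;;
    esac
}

# count_findings FILE ROLE -> number of findings (0 means clean)
count_findings() {
    audit_conf "$1" "$2" | awk 'END { print NR }'
}

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the post's server options, 'log-Append' typo included.
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
#crl-verify /etc/openvpn/server/crl.pem
server 192.168.200.128 255.255.255.128
push "dhcp-option DNS 223.5.5.5"
duplicate-cn
cipher AES-256-CBC
comp-lzo yes
user nobody
group nobody
log-Append openvpn.log
EOF

# Constructed sample: the same server with each finding addressed
# (ta.key path is an assumption; generate it with openvpn --genkey --secret).
cat > "$WORK/hardened.conf" <<'EOF'
port 1194
ca /etc/openvpn/server/ca.crt
crl-verify /etc/openvpn/server/crl.pem
tls-crypt /etc/openvpn/server/ta.key
server 192.168.200.128 255.255.255.128
cipher AES-256-GCM
user nobody
group nobody
log-append openvpn.log
EOF

# Constructed sample: the post's client_01.ovpn options.
cat > "$WORK/client.ovpn" <<'EOF'
client
remote 113.xx.xx.xx 1194
ca ca.crt
cert client_01.crt
key client_01.key
cipher AES-256-CBC
compress lzo
EOF

for f in server.conf:server hardened.conf:server client.ovpn:client; do
    echo "== ${f%%:*}: $(count_findings "$WORK/${f%%:*}" "${f#*:}") finding(s)"
    audit_conf "$WORK/${f%%:*}" "${f#*:}"
done
```

Run `audit_conf /etc/openvpn/service.conf server` and `audit_conf /etc/openvpn/client/client_01.ovpn client` on the real files. When you act on the findings, change both sides together: dropping `comp-lzo` on the server means removing `compress lzo` from the client, and `tls-crypt` needs the same ta.key on server and client.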

Add the routing and forwarding configuration

# either firewalld or iptables works; I use iptables here
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE

Start the OpenVPN service

systemctl start openvpn@service
netstat -nlup | grep 1194

5. Client setup

Windows client: download and install the OpenVPN client software (search for it yourself).

Find the installation path and open its config directory. Package the client directory under /etc/openvpn, download it to your machine, unpack it and copy all the certificate files into config.


Double-click the OpenVPN desktop icon, right-click the tray icon and choose Connect. A successful connection is assigned an internal IP, which shows you are connected to the internal network.


macOS client: download and install the client software from http://down.i4t.com/Tunnelblick_3.8.1_build_5400.dmg, unpack the client certificates and copy them all into config, then open client_01.ovpn and it connects automatically.
