环境需求--------------------------------------------,现在小编就来说说关于LinuxCentOS生产环境部署OpenVPN,LinuxCentOS生产环境部署OpenVPN?下面内容希望能帮助到你,我们来一起看看吧!
LinuxCentOS生产环境部署OpenVPN,LinuxCentOS生产环境部署OpenVPN
环境需求
--------------------------------------------
设备 | IP
---------------------------------------------
笔记本 | 192.168.157.0/24
-----------------------------------------------
OpenvpnServer | eth0:192.168.157.63(外网) eth1:192.168.2.20(内网)
------------------------------------------------------------------------
IDC机房内部局域网服务器 | 192.168.2..0/24(IDC局域网server无外网IP又希望客户端在不同网络内能直接访问它)
------------------------------------------------------------------------
实现需求 |在远端通过VPN客户端拨号到VPNserver,然后对后端多个server直接访问,管理维护
-----------------------------------------------------------------------------------------------
实验环境:
[root@mode network-scripts]# uname -r
2.6.18-308.el5
[root@mode network-scripts]# uname -m
x86_64
[root@mode network-scripts]# cat /etc/redhat-release
CentOS release 5.8 (Final)
同步时间
[root@mode network-scripts]# /sbin/ntpdate pool.ntp.org
[root@mode network-scripts]# crontab -e
#sync time
*/10 * * * * /sbin/ntpdate pool.ntp.org >/dev/null 2>&1
安装openVPN依赖包
#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
#[root@mode openvpn]# wget http://down1.chinaunix.net/distfiles/openvpn-2.1_rc4.tar.gz
lzo-2.02.tar.gz
openvpn-2.0.9.tar.gz
mkdir -p /home/jin/tools/openvpn
cd ../../../openvpn
tar xf lzo-2.02.tar.gz
cd lzo-2.02
./configure
make && make install
cd ../
#wget http://down1.chinaunix.net/distfiles/openvpn-2.1_rc4.tar.gz
tar openvpn-2.1_rc4.tar.gz
tar -xf openvpn-2.1_rc4.tar.gz
cd openvpn-2.1_rc4
ls
./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
make && make install
echo $?
ll /usr/local/sbin/
[root@mode openvpn-2.1_rc4]# ll /usr/local/sbin/
total 1956
-rwxr-xr-x 1 root root 1995535 Jun 10 15:36 openvpn
[root@mode openvpn-2.1_rc4]# cd ..
建立CA证书
[root@mode openvpn-2.1_rc4]#
进入软件解压目录的2.0目录里
[root@mode 2.0]# pwd
/home/jin/tools/openvpn/openvpn-2.1_rc4/easy-rsa/2.0
[root@mode 2.0]# cp vars vars.bak
[root@mode 2.0]# vim vars vars #替换末尾6行内人
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SZ"
export KEY_CITY="ShenZheng"
export KEY_ORG="jin"
export KEY_EMAIL="it_jin@163.com"
[root@mode 2.0]# . vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/jin/tools/openvpn/openvpn-2.1_rc4/easy-rsa/2.0/keys
[root@mode 2.0]# ./clean-all
[root@mode 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....................
..
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
state or Province Name (full name) [SZ]:
Locality Name (eg, city) [ShenZheng]:
Organization Name (eg, company) [jin]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [jin CA]:jin #官方说明此处必须填写
Email Address [it_jin@163.com]:
[root@mode 2.0]#
[root@mode 2.0]# ls -la keys/
total 20
drwx------ 2 root root 4096 Jun 10 15:54 .
drwxrwxrwx 3 1000 1000 4096 Jun 10 15:52 ..
-rw-r--r-- 1 root root 1143 Jun 10 15:54 ca.crt #证书
-rw------- 1 root root 887 Jun 10 15:54 ca.key #私钥
-rw-r--r-- 1 root root 0 Jun 10 15:52 index.txt
-rw-r--r-- 1 root root 3 Jun 10 15:52 serial
生成服务器端证书和秘钥key文件
[root@mode 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
................
...........................................
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [ShenZheng]:
Organization Name (eg, company) [jin]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:server
Email Address [it_jin@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /home/jin/tools/openvpn/openvpn-2.1_rc4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SZ'
localityName :PRINTABLE:'ShenZheng'
organizationName :PRINTABLE:'jin'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'it_jin@163.com'
Certificate is to be certified until Jun 8 08:00:55 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mode 2.0]#
查看生成的结果
[root@mode 2.0]# ls -la keys/
total 48
drwx------ 2 root root 4096 Jun 10 16:01 .
drwxrwxrwx 3 1000 1000 4096 Jun 10 15:52 ..
-rw-r--r-- 1 root root 3763 Jun 10 16:01 01.pem
-rw-r--r-- 1 root root 1143 Jun 10 15:54 ca.crt
-rw------- 1 root root 887 Jun 10 15:54 ca.key
-rw-r--r-- 1 root root 96 Jun 10 16:01 index.txt
-rw-r--r-- 1 root root 21 Jun 10 16:01 index.txt.attr
-rw-r--r-- 1 root root 0 Jun 10 15:52 index.txt.old
-rw-r--r-- 1 root root 3 Jun 10 16:01 serial
-rw-r--r-- 1 root root 3 Jun 10 15:52 serial.old
-rw-r--r-- 1 root root 3763 Jun 10 16:01 server.crt
-rw-r--r-- 1 root root 688 Jun 10 16:00 server.csr
-rw------- 1 root root 891 Jun 10 16:00 server.key
建立客户端证书和key文件
生成客户端证书和key文件 若建立多个客户端证书 则重复./build-key 客户端名(自定义),只需修改Common Name项和客户端名相同即可
每一个登录的VPN客户端需要有一个证书,每个证书在同一时刻只能供一个客户端连接,如果有多个人每个人需要建立一份证书
[root@mode 2.0]# ./build-key test
Generating a 1024 bit RSA private key
...................
...
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [ShenZheng]:
Organization Name (eg, company) [jin]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) [test]:
Email Address [it_jin@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/jin/tools/openvpn/openvpn-2.1_rc4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SZ'
localityName :PRINTABLE:'ShenZheng'
organizationName :PRINTABLE:'jin'
organizationalUnitName:PRINTABLE:'test'
commonName :PRINTABLE:'test'
emailAddress :IA5STRING:'it_jin@163.com'
Certificate is to be certified until Jun 8 08:13:02 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mode 2.0]# ls -lrt keys/
。。。
test.key
-rw-r--r-- 1 root root 676 Jun 10 16:13 test.csr
-rw-r--r-- 1 root root 3665 Jun 10 16:13 test.crt
-rw-r--r-- 1 root root 3 Jun 10 16:13 serial
-rw-r--r-- 1 root root 21 Jun 10 16:13 index.txt.attr
-rw-r--r-- 1 root root 198 Jun 10 16:13 index.txt
-rw-r--r-- 1 root root 3665 Jun 10 16:13 02.pem
使用build-key-pass命令建立客户端证书和key
[root@mode 2.0]# ./build-key-pass girl
Generating a 1024 bit RSA private key
..........
...................................................................................................................................................
writing new private key to 'girl.key'
Enter PEM pass phrase: #敲入密码
Verifying - Enter PEM pass phrase: #密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SZ]:
Locality Name (eg, city) [ShenZheng]:
Organization Name (eg, company) [jin]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [girl]:girl
Email Address [it_jin@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /home/jin/tools/openvpn/openvpn-2.1_rc4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SZ'
localityName :PRINTABLE:'ShenZheng'
organizationName :PRINTABLE:'jin'
commonName :PRINTABLE:'girl'
emailAddress :IA5STRING:'it_jin@163.com'
Certificate is to be certified until Jun 8 08:19:28 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mode 2.0]# ls -lrt keys/
...
girl.key
-rw-r--r-- 1 root root 684 Jun 10 16:19 girl.csr
-rw-r--r-- 1 root root 3 Jun 10 16:19 serial
-rw-r--r-- 1 root root 21 Jun 10 16:19 index.txt.attr
-rw-r--r-- 1 root root 292 Jun 10 16:19 index.txt
-rw-r--r-- 1 root root 3636 Jun 10 16:19 girl.crt
-rw-r--r-- 1 root root 3636 Jun 10 16:19 03.pem
最后生成generate diffie hellman parameters 秘钥交换
root@mode 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............ ............................................................ ..................................................... ........................................................................................ ....................................... ...................................................... ...................................... .......................................... ........................................ . .......... ................... .......... ...... .................................................................................... ................................................. .......... .................................................................................................... .............................. .......................................................... ................. ........................ ...................... .... .. ........................ .................................................................................................................................................................................................... * * *
[root@mode 2.0]# ls -lrt keys/
total 84
。。。
-rw-r--r-- 1 root root 245 Jun 10 16:28 dh1024.pem
文件说明
ca.crt 服务端和客户端都必须有,做root ca certificate 非加密的
ca.key 机器的标识 root ca key 加密的
dh{n}.pem 服务端才有
server.crt 服务端才有
server.key 服务端才有
。。。客户端省略
创建openVPN服务端的配置文件,并把keys挪过来
[root@mode 2.0]# mkdir -p /etc/openvpn
[root@mode 2.0]# cp -a keys /etc/openvpn/
[root@mode openvpn-2.1_rc4]# cp -a sample-config-files/*.conf /etc/openvpn/ #配置文件也挪过来
[root@mode openvpn-2.1_rc4]# tree /etc/openvpn/
/etc/openvpn/
|-- client.conf
|-- keys
| |-- 01.pem
| |-- 02.pem
| |-- 03.pem
| |-- ca.crt
| |-- ca.key
| |-- dh1024.pem
| |-- girl.crt
| |-- girl.csr
| |-- girl.key
| |-- index.txt
| |-- index.txt.attr
| |-- index.txt.attr.old
| |-- index.txt.old
| |-- serial
| |-- serial.old
| |-- server.crt
| |-- server.csr
| |-- server.key
| |-- test.crt
| |-- test.csr
| `-- test.key
|-- server.conf
|-- static-home.conf
|-- static-office.conf
|-- tls-home.conf
`-- tls-office.conf
1 directory, 27 files
[root@mode openvpn-2.1_rc4]#
[root@mode openvpn]# ll
total 36
-rw-r--r-- 1 1000 1000 3427 Apr 26 2007 client.conf
drwx------ 2 root root 4096 Jun 10 16:28 keys
-rw-r--r-- 1 1000 1000 9970 Apr 26 2007 server.conf #服务端模板配置文件
-rw-r--r-- 1 1000 1000 1742 Apr 26 2007 static-home.conf
-rw-r--r-- 1 1000 1000 1688 Apr 26 2007 static-office.conf
-rw-r--r-- 1 1000 1000 1937 Apr 26 2007 tls-home.conf
-rw-r--r-- 1 1000 1000 1948 Apr 26 2007 tls-office.conf
[root@mode openvpn]# cp server.conf server.conf.bak
[root@mode openvpn]# egrep -v "^#|^$|;" server.conf >jin-vpn.conf
[root@mode openvpn]# less jin-vpn.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
######企业环境#####################
local 124.43.12.115
port 52115
push "route 10.0.0.0 255.255.255.0"
client-to-client
duplicate-cn
log /var/log/openvpn.log
###################################
[root@mode openvpn]# cat jin-vpn.conf
local 192.168.157.63
port 52115
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "route 192.168.2.20 255.255.255.0"
client-to-client
log /var/log/openvpn.log
启动VPN服务
[root@mode openvpn]# sed -i "s#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g" /etc/sysctl.conf
[root@mode openvpn]# sysctl -p
[root@mode openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/jin-vpn.conf &[1] 23754
[root@mode openvpn]# netstat -lntup |grep 52115
udp 0 0 192.168.157.63:52115 0.0.0.0:* 23754/openvpn
[root@mode openvpn]# ps -ef|grep vpn
root 23754 2527 0 17:06 pts/0 00:00:00 /usr/local/sbin/openvpn --config /etc/openvpn/jin-vpn.conf
root 23776 2527 0 17:07 pts/0 00:00:00 grep vpn
[root@mode openvpn]#
追加到rc.local
或者
[root@mode openvpn]# cp /home/jin/tools/openvpn/openvpn-2.1_rc4/sample-scripts/openvpn.init /etc/init.d/openvpnd
[root@mode openvpn]# chmod 755 /etc/init.d/openvpnd
[root@mode openvpn]# chkconfig openvpnd on
[root@mode openvpn]# chkconfig --list |grep openvpnd
openvpnd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@mode openvpn]#
客户端配置
[root@mode openvpn]# egrep -v "^#|^;|^$" client.conf >c-jin.conf
[root@mode openvpn]# vim c-jin.conf
client
client
dev tun
proto udp #和服务端一致
remote 192.168.157.63 52115 #服务端的公网IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt #
cert girl.crt #
key girl.key #
comp-lzo
"c-jin.conf" 13L, 157C written
[root@mode openvpn]# sz c-jin.conf
rz
正在开始 zmodem 传输。 按 Ctrl C 取消。
正在传输 c-jin.conf...
100% 157 bytes 157 bytes/s 00:00:01 0 错误
?]0;root@mode:/etc/openvpn[root@mode openvpn]#
把客户端配置文件下载到客户端的
C:\Program Files (x86)\OpenVPN\config\c-jin
改名为c-jin.ovpn
包含的文件为:
ca.crt
c-jin.ovpn
girl.crt
girl.key
测试连接
启动openVPN-gui 敲入密码
VPN服务添加路由使VPN服务器的其它内网机器可以访问
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.2.20
,
