
Installing OpenVPN on CentOS 6.6


VPN basics

Virtual Private Network (VPN)

Purpose: build a secure private network on top of an insecure public network and transmit data encrypted.

VPN and tunneling

Tunneling involves three protocols:

Passenger protocol: the protocol being encapsulated, e.g. PPP, SLIP

Encapsulating protocol: sets up, maintains and tears down the tunnel, e.g. L2TP, IPSec

Carrier protocol: carries the encapsulated packets, e.g. IP

Deployment example

I. Environment setup

Intranet host (slave1)    VPN server (master)              VPN client (slave2)
192.168.1.0/24            192.168.1.1 (eth0, internal)     202.102.1.2
                          202.102.1.1 (eth1, external)

Set the default gateway on the intranet host:

[root@slave1 ~]# ip route

192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2

169.254.0.0/16 dev eth0 scope link metric 1002

default via 192.168.1.1 dev eth0

Configure the internal and external interface addresses on the VPN server:

[root@master ~]# ip addr show eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:1f:e0:45 brd ff:ff:ff:ff:ff:ff

inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0

inet6 fe80::20c:29ff:fe1f:e045/64 scope link

valid_lft forever preferred_lft forever

[root@master ~]# ip addr show eth1

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:1f:e0:4f brd ff:ff:ff:ff:ff:ff

inet 202.102.1.1/24 brd 202.102.1.255 scope global eth1

inet6 fe80::20c:29ff:fe1f:e04f/64 scope link

valid_lft forever preferred_lft forever

[root@master ~]# ip route

202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1

192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1

169.254.0.0/16 dev eth0 scope link metric 1002

169.254.0.0/16 dev eth1 scope link metric 1003

[root@master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

II. CA certificate issuance

Workflow: create the CA / issue the VPN server certificate / issue the VPN client certificate / generate the key-exchange parameter file

1. Configure the CA and generate private keys and signed certificates for vpnserver and vpnclient (done on the vpnserver side)

Install the OpenVPN packages:

[root@vpnserver OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm // used for data compression

[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm

Generate the CA private key and certificate:

[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/

[root@vpnserver easy-rsa]# ls

2.0 build-key build-req make-crl revoke-full

build-ca build-key-pass build-req-pass openssl.cnf sign-req

build-dh build-key-pkcs12 clean-all README vars

build-inter build-key-server list-crl revoke-crt Windows

[root@vpnserver easy-rsa]# chmod +x *

[root@vpnserver easy-rsa]# vim vars

export KEY_COUNTRY=CN

export KEY_PROVINCE=BJ

export KEY_CITY=BJ

export KEY_ORG="uplooking"

export KEY_EMAIL="[email protected]"

[root@vpnserver easy-rsa]# source vars

NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys

[root@vpnserver easy-rsa]# ./clean-all # remove old certificate files from the keys directory

[root@vpnserver easy-rsa]# ./build-ca # generate the CA private key and certificate

Generating a 1024 bit RSA private key

..........................++++++

...........++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [uplooking]:

Organizational Unit Name (eg, section) []:jiaoxue

Common Name (eg, your name or your server's hostname) []: ca.example.com

Email Address [[email protected]]:

[root@vpnserver easy-rsa]# ls // the keys directory has now been created

2.0 build-key-pass clean-all README Windows

build-ca build-key-pkcs12 keys revoke-crt

build-dh build-key-server list-crl revoke-full

build-inter build-req make-crl sign-req

build-key build-req-pass openssl.cnf vars

[root@vpnserver easy-rsa]# ls keys/

ca.crt ca.key index.txt serial

2. Generate the vpnserver private key and certificate:

[root@vpnserver easy-rsa]# ./build-key-server vpnserver

Generating a 1024 bit RSA private key

..................................................++++++

.........................++++++

writing new private key to 'vpnserver.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [uplooking]:

Organizational Unit Name (eg, section) []:jiaoxue

Common Name (eg, your name or your server's hostname) []:vpnserver.example.com

Email Address [[email protected]]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BJ'

localityName :PRINTABLE:'BJ'

organizationName :PRINTABLE:'uplooking'

commonName :PRINTABLE:'vpnserver.example.com'

emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@vpnserver easy-rsa]# ls keys/

01.pem index.txt serial vicvpnserver.csr

ca.crt index.txt.attr serial.old vicvpnserver.key

ca.key index.txt.old vicvpnserver.crt

3. Generate a private key and certificate for each client:

[root@vpnserver easy-rsa]# ./build-key client1

Generating a 1024 bit RSA private key

............................++++++

...................++++++

writing new private key to 'client1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BJ]:

Organization Name (eg, company) [uplooking]:

Organizational Unit Name (eg, section) []:jiaoxue

Common Name (eg, your name or your server's hostname) []: client1.example.com

Email Address [[email protected]]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BJ'

localityName :PRINTABLE:'BJ'

organizationName :PRINTABLE:'uplooking'

commonName :PRINTABLE:'client1.example.com'

emailAddress :IA5STRING:'[email protected]'

Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

4. Review the generated certificates and private keys

[root@vpnserver easy-rsa]# ls keys/

01.pem client1.crt index.txt.attr serial.old

02.pem client1.csr index.txt.attr.old vicvpnserver.crt

ca.crt client1.key index.txt.old vicvpnserver.csr

ca.key index.txt serial vicvpnserver.key

5. Create the key-agreement (Diffie-Hellman) parameter file

[root@vpnserver easy-rsa]# pwd

/usr/share/doc/openvpn-2.0.9/easy-rsa

[root@vpnserver easy-rsa]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time


III. VPN server configuration

Prerequisite: ip_forward is enabled on the VPN server

1. Check and copy the key files

[root@master keys]# pwd

/usr/share/doc/openvpn-2.0.9/easy-rsa/keys

[root@master keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/

[root@master keys]# ls /etc/openvpn/

ca.crt vpnserver.crt vpnserver.key

[root@master easy-rsa]# cp keys/dh1024.pem /etc/openvpn/

2. Configure the VPN server

[root@master ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/

// OpenVPN server configuration file

[root@master ~]# vim /etc/openvpn/server.conf

[root@master ~]# grep -P -v "^(#|;|$)" /etc/openvpn/server.conf

local 202.102.1.1

port 1194

proto udp

dev tap

ca ca.crt

cert vpnserver.crt

key vpnserver.key # This file should be kept secret

dh dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.1.0 255.255.255.0"

keepalive 10 120

comp-lzo

user nobody

group nobody

persist-key

persist-tun

status openvpn-status.log

verb 3

3. Start the VPN server

[root@master ~]# service openvpn start

[root@master ~]# chkconfig openvpn on

[root@master ~]# ip addr sh tap0

13: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100

link/ether 12:31:8b:9a:e3:02 brd ff:ff:ff:ff:ff:ff

inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0

inet6 fe80::1031:8bff:fe9a:e302/64 scope link

valid_lft forever preferred_lft forever

[root@master ~]# ip route

202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1

10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1

192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1

169.254.0.0/16 dev eth0 scope link metric 1002

169.254.0.0/16 dev eth1 scope link metric 1003

IV. VPN client configuration

1. Basic environment

[root@slave2 ~]# ip addr show eth1

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff

inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1

inet6 fe80::20c:29ff:fe77:2aa6/64 scope link

valid_lft forever preferred_lft forever

[root@slave2 ~]# ip route

202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2

192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3

169.254.0.0/16 dev eth0 scope link metric 1002

169.254.0.0/16 dev eth1 scope link metric 1003

[root@slave2 OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm

[root@slave2 OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm

2. Copy the corresponding keys from vpnserver

[root@slave2 openvpn]# cd /etc/openvpn/

[root@slave2 openvpn]# ls c*

ca.crt client1.crt client1.key

3. Configure the VPN client

[root@slave2 openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/

[root@slave2 openvpn]# vi /etc/openvpn/client.conf

[root@slave2 openvpn]# grep -P -v "^(;|#|$)" client.conf

client

dev tap

proto udp

remote vpn.example.com 1194 # this FQDN must resolve to the IP of vpnserver's external interface

resolv-retry infinite

nobind

user nobody

group nobody

persist-key

persist-tun

ca ca.crt

cert client1.crt

key client1.key

comp-lzo

verb 3
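To check the server.conf above and the client.conf just shown against the points this section relies on (privilege drop to nobody, persist-key/persist-tun, credential files present and the private key kept secret), here is an added audit script; it is not part of the page or of OpenVPN, it reads a config the same way the page's grep filter does, and build_sample_dir creates a constructed stand-in for /etc/openvpn with placeholder files.

```python
import os
import shlex
import stat
import tempfile
# Constructed excerpt of the page's server.conf: only the lines the checks need.
SERVER_CONF = """\
ca ca.crt
key vpnserver.key # This file should be kept secret
user nobody
group nobody
persist-key
persist-tun
"""

def parse_openvpn_conf(text):
    """(directive, args) pairs for the lines the page's grep filter keeps."""
    lines = [ln.strip() for ln in text.splitlines()]
    # comments=True drops trailing '# ...' remarks, as OpenVPN itself does
    parts = [shlex.split(ln, comments=True) for ln in lines if ln and ln[0] not in "#;"]
    return [(p[0], p[1:]) for p in parts if p]

def audit_openvpn_conf(text, conf_dir):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_openvpn_conf(text)
    names = {n for n, _ in entries}
    findings = [f"missing '{d}': daemon stays root" for d in ("user", "group") if d not in names]
    # Once privileges are dropped, a restart (keepalive timeout, SIGUSR1) can only
    # reopen the key and the tun/tap device if persist-key/persist-tun are set.
    if "user" in names:
        findings += [f"'{d}' missing although privileges are dropped"
                     for d in ("persist-key", "persist-tun") if d not in names]
    # Credential files resolve relative to the config dir; keep the key private.
    for name, args in entries:
        if name in ("ca", "cert", "key", "dh") and args:
            path = os.path.join(conf_dir, args[0])
            if not os.path.isfile(path):
                findings.append(f"'{name} {args[0]}': file not found in {conf_dir}")
            elif name == "key" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"'{args[0]}' is readable by group/others")
    return findings

def build_sample_dir(key_mode=0o600):
    """Throwaway /etc/openvpn look-alike with placeholder (not real) credential files."""
    d = tempfile.mkdtemp()
    for f in ("ca.crt", "vpnserver.key"):
        with open(os.path.join(d, f), "w") as fh:
            fh.write("placeholder\n")
    os.chmod(os.path.join(d, "vpnserver.key"), key_mode)
    return d
```

Run it as audit_openvpn_conf(open("/etc/openvpn/server.conf").read(), "/etc/openvpn") on the real host; the client.conf is checked the same way.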

4. Start and test

[root@slave2 ~]# service openvpn restart

[root@slave2 ~]# chkconfig openvpn on

[root@slave2 ~]# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:77:2a:9c brd ff:ff:ff:ff:ff:ff

inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0

inet6 fe80::20c:29ff:fe77:2a9c/64 scope link

valid_lft forever preferred_lft forever

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff

inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1

inet 172.16.80.58/24 scope global eth1

inet6 fe80::20c:29ff:fe77:2aa6/64 scope link

valid_lft forever preferred_lft forever

10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100

link/ether c6:b9:f9:45:99:3a brd ff:ff:ff:ff:ff:ff

inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0

inet6 fe80::c4b9:f9ff:fe45:993a/64 scope link

valid_lft forever preferred_lft forever

[root@slave2 ~]# ip route

202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2

192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3

192.168.1.0/24 via 10.8.0.1 dev tap0

10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2

169.254.0.0/16 dev eth0 scope link metric 1002

169.254.0.0/16 dev eth1 scope link metric 1003

V. VPN extensions

1. Username/password authentication

1). Add the following to /etc/openvpn/server.conf with vim:

#########auth password########

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

#client-cert-not-required

username-as-common-name

##############################

The three lines mean, respectively: the user-authentication script to run; do not require a client certificate and authenticate by username/password only (comment this line out if certificate and password authentication are both to be enabled); use the username supplied by the client as the Common Name.

2). Create /etc/openvpn/checkpsw.sh with the following content:

#!/bin/sh
########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# With "auth-user-pass-verify ... via-env", OpenVPN supplies the client's
# credentials in the environment variables $username and $password;
# exit status 0 accepts the login and 1 rejects it.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# The username comes from the (not yet authenticated) client, so hand it to
# awk with -v instead of splicing it into the awk program text.
CORRECT_PASSWORD=`awk -v user="${username}" '!/^;/ && !/^#/ && $1 == user { print $2; exit }' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

# Only the username is logged; the submitted password never goes to the log file.
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

[root@node4 openvpn]# ll checkpsw.sh

-rwxr--r-- 1 root root 1191 Sep 17 23:52 checkpsw.sh

[root@node4 openvpn]# chown nobody.nobody checkpsw.sh

3). Create the username/password list file /etc/openvpn/psw-file

File format: username<Tab>password

user1 pass

user2 pass

[root@node4 openvpn]# chmod 400 /etc/openvpn/psw-file

[root@node4 openvpn]# chown nobody.nobody /etc/openvpn/psw-file

4). Modify the VPN client configuration file

First, comment out the certificate lines (certificate authentication may also be left enabled):

;cert client1.crt

;key client1.key

Second, add the directive that makes the client prompt for a username and password:

auth-user-pass
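As an added example (not part of the page and not Mathias Sundman's script), here is a hashed-password variant of the via-env check above: it keeps OpenVPN's via-env contract (the username and password environment variables, exit 0 to accept) and the page's psw-file path, but the line format user<TAB>pbkdf2_sha256$iters$salt$hash is a constructed one, produced with make_entry.

```python
#!/usr/bin/env python3
# Hypothetical hashed-password replacement for checkpsw.sh. OpenVPN's via-env
# mode passes the client's $username/$password in the environment; exit 0 accepts.
import hashlib, hmac, os, secrets, sys

PASSFILE = "/etc/openvpn/psw-file"   # same file the page's script reads
ITERATIONS = 200_000                 # PBKDF2 work factor for new entries

def make_entry(username, password, salt=None):
    """One psw-file line: user<TAB>pbkdf2_sha256$iters$salt_hex$hash_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}\tpbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_user(lines, username, password):
    """True only if username has an entry and password matches its stored hash."""
    for line in lines:
        line = line.strip()
        if not line or line[0] in ";#":       # same comment rule as the awk filter
            continue
        fields = line.split(None, 1)
        if len(fields) != 2 or fields[0] != username:
            continue
        try:
            algo, iters, salt_hex, hash_hex = fields[1].split("$")
            actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                         bytes.fromhex(salt_hex), int(iters))
            expected = bytes.fromhex(hash_hex)
        except ValueError:
            return False                       # malformed entry: fail closed
        # First entry for the username decides; compare in constant time.
        return algo == "pbkdf2_sha256" and hmac.compare_digest(actual, expected)
    return False

def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as fh:
            ok = verify_user(fh, username, password)
    except OSError:
        ok = False
    # Log outcome and username only; the submitted password is never written out.
    print(f"auth {'ok' if ok else 'failed'} for {username!r}", file=sys.stderr)
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

Install it in place of checkpsw.sh with the same ownership and mode, and populate psw-file with lines from make_entry instead of cleartext passwords.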

2. Installing the Windows VPN client

1). Download the Windows client "OpenVPN GUI for Windows" matching the OpenVPN server version from http://openvpn.se/files/

a) For example, if the server runs OpenVPN 2.0.9, the OpenVPN GUI for Windows to download is openvpn-2.0.9-gui-1.0.3-install.exe

2). Run openvpn-2.0.9-gui-1.0.3-install.exe, accepting all the defaults.

3). Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config. (Each user gets a different certificate; every certificate consists of a .crt and a .key file, e.g. client2.crt and client2.key.)

4). Build the client configuration file from /root/openvpn-2.0.9/sample-config-files/client.conf and save it as C:\Program Files\OpenVPN\config\client.ovpn, i.e. create the configuration file on the server first, then upload it to the client machine and rename it.

a) change proto udp to proto tcp

b) change the remote line to

192.168.1.103 1194

c) change the three ca lines to

ca ca.crt

cert client1.crt

key client1.key

d) comment out comp-lzo

Connect: right-click the OpenVPN icon in the system tray and choose "Connect". Under normal conditions the connection succeeds and an IP address is assigned.
