歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux綜合 >> 學習Linux

Centos6.5搭建openvpn服務器

Centos6.5搭建openvpn服務器


Centos6.5搭建openvpn服務器


因為新版本openvpn裡面沒有包含最重要的證書制作部分:easy-rsa所以,需要事先下載好easyrsa,可以到GitHub上進行下載,配置過程將在下面第3步進行,本次部署使用了easy-rsa3,與easy-rsa2.0的操作完全不同,網上其它關於easy-rsa2.0的教程不適合本次部署

在部署openvpn之前,最好用ntpdate同步一下服務器的時間,否則生成證書的時間也不准確,會造成那個什麼centificate error等的錯誤!

1、安裝lzo

lzo是致力於解壓速度的一種數據壓縮算法

[root@vpn~]# wgethttp://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz

[root@vpn~]#tarxflzo-2.09.tar.gz

[root@vpn~]#cdlzo-2.09

[[email protected]]#./configure&&make&&makeinstall

2、安裝openvpn

[root@vpn~]# yum install -yopenssl-devel

[root@vpn~]#wgethttps://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz

[root@vpn~]# tar zxvfopenvpn-2.3.11.tar.gz

[root@vpn~]#cdopenvpn-2.3.11

[[email protected]]#./configure--with-lzo-headers=/usr/local/include/--with-lzo-lib=/usr/local/lib

[[email protected]]#make&&makeinstall

[[email protected]]#whichopenvpn

/usr/local/sbin/openvpn#看到這裡,說明安裝openvpn成功

3、配置easyrsa服務端

openvpn-2.3.11軟件包不包含證書(ca證書,服務端證書,客戶端證書)制作工具,所以還需要單獨下載easy-rsa,最新的為easy-rsa3

[root@vpn~]# wgethttps://github.com/OpenVPN/easy-rsa/archive/master.zip

[root@vpn~]#unzipmaster.zip

[root@vpn~]#mveasy-rsa-mastereasy-rsa

[root@vpn~]#cp-Reasy-rsa//usr/local/share/doc/openvpn/

[root@vpn~]# cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/

[root@vpneasyrsa3]#cpvars.examplevars

[root@vpneasyrsa3]#vimvars

set_varEASYRSA_REQ_COUNTRY"CN"

set_varEASYRSA_REQ_PROVINCE"Beijing"

set_varEASYRSA_REQ_CITY"Beijing"

set_varEASYRSA_REQ_ORG"qiangshCertificate"

set_varEASYRSA_REQ_EMAIL"[email protected]"

set_varEASYRSA_REQ_OU"MyOpenVPN"

4、創建服務端證書及key

(1)初始化

[root@vpneasyrsa3]#ls

easyrsaopenssl-1.0.cnfvarsvars.examplex509-types

[root@vpneasyrsa3]#

[root@vpneasyrsa3]#./easyrsainit-pki

Note: using Easy-RSAconfiguration from: ./vars

init-pki complete; you may nowcreate a CA or requests.

Your newly created PKI dir is:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki

(2)創建根證書

[root@vpneasyrsa3]#./easyrsabuild-ca

Note: using Easy-RSAconfiguration from: ./vars

Generating a 2048 bit RSA privatekey

..+++

..........................+++

writing new private key to'/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key.GiibbqFhXm'

Enter PEM pass phrase: #輸入密碼,此密碼用途證書簽名

Verifying - Enter PEM passphrase: #再次輸入密碼

-----

You are about to be asked toenter information that will be incorporated

into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host,or server name) [Easy-RSA CA]:qiangsh #輸入一個Common Name

CA creation complete and you maynow import and sign cert requests.

Your new CA certificate file forpublishing is at:

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

(3)創建服務器端證書

[root@vpneasyrsa3]#./easyrsagen-reqservernopass

Note: using Easy-RSAconfiguration from: ./vars

Generating a 2048 bit RSA privatekey

.......................................+++

......................................+++

writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.MIGrh2B6S8'

-----

You are about to be asked toenter information that will be incorporated

into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host,or server name) [server]:qiangsh-BJ #該Common Name一定不要與創建根證書時的一樣 !!!

Keypair and certificate requestcompleted. Your files are:

req:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req

key:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

(4)簽約服務器端證書

[root@vpneasyrsa3]#./easyrsasignserverserver

Note: using Easy-RSAconfiguration from: ./vars

You are about to sign thefollowing certificate.

Please check over the detailsshown below for accuracy. Note that this request

has not been cryptographicallyverified. Please be sure it came from a trusted

source or that you have verifiedthe request checksum with the sender.

Request subject, to be signed asa server certificate for 3650 days:

subject=

commonName = qiangsh-BJ

Type the word 'yes' to continue,or any other input to abort.

Confirm request details:yes #輸入yes繼續

Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf

Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #輸入剛才創建根證書時的密碼

Check that the request matchesthe signature

Signature ok

The Subject's Distinguished Nameis as follows

commonName :PRINTABLE:'qiangsh-BJ'

Certificate is to be certifieduntil Jun 6 07:19:45 2026 GMT (3650 days)

Write out database with 1 newentries

Data Base Updated

Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

(5)創建Diffie-Hellman,確保key穿越不安全網絡的命令:

[root@vpneasyrsa3]#./easyrsagen-dh

Note: using Easy-RSAconfiguration from: ./vars

Generating DH parameters, 2048bit long safe prime, generator 2

This is going to take a long time

..........................................................................+...........................+.............................................................+...........................+.................................................................................................................................................................................................................................................+...............................................................................................................................+..+.................................................................+..........................................................................................+..............+...............................................................................................................................................................................+........................................................................................+...............................................................................+................................................+..........++*++*

DH parameters of size 2048 created at/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

5、創建客戶端證書

(1)在根目錄下建立client目錄

[root@vpneasyrsa3]#cd

[root@vpn~]#mkdirclient

[root@vpn~]# cp -R /mnt/easy-rsa/ client/

(2)初始化

[root@vpn~]#cdclient/easy-rsa/easyrsa3/

[root@vpneasyrsa3]#ls

easyrsaopenssl-1.0.cnfvarsvars.examplex509-types

[root@vpneasyrsa3]#./easyrsainit-pki

Note:usingEasy-RSAconfigurationfrom:./vars

init-pkicomplete;youmaynowcreateaCAorrequests.

YournewlycreatedPKIdiris:/root/client/easy-rsa/easyrsa3/pki

(3)創建客戶端key及生成證書

[root@vpneasyrsa3]#./easyrsagen-reqqiangsh

Generating a 2048 bit RSA privatekey

.......................+++

........................................................+++

writing new private key to'/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.LD7Wk6hmQq'

Enter PEM pass phrase: #輸入密碼

Verifying - Enter PEM passphrase: #再次輸入密碼

-----

You are about to be asked toenter information that will be incorporated

into your certificate request.

What you are about to enter iswhat is called a Distinguished Name or a DN.

There are quite a few fields butyou can leave some blank

For some fields there will be adefault value,

If you enter '.', the field willbe left blank.

-----

Common Name (eg: your user, host,or server name) [qiangsh]:qiangsh #輸入qiangsh

Keypair and certificate request completed.Your files are:

req:/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req

key:/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key

(4)將得到的qiangsh.req導入並簽約證書

[root@vpn~]# cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/

[root@vpneasyrsa3]##導入req

[root@vpneasyrsa3]#./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.reqqiangsh

Note: using Easy-RSAconfiguration from: ./vars

The request has been successfullyimported with a short name of: qiangsh

You may now use this name toperform signing operations on this request.

[root@vpneasyrsa3]##簽約證書

[root@vpneasyrsa3]#./easyrsasignclientqiangsh

Note: using Easy-RSAconfiguration from: ./vars

You are about to sign thefollowing certificate.

Please check over the detailsshown below for accuracy. Note that this request

has not been cryptographicallyverified. Please be sure it came from a trusted

source or that you have verifiedthe request checksum with the sender.

Request subject, to be signed asa client certificate for 3650 days:

subject=

commonName = qiangsh

Type the word 'yes' to continue,or any other input to abort.

Confirm request details:yes #輸入yes

Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf

Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #輸入創建根證書時的密碼

Check that the request matchesthe signature

Signature ok

The Subject's Distinguished Nameis as follows

commonName :PRINTABLE:'qiangsh'

Certificate is to be certifieduntil Jun 6 07:50:02 2026 GMT (3650 days)

Write out database with 1 newentries

Data Base Updated

Certificate created at:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt#簽約成功

(5)服務端及客戶端生成的文件

服務端:(/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/)文件夾

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh.req

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt

/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

客戶端:(/root/client/easy-rsa)

/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key

/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req #這個文件被我們導入到了服務端文件,所以那裡也有

(6)拷貝服務器密鑰及證書等到openvpn目錄

[root@vpn~]#cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt/usr/local/share/doc/openvpn/

[root@vpn~]#cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key/usr/local/share/doc/openvpn/

[root@vpn~]#cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt/usr/local/share/doc/openvpn/

[root@vpn~]#cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem/usr/local/share/doc/openvpn/

(7)拷貝客戶端密鑰及證書等到client目錄

[root@vpn~]#cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt/root/client/

[root@vpn~]#cp/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt/root/client/

[root@vpn~]# cp/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/

(8)為服務端編寫配置文件

當安裝好openvpn時候,它會提供一個server配置的文件例子

將此例子拷貝openvpn目錄,然後配置

[root@vpn~]#cp/mnt/openvpn-2.3.11/sample/sample-config-files/server.conf/usr/local/share/doc/openvpn/

[root@vpn~]#vim/usr/local/share/doc/openvpn/server.conf

local192.168.1.100 #(自己vpsIP)

port1194

protoudp

devtun

ca/usr/local/share/doc/openvpn/ca.crt

cert/usr/local/share/doc/openvpn/server.crt

key/usr/local/share/doc/openvpn/server.key#Thisfileshouldbekeptsecret

dh/usr/local/share/doc/openvpn/dh.pem

server10.8.0.0255.255.255.0

ifconfig-pool-persistipp.txt

push"redirect-gatewaydef1bypass-dhcp"

push"dhcp-optionDNS8.8.8.8"

keepalive10120

comp-lzo

max-clients100

persist-key

persist-tun

statusopenvpn-status.log

verb3

(9)開啟系統轉發功能

[root@vpn~]#vim/etc/sysctl.conf

net.ipv4.ip_forward=0改成net.ipv4.ip_forward=1

[root@vpn~]#sysctl-p

[root@vpn~]#sysctl-a|grepnet.ipv4.ip_forward

net.ipv4.ip_forward=1

(10)封裝出去的數據包(eth0是你的vps外網的網卡):

/sbin/iptables-tnat-IPOSTROUTING-s10.8.0.0/255.255.255.0-oeth0-jMASQUERADE

三、下載openvpn客戶端,並進行配置

1、將客戶端密鑰及證書等拷出到windows備用

[root@vpn~]#cdclient/

[root@vpnclient]#ls

ca.crteasy-rsanmshuishui.crtnmshuishui.key#帶後綴的這三個

2、安裝openvpn-gui工具

(1)將C:\ProgramFiles\OpenVPN\sample-config\client.ovpn復制到C:\Program Files\OpenVPN\config

(2)將從linux中拷貝出來的三個密鑰及證書放到D:\Program Files (x86)\OpenVPN\config下

wKiom1dX5iHS_rdnAADeSTMGZT4528.png-wh_50

(3)編輯C:\ProgramFiles\OpenVPN\config\client.ovpn,修改為

client

devtun

protoudp

remote192.168.1.1001194

resolv-retryinfinite

nobind

persist-key

persist-tun

caca.crt//這裡需要證書

certqiangsh.crt

keyqiangsh.key

comp-lzo

verb3

四、啟動服務、測試

1、在vpn服務器上啟動openvpn服務

[root@vpn~]#/usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf &

[root@vpn~]#echo"/usr/local/sbin/openvpn--config /usr/local/share/doc/openvpn/server.conf &

">>/etc/rc.local#設為開機啟動

2、在openvpn-gui上右鍵Connect輸入密碼連接

wKioL1dX6CLCotfAAADWyGhjCis767.png-wh_50

3、查看vpn狀態

wKioL1dX6EzgLqzBAAD4549Y5zM979.png-wh_50

http://xxxxxx/Linuxjc/1134258.html TechArticle

Copyright © Linux教程網 All Rights Reserved