OpenVPN

Preparation before installation

# Disable SELinux
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
# Install openssl and lzo; lzo compresses tunnel traffic to speed up transfer
yum -y install openssl openssl-devel lzo

# Install the EPEL repository
yum install -y epel*

Install and configure OpenVPN and easy-rsa

# Install openvpn, easy-rsa and ntpdate
yum -y install openvpn easy-rsa ntpdate

# Sync the clock (certificate validity checks depend on correct time)
ntpdate asia.pool.ntp.org
# Enable IP forwarding: add the following line to /etc/sysctl.conf
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

# Apply the setting
sysctl -p

Configure easy-rsa 3.0

Copy the files:
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/3
[root@localhost 3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

Create a new PKI and CA

[root@localhost 3]# pwd
/etc/openvpn/easy-rsa/3
[root@localhost 3]# ./easyrsa init-pki  # create an empty PKI

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

[root@localhost 3]# ./easyrsa build-ca nopass  # create a new CA without a passphrase

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: (press Enter)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt

Create the server certificate

[root@localhost 3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3/pki/private/server.key

Sign the server certificate

[root@localhost 3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt

Create the Diffie-Hellman parameters

[root@localhost 3]# ./easyrsa gen-dh
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

At this point the server-side certificates are complete; next, create the client certificate.

Create the client certificate

Copy the files:
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/3
[root@localhost 3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

Generate the certificate request:
[root@localhost 3]# pwd
/etc/openvpn/client/easy-rsa/3
[root@localhost 3]# ./easyrsa init-pki  # create a new PKI

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3/pki


[root@localhost 3]# ./easyrsa gen-req dalin nopass  # client certificate named dalin, no passphrase

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3/pki/private/dalin.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dalin]: (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3/pki/reqs/dalin.req
key: /etc/openvpn/client/easy-rsa/3/pki/private/dalin.key

Finally, sign the client certificate with the server-side CA:
[root@localhost 3]# cd /etc/openvpn/easy-rsa/3
[root@localhost 3]# pwd
/etc/openvpn/easy-rsa/3
[root@localhost 3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3/pki/reqs/dalin.req dalin

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: dalin
You may now use this name to perform signing operations on this request.

[root@localhost 3]# ./easyrsa sign client dalin

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = dalin


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dalin'
Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/dalin.crt

Organize the certificates

All certificates have now been generated; let's organize them.

Files needed by the server

[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/private/server.key .
[root@localhost certs]# ll
总用量 20
-rw-------. 1 root root 1172 4月  11 10:02 ca.crt
-rw-------. 1 root root  424 4月  11 10:03 dh.pem
-rw-------. 1 root root 4547 4月  11 10:03 server.crt
-rw-------. 1 root root 1704 4月  11 10:02 server.key
cd /etc/openvpn/
# Generate ta.key (tls-auth HMAC key; protects the control channel against DoS, UDP floods and similar attacks)
openvpn --genkey --secret certs/ta.key

Files needed by the client

[root@localhost certs]# mkdir /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/issued/dalin.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3/pki/private/dalin.key /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/certs/ta.key /etc/openvpn/client/dalin/
[root@localhost certs]# ll /etc/openvpn/client/dalin/
总用量 16
-rw-------. 1 root root 1172 4月  11 10:07 ca.crt
-rw-------. 1 root root 4431 4月  11 10:08 dalin.crt
-rw-------. 1 root root 1704 4月  11 10:08 dalin.key
-rw-------. 1 root root 1704 4月  11 10:08 ta.key

These four files are all the client actually needs. Previously I downloaded everything simply because it was convenient, but this time I couldn't be bothered, haha. Now write the server configuration file. By the way, to add another user just start again from ./easyrsa gen-req; for commands such as revoking a user's certificate, see ./easyrsa --help yourself, or the GitHub project page.

Server configuration file

cd /etc/openvpn/
cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/
[root@ecs-de49 openvpn]# cat server.conf
port 11940
proto tcp
dev tun
ca certs/ca.crt
cert certs/server.crt
key certs/server.key  # This file should be kept secret
dh certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth certs/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 5
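As an added check (example code, not from the original post), the following shell function audits a server.conf like the one above for the directives that weaken the setup (duplicate-cn, comp-lzo) and for protections it lacks (crl-verify, tls-auth/tls-crypt, tls-version-min); the sample config it runs on is constructed from the directives shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an OpenVPN server.conf
# for settings that weaken the setup above and for protections that are missing.
# Assumes one directive per line, comments starting with '#' or ';'.

audit_openvpn_conf() {
    # drop comments and blank lines so a commented-out directive is not counted
    directives=$(sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1")
    # has NAME: true if the directive NAME starts a line
    has() { printf '%s\n' "$directives" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"; }

    has duplicate-cn && echo "WARN duplicate-cn: several clients may share one certificate, so per-user revocation is not possible"
    has comp-lzo && echo "WARN comp-lzo: compressing tunnel data exposes it to compression side-channel attacks (VORACLE); leave compression off"
    has crl-verify || echo "WARN crl-verify missing: revoked client certificates are still accepted"
    if ! has tls-auth && ! has tls-crypt; then
        echo "WARN no tls-auth/tls-crypt: control channel packets are not HMAC-authenticated"
    fi
    has tls-version-min || echo "INFO tls-version-min missing: consider 'tls-version-min 1.2'"
    verb=$(printf '%s\n' "$directives" | awk '$1 == "verb" { print $2 }')
    if [ -n "$verb" ] && [ "$verb" -ge 5 ]; then
        echo "INFO verb $verb: very verbose logging; lower it once the tunnel works"
    fi
    return 0
}

# Constructed sample: the relevant directives from the server.conf above
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
port 11940
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
duplicate-cn
keepalive 10 120
tls-auth certs/ta.key 0 # This file is secret
comp-lzo
verb 5
EOF
audit_openvpn_conf "$sample_conf"
rm -f "$sample_conf"
```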




Start the service and configure the firewall

[root@openvpn ~]# systemctl start openvpn@server
[root@openvpn ~]# systemctl enable openvpn@server

Configure iptables and forwarding

Stop firewalld:
[root@openvpn ~]# systemctl stop firewalld.service    // stop the service
[root@openvpn ~]# systemctl disable firewalld.service // do not start at boot
[root@openvpn ~]# firewall-cmd --state                // check the state

Install iptables and write the rules:
The iptables rules depend on your actual environment, so don't copy them blindly. In my case the server is freshly installed and sits inside the company network, with no need for port restrictions or access control, so I did the following.
[root@openvpn ~]# yum -y install iptables iptables-services
iptables -I INPUT -p tcp --dport 11940 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save
[root@openvpn ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@openvpn ~]# systemctl start iptables.service
[root@openvpn ~]# iptables -L -n
[root@openvpn ~]# iptables -t nat -L -n

Create the client configuration file

cd /etc/openvpn/client/dalin/
cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/client.conf client.ovpn
[root@ecs-1ca4 dalin]# egrep -v '^#|^$|^;' client.ovpn
client
dev tun
proto tcp
# public IP address of the server
remote 119.8.114.128 11940
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert dalin.crt
key dalin.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3


[root@ecs-1ca4 dalin]# tar -zcf dalin.tar.gz .

Export the client configuration file

Install the OpenVPN client software

https://www.techspot.com/downloads/5182-openvpn.html

Upload dalin.tar.gz from the OpenVPN server and extract it into the config folder of the Windows client installation directory (C:\Program Files\OpenVPN\config).

Delete a user and revoke the certificate

[root@openvpn ~]# cd /etc/openvpn/easy-rsa/3
[root@openvpn easy-rsa]# ./easyrsa revoke dalin


Note: using Easy-RSA configuration from: ./vars


Please confirm you wish to revoke the certificate with the following subject:

subject= 
    commonName                = dalin


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 06.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@openvpn easy-rsa]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: ./vars
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

After running the commands above the user's certificate is not deleted; only crl.pem is updated, as the message shows, and the file is at /etc/openvpn/easy-rsa/pki/crl.pem. To view the information on all certificates, you can do this:

[root@openvpn easy-rsa]# find /etc/openvpn/ -type f -name "index.txt" | xargs cat
V    280825082643Z        01    unknown    /CN=server
R    280826061455Z    181211135800Z    03    unknown    /CN=dalin

Two entries are listed for comparison: V means valid, R means revoked. At this point dalin's certificate can still connect to the server; the server now has to be told where crl.pem is, so edit the configuration file as follows.
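To make the V/R column usable from scripts, here is an added example (not part of the original post) that parses an index.txt like the one above into readable lines and answers whether a given CN is still valid; the sample entries are the two lines above, constructed with real tab separators.

```shell
#!/bin/sh
# Added example, not part of the original post: read the OpenSSL/easy-rsa
# index.txt database shown above and report each certificate's state.
# Fields are tab-separated: status (V valid, R revoked, E expired), expiry,
# revocation time (empty unless revoked), serial, filename, subject DN.
# Times are YYMMDDHHMMSSZ; a two-digit year is assumed to mean 20YY.

# cert_report INDEX: one line per certificate, with readable timestamps
cert_report() {
    awk -F'\t' '
    function ts(s) {
        return "20" substr(s, 1, 2) "-" substr(s, 3, 2) "-" substr(s, 5, 2) " " substr(s, 7, 2) ":" substr(s, 9, 2) ":" substr(s, 11, 2)
    }
    NF >= 6 {
        cn = $6; sub(/^.*\/CN=/, "", cn)
        state = ($1 == "V") ? "valid" : ($1 == "R") ? "REVOKED" : ($1 == "E") ? "expired" : $1
        line = cn "\t" state "\tserial=" $4 "\texpires=" ts($2)
        if ($1 == "R") line = line "\trevoked=" ts($3)
        print line
    }' "$1"
}

# cert_is_valid INDEX CN: exit 0 only if the latest entry for CN is still V.
# Assumes plain CNs without regex metacharacters (easy-rsa short names).
cert_is_valid() {
    awk -F'\t' -v cn="$2" '
        $6 ~ ("/CN=" cn "$") { st = $1 }
        END { exit (st == "V" ? 0 : 1) }' "$1"
}

# Constructed sample: the two index.txt entries from the post, tab-separated
idx=$(mktemp)
printf 'V\t280825082643Z\t\t01\tunknown\t/CN=server\n' > "$idx"
printf 'R\t280826061455Z\t181211135800Z\t03\tunknown\t/CN=dalin\n' >> "$idx"
cert_report "$idx"
rm -f "$idx"
```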

[root@openvpn easy-rsa]# vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
[root@openvpn easy-rsa]# systemctl restart openvpn@server

That's it: dalin can no longer connect to the server. Server log:

[Image: server log screenshot, /images/posts/20210515.png]

[root@openvpn easy-rsa]# cd /etc/openvpn/
[root@openvpn openvpn]# find . -type f -name "dalin.*" | xargs rm