# openvpn

## Preparation before installation

```
# Disable SELinux
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
# Install openssl and lzo; lzo compresses tunnel traffic to speed up transfers
yum -y install openssl openssl-devel lzo
# Install the EPEL repository
yum install -y epel*
```

## Install and configure OpenVPN and easy-rsa

```
# Install openvpn and easy-rsa, and sync the clock
yum -y install openvpn easy-rsa ntpdate
ntpdate asia.pool.ntp.org
# Enable IP forwarding so VPN clients can reach other networks through the server
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
```

## Configure easy-rsa 3.0

```
# Copy the easy-rsa files into place
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cd /etc/openvpn/easy-rsa/3
[root@localhost 3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
```

## Create a new PKI and CA

```
[root@localhost 3]# pwd
/etc/openvpn/easy-rsa/3
[root@localhost 3]# ./easyrsa init-pki   # create an empty PKI
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

[root@localhost 3]# ./easyrsa build-ca nopass   # create a new CA without a passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
......................+++
................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/ca.key.pClvaQ1GLD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   (press Enter)

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt
```

## Create the server certificate

```
[root@localhost 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:   (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3/pki/private/server.key
```

## Sign the server certificate

```
[root@localhost 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt
```

## Create the Diffie-Hellman parameters

```
[root@localhost 3]# ./easyrsa gen-dh
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem
```

At this point the server-side certificates are done; next, create the client certificate.

## Create the client certificate

```
# Copy the easy-rsa files into a separate client directory
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
[root@localhost ~]# cd /etc/openvpn/client/easy-rsa/3
[root@localhost 3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

# Generate the certificate request
[root@localhost 3]# pwd
/etc/openvpn/client/easy-rsa/3
[root@localhost 3]# ./easyrsa init-pki   # create a new PKI
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3/pki

[root@localhost 3]# ./easyrsa gen-req dalin nopass   # client certificate named dalin, no passphrase
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3/pki/private/dalin.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dalin]:   (press Enter)

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3/pki/reqs/dalin.req
key: /etc/openvpn/client/easy-rsa/3/pki/private/dalin.key

# Finally, sign the client certificate with the server-side CA
[root@localhost 3]# cd /etc/openvpn/easy-rsa/3
[root@localhost 3]# pwd
/etc/openvpn/easy-rsa/3
[root@localhost 3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3/pki/reqs/dalin.req dalin
Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: dalin
You may now use this name to perform signing operations on this request.

[root@localhost 3]# ./easyrsa sign client dalin
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = dalin

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dalin'
Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/dalin.crt
```

## Organise the certificates

All certificates have now been generated; the next step is to collect the files each side needs.

### Files required by the server

```
[root@localhost ~]# mkdir /etc/openvpn/certs
[root@localhost ~]# cd /etc/openvpn/certs/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/dh.pem .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt .
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/private/server.key .
[root@localhost certs]# ll
总用量 20
-rw-------. 1 root root 1172 4月  11 10:02 ca.crt
-rw-------. 1 root root  424 4月  11 10:03 dh.pem
-rw-------. 1 root root 4547 4月  11 10:03 server.crt
-rw-------. 1 root root 1704 4月  11 10:02 server.key

cd /etc/openvpn/
# Generate ta.key, the tls-auth HMAC key (mitigates DoS and UDP flood attacks against the TLS handshake)
openvpn --genkey --secret certs/ta.key
```

### Files required by the client

```
[root@localhost certs]# mkdir /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/easy-rsa/3/pki/issued/dalin.crt /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/client/easy-rsa/3/pki/private/dalin.key /etc/openvpn/client/dalin/
[root@localhost certs]# cp /etc/openvpn/certs/ta.key /etc/openvpn/client/dalin/
[root@localhost certs]# ll /etc/openvpn/client/dalin/
总用量 16
-rw-------. 1 root root 1172 4月  11 10:07 ca.crt
-rw-------. 1 root root 4431 4月  11 10:08 dalin.crt
-rw-------. 1 root root 1704 4月  11 10:08 dalin.key
-rw-------. 1 root root 1704 4月  11 10:08 ta.key
```

These four files are all the client needs. (Previously I downloaded everything for convenience, but this time I could not be bothered, haha.) Next, write the server configuration file. Incidentally, to add another user, just start again from the `./easyrsa gen-req` step; for commands such as revoking a user's certificate, see `./easyrsa --help` or the [GitHub](https://github.com/OpenVPN/easy-rsa/blob/v3.0.5/README.quickstart.md) project page.

## Server configuration file

```
cd /etc/openvpn/
cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/
[root@ecs-de49 openvpn]# cat server.conf
port 11940
proto tcp
dev tun
ca certs/ca.crt
cert certs/server.crt
key certs/server.key  # This file should be kept secret
dh certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth certs/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 5
```

## Start the service and configure the firewall

```
[root@openvpn ~]# systemctl start openvpn@server
[root@openvpn ~]# systemctl enable openvpn@server
```

Configure iptables and forwarding. First, turn off firewalld:

```
[root@openvpn ~]# systemctl stop firewalld.service      // stop the service
[root@openvpn ~]# systemctl disable firewalld.service   // do not start at boot
[root@openvpn ~]# firewall-cmd --state                  // check the status
```

Install iptables and write the rules. The iptables rules depend on your actual environment, so do not copy them blindly. In my case this is a freshly installed server inside the company network that needs no port restrictions or access control, so I did the following:

```
[root@openvpn ~]# yum -y install iptables iptables-services
iptables -I INPUT -p tcp --dport 11940 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
service iptables save
[root@openvpn ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@openvpn ~]# systemctl start iptables.service
[root@openvpn ~]# iptables -L -n
[root@openvpn ~]# iptables -t nat -L -n
```

## Create the client configuration file

```
cd /etc/openvpn/client/dalin/
cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/client.conf client.ovpn
[root@ecs-1ca4 dalin]# egrep -v '^#|^$|^;' client.ovpn
client
dev tun
proto tcp
# this is the server's public IP
remote 119.8.114.128 11940
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert dalin.crt
key dalin.key
remote-cert-tls server
tls-auth ta.key 1
comp-lzo
verb 3
[root@ecs-1ca4 dalin]# tar -zcf dalin.tar.gz .
```

Export the client configuration: install the OpenVPN client software (https://www.techspot.com/downloads/5182-openvpn.html), then copy dalin.tar.gz from the OpenVPN server to the Windows client and extract it into the config folder under the installation directory (C:\Program Files\OpenVPN\config).

## Remove a user and revoke the certificate

```
[root@openvpn ~]# cd /etc/openvpn/easy-rsa/3
[root@openvpn easy-rsa]# ./easyrsa revoke dalin
Note: using Easy-RSA configuration from: ./vars

Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = dalin

Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 06.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@openvpn easy-rsa]# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: ./vars
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
```

Running these commands does not delete the user's certificate; it only updates crl.pem (the output above shows its location, /etc/openvpn/easy-rsa/pki/crl.pem). To review the state of every certificate, look at index.txt:

```
[root@openvpn easy-rsa]# find /etc/openvpn/ -type f -name "index.txt" | xargs cat
V	280825082643Z		01	unknown	/CN=server
R	280826061455Z	181211135800Z	03	unknown	/CN=dalin
```

Two entries are shown for comparison: V means valid, R means revoked. At this point dalin's certificate can still connect to the server, because the server has not yet been told where crl.pem is. Edit the server configuration:

```
[root@openvpn easy-rsa]# vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
[root@openvpn easy-rsa]# systemctl restart openvpn@server
```

That is all; dalin can no longer connect to the server. Server log:

![img](/images/posts/20210515.png)

```
[root@openvpn easy-rsa]# cd /etc/openvpn/
[root@openvpn openvpn]# find . -type f -name "dalin.*" | xargs rm
```
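As an added example (not part of the original post), the following POSIX shell audit parses an easy-rsa index.txt in the format shown above and flags the state the post warns about: revoked entries exist, but server.conf has no crl-verify line, so a revoked client is still accepted. The index.txt contents and server.conf it reads are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit an easy-rsa index.txt together
# with an OpenVPN server.conf. It lists valid (V) and revoked (R) certificates and
# flags the state in which revoked entries exist but server.conf never loads the
# CRL (no crl-verify line), so the revoked client can still connect.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed index.txt in the tab-separated openssl/easy-rsa layout:
# status, expiry (YYMMDDHHMMSSZ), revocation time (empty for V), serial, file, subject
printf 'V\t280825082643Z\t\t01\tunknown\t/CN=server\n'             >  "$WORK/index.txt"
printf 'R\t280826061455Z\t181211135800Z\t03\tunknown\t/CN=dalin\n' >> "$WORK/index.txt"
printf 'V\t280901120000Z\t\t04\tunknown\t/CN=alice\n'              >> "$WORK/index.txt"

# Constructed server.conf, still without crl-verify (the state before the fix)
printf 'port 11940\nproto tcp\ndev tun\nca certs/ca.crt\n' > "$WORK/server.conf"

# list_certs STATUS INDEX: print the CN of every entry whose status is V or R
list_certs() {
    awk -F'\t' -v want="$1" '$1 == want { sub(/^\/CN=/, "", $6); print $6 }' "$2"
}

# count_revoked INDEX: number of R entries
count_revoked() {
    awk -F'\t' '$1 == "R" { n++ } END { print n + 0 }' "$1"
}

# has_crl_verify CONF: true if an uncommented crl-verify directive is present
has_crl_verify() {
    grep -Eq '^[[:space:]]*crl-verify[[:space:]]+' "$1"
}

# audit_crl INDEX CONF: "missing-crl-verify" when revocations exist but the
# server never loads the CRL; "ok" otherwise
audit_crl() {
    if [ "$(count_revoked "$1")" -gt 0 ] && ! has_crl_verify "$2"; then
        echo "missing-crl-verify"
    else
        echo "ok"
    fi
}

echo "valid:   $(list_certs V "$WORK/index.txt" | tr '\n' ' ')"
echo "revoked: $(list_certs R "$WORK/index.txt" | tr '\n' ' ')"
echo "audit:   $(audit_crl "$WORK/index.txt" "$WORK/server.conf")"
```

Point the two paths at a real /etc/openvpn/easy-rsa/3/pki/index.txt and /etc/openvpn/server.conf to run the same check on a live server after each `./easyrsa revoke`.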