OPS Notes By 枯木

A basic OpenVPN setup example


OpenVPN is a software package for creating encrypted virtual private network tunnels, originally written by James Yonan. VPNs built with OpenVPN can authenticate peers with public keys, digital certificates, or a username and password.


Software to prepare:

This example uses RHEL 6.3.

  • openvpn-2.3.1
  • lzo-2.06
  • easy-rsa (the official openvpn-2.3.1 release no longer bundles it): "Note that easy-rsa is no longer bundled with OpenVPN source code archives. To get it, visit the easy-rsa page on GitHub, or download it from our Linux software repositories."

git clone https://github.com/OpenVPN/easy-rsa

Installation

Install openssl, openssl-devel, pam and pam-devel

yum install openssl openssl-devel pam pam-devel -y

Install lzo-2.06

./configure && make && make install

Install openvpn-2.3.1

./configure && make && make install

Configuration

Add environment variables

Add the following to ~/.bash_profile (adjust the names and values to your own needs):

export D=/etc/openvpn
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG=kumu
export KEY_OU=kumu
export KEY_NAME=kumu
export KEY_EMAIL=root@kumu

Load the new environment variables and create the configuration directory /etc/openvpn

# source ~/.bash_profile
# mkdir /etc/openvpn

Note: you can instead edit the vars file shipped with easy-rsa (/usr/local/src/openvpn/easy-rsa/easy-rsa/2.0/vars) and source that.

Generate keys

Change into the easy-rsa directory cloned earlier.

Initialize the PKI and generate the CA certificate:

# pwd
/usr/local/src/openvpn/easy-rsa/easy-rsa/2.0
# ls
build-ca     build-key         build-key-server  clean-all      openssl-0.9.6.cnf  pkitool      vars
build-dh     build-key-pass    build-req         inherit-inter  openssl-0.9.8.cnf  revoke-full  whichopensslcnf
build-inter  build-key-pkcs12  build-req-pass    list-crl       openssl-1.0.0.cnf  sign-req
# cp openssl-1.0.0.cnf /etc/openvpn/openssl.cnf
# ./clean-all #initialize: clears out old files that are no longer needed
# ./build-ca  #just press Enter at every prompt
Generating a 1024 bit RSA private key
.......++++++
............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [kumu]:
Organizational Unit Name (eg, section) [kumu]:
Common Name (eg, your name or your server's hostname) [kumu CA]:
Name []:kumu
Email Address [root@kumu]:

Generate the server certificate and server key

# ./build-key-server kumu_server #press Enter at every prompt; enter a password at the password prompt
Generating a 1024 bit RSA private key
....................................++++++
.........++++++
writing new private key to 'kumu_server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [kumu]:
Organizational Unit Name (eg, section) [kumu]:
Common Name (eg, your name or your server's hostname) [kumu_server]:
Name [kumu]:
Email Address [root@kumu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123321  #enter the password
An optional company name []:kumu
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'kumu'
organizationalUnitName:PRINTABLE:'kumu'
commonName            :T61STRING:'kumu_server'
name                  :PRINTABLE:'kumu'
emailAddress          :IA5STRING:'root@kumu'
Certificate is to be certified until May 11 22:54:08 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the client certificate:

# ./build-key kumu_client1  #press Enter at every prompt; enter a password at the password prompt
Generating a 1024 bit RSA private key
..++++++
.....................++++++
writing new private key to 'kumu_client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [kumu]:
Organizational Unit Name (eg, section) [kumu]:
Common Name (eg, your name or your server's hostname) [kumu_client1]:
Name [kumu]:
Email Address [root@kumu]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123321
An optional company name []:kumu
Using configuration from /etc/openvpn/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'kumu'
organizationalUnitName:PRINTABLE:'kumu'
commonName            :T61STRING:'kumu_client1'
name                  :PRINTABLE:'kumu'
emailAddress          :IA5STRING:'root@kumu'
Certificate is to be certified until May 11 23:01:12 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# ls /etc/openvpn/keys/
01.pem  ca.key      index.txt.attr      kumu_client1.crt  kumu_server.crt  openvpn-status.log
02.pem  dh1024.pem  index.txt.attr.old  kumu_client1.csr  kumu_server.csr  serial
ca.crt  index.txt   index.txt.old       kumu_client1.key  kumu_server.key  serial.old

Note: further client certificates are generated the same way; only the name has to differ.

DH parameters and tls-auth key:

# ./build-dh 
./build-dh: line 7: dhparam: command not found

If the error above appears, change $OPENSSL in the ./build-dh script to openssl. The reason is that the stock /usr/local/src/openvpn/easy-rsa/easy-rsa/2.0/vars file defines OPENSSL=openssl, but I did not source that vars file.

# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
... ...
# openvpn --genkey --secret /etc/openvpn/keys/ta.key  #generate the tls-auth key
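
Before handing out certificates it is worth checking that the server certificate really chains to the CA and carries the server marking that the client's `ns-cert-type server` line will enforce, and that private keys are not readable by other users. The script below is an added example, not part of the original post or of easy-rsa: it builds a throwaway CA plus one server and one client certificate with plain openssl (hypothetical names demo CA, demo_server, demo_client) only so that it runs stand-alone; in real use point check_server_cert and key_is_private at /etc/openvpn/keys.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on an easy-rsa style
# keys directory before certificates are distributed. All names are hypothetical.

# check_server_cert DIR NAME: 0 if DIR/NAME.crt chains to DIR/ca.crt AND carries the
# nsCertType=server extension that build-key-server sets and that the client's
# `ns-cert-type server` line enforces (a plain client cert must fail this check).
check_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    # `openssl x509 -text` renders nsCertType=server as "Netscape Cert Type: SSL Server"
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q 'SSL Server'
}

# key_is_private FILE: 0 if no group/other permission bits are set (ls -l columns 5-10)
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# build_demo_pki DIR: throwaway CA plus one server and one client cert, constructed
# with plain openssl so the checks above can run without the post's easy-rsa tree.
build_demo_pki() {
    dir=$1; mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\nbasicConstraints = CA:TRUE\n' > "$dir/req.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -subj '/CN=demo CA' -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    for n in server client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=demo_$n" \
            -keyout "$dir/demo_$n.key" -out "$dir/demo_$n.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$dir/demo_$n.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$n.ext" \
            -out "$dir/demo_$n.crt" >/dev/null 2>&1
    done
    chmod 600 "$dir/ca.key" "$dir/demo_server.key"
    chmod 644 "$dir/demo_client.key"   # deliberately too open, so key_is_private fires
}

# Stand-alone run over the demo directory (real use: check_server_cert /etc/openvpn/keys kumu_server)
d=$(mktemp -d) && build_demo_pki "$d"
check_server_cert "$d" demo_server && echo "demo_server: valid server cert" || echo "demo_server: FAIL"
check_server_cert "$d" demo_client && echo "demo_client: wrongly accepted as server" || echo "demo_client: rejected as server, as expected"
for k in ca.key demo_server.key demo_client.key; do
    key_is_private "$d/$k" && echo "$k: permissions ok" || echo "$k: readable by others, fix with chmod 600"
done
rm -rf "$d"
```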

Edit the server configuration file:

# pwd
/usr/local/src/openvpn/openvpn-2.3.1/sample/sample-config-files
# ls 
client.conf  loopback-client  openvpn-shutdown.sh  server.conf         tls-home.conf         xinetd-server-config
firewall.sh  loopback-server  openvpn-startup.sh   static-home.conf    tls-office.conf
home.up      office.up        README               static-office.conf  xinetd-client-config
# cp server.conf /etc/openvpn/  #copy the sample server config into the configuration directory

The server configuration now reads as follows

# grep -vE '^;|^$|^#' /etc/openvpn/server.conf 
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/kumu_server.crt
key /etc/openvpn/keys/kumu_server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0" # push a route to clients
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
status /etc/openvpn/keys/openvpn-status.log
verb 3

Enable IP forwarding and start OpenVPN

Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward #takes effect immediately, lost on reboot

Or set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p to make it permanent.

Start the service

openvpn --config /etc/openvpn/server.conf --daemon

Windows client configuration

Copy the following client files generated on the server into the OpenVPN\config directory of the Windows installation:

  • kumu_client1.crt
  • kumu_client1.key
  • ca.crt (the CA certificate, which is what the client config references; the CA private key ca.key stays on the server and is never given to clients)
  • ta.key

Create the client configuration file client.ovpn in the OpenVPN\config directory

client
dev tun
proto udp
remote 10.2.0.110 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kumu_client1.crt
key kumu_client1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
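
As an added example (not from the original post), a small shell audit of the server.conf above and of the client.ovpn just shown: it flags the settings a defender would change before going live, among them the 1024-bit dh1024.pem, comp-lzo, client-to-client, the user/group privilege drop that the stock sample server.conf leaves commented out (and the grep above therefore hides), and the client's ns-cert-type line, which later OpenVPN versions replace with remote-cert-tls server. The config it runs over is a constructed excerpt of the post's server.conf.

```shell
#!/bin/sh
# Added example (not from the original post): review an OpenVPN 2.3 config for
# settings a defender would change before going live. The sample config is constructed.

# audit_ovpn FILE ROLE(server|client): prints one finding per line, always returns 0.
audit_ovpn() {
    file=$1; role=$2
    # drop blank lines, ';'/'#' comment lines and trailing comments, as the post's grep does
    cfg=$(grep -vE '^;|^$|^#' "$file" | sed 's/[[:space:]]*#.*$//')
    has() { printf '%s\n' "$cfg" | grep -qE "^$1"; }
    finding() { echo "$file: $1"; }
    has 'tls-auth ' || finding 'no tls-auth: control channel accepts unauthenticated packets'
    has '(dh .*dh1024|key-size 1024)' && finding '1024-bit parameters: move to 2048-bit keys and dh2048.pem'
    has 'comp-lzo' && finding 'comp-lzo: compressing tunnel traffic is discouraged, prefer no compression'
    if [ "$role" = server ]; then
        has 'user ' && has 'group ' || finding 'no user/group: daemon keeps root after start (use user nobody / group nobody)'
        has 'client-to-client' && finding 'client-to-client: VPN clients can reach each other, confirm this is intended'
        has 'tls-auth .* 0$' || finding 'server side tls-auth must use key direction 0'
    else
        has 'ns-cert-type server' && finding 'ns-cert-type is deprecated, use remote-cert-tls server'
        has '(ns-cert-type|remote-cert-tls) server' || finding 'no server cert check: any CA-signed cert could pose as the server'
        has 'tls-auth .* 1$' || finding 'client side tls-auth must use key direction 1'
    fi
    return 0
}

# write_sample_server_conf FILE: constructed excerpt of the post's server.conf
write_sample_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
comp-lzo
verb 3
EOF
}

f=$(mktemp) && write_sample_server_conf "$f"
audit_ovpn "$f" server      # prints four findings for the excerpt above
rm -f "$f"
```

Run it as `audit_ovpn /etc/openvpn/server.conf server` or `audit_ovpn client.ovpn client` against the real files.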

On Win7/Win8, start the OpenVPN Windows client as administrator (the basic Windows installation is not covered here). If all is well, the OpenVPN GUI icon turns green and a ping test succeeds, as below:

C:\Users\kumu>ping 10.8.0.1  #test the VPN

正在 Ping 10.8.0.1 具有 32 字节的数据:
来自 10.8.0.1 的回复: 字节=32 时间<1ms TTL=64
来自 10.8.0.1 的回复: 字节=32 时间<1ms TTL=64
... ...
C:\Users\kumu>ping 192.168.10.19 #test the internal network

正在 Ping 192.168.10.19 具有 32 字节的数据:
来自 192.168.10.19 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.10.19 的回复: 字节=32 时间=2ms TTL=64
... ...

Linux client configuration

Installation is the same as on the server side.

Configuration

# mkdir /etc/openvpn
# cp /usr/local/src/openvpn/openvpn-2.3.1/sample/sample-config-files/client.conf /etc/openvpn/
# grep -vE '^$|^#|^;' /etc/openvpn/client.conf
client
dev tun
proto udp
remote 10.2.0.110 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kumu_client1.crt
key kumu_client1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

Copy the following client files generated on the server to /etc/openvpn on the Linux client (for convenience the same client certificate is reused here rather than generating another set):

  • kumu_client1.crt
  • kumu_client1.key
  • ca.crt (the CA certificate, which is what the client config references; the CA private key ca.key stays on the server and is never given to clients)
  • ta.key

Start the OpenVPN client service

openvpn --config /etc/openvpn/client.conf --daemon

Test

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
... ...
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.10.0    10.8.0.5        255.255.255.0   UG    0      0        0 tun0
... ...
# ping 192.168.10.19
PING 192.168.10.19 (192.168.10.19) 56(84) bytes of data.
64 bytes from 192.168.10.19: icmp_seq=1 ttl=64 time=0.690 ms
64 bytes from 192.168.10.19: icmp_seq=2 ttl=64 time=1.21 ms
... ...

Test passed, no errors!

–EOF–
