Compiling and installing an OpenVPN service on CentOS 6.3


OpenVPN is an open-source VPN package that runs on a Linux gateway server. As the name suggests, it opens a secure virtual private tunnel so that users can work remotely and reach intranet resources.


It runs across Linux, xBSD, Mac OS X and Windows, uses openssl as its crypto library, and authenticates peers with certificates or a username/password, which makes it a rare gem among open-source VPN solutions.


The goal of this exercise is to simulate a common production scenario: staff who are out of the office need to reach the company's internal OA system, i.e. remote office automation.


Solution:

   System: CentOS 6.3 x64

   OpenVPN: openvpn-2.3.6.tar.gz

   vpn server: eth0: 10.124.151.245  117.78.9.254

   vpn client: 192.168.1.100

   intranet server: 172.24.30.10

                         route

client    Internet      vpnserver       company intranet


Deployment environment:

Server side

I. Network environment

1. Check the SELinux state and make sure it is disabled

  vi /etc/sysconfig/selinux

    ---------------

    SELINUX=disabled

    ---------------

2. Enable IP forwarding on the server

  vi /etc/sysctl.conf

    ---------------------

    net.ipv4.ip_forward = 1

    ---------------------

 sysctl -p

3. Adjust the iptables rules:

  Set up NAT masquerading:

  Note: this makes sure the VPN address pool can be routed out to the Internet

  # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  # service iptables save

4. Allow the OpenVPN ports through the firewall:

  # iptables -A INPUT -p TCP --dport 1194 -j ACCEPT

  # iptables -A INPUT -p TCP --dport 7505 -j ACCEPT

  # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # service iptables save

5. Time synchronization (important):

  # ntpdate asia.pool.ntp.org

 

II. Install the dependencies

  # yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

III. Install openvpn:

  (The latest source tarball can be downloaded from http://openvpn.net/index.php/open-source/downloads.html)

  # wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz #2015-03-28

  # tar zxvf openvpn-2.3.6.tar.gz

  # cd openvpn-2.3.6

  # ./configure --prefix=/usr/local/openvpn

  # make && make install

  # mkdir -p /etc/openvpn

  Copy the sample templates into the openvpn config directory:

  # cp -Rf sample /etc/openvpn/

  Copy the openvpn server config template into the main config directory:

  # cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/

IV. 1. Download easy-rsa:

  Note: this package is used to create the CA certificate, the server certificate and the client certificates. The OpenVPN 2.3.0 source tree does not bundle easy-rsa, so it has to be downloaded and installed separately to generate the certificates openvpn uses.

  # wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip

  # unzip master   # install unzip first if needed: yum -y install unzip

  # cp -Rf easy-rsa-master /etc/openvpn/easy-rsa

  # cd /etc/openvpn/easy-rsa/easyrsa3   # this is the easyrsa3 version; many posts online describe 2.0, but the same download yields version 3, so this walkthrough follows the version-3 workflow

  -----------------------------

  All of the following operations are run in this directory (pwd: /etc/openvpn/easy-rsa/easyrsa3/)

  -----------------------------

  2. Edit the vars file to match your environment

  Copy vars.example to vars

    cp vars.example vars

  Change the fields below: run vi vars, edit them, then save with :wq

  set_var EASYRSA_REQ_COUNTRY "CN"   # change to suit your own situation

  set_var EASYRSA_REQ_PROVINCE "BeiJingShi"

  set_var EASYRSA_REQ_CITY "BeiJing"

  set_var EASYRSA_REQ_ORG "My_ORG"

  set_var EASYRSA_REQ_EMAIL "[email protected]"

  set_var EASYRSA_REQ_OU "APICloud_OpenVPN"

  3. Initialize the /etc/openvpn/easy-rsa/easyrsa3/ directory:

  #./easyrsa init-pki

  ==================================

  init-pki complete; you may now create a CA or requests.

  Your newly created PKI dir is: /usr/local/src/easy-rsa-master/easyrsa3/pki

  ==================================

  4. Create the root (CA) certificate

  # ./easyrsa build-ca

  ====================================================

    Note: using Easy-RSA configuration from: ./vars

    Generating a 2048 bit RSA private key

    .......................................+++

    ..................................+++

    writing new private key to ‘/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key‘

    Enter PEM pass phrase:  apicloud

    Verifying - Enter PEM pass phrase: apicloud  -- this passphrase is used when signing certificates

    -----

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter ‘.‘, the field will be left blank.

    -----

    Common Name (eg: your user, host, or server name) [Easy-RSA CA]: apicloud

    

    CA creation complete and you may now import and sign cert requests.

    Your new CA certificate file for publishing is at:

    /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

  ====================================================

  Note: in the step above you have to enter the PEM pass phrase twice. You must remember it, otherwise you will not be able to sign certificates later. You also have to enter a Common Name; pick any value, as long as it is unique.

  5. Create the server certificate

  # ./easyrsa gen-req server nopass

  ====================================================

    Note: using Easy-RSA configuration from: ./vars

    Generating a 2048 bit RSA private key

    ................+++

    .....................................+++

    writing new private key to ‘/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key‘

    -----

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter ‘.‘, the field will be left blank.

    -----

    Common Name (eg: your user, host, or server name) [server]:admin  -- any name will do, but not the same as the root certificate's

    

    Keypair and certificate request completed. Your files are:

    req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req

    key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

  ====================================================

  Sign the server certificate (sign the server request with the CA certificate):

  # ./easyrsa sign server server

  =================================================== 

    Note: using Easy-RSA configuration from: ./vars

    

    You are about to sign the following certificate.

    Please check over the details shown below for accuracy. Note that this request

    has not been cryptographically verified. Please be sure it came from a trusted

    source or that you have verified the request checksum with the sender.

    

    Request subject, to be signed as a server certificate for 3650 days:

    

    subject=

        commonName                = admin

    

    

    Type the word ‘yes‘ to continue, or any other input to abort.

      Confirm request details: yes  -- type yes to confirm

    Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf

    Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: -- enter the CA passphrase (apicloud)

    Check that the request matches the signature

    Signature ok

    The Subject‘s Distinguished Name is as follows

    commonName            :PRINTABLE:‘admin‘

    Certificate is to be certified until Mar 25 07:45:43 2025 GMT (3650 days)

    

    Write out database with 1 new entries

    Data Base Updated

    

    Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

  ================================================================

  Create the Diffie-Hellman parameters, which protect the key exchange over the untrusted network:

  # ./easyrsa gen-dh

  ================================================

    Note: using Easy-RSA configuration from: ./vars

    Generating DH parameters, 2048 bit long safe prime, generator 2

    This is going to take a long time

    ................+...................................+...................................+...

    DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

  ================================================

  6. Create the client certificate (pwd: /root/client/easy-rsa/easyrsa3)

  Go to root's home directory and create a client folder (the name is arbitrary), copy the easy-rsa folder unpacked earlier into it, then change into the directory below

  # cd /root/

  # mkdir client 

  # cp -Rf /usr/local/src/easy-rsa-master /root/client/easy-rsa

  # cd /root/client/easy-rsa/easyrsa3/

  A: Initialize the directory:

  # ./easyrsa init-pki

  ==============================

   init-pki complete; you may now create a CA or requests.

   Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki

  ==============================

  B: Create the client key and certificate request (with a client passphrase)

  # ./easyrsa gen-req qingbo   # pick your own name

  ========================================

    Generating a 2048 bit RSA private key

    ...........................................+++

    ......+++

    writing new private key to ‘/root/client/easy-rsa/easyrsa3/pki/private/qingbo.key‘

    Enter PEM pass phrase: -- client certificate passphrase: qingbo

    Verifying - Enter PEM pass phrase:

    -----

    You are about to be asked to enter information that will be incorporated

    into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN.

    There are quite a few fields but you can leave some blank

    For some fields there will be a default value,

    If you enter ‘.‘, the field will be left blank.

    -----

    Common Name (eg: your user, host, or server name) [qingbo]:qingbo -- client certificate name

    

    Keypair and certificate request completed. Your files are:

    req: /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req

    key: /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key

  ========================================

  C: Import the qingbo.req obtained above and sign the certificate

  =======================

  Change into /etc/openvpn/easy-rsa/easyrsa3/

    cd /etc/openvpn/easy-rsa/easyrsa3/

  Import the req

    ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req qingbo

     ------------------------------------

     Note: using Easy-RSA configuration from: ./vars

     The request has been successfully imported with a short name of: qingbo

     You may now use this name to perform signing operations on this request.

     ------------------------------------

  Sign the certificate

    ./easyrsa sign client qingbo   # a client certificate is being issued, so the type must be client; qingbo must match the name given on import

  ====================================

      Signing here works the same as for the server; you will be asked for the CA passphrase

  7. Certificate management

  A: Overview of the generated certificates and keys

     Server side (the /etc/openvpn/easy-rsa/ directory)

     ===================================

    /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

    /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req

    /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/qingbo.req

    /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key

    /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

    /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

    /etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt

    ====================================

    Client side (the /root/client/easy-rsa directory)

    ====================================

    /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key

    /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req   # this file was imported on the server side, so a copy exists there too

    /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

    ====================================

  B: Copy the files to where they belong

    /etc/openvpn/  (ca.crt, server.key, server.crt, dh.pem)

    ================================

    # cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn

    # cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn

    # cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn

    # cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn

    ================================

    /root/client/   (ca.crt, qingbo.crt, qingbo.key)

    ================================

    # cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client

    # cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt /root/client

    # cp /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key /root/client

    ================================
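Before copying the files in step B into place, it is worth checking what the easyrsa steps above actually produced. The script below is an added example (not from the original post, and not part of easy-rsa or OpenVPN): it verifies that a certificate chains to ca.crt, that the private key belongs to that certificate, and that the Extended Key Usage matches the role given to easyrsa sign, which is what OpenVPN's remote-cert-tls server option checks on the client side. It assumes the openssl command line is installed and the RSA keys generated above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: check a certificate/key pair
# produced by the easyrsa steps above before it is copied into place.
#   check_vpn_cert CA_CRT CERT KEY ROLE      (ROLE is server or client)

# True when CERT was issued by the CA in CA_CRT. The "name: OK" output is
# tested rather than the exit code, because old openssl releases returned
# 0 even when verification failed.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True when the RSA modulus in KEY equals the one in CERT (same key pair).
# An encrypted key such as qingbo.key prompts for its passphrase here.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when CERT carries the Extended Key Usage that "easyrsa sign server"
# or "easyrsa sign client" sets; OpenVPN's remote-cert-tls server option
# rejects a peer whose certificate lacks the server EKU.
cert_has_role() {
    case "$2" in
        server) eku='TLS Web Server Authentication' ;;
        client) eku='TLS Web Client Authentication' ;;
        *)      echo "unknown role $2"; return 2 ;;
    esac
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q "$eku"
}

# Runs all three checks, reports every failure, returns 0 only if all pass.
check_vpn_cert() {
    ca=$1; crt=$2; key=$3; role=$4; rc=0
    cert_chains_to_ca "$ca" "$crt" || { echo "$crt: not issued by $ca"; rc=1; }
    key_matches_cert "$crt" "$key" || { echo "$key: does not match $crt"; rc=1; }
    cert_has_role "$crt" "$role"   || { echo "$crt: no $role EKU"; rc=1; }
    return $rc
}

# Usage on the paths from this post (run on the server, as root):
#   check_vpn_cert /etc/openvpn/ca.crt /etc/openvpn/server.crt /etc/openvpn/server.key server
#   check_vpn_cert /root/client/ca.crt /root/client/qingbo.crt /root/client/qingbo.key client
```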

V. OpenVPN service configuration and startup

   1. Copy the template file into /etc/openvpn/ (already done during the source install)

    # cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/

   2. Edit server.conf

    =====================================

local 119.255.41.233   # use your own VPS IP here

port 1194

proto udp

dev tun

ca /etc/openvpn/ca.crt

cert /etc/openvpn/server.crt

key /etc/openvpn/server.key # This file should be kept secret

dh /etc/openvpn/dh.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

keepalive 10 120

comp-lzo

max-clients 10

persist-key

persist-tun

log         /usr/local/openvpn/log/openvpn.log

log-append /usr/local/openvpn/log/openvpn.log

status /usr/local/openvpn/log/openvpn-status.log

verb 3

    ================================

    3. Start the openvpn service

      # /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &

    4. Start at boot

      # echo "/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf > /dev/null 2>&1 &" >> /etc/rc.local

 

Error: (what to do?)

======================================

Sat Mar 28 17:39:45 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 28 2015

Sat Mar 28 17:39:45 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03

Sat Mar 28 17:39:45 2015 Diffie-Hellman initialized with 2048 bit key

Sat Mar 28 17:39:45 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]

Sat Mar 28 17:39:45 2015 TCP/UDP: Socket bind failed on local address [AF_INET]119.255.41.233:1194: Cannot assign requested address

Sat Mar 28 17:39:45 2015 Exiting due to fatal error

======================================     

Client configuration:

I. Install the Windows client (Win7 64-bit)

   1. Download the client and install it to D:\Program Files (x86)\OpenVPN

    # http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip

   2. Copy the client certificate files generated on the server (ca.crt, qingbo.crt, qingbo.key) into D:\Program Files\OpenVPN\config on the client.

     The three files are the ones under /root/client/

   3. Create client.ovpn in D:\Program Files\OpenVPN\config

     Contents:

     ==========================

client

dev tun

proto udp

remote 119.255.41.233 1194   # note: change this to your own VPS IP

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt   # the certificate files are referenced here

cert qingbo.crt

key qingbo.key

comp-lzo

verb 3

II. Start the client and test the configuration


Error:

==================================

Options error: --dh fails with ‘/etc/opensvn/dh.pem‘: No such file or directory

Options error: --ca fails with ‘/etc/opensvn/ca.crt‘: No such file or directory

Options error: --cert fails with ‘/etc/opensvn/server.crt‘: No such file or directory

Options error: --key fails with ‘/etc/opensvn/server.key‘: No such file or directory

Options error: --status fails with ‘/usr/local/opensvn/log/openvpn-status.log‘: No such file or directory

=================================



References:

http://hatustudio.com/system/%E5%AE%8C%E6%95%B4centos%E6%90%AD%E5%BB%BAopenvpn%E6%9C%8D%E5%8A%A1%E7%8E%AF%E5%A2%83%E5%9B%BE%E6%96%87%E6%95%99%E7%A8%8B-1414.html

http://www.iamle.com/archives/1322.html/comment-page-1

http://blog.csdn.net/yetyongjin/article/details/7412378

http://www.linuxidc.com/Linux/2014-11/109588.htm

http://www.linuxidc.com/Linux/2013-06/86118p2.htm

This post is from the “守望海豚” blog; please keep this attribution: http://swht1278.blog.51cto.com/7138082/1626004
