Installing and Configuring OpenVPN on CentOS 7

Published 2021-06-11 14:25:06.439, views: 1433

Preface

Because the company's on-premises server capacity was not enough and we needed additional servers for Spring Cloud development, nacos and some of the services were deployed on Alibaba Cloud. Since the cloud-hosted services could not reach the on-premises ones, I deployed OpenVPN to connect the Alibaba Cloud network with the local network. The content below was put together from memory and the referenced tutorials; if you find mistakes, please point them out in the comments. This tutorial is provided for study and work purposes only; do not use it for anything illegal.

Installing openvpn

# install the EPEL repository
yum -y install epel-release
# install OpenVPN
yum -y install openvpn

OpenVPN ships a simple sample configuration; copy the sample server config into the configuration directory

cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/server

Server certificate

Install easy-rsa

yum install -y easy-rsa

Then copy the easy-rsa directory to /etc/openvpn and make its files executable

cp -R /usr/share/easy-rsa/3.0.3/  /etc/openvpn/
cd /etc/openvpn/easy-rsa
chmod +x  *

Edit the vars file under /etc/openvpn/easy-rsa (if it is not there yet, copy it from /usr/share/doc/easy-rsa-3.0.3/vars.example, as the client section below does). easy-rsa 3.x reads its settings from set_var EASYRSA_REQ_* lines; the "export KEY_*" names of easy-rsa 2 are not read by 3.x.

set_var EASYRSA_REQ_COUNTRY  "CN"             # country
set_var EASYRSA_REQ_PROVINCE "BJ"             # province
set_var EASYRSA_REQ_CITY     "Beijing"        # city
set_var EASYRSA_REQ_ORG      "xxxx"           # organization
set_var EASYRSA_REQ_EMAIL    "xxxx@xxxx.com"  # e-mail
set_var EASYRSA_REQ_OU       "xxxx.com"       # organizational unit

Creating the CA certificate

[root@localhost easy-rsa]# ./easyrsa init-pki          # initialize the PKI and create its directory structure
[root@localhost easy-rsa]# ./easyrsa build-ca            # create the CA certificate

Note: using Easy-RSA configuration from: ./vars            # uses the settings from the vars file
Generating a 2048 bit RSA private key
.................+++
........................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.Lg8IKADc4Q'
Enter PEM pass phrase:                  # set the CA passphrase
Verifying - Enter PEM pass phrase:      # enter the same passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:          # just press Enter to keep the default CA name

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt        # where the CA certificate is stored

Server certificate server.crt

[root@localhost easy-rsa]# ./easyrsa gen-req server nopass   # nopass creates the key without a passphrase; drop this option if you want one
Note: using Easy-RSA configuration from: ./vars       # uses the settings from the vars file
Generating a 2048 bit RSA private key
.....................................+++
................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.yuG9HRsSlU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:    # just press Enter, the default name is server

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key              # path of the private key

Signing the server certificate

[root@localhost easy-rsa]# ./easyrsa sign server server            # the second 'server' is the CN / request name of the server certificate above; we used the default 'server', adjust it to your actual request name

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:            # enter the passphrase set when the CA was created (123456)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'server'
Certificate is to be certified until May 22 03:23:38 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt          # server certificate path

DH parameters

[root@localhost easy-rsa]# ./easyrsa gen-dh     # generate the Diffie-Hellman parameters; this takes a while
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................+...........................................................+.......................................................................................................+...........+..........................................................................................................................................................................................................................................................................+............................................................................................................+....................................................................................................+................................................................+.....................................................................................................................................................+............................................+............+......................................................................................+......................................................................+...........................+................................................................+...........................................................................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem      # dh parameters path

TA key

cd /etc/openvpn
openvpn --genkey --secret ta.key
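The ta.key written above is a 2048-bit static key; with tls-auth both sides HMAC every control-channel packet with it, and the key-direction argument (0 on the server, 1 on the client, which is why the client configuration later says tls-auth ta.key 1) decides which half of the key each side signs with and which half it verifies with. The following Python is an added example, not OpenVPN code and not part of the original post: it writes and parses the text format of a static key file and uses HMAC-SHA1 on a constructed key to show why the two sides must use complementary directions. The split of the 256 key bytes into two HMAC keys is my simplified model of OpenVPN's key layout, not something the post states.

```python
import hashlib
import hmac

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"

def make_static_key(key_bytes):
    """Serialize 256 key bytes the way `openvpn --genkey --secret` writes them:
    16 lines of 32 hex characters between the BEGIN/END markers."""
    if len(key_bytes) != 256:
        raise ValueError("a static key is 256 bytes (2048 bits)")
    hexstr = key_bytes.hex()
    lines = [hexstr[i:i + 32] for i in range(0, len(hexstr), 32)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"

def parse_static_key(text):
    """Inverse of make_static_key; skips the '#' comment lines real files carry above the header."""
    hex_lines, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == HEADER:
            inside = True
        elif line == FOOTER:
            break
        elif inside and line and not line.startswith("#"):
            hex_lines.append(line)
    key = bytes.fromhex("".join(hex_lines))
    if len(key) != 256:
        raise ValueError("static key must decode to 256 bytes")
    return key

def hmac_keys(key, direction):
    """Pick (send_key, recv_key) by key direction.
    Assumed simplified layout: bytes 64-127 are HMAC key A, bytes 192-255 are HMAC key B;
    direction 0 sends with A and receives with B, direction 1 is the mirror image."""
    key_a, key_b = key[64:128], key[192:256]
    if direction == 0:
        return key_a, key_b
    if direction == 1:
        return key_b, key_a
    raise ValueError("direction must be 0 or 1")

def tag(send_key, packet):
    return hmac.new(send_key, packet, hashlib.sha1).digest()

def verify(recv_key, packet, mac):
    return hmac.compare_digest(hmac.new(recv_key, packet, hashlib.sha1).digest(), mac)

def handshake_ok(server_dir, client_dir, key, packet=b"constructed control packet"):
    """True only when a client-to-server packet and the server's reply both verify."""
    s_send, s_recv = hmac_keys(key, server_dir)
    c_send, c_recv = hmac_keys(key, client_dir)
    to_server = verify(s_recv, packet, tag(c_send, packet))
    to_client = verify(c_recv, packet, tag(s_send, packet))
    return to_server and to_client

if __name__ == "__main__":
    demo_key = bytes(range(256))  # constructed, not a real key
    print(make_static_key(demo_key))
    for s, c in ((0, 1), (1, 0), (0, 0), (1, 1)):
        print(f"server direction {s}, client direction {c}: ok={handshake_ok(s, c, demo_key)}")
```

With 0 on the server and 1 on the client every packet verifies; give both sides the same direction and neither side can verify the other's tags, which is what OpenVPN reports as a TLS key negotiation failure.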

Copy the generated certificates and keys into /etc/openvpn/server

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/

Client certificate

To keep them apart, we store the client certificates in a new directory, /etc/openvpn/client

[root@localhost client]# mkdir -p /etc/openvpn/client
[root@localhost client]# cd /etc/openvpn/client
[root@localhost client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/client
[root@localhost client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars

Create the client certificate

[root@localhost client]# ./easyrsa init-pki
[root@localhost client]# ./easyrsa gen-req client nopass   # 'client' is the certificate name and can be changed; nopass again means no passphrase
Generating a 2048 bit RSA private key
.....................................................+++
.................................+++
writing new private key to '/etc/openvpn/client/pki/private/client.key.0rbEXauafe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/client.req
key: /etc/openvpn/client/pki/private/client.key               # key path

Signing the client certificate

# switch to the server-side easy-rsa directory:
cd /etc/openvpn/easy-rsa
# import the request
./easyrsa import-req /etc/openvpn/client/pki/reqs/client.req client
./easyrsa sign client client        # sign it: the first 'client' is a fixed argument meaning a client-type certificate, the second is the name given to the imported request above
Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                                    # type 'yes'
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:   # enter the CA passphrase (123456)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client'
Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt     # final client certificate path
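The "Write out database with 1 new entries" / "Data Base Updated" lines come from openssl's CA database, which easy-rsa keeps in pki/index.txt beside the issued certificates. Reading that file is the quickest way to inventory which server and client certificates this CA has issued, which are revoked and which are about to expire; it also shows several active certificates sharing one CN, something the duplicate-cn setting used in the server configuration below otherwise hides. The following Python is an added example, not part of the original post or of easy-rsa; the index lines it parses are constructed to match the certificates created above plus a revoked one and a short-lived one, and the 30-day warning window is my choice.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of /etc/openvpn/easy-rsa/pki/index.txt. openssl's CA index format is
# tab separated: status (V/R/E), expiry, revocation date, serial, filename, subject DN.
SAMPLE_INDEX = (
    "V\t280522032338Z\t\t01\tunknown\t/CN=server\n"
    "V\t280413143717Z\t\t02\tunknown\t/CN=client\n"
    "R\t280601000000Z\t210610120000Z\t03\tunknown\t/CN=laptop-old\n"
    "V\t210701000000Z\t\t04\tunknown\t/CN=client\n"
)

def parse_utctime(s):
    """openssl writes index timestamps as YYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_index(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revoked, serial, _filename, subject = fields
        dn = dict(part.split("=", 1) for part in subject.strip("/").split("/"))
        entries.append({
            "status": status,                       # V = valid, R = revoked, E = expired
            "expires": parse_utctime(expiry),
            "revoked": parse_utctime(revoked) if revoked else None,
            "serial": serial,
            "cn": dn.get("CN"),
        })
    return entries

def audit(entries, now, warn_within=timedelta(days=30)):
    """Findings a VPN operator acts on: expired or expiring active certs, and shared CNs."""
    findings = []
    active = [e for e in entries if e["status"] == "V"]
    for e in active:
        if e["expires"] <= now:
            findings.append(f"serial {e['serial']} CN={e['cn']} has expired but is still marked V")
        elif e["expires"] - now <= warn_within:
            findings.append(f"serial {e['serial']} CN={e['cn']} expires within {warn_within.days} days")
    for cn, n in Counter(e["cn"] for e in active).items():
        if n > 1:
            findings.append(f"CN={cn} has {n} active certificates (duplicate-cn lets all of them connect at once)")
    return findings

def run(text=SAMPLE_INDEX, now_iso="2021-06-11T00:00:00+00:00"):
    """Audit an index.txt body at a given instant (ISO 8601 with offset)."""
    return audit(parse_index(text), datetime.fromisoformat(now_iso))

if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Run it against the real file with `run(open("/etc/openvpn/easy-rsa/pki/index.txt").read(), datetime.now(timezone.utc).isoformat())`; revoked entries (status R) are excluded from the active set, so a certificate you have revoked with easyrsa no longer counts toward the duplicate-CN check.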

Starting the service

Server:

Copy the default configuration shipped with openvpn (the same copy as in the installation section; skip it if already done)

cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf  /etc/openvpn/server/

Edit /etc/openvpn/server/server.conf; the entries that need changing are the following

local 0.0.0.0       # IP address to listen on
port 1194           # port
proto udp           # protocol
dev tun             # routed tunnel mode
ca /etc/openvpn/server/ca.crt            # CA certificate; the sample file uses the bare name ca.crt, which OpenVPN resolves against its working directory (or the --cd directory), so either use absolute paths as here or keep the files next to server.conf and start openvpn with --cd
cert /etc/openvpn/server/server.crt      # server certificate
key /etc/openvpn/server/server.key       # server key
dh /etc/openvpn/server/dh.pem             # DH parameters
server 10.8.0.0 255.255.255.0        # address pool handed out to clients
push "dhcp-option DNS 8.8.8.8"               # DNS servers pushed to clients
push "dhcp-option DNS 114.114.114.114"
duplicate-cn                          # allow several simultaneous connections that use the same certificate CN

Start command

/usr/sbin/openvpn --config /etc/openvpn/server/server.conf --daemon

The default log path is /var/log/openvpn.log

OpenVPN command options

--daemon           # run in the background
--cd               # directory containing the configuration files
--config           # configuration file name
--auth-user-pass   # file holding the username and password
--log-append       # log file (appended to)

Start openvpn at boot

# note: on CentOS 7 /etc/rc.d/rc.local is not executable by default and must be made executable for this line to run at boot
echo "/usr/sbin/openvpn --config /etc/openvpn/server/server.conf --daemon" >> /etc/rc.local

Client:

Set up the client configuration file

yum install -y openvpn  # install on a Linux client

cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf /etc/openvpn/client.ovpn
cat /etc/openvpn/client.ovpn
client
dev tun
proto udp             # must match the server
remote 123.xxx.xxx.xxx 1194   # server IP and port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt          # CA certificate
cert client.crt      # client certificate
key client.key      # client key
tls-auth ta.key 1    # tls-auth key, direction 1 (the server side uses direction 0)
cipher AES-256-CBC
comp-lzo         # compress the tunnel traffic
verb 3         # log verbosity

Certificates the client needs (download them to the client, into the same directory as the client configuration file)

/etc/openvpn/easy-rsa/pki/issued/client.crt # in the server-side certificate directory
/etc/openvpn/client/pki/private/client.key # in the client generation directory above
/etc/openvpn/easy-rsa/pki/ca.crt # CA certificate
/etc/openvpn/ta.key # tls-auth key
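Two details of the configurations above cause most first-start failures: a bare file name such as ca.crt or ta.key is resolved against OpenVPN's working directory (or the --cd directory), not against the directory holding the config file; and tls-auth must be present on both sides with complementary directions, so the client's tls-auth ta.key 1 needs a matching tls-auth ta.key 0 in server.conf (the sample server.conf contains that line) pointing at the ta.key generated earlier. The following Python is an added example, not part of the original post or of OpenVPN: a small parser for the directive syntax and a lint pass that checks path resolution, tls-auth directions, proto and port agreement, remote-cert-tls and compression. The two configs, the --cd directories and the set of existing files are constructed inline from the post's steps (the server's ta.key is left where the post generates it, in /etc/openvpn, so that check fires); tunnel_mode() reports whether the server pushes a full-tunnel redirect-gateway or only specific routes, the split-tunnel setup that item 5 of the common problems section describes.

```python
import os
import shlex

# Constructed from the server.conf entries in this post plus the routes from the split-tunnel FAQ item.
SERVER_CONF = """\
local 0.0.0.0
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth ta.key 0     # bare name as in the sample file: resolved against --cd / cwd
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
duplicate-cn
"""
# Constructed from the client.ovpn in this post.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote 123.xxx.xxx.xxx 1194
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
"""
# Constructed inventory of files present on each host after the post's copy steps
# (hypothetical client directory /home/user/vpn). ta.key sits in /etc/openvpn, not /etc/openvpn/server.
EXISTING = {
    "/etc/openvpn/server/ca.crt", "/etc/openvpn/server/server.crt", "/etc/openvpn/server/server.key",
    "/etc/openvpn/server/dh.pem", "/etc/openvpn/ta.key", "/home/user/vpn/ca.crt",
    "/home/user/vpn/client.crt", "/home/user/vpn/client.key", "/home/user/vpn/ta.key",
}
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")

def parse(text):
    """Return [(directive, [args])]; '#' starts a comment, ';' comments out a line (simplified grammar)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries

def get(entries, name):
    return [args for d, args in entries if d == name]

def first(entries, name, default):
    hits = get(entries, name)
    return hits[0][0] if hits else default

def resolve(path, cd):
    """OpenVPN resolves relative file names against the --cd directory (or its cwd)."""
    return path if os.path.isabs(path) else os.path.join(cd, path)

def tunnel_mode(server):
    """'full' if the server pushes redirect-gateway, otherwise the list of pushed routes."""
    pushed = [args[0].split() for args in get(server, "push")]
    if any(p[0] == "redirect-gateway" for p in pushed):
        return "full"
    return ["/".join(p[1:3]) for p in pushed if p[0] == "route"]

def lint(server, client, server_cd, client_cd, existing):
    problems = []
    for label, entries, cd in (("server", server, server_cd), ("client", client, client_cd)):
        for d in FILE_DIRECTIVES:
            for args in get(entries, d):
                p = resolve(args[0], cd)
                if p not in existing:
                    problems.append(f"{label}: {d} {args[0]} resolves to {p}, which does not exist")
    s_ta, c_ta = get(server, "tls-auth"), get(client, "tls-auth")
    if bool(s_ta) != bool(c_ta):
        problems.append("tls-auth is configured on only one side; the handshake will be rejected")
    elif s_ta:
        dirs = {a[1] if len(a) > 1 else None for a in (s_ta[0], c_ta[0])}
        if dirs != {"0", "1"}:
            problems.append("tls-auth key directions must be 0 on the server and 1 on the client")
    s_proto, c_proto = first(server, "proto", "udp"), first(client, "proto", "udp")
    if s_proto.rstrip("46") != c_proto.rstrip("46"):
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    s_port = first(server, "port", "1194")
    for args in get(client, "remote"):
        if len(args) > 1 and args[1] != s_port:
            problems.append(f"client remote port {args[1]} differs from server port {s_port}")
    if not get(client, "remote-cert-tls"):
        problems.append("client lacks 'remote-cert-tls server': any CA-signed certificate could pose as the server")
    if get(server, "comp-lzo") or get(client, "comp-lzo"):
        problems.append("comp-lzo is enabled: OpenVPN deprecates it, and compression can leak plaintext (VORACLE)")
    return problems

def run(server_text=SERVER_CONF, client_text=CLIENT_OVPN):
    """Return (tunnel mode, problems) for the constructed pair; --cd dirs are the constructed ones."""
    server, client = parse(server_text), parse(client_text)
    return tunnel_mode(server), lint(server, client, "/etc/openvpn/server", "/home/user/vpn", EXISTING)
```

On the constructed pair run() reports two problems: the server's bare ta.key resolves to /etc/openvpn/server/ta.key, which the post never creates (either copy ta.key there or give tls-auth the absolute path), and comp-lzo is enabled on the client. Point EXISTING at real paths with os.path.exists on each host to use it for a live check.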

Starting the Windows client:

Double-click the client icon to run it

Starting the Linux client:

/usr/sbin/openvpn --daemon --cd /etc/openvpn --config client.ovpn --log-append /var/log/open

Enable kernel IP forwarding

[root@localhost]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf
[root@localhost]# sysctl -p

[root@localhost]# cat /etc/sysconfig/iptables               
# Generated by iptables-save v1.4.7 on Tue Dec 26 16:39:36 2017
*filter
:INPUT ACCEPT [1707:292253]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1615:1130954]
-A FORWARD -i tun+ -j ACCEPT 
COMMIT
# Completed on Tue Dec 26 16:39:36 2017
# Generated by iptables-save v1.4.7 on Tue Dec 26 16:39:36 2017
*nat
:PREROUTING ACCEPT [28:3113]
:POSTROUTING ACCEPT [16:960]
:OUTPUT ACCEPT [22:1365]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT

#iptables -t nat -L -n
[root@localhost]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
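The ruleset above works because the FORWARD chain's default policy is ACCEPT and the MASQUERADE rule matches every source, both broader than the VPN needs. The following Python is an added example, not part of the original post: it parses iptables-save output (the first dump is constructed from the rules shown above, the second is a tightened version of the same rules) and flags a FORWARD policy of ACCEPT, a tun+ forward rule that is not limited to the WAN interface, and a MASQUERADE rule not restricted to the VPN address pool (10.8.0.0/24 from the server configuration).

```python
import shlex

# Constructed from the /etc/sysconfig/iptables shown above (packet counters zeroed).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Tightened version: forward only VPN -> WAN, let replies back in, NAT only the VPN pool.
TIGHT_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

def parse_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, {option: value})]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts, i = {}, 2
            while i < len(toks):  # "-x value" pairs; bare flags map to True ('!' negation not modelled)
                if toks[i].startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    opts[toks[i]] = True
                    i += 1
            tables[table]["rules"].append((toks[1], opts))
    return tables

def audit(tables, vpn_subnet="10.8.0.0/24", wan_if="eth0"):
    """Findings where forwarding or NAT is broader than the VPN needs."""
    findings = []
    filt, nat = tables.get("filter", {}), tables.get("nat", {})
    if filt.get("policies", {}).get("FORWARD") == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT: traffic between all interfaces is forwarded and the tun+ rule is redundant")
    for chain, o in filt.get("rules", []):
        if chain == "FORWARD" and str(o.get("-i", "")).startswith("tun") and o.get("-o") != wan_if:
            findings.append(f"FORWARD from tun+ is not restricted to -o {wan_if}")
    for chain, o in nat.get("rules", []):
        if chain == "POSTROUTING" and o.get("-j") == "MASQUERADE" and o.get("-s") != vpn_subnet:
            findings.append(f"MASQUERADE is not limited to -s {vpn_subnet}: every forwarded source is NATed")
    return findings

if __name__ == "__main__":
    for name, dump in (("current", SAMPLE_DUMP), ("tightened", TIGHT_DUMP)):
        print(name, audit(parse_dump(dump)) or ["no findings"])
```

Feed it `iptables-save` output to check a live host; the tightened ruleset passes all three checks and still gives the VPN clients the same reachability, because the reply direction is covered by the RELATED,ESTABLISHED rule rather than by an open FORWARD policy.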

Common problems

  1. You get the error: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error means the client cannot establish a network connection to the server.

    Solution

    • Make sure the hostname/IP and the port the client connects to are correct.
    • If your OpenVPN server has a single NIC and sits inside a protected LAN, make sure the gateway firewall has the right port-forwarding rule. For example, if the OpenVPN machine's address is 192.168.4.4, it sits behind a firewall and it listens for UDP connections on port 1194, then the gateway serving the 192.168.4.x subnet needs a port-forwarding rule that sends every request for UDP port 1194 to 192.168.4.4.
    • Open the server firewall to allow inbound connections on UDP port 1194, or on whichever protocol (TCP or UDP) and port the server configuration file specifies.
  2. You get the error: Initialization Sequence Completed with errors. On Windows this can happen when (a) the DHCP Client service is not running, or (b) your XP SP2 is using a third-party personal firewall.

    Solution: start the DHCP Client service, or make sure the personal firewall on your XP SP2 is configured correctly.

  3. You get the Initialization Sequence Completed message but the ping test still fails. This is usually because a firewall on the server or the client is filtering the traffic on the TUN/TAP interface.

    Solution: disable the client firewall if it filters the traffic on the TUN/TAP interface. For example, on Windows XP SP2 go to Windows Security Center -> Windows Firewall -> Advanced and untick the TAP-Win32 adapter (that is, exclude the TUN/TAP device from firewall filtering; in effect this tells the firewall not to block the VPN traffic). Likewise, make sure that on the server the TUN/TAP device is not filtered by the firewall (selective filtering on the TUN/TAP interface does give some security; see the access-policy section below).

  4. When started with a UDP configuration the connection stalls, and the server log shows the following line

    TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx

    However, this message appears only on the server; the client never shows the corresponding message.

    Solution: you only have one-way connectivity, from the client to the server; the direction from the server to the client is blocked by a firewall, usually on the client side: (a) a personal firewall running on the client, or (b) the NAT router/gateway serving the client is set up so that the UDP packets returning from the server to the client are dropped.

  5. You do not want all traffic to go through the VPN, only traffic to the server's internal IP range

    Solution:

    Edit server.conf and comment out the following three entries

    push "redirect-gateway def1 bypass-dhcp"     # make the clients use the OpenVPN server as their default gateway
    push "dhcp-option DNS 8.8.8.8"               # DNS servers pushed to clients
    push "dhcp-option DNS 114.114.114.114"

    and add the following:

    push "route 192.168.1.0 255.255.255.0"  # the server's LAN
    push "route 10.8.0.0 255.255.255.0"     # the openvpn subnet
    

References

Server and client configuration explained in Chinese: http://blog.joylau.cn/2020/05/28/OpenVPN-Config/ Reference tutorials: http://www.89cool.com/807.html#directory094381401688519765 https://www.linuxtech.cn/article/43/

Terly

A programmer practising OpenAI-oriented programming