CentOS 7.X 搭建Openvpn

环境:CentOS Linux release 7.3.1611 (Core)

查看os版本命令

[root@vpn ~]# cat  /etc/redhat-releaseCentOS Linux release 7.3.1611 (Core)

1. openvpn生成秘钥工具(需要epel源)

[root@vpn ~]# yum -y install easy-rsa

2. 生成秘钥之前,需要装备vars文件

[root@vpn ~]# mkdir /opt/easy-rsa
[root@vpn ~]# cd /opt/easy-rsa
[root@vpn easy-rsa]# /usr/bin/cp -a /usr/share/easy-rsa/3.0.7/* ./
[root@vpn easy-rsa]# lseasyrsa  openssl-easyrsa.cnf  x509-types
[root@vpn easy-rsa]# /usr/bin/cp -a /usr/share/doc/easy-rsa-3.0.7/vars.example ./vars
[root@vpn easy-rsa]# lseasyrsa  openssl-easyrsa.cnf  vars  x509-types

3. 修改配置文件脚本

[root@vpn easy-rsa]# vim vars    #有的系统默认没有安装vim,使用vi也可以同样操作  
#本来就有
if [ -z "$EASYRSA_CALLER" ]; then
        echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
        echo "This is no longer necessary and is disallowed. See the section called" >&2
        echo "'How to use this file' near the top comments for more details." >&2
        return 1
fi
 #新添加的
set_var EASYRSA_DN    "cn_only"
set_var EASYRSA_REQ_COUNTRY     "CN"                #所在的国家
set_var EASYRSA_REQ_PROVINCE    "Shanghai"          #所在的省份
set_var EASYRSA_REQ_CITY        "Shanghai"          #所在的城市
set_var EASYRSA_REQ_ORG         "ctkj"              #所在的组织
set_var EASYRSA_REQ_EMAIL       "hltxtec@163.com"   #邮箱地址
set_var EASYRSA_NS_SUPPORT      "yes" 

4. 初始化生成证书

4.1 初始化,在当前目录下创建PKI目录,用于存储证书

[root@vpn easy-rsa]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
​
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki

4.2 创建根证书,会提示设置密码,用于ca对之后生成的server和client证书签名时使用,其他可默认

[root@vpn easy-rsa]# ./easyrsa build-ca
​
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
​
Enter New CA Key Passphrase:          #输入两次一样的密码
Re-Enter New CA Key Passphrase:       #输入两次一样的密码
Generating RSA private key, 2048 bit long modulus
....................................+++
.................................................................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   
#默认回车
​
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt

4.3 创建server端证书和私钥文件,nopass表示不加密私钥文件,其他可默认

[root@vpn easy-rsa]# ./easyrsa gen-req server nopass
​
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..........................+++
.........................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-15975.B2DzNe/tmp.OuCzLY'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
#默认回车
​
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req
key: /opt/easy-rsa/pki/private/server.key

4.4 给server端证书签名,首先是对一些信息的确认,可以输入yes,然后创建ca根证书设置的密码

[root@vpn easy-rsa]# ./easyrsa sign server server
​
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..........................+++
.........................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-15975.B2DzNe/tmp.OuCzLY'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
​
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req
key: /opt/easy-rsa/pki/private/server.key
​
​
[root@zhanglei easy-rsa]# ./easyrsa sign server server
​
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
​
​
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
​
Request subject, to be signed as a server certificate for 825 days:
​
subject
=
    commonName                = server
​
​
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes      #输入yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-16158.ZTuZi5/tmp.QFCYUD
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:    #创建ca根证书设置的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'
server
'
Certificate is to be certified until Sep 21 03:03:26 2022 GMT (825 days)
​
Write out database with 1 new entries
Data Base Updated
​
Certificate created at: /opt/easy-rsa/pki/issued/server.crt
​
​
-----在此之前的操作是,创建公私钥,公钥加密,私钥解密-----方式是算法

4.5 创建diffie-hellman文件,秘钥交换时的diffie-hellman算法

[root@vpn easy-rsa]# ./easyrsa gen-dh              #较长时间
​
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............+........................................+.............................................+.........................+...............................................................................+...............................................................................................................................................................................................+..............................................................................................................................................................................................+..........................................................................................................................................................................+.........................................................................+..........................................+...................................................+......................................................................................................+....................................................+..................................................................+...........................................................+.......................+.................+.+..............+.......................................................+.....................................................................+...........................................................................................................................................................................................................................+............................................................................................................................................................................................................................................................................+...............................................................................................................................................................................................................................................................................................................................................++*++*
​
DH parameters of size 2048 created at /opt/easy-rsa/pki/dh.pem
​

4.6 创建client端证书和私钥文件,nopass表示不加密私钥文件,其他可默认

[root@vpn easy-rsa]# ./easyrsa gen-req client nopass
​
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...+++
......................................................................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-17066.jAS7v4/tmp.YMnb1v'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
#默认回车
​
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client.req
key: /opt/easy-rsa/pki/private/client.key

4.7 给client端证书签名,首先是对一些信息的确认,可以输入yes,然后创建ca根证书时设置的密码

[root@vpn easy-rsa]# ./easyrsa sign client client
​
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
​
​
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
​
Request subject, to be signed as a client certificate for 825 days:
​
subject=
    commonName                = client
​
​
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes     #输入yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-17206.93dGK9/tmp.OcicD2
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:     #创建ca根证书设置的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Sep 21 03:10:23 2022 GMT (825 days)
​
Write out database with 1 new entries
Data Base Updated
​
Certificate created at: /opt/easy-rsa/pki/issued/client.crt
​

5. 安装openvpn

[root@vpn easy-rsa]#  yum -y install openvpn

6. 配置

[root@vpn easy-rsa]# cd /etc/openvpn/
[root@vpn openvpn]# ls
client  server
[root@vpn openvpn]# vim server.conf
port 1194                    			#端口
proto udp                   			#协议
dev tun                        			#采用路由隧道模式tun
ca ca.crt                       		#ca证书文件位置
cert server.crt              			#服务端公钥名称
key server.key             				#服务端私钥名称
dh dh.pem                  				#交换证书
server 10.8.0.0 255.255.255.0           #给客户端分配地址池,注意:不要和vpn服务器内网网段有相同
push "route 172.16.1.0 255.255.255.0"   #允许客户端访问内网172.16.1.0网段  
ifconfig-pool-persist ipp.txt           #地址池记录文件位置
keepalive 10 120                        #存活时间,10秒ping一次,120 如未收到响应则视为断线
max-clients 100                         #最多允许100个客户端连接
status openvpn-status.log               #日志记录位置
verb 3                                  #openvpn版本
client-to-client                        #客户端与客户端之间支持通信
log /var/log/openvpn.log                #openvpn日志记录位置
persist-key                             #通过keepalived检测超时后,重新启动vpn,不重新读取keys,保留第一次使用的keys
persist-tun                             #检测超时后,重新启动vpn,一直保持tun是linkup的,否则网络会先linkdown再linkup
duplicate-cn

7. 根据配置文件中的文件定义,需要进行拷贝文件

[root@vpn openvpn]# cp /opt/easy-rsa/pki/ca.crt ./  
[root@vpn openvpn]# cp /opt/easy-rsa/pki/issued/server.crt ./  
[root@vpn openvpn]# cp /opt/easy-rsa/pki/private/server.key ./
[root@vpn openvpn]# cp /opt/easy-rsa/pki/dh.pem ./

8. 配置openvpn需要先开启转发功能

[root@vpn openvpn]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@vpn openvpn]# systemctl restart network
​
[root@vpn openvpn]# sysctl -p
net.ipv4.ip_forward = 1

9. 启动openvpn

[root@openvpn openvpn]# systemctl enable -f openvpn@server  #设置启动文件
[root@openvpn openvpn]# systemctl start openvpn@server  #启动openvpn服务

推广图片.jpg

文章发布自:刘俊辉的个人博客,转载请注明出处,谢谢!