未来往事的博客本次部署的通过账户与密码进行认证,实现多人登录使用VPN,只需要分发固定的证书和用户名、密码就可以,简单快捷。
一、软件与规划网络
软件版本:
Centos7.6
easy-rsa 3.0.8
OpenVPN 2.4.9
网络环境规划:
VPN客户端地址段:10.98.1.0/24
VPN服务器网卡地址:10.99.1.253
VPN流量出设备NAT为10.99.1.253
二、基础环境配置
2.1、关闭SElinux
setenforce 0 sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
2.2、开启内核转发
grep -qF "net.ipv4.ip_forward" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf sysctl -p
2.3、关闭Firewall防火墙
systemctl stop firewalld systemctl disable firewalld
三、服务器安装与部署
3.1、软件与环境安装
本文使用yum来安装openvpn,openvpn及其依赖的一些包在epel源上,首先先安装epel源。
yum -y update #更新软件包 yum install -y epel-release #安装epel源 yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel yum install -y easy-rsa #安装依赖包 yum install -y openvpn #安装openvpn
3.2、easy-rsa配置证书密钥
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
#复制easy-rsa工具
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
#复制vars.example并重命名vars
配置vars文件,文件也有该内容不过是注释的,可以直接再最后追加如下内容:
cat << EOF >> /etc/openvpn/server/easy-rsa/vars set_var EASYRSA_REQ_COUNTRY "CN" # 国家 set_var EASYRSA_REQ_PROVINCE "BJ" # 省 set_var EASYRSA_REQ_CITY "BeiJing" # 城市 set_var EASYRSA_REQ_ORG "Lin" # 组织 set_var EASYRSA_REQ_EMAIL "[email protected]" # 邮箱 set_var EASYRSA_REQ_OU "Lin" # 拥有者 set_var EASYRSA_KEY_SIZE 2048 # 长度 set_var EASYRSA_ALGO rsa # 算法 set_var EASYRSA_CA_EXPIRE 36500 # CA证书过期时间,单位天 set_var EASYRSA_CERT_EXPIRE 36500 # 签发证书的有效期是多少天,单位天 EOF
生成证书与私钥:
./easyrsa init-pki ./easyrsa build-ca nopass #生成CA证书,需要填写组织名称,随便写。 ./easyrsa build-server-full server nopass ./easyrsa gen-dh openvpn --genkey --secret ta.key
3.3、创建日志存储与用户目录
mkdir -p /var/log/openvpn/ # 日志存放目录 mkdir -p /etc/openvpn/server/user # 用户管理目录 chown -R openvpn:openvpn /var/log/openvpn # 配置权限
3.4、创建用户名密码文件
echo 'vpnuser01 admin123456' >> /etc/openvpn/server/user/psw-file #后续添加用户直接在该文件下添加就可以; chmod 600 /etc/openvpn/server/user/psw-file chown openvpn:openvpn /etc/openvpn/server/user/psw-file
3.5、创建密码检查脚本
创建一个shell文件/etc/openvpn/server/user/checkpsw.sh,内容如下:
#!/bin/sh
PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
exit 1
赋予密码检查脚本权限:
chmod 700 /etc/openvpn/server/user/checkpsw.sh chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh
3.7、创建OpenVPN服务器配置文件
编辑/etc/openvpn/server/server.conf文件,并写入以下内容:
(也可以复制一份模板文件进行改写,模板文件路径 /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf
port 10444 proto udp dev tun user openvpn group openvpn #配置证书信息 ca /etc/openvpn/server/easy-rsa/pki/ca.crt cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt key /etc/openvpn/server/easy-rsa/pki/private/server.key dh /etc/openvpn/server/easy-rsa/pki/dh.pem tls-auth /etc/openvpn/server/easy-rsa/ta.key 0 #配置账号密码的认证方式 auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env script-security 3 verify-client-cert none username-as-common-name client-to-client duplicate-cn #配置网络信息 server 10.98.1.0 255.255.255.0 push "route 10.99.1.0 255.255.255.0" push "route 172.16.0.9 255.255.255.255" compress lzo cipher AES-256-CBC keepalive 10 120 persist-key persist-tun verb 3 reneg-sec 0 #配置日志存放位置 log /var/log/openvpn/server.log log-append /var/log/openvpn/server.log status /var/log/openvpn/status.log
设置server.conf配置文件软链接,因为程序获取的配置文件为:.server.conf
cd /etc/openvpn/server/ ln -sf server.conf .service.conf
3.8、设置NAT规则或防火墙规则
需要配置一条NAT的规则,这里我使用的是iptables,下面也有firewalld的示例(网卡eth0名称根据实际修改),如果你VPN互访是通过路由通信则不需要配置NAT规则:
iptables:
iptables -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE iptables-save > /etc/sysconfig/iptables #保存iptable规则并开机自动加载 [[email protected]_Pool_OpenVPN ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 565 packets, 35712 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 34 packets, 8096 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 370 packets, 27300 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 370 packets, 27300 bytes) pkts bytes target prot opt in out source destination 531 27616 MASQUERADE all -- * ens192 10.98.1.0/24 0.0.0.0/0
firewalld(建议使用iptables):
#设置防火墙开机自启动 systemctl enable firewalld --now firewall-cmd --public --add-masquerade # 允许防火墙伪装IP firewall-cmd --public --add-port=10444/udp firewall-cmd --public --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE firewall-cmd --reload
3.9、启动服务并设置开机自动启动
rpm -ql openvpn |grep service # 查看service名 /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/[email protected] systemctl start [email protected] # 启动 systemctl status [email protected] #检查服务状态 systemctl enable [email protected] #设置开机自启
四、Windows客户端配置
因为我们前面配置的是账号密码认证,所以我们只需要下载ca.crt、ta.key文件即可,从server上将生成的ca.crt、ta.key下载到客户端的配置文件config下。ca.crt在/etc/openvpn/server/easy-rsa/pki/下
在config目录(目录位置:C:\Users\[用户名]\OpenVPN\config\)下新建一个文件 client.ovpn,文件内容如下:
client proto udp dev tun auth-user-pass remote www.aalook.com 10444 ca ca.crt tls-auth ta.key 1 remote-cert-tls server cipher AES-256-CBC auth-nocache persist-tun persist-key reneg-sec 0 compress lzo verb 3 mute 10
配置完成就可以进行连接测试了:
参考文章:
https://www.jianshu.com/p/637b4123fc92
https://www.fandenggui.com/post/centos7-install-openvpn.html
