未来往事本次部署的通过账户与密码进行认证,实现多人登录使用VPN,只需要分发固定的证书和用户名、密码就可以,简单快捷。
一、软件与规划网络
软件版本:
Centos7.6
easy-rsa 3.0.8
OpenVPN 2.4.9
网络环境规划:
VPN客户端地址段:10.98.1.0/24
VPN服务器网卡地址:10.99.1.253
VPN流量出设备NAT为10.99.1.253
二、基础环境配置
2.1、关闭SElinux
setenforce 0 sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
2.2、开启内核转发
grep -qF "net.ipv4.ip_forward" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf sysctl -p
2.3、关闭Firewall防火墙
systemctl stop firewalld systemctl disable firewalld
三、服务器安装与部署
3.1、软件与环境安装
本文使用yum来安装openvpn,openvpn及其依赖的一些包在epel源上,首先先安装epel源。
yum -y update #更新软件包 yum install -y epel-release #安装epel源 yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel yum install -y easy-rsa #安装依赖包 yum install -y openvpn #安装openvpn
3.2、easy-rsa配置证书密钥
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
#复制easy-rsa工具
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
#复制vars.example并重命名vars
配置vars文件,文件也有该内容不过是注释的,可以直接再最后追加如下内容:
cat << EOF >> /etc/openvpn/server/easy-rsa/vars set_var EASYRSA_REQ_COUNTRY "CN" # 国家 set_var EASYRSA_REQ_PROVINCE "BJ" # 省 set_var EASYRSA_REQ_CITY "BeiJing" # 城市 set_var EASYRSA_REQ_ORG "Lin" # 组织 set_var EASYRSA_REQ_EMAIL "test@xxshell.com" # 邮箱 set_var EASYRSA_REQ_OU "Lin" # 拥有者 set_var EASYRSA_KEY_SIZE 2048 # 长度 set_var EASYRSA_ALGO rsa # 算法 set_var EASYRSA_CA_EXPIRE 36500 # CA证书过期时间,单位天 set_var EASYRSA_CERT_EXPIRE 36500 # 签发证书的有效期是多少天,单位天 EOF
生成证书与私钥:
./easyrsa init-pki ./easyrsa build-ca nopass #生成CA证书,需要填写组织名称,随便写。 ./easyrsa build-server-full server nopass ./easyrsa gen-dh openvpn --genkey --secret ta.key
3.3、创建日志存储与用户目录
mkdir -p /var/log/openvpn/ # 日志存放目录 mkdir -p /etc/openvpn/server/user # 用户管理目录 chown -R openvpn:openvpn /var/log/openvpn # 配置权限
3.4、创建用户名密码文件
echo 'vpnuser01 admin123456' >> /etc/openvpn/server/user/psw-file #后续添加用户直接在该文件下添加就可以; chmod 600 /etc/openvpn/server/user/psw-file chown openvpn:openvpn /etc/openvpn/server/user/psw-file
3.5、创建密码检查脚本
创建一个shell文件/etc/openvpn/server/user/checkpsw.sh,内容如下:
#!/bin/sh
PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
exit 1
赋予密码检查脚本权限:
chmod 700 /etc/openvpn/server/user/checkpsw.sh chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh
3.7、创建OpenVPN服务器配置文件
编辑/etc/openvpn/server/server.conf文件,并写入以下内容:
(也可以复制一份模板文件进行改写,模板文件路径 /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf
port 10444 proto udp dev tun user openvpn group openvpn #配置证书信息 ca /etc/openvpn/server/easy-rsa/pki/ca.crt cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt key /etc/openvpn/server/easy-rsa/pki/private/server.key dh /etc/openvpn/server/easy-rsa/pki/dh.pem tls-auth /etc/openvpn/server/easy-rsa/ta.key 0 #配置账号密码的认证方式 auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env script-security 3 verify-client-cert none username-as-common-name client-to-client duplicate-cn #配置网络信息 server 10.98.1.0 255.255.255.0 push "route 10.99.1.0 255.255.255.0" push "route 172.16.0.9 255.255.255.255" compress lzo cipher AES-256-CBC keepalive 10 120 persist-key persist-tun verb 3 reneg-sec 0 #配置日志存放位置 log /var/log/openvpn/server.log log-append /var/log/openvpn/server.log status /var/log/openvpn/status.log
设置server.conf配置文件软链接,因为程序获取的配置文件为:.server.conf
cd /etc/openvpn/server/ ln -sf server.conf .service.conf
3.8、设置NAT规则或防火墙规则
需要配置一条NAT的规则,这里我使用的是iptables,下面也有firewalld的示例(网卡eth0名称根据实际修改),如果你VPN互访是通过路由通信则不需要配置NAT规则:
iptables:
systemctl stop firewalld systemctl disable firewalld #关闭firewalld防火墙 yum -y install iptables-services systemctl enable iptables.service systemctl start iptables.service iptables -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE #添加NAT规则 iptables-save iptables-save > /etc/sysconfig/iptables #保存iptable规则并开机自动加载 [root@Cloud_Pool_OpenVPN ~]# iptables -t nat -nvL #查看nat规则
firewalld(建议使用iptables):
#设置防火墙开机自启动 systemctl enable firewalld --now firewall-cmd --public --add-masquerade # 允许防火墙伪装IP firewall-cmd --public --add-port=10444/udp firewall-cmd --public --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE firewall-cmd --reload
3.9、启动服务并设置开机自动启动
rpm -ql openvpn |grep service # 查看service名 /usr/lib/systemd/system/openvpn-client@.service /usr/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn@.service systemctl start openvpn-server@.service.service # 启动 systemctl status openvpn-server@.service.service #检查服务状态 systemctl enable openvpn-server@.service.service #设置开机自启
四、Windows客户端配置
因为我们前面配置的是账号密码认证,所以我们只需要下载ca.crt、ta.key文件即可,从server上将生成的ca.crt、ta.key下载到客户端的配置文件config下。ca.crt在/etc/openvpn/server/easy-rsa/pki/下
在config目录(目录位置:C:\Users\[用户名]\OpenVPN\config\)下新建一个文件 client.ovpn,文件内容如下:
client proto udp dev tun auth-user-pass remote www.aalook.com 10444 ca ca.crt tls-auth ta.key 1 remote-cert-tls server cipher AES-256-CBC auth-nocache persist-tun persist-key reneg-sec 0 compress lzo verb 3 mute 10
配置完成就可以进行连接测试了:
参考文章:
https://www.jianshu.com/p/637b4123fc92
https://www.fandenggui.com/post/centos7-install-openvpn.html
TLS key negotiation failed to occur within 60 seconds (check your network connectivity)