CentOS7安装部署OpenVPN-未来往事的博客

本次部署的通过账户与密码进行认证，实现多人登录使用VPN，只需要分发固定的证书和用户名、密码就可以，简单快捷。

一、软件与规划网络

软件版本：
Centos7.6
easy-rsa 3.0.8
OpenVPN 2.4.9
网络环境规划：
VPN客户端地址段：10.98.1.0/24
VPN服务器网卡地址：10.99.1.253
VPN流量出设备NAT为10.99.1.253

二、基础环境配置

2.1、关闭SElinux

setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config

1 2	setenforce 0 sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config

2.2、开启内核转发

grep -qF "net.ipv4.ip_forward" /etc/sysctl.conf  || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

1 2	grep -qF "net.ipv4.ip_forward" /etc/sysctl.conf \|\| echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf sysctl -p

2.3、关闭Firewall防火墙

systemctl stop firewalld
systemctl disable firewalld

1 2	systemctl stop firewalld systemctl disable firewalld

三、服务器安装与部署

3.1、软件与环境安装

本文使用yum来安装openvpn，openvpn及其依赖的一些包在epel源上，首先先安装epel源。

yum -y update
#更新软件包
yum install -y epel-release
#安装epel源
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
yum install -y easy-rsa
#安装依赖包
yum install -y openvpn
#安装openvpn

yum -y update

#更新软件包

yum install -y epel-release

#安装epel源

yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel

yum install -y easy-rsa

#安装依赖包

yum install -y openvpn

#安装openvpn

3.2、easy-rsa配置证书密钥

cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
#复制easy-rsa工具
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
#复制vars.example并重命名vars

cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa

cd /etc/openvpn/server/easy-rsa

#复制easy-rsa工具

find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars

#复制vars.example并重命名vars

配置vars文件，文件也有该内容不过是注释的，可以直接再最后追加如下内容：

cat << EOF >> /etc/openvpn/server/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY     "CN"
# 国家
set_var EASYRSA_REQ_PROVINCE    "BJ"
# 省
set_var EASYRSA_REQ_CITY        "BeiJing"
# 城市
set_var EASYRSA_REQ_ORG         "Lin"
# 组织
set_var EASYRSA_REQ_EMAIL       "test@xxshell.com"
# 邮箱
set_var EASYRSA_REQ_OU          "Lin"
# 拥有者

set_var EASYRSA_KEY_SIZE        2048
# 长度
set_var EASYRSA_ALGO            rsa
# 算法

set_var EASYRSA_CA_EXPIRE      36500
# CA证书过期时间，单位天
set_var EASYRSA_CERT_EXPIRE    36500
# 签发证书的有效期是多少天，单位天
EOF

cat << EOF >> /etc/openvpn/server/easy-rsa/vars

set_var EASYRSA_REQ_COUNTRY "CN"

# 国家

set_var EASYRSA_REQ_PROVINCE "BJ"

# 省

set_var EASYRSA_REQ_CITY "BeiJing"

# 城市

set_var EASYRSA_REQ_ORG "Lin"

# 组织

set_var EASYRSA_REQ_EMAIL "test@xxshell.com"

# 邮箱

set_var EASYRSA_REQ_OU "Lin"

# 拥有者

set_var EASYRSA_KEY_SIZE 2048

# 长度

set_var EASYRSA_ALGO rsa

# 算法

set_var EASYRSA_CA_EXPIRE 36500

# CA证书过期时间，单位天

set_var EASYRSA_CERT_EXPIRE 36500

# 签发证书的有效期是多少天，单位天

EOF

生成证书与私钥：

./easyrsa init-pki
./easyrsa build-ca nopass
#生成CA证书，需要填写组织名称，随便写。
./easyrsa build-server-full server nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key

./easyrsa init-pki

./easyrsa build-ca nopass

#生成CA证书，需要填写组织名称，随便写。

./easyrsa build-server-full server nopass

./easyrsa gen-dh

openvpn --genkey --secret ta.key

3.3、创建日志存储与用户目录

mkdir -p /var/log/openvpn/
# 日志存放目录
mkdir -p /etc/openvpn/server/user
# 用户管理目录
chown -R openvpn:openvpn /var/log/openvpn
# 配置权限

mkdir -p /var/log/openvpn/

# 日志存放目录

mkdir -p /etc/openvpn/server/user

# 用户管理目录

chown -R openvpn:openvpn /var/log/openvpn

# 配置权限

3.4、创建用户名密码文件

echo 'vpnuser01 admin123456' >> /etc/openvpn/server/user/psw-file
#后续添加用户直接在该文件下添加就可以；
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file

echo 'vpnuser01 admin123456' >> /etc/openvpn/server/user/psw-file

#后续添加用户直接在该文件下添加就可以；

chmod 600 /etc/openvpn/server/user/psw-file

chown openvpn:openvpn /etc/openvpn/server/user/psw-file

3.5、创建密码检查脚本

创建一个shell文件/etc/openvpn/server/user/checkpsw.sh，内容如下：

#!/bin/sh

PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>  ${LOG_FILE}
  exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
exit 1

#!/bin/sh

PASSFILE="/etc/openvpn/server/user/psw-file"

LOG_FILE="/var/log/openvpn/password.log"

TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ]; then

echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}

exit 1

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then

echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=

\"${password}\"." >> ${LOG_FILE}

exit 1

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then

echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}

exit 0

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=

\"${password}\"." >> ${LOG_FILE}

exit 1

赋予密码检查脚本权限：

chmod 700 /etc/openvpn/server/user/checkpsw.sh
chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh

1 2	chmod 700 /etc/openvpn/server/user/checkpsw.sh chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh

3.7、创建OpenVPN服务器配置文件

编辑/etc/openvpn/server/server.conf文件，并写入以下内容:
(也可以复制一份模板文件进行改写，模板文件路径 /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf

port 10444
proto udp
dev tun
user openvpn
group openvpn

#配置证书信息
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

#配置账号密码的认证方式
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
verify-client-cert none
username-as-common-name
client-to-client
duplicate-cn

#配置网络信息
server 10.98.1.0 255.255.255.0
push "route 10.99.1.0 255.255.255.0"
push "route 172.16.0.9 255.255.255.255"

compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3
reneg-sec 0

#配置日志存放位置
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log

port 10444

proto udp

dev tun

user openvpn

group openvpn

#配置证书信息

ca /etc/openvpn/server/easy-rsa/pki/ca.crt

cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt

key /etc/openvpn/server/easy-rsa/pki/private/server.key

dh /etc/openvpn/server/easy-rsa/pki/dh.pem

tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

#配置账号密码的认证方式

auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env

script-security 3

verify-client-cert none

username-as-common-name

client-to-client

duplicate-cn

#配置网络信息

server 10.98.1.0 255.255.255.0

push "route 10.99.1.0 255.255.255.0"

push "route 172.16.0.9 255.255.255.255"

compress lzo

cipher AES-256-CBC

keepalive 10 120

persist-key

persist-tun

verb 3

reneg-sec 0

#配置日志存放位置

log /var/log/openvpn/server.log

log-append /var/log/openvpn/server.log

status /var/log/openvpn/status.log

设置server.conf配置文件软链接，因为程序获取的配置文件为：.server.conf

cd /etc/openvpn/server/
ln -sf server.conf .service.conf

1 2	cd /etc/openvpn/server/ ln -sf server.conf .service.conf

3.8、设置NAT规则或防火墙规则

需要配置一条NAT的规则，这里我使用的是iptables，下面也有firewalld的示例（网卡eth0名称根据实际修改）：
iptables：

iptables -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
#保存iptable规则并开机自动加载
[root@Cloud_Pool_OpenVPN ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 565 packets, 35712 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 34 packets, 8096 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 370 packets, 27300 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 370 packets, 27300 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  531 27616 MASQUERADE  all  --  *      ens192  10.98.1.0/24         0.0.0.0/0

iptables -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE

iptables-save > /etc/sysconfig/iptables

#保存iptable规则并开机自动加载

[root@Cloud_Pool_OpenVPN ~]# iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 565 packets, 35712 bytes)

pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 34 packets, 8096 bytes)

pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 370 packets, 27300 bytes)

pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 370 packets, 27300 bytes)

pkts bytes target prot opt in out source destination

531 27616 MASQUERADE all -- * ens192 10.98.1.0/24 0.0.0.0/0

firewalld：

firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-service=openvpn
# 或者添加自定义端口
firewall-cmd --permanent  --add-port=10444/udp
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload

firewall-cmd --permanent --add-masquerade

firewall-cmd --permanent --add-service=openvpn

# 或者添加自定义端口

firewall-cmd --permanent --add-port=10444/udp

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE

firewall-cmd --reload

3.9、启动服务并设置开机自动启动

rpm -ql openvpn |grep service
# 查看service名
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service

systemctl start openvpn-server@.service.service
# 启动
systemctl status openvpn-server@.service.service
#检查服务状态
systemctl enable openvpn-server@.service.service
#设置开机自启

rpm -ql openvpn |grep service

# 查看service名

/usr/lib/systemd/system/openvpn-client@.service

/usr/lib/systemd/system/openvpn-server@.service

/usr/lib/systemd/system/openvpn@.service

systemctl start openvpn-server@.service.service

# 启动

systemctl status openvpn-server@.service.service

#检查服务状态

systemctl enable openvpn-server@.service.service

#设置开机自启

四、Windows客户端配置

因为我们前面配置的是账号密码认证，所以我们只需要下载ca.crt、ta.key文件即可，从server上将生成的ca.crt、ta.key下载到客户端的配置文件config下。ca.crt在/etc/openvpn/server/easy-rsa/pki/下
在config目录（目录位置：C:\Users\[用户名]\OpenVPN\config\）下新建一个文件 client.ovpn，文件内容如下：

client
proto udp
dev tun
auth-user-pass
remote www.aalook.com 10444
ca ca.crt
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
reneg-sec 0
compress lzo
verb 3
mute 10

client

proto udp

dev tun

auth-user-pass

remote www.aalook.com 10444

ca ca.crt

tls-auth ta.key 1

remote-cert-tls server

cipher AES-256-CBC

auth-nocache

persist-tun

persist-key

reneg-sec 0

compress lzo

verb 3

mute 10

配置完成就可以进行连接测试了：

参考文章：

https://www.jianshu.com/p/637b4123fc92

https://www.fandenggui.com/post/centos7-install-openvpn.html

CentOS7安装部署OpenVPN

一、软件与规划网络

二、基础环境配置

2.1、关闭SElinux

2.2、开启内核转发

2.3、关闭Firewall防火墙

三、服务器安装与部署

3.1、软件与环境安装

3.2、easy-rsa配置证书密钥

3.3、创建日志存储与用户目录

3.4、创建用户名密码文件

3.5、创建密码检查脚本

3.7、创建OpenVPN服务器配置文件

3.8、设置NAT规则或防火墙规则

3.9、启动服务并设置开机自动启动

四、Windows客户端配置

相关推荐

评论抢沙发

热门标签

一、软件与规划网络

二、基础环境配置

2.1、关闭SElinux

2.2、开启内核转发

2.3、关闭Firewall防火墙

三、服务器安装与部署

3.1、软件与环境安装

3.2、easy-rsa配置证书密钥

3.3、创建日志存储与用户目录

3.4、创建用户名密码文件

3.5、创建密码检查脚本

3.7、创建OpenVPN服务器配置文件

3.8、设置NAT规则或防火墙规则

3.9、启动服务并设置开机自动启动

四、Windows客户端配置

相关推荐

评论 抢沙发

热门标签

评论抢沙发