
Installing and Deploying OpenVPN on CentOS 7

This deployment authenticates users by username and password, so several people can use the VPN at once: you only need to hand out one fixed certificate plus a username and password, which is simple and quick.

1. Software and Network Planning

Software versions:
CentOS 7.6
easy-rsa 3.0.8
OpenVPN 2.4.9
Network plan:
VPN client address range: 10.98.1.0/24
VPN server NIC address: 10.99.1.253
VPN traffic leaves the device NATed to 10.99.1.253

2. Basic Environment Configuration

2.1 Disable SELinux

setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config

2.2 Enable kernel IP forwarding

grep -qF "net.ipv4.ip_forward" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

2.3 Stop the firewalld firewall

systemctl stop firewalld
systemctl disable firewalld

3. Server Installation and Deployment

3.1 Install the software and environment

This article installs OpenVPN with yum. OpenVPN and some of its dependencies live in the EPEL repository, so install the EPEL repository first.

yum -y update
# update installed packages
yum install -y epel-release
# install the EPEL repository
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
yum install -y easy-rsa
# install dependencies
yum install -y openvpn
# install openvpn

3.2 Configure certificates and keys with easy-rsa

cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
# copy the easy-rsa tool
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
# copy vars.example here and rename it to vars

Configure the vars file. The file already contains these settings, but commented out, so you can simply append the following at the end:

cat << EOF >> /etc/openvpn/server/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY     "CN"
# country
set_var EASYRSA_REQ_PROVINCE    "BJ"
# province
set_var EASYRSA_REQ_CITY        "BeiJing"
# city
set_var EASYRSA_REQ_ORG         "Lin"
# organization
set_var EASYRSA_REQ_EMAIL       "[email protected]"
# e-mail address
set_var EASYRSA_REQ_OU          "Lin"
# organizational unit (owner)

set_var EASYRSA_KEY_SIZE        2048
# key length
set_var EASYRSA_ALGO            rsa
# algorithm

set_var EASYRSA_CA_EXPIRE      36500
# CA certificate lifetime, in days
set_var EASYRSA_CERT_EXPIRE    36500
# lifetime of issued certificates, in days
EOF

Generate the certificates and private keys:

./easyrsa init-pki
./easyrsa build-ca nopass
# generate the CA certificate; you will be prompted for a name, any value will do.
./easyrsa build-server-full server nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key

3.3 Create the log and user directories

mkdir -p /var/log/openvpn/
# log directory
mkdir -p /etc/openvpn/server/user
# user management directory
chown -R openvpn:openvpn /var/log/openvpn
# set ownership

3.4 Create the username/password file

echo 'vpnuser01 admin123456' >> /etc/openvpn/server/user/psw-file
# to add users later, simply append more lines to this file
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file

3.5 Create the password check script

Create a shell script /etc/openvpn/server/user/checkpsw.sh with the following content. OpenVPN calls it with via-env, so the submitted credentials arrive in the username and password environment variables:

#!/bin/sh

PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi
# Look up the user's password. The username is handed to awk as a variable (-v)
# rather than spliced into the program text, so a name containing quotes cannot
# alter the awk program. Lines starting with ; or # are treated as comments.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

Set the permissions of the password check script:

chmod 700 /etc/openvpn/server/user/checkpsw.sh
chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh
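The script above keeps passwords in clear text and, on a failed login, writes the submitted password into the log as well. The variant below is an added example (not code from the original post) showing how the same hook can be hardened: the password file holds one line per user in the form `username salt sha256hex` (a layout chosen for this example), the log never contains a password, usernames are restricted to a small safe character set, and the username reaches awk as a variable. The file paths follow the post; `add_user`, `check_user` and `hash_pw` are names chosen here. Because OpenVPN sets `script_type` together with `username` and `password` in the environment of an `auth-user-pass-verify ... via-env` script, the file runs the check when OpenVPN calls it and otherwise only defines the functions.

```shell
#!/bin/sh
# Hardened password check for "auth-user-pass-verify ... via-env" (added example).
# Password file format (one user per line):  username salt sha256hex
# where sha256hex = sha256(salt ":" password). Salts are 16 random bytes in hex.

PASSFILE="${PASSFILE:-/etc/openvpn/server/user/psw-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn/password.log}"

# log MESSAGE: timestamped line appended to LOG_FILE (never include the password)
log() { printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$*" >> "$LOG_FILE"; }

# hash_pw SALT PASSWORD: print the hex SHA-256 digest of "salt:password"
hash_pw() { printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1; }

# add_user USER PASSWORD: append a salted entry to PASSFILE (run by the admin)
add_user() {
    local user="$1" pw="$2" salt
    salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s %s %s\n' "$user" "$salt" "$(hash_pw "$salt" "$pw")" >> "$PASSFILE"
}

# check_user USER PASSWORD: return 0 on success, 1 on any failure
check_user() {
    local user="$1" pw="$2" entry salt stored
    # refuse names with characters outside [A-Za-z0-9._@-] before touching anything
    case "$user" in
        ""|*[!A-Za-z0-9._@-]*) log "Rejected malformed username"; return 1;;
    esac
    if [ ! -r "$PASSFILE" ]; then
        log "Could not open password file \"$PASSFILE\" for reading"; return 1
    fi
    # the username is passed with -v, so it is data for awk, never program text;
    # lines starting with ; or # are comments
    entry=$(awk -v u="$user" '!/^[;#]/ && $1==u { print $2, $3; exit }' "$PASSFILE")
    salt=${entry%% *}; stored=${entry#* }
    if [ -z "$entry" ] || [ -z "$stored" ]; then
        log "User does not exist: username=\"$user\""; return 1
    fi
    if [ "$(hash_pw "$salt" "$pw")" = "$stored" ]; then
        log "Successful authentication: username=\"$user\""; return 0
    fi
    log "Incorrect password: username=\"$user\""; return 1
}

# When OpenVPN invokes the script, script_type ends in "user-pass-verify" and the
# credentials are in $username / $password; otherwise just provide the functions.
case "${script_type:-}" in
    *user-pass-verify) check_user "${username:-}" "${password:-}"; exit $?;;
esac
```

Install it in place of checkpsw.sh with the same `chmod 700` / `chown openvpn:openvpn` as above, and create users with `. ./checkpsw.sh; add_user vpnuser01 'a-strong-password'` instead of echoing clear-text lines into psw-file. Because every entry has its own salt, two users with the same password get different digests, so the file leaks nothing about shared passwords if it is ever read.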

3.7 Create the OpenVPN server configuration file

Edit /etc/openvpn/server/server.conf and write the following into it
(you can also copy and adapt the sample file at /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf):

port 10444
proto udp
dev tun
user openvpn
group openvpn

# certificate settings
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

# username/password authentication
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
verify-client-cert none
username-as-common-name
client-to-client
duplicate-cn

# network settings
server 10.98.1.0 255.255.255.0
push "route 10.99.1.0 255.255.255.0"
push "route 172.16.0.9 255.255.255.255"

compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3
reneg-sec 0

# log locations
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log

Create a symlink for server.conf, because the program looks for the configuration file as .server.conf:

cd /etc/openvpn/server/
ln -sf server.conf .service.conf
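Before starting the daemon it is worth checking server.conf against the requirements implied above. The script below is an added example (not part of the original post): `check_server_conf` verifies that every file named by `ca`, `cert`, `key`, `dh` and `tls-auth` exists, that the private key and ta.key are owner-only, that `auth-user-pass-verify ... via-env` is paired with `script-security 3` (OpenVPN refuses to run via-env scripts at a lower level), that `verify-client-cert none` is not used without a password hook (otherwise anyone holding ca.crt and ta.key could connect), and that `user`/`group` are set so the daemon drops root. It assumes a Linux host (GNU `stat -c`); the function and directive names are the only things taken from the post.

```shell
#!/bin/sh
# Static sanity check for an OpenVPN server.conf (added example, Linux only).
# Usage: check_server_conf /etc/openvpn/server/server.conf
# Prints one line per finding and returns the number of findings (0 = clean).

# conf_value FILE DIRECTIVE: print the arguments of the first matching directive
conf_value() {
    awk -v d="$2" '$1==d { $1=""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

check_server_conf() {
    conf="$1"; n=0
    if [ ! -r "$conf" ]; then echo "cannot read $conf"; return 1; fi

    # 1. every referenced credential file must be present; secrets must be owner-only
    for d in ca cert key dh tls-auth; do
        v=$(conf_value "$conf" "$d")
        path=${v%% *}                      # "tls-auth FILE 0" -> FILE
        if [ -z "$path" ]; then echo "missing directive: $d"; n=$((n+1)); continue; fi
        if [ ! -r "$path" ]; then echo "$d: file not readable: $path"; n=$((n+1)); continue; fi
        case "$d" in
            key|tls-auth)
                mode=$(stat -c '%a' "$path")
                case "$mode" in
                    *00) ;;                # 600, 400, 700: no group/other bits
                    *) echo "$d: $path is mode $mode, expected owner-only (600)"; n=$((n+1));;
                esac;;
        esac
    done

    # 2. via-env scripts only run with script-security 3
    aupv=$(conf_value "$conf" auth-user-pass-verify)
    case "$aupv" in
        *via-env*)
            if [ "$(conf_value "$conf" script-security)" != "3" ]; then
                echo "auth-user-pass-verify via-env requires 'script-security 3'"; n=$((n+1))
            fi;;
    esac

    # 3. with client certificates disabled, the password hook is the only gate
    if [ "$(conf_value "$conf" verify-client-cert)" = "none" ] && [ -z "$aupv" ]; then
        echo "verify-client-cert none without auth-user-pass-verify: no client authentication"
        n=$((n+1))
    fi

    # 4. the daemon should drop privileges after start-up
    for d in user group; do
        if [ -z "$(conf_value "$conf" "$d")" ]; then
            echo "missing directive: $d (daemon keeps root)"; n=$((n+1))
        fi
    done
    return $n
}
```

Run it as `check_server_conf /etc/openvpn/server/server.conf; echo "findings: $?"` after writing the configuration; a clean result prints nothing and returns 0.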

3.8 Set up NAT or firewall rules

A NAT rule is needed. Here I use iptables; a firewalld example follows as well (change the NIC name eth0 to match your system). If the VPN traffic reaches the other side through routing instead, no NAT rule is needed.
iptables:

iptables -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
# save the iptables rules so they are loaded again at boot
[[email protected]_Pool_OpenVPN ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 565 packets, 35712 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 34 packets, 8096 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 370 packets, 27300 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 370 packets, 27300 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  531 27616 MASQUERADE  all  --  *      ens192  10.98.1.0/24         0.0.0.0/0

firewalld (iptables is recommended):

# enable firewalld at boot and start it now
systemctl enable firewalld --now
# use --permanent, otherwise the rules are runtime-only and the --reload below discards them;
# the zone is selected with --zone=public (there is no --public option)
firewall-cmd --permanent --zone=public --add-masquerade  # let the firewall masquerade (NAT) outgoing traffic
firewall-cmd --permanent --zone=public --add-port=10444/udp
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload

3.9 Start the service and enable it at boot

rpm -ql openvpn | grep service
# list the service unit names
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]

systemctl start [email protected]
# start the service
systemctl status [email protected]
# check the service status
systemctl enable [email protected]
# enable it at boot

4. Windows Client Configuration

Because we configured username/password authentication above, the client only needs the ca.crt and ta.key files. Copy the generated ca.crt and ta.key from the server into the client's config directory; ca.crt is in /etc/openvpn/server/easy-rsa/pki/ and ta.key in /etc/openvpn/server/easy-rsa/.
In the config directory (C:\Users\[username]\OpenVPN\config\) create a new file client.ovpn with the following content:

client
proto udp
dev tun
auth-user-pass
remote www.aalook.com 10444
ca ca.crt
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
reneg-sec 0
compress lzo
verb 3
mute 10

Once the configuration is complete you can test the connection.
