
Installing and Deploying OpenVPN on Linux

This deployment authenticates users by username and password, so several people can log in to the VPN at once: you only need to hand out one fixed certificate plus a username and password, which is simple and quick.

1. Software and network planning

Software versions:
CentOS 7.6
easy-rsa 3.0.8
OpenVPN 2.4.9
Network plan:
VPN client address range: 10.98.1.0/24
VPN server NIC address: 10.99.1.253
VPN egress traffic is NATed to 10.99.1.253

2. Basic environment configuration

2.1 Disable SELinux

setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config

2.2 Enable kernel IP forwarding

grep -qF "net.ipv4.ip_forward" /etc/sysctl.conf  || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

2.3 Stop the firewalld firewall

systemctl stop firewalld
systemctl disable firewalld

3. Server installation and deployment

3.1 Installing the software and environment

This article installs openvpn with yum. openvpn and some of its dependencies live in the EPEL repository, so install the EPEL repository first.

yum -y update
# update installed packages
yum install -y epel-release
# install the EPEL repository
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
yum install -y easy-rsa
# install dependencies
yum install -y openvpn
# install openvpn

3.2 Generating certificates and keys with easy-rsa

cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
# copy the easy-rsa tooling
find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
# copy vars.example here and rename it to vars

Configure the vars file. The file already contains these settings, but commented out, so you can simply append the following to the end:

cat << EOF >> /etc/openvpn/server/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY     "CN"
# country
set_var EASYRSA_REQ_PROVINCE    "BJ"
# province
set_var EASYRSA_REQ_CITY        "BeiJing"
# city
set_var EASYRSA_REQ_ORG         "Lin"
# organization
set_var EASYRSA_REQ_EMAIL       "test@xxshell.com"
# e-mail address
set_var EASYRSA_REQ_OU          "Lin"
# organizational unit (owner)

set_var EASYRSA_KEY_SIZE        2048
# key length
set_var EASYRSA_ALGO            rsa
# algorithm

set_var EASYRSA_CA_EXPIRE      36500
# CA certificate validity, in days
set_var EASYRSA_CERT_EXPIRE    36500
# validity of issued certificates, in days
EOF

Generate the certificates and private keys:

./easyrsa init-pki
./easyrsa build-ca nopass
# generate the CA certificate; you are prompted for a name, any value will do
./easyrsa build-server-full server nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key

3.3 Creating the log and user directories

mkdir -p /var/log/openvpn/
# log directory
mkdir -p /etc/openvpn/server/user
# user management directory
chown -R openvpn:openvpn /var/log/openvpn
# set ownership

3.4 Creating the username/password file

echo 'vpnuser01 admin123456' >> /etc/openvpn/server/user/psw-file
# to add users later, simply append more lines to this file
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file

3.5 Creating the password check script

Create a shell script /etc/openvpn/server/user/checkpsw.sh with the following content:

#!/bin/sh
# OpenVPN runs this script with the client's username and password in the
# environment (auth-user-pass-verify ... via-env); exit 0 accepts, exit 1 rejects.

PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Look up the user's password, skipping comment lines; -v passes the username as an
# awk variable instead of splicing it into the awk program text.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}")
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# Note: the "does not exist" and "incorrect password" messages record the submitted
# password in clear text in password.log.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1

Set permissions on the password check script:

chmod 700 /etc/openvpn/server/user/checkpsw.sh
chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh
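As an added example (not the post's script), here is a variant of the checker that stores salted SHA-256 hashes in psw-file instead of clear-text passwords, keeps the submitted password out of the log, and hands the username to awk with -v rather than splicing it into the awk program. The psw-file line format and the --add/--verify arguments are my assumptions; with them the server.conf line becomes auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh --verify" via-env.

```shell
#!/bin/sh
# Added example, not the original post's script: OpenVPN auth-user-pass-verify
# helper for "via-env" that keeps salted SHA-256 hashes in psw-file.
# Assumed psw-file line format:  <username> <salt> <hex sha256("salt:password")>
# server.conf:  auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh --verify" via-env

PASSFILE="${PASSFILE:-/etc/openvpn/server/user/psw-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn/password.log}"

log() { printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"; }

# hash_password SALT PASSWORD -> 64 hex characters on stdout
hash_password() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
  else
    printf '%s:%s' "$1" "$2" | openssl dgst -sha256 -r | cut -d' ' -f1
  fi
}

# verify_user USER PASSWORD [FILE]: returns 0 when the salted hash matches, 1 otherwise
verify_user() {
  user="$1"; pass="$2"; file="${3:-$PASSFILE}"
  [ -r "$file" ] || { log "could not open password file \"$file\""; return 1; }
  # -v keeps the username out of the awk program text; comment lines are skipped
  entry=$(awk -v u="$user" '!/^[#;]/ && $1 == u { print $2, $3; exit }' "$file")
  [ -n "$entry" ] || { log "user does not exist: username=\"$user\""; return 1; }
  salt=${entry% *}; stored=${entry#* }
  if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
    log "successful authentication: username=\"$user\""; return 0
  fi
  log "incorrect password: username=\"$user\""; return 1   # password itself is never logged
}

case "${1:-}" in
  --add)     # ./checkpsw.sh --add vpnuser01 'S3cret' prints a psw-file line to append
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s %s %s\n' "$2" "$salt" "$(hash_password "$salt" "$3")" ;;
  --verify)  # called by OpenVPN: username and password arrive in the environment
    verify_user "${username:-}" "${password:-}"; exit $? ;;
esac
```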

3.7 Creating the OpenVPN server configuration file

Edit the file /etc/openvpn/server/server.conf and write the following content into it.
(You can also copy the sample file and modify it; it is at /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf.)

port 10444
proto udp
dev tun
user openvpn
group openvpn

# certificate settings
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

# username/password authentication
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
verify-client-cert none
username-as-common-name
client-to-client
duplicate-cn

# network settings
server 10.98.1.0 255.255.255.0
push "route 10.99.1.0 255.255.255.0"
push "route 172.16.0.9 255.255.255.255"

compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3
reneg-sec 0

# log locations
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log

Create a symlink to server.conf, because the service unit started below reads the configuration file under the name .service.conf:

cd /etc/openvpn/server/
ln -sf server.conf .service.conf
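As an added example, not part of the post, the following shell functions audit a server.conf like the one above for the directives that weaken it (compression, no client certificate check, duplicate-cn, disabled renegotiation, no TLS version floor) and write a hardened copy. The two findings left after hardening, verify-client-cert none and script-security 3, are inherent to the password-only design this post chooses; the file paths passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit an OpenVPN server.conf for the directives
# that weaken the set-up above, then write a hardened copy. File paths are assumed.

# audit_openvpn_conf CONF: print one WARN line per finding; return value = finding count
audit_openvpn_conf() {
  conf="$1"; findings=0
  has_opt() { grep -Eq "^[[:space:]]*$1" "$conf"; }      # matches only uncommented lines
  flag() { findings=$((findings + 1)); echo "WARN: $1"; }
  has_opt 'comp(ress|-lzo)' && flag "compression is on (VORACLE); remove compress/comp-lzo"
  has_opt 'verify-client-cert none' && flag "client certificates are not checked: the password is the only factor"
  has_opt 'duplicate-cn' && flag "duplicate-cn lets one credential be used from many clients at once"
  has_opt 'reneg-sec 0$' && flag "reneg-sec 0 disables periodic key renegotiation"
  has_opt 'script-security 3' && flag "script-security 3 hands passwords to scripts through the environment"
  has_opt 'tls-(auth|crypt)' || flag "no tls-auth/tls-crypt: control channel packets are unauthenticated"
  has_opt 'tls-version-min' || flag "no tls-version-min: add 'tls-version-min 1.2'"
  return "$findings"
}

# harden_openvpn_conf IN OUT: drop the removable weak directives and add a TLS floor
harden_openvpn_conf() {
  sed -E '/^[[:space:]]*(compress|comp-lzo|duplicate-cn|reneg-sec 0$)/d' "$1" > "$2"
  grep -Eq '^[[:space:]]*tls-version-min' "$2" || echo 'tls-version-min 1.2' >> "$2"
}
```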

3.8 Setting up NAT or firewall rules

A NAT rule is needed. I use iptables here; a firewalld example follows as well (change the NIC name eth0 to match your system). If the VPN networks reach each other by routing instead, no NAT rule is needed.
iptables:

systemctl stop firewalld
systemctl disable firewalld    # stop and disable the firewalld firewall

yum -y install iptables-services
systemctl enable iptables.service
systemctl start iptables.service

iptables -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE   # add the NAT rule
iptables-save
iptables-save > /etc/sysconfig/iptables   # save the rules so they are loaded at boot
iptables -t nat -nvL   # list the NAT rules

firewalld (iptables is recommended instead):

# enable the firewall at boot and start it now
systemctl enable firewalld --now
firewall-cmd --permanent --zone=public --add-masquerade   # allow IP masquerading
firewall-cmd --permanent --zone=public --add-port=10444/udp
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.98.1.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload   # --permanent is needed above, since --reload discards runtime-only rules

3.9 Starting the service and enabling it at boot

rpm -ql openvpn | grep service
# list the unit files
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service

systemctl start openvpn-server@.service.service
# start the service
systemctl status openvpn-server@.service.service
# check the service status
systemctl enable openvpn-server@.service.service
# enable it at boot

4. Windows client configuration

Because we configured username/password authentication, only the ca.crt and ta.key files are needed: copy them from the server into the client's config directory. ca.crt is under /etc/openvpn/server/easy-rsa/pki/ and ta.key under /etc/openvpn/server/easy-rsa/.
In the config directory (C:\Users\[username]\OpenVPN\config\) create a file named client.ovpn with the following content:

client
proto udp
dev tun
auth-user-pass
remote www.aalook.com 10444
ca ca.crt
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
reneg-sec 0
compress lzo
verb 3
mute 10

Once this is done you can test the connection:

Reference articles:

https://www.jianshu.com/p/637b4123fc92

https://www.fandenggui.com/post/centos7-install-openvpn.html


Comments (10)

  1. #1

    TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

    khalid, 5 months ago (05-14) Reply
  2. #2

    Hello, and first of all thank you for sharing this article. Following your steps I ran into a problem. I am a beginner: after step 3.5, creating the password check script, I don't know how to carry out the remaining commands. When editing the server.conf file, nothing gets written into it. I hope you can help me, thanks!

    bopin, 2 months ago (08-16) Reply
    • Use the vi editor: vi [file path]
      press a to start editing, then paste
      esc :x   # save

      join, 2 months ago (08-16) Reply
  3. #3

    Connecting to 10.225.225.22:22...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.

    WARNING! The remote SSH server rejected X11 forwarding request.
    Last login: Tue Aug 16 23:31:53 2022 from 10.225.225.6
    [root@localhost ~]# cd /etc/openvpn/server/user/
    [root@localhost user]# ls
    checkpsw.sh psw-file
    [root@localhost user]# vi checkpsw.sh/

    #!/bin/sh

    PASSFILE="/etc/openvpn/server/user/psw-file"
    LOG_FILE="/var/log/openvpn/password.log"
    TIME_STAMP=`date "+%Y-%m-%d %T"`

    if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
    fi
    CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
    if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
    fi
    if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
    fi
    echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1

    After pasting, I press ESC to end input, then press : and type wq to save and exit, and it shows:
    ~
    "checkpsw.sh/"
    E502: "checkpsw.sh/" is a directory
    Press ENTER or type command to continue

    bopin, 2 months ago (08-16) Reply
    • vi checkpsw.sh/
      You added an extra "/"; read the save prompt carefully

      join, 2 months ago (08-16) Reply
  4. #4

    I removed the /, but I still get the same result when saving on exit.

    Connecting to 10.225.225.22:22...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.

    WARNING! The remote SSH server rejected X11 forwarding request.
    Last login: Tue Aug 16 23:43:44 2022 from 10.225.225.6
    [root@localhost ~]# cd /etc/openvpn/server/user/
    [root@localhost user]# ll
    总用量 4
    drwx------. 2 openvpn openvpn 54 8月 16 23:40 checkpsw.sh
    -rw-------. 1 openvpn openvpn 19 8月 16 22:33 psw-file
    [root@localhost user]# ls
    checkpsw.sh psw-file
    [root@localhost user]# cd checkpsw.sh
    [root@localhost checkpsw.sh]# vi
    [root@localhost checkpsw.sh]# cd ..
    [root@localhost user]# vi checkpsw.sh

    ~
    #!/bin/sh
    PASSFILE="/etc/openvpn/server/user/psw-file"
    LOG_FILE="/var/log/openvpn/password.log"
    TIME_STAMP=`date "+%Y-%m-%d %T"`

    if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
    fi
    CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
    if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
    fi
    if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
    fi
    echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
    ~
    "checkpsw.sh"
    E502: "checkpsw.sh" is a directory
    E194: No alternate file name to substitute for '#'
    Press ENTER or type command to continue

    bopin, 2 months ago (08-16) Reply
    • Read the prompt carefully: you created a directory with the same name. Delete it first, then run vi.

      join, 2 months ago (08-16) Reply
  5. #5

    I'll look into how to create the shell file tomorrow. Thanks for the support, goodnight

    bopin, 2 months ago (08-17) Reply
  6. #6

    Tue Sep 20 11:17:30 2022 RESOLVE: Cannot resolve host address: http://www.aalook.com:10444 ()
    Tue Sep 20 11:17:30 2022 MANAGEMENT: >STATE:1663643850,RESOLVE,,,,,,

    鸣人, 2 weeks ago (09-20) Reply
    • You need to change it to your own server address

      join, 2 weeks ago (09-20) Reply