系统相关
首页 > 系统相关> > centos7.4+openvpn-2.4.4+easy-rsa-3.0

centos7.4+openvpn-2.4.4+easy-rsa-3.0

作者:互联网

【生产环境物理机安装】openvpn2.4.4服务搭建,并可以正常运行

 

服务器内网:172.31.33.64 openvpn:10.8.0.0

 

 

本机ifconfig

yum install epel-release

lsb_release -a

yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig makecache

yum install -y openvpn

yum install -y easy-rsa

#启动openvpn的用户

groupadd openvpn

useradd -g openvpn -M -s /sbin/nologin openvpn

mkdir /etc/openvpn/

cp -R /usr/share/easy-rsa/ /etc/openvpn/

cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/

cp -r /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/3.0/vars

vim /etc/openvpn/server.conf(配置文件如下:)

port 1194

proto tcp

dev tun

ca /etc/openvpn/easy-rsa/3.0/pki/ca.crt

cert /etc/openvpn/easy-rsa/3.0/pki/issued/wwwserver.crt

key /etc/openvpn/easy-rsa/3.0/pki/private/wwwserver.key

dh /etc/openvpn/easy-rsa/3.0/pki/dh.pem

tls-auth /etc/openvpn/ta.key 0

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 223.5.5.5"

push "dhcp-option DNS 114.114.114.114"

keepalive 10 120

cipher AES-256-CBC

comp-lzo

max-clients 50

user openvpn

group openvpn

persist-key

persist-tun

status openvpn-status.log

log-append  openvpn.log

verb 3

mute 20

vim /etc/openvpn/easy-rsa/3.0/vars

 

修改第45、65、76、84-89、97、105、113、117、134、139、171、180、192行:

set_var EASYRSA                 "$PWD"

set_var EASYRSA_PKI             "$EASYRSA/pki"

set_var EASYRSA_DN      "cn_only"

set_var EASYRSA_REQ_COUNTRY     "CN"

set_var EASYRSA_REQ_PROVINCE    "BEIJING"

set_var EASYRSA_REQ_CITY        "BEIJING"

set_var EASYRSA_REQ_ORG         "OpenVPN CERTIFICATE AUTHORITY"

set_var EASYRSA_REQ_EMAIL       "110@qq.com"

set_var EASYRSA_REQ_OU          "OpenVPN EASY CA"

set_var EASYRSA_KEY_SIZE        2048

set_var EASYRSA_ALGO            rsa

set_var EASYRSA_CA_EXPIRE       7000

set_var EASYRSA_CERT_EXPIRE     3650

set_var EASYRSA_NS_SUPPORT      "no"

set_var EASYRSA_NS_COMMENT      "OpenVPN CERTIFICATE AUTHORITY"

set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"

set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"

set_var EASYRSA_DIGEST          "sha256"

cd /etc/openvpn/easy-rsa/3.0

./easyrsa init-pki

./easyrsa build-ca

设置ca密码(输入两次):ca.com

创建CA、密码ca.com

./easyrsa gen-dh

openvpn --genkey --secret ta.key

cp -r ta.key /etc/openvpn/

创建服务端证书,生成请求,使用gen-req来生成req

./easyrsa  gen-req wwwserver

设置server密码(输入两次):openserver.com

创建服务端证书、密码openserver.com

签发证书,签约服务端证书

./easyrsa sign-req server wwwserver

输入yes签发证书,输入ca密码:ca.com

 

 

生成windows客户端用户:

./easyrsa build-client-full www001

#注意:生成客户端用户的时候会提示设置密码

#可以直按回车密码为空、也可以设置输入密码(如设置密码,客户端连接时需输入密码)

生成客户端证书,并设置密码(客户端连接时用)

查看客户端证书存放路径:

ls -l /etc/openvpn/easy-rsa/3.0/pki/issued/www001.crt

-rw-------. 1 root root 4517 Apr 16 00:30 /etc/openvpn/easy-rsa/3.0/pki/issued/www001.crt

 

ls -l /etc/openvpn/easy-rsa/3.0/pki/private/www001.key

-rw-------. 1 root root 1834 Apr 16 00:30 /etc/openvpn/easy-rsa/3.0/pki/private/www001.key

vim /etc/sysctl.conf

末尾加入

net.ipv4.ip_forward = 1

保存后执行:sysctl -p

Fairwall(0.4.4)执行:

防火墙列表

systemctl start firewalld.service

firewall-cmd --state

firewall-cmd --zone=public --list-all

firewall-cmd --add-service=openvpn --permanent

firewall-cmd --add-port=1194/ucp --permanent

firewall-cmd --add-port=22/tcp --permanent

firewall-cmd --add-source=10.8.0.0 --permanent

firewall-cmd --query-source=10.8.0.0 --permanent

firewall-cmd --add-masquerade --permanent

firewall-cmd --query-masquerade --permanent

firewall-cmd --reload

启动openvpn

systemctl start openvpn@server

启动时输入服务端证书密码:openserver.com

 

第一次启动的时候可能会提示,重新执行systemctl start openvpn@server输入密码即可

启动vpn,输入密码才能启动

网络信息,至此openvpn服务器安装完成

客户端openvpn版本为2.4.5(OpenVPN 2.4.5 x86_64)

windows 64位官网下载就可以,也可以到网盘下载

 

链接: https://pan.baidu.com/s/12Bsx3D2RQMSJfo33n-fUxA 密码: 3e6t

客户端需要的证书:www001.crt、www001.key、ca.crt、ta.key

存放到一个文件夹,然后将里边的文件夹拷贝到本地电脑

mkdir -p /etc/openvpn/client

cp -r /etc/openvpn/easy-rsa/3.0/pki/issued/www001.crt /etc/openvpn/client/

cp -r /etc/openvpn/easy-rsa/3.0/pki/private/www001.key /etc/openvpn/client/

cp -r /etc/openvpn/easy-rsa/3.0/pki/ca.crt /etc/openvpn/client/

cp -r /etc/openvpn/ta.key /etc/openvpn/client/

客户端配置文件www001.ovpn(ip换为openvpn服务器外网ip)

client

dev tun

proto tcp

resolv-retry infinite

nobind

remote 47.175.155.184 1194 

ns-cert-type server

comp-lzo

ca ca.crt

cert www001.crt

key www001.key

tls-auth ta.key 1

keepalive 10 120

persist-key

persist-tun

verb 5

redirect-gateway

route-method exe

route-delay 2

status www001-status.log

log-append www001.log

安装OpenVPN 2.4.5 x86_64后,清空config文件夹,将www001.crt、www001.key、ca.crt、ta.key、www001.ovpn放入config中,

 

 

image.png




①如生成证书时输错密码了(如www002用户),报如下错误

如新建用户www002时密码输错,导致生成客户端证书失败

 

 

如新建用户www002时密码输错,导致生成客户端证书失败

 

 

删除以下文件即可

 

rm -rf /etc/openvpn/easy-rsa/3.0/pki/reqs/www002.req

 

rm -rf /etc/openvpn/easy-rsa/3.0/pki/private/www002.key

②撤销证书(www001为例)

cd /etc/openvpn/easy-rsa/3.0

./easyrsa revoke www001

./easyrsa gen-crl

crl的路径

systemctl stop openvpn@server

systemctl start openvpn@server

image.png

标签:easy,www001,rsa,etc,3.0,openvpn,EASYRSA
来源: https://www.cnblogs.com/cheyunhua/p/10469989.html