CentOS 7安裝OpenVPN,新版本easy-rsa 3.0配置
阿新 • • 發佈:2018-12-09
一、安裝openvpn
1.更新軟體包
yum -y update
2.安裝openvpn和easy-rsa
yum -y install openvpn easy-rsa
3.複製easy-rsa檔案
[[email protected] ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[[email protected] ~]# cd /etc/openvpn/easy-rsa/
[[email protected] easy-rsa]# \rm 3 3.0
[[email protected] easy-rsa]# cd 3.0.3/
[[email protected] 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
二、生成CA證書
1.建立一個新的 PKI 和 CA [[email protected] 3.0.3]# ./easyrsa init-pki 2.建立新的CA,不使用密碼 [[email protected] 3.0.3]# ./easyrsa build-ca nopass ########################### 生成資訊 ########################### Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key ......................+++ ................................................+++ writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.pClvaQ1GLD' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: 回車 CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt ########################### 生成資訊 ###########################
三、建立服務端證書
1.建立服務端證書
[[email protected] 3.0.3]# ./easyrsa gen-req server nopass
########################### 生成資訊 ###########################
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...........................+++
..............................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.wy7Q0fuG6A'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: 回車
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key
########################### 生成資訊 ###########################
2.簽約服務端證書
[ [email protected] 3.0.3]# ./easyrsa sign server server
########################### 生成資訊 ###########################
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 7 14:54:08 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt
########################### 生成資訊 ###########################
3.建立 Diffie-Hellman
[[email protected] 3.0.3]# ./easyrsa gen-dh
............................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem
4.整理證書
[[email protected] ~]# cd /etc/openvpn
[[email protected] openvpn]# cp easy-rsa/3.0.3/pki/dh.pem .
[[email protected] openvpn]# cp easy-rsa/3.0.3/pki/ca.crt .
[[email protected] openvpn]# cp easy-rsa/3.0.3/pki/issued/server.crt .
[[email protected] openvpn]# cp easy-rsa/3.0.3/pki/private/server.key .
四、建立客戶端證書
1.複製檔案
[[email protected] ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client
[[email protected] ~]# cd /etc/openvpn/client/easy-rsa/
[[email protected] easy-rsa]# \rm 3 3.0
[[email protected] easy-rsa]# cd 3.0.3/
[[email protected] 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
2.生成客戶端證書
[[email protected] 3.0.3]# ./easyrsa init-pki #建立新的pki
########################### 生成資訊 ###########################
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki
[[email protected] 3.0.3]# ./easyrsa gen-req client nopass #客戶證書名,無密碼
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/client.key.FkrLzXH9Bm'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]: 回車
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/client.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/client.key
########################### 生成資訊 ###########################
3.簽約客戶端證書
[[email protected] 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[[email protected] 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[[email protected] 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/client.req client
########################### 生成資訊 ###########################
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: client
You may now use this name to perform signing operations on this request.
[[email protected] 3.0.3]# ./easyrsa sign client client
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 8 01:54:57 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/client.crt
########################### 生成資訊 ###########################
4.整理證書
[[email protected] 3.0.3]# mkdir /etc/openvpn/client
[[email protected] client]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client .
[[email protected] client]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/client.crt .
[[email protected] client]# cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/dalin.key .
五、配置檔案
1.伺服器配置檔案
[[email protected] ~]# vi /etc/openvpn/server.conf
########################### 配置資訊 ###########################
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 10.8.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 20 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20
########################### 配置資訊 ###########################
2.客戶端配置檔案
[[email protected] ~]# vi /etc/openvpn/cilent/cilent.ovpn
########################### 配置資訊 ###########################
client
remote 伺服器IP 1194
proto udp
dev tun
comp-lzo
ca ca.crt
cert client.crt
key client.key
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
dhcp-option DNS 4.2.2.1
dhcp-option DNS 4.2.2.2
verb 3
########################### 配置資訊 ###########################
六、啟動OpenVPN和埠轉發
1.啟動OpenVPN
[[email protected] ~]# systemctl start [email protected]
2.安裝iptables
[roo[email protected] ~]# yum -y install iptables iptables-services
3.新增策略
[[email protected] ~]# vi /etc/sysconfig/iptables
..................
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
新增:-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
..................
4.開啟埠
[[email protected] ~]# systemctl restart iptables.service
[[email protected] ~]# iptables -F
[[email protected] ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
5.開啟轉發
[[email protected] ~]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
[[email protected] ~]# sysctl -p
七、開機啟動
1.在centos7中,/etc/rc.d/rc.local的許可權被降低了,賦予其可執行許可權
[[email protected] ~]# chmod +x /etc/rc.d/rc.local
2.新增啟動指令碼
[[email protected] ~]# vi /etc/rc.d/rc.local
## OpenVPN
systemctl restart [email protected]
systemctl restart iptables.service
iptables -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
sysctl -p