Installing an OpenVPN server on CentOS 7

November 3, 2020, 18:18:15

Because of network restrictions in mainland China, Gmail is sometimes unreachable, and the only way around that is a VPN; here a VPN on a host in Hong Kong is used to send and receive mail. A word on what the VPN does: OpenVPN is an open-source application that builds a virtual private network across a public network, giving you a secure connection. It uses the OpenSSL library for encryption and a certificate-based authentication mechanism. Below is how the OpenVPN server is set up. One precondition: the firewall is disabled.

[root@wulaoer ~]# wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
--2020-09-07 16:38:32--  http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Resolving dl.fedoraproject.org (dl.fedoraproject.org)... 38.145.60.24, 38.145.60.23, 38.145.60.22
Connecting to dl.fedoraproject.org (dl.fedoraproject.org)|38.145.60.24|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14540 (14K) [application/x-rpm]
Saving to: 'epel-release-6-8.noarch.rpm'

100%[============================================================================================================>] 14,540      31.6KB/s   in 0.4s   

2020-09-07 16:38:33 (31.6 KB/s) - 'epel-release-6-8.noarch.rpm' saved [14540/14540]

[root@wulaoer ~]# rpm -Uvh epel-release-6-8.noarch.rpm
warning: epel-release-6-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                          ################################# [100%]
        package epel-release-7-12.noarch (which is newer than epel-release-6-8.noarch) is already installed

Install the OpenVPN build dependencies on the OpenVPN server.

[root@wulaoer ~]# yum install -y lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel

If your server is on Alibaba Cloud you also need the following packages; otherwise you can skip this step.

[root@wulaoer ~]# yum install -y autoconf
[root@wulaoer ~]# yum install -y automake
[root@wulaoer ~]# yum install -y libtool libtool-ltdl

Download OpenVPN, then compile and install it

[root@wulaoer ~]# wget https://github.com/OpenVPN/openvpn/archive/v2.4.9.tar.gz
[root@wulaoer ~]# tar xf v2.4.9.tar.gz
[root@wulaoer ~]# cd openvpn-2.4.9/
[root@wulaoer ~/openvpn-2.4.9]# autoreconf -i -v -f
[root@wulaoer ~/openvpn-2.4.9]# ./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
[root@wulaoer ~/openvpn-2.4.9]# make && make install
[root@wulaoer ~/openvpn-2.4.9]# ln -s /usr/local/openvpn/sbin/openvpn /usr/local/sbin/openvpn

Download easy-rsa to generate the certificate files, and configure the server-side information

[root@wulaoer ~]# wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.7.zip
[root@wulaoer ~]# unzip v3.0.7.zip 
[root@wulaoer ~]# mv easy-rsa-3.0.7 easy
[root@wulaoer ~]# mkdir -p /etc/openvpn/
[root@wulaoer ~]# cp -a easy /etc/openvpn/
[root@wulaoer ~]# cd /etc/openvpn/easy/easyrsa3/
[root@wulaoer easyrsa3]# cp vars.example vars

[root@wulaoer easyrsa3]# vim vars
..........................................
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "HK"
set_var EASYRSA_REQ_CITY        "Hong Kong"
set_var EASYRSA_REQ_ORG 		"Hong Hong vpn"
set_var EASYRSA_REQ_EMAIL       "me@example.net"
set_var EASYRSA_REQ_OU          "wulaoer"
...........................................

For a fuller explanation of these settings, see the following:

# Country
set_var EASYRSA_REQ_COUNTRY     "CN"
# Province
set_var EASYRSA_REQ_PROVINCE    "BJ"
# City
set_var EASYRSA_REQ_CITY        "BeiJing"
# Organization
set_var EASYRSA_REQ_ORG         "wulaoer"
# E-mail address
set_var EASYRSA_REQ_EMAIL       "wulaoer@test.com"
# Organizational unit (owner)
set_var EASYRSA_REQ_OU          "wolf"

# Key length
set_var EASYRSA_KEY_SIZE        2048
# Key algorithm
set_var EASYRSA_ALGO            rsa

# CA certificate lifetime, in days
set_var EASYRSA_CA_EXPIRE      36500
# Lifetime of issued certificates, in days
set_var EASYRSA_CERT_EXPIRE    36500

Create the server and client certificates

Initialize the PKI and create the CA root certificate

[root@wulaoer easyrsa3]# ./easyrsa init-pki 

Note: using Easy-RSA configuration from: /etc/openvpn/easy/easyrsa3/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy/easyrsa3/pki

Initialization creates the pki directory; the certificate files are generated under it.

[root@wulaoer easyrsa3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/openvpn/easy/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase:   # this is the CA signing passphrase; you must remember it, it is needed later when creating client certificates
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus
...........+++
.+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  # press Enter

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy/easyrsa3/pki/ca.crt

The passphrase set here is needed later whenever a client certificate is created, so remember it. The Common Name is just a common name for the VPN CA so that it is easy to recognise; if you don't want to set one, press Enter to keep the default.

[root@wulaoer easyrsa3]# ./easyrsa build-server-full server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
................+++
.......................+++
writing new private key to '/etc/openvpn/easy/easyrsa3/pki/easy-rsa-30525.DgAt5u/tmp.4xKrqS'
-----
Using configuration from /etc/openvpn/easy/easyrsa3/pki/easy-rsa-30525.DgAt5u/tmp.wkrmSh
Enter pass phrase for /etc/openvpn/easy/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb  6 03:13:46 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

This generates a locally signed certificate for the server. The nopass parameter produces a key without a passphrase. During generation you are asked to confirm the CA passphrase, which is the one created above.

[root@wulaoer easyrsa3]#  ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................................................................................................................................................+.......+...................................................................+..................+...........................................+...............................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................+.............................................................+..................................................+..................................................................................................................+..................................................................................+.....................................................................+.........................................................................................+....+..........................................................+....+....................+....+.....................................+.................................................+................................................................+................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy/easyrsa3/pki/dh.pem

Create the Diffie-Hellman parameters, which let the key exchange cross an untrusted network safely. This command takes a while; be patient.

Create the client certificates

Create client certificates according to your needs: either without a passphrase, or a personal certificate protected by a passphrase. Passphrase-protected certificates are recommended for production.

[root@wulaoer easyrsa3]#  ./easyrsa build-client-full client nopass
[root@wulaoer easyrsa3]#  ./easyrsa build-client-full wulaoer  # passphrase-protected certificate; you will be prompted for the passphrase

Generate a ta.key file. It adds an extra HMAC layer to the TLS handshake (tls-auth), which strengthens authentication and resists attacks; the option is enabled in the sample configuration by default. Put ta.key in /etc/openvpn/server. Note that the client configuration must match the server configuration.

[root@wulaoer easyrsa3]#  openvpn --genkey --secret ta.key

Collect the server certificates

[root@wulaoer easyrsa3]#  mkdir -p /etc/openvpn/server/
[root@wulaoer easyrsa3]# cp -a pki/ca.crt /etc/openvpn/server/
[root@wulaoer easyrsa3]# cp -a pki/private/server.key /etc/openvpn/server/
[root@wulaoer easyrsa3]# cp -a pki/issued/server.crt /etc/openvpn/server/
[root@wulaoer easyrsa3]# cp -a pki/dh.pem /etc/openvpn/server/
[root@wulaoer easyrsa3]# cp -a ta.key /etc/openvpn/server/
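A check worth running on that directory before the daemon is started, added here as an example (it is not part of the post, of OpenVPN or of easy-rsa): it confirms that server.crt chains to ca.crt, that server.key belongs to server.crt, that the certificate carries the TLS Web Server Authentication EKU which the client's remote-cert-tls server line relies on, that ta.key has the OpenVPN static-key framing, and that the secret files are not group- or world-readable. It needs only the openssl CLI. The make_demo_pki helper is a constructed stand-in for easy-rsa so the check can be exercised in a temporary directory; both function names and the ta.key stand-in are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files collected
# into /etc/openvpn/server before the daemon is started. Needs the openssl CLI.
# Usage: sh check-pki.sh /etc/openvpn/server   (no argument: run the built-in demo)

# check_openvpn_pki DIR: verify that ca.crt, server.crt, server.key, dh.pem and
# ta.key in DIR exist, agree with each other and keep their secrets private.
# Prints the first problem found and returns 1; prints "ok" and returns 0 otherwise.
check_openvpn_pki() {
    dir=$1
    for f in ca.crt server.crt server.key dh.pem ta.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    done
    # server.crt must chain to ca.crt, the certificate clients embed in <ca>
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt is not signed by ca.crt"; return 1; }
    # the private key must belong to the certificate: compare the public keys
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] \
        || { echo "server.key does not match server.crt"; return 1; }
    # the client's 'remote-cert-tls server' only accepts a certificate carrying
    # the TLS Web Server Authentication EKU (easy-rsa build-server-full sets it)
    openssl x509 -in "$dir/server.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
        || { echo "server.crt lacks the serverAuth EKU"; return 1; }
    # ta.key must carry the OpenVPN static-key framing, not be a stray file
    head -n 1 "$dir/ta.key" | grep -q 'BEGIN OpenVPN Static key V1' \
        || { echo "ta.key is not an OpenVPN static key"; return 1; }
    # secrets must not be readable by group or other (ls -l columns 5-10)
    for f in server.key ta.key; do
        if ls -l "$dir/$f" | cut -c5-10 | grep -q '[rwx]'; then
            echo "$f is readable by other users"; return 1
        fi
    done
    echo "ok: $dir"
}

# make_demo_pki DIR EKU: constructed stand-in for easy-rsa, used only to exercise
# the check: a throwaway CA plus a server certificate whose extendedKeyUsage is
# EKU (serverAuth as build-server-full sets, or clientAuth to provoke a failure).
make_demo_pki() {
    dir=$1; eku=$2
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Easy-RSA CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca-ext.cnf"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca-ext.cnf" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=server' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$eku" > "$dir/srv-ext.cnf"
    openssl x509 -req -days 825 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/srv-ext.cnf" -out "$dir/server.crt" 2>/dev/null
    # small DSA-style DH parameters: quick to generate, adequate for a demo only
    openssl dhparam -dsaparam -out "$dir/dh.pem" 1024 2>/dev/null
    # stand-in for 'openvpn --genkey --secret ta.key': same framing, random hex body
    { echo '-----BEGIN OpenVPN Static key V1-----'
      openssl rand -hex 256 | fold -w 32
      echo '-----END OpenVPN Static key V1-----'; } > "$dir/ta.key"
    chmod 600 "$dir/ca.key" "$dir/server.key" "$dir/ta.key"
}

if [ $# -gt 0 ]; then
    check_openvpn_pki "$1"
else
    tmp=$(mktemp -d)
    make_demo_pki "$tmp" serverAuth
    check_openvpn_pki "$tmp"
    rm -rf "$tmp"
fi
```

On the real server run it as sh check-pki.sh /etc/openvpn/server; the public-key comparison will prompt for a passphrase if server.key was created without nopass.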

Server configuration

[root@wulaoer easyrsa3]# cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/server

[root@wulaoer easyrsa3]# mkdir /var/log/openvpn/
[root@wulaoer easyrsa3]# grep '^[^#|;]' /etc/openvpn/server/server.conf
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.10.0 255.255.255.0"
keepalive 10 120
compress lz4-v2
push "compress lz4-v2"
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         /var/log/openvpn.log
verb 3
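The server.conf above leaves out several settings that matter for security: the ta.key generated earlier is never referenced (no tls-auth line appears in the grep output), no minimum TLS version or data-channel cipher is pinned, the server's auth digest is left at its default while the client profile later sets auth SHA256, and compression is enabled. A hardened variant, added here as an example and not the post's own file; every directive is a standard OpenVPN 2.4 option:

```conf
# Hardened variant of the server.conf above (added example, not the post's file).
# Comments mark the lines that were added or removed.
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/server/dh.pem
# added: use the ta.key generated earlier; the client needs 'tls-auth ta.key 1'
tls-auth /etc/openvpn/server/ta.key 0
# added: only accept certificates issued for the client role (build-client-full)
remote-cert-tls client
# added: refuse TLS 1.0/1.1 control-channel handshakes
tls-version-min 1.2
# added: AEAD data-channel cipher; list the same cipher on the client
cipher AES-256-GCM
# added: explicit HMAC digest, matching the 'auth SHA256' in the client profile
auth SHA256
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.10.0 255.255.255.0"
keepalive 10 120
# removed: 'compress lz4-v2' and 'push "compress lz4-v2"'. Compressing the tunnel
# lets an observer infer plaintext from packet sizes (VORACLE); leave it off.
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         /var/log/openvpn.log
verb 3
```

The client side must agree: tls-auth ta.key 1 (or an inline <tls-auth> block plus key-direction 1), cipher AES-256-GCM, auth SHA256, and no comp-lzo or compress line. remote-cert-tls client on the server only works with client certificates issued by build-client-full, which sets the clientAuth EKU.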

Configure the firewall

Whether or not the firewall is running, you must add a NAT rule to iptables so that client traffic is forwarded (masqueraded).

[root@wulaoer easyrsa3]#  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
[root@wulaoer easyrsa3]#  iptables-save > /etc/sysconfig/iptables
[root@wulaoer easyrsa3]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0

If you configured the rule incorrectly, delete it with the following command:

[root@wulaoer easyrsa3]# iptables -t nat -D POSTROUTING 1

Enable IP forwarding

[root@wulaoer easyrsa3]# vim /etc/sysctl.conf
.....................
net.ipv4.ip_forward = 1
.............................
[root@wulaoer easyrsa3]# sysctl -p
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.ip_forward = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2

Configure OpenVPN startup

Edit the OpenVPN systemd unit file

[root@wulaoer openvpn]# vim /usr/local/openvpn/lib/systemd/system/openvpn-server@.service
### Find the ExecStart line and change it to the following
ExecStart=/usr/local/openvpn/sbin/openvpn --config server.conf

Enable OpenVPN to start at boot

[root@wulaoer openvpn]# cp -a /usr/local/openvpn/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn.service
[root@wulaoer openvpn]# systemctl enable openvpn.service

Start the OpenVPN service and check whether port 1194 is listening

[root@wulaoer openvpn]# systemctl start openvpn.service
[root@wulaoer openvpn]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      25194/openvpn

At this point the OpenVPN server is deployed. Next, connect from a client to verify that it works.

I'm on a Mac, but whichever client OS you use, the certificates needed to connect are the same. Here is my client profile:

client
dev tun
proto tcp
remote  8.8.8.8 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
(contents of /etc/openvpn/server/ca.crt from the OpenVPN server)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(contents of the client certificate /etc/openvpn/easy/easyrsa3/pki/issued/wuyonghui.crt)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(contents of the client key /etc/openvpn/easy/easyrsa3/pki/private/wuyonghui.key)
-----END ENCRYPTED PRIVATE KEY-----
</key>
comp-lzo
verb 3

auth SHA256
remote-cert-tls server
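The post stresses that the client configuration must match the server's. The following script, added here as an example (it is not from the post), parses both files with awk and reports the mismatches that break or weaken a connection: proto and dev, the auth digest (SHA1 when unset), compression (the server.conf above pushes compress lz4-v2 while this profile says comp-lzo), tls-auth present on only one side or on neither, and a client profile missing remote-cert-tls server. The write_demo_confs helper embeds constructed copies of the active lines of the two files (certificate bodies left out) together with a corrected pair; the function names are this example's own, and inline <tls-auth> blocks with key-direction are not parsed.

```shell
#!/bin/sh
# Added example (not from the original post): report the settings that must agree
# between an OpenVPN server.conf and a client profile. POSIX sh and awk only.
# Usage: sh check-pair.sh server.conf client.ovpn   (no arguments: built-in demo)

# conf_get FILE KEY: value of the first active KEY directive in FILE; lines
# starting with '#' or ';' are comments. Prints nothing when KEY is absent.
conf_get() {
    awk -v k="$2" '$1 !~ /^[#;]/ && $1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# conf_has FILE KEY: succeed when an active KEY directive exists, even without a value
conf_has() {
    awk -v k="$2" '$1 !~ /^[#;]/ && $1 == k { f = 1; exit } END { exit !f }' "$1"
}

# comp_of FILE: the compression setting in effect on one side
comp_of() {
    if conf_has "$1" comp-lzo; then echo comp-lzo
    elif conf_has "$1" compress; then echo "compress $(conf_get "$1" compress)"
    else echo none; fi
}

# check_conf_pair SERVER CLIENT: print one line per problem, return 1 if any
check_conf_pair() {
    srv=$1; cli=$2; rc=0
    # transport protocol and device type must be identical
    for key in proto dev; do
        a=$(conf_get "$srv" "$key"); b=$(conf_get "$cli" "$key")
        [ "$a" = "$b" ] || { echo "$key differs: server='$a' client='$b'"; rc=1; }
    done
    # HMAC digest: OpenVPN defaults to SHA1 when 'auth' is unset, so normalise
    a=$(conf_get "$srv" auth); b=$(conf_get "$cli" auth)
    [ "${a:-SHA1}" = "${b:-SHA1}" ] \
        || { echo "auth differs: server='${a:-SHA1}' client='${b:-SHA1}'"; rc=1; }
    # compression: a pushed 'compress' overrides the client, but mixing it with
    # the legacy 'comp-lzo' hides what is really in use; demand identical settings
    a=$(comp_of "$srv"); b=$(comp_of "$cli")
    [ "$a" = "$b" ] || { echo "compression differs: server='$a' client='$b'"; rc=1; }
    # tls-auth: on both sides or on neither, direction 0 on the server, 1 on the client
    a=$(conf_get "$srv" tls-auth); b=$(conf_get "$cli" tls-auth)
    if [ -z "$a" ] && [ -z "$b" ]; then
        echo "no tls-auth on either side (the generated ta.key is unused)"; rc=1
    elif [ -z "$a" ] || [ -z "$b" ]; then
        echo "tls-auth is set on only one side"; rc=1
    elif [ "${a##* }" != 0 ] || [ "${b##* }" != 1 ]; then
        echo "tls-auth direction must be 0 on the server and 1 on the client"; rc=1
    fi
    # the client must insist on a server-role certificate
    conf_has "$cli" remote-cert-tls || { echo "client lacks 'remote-cert-tls server'"; rc=1; }
    return $rc
}

# write_demo_confs DIR: constructed copies of the active lines of the post's two
# files (certificate bodies left out) plus a corrected pair for comparison
write_demo_confs() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
compress lz4-v2
push "compress lz4-v2"
verb 3
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 8.8.8.8 1194
;user nobody
comp-lzo
auth SHA256
remote-cert-tls server
EOF
    { grep -v compress "$1/server.conf"; printf 'auth SHA256\ntls-auth ta.key 0\n'; } > "$1/server-hardened.conf"
    { grep -v comp-lzo "$1/client.ovpn"; printf 'tls-auth ta.key 1\n'; } > "$1/client-hardened.ovpn"
}

if [ $# -eq 2 ]; then
    check_conf_pair "$1" "$2"
else
    tmp=$(mktemp -d); write_demo_confs "$tmp"
    echo "== pair from the post =="
    check_conf_pair "$tmp/server.conf" "$tmp/client.ovpn" || echo "=> fix the lines above"
    echo "== hardened pair =="
    check_conf_pair "$tmp/server-hardened.conf" "$tmp/client-hardened.ovpn" && echo "=> consistent"
    rm -rf "$tmp"
fi
```

Run without arguments to see the three findings against the post's own pair (auth, compression, tls-auth) and a clean result for the corrected pair; on a real deployment pass the two files as arguments.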

A Windows client needs the same few files; the only difference is that after downloading them from the server you write the local paths into the profile. On my Mac I simply paste the contents inline instead of using paths.

Now verify the connection; I won't paste the output here. Note: passwordless client logins are not recommended, since they are insecure.
