Install openvpn
yum install -y epel-release yum install -y openvpn easy-rsa openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
After the above command is executed, there will be a directory of / etc/openvpn, where we usually put configuration files.
1. View the openvpn version:
[root@openvpn ~]# openvpn --version |head -n1 OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
2. Copy the server configuration file to the configuration file directory
[root@openvpn ~]# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/
Server certificate
ls /usr/share/easy-rsa/3.0.3/ #The easy-rsa 3 version only has the following files and directories, which is much less than the 2 version easyrsa openssl-1.0.cnf x509-types mkdir /etc/openvpn/easy-rsa cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
- ca certificate making
cd /etc/openvpn/easy-rsa [root@localhost easy-rsa]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars [root@localhost easy-rsa]# vim vars #Modify the relevant configuration of the certificate, customize it as needed, or ignore the unset set_var EASYRSA_REQ_COUNTRY "US" #Country set_var EASYRSA_REQ_PROVINCE "California" #province set_var EASYRSA_REQ_CITY "Shanghai" #City set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" #organization set_var EASYRSA_REQ_EMAIL "test@example.net" #mailbox set_var EASYRSA_REQ_OU "My Organizational Unit" #Company, organization [root@localhost easy-rsa]# ./easyrsa init-pki #Initialize pki and generate directory file structure [root@localhost easy-rsa]# ./easyrsa build-ca #Create ca certificate Note: using Easy-RSA configuration from: ./vars #Use the information configured in the vars file Generating a 2048 bit RSA private key .................+++ ........................................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.Lg8IKADc4Q' Enter PEM pass phrase: #Set ca password (123456 I wrote here) Verifying - Enter PEM pass phrase: #Type in the password again ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #Enter directly, which is the default CA as the name CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/pki/ca.crt #ca certificate storage path
- Server certificate server.crt
1) . production certificate
[root@localhost easy-rsa]# ./easyrsa gen-req server nopass #nopass sets the certificate free password. If you want to set the password, you can cancel this parameter option Note: using Easy-RSA configuration from: ./vars #Use the information configured in the vars file Generating a 2048 bit RSA private key .....................................+++ ................................................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.yuG9HRsSlU' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]: #Enter directly. The default name is server Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/pki/reqs/server.req key: /etc/openvpn/easy-rsa/pki/private/server.key #Path of key key
2) . certificate signature, signing
[root@localhost easy-rsa]# ./easyrsa sign server server #The second server is only the CN name of the server certificate. We use the default server, which is defined according to the actual certificate name Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: #Enter the password (123456) when the above ca certificate is generated Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :PRINTABLE:'server' Certificate is to be certified until May 22 03:23:38 2028 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt #Server certificate path
- dh certificate
[root@localhost easy-rsa]# ./easyrsa gen-dh #Diffie Hellman creation takes a little longer Note: using Easy-RSA configuration from: ./vars Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ............................................................+...........................................................+.......................................................................................................+...........+..........................................................................................................................................................................................................................................................................+............................................................................................................+....................................................................................................+................................................................+.....................................................................................................................................................+............................................+............+......................................................................................+......................................................................+...........................+................................................................+...........................................................................................................++*++* DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem #dh certificate path
- ta key
cd /etc/openvpn openvpn --genkey --secret ta.key
Client certificate
For the convenience of distinction, we store the certificate used by the client in a new path. /etc/openvpn/client
- Create client certificate
[root@localhost client]# mkdir -p /etc/openvpn/client [root@localhost client]# cd /etc/openvpn/client [root@localhost client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/client [root@localhost client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars [root@localhost client]# ./easyrsa init-pki [root@localhost client]# ./easyrsa gen-req client nopass #client is the title of the certificate, which can be customized. nopass is also set to be secret free Generating a 2048 bit RSA private key .....................................................+++ .................................+++ writing new private key to '/etc/openvpn/client/pki/private/client.key.0rbEXauafe' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/client/pki/reqs/client.req key: /etc/openvpn/client/pki/private/client.key #key path
- Sign and sign the client certificate
#Switch to the easy RSA directory of the server: cd /etc/openvpn/easy-rsa #Import req ./easyrsa import-req /etc/openvpn/client/pki/reqs/client.req client ./easyrsa sign client client #Signature. The first client is a fixed parameter indicating the client. The second client is the client certificate name imported above ./easyrsa sign client client Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject= commonName = client Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes #Input'yes' Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: #Enter ca password (123456) Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :PRINTABLE:'client' Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt #Final client certificate path
Modify profile
The server certificate and key are placed in the same directory as server.conf for easy configuration
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/ cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/ cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/ cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
1. Modify the openvpn server configuration file server.conf
cat /etc/openvpn/server.conf local 0.0.0.0 port 1194 #Designated port proto tcp #Designated agreement dev tun #Adopt route tunnel mode ca ca.crt #CA certificate location, relative path, indicating that ca.crt and server.conf should be in the same directory cert server.crt #Server certificate key server.key #Server key dh dh.pem #dh key server 10.8.0.0 255.255.255.0 #Address pool assigned to clients ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" #Client gateway uses openvpn server gateway push "dhcp-option DNS 8.8.8.8" #Specify dns push "dhcp-option DNS 114.114.114.114" keepalive 10 120 #Heartbeat detection, once every 10 seconds. If there is no response within 2 minutes, it is regarded as disconnection tls-auth ta.key 0 #Server value is 0, client is 1 cipher AES-256-CBC comp-lzo #Transmission data compression persist-key persist-tun status openvpn-status.log verb 3
2. Set the profile used by the client (used by the user client)
yum install -y openvpn #linux client installation cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/client.conf /etc/openvpn/client.ovpn cat /etc/openvpn/client.ovpn client dev tun proto tcp #Consistent with the server side remote 123.xxx.xxx.xxx 1194 #Specify server IP and port resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server ca ca.crt #ca certificate cert client.crt #Client certificate key client.key #Client key tls-auth ta.key 1 #ta key cipher AES-256-CBC comp-lzo #Transmission content compression verb 3 #log level
3. Certificate required by client (download and save to the same directory of client and client configuration file)
/Etc / OpenVPN / easy RSA / PKI / issued / client.crt
/etc/openvpn/client/pki/private/client.key
/Etc / OpenVPN / easy RSA / PKI / ca.crt × CA certificate
/etc/openvpn/ta.key
Service startup
Server:
server openvpn start
windows client:
Download the installation package and install by default;
http://www.fyluo.com/ueditor/php/upload/file/20180607/1528361410428080.rar
-
To create a client profile:
Put the configuration file client.ovpn in the C:\Program Files\OpenVPN\config directory of the client machine, and put the configuration file client.ovpn in the C: \ program files \ OpenVPN \ easy RSA \ keys directory of the server
client01.crt, client01.csr, client01.key, ca.key, ca.crt, ta.key files are copied to
Client C:\Program Files\OpenVPN\config directory (the above files are generated by the server, and the client needs to copy these 7 files from the server)
The client.ovpn configuration file is as follows:
-
client dev tun proto tcp remote server IP 8080 ;remote my-server-2 8080 ;remote-random resolv-retry infinite nobind user nobody group nobody ;route 192.168.0.0 255.255.252.0 persist-key persist-tun ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] ca ca.crt cert client.crt key client.key ns-cert-type server tls-auth ta.key 1 comp-lzo # Set log file verbosity. verb 4
-
The configuration file is as follows:
-
The client is connected as follows:
Double click the icon of the client to run (it's simpler, not described)
Linux client:
openvpn --daemon --cd /etc/openvpn --config client.ovpn --log-append /var/log/openvpn.log #Put it in the background
Firewall settings
Turn on kernel forwarding
[root@localhost]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#' /etc/sysctl.conf [root@localhost]# sysctl -p iptables -t nat -A POSTROUTING -d 172.20.4.0/24 -j SNAT --to-source 172.20.4.120 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE [root@kafka3 ~]# iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 0.0.0.0/0 172.20.4.0/24 to:172.20.4.120 MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) target prot opt source destination