如何搭建基于astercc系统的OpenVPN

VPN服务器端:Centos 6.6(Final) (装有astercc系统) VPS的IP为:8.38.33.10

VPN客户端:Windows7 OpenVPN-GUI IP为:192.168.1.226

第一步:为VPS安装OpenVPN及所有所需软件

安装EPEL仓库

 wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm 
 rpm -Uvh epel-release-6-8.noarch.rpm 

安装OpenVPN

包含了 lzo 和 pkcs11-helper

 yum install openvpn 

安装Easy-rsa

该包用来制作ca证书,服务端证书,客户端证书。此版本为:easy-rsa3

 wget https://github.com/OpenVPN/easy-rsa/archive/master.zip 
 unzip master.zip 

解压完成后,将解压得到的文件夹easy-rsa-master重命名为easy-rsa:

 mv easy-rsa-master/ easy-rsa/ 

然后再将得到的easy-rsa文件夹复制到/etc/openvpn/目录下:

 cp -R easy-rsa/ /etc/openvpn/ 

安装Unzip和Zip

在安装Easy-rsa步骤中,假如在 “unzip master.zip” 时提示: -bash: unzip: command not found,则需要执行如下操作:

debian系统,就直接执行如下命令进行安装:

 apt-get install -y zip unzip 

centos系统,那就需要输入下面的命令进行安装:

 yum -y install zip unzip 

第二步:编辑vars文件,根据自己环境配置

首先进入/etc/openvpn/easy-rsa/easyrsa3目录:

 cd /etc/openvpn/easy-rsa/easyrsa3/ 

然后,在此目录下复制 vars.example 为 vars

 cp vars.example vars 

最后,根据自己VPS情况修改下面字段,命令:vi vars,然后进行修改,最后 :wq 退出并保存。注意:配置文件中以 “;” 和 “#” 开头的语句均表示注释,但 “;” 是用来注释可选配置的。

 set_var EASYRSA_REQ_COUNTRY "CN"
 set_var EASYRSA_REQ_PROVINCE "Liaoning"
 set_var EASYRSA_REQ_CITY "Dalian"
 set_var EASYRSA_REQ_ORG "Astercc Org"
 set_var EASYRSA_REQ_EMAIL "liuxl@astercc.com"
 set_var EASYRSA_REQ_OU "Support Unit" 

第三步:创建服务端证书及key

首先,进入/etc/openvpn/easy-rsa/easyrsa3/目录,进行初始化:

 cd /etc/openvpn/easy-rsa/easyrsa3/ 
 ./easyrsa init-pki 

然后,创建根证书,输入并确认密码,再输入common name:

 ./easyrsa build-ca 

如下:

 [root@astercc1 easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................+++
...........................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt 

注意:在上述部分需要输入PEM密码 PEM pass phrase,输入两次,此密码必须记住,不然以后不能为证书签名。还需要输入common name 通用名,这个你自己随便设置个独一无二的,我输入的:server。

再创建服务器端证书,输入Common Name:

 ./easyrsa gen-req server nopass 

如下:

 [root@astercc1 easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.........+++
.....+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key 
该过程中需要输入common name,回车的话,确认为:server。

创建签约服务端证书:

 ./easyrsa sign server server 

如下:

 [root@astercc1 easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName        = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName           :PRINTABLE:'server'
Certificate is to be certified until May 30 05:45:15 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt 
该命令中.需要你确认生成 输入yes,还需要提供创建CA时候的密码。如果你忘记了密码,那就从第三步: ./easyrsa init-pki 开始,再来一次吧。

最后,创建Diffie-Hellman,确保key穿越不安全网络的命令,可能会执行很长时间,请耐心等待,不要中断:

 ./easyrsa gen-dh 

如下:

 [root@astercc1 easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............+...............................................
...........................................................................
.....................................................................................
..............................................................+............................
......................................+...............+.....................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem 

第四步:创建客户端证书

首先,进入root目录新建client文件夹,文件夹可随意命名,然后拷贝前面解压得到的easy-rsa文件夹到client文件夹,并进入到/root/client/easy-rsa/easyrsa3/ 目录:

 cd /root/
 mkdir client
 cp -R /etc/easy-rsa/ client/
 cd client/easy-rsa/easyrsa3/ 

然后进行初始化:

 ./easyrsa init-pki 

如下:

[root@astercc1 easyrsa3]# ./easyrsa  init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki 

再创建客户端key及生成证书(记住生成时自己输入的密码):

 ./easyrsa gen-req client1    //名字是自己定义的 

如下:

 [root@astercc1 easyrsa3]# ./easyrsa  gen-req  client1
Generating a 2048 bit RSA private key
...............+++
............................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/client1.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:

Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/client1.req
key: /root/client/easy-rsa/easyrsa3/pki/private/client1.key 

然后再将得到的client1.req导入,然后签约证书:

a.进入到/etc/openvpn/easy-rsa/easyrsa3/

 cd /etc/openvpn/easy-rsa/easyrsa3/ 

b.导入req

 ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/client1.req client1 

如下:

[root@astercc1 easyrsa3]# cd  /etc/openvpn/easy-rsa/easyrsa3/
[root@astercc1 easyrsa3]#
[root@astercc1 easyrsa3]#
[root@astercc1 easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/client1.req client1

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request. 

c.签约证书

 ./easyrsa sign client client1 

如下:

 [root@astercc1 easyrsa3]# ./easyrsa sign client client1

Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName              =  client1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client1'
Certificate is to be certified until May 30 06:14:04 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt 

这里生成client,所以必须为client1,要与之前导入名字一致。上面签约证书跟server类似,但是期间还是要输入CA的密码。

最后看一下上面都生成了什么东西:

服务端:(/etc/openvpn/easy-rsa/easyrsa3/ 文件夹)

/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/client1.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

客户端:(/root/client/easy-rsa/easyrsa3/ 文件夹)

/root/client/easy-rsa/easyrsa3/pki/private/andy.key
/root/client/easy-rsa/easyrsa3/pki/reqs/andy.req          //这个文件被我们导入到了服务端文件所以那里也有

a.这一步就是拷贝这些文件放入到相应位置。将下列文件放到/etc/openvpn/ 目录下,执行命令:

 cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn 

这样就将上述四个文件放入到了/etc/openvpn目录下。

b.这一步将下列文件放到/root/client/ 目录下,执行命令:

 cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/andy.crt /root/client
 cp /root/client/easy-rsa/easyrsa3/pki/private/andy.key /root/client 

这样就将上述三个文件复制到了/root/client目录下,包括:ca.crt、andy.crt、andy.key

第五步:为服务端编写配置文件

当你安装好了openvpn时候,他会提供一个server配置的文件例子,在 /usr/share/doc/openvpn-2.3.6/sample/sample-config-files 下会有一个server.conf文件,我们将这个文件复制到/etc/openvpn

 cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn 

然后修改配置 vi server.conf

如下:

 
local  a.b.c.d   (可不写)
port 1194  (端口号,可以自行定义,但定义完要在centos的 /etc/sysconfig/iptables 中加入端口语句,如:-A INPUT -p udp --dport 1194 -j ACCEPT,或者执行一条开启命令,但不加到iptables文件中:iptables -A INPUT -p udp --dport 1194 -j ACCEPT)
proto udp       # 服务器端 和 客户端的设置要一致    
dev tun       # 服务器端 和 客户端的设置要一致
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key       # This file should be kept secret
dh /etc/openvpn/dh.pem      # 以上4个均使用绝对路径
server 10.8.0.0 255.255.255.0     # 虚拟出来一个内部网段,用来VPN的
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"    # 网关重定向
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo    # 对数据传输进行压缩的参数,两端配置要一致
max-clients 100  # 最大客户端数,可以不写
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
log /etc/openvpn/openvpn.log
log-append  /etc/openvpn/openvpn.log
verb 4 
每个项目都会由一大堆介绍。上述修改,openvpn提供的server.conf已经全部提供,我们只需要去掉前面的注释 #(或;),然后修改成我们自己的有关配置。

开启 IP转发 和 NAT转发 功能:

 vim /etc/sysctl.conf 
将net.ipv4.ip_forward = 0 改成 net.ipv4.ip_forward = 1
 sysctl -p 
 iptables -t nat -A  POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 8.38.33.10 

第六步:下载openvpn客户端,并进行配置

首先,将VPS生成的 客户端证书和key文件(即:ca.crt client1.crt client1.key)下载到客户端电脑: 其次,去官网 https://openvpn.net/,下载并安装openvpn-2.3.6客户端。在安装目录 D:\Program Files\OpenVPN\sample-config 中找到 client.ovpn 文件,并将其复制到D:\Program Files\OpenVPN\config 下面 然后,对客户端进行配置,编辑 client.ovpn 文件。

如下:

 client
dev tun            # 服务器端 和 客户端的设置要一致
proto udp          # 服务器端 和 客户端的设置要一致
remote 8.38.33.10  1194         # 这里IP是VPS的外网IP 和端口号
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt             # 这里需要生成的CA证书,也可以注释掉这一行,用<ca>  </ca>将ca文件的内容全部嵌入进来
cert client1.crt
key client1.key
comp-lzo
verb 3 

第七步:测试排错

a.启动VPS上的OpenVPN服务,执行以下命令:

 service openvpn start 
如果出现:service start failed!! 运行 openvpn /etc/openvpn/server.conf 又可以运行,那么请试图删除/etc/openvpn/下的ipp.txt 和 openvpn-status.log后,再重新启动OpenVPN。

b.启动客户端 以管理员身份来运行OpenVPN-GUI启动,注意在启动后需要输入创建client1.key时候的密码,然后进入连接的界面。假如连接失败,请先把VPS的iptables停掉,执行如下命令,然后再连接:

 service iptables stop 

zh/实际案例指导/如何搭建基于astercc系统的openvpn.txt · 最后更改: 2017/12/12 11:05 (外部编辑)
Recent changes RSS feed Debian Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki