
Deploying OpenVPN on CentOS 7 to reach a LAN remotely and form a private network


OpenVPN installation and deployment

Peer-to-Peer VPN: connects two machines that both have public addresses on the Internet.
Remote Access VPN: for mobile workers and staff who are often out of the office and need to reach the company's production environment. In this scenario the remote user normally has no public IP; they sit on a private address behind a firewall that NATs them onto the Internet.
Site-to-Site VPN: connects two or more LANs in different locations. Each LAN has an OpenVPN server as its access point, and together they form one virtual private network in which hosts and servers on the different LANs can talk to each other.

Environment:
This lab uses TUN mode in the Remote Access VPN scenario. The OpenVPN server has two NICs:

Role             Internal address   External address
client           -                  192.168.2.1 (simulated public address)
openvpn server   192.168.3.1        192.168.2.7 (simulated public address)
LB server        192.168.3.2        -

Steps:

1. Install OpenVPN

[root@localhost ~]# yum -y install epel-release
[root@localhost ~]# yum install -y openvpn

2. Install easy-rsa

[root@localhost ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@localhost ~]# unzip master.zip
[root@localhost ~]# mv easy-rsa-master/ easy-rsa
[root@localhost ~]# cp -R easy-rsa/ /etc/openvpn/
[root@localhost ~]# cd /etc/openvpn/
[root@localhost openvpn]# ls
client  easy-rsa  server

master.zip is the unpinned development branch of Easy-RSA 3, so two runs of this step can yield different code. For a build you can reproduce, fetch a tagged release from the same repository and check its checksum or signature before unpacking.

3. Configure the vars file

[root@localhost ~]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@localhost easyrsa3]# cp vars.example vars
[root@localhost easyrsa3]# vim vars
# edit the following entries with your own details
.......
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "BJ"
set_var EASYRSA_REQ_CITY        "Beijing"
set_var EASYRSA_REQ_ORG         "Benet"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "dynamic"
.......

4. Configure the NICs

[root@localhost ~]# ip a

The interfaces look like this:

1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:34:e5:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.7/24 brd 192.168.2.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe34:e5d0/64 scope link
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:34:e5:da brd ff:ff:ff:ff:ff:ff
inet6 fe80::20c:29ff:fe34:e5da/64 scope link
valid_lft forever preferred_lft forever

[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp ifcfg-eth0 ifcfg-eth1
[root@localhost network-scripts]# vim ifcfg-eth1

TYPE=Ethernet
BOOTPROTO=static
# internal address of the server
IPADDR=192.168.3.1
DNS1=114.114.114.114
# MAC address of this NIC; it must match the link/ether value shown by ip a
HWADDR=00:0c:29:34:e5:da
# the default route must stay on eth0 (the external NIC); do not set GATEWAY
# to this interface's own address and do not let it become the default route
DEFROUTE=no
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
# connection name and device
NAME=eth1
DEVICE=eth1
ONBOOT=yes

[root@localhost network-scripts]# ip a

1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:34:e5:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.7/24 brd 192.168.2.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe34:e5d0/64 scope link
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:34:e5:da brd ff:ff:ff:ff:ff:ff
inet 192.168.3.1/24 brd 192.168.3.255 scope global eno33554984
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe34:e5da/64 scope link
valid_lft forever preferred_lft forever

Steps (server-side PKI: CA, server certificate, DH parameters):

1. Initialise the PKI directory

[root@localhost easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  vars  vars.example  x509-types
[root@localhost easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki

2. Create the CA certificate

[root@localhost easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Enter New CA Key Passphrase:     # remember the CA passphrase; it is needed every time a certificate is signed
Re-Enter New CA Key Passphrase:      # re-enter it
Generating RSA private key, 2048 bit long modulus
........................................+++
..........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic  # Common Name of the CA itself (not of the server)
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

3. Create the server key and certificate request

[root@localhost easyrsa3]# ./easyrsa gen-req server nopass    # nopass: no passphrase on the server key so the service can start unattended; protect the file with filesystem permissions instead
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...+++
..............................................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.kxIvU2Xkq4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:dynamic-server    # Common Name of the server
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

4. Sign the server certificate

[root@localhost easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName                = dynamic-server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes    # type yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:   # enter the CA passphrase set in build-ca
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-server'
Certificate is to be certified until May 14 13:07:30 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

5. Generate the Diffie-Hellman parameters

[root@localhost easyrsa3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......+.......+.....+......+....   (progress output trimmed)
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

Steps (client key and certificate):

1. Initialise a separate PKI directory for the client

[root@localhost ~]# cd /etc/openvpn/client/
[root@localhost client]# cp -R /root/easy-rsa/ client
[root@localhost client]# cd client/easyrsa3/
[root@localhost easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  vars.example  x509-types
[root@localhost easyrsa3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/client/easyrsa3/pki

2. Create a client-side CA (optional)

This step can be skipped: the client's request is signed by the server's CA in step 5 below, so this second CA is never used for anything.

[root@localhost easyrsa3]# ./easyrsa build-ca

Enter New CA Key Passphrase:     # passphrase for this client-side CA
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus
................................................................................+++
................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/client/client/easyrsa3/pki/ca.crt

3. Create the client key and certificate request

[root@localhost easyrsa3]# ./easyrsa gen-req client1

Generating a 2048 bit RSA private key
..............+++
.......................................................+++
writing new private key to '/etc/openvpn/client/client/easyrsa3/pki/private/client1.key.Kh0Vbn288c'
Enter PEM pass phrase:    # passphrase protecting client1.key; the OpenVPN client asks for it on every connection. It is not the VPN username/password (that comes from psw-file below) and not the CA passphrase.
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:dynamic-client1    # Common Name of the client

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req
key: /etc/openvpn/client/client/easyrsa3/pki/private/client1.key

4. Import the client request into the server PKI

[root@localhost easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@localhost easyrsa3]# ./easyrsa import-req /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req client1

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.

5. Sign the client certificate

[root@localhost easyrsa3]# ./easyrsa sign client client1
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = dynamic-client1
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:    # enter the server CA passphrase from build-ca (not the client key passphrase)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-client1'
Certificate is to be certified until May 14 13:24:08 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt

Steps (install the certificates and configure the server):

1. Copy the certificate files

[root@localhost ~]# cd /etc/openvpn/easy-rsa/easyrsa3/pki/
[root@localhost pki]# ls

ca.crt           dh.pem     index.txt.attr      index.txt.old  private  serial
certs_by_serial  index.txt  index.txt.attr.old  issued         reqs     serial.old
[root@localhost pki]# cp ca.crt /etc/openvpn/server/
[root@localhost pki]# cp private/server.key /etc/openvpn/server/
[root@localhost pki]# cp issued/server.crt /etc/openvpn/server/
[root@localhost pki]# cp dh.pem /etc/openvpn/server/

[root@localhost pki]# cp ca.crt /etc/openvpn/client/
[root@localhost pki]# cp issued/client1.crt /etc/openvpn/client/
[root@localhost pki]# cp /etc/openvpn/client/client/easyrsa3/pki/private/client1.key /etc/openvpn/client/

[root@localhost pki]# cd /etc/openvpn/server
[root@localhost server]# ls

ca.crt  dh.pem  server.crt  server.key
[root@localhost server]# cd /etc/openvpn/client/
[root@localhost client]# ls

ca.crt  client  client1.crt  client1.key
[root@localhost ~]# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn
[root@localhost ~]# cd /etc/openvpn
[root@localhost openvpn]# cp server.conf server.conf.bak
[root@localhost openvpn]# egrep -v "^#|^;|^$" server.conf.bak > server.conf

2. Configure server.conf

[root@localhost openvpn]# vim server.conf
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
comp-lzo                                  # must match the client; compressing the encrypted tunnel is what VORACLE-style attacks exploit, so leave it out on both sides unless you really need it
push "redirect-gateway def1 bypass-dhcp"  # after connecting, the client sends all its traffic through the server
push "dhcp-option DNS 223.5.5.5"          # tested: the client only reaches the Internet through the server if a DNS server is pushed and masquerade is enabled in the firewall
client-to-client
log /var/log/openvpn.log
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env   # the username/password pair is checked by this script (see the password-login section below)
client-cert-not-required                  # the server does not require a client certificate, so ca.crt plus one psw-file entry is enough to connect; remove this line to require certificate AND password. Deprecated in 2.4 and removed in 2.5 ('verify-client-cert none' is the replacement)
username-as-common-name                   # use the authenticated username instead of the certificate's Common Name
script-security 3                         # lets the password reach the script through environment variables (needed for via-env); the manual flags this level as potentially unsafe
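The server.conf above works, but several of its directives trade security for convenience. The following script is an added example (not from this page and not part of OpenVPN) that parses a server.conf and reports those directives: no client certificate required, tunnel compression, no tls-auth/tls-crypt, the daemon keeping root, the password passed via the environment, and redirect-gateway. The embedded sample is the configuration from this page; the script uses only the Python standard library and can be run on any server.conf by passing its contents to audit().

```python
"""Audit an OpenVPN server.conf for the weak settings discussed on this page.

Added example; not part of the original article and not OpenVPN's own code.
It parses the directive syntax used here ('#'/';' comments, quoted push
arguments) and returns findings instead of printing them, so it can be tested.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample input: the server.conf from this page.
SAMPLE_SERVER_CONF = """\
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
client-to-client
log /var/log/openvpn.log
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
script-security 3
"""

Directives = Dict[str, List[List[str]]]


def parse_conf(text: str) -> Directives:
    """Map each directive name to every argument list it appears with."""
    directives: Directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        lexer = shlex.shlex(line, posix=True)
        lexer.whitespace_split = True   # split on whitespace only; quoted args stay whole
        lexer.commenters = "#;"         # drop trailing comments such as the one after 'key'
        tokens = list(lexer)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings: List[Tuple[str, str]] = []
    if "client-cert-not-required" in conf:
        findings.append(("high", "client-cert-not-required: no client certificate is "
                         "required, so ca.crt plus one psw-file entry is enough to "
                         "connect; remove it to require certificate AND password "
                         "(deprecated in 2.4, replaced by verify-client-cert in 2.5)"))
    if "comp-lzo" in conf or "compress" in conf:
        findings.append(("medium", "comp-lzo/compress: compressing the encrypted tunnel "
                         "is what VORACLE-style plaintext recovery relies on"))
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append(("medium", "no tls-auth/tls-crypt: anyone who can reach the port "
                         "can start a TLS handshake with the server"))
    if "user" not in conf or "group" not in conf:
        findings.append(("medium", "no user/group: the daemon keeps root privileges after "
                         "start-up; add 'user nobody' and 'group nobody'"))
    for args in conf.get("auth-user-pass-verify", []):
        if len(args) == 2 and args[1] == "via-env":
            findings.append(("low", f"auth-user-pass-verify {args[0]} via-env: the password "
                             "arrives in environment variables (script-security 3, "
                             "'potentially unsafe' per the manual); via-file hands it "
                             "over in a temporary file instead"))
    for args in conf.get("push", []):
        if args and args[0].startswith("redirect-gateway"):
            findings.append(("info", "redirect-gateway: all client traffic leaves through "
                             "the server; push 'route <lan> <mask>' if clients only need the LAN"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SERVER_CONF):
        print(f"[{severity}] {message}")
```

Run it as-is to see the six findings for the page's configuration, or replace SAMPLE_SERVER_CONF with the contents of your own file. Inline `<ca>...</ca>` blocks are not handled by parse_conf; the page's configuration references files, so that is not needed here.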

3. Password login in detail
① Server-side configuration:

# vim /etc/openvpn/server.conf
These are the lines at the end of server.conf above; they turn on username/password authentication:
script-security 3                                        # allow the password to be passed to the script through environment variables (older guides add a second argument 'system'; that method selector is deprecated and not needed)
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env   # script that receives one username/password pair and accepts (exit 0) or rejects (exit 1) it
client-cert-not-required                                 # do not require a client certificate; rely on the password pair
username-as-common-name                                  # use the authenticated username rather than the certificate's Common Name

② Create the checkpsw.sh script under /etc/openvpn/:

# vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN (via-env) hands the submitted credentials to this
# script in the environment variables $username and $password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"   # the directory must exist (mkdir -p /var/log/openvpn)
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Pass the username in with -v instead of splicing it into the awk program:
# a username containing a double quote would otherwise rewrite the program.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Log only the username: the submitted password is never written to disk.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

# mkdir -p /var/log/openvpn                                                  # log directory used above
# chmod +x /etc/openvpn/checkpsw.sh                                          # make it executable
# username=client password='password%1' /etc/openvpn/checkpsw.sh; echo $?   # manual test once psw-file exists: 0 = accepted, 1 = rejected

③ Create the psw-file:

# cd /etc/openvpn                          # the script reads /etc/openvpn/psw-file, so create it here, not under server/
# echo "client  password%1" > psw-file     # one username/password pair per line; add as many lines as needed
# chmod 400 psw-file                       # readable by root only (OpenVPN runs the script as root here, so it can still read it)
or edit it directly:
[root@localhost ~]# vim /etc/openvpn/psw-file
client    password
The passwords are stored in clear text, so the file must stay readable by root only.
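The clear-text psw-file is the weak point of this setup: whoever reads it holds every VPN password, and the original script even logged rejected passwords. The script below is an added example (not the page's checkpsw.sh and not part of OpenVPN) that can be used in its place with `auth-user-pass-verify /etc/openvpn/checkpsw.py via-env`. It assumes python3 is installed on the server (CentOS 7 ships Python 2 by default) and the same file paths as above, and it stores salted PBKDF2-SHA256 hashes instead of passwords, compares them in constant time, and never writes the password to the log.

```python
#!/usr/bin/env python3
"""Hashed-password replacement for checkpsw.sh.

Added example; not the script from this page and not part of OpenVPN.
OpenVPN runs it through
    auth-user-pass-verify /etc/openvpn/checkpsw.py via-env
with script-security 3: the submitted credentials arrive in the environment
variables `username` and `password`, and exit status 0 accepts the login.

The password file (assumed: /etc/openvpn/psw-file, same path as above) holds
one user per line in the form
    username:pbkdf2_sha256:<iterations>:<salt hex>:<hash hex>
so a leaked file does not give away the passwords themselves.
"""
import hashlib
import hmac
import os
import secrets
import sys
from datetime import datetime
from typing import Optional

PASSFILE = "/etc/openvpn/psw-file"                   # assumed location
LOG_FILE = "/var/log/openvpn/openvpn-password.log"   # assumed location
ITERATIONS = 200_000                                 # PBKDF2 work factor
SALT_LEN = 16


def make_entry(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build the psw-file line for one user; run this once per account."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and must not contain ':'")
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:pbkdf2_sha256:{ITERATIONS}:{salt.hex()}:{digest.hex()}"


def verify(username: str, password: str, passfile_text: str) -> bool:
    """Return True only if `password` matches the stored hash for `username`."""
    for line in passfile_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":            # comment lines, as in the original psw-file
            continue
        parts = line.split(":")
        if len(parts) != 5 or parts[0] != username or parts[1] != "pbkdf2_sha256":
            continue
        try:
            iterations = int(parts[2])
            salt = bytes.fromhex(parts[3])
            stored = bytes.fromhex(parts[4])
        except ValueError:                         # malformed entry: treat as absent
            continue
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        # constant-time comparison so timing does not leak how many bytes matched
        return hmac.compare_digest(candidate, stored)
    # Unknown user: do the same amount of work as a real check so the response
    # time does not reveal which usernames exist.
    hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_LEN, ITERATIONS)
    return False


def log(message: str) -> None:
    """Append a timestamped line to the log; the password itself is never written."""
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    try:
        with open(LOG_FILE, "a") as fh:
            fh.write(f"{stamp}: {message}\n")
    except OSError:
        pass  # a missing log directory must not change the authentication decision


def main() -> int:
    """Entry point OpenVPN calls: read the credentials from the environment."""
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE, encoding="utf-8") as fh:
            passfile_text = fh.read()
    except OSError:
        log(f"Could not open password file {PASSFILE!r} for reading.")
        return 1
    if verify(username, password, passfile_text):
        log(f"Successful authentication: username={username!r}.")
        return 0
    log(f"Authentication failed: username={username!r}.")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Generate each line with make_entry("client", "password%1") and append it to /etc/openvpn/psw-file, keep the file root-owned with mode 400 as before, make the script executable, and point auth-user-pass-verify at it instead of checkpsw.sh. The manual test is the same as for the shell script: `username=client password='password%1' /etc/openvpn/checkpsw.py; echo $?`.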

4. Configure forwarding and the firewall, then start OpenVPN

[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# openvpn /etc/openvpn/server.conf &      # quick manual test run; use the systemd unit below for normal operation
[root@localhost ~]# ps -ef | grep vpn
root      38843   3316  0 21:48 pts/0    00:00:00 openvpn /etc/openvpn/server.conf
root      38909  38875  0 21:48 pts/1    00:00:00 grep --color=auto vpn
[root@localhost ~]# ss -anpt | grep 1194
LISTEN     0      1            *:1194                    *:*                   users:(("openvpn",pid=38843,fd=6))

There is no need to stop firewalld for this test; keep it running and open only what OpenVPN needs. First make sure it is active:
# systemctl start firewalld.service
# systemctl status firewalld.service
Check which services are already allowed through:
# firewall-cmd --list-services
dhcpv6-client http https ssh
dhcpv6-client, http, https and ssh are already present. Add openvpn:
# firewall-cmd --add-service openvpn
success
# firewall-cmd --permanent --add-service openvpn
success
The firewalld openvpn service only opens 1194/udp. Because server.conf uses proto tcp, open the TCP port as well:
# firewall-cmd --add-port=1194/tcp
# firewall-cmd --permanent --add-port=1194/tcp
Finally enable masquerade; testing showed the client can only reach the Internet through the server with this on:
# firewall-cmd --add-masquerade
success
# firewall-cmd --permanent --add-masquerade
success
Confirm that masquerade is active:
# firewall-cmd --query-masquerade
yes

5. Start the OpenVPN server and enable it at boot

The template unit shipped with the package is the simplest way; openvpn@server reads /etc/openvpn/server.conf, which is where the file was written above:

systemctl enable openvpn@server   # start at boot
systemctl start openvpn@server    # start OpenVPN
systemctl stop openvpn@server     # stop OpenVPN
systemctl restart openvpn@server  # restart OpenVPN

Alternatively, add the following line to /etc/rc.d/rc.local and make rc.local executable:

openvpn --config /etc/openvpn/server.conf >> /dev/null 2>&1 &

Client environment:

Steps:

1. Copy the client's certificate and key from the OpenVPN server

[root@localhost ~]# cd /etc/openvpn/client/
[root@localhost client]# sz ca.crt client1.crt client1.key   # transfer (sz or scp) into the config directory of the OpenVPN client software

2. Copy the sample client configuration into the config directory

3. Edit the client configuration file

client
dev tun
proto tcp                     # must match the server
remote 110.109.50.100 1194    # public address and port of the OpenVPN server (192.168.2.7 in this lab)
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass                # prompt for the username/password that checkpsw.sh verifies
cert client1.crt
key client1.key               # passphrase-protected; the client asks for the passphrase on connect
remote-cert-tls server        # only accept a server certificate issued with the 'server' type (easyrsa sign server); stops a client certificate from being used to impersonate the server
cipher AES-256-CBC            # fallback data-channel cipher; two 2.4 peers negotiate AES-256-GCM by default
verb 3
comp-lzo                      # must match the server; compression weakens the tunnel (VORACLE), so if you drop it there, drop it here too
reneg-sec 360000              # client-side TLS renegotiation interval; the server's own default of 3600 s still triggers renegotiation

4. Connect to the VPN; enter the passphrase of client1.key when prompted, then the username and password from psw-file.
5. Test the connection.
6. From the client 192.168.2.1, reach the server at 192.168.3.2 on the internal LAN through the VPN.

This is only a lab setup that simulates a client reaching the LAN through a public address. In production, set remote to the server's real public address, and if clients only need the internal subnet rather than full Internet access through the server, push a route to 192.168.3.0/24 in server.conf instead of redirect-gateway.


Published on podipod 软库网 by DevOps; please credit the source when reposting.
