Peer-to-Peer VPN (point-to-point): in this scenario two machines on the Internet, each with a public address, are linked directly by a VPN.
Remote Access VPN: this deployment is meant for mobile workers and staff who are frequently out of the office and need to reach the company's production environment. The remote user usually has no public IP; they use a private address that is NAT-translated by a firewall device on the way to the Internet.
Site-to-Site VPN: used to connect two or more geographically separate LANs. Each LAN has an OpenVPN server as its access point, and together they form a virtual private network in which the hosts and servers of the different LANs can reach each other.
This lab builds a Remote Access VPN. The OpenVPN server has two network cards:

| Role | Internal address | External address |
|---|---|---|
| client | 192.168.2.1 (simulated) | |
| openvpn server | 192.168.3.1 | 192.168.2.7 (simulated) |
| LB server | 192.168.3.2 | |
**Installing OpenVPN and preparing the server**

1. Install OpenVPN

```
[root@localhost ~]# yum -y install epel-re*
[root@localhost ~]# yum install -y openvpn
```
2. Install easy-rsa

```
[root@localhost ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@localhost ~]# unzip master.zip
[root@localhost ~]# mv easy-rsa-master/ easy-rsa
[root@localhost ~]# cp -R easy-rsa/ /etc/openvpn/
[root@localhost ~]# cd /etc/openvpn/
[root@localhost openvpn]# ls
client  easy-rsa  server
```
3. Configure the vars file

```
[root@localhost ~]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@localhost easyrsa3]# cp vars.example vars
[root@localhost easyrsa3]# vim vars
# change the following entries to your own details
.......
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "BJ"
set_var EASYRSA_REQ_CITY     "Beijing"
set_var EASYRSA_REQ_ORG      "Benet"
set_var EASYRSA_REQ_EMAIL    "you@example.com"   # your contact e-mail address
set_var EASYRSA_REQ_OU       "dynamic"
.......
```
4. Configure the network cards

Check the current interfaces:

```
[root@localhost ~]# ip a
1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:34:e5:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.7/24 brd 192.168.2.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe34:e5d0/64 scope link
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:34:e5:da brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20c:29ff:fe34:e5da/64 scope link
       valid_lft forever preferred_lft forever
```

eth0 already carries the (simulated) external address 192.168.2.7; eth1 has no IPv4 address yet and becomes the internal interface.
```
[root@localhost ~]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp ifcfg-eth0 ifcfg-eth1
[root@localhost network-scripts]# vim ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
IPADDR=192.168.3.1        # internal address (the lab also sets GATEWAY to this address; an isolated internal segment normally needs no GATEWAY entry)
DNS1=114.114.114.114
GATEWAY=192.168.3.1
HWADDR=00:0c:29:34:e5:da  # fill in the MAC address of eth1
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eth1                 # interface name
DEVICE=eth1
ONBOOT=yes
```
```
[root@localhost network-scripts]# ip a
1: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:34:e5:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.7/24 brd 192.168.2.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe34:e5d0/64 scope link
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:34:e5:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eno33554984
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe34:e5da/64 scope link
       valid_lft forever preferred_lft forever
```
**Server-side certificates** (in /etc/openvpn/easy-rsa/easyrsa3)

1. Initialize the PKI directory

```
[root@localhost easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  vars  vars.example  x509-types
[root@localhost easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki
```
2. Create the CA certificate

```
[root@localhost easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Enter New CA Key Passphrase:       # choose and remember the CA passphrase
Re-Enter New CA Key Passphrase:    # repeat it
Generating RSA private key, 2048 bit long modulus
........................................+++
..........+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic   # common name for the CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
```
3. Create the server key and certificate request (`nopass` leaves the server key unencrypted so the daemon can start unattended)

```
[root@localhost easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...+++
..............................................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.kxIvU2Xkq4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:dynamic-server   # common name for the server
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
```
4. Sign the server certificate

```
[root@localhost easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName                = dynamic-server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes            # type yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:   # the CA passphrase chosen earlier
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-server'
Certificate is to be certified until May 14 13:07:30 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
```
5. Generate the Diffie-Hellman parameters (used for the key exchange that protects the data channel)

```
[root@localhost easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................+.......................+.....................
(progress output continues for several minutes)
.................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
```
**Client certificate** (a separate easy-rsa copy on the same server; the request is later signed by the server CA)

1. Initialize the directory

```
[root@localhost ~]# cd /etc/openvpn/client/
[root@localhost client]# cp -R /root/easy-rsa/ client
[root@localhost client]# cd client/easyrsa3/
[root@localhost easyrsa3]# ls
easyrsa  openssl-easyrsa.cnf  vars.example  x509-types
[root@localhost easyrsa3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/client/easyrsa3/pki
```
2. Create a client-side CA certificate (this CA is not used afterwards; only the request generated in step 3 is imported and signed by the server CA)

```
[root@localhost easyrsa3]# ./easyrsa build-ca
Enter New CA Key Passphrase:       # passphrase for the client-side CA
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
................................................................................+++
................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/client/client/easyrsa3/pki/ca.crt
```
3. Create the client key and certificate request

```
[root@localhost easyrsa3]# ./easyrsa gen-req client1
Generating a 2048 bit RSA private key
..............+++
.......................................................+++
writing new private key to '/etc/openvpn/client/client/easyrsa3/pki/private/client1.key.Kh0Vbn288c'
Enter PEM pass phrase:             # passphrase protecting the client key; the VPN client prompts for it when connecting
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:dynamic-client1   # common name for the client
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req
key: /etc/openvpn/client/client/easyrsa3/pki/private/client1.key
```
4. Import the client request into the server PKI

```
[root@localhost easyrsa3]# cd /etc/openvpn/easy-rsa/easyrsa3/
[root@localhost easyrsa3]# ./easyrsa import-req /etc/openvpn/client/client/easyrsa3/pki/reqs/client1.req client1
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.
```
5. Sign the client certificate with the server CA

```
[root@localhost easyrsa3]# ./easyrsa sign client client1
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = dynamic-client1
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:   # the server CA passphrase from step 2 of the server-side section
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dynamic-client1'
Certificate is to be certified until May 14 13:24:08 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt
```
**Server configuration**

1. Copy the certificate files into place and prepare server.conf from the sample file

```
[root@localhost ~]# cd /etc/openvpn/easy-rsa/easyrsa3/pki/
[root@localhost pki]# ls
ca.crt           dh.pem     index.txt.attr      index.txt.old  private  serial
certs_by_serial  index.txt  index.txt.attr.old  issued         reqs     serial.old
[root@localhost pki]# cp ca.crt /etc/openvpn/server/
[root@localhost pki]# cp private/server.key /etc/openvpn/server/
[root@localhost pki]# cp issued/server.crt /etc/openvpn/server/
[root@localhost pki]# cp dh.pem /etc/openvpn/server/
[root@localhost pki]# cp ca.crt /etc/openvpn/client/
[root@localhost pki]# cp issued/client1.crt /etc/openvpn/client/
[root@localhost pki]# cp /etc/openvpn/client/client/easyrsa3/pki/private/client1.key /etc/openvpn/client/
[root@localhost pki]# cd /etc/openvpn/server
[root@localhost server]# ls
ca.crt  dh.pem  server.crt  server.key
[root@localhost openvpn]# cd client/
[root@localhost client]# ls
ca.crt  client  client1.crt  client1.key
[root@localhost ~]# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn
[root@localhost ~]# cd /etc/openvpn
[root@localhost openvpn]# cp server.conf server.conf.bak
[root@localhost openvpn]# egrep -v "^#|^;|^$" server.conf.bak > server.conf
```

The last command strips comments and blank lines from the sample file so that only the active directives remain in server.conf.
2. Configure server.conf

```
[root@localhost openvpn]# vim server.conf
local 0.0.0.0
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
comp-lzo                                   # LZO compression; newer OpenVPN releases deprecate compression
push "redirect-gateway def1 bypass-dhcp"   # after connecting, the client routes all traffic through the server
push "dhcp-option DNS 223.5.5.5"           # tested: DNS must be pushed and masquerade enabled on the firewall before the client can reach the Internet through the server
client-to-client
log /var/log/openvpn.log
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
script-security 3
```

The last four directives switch authentication from client certificates to username/password pairs checked by a script; they are explained in the next step.
3. Password login in detail

① Server-side configuration:

```
# vim /etc/openvpn/server/server.conf
```

Append the following lines at the end of the configuration file (the server.conf above already contains them; add them if you started from the plain sample file):

```
script-security 3 system                                  # allow the password to be passed to the script through environment variables
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env    # check username/password pairs with this script
client-cert-not-required                                  # do not require a client certificate; authenticate with the password pair instead
username-as-common-name                                   # use the authenticated username rather than the certificate common name
```
② Create the checkpsw.sh script under /etc/openvpn/:

```
# vim /etc/openvpn/checkpsw.sh
```

```sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# OpenVPN exports the submitted credentials as $username and $password (via-env)
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
```

```
chmod +x /etc/openvpn/checkpsw.sh   # make the script executable
bash /etc/openvpn/checkpsw.sh       # run it once to check that it executes
```

Two things to keep in mind with this script: the directory /var/log/openvpn must exist or nothing is logged, and every failed attempt writes the submitted password in clear text to that log, so the log file needs the same protection as the password file itself.
③ Create the psw-file:

```
# cd /etc/openvpn/server
# echo "client password%1" > psw-file   # one "username password" pair per line; several lines are allowed
# chmod 400 psw-file                     # restrict the permissions (the author ran this as root)
```

or simply:

```
[root@localhost ~]# vim /etc/openvpn/psw-file
client password
```

The script reads PASSFILE="/etc/openvpn/psw-file", so the file must be at that path; if you used the first variant, which writes it under /etc/openvpn/server/, move it or adjust PASSFILE accordingly.
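The checkpsw.sh approach above stores passwords in clear text, interpolates the username into an awk program, and logs the submitted password on failure. The following Python script is an added example (not the post's checkpsw.sh and not part of OpenVPN) of the same `auth-user-pass-verify` hook with those points addressed: it uses the `via-file` method, so the credentials arrive in a temporary file instead of the environment and `script-security 2` suffices, and the password file holds salted PBKDF2 hashes instead of passwords. The paths reuse the post's /etc/openvpn/psw-file and log file; the file name checkpsw.py and the record format are assumptions of this example, and the sample password file embedded at the bottom is constructed.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify handler with hashed passwords (added example, not the post's script).

Wire it in with:
    auth-user-pass-verify /etc/openvpn/checkpsw.py via-file
    script-security 2
OpenVPN writes the username and password to a temporary file (one per line) and
passes its path as argv[1]. Password-file records look like
    username pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
and are produced with hash_password(); lines starting with # or ; are comments.
"""
import hashlib
import hmac
import secrets
import sys
from datetime import datetime
from typing import Dict, Optional, Tuple

PASSFILE = "/etc/openvpn/psw-file"                   # same path as the post's script
LOG_FILE = "/var/log/openvpn/openvpn-password.log"   # same log file as the post's script
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Build a password-file record; a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # malformed record: wrong field count, bad hex or bad integer
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


# Record for a random password nobody knows, so a lookup of an unknown user costs
# the same time as a real verification (no username enumeration through timing).
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def load_passfile(text: str) -> Dict[str, str]:
    """Parse 'username<whitespace>record' lines; blank lines and comments are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            users[parts[0]] = parts[1].strip()
    return users


def authenticate(username: str, password: str, users: Dict[str, str]) -> bool:
    """True only if the user exists and the password matches its stored record."""
    record = users.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # keep timing uniform
        return False
    return verify_password(password, record)


def read_credentials(path: str) -> Tuple[str, str]:
    """Read the two-line file OpenVPN hands over with the via-file method."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("credential file must contain a username line and a password line")
    return lines[0], lines[1]


def log(message: str) -> None:
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    with open(LOG_FILE, "a", encoding="utf-8") as fh:
        fh.write(f"{stamp}: {message}\n")


# Constructed sample password file: user "client" with the post's password "password%1".
SAMPLE_PASSFILE = "# constructed example, not a deployed file\nclient " + hash_password("password%1") + "\n"


def main() -> int:
    if len(sys.argv) != 2:
        return 1
    username, password = read_credentials(sys.argv[1])
    with open(PASSFILE, encoding="utf-8") as fh:
        users = load_passfile(fh.read())
    ok = authenticate(username, password, users)
    # Only the outcome and the username are logged; the submitted password is never written.
    log(f"{'Successful' if ok else 'Failed'} authentication: username=\"{username}\"")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

To add a user, run hash_password() on the server for the chosen password and append `username <record>` to /etc/openvpn/psw-file; the file should stay root-only readable (chmod 400) as in the post, since the hashes still deserve protection even though they no longer reveal the password directly.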
4. Configure the firewall and IP forwarding, then start OpenVPN

```
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@localhost ~]# openvpn /etc/openvpn/server.conf &
[root@localhost ~]# ps -ef | grep vpn
root  38843   3316  0 21:48 pts/0  00:00:00 openvpn /etc/openvpn/server.conf
root  38909  38875  0 21:48 pts/1  00:00:00 grep --color=auto vpn
[root@localhost ~]# ss -anpt | grep 55555
LISTEN  0  1  *:55555  *:*  users:(("openvpn",pid=38843,fd=6))
```

`ss` must show OpenVPN listening on the port set in server.conf (this capture was taken with port 55555; with the configuration shown above it is 1194).

firewalld was stopped above for the first test run; start it again and check its status, since firewall-cmd only works while the daemon is running:

```
systemctl status firewalld.service
```

List the services that are already allowed through:

```
# firewall-cmd --list-services
dhcpv6-client http https ssh
```

dhcpv6-client, http, https and ssh are already present; next add openvpn:

```
# firewall-cmd --add-service openvpn
success
# firewall-cmd --permanent --add-service openvpn
success
```

Finally add masquerade; testing showed that without it the client cannot reach the Internet through the server:

```
# firewall-cmd --add-masquerade
success
# firewall-cmd --permanent --add-masquerade
success
```

Confirm that masquerade is active:

```
# firewall-cmd --query-masquerade
yes
```
5. Start the service. To start it automatically at boot, add the following line to /etc/rc.d/rc.local and make rc.local executable:

```
openvpn --config /etc/openvpn/server/server.conf >> /dev/null 2>&1 &
```
6. Manage the OpenVPN server with systemd

```
systemctl start openvpn@server     # start OpenVPN
systemctl stop openvpn@server      # stop OpenVPN
systemctl restart openvpn@server   # restart OpenVPN
```

Note which file each unit reads: `openvpn@server` loads /etc/openvpn/server.conf, while the newer `openvpn-server@server` unit loads /etc/openvpn/server/server.conf, the path used in the rc.local line above. Keep one copy of the configuration and point the unit you use at it.
**Client configuration**

1. Copy the client's certificate and key from the OpenVPN server to the client

```
[root@localhost ~]# cd /etc/openvpn/client/
[root@localhost client]# sz ca.crt client1.crt client1.key   # transfer (lrzsz) into the config directory of the OpenVPN client software
```
2. Copy the client sample configuration from sample-config into the client's config directory
3. Edit the client configuration file

```
client
dev tun
proto tcp
remote 110.109.50.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
reneg-sec 360000
```

`remote` must point at the server's public address and the port from server.conf; `remote-cert-tls server` makes the client accept only a certificate issued as a server certificate, so another client certificate signed by the same CA cannot pose as the server.
4. Connect to the VPN and enter the client certificate passphrase
5. Test the connection
6. From the client 192.168.2.1, connect through the VPN to the internal server 192.168.3.2 in the LAN
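Handing out ca.crt, client1.crt, client1.key and a config file as four separate pieces, as in the client steps above, is easy to get wrong when several users are provisioned. The script below is an added example (not from the post and not part of OpenVPN) that merges a client config like the one above with its credential files into a single profile using OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks, and reports settings in the profile worth a second look. It assumes the caller has already read the files into a dictionary; the config and PEM contents at the bottom are constructed placeholders modelled on the post, not real key material.

```python
"""Bundle an OpenVPN client config and its credential files into one inline profile.

Added example; not part of the original post or of OpenVPN. The `files` mapping
(filename -> PEM text) is assumed to have been read from the client's config
directory beforehand.
"""
from typing import Dict, List

# Directives whose file argument OpenVPN also accepts as an inline <tag>...</tag> block.
INLINE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def inline_profile(config_text: str, files: Dict[str, str]) -> str:
    """Return the config with file references replaced by inline credential blocks."""
    kept: List[str] = []
    blocks: List[str] = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in INLINE_DIRECTIVES:
            directive, filename = parts[0], parts[1]
            if filename not in files:
                raise FileNotFoundError(f"{directive} refers to {filename}, which was not supplied")
            # tls-auth's optional third argument (key direction) becomes its own directive
            if directive == "tls-auth" and len(parts) == 3:
                kept.append(f"key-direction {parts[2]}")
            blocks.append(f"<{directive}>\n{files[filename].strip()}\n</{directive}>")
            continue
        kept.append(line)
    return "\n".join(kept + blocks) + "\n"


def review_profile(config_text: str) -> List[str]:
    """Return warnings about client settings that deserve review before rollout."""
    directives: Dict[str, List[str]] = {}
    for line in config_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            directives[parts[0]] = parts[1:]
    warnings: List[str] = []
    if directives.get("remote-cert-tls") != ["server"]:
        warnings.append("remote-cert-tls server is missing: any certificate issued by the CA would be accepted as the server")
    if "comp-lzo" in directives or "compress" in directives:
        warnings.append("compression is enabled (comp-lzo/compress); current OpenVPN releases deprecate it")
    if "auth-user-pass" not in directives and "cert" not in directives:
        warnings.append("no client credential: neither auth-user-pass nor a cert/key pair is configured")
    return warnings


# Constructed sample input modelled on the client config in the post (not real certificates or keys).
SAMPLE_CONFIG = """client
dev tun
proto tcp
remote 110.109.50.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
comp-lzo
reneg-sec 360000
"""
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client1.crt": "-----BEGIN CERTIFICATE-----\nCLIENT-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client1.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nCLIENT-KEY-PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print(inline_profile(SAMPLE_CONFIG, SAMPLE_FILES))
    for warning in review_profile(SAMPLE_CONFIG):
        print("warning:", warning)
```

The resulting single file can be imported by the OpenVPN client software directly; since it now contains the private key, distribute it over an authenticated channel and delete it from any shared location afterwards.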
This is only a lab environment that simulates a client connecting from a public Internet address into the LAN. In production, take care with the `remote` address in the client configuration, and use the `push` directives in the server configuration to set which internal subnets the client can reach.
This article was published by the author DevOps on podipod软库网; please credit the source when reposting.