Centos6.5搭建openvpn服务器

zhaorong · 发表于 linux教程 2017-3-17 16:56:33


	因为新版本openvpn里面没有包含最重要的证书制作部分：easy-rsa所以，需要事先下载好easyrsa，可以到GitHub上进行下载，配置过程将在下面第3步进行，本次部署使用了easy-rsa 3，与easy-rsa2.0的操作完全不同，网上其它关于easy-rsa2.0的教程不适合本次部署在部署openvpn之前，最好用ntpdate同步一下服务器的时间，否则生成证书的时间也不准确，会造成那个什么centificate error等的错误！ 1、安装lzo lzo是致力于解压速度的一种数据压缩算法 [root@vpn ~]# wgethttp://www.oberhumer.com/opensource/lzo/download/lzo-2.09.tar.gz [root@vpn ~]# tar xf lzo-2.09.tar.gz [root@vpn ~]# cd lzo-2.09 [root@vpn lzo-2.09]# ./configure && make && make install 复制代码 2、安装openvpn [root@vpn ~]# yum install -yopenssl-devel [root@vpn ~]# wgethttps://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz [root@vpn ~]# tar zxvfopenvpn-2.3.11.tar.gz [root@vpn ~]# cd openvpn-2.3.11 [root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib [root@vpn openvpn-2.3.4]# make && make install [root@vpn openvpn-2.3.4]# which openvpn /usr/local/sbin/openvpn #看到这里，说明安装openvpn成功复制代码 3、配置easyrsa服务端 openvpn-2.3.11软件包不包含证书（ca证书，服务端证书，客户端证书）制作工具，所以还需要单独下载easy-rsa，最新的为easy-rsa3 [root@vpn ~]# wgethttps://github.com/OpenVPN/easy-rsa/archive/master.zip [root@vpn ~]# unzipmaster.zip [root@vpn ~]# mv easy-rsa-master easy-rsa [root@vpn ~]# cp -R easy-rsa/ /usr/local/share/doc/openvpn/ [root@vpn ~]# cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/ [root@vpn easyrsa3]# cp vars.example vars [root@vpn easyrsa3]# vim vars set_var EASYRSA_REQ_COUNTRY "CN" set_var EASYRSA_REQ_PROVINCE "Beijing" set_var EASYRSA_REQ_CITY "Beijing" set_var EASYRSA_REQ_ORG "qiangshCertificate" set_var EASYRSA_REQ_EMAIL "503579266@qq.com" set_var EASYRSA_REQ_OU "My OpenVPN" 复制代码 4、创建服务端证书及key （1）初始化 [root@vpn easyrsa3]# ls easyrsa openssl-1.0.cnf vars vars.example x509-types [root@vpn easyrsa3]# [root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSAconfiguration from: ./vars init-pki complete; you may nowcreate a CA or requests. Your newly created PKI dir is:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki 复制代码（2）创建根证书 [root@vpn easyrsa3]# ./easyrsa build-ca Note: using Easy-RSAconfiguration from: ./vars Generating a 2048 bit RSA privatekey ..+++ ..........................+++ writing new private key to'/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key.GiibbqFhXm' Enter PEM pass phrase: #输入密码，此密码用途证书签名 Verifying - Enter PEM passphrase: #再次输入密码 ----- You are about to be asked toenter information that will be incorporated into your certificate request. What you are about to enter iswhat is called a Distinguished Name or a DN. There are quite a few fields butyou can leave some blank For some fields there will be adefault value, If you enter '.', the field willbe left blank. ----- Common Name (eg: your user, host,or server name) [Easy-RSA CA]:qiangsh #输入一个Common Name CA creation complete and you maynow import and sign cert requests. Your new CA certificate file forpublishing is at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt 复制代码（3）创建服务器端证书 [root@vpn easyrsa3]# ./easyrsa gen-req server nopass Note: using Easy-RSAconfiguration from: ./vars Generating a 2048 bit RSA privatekey .......................................+++ ......................................+++ writing new private key to '/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.MIGrh2B6S8' ----- You are about to be asked toenter information that will be incorporated into your certificate request. What you are about to enter iswhat is called a Distinguished Name or a DN. There are quite a few fields butyou can leave some blank For some fields there will be adefault value, If you enter '.', the field willbe left blank. ----- Common Name (eg: your user, host,or server name) [server]:qiangsh-BJ #该Common Name一定不要与创建根证书时的一样！！！ Keypair and certificate requestcompleted. Your files are: req:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req key:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key 复制代码（4）签约服务器端证书 [root@vpn easyrsa3]# ./easyrsa sign server server Note: using Easy-RSAconfiguration from: ./vars You are about to sign thefollowing certificate. Please check over the detailsshown below for accuracy. Note that this request has not been cryptographicallyverified. Please be sure it came from a trusted source or that you have verifiedthe request checksum with the sender. Request subject, to be signed asa server certificate for 3650 days: subject= commonName = qiangsh-BJ Type the word 'yes' to continue,or any other input to abort. Confirm request details:yes #输入yes继续 Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #输入刚才创建根证书时的密码 Check that the request matchesthe signature Signature ok The Subject's Distinguished Nameis as follows commonName :PRINTABLE:'qiangsh-BJ' Certificate is to be certifieduntil Jun 6 07:19:45 2026 GMT (3650 days) Write out database with 1 newentries Data Base Updated Certificate created at: /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt 复制代码（5）创建Diffie-Hellman，确保key穿越不安全网络的命令： [root@vpn easyrsa3]# ./easyrsa gen-dh Note: using Easy-RSAconfiguration from: ./vars Generating DH parameters, 2048bit long safe prime, generator 2 This is going to take a long time ..........................................................................+...........................+.............................................................+...........................+.................................................................................................................................................................................................................................................+...............................................................................................................................+..+.................................................................+..........................................................................................+..............+...............................................................................................................................................................................+........................................................................................+...............................................................................+................................................+..........++++ DH parameters of size 2048 created at/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem 复制代码 5、创建客户端证书（1）在根目录下建立client目录 [root@vpn easyrsa3]# cd [root@vpn ~]# mkdir client [root@vpn ~]# cp -R /mnt/easy-rsa/ client/ 复制代码（2）初始化 [root@vpn ~]# cd client/easy-rsa/easyrsa3/ [root@vpn easyrsa3]# ls easyrsa openssl-1.0.cnf vars vars.example x509-types [root@vpn easyrsa3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki 复制代码（3）创建客户端key及生成证书 [root@vpn easyrsa3]# ./easyrsa gen-req qiangsh Generating a 2048 bit RSA privatekey .......................+++ ........................................................+++ writing new private key to'/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.LD7Wk6hmQq' Enter PEM pass phrase: #输入密码 Verifying - Enter PEM passphrase: #再次输入密码 ----- You are about to be asked toenter information that will be incorporated into your certificate request. What you are about to enter iswhat is called a Distinguished Name or a DN. There are quite a few fields butyou can leave some blank For some fields there will be adefault value, If you enter '.', the field willbe left blank. ----- Common Name (eg: your user, host,or server name) [qiangsh]:qiangsh #输入qiangsh Keypair and certificate request completed.Your files are: req:/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req key:/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key 复制代码（4）将得到的qiangsh.req导入并签约证书 [root@vpn ~]# cd/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/ [root@vpn easyrsa3]# #导入req [root@vpn easyrsa3]#./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.reqqiangsh Note: using Easy-RSAconfiguration from: ./vars The request has been successfullyimported with a short name of: qiangsh You may now use this name toperform signing operations on this request. [root@vpn easyrsa3]# #签约证书 [root@vpn easyrsa3]# ./easyrsa sign client qiangsh Note: using Easy-RSAconfiguration from: ./vars You are about to sign thefollowing certificate. Please check over the detailsshown below for accuracy. Note that this request has not been cryptographicallyverified. Please be sure it came from a trusted source or that you have verifiedthe request checksum with the sender. Request subject, to be signed asa client certificate for 3650 days: subject= commonName = qiangsh Type the word 'yes' to continue,or any other input to abort. Confirm request details:yes #输入yes Using configuration from/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf Enter pass phrase for/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: #输入创建根证书时的密码 Check that the request matchesthe signature Signature ok The Subject's Distinguished Nameis as follows commonName :PRINTABLE:'qiangsh' Certificate is to be certifieduntil Jun 6 07:50:02 2026 GMT (3650 days) Write out database with 1 newentries Data Base Updated Certificate created at:/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt #签约成功复制代码（5）服务端及客户端生成的文件服务端：（/usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/）文件夹 /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh.req /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem 复制代码客户端：（/root/client/easy-rsa） /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req #这个文件被我们导入到了服务端文件，所以那里也有复制代码（6）拷贝服务器密钥及证书等到openvpn目录 [root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /usr/local/share/doc/openvpn/ [root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /usr/local/share/doc/openvpn/ [root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/share/doc/openvpn/ [root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /usr/local/share/doc/openvpn/ 复制代码（7）拷贝客户端密钥及证书等到client目录 [root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/ [root@vpn ~]# cp /usr/local/share/doc/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt /root/client/ [root@vpn ~]# cp/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/ 复制代码（8）为服务端编写配置文件当安装好openvpn时候，它会提供一个server配置的文件例子将此例子拷贝openvpn目录，然后配置 [root@vpn ~]# cp /mnt/openvpn-2.3.11/sample/sample-config-files/server.conf /usr/local/share/doc/openvpn/ [root@vpn ~]# vim /usr/local/share/doc/openvpn/server.conf local 192.168.1.100 #（自己vps IP） port 1194 proto udp dev tun ca /usr/local/share/doc/openvpn/ca.crt cert /usr/local/share/doc/openvpn/server.crt key /usr/local/share/doc/openvpn/server.key # This file should be kept secret dh /usr/local/share/doc/openvpn/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 8.8.8.8" keepalive 10 120 comp-lzo max-clients 100 persist-key persist-tun status openvpn-status.log verb 3 复制代码（9）开启系统转发功能 [root@vpn ~]# vim /etc/sysctl.conf net.ipv4.ip_forward = 0 改成 net.ipv4.ip_forward = 1 [root@vpn ~]# sysctl -p [root@vpn ~]# sysctl -a \| grep net.ipv4.ip_forward net.ipv4.ip_forward = 1 复制代码（10）封装出去的数据包（eth0是你的vps外网的网卡）： /sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE 复制代码三、下载openvpn客户端，并进行配置 1、将客户端密钥及证书等拷出到windows备用 [root@vpn ~]# cd client/ [root@vpn client]# ls ca.crt easy-rsa nmshuishui.crt nmshuishui.key #带后缀的这三个复制代码 2、安装openvpn-gui工具（1）将C:\ProgramFiles\OpenVPN\sample-config\client.ovpn复制到C:\Program Files\OpenVPN\config （2）将从linux中拷贝出来的三个密钥及证书放到D:\Program Files (x86)\OpenVPN\config下（3）编辑C:\ProgramFiles\OpenVPN\config\client.ovpn，修改为 client dev tun proto udp remote 192.168.1.100 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt //这里需要证书 cert qiangsh.crt key qiangsh.key comp-lzo verb 3 复制代码四、启动服务、测试 1、在vpn服务器上启动openvpn服务 [ root@vpn ~]#/usr/local/sbin/openvpn --config /usr/local/share/doc/openvpn/server.conf & [root@vpn ~]# echo "/usr/local/sbin/openvpn--config /usr/local/share/doc/openvpn/server.conf & " >>/etc/rc.local #设为开机启动复制代码 2、在openvpn-gui上右键Connect输入密码连接 3、查看vpn状态

微信扫一扫 分享朋友圈

Centos6.5搭建openvpn服务器

微信扫一扫分享朋友圈