安装参考 http://qicheng0211.blog.51cto.com/3958621/1575273
http://freeloda.blog.51cto.com/2033581/1354858
一、环境
系统: CentOS 6.4x64最小化安装
eth0: 192.168.3.75 vpn server
eth1: 172.16.1.1 vpn server
win7: 192.168.3.76
client: 172.16.1.2 内网服务器
目的:用户通过win7能连接到内部网络172.16.1.0/24网段,且172.16.1.0/24能访问外网
二、安装yum源,同步时间
[root@vpn-server ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm [root@vpn-server ~]# sed -i 's@#b@b@g' /etc/yum.repos.d/epel.repo [root@vpn-server ~]# sed -i 's@mirrorlist@#mirrorlist@g' /etc/yum.repos.d/epel.repo [root@vpn-server ~]# yum install ntpdate -y [root@vpn-server ~]# echo "*/10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org &>/dev/null" >/var/spool/cron/root [root@vpn-server ~]# crontab -l */10 * * * * /usr/sbin/ntpdate asia.pool.ntp.org &>/dev/null
三、安装基础软件
[root@vpn-server ~]# yum install openssl openssl-devel lzo -y
四、安装openvpn和easy-rsa
[root@vpn-server ~]# yum install openvpn easy-rsa -y #修改vars文件信息 [root@vpn-server 2.0]# pwd /usr/share/easy-rsa/2.0 [root@vpn-server 2.0]# vim vars #修改下面几项 export KEY_COUNTRY="CN" export KEY_PROVINCE="GUANGDONG" export KEY_CITY="GUANGZHOU" export KEY_ORG="MY COMPANY" export KEY_EMAIL="lyao@weyee.com" #重新加载环境变量 [root@vpn-server 2.0]# source vars #清除所有证书和相关文件 [root@vpn-server 2.0]# ./clean-all #生成新的根证书和根秘钥 [root@vpn-server 2.0]# ./build-ca #整个过程回车即可 Generating a 2048 bit RSA private key .....................................................+++ .........................................................+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: #这里的信息是我们在上面事先设置的 State or Province Name (full name) [GUANGDONG]: Locality Name (eg, city) [GUANGZHOU]: Organization Name (eg, company) [MY COMPANY]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [MY COMPANY CA]: Name [EasyRSA]: Email Address [lyao@weyee.com]:
给服务器端生成证书和秘钥
[root@vpn-server 2.0]# ./build-key-server server Generating a 2048 bit RSA private key .+++ ...........+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GUANGDONG]: Locality Name (eg, city) [GUANGZHOU]: Organization Name (eg, company) [MY COMPANY]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [server]: Name [EasyRSA]: Email Address [lyao@weyee.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GUANGDONG' localityName :PRINTABLE:'GUANGZHOU' organizationName :PRINTABLE:'MY COMPANY' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'server' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'lyao@weyee.com' Certificate is to be certified until May 24 07:01:16 2025 GMT (3650 days) Sign the certificate? [y/n]:y #输入y 1 out of 1 certificate requests certified, commit? [y/n]y #输入y Write out database with 1 new entries Data Base Updated
给vpn客户端创建证书和秘钥,这里我们给win7创建
[root@vpn-server 2.0]# ./build-key win7 Generating a 2048 bit RSA private key .........................+++ .........................+++ writing new private key to 'win7.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [GUANGDONG]: Locality Name (eg, city) [GUANGZHOU]: Organization Name (eg, company) [MY COMPANY]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [win7]: Name [EasyRSA]: Email Address [lyao@weyee.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'GUANGDONG' localityName :PRINTABLE:'GUANGZHOU' organizationName :PRINTABLE:'MY COMPANY' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'win7' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'lyao@weyee.com' Certificate is to be certified until May 24 07:09:16 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
生成Diffie Hellman文件
#生成过程可能有点慢,等待一会就好 [root@vpn-server 2.0]# ./build-dh #生成ta.key文件(防DDos攻击、UDP淹没等恶意攻击) [root@vpn-server 2.0]# openvpn --genkey --secret keys/ta.key
操作完成后查看keys路径下的文件
[root@vpn-server 2.0]# pwd /usr/share/easy-rsa/2.0 [root@vpn-server 2.0]# ll keys/ total 88 -rw-r--r-- 1 root root 5604 May 27 15:01 01.pem -rw-r--r-- 1 root root 5481 May 27 15:09 02.pem -rw-r--r-- 1 root root 1801 May 27 14:59 ca.crt -rw------- 1 root root 1708 May 27 14:59 ca.key -rw-r--r-- 1 root root 424 May 27 15:12 dh2048.pem -rw-r--r-- 1 root root 292 May 27 15:09 index.txt -rw-r--r-- 1 root root 21 May 27 15:09 index.txt.attr -rw-r--r-- 1 root root 21 May 27 15:01 index.txt.attr.old -rw-r--r-- 1 root root 147 May 27 15:01 index.txt.old -rw-r--r-- 1 root root 3 May 27 15:09 serial -rw-r--r-- 1 root root 3 May 27 15:01 serial.old -rw-r--r-- 1 root root 5604 May 27 15:01 server.crt -rw-r--r-- 1 root root 1098 May 27 15:01 server.csr -rw------- 1 root root 1704 May 27 15:01 server.key -rw------- 1 root root 636 May 27 15:14 ta.key -rw-r--r-- 1 root root 5481 May 27 15:09 win7.crt -rw-r--r-- 1 root root 1094 May 27 15:09 win7.csr -rw------- 1 root root 1704 May 27 15:09 win7.key
五、创建服务端配置文件
# 在openvpn的配置目录下新建一个keys目录
[root@vpn-server ~]# mkdir -p /etc/openvpn/keys
#将openvpn服务端需要用到的证书和秘钥复制到/etc/openvpn/keys目录下
[root@vpn-server ~]# cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
[root@vpn-server ~]# ll /etc/openvpn/keys/
total 24
-rw-r--r-- 1 root root 1801 May 27 15:18 ca.crt
-rw-r--r-- 1 root root 424 May 27 15:18 dh2048.pem
-rw-r--r-- 1 root root 5604 May 27 15:18 server.crt
-rw------- 1 root root 1704 May 27 15:18 server.key
-rw------- 1 root root 636 May 27 15:18 ta.key
#复制服务端配置文件到/etc/openvpn
[root@vpn-server ~]# cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/
#编辑server.conf文件参数
[root@vpn-server ~]# egrep -v "^#|^$|^;" /etc/openvpn/server.conf
#openvpn监听的端口
port 1194
#这里请使用tcp协议,不要使用udp
proto tcp
dev tun
#证书和秘钥的路径,我们放在/etc/openvpn/keys目录下
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
#这里是默认的虚拟局域网网段,不要和实际网段相同
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#这里因为我的内网是172.16.1.0/24网段的,所以我修改成172.16.1.0网段
push "route 172.16.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
#这是openvpn的日志文件,默认在/etc/openvpn/openvpn.log
status openvpn-status.log
#调试级别
verb 4 启动openvpn服务
#将openvpn添加到开机自启动 [root@vpn-server ~]# chkconfig openvpn on [root@vpn-server ~]# service openvpn start Starting openvpn: [ OK ] [root@vpn-server ~]# netstat -anpt |grep vpn tcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 2889/openvpn #在iptables中放行tcp的1194端口 [root@vpn-server ~]# iptables -I INPUT -p tcp --dport 1194 -j ACCEPT [root@vpn-server ~]# iptables -L -n Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
六、客户端安装及配置
Open××× 2.3.3 Windows 32位 安装文件:
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.3-I002-i686.exe
Open××× 2.3.3 Windows 64位 安装文件:
http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.3-I002-x86_64.exe
将openvpn服务器上的ca.crt,win7.crt,win7.csr,win7.key,下载到C:\Program Files\Open×××\config目录下
新建客户端配置文件openvpn.ovpn
openvpn.ovpn 文件内容:
client dev tun # 改为tcp proto tcp remote 192.168.3.75 1194 # Open×××服务器的外网IP和端口 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert win7.crt # win7的证书 key win7.key # win7的密钥 ns-cert-type server # 去掉前面的注释 #tls-auth ta.key 1 comp-lzo verb 3
连接vpn-server
此时只能ping通vpn server的内网网卡即eth1:172.16.1.1,需要配置一SNAT才能ping通内网
#在filter表的FORWARD链中默认reject了转发请求 [root@vpn-server ~]# iptables -t fileter -F FORWARD [root@vpn-server ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 172.16.1.1 #打开路由转发功能 [root@vpn-server ~]# sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf [root@vpn-server ~]# sysctl -p net.ipv4.ip_forward = 1 #需要此项为1
测试结果显示能ping通服务器的eth1网卡和内网的服务器
在服务器端查看日志文件
[root@vpn-server ~]# cat /etc/openvpn/openvpn-status.log Open××× CLIENT LIST Updated,Wed May 27 16:55:27 2015 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since win7,192.168.3.76:33311,21385,16628,Wed May 27 16:36:07 2015 ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref 10.8.0.6,win7,192.168.3.2:33311,Wed May 27 16:52:52 2015 GLOBAL STATS Max bcast/mcast queue length,0 END
