题目要求

服务器RouterSrv上的工作任务

5.  OPENVPN

要求服务器日志记录客户端登录时间、用户名,格式如“2022-08-10: 08:10:30 Successful authentication: username="vpnuser1"”;

日志文件存放至/var/log/openvpn.log 中;

创建用户 vpnuser1,密码为 123456,使用用户名密码认证,要求只能与 InsideCli 客户端网段通信,允许访问 StorageSrv 主机上的 SAMBA 服务;

VPN 地址范围为 172.16.0.0/24,OPENVPN 使用 tcp 1194 端口号进行工作。

项目实施

服务器配置

安装:

[root@routesrv ~]# yum install openvpn easy-rsa -y

将easyRsa(证书制作工具)复制到/etc/openvpn

[root@routesrv ~]# cp -rf /usr/share/easy-rsa/3/* /etc/openvpn/

创建证书文件(注意所有证书没有密码

初始化,程序将自动创建pki目录:

[root@routesrv ~]# cd /etc/openvpn/
[root@routesrv openvpn]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki


[root@routesrv openvpn]#

生成根证书 nopass表示不对ca加密:(直接回车

[root@routesrv openvpn]# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
............................................+++
.....................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


[root@routesrv openvpn]#

服务器证书生成 Common Name直接回车使用默认名称:server

[root@routesrv openvpn]# ./easyrsa gen-req server nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...............+++
.......................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-15746.IHk5zU/tmp.1tZRyT'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/server.req
key: /etc/openvpn/pki/private/server.key


[root@routesrv openvpn]#

签署服务器证书:(输入yes

[root@routesrv openvpn]# ./easyrsa sign-req server server
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/pki/easy-rsa-15773.OwXZdU/tmp.K05m4j
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb 13 06:07:59 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/pki/issued/server.crt


[root@routesrv openvpn]#

生成dh.pem:

[root@routesrv openvpn]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........+............+....+.........................................................................................................................................+................++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


[root@routesrv openvpn]#

tls密钥生成:

[root@routesrv openvpn]# openvpn --genkey --secret ta.key

客户端证书生成:

[root@routesrv openvpn]# ./easyrsa gen-req client nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.+++
....................................................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-15860.KisxJN/tmp.UdLmjk'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/client.req
key: /etc/openvpn/pki/private/client.key


[root@routesrv openvpn]#

配置服务器端(server

复制模板文件:

[root@routesrv openvpn]# cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/
[root@routesrv openvpn]# ll
总用量 104
drwxr-x---. 2 root openvpn     6 4月  21 2021 client
-rwxr-xr-x. 1 root root    76946 11月 11 14:04 easyrsa
-rw-r--r--. 1 root root     4616 11月 11 14:04 openssl-easyrsa.cnf
drwx------. 8 root root     4096 11月 11 14:10 pki
drwxr-x---. 2 root openvpn     6 4月  21 2021 server
-rw-r--r--. 1 root root    10784 11月 11 14:12 server.conf
-rw-------. 1 root root      636 11月 11 14:09 ta.key
drwxr-xr-x. 2 root root      122 11月 11 14:04 x509-types
[root@routesrv openvpn]#

编辑服务器文件:

[root@routesrv openvpn]# vim server.conf


port 1194       # 32行
proto tcp       # 35行
dev tun     # 53行
ca pki/ca.crt   # 78行
cert pki/issued/server.crt      # 79行
key pki/private/server.key      # 80行
dh pki/dh.pem       # 85行
server 172.16.0.0 255.255.255.0     # 101行
#tls-auth ta.key 0 # This file is secret    # 244行进行注释
#explicit-exit-notify 1                     # 315行进行注释
# 末尾添加
script-security 3
auth-user-pass-verify /etc/openvpn/auth.sh via-env
username-as-common-name
client-cert-not-required

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器_02

ip addr show | grep 172
# tls-auth ta.key 0 # This file is secret	# 244行进行注释
# explicit-exit-notify 1		# 315行进行注释
# 末尾添加内容
script-security 3
auth-user-pass-verify /etc/openvpn/auth.sh via-env
username-as-common-name
client-cert-not-required

配置用户认证加日志:

[root@routesrv openvpn]# vim auth.sh
#!/bin/sh
PASSFILE="/etc/openvpn/user"
LOG_FILE="/var/log/openvpn.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

赋予权限:

[root@routesrv openvpn]# chmod +x auth.sh

添加用户:中间是空格

[root@routesrv openvpn]# cat user
vpnuser1 123456
[root@routesrv openvpn]#

启动服务:

[root@routesrv openvpn]# systemctl restart openvpn@server

查看服务器状态:

[root@routesrv openvpn]# systemctl status openvpn@server

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器_03

客户端配置

安装openvpn:

root@outsidecli:~# apt install openvpn -y

远程传入证书和配置文件:

[root@routesrv openvpn]# scp pki/ca.crt root@81.6.63.110:/etc/openvpn
The authenticity of host '81.6.63.110 (81.6.63.110)' can't be established.
ECDSA key fingerprint is SHA256:aHK7i3gsbgmMuEp37r/9wYK7TUB8KOcDcFEsOU8g38E.
ECDSA key fingerprint is MD5:85:34:04:99:3e:51:cc:8e:83:44:50:77:fa:02:50:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '81.6.63.110' (ECDSA) to the list of known hosts.
root@81.6.63.110's password:
ca.crt                                                       100% 1172   525.6KB/s   00:00
[root@routesrv openvpn]#
[root@routesrv openvpn]# scp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/client.conf root@81.6.63.110:/etc/openvpn
root@81.6.63.110's password:
client.conf                                                  100% 3585     3.5MB/s   00:00
[root@routesrv openvpn]#

编辑客户端配置文件:

root@outsidecli:~# vim /etv/openvpn/client.conf
client      # 16行
dev tun     # 24行
proto tcp   # 36行
remote 81.6.63.254 1194     # 42行
resolv-retry infinite       # 54行
nobind          # 58行
persist-key     # 65行
persist-tun     # 66行
ca ca.crt       # 88行
#cert client.crt    # 89行注释
#key client.key     # 90行注释
#tls-auth ta.key 1  # 108行注释
remote-cert-tls server  # 104行
cipher AES-256-GCM      # 116行
verb 3      # 124行
auth-user-pass      # 末尾添加用户认证

网络系统管理Linux环境——ROUTERSRV之OPENVPN_客户端_04

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器_05

启动客户端:

网络系统管理Linux环境——ROUTERSRV之OPENVPN_客户端_06

查看网络状态:

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器_07

如果出现如下:(进行时间同步即可恢复)

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器_08

OPENVPN评分标准

(1) 测试 VPN 用户验证(在 outsidecli 上执行 systemctl restart openvpn@client; 然后输入用户密码截图;然后再执行 systemctl status openvpn@client); 【每个点 2 分, 共 6 分】

评分要点:

用户认证后, 能看到服务状态为 running, 而且显示 Initialzation Sequence Completed

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器_09

(2) 然后查看 VPN 日志(routersrv 执行 tail -f /var/log/openvpn.log) ; 【2 分】

评分要点:

存在登陆成功的条目, 和题目要求格式一致即可得分

网络系统管理Linux环境——ROUTERSRV之OPENVPN_服务器_10