Compiling and installing an OpenVPN server on CentOS 6.3
OpenVPN is an open-source VPN package that runs on a Linux gateway server. As the name says, it opens a secure virtual private tunnel so that users can work remotely and reach intranet resources.
It runs across Linux, xBSD, Mac OS X and Windows, uses OpenSSL as its cryptographic library, and authenticates clients with certificates or with a username/password; it is a rare, fully open-source VPN solution.
The goal of this exercise is to reproduce a common production scenario: staff on the road need to reach the company's intranet OA system, i.e. remote office access.
Solution:
System: CentOS 6.3 x64
OpenVPN: openvpn-2.3.6.tar.gz
VPN server: eth0: 10.124.151.245 / 117.78.9.254
VPN client: 192.168.1.100
Intranet server: 172.24.30.10
Route: client -> Internet -> VPN server -> corporate intranet
Deployment:
Server side
I. Network environment
1. Check the SELinux state and make sure it is disabled
vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
2. Enable IP forwarding on the server
vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
sysctl -p
3. Adjust the iptables rules:
Set up NAT:
Note: this makes the VPN address pool routable to the outside network
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# service iptables save
Note: on CentOS 6 the default FORWARD chain ends in a REJECT rule, so forwarded traffic between tun0 and eth0 also needs ACCEPT rules in FORWARD; without them clients connect but cannot reach the intranet.
4. Allow the OpenVPN ports through (server.conf and client.ovpn below use proto udp, so port 1194 has to be opened for UDP):
# iptables -A INPUT -p udp --dport 1194 -j ACCEPT
# iptables -A INPUT -p TCP --dport 7505 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# service iptables save
5. Time synchronization (important: certificate validity is checked against the clock, so a skewed clock makes the TLS handshake fail):
# ntpdate asia.pool.ntp.org
II. Install the dependencies
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
III. Install openvpn:
(The latest source tarball can be downloaded from http://openvpn.net/index.php/open-source/downloads.html)
# wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz   # 2015-03-28
# tar zxvf openvpn-2.3.6.tar.gz
# cd openvpn-2.3.6
# ./configure --prefix=/usr/local/openvpn
# make && make install
# mkdir -p /etc/openvpn
Copy the sample directory into the openvpn config directory:
# cp -Rf sample /etc/openvpn/
Copy the openvpn sample server config into the main directory:
# cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
IV. 1. Download easy-rsa:
Note: this package builds the CA certificate, the server certificate and the client certificates. Starting with openvpn 2.3.0 the source tree no longer ships easy-rsa, so it is downloaded and installed separately and used together with openvpn to generate the certificates.
# wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
# unzip master.zip   # yum -y install unzip if unzip is missing
# cp -Rf easy-rsa-master /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa/easyrsa3   # this is easyrsa3; many posts online describe version 2.0, but the download above yields version 3, so version 3 is what is shown here
-----------------------------
All of the following commands are run in this directory (pwd: /etc/openvpn/easy-rsa/easyrsa3/)
-----------------------------
2. Edit the vars file for your environment
Copy vars.example to vars:
cp vars.example vars
Change the fields below (vi vars, edit, then :wq to save):
set_var EASYRSA_REQ_COUNTRY "CN"   # change to suit your setup
set_var EASYRSA_REQ_PROVINCE "BeiJingShi"
set_var EASYRSA_REQ_CITY "BeiJing"
set_var EASYRSA_REQ_ORG "My_ORG"
set_var EASYRSA_REQ_EMAIL "qingbo.song@apicloud.com"
set_var EASYRSA_REQ_OU "APICloud_OpenVPN"
3. Initialize the PKI in /etc/openvpn/easy-rsa/easyrsa3/:
# ./easyrsa init-pki
==================================
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/src/easy-rsa-master/easyrsa3/pki
==================================
4. Create the root CA certificate
# ./easyrsa build-ca
====================================================
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase: apicloud
Verifying - Enter PEM pass phrase: apicloud   -- this passphrase protects the CA key and is needed every time a certificate is signed
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: apicloud
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
====================================================
Note: the PEM pass phrase above has to be entered twice and must be remembered; without it you cannot sign certificates later. You also have to enter a Common Name; pick any unique value.
5. Create the server certificate
# ./easyrsa gen-req server nopass   # nopass: the server key gets no passphrase, so the daemon can start unattended
====================================================
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:admin   -- any name, but not the same as the root CA's
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
====================================================
Sign the server certificate (sign the server request with the CA):
# ./easyrsa sign server server
===================================================
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = admin
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes   -- type yes to confirm
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:   -- enter the CA passphrase (apicloud)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'admin'
Certificate is to be certified until Mar 25 07:45:43 2025 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
================================================================
Create the Diffie-Hellman parameters, which protect the key exchange across the untrusted network:
# ./easyrsa gen-dh
================================================
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................+...................................+...................................+...
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
================================================
6. Create the client certificate (pwd: /root/client/easy-rsa/easyrsa3)
Go to /root, create a client folder (the name is arbitrary), copy the easy-rsa folder unpacked earlier into it, then change into the directory below:
# cd /root/
# mkdir client
# cp -Rf /usr/local/src/easy-rsa-master /root/client/easy-rsa
# cd /root/client/easy-rsa/easyrsa3/
A: Initialize the directory:
# ./easyrsa init-pki
==============================
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
==============================
B: Create the client key and certificate request (protected by a client passphrase)
# ./easyrsa gen-req qingbo   # choose your own name
========================================
Generating a 2048 bit RSA private key
...........................................+++
......+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qingbo.key'
Enter PEM pass phrase:   -- client certificate passphrase (qingbo)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qingbo]:qingbo   -- client certificate name
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key
========================================
C: Import the resulting qingbo.req and sign the certificate
=======================
Go to /etc/openvpn/easy-rsa/easyrsa3/
cd /etc/openvpn/easy-rsa/easyrsa3/
Import the request
./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req qingbo
------------------------------------
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qingbo
You may now use this name to perform signing operations on this request.
------------------------------------
Sign the certificate
./easyrsa sign client qingbo   # a client certificate is being issued, so the type must be client; qingbo must match the name used at import
====================================
Signing works the same as for the server; you are asked for the CA passphrase.
7. Certificate management
A: Overview of the generated certificates
Server side (/etc/openvpn/easy-rsa/ folder)
===================================
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/qingbo.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
====================================
Client side (/root/client/easy-rsa folder)
====================================
/root/client/easy-rsa/easyrsa3/pki/private/qingbo.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req   # this file was imported on the server side, so a copy exists there too
====================================
B: Copy the files to where they belong
/etc/openvpn/ (ca.crt, server.key, server.crt, dh.pem)
================================
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn
================================
/root/client/ (ca.crt, qingbo.crt, qingbo.key)
================================
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt /root/client
# cp /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key /root/client
================================
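Before these files are copied into place it is worth checking that they actually belong together. The script below is an added example, not part of the original post or of easy-rsa: it uses only the openssl command-line tool to check that the certificate was signed by this CA, that the private key matches the certificate, that the subject differs from the CA's (the advice given above when choosing the server CN), that the key file is not readable by other users, and that dh.pem parses. The function name verify_openvpn_pki and the KEY_PASS environment variable (for passphrase-protected client keys such as qingbo.key) are my own names.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files produced
# by easy-rsa before copying them into /etc/openvpn or onto the client.
# Requires the openssl command-line tool.
#
# Usage: verify_openvpn_pki CA_CRT CERT KEY [DH_PEM]
#   e.g. verify_openvpn_pki pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem
#   For a passphrase-protected key: KEY_PASS=qingbo verify_openvpn_pki ca.crt qingbo.crt qingbo.key
# Exit status is 0 only if every check passed.

verify_openvpn_pki() {
    ca="$1"; cert="$2"; key="$3"; dh="$4"; fails=0

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 1. The certificate must chain to exactly this CA (the ca.crt you deploy).
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok:   $cert is signed by $ca"
    else
        echo "FAIL: $cert is not signed by $ca"; fails=$((fails + 1))
    fi

    # 2. The private key must belong to the certificate: the public key
    #    extracted from each side must be identical. Encrypted keys are
    #    opened with the passphrase in $KEY_PASS (empty if unset).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin "pass:${KEY_PASS:-}" 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   $key matches $cert"
    else
        echo "FAIL: $key does not match $cert (or wrong passphrase)"; fails=$((fails + 1))
    fi

    # 3. The CA and the issued certificate must not share a subject.
    ca_subj=$(openssl x509 -in "$ca" -noout -subject 2>/dev/null)
    cert_subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null)
    if [ "$ca_subj" = "$cert_subj" ]; then
        echo "FAIL: $cert has the same subject as the CA"; fails=$((fails + 1))
    else
        echo "ok:   subject differs from the CA"
    fi

    # 4. The key is secret: only its owner may read it.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case "$mode" in
        600|400) echo "ok:   $key mode $mode" ;;
        *) echo "FAIL: $key mode $mode is too permissive, run chmod 600 $key"; fails=$((fails + 1)) ;;
    esac

    # 5. dh.pem (server only) must be a valid DH parameter file.
    if [ -n "$dh" ]; then
        if openssl dhparam -in "$dh" -check -noout >/dev/null 2>&1; then
            echo "ok:   $dh parses"
        else
            echo "FAIL: $dh is not a valid DH parameter file"; fails=$((fails + 1))
        fi
    fi

    echo "$fails problem(s)"
    [ "$fails" -eq 0 ]
}
```

Run it once on the server against ca.crt, server.crt, server.key and dh.pem, and once against ca.crt, qingbo.crt and qingbo.key with KEY_PASS set, before copying anything; a non-zero exit means at least one check failed and the deployment would fail at startup or at the first client handshake.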
V. OpenVPN server configuration and startup
1. Copy the sample file to /etc/openvpn/ (already done in step III for the source build; the path below only exists for a package install)
# cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/
2. Edit server.conf
=====================================
local 119.255.41.233   # use your own VPS IP
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
log /usr/local/openvpn/log/openvpn.log
log-append /usr/local/openvpn/log/openvpn.log
status /usr/local/openvpn/log/openvpn-status.log   # the directory /usr/local/openvpn/log must exist before openvpn starts
verb 3
================================
3. Start the openvpn service
# /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &
4. Start at boot
# echo "/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf > /dev/null 2>&1 &" >> /etc/rc.local
Startup error (what now?): openvpn can only bind to an address that is assigned to an interface of this host, and 119.255.41.233 is not (eth0 carries 10.124.151.245, see the environment above), so the bind in the log below fails. Set `local` to the interface address, or remove the `local` line so that openvpn listens on all addresses.
======================================
Sat Mar 28 17:39:45 2015 Open××× 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 28 2015
Sat Mar 28 17:39:45 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03
Sat Mar 28 17:39:45 2015 Diffie-Hellman initialized with 2048 bit key
Sat Mar 28 17:39:45 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]
Sat Mar 28 17:39:45 2015 TCP/UDP: Socket bind failed on local address [AF_INET]119.255.41.233:1194: Cannot assign requested address
Sat Mar 28 17:39:45 2015 Exiting due to fatal error
======================================
Client configuration:
I. Install the Windows client (Win7 64-bit)
1. Download the client; install path D:\Program Files (x86)\OpenVPN
# http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2. Copy the client certificate files generated on the server (ca.crt, qingbo.crt, qingbo.key) to D:\Program Files\OpenVPN\config on the client.
These are the three files under /root/client/.
3. Create client.ovpn in D:\Program Files\OpenVPN\config
Contents:
==========================
client
dev tun
proto udp
remote 119.255.41.233 1194   # change this to your own VPS IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt   # the certificate files copied in step 2
cert qingbo.crt
key qingbo.key
comp-lzo
verb 3
II. Start the client and test
Errors (these come from the server side: the certificate and status paths in server.conf had been typed as "opensvn" instead of "openvpn", and the log/status directory must exist before openvpn is started):
==================================
Options error: --dh fails with '/etc/opensvn/dh.pem': No such file or directory
Options error: --ca fails with '/etc/opensvn/ca.crt': No such file or directory
Options error: --cert fails with '/etc/opensvn/server.crt': No such file or directory
Options error: --key fails with '/etc/opensvn/server.key': No such file or directory
Options error: --status fails with '/usr/local/opensvn/log/openvpn-status.log': No such file or directory
=================================
http://www.iamle.com/archives/1322.html/comment-page-1