1. Making the certificates:
- Install easy-rsa:
yum -y install easy-rsa
- Version 2.*:
a. Enter the directory:
cd /usr/share/easy-rsa/2.*/
b. Make sure the following parameters in vars are correct: vim vars
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_NAME="EasyRSA"
c. Source the vars file and clear out any old keys (clean-all removes everything under keys/):
. ./vars
./clean-all
d. Generate the CA certificate; at the Name [EasyRSA] prompt enter ca:
./build-ca
e. Generate the server key and certificate; leave challenge password and optional company name empty, enter server at the Name [EasyRSA] prompt, and answer y to both y/n prompts (sign the certificate, then commit):
./build-key-server server
./build-dh
f. Generate the client key and certificate; leave challenge password and optional company name empty, enter client at the Name [EasyRSA] prompt, and answer y to both y/n prompts:
./build-key client
g. Files OpenVPN needs:
# server side
/usr/share/easy-rsa/2.*/keys/ca.crt
/usr/share/easy-rsa/2.*/keys/server.key
/usr/share/easy-rsa/2.*/keys/server.crt
/usr/share/easy-rsa/2.*/keys/dh.pem
# client side
/usr/share/easy-rsa/2.*/keys/ca.crt
/usr/share/easy-rsa/2.*/keys/client.crt
/usr/share/easy-rsa/2.*/keys/client.key
- Version 3.*:
a. Create the directories:
mkdir /home/lee/{server,client}
b. Copy the files:
cp -arf /usr/share/easy-rsa/3.*/* /home/lee/server
cp -arf /usr/share/easy-rsa/3.*/* /home/lee/client
c. Enter the server directory:
cd /home/lee/server
d. Initialize the PKI:
./easyrsa init-pki
e. Create the root (CA) certificate (enter the password 123456 when prompted):
./easyrsa build-ca
f. Create the server certificate request:
./easyrsa gen-req server nopass
g. Sign the server certificate (easy-rsa 3 uses sign-req <type> <name>, not sign):
./easyrsa sign-req server server
h. Create the DH parameters:
./easyrsa gen-dh
i. Enter the client directory:
cd /home/lee/client
j. Initialize the PKI:
./easyrsa init-pki
k. Create the client certificate request:
./easyrsa gen-req client nopass
l. Go back to the server directory:
cd /home/lee/server
m. Import the client certificate request:
./easyrsa import-req ../client/pki/reqs/client.req client
n. Sign the client certificate:
./easyrsa sign-req client client
o. Files OpenVPN needs:
# server side
/home/lee/server/pki/ca.crt
/home/lee/server/pki/private/server.key
/home/lee/server/pki/issued/server.crt
/home/lee/server/pki/dh.pem
# client side
/home/lee/server/pki/ca.crt
/home/lee/server/pki/issued/client.crt
/home/lee/client/pki/private/client.key
- If you find making certificates too much trouble, I have ready-made ones here (keep in mind that private keys published in a public repository are known to everyone who can read it, so they are only suitable for testing and should be replaced by a CA of your own before real use):
a. Clone:
git clone https://github.com/dollarphper/easy-rsa.git
b. Directory structure:
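Whichever easy-rsa procedure above was used, it is worth confirming that the issued certificates are what OpenVPN will actually accept: the TLS handshake requires each certificate to chain to ca.crt, and the remote-cert-tls option used in the client configurations later on checks the extendedKeyUsage extension. The following script is an added example, not part of the original post or of easy-rsa; the vpn_cert_check and make_demo_pki function names, the throw-away demo PKI it builds with openssl and all of its paths are this example's own. In a real deployment you would point vpn_cert_check at the files listed in step g / o.

```shell
#!/bin/sh
# Added example (not from the original post): check that a certificate produced by
# the easy-rsa steps above chains to ca.crt and carries the EKU that OpenVPN's
# "remote-cert-tls server" (or "remote-cert-tls client") will demand from the peer.

# vpn_cert_check CA_FILE CERT_FILE ROLE   (ROLE is "server" or "client")
# Returns 0 when CERT_FILE chains to CA_FILE and carries the EKU for ROLE, else 1.
vpn_cert_check() {
    ca="$1"; cert="$2"; role="$3"
    case "$role" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
    # 1. Chain and validity period: the certificate must verify against this CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"
        return 1
    fi
    # 2. Extended key usage: this is what remote-cert-tls enforces on the peer.
    if ! openssl x509 -in "$cert" -noout -text | grep -q "$want"; then
        echo "FAIL: $cert lacks extendedKeyUsage '$want'"
        return 1
    fi
    echo "OK: $cert is a $role certificate issued by $ca"
}

# make_demo_pki DIR: constructed throw-away CA plus one server and one client
# certificate, issued with the same EKU values (serverAuth / clientAuth) that the
# easy-rsa server and client certificate types carry. Demo material only.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    for role in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" >/dev/null 2>&1
        printf 'extendedKeyUsage = %sAuth\n' "$role" > "$dir/$role.ext"
        openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/$role.ext" \
            -out "$dir/$role.crt" >/dev/null 2>&1
    done
}

# Stand-alone demo (skipped when openssl is not installed)
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_demo_pki "$demo"
    vpn_cert_check "$demo/ca.crt" "$demo/server.crt" server
    vpn_cert_check "$demo/ca.crt" "$demo/client.crt" client
    # A client certificate must not be accepted in the server role:
    vpn_cert_check "$demo/ca.crt" "$demo/client.crt" server || true
fi
```

Run it as `sh check.sh`; the last call is expected to print FAIL, which is the point of the role check: a leaked client certificate cannot be used to impersonate the server as long as the clients keep remote-cert-tls server in their configuration.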
2. Server configuration:
- Install OpenVPN:
yum -y install openvpn
- Create the directories:
mkdir /etc/openvpn/{server,client}
- Copy the certificate files:
cp /path/to/ca.crt /etc/openvpn/server/ca.crt
cp /path/to/server.crt /etc/openvpn/server/server.crt
cp /path/to/server.key /etc/openvpn/server/server.key
cp /path/to/dh.pem /etc/openvpn/server/dh.pem
- Enter the OpenVPN directory:
cd /etc/openvpn/
- Edit the configuration file: vim server.conf
port 1337
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 100.100.100.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 10 30
comp-lzo
persist-key
client-to-client
persist-tun
daemon
log-append /var/log/openvpn/openvpn.log
verb 3
script-security 3
auth-user-pass-verify /etc/openvpn/checkpwd.sh via-env
username-as-common-name
- Create the log files:
mkdir -p /var/log/openvpn/
touch /var/log/openvpn/openvpn.log
touch /var/log/openvpn/passwd.log
- Create the password verification script: vim checkpwd.sh
#!/bin/sh
# Called by OpenVPN through "auth-user-pass-verify ... via-env": the submitted
# credentials arrive in the environment variables $username and $password.
# Exit status 0 allows the connection, anything else rejects it.
PASSFILE="/etc/openvpn/passwd"
LOG_FILE="/var/log/openvpn/passwd.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi
# Hand the username to awk with -v instead of splicing it into the program text,
# so a username containing quotes cannot change the awk expression. Lines that
# start with ; or # are comments; the first column is the user, the second the password.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^[;#]/ && $1 == u { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
    # Only the username is logged; the submitted password is never written to the log.
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
- Make the verification script executable:
chmod a+x checkpwd.sh
- Create the username/password file: vim passwd
lee 123456
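Because OpenVPN only reports "AUTH_FAILED" to the client, it is much easier to debug the verification script offline than through a live connection. The harness below is an added example, not part of the original post; it reproduces the via-env calling convention (credentials exported as $username and $password, exit status 0 = allow, anything else = deny) against a constructed passwd file and a temporary log, so the lookup rules and the log hygiene can be exercised before the server is pointed at the script. The check_credentials, attempt, setup_fixture and log_leaks_password function names, the sample users and the temporary paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): offline test harness for the
# "auth-user-pass-verify ... via-env" contract used by checkpwd.sh above.

# check_credentials PASSFILE LOGFILE
# Same lookup rules as checkpwd.sh (first column user, second column password,
# lines starting with ; or # ignored), reading $username and $password from the
# environment exactly as OpenVPN supplies them. Returns 0 = allow, 1 = deny.
check_credentials() {
    passfile="$1"; logfile="$2"
    stamp=$(date "+%Y-%m-%d %T")
    [ -r "$passfile" ] || { echo "$stamp: cannot read $passfile" >> "$logfile"; return 1; }
    # -v keeps the username out of the awk program text, so quote characters in it
    # are just data and cannot rewrite the match expression.
    expected=$(awk -v u="$username" '!/^[;#]/ && $1 == u { print $2; exit }' "$passfile")
    if [ -z "$expected" ]; then
        echo "$stamp: unknown user username=\"$username\"" >> "$logfile"
        return 1
    fi
    if [ "$password" = "$expected" ]; then
        echo "$stamp: success username=\"$username\"" >> "$logfile"
        return 0
    fi
    # The submitted password is deliberately never written to the log.
    echo "$stamp: bad password username=\"$username\"" >> "$logfile"
    return 1
}

# attempt USER PASS PASSFILE LOGFILE: simulate one OpenVPN authentication attempt
# (export the credentials the way via-env does) and print the verdict.
attempt() {
    export username="$1" password="$2"
    if check_credentials "$3" "$4"; then verdict=allow; else verdict=deny; fi
    echo "$1: $verdict"
}

# setup_fixture: constructed passwd file and empty log in a temp dir (test data only).
setup_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
# comment lines are ignored
lee 123456
;bob disabled-account
alice s3cret
EOF
    : > "$dir/passwd.log"
    echo "$dir"
}

# log_leaks_password LOGFILE STRING: returns 0 if STRING appears anywhere in the log.
log_leaks_password() {
    grep -q -F -- "$2" "$1"
}

# Stand-alone demo
d=$(setup_fixture)
attempt lee 123456 "$d/passwd" "$d/passwd.log"           # allow
attempt lee wrong "$d/passwd" "$d/passwd.log"            # deny: bad password
attempt bob disabled-account "$d/passwd" "$d/passwd.log" # deny: line commented out with ;
attempt 'lee"' 123456 "$d/passwd" "$d/passwd.log"        # deny: unknown user, quote is harmless
attempt alice s3cret "$d/passwd" "$d/passwd.log"         # allow
echo "--- passwd.log ---"
cat "$d/passwd.log"
```

The last check in the demo log is the one worth keeping: none of the rejected passwords should ever appear in passwd.log, since that file is readable by anyone who can read the server's logs and a mistyped password is usually one character away from the real one.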
- Configure iptables (the following is optional):
# The SNAT source must be the VPN subnet from the "server" line (100.100.100.0/24); replace x.x.x.x with the server's public address
iptables -t nat -A POSTROUTING -s 100.100.100.0/24 -j SNAT --to-source x.x.x.x
iptables -A INPUT -p udp --dport 1337 -j ACCEPT
iptables-save
- Configure sysctl: vim /etc/sysctl.conf
# add
net.ipv4.ip_forward = 1
# reload
sysctl -p
- Configure SELinux:
yum -y install policycoreutils-python
semanage port -a -t openvpn_port_t -p udp 1337
- Start the OpenVPN server service:
systemctl start openvpn@server
3. Client (Linux):
- Install OpenVPN:
yum -y install openvpn
- Copy the files from the server to the client:
scp root@x.x.x.x:/path/to/{ca.crt,client.crt,client.key} /etc/openvpn/
- Create the file: vim /etc/openvpn/client.ovpn
client
dev tun
proto udp
remote x.x.x.x 1337
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
#ns-cert-type server
remote-cert-tls server
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
- Enter the directory:
cd /etc/openvpn/
- Connect:
openvpn client.ovpn
- Enter the username and password:
4. Client (Windows):
- Download the installer:
a. Website: https://openvpn.net/index.php/open-source/downloads.html
b. Find the file and download it:
- Install it: details omitted, tick all options
- Copy the three files generated on the server into the config directory under the installation directory:
- Create a client.ovpn file in the config directory with the following contents:
client
dev tun
proto udp
remote 120.77.59.227 1337
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
remote-cert-tls server
comp-lzo
ca ca.crt
cert client.crt
key client.key
- Start the software and connect to the VPN:
5. Client (mobile phone):
client
dev tun
proto udp
remote 192.168.8.81 1337
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
# ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5, and it needs the nsCertType extension that easy-rsa 3 certificates do not carry; use remote-cert-tls as in the Linux client config
remote-cert-tls server
comp-lzo
<ca>
(contents of ca.crt)
</ca>
<cert>
(contents of client.crt)
</cert>
<key>
(contents of client.key)
</key>
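Mobile clients expect a single profile with the three PEM files embedded as shown above, and pasting them in by hand is error-prone (a lost line in the key block produces an unhelpful TLS error). The script below is an added example, not part of the original post or of OpenVPN; it assembles that inline profile from ca.crt, client.crt and client.key and checks that each block actually wraps a PEM body. The make_inline_profile, profile_has_block and write_demo_files function names, the placeholder PEM contents and the temporary paths are this example's own; the server address and port reused in the demo are the ones from the phone configuration above.

```shell
#!/bin/sh
# Added example (not from the original post): build the single-file "inline" client
# profile from section 5 out of the three PEM files issued in section 1.

# make_inline_profile SERVER PORT CA_FILE CERT_FILE KEY_FILE  -> profile on stdout
# Returns 1 without printing a partial profile when any input file is unreadable.
make_inline_profile() {
    server="$1"; port="$2"; ca="$3"; cert="$4"; key="$5"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
mute-replay-warnings
remote-cert-tls server
comp-lzo
EOF
    # Each PEM file is copied verbatim into its own inline block. Only the client's
    # certificate and key go in; the CA's private key is never part of a profile.
    printf '<ca>\n';   cat "$ca";   printf '</ca>\n'
    printf '<cert>\n'; cat "$cert"; printf '</cert>\n'
    printf '<key>\n';  cat "$key";  printf '</key>\n'
}

# profile_has_block PROFILE TAG: returns 0 when <TAG> ... </TAG> is present and the
# block encloses at least one "-----BEGIN" line, i.e. a PEM body was really pasted in.
profile_has_block() {
    awk -v t="$2" '
        $0 == "<" t ">"  { inside = 1; pem = 0; next }
        $0 == "</" t ">" { if (inside && pem) found = 1; inside = 0; next }
        inside && /^-----BEGIN / { pem = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# write_demo_files DIR: constructed placeholder PEM files (not real certificates or keys)
write_demo_files() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        '(constructed placeholder, not a real CA certificate)' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        '(constructed placeholder, not a real client certificate)' \
        '-----END CERTIFICATE-----' > "$1/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        '(constructed placeholder, not a real private key)' \
        '-----END PRIVATE KEY-----' > "$1/client.key"
    chmod 600 "$1/client.key"
}

# Stand-alone demo
d=$(mktemp -d)
write_demo_files "$d"
make_inline_profile 192.168.8.81 1337 "$d/ca.crt" "$d/client.crt" "$d/client.key" > "$d/client.ovpn"
chmod 600 "$d/client.ovpn"   # the profile now contains the private key: treat it as a secret
cat "$d/client.ovpn"
```

The generated client.ovpn embeds client.key, so it should be moved to the phone over a channel you trust and deleted from any shared location afterwards; losing the profile is the same as losing the key.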