Requirement:

The company has a fixed public IP and a small office LAN on 192.168.1.x. Several KVM servers on that LAN host git, svn, yapi, jenkins and the development environments. The goal is to combine the enterprise router's static-route and virtual-server (port-forwarding) features with an OpenVPN server running on one of the internal machines, so that staff can reach the office network over VPN and keep working from home at the weekend or while travelling.

Steps

Environment:

1. The server runs CentOS 7

2. The company has a fixed public IP

3. The router is an enterprise model with static-route and port-forwarding features


I. Router configuration

1. Static route

Destination: the OpenVPN tunnel network, 10.8.0.0/24 (the default used in the server config below).

Next hop: the LAN address of the OpenVPN server (192.168.1.83 in this setup).

Without this route, LAN hosts send their replies for 10.8.0.x to the default gateway, which knows nothing about the tunnel network, and VPN clients can reach the OpenVPN server but nothing behind it. (The alternative is to NAT/masquerade VPN traffic on the OpenVPN server itself; then the route is unnecessary, but internal servers' logs show the VPN server's address instead of the individual client's.)

2. Virtual server (port forwarding)

External port: the port reachable on the public IP (your choice).

Internal port: the port OpenVPN listens on inside the LAN (1194 in the config below; your choice).

Internal server IP: the OpenVPN server's LAN address.

Protocol: UDP, to match `proto udp` in the server config. Forward only this one port; nothing else on the OpenVPN server needs to be reachable from the Internet.

Note: the effect is that the externally mapped port reaches the internal service, much like a public nginx proxying a server on the internal network.


II. Install the OpenVPN service


1. Enable IP forwarding

Temporary (lost on reboot)

echo 1 > /proc/sys/net/ipv4/ip_forward

Permanent

vim  /etc/sysctl.conf
add
net.ipv4.ip_forward = 1
apply
sysctl -p

Without forwarding the server accepts the tunnel but does not pass packets between tun0 and the LAN, so clients can reach the VPN server only.

2. Install OpenVPN with yum
1. Configure the EPEL repository, which is where the openvpn package comes from
wget https://repo.huaweicloud.com/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
2. Install the dependencies
yum install -y openssl lzo pam
3. Install openvpn from the repository
yum install -y openvpn

Note: if yum cannot find the openvpn package, rebuild the metadata cache:

yum clean all
yum makecache

or

yum update

(yum update upgrades every installed package, not only the metadata; on a production box prefer the two commands above.)
4. Locate the installed binary
[root@vm-openvpn-83 openvpn-2.4.12]# which openvpn
/usr/sbin/openvpn
5. Locate the documentation directory (the sample config files used later live here)

/usr/share/doc/openvpn-2.4.12/

[root@vm-openvpn-83 ~]# cd /usr/share/doc/openvpn-2.4.12/
[root@vm-openvpn-83 openvpn-2.4.12]# ls
AUTHORS    Changes.rst  COPYING        management-notes.txt  README.auth-pam   README.systemd
ChangeLog  contrib      COPYRIGHT.GPL  README                README.down-root  sample

If your layout differs (for example a different package version), list the package contents to find your paths:

[root@vm-openvpn-83 openvpn-2.4.12]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.4.12
/usr/share/doc/openvpn-2.4.12/AUTHORS
/usr/share/doc/openvpn-2.4.12/COPYING
/usr/share/doc/openvpn-2.4.12/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.4.12/ChangeLog


III. Install the certificate tooling (easy-rsa)


1. Install easy-rsa with yum
yum install -y easy-rsa
2. List the installed files

rpm -ql easy-rsa

[root@vm-openvpn-83 openvpn-2.4.12]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa-3.0.8
/usr/share/doc/easy-rsa-3.0.8/COPYING.md
/usr/share/doc/easy-rsa-3.0.8/ChangeLog
/usr/share/doc/easy-rsa-3.0.8/README.md
/usr/share/doc/easy-rsa-3.0.8/README.quickstart.md
/usr/share/doc/easy-rsa-3.0.8/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa-3.0.8
/usr/share/licenses/easy-rsa-3.0.8/gpl-2.0.txt

or

[root@vm-openvpn-83 openvpn-2.4.12]# whereis easy-rsa
easy-rsa: /usr/share/easy-rsa
3. Copy the easy-rsa tree

Copy the easy-rsa program into /etc/openvpn so that the PKI lives next to the server config and is easy to manage:

[root@vm-openvpn-83 ~]# cd /usr/share/easy-rsa
[root@vm-openvpn-83 easy-rsa]# cp -r 3.0.8 /etc/openvpn/easy-rsa3

Everything generated below ends up under /etc/openvpn/easy-rsa3/pki, including the CA private key. Keep that directory readable by root only; anyone who can read pki/private/ca.key can issue certificates your VPN will accept.

IV. Generate the certificates

Note: before generating anything, lengthen the three lifetime settings. The easy-rsa defaults are much shorter than ten years (the CRL lifetime in particular is only a few months), and an expired CRL is worse than an expired certificate: with `crl-verify` configured, OpenVPN rejects every client once the CRL's nextUpdate has passed, not only revoked ones. I set all three to 3650 days. The supported place for these overrides is a `vars` file next to the `easyrsa` script (copy /usr/share/doc/easy-rsa-3.0.8/vars.example to /etc/openvpn/easy-rsa3/vars and uncomment the lines); editing the `easyrsa` script itself, as I did originally, works but is easy to lose track of.

vim /etc/openvpn/easy-rsa3/vars

set_var EASYRSA_CA_EXPIRE	3650
set_var EASYRSA_CERT_EXPIRE	3650
set_var EASYRSA_CRL_DAYS	3650

Bear in mind that a ten-year client certificate stays valid for ten years after a laptop is lost or an employee leaves; revocation (section IV.5 and the CRL) is what you will rely on.

1. Initialise the PKI
[root@vm-openvpn-83 easy-rsa3]# cd /etc/openvpn/easy-rsa3
[root@vm-openvpn-83 easy-rsa3]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa3/pki
2. Create the CA
[root@vm-openvpn-83 easy-rsa3]# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
..........+++
................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:press Enter to accept the default

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa3/pki/ca.crt

What the command does: build-ca creates the certificate authority, that is a key pair (pki/private/ca.key) and a self-signed root certificate (pki/ca.crt). Every server and client certificate in this setup is signed with that key. The only thing asked interactively is the CA's Common Name; the lifetime comes from EASYRSA_CA_EXPIRE.

What the CA certificate is for: it is the trust anchor. During the TLS handshake each side checks that the peer's certificate carries a valid signature from this CA; a certificate from any other issuer is rejected.

A note on nopass: it leaves ca.key unencrypted on disk. That is what makes the issuing script at the end of this post non-interactive, but it also means that anyone who can read the file can mint certificates for your VPN, so keep pki/private root-only. If you can live with typing a passphrase each time you issue or revoke a certificate, omit nopass here.


3. Server certificate
Generate the server key and certificate request
[root@vm-openvpn-83 easy-rsa3]# ./easyrsa gen-req server nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................+++
..........................................................+++
writing new private key to '/etc/openvpn/easy-rsa3/pki/easy-rsa-88592.Ngm3AY/tmp.VuPJ1E'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:press Enter to accept the default

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa3/pki/private/server.key

What the command does: gen-req creates a 2048-bit RSA key pair for the server and a certificate signing request (CSR) for it. A generic CSR tool would ask for the full DN (country, organisation, Common Name and so on); easy-rsa only asks for the Common Name. nopass writes the private key unencrypted. For a server key that is the practical choice, because the daemon has to load it at boot with nobody there to type a passphrase; its protection is file permissions (owned by root, mode 600) rather than encryption.

What the CSR is for: it carries the public key and the requested subject and is what the CA signs. In this setup it is simply the input to the next step, which turns it into the server certificate that clients verify when they connect.


Sign the server certificate
[root@vm-openvpn-83 easy-rsa3]# ./easyrsa sign-req server server
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes  (type yes and press Enter)
Using configuration from /etc/openvpn/easy-rsa3/pki/easy-rsa-88618.0GjPLv/tmp.cWUiBi
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jul 21 06:01:45 2034 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa3/pki/issued/server.crt

What the command does: sign-req signs the CSR from the previous step with the CA key and writes the certificate to pki/issued/server.crt. The first argument, server, is the certificate type: easy-rsa adds the TLS Web Server Authentication extended key usage, which is what a client's `remote-cert-tls server` check looks for. A passphrase would be requested here only if the CA key were encrypted; since the CA was built with nopass, none is asked. (The nopass given to gen-req has no bearing on this step; it concerned the server key, not the CA key.)

What the server certificate is for: it proves the server's identity. A connecting client verifies the CA signature on it, checks the extended key usage if `remote-cert-tls server` is set, and only then completes the handshake. The keys that encrypt the tunnel are negotiated inside that TLS handshake; the certificate's key pair authenticates the server, it does not itself encrypt the traffic.


4. Generate the DH parameters

Note: this can take several minutes; be patient.

[root@vm-openvpn-83 easy-rsa3]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................................................................................
.................................+.................................................
.+......+..............................+...........................................
...........+.+.................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa3/pki/dh.pem

What the command does: gen-dh generates a 2048-bit Diffie-Hellman group (a safe prime and a generator). The server uses it for the key exchange inside the TLS handshake, so that both sides can agree on session keys that are never sent over the network.

What the parameters are for: they are public values, not secrets, so it does no harm that dh.pem sits next to the certificates; what matters is that the group is large enough (2048 bits here) for the discrete-logarithm problem to be infeasible. Only the server needs the file.


5. Generate the CRL
[root@vm-openvpn-83 easy-rsa3]# ./easyrsa gen-crl
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easy-rsa3/pki/easy-rsa-89460.KBhnzA/tmp.AgqxBR

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa3/pki/crl.pem

What the command does: gen-crl creates (or refreshes) the certificate revocation list: a CA-signed list of the serial numbers of certificates the CA has withdrawn. The server config below points crl-verify at it, so the server checks every connecting client's certificate against the list.

What the list is for: revocation is the only way to lock a client certificate out before it expires, for example after a laptop is lost or a staff member leaves; with ten-year client certificates it is the mechanism you will depend on. Two operational points: the list has to be regenerated (gen-crl again) and copied into place after every revoke, and it carries its own expiry (EASYRSA_CRL_DAYS). Once that date passes, OpenVPN's crl-verify rejects all clients, not only revoked ones, until a fresh CRL is installed.
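Revoking a certificate is the operation the CRL exists for, and the post does not show it. The following is an added example of mine, not code from the post or from easy-rsa: it revokes one client, republishes the CRL to the path the server config uses, and reports how many days a certificate or the CRL has left so the expiry problem described above is caught before it bites. It assumes this post's paths (EASYRSA_DIR and CRL_DEST, both overridable), GNU date and openssl on the server.

```bash
#!/bin/bash
# Added example (my code, not part of the original post): revoke a client,
# republish the CRL, and measure how many days a certificate or the CRL has
# left. Assumes this post's paths (EASYRSA_DIR, CRL_DEST), GNU date, openssl.
set -eu

EASYRSA_DIR=${EASYRSA_DIR:-/etc/openvpn/easy-rsa3}
CRL_DEST=${CRL_DEST:-/etc/openvpn/crl.pem}

# Whole days from now until a date in openssl's output format, e.g.
# "Jul 21 06:01:45 2034 GMT". Negative means the date has already passed.
days_until() {
    now=$(date -u +%s)
    target=$(date -u -d "$1" +%s)
    echo $(( (target - now) / 86400 ))
}

# Days left on a PEM certificate (notAfter) or on a CRL (nextUpdate).
cert_days_left() {
    days_until "$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')"
}
crl_days_left() {
    days_until "$(openssl crl -noout -nextupdate -in "$1" | sed 's/^nextUpdate=//')"
}

# Regenerate the CRL from the CA database and install it where server.conf's
# crl-verify points. OpenVPN picks the replaced file up on the next client
# connection, no restart needed. Run this before nextUpdate passes: an expired
# CRL makes crl-verify reject every client, not only revoked ones.
renew_crl() {
    ( cd "$EASYRSA_DIR" && ./easyrsa --batch gen-crl )
    install -m 0644 "$EASYRSA_DIR/pki/crl.pem" "$CRL_DEST"
    echo "CRL installed at $CRL_DEST, valid for $(crl_days_left "$CRL_DEST") days"
}

# Revoke one client by the name used at gen-req/sign-req time. A client that
# is connected right now keeps its session until its next TLS renegotiation
# (reneg-sec, 3600 s by default); restart the service or use the management
# interface to cut it off immediately.
revoke_client() {
    ( cd "$EASYRSA_DIR" && ./easyrsa --batch revoke "$1" )
    renew_crl
}

# Print anything expiring within $1 days (default 30): CA, issued certs, CRL.
expiry_report() {
    limit=${1:-30}
    for f in "$EASYRSA_DIR/pki/ca.crt" "$EASYRSA_DIR"/pki/issued/*.crt; do
        d=$(cert_days_left "$f")
        [ "$d" -gt "$limit" ] || echo "EXPIRING: $f ($d days)"
    done
    d=$(crl_days_left "$CRL_DEST")
    [ "$d" -gt "$limit" ] || echo "EXPIRING: CRL $CRL_DEST ($d days), run renew_crl"
}

# Usage: source this file, then e.g.   revoke_client test   or   expiry_report 60
```

Put `expiry_report` in a cron job with an alert on non-empty output; with EASYRSA_CRL_DAYS set to 3650 the CRL will not expire on its own, but every revoke still needs the `renew_crl` step, which `revoke_client` does for you.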


6. Copy the certificate files into place

For tidiness I copy the files the server needs into the /etc/openvpn/ tree that the package created:

cp /etc/openvpn/easy-rsa3/pki/issued/server.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa3/pki/private/server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa3/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa3/pki/dh.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa3/pki/crl.pem /etc/openvpn/

server.key is the only secret among these; it must stay owned by root with mode 600. The CA key stays in pki/private and is never copied anywhere.

V. Configure the OpenVPN server

1. Copy the sample server config shipped with the package
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/server/
2. Edit the server config

The log directory /etc/openvpn/log used below is not created by the package; create it before starting, otherwise the daemon exits at startup because it cannot open its log.

vim /etc/openvpn/server/server.conf

local 0.0.0.0 #listen address; 0.0.0.0 means all interfaces, the same as leaving the line out
port 1194 #listening port, your choice; must match the router's internal port
proto udp #UDP here
dev tun #routed (layer 3) mode
ca /etc/openvpn/ca.crt #CA certificate
cert /etc/openvpn/server/server.crt #server certificate
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem #DH parameters
server 10.8.0.0 255.255.255.0 #tunnel network; the router's static route points here
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "route 192.168.1.0 255.255.255.0" #the office LAN the clients should reach; adjust to your subnet
push "dhcp-option DNS 208.67.222.222" #or an internal DNS server if the office has one
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log #your choice; the directory must exist
log-append  /etc/openvpn/log/openvpn.log #your choice; log and log-append set the same file, one of them is enough
verb 4
explicit-exit-notify 1
crl-verify /etc/openvpn/crl.pem #reject revoked client certificates

This is the minimum that works. Compared with the sample file it leaves out `tls-auth`/`tls-crypt` (a pre-shared HMAC key that gates the TLS handshake, so port scanners and unauthenticated hosts cannot even start one) and `user nobody`/`group nobody` (drop root after startup). `comp-lzo` is also best removed: compressing traffic before encrypting it is known to leak plaintext (VORACLE), and OpenVPN itself warns against it.
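The following is an added example of mine, not code from the post or from the OpenVPN project: a small shell lint that flags the weak or missing settings just discussed in a server.conf, and a hardened version of this post's config (same files, same 10.8.0.0/24 tunnel, same pushed LAN route) that passes it. It assumes /etc/openvpn/ta.key was generated with `openvpn --genkey --secret /etc/openvpn/ta.key` (an assumption; the post does not create one) and that clients receive the same key for their `tls-crypt` directive.

```bash
#!/bin/bash
# Added example, not code from the original post or from the OpenVPN project:
# a lint that flags the weak or missing settings discussed above in an OpenVPN
# 2.4 server.conf, and a hardened version of this post's config that passes it.
# Assumption: /etc/openvpn/ta.key exists, created with
#   openvpn --genkey --secret /etc/openvpn/ta.key
# and the same file is handed to clients as their <tls-crypt> key.
set -u

# Config text with comments (# or ;) and blank lines removed.
strip_conf() {
    sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# True when directive $2 appears at the start of a line in stripped text $1.
has_directive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# One finding per line; prints nothing for a clean config.
audit_server_conf() {
    body=$(strip_conf "$1")
    if has_directive "$body" 'comp-lzo' || has_directive "$body" 'compress'; then
        echo "WARN compression enabled: remove comp-lzo/compress (compress-then-encrypt leaks plaintext, VORACLE)"
    fi
    if ! has_directive "$body" 'tls-crypt' && ! has_directive "$body" 'tls-auth'; then
        echo "WARN no tls-crypt/tls-auth: any host on the Internet can open a TLS handshake with the daemon"
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*cipher[[:space:]]+[A-Za-z0-9-]*-CBC'; then
        echo "INFO CBC data-channel cipher: prefer AES-256-GCM (AEAD) and pin it with ncp-ciphers"
    fi
    if ! has_directive "$body" 'user' || ! has_directive "$body" 'group'; then
        echo "WARN daemon keeps root after startup: add 'user nobody' and 'group nobody'"
    fi
    if ! has_directive "$body" 'crl-verify'; then
        echo "WARN no crl-verify: revoked client certificates are still accepted"
    fi
    if ! has_directive "$body" 'auth'; then
        echo "INFO no auth directive: HMAC defaults to SHA1; set 'auth SHA256'"
    fi
}

# Number of findings, 0 meaning clean.
audit_count() {
    audit_server_conf "$1" | awk 'END { print NR }'
}

# Hardened counterpart of the server.conf shown above.
hardened_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
tls-crypt /etc/openvpn/ta.key
server 10.8.0.0 255.255.255.0
topology subnet
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log
log-append /etc/openvpn/log/openvpn.log
verb 3
explicit-exit-notify 1
EOF
}

# Usage: audit_server_conf /etc/openvpn/server/server.conf
#        hardened_server_conf > /etc/openvpn/server/server.conf
```

`crl-verify` and `user nobody` interact: the CRL is re-read after the privilege drop, so crl.pem must be readable by nobody (mode 644), while server.key and ta.key are read once at startup as root and can stay 600. `topology subnet` gives each client a plain /24 address instead of the /30 pairs visible in the tun0 output later in this post; clients need no change for it.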

VI. Start the OpenVPN service

1. Start the daemon with the config file
/usr/sbin/openvpn --daemon --config /etc/openvpn/server/server.conf

The package also ships a systemd unit for exactly this layout: `systemctl enable --now openvpn-server@server` runs /etc/openvpn/server/server.conf and starts it again after a reboot, which the manual command above does not. If firewalld is active on the server, 1194/udp has to be opened there too, otherwise the router forwards packets that the host then drops.
2. Check the process
[root@vm-openvpn-83 openvpn]# ps aux|grep openvpn
root      90878  0.0  0.0  75028  2536 ?        Ss   15:04   0:00 /usr/sbin/openvpn --daemon --config /etc/openvpn/server/server.conf
root      90914  0.0  0.0 112824   988 pts/0    S+   15:04   0:00 grep --color=auto openvpn

Check that a tun0 interface has appeared with the tunnel address 10.8.0.1:

[root@vm-openvpn-83 log]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.83  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::d362:f83d:cb3f:d62f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:00:f0:6a  txqueuelen 1000  (Ethernet)
        RX packets 604454  bytes 706302612 (673.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 99565  bytes 9249494 (8.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 68  bytes 5908 (5.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 68  bytes 5908 (5.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::631e:378f:f8de:11dc  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

VII. Client certificate

Note: the client certificate here is named test. Issue one certificate per person, named after them, rather than sharing one: a single certificate can then be revoked later without disconnecting everyone else, and the status log shows who is connected.

1. Generate the client key and certificate request
[root@vm-openvpn-83 easy-rsa3]# ./easyrsa gen-req test nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
........................................................+++
....+++
writing new private key to '/etc/openvpn/easy-rsa3/pki/easy-rsa-88703.rsWvtb/tmp.vRLiVf'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [test]:press Enter to accept the default

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa3/pki/reqs/test.req
key: /etc/openvpn/easy-rsa3/pki/private/test.key
2. Sign the client certificate (the client type gives it the TLS Web Client Authentication usage, so it cannot pass a client's `remote-cert-tls server` check and impersonate the server)
[root@vm-openvpn-83 easy-rsa3]# ./easyrsa sign-req client test
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = test

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes  (type yes and press Enter)
Using configuration from /etc/openvpn/easy-rsa3/pki/easy-rsa-88729.FfHtlP/tmp.FIjiBO
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'test'
Certificate is to be certified until Jul 21 06:18:16 2034 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa3/pki/issued/test.crt

VIII. Client connection

1. Create a directory for the user
mkdir /etc/openvpn/client/test
2. Copy the CA certificate and the client's certificate and key into it
cp /etc/openvpn/ca.crt /etc/openvpn/client/test
cp /etc/openvpn/easy-rsa3/pki/issued/test.crt /etc/openvpn/client/test
cp /etc/openvpn/easy-rsa3/pki/private/test.key /etc/openvpn/client/test
3. Copy the sample client config. The Windows OpenVPN GUI only loads files whose name ends in .ovpn, so give it that name straight away
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf /etc/openvpn/client/test/test.ovpn
4. Edit the contents
client
dev tun
proto udp
remote 0.0.0.0 1194 #replace 0.0.0.0 with the company's public IP; the port is the router's external port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt #CA certificate, relative to the config file's directory
cert test.crt #client certificate
key test.key #client private key
remote-cert-tls server #only accept a peer whose certificate was signed as a server; present in the sample file, keep it
tls-client
cipher AES-256-CBC
comp-lzo
verb 3
5. Pack the directory and hand it to the user
cd /etc/openvpn/client/
tar zcf test.tar.gz test

The archive contains the user's private key, so deliver it over a channel you trust (in person, or an encrypted transfer), not as a plain e-mail or chat attachment.
6. On the user's machine, install the OpenVPN client (Windows 11 here)

Download: https://openvpn.net/community-downloads/

Right-click the OpenVPN GUI shortcut, open the file location and find the config folder (by default C:\Program Files\OpenVPN\config). Copy the four files from the server's archive (test.ovpn, ca.crt, test.crt, test.key) into it.

Start the OpenVPN GUI, right-click its icon in the system tray (under the hidden icons) and choose Connect.

On success the client shows the tunnel address it was assigned, the tray icon turns green, and the log window shows the TLS handshake and the route for 192.168.1.0/24 pushed by the server.

IX. Script to issue client certificates

Note: this assumes the directory layout used above; adjust the paths if yours differs. It also needs a template /etc/openvpn/client/client.ovpn, which is the client config from section VIII with every occurrence of test replaced by the literal word username (the script substitutes the real name).

vim /etc/openvpn/client/create_user.sh

#!/bin/bash
# Issue a client certificate, assemble the user's config bundle and tar it.
# Assumes the layout used in this post and a template
# /etc/openvpn/client/client.ovpn in which the word "username" stands for the
# client name (cert username.crt, key username.key).
set -eu

if [ $# -ne 1 ]; then
    echo "Error: give the VPN user name as the only argument." >&2
    echo "Usage: $0 username" >&2
    exit 1
fi

username=$1
EASYRSA_DIR=/etc/openvpn/easy-rsa3
CLIENT_DIR=/etc/openvpn/client

# Refuse to silently re-issue an existing name; revoke the old one first.
if [ -e "$EASYRSA_DIR/pki/issued/$username.crt" ]; then
    echo "Error: a certificate named '$username' already exists; revoke it or choose another name." >&2
    exit 1
fi

# Issue the certificate. --batch accepts the Common Name default and skips the
# "yes" confirmation, so the script runs without interaction.
cd "$EASYRSA_DIR"
./easyrsa --batch gen-req "$username" nopass
./easyrsa --batch sign-req client "$username"

# Assemble the user's directory: config, CA certificate, user certificate and key.
cd "$CLIENT_DIR"
mkdir -p "$username"
sed "s#username#$username#g" ./client.ovpn > "./$username/$username.ovpn"
cp /etc/openvpn/ca.crt "./$username/"
cp "$EASYRSA_DIR/pki/issued/$username.crt" "./$username/"
cp "$EASYRSA_DIR/pki/private/$username.key" "./$username/"
chmod 600 "./$username/$username.key"
# Optional: ship the usage document and the installer alongside
#cp /etc/openvpn/VPN安装使用说明.docx "./$username/"
#cp /etc/openvpn/vpn安装包.tar.gz "./$username/"
tar zcf "$username.tar.gz" "$username"
echo "Created $CLIENT_DIR/$username.tar.gz"

For example, to create user1:

bash create_user.sh user1
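The script above still hands the user four separate files, and the user has to keep them together in the config folder. The following is an added example of mine, not code from the post: it builds a single .ovpn with the CA certificate, the client certificate and key, and the tls-crypt key embedded as `<ca>`, `<cert>`, `<key>` and `<tls-crypt>` blocks, which OpenVPN on every platform accepts as one file. It assumes this post's PKI layout (PKI_DIR and CA_CRT, overridable) and an optional /etc/openvpn/ta.key created with `openvpn --genkey --secret` and configured as `tls-crypt` on the server; the post does not set one up, so the block is emitted only when the file exists.

```bash
#!/bin/bash
# Added example, not code from the original post: build a single .ovpn file
# with the CA certificate, the client certificate, the client key and (if
# present) the tls-crypt key embedded, so the user gets one file, not four.
# Assumptions: this post's PKI layout; an optional /etc/openvpn/ta.key made
# with "openvpn --genkey --secret" and used as tls-crypt on the server.
set -u

PKI_DIR=${PKI_DIR:-/etc/openvpn/easy-rsa3/pki}
CA_CRT=${CA_CRT:-/etc/openvpn/ca.crt}
TA_KEY=${TA_KEY:-/etc/openvpn/ta.key}

# Only the PEM block: easy-rsa's issued/*.crt also contains a human-readable
# dump before "-----BEGIN CERTIFICATE-----", which must not go into the .ovpn.
pem_body() {
    sed -n '/-----BEGIN/,/-----END/p' "$1"
}

# usage: build_inline_ovpn <client name> <public IP or hostname> <port> > name.ovpn
# cipher/auth must match the server; these are the AES-256-GCM/SHA256 values,
# change them if your server still runs AES-256-CBC without an auth line.
build_inline_ovpn() {
    local user=$1 remote=$2 port=$3
    local crt="$PKI_DIR/issued/$user.crt" key="$PKI_DIR/private/$user.key"
    for f in "$CA_CRT" "$crt" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
<ca>
$(pem_body "$CA_CRT")
</ca>
<cert>
$(pem_body "$crt")
</cert>
<key>
$(pem_body "$key")
</key>
EOF
    # Emit the tls-crypt block only when the server side uses one.
    if [ -r "$TA_KEY" ]; then
        printf '<tls-crypt>\n%s\n</tls-crypt>\n' "$(pem_body "$TA_KEY")"
    fi
}

# Example with this post's names:
#   build_inline_ovpn test 203.0.113.10 1194 > /etc/openvpn/client/test.ovpn
```

The generated file is as sensitive as test.key was, since the key is inside it; the same delivery rule applies. `remote-cert-tls server` is kept on purpose: it is what stops another employee's client certificate from being used to impersonate the VPN server on a hostile Wi-Fi network.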