Published: 2018-02-07 19:27:45  Editor: admin
OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its main advantage is that it is simple to set up and use.
The peers that take part in building the VPN can authenticate each other with a pre-shared key, with certificates, or with a username/password. It relies heavily on the SSL/TLS protocol library in OpenSSL (the 2.4 series installed below negotiates TLS 1.0 and later only; SSLv3 is not used). OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista, and ships with a number of security features.
We have a production server on Alibaba Cloud running a PPTP VPN. Access from the office network works, but some developers working from home on Great Wall Broadband cannot connect to it, while other ISPs are fine.
To solve this we set up OpenVPN; the developers tested it, could log in to OpenVPN, and could reach the production database. Moving off PPTP is also a security gain in its own right: PPTP's MS-CHAPv2 authentication has been practically broken for years, whereas the OpenVPN setup below authenticates every user with an individual certificate.
The CentOS 7 installation steps are as follows:
Install the build toolchain
# yum install -y gcc gcc-c++ openssl openssl-devel vim
Install the PAM headers
# yum install pam-devel -y
# yum clean all
Install the LZO library (the commands assume lzo-2.10.tar.gz has already been downloaded to the current directory)
# tar zxvf lzo-2.10.tar.gz -C /usr/src/
# cd /usr/src/lzo-2.10/
# ./configure --enable-shared
# make && make install
Install OpenVPN
OpenVPN can no longer be found through Baidu; you have to search with Google and download it from the official site.
I have put a copy on Baidu Netdisk:
Link: https://pan.baidu.com/s/1dTDbUe  Password: o8uo
Whichever copy you use, verify the tarball against the detached GPG signature (.asc file) published with the release on openvpn.net before building it. Every developer's laptop will later trust this server, so a build from an unverified third-party mirror is a supply-chain risk for the whole company.
# cd /root
# tar zxvf openvpn-2.4.4.tar.gz -C /usr/src/
# cd /usr/src/openvpn-2.4.4/
# ./configure --prefix=/usr/local/openvpn
# make && make install
Unpack easy-rsa and copy its directory into the OpenVPN tree; it is the tool used to generate the CA, keys and certificates.
# cd /root
# tar zxvf easy-rsa-2.2.2.tar.gz -C /usr/src/
# cd /usr/src/easy-rsa-2.2.2/
# cp -R easy-rsa /usr/local/openvpn/
# cd /usr/local/openvpn/easy-rsa/2.0/
Edit the variables file
vim vars
Mainly change the last few lines: the country, province, city and organisation that will appear in every certificate's subject.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="Shanghai"
Load the variables
[root@localhost 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn/easy-rsa/2.0/keys
Remove all existing key files (this wipes the keys directory, so only run it on a fresh PKI)
# ./clean-all
Create the local CA. Press Enter at every prompt to accept the defaults loaded from vars (build-ca asks no yes/no question; the transcript below shows the whole run). The resulting ca.key is the root of trust for this VPN: anyone who obtains it can issue certificates the server will accept, so keep it out of backups and off shared machines.
[root@localhost 2.0]# ./build-ca
Generating a 2048 bit RSA private key
...............+++
..+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [Shanghai]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Shanghai CA]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:
[root@localhost 2.0]#
Generate the server certificate and key. build-key-server creates server.key and a request, signs the request with the CA you just made, and adds the server extensions (nsCertType=server, extendedKeyUsage=serverAuth) that allow clients to check they are talking to the real server rather than to another client's certificate. Press Enter at the first prompts, leave the challenge password empty, and type y then Enter at the two [y/n] questions.
[root@localhost 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
........................+++
..............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [Shanghai]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Shanghai'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'Shanghai'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Feb  5 09:17:01 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the Diffie-Hellman parameters. This takes a few minutes; on a well-provisioned server it finishes in tens of seconds.
[root@localhost 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................................................+...
Generate the client certificates. Every OpenVPN user gets an individual certificate; "client" here is the client name, which can be the developer's full name in pinyin. Keep the Common Name unique per user: by default the server does not allow two simultaneous sessions with the same CN, and a unique CN is what lets you revoke one person's access later without touching anyone else's. The resulting client.key is that user's private key; hand it over through a secure channel and delete it from the server afterwards.
[root@localhost 2.0]# ./build-key client
Generating a 2048 bit RSA private key
.......+++
.........................................................................................................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [Shanghai]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Shanghai'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'Shanghai'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Feb  5 09:58:34 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
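The three easy-rsa steps above (build-ca, build-key-server, build-key) hide what actually distinguishes a server certificate from a client certificate, and the post never gets to revocation, which you will need the first time a developer leaves or loses a laptop. The script below is an added example, not part of the original post or of easy-rsa: it rebuilds the same PKI with plain openssl, using the same extension sections easy-rsa 2 applies, and then checks the two properties OpenVPN relies on: the server certificate carries the serverAuth EKU (what a client's `remote-cert-tls server` verifies), and a revoked client certificate fails a CRL check (what the server's `crl-verify` does). It assumes the openssl CLI (1.0.2 or later) is installed; the directory layout, the CA name "Example VPN CA" and the user name "alice" are made up for the example.

```shell
#!/bin/bash
# Added example (not from the original post): a throwaway CA built with plain
# openssl that mirrors easy-rsa 2's build-ca, build-key-server, build-key and
# revoke-full, plus the checks OpenVPN performs on the results.
# Assumes: openssl CLI >= 1.0.2. All file names below are hypothetical.
set -eu

# make_pki: create a PKI directory with CA key/cert and an empty CRL,
# the equivalent of ./clean-all followed by ./build-ca. Prints the path.
make_pki() {
    local dir
    dir=$(mktemp -d)
    (
        cd "$dir"
        mkdir newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber
        # server_ext/client_ext mirror the [server] and [usr_cert] sections
        # of easy-rsa 2's openssl-1.0.0.cnf.
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = vpn_policy
[ vpn_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Example VPN CA" -config ca.cnf -extensions ca_ext \
            -keyout ca.key -out ca.crt >/dev/null 2>&1
        openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    )
    echo "$dir"
}

# issue_cert <pki_dir> <name> <server|client>: key + CSR + CA-signed cert,
# i.e. ./build-key-server <name> or ./build-key <name>.
issue_cert() {
    local dir=$1 name=$2 role=$3
    (
        cd "$dir"
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
            -config ca.cnf -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
        openssl ca -batch -config ca.cnf -extensions "${role}_ext" -notext \
            -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
    )
}

# cert_is_server <cert>: succeeds only if the cert carries the serverAuth EKU.
cert_is_server() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# revoke_cert <pki_dir> <name>: ./revoke-full <name>; the regenerated
# crl.pem is the file a server's "crl-verify" should point at.
revoke_cert() {
    local dir=$1 name=$2
    (
        cd "$dir"
        openssl ca -batch -config ca.cnf -revoke "$name.crt" >/dev/null 2>&1
        openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    )
}

# cert_is_valid <pki_dir> <cert>: chain check against the CA plus CRL check.
cert_is_valid() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$2" >/dev/null 2>&1
}

# Demo run: bash pki-check.sh demo
if [ "${1:-}" = "demo" ]; then
    pki=$(make_pki)
    issue_cert "$pki" server server
    issue_cert "$pki" alice client
    cert_is_server "$pki/server.crt" && echo "server.crt: serverAuth present"
    cert_is_server "$pki/alice.crt" || echo "alice.crt: not usable as a server"
    revoke_cert "$pki" alice
    cert_is_valid "$pki" "$pki/alice.crt" || echo "alice.crt: revoked, rejected"
    rm -rf "$pki"
fi
```

The point of `cert_is_server` is the reason clients must set `remote-cert-tls server`: without that check any holder of a client certificate issued by this CA could stand up a fake VPN server and harvest the other developers' traffic. The point of `revoke_cert` is that a certificate is valid until 2028 unless you publish its revocation, so the server needs `crl-verify` pointing at an up-to-date crl.pem.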
Create the OpenVPN configuration file
[root@localhost ~]# mkdir /usr/local/openvpn/etc
[root@localhost ~]# vim /usr/local/openvpn/etc/server.conf
Its contents:
# listening port
port 444
# transport protocol
proto tcp
# tap bridges Ethernet frames, tun routes IP packets. With the "server"
# directive on a /24, tun mode hands each client a /30 (default net30
# topology, about 60 clients), or one address each with "topology subnet".
dev tap
# the four authentication files: CA, server certificate, server key, DH parameters
ca /usr/local/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/2.0/keys/server.crt
key /usr/local/openvpn/easy-rsa/2.0/keys/server.key
dh /usr/local/openvpn/easy-rsa/2.0/keys/dh2048.pem
# virtual subnet handed out to clients; must not overlap the internal networks
server 192.168.10.0 255.255.255.0
# remember which client received which address
ifconfig-pool-persist /usr/local/openvpn/ipp.txt
# internal routes pushed to clients; add one line per subnet
push "route 10.20.10.0 255.255.255.0"
push "route 10.20.20.0 255.255.255.0"
push "route 10.20.30.0 255.255.255.0"
# primary DNS server
push "dhcp-option DNS 202.96.209.133"
# secondary DNS server
push "dhcp-option DNS 202.96.209.5"
# let clients talk to each other
client-to-client
# ping every 10 s, treat the peer as gone after 120 s without a reply (disabled here)
#keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
# drop privileges to this user after start-up
user nobody
# and this group
group nobody
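The file above works, but it leaves the TLS port reachable by anyone, lets any client certificate be replayed as a server, has no way to revoke a user, and enables compression inside the tunnel. The variant below is an added example rather than the original post's file: it keeps the post's paths, port and address plan and changes only what matters for security. ta.key, crl.pem and the two log paths are assumed names; the matching client configuration needs the same ta.key plus `remote-cert-tls server`.

```conf
# Hardened server.conf (added example, not from the original post).
port 444
proto tcp
# routed tun instead of bridged tap; one address per client
dev tun
topology subnet
ca   /usr/local/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/2.0/keys/server.crt
key  /usr/local/openvpn/easy-rsa/2.0/keys/server.key
dh   /usr/local/openvpn/easy-rsa/2.0/keys/dh2048.pem
# Pre-shared key that authenticates and encrypts the TLS control channel, so
# a client without it cannot even start a handshake against port 444.
# Create once with: openvpn --genkey --secret ta.key (assumed path below) and
# distribute the same file to every client.
tls-crypt /usr/local/openvpn/etc/ta.key
# Only accept certificates issued with the client extensions; the client side
# uses "remote-cert-tls server" for the mirror-image check.
remote-cert-tls client
# Revocation list produced by ./revoke-full <name> in easy-rsa 2. OpenVPN
# re-reads it when it changes, after privileges have been dropped, so the
# file must be readable by "nobody".
crl-verify /usr/local/openvpn/easy-rsa/2.0/keys/crl.pem
# Crypto floor; 2.4 clients negotiate AES-256-GCM for the data channel.
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# No compression: compressing plaintext before encryption lets an attacker who
# can inject data into the tunnel recover secrets (CRIME/VORACLE class).
# comp-lzo
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist /usr/local/openvpn/ipp.txt
push "route 10.20.10.0 255.255.255.0"
push "route 10.20.20.0 255.255.255.0"
push "route 10.20.30.0 255.255.255.0"
push "dhcp-option DNS 202.96.209.133"
push "dhcp-option DNS 202.96.209.5"
# no client-to-client: developers need the database, not each other's laptops
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
# assumed log locations; status shows who is connected with which CN
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
```

With `dev tun` the interface becomes tun0 rather than tap0, which matters for the firewall rules later in this post. The `status` file is also what you check after revoking a certificate: the revoked session is only torn down at the next renegotiation, so kill it explicitly if the user must be cut off at once.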
Start OpenVPN (with --daemon and no --log option, messages go to syslog)
# /usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
Check that the port is listening
[root@localhost ~]# netstat -anpt | grep openvpn
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      20545/openvpn
At this point OpenVPN itself is configured. Next we set up access through the server, i.e. the NAT and forwarding that let VPN clients reach the VPC subnets.
Install iptables
# yum install -y iptables-services
Create the SNAT rules
--to-source is the OpenVPN server's internal (VPC) IP address.
SNAT (source address translation): when 192.168.10.0/24 talks to 10.20.10.0/24, the source address is rewritten to 10.20.10.1, so hosts in 10.20.10.0/24 can answer without needing a route back to the VPN pool, and the VPN clients can reach that subnet.
The VPC has three subnets, so three rules are added. Note that these rules only rewrite addresses; nothing in the FORWARD chain yet limits what a VPN client may reach, so every developer with a valid certificate can talk to every host and port in all three subnets.
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 10.20.10.0/24 -j SNAT --to-source 10.20.10.1
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 10.20.20.0/24 -j SNAT --to-source 10.20.10.1
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 10.20.30.0/24 -j SNAT --to-source 10.20.10.1
Save the iptables rules (this writes the running ruleset to /etc/sysconfig/iptables, replacing the distribution default, so review the result)
# service iptables save
List the nat table to confirm the rules are present
# iptables -t nat -L
Enable IP forwarding
# vi /etc/sysctl.conf
Find net.ipv4.ip_forward = 0 (add the line if it is absent)
and change it to net.ipv4.ip_forward = 1, then save.
Then apply it:
# sysctl -p
If the instance is on the classic network, add an inbound rule for TCP port 444 in the ECS security group. Limit the source to the developers' address ranges where you can rather than opening the port to 0.0.0.0/0.
The next article covers the Windows client:
http://www.py3study.com/Article/details/id/145.html