Installing OpenVPN on CentOS 6.6
I. Lab environment
The OpenVPN server has two NICs: a host-only adapter with 10.1.1.1 and a vmnet1 adapter with 172.16.1.1.
The internal server has one NIC on the host-only network with 10.1.1.2.
The OpenVPN client has one NIC on vmnet1 with 172.16.1.2.
II. Install the dependencies
1. Install the EPEL repository
2. Install openssl, openssl-devel and lzo-devel
# yum install openssl openssl-devel lzo-devel
III. Install OpenVPN
1. Download the package openvpn-2.0.9.tar.gz
2. Compile and install
# tar xf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9
# ./configure --prefix=/usr/local/openvpn
# make
# make install
3. Create the directories
# cd /usr/local/openvpn
# mkdir {etc,var}
# mkdir etc/keys
# mkdir var/run
4. Set up easy-rsa
# cp -rp /usr/local/src/openvpn-2.0.9/easy-rsa /usr/local/openvpn/etc/
5. Create the CA certificate and key
# cd /usr/local/openvpn/etc/easy-rsa/2.0
# Set the variables
# vi vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="FJ"
export KEY_CITY="FZ"
export KEY_ORG="Opr"
export KEY_EMAIL="opr@hnr.com"
# source ./vars    # initialise the certificate authority
# ./clean-all      # remove the files under the keys directory
# ./build-ca       # create the CA certificate
Generating a 1024 bit RSA private key
................................++++++
.....++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FJ]:
Locality Name (eg, city) [FZ]:
Organization Name (eg, company) [Opr]:
Organizational Unit Name (eg, section) []:HB
Common Name (eg, your name or your server's hostname) [OprCA]:CA
Email Address [opr@hnr.com]:
6. Create the server certificate and key
[root@localhost 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
..............................++++++
.....................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, your name or your server's hostname) [server]:
Email Address [opr@hnr.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'FJ'
localityName          :PRINTABLE:'FZ'
organizationName      :PRINTABLE:'Opr'
organizationalUnitName:PRINTABLE:'HB'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'opr@hnr.com'
Certificate is to be certified until Aug 27 02:13:13 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Create the client certificate and key
[root@localhost 2.0]# ./build-key henairong
Generating a 1024 bit RSA private key
..........++++++
..................................++++++
writing new private key to 'henairong.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value, your name or your server's hostname) [henairong]:
Email Address [opr@hnr.com]:hnr@hnr.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'FJ'
localityName          :PRINTABLE:'FZ'
organizationName      :PRINTABLE:'Opr'
organizationalUnitName:PRINTABLE:'HB'
commonName            :PRINTABLE:'henairong'
emailAddress          :IA5STRING:'hnr@hnr.com'
Certificate is to be certified until Aug 27 02:15:28 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Create the Diffie-Hellman key exchange parameters
# ./build-dh
9. Copy the server certificate and the related key files
# cd /usr/local/openvpn/etc/easy-rsa/2.0/keys/
# cp ca.crt dh1024.pem server.crt server.key /usr/local/openvpn/etc/keys/
IV. Configure OpenVPN
1. Provide the server configuration file
# cp /usr/local/src/openvpn-2.0.9/sample-config-files/server.conf /usr/local/openvpn/etc/
# cd /usr/local/openvpn/etc/
# vi server.conf
local 172.16.1.1
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/server.crt
key /usr/local/openvpn/etc/keys/server.key  # This file should be kept secret
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 192.168.100.0 255.255.255.0  # address pool handed out to clients; note: it must not overlap the VPN server's internal subnet
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"  # internal subnet the clients are allowed to reach
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /usr/local/openvpn/var/openvpn-status.log
log /usr/local/openvpn/var/openvpn.log
verb 3
auth-user-pass-verify /usr/local/openvpn/etc/checkpsw.sh via-env
username-as-common-name
3. Provide the username/password authentication configuration
# vi checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN (via-env) passes the credentials in the
# environment variables $username and $password.

PASSFILE="/usr/local/openvpn/etc/psw-file"
LOG_FILE="/usr/local/openvpn/var/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# Look up the first non-comment row whose first field is the username.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Note: the failure branches below write the submitted password to the log in plaintext.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

# chmod +x checkpsw.sh
Provide the username/password file
# vi psw-file
# chmod 400 psw-file
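A hardened variant of the same auth-user-pass-verify hook, added here as an example; it is not part of the original post and not Sundman's script. It assumes the same via-env contract (OpenVPN exports $username and $password, exit 0 accepts), a hypothetical password-file layout of one "user salt hexdigest" line per user, and coreutils sha256sum:

```shell
#!/bin/sh
# Added example, not the page's checkpsw.sh: same via-env contract (OpenVPN exports
# $username and $password; exit 0 accepts, exit 1 rejects) with three changes:
#   1. the password file stores salted SHA-256 digests instead of plaintext;
#   2. the username reaches awk through -v, never spliced into the awk program text;
#   3. the log records outcomes and usernames only, never the submitted password.
# Hypothetical file layout (assumption): one "user salt hexdigest" line per user.

hash_pw() {                       # hash_pw SALT PASSWORD -> hex digest on stdout
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

make_entry() {                    # make_entry USER PASSWORD -> one password-file line
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s %s %s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")"
}

# verify_user USER PASSWORD PASSFILE LOGFILE -> returns 0 on success, 1 on failure
verify_user() {
    user=$1 pw=$2 file=$3 log=$4
    stamp=$(date "+%Y-%m-%d %T")
    # The username is client-supplied input: allowlist it before using it as a key,
    # and do not echo a rejected value into the log.
    case "$user" in
        ""|*[!A-Za-z0-9_.@-]*) echo "$stamp: rejected malformed username" >> "$log"; return 1 ;;
    esac
    [ -r "$file" ] || { echo "$stamp: cannot read password file $file" >> "$log"; return 1; }
    entry=$(awk -v u="$user" '!/^[;#]/ && $1 == u { print $2, $3; exit }' "$file")
    if [ -z "$entry" ]; then
        echo "$stamp: unknown user \"$user\"" >> "$log"; return 1
    fi
    salt=${entry%% *} want=${entry#* }
    if [ "$(hash_pw "$salt" "$pw")" = "$want" ]; then
        echo "$stamp: successful authentication: \"$user\"" >> "$log"; return 0
    fi
    echo "$stamp: incorrect password for \"$user\"" >> "$log"; return 1
}

# Constructed stand-ins for /usr/local/openvpn/etc/psw-file and the password log.
PASSFILE=$(mktemp) LOGFILE=$(mktemp)
{ echo '# user salt sha256(salt:password)'; make_entry henairong 'nihao123!'; } > "$PASSFILE"
# In the real hook the last line would be:
#   verify_user "$username" "$password" /usr/local/openvpn/etc/psw-file /usr/local/openvpn/var/openvpn-password.log
```

Generate each psw-file line with make_entry on the server, so the plaintext password never has to sit on disk.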
4. Configure the service script
Fix the file ownership
# chown -R nobody.nobody /usr/local/openvpn
Provide the service script
# cp -p /usr/local/src/openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn
Edit the service script
# vi /etc/init.d/openvpn
openvpn="/usr/local/openvpn/sbin/openvpn"
# PID directory
piddir="/usr/local/openvpn/var/run/openvpn"
# Our working directory
work=/usr/local/openvpn/etc
5. Start the service
# service openvpn start
V. Install and configure the Windows client
1. Download the package
openvpn-install-2.3.11-I601-x86_64.exe
2. Double-click the installer
Download the client certificate and key just generated, and the CA certificate, from the server.
Download the client configuration file from the source directory:
/usr/local/src/openvpn-2.0.9/sample-config-files/client.conf
Copy the files above into the installation directory
C:\Program Files\OpenVPN\config
client
dev tun
proto tcp
remote 172.16.1.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert henairong.crt
key henairong.key
comp-lzo
verb 3
auth-user-pass passwd
5. Create the username/password file
C:\Program Files\OpenVPN\config\passwd
henairong
nihao123!
6. Start the service
Run it as administrator.
Verification
On the remote host 10.1.1.2 a route back to the VPN pool must be added:
# route add -net 192.168.100.0/24 gw 10.1.1.1
VI. Revoking a client certificate
# cd /usr/local/openvpn/etc/easy-rsa/2.0
# source ./vars
# ./revoke-full henairong
Edit openssl.cnf and comment out the following lines:
#[pkcs11_section]
#engine_id = pkcs11
#dynamic_path = /usr/lib/engines/engine_pkcs11.so
#MODULE_PATH = $ENV::PKCS11_MODULE_PATH
#PIN = $ENV::PKCS11_PIN
#init = 0
[root@localhost 2.0]# ./revoke-full henairong
Using configuration from /usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /usr/local/openvpn/etc/easy-rsa/2.0/openssl.cnf
henairong.crt: C=CN, ST=FJ, L=FZ, O=Opr, OU=HB, CN=henairong, emailAddress=hnr@hnr.com
error 8 at 0 depth lookup:CRL signature failure
140167567640392:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:217:
When this command completes, a crl.pem file is generated in the keys directory; it contains the list of revoked certificates.
After a certificate has been revoked successfully, open keys/index.txt: the entry for the revoked certificate is now marked with R.
# vi /usr/local/openvpn/etc/server.conf
crl-verify /usr/local/openvpn/etc/easy-rsa/2.0/keys/crl.pem
Restart the service
# service openvpn restart