Building a private cross-region LAN with OpenVPN
Deployment environment:
Server side
I. Network environment
1. Check the SELinux status and make sure it is disabled
vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
2. Enable routing (IP forwarding) on the server
vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
sysctl -p
3. Modify the iptables rules:
Set up NAT forwarding:
Note: make sure the VPN address pool can be routed out to the Internet
4. Allow the OpenVPN port through the firewall:
5. Time synchronization (important):
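The five steps of section I as one pre-flight script. This is an added example, not part of the original wiki page: it only reads the state the steps change and prints the iptables rules to apply, so it needs no root to run. The NAT and port rules are my assumptions about what the page's (unshown) iptables commands do: masquerade the 10.8.0.0/24 pool from the server.conf below out of one public interface, and admit only the OpenVPN port/protocol; the interface name (eth0) and the reference time for the clock check are parameters.

```sh
#!/bin/sh
# Added example, not from the original wiki page: pre-flight checks for the
# server-side network settings (SELinux, ip_forward, NAT, port, clock).
# Assumptions (mine, not the page's): VPN pool 10.8.0.0/24, outbound
# interface eth0 unless given as $1, OpenVPN on udp/1194.

# Return 0 if the SELinux config file sets SELINUX=disabled.
selinux_disabled() {
    grep -q '^SELINUX=disabled' "$1" 2>/dev/null
}

# Return 0 if the forwarding flag file (e.g. /proc/sys/net/ipv4/ip_forward)
# contains exactly "1".
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Print the line that makes forwarding persistent in /etc/sysctl.conf.
sysctl_forward_line() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Print the NAT rule that masquerades POOL (CIDR) out of IFACE.
nat_rule() {
    pool=$1; iface=$2
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$pool" "$iface"
}

# Print the INPUT rule that admits OpenVPN traffic on PROTO/PORT only,
# rather than opening the host wholesale.
port_rule() {
    proto=$1; port=$2
    printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
}

# Return 0 if the local clock is within MAX_SKEW seconds of REF (epoch
# seconds). Certificate validity checks fail when the clock is far off,
# which is why the page marks time sync as important.
clock_within() {
    ref=$1; max_skew=$2
    now=$(date +%s)
    diff=$(( now - ref ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$max_skew" ]
}

# Run the checks against the live host and print the rules to apply.
preflight() {
    iface=$1
    if selinux_disabled /etc/sysconfig/selinux; then
        echo "selinux: disabled"
    else
        echo "selinux: NOT disabled (set SELINUX=disabled in /etc/sysconfig/selinux)"
    fi
    if ip_forward_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "ip_forward: on"
    else
        echo "ip_forward: off (add '$(sysctl_forward_line)' to /etc/sysctl.conf, then sysctl -p)"
    fi
    echo "rules to apply:"
    nat_rule 10.8.0.0/24 "$iface"
    port_rule udp 1194
}

preflight "${1:-eth0}"
```

Usage: `sh preflight.sh eth0` prints the verdicts and the two rules; review them, then run the rules as root.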
II. Install the dependency libraries
III. Install OpenVPN:
(The latest source tarball can be downloaded from http://openvpn.net/index.php/open-source/downloads.html)
#wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.6.tar.gz #2015-03-28
Copy the templates to the OpenVPN configuration directory:
Copy the OpenVPN configuration file to the main directory:
IV. 1. Download easy-rsa:
Note: this package is used to create the CA certificate, the server certificate and the client certificates. The openvpn 2.3.0 source no longer bundles easy-rsa, so it has to be downloaded and installed separately to generate the certificates for OpenVPN.
cd /etc/openvpn/easy-rsa/easyrsa3 # this is the easyrsa3 version; many posts online describe 2.0, but the same download gives version 3, so version 3 is what is recorded here.
All of the following operations are carried out in this directory (pwd: /etc/openvpn/easy-rsa/easyrsa3/)
2. Edit the vars file according to your own environment
Copy vars.example to vars
cp vars.example vars
Change the fields below: run vi vars, edit them, then save with :wq
set_var EASYRSA_REQ_COUNTRY "CN" # change to match your own situation
set_var EASYRSA_REQ_PROVINCE "BeiJingShi"
set_var EASYRSA_REQ_CITY "BeiJing"
set_var EASYRSA_REQ_ORG "My_ORG"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "APICloud_OpenVPN"
3. Initialize the /etc/openvpn/easy-rsa/easyrsa3/ directory:
# ./easyrsa init-pki
==================================
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/src/easy-rsa-master/easyrsa3/pki
==================================
4. Create the root (CA) certificate
====================================================
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase: apicloud
Verifying - Enter PEM pass phrase: apicloud --this passphrase is used when signing certificates
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: apicloud
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
====================================================
Note: in the section above you are asked for a PEM pass phrase, entered twice; you must remember this passphrase, otherwise you will not be able to sign certificates later. You are also asked for a common name; set this to anything unique of your choosing.
5. Create the server certificate
====================================================
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:admin --any name is fine, but it must differ from the one used for the root certificate
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
====================================================
Sign the server certificate: (sign the server certificate request just created with the CA certificate)
===================================================
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = admin
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes --type yes to confirm
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: --enter the CA certificate passphrase, apicloud
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'admin'
Certificate is to be certified until Mar 25 07:45:43 2025 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
================================================================
Create the Diffie-Hellman parameters, so that the key exchange can cross an untrusted network:
================================================
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................+...................................+...................................+...
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
================================================
6. Create the client certificate (pwd: /root/client/easy-rsa/easyrsa3)
Go to the root home directory and create a client folder (the folder name is arbitrary), copy the easy-rsa folder unpacked earlier into the client folder, then change into the directory below
A: Initialize the directory:
==============================
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
==============================
B: Create the client key and certificate request (client passphrase)
========================================
Generating a 2048 bit RSA private key
...........................................+++
......+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qingbo.key'
Enter PEM pass phrase: --client certificate passphrase: qingbo
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qingbo]:qingbo --client certificate name
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key
========================================
C: Import the resulting qingbo.req and sign the certificate
=======================
Change to /etc/openvpn/easy-rsa/easyrsa3/
cd /etc/openvpn/easy-rsa/easyrsa3/
Import the request
./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req qingbo
------------------------------------
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qingbo
You may now use this name to perform signing operations on this request.
------------------------------------
Sign the certificate
./easyrsa sign client qingbo # 'client' because this is a client certificate; qingbo must match the name given at import
====================================
Signing here works the same as for the server; you are asked for the CA passphrase along the way
7. Certificate management
A: Overview of the generated certificates and keys
Server side: (/etc/openvpn/easy-rsa/ folder)
===================================
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/qingbo.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt
====================================
Client side: (/root/client/easy-rsa folder)
====================================
/root/client/easy-rsa/easyrsa3/pki/private/qingbo.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qingbo.req # this file was imported into the server-side PKI, so a copy exists there too
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
====================================
B: Copy the files to where they belong
/etc/openvpn/ (ca.crt, server.key, server.crt, dh.pem)
================================
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn
================================
/root/client/ (ca.crt, qingbo.crt, qingbo.key)
================================
# cd
# cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt /root/client
# cp /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key /root/client
================================
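Before the files from step 7 are copied into /etc/openvpn and onto the client, it is worth checking that they fit together: that server.crt and qingbo.crt really chain to ca.crt, that each key belongs to its certificate, that the certificates are valid for the expected period, and that the private keys are not world-readable. The script below is an added example, not part of the original wiki page and not Easy-RSA's own code; it uses only the openssl command line, which is what Easy-RSA wraps. File paths are parameters (on the page they are /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt, pki/issued/*.crt and pki/private/*.key). The optional PASS argument is the PEM passphrase of an encrypted key: on the page ca.key (apicloud) and qingbo.key (qingbo) are encrypted, server.key is not. The make_demo_pki function builds a throwaway CA and one signed certificate with plain openssl, mirroring what build-ca, gen-req and sign do, so the checks can be exercised without touching the real PKI.

```sh
#!/bin/sh
# Added example, not from the original wiki page and not Easy-RSA code:
# sanity checks on the certificates and keys produced in steps 4-7.

# Return 0 if CERT was issued by the CA in CA_CERT.
cert_signed_by_ca() {
    ca_cert=$1; cert=$2
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1
}

# Return 0 if KEY is the private key matching CERT (identical public key).
# PASS (optional) is the PEM passphrase of an encrypted key.
key_matches_cert() {
    cert=$1; key=$2; pass=$3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -n "$pass" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    fi
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the commonName of CERT's subject (admin / qingbo on the page).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if CERT stays valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Return 0 if FILE is readable by its owner only (mode 600 or 400).
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Constructed sample PKI (not the page's): a self-signed CA "apicloud" and
# one certificate with commonName CN signed by it, all unencrypted, in DIR.
make_demo_pki() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=apicloud" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.req" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$cn.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -out "$dir/$cn.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key" "$dir/$cn.key"
}

# Run every check on one cert/key pair and print one verdict per line.
check_pair() {
    ca=$1; cert=$2; key=$3; pass=$4
    echo "subject CN: $(cert_cn "$cert")"
    if cert_signed_by_ca "$ca" "$cert"; then echo "chain: OK"; else echo "chain: FAIL"; fi
    if key_matches_cert "$cert" "$key" "$pass"; then echo "key/cert: match"; else echo "key/cert: MISMATCH"; fi
    if cert_valid_for_days "$cert" 30; then echo "expiry: more than 30 days left"; else echo "expiry: expires within 30 days"; fi
    if key_perms_ok "$key"; then echo "key mode: OK"; else echo "key mode: too permissive"; fi
}

# Stand-alone run: build the demo PKI in a temp dir and check it.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d" admin
    check_pair "$d/ca.crt" "$d/admin.crt" "$d/admin.key"
    rm -rf "$d"
}
demo
```

To check the page's real files, source the script and call, for example, `check_pair /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn/easy-rsa/easyrsa3/pki/issued/qingbo.crt /root/client/easy-rsa/easyrsa3/pki/private/qingbo.key qingbo`.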
V. OpenVPN service configuration and startup
1. Copy the template file to /etc/openvpn/ (this was already done during the source build)
# cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn/
2. Edit server.conf
=====================================
local (your own VPS IP)
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
log /usr/local/openvpn/log/openvpn.log
log-append /usr/local/openvpn/log/openvpn.log
status /usr/local/openvpn/log/openvpn-status.log
verb 3
================================
3. Start the OpenVPN service
# /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &
4. Start at boot
# echo "/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf > /dev/null 2>&1 &" >> /etc/rc.local
Client configuration:
I. Install the Windows client (Win7 64-bit)
1. Download the client; installation path D:\Program Files (x86)\OpenVPN
# http://vpntech.googlecode.com/files/openvpn-2.1.1-gui-1.0.3-install-cn-64bit.zip
2. Copy the client certificate files generated on the server (ca.crt, qingbo.crt, qingbo.key) to D:\Program Files\OpenVPN\config on the client.
These three files are the ones under /root/client/.
3. Create a client.ovpn file in D:\Program Files\OpenVPN\config
with the following contents:
==========================
client
dev tun
proto udp
remote <vps ip> 1194 # replace <vps ip> with your own VPS IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt # the certificate files go here
cert qingbo.crt
key qingbo.key
comp-lzo
verb 3
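The client setup above copies three files into the config directory and writes client.ovpn by hand. The script below is an added example, not part of the original wiki page: it assembles a single-file profile with ca.crt, qingbo.crt and qingbo.key inlined in `<ca>`, `<cert>` and `<key>` blocks, which OpenVPN accepts in place of the separate `ca`/`cert`/`key` directives, so only one file has to be moved to the Windows machine. The directives are the ones from the client config above; the server address and port are parameters (the page writes "remote vps ip 1194"), the directory and client name default to the page's /root/client and qingbo, and only the PEM block of each file is copied (Easy-RSA's issued/*.crt carries a human-readable dump above the PEM).

```sh
#!/bin/sh
# Added example, not from the original wiki page: build client.ovpn with the
# certificate files inlined. Assumed layout: DIR/ca.crt, DIR/CLIENT.crt,
# DIR/CLIENT.key (the page copies these to /root/client).

# Print only the PEM block(s) of FILE, dropping any text dump before them.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Print a profile for REMOTE_HOST:PORT using the files in DIR named after CLIENT.
# Returns 1 (and prints nothing) if one of the three files is missing.
make_client_profile() {
    dir=$1; client=$2; remote_host=$3; port=${4:-1194}
    for f in "$dir/ca.crt" "$dir/$client.crt" "$dir/$client.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote_host $port
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
$(pem_only "$dir/ca.crt")
</ca>
<cert>
$(pem_only "$dir/$client.crt")
</cert>
<key>
$(pem_only "$dir/$client.key")
</key>
EOF
}

# Count the inline sections in a profile read from stdin (a complete profile has 3).
inline_sections() {
    grep -cE '^<(ca|cert|key)>$'
}

# Stand-alone run: make_client_profile /root/client qingbo <vps ip> 1194 > client.ovpn
if [ $# -ge 3 ]; then
    make_client_profile "$1" "$2" "$3" "$4"
fi
```

Usage: `sh make_profile.sh /root/client qingbo 203.0.113.10 > client.ovpn` (the address here is a placeholder), then copy client.ovpn alone into D:\Program Files\OpenVPN\config. If qingbo.key is still passphrase-protected, the GUI prompts for the passphrase exactly as it does with the separate key file.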
II. Start the client and test the configuration
http://www.iamle.com/archives/1322.html/comment-page-1
http://blog.csdn.net/yetyongjin/article/details/7412378
http://www.linuxidc.com/Linux/2014-11/109588.htm
http://www.linuxidc.com/Linux/2013-06/86118p2.htm
http://swht1278.blog.51cto.com/7138082/1626004
Enable VPN peer-to-peer (client-to-client) communication: in server.conf, change ;client-to-client to client-to-client
Log in to the VPN without a password (remove the passphrase from the key)
cd pki/private
openssl rsa -in XXXXX.key -out XXX-nopass.key