安裝部署:
CentOS 6.5
軟件FQ官網下載
#同步系統時間
yum install chrony -y
service chronyd start && chronyc sources && chkconfig chronyd on
或
yum install ntpdate -y
crontab添加
*/1 * * * * /usr/sbin/ntpdate 0.rhel.pool.ntp.org > /dev/null 2>&1
service crond restart
1、安裝依賴包:
yum install epel-release -y && echo "sslverify=false">>/etc/yum.conf
yum install openssl openssl-devel lzo lzo-devel pam pam-devel pam_mysql automake pkgconfig gcc gcc-c++
2、安裝openvpn
cd /usr/local/src/
tar -zxvf openvpn-2.4.4.tar.gz
cd openvpn-2.4.4
./configure --prefix=/opt/openvpn make && make install
cp -a sample/sample-config-files/server.conf /opt/openvpn/
#最好放在/opt/openvpn/下
cp -a distro/rpm/openvpn.init.d.rhel /etc/init.d/openvpn
#創建啓動腳本
ln -s /opt/openvpn/sbin/openvpn /usr/sbin/openvpn
#啓動腳本中會用到,也可以不執行此命令,直接在啓動腳本中修改
vi /etc/init.d/openvpn
#在85行,修改爲:work=/opt/openvpn
cd /opt/openvpn/ && mv server.conf server.conf.bak
vi server.conf #修改配置文件; ';'爲註釋
port 1195 #使用1195端口
proto tcp #使用tcp傳輸模式
dev tun #使用tun虛擬網卡設備(還有一種是Tap)
ca keys/ca.crt #指定server端證書路徑
cert keys/server.crt #指定server端證書路徑
key keys/server.key #Thisfile should be kept secret
dh keys/dh2048.pem
tls-auth keys/ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0 #openvpn使用的網絡
push "route 10.8.0.0 255.255.0.0" #添加openvpn路由
#push "route 0.0.0.0 0.0.0.0"
ifconfig-pool-persist ipp.txt #客戶端連入後使用的IP地址池
push "dhcp-option DNS 61.134.1.4" #客戶端連入後使用的DNS
push "dhcp-option DNS 223.5.5.5"
keepalive 10 120 #保持VPN會話
comp-lzo #開啓Lzo數據壓縮
user nobody
group nobody
auth-user-pass-verify /opt/openvpn/checkpsw.sh via-env
script-security 3
client-cert-not-required
#不請求客戶的CA證書,使用User/Pass驗證,如果同時啓用證書和密碼認證,註釋掉該行
username-as-common-name
persist-key
persist-tun
verb 3
link-mtu 1500 #設置MTU連接數值
status logs/openvpn-status.log
log logs/openvpn.log
log-append logs/openvpn.log
mkdir logs #創建日誌目錄
mkdir keys #創建key目錄
######:
[root@vpn ~]# openvpn --help | grep -A 5 script-security
--script-security level mode : mode='execve' (default) or 'system', level=
0 -- strictly no calling of external programs
1 -- (default) only call built-ins such as ifconfig
2 -- allow calling of built-ins and scripts
3 -- allow password to be passed to scripts via env
--shaper n : Restrict output to peer to n bytes per second.
3、安裝easy-rsa,用來生成證書和密鑰:
cd /usr/local/src/
wget http://download.freenas.org/distfiles/easy-rsa-2.2.0_master.tar.gz
#http://download.freenas.org/distfiles/
tar -zxvf easy-rsa-2.2.0_master.tar.gz
cp -a easy-rsa-2.2.0_master/easy-rsa /opt/openvpn/
cd /opt/openvpn/easy-rsa/2.0/
mv vars vars.bak
vi vars #修改配置文件
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048 #修改爲2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN" #以下根據自己情況修改
export KEY_PROVINCE="ShaanXi"
export KEY_CITY="XA"
export KEY_ORG="yjz"
export KEY_EMAIL="[email protected]"
export KEY_CN=yjz
export KEY_NAME=yjz
export KEY_OU=yjz
ln -s openssl-1.0.0.cnf openssl.cnf
source vars
#全局變量
##生成證書,以下命令全部一直回車
./clean-all
#清空所有證書(keys目錄下)
./build-ca
#生成服務器ca證書
./build-key-server server
#生成服務端證書
./build-dh
#生成DH驗證文件(dh2048.pem)
openvpn --genkey --secret ta.key
#降低DDoS風險
./build-key client
#生成客戶端證書(建議以使用者命名)
4、設置外網訪問:
vim /etc/sysctl.conf #將net.ipv4.ip_forward = 0 改爲 1
sysctl -p
配置nat表將vpn網段IP轉發到server內網:很重要
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#注意接口(eth0)是內網的接口,其它選項不要修改
iptables -A INPUT -p TCP --dport 1195 -j ACCEPT
#開啓防火牆1195端口
service iptables restart #POSTROUTING需要保存並重啓服務才能生效
chkconfig iptables on
5、啓動服務
#拷貝證書到/opt/openvpn/keys目錄下
cd /opt/openvpn/easy-rsa/2.0/keys/ cp -a ca.crt server.crt dh2048.pem server.key /opt/openvpn/keys
cd .. && cp ta.key /opt/openvpn/keys /etc/init.d/openvpn start chkconfig openvpn on
6、配置腳本+密碼文件控制方式
下載腳本,根據具體配置修改紅色部分
http://openvpn.se/files/other/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/opt/openvpn/psw-file"
LOG_FILE="/opt/openvpn/logs/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
touch /opt/openvpn/logs/openvpn-password.log
chown nobody:nobody /opt/openvpn/logs/openvpn-password.log
密碼存放方式
在psw-file裏按”用戶名[空格或者tab]密碼“這種規則方式存放
touch /opt/openvpn/logs/psw-file
chown nobody:nobody /opt/openvpn/psw-file
cat /opt/openvpn/psw-file
test test
ipad ipad
8、windows客戶端配置:
下載:openvpn-install-2.4.4-I601.exe 點擊安裝,一直next,默認目錄安裝即可 一般會安裝到 C:/Program Files/OpenVPN/ 目錄下
創建client.ovpn文件: client dev tun proto tcp-client remote x.x.x.x 1195 #vpn服務端ip,這裏爲內網對應的公網IP,路由器映射至內網主機
remote-random
resolv-retry infinite
nobind
persist-key persist-tun
ca ca.crt
auth-user-pass
auth-nocache
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC #保持服務端和客戶端一致
comp-lzo
status openvpn-status.log
將client.ovpn文件放到C:/Program Files/OpenVPN/config目錄下
從VPN服務端下載ca.crt,ta.key證書 將ca.crt,ta.key證書放到C:/Program Files/OpenVPN/config目錄下
點擊桌面openvpn圖標,輸入相應的用戶名密碼即可