環境版本
[root@test ~]# lsb_release -aLSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOSDescription: CentOS Linux release 7.4.1708 (Core)
Release: 7.4.1708Codename: Core
open***-2.4.5-1.el7.x86_64
easy-rsa-3.0.3-1.el7.noarch123456789
安裝
關閉selinux
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig makecache
yum install -y open***
yum install -y easy-rsagroupadd open***
useradd -g open*** -M -s /sbin/nologin open***
mkdir /etc/open***/cp -R /usr/share/easy-rsa/ /etc/open***/cp /usr/share/doc/open***-2.4.5/sample/sample-config-files/server.conf /etc/open***/cp -r /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/open***/easy-rsa/3.0/vars1234567891011
配置文件
/etc/open***/server.conf
port 1194proto udp
dev tun
ca /etc/open***/easy-rsa/3.0/pki/ca.crt
cert /etc/open***/easy-rsa/3.0/pki/issued/wwwserver.crt
key /etc/open***/easy-rsa/3.0/pki/private/wwwserver.key
dh /etc/open***/easy-rsa/3.0/pki/dh.pem
tls-auth /etc/open***/ta.key 0server 10.8.1.0 255.255.255.0ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"push "dhcp-option DNS 223.5.5.5"push "dhcp-option DNS 114.114.114.114"keepalive 10 120cipher AES-256-CBCcomp-lzomax-clients 50user open***group open***
persist-keypersist-tunstatus open***-status.loglog-append open***.logverb 3mute 2012345678910111213141516171819202122232425
/etc/open***/easy-rsa/3.0/vars
去掉一下參數前面的#號
set_var EASYRSA "$PWD"set_var EASYRSA_PKI "$EASYRSA/pki"set_var EASYRSA_DN "cn_only"set_var EASYRSA_REQ_COUNTRY "CN"set_var EASYRSA_REQ_PROVINCE "BEIJING"set_var EASYRSA_REQ_CITY "BEIJING"set_var EASYRSA_REQ_ORG "Open××× CERTIFICATE AUTHORITY"set_var EASYRSA_REQ_EMAIL "[email protected]"set_var EASYRSA_REQ_OU "Open××× EASY CA"set_var EASYRSA_KEY_SIZE 2048set_var EASYRSA_ALGO rsaset_var EASYRSA_CA_EXPIRE 7000set_var EASYRSA_CERT_EXPIRE 3650set_var EASYRSA_NS_SUPPORT "no"set_var EASYRSA_NS_COMMENT "Open××× CERTIFICATE AUTHORITY"set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"set_var EASYRSA_DIGEST "sha256"123456789101112131415161718
證書的創建
cd /etc/open***/easy-rsa/3.0./easyrsa init-pki初始化,會在當前目錄創建PKI目錄,用於存儲一些中間變量及最終生成的證書
./easyrsa build-ca創建根證書,首先會提示設置密碼,用於ca對之後生成的server和client證書籤名時使用,然後會提示設置Country Name,State or Province Name,Locality Name,Organization Name,Organizational Unit Name,Common Name,Email Address,可以鍵入回車使用默認的,也可以手動更改
設置ca密碼(輸入兩次):ca.com123456
./easyrsa gen-dh
open*** --genkey --secret ta.keycp -r ta.key /etc/open***/123
創建服務端證書,生成請求,使用gen-req來生成req,創建server端證書和private key,可以使用nopass表示不加密private key,然後會提示設置Country Name,State or Province Name,Locality Name,Organization Name,Organizational Unit Name,Common Name,Email Address,可以鍵入回車使用默認的,也可以手動更改
./easyrsa gen-req wwwserver
設置server密碼(輸入兩次):openserver.com123
創建服務端證書、密碼openserver.com
簽發證書,簽約服務端證書,給server端證書做簽名,首先是對一些信息的確認,可以輸入yes,然後輸入build-ca時設置的那個密碼
./easyrsa sign-req server wwwserver
輸入yes簽發證書,輸入ca密碼:ca.com
生成windows客戶端用戶:
./easyrsa build-client-full testname#注意:生成客戶端用戶的時候會提示設置密碼#可以直按回車密碼爲空、也可以設置輸入密碼(如設置密碼,客戶端連接時需輸入密碼)123
生成客戶端證書,並設置密碼(客戶端連接時用)
[root@gitlab ~]# ll /etc/open***/easy-rsa/3.0/pki/private/testname.key-rw------- 1 root root 1834 Apr 25 15:48 /etc/open***/easy-rsa/3.0/pki/private/testname.key
[root@gitlab ~]# ll /etc/open***/easy-rsa/3.0/pki/issued/testname.crt-rw------- 1 root root 4438 Apr 25 15:48 /etc/open***/easy-rsa/3.0/pki/issued/testname.crt1234
操作系統設置
vim /etc/sysctl.conf
末尾加入
net.ipv4.ip_forward = 1保存後執行:sysctl -psystemctl start firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --list-allfirewall-cmd --add-service=open*** --permanent
firewall-cmd --add-port=1194/tcp --permanent
firewall-cmd --add-port=1194/udp --permanent
firewall-cmd --add-port=22/tcp --permanent
firewall-cmd --add-source=10.8.0.0 --permanent
firewall-cmd --query-source=10.8.0.0 --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --query-masquerade --permanent
firewall-cmd --reload
可以根據自己的需求開放端口123456789101112131415161718
啓動open***
systemctl start open***@server
啓動時輸入服務端證書密碼:openserver.com
第一次啓動的時候可能會提示,重新執行systemctl start open***@server輸入密碼即可
客戶端配置
客戶端open***版本2.4.5
鏈接:https://pan.baidu.com/s/13ngQs9WSpQ0ZER5Q9lR-kg 密碼:kisi
客戶端需要的證書:testname.crt、testname.key、ca.crt、ta.key
get /etc/open***/easy-rsa/3.0/pki/private/testname.keyget /etc/open***/easy-rsa/3.0/pki/issued/testname.crtget /etc/open***/easy-rsa/3.0/pki/ca.crtget /etc/open***/ta.key12345
客戶端配置文件testname.o***(ip換爲open***服務器外網ip)
client
dev tun
proto udp
resolv-retry infinite
nobind
remote 47.175.155.184 1194 ns-cert-type server
comp-lzoca ca.crt
cert testname.crt
key testname.key
tls-auth ta.key 1keepalive 10 120persist-keypersist-tunverb 5redirect-gatewayroute-method exe
route-delay 2status testname-status.loglog-append testname.log123456789101112131415161718192021
安裝Open××× 2.4.5 x86_64後,清空config文件夾,將testname.crt、testname.key、ca.crt、ta.key、testname.o***放入config目錄中,
配置完成後啓動,如果有設置密碼的話輸入密碼即可。
備註
1、如果需要創建其他用戶的話,按照上面的方式創建客戶端證書即可
2、客戶端證書生成失敗,刪除文件即可
rm -rf /etc/open***/easy-rsa/3.0/pki/reqs/username.req
rm -rf /etc/open***/easy-rsa/3.0/pki/private/username.key
3、刪除用戶證書
cd /etc/open***/easy-rsa/3.0
./easyrsa revoke username
生成CRL文件(撤銷證書的列表)
./easyrsa gen-crl123
4、服務啓停
systemctl stop open***@server
systemctl start open***@server