NAT traversal is normally something only routers support, but OpenVPN supports it as well: to use OpenVPN behind NAT, a single port mapping on the router is all that is needed. OpenVPN also supports certificate-based encryption of the data transfer, which makes it far more secure than PPTP VPN. However, since an OpenVPN client connects to the server with nothing more than a double-click, it can feel insecure, so OpenVPN can be configured to require both a certificate and a username/password to log in. To revoke a user's account, simply delete that user's record from the password file; likewise, to add a user, the same digital certificate can be reused and only a username/password record needs to be added.
1. Before starting, configure the OpenVPN server and client:
Environment: CentOS Linux release 7.3.1611 (Core) + OpenVPN 2.4.3 x86_64
# Set up local time synchronisation: remove the other time server entries
yum install -y ntp
sed -i "s/server 0.centos.pool.ntp.org iburst/server cn.pool.ntp.org iburst/" /etc/ntp.conf
sed -i "22,24d" /etc/ntp.conf
systemctl disable chronyd.service
systemctl stop chronyd.service
systemctl enable ntpd.service
systemctl start ntpd.service
ntpdate asia.pool.ntp.org && hwclock -w
#ntpdate time.windows.com && hwclock -w
# Update the time from the network; if it succeeds, write the system time to the BIOS
#hwclock -w or hwclock --systohc
# This can be put in crontab

# OpenVPN server setup and deployment
yum install epel-release
yum install openvpn lzo-devel easy-rsa -y
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
cp -R /usr/share/easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0/
#egrep -v '^$|^#' vars
# (edit vars so that its non-comment lines read as follows)
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="gd"
export KEY_CITY="sz"
export KEY_ORG="company"
export KEY_EMAIL="[email protected]"
export KEY_OU="company"
export KEY_NAME="server"
source vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key client
# Required by the server.conf below but not covered by the commands above: generate the
# tls-auth key it references as ta.key, and copy the generated files into /etc/openvpn,
# where the config expects to find them
openvpn --genkey --secret /etc/openvpn/ta.key
cp keys/ca.crt keys/server.crt keys/server.key keys/dh2048.pem /etc/openvpn/
#egrep -v '^;|^#|^$' /etc/openvpn/server.conf
local 192.168.1.254
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.253"
push "dhcp-option DNS 114.114.114.114"
client-to-client
keepalive 10 120
tls-auth ta.key 0  # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
mute 20
# Check whether iptables is installed
service iptables status
# Install iptables
yum install -y iptables
# Upgrade iptables (not needed if the latest version is already installed)
yum update iptables
# Install iptables-services
yum install iptables-services
# Disable/stop the built-in firewalld service
systemctl stop firewalld
systemctl mask firewalld
# Kernel IP forwarding must be enabled, or the FORWARD/SNAT rules below will never carry VPN traffic
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
# Configure iptables
iptables -L -n
# Allow everything first, otherwise you may lock yourself out
iptables -P INPUT ACCEPT
iptables -F
iptables -X
iptables -Z
iptables -t nat -A POSTROUTING -o ens160 -j SNAT --to 192.168.1.254
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i ens160 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o ens160 -j ACCEPT
iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
service iptables save
service iptables restart
2. Client configuration:
#client.ovpn
client
dev tun
proto udp
remote 192.168.1.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
Merge the three files (the CA certificate, the client .crt and the client .key) into the main configuration file.
Delete the following three lines from the main configuration file:
ca ca.crt
cert test1.crt
key test1.key
Add the following to the configuration file:
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
Copy the contents of the CA certificate file into <ca> </ca>.
Copy the .crt and .key contents into their corresponding tags. The client's tls-auth ta.key 1 line likewise needs the server's ta.key; it can be inlined the same way in a <tls-auth> </tls-auth> block together with the directive key-direction 1.
Finally, add the following to the configuration file:
auth-user-pass
3. Edit the OpenVPN server's main configuration file and add the following, which requires both a certificate and a username/password to log in:
script-security 2  # Allow calling of built-in executables and user-defined scripts
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file
4. Add the account/password authentication script:
cat /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# This script authenticates OpenVPN users against a plain
# text file. The passfile contains one row per user: the
# username, one colon (:), then the password.
# In via-file mode OpenVPN passes the path of a temporary
# file whose first line is the username and second line
# the password.
PASSFILE="/etc/openvpn/pass_file"
LOG_FILE="/var/log/openvpn-password.log"  # must be writable by the user OpenVPN runs as (nobody)
TIME_STAMP=$(date "+%F %T")
###########################################################
username=$(head -n 1 "$1")
password=$(sed -n '2p' "$1")

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Pass the username in with -v instead of splicing it into the awk program text,
# so a crafted username cannot change the awk code; skip ';' and '#' comment lines.
# Everything after the first colon is the password, so passwords may contain ':'.
CORRECT_PASSWORD=$(awk -F ':' -v u="${username}" \
  '!/^[;#]/ && $1 == u { print substr($0, index($0, ":") + 1); exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  # Log only the username; the submitted password is never written to the log.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
5. Prepare the username/password authentication file. Username and password are separated by a colon (:), as the script expects; also make sure the user OpenVPN runs as can read the file:
# cat pass_file
test1:123456
test2:12345678
# chmod 400 pass_file
# chown nobody:nobody pass_file
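As an added example (not the article's script), here is a hypothetical Python replacement for checkpsw.sh from sections 4 and 5: it keeps OpenVPN's via-file contract (username on line 1, password on line 2 of the temporary file) but stores PBKDF2-SHA256 hashes in pass_file instead of plaintext passwords, so a leaked file does not leak credentials. The pass_file path, the `user:pbkdf2_sha256$iterations$salt$hash` entry format and the sample users are assumptions.

```python
# Hypothetical checkpsw.sh replacement (not the article's code): same via-file contract, hashed passwords.
import hashlib, hmac, os, sys

PASSFILE = "/etc/openvpn/pass_file"  # assumed path; lines: user:pbkdf2_sha256$iters$salt_hex$hash_hex
ITERATIONS = 200_000

def make_entry(username, password, salt=None, iterations=ITERATIONS):
    """Build one pass_file line; run once per user when adding an account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def load_entries(text):
    """Parse pass_file text, skipping blank lines and ';'/'#' comments as the awk filter did."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in ";#":
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries

def read_via_file(path):
    """auth-user-pass-verify ... via-file: OpenVPN writes username on line 1, password on line 2."""
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    if len(lines) < 2 or not lines[0]:
        raise ValueError("malformed credential file")
    return lines[0], lines[1]

def verify(username, password, entries):
    """True only if the user exists and the password hashes to the stored digest."""
    try:
        algo, iters, salt_hex, hash_hex = entries.get(username, "").split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # unknown user, malformed entry, or bad hex/iteration count
        return False
    return algo == "pbkdf2_sha256" and hmac.compare_digest(digest.hex(), hash_hex)  # constant-time

if __name__ == "__main__":
    ok, user = False, "?"
    try:
        user, pw = read_via_file(sys.argv[1])
        with open(PASSFILE, encoding="utf-8") as f:
            ok = verify(user, pw, load_entries(f.read()))
    except (OSError, ValueError, IndexError):
        pass
    print(f"auth {'ok' if ok else 'failed'} for user={user!r}", file=sys.stderr)  # username only, never the password
    sys.exit(0 if ok else 1)
```

With this script the server directive becomes auth-user-pass-verify pointing at it (assumed path, e.g. /etc/openvpn/checkpsw.py) with via-file, and each pass_file line is produced by calling make_entry for the user.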