Simple deployment of an OpenVPN service

How OpenVPN works

OpenVPN is free, open-source software for building encrypted Virtual Private Network tunnels. With OpenVPN you can easily set up a private, LAN-like channel between the different places you connect from, such as home, the office or a hotel. It is easy to use and performs well; it supports Solaris, Linux 2.2+ (meaning Linux 2.2 and later, likewise below), OpenBSD 3.0+, FreeBSD, NetBSD, Mac OS X, Android and Windows 2000+, and it uses strong data encryption. Together with being free and open source, this makes OpenVPN the first choice of VPN for small and medium businesses and for individuals.
The way OpenVPN works is actually quite simple. Its core mechanism is that a virtual network interface (also called a virtual network adapter) is installed on both the OpenVPN server and each client machine, and each of them gets a corresponding virtual IP address. The server and its clients can then reach each other over the virtual interfaces using those virtual IPs. The OpenVPN server takes the role of router and control point (in effect a virtual router).
The most common way OpenVPN encrypts its data is with the SSL/TLS protocol. Transport over SSL/TLS needs the corresponding certificates and keys, so before we can use OpenVPN we first have to generate those certificates and keys on the server side.

Installing OpenVPN

Environment preparation (CentOS 7)

Configure the base and EPEL repos (using the Aliyun mirrors)

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

Turn off the firewall and SELinux

systemctl stop firewalld
systemctl disable firewalld
# setenforce 0 only lasts until the next reboot
setenforce 0
getenforce

Install the OpenVPN server

yum install -y openvpn

Install easy-rsa, which is used to create the OpenVPN certificates

# upload the easy-rsa tarball yourself
tar xf EasyRSA-2.2.2.tgz

Creating the certificates

Generate the CA certificate

mkdir -p /etc/openvpn/easy-rsa
cp -a /root/EasyRSA-2.2.2/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa

Edit the vars file

vim /etc/openvpn/easy-rsa/vars
# lines 64-69
# country
export KEY_COUNTRY="CN"
# province
export KEY_PROVINCE="beijing"
# city
export KEY_CITY="changping"
# organization
export KEY_ORG="oldbi"
# e-mail address
export KEY_EMAIL="[email protected]"
# organizational unit
export KEY_OU="oldbi"

Load the settings into the shell with source

source vars

Clear out any existing certificate material

./clean-all

Generate the CA certificate; pressing Enter at every prompt accepts the defaults taken from vars

./build-ca
Generating a 2048 bit RSA private key
...................+++
..................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [changping]:
Organization Name (eg, company) [oldbi]:
Organizational Unit Name (eg, section) [oldbi]:
Common Name (eg, your name or your server's hostname) [oldbi CA]:
Name [EasyRSA]:
Email Address [[email protected]]:

Generate the server certificate and key

./build-key-server vpnserver
Generating a 2048 bit RSA private key
...+++
.......+++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [changping]:
Organization Name (eg, company) [oldbi]:
Organizational Unit Name (eg, section) [oldbi]:
Common Name (eg, your name or your server's hostname) [vpnserver]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456   ## challenge password (a CSR attribute, not a key passphrase); may be left empty
An optional company name []:oldbi ### optional company name; may be left empty
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'beijing'
localityName          :PRINTABLE:'changping'
organizationName      :PRINTABLE:'oldbi'
organizationalUnitName:PRINTABLE:'oldbi'
commonName            :PRINTABLE:'vpnserver'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until May 13 09:20:40 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Check the generated files

ll keys/
total 48
-rw-r--r-- 1 root root 5427 May 16 17:20 01.pem
-rw-r--r-- 1 root root 1688 May 16 17:19 ca.crt
-rw------- 1 root root 1704 May 16 17:19 ca.key
-rw-r--r-- 1 root root  127 May 16 17:20 index.txt
-rw-r--r-- 1 root root   21 May 16 17:20 index.txt.attr
-rw-r--r-- 1 root root    0 May 16 17:19 index.txt.old
-rw-r--r-- 1 root root    3 May 16 17:20 serial
-rw-r--r-- 1 root root    3 May 16 17:19 serial.old
-rw-r--r-- 1 root root 5427 May 16 17:20 vpnserver.crt
-rw-r--r-- 1 root root 1131 May 16 17:20 vpnserver.csr
-rw------- 1 root root 1704 May 16 17:20 vpnserver.key

Create the Diffie-Hellman parameters, the file used for the key exchange when a session is negotiated

./build-dh

Generate the client certificate and key

./build-key vpnclient
Generating a 2048 bit RSA private key
.........+++
.........+++
writing new private key to 'vpnclient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [changping]:
Organization Name (eg, company) [oldbi]:
Organizational Unit Name (eg, section) [oldbi]:
Common Name (eg, your name or your server's hostname) [vpnclient]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:oldbi
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'beijing'
localityName          :PRINTABLE:'changping'
organizationName      :PRINTABLE:'oldbi'
organizationalUnitName:PRINTABLE:'oldbi'
commonName            :PRINTABLE:'vpnclient'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until May 13 09:22:16 2029 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Check the generated files

ll /etc/openvpn/easy-rsa/keys
total 84
-rw-r--r-- 1 root root 5427 May 16 17:20 01.pem
-rw-r--r-- 1 root root 5305 May 16 17:22 02.pem
-rw-r--r-- 1 root root 1688 May 16 17:19 ca.crt
-rw------- 1 root root 1704 May 16 17:19 ca.key
-rw-r--r-- 1 root root  424 May 16 17:21 dh2048.pem
-rw-r--r-- 1 root root  254 May 16 17:22 index.txt
-rw-r--r-- 1 root root   21 May 16 17:22 index.txt.attr
-rw-r--r-- 1 root root   21 May 16 17:20 index.txt.attr.old
-rw-r--r-- 1 root root  127 May 16 17:20 index.txt.old
-rw-r--r-- 1 root root    3 May 16 17:22 serial
-rw-r--r-- 1 root root    3 May 16 17:20 serial.old
-rw-r--r-- 1 root root 5305 May 16 17:22 vpnclient.crt
-rw-r--r-- 1 root root 1131 May 16 17:22 vpnclient.csr
-rw------- 1 root root 1704 May 16 17:22 vpnclient.key
-rw-r--r-- 1 root root 5427 May 16 17:20 vpnserver.crt
-rw-r--r-- 1 root root 1131 May 16 17:20 vpnserver.csr
-rw------- 1 root root 1704 May 16 17:20 vpnserver.key
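
As an added example that is not part of the original post, the script below checks what the server and client generation steps above should have produced: that each certificate verifies against ca.crt, that each .key really belongs to its .crt, that the server and client certificates carry the extended key usage for their role (the property `remote-cert-tls` enforces; the older `ns-cert-type` looks at the nsCertType extension instead), and that private keys are not world-readable. `make_demo_pki` builds a throwaway CA plus server and client certificate with plain openssl so the checks can run offline; it is a constructed stand-in for the easy-rsa keys/ directory and uses the same file names. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for the easy-rsa
# keys/ directory before the server and client configs point at it.

# make_demo_pki DIR: constructed stand-in for /etc/openvpn/easy-rsa/keys,
# built with plain openssl so the checks below can run offline.
make_demo_pki() {
  d="$1"
  mkdir -p "$d" || return 1
  # CA: self-signed, explicitly marked as a CA via basicConstraints
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
    -subj "/CN=demo CA" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
  chmod 600 "$d/ca.key"
  # leaf certs: the extended key usage is what "remote-cert-tls" checks
  for pair in vpnserver:serverAuth vpnclient:clientAuth; do
    name=${pair%%:*}; eku=${pair##*:}
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
      -out "$d/$name.csr" -subj "/CN=$name" >/dev/null 2>&1 || return 1
    printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$name.ext"
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 30 -extfile "$d/$name.ext" -out "$d/$name.crt" \
      >/dev/null 2>&1 || return 1
    chmod 600 "$d/$name.key"
  done
}

# check_openvpn_pki DIR NAME ROLE: ROLE is "server" or "client".
# Returns 0 when every check passes, 1 at the first failure (reason on stdout).
check_openvpn_pki() {
  d="$1"; name="$2"; role="$3"
  case "$role" in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) echo "role must be server or client"; return 1 ;;
  esac
  # 1. the certificate chains to ca.crt, which is what the peer verifies against
  openssl verify -CAfile "$d/ca.crt" "$d/$name.crt" >/dev/null 2>&1 \
    || { echo "$name.crt does not verify against ca.crt"; return 1; }
  # 2. the private key matches the certificate (compare hashes of the public keys)
  cpub=$(openssl x509 -in "$d/$name.crt" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  kpub=$(openssl pkey -in "$d/$name.key" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] \
    || { echo "$name.key does not match $name.crt"; return 1; }
  # 3. the certificate carries the EKU for its role, so a client certificate
  #    cannot be presented as the server under "remote-cert-tls server"
  openssl x509 -in "$d/$name.crt" -noout -text | grep -A1 'Extended Key Usage' \
    | grep -q "$want" || { echo "$name.crt lacks the EKU for role $role"; return 1; }
  # 4. the private key is not readable by other local users
  #    (column 8 of ls -l is the "other" read bit)
  if [ "$(ls -l "$d/$name.key" | cut -c8)" = "r" ]; then
    echo "$name.key is world-readable"; return 1
  fi
  echo "$name ($role): OK"
}

# usage against the real directory from this post:
# check_openvpn_pki /etc/openvpn/easy-rsa/keys vpnserver server
# check_openvpn_pki /etc/openvpn/easy-rsa/keys vpnclient client
```

If the EKU step fails for a certificate produced by easy-rsa 2, look at the `server` and `usr_cert` sections of openssl-1.0.0.cnf, which is where the extensions for build-key-server and build-key come from.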

Configure the server

vim /etc/openvpn/service.conf
# add the following
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
# address pool
ifconfig-pool-persist ipp.txt
keepalive 10 120
# enable compression
comp-lzo
persist-key
persist-tun
# status log
status openvpn-status.log
# log verbosity level
verb 3
# allow clients to reach each other
client-to-client
# allow several clients to connect with the same certificate CN at once
duplicate-cn
# log file
log /var/log/openvpn.log
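
As an added example that is not part of the original post, here is a small shell lint that reads an OpenVPN server config and reports settings a defender would want to revisit. It is run against a copy of the server config above, embedded as sample input, and against a hardened variant of the same config. The `ta.key` and `crl.pem` paths in the hardened variant are assumptions: a `tls-crypt` key is created with `openvpn --genkey --secret ta.key`, and easy-rsa 2's `./revoke-full` writes `keys/crl.pem`. The function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN server config
# for settings worth revisiting. The weak sample is the config from the post;
# the hardened sample is the same config with those settings changed.

# write_weak_conf FILE: the post's server config, reproduced as sample input
write_weak_conf() {
  cat > "$1" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
EOF
}

# write_hardened_conf FILE: same config with every finding below addressed.
# ta.key and crl.pem are assumed paths (see the lead-in).
write_hardened_conf() {
  cat > "$1" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# assumption: created with "openvpn --genkey --secret ta.key"
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key
# assumption: written by easy-rsa's ./revoke-full
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
status openvpn-status.log
verb 3
client-to-client
log /var/log/openvpn.log
EOF
}

# has_directive FILE NAME: true if NAME is set (comments stripped, whole-word match)
has_directive() {
  sed 's/#.*//' "$1" | grep -qE "^[[:space:]]*$2([[:space:]]|$)"
}

# lint_openvpn_conf FILE: print one line per finding, return the finding count
lint_openvpn_conf() {
  f="$1"; n=0
  if has_directive "$f" duplicate-cn; then
    echo "duplicate-cn: one certificate may be used by many clients at once, so a copied key is enough to join and revoking it cuts off everyone sharing it"
    n=$((n + 1))
  fi
  if has_directive "$f" comp-lzo || has_directive "$f" compress; then
    echo "comp-lzo/compress: tunnel compression is deprecated since OpenVPN 2.4 because of compression-oracle attacks (VORACLE); drop it"
    n=$((n + 1))
  fi
  if ! has_directive "$f" tls-auth && ! has_directive "$f" tls-crypt; then
    echo "no tls-auth/tls-crypt: control-channel packets reach the TLS stack without a pre-shared HMAC check"
    n=$((n + 1))
  fi
  if ! has_directive "$f" user || ! has_directive "$f" group; then
    echo "no user/group: the daemon keeps root privileges after start-up"
    n=$((n + 1))
  fi
  if ! has_directive "$f" crl-verify; then
    echo "no crl-verify: revoked client certificates keep working"
    n=$((n + 1))
  fi
  return $n
}
```

Run `lint_openvpn_conf /etc/openvpn/service.conf` against the real file; a zero exit status means none of these findings applied.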

The OpenVPN server needs IPv4 forwarding enabled

# enable it now (lost on reboot)
sysctl net.ipv4.ip_forward=1
# enable it permanently (run "sysctl -p" to load the file without rebooting)
echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf

Set up routing

Add a route on the machines in the internal subnet

# this is my configuration
# the network in front is the one defined in the OpenVPN server config
# the IP after gw is the OpenVPN server's internal-facing interface
route add -net 10.8.0.0/24 gw 172.16.1.12
# the command above adds a one-off route that does not survive a reboot
ip route
 10.0.0.0/24 via 172.16.1.12 dev eth0
 10.8.0.0/24 via 172.16.1.12 dev eth0
 172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.13 metric 100
# append the first two routes from the output above to a new file (created here)
echo "10.0.0.0/24 via 172.16.1.12 dev eth0" >>/etc/sysconfig/network-scripts/route-eth0
echo "10.8.0.0/24 via 172.16.1.12 dev eth0" >>/etc/sysconfig/network-scripts/route-eth0

Configure the Windows client

Do this on the server first

mkdir -p /etc/openvpn/client
cd /etc/openvpn/client
cp /etc/openvpn/easy-rsa/keys/vpnclient.* .
# only ca.crt goes to the client; ca.key must never leave the server
cp /etc/openvpn/easy-rsa/keys/ca.crt .
vim client.ovpn
# add the following
client
dev tun
proto tcp
# this is the OpenVPN server's address
remote 10.0.0.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert vpnclient.crt
key vpnclient.key
# deprecated in OpenVPN 2.4; "remote-cert-tls server" is the replacement
ns-cert-type server
comp-lzo
verb 3

Copy the client config to the Windows machine

Use the sz command to send the client configuration from the OpenVPN server to the Windows PC, and place it in the config directory of the Windows OpenVPN client.
On Windows, OpenVPN's config files live in the config directory under your installation directory.

Installing the OpenVPN Windows client

Download the openvpn-install-2.4.6-I602-windows client installer (.exe).
Double-click it and click Next all the way through.
Put the config file in place first, then start the program.
