1. Add the EPEL repository
yum install epel-release
2. Install openvpn and easy-rsa; the easy-rsa package is used to create the CA certificate, the server certificate and the client certificates
yum install openvpn easy-rsa -y
3. Check the openvpn and easy-rsa versions
openvpn --version
OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
4. Create the two directories client/ and server/ under /etc/openvpn/
Check with ls /usr/share/easy-rsa/
3 3.0 3.0.7
5. Configure easy-rsa
Change to /etc/openvpn and copy the easy-rsa scripts into it
cd /etc/openvpn/
cp -r /usr/share/easy-rsa/ .
Then change to /etc/openvpn/easy-rsa/3/, create a vars file, paste the following content into it and save
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "Sunki"
set_var EASYRSA_REQ_EMAIL "sunki@****.com"
set_var EASYRSA_REQ_OU "My OpenVPN"
Then make it executable: chmod +x vars
6. Build the OpenVPN keys
Use the "easyrsa" command-line tool to build the CA key, the server and client keys, and the DH and CRL PEM files
Change to the /etc/openvpn/easy-rsa/3 directory
6.1 Initialize the PKI directory: ./easyrsa init-pki
6.2 Build the CA key: ./easyrsa build-ca
Note: remember the passphrase you set when building the CA key; it is needed later, and if you forget it the only option is to start over from the CA step!!!
7. Build the server key
7.1 Now build the server key; the name can be chosen freely, here we use "server"
Note: the "nopass" option disables the passphrase on the "server" key: ./easyrsa gen-req server nopass
7.2 Sign the "server" key with the CA certificate: ./easyrsa sign-req server server
All server certificate and key files created:
Server certificate: /etc/openvpn/easy-rsa/3/pki/issued/server.crt
Server private key: /etc/openvpn/easy-rsa/3/pki/private/server.key
8. Create the client key
8.1 Create a new client key named "client01": ./easyrsa gen-req client01 nopass
8.2 Sign the "client01" key with the CA certificate: ./easyrsa sign-req client client01
8.3 Generate the Diffie-Hellman parameters: ./easyrsa gen-dh. This takes a considerable amount of time, depending on the chosen key length and the resources available on the server, so be patient
9. Copy the certificate files
Copy the server key and certificate
cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/server
cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3/pki/private/server.key /etc/openvpn/server
Copy the client01 key and certificate
cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/3/pki/issued/client01.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/3/pki/private/client01.key /etc/openvpn/client/
Copy the DH file
cp /etc/openvpn/easy-rsa/3/pki/dh.pem /etc/openvpn/server/
Check that the files were copied by listing the /etc/openvpn/server/ and /etc/openvpn/client/ directories
10. Configure OpenVPN
If tls-auth is to be enabled, run cd /etc/openvpn
and then openvpn --genkey --secret ta.key
Create the server.conf configuration file under /etc/openvpn/
vim server.conf
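Listing the directories only shows that files exist, not that they belong together. The following script is an added example and not part of the original tutorial: using only the openssl CLI, verify_openvpn_pki checks that a certificate chains to ca.crt with the same extended key usage the peer's remote-cert-tls option will demand (sslserver for the server certificate, sslclient for client01), that the private key really matches the certificate, and that the key file is not group- or world-readable. self_test builds a constructed throw-away CA and two leaf certificates with plain openssl (not easy-rsa) in a temporary directory to exercise the checks; both function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that the files copied
# into /etc/openvpn/server and /etc/openvpn/client in step 9 form a usable PKI
# before the service is started. Only the openssl CLI is required.

# verify_openvpn_pki CA_CRT CERT KEY PURPOSE
#   PURPOSE is sslserver or sslclient, the same extendedKeyUsage check the
#   peer's 'remote-cert-tls server' / 'remote-cert-tls client' performs.
#   Prints one line per check; returns 0 only if every check passes.
verify_openvpn_pki() {
    ca="$1"; crt="$2"; key="$3"; purpose="$4"; rc=0

    # 1. The certificate chains to the CA and carries the right extendedKeyUsage.
    if openssl verify -CAfile "$ca" -purpose "$purpose" "$crt" >/dev/null 2>&1; then
        echo "ok:   $crt verifies against $ca for purpose $purpose"
    else
        echo "FAIL: $crt does not verify against $ca for purpose $purpose"; rc=1
    fi

    # 2. The private key belongs to the certificate (identical public key).
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   $key matches $crt"
    else
        echo "FAIL: $key does not match $crt"; rc=1
    fi

    # 3. The private key is not readable by group or others.
    if [ -f "$key" ] && [ -z "$(find "$key" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "ok:   $key is not group/world readable"
    else
        echo "FAIL: $key missing or group/world readable"; rc=1
    fi
    return $rc
}

# self_test: build a constructed CA, server and client01 certificate (stand-in for
# the easy-rsa output), then confirm the checker accepts the right pairs and
# rejects the wrong ones. Returns 0 on success.
self_test() {
    d=$(mktemp -d) || return 1
    ext="$d/ext.cnf"
    # CA: CSR, then self-signed with an explicit basicConstraints=CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" >/dev/null 2>&1 || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1 \
        -extfile "$ext" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    # Leaf certs: server gets serverAuth, client01 gets clientAuth (as easy-rsa does).
    for name in server client01; do
        case $name in server) eku=serverAuth ;; *) eku=clientAuth ;; esac
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$ext" -out "$d/$name.crt" >/dev/null 2>&1 || return 1
        chmod 600 "$d/$name.key" || return 1
    done
    verify_openvpn_pki "$d/ca.crt" "$d/server.crt" "$d/server.key" sslserver || return 1
    verify_openvpn_pki "$d/ca.crt" "$d/client01.crt" "$d/client01.key" sslclient || return 1
    # A client cert offered as a server cert must be rejected (what remote-cert-tls server catches).
    verify_openvpn_pki "$d/ca.crt" "$d/client01.crt" "$d/client01.key" sslserver && return 1
    # A cert paired with someone else's key must be rejected.
    verify_openvpn_pki "$d/ca.crt" "$d/server.crt" "$d/client01.key" sslserver && return 1
    rm -rf "$d"
    return 0
}

# Usage: sh check-pki.sh --self-test, or call verify_openvpn_pki on the real files:
#   verify_openvpn_pki /etc/openvpn/server/ca.crt /etc/openvpn/server/server.crt \
#       /etc/openvpn/server/server.key sslserver
if [ "${1:-}" = "--self-test" ]; then
    self_test && echo "self-test passed"
fi
```

Run it on the real files from /etc/openvpn/server and /etc/openvpn/client after step 9; a server certificate that fails the sslserver purpose here will also be rejected later by a client configured with remote-cert-tls server, so it is cheaper to catch it now than from the client log.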
port 18711
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.10.0 255.255.255.0"
#client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 5
sndbuf 0
rcvbuf 0
push "sndbuf 393216"
push "rcvbuf 393216"
script-security 3
reneg-sec 0
11. Enable IP forwarding and configure routing
Enable IP forwarding in the kernel
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
Apply it: sysctl -p
net.ipv4.ip_forward = 1
Disable the firewall and SELinux enforcement
systemctl stop firewalld
setenforce 0
12. Start the OpenVPN service
systemctl start openvpn@server
13. Client configuration config.ovpn
client
dev tun
proto tcp
remote *.*.*.* 18711
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
Connect with the OpenVPN client tool and the tunnel is ready to use; to reach the database, simply use the address 192.168.10.1
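The server.conf from step 10 and the client config from step 13 both connect, but several of their settings are worth revisiting before the service faces the internet. The following sh script is an added example and not part of the original tutorial: audit_openvpn_conf greps a config for compression, a CBC cipher, a missing auth or tls-version-min line, tls-auth without tls-crypt, script-security 3 and reneg-sec 0, and checks that a client sets remote-cert-tls server and that a server drops privileges with user/group. write_sample_server and write_sample_client produce constructed, trimmed copies of the tutorial's two configs (VPN_SERVER_ADDRESS is a placeholder), write_hardened_server is this example's suggested counterpart for comparison, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an OpenVPN 2.4
# server.conf or client .ovpn for settings worth tightening. Needs only sh,
# grep and mktemp; OpenVPN itself is not run.

# has_opt FILE REGEX : true if an uncommented line starts with an option matching REGEX
has_opt() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }

# finding MESSAGE : print one finding and count it
finding() { echo "  - $1"; n=$((n + 1)); }

# audit_openvpn_conf FILE : prints findings; returns 0 if none, 1 otherwise
audit_openvpn_conf() {
    f="$1"; n=0
    has_opt "$f" '(comp-lzo|compress)' && \
        finding "compression enabled: OpenVPN 2.4 advises against it (VORACLE-style attacks on compressed traffic)"
    has_opt "$f" 'cipher[[:space:]]+[A-Za-z0-9-]*-CBC' && \
        finding "CBC cipher configured: prefer an AEAD cipher such as AES-256-GCM"
    has_opt "$f" 'auth' || \
        finding "no 'auth' line: HMAC defaults to SHA1, set 'auth SHA256'"
    has_opt "$f" 'tls-version-min' || \
        finding "no 'tls-version-min': add 'tls-version-min 1.2'"
    has_opt "$f" 'tls-auth' && ! has_opt "$f" 'tls-crypt' && \
        finding "tls-auth only authenticates the control channel; tls-crypt also encrypts it"
    has_opt "$f" 'script-security[[:space:]]+3' && \
        finding "script-security 3 passes passwords to scripts via the environment; use 2 unless scripts need it"
    has_opt "$f" 'reneg-sec[[:space:]]+0' && \
        finding "reneg-sec 0 disables periodic data-channel rekeying (default 3600 s)"
    if has_opt "$f" 'client'; then
        has_opt "$f" 'remote-cert-tls[[:space:]]+server' || \
            finding "client lacks 'remote-cert-tls server': any CA-issued cert could pose as the server"
    else
        has_opt "$f" 'user' && has_opt "$f" 'group' || \
            finding "server does not drop privileges: add 'user' and 'group'"
    fi
    [ "$n" -eq 0 ]
}

# count_findings FILE : number of findings, for scripting
count_findings() { audit_openvpn_conf "$1" | wc -l | tr -d ' '; }

# Constructed, trimmed copy of the tutorial's server.conf (step 10).
write_sample_server() {
    cat > "$1" <<'EOF'
port 18711
proto tcp
dev tun
server 192.168.10.0 255.255.255.0
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
user openvpn
group openvpn
script-security 3
reneg-sec 0
EOF
}

# Constructed, trimmed copy of the tutorial's client config (step 13); VPN_SERVER_ADDRESS is a placeholder.
write_sample_client() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote VPN_SERVER_ADDRESS 18711
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
EOF
}

# This example's hardened counterpart of the server config.
write_hardened_server() {
    cat > "$1" <<'EOF'
port 18711
proto tcp
dev tun
server 192.168.10.0 255.255.255.0
tls-crypt /etc/openvpn/ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
user openvpn
group openvpn
EOF
}

# Usage: sh audit-ovpn.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
    echo "findings for $1:"; audit_openvpn_conf "$1" || exit 1
fi
```

The hardened variant reuses the ta.key from step 10: the file written by openvpn --genkey --secret is accepted by tls-crypt as well, which takes no key-direction argument. Compression changes the packet framing, so comp-lzo has to be removed from the server and from every client config together, and the cipher and auth lines must likewise agree on both ends.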