Configuring OpenVPN on CentOS

OPENVPN

Requirements: the server must log each client's login time and username, in a format such as "2022-08-10: 08:10:30 Successful authentication: username="vuser1"";
the log file is stored at /var/log/openv.log;
create the user vuser1 with password 123456, authenticated by username and password, who may only communicate with the InsideCli client subnet and is allowed to access the SAMBA service on the StorageSrv host;
the client address range is 172.16.0.0/24, and OPENVPN works over tcp port 1194.


1. Installation: set up a yum repository (the packages can only be installed once the repo is added)

[local]
name=local
baseurl=file:///mnt
gpgcheck=0
enabled=1
[kz]
name=local
baseurl=file:///root/kz
enabled=1
gpgcheck=0

[root@routersrv kz]# pwd
/root/kz
yum clean all        # clear the cache
yum makecache        # refresh the cache
yum install openvpn easy-rsa -y -q

2. Configure the certificates

# Copy the certificate build files
[root@routserv /]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/

# Initialize the PKI
[root@routserv openvpn]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki

# Create the root CA certificate
[root@routserv openvpn]# ./easyrsa build-ca nopass 
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
...................................................................................................+++
.......................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt

# Create the server certificate request and key
[root@routserv openvpn]# ./easyrsa gen-req server server nopass
Ignoring unknown command option: 'server'
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
........................+++
.....................................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-1959.fieXq1/tmp.Ruh2zR'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/server.req
key: /etc/openvpn/pki/private/server.key

# Sign the server certificate
[root@routserv openvpn]# ./easyrsa sign server server  
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
    commonName                = server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes        // type yes
Using configuration from /etc/openvpn/pki/easy-rsa-1985.1mB4Qo/tmp.AHtNf8
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Dec 11 10:29:26 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/pki/issued/server.crt

# Generate dh.pem (Diffie-Hellman parameters)
[root@routserv openvpn]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+................................+...

3. Configure the server file

# Copy the template file
[root@routserv openvpn]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf  /etc/openvpn/
[root@routserv openvpn]# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key
dh pki/dh.pem
server 172.16.0.0 255.255.255.0
#tls-auth ta.key 0 # This file is secret
#explicit-exit-notify 1
# The four lines below can be looked up with man openvpn
script-security 3
auth-user-pass-verify /etc/openvpn/auth.sh via-env
username-as-common-name
client-cert-not-required

4. Configure the login-logging authentication script

[root@routserv openvpn]# vim /etc/openvpn/auth.sh
#!/bin/sh
# Called by OpenVPN through "auth-user-pass-verify /etc/openvpn/auth.sh via-env":
# the client's credentials arrive in the environment variables $username and $password.
# Exit 0 accepts the login, any other exit code rejects it.
PASSFILE="/etc/openvpn/user"
LOG_FILE="/var/log/openvpn.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi
# Look up the stored password: skip lines starting with ';' or '#', match column 1 against the username.
CORRECT_PASSWORD=$(awk '!/^;/&&!/^#/&&$1=="'"${username}"'"{print $2;exit}' "${PASSFILE}")
if [ "${CORRECT_PASSWORD}" = "" ]; then
    # Note: the failure branches below write the supplied password to the log in clear text.
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1

[root@routserv openvpn]# chmod +x /etc/openvpn/auth.sh 
[root@routserv openvpn]# vim /etc/openvpn/user
vpnuser1 123456
[root@routserv openvpn]# systemctl restart openvpn@server
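The script above receives the password through the process environment (the via-env mode, which is why server.conf needs script-security 3) and writes the rejected password into the log in clear text. As an added example that is not part of the original post, here is a via-file variant: OpenVPN writes the username and password to the first two lines of a temporary file and passes its path as $1, so script-security 2 is enough and only the username is ever logged. The paths /etc/openvpn/user and /var/log/openvpn.log are taken from the post; the script name auth-file.sh, the check_credentials/demo_auth function names and the constructed test files are assumptions. Note also that OpenVPN 2.4 marks client-cert-not-required as deprecated in favour of verify-client-cert none; it still works on the 2.4.12 build used here.

```shell
#!/bin/sh
# Added example, not the original post's auth.sh. Assumes server.conf contains:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/auth-file.sh via-file
# With via-file the password never enters the environment of the script.

# check_credentials USERFILE LOGFILE CREDFILE
# Returns 0 when the username/password pair in CREDFILE (line 1 / line 2, as
# OpenVPN writes it) matches an entry in USERFILE, 1 otherwise.
# Only the username is ever written to LOGFILE.
check_credentials() {
    userfile=$1
    logfile=$2
    credfile=$3
    stamp=$(date "+%Y-%m-%d %T")

    if [ ! -r "$userfile" ]; then
        echo "${stamp}: Could not open password file \"${userfile}\" for reading." >> "$logfile"
        return 1
    fi
    username=$(sed -n '1p' "$credfile")
    password=$(sed -n '2p' "$credfile")

    # Reject names that could break the "username password" file format or the log line.
    case "$username" in
        ''|*[!A-Za-z0-9._@-]*)
            echo "${stamp}: Rejected malformed username." >> "$logfile"
            return 1 ;;
    esac

    # Pass the name to awk with -v so no shell text is spliced into the awk program.
    stored=$(awk -v u="$username" '!/^[;#]/ && $1 == u { print $2; exit }' "$userfile")
    if [ -z "$stored" ]; then
        echo "${stamp}: User does not exist: username=\"${username}\"." >> "$logfile"
        return 1
    fi
    if [ "$password" = "$stored" ]; then
        echo "${stamp}: Successful authentication: username=\"${username}\"." >> "$logfile"
        return 0
    fi
    echo "${stamp}: Incorrect password: username=\"${username}\"." >> "$logfile"
    return 1
}

# Self-check against constructed files in a temporary directory (no real credentials).
# Prints "ok bad unknown leaks": 1/1/1 for the three outcomes and 0 password leaks in the log.
demo_auth() {
    tmp=$(mktemp -d)
    printf '# user password\nvpnuser1 123456\n' > "$tmp/user"
    printf 'vpnuser1\n123456\n' > "$tmp/good"
    printf 'vpnuser1\nwrong\n' > "$tmp/bad"
    printf 'nobody\n123456\n' > "$tmp/unknown"
    ok=0; bad=0; unk=0
    check_credentials "$tmp/user" "$tmp/log" "$tmp/good" && ok=1
    check_credentials "$tmp/user" "$tmp/log" "$tmp/bad" || bad=1
    check_credentials "$tmp/user" "$tmp/log" "$tmp/unknown" || unk=1
    # The log must name the users but must never contain either password.
    leaks=$(grep -c -e 123456 -e wrong "$tmp/log" || true)
    rm -rf "$tmp"
    echo "$ok $bad $unk $leaks"
}

# When invoked by OpenVPN, authenticate the credentials file it passes in $1.
if [ "$1" != "" ] && [ -f "$1" ]; then
    check_credentials /etc/openvpn/user /var/log/openvpn.log "$1"
    exit $?
fi
```

Running `sh auth-file.sh` with no argument does nothing; calling `demo_auth` from the shell prints `1 1 1 0`, confirming that a correct password is accepted, a wrong password and an unknown user are rejected, and neither password appears in the log.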

5. Client configuration

# First transfer the server's CA certificate and client.conf to the client
[root@outsidecli /]# apt install openvpn -y
[root@routserv openvpn]# scp  /etc/openvpn/pki/ca.crt [email protected]:/etc/openvpn
[root@routserv openvpn]# scp  /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf  [email protected]:/etc/openvpn

6. client.conf configuration

[root@outsidecli /]# vim /etc/openvpn/client.conf 
client
dev tun
proto tcp
remote 81.6.63.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#cert client.crt		
#key client.key					
#tls-auth ta.key 1			
remote-cert-tls server
cipher AES-256-GCM   // set to GCM, the same mode as the server
verb 3 
auth-user-pass       // must be added

[root@outsidecli /]# systemctl restart openvpn@client
Enter Auth Username: vpnuser1
Enter Auth Password: ******

7. Verification

[root@outsidecli /]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:c3:f8:e1 brd ff:ff:ff:ff:ff:ff
    inet 81.6.63.110/24 brd 81.6.63.255 scope global ens33
       valid_lft forever preferred_lft forever
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 172.16.0.6 peer 172.16.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f7a:6f5:c062:fe1a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
       
[root@routserv openvpn]# tail -f /var/log/openvpn.log 
2022-09-08 06:52:35: Successful authentication: username="vpnuser1".
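The line above is the format written by auth.sh. As an added example that is not part of the original post, the following shell function summarises such a log per username and flags accounts whose failed attempts reach a threshold, which is the check an operator would run rather than only tailing for the successful line. The sample log lines are constructed, not a real capture; the function names auth_summary and demo_summary and the threshold argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the auth.sh log per user.
# Assumes the log format the post's script writes, one event per line:
#   YYYY-MM-DD HH:MM:SS: Successful authentication: username="NAME".
#   YYYY-MM-DD HH:MM:SS: Incorrect password: username="NAME", ...
#   YYYY-MM-DD HH:MM:SS: User does not exist: username="NAME", ...

# Constructed sample log (not a real capture).
SAMPLE_LOG='2022-09-08 06:52:35: Successful authentication: username="vpnuser1".
2022-09-08 06:53:01: Incorrect password: username="vpnuser1", password="x".
2022-09-08 06:53:02: Incorrect password: username="vpnuser1", password="y".
2022-09-08 06:53:03: Incorrect password: username="vpnuser1", password="z".
2022-09-08 06:53:04: User does not exist: username="admin", password="admin".
2022-09-08 06:55:10: Successful authentication: username="vpnuser1".'

# auth_summary LOGFILE THRESHOLD
# Prints one line per username, "NAME ok=N failed=M", sorted by name, and appends
# " ALERT" when the failure count reaches THRESHOLD.
auth_summary() {
    awk -v thr="$2" '
        # Extract the quoted username; lines without one (e.g. file errors) are skipped.
        match($0, /username="[^"]*"/) {
            user = substr($0, RSTART + 10, RLENGTH - 11)
            seen[user] = 1
            if ($0 ~ /Successful authentication/) ok[user]++
            else failed[user]++
        }
        END {
            for (u in seen) {
                flag = (failed[u] + 0 >= thr) ? " ALERT" : ""
                printf "%s ok=%d failed=%d%s\n", u, ok[u] + 0, failed[u] + 0, flag
            }
        }' "$1" | sort
}

# Run the summary over the constructed sample with a threshold of 3 failures.
demo_summary() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    auth_summary "$tmp" 3
    rm -f "$tmp"
}
```

On the real server the call is `auth_summary /var/log/openvpn.log 3`; on the sample, `demo_summary` reports `admin ok=0 failed=1` and `vpnuser1 ok=2 failed=3 ALERT`, so the three consecutive wrong passwords before the second successful login are surfaced instead of being hidden by the success line.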

8. Troubleshooting

[root@outsidecli /]# systemctl status openvpn@client
● [email protected] - OpenVPN connection to client
   Loaded: loaded (/lib/systemd/system/[email protected]; enabled-runtime; vendor preset: enabled)
   Active: active (running) since Mon 2022-09-12 04:22:33 CST; 1min 20s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 9017 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 2281)
   Memory: 900.0K
   CGroup: /system.slice/system-openvpn.slice/[email protected]
           └─9017 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/open

9月 12 04:22:35 outsidecli ovpn-client[9017]: Data Channel: using negotiated cipher 'AES-256-GCM'
9月 12 04:22:35 outsidecli ovpn-client[9017]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256
9月 12 04:22:35 outsidecli ovpn-client[9017]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256
9月 12 04:22:35 outsidecli ovpn-client[9017]: ROUTE: default_gateway=UNDEF
9月 12 04:22:35 outsidecli ovpn-client[9017]: TUN/TAP device tun0 opened
9月 12 04:22:35 outsidecli ovpn-client[9017]: TUN/TAP TX queue length set to 100
9月 12 04:22:35 outsidecli ovpn-client[9017]: /sbin/ip link set dev tun0 up mtu 1500
9月 12 04:22:35 outsidecli ovpn-client[9017]: /sbin/ip addr add dev tun0 local 172.16.0.6 peer 172.16.0.5
9月 12 04:22:35 outsidecli ovpn-client[9017]: /sbin/ip route add 172.16.0.1/32 via 172.16.0.5
9月 12 04:22:35 outsidecli ovpn-client[9017]: Initialization Sequence Completed
If the problem above appears, the client's time does not match the server's; setting up time synchronization fixes it.


Reposted from blog.csdn.net/LLLLLoodwd/article/details/131445249