Setting up an OpenVPN server on CentOS 6.5 to reach intranet servers

1 Introduction
    VPN (Virtual Private Network) is, taken literally, a virtual private channel: a tunnel that provides secure data transport between companies, or between an individual and a company.
    OpenVPN is without doubt the pioneer among open-source VPNs on Linux, offering good performance and a friendly user GUI. The software was originally written by James Yonan. OpenVPN lets the endpoints that establish a VPN authenticate each other with a pre-shared secret key, third-party certificates, or a username/password. It makes heavy use of the OpenSSL crypto library and of the SSLv3/TLSv1 protocols. OpenVPN runs on Linux, xBSD, Mac OS X and Windows.
    For a more detailed introduction, see my other article: http://blog.csdn.net/jesseyoung/article/details/41693083
2 Environment
    Public IP: 121.40.135.148
    Intranet IP: 10.171.255.202
    Operating system: CentOS 6.5
3 Installing openvpn and easy-rsa
    3.1 Installing openvpn and easy-rsa

    easy-rsa is the certificate-generation tool for openvpn.
[root@iZ23vn3rqxnZ /]# yum install openvpn easy-rsa
    Inspect easy-rsa
[root@iZ23vn3rqxnZ 2.0]# ls /usr/share/easy-rsa/2.0

    You can see the various scripts used to generate keys.
    The openvpn configuration directory is /etc/openvpn
    3.2 Configuring easy-rsa
    The main file to edit is vars
[root@iZ23vn3rqxnZ 2.0]# vi /usr/share/easy-rsa/2.0/vars
    Edit the following options

    Here KEY_COUNTRY sets the country, KEY_PROVINCE the province, KEY_CITY the city, KEY_ORG the organization, KEY_EMAIL the e-mail address and KEY_OU the organizational unit.
    Load the modified settings into the current shell
[root@iZ23vn3rqxnZ 2.0]# source /usr/share/easy-rsa/2.0/vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
    Remove all existing certificates from the keys directory (can be skipped on a first-time setup)
[root@iZ23vn3rqxnZ 2.0]# /usr/share/easy-rsa/2.0/clean-all 
    3.3 Generating the certificates
    3.3.1 Generating the CA certificate

    The CA certificate is used to sign the server and client certificates
[root@iZ23vn3rqxnZ 2.0]# /usr/share/easy-rsa/2.0/build-ca 
Generating a 2048 bit RSA private key
....................................................................+++
...............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:  ----> press Enter
State or Province Name (full name) [SH]:  ----> press Enter
Locality Name (eg, city) [ShangHai]:  ----> press Enter
Organization Name (eg, company) [Company]:  ----> press Enter
Organizational Unit Name (eg, section) [MyOrganization]:  ----> press Enter
Common Name (eg, your name or your server's hostname) [Company CA]:  ----> press Enter
Name [EasyRSA]:  ----> press Enter
Email Address [[email protected]]:  ----> press Enter
    The following new files now appear in the keys directory
[root@iZ23vn3rqxnZ 2.0]# ls /usr/share/easy-rsa/2.0/keys/

    3.3.2 Generating the server certificate
[root@iZ23vn3rqxnZ 2.0]# /usr/share/easy-rsa/2.0/build-key-server aliyunServer
Generating a 2048 bit RSA private key
...................................................................................+++
.........................................................................................+++
writing new private key to 'aliyunServer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:  ----> press Enter
State or Province Name (full name) [SH]:  ----> press Enter
Locality Name (eg, city) [ShangHai]:  ----> press Enter
Organization Name (eg, company) [Company]:  ----> press Enter
Organizational Unit Name (eg, section) [MyOrganization]:  ----> press Enter
Common Name (eg, your name or your server's hostname) [aliyunServer]:  ----> press Enter
Name [EasyRSA]:  ----> press Enter
Email Address [[email protected]]:  ----> press Enter


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'ShangHai'
organizationName      :PRINTABLE:'Company'
organizationalUnitName:PRINTABLE:'MyOrganization'
commonName            :PRINTABLE:'aliyunServer'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 29 07:31:54 2024 GMT (3650 days)
Sign the certificate? [y/n]:y  ----> choose y
1 out of 1 certificate requests certified, commit? [y/n]y ----> choose y
Write out database with 1 new entries
Data Base Updated
    The following new files now appear in the keys directory
[root@iZ23vn3rqxnZ 2.0]# ls /usr/share/easy-rsa/2.0/keys/

    3.3.3 Generating the client certificate
[root@iZ23vn3rqxnZ 2.0]# /usr/share/easy-rsa/2.0/build-key aliyunClient
Generating a 2048 bit RSA private key
................................................................................+++
........+++
writing new private key to 'aliyunClient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:  ----> press Enter
State or Province Name (full name) [SH]:  ----> press Enter
Locality Name (eg, city) [ShangHai]:  ----> press Enter
Organization Name (eg, company) [Company]:  ----> press Enter
Organizational Unit Name (eg, section) [MyOrganization]:  ----> press Enter
Common Name (eg, your name or your server's hostname) [aliyunClient]:  ----> press Enter
Name [EasyRSA]:  ----> press Enter
Email Address [[email protected]]:  ----> press Enter


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'ShangHai'
organizationName      :PRINTABLE:'Company'
organizationalUnitName:PRINTABLE:'MyOrganization'
commonName            :PRINTABLE:'aliyunClient'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 29 07:35:56 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> choose y


1 out of 1 certificate requests certified, commit? [y/n]y ----> choose y
Write out database with 1 new entries
Data Base Updated
    The following new files now appear in the keys directory
[root@iZ23vn3rqxnZ 2.0]# ls /usr/share/easy-rsa/2.0/keys/

    3.3.4 Generating the Diffie-Hellman file
    dh2048.pem is the Diffie-Hellman parameter file that the SSL/TLS server needs; it strengthens OpenVPN's security, and generating it takes a while.
[root@iZ23vn3rqxnZ 2.0]# /usr/share/easy-rsa/2.0/build-dh 
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
    The following new file now appears in the keys directory
[root@iZ23vn3rqxnZ 2.0]# ls /usr/share/easy-rsa/2.0/keys/

    3.3.5 Generating ta.key
    ta.key is generated with OpenVPN itself: openvpn --genkey --secret keys/ta.key. It is an "HMAC firewall" created to defend against malicious attacks such as DoS and UDP port flooding.
    Run in the keys directory:
[root@iZ23vn3rqxnZ keys]# openvpn --genkey --secret ta.key
    A new file, ta.key, now appears in the keys directory
[root@iZ23vn3rqxnZ keys]# ls

    3.3.6 Configuring the openvpn server
    Copy the certificates into the openvpn configuration directory
[root@iZ23vn3rqxnZ ~]# cd /usr/share/easy-rsa/2.0/keys
[root@iZ23vn3rqxnZ keys]# cp dh2048.pem aliyunServer.crt aliyunServer.key ca.crt ta.key /etc/openvpn/
    Copy the sample configuration file into the openvpn configuration directory
[root@iZ23vn3rqxnZ keys]# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
    Edit the configuration file
[root@iZ23vn3rqxnZ ~]# cat /etc/openvpn/server.conf    
port 1194
proto tcp
dev tun
ca  /etc/openvpn/ca.crt
cert /etc/openvpn/aliyunServer.crt
key  /etc/openvpn/aliyunServer.key  
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt


;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
push "route 10.171.255.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"


;push "dhcp-option DNS 192.168.55.25"
;push "dhcp-option DNS 8.8.8.8"
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/ta.key
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES


comp-lzo


;max-clients 100


user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
;log-append  openvpn.log
verb 3
script-security 3
#client-connect "/bin/bash /etc/openvpn/connect.sh"
#client-disconnect "/bin/bash /etc/openvpn/disconnect.sh"


;mute 20
4 Configuring the firewall and routing
    4.1 Flush the default firewall policy and restart iptables

[root@iZ23vn3rqxnZ ~]# iptables -t nat -F
[root@iZ23vn3rqxnZ ~]# iptables  -F
[root@iZ23vn3rqxnZ ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@iZ23vn3rqxnZ ~]# service iptables restart
    4.2 Disable SELinux
[root@iZ23vn3rqxnZ ~]# setenforce 0
setenforce: SELinux is disabled
[root@iZ23vn3rqxnZ ~]# vi /etc/sysconfig/selinux 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
~
    4.3 Enable IP forwarding on the server
[root@iZ23vn3rqxnZ ~]# vi /etc/sysctl.conf
---------------------
Change: net.ipv4.ip_forward = 1
---------------------
[root@iZ23vn3rqxnZ ~]# sysctl -p
    4.4 Set up NAT forwarding
    Note: this ensures that traffic from the VPN address pool can be routed out to the outside network
[root@iZ23vn3rqxnZ ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    4.5 Allow the openvpn port through
[root@iZ23vn3rqxnZ ~]# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
[root@iZ23vn3rqxnZ ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    Restart iptables:
    Note: an INPUT rule takes effect as soon as it is entered, whereas the POSTROUTING rule needs to be saved and the service restarted before it takes effect
[root@iZ23vn3rqxnZ ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@iZ23vn3rqxnZ ~]# service iptables restart
    Note: if you are unsure about the configuration, or the VPN cannot be reached remotely after configuring it, you can also turn the firewall off.
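    Sections 4.3 to 4.5 only work if the 'server' pool, the pushed route, the MASQUERADE rule and the INPUT rule all agree with one another. The following Python is an added example and not part of the original post: it parses the iptables commands above together with the values from server.conf, the environment section and the ifconfig output of section 5.3, and reports every inconsistency it finds (an empty list means the pieces fit). The names audit_routing and parse_iptables are this example's own.

```python
import ipaddress
import shlex

# Values from this page: the 'server' and 'push' lines of server.conf, the
# listening proto/port, the intranet host from section 2, the interface
# addresses shown by ifconfig in section 5.3, and the iptables commands
# typed in section 4.
SERVER_POOL = "server 10.8.0.0 255.255.255.0"
PUSHED_ROUTES = ['push "route 10.171.255.0 255.255.255.0"']
LISTEN = ("tcp", 1194)
INTRANET_HOST = "10.171.255.202"
INTERFACES = {"eth0": "10.171.255.202/255.255.248.0",
              "eth1": "121.40.135.148/255.255.252.0"}
IPTABLES_CMDS = [
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE",
    "iptables -A INPUT -p TCP --dport 1194 -j ACCEPT",
    "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
]


def parse_iptables(cmd):
    """Read one iptables command line into a dict.

    Every option used on this page takes exactly one value, so the argv can
    be walked in pairs; the table defaults to 'filter' as in iptables."""
    rule = {"table": "filter"}
    argv = shlex.split(cmd)[1:]
    for flag, value in zip(argv[::2], argv[1::2]):
        if flag == "-t":
            rule["table"] = value
        elif flag == "-A":
            rule["chain"] = value
        elif flag == "-s":
            rule["src"] = ipaddress.ip_network(value, strict=False)
        elif flag == "-o":
            rule["out_if"] = value
        elif flag == "-p":
            rule["proto"] = value.lower()
        elif flag == "--dport":
            rule["dport"] = int(value)
        elif flag == "-j":
            rule["target"] = value
        elif flag == "--state":
            rule["state"] = set(value.split(","))
    return rule


def audit_routing(server_pool, pushed_routes, listen, intranet_host, interfaces, cmds):
    """List the inconsistencies between the OpenVPN routing setup and the
    firewall rules; an empty list means they fit together."""
    findings = []
    _, net, mask = server_pool.split()
    pool = ipaddress.ip_network(f"{net}/{mask}")
    host = ipaddress.ip_address(intranet_host)
    ifaces = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    intranet_if = next((n for n, nw in ifaces.items() if host in nw), None)
    rules = [parse_iptables(c) for c in cmds]

    # 1. Intranet hosts know nothing about the 10.8.0.0/24 pool, so it must be
    #    masqueraded behind the address of the intranet-facing interface.
    nat = [r for r in rules if r["table"] == "nat" and r.get("target") == "MASQUERADE"]
    if not nat:
        findings.append("no MASQUERADE rule: intranet replies have no route back to the pool")
    for r in nat:
        if r.get("src") != pool:
            findings.append(f"MASQUERADE source {r.get('src')} is not the VPN pool {pool}")
        if r.get("out_if") != intranet_if:
            findings.append(f"MASQUERADE leaves via {r.get('out_if')}, but {intranet_host} sits behind {intranet_if}")

    # 2. The listener must be reachable through INPUT.
    proto, port = listen
    if not any(r.get("chain") == "INPUT" and r.get("target") == "ACCEPT"
               and r.get("proto") == proto and r.get("dport") == port for r in rules):
        findings.append(f"INPUT has no ACCEPT for {proto}/{port}")

    # 3. Pushed routes must cover the intranet host and stay clear of the pool.
    covered = False
    for p in pushed_routes:
        _, rnet, rmask = shlex.split(p)[1].split()
        route = ipaddress.ip_network(f"{rnet}/{rmask}")
        if route.overlaps(pool):
            findings.append(f"pushed route {route} overlaps the VPN pool {pool}")
        covered = covered or host in route
    if not covered:
        findings.append(f"no pushed route covers {intranet_host}: clients send it to their own default gateway")
    return findings


if __name__ == "__main__":
    for line in audit_routing(SERVER_POOL, PUSHED_ROUTES, LISTEN, INTRANET_HOST,
                              INTERFACES, IPTABLES_CMDS) or ["OK"]:
        print(line)
```

    Run against the values on this page the audit returns an empty list; swapping the MASQUERADE interface to eth1 (the public side) or changing proto to udp immediately produces a finding, which is the kind of mistake that otherwise only shows up as "connected, but the intranet host does not answer".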
5 Starting the openvpn service
    5.1 Start method 1:

[root@iZ23vn3rqxnZ openvpn]#  /usr/sbin/openvpn --config /etc/openvpn/server.conf &
    5.2 Start method 2:
[root@iZ23vn3rqxnZ openvpn]# /etc/init.d/openvpn start
Starting openvpn:                                          [  OK  ]
[2]+  Killed                  /usr/sbin/openvpn --config /etc/openvpn/server.conf
[root@iZ23vn3rqxnZ openvpn]# /etc/init.d/openvpn status
Status written to /var/log/messages
[root@iZ23vn3rqxnZ openvpn]# ps -ef | grep openvpn
nobody    4277     1  0 22:06 ?        00:00:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn --config server.conf
root      4336 32542  0 22:07 pts/0    00:00:00 grep openvpn
    5.3 Check the network interfaces:
[root@iZ23vn3rqxnZ openvpn]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:00:25:9D  
          inet addr:10.171.255.202  Bcast:10.171.255.255  Mask:255.255.248.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:314920 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1776 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:13278386 (12.6 MiB)  TX bytes:142114 (138.7 KiB)
          Interrupt:165 


eth1      Link encap:Ethernet  HWaddr 00:16:3E:00:52:83  
          inet addr:121.40.135.148  Bcast:121.40.135.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5232537 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10996 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:233006762 (222.2 MiB)  TX bytes:1095851 (1.0 MiB)
          Interrupt:164 


lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    Note: tun0 is the virtual interface created by OpenVPN.
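    Once the service is running, the file named by the 'status openvpn-status.log' directive in server.conf is the quickest place to see who is connected. The following Python is an added example, not part of the original post or of OpenVPN: it parses the version-1 layout of that file and flags a common name that this CA never issued (only aliyunClient was issued above) or a common name showing up from several source addresses. The status text it works on is constructed for the example; parse_status_v1 and audit_status are names made up here.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the version-1 layout of the status file; the
# addresses, counters and timestamps are invented for this example.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Dec  4 22:10:00 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
aliyunClient,198.51.100.23:54021,18234,91022,Thu Dec  4 22:06:41 2014
test-laptop,203.0.113.77:61002,1200,3400,Thu Dec  4 22:09:12 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,aliyunClient,198.51.100.23:54021,Thu Dec  4 22:09:58 2014
10.8.0.10,test-laptop,203.0.113.77:61002,Thu Dec  4 22:09:55 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status_v1(text):
    """Return the CLIENT LIST rows as dicts and the ROUTING TABLE as
    {virtual address: common name}. Section headers switch the parser state;
    the column-header rows inside each section are skipped."""
    sessions, routes, section = [], {}, None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if row[0] in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END"):
            section = row[0]
        elif section == "OpenVPN CLIENT LIST" and row[0] not in ("Updated", "Common Name"):
            cn, real, rx, tx, since = row
            sessions.append({"cn": cn, "real_address": real, "bytes_received": int(rx),
                             "bytes_sent": int(tx), "connected_since": since})
        elif section == "ROUTING TABLE" and row[0] != "Virtual Address":
            routes[row[0]] = row[1]
    return sessions, routes


def audit_status(text, issued_cns):
    """Flag sessions whose common name this CA never issued, and common names
    connected from more than one source address (a copied client key, or
    duplicate-cn switched on without anyone noticing)."""
    sessions, _ = parse_status_v1(text)
    findings = []
    seen = defaultdict(set)
    for s in sessions:
        seen[s["cn"]].add(s["real_address"].rsplit(":", 1)[0])
        if s["cn"] not in issued_cns:
            findings.append(f"unexpected common name {s['cn']!r} from {s['real_address']}")
    for cn, addrs in seen.items():
        if len(addrs) > 1:
            findings.append(f"{cn!r} is connected from {len(addrs)} addresses: {sorted(addrs)}")
    return sessions, findings


if __name__ == "__main__":
    for line in audit_status(SAMPLE_STATUS, {"aliyunClient"})[1]:
        print(line)
```

    The set of issued common names comes from the easy-rsa keys/index.txt on the server; any name connecting that is not in it was signed outside the documented build-key process and is worth an immediate look.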
6 Client configuration and connection
    6.1 Client configuration

    Copy ca.crt, aliyunClient.crt, aliyunClient.key and ta.key from the server to the client (e.g. Windows 8)
    Create the file aliyun.ovpn on the client and edit it
# This is a client
client

# Use routed IP (tun) mode, the same as the server
;dev tap
dev tun

# Name of the network adapter to use on Windows; not needed on Linux
;dev-node MyTap

# Protocol to use, the same as the server
;proto tcp
proto tcp

# Server address and port; several servers can be listed on
# separate lines for load balancing (tried from top to bottom)
remote 121.40.135.148 1194
;remote my-server-2 1194

# If several servers are listed above, let the client pick one at random
;remote-random

# Resolve the server's host name
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# The client does not need to bind to a port
# Most clients do not need to bind to
# a specific local port number.
nobind

# Likewise lets OpenVPN run as nobody (for safety)
# Note: cannot be set on Windows
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If the client goes through an HTTP proxy, set it here
# A proxy cannot be used with UDP as the VPN transport protocol
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks produce many redundant packets; set this to ignore them
;mute-replay-warnings

# Important: the CA certificate and the client's certificate and key
ca ca.crt
cert aliyunClient.crt
key aliyunClient.key

# If the server has the PAM authentication module enabled, the client must enable this as well
;auth-user-pass

# Some security measures
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Use LZO compression, the same as the server
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
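    With both files written, the server.conf from section 3.3.6 and this client profile can be checked against each other and against a few hardening points before the first connection attempt. The Python below is an added example, not code from the original post or from OpenVPN: it embeds the active directives of both files as they appear on this page, parses them the way OpenVPN reads config lines (';' and '#' start comments), and reports (a) server-side settings that work but are weak, and (b) settings the OpenVPN manual requires to agree between the two ends (proto, dev, cipher, compression, port, and the tls-auth key direction, which must be 0 on one side and 1 on the other or omitted on both). parse_ovpn, audit_server and cross_check are names made up for this example.

```python
import shlex

# Active directives of this page's server.conf and aliyun.ovpn (the commented
# sample lines are trimmed for space; nothing else is changed).
SERVER_CONF = """\
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.171.255.0 255.255.255.0"
client-to-client
tls-auth /etc/openvpn/ta.key
;cipher BF-CBC        # Blowfish (default)
comp-lzo
user nobody
group nobody
script-security 3
"""

CLIENT_CONF = """\
client
dev tun
proto tcp
remote 121.40.135.148 1194
nobind
ca ca.crt
cert aliyunClient.crt
key aliyunClient.key
;ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""


def parse_ovpn(text):
    """Parse OpenVPN config text into {directive: [args, ...]}.

    A line starting with ';' or '#' is a comment, and a trailing '# ...'
    after the arguments is dropped, as OpenVPN itself does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        toks = shlex.split(line, comments=True)
        if toks:
            conf.setdefault(toks[0], []).append(toks[1:])
    return conf


def audit_server(conf):
    """Server-side settings that work but weaken the setup."""
    f = []
    if "cipher" not in conf:
        f.append("no 'cipher': OpenVPN 2.3 defaults to BF-CBC (64-bit block); set e.g. AES-256-CBC on both ends")
    if "tls-auth" not in conf:
        f.append("no 'tls-auth': unauthenticated packets reach the TLS handshake code")
    for who in ("user", "group"):
        if who not in conf:
            f.append(f"no '{who}': the daemon keeps root after initialisation")
    if "crl-verify" not in conf:
        f.append("no 'crl-verify': a client certificate revoked with easy-rsa revoke-full is still accepted")
    if int(conf.get("script-security", [["0"]])[0][0]) >= 3:
        f.append("script-security 3 passes passwords to scripts via the environment; 2 suffices for connect scripts")
    if "client-to-client" in conf:
        f.append("client-to-client: traffic between clients is switched inside OpenVPN and never passes iptables")
    if "comp-lzo" in conf:
        f.append("comp-lzo: compressing before encryption leaks plaintext length; disable compression")
    return f


def cross_check(server, client):
    """Settings that the two ends must agree on."""
    f = []
    for key in ("proto", "dev", "cipher", "comp-lzo"):
        if server.get(key) != client.get(key):
            f.append(f"'{key}' differs: server {server.get(key)} vs client {client.get(key)}")
    port = server.get("port", [["1194"]])[0][0]
    remote = client.get("remote", [[None, port]])[0]
    if len(remote) > 1 and remote[1] != port:
        f.append(f"client connects to port {remote[1]} but the server listens on {port}")
    # Manual: the key direction is 0 on one side and 1 on the other, or omitted on both.
    sd = server.get("tls-auth", [[None]])[0][1:]
    cd = client.get("tls-auth", [[None]])[0][1:]
    if (sd, cd) not in (([], []), (["0"], ["1"]), (["1"], ["0"])):
        f.append(f"tls-auth direction mismatch: server {sd or 'omitted'}, client {cd or 'omitted'}")
    if "remote-cert-tls" not in client and "ns-cert-type" not in client:
        f.append("client never checks the server certificate's role (ns-cert-type / remote-cert-tls server): "
                 "any client certificate from this CA could impersonate the server")
    return f


if __name__ == "__main__":
    s, c = parse_ovpn(SERVER_CONF), parse_ovpn(CLIENT_CONF)
    for line in audit_server(s) + cross_check(s, c):
        print("-", line)
```

    On the two files above the audit reports five server-side points (no explicit cipher, no CRL, script-security 3, client-to-client, compression) and two cross-checks (the tls-auth direction is given only on the client, and the client never verifies that the server certificate was built with build-key-server); re-running it after the fixes is the cheapest regression test for the configuration.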
    6.2 Connecting the client
    6.2.1 Create a folder named aliyun in the client's OpenVPN installation directory

    Copy ca.crt, aliyunClient.crt, aliyunClient.key, ta.key and aliyun.ovpn into C:\Program Files\OpenVPN\config\aliyun
    6.2.2 Start the OpenVPN client and connect

    Connected successfully!
    6.2.3 Access the intranet through SecureCRT

    Intranet access successful!

****************************************************************************************
    Original article: http://blog.csdn.net/jesseyoung/article/details/41684705
    Blog home: http://blog.csdn.net/jesseyoung
****************************************************************************************


Reposted from blog.csdn.net/JesseYoung/article/details/41684705