Deploying OpenVPN on CentOS 7 in detail, with clients reaching the server's internal network

About OpenVPN

A VPN, literally a "virtual private channel", is a tunnel that provides secure data transmission between companies or between an individual and a company. OpenVPN is without doubt the pioneer among open-source VPNs on Linux; it offers good performance and a friendly GUI, and it supports multiple platforms.

It makes heavy use of the SSLv3/TLSv1 protocol functions in the OpenSSL library.

How it works

The technical core of OpenVPN is the virtual network interface; the SSL protocol implementation comes second. Since the SSL protocol is described well enough elsewhere, this section focuses on the virtual interface and how it works inside OpenVPN.

The virtual interface is a driver written with low-level network programming; once installed, the host gains an extra network interface that can be configured like any other. A service program can open the virtual interface from user space: if an application (a browser, say) sends data to the virtual interface, the service program can read that data, and if the service program writes suitable data to the virtual interface, the application receives it. Virtual interfaces exist on many operating systems, which is a major reason OpenVPN is cross-platform.

In OpenVPN, when a user accesses a remote virtual address (one from the range assigned to the virtual interface, as opposed to a real address), the operating system's routing delivers the IP packet (TUN mode) or Ethernet frame (TAP mode) to the virtual interface. The service program receives the data, processes it, and sends it out over the public network through a socket; the remote service program receives it from its socket, processes it, and writes it to its own virtual interface, where the application receives it. That completes one direction of the transfer; the reverse direction works the same way.

Encryption

OpenVPN uses the OpenSSL library to encrypt both the data and the control channel: it relies on OpenSSL's encryption and authentication functions, which means it can use any algorithm OpenSSL supports. It offers optional HMAC protection of packets to improve connection security, and OpenSSL hardware acceleration can improve its performance.

OpenVPN deployment

Environment

System version   Kernel version   OpenVPN version   easy-rsa version
CentOS 7.5       5.0.5-1          openvpn-2.4.7     easy-rsa-3.0.3

  1. CentOS installed with the minimal install
  2. Two network interfaces
    1. eth0: 192.168.1.64 # simulated public IP
    2. eth1: 172.16.1.10 # simulated internal IP
  3. selinux, iptables, firewalld and NetworkManager turned off

Installation

OpenVPN and easy-rsa are installed with yum, so the EPEL repository is required, otherwise the packages are not found. I use Alibaba's EPEL mirror.

The Alibaba Cloud mirror site is: https://opsx.alibaba.com/mirror

Or copy the command directly: wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo ; running it downloads the EPEL repo file.

1. Install dependencies

yum makecache   # makecache is a yum subcommand (refresh metadata), not a package, so it gets its own command
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

2. Install OpenVPN

yum install -y openvpn easy-rsa

3. Verify the installation

[root@openvpn ~]# rpm -qa | grep openvpn
openvpn-2.4.7-1.el7.x86_64
[root@openvpn ~]# rpm -qa | grep easy
easy-rsa-3.0.3-1.el7.noarch

Configuration

1. Copy easy-rsa

cp -R /usr/share/easy-rsa/ /etc/openvpn/

2. Copy the vars file that easy-rsa reads its settings from

cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/3.0.3/vars

3. Edit the copied vars file

[root@openvpn ~]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@openvpn 3.0.3]# cp vars vars.example  # keep a backup
[root@openvpn 3.0.3]# ls
easyrsa  openssl-1.0.cnf  pki  vars  vars.example  x509-types
[root@openvpn 3.0.3]# egrep '^set_var' vars  # uncomment the following lines
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY    "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL   "me@example.net"
set_var EASYRSA_REQ_OU      "My Organizational Unit"

4. Copy the default OpenVPN configuration file into the OpenVPN working directory

cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/

Server certificate generation and configuration

Generate the server certificates

1. Initialise a new pki directory structure

This initialisation step creates the pki directory automatically

[root@openvpn ~]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@openvpn 3.0.3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki

2. Generate the CA root certificate

The nopass parameter creates the CA without setting a passphrase on its key.

Generate ca.crt

[root@openvpn 3.0.3]# ./easyrsa build-ca  nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
...............+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.eaRLZMVt5B'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    # just press Enter here; nothing needs to be typed, because the values uncommented in the vars file above are filled in automatically.

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt

3. Generate the key pair and certificate request

Again use the nopass parameter so that the key has no passphrase

Generate server.req and server.key

[root@openvpn 3.0.3]# ./easyrsa gen-req server  nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...................................................................+++
................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.nW3aKUSpAO'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:     # press Enter here

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key

4. Sign the server.req file with the CA root certificate to produce the server certificate

Generate server.crt

[root@openvpn 3.0.3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes      # type yes here
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Apr 16 07:59:04 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

5. Create the Diffie-Hellman parameters

Generate dh.pem

[root@openvpn 3.0.3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
# many dots and plus signs are printed here; wait until the line below appears
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

6. Copy the generated server certificates into the working directory

cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt /etc/openvpn/server/    # server.conf expects this file as its cert
cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key /etc/openvpn/server/       # not read by server.conf; only needed for signing, so it can also stay in pki/private
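Before starting the service it is worth checking the files in /etc/openvpn/server/ the way the client later will: does each certificate chain to ca.crt, does server.crt carry the server extended key usage that `easyrsa sign server` adds (and client.crt only the client one), and does server.key actually belong to server.crt. The script below is an added example, not part of the original post or of easy-rsa: to run anywhere it first builds a throwaway CA, server and client certificate with plain openssl in a scratch directory (standing in for the pki/ tree produced above), then runs the checks on them; point the check functions at the real pki/ files to use them for real.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# certificate material copied into /etc/openvpn/server/. The demo PKI built
# here with plain openssl mirrors what `easyrsa build-ca`, `gen-req` and
# `sign` produced above, so the script is self-contained.

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 0; }

# Create a request for $2 under $1 and sign it with the demo CA, adding the
# extendedKeyUsage $3. The EKU is the only difference between a server and a
# client certificate; easy-rsa adds it from x509-types/server or x509-types/client.
sign_demo_cert() {
    dir=$1; name=$2; eku=$3
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.req" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$eku" > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# Build ca.crt/ca.key, server.crt/server.key and client.crt/client.key under $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # self-signed CA, like `easyrsa build-ca nopass`
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    sign_demo_cert "$dir" server serverAuth   # like `easyrsa sign server server`
    sign_demo_cert "$dir" client clientAuth   # like `easyrsa sign client client`
}

# Check that $2.crt under $1 chains to ca.crt and carries the expected EKU text
# ($3 is "Web Server" or "Web Client", as printed by `openssl x509 -text`).
# Prints "ok", "chain-fail" or "eku-missing".
check_cert() {
    dir=$1; name=$2; eku=$3
    if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
        echo chain-fail; return 1
    fi
    if openssl x509 -in "$dir/$name.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q "$eku"; then
        echo ok
    else
        echo eku-missing; return 1
    fi
}

# Check that $2.key under $1 is the private key matching $2.crt by comparing
# the RSA modulus of both; copying the wrong key file is a common mistake.
# Prints "ok" or "mismatch".
check_keypair() {
    dir=$1; name=$2
    cm=$(openssl x509 -in "$dir/$name.crt" -noout -modulus)
    km=$(openssl rsa -in "$dir/$name.key" -noout -modulus 2>/dev/null)
    if [ -n "$cm" ] && [ "$cm" = "$km" ]; then echo ok; else echo mismatch; return 1; fi
}

# Demo run on the scratch PKI.
d=$(mktemp -d)
make_demo_pki "$d"
echo "server cert:                $(check_cert "$d" server 'Web Server')"
echo "client cert:                $(check_cert "$d" client 'Web Client')"
echo "client cert used as server: $(check_cert "$d" client 'Web Server')"
echo "server key matches cert:    $(check_keypair "$d" server)"
rm -rf "$d"
```

The third line of the demo output is the point of the server/client distinction: a certificate signed with `easyrsa sign client` lacks the server EKU, which is what lets a client configured with `remote-cert-tls server` refuse it if it is ever presented as the VPN server.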

OpenVPN server configuration file

[root@openvpn 3.0.3]# cd /etc/openvpn/
[root@openvpn openvpn]# cat server.conf 
# Sample OpenVPN 2.0
local 192.168.1.64
port 1194
proto udp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem

# address pool from which connecting clients get their tunnel IP
server 10.8.0.0 255.255.255.0

# records which client got which 10.8.0.x address, so a client keeps it across reconnects
ifconfig-pool-persist /etc/openvpn/ipp.txt

# the server's internal network; without this route the clients cannot reach the internal network after connecting
push "route 172.16.1.0 255.255.255.0"

keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
# the sample config says to use either log or log-append, not both; log-append keeps the history across restarts
log-append  /etc/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
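Two mistakes in a server.conf are easy to make and silent at start-up: a directive left in twice (OpenVPN honours the last occurrence of a single-value option) and a ca/cert/key/dh path that was never copied into place. The script below is an added example, not part of the original post: it parses a server.conf for both problems. Its demo writes a constructed copy of the config above, with relative paths, into a scratch directory together with only the files a copy step that forgot server.crt would leave behind; point the two functions at /etc/openvpn/server.conf for real use.

```shell
#!/bin/sh
# Added example (not from the original post): two checks to run on
# /etc/openvpn/server.conf before `systemctl start openvpn@server`.

# Print every directive that occurs more than once in the config, ignoring
# comments and blank lines. Directives that may legitimately repeat (push,
# route, remote) are skipped. For single-value options OpenVPN honours the last
# occurrence, so a duplicate usually means one line is a forgotten leftover.
conf_duplicates() {
    sed -e 's/[#;].*//' "$1" \
    | awk 'NF && $1 != "push" && $1 != "route" && $1 != "remote" { n[$1]++ }
           END { for (k in n) if (n[k] > 1) print k }' \
    | sort
}

# Print the path of every ca/cert/key/dh file named in the config that does
# not exist. Relative paths are resolved against the directory containing the
# config, matching how the openvpn@.service unit starts the daemon
# (with --cd /etc/openvpn/).
conf_missing_files() {
    conf=$1; base=$(dirname "$conf")
    sed -e 's/[#;].*//' "$conf" \
    | awk '$1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "dh" { print $2 }' \
    | while read -r p; do
        case $p in /*) f=$p ;; *) f=$base/$p ;; esac
        [ -e "$f" ] || echo "$f"
      done
}

# Constructed sample: a server.conf with the directives used above (paths made
# relative to $1) plus a duplicated ifconfig-pool-persist line, and a server/
# directory where server.crt was never copied.
write_demo_conf() {
    dir=$1
    mkdir -p "$dir/server"
    : > "$dir/server/ca.crt"; : > "$dir/server/server.key"; : > "$dir/server/dh.pem"
    cat > "$dir/server.conf" <<'EOF'
local 192.168.1.64
port 1194
proto udp
dev tun
ca server/ca.crt
cert server/server.crt
key server/server.key
dh server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt   # address pool state
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
verb 3
EOF
}

# Demo run on the scratch config.
d=$(mktemp -d)
write_demo_conf "$d"
echo "duplicate directives: $(conf_duplicates "$d/server.conf")"
echo "missing files:        $(conf_missing_files "$d/server.conf")"
rm -rf "$d"
```

One caveat that the config alone does not cover: `push "route 172.16.1.0 255.255.255.0"` only tells the client to send that prefix into the tunnel. For the traffic to get through, the server must have net.ipv4.ip_forward set to 1, and the hosts on 172.16.1.0/24 need a route back to 10.8.0.0/24 via 172.16.1.10 (or the server must NAT the tunnel traffic), otherwise the replies never return.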

Starting and stopping OpenVPN

Start the OpenVPN service

systemctl start openvpn@server

Stop the OpenVPN service

systemctl stop openvpn@server

Enable the OpenVPN service at boot

systemctl enable openvpn@server

Disable the OpenVPN service at boot

systemctl disable openvpn@server

Client certificate generation and configuration

Generate the client certificate

1. Generate the client key pair and certificate request

Again use the nopass parameter so that the key has no passphrase

Generate client.req and client.key

[root@openvpn openvpn]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@openvpn 3.0.3]# ./easyrsa gen-req client nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.................+++
..........................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/client.key.rTBHS5Ra17'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/client.key

2. Sign the client certificate

Earlier we used the CA root certificate to sign the server request and obtain server.crt; now client.req is signed by the same CA in the same way (as a client-type certificate) to obtain client.crt

Generate client.crt

[root@openvpn 3.0.3]# ./easyrsa sign client client

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = client


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Apr 16 08:41:12 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/client.crt

Client connection configuration

1. First download the client certificate and the CA certificate

The client certificate and the CA certificate just generated need to be downloaded

Download them with the sz command

If the sz/rz commands are not available, install them with yum install lrzsz -y

sz /etc/openvpn/easy-rsa/3.0.3/pki/issued/client.crt
sz /etc/openvpn/easy-rsa/3.0.3/pki/private/client.key
sz /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt

2. Client configuration file

After downloading, create a client folder on the desktop and put the three downloaded files in it

In the client folder, create a file named client.ovpn with the following content:

client
proto udp
dev tun
remote 192.168.1.64 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3

Note: name the .ovpn file after the user and do not reuse names, otherwise the client reports an error
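Instead of handing each user a folder with client.ovpn plus three certificate files, OpenVPN also accepts the certificates inline in the profile (`<ca>`, `<cert>` and `<key>` blocks), so one .ovpn per user is enough and the file naming rule above takes care of itself. The script below is an added example, not part of the original post: it assembles such a profile from ca.crt, <user>.crt and <user>.key, carrying over the directives from client.ovpn above with the server address 192.168.1.64, and adds one line that the original config lacks, `remote-cert-tls server`. The demo uses constructed placeholder PEM files.

```shell
#!/bin/sh
# Added example (not from the original post): build a unified .ovpn profile
# with the certificates embedded inline.

# Write a unified profile for user $1 to $2/$1.ovpn, reading ca.crt, $1.crt and
# $1.key from directory $2. Prints the output path; fails if a file is missing.
make_profile() {
    user=$1; dir=$2; out=$dir/$user.ovpn
    for f in ca.crt "$user.crt" "$user.key"; do
        [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    {
        cat <<EOF
client
proto udp
dev tun
remote 192.168.1.64 1194
resolv-retry infinite
nobind
# added relative to the post's client.ovpn: only accept a certificate that was
# signed as a server-type certificate (easyrsa sign server), so another client
# certificate from the same CA cannot be accepted as the VPN server
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3
EOF
        printf '<ca>\n';   cat "$dir/ca.crt";     printf '</ca>\n'
        printf '<cert>\n'; cat "$dir/$user.crt";  printf '</cert>\n'
        printf '<key>\n';  cat "$dir/$user.key";  printf '</key>\n'
    } > "$out"
    echo "$out"
}

# Count the inline blocks in profile $1 (a complete profile has 3: ca, cert, key).
profile_blocks() {
    grep -cE '^<(ca|cert|key)>$' "$1"
}

# Demo with constructed placeholder PEM files (not real certificates).
d=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n' > "$d/ca.crt"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CERT\n-----END CERTIFICATE-----\n' > "$d/alice.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n' > "$d/alice.key"
p=$(make_profile alice "$d") && echo "wrote $p with $(profile_blocks "$p") inline blocks"
rm -rf "$d"
```

The profile embeds the private key, so it must be distributed and stored with the same care as client.key itself; one profile per user also means a lost or leaked profile can be revoked by revoking just that user's certificate.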

3. Install the client software

Client download address: (download link)

If the link above is dead, it can be downloaded from Baidu Netdisk: (netdisk link) extraction code: y7fd

Because "VPN" is a sensitive string, I removed those three letters; the downloaded package name only contains "open".

After downloading, install it; it is simple, just click Next through the installer.

After installing, right-click the OpenVPN desktop icon and choose Properties, click Open File Location, then go up one level to the install directory, where you will see a folder named config. Copy the client folder you just created into the config folder.

Finally run OpenVPN; a small monitor icon appears in the bottom-right corner of the desktop. Right-click it and click Connect.


Reposted from www.cnblogs.com/winstom/p/10737218.html