1、配置yum源
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum update
yum repolist
2、下载证书生成工具easy-rsa
yum -y install easy-rsa
3、创建证书环境目录
- 如果没有vars模板,直接创建、
mkdir -p /opt/easy-rsa
cp -a /usr/share/easy-rsa/3.0.8/* /opt/easy-rsa/
cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example /opt/easy-rsa/vars
4、生成秘钥前,准备vars文件
- vim /opt/easy-rsa/vars
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Guangzhou"
set_var EASYRSA_REQ_CITY "Guangzhou"
set_var EASYRSA_REQ_ORG "change"
set_var EASYRSA_REQ_EMAIL "change@163.com"
set_var EASYRSA_NS_SUPPORT "yes"
5、初始化
[root@openvpn easy-rsa]# cd /opt/easy-rsa/
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa init-pki
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easy-rsa/pki
6、创建根证书(记住ca证书密码)
- 根证书用于ca对之后生成的server和client证书签名时使用。(输入两次密码,直接回车)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa build-ca
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
.....+++
..........................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easy-rsa/pki/ca.crt
7、创建server端证书和私钥文件
- nopass表示不加密私钥文件,生成过程中直接回车默认
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...........................+++
........................................................................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-1326.TIfM4D/tmp.rxSnIM'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/server.req
key: /opt/easy-rsa/pki/private/server.key
8、给server证书签名(输入yes,输入ca证书密码)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign server server
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-1397.ds5qpo/tmp.lX0IFN
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jun 3 14:02:46 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/server.crt
9、创建Diffie-Hellman文件,秘钥交换时的Diffie-Hellman算法
[root@openvpn easy-rsa]#/opt/easy-rsa/easyrsa gen-dh
10、创建client端证书和私钥文件
- nopass表示不加密私钥文件,生成过程中直接回车默认
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa gen-req client nopass
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
..................................................................+++
...................................................................................................................+++
writing new private key to '/opt/easy-rsa/pki/easy-rsa-1761.HYs4Xv/tmp.z02JuI'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /opt/easy-rsa/pki/reqs/client.req
key: /opt/easy-rsa/pki/private/client.key
11、给client端证书签名(输入yes,输入ca证书密码)
[root@openvpn easy-rsa]# /opt/easy-rsa/easyrsa sign client client
Note: using Easy-RSA configuration from: /opt/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /opt/easy-rsa/pki/easy-rsa-1828.VwQHeF/tmp.eYqBSS
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Jun 3 14:09:37 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /opt/easy-rsa/pki/issued/client.crt
12、安装openvpn
yum -y install openvpn
13、修改配置文件 DNS是我自建服务器,如没有可以注释
port 1994
#端口
proto udp
#协议
dev tun
#采用路由隧道模式tun
ca ca.crt
#ca证书文件位置
cert server.crt
#服务端公钥名称
key server.key
#服务端私钥名称
dh dh.pem
#交换证书
server 10.8.0.0 255.255.255.0
#给客户端分配地址池,注意:不能和VPN服务器内网网段有相同
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.100.1.100"
#配置dns服务器
ifconfig-pool-persist ipp.txt
#地址池记录文件位置
keepalive 10 120
#存活时间,10秒ping一次,120 如未收到响应则视为断线
max-clients 100
#最多允许100个客户端连接
status openvpn-status.log
#日志记录位置
verb 3
#openvpn日志版本
client-to-client
#客户端与客户端之间支持通信
log /var/log/openvpn.log
#openvpn日志记录位置
persist-key
#通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys。
persist-tun
#检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup
duplicate-cn
14、拷贝证书到openvpn主配置文件目录下
cp -a /opt/easy-rsa/pki/ca.crt /etc/openvpn/
cp -a /opt/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp -a /opt/easy-rsa/pki/private/server.key /etc/openvpn/
cp -a /opt/easy-rsa/pki/dh.pem /etc/openvpn/
15、启动设置自动启动
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
16、配置客户端
拷贝服务端生成的证书到OpenVPN安装目录的config目录下
/opt/easy-rsa/pki/ca.crt
/opt/easy-rsa/pki/issued/client.crt
/opt/easy-rsa/pki/private/client.key
- 编写客户端配置文件 配置文件可以直接使用尖括号ca、/ca写入
client
#指定当前VPN是客户端
dev tun
#使用tun隧道传输协议
proto udp
#使用udp协议传输数据
remote xx.xx.xx.xx 1994
#openvpn服务器IP地址端口号
resolv-retry infinite
#断线自动重新连接,在网络不稳定的情况下非常有用
nobind
#不绑定本地特定的端口号
ca ca.crt
#指定CA证书的文件路径
cert client.crt
#指定当前客户端的证书文件路径
key client.key
#指定当前客户端的私钥文件路径
verb 3
#指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细
persist-key
#通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys
persist-tun
#检测超时后,重新启动VPN,一直保持tun是linkup的。否则网络会先linkdown然后再linkup
17、开启ipv4转发
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
18、防火墙放行
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables-save
注意事项
1、如果是内网机器 需要通过路由器nat转发到指定内网机器端口
2、请记住根证书ca密码
3、开启端口转发和放行内网段IP