OpenVPN 2.1.2 setup and installation (part 1)
Install OpenVPN. First change to /usr/local:
cd /usr/local
Download the LZO compression library, used to compress the data sent through the tunnel:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
tar xf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make && make install
cd ..
Since OpenVPN depends on OpenSSL, install it, then fetch and build OpenVPN:
yum install -y openssl*
wget https://openvpn.net/release/openvpn-2.1.2.tar.gz
tar xf openvpn-2.1.2.tar.gz
cd openvpn-2.1.2
./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
make && make install
cd ..
The path to the LZO library has to be given to ./configure explicitly (the --with-lzo-headers and --with-lzo-lib options above), because it was installed under /usr/local.
Create the certificates. The client and the server share one CA certificate, so create that first. Back up the vars file before editing it:
cd /usr/local/openvpn-2.1.2/easy-rsa/2.0/
cp vars vars`date +%T-%F`
vim vars
Change the following values in vars (they become the defaults for every certificate's Distinguished Name), then source the file:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="usertzc@163.com"
[root@node 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]#
Running clean-all removes every file under keys; it has to be run the first time (and only then, since it would also delete an existing CA):
[root@node 2.0]# ./clean-all
Generate the CA:
[root@node 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:linuxea
Name []:
Email Address [usertzc@163.com]:
[root@node 2.0]#
The CA files are generated as follows (note that ca.key is created mode 0600; it is the root of trust for the whole VPN and should never leave this host):
[root@node 2.0]# ll keys/
total 12
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root  916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root    0 Mar 10 06:40 index.txt
-rw-r--r-- 1 root root    3 Mar 10 06:40 serial
[root@node 2.0]#
Generate the server certificate and key:
[root@node 2.0]# ./build-key-server server
Press Enter through the prompts and answer y at the two confirmations; the following is generated:
[root@node 2.0]# ll keys/
total 40
-rw-r--r-- 1 root root 3882 Mar 10 06:46 01.pem
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root  916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root  111 Mar 10 06:46 index.txt
-rw-r--r-- 1 root root   21 Mar 10 06:46 index.txt.attr
-rw-r--r-- 1 root root    0 Mar 10 06:40 index.txt.old
-rw-r--r-- 1 root root    3 Mar 10 06:46 serial
-rw-r--r-- 1 root root    3 Mar 10 06:40 serial.old
-rw-r--r-- 1 root root 3882 Mar 10 06:46 server.crt
-rw-r--r-- 1 root root  676 Mar 10 06:46 server.csr
-rw------- 1 root root  916 Mar 10 06:46 server.key
Generate the client certificate and key files:
[root@node 2.0]# ./build-key linuxeacom
Press Enter through the prompts and answer y at the confirmations; the keys directory now contains:
[root@node 2.0]# ll keys/
total 64
-rw-r--r-- 1 root root 3882 Mar 10 06:46 01.pem
-rw-r--r-- 1 root root 3769 Mar 10 06:50 02.pem
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root  916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root  226 Mar 10 06:50 index.txt
-rw-r--r-- 1 root root   21 Mar 10 06:50 index.txt.attr
-rw-r--r-- 1 root root   21 Mar 10 06:46 index.txt.attr.old
-rw-r--r-- 1 root root  111 Mar 10 06:46 index.txt.old
-rw-r--r-- 1 root root 3769 Mar 10 06:50 linuxeacom.crt
-rw-r--r-- 1 root root  684 Mar 10 06:50 linuxeacom.csr
-rw------- 1 root root  916 Mar 10 06:50 linuxeacom.key
-rw-r--r-- 1 root root    3 Mar 10 06:50 serial
-rw-r--r-- 1 root root    3 Mar 10 06:46 serial.old
-rw-r--r-- 1 root root 3882 Mar 10 06:46 server.crt
-rw-r--r-- 1 root root  676 Mar 10 06:46 server.csr
-rw------- 1 root root  916 Mar 10 06:46 server.key
Generate the Diffie-Hellman parameter file used for the key exchange; it is written under keys:
[root@node 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................................................................................+.............+..........+.....................+.......................+...+...............+........+.................+...........+......+..................................+....+..............................................................................+............................................+..+................................+.......................................................................................................................................+..+........................................................................+.++*++*++*
[root@node 2.0]#
The resulting file:
-rw-r--r-- 1 root root 245 Mar 10 06:56 dh1024.pem
Create the configuration and certificate directory:
[root@node ~]# mkdir /etc/openvpn
Copy the keys and the sample configuration files into /etc/openvpn:
[root@node 2.0]# cp -ap keys /etc/openvpn/
[root@node 2.0]# cp /usr/local/openvpn-2.1.2/sample-config-files/* /etc/openvpn/
For convenience, strip the comment lines (those starting with ; or #) and blank lines from the sample server config:
[root@node openvpn]# mv server.conf server.conf.bak
[root@node openvpn]# grep -vE "^;|#|^$" server.conf.bak >> ./server.conf
The result, with the meaning of each directive:
local                              # address the OpenVPN server listens on
port 1194                          # port
proto udp                          # protocol
dev tun
ca ca.crt                          # CA certificate
cert server.crt                    # server certificate
dh dh1024.pem                      # DH parameters for the key exchange
server 10.8.0.0 255.255.255.0      # address pool handed out to clients
ifconfig-pool-persist ipp.txt
keepalive 10 120                   # ping every 10 s; treat the client as gone after 120 s without a reply
comp-lzo
persist-key                        # on a restart after a timeout, keep using the key already loaded
persist-tun                        # on a keepalive-triggered restart, keep the tun/tap device up
status openvpn-status.log          # status log
verb 3                             # log verbosity
[root@node openvpn]#
Note that the # in the grep pattern is not anchored, so any line carrying a trailing comment is dropped as well. In the sample file that includes "key server.key  # This file should be kept secret", which is why no key line appears here; it is added back by hand in the edited file.
The edited configuration file:
[root@node openvpn]# vim server.conf
local 10.0.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 172.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
log /var/log/openvpn.log
Note that 172.8.0.0/24 is not an RFC 1918 private range; the server log shown later in this post has clients receiving addresses from 10.8.0.0/24, the sample file's original pool.
Prepare the server environment. Open the VPN port in iptables (the rule must match the proto and port in server.conf, here TCP 1194) and check SELinux:
[root@node openvpn]# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
[root@node openvpn]# setenforce 0
setenforce: SELinux is disabled
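The grep above silently drops every sample line that has a trailing comment, and the firewall rule has to track whatever proto and port the config ends up with. As an added example (not the post's own script; function names are hypothetical and the server.conf below is constructed), a small POSIX sh lint that flags the directives lost that way and derives the matching iptables rule from the config:

```sh
#!/bin/sh
# Added example, not from the original post. The unanchored "#" in the grep
# also removes any line with a trailing comment; in the stock sample config
# that includes "key server.key  # This file should be kept secret", while
# ";user nobody", ";group nobody" and ";tls-auth ta.key 0" stay disabled.

# conf_get FILE DIRECTIVE -> prints the directive's arguments (empty if unset)
conf_get() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# lint_server_conf FILE -> one finding per line; returns 1 if anything was found
lint_server_conf() {
    rc=0
    for d in ca cert key dh server; do
        [ -n "$(conf_get "$1" "$d")" ] || { echo "MISSING: '$d' directive"; rc=1; }
    done
    [ -n "$(conf_get "$1" user)" ]     || { echo "WARN: no 'user': daemon keeps root"; rc=1; }
    [ -n "$(conf_get "$1" group)" ]    || { echo "WARN: no 'group': daemon keeps root group"; rc=1; }
    [ -n "$(conf_get "$1" tls-auth)" ] || { echo "WARN: no 'tls-auth': control channel not HMAC-authenticated"; rc=1; }
    return "$rc"
}

# firewall_rule FILE -> the INPUT rule matching the config's proto and port,
# so switching the config from udp to tcp (as in the post) is not missed
firewall_rule() {
    proto="$(conf_get "$1" proto)"; port="$(conf_get "$1" port)"
    echo "iptables -A INPUT -p ${proto:-udp} --dport ${port:-1194} -j ACCEPT"
}

# Constructed sample: the post's server.conf as the grep leaves it (no 'key' line)
CONF="${TMPDIR:-/tmp}/server.conf.$$"
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
local 10.0.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
dh /etc/openvpn/keys/dh1024.pem
server 172.8.0.0 255.255.255.0
verb 3
EOF

if lint_server_conf "$CONF"; then echo "server.conf: no findings"; fi
firewall_rule "$CONF"
```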
Enable IP forwarding in the kernel. The sed keeps everything up to "net.ipv4.ip_forward = " (backreference \1) and appends the literal 1, then sysctl -p loads the change:
[root@node openvpn]# sed -ri 's@(.*_fo.*= ).*@\11@g' /etc/sysctl.conf
[root@node openvpn]# sysctl -p
Start the server with the configuration file given explicitly (make install puts the binary in /usr/local/sbin):
[root@node openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
Start on boot:
echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >>/etc/rc.local
Alternatively, install the sample init script and register it with chkconfig:
[root@node openvpn]# cp /usr/local/openvpn-2.1.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@node openvpn]# chmod +x /etc/init.d/openvpn
[root@node openvpn]# chkconfig --add openvpn
The init script needs one change: replace *.conf with server.conf. Several config files were copied into /etc/openvpn (the sample files), so the script would otherwise pick up the wrong one; state explicitly which config file to start with:
for c in `/bin/ls server.conf 2>/dev/null`; do
After starting through the script, the daemon is visible in the process list:
[root@node openvpn]# ps -ef|grep vpn
root      2934     1  0 08:01 ?        00:00:00 /usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn
root      2950  2011  0 08:02 pts/0    00:00:00 grep vpn
[root@node openvpn]#
Client side: download and install https://openvpn.net/release/openvpn-2.1.2-install.exe. Copy ca.crt, linuxeacom.crt and linuxeacom.key to the Windows install directory C:\Program Files (x86)\OpenVPN\config, create a linuxea directory under config, and copy ca.crt, linuxeacom.crt and linuxeacom.key into it. linuxeacom.key is the client's private key: transfer it over a secure channel and do not reuse it for other clients.
Download the edited client configuration into C:\Program Files (x86)\OpenVPN\config\linuxeacom as Linuxeacom.ovpn. Its contents (the client configuration file):
[root@node openvpn]# egrep -v "^#|^;|^$" client.conf
client
dev tun
proto tcp                 # TCP, matching the server
remote 10.0.0.4 1194      # server address and port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert linuxeacom.crt       # the user's certificate
key linuxeacom.key        # the user's key
ns-cert-type server
comp-lzo
verb 3
After the client connects, check the server log:
[root@node openvpn]# cat /var/log/openvpn.log
Thu Mar 10 08:42:01 2016 MULTI: multi_create_instance called
Thu Mar 10 08:42:01 2016 Re-using SSL/TLS context
Thu Mar 10 08:42:01 2016 LZO compression initialized
Thu Mar 10 08:42:01 2016 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Mar 10 08:42:01 2016 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 10 08:42:01 2016 Local Options hash (VER=V4): 'c0103fa8'
Thu Mar 10 08:42:01 2016 Expected Remote Options hash (VER=V4): '69109d17'
Thu Mar 10 08:42:01 2016 TCP connection established with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 TCPv4_SERVER link local: [undef]
Thu Mar 10 08:42:01 2016 TCPv4_SERVER link remote: 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 TLS: Initial packet from 10.0.0.3:59364, sid=698dad12 0424ce72
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=1, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxea/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=0, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 [linuxeacom] Peer Connection Initiated with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 linuxeacom/10.0.0.3:59364 MULTI: Learn: 10.8.0.6 -> linuxeacom/10.0.0.3:59364
Thu Mar 10 08:42:01 2016 linuxeacom/10.0.0.3:59364 MULTI: primary virtual IP for linuxeacom/10.0.0.3:59364: 10.8.0.6
Thu Mar 10 08:42:03 2016 linuxeacom/10.0.0.3:59364 PUSH: Received control message: 'PUSH_REQUEST'
Thu Mar 10 08:42:03 2016 linuxeacom/10.0.0.3:59364 SENT CONTROL [linuxeacom]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
The two VERIFY OK lines show the client certificate (CN=linuxeacom) chaining to the CA created above (CN=linuxea). The log also shows what this 2.1.2 build negotiates by default: BF-CBC with SHA1 on the data channel and 1024-bit RSA keys, matching the 1024-bit sizes chosen by easy-rsa's build-ca and build-dh.
If the client cannot connect, check that the driver (the TAP adapter on Windows) was installed and that the configuration files contain no errors.