Docs/openvpn/Centos中openvpn安装配置文档.md
2022-10-18 16:59:37 +08:00


***<font color="#FF0000">This document sets up OpenVPN in routed (tun) mode</font><br />***
### Systems and roles
|Role|System and version|
|:---:|:---:|
|Server|CentOS 8|
|Client|Windows 10|
### Software and versions
|Software|Version|
|:---:|:---:|
|openvpn|2.4.10|
|easy-rsa|3.0.8|
## Install the prerequisite packages
```bash
yum install -y epel-release
yum update -y
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel
```
## Install openvpn and easy-rsa
```bash
yum install -y openvpn easy-rsa
```
## Choose the private subnet
*The VPN subnet used between server and clients must not overlap with any existing network.*
Default: 10.8.0.0/16
## Generate the certificates and keys
*Procedure for easy-rsa 3.x:*
```bash
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
## Initialise the PKI directory (creates ./pki)
./easyrsa init-pki
## Build the CA certificate and key without a passphrase; you will be prompted for a Common Name.
## nopass leaves pki/private/ca.key unencrypted, so keep that directory readable by root only.
./easyrsa build-ca nopass
## Generate the server certificate and key (pki/issued/server.crt, pki/private/server.key)
./easyrsa build-server-full server nopass
## Generate the client certificates and keys
./easyrsa build-client-full client1 nopass
./easyrsa build-client-full client2 nopass
## Generate dh.pem (may take several minutes)
./easyrsa gen-dh
## Generate the tls-auth key ta.key (written to the current directory, /etc/openvpn/easy-rsa)
openvpn --genkey --secret ta.key
```
*Procedure for easy-rsa 2.x:*
```bash
# Load the variables (KEY_SIZE, KEY_COUNTRY, ...) used by the scripts below
. ./vars
# Wipe the keys directory and start from scratch
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-dh
openvpn --genkey --secret ta.key
```
## Configure the server
### Create the required directories
```bash
# Log directory
mkdir -p /var/log/openvpn/
# Directory for the user/password files
mkdir -p /etc/openvpn/server/user
# Give the openvpn user ownership of the log directory (the daemon drops to user/group openvpn)
chown openvpn:openvpn /var/log/openvpn
```
### Create the server configuration file
*Edit /etc/openvpn/server/server.conf*
```bash
#################################################
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# Comments are preceded with '#' or ';' #
#################################################
port 30003
proto tcp-server
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
dev tun # TUN/TAP virtual network device
user openvpn
group openvpn
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/easy-rsa/ta.key 0
## Using System user auth.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
## Using Script Plugins
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
# client-cert-not-required # Deprecated option, replaced by verify-client-cert
# Without an argument verify-client-cert means "require": a valid client certificate is needed in addition to the username/password
verify-client-cert
username-as-common-name
## Connecting clients to be able to reach each other over the VPN.
client-to-client
## Allow multiple clients with the same common name to concurrently connect.
duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
server 10.8.8.0 255.255.255.0
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 1.1.1.1"
push "route 172.19.0.0 255.255.0.0"
ifconfig-pool-persist ipp.txt
# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
compress lzo
push "compress lzo"
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 10 120
persist-key
persist-tun
verb 3
# log truncates the file at every start, log-append keeps it; one of the two is sufficient
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
```
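Most first-start failures of this configuration come from the file paths in it: a certificate that is not where `server.conf` says, a key or `ta.key` left world-readable, or an auth script without execute permission. The pre-flight check below is an added example and not part of the original document; it parses the `ca`, `cert`, `key`, `dh`, `tls-auth` and `auth-user-pass-verify` directives of a given config file, resolves relative paths against the config's directory (which is what `openvpn-server@.service` does, as it sets `WorkingDirectory=/etc/openvpn/server`), and reports each problem. The demo directory and files it builds are constructed throw-away values.

```shell
#!/bin/sh
# Added example (not from the original document): a pre-flight check for an
# OpenVPN server.conf. It verifies that every file referenced by the
# ca / cert / key / dh / tls-auth / auth-user-pass-verify directives exists,
# that private material (key, tls-auth secret) is not group- or world-readable,
# and that the auth script is executable. Missing or unreadable files otherwise
# only show up as a failed start in /var/log/openvpn/server.log.

# check_openvpn_conf CONF
# Prints one line per problem found; the return value is the number of problems
# (0 means the referenced files look sane).
check_openvpn_conf() {
    conf="$1"
    confdir=$(dirname "$conf")
    problems=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi
    while read -r directive arg rest; do
        case "$directive" in
            ca|cert|key|dh|tls-auth|auth-user-pass-verify) ;;
            *) continue ;;   # comments, blank lines and other directives
        esac
        # Relative paths are resolved against the config directory, which is
        # what openvpn-server@.service does (WorkingDirectory=/etc/openvpn/server).
        case "$arg" in
            /*) path="$arg" ;;
            *)  path="$confdir/$arg" ;;
        esac
        if [ ! -e "$path" ]; then
            echo "$directive: $path does not exist"
            problems=$((problems + 1))
            continue
        fi
        case "$directive" in
            key|tls-auth)
                # group/other permission bits from ls -l, e.g. "-rw-r--r--" -> "r--r--"
                others=$(ls -ld "$path" | cut -c5-10)
                if [ "$others" != "------" ]; then
                    echo "$directive: $path is readable by group/others (mode should be 600)"
                    problems=$((problems + 1))
                fi
                ;;
            auth-user-pass-verify)
                if [ ! -x "$path" ]; then
                    echo "$directive: $path is not executable"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done < "$conf"
    return "$problems"
}

# Demo on a constructed directory (throw-away files, not real keys).
demo_check() {
    tmp=$(mktemp -d)
    printf 'x' > "$tmp/ca.crt"
    printf 'x' > "$tmp/server.crt"
    printf 'x' > "$tmp/server.key";  chmod 600 "$tmp/server.key"
    printf 'x' > "$tmp/ta.key";      chmod 644 "$tmp/ta.key"      # deliberately too open
    printf '#!/bin/sh\nexit 1\n' > "$tmp/checkpsw.sh"             # deliberately not executable
    printf '%s\n' \
        'port 30003' \
        'proto tcp-server' \
        "ca $tmp/ca.crt" \
        "cert $tmp/server.crt" \
        'key server.key' \
        'dh dh.pem' \
        'tls-auth ta.key 0' \
        "auth-user-pass-verify $tmp/checkpsw.sh via-env" > "$tmp/server.conf"
    check_openvpn_conf "$tmp/server.conf"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Real usage: check_openvpn_conf /etc/openvpn/server/server.conf
demo_check; echo "demo found $? problem(s) (expected 3: dh.pem missing, ta.key too open, script not executable)"
```

The return value doubles as a problem count, so the function can gate a deployment step (`check_openvpn_conf server.conf || exit`) without parsing its output.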
Create a symbolic link
***With the service name used below (`openvpn-server@.service.service`), the systemd unit shipped with this openvpn version reads the configuration file `.service.conf`***
```bash
cd /etc/openvpn/server
ln -sf server.conf .service.conf
```
The checkpsw.sh file referenced above (***the password verification script***) has the following content:
*/etc/openvpn/server/user/checkpsw.sh*
```bash
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN invokes it through "auth-user-pass-verify ... via-env"
# (which needs script-security 3), so the credentials arrive in the
# environment variables $username and $password. Exit status 0 accepts
# the login, anything else rejects it. The file must be executable by
# the openvpn user (e.g. owner openvpn, mode 700).
###########################################################
PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Read the username from awk's ENVIRON instead of splicing it into the awk
# program text, so a client-supplied name containing quotes cannot alter the program.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# The submitted password is deliberately not written to the log (the upstream script logged it in clear text).
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
```
Create the user/password file
*/etc/openvpn/server/user/psw-file*
```bash
# Format:
# username password
opm probe.cc
```
Set the permissions on psw-file (it holds clear-text passwords, so only the openvpn user may read it)
```bash
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file
```
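Before wiring checkpsw.sh into `server.conf` it is worth exercising the `via-env` contract by hand: OpenVPN exports `$username` and `$password`, runs the script, and treats exit status 0 as accepted and anything else as rejected. The harness below is an added example, not part of the original document or of the upstream script; it mirrors the script's lookup (comment lines starting with `#` or `;` are skipped, first field user, second field password) in a function that takes the file and credentials as arguments, passes the username into awk with `-v` so that quotes in a name cannot change the awk program, and logs nothing. The password file it builds holds constructed throw-away entries.

```shell
#!/bin/sh
# Added example (not from the original document): a test harness for the
# auth-user-pass-verify contract used by checkpsw.sh. Nothing here is logged;
# it only reproduces the accept/reject decision so it can be exercised outside OpenVPN.

# checkpsw_lookup PASSFILE USERNAME -> prints the stored password, empty if the user is absent
# "-v" hands the username to awk as data, not as part of the program text.
checkpsw_lookup() {
    awk -v u="$2" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "$1"
}

# checkpsw_verify PASSFILE
# Reads $username / $password from the shell environment exactly as the real
# script does under "via-env". Returns 0 on success, 1 on unknown user or wrong password.
checkpsw_verify() {
    passfile="$1"
    [ -r "$passfile" ] || return 1
    stored=$(checkpsw_lookup "$passfile" "$username")
    [ -n "$stored" ] || return 1
    [ "$password" = "$stored" ] || return 1
    return 0
}

# Constructed password file for the demo (throw-away values, mode 600 like the real one).
make_demo_passfile() {
    f=$(mktemp)
    chmod 600 "$f"
    {
        echo '# username password'
        echo 'opm probe.cc'
        echo '; olduser disabled-entry'
        printf 'alice\ttab-separated-secret\n'
    } > "$f"
    echo "$f"
}

# try_login PASSFILE USERNAME PASSWORD -> prints the verdict, returns 0 (accept) or 1 (reject)
try_login() {
    username="$2"
    password="$3"
    if checkpsw_verify "$1"; then
        echo "ACCEPT $2"
        return 0
    fi
    echo "REJECT $2"
    return 1
}

demo_checkpsw() {
    pf=$(make_demo_passfile)
    try_login "$pf" opm probe.cc                 # ACCEPT
    try_login "$pf" opm wrong                    # REJECT: wrong password
    try_login "$pf" olduser disabled-entry       # REJECT: entry commented out with ';'
    try_login "$pf" alice tab-separated-secret   # ACCEPT: tab separator is fine
    try_login "$pf" 'x" || 1' anything           # REJECT: quotes in the name do not break the awk program
    rm -f "$pf"
}

demo_checkpsw
```

The same five calls are what to run against the real script once it is installed, with `username=... password=... /etc/openvpn/server/user/checkpsw.sh; echo $?`, and the log file at `/var/log/openvpn/password.log` should then show one line per attempt.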
The ipp.txt file has the following content
*in the same directory as server.conf*
```bash
# Format:
# username,ip (the username is the certificate common name because of username-as-common-name)
opm,10.8.8.8
```
### Firewall configuration
```bash
firewall-cmd --permanent --add-masquerade
# The predefined "openvpn" service only opens 1194/udp; this server listens on 30003/tcp
# (the port in server.conf), so open that port explicitly
firewall-cmd --permanent --add-port=30003/tcp
# firewall-cmd --permanent --add-service=openvpn   # sufficient only for the default 1194/udp
# NAT the VPN subnet out through the LAN interface (replace eth0 with the actual interface name)
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.8.0/24 -o eth0 -j MASQUERADE
firewall-cmd --reload
```
### Start the service
```bash
# List the unit files shipped by the package
rpm -ql openvpn |grep service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
# Start. openvpn-server@<name> reads /etc/openvpn/server/<name>.conf, so the instance name
# ".service" resolves to the .service.conf symlink created above
# (openvpn-server@server would read server.conf directly, without the symlink)
systemctl start openvpn-server@.service.service
```
## Install and configure the client
### Install openvpn
*Omitted*
## Configure the client
***Copy ca.crt, client1.crt, client1.key and ta.key to the client's configuration directory***
*The client configuration file client.ovpn has the following content:*
```bash
#
client
proto tcp-client
dev tun
auth-user-pass
# Replace publicIP on the next line with the OpenVPN server's IP address or hostname; the port is the one configured on the server
remote publicIP 30003
# The certificates and key can simply be placed in the same directory as client.ovpn
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
auth-nocache
persist-tun
persist-key
compress lzo
verb 4
mute 10
```
## Other
Configure the client's configuration-file and log-file directories as follows
1. Right-click the ![avatar](./images/logo.png) icon in the notification area at the bottom right of the desktop and select "Options..." from the pop-up menu, as shown below
![avatar](./images/options.png)
2. In the "OpenVPN - Settings" window, click "Advanced" and choose the configuration folder and the log folder, as shown below
![avatar](./images/set.png)