1.下载用于制作加密证书的软件包 easy-rsa。
[root@openvpn-test ~]# wget -P /data/tools http://down.i4t.com/easy-rsa.zip
[root@openvpn-test ~]# cd /data/tools/
[root@openvpn-test tools]# unzip easy-rsa.zip 解压软件包
[root@openvpn-test tools]# mkdir -p /etc/openvpn/easy-rsa/ 创建openvpn以及easy-rsa目录
[root@openvpn-test tools]# cp -r easy-rsa-old-master/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ 拷贝原目录下面文件到新目录
[root@openvpn-test tools]# cd /etc/openvpn/easy-rsa/
[root@openvpn-test easy-rsa]# vim vars 制作证书之前,先需要编辑vars文件
# Certificate subject fields read by the easy-rsa 2.0 scripts once this file
# has been sourced ("source vars"); they pre-fill the prompts of ./build-ca.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="zhejiang"
export KEY_CITY="hangzhou"
export KEY_ORG="ctt"
export KEY_EMAIL="1782655122@qq.com"
#export KEY_EMAIL=mail@host.domain
##export KEY_CN=changeme
export KEY_NAME="ctt's openvpn"
export KEY_OU="ctt"
##export PKCS11_MODULE_PATH=changeme
##export PKCS11_PIN=1234
2.初始化环境,开始制作证书。
[root@openvpn-test easy-rsa]# source vars 使vars配置文件生效
[root@openvpn-test easy-rsa]# ./clean-all 此时会在easy-rsa目录下面生成keys目录
[root@openvpn-test easy-rsa]# ./build-ca 一路按回车键即可,因为前面已在vars中填写了信息。(此时生成了根证书ca.crt和根密钥ca.key)
[root@openvpn-test easy-rsa]# ll keys/ 查看keys目录下面已经生成了相应的ca证书
[root@openvpn-test easy-rsa]# ./build-dh 为服务器生成加密时使用的Diffie-Hellman参数文件,此时keys目录下面会生成dh2048.pem文件
3.yum安装openvpn,添加脚本
[root@openvpn-test openvpn]# curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo 安装openvpn需要先安装epel
[root@openvpn-test openvpn]# yum clean all && yum makecache 清理缓存
[root@openvpn-test openvpn]# yum install -y openvpn 安装openvpn
[root@openvpn-test openvpn]# cp -r /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf ./ 将server.conf拷贝到本目录下
[root@openvpn-test openvpn]# vim server.conf 将server.conf修改至如下所示:
## Listening port and transport protocol
port 5555
proto tcp
dev tun ## routed (layer-3) tunnel; the interface shows up as tun0
### Certificate and key locations
ca /etc/openvpn/easy-rsa/keys/ca.crt
# NOTE(review): cert and key point at the CA's own certificate and private key
# (only ./build-ca was run above, no server certificate was issued), so the server
# presents the CA certificate and holds the CA signing key. A server certificate
# issued by this CA (easy-rsa 2.0: ./build-key-server) is what belongs here — TODO confirm.
cert /etc/openvpn/easy-rsa/keys/ca.crt
key /etc/openvpn/easy-rsa/keys/ca.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# NOTE(review): the ta.key generated later (openvpn --genkey --secret ta.key) is not
# referenced anywhere in this file; it only takes effect with a tls-auth line on
# both server and client.
### Address pool handed out to clients
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-to-client ## clients may reach each other through the server
keepalive 10 120
comp-lzo
persist-key
persist-tun
##max-clients 500
### Status file and log verbosity
status openvpn-status.log
verb 3
### Networks pushed to clients as routes; the traffic is then forwarded and
### masqueraded by the iptables rules added below
push "route 10.8.0.0 255.255.0.0"
push "route 172.18.0.0 255.255.0.0"
push "route 172.16.0.0 255.255.0.0"
push "route 192.168.0.0 255.255.0.0"
# NOTE(review): this pushes a default route, i.e. all client traffic goes through
# the VPN; the usual directive for that is push "redirect-gateway def1".
push "route 0.0.0.0 0.0.0.0"
### Server log
log /var/log/openvpn.log
### The next four lines enable username/password login.
# script-security 3 is what allows the password to be handed to the script through
# the environment (via-env); checkpsw.sh reads ${username} and ${password} from it.
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# NOTE(review): client-cert-not-required is deprecated in OpenVPN 2.4 (this page
# installs openvpn-2.4.11); verify-client-cert none is the replacement. With it,
# anyone holding ca.crt can attempt a login — the password file is the only gate.
client-cert-not-required
username-as-common-name
[root@openvpn-test openvpn]# chmod +x checkpsw.sh 上传checkpsw.sh 脚本,并且添加执行权限
[root@openvpn-test openvpn]# cat checkpsw.sh 脚本内容
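#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through "auth-user-pass-verify ... via-env":
# the client's credentials arrive in the environment variables
# ${username} and ${password}. Exit status 0 accepts the login,
# anything else rejects it. Every decision is appended to
# ${LOG_FILE}; passwords are never written to the log.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

# Append one time-stamped line to the log. The message is passed as
# printf data, not as the format string, so a username containing '%'
# cannot corrupt the entry.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$*" >>"${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Look the user up. awk reads the username from its environment instead
# of having it spliced into the program text: the original
# '"'${username}'"' interpolation let a username containing quotes or
# awk syntax rewrite the lookup. Rows starting with ';' or '#' are
# comments; the first matching row wins.
export username
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  # Only the username is logged; the submitted password stays out of the log.
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1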
4.创建客户端ovpn,配置iptables
[root@openvpn-test openvpn]# cp -r /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/client.conf ./ 将客户端client.conf拷贝到本地
[root@openvpn-test openvpn]# mv client.conf client.ovpn 修改成.ovpn
[root@openvpn-test openvpn]# vim client.ovpn client.ovpn内容修改成如下:
client
dev tun
proto tcp
remote 183.129.189.109 5555 # public address and port of the server
resolv-retry infinite
nobind
persist-key
persist-tun
# ca.crt is looked up next to this file; the page later copies both into the
# client's config directory.
# NOTE(review): nothing here (e.g. remote-cert-tls server) limits which
# CA-signed certificate may act as the server, and the ta.key generated below
# is not referenced by this file either.
ca ca.crt
comp-lzo
verb 3
auth-user-pass ## required for username/password login: makes the client send credentials
[root@openvpn-test keys]# openvpn --genkey --secret ta.key 在keys目录下面执行此命令生成用于防攻击的ta密钥(注意:上面的server.conf和client.ovpn均未引用ta.key,需要在两端分别添加tls-auth配置后才会生效)
[root@openvpn-test openvpn]# echo "net.ipv4.ip_forward = 1">>/etc/sysctl.conf 开启内核路由转发功能。
You have mail in /var/spool/mail/root
[root@openvpn-test openvpn]# sysctl -p
net.ipv4.ip_forward = 1
[root@openvpn-test openvpn]# yum install iptables-services -y 安装iptables服务
[root@openvpn-test openvpn]#systemctl start iptables
[root@openvpn-test openvpn]#systemctl enable iptables
[root@openvpn-test openvpn]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5555 -j ACCEPT 打开openvpn服务相关端口
[root@openvpn-test openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE 将来自客户端的流量经eth0做源地址伪装后转发出去
[root@openvpn-test openvpn]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@openvpn-test openvpn]# iptables -t nat -A POSTROUTING -s 10.8.241.0/24 -o eth0 -j MASQUERADE
[root@openvpn-test openvpn]# service iptables save 保存iptables配置
[root@openvpn-test openvpn]# vim /etc/sysconfig/iptables 将iptables下面的两条规则删除(这一步十分重要,否则openvpn即使连上也无法访问内网)
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@openvpn-test openvpn]# cat /etc/sysconfig/iptables 最终iptables配置如下:
# sample configuration for iptables service
# # you can edit this manually or use system-config-firewall
# # please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NOTE(review): both REJECT rules were deleted and every chain policy is ACCEPT, so
# INPUT now accepts whatever the rules below do not match — the port 22 and 5555
# ACCEPT rules no longer restrict anything, and FORWARD (no rules at all) forwards
# everything. Keeping the INPUT REJECT and only opening FORWARD (e.g. for tun0)
# would preserve host filtering — TODO confirm this was intended.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5555 -j ACCEPT
COMMIT
# # Completed on Mon Jan 28 13:47:22 2019
# # # Generated by iptables-save v1.4.21 on Mon Jan 28 13:47:22 2019
*nat
:PREROUTING ACCEPT [147:13294]
:INPUT ACCEPT [23:2998]
:OUTPUT ACCEPT [269:16140]
:POSTROUTING ACCEPT [269:16140]
# The /24 rule is already covered by the /16 rule above it, and the last rule
# repeats the /16 without "-o eth0", so VPN sources are masqueraded on every
# outbound interface.
-A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.241.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
COMMIT
5.创建psw-file文件,开启openvpn,sz传证书到本地,做内外网端口映射,连接vpn。
[root@openvpn-test openvpn]# echo "ctt ctt123">> /etc/openvpn/psw-file 创建psw-file文件,并写入用户名和密码(该文件保存的是明文密码,应限制其权限,例如 chmod 600)
You have mail in /var/spool/mail/root
[root@openvpn-test openvpn]# cat psw-file
ctt ctt123
[root@openvpn-test openvpn]# openvpn /etc/openvpn/server.conf& 启动openvpn
[1] 29162
[root@openvpn-test openvpn]# ps aux|grep openvpn
root 29162 0.1 0.0 75668 4660 pts/1 S 15:13 0:00 openvpn /etc/openvpn/server.conf
root 29274 0.0 0.0 112708 976 pts/1 S+ 15:13 0:00 grep --color=auto openvpn
[root@openvpn-test openvpn]# sz client2.ovpn 将客户端配置和证书下载到本地
[root@openvpn-test openvpn]# sz easy-rsa/keys/ca.crt
证书放到openvpn软件的config目录下面:
连接成功:
测试内网ping通:
VPN服务端向客户端推送172.16.0.0网段的路由;同理,内网路由器上也要添加一条通往10.8.0.0网段的回程路由。
至此,用户名密码登录的openvpn搭建完成!!
cat /etc/systemd/system/openvpn.service
[Unit]
Description=openvpn service
After=network.target
[Service]
Type=simple
# NOTE(review): the trailing JDK entry in PATH is unrelated to openvpn and can be dropped.
Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/java/jdk1.8.0_131/jre/bin"
User=root
Group=root
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server.conf
# NOTE(review): pkill matches every process named openvpn, not only the one this
# unit started; systemd's default stop already signals the unit's own process, so
# this ExecStop could be dropped — TODO confirm.
ExecStop=/bin/pkill openvpn
Restart=on-failure
[Install]
WantedBy=multi-user.target