
OpenVPN deployment

小董的成长笔记 2021-07-02

Public network (external network): reachable by everyone.

Internal network: a local area network, reachable only from within a specific range; outsiders cannot reach it.

System environment: CentOS 7.9

1. VPN overview

A VPN connects network environments in different geographic locations; for example, from home you can use it to reach the company's internal network.

Other common choices are PPTP, L2TP and so on. I am going to use OpenVPN because it is encrypted and supports a fairly rich set of encryption protocols.

2. Communication protocols

PPTP: Point-to-Point Tunneling Protocol

The WAN port faces the public network

The LAN port faces the local subnet

L2TP: Layer 2 Tunneling Protocol, which supports tunnel encryption

Both are encapsulated with the PPP protocol

PPTP can only establish a single tunnel between the two endpoints, whereas L2TP can establish more than one tunnel between them

3. Deploying OpenVPN

Install dependencies

yum install -y bash-completion vim lrzsz wget expect net-tools nc nmap tree dos2unix htop iftop iotop unzip telnet sl psmisc nethogs glances bc ntpdate openldap-devel

Install the packages: one provides the service, the other the certificate tooling

yum -y install openvpn easy-rsa

Create the certificates and keys the server needs

[root@sql01 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/
[root@sql01 ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/3.0.8/vars

Initialize the PKI directory

[root@sql01 ~]# cd /etc/openvpn/easy-rsa/3.0.8/
[root@sql01 3.0.8]# ./easyrsa init-pki

Create the server CA certificate, without setting a passphrase for now

[root@sql01 3.0.8]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
.................................+++
........................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
openvpn
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.8/pki/ca.crt

Create the private key and the certificate request; press Enter through all the prompts

[root@sql01 3.0.8]# ./easyrsa gen-req openvpn nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...................................................+++
..........................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-12161.blsqg1/tmp.Llzm25'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpn]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.8/pki/reqs/openvpn.req
key: /etc/openvpn/easy-rsa/3.0.8/pki/private/openvpn.key

Sign the certificate: confirm the request details to produce the final certificate file

[root@sql01 3.0.8]# ./easyrsa sign server openvpn 
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName       = openvpn
Type the word 'yes' to continue, or any other input to abort.
Confirm request details:
yes
Using configuration from /etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-12193.kc2G21/tmp.tJj1yA
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName     :ASN.1 12:'openvpn'
Certificate is to be certified until Apr 23 03:36:00 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.8/pki/issued/openvpn.crt

Then generate one more PEM file; this pem file holds the certificate, the public and private keys, and the root certificate

[root@sql01 3.0.8]# ./easyrsa gen-dh  # DH is the name of an algorithm (Diffie-Hellman); this writes pki/dh.pem

Generate the ta key (the tls-auth HMAC key)

openvpn --genkey --secret /etc/openvpn/ta.key   # written where the server.conf below (tls-auth ta.key 0) expects it

File details

CA certificate: /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt
OpenVPN server key: /etc/openvpn/easy-rsa/3.0.8/pki/private/openvpn.key
OpenVPN server certificate: /etc/openvpn/easy-rsa/3.0.8/pki/issued/openvpn.crt
DH parameters: /etc/openvpn/easy-rsa/3.0.8/pki/dh.pem

Copy them all into the /etc/openvpn/server directory

[root@sql01 3.0.8]# cp /etc/openvpn/easy-rsa/3.0.8/pki/dh.pem /etc/openvpn/server/
[root@sql01 3.0.8]# cp /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt /etc/openvpn/server/
[root@sql01 3.0.8]# cp /etc/openvpn/easy-rsa/3.0.8/pki/private/openvpn.key /etc/openvpn/server/
[root@sql01 3.0.8]# cp /etc/openvpn/easy-rsa/3.0.8/pki/issued/openvpn.crt /etc/openvpn/server/
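Before moving on to the configuration, it is worth checking what actually landed in /etc/openvpn/server. The script below is an added example, not part of the original post: it reproduces the easy-rsa steps above with plain openssl in a throwaway directory (all names are constructed) and then runs the checks a practitioner would run on the real directory: chain, key/certificate match, server key usage, key permissions and expiry.

```shell
#!/bin/sh
# Added example (not from the original post): mirror the easy-rsa steps above with
# plain openssl in a throwaway directory, then run the checks worth doing on
# /etc/openvpn/server before the service is started. All names are constructed.
set -e
work=$(mktemp -d)
make_pki() {
  d="$1"
  # CA whose key has no passphrase (like ./easyrsa build-ca nopass)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=openvpn-ca" -days 825 >/dev/null 2>&1
  # server key and request (like ./easyrsa gen-req openvpn nopass)
  openssl req -newkey rsa:2048 -nodes -keyout "$d/openvpn.key" -out "$d/openvpn.req" \
    -subj "/CN=openvpn" >/dev/null 2>&1
  # sign as a server certificate (like ./easyrsa sign server openvpn); the
  # server type is what adds extendedKeyUsage=serverAuth
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/server.ext"
  openssl x509 -req -in "$d/openvpn.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/openvpn.crt" -days 825 -extfile "$d/server.ext" >/dev/null 2>&1
  chmod 600 "$d/ca.key" "$d/openvpn.key"
}
# check_server_dir DIR: prints "ok" and returns 0, or prints the first failing check and returns 1
check_server_dir() {
  d="$1"
  # 1. openvpn.crt chains to the ca.crt that clients will be given
  openssl verify -CAfile "$d/ca.crt" "$d/openvpn.crt" >/dev/null 2>&1 \
    || { echo "FAIL: openvpn.crt is not signed by ca.crt"; return 1; }
  # 2. openvpn.key belongs to openvpn.crt (same public key)
  [ "$(openssl x509 -in "$d/openvpn.crt" -noout -pubkey)" = "$(openssl pkey -in "$d/openvpn.key" -pubout)" ] \
    || { echo "FAIL: openvpn.key does not match openvpn.crt"; return 1; }
  # 3. it was signed with the server type; a client using 'remote-cert-tls server' rejects it otherwise
  openssl x509 -in "$d/openvpn.crt" -noout -text | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: openvpn.crt has no serverAuth extended key usage"; return 1; }
  # 4. the private key is not readable by other users
  [ "$(ls -l "$d/openvpn.key" | cut -c1-10)" = "-rw-------" ] \
    || { echo "FAIL: openvpn.key is readable by others"; return 1; }
  # 5. the certificate does not expire within the next 30 days
  openssl x509 -in "$d/openvpn.crt" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: openvpn.crt expires within 30 days"; return 1; }
  echo "ok"
}
make_pki "$work"
check_server_dir "$work"
```

Point check_server_dir at /etc/openvpn/server (with the real file names) to run the same checks on the deployed files.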

Edit the OpenVPN configuration file

cp /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/
vim /etc/openvpn/server.conf
local 10.0.0.71 # listen address
port 1194   # listen port
proto tcp   # TCP
;proto udp
;dev tap
dev tun     # tunnel (routed) mode
;dev-node MyTap
# certificate files, relative to /etc/openvpn; the files copied above are named openvpn.crt / openvpn.key
ca server/ca.crt
cert server/openvpn.crt
key server/openvpn.key # This file should be kept secret
dh server/dh.pem
server 10.8.0.0 255.255.255.0 # subnet handed out to clients
push "route 192.168.10.0 255.255.255.0" # route pushed to clients
keepalive 10 120   # ping every 10 s; treat the peer as gone after 120 s without a reply
status openvpn-status.log # status file
log-append openvpn.log
mute 20 # limit on repeated log messages
;explicit-exit-notify 1 # only valid with proto udp; must stay disabled with proto tcp
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun

Enable kernel IP forwarding

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf   # persists across reboots
sysctl -p                                            # apply it now

Start OpenVPN

You can write your own startup script, or simply use the openvpn@server systemd unit, which loads /etc/openvpn/server.conf:

systemctl start openvpn@server
systemctl enable openvpn@server   # also start at boot

4. Client connection

Client download: https://openvpn.net/download-open-vpn/

Generate the client key and request

./easyrsa gen-req client nopass

Issue the client certificate

./easyrsa sign client client

Collect the client files

[root@sql01 3.0.8]# cp /etc/openvpn/easy-rsa/3.0.8/pki/issued/client.crt /etc/openvpn/client/
[root@sql01 3.0.8]# cp /etc/openvpn/easy-rsa/3.0.8/pki/private/client.key /etc/openvpn/client/
[root@sql01 3.0.8]# cp /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt /etc/openvpn/client/
[root@sql01 3.0.8]# cp /etc/openvpn/ta.key /etc/openvpn/client/   # the tls-auth key generated above; the client needs it too

The three files above still have to be referenced from the client configuration, a .ovpn file:

client
dev tun
proto tcp
remote 112.17.166.1 1194 # 112.17.166.1 is the public address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt          # the files copied to /etc/openvpn/client above
cert client.crt
key client.key
tls-auth ta.key 1  # key direction 1 on the client (0 on the server)
;comp-lzo          # the server.conf above does not enable compression, so leave it off here too
auth-user-pass     # prompts for a username/password; only meaningful if the server verifies them
cipher AES-256-CBC
verb 3

To reach other servers through the tunnel, a NAT forwarding rule is also needed in the firewall

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens37 -j MASQUERADE   # the subnet from the server directive; ens37 is the outbound interface

The subnet given to -s is the one your VPN hands out with the server directive (10.8.0.0/24 in the server.conf above), and ens37 is the name of the network interface on your host
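The server.conf and the client .ovpn have to agree on several points (protocol, port, cipher, tls-auth key direction, compression), the client has to carry active ca/cert/key directives, and the MASQUERADE rule has to match the server subnet. The script below is an added example, not from the original post: it embeds the two configurations from this tutorial as constructed input (file names and the NAT subnet argument are assumptions) and reports every mismatch it finds, which is a useful check to run before the first connection attempt.

```shell
#!/bin/sh
# Added example (not from the original post): the server.conf and client .ovpn from this
# tutorial, embedded as constructed inputs, checked where the two sides must agree.
set -e
work=$(mktemp -d)
cat > "$work/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca server/ca.crt
cert server/openvpn.crt
key server/openvpn.key
server 10.8.0.0 255.255.255.0 # subnet handed out to clients
explicit-exit-notify 1
tls-auth ta.key 0
cipher AES-256-CBC
EOF
cat > "$work/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 112.17.166.1 1194
;ca ca.crt
tls-auth ta.key 1
comp-lzo
cipher AES-256-CBC
EOF
# opt FILE NAME: value of the active directive NAME (';'/'#' comment lines and inline comments ignored)
opt() { awk -v k="$2" '$1==k { sub(/ *[#;].*$/, ""); $1=""; sub(/^ /, ""); print; exit }' "$1"; }
# has FILE NAME: true when directive NAME is active, even with no value (e.g. comp-lzo)
has() { awk -v k="$2" '$1==k { f=1 } END { exit !f }' "$1"; }
# check_pair SERVER CLIENT NAT_SUBNET: prints one line per problem; prints nothing when consistent
check_pair() {
  s="$1"; c="$2"; nat="$3"
  [ "$(opt "$s" proto)" = "$(opt "$c" proto)" ] || echo "proto differs between server and client"
  [ "$(opt "$s" cipher)" = "$(opt "$c" cipher)" ] || echo "cipher differs between server and client"
  [ "$(opt "$s" port)" = "$(opt "$c" remote | awk '{print $2}')" ] || echo "client remote port != server port"
  # the tls-auth key direction must be 0 on the server and 1 on the client
  [ "$(opt "$s" tls-auth | awk '{print $2}')$(opt "$c" tls-auth | awk '{print $2}')" = "01" ] \
    || echo "tls-auth key direction must be 0 on the server and 1 on the client"
  for d in ca cert key; do has "$c" "$d" || echo "client has no active '$d' directive"; done
  a=$(has "$s" comp-lzo && echo 1 || echo 0); b=$(has "$c" comp-lzo && echo 1 || echo 0)
  [ "$a" = "$b" ] || echo "comp-lzo is set on one side only"
  # OpenVPN refuses to start when explicit-exit-notify is combined with proto tcp
  if has "$s" explicit-exit-notify && [ "$(opt "$s" proto)" != "udp" ]; then echo "explicit-exit-notify needs proto udp"; fi
  # the MASQUERADE rule must cover the subnet from the server directive
  [ "$(opt "$s" server | awk '{print $1}')" = "${nat%/*}" ] || echo "NAT subnet $nat != server subnet"
}
check_pair "$work/server.conf" "$work/client.ovpn" 10.8.1.0/24
```

Run check_pair against /etc/openvpn/server.conf, the exported .ovpn and the subnet used in your iptables rule; an empty result means the three agree.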

