CentOS 7 安装 OpenVPN
- 安装epel源
# EPEL supplies the openvpn and easy-rsa packages installed below.
yum -y install epel-release
- 安装依赖包
# Runtime libraries plus their development headers.
yum -y install openssl openssl-devel lzo lzo-devel pam pam-devel
- 安装easy-rsa openvpn
# OpenVPN itself and the easy-rsa PKI helper.
yum -y install openvpn easy-rsa
上述操作完成后,OpenVPN 即已安装完毕。
- 配置证书密钥
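# Copy the easy-rsa tool shipped with the package into the server directory.
# The version directory is the one installed here; check /usr/share/easy-rsa/
# if yours differs. Make sure the parent directory exists first.
mkdir -p /etc/openvpn/server
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
# Abort if the directory change fails; otherwise the ./easyrsa steps that
# follow would silently run in the wrong directory.
cd /etc/openvpn/server/easy-rsa || exit 1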
- 生成证书密钥
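# Press Enter to accept the default at every prompt.
# "nopass" leaves the CA private key (pki/private/ca.key) unencrypted on this
# host; that is convenient for a lab, but the file then needs the same
# protection as any other secret. Each step must succeed before the next one
# runs, otherwise a failed init-pki only surfaces as a confusing later error.
./easyrsa init-pki \
  && ./easyrsa build-ca nopass \
  && ./easyrsa build-server-full server nopass \
  && ./easyrsa gen-dh
# Pre-shared TLS key. It only takes effect once "tls-auth" is enabled in
# server.conf AND every client profile carries "tls-auth ta.key 1".
openvpn --genkey --secret ta.key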
- 配置server端
# Log directory and user-management directory, created in one call.
mkdir -p /var/log/openvpn /etc/openvpn/server/user
# server.conf drops privileges to user/group openvpn, so the daemon must own
# the directory it writes its logs to.
chown -R openvpn:openvpn /var/log/openvpn
- 创建Server配置文件
编辑/etc/openvpn/server/server.conf文件,并写入以下内容:
(也可以复制一份模板文件进行改写,模板文件路径 /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf)
复制命令
# Start from the packaged sample. The openvpn@server instance started later is
# expected to read /etc/openvpn/server.conf, so that is where the copy goes.
cp -- /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/server.conf
编辑 /etc/openvpn/server.conf,内容如下:
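port 1194
proto udp
dev tun
#dev tap0
# Drop root privileges after start-up; hooks such as checkpsw.sh then run
# under this unprivileged account.
user openvpn
group openvpn
# Certificates and keys produced by easy-rsa
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
# ta.key is generated but not used while this stays commented out. Enabling
# tls-auth here also requires "tls-auth ta.key 1" in every client profile,
# otherwise clients can no longer connect.
#tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
# Username/password authentication through an external script.
# via-env passes the password to the script as an environment variable
# (which is why script-security 3 is required); via-file exposes it less,
# but checkpsw.sh would then have to read the credential file named in $1.
script-security 3
auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh" via-env
# No client certificate is required: a client's identity is its username only.
verify-client-cert none
username-as-common-name
# Allow several concurrent sessions under the same username. With a static
# ifconfig-push in the ccd file, a second session of the same user is likely
# to be offered the same address.
duplicate-cn
# Network settings
server 10.8.0.0 255.255.255.0
# Let VPN clients reach each other directly
client-to-client
push "dhcp-option DNS 114.114.114.114"
push "route 10.8.0.0 255.255.255.0"
# NOTE: compressing traffic inside the tunnel is discouraged upstream
# (VORACLE); the client's comp-lzo setting must match what is set here.
compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
# Per-client overrides (for example static addresses); the file name is the
# common name, which is the username because of username-as-common-name.
client-config-dir /etc/openvpn/ccd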
- 创建用户密码文件
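# Password file format: one "username password" pair per line, separated by
# whitespace (this is what checkpsw.sh parses).
# Create the file under a restrictive umask so it is never world-readable,
# not even between the write and the chmod below.
( umask 077 && printf '%s %s\n' 'mytest' 'mytestpass' >> /etc/openvpn/server/user/psw-file )
chmod 600 /etc/openvpn/server/user/psw-file
# checkpsw.sh runs as the openvpn user and must be able to read the file.
chown openvpn:openvpn /etc/openvpn/server/user/psw-file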
- 创建密码检查脚本
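#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN invokes it through
#   auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh" via-env
# so the client-supplied credentials arrive in the environment variables
# "username" and "password". Exit status 0 grants access, anything else
# denies it.
#
# Audit lines go to LOG_FILE. The submitted password is deliberately never
# written there: logging it on a failed attempt would leak mistyped real
# passwords into a plain-text file.
#
# NOTE(review): via-env places the password in the script's environment;
# via-file (credentials in a temporary file passed as $1) exposes it less,
# but switching modes requires changing both server.conf and this script.
###########################################################
PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

# log MESSAGE: append one timestamped line to LOG_FILE.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Refuse empty credentials outright: an empty username cannot match a
# valid line, and an empty password must never compare equal to anything.
if [ -z "${username}" ] || [ -z "${password}" ]; then
  log "Empty username or password supplied."
  exit 1
fi

# Look the user up with awk -v. The username is client-controlled and must
# not be spliced into the awk program text, where a quote character could
# alter the pattern. (awk -v interprets backslash escapes; such usernames
# simply fail to match and are denied.) Lines starting with ';' or '#'
# are comments.
CORRECT_PASSWORD=$(awk -v user="${username}" \
  '!/^;/ && !/^#/ && $1 == user { print $2; exit }' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1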
- 赋予可执行权限
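# The auth hook is executed by the unprivileged openvpn user, which only needs
# read and execute access. Keep the file owned by root so that the daemon
# account cannot rewrite its own authentication logic.
chown root:openvpn /etc/openvpn/server/user/checkpsw.sh
chmod 750 /etc/openvpn/server/user/checkpsw.sh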
- 客户端指定IP
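# Per-client configuration directory; must match client-config-dir in server.conf.
mkdir -p /etc/openvpn/ccd
# Static address for user "mytest". The file name must equal the username,
# because server.conf uses username-as-common-name and ccd files are looked
# up by common name. An absolute path is used here: the shell's current
# directory is still the easy-rsa directory from an earlier step, so a
# relative "cd ccd" would fail.
cat > /etc/openvpn/ccd/mytest <<'EOF'
ifconfig-push 10.8.0.20 10.8.0.21
EOF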
- 启动服务
# List the systemd unit files shipped by the package (fixed-string match).
rpm -ql openvpn | grep -F service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
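# Start the server instance (openvpn@server is expected to read
# /etc/openvpn/server.conf) and enable it so it also comes up after a reboot.
systemctl enable openvpn@server
systemctl start openvpn@server
# Confirm it is running; start-up errors are in /var/log/openvpn/server.log.
systemctl is-active openvpn@server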
启动客户端
- 配置客户端
从server上将生成的ca.crt、ta.key文件下载到客户端config目录,
ca.crt 在 /etc/openvpn/server/easy-rsa/pki
ta.key 在 /etc/openvpn/server/easy-rsa
客户端配置文件 C:\Program Files\OpenVPN\config\client.ovpn 的内容如下:
client
proto udp
dev tun
# Prompt for the username/password that the server's checkpsw.sh verifies
auth-user-pass
# Server address and port; must match "port" and "proto" on the server
remote 10.24.11.243 1194
# The CA downloaded from the server; used to verify the server certificate
ca ca.crt
# Only accept a server certificate issued by that CA with server usage,
# so another certificate from the same CA cannot impersonate the server
remote-cert-tls server
cipher AES-256-CBC
# Do not keep the password cached in memory across reconnects
auth-nocache
persist-tun
persist-key
# Must match the server's "compress lzo" setting
comp-lzo
verb 3
mute 10
保存退出之后,我们启动openvpn的客户端,然后输入账号密码即可登录。
证书内嵌配置
其中ca选项
ca ca.crt
替换成
<ca>
(此处粘贴 ca.crt 文件的完整内容)
</ca>