1、实验环境
CentOS7.9
内网ens32:172.16.9.129
外网ens33:10.33.56.100(对外/上行接口;后文 NAT 规则的 -o 参数应使用这个接口名,本机并没有 eth0)
2、配置路由转发
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf
sysctl -p
3、安装openvpn
# Package set used by the rest of this guide.  epel-release goes first because
# openvpn and easy-rsa are EPEL packages on CentOS 7, not base-repo ones.
yum -y install epel-release
# NOTE(review): openvpn-auth-ldap and NetworkManager-openvpn are installed here
# but never used later (no LDAP configuration appears, and NetworkManager-openvpn
# is a desktop client integration); drop them on a server to keep the footprint small.
yum -y install \
  easy-rsa \
  openssh-server \
  lzo \
  openssl openssl-devel \
  openvpn \
  NetworkManager-openvpn \
  openvpn-auth-ldap \
  iptables-services
4、生成证书文件
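# Fetch the legacy easy-rsa 2.x scripts that the certificate steps below rely on.
# NOTE(review): the archive is downloaded with no integrity check and easy-rsa-old
# is an archived, unmaintained branch.  The `easy-rsa` package installed in step 3
# ships the maintained 3.x CLI (check `rpm -q easy-rsa`); prefer it, or at least
# compare the download against a checksum obtained out of band before unpacking.
EASYRSA_VER=2.3.3
wget -O "easy-rsa-old-${EASYRSA_VER}.tar.gz" \
  "https://github.com/OpenVPN/easy-rsa-old/archive/${EASYRSA_VER}.tar.gz"
tar -xf "easy-rsa-old-${EASYRSA_VER}.tar.gz"
# keys/ is where easy-rsa 2 writes every certificate and private key; root-only.
mkdir -pv /etc/openvpn/easy-rsa/keys
chmod 700 /etc/openvpn/easy-rsa/keys
cp "easy-rsa-old-${EASYRSA_VER}/easy-rsa/2.0/"* /etc/openvpn/easy-rsa/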
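# Set the certificate-subject defaults that easy-rsa 2 reads from ./vars.
# The file ends with `export KEY_*=...` defaults and is sourced top to bottom,
# so values appended after them win.  Appending with a heredoc (instead of
# editing in vi) keeps the step reproducible; typing the exports directly in
# the shell would NOT work, because `source ./vars` in the next step resets
# them to the file's defaults.
cd /etc/openvpn/easy-rsa/ || exit 1
cat >> vars <<'EOF'

# --- site-specific overrides, appended after the stock defaults ---
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="DevOps"
export KEY_EMAIL="admin@example.com"   # replace with a real contact address
export KEY_CN="devops"
export KEY_NAME="devops"
export KEY_OU="devops"
# Only consulted when signing with a PKCS#11 token; harmless placeholders otherwise.
export PKCS11_MODULE_PATH=devops
export PKCS11_PIN=1234
EOF
# Leave KEY_SIZE at the file's 2048 default (`grep KEY_SIZE vars`): the
# dh2048.pem copied in the next step assumes it.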
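# Build the PKI with easy-rsa 2: CA, server cert, one client cert, DH params and
# the tls-auth key.  Every command must run in the SAME shell that sourced ./vars.
cd /etc/openvpn/easy-rsa/ || exit 1
cp openssl-1.0.0.cnf openssl.cnf
source ./vars
# clean-all initialises keys/ (index.txt, serial) and must run ONCE before
# build-ca.  It also deletes every existing key, so never run it afterwards
# "just in case" -- only when starting the whole PKI over.
./clean-all
./build-ca
# Server cert carries the server extensions that clients verify with
# "remote-cert-tls server"; a plain client cert cannot pose as the server.
./build-key-server server
# Produces keys/client.crt and keys/client.key -- the client config must use
# these exact names.
./build-key client
./build-dh                               # keys/dh2048.pem (KEY_SIZE=2048)
# tls-auth pre-shared key: the server drops packets lacking a valid HMAC before
# spending any TLS work on them.
openvpn --genkey --secret keys/ta.key
# Install the server-side material where server.conf expects it; private keys
# stay root-only.
cp keys/{dh2048.pem,ca.crt,server.crt,server.key,ta.key} /etc/openvpn/
chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key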
5、配置服务端
# 方式一:使用PAM和密码认证(与下面的证书认证二选一,两者写入的是同一个 /etc/openvpn/server.conf)
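# Variant A: password authentication through PAM, no client certificate.
# Both variants write /etc/openvpn/server.conf (what openvpn@server reads);
# apply ONE of them, not both.
tee /etc/openvpn/server.conf <<'EOF'
port 1194
proto udp
dev tap
# Material copied from easy-rsa/keys in step 4.  build-dh produced dh2048.pem;
# no dh1024.pem exists.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# HMAC-sign the control channel with the ta.key generated in step 4; packets
# without a valid HMAC are dropped before any TLS work (clients: "tls-auth ta.key 1").
tls-auth /etc/openvpn/ta.key 0
server 192.168.56.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;learn-address ./script
# client-to-client lets VPN clients reach each other directly; remove it if the
# VPN only needs to reach the internal network behind the server.
client-to-client
;duplicate-cn
keepalive 10 120
# Compressing TLS-protected traffic exposes it to VORACLE-style attacks; kept
# only because the client config below also sets it -- drop it on both ends if you can.
comp-lzo
;max-clients 100
# Drop root once the device and key files are open (persist-key/persist-tun
# make restarts work without the privileges).
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
# Password-only access: any local account that passes the "login" PAM stack can
# connect, and its PAM username becomes the client's common name.  OpenVPN 2.4
# spells this "verify-client-cert none"; the legacy form below still works on
# 2.4 but was removed in 2.5.
client-cert-not-required
username-as-common-name
# Path as shipped by EPEL's openvpn package on CentOS 7 x86_64; confirm with
# `rpm -ql openvpn | grep auth-pam`.
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
EOF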
# 方式二:使用证书认证(与上面的 PAM 密码认证二选一,同样写入 /etc/openvpn/server.conf)
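# Variant B: mutual certificate authentication (one cert per client).
# Both variants write /etc/openvpn/server.conf; apply ONE of them.
tee /etc/openvpn/server.conf <<'EOF'
port 1194
proto tcp
dev tun0
# Material copied from easy-rsa/keys in step 4 (build-dh wrote dh2048.pem).
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
# Control-channel HMAC with the ta.key from step 4 (clients: "tls-auth ta.key 1").
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# See the VORACLE caveat on compression; drop on both ends if possible.
comp-lzo
user nobody
group nobody
persist-key
persist-tun
# A single status file.  The original listed "status" twice, the second one
# under /tmp -- a predictable file name in a world-writable directory.
status /var/log/openvpn-status.log
verb 3
# NOTE(review): if /var/log/openvpn already exists as a directory on your
# system, point this at a file inside it instead.
log-append /var/log/openvpn
EOF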
6、配置防火墙
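# NAT the VPN subnet out of the external interface and open the listening port.
# Set the variables to match the server.conf variant you applied:
#   variant A: VPN_NET=192.168.56.0/24 VPN_PROTO=udp
#   variant B: VPN_NET=10.8.0.0/24     VPN_PROTO=tcp   (defaults below)
VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_PROTO=${VPN_PROTO:-tcp}
VPN_PORT=${VPN_PORT:-1194}
# External interface from step 1 is ens33 (10.33.56.100); eth0 does not exist here.
WAN_IF=${WAN_IF:-ens33}

# Runtime enable; step 2 already made it persistent.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Accept the VPN port and forward the VPN subnet.  The stock iptables-services
# ruleset ends both INPUT and FORWARD with a REJECT, so without these rules
# clients can neither connect nor reach anything behind the server.
iptables -I INPUT -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
iptables -I FORWARD -s "$VPN_NET" -j ACCEPT
iptables -I FORWARD -d "$VPN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

# iptables-services (installed in step 3) persists the running rules to
# /etc/sysconfig/iptables; enable its unit (and stop firewalld) if you want
# them restored at boot.
service iptables save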
7、启动服务
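# Start the instance that reads /etc/openvpn/server.conf and keep it across
# reboots.  The unit is openvpn@<config basename>; the original line had the
# name mangled into an e-mail address.
systemctl enable --now openvpn@server.service
# Confirm it actually came up -- a wrong cert, dh or plugin path fails here.
systemctl --no-pager status openvpn@server.service
journalctl -u openvpn@server.service --no-pager -n 20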
8、配置客户端
# 使用密码认证
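client
dev tap
proto udp
remote <address> 1194
resolv-retry infinite
nobind
persist-tun
# Must match the server; see the VORACLE caveat there.
comp-lzo
verb 3
# Accept only a peer whose certificate carries the server extensions set by
# build-key-server.  Without this, any certificate signed by the same CA
# (including another client's) could impersonate the server.
remote-cert-tls server
# Second half of the server's "tls-auth /etc/openvpn/ta.key 0"; ta.key must be
# copied to the client next to ca.crt.
tls-auth ta.key 1
# Username on line 1, password on line 2, in clear text -- chmod 600 the file.
auth-user-pass passwd
ca ca.crt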
备注:auth-user-pass 引用的 passwd 文件必须包含如下两行:
第一行 - username
第二行 - password
该文件以明文保存密码,务必 chmod 600 并仅由运行 OpenVPN 的用户可读;服务端启用 tls-auth 时,客户端还需要同一份 ta.key。
# 证书认证
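client
remote <MYSERVER> 1194
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
# Step 4 ran "./build-key client", so the files are client.crt / client.key
# (not client1.*).
cert client.crt
key client.key
# Accept only a peer whose certificate carries the server extensions set by
# build-key-server; otherwise any CA-signed cert, e.g. another client's, could
# pose as the server.
remote-cert-tls server
# Second half of the server's "tls-auth /etc/openvpn/ta.key 0".
tls-auth ta.key 1
# Must match the server; see the VORACLE caveat there.
comp-lzo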
备注:将 ca.crt、ta.key 以及该客户端自己的证书和私钥(上文 ./build-key client 生成的是 client.crt / client.key,配置文件中的 cert/key 必须与实际文件名一致)复制到远程计算机;私钥请通过安全通道传输,落地后 chmod 600,且不要多台客户端共用同一份。
9、客户端工具
MAC:Tunnelblick
来源:https://blog.51cto.com/zzzhao/6133182
WINDOWS:OpenVPN Connect client