zhengyshan 2013-06-16
2年前自己还是小白的时候就在老单位连总部OA时用过OpenVPN这个客户端,感觉还挺好用,而且觉得以后项目应该也能用得上,SO google了网上大量零碎资料,折腾了大半天,按照自己的理解就整理了如下文档,给有兴趣的朋友分享一下。
最近一直想把自己的短板,也就是Linux编程这块好好研究下。。
不扯了,开始干活。。
-------------------华丽的分割线-----------------------
OpenVPN是一款在Linux网关服务器使用的开源的VPN软件,顾名思义,其实就是用来打通一条安全的虚拟专用通道,实现用户远程办公,获取内网资源。
该软件可跨平台在在Linux、xBSD、Mac OS X与Windows间使用,并利用openssl作为加密库,使用加密证书或用户名/密码来实现身份验证,是一款不可多得的开源VPN解决方案。
我们做这个实验的目的就是模拟线上常见的公司外出人员在外需要访问公司内网OA,实现远程办公自动化。
解决方案:
系统环境:CentOS6.3 x64
OPENVPN: openvpn-2.3.0
vpn server: eth0:192.168.100.90,eth1:172.24.30.1
vpn client: 192.168.100.34
intranet server: 172.24.30.10
部署环境:
1.启动并清空iptables规则
# iptables -t NAT -F
# iptables -F
# service iptables save
# service iptables restart
2.关闭SELINUX
# setenforce 0
# vi /etc/sysconfig/selinux
---------------
SELINUX=disabled
---------------
server端:
一.网络设置
1.开启服务器端路由转发功能
# vi /etc/sysctl.conf
---------------------
net.ipv4.ip_forward = 1
---------------------
# sysctl -p
2.设置nat转发:
注:保证VPN地址池可路由出外网
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
3.设置openvpn端口通过:
# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
# iptables -A INPUT -p TCP --dport 7505 -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
3.时间同步(重要):
# ntpdate asia.pool.ntp.org
二.安装依赖库
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
三.安装openvpn:
# wget -c http://swupdate.openvpn.org/community/releases/openvpn-2.3.0.tar.gz
# tar zxvf openvpn-2.3.0.tar.gz
# cd openvpn-2.3.0
# ./configure --prefix=/usr/local/openvpn
# make && make install
# mkdir -p /etc/openvpn
复制模板到openvpn配置目录:
# cp -rf sample /etc/openvpn/
复制openvpn配置文件到主目录:
# cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
# cd ..
四.下载easy-rsa:
注:该包用来制作ca证书,服务端证书,客户端证书,openvpn2.3.0该版本源码不包含easy-rsa,所以需要单独下载安装用来配合openvpn实现证书生成。
# wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
# unzip master
# mv easy-rsa-master easy-rsa
# cp -rf easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/easy-rsa/2.0
修改证书变量
# vi vars
修改如下参数
注:在后面生成服务端ca证书时,这里的配置会作为缺省配置
---------------------
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SX"
export KEY_CITY="Xian"
export KEY_ORG="example"
export KEY_EMAIL="[email protected]"
---------------------
做SSL配置文件软链:
# ln -s openssl-1.0.0.cnf openssl.cnf
修改vars文件可执行并调用
# chmod +x vars
# source ./vars
-----------------
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/easy-rsa/2.0/keys
-----------------
注:也就是如果执行./clean-all,就会清空/etc/openvpn/easy-rsa/easy-rsa/2.0/keys下所有文件
开始配置证书:
1.清空原有证书:
# ./clean-all
注:下面这个命令在第一次安装时可以运行,以后在添加完客户端后慎用,因为这个命令会清除所有已经生成的证书密钥,和上面的提示对应
2.生成服务器端ca证书
./build-ca
注:由于之前做过缺省配置,这里一路回车即可
3.生成服务器端密钥证书, 后面这个openvpn.example.com就是服务器名,也可以自定义
./build-key-server openvpn.example.com
---------------------------
Generating a 2048 bit RSA private key
...................................................+++
..................................+++
writing new private key to 'openvpn.example.com.key'
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SX]:
Locality Name (eg, city) [Xian]:
Organization Name (eg, company) [example]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname)
[openvpn.example.com]:
Name [EasyRSA]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:example
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SX'
localityName :PRINTABLE:'Xian'
organizationName :PRINTABLE:'example'
commonName :PRINTABLE:'openvpn.example.com'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jun 10 21:58:49 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
---------------------------
4.生成所需客户端证书密钥文件:
# ./build-key client1
# ./build-key client2
注:这里与生成服务端证书配置类似,中间一步提示输入服务端密码,其他按照缺省提示一路回车即可。
5.再生成diffie hellman参数,用于增强openvpn安全性(生成需要漫长等待)
# ./build-dh
6.打包keys
# tar zcvf keys.tar.gz keys/
7.终端发送到客户端备用
# yum install lrzsz -y
# sz keys.tar.gz