Installing OpenVPN on CentOS 7

This post records how to build OpenVPN from source on CentOS 7, issue certificates with the bundled easy-rsa scripts, and bring up a tunnel between a client and a server.

Setup

Client:
localIP: 172.30.2.3
Server:
localIP: 172.56.20.3
publicIP: 104.223.123.6

Install the base environment

The OpenVPN build needs a C compiler, the OpenSSL headers (openssl-devel, pulled in by the openssl* glob) and the PAM headers.
# yum install gcc
# yum install gcc-c++
# yum install openssl*
# yum install pam-devel.x86_64

Install lzo

# tar -xvzf lzo-2.03.tar.gz
# cd lzo-2.03
# ./configure
# make
# make install

Install OpenVPN

OpenVPN 2.2.2 and the easy-rsa 2.0 scripts it bundles are long out of maintenance; the steps below are specific to that combination (easy-rsa 3 uses different commands). With --prefix=/usr/local/ the binary is installed as /usr/local/sbin/openvpn, which is the path used when starting it later.
# tar -xvzf openvpn-2.2.2.tar.gz
# cd openvpn-2.2.2/
# ./configure --prefix=/usr/local/ --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
# make
# make install
Check the result
# openvpn --version

Configure the server

The steps above complete the OpenVPN installation and must be run on both machines. The server configuration below is done on the server machine.

Set up the certificate generation tool

The OpenVPN source tarball ships with easy-rsa (version 2.0 here), the script collection used to generate the certificates. The paths below assume the tarball was unpacked under /opt/openvpn.
# mkdir -p /etc/openvpn
# cp -R /opt/openvpn/openvpn-2.2.2/easy-rsa /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0
# chmod +rwx ./vars
Set the certificate details (adjust to your environment; they become the subject fields of every certificate the CA issues)
# vim vars
export KEY_SIZE=2048
export KEY_COUNTRY="CN"
export KEY_PROVINCE="HZ"
export KEY_CITY="HangZhou"
export KEY_ORG="awifi"
export KEY_EMAIL="awifi@189.cn"
export KEY_CN=awifi
export KEY_NAME=awifi
export KEY_OU=awifi
export PKCS11_MODULE_PATH=awifi
export PKCS11_PIN=1234
The template lists KEY_EMAIL twice; one line is enough. The two PKCS11_* variables are only consulted when keys live on a PKCS#11 hardware token, so for file-based keys their values do not matter and can be left at the template defaults.
Load the variables and wipe the keys directory (clean-all deletes everything under keys/, so do not run it again once certificates exist)
# source vars
# ./clean-all

Generate the CA certificate

# ./build-ca  (press Enter at every prompt to accept the values from vars)
Check the generated files
# ls keys
ca.crt ca.key index.txt serial
ca.key is the CA's private key: anyone holding it can issue certificates the server will accept, so it stays on the server (better still, offline) and is never copied to a client.

Generate the server certificate and key

# ./build-key-server openvpn-server   (openvpn-server is the file name for the key pair; press Enter at each prompt, then answer y to "Sign the certificate?" and to "1 out of 1 certificate requests certified, commit?")
Check the generated files
# ls keys/
01.pem ca.crt ca.key index.txt index.txt.attr openvpn-server.crt openvpn-server.csr openvpn-server.key serial
build-key-server differs from build-key in that it marks the certificate as a server certificate (extendedKeyUsage serverAuth), which is what lets a client check that it is talking to the server rather than to another client.

Generate the client certificate

# ./build-key openvpn-client  (openvpn-client is the file name for the certificate; press Enter at each prompt, then answer y to "Sign the certificate?" and to "1 out of 1 certificate requests certified, commit?")
Check the generated files
# ls keys/openvpn-client*
openvpn-client.crt openvpn-client.csr openvpn-client.key
With several clients, generate a separate certificate for each one the same way, under a different name (the CA refuses to issue a second certificate for the same subject). OpenVPN can also be told to let several clients share one certificate, but then a lost or retired device cannot be cut off without revoking every client that shares it, so one certificate per client is the right default.

Generate the Diffie-Hellman parameters

# ./build-dh
With KEY_SIZE=2048 this writes keys/dh2048.pem (the sample server.conf refers to dh1024.pem, so the dh line has to be changed to match); generating 2048-bit parameters takes several minutes.

Generate a shared secret for tls-auth to block unauthenticated handshakes

# openvpn --genkey --secret keys/ta.key
ta.key is an HMAC key with which every control-channel packet is signed, so packets from anyone who does not hold it are dropped before the TLS handshake even starts. It only takes effect once tls-auth is enabled in both server.conf and client.conf, and it has to be copied to every client together with the client certificate.
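The CA, server and client material that build-ca, build-key-server and build-key produce, rebuilt with plain openssl so each step is visible, followed by the checks worth running on keys/ before anything is copied to a client. This is an added example, not part of the original post or of easy-rsa: it assumes the openssl command line tool, uses the post's file names, and skips the Diffie-Hellman parameters (build-dh is just `openssl dhparam -out keys/dh2048.pem 2048`, which takes minutes). client_bundle assembles exactly the file set the client section later copies into /etc/openvpn, and never includes ca.key.

```shell
#!/bin/sh
# Added example (not from the original post or easy-rsa): build the same
# CA / server / client material as build-ca, build-key-server and build-key,
# but with plain openssl, then check keys/ before any file is copied out.
# Assumed: the openssl CLI; file names as in the post; no DH parameters.

# issue_cert DIR NAME EKU: key, CSR and CA-signed certificate for NAME.
# EKU is serverAuth for the server (what build-key-server adds) and
# clientAuth for clients, so a client certificate can never pass as the server.
issue_cert() {
    idir=$1; iname=$2; ieku=$3
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$ieku" > "$idir/$iname.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=CN/O=awifi/CN=$iname" \
        -keyout "$idir/$iname.key" -out "$idir/$iname.csr" 2>/dev/null
    openssl x509 -req -days 3650 -sha256 -in "$idir/$iname.csr" \
        -CA "$idir/ca.crt" -CAkey "$idir/ca.key" -CAcreateserial \
        -extfile "$idir/$iname.ext" -out "$idir/$iname.crt" 2>/dev/null
}

# make_test_pki DIR: a throwaway CA plus openvpn-server and openvpn-client pairs.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA: self-signed and explicitly CA:TRUE (what ./build-ca produces)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=CN/O=awifi/CN=awifi-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 3650 -sha256 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    issue_cert "$dir" openvpn-server serverAuth
    issue_cert "$dir" openvpn-client clientAuth
    chmod 600 "$dir"/*.key
    rm -f "$dir"/*.csr "$dir"/*.ext
}

# The certificate must chain to this CA and no other.
check_cert_chain() {  # CA_CRT CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The server certificate must carry serverAuth, or clients that set
# `remote-cert-tls server` will (correctly) refuse to connect.
check_server_eku() {  # CERT
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q 'TLS Web Server Authentication'
}

# Certificate and key must belong together: compare their public keys.
check_key_matches() {  # CERT KEY
    pub_c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    pub_k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$pub_c" ] && [ "$pub_c" = "$pub_k" ]
}

# Keys are copied around by hand in this setup; refuse anything group- or
# world-readable.
check_key_perms() {  # KEY
    mode=$(stat -c %a "$1" 2>/dev/null)
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# verify_pki DIR SERVER_NAME CLIENT_NAME: run every check, print failures,
# return non-zero if any failed.
verify_pki() {
    pdir=$1; srv=$2; cli=$3; failed=0
    for n in "$srv" "$cli"; do
        check_cert_chain "$pdir/ca.crt" "$pdir/$n.crt" || { echo "FAIL: $n.crt does not chain to ca.crt"; failed=1; }
        check_key_matches "$pdir/$n.crt" "$pdir/$n.key" || { echo "FAIL: $n.key does not match $n.crt"; failed=1; }
        check_key_perms "$pdir/$n.key" || { echo "FAIL: $n.key is readable by others"; failed=1; }
    done
    check_server_eku "$pdir/$srv.crt" || { echo "FAIL: $srv.crt lacks the serverAuth EKU"; failed=1; }
    check_key_perms "$pdir/ca.key" || { echo "FAIL: ca.key is readable by others"; failed=1; }
    return $failed
}

# client_bundle DIR NAME OUT: exactly the files one client needs (ca.crt,
# NAME.crt, NAME.key, and ta.key when present). ca.key and the server key
# never go in here.
client_bundle() {
    bdir=$1; bname=$2; out=$3
    mkdir -p "$out"
    cp "$bdir/ca.crt" "$bdir/$bname.crt" "$bdir/$bname.key" "$out/"
    if [ -f "$bdir/ta.key" ]; then cp "$bdir/ta.key" "$out/"; fi
    chmod 600 "$out/$bname.key"
}

case "${1:-}" in
    demo)   # build a scratch PKI, check it, assemble the client file set
        scratch=$(mktemp -d)
        make_test_pki "$scratch/keys"
        verify_pki "$scratch/keys" openvpn-server openvpn-client && echo "keys/ OK"
        client_bundle "$scratch/keys" openvpn-client "$scratch/client-files"
        ls -l "$scratch/client-files"
        rm -rf "$scratch"
        ;;
    check)  # check DIR: audit a real keys/ directory, e.g. /etc/openvpn/easy-rsa/2.0/keys
        verify_pki "$2" openvpn-server openvpn-client && echo "keys/ OK"
        ;;
esac
```

`sh pki-check.sh demo` builds a scratch PKI and shows the checks passing; `sh pki-check.sh check /etc/openvpn/easy-rsa/2.0/keys` audits the real one produced by the steps above.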

Write the server configuration

Copy all certificates to /etc/openvpn/
# cp -ap keys /etc/openvpn/
Copy the sample server configuration to /etc/openvpn/
# cp /opt/openvpn/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
Edit the configuration
# cd /etc/openvpn/
# vim server.conf
port 51220
proto tcp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn-server.crt
key /etc/openvpn/keys/openvpn-server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
log /var/log/openvpn.log
The dh line must point at the file build-dh actually produced (dh2048.pem, not the sample's dh1024.pem), or the server will not start. The tls-auth line is what puts the ta.key generated earlier to use; 0 is the server side of the key direction, the client uses 1. The sample's `server 10.8.0.0 255.255.255.0` line stays as is and is where the 10.8.0.x addresses seen in the test below come from. Also uncomment `user nobody` and `group nobody` in the sample so the daemon drops root once it has opened the tun device and read the keys, and keep /etc/openvpn/keys readable by root only.

Enable IP forwarding

Forwarding is only needed if VPN clients are to reach networks behind the server; the tunnel-to-tunnel ping in the test below works without it. Only net.ipv4.ip_forward has to change. The original also set net.ipv4.conf.default.accept_source_route = 1 and net.ipv4.conf.default.rp_filter = 0, which this topology does not need and which weaken the host (source-routed packets accepted, reverse-path filtering off), so leave both at their defaults.
# echo -e "###OpenVPN ADD\nnet.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1
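The forwarding change reduced to the one setting it needs, written as a drop-in for /etc/sysctl.d, together with an audit that flags the two settings the original echo line loosened. This is an added example, not from the post; the file name 99-openvpn.conf and the copy of the original fragment used for comparison are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the forwarding change reduced
# to the one setting the VPN needs, as a drop-in for /etc/sysctl.d, plus an
# audit that flags the two settings the original echo line loosened.
# Assumed: the file name 99-openvpn.conf; the copy of the original fragment
# below is constructed here for comparison.

# Only ip_forward is needed to route between tun0 and the local network.
openvpn_sysctl_fragment() {
    cat <<'EOF'
### OpenVPN: route between tun0 and the local network
net.ipv4.ip_forward = 1
# accept_source_route stays 0: nothing here needs source-routed packets.
# rp_filter stays 1 (strict); if a second uplink ever makes routing
# asymmetric, set 2 (loose) on that interface, never 0 globally.
EOF
}

# write_openvpn_sysctl [FILE]: install the fragment (CentOS 7 loads
# /etc/sysctl.d/*.conf with `sysctl --system`).
write_openvpn_sysctl() {
    openvpn_sysctl_fragment > "${1:-/etc/sysctl.d/99-openvpn.conf}"
}

# The fragment the original post appends to /etc/sysctl.conf (constructed copy).
page_sysctl_fragment() {
    printf '###OpenVPN ADD\nnet.ipv4.conf.default.accept_source_route = 1\nnet.ipv4.conf.default.rp_filter = 0\nnet.ipv4.ip_forward = 1\n'
}

# sysctl_value FILE KEY: last value given to KEY in a sysctl-style file
# ("key = value" or "key=value"; # and ; comment lines ignored), "" if absent.
sysctl_value() {
    awk -v k="$2" -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == k { v = val }
        END { print v }' "$1"
}

# audit_sysctl_file FILE: non-zero if forwarding is off, or if the file turns
# source routing on or reverse-path filtering off (default or all scope).
audit_sysctl_file() {
    f=$1; bad=0
    [ "$(sysctl_value "$f" net.ipv4.ip_forward)" = 1 ] || { echo "net.ipv4.ip_forward is not 1"; bad=1; }
    for k in net.ipv4.conf.default.accept_source_route net.ipv4.conf.all.accept_source_route; do
        [ "$(sysctl_value "$f" "$k")" = 1 ] && { echo "$k = 1: source-routed packets accepted"; bad=1; }
    done
    for k in net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter; do
        [ "$(sysctl_value "$f" "$k")" = 0 ] && { echo "$k = 0: reverse-path filtering disabled"; bad=1; }
    done
    return $bad
}

case "${1:-}" in
    demo)
        t=$(mktemp -d)
        echo "== fragment from the post"
        page_sysctl_fragment > "$t/page.conf"; audit_sysctl_file "$t/page.conf" || true
        echo "== corrected fragment"
        openvpn_sysctl_fragment > "$t/fixed.conf"; audit_sysctl_file "$t/fixed.conf" && echo OK
        rm -rf "$t"
        ;;
    install)
        write_openvpn_sysctl && sysctl --system
        ;;
esac
```

`sh sysctl-openvpn.sh demo` shows the audit rejecting the original fragment and accepting the corrected one; `sh sysctl-openvpn.sh install` (as root) writes the drop-in and reloads all sysctl files.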

Start the server

# nohup /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &
Check the listening port
# netstat -lntup | grep vpn
tcp 0 0 0.0.0.0:51220 0.0.0.0:* LISTEN 23741/openvpn
Starting with nohup and & is fine for a test; for a service that survives reboots run it with --daemon from a systemd unit instead. With the log directive set above, the server writes to /var/log/openvpn.log rather than to nohup.out.

Configure the client

Next, configure the client; run the following on the client machine.

Edit the configuration file

Copy ca.crt, openvpn-client.crt, openvpn-client.key and ta.key generated on the server into /etc/openvpn on the client. Use scp or another authenticated channel: openvpn-client.key is the client's identity, and ca.key must never leave the server.
Copy the sample client configuration
# cp /opt/openvpn/openvpn-2.2.2/sample-config-files/client.conf /etc/openvpn/
Edit the client configuration client.conf
# vim client.conf
proto tcp
remote 104.223.123.6 51220
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn-client.crt
key /etc/openvpn/openvpn-client.key
tls-auth /etc/openvpn/ta.key 1
remote takes the server's public IP and port. tls-auth must be set on both sides with the same ta.key, key direction 1 here and 0 on the server. Also add `remote-cert-tls server`, which makes the client reject any peer whose certificate was not issued with build-key-server; without it, any holder of a valid client certificate from the same CA could impersonate the server.
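The server.conf and client.conf edits above, written out as one pair with the hardening the post generates material for (tls-auth) switched on, plus a small linter that reports which of those directives a given config lacks. This is an added example, not the post's or the OpenVPN project's code: it uses only OpenVPN 2.2 directives, the post's IP, port and /etc/openvpn paths, and a constructed copy of what the sample server.conf looks like after the post's edits for comparison; compression is left off.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project): the
# server.conf / client.conf pair for this setup with tls-auth switched on,
# plus a linter that reports which hardening directives a config lacks.
# Assumed: OpenVPN 2.2 directives only; the post's IP, port and paths;
# the "as on the page" server.conf is a constructed copy for comparison.

# write_server_conf FILE KEYDIR
write_server_conf() {
    cat > "$1" <<EOF
port 51220
proto tcp
dev tun
ca $2/ca.crt
cert $2/openvpn-server.crt
key $2/openvpn-server.key
dh $2/dh2048.pem
tls-auth $2/ta.key 0
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
user nobody
group nobody
persist-key
persist-tun
log /var/log/openvpn.log
EOF
}

# write_client_conf FILE SERVER_IP PORT CONFDIR
write_client_conf() {
    cat > "$1" <<EOF
client
dev tun
proto tcp
remote $2 $3
ca $4/ca.crt
cert $4/openvpn-client.crt
key $4/openvpn-client.key
tls-auth $4/ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
user nobody
group nobody
persist-key
persist-tun
EOF
}

# The sample server.conf after the post's edits (constructed copy): the
# dh path still names the sample file, tls-auth and user/group are commented.
write_page_server_conf() {
    cat > "$1" <<'EOF'
port 51220
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn-server.crt
key /etc/openvpn/keys/openvpn-server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
persist-key
persist-tun
;tls-auth ta.key 0
;user nobody
;group nobody
EOF
}

# has_directive FILE NAME: NAME appears as an active (uncommented) directive.
has_directive() {
    awk -v d="$2" '/^[ \t]*[#;]/ { next } $1 == d { f = 1 } END { exit !f }' "$1"
}

# last_arg FILE NAME: last argument of the last active NAME line ("" if none).
last_arg() {
    awk -v d="$2" '/^[ \t]*[#;]/ { next } $1 == d { a = (NF > 1) ? $NF : "" } END { print a }' "$1"
}

# require FILE ROLE NAME [LAST_ARG]: report a missing directive or a wrong
# final argument (key direction, user name, ...), return 1 in either case.
require() {
    if ! has_directive "$1" "$3"; then echo "MISSING ($2): $3${4:+ ... $4}"; return 1; fi
    if [ -n "${4:-}" ] && [ "$(last_arg "$1" "$3")" != "$4" ]; then
        echo "WRONG ($2): $3 ends with '$(last_arg "$1" "$3")', want $4"; return 1
    fi
    return 0
}

# lint_openvpn_conf FILE server|client
lint_openvpn_conf() {
    lf=$1; role=$2; bad=0
    for d in ca cert key persist-key persist-tun; do require "$lf" "$role" "$d" || bad=1; done
    require "$lf" "$role" user nobody || bad=1
    require "$lf" "$role" group nobody || bad=1
    if [ "$role" = server ]; then
        require "$lf" "$role" dh || bad=1
        require "$lf" "$role" tls-auth 0 || bad=1
    else
        require "$lf" "$role" remote || bad=1
        require "$lf" "$role" tls-auth 1 || bad=1
        require "$lf" "$role" remote-cert-tls server || bad=1
    fi
    return $bad
}

case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        write_page_server_conf "$tmp/page-server.conf"
        echo "== server.conf as on the page"; lint_openvpn_conf "$tmp/page-server.conf" server || true
        write_server_conf "$tmp/server.conf" /etc/openvpn/keys
        write_client_conf "$tmp/client.conf" 104.223.123.6 51220 /etc/openvpn
        echo "== hardened pair"
        lint_openvpn_conf "$tmp/server.conf" server && lint_openvpn_conf "$tmp/client.conf" client && echo "both OK"
        rm -rf "$tmp"
        ;;
esac
```

`sh ovpn-conf.sh demo` lists what the page's server.conf is missing (tls-auth, user, group) and shows the generated pair passing. Both generated files still require ta.key to be present on each side and dh2048.pem on the server; the linter checks directives, not files. `proto tcp` is kept because the post uses it, but UDP (the OpenVPN default) should be preferred unless a firewall forces TCP.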

Start the client

# nohup /usr/local/sbin/openvpn --config /etc/openvpn/client.conf &
Check the startup log
# tail -f nohup.out
...
Initialization Sequence Completed
"Initialization Sequence Completed" means the tunnel is up.

Test

The server now has a VPN address:
# ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 12 bytes 826 (826.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 796 (796.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The client has also been assigned a VPN address:
# ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 14 bytes 1362 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 1527 (1.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Ping the server's 10.8.0.1 from the client; a reply means the tunnel works.
# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=5.49 ms
The point-to-point pairs (10.8.0.1/10.8.0.2 on the server, 10.8.0.5/10.8.0.6 on the client) come from OpenVPN 2.2's default net30 topology, which carves a /30 per client out of the 10.8.0.0/24 pool set by the server line in server.conf.