1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
# 一、环境概述:
# 专有网络:172.16.0.0/12
# 交换机(张家口):172.19.0.0/24
# 1.openvpn-server:公网(106.14.141.66)私网(172.19.95.187)
# 2.web01.magedu.org:私网(172.19.95.188)
# 3.web02.magedu.org:私网(172.19.95.189)
更新主机名称
ssh root@106.14.141.66
hostnamectl
sudo hostnamectl set-hostname openvpn-server
hostnamectl
ssh 172.19.95.188
hostnamectl
sudo hostnamectl set-hostname web01.magedu.org
hostnamectl
ssh 172.19.95.189
hostnamectl
sudo hostnamectl set-hostname web02.magedu.org
hostnamectl
# 二、连接openvpn服务器
[root@openvpn-server ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:3d:05:a6 brd ff:ff:ff:ff:ff:ff
inet 172.19.95.187/20 brd 172.19.95.255 scope global dynamic eth0
valid_lft 315359301sec preferred_lft 315359301sec
inet6 fe80::216:3eff:fe3d:5a6/64 scope link
valid_lft forever preferred_lft forever
[root@openvpn-server ~]# curl ipinfo.io
{
"ip": "106.14.141.66",
"city": "Shanghai",
"region": "Shanghai",
"country": "CN",
"loc": "31.2222,121.4581",
"org": "AS37963 Hangzhou Alibaba Advertising Co.,Ltd.",
"postal": "200000",
"timezone": "Asia/Shanghai",
"readme": "https://ipinfo.io/missingauth"
}
# 直接通过ssh openvpn-server这台机器进行跳转到其他两台web服务器
[root@openvpn-server ~]# ssh 172.19.95.188
[root@web01 ~]# yum -y install httpd;hostname > /var/www/html/index.html;systemctl enable --now httpd
[root@web01 ~]# curl 172.19.95.188
web01.magedu.org
[root@openvpn-server ~]# ssh 172.19.95.189
[root@web02 ~]# yum -y install httpd;hostname > /var/www/html/index.html;systemctl enable --now httpd
[root@web02 ~]# curl 172.19.95.189
web02.magedu.org
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
| # 1.生成SSH密钥对:
[root@openvpn-server ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2NquKkp19blO6Nz5jS3xiaJidXaLe4ncFn1NQ3ljpPQ root@openvpn-server
The key's randomart image is:
+---[RSA 2048]----+
| ....|
| . o=.|
| . .oEo|
| .o. . ..|
| . .. So . .o|
| . . +.o.+ . ..|
| . o.=o= B o |
|. . oo.+=.O+o |
|.. .o.o=o=*o.o |
+----[SHA256]-----+
# 2.拷贝.ssh文件夹到其他两台机器上
[root@openvpn-server ~]# rsync -av .ssh 172.19.95.188:/root/
root@172.19.95.188's password:
sending incremental file list
.ssh/
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/known_hosts
sent 2,723 bytes received 77 bytes 509.09 bytes/sec
total size is 2,430 speedup is 0.87
[root@openvpn-server ~]# rsync -av .ssh 172.19.95.189:/root/
root@172.19.95.189's password:
sending incremental file list
.ssh/
.ssh/authorized_keys
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/known_hosts
sent 2,762 bytes received 96 bytes 635.11 bytes/sec
total size is 2,430 speedup is 0.85
|
1
2
3
4
5
| # 查看openvpn版本
[root@openvpn-server ~]# yum list openvpn
# 安装openvpn服务器端以及证书管理工具
[root@openvpn-server ~]# yum -y install openvpn easy-rsa
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
| # 查看安装好的openvpn的版本
[root@openvpn-server ~]# rpm -qi openvpn
Name : openvpn
Version : 2.4.12
Release : 1.el7
Architecture: x86_64
Install Date: Mon Aug 19 11:33:42 2024
Group : Unspecified
Size : 1286851
License : GPLv2
Signature : RSA/SHA256, Fri Mar 18 05:21:26 2022, Key ID 6a2faea2352c64e5
Source RPM : openvpn-2.4.12-1.el7.src.rpm
Build Date : Fri Mar 18 02:59:28 2022
Build Host : buildvm-x86-10.iad2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : https://community.openvpn.net/
Bug URL : https://bugz.fedoraproject.org/openvpn
Summary : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.
# 查看安装openvpn的文件列表
[root@openvpn-server ~]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.4.12
/usr/share/doc/openvpn-2.4.12/AUTHORS
/usr/share/doc/openvpn-2.4.12/COPYING
/usr/share/doc/openvpn-2.4.12/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.4.12/ChangeLog
/usr/share/doc/openvpn-2.4.12/Changes.rst
/usr/share/doc/openvpn-2.4.12/README
/usr/share/doc/openvpn-2.4.12/README.auth-pam
/usr/share/doc/openvpn-2.4.12/README.down-root
/usr/share/doc/openvpn-2.4.12/README.systemd
/usr/share/doc/openvpn-2.4.12/contrib
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.4.12/contrib/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.4.12/management-notes.txt
/usr/share/doc/openvpn-2.4.12/sample
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/README
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/home.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/office.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn-2.4.12/sample/sample-windows
/usr/share/doc/openvpn-2.4.12/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn
[root@openvpn-server ~]#
# 拷贝服务配置模板到/etc/openvpn,生成服务器配置文件
[root@openvpn-server ~]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
[root@openvpn-server ~]# ll /etc/openvpn
total 20
drwxr-x--- 2 root openvpn 4096 Mar 18 2022 client
drwxr-x--- 2 root openvpn 4096 Mar 18 2022 server
-rw-r--r-- 1 root root 10784 Aug 19 11:36 server.conf
# 查看easy-rsa的文件列表
[root@openvpn-server ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa-3.0.8
/usr/share/doc/easy-rsa-3.0.8/COPYING.md
/usr/share/doc/easy-rsa-3.0.8/ChangeLog
/usr/share/doc/easy-rsa-3.0.8/README.md
/usr/share/doc/easy-rsa-3.0.8/README.quickstart.md
/usr/share/doc/easy-rsa-3.0.8/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa-3.0.8
/usr/share/licenses/easy-rsa-3.0.8/gpl-2.0.txt
# 准备证书签发相关文件
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
[root@openvpn-server ~]# ll /etc/openvpn
total 24
drwxr-x--- 2 root openvpn 4096 Mar 18 2022 client
drwxr-xr-x 3 root root 4096 Aug 19 11:39 easy-rsa-server
drwxr-x--- 2 root openvpn 4096 Mar 18 2022 server
-rw-r--r-- 1 root root 10784 Aug 19 11:36 server.conf
# 准备签发证书相关变量的配置文件
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars
# 建议修改给CA和OpenVPN服务器颁发的证书的有效期,可适当加长
[root@openvpn-server ~]# vim /etc/openvpn/easy-rsa-server/3/vars
#CA的证书有效期默为为10年,可以适当延长,比如:36500天
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 36500
#服务器证书默为为825天,可适当加长,比如:3650天
#set_var EASYRSA_CERT_EXPIRE 825
#将上面行修改为下面
set_var EASYRSA_CERT_EXPIRE 3650
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
| # 进入easyrsa脚本所在的文件夹列表
[root@openvpn-server ~]# cd /etc/openvpn/easy-rsa-server/3/
[root@openvpn-server 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
[root@openvpn-server 3]#
# 初始化 Public Key Infrastructure (PKI)生成PKI相关目录和文件
[root@openvpn-server 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[root@openvpn-server 3]#tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 2 files
# 创建CA机构
[root@openvpn-server 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
........................................................................+++
..............................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt
[root@openvpn-server 3]#
# 查看文件列表
[root@openvpn-server 3]# tree pki -C
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 7 files
[root@openvpn-server 3]#
# 查看生成的CA证书
[root@openvpn-server 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bc:21:18:c8:d0:e9:f9:c0
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Aug 22 06:42:24 2023 GMT
Not After : Jul 29 06:42:24 2123 GMT
Subject: CN=Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:d4:e2:27:20:15:40:e4:9c:a8:dc:1e:ab:1c:
46:58:0d:50:63:56:8d:a5:98:55:35:30:74:f8:0c:
e8:98:47:de:e0:1e:64:9a:d6:79:05:86:a3:ad:6f:
7f:a9:7c:e5:0e:f5:16:16:3b:73:c0:45:aa:95:d8:
30:ea:2a:26:85:7b:b1:2f:2a:6e:ba:f1:e4:d2:f4:
d6:79:7c:31:b6:aa:17:fb:04:a2:a2:8d:7b:63:13:
99:8d:38:b2:e5:14:6e:30:ed:71:b0:89:c6:05:9e:
0b:80:3c:5c:d1:f2:25:3e:9a:b6:ec:fb:e1:f6:a7:
f7:ac:13:76:44:c4:de:d0:e0:14:04:09:1c:b6:d0:
62:8e:22:73:a1:6c:4f:dc:89:e5:1b:22:92:be:b8:
35:43:d7:83:ab:fd:95:65:c3:f5:9c:18:ee:ce:d1:
0f:fc:b1:b4:70:43:5b:ac:5c:79:5a:9b:cd:02:bf:
d3:f3:0a:b3:78:c3:6c:69:e7:ac:da:d7:91:75:11:
22:c8:ae:17:d3:96:4c:d1:27:c5:b5:3e:a4:18:65:
e0:3e:69:e8:a2:9a:f4:03:7d:9f:5c:62:c0:c5:d8:
d4:e5:6f:1c:bb:a4:8c:89:f5:91:44:03:c3:15:9d:
79:8f:04:3a:79:03:30:bc:43:4e:d8:56:9d:96:86:
8a:f5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
2D:77:F9:F5:B0:DD:E2:0E:4E:51:A7:CD:7F:83:26:FC:FA:53:C4:1E
X509v3 Authority Key Identifier:
keyid:2D:77:F9:F5:B0:DD:E2:0E:4E:51:A7:CD:7F:83:26:FC:FA:53:C4:1E
DirName:/CN=Easy-RSA CA
serial:BC:21:18:C8:D0:E9:F9:C0
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
23:00:ff:38:24:f8:e2:09:4a:cd:58:ff:ab:08:73:51:60:bb:
7f:92:67:bc:d0:31:a7:ca:95:1a:fd:a9:45:91:4f:3d:e9:58:
a9:50:53:8f:49:c4:82:c0:59:d5:a6:ab:95:07:ec:d2:85:f3:
bd:18:e8:32:8f:11:f0:c4:2d:41:0b:1d:8c:67:72:8b:c8:32:
6a:e2:81:2a:0d:9e:0f:4c:21:f0:35:0f:dd:18:b0:4f:13:d9:
12:26:f1:2e:f1:e1:0a:d0:a5:a1:18:ce:e0:2b:19:a9:07:43:
00:dd:d8:3b:42:9d:6f:53:79:b1:2a:c0:58:ca:ab:9c:e7:c3:
70:56:24:ee:da:3a:1d:77:6c:e1:f4:95:ba:72:91:ee:6b:68:
31:d1:ac:7f:85:47:23:bb:49:6b:35:29:d2:78:01:73:59:75:
20:5e:15:31:5a:dd:c4:73:18:f1:98:85:b8:34:70:ce:ba:dc:
4c:0a:d1:0d:9b:f0:ca:57:5a:ce:0a:ea:24:0d:7b:a3:eb:8d:
28:bf:07:43:e3:dc:83:ee:0a:cb:0f:49:9d:1b:26:27:0d:cb:
f9:33:85:9f:3b:b7:c4:fe:6d:3a:73:3d:69:86:72:ed:f6:1c:
d8:61:97:9f:44:81:ac:f1:bb:25:02:d5:00:aa:a8:76:d3:ae:
37:6c:11:47
[root@openvpn-server 3]#
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
| #创建服务器证书申请文件,其中server是文件前缀
[root@openvpn-server 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...........+++
............................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1684.jLW8wL/tmp.nqY7jU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:openvpn
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key
[root@openvpn-server 3]#
# [root@openvpn-server 3]# tree pki/ -C
pki/ #公钥基础设施的主目录,其中包含所有的证书、密钥、和其他相关文件。
├── ca.crt #证书颁发机构(CA)的公共证书。它用于验证来自该CA签署的任何其他证书。
├── certs_by_serial #一个目录,其中包含由序列号索引的证书链接。它使得更容易地找到给定序列号的证书。
├── index.txt #一个数据库文件,其中包含CA签发的所有证书的状态信息。
├── index.txt.attr #与index.txt文件相关的属性文件。
├── issued #一个目录,其中包含CA签发的所有证书。
├── openssl-easyrsa.cnf #OpenVPN和easy-rsa的OpenSSL配置文件。
├── private #一个目录,其中包含私钥。不应与其他人分享这些密钥。
│ ├── ca.key #证书颁发机构(CA)的私钥。
│ └── server.key #OpenVPN服务器的私钥。
├── renewed #一个目录,其中包含续签的证书和密钥的相关数据。
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs # 一个目录,其中包含证书签名请求(CSR)文件。
│ └── server.req #OpenVPN服务器的证书签名请求。
├── revoked #一个目录,其中包含被撤销的证书和密钥的相关数据。
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf #另一个OpenSSL配置文件,可能是针对更安全的配置或特定的操作。
└── serial #一个文件,它包含下一个证书的序列号。
12 directories, 9 files
[root@openvpn-server 3]#
#将上面server.req的申请,颁发server类型的证书
[root@openvpn-server 3]# ./easyrsa sign-req server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = openvpn
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #输入yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1886.heaNji/tmp.kGW5CF
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpn'
Certificate is to be certified until Aug 19 07:13:37 2033 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt
[root@openvpn-server 3]#
# 创建 Diffie-Hellman 密钥
[root@openvpn-server 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................................................................................................+......................................................................................................+.+......................................................................................................................................................................................................................................................................................................................................................................................+..........................................................................................................................................+................................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem
[root@openvpn-server 3]#
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
| # 重新拷贝一份充当客户端环境
[root@openvpn-server openvpn]# cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa-client/
[root@openvpn-server openvpn]# cd /etc/openvpn/easy-rsa-client/3
# 生成证书申请所需目录pki和文件
[root@openvpn-server 3]# ./easyrsa init-pki
# 生成客户端用户的证书申请
[root@openvpn-server 3]# ./easyrsa gen-req xingyuyu nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...........................................................................................................+++
.....................................+++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-2122.AZW6ty/tmp.j15lap'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [xingyuyu]: #直接回车
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/xingyuyu.req #证书申请文件
key: /etc/openvpn/easy-rsa-client/3/pki/private/xingyuyu.key #私钥文件
[root@openvpn-server 3]# tree -C
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ └── xingyuyu.key #私钥文件
│ ├── reqs
│ │ └── xingyuyu.req #证书申请文件
│ └── safessl-easyrsa.cnf
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 14 files
[root@openvpn-server 3]#
# 回到CA的相关目录,为客户端颁发证书
[root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
# 将客户端用户的申请文件导入到CA的申请目录里面,说白了就是copy文件的过程,得加上前缀邢宇宇
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/xingyuyu.req xingyuyu
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Easy-RSA error:
Unable to import: incorrect command syntax.
Run easyrsa without commands for usage and command help.
[root@openvpn-server 3]#
# 修改配置文件,刚才是为server颁发证书设置的是10年,但是现在为客户端颁发证书不能设置那么长的时间,所以需要修改
[root@openvpn-server 3]# vim vars
set_var EASYRSA_CERT_EXPIRE 180
# 签发证书
[root@openvpn-server 3]# ./easyrsa sign-req client xingyuyu
# 将CA和服务器证书相关文件复制到服务器相应的目录
[root@openvpn-server 3]# mkdir /etc/openvpn/certs
[root@openvpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/{ca.crt,dh.pem} /etc/openvpn/certs/
[root@openvpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@openvpn-server 3]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs
# 将客户端用户所需要的相关文件放到相应的目录
[root@openvpn-server 3]# mkdir /etc/openvpn/client/xingyuyu/
[root@openvpn-server 3]# find /etc/openvpn/ \( -name "xingyuyu.key" -o -name "xingyuyu.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/xingyuyu/ \;
# find /etc/openvpn/: find 是一个在目录结构中搜索文件的命令。/etc/openvpn/ 是要开始搜索的目录。
−name"xingyuyu.key"−o−name"xingyuyu.crt"−o−nameca.crt: 这是一个复杂的表达式,用于匹配三种文件名。
-name "xingyuyu.key": 匹配名为 "xingyuyu.key" 的文件。
-o: 逻辑 OR 操作符,表示满足任何一个条件的文件都将被选中。
-name "xingyuyu.crt": 匹配名为 "xingyuyu.crt" 的文件。
-name ca.crt: 匹配名为 "ca.crt" 的文件。
整个表达式的意思是:找到任何名称为 "xingyuyu.key"、"xingyuyu.crt" 或 "ca.crt" 的文件。
-exec cp {} /etc/openvpn/client/xingyuyu/ ;: 当 find 命令找到符合条件的文件时,它会对每个文件执行指定的操作。
-exec: 表示要对找到的文件执行一个操作。
cp {} /etc/openvpn/client/xingyuyu/: 是要执行的操作。其中 {} 是一个占位符,代表 find 命令找到的文件。所以,这个操作的意思是将找到的文件复制到 /etc/openvpn/client/xingyuyu/ 目录。
;: 表示 -exec 操作的结束。\是转义
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
| # 写入配置文件
[root@openvpn-server openvpn]# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
[root@openvpn-server openvpn]#
#创建日志所在文件夹
[root@openvpn-server openvpn]# mkdir /var/log/openvpn
[root@openvpn-server openvpn]# chown openvpn.openvpn /var/log/openvpn/
# 开启网卡转发功能
[root@openvpn-server openvpn]# echo net.ipv4.ip_forward =1 >> /etc/sysctl.conf
[root@openvpn-server openvpn]# sysctl -p
# 使用openvpn,开启隧道默认的网段就是配置文件里面配置的网段,然后通过iptables配置以后将这个网段的地址指向内网地址
[root@openvpn-server openvpn]# echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE" >> /etc/rc.d/rc.local
[root@openvpn-server openvpn]# chmod +x /etc/rc.d/rc.local
[root@openvpn-server openvpn]# /etc/rc.d/rc.local
[root@openvpn-server openvpn]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/24 0.0.0.0/0
[root@openvpn-server openvpn]#
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
| # 这个文件默认Centos8没有,需要从CentOS7上拷贝
[root@openvpn-server openvpn]# vim /usr/lib/systemd/system/openvpn@.service
[root@openvpn-server openvpn]# ll /usr/sbin/openvpn
-rwxr-xr-x 1 root root 787232 Mar 18 2022 /usr/sbin/openvpn
[root@openvpn-server openvpn]#
# 启动
[root@openvpn-server openvpn]# systemctl daemon-reload
[root@openvpn-server openvpn]# systemctl enable --now openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@openvpn-server openvpn]#
#查看网卡
[root@openvpn-server openvpn]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:04:4a:08 brd ff:ff:ff:ff:ff:ff
inet 172.30.0.1/24 brd 172.30.0.255 scope global dynamic eth0
valid_lft 315348175sec preferred_lft 315348175sec
inet6 fe80::216:3eff:fe04:4a08/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::ea53:4d53:6150:51d6/64 scope link flags 800
valid_lft forever preferred_lft forever
[root@openvpn-server openvpn]#
#多了一个tun0的虚拟网卡,并且地址是10.8.0.1
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
| #创建客户端的配置文件
[root@openvpn-server openvpn]# vim /etc/openvpn/client/xingyuyu/client.ovpn
client
dev tun
proto tcp
remote 39.100.98.155 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert xingyuyu.crt
key xingyuyu.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
[root@openvpn-server openvpn]# tree /etc/openvpn/client/xingyuyu/
/etc/openvpn/client/xingyuyu/
├── ca.crt
├── client.ovpn
├── xingyuyu.crt
└── xingyuyu.key
0 directories, 4 files
[root@openvpn-server openvpn]#
#打包客户端用户所需的文件,这些文件需要导入到windows中的openvpn路径下才能使用
[root@openvpn-server ~]# cd /etc/openvpn/client/xingyuyu/
[root@openvpn-server ~]# tar cf /root/xingyuyu.tar ./
#将安装包解压,然后放到C:\Program Files\OpenVPN\config,就可以使用了
|