[root@localhost ~]# yum install -y easy-rsa
[root@localhost ~]# echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf[root@localhost ~]# sysctl -pnet.ipv4.ip_forward = 1
[root@localhost ~]# systemctl stop firewalld && systemctl disable firewalldRemoved symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.[root@localhost ~]#
[root@localhost ~]# yum install -y openvpn
[root@localhost ~]# rpm -ql easy-rsa
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@localhost ~]# cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/3.0.8/vars
[root@localhost ~]# tree /etc/openvpn/etc/openvpn├── client├── easy-rsa│ ├── 3 -> 3.0.8│ ├── 3.0 -> 3.0.8│ └── 3.0.8│ ├── easyrsa│ ├── openssl-easyrsa.cnf│ ├── vars│ └── x509-types│ ├── ca│ ├── client│ ├── code-signing│ ├── COMMON│ ├── kdc│ ├── server│ └── serverClient└── server7 directories, 11 files
[root@localhost 3.0.8]# ./easyrsa init-pkiNote: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/varsinit-pki complete; you may now create a CA or requests.Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.8/pki
[root@localhost 3.0.8]# ./easyrsa build-ca nopassNote: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Generating RSA private key, 2048 bit long modulus...........................................................+++...................+++e is 65537 (0x10001)You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openvpnCA creation complete and you may now import and sign cert requests.Your new CA certificate file for publishing is at:/etc/openvpn/easy-rsa/3.0.8/pki/ca.crt
[root@localhost 3.0.8]# ./easyrsa gen-req server nopassNote: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Generating a 2048 bit RSA private key....................................................................+++..........................................................................+++writing new private key to '/etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-64175.jmZTqN/tmp.8T6ZJH'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Common Name (eg: your user, host, or server name) [server]:openvpnKeypair and certificate request completed. Your files are:req: /etc/openvpn/easy-rsa/3.0.8/pki/reqs/server.reqkey: /etc/openvpn/easy-rsa/3.0.8/pki/private/server.key
[root@localhost 3.0.8]# ./easyrsa sign server serverNote: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017You are about to sign the following certificate.Please check over the details shown below for accuracy. Note that this requesthas not been cryptographically verified. Please be sure it came from a trustedsource or that you have verified the request checksum with the sender.Request subject, to be signed as a server certificate for 825 days:subject=commonName = openvpnType the word 'yes' to continue, or any other input to abort.Confirm request details: yesUsing configuration from /etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-64203.JCprI0/tmp.eXYBQRCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscommonName :ASN.1 12:'openvpn'Certificate is to be certified until Oct 6 16:48:16 2027 GMT (825 days)Write out database with 1 new entriesData Base UpdatedCertificate created at: /etc/openvpn/easy-rsa/3.0.8/pki/issued/server.crt
[root@localhost 3.0.8]# ./easyrsa gen-dhNote: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/varsUsing SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017Generating DH parameters, 2048 bit long safe prime, generator 2This is going to take a long time...............................+.......................................................................................................................................................................................................................................................................................................++*++*DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.8/pki/dh.pem
[root@localhost 3.0.8]# openvpn --genkey --secret ta.key
[root@localhost 3.0.8]# lltotal 104-rwxr-xr-x. 1 root root 76946 Jul 4 00:13 easyrsa-rw-r--r--. 1 root root 4616 Jul 4 00:13 openssl-easyrsa.cnfdrwx------. 8 root root 4096 Jul 4 00:49 pki-rw-------. 1 root root 636 Jul 4 00:52 ta.key-rw-r--r--. 1 root root 8887 Jul 4 00:31 varsdrwxr-xr-x. 2 root root 122 Jul 4 00:13 x509-types[root@localhost 3.0.8]# tree pkipki├── ca.crt # ca根证书、服务端和客户端都需要用├── certs_by_serial│ └── 8708CB5FFA86BA7A8CCC3F9BDA3C381C.pem├── dh.pem # 认证算法 服务端├── index.txt├── index.txt.attr├── index.txt.attr.old├── index.txt.old├── issued│ └── server.crt # 服务端证书├── openssl-easyrsa.cnf├── private│ ├── ca.key│ └── server.key # 服务端私钥├── renewed│ ├── certs_by_serial│ ├── private_by_serial│ └── reqs_by_serial├── reqs│ └── server.req├── revoked│ ├── certs_by_serial│ ├── private_by_serial│ └── reqs_by_serial├── safessl-easyrsa.cnf├── serial└── serial.old12 directories, 15 files
[root@localhost ~]# mkdir /etc/openvpn/certs[root@localhost 3.0.8]# cp ./pki/ca.crt /etc/openvpn/certs[root@localhost 3.0.8]# cp ./pki/dh.pem /etc/openvpn/certs[root@localhost 3.0.8]# cp ./pki/issued/server.crt /etc/openvpn/certs[root@localhost 3.0.8]# cp ./pki/private/server.key /etc/openvpn/certs[root@localhost 3.0.8]# cp ta.key /etc/openvpn/certs
[root@localhost 3.0.8]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
[root@localhost 3.0.8]# cd /etc/openvpn[root@localhost openvpn]# lltotal 12drwxr-xr-x. 2 root root 84 Jul 4 00:58 certsdrwxr-x---. 2 root openvpn 6 Mar 18 2022 clientdrwxr-xr-x. 3 root root 39 Jul 4 00:13 easy-rsadrwxr-x---. 2 root openvpn 6 Mar 18 2022 server-rw-r--r--. 1 root root 10784 Jul 4 01:01 server.conf[root@localhost openvpn]# vim server.conf
#监听本机ip地址 local 0.0.0.0 #(这里填本机地址) #监控本机端口号 port 1194 #指定采用的传输协议,可以选择tcp或udp proto tcp #指定创建的通信隧道类型,可选tun或tap,window服务器必须是tap dev tun #指CA证书的文件路径 ca /etc/openvpn/certs/ca.crt #指定服务器端的证书文件路径 cert /etc/openvpn/certs/server.crt #指定服务器端的私钥文件路径 key /etc/openvpn/certs/server.key dh /etc/openvpn/certs/dh.pem #指定虚拟局域网占用的IP地址段和子网掩码,不能和服务器eth0同网段 server 10.8.0.0 255.255.255.0 #服务器自动给客户端分配IP后,客户端下次连接时,仍然采用上次的IP地址(第一次 分配的IP保存在ipp.txt中,下一次分配其中保存的IP)。 ifconfig-pool-persist ipp.txt #自动推送客户端上的网关及DHCP,此项开启了流量转发,有这项才能使用服务器代理上 网 push "redirect-gateway def1 bypass-dhcp" #OpenVPN的DHCP功能为客户端提供指定的 DNS、WINS 等 push "dhcp-option DNS 114.114.114.114" #允许客户端与客户端相连接,默认情况下客户端只能与服务器相连接 client-to-client #允许同一个客户端证书多次登录,看需配置#duplicate-cn#每10秒ping一次,连接超时时间设为120秒 keepalive 10 120 #开启TLS-auth,使用ta.key防御攻击。服务器端的第二个参数值为0,客户端的为1。 tls-auth /etc/openvpn/certs/ta.key 0 #加密认证算法,2.4之前是AES-256-CBCcipher AES-256-GCM#使用lzo压缩的通讯,服务端和客户端都必须配置 comp-lzo #最大连接用户 max-clients 100 #定义运行的用户和组,openvpn用户是安装的时候系统自动创建的 user openvpn group openvpn #重启时仍保留一些状态 persist-keypersist-tun #输出短日志,每分钟刷新一次,以显示当前的客户端 status /var/log/openvpn-status.log #日志保存路径 log /etc/openvpn/log/openvpn.log log-append /etc/openvpn/log/openvpn.log #指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细 verb 3 #相同信息的数量,如果连续出现 20 条相同的信息,将不记录到日志中 mute 20 #下面这项只能udp连接开启 #explicit-exit-notify 1 #设置tls最低版本为1.3,连接的客户端如果是2.4以下则配置为1.0 tls-version-min 1.3
[root@localhost openvpn]# cat /lib/systemd/system/openvpn.service[Unit]Description=OpenVPN Robust And Highly Flexible Tunneling Application On %IAfter=network.target[Service]Type=notifyPrivateTmp=trueExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config /etc/openvpn/server.conf[Install]WantedBy=multi-user.target
[root@localhost openvpn]# systemctl enable openvpnCreated symlink from /etc/systemd/system/multi-user.target.wants/openvpn.service to /usr/lib/systemd/system/openvpn.service.
[root@localhost openvpn]# systemctl start openvpn
[root@localhost openvpn]# netstat -atunlp |grep openvpntcp 0 0 0.0.0.0:1194 0.0.0.0:* LISTEN 64435/openvpn[root@localhost openvpn]# lsof -i:1194COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEopenvpn 64435 openvpn 6u IPv4 76576 0t0 TCP *:openvpn (LISTEN)[root@localhost openvpn]#[root@localhost openvpn]#[root@localhost openvpn]# ps -ef |grep openvpnopenvpn 64435 1 0 01:22 ? 00:00:00 /usr/sbin/openvpn --cd /etc/openvpn/ --config /etc/openvpn/server.confroot 64470 1454 0 01:24 pts/0 00:00:00 grep --color=auto openvpn
推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://hqyman.cn/post/12115.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
微信支付宝扫一扫,打赏作者吧~休息一下~~
萌ICP备20248119号
