Compiling and installing OpenVPN on CentOS 6.5

Linux server configuration

Check the kernel and OS version, change the hostname, and set up time synchronization

[root@meinv01 ~]# uname -r
2.6.32-431.el6.x86_64
[root@meinv01 ~]# cat /etc/redhat-release 
CentOS release 6.5 (Final)
[root@meinv01 ~]# crontab -l
#time update by root
*/5 * * * * /usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1
[root@meinv01 ~]# date
2019年 01月 29日 星期二 11:03:17 CST
[root@meinv01 ~]# hostname openvpnserver
[root@meinv01 ~]# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=openvpnserver
"/etc/sysconfig/network" 2L, 38C written
[root@meinv01 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
"/etc/hosts" 2L, 172C 已写入
[root@meinv01 ~]# logout
[oldboy@meinv01 ~]$ logout

Create a directory for the OpenVPN sources and upload the tarballs

[oldboy@openvpnserver ~]$ sudo su -
[root@openvpnserver ~]# mkdir -p /home/oldboy/tools
[root@openvpnserver ~]# cd /home/oldboy/tools/
[root@openvpnserver tools]# mkdir openvpn
[root@openvpnserver tools]# cd openvpn/
[root@openvpnserver openvpn]# pwd
/home/oldboy/tools/openvpn
[root@openvpnserver openvpn]# rz -y
rz waiting to receive.
Starting zmodem transfer.  Press Ctrl+C to cancel.
Transferring lzo-2.06.tar.gz...
  100%     569 KB   569 KB/s 00:00:01       0 Errors
Transferring openvpn-2.2.2.tar.gz...
  100%     889 KB   889 KB/s 00:00:01       0 Errors
[root@openvpnserver openvpn]# ls
lzo-2.06.tar.gz openvpn-2.2.2.tar.gz

Stop the firewall, disable SELinux, and enable IP forwarding in the kernel

[root@openvpnserver openvpn]# /etc/init.d/iptables stop
[root@openvpnserver openvpn]# /etc/init.d/iptables status
iptables:未运行防火墙。
[root@openvpnserver openvpn]# grep -i ip_forward /etc/sysctl.conf 
net.ipv4.ip_forward = 0
[root@openvpnserver openvpn]# sed -i 's#net.ipv4.ip_forward = 0#net.ipv4.ip_forward = 1#g' /etc/sysctl.conf 
[root@openvpnserver openvpn]# grep -i ip_forward /etc/sysctl.conf  
net.ipv4.ip_forward = 1
[root@openvpnserver openvpn]# sysctl -p

Extract lzo, then compile and install it (this lab uses lzo 2.06)

[root@openvpnserver openvpn]# ls
lzo-2.06.tar.gz openvpn-2.2.2.tar.gz
[root@openvpnserver openvpn]# tar xf lzo-2.06.tar.gz 
[root@openvpnserver openvpn]# cd lzo-2.06
[root@openvpnserver lzo-2.06]# ./configure
[root@openvpnserver lzo-2.06]# make && make install

Extract OpenVPN, install the packages it depends on, then compile and install OpenVPN (this lab uses OpenVPN 2.2.2)

[root@openvpnserver lzo-2.06]# cd ../
[root@openvpnserver openvpn]# rpm -qa|grep openvpn
[root@openvpnserver openvpn]# ls
lzo-2.06 lzo-2.06.tar.gz openvpn-2.2.2.tar.gz
[root@openvpnserver openvpn]# tar xf openvpn-2.2.2.tar.gz 
[root@openvpnserver openvpn]# cd openvpn-2.2.2
[root@openvpnserver openvpn-2.2.2]# yum install -y openssl*
[root@openvpnserver openvpn-2.2.2]# rpm -qa|grep openssl     #<== make sure these dependency packages are installed
openssl-static-1.0.1e-57.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
openssl-devel-1.0.1e-57.el6.x86_64
openssl-perl-1.0.1e-57.el6.x86_64
openssl098e-0.9.8e-20.el6.centos.1.x86_64
[root@openvpnserver openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib 
[root@openvpnserver openvpn-2.2.2]# make && make install
[root@openvpnserver openvpn-2.2.2]# echo $?
0

Generate the CA certificate (shared by the server and the clients)

[root@openvpnserver openvpn-2.2.2]# cd ../
[root@openvpnserver openvpn]# which openvpn
/usr/local/sbin/openvpn
[root@openvpnserver openvpn]# ll /usr/local/sbin/openvpn 
-rwxr-xr-x 1 root root 2545307 1月 29 11:21 /usr/local/sbin/openvpn
[root@openvpnserver openvpn]# cd openvpn-2.2.2/easy-rsa/2.0
[root@openvpnserver 2.0]# pwd
/home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0
[root@openvpnserver 2.0]# ls
build-ca build-key-server Makefile revoke-full
build-dh build-req openssl-0.9.6.cnf sign-req
build-inter build-req-pass openssl-0.9.8.cnf vars
build-key clean-all openssl-1.0.0.cnf whichopensslcnf
build-key-pass inherit-inter pkitool
build-key-pkcs12 list-crl README
[root@openvpnserver 2.0]# cp vars vars.bak  #<== back up before editing
[root@openvpnserver 2.0]# vi vars
[root@openvpnserver 2.0]# tail -12 vars   #<== edit to the following, adjusting the values to your environment
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GZ"
export KEY_CITY="GuangZhou"
export KEY_ORG="oldboy"
export KEY_EMAIL="2570583786@qq.com"
export KEY_EMAIL=2570583786@qq.com
export KEY_CN=CN
export KEY_NAME=oldboy
export KEY_OU=oldboy
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@openvpnserver 2.0]# source vars    #<== note: after opening a new window or leaving and re-entering this directory, re-run source vars before using the other scripts
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@openvpnserver 2.0]# ./clean-all    #<== clear out the files shipped with the package
[root@openvpnserver 2.0]# ./build-ca    #<== creates the CA certificate shared by server and clients (the defaults come from vars, so just press Enter at each prompt)

Generating a 1024 bit RSA private key
..++++++
....................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) [oldboy]:
Common Name (eg, your name or your server's hostname) [CN]:
Name [oldboy]:
Email Address [2570583786@qq.com]:
[root@openvpnserver 2.0]# ll keys/         #<== the files actually generated
总用量 12
-rw-r--r-- 1 root root 1310 1月 29 11:42 ca.crt        <== CA certificate
-rw------- 1 root root 916 1月 29 11:42 ca.key         <== CA private key
-rw-r--r-- 1 root root 0 1月 29 11:38 index.txt
-rw-r--r-- 1 root root 3 1月 29 11:38 serial

Generate the server certificate and key

[root@openvpnserver 2.0]# ./build-key-server server     #<== generates the server certificate and key; press Enter through the prompts and answer y to the last two questions
Generating a 1024 bit RSA private key
.++++++
..................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) [oldboy]:
Common Name (eg, your name or your server's hostname) [server]:
Name [oldboy]:
Email Address [2570583786@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:oldboy
Using configuration from /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GZ'
localityName :PRINTABLE:'GuangZhou'
organizationName :PRINTABLE:'oldboy'
organizationalUnitName:PRINTABLE:'oldboy'
commonName :PRINTABLE:'server'
name :PRINTABLE:'oldboy'
emailAddress :IA5STRING:'2570583786@qq.com'
Certificate is to be certified until Jan 26 03:45:49 2029 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@openvpnserver 2.0]# ll keys/
总用量 40
-rw-r--r-- 1 root root 4007 1月 29 11:46 01.pem
-rw-r--r-- 1 root root 1310 1月 29 11:42 ca.crt
-rw------- 1 root root 916 1月 29 11:42 ca.key
-rw-r--r-- 1 root root 124 1月 29 11:46 index.txt
-rw-r--r-- 1 root root 21 1月 29 11:46 index.txt.attr
-rw-r--r-- 1 root root 0 1月 29 11:38 index.txt.old
-rw-r--r-- 1 root root 3 1月 29 11:46 serial
-rw-r--r-- 1 root root 3 1月 29 11:38 serial.old
-rw-r--r-- 1 root root 4007 1月 29 11:46 server.crt      #<== server certificate
-rw-r--r-- 1 root root 773 1月 29 11:45 server.csr
-rw------- 1 root root 916 1月 29 11:45 server.key       #<== server private key

Generate the client certificates and keys

[root@openvpnserver 2.0]# ./build-key test    #<== generates a client certificate and key; again press Enter through the prompts and answer y to the last two questions
Generating a 1024 bit RSA private key
.............++++++
....++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GZ]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [oldboy]:
Organizational Unit Name (eg, section) [oldboy]:
Common Name (eg, your name or your server's hostname) [test]:
Name [oldboy]:
Email Address [2570583786@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GZ'
localityName :PRINTABLE:'GuangZhou'
organizationName :PRINTABLE:'oldboy'
organizationalUnitName:PRINTABLE:'oldboy'
commonName :PRINTABLE:'test'
name :PRINTABLE:'oldboy'
emailAddress :IA5STRING:'2570583786@qq.com'
Certificate is to be certified until Jan 26 03:50:58 2029 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@openvpnserver 2.0]# ll keys/
[root@openvpnserver 2.0]# ./build-key-pass ett     # generates a passphrase-protected client certificate and key (the client must enter the correct passphrase before it can connect to the server)
Generating a 1024 bit RSA private key
........++++++
.........................................++++++
writing new private key to 'ett.key'
Enter PEM pass phrase:                      # enter the passphrase twice, then press Enter through the prompts and answer y to the last two questions
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
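Before the keys directory is copied to /etc/openvpn it is worth checking what easy-rsa produced. The script below is an added example, not part of the original post or of easy-rsa: it verifies that a certificate chains to ca.crt, that the private key belongs to that certificate, and that the server certificate carries nsCertType=server, which the client's ns-cert-type server line depends on (build-key-server sets it; build-key and build-key-pass do not, so a client certificate cannot pass as the server). The keys directory layout and the server/test names are the tutorial's; make_demo_pki constructs throwaway certificates with the openssl command line so the checks can be tried without the easy-rsa tree, and its CN values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or easy-rsa): sanity checks on easy-rsa output.
# Requires the openssl command-line tool.

# cert_key_match CRT KEY -> 0 if the RSA modulus in the cert equals the one in the key
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null || true)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# has_server_nscerttype CRT -> 0 if the Netscape Cert Type extension lists "SSL Server"
has_server_nscerttype() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# verify_server_keys KEYDIR NAME -> prints each problem found; returns 0 only if all pass
verify_server_keys() {
    d=$1; n=$2; rc=0
    openssl verify -CAfile "$d/ca.crt" "$d/$n.crt" >/dev/null 2>&1 \
        || { echo "$n.crt does not chain to ca.crt"; rc=1; }
    cert_key_match "$d/$n.crt" "$d/$n.key" \
        || { echo "$n.key does not match $n.crt"; rc=1; }
    has_server_nscerttype "$d/$n.crt" \
        || { echo "$n.crt lacks nsCertType=server; clients using 'ns-cert-type server' will reject it"; rc=1; }
    return $rc
}

# make_demo_pki DIR -> constructed CA, a "server" cert with nsCertType=server and a
# "test" client cert without it (what build-key-server and build-key would produce).
make_demo_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    printf 'nsCertType=server\n' > "$d/server.ext"
    for n in server test; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
        if [ "$n" = server ]; then
            openssl x509 -req -days 30 -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
                -CAcreateserial -extfile "$d/server.ext" -out "$d/$n.crt" >/dev/null 2>&1
        else
            openssl x509 -req -days 30 -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
                -CAcreateserial -out "$d/$n.crt" >/dev/null 2>&1
        fi
    done
}

demo=$(mktemp -d)
make_demo_pki "$demo"
verify_server_keys "$demo" server && echo "server: all checks pass"
verify_server_keys "$demo" test || echo "test: usable as a client certificate only"
rm -rf "$demo"
```

Against a real easy-rsa tree, run verify_server_keys keys server from the easy-rsa/2.0 directory; the same three checks applied to a client name will report only the missing nsCertType, which is the expected result for a client certificate.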

Generate the Diffie-Hellman parameters used for key exchange (this step is required)

[root@openvpnserver 2.0]# ./build-dh 
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................................................................+.................+..........................................+.............+.......................................+.........+......+.....+................................................................................+.+.....................................................++*++*++*
[root@openvpnserver 2.0]# ll keys/dh1024.pem
-rw-r--r-- 1 root root  245 1月  29 11:57 dh1024.pem

Server hardening: generate an HMAC key for tls-auth with the following command. Note that the key only takes effect once it is referenced from the configuration on both sides (tls-auth with the key path and 0 on the server, tls-auth with the key path and 1 on the client); the server and client configurations further down do not include those lines.

[root@openvpnserver 2.0]# openvpn --genkey --secret keys/ta.key

Create the directory for the key files, copy the generated keys there, copy the sample server configuration there, and edit the server configuration

[root@openvpnserver 2.0]# mkdir /etc/openvpn   #<== fixed directory for the server configuration and keys
[root@openvpnserver 2.0]# pwd
/home/oldboy/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0
[root@openvpnserver 2.0]# cp -ap keys /etc/openvpn/   #<== copy all key files to the new directory
[root@openvpnserver 2.0]# cd ../../sample-config-files/
[root@openvpnserver sample-config-files]# pwd
/home/oldboy/tools/openvpn/openvpn-2.2.2/sample-config-files
[root@openvpnserver sample-config-files]# cp  server.conf  /etc/openvpn/  
[root@openvpnserver sample-config-files]# cd /etc/openvpn/
[root@openvpnserver openvpn]# vim server.conf 
[root@openvpnserver openvpn]# egrep -v "^$|^;|^#" server.conf   # the server configuration after editing
local 10.0.0.5                              # the server's public IP address
port 52115                                  # listening port
proto tcp                                   # default is udp; tcp is recommended in production
dev tun
ca /etc/openvpn/keys/ca.crt                 # absolute paths are recommended here
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem             # Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0               # address pool handed out to clients
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.255.0"       # internal route pushed to clients (the network of the server's internal interface)
client-to-client                            # allow connected clients to talk to each other
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log      # service status file
log /etc/openvpn/openvpn.log                # log file path
verb 3
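To catch the configuration slips this layout makes easy, here is an added example (not part of the original post) that lints a server.conf: it requires absolute paths for ca, cert, key and dh as recommended above, flags a ta.key that was generated but never referenced by a tls-auth line, and reports a missing user/group privilege drop (the sample server.conf ships those two directives commented out, which the egrep filter hides). The directive names are OpenVPN's; the constructed sample configuration and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN 2.x server.conf.

# conf_get CONF DIRECTIVE -> print the directive's value (first match, comments stripped)
conf_get() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# lint_server_conf CONF KEYDIR -> prints one line per finding; returns the number found
lint_server_conf() {
    conf=$1; keydir=$2; n=0
    for d in ca cert key dh; do
        v=$(conf_get "$conf" "$d")
        case "$v" in
            "")  echo "missing directive: $d"; n=$((n + 1)) ;;
            /*)  ;;                                   # absolute path, as recommended
            *)   echo "relative path for $d: $v (use an absolute path)"; n=$((n + 1)) ;;
        esac
    done
    # a ta.key made with "openvpn --genkey --secret" does nothing until referenced
    if [ -f "$keydir/ta.key" ] && [ -z "$(conf_get "$conf" tls-auth)" ]; then
        echo "$keydir/ta.key exists but there is no tls-auth line: the key is unused"
        n=$((n + 1))
    fi
    # without user/group the daemon keeps running as root after initialisation
    for d in user group; do
        if [ -z "$(conf_get "$conf" "$d")" ]; then
            echo "no '$d' directive: openvpn keeps running as root"
            n=$((n + 1))
        fi
    done
    return $n
}

# Constructed sample: the tutorial's layout with one relative path, no tls-auth, no user/group.
demo=$(mktemp -d)
mkdir -p "$demo/keys"
: > "$demo/keys/ta.key"              # placeholder standing in for the generated key
cat > "$demo/server.conf" <<'EOF'
local 10.0.0.5
port 52115
proto tcp                         # default is udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
lint_server_conf "$demo/server.conf" "$demo/keys"
echo "findings: $?"
rm -rf "$demo"
```

On the tutorial's server, lint_server_conf /etc/openvpn/server.conf /etc/openvpn/keys reports the unused ta.key and the missing user/group lines; the exit status is the number of findings, so it can gate a deployment script.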

Change to the sample-config-files directory, copy the client configuration to /etc/openvpn/keys, and edit it as follows

[root@openvpnserver sample-config-files]# pwd
/home/oldboy/tools/openvpn/openvpn-2.2.2/sample-config-files
[root@openvpnserver sample-config-files]# cp  client.conf  /etc/openvpn/keys/
[root@openvpnserver sample-config-files]# cd /etc/openvpn/keys/
[root@openvpnserver keys]# vim client.conf    #<== edit and save with the following content
client
dev tun
proto tcp
remote 10.0.0.5 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt    #<== this file is used by the clients; only these two lines need changing, replacing "client" with the name of the generated client certificate
key client.key     #
ns-cert-type server
comp-lzo
verb 3

Start the OpenVPN server (two methods)

Method 1: run it in the background

[root@openvpnserver keys]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &    #<== start in the background
[root@openvpnserver keys]# netstat -lntup|grep openvpn   # a listening openvpn process with a PID means the install worked
tcp        0      0 10.0.0.5:52115              0.0.0.0:*                   LISTEN      16301/openvpn       
[root@openvpnserver keys]# ifconfig    #<== the new virtual interface
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:3237 errors:0 dropped:0 overruns:0 frame:0
TX packets:2887 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
[root@openvpnserver keys]# echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >>/etc/rc.local  #<== start at boot

Method 2: manage it with an init script

Change directory and copy the script (note: for this to work, /etc/openvpn/ may contain only server.conf; if any other *.conf file is present the service will fail to start)

[root@openvpnserver openvpn-2.2.2]# cd sample-scripts/
[root@openvpnserver sample-scripts]# ls
auth-pam.pl bridge-start bridge-stop openvpn.init ucn.pl verify-cn
[root@openvpnserver sample-scripts]# cp openvpn.init /etc/init.d/openvpn
[root@openvpnserver openvpn]# chkconfig --add openvpn
[root@openvpnserver openvpn]# chkconfig --level 3 openvpn on
[root@openvpnserver openvpn]# ll /etc/init.d/openvpn 
-rwx------ 1 root root 5481 1月 29 15:16 /etc/init.d/openvpn
[root@openvpnserver openvpn]# pkill openvpn
[root@openvpnserver openvpn]# /etc/init.d/openvpn start
正在启动 openvpn: [确定]
[root@openvpnserver openvpn]# netstat -lntup|grep openvpn
tcp 0 0 10.0.0.5:52115 0.0.0.0:* LISTEN 16509/openvpn 
[root@openvpnserver openvpn]# lsof -i :52115
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 16509 root 5u IPv4 27792 0t0 TCP 10.0.0.5:52115 (LISTEN)
[root@openvpnserver openvpn]# /etc/init.d/openvpn restart
正在关闭openvpn: [确定]
正在启动 openvpn: [确定]
[root@openvpnserver openvpn]# lsof -i :52115
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 16552 root 5u IPv4 27984 0t0 TCP 10.0.0.5:52115 (LISTEN)

That completes the server configuration.

Windows client configuration

Download and install the OpenVPN client with the default installation path, then download from the Linux server the shared CA certificate, the client certificate (crt) and key (key), and the client conf file

In the config folder of the client's OpenVPN installation directory, create a folder named after the dial-in client

[root@openvpnserver keys]# ll       # download these files into the config folder of the Windows OpenVPN installation
-rw-r--r-- 1 root root 3426 1月  29 12:20 client.conf
-rw-r--r-- 1 root root 1310 1月  29 11:42 ca.crt
-rw-r--r-- 1 root root 3879 1月 29 11:51 test.crt
-rw-r--r-- 1 root root 741 1月 29 11:50 test.csr
-rw------- 1 root root 916 1月 29 11:50 test.key


Change the contents of client.conf to the following and rename it to test.ovpn

client
dev tun
proto tcp
remote 10.0.0.5 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3
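The note on the server-side client.conf that only the cert and key lines change per client, and the Windows step of renaming client.conf to test.ovpn, are easy to script. The following is an added example, not part of the original post: it builds a per-client directory containing the .ovpn and the three files the Windows client needs, after checking that the client's files exist and that its private key is not readable by other users. Server address, port and the file names are the tutorial's; the output directory and the placeholder files in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate a per-client bundle from the
# tutorial's client.conf template. Server address and port are the tutorial's.
SERVER_ADDR=10.0.0.5
SERVER_PORT=52115

# client_config NAME -> print the .ovpn for client NAME (only cert/key differ per client)
client_config() {
    cat <<EOF
client
dev tun
proto tcp
remote $SERVER_ADDR $SERVER_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $1.crt
key $1.key
ns-cert-type server
comp-lzo
verb 3
EOF
}

# check_client_files KEYDIR NAME -> 0 if ca.crt, NAME.crt and NAME.key exist and the key
# is readable by its owner only; otherwise prints what is wrong and returns 1
check_client_files() {
    keydir=$1; name=$2; bad=0
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keydir/$f" ] || { echo "missing $keydir/$f"; bad=1; }
    done
    if [ -f "$keydir/$name.key" ]; then
        mode=$(stat -c %a "$keydir/$name.key")
        case "$mode" in
            600|400) ;;
            *) echo "$keydir/$name.key has mode $mode, expected 600"; bad=1 ;;
        esac
    fi
    return $bad
}

# build_client_bundle KEYDIR NAME OUTDIR -> OUTDIR/NAME/{NAME.ovpn,ca.crt,NAME.crt,NAME.key}
build_client_bundle() {
    keydir=$1; name=$2; out=$3/$2
    check_client_files "$keydir" "$name" || return 1
    mkdir -p "$out"
    client_config "$name" > "$out/$name.ovpn"
    cp -p "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key" "$out/"
    echo "$out"
}

# Constructed demo: placeholder files standing in for the easy-rsa output for client "test".
demo=$(mktemp -d)
mkdir -p "$demo/keys"
for f in ca.crt test.crt test.key; do : > "$demo/keys/$f"; done
chmod 600 "$demo/keys/test.key"
build_client_bundle "$demo/keys" test "$demo/out" && cat "$demo/out/test/test.ovpn"
rm -rf "$demo"
```

On the tutorial's server, build_client_bundle /etc/openvpn/keys test /root/bundles produces the folder that is copied into the Windows client's config directory; the mode check mirrors the -rw------- that easy-rsa already sets on .key files, so a key that was loosened while being copied around gets caught before it is handed out.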

Open the OpenVPN GUI and connect as the test client to verify that the connection succeeds


Other notes:

For clients to reach the internal network, routes still need to be added. Options:

  1. On a Linux client, add the gateway manually, or add a default route
  2. On the OpenVPN server, add a NAT mapping, etc.
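Item 2 in the list above, as an added example that is not part of the original post: a small script that generates the server-side commands needed for clients in the VPN pool to reach the internal network through NAT, together with the route a Linux client would add by hand for item 1. The networks 10.8.0.0/24 and 172.16.0.0/24 are the tutorial's; eth1 as the server's internal interface, and the apply argument that actually runs the commands, are assumptions. Run it without arguments to review the commands before applying them.

```shell
#!/bin/sh
# Added example (not from the original post): NAT and route commands for the "Other notes".

# nat_rules VPN_NET LAN_IF -> print the commands that let VPN clients reach the LAN behind LAN_IF
nat_rules() {
    vpn_net=$1; lan_if=$2
    case "$vpn_net" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "nat_rules: VPN_NET must be in CIDR form, e.g. 10.8.0.0/24" >&2; return 1 ;;
    esac
    [ -n "$lan_if" ] || { echo "nat_rules: LAN_IF is required" >&2; return 1; }
    echo "sysctl -w net.ipv4.ip_forward=1"
    # masquerade VPN traffic leaving on the LAN interface so LAN hosts need no return route
    echo "iptables -t nat -A POSTROUTING -s $vpn_net -o $lan_if -j MASQUERADE"
    # forward only VPN-originated flows and their replies, not arbitrary traffic
    echo "iptables -A FORWARD -i tun0 -o $lan_if -s $vpn_net -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o tun0 -d $vpn_net -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# client_route LAN_NET -> the command a Linux client runs if the pushed route was not installed
client_route() {
    echo "ip route add $1 dev tun0"
}

if [ "${1:-}" = apply ]; then
    nat_rules 10.8.0.0/24 eth1 | sh -e      # as root on the OpenVPN server
else
    echo "# server (run this script with 'apply' to execute):"
    nat_rules 10.8.0.0/24 eth1
    echo "# Linux client:"
    client_route 172.16.0.0/24
fi
```

The FORWARD rules matter once the firewall is running again: stopping iptables, as the tutorial does, forwards everything, whereas these two rules limit forwarding to traffic that originates inside the VPN pool.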

 
