How to set up OpenVPN on a system running astercc

VPN server: CentOS 6.6 (Final) with the astercc system installed; the VPS's IP address is 8.38.33.10

VPN client: Windows 7 with OpenVPN-GUI; IP address 192.168.1.226

Step 1: Install OpenVPN and all required software on the VPS

Install the EPEL repository

 wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm 
 rpm -Uvh epel-release-6-8.noarch.rpm 

Install OpenVPN

This also pulls in lzo and pkcs11-helper as dependencies

 yum install openvpn 

Install Easy-RSA

This package is used to create the CA certificate, the server certificate and the client certificates. The version used here is easy-rsa 3.

 wget https://github.com/OpenVPN/easy-rsa/archive/master.zip 
 unzip master.zip 

After unpacking, rename the resulting easy-rsa-master folder to easy-rsa:

 mv easy-rsa-master/ easy-rsa/ 

Then copy the easy-rsa folder into the /etc/openvpn/ directory:

 cp -R easy-rsa/ /etc/openvpn/ 

Install unzip and zip

If, during the Easy-RSA step, “unzip master.zip” reports -bash: unzip: command not found, install it as follows:

On a Debian system, run:

 apt-get install -y zip unzip 

On a CentOS system, run:

 yum -y install zip unzip 

Step 2: Edit the vars file to match your environment

First change into the /etc/openvpn/easy-rsa/easyrsa3 directory:

 cd /etc/openvpn/easy-rsa/easyrsa3/ 

Then, in that directory, copy vars.example to vars:

 cp vars.example vars 

Finally, edit the fields below to match your VPS: run vi vars, make the changes, then :wq to save and quit. Note: in the configuration files, lines beginning with “;” or “#” are comments, but “;” is used to comment out optional settings.

 set_var EASYRSA_REQ_COUNTRY "CN"
 set_var EASYRSA_REQ_PROVINCE "Liaoning"
 set_var EASYRSA_REQ_CITY "Dalian"
 set_var EASYRSA_REQ_ORG "Astercc Org"
 set_var EASYRSA_REQ_EMAIL "liuxl@astercc.com"
 set_var EASYRSA_REQ_OU "Support Unit" 

Step 3: Create the server certificate and key

First, change into /etc/openvpn/easy-rsa/easyrsa3/ and initialise the PKI:

 cd /etc/openvpn/easy-rsa/easyrsa3/ 
 ./easyrsa init-pki 

Then create the root CA certificate: enter and confirm the pass phrase, then enter the common name:

 ./easyrsa build-ca 

Output:

 [root@astercc1 easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................+++
...........................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt 

Note: this step asks for a PEM pass phrase twice. You must remember this pass phrase, because without it you cannot sign certificates later. It also asks for a common name; choose any unique name you like (I entered: server).

Next create the server certificate request and enter the common name:

 ./easyrsa gen-req server nopass 

Output:

 [root@astercc1 easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.........+++
.....+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key 

The process asks for the common name; pressing Enter accepts the default: server.

Sign the server certificate:

 ./easyrsa sign server server 

Output:

 [root@astercc1 easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName        = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName           :PRINTABLE:'server'
Certificate is to be certified until May 30 05:45:15 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt 

This command asks you to confirm with yes and to provide the pass phrase chosen when the CA was created. If you have forgotten it, start step 3 again from ./easyrsa init-pki.

Finally, generate the Diffie-Hellman parameters, which protect the key exchange across the untrusted network. This command can run for a long time; wait patiently and do not interrupt it:

 ./easyrsa gen-dh 

Output:

 [root@astercc1 easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............+...............................................
...........................................................................
.....................................................................................
..............................................................+............................
......................................+...............+.....................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem 

Step 4: Create the client certificate

First, create a client folder under the root directory (the folder name is arbitrary), copy the easy-rsa folder installed earlier into it, and change into /root/client/easy-rsa/easyrsa3/:

 cd /root/
 mkdir client
 cp -R /etc/openvpn/easy-rsa/ client/
 cd client/easy-rsa/easyrsa3/ 

Then initialise the PKI:

 ./easyrsa init-pki 

Output:

[root@astercc1 easyrsa3]# ./easyrsa  init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki 

Next create the client key and certificate request (remember the pass phrase you enter here):

 ./easyrsa gen-req client1    # the name is your own choice 

Output:

 [root@astercc1 easyrsa3]# ./easyrsa  gen-req  client1
Generating a 2048 bit RSA private key
...............+++
............................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/client1.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:

Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/client1.req
key: /root/client/easy-rsa/easyrsa3/pki/private/client1.key 

Then import the resulting client1.req on the server side and sign the certificate:

a. Change into /etc/openvpn/easy-rsa/easyrsa3/

 cd /etc/openvpn/easy-rsa/easyrsa3/ 

b. Import the request

 ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/client1.req client1 

Output:

[root@astercc1 easyrsa3]# cd  /etc/openvpn/easy-rsa/easyrsa3/
[root@astercc1 easyrsa3]#
[root@astercc1 easyrsa3]#
[root@astercc1 easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/client1.req client1

Note: using Easy-RSA configuration from: ./vars

The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request. 

c. Sign the certificate

 ./easyrsa sign client client1 

Output:

 [root@astercc1 easyrsa3]# ./easyrsa sign client client1

Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName              =  client1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client1'
Certificate is to be certified until May 30 06:14:04 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt 

Because this is a client certificate, the name must be client1, matching the name used at import. Signing works the same way as for the server, and again the CA pass phrase is required.

Finally, review what has been generated so far:

Server side (the /etc/openvpn/easy-rsa/easyrsa3/ folder):

/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/etc/openvpn/easy-rsa/easyrsa3/pki/reqs/client1.req
/etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem

Client side (the /root/client/easy-rsa/easyrsa3/ folder):

/root/client/easy-rsa/easyrsa3/pki/private/client1.key
/root/client/easy-rsa/easyrsa3/pki/reqs/client1.req          # this file was imported into the server-side PKI, so a copy exists there too

a. This step copies the files into place. Put the following files under /etc/openvpn/ with these commands:

 cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /etc/openvpn
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key /etc/openvpn
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvpn
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem /etc/openvpn 

The four files above are now in the /etc/openvpn directory.

b. Put the following files under /root/client/ with these commands:

 cp /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client
 cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt /root/client
 cp /root/client/easy-rsa/easyrsa3/pki/private/client1.key /root/client 

The three files above are now in the /root/client directory: ca.crt, client1.crt and client1.key.
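The copy commands in a and b are easy to get wrong by hand (the client certificate comes from the server-side PKI, the client key from the client-side one). The script below does the same staging as an added example; it is not part of the original article. It takes the PKI directories, the client name and the two destination directories as arguments (an assumption, so it can be tested against any directory tree), refuses to copy anything if a source file is missing or empty, and leaves private keys readable only by their owner.

```shell
#!/bin/sh
# Copy the easy-rsa output into the two locations the article uses: the server
# files into /etc/openvpn and the client bundle into /root/client. Nothing is
# copied unless every source file exists, and private keys end up mode 600.
# Added example, not part of the original article; the directory and client-name
# arguments are assumptions so the function can be run against any PKI tree.
#
# Usage: stage_openvpn_files SERVER_PKI CLIENT_PKI CLIENT_NAME SERVER_DIR CLIENT_DIR
#   e.g. stage_openvpn_files /etc/openvpn/easy-rsa/easyrsa3/pki \
#            /root/client/easy-rsa/easyrsa3/pki client1 /etc/openvpn /root/client

stage_openvpn_files() {
    server_pki=$1; client_pki=$2; name=$3; server_dir=$4; client_dir=$5

    # "source destination" pairs, one per line. The client certificate is signed
    # on the server side, so it comes from the server PKI; the client key never
    # left the client PKI.
    pairs="$server_pki/ca.crt $server_dir/ca.crt
$server_pki/issued/server.crt $server_dir/server.crt
$server_pki/private/server.key $server_dir/server.key
$server_pki/dh.pem $server_dir/dh.pem
$server_pki/ca.crt $client_dir/ca.crt
$server_pki/issued/$name.crt $client_dir/$name.crt
$client_pki/private/$name.key $client_dir/$name.key"

    # First pass: refuse to do anything if a source is missing or empty
    while read -r src dst; do
        [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    done <<EOF
$pairs
EOF

    # Second pass: copy, creating destination directories, and set permissions
    while read -r src dst; do
        mkdir -p "$(dirname "$dst")" && cp "$src" "$dst" || return 1
        case "$dst" in
            *.key) chmod 600 "$dst" ;;   # private keys: owner read/write only
            *)     chmod 644 "$dst" ;;   # certificates and DH parameters are public
        esac
    done <<EOF
$pairs
EOF
}
```

The two-pass layout is deliberate: a half-finished copy with a missing client certificate is harder to diagnose than a clear refusal before anything is written.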

Step 5: Write the server configuration file

When OpenVPN is installed it ships a sample server configuration, server.conf, under /usr/share/doc/openvpn-2.3.6/sample/sample-config-files. Copy this file to /etc/openvpn:

 cp /usr/share/doc/openvpn-2.3.6/sample/sample-config-files/server.conf /etc/openvpn 

Then edit the configuration with vi server.conf

as follows:

 ;local a.b.c.d                    # optional: bind to one local address only
 port 1194                         # port number; can be changed, but the firewall must then allow it (see below)
 proto udp                         # must match the client
 dev tun                           # must match the client
 ca /etc/openvpn/ca.crt
 cert /etc/openvpn/server.crt
 key /etc/openvpn/server.key       # This file should be kept secret
 dh /etc/openvpn/dh.pem            # all four of the above use absolute paths
 server 10.8.0.0 255.255.255.0     # virtual internal subnet used by the VPN
 ifconfig-pool-persist ipp.txt
 push "redirect-gateway def1 bypass-dhcp"    # redirect the client's default gateway through the VPN
 push "dhcp-option DNS 8.8.8.8"
 keepalive 10 120
 comp-lzo                          # compress the traffic; both ends must be configured the same way
 max-clients 100                   # maximum number of clients, optional
 persist-key
 persist-tun
 status /etc/openvpn/openvpn-status.log
 log /etc/openvpn/openvpn.log
 log-append  /etc/openvpn/openvpn.log
 verb 4 

Every directive comes with a long explanation in the sample file. All the directives above already exist in the server.conf shipped with OpenVPN; you only need to remove the leading # (or ;) and change the values to suit your setup. The port can be chosen freely, but if you change it you must also allow it in the CentOS firewall: either add a line such as -A INPUT -p udp --dport 1194 -j ACCEPT to /etc/sysconfig/iptables, or run iptables -A INPUT -p udp --dport 1194 -j ACCEPT, which opens the port without adding it to the file.

Enable IP forwarding and NAT:

 vim /etc/sysctl.conf 

Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then apply the setting and add the NAT rule:

 sysctl -p 
 iptables -t nat -A  POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to 8.38.33.10 

Step 6: Download and configure the OpenVPN client

First, download the client certificate and key files generated on the VPS (ca.crt, client1.crt and client1.key) to the client computer.

Next, download and install the openvpn-2.3.6 client from the official site https://openvpn.net/. In the installation directory, find the file client.ovpn under D:\Program Files\OpenVPN\sample-config and copy it to D:\Program Files\OpenVPN\config.

Then configure the client by editing client.ovpn

as follows:

 client
 dev tun                        # must match the server
 proto udp                      # must match the server
 remote 8.38.33.10  1194        # the VPS's public IP address and port
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 ca ca.crt                      # the CA certificate generated earlier; alternatively comment this line out and embed the file's contents between <ca> and </ca>
 cert client1.crt
 key client1.key
 comp-lzo
 verb 3 

Step 7: Testing and troubleshooting

a. Start the OpenVPN service on the VPS with the following command:

 service openvpn start 

If this reports service start failed!! but running openvpn /etc/openvpn/server.conf directly works, try deleting ipp.txt and openvpn-status.log under /etc/openvpn/ and then restart OpenVPN.

b. Start the client. Run OpenVPN-GUI as administrator; after it starts you will be asked for the pass phrase chosen when client1.key was created, and the connection window then appears. If the connection fails, first stop iptables on the VPS with the following command and try connecting again; if that makes it work, the fix is the port rule from step 5 rather than leaving the firewall off:

 service iptables stop 
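Before touching the firewall it is worth confirming that the two configuration files actually agree on the settings the article marks as “must match”. The script below does that check as an added example; it is not part of the original article. It takes the server.conf and client.ovpn paths as arguments (an assumption), compares proto, dev and comp-lzo, checks that the client's remote port equals the server's port (both default to 1194 when omitted), and checks that the server's ca/cert/key/dh paths are absolute as the article requires; it returns 1 if anything is off.

```shell
#!/bin/sh
# Compare a server.conf with a client.ovpn on the settings that must agree on
# both ends (proto, dev, comp-lzo), check that the client's "remote" port equals
# the server's "port", and check that the server's ca/cert/key/dh paths are
# absolute. Every problem is printed; the function returns 1 if any was found.
# Added example, not part of the original article; both file paths are arguments.
#
# Usage: check_vpn_configs /etc/openvpn/server.conf /root/client/client.ovpn

# Print the first value of a directive, skipping comment lines (# or ;) and
# stripping trailing inline comments.
conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        { sub(/[[:space:]]*[#;].*$/, "") }
        $1 == key { print $2; exit }
    ' "$1"
}

# Succeed (exit 0) if a directive is present and not commented out.
conf_has() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == key { found = 1; exit }
        END { exit !found }
    ' "$1"
}

check_vpn_configs() {
    server=$1; client=$2; rc=0

    for key in proto dev; do
        s=$(conf_value "$server" "$key"); c=$(conf_value "$client" "$key")
        [ "$s" = "$c" ] || { echo "mismatch: $key is '$s' on the server, '$c' on the client"; rc=1; }
    done

    # comp-lzo takes no value here: it must be on both sides or on neither
    if conf_has "$server" comp-lzo; then s=yes; else s=no; fi
    if conf_has "$client" comp-lzo; then c=yes; else c=no; fi
    [ "$s" = "$c" ] || { echo "mismatch: comp-lzo server=$s client=$c"; rc=1; }

    # "remote HOST [PORT]": both sides default to 1194 when the port is omitted
    sport=$(conf_value "$server" port)
    cport=$(awk '/^[[:space:]]*[#;]/ { next }
                 { sub(/[[:space:]]*[#;].*$/, "") }
                 $1 == "remote" { print $3; exit }' "$client")
    [ "${sport:-1194}" = "${cport:-1194}" ] || { echo "mismatch: server port ${sport:-1194}, client remote port ${cport:-1194}"; rc=1; }

    # the article keeps these four as absolute paths on the server
    for key in ca cert key dh; do
        p=$(conf_value "$server" "$key")
        case "$p" in
            /*) ;;
            *)  echo "warning: server '$key' is '$p', not an absolute path"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it on the VPS with the client.ovpn that will be shipped to Windows; a clean exit status means a connection failure is somewhere other than these directives, which is the point at which stopping iptables as a test makes sense.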

zh/实际案例指导/如何搭建基于astercc系统的openvpn.txt · Last modified: 2017/12/12 03:05 (external edit)