Installing OpenVPN on CentOS 7 with easyrsa3
2018-11-19 03:54:06
Install the required packages:
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install -y pkcs11-helper pkcs11-helper-devel
Confirm they are installed:
rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel
Install openvpn and easy-rsa
yum install epel-release
yum install openvpn easy-rsa -y
Configuration file:
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Create the directory:
mkdir -p /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa
Add the vars file
vi /etc/openvpn/easy-rsa/vars
# easy-rsa 3 reads this file itself and expects the set_var syntax;
# the easy-rsa 2 style "export KEY_*" lines are silently ignored by easyrsa3.
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "SH"
set_var EASYRSA_REQ_CITY     "Shanghai"
set_var EASYRSA_REQ_ORG      "XXX"
set_var EASYRSA_REQ_EMAIL    "admin@xxx.com"
set_var EASYRSA_REQ_OU       "Tech Dept"
# X509 Subject Field: easy-rsa 3 has no KEY_NAME equivalent; the certificate
# name ("server", "user1") is given on the gen-req command line instead.
easy-rsa 3 ships its own openssl-easyrsa.cnf and finds ./vars automatically when easyrsa is run from this directory, so the easy-rsa 2 steps of symlinking openssl-1.0.0.cnf (which does not exist in the 3.x tree) and sourcing vars are not needed.
Change into the directory:
cd /etc/openvpn/easy-rsa
Initialise the PKI
./easyrsa init-pki
Create the root CA certificate:
./easyrsa build-ca
Enter a passphrase for the CA key (choose your own).
Create the server certificate request
./easyrsa gen-req server nopass
Sign the server certificate request (the easyrsa3 command is sign-req; there is no plain "sign" command)
./easyrsa sign-req server server
Generate the Diffie-Hellman parameters, which protect the key exchange across an untrusted network
./easyrsa gen-dh
Create the user/client certificate request
./easyrsa gen-req user1 nopass
Sign the client certificate request
./easyrsa sign-req client user1
Enter the CA key passphrase
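Before wiring the files into server.conf it is worth checking what the PKI actually produced. The script below is an added example and not part of the original post: verify_issued_cert checks that a certificate chains to ca.crt, carries the extended key usage that easy-rsa's "server" or "client" x509 type should have given it, and matches the private key it will be deployed with. demo_pki builds a constructed throwaway CA with plain openssl (not the easy-rsa CA from the post) so the checks can be tried offline; the /etc/openvpn/easy-rsa/pki paths in the comments are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a certificate
# issued by the easy-rsa PKI before OpenVPN is pointed at it.
#   verify_issued_cert CA_CRT CERT KEY TYPE      TYPE is "server" or "client"
# Prints OK and returns 0 on success; otherwise prints the failing check and
# returns non-zero. With the paths from the post:
#   verify_issued_cert /etc/openvpn/easy-rsa/pki/ca.crt \
#       /etc/openvpn/easy-rsa/pki/issued/server.crt \
#       /etc/openvpn/easy-rsa/pki/private/server.key server
verify_issued_cert() {
    ca="$1"; crt="$2"; key="$3"; type="$4"

    # 1. Chain: the certificate must validate against the CA in ca.crt.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "chain: $crt is not signed by $ca"; return 1; }

    # 2. Role: easy-rsa's x509-types give "server" certs serverAuth and
    #    "client" certs clientAuth; a certificate signed as the wrong type is
    #    rejected by the peer, so catch it here.
    case "$type" in
        server) want="TLS Web Server Authentication" ;;
        client) want="TLS Web Client Authentication" ;;
        *)      echo "type: expected server or client, got '$type'"; return 2 ;;
    esac
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep -q "$want" \
        || { echo "eku: $crt lacks '$want'"; return 1; }

    # 3. Pairing: the public key in the cert must equal the one derived from
    #    the private key (catches a symlink pointing at the wrong .key).
    [ "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "key: $key does not belong to $crt"; return 1; }

    echo OK
}

# Throwaway PKI in directory $1 so the check can be tried offline. This is a
# constructed stand-in built with plain openssl, not the easy-rsa CA from the post.
demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    for n in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
        case "$n" in server) eku=serverAuth ;; client) eku=clientAuth ;; esac
        printf 'extendedKeyUsage=%s\n' "$eku" > "$d/$n.ext"
        openssl x509 -req -days 1 -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -extfile "$d/$n.ext" -out "$d/$n.crt" >/dev/null 2>&1
    done
}

# `sh check-cert.sh demo` runs the checks against the throwaway PKI, including
# one deliberate failure (a client certificate presented as a server one).
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    demo_pki "$d"
    verify_issued_cert "$d/ca.crt" "$d/server.crt" "$d/server.key" server
    verify_issued_cert "$d/ca.crt" "$d/client.crt" "$d/client.key" client
    verify_issued_cert "$d/ca.crt" "$d/client.crt" "$d/client.key" server
    rm -rf "$d"
fi
```

The EKU check is the one that matters most with easyrsa3: sign-req server and sign-req client produce different certificates, and a user certificate accidentally signed with the server type will be accepted by the CA chain check but not by OpenVPN's peer on the other side.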
Edit the OpenVPN server configuration file
vi /etc/openvpn/server.conf
with the following content:
# the IP address the VPN server exposes to the outside
local <ip>
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# VPN subnet handed out to clients
server 10.8.0.0 255.255.255.0
# route to the LAN behind the VPN server, pushed to clients; this is essential
push "route 192.168.3.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
comp-lzo
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
Symbolic links (server.conf refers to these files relative to /etc/openvpn, and it needs ca.crt as well):
cd /etc/openvpn
ln -s easy-rsa/pki/ca.crt ca.crt
ln -s easy-rsa/pki/private/server.key server.key
ln -s easy-rsa/pki/issued/server.crt server.crt
ln -s easy-rsa/pki/dh.pem dh2048.pem
Start the service
systemctl start openvpn@server.service
systemctl -f enable openvpn@server.service
Client configuration file
client
dev tun
proto tcp
remote <vpn server ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert user1.crt
# gen-req user1 nopass writes pki/private/user1.key; there is no user1-nopass.key
key user1.key
# must match the cipher line in server.conf
cipher AES-256-CBC
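Handing a user four separate files (the config plus ca.crt, user1.crt and user1.key) is error-prone; OpenVPN also accepts the certificate material inline in the config as <ca>, <cert> and <key> blocks. The script below is an added example, not part of the original post: make_profile writes the client configuration above as one self-contained .ovpn, pulling the PEM blocks from the easy-rsa pki directory used in the post (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key). pem_block is a helper that keeps only the PEM part of each file, because easy-rsa's issued/*.crt files start with a readable text dump.

```shell
#!/bin/sh
# Added example, not part of the original post: bundle the client configuration
# plus the user's ca.crt, certificate and key into a single .ovpn profile using
# OpenVPN's inline <ca>/<cert>/<key> blocks.
#   make_profile NAME SERVER_IP [PKI_DIR] > NAME.ovpn
# NAME is the name given to gen-req (user1); PKI_DIR defaults to the easy-rsa
# pki directory used in the post.

# Keep only the PEM block of a file. easy-rsa's issued/*.crt files begin with a
# human-readable certificate dump that must not end up inside an inline block.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_profile() {
    name="$1"; server="$2"; pki="${3:-/etc/openvpn/easy-rsa/pki}"
    ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"
    # Fail early instead of emitting a profile with an empty <key> block.
    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "make_profile: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto tcp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
# must match the cipher line in server.conf
cipher AES-256-CBC
verb 3
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$crt")
</cert>
<key>
$(pem_block "$key")
</key>
EOF
}

# Usage on the server from the post (the IP is whatever clients reach):
#   make_profile user1 <vpn server ip> > user1.ovpn
```

Because the profile embeds the private key, it is handled like a key rather than like a config file: deliver it over a protected channel and remove the generated copy once the user has it.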
Enable IP forwarding
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
Start the firewall
systemctl start firewalld
Configure the firewall rules and enable IP masquerading
firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --add-masquerade
# enp2s0 is the interface facing the LAN behind the VPN server; adjust to your setup.
# The passthrough arguments are handed to iptables verbatim, so the chain needs the -A action.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
firewall-cmd --reload
Enable and start the OpenVPN service
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
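With the server running, the file named by the "status /var/log/openvpn-status.log" line in server.conf is the quickest place to see who is connected and from where. The script below is an added example, not part of the original post: ovpn_clients parses OpenVPN's default (version 1) status layout, a CLIENT LIST section followed by a ROUTING TABLE section, each with a comma-separated header, and joins them so every common name is shown with its real address, its tunnel IP and the time it connected. sample_status writes a constructed status file in that layout (not a real capture) so the parser can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original post: list active sessions from the
# OpenVPN status file configured with `status /var/log/openvpn-status.log`.
# Assumes the default status-version 1 layout:
#   OpenVPN CLIENT LIST / Updated,... / Common Name,Real Address,... rows
#   ROUTING TABLE / Virtual Address,Common Name,Real Address,Last Ref rows
#   GLOBAL STATS ... END

# ovpn_clients [STATUS_FILE]
# Prints one line per client: "common_name real_address tunnel_ip connected_since"
ovpn_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
        /^ROUTING TABLE/       { sect = "routes";  next }
        /^GLOBAL STATS/        { sect = "";        next }
        # client rows have 5 fields; this skips the "Updated,..." and header lines
        sect == "clients" && NF >= 5 && $1 != "Common Name" {
            cn[$1] = $1; real[$1] = $2; since[$1] = $5
        }
        # routing rows map the tunnel address back to the common name
        sect == "routes" && NF >= 4 && $1 != "Virtual Address" { vip[$2] = $1 }
        END {
            for (c in cn)
                printf "%s %s %s %s\n", c, real[c], (c in vip) ? vip[c] : "-", since[c]
        }
    ' "${1:-/var/log/openvpn-status.log}" | sort
}

# ovpn_client_count [STATUS_FILE]: number of connected clients, for a quick
# cron check or a metric.
ovpn_client_count() {
    ovpn_clients "$1" | wc -l | tr -d ' '
}

# Constructed sample in the status-version 1 layout; not a real capture.
sample_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Nov 19 03:54:06 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
user1,203.0.113.10:51234,12345,67890,Mon Nov 19 03:50:00 2018
user2,198.51.100.7:40021,2048,4096,Mon Nov 19 03:52:30 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,user1,203.0.113.10:51234,Mon Nov 19 03:54:00 2018
10.8.0.10,user2,198.51.100.7:40021,Mon Nov 19 03:54:05 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# `sh ovpn-status.sh demo` runs the parser over the constructed sample.
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    sample_status > "$f"
    ovpn_clients "$f"
    echo "connected: $(ovpn_client_count "$f")"
    rm -f "$f"
fi
```

Run it against the live file with ovpn_clients /var/log/openvpn-status.log. Because each common name is a certificate issued by the CA above, a name in this list that was never handed to a user, or that keeps appearing from an unexpected real address, is the signal that a client key should be revoked.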
Create a new user:
./easyrsa gen-req user2 nopass
./easyrsa sign-req client user2
You will be asked for the CA key passphrase.