一,安装服务
1,安装open
[root@ c7-41 ~] yum -y install epel-re*
[root@ c7-41 ~] yum -y install open
[root@ c7-41 ~] rpm -qa |grep open
open-2.4.8-1.el7.x86_64
2,安装 easy-rsa(生成 CA/服务端/客户端证书所用的 PKI 工具)
[root@ c7-41 ~] wget https://github.com/OpenVPN/easy-rsa/archive/master.zip #下载(注意:master 分支未固定版本,内容随时会变;生产环境建议下载 GitHub Release 的发布包并核对校验和/签名后再使用)
[root@ c7-41 ~] unzip master.zip #解压
[root@ c7-41 ~] mv easy-rsa-master/ easy-rsa
[root@ c7-41 ~] cp -R easy-rsa/ /etc/open/
[root@ c7-41 ~] ls /etc/open/
client easy-rsa server
3,配置vars文件
[root@ c7-41 ~] cd /etc/open/easy-rsa/easyrsa3/
[root@ c7-41 easyrsa3] cp vars.example vars
[root@ c7-41 easyrsa3] cat >>vars<<EOF
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "BJ"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "Benet"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "dynamic"
EOF
二,创建server证书
4,初始化目录
[root@ c7-41 easyrsa3] ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/open/easy-rsa/easyrsa3/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open/easy-rsa/easyrsa3/pki
5,创建CA证书
[root@ c7-41 easyrsa3] ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/open/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: #123456(仅为示例口令,实际部署务必使用强口令;ca.key 是整个 VPN 的信任根,泄露后可随意签发可登录的客户端证书,建议离线保存而不是长期放在 VPN 服务器上)
Re-Enter New CA Key Passphrase: #123456
Generating RSA private key, 2048 bit long modulus
................................................+++
.+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:dynamic #拥有者
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open/easy-rsa/easyrsa3/pki/ca.crt
6,创建服务端证书
[root@ c7-41 easyrsa3] ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/open/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.....+++
.........................................................................................................+++
writing new private key to '/etc/open/easy-rsa/easyrsa3/pki/easy-rsa-1997.WQm9ot/tmp.KN2Hts'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: #dynamic-server
Keypair and certificate request completed. Your files are:
req: /etc/open/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/open/easy-rsa/easyrsa3/pki/private/server.key
7,签约服务端证书
[root@ c7-41 easyrsa3] ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/open/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = dynamic-server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: #yes
Using configuration from /etc/open/easy-rsa/easyrsa3/pki/easy-rsa-2023.n85PSv/tmp.XjwFLm
Enter pass phrase for /etc/open/easy-rsa/easyrsa3/pki/private/ca.key: #123456 ca密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'dynamic-server'
Certificate is to be certified until Aug 8 06:42:27 2022 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open/easy-rsa/easyrsa3/pki/issued/server.crt
8,生成 DH 参数(dh.pem,用于 TLS 握手时的密钥交换)
[root@ c7-41 easyrsa3] ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/open/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time #时间会有点长
...............................................................+....................................................................................................................................................................................................................................................................+...........................................+....................+..............................................................................................................++*++*
DH parameters of size 2048 created at /etc/open/easy-rsa/easyrsa3/pki/dh.pem
三,创建client证书
9,初始化目录
[root@ c7-41 easyrsa3] cd /etc/open/client/
[root@ c7-41 client] cp -R /root/easy-rsa/ client
[root@ c7-41 client] cd client/easyrsa3/
[root@ c7-41 easyrsa3] ls
easyrsa openssl-easyrsa.cnf vars.example x509-types
[root@ c7-41 easyrsa3] ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/open/client/client/easyrsa3/pki
10,创建客户端CA证书(注:这一步生成的 CA 实际上没有被用到——第 12/13 步是把 client1 的请求导入服务端 CA 并由服务端 CA 签发,第 14 步拷给客户端的 ca.crt 也是服务端 CA 的证书。本步可以跳过,只需在客户端目录执行第 11 步的 gen-req 即可)
[root@ c7-41 easyrsa3] ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: #123456
Re-Enter New CA Key Passphrase: #123456
Generating RSA private key, 2048 bit long modulus
...............................................+++
......+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #dynamic
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/open/client/client/easyrsa3/pki/ca.crt
11,创建客户端证书
[root@ c7-41 easyrsa3] ./easyrsa gen-req client1
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
........................................................+++
.....+++
writing new private key to '/etc/open/client/client/easyrsa3/pki/easy-rsa-2206.uzz9W3/tmp.Zk3AAg'
Enter PEM pass phrase: #123456
Verifying - Enter PEM pass phrase: #123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]: #dynamic-client1
Keypair and certificate request completed. Your files are:
req: /etc/open/client/client/easyrsa3/pki/reqs/client1.req
key: /etc/open/client/client/easyrsa3/pki/private/client1.key
12,导入客户端证书
[root@ c7-41 easyrsa3] cd /etc/open/easy-rsa/easyrsa3/
[root@ c7-41 easyrsa3] ./easyrsa import-req /etc/open/client/client/easyrsa3/pki/reqs/client1.req client1
Note: using Easy-RSA configuration from: /etc/open/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: client1
You may now use this name to perform signing operations on this request.
13,签约客户端证书
[root@ c7-41 easyrsa3] ./easyrsa sign client client1
Note: using Easy-RSA configuration from: /etc/open/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = dynamic-client1
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: #yes
Using configuration from /etc/open/easy-rsa/easyrsa3/pki/easy-rsa-2286.nEJsJH/tmp.8rGYcb
Enter pass phrase for /etc/open/easy-rsa/easyrsa3/pki/private/ca.key: #123456
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'dynamic-client1'
Certificate is to be certified until Aug 8 07:03:05 2022 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/open/easy-rsa/easyrsa3/pki/issued/client1.crt
四,配置open
14,拷贝证书文件
[root@ c7-41 easyrsa3] cd /etc/open/easy-rsa/easyrsa3/pki/
[root@ c7-41 pki] cp ca.crt /etc/open/server/
[root@ c7-41 pki] cp private/server.key /etc/open/server/ #服务端私钥(gen-req 用了 nopass,没有口令保护),拷贝后请确认属主为 root、权限为 600
[root@ c7-41 pki] cp issued/server.crt /etc/open/server/
[root@ c7-41 pki] cp dh.pem /etc/open/server/
[root@ c7-41 pki] cp ca.crt /etc/open/client/
[root@ c7-41 pki] cp issued/client1.crt /etc/open/client/
[root@ c7-41 pki] cp /etc/open/client/client/easyrsa3/pki/private/client1.key /etc/open/client/
[root@ c7-41 pki] ls /etc/open/server/
ca.crt dh.pem server.crt server.key
[root@ c7-41 pki] ls /etc/open/client/
ca.crt client client1.crt client1.key
五,配置server.conf
15,复制并精简示例配置文件server.conf
[root@ c7-41 pki] cp /usr/share/doc/open-2.4.8/sample/sample-config-files/server.conf /etc/open/
[root@ c7-41 pki] cd /etc/open/
[root@ c7-41 open] cp server.conf server.conf.bak
[root@ c7-41 open] egrep -v "^#|^;|^$" server.conf.bak > server.conf
[root@ c7-41 open] vim server.conf
[root@ c7-41 open] cat server.conf
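local 0.0.0.0                          # listen on all addresses; set to the server's own IP to bind one interface only
port 55555                             # listening port (default 1194)
proto tcp                              # default is udp; tcp is used here to simplify port forwarding
dev tun                                # routed IP tunnel
ca /etc/open/server/ca.crt             # CA certificate; the same CA signed both server and client certs
cert /etc/open/server/server.crt       # server certificate, issued with "easyrsa sign server" (server type)
key /etc/open/server/server.key        # server private key; created with "nopass", so rely on file permissions (root, 0600)
dh /etc/open/server/dh.pem             # DH parameters from "easyrsa gen-dh"
server 10.8.0.0 255.255.255.0          # server mode: hand out addresses from this VPN subnet
push "route 172.16.1.0 255.255.255.0"  # push a route so clients reach this private subnet behind the server
ifconfig-pool-persist ipp.txt          # remember client -> virtual IP assignments across restarts
keepalive 10 120                       # ping every 10s, declare the peer dead after 120s without reply
persist-key
persist-tun                            # keep keys and the tun device open across restarts; also what lets the
                                       # privilege drop below survive a SIGUSR1 restart
user nobody
group nobody                           # drop root once the tunnel is up; the daemon should not keep running as root
remote-cert-tls client                 # only accept peers whose cert was issued as a "client" type (clientAuth EKU);
                                       # without this any cert signed by the CA - including the server's - is a valid client identity
# NOTE(review): consider adding "tls-crypt /etc/open/server/ta.key" (key from "--genkey --secret ta.key")
# to authenticate and encrypt the TLS control channel; not enabled here because this guide never generates ta.key.
status open-status.log                 # status log
verb 3                                 # log verbosity 0-9; higher means more output
comp-lzo                               # compression over the tunnel; NOTE: compression on VPN links is discouraged
                                       # (VORACLE-style attacks). Kept because the client config also sets it -
                                       # remove it on both sides together, never on one side only.
client-to-client                       # allow clients to talk to each other through the server
log /var/log/open.log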
16,开启内核转发并启动(注意:下面第一条命令是直接 stop 掉 firewalld,这是关闭防火墙而不是"配置转发";生产环境应保留 firewalld,只放行 55555/tcp,并按需为 10.8.0.0/24 配置转发/NAT 规则,否则客户端到 172.16.1.0/24 的回程流量可能无法送达)
[root@ c7-41 open] systemctl stop firewalld
[root@ c7-41 open] echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/99-sysctl.conf
[root@ c7-41 open] sysctl -p
net.ipv4.ip_forward = 1
[root@ c7-41 open] open --daemon --config /etc/open/server.conf
[root@ c7-41 open] echo "open --daemon --config /etc/open/server.conf">>/etc/rc.d/rc.local
[root@ c7-41 open] ll /etc/rc.d/rc.local
-rw-r--r--. 1 root root 524 May 5 15:42 /etc/rc.d/rc.local
[root@ c7-41 open] chmod +x /etc/rc.d/rc.local
[root@ c7-41 open] ll /etc/rc.d/rc.local
-rwxr-xr-x. 1 root root 524 May 5 15:42 /etc/rc.d/rc.local
[root@ c7-41 open] ps -ef | grep open
root 12749 1 0 15:42 ? 00:00:00 open --daemon --config /etc/open/server.conf
root 17999 1699 0 15:42 pts/0 00:00:00 grep --color=auto open
[root@ c7-41 open] ss -anpt| grep 55555
LISTEN 0 32 *:55555 *:* users:(("open",pid=12749,fd=6))
[root@ c7-41 open] cd /etc/open/client/
[root@ c7-41 client] sz ca.crt client1.crt client1.key #传送至openVPN客户端软件的config目录下(client1.key 是私钥,应通过可信通道分发;每个用户应有各自的证书,不要多人共用同一份 client1)
拷贝 sample-config 中的 client.ovpn 到客户端软件的 config 目录下
19,配置client.ovpn
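client
dev tun
proto tcp                    # must match the server (proto tcp, port 55555)
remote 10.0.0.41 55555       # server IP and port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server       # require the server cert to be a "server" type cert (serverAuth EKU, as issued by
                             # "easyrsa sign server"); without this, any cert signed by the same CA - e.g. another
                             # client's - could impersonate the server in a man-in-the-middle position
ca ca.crt                    # the CA certificate, not a per-client CA
cert client1.crt
key client1.key              # passphrase-protected private key (set during gen-req)
comp-lzo                     # must match the server; compression is discouraged - remove on both ends together
verb 3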