1.安装密钥生成工具
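# Install easy-rsa, the PKI helper used below to build the CA, server and client
# certificates.  (The stray "1" that preceded this command in the rendered page
# was a gutter line number, not part of the command, and is dropped here.)
yum install easy-rsa -y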
2.准备vars文件
# Work from a private copy of the packaged easy-rsa 3.0.7 tree so the PKI (CA key,
# issued certificates) lives under /opt/easy-rsa rather than in the package directory.
mkdir /opt/easy-rsa
cp -a /usr/share/easy-rsa/3.0.7/* /opt/easy-rsa/
# NOTE(review): the here-document that follows is truncated in this copy of the page
# (the `<<EOF ... EOF` body is missing), so the settings the author appended to `vars`
# are unknown.  The vars file typically carries the EASYRSA_* defaults (key size,
# certificate lifetime, DN fields) that every ./easyrsa command below picks up -- confirm
# against the original before reusing this step.
cat >>/opt/easy-rsa/vars<
3.生成初始化证书
# Build the PKI interactively.  Commands run from /opt/easy-rsa and are order-dependent:
# the CA must exist before any request can be signed.
cd /opt/easy-rsa/
#1. Initialise: creates the pki/ directory under the current directory to hold every key and certificate
./easyrsa init-pki
#2. Build the CA.  You are prompted for a passphrase; it encrypts ca.key and is asked for again
#   each time a server or client request is signed.  Other prompts can be left at their defaults.
./easyrsa build-ca
#3. Create the server certificate request and private key.  `nopass` leaves the private key
#   unencrypted, so file permissions are its only protection.  Other prompts: defaults.
./easyrsa gen-req server nopass
#4. Sign the server request: confirm the displayed details with "yes", then enter the CA passphrase set in step 2
./easyrsa sign server server
#5. Generate the Diffie-Hellman parameters (pki/dh.pem) used for the DH key exchange
./easyrsa gen-dh
#6. Create the client certificate request and private key; `nopass` again leaves the key unencrypted
#   NOTE(review): a single shared "client" identity gives no per-user revocation or accountability;
#   issuing one certificate per user is the usual practice.
./easyrsa gen-req client nopass
#7. Sign the client request: confirm the details with "yes", then enter the CA passphrase
./easyrsa sign client client
有需要密码 回车
Confirm request details: #输入yes
...
Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: #输入ca证书密码
4.安装openvpn
# Install the OpenVPN daemon from the distribution repositories, non-interactively.
yum -y install openvpn
5.编写服务端配置文件
/etc/openvpn/server.conf
# OpenVPN server configuration (/etc/openvpn/server.conf).
# Points a reviewer would weigh that this file does not address: there is no
# `user nobody`/`group nobody`, so the daemon keeps running as root after start-up;
# there is no `tls-auth`/`tls-crypt` control-channel key; and `duplicate-cn` (last line)
# gives up the one-certificate-per-user property that makes revocation meaningful.
port 1194 #listening port
proto tcp #transport protocol (UDP is OpenVPN's usual default; TCP was chosen here)
dev tun #routed (layer-3) tunnel device
ca /etc/openvpn/server/ca.crt #CA certificate used to verify client certificates
cert /etc/openvpn/server/server.crt #server certificate (the whole certificate, not only a public key)
key /etc/openvpn/server/server.key #server private key; generated with nopass, so keep it root-only, mode 0600
dh /etc/openvpn/server/dh.pem #Diffie-Hellman parameters for key exchange (not a certificate)
server 10.8.0.0 255.255.255.0 #address pool handed to clients; must not overlap the LAN behind the VPN
push "route 172.16.1.0 255.255.255.0" #pushes a route so clients can reach the 172.16.1.0/24 internal network
ifconfig-pool-persist /etc/openvpn/logs/ipp.txt #remembers client-to-address assignments across restarts
keepalive 10 120 #ping every 10 s; peer treated as down after 120 s without a reply
max-clients 100 #at most 100 concurrent clients
status /etc/openvpn/logs/openvpn-status.log #status file listing connected clients
verb 3 #log verbosity level (0-11), NOT the OpenVPN version; 3 is the normal operating level
client-to-client #clients may reach each other through the server (widens what one client can touch)
log /etc/openvpn/logs/openvpn.log #main log file
persist-key #do not re-read key files on keepalive/SIGUSR1 restarts
persist-tun #keep the tun device up across keepalive/SIGUSR1 restarts
duplicate-cn #lets several concurrent connections share one certificate/CN
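# Deploy the PKI material where server.conf and client.ovpn expect it, turn the host
# into a router, and start the service.  Run as root.
mkdir -p /etc/openvpn/logs /etc/openvpn/server /etc/openvpn/client

# Public material may be world-readable.  The private keys were generated with `nopass`
# (unencrypted), so mode 0600 is their only protection -- hence `install -m` instead of
# a plain copy that inherits whatever mode the source had.
install -o root -g root -m 0644 /opt/easy-rsa/pki/ca.crt /etc/openvpn/server/
install -o root -g root -m 0644 /opt/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
install -o root -g root -m 0600 /opt/easy-rsa/pki/private/server.key /etc/openvpn/server/
install -o root -g root -m 0644 /opt/easy-rsa/pki/dh.pem /etc/openvpn/server/
install -o root -g root -m 0644 /opt/easy-rsa/pki/ca.crt /etc/openvpn/client/
install -o root -g root -m 0600 /opt/easy-rsa/pki/private/client.key /etc/openvpn/client/
install -o root -g root -m 0644 /opt/easy-rsa/pki/issued/client.crt /etc/openvpn/client/

# Enable IPv4 forwarding persistently without appending a duplicate line on every run
# (an unconditional `echo >>` grows sysctl.conf each time the script is repeated).
if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
fi
sysctl -p
# Kept from the original procedure; `sysctl -p` alone applies the setting, so this
# restart is optional.
systemctl restart network

# The unit name in the rendered page was mangled to "[email protected]".  On EL7 the
# openvpn@.service template starts /etc/openvpn/<instance>.conf, so the instance that
# loads server.conf is "server".
systemctl enable openvpn@server.service
systemctl start openvpn@server.service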
客户端client.ovpn
# Client profile (client.ovpn); ca.crt, client.crt and client.key sit in the same directory.
client
dev tun
proto tcp
remote 10.0.0.51 1194 #server address and port; must match `port`/`proto` in server.conf
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key #unencrypted private key (gen-req ... nopass); keep it readable by this user only
verb 3 #log verbosity level, not a version number
persist-key
persist-tun
# NOTE(review): there is no `remote-cert-tls server`, so this client accepts any certificate
# signed by the CA as the server -- including another client's certificate.
将系统客户端证书拷贝到windows客户端conf下
# Fetch the client's CA certificate, certificate and private key from the VPN server
# into the Windows client's config directory (run from that directory).
# NOTE(review): the `user@host` part of these lines was mangled by the renderer
# ("[email protected]"); it should read <user>@10.0.0.51, the server address used in client.ovpn.
# client.key is an unencrypted private key: move it only over an authenticated channel such
# as scp, and remove the copy left in the server's /etc/openvpn/client/ once the client has it.
scp [email protected]:/etc/openvpn/client/ca.crt .
scp [email protected]:/etc/openvpn/client/client.crt .
scp [email protected]:/etc/openvpn/client/client.key .
客户端增加用户
客户端client.ovpn
# Client profile (client.ovpn) extended with username/password authentication.
client
dev tun
proto tcp
remote 10.0.0.51 1194 #server address and port; must match `port`/`proto` in server.conf
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
verb 3 #log verbosity level, not a version number
persist-key
persist-tun
# The trailing word on the next line (增加, "added") is the author's annotation marking the
# new directive; it is not part of the configuration, which is just `auth-user-pass pass.txt`.
# pass.txt holds the username on line 1 and the clear-text password on line 2: restrict its
# permissions to the VPN user.
# NOTE(review): as in the first profile, `remote-cert-tls server` is absent, so any
# CA-signed certificate is accepted as the server.
auth-user-pass pass.txt 增加
客户端加文件pass.txt
sun 123456
服务端设置账号密码
[root@sql easy-rsa]# cat /etc/openvpn/checkpsw.sh
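#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through `auth-user-pass-verify <script> via-env`,
# so the credentials arrive in the environment variables
# $username and $password.  Exit status 0 grants access, any
# other status denies it.  Only field 2 of the matching row is
# used, so passwords cannot contain whitespace (kept from the
# original).
#
# Changes vs. the 2004 original:
#   * the username is compared inside awk via ENVIRON instead of
#     being spliced into the awk program text, so a crafted
#     username can neither inject awk code nor, through awk's
#     numeric string comparison, match a different account;
#   * passwords are no longer written to the log file;
#   * the script ends with an explicit `exit 1` (the listing this
#     is based on ended after the "Incorrect password" log line,
#     which would have returned echo's status 0 and granted access).
# The passfile holds clear-text passwords: keep it root-owned,
# mode 0600, and outside any shared or version-controlled path.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/logs/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

# log MESSAGE... -- append one timestamped line to LOG_FILE.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$*" >>"${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Deny outright when either credential is missing; this also keeps an
# empty username from matching blank rows in the passfile.
if [ -z "${username}" ] || [ -z "${password}" ]; then
  log "Missing username or password in environment."
  exit 1
fi

# Hand the username to awk through the environment of this one command.
# Concatenating "" forces a string comparison, otherwise awk compares
# numeric-looking values numerically ("01" would equal "1").
# Rows starting with ';' or '#' are comments.
CORRECT_PASSWORD=$(
  u="${username}" awk '!/^;/ && !/^#/ && ($1 "") == (ENVIRON["u"] "") { print $2; exit }' "${PASSFILE}"
)

if [ -z "${CORRECT_PASSWORD}" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1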
服务端密码文件
[root@sql easy-rsa]# cat /etc/openvpn/psw-file
sun 123456
# Per-client configuration directory referenced by `client-config-dir ccd` in server.conf.
mkdir /etc/openvpn/ccd/ -p
# NOTE(review): the here-document body is missing from this copy of the page (only the
# truncated `cat ... <` and the closing EOF survive), so the per-client settings written
# for "zhangya" are unknown.  With `username-as-common-name` in server.conf the lookup key
# for files in this directory is the username that checkpsw.sh authenticates, so the file
# name has to match that username exactly.
cat >/etc/openvpn/ccd/zhangya <
EOF
服务端配置
[root@sql easy-rsa]# cat /etc/openvpn/server.conf
# OpenVPN server configuration (/etc/openvpn/server.conf) with username/password
# authentication added (last five lines).  As in the first version there is no
# `user nobody`/`group nobody` (daemon keeps root after start-up) and no
# `tls-auth`/`tls-crypt` control-channel key.
port 1194 #listening port
proto tcp #transport protocol (UDP is OpenVPN's usual default; TCP was chosen here)
dev tun #routed (layer-3) tunnel device
ca /etc/openvpn/server/ca.crt #CA certificate
cert /etc/openvpn/server/server.crt #server certificate (the whole certificate, not only a public key)
key /etc/openvpn/server/server.key #server private key; generated with nopass, so keep it root-only, mode 0600
dh /etc/openvpn/server/dh.pem #Diffie-Hellman parameters for key exchange (not a certificate)
server 10.8.0.0 255.255.255.0 #address pool handed to clients; must not overlap the LAN behind the VPN
push "route 172.16.1.0 255.255.255.0" #pushes a route so clients can reach the 172.16.1.0/24 internal network
ifconfig-pool-persist /etc/openvpn/logs/ipp.txt #remembers client-to-address assignments across restarts
keepalive 10 120 #ping every 10 s; peer treated as down after 120 s without a reply
max-clients 100 #at most 100 concurrent clients
status /etc/openvpn/logs/openvpn-status.log #status file listing connected clients
verb 3 #log verbosity level (0-11), NOT the OpenVPN version; 3 is the normal operating level
client-to-client #clients may reach each other through the server (widens what one client can touch)
log /etc/openvpn/logs/openvpn.log #main log file
persist-key #do not re-read key files on keepalive/SIGUSR1 restarts
persist-tun #keep the tun device up across keepalive/SIGUSR1 restarts
duplicate-cn #lets several concurrent connections share one certificate/CN
client-config-dir ccd #per-client settings; relative to the daemon's working directory, i.e. /etc/openvpn/ccd with the openvpn@server unit
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #username/password checked by checkpsw.sh; via-env exposes the password in the script's environment
client-cert-not-required #clients no longer need a certificate, so access is decided by the clear-text passfile alone; deprecated in 2.4, replaced by `verify-client-cert none` in 2.5+
username-as-common-name #the authenticated username replaces the certificate CN (ccd lookups, status/log entries)
script-security 3 #level 3 is what via-env requires; `via-file` needs only level 2 and keeps the password out of the environment
然后客户端配置
# Final client profile: certificate files are still listed, but with
# `client-cert-not-required` on the server the username/password in pass.txt is what
# actually decides access.
client
dev tun
proto tcp
remote 10.0.0.51 1194 #server address and port; must match `port`/`proto` in server.conf
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
verb 3 #log verbosity level, not a version number
persist-key
persist-tun
# pass.txt: username on line 1, clear-text password on line 2 -- restrict its permissions.
# NOTE(review): `remote-cert-tls server` is absent, so any CA-signed certificate is
# accepted as the server.
auth-user-pass pass.txt
pass.txt
sun 123456
重启网卡
连接