1 OpenVPN Architecture and Overview
1.1 Brief Description
Many companies today need to support remote work: employees on business trips should be able to reach company resources just as if they were inside the company network. Many companies meet this need by buying a commercial VPN product or an SCVPN licence for their firewall. This chapter implements the same function with the open-source software OpenVPN.
1.2 Architecture Diagram
The figure above is the architecture diagram; for this exercise three ECS instances are purchased on Alibaba Cloud.
Note: Alibaba Cloud ECS is billed by usage. If you have no free-trial quota, buy and create the first ECS instance (the one with a public IP address) first, finish all of the server-side configuration, then buy and create the two ECS instances used as web servers. After a quick, simple configuration you can test the VPN; the whole task can be completed in a short time and the ECS instances released, which saves cost.
Four hosts in total (three servers and one client machine)
1 OpenVPN Server:
CentOS 8.5
eth1: 112.124.7.200, public IP assigned to the Alibaba ECS host
eth0: 172.16.40.254/20, host-only mode, private IP and address range
tun0: 10.8.0.1
2 Two internal hosts
First host, Web1
CentOS 8.5
eth0: 172.16.40.100/20, private IP; no gateway needs to be configured
Second host, Web2
CentOS 8.5
eth0: 172.16.40.200/20, private IP; no gateway needs to be configured
Note: the two web servers that simulate the internal network have NIC addresses in the same subnet as the OpenVPN Server. The Windows 10 client is SNATed to 172.16.40.254 when it talks to the internal network, so no gateway is needed. In many companies, however, the network is a large layer-3 switched network, and the relevant settings and routing configuration must be done according to the actual situation.
3 Windows client machine
Windows 10
2 Preparing the OpenVPN Environment on Alibaba Cloud
The purchase process is omitted; the ECS instances and basic configuration are briefly described below.
2.1 ECS Instances
Three instances; the one outlined in red is the server chosen as the OpenVPN Server.
2.2 ECS Security Rule Configuration
By default the VPN port cannot be reached. Modify the network firewall rules and add one rule allowing port 1194 over TCP/UDP.
3 Installing the OpenVPN Packages on the Server
3.1 OpenVPN Version
3.1.1 Official Site and OpenVPN Version
OpenVPN: open-source software that implements a VPN. OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnelling through proxies, and NAT. It also supports dynamic IP addresses and DHCP, scales to hundreds or thousands of users, and is portable to most mainstream operating system platforms.
GitHub: https://github.com/OpenVPN/openvpn
3.1.2 The OpenVPN Version Shipped with CentOS 8.5
Note: after the Alibaba CentOS 8.5 instance was created, yum returned 404 errors both when listing and when installing packages; this was finally fixed by replacing the /etc/yum.repos.d/base.repo file.
Checking the OpenVPN version on CentOS
[root@iZbp1383wskma7aq6jbfgcZ ~]# yum list openvpn
Last metadata expiration check: 8:05:32 ago on Thu 10 Feb 2022 01:10:01 AM CST.
Available Packages
openvpn.x86_64 2.4.11-1.el8 EPEL
[root@iZbp1383wskma7aq6jbfgcZ ~]# yum list easy-rsa
Last metadata expiration check: 8:05:55 ago on Thu 10 Feb 2022 01:10:01 AM CST.
Available Packages
easy-rsa.noarch 3.0.8-1.el8 EPEL
[root@iZbp1383wskma7aq6jbfgcZ ~]#
3.2 Installing OpenVPN
3.2.1 Installing OpenVPN and the certificate tool
# OpenVPN server software and the certificate tool
[root@iZbp1383wskma7aq6jbfgcZ ~]# yum -y install openvpn easy-rsa
3.2.2 Viewing the files in the packages
[root@iZbp1383wskma7aq6jbfgcZ ~]# rpm -qi openvpn easy-rsa
Name : openvpn
Version : 2.4.11
Release : 1.el8
Architecture: x86_64
Install Date: Thu 10 Feb 2022 09:17:33 AM CST
Group : Unspecified
Size : 1307433
License : GPLv2
Signature : RSA/SHA256, Wed 21 Apr 2021 10:11:33 PM CST, Key ID 21ea45ab2f86d6a1
Source RPM : openvpn-2.4.11-1.el8.src.rpm
Build Date : Wed 21 Apr 2021 10:04:02 PM CST
Build Host : buildhw-x86-14.iad2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : https://community.openvpn.net/
Bug URL : https://bugz.fedoraproject.org/openvpn
Summary : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.
Name : easy-rsa
Version : 3.0.8
Release : 1.el8
Architecture: noarch
Install Date: Thu 10 Feb 2022 09:17:33 AM CST
Group : Unspecified
Size : 122756
License : GPLv2
Signature : RSA/SHA256, Thu 10 Sep 2020 09:23:22 PM CST, Key ID 21ea45ab2f86d6a1
Source RPM : easy-rsa-3.0.8-1.el8.src.rpm
Build Date : Thu 10 Sep 2020 09:20:42 PM CST
Build Host : buildvm-s390x-23.s390.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : https://github.com/OpenVPN/easy-rsa
Bug URL : https://bugz.fedoraproject.org/easy-rsa
Summary : Simple shell based CA utility
Description :
This is a small RSA key management package, based on the openssl
command line tool, that can be found in the easy-rsa subdirectory
of the OpenVPN distribution. While this tool is primary concerned
with key management for the SSL VPN application space, it can also
be used for building web certificates.
[root@iZbp1383wskma7aq6jbfgcZ ~]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/.build-id
/usr/lib/.build-id/18
/usr/lib/.build-id/18/a6602b682bee9327f8a254188e270349898ab1
/usr/lib/.build-id/26
/usr/lib/.build-id/26/b7acb96c927678621ec0d416a3e73c436f6fbc
/usr/lib/.build-id/5b
/usr/lib/.build-id/5b/f591de13b621aef596a3a1f3d38c04565aa050
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn
/usr/share/doc/openvpn/AUTHORS
/usr/share/doc/openvpn/COPYING
/usr/share/doc/openvpn/COPYRIGHT.GPL
/usr/share/doc/openvpn/ChangeLog
/usr/share/doc/openvpn/Changes.rst
/usr/share/doc/openvpn/README
/usr/share/doc/openvpn/README.auth-pam
/usr/share/doc/openvpn/README.down-root
/usr/share/doc/openvpn/README.systemd
/usr/share/doc/openvpn/contrib
/usr/share/doc/openvpn/contrib/OCSP_check
/usr/share/doc/openvpn/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn/contrib/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn/contrib/pull-resolv-conf
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn/management-notes.txt
/usr/share/doc/openvpn/sample
/usr/share/doc/openvpn/sample/sample-config-files
/usr/share/doc/openvpn/sample/sample-config-files/README
/usr/share/doc/openvpn/sample/sample-config-files/client.conf
/usr/share/doc/openvpn/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn/sample/sample-config-files/home.up
/usr/share/doc/openvpn/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn/sample/sample-config-files/office.up
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn/sample/sample-config-files/server.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn/sample/sample-scripts
/usr/share/doc/openvpn/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn/sample/sample-windows
/usr/share/doc/openvpn/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn
[root@iZbp1383wskma7aq6jbfgcZ ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/COPYING.md
/usr/share/doc/easy-rsa/ChangeLog
/usr/share/doc/easy-rsa/README.md
/usr/share/doc/easy-rsa/README.quickstart.md
/usr/share/doc/easy-rsa/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa
/usr/share/licenses/easy-rsa/gpl-2.0.txt
[root@iZbp1383wskma7aq6jbfgcZ ~]#
3.2.3 Preparing the configuration files
# Build the server configuration file from the sample config
[root@iZbp1383wskma7aq6jbfgcZ ~]# cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
# Prepare the certificate-issuing tool
[root@iZbp1383wskma7aq6jbfgcZ ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
# Prepare the configuration file holding the variables used when issuing certificates
[root@iZbp1383wskma7aq6jbfgcZ ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
[root@iZbp1383wskma7aq6jbfgcZ ~]# vim /etc/openvpn/easy-rsa-server/3/vars
# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)
#set_var EASYRSA_KEY_SIZE 2048
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
# * ed
#set_var EASYRSA_ALGO rsa
# Define the named curve, used in ec & ed modes:
#set_var EASYRSA_CURVE secp384r1
# In how many days should the root CA key expire?
#set_var EASYRSA_CA_EXPIRE 3650   # the CA certificate validity defaults to 10 years; it can be changed to 100 years
set_var EASYRSA_CA_EXPIRE 36500
# In how many days should certificates expire?
#set_var EASYRSA_CERT_EXPIRE 825   # the server certificate defaults to 825 days; changed to 10 years
set_var EASYRSA_CERT_EXPIRE 3650
# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS 180
# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW 30
# Random serial numbers by default, set to no for the old incremental serial numbers
#
#set_var EASYRSA_RAND_SN "yes"
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
"/etc/openvpn/easy-rsa-server/3.0.8/vars" 223L, 8999C written
[root@iZbp1383wskma7aq6jbfgcZ ~]# tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa-server
│ ├── 3 -> 3.0.8
│ ├── 3.0 -> 3.0.8
│ └── 3.0.8
│ ├── easyrsa
│ ├── openssl-easyrsa.cnf
│ ├── vars
│ └── x509-types
│ ├── ca
│ ├── client
│ ├── code-signing
│ ├── COMMON
│ ├── email
│ ├── kdc
│ ├── server
│ └── serverClient
├── server
└── server.conf
7 directories, 12 files
[root@iZbp1383wskma7aq6jbfgcZ ~]#
4 Creating Certificates and Preparing Files
4.1 Initializing the PKI and CA Environment
4.1.1 Usage help for the easyrsa script
[root@iZbp1383wskma7aq6jbfgcZ ~]# cd /etc/openvpn/easy-rsa-server/3/
[root@iZbp1383wskma7aq6jbfgcZ 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# file ./easyrsa
./easyrsa: POSIX shell script, ASCII text executable
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Easy-RSA 3 usage and overview
USAGE: easyrsa [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND
For a listing of options that can be supplied before the command, use:
./easyrsa help options
Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.
init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base> [cmd-opts]
renew <filename_base> [cmd-opts]
build-serverClient-full <filename_base> [ cmd-opts ]
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
show-ca [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p8 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
upgrade <type>
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /etc/openvpn/easy-rsa-server/3.0.8
PKI: /etc/openvpn/easy-rsa-server/3/pki
[root@iZbp1383wskma7aq6jbfgcZ 3]#
4.1.2 Initializing the PKI: generating the PKI directories and files
[root@iZbp1383wskma7aq6jbfgcZ 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files
[root@iZbp1383wskma7aq6jbfgcZ 3]#
4.2 Creating the CA
[root@iZbp1383wskma7aq6jbfgcZ 3]# cd /etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree pki
pki
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 2 files
[root@iZbp1383wskma7aq6jbfgcZ 3]#
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # press Enter to accept the default; in production change it as needed
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt # the generated self-signed certificate file
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree pki
pki
├── ca.crt # the generated self-signed certificate file
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key # the generated private key file
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 7 files
# Files generated for the CA
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/serial
01
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll pki/index.txt
-rw------- 1 root root 0 Feb 10 09:32 pki/index.txt
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll pki/ca.crt pki/private/ca.key
-rw------- 1 root root 1204 Feb 10 09:32 pki/ca.crt
-rw------- 1 root root 1679 Feb 10 09:32 pki/private/ca.key
# Inspect the generated self-signed certificate
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/ca.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[root@iZbp1383wskma7aq6jbfgcZ 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7f:b2:b8:4d:74:26:2b:bd:7c:f1:51:e6:ae:09:fd:9c:dc:89:35:b1
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Easy-RSA CA
Validity
Not Before: Feb 10 01:32:46 2022 GMT
Not After : Jan 17 01:32:46 2122 GMT
Subject: CN = Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a8:53:df:4c:3b:29:0e:30:ac:41:d1:8e:60:17:
82:90:9c:8a:6e:9e:54:75:ba:23:f5:9f:d8:12:ed:
d5:63:25:cc:80:1f:be:e0:da:65:c4:e4:78:10:63:
1c:ed:a4:39:5a:80:de:62:44:20:a3:95:1a:6d:6b:
69:04:4e:5d:98:57:ec:75:f4:fc:84:0f:76:18:dc:
12:a6:cf:58:51:1f:8c:13:fb:87:47:09:48:4e:0e:
c5:18:f5:fe:17:dd:9d:59:6c:37:0b:ed:1c:22:6b:
44:05:b3:73:c0:79:7c:f1:ea:5c:f2:b6:88:ab:9e:
9b:df:b5:f0:12:9c:6e:2e:fc:f3:21:1c:7c:36:b2:
23:d3:c6:97:0a:92:e0:41:8a:30:06:5f:a0:87:e4:
19:8f:02:cf:99:32:7a:2d:7c:fc:e5:80:51:90:a5:
59:6f:cd:77:6d:6e:e8:eb:c6:d8:18:ce:f9:06:b5:
1c:02:ae:23:db:19:a5:61:3d:62:d2:b5:98:cb:71:
84:7b:1b:b1:3f:14:61:df:d9:38:ee:8c:55:9a:29:
06:30:c9:76:cd:01:f4:57:f0:8a:b5:0b:ee:44:20:
58:8f:39:84:86:3e:22:b2:fd:20:6f:15:b9:d4:52:
44:68:a3:52:c3:9e:41:b3:ec:f2:e2:cf:62:8f:9f:
65:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F5:30:F2:94:0C:60:97:9C:33:F3:82:08:03:6B:03:CF:75:26:C3:F9
X509v3 Authority Key Identifier:
keyid:F5:30:F2:94:0C:60:97:9C:33:F3:82:08:03:6B:03:CF:75:26:C3:F9
DirName:/CN=Easy-RSA CA
serial:7F:B2:B8:4D:74:26:2B:BD:7C:F1:51:E6:AE:09:FD:9C:DC:89:35:B1
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
10:88:2f:2d:84:b0:d6:11:bb:08:3c:70:1d:86:48:3d:a6:66:
de:61:52:4e:e9:03:4f:31:be:a5:c8:ac:b9:43:4d:91:aa:af:
6e:2c:a2:4b:76:6f:3a:f9:16:32:c2:b4:7d:4d:3d:7e:6b:02:
0f:5d:4e:d2:c4:ca:95:99:44:71:61:7c:1e:bc:09:30:fe:7e:
46:1f:a1:0f:3b:97:a2:85:4a:40:ec:c8:ca:1e:b6:17:bc:08:
cd:f7:35:23:99:18:e0:88:c2:88:a0:48:32:9a:d2:26:bf:0d:
3f:81:b2:ed:96:af:d8:33:6d:7d:3e:a1:75:3b:32:39:c6:41:
d0:1e:61:ba:68:50:14:4f:f9:87:3a:8f:e7:f9:07:e5:33:73:
55:1d:73:b9:8c:6c:51:a9:e6:80:b3:66:51:4f:ab:55:3c:cd:
d6:59:92:46:f6:79:42:95:3b:cc:1f:6e:d5:a8:4b:6c:01:c5:
85:b5:c5:88:dc:95:1f:09:24:f7:84:b9:ee:8c:75:6b:73:9e:
9d:7d:d9:6c:af:3e:50:66:e8:e7:b9:6a:e8:d5:99:15:3e:24:
8f:2c:1f:7a:50:52:c0:4c:bc:4b:86:cb:1b:f7:27:e8:9c:e9:
e8:94:64:e1:56:33:43:cb:c2:59:c4:1b:54:68:1d:36:71:ec:
19:d9:ed:5a
[root@iZbp1383wskma7aq6jbfgcZ 3]#
4.3 Creating the Server Certificate Request
[root@iZbp1383wskma7aq6jbfgcZ 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
.......+++++
.......................................+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-26875.P9md3Z/tmp.RugRF7'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: # press Enter to accept the default
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req # the generated request file
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key # the generated private key file
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key # the generated private key file
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req # the generated request file
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 9 files
[root@iZbp1383wskma7aq6jbfgcZ 3]#
4.4 Issuing the Server Certificate
4.4.1 Usage of the certificate-signing command
[root@iZbp1383wskma7aq6jbfgcZ 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa help sign
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
sign-req <type> <filename_base>
Sign a certificate request of the defined type. <type> must be a known
type such as 'client', 'server', 'serverClient', or 'ca' (or a user-added type.)
This request file must exist in the reqs/ dir and have a .req file
extension. See import-req below for importing reqs from other sources.
4.4.2 Issuing the server certificate
# Issue a server-type certificate for the server.req request created above
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days: # validity period set in the vars file
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-26916.yxAMxi/tmp.PUQ2zS
Check that the request matches the signature
Signature ok
The Subject''s Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 8 01:39:43 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt
# the server certificate file has been generated
4.4.3 Verifying the result
[root@iZbp1383wskma7aq6jbfgcZ 3]# cd /etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── 8C87842BE5B41C0654CFC48F46493635.pem # server certificate file
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt # server certificate file
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 14 files
[root@iZbp1383wskma7aq6jbfgcZ 3]#
[root@iZbp1383wskma7aq6jbfgcZ 3]# diff pki/certs_by_serial/8C87842BE5B41C0654CFC48F46493635.pem pki/issued/server.crt
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll !*
ll pki/certs_by_serial/8C87842BE5B41C0654CFC48F46493635.pem pki/issued/server.crt
-rw------- 1 root root 4608 Feb 10 09:39 pki/certs_by_serial/8C87842BE5B41C0654CFC48F46493635.pem
-rw------- 1 root root 4608 Feb 10 09:39 pki/issued/server.crt
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/issued/server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8c:87:84:2b:e5:b4:1c:06:54:cf:c4:8f:46:49:36:35
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Feb 10 01:39:43 2022 GMT
Not After : Feb 8 01:39:43 2032 GMT
Subject: CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b1:d3:e9:40:98:8e:bf:36:ba:66:1b:aa:c8:c7:
92:d0:3e:92:ad:87:a2:06:d4:ef:b9:e0:e8:e9:dc:
ca:86:c1:9c:54:bd:89:c2:e4:49:04:98:93:73:4f:
a4:e7:42:13:af:ed:f1:a7:a1:27:dd:a9:c3:cb:f4:
e4:40:f4:64:cd:d2:a1:f8:b6:ae:14:e9:e3:3f:0f:
f2:a2:28:da:4d:4e:5a:b7:bb:e9:d3:80:27:48:b3:
bd:cd:c5:c7:f0:3e:73:16:e4:e9:f2:5b:ba:15:c4:
43:63:21:09:90:f3:30:eb:d2:89:f3:c8:ec:03:35:
0f:2e:1b:e2:57:05:93:f3:b0:2b:fa:ff:18:2f:bb:
58:b6:a0:26:8c:7f:49:45:ad:b0:17:07:4c:14:24:
93:56:4d:af:ec:b8:6a:57:a7:8b:25:59:bc:1e:34:
70:b0:7d:af:97:99:f0:88:75:ce:c8:df:d3:e6:92:
94:57:a7:a1:f2:4e:2a:79:bc:7d:a0:fd:16:5a:85:
39:fd:96:90:65:dd:71:f2:23:79:7c:cf:27:8b:37:
bf:c5:f3:f8:b7:f4:e1:50:b9:98:20:84:54:4b:28:
59:19:c3:38:f5:29:2f:66:20:11:10:3b:ac:89:e9:
44:81:bc:e0:da:59:d0:d1:84:75:64:cc:19:ec:fa:
50:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
24:AE:6D:AF:94:48:5F:FE:07:A2:04:E7:59:95:7B:EC:D7:9D:4A:C1
X509v3 Authority Key Identifier:
keyid:F5:30:F2:94:0C:60:97:9C:33:F3:82:08:03:6B:03:CF:75:26:C3:F9
DirName:/CN=Easy-RSA CA
serial:7F:B2:B8:4D:74:26:2B:BD:7C:F1:51:E6:AE:09:FD:9C:DC:89:35:B1
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
49:3d:62:7c:62:b0:79:8f:4c:c0:27:e2:2e:f4:38:fc:07:e2:
5f:6f:52:42:60:0a:fa:75:52:f7:98:8a:05:36:25:50:11:cb:
5e:8f:e6:e1:e4:8e:77:81:46:b5:43:3c:eb:08:35:53:e7:44:
a4:e3:95:92:9d:df:8f:ad:82:51:2c:13:cc:41:19:2c:08:21:
8e:16:b9:02:20:40:59:00:9e:b0:ea:28:c0:46:9a:4a:3c:ce:
14:62:e3:22:b1:38:e2:c6:cd:bc:5f:63:61:2e:0a:97:62:a1:
c0:f7:44:dd:89:d6:37:25:18:f7:df:94:6b:a8:40:c1:a0:91:
e1:13:f6:a9:a7:7a:be:81:0e:0a:42:dc:d5:37:7a:5c:f3:6a:
1f:e3:4c:03:5b:73:87:d0:f4:09:7a:c7:0e:b0:00:b8:f9:0c:
e1:61:c2:7a:67:7a:bf:b9:ce:3e:95:34:2c:0f:e0:dc:52:00:
da:02:42:5e:e9:c0:9d:41:2f:38:a9:67:64:1b:49:62:b0:67:
f6:0f:c3:23:08:8f:ec:17:5d:4b:e6:57:38:55:01:da:0a:4d:
f3:92:ad:d9:a9:9b:68:ab:cb:ac:c3:05:9a:f7:0b:7d:b8:15:
ca:c5:57:49:9f:8f:c4:90:e7:2c:16:65:66:e6:f4:96:b0:34:
b0:9d:a8:3d
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[root@iZbp1383wskma7aq6jbfgcZ 3]#
# Certificate-related files
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/serial
8C87842BE5B41C0654CFC48F46493636
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/index.txt
V 320208013943Z 8C87842BE5B41C0654CFC48F46493635 unknown /CN=server
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/serial.old
8c87842be5b41c0654cfc48f46493635
[root@iZbp1383wskma7aq6jbfgcZ 3]#
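The pki/index.txt shown above is the CA database that OpenSSL (and therefore Easy-RSA) maintains: one tab-separated line per issued certificate with status (V valid, R revoked, E expired), expiry time, revocation time and reason, serial number, an unused filename field, and the subject DN. Because the client certificates issued later in this tutorial are given only 180 days of validity, an operator needs a quick way to see which entries are about to lapse or have been revoked. The script below is an added example (not part of Easy-RSA, OpenSSL or this tutorial) that parses index.txt and audits it. The first two sample lines reproduce this page's own server and summer entries; the third line, the lost-laptop revocation, is constructed for the demo, and the function names are my own.

```python
"""Audit an Easy-RSA CA database (pki/index.txt) for revoked, expired and soon-expiring certificates.

Added example for this tutorial; not part of Easy-RSA or OpenSSL.
"""
from datetime import datetime, timezone

# The first two lines reproduce this tutorial's PKI: server.crt (3650 days) and summer.crt (180 days).
# The third line is a constructed revoked entry; its serial, date and CN are made up for the demo.
SAMPLE_INDEX = (
    "V\t320208013943Z\t\t8C87842BE5B41C0654CFC48F46493635\tunknown\t/CN=server\n"
    "V\t220809055613Z\t\t76CD47600F811D9DEFB77604E331F281\tunknown\t/CN=summer\n"
    "R\t220809055613Z\t220601100000Z,keyCompromise\t0000000000000000000000000000ABCD\tunknown\t/CN=lost-laptop\n"
)


def parse_index_time(stamp):
    """index.txt stores times as UTCTime YYMMDDHHMMSSZ; return an aware UTC datetime."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Split index.txt into records: status, expiry, revocation, serial, filename, subject DN."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revocation, serial, _filename, dn = fields
        revoked_at = reason = None
        if revocation:  # "YYMMDDHHMMSSZ" optionally followed by ",reason"
            stamp, _, reason = revocation.partition(",")
            revoked_at, reason = parse_index_time(stamp), reason or None
        # Subject DN is written in OpenSSL's slash form, e.g. /CN=server
        cn = next((part[3:] for part in dn.split("/") if part.startswith("CN=")), None)
        entries.append({"status": status, "expires_at": parse_index_time(expiry),
                        "revoked_at": revoked_at, "reason": reason,
                        "serial": serial, "dn": dn, "cn": cn})
    return entries


def audit_index(text, now=None, warn_days=30):
    """Classify every record as ok / expiring / expired / revoked relative to `now`.

    `now` may be None (current UTC time) or a timestamp in index.txt format.
    """
    ref = datetime.now(timezone.utc) if now is None else parse_index_time(now)
    report = []
    for entry in parse_index(text):
        days_left = (entry["expires_at"] - ref).days
        if entry["status"] == "R":
            verdict = "revoked"
        elif entry["status"] == "E" or days_left < 0:
            verdict = "expired"
        elif days_left <= warn_days:
            verdict = "expiring"
        else:
            verdict = "ok"
        report.append({**entry, "days_left": days_left, "verdict": verdict})
    return report


if __name__ == "__main__":
    # Audit as of the moment the server certificate was issued (Feb 10 01:39:43 2022 GMT).
    for r in audit_index(SAMPLE_INDEX, now="220210013943Z"):
        extra = f" reason={r['reason']}" if r["reason"] else ""
        print(f"{r['verdict']:<9} {r['cn']:<12} serial={r['serial']} days_left={r['days_left']}{extra}")
```

Run it against the real file with something like `audit_index(open("pki/index.txt").read())`; a revoked entry only appears after `./easyrsa revoke`, and the status column only flips to E after `./easyrsa update-db`, which is why the audit also compares the expiry time itself against the reference time rather than trusting the status letter alone.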
4.5 Creating the Diffie-Hellman Key (DH Parameters)
4.5.1 The Diffie-Hellman Algorithm
The Diffie-Hellman key exchange method was published in 1976 by Whitfield Diffie (Bailey Whitfield Diffie) and Martin Hellman (Martin Edward Hellman). It is a security protocol that lets two parties establish a shared key over an insecure channel with no prior information about each other; this key is then normally used as the key for symmetric encryption of the subsequent data transfer. The mathematics behind DH is the discrete logarithm problem. Asymmetric algorithms such as RSA serve similar purposes. DH is very widely used, for example in SSH, VPNs and HTTPS.
4.5.2 Creating the Diffie-Hellman Key
[root@iZbp1383wskma7aq6jbfgcZ 3]# cd /etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................................... # this takes quite a while
..........................+.............................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll pki/dh.pem
-rw------- 1 root root 424 Feb 10 09:46 pki/dh.pem
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat !*
cat pki/dh.pem
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAwyNjVDpIBR0GayccEjZuwORsFd0MD/RXJ5WJqD4p7mxUWSnjxy08
BgwfHVe87ZHPa+CSsBjzTfXJhC8w9deYThY6vnXtHkcFQpVYPtH3G1308mUQ4uTz
Jd3m3cnPLd3pC5JsFBHbjwZz+XfaDCvmyB2iRnKgcORFFDZydJvK9ocOR+cSVYMW
QYvSRvQ72040iVvJjt+hGuAnkAoHFyEoyYQzkJOioer/S3k/EU903Qa0jdzYCxDY
kgkwQpu4XXnBPhZ2dsD9aNkfe9iWe5Nybtm+pOlHPBMcD8MBtZhsv+nRPk2mgI9R
O0q1gj9SZCNaNsPyBQMwG6304AmfW4V3wwIBAg==
-----END DH PARAMETERS-----
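What `gen-dh` wrote into dh.pem is a PKCS#3 DHParameter structure: a DER SEQUENCE holding the 2048-bit safe prime p and the generator g (2), base64-encoded between the PEM markers. The Python script below is an added example (not part of Easy-RSA, OpenVPN or this tutorial) that decodes the exact PEM text printed above, recovers p and g with a minimal DER reader, checks with Miller-Rabin that p is a safe prime (the property the "safe prime" line in the output promises), and then performs one Diffie-Hellman exchange with those parameters so both sides derive the same secret. It also rejects the degenerate public values 0, 1 and p-1 that a peer must never be allowed to send. The PEM text is the page's own; the function names and the fixed exponents in the usage are my own.

```python
"""Decode the dh.pem produced by `easyrsa gen-dh` and run a DH key agreement with it.

Added example for this tutorial; not part of Easy-RSA or OpenVPN.
"""
import base64
import secrets

# PEM text copied from the `cat pki/dh.pem` output above (2048-bit safe prime, generator 2).
DH_PEM = """-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAwyNjVDpIBR0GayccEjZuwORsFd0MD/RXJ5WJqD4p7mxUWSnjxy08
BgwfHVe87ZHPa+CSsBjzTfXJhC8w9deYThY6vnXtHkcFQpVYPtH3G1308mUQ4uTz
Jd3m3cnPLd3pC5JsFBHbjwZz+XfaDCvmyB2iRnKgcORFFDZydJvK9ocOR+cSVYMW
QYvSRvQ72040iVvJjt+hGuAnkAoHFyEoyYQzkJOioer/S3k/EU903Qa0jdzYCxDY
kgkwQpu4XXnBPhZ2dsD9aNkfe9iWe5Nybtm+pOlHPBMcD8MBtZhsv+nRPk2mgI9R
O0q1gj9SZCNaNsPyBQMwG6304AmfW4V3wwIBAg==
-----END DH PARAMETERS-----"""


def _read_tlv(data, pos):
    """Decode one DER tag/length/value triple at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_dh_pem(pem):
    """Return (p, g) from a PKCS#3 DHParameter PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag_p, p_bytes, nxt = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two DER INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """A safe prime is p = 2q + 1 with q prime: the property `gen-dh` promises."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def check_public_value(y, p):
    """Reject the degenerate peer values 0, 1 and p-1, which would force a trivial shared secret."""
    if not 1 < y < p - 1:
        raise ValueError("invalid DH public value")


def dh_exchange(p, g, a=None, b=None):
    """Run both sides of a DH exchange; pass fixed private exponents for a reproducible run.

    Returns (secret computed by side A, secret computed by side B); the two must be equal.
    """
    if a is None:
        a = secrets.randbelow(p - 3) + 2
    if b is None:
        b = secrets.randbelow(p - 3) + 2
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)  # the values that would travel over the wire
    check_public_value(pub_b, p)                # each side validates what it receives
    check_public_value(pub_a, p)
    return pow(pub_b, a, p), pow(pub_a, b, p)


if __name__ == "__main__":
    p, g = parse_dh_pem(DH_PEM)
    print(f"p: {p.bit_length()} bits, g = {g}, safe prime: {is_safe_prime(p)}")
    secret_a, secret_b = dh_exchange(p, g)
    print("shared secrets agree:", secret_a == secret_b)
```

The safe-prime check is the slow part (a few dozen 2048-bit modular exponentiations); it is what makes generator 2 safe to use here, because in a safe-prime group every valid public value other than the three rejected above lies in a subgroup of prime order q and small-subgroup tricks have nowhere to go.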
This completes the server-side certificate configuration; next comes the client certificate configuration.
4.6 Preparing the Client Certificate Environment
[root@iZbp1383wskma7aq6jbfgcZ ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
[root@iZbp1383wskma7aq6jbfgcZ ~]# cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn//easy-rsa-client/3/vars
[root@iZbp1383wskma7aq6jbfgcZ ~]# cd /etc/openvpn//easy-rsa-client/3/
[root@iZbp1383wskma7aq6jbfgcZ 3]# pwd
/etc/openvpn/easy-rsa-client/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
1 directory, 11 files
[root@iZbp1383wskma7aq6jbfgcZ 3]#
# Generate the pki directory and files needed for the certificate request
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki # the new directory was created
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki # the newly created directory
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files
4.7 Creating the Client Certificate Request
[root@iZbp1383wskma7aq6jbfgcZ 3]# cd /etc/openvpn/easy-rsa-client/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# pwd
/etc/openvpn/easy-rsa-client/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa gen-req summer nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
................+++++
......................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-27362.GZr9lG/tmp.lerDzt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [summer]: # check the information, then press Enter
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/summer.req # client certificate request file
key: /etc/openvpn/easy-rsa-client/3/pki/private/summer.key # client private key file
# two new files were generated
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ └── summer.key # client private key file
│ ├── reqs
│ │ └── summer.req # client certificate request file
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 15 files
[root@iZbp1383wskma7aq6jbfgcZ 3]#
4.8 Issuing the Client Certificate
[root@iZbp1383wskma7aq6jbfgcZ ~]# cd /etc/openvpn/easy-rsa-server/3
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/summer.req summer
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
The request has been successfully imported with a short name of: summer
You may now use this name to perform signing operations on this request.
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── 8C87842BE5B41C0654CFC48F46493635.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── server.req
│ └── summer.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 16 files
[root@iZbp1383wskma7aq6jbfgcZ 3]#
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll pki/reqs/summer.req /etc/openvpn/easy-rsa-client/3/pki/reqs/summer.req
-rw------- 1 root root 887 Feb 10 13:13 /etc/openvpn/easy-rsa-client/3/pki/reqs/summer.req
-rw------- 1 root root 887 Feb 10 13:50 pki/reqs/summer.req
[root@iZbp1383wskma7aq6jbfgcZ 3]#
[root@iZbp1383wskma7aq6jbfgcZ 3]#
# Change the validity period of certificates issued to clients; the file below controls certificate issuance, and it is the same file used for the server certificate
[root@iZbp1383wskma7aq6jbfgcZ 3]# vim vars
# It is recommended to set the validity of client certificates to 180 days; nothing else needs changing
#set_var EASYRSA_CERT_EXPIRE 825
set_var EASYRSA_CERT_EXPIRE 180
[root@iZbp1383wskma7aq6jbfgcZ 3]# ./easyrsa sign client summer
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 180 days:
subject=
commonName = summer
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes and press Enter to confirm
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-27545.pVzVp2/tmp.CGIvwo
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'summer'
Certificate is to be certified until Aug 9 05:56:13 2022 GMT (180 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/summer.crt #certificate file
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt
│ ├── certs_by_serial
│ │ ├── 76CD47600F811D9DEFB77604E331F281.pem
│ │ └── 8C87842BE5B41C0654CFC48F46493635.pem
│ ├── dh.pem
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── issued
│ │ ├── server.crt #server certificate generated earlier
│ │ └── summer.crt #client certificate just generated
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ ├── ca.key
│ │ └── server.key
│ ├── renewed
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ │ ├── server.req
│ │ └── summer.req
│ ├── revoked
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ ├── serial
│ └── serial.old
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
14 directories, 29 files
[root@iZbp1383wskma7aq6jbfgcZ 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ ├── 76CD47600F811D9DEFB77604E331F281.pem
│ └── 8C87842BE5B41C0654CFC48F46493635.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ ├── server.crt
│ └── summer.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── server.req
│ └── summer.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 18 files
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/index.txt
V 320208013943Z 8C87842BE5B41C0654CFC48F46493635 unknown /CN=server
V 220809055613Z 76CD47600F811D9DEFB77604E331F281 unknown /CN=summer
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll pki/issued/
total 16
-rw------- 1 root root 4608 Feb 10 09:39 server.crt
-rw------- 1 root root 4492 Feb 10 13:56 summer.crt
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll pki/certs_by_serial/
total 16
-rw------- 1 root root 4492 Feb 10 13:56 76CD47600F811D9DEFB77604E331F281.pem
-rw------- 1 root root 4608 Feb 10 09:39 8C87842BE5B41C0654CFC48F46493635.pem
[root@iZbp1383wskma7aq6jbfgcZ 3]# cat pki/issued/summer.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:cd:47:60:0f:81:1d:9d:ef:b7:76:04:e3:31:f2:81
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Feb 10 05:56:13 2022 GMT
Not After : Aug 9 05:56:13 2022 GMT
Subject: CN=summer
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e5:4c:c6:0d:01:23:67:b6:81:3b:bb:3f:ef:ce:
31:40:bb:2d:dc:09:dc:8f:b8:ed:3f:39:c7:13:7b:
37:90:f5:cc:86:76:4b:c4:60:44:1b:73:96:f7:35:
c2:40:08:9a:73:cf:b8:6c:14:6c:30:e2:48:c7:08:
17:bc:36:05:bc:9d:7c:ae:31:23:61:cf:9f:3d:6e:
88:49:90:60:75:7b:3a:89:fb:ab:98:f9:47:a1:dd:
ec:8f:13:70:71:90:c3:8b:a9:c5:fd:dd:1c:0e:d9:
b7:38:3f:cc:34:08:01:d1:2d:92:11:bb:61:e3:ea:
ab:38:d5:1a:be:3b:e0:65:fb:fa:d6:62:75:e4:e0:
8e:86:a6:e6:7c:07:17:f7:35:58:e4:71:de:c6:3c:
37:df:dc:9b:bd:aa:0f:4c:ee:c1:27:2c:f9:73:54:
6e:b3:d6:53:5e:b4:07:fe:0f:d4:80:0a:8f:30:d1:
d7:ad:a7:12:49:f8:ce:b1:a5:e8:cf:60:ed:ff:bf:
53:75:6e:07:74:3f:1d:68:87:3a:f3:f8:bf:74:c6:
52:cb:b0:57:d2:d1:39:c2:e6:c9:2c:45:d9:db:5c:
97:25:f7:a6:9b:60:12:83:9e:5c:1c:7d:4c:fa:a3:
42:d1:16:a2:c0:48:cf:7c:b3:35:8d:80:2a:37:9a:
b6:99
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
94:E0:49:12:C2:64:AE:96:84:AB:DF:9E:23:3B:12:50:C1:BE:67:8E
X509v3 Authority Key Identifier:
keyid:F5:30:F2:94:0C:60:97:9C:33:F3:82:08:03:6B:03:CF:75:26:C3:F9
DirName:/CN=Easy-RSA CA
serial:7F:B2:B8:4D:74:26:2B:BD:7C:F1:51:E6:AE:09:FD:9C:DC:89:35:B1
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
a6:bb:e7:15:f2:b2:4e:98:41:0c:4c:bf:6d:a3:48:eb:de:8f:
86:4d:a3:d1:87:d3:5a:97:37:aa:47:8e:30:1b:d2:1b:5c:c5:
6f:a7:eb:c0:39:88:ef:6a:f4:6a:f7:04:84:46:ec:e3:20:ed:
a6:07:df:96:75:87:73:0f:0e:43:f1:93:ce:b9:8a:fe:1c:b8:
96:ff:51:80:d8:8a:15:48:1b:a4:14:aa:42:45:55:75:05:46:
50:eb:98:1a:41:58:17:f0:28:42:2e:04:d5:6b:aa:64:fc:6d:
cd:32:c8:6f:62:de:c7:a7:b1:c2:ba:2e:5d:45:da:b6:df:91:
00:90:56:36:00:63:eb:cf:eb:2f:1a:04:ca:36:7d:7f:ca:56:
c9:95:e2:95:fa:79:c4:39:90:3a:cf:da:0e:77:56:b2:3c:fa:
b4:13:07:c5:5a:9f:26:b2:45:74:0b:14:a3:c7:28:8f:31:ed:
bd:83:67:31:ab:c5:a9:ce:da:07:79:08:cf:8a:a0:66:79:0c:
39:07:53:a8:c5:01:20:43:67:c7:85:17:97:7b:c7:15:67:1d:
96:11:e0:4b:73:30:0e:ca:0a:0d:92:d5:14:b8:7a:c0:37:01:
cb:4d:78:a8:4a:93:83:13:46:ae:91:a2:a0:e1:36:63:65:27:
fa:d5:8c:64
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
[root@iZbp1383wskma7aq6jbfgcZ 3]#
4.9 Copy the CA and server certificate files to the server's certificate directory
[root@iZbp1383wskma7aq6jbfgcZ 3]#
[root@iZbp1383wskma7aq6jbfgcZ 3]# mkdir /etc/openvpn/certs
[root@iZbp1383wskma7aq6jbfgcZ 3]# cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[root@iZbp1383wskma7aq6jbfgcZ 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@iZbp1383wskma7aq6jbfgcZ 3]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[root@iZbp1383wskma7aq6jbfgcZ 3]# cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
[root@iZbp1383wskma7aq6jbfgcZ 3]# ll /etc/openvpn/certs/
total 20
-rw------- 1 root root 1204 Feb 10 13:59 ca.crt
-rw------- 1 root root 424 Feb 10 14:01 dh.pem
-rw------- 1 root root 4608 Feb 10 14:00 server.crt
-rw------- 1 root root 1704 Feb 10 14:00 server.key
[root@iZbp1383wskma7aq6jbfgcZ 3]#
[root@iZbp1383wskma7aq6jbfgcZ 3]#
4.10 Copy the client private key and certificate files to the corresponding server directory
[root@iZbp1383wskma7aq6jbfgcZ 3]# mkdir /etc/openvpn/client/summer/
[root@iZbp1383wskma7aq6jbfgcZ 3]# find /etc/openvpn/ -name "summer.key" -o -name "summer.crt" -o -name ca.crt
/etc/openvpn/easy-rsa-server/3.0.8/pki/issued/summer.crt
/etc/openvpn/easy-rsa-server/3.0.8/pki/ca.crt
/etc/openvpn/easy-rsa-client/3.0.8/pki/private/summer.key
/etc/openvpn/certs/ca.crt
#Copy the three files under /etc/openvpn/easy-rsa-server/3.0.8/pki/ listed above into the directory below
[root@iZbp1383wskma7aq6jbfgcZ ~]# ll /etc/openvpn/client/summer/
total 16
-rw------- 1 root root 1204 Feb 10 14:06 ca.crt
-rw------- 1 root root 4492 Feb 10 14:18 summer.crt
-rw------- 1 root root 1704 Feb 10 14:06 summer.key
[root@iZbp1383wskma7aq6jbfgcZ ~]#
5 OpenVPN server configuration file
5.1 Server configuration file explained
#In server.conf, lines starting with # or ; are comments: # introduces explanatory comments, ; introduces commented-out configuration directives.
#Use grep to filter out the directive lines and walk through them one by one
[root@centos8 ~]#grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d #Local IP to listen on; defaults to the IPs of all local interfaces
port 1194 #OpenVPN default TCP/UDP port
;proto tcp #Transport protocol; TCP is recommended, UDP also works, but TCP connections are more reliable
proto udp #The server configuration file defaults to UDP; it is recommended to change this to proto tcp
;dev tap #Create an Ethernet tunnel; a tap device passes complete Ethernet frames through the OpenVPN tunnel, so it can carry non-IP protocols such as IPX and AppleTalk. Think of tap as an Ethernet device operating on layer 2 frames.
dev tun #Create a routed IP tunnel for IP-based traffic; layer 3 IP packets pass through the tunnel. Most Internet deployments use tun, and tun mode is recommended
;dev-node MyTap #TAP-Win32 adapter; not configured on non-Windows systems
ca ca.crt #CA certificate file and path; must be set correctly
cert server.crt #Server certificate file and path
key server.key #Server private key file and path
dh dh2048.pem #Parameter file for the DH key exchange
;topology subnet
server 10.8.0.0 255.255.255.0 #Address pool assigned to clients after they connect; the server takes the first IP by default, so with this setting 10.8.0.1 becomes the clients' gateway
ifconfig-pool-persist ipp.txt #File for assigning fixed IPs to clients; usually not needed
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 #Bridge mode; leave commented out
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0" #Push routes to clients so they have static routes to the subnets behind the server, with next hop the OpenVPN server's tunnel address 10.8.0.1. Configure this when the internal network is a layer 3 switched network, so clients can reach the other private subnets behind the server.
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd #Add routes for a specific client's own back-end subnet rather than the server's; not needed here
;route 10.9.0.0 255.255.255.252
;learn-address ./script #Run an external script to create per-group iptables rules; not needed
;push "redirect-gateway def1 bypass-dhcp" #When enabled, all client traffic goes through the VPN server and the client cannot reach the Internet locally; whether it can reach the Internet at all then depends on the policy configured on the OpenVPN server. Usually not needed
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220" #Push DNS servers; not needed
;client-to-client #Allow different clients to talk to each other directly through the tunnel; usually not needed
;duplicate-cn #Let multiple users share one certificate; acceptable for testing, but production uses one certificate per user, so do not enable
keepalive 10 120 #Server-side probe interval and timeout: by default ping every 10 seconds, and consider the peer down if there is no reply within 120 seconds
tls-auth ta.key 0 #Hardening against DoS and similar attacks; generate the key with: openvpn --genkey --secret ta.key. The server and every client need a copy of this key. The second argument must be '0' on the server and '1' on clients
cipher AES-256-CBC #Encryption algorithm
;compress lz4-v2 #Enable the new compression algorithm of OpenVPN 2.4.x; recommended
;push "compress lz4-v2" #Push the new compression algorithm to clients; do not enable together with comp-lzo below
;comp-lzo #Compression setting compatible with older clients; the client must enable compression too. Not needed with OpenVPN 2.4.x and newer
;max-clients 100 #Maximum number of client connections
;user nobody #User the openvpn service runs as
;group nobody #Group the openvpn service runs as
persist-key #By default the key files are re-read when the VPN service restarts; with this option the key read the first time is kept and reused. Not required
persist-tun #With this option the tun or tap device stays up across a service restart instead of going down and up again. Not required
status openvpn-status.log #OpenVPN status file, rewritten once a minute by default
;log openvpn.log #First logging method, with the log path; log truncates the log file when openvpn starts, so it is not recommended
;log-append openvpn.log #Second logging method, with the log path; after a restart new entries are appended to the existing log. Recommended
verb 3 #Log verbosity, 0-9; the higher the level the more detail. 0 is silent except for fatal errors, 4 is reasonable for normal use, 5 and 6 help debug connection problems, 9 is extremely verbose
;mute 20 #Only the first 20 messages of the same category are written to the log
explicit-exit-notify 1 #In UDP mode, notify clients so they reconnect automatically after a server restart; TCP mode reconnects after a disconnect without this. With this option set, openvpn fails to start in TCP mode, so it must not be enabled when using TCP
5.2 Edit the server configuration file
# Back up the default configuration file, then edit it
[root@iZbp1383wskma7aq6jbfgcZ ~]# cp /etc/openvpn/server.conf /etc/openvpn/server.conf.bak
[root@iZbp1383wskma7aq6jbfgcZ ~]# vim /etc/openvpn/server.conf
# The edited configuration file (only active directives shown)
[root@iZbp1383wskma7aq6jbfgcZ ~]# grep '^[[:alpha:]].*' /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt #paths as set when building the certificates above
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.40.0 255.255.255.0" #subnet behind the OpenVPN server
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
[root@iZbp1383wskma7aq6jbfgcZ ~]#
# Check the service user and group, and create the log directory
[root@iZbp1383wskma7aq6jbfgcZ ~]# getent passwd openvpn
openvpn:x:989:985:OpenVPN:/etc/openvpn:/sbin/nologin
[root@iZbp1383wskma7aq6jbfgcZ ~]# mkdir /var/log/openvpn
[root@iZbp1383wskma7aq6jbfgcZ ~]# chown openvpn.openvpn /var/log/openvpn
[root@iZbp1383wskma7aq6jbfgcZ ~]# ll -d /var/log/openvpn
drwxr-xr-x 2 openvpn openvpn 6 Feb 10 17:06 /var/log/openvpn
[root@iZbp1383wskma7aq6jbfgcZ ~]#
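The final server.conf above runs as user/group openvpn but drops persist-key, persist-tun and tls-auth, and the notes in 5.1 say explicit-exit-notify stops a TCP server from starting. As an added example (not code from the tutorial or from the OpenVPN project), the following bash script lints a server.conf for exactly those combinations. The directive names are OpenVPN 2.4's; the sample configuration and the temporary file path are constructed here from the tutorial's own config.

```shell
#!/usr/bin/env bash
# Added example (not part of the tutorial): lint an OpenVPN 2.4 server.conf for the
# pitfalls described in section 5.1. The sample config below is constructed from the
# tutorial's final server.conf; the directive names are OpenVPN's own.
set -eu

# Print one finding per line ("ERROR ..." or "WARN ...") for the active directives in
# the given server.conf. Lines starting with # or ; are comments; trailing "# ..." notes
# are stripped. Prints nothing when no finding applies.
lint_server_conf() {
  awk '
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
    {
      sub(/[[:space:]]+#.*$/, "")
      d[$1] = $0
    }
    END {
      if (("proto" in d) && d["proto"] ~ /tcp/ && ("explicit-exit-notify" in d))
        print "ERROR explicit-exit-notify is only valid with proto udp; the service will not start"
      if ((("user" in d) || ("group" in d)) && !(("persist-key" in d) && ("persist-tun" in d)))
        print "WARN user/group without persist-key and persist-tun: restarts may fail after the privilege drop"
      if (("compress" in d) && ("comp-lzo" in d))
        print "WARN compress and comp-lzo are both set; keep only one compression directive"
      if (!("tls-auth" in d) && !("tls-crypt" in d))
        print "WARN no tls-auth/tls-crypt key: the control channel accepts unauthenticated packets"
    }
  ' "$1"
}

# Constructed copy of the final server.conf from section 5.2, kept in a temp dir.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt #paths as set when building the certificates
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.40.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF

# Prints the two WARN lines that correspond to the warnings openvpn itself logs at start-up.
lint_server_conf "$demo/server.conf"
```

Run it against the real file with `lint_server_conf /etc/openvpn/server.conf` before `systemctl restart openvpn@server`; the two warnings it reports for this tutorial's config are the same ones that appear in openvpn.log in section 7.2.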
6 Configure kernel parameters and iptables rules on the OpenVPN server
#Inspect sysctl.conf
[root@iZbp1383wskma7aq6jbfgcZ ~]#
[root@iZbp1383wskma7aq6jbfgcZ ~]# cat /etc/sysctl.conf
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
#Edit sysctl.conf and reload it
[root@iZbp1383wskma7aq6jbfgcZ ~]#
[root@iZbp1383wskma7aq6jbfgcZ ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@iZbp1383wskma7aq6jbfgcZ ~]# sysctl -p
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_forward = 1
#Configure the SNAT rule: all clients are NATed to the IP of the openvpn server's internal interface when talking to the internal network
[root@iZbp1383wskma7aq6jbfgcZ ~]# echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@iZbp1383wskma7aq6jbfgcZ ~]# chmod +x /etc/rc.d/rc.local
[root@iZbp1383wskma7aq6jbfgcZ ~]# /etc/rc.d/rc.local
[root@iZbp1383wskma7aq6jbfgcZ ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@iZbp1383wskma7aq6jbfgcZ ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@iZbp1383wskma7aq6jbfgcZ ~]#
[root@iZbp1383wskma7aq6jbfgcZ ~]#
7 Start the OpenVPN service
7.1 Start the OpenVPN service
# List the systemd units shipped with openvpn; on CentOS 8.5 there is no openvpn@.service file, so that unit is missing
[root@iZbp1383wskma7aq6jbfgcZ ~]# rpm -ql openvpn|grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd
[root@iZbp1383wskma7aq6jbfgcZ ~]#
[root@iZbp1383wskma7aq6jbfgcZ ~]# cat /usr/lib/systemd/system/openvpn@.service
cat: /usr/lib/systemd/system/openvpn@.service: No such file or directory
#Create and fill in the openvpn@.service unit file
[root@iZbp1383wskma7aq6jbfgcZ ~]# vim /usr/lib/systemd/system/openvpn@.service
[root@iZbp1383wskma7aq6jbfgcZ ~]# cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
[root@iZbp1383wskma7aq6jbfgcZ ~]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@iZbp1383wskma7aq6jbfgcZ ~]# systemctl daemon-reload
[root@iZbp1383wskma7aq6jbfgcZ ~]# systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
[root@iZbp1383wskma7aq6jbfgcZ ~]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2022-02-10 17:15:27 CST; 3s ago
Main PID: 28057 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 11411)
Memory: 1.2M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─28057 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Feb 10 17:15:27 iZbp1383wskma7aq6jbfgcZ systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On s>
Feb 10 17:15:27 iZbp1383wskma7aq6jbfgcZ systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On se>
7.2 Check the service status
[root@iZbp1383wskma7aq6jbfgcZ ~]# ss -ntlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 32 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=28057,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1049,fd=5))
[root@iZbp1383wskma7aq6jbfgcZ ~]# cat /var/log/openvpn/openvpn.log
Thu Feb 10 17:15:27 2022 OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
Thu Feb 10 17:15:27 2022 library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
Thu Feb 10 17:15:27 2022 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Thu Feb 10 17:15:27 2022 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Thu Feb 10 17:15:27 2022 Diffie-Hellman initialized with 2048 bit key
Thu Feb 10 17:15:27 2022 ROUTE_GATEWAY 172.16.47.253/255.255.240.0 IFACE=eth0 HWADDR=00:16:3e:09:61:a9
Thu Feb 10 17:15:27 2022 TUN/TAP device tun0 opened
Thu Feb 10 17:15:27 2022 TUN/TAP TX queue length set to 100
Thu Feb 10 17:15:27 2022 /sbin/ip link set dev tun0 up mtu 1500
Thu Feb 10 17:15:27 2022 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Feb 10 17:15:27 2022 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Feb 10 17:15:27 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Feb 10 17:15:27 2022 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Feb 10 17:15:27 2022 Listening for incoming TCP connection on [AF_INET][undef]:1194
Thu Feb 10 17:15:27 2022 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Thu Feb 10 17:15:27 2022 TCPv4_SERVER link remote: [AF_UNSPEC]
Thu Feb 10 17:15:27 2022 GID set to openvpn
Thu Feb 10 17:15:27 2022 UID set to openvpn
Thu Feb 10 17:15:27 2022 MULTI: multi_init called, r=256 v=256
Thu Feb 10 17:15:27 2022 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Feb 10 17:15:27 2022 MULTI: TCP INIT maxclients=100 maxevents=104
Thu Feb 10 17:15:27 2022 Initialization Sequence Completed
[root@iZbp1383wskma7aq6jbfgcZ ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:16:3e:09:61:a9 brd ff:ff:ff:ff:ff:ff
inet 172.16.40.254/20 brd 172.16.47.255 scope global dynamic noprefixroute eth0
valid_lft 315330940sec preferred_lft 315330940sec
inet6 fe80::216:3eff:fe09:61a9/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::1e09:b687:82bd:f377/64 scope link stable-privacy
valid_lft forever preferred_lft forever
[root@iZbp1383wskma7aq6jbfgcZ ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.47.253 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.16.32.0 0.0.0.0 255.255.240.0 U 100 0 0 eth0
[root@iZbp1383wskma7aq6jbfgcZ ~]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::1e09:b687:82bd:f377 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 240 (240.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@iZbp1383wskma7aq6jbfgcZ ~]#
8 Prepare the OpenVPN client configuration file
8.1 The default sample client configuration file explained
[root@centos8 ~]#grep '^[[:alpha:]].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf
client #declares this side as the client
dev tun #interface type; must match the server configuration
proto udp #protocol; must match the server configuration
remote my-server-1 1194 #server IP and port; a domain name can be used, but it must resolve
resolv-retry infinite #if the server is given as a domain name, keep resolving it; if the name changes, reconnect to the new IP it resolves to
nobind #no fixed local port; the client opens a random port to connect to the server's 1194
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server #require the peer to present a server certificate
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
8.2 Generate the client user's configuration file
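The client directory prepared in 4.10 holds ca.crt, summer.crt and summer.key next to a separate client.ovpn. As an added example (not the tutorial's own client.ovpn, whose contents the page does not show), the following bash script builds one self-contained .ovpn that inlines the three files, so a single file is copied to the Windows client. The options mirror the sample client.conf in 8.1 adjusted to this tutorial's server (proto tcp, no tls-auth; lz4-v2 compression is pushed by the server, so it is not set here). VPN_SERVER_PUBLIC_IP is a placeholder for the server's public address, and the PEM files used for the demonstration are constructed placeholders, not real keys.

```shell
#!/usr/bin/env bash
# Added example (not part of the tutorial): build a single-file client .ovpn that inlines
# ca.crt, <name>.crt and <name>.key from a client directory such as /etc/openvpn/client/summer/.
set -eu

# Copy only the PEM block out of a file, dropping the human-readable text dump that
# easy-rsa writes before "-----BEGIN CERTIFICATE-----" in issued certificates.
pem_only() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Write an inline .ovpn to stdout; fails if any of the three files is missing.
# Usage: build_ovpn <client dir> <client name> <server address> [port] [proto]
build_ovpn() {
  local dir="$1" name="$2" server="$3" port="${4:-1194}" proto="${5:-tcp}" f
  for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
    if [ ! -r "$f" ]; then
      echo "build_ovpn: missing $f" >&2
      return 1
    fi
  done
  cat <<EOF
client
dev tun
proto $proto
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
<ca>
$(pem_only "$dir/ca.crt")
</ca>
<cert>
$(pem_only "$dir/$name.crt")
</cert>
<key>
$(pem_only "$dir/$name.key")
</key>
EOF
}

# Constructed stand-in for /etc/openvpn/client/summer/: placeholder PEM bodies, not real keys.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-BODY\n-----END CERTIFICATE-----\n' > "$demo/ca.crt"
printf 'Certificate:\n    Data:\n        Subject: CN=summer\n-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-BODY\n-----END CERTIFICATE-----\n' > "$demo/summer.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY-BODY\n-----END PRIVATE KEY-----\n' > "$demo/summer.key"

# VPN_SERVER_PUBLIC_IP is a placeholder for the server's public address.
build_ovpn "$demo" summer VPN_SERVER_PUBLIC_IP 1194 tcp > "$demo/summer.ovpn"
```

On the server, `build_ovpn /etc/openvpn/client/summer summer <public IP> 1194 tcp > summer.ovpn` produces the one file to drop into C:\Program Files\OpenVPN\config on the Windows client; because it embeds the private key, transfer it over SSH/SCP rather than e-mail and keep it mode 0600 on the server.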
9 Deploy the OpenVPN client on Win10
9.1 Install the OpenVPN client on Win10
Official client download: https://openvpn.net/community-downloads/
# On Win10, obtain the file below and double-click it to install; follow the prompts and click Next to finish
openvpn-install-2.4.9-I601-Win10.exe
9.2 Prepare the Win10 client configuration
9.2.1 Package the client configuration files
total 0
drwxr-xr-x 2 root root 75 Feb 10 17:37 summer
[root@iZbp1383wskma7aq6jbfgcZ ~]# ll /etc/openvpn/client/summer/
total 20
-rw------- 1 root root 1204 Feb 10 14:06 ca.crt
-rw-r--r-- 1 root root 229 Feb 10 17:37 client.ovpn
-rw------- 1 root root 4492 Feb 10 14:18 summer.crt
-rw------- 1 root root 1704 Feb 10 14:06 summer.key
#Bundle the certificates and config on the openvpn server, download the bundle to the Windows client, and place the files in C:\Program Files\OpenVPN\config on the client
[root@iZbp1383wskma7aq6jbfgcZ ~]# cd /etc/openvpn/client/summer/
[root@iZbp1383wskma7aq6jbfgcZ summer]# pwd
/etc/openvpn/client/summer
[root@iZbp1383wskma7aq6jbfgcZ summer]# tar cf summer.tar ./
tar: ./summer.tar: file is the archive; not dumped
[root@iZbp1383wskma7aq6jbfgcZ summer]# ll
total 40
-rw------- 1 root root 1204 Feb 10 14:06 ca.crt
-rw-r--r-- 1 root root 229 Feb 10 17:37 client.ovpn
-rw------- 1 root root 4492 Feb 10 14:18 summer.crt
-rw------- 1 root root 1704 Feb 10 14:06 summer.key
-rw-r--r-- 1 root root 20480 Feb 10 17:50 summer.tar
[root@iZbp1383wskma7aq6jbfgcZ summer]# tar tf summer.tar ./
./
./ca.crt
./summer.key
./summer.crt
./client.ovpn
[root@iZbp1383wskma7aq6jbfgcZ summer]#
9.2.2 Use the client certificate and configuration file on Win10
Copy the packaged summer.tar file into the C:\Program Files\OpenVPN\config directory on the Win10 client
9.3 Establish the OpenVPN connection from the Win10 client
On the Win10 desktop or in the programs menu, double-click OpenVPN GUI. In the figure below, the right side is the OpenVPN GUI shortcut and the left side is the taskbar icon after it runs; the icon is white by default and turns green after right-clicking it and choosing "Connect", which indicates the connection succeeded.
9.4 Build two web servers to test the VPN
9.4.1 Initial VPN connectivity test
With all of the configuration above in place and the VPN connected, the client machine should be able to ping the IP of the OpenVPN server's internal interface (172.16.40.254 in this lab). At this point we can buy the other two Alibaba Cloud ECS instances, build the web sites and test the VPN.
C:\>ping 172.16.40.254
正在 Ping 172.16.40.254 具有 32 字节的数据:
来自 172.16.40.254 的回复: 字节=32 时间=15ms TTL=64
来自 172.16.40.254 的回复: 字节=32 时间=15ms TTL=64
来自 172.16.40.254 的回复: 字节=32 时间=14ms TTL=64
来自 172.16.40.254 的回复: 字节=32 时间=14ms TTL=64
172.16.40.254 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 14ms,最长 = 15ms,平均 = 14ms
C:\>
9.4.2 Build the two web servers that simulate internal applications
9.4.2.1 Fix the Alibaba Cloud ECS 404 error
On this occasion the CentOS 8.5 ECS instances' yum repositories returned 404 errors; the problem was solved by replacing the repository files under yum.repos.d.
[root@iZbp1a4374akk25r88s2wmZ ~]# yum -y install httpd
Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/CentOS-Linux-epel.repo; Configuration: OptionBinding with id "failovermethod" does not exist
CentOS Linux 8 - AppStream 21 kB/s | 2.3 kB 00:00
Errors during downloading metadata for repository 'appstream':
- Status code: 404 for http://mirrors.cloud.aliyuncs.com/centos/8/AppStream/x86_64/os/repodata/repomd.xml (IP: 100.100.2.148)
Error: Failed to download metadata for repo 'appstream': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
[root@iZbp1a4374akk25r88s2wmZ ~]# ll /etc/yum.repos.d/
total 52
-rw-r--r-- 1 root root 728 Dec 28 23:02 CentOS-Linux-AppStream.repo
-rw-r--r-- 1 root root 713 Dec 28 23:02 CentOS-Linux-BaseOS.repo
-rw-r--r-- 1 root root 1139 Dec 28 23:02 CentOS-Linux-ContinuousRelease.repo
-rw-r--r-- 1 root root 318 Dec 28 23:02 CentOS-Linux-Debuginfo.repo
-rw-r--r-- 1 root root 741 Dec 28 23:02 CentOS-Linux-Devel.repo
-rw-r--r-- 1 root root 226 Dec 28 23:02 CentOS-Linux-epel.repo
-rw-r--r-- 1 root root 713 Dec 28 23:02 CentOS-Linux-Extras.repo
-rw-r--r-- 1 root root 728 Dec 28 23:02 CentOS-Linux-FastTrack.repo
-rw-r--r-- 1 root root 749 Dec 28 23:02 CentOS-Linux-HighAvailability.repo
-rw-r--r-- 1 root root 693 Dec 28 23:02 CentOS-Linux-Media.repo
-rw-r--r-- 1 root root 715 Dec 28 23:02 CentOS-Linux-Plus.repo
-rw-r--r-- 1 root root 733 Dec 28 23:02 CentOS-Linux-PowerTools.repo
-rw-r--r-- 1 root root 898 Dec 28 23:02 CentOS-Linux-Sources.repo
[root@iZbp1a4374akk25r88s2wmZ ~]# tar -zcf yum.repos.d.tar.gz /etc/yum.repos.d/ .
[root@iZbp1a4374akk25r88s2wmZ ~]# ll
total 36
-rw-r--r-- 1 root root 36660 Feb 10 19:33 yum.repos.d.tar.gz
[root@iZbp1a4374akk25r88s2wmZ ~]# rm -rf /etc/yum.repos.d/*
[root@iZbp1a4374akk25r88s2wmZ ~]# ll /etc/yum.repos.d/
total 0
[root@iZbp1a4374akk25r88s2wmZ ~]# vim /etc/yum.repos.d/base.repo
[root@iZbp1a4374akk25r88s2wnZ ~]# cat /etc/yum.repos.d/base.repo
[BaseOS]
name=BaseOS
baseurl=https://mirrors.aliyun.com/centos/$releasever/BaseOS/$basearch/os/
https://repo.huaweicloud.com/centos/$releasever/BaseOS/$basearch/os/
https://mirrors.cloud.tencent.com/centos/$releasever/BaseOS/$basearch/os/
https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/BaseOS/$basearch/os/
http://mirrors.163.com/centos/$releasever/BaseOS/$basearch/os/
http://mirrors.sohu.com/centos/$releasever/BaseOS/$basearch/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1
[AppStream]
name=AppStream
baseurl=https://mirrors.aliyun.com/centos/$releasever/AppStream/$basearch/os/
https://repo.huaweicloud.com/centos/$releasever/AppStream/$basearch/os/
https://mirrors.cloud.tencent.com/centos/$releasever/AppStream/$basearch/os/
https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/AppStream/$basearch/os/
http://mirrors.163.com/centos/$releasever/AppStream/$basearch/os/
http://mirrors.sohu.com/centos/$releasever/AppStream/$basearch/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1
[EPEL]
name=EPEL
baseurl=https://mirrors.aliyun.com/epel/$releasever/Everything/$basearch/
https://repo.huaweicloud.com/epel/$releasever/Everything/$basearch/
https://mirrors.cloud.tencent.com/epel/$releasever/Everything/$basearch/
https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/Everything/$basearch/
https://mirrors.sohu.com/fedora-epel/$releasever/Everything/$basearch/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-$releasever
enabled=1
[extras]
name=extras
baseurl=https://mirrors.aliyun.com/centos/$releasever/extras/$basearch/os/
https://repo.huaweicloud.com/centos/$releasever/extras/$basearch/os/
https://mirrors.cloud.tencent.com/centos/$releasever/extras/$basearch/os/
https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/extras/$basearch/os/
http://mirrors.163.com/centos/$releasever/extras/$basearch/os/
http://mirrors.sohu.com/centos/$releasever/extras/$basearch/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1
[centosplus]
name=centosplus
baseurl=https://mirrors.aliyun.com/centos/$releasever/centosplus/$basearch/os/
https://repo.huaweicloud.com/centos/$releasever/centosplus/$basearch/os/
https://mirrors.cloud.tencent.com/centos/$releasever/centosplus/$basearch/os/
https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/centosplus/$basearch/os/
http://mirrors.163.com/centos/$releasever/centosplus/$basearch/os/
http://mirrors.sohu.com/centos/$releasever/centosplus/$basearch/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[root@iZbp1a4374akk25r88s2wnZ ~]# yum clean all
9.4.2.2 Create and configure the web servers
# Set up web1 172.16.40.100
[root@web1]# yum -y install httpd;hostname -I > /var/www/html/index.html;systemctl enable --now httpd
[root@web1]# echo '这台是阿里云的ip地址 172.16.40.100 内网主机' >> /var/www/html/index.html
# Set up web2 172.16.40.200
[root@web2]# yum -y install httpd;hostname -I > /var/www/html/index.html;systemctl enable --now httpd
[root@web2]# echo '这台是阿里云的ip地址 172.16.40.200 内网主机' >> /var/www/html/index.html
9.5 Verify communication from the Win10 client
9.5.1 Test connectivity from the Win10 client to the servers behind OpenVPN
# web1 172.16.40.100
C:\>ping 172.16.40.100
正在 Ping 172.16.40.100 具有 32 字节的数据:
来自 172.16.40.100 的回复: 字节=32 时间=15ms TTL=63
来自 172.16.40.100 的回复: 字节=32 时间=15ms TTL=63
来自 172.16.40.100 的回复: 字节=32 时间=15ms TTL=63
来自 172.16.40.100 的回复: 字节=32 时间=15ms TTL=63
172.16.40.100 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 15ms,最长 = 15ms,平均 = 15ms
C:\>curl 172.16.40.100
172.16.40.100
这台是阿里云的ip地址 172.16.40.100 内网主机
# web2 172.16.40.200
C:\>ping 172.16.40.200
正在 Ping 172.16.40.200 具有 32 字节的数据:
来自 172.16.40.200 的回复: 字节=32 时间=15ms TTL=63
来自 172.16.40.200 的回复: 字节=32 时间=15ms TTL=63
来自 172.16.40.200 的回复: 字节=32 时间=15ms TTL=63
来自 172.16.40.200 的回复: 字节=32 时间=15ms TTL=63
172.16.40.200 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 15ms,最长 = 15ms,平均 = 15ms
C:\>curl 172.16.40.200
这台是阿里云的ip地址 172.16.40.200 内网主机
9.5.2 Watch the OpenVPN server log
[root@iZbp1383wskma7aq6jbfgcZ ~]# tail /var/log/openvpn/openvpn.log -f -n0
Thu Feb 10 18:16:06 2022 summer/221.226.197.142:45671 Connection reset, restarting [-1]
Thu Feb 10 18:16:06 2022 summer/221.226.197.142:45671 SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Feb 10 18:16:11 2022 TCP connection established with [AF_INET]221.226.197.142:45939
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 TLS: Initial packet from [AF_INET]221.226.197.142:45939, sid=7b3f81c8 4155afea
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 VERIFY OK: depth=0, CN=summer
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_VER=2.4.9
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_PLAT=win
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_PROTO=2
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_NCP=2
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_LZ4=1
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_LZ4v2=1
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_LZO=1
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_COMP_STUB=1
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_COMP_STUBv2=1
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_TCPNL=1
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 peer info: IV_GUI_VER=OpenVPN_GUI_11
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Feb 10 18:16:12 2022 221.226.197.142:45939 [summer] Peer Connection Initiated with [AF_INET]221.226.197.142:45939
Thu Feb 10 18:16:12 2022 summer/221.226.197.142:45939 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Feb 10 18:16:12 2022 summer/221.226.197.142:45939 MULTI: Learn: 10.8.0.6 -> summer/221.226.197.142:45939
Thu Feb 10 18:16:12 2022 summer/221.226.197.142:45939 MULTI: primary virtual IP for summer/221.226.197.142:45939: 10.8.0.6
Thu Feb 10 18:16:13 2022 summer/221.226.197.142:45939 PUSH: Received control message: 'PUSH_REQUEST'
Thu Feb 10 18:16:13 2022 summer/221.226.197.142:45939 SENT CONTROL [summer]: 'PUSH_REPLY,route 172.16.40.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Thu Feb 10 18:16:13 2022 summer/221.226.197.142:45939 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Feb 10 18:16:13 2022 summer/221.226.197.142:45939 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb 10 18:16:13 2022 summer/221.226.197.142:45939 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
[root@iZbp1383wskma7aq6jbfgcZ ~]# cat /var/log/openvpn/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Thu Feb 10 18:36:18 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
summer,221.226.197.142:45939,37334,8514,Thu Feb 10 18:16:11 2022
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,summer,221.226.197.142:45939,Thu Feb 10 18:31:40 2022
GLOBAL STATS
Max bcast/mcast queue length,1
END
[root@iZbp1383wskma7aq6jbfgcZ ~]#
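The two files shown above are what an operator watches after go-live: openvpn-status.log (rewritten once a minute by the status directive) lists who is connected from which real address, and openvpn.log records every certificate check. As an added example (not from the tutorial or from OpenVPN), the following bash script parses both formats: one function summarises connected clients, the other counts VERIFY OK and VERIFY ERROR results per peer address so that repeated failures (an expired or revoked client certificate, or a stranger presenting one) stand out. The sample files are constructed in the same layout as the tutorial's output, using documentation address ranges and made-up client names.

```shell
#!/usr/bin/env bash
# Added example (not part of the tutorial): summarise openvpn-status.log and audit
# certificate verification results in openvpn.log. Sample files are constructed below.
set -eu

# One line per connected client: "<CN> <real address> <bytes received> <bytes sent>".
# Reads the CLIENT LIST block of a status file in OpenVPN's default (version 1) format.
status_clients() {
  awk -F, '
    /^Common Name,Real Address/ { in_list = 1; next }
    /^ROUTING TABLE/            { in_list = 0 }
    in_list && NF >= 5          { print $1, $2, $3, $4 }
  ' "$1"
}

# Per peer address, count successful leaf-certificate checks and failed ones:
# "ok <addr:port> <count> CN=<name>" or "error <addr:port> <count>".
# Log lines look like: "<day> <mon> <dd> <hh:mm:ss> <yyyy> <addr:port> VERIFY OK: depth=0, CN=summer"
verify_summary() {
  awk '
    / VERIFY OK: depth=0,/ { ok[$6]++; cn[$6] = $NF }
    / VERIFY ERROR:/       { err[$6]++ }
    END {
      for (a in ok)  print "ok", a, ok[a], cn[a]
      for (a in err) print "error", a, err[a]
    }
  ' "$1"
}

# Constructed sample files in the tutorial's format (addresses from documentation ranges).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/openvpn-status.log" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Feb 10 18:36:18 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
summer,203.0.113.5:45939,37334,8514,Thu Feb 10 18:16:11 2022
winter,198.51.100.7:51022,1200,900,Thu Feb 10 18:20:03 2022
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,summer,203.0.113.5:45939,Thu Feb 10 18:31:40 2022
10.8.0.10,winter,198.51.100.7:51022,Thu Feb 10 18:30:00 2022
GLOBAL STATS
Max bcast/mcast queue length,1
END
EOF
cat > "$demo/openvpn.log" <<'EOF'
Thu Feb 10 18:16:12 2022 203.0.113.5:45939 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Feb 10 18:16:12 2022 203.0.113.5:45939 VERIFY OK: depth=0, CN=summer
Thu Feb 10 18:20:03 2022 198.51.100.7:51022 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Feb 10 18:20:03 2022 198.51.100.7:51022 VERIFY OK: depth=0, CN=winter
Thu Feb 10 18:21:40 2022 192.0.2.9:40001 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Feb 10 18:21:40 2022 192.0.2.9:40001 VERIFY ERROR: depth=0, error=certificate has expired: CN=autumn
EOF

status_clients "$demo/openvpn-status.log"
verify_summary "$demo/openvpn.log"
```

Against the live server, `status_clients /var/log/openvpn/openvpn-status.log` answers "who is on the VPN right now", and `verify_summary /var/log/openvpn/openvpn.log | grep ^error` is a cheap first check when a client cannot connect after the 180-day certificate lifetime set in the vars file has elapsed.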
9.5.3 Verify connection state on the OpenVPN server
[root@iZbp1383wskma7aq6jbfgcZ ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 464 172.16.40.254:22 221.226.197.142:45910
ESTAB 0 0 172.16.40.254:22 221.226.197.142:44005
ESTAB 0 0 172.16.40.254:22 221.226.197.142:45335
ESTAB 0 96 172.16.40.254:22 221.226.197.142:43023
ESTAB 0 0 172.16.40.254:22 221.226.197.142:43557
ESTAB 0 0 172.16.40.254:22 221.226.197.142:42241
ESTAB 0 0 10.8.0.1:22 10.8.0.6:2748
ESTAB 0 0 172.16.40.254:55118 100.100.30.25:80
ESTAB 0 0 172.16.40.254:1194 221.226.197.142:45939
ESTAB 0 0 172.16.40.254:22 221.226.197.142:44567
[root@iZbp1383wskma7aq6jbfgcZ ~]#
9.5.4 Verify the Win10 client's IP address
C:\>ipconfig
Windows IP 配置
以太网适配器 以太网:
IPv4 地址 . . . . . . . . . . . . : 192.168.244.123
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : fe80::1%20
192.168.244.254
未知适配器 本地连接 2:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::2471:e8a5:b410:f11b%33
IPv4 地址 . . . . . . . . . . . . : 10.8.0.6
子网掩码 . . . . . . . . . . . . : 255.255.255.252
默认网关. . . . . . . . . . . . . :
C:\>
9.5.5 Verify the Win10 client's routing table
C:\>route print
IPv4 路由表
===========================================================================
活动路由:
网络目标 网络掩码 网关 接口 跃点数
0.0.0.0 0.0.0.0 192.168.244.254 192.168.244.123 25
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 281
10.8.0.4 255.255.255.252 在链路上 10.8.0.6 281
10.8.0.6 255.255.255.255 在链路上 10.8.0.6 281
10.8.0.7 255.255.255.255 在链路上 10.8.0.6 281
127.0.0.0 255.0.0.0 在链路上 127.0.0.1 331
127.0.0.1 255.255.255.255 在链路上 127.0.0.1 331
127.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
172.16.40.0 255.255.255.0 10.8.0.5 10.8.0.6 281
192.168.244.0 255.255.255.0 在链路上 192.168.244.123 281
192.168.244.123 255.255.255.255 在链路上 192.168.244.123 281
192.168.244.255 255.255.255.255 在链路上 192.168.244.123 281
224.0.0.0 240.0.0.0 在链路上 127.0.0.1 331
224.0.0.0 240.0.0.0 在链路上 192.168.244.123 281
224.0.0.0 240.0.0.0 在链路上 10.8.0.6 281
255.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
255.255.255.255 255.255.255.255 在链路上 192.168.244.123 281
255.255.255.255 255.255.255.255 在链路上 10.8.0.6 281
===========================================================================
9.5.6 Verify access to Web1 and Web2
9.5.6.1 Open web1 in a browser on the Win10 client
9.5.6.2 Open web2 in a browser on the Win10 client