制作证书:
- 安装:
# easy-rsa 3 ships the ./easyrsa CLI used by every step below
yum install -y easy-rsa
- 创建文件夹:
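# One working directory per side. The two commands were run together on one
# line, which would also create a stray directory literally named "mkdir";
# -p lets the step be re-run safely.
mkdir -p server client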
- 拷贝文件:
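# Copy the easy-rsa 3 tree into each working directory (one cp per target;
# the two invocations must not be joined on one line). The leading backslash
# bypasses any interactive "cp -i" alias. -a keeps file modes intact.
\cp -a /usr/share/easy-rsa/3.*/* /path/to/server
\cp -a /usr/share/easy-rsa/3.*/* /path/to/client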
- 进入server目录:
# All server-side PKI work (CA, server cert, DH, signing) happens in this copy
cd server
- 初始化:
# Creates the empty server/pki/ tree that the later steps populate
./easyrsa init-pki
- 创建根证书(需输入密码):
# Creates server/pki/ca.crt and the CA private key. The passphrase entered here
# protects the CA key and is prompted for again on every "sign" step below.
./easyrsa build-ca
- 创建server端证书:
# nopass: the server key has no passphrase so the daemon can start unattended;
# keep server/pki/private/server.key readable by root only
./easyrsa gen-req server nopass
- 给server端证书签名:
# Signs the request as a *server* certificate -> server/pki/issued/server.crt
# (the "server" type is what the client's "remote-cert-tls server" checks for)
./easyrsa sign server server
- 创建dh:
# Generates server/pki/dh.pem; this can take several minutes
./easyrsa gen-dh
- 进入client目录:
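# The previous steps ran inside ./server, so the client directory is a sibling,
# not a child: a bare "cd client" fails from there.
cd ../client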
- 初始化:
# Separate PKI for the client side; only a request is generated here, the CA
# stays on the server side
./easyrsa init-pki
- 创建client端证书:
# Produces client/pki/reqs/client.req and client/pki/private/client.key;
# nopass means the client key is unencrypted on disk
./easyrsa gen-req client nopass
- 回到server目录:
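# Back to the server-side PKI; it is a sibling of ./client, so "cd server"
# from inside the client directory would fail.
cd ../server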
- 导入client端证书:
# Copies the client's request into the server PKI so the CA here can sign it;
# the last argument is the name used by the following "sign" step
./easyrsa import-req /path/to/client/pki/reqs/client.req client
- 给client端证书签名:
# Signs it as a *client* certificate -> server/pki/issued/client.crt
./easyrsa sign client client
- 所需文件:
# server端
server/pki/ca.crt
server/pki/private/server.key
server/pki/issued/server.crt
server/pki/dh.pem
# client端
server/pki/ca.crt
server/pki/issued/client.crt
client/pki/private/client.key
- 安装:
服务端:
- 安装:
# Server-side OpenVPN package (provides the openvpn@<name> systemd unit)
yum install -y openvpn
- 创建文件夹:
# Keep server-side certificate material under its own directory
mkdir /etc/openvpn/server /etc/openvpn/client
- 复制证书文件:
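# One cp per file (they were joined on one line above, which is not a valid
# command). /path/to/ stands for the easy-rsa output listed earlier.
cp /path/to/ca.crt /etc/openvpn/server/ca.crt
cp /path/to/server.crt /etc/openvpn/server/server.crt
cp /path/to/server.key /etc/openvpn/server/server.key
cp /path/to/dh.pem /etc/openvpn/server/dh.pem
# The server key was generated with "nopass"; make sure only root can read it
chmod 600 /etc/openvpn/server/server.key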
- 进入openvpn目录:
# server.conf, checkpwd.sh and passwd below are all created in this directory
cd /etc/openvpn
- 修改配置文件:
# Creates /etc/openvpn/server.conf with the directives shown below; this is the
# file that "systemctl start openvpn@server" loads
vim server.conf
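# /etc/openvpn/server.conf -- one directive per line (OpenVPN does not accept
# the whole configuration on a single line).
port 1337
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
# VPN subnet handed to clients
server 100.100.100.0 255.255.255.0
# Route all client traffic through the tunnel and push resolvers
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.4.4"
# duplicate-cn allows several concurrent sessions under the same certificate
# name; together with username-as-common-name that means several sessions
# per username.
duplicate-cn
keepalive 10 30
# comp-lzo is deprecated in current OpenVPN releases and compression on a VPN
# link is known to weaken confidentiality; the client config must match, so
# remove it on both sides if the clients do not need it.
comp-lzo
persist-key
# Lets clients reach each other over the VPN; drop this if clients should
# only reach the server/Internet.
client-to-client
persist-tun
daemon
log-append /var/log/openvpn/openvpn.log
verb 3
# script-security 3 is what permits via-env below: the client's username and
# password are handed to checkpwd.sh through environment variables (the script
# reads ${username} and ${password}).
script-security 3
auth-user-pass-verify /etc/openvpn/checkpwd.sh via-env
username-as-common-name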
- 创建日志文件:
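# Log directory and the two log files referenced by server.conf and
# checkpwd.sh (three commands; they were joined on one line above).
mkdir -p /var/log/openvpn
touch /var/log/openvpn/openvpn.log
touch /var/log/openvpn/passwd.log
# passwd.log records authentication attempts for every VPN user; keep it
# readable by root only
chmod 600 /var/log/openvpn/passwd.log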
- 创建密码验证脚本:
# Creates /etc/openvpn/checkpwd.sh, the auth-user-pass-verify hook named in
# server.conf, with the script shown below
vim checkpwd.sh
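#!/bin/sh
# OpenVPN auth-user-pass-verify hook, invoked with "via-env": OpenVPN exports
# the client's credentials as the environment variables username and password.
# Exit 0 accepts the login, any other status rejects it.
#
# Password file format: one "username password" per line; lines starting with
# '#' or ';' are ignored.
PASSFILE="/etc/openvpn/passwd"
LOG_FILE="/var/log/openvpn/passwd.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

# log MESSAGE -- append one time-stamped line to LOG_FILE.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# The username is client-supplied. It is read from the environment inside awk
# (ENVIRON) instead of being spliced into the awk program text, so a crafted
# username cannot change the program; the original quoting also broke on
# usernames containing spaces or quotes.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

# The submitted password is deliberately never written to the log: the log
# file persists long after the attempt and the value may be a real password
# mistyped for another account.
if [ -z "${CORRECT_PASSWORD}" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1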
- 修改密码验证文件的权限:
# OpenVPN executes the hook directly, so it must be executable; no "user"
# directive is set in server.conf, so it runs with the daemon's (root) rights
chmod +x checkpwd.sh
- 创建用户名、密码文件:
# Creates /etc/openvpn/passwd, read by checkpwd.sh. It holds plaintext
# passwords; restrict it to root (chmod 600) once written.
vim passwd
# username password   (lines starting with '#' or ';' are skipped by checkpwd.sh)
test_user test_pass
- 启动:
# The "server" instance name selects /etc/openvpn/server.conf written above
systemctl start openvpn@server
- 安装:
客户端:
- 安装openvpn:
# Client side uses the same package; only the config differs
yum install -y openvpn
- 从server端拷贝文件:
# Fetch the three client-side files over ssh. The brace expansion assumes all
# three sit in one remote directory; per the file list in the certificate
# section they actually come from server/pki/, server/pki/issued/ and
# client/pki/private/, so collect them first or run one scp per file.
# client.key is the client's private key; keep it root-readable only.
scp root@x.x.x.x:/path/to/{ca.crt,client.crt,client.key} /etc/openvpn/
- 创建配置文件:
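# The path was missing "vpn": the later steps cd into /etc/openvpn/ and run
# "openvpn client.ovpn" there, so the file must live in /etc/openvpn/.
vim /etc/openvpn/client.ovpn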
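# /etc/openvpn/client.ovpn -- one directive per line (OpenVPN does not accept
# the whole configuration on a single line).
client
dev tun
proto udp
# x.x.x.x is the server's public address; 1337 matches "port 1337" in server.conf
remote x.x.x.x 1337
resolv-retry infinite
nobind
persist-key
persist-tun
# Prompts for the username/password that the server's checkpwd.sh verifies
auth-user-pass
mute-replay-warnings
# Only accept a peer certificate issued as a *server* certificate by ca.crt,
# so another client certificate from the same CA cannot impersonate the server
remote-cert-tls server
# Must match the server's comp-lzo setting; see the server.conf note about
# removing compression on both sides.
comp-lzo
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key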
- 进入目录:
# client.ovpn is referenced by a relative path in the next step
cd /etc/openvpn/
- 连接(需输入用户名和密码):
# A bare file argument is treated by openvpn as --config; the username and
# password are prompted for because of auth-user-pass in client.ovpn
openvpn --config client.ovpn
- 安装openvpn:
文档更新时间: 2024-04-20 10:57 作者:lee