制作证书:
- 安装:
yum -y install easy-rsa - 创建文件夹:
mkdir server mkdir client - 拷贝文件:
\cp -a /usr/share/easy-rsa/3.*/* /path/to/server \cp -a /usr/share/easy-rsa/3.*/* /path/to/client - 进入server目录:
cd server - 初始化:
./easyrsa init-pki - 创建根证书(需输入密码):
./easyrsa build-ca - 创建server端证书:
./easyrsa gen-req server nopass - 给server端证书签名:
./easyrsa sign server server - 创建dh:
./easyrsa gen-dh - 进入client目录:
cd client - 初始化:
./easyrsa init-pki - 创建client端证书:
./easyrsa gen-req client nopass - 回到server目录:
cd server - 导入client端证书:
./easyrsa import-req /path/to/client/pki/reqs/client.req client - 给client端证书签名:
./easyrsa sign client client - 所需文件:
# server端 server/pki/ca.crt server/pki/private/server.key server/pki/issued/server.crt server/pki/dh.pem # client端 server/pki/ca.crt server/pki/issued/client.crt client/pki/private/client.key
- 安装:
服务端:
- 安装:
yum -y install openvpn - 创建文件夹:
mkdir /etc/openvpn/{server,client} - 复制证书文件:
cp /path/to/ca.crt /etc/openvpn/server/ca.crt cp /path/to/server.crt /etc/openvpn/server/server.crt cp /path/to/server.key /etc/openvpn/server/server.key cp /path/to/dh.pem /etc/openvpn/server/dh.pem - 进入openvpn目录:
cd /etc/openvpn - 修改配置文件:
vim server.confport 1337 proto udp dev tun ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/server.crt key /etc/openvpn/server/server.key dh /etc/openvpn/server/dh.pem server 100.100.100.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 114.114.114.114" push "dhcp-option DNS 8.8.4.4" duplicate-cn keepalive 10 30 comp-lzo persist-key client-to-client persist-tun daemon log-append /var/log/openvpn/openvpn.log verb 3 script-security 3 auth-user-pass-verify /etc/openvpn/checkpwd.sh via-env username-as-common-name - 创建日志文件:
mkdir -p /var/log/openvpn touch /var/log/openvpn/openvpn.log touch /var/log/openvpn/passwd.log - 创建密码验证脚本:
vim checkpwd.sh#!/bin/sh PASSFILE="/etc/openvpn/passwd" LOG_FILE="/var/log/openvpn/passwd.log" TIME_STAMP=`date "+%Y-%m-%d %T"` if [ ! -r "${PASSFILE}" ]; then echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE} exit 1 fi CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}` if [ "${CORRECT_PASSWORD}" = "" ]; then echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1 fi if [ "${password}" = "${CORRECT_PASSWORD}" ]; then echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE} exit 0 fi echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1 - 修改密码验证文件的权限:
chmod +x checkpwd.sh - 创建用户名、密码文件:
vim passwdtest_user test_pass - 启动:
systemctl start openvpn@server
- 安装:
客户端:
- 安装openvpn:
yum -y install openvpn - 从server端拷贝文件:
scp root@x.x.x.x:/path/to/{ca.crt,client.crt,client.key} /etc/openvpn/ - 创建配置文件:
vim /etc/open/client.ovpnclient dev tun proto udp remote x.x.x.x 1337 resolv-retry infinite nobind persist-key persist-tun auth-user-pass mute-replay-warnings remote-cert-tls server comp-lzo ca /etc/openvpn/ca.crt cert /etc/openvpn/client.crt key /etc/openvpn/client.key - 进入目录:
cd /etc/openvpn/ - 连接(需输入用户名和密码):
openvpn client.ovpn
- 安装openvpn:
文档更新时间: 2024-04-20 10:57 作者:lee
