由于实际需要,需部署openvpn服务来实现远程安全访问。
官方下载地址:https://community.openvpn.net/openvpn/wiki/Downloads

安装部署

下载并解压

本文档演示2.6.2版本安装包部署

[root@cloud-master ~]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.6.2.tar.gz
[root@cloud-master ~]# tar zxf openvpn-2.6.2.tar.gz
配置内核
[root@cloud-master ~]# vim /etc/sysctl.d/01-openvpn.conf
# 使用fq队列算法来提高网络性能。
net.core.default_qdisc=fq
# 设置TCP连接的最大队列长度。
net.core.somaxconn=21644
# 关闭反向路径过滤。
net.ipv4.conf.all.rp_filter=0
# 关闭反向路径过滤。
net.ipv4.conf.default.rp_filter=0
# 开启IP转发。
net.ipv4.ip_forward=1
# 使用BBR拥塞控制算法来提高TCP性能,内核版本4.9以上才能支持,否则注释。
#net.ipv4.tcp_congestion_control=bbr
# 开启TCP快速打开。
net.ipv4.tcp_fastopen=3
# 设置最大连接跟踪数目。
net.netfilter.nf_conntrack_max=1048576
[root@cloud-master ~]# sysctl -p /etc/sysctl.d/01-openvpn.conf
net.core.default_qdisc = fq
net.core.somaxconn = 21644
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1
net.ipv4.tcp_fastopen = 3
net.netfilter.nf_conntrack_max = 1048576
初始化依赖
[root@cloud-master ~]# yum -y install gcc lzo-devel pam-devel epel-release
[root@cloud-master ~]# yum -y install easy-rsa libnl3-devel libcap-ng-devel openssl-devel lz4-devel
编译安装
[root@cloud-master openvpn-2.6.2]# ./configure --prefix=/usr/local/openvpn --disable-dco
[root@cloud-master openvpn-2.6.2]# make && make install

配置服务端证书

拷贝easy-rsa
[root@cloud-master openvpn-2.6.2]# cp -r /usr/share/easy-rsa/3.0.8/ /usr/local/openvpn/easy-rsa
[root@cloud-master openvpn-2.6.2]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /usr/local/openvpn/easy-rsa/vars
初始化pki

进入/usr/local/openvpn/easy-rsa/进行操作

[root@cloud-master easy-rsa]# ./easyrsa init-pki
修改默认配置

vars文件中新增或修改如下内容:

  • EASYRSA_REQ_COUNTRY:国家代码
  • EASYRSA_REQ_PROVINCE:省份
  • EASYRSA_REQ_CITY:城市
  • EASYRSA_REQ_ORG:组织名称
  • EASYRSA_REQ_EMAIL:电子邮件地址
  • EASYRSA_REQ_OU:部门名称
  • EASYRSA_CRL_DAYS: crl有效天数
[root@cloud-master easy-rsa]# vi vars 
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Shanghai"
set_var EASYRSA_REQ_ORG "xianyun"
set_var EASYRSA_REQ_EMAIL "admin@lolicp.com"
set_var EASYRSA_REQ_OU "loli"
set_var EASYRSA_CRL_DAYS 365
set_var EASYRSA_CERT_EXPIRE 365
创建根证书
无密码
./easyrsa build-ca nopass
有密码生成

输入的密码需记住,否则无法签约证书

[root@cloud-master easy-rsa]# ./easyrsa build-ca
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ym68
Your new CA certificate file for publishing is at:
/usr/local/openvpn/easy-rsa/pki/ca.crt
创建服务器端证书
[root@cloud-master easy-rsa]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]:ym68

Keypair and certificate request completed. Your files are:
req: /usr/local/openvpn/easy-rsa/pki/reqs/server.req
key: /usr/local/openvpn/easy-rsa/pki/private/server.key
创建crl

执行以下命令生成 CRL:

[root@cloud-master easy-rsa]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: /usr/local/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /usr/local/openvpn/easy-rsa/pki/easy-rsa-9813.s7A9zh/tmp.4jKoF8
Enter pass phrase for /usr/local/openvpn/easy-rsa/pki/private/ca.key:

An updated CRL has been created.
CRL file: /usr/local/openvpn/easy-rsa/pki/crl.pem
签约服务端证书

确认继续后输入CA所设的密码

[root@cloud-master easy-rsa]# ./easyrsa sign server server
  Confirm request details: yes
Using configuration from /usr/local/openvpn/easy-rsa/pki/easy-rsa-76808.vH5im8/tmp.Tbd6gT
Enter pass phrase for /usr/local/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'ym68'
Certificate is to be certified until Jun 28 06:35:20 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /usr/local/openvpn/easy-rsa/pki/issued/server.crt
创建Diffie-Hellman
[root@cloud-master easy-rsa]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /usr/local/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /usr/local/openvpn/easy-rsa/pki/dh.pem
创建ta.key文件
[root@cloud-master openvpn]# ./sbin/openvpn --genkey secret /usr/local/openvpn/ssl/ta.key

配置客户端证书

创建客户端证书
[root@cloud-master easy-rsa]# ./easyrsa gen-req y-client nopass
Keypair and certificate request completed. Your files are:
req: /usr/local/openvpn/easy-rsa/pki/reqs/y-client.req
key: /usr/local/openvpn/easy-rsa/pki/private/y-client.key
签约客户端证书

确认继续后输入CA所设的密码

[root@cloud-master easy-rsa]# ./easyrsa sign client y-client
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /usr/local/openvpn/easy-rsa/pki/easy-rsa-80055.a7Yady/tmp.eOCkx8
Enter pass phrase for /usr/local/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'yadmin'
Certificate is to be certified until Jun 28 06:40:54 2025 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /usr/local/openvpn/easy-rsa/pki/issued/y-client.crt
吊销客户端证书

吊销后需要更新crl证书吊销列表

./easyrsa revoke 证书名字
./easyrsa gen-crl

拷贝证书

拷贝服务端证书
[root@cloud-master easy-rsa]# cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem pki/crl.pem ../ssl/
下载客户端证书
[root@cloud-master easy-rsa]# sz pki/ca.crt pki/issued/y-client.crt pki/private/y-client.key

启动openvpn

编辑server配置
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/ssl/ca.crt
cert /usr/local/openvpn/ssl/server.crt
key /usr/local/openvpn/ssl/server.key
dh /usr/local/openvpn/ssl/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /usr/local/openvpn/ssl/ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
# 验证证书状态
crl-verify /usr/local/openvpn/ssl/crl.pem
启动openvpn服务端
[root@cloud-master openvpn]# /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf
系统服务启动
[root@lolicp ~]# vi /usr/lib/systemd/system/openvpn.service

[Unit]
Description=OpenVPN service
Documentation=https://lolicp.com
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf
#Restart=on-failure
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target

执行启动

systemctl start openvpn

编辑客户端配置

编辑a.vopn文件,将ca、key、cert、ta.key证书密钥文件拷贝至配置文件下。

client
dev tun
proto tcp
remote 192.168.230.201 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert y-client.crt
key y-client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

报错记录

缺失lzo
configure: error: lzo enabled but missing

解决办法

yum -y install lzo-devel
缺失libpam
configure: error: libpam required but missing

解决办法

yum -y install pam-devel
libnl-genl-3.0错误

该报错缘由是libnl3-devel版本低于3.4.0或未安装导致的报错。

configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config installed? Must be version 3.4.0 or newer for DCO

解决办法

[root@cloud-master openvpn-2.6.2]# yum -y update libnl3-devel

如无法安装3.4.0或更高版本,则禁用dco

./configure --disable-dco
libcap-ng错误
configure: error: libcap-ng package not found. Is the development package and pkg-config installed?

解决办法:

yum -y install libcap-ng-devel
OpenSSL错误
checking additionally if OpenSSL is available and version >= 1.0.2... configure: error: OpenSSL version too old

解决办法

yum -y install openssl-devel
LZ4错误
configure: error: No compatible LZ4 compression library found. Consider --disable-lz4

解决办法

yum -y install lz4-devel
END

本文标题:Centos7上OpenVPN2.6服务安装部署

本文作者:宇宙最帅的男人

本文链接:https://lolicp.com/linux/202326135.html

版权声明:转载或者引用本文内容请注明来源及原作者,本文著作权归 (lolicp.com) 所有。

除非另有说明,本作品采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议

最后修改:2024 年 07 月 19 日
如果觉得我的文章对你有用,请随意赞赏