Because of an actual business need, an OpenVPN service had to be deployed to provide secure remote access.
Official download page: https://community.openvpn.net/openvpn/wiki/Downloads
Installation and deployment
Download and extract
This document demonstrates deployment from the 2.6.2 source package.
[root@cloud-master ~]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.6.2.tar.gz
[root@cloud-master ~]# tar zxf openvpn-2.6.2.tar.gz
Configure kernel parameters
[root@cloud-master ~]# vim /etc/sysctl.d/01-openvpn.conf
# Use the fq queueing discipline to improve network performance.
net.core.default_qdisc=fq
# Maximum listen backlog (accept queue) length for TCP sockets.
net.core.somaxconn=21644
# Disable reverse-path filtering so asymmetric VPN routes are not dropped (this also removes the kernel's anti-spoofing source check; loose mode, rp_filter=2, is the less permissive alternative).
net.ipv4.conf.all.rp_filter=0
# Same setting for interfaces created later (such as tun0).
net.ipv4.conf.default.rp_filter=0
# Enable IP forwarding.
net.ipv4.ip_forward=1
# Use the BBR congestion control algorithm to improve TCP performance; only supported on kernel 4.9 and newer, otherwise leave it commented out.
#net.ipv4.tcp_congestion_control=bbr
# Enable TCP Fast Open.
net.ipv4.tcp_fastopen=3
# Maximum number of connection-tracking entries.
net.netfilter.nf_conntrack_max=1048576
[root@cloud-master ~]# sysctl -p /etc/sysctl.d/01-openvpn.conf
net.core.default_qdisc = fq
net.core.somaxconn = 21644
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.ip_forward = 1
net.ipv4.tcp_fastopen = 3
net.netfilter.nf_conntrack_max = 1048576
Install build dependencies
[root@cloud-master ~]# yum -y install gcc lzo-devel pam-devel epel-release
[root@cloud-master ~]# yum -y install easy-rsa libnl3-devel libcap-ng-devel openssl-devel lz4-devel
Compile and install
[root@cloud-master openvpn-2.6.2]# ./configure --prefix=/usr/local/openvpn --disable-dco
[root@cloud-master openvpn-2.6.2]# make && make install
Configure the server certificates
Copy easy-rsa
[root@cloud-master openvpn-2.6.2]# cp -r /usr/share/easy-rsa/3.0.8/ /usr/local/openvpn/easy-rsa
[root@cloud-master openvpn-2.6.2]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /usr/local/openvpn/easy-rsa/vars
Initialize the PKI
Change into /usr/local/openvpn/easy-rsa/ and run:
[root@cloud-master easy-rsa]# ./easyrsa init-pki
Modify the default configuration
Add or modify the following entries in the vars file:
- EASYRSA_REQ_COUNTRY: country code
- EASYRSA_REQ_PROVINCE: province
- EASYRSA_REQ_CITY: city
- EASYRSA_REQ_ORG: organization name
- EASYRSA_REQ_EMAIL: e-mail address
- EASYRSA_REQ_OU: department (organizational unit) name
- EASYRSA_CRL_DAYS: CRL validity in days
[root@cloud-master easy-rsa]# vi vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Shanghai"
set_var EASYRSA_REQ_ORG "xianyun"
set_var EASYRSA_REQ_EMAIL "admin@lolicp.com"
set_var EASYRSA_REQ_OU "loli"
set_var EASYRSA_CRL_DAYS 365
set_var EASYRSA_CERT_EXPIRE 365
Create the root CA certificate
Without a passphrase:
./easyrsa build-ca nopass
With a passphrase:
The passphrase you enter must be remembered; without it no certificate can be signed.
[root@cloud-master easy-rsa]# ./easyrsa build-ca
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ym68
Your new CA certificate file for publishing is at:
/usr/local/openvpn/easy-rsa/pki/ca.crt
Create the server certificate request
[root@cloud-master easy-rsa]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]:ym68
Keypair and certificate request completed. Your files are:
req: /usr/local/openvpn/easy-rsa/pki/reqs/server.req
key: /usr/local/openvpn/easy-rsa/pki/private/server.key
Create the CRL
Run the following command to generate the CRL:
[root@cloud-master easy-rsa]# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: /usr/local/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /usr/local/openvpn/easy-rsa/pki/easy-rsa-9813.s7A9zh/tmp.4jKoF8
Enter pass phrase for /usr/local/openvpn/easy-rsa/pki/private/ca.key:
An updated CRL has been created.
CRL file: /usr/local/openvpn/easy-rsa/pki/crl.pem
Sign the server certificate
After confirming the request details, enter the passphrase set for the CA.
[root@cloud-master easy-rsa]# ./easyrsa sign server server
Confirm request details: yes
Using configuration from /usr/local/openvpn/easy-rsa/pki/easy-rsa-76808.vH5im8/tmp.Tbd6gT
Enter pass phrase for /usr/local/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'ym68'
Certificate is to be certified until Jun 28 06:35:20 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/openvpn/easy-rsa/pki/issued/server.crt
Generate the Diffie-Hellman parameters
[root@cloud-master easy-rsa]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /usr/local/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /usr/local/openvpn/easy-rsa/pki/dh.pem
Create the ta.key file (the target directory /usr/local/openvpn/ssl/ must already exist; the server certificates are copied there later as well)
[root@cloud-master openvpn]# ./sbin/openvpn --genkey secret /usr/local/openvpn/ssl/ta.key
Configure the client certificates
Create the client certificate request
[root@cloud-master easy-rsa]# ./easyrsa gen-req y-client nopass
Keypair and certificate request completed. Your files are:
req: /usr/local/openvpn/easy-rsa/pki/reqs/y-client.req
key: /usr/local/openvpn/easy-rsa/pki/private/y-client.key
Sign the client certificate
After confirming the request details, enter the passphrase set for the CA.
[root@cloud-master easy-rsa]# ./easyrsa sign client y-client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /usr/local/openvpn/easy-rsa/pki/easy-rsa-80055.a7Yady/tmp.eOCkx8
Enter pass phrase for /usr/local/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'yadmin'
Certificate is to be certified until Jun 28 06:40:54 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/openvpn/easy-rsa/pki/issued/y-client.crt
Revoke a client certificate
After revoking, the CRL (certificate revocation list) must be regenerated, and the new pki/crl.pem copied to /usr/local/openvpn/ssl/ so that the running server checks against it:
./easyrsa revoke <certificate name>
./easyrsa gen-crl
Copy the certificates
Copy the server-side certificates
[root@cloud-master easy-rsa]# cp pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem pki/crl.pem ../ssl/
Download the client certificates (sz transfers the files to the local terminal over ZMODEM; the ta.key file, which the client configuration also needs, must be transferred as well)
[root@cloud-master easy-rsa]# sz pki/ca.crt pki/issued/y-client.crt pki/private/y-client.key
Start OpenVPN
Edit the server configuration, /usr/local/openvpn/server.conf:
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/ssl/ca.crt
cert /usr/local/openvpn/ssl/server.crt
key /usr/local/openvpn/ssl/server.key
dh /usr/local/openvpn/ssl/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /usr/local/openvpn/ssl/ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
# explicit-exit-notify is only valid with proto udp (OpenVPN rejects it under proto tcp), so it stays disabled here
#explicit-exit-notify 1
# Check certificate revocation status against the CRL
crl-verify /usr/local/openvpn/ssl/crl.pem
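Revocation (easyrsa revoke followed by gen-crl, above) only takes effect at the next TLS handshake, because crl-verify is evaluated when a client connects or renegotiates; a session that is already established stays up until then. The following Python script is an added example, not part of the original guide: it cross-checks the status file written by the status directive (default status-version 1 layout) against easy-rsa's pki/index.txt and lists connected clients whose certificate is already revoked, so the operator can terminate those sessions. Both the status file and the index.txt contents are constructed samples.

```python
import re

# Constructed sample of the server's status file (default "status-version 1" layout).
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Sun Apr  2 10:15:02 2023
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
yadmin,192.168.230.50:49122,184320,2097152,Sun Apr  2 09:40:11 2023
ops-laptop,192.168.230.77:51200,4096,8192,Sun Apr  2 10:10:55 2023
ROUTING TABLE
END
"""

# Constructed sample of easy-rsa's pki/index.txt (OpenSSL CA database):
# status (V/R/E), expiry, revocation date (set only for 'R'), serial, file, DN.
INDEX_TXT = (
    "V\t250628063520Z\t\t01\tunknown\t/CN=ym68\n"
    "R\t250628064054Z\t230402100000Z\t02\tunknown\t/CN=yadmin\n"
    "V\t250628070000Z\t\t03\tunknown\t/CN=ops-laptop\n"
)

def revoked_common_names(index_txt):
    """Set of CNs whose index.txt status is 'R' (revoked)."""
    revoked = set()
    for line in index_txt.splitlines():
        fields = line.split("\t")
        if len(fields) == 6 and fields[0] == "R":
            if match := re.search(r"/CN=([^/]+)", fields[5]):
                revoked.add(match.group(1))
    return revoked

def connected_clients(status_log):
    """(cn, real_address, bytes_received, bytes_sent) for each live session."""
    clients, in_list = [], False
    for line in status_log.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_list = True          # header row of the CLIENT LIST section
        elif line.startswith("ROUTING TABLE"):
            break                   # end of the CLIENT LIST section
        elif in_list and line:
            cn, addr, rx, tx, _since = line.split(",", 4)
            clients.append((cn, addr, int(rx), int(tx)))
    return clients

def revoked_but_connected(status_log, index_txt):
    """Sessions that outlived revocation: CN is 'R' in the PKI but still connected."""
    revoked = revoked_common_names(index_txt)
    return [c for c in connected_clients(status_log) if c[0] in revoked]
```

On a live server, read /usr/local/openvpn/openvpn-status.log and /usr/local/openvpn/easy-rsa/pki/index.txt instead of the embedded samples.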
Start the OpenVPN server
[root@cloud-master openvpn]# /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf
Start it as a system service
[root@lolicp ~]# vi /usr/lib/systemd/system/openvpn.service
[Unit]
Description=OpenVPN service
Documentation=https://lolicp.com
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/server.conf
#Restart=on-failure
Restart=always
RestartSec=3
[Install]
WantedBy=multi-user.target
Start the service (run systemctl daemon-reload first so that systemd loads the new unit file, and systemctl enable openvpn if it should start at boot):
systemctl start openvpn
Edit the client configuration
Edit the a.ovpn file and place the ca, key, cert and ta.key files in the same directory as the configuration file.
client
dev tun
proto tcp
remote 192.168.230.201 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert y-client.crt
key y-client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Error notes
Missing lzo
configure: error: lzo enabled but missing
Solution
yum -y install lzo-devel
Missing libpam
configure: error: libpam required but missing
Solution
yum -y install pam-devel
libnl-genl-3.0 error
This error occurs when libnl3-devel is older than 3.4.0 or is not installed.
configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config installed? Must be version 3.4.0 or newer for DCO
Solution
[root@cloud-master openvpn-2.6.2]# yum -y update libnl3-devel
If 3.4.0 or newer cannot be installed, disable DCO instead:
./configure --disable-dco
libcap-ng error
configure: error: libcap-ng package not found. Is the development package and pkg-config installed?
Solution
yum -y install libcap-ng-devel
OpenSSL error
checking additionally if OpenSSL is available and version >= 1.0.2... configure: error: OpenSSL version too old
Solution
yum -y install openssl-devel
LZ4 error
configure: error: No compatible LZ4 compression library found. Consider --disable-lz4
Solution
yum -y install lz4-devel