测试环境
CentOS Linux release 7.9.2009 (Core)
[root@instance-22tizof4 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
安装软件
yum install -y easy-rsa openvpn openvpn-auth-ldap
检查是否下载好openvpn依赖
[root@openvpn ~]# rpm -qa |grep openvpn
openvpn-2.4.8-1.el7.x86_64
openvpn-auth-ldap-2.0.3-17.el7.x86_64
其中easy-rsa
主要用来给OpenVPN Server启动要用到的相关证书的生成。
1.创建工作目录用来存放生成证书中要用到的各种文件
mkdir /etc/openvpn/easy-rsa
2.准备证书生成相关文件
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
3.准备生成证书用的CSR
相关配置
cat <<EOF > /etc/openvpn/easy-rsa/vars
#公司信息,根据情况自定义
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
#证书有效期
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
EOF
4.生成CA
证书
cd /etc/openvpn/easy-rsa/
./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
./easyrsa build-ca
[root@openvpn easy-rsa]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: #设置一个密码,下面给证书签名时会用到
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
..................................................................................................................................................................................................................................................................+++
.................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:设置CN,直接回车使用默认:Easy-RSA CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
5.生成服务端证书
./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.......................+++
........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.VWbGpsGSpM'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:设置CN,直接回车使用默认:server
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
6.使用CA
给服务端证书签名
./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #输入yes确认
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
#输入上边步骤4中生成CA时设置的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Apr 2 04:27:27 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
7.生成DH
证书
./easyrsa gen-dh
8.生成ta密钥
openvpn --genkey --secret /etc/openvpn/ta.key
9.将生成的密钥和证书放在 /etc/openvpn/ 下方便管理
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
配置
1.配置服务文件
主配置文件:/etc/openvpn/server.conf
cat > /etc/openvpn/server.conf <<EOF
local 0.0.0.0
port 1194
proto udp
dev tun
user openvpn
group openvpn
ca ca.crt
cert server.crt
key server.key
dh dh.pem
#客户端地址池
server 192.168.255.0 255.255.255.0
#内网网段
push "route 172.16.0.0 255.240.0.0"
ifconfig-pool-persist ipp.txt
#心跳检测,10秒检测一次,2分钟内没有回应则视为断线
keepalive 10 120
#服务端值为0,客户端为1
tls-auth ta.key 0
cipher AES-256-CBC
#传输数据压缩
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
verify-client-cert none
EOF
2.配置LDAP
认证:/etc/openvpn/auth/ldap.conf
cat > /etc/openvpn/auth/ldap.conf <<EOF
<LDAP>
URL ldap://127.0.0.1
BindDN cn=root,dc=tan4j,dc=com
Password 密码
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "ou=users,dc=tan4j,dc=com"
SearchFilter "uid=%u"
RequireGroup false
<Group>
BaseDN "cn=users,dc=tan4j,dc=com"
SearchFilter "(objectClass=groupOfUniqueNames)"
MemberAttribute uniqueMember
</Group>
</Authorization>
EOF
启动服务
systemctl start openvpn@server
systemctl enable openvpn@server
开启内核转发和SNAT
开启内核转发
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
Iptables开启SNAT
iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
192.168.255.0/24 为openvpn
分给客户端的地址,即openvpn
配置文件中server 192.168.255.0 255.255.255.0
指定的。
客户端配置
client
dev tun
#协议与sever保持一致
proto udp
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
#与server保持一致
comp-lzo
explicit-exit-notify 1
verb 3
#开启密码认证
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
#将server上ca.crt文件内容拷贝过来
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#将server上ta.key文件内容拷贝到这里
-----END OpenVPN Static key V1-----
</tls-auth>
测试
通过openvpn连接成功,访问内网服务被拒绝.
防火墙对虚拟网络增加白名单放行
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.255.0/24" accept' --permanent
firewall-cmd --reload
测试服务可以通过内网访问.
Comments | NOTHING