OpenVPN-2.4.7部署-创建-配置客户端证书

admin

前面有一篇记录了openvpn2.3.4的部署，这次在使用最新版本2.4.7时用的easy-rsa 3.0在配置上和2.*的版本有些不一样，特此做个记录......

一、编译安装OpenVPN

编译或是yum安装openvpn都可以

1.1 安装依赖包、yum源

[root@localhost ~]# yum install openssl-devel lzo-devel pam-devel gcc

[root@localhost ~]# wget -O /etc/yum.repos.d/epel-7.repo  http://mirrors.aliyun.com/repo/epel-7.repo

1.2 下载OpenVPN源码

[root@localhost ~]# wget https://swupdate.openvpn.org/com ... penvpn-2.4.7.tar.gz

1.3 编译安装OpenVPN

[root@localhost ~]# tar xf openvpn-2.4.7.tar.gz [root@localhost ~]# cd openvpn-2.4.7 [root@localhost ~]# ./configure --prefix=/etc/openvpn [root@localhost ~]# make [root@localhost ~]# make install

二、安装easy-rsa

[root@localhost ~]# yum -y install easy-rsa

三、配置服务端3.1 复制文件

[root@localhost ~]# cp -r /usr/share/easy-rsa /etc/openvpn/ [root@localhost ~]# cd /etc/openvpn/easy-rsa/ [root@localhost easy-rsa]# cd 3.0.3/ [root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars [root@localhost 3.0.3]# ls easyrsa openssl-1.0.cnf vars x509-types

3.2 生成证书

创建一个新的PKI和CA

[root@localhost 3.0.3]# pwd /etc/openvpn/easy-rsa/3.0.3 [root@localhost 3.0.3]# ./easyrsa init-pki Note: using Easy-RSA configuration from: ./vars init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki [root@localhost 3.0.3]# ./easyrsa build-ca Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key .............................+++ ........................................................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.IEMW9gptmK' Enter PEM pass phrase:  #设置一个密码（用于ca对之后生成的server和client证书签名时使用，也可以直接回车表示不设置密码） Verifying - Enter PEM pass phrase: #重复一遍 ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  #回车（可以键入回车使用默认的，也可以手动更改 ） CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt 创建时nopass表示不加密 就不会提示Enter PEM pass phrase 例：[root@localhost 3.0.3]# ./easyrsa build-ca nopass

3.3 创建服务端证书

[root@localhost 3.0.3]# ./easyrsa gen-req server nopass Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key ....................................................................................+++ ...................................+++ writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.7O6iK8N5ie' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [server]:  #回车 Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key

3.4 签约服务端证书

给server端证书做签名，首先是对一些信息的确认，可以输入yes，然后输入build-ca时设置的那个密码

[root@localhost 3.0.3]# ./easyrsa sign-req server server Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes  #输入yes确认信息 Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key: #输入创建CA时设置的密码 Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName RINTABLE:'server' Certificate is to be certified until Oct 9 09:39:51 2028 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

3.5 验证证书文件

使用命令验证证书文件，并确保没有错误。出现下面的信息就代表你前面所做的操作是没问题的OpenSSL

[root@localhost 3.0.3]# openssl verify -CAfile pki/ca.crt pki/issued/server.crt pki/issued/server.crt: OK

3.6 创建 Diffie-Hellman

时间会有点长，耐心等待

[root@localhost 3.0.3]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./vars Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ................................................... DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

3.7 服务端配置

[root@localhost 3.0.3]# vim /etc/openvpn/server.conf port 11194 proto tcp dev tun ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/server.crt key /etc/openvpn/server/server.key dh /etc/openvpn/server/dh.pem ;ifconfig-pool-persist /etc/openvpn/ipp.txt client-config-dir /etc/openvpn/ccd server 10.8.0.0 255.255.255.0 push "route 10.8.0.1 255.255.255.0" client-to-client keepalive 20 120 comp-lzo user openvpn group openvpn persist-key persist-tun status      openvpn-status.log log-append  openvpn.log verb 1 mute 20

这里client-config-dir /etc/openvpn/ccd 是客户端的ip范围配置文件

例如：

[root@localhost openvpn]# cat ccd/xfyun-bj-qa1 ifconfig-push 10.8.0.13 10.8.0.14

这里的地址段是255.255.255.252格式的，实例只有两个可用ip，在写配置的时候一定要计算好，否则连接后访问不了该vpn客户端

3.8 拷贝服务器证书

[root@localhost openvpn]# cp easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/server/ [root@localhost openvpn]# cp easy-rsa/3.0.3/pki/private/server.key /etc/openvpn/server/ [root@localhost openvpn]# cp easy-rsa/3.0.3/pki/issued/server.crt /etc/openvpn/server/ [root@localhost openvpn]# cp easy-rsa/3.0.3/pki/dh.pem /etc/openvpn/server/

3.9 创建运行用户

创建openvpn运行用户 openvpn

[root@localhost openvpn]# useradd -s /sbin/nologin openvpn

3.10 启动openvpn

[root@localhost openvpn]# nohup /etc/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &

配置开机启动

[root@localhost openvpn]# echo "nohup /usr/sbin/openvpn --config /etc/openvpn/server.conf" >> /etc/rc.d/rc.local [root@localhost openvpn]# chmod +x /etc/rc.d/rc.local

或者：

[root@localhost openvpn]# cat /usr/lib/systemd/system/openvpn.service [Service] User=root Group=root ExecStart=/etc/openvpn/sbin/openvpn --config /etc/openvpn/server.conf [Install] WantedBy=multi-user.target [Unit] Description=openvpn After=network.target

四、创建客户端证书4.1 创建证书

[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/ [root@localhost 3.0.3]# pwd /etc/openvpn/easy-rsa/3.0.3 [root@localhost 3.0.3]# ./easyrsa gen-req haifly-bj-ops nopass      #客户证书名，无密码 ########################### 生成信息 ########################### Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key ....................................................+++ ............+++ writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/haifly-bj-ops.key.FkrLzXH9Bm' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [haifly-bj-ops]: 回车 Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/haifly-bj-ops.req key: /etc/openvpn/easy-rsa/3.0.3/pki/private/haifly-bj-ops.key ########################### 生成信息 ###########################

4.2 签约客户端证书

[root@localhost 3.0.3]# ./easyrsa sign-req client haifly-bj-ops ########################### 生成信息 ########################### Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject=     commonName                = client Type the word 'yes' to continue, or any other input to abort.   Confirm request details: yes Using configuration from ./openssl-1.0.cnf Check that the request matches the signature Signature ok The Subject Distinguished Name is as follows commonName            :ASN.1 12:'client' Certificate is to be certified until Apr  8 01:54:57 2028 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/haifly-bj-ops.crt ########################### 生成信息 ###########################

4.3 整理证书，把证书拷贝到客户端上

[root@localhost 3.0.3]# cd /etc/openvpn/client/ [root@localhost client]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt ./ [root@localhost client]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/haifly-bj-ops.crt ./ [root@localhost client]# cp /etc/openvpn/3.0.3/pki/private/haifly-bj-ops.key ./

五、配置客户端连接5.1 配置linux客户端

安装客户端、配置

ca证书和密钥文件放在/etc/openvpn/key目录下

[root@haifly-bj-tools1 ~]# yum install -y openvpn [root@haifly-bj-tools1 ~]# cd /etc/openvpn/ [root@haifly-bj-tools1 openvpn]# mkdir key [root@haifly-bj-tools1 openvpn]# cat client.conf client remote 47.94.215.241 11194 proto tcp dev tun resolv-retry infinite nobind persist-key persist-tun ca key/ca.crt cert key/xfyun-bj-tools1.crt key key/xfyun-bj-tools1.key redirect-gateway def1 ns-cert-type server comp-lzo verb 3 route 0.0.0.0 192.0.0.0 net_gateway route 64.0.0.0 192.0.0.0 net_gateway route 128.0.0.0 192.0.0.0 net_gateway route 192.0.0.0 192.0.0.0 net_gateway

开启内核数据包转发功能

[root@haifly-bj-tools1 openvpn]# echo 1 >/proc/sys/net/ipv4/ip_forward [root@haifly-bj-tools1 openvpn]# head -1 /etc/sysctl.conf net.ipv4.ip_forward = 1 [root@haifly-bj-tools1 openvpn]# sysctl -p [root@haifly-bj-tools1 openvpn]# sysctl -a | grep ip_forward net.ipv4.ip_forward = 1 net.ipv4.ip_forward_use_pmtu = 0

启动VPN

[root@haifly-bj-tools1 openvpn]# /etc/init.d/openvpn start Starting openvpn: [ OK ]

配置开机自启动

[root@haifly-bj-tools1 openvpn]# echo "cd /etc/openvpn/" >> /etc/rc.d/rc.local [root@haifly-bj-tools1 openvpn]# echo "nohup openvpn --config client.conf &" >> /etc/rc.d/rc.local

如果使用了防火墙，需要配置iptables数据包转发

一般配置完成后客户端连接后和内网不通，因为没有配置iptables数据包NAT转发

一般先清空iptables策略，配置数据包转发后再添加其他策略（端口限制、IP限制等）

允许客户端ip 10.8.0.0/24网段的和内网通信

iptables -t nat -A POSTROUTING -s 10.8.0.0``/24` `-o eth0 -j MASQUERADE

限制指定客户端IP只能访问指定服务器或服务（上面那条不存在的情况下配置此条策略）

限制客户端IP 10.8.0.6 只能访问内网172.16.206.78服务器

iptables -t nat -A POSTROUTING -s 10.8.0.6``/30` `-o eth0 -d 172.16.206.78 -j MASQUERADE

允许VPN客户端的IP访问指定IP指定端口

iptables -t nat -A POSTROUTING -s 192.168.60.204``/30` `-o eth0 -p tcp --dport 8080 -d 172.16.203.120 -j MASQUERADE``-s 指定客户端IP ccd文件配置的静态IP``-p 指定协议``--dport 指定访问目标端口``-d 指定访问IP地址

查看iptables规则以序号形式显示

iptables -t nat -L -n --line-number

删除序号为几的策略

iptables -t nat -D POSTROUTING 1

5.2 配置windows客户端

客户端软件 openvpn-install-2.4.7-I603.exe

我这边是把客户端相关证书直接写到 client.ovpn 配置文件里，然后通过导入配置文件的方式加载进去

client remote  47.94.215.241 11194 proto tcp dev tun resolv-retry infinite nobind persist-key persist-tun <ca> </ca> <cert> </cert> <key> </key> redirect-gateway def1 ns-cert-type server comp-lzo verb 3 route 0.0.0.0 192.0.0.0 net_gateway route 64.0.0.0 192.0.0.0 net_gateway route 128.0.0.0 192.0.0.0 net_gateway route 192.0.0.0 192.0.0.0 net_gateway

然后点击桌面图标连接OpenVPN GUI

六、证书吊销

如果您的VPN服务器上有多个客户端证书，并且想撤消某些密钥，则只需使用easy-rsa命令撤消。

6.1 撤消客户端密钥

./easyrsa revoke xxxx

6.2 生成CRL密钥

./easyrsa gen-crl

在 pki 目录下会生成一个 crl.pem 文件

6.3 修改 server.conf 打开 crl-verify 选项

vim server.conf crl-verify /etc/openvpn/easy-rsa/3/pki/crl.pem

6.4 重启 openvpn 服务

重启 openvpn 服务后再测试client端连接，已经连不上了，说明销户成功。

往后在吊销客户端证书只需要执行6.1 6.2 6.4步骤即可。