1. Update the system so it is fully current (this step can take a while)
apt-get update
apt-get upgrade -y
2. Install openvpn and easy-rsa
apt-get install openvpn easy-rsa libssl-dev
3. Use easy-rsa to set up the certificates
cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/
cp vars.example vars
3.1 Configure the parameters
vim vars
Append the following at the end of the file:
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "INDIA"
set_var EASYRSA_REQ_PROVINCE "Gujarat"
set_var EASYRSA_REQ_CITY "Junagadh"
set_var EASYRSA_REQ_ORG "Atlantic CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "admin@atlantic.net"
set_var EASYRSA_REQ_OU "Atlantic EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "Atlantic CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
Note: the REQ_* values above can be changed to your own or left as they are. Because EASYRSA_DN is "cn_only", they are not written into the certificates anyway; if you switch the DN mode to "org", EASYRSA_REQ_COUNTRY must be a two-letter ISO country code (for example "IN"), since OpenSSL rejects longer values. Save and exit when done.
3.2 Initialize the PKI
./easyrsa init-pki
Output:
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
3.3 Build the certificate authority that will issue the certificates
./easyrsa build-ca nopass
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
..................................................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
139636302492992:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Note: press Enter at the Common Name prompt to accept the default. The output above was captured from a run without nopass, which is why it asks for a CA key passphrase (and why the sign-req steps below prompt for it); with nopass the CA key is written unencrypted and no passphrase is requested. For anything beyond a lab, keep the passphrase and store ca.key offline: whoever holds it can issue certificates that your server will accept. The "Can't load .../pki/.rnd into RNG" lines are a harmless OpenSSL 1.1.1 warning. The command produces two files, ca.key and ca.crt, which are used to sign the server and client certificates.
4. Create the server certificate request
./easyrsa gen-req atlantic-server nopass
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
.............................+++++
...+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/atlantic-server.key.IMonKybM0y'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [atlantic-server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/atlantic-server.req
key: /etc/openvpn/easy-rsa/pki/private/atlantic-server.key
This generates a private key and a certificate signing request for the server.
5. Sign the server request with the certificate authority
./easyrsa sign-req server atlantic-server
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
    commonName                = atlantic-server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'atlantic-server'
Certificate is to be certified until Jun 29 11:43:05 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/atlantic-server.crt
5.1 Verify the issued certificate against the CA
openssl verify -CAfile pki/ca.crt pki/issued/atlantic-server.crt
Output:
pki/issued/atlantic-server.crt: OK
Because the request was signed with the "server" type, the certificate also carries the TLS Web Server Authentication extended key usage; clients that set remote-cert-tls server rely on that extension to tell the real server apart from any other certificate this CA has issued.
5.2 Run the following command to generate strong Diffie-Hellman parameters for the TLS key exchange (this is a parameter file, not a key)
./easyrsa gen-dh
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+...........................+............................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
5.3 Once all the certificate files exist, copy them to the /etc/openvpn/server/ directory
cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/atlantic-server.key /etc/openvpn/server/
cp pki/issued/atlantic-server.crt /etc/openvpn/server/
Only root needs to read atlantic-server.key; check its permissions after copying, since the server drops to nobody only after the key has been loaded.
6. Generate the client certificate and key
./easyrsa gen-req client nopass
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
...+++++
........+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.JmBal6cmr8'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key
6.1 Sign the client request with your certificate authority
./easyrsa sign-req client client
Output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 365 days:

subject=
    commonName                = client

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Jun 29 11:46:58 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
6.2 Copy the client certificate and key files to the /etc/openvpn/client/ directory
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
Note: this guide issues a single certificate named "client". If several people or devices will connect, repeat gen-req and sign-req once per user with a distinct name instead of sharing this one; a shared certificate cannot be revoked for one user without cutting off everyone.
7. Configure the OpenVPN server
I won't copy the sample configuration file here; I'll create the file directly.
vim /etc/openvpn/server.conf
Contents:
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/atlantic-server.crt
key /etc/openvpn/server/atlantic-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
# The source listed a second suite after this one that was cut off ("TLS-DHE-RSA-WITH-AES-256-");
# a truncated name is not a valid cipher suite, so only the complete suite is kept here.
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
Note: adjust the fields to your own situation. Three of them deserve a second look. duplicate-cn lets several clients connect with the same certificate; it is only needed because step 6 issued a single "client" certificate, and it means a leaked key cannot be revoked without locking everyone out. compress lz4 turns on compression inside the encrypted tunnel, which the OpenVPN project advises against because of VORACLE-style compression attacks; leave it out unless you need it, and whatever you choose must be identical on the client. cipher AES-256-CBC works, but AES-256-GCM is the better choice (OpenVPN 2.4 peers negotiate a GCM cipher by default anyway). Consider also adding a tls-crypt key so the server drops control-channel packets from anyone who does not hold it.
8. Start the OpenVPN server and enable it at boot
systemctl start openvpn@server
systemctl enable --now openvpn@server
systemctl status openvpn@server
Once the OpenVPN service has started successfully it creates a new network interface named tun0. You can verify this with:
ip a show tun0
Output:
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::5f83:99a:30d:eb0/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
The server side is now set up.
9. Create the client configuration file
vim /etc/openvpn/client/client.ovpn
Contents:
client
dev tun
proto udp
remote your-vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
# The source listed a second suite after this one that was cut off ("TLS-DHE-RSA-WITH-AES-256-");
# only the complete suite is kept, matching the server configuration above.
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Note: the cipher, auth, tls-version-min, tls-cipher and compress settings must match the server's. remote can be your public IP address or a domain name. ca, cert and key are relative paths, resolved from the directory the client is started in. Add remote-cert-tls server to this file: without it the client accepts any certificate signed by this CA, so anyone holding another certificate from it (for example another client's) could impersonate the server.
10. Configure the firewall so clients can reach the internal network and the internet
10.1 Enable IP forwarding
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
10.2 Apply the setting
sysctl -p
10.3 Allow the OpenVPN port through the firewall
ufw allow 1194/udp
Note: any other ports you need must be allowed the same way. If you are connected over SSH, pay particular attention to port 22: once the firewall is enabled you may otherwise lose your SSH session.
10.4 Find the interface that carries the default route (needed for the NAT rule below)
ip route | grep default
Output:
default via X.X.X.X dev eth0 proto static
Note: your address and interface name will differ from mine; remember your interface name.
10.5 Update the UFW rules to add NAT
vim /etc/ufw/before.rules
Contents (insert this before the *filter line, not at the end of the file):
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients to the public server interface eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Note: the subnet and interface here must match your configuration or clients will have no internet access. The server directive in step 7 hands out 10.8.0.0/24, so the source must be 10.8.0.0/24; the original wrote 10.8.0.0/8, which the kernel reads as 10.0.0.0/8 and which would masquerade every 10.x.x.x source, not just VPN clients.
10.6 Now edit the ufw defaults so forwarded packets are allowed
sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
10.7 Reload ufw
ufw reload
Note: DEFAULT_FORWARD_POLICY="ACCEPT" forwards between every pair of interfaces on the host. The ufw in Ubuntu 20.04 (0.36) also accepts route rules, so a narrower option is to leave the policy at DROP and allow forwarding only from tun0 out to eth0 with a ufw route allow rule.
If you have not enabled the firewall yet, enable it with:
ufw enable
Check the firewall status:
ufw status
Start UFW at boot:
systemctl enable --now ufw
At this point OpenVPN is set up on Ubuntu 20.04. Package the /etc/openvpn/client directory, copy it to the client machine and connect with an OpenVPN client. client.key is a private key: move it over an authenticated channel such as scp or sftp, never by plain HTTP or e-mail, and remove the copy from the server once it has been handed out.
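As an added example (my own code, not part of the original post), the following Python script checks the three hand-written artifacts from steps 7, 9 and 10 the way a reviewer would: it parses the security-relevant lines of server.conf and client.ovpn (embedded here as constructed copies, with the truncated tls-cipher entry reproduced as it appeared in the source), confirms the directives that must agree on both ends actually do, lists the settings questioned in the notes above, and shows why the 10.8.0.0/8 MASQUERADE source does not mean what it looks like. Only the standard library is used; nothing is read from /etc.

```python
"""Added example: sanity-check an OpenVPN server.conf, client.ovpn and ufw NAT rule."""
import ipaddress
import re
import shlex

# Constructed copies of the security-relevant lines from the page's configs.
# The second tls-cipher entry is kept exactly as it appeared in the source (cut off).
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 114.114.114.114"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-
auth SHA512
compress lz4
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote your-vpn-server-ip 1194
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-
compress lz4
"""

# The MASQUERADE line from the page's before.rules, before correction.
NAT_RULE = "-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE"

# Directives whose values must agree on both ends of the tunnel.
MUST_MATCH = ("proto", "dev", "cipher", "auth", "tls-version-min", "tls-cipher", "compress")


def parse_ovpn(text):
    """Parse an OpenVPN config into {directive: [args, ...]}, one entry per occurrence."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        parts = shlex.split(stripped, comments=True)  # honours the quotes in push "..."
        if parts:
            conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, directive):
    """Arguments of the first occurrence of a directive, or None if it is absent."""
    return conf[directive][0] if directive in conf else None


def mismatches(server, client):
    """Directives in MUST_MATCH whose values differ between server and client."""
    return [(d, first(server, d), first(client, d))
            for d in MUST_MATCH if first(server, d) != first(client, d)]


def vpn_subnet(server):
    """Client subnet handed out by the 'server <net> <mask>' directive."""
    net, mask = first(server, "server")
    return ipaddress.ip_network(f"{net}/{mask}")


def nat_source(rule):
    """Network a MASQUERADE rule really matches: the kernel applies the mask to the address."""
    address = re.search(r"-s\s+(\S+)", rule).group(1)
    return ipaddress.ip_network(address, strict=False)


def nat_matches_vpn(server, rule):
    """True only when the NAT source is exactly the VPN subnet, not a superset of it."""
    return nat_source(rule) == vpn_subnet(server)


def weak_settings(server, client):
    """Findings a reviewer would raise about this pair of configs."""
    findings = []
    if "duplicate-cn" in server:
        findings.append(("duplicate-cn", "clients share one certificate; a leaked key cannot be revoked alone"))
    if "compress" in server or "comp-lzo" in server:
        findings.append(("compress", "compression inside the tunnel enables VORACLE-style attacks"))
    if "tls-crypt" not in server and "tls-auth" not in server:
        findings.append(("tls-crypt", "no control-channel key; any host can start a TLS handshake"))
    cipher = first(server, "cipher")
    if cipher and cipher[0].upper().endswith("-CBC"):
        findings.append(("cipher", f"{cipher[0]} is CBC mode; prefer AES-256-GCM"))
    for args in server.get("tls-cipher", []):
        for suite in args[0].split(":"):
            if suite.endswith("-") or not suite.startswith("TLS-"):
                findings.append(("tls-cipher", f"'{suite}' is not a complete cipher-suite name"))
    if "remote-cert-tls" not in client:
        findings.append(("remote-cert-tls", "client accepts any CA-issued cert as the server"))
    return findings


if __name__ == "__main__":
    srv, cli = parse_ovpn(SERVER_CONF), parse_ovpn(CLIENT_OVPN)
    verdict = "ok" if nat_matches_vpn(srv, NAT_RULE) else "too broad"
    print(f"VPN subnet {vpn_subnet(srv)}, NAT rule matches {nat_source(NAT_RULE)}: {verdict}")
    for d, s, c in mismatches(srv, cli):
        print(f"mismatch {d}: server={s} client={c}")
    for directive, why in weak_settings(srv, cli):
        print(f"{directive}: {why}")
```

Run it as is and it reports the /8 rule as too broad (it matches 10.0.0.0/8), no server/client mismatches, and six findings; change the NAT source to 10.8.0.0/24 or alter one side's cipher and the output changes accordingly. The parser deliberately keeps every occurrence of a directive, so repeated push lines are preserved rather than overwritten.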
Unless otherwise noted, all articles on this site are original work by 博文家; when reposting please credit the source: https://www.32e.top/system/linux/article-160.html