2021-07-01 13:32:02
I recently set up a NAS at home. Having to SSH in every time was a bit of a hassle, and sometimes I also need to reach other resources on the home network, so I decided to set up a VPN. I had built an OpenVPN server for my company before, so I started tinkering. Searching Baidu turned up mostly junk that simply did not work, or articles that just run someone else's script, which is not very interesting, so I went looking on sites abroad instead. Below is the detailed procedure I tested for setting up an OpenVPN server on Ubuntu 20.04, for reference.

1. Update the system so that it is fully up to date (this may take a while)

apt-get update -y
apt-get upgrade

2. Install openvpn and easy-rsa

apt-get install openvpn easy-rsa libssl-dev

3. Configure the certificates with easy-rsa

cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/
cp vars.example vars
3.1 Configure the parameters
vim vars
Append the following to the end of the file:
set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "INDIA"
set_var EASYRSA_REQ_PROVINCE    "Gujarat"
set_var EASYRSA_REQ_CITY        "Junagadh"
set_var EASYRSA_REQ_ORG         "Atlantic CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "admin@atlantic.net"
set_var EASYRSA_REQ_OU          "Atlantic EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "Atlantic CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

Note: the REQ_* fields in the configuration above can be changed to your own values or left as they are; because EASYRSA_DN is set to "cn_only", they are not used in the certificate subject anyway. Save and exit when done.


3.2 Initialise the PKI

./easyrsa init-pki
Output:
Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
3.3 Build the certificate authority (CA) certificate
./easyrsa build-ca nopass

Output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................................+++++
..................................................+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
139636302492992:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Note: press Enter at any prompts. The command above generates two files, ca.key and ca.crt, which are used to sign the server and client certificates. The passphrase prompts shown in the output only appear when build-ca is run without nopass; with nopass the CA key is stored unencrypted, so protect the pki directory accordingly.

4. Create the server certificate files

./easyrsa gen-req atlantic-server nopass
Output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
.............................+++++
...+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/atlantic-server.key.IMonKybM0y'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [atlantic-server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/atlantic-server.req
key: /etc/openvpn/easy-rsa/pki/private/atlantic-server.key
This generates a private key and a certificate signing request for the server.

5. Sign the server certificate request with the CA

./easyrsa sign-req server atlantic-server
Output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
commonName                = atlantic-server

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'atlantic-server'
Certificate is to be certified until Jun 29 11:43:05 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/atlantic-server.crt
5.1 Verify the generated certificate with the following command
openssl verify -CAfile pki/ca.crt pki/issued/atlantic-server.crt
Output:
pki/issued/atlantic-server.crt: OK
5.2 Run the following command to generate strong Diffie-Hellman parameters, used for key exchange
./easyrsa gen-dh
Output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+...........................+............................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
5.3 Once all certificate files have been created, copy them to the /etc/openvpn/server/ directory
cp pki/ca.crt /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp pki/private/atlantic-server.key /etc/openvpn/server/
cp pki/issued/atlantic-server.crt /etc/openvpn/server/

6. Generate the client certificate and key files

./easyrsa gen-req client nopass

Output:

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020
Generating a RSA private key
...+++++
........+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.JmBal6cmr8'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key
6.1 Sign the client certificate request with your CA
./easyrsa sign-req client client
Output:
Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 365 days:

subject=
commonName                = client

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client'
Certificate is to be certified until Jun 29 11:46:58 2021 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
6.2 Copy all client certificate and key files to the /etc/openvpn/client/ directory
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
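As an added example (not part of the original post), a small shell check for the PKI built in steps 3 to 6: it verifies every issued certificate against ca.crt, as step 5.1 does for one file, and warns when a certificate is about to expire, which matters because EASYRSA_CERT_EXPIRE above is only 365 days. The function name, the paths and the 30-day default threshold are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original post: check every certificate
# Easy-RSA issued (pki/issued/*.crt) against the CA and warn about upcoming
# expiry. Paths and the 30-day default threshold are this example's own.

# check_issued_certs <ca.crt> <issued-dir> [days]
# Prints one line per certificate; returns 1 if any certificate does not
# verify against the CA or expires within <days> (default 30).
check_issued_certs() {
    local ca="$1" dir="$2" days="${3:-30}"
    local rc=0 crt subject enddate
    local secs=$((days * 86400))   # -checkend expects seconds
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || { echo "no certificates found in $dir" >&2; return 1; }
        subject=$(openssl x509 -in "$crt" -noout -subject)
        enddate=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
        # does it chain to our CA? (the same check as in step 5.1)
        if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
            echo "FAIL  $crt: does not verify against $ca"
            rc=1; continue
        fi
        # will it still be valid in <days> days? (EASYRSA_CERT_EXPIRE above is 365)
        if ! openssl x509 -in "$crt" -noout -checkend "$secs" >/dev/null; then
            echo "WARN  $crt: expires $enddate, within $days days; renew it"
            rc=1; continue
        fi
        echo "OK    $crt: $subject, valid until $enddate"
    done
    return $rc
}

# Usage on the PKI built above:
# check_issued_certs /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued 30
```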

7. Configure the OpenVPN server

Rather than copying the sample configuration file, I create it directly.

vim /etc/openvpn/server.conf
Content:
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/atlantic-server.crt
key /etc/openvpn/server/atlantic-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"

push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
compress lz4
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3
Note: adjust the fields to your own situation; the cipher, auth and tls-cipher settings must be the same on the client.

8. Start the OpenVPN server and enable it at boot

systemctl start openvpn@server
systemctl enable --now openvpn@server
systemctl status openvpn@server
Once the OpenVPN service has started successfully, it creates a new network interface named tun0. You can verify this with the following command:
ip a show tun0
Output:
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::5f83:99a:30d:eb0/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
At this point the server side is set up.

9. Create the client configuration file

vim /etc/openvpn/client/client.ovpn

Content:

client
dev tun
proto udp
remote your-vpn-server-ip 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
Note: the main settings must match your server configuration. remote can be either your public IP address or a domain name.
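As an added example (not part of the original post), a shell function that builds a single self-contained client.ovpn from the files in /etc/openvpn/client by inlining ca.crt, client.crt and client.key, so that only one file has to be copied to the client; OpenVPN reads inline <ca>, <cert> and <key> blocks natively. The function name and argument order are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original post: bundle the files in
# /etc/openvpn/client into one client.ovpn with the CA certificate, client
# certificate and key inlined. Function name and arguments are this example's own.

# pem_only <file>  -> only the PEM block; Easy-RSA prefixes .crt files with a text dump
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_ovpn <client-dir> <server-host-or-ip> <output-file>
# Needs ca.crt, client.crt and client.key in <client-dir>. The output is
# written with mode 0600 because it contains the client's private key.
make_inline_ovpn() {
    local dir="$1" host="$2" out="$3" f
    for f in ca.crt client.crt client.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    (
        umask 077
        {
            # same settings as the client.ovpn above, with the ca/cert/key file
            # references replaced by inline blocks; add the server's tls-cipher
            # line here if you restrict it on the server
            cat <<EOF
client
dev tun
proto udp
remote $host 1194
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
resolv-retry infinite
compress lz4
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
EOF
            printf '<ca>\n';   pem_only "$dir/ca.crt";     printf '</ca>\n'
            printf '<cert>\n'; pem_only "$dir/client.crt"; printf '</cert>\n'
            printf '<key>\n';  pem_only "$dir/client.key"; printf '</key>\n'
        } > "$out"
    )
}

# Usage on the server configured above:
# make_inline_ovpn /etc/openvpn/client your-vpn-server-ip /etc/openvpn/client/client.ovpn
```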

10. Configure the local firewall so that clients can reach the internal network and the Internet

10.1 Enable IP forwarding
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
10.2 Apply the setting
sysctl -p
10.3 Allow the OpenVPN port through the firewall
ufw allow 1194/udp
Note: if other ports need to be open, add them with the same command. If you are logged in over SSH, pay special attention to port 22, otherwise you may lose your SSH connection once the firewall is enabled.


10.4 Find the name of the default network interface that carries outbound traffic (needed for NAT later)

ip route | grep default
Output:
default via X.X.X.X dev eth0 proto static
Note: your IP address and interface name will differ from mine. Make a note of your interface name.


10.5 Update the UFW rules to add NAT

vim /etc/ufw/before.rules
Content (note: insert this before the *filter section; do not append it at the end of the file):
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to the public server interface eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
Note: the subnet and interface here must match your own configuration (the 10.8.0.0/24 network from the server directive and the interface found in step 10.4), otherwise clients will not be able to reach the Internet.
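As an added example (not part of the original post), a shell snippet that derives the POSTROUTING rule from the server directive in server.conf and the default interface found in step 10.4, so that the subnet and interface in the NAT rule always match the OpenVPN configuration. The function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original post: derive the MASQUERADE rule for
# /etc/ufw/before.rules from the "server" line in server.conf and from the
# default route, so the NAT rule cannot drift apart from the OpenVPN config.
# The function names are this example's own.

# mask_to_prefix <dotted-netmask>  e.g. 255.255.255.0 -> 24
mask_to_prefix() {
    local IFS=. o bits=0
    for o in $1; do
        # count the set bits in each octet
        while [ "$o" -gt 0 ]; do bits=$((bits + (o & 1))); o=$((o >> 1)); done
    done
    echo "$bits"
}

# default_iface [ip-route-output]  -> interface of the default route (step 10.4)
# Uses the text passed in, or the live output of "ip route" when called without it.
default_iface() {
    local route="${1:-$(ip route 2>/dev/null)}"
    printf '%s\n' "$route" |
        awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# nat_rule <server.conf> <iface>  -> the -A POSTROUTING line for before.rules
nat_rule() {
    local conf="$1" iface="$2"
    # "server 10.8.0.0 255.255.255.0" -> $2 = network, $3 = netmask
    set -- $(grep -E '^server[[:space:]]' "$conf" | head -n 1)
    [ "$#" -eq 3 ] || { echo "no 'server <network> <netmask>' line in $conf" >&2; return 1; }
    printf '%s\n' "-A POSTROUTING -s $2/$(mask_to_prefix "$3") -o $iface -j MASQUERADE"
}

# Usage on the server configured above:
# nat_rule /etc/openvpn/server.conf "$(default_iface)"
```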


10.6 Now edit the ufw defaults so that forwarded packets are accepted

sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
10.7 Reload ufw
ufw reload
Note: if the firewall was not enabled to begin with, enable it with the following command
ufw enable
Check the ufw status
ufw status

Start the UFW firewall at boot

systemctl enable --now ufw
That completes the OpenVPN setup on Ubuntu 20.04. You can now pack up the /etc/openvpn/client directory, download it to the client machine and connect with an OpenVPN client.
