
OpenVPN on Alibaba Cloud

Environment:
VPN server:
External IP: the public IP
Internal IP: 10.171.87.226
Virtual network: 192.168.9.0
Client IP: 192.168.1.106
Server operating system:
cat /etc/redhat-release
CentOS release 6.5 (Final)
Disable SELinux
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
Install openssl and lzo; lzo compresses the tunnel traffic to speed up transfers
The EPEL repository is normally added first
yum -y install epel-release
yum -y install openvpn easy-rsa openssl openssl-devel lzo
Edit the vars file
cd /usr/share/easy-rsa/2.0/
mkdir /etc/openvpn/easy-rsa
cp -r * /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/
vim vars # around line 64
# Change the registration details, such as company address, company name and department name.
export KEY_COUNTRY="CN" # country
export KEY_PROVINCE="Shandong" # province
export KEY_CITY="Qingdao" # city
export KEY_ORG="MyOrganization" # company name
export KEY_EMAIL="me@myhost.mydomain" # e-mail
export KEY_OU="MyOrganizationalUnit" # organizational unit

### The values actually used (Renrenxin)
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BJ"
export KEY_ORG="rrx"
export KEY_EMAIL="mazhenguo@rrx360.com"
export KEY_OU="yunweibu"
Initialise the environment variables
source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
Remove every certificate-related file from the keys directory; the certificates and keys generated in the following steps are all placed in /usr/share/easy-rsa/2.0/keys
./clean-all
Generate the root certificate ca.crt and root key ca.key (just press Enter at every prompt)
#./build-ca
Generating a 2048 bit RSA private key
....+++
................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [rrx]:
Organizational Unit Name (eg, section) [yunweibu]:
Common Name (eg, your name or your server's hostname) [rrx CA]:
Name [EasyRSA]:
Email Address [mazhenguo@rrx360.com]:
Generate the server certificate and key (press Enter at every prompt; when asked y/n, type y and press Enter, twice in total). The name "server" can be changed.
#./build-key-server server

Generating a 2048 bit RSA private key
..........................................................+++
...........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [rrx]:
Organizational Unit Name (eg, section) [yunweibu]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [mazhenguo@rrx360.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'rrx'
organizationalUnitName:PRINTABLE:'yunweibu'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'mazhenguo@rrx360.com'
Certificate is to be certified until Nov 19 12:40:21 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Every VPN client that logs in needs its own certificate, and each certificate can only serve one connected client at a time. Two are created below. Generate the client certificates and keys (press Enter at every prompt; when asked y/n, type y and press Enter, twice in total).
#./build-key client
Generating a 2048 bit RSA private key
.............................................................+++
................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [rrx]:
Organizational Unit Name (eg, section) [yunweibu]:
Common Name (eg, your name or your server's hostname) [client]:
Name [EasyRSA]:
Email Address [mazhenguo@rrx360.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'rrx'
organizationalUnitName:PRINTABLE:'yunweibu'
commonName :PRINTABLE:'client'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'mazhenguo@rrx360.com'
Certificate is to be certified until Nov 19 12:41:17 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#./build-key client1
Generating a 2048 bit RSA private key
......................................................+++
........................................................................+++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [rrx]:
Organizational Unit Name (eg, section) [yunweibu]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [EasyRSA]:
Email Address [mazhenguo@rrx360.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'rrx'
organizationalUnitName:PRINTABLE:'yunweibu'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'mazhenguo@rrx360.com'
Certificate is to be certified until Nov 19 12:42:06 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Create the Diffie-Hellman parameters; this produces dh2048.pem (generation is slow, do not interrupt it)
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................................................................
.........................................++*++*
Generate ta.key, the TLS-auth key (protects against DDoS attacks, UDP floods and similar abuse)
openvpn --genkey --secret keys/ta.key
Create the server configuration file; first create a keys directory under the OpenVPN configuration directory
mkdir /etc/openvpn/keys
Copy the OpenVPN certificates and keys that will be used into the newly created keys directory
cp keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
Copy the server configuration template server.conf to /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.13/sample/sample-config-files/server.conf /etc/openvpn/
Show the active parameters in server.conf
grep '^[^#;]' /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Edit server.conf
cd /etc/openvpn/
cp server.conf server.conf.bak
vim /etc/openvpn/server.conf
port 1194
Changed to tcp; the default is udp, but an HTTP proxy requires the tcp protocol
proto tcp
dev tun
Prefix the paths with keys/; the full path is /etc/openvpn/keys/ca.crt
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
# Default virtual network; it just must not clash with a real LAN
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# 10.0.0.0/8 is the internal network this VPN server sits on; adjust it to your own environment
push "route 10.0.0.0 255.0.0.0" # optional
push "redirect-gateway def1 bypass-dhcp"
client-config-dir ccd
# Lets clients reach each other, forwarded directly by the openvpn process; enable as needed
client-to-client
# If all clients connect with the same certificate and key this must be enabled; otherwise each certificate allows only one connected user at a time
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
comp-lzo
persist-key
persist-tun
# OpenVPN status log, default /etc/openvpn/openvpn-status.log
status openvpn-status.log
# OpenVPN run log, default /etc/openvpn/openvpn.log
log-append openvpn.log
# verb 5 shows more debugging information
verb 5

### Renrenxin configuration
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 192.168.90.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 5
#explicit-exit-notify 1
# Add the following line so that users can later be removed (revoked)
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
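A quick check of a server.conf like the one above, as an added example that is not part of the original post: it flags the settings this walkthrough touches that weaken the server (duplicate-cn, a missing crl-verify, no privilege drop, compression) and reports the count in its exit status. The sample config is constructed here, modelled on the Renrenxin server file; the file paths are the post's own.

```sh
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN 2.3 server.conf
# for the settings discussed above. The config below is a constructed sample
# modelled on the Renrenxin server configuration.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
server 192.168.90.0 255.255.255.0
duplicate-cn
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
EOF

# has_directive FILE NAME: true if an active (uncommented) line starts with NAME
has_directive() {
    grep -Eq '^[[:space:]]*'"$2"'([[:space:]]|$)' "$1"
}

# check_server_conf FILE: print one WARN line per finding; exit status = number of findings
check_server_conf() {
    conf=$1; n=0
    warn() { echo "WARN: $1"; n=$((n + 1)); }
    has_directive "$conf" duplicate-cn &&
        warn "duplicate-cn lets one certificate open many sessions; issue one cert per user"
    has_directive "$conf" tls-auth ||
        warn "no tls-auth: add 'tls-auth keys/ta.key 0' so unsigned handshakes are dropped"
    has_directive "$conf" crl-verify ||
        warn "no crl-verify: certificates revoked with revoke-full are still accepted"
    has_directive "$conf" cipher ||
        warn "no cipher: OpenVPN 2.3 falls back to BF-CBC; set 'cipher AES-256-CBC'"
    { has_directive "$conf" user && has_directive "$conf" group; } ||
        warn "no 'user nobody'/'group nobody': the daemon keeps root after startup"
    has_directive "$conf" comp-lzo &&
        warn "comp-lzo: compressing traffic inside the tunnel enables VORACLE-style attacks"
    return $n
}

check_server_conf "$SAMPLE_CONF" || echo "$? finding(s)"   # 4 findings for the sample above
```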
Enable IP forwarding
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p
Start OpenVPN and enable it at boot
mkdir /etc/openvpn/ccd
service openvpn start
chkconfig openvpn on
Create the client configuration file
Copy the client.conf template and name it client.ovpn
cp /usr/share/doc/openvpn-2.3.13/sample/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
# Edit client.ovpn
vim /etc/openvpn/easy-rsa/keys/client.ovpn
client
dev tun
# Changed to tcp
proto tcp
# Public IP and port of the OpenVPN server
remote 203.195.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
# client1's certificate
cert client1.crt
# client1's key
key client1.key
ns-cert-type server
# Remove the leading comment marker
tls-auth ta.key 1
comp-lzo
verb 3

Renrenxin configuration:
client
dev tun
proto tcp
remote 123.56.247.48 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
Client connection setup:
Upload client.ovpn, ca.crt, client1.crt, client1.key and ta.key from the OpenVPN server to the config folder of the Windows client installation (C:\Program Files\OpenVPN\config)

When connecting, the client must be started via right-click, Run as administrator
http://www.centoscn.com/CentosServer/test/2014/1120/4153.html
Installing the VPN client on CentOS
#yum install openvpn
Download the server-side ZIP package and ta.key into /etc/openvpn/,
then edit client.ovpn and fix the paths of ca.crt, client.crt, client.key and ta.key inside it
Start the VPN
openvpn /etc/openvpn/client.ovpn # foreground, shows the live log
openvpn /etc/openvpn/client.ovpn > /dev/null & # run in the background
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.90.0/24 -j MASQUERADE
service iptables save

### The following was not performed

Configure the firewall, and do not forget to save
Port 22 here is the SSH port; since I intend to set the default OUTPUT policy to ACCEPT, an inbound allow rule for port 22 is all that is needed
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Set the default filter policies. This must be done after port 22 has been opened, otherwise the session drops as soon as the policy is applied
iptables -P INPUT DROP # with this in place the server's public IP can no longer be pinged
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Allow connections to the OpenVPN port; 1194 is the port I configured for OpenVPN, adjust it to your own setup.
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
Forward all packets from the 192.168.10.0 network out through eth0
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
Add a FORWARD whitelist
iptables -A FORWARD -i tun+ -j ACCEPT
Allow all connections from the virtual network
iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT
Keep established connections (otherwise the server cannot reach the internet)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The following configuration also works
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.90.0/24 -j MASQUERADE
service iptables save

### Creating users on the server with a script (not performed):

1. Upgrade Python to version 2.7 or later
mkdir /home/tools
cd /home/tools
vim pythonupdate.sh
#!/bin/sh
#define variables
Tools_Dir="/usr/local/src"
Python_Dir="/usr/local/python"
Log_File="/tmp/tri_install.log"
Err_Log="/tmp/tri_install_err.log"

install_python(){
printf "Install Python,Please wait...\n"
#create the install directory if it does not exist
[ -d $Python_Dir ] || mkdir $Python_Dir -p
#building python2.7 requires python-devel
yum -y install python-devel* >>$Log_File 2>&1
#download and build python
cd $Tools_Dir
wget http://www.python.org/ftp/python/2.7.5/Python-2.7.5.tgz >>$Log_File 2>&1
tar zxf Python-2.7.5.tgz >>$Log_File 2>&1
cd Python-2.7.5
./configure --enable-shared --prefix=$Python_Dir >>$Log_File 2>&1
[ $? -ne 0 ] && tail -30 $Log_File |tee -a $Err_Log && exit 1;
make >>$Log_File 2>&1
[ $? -ne 0 ] && tail -30 $Log_File |tee -a $Err_Log && exit 1;
make install >>$Log_File 2>&1
[ $? -ne 0 ] && tail -30 $Log_File |tee -a $Err_Log && exit 1;
#keep the system python as python2.6_bak and point /usr/bin/python at 2.7
rename python python2.6_bak /usr/bin/python
ln -s /usr/local/python/bin/python /usr/bin/python
ln -s /usr/local/python/lib/libpython2.7.so /usr/lib
#yum only works with python 2.6, so pin its interpreter
sed -i 's@^#!/usr/bin/python$@#!/usr/bin/python2.6@g' /usr/bin/yum
#make the python2.7 shared library loadable
echo "$Python_Dir/lib/" > /etc/ld.so.conf.d/python2.7.conf
ldconfig
printf "Install Python Success\n"
}

install_python

chmod +x pythonupdate.sh
./pythonupdate.sh
The installation progress can be followed in a new Xshell session
tail -f /tmp/tri_install.log

# Install python-setuptools
wget http://peak.telecommunity.com/dist/ez_setup.py
python ez_setup.py
Output like Finished processing dependencies for setuptools==0.6c11 means the installation succeeded.
# Download pip
wget "https://pypi.python.org/packages/source/p/pip/pip-1.5.4.tar.gz#md5=834b2904f92d46aaa333267fb1c922bb" --no-check-certificate
# Install pip
tar -xzvf pip-1.5.4.tar.gz
cd pip-1.5.4
python setup.py install
Output like Finished processing dependencies for pip==1.5.4 means the installation succeeded
# If a module is reported missing, install it with the command below
/usr/local/python/bin/pip install ptyprocess

cd /usr/bin/
# Upload gen_new_key (manual upload).

chmod +x gen_new_key

# Edit line 41, changing the original 192.168.70 to 192.168.90

gen_new_key -u mazhenguo2 -p "192.168.5"
For this IP range, keep the command as it is and only change the user name.
Once the user has been added, a package appears in the /etc/openvpn directory.
2016-01-23 20:28:54,336 INFO: Generate new key for user "mazhenguo2" success!!
2016-01-23 20:28:54,340 INFO: distribute IP "192.168.5.5&192.168.5.6" to user "mazhenguo2"
cd /etc/openvpn/
Download this package to the config directory of your local OpenVPN installation.
Note: the package contains only 4 files; ta.key must be copied in as well, for five files in total.

### Removing a user

cd /etc/openvpn/easy-rsa/
./revoke-full mazhenguo
# After a successful revocation you see output like the following
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
ERROR:Already revoked, serial number 04
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
mazhenguo.crt: C = CN, ST = BJ, L = BJ, O = YUCHENG, OU = yunweibu, CN = mazhenguo, name = EasyRSA, emailAddress = mazhenguo@ahyc.cn
error 23 at 0 depth lookup:certificate revoked

source vars

Confirm that server.conf contains the following line
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
service openvpn restart

### Assigning fixed IPs to OpenVPN clients instead of the address pool

Add to /etc/openvpn/server.conf:
client-config-dir /etc/openvpn/ccd
Then place a per-client configuration file in the /etc/openvpn/ccd directory.
The file name is the client name, i.e. the "Common Name" entered when the key was generated.
For example, to give the client liushiwei the address 192.168.2.24,
the file /etc/openvpn/ccd/liushiwei only needs to contain the single line:
ifconfig-push 192.168.2.24 255.255.255.0
and that is all.
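A helper for writing these ccd files, as an added example that is not part of the original post. It assumes the default net30 topology of "dev tun" in OpenVPN 2.3, where ifconfig-push takes the client IP and the server-side endpoint (not a netmask) from one /30, which is why the gen_new_key log above hands out the pair 192.168.5.5 and 192.168.5.6; the prefix, the client number and the temporary ccd directory are constructed inputs, the user name mazhenguo2 is the post's own.

```sh
#!/bin/sh
# Added example, not from the original post: build ccd files with static
# addresses for the default net30 topology ("dev tun" in OpenVPN 2.3), where
# ifconfig-push takes <client IP> <server-side endpoint>, both from one /30.
# Valid last-octet pairs are [1,2] [5,6] [9,10] ... [253,254]; [1,2] belongs
# to the server itself, so clients are numbered from 1.

# net30_pair PREFIX N: print "<client IP> <endpoint IP>" for client number N
# (1..63) inside PREFIX.0/24, e.g. net30_pair 192.168.5 1 -> 192.168.5.5 192.168.5.6
net30_pair() {
    prefix=$1; n=$2
    [ "$n" -ge 1 ] && [ "$n" -le 63 ] || { echo "client number must be 1..63" >&2; return 1; }
    echo "$prefix.$((n * 4 + 1)) $prefix.$((n * 4 + 2))"
}

# is_net30_pair A B: true if last octets A and B form a valid [4k+1, 4k+2] pair
is_net30_pair() {
    [ $(( $1 % 4 )) -eq 1 ] && [ "$2" -eq $(( $1 + 1 )) ]
}

# write_ccd CCD_DIR CN PREFIX N: write CCD_DIR/CN containing the ifconfig-push line
# for client number N; the file name must equal the certificate's Common Name.
write_ccd() {
    dir=$1; cn=$2; pair=$(net30_pair "$3" "$4") || return 1
    mkdir -p "$dir"
    echo "ifconfig-push $pair" >"$dir/$cn"
}

# Demo with a constructed temporary ccd directory (real path: /etc/openvpn/ccd)
DEMO_CCD=$(mktemp -d)
write_ccd "$DEMO_CCD" mazhenguo2 192.168.5 1
cat "$DEMO_CCD/mazhenguo2"   # ifconfig-push 192.168.5.5 192.168.5.6
```

With "topology subnet" in server.conf the netmask form used above for liushiwei applies instead, and the pairing rule is not needed.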

### Configuration files for reference

Server configuration file (for reference only)
port 1194
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 192.168.70.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.0.0"
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.5.200 255.255.255.255"
push "route 192.168.5.31 255.255.255.255"
client-config-dir ccd
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
================================================================================================================================
Client configuration file (for reference only)
client
dev tun
proto tcp
remote 119.254.64.133 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
