OpenVPN生产环境中实战部署及客户端使用@H_696_19@
OpenVPN环境部署@H_502_9@
1、环境需求@H_696_19@
设备@H_696_19@ |
IP@H_696_19@ |
个人PC,VPN客户端@H_696_19@ |
eth0:192.168.119.0/24@H_696_19@ |
OpenVPN Server@H_696_19@ |
eth0:192.168.239.167;eth1:192.168.119.83@H_696_19@ |
局域网服务器@H_696_19@ |
eth0:192.168.239.165@H_696_19@ |
实现需求@H_696_19@ |
在远端通过VPN客户端对VPN Server后端多个servers直接访问,管理维护@H_696_19@ |
2、查看系统环境@H_696_19@
[root@Y-solin~]#cat/etc/redhat-release
CentOSrelease6.9(Final)
[root@Y-solin~]#uname-r
2.6.32-696.1.1.el6.x86_64
[root@Y-solin~]#uname-m
x86_64
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M02/92/CD/wKioL1kDC3uzoddSAAAyH8BOKuk815.jpg">@H_696_19@@H_696_19@@H_696_19@
4、配置VPN服务器时间同步@H_696_19@
(1)安装ntp@H_696_19@
[root@Y-solin~]#yuminstallntp
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M02/92/CE/wKiom1kDC3vC-2E4AABebsUWfV8945.jpg">@H_696_19@@H_696_19@@H_696_19@
(2)手动同步时间@H_696_19@
[root@Y-solin~]#/usr/sbin/ntPDAtepool.ntp.org
27Apr10:03:51ntPDAte[2387]:steptimeserver85.199.214.101offset7.719699sec
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKiom1kDC3uAOKKOAAApi1qjMr4233.jpg">@H_696_19@@H_696_19@@H_696_19@
(3)加入定时任务@H_696_19@
[root@Y-solin~]#echo'#timesync'>>/var/spool/cron/root
[root@Y-solin~]#echo'*/5****/usr/sbin/ntpdatetiR_580_11845@e.windows.com>/dev/null2>&1'>>/var/spool/cron/root
[root@Y-solin~]#crontab-l
#timesync
*/5****/usr/sbin/ntpdatetiR_580_11845@e.windows.com>/dev/null2>&1
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M00/92/CD/wKioL1kDC3ziBzTiAAAxozIfk60572.jpg">@H_696_19@@H_696_19@@H_696_19@
安装openVPN相关依赖软件@H_502_9@
1、建立OpenVPN软件目录@H_696_19@
[root@Y-solin~]#mkdir-p/home/solin/opt/openvpm
[root@Y-solin~]#cd/home/solin/opt/openvpm
2、下载所需要的包@H_696_19@
(1)下载依赖包@H_696_19@
选择下载的版本:http://www.oberhumer.com/opensource/lzo/download/@H_696_19@
我这里选择了lzo-2.06:http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz@H_696_19@
[root@Y-solinopenvpm]#wget
http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M01/92/CE/wKiom1kDC3zSb0iTAACKxpeWNBM998.jpg">@H_696_19@@H_696_19@@H_696_19@
(2)下载OpenVPN@H_696_19@
选择下载版本:https://build.openvpn.net/downloads/releases/@H_696_19@
openvpn-2.4.0:https://build.openvpn.net/downloads/releases/openvpn-2.4.0.tar.gz@H_696_19@
这里选择了@H_696_19@
[root@Y-solinopenvpm]#wgetftp://ftp-osl.osuosl.org/.1/vectorlinux/VL64-7.0/source/sourceVL/openvpn/2.2.2/src/openvpn-2.2.2.tar.gz
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M02/92/CD/wKioL1kDC3yiDdRiAABYa4Hrzqk050.jpg">@H_696_19@@H_696_19@@H_696_19@
3、安装@H_696_19@
(1)编译安装vpn依赖@H_696_19@
[root@Y-solinopenvpm]#tarzxflzo-2.06.tar.gz
[root@Y-solinopenvpm]#cdlzo-2.06
[root@Y-solinlzo-2.06]#./configure
configure:ConfiguringLZO2.06
…
[root@Y-solinlzo-2.06]#make
makeall-am
make[1]:Enteringdirectory`/home/solin/opt/openvpm/lzo-2.06'
…
[root@Y-solinlzo-2.06]#makeinstall
make[1]:Enteringdirectory`/home/solin/opt/openvpm/lzo-2.06'
test-z"/usr/local/lib"||/bin/mkdir-p"/usr/local/lib"
…
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M01/92/CD/wKioL1kDC3zhb5PwAACXZ-xiugo836.jpg">@H_696_19@@H_696_19@@H_696_19@
(2)编译安装VPN@H_696_19@
[root@Y-solinopenvpm]#tarzxvfopenvpn-2.2.2.tar.gz
[root@Y-solinopenvpm]#cdopenvpn-2.2.2
[root@Y-solinopenvpn-2.2.2]#./configure--with-lzo-headers=/usr/local/ssl/include--with-lzo-lib=/usr/local/ssl/lib
checkingbuildsystemtype...x86_64-unkNown-linux-gnu
checkinghostsystemtype...x86_64-unkNown-linux-gnu
…
[root@Y-solinopenvpn-2.2.2]#echo$?
0
[root@Y-solinopenvpn-2.2.2]#make
makeall-recursive
make[1]:Enteringdirectory`/home/solin/opt/openvpm/openvpn-2.2.2'
…
[root@Y-solinopenvpn-2.2.2]#echo$?
0
[root@Y-solinopenvpn-2.2.2]#makeinstall
Makinginstallinimages
make[1]:Enteringdirectory`/home/solin/opt/openvpm/openvpn-2.2.2/images'
make[2]:Enteringdirectory`/home/solin/opt/openvpm/openvpn-2.2.2/images'
…
[root@Y-solinopenvpn-2.2.2]#echo$?
0
[root@Y-solinopenvpm]#ll/usr/local/sbin/openvpn
-rwxr-xr-x.1rootroot45711864月2714:40/usr/local/sbin/openvpn
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKiom1kDC33zpKgAAACvTNpFh9c059.jpg">@H_696_19@@H_696_19@@H_696_19@
配置OpenVPN server建立CA(Certificate Authority)证书@H_502_9@
1、初始化配置@H_696_19@
[root@Y-solinopenvpn-2.2.2]#cdeasy-rsa/2.0/
[root@Y-solin2.0]#tail-6vars
exportKEY_EMAIL=mail@host.domain
exportKEY_CN=changeme
exportKEY_NAME=changeme
exportKEY_OU=changeme
exportPKCS11_MODULE_PATH=changeme
exportPKCS11_PIN=1234
[root@Y-solin2.0]#pwd
/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0
[root@Y-solin2.0]#cpvarsvars.solin.170427
[root@Y-solin2.0]#vivars
修改如下
#exportKEY_COUNTRY="US"
exportKEY_COUNTRY="CN"
#exportKEY_province="CA"
exportKEY_province="SH"
#exportKEY_CITY="SanFrancisco"
exportKEY_CITY="ShangHai"
#exportKEY_ORG="Fort-Funston"
exportKEY_ORG="Y-solin"
#exportKEY_EMAIL="me@myhost.mydomain"
exportKEY_EMAIL="yalsnlin@sina.com"
exportKEY_EMAIL=mail@host.domain
exportKEY_CN=changeme
#exportKEY_NAME=changeme
exportKEY_NAME=Y-solin
#exportKEY_OU=changeme
exportKEY_OU=BDCOM
exportPKCS11_MODULE_PATH=changeme
exportPKCS11_PIN=1234
[root@Y-solin2.0]#.vars
NOTE:Ifyourun./clean-all,Iwillbedoingarm-rfon/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/keys
[root@Y-solin2.0]#./clean-all#清空所有CA
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M00/92/CD/wKioL1kDC32TnwWAAAAwUVoPyCA716.jpg">@H_696_19@@H_696_19@@H_696_19@
2、创建一个新的CA@H_696_19@
[root@Y-solin2.0]#./build-ca
Generatinga1024bitRSAprivatekey
.++++++
.++++++
wriTingnewprivatekeyto'ca.key'
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
whatyouareabouttoenteriswhatiscalledaDisTinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
ForsomefieldstherewillbeaDefaultValue,Ifyouenter'.',thefieldwillbeleftblank.
-----
CountryName(2lettercodE)[CN]:
StateorprovinceName(fullName)[SH]:
LocalityName(eg,city)[ShangHai]:
OrganizationName(eg,company)[Y-solin]:
OrganizationalUnitName(eg,section)[BDCOM]:
CommonName(eg,yournameoryourserver'shostName)[changeme]:Y-solin
Name[Y-solin]:
EmailAddress[mail@host.domain]:yalsnlin@sina.com
查看创建的CA证书
[root@Y-solin2.0]#ls-lkeys/
总用量12
-rw-r--r--.1rootroot13304月2715:58ca.crt
-rw-------.1rootroot9124月2715:58ca.key
-rw-r--r--.1rootroot04月2715:51index.txt
-rw-r--r--.1rootroot34月2715:51serial
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" src="http://s3.51cto.com/wyfs02/M02/92/CE/wKiom1kDC32wE72dAADHqyKoGGY266.jpg">@H_696_19@@H_696_19@@H_696_19@
@H_502_9@
生成服务器端证书和秘钥key文件@H_502_9@
@H_696_19@
1、生成一个服务端的证书@H_696_19@
[root@Y-solin2.0]#./build-key-serverserver
Generatinga1024bitRSAprivatekey
....................++++++
...........++++++
wriTingnewprivatekeyto'server.key'
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
whatyouareabouttoenteriswhatiscalledaDisTinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
ForsomefieldstherewillbeaDefaultValue,yournameoryourserver'shostName)[server]:
Name[Y-solin]:
EmailAddress[mail@host.domain]:yalsnlin@sina.com
Pleaseenterthefollowing'extra'attributes
tobesentwithyourcertificaterequest
Ach@R_489_8710@gepassword[]:bdyun
Anoptionalcompanyname[]:BDCOM
Usingconfigurationfrom/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
checkthattherequestmatchesthesignature
Signatureok
TheSubject'sDisTinguishedNameisasfollows
countryName:PRINTABLE:'CN'
stateOrprovinceName:PRINTABLE:'SH'
localityName:PRINTABLE:'ShangHai'
organizationName:PRINTABLE:'Y-solin'
organizationalUnitName:PRINTABLE:'BDCOM'
commonName:PRINTABLE:'server'
name:PRINTABLE:'Y-solin'
emailAddress:IA5StriNG:'yalsnlin@sina.com'
CertificateistobecertifieduntilApr2508:13:482027GMT(3650days)
Signthecertificate?[y/n]:y
1outof1certificaterequestscertified,commit?[y/n]y
Writeoutdatabasewith1newentries
DataBaseupdated
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKioL1kDDuHQlI36AACuwRRJoeY531.jpg">@H_696_19@@H_696_19@@H_696_19@
查看生成的CA证书@H_696_19@
[root@Y-solin2.0]#ls-lrtkeys/
总用量40
-rw-r--r--.1rootroot34月2715:51serial.old
-rw-r--r--.1rootroot04月2715:51index.txt.old
-rw-------.1rootroot9124月2715:58ca.key
-rw-r--r--.1rootroot13304月2715:58ca.crt
-rw-------.1rootroot9164月2716:13server.key
-rw-r--r--.1rootroot7734月2716:13server.csr
-rw-r--r--.1rootroot40294月2716:14server.crt
-rw-r--r--.1rootroot34月2716:14serial
-rw-r--r--.1rootroot214月2716:14index.txt.attr
-rw-r--r--.1rootroot1244月2716:14index.txt
-rw-r--r--.1rootroot40294月2716:1401.pem
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKioL1kDDuHzmITxAACHufHfxi4505.jpg">@H_696_19@@H_696_19@@H_696_19@
生成客户端证书和key文件@H_502_9@
(1)生成客户端证书秘钥@H_696_19@
[root@Y-solin2.0]#./build-keysolin
Generatinga1024bitRSAprivatekey
.++++++
........................................++++++
wriTingnewprivatekeyto'solin.key'
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
whatyouareabouttoenteriswhatiscalledaDisTinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
ForsomefieldstherewillbeaDefaultValue,yournameoryourserver'shostName)[solin]:
Name[Y-solin]:
EmailAddress[mail@host.domain]:yalsnlin@sina.com
Pleaseenterthefollowing'extra'attributes
tobesentwithyourcertificaterequest
Ach@R_489_8710@gepassword[]:bdyun
Anoptionalcompanyname[]:BDCOM
Usingconfigurationfrom/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
checkthattherequestmatchesthesignature
Signatureok
TheSubject'sDisTinguishedNameisasfollows
countryName:PRINTABLE:'CN'
stateOrprovinceName:PRINTABLE:'SH'
localityName:PRINTABLE:'ShangHai'
organizationName:PRINTABLE:'Y-solin'
organizationalUnitName:PRINTABLE:'BDCOM'
commonName:PRINTABLE:'solin'
name:PRINTABLE:'Y-solin'
emailAddress:IA5StriNG:'yalsnlin@sina.com'
CertificateistobecertifieduntilApr2508:30:572027GMT(3650days)
Signthecertificate?[y/n]:y
1outof1certificaterequestscertified,commit?[y/n]y
Writeoutdatabasewith1newentries
DataBaseupdated
[root@Y-solin2.0]#ls-lrtkeys/
总用量64
-rw-------.1rootroot9124月2715:58ca.key
-rw-r--r--.1rootroot13304月2715:58ca.crt
-rw-------.1rootroot9164月2716:13server.key
-rw-r--r--.1rootroot7734月2716:13server.csr
-rw-r--r--.1rootroot40294月2716:14server.crt
-rw-r--r--.1rootroot34月2716:14serial.old
-rw-r--r--.1rootroot1244月2716:14index.txt.old
-rw-r--r--.1rootroot214月2716:14index.txt.attr.old
-rw-r--r--.1rootroot40294月2716:1401.pem
-rw-------.1rootroot9204月2716:30solin.key
-rw-r--r--.1rootroot7694月2716:30solin.csr
-rw-r--r--.1rootroot39074月2716:31solin.crt
-rw-r--r--.1rootroot34月2716:31serial
-rw-r--r--.1rootroot214月2716:31index.txt.attr
-rw-r--r--.1rootroot2474月2716:31index.txt
-rw-r--r--.1rootroot39074月2716:3102.pem
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKioL1kDEIahloaQAADZF-vNJI4212.jpg">@H_696_19@@H_696_19@@H_696_19@
(2)生成客户端拨号需要密码的证书秘钥@H_696_19@
[root@Y-solin2.0]#./build-key-passxiaodangjia
Generatinga1024bitRSAprivatekey
...........++++++
.........++++++
wriTingnewprivatekeyto'xiaodangjia.key'
EnterPEMpassphrase:
Verifying-EnterPEMpassphrase:
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporated
intoyourcertificaterequest.
whatyouareabouttoenteriswhatiscalledaDisTinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
ForsomefieldstherewillbeaDefaultValue,yournameoryourserver'shostName)[xiaodangjia]:
Name[Y-solin]:
EmailAddress[mail@host.domain]:yalsnlin@sina.com
Pleaseenterthefollowing'extra'attributes
tobesentwithyourcertificaterequest
Ach@R_489_8710@gepassword[]:bdyun
Anoptionalcompanyname[]:BDCOM
Usingconfigurationfrom/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
checkthattherequestmatchesthesignature
Signatureok
TheSubject'sDisTinguishedNameisasfollows
countryName:PRINTABLE:'CN'
stateOrprovinceName:PRINTABLE:'SH'
localityName:PRINTABLE:'ShangHai'
organizationName:PRINTABLE:'Y-solin'
organizationalUnitName:PRINTABLE:'BDCOM'
commonName:PRINTABLE:'xiaodangjia'
name:PRINTABLE:'Y-solin'
emailAddress:IA5StriNG:'yalsnlin@sina.com'
CertificateistobecertifieduntilApr2608:26:542027GMT(3650days)
Signthecertificate?[y/n]:y
1outof1certificaterequestscertified,255);text-align:justify;">
生成generate diffie Hellman parameter@H_502_9@
生成传输进行秘钥交换时用到的交换秘钥协议文件@H_696_19@
[root@Y-solin2.0]#./build-dh
GeneratingDHparameters,1024bitlongsafeprime,generator2
Thisisgoing@R_77_10586@kealongtime
......
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M02/92/D0/wKiom1kDENeR3_XGAACsGiTPmw0970.jpg">@H_696_19@@H_696_19@@H_696_19@
查看生成的证书@H_696_19@
[root@Y-solin2.0]#pwd
/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0
[root@Y-solin2.0]#llkeys/
总用量84
-rw-r--r--.1rootroot40294月2716:1401.pem
-rw-r--r--.1rootroot39074月2716:3102.pem
-rw-r--r--.1rootroot39214月2716:3603.pem
-rw-r--r--.1rootroot13304月2715:58ca.crt
-rw-------.1rootroot9124月2715:58ca.key
-rw-r--r--.1rootroot2454月2716:44dh1024.pem
-rw-r--r--.1rootroot3764月2716:36index.txt
-rw-r--r--.1rootroot214月2716:36index.txt.attr
-rw-r--r--.1rootroot214月2716:31index.txt.attr.old
-rw-r--r--.1rootroot2474月2716:31index.txt.old
-rw-r--r--.1rootroot34月2716:36serial
-rw-r--r--.1rootroot34月2716:31serial.old
-rw-r--r--.1rootroot40294月2716:14server.crt
-rw-r--r--.1rootroot7734月2716:13server.csr
-rw-------.1rootroot9164月2716:13server.key
-rw-r--r--.1rootroot39074月2716:31solin.crt
-rw-r--r--.1rootroot7694月2716:30solin.csr
-rw-------.1rootroot9204月2716:30solin.key
-rw-r--r--.1rootroot39214月2716:36xiaodangjia.crt
-rw-r--r--.1rootroot7774月2716:36xiaodangjia.csr
-rw-------.1rootroot9164月2716:36xiaodangjia.key
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M01/92/CE/wKioL1kDENfAbkLHAAENnGVqMje815.jpg">@H_696_19@@H_696_19@@H_696_19@
配置服务端VPN配置文件server.conf(服务端模板配置文件)@H_502_9@
1、把所有的keys和配置文件拷贝到/etc/openvpn目录下@H_696_19@
[root@Y-solin2.0]#mkdir-p/etc/openvpn
[root@Y-solin2.0]#cp-a/home/solin/opt/openvpm/openvpn-2.2.2/easy-rsa/2.0/keys/etc/openvpn/
[root@Y-solin2.0]#cp-a/home/solin/opt/openvpm/openvpn-2.2.2/sample-config-files/*.conf/etc/openvpn/
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M02/92/CE/wKioL1kDESmDxmONAAC-s794gKw084.jpg">@H_696_19@@H_696_19@@H_696_19@
2、进入/etc/openvpn目录@H_696_19@
备份server.conf文件@H_696_19@
[root@Y-solin2.0]#cd/etc/openvpn/
[root@Y-solinopenvpn]#ll
总用量36
-rw-rw-r--.1500500342610月212010client.conf
drwx------.2rootroot40964月2716:44keys
-rw-rw-r--.15005001028810月212010server.conf
-rw-rw-r--.1500500174210月212010static-home.conf
-rw-rw-r--.1500500168810月212010static-office.conf
-rw-rw-r--.1500500193710月212010tls-home.conf
-rw-rw-r--.1500500194810月212010tls-office.conf
[root@Y-solinopenvpn]#cpserver.confserver.conf.solin.170427
过滤出默认开启的配置@H_696_19@
[root@Y-solinopenvpn]#pwd
/etc/openvpn
[root@Y-solinopenvpn]#egrep-v"^#|^$^|;"server.conf
port1194
protoudp
devtun
caca.crt
certserver.crt
keyserver.key#Thisfileshouldbekeptsecret
dhdh1024.pem
server10.8.0.0255.255.255.0
ifconfig-pool-persistipp.txt
keepalive10120
comp-lzo
persist-key
persist-tun
statusopenvpn-status.log
verb3
过滤内容追加到新文件@H_696_19@
[root@Y-solinopenvpn]#egrep-v"^#|^$|^;"server.conf>solin-vpn.conf
[root@Y-solinopenvpn]#catsolin-vpn.conf
port1194
protoudp
devtun
caca.crt
certserver.crt
keyserver.key#Thisfileshouldbekeptsecret
dhdh1024.pem
server10.8.0.0255.255.255.0
ifconfig-pool-persistipp.txt
keepalive10120
comp-lzo
persist-key
persist-tun
statusopenvpn-status.log
verb3
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M02/92/CE/wKioL1kDESqwLpa9AABh4VY7WTU092.jpg">@H_696_19@@H_696_19@
@H_696_19@
修改生成的配置文件@H_696_19@
[root@Y-solinopenvpn]#visolin-vpn.conf
修改如下
local192.168.119.96
port52115
prototcp
devtun
ca/etc/openvpn/keys/ca.crt
key/etc/openvpn/keys/server.key
cert/etc/openvpn/keys/server.crt
dh/etc/openvpn/keys/dh1024.pem
server10.8.0.0255.255.255.0
ifconfig-pool-persistipp.txt
keepalive10120
comp-lzo
persist-key
persist-tun
statusopenvpn-status.log
verb3
push"route192.168.239.0255.255.255.0"
client-to-client
log/var/log/openvpn.log
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/D0/wKiom1kDESqjaq1iAAB1EwPcHAk859.jpg">@H_696_19@@H_696_19@@H_696_19@
启动服务端的VPN服务@H_502_9@
0、取消防火墙对VPN(1194,52115)的拦截@H_696_19@
1、开启内核转发功能@H_696_19@
(1)修改sysctl.conf@H_696_19@
[root@Y-solinopenvpn]#vi/etc/sysctl.conf
修改
…
net.ipv4.ip_forWARD=1
…
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/D0/wKiom1kDESrQMoqhAAFmsd1RBOU708.png">@H_696_19@@H_696_19@@H_696_19@
(2)配置生效@H_696_19@
[root@Y-solinopenvpn]#sysctl-p
net.ipv4.ip_forWARD=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
kernel.sysrq=0
kernel.core_uses_pid=1
net.ipv4.tcp_syncookies=1
kernel.msgmnb=65536
kernel.msgmax=65536
kernel.shmmax=68719476736
kernel.shmall=4294967296
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKioL1kDESuAnYqoAABime-1xhg363.jpg">@H_696_19@@H_696_19@@H_696_19@
2、启动OpenVPN服务@H_696_19@
[root@Y-solinopenvpn]#/usr/local/sbin/openvpn--config/etc/openvpn/solin-vpn.conf&
[1]48435
3、检查VPN服务端口@H_696_19@
[root@Y-solinopenvpn]#netstat-lntup|grep52115
tcp00192.168.119.96:521150.0.0.0:*LISTEN50918/openvpn
[root@Y-solinopenvpn]#ps-ef|grepvpn
root509182392009:22pts/100:00:00/usr/local/sbin/openvpn--config/etc/openvpn/solin-vpn.conf
root509322392009:23pts/100:00:00grepvpn
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M01/92/D0/wKiom1kDESviI2-HAABEshcINJo704.jpg">@H_696_19@@H_696_19@@H_696_19@
4、设置开机自启动(两种方式)@H_696_19@
方式一:修改rc.local配置文件@H_696_19@
[root@Y-solinopenvpn]#echo"#starupopenvpnbysolinat170427">>/etc/rc.local
[root@Y-solinopenvpn]#echo"/usr/local/sbin/openvpn--config/etc/openvpn/solin-vpn.conf&">>/etc/rc.local
[root@Y-solinopenvpn]#tail-2/etc/rc.local
#starupopenvpnbysolinat170427
/usr/local/sbin/openvpn--config/etc/openvpn/solin-vpn.conf&
方式二:加入init.d目录下@H_696_19@
注:solin-vpn.conf必须修改为server.conf才可实现@H_696_19@
[root@Y-solinopenvpn]#cp/home/solin/opt/openvpm/openvpn-2.2.2/sample-scripts/openvpn.init/etc/init.d/openvpn
[root@Y-solinopenvpn]#chmod755/etc/init.d/openvpn
[root@Y-solinopenvpn]#chkconfigopenvpnon
[root@Y-solinopenvpn]#chkconfig--listopenvpn
openvpn0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/D0/wKiom1kDEXyTgAnnAABMAeiabes223.jpg">@H_696_19@@H_696_19@@H_696_19@
到这里服务端完全配置完毕!@H_696_19@
安装WindowsVPN客户端配置VPN连接@H_502_9@
1、下载安装客户端@H_696_19@
官网下载:https://openvpn.net/index.PHP/download/58-open-source/downloads.html@H_696_19@
下载与OpenVPN服务端版本一致的Windows客户端,如果版本不一致可能会导致连接失败。@H_696_19@
我这里下载好了@H_696_19@
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/D0/wKiom1kDEX3QvltnAACFapXkbdU359.png">@H_696_19@@H_696_19@@H_696_19@
2、openvpn-2.2.2Windows客户端安装@H_696_19@
(1)双加开始安装@H_696_19@
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKioL1kDEX2yEyGhAABxmykvvVY792.jpg">@H_696_19@@H_696_19@@H_696_19@
(2)按默认配置安装就可以了@H_696_19@
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/CE/wKioL1kDEX2iu7kkAABmc90u8_0870.jpg">@H_696_19@@H_696_19@@H_696_19@
3、客户端配置@H_696_19@
(1)备份client.conf配置文件@H_696_19@
[root@Y-solinopenvpn]#pwd
/etc/openvpn
[root@Y-solinopenvpn]#ll
总用量56
-rw-rw-r--.1500500342610月212010client.conf
-rw-------.1rootroot04月2814:13ipp.txt
drwx------.2rootroot40964月2809:09keys
-rw-------.1rootroot2324月2814:13openvpn-status.log
-rw-rw-r--.15005001028810月212010server.conf
-rw-r--r--.1rootroot102884月2717:15server.conf.solin.170427
-rw-r--r--.1rootroot4034月2809:20solin-vpn.conf
-rw-rw-r--.1500500174210月212010static-home.conf
-rw-rw-r--.1500500168810月212010static-office.conf
-rw-rw-r--.1500500193710月212010tls-home.conf
-rw-rw-r--.1500500194810月212010tls-office.conf
[root@Y-solinopenvpn]#cpclient.confclient.conf.solin.17.04.28
(2)过滤配置文件@H_696_19@
[root@Y-solinopenvpn]#egrep-v"^#|^;|^$"client.conf
client
devtun
protoudp
remotemy-server-11194
resolv-retryinfinite
nobind
persist-key
persist-tun
caca.crt
certclient.crt
keyclient.key
ns-cert-typeserver
comp-lzo
verb3
(3)过滤内容追加为新的文件@H_696_19@
[root@Y-solinopenvpn]#egrep-v"^#|^;|^$"client.conf>client-solin.conf
[root@Y-solinopenvpn]#catclient-solin.conf
client
devtun
protoudp
remotemy-server-11194
resolv-retryinfinite
nobind
persist-key
persist-tun
caca.crt
certclient.crt
keyclient.key
ns-cert-typeserver
comp-lzo
verb3
(4)生产环境下配置@H_696_19@
[root@Y-solinopenvpn]#viclient-solin.conf
[root@Y-solinopenvpn]#catclient-solin.conf
client
devtun
#protoudp
prototcp
#remotemy-server-11194
remote192.168.119.9652115
resolv-retryinfinite
nobind
persist-key
persist-tun
caca.crt
#certclient.crt
certsolin.crt
#keyclient.key
keysolin.key
ns-cert-typeserver
comp-lzo
verb3
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M01/92/D0/wKiom1kDEX7ANjmQAABkq9Eu3TA899.jpg">@H_696_19@@H_696_19@@H_696_19@
4、从服务器导出修改好的配置文件和证书文件@H_696_19@
在OpenVPN安装目录(我的OpenVPN安装目录:D:\Tools\OpenVPN\config)的config文件夹下,新建client-solin文件夹,把配置好的配置文件和证书文件放在该目录中@H_696_19@
[root@Y-solinopenvpn]#szclient-solin.confkeys/ca.crtkeys/solin.*keys/xiaodangjia.*
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M01/92/D0/wKiom1kDEX6D_o2AAABdmPlRCQY395.jpg">@H_696_19@@H_696_19@@H_696_19@
5、修改配置文件client-solin.conf和证书文件client-solin.ovpn@H_696_19@
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" width="650" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M01/92/CE/wKioL1kDEX7Q3X5BAABW8ZIxuBw305.jpg">@H_696_19@@H_696_19@@H_696_19@
@H_696_19@
6、同样的方式导出xiaodangjia配置文件和认证文件@H_696_19@
(1)在我的安装目录D:\Tools\OpenVPN\config下,创建client-xiaodangjia文件夹,导入配置文件和认证文件@H_696_19@
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M00/92/D0/wKiom1kDEX-xkyQfAACLFE2NnyY144.png">@H_696_19@@H_696_19@@H_696_19@
(2)连接拨号client-xiaodangjia,需要输入密码,连接成功@H_696_19@
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M02/92/D0/wKiom1kDEX_RSejBAAA9Z8oGl4w780.jpg">@H_696_19@@H_696_19@@H_696_19@
7、连接拨号@H_696_19@
(1)双加打开VPN
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M01/92/CE/wKioL1kDEX7AdHWXAAAdw0DOtjQ242.png">@H_696_19@@H_696_19@(2)拨号连接
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M02/92/D0/wKiom1kDEX6Q_3ORAAAE022qbKY973.png">@H_696_19@@H_696_19@(3)连接成功显示绿色
![CentOS 6.8 上OpenVPN部署和使用]( "CentOS 6.8 上OpenVPN部署和使用")
s.width=650;" src="http://img.code.cc/vcimg/static/loading.png" style="padding:0px;margin:0px;vertical-align:top;border:none;" src="http://s3.51cto.com/wyfs02/M02/92/CE/wKioL1kDEX_ipOBfAAAC5OF0lbg586.png">@H_696_19@@H_696_19@@H_696_19@
