1. Install easy-rsa:
[root@localhost ~]# yum install -y easy-rsa
2. Check where easy-rsa was installed:
[root@localhost ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa-3.0.8
/usr/share/doc/easy-rsa-3.0.8/COPYING.md
/usr/share/doc/easy-rsa-3.0.8/ChangeLog
/usr/share/doc/easy-rsa-3.0.8/README.md
/usr/share/doc/easy-rsa-3.0.8/README.quickstart.md
/usr/share/doc/easy-rsa-3.0.8/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa-3.0.8
/usr/share/licenses/easy-rsa-3.0.8/gpl-2.0.txt
3. Install OpenVPN:
[root@localhost ~]# yum install -y openvpn
4. Copy easy-rsa into the /etc/openvpn directory:
[root@localhost ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
5. Copy the easy-rsa configuration template into /etc/openvpn/easy-rsa/3.0.8 and rename it to vars:
[root@localhost ~]# cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/3.0.8/vars
[root@localhost ~]# cd /etc/openvpn/easy-rsa/3.0.8/
[root@localhost 3.0.8]# ll
total 96
-rwxr-xr-x. 1 root root 76946 Jul 7 18:26 easyrsa
-rw-r--r--. 1 root root 4616 Jul 7 18:26 openssl-easyrsa.cnf
-rw-r--r--. 1 root root 8925 Jul 7 18:28 vars
drwxr-xr-x. 2 root root 122 Jul 7 18:26 x509-types
6. Inspect the /etc/openvpn directory:
[root@localhost 3.0.8]# tree /etc/openvpn
/etc/openvpn
├── client
├── easy-rsa
│   ├── 3 -> 3.0.8
│   ├── 3.0 -> 3.0.8
│   └── 3.0.8
│       ├── easyrsa
│       ├── openssl-easyrsa.cnf
│       ├── vars
│       └── x509-types
│           ├── ca
│           ├── client
│           ├── code-signing
│           ├── COMMON
│           ├── email
│           ├── kdc
│           ├── server
│           └── serverClient
└── server
7 directories, 11 files
7. To adjust the certificate settings, first open vars: it contains the certificate parameters that need to be changed.
I also tried the source vars command as the instructor suggested, but the current version no longer needs it. The ./clean all command is no longer needed either.
8. Initialize the PKI:
[root@localhost 3.0.8]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.8/pki
[root@localhost 3.0.8]#
9. To keep installation and testing simple, the root CA is created here with the nopass option, so its key has no passphrase:
[root@localhost 3.0.8]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
........................................................................................................+++
.........................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.8/pki/ca.crt
[root@localhost 3.0.8]#
Without nopass you are prompted to enter and confirm a passphrase.
10. Generate the server private key and certificate request:
[root@localhost 3.0.8]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.......................+++
................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-62985.c0ASOu/tmp.7U9tqs'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.8/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.8/pki/private/server.key
[root@localhost 3.0.8]#
11. Sign the server certificate; when prompted with "Confirm request details", type yes:
[root@localhost 3.0.8]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-63013.i3eDaQ/tmp.2xHYYf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Oct 10 10:57:47 2027 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.8/pki/issued/server.crt
[root@localhost 3.0.8]#
12. Generate the DH parameter file dh.pem, used for the Diffie-Hellman key exchange between client and server:
[root@localhost 3.0.8]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+..................+...............................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.8/pki/dh.pem
[root@localhost 3.0.8]#
13. Generate the TLS authentication key; ta.key is the tls-auth key file used to protect against denial-of-service attacks:
[root@localhost 3.0.8]# openvpn --genkey --secret ta.key
14. Generate the client private key and certificate request:
[root@localhost 3.0.8]# ./easyrsa gen-req client nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...............................+++
.......................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-63114.noJf6D/tmp.X3EA7H'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.8/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/3.0.8/pki/private/client.key
[root@localhost 3.0.8]#
15. Sign the client certificate; type yes when prompted:
[root@localhost 3.0.8]# ./easyrsa sign client client
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.8/pki/easy-rsa-63141.w4cj2W/tmp.2dnZIu
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Oct 10 11:05:39 2027 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.8/pki/issued/client.crt
[root@localhost 3.0.8]#
So far we have produced the following:
1. Configured the vars file;
2. Generated the root CA certificate ca.crt, used by both server and client;
3. Generated the server certificate and key: server.crt and server.key;
4. Generated the client certificate and key: client.crt and client.key;
5. Generated the key-exchange (DH) file: dh.pem;
6. Generated the TLS authentication key used against denial-of-service attacks: ta.key.
16. View the directory structure of the files generated so far:
[root@localhost 3.0.8]# ll
total 104
-rwxr-xr-x. 1 root root 76946 Jul 7 18:26 easyrsa
-rw-r--r--. 1 root root 4616 Jul 7 18:26 openssl-easyrsa.cnf
drwx------. 8 root root 4096 Jul 7 19:05 pki
-rw-------. 1 root root 636 Jul 7 19:54 ta.key
-rw-r--r--. 1 root root 8887 Jul 7 18:40 vars
drwxr-xr-x. 2 root root 122 Jul 7 18:26 x509-types
[root@localhost 3.0.8]# tree pki
pki
├── ca.crt
├── certs_by_serial
│   ├── 686BFA2C81193B932A049ACE4A593ABB.pem
│   └── 97BA27C9399DAC138B24F96AE5B88753.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── client.crt
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   ├── client.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── client.req
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 19 files
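As an added example that is not part of the original post, the following POSIX shell script sanity-checks the pki/ tree listed above before its files are copied to the server. It assumes the openssl command-line tool is installed; make_test_pki is a constructed helper that builds a throwaway CA with plain openssl purely so the check can be exercised offline, standing in for the easyrsa commands from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the pki/ tree that
# easy-rsa produced before its files are copied into /etc/openvpn/server.
# Assumes the pki/ layout shown above and that the openssl CLI is installed.

# Return 0 when DIR holds a usable server PKI, 1 otherwise; prints each finding.
check_openvpn_pki() {
    dir=$1; rc=0
    # 1. server.crt must chain to the CA certificate the clients will be given.
    if openssl verify -CAfile "$dir/ca.crt" "$dir/issued/server.crt" 2>/dev/null \
        | grep -q ': OK$'
    then echo "ok   server.crt chains to ca.crt"
    else echo "FAIL server.crt does not verify against ca.crt"; rc=1; fi
    # 2. './easyrsa sign server' adds extendedKeyUsage=serverAuth; clients rely
    #    on it (remote-cert-tls server) to tell a server cert from a client cert.
    if openssl x509 -in "$dir/issued/server.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
    then echo "ok   server.crt carries extendedKeyUsage=serverAuth"
    else echo "FAIL server.crt lacks extendedKeyUsage=serverAuth"; rc=1; fi
    # 3. server.key must be the private half of server.crt.
    if [ "$(openssl x509 -noout -pubkey -in "$dir/issued/server.crt")" = \
         "$(openssl pkey -pubout -in "$dir/private/server.key")" ]
    then echo "ok   server.key matches server.crt"
    else echo "FAIL server.key does not match server.crt"; rc=1; fi
    # 4. Private keys must stay mode 0600 as in the listing above; ca.key in
    #    particular stays in pki/private and is never copied to the VPN server.
    if [ -z "$(find "$dir/private" -type f -perm /077)" ]
    then echo "ok   private keys are not group/world readable"
    else echo "FAIL a private key is group/world readable"; rc=1; fi
    return $rc
}

# Build a throwaway PKI with plain openssl so the check can run offline
# (constructed for this example; a real CA is built with the easyrsa steps
# above). $2 is the EKU written into the server cert: serverAuth or clientAuth.
make_test_pki() {
    d=$1; mkdir -p "$d/issued" "$d/private"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\n' \
        > "$d/req.cnf"; echo 'basicConstraints=critical,CA:TRUE' >> "$d/req.cnf"
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=test-ca -keyout "$d/private/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj /CN=server \
        -keyout "$d/private/server.key" -out "$d/server.req" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$2" > "$d/ext.cnf"
    openssl x509 -req -days 1 -in "$d/server.req" -CA "$d/ca.crt" \
        -CAkey "$d/private/ca.key" -CAcreateserial -extfile "$d/ext.cnf" \
        -out "$d/issued/server.crt" 2>/dev/null
    chmod 600 "$d"/private/*
}
```

Against the tree from the post, run check_openvpn_pki /etc/openvpn/easy-rsa/3.0.8/pki; any FAIL line means the file set should not be copied to the server yet.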
17. The certificates are generated and OpenVPN is installed, so now configure the OpenVPN server:
Copy the certificate files into /etc/openvpn. The earlier article copied them into a certs directory, but I see that ready-made client and server directories already exist, so the server-side files go into server and the client-side files into client:
[root@localhost 3.0.8]# cp ./pki/ca.crt /etc/openvpn/server/
[root@localhost 3.0.8]# cp ./pki/dh.pem /etc/openvpn/server/
[root@localhost 3.0.8]# cp ./pki/issued/server.crt /etc/openvpn/server/
[root@localhost 3.0.8]# cp ./pki/private/server.key /etc/openvpn/server/
[root@localhost pki]# cd /etc/openvpn/server/
[root@localhost server]# ll
total 20
-rw-------. 1 root root 1172 Jul 7 19:29 ca.crt
-rw-------. 1 root root 424 Jul 7 19:29 dh.pem
-rw-------. 1 root root 4552 Jul 7 19:30 server.crt
-rw-------. 1 root root 1704 Jul 7 19:30 server.key
[root@localhost server]#
18. Copy the sample server.conf template into /etc/openvpn/:
[root@localhost server]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
[root@localhost openvpn]# ll
total 12
drwxr-x---. 2 root openvpn 6 Mar 18 2022 client
drwxr-xr-x. 3 root root 39 Jul 7 18:26 easy-rsa
drwxr-x---. 2 root openvpn 70 Jul 7 19:30 server
-rw-r--r--. 1 root root 10784 Jul 7 19:32 server.conf
List the files installed by the openvpn package:
[root@localhost openvpn]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.4.12
/usr/share/doc/openvpn-2.4.12/AUTHORS
/usr/share/doc/openvpn-2.4.12/COPYING
/usr/share/doc/openvpn-2.4.12/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.4.12/ChangeLog
/usr/share/doc/openvpn-2.4.12/Changes.rst
/usr/share/doc/openvpn-2.4.12/README
/usr/share/doc/openvpn-2.4.12/README.auth-pam
/usr/share/doc/openvpn-2.4.12/README.down-root
/usr/share/doc/openvpn-2.4.12/README.systemd
/usr/share/doc/openvpn-2.4.12/contrib
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.4.12/contrib/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.4.12/management-notes.txt
/usr/share/doc/openvpn-2.4.12/sample
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/README
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/home.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/office.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn-2.4.12/sample/sample-windows
/usr/share/doc/openvpn-2.4.12/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn
[root@localhost openvpn]#
19. Edit the server.conf configuration file:
1) Update the certificate paths:
2) After a VPN client dials in, the system assigns it an address from a virtual VPN subnet.
3) The push section: the VPN dial-in subnet and the company's real internal subnet:
If the route is not pushed, a client that dials in cannot reach that subnet.
Without the 10.1 subnet, dial-in is not allowed.
The point of dialing in is to reach the company's real internal subnet, 192.168.0.0.
4) ta.key, the tls-auth key file used against denial-of-service attacks:
5) Cipher (encryption algorithm):
20. Enable IP forwarding:
[root@localhost openvpn]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@localhost openvpn]# sysctl -p
net.ipv4.ip_forward = 1
21. Create the service unit that starts OpenVPN:
[root@localhost openvpn]# cat /lib/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config /etc/openvpn/server.conf
[Install]
WantedBy=multi-user.target
[root@localhost openvpn]#
The openvpn process can also be started by hand with openvpn --daemon --config server.conf and stopped with kill.
22. Enable OpenVPN at boot:
[root@localhost openvpn]# systemctl enable openvpn
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn.service to /usr/lib/systemd/system/openvpn.service.
[root@localhost openvpn]#
23. Start OpenVPN:
[root@localhost openvpn]# systemctl start openvpn
[root@localhost openvpn]#
24. Check the listening port and the process:
[root@localhost openvpn]# lsof -i:1194
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 63376 root 6u IPv4 83122 0t0 UDP *:openvpn
[root@localhost openvpn]# ps -ef |grep openvpn
root 63376 1 0 21:32 ? 00:00:00 /usr/sbin/openvpn --cd /etc/openvpn/ --config /etc/openvpn/server.conf
root 63408 62780 0 21:34 pts/1 00:00:00 grep --color=auto openvpn
[root@localhost openvpn]# netstat -lntup |grep openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 63376/openvpn