
Network System Administration, Linux Environment: OpenVPN on RouterSrv

Author: 冷影玺
Modified 2024-09-14 13:45:16
Collected in column: 冷影玺

Task requirements

Tasks on server RouterSrv

5. OPENVPN

The server must log each client's login time and username, in the format "2022-08-10: 08:10:30 Successful authentication: username="vpnuser1"";

the log file is stored at /var/log/openvpn.log;

create user vpnuser1 with password 123456 and authenticate by username and password; the user may only communicate with the InsideCli client network segment and is allowed to reach the SAMBA service on the StorageSrv host;

the VPN address range is 172.16.0.0/24, and OpenVPN works on TCP port 1194.

Note that the walkthrough below covers the log format, the log file, the user, the address range and the port. The restriction of vpnuser1 to the InsideCli segment and to SAMBA on StorageSrv is not configured anywhere in it; on RouterSrv that takes a pushed route for the InsideCli segment plus firewall filtering of the traffic forwarded from 172.16.0.0/24, and is left to the reader.

Project implementation

Server configuration

Install:

[root@routesrv ~]# yum install openvpn easy-rsa -y

Copy easy-rsa (the certificate tool) into /etc/openvpn:

[root@routesrv ~]# cp -rf /usr/share/easy-rsa/3/* /etc/openvpn/

Create the certificate files (note: none of the certificates or keys gets a passphrase)

Initialize; the program creates the pki directory automatically:

[root@routesrv ~]# cd /etc/openvpn/
[root@routesrv openvpn]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki


[root@routesrv openvpn]#

Generate the root CA certificate; nopass means the CA key is not encrypted (press Enter at the prompt to accept the default Common Name):

[root@routesrv openvpn]# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
............................................+++
.....................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt


[root@routesrv openvpn]#

Generate the server key and certificate request; press Enter at the Common Name prompt to accept the default name, server:

[root@routesrv openvpn]# ./easyrsa gen-req server nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...............+++
.......................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-15746.IHk5zU/tmp.1tZRyT'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/server.req
key: /etc/openvpn/pki/private/server.key


[root@routesrv openvpn]#

Sign the server certificate request as a server certificate (type yes):

[root@routesrv openvpn]# ./easyrsa sign-req server server
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/pki/easy-rsa-15773.OwXZdU/tmp.K05m4j
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Feb 13 06:07:59 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/pki/issued/server.crt


[root@routesrv openvpn]#

Generate dh.pem:

[root@routesrv openvpn]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........+............+....+.........................................................................................................................................+................++*++*

DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem


[root@routesrv openvpn]#

Generate the TLS auth key (note that the walkthrough later comments out tls-auth on both server and client, so this key ends up unused; see the server configuration below):

[root@routesrv openvpn]# openvpn --genkey --secret ta.key

Generate the client key and certificate request. This request is never signed in the walkthrough; since the server is later configured with client-cert-not-required and the client's cert/key lines are commented out, the username/password setup used here does not need a client certificate at all:

[root@routesrv openvpn]# ./easyrsa gen-req client nopass
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.+++
....................................................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-15860.KisxJN/tmp.UdLmjk'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/client.req
key: /etc/openvpn/pki/private/client.key


[root@routesrv openvpn]#
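
The following shell script is an added example and is not part of the original article. It rebuilds the same kind of CA and server certificate with plain openssl (so it runs anywhere, without easy-rsa) and then runs the three checks worth doing on the real /etc/openvpn/pki files before ca.crt is shipped to a client: that server.crt chains to ca.crt, that it carries the serverAuth extended key usage which the client's remote-cert-tls server option requires, and whether it is valid at a given clock time. The names, the 825-day validity and the working directory are assumptions chosen to mirror the easy-rsa run above.

```shell
#!/bin/sh
# Added example (not from the article): reproduce the CA + server certificate
# with plain openssl, then run the checks you would run on
# /etc/openvpn/pki/ca.crt and pki/issued/server.crt. Everything lands in a
# throw-away directory.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Assumption: same CNs and validity as the easy-rsa run (keys unencrypted, like nopass).
make_pki() {
    # CA: self-signed, CA:TRUE, keyCertSign (what "easyrsa build-ca" produces).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Easy-RSA CA" \
        -keyout ca.key -out ca.req 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -days 825 -in ca.req -signkey ca.key -extfile ca.ext -out ca.crt 2>/dev/null

    # Server request, then signature with the extensions "easyrsa sign-req server"
    # adds; extendedKeyUsage=serverAuth is the one "remote-cert-tls server" checks.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server" \
        -keyout server.key -out server.req 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
    openssl x509 -req -days 825 -in server.req -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile server.ext -out server.crt 2>/dev/null
}

# Check 1: server.crt chains to ca.crt (what the client verifies via "ca ca.crt").
chain_ok() { openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1; }

# Check 2: serverAuth EKU present. A certificate issued with "sign-req client"
# would fail this, and the client would refuse it under "remote-cert-tls server".
has_server_eku() {
    openssl x509 -in server.crt -noout -text | grep -q "TLS Web Server Authentication"
}

# Check 3: validity as seen from a given clock (epoch seconds). A client whose
# clock is before notBefore, the "synchronise the time" case at the end of the
# article, fails exactly this check during the TLS handshake.
valid_at() { openssl verify -attime "$1" -CAfile ca.crt server.crt >/dev/null 2>&1; }

make_pki
chain_ok && echo "chain: OK"
has_server_eku && echo "EKU: serverAuth present"
valid_at "$(date +%s)" && echo "valid now"
valid_at "$(( $(date +%s) - 86400 ))" || echo "not valid one day ago: a client clock that far behind cannot connect"
```

To run the same three checks against the real files, point chain_ok, has_server_eku and valid_at at /etc/openvpn/pki/ca.crt and /etc/openvpn/pki/issued/server.crt instead of the temporary directory, and remove the directory afterwards (rm -rf "$WORK").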

Configure the server side (server)

Copy the template file:

[root@routesrv openvpn]# cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/
[root@routesrv openvpn]# ll
total 104
drwxr-x---. 2 root openvpn     6 Apr 21  2021 client
-rwxr-xr-x. 1 root root    76946 Nov 11 14:04 easyrsa
-rw-r--r--. 1 root root     4616 Nov 11 14:04 openssl-easyrsa.cnf
drwx------. 8 root root     4096 Nov 11 14:10 pki
drwxr-x---. 2 root openvpn     6 Apr 21  2021 server
-rw-r--r--. 1 root root    10784 Nov 11 14:12 server.conf
-rw-------. 1 root root      636 Nov 11 14:09 ta.key
drwxr-xr-x. 2 root root      122 Nov 11 14:04 x509-types
[root@routesrv openvpn]#

Edit the server configuration file (line numbers refer to the 2.4.11 sample server.conf):

[root@routesrv openvpn]# vim server.conf


port 1194                                   # line 32
proto tcp                                   # line 35
dev tun                                     # line 53
ca pki/ca.crt                               # line 78
cert pki/issued/server.crt                  # line 79
key pki/private/server.key                  # line 80
dh pki/dh.pem                               # line 85
server 172.16.0.0 255.255.255.0             # line 101
#tls-auth ta.key 0 # This file is secret    # line 244, commented out
#explicit-exit-notify 1                     # line 315, commented out (only valid with proto udp)
# appended at the end of the file
script-security 3
auth-user-pass-verify /etc/openvpn/auth.sh via-env
username-as-common-name
client-cert-not-required
A few notes on these settings. The relative pki/ paths work because the openvpn@.service unit starts the daemon with --cd /etc/openvpn/. script-security 3 is needed because via-env hands the password to the script through its environment; via-file (OpenVPN writes username and password to a temporary file the script reads) only needs script-security 2 and keeps the password out of the process environment. client-cert-not-required is deprecated in OpenVPN 2.4 in favour of verify-client-cert none and was removed in 2.5. Commenting out tls-auth drops the HMAC check on the control channel, so any host that can reach TCP 1194 can start a TLS handshake with the server; with client certificates also disabled, keeping tls-auth ta.key 0 here (and shipping ta.key to the client with tls-auth ta.key 1) is the stronger choice.

Once the service is running (see below), the tun interface should carry the first address of the VPN range:

ip addr show | grep 172

Configure user authentication and logging:

[root@routesrv openvpn]# vim auth.sh

#!/bin/sh
# Called by OpenVPN (auth-user-pass-verify ... via-env): the client's username
# and password arrive in the environment variables $username and $password.
# Exit 0 accepts the login; anything else rejects it.
PASSFILE="/etc/openvpn/user"
LOG_FILE="/var/log/openvpn.log"
# Produces the required prefix, e.g. "2022-08-10: 08:10:30"
TIME_STAMP=$(date "+%Y-%m-%d: %T")

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP} Could not open password file \"${PASSFILE}\" for reading" >> "${LOG_FILE}"
    exit 1
fi

# Look up the password for this user. The username is read by awk from
# ENVIRON instead of being spliced into the program text, so a username
# containing quotes cannot alter the awk program. Lines starting with ';'
# or '#' are comments.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP} User does not exist: username=\"${username}\"" >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    # Exactly the line format the task requires
    echo "${TIME_STAMP} Successful authentication: username=\"${username}\"" >> "${LOG_FILE}"
    exit 0
fi

# The submitted password is deliberately not written to the log.
echo "${TIME_STAMP} Incorrect password: username=\"${username}\"" >> "${LOG_FILE}"
exit 1

Make it executable:

[root@routesrv openvpn]# chmod +x auth.sh

Add the user (username and password separated by a space). The file holds plaintext passwords, so it should be readable by root only:

[root@routesrv openvpn]# cat user
vpnuser1 123456
[root@routesrv openvpn]#
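
As an added example (not the article's code), the script below takes the password lookup and the log line from auth.sh and runs them against a constructed password file. It shows two things worth checking: that a client-chosen username spliced into the awk program text, as in the original one-liner, can change what awk executes, whereas passing it through ENVIRON cannot; and that the line written on success matches the format the task requires. Temporary files stand in for /etc/openvpn/user and /var/log/openvpn.log, and username and password are passed as function arguments instead of OpenVPN's environment variables.

```shell
#!/bin/sh
# Added example (not from the article): exercise the auth.sh lookup and log
# line against a constructed password file, with temp files in place of
# /etc/openvpn/user and /var/log/openvpn.log.
PASSFILE=$(mktemp)
LOG_FILE=$(mktemp)
chmod 600 "$PASSFILE"   # plaintext passwords: root-only
# Constructed sample password file in the article's "user password" format.
printf '# user password\nvpnuser1 123456\n;olduser disabled\n' > "$PASSFILE"

# Lookup as written in the original auth.sh: the username becomes part of the
# awk program text, so quote characters in it change the program.
lookup_unsafe() {
    awk '!/^;/&&!/^#/&&$1=="'"$1"'"{print $2;exit}' "$PASSFILE"
}

# Hardened lookup: the username reaches awk as data through ENVIRON, never as code.
lookup_safe() {
    VPN_USER="$1" awk '!/^;/ && !/^#/ && $1 == ENVIRON["VPN_USER"] { print $2; exit }' "$PASSFILE"
}

# The decision auth.sh makes, with OpenVPN's $username/$password taken as
# arguments so it can be called directly. Returns 0 = accept, 1 = reject.
vpn_auth() {
    username=$1
    password=$2
    stamp=$(date "+%Y-%m-%d: %T")          # e.g. "2022-08-10: 08:10:30"
    correct=$(lookup_safe "$username")
    if [ -z "$correct" ]; then
        echo "$stamp User does not exist: username=\"$username\"" >> "$LOG_FILE"
        return 1
    fi
    if [ "$password" = "$correct" ]; then
        echo "$stamp Successful authentication: username=\"$username\"" >> "$LOG_FILE"
        return 0
    fi
    # The submitted password is deliberately not logged.
    echo "$stamp Incorrect password: username=\"$username\"" >> "$LOG_FILE"
    return 1
}

# A username built so that the original awk one-liner prints a chosen string
# instead of consulting the file: it closes the string, adds "||1" so the
# pattern always matches, supplies its own action, and comments out the rest.
EVIL_USER='"||1{print "pwned";exit}#'

# Demonstration
vpn_auth vpnuser1 123456 && echo "accepted vpnuser1"
echo "unsafe lookup for crafted username returned: $(lookup_unsafe "$EVIL_USER")"
echo "safe lookup for crafted username returned:   '$(lookup_safe "$EVIL_USER")'"
cat "$LOG_FILE"
```

The unsafe lookup returns "pwned" for the crafted username, i.e. whatever the client chose, while the hardened lookup returns nothing for it; the successful-login line is checked against the exact format from the task.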

Start the service (openvpn@server reads /etc/openvpn/server.conf):

[root@routesrv openvpn]# systemctl restart openvpn@server

Check the server status:

[root@routesrv openvpn]# systemctl status openvpn@server

Client configuration

Install openvpn:

root@outsidecli:~# apt install openvpn -y

Copy the CA certificate and the sample configuration file to the client:

[root@routesrv openvpn]# scp pki/ca.crt root@81.6.63.110:/etc/openvpn
The authenticity of host '81.6.63.110 (81.6.63.110)' can't be established.
ECDSA key fingerprint is SHA256:aHK7i3gsbgmMuEp37r/9wYK7TUB8KOcDcFEsOU8g38E.
ECDSA key fingerprint is MD5:85:34:04:99:3e:51:cc:8e:83:44:50:77:fa:02:50:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '81.6.63.110' (ECDSA) to the list of known hosts.
root@81.6.63.110's password:
ca.crt                                                       100% 1172   525.6KB/s   00:00
[root@routesrv openvpn]#
[root@routesrv openvpn]# scp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/client.conf root@81.6.63.110:/etc/openvpn
root@81.6.63.110's password:
client.conf                                                  100% 3585     3.5MB/s   00:00
[root@routesrv openvpn]#

Edit the client configuration file (line numbers refer to the 2.4.11 sample client.conf):

root@outsidecli:~# vim /etc/openvpn/client.conf

client                      # line 16
dev tun                     # line 24
proto tcp                   # line 36
remote 81.6.63.254 1194     # line 42, RouterSrv's outside address
resolv-retry infinite       # line 54
nobind                      # line 58
persist-key                 # line 65
persist-tun                 # line 66
ca ca.crt                   # line 88
#cert client.crt            # line 89, commented out
#key client.key             # line 90, commented out
remote-cert-tls server      # line 104
#tls-auth ta.key 1          # line 108, commented out
cipher AES-256-GCM          # line 116
verb 3                      # line 124
auth-user-pass              # appended: prompt for username/password

The cipher line deserves a note: the 2.4 sample client.conf ships with cipher AES-256-CBC, and server.conf above was left at its sample default. The mismatch does not matter between two OpenVPN 2.4 peers, because cipher negotiation (NCP) is on by default and both sides settle on AES-256-GCM from the default ncp-ciphers list regardless of the cipher line.

Start the client with the edited client.conf and enter vpnuser1 / 123456 at the auth-user-pass prompt:

Check the network status (the tun interface should hold an address from 172.16.0.0/24):

If the connection fails with a TLS verification error saying the certificate is not yet valid or has expired, synchronising the client's clock fixes it: the client checks the server certificate against its own clock, so a clock outside the certificate's validity window makes the handshake fail.
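
Once the server is running and clients authenticate, /var/log/openvpn.log fills with the lines auth.sh writes. The script below is an added example, not from the article, that reviews such a log: the sample lines are constructed in the task's format, and the functions count successful and failed logins per user, report the last login time, and list usernames with repeated failures, which is the first thing to look at when TCP 1194 with password-only authentication is reachable from the Internet.

```shell
#!/bin/sh
# Added example (not from the article): review /var/log/openvpn.log as written
# by auth.sh. The log lines below are constructed in the task's format.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
2022-08-10: 08:10:30 Successful authentication: username="vpnuser1"
2022-08-10: 08:12:01 Incorrect password: username="vpnuser1"
2022-08-10: 08:12:05 Successful authentication: username="vpnuser1"
2022-08-10: 09:00:00 User does not exist: username="admin"
2022-08-10: 09:00:01 User does not exist: username="root"
2022-08-10: 09:00:02 Incorrect password: username="vpnuser1"
2022-08-10: 09:00:03 Incorrect password: username="vpnuser1"
2022-08-10: 09:00:04 Incorrect password: username="vpnuser1"
EOF

# Extract the quoted username from each log line on stdin; lines without one
# (e.g. "Could not open password file") produce no output.
log_user() { sed -n 's/.*username="\([^"]*\)".*/\1/p'; }

# Number of successful logins for one user.
successes() { grep 'Successful authentication:' "$LOG" | log_user | grep -cxF "$1"; }

# Number of failed attempts (wrong password or unknown user) for one user.
failures() {
    grep -E 'Incorrect password:|User does not exist:' "$LOG" | log_user | grep -cxF "$1"
}

# Usernames with at least $1 failures, most failures first, one per line.
suspects() {
    grep -E 'Incorrect password:|User does not exist:' "$LOG" | log_user \
        | sort | uniq -c | sort -rn | awk -v min="$1" '$1 >= min { print $2 }'
}

# Date and time of the last successful login for a user, the two values the
# task requires the log to record.
last_login() {
    grep "Successful authentication: username=\"$1\"" "$LOG" | tail -n 1 \
        | sed 's/^\([0-9-]*\): \([0-9:]*\) .*/\1 \2/'
}

echo "vpnuser1: $(successes vpnuser1) ok, $(failures vpnuser1) failed, last login $(last_login vpnuser1)"
echo "usernames with 3 or more failures:"
suspects 3
```

Run against the real file by setting LOG=/var/log/openvpn.log instead of the constructed sample; the three "User does not exist" and "Incorrect password" patterns are the ones the auth.sh above writes.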

Originally published: 2023-03-19
