The server must log each client login with the time and username, in the format “2022-08-10: 08:10:30 Successful authentication: username="vpnuser1"”;
The log file is stored at /var/log/openvpn.log;
Create the user vpnuser1 with password 123456, authenticated by username and password; the user may only communicate with the InsideCli client network segment and may access the SAMBA service on the StorageSrv host;
The VPN address range is 172.16.0.0/24, and OpenVPN works over TCP port 1194.
Install:
[root@routesrv ~]# yum install openvpn easy-rsa -y
Copy easy-rsa (the certificate tooling) to /etc/openvpn:
[root@routesrv ~]# cp -rf /usr/share/easy-rsa/3/* /etc/openvpn/
Create the certificate files (note: none of the certificates are protected by a password).
Initialise; the program creates the pki directory automatically:
[root@routesrv ~]# cd /etc/openvpn/
[root@routesrv openvpn]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
[root@routesrv openvpn]#
Generate the root CA; nopass means the CA private key is not encrypted (press Enter at the prompt):
[root@routesrv openvpn]# ./easyrsa build-ca nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
............................................+++
.....................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
[root@routesrv openvpn]#
Generate the server certificate request; press Enter at Common Name to use the default name "server":
[root@routesrv openvpn]# ./easyrsa gen-req server nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...............+++
.......................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-15746.IHk5zU/tmp.1tZRyT'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/server.req
key: /etc/openvpn/pki/private/server.key
[root@routesrv openvpn]#
Sign the server certificate (type yes when prompted):
[root@routesrv openvpn]# ./easyrsa sign-req server server
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/pki/easy-rsa-15773.OwXZdU/tmp.K05m4j
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 13 06:07:59 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/pki/issued/server.crt
[root@routesrv openvpn]#
Generate dh.pem:
[root@routesrv openvpn]# ./easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........+............+....+.........................................................................................................................................+................++*++*
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
[root@routesrv openvpn]#
Generate the TLS auth key (ta.key; note that the server and client configurations below comment tls-auth out, so this key ends up unused):
[root@routesrv openvpn]# openvpn --genkey --secret ta.key
Generate the client certificate request (the client configuration below authenticates with username and password only and comments cert/key out, so this certificate is not used either):
[root@routesrv openvpn]# ./easyrsa gen-req client nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.+++
....................................................................+++
writing new private key to '/etc/openvpn/pki/easy-rsa-15860.KisxJN/tmp.UdLmjk'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/pki/reqs/client.req
key: /etc/openvpn/pki/private/client.key
[root@routesrv openvpn]#
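Before configuring the server, it is worth confirming that the certificates just issued will be accepted by a client that uses remote-cert-tls server, as the client configuration below does: that directive requires the server certificate to carry the serverAuth extended key usage, which is exactly what sign-req server (as opposed to sign-req client) adds. The script below is an added example and not part of the original write-up. It builds a throwaway CA and two leaf certificates with plain openssl in a temporary directory, so it runs without easy-rsa or the files under /etc/openvpn/pki, and applies the same two checks (chain to the CA, serverAuth present) that you would run against pki/ca.crt and pki/issued/server.crt. The common names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example: build a throwaway CA plus two leaf certificates with openssl
# and check which one OpenVPN's "remote-cert-tls server" would accept.
# Nothing here touches /etc/openvpn; everything lives in a temp directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, standing in for easy-rsa's "build-ca nopass".
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Easy-RSA CA" >/dev/null 2>&1
}

# Issue a leaf certificate: $1 = common name, $2 = extended key usage
# (serverAuth mirrors "sign-req server", clientAuth mirrors "sign-req client").
issue_cert() {
    cn=$1; eku=$2
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$cn.key" -out "$WORK/$cn.req" \
        -subj "/CN=$cn" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$WORK/$cn.ext"
    openssl x509 -req -days 825 -in "$WORK/$cn.req" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$cn.ext" -out "$WORK/$cn.crt" >/dev/null 2>&1
}

# The checks a client with "remote-cert-tls server" effectively performs:
# the certificate chains to our CA, and its EKU includes serverAuth.
# $1 = CA file, $2 = certificate. Prints "ok" or the reason it is rejected.
check_server_cert() {
    ca=$1; crt=$2
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "chain: $crt is not signed by $ca"
        return 1
    fi
    if ! openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "eku: $crt lacks serverAuth (signed as a client certificate?)"
        return 1
    fi
    echo ok
}

make_ca
issue_cert server serverAuth   # what "sign-req server server" produces
issue_cert client clientAuth   # what "sign-req client client" would produce

echo "server.crt: $(check_server_cert "$WORK/ca.crt" "$WORK/server.crt")"
echo "client.crt: $(check_server_cert "$WORK/ca.crt" "$WORK/client.crt")"
```

Run against the real files with check_server_cert /etc/openvpn/pki/ca.crt /etc/openvpn/pki/issued/server.crt; a certificate that was accidentally signed with the client type fails the second check, which is the error a client would otherwise only see as a TLS handshake failure.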
Configure the server side (server)
Copy the template file:
[root@routesrv openvpn]# cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/
[root@routesrv openvpn]# ll
总用量 104
drwxr-x---. 2 root openvpn 6 4月 21 2021 client
-rwxr-xr-x. 1 root root 76946 11月 11 14:04 easyrsa
-rw-r--r--. 1 root root 4616 11月 11 14:04 openssl-easyrsa.cnf
drwx------. 8 root root 4096 11月 11 14:10 pki
drwxr-x---. 2 root openvpn 6 4月 21 2021 server
-rw-r--r--. 1 root root 10784 11月 11 14:12 server.conf
-rw-------. 1 root root 636 11月 11 14:09 ta.key
drwxr-xr-x. 2 root root 122 11月 11 14:04 x509-types
[root@routesrv openvpn]#
Edit the server configuration file:
[root@routesrv openvpn]# vim server.conf
port 1194 # line 32
proto tcp # line 35
dev tun # line 53
ca pki/ca.crt # line 78
cert pki/issued/server.crt # line 79
key pki/private/server.key # line 80
dh pki/dh.pem # line 85
server 172.16.0.0 255.255.255.0 # line 101
#tls-auth ta.key 0 # This file is secret # line 244: comment out
#explicit-exit-notify 1 # line 315: comment out
# append at the end of the file
script-security 3
auth-user-pass-verify /etc/openvpn/auth.sh via-env
username-as-common-name
client-cert-not-required
Configure user authentication with logging:
[root@routesrv openvpn]# vim auth.sh
#!/bin/sh
# Called by OpenVPN through "auth-user-pass-verify /etc/openvpn/auth.sh via-env":
# the client's credentials arrive in the environment variables username and password.
PASSFILE="/etc/openvpn/user"
LOG_FILE="/var/log/openvpn.log"
# Timestamp in the format the task requires, e.g. "2022-08-10: 08:10:30"
TIME_STAMP=$(date "+%Y-%m-%d: %T")
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP} Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi
# Look up this user's password, skipping comment lines that start with ';' or '#'.
# The username is handed to awk with -v instead of being spliced into the awk
# program text, so a name containing quotes or spaces cannot alter the program.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP} User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP} Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi
# The submitted password is deliberately not written to the log on failure.
echo "${TIME_STAMP} Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
Make the script executable:
[root@routesrv openvpn]# chmod +x auth.sh
Add the user (username and password separated by a space):
[root@routesrv openvpn]# cat user
vpnuser1 123456
[root@routesrv openvpn]#
Start the service:
[root@routesrv openvpn]# systemctl restart openvpn@server
Check the service status:
[root@routesrv openvpn]# systemctl status openvpn@server
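To check the verification logic and the log format without connecting a real client, the following added example (not from the original write-up) re-implements the decision made by auth.sh as a shell function over a constructed user file and log file in a temporary directory, runs a handful of constructed login attempts through it, and then counts successful logins and failed attempts per username from the resulting log, which is the summary one would want from /var/log/openvpn.log to notice password guessing against the VPN account. The file paths, the usernames other than vpnuser1 and the attempts themselves are constructed.

```shell
#!/bin/sh
# Added example: exercise the user/password verification offline and summarise
# the resulting log. Constructed data only; the paths below are temp files,
# not /etc/openvpn/user or /var/log/openvpn.log.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSFILE="$WORK/user"
LOG_FILE="$WORK/openvpn.log"

# Constructed user file in the write-up's format: "username password" per line;
# lines starting with '#' or ';' are comments.
cat > "$PASSFILE" <<'EOF'
# vpn users
vpnuser1 123456
;disabled 999999
EOF

# Same decision as auth.sh, with the username passed to awk via -v so quotes
# or spaces in a supplied name cannot change the awk program.
# $1 = username, $2 = password. Appends one log line; returns 0 only on success.
verify_user() {
    u=$1; p=$2
    stamp=$(date "+%Y-%m-%d: %T")
    if [ ! -r "$PASSFILE" ]; then
        echo "$stamp Could not open password file \"$PASSFILE\" for reading." >> "$LOG_FILE"
        return 1
    fi
    expected=$(awk -v u="$u" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "$PASSFILE")
    if [ -z "$expected" ]; then
        echo "$stamp User does not exist: username=\"$u\"." >> "$LOG_FILE"
        return 1
    fi
    if [ "$p" = "$expected" ]; then
        echo "$stamp Successful authentication: username=\"$u\"." >> "$LOG_FILE"
        return 0
    fi
    echo "$stamp Incorrect password: username=\"$u\"." >> "$LOG_FILE"   # password not logged
    return 1
}

# Number of log lines in the required success format:
# 2022-08-10: 08:10:30 Successful authentication: username="vpnuser1"
count_success() {
    grep -Ec '^[0-9]{4}-[0-9]{2}-[0-9]{2}: [0-9]{2}:[0-9]{2}:[0-9]{2} Successful authentication: username="[^"]+"' "$LOG_FILE"
}

# Failed attempts per username, most frequent first, as "count username".
failed_by_user() {
    grep -E 'Incorrect password|User does not exist' "$LOG_FILE" \
        | sed -n 's/.*username="\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed attempts: one good login, two wrong passwords, unknown users,
# a name with a quote and a space, and a user on a ';' comment line.
verify_user vpnuser1 123456 || true
verify_user vpnuser1 wrong || true
verify_user vpnuser1 'still wrong' || true
verify_user nobody 123456 || true
verify_user "o'brien vpn" 123456 || true
verify_user disabled 999999 || true

echo "successful logins: $(count_success)"
echo "failed attempts by user:"
failed_by_user
```

The same two functions can be pointed at the real log by setting LOG_FILE=/var/log/openvpn.log; a username that appears at the top of failed_by_user with a count far above its successes is the signal to look at.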
On the client, install openvpn:
root@outsidecli:~# apt install openvpn -y
Copy the CA certificate and the configuration template to the client over scp:
[root@routesrv openvpn]# scp pki/ca.crt root@81.6.63.110:/etc/openvpn
The authenticity of host '81.6.63.110 (81.6.63.110)' can't be established.
ECDSA key fingerprint is SHA256:aHK7i3gsbgmMuEp37r/9wYK7TUB8KOcDcFEsOU8g38E.
ECDSA key fingerprint is MD5:85:34:04:99:3e:51:cc:8e:83:44:50:77:fa:02:50:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '81.6.63.110' (ECDSA) to the list of known hosts.
root@81.6.63.110's password:
ca.crt 100% 1172 525.6KB/s 00:00
[root@routesrv openvpn]#
[root@routesrv openvpn]# scp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/client.conf root@81.6.63.110:/etc/openvpn
root@81.6.63.110's password:
client.conf 100% 3585 3.5MB/s 00:00
[root@routesrv openvpn]#
Edit the client configuration file:
root@outsidecli:~# vim /etc/openvpn/client.conf
client # line 16
dev tun # line 24
proto tcp # line 36
remote 81.6.63.254 1194 # line 42
resolv-retry infinite # line 54
nobind # line 58
persist-key # line 65
persist-tun # line 66
ca ca.crt # line 88
#cert client.crt # line 89: comment out
#key client.key # line 90: comment out
#tls-auth ta.key 1 # line 108: comment out
remote-cert-tls server # line 104
cipher AES-256-GCM # line 116
verb 3 # line 124
auth-user-pass # append at the end: username/password authentication
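A client configuration is easy to weaken by hand, for instance by dropping remote-cert-tls server (so any certificate signed by the CA, including one issued to another user, would be accepted as the server) or by pointing auth-user-pass at a plaintext credentials file. The following added example, not part of the original write-up, lints a client.conf for the directives this set-up relies on, running over a constructed copy of the configuration above and a constructed weakened variant; the file names and the passwd.txt name are made up for the example.

```shell
#!/bin/sh
# Added example: lint a client.conf for the directives this set-up depends on.
# Constructed files in a temp directory; the real file is /etc/openvpn/client.conf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the edited client.conf from the write-up.
cat > "$WORK/good.conf" <<'EOF'
client
dev tun
proto tcp
remote 81.6.63.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
#cert client.crt
#key client.key
#tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
verb 3
auth-user-pass
EOF

# Weakened variant: server certificate check removed, credentials kept in a file.
sed -e '/^remote-cert-tls/d' \
    -e 's/^auth-user-pass$/auth-user-pass passwd.txt/' \
    "$WORK/good.conf" > "$WORK/weak.conf"

# $1 = config path. Prints one line per problem found; exit status is the count.
check_client_conf() {
    cfg=$1; n=0
    # active DIRECTIVE: true when an uncommented line begins with DIRECTIVE
    active() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$cfg"; }

    if ! active 'remote-cert-tls server'; then
        echo "missing 'remote-cert-tls server': any certificate signed by the CA would be accepted as the server"
        n=$((n+1))
    fi
    if ! active 'auth-user-pass'; then
        echo "missing 'auth-user-pass': the server expects username/password authentication"
        n=$((n+1))
    elif grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]#;]' "$cfg"; then
        echo "'auth-user-pass' names a credentials file: the VPN password would sit in plaintext next to the config"
        n=$((n+1))
    fi
    if ! active 'proto tcp'; then
        echo "missing 'proto tcp': the server listens on TCP 1194"
        n=$((n+1))
    fi
    if ! active 'remote'; then
        echo "missing 'remote': no server address configured"
        n=$((n+1))
    fi
    if ! active 'ca'; then
        echo "missing 'ca': the server certificate cannot be verified without the CA file"
        n=$((n+1))
    fi
    return $n
}

for f in good weak; do
    echo "== $f.conf"
    check_client_conf "$WORK/$f.conf" && echo "no problems" || echo "-> $? problem(s)"
done
```

Point check_client_conf at /etc/openvpn/client.conf on the client before the first connection; the exit status makes it usable from a provisioning script as well.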
Start the client:
Check the network status:
If the following appears (synchronising the time restores it):