====== Installing and Configuring OpenVPN on CentOS 6 ======
* OpenVPN official site: http://openvpn.net/
===== Server side =====
* CentOS 6.6 x86_64
==== Download and install the current OpenVPN and supporting libraries ====
su - root
rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
yum install kernel-devel openssl-devel gcc rpm-build
yum install lzo-devel pam-devel pkcs11-helper-devel openvpn easy-rsa
==== Set up the tun0 virtual interface and NAT out through eth0 ====
# udev normally provides /dev/net/tun on CentOS 6; create the node only if it is missing
[ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
modprobe tun
# enable forwarding now, and persistently in sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
:
vi /etc/sysconfig/iptables
# NAT table: masquerade only traffic that originates in the VPN subnet
# (192.168.221.0/24, the range handed out by server.conf below)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.221.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# OpenVPN listens on TCP/443 (see server.conf below)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forward VPN clients out. Note that '-o tun0 -j ACCEPT' also lets anything routed
# towards the VPN subnet reach the clients; for a pure road-warrior setup tighten it to
# '-A FORWARD -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT'
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
service iptables restart
chkconfig iptables on
==== Create the CA and server certificates ====
* Confirm that the installed openssl is a 1.0.0 build; easy-rsa 2.0 ships one openssl-*.cnf per OpenSSL branch and the symlink created below must point at the matching one
[root@openvpn 2.0]# rpm -q openssl
openssl-1.0.0-20.el6_2.3.x86_64
* Create a dedicated casrv account to hold the CA and copy the easy-rsa tree into its home. Keeping the CA private key (keys/ca.key) under an unprivileged account, separate from /etc/openvpn, means a compromise of the VPN daemon does not hand over the ability to issue new client certificates
useradd casrv
passwd casrv
cp -a /usr/share/easy-rsa ~casrv/
cd ~casrv/
chown -R casrv:casrv easy-rsa/
* Link openssl.cnf to the config for the installed OpenSSL version. While editing, check default_md in that file: easy-rsa 2.0 releases that set default_md = md5 produce MD5-signed certificates and CRLs (the CRL dump further down shows md5WithRSAEncryption), and newer OpenSSL builds refuse MD5-signed certificates; set it to sha256 before running build-ca
su - casrv
cd easy-rsa/2.0/
ln -s openssl-1.0.0.cnf openssl.cnf
* Edit vars (these values become the default answers to the DN prompts during build-ca / build-key)
vi vars
:
# 2048-bit RSA keys and DH parameters; the stock 1024 is too weak today, and
# server.conf below expects build-dh to produce keys/dh2048.pem
export KEY_SIZE=2048
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Taipei"
export KEY_ORG="Trysoft Corp."
export KEY_EMAIL="changeme"
export KEY_CN=OpenVPN
export KEY_NAME=changeme
export KEY_OU=Tech
:
* Generate the root CA (the transcripts below were captured from an earlier run with the stock 1024-bit KEY_SIZE; with the vars above you will see 2048-bit keys instead)
. ./vars
./clean-all
./build-ca
[casrv@openvpn 2.0]% ./build-ca
Generating a 1024 bit RSA private key
:
:
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:Taiwan
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
Organizational Unit Name (eg, section) [changeme]:Tech
Common Name (eg, your name or your server's hostname) [changeme]:OpenVPN
Name [changeme]:OpenVPN
Email Address [mail@host.domain]:openvpn@ichiayi.com
* Generate the server certificate (signed by the CA; build-key-server adds the server extensions that the clients' remote-cert-tls directive checks)
./build-key-server server
[casrv@openvpn 2.0]% ./build-key-server server
Generating a 1024 bit RSA private key
:
:
Country Name (2 letter code) [US]:TW
State or Province Name (full name) [CA]:Taiwan
Locality Name (eg, city) [SanFrancisco]:Taipei
Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
Organizational Unit Name (eg, section) [changeme]:Tech
Common Name (eg, your name or your server's hostname) [server]:openvpn
Name [changeme]:
Email Address [mail@host.domain]:jonathan@ichiayi.com
:
A challenge password []:
An optional company name []:
:
Certificate is to be certified until Apr 4 06:21:30 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
:
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
* Generate Diffie-Hellman parameters (written to keys/dh${KEY_SIZE}.pem)
./build-dh
[casrv@openvpn 2.0]% ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
:
:
..++*++*++*
* Generate the TLS-Auth key. It is a pre-shared HMAC key held by the server and every client; the server drops any packet not carrying a valid HMAC before doing any TLS work, so it also has to be distributed with the client certificates
openvpn --genkey --secret keys/ta.key
* All generated key files are stored in
~casrv/easy-rsa/2.0/keys/
==== Create client certificates ====
* Client certificates, one per user. Do not share one certificate between users: the CN identifies the client to the server, and a shared key cannot be revoked for a single person
su - casrv
cd easy-rsa/2.0/
source ./vars
./build-key client1
:
:
./build-key clientn
[casrv@openvpn 2.0]% ./build-key client1
Generating a 1024 bit RSA private key
:
writing new private key to 'client1.key'
-----
:
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Taiwan]:
Locality Name (eg, city) [Taipei]:
Organization Name (eg, company) [Trysoft Corp.]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:Client1
Email Address [changeme]:client1@ichiayi.com
:
A challenge password []:
An optional company name []:
:
Certificate is to be certified until Apr 4 06:36:36 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
:
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
* All generated key files are stored in
~casrv/easy-rsa/2.0/keys/
* keys/index.txt lists every certificate the CA has issued. The tab-separated fields are: status (V valid, R revoked, E expired), expiry date, revocation date (empty unless revoked), serial number (hex), file name and subject DN
V 220404062130Z 01 unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=openvpn/name=changeme/emailAddress=openvpn@ichiayi.com
V 220404063636Z 02 unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client1/name=Client1/emailAddress=client1@ichiayi.com
:
:
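Once the CA has more than a handful of clients, index.txt is easier to query than to eyeball. The following is an added example, not from the original page or from easy-rsa, that parses the records, lists the CNs the CA still vouches for, flags certificates approaching expiry and lists revoked serials. SAMPLE_INDEX is constructed from the page's two lines plus one revoked client0 record in the same layout; the optional file path argument is an assumption.

```python
"""Read easy-rsa's keys/index.txt (the OpenSSL CA database) and report which
certificates are valid, expiring or revoked.  Added example, not part of the
original page or of easy-rsa.  SAMPLE_INDEX is constructed: the page's two
records plus a revoked client0 in the same format (fields are tab-separated)."""
from datetime import datetime, timedelta, timezone

# Fields: status  expiry  revocation_date  serial(hex)  filename  subject_dn
# status V = valid, R = revoked, E = expired (set by 'openssl ca -updatedb');
# the revocation date is empty unless status is R; filename is always 'unknown'.
SAMPLE_INDEX = (
    "V\t220404062130Z\t\t01\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech"
    "/CN=openvpn/name=changeme/emailAddress=openvpn@ichiayi.com\n"
    "V\t220404063636Z\t\t02\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech"
    "/CN=client1/name=Client1/emailAddress=client1@ichiayi.com\n"
    # constructed revoked record, in the layout revoke-full leaves behind
    "R\t220404070000Z\t120625050621Z\t03\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp."
    "/OU=Tech/CN=client0/name=Client0/emailAddress=client0@ichiayi.com\n"
)

def parse_time(value):
    """OpenSSL writes UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt)

def parse_dn(dn):
    """'/C=TW/ST=Taiwan/.../CN=client1' -> {'C': 'TW', ..., 'CN': 'client1'}."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)

def parse_index(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, dn = fields
        entries.append({
            "status": status,
            "serial": int(serial, 16),
            "expires": parse_time(expiry),
            "revoked": parse_time(revoked) if revoked else None,
            "cn": parse_dn(dn).get("CN"),
        })
    return entries

def valid_cns(entries, now):
    """CNs the CA still vouches for: status V and not yet past notAfter."""
    return sorted(e["cn"] for e in entries if e["status"] == "V" and e["expires"] > now)

def expiring_within(entries, now, days):
    """Valid certificates whose notAfter falls within `days` of `now`."""
    horizon = now + timedelta(days=days)
    return sorted(e["cn"] for e in entries
                  if e["status"] == "V" and now < e["expires"] <= horizon)

def revoked_serials(entries):
    return sorted(e["serial"] for e in entries if e["status"] == "R")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    ents = parse_index(data)
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    print("valid:", valid_cns(ents, now))
    print("expiring within 90 days:", expiring_within(ents, now, 90))
    print("revoked serials:", revoked_serials(ents))
```

Run it as `python3 check_index.py ~casrv/easy-rsa/2.0/keys/index.txt` (name assumed) from the casrv account; a revoked entry that still shows up as valid means revoke-full was never run for it, and the expiry list tells you which users need a new build-key before their 3650 days run out.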
==== Revoking a client certificate ====
* Following the procedure above, first create a test certificate client0, then revoke it
* Revocation:
su - casrv
cd easy-rsa/2.0/
source ./vars
./revoke-full client0
[casrv@openvpn CA]$ ./revoke-full client0
Using configuration from /home/casrv/CA/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /home/casrv/CA/openssl.cnf
client0.crt: C = TW, ST = Taiwan, L = Taipei, O = Trysoft Corp, OU = Tech, CN = client0, name = Client0, emailAddress = client0@ichiayi.com
error 23 at 0 depth lookup:certificate revoked
* The "error 23 ... certificate revoked" at the end is expected: revoke-full verifies the revoked certificate against the freshly written CRL to confirm the revocation took effect
* Revocation only has an effect if the server has crl-verify enabled (see server.conf below). After every revocation, copy the regenerated keys/crl.pem to /etc/openvpn/ so the server picks up the new list; it re-reads crl.pem without a restart
su - root
cp ~casrv/easy-rsa/2.0/keys/crl.pem /etc/openvpn/
* or hard-link it so both paths always see the same file (openssl ca rewrites crl.pem in place, so the link stays current; a hard link requires /home and /etc to be on the same filesystem)
su - root
cd /etc/openvpn
ln /home/casrv/easy-rsa/2.0/keys/crl.pem .
* With CRL checking enabled, clients may suddenly be unable to connect after the server is upgraded to OpenVPN 2.4, because 2.4 rejects a CRL whose Next Update has passed. easy-rsa's openssl.cnf sets default_crl_days = 30, so a crl.pem that is not regenerated goes stale after a month and locks every client out. The server log then shows:
Fri Apr 21 08:08:18 2017 60.248.245.177:50610 VERIFY ERROR: depth=0, error=CRL has expired: C=TW, ST=Taiwan, L=Tainan, O=xxxx OU=Sales, CN=xxx, name=xxx, emailAddress=xxx@mail.xxx.com.tw
Fri Apr 21 08:08:18 2017 60.248.245.177:50610 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
* crl.pem can be regenerated with the following (this is the same command revoke-full runs, so no certificate needs to be revoked to refresh the list):
su - casrv
cd easy-rsa/2.0/
source ./vars
openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
* The resulting CRL looks like this. Note the signature algorithm: this CA was built with default_md = md5, so its certificates and CRLs are MD5-signed, which newer OpenSSL builds refuse; a new CA should use sha256
openssl crl -in crl.pem -text
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=TW/ST=Taiwan/L=Taipei/O=xxx Co., Ltd./OU=Tech/CN=OpenVPN/name=OpenVPN/emailAddress=jonathan@xxx.com.tw
Last Update: Apr 21 02:16:30 2017 GMT
Next Update: May 21 02:16:30 2017 GMT
Revoked Certificates:
Serial Number: 05
Revocation Date: Jun 25 05:06:21 2012 GMT
:
Serial Number: 0A
Revocation Date: Dec 31 02:24:45 2015 GMT
Signature Algorithm: md5WithRSAEncryption
69:c4:45:ab:de:cf:ae:1f:e8:10:3c:03:12:5f:fd:47:fd:10:
:
bf:e3:fb:01:4a:11:ea:da:18:06:d1:5b:85:8b:da:c4:31:c8:
df:81
-----BEGIN X509 CRL-----
MIIB3jCCAUcwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlRXMQ8wDQYDVQQI
EwZUYWl3YW4xDzANBgNVBAcTBlRhaXBlaTEmMCQGA1UEChMdRXZlcnBsYXN0IE1h
:
vgzp3y49jtoXHn2YqioMaciGrOzCYxCrLcVWc/Y2v+P7AUoR6toYBtFbhYvaxDHI
34E=
-----END X509 CRL-----
* So add a cron job that regenerates crl.pem at least monthly (well inside the 30-day validity) and installs it in /etc/openvpn/; otherwise an unchanged revocation list silently expires and every client is refused
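The "CRL has expired" failure above is cheap to detect before it locks clients out. The following is an added example, not from the original page or from OpenVPN, that reads crl.pem with the standard library only, walks the DER structure to extract thisUpdate, nextUpdate and the revoked serials, and reports whether OpenVPN 2.4 would reject the list. The sample CRL is constructed inside the block (dates and serials 05/0A follow the page's dump; the issuer and signature are dummies), so the signature is parsed but not verified; the file path argument is an assumption.

```python
"""Detect the failure mode above: a crl.pem whose nextUpdate has passed, which
OpenVPN 2.4+ rejects with 'CRL has expired'.  Added example, not part of the
original page; it walks the DER structure with the standard library only.
SAMPLE_CRL_PEM is constructed here: the dates and serials 05/0A come from the
page's 'openssl crl -text' output, while the issuer and signature are dummies,
so the structure is parsed but the signature is not verified."""
import base64
from datetime import datetime, timezone

INTEGER, BIT_STRING, OID, UTC_TIME, GENERALIZED_TIME, SEQUENCE, SET = 0x02, 0x03, 0x06, 0x17, 0x18, 0x30, 0x31

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """All (tag, body) elements of a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out

def parse_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def pem_to_der(pem):
    return base64.b64decode("".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----")))

def parse_crl(pem):
    """CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signature }
    TBSCertList ::= SEQUENCE { version INTEGER OPTIONAL, signature, issuer,
        thisUpdate, nextUpdate OPTIONAL, revokedCertificates OPTIONAL, ... }"""
    _, outer, _ = der_read(pem_to_der(pem))
    fields = der_children(der_children(outer)[0][1])
    if fields[0][0] == INTEGER:            # v2 CRLs carry an explicit version
        fields = fields[1:]
    info = {"this_update": parse_time(*fields[2]), "next_update": None, "revoked": []}
    idx = 3                                # fields[0] = algorithm, fields[1] = issuer
    if idx < len(fields) and fields[idx][0] in (UTC_TIME, GENERALIZED_TIME):
        info["next_update"], idx = parse_time(*fields[idx]), idx + 1
    if idx < len(fields) and fields[idx][0] == SEQUENCE:
        for _, entry in der_children(fields[idx][1]):   # SEQUENCE { serial, revocationDate }
            info["revoked"].append(int.from_bytes(der_read(entry)[1], "big"))
    return info

def crl_expired(info, now):
    """True once nextUpdate is in the past: OpenVPN 2.4 then rejects every client."""
    return info["next_update"] is not None and now > info["next_update"]

def _utc(dt):
    return der(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_crl():
    """Structurally valid v1 CRL: md5WithRSAEncryption OID, CN=OpenVPN issuer, dummy signature."""
    alg = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d010104")) + der(0x05, b""))
    issuer = der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, bytes.fromhex("550403")) + der(0x13, b"OpenVPN"))))
    revoked = der(SEQUENCE, b"".join(
        der(SEQUENCE, der(INTEGER, bytes([serial])) + _utc(when))
        for serial, when in ((0x05, datetime(2012, 6, 25, 5, 6, 21)),
                             (0x0A, datetime(2015, 12, 31, 2, 24, 45)))))
    tbs = der(SEQUENCE, alg + issuer + _utc(datetime(2017, 4, 21, 2, 16, 30))
              + _utc(datetime(2017, 5, 21, 2, 16, 30)) + revoked)
    b64 = base64.b64encode(der(SEQUENCE, tbs + alg + der(BIT_STRING, bytes(17)))).decode()
    return "-----BEGIN X509 CRL-----\n%s\n-----END X509 CRL-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

SAMPLE_CRL_PEM = build_sample_crl()

if __name__ == "__main__":
    import sys
    info = parse_crl(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRL_PEM)
    print("nextUpdate:", info["next_update"], "revoked serials:", [hex(s) for s in info["revoked"]])
    print("EXPIRED: regenerate crl.pem" if crl_expired(info, datetime.now(timezone.utc)) else "CRL is current")
```

Pair it with the cron entry that runs the openssl ca -gencrl command above and copies the result into /etc/openvpn/; running this check against /etc/openvpn/crl.pem (path assumed) the day after tells you whether the job actually produced a current list or failed silently.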
==== Configure and start the server ====
* The installed OpenVPN version is 2.3.6
[root@openvpn openvpn]# rpm -q openvpn
openvpn-2.3.6-1.el6.x86_64
* Plan: listen on TCP/443 and address clients from 192.168.221.0/24 (the server directive below hands out the whole subnet, so the originally planned .101-.150 range is not enforced)
* Configuration file
cd /etc/openvpn
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
vi server.conf
# routed tun mode over TCP/443 (matches the iptables INPUT rule above)
dev tun
proto tcp
port 443
# PKI files copied from ~casrv/easy-rsa/2.0/keys/
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# reject revoked client certificates; without this line the revocation procedure above has no effect.
# crl.pem must exist in /etc/openvpn and be kept current (see the CRL expiry note above)
crl-verify crl.pem
# shared HMAC key, direction 0 on the server (clients use 1)
tls-auth ta.key 0
cipher AES-128-CBC
# VPN subnet; ipp.txt keeps client addresses stable across restarts
server 192.168.221.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
persist-key
persist-tun
# compressing VPN traffic is no longer advisable (compression oracles leak plaintext);
# if you drop it here, drop it on every client as well, the setting must match
comp-lzo
#push "dhcp-option DNS 192.168.11.242"
#push "route 192.168.11.0 255.255.255.0"
status openvpn-status.log
verb 3
cd /etc/openvpn
cp ~casrv/easy-rsa/2.0/keys/dh2048.pem .
cp ~casrv/easy-rsa/2.0/keys/server.crt .
cp ~casrv/easy-rsa/2.0/keys/server.key .
cp ~casrv/easy-rsa/2.0/keys/ca.crt .
cp ~casrv/easy-rsa/2.0/keys/ta.key .
# crl-verify needs crl.pem; if nothing has been revoked yet, generate it first with the
# openssl ca -gencrl command from the revocation section
cp ~casrv/easy-rsa/2.0/keys/crl.pem .
service openvpn start
chkconfig openvpn on
===== Client side =====
==== Install the client software ====
* Download from http://openvpn.net/index.php/open-source/downloads.html (openvpn-2.2.2-install.exe at the time of writing; use the current release)
* After installation a new "TAP-Win32 Adapter V9" device appears among the Windows network connections
==== Client certificate and configuration file ====
* client1 is used as the example below
* Create a subdirectory ideas_tp inside the OpenVPN configuration directory C:\Program Files\OpenVPN\config
* Copy ca.crt / client1.key / client1.crt / ta.key produced on the CA machine into C:\Program Files\OpenVPN\config\ideas_tp. client1.key and ta.key are secrets: move them over an authenticated, encrypted channel (scp or an encrypted archive), never by plain e-mail
* Edit ideas_tp.ovpn
# Specify that this is a client
client
# Routed (tun) mode over TCP, the same as the server
dev tun
proto tcp
# Server address and port (OpenVPN's default is 1194; this server listens on 443)
# note: replace with the correct values for your server
remote 175.98.155.2 443 # openvpn Server IP
# Only accept a server certificate carrying the server extensions that build-key-server
# added; without this any client certificate issued by the same CA could pose as the server
remote-cert-tls server
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca ca.crt
cert client1.crt
key client1.key
# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1
# Specify same cipher as server
cipher AES-128-CBC
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
**To connect to several OpenVPN servers at the same time, one TAP-Win32 Adapter V9 connection per server is required**
- On Windows 7 and later, open the command prompt as Administrator
- Each run of the following command adds one more TAP virtual adapter
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
The existing TAP-Win32 Adapter connection may drop while this runs
* The certificates and keys can also be embedded in the configuration file itself, in <ca>, <cert>, <key> and <tls-auth> blocks; key-direction 1 then replaces the direction argument of tls-auth. A single file that carries the private key must be protected like the key file itself. Example ideas_tp.ovpn:
# Specify that this is a client
client
# Routed (tun) mode over TCP, the same as the server
dev tun
proto tcp
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote 175.98.155.2 443 # openvpn Server IP
remote-cert-tls server
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# Specify same cipher as server
cipher AES-128-CBC
# Use compression (must match the server)
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
# direction of the inline tls-auth key below: 0 = server, 1 = client
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
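Assembling the inline file by hand invites mistakes: a dropped closing tag, a client left on a cipher the server does not use, or a tls-auth direction that does not complement the server's. The following is an added example, not part of the original page or of OpenVPN, that converts a file-based profile to the inline form and checks a client profile against server.conf for exactly the mismatches the comments above warn about. SERVER_CONF and CLIENT_TEMPLATE repeat the page's own directives; the PEM bodies in FILES are constructed placeholders standing in for the files from ~casrv/easy-rsa/2.0/keys/.

```python
"""Convert a file-based client profile to OpenVPN's inline form and check a
client profile against server.conf.  Added example, not part of the original
page or of OpenVPN; SERVER_CONF and CLIENT_TEMPLATE repeat the page's
directives and the PEM bodies in FILES are constructed placeholders."""
from itertools import takewhile

INLINE = ("ca", "cert", "key", "tls-auth")   # directives OpenVPN accepts as <tag> blocks

SERVER_CONF = """dev tun
proto tcp
port 443
server 192.168.221.0 255.255.255.0
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo
"""

CLIENT_TEMPLATE = """client
dev tun
proto tcp
remote 175.98.155.2 443 # openvpn Server IP
remote-cert-tls server
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
"""

FILES = {  # placeholder PEM bodies; real ones come from ~casrv/easy-rsa/2.0/keys/
    "ca": "-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n",
    "cert": "-----BEGIN CERTIFICATE-----\nQ0xJRU5U\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n",
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----\n00\n-----END OpenVPN Static key V1-----\n",
}

def parse_ovpn(text):
    """(directives, blocks): directive name -> list of argument lists (directives may
    repeat); inline <name> section -> body.  '#'/';' start a comment, also mid-line."""
    directives, blocks, lines, i = {}, {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("<") and not line.startswith("</") and line.endswith(">"):
            name, body = line[1:-1], []
            while i < len(lines) and lines[i].strip() != "</%s>" % name:
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError("unterminated <%s> block" % name)
            i += 1
            blocks[name] = "\n".join(body).strip() + "\n"
            continue
        tokens = list(takewhile(lambda t: t[0] not in "#;", line.split()))
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives, blocks

def build_inline(template, files):
    """Drop 'ca/cert/key/tls-auth <file>' lines, append <tag> blocks, and turn the
    tls-auth direction argument into 'key-direction', which inline profiles use."""
    directives, _ = parse_ovpn(template)
    out = []
    for raw in template.splitlines():
        parts = raw.split()
        head = parts[0] if parts else ""
        if head in INLINE and head in files:
            if head == "tls-auth" and len(directives["tls-auth"][0]) > 1:
                out.append("key-direction %s" % directives["tls-auth"][0][1])
            continue
        out.append(raw)
    out += ["<%s>\n%s</%s>" % (n, files[n].strip() + "\n", n) for n in INLINE if n in files]
    return "\n".join(out) + "\n"

def check_pair(server_text, client_text):
    """Mismatches between server.conf and a client profile that would break the connection."""
    s, _ = parse_ovpn(server_text)
    c, cblocks = parse_ovpn(client_text)
    first = lambda d, k, default=(): d[k][0] if k in d else default
    problems = []
    def expect(ok, msg):
        if not ok:
            problems.append(msg)
    expect(first(s, "cipher") == first(c, "cipher"),
           "cipher differs: server %s, client %s" % (first(s, "cipher"), first(c, "cipher")))
    expect(("comp-lzo" in s) == ("comp-lzo" in c), "comp-lzo set on one side only")
    expect(first(s, "proto", ("udp",))[0].replace("-server", "")
           == first(c, "proto", ("udp",))[0].replace("-client", ""), "proto differs")
    sport = first(s, "port", ("1194",))[0]
    for remote in c.get("remote", []):
        expect((remote[1] if len(remote) > 1 else "1194") == sport,
               "remote %s does not use server port %s" % (remote[0], sport))
    if "tls-auth" in s:   # server 'tls-auth ta.key 0' pairs with client direction 1
        expect(first(s, "tls-auth")[1:2] == ["0"], "server tls-auth direction must be 0")
        has_key = "tls-auth" in c or "tls-auth" in cblocks
        expect(has_key, "server requires tls-auth but client has no ta.key")
        cdir = first(c, "key-direction")[0:1] or first(c, "tls-auth")[1:2]
        expect(not has_key or cdir == ["1"], "client tls-auth direction must be 1")
    expect("remote-cert-tls" in c,
           "client lacks 'remote-cert-tls server'; any CA-issued client cert could pose as the server")
    return problems

if __name__ == "__main__":
    inline = build_inline(CLIENT_TEMPLATE, FILES)
    print(inline, "mismatches:", check_pair(SERVER_CONF, inline) or "none")
```

check_pair parses comments the way OpenVPN does, so the trailing `# openvpn Server IP` on the remote line does not confuse the port comparison; with real files, read them from the ideas_tp directory into FILES and write the returned string to ideas_tp.ovpn with permissions that keep the embedded private key private.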
==== Connecting automatically at boot ====
* In Windows, go to Settings -> Control Panel -> Administrative Tools -> Services, find "OpenVPN Service" and set its startup type to Automatic
* Once running, the service loads every *.ovpn in C:\Program Files\OpenVPN\config but does not descend into subdirectories. If the profiles were separated into subdirectories as above, copy the *.ovpn files up into the config directory and point the certificate directives at the subdirectory, e.g.
:
# SSL/TLS parameters - files created previously
ca ideas_tp/ca.crt
cert ideas_tp/jonathan.crt
key ideas_tp/jonathan.key
:
===== References =====
* http://www.openvpn.net/index.php/open-source/documentation/howto.html#install
* http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
* http://openvpn.net/index.php/open-source/documentation/howto.html#startup
* https://community.openvpn.net/openvpn/wiki/IOSinline
* Alternative: **[[tech/n2nvpn|n2n VPN]]**
{{tag>openvpn vpn ssl}}