Installing and configuring OpenVPN on CentOS 6
- OpenVPN official site: http://openvpn.net/
Server side
- CentOS 6.6 x86_64
Download and install the latest OpenVPN and the libraries it needs
- Enable the EPEL repository first; openvpn and easy-rsa come from there:
    su - root
    rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
    yum install kernel-devel openssl-devel gcc rpm-build
    yum install lzo-devel pam-devel pkcs11-helper-devel openvpn easy-rsa
Set up the tun0 virtual interface and NAT on eth0
- Create the tun device node, load the module, and enable IP forwarding both immediately (the echo) and across reboots (sysctl.conf):
    mknod /dev/net/tun c 10 200
    modprobe tun
    echo 1 > /proc/sys/net/ipv4/ip_forward
    vi /etc/sysctl.conf
    :
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
    :
- Firewall: masquerade traffic leaving via eth0, accept only SSH/HTTP/HTTPS inbound (OpenVPN will listen on TCP/443), and forward packets only to and from the tunnel:
    vi /etc/sysconfig/iptables
    *nat
    # Masquerades everything routed out of eth0; add -s 192.168.221.0/24 (the client
    # pool configured in server.conf below) to limit NAT to VPN clients only
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    # OpenVPN listens on TCP/443 (see server.conf)
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    # Only tunnel traffic is forwarded; anything else hits the final REJECT
    -A FORWARD -i tun0 -j ACCEPT
    -A FORWARD -o tun0 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
- Apply the rules and enable them at boot:
    service iptables restart
    chkconfig iptables on
Create the server certificate files
- Confirm the openssl in use is 1.0.0 (easy-rsa 2.0 ships a matching openssl-1.0.0.cnf):
    [root@openvpn 2.0]# rpm -q openssl
    openssl-1.0.0-20.el6_2.3.x86_64
- Create the casrv account to own the CA and copy the easy-rsa tree into its home. Keeping the CA under an unprivileged account, separate from the openvpn daemon, means ca.key never leaves this directory (only ca.crt is copied to /etc/openvpn later); consider chmod 700 on the tree so other local users cannot read keys/.
    useradd casrv
    passwd casrv
    cp -a /usr/share/easy-rsa ~casrv/
    cd ~casrv/
    chown -R casrv:casrv easy-rsa/
- Link openssl.cnf to the version-specific config:
    su - casrv
    cd easy-rsa/2.0/
    ln -s openssl-1.0.0.cnf openssl.cnf
  Two defaults in this file matter later: default_md = md5 (the CRL dump further down shows md5WithRSAEncryption for this reason; current OpenSSL builds reject MD5 signatures at their default security level, so change it to sha256 before running build-ca, since certificates already signed with MD5 would have to be reissued) and default_crl_days = 30 (why every CRL expires a month after it is generated).
- Edit vars. The stock file lists KEY_EMAIL twice; one is enough. Also set KEY_SIZE=2048: with the 1024-bit default, build-dh writes keys/dh1024.pem while the server.conf below expects dh2048.pem, and 1024-bit RSA/DH is no longer considered adequate.
    vi vars
    :
    export KEY_SIZE=2048
    export KEY_COUNTRY="TW"
    export KEY_PROVINCE="Taiwan"
    export KEY_CITY="Taipei"
    export KEY_ORG="Trysoft Corp."
    export KEY_EMAIL="changeme"
    export KEY_CN=OpenVPN
    export KEY_NAME=changeme
    export KEY_OU=Tech
    :
- Generate the root CA. clean-all wipes keys/, so run it only this once; the transcript below was captured with the default 1024-bit KEY_SIZE (with KEY_SIZE=2048 the first line reads "2048 bit"):
    . ./vars
    ./clean-all
    ./build-ca

    [casrv@openvpn 2.0]% ./build-ca
    Generating a 1024 bit RSA private key
    :
    :
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taipei
    Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
    Organizational Unit Name (eg, section) [changeme]:Tech
    Common Name (eg, your name or your server's hostname) [changeme]:OpenVPN
    Name [changeme]:OpenVPN
    Email Address [[email protected]]:[email protected]
- Generate the server certificate (build-key-server signs it with the server extensions, which is what the client's remote-cert-tls server check relies on):
    ./build-key-server server

    [casrv@openvpn 2.0]% ./build-key-server server
    Generating a 1024 bit RSA private key
    :
    :
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taipei
    Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
    Organizational Unit Name (eg, section) [changeme]:Tech
    Common Name (eg, your name or your server's hostname) [server]:openvpn
    Name [changeme]:
    Email Address [[email protected]]:[email protected]
    :
    A challenge password []:
    An optional company name []:
    :
    Certificate is to be certified until Apr 4 06:21:30 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    :
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
- Generate the Diffie-Hellman parameters (the output file is named after KEY_SIZE: dh1024.pem in this transcript, dh2048.pem with KEY_SIZE=2048):
    ./build-dh

    [casrv@openvpn 2.0]% ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    :
    :
    ..++*++*++*
- Generate the TLS-Auth key (a shared HMAC key; packets without a valid HMAC are dropped before any TLS processing, which hides the service from scanners and blunts TLS-level DoS):
    openvpn --genkey --secret keys/ta.key
- All generated key files are stored in
    ~casrv/easy-rsa/2.0/keys/
Create the client certificate files
- Client certificates (one per client; do not run clean-all again here)
    su - casrv
    cd easy-rsa/2.0/
    source ./vars
    ./build-key client1
    :
    :
    ./build-key clientn

    [casrv@openvpn 2.0]% ./build-key client1
    Generating a 1024 bit RSA private key
    :
    writing new private key to 'client1.key'
    -----
    :
    Country Name (2 letter code) [TW]:
    State or Province Name (full name) [Taiwan]:
    Locality Name (eg, city) [Taipei]:
    Organization Name (eg, company) [Trysoft Corp.]:
    Organizational Unit Name (eg, section) [Tech]:
    Common Name (eg, your name or your server's hostname) [client1]:
    Name [changeme]:Client1
    Email Address [changeme]:[email protected]
    :
    A challenge password []:
    An optional company name []:
    :
    Certificate is to be certified until Apr 4 06:36:36 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    :
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
- All generated key files are stored in
    ~casrv/easy-rsa/2.0/keys/
- index.txt lists every certificate issued. Fields are tab-separated: status (V valid, R revoked, E expired), expiry (YYMMDDHHMMSSZ), revocation date (empty unless revoked), serial, filename, subject DN
    V	220404062130Z		01	unknown	/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=openvpn/name=changeme/[email protected]
    V	220404063636Z		02	unknown	/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client1/name=Client1/[email protected]
    :
    :
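The CA database above is the only record of which certificates exist, which are revoked, and when the rest expire, so it is worth reading programmatically. The following is an added example for this page, not code from easy-rsa or OpenVPN: it parses the index.txt layout described above (six tab-separated fields) and reports each certificate's effective state at a given time. The sample data is constructed to mirror the two entries listed on the page plus a revoked client0; the email fields carry the "changeme" placeholder from vars rather than a real address.

```python
"""Inventory an easy-rsa 2.0 CA database (keys/index.txt).

Added example for this page; not code from easy-rsa or OpenVPN. Assumes the
stock layout written by `openssl ca`: six tab-separated fields per line --
status (V/R/E), expiry (ASN.1 UTCTime), revocation date (empty unless
revoked), serial, filename, subject DN.
"""
from datetime import datetime

# Constructed sample in that layout (entries 01 and 02 mirror the page; the
# revoked client0 is added to exercise the R path).
SAMPLE_INDEX = (
    "V\t220404062130Z\t\t01\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp."
    "/OU=Tech/CN=openvpn/name=changeme/emailAddress=changeme\n"
    "V\t220404063636Z\t\t02\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp."
    "/OU=Tech/CN=client1/name=Client1/emailAddress=changeme\n"
    "R\t220404070000Z\t120625050621Z\t03\tunknown\t/C=TW/ST=Taiwan/L=Taipei"
    "/O=Trysoft Corp./OU=Tech/CN=client0/name=Client0/emailAddress=changeme\n"
)

EXPIRY_WARNING_DAYS = 30   # flag certificates this close to expiry


def parse_utctime(value):
    """ASN.1 UTCTime 'YYMMDDHHMMSSZ' -> naive UTC datetime, using the
    RFC 5280 rule that YY 00-49 means 20YY and 50-99 means 19YY."""
    if len(value) != 13 or not value.endswith("Z"):
        raise ValueError("not a UTCTime: %r" % value)
    yy = int(value[0:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    return datetime(year, int(value[2:4]), int(value[4:6]),
                    int(value[6:8]), int(value[8:10]), int(value[10:12]))


def parse_index(text):
    """Return one dict per index.txt line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, dn = fields
        # A revoked entry may carry ",reason" after the revocation timestamp.
        rev_time = parse_utctime(revoked.split(",")[0]) if revoked else None
        rdns = dict(part.split("=", 1) for part in dn.strip("/").split("/"))
        entries.append({"status": status, "expires": parse_utctime(expiry),
                        "revoked": rev_time, "serial": serial,
                        "cn": rdns.get("CN", "")})
    return entries


def classify(entry, now):
    """Effective state at `now`. Revoked entries are only rejected by the
    server once crl-verify is enabled and the CRL is current; expired ones
    fail the TLS handshake regardless."""
    if entry["status"] == "R":
        return "revoked"
    if entry["expires"] <= now:
        return "expired"
    if (entry["expires"] - now).days < EXPIRY_WARNING_DAYS:
        return "expiring"
    return "valid"


def report(text, now_iso):
    """[(serial, cn, state), ...] for every entry, evaluated at now_iso,
    an ISO 8601 UTC timestamp such as '2017-04-21T00:00:00'."""
    now = datetime.fromisoformat(now_iso)
    return [(e["serial"], e["cn"], classify(e, now)) for e in parse_index(text)]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEX
    for serial, cn, state in report(text, datetime.utcnow().isoformat()):
        print("%s  %-12s %s" % (serial, cn, state))
```

Run it with the path to ~casrv/easy-rsa/2.0/keys/index.txt to get a one-line-per-certificate summary; anything reported as "expiring" needs a new build-key before the client loses access, and anything "revoked" only stays locked out while crl-verify is enabled on the server.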
Revoking a client certificate
- Following the procedure above, first create a test certificate client0, then revoke it
- To revoke a certificate:
    su - casrv
    cd easy-rsa/2.0/
    source ./vars
    ./revoke-full client0
  The transcript below was captured on a host whose easy-rsa tree was named ~/CA; the steps are the same. The final "error 23 ... certificate revoked" is revoke-full verifying client0.crt against the freshly written CRL, so it is the expected confirmation, not a failure:
    [casrv@openvpn CA]$ ./revoke-full client0
    Using configuration from /home/casrv/CA/openssl.cnf
    Revoking Certificate 03.
    Data Base Updated
    Using configuration from /home/casrv/CA/openssl.cnf
    client0.crt: C = TW, ST = Taiwan, L = Taipei, O = Trysoft Corp, OU = Tech, CN = client0, name = Client0, emailAddress = [email protected]
    error 23 at 0 depth lookup:certificate revoked
- After every revocation, copy the regenerated keys/crl.pem to /etc/openvpn/ so the server's revocation list is current
    su - root
    cp ~casrv/easy-rsa/2.0/keys/crl.pem /etc/openvpn/
  or create a hard link so the two stay identical (openssl rewrites the file in place, so the link keeps tracking it; this needs /home and /etc on the same filesystem and breaks if openvpn is ever run with chroot):
    su - root
    cd /etc/openvpn
    ln /home/casrv/easy-rsa/2.0/keys/crl.pem .
- If CRL checking is enabled, clients may stop connecting after the server is upgraded to OpenVPN 2.4, which enforces the CRL's Next Update date. The server log shows:
    Fri Apr 21 08:08:18 2017 60.248.245.177:50610 VERIFY ERROR: depth=0, error=CRL has expired: C=TW, ST=Taiwan, L=Tainan, O=xxxx OU=Sales, CN=xxx, name=xxx, [email protected]
    Fri Apr 21 08:08:18 2017 60.248.245.177:50610 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
- crl.pem can be regenerated (with a fresh Next Update, and with no change to the revocation list itself) using:
    su - casrv
    cd easy-rsa/2.0/
    source ./vars
    openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
- The resulting CRL looks roughly like this. Note that Next Update is exactly 30 days after Last Update (default_crl_days in openssl.cnf), and that the signature algorithm is md5WithRSAEncryption because of default_md in the same file:
    openssl crl -in crl.pem -text

    Certificate Revocation List (CRL):
            Version 1 (0x0)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: /C=TW/ST=Taiwan/L=Taipei/O=xxx Co., Ltd./OU=Tech/CN=OpenVPN/name=OpenVPN/[email protected]
            Last Update: Apr 21 02:16:30 2017 GMT
            Next Update: May 21 02:16:30 2017 GMT
    Revoked Certificates:
        Serial Number: 05
            Revocation Date: Jun 25 05:06:21 2012 GMT
        :
        Serial Number: 0A
            Revocation Date: Dec 31 02:24:45 2015 GMT
        Signature Algorithm: md5WithRSAEncryption
             69:c4:45:ab:de:cf:ae:1f:e8:10:3c:03:12:5f:fd:47:fd:10:
             :
             bf:e3:fb:01:4a:11:ea:da:18:06:d1:5b:85:8b:da:c4:31:c8:
             df:81
    -----BEGIN X509 CRL-----
    MIIB3jCCAUcwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlRXMQ8wDQYDVQQI
    EwZUYWl3YW4xDzANBgNVBAcTBlRhaXBlaTEmMCQGA1UEChMdRXZlcnBsYXN0IE1h
    :
    vgzp3y49jtoXHn2YqioMaciGrOzCYxCrLcVWc/Y2v+P7AUoR6toYBtFbhYvaxDHI
    34E=
    -----END X509 CRL-----
- So add a crontab entry that regenerates crl.pem more often than default_crl_days (at least monthly) and copies it into /etc/openvpn, otherwise an enabled crl-verify eventually locks every client out.
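One way to do that cron job, as an added example for this page (not code from OpenVPN or easy-rsa): read Next Update from the installed CRL, and when it is expired or within a week of expiring, run the same `openssl ca -gencrl` command shown above and install the result atomically. Assumptions, taken from this page's layout: the easy-rsa tree is /home/casrv/easy-rsa/2.0, server.conf points at /etc/openvpn/crl.pem, and the job runs as root. The `openssl crl -noout -nextupdate` output it parses has the form `nextUpdate=May 21 02:16:30 2017 GMT`.

```python
"""Keep the OpenVPN CRL current.

Added example for this page; not code from OpenVPN or easy-rsa. The CRL that
`openssl ca -gencrl` writes is valid for default_crl_days (30 in easy-rsa
2.0's openssl.cnf), so this runs from cron and (1) reads nextUpdate from the
installed CRL, (2) regenerates it with the page's command when it is expired
or within RENEW_MARGIN of expiry, (3) installs it atomically.
"""
import os
import subprocess
import tempfile
from datetime import datetime, timedelta

EASY_RSA = "/home/casrv/easy-rsa/2.0"    # assumption: CA tree from the page
INSTALLED_CRL = "/etc/openvpn/crl.pem"    # assumption: path used in server.conf
RENEW_MARGIN = timedelta(days=7)          # regenerate a week before nextUpdate

# Regeneration command from the page; vars must be sourced first because
# easy-rsa's openssl.cnf reads KEY_DIR and friends from the environment.
GENCRL = (". ./vars >/dev/null && openssl ca -gencrl -keyfile keys/ca.key "
          "-cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf")


def parse_next_update(line):
    """Parse `openssl crl -noout -nextupdate` output such as
    'nextUpdate=May 21 02:16:30 2017 GMT' (openssl pads single-digit days
    with a space) into a naive UTC datetime."""
    label, _, stamp = line.strip().partition("=")
    if label != "nextUpdate":
        raise ValueError("unexpected openssl output: %r" % line)
    fields = stamp.split()          # ['May', '21', '02:16:30', '2017', 'GMT']
    return datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")


def crl_status(nextupdate_line, now_iso, margin=RENEW_MARGIN):
    """(next_update_iso, days_left, needs_renewal) for one openssl output
    line, evaluated at now_iso (ISO 8601 UTC). days_left is floored, so it
    goes negative once the CRL has expired."""
    next_update = parse_next_update(nextupdate_line)
    remaining = next_update - datetime.fromisoformat(now_iso)
    return next_update.isoformat(), remaining.days, remaining <= margin


def installed_nextupdate_line(path=INSTALLED_CRL):
    out = subprocess.check_output(["openssl", "crl", "-in", path,
                                   "-noout", "-nextupdate"])
    return out.decode()


def regenerate_crl():
    """Run the page's gencrl command inside the easy-rsa tree so the relative
    paths in openssl.cnf resolve; returns the path of the new CRL."""
    subprocess.check_call(["sh", "-c", GENCRL], cwd=EASY_RSA)
    return os.path.join(EASY_RSA, "keys", "crl.pem")


def install_crl(src, dst=INSTALLED_CRL):
    """Write to a temp file in the target directory and rename over dst, so
    OpenVPN (which re-reads the CRL on every handshake) never sees a
    truncated file; 0644 because it reads it after dropping privileges."""
    with open(src, "rb") as f:
        data = f.read()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dst) or ".", prefix=".crl.")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(tmp, 0o644)
    os.rename(tmp, dst)


def main():
    now_iso = datetime.utcnow().isoformat()
    if os.path.exists(INSTALLED_CRL):
        next_iso, days_left, renew = crl_status(installed_nextupdate_line(), now_iso)
        print("installed CRL nextUpdate %s (%d days left)" % (next_iso, days_left))
    else:
        renew = True                  # nothing installed yet: always generate
    if renew:
        install_crl(regenerate_crl())
        print("regenerated and installed %s" % INSTALLED_CRL)


if __name__ == "__main__":
    main()
```

Schedule it daily (for example `0 3 * * * /usr/local/sbin/renew-crl.py`, a path chosen here, not one the page uses): the margin guarantees a fresh CRL well before OpenVPN 2.4's expiry check can reject clients. Because the job signs with keys/ca.key, it runs as root here; if you prefer that keys/ stay owned by casrv, run the regeneration step via sudo -u casrv and only the install step as root.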
Configure and start the server
- The installed OpenVPN version is 2.3.6
    [root@openvpn openvpn]# rpm -q openvpn
    openvpn-2.3.6-1.el6.x86_64
- Plan: listen on TCP/443 (passes most outbound firewalls, at the cost of TCP-over-TCP retransmission behaviour; prefer UDP where the network allows) and hand out client addresses 192.168.221.101 to 150. Note that the `server 192.168.221.0 255.255.255.0` line below allocates from the whole /24 using the default net30 topology (one /30 per client), so the 101–150 range is the plan, not something this config enforces.
- Start from the sample config and edit it:
    cd /etc/openvpn
    cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
    vi server.conf

    dev tun
    proto tcp
    port 443
    ca ca.crt
    cert server.crt
    key server.key
    # Left commented out here; until it is enabled, revoked client certificates are still accepted
    #crl-verify crl.pem
    # Name follows the KEY_SIZE used by build-dh (dh1024.pem with the default)
    dh dh2048.pem
    server 192.168.221.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    # Lets clients reach each other inside OpenVPN, bypassing the iptables FORWARD rules
    client-to-client
    #push "dhcp-option DNS 192.168.11.242"
    #push "route 192.168.11.0 255.255.255.0"
    keepalive 10 120
    # 0 = server side of the ta.key HMAC
    tls-auth ta.key 0
    cipher AES-128-CBC
    comp-lzo
- Copy the key material in and start the service. ca.key is deliberately not copied: the server only needs ca.crt to verify clients. Keep server.key readable by root only.
    cd /etc/openvpn
    cp ~casrv/easy-rsa/2.0/keys/dh2048.pem .
    cp ~casrv/easy-rsa/2.0/keys/server.crt .
    cp ~casrv/easy-rsa/2.0/keys/server.key .
    cp ~casrv/easy-rsa/2.0/keys/ca.crt .
    cp ~casrv/easy-rsa/2.0/keys/ta.key .
    service openvpn start
    chkconfig openvpn on
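A hardened variant of the server.conf above, added here as an example and not part of the original page. Every directive exists in OpenVPN 2.3.6; the changes from the page's config are commented, and the ones a client must mirror are flagged.

```conf
dev tun
proto tcp
port 443
ca ca.crt
cert server.crt
key server.key
# Enabled: revoke-full only has an effect on connections once this is on.
# Keep crl.pem fresh (previous section) or an expired CRL rejects everyone.
crl-verify crl.pem
dh dh2048.pem
server 192.168.221.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Drop root after the tunnel and keys are set up; persist-key/persist-tun
# let the daemon survive restarts (SIGUSR1) without re-reading keys as root.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
# Removed "client-to-client": it switches traffic between clients inside
# OpenVPN, so the iptables FORWARD rules never see it. Add it back only if
# clients genuinely need to reach each other.
keepalive 10 120
tls-auth ta.key 0
# Data-channel cipher and HMAC; the client must carry the same two lines
# (OpenVPN's default auth is SHA1).
cipher AES-128-CBC
auth SHA256
# Removed "comp-lzo": compressing traffic that mixes secrets with
# attacker-influenced data enables compression-oracle attacks; leave it
# off on both sides rather than setting it here.
# Requires 2.3.3 or newer on both ends, so not for the 2.2.2 Windows client
# installed below; enable once clients are upgraded:
#tls-version-min 1.2
```

After changing `auth`, add `auth SHA256` to every client .ovpn at the same time, and remove `comp-lzo` from the clients when it is removed here; a mismatch on either side fails the connection rather than silently falling back.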
Configure and start the client
Install the client software
- Download from http://openvpn.net/index.php/open-source/downloads.html (openvpn-2.2.2-install.exe)
- After installation, a new "Tap-Win32 Adapter V9" local area connection appears among the computer's network connections
Client certificate and configuration file
- client1 is used as the example below
- Create a subdirectory ideas_tp inside the OpenVPN configuration directory C:\Program Files\OpenVPN\config
- Fetch ca.crt / client1.key / client1.crt / ta.key from the CA server and place them in C:\Program Files\OpenVPN\config\ideas_tp. client1.key is the client's credential: transfer it over a trusted channel, not e-mail, and delete it from the CA's keys/ directory if the CA does not need to keep it.
- Edit ideas_tp.ovpn
    # Specify that this is a client
    client
    # Routed (tun) device; must match the server's "dev tun"
    dev tun
    proto tcp
    # Host name and port for the server (default port is 1194)
    # note: replace with the correct values for your server
    # 175.98.155.2 is the OpenVPN server IP
    remote 175.98.155.2 443
    # Require the server certificate to carry the server extensions that
    # build-key-server set, so a stolen client certificate cannot pose as the server
    remote-cert-tls server
    # Client does not need to bind to a specific local port
    nobind
    # Keep trying to resolve the host name of the OpenVPN server
    resolv-retry infinite
    # Preserve state across restarts
    persist-key
    persist-tun
    # SSL/TLS parameters - files created previously
    ca ca.crt
    cert client1.crt
    key client1.key
    # tls-auth is set on the server, so the client needs it too
    # note: 0 = server, 1 = client
    tls-auth ta.key 1
    # Must match the server's cipher (and its auth setting, if one is configured)
    cipher AES-128-CBC
    # Use compression (only if the server does)
    comp-lzo
    # Log verbosity (to help if there are problems)
    verb 3
To connect to several OpenVPN servers at the same time, one Tap-Win32 Adapter V9 local area connection per connection is needed
- On Windows 7 and later, open a command prompt as Administrator
- Each run of the following command adds one more TAP virtual adapter:
    "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
- The existing Tap-Win32 Adapter may drop its connection while this runs
- The certificate and key contents can also be embedded directly in the configuration file. The file then contains the private key and ta.key, so protect it accordingly. E.g. ideas_tp.ovpn:
    # Specify that this is a client
    client
    # Routed (tun) device; must match the server's "dev tun"
    dev tun
    proto tcp
    # Host name and port for the server (default port is 1194)
    # note: replace with the correct values for your server
    # 175.98.155.2 is the OpenVPN server IP
    remote 175.98.155.2 443
    remote-cert-tls server
    # Client does not need to bind to a specific local port
    nobind
    # Keep trying to resolve the host name of the OpenVPN server
    resolv-retry infinite
    # Preserve state across restarts
    persist-key
    persist-tun
    # Specify same cipher as server
    cipher AES-128-CBC
    # Use compression
    comp-lzo
    # Log verbosity (to help if there are problems)
    verb 3
    # With an inline <tls-auth> block the direction is given by key-direction
    # instead of the trailing "1" on the tls-auth line
    key-direction 1
    # ca ca.crt
    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </ca>
    #cert client1.crt
    <cert>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </cert>
    #key client1.key
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    </key>
    #tls-auth ta.key 1
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    ...
    -----END OpenVPN Static key V1-----
    </tls-auth>
Connecting to OpenVPN automatically at boot
- In Windows, go to Settings → Control Panel → Administrative Tools → Services, find "OpenVPN Service" and change its startup type to Automatic
- Once started, the service loads every *.ovpn in C:\Program Files\OpenVPN\config, but not those in subdirectories. If subdirectories were used to separate several VPN configurations, copy the *.ovpn files up one level and reference the certificate files by their subdirectory path inside the configuration. E.g.
    :
    # SSL/TLS parameters - files created previously
    ca ideas_tp/ca.crt
    cert ideas_tp/jonathan.crt
    key ideas_tp/jonathan.key
    :
References
- An alternative: the n2n VPN project