Installing and configuring OpenVPN on CentOS 6

Server side

  • CentOS 6.6 x86_64

Download and install the latest OpenVPN and related libraries

su - root
rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
yum install kernel-devel openssl-devel gcc rpm-build
yum install lzo-devel pam-devel pkcs11-helper-devel openvpn easy-rsa

Set up the tun0 virtual interface and NAT on eth0

mknod /dev/net/tun c 10 200
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
:
vi /etc/sysconfig/iptables
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
service iptables restart
chkconfig iptables on

Create the server-side certificate files

  • Confirm that the openssl in use is 1.0.0 (the easy-rsa config file linked below has to match that version)
    [root@host 2.0]# rpm -q openssl
    openssl-1.0.0-20.el6_2.3.x86_64
  • Create the casrv certificate-administrator account and copy the easy-rsa environment into its home
    useradd casrv
    passwd casrv
    cp -a /usr/share/easy-rsa ~casrv/
    cd ~casrv/
    chown -R casrv:casrv easy-rsa/
  • Create the openssl.cnf link, pointing at the config file for the installed openssl version
    su - casrv
    cd easy-rsa/2.0/
    ln -s openssl-1.0.0.cnf openssl.cnf
  • Edit vars
    vi vars
    :
    export KEY_COUNTRY="TW"
    export KEY_PROVINCE="Taiwan"
    export KEY_CITY="Taipei"
    export KEY_ORG="Trysoft Corp."
    export KEY_EMAIL="changeme"
    export KEY_EMAIL=changeme
    export KEY_CN=OpenVPN
    export KEY_NAME=changeme
    export KEY_OU=Tech
    :
  • Generate the root CA
    . ./vars
    ./clean-all
    ./build-ca
    [casrv@host 2.0]% ./build-ca
    Generating a 1024 bit RSA private key
    :
    :
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taipei
    Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
    Organizational Unit Name (eg, section) [changeme]:Tech
    Common Name (eg, your name or your server's hostname) [changeme]:OpenVPN
    Name [changeme]:OpenVPN
    Email Address [[email protected]]:[email protected]
    
  • Generate the server certificate
    ./build-key-server server
    [casrv@host 2.0]% ./build-key-server server
    Generating a 1024 bit RSA private key
    :
    :
    Country Name (2 letter code) [US]:TW
    State or Province Name (full name) [CA]:Taiwan
    Locality Name (eg, city) [SanFrancisco]:Taipei
    Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
    Organizational Unit Name (eg, section) [changeme]:Tech
    Common Name (eg, your name or your server's hostname) [server]:openvpn
    Name [changeme]:
    Email Address [[email protected]]:[email protected]
    :
    A challenge password []:
    An optional company name []:
    :
    Certificate is to be certified until Apr  4 06:21:30 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    :
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  • Generate the Diffie-Hellman parameters (build-dh writes keys/dh${KEY_SIZE}.pem; the 1024-bit run shown here produced dh1024.pem, so set KEY_SIZE=2048 in vars to obtain the dh2048.pem that server.conf refers to later)
    ./build-dh
    [casrv@host 2.0]% ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    :
    :
    ..++*++*++*
  • Generate the tls-auth key
    openvpn --genkey --secret keys/ta.key
  • All generated key files are stored in
    ~casrv/easy-rsa/2.0/keys/

Create the client certificate files

  • Client certificates
    su - casrv
    cd easy-rsa/2.0/
    source ./vars
    ./build-key client1
    :
    :
    ./build-key clientn
    [casrv@host 2.0]% ./build-key client1
    Generating a 1024 bit RSA private key
    :
    writing new private key to 'client1.key'
    -----
    :
    Country Name (2 letter code) [TW]:
    State or Province Name (full name) [Taiwan]:
    Locality Name (eg, city) [Taipei]:
    Organization Name (eg, company) [Trysoft Corp.]:
    Organizational Unit Name (eg, section) [Tech]:
    Common Name (eg, your name or your server's hostname) [client1]:
    Name [changeme]:Client1
    Email Address [changeme]:[email protected]
    :
    A challenge password []:
    An optional company name []:
    :
    Certificate is to be certified until Apr  4 06:36:36 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y
    :
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
  • All generated key files are stored in
    ~casrv/easy-rsa/2.0/keys/
  • The list of certificates issued so far is kept in index.txt
    V       220404062130Z           01      unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=openvpn/name=changeme/[email protected]
    V       220404063636Z           02      unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client1/name=Client1/[email protected]
    :
    :
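The index.txt database can be summarised with a short shell script. The one below is an added example, not from the original page or from easy-rsa: it reads the tab-separated columns (status, expiry, revocation date, serial, file name, subject DN), reports entries still marked V whose validity has already lapsed, and lists the serials that must appear in crl.pem. The sample index it writes is constructed from the two entries shown above plus a revoked client0 entry; the e-mail addresses in it are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original page: summarise easy-rsa 2.0's
# keys/index.txt, the database the CRL is generated from. Each line is
# tab-separated: status (V = valid, R = revoked, E = expired), expiry as
# YYMMDDHHMMSSZ, revocation date (only for R), serial, file name ("unknown"
# when easy-rsa did not record one) and the subject DN.

# index_report <index.txt> [YYMMDD]: print "status serial expiry CN" for every
# entry. Entries still marked V whose expiry lies before the given date (default:
# today, UTC) are reported as E, because openssl ca only rewrites the status
# column when it next touches the database.
index_report() {
    today="${2:-$(date -u +%y%m%d)}"
    awk -F'\t' -v today="$today" '
        NF >= 6 {
            status = $1; expiry = substr($2, 1, 6); serial = $4
            cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
            if (status == "V" && expiry < today) status = "E"
            printf "%s %s %s %s\n", status, serial, expiry, cn
        }' "$1"
}

# Serials that must be present in crl.pem: every R entry.
index_revoked_serials() {
    awk -F'\t' '$1 == "R" { print $4 }' "$1"
}

# Constructed sample: the two entries shown on this page plus the revoked
# client0 (serial 03) from the revocation section; e-mail values are placeholders.
write_sample_index() {
    printf 'V\t220404062130Z\t\t01\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=openvpn/name=changeme/emailAddress=user@example.invalid\n' > "$1"
    printf 'V\t220404063636Z\t\t02\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client1/name=Client1/emailAddress=user@example.invalid\n' >> "$1"
    printf 'R\t220404064500Z\t120625050621Z\t03\tunknown\t/C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client0/name=Client0/emailAddress=user@example.invalid\n' >> "$1"
}

# Stand-alone run: report on the real index if given as argument, else on the sample.
if [ -n "${1:-}" ]; then
    index_report "$1"
else
    sample=$(mktemp); write_sample_index "$sample"
    index_report "$sample"
    echo "revoked serials: $(index_revoked_serials "$sample" | tr '\n' ' ')"
fi
```

Run it against ~casrv/easy-rsa/2.0/keys/index.txt to see at a glance which client certificates are still usable and which serials the next CRL has to carry.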

Revoking client certificates

  • Following the procedure above, first create a test certificate client0, then revoke it
  • Revoking a certificate
    su - casrv
    cd easy-rsa/2.0/
    source ./vars
    ./revoke-full client0
    [casrv@host CA]$ ./revoke-full client0
    Using configuration from /home/casrv/CA/openssl.cnf
    Revoking Certificate 03.
    Data Base Updated
    Using configuration from /home/casrv/CA/openssl.cnf
    client0.crt: C = TW, ST = Taiwan, L = Taipei, O = Trysoft Corp, OU = Tech, CN = client0, name = Client0, emailAddress = [email protected]
    error 23 at 0 depth lookup:certificate revoked
  • After every revocation, the regenerated keys/crl.pem must be copied to /etc/openvpn/ so that the server's revocation list is updated
    su - root
    cp ~casrv/easy-rsa/2.0/keys/crl.pem /etc/openvpn/

    Or create a link so that the two copies of crl.pem stay in sync

    su - root
    cd /etc/openvpn
    ln /home/casrv/easy-rsa/2.0/keys/crl.pem .
  • If CRL checking (crl-verify) is enabled, clients may suddenly be unable to connect once OpenVPN is upgraded to 2.4, because 2.4 rejects a CRL whose Next Update has passed; the server log then shows
    Fri Apr 21 08:08:18 2017 60.248.245.177:50610 VERIFY ERROR: depth=0, error=CRL has expired: C=TW, ST=Taiwan, L=Tainan, O=xxxx OU=Sales, CN=xxx, name=xxx, [email protected]
    Fri Apr 21 08:08:18 2017 60.248.245.177:50610 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
  • crl.pem can be regenerated with
    su - casrv
    cd easy-rsa/2.0/
    source ./vars
    openssl ca -gencrl -keyfile keys/ca.key -cert keys/ca.crt -out keys/crl.pem -config ./openssl.cnf
  • The generated CRL looks roughly like this (the md5WithRSAEncryption signature comes from default_md in openssl.cnf; change it to sha256, or pass -md sha256 to openssl ca, before regenerating)
    openssl crl -in crl.pem -text
    Certificate Revocation List (CRL):
            Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
            Issuer: /C=TW/ST=Taiwan/L=Taipei/O=xxx Co., Ltd./OU=Tech/CN=OpenVPN/name=OpenVPN/[email protected]
            Last Update: Apr 21 02:16:30 2017 GMT
            Next Update: May 21 02:16:30 2017 GMT
    Revoked Certificates:
        Serial Number: 05
            Revocation Date: Jun 25 05:06:21 2012 GMT
               :
        Serial Number: 0A
            Revocation Date: Dec 31 02:24:45 2015 GMT
        Signature Algorithm: md5WithRSAEncryption
             69:c4:45:ab:de:cf:ae:1f:e8:10:3c:03:12:5f:fd:47:fd:10:
               :
             bf:e3:fb:01:4a:11:ea:da:18:06:d1:5b:85:8b:da:c4:31:c8:
             df:81
    -----BEGIN X509 CRL-----
    MIIB3jCCAUcwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlRXMQ8wDQYDVQQI
    EwZUYWl3YW4xDzANBgNVBAcTBlRhaXBlaTEmMCQGA1UEChMdRXZlcnBsYXN0IE1h
    :
    vgzp3y49jtoXHn2YqioMaciGrOzCYxCrLcVWc/Y2v+P7AUoR6toYBtFbhYvaxDHI
    34E=
    -----END X509 CRL-----
  • So add a crontab entry that regenerates crl.pem automatically at least once a month (default_crl_days = 30 in openssl.cnf is what gives the one-month Last Update/Next Update window above)
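The two maintenance steps above (copy crl.pem into /etc/openvpn after every revocation, and regenerate it at least monthly) fit into one cron job. The script below is an added example, not code from the original page or from easy-rsa: it regenerates the CRL with openssl ca exactly as shown above, verifies the result against ca.crt, refuses to install a CRL that would expire within CRL_MIN_DAYS, and installs it atomically. The default paths, the 7-day margin, the sha256 digest and the throwaway demo CA it builds when run without arguments are all this script's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original page. Regenerates keys/crl.pem for the
# easy-rsa 2.0 CA set up above and installs it into /etc/openvpn only if the new
# CRL verifies against ca.crt and stays valid for at least CRL_MIN_DAYS. Run it
# from cron (weekly is plenty for a 30-day CRL) so an OpenVPN 2.4 server never
# sees an expired CRL. The default paths, the safety margin and the sha256 digest
# are this script's own assumptions; the real tree must contain what the steps
# above produce (vars, openssl.cnf, keys/ca.key, keys/ca.crt, keys/index.txt).
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/home/casrv/easy-rsa/2.0}"
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"
CRL_DAYS="${CRL_DAYS:-30}"          # lifetime of the regenerated CRL
CRL_MIN_DAYS="${CRL_MIN_DAYS:-7}"   # never install a CRL with less than this left

# Whole days until the CRL's Next Update (negative once expired); needs GNU date.
crl_days_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate | cut -d= -f2-)
    echo $(( ( $(date -u -d "$next" +%s) - $(date -u +%s) ) / 86400 ))
}

# refresh_crl <easy-rsa dir> <openvpn dir>: regenerate, check, install, and print
# the remaining validity in days. Runs in a subshell so the cd and the variables
# sourced from vars do not leak into the caller.
refresh_crl() (
    cd "$1"; dest="$2"
    . ./vars >/dev/null                      # exports KEY_DIR etc. for openssl.cnf
    tmp=$(mktemp "$KEY_DIR/crl.pem.XXXXXX")
    openssl ca -config ./openssl.cnf -gencrl -md sha256 -crldays "$CRL_DAYS" \
        -keyfile "$KEY_DIR/ca.key" -cert "$KEY_DIR/ca.crt" -out "$tmp" 2>/dev/null
    # Clients verify the CRL signature with ca.crt, so check it the same way.
    if ! openssl crl -in "$tmp" -noout -CAfile "$KEY_DIR/ca.crt" 2>&1 | grep -q 'verify OK'; then
        rm -f "$tmp"; echo "new CRL does not verify against ca.crt" >&2; exit 1
    fi
    left=$(crl_days_left "$tmp")
    if [ "$left" -lt "$CRL_MIN_DAYS" ]; then
        rm -f "$tmp"; echo "new CRL is valid for only $left day(s)" >&2; exit 1
    fi
    mv -f "$tmp" "$KEY_DIR/crl.pem"
    # Copy, then rename: OpenVPN must never read a half-written crl.pem.
    cp "$KEY_DIR/crl.pem" "$dest/crl.pem.new" && chmod 0644 "$dest/crl.pem.new"
    mv -f "$dest/crl.pem.new" "$dest/crl.pem"
    echo "$left"
)

# Constructed throwaway CA in a temporary directory, laid out like
# ~casrv/easy-rsa/2.0, so the script can be tried without touching a real CA.
make_demo_ca() {
    d=$(mktemp -d); mkdir "$d/keys"
    : > "$d/keys/index.txt"; echo 01 > "$d/keys/serial"; echo 01 > "$d/keys/crlnumber"
    echo "export KEY_DIR=\"$d/keys\"" > "$d/vars"
    cat > "$d/openssl.cnf" <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $ENV::KEY_DIR
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj '/CN=Demo OpenVPN CA' \
        -keyout "$d/keys/ca.key" -out "$d/keys/ca.crt" 2>/dev/null
    echo "$d"
}

# Usage: --cron refreshes the real tree; with no argument the demo CA is used.
case "${1:-}" in
    --cron) refresh_crl "$EASYRSA_DIR" "$OPENVPN_DIR" >/dev/null ;;
    *)      d=$(make_demo_ca); o=$(mktemp -d)
            echo "demo crl.pem installed in $o, valid for $(refresh_crl "$d" "$o") day(s)" ;;
esac
```

For the real CA, install it as casrv's weekly cron job with --cron and give casrv write access to /etc/openvpn/crl.pem (or keep the hard link from the previous step and pass the easy-rsa keys directory as the destination); a non-zero exit from cron then means the CRL was not replaced and the old one is still in use.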

Configure and start the server

  • The installed OpenVPN version is 2.3.6
    [root@host openvpn]# rpm -q openvpn
    openvpn-2.3.6-1.el6.x86_64
  • Plan: listen on TCP/443 and hand out 192.168.221.101 to 150 to clients
  • Set up the configuration file
    cd /etc/openvpn
    cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
    vi server.conf
    dev tun
    proto tcp
    port 443
    ca ca.crt
    cert server.crt
    key server.key
    #crl-verify crl.pem
    dh dh2048.pem
    server 192.168.221.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    client-to-client
    #push "dhcp-option DNS 192.168.11.242"
    #push "route 192.168.11.0 255.255.255.0"
    keepalive 10 120
    tls-auth ta.key 0
    cipher AES-128-CBC
    comp-lzo
    cd /etc/openvpn
    cp ~casrv/easy-rsa/2.0/keys/dh2048.pem .
    cp ~casrv/easy-rsa/2.0/keys/server.crt .
    cp ~casrv/easy-rsa/2.0/keys/server.key .
    cp ~casrv/easy-rsa/2.0/keys/ca.crt .
    cp ~casrv/easy-rsa/2.0/keys/ta.key .
    service openvpn start
    chkconfig openvpn on

Configure and start the client

Install the client software

Client certificate and configuration file

  • client1 is used as the example below
  • Create a subdirectory ideas_tp under the OpenVPN config directory C:\Program Files\OpenVPN\config
  • Copy the ca.crt / client1.key / client1.crt / ta.key produced on the CA server into C:\Program Files\OpenVPN\config\ideas_tp
  • Edit ideas_tp.ovpn
    # Specify that this is a client
    client
    
    # Tunnel device type, same as on the server
    dev tun
    proto tcp
    
    # Host name and port for the server (default port is 1194)
    # note: replace with the correct values your server set up
    remote 175.98.155.2 443  # openvpn Server IP
    remote-cert-tls server
    
    # Client does not need to bind to a specific local port
    nobind
    
    # Keep trying to resolve the host name of OpenVPN server.
    resolv-retry infinite
    
    # Preserve state across restarts
    persist-key
    persist-tun
    
    # SSL/TLS parameters - files created previously
    ca ca.crt
    cert client1.crt
    key client1.key
    
    # Since we specified the tls-auth for server, we need it for the client
    # note: 0 = server, 1 = client
    tls-auth ta.key 1
    
    # Specify same cipher as server
    cipher AES-128-CBC
    
    # Use compression
    comp-lzo
    
    # Log verbosity (to help if there are problems)
    verb 3
    
To connect to several OpenVPN servers at the same time, create several Tap-Win32 Adapter V9 network connections
  1. On Windows 7 and later, open a command prompt (DOS window) with Administrator rights
  2. Each run of the following command adds one TAP virtual adapter
    "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901

While it runs, the existing Tap-Win32 Adapter may disconnect

  • The certificate file contents can also be embedded directly in the configuration file, e.g. ideas_tp.ovpn
    # Specify that this is a client
    client
    
    # Tunnel device type, same as on the server
    dev tun
    proto tcp
    
    # Host name and port for the server (default port is 1194)
    # note: replace with the correct values your server set up
    remote 175.98.155.2 443  # openvpn Server IP
    remote-cert-tls server
    
    # Client does not need to bind to a specific local port
    nobind
    
    # Keep trying to resolve the host name of OpenVPN server.
    resolv-retry infinite
    
    # Preserve state across restarts
    persist-key
    persist-tun
    
    # Specify same cipher as server
    cipher AES-128-CBC
    
    # Use compression
    comp-lzo
    
    # Log verbosity (to help if there are problems)
    verb 3
    
    key-direction 1
    # ca ca.crt
    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </ca>
    #cert client1.crt
    <cert>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </cert>
    #key client1.key
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
    </key>
    #tls-auth ta.key 1
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    ...
    -----END OpenVPN Static key V1-----
    </tls-auth>
    
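Most client/server mismatches in the profiles above (cipher, comp-lzo, tls-auth direction 0 versus 1, key-direction 1 for the embedded variant, proto and port) only surface as a failed handshake in the log. The script below is an added example, not part of the original page: it compares a server.conf with a client .ovpn before the profile is shipped, and also flags the two weak points visible in the configs as shown, the commented-out crl-verify on the server and a client without remote-cert-tls server. The sample configs it writes are constructed copies of the ones above; the function and file names are this script's own.

```sh
#!/bin/sh
# Added example, not part of the original page: a pre-deployment check that a
# client .ovpn matches the server.conf it is meant for. It covers the points the
# two configs above must agree on (proto, port, cipher, comp-lzo, tls-auth key
# direction 0 on the server and 1 on the client, or key-direction 1 when ta.key
# is embedded inline) and flags two omissions: no active crl-verify on the
# server, and a client without "remote-cert-tls server".

# First value of option $1 in config $2; lines starting with # or ; are comments
# and never match because the option name is compared against the first token.
ovpn_opt()  { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }
ovpn_opt3() { awk -v k="$1" '$1 == k { print $3; exit }' "$2"; }
ovpn_has()  { awk -v k="$1" '$1 == k { f = 1 } END { exit !f }' "$2"; }

# ovpn_pair_check <server.conf> <client.ovpn>: prints one MISMATCH line per
# problem and returns non-zero if there were any.
ovpn_pair_check() {
    srv="$1"; cli="$2"; n=0
    fail() { echo "MISMATCH: $*"; n=$((n + 1)); }
    [ "$(ovpn_opt proto "$srv")" = "$(ovpn_opt proto "$cli")" ] || fail "proto differs"
    [ "$(ovpn_opt port "$srv")" = "$(ovpn_opt3 remote "$cli")" ] || fail "server port and client remote port differ"
    [ "$(ovpn_opt cipher "$srv")" = "$(ovpn_opt cipher "$cli")" ] || fail "cipher differs"
    if ovpn_has comp-lzo "$srv"; then ovpn_has comp-lzo "$cli" || fail "server uses comp-lzo, client does not"
    else ! ovpn_has comp-lzo "$cli" || fail "client uses comp-lzo, server does not"; fi
    [ "$(ovpn_opt3 tls-auth "$srv")" = 0 ] || fail "server tls-auth direction must be 0"
    dir=$(ovpn_opt3 tls-auth "$cli"); [ -n "$dir" ] || dir=$(ovpn_opt key-direction "$cli")
    [ "$dir" = 1 ] || fail "client tls-auth / key-direction must be 1"
    [ "$(ovpn_opt remote-cert-tls "$cli")" = server ] || fail "client lacks 'remote-cert-tls server' (any cert from the CA could pose as the server)"
    ovpn_has crl-verify "$srv" || fail "server has no active crl-verify, revoked client certs are still accepted"
    echo "$n problem(s)"
    [ "$n" -eq 0 ]
}

# Constructed copies of the server.conf and the file-based client profile shown
# on this page, written into directory $1.
demo_configs() {
    cat > "$1/server.conf" <<'EOF'
dev tun
proto tcp
port 443
ca ca.crt
cert server.crt
key server.key
#crl-verify crl.pem
dh dh2048.pem
server 192.168.221.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher AES-128-CBC
comp-lzo
EOF
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 175.98.155.2 443  # openvpn Server IP
remote-cert-tls server
nobind
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
EOF
}

# Usage: <server.conf> <client.ovpn>; with no arguments the page's own pair is checked.
if [ $# -eq 2 ]; then
    ovpn_pair_check "$1" "$2"
elif [ $# -eq 0 ]; then
    d=$(mktemp -d); demo_configs "$d"
    ovpn_pair_check "$d/server.conf" "$d/client.ovpn" || true   # reports the disabled crl-verify
fi
```

Run with no arguments it reports exactly one problem for the configs as printed on this page, the commented-out crl-verify; uncommenting that line in server.conf (after crl.pem has been copied there) makes the check pass.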

Connecting to OpenVPN automatically at client boot

  • In Windows open Settings → Control Panel → Administrative Tools → Services, find "OpenVPN Service" and set its startup type to Automatic
  • Once started, the service automatically scans the *.ovpn files in C:\Program Files\OpenVPN\config, but not *.ovpn files in subdirectories, so if several VPN profiles were separated into subdirectories as above, copy the *.ovpn files out to the config directory and point the certificate directives at the subdirectory path, e.g.
    :
    # SSL/TLS parameters - files created previously
    ca ideas_tp/ca.crt
    cert ideas_tp/jonathan.crt
    key ideas_tp/jonathan.key
    :

References

tech/openvpn.txt · Last modified: 2019/04/16 13:30 by jonathan_tsai