Deploying OpenVPN on CentOS 7 to connect a team across locations

Recently my team took on some work, but the team is scattered across different locations, so the front-end developers could not reach the back-end APIs. I decided to use OpenVPN to connect everyone, so the developers can debug against each other properly.

I. Environment

1. CentOS 7
2. OpenVPN Server 2.4.12
3. easy-rsa 3.0.8
4. OpenVPN client 2.5.7
5. User authentication script: download from http://openvpn.se/files/other/checkpsw.sh

II. Steps

1. Install the OpenVPN server and easy-rsa
yum -y install epel-release && yum -y install openvpn easy-rsa
2. Create the OpenVPN keys
[root@localhost ~]# mkdir /etc/openvpn/easy-rsa/
[root@localhost ~]# cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
[root@localhost ~]# cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# vim vars
2.1. Uncomment the following parameters and set them as shown
set_var EASYRSA_DN      "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Jiangsu"
set_var EASYRSA_REQ_CITY "Suzhou"
set_var EASYRSA_REQ_ORG "IT"
set_var EASYRSA_REQ_EMAIL "adm@zwyk.com"
set_var EASYRSA_NS_SUPPORT "yes"
3. Initialise the PKI, build the CA certificate and create the server key
[root@localhost ~]# cd /etc/openvpn/easy-rsa/  
[root@localhost easy-rsa]# ./easyrsa init-pki
[root@localhost easy-rsa]# ./easyrsa build-ca nopass
[root@localhost easy-rsa]# ./easyrsa gen-req server nopass   # just press Enter at the prompt
[root@localhost easy-rsa]# ./easyrsa sign-req server server   # type yes
4. Create the client key
[root@localhost easy-rsa]# ./easyrsa gen-req client nopass   # press Enter
[root@localhost easy-rsa]# ./easyrsa sign-req client client   # type yes
5. Create the DH parameters and the tls-auth key
[root@localhost easy-rsa]# ./easyrsa gen-dh
[root@localhost easy-rsa]# /usr/sbin/openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
6. Generate the certificate revocation list (CRL)
[root@localhost easy-rsa]# ./easyrsa  gen-crl
7. Copy the certificate files and the sample config file
[root@localhost easy-rsa]# cp -p pki/ca.crt /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p pki/issued/server.crt /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p pki/private/server.key /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p ta.key /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p pki/ca.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp -p pki/issued/client.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp -p pki/private/client.key /etc/openvpn/client/
[root@localhost easy-rsa]# cp -p ta.key /etc/openvpn/client/
[root@localhost easy-rsa]# cp pki/dh.pem /etc/openvpn/server/
[root@localhost easy-rsa]# cp pki/crl.pem /etc/openvpn/server/
[root@localhost easy-rsa]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
8. Edit the server config file
[root@localhost ~]# vim /etc/openvpn/server.conf
local 0.0.0.0
port 7782
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/server/ipp.txt # address-pool state; kept apart from the password file in /etc/openvpn/psw, which OpenVPN would otherwise rewrite with its assignments
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 20
user root
group root
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log /etc/openvpn/logs/openvpn.log
log-append /etc/openvpn/logs/openvpn.log
verb 3
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
verify-client-cert none
9. Create the log and password directories and set their permissions
[root@localhost ~]# mkdir -p /etc/openvpn/logs/
[root@localhost ~]# mkdir -p /etc/openvpn/psw/
[root@localhost ~]# chmod 777 /etc/openvpn/logs/
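Before opening port 7782, it is worth checking that the config from step 8 actually points at the files copied in step 7 and that the directories from step 9 are not looser than they need to be. The script below is an added example and is not part of the original post or of OpenVPN itself; the function names (`conf_value`, `file_mode`, `audit_server_conf`) are mine, it assumes GNU `stat` on the server, and the directive names it looks for (`tls-auth`, `crl-verify`, `verify-client-cert`, `comp-lzo`, `user`) are standard OpenVPN 2.4 directives. It reads each referenced path out of the config, reports anything missing, flags private material readable by group or others, flags a world-writable log directory, and lists directives whose effect a practitioner would want to be deliberate about.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# server.conf written in step 8 and the directories created in step 9.
# Assumed: run on the server by a user that can stat the referenced files;
# all paths are taken from the config itself, none are hard-coded here.

# Print the first argument of a directive, or nothing if it is absent.
# Commented-out lines start with '#' or ';', so their $1 never matches.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Octal permission bits of a path (GNU stat); empty if it does not exist.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# Emit one line per finding on stdout; always returns 0 so callers can count lines.
audit_server_conf() {
    conf="$1"
    for d in ca cert key dh tls-auth crl-verify; do
        f=$(conf_value "$conf" "$d")
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then
            echo "MISSING: $d points at $f, which does not exist"
            continue
        fi
        case "$d" in
            key|tls-auth)
                mode=$(file_mode "$f")
                case "$mode" in
                    [0-7]00) ;;   # owner-only access, as a secret should have
                    *) echo "PERMS: $f is mode $mode; a secret should be 600" ;;
                esac ;;
        esac
    done
    # Directories that receive status/log output: world-writable ones get reported once.
    seen=" "
    for d in status log log-append; do
        f=$(conf_value "$conf" "$d")
        [ -n "$f" ] || continue
        dir=$(dirname "$f")
        case "$seen" in *" $dir "*) continue ;; esac
        seen="$seen$dir "
        case "$(file_mode "$dir")" in
            *[2367]) echo "DIR: $dir (used by $d) is world-writable" ;;
        esac
    done
    grep -q '^verify-client-cert none' "$conf" &&
        echo "CERT: verify-client-cert none, so clients are identified by password alone"
    grep -q '^tls-auth' "$conf" ||
        echo "TLS: no tls-auth directive, so the ta.key generated in step 5 is never used"
    grep -q '^crl-verify' "$conf" ||
        echo "CRL: no crl-verify directive, so the crl.pem copied in step 7 is never used"
    grep -q '^comp-lzo' "$conf" &&
        echo "COMP: comp-lzo turns on compression inside the tunnel"
    grep -q '^user root' "$conf" &&
        echo "PRIV: user root keeps the daemon running as root after start-up"
    return 0
}

# Stand-alone use on the server: sh audit.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    audit_server_conf "$1"
fi
```

Run against the config as written on this page it reports the 644 key file only if the `cp -p` in step 7 preserved such a mode, the 777 logs directory from step 9, `verify-client-cert none`, `comp-lzo`, `user root`, and the unused `ta.key` and `crl.pem`; each line names the directive so the fix is a one-line edit to server.conf or a `chmod`.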
10. Create the ipp text file that stores usernames and passwords
[root@localhost ~]# cd /etc/openvpn/psw
[root@localhost psw]# touch ipp.txt
[root@localhost psw]# vim ipp.txt

The contents of ipp.txt look like this:

nihao nihao123456
haha haha123456
The first field is the account name, then a space, then the password.

11. Download and modify the user authentication script (the officially provided one)
[root@localhost openvpn]# wget http://openvpn.se/files/other/checkpsw.sh
[root@localhost openvpn]# vim checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw/ipp.txt"
LOG_FILE="/etc/openvpn/logs/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

Make the shell script executable:

[root@localhost openvpn]# chmod +x checkpsw.sh
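The checkpsw.sh script above does its job, but three things about it are worth knowing before it guards a port on the internet: the username is spliced into the awk program text rather than passed as data, the password file is clear text, and every failed attempt writes the supplied password into the log. The script below is an added example, not the page's script and not OpenVPN's own code; it keeps the same `via-env` contract (`$username`, `$password` and `$script_type` arrive as environment variables) but stores `user salt sha256(salt+password)` lines in a file whose path (`/etc/openvpn/psw/users.txt`) and format are my assumptions, and the function names `hash_password`, `make_entry` and `verify_user` are mine. `make_entry` is how an administrator produces a line for a new user.

```shell
#!/bin/sh
# Added example, not the page's or OpenVPN's own code: a replacement for the
# lookup-and-compare in checkpsw.sh. Assumed: invoked by OpenVPN through
# "auth-user-pass-verify <script> via-env"; file path and line format are
# assumptions of this example.

PASSFILE="${PASSFILE:-/etc/openvpn/psw/users.txt}"
LOG_FILE="${LOG_FILE:-/etc/openvpn/logs/openvpn-password.log}"

# Hex SHA-256 of salt||password.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Print a users.txt line for user $1 with password $2; $3 is an optional fixed
# salt (used by tests), otherwise 8 random bytes from /dev/urandom are used.
make_entry() {
    salt="${3:-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')}"
    printf '%s %s %s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# verify_user FILE USER PASSWORD -> exit status 0 on success, 1 otherwise.
verify_user() {
    file="$1"; pass="$3"
    [ -n "$2" ] || return 1
    # The username is exported for this one awk call and compared via ENVIRON,
    # so it is always string data and never part of the awk program.
    # Lines starting with ';' or '#' stay comments, as in the original file.
    entry=$(u="$2" awk '!/^[;#]/ && $1 == ENVIRON["u"] { print $2, $3; exit }' "$file")
    [ -n "$entry" ] || return 1
    salt=${entry%% *}
    expected=${entry#* }
    # A legacy clear-text line has no third field, so expected is empty and
    # the comparison fails rather than silently accepting the old format.
    [ "$(hash_password "$salt" "$pass")" = "$expected" ]
}

# When run by OpenVPN, decide and log. The log records the outcome and the
# username only; the supplied password is never written anywhere.
if [ "${script_type:-}" = "auth-user-pass-verify" ]; then
    stamp=$(date "+%Y-%m-%d %T")
    if verify_user "$PASSFILE" "${username:-}" "${password:-}"; then
        echo "${stamp}: Successful authentication: username=\"${username}\"." >> "$LOG_FILE"
        exit 0
    fi
    echo "${stamp}: Authentication failed: username=\"${username}\"." >> "$LOG_FILE"
    exit 1
fi
```

Two limits are inherent to doing this in shell: a single SHA-256 round with a salt is a clear step up from clear text but is not a slow password hash, and the final string comparison is not constant-time. For a server that more than a handful of colleagues will use, OpenVPN's `openvpn-plugin-auth-pam.so` with the system's PAM stack is the better home for password checking; this script is the minimum that keeps the page's file-based scheme without storing or logging clear-text passwords.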

12. Modify openvpn.service
[root@localhost openvpn]# mv /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn.service 

[root@localhost openvpn]# vim /usr/lib/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server.conf

[Install]
WantedBy=multi-user.target
[root@localhost openvpn]# mv /usr/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn-server.service

[root@localhost openvpn]# vim /usr/lib/systemd/system/openvpn-server.service
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
13. Set OpenVPN to start at boot
[root@localhost openvpn]# systemctl daemon-reload
[root@localhost openvpn]# systemctl enable openvpn
[root@localhost openvpn]# systemctl restart openvpn
14. Configure the client

In the config folder of the Windows OpenVPN client, create a file named client.ovpn
and put the following in it:

client
dev tun
proto tcp
remote openvpn.zwyk.eu.org 7782
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
verb 4
auth-user-pass
auth-nocache

Pull ca.crt from /etc/openvpn/client/ on the server down to your machine and place it next to client.ovpn.

III. Summary

Just hand the OpenVPN installer together with client.ovpn and ca.crt to the developers; once installed, they enter their username and password, connect to OpenVPN, and can debug each other's APIs.

IV. Scan the QR code to follow me

戴戴的Linux
