References
https://phoenixnap.com/kb/openvpn-centos    (installation guide followed)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage?cf_chl_jschl_tk=2ef2ce429812b6af8d89764730f64a2224053560-1616146799-0-ARxFX2pRsifexhxoXrH8mPbj7faD8nxJaECGR0kQgNEolVczUZJURwhSuvt8-7CF0Dmlj9IkjC19L9J10MEz21fQEq-W7qjdfNvw56Pl8guyYk6FlOkJiYH1mJu2drhcD4Z23JxhPDDHWNPIwgozsiY6oQMHpaZC-QN0_XuWsqZxX2msLn6NyxWA0by8CfTvbyAKd2uzJjwbwRdvqW1hHlCFew3FUJuxwNDbvMmUAlfyHL-81IqBKzBkbUfyafzC9EG56emXf5v6YxLbBvQwaCW1vx-Fl4prSIGoKoqwmxrPoiRXqJZVP7pXwKVhcw-0FcVk_XEPzxP60yaP4el5J0eN9rDv1ztCs3yj0ScfIf5_    (official 2.4 man page; consulted mainly for the askpass option)
https://forums.openvpn.net/viewtopic.php?t=26024    (someone else's question about the same problem)
https://openvpn.net/community-resources/how-to/#openvpn-quickstart    (official installation documentation, installing from source)
1: Install OpenVPN
yum -y install epel*
yum -y update
yum install -y openvpn
2: Install Easy-RSA
yum install -y wget
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.8.tar.gz
tar -xf v3.0.8.tar.gz
cd /etc/openvpn/
mkdir /etc/openvpn/easy-rsa
mv /root/easy-rsa-3.0.8 /etc/openvpn/easy-rsa
3: Configure OpenVPN
cp -r /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/
find / -name server.conf
/etc/openvpn/server.conf
/usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf
/usr/share/doc/NetworkManager/examples/server.conf
vi /etc/openvpn/server.conf
To set up the basic configuration, you need to uncomment the following lines by removing the semicolons.
topology subnet (makes the OpenVPN installation function as a subnetwork)
push "redirect-gateway def1 bypass-dhcp" (instructs the client to redirect traffic through the OpenVPN server)
push "dhcp-option DNS 208.67.222.222" (uses an OpenDNS resolver to connect to OpenVPN)
push "dhcp-option DNS 208.67.220.220" (uses an OpenDNS resolver to connect to OpenVPN)
user nobody (runs OpenVPN with no privileges)
group nobody (runs OpenVPN with no privileges)
Then, generate a static encryption key to enable TLS authentication. To do that, locate the line tls-auth ta.key 0 and comment it out by adding ; in front of it. Then, add a new line under it:
tls-auth ta.key 0 # This file is secret    (this is a line inside server.conf, not a command; as the sentence above says, it is commented out by prefixing it with ;)
[root@master easy-rsa]# tls-crypt myvpn.tlsauth
-bash: tls-crypt: 未找到命令
The directive belongs in server.conf, not on the shell command line. Add this line to server.conf:
tls-crypt myvpn.tlsauth
The configuration file specifies which DNS servers to use to connect to OpenVPN. By default, it is set to use OpenDNS resolvers, which is how we left it. Alternatively, you can change it to different DNS resolvers by modifying the push "dhcp-option DNS 208.67.222.222" and push "dhcp-option DNS 208.67.220.220" lines.
Save and exit the configuration file.
Finally, generate the static encryption key specified in the file with the command:
openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
ls
client easy-rsa myvpn.tlsauth server server.conf server.conf.bak
cat myvpn.tlsauth
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
45a69a183da20a8f7e7b17b0276786bd
b57d725692dc4200ec0f3024dc9da266
ac8c4ffb676db52cd17c5249b2eb8aeb
91c2e344218a7c183b92f588cace5a28
253f0f387d3d878e1f3023a52974c7c7
0f5fec0398ae041ac291fd133b70cac1
5fe6e54c13fdc25fa33af8b51aa7ba12
5fd6cae5ac8d385c61d0b1d5af445052
6cd825b30822dfa895b1944f6017b336
335cbf71ad99445054f51d1695f48400
009dbe69dc90d5033493b8b297872691
cfa4b3be751a03db85a8a7fe5ff4ebc4
2c518df59f26250468782532d0acf63c
4b4f98a93f533cdb363cf8e4763a8dc0
521c0afed8d137f08152eaa971c1428a
d1e0e97ed473d02e7bccfd4e38b20ed7
-----END OpenVPN Static key V1-----
4: Generate Keys and Certificates
cd /etc/openvpn/easy-rsa/easyrsa3
ls
easyrsa openssl-easyrsa.cnf vars.example x509-types
cp vars.example vars
vim vars
Scroll through the file and find the lines listed below.
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
Uncomment these lines by removing the leading # and replace the defaults with your own information (the note after each line says what the field is):
set_var EASYRSA_REQ_COUNTRY "US"            (country)
set_var EASYRSA_REQ_PROVINCE "California"   (province/state)
set_var EASYRSA_REQ_CITY "San Francisco"    (city)
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"   (organization)
set_var EASYRSA_REQ_EMAIL "me@example.net"  (e-mail address)
set_var EASYRSA_REQ_OU "My Organizational Unit"   (organizational unit)
Note: with the default EASYRSA_DN "cn_only" these fields are not written into the certificates at all (the issued DNs shown later contain only commonName); they are used only if EASYRSA_DN is set to "org".
The values used for this server:
set_var EASYRSA_REQ_COUNTRY "China"
set_var EASYRSA_REQ_PROVINCE "ZeJiang"
set_var EASYRSA_REQ_CITY "HangZhou"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "m15088694571@163.com"
set_var EASYRSA_REQ_OU "Persional"
set_var KEY_NAME "server"
set_var KEY_CN "openvpn.yourdomain.com"
Then, find the line specifying the KEY_NAME and change it to "server". If no such line exists, add it:
set_var KEY_NAME "server"                (key name)
set_var KEY_CN "openvpn.yourdomain.com"  (domain name)
Note: KEY_NAME and KEY_CN are Easy-RSA 2 variables. Easy-RSA 3 does not read them (the certificate name is given on the command line, as in ./easyrsa build-server-full server below), so these two lines are harmless but have no effect. The vars file is sourced as a shell script, so the spelling must be set_var, not set-var.
#set_var EASYRSA_KEY_SIZE 2048
[root@master easyrsa3]# ./easyrsa clean-all
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki
ls /etc/openvpn/easy-rsa/easyrsa3/pki
openssl-easyrsa.cnf private reqs safessl-easyrsa.cnf
You will be asked to set a CA Key Passphrase and a common name for your CA.
[root@master easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Error reading password from BIO
Error getting password
Easy-RSA error:
Failed create CA private key
[root@master easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:    (a passphrase has to be typed here; 1234 was used for this test, any value will do)
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
.............................................+++
.................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    (just press Enter to accept the default)
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
To skip password authentication each time you sign your certificates, you can use the ./easyrsa build-ca nopass command.
./easyrsa build-ca nopass    (with this variant no passphrase is asked for)
5: Create the key and certificate for the server:
[root@master easyrsa3]# ./easyrsa build-server-full server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
........................+++
.......+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48737.zw5a7r/tmp.aqGMia'
Enter PEM pass phrase:1234
Verifying - Enter PEM pass phrase:1234
-----
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48737.zw5a7r/tmp.Q5pEoV
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
139858593519504:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:
You must type in 4 to 1023 characters
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:1234
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jun 22 08:25:11 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Next, generate a Diffie-Hellman key exchange file by running:
[root@master easyrsa3]# ./easyrsa gen-dh
....................................................................................................................................+............................................................................+..........................................................................+............................................................................................................................................................................+.........+.........++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
You also need a certificate for each client. Generate them on the server and then copy them to the client machines. With the following command we create a certificate and key for client1; you can substitute a name of your choice.
[root@master easyrsa3]# ./easyrsa build-client-full client1
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
......+++
..................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48964.d7rv5O/tmp.pvCyVV'
Enter PEM pass phrase:1234
Verifying - Enter PEM pass phrase:1234
-----
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48964.d7rv5O/tmp.rWFiYS
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:1234
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client1'
Certificate is to be certified until Jun 22 08:27:41 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Once the keys and certificates have been generated, copy them from the pki directory into the openvpn directory. To do so, change to the pki directory:
cd /etc/openvpn/easy-rsa/easyrsa3/pki
[root@master pki]# ls
ca.crt index.txt.attr openssl-easyrsa.cnf revoked
certs_by_serial index.txt.attr.old private safessl-easyrsa.cnf
dh.pem index.txt.old renewed serial
index.txt issued reqs serial.old
[root@master pki]# cp ca.crt dh.pem /etc/openvpn
[root@master pki]# cd private/
[root@master private]# cp ca.key server.key /etc/openvpn
[root@master private]# ls /etc/openvpn/
ca.crt client easy-rsa server server.conf.bak
ca.key dh.pem myvpn.tlsauth server.conf server.key
Firewall and Routing Configuration
[root@master private]# systemctl start firewalld
[root@master private]# firewall-cmd --get-active-zones
public
interfaces: ens33
[root@master private]# firewall-cmd --zone=public --add-service openvpn
success
[root@master private]# firewall-cmd --zone=public --add-service openvpn --permanent
success
[root@master private]# firewall-cmd --list-services --zone=public
dhcpv6-client openvpn ssh
[root@master private]# firewall-cmd --add-masquerade
success
[root@master private]# firewall-cmd --add-masquerade --permanent
success
[root@master private]# firewall-cmd --query-masquerade
yes
Routing the Configuration
[root@master private]# VAR=$(ip route get 208.67.222.222 | awk 'NR==1 {print $(NF-2)}')
[root@master private]# echo $VAR
ens33
[root@master private]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $VAR -j MASQUERADE
success
[root@master private]# firewall-cmd --reload
success
[root@master private]# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
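The interface detection above works on CentOS 7, but the awk expression depends on the position of the fields in the output of ip route get. The script below is an added example and is not part of the original post: it picks the interface by looking for the word that follows "dev" instead, shows the difference on a constructed line in the newer iproute2 format (which appends "uid 0"), and builds the firewall-cmd argument list for the NAT rule with a guard against an empty interface name. It assumes only a POSIX sh with awk (plus iproute2 for the live wrapper); the function names dev_from_route, naive_dev_from_route, egress_iface and masq_rule_args are this example's own. Note also that the net.ipv4.ip_forward = 1 setting in /etc/sysctl.conf only takes effect after sysctl -p or a reboot.

```shell
#!/bin/sh
# Added example (not from the original post): determine the egress interface
# for the NAT rule without depending on field positions in `ip route get`.
#
# The post uses   awk 'NR==1 {print $(NF-2)}'   which assumes the CentOS 7
# iproute2 output:
#   208.67.222.222 via 192.168.1.1 dev ens33 src 192.168.1.10
# Newer iproute2 appends "uid 0" to that line, which shifts the fields so that
# $(NF-2) yields the source address instead of the interface name.

# Read one `ip route get` line on stdin and print the word that follows "dev".
dev_from_route() {
    awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# The post's original expression, kept only for comparison.
naive_dev_from_route() {
    awk 'NR==1 {print $(NF-2)}'
}

# Wrapper around the real command (needs iproute2; not used by the self-test).
egress_iface() {
    ip route get "${1:-208.67.222.222}" | dev_from_route
}

# Build the argument list for the firewalld passthrough rule from the post.
# An empty interface name is refused: with $VAR unquoted and empty, the rule
# would be malformed or not restricted to the egress interface at all.
masq_rule_args() {
    iface=$1
    vpn_net=${2:-10.8.0.0/24}
    if [ -z "$iface" ]; then
        echo "no egress interface detected, refusing to build NAT rule" >&2
        return 1
    fi
    printf '%s\n' "--permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s $vpn_net -o $iface -j MASQUERADE"
}

# Constructed sample lines for both output formats.
OLD_FMT='208.67.222.222 via 192.168.1.1 dev ens33 src 192.168.1.10'
NEW_FMT='208.67.222.222 via 192.168.1.1 dev ens33 src 192.168.1.10 uid 0'

for line in "$OLD_FMT" "$NEW_FMT"; do
    echo "input : $line"
    echo "  robust: $(printf '%s\n' "$line" | dev_from_route)"
    echo "  naive : $(printf '%s\n' "$line" | naive_dev_from_route)"
done
# On a real host: firewall-cmd $(masq_rule_args "$(egress_iface)") && firewall-cmd --reload
```

On the constructed newer-format line the post's expression returns 192.168.1.10 rather than ens33, so the masquerade rule would silently be built for the wrong value; the "dev" lookup returns ens33 for both formats.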
Start OpenVPN
[root@master private]# systemctl -f start openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
[root@master private]# systemctl -f status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since 五 2021-03-19 16:50:35 CST; 3s ago
Process: 63976 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
Main PID: 63976 (code=exited, status=1/FAILURE)
3月 19 16:50:35 master systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
3月 19 16:50:35 master openvpn[63976]: Options error: --dh fails with 'dh2048.pem': No such file or directory (errno=2)
3月 19 16:50:35 master openvpn[63976]: Options error: --cert fails with 'server.crt': No such file or directory (errno=2)
3月 19 16:50:35 master openvpn[63976]: Options error: Please correct these errors.
3月 19 16:50:35 master openvpn[63976]: Use --help for more information.
3月 19 16:50:35 master systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
3月 19 16:50:35 master systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
3月 19 16:50:35 master systemd[1]: Unit openvpn@server.service entered failed state.
3月 19 16:50:35 master systemd[1]: openvpn@server.service failed.
[root@master pki]# pwd
/etc/openvpn/easy-rsa/easyrsa3/pki
[root@master pki]# ls issued/
client1.crt server.crt
cp issued/server.crt /etc/openvpn
cd /etc/openvpn
cp dh.pem dh2048.pem
[root@master pki]# systemctl -f start openvpn@server.service
[root@master pki]#
Broadcast message from root@master (Fri 2021-03-19 17:02:13 CST):
Password entry required for 'Enter Private Key Password:' (PID 64678).
Please enter password with the systemd-tty-ask-password-agent tool!
[root@master pki]# systemctl -f status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: active (running) since 五 2021-03-19 17:02:13 CST; 12s ago
Main PID: 64677 (openvpn)
Status: "Pre-connection initialization successful"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
├─64677 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
└─64678 /usr/bin/systemd-ask-password --icon network-vpn Enter Private Key Password:
3月 19 17:02:13 master systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
3月 19 17:02:13 master openvpn[64677]: Fri Mar 19 17:02:13 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] b...on Dec 9 2020
3月 19 17:02:13 master openvpn[64677]: Fri Mar 19 17:02:13 2021 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
3月 19 17:02:13 master openvpn[64677]: Fri Mar 19 17:02:13 2021 Diffie-Hellman initialized with 2048 bit key
3月 19 17:02:13 master systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
openvpn ERROR: Failed retrieving username or password
[root@master openvpn]# egrep -v "^$|^#|^;" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt myvpn.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
--askpass [file]
Get certificate password from console or file before we daemonize.
For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to type the password. The --askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password you should omit the -nodes option when you use the openssl command line tool to manage certificates and private keys.
If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using an encrypted key.
Create the file /etc/openvpn/stdin.txt with the private key passphrase on its first line. Since it holds the passphrase in clear text, it should be owned by root with mode 600. Then reference it in server.conf:
vim server.conf
askpass "/etc/openvpn/stdin.txt"
egrep -v "^$|^#|^;" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
askpass "/etc/openvpn/stdin.txt"
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt myvpn.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Problem solved.
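Two of the problems hit in this post, the missing dh2048.pem and server.crt at start-up and the clear-text passphrase in the askpass file, can be caught before the service is started. The script below is an added example and is not part of the original post or of OpenVPN: it reads the file-referencing directives out of server.conf, resolves relative names against the working directory the systemd unit uses (--cd /etc/openvpn/), and checks that the key, the tls-crypt/tls-auth key and the askpass file are not readable by group or other. OpenVPN reads those files as root before "user nobody" takes effect, so root-owned mode 600 is sufficient. The function name openvpn_preflight and the temporary demo directory are this example's own; it assumes a POSIX sh with grep, ls, cut and mktemp.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for an OpenVPN
# server.conf. The unit starts openvpn with --cd /etc/openvpn/, so relative
# file names in the config resolve against that directory; the failures shown
# above ("--dh fails with 'dh2048.pem'", "--cert fails with 'server.crt'") are
# missing files of exactly this kind. The secret inputs (key, tls-auth/
# tls-crypt key, askpass file) are also checked for group/other permissions:
# openvpn reads them as root before dropping to "user nobody", so 0600 owned
# by root is sufficient and anything wider exposes the passphrase or key.

# openvpn_preflight <confdir> <conffile>
# Prints one line per problem found; returns 0 if clean, 1 otherwise.
openvpn_preflight() {
    dir=$1
    conf=$2
    if [ ! -r "$dir/$conf" ]; then
        echo "ERR: cannot read $dir/$conf"
        return 1
    fi
    # Directives whose first argument is a file. tls-auth carries a second
    # (direction) argument and askpass is quoted in the post; both are handled.
    problems=$(
        grep -E '^[[:space:]]*(ca|cert|key|dh|tls-auth|tls-crypt|askpass)[[:space:]]' "$dir/$conf" |
        while read -r directive path _rest; do
            path=${path#\"}; path=${path%\"}
            [ -z "$path" ] && continue           # bare "askpass" prompts on the console
            [ "$path" = none ] && continue       # "dh none" is a valid setting
            case $path in
                /*) full=$path ;;
                *)  full=$dir/$path ;;
            esac
            if [ ! -f "$full" ]; then
                echo "ERR: $directive -> $full does not exist"
                continue
            fi
            case $directive in
                key|tls-auth|tls-crypt|askpass)
                    # characters 5-10 of ls -l are the group and other permission bits
                    perms=$(ls -ld "$full" | cut -c5-10)
                    [ "$perms" = "------" ] ||
                        echo "ERR: $directive -> $full is readable by group/other ($perms)"
                    ;;
            esac
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Self-contained demonstration on a constructed directory that mirrors the
# post's layout: first with dh2048.pem absent, then with it present.
demo_dir=$(mktemp -d)
printf '%s\n' 'ca ca.crt' 'cert server.crt' 'key server.key # This file should be kept secret' \
    'dh dh2048.pem' "askpass \"$demo_dir/stdin.txt\"" 'tls-crypt myvpn.tlsauth' > "$demo_dir/server.conf"
for f in ca.crt server.crt server.key myvpn.tlsauth stdin.txt; do : > "$demo_dir/$f"; done
chmod 600 "$demo_dir/server.key" "$demo_dir/myvpn.tlsauth" "$demo_dir/stdin.txt"
echo "--- without dh2048.pem:"
openvpn_preflight "$demo_dir" server.conf || echo "(preflight failed as expected)"
: > "$demo_dir/dh2048.pem"
echo "--- with dh2048.pem:"
openvpn_preflight "$demo_dir" server.conf && echo "(preflight clean)"
rm -rf "$demo_dir"
```

On the real host the call is openvpn_preflight /etc/openvpn server.conf, run before systemctl start; a non-zero exit with the list of offending directives is cheaper to read than the journalctl output above.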
[root@master openvpn]# systemctl -f status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: active (running) since 五 2021-03-19 17:54:45 CST; 7min ago
Main PID: 67900 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─67900 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 Could not det...ET
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 Socket Buffer...2]
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 UDPv4 link lo...94
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 UDPv4 link re...C]
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 GID set to nobody
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 UID set to nobody
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 MULTI: multi_...56
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 IFCONFIG POOL...=0
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 IFCONFIG POOL LIST
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 Initializatio...ed
Hint: Some lines were ellipsized, use -l to show in full.