
OpenVPN deployment plan

Author: Linux丶晨星 | Published 2019-12-23 10:05

    I. Server configuration

    Environment

    Cloud server
    # Linux distribution version
    [root@openvpn-server openvpn]# cat /etc/redhat-release 
    CentOS Linux release 7.7.1908 (Core)
    # Internal (private) IP
    [root@openvpn-server openvpn]# ifconfig eth0|awk 'NR==2{print $2}'
    172.16.1.90
    # Public IP
    [root@openvpn-server openvpn]# curl ifconfig.me
    59.110.215.165
    # Configure the yum base repo and the EPEL repo
    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
    

    ① Generating certificates with easy-rsa 3

    # Kernel parameter: enable IP forwarding so the server can route client traffic
    echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf && sysctl -p
    
    # Install the required packages
    yum install -y gcc gcc-c++ easy-rsa openvpn openssl
    
    # Copy easy-rsa into the openvpn directory
    mkdir -p /etc/openvpn/easy-rsa
    \cp -a /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
    chown -R root:root /etc/openvpn/easy-rsa/
    cd /etc/openvpn/easy-rsa/
    
    [root@lcx01 easy-rsa]# ll ./
    total 76
    -rwxr-xr-x 1 root root 48730 Feb  2  2019 easyrsa
    -rw-r--r-- 1 root root  4651 Feb  2  2019 openssl-easyrsa.cnf
    drwx------ 4 root root  4096 Jan  2 18:24 pki
    drwxr-xr-x 2 root root  4096 Jan  2 18:14 x509-types
    
    # Copy vars.example into the easy-rsa directory as vars
    cp -a /usr/share/doc/easy-rsa-3.0.6/vars.example ./vars
    
    # Edit the following parameters
    egrep -v '^#|^$' vars 
    set_var EASYRSA_REQ_COUNTRY "CH"
    set_var EASYRSA_REQ_PROVINCE    "BJ"
    set_var EASYRSA_REQ_CITY    "BJ"
    set_var EASYRSA_REQ_ORG "ZXZN"
    set_var EASYRSA_REQ_EMAIL   "245684979@qq.com"
    set_var EASYRSA_REQ_OU      "ZXZN"
    set_var EASYRSA_KEY_SIZE    2048
    set_var EASYRSA_CA_EXPIRE      3650 # CA validity in days (10 years, the default)
    set_var EASYRSA_NS_SUPPORT  "yes"   # required if the client config uses ns-cert-type server
    

    1. Generate the server certificate

    Initialize the PKI directory

    Initialization creates a pki directory under the current directory; it holds the intermediate files and the certificates that are finally issued.

    [root@lcx01 easy-rsa]# ./easyrsa init-pki
    
    Note: using Easy-RSA configuration from: ./vars
    
    WARNING!!!
    
    You are about to remove the EASYRSA_PKI at: /etc/openvpn/easy-rsa/pki
    and initialize a fresh PKI here.
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm removal: yes  
    
    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
    

    Create the CA certificate

    Create the root certificate. You are first asked for a passphrase, which the CA uses whenever it later signs the server and client certificates, and then for the name fields (the Common Name prompt shown below).

    [root@lcx01 easy-rsa]# ./easyrsa build-ca
    
    Note: using Easy-RSA configuration from: ./vars
    
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    
    Enter New CA Key Passphrase: # enter the CA key passphrase
    Re-Enter New CA Key Passphrase: # enter it again
    Generating RSA private key, 2048 bit long modulus
    ...............+++
    .........+++
    e is 65537 (0x10001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:vpnserver # certificate name
    
    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /etc/openvpn/easy-rsa/pki/ca.crt
    

    Create the server certificate

    Create the server certificate request and its private key. The nopass argument leaves the key unencrypted, because a server normally has to start without anyone typing a passphrase.

    [root@lcx01 easy-rsa]# ./easyrsa gen-req vpnserver nopass
    Note: using Easy-RSA configuration from: ./vars
    
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating a 2048 bit RSA private key
    ...+++
    .....+++
    writing new private key to '/etc/openvpn/easy-rsa/pki/private/vpnserver.key.XaqajZ9e3R'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [vpnserver]:
    
    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/pki/reqs/vpnserver.req
    key: /etc/openvpn/easy-rsa/pki/private/vpnserver.key
    

    Sign the server certificate

    Sign the server certificate: first confirm the details shown (type yes), then enter the passphrase that was set during build-ca.

    [root@lcx01 easy-rsa]# ./easyrsa sign server vpnserver
    
    Note: using Easy-RSA configuration from: ./vars
    
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.
    
    Request subject, to be signed as a server certificate for 1080 days:
    
    subject=
        commonName                = vpnserver
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes  # type yes to confirm
    Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
    Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:     # enter the CA key passphrase
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'vpnserver'
    Certificate is to be certified until Dec 17 10:49:15 2022 GMT (1080 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Certificate created at: /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt
    

    Create the Diffie-Hellman parameters

    Generate the parameter file used by the Diffie-Hellman key exchange, which lets the two ends agree on a shared key safely across an untrusted network.

    This takes a while; be patient.

    [root@lcx01 easy-rsa]# ./easyrsa gen-dh
    
    Note: using Easy-RSA configuration from: ./vars
    
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    
    DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
    

    2. Create the client certificate

    Create a client directory under easy-rsa and copy the stock easy-rsa tree into it.

    mkdir /etc/openvpn/easy-rsa/client
    cd /etc/openvpn/easy-rsa/client
    cp -a /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/client/
    

    Initialize the PKI directory

    This creates a pki directory under the current directory for the intermediate files and the generated certificates.

    [root@lcx01 client]# ./easyrsa init-pki
    Note: using Easy-RSA configuration from: ./vars
    
    WARNING!!!
    
    You are about to remove the EASYRSA_PKI at: /etc/openvpn/easy-rsa/client/pki
    and initialize a fresh PKI here.
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm removal: yes
    
    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /etc/openvpn/easy-rsa/client/pki
    

    Create the client certificate

    Generate the client certificate request and private key; client01 here is the client's hostname.

    [root@lcx01 client]# ./easyrsa gen-req client01
    Note: using Easy-RSA configuration from: ./vars
    
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating a 2048 bit RSA private key
    ................................+++
    ....+++
    writing new private key to '/etc/openvpn/easy-rsa/client/pki/private/client01.key.D7Td4Lia5M'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [client01]:
    
    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/client/pki/reqs/client01.req
    key: /etc/openvpn/easy-rsa/client/pki/private/client01.key
    

    Import the client request

    Go back to the easy-rsa directory that issued the server certificate and import the client request there so it can be signed.

    [root@lcx01 client]# cd ..
    [root@lcx01 easy-rsa]# ./easyrsa import-req ./client/pki/reqs/client01.req client01
    Note: using Easy-RSA configuration from: ./vars
    
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    
    The request has been successfully imported with a short name of: client01
    You may now use this name to perform signing operations on this request.
    
    [root@lcx01 easy-rsa]# ll /etc/openvpn/easy-rsa/pki/reqs/
    total 8
    -rw------- 1 root root 891 Jan  2 19:16 client01.req
    -rw------- 1 root root 891 Jan  2 18:46 vpnserver.req
    

    Sign the client certificate

    Sign the client certificate: first confirm the details shown (type yes), then enter the passphrase that was set during build-ca.

    [root@lcx01 easy-rsa]# ./easyrsa sign client client01
    Note: using Easy-RSA configuration from: ./vars
    
    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    
    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.
    
    Request subject, to be signed as a client certificate for 1080 days:
    
    subject=
        commonName                = client01
    
    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes  # type yes to confirm
    Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
    Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:     # enter the CA key passphrase
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'client01'
    Certificate is to be certified until Dec 17 11:17:42 2022 GMT (1080 days)
    
    Write out database with 1 new entries
    Data Base Updated
    
    Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client01.crt
    

    Note: the Common Names of the CA, the server and the clients should not be identical, otherwise OpenVPN connections will have problems.

    3. Which files the server and the client need

    # The OpenVPN server needs:
    /etc/openvpn/easy-rsa/pki/ca.crt                         <CA certificate>
    /etc/openvpn/easy-rsa/pki/private/vpnserver.key          <server private key>
    /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt           <server certificate>
    /etc/openvpn/easy-rsa/pki/dh.pem                         <Diffie-Hellman parameters>
    
    # The OpenVPN client needs:
    /etc/openvpn/easy-rsa/pki/ca.crt                         <CA certificate>
    /etc/openvpn/easy-rsa/pki/issued/client01.crt            <client01 certificate>
    /etc/openvpn/easy-rsa/client/pki/private/client01.key    <client01 private key>
    

    4. Collect the certificate files

    # Server side
    mk
dir /etc/openvpn/keys
    cp -a /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/keys
    cp -a /etc/openvpn/easy-rsa/pki/private/ca.key /etc/openvpn/keys
    cp -a /etc/openvpn/easy-rsa/pki/private/vpnserver.key /etc/openvpn/keys
    cp -a /etc/openvpn/easy-rsa/pki/issued/vpnserver.crt /etc/openvpn/keys
    cp -a /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/keys
    
    [root@lcx01 openvpn]# ll keys/
    total 20
    -rw------- 1 root root 1164 Jan  2 18:40 ca.crt
    -rw------- 1 root root 1675 Jan  2 18:39 ca.key
    -rw------- 1 root root  424 Jan  2 18:52 dh.pem
    -rw------- 1 root root 4802 Jan  2 18:49 vpnserver.crt
    -rw------- 1 root root 1704 Jan  2 18:46 vpnserver.key
    
    
    # Client side: only the files listed in step 3. The CA private key ca.key is never copied to a client; it stays with the CA.
    mkdir /root/client01
    cp -a /etc/openvpn/easy-rsa/pki/ca.crt /root/client01/
    cp -a /etc/openvpn/easy-rsa/pki/issued/client01.crt /root/client01/
    cp -a /etc/openvpn/easy-rsa/client/pki/private/client01.key /root/client01/
    cp -a /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/client.conf /root/client01/client01.ovpn
    
    [root@lcx01 openvpn]# ll /root/client01/
    total 20
    -rw------- 1 root root 1164 Jan  2 18:40 ca.crt
    -rw------- 1 root root 4679 Jan  2 19:17 client01.crt
    -rw------- 1 root root 1704 Jan  2 19:04 client01.key
    -rw-r--r-- 1 root root 3585 Oct 30 20:37 client01.ovpn
    

    5. Create a second client certificate

    cd /etc/openvpn/easy-rsa/client/
    # init-pki wipes client/pki, including client01.key; it was already copied to /root/client01 in step 4, so nothing is lost, but the step is not needed a second time
    ./easyrsa init-pki
    ./easyrsa gen-req client02
    cd ..
    ./easyrsa import-req ./client/pki/reqs/client02.req client02
    ./easyrsa sign client client02
    mkdir /root/client02
    cp -a /etc/openvpn/easy-rsa/pki/ca.crt /root/client02/
    # as in step 4, ca.key is not copied: clients never need the CA private key
    cp -a /etc/openvpn/easy-rsa/pki/issued/client02.crt /root/client02/
    cp -a /etc/openvpn/easy-rsa/client/pki/private/client02.key /root/client02/
    cp -a /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/client.conf /root/client02/client02.conf
    
    [root@openvpn-server easy-rsa]# ll /root/client02/
    total 24
    -rw------- 1 root root 1151 Jan  3 14:18 ca.crt
    -rw------- 1 root root 1675 Jan  3 14:17 ca.key
    -rw-r--r-- 1 root root 3585 Oct 30 20:37 client02.conf
    -rw------- 1 root root 4665 Jan  3 14:51 client02.crt
    -rw------- 1 root root 1704 Jan  3 14:50 client02.key
    

    6. Edit the server configuration file

    # Copy the sample server config and strip comments and blank lines
    cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/server.conf.bak
    cd /etc/openvpn/
    egrep -v '^;|^$|^#' server.conf.bak >server.conf
    
    
    # Directory and files for fixed client IPs
    # The ccd directory pins each client to a fixed IP; every file in it must be named after the client's certificate name
    # In OpenVPN's default net30 topology each client gets a 255.255.255.252 subnet, and a /30 has only two usable IPs (2^2-2=2),
    # so each entry gives two IPs: one for the client and one for the server end of the link
    #ifconfig-push 10.8.0.1 10.8.0.2
    #ifconfig-push 10.8.0.5 10.8.0.6
    #ifconfig-push 10.8.0.9 10.8.0.10
    #ifconfig-push 10.8.0.13 10.8.0.14
    #ifconfig-push 10.8.0.17 10.8.0.18
    #...
    #ifconfig-push 10.8.0.249 10.8.0.250
    http://www.wendangku.net/doc/749ab13c580216fc700afd27.html
    
    mkdir ./ccd 
    vim ./ccd/client01
    ifconfig-push 10.8.0.5 10.8.0.6
    vim ./ccd/client02
    ifconfig-push 10.8.0.9 10.8.0.10
    

    ☆ Server configuration file in full

    [root@lcx01 openvpn]# cat server.conf
    # Listening port
    port 1194   
    # Transport protocol
    proto udp   
    # Routed tunnel mode
    dev tun     
    # Path to the CA certificate; the server and the clients use the same CA certificate
    ca     keys/ca.crt  
    # Path to the server certificate; the server and each client point at their own certificate and key
    cert   keys/vpnserver.crt   
    # Path to the server key; relative to the directory of the config file, or absolute
    key    keys/vpnserver.key  
    # Diffie-Hellman parameter file
    dh     keys/dh.pem      
    # Address pool handed out to clients; it must not overlap the VPN server's internal network
    server 10.8.0.0 255.255.255.0   
    # Client-to-virtual-IP table, so a reconnecting client gets its previous IP again
    ifconfig-pool-persist ipp.txt   
    # Push routes to clients so they can reach the private subnets behind the server
    push "route 192.168.1.0 255.255.255.0"
    push "route 10.0.0.0 255.255.255.0"
    push "route 172.16.1.0 255.255.255.0"
    # Allow clients to reach each other: the VPN runs on the cloud server and both the office and the remote sites are clients
    client-to-client
    # Fixed client IPs; the files in ccd are named after the client certificate name
    client-config-dir ccd
    # Keepalive: ping every 10 s; treat the peer as gone after 120 s without a reply
    keepalive 10 120
    # Enable compression on the VPN link; server and clients must use the same setting
    comp-lzo
    # Maximum number of concurrent clients
    max-clients 100
    # Cipher
    cipher AES-256-CBC
    # Drop the openvpn daemon's privileges
    user nobody
    group nobody
    # Keep state across restarts
    persist-key
    persist-tun
    # Short status log, rewritten every minute, listing the current clients
    status openvpn-status.log
    # Log verbosity; higher is more detailed (0: errors only; 4: normal; 5/6: helpful when debugging connection problems; 9: everything, including packet headers)
    verb 3
    # Log file; overwritten when openvpn restarts
    log /var/log/openvpn.log
    # Stop logging a message after 20 consecutive identical copies
    mute 20 
    # Let clients reconnect automatically after the server restarts
    explicit-exit-notify 1
    

    Start the server

    systemctl restart openvpn@server.service
    systemctl enable openvpn@server.service
    systemctl status openvpn@server.service
    netstat -lntup|grep 1194
    ip a |grep tun0
    

    7. Edit the Windows client configuration file

    cd /root/client01
    
    # Windows uses .ovpn; Linux uses .conf
    cat ./client01.ovpn   
    ns-cert-type server
    client  # act as a client
    dev tun
    proto udp
    remote 59.110.215.165 1194  # server (hostname or IP) and port; several remote lines may be given for several VPN servers
    resolv-retry infinite       # keep retrying name resolution; suits unstable networks
    nobind          # the client need not bind a specific local port
    persist-key
    persist-tun
    remote-cert-tls server
    cipher AES-256-CBC
    ca ca.crt
    cert client01.crt
    key client01.key
    comp-lzo
    verb 3
    
    cd ~/
    

    8. Download the client bundle and connect

    Installing the Windows client is covered further below.

    yum install -y zip lrzsz
    zip -r client01.zip client01/*
    sz client01.zip
    

    Extract it into the config directory of the Windows OpenVPN client.
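As an added example (not code from the original post), this POSIX shell script turns the client directory assembled in step 4 (client01.ovpn, ca.crt, client01.crt, client01.key) into a single .ovpn with the certificates inline, instead of shipping the directory as a zip; it refuses to bundle a directory that still contains ca.key. Function names are my own, and the demo directory it builds holds constructed placeholder PEM text, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: build a single inline .ovpn from
# the client directory of step 4 instead of zipping the directory.
# Assumptions: the base config is NAME.ovpn and references its files with plain
# "ca", "cert" and "key" lines, as the client config above does.

# ovpn_bundle DIR NAME OUT -> writes OUT; returns 1 on a missing file or a stray ca.key
ovpn_bundle() {
    dir=$1
    name=$2
    out=$3
    # The CA private key is only used for signing and must never leave the CA host,
    # so a directory that carries one is refused rather than silently skipped.
    if [ -e "$dir/ca.key" ]; then
        echo "ovpn_bundle: $dir contains ca.key (CA private key); remove it first" >&2
        return 1
    fi
    for f in "$name.ovpn" ca.crt "$name.crt" "$name.key"; do
        [ -f "$dir/$f" ] || { echo "ovpn_bundle: missing $dir/$f" >&2; return 1; }
    done
    {
        # copy every directive except the three file references
        grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$dir/$name.ovpn" || true
        # awk 1 terminates every line, so a PEM file without a final newline
        # cannot glue itself onto the closing tag
        printf '<ca>\n';   awk 1 "$dir/ca.crt";     printf '</ca>\n'
        printf '<cert>\n'; awk 1 "$dir/$name.crt"; printf '</cert>\n'
        printf '<key>\n';  awk 1 "$dir/$name.key"; printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the bundle now holds the client's private key
}

# ovpn_bundle_check FILE -> 0 if FILE carries the three inline blocks and no file references
ovpn_bundle_check() {
    f=$1
    for tag in ca cert key; do
        grep -q "^<$tag>\$" "$f" || return 1
        grep -q "^</$tag>\$" "$f" || return 1
    done
    ! grep -Eq '^[[:space:]]*(ca|cert|key)[[:space:]]' "$f"
}

# Demo on a constructed client directory with placeholder PEM text (not real
# keys); prints the path of the bundle it produced.
ovpn_bundle_demo() {
    d=$(mktemp -d)
    mkdir "$d/client01"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 59.110.215.165 1194' \
        'ca ca.crt' 'cert client01.crt' 'key client01.key' 'remote-cert-tls server' \
        'cipher AES-256-CBC' 'verb 3' > "$d/client01/client01.ovpn"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' '-----END CERTIFICATE-----' \
        > "$d/client01/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' '-----END CERTIFICATE-----' \
        > "$d/client01/client01.crt"
    # deliberately no trailing newline, to exercise the awk handling above
    printf '%s\n%s\n%s' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' \
        > "$d/client01/client01.key"
    ovpn_bundle "$d/client01" client01 "$d/client01-inline.ovpn" && echo "$d/client01-inline.ovpn"
}
```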

    9. Removing an expired certificate

    # Remove the old request and key (the server's own certificate is used as the example)
    rm -f /etc/openvpn/easy-rsa/pki/reqs/vpnserver.req
    rm -f /etc/openvpn/easy-rsa/pki/private/vpnserver.key
    
    # Revoke the certificate by its issued name and regenerate the CRL (pki/crl.pem)
    cd /etc/openvpn/easy-rsa/
    ./easyrsa revoke vpnserver
    ./easyrsa gen-crl
    # The server only rejects revoked certificates if server.conf has a crl-verify line pointing at that CRL
    
    # Restart openvpn
    systemctl restart openvpn@server.service
    

    10. Using a one-click install script

    Copy the script out and read it through before running it. Its steps are broadly the same as this document's, but when it generates the server config it does not set up fixed client IPs (add that if needed) and it does not push routes to clients; it does configure DNS and some firewall rules. Client files are named xxx.ovpn; rename them to xxx.conf when they go to a Linux client.

    Depending on your production needs you still have to add some things by hand. My own deployment above worked, but it is tedious and switches between many directories, which gets messy, so I recommend the open-source one-click script. The easy-rsa version it uses is also the latest, 3.0.5. Many blogs online are based on easy-rsa 2.x, which is said to have security vulnerabilities, so it is worth learning the easy-rsa 3 certificate commands.

    Download the open-source OpenVPN install project from GitHub

    # Fetch the archive onto the server and extract it
    wget https://github.com/Nyr/openvpn-install/archive/master.zip
    unzip master.zip
    ls openvpn-install-master
    LICENSE.txt  openvpn-install.sh  README.md

    Run the script and press Enter through the prompts

    # You are asked for the server's public IP
    # If the cloud server is to use another port, remember to open it in the security group too
    [root@openvpn openvpn-install-master]# bash openvpn-install.sh 
    Welcome to this OpenVPN road warrior installer!
    
    I need to ask you a few questions before starting setup.
    You can use the default options and just press enter if you are ok with them.
    
    What IPv4 address should the OpenVPN server bind to?
         1) 172.17.43.166
    IPv4 address [1]: 59.110.215.165
    59.110.215.165: invalid selection.
    IPv4 address [1]: 
    
    This server is behind NAT. What is the public IPv4 address or hostname?
    Public IPv4 address / hostname [114.249.225.46]: 59.110.215.165
    
    Which protocol do you want for OpenVPN connections?
       1) UDP (recommended)
       2) TCP
    Protocol [1]: 1
    
    What port do you want OpenVPN listening to?
    Port [1194]: 
    
    Which DNS do you want to use with the VPN?
       1) Current system resolvers
       2) 1.1.1.1
       3) Google
       4) OpenDNS
       5) Verisign
    DNS [1]: 1
    
    Finally, tell me a name for the client certificate.
    Client name [client]: client <client certificate name; better not to keep the default>
    
    Okay, that was all I needed. We are ready to set up your OpenVPN server now.
    Press any key to continue... [Enter]
    ...
    .....
    Finished!
    
    Your client configuration is available at: /root/client.ovpn
    If you want to add more clients, just run this script again!    
    

    When it finishes, the client configuration has been written to /root/client.ovpn

    # Download it to the client machine
    sz /root/client.ovpn
    

    Put the downloaded file in the config directory of the Windows OpenVPN client; only then can the OpenVPN software use it.

    Edit the server configuration file

    Add the settings you need, such as fixed IPs and logging.

    [root@m01 ~]# vim /etc/openvpn/server/server.conf
    local 59.110.215.165 # listen address; 0.0.0.0 or the internal IP also work. Behind NAT (as the installer output above shows) the public address is not on any local interface and cannot be bound, so use one of those instead
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem
    auth SHA512
    tls-crypt tc.key
    topology subnet
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"  # subnets or hosts that should be reachable through the VPN
    push "route 10.0.0.0 255.255.255.0"
    keepalive 10 120
    cipher AES-256-CBC
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    crl-verify crl.pem
    explicit-exit-notify
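
As an added example (not from the original post), this POSIX shell script checks a server.conf for the directives that the configuration just above carries but the first one in step 6 lacks, and reports what is missing; the two configurations are reconstructed inline as constructed inputs in ovpn_lint_demo, and the function names are my own. It checks only directives that appear on this page.

```shell
#!/bin/sh
# Added example, not from the original post: report directives missing from a
# server.conf, limited to the ones this page's two server configs differ on.

# conf_has FILE DIRECTIVE -> 0 if DIRECTIVE starts an active (uncommented) line
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# ovpn_server_lint FILE -> prints one line per finding; returns the number of findings
ovpn_server_lint() {
    f=$1
    n=0
    conf_has "$f" crl-verify || {
        echo "crl-verify missing: certificates revoked with 'easyrsa revoke' (step 9) are still accepted"
        n=$((n + 1)); }
    conf_has "$f" tls-crypt || conf_has "$f" tls-auth || {
        echo "tls-crypt/tls-auth missing: the control channel lacks the extra pre-shared key"
        n=$((n + 1)); }
    conf_has "$f" auth || {
        echo "auth missing: HMAC digest left at its default (the second config sets auth SHA512)"
        n=$((n + 1)); }
    conf_has "$f" user && conf_has "$f" group || {
        echo "user/group missing: the daemon keeps root privileges after start-up"
        n=$((n + 1)); }
    conf_has "$f" persist-key && conf_has "$f" persist-tun || {
        echo "persist-key/persist-tun missing: needed once privileges are dropped, or restarts fail"
        n=$((n + 1)); }
    return $n
}

# Demo: constructed copies of the two server configs on this page (paths shortened);
# prints the directory holding first.conf (step 6) and second.conf (installer version).
ovpn_lint_demo() {
    d=$(mktemp -d)
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca keys/ca.crt' 'cert keys/vpnserver.crt' \
        'key keys/vpnserver.key' 'dh keys/dh.pem' 'server 10.8.0.0 255.255.255.0' \
        'client-to-client' 'client-config-dir ccd' 'keepalive 10 120' 'comp-lzo' \
        'cipher AES-256-CBC' 'user nobody' 'group nobody' 'persist-key' 'persist-tun' \
        'status openvpn-status.log' 'verb 3' 'explicit-exit-notify 1' > "$d/first.conf"
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca ca.crt' 'cert server.crt' \
        'key server.key' 'dh dh.pem' 'auth SHA512' 'tls-crypt tc.key' 'topology subnet' \
        'server 10.8.0.0 255.255.255.0' 'keepalive 10 120' 'cipher AES-256-CBC' \
        'user nobody' 'group nobody' 'persist-key' 'persist-tun' 'verb 3' \
        'crl-verify crl.pem' 'explicit-exit-notify' > "$d/second.conf"
    echo "$d"
}
```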
    

    Restart the OpenVPN service

    systemctl restart openvpn-server@server.service 
    systemctl enable openvpn-server@server.service
    

    ② Generating certificates with easy-rsa 2

    This method works, but generating certificates with easy-rsa 3 is recommended; keep up with the times.

    https://blog.51cto.com/ljohn/1961347

    yum install -y gcc gcc-c++ openvpn
    wget https://github.com/openvpn/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
    tar xf EasyRSA-2.2.2.tgz -C /root/
    mv /root/EasyRSA-2.2.2 /root/easyrsa
    echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf && sysctl -p
    
    cd /root/easyrsa/
    cp -a ./vars{,.bak}
    
    # Append to the stock vars rather than overwriting it: clean-all and the build-* scripts
    # need the EASY_RSA/KEY_DIR settings it contains; the values below override its defaults
    cat >> vars <<EOF
    export KEY_SIZE=2048
    export KEY_COUNTRY="CN" 
    export KEY_PROVINCE="BJ"
    export KEY_CITY="BJ"
    export KEY_ORG="zxzn"
    export KEY_EMAIL="245684979@qq.com"
    export KEY_OU="zxzn"
    export KEY_NAME="zxzn"
    EOF
    
    chmod +x vars
    source vars
    
    ./clean-all
    ./build-ca zxznvpn
    ./build-key-server vpnserver
    ./build-key vpnclient_01
    ./build-dh
    openvpn --genkey --secret keys/ta.key
    
    #./build-key-pass vpnzxzn    # certificate whose private key needs a passphrase to log in
    
    
    #./keys/***client_01.crt
    #./keys/***client_01.key
    
    
    cp /usr/share/doc/openvpn-2.4.8/sample/sample-config-files/server.conf /etc/openvpn/server.conf.bak
    cd /etc/openvpn/
    egrep -v '^;|^$|^#' server.conf.bak >server.conf
    mkdir ./{keys,ccd}
    \cp -a /root/easyrsa/keys/{vpnserver.crt,vpnserver.key,ca.crt,dh2048.pem,ta.key} keys/
    
    vim server.conf
    port 1194
    proto udp
    dev tun
    ca  keys/ca.crt
    cert    keys/vpnserver.crt
    key     keys/vpnserver.key  # This file should be kept secret
    dh  keys/dh2048.pem         # easy-rsa 2 build-dh names the file after the key size
    # ta.key was generated and copied above but is only used if "tls-auth keys/ta.key 0" is added here (and "tls-auth ta.key 1" on every client)
    server  10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"
    push "route 10.0.0.0 255.255.255.0"
    push "route 172.16.1.0 255.255.255.0"
    keepalive 10 120
    client-to-client
    client-config-dir ccd
    cipher AES-256-CBC
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    log /var/log/openvpn.log
    explicit-exit-notify 1
    
    # the ccd file is named after the client certificate built above
    vim ./ccd/vpnclient_01
    ifconfig-push 10.8.0.5 10.8.0.6
    
    systemctl restart openvpn@server
    systemctl enable openvpn@server
    systemctl status openvpn@server
    netstat -lntup|grep 1194
    ip a |grep tun0
    

    II. Windows client configuration

    Download the Windows client

    Run it

    Extract the archive downloaded with sz into the config directory

    Open the port in the server's security group

    You can run a quick test from the server to see whether the internal IP is reachable directly

    yum install nginx -y 
    systemctl restart nginx.service
    

    III. Linux client configuration

    The Linux client is installed the same way as the server, and its configuration is the same as on Windows; only the file extension differs: .ovpn on Windows, .conf on Linux.

    Build openvpn and resolve its dependencies

    1. Synchronize the clock

    # The server is an Alibaba Cloud instance, so the client's clock must match it; if the clocks drift apart the client cannot connect
    [root@openvpn01 lzo-2.10]# crontab -e
    # sync the clock from Alibaba's NTP server every 5 minutes
    */5 * * * *  /sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1
    

    2. Install the lzo library

    cd /server/tools
    wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
    tar xf lzo-2.10.tar.gz -C /usr/src/
    cd /usr/src/lzo-2.10/
    ./configure --enable-shared
    make && make install
    

    3. Build and install openvpn

    cd /server/tools/
    wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.8.tar.xz
    yum install openssl-devel pam-devel -y
    tar xf openvpn-2.4.8.tar.xz && cd openvpn-2.4.8/
    ./configure --prefix=/usr/local/openvpn
    make && make install
    ln -s  /usr/local/openvpn/sbin/openvpn /usr/bin/openvpn
    

    4. Fetch the certificate bundle from the server

    mkdir /usr/local/openvpn/etc && cd /usr/local/openvpn/etc/
    rsync -avz root@59.110.215.165:/root/client02.zip ./
    unzip client02.zip
    
    # Rename the client02.ovpn generated earlier to .conf
    mv ./client02/client02.ovpn ./client02/client02.conf
    
    # the ca/cert/key paths must point at the files unpacked into this client02 directory
    cat /usr/local/openvpn/etc/client02/client02.conf
    ns-cert-type server                                            
    client  # act as a client
    dev tun
    proto udp
    remote 59.110.215.165 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca      /usr/local/openvpn/etc/client02/ca.crt
    cert    /usr/local/openvpn/etc/client02/client02.crt
    key     /usr/local/openvpn/etc/client02/client02.key
    remote-cert-tls server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    

    5. Start the openvpn client

    # "Initialization Sequence Completed" in the output means the connection is up
    openvpn --config /usr/local/openvpn/etc/client02/client02.conf
    # Add --daemon to run in the background
    openvpn --daemon --config /usr/local/openvpn/etc/client02/client02.conf
    
    # Start at boot if the production setup needs it
    echo '/usr/bin/openvpn --daemon --config /usr/local/openvpn/etc/client02/client02.conf' >> /etc/rc.d/rc.local
    chmod +x /etc/rc.d/rc.local
    
    ip a|grep tun0
    
    # Note: if the private key was created without the nopass argument it is passphrase-protected, and running in the background here hangs waiting for the passphrase. So if Linux clients must connect in production, be sure to pass nopass when creating the server certificate (the key this client loads is its own client key, so the same applies to the client's gen-req)
    

    ifconfig now shows an extra interface, tun0

    tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.8.0.9  netmask 255.255.255.0  destination 10.8.0.3
            inet6 fe80::7077:955a:31de:c4b3  prefixlen 64  scopeid 0x20<link>
            unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 3  bytes 144 (144.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    Repeat the same steps on the server to generate new client certificates and distribute them to the other Linux clients.

    This screenshot is from an earlier test; its IPs differ from those in this document and only illustrate the idea.

    IV. Notes and summary

    * Every branch LAN across the country must have outbound Internet access in order to reach the cloud server
    * The VPN runs on the cloud server; the office and the remote sites are all VPN clients, so they end up on one virtual LAN
    * Clients can then reach each other over their internal addresses; just enable client-to-client
    * Make the clients connect to the cloud server automatically at boot
    * Installing the client on Windows and on Linux
    * All remote clients connect to the server and effectively share one LAN, reaching each other by internal address
    * The OpenVPN server can also be set up with the open-source one-click script; it too generates the certificates with easy-rsa, and creating client certificates with it is very convenient.
    

    Assigning fixed virtual IPs to clients on the server

    After a client obtains its VPN address the local connection may drop and come back, and since client addresses are handed out dynamically (DHCP-style) the other side cannot know which internal IP to reach, so the connection fails; hence clients need fixed IPs. This is only a record; the actual settings are already in the configuration above.

    mkdir -p /etc/openvpn/ccd
    cd /etc/openvpn/ccd/
    
    # the files in ccd are named after the client certificate name
    vim vpnclient_01
    ifconfig-push 10.8.0.5 10.8.0.6
    
    echo 'client-config-dir /etc/openvpn/ccd' >>/etc/openvpn/server.conf
    
    systemctl restart openvpn@server.service
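
As an added example (not code from the original post), this POSIX shell script allocates the /30 pairs described in step 6 and in the fixed-IP section above, writes the ccd files, and validates an existing ccd directory. It assumes the pool 10.8.0.0/24 in the default net30 topology (the first three octets are passed as PREFIX) and that every ccd file is named exactly after the client certificate's Common Name; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: allocate fixed /30 pairs for
# client-config-dir (ccd) files and validate an existing ccd directory.
#
# With OpenVPN's default "topology net30" every client gets a /30
# (255.255.255.252), so the usable pairs inside PREFIX.0/24 are
# (4n+1, 4n+2): [1,2] [5,6] [9,10] ... [253,254]. Block 0 (.1/.2) is the
# server's own tun endpoint under "server 10.8.0.0 255.255.255.0", so
# client blocks start at 1.

# ccd_pair PREFIX N -> "client_ip server_ip" for /30 block N (1..63)
ccd_pair() {
    prefix=$1
    n=$2
    case $n in
        ''|*[!0-9]*) echo "ccd_pair: block index '$n' is not a number" >&2; return 1 ;;
    esac
    if [ "$n" -lt 1 ] || [ "$n" -gt 63 ]; then
        echo "ccd_pair: block $n is outside 1..63 (block 0 belongs to the server)" >&2
        return 1
    fi
    echo "$prefix.$((4 * n + 1)) $prefix.$((4 * n + 2))"
}

# ccd_write DIR PREFIX NAME N -> writes DIR/NAME containing the ifconfig-push line
ccd_write() {
    dir=$1
    prefix=$2
    name=$3
    n=$4
    # The file name must equal the certificate CN, so it must be a plain token;
    # this also keeps a hostile name from escaping DIR.
    case $name in
        ''|.|..|*[!A-Za-z0-9_.-]*) echo "ccd_write: bad client name '$name'" >&2; return 1 ;;
    esac
    pair=$(ccd_pair "$prefix" "$n") || return 1
    mkdir -p "$dir"
    printf 'ifconfig-push %s\n' "$pair" > "$dir/$name"
    # openvpn reads ccd files after dropping to "user nobody", so keep them readable
    chmod 644 "$dir/$name"
}

# ccd_check DIR PREFIX -> 0 if every file holds one valid, unused net30 client pair; 1 otherwise
ccd_check() {
    dir=$1
    prefix=$2
    rc=0
    used=" "
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(grep '^ifconfig-push ' "$f") || { echo "$f: no ifconfig-push line" >&2; rc=1; continue; }
        set -- $line
        c=${2##*.}
        s=${3##*.}
        case "$c$s" in ''|*[!0-9]*) echo "$f: malformed pair" >&2; rc=1; continue ;; esac
        if [ $# -ne 3 ] || [ "${2%.*}" != "$prefix" ] || [ "${3%.*}" != "$prefix" ] \
           || [ "$c" -lt 5 ] || [ $((c % 4)) -ne 1 ] || [ "$s" -ne $((c + 1)) ]; then
            echo "$f: '$2 $3' is not a usable net30 client pair in $prefix.0/24 (pairs are (4n+1,4n+2), n>=1)" >&2
            rc=1
            continue
        fi
        case $used in
            *" $c "*) echo "$f: block $prefix.$c is already assigned to another client" >&2; rc=1 ;;
        esac
        used="$used$c "
    done
    return $rc
}
```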
    

    Details of the directives used in the server configuration file (from the comments in the sample server.conf)

    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have *** access,
    # use the subdirectory "ccd" for client-specific
    # configuration files (see man page for more info).
    
    
    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as 192.168.40.128/255.255.255.248.
    # First, uncomment out these lines:
    ;client-config-dir ccd
    ;route 192.168.40.128 255.255.255.248
    # Then create a file ccd/Thelonious with this line:
    #   iroute 192.168.40.128 255.255.255.248
    # This will allow Thelonious' private subnet to
    # access the ***.  This example will only work
    # if you are routing, not bridging, i.e. you are
    # using "dev tun" and "server" directives.
    
    
    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed *** IP address of 10.9.0.1.
    # First uncomment out these lines:
    ;client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252
    # Then add this line to ccd/Thelonious:
    #   ifconfig-push 10.9.0.1 10.9.0.2
    

    V. Server configuration parameters

    duplicate-cn
    With --duplicate-cn, two connections with the same Common Name are allowed, so one certificate can be used by several connections/users.
    Without --duplicate-cn, every VPN certificate must have its own CN, so each connection/user has a unique certificate.
    If the client certificates share a Common Name, or, put differently, all clients connect with the same CA and keys, this option must be enabled, otherwise only one of them can be connected at a time.
    

    VI. DNS and dnsmasq configuration

    dnsmasq is a small, easy-to-configure DNS and DHCP server for small networks; it provides DNS resolution and, optionally, DHCP.

    # Install with yum
    yum -y install dnsmasq
    cp /etc/dnsmasq.conf /etc/dnsmasq.conf.backup
    
    vim /etc/dnsmasq.conf
    # resolv-file: where dnsmasq reads the upstream DNS servers from; default /etc/resolv.conf
    resolv-file=/etc/resolv.dnsmasq.conf
    # Query the servers in resolv-file strictly in order, top to bottom, until one answers
    strict-order
    # Addresses dnsmasq listens on; by default only the local host (127.0.0.1) on all interfaces. To let other machines on the LAN resolve through dnsmasq, add this host's IP (10.240.0.1)
    listen-address=10.240.0.1
    listen-address=127.0.0.1
    # Upstream DNS server to forward queries to
    server=223.5.5.5
    # bogus-nxdomain is set here against DNS pollution; on an Alibaba Cloud server this must be enabled
    bogus-nxdomain=223.5.5.5
    # Bind only to the listed addresses/interfaces so dnsmasq leaves the other interfaces alone; usually combined with interface=
    bind-interfaces
    # Log DNS queries
    log-queries
    # Extra hosts file(s) to read; may be given more than once; a directory means every file in it
    addn-hosts=/etc/dnsmasq.hosts
    # Important: the DHCP range, i.e. how many addresses the DHCP server hands out and from where to where; the default is a class C subnet, so the mask may be omitted; the last field is the lease time, after which the address is reclaimed
    dhcp-range=10.255.31.224,10.255.31.255,255.255.224.0,168h
    # dhcp-option 3: note that in DHCP option 3 is the router (default gateway); DNS servers are handed out with option 6
    dhcp-option=3,10.240.0.1,221.12.33.227,8.8.8.8
    
    ------------------------------------
    systemctl restart dnsmasq.service 
    systemctl enable dnsmasq.service 
    
    # Condensed set of the settings above, bound to the VPN interface tun0
    strict-order
    listen-address=10.240.0.1
    interface=tun0
    server=223.5.5.5
    bind-interfaces
    dhcp-range=10.255.31.224,10.255.31.255,255.255.224.0,168h
    dhcp-option=3,10.240.0.1
    

    VII. Deploying OpenVPN with Docker

    1. Set up Docker on the OpenVPN server

    # Add the Docker repo and install
    curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
    sed -i 's#download.docker.com#mirrors.tuna.tsinghua.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
    yum install docker-ce -y
    
    # Start docker and check the version
    systemctl restart docker
    systemctl enable docker
    docker version
    
    # Configure a registry mirror
    [root@openvpn docker]# cat  /etc/docker/daemon.json
    {
      "registry-mirrors": ["https://registry.docker-cn.com"]
    } 
    
    # Search for the OpenVPN image and pull it
    docker search openvpn
    docker pull kylemanna/openvpn:2.4
    
    # Export the image (optional, for reuse elsewhere)
    docker image ls
    docker image save -o docker_openvpn2.4.tar.gz kylemanna/openvpn:2.4
    
    # Create the data directory
    mkdir -p /root/docker/ovpn-data
    
    # Generate the server config; 118.89.231.144 is this server's public IP
    docker run -v /root/docker/ovpn-data:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://118.89.231.144 
    
    # Generate the PKI (CA, server certificate and keys)
    docker run -v /root/docker/ovpn-data:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki
    Enter the private key passphrase (nothing is echoed):
    Enter PEM pass phrase:123456
    Enter it again: 123456
    Verifying - Enter PEM pass phrase:
    Enter the CA name (I just pressed Enter here)
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
    Enter the passphrase just set (you will be asked once more afterwards)
    Enter pass phrase for /etc/openvpn/pki/private/ca.key:123456
    
    # Create a client; openvpn_test is the client name
    docker run -v /root/docker/ovpn-data:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full openvpn_test nopass
    Enter the passphrase set above:
    Enter pass phrase for /etc/openvpn/pki/private/ca.key:
    
    # Generate the client config and export it
    mkdir -p /root/docker/ovpn-data/conf
    docker run -v /root/docker/ovpn-data:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient openvpn_test > /root/docker/ovpn-data/conf/openvpn_test.ovpn
    
    # Start the OpenVPN server; host port 1196 is the external port mapped to the docker VPN, so open it in the cloud security group
    docker run --name openvpn -v /root/docker/ovpn-data:/etc/openvpn -d -p 1196:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn:2.4
    
    # Check that the container started
    docker ps -a
    netstat -lntup|grep 1196
    
    # Download the client config; the config the docker image generates already embeds the certificates and keys inline, so no separate files are needed
    yum install lrzsz -y
    sz /root/docker/ovpn-data/conf/openvpn_test.ovpn
    

    2. Adjust the generated server configuration

    [root@openvpn ~]# cat /root/docker/ovpn-data/openvpn.conf
    server 192.168.255.0 255.255.255.0
    verb 3
    key /etc/openvpn/pki/private/118.89.231.144.key
    ca /etc/openvpn/pki/ca.crt
    cert /etc/openvpn/pki/issued/118.89.231.144.crt
    dh /etc/openvpn/pki/dh.pem
    tls-auth /etc/openvpn/pki/ta.key
    key-direction 0
    keepalive 10 60
    persist-key
    persist-tun
    
    proto udp
    # Rely on Docker to do port mapping, internally always 1194
    port 1194
    dev tun0
    status /tmp/openvpn-status.log
    
    user nobody
    group nogroup
    
    ### Route Configurations Below
    #route 192.168.254.0 255.255.255.0
    
    ### Push Configurations Below
    #push "block-outside-dns"
    #push "dhcp-option DNS 8.8.8.8"
    #push "dhcp-option DNS 8.8.4.4"
    push "route 172.17.0.0 255.255.0.0"
    duplicate-cn
    client-to-client
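    The generated openvpn.conf above mixes hardening directives (tls-auth, user/group) with convenience ones (duplicate-cn, client-to-client) that change what a leaked client profile can do. The following audit script is an added example and not part of the original post or the kylemanna image; the directive names are real OpenVPN options, while the sample config it creates is a constructed stand-in modelled on the one shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the security-relevant
# directives of a generated openvpn.conf before exposing the server.
# The sample file below is a constructed stand-in modelled on the config above.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server 192.168.255.0 255.255.255.0
verb 3
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
proto udp
port 1194
user nobody
group nogroup
#push "block-outside-dns"
push "route 172.17.0.0 255.255.0.0"
duplicate-cn
client-to-client
EOF

# conf_has FILE DIRECTIVE: succeed only if DIRECTIVE is active (not commented out)
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# conf_value FILE DIRECTIVE: print the argument(s) of the first active DIRECTIVE
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# audit_conf FILE: one report line per check (ok / WARN / INFO); always returns 0
audit_conf() {
    conf="$1"
    if conf_has "$conf" tls-auth || conf_has "$conf" tls-crypt; then
        echo "ok    control channel is HMAC-protected (tls-auth/tls-crypt)"
    else
        echo "WARN  no tls-auth/tls-crypt: unauthenticated packets reach the TLS stack"
    fi
    if conf_has "$conf" user && conf_has "$conf" group; then
        echo "ok    daemon drops privileges to $(conf_value "$conf" user):$(conf_value "$conf" group)"
    else
        echo "WARN  daemon keeps root after start-up (no user/group)"
    fi
    if conf_has "$conf" duplicate-cn; then
        echo "WARN  duplicate-cn: several devices may share one certificate, so revoking a leaked profile cuts off every device using it"
    fi
    if conf_has "$conf" client-to-client; then
        echo "INFO  client-to-client: VPN clients can reach each other directly"
    fi
    if ! conf_has "$conf" crl-verify; then
        echo "INFO  no crl-verify in the file: revoked client certificates are only rejected if a CRL is supplied some other way"
    fi
    routes=$(grep -E '^push "route ' "$conf" | sed -E 's/^push "route ([^"]*)"/\1/' | tr '\n' ';')
    echo "INFO  pushed routes: ${routes:-none}"
    return 0
}

# warn_count FILE: number of WARN lines the audit produced
warn_count() {
    audit_conf "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

audit_conf "$SAMPLE_CONF"
echo "warnings: $(warn_count "$SAMPLE_CONF")"
```

    To audit the real file, call audit_conf /root/docker/ovpn-data/openvpn.conf instead of the sample; the checks only look at active lines, so a commented-out push or route is correctly ignored.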
    

    3. Client configuration changes

    The Docker test environment maps the service to port 1196, so the port on the remote line of the client configuration must be changed to 1196 as well.
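    Editing the exported profile by hand is error-prone, and a profile that loses one of its inline blocks fails only at connect time. The script below is an added example, not code from the post or from the kylemanna image: it rewrites the port on the remote line and then checks that the profile exported in step 1 still carries the inline ca, cert, key and tls-auth blocks, key-direction 1 (the server above uses key-direction 0, so the client must use 1) and remote-cert-tls server. The sample profile it creates is constructed, with placeholder strings in place of real key material.

```shell
#!/bin/sh
# Added example, not part of the original post: fix the remote port of an
# exported .ovpn profile and verify it is a complete inline profile.
# The sample profile is constructed; key/cert bodies are placeholders.

SAMPLE_OVPN=$(mktemp)
trap 'rm -f "$SAMPLE_OVPN"' EXIT
cat > "$SAMPLE_OVPN" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote 118.89.231.144 1194 udp
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# set_remote_port PROFILE PORT: point every 'remote HOST PORT [proto]' line at PORT
set_remote_port() {
    tmp=$(mktemp)
    sed -E "s/^(remote[[:space:]]+[^[:space:]]+)[[:space:]]+[0-9]+/\1 $2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# remote_port PROFILE: print the port of the first remote line
remote_port() {
    awk '$1 == "remote" { print $3; exit }' "$1"
}

# check_inline_profile PROFILE: verify the pieces a self-contained client needs.
# key-direction 1 pairs with the server's key-direction 0; remote-cert-tls server
# stops another client certificate from being accepted as the server.
check_inline_profile() {
    missing=""
    for tag in ca cert key tls-auth; do
        grep -q "^<$tag>" "$1" && grep -q "^</$tag>" "$1" || missing="$missing $tag"
    done
    grep -Eq '^key-direction[[:space:]]+1$' "$1" || missing="$missing key-direction"
    grep -Eq '^remote-cert-tls[[:space:]]+server$' "$1" || missing="$missing remote-cert-tls"
    if [ -n "$missing" ]; then
        echo "profile incomplete, missing:$missing"
        return 1
    fi
    echo "profile complete: inline ca/cert/key/tls-auth, key-direction 1, remote-cert-tls server"
}

set_remote_port "$SAMPLE_OVPN" 1196
echo "remote port is now $(remote_port "$SAMPLE_OVPN")"
check_inline_profile "$SAMPLE_OVPN"
```

    For the real profile, run set_remote_port /root/docker/ovpn-data/conf/openvpn_test.ovpn 1196 followed by check_inline_profile on the same file before copying it to the client.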

    4. Client creation script

    [root@openvpn docker]# cat user_create.sh 
    #!/bin/bash
    DATA='/root/docker/ovpn-data'
    
    echo 'The CA private key passphrase is 123456'
    read -p "Enter the name of the client to create: " NAME
    # Issue the client certificate, then export a self-contained .ovpn profile
    docker run -v "$DATA":/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full "$NAME" nopass
    docker run -v "$DATA":/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient "$NAME" > "$DATA/conf/$NAME.ovpn"
    echo "Client profile generated: $DATA/conf/$NAME.ovpn"
    echo "To add more clients, simply run this script again."
    

    5. Client deletion script

    [root@openvpn docker]# cat user_delete.sh 
    #!/bin/bash
    DATA='/root/docker/ovpn-data'
    
    echo 'The CA private key passphrase is 123456'
    read -p "Enter the name of the client to delete: " DNAME
    
    # Revoke the certificate and regenerate the CRL, then remove the client's files
    docker run -v "$DATA":/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa revoke "$DNAME"
    docker run -v "$DATA":/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa gen-crl
    docker run -v "$DATA":/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f "/etc/openvpn/pki/reqs/$DNAME.req"
    docker run -v "$DATA":/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f "/etc/openvpn/pki/private/$DNAME.key"
    docker run -v "$DATA":/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f "/etc/openvpn/pki/issued/$DNAME.crt"
    docker run -v "$DATA":/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f "/etc/openvpn/conf/$DNAME.ovpn"
    # Restart the server so it picks up the new CRL
    docker restart openvpn
    
    echo "Client $DNAME has been deleted."
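    Both scripts above pass whatever name the operator types straight into easyrsa and into rm paths under /etc/openvpn/pki, so a typo revokes nothing and a name containing a path component walks out of the PKI tree. The checks below are an added example, not part of the original post: they accept only safe client names and, for deletion, confirm that a certificate was actually issued and is not already revoked before easyrsa revoke is run. The sample PKI directory is constructed from empty files, and its index.txt is modelled on the OpenSSL CA index format that easyrsa maintains.

```shell
#!/bin/sh
# Added example, not part of the original post: input checks the create/delete
# scripts can call before handing a client name to easyrsa or rm.
# The sample PKI below is a constructed tree of empty files, not real certificates.

# valid_client_name NAME: letters, digits, '_', '-' and '.', 1-64 characters,
# never starting with '-' or '.', never containing '..'. Anything else could be
# parsed as an option or escape the pki/ directory in the rm paths.
valid_client_name() {
    case "$1" in
        ''|-*|.*|*..*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,64}$'
}

# client_exists PKI NAME: easyrsa issued a certificate for NAME
client_exists() {
    [ -f "$1/issued/$2.crt" ]
}

# client_revoked PKI NAME: index.txt carries an R (revoked) entry for NAME
client_revoked() {
    grep -Eq "^R[[:space:]].*/CN=$2\$" "$1/index.txt"
}

# guard_delete PKI NAME: everything to verify before 'easyrsa revoke NAME'
guard_delete() {
    if ! valid_client_name "$2"; then
        echo "refusing: '$2' is not a safe client name"; return 1
    fi
    if client_revoked "$1" "$2"; then
        echo "refusing: '$2' is already revoked"; return 1
    fi
    if ! client_exists "$1" "$2"; then
        echo "refusing: no issued certificate for '$2'"; return 1
    fi
    echo "ok: '$2' can be revoked"
}

# Constructed sample PKI: one active client, one already revoked client
SAMPLE_PKI=$(mktemp -d)
trap 'rm -rf "$SAMPLE_PKI"' EXIT
mkdir -p "$SAMPLE_PKI/issued"
: > "$SAMPLE_PKI/issued/openvpn_test.crt"
printf 'V\t300101000000Z\t\t01\tunknown\t/CN=openvpn_test\n' > "$SAMPLE_PKI/index.txt"
printf 'R\t300101000000Z\t200101000000Z\t02\tunknown\t/CN=laptop-01\n' >> "$SAMPLE_PKI/index.txt"

guard_delete "$SAMPLE_PKI" openvpn_test
guard_delete "$SAMPLE_PKI" laptop-01
guard_delete "$SAMPLE_PKI" '../../openvpn.conf'
guard_delete "$SAMPLE_PKI" nobody
```

    In user_delete.sh the call would be guard_delete /root/docker/ovpn-data/pki "$DNAME" || exit 1 right after the read, and user_create.sh can use valid_client_name "$NAME" || exit 1 the same way.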
    

    6. Client environment selection script

    Write a script that handles the two sets of client certificates and configs, one for production and one for testing. The production OpenVPN runs directly on the host, while the test instance runs in Docker with its port mapped to the public IP. In the test environment the script starts the test profile; in production it starts the production profile.

    [root@CentOS8 ~]# cat vpn_restart.sh
    #!/bin/bash
    # Restart the OpenVPN client: option 1 starts the production client profile,
    # option 2 starts the test (Docker) client profile.
    hostname=$(hostname)
    path='/usr/local/openvpn/etc'
    
    # Draw a simple progress bar while the tunnel comes up
    progress() {
        local b=''
        for ((i=0; i<=50; i++)); do
            printf "[%-50s]%d%%\r" "$b" $((i*2))
            sleep 0.2
            b="#$b"
        done
        echo
    }
    
    # Print the address of the tun interface and record it in /tmp
    report_ip() {
        local ip
        ip=$(ip addr | grep tun | awk -F'[ /]+' 'NR==2{print $3}')
        echo "Virtual IP address of $hostname: $ip" | tee "/tmp/$hostname.ip"
    }
    
    echo -e "\033[32m 1. Production\033[0m"
    echo -e "\033[33m 2. Test\033[0m"
    echo -e "\033[36m 3. Quit\033[0m"
    
    read -p "Select the environment of this host [1/2/3]: " num
    if [ "$num" = "1" ]; then
        pkill openvpn
        nohup /usr/bin/openvpn --config "$path/$hostname/$hostname.conf" >/dev/null 2>&1 &
        echo "Please wait, the production profile is starting....."
        progress
        report_ip
    elif [ "$num" = "2" ]; then
        pkill openvpn
        nohup /usr/bin/openvpn --config "$path/openvpn_test.conf" >/dev/null 2>&1 &
        echo "Please wait, the test profile is starting....."
        progress
        report_ip
    elif [ "$num" = "3" ]; then
        echo "Exiting... thank you!"
        sleep 1
        exit 0
    else
        echo "Invalid input, please run the script again"
        exit 1
    fi
    

          Article title: Open魏皮恩部署方案

          Article link: https://www.haomeiwen.com/subject/uefznctx.html