1、安装前准备
# 关闭selinux
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
# 安装openssl和lzo,lzo用于压缩通讯数据加快传输速度
yum -y install openssl openssl-devel
yum -y install lzo
# 安装epel源
rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo
2、安装及配置OpenVPN和easy-rsa
# 安装openvpn和easy-rsa
yum -y install openvpn easy-rsa
# 修改vars文件
cd /usr/share/easy-rsa/2.0/
vim vars
# 修改注册信息,比如公司地址、公司名称、部门名称等。
export KEY_COUNTRY="CN"
export KEY_PROVINCE="Shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="suredata"
export KEY_EMAIL="xiabing@suredata.com"
export KEY_OU="suredataUnit"
# 初始化环境变量
source vars
# 清除keys目录下所有与证书相关的文件
# 下面步骤生成的证书和密钥都在/usr/share/easy-rsa/2.0/keys目录里
./clean-all
# 生成根证书ca.crt和根密钥ca.key(一路按回车即可)
./build-ca
# 为服务端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车)
./build-key-server server
# 创建迪菲·赫尔曼密钥,会生成dh2048.pem文件(生成过程比较慢,不要去中断它)
./build-dh
# 生成ta.key文件(防DDos攻击、UDP淹没等恶意攻击)
openvpn --genkey --secret keys/ta.key
3、创建服务器端配置文件
# 在openvpn的配置目录下新建一个keys目录
mkdir /etc/openvpn/keys
# 将需要用到的openvpn证书和密钥复制一份到刚创建好的keys目录中
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# 复制一份服务器端配置文件模板server.conf到/etc/openvpn/
cp /usr/share/doc/openvpn-2.4.3/sample/sample-config-files/server.conf /etc/openvpn/
# 查看server.conf里的配置参数
grep '[#;]' /etc/openvpn/server.conf
# 编辑server.conf
vi /etc/openvpn/server.conf
以下是我本地的配置,供参考
port 1194
proto udp
dev tun
# 路径前面加keys,全路径为/etc/openvpn/keys/ca.crt
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh2048.pem
# 默认虚拟局域网网段,不要和实际的局域网冲突即可
server 10.8.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.255.0.0"
keepalive 10 120
cipher BF-CBC
comp-lzo
persist-key
persist-tun
# OpenVPN的状态日志,默认为/etc/openvpn/openvpn-status.log
status openvpn-status.log
# OpenVPN的运行日志,默认为/etc/openvpn/openvpn.log
log-append openvpn.log
# 改成verb 5可以多查看一些调试信息
verb 5
explicit-exit-notify 1
# 可以让客户端之间相互访问直接通过openvpn程序转发,根据需要设置
#client-to-client
# 如果客户端都使用相同的证书和密钥连接VPN,一定要打开这个选项,否则每个证书只允许一个人连接VPN
#duplicate-cn
4、配置内核和防火墙,启动服务
# 开启路由转发功能
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sysctl -p
# 配置防火墙,别忘记保存
iptables -I INPUT -p udp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
service iptables save
# 启动openvpn并设置为开机启动
service openvpn start
chkconfig openvpn on
5、生成客户端证书及配置文件
# 为客户端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)
/usr/share/easy-rsa/2.0/build-key client1
# 客户端配置文件生成
客户端配置文件示例:
client
dev tun
proto udp
remote 58.247.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
keysize 128
verb 5
<ca>
-----BEGIN CERTIFICATE-----
ca.crt 内容
-----END CERTIFICATE-----
</ca>
<cert>
6a:1f:62:81
-----BEGIN CERTIFICATE-----
client1.crt 内容
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
client1.key 内容
-----END PRIVATE KEY-----
</key>
6、下面贴出自动生成客户端证书和配置的脚本
openvpn_user.sh 脚本内容:
vi openvpn_user.sh
以下是脚本内容,供参考
#! /bin/bash
para_num=$#
operation=$1
vpn_user=$2
function help()
{
echo './openvpn_user.sh add username(vpn username)'
echo './openvpn_user.sh del username(vpn username)'
}
function add_user()
{
if [ -f /usr/share/easy-rsa/2.0/keys/$vpn_user.crt ];then
echo "$vpn_user already exist!"
exit 1
else
cd /usr/share/easy-rsa/2.0/
source ./vars
/suredata/bin/vpn_expect.expect $vpn_user
cd /usr/share/easy-rsa/2.0/keys
generate_client_conf
cp /root/user_data/${vpn_user}/${vpn_user}.ovpn /suredata/bin/weblog/
echo "===============================success=================================="
echo "add vpn user: $vpn_user success!"
echo "===============================success=================================="
fi
}
function del_user()
{
cd /usr/share/easy-rsa/2.0/
source ./vars
/usr/share/easy-rsa/2.0/revoke-full $vpn_user
rm -rf /usr/share/easy-rsa/2.0/keys/${vpn_user}.*
rm -rf /suredata/bin/weblog/${vpn_user}.*
echo "================================success================================"
echo "del vpn user: $vpn_user success!"
echo "================================success================================"
}
function generate_client_conf()
{
# client path
mkdir -p /root/user_data/$vpn_user
user_path=/root/user_data/$vpn_user
client_file=${user_path}/${vpn_user}.ovpn
client_crt_file=/usr/share/easy-rsa/2.0/keys/${vpn_user}.crt
client_key_file=/usr/share/easy-rsa/2.0/keys/${vpn_user}.key
ca_crt_file=/usr/share/easy-rsa/2.0/keys/ca.crt
echo "client" > ${client_file}
echo "dev tun" >> ${client_file}
echo "proto udp" >> ${client_file}
echo "remote 58.247.125.141 1194" >> ${client_file}
echo "resolv-retry infinite" >> ${client_file}
echo "nobind" >> ${client_file}
echo "persist-key" >> ${client_file}
echo "persist-tun" >> ${client_file}
echo "comp-lzo" >> ${client_file}
echo "keysize 128" >> ${client_file}
echo "verb 5" >> ${client_file}
echo "<ca>" >> ${client_file}
cat ${ca_crt_file} >> ${client_file}
echo "</ca>" >> ${client_file}
echo "<cert>" >> ${client_file}
tail -n 31 ${client_crt_file} >> ${client_file}
echo "</cert>" >> ${client_file}
echo "<key>" >> ${client_file}
cat ${client_key_file} >> ${client_file}
echo "</key>" >> ${client_file}
}
function main()
{
if [ $para_num -ne 2 ];then
echo "para is illegal!"
help
exit 1
else
if [ $operation = "add" ];then
add_user
elif [ $operation = "del" ];then
del_user
else
echo 'operation only support add | del'
help
exit 1
fi
fi
}
main
/suredata/bin/vpn_expect.expect //自动生成客户端证书expect脚本
以下是脚本内容,供参考
#!/usr/bin/expect -f
if $argc<1 {
puts stderr "Usage: $argv0 need argv.\n"
exit 1
}
set vpnuser [lindex $argv 0]
set path /usr/share/easy-rsa/2.0
spawn $path/build-key $vpnuser
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "\r"
expect "*"
send "y\r"
expect "*"
send "y\r"
expect eof
exit
网友评论