openvon安装

一、安装环境

1.阿里云centos7

2.关闭防火墙，selinux

临时关闭：setenforce 0

永久关闭：vim /etc/selinux/config

3.修改yum源

1）备份原有的yum源

2）下载对应版本的repo文件

centos7：wget http://mirrors.163.com/.help/CentOS7-Base-163.repo

centos6：wget http://mirrors.163.com/.help/CentOS6-Base-163.repo

这下载centos7的yum源

cd /etc/yum.repos.d/
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo cp CentOS6-Base-163.repo CentOS-Base.repo #运行以下命令生成缓存
yum clean all
yum makecache

4.配置时间同步

yum install ntp -y
ntpdate pool.ntp.org
echo '#tim sync by hua at 2016.6.22'>>/var/spool/cron/root
echo '*/10 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1'>>/var/spool/cron/root crontab -l

二、openvpn服务器安装和配置

从官网能知道安装依赖

1.安装openVPN相关的依赖软件

yum install openssl-devel openssl pam pam-devel lzo lzo-devel -y

2.创建/app下载安装

[root@database2019030517 app]#  git clone https://github.com/OpenVPN/openvpn.git
[root@database2019030517 app]#  git clone https://github.com/OpenVPN/easy-rsa.git

3.进入app目录，生成编译脚本configure

wget http://rpmfind.net/linux/centos/7.6.1810/os/x86_64/Packages/autoconf-2.69-11.el7.noarch.rpm
[root@database2019030517 app]# rpm -ivh autoconf-2.69-11.el7.noarch.rpm
[root@database2019030517 ~]#  yum install -y automake
[root@database2019030517 openvpn]# yum install -y libtool  libsysfs-dev
[root@database2019030517 openvpn]# autoreconf -i -v -f

执行configure脚本报错

报错一

checking for lz4.h... no
		usable LZ4 library or header not found, using version in src/compat/compat-lz4.*
checking git checkout... yes
configure: error: lzo enabled but missing

安装LZO

[root@database2019030517 lzo-2.10]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
[root@database2019030517 lzo-2.10]# tar zxvf lzo-2.10.tar.gz
[root@database2019030517 lzo-2.10]# cd lzo-2.10
[root@database2019030517 lzo-2.10]# ./configure
[root@database2019030517 lzo-2.10]# make && make install

报错二

checking whether the compiler acceppts -Wall... yes
configure: error: libpam required but missin

安装pam-devel

yum install pam-devel

预编译

[root@database2019030517 openvpn]# ./configure --prefix=/app/openVPN

编译安装

[root@database2019030517 openvpn]# make
[root@database2019030517 openvpn]# make check
[root@database2019030517 openvpn]# make install

复制配置文件

[root@database2019030517 openVPN]# mkdir /app/openVPN/conf/
[root@database2019030517 openvpn]# cp sample/sample-config-files/{server,client}.conf /app/openVPN/conf/

4.配置 openvpn server-建立 CA 证书

easy-rsa，该包用来制作 ca 证书，服务端证书，客户端证书

如果执行过git clone https://github.com/OpenVPN/easy-rsa.git那么下面以#号开头的就不用弄了，包是一样的包

#yum install unzip -y
#wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
#unzip master.zip
#mv easy-rsa-master easy-rsa
#cp -rf easy-rsa/ /app/
cd /data/app/easy-rsa/easyrsa3/

#一般情况下，默认的配置可以满足需求，也可以根据需要修改

cp vars.example vars

#1.修改 vars

vim vars +91

set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "BJ"
set_var EASYRSA_REQ_CITY        "Bei Jing"
set_var EASYRSA_REQ_ORG         "axyh" #组织名
set_var EASYRSA_REQ_EMAIL       "446693337@qq.com"
set_var EASYRSA_REQ_OU          "axyh" 部门名

#2创建服务端客户端证书

[root@test2019030517 easy-rsa]# cp -av easyrsa3/ easyrsa3_server
[root@test2019030517 easy-rsa]# cp -av easyrsa3/ easyrsa3_client

#3服务端证书

1、创建服务端证书

创建根证书，首先会提示设置密码，用于ca对之后生成的server和client证书签名时使用，然后会提示设置

[root@proxy2019030517 easyrsa3_client]# ./easyrsa init-pki

可以键入回车使用默认的

[root@test2019030517 easyrsa3_server]# ./easyrsa build-ca
#根证书密码要记住， 给server端和客户端证书签名的时候会用到(123456)

♦创建服务端证书server 设置无密码

[root@test2019030517 easyrsa3_server]# ./easyrsa gen-req server nopass

♦给server端证书做签名，首先是对一些信息的确认，可以输入yes，然后输入build-ca时设置的那个密码 (123456)

[root@test2019030517 easyrsa3_server]# ./easyrsa sign server server

 ♦创建Diffie-Hellman，时间会有点长，耐心等待 

[root@test2019030517 easyrsa3_server]# ./easyrsa gen-dh

 2、创建客户端证书

前戏

[root@proxy2019030517 easyrsa3_client]# ./easyrsa init-pki

。。。。。

[root@test2019030517 easyrsa3_client]# cd /data/app/easy-rsa/easyrsa3_client

 ♦创建client端证书和private key，nopass表示不加密private key

[root@test2019030517 easyrsa3_client]# ./easyrsa gen-req client nopass

 ♦回到制作server证书时的那个easyrsa3目录，导入client端证书，准备签名

[root@test2019030517 easyrsa3_server]# ./easyrsa import-req /data/app/easy-rsa/easyrsa3_client/pki/reqs/client.req client

 ♦给client端证书做签名，首先是对一些信息的确认，可以输入yes，然后输入build-ca时设置的那个密码 

[root@test2019030517 easyrsa3_server]# ./easyrsa sign client client

#4整理服务端证书/客户端证书

[root@test2019030517 openVPN]# mkdir /app/openVPN/server_keys/
[root@test2019030517 openVPN]# mkdir /app/openVPN/client_keys/

 ♦导入证书到server_keys

[root@test2019030517 pki]# cp /data/app/easy-rsa/easyrsa3_server/pki/ca.crt /app/openVPN/server_keys/
[root@test2019030517 pki]# cp /data/app/easy-rsa/easyrsa3_server/pki/private/server.key /app/openVPN/server_keys/
[root@test2019030517 pki]# cp /data/app/easy-rsa/easyrsa3_server/pki/issued/server.crt /app/openVPN/server_keys/
[root@test2019030517 pki]# cp /data/app/easy-rsa/easyrsa3_server/pki/dh.pem /app/openVPN/server_keys/

 ♦导入证书到client_keys

[root@test2019030517 pki]# cp /data/app/easy-rsa/easyrsa3_server/pki/ca.crt /app/openVPN/client_keys/
[root@test2019030517 pki]# cp /data/app/easy-rsa/easyrsa3_server/pki/issued/client.crt /app/openVPN/client_keys/
[root@test2019030517 pki]# cp /data/app/easy-rsa/easyrsa3_client/pki/private/client.key /app/openVPN/client_keys/

#5创建配置文件目录，导入样本文件

[root@test2019030517 pki]# mkdir /app/openVPN/conf
[root@test2019030517 pki]# cp /data/app/openvpn/sample/sample-config-files/{server,client}.conf /app/openVPN/conf/

#6配置server.conf

local 0.0.0.0

port 1194
proto tcp

dev tun

ca /app/openVPN/server_keys/ca.crt
cert /app/openVPN/server_keys/server.crt
key /app/openVPN/server_keys/server.key 

dh /app/openVPN/server_keys/dh.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"

keepalive 10 120

comp-lzo

max-clients 100

persist-key

persist-tun

status openvpn-status.log

verb 3

client-cert-not-required
username-as-common-name
auth-user-pass-verify /app/openVPN/checkpsw.sh via-env
script-security 3

#7编写/app/openVPN/checkpsw.sh

#!/bin/sh
########################################################### 

PASSFILE="/app/openVPN/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

########################################################### 

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

♦更改权限 

[root@test2019030517 openVPN]# chmod 755 checkpsw.sh

 ♦创建账号密码文件

[root@test2019030517 openVPN]# cat psw-file
liuxueting liuxueting

#9启动svn

[root@test2019030517 sbin]# ./openvpn /app/openVPN/conf/server.conf &
[root@test2019030517 sbin]# ps -ef | grep openvpn
[root@test2019030517 sbin]# ss -lnt | grep 1194

#10打开防火墙策略，查看有无tun0网卡

[root@test2019030517 openVPN]#  iptables -I INPUT -p tcp --dport 1194 -j ACCEPT
[root@test2019030517 openVPN]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@test2019030517 openVPN]# ifconfig
[root@test2019030517 openVPN]# iptables -I INPUT -i tun0 -j ACCEPT
[root@test2019030517 openVPN]# iptables -I FORWARD -i tun0 -j ACCEPT
[root@test2019030517 openVPN]# iptables -I FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@test2019030517 openVPN]# iptables -I FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

#11Centos 系统配置修改

#打开服务器的路由功能 vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# 然后使内核参数生效:
sysctl -p
more /proc/sys/net/ipv4/ip_forward 值为1 就行

#12重启openvpn

kill杀掉进程在./openvpn /app/openVPN/conf/server.conf &

5.客户端连接/app/openVPN/client_keys

将证书、client.conf发送给客户端，客户端也可以自己建立一个配置文件如下：

windows 客户端为例（将证书都放置在这个目录下面）

C:\Program Files (x86)\OpenVPN\config\

然后将client.conf改名为client.ovpn

client

auth-user-pass

dev tun

proto tcp

remote 服务端ip 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert client.crt

key client.key

comp-lzo

verb 3

完了连接就好了