Newer OpenVPN releases no longer ship the most important piece, the certificate tooling easy-rsa, so download easy-rsa in advance (it is on GitHub; its configuration is covered in step 3 below). This deployment uses easy-rsa 3, whose commands are completely different from easy-rsa 2.0, so the many easy-rsa 2.0 tutorials found elsewhere online do not apply here.
Before deploying OpenVPN, synchronise the server clock with ntpdate. Otherwise the validity dates written into the generated certificates will be wrong and clients will fail with certificate errors (a certificate whose notBefore lies in the future is rejected as not yet valid).
Base environment
# Sync the server clock
# crontab -e, then add an entry like the following (runs every 20 minutes):
*/20 * * * * /usr/sbin/ntpdate 1.cn.pool.ntp.org
# Disable SELinux (this is what the tutorial does; OpenVPN also runs under the targeted policy, so it is a convenience, not a requirement)
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
# Install openssl and lzo; lzo compresses tunnel traffic to speed up transfer. lzo-devel provides the headers the source build in step 1 needs.
yum -y install openssl openssl-devel lzo lzo-devel
# Install the EPEL repository
rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo
# The sed line downgrades the mirror-list fetch from HTTPS to plain HTTP; keep gpgcheck=1 in epel.repo so packages are still signature-verified.
1. Install OpenVPN
Package install (note: this pulls in easy-rsa 2.0, whose layout differs from the easy-rsa 3 workflow used from step 3 onward):
yum -y install openvpn easy-rsa
# edit basic information
cd /usr/share/easy-rsa/2.0/
chmod +x *
vim vars
Source build, which is what this deployment uses:
[root@vpn ~]# yum install -y openssl-devel
[root@vpn ~]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.11.tar.gz
[root@vpn ~]# tar zxvf openvpn-2.3.11.tar.gz
[root@vpn ~]# cd openvpn-2.3.11
[root@vpn openvpn-2.3.11]# ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@vpn openvpn-2.3.11]# make && make install
[root@vpn openvpn-2.3.11]# ln -s /usr/local/openvpn/sbin/openvpn /usr/local/sbin/openvpn
[root@vpn openvpn-2.3.11]# which openvpn
/usr/local/sbin/openvpn   # seeing this means OpenVPN was installed successfully
The --with-lzo-* flags point at an LZO built from source under /usr/local; with the lzo-devel package from the base environment the headers are on the default search path and the two flags can be omitted.
3. Configure easy-rsa on the server
The openvpn-2.3.11 tarball does not include the tooling for making certificates (CA, server and client certificates), so easy-rsa must be downloaded separately; the current version is easy-rsa 3.
[root@vpn ~]# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
[root@vpn ~]# unzip master.zip
[root@vpn ~]# mv easy-rsa-master easy-rsa
[root@vpn ~]# cp -R easy-rsa /usr/local/openvpn/
[root@vpn ~]# cd /usr/local/openvpn/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# cp vars.example vars
[root@vpn easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Beijing"
set_var EASYRSA_REQ_ORG "qiangshCertificate"
set_var EASYRSA_REQ_EMAIL "503579266@qq.com"
set_var EASYRSA_REQ_OU "My OpenVPN"
master.zip is an unpinned snapshot of the development branch; for a reproducible build take a tagged release from https://github.com/OpenVPN/easy-rsa/releases instead.
4. Create the server certificate and key
(1) Initialise the PKI
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/openvpn/easy-rsa/easyrsa3/pki
(2) Create the root (CA) certificate
[root@vpn easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
..+++
..........................+++
writing new private key to '/usr/local/openvpn/easy-rsa/easyrsa3/pki/private/ca.key.SueAMWTlxi'
Enter PEM pass phrase:             # choose a passphrase; it encrypts ca.key and is needed for every signing operation
Verifying - Enter PEM pass phrase: # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ylsh   # enter a Common Name
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/openvpn/easy-rsa/easyrsa3/pki/ca.crt
(3) Create the server key and certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass   # nopass: server.key is left unencrypted so the daemon can start unattended; protect it with 0600 permissions instead
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
......................................+++
writing new private key to '/usr/local/openvpn/easy-rsa/easyrsa3/pki/private/server.key.YyWK7tSjws'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:ylsh-BJ   # this Common Name must NOT be the same as the one used for the CA!
Keypair and certificate request completed. Your files are:
req: /usr/local/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /usr/local/openvpn/easy-rsa/easyrsa3/pki/private/server.key
(4) Sign the server certificate (sign is shorthand for sign-req; the first argument is the certificate type, which selects the serverAuth extensions)
[root@vpn easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName                = ylsh-BJ
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes   # type yes to continue
Using configuration from /usr/local/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:   # the passphrase chosen when creating the CA
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'ylsh-BJ'
Certificate is to be certified until Jun 11 04:01:47 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
(5) Generate the Diffie-Hellman parameters, which let the session keys be agreed across an untrusted network:
[root@vpn easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.......................+..........................+...........++*++*   (progress output trimmed)
DH parameters of size 2048 created at /usr/local/openvpn/easy-rsa/easyrsa3/pki/dh.pem
5. Create the client certificate
(1) Create a client directory under root's home
[root@vpn easyrsa3]# cd
[root@vpn ~]# mkdir client
[root@vpn ~]# cp -R /home/sources/easy-rsa/ client/   # a fresh copy of the unpacked easy-rsa tree (kept under /home/sources here), separate from the server PKI
(2) Initialise the client PKI
[root@vpn ~]# cd client/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
(3) Create the client key and certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req qiangsh
Generating a 2048 bit RSA private key
.......................+++
........................................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key.LD7Wk6hmQq'
Enter PEM pass phrase:             # choose a passphrase (the GUI will ask for it on every connect)
Verifying - Enter PEM pass phrase: # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [qiangsh]:qiangsh   # enter qiangsh
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
key: /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
(4) Import qiangsh.req and sign the certificate
In a real deployment the client generates its key and request on its own machine and sends only the .req to the CA, so the private key never leaves the client; the "verify the request checksum with the sender" prompt below is where you confirm the request really came from that client. Here both sides live on one host for the walkthrough, which is why the request is imported from /root/client.
[root@vpn ~]# cd /usr/local/openvpn/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req qiangsh   # import the request
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: qiangsh
You may now use this name to perform signing operations on this request.
[root@vpn easyrsa3]# ./easyrsa sign client qiangsh   # sign the certificate
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = qiangsh
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes   # type yes
Using configuration from /usr/local/openvpn/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /usr/local/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:   # the passphrase chosen when creating the CA
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'qiangsh'
Certificate is to be certified until Jun  6 07:50:02 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /usr/local/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt   # signed successfully
(5) Files produced on the server and client sides
Server side (the /usr/local/openvpn/easy-rsa/easyrsa3/pki/ directory):
/usr/local/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/usr/local/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
/usr/local/openvpn/easy-rsa/easyrsa3/pki/reqs/qiangsh.req
/usr/local/openvpn/easy-rsa/easyrsa3/pki/private/ca.key
/usr/local/openvpn/easy-rsa/easyrsa3/pki/private/server.key
/usr/local/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt
/usr/local/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt
/usr/local/openvpn/easy-rsa/easyrsa3/pki/dh.pem
Client side (/root/client/easy-rsa):
/root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key
/root/client/easy-rsa/easyrsa3/pki/reqs/qiangsh.req   # this file was imported into the server PKI, so a copy exists there too
(6) Copy the server key, certificate and DH parameters into the openvpn directory
[root@vpn ~]# cp /usr/local/openvpn/easy-rsa/easyrsa3/pki/ca.crt /usr/local/openvpn/
[root@vpn ~]# cp /usr/local/openvpn/easy-rsa/easyrsa3/pki/private/server.key /usr/local/openvpn/
[root@vpn ~]# cp /usr/local/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/openvpn/
[root@vpn ~]# cp /usr/local/openvpn/easy-rsa/easyrsa3/pki/dh.pem /usr/local/openvpn/
cp without -p creates the copy with the default umask, so the unencrypted server.key is no longer 0600 as easy-rsa made it; chmod 600 /usr/local/openvpn/server.key after copying. ca.key stays in the PKI directory and is never copied to the server's runtime directory.
(7) Copy the client key and certificates into the client directory
[root@vpn ~]# cp /usr/local/openvpn/easy-rsa/easyrsa3/pki/ca.crt /root/client/
[root@vpn ~]# cp /usr/local/openvpn/easy-rsa/easyrsa3/pki/issued/qiangsh.crt /root/client/
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/qiangsh.key /root/client/
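Before the certificates from steps 4 and 5 are copied into place, it is worth checking that they are what the server and client will need. The script below is an added example, not part of the original tutorial or of easy-rsa: it reproduces with plain openssl the three objects easy-rsa made above (a CA, a server certificate, a client certificate) in a throwaway directory, then runs the three checks a practitioner wants on the real files: that each certificate chains to ca.crt, that it carries the extendedKeyUsage OpenVPN expects for its role, and that the server's Common Name differs from the CA's. The CNs ylsh, ylsh-BJ and qiangsh are the tutorial's; the issue_cert and check_cert helpers and the throwaway CA are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): rebuild the CA / server / client
# certificates with plain openssl and check them the way one should check the
# files easy-rsa produced. All names below are constructed for the example.
WORK=$(mktemp -d)

# Self-signed CA, the equivalent of './easyrsa build-ca'. The key is left
# unencrypted only because this CA is throwaway; the real ca.key keeps its passphrase.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ylsh" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.req" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/ca.ext"
openssl x509 -req -days 3650 -in "$WORK/ca.req" -signkey "$WORK/ca.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert <name> <cn> <server|client>: 'gen-req' followed by 'sign-req'.
# The extensions mirror easy-rsa's x509-types/server and x509-types/client;
# the serverAuth EKU is what makes 'remote-cert-tls server' on the client meaningful.
issue_cert() {
  name=$1; cn=$2; kind=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.req" 2>/dev/null
  if [ "$kind" = server ]; then eku=serverAuth; else eku=clientAuth; fi
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$eku" >"$WORK/$name.ext"
  openssl x509 -req -days 3650 -in "$WORK/$name.req" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# check_cert <cert> <ca> <server|client>: returns 0 only if the certificate
# chains to the CA, carries the EKU OpenVPN expects for that role, and does not
# reuse the CA's Common Name. Prints the first failing check otherwise.
check_cert() {
  crt=$1; ca=$2; kind=$3
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
    { echo "chain: $crt does not verify against $ca"; return 1; }
  if [ "$kind" = server ]; then want="TLS Web Server Authentication"
  else want="TLS Web Client Authentication"; fi
  openssl x509 -in "$crt" -noout -text | grep -q "$want" ||
    { echo "eku: $crt lacks '$want'"; return 1; }
  # 'subject=CN = x' (OpenSSL 1.1/3) or 'subject= /CN=x' (OpenSSL 1.0): keep the CN value
  cn=$(openssl x509 -in "$crt" -noout -subject | sed 's/.*CN *= *//')
  cacn=$(openssl x509 -in "$ca" -noout -subject | sed 's/.*CN *= *//')
  [ "$cn" != "$cacn" ] || { echo "cn: $crt reuses the CA CN '$cacn'"; return 1; }
  return 0
}

issue_cert server ylsh-BJ server
issue_cert qiangsh qiangsh client
check_cert "$WORK/server.crt" "$WORK/ca.crt" server && echo "server.crt ok"
check_cert "$WORK/qiangsh.crt" "$WORK/ca.crt" client && echo "qiangsh.crt ok"
# A client certificate offered as a server must fail the server check: this is
# the impersonation that 'remote-cert-tls server' in client.ovpn defends against.
check_cert "$WORK/qiangsh.crt" "$WORK/ca.crt" server || echo "client cert rejected as server, as expected"
```

Run check_cert against the real files with `check_cert /usr/local/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt /usr/local/openvpn/easy-rsa/easyrsa3/pki/ca.crt server` (and the client equivalent) before step (6). The EKU check is the one that matters most: if a client certificate passed it as a server, any user holding a valid client certificate could stand up a fake server that other clients would trust.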
(8) Write the server configuration file
When OpenVPN is installed it ships a sample server configuration.
Copy the sample into the openvpn directory and edit it (adjust the source path to wherever you unpacked the tarball in step 1):
[root@vpn ~]# cp /home/sources/openvpn-2.3.11/sample/sample-config-files/server.conf /usr/local/openvpn/
[root@vpn ~]# vim /usr/local/openvpn/server.conf
local 192.168.1.100   # your VPS's own IP
port 1194
proto udp
dev tun
ca /usr/local/openvpn/ca.crt
cert /usr/local/openvpn/server.crt
key /usr/local/openvpn/server.key
dh /usr/local/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"   # route all client traffic through the VPN
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
As written, the daemon keeps running as root and the TLS control channel is open to anyone who can reach udp/1194; the sample file's commented-out user nobody / group nobody lines and a tls-auth key are the usual additions.
(9) Enable IP forwarding
[root@vpn ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 0   # change to net.ipv4.ip_forward = 1
[root@vpn ~]# sysctl -p   # load the edited file; editing alone does not change the running value
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
(10) NAT the traffic leaving the tunnel (eth0 is the VPS's public-facing interface; without this rule clients cannot reach the Internet):
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
This rule lives only in the running kernel; on CentOS 6 run service iptables save so it survives a reboot.
III. Download the OpenVPN client and configure it
1. Copy the client key and certificates out to Windows
[root@vpn ~]# cd ~/client/
[root@vpn client]# ls
ca.crt  easy-rsa  qiangsh.crt  qiangsh.key   # the three files with extensions are the ones to copy
2. Install the OpenVPN GUI
(1) Copy C:\Program Files\OpenVPN\sample-config\client.ovpn to C:\Program Files\OpenVPN\config
(2) Put the three key and certificate files copied out of Linux into that same config directory
(3) Edit C:\Program Files\OpenVPN\config\client.ovpn to read:
client
dev tun
proto udp
remote 192.168.1.100 1194   # the server's IP and port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt          # the CA certificate is required here
cert qiangsh.crt
key qiangsh.key
comp-lzo
verb 3
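The server.conf from step (8) and the client.ovpn just above share the same gaps: compression is on, the TLS handshake has no HMAC firewall, cipher and HMAC are left at the OpenVPN 2.3 defaults, the server stays root, and the client never checks that the peer certificate is a server certificate. The script below is an added example, not the tutorial's or OpenVPN's code: a small lint that reads both files, reports those gaps, and then writes hardened versions of each. The two sample configs are constructed inline from the tutorial's directives; lint_ovpn and harden are this example's own helpers, and the ta.key the hardened files reference is assumed to come from `openvpn --genkey --secret ta.key` (2.3 syntax) and to be copied to every client.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint the two OpenVPN configs from the
# tutorial and produce hardened versions. Sample files are constructed here.
W=$(mktemp -d)

# lint_ovpn <file> <server|client>: writes one line per weak or missing setting
# to stderr and prints the number of findings on stdout (0 means clean).
lint_ovpn() {
  f=$1; role=$2; n=0
  has() { grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$f"; }
  flag() { echo "$f: $1" >&2; n=$((n + 1)); }
  # only an enabled comp-lzo counts; 'comp-lzo no' is fine
  grep -Eq '^[[:space:]]*comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*$' "$f" &&
    flag "comp-lzo: compressing attacker-influenced plaintext leaks tunnelled secrets (compression-oracle attacks); drop it on both sides"
  has tls-auth || has tls-crypt ||
    flag "no tls-auth: anyone who can reach udp/1194 gets a TLS handshake, so scans and pre-auth bugs hit the server"
  has cipher || flag "no cipher: OpenVPN 2.3 defaults to BF-CBC, a 64-bit block cipher (SWEET32); set AES-256-CBC"
  has auth || flag "no auth: HMAC defaults to SHA1; set auth SHA256"
  if [ "$role" = server ]; then
    { has user && has group; } || flag "no user/group: the daemon keeps running as root; add user nobody and group nobody"
  else
    has 'remote-cert-tls server' ||
      flag "no remote-cert-tls server: any certificate the CA issued, including another client's, could impersonate the server"
  fi
  echo "$n"
}

# The tutorial's server.conf and client.ovpn, as written above (constructed samples).
cat >"$W/server.conf" <<'EOF'
local 192.168.1.100
port 1194
proto udp
dev tun
ca /usr/local/openvpn/ca.crt
cert /usr/local/openvpn/server.crt
key /usr/local/openvpn/server.key
dh /usr/local/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
cat >"$W/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 192.168.1.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert qiangsh.crt
key qiangsh.key
comp-lzo
verb 3
EOF

# harden <in> <out> <server|client>: drop comp-lzo and append the settings the
# lint asks for. persist-key/persist-tun, already present, are what let the
# server restart after it has dropped to nobody.
harden() {
  grep -v '^comp-lzo' "$1" >"$2"
  if [ "$3" = server ]; then
    printf 'tls-auth /usr/local/openvpn/ta.key 0\nuser nobody\ngroup nobody\n' >>"$2"
  else
    printf 'tls-auth ta.key 1\nremote-cert-tls server\n' >>"$2"
  fi
  printf 'cipher AES-256-CBC\nauth SHA256\n' >>"$2"
}

harden "$W/server.conf" "$W/server-hardened.conf" server
harden "$W/client.ovpn" "$W/client-hardened.ovpn" client
for f in server.conf server-hardened.conf; do echo "$f: $(lint_ovpn "$W/$f" server) finding(s)"; done
for f in client.ovpn client-hardened.ovpn; do echo "$f: $(lint_ovpn "$W/$f" client) finding(s)"; done
```

Run it against the real files with `lint_ovpn /usr/local/openvpn/server.conf server` on the VPS and `lint_ovpn client.ovpn client` on a copy of the Windows file. Every setting the hardened output adds is available in OpenVPN 2.3.11; cipher and auth must be set identically on both sides or the tunnel will not come up, and remote-cert-tls server only works because the server certificate was signed with the server type in step 4 (4).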
IV. Start the service and test
1. Start the OpenVPN service on the VPN server
[root@vpn ~]# /usr/local/sbin/openvpn --config /usr/local/openvpn/server.conf &
[root@vpn ~]# echo "/usr/local/sbin/openvpn --config /usr/local/openvpn/server.conf &" >> /etc/rc.local   # start on boot
Backgrounding with & leaves the process tied to the shell; openvpn's own --daemon option is the cleaner way to detach it, both on the command line and in rc.local.
2. In OpenVPN GUI, right-click the tray icon, choose Connect, and enter the passphrase set on the client key in step 5 (3)
3. Check the VPN status; the file named by status openvpn-status.log in server.conf lists the connected clients