[root@localhost 3]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.36 netmask 255.255.252.0 broadcast 192.168.3.255
inet6 fe80::c555:26f8:102b:a63e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:85:b5:cc txqueuelen 1000 (Ethernet)
RX packets 2076 bytes 134117 (130.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 111 bytes 14420 (14.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4 bytes 340 (340.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 340 (340.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
这里添加使用阿里base源及epel源
[root@localhost ~]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@localhost ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
[root@localhost ~]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base epel extras updates
Cleaning up list of fastest mirrors
[root@localhost ~]# yum makecache
关闭selinux、firewalld,开启iptables
[root@localhost ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# yum install iptables* -y
[root@localhost ~]# rpm -qa|grep iptables
iptables-1.4.21-34.el7.x86_64
iptables-utils-1.4.21-34.el7.x86_64
iptables-devel-1.4.21-34.el7.x86_64
iptables-services-1.4.21-34.el7.x86_64
[root@localhost ~]# rpm -qa|grep iptables
iptables-1.4.21-34.el7.x86_64
iptables-utils-1.4.21-34.el7.x86_64
iptables-devel-1.4.21-34.el7.x86_64
iptables-services-1.4.21-34.el7.x86_64
[root@localhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@localhost ~]# systemctl start iptables
[root@localhost ~]# iptables -F
[root@localhost ~]# iptables -X
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
[root@localhost ~]# iptables -A FORWARD -i tun+ -j ACCEPT
[root@localhost ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@localhost ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
开启端口转发功能
[root@localhost ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
[root@localhost ~]# sysctl -p
net.ipv4.ip_forward = 1
yum 安装 openvpn、easy-rsa
[root@localhost ~]# yum install openvpn easy-rsa -y
[root@localhost ~]# rpm -qa|grep openvpn
openvpn-2.4.9-1.el7.x86_64
[root@localhost ~]# rpm -qa|grep easy-rsa
easy-rsa-3.0.8-1.el7.noarch
复制加密程序目录 至 安装目录
[root@localhost ~]# cp -R /usr/share/easy-rsa/ /etc/openvpn/
创建加密文件vars至安装目录
[root@localhost ~]# cd /etc/openvpn/easy-rsa/3/
[root@localhost 3]# cat vars
# Distinguished-name defaults, loaded with `source vars` before running easyrsa.
# NOTE(review): the KEY_* names are the Easy-RSA 2.x convention; Easy-RSA 3.x
# (3.0.8 is installed here) reads EASYRSA_REQ_* instead, and the build-ca /
# gen-req prompts on this page only asked for the CN — confirm these are honoured.
# Country code, two characters
KEY_COUNTRY="CN"
# Province
KEY_PROVINCE="huben"
# City
KEY_CITY="wuhan"
# Organisation
KEY_ORG="talent"
# Contact e-mail address
KEY_EMAIL="631646620@qq.com"
# Organisational unit
KEY_OU="My OpenVPN"
# X509 Subject Field
KEY_NAME="EasyRSA"
export KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU KEY_NAME
[root@localhost 3]#
source vars,让变量生效
[root@localhost 3]# source vars
复制服务主配置文件至ETC安装目录
[root@localhost 3]# cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/
./easyrsa init-pki 清空证书等信息
[root@localhost 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki
创建ca.crt根证书
[root@localhost 3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: 我这里密码为1q2w3e4r
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
...+++
.+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:EasyRSACA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt
创建服务端 证书
[root@localhost 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
..................+++
........................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-12118.s82Ujn/tmp.dil5pH'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:server
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3/pki/private/server.key
签约服务端证书
[root@localhost 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-12146.vTQHQs/tmp.SuIi6a
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: 第一步的密码1q2w3e4r
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 9 09:28:38 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt
生成 Diffie-Hellman 参数,用于在不安全网络上安全地协商密钥
[root@localhost 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................................
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem
将下列文件放到/etc/openvpn/ 目录执行命令
[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/
[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/private/server.key /etc/openvpn/
[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt /etc/openvpn/
[root@localhost 3]# cp /etc/openvpn/easy-rsa/3/pki/dh.pem /etc/openvpn/
编辑/etc/openvpn/server.conf
[root@localhost 3]# vim /etc/openvpn/server.conf
# OpenVPN server profile (/etc/openvpn/server.conf), trimmed from the 2.4.9
# sample file. The certificate paths match the files copied out of the easy-rsa pki.
port 1194
# NOTE(review): the client profile generated by the user-add script points at
# port 64001, so something in front of this host must forward 64001 -> 1194 — confirm.
proto tcp
dev tun
# CA that signed the server certificate and every client certificate.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
# Client address pool; the iptables MASQUERADE/FORWARD rules refer to this subnet.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Send all client traffic through the tunnel and hand clients a resolver.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# NOTE(review): compressing tunnelled traffic is deprecated in OpenVPN 2.4 and
# weakens the encryption against chosen-plaintext probing; consider dropping it
# on both server and client profiles.
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
# NOTE(review): no tls-auth/tls-crypt key and no user/group privilege drop are
# configured; both appear (commented out) in the sample file and are worth enabling.
至此,服务已经安装完成,下面添加登录用户信息,我这里就不写了,直接执行脚本添加,见下
#!/bin/bash
#author by yuejianyuan
#2020年11月6日 20:23:24
#auth to add openvpnusers
##########################
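# Refuse to run unless invoked as root: easy-rsa and the copies below write
# under /etc/openvpn and /root. Diagnostics go to stderr.
if [ "${UID}" -ne 0 ]; then
  printf '\033[33m ------------ Permission no enough, please use root ---------------\033[0m\n' >&2
  exit 1
fi
# Exactly one argument (the client user name) is required.
if [ "$#" -ne 1 ]; then
  printf '\033[33m ....执行脚本时,后面必须有且只能有1个用户,退出.... \033[0m\n' >&2
  exit 1
fi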
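#######################################
# Abort the script when the previous command failed.
# Arguments: $1 - optional exit status to test; defaults to the $? of the
#                 command that ran immediately before this call.
# Outputs:   a coloured failure notice on stderr
# Returns:   0 when the status is zero; otherwise exits the script with 1
#######################################
ECHO_0_1 () {
  # $? has to be captured in the very first expansion, before any other
  # command inside the function overwrites it.
  local rc=${1:-$?}
  if [ "${rc}" -ne 0 ]; then
    # printf interprets the \033 escapes; the original echo lacked -e and
    # printed them literally.
    printf '\033[33m ...执行失败,退出... \033[0m\n' >&2
    exit 1
  fi
}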
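# Issue a client certificate for $1 and bundle ca.crt, <user>.crt, <user>.key
# and client.ovpn into /root/client/<user>.tar.gz.
# Requires: ECHO_0_1 (defined above), easy-rsa under /usr/share/easy-rsa and
#           the server CA under /etc/openvpn/easy-rsa/3/pki.
USERNAME=$1
SERVERIP="101.39.230.134"
SERVERPORT="64001"
CLIENT_DIR="/root/client"
BAK_DIR="/etc/openvpn/bak_tgz_userpassALL"

# The user name becomes part of file paths and certificate file names; reject
# anything outside a conservative character set so "/" or ".." cannot escape
# CLIENT_DIR or the easy-rsa pki directories.
if [[ ! "${USERNAME}" =~ ^[A-Za-z0-9._-]+$ ]]; then
  printf '\033[33m ...用户名只能包含字母、数字、点、下划线和横线,退出... \033[0m\n' >&2
  exit 1
fi

# Start from a clean working directory. ":?" refuses to expand an empty path,
# so the rm can never degrade into "rm -rf /*".
mkdir -p "${CLIENT_DIR}"
rm -rf -- "${CLIENT_DIR:?}"/*
printf '\033[32m...复制/usr/share/easy-rsa/目录至/root/client/目录下....\033[0m\n'
cd "${CLIENT_DIR}" || exit 1
cp -R /usr/share/easy-rsa/ "${CLIENT_DIR}/"
sleep 1
cd easy-rsa/3/ || exit 1
printf '\033[32m ....清空用户生成规则...\033[0m\n'
./easyrsa init-pki
sleep 1
# printf %s keeps the user name out of the format string.
printf '\033[32m .....创建客户端用户%s ,请小心输入并记录登录密码!!Common Name随便写,但不要与其他的重复.. \033[0m\n' "${USERNAME}"
./easyrsa gen-req "${USERNAME}"
# ECHO_0_1 inspects the $? of the command immediately before it and exits on failure.
ECHO_0_1
echo "跳转至/etc目录"
cd /etc/openvpn/easy-rsa/3 || exit 1
pwd
printf '\033[32m ....将%s.req导入进此目录的 pki/reqs/目录下 \033[0m\n' "${USERNAME}"
./easyrsa import-req "${CLIENT_DIR}/easy-rsa/3/pki/reqs/${USERNAME}.req" "${USERNAME}"
ECHO_0_1
# easyrsa prompts for the CA passphrase itself; the prompt text must not
# contain the passphrase (the original script printed it on screen).
printf '\033[32m .....签约证书,请先输入yes。。。再输入ca.key密码 ...\033[0m\n'
./easyrsa sign client "${USERNAME}"
ECHO_0_1
printf '\033[32m ....将下列文件放到/root/client 目录下... \033[0m\n'
cp /etc/openvpn/easy-rsa/3/pki/ca.crt "${CLIENT_DIR}/" \
  && cp "/etc/openvpn/easy-rsa/3/pki/issued/${USERNAME}.crt" "${CLIENT_DIR}/" \
  && cp "${CLIENT_DIR}/easy-rsa/3/pki/private/${USERNAME}.key" "${CLIENT_DIR}/"
ECHO_0_1
printf '\033[32m ....创建client.ovpn文件...\033[0m\n'
# ns-cert-type is deprecated in OpenVPN 2.4 and relies on an nsCertType
# extension that Easy-RSA 3 does not add by default; remote-cert-tls checks the
# extendedKeyUsage the server certificate actually carries.
cat >"${CLIENT_DIR}/client.ovpn" <<-EOF
client
dev tun
proto tcp
remote ${SERVERIP} ${SERVERPORT} #对应openvpn的外网ip以及开放端口
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ${USERNAME}.crt
key ${USERNAME}.key
comp-lzo
remote-cert-tls server
verb 3
EOF
# Echo the generated profile back; a missing file is reported but not fatal,
# matching the original best-effort behaviour.
if ! cat "${CLIENT_DIR}/client.ovpn"; then
  printf '\033[33m ....../root/client/client.ovpn 文件创建失败! 继续.... \033[0m\n' >&2
fi
sleep 1
cd "${CLIENT_DIR}/" || exit 1
echo "打包/root/client目录下ca.crt、${USERNAME}.crt、${USERNAME}.key、client.ovpn文件,除了easy-rsa目录"
# Archive exactly the four files the message names, so the bundle can never
# pick up the easy-rsa tree or a stale archive.
tar -czvf "${USERNAME}.tar.gz" ca.crt "${USERNAME}.crt" "${USERNAME}.key" client.ovpn
ECHO_0_1
# The bundle contains the client's private key; keep it readable by root only.
chmod 600 "${USERNAME}.tar.gz"
# sz (lrzsz) pushes the bundle through a ZMODEM-capable terminal; skip when absent.
if command -v sz >/dev/null 2>&1; then
  sz "${USERNAME}.tar.gz"
fi
mkdir -p "${BAK_DIR}"
chmod 700 "${BAK_DIR}"
# "command cp" bypasses the root alias cp='cp -i', like the original \cp.
command cp "${USERNAME}.tar.gz" "${BAK_DIR}/"
tar -tvf "${BAK_DIR}/${USERNAME}.tar.gz"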
最后把 ${USERNAME}.tar.gz 中的4个文件复制到客户端的config目录即可
登录成功标志,图标变绿
启动、开机自启
# Start the server instance now, then make it start on boot. The instance name
# "server" comes from /etc/openvpn/server.conf.
for action in start enable; do
  systemctl "${action}" openvpn@server.service
done
注:如发现客户端连接后出口IP不对,则需要添加下列防火墙规则(规则中的 eth0 需与 ifconfig 显示的实际外网网卡名一致)
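# Firewall rules for the VPN client subnet on the public interface.
# EXT_IF defaults to eth0 as in the original rules, but can be overridden from
# the environment; the host shown at the top of this page reports ens33.
EXT_IF="${EXT_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
iptables -A INPUT -s "${VPN_NET}" -j ACCEPT
# Port 18090: purpose not stated on this page; kept as in the original rules.
iptables -A INPUT -p udp -m udp --dport 18090 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 18090 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 18090 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# OpenVPN listens on tcp/1194 (server.conf: port 1194, proto tcp).
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A FORWARD -s "${VPN_NET}" -o "${EXT_IF}" -j ACCEPT
iptables -A FORWARD -d "${VPN_NET}" -i "${EXT_IF}" -j ACCEPT
# POSTROUTING exists only in the nat table; without -t nat this command fails
# with "No chain/target/match by that name" and no masquerading is installed.
iptables -t nat -A POSTROUTING -s "${VPN_NET}" -o "${EXT_IF}" -j MASQUERADE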
-----------------------end