SDB:OpenVPN Installation and Setup


OpenVPN is a full-featured SSL VPN (virtual private network) solution. It uses the industry-standard SSL/TLS protocol to implement secure network extension at OSI layer 2 or 3, supports routed or bridged configurations, and provides secure point-to-point or site-to-site connections for remote access.

Purpose

This guide walks through installing and setting up an OpenVPN server and its clients.


Requirements

TUN/TAP

TUN/TAP must be installed and enabled. To check that this requirement is met, run

cat /dev/net/tun

The output should be

cat: /dev/net/tun: File descriptor in bad state

That error is the expected result: it means the device node exists and the tun driver answers. A "No such file or directory" message instead means the tun module is not loaded or the device node is missing.

Installing OpenVPN

Install OpenVPN with the openSUSE package manager

zypper in openvpn



Installing Easy-RSA

Easy-RSA is an openssl-based key management package; it builds and operates the certificate authority (CA) that issues the server and client certificates.

Install Easy-RSA with the openSUSE package manager

zypper in easy-rsa


Generating certificates and keys

If needed, edit the values of EASYRSA_REQ_COUNTRY, EASYRSA_REQ_PROVINCE, EASYRSA_REQ_CITY, EASYRSA_REQ_ORG, EASYRSA_REQ_EMAIL and EASYRSA_REQ_OU (organizational unit) in the file /etc/easy-rsa/vars.

The 'EASYRSA_KEY_SIZE' parameter in vars can be raised to 4096 for additional security. This makes key generation take considerably longer and slows down the TLS handshake when a client connects, but it has no effect on the throughput of the tunnel, because the RSA keys only authenticate the session and do not encrypt the traffic. This document uses the default of 2048.

To edit any file, for example vars, use vi

vim /etc/easy-rsa/vars

Press i to enter insert mode; when you are done editing, press Esc and then type :wq to save and quit vi.

Public Key Infrastructure (PKI) initialization

Run

easyrsa clean-all

(this is equivalent to 'easyrsa init-pki'; both remove any existing PKI under /etc/easy-rsa/pki, so never run it on a machine whose CA is already in use)

The output should be

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars


WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/easy-rsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/easy-rsa/pki

Run

easyrsa build-ca

Or, if you do not want the CA key to be protected by a passphrase, use the 'nopass' option

easyrsa build-ca nopass

Note that the CA key signs every server and client certificate: without a passphrase, anyone who can read /etc/easy-rsa/pki/private/ca.key can issue certificates the VPN will trust, so the unprotected form is only reasonable on a dedicated signing machine that is kept offline.

Press Enter to accept the defaults, or change them.

The output should be

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating a 2048 bit RSA private key
..............................................................+++
...........................................+++
writing new private key to '/etc/easy-rsa/pki/private/ca.key.lyD9dCZFDq'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/easy-rsa/pki/ca.crt

Generating the server certificate and key

Run

easyrsa build-server-full server
Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating a 2048 bit RSA private key
....................................+++
.................................................................................+++
writing new private key to '/etc/easy-rsa/pki/private/server.key.bO22znNIO3'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Oct  2 22:25:40 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Generating certificates and keys for 2 clients

To generate the first client certificate and key, run

easyrsa build-client-full client1
Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating a 2048 bit RSA private key
.............+++
............+++
writing new private key to '/etc/easy-rsa/pki/private/client1.key.dlwBEmx3SA'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /etc/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Oct  2 22:28:58 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

To generate the second client certificate and key, run

easyrsa build-client-full client2

Generating Diffie-Hellman parameters

Run

easyrsa gen-dh

The output should be

Note: using Easy-RSA configuration from: /etc/easy-rsa/vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

..........................+.+.......................

DH parameters of size 2048 created at /etc/easy-rsa/pki/dh.pem
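The whole procedure above (init-pki, build-ca, build-server-full, build-client-full, gen-dh), run non-interactively in one script and followed by a CRL and a chain check, as an added example that is not part of this page or of Easy-RSA itself. The easyrsa commands, the EASYRSA_* variables and the pki/ layout are Easy-RSA 3's own; the PKI directory, the CA name 'VPN CA', the server and client names, and the helper names build_pki and valid_name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the openSUSE wiki page: the Easy-RSA steps above
# run as one non-interactive script, plus a CRL so that server.conf can enforce
# revocation with 'crl-verify'. Assumptions: Easy-RSA 3 is installed as
# 'easyrsa' and the caller passes the PKI directory, server name and client
# names. EASYRSA_BATCH suppresses Easy-RSA's own prompts; openssl still asks
# for the CA passphrase when the CA is created and whenever it signs.

# Names become file names under the PKI directory and the certificate CN, so
# allow only a conservative character set (no '/', '..', spaces, shell
# metacharacters or leading dots).
valid_name() {
    case "$1" in
        '' | .* | *[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_pki PKI_DIR SERVER_NAME CLIENT_NAME...
build_pki() {
    pki="$1"; server="$2"; shift 2
    if ! command -v easyrsa >/dev/null 2>&1; then
        echo "easyrsa is not installed" >&2; return 2
    fi
    # 'init-pki' in batch mode wipes an existing PKI without asking, which
    # would destroy the CA silently; refuse instead.
    if [ -e "$pki" ]; then
        echo "$pki already exists, refusing to overwrite it" >&2; return 1
    fi
    valid_name "$server" || { echo "bad server name: $server" >&2; return 1; }
    for c in "$@"; do
        valid_name "$c" || { echo "bad client name: $c" >&2; return 1; }
    done

    export EASYRSA_PKI="$pki" EASYRSA_BATCH=1
    umask 077   # everything is owner-only until deliberately published below

    easyrsa init-pki || return 1
    # The CA key gets a passphrase (openssl prompts for it); server and client
    # keys are created without one so that the services can start unattended.
    EASYRSA_REQ_CN="VPN CA" easyrsa build-ca || return 1
    easyrsa build-server-full "$server" nopass || return 1
    for c in "$@"; do
        easyrsa build-client-full "$c" nopass || return 1
    done
    easyrsa gen-dh || return 1
    # Initially empty CRL; regenerate it after every 'easyrsa revoke <name>'.
    easyrsa gen-crl || return 1

    # Verify that every issued certificate chains to the new CA.
    for n in "$server" "$@"; do
        openssl verify -CAfile "$pki/ca.crt" "$pki/issued/$n.crt" || return 1
    done
    # Only the CA certificate, the DH parameters and the CRL are public.
    chmod 644 "$pki/ca.crt" "$pki/dh.pem" "$pki/crl.pem"
}

if [ "$#" -ge 2 ]; then
    build_pki "$@"
else
    echo "usage: $0 PKI_DIR SERVER_NAME CLIENT_NAME..." >&2
fi
```

Run it as root on the CA host with a directory that does not exist yet, for example build_pki /etc/easy-rsa/pki server client1 client2; the resulting files are the same ones the interactive steps above produce, plus pki/crl.pem, which a 'crl-verify /etc/easy-rsa/pki/crl.pem' line in server.conf uses to reject revoked clients.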

Key files

Each client needs 3 files: ca.crt, clientX.crt and clientX.key. ca.crt is in '/etc/easy-rsa/pki/', clientX.crt is in '/etc/easy-rsa/pki/issued/', and clientX.key is in '/etc/easy-rsa/pki/private/'. Copy these files to the client machine over an authenticated, encrypted channel; the private key must never be sent in the clear. FileZilla with sftp is one way to transfer them.

Other ways to pull these files from the remote server

Scp (secure copy); for example

scp user@<remote-server>:/path/to/file /local/path/to/store

Rsync over ssh; for example

rsync -av -e "ssh -p 22" user@<remote-server>:/path/to/file /local/path/to/store

Which file goes where, and which ones must be kept secret:

Filename     Needed by                   Purpose                     Secret
ca.crt       server + all clients        Root CA certificate         NO
ca.key       key signing machine only    Root CA key                 YES
dh.pem       server only                 Diffie-Hellman parameters   NO
server.crt   server only                 Server certificate          NO
server.key   server only                 Server key                  YES
client1.crt  client1 only                Client1 certificate         NO
client1.key  client1 only                Client1 key                 YES
client2.crt  client2 only                Client2 certificate         NO
client2.key  client2 only                Client2 key                 YES

Client configuration

Create a client.conf file for each client with the following content

client
# address and port of the OpenVPN server; replace with the real server IP or host name
remote 192.168.1.100 1194
ca "/path/to/ca.crt"
cert "/path/to/client.crt"
key "/path/to/client.key"
# compression must match the server; it is deprecated and best removed on both sides
comp-lzo yes
cipher AES-256-CBC
dev tun
proto udp
nobind
# do not keep the key passphrase or credentials cached in memory
auth-nocache
# 2 allows user-defined up/down scripts to run; 1 is enough if none are used
script-security 2
persist-key
persist-tun
# require the server certificate to be marked for server use, so that a client
# certificate issued by the same CA cannot be used to impersonate the server
remote-cert-tls server

Note that '192.168.1.100' should be the actual IP address of the server running OpenVPN. Also, substitute the appropriate client name in the cert and key paths, and keep client.key readable only by the user that runs OpenVPN. For more information on the configuration file, see http://openvpn.net/index.php/open-source/documentation/howto.html#examples
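Instead of copying the three files from the key files section separately, the client can be given a single profile with ca.crt, clientX.crt and clientX.key embedded inline. The following is an added example, not code from this page or from the OpenVPN project: it mirrors the client.conf above, reads the files from the Easy-RSA layout used on this page, and refuses to bundle a private key that is readable by other users. The server host name, the helper names make_client_bundle, pem_body, file_mode and verify_client_cert, and the use of GNU or BSD stat are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the openSUSE wiki page: assemble one self-contained
# .ovpn profile per client instead of copying ca.crt, clientX.crt and
# clientX.key separately. The directives mirror the client.conf above (so
# comp-lzo must still match the server); paths follow the Easy-RSA layout
# under the given PKI directory; the server address is supplied by the caller.

# Print only the PEM block of a file; Easy-RSA writes a text dump of the
# certificate before the '-----BEGIN' line, which OpenVPN does not need.
pem_body() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# Octal permission bits of a file, e.g. 600 (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# make_client_bundle PKI_DIR CLIENT_NAME SERVER_HOST [PORT]
# Writes the profile to stdout. Fails when a file is missing or when the
# private key is readable by group/others, so a loosely protected key is
# never silently copied around.
make_client_bundle() {
    pki="$1"; name="$2"; host="$3"; port="${4:-1194}"
    ca="$pki/ca.crt"; crt="$pki/issued/$name.crt"; key="$pki/private/$name.key"

    for f in "$ca" "$crt" "$key"; do
        if [ ! -r "$f" ]; then echo "missing or unreadable: $f" >&2; return 1; fi
    done
    case "$(file_mode "$key")" in
        [0-7]00) ;;
        *) echo "refusing: $key must be owner-only (chmod 600)" >&2; return 1 ;;
    esac

    cat <<EOF
client
dev tun
proto udp
remote $host $port
nobind
persist-key
persist-tun
# reject a peer that presents a client certificate as the server
remote-cert-tls server
auth-nocache
cipher AES-256-CBC
comp-lzo yes
verb 3
<ca>
$(pem_body "$ca")
</ca>
<cert>
$(pem_body "$crt")
</cert>
<key>
$(pem_body "$key")
</key>
EOF
}

# Optional: cryptographic check that the client certificate chains to the CA
# (needs openssl on the PKI host). Run it before bundling a real certificate.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/issued/$2.crt"
}

if [ "$#" -ge 3 ]; then
    make_client_bundle "$@"
else
    echo "usage: $0 PKI_DIR CLIENT_NAME SERVER_HOST [PORT]" >&2
fi
```

On the PKI host, run it as root with a restrictive umask so the profile is never world-readable, e.g. umask 077; make_client_bundle /etc/easy-rsa/pki client1 vpn.example.org > client1.ovpn, then copy the single client1.ovpn over scp or sftp as described above. The profile contains the private key, so it must be handled exactly like clientX.key.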

Server configuration

Edit the openvpn configuration

vim /etc/openvpn/server.conf

#Change to the port you want to listen on
port 1194

#You can use udp or tcp
proto udp

# "dev tun" will create a routed IP tunnel.
dev tun
topology subnet

#Certificate configuration

#CA certificate
ca /etc/easy-rsa/pki/ca.crt
#Server certificate
cert /etc/easy-rsa/pki/issued/server.crt

#Server key; keep it secret (owned by root, mode 600).
#askpass reads the passphrase of server.key from a file so that the service can
#start unattended; that file must be protected exactly like the key itself.
askpass /etc/easy-rsa/pki/private/server.pass
key /etc/easy-rsa/pki/private/server.key

#Diffie-Hellman parameters generated above with 'easyrsa gen-dh'
dh /etc/easy-rsa/pki/dh.pem

#Subnet from which connected clients get their tunnel addresses
server 10.8.0.0 255.255.255.0

#This line redirects all client traffic through the VPN
push "redirect-gateway def1"
#Route to the LAN behind the server
push "route 192.168.0.0 255.255.255.0"

#Provide DNS servers to the clients; Google DNS is used here as an example
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

#Allow multiple clients to connect with the same certificate. Not needed when every
#client has its own certificate as generated above; leave it out so that a leaked
#certificate can be revoked without affecting the other clients.
duplicate-cn

cipher AES-256-CBC

keepalive 20 60
#Compression is deprecated in current OpenVPN releases; if you remove it here,
#remove it from the client configurations too.
comp-lzo
persist-key
persist-tun
daemon

#OpenVPN status log
status /var/log/openvpn/openvpn-status.log

#Enable logging (the directory /var/log/openvpn must exist)
log-append /var/log/openvpn/openvpn.log

#Log level
verb 3

Save the file and exit vi. If askpass is used, the file /etc/easy-rsa/pki/private/server.pass must contain the passphrase chosen for server.key on a single line and be readable by root only; alternatively, create the server key without a passphrase ('easyrsa build-server-full server nopass') and omit the askpass line.


Firewall configuration

Open UDP port 1194 (YaST > Security and Users > Firewall > Allowed Services).

Enable IP forwarding so that the server can route traffic for the clients. Edit sysctl.conf

vim /etc/sysctl.conf

and make sure it contains

net.ipv4.ip_forward = 1

Save the file and exit vi.


For openSUSE Leap 15 and later

Using firewalld

#Open incoming connections to the server, if you haven't already done it with YaST
firewall-cmd --zone=public --add-service openvpn

#Add tun0 to the trusted zone. The device name may vary depending on how many VPNs and other services like VMs you're running
firewall-cmd --zone=trusted --add-interface tun0

#Enable masquerading
firewall-cmd --zone=trusted --add-masquerade

#Swap eth0 for the device (or IP) that the traffic you need NAT'd goes out of
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#Once you're happy it's working, save with
firewall-cmd --runtime-to-permanent

Note that the trusted zone accepts every packet, so this gives all VPN clients unfiltered access to every service on the server and, through forwarding, to the LAN. If clients should only reach specific services, put tun0 in a zone of its own and allow just those services there.

For openSUSE Leap 42.3

Start the OpenVPN service by bringing up the tun0 device with ifup

sudo wicked ifup tun0

Enable the firewall rules at boot

vim /etc/rc.d/boot.local

# Allow traffic initiated from VPN to access LAN
#iptables -I FORWARD -i tun0 -o eth0  -s 10.8.0.0/24 -d 192.168.0.0/24  -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from VPN to access Internet
iptables -I FORWARD -i tun0 -o eth0  -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from LAN to access Internet
#iptables -I FORWARD -i eth0 -o eth1  -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED  -j ACCEPT

# Notice that -I is used, so when listing it (iptables -vxnL) it
# will be reversed.  This is intentional in this demonstration.

# Masquerade traffic from VPN to Internet -- done in the nat table
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

# Masquerade traffic from LAN to Internet
#iptables -t nat -I POSTROUTING -o eth1  -s 192.168.0.0/24 -j MASQUERADE

If using OpenVZ, add the following

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.100

If using KVM or anything else, add the following

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Note that 192.168.1.100 is the server's IP address and should be changed to reflect the actual value.


Starting OpenVPN and connecting

Start OpenVPN

systemctl start openvpn@server

Enable the OpenVPN service to start at boot

systemctl enable openvpn@server

To test the connection without rebooting first, run

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also apply all the iptables rules from the previous section. You can run the commands one by one, or execute '/etc/rc.d/boot.local' (be careful: this runs everything in that file).

sh /etc/rc.d/boot.local

The configuration can also be imported in the Network Manager application.

Hardening OpenVPN security

See: http://openvpn.net/index.php/open-source/documentation/howto.html#security
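The server.conf above contains several settings that the hardening guide linked here advises against. As an added example, not code from this page or from the OpenVPN project, the following script audits a server configuration for those settings and shows the weak sample beside a hardened one. The audit rules are this example's own choices (common hardening advice, not a complete policy); the sample configurations, the key path /etc/openvpn/tc.key and the helper names audit_openvpn_conf, conf_get and has are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the openSUSE wiki page: audit an OpenVPN server.conf
# for weak settings. The rules below are this example's own choices and the
# sample configurations are constructed for demonstration.

# Print the lines of FILE that set DIRECTIVE (a grep -E pattern), with comments
# and leading whitespace removed. Prints nothing when the directive is absent.
conf_get() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" | grep -E "^$2([[:space:]]|\$)" || true
}
has() { [ -n "$(conf_get "$1" "$2")" ]; }

# audit_openvpn_conf FILE: one finding per line on stdout; exit status 0 when
# nothing was found, 1 otherwise.
audit_openvpn_conf() {
    f="$1"; n=0
    # Compression lets an attacker who controls part of the plaintext learn
    # secrets from packet sizes (VORACLE); it is deprecated in OpenVPN 2.4+.
    if has "$f" 'comp-lzo' || has "$f" 'compress'; then
        echo "compression enabled (comp-lzo/compress): remove it on server and clients"; n=$((n + 1))
    fi
    # With duplicate-cn several clients can share one certificate, so a leaked
    # certificate cannot be revoked without cutting off the others.
    if has "$f" 'duplicate-cn'; then
        echo "duplicate-cn set: issue one certificate per client instead"; n=$((n + 1))
    fi
    # Once the tunnel is up the daemon can drop root; persist-key and
    # persist-tun keep restarts working afterwards.
    if ! has "$f" 'user' || ! has "$f" 'group'; then
        echo "no user/group directive: the daemon keeps running as root"; n=$((n + 1))
    fi
    # A pre-shared control-channel key (tls-crypt or tls-auth) rejects
    # unauthenticated packets before the TLS handshake even starts.
    if ! has "$f" 'tls-crypt(-v2)?' && ! has "$f" 'tls-auth'; then
        echo "no tls-crypt/tls-auth: control channel is not pre-authenticated"; n=$((n + 1))
    fi
    # Without a CRL a revoked client certificate is still accepted.
    if ! has "$f" 'crl-verify'; then
        echo "no crl-verify: revoked client certificates are still accepted"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: the settings used in the server.conf above.
weak_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
key /etc/easy-rsa/pki/private/server.key
dh /etc/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn          # shared certificates
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
EOF
}

# Constructed sample: the same server with the findings addressed. The key
# paths are assumptions; tc.key is created with 'openvpn --genkey --secret'
# and crl.pem with 'easyrsa gen-crl'.
hardened_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/easy-rsa/pki/ca.crt
cert /etc/easy-rsa/pki/issued/server.crt
key /etc/easy-rsa/pki/private/server.key
dh /etc/easy-rsa/pki/dh.pem
tls-crypt /etc/openvpn/tc.key
crl-verify /etc/easy-rsa/pki/crl.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Demonstration: audit both samples, writing nothing outside a temp file.
demo() {
    t=$(mktemp)
    weak_server_conf > "$t"; echo "== weak =="; audit_openvpn_conf "$t" || true
    hardened_server_conf > "$t"; echo "== hardened =="; audit_openvpn_conf "$t" && echo "no findings"
    rm -f "$t"
}
demo
```

To audit the real file, call audit_openvpn_conf /etc/openvpn/server.conf. The tls-crypt key must be copied to every client (inline as a tls-crypt block or via the tls-crypt directive) and the group name for the privilege drop must exist on the host.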

外部链接