OpenVPN deployment on CentOS 7
1. Client-server routed mode
Uses tun, openssl and lzo compression, enables IP forwarding, generates the certificates and disables selinux. Synchronise the clock first.

#1 Install
yum -y install openvpn easy-rsa

#2 Config files
cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/3.0.3/vars
cd /etc/openvpn/easy-rsa/3.0.3/
Directory structure:
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    ├── san
    └── server

#3 Create the PKI and the CA
In /etc/openvpn/easy-rsa/3.0.3/:
./easyrsa init-pki    # initialise the PKI: creates the empty private and reqs directories

#4 Create the CA
./easyrsa build-ca nopass    # press Enter at the prompts
ll /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key

#5 Create the server certificate (private key)
./easyrsa gen-req server nopass    # generates the server key and the certificate request file
ll /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key
ll /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req

#6 Sign the server certificate
./easyrsa sign server server
ls /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

#7 Generate the Diffie-Hellman parameters; both sides use them to agree on the key for the "symmetric encryption" of the subsequent data transfer.
./easyrsa gen-dh
ll /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

#8 Client certificate
cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/client/easy-rsa/3.0.3/vars
cd /etc/openvpn/client/easy-rsa/3.0.3
./easyrsa init-pki    # creates the pki directory
Generate the client certificate:
./easyrsa gen-req zhangshijie nopass    # a password can also be configured for the key
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/zhangshijie.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/zhangshijie.key
Sign the client certificate: go back to the main directory
cd /etc/openvpn/easy-rsa/3.0.3/
Import the client req file:
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/zhangshijie.req zhangshijie
./easyrsa sign client zhangshijie
Produces /etc/openvpn/easy-rsa/3.0.3/pki/issued/zhangshijie.crt

# Collect the certificates: server-side certificate and key
mkdir /etc/openvpn/certs
cd /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
├── ca.crt
├── dh.pem
├── server.crt
└── server.key

Client public and private key:
mkdir /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/zhangshijie.crt /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/zhangshijie.key /etc/openvpn/client/zhangshijie/

# Server config file
grep -v "#" /etc/openvpn/server.conf | grep -v "^$"
local 172.20.134.25    # IP this host listens on
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key    # required; the sample's key line carries a trailing comment, so grep -v "#" hides it
dh /etc/openvpn/certs/dh.pem
server 192.168.36.0 255.255.255.0    # VPN subnet
push "route 10.20.0.0 255.255.0.0"    # additional subnet, pushed as a route to the clients
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

# Start
systemctl start openvpn@server
ss -tnl    # check that the port is listening
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services iptables -y
systemctl enable iptables.service
systemctl start iptables.service
# Flush the existing rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
Enable forwarding:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
iptables rules:
iptables -t nat -A POSTROUTING -s 192.168.36.0/24 -j MASQUERADE    # the source range is the subnet configured by "server 192.168.36.0 255.255.255.0"
iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
service iptables save
iptables -vnL
Log directory:
mkdir /var/log/openvpn
chown nobody.nobody /var/log/openvpn

# Client config file
cd /etc/openvpn/client/zhangshijie
grep -Ev "^(#|$|;)" /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/client.conf
client
dev tun
proto udp
remote my-server-1-ip 1194    # fill in the server IP
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client-name.crt
key client-name.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Save this as client.ovpn with the values adjusted to match the server above: proto tcp (the server listens on tcp), remote <server IP> 1194, cert zhangshijie.crt and key zhangshijie.key; drop the tls-auth ta.key 1 line, since no ta.key was generated and the server config does not use tls-auth.
tree
/etc/openvpn/client/zhangshijie/
├── ca.crt
├── client.ovpn
├── zhangshijie.crt
└── zhangshijie.key

Client software installation: install with administrator privileges. After installation, open Device Manager and confirm that a new TAP adapter has been added and its driver is working; pay attention to the version number. Copy the user's public/private key and config file into the client's config directory, start the program and test.
Verification: in cmd, route -n, then ping an intranet server.

Common errors:
#Error 1:
CreateFile failed on TAP device
All TAP-Win32 adapters on this system are currently in use.
Fix: Device Manager -> Properties -> check that the TAP device driver is working. Uninstall the software, reboot the machine and download the matching version:
https://build.openvpn.net/downloads/releases/latest/openvpn-install-latest-winxp-x86_64.exe

#Error 2:
Route addition fallback to route.exe
ERROR: Windows route add command failed [adaptive]: returned error code 1
Fix: on Vista/Win7/Win2003/Win2008 and similar systems this is caused by installing and starting OpenVPN GUI without administrator privileges, so the OpenVPN process has no permission to modify the system routing table. Reinstall OpenVPN with administrator privileges and, when starting OpenVPN GUI, right-click it and choose to run as administrator. Some systems prompt to open it in Vista-or-later compatibility mode.

#Error 3:
There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
On Vista/Win7/Win10, run it with administrator privileges.

I thought a route to the vpn-server should be added on the intranet, so I tried it: after adding it the client could access the intranet, and after a reboot, with that route gone, it still could. Thinking it over, the intranet should not need a route, since the data leaves through the intranet NIC and the egress address is also the intranet address.
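As an added example (not part of the original post), a small Python lint that checks the server.conf above against a client.ovpn for the mismatches this walkthrough can produce: the client sample left on proto udp while the server is proto tcp, placeholder remote and cert/key names, tls-auth ta.key referenced without a ta.key, and a server.conf whose key line was hidden by grep -v "#". The config strings and the client directory listing are constructed from the values shown in the post.

```python
"""Added example (not from the post): lint server.conf vs client.ovpn for the
mismatches that stop the first connection in this walkthrough."""

def parse_ovpn(text):
    """Map each directive to its first args, skipping blank and '#'/';' comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(';'):
            continue
        parts = line.split()
        conf.setdefault(parts[0], parts[1:])
    return conf

def lint(server_text, client_text, client_files):
    """Return the problems found; client_files are the names next to client.ovpn."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    sp, cp = s.get('proto', ['udp'])[0], c.get('proto', ['udp'])[0]
    if sp[:3] != cp[:3]:  # tcp/tcp4/tcp-server all start with 'tcp'
        out.append('proto mismatch: server %s, client %s' % (sp, cp))
    remote = c.get('remote', [])
    if not remote or remote[0] == 'my-server-1-ip':
        out.append('remote still holds the sample placeholder')
    elif len(remote) > 1 and remote[1] != s.get('port', ['1194'])[0]:
        out.append('port mismatch: client remote uses %s' % remote[1])
    if s.get('cipher') != c.get('cipher'):
        out.append('cipher mismatch: %s vs %s' % (s.get('cipher'), c.get('cipher')))
    for d in ('ca', 'cert', 'key'):
        if d not in s:  # grep -v "#" hides 'key server.key  # ...' in the sample
            out.append('server.conf has no %s directive' % d)
    for d in ('ca', 'cert', 'key', 'tls-auth'):
        if d in c and c[d][0] not in client_files:
            out.append('client %s %s: file not in client dir' % (d, c[d][0]))
    if ('tls-auth' in c) != ('tls-auth' in s):
        out.append('tls-auth configured on one side only')
    return out

# Constructed from the configs in the post: server proto tcp without a key line,
# client still the untouched sample (proto udp, placeholder names, tls-auth ta.key).
SERVER_CONF = ("local 172.20.134.25\nport 1194\nproto tcp\ndev tun\n"
               "ca /etc/openvpn/certs/ca.crt\ncert /etc/openvpn/certs/server.crt\n"
               "dh /etc/openvpn/certs/dh.pem\nserver 192.168.36.0 255.255.255.0\ncipher AES-256-CBC\n")
CLIENT_SAMPLE = ("client\ndev tun\nproto udp\nremote my-server-1-ip 1194\nca ca.crt\n"
                 "cert client-name.crt\nkey client-name.key\nremote-cert-tls server\n"
                 "tls-auth ta.key 1\ncipher AES-256-CBC\n")
CLIENT_FIXED = ("client\ndev tun\nproto tcp\nremote 172.20.134.25 1194\nca ca.crt\n"
                "cert zhangshijie.crt\nkey zhangshijie.key\nremote-cert-tls server\ncipher AES-256-CBC\n")
CLIENT_DIR = ['ca.crt', 'client.ovpn', 'zhangshijie.crt', 'zhangshijie.key']  # tree output in the post
```

Running lint(SERVER_CONF, CLIENT_SAMPLE, CLIENT_DIR) reports seven problems for the untouched sample; the corrected pair (server.conf with its key line, CLIENT_FIXED) reports none.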
OpenVPN server bridged mode
OpenVPN server routed mode + password authentication + MySQL
Other modes
To be continued...