Installing and configuring an OpenVPN server on CentOS 8
Posted by 白-胖-子
Because of keyword filtering on the original platform, "VPN" was written as "V P P PN" (and as "v$p$n" inside commands); read those as VPN.
VPN overview
VPN: Virtual Private Network
Dedicated private lines are expensive. A VPN builds a private network on top of the public Internet so that data can be transmitted securely over untrusted links.
A VPN must therefore use encryption.
OpenVPN
- Open-source VPN implementation
- Packaged in the EPEL repository
- Well suited to individual users who need ad-hoc connections to internal servers
yum provides openvpn
openvpn-2.4.11-1.el8.x86_64 : A full-featured SSL VPN
: solution
Repo : EPEL
Matched from:
Provide : openvpn = 2.4.11-1.el8
- The commercial edition is richer in features and easier to use
- The free edition costs nothing
Installing OpenVPN on CentOS 8
Configuring the EPEL repository
The OpenVPN package lives in EPEL, so the EPEL repository must be configured first (save the following as a .repo file under /etc/yum.repos.d/; keep gpgcheck=1 so every package is verified against the EPEL signing key):
[EPEL]
name=EPEL
baseurl=https://mirrors.ustc.edu.cn/epel/$releasever/Everything/$basearch/
https://mirrors.huaweicloud.com/epel/$releasever/Everything/$basearch/
https://mirrors.cloud.tencent.com/epel/$releasever/Everything/$basearch/
https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/Everything/$basearch/
gpgcheck=1
gpgkey=https://mirrors.ustc.edu.cn/epel/RPM-GPG-KEY-EPEL-$releasever
Installing OpenVPN and the easy-rsa certificate tool with yum
- OpenVPN server
yum -y install openvpn
- Certificate management tool
yum -y install easy-rsa
Inspecting the installed files
rpm -ql openvpn
/etc/openvpn ## main directory
/etc/openvpn/client ## client configuration directory
/etc/openvpn/server ## server configuration directory
……
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn ## main program
/usr/share/doc/openvpn
/usr/share/doc/openvpn/AUTHORS
/usr/share/doc/openvpn/COPYING
/usr/share/doc/openvpn/COPYRIGHT.GPL
/usr/share/doc/openvpn/ChangeLog
/usr/share/doc/openvpn/Changes.rst
/usr/share/doc/openvpn/README
/usr/share/doc/openvpn/README.auth-pam
/usr/share/doc/openvpn/README.down-root
/usr/share/doc/openvpn/README.systemd
/usr/share/doc/openvpn/contrib
/usr/share/doc/openvpn/contrib/OCSP_check
/usr/share/doc/openvpn/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn/contrib/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn/contrib/pull-resolv-conf
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn/management-notes.txt
/usr/share/doc/openvpn/sample
/usr/share/doc/openvpn/sample/sample-config-files ## sample configuration files
/usr/share/doc/openvpn/sample/sample-config-files/README ## configuration notes
/usr/share/doc/openvpn/sample/sample-config-files/client.conf
/usr/share/doc/openvpn/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn/sample/sample-config-files/home.up
/usr/share/doc/openvpn/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn/sample/sample-config-files/office.up
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn/sample/sample-config-files/server.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn/sample/sample-scripts
/usr/share/doc/openvpn/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn/sample/sample-windows
/usr/share/doc/openvpn/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn
rpm -ql easy-rsa
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/COPYING.md
/usr/share/doc/easy-rsa/ChangeLog
/usr/share/doc/easy-rsa/README.md
/usr/share/doc/easy-rsa/README.quickstart.md
/usr/share/doc/easy-rsa/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa
/usr/share/licenses/easy-rsa/gpl-2.0.txt
Preparing the configuration files
- Copy the sample server.conf into the OpenVPN directory; it will be edited as needed later
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
- Prepare the certificate-issuing files
Copy the whole easy-rsa tree to serve as the certificate working directory
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-sever
- Prepare the vars file that holds the variables for certificate issuance
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-sever/3/vars
- In vars, extend the validity of the CA certificate and of the certificates issued to the OpenVPN server
# CA certificate lifetime; default 10 years, can be extended
#set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CA_EXPIRE 36500
# OpenVPN server certificate lifetime; default 825 days, can be extended
#set_var EASYRSA_CERT_EXPIRE 825
set_var EASYRSA_CERT_EXPIRE 8250
Note: the signing output further down still reports "825 days", so this change to vars had not taken effect for the run shown; check the lifetime printed by easyrsa sign before deploying a certificate.
Generating the certificates
- Use the easy-rsa script to build a certificate authority for OpenVPN and issue its certificates
Change into the script directory and generate everything from there
- Enter the script directory
cd /etc/openvpn/easy-rsa-sever/3/
- Use the script to create the pki directory and its files
./easyrsa init-pki
[root@C8-200 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-sever/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-sever/3/pki
Creating the CA
nopass leaves the CA private key unencrypted on disk: convenient for a lab, but anyone who can read pki/private/ca.key can issue certificates this server will trust, so protect that file.
./easyrsa build-ca nopass
[root@C8-200 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-sever/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
...+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:sun
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-sever/3/pki/ca.crt
Creating the server certificate request for the OpenVPN server
./easyrsa gen-req sun nopass
[root@C8-200 3]# ./easyrsa gen-req sun nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-sever/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating a RSA private key
..........+++++
............................................+++++
writing new private key to '/etc/openvpn/easy-rsa-sever/3/pki/easy-rsa-1635.xIdEVM/tmp.Yv9Ze5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [sun]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-sever/3/pki/reqs/sun.req # the generated request file
key: /etc/openvpn/easy-rsa-sever/3/pki/private/sun.key # the generated private key
Issuing the certificate for the OpenVPN server
- Sign the request in sun.req as a certificate of type server
./easyrsa sign server sun
[root@C8-200 3]# ./easyrsa sign server sun
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-sever/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = sun
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-sever/3/pki/easy-rsa-1686.l3Htxe/tmp.bO1hWE
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'sun'
Certificate is to be certified until Aug 13 22:59:57 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-sever/3/pki/issued/sun.crt
Creating the Diffie-Hellman parameters
- To protect data in transit through OpenVPN, generate the Diffie-Hellman parameters used by the TLS key exchange
./easyrsa gen-dh
./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-sever/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................+..## this takes a while ##......................++*++*++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-sever/3/pki/dh.pem
They can also be generated with openssl directly
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
At this point the server-side certificate material is complete.
Copying the CA and server certificate files into the OpenVPN directory
- Create a dedicated directory for the certificates
mkdir /etc/openvpn/certs
- Copy the certificate files
cp /etc/openvpn/easy-rsa-sever/3/pki/{ca.crt,dh.pem} /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-sever/3/pki/issued/sun.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-sever/3/pki/private/sun.key /etc/openvpn/certs/
Preparing the OpenVPN server configuration file
Configuration parameters explained
# In server.conf, lines starting with # or ; are comments
[root@centos8 ~]#grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d #local IP to listen on; default is every local address
port 1194 #port
;proto tcp #protocol; TCP is recommended for production
proto udp #default protocol
;dev tap #Ethernet (layer-2) tunnel: a tap device passes complete Ethernet frames through the OpenVPN tunnel, so non-IP protocols such as IPX and AppleTalk can be carried; tap behaves like an Ethernet interface and operates on layer-2 frames
dev tun #routed IP (layer-3) tunnel; recommended for production and for use over the Internet. A tun device is mostly used for IP-based traffic: it emulates a network-layer device and operates on layer-3 packets such as IP datagrams
;dev-node MyTap #TAP-Win32 adapter; not needed outside Windows
ca ca.crt #CA certificate
cert server.crt #server certificate
key server.key #server private key
dh dh2048.pem #DH parameters file
;topology subnet
server 10.123.223.0 255.255.255.0 #address pool handed to connected clients; the server takes the first address itself (10.123.223.1 for this pool) and it becomes the clients' gateway
ifconfig-pool-persist ipp.txt #keep each client on a fixed IP across restarts; not required, better commented out
;server-bridge 10.123.223.4 255.255.255.0 10.123.223.50 10.123.223.100 #bridge mode; not needed, leave commented
;server-bridge
;push "route 192.168.10.0 255.255.255.0" #static route pushed to clients for a subnet behind the server, next hop the OpenVPN server's tunnel address
;push "route 192.168.20.0 255.255.255.0" #push routes so that clients can reach other private subnets behind the server
;client-config-dir ccd #per-client routes, normally for a subnet behind that client rather than behind the server; not needed here
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script #run an external script, for example to create per-group iptables rules; not needed
;push "redirect-gateway def1 bypass-dhcp" #when enabled, all client traffic is routed through the VPN server; usually not wanted in production
;push "dhcp-option DNS 208.67.222.222" #push DNS servers to clients; not needed
;push "dhcp-option DNS 208.67.220.220"
;client-to-client #allow clients to talk to each other directly; insecure, normally left off in production
;duplicate-cn #several users share one certificate; for test environments only, production uses one certificate per user
keepalive 10 120 #server-side liveness check: ping every 10 seconds, consider the peer down after 120 seconds without a reply
tls-auth ta.key 0 #hardening against DoS and similar attacks. Generate the key with: openvpn --genkey --secret ta.key. The server and every client need a copy of this key; the second argument must be 0 on the server and 1 on clients
cipher AES-256-CBC #data-channel cipher
;compress lz4-v2 #enable the new compression algorithm of OpenVPN 2.4.x
;push "compress lz4-v2" #push the new compression algorithm to clients; do not combine with comp-lzo below
;comp-lzo #compression for compatibility with old clients, which must enable it too; not needed with OpenVPN 2.4.x or newer
;max-clients 100 #maximum number of clients
;user nobody #user and group the openvpn service runs as
;group nobody
persist-key #by default a restart of the VPN service re-reads the key files; with this option the keys read at first start are kept. The author considers it unnecessary in production
persist-tun #keep the tun or tap device up across a restart of the VPN service instead of taking it down and up again. The author considers it unnecessary in production
Note on the two options above: once user/group have dropped root privileges, the daemon can neither re-read the key files nor reopen the tun device on a SIGUSR1 restart unless persist-key and persist-tun are set.
status openvpn-status.log #OpenVPN status file, rewritten once a minute
;log openvpn.log #first logging option, with the log path; the file is truncated every time openvpn starts, so it is not recommended
;log-append openvpn.log #second logging option, with the log path; after a restart new entries are appended to the existing log, recommended for production
verb 3 #log level 0-9, the higher the more detailed: 0 is silent except for fatal errors, 4 is reasonable for normal use, 5 and 6 help with debugging connection problems, 9 is extremely verbose
;mute 20 #only the first 20 messages of the same category are written to the log
explicit-exit-notify 1 #tell clients to reconnect automatically after a server restart; UDP only. TCP reconnects without it, and with proto tcp this option prevents the openvpn service from starting, so it must be left out when TCP is used
Editing the OpenVPN configuration file
/etc/openvpn/server.conf
Drop the comments and keep what is useful:
port 1194 ## default port, unchanged
proto tcp ## TCP is used here for a stable VPN connection
dev tun ## routed IP tunnel
ca /etc/openvpn/certs/ca.crt ## the server's CA certificate
cert /etc/openvpn/certs/sun.crt ## server certificate issued by our own CA
key /etc/openvpn/certs/sun.key # server private key
dh /etc/openvpn/certs/dh.pem # DH parameters file
server 10.123.223.0 255.255.255.0 # address range inside the tunnel
push "route 172.66.0.0 255.255.255.0" ## route pushed to clients for the network beyond the tunnel
keepalive 10 120 ## liveness check
cipher AES-256-CBC ## cipher
compress lz4-v2 ## compression algorithm for the tunnel
push "compress lz4-v2"
max-clients 2048 ## maximum number of client connections
user openvpn ## run as this user
group openvpn ## run as this group
status /var/log/openvpn/openvpn-status.log ## status log
log-append /var/log/openvpn/openvpn.log ## service log
verb 3
mute 20
mv /etc/openvpn/server.conf /etc/openvpn/server.conf.bak`date +%F`
cat > /etc/openvpn/server.conf << SUN
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/sun.crt
key /etc/openvpn/certs/sun.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.123.223.0 255.255.255.0
push "route 172.66.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
SUN
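The parameter notes above describe several combinations that either stop the daemon from starting (explicit-exit-notify with proto tcp, compress together with comp-lzo) or weaken the deployment (no tls-auth, a non-zero tls-auth direction on the server, duplicate-cn, client-to-client, user/group without persist-key/persist-tun). The script below is an added example, not part of the original post or of OpenVPN: a static lint of a server.conf that reports each of those conditions, plus a note when the cipher is a CBC mode (OpenVPN 2.4 negotiates AES-256-GCM between peers that support it). Run against the final configuration written above it reports four findings: the missing tls-auth, the two missing persist options and the CBC cipher. The function names (_has, _arg, lint_openvpn_conf) are chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or OpenVPN): static checks for a
# server.conf, covering the pitfalls listed in the parameter notes above.

# _has CONF DIRECTIVE: true if an active (uncommented) line starts with DIRECTIVE.
_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# _arg CONF DIRECTIVE N: N-th argument of the first active DIRECTIVE line,
# with any trailing "#"/";" comment removed; empty if the directive is absent.
_arg() {
    grep -E "^[[:space:]]*$2([[:space:]]|\$)" "$1" | head -n 1 |
        sed 's/[#;].*$//' | awk -v n="$3" '{ print $(n + 1) }'
}

# lint_openvpn_conf CONF: print one "FINDING: ..." line per problem and a
# total; returns 0 when the file is clean, 1 otherwise.
lint_openvpn_conf() {
    local f="$1" n=0 proto cipher
    proto=$(_arg "$f" proto 1)
    cipher=$(_arg "$f" cipher 1)

    # explicit-exit-notify is UDP-only; with proto tcp the daemon refuses to start.
    case "${proto:-udp}" in
        tcp|tcp-server)
            if _has "$f" explicit-exit-notify; then
                echo "FINDING: explicit-exit-notify with proto $proto: openvpn will not start"; n=$((n + 1))
            fi ;;
    esac
    # The 2.4 "compress" framing and the legacy comp-lzo must not both be enabled.
    if _has "$f" compress && _has "$f" comp-lzo; then
        echo "FINDING: compress and comp-lzo are both set; keep only one"; n=$((n + 1))
    fi
    # tls-auth (or tls-crypt) protects the control channel; the server uses direction 0.
    if _has "$f" tls-auth; then
        if [ "$(_arg "$f" tls-auth 2)" != 0 ]; then
            echo "FINDING: tls-auth key direction must be 0 on the server (1 on clients)"; n=$((n + 1))
        fi
    elif ! _has "$f" tls-crypt; then
        echo "FINDING: no tls-auth or tls-crypt: control channel accepts unauthenticated packets"; n=$((n + 1))
    fi
    # Options the notes above describe as test-only.
    if _has "$f" duplicate-cn; then
        echo "FINDING: duplicate-cn lets several clients share one certificate"; n=$((n + 1))
    fi
    if _has "$f" client-to-client; then
        echo "FINDING: client-to-client lets VPN clients reach each other through the server"; n=$((n + 1))
    fi
    # After dropping root via user/group, the keys and the tun device cannot be
    # reopened on a SIGUSR1 restart unless they are persisted.
    if _has "$f" user || _has "$f" group; then
        _has "$f" persist-key || { echo "FINDING: user/group set without persist-key"; n=$((n + 1)); }
        _has "$f" persist-tun || { echo "FINDING: user/group set without persist-tun"; n=$((n + 1)); }
    fi
    # CBC works but is not an authenticated mode; 2.4 peers negotiate GCM when both support it.
    case "$cipher" in
        *-CBC) echo "FINDING: cipher $cipher is CBC; prefer an AEAD cipher such as AES-256-GCM"; n=$((n + 1)) ;;
    esac

    echo "$n finding(s) in $f"
    [ "$n" -eq 0 ]
}

# Usage:  lint_openvpn_conf /etc/openvpn/server.conf
```

Only active lines are examined, so directives that are commented out with ; or #, as in the annotated sample above, produce no findings.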
Creating the log directory
- The configuration file points at log files under /var/log/openvpn, so the directory must exist and be writable by the openvpn user the daemon drops to
mkdir /var/log/openvpn ; chown openvpn:openvpn /var/log/openvpn
Preparing iptables rules and kernel parameters
Enable ip_forward on the OpenVPN server
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf ; sysctl -p
[root@C8-200 ~]# echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf ; sysctl -p
net.ipv4.ip_forward = 1
Add the SNAT rule to iptables and have it applied at boot
echo 'iptables -t nat -A POSTROUTING -s 10.123.223.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@C8-200 ~]# echo 'iptables -t nat -A POSTROUTING -s 10.123.223.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@C8-200 ~]# iptables -t nat -A POSTROUTING -s 10.123.223.0/24 -j MASQUERADE
[root@C8-200 ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.123.223.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Two things to check on CentOS 8: /etc/rc.d/rc.local is only run at boot if it is executable (chmod +x /etc/rc.d/rc.local), and firewalld is enabled by default, so the listening port (1194/tcp here) must also be allowed through it or clients will not reach the daemon.
Starting the OpenVPN service
- The CentOS 8 package does not ship an openvpn@.service unit (the rpm -ql listing above shows openvpn-server@.service and openvpn-client@.service instead; openvpn-server@.service expects its configuration at /etc/openvpn/server/<name>.conf)
- One can be copied over from CentOS 7
- Or created following the CentOS 7 format (a locally written unit belongs in /etc/systemd/system; /usr/lib/systemd/system is owned by packages and may be overwritten on update)
cat > /usr/lib/systemd/system/openvpn@.service << SUN
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
SUN
- Start the OpenVPN service
systemctl daemon-reload
systemctl enable --now openvpn@server
# start the OpenVPN service; note that the instance name (openvpn@server) differs from the unit file name (openvpn@.service)
[root@C8-200 ~]# systemctl daemon-reload
[root@C8-200 ~]# systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.