2023-11-04

CentOS7部署OpenVPN实现异地组网

近期和自己的团队接了点活干，但是团队又分布在不同的地方很分散，这就导致前端想要连后端的接口连不了，于是我就想了用OpenVPN将他们连起来，这样开发们就能很好的调试了。

一、环境

1、CentOS7
2、OpenVPN Server2.4.12
3、easy-rsa3.0.8
4、OpenVPN客户端2.5.7
5、用户认证脚本：下载地址 http://openvpn.se/files/other/checkpsw.sh

二、步骤

1、安装openvpn server和easy-rsa

1	yum -y install epel-release && yum -y install openvpn easy-rsa

2、创建OpenVPN相关的密钥

[root@localhost ~]# mkdir /etc/openvpn/easy-rsa/
[root@localhost ~]# cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
[root@localhost ~]# cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# vim vars

2.1、将下列参数取消注释，并改成下面的样子

set_var EASYRSA_DN      "cn_only"
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Jiangsu"
set_var EASYRSA_REQ_CITY        "Suzhou"
set_var EASYRSA_REQ_ORG         "IT"
set_var EASYRSA_REQ_EMAIL       "adm@zwyk.com"
set_var EASYRSA_NS_SUPPORT      "yes"

3、初始化、建立CA证书并创建服务器密钥

[root@localhost ~]# cd /etc/openvpn/easy-rsa/  
[root@localhost easy-rsa]# ./easyrsa init-pki  
[root@localhost easy-rsa]# ./easyrsa build-ca nopass  
[root@localhost easy-rsa]# ./easyrsa gen-req server nopass 直接回车  
[root@localhost easy-rsa]# ./easyrsa sign-req server server 输入yes

4、创建客户端密钥

1 2	[root@localhost easy-rsa]# ./easyrsa gen-req client nopass 回车 [root@localhost easy-rsa]# ./easyrsa sign-req client client 输入yes

5、创建DH密钥

1 2	[root@localhost easy-rsa]# ./easyrsa gen-dh [root@localhost easy-rsa]# /usr/sbin/openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key

6、生成证书撤销列表(CRL)密钥

1	[root@localhost easy-rsa]# ./easyrsa gen-crl

7、复制证书文件和配置文件

[root@localhost easy-rsa]# cp -p pki/ca.crt /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p pki/issued/server.crt /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p pki/private/server.key /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p ta.key /etc/openvpn/server/
[root@localhost easy-rsa]# cp -p pki/ca.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp -p pki/issued/client.crt /etc/openvpn/client/
[root@localhost easy-rsa]# cp -p pki/private/client.key /etc/openvpn/client/
[root@localhost easy-rsa]# cp -p ta.key /etc/openvpn/client/
[root@localhost easy-rsa]# cp pki/dh.pem /etc/openvpn/server/
[root@localhost easy-rsa]# cp pki/crl.pem /etc/openvpn/server/
[root@localhost easy-rsa]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/

8、编辑服务端配置文件

1	[root@localhost ~]# vim /etc/openvpn/server.conf

local 0.0.0.0
port 7782
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key  # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/psw/ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 20
user root
group root
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log         /etc/openvpn/logs/openvpn.log
log-append  /etc/openvpn/logs/openvpn.log
verb 3
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
verify-client-cert none

9、创建日志文件夹、密码文件夹并赋权

1
2
3

[root@localhost ~]# mkdir -p /etc/openvpn/logs/
[root@localhost ~]# mkdir -p /etc/openvpn/psw/
[root@localhost ~]# chmod 777 /etc/openvpn/logs/

10、创建ipp文本来存放用户名和密码

1
2
3

[root@localhost ~]# cd /etc/openvpn/psw
[root@localhost psw]# touch ipp.txt
[root@localhost psw]# vim ipp.txt

ipp.txt内容格式如下

1
2
3

nihao nihao123456
haha haha123456
第一个是账户，然后空格，然后是密码

11、下载并修改用户认证脚本（官方提供的)

1 2	[root@localhost openvpn]# wget http://openvpn.se/files/other/checkpsw.sh [root@localhost openvpn]# vim checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw/ipp.txt"
LOG_FILE="/etc/openvpn/logs/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then 
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then 
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

赋予shell脚本执行权

1	[root@localhost openvpn]# chmod +x checkpsw.sh

12、修改openvpn.service

1
2
3

[root@localhost openvpn]# mv /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn.service 

[root@localhost openvpn]# vim /usr/lib/systemd/system/openvpn.service

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server.conf

[Install]
WantedBy=multi-user.target

1
2
3

[root@localhost openvpn]# mv/usr/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn-server.service

[root@localhost openvpn]# vim /usr/lib/systemd/system/openvpn.service

[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target

13、设置openvpn开机自启

1
2
3

[root@localhost openvpn]# systemctl daemon-reload
[root@localhost openvpn]# systemctl enable openvpn
[root@localhost openvpn]# systemctl restart openvpn

14、配置客户端

在windows的openvpn客户端下的config文件夹里创建一个client.ovpn
然后在里面将下面内容填进去

client
dev tun
proto tcp
remote openvpn.zwyk.eu.org 7782
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
verb 4
auth-user-pass
auth-nocache

到服务器里将/etc/openvpn/client/里的ca.crt给拉取到本地并跟client.ovpn放在一起

三、总结

只需要将openvpn的安装包和client.ovpn、ca.crt一起丢给开发，开发安装好后输入账号密码连接上openvpn就可以互相调试接口了

四、扫一扫关注我吧

戴戴的Linux

本文标题:CentOS7部署OpenVPN实现异地组网

文章作者:StephenJose_Dai

发布时间:2023年11月04日 - 13时22分

最后更新:2023年11月04日 - 14时41分

原始链接:https://daishenghui.club/2023/11/04/categories/Linux/CentOS7部署OpenVPN实现异地组网/

文章转载许可协议： "署名-非商用-相同方式共享 3.0" 转载请保留原文链接及作者。