OpenVPN is an open source application that allows you to create a secure private network over the public Internet
OpenVPN implements a virtual private network (VPN) to create a secure connection. OpenVPN uses the OpenSSL library to provide encryption. It supports several authentication mechanisms, such as certificate-based, pre-shared key, and username/password authentication.
1. Disable SELinux
[[email protected] ~]# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[[email protected] ~]# setenforce 0
2. Install the EPEL repository, OpenVPN and easy-rsa
[[email protected] ~]# yum -y install epel-release && yum -y install openvpn easy-rsa
3. Create the OpenVPN keys and certificates
Create an easy-rsa folder under /etc/openvpn and copy the easy-rsa files into it
[[email protected] ~]# mkdir /etc/openvpn/easy-rsa/
[[email protected] ~]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
[[email protected] ~]# cp -p /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easy-rsa/vars
We will create the CA key, the server and client keys, the DH parameters (dh.pem), the CRL (crl.pem) and the TLS authentication key (ta.key).
[[email protected] easy-rsa]# cd /etc/openvpn/easy-rsa/
4. Initialize the PKI and build the CA certificate
[[email protected] easy-rsa]# ./easyrsa init-pki
[[email protected] easy-rsa]# ./easyrsa build-ca nopass
5. Create the server key
Create a server key and certificate request named server1:
[[email protected] easy-rsa]# ./easyrsa gen-req server1 nopass   # press Enter to accept the default Common Name
Adding the nopass option means the private key is not protected by a passphrase.
Sign the server1 request with the CA certificate:
[[email protected] easy-rsa]# ./easyrsa sign-req server server1   # type yes to confirm
6. Create the client key
Create a client key and certificate request named client1:
[[email protected] easy-rsa]# ./easyrsa gen-req client1 nopass   # press Enter to accept the default Common Name
Sign the client1 request with the CA certificate:
[[email protected] easy-rsa]# ./easyrsa sign-req client client1   # type yes to confirm
7. Create the DH parameters
Generate 2048-bit DH parameters according to the vars file copied above:
[[email protected] easy-rsa]# ./easyrsa gen-dh
8. Create the TLS authentication key
[[email protected] easy-rsa]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
9. Generate the certificate revocation list (CRL)
The certificate revocation list (CRL) is used to revoke client certificates. If there are several client certificates on the server and you want to invalidate one, run ./easyrsa revoke <name> and then regenerate the CRL with the command below so that the server sees the change.
Generate the CRL:
[[email protected] easy-rsa]# ./easyrsa gen-crl
10. Copy the certificate files
Copy the CA certificate, ta.key and the server certificate and key to /etc/openvpn/server:
[[email protected] easy-rsa]# cp -p pki/ca.crt /etc/openvpn/server/
[[email protected] easy-rsa]# cp -p pki/issued/server1.crt /etc/openvpn/server/
[[email protected] easy-rsa]# cp -p pki/private/server1.key /etc/openvpn/server/
[[email protected] easy-rsa]# cp -p ta.key /etc/openvpn/server/
Copy the CA certificate, ta.key and the client certificate and key to /etc/openvpn/client:
[[email protected] easy-rsa]# cp -p pki/ca.crt /etc/openvpn/client/
[[email protected] easy-rsa]# cp -p pki/issued/client1.crt /etc/openvpn/client/
[[email protected] easy-rsa]# cp -p pki/private/client1.key /etc/openvpn/client/
[[email protected] easy-rsa]# cp -p ta.key /etc/openvpn/client/
Copy dh.pem and crl.pem to /etc/openvpn/server (note that OpenVPN only consults crl.pem if server.conf contains a crl-verify directive pointing at it):
[[email protected] easy-rsa]# cp pki/dh.pem /etc/openvpn/server/
[[email protected] easy-rsa]# cp pki/crl.pem /etc/openvpn/server/
11. Write the server configuration file
The OpenVPN package ships an example server configuration. There is a server.conf under /usr/share/doc/openvpn-<version>/sample/sample-config-files/ (the version in the path depends on the installed package); copy it to /etc/openvpn/:
[[email protected] easy-rsa]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/
[[email protected] easy-rsa]# vim /etc/openvpn/server.conf
local 0.0.0.0                          # listening address
port 1194                              # listening port
proto tcp                              # transport protocol
dev tun                                # routed (tun) tunnel mode
ca /etc/openvpn/server/ca.crt          # CA certificate path
cert /etc/openvpn/server/server1.crt   # server certificate
key /etc/openvpn/server/server1.key    # this file should be kept secret
dh /etc/openvpn/server/dh.pem          # DH parameters for the key exchange
server 10.8.0.0 255.255.255.0          # address pool assigned to clients. Note: it must not overlap the VPN server's internal network segment
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"   # route all client traffic through the VPN gateway
push "dhcp-option DNS 8.8.8.8"             # DNS server pushed to clients
client-to-client                       # allow clients to communicate with each other
keepalive 10 120                       # ping every 10 seconds; no reply for 120 seconds counts as disconnected
comp-lzo                               # compress transmitted data
max-clients 100                        # allow at most 100 concurrent clients
user openvpn                           # run as this user
group openvpn                          # and this group
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
You can comment out these two lines:
#explicit-exit-notify 1
#tls-auth ta.key 1
explicit-exit-notify is only valid with proto udp, so it must stay commented out when using proto tcp. Commenting out tls-auth disables the extra HMAC check on the control channel, so the ta.key copied earlier goes unused; if you keep the line active, the client configuration needs a matching tls-auth line or the handshake fails.
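Several directives in server.conf must agree with client.ovpn (proto, tls-auth) or the tunnel never comes up, and the crl.pem copied in step 10 is only enforced when crl-verify is configured. The following is an added example, not part of the original page, of a small checker that parses both files and flags these pitfalls; the embedded configs are constructed from the ones in this walkthrough, trimmed to the relevant directives.

```python
import shlex

# Constructed excerpts of the server and client configs from this walkthrough.
SERVER_CONF = """\
port 1194
proto tcp
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
comp-lzo
#explicit-exit-notify 1
#tls-auth ta.key 1
"""
CLIENT_CONF = """\
client
proto tcp
ca 'C:\\Program Files\\OpenVPN\\config\\ca.crt'
tls-auth ta.key 1
comp-lzo
"""

def parse_conf(text):
    """Map directive -> [args] for active lines; '#' and ';' start comments, last occurrence wins."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)   # keeps quoted push/path arguments as a single token
        opts[parts[0]] = parts[1:]
    return opts

def proto_of(opts):
    """Normalise tcp-server/tcp-client/udp4/... to plain tcp/udp (OpenVPN defaults to udp)."""
    return opts.get("proto", ["udp"])[0].split("-")[0].rstrip("46")

def check_pair(server, client):
    """List mismatches that break the handshake or silently weaken the setup."""
    sp, cp, problems = proto_of(server), proto_of(client), []
    if sp != cp:
        problems.append(f"proto mismatch: server {sp}, client {cp}")
    if ("tls-auth" in server) != ("tls-auth" in client):
        problems.append("tls-auth on only one side: the TLS handshake will fail")
    if sp == "tcp" and "explicit-exit-notify" in server:
        problems.append("explicit-exit-notify is only valid with proto udp")
    if "crl-verify" not in server:
        problems.append("no crl-verify: the generated crl.pem is never consulted")
    return problems

if __name__ == "__main__":
    for problem in check_pair(parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)):
        print("WARNING:", problem)
```

Run against the real files by reading /etc/openvpn/server.conf and the client.ovpn into the two strings; the constructed pair above reports the one-sided tls-auth and the missing crl-verify.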
12. Post-configuration setup
[[email protected] easy-rsa]# mkdir /var/log/openvpn
[[email protected] easy-rsa]# chown -R openvpn.openvpn /var/log/openvpn/
[[email protected] easy-rsa]# chown -R openvpn.openvpn /etc/openvpn/*
13. Set the iptables NAT rule and enable IP forwarding
[[email protected] easy-rsa]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE   # replace ens33 with the actual outbound interface
[[email protected] easy-rsa]# iptables -vnL -t nat
[[email protected] easy-rsa]# vim /etc/sysctl.conf   # enable IP forwarding
net.ipv4.ip_forward = 1
[[email protected] easy-rsa]# sysctl -p
14. Start the OpenVPN service
[[email protected] easy-rsa]# openvpn /etc/openvpn/server.conf   # start the service (runs in the foreground)
15. Configure the Windows client to connect automatically (mode 1)
Download the OpenVPN GUI
Extract and install it, then prepare the client configuration file
The sample configuration is on the server under /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/ with the name client.conf
[[email protected] easy-rsa]# cd /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/
[[email protected] sample-config-files]# sz client.conf
Download it from the server into the config directory of the OpenVPN installation on the Windows client (C:\Program Files\OpenVPN\config\) and rename it to client.ovpn
Edit client.ovpn on the Windows client:
client
dev tun
proto tcp                          # change to tcp to match the server
remote xxx.xxx.xxx.xxx 1194        # public IP (or domain name) and port of the OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca 'C:\Program Files\OpenVPN\config\ca.crt'
cert 'C:\Program Files\OpenVPN\config\client1.crt'   # certificate of client1
key 'C:\Program Files\OpenVPN\config\client1.key'    # private key of client1
comp-lzo
verb 3
Download the server's ca.crt, client1.crt and client1.key into the config directory of the local OpenVPN installation on the client (C:\Program Files\OpenVPN\config\)
16. Start the Windows client
After opening the client, right-click its icon in the taskbar and click Connect; the client automatically obtains the IP assigned by the server.
17. Configure the Windows client to connect by username/password (mode 2)
First we need to write a user authentication script (this script is provided on the OpenVPN official website):
vim /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
Next, give the script execute permission:
[[email protected] easy-rsa]# chmod 755 /etc/openvpn/checkpsw.sh
Now configure the user password file /etc/openvpn/psw-file:
cat /etc/openvpn/psw-file
abcdocker 123456
abc 123456
test test
# The username comes first and the password after it, separated by spaces
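The checkpsw.sh above keeps passwords in plaintext and, on failed logins, writes the submitted password into its log file. The following is an added example, not the page's or the OpenVPN project's script, of a replacement for the auth-user-pass-verify via-env hook that stores salted PBKDF2-SHA256 digests and logs only the username; the PASSFILE path, the three-column file format and the sample entries are assumptions.

```python
import hashlib, hmac, os, sys

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as the server's CPU allows
PASSFILE = "/etc/openvpn/psw-file"   # assumed to hold the hashed format below, not plaintext

def make_entry(username, password):
    """One passfile line: username, hex salt and hex PBKDF2-SHA256 digest, space separated."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username} {salt.hex()} {digest.hex()}"

def verify_user(username, password, passfile_text):
    """True only if username is listed and password matches its stored digest."""
    for line in passfile_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":   # same comment syntax as checkpsw.sh
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != username:
            continue
        salt, stored = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(computed, stored)   # constant-time comparison
    return False

# Constructed sample passfile using the walkthrough's usernames; digests are built at
# import time so the block runs stand-alone.
SAMPLE_PASSFILE = "\n".join([
    "# username salt-hex pbkdf2-sha256-hex",
    make_entry("abcdocker", "123456"),
    make_entry("test", "test"),
])

def main():
    # With "auth-user-pass-verify <script> via-env" OpenVPN exports the environment
    # variables "username" and "password"; exit 0 accepts the login, non-zero rejects it.
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as fh:
            ok = verify_user(username, password, fh.read())
    except OSError:
        ok = False
    # Log the outcome and the username only; never the submitted password.
    sys.stderr.write(f"auth {'ok' if ok else 'failed'} for user {username!r}\n")
    sys.exit(0 if ok else 1)

if __name__ == "__main__":
    main()
```

Generate lines for the file with make_entry(). OpenVPN's manual recommends via-file over via-env because environment variables can be visible to other local processes; with via-file the username and password arrive on the first two lines of the temporary file named in sys.argv[1].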
Next, modify the OpenVPN server.conf by appending the following configuration at the end of the file:
cat >>/etc/openvpn/server.conf<<EOF
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env   # specifies the user authentication script
username-as-common-name
verify-client-cert none
EOF
# Appended as the last lines of server.conf
Next, modify client.ovpn:
client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca 'C:\Program Files\OpenVPN\config\ca.crt'
;cert 'C:\Program Files\OpenVPN\config\client1.crt'   # commented out
;key 'C:\Program Files\OpenVPN\config\client1.key'    # commented out
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
auth-user-pass   # log in to the OpenVPN server with username and password
# The cert and key lines are commented out and a single auth-user-pass line is added.
Next, restart OpenVPN.
[[email protected] easy-rsa]# netstat -untlp | grep 1194   ## find the PID of OpenVPN
[[email protected] easy-rsa]# kill XXXX                    ## kill the OpenVPN process by PID
[[email protected] easy-rsa]# openvpn /etc/openvpn/server.conf   ## start the service
When the client is reopened and Connect is clicked, a username/password prompt pops up; enter one of the users created above.