CentOS 7.7: Configure OpenVPN

Time:2022-5-16
OpenVPN is an open source application that creates a secure private network over the public Internet. It implements a virtual private network (VPN) and uses the OpenSSL library for the TLS handshake and data-channel encryption. It supports several authentication mechanisms: certificate-based, pre-shared (static) key, and username/password authentication.
1. Disable SELinux

The tutorial takes the shortcut of disabling SELinux. Note that the EPEL openvpn package runs under the standard targeted policy (the openvpn_t domain), so on a production host you would rather keep enforcing mode and resolve any denials from the audit log; the commands below are what the tutorial does.

[[email protected] ~]# sed -i '/^SELINUX/s/enforcing/disabled/g' /etc/selinux/config
[[email protected] ~]# setenforce 0
2. Install the EPEL repository, OpenVPN and easy-rsa
[[email protected] ~]# yum -y install epel-release && yum -y install openvpn easy-rsa
3. Create the OpenVPN keys and certificates

Create an easy-rsa directory under /etc/openvpn, copy the easy-rsa 3 files into it, and copy the example vars file. The documentation path includes the installed easy-rsa version (3.0.6 here); adjust it if rpm -q easy-rsa shows a different version.

[[email protected] ~]# mkdir /etc/openvpn/easy-rsa/ 
[[email protected] ~]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
[[email protected] ~]# cp -p /usr/share/doc/easy-rsa-3.0.6/vars.example /etc/openvpn/easy-rsa/vars

We will create the CA key and certificate, the server and client keys and certificates, the Diffie-Hellman parameters (dh.pem), the certificate revocation list (crl.pem) and the TLS authentication key (ta.key).

[[email protected] ~]# cd /etc/openvpn/easy-rsa/
4. Initialize the PKI and build the CA certificate
 [[email protected] easy-rsa]# ./easyrsa init-pki
 [[email protected] easy-rsa]# ./easyrsa build-ca nopass

nopass leaves the CA private key (pki/private/ca.key) unencrypted on disk. That is convenient for a lab, but this key signs every client certificate the server will trust, so keep /etc/openvpn/easy-rsa readable by root only; for a production CA, omit nopass so the key is protected by a passphrase.
5. Create the server key

Create a server key and certificate request named server1:

[[email protected] easy-rsa]# ./easyrsa gen-req server1 nopass

Press Enter to accept the default Common Name. The nopass option means the key is not protected by a passphrase, which is needed here because the OpenVPN daemon must read it unattended at startup.

Sign the server1 request with the CA certificate (type yes to confirm):

[[email protected] easy-rsa]# ./easyrsa sign-req server server1

The "server" certificate type adds the TLS server extended key usage, which is what a client's remote-cert-tls server check relies on.
6. Create the client key

Create a client key and certificate request named client1 (press Enter to accept the default Common Name):

[[email protected] easy-rsa]# ./easyrsa gen-req client1 nopass

Sign the client1 request with the CA certificate (type yes to confirm):

[[email protected] easy-rsa]# ./easyrsa sign-req client client1
7. Create the DH parameters

Generate 2048-bit Diffie-Hellman parameters (the size follows EASYRSA_KEY_SIZE in the vars file copied above; 2048 is the default). The output is written to pki/dh.pem. This step can take several minutes.

[[email protected] easy-rsa]# ./easyrsa gen-dh
8. Create TLS authentication key
[[email protected] easy-rsa]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
9. Generate the certificate revocation list (CRL)

The CRL lists client certificates that must no longer be accepted. If several client certificates have been issued and one has to be withdrawn (a lost laptop, a departed user), run ./easyrsa revoke <name>, regenerate the CRL with ./easyrsa gen-crl, and copy the new pki/crl.pem to the server directory again. The server only consults the CRL if server.conf contains a crl-verify directive pointing at the file; the configuration in step 11 does not include one, so add crl-verify /etc/openvpn/server/crl.pem if you rely on revocation.

Generate the CRL:

[[email protected] easy-rsa]# ./easyrsa gen-crl
10. Copy certificate file

Copy the CA certificate, ta.key and the server certificate and key to the /etc/openvpn/server directory:

[[email protected] easy-rsa]# cp -p pki/ca.crt /etc/openvpn/server/
[[email protected] easy-rsa]# cp -p pki/issued/server1.crt /etc/openvpn/server/
[[email protected] easy-rsa]# cp -p pki/private/server1.key /etc/openvpn/server/
[[email protected] easy-rsa]# cp -p ta.key /etc/openvpn/server/

Copy the CA certificate, ta.key and the client certificate and key to the /etc/openvpn/client directory (these are the files that later go to the Windows client):

[[email protected] easy-rsa]# cp -p pki/ca.crt /etc/openvpn/client/
[[email protected] easy-rsa]# cp -p pki/issued/client1.crt /etc/openvpn/client/
[[email protected] easy-rsa]# cp -p pki/private/client1.key /etc/openvpn/client/
[[email protected] easy-rsa]# cp -p ta.key /etc/openvpn/client/

Copy dh.pem and crl.pem to the /etc/openvpn/server directory:

[[email protected] easy-rsa]# cp pki/dh.pem /etc/openvpn/server/
[[email protected] easy-rsa]# cp pki/crl.pem /etc/openvpn/server/
11. Write the server configuration file

The openvpn package ships a sample server configuration at /usr/share/doc/openvpn-<version>/sample/sample-config-files/server.conf, where <version> is the installed package version (check it with rpm -q openvpn; the page shows 2.4.4 below and 2.4.11 in step 15). Copy it to /etc/openvpn/:

[[email protected] easy-rsa]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/

[[email protected] easy-rsa]# vim /etc/openvpn/server.conf

  local 0.0.0.0                          # listening address (all interfaces)
  port 1194                              # listening port
  proto tcp                              # transport protocol (the sample uses udp, which usually performs better)
  dev tun                                # routed (layer 3) tunnel mode
  ca /etc/openvpn/server/ca.crt          # CA certificate
  cert /etc/openvpn/server/server1.crt   # server certificate
  key /etc/openvpn/server/server1.key    # server private key; keep it secret
  dh /etc/openvpn/server/dh.pem          # Diffie-Hellman parameters for the key exchange
  server 10.8.0.0 255.255.255.0          # address pool for clients; must not overlap the server's own LAN segment
  ifconfig-pool-persist ipp.txt
  push "redirect-gateway def1 bypass-dhcp"   # route all client traffic through the VPN
  push "dhcp-option DNS 8.8.8.8"         # DNS server handed to clients
  client-to-client                       # allow clients to reach each other
  keepalive 10 120                       # ping every 10 s; consider the peer down after 120 s without a reply
  comp-lzo                               # data compression (deprecated by OpenVPN; drop it on both ends unless needed)
  max-clients 100                        # allow at most 100 concurrent clients
  user openvpn                           # drop privileges to this user after startup
  group openvpn                          # and to this group
  persist-key
  persist-tun
  status /var/log/openvpn/openvpn-status.log
  log         /var/log/openvpn/openvpn.log
  verb 3

Two lines of the sample file need attention:

#explicit-exit-notify 1
#tls-auth ta.key 1

explicit-exit-notify must stay commented out (or be deleted): it is only valid with proto udp, and OpenVPN refuses to start with it under proto tcp. tls-auth, on the other hand, is worth keeping rather than commenting out; the tutorial generated ta.key and copied it to both directories precisely for this option. On the server set it to tls-auth /etc/openvpn/server/ta.key 0 (key direction 0; the 1 shown above is the client-side value) and on every client use tls-auth ta.key 1. With it enabled the server silently drops control-channel packets that lack the correct HMAC, so unauthenticated peers never reach the TLS handshake. If you do comment it out, delete the unused ta.key copies.

Two further notes on the configuration above. comp-lzo enables data compression, which OpenVPN has deprecated because compressing attacker-influenced data leaks information about the plaintext (the VORACLE attack); remove it on both server and client unless you have a measured need for it. And nothing in this file references crl.pem, so add crl-verify /etc/openvpn/server/crl.pem if you intend to revoke client certificates (step 9).
12. Post-configuration settings

Create the log directory and hand it to the openvpn user:

[[email protected] easy-rsa]# mkdir /var/log/openvpn

[[email protected] easy-rsa]# chown -R openvpn.openvpn /var/log/openvpn/

The tutorial then makes the openvpn user the owner of everything under /etc/openvpn:

[[email protected] easy-rsa]# chown -R openvpn.openvpn /etc/openvpn/*

This is broader than necessary. OpenVPN reads the certificates and keys as root before it drops privileges to user openvpn / group openvpn (persist-key keeps the key material in memory across restarts), so the files under /etc/openvpn/server can stay root-owned. The recursive chown also gives the unprivileged daemon user access to /etc/openvpn/easy-rsa/pki/private/ca.key. A tighter setup keeps the easy-rsa directory root-only (chmod 700 /etc/openvpn/easy-rsa) and gives the openvpn user only what it needs at runtime: the log directory and, in step 17, the password file.
13. Set the iptables NAT rule and enable IP forwarding

Traffic from the VPN pool (10.8.0.0/24) is masqueraded behind the server's outward-facing interface. ens33 below is the interface name on this host; adjust it to match yours (see ip addr):

[[email protected] easy-rsa]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens33 -j MASQUERADE

[[email protected] easy-rsa]# iptables -vnL -t nat

The rule lives only in the running kernel; to keep it across reboots, save it with the iptables-services package (service iptables save) or add it through firewalld instead. The firewall must also accept the listener, TCP port 1194 with this configuration.

Enable route forwarding in /etc/sysctl.conf:

[[email protected] easy-rsa]# vim /etc/sysctl.conf

 net.ipv4.ip_forward = 1

[[email protected] easy-rsa]# sysctl -p
14. Start the OpenVPN service
[[email protected] easy-rsa]# openvpn /etc/openvpn/server.conf

Started this way, openvpn runs in the foreground of the terminal and stops when the shell closes. The EPEL package also ships a systemd template unit for configuration files under /etc/openvpn/, so the same file can run as a service with systemctl enable --now openvpn@server (the instance name is the file name without .conf).
15. Configure the Windows client with certificate authentication (mode 1)

Download and install OpenVPN GUI, then prepare the client configuration file. The sample is on the server at /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/client.conf (the version directory matches the installed package, as in step 11):

[[email protected] easy-rsa]# cd /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/
[[email protected] sample-config-files]#  sz client.conf 

(sz is the lrzsz ZMODEM download used by terminal clients such as Xshell; scp works just as well.) Save the file in the config directory of the OpenVPN installation on the Windows client (C:\Program Files\OpenVPN\config\) and rename it to client.ovpn.

Edit client.ovpn on the Windows client:

client
dev tun
proto tcp                      # must match the server's proto
remote xxx.xxx.xxx.xxx 1194    # public IP address (or DNS name) and port of the OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca 'C:\Program Files\OpenVPN\config\ca.crt'
cert 'C:\Program Files\OpenVPN\config\client1.crt'   # the client1 certificate
key 'C:\Program Files\OpenVPN\config\client1.key'    # the client1 private key
comp-lzo
verb 3

Then download ca.crt, client1.crt and client1.key from /etc/openvpn/client/ on the server into the same config directory on the Windows client (C:\Program Files\OpenVPN\config\). client1.key is the client's private key: transfer it over an authenticated channel such as scp, not by e-mail, and delete the server-side copy under /etc/openvpn/client/ once the client has it.
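Distributing four separate files into C:\Program Files\OpenVPN\config is error-prone. As an added example (not part of the original tutorial or of the OpenVPN project), the following POSIX shell function builds one self-contained client profile with the CA certificate, client certificate, client key and ta.key embedded inline, and adds two settings the tutorial's profile lacks: remote-cert-tls server and tls-auth via key-direction 1. It assumes the easy-rsa layout created in step 3 (pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key) and ta.key inside the easy-rsa directory; the server host name and port are parameters, and vpn.example.com is a placeholder.

```shell
#!/bin/sh
# build_client_ovpn: assemble one self-contained OpenVPN client profile.
# Added example, not code from the tutorial or the OpenVPN project.
# Assumed layout (as created in step 3): $EASYRSA_DIR/pki/ca.crt,
# $EASYRSA_DIR/pki/issued/<client>.crt, $EASYRSA_DIR/pki/private/<client>.key
# and $EASYRSA_DIR/ta.key.

# pem_body FILE: print only the PEM block(s) of FILE. easy-rsa prefixes issued
# certificates with a human-readable dump; OpenVPN tolerates it, but stripping
# it keeps the profile small and avoids handing the dump to other tools.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_client_ovpn EASYRSA_DIR CLIENT_NAME SERVER_HOST [PORT]
# Writes the profile to stdout; returns 1 (naming the file) if any required
# input is missing or unreadable.
build_client_ovpn() {
    dir=$1; name=$2; host=$3; port=${4:-1194}
    for f in "$dir/pki/ca.crt" "$dir/pki/issued/$name.crt" \
             "$dir/pki/private/$name.key" "$dir/ta.key"; do
        [ -r "$f" ] || { echo "build_client_ovpn: missing $f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto tcp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
# Only accept a server certificate issued for the "server" role (sign-req
# server above); a stolen client certificate then cannot impersonate the server.
remote-cert-tls server
# tls-auth key direction: the server uses 0, every client uses 1.
key-direction 1
verb 3
<ca>
$(pem_body "$dir/pki/ca.crt")
</ca>
<cert>
$(pem_body "$dir/pki/issued/$name.crt")
</cert>
<key>
$(pem_body "$dir/pki/private/$name.key")
</key>
<tls-auth>
$(pem_body "$dir/ta.key")
</tls-auth>
EOF
}

# Example invocation on the server (the output file goes to the Windows client):
#   build_client_ovpn /etc/openvpn/easy-rsa client1 vpn.example.com > client1.ovpn
```

Run it as root on the server, copy only the resulting client1.ovpn to C:\Program Files\OpenVPN\config\, and delete the server-side copy, since the profile contains the client's private key. The <tls-auth> block assumes the server keeps tls-auth /etc/openvpn/server/ta.key 0 enabled (step 11); if tls-auth is commented out there, remove the block and the key-direction line. comp-lzo is deliberately omitted, which requires removing it from the server too (a server that compresses and a client that does not will not interoperate).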

16. Start the Windows client

After opening the client, right-click its icon in the taskbar and click Connect; the client obtains the IP address assigned by the server.

17. Configure the Windows client to connect with a username and password (mode 2)

First we need a user authentication script (the script below is the checkpsw.sh sample distributed through the OpenVPN project):

vim /etc/openvpn/checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman 
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then 
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then 
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

Next, give the script execute permission:

 [[email protected] easy-rsa]# chmod 755 /etc/openvpn/checkpsw.sh

Two things to be aware of before using this script beyond a lab: it writes the submitted password in clear to its log on every failed attempt (a mistyped password is often another account's valid password), and it splices ${username} unquoted into the awk program text, so a username containing a double quote or whitespace changes the awk program. The passwords themselves are also stored in clear in the password file.

Now create the user/password file /etc/openvpn/psw-file, one user per line, username first, then one or more spaces or tabs, then the password:

cat /etc/openvpn/psw-file

abcdocker 123456
abc 123456
test test
# username first, password second, separated by whitespace

Because the server drops privileges to user openvpn before any client connects, the script runs as that user, so the file must be readable by it but by nobody else: chown openvpn:openvpn /etc/openvpn/psw-file and chmod 600 /etc/openvpn/psw-file.

Next, append the following to the end of the OpenVPN server configuration /etc/openvpn/server.conf:

cat >>/etc/openvpn/server.conf<<EOF
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
verify-client-cert none
EOF

script-security 3 is required because via-env hands the password to the script through its environment (the alternative, via-file, writes the username and password to a temporary file and needs only script-security 2). username-as-common-name makes the authenticated username, rather than a certificate CN, identify the client in logs and status output. verify-client-cert none means clients no longer need a certificate at all, so the password becomes the only secret protecting access; keep tls-auth enabled in this mode so that the TLS handshake is at least gated by ta.key.

Next, modify client.ovpn on the Windows client:

client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca 'C:\Program Files\OpenVPN\config\ca.crt'
;cert 'C:\Program Files\OpenVPN\config\client1.crt'   # commented out
;key 'C:\Program Files\OpenVPN\config\client1.key'    # commented out
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
auth-user-pass     # log in to the OpenVPN server with a username and password

The changes are to comment out the cert and key paths and to add the auth-user-pass line. The ca line stays: the client still verifies the server's certificate against the CA.

Next, restart OpenVPN. If it was started in the foreground as in step 14, find and kill the process and start it again:

[[email protected] easy-rsa]# netstat -untlp | grep 1194    ## find the PID of openvpn
[[email protected] easy-rsa]# kill XXXX                    ## kill the openvpn process by PID
[[email protected] easy-rsa]# openvpn /etc/openvpn/server.conf   ## start the service

(If it runs under systemd, systemctl restart openvpn@server does the same.)

When the client is reopened and Connect is clicked, a username/password prompt appears; enter one of the users created above.
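The checkpsw.sh script above works, but it keeps passwords in clear, logs submitted passwords, and builds the awk program from the username. As an added example (not the tutorial's script and not OpenVPN project code), the following POSIX shell script is a drop-in replacement with the same purpose: passwords are stored as salted SHA-256 hashes in user:salt:hash form, the username is passed to awk with -v instead of being spliced into the program, the submitted password is never logged, and credentials arrive through OpenVPN's via-file mode (line 1 username, line 2 password), which needs only script-security 2. The file paths, the record format and the choice of salted SHA-256 (a password KDF such as bcrypt would be stronger where one is available) are this example's assumptions.

```shell
#!/bin/sh
# Hardened username/password check for OpenVPN auth-user-pass-verify (via-file).
# Added example; not the checkpsw.sh shown above and not OpenVPN project code.
# Server side (assumed paths):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file
# Password file format (one record per line, '#' or ';' lines are comments):
#   user:salt:sha256hex(salt || password)
# Override PASSFILE and AUTH_LOG_FILE through the environment if needed.

PASSFILE=${PASSFILE:-/etc/openvpn/psw-file}

log_msg() {
    # Append one timestamped line; a missing or unwritable log never fails auth.
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" \
        >> "${AUTH_LOG_FILE:-/var/log/openvpn/openvpn-password.log}" 2>/dev/null || :
}

sha256_hex() {
    # stdin -> lowercase hex digest, using whichever tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
    else openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# hash_password SALT PASSWORD -> hex of SHA-256(salt || password)
hash_password() {
    printf '%s%s' "$1" "$2" | sha256_hex
}

# make_entry USER PASSWORD -> one "user:salt:hash" record (append it to PASSFILE)
make_entry() {
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# verify_user PASSFILE USER PASSWORD -> 0 if the password matches, 1 otherwise
verify_user() {
    passfile=$1 user=$2 pw=$3
    # Conservative username charset: no ':' (field separator), no whitespace,
    # nothing that could be mistaken for awk or shell syntax.
    case $user in
        ''|*[!A-Za-z0-9._@-]*) log_msg "rejected username with bad characters"; return 1 ;;
    esac
    [ -r "$passfile" ] || { log_msg "cannot read $passfile"; return 1; }
    # -v passes the username as data, never as program text.
    entry=$(awk -F: -v u="$user" '!/^[;#]/ && $1 == u { print $2 ":" $3; exit }' "$passfile")
    if [ -z "$entry" ]; then
        log_msg "user does not exist: username=\"$user\""
        return 1
    fi
    salt=${entry%%:*}
    stored=${entry#*:}
    # Shell string comparison is not constant-time; acceptable behind OpenVPN's
    # TLS handshake and connection rate, not for a general-purpose auth service.
    if [ "$(hash_password "$salt" "$pw")" = "$stored" ]; then
        log_msg "successful authentication: username=\"$user\""
        return 0
    fi
    log_msg "incorrect password: username=\"$user\""
    return 1
}

# auth_from_file PASSFILE CREDFILE: CREDFILE is the temporary file OpenVPN
# writes in via-file mode (username on line 1, password on line 2).
auth_from_file() {
    user=$(sed -n '1p' "$2")
    pw=$(sed -n '2p' "$2")
    verify_user "$1" "$user" "$pw"
}

# Entry point: OpenVPN runs the script with the credentials file path as $1.
if [ $# -eq 1 ]; then
    auth_from_file "$PASSFILE" "$1"
    exit $?
fi
```

To add a user, run ./checkpsw.sh-style helpers from a root shell that has sourced the script, e.g. make_entry alice 'her password' >> /etc/openvpn/psw-file, then give the file to the daemon user only (chown openvpn:openvpn, chmod 600), since the script runs with the privileges the server dropped to. The log records usernames and outcomes, which is what you want for alerting on brute-force attempts, but never the password.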
