openvpn install

  1. 基础服务安装

    [root@plat1 srv]# yum -y install gcc gcc-c++
  2. 安装openssl
     注：本文使用的 openssl-1.0.1f 与 openvpn-2.0.9 均为较旧版本，存在已公开的安全漏洞；实际部署时应使用仍在维护的版本，并在解压前核对官方发布的校验和或签名。

    [root@plat1 srv]# ls -l openssl-1.0.1f.tar.gz
    -rw-r--r--. 1 root root 4509212 10月 13 17:48 openssl-1.0.1f.tar.gz
    [root@plat1 srv]# tar xzf openssl-1.0.1f.tar.gz
    [root@plat1 srv]# cd openssl-1.0.1f
    [root@plat1 openssl-1.0.1f]# ./config --prefix=/usr/local --openssldir=/usr/local/ssl && make && make install
  3. 安装lzo
     注：下面的 wget 通过明文 http 下载且未校验文件完整性，建议改用 https 并与官方公布的校验值比对后再编译安装。

    [root@plat1 srv]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
    [root@plat1 srv]# tar xzf lzo-2.03.tar.gz
    [root@plat1 srv]# cd lzo-2.03
    [root@plat1 lzo-2.03]# ./configure --prefix=/usr/local/lzo && make && make install

    [root@plat1 ~]# ln -s /usr/local/lzo/lib/liblzo2.a /usr/local/lzo/lib/liblzo.a
    [root@plat1 ~]# ln -s /usr/local/lzo/lib/liblzo2.la /usr/local/lzo/lib/liblzo.la
  4. 安装openvpn

    [root@plat1 srv]# ls -l openvpn-2.0.9.tar.gz
    -rw-r--r--. 1 root root 669076 10月 13 17:24 openvpn-2.0.9.tar.gz
    [root@plat1 srv]# tar xzf openvpn-2.0.9.tar.gz
    [root@plat1 srv]# cd openvpn-2.0.9
    [root@plat1 openvpn-2.0.9]# ./configure --prefix=/usr/local/openvpn --with-ssl-headers=/usr/local/ssl/include/openssl --with-ssl-lib=/usr/local/ssl/lib --with-lzo-headers=/usr/local/lzo/include/lzo --with-lzo-lib=/usr/local/lzo/lib
    [root@plat1 openvpn-2.0.9]# make && make install
  5. 准备openvpn-server端认证环境

    [root@plat1 openvpn-2.0.9]# mkdir /etc/openvpn
    [root@plat1 openvpn-2.0.9]# cp -r easy-rsa /etc/openvpn/
    [root@plat1 openvpn-2.0.9]# cp sample-config-files/server.conf /etc/openvpn/
    [root@plat1 openvpn-2.0.9]# cd /etc/openvpn/easy-rsa/2.0/
  6. 修改认证环境变量
     注：KEY_SIZE=1024（以及随后 build-dh 生成的 1024 位 DH 参数）按现今标准已偏弱，建议改为 2048 或更高；KEY_DIR 下生成的 ca.key 是签发所有证书的根私钥，应只保存在该 CA 主机上。

    [root@plat1 2.0]# vim vars
    export EASY_RSA="`pwd`"
    export OPENSSL="openssl"
    export PKCS11TOOL="pkcs11-tool"
    export GREP="grep"
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    export KEY_DIR="$EASY_RSA/keys"
    echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    export KEY_SIZE=1024
    export CA_EXPIRE=3650
    export KEY_EXPIRE=3650
    export KEY_COUNTRY="CN"
    export KEY_PROVINCE="BJ"
    export KEY_CITY="BeiJing"
    export KEY_ORG="OpenVPN ORG"
    export KEY_EMAIL="smallasa@sina.com"
    [root@plat1 2.0]# . ./vars
  7. 清理key目录

    [root@plat1 2.0]# ./clean-all
  8. 生成CA证书

    [root@plat1 2.0]# ./build-ca
    Generating a 1024 bit RSA private key
    ............................++++++
    ......................................++++++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BeiJing]:
    Organization Name (eg, company) [OpenVPN ORG]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) [OpenVPN ORG CA]:
    Email Address [smallasa@sina.com]:

    [root@plat1 2.0]# ls keys/
    ca.crt ca.key index.txt serial

    [root@plat1 2.0]# ./build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ....+.......+..........+.................................................+...+..................................................................................................................+..................................................................................................................................+........................................+......................................................................................................................+..................................+..............+.................................+..............................................................................................+..................................+.......................+............................++*++*++*

    [root@plat1 2.0]# ls keys/
    ca.crt ca.key dh1024.pem index.txt serial
  9. 生成openvpn server端key

    [root@plat1 2.0]# ./build-key-server test
    Generating a 1024 bit RSA private key
    .....++++++
    ....................................++++++
    writing new private key to 'test.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BeiJing]:
    Organization Name (eg, company) [OpenVPN ORG]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) [test]:
    Email Address [smallasa@sina.com]:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'CN'
    stateOrProvinceName :PRINTABLE:'BJ'
    localityName :PRINTABLE:'BeiJing'
    organizationName :PRINTABLE:'OpenVPN ORG'
    commonName :PRINTABLE:'test'
    emailAddress :IA5STRING:'smallasa@sina.com'
    Certificate is to be certified until Oct 11 10:30:42 2026 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  10. 将 openvpn server端生成的key拷贝到/etc/openvpn/目录
     注：server 端运行只需要 ca.crt、test.crt、test.key 和 dh1024.pem；ca.key 不应拷贝到 /etc/openvpn/，否则 VPN 服务器一旦被入侵，CA 私钥会一并泄露。

    [root@plat1 2.0]# cd keys/
    [root@plat1 keys]# cp ca.crt ca.key test.crt test.key dh1024.pem /etc/openvpn/
  11. 生成 openvpn client key(根据用户不同可以按此方法生成相应的用户key)

    [root@plat1 2.0]# . ./vars
    [root@plat1 2.0]# ./build-key client
    Generating a 1024 bit RSA private key
    ......................++++++
    ...........................................................................++++++
    writing new private key to 'client.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [BJ]:
    Locality Name (eg, city) [BeiJing]:
    Organization Name (eg, company) [OpenVPN ORG]:
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) [client]:client
    Email Address [smallasa@sina.com]:
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:smallasa
    Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'CN'
    stateOrProvinceName :PRINTABLE:'BJ'
    localityName :PRINTABLE:'BeiJing'
    organizationName :PRINTABLE:'OpenVPN ORG'
    organizationalUnitName:PRINTABLE:'test'
    commonName :PRINTABLE:'client'
    emailAddress :IA5STRING:'smallasa@sina.com'
    Certificate is to be certified until Oct 12 06:10:37 2026 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  12. 将用户key 和 ca证书打包,拷贝给用户
     注：下面的 `tar czf test.tar.gz test.* ca.*` 中，`ca.*` 会把 ca.key 一并打包（第 16 步客户端上的 ls 输出也证实了这一点），而 `test.*` 打包的是第 9 步生成的 server 端证书；发给用户的包应只含 client.crt、client.key 和 ca.crt，例如 `tar czf client.tar.gz client.crt client.key ca.crt`。

    [root@plat1 2.0]# cd keys
    [root@plat1 keys]# tar czf test.tar.gz test.* ca.*
    [root@plat1 keys]# sz test.tar.gz
  13. 配置openvpn server端服务配置

    [root@plat1 keys]# cd /etc/openvpn/
    [root@plat1 openvpn]# mkdir /var/log/openvpn
    [root@plat1 openvpn]# vim server.conf
    local 10.10.16.3
    port 1194
    proto tcp
    dev tun
    ca ca.crt
    cert test.crt
    key test.key
    dh dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "route 10.10.16.0 255.255.255.0"
    push "route 192.168.14.0 255.255.255.0"
    client-to-client
    keepalive 10 120
    comp-lzo
    max-clients 30
    user nobody
    group nobody
    persist-key
    persist-tun
    status /var/log/openvpn/openvpn-status.log
    log /var/log/openvpn/openvpn.log
    verb 3
  14. 配置 openvpn server端防火墙和访问策略

    [root@plat1 openvpn]# sed -i '/net.ipv4.ip_forward/s/0/1/g' /etc/sysctl.conf
    [root@plat1 openvpn]# sysctl -w net.ipv4.ip_forward=1
    [root@plat1 openvpn]# iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
  15. 启动openvpn server服务

    [root@plat1 openvpn]# /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &
  16. linux系统下openvpn客户端安装

    [ec2-user@ip-192-168-110-244 ~]$ sudo su -
    [root@ip-192-168-110-244 ~]# yum -y install openvpn
    [root@ip-192-168-110-244 ~]# cd /etc/openvpn/
    [root@ip-192-168-110-244 openvpn]# tar xzf test.tar.gz
    [root@ip-192-168-110-244 openvpn]# ls -l
    total 20
    -rw-r--r-- 1 root root 1245 Oct 13 18:27 ca.crt
    -rw------- 1 root root 916 Oct 13 18:27 ca.key
    -rw-r--r-- 1 root root 3815 Oct 14 14:10 client.crt
    -rw-r--r-- 1 root root 733 Oct 14 14:10 client.csr
    -rw------- 1 root root 916 Oct 14 14:10 client.key
  17. 修改openvpn client 配置文件

    [root@ip-192-168-110-244 openvpn]# cat client.conf
    client
    dev tun
    proto tcp
    remote 124.127.242.73 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    comp-lzo
    verb 3
  18. 启动openvpn Client服务

    [root@ip-192-168-110-244 ~]# cd /etc/openvpn/
    [root@ip-192-168-110-244 openvpn]# /usr/sbin/openvpn --config /etc/openvpn/client.conf
  19. 进行测试

  20. supervisor安装
     注：`wget ... -O - | python` 以 root 身份直接执行从网络下载、未经校验的脚本，存在供应链风险；建议优先使用发行版软件包安装，或先下载到本地核对内容与校验值后再执行。

    [root@plat1 srv]# wget https://bootstrap.pypa.io/ez_setup.py -O - | python
    [root@plat1 srv]# easy_install supervisor
    [root@plat1 srv]# echo_supervisord_conf > /etc/supervisord.conf
  21. 使用supervisord支持openvpn

    [root@plat1 srv]# cat /etc/supervisord.conf
    [program:openvpn]
    directory=/etc/openvpn
    command=/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf
    process_name=%(program_name)s
    numprocs=1
    user=root
    autostart=true
    autorestart=true
    stdout_logfile=/tmp/supervisor_openvpn.log
  22. supervisord启动

    [root@plat1 srv]# /usr/bin/supervisord -c /etc/supervisord.conf
    [root@plat1 openvpn]# supervisorctl reload