如何基于CentOS 7部署OpenVPN?

VPN

1 基础知识

1.1 OpenVPN的介绍

OpenVPN是一个功能齐全的开源SSL VPN解决方案
OpenVPN能适应多种配置,包括远程访问、站点到站点VPN、WI-Fi安全以及负载均衡、故障转移和精细化功能
OpenVPN具有粒度访问控制,能达到复杂性和安全性的高度一致
OpenVPN可为中小企业和企业市场提供经济高效的轻量级替代方案

1.2 OpenVPN的特点

OpenVPN基于SSL安全模型(SSL是安全通讯行业的标准)
OpenVPN使用SSL/TLS实现OSI第二、三层的安全网络扩展(支持证书、智能卡或双因素认证等客户端身份验证方式)
OpenVPn允许结合防火墙规则对特定用户或组进行访问控制

2 最佳实践

2.1 系统环境

2.1.1 环境信息

hostname = openvpnser.cmdschool.org
interface = enp4s0f0
ipaddress = 192.168.0.250/24
gateway = 192.168.0.1
dns = 202.96.128.86 202.96.128.166

interface = enp4s0f1
ipaddress = 10.168.0.1/24

2.1.2 配置epel源

yum install -y epel-release

2.2 软件安装

2.2.1 安装常用工具

yum install -y vim wget

2.2.2 配置ntp

yum install -y chrony

另外,建议设置时区,

timedatectl set-timezone Asia/Shanghai

2.2.3 安装openvpn软件包

yum install -y openvpn easy-rsa

2.3 配置服务端证书

2.3.1 部署秘钥目录

cp -r /usr/share/easy-rsa/ /etc/openvpn/server/
cd /etc/openvpn/server/easy-rsa/3.0
find /usr/ -type f -name "vars.example" -exec cp {} ./vars \;

2.3.2 创建新的PIK

./easyrsa init-pki

可见如下提示信息,

[...]
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki

2.3.3 创建CA证书

./easyrsa build-ca nopass

需根据以下向导完成配置,

[...]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ser.cmdschool.org
[...]
Your new CA certificate file for publishing is at:
/etc/openvpn/server/easy-rsa/3.0/pki/ca.crt

2.3.4 创建服务端证书

./easyrsa gen-req server nopass

需根据以下向导完成配置,

[...]
Common Name (eg: your user, host, or server name) [server]:ser.cmdschool.org

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/server/easy-rsa/3.0/pki/reqs/server.req
key: /etc/openvpn/server/easy-rsa/3.0/pki/private/server.key

2.3.5 签署的服务端证书

./easyrsa sign server server

需根据以下向导完成配置,

[...]
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
[...]
Certificate created at: /etc/openvpn/server/easy-rsa/3.0/pki/issued/server.crt

2.3.6 创建Diffie-Hellman

./easyrsa gen-dh

需根据以下向导完成配置,

[...]
DH parameters of size 2048 created at /etc/openvpn/server/easy-rsa/3.0/pki/dh.pem

2.4 配置并签发客户端证书

2.4.1 部署秘钥目录

cp -r /usr/share/easy-rsa/ /etc/openvpn/client/
cd /etc/openvpn/client/easy-rsa/3.0
find /usr/ -type f -name "vars.example" -exec cp {} ./vars \;

2.4.2 创建新的PIK

./easyrsa init-pki

可见如下提示信息,

[...]
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki

2.4.3 创建客户端证书

clientName=will
./easyrsa gen-req $clientName nopass

“clientName”关键字可替换成你的客户端名称,我们需要根据以下向导完成配置,

[...]
Common Name (eg: your user, host, or server name) [will]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/clientName.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/clientName.key

2.4.4 签署客户端证书

clientName=will
cd /etc/openvpn/server/easy-rsa/3.0
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0/pki/reqs/$clientName.req $clientName

“clientName”关键字可替换成你的客户端名称,可见如下显示,

[...]
The request has been successfully imported with a short name of: will
You may now use this name to perform signing operations on this request.

执行完导入,现在来签署客户端证书,

clientName=will
./easyrsa sign client $clientName

“clientName”关键字可替换成你的客户端名称,可见如下显示,

[...]
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
[...]
Certificate created at: /etc/openvpn/server/easy-rsa/3.0/pki/issued/will.crt

2.4.5 汇总客户端证书

clientName=will
cp /etc/openvpn/client/easy-rsa/3.0/pki/private/$clientName.key /etc/openvpn/client/
cp /etc/openvpn/server/easy-rsa/3.0/pki/issued/$clientName.crt /etc/openvpn/client/
cp /etc/openvpn/server/easy-rsa/3.0/pki/ca.crt /etc/openvpn/client/

注:以上三个证书客是户端配置所需的证书,请部署到OpenVPN客户端

2.5 配置服务端实例

2.5.1 创建实例文件夹

mkdir -p /etc/openvpn/{tcp,udp}

2.5.2 部署服务端证书

cp /etc/openvpn/server/easy-rsa/3.0/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/3.0/pki/private/server.key /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/3.0/pki/issued/server.crt /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/3.0/pki/dh.pem /etc/openvpn/server/

注:由于tcp与udp两个实例使用同一份服务端证书,便于管理起见,证书没有部署到实例文件夹,而是部署到server文件夹

2.5.3 增加配置tcp服务的文件

vim /etc/openvpn/tcp.conf

加入如下配置:

#local 192.168.0.128
port 1194
#proto udp
proto tcp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem

status /etc/openvpn/tcp/openvpn.status
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/tcp/ipp.txt

push "route 10.168.0.0 255.255.255.0"
push "route 10.168.1.0 255.255.255.0"
push "route 10.168.100.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 202.96.128.86"
push "dhcp-option DNS 202.96.128.166"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-config-dir /etc/openvpn/server/ccd
# route 10.168.2.0 255.255.255.0

client-to-client
keepalive 10 120
#tls-auth ta.key 0
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
log         /var/log/openvpn.log
verb 3
mssfix 1300

以上使用需要注意,
– 参数“proto”声明OpenVPN服务端与客户端的通讯协议,可选值有“udp”和“tcp”
– 参数“dev”声明设备的类型“tun”(OSI第三层)、“tap”(OSI第二层)
– 参数“ca”声明证书颁发机构即根证书证书路径
– 参数“cert”声明服务器端公钥证书路径
– 参数“key”声明服务器端私钥证书路径
– 参数“dh”声明服务器端秘钥交换证书路径
– 参数“status”声明记录服务器端的状态文件
– 参数“server”声明使用的网段,服务器默认使用“.1”地址作为TUN/TAP的网关,其他的分配给客户端
– 参数“ifconfig-pool-persist”声明登录客户端与地址的记录文件路径
– 参数“push”声明推动到客户端操作(例如推送route、dhcp-option等)
– 参数“client-to-client”声明客户端到客户端可相互访问
– 参数“keepalive”声明服务端到客户端之间的断开超时时间
– 参数“tls-auth”声明TLS控制通道之上添加额外的HMAC身份验证层以减轻Dos攻击和TLS堆栈攻击(启用HMAC防火墙)
– 参数“comp-lzo”声明启用压缩,新版本由参数“compress”代替
– 参数“max-clients”声明最大并发的客户端数量
– 参数“user”声明VPN隧道的所有者用户
– 参数“group”声明VPN隧道的所有组
– 参数“persist-key”声明不通过SIGUSR1或“ping-restart”参数重读配置文件
– 参数“persist-tun”声明不通过SIGUSR1或“ping-restart”参数重启up/down脚本
– 参数“log”声明日志文件的路径
– 参数“verb”声明日志输出的详细级别,1-4正常范围、5包含数据包读写输出、6-11包含调试
– 参数“mssfix”声明VPN隧道的TCP恢复数据包的大小限制

2.5.4 增加配置udp服务的文件

vim /etc/openvpn/udp.conf

加入如下配置:

#local 192.168.0.128
port 1194
proto udp
# proto tcp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem

status /etc/openvpn/udp/openvpn.status
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/udp/ipp.txt

push "route 10.168.0.0 255.255.255.0"
push "route 10.168.1.0 255.255.255.0"
push "route 10.168.100.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 202.96.128.86"
push "dhcp-option DNS 202.96.128.166"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

client-config-dir /etc/openvpn/server/ccd
route 10.168.1.0 255.255.255.0

client-to-client
keepalive 10 120
#tls-auth ta.key 0
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
log         /var/log/openvpn.log
verb 3
mssfix 1300

根据以上配置,我们需要创建配置文件定义的目录,

mkdir -p /etc/openvpn/server/ccd

2.5.5 配置TCP与UDP实例服务控制脚本

cp /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn@tcp.service
cp /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn@udp.service

修改完成,我们需要重载daemon才能使用,

systemctl daemon-reload

2.5.6 启动TCP与UDP服务并设置自启动

systemctl start openvpn@tcp.service
systemctl start openvpn@udp.service
systemctl enable openvpn@tcp.service
systemctl enable openvpn@udp.service

如果启动服务有异常,请通过以下日志排错,

tail -f /var/log/messages
tail -f /var/log/openvpn.log

2.6 配置iptables和路由

2.6.1 配置iptables

yum remove -y firewalld
yum install -y iptables-services

以上使用iptables代替默认的firewalld后,你需要启动服务并配置服务自启动,

systemctl start iptables
systemctl enable iptables

然后,通过如下命令修改iptables的通讯规则,

vim /etc/sysconfig/iptables

配置修改如下,

# Generated by iptables-save v1.4.7 on Tue Dec  8 14:59:26 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s  10.168.0.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -s  10.168.0.0/24 -o tun0 -j MASQUERADE
-A POSTROUTING -s  10.168.0.0/24 -o tun1 -j MASQUERADE
-A POSTROUTING -s  192.168.0.0/24 -o enp4s0f0 -j MASQUERADE
-A POSTROUTING -s  192.168.0.0/24 -o tun0 -j MASQUERADE
-A POSTROUTING -s  192.168.0.0/24 -o tun1 -j MASQUERADE
-A POSTROUTING -s  10.8.0.0/24 -o enp4s0f0 -j MASQUERADE
-A POSTROUTING -s  10.8.0.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -s  10.8.0.0/24 -o tun0 -j MASQUERADE
-A POSTROUTING -s  10.9.0.0/24 -o enp4s0f0 -j MASQUERADE
-A POSTROUTING -s  10.9.0.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -s  10.9.0.0/24 -o tun1 -j MASQUERADE
COMMIT
# Completed on Tue Dec  8 14:59:26 2015
# Generated by iptables-save v1.4.7 on Tue Dec  8 14:59:26 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun1 -j ACCEPT
-A INPUT -i enp4s0f0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 19765 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o enp4s0f1 -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -o tun1 -j ACCEPT
-A FORWARD -o enp4s0f0 -j ACCEPT
COMMIT
# Completed on Tue Dec  8 14:59:26 2015

配置文件修改后,需要重启服务是配置生效,

systemctl restart iptables

2.6.2 配置路由转发

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 'net.ipv4.ip_forward = 0' >> /etc/sysctl.d/99-sysctl.conf

2.7 配置OpenVPN客户端

2.7.1 Windows端的安装部署

请从以下链接下载并安装OpenVPN Windows客户端
https://openvpn.net/community-downloads/
客户端由于非本章重点,以上请自行下载安装,配置文件请

notepad C:\Program Files\OpenVPN\config\client.ovpn

配置修改如下,

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote openvpnser.cmdschool.org 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;http-proxy-retry

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert clientName.crt
key clientName.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

以上使用需要注意,
– 参数“remote”声明远程主机名称(IP地址)、端口、协议
– 客户端证书“ca.crt”、“clientName.crt”、“clientName.key”请复制到“C:\Program Files\OpenVPN\config\”目录

2.7.2 Linux客户端配置

vim /etc/openvpn/client.conf

加入如下配置,

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote openvpnser.cmdschool.org 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert clientName.crt
key clientName.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

注:以上仅仅列出配置,其他请根据系统类型等参阅相关文件。

2.7.3 安卓端的安装部署

请从以下链接下载并安装OpenVPN 安卓客户端
https://github.com/schwabe/ics-openvpn

参阅文档:
==================

OpenVPN参数解析
—————
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/#scripting-and-environmental-variables

参考手册
——————
https://openvpn.net/community-resources/#articles
https://openvpn.net/community-resources/#documentation
https://community.openvpn.net/openvpn/wiki

没有评论

发表评论