
1 Basics
1.1 Introduction to OpenVPN
OpenVPN is a full-featured open-source SSL VPN solution.
OpenVPN accommodates a wide range of configurations, including remote access, site-to-site VPN, Wi-Fi security, and load balancing, failover and fine-grained functionality.
OpenVPN offers granular access control while keeping complexity and security in balance.
OpenVPN provides a cost-effective, lightweight alternative for the SMB and enterprise markets.
1.2 Features of OpenVPN
OpenVPN is based on the SSL security model (SSL is the industry standard for secure communications).
OpenVPN uses SSL/TLS to implement secure network extension at OSI layer 2 or layer 3 (supporting client authentication by certificate, smart card or two-factor authentication).
OpenVPN allows access control for specific users or groups in combination with firewall rules.
2 Best Practice
2.1 System environment
2.1.1 Environment information
hostname = openvpnser.cmdschool.org
interface = enp4s0f0
ipaddress = 192.168.0.250/24
gateway = 192.168.0.1
dns = 202.96.128.86 202.96.128.166
interface = enp4s0f1
ipaddress = 10.168.0.1/24
2.1.2 Configure SELinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
2.1.3 Configure the EPEL repository
yum install -y epel-release
2.2 Software installation
2.2.1 Install common tools
yum install -y vim wget
2.2.2 Configure NTP
yum install -y chrony
It is also recommended to set the time zone:
timedatectl set-timezone Asia/Shanghai
2.2.3 Install the OpenVPN packages
yum install -y openvpn easy-rsa
2.3 Configure the server certificates
2.3.1 Deploy the key directory
cp -r /usr/share/easy-rsa/ /etc/openvpn/server/
cd /etc/openvpn/server/easy-rsa/3.0
find /usr/ -type f -name "vars.example" -exec cp {} ./vars \;
2.3.2 Create a new PKI
./easyrsa init-pki
The following message is shown:
[...] Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki
2.3.3 Create the CA certificate
./easyrsa build-ca nopass
Complete the configuration by following the wizard:
[...]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ser.cmdschool.org
[...]
Your new CA certificate file for publishing is at:
/etc/openvpn/server/easy-rsa/3.0/pki/ca.crt
2.3.4 Create the server certificate
./easyrsa gen-req server nopass
Complete the configuration by following the wizard:
[...]
Common Name (eg: your user, host, or server name) [server]:ser.cmdschool.org
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/server/easy-rsa/3.0/pki/reqs/server.req
key: /etc/openvpn/server/easy-rsa/3.0/pki/private/server.key
2.3.5 Sign the server certificate
./easyrsa sign server server
Complete the configuration by following the wizard:
[...]
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
[...]
Certificate created at: /etc/openvpn/server/easy-rsa/3.0/pki/issued/server.crt
2.3.6 Create the Diffie-Hellman parameters
./easyrsa gen-dh
Complete the configuration by following the wizard:
[...]
DH parameters of size 2048 created at /etc/openvpn/server/easy-rsa/3.0/pki/dh.pem
2.4 Configure the client certificate environment
2.4.1 Deploy the key directory
cp -r /usr/share/easy-rsa/ /etc/openvpn/client/
cd /etc/openvpn/client/easy-rsa/3.0
find /usr/ -type f -name "vars.example" -exec cp {} ./vars \;
2.4.2 Create a new PKI
./easyrsa init-pki
The following message is shown:
[...] Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki
2.5 Issue the client certificate
2.5.1 Declare the client certificate name
clientName=will
2.5.2 Create the client certificate
cd /etc/openvpn/client/easy-rsa/3.0
./easyrsa gen-req $clientName nopass
The "clientName" keyword can be replaced with your own client name; complete the configuration by following the wizard:
[...]
Common Name (eg: your user, host, or server name) [will]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/clientName.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/clientName.key
2.5.3 Sign the client certificate
cd /etc/openvpn/server/easy-rsa/3.0
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0/pki/reqs/$clientName.req $clientName
The "clientName" keyword can be replaced with your own client name; the following is shown:
[...]
The request has been successfully imported with a short name of: will
You may now use this name to perform signing operations on this request.
With the import done, now sign the client certificate:
cd /etc/openvpn/server/easy-rsa/3.0
./easyrsa sign client $clientName
The "clientName" keyword can be replaced with your own client name; the following is shown:
[...]
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
[...]
Certificate created at: /etc/openvpn/server/easy-rsa/3.0/pki/issued/will.crt
2.5.4 Collect the client certificates
cp /etc/openvpn/client/easy-rsa/3.0/pki/private/$clientName.key /etc/openvpn/client/
cp /etc/openvpn/server/easy-rsa/3.0/pki/issued/$clientName.crt /etc/openvpn/client/
cp /etc/openvpn/server/easy-rsa/3.0/pki/ca.crt /etc/openvpn/client/
Note: the three files above are the certificates the client configuration needs; deploy them to the OpenVPN client.
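Before handing the three files to a client, it is worth confirming that they belong together. The following shell function is an added example (not part of the original post or of easy-rsa) and assumes the openssl command-line tool is installed: it checks that the client certificate chains to ca.crt, that the private key matches it, that it carries the client-authentication extended key usage that "easyrsa sign client" sets, and that the server certificate carries server authentication, which is what the client-side "remote-cert-tls server" directive verifies later.

```shell
#!/bin/sh
# verify_bundle CA_CRT CLIENT_CRT CLIENT_KEY SERVER_CRT
# Added example (not from the original post or easy-rsa); needs the openssl CLI.
# Prints one line per check and returns 0 only when every check passes.
verify_bundle() {
    ca="$1"; crt="$2"; key="$3"; srv="$4"; rc=0
    for f in "$ca" "$crt" "$key" "$srv"; do
        [ -r "$f" ] || { echo "FAIL missing or unreadable: $f"; return 1; }
    done
    # 1. the client certificate must have been signed by this CA
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok   client cert chains to $ca"
    else
        echo "FAIL client cert does not chain to $ca"; rc=1
    fi
    # 2. the private key must belong to the client certificate (same public key)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "ok   private key matches client cert"
    else
        echo "FAIL private key does not match client cert"; rc=1
    fi
    # 3. 'easyrsa sign client' sets the clientAuth extended key usage
    if openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "ok   client cert has clientAuth EKU"
    else
        echo "FAIL client cert lacks clientAuth EKU"; rc=1
    fi
    # 4. the server cert must carry serverAuth, which is what a client
    #    configured with 'remote-cert-tls server' checks during the handshake
    if openssl x509 -in "$srv" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "ok   server cert has serverAuth EKU"
    else
        echo "FAIL server cert lacks serverAuth EKU"; rc=1
    fi
    return $rc
}

# Stand-alone use with the layout from steps 2.5.4 and 2.6.2, for example:
# verify_bundle /etc/openvpn/client/ca.crt /etc/openvpn/client/will.crt \
#               /etc/openvpn/client/will.key /etc/openvpn/server/server.crt
if [ "$#" -eq 4 ]; then
    verify_bundle "$@"
else
    echo "usage: $0 ca.crt client.crt client.key server.crt"
fi
```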
2.6 Configure the server instances
2.6.1 Create the instance directories
mkdir -p /etc/openvpn/{tcp,udp}
2.6.2 Deploy the server certificates
cp /etc/openvpn/server/easy-rsa/3.0/pki/ca.crt /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/3.0/pki/private/server.key /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/3.0/pki/issued/server.crt /etc/openvpn/server/
cp /etc/openvpn/server/easy-rsa/3.0/pki/dh.pem /etc/openvpn/server/
Note: because the tcp and udp instances share one server certificate, for ease of management the certificates are deployed to the server directory rather than to the instance directories.
2.6.3 Add the configuration file for the TCP service
vim /etc/openvpn/tcp.conf
Add the following configuration:
#local 192.168.0.128
port 1194
#proto udp
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
status /etc/openvpn/tcp/openvpn.status
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/tcp/ipp.txt
push "route 10.168.0.0 255.255.255.0"
push "route 10.168.1.0 255.255.255.0"
push "route 10.168.100.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 202.96.128.86"
push "dhcp-option DNS 202.96.128.166"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /etc/openvpn/server/ccd
# route 10.168.2.0 255.255.255.0
client-to-client
keepalive 10 120
#tls-auth ta.key 0
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
log /var/log/openvpn.log
verb 3
mssfix 1300
Notes on the configuration above:
– "proto" declares the protocol used between the OpenVPN server and its clients; valid values are "udp" and "tcp"
– "dev" declares the device type: "tun" (OSI layer 3) or "tap" (OSI layer 2)
– "ca" declares the path to the certificate authority (root) certificate
– "cert" declares the path to the server's public certificate
– "key" declares the path to the server's private key
– "dh" declares the path to the server's Diffie-Hellman key-exchange parameters
– "status" declares the file in which the server records its status
– "server" declares the subnet to use; by default the server takes the ".1" address as the TUN/TAP gateway and the remaining addresses are assigned to clients
– "ifconfig-pool-persist" declares the path of the file that records which address each client was given
– "push" declares options pushed to clients (for example route, dhcp-option and so on)
– "client-to-client" allows clients to reach one another
– "keepalive" declares the ping interval and the timeout after which the server/client connection is considered broken
– "tls-auth" adds an extra HMAC authentication layer on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack (an "HMAC firewall")
– "comp-lzo" enables compression; in newer versions it is superseded by the "compress" option
– "max-clients" declares the maximum number of concurrent clients
– "user" declares the user the VPN process runs as after initialization (privileges are dropped to it)
– "group" declares the group the VPN process runs as after initialization
– "persist-key" declares that key material is not re-read when the tunnel is restarted by SIGUSR1 or "ping-restart"
– "persist-tun" declares that the up/down scripts are not re-run (the tun device stays open) when the tunnel is restarted by SIGUSR1 or "ping-restart"
– "log" declares the log file path
– "verb" declares the log verbosity: 1-4 is the normal range, 5 adds packet read/write output, 6-11 add debugging output
– "mssfix" declares an upper bound on the TCP MSS of sessions carried inside the tunnel, so that the encapsulated packets fit without fragmentation
2.6.4 Add the configuration file for the UDP service
vim /etc/openvpn/udp.conf
Add the following configuration:
#local 192.168.0.128
port 1194
proto udp
# proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
status /etc/openvpn/udp/openvpn.status
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/udp/ipp.txt
push "route 10.168.0.0 255.255.255.0"
push "route 10.168.1.0 255.255.255.0"
push "route 10.168.100.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 202.96.128.86"
push "dhcp-option DNS 202.96.128.166"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /etc/openvpn/server/ccd
route 10.168.1.0 255.255.255.0
client-to-client
keepalive 10 120
#tls-auth ta.key 0
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
log /var/log/openvpn.log
verb 3
mssfix 1300
The configuration above refers to a directory that we still need to create:
mkdir -p /etc/openvpn/server/ccd
2.6.5 Configure the service control scripts for the TCP and UDP instances
cp /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn@tcp.service
cp /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/openvpn@udp.service
After the change, reload the systemd daemon before using the units:
systemctl daemon-reload
2.6.6 Start the TCP and UDP services and enable them at boot
systemctl start openvpn@tcp.service
systemctl start openvpn@udp.service
systemctl enable openvpn@tcp.service
systemctl enable openvpn@udp.service
If a service fails to start, troubleshoot with the following logs:
tail -f /var/log/messages
tail -f /var/log/openvpn.log
2.7 Configure iptables and routing
2.7.1 Configure iptables
yum remove -y firewalld
yum install -y iptables-services
Having replaced the default firewalld with iptables as above, start the service and enable it at boot:
systemctl start iptables
systemctl enable iptables
Then edit the iptables rules with the following command:
vim /etc/sysconfig/iptables
Modify the configuration as follows:
# Generated by iptables-save v1.4.7 on Tue Dec 8 14:59:26 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.168.0.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -s 10.168.0.0/24 -o tun0 -j MASQUERADE
-A POSTROUTING -s 10.168.0.0/24 -o tun1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o enp4s0f0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o tun1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp4s0f0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o tun0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp4s0f0 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o tun1 -j MASQUERADE
COMMIT
# Completed on Tue Dec 8 14:59:26 2015
# Generated by iptables-save v1.4.7 on Tue Dec 8 14:59:26 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun1 -j ACCEPT
-A INPUT -i enp4s0f0 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5910 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 19765 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o enp4s0f1 -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
-A FORWARD -o tun1 -j ACCEPT
-A FORWARD -o enp4s0f0 -j ACCEPT
COMMIT
# Completed on Tue Dec 8 14:59:26 2015
After editing the configuration file, restart the service for the rules to take effect:
systemctl restart iptables
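One line in the ruleset above deserves a second look: "-A INPUT -i enp4s0f0 -j ACCEPT" accepts every packet arriving on the interface that faces the gateway (and therefore carries the incoming VPN connections) before the per-port rules and the INPUT DROP policy can apply, so the explicit 22/1194 rules only constrain traffic from other interfaces; whether that is acceptable depends on what else is reachable on 192.168.0.0/24. The following shell function is an added example (not part of the original post) that lints a file in iptables-save format: it flags blanket per-interface ACCEPT rules in INPUT and FORWARD on physical interfaces and checks that the OpenVPN port rules and the NAT entries for the two tunnel subnets are present. The sample ruleset is constructed to mirror the one above.

```shell
#!/bin/sh
# lint_iptables FILE : audits an iptables-save file like /etc/sysconfig/iptables above.
# Added example (not from the original post); returns the number of WARN findings.
lint_iptables() {
    f="$1"; warns=0
    # blanket per-interface ACCEPTs bypass every later port rule and the DROP policy;
    # loopback and the tun devices are expected, physical interfaces are flagged
    while read -r line; do
        case "$line" in
            "-A INPUT -i "*" -j ACCEPT"|"-A FORWARD -o "*" -j ACCEPT")
                set -- $line
                case "$4" in lo|tun*) continue ;; esac
                echo "WARN blanket accept on physical interface: $line"
                warns=$((warns + 1)) ;;
        esac
    done < "$f"
    # rules the OpenVPN instances from 2.6 depend on (one per protocol, plus NAT
    # for each tunnel subnet toward the inside interface)
    for want in "-A INPUT -p udp -m udp --dport 1194 -j ACCEPT" \
                "-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT" \
                "-A POSTROUTING -s 10.8.0.0/24 -o enp4s0f1 -j MASQUERADE" \
                "-A POSTROUTING -s 10.9.0.0/24 -o enp4s0f1 -j MASQUERADE"; do
        if grep -qxF -- "$want" "$f"; then
            echo "ok   $want"
        else
            echo "WARN missing: $want"; warns=$((warns + 1))
        fi
    done
    return $warns
}
# Constructed sample mirroring the ruleset above (abridged), used when no file is given.
SAMPLE_RULES='*nat
-A POSTROUTING -s 10.8.0.0/24 -o enp4s0f1 -j MASQUERADE
-A POSTROUTING -s 10.9.0.0/24 -o enp4s0f1 -j MASQUERADE
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i enp4s0f0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -o enp4s0f1 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
COMMIT'
if [ "$#" -eq 1 ]; then lint_iptables "$1" || echo "$? warning(s)"; else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    lint_iptables "$tmp" || echo "$? warning(s)"; rm -f "$tmp"
fi
```

Run it as "sh lint.sh /etc/sysconfig/iptables" on the server; on the sample it reports the INPUT and FORWARD blanket accepts on the two physical interfaces and exits with status 2.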
2.7.2 Configure IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.d/99-sysctl.conf
2.8 Configure the OpenVPN client
2.8.1 Windows installation and deployment
Download and install the OpenVPN Windows client from the following link:
https://openvpn.net/community-downloads/
Since the client is not the focus of this chapter, download and install it yourself; then open the configuration file with
notepad C:\Program Files\OpenVPN\config\client.ovpn
Modify the configuration as follows:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote openvpnser.cmdschool.org 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert clientName.crt
key clientName.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
Notes on the configuration above:
– "remote" declares the remote host name (or IP address), port and protocol
– Copy the client certificates "ca.crt", "clientName.crt" and "clientName.key" to the "C:\Program Files\OpenVPN\config\" directory
2.8.2 Linux client configuration
vim /etc/openvpn/client.conf
Add the following configuration:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote openvpnser.cmdschool.org 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert clientName.crt
key clientName.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
Note: only the configuration is listed above; consult the relevant documentation for anything else that depends on your system type. Also note that "ns-cert-type" is deprecated and was removed in OpenVPN 2.5; on current clients use the "remote-cert-tls server" form shown in the Windows file, which checks the server certificate's extended key usage instead.
2.8.3 Android installation and deployment
Download and install the OpenVPN Android client from the following link:
https://github.com/schwabe/ics-openvpn
Reference documents:
==================
OpenVPN parameter reference
—————
https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/#scripting-and-environmental-variables
Reference manual
——————
https://openvpn.net/community-resources/#articles
https://openvpn.net/community-resources/#documentation
https://community.openvpn.net/openvpn/wiki