OpenVPN 2.4.7 Deployment: Creating and Configuring Client Certificates

An earlier post recorded the deployment of OpenVPN 2.3.4. This time, deploying the latest version 2.4.7 with easy-rsa 3.0, the configuration differs from the easy-rsa 2.x versions in several places, so this is a record of it.

1. Compiling and installing OpenVPN

Either compiling from source or installing with yum works.

1.1 Install the dependencies and the yum repository

[root@localhost ~]# yum install openssl-devel lzo-devel pam-devel gcc
[root@localhost ~]# wget -O /etc/yum.repos.d/epel-7.repo  http://mirrors.aliyun.com/repo/epel-7.repo

1.2 Download the OpenVPN source

[root@localhost ~]# wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.7.tar.gz

1.3 Compile and install OpenVPN

[root@localhost ~]# tar xf openvpn-2.4.7.tar.gz
[root@localhost ~]# cd openvpn-2.4.7
[root@localhost openvpn-2.4.7]# ./configure --prefix=/etc/openvpn
[root@localhost openvpn-2.4.7]# make
[root@localhost openvpn-2.4.7]# make install

2. Installing easy-rsa

[root@localhost ~]# yum -y install easy-rsa

3. Configuring the server

3.1 Copy the files

[root@localhost ~]# cp -r /usr/share/easy-rsa /etc/openvpn/
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cd 3.0.3/
[root@localhost 3.0.3]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
[root@localhost 3.0.3]# ls
easyrsa openssl-1.0.cnf vars x509-types

3.2 Generate the certificates

Create a new PKI and a CA:

[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.3/pki

[root@localhost 3.0.3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................+++
........................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key.IEMW9gptmK'
Enter PEM pass phrase: # set a passphrase (the CA uses it when it later signs the server and client certificates; pressing Enter sets no passphrase)
Verifying - Enter PEM pass phrase: # repeat it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # press Enter (accept the default, or type a different name)
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.3/pki/ca.crt

Passing nopass when creating the CA leaves the CA key unencrypted, so the "Enter PEM pass phrase" prompt does not appear.
Example: [root@localhost 3.0.3]# ./easyrsa build-ca nopass

3.3 Create the server certificate

[root@localhost 3.0.3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................................................+++
...................................+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/server.key.7O6iK8N5ie'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: # press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key

3.4 Sign the server certificate

Sign the server certificate request. easy-rsa first shows the request details for confirmation; type yes, then enter the passphrase that was set during build-ca.

[root@localhost 3.0.3]# ./easyrsa sign-req server server

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
commonName = server


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes # type yes to confirm the details
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key: # enter the passphrase set when the CA was created
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'server'
Certificate is to be certified until Oct 9 09:39:51 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

3.5 Verify the certificate files

Use the openssl command to verify the certificate and make sure there are no errors. The output below means the preceding steps were done correctly:

[root@localhost 3.0.3]# openssl verify -CAfile pki/ca.crt pki/issued/server.crt
pki/issued/server.crt: OK

3.6 Create the Diffie-Hellman parameters

This takes a while; be patient.

[root@localhost 3.0.3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...................................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem

3.7 Server configuration

[root@localhost 3.0.3]# vim /etc/openvpn/server.conf

port 11194
proto tcp
dev tun

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem

;ifconfig-pool-persist /etc/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd

server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.0"
client-to-client

keepalive 20 120
comp-lzo

user openvpn
group openvpn

persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 1
mute 20

Here, client-config-dir /etc/openvpn/ccd points to the directory of per-client configuration files that assign each client its IP addresses.

For example:

[root@localhost openvpn]# cat ccd/xfyun-bj-qa1
ifconfig-push 10.8.0.13 10.8.0.14

These addresses come in 255.255.255.252 (/30) blocks, so each block has only two usable IPs. Work the addresses out carefully when writing the configuration, otherwise the VPN client will not be reachable after it connects.
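The /30 arithmetic behind that ccd line, as an added worked example (it is not part of the original post). With the server directive above and OpenVPN's default net30 topology, each client gets its own /30, so the last octets of an ifconfig-push pair must be [4n+1, 4n+2]: [5,6], [9,10], [13,14] ... [253,254], while [1,2] is the server's own pair. The helpers print the n-th valid pair, check an existing ccd line, write one ccd file per client and check a whole ccd directory. The client names and the temporary directory are constructed for the demo, and the check only covers the pair arithmetic, not whether a static pair collides with addresses the server hands out dynamically from the same subnet.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for OpenVPN net30 /30 pairs.
# With "server 10.8.0.0 255.255.255.0" and the default net30 topology each client
# gets a /30; the last octets of an ifconfig-push pair must be [4n+1, 4n+2],
# and [1,2] is reserved for the server itself.

# net30_pair PREFIX N: print the N-th client pair (N=1 -> .5/.6 ... N=63 -> .253/.254).
net30_pair() {
    prefix=$1
    n=$2
    case $n in ''|*[!0-9]*) return 1 ;; esac          # must be a plain integer
    [ "$n" -ge 1 ] && [ "$n" -le 63 ] || return 1     # .1/.2 belongs to the server
    printf 'ifconfig-push %s.%d %s.%d\n' \
        "$prefix" $(( n * 4 + 1 )) "$prefix" $(( n * 4 + 2 ))
}

# net30_check "ifconfig-push A B": exit 0 if the line is a valid client pair
# inside one /24, otherwise 1. This is the check to run on every ccd file.
net30_check() {
    set -- $1
    [ $# -eq 3 ] && [ "$1" = "ifconfig-push" ] || return 1
    [ "${2%.*}" = "${3%.*}" ] || return 1             # same first three octets
    a=${2##*.}
    b=${3##*.}
    case "$a$b" in *[!0-9]*) return 1 ;; esac
    [ $(( a % 4 )) -eq 1 ] || return 1                # client address ends in 4n+1
    [ "$b" -eq $(( a + 1 )) ] || return 1             # peer is the next address
    [ "$a" -ne 1 ]                                    # .1/.2 is the server's own /30
}

# write_ccd DIR PREFIX NAME...: one ccd file per client with successive pairs;
# prints how many files were written.
write_ccd() {
    dir=$1
    prefix=$2
    shift 2
    mkdir -p "$dir"
    i=1
    for name in "$@"; do
        net30_pair "$prefix" "$i" > "$dir/$name" || return 1
        i=$(( i + 1 ))
    done
    echo $(( i - 1 ))
}

# check_ccd_dir DIR: print "<file>: OK|BAD" for each ccd file; exit 1 if any is bad.
check_ccd_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if net30_check "$(head -n 1 "$f")"; then
            echo "$f: OK"
        else
            echo "$f: BAD"
            rc=1
        fi
    done
    return $rc
}

# Demo with constructed client names in a temporary ccd directory.
demo_dir=${CCD_DEMO_DIR:-$(mktemp -d)}
write_ccd "$demo_dir" 10.8.0 xfyun-bj-qa1 xfyun-bj-qa2 xfyun-bj-qa3 >/dev/null
check_ccd_dir "$demo_dir"
```

Running check_ccd_dir against the real /etc/openvpn/ccd before restarting the server catches the mistake the paragraph above warns about (a client that connects but cannot be reached) while it is still cheap to fix.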

3.8 Copy the server certificates

[root@localhost openvpn]# mkdir -p /etc/openvpn/server/
[root@localhost openvpn]# cp easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/server/
[root@localhost openvpn]# cp easy-rsa/3.0.3/pki/private/server.key /etc/openvpn/server/
[root@localhost openvpn]# cp easy-rsa/3.0.3/pki/issued/server.crt /etc/openvpn/server/
[root@localhost openvpn]# cp easy-rsa/3.0.3/pki/dh.pem /etc/openvpn/server/

3.9 Create the service user

Create the user openvpn that the openvpn process runs as:

[root@localhost openvpn]# useradd -s /sbin/nologin openvpn

3.10 Start openvpn

[root@localhost openvpn]# nohup /etc/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &

Start at boot (the command is backgrounded with &, otherwise rc.local would block):

[root@localhost openvpn]# echo "nohup /etc/openvpn/sbin/openvpn --config /etc/openvpn/server.conf &" >> /etc/rc.d/rc.local
[root@localhost openvpn]# chmod +x /etc/rc.d/rc.local

Or, as a systemd unit:

[root@localhost openvpn]# cat /usr/lib/systemd/system/openvpn.service
[Unit]
Description=openvpn
After=network.target

[Service]
User=root
Group=root
ExecStart=/etc/openvpn/sbin/openvpn --config /etc/openvpn/server.conf

[Install]
WantedBy=multi-user.target

4. Creating client certificates

4.1 Create the certificate

[root@localhost 3.0.3]# cd /etc/openvpn/easy-rsa/3.0.3/
[root@localhost 3.0.3]# pwd
/etc/openvpn/easy-rsa/3.0.3
[root@localhost 3.0.3]# ./easyrsa gen-req haifly-bj-ops nopass # client certificate name, no passphrase

########################### generated output ###########################
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
............+++

writing new private key to '/etc/openvpn/easy-rsa/3.0.3/pki/private/haifly-bj-ops.key.FkrLzXH9Bm'
-----

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.
-----

Common Name (eg: your user, host, or server name) [haifly-bj-ops]: # press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.3/pki/reqs/haifly-bj-ops.req
key: /etc/openvpn/easy-rsa/3.0.3/pki/private/haifly-bj-ops.key

########################### generated output ###########################

4.2 Sign the client certificate

[root@localhost 3.0.3]# ./easyrsa sign-req client haifly-bj-ops
########################### generated output ###########################

Note: using Easy-RSA configuration from: ./vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
commonName = client


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 8 01:54:57 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/haifly-bj-ops.crt

########################### generated output ###########################

4.3 Collect the certificates and copy them to the client

[root@localhost 3.0.3]# mkdir -p /etc/openvpn/client/ && cd /etc/openvpn/client/
[root@localhost client]# cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt ./
[root@localhost client]# cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/haifly-bj-ops.crt ./
[root@localhost client]# cp /etc/openvpn/easy-rsa/3.0.3/pki/private/haifly-bj-ops.key ./

5. Configuring the client connection

5.1 Configure a Linux client

Install and configure the client.

The CA certificate and the key files go in the /etc/openvpn/key directory.

[root@haifly-bj-tools1 ~]# yum install -y openvpn
[root@haifly-bj-tools1 ~]# cd /etc/openvpn/
[root@haifly-bj-tools1 openvpn]# mkdir key
[root@haifly-bj-tools1 openvpn]# cat client.conf
client
remote 47.94.215.241 11194
proto tcp
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ca key/ca.crt
cert key/xfyun-bj-tools1.crt
key key/xfyun-bj-tools1.key
redirect-gateway def1
ns-cert-type server
comp-lzo
verb 3
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

Enable packet forwarding in the kernel:

[root@haifly-bj-tools1 openvpn]# echo 1 >/proc/sys/net/ipv4/ip_forward
[root@haifly-bj-tools1 openvpn]# head -1 /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@haifly-bj-tools1 openvpn]# sysctl -p
[root@haifly-bj-tools1 openvpn]# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0

Start the VPN:

[root@haifly-bj-tools1 openvpn]# /etc/init.d/openvpn start
Starting openvpn: [ OK ]

Start at boot:

[root@haifly-bj-tools1 openvpn]# echo "cd /etc/openvpn/" >> /etc/rc.d/rc.local
[root@haifly-bj-tools1 openvpn]# echo "nohup openvpn --config client.conf &" >> /etc/rc.d/rc.local

If a firewall is in use, iptables NAT forwarding needs to be configured.

Typically, once the configuration is finished, a connected client still cannot reach the internal network, because iptables NAT forwarding has not been configured.

Usually the iptables rules are flushed first, forwarding is configured, and then the other policies (port restrictions, IP restrictions and so on) are added.

Allow the client network 10.8.0.0/24 to communicate with the internal network:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Restrict a given client IP to a specific server or service (configure this rule only when the rule above is not present).

Restrict the client IP 10.8.0.6 so that it can only reach the internal server 172.16.206.78:

iptables -t nat -A POSTROUTING -s 10.8.0.6/30 -o eth0 -d 172.16.206.78 -j MASQUERADE

Allow a VPN client IP to reach a specific port on a specific IP:

iptables -t nat -A POSTROUTING -s 192.168.60.204/30 -o eth0 -p tcp --dport 8080 -d 172.16.203.120 -j MASQUERADE

-s       the client IP (the static IP configured in the ccd file)
-p       the protocol
--dport  the destination port
-d       the destination IP address

List the iptables rules with line numbers:

iptables -t nat -L -n --line-numbers

Delete the rule with a given line number:

iptables -t nat -D POSTROUTING 1
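An added example (not part of the original post) that derives these per-client rules from the ccd files of section 3.7, so that the -s address in each rule is exactly the static client address that ifconfig-push assigned, written as /32 rather than the /30 used above. IPTABLES and WAN_IF are hypothetical environment overrides introduced for this script: with IPTABLES=echo the rules are printed instead of applied, which is also how the demo at the end runs on a constructed ccd directory.

```shell
#!/bin/sh
# Added example, not from the original post: build the per-client MASQUERADE
# rules from the ccd files so that -s is exactly the static client address that
# ifconfig-push assigned. IPTABLES and WAN_IF are hypothetical overrides for this
# script; IPTABLES=echo prints the rules instead of applying them.

IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}     # outgoing interface, eth0 as in the rules above

# ccd_client_ip FILE: the client address from the file's first ifconfig-push line.
ccd_client_ip() {
    awk '$1 == "ifconfig-push" { print $2; exit }' "$1"
}

# nat_rule_args CLIENT_IP DEST [PORT]: the rule, as /32 of the client address;
# with PORT it is limited to TCP on that port, otherwise to the whole host.
nat_rule_args() {
    if [ -n "${3:-}" ]; then
        echo "-t nat -A POSTROUTING -s $1/32 -o $WAN_IF -p tcp --dport $3 -d $2 -j MASQUERADE"
    else
        echo "-t nat -A POSTROUTING -s $1/32 -o $WAN_IF -d $2 -j MASQUERADE"
    fi
}

# apply_ccd_rules CCD_DIR DEST [PORT]: one rule per ccd file that has an
# ifconfig-push line; files without one (e.g. only an iroute) are skipped.
apply_ccd_rules() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        ip=$(ccd_client_ip "$f")
        [ -n "$ip" ] || continue
        # word-splitting the generated rule into arguments is intended here
        $IPTABLES $(nat_rule_args "$ip" "$2" ${3:-}) || return 1
    done
}

# Demo on a constructed ccd directory; the rules are printed, not applied.
demo_dir=$(mktemp -d)
printf 'ifconfig-push 10.8.0.13 10.8.0.14\n' > "$demo_dir/xfyun-bj-qa1"
printf 'ifconfig-push 10.8.0.17 10.8.0.18\n' > "$demo_dir/xfyun-bj-qa2"
( IPTABLES=echo; apply_ccd_rules "$demo_dir" 172.16.206.78 )
( IPTABLES=echo; apply_ccd_rules "$demo_dir" 172.16.203.120 8080 )
```

Generating the rules from the same files that assign the addresses keeps the two in step: when a client's ccd entry changes, re-running the script produces the matching -s address instead of a stale one.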

5.2 Configure a Windows client

Client software: openvpn-install-2.4.7-I603.exe

On my side the client certificates are written directly into the client.ovpn configuration file, which is then loaded by importing that configuration file.

client
remote 47.94.215.241 11194
proto tcp
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>

</ca>
<cert>

</cert>
<key>

</key>

redirect-gateway def1
ns-cert-type server
comp-lzo
verb 3
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

Then click the OpenVPN GUI desktop icon to connect.

6. Certificate revocation

If there are several client certificates on the VPN server and you want to revoke some of them, revoke them with the easy-rsa command.

6.1 Revoke the client certificate

./easyrsa revoke xxxx   # xxxx is the client name that was given to gen-req

6.2 Generate the CRL

./easyrsa gen-crl

This creates a crl.pem file in the pki directory.

6.3 Edit server.conf and enable the crl-verify option

vim server.conf

crl-verify /etc/openvpn/easy-rsa/3.0.3/pki/crl.pem

6.4 Restart the openvpn service

After restarting the openvpn service, test the client connection again: the client can no longer connect, which shows that the revocation worked.

To revoke further client certificates later, only steps 6.1, 6.2 and 6.4 are needed.
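Sections 3.5 and 6 reproduced with plain openssl, as an added example that is not part of the original post and does not touch the post's files: a throwaway CA is created in a scratch directory, a server and a client certificate are issued with the same extensions that easy-rsa's server and client types set, the openssl verify check from 3.5 is run, then the client certificate is revoked, a CRL is generated, and verification against that CRL is shown to fail for it. The directory, names, 30-day lifetimes and the DEMO_PKI_DIR override are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway PKI built with plain
# openssl to show what "openssl verify -CAfile" (section 3.5) proves, the stricter
# purpose check behind OpenVPN's remote-cert-tls, and how a CRL (section 6)
# makes a revoked certificate fail. Paths, names and the 30-day lifetimes are
# constructed for the demo; easy-rsa is not needed.
set -e

work=${DEMO_PKI_DIR:-$(mktemp -d)}   # scratch directory (assumed writable)

# Minimal openssl config: [ca] for issuing/revoking plus the extensions that
# easy-rsa's x509-types/server and x509-types/client put on certificates.
write_config() {
    mkdir -p "$work/newcerts"
    : > "$work/index.txt"
    : > "$work/index.txt.attr"
    echo 1000 > "$work/serial"
    echo 1000 > "$work/crlnumber"
    cat > "$work/demo.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $work/index.txt
new_certs_dir = $work/newcerts
certificate = $work/ca.crt
private_key = $work/ca.key
serial = $work/serial
crlnumber = $work/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# build-ca equivalent (nopass: -nodes leaves ca.key unencrypted).
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$work/demo.cnf" -extensions ca_ext -subj "/CN=Demo CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
}

# gen-req + sign-req equivalent: issue_cert NAME server_ext|client_ext
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$work/demo.cnf" \
        -subj "/CN=$1" -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$work/demo.cnf" -extensions "$2" \
        -in "$work/$1.csr" -out "$work/$1.crt" 2>/dev/null
}

# Section 3.5 check: does the certificate chain to our CA?
verify_chain() {
    openssl verify -CAfile "$work/ca.crt" "$work/$1.crt" >/dev/null 2>&1
}

# Stricter: chain plus the serverAuth EKU, i.e. what a client's
# "remote-cert-tls server" requires before trusting the server certificate.
verify_as_server() {
    openssl verify -purpose sslserver -CAfile "$work/ca.crt" "$work/$1.crt" >/dev/null 2>&1
}

# Section 6 equivalent of "easyrsa revoke NAME" followed by "easyrsa gen-crl".
revoke_cert() {
    openssl ca -config "$work/demo.cnf" -revoke "$work/$1.crt" 2>/dev/null
    openssl ca -config "$work/demo.cnf" -gencrl -out "$work/crl.pem" 2>/dev/null
}

# What the server does with crl-verify: chain check plus a CRL lookup.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$work/ca.crt" -CRLfile "$work/crl.pem" \
        "$work/$1.crt" >/dev/null 2>&1
}

demo() {
    write_config
    build_ca
    issue_cert server server_ext
    issue_cert client client_ext
    verify_chain server                                  # OK
    verify_chain client                                  # OK
    verify_as_server server                              # OK: has serverAuth
    if verify_as_server client; then return 1; fi        # rejected as a server
    revoke_cert client
    verify_with_crl server                               # still OK
    if verify_with_crl client; then return 1; fi         # revoked: rejected
    echo "demo passed; files in $work"
}

demo
```

Two points the demo makes explicit. First, openssl verify -CAfile only proves that the certificate chains to the CA; the -purpose sslserver check additionally requires the serverAuth extended key usage, which is what the client directive remote-cert-tls server (the OpenVPN 2.4 replacement for the deprecated ns-cert-type server used in the client configs above) checks, and easy-rsa 3 sets that EKU on certificates signed with sign-req server. If a client keeps ns-cert-type server, the server certificate must carry the Netscape nsCertType extension instead, which easy-rsa 3 only adds when EASYRSA_NS_SUPPORT is set to yes in vars. Second, for crl-verify in section 6 the server re-reads the CRL file while running as the unprivileged user from server.conf (user openvpn), so that file must be readable by that user; since easy-rsa keeps its pki directory private, one common approach is to copy crl.pem next to the other files in /etc/openvpn/server/ after every gen-crl and point crl-verify there.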
