# 安装OpenVPN
# Install OpenVPN and easy-rsa (both come from EPEL on CentOS), then confirm
# the openvpn binary is installed and on PATH.
yum install -y epel-release
yum install -y openvpn easy-rsa
openvpn --version
# 制作证书
# Copy the packaged easy-rsa tree under /etc/openvpn and work from its
# easy-rsa 3 directory; everything below is run from there.
cd /etc/openvpn && cp -r /usr/share/easy-rsa /etc/openvpn/
cd /etc/openvpn/easy-rsa/3/
# Edit the vars file; the set_var lines that follow are its contents.
vim vars
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "ID"
set_var EASYRSA_REQ_PROVINCE "Jakarta"
set_var EASYRSA_REQ_CITY "Jakarta"
set_var EASYRSA_REQ_ORG "hakase-labs CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "openvpn@hakase-labs.io"
set_var EASYRSA_REQ_OU "HAKASE-LABS EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "HAKASE-LABS CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
# vars is read by easyrsa, so the execute bit is presumably not required;
# harmless either way.
chmod +x vars
# Create an empty PKI, then the CA (build-ca asks for a CA passphrase and
# Common Name interactively unless nopass is given).
./easyrsa init-pki
./easyrsa build-ca
# Server key and request with no passphrase (nopass), signed by the CA with
# the "server" certificate type.
./easyrsa gen-req hakase-server nopass
./easyrsa sign-req server hakase-server
# Confirm the issued server certificate chains to the CA before deploying it.
openssl verify -CAfile pki/ca.crt pki/issued/hakase-server.crt
创建客户端密钥
# Client key and request with no passphrase, signed with the "client" type.
# The private key ends up in pki/private/ and must be treated as a secret.
./easyrsa gen-req client_01 nopass
./easyrsa sign-req client client_01
openssl verify -CAfile pki/ca.crt pki/issued/client_01.crt
# Diffie-Hellman parameters for the server (this step can take a while).
./easyrsa gen-dh
---复制服务器密钥和证书
# Server-side material: CA cert, server cert, server private key and DH params.
# After copying, check that hakase-server.key is readable by root only.
cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/hakase-server.crt /etc/openvpn/server/
cp pki/private/hakase-server.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
---复制client_01密钥和证书
# Client bundle for client_01: CA cert, client cert and the client private key
# (the whole directory is what gets handed to the end user later).
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client_01.crt /etc/openvpn/client/
cp pki/private/client_01.key /etc/openvpn/client/
# OpenVPN配置
---添加server配置文件
# Server config. The base name "service" must match the systemd instance
# started later (openvpn@service reads /etc/openvpn/service.conf).
cd /etc/openvpn/ && vi service.conf
# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun
# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/hakase-server.crt
key /etc/openvpn/server/hakase-server.key
# DH parameters and (optional) CRL
dh /etc/openvpn/server/dh.pem
# 注意:本文跳过了吊销证书(CRL)的检测,因此已吊销的客户端证书仍然能够连接
#crl-verify /etc/openvpn/server/crl.pem
# Network Configuration - Internal network
# Redirect all client traffic through the OpenVPN server
# 配置分配给客户端的内网网段(需与下面iptables NAT规则中的源网段保持一致)
server 192.168.200.128 255.255.255.128
push "redirect-gateway def1"
# Public DNS resolvers pushed to clients
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 114.114.114.114"
# Allow multiple clients to connect at once with the same certificate/key (they then share one identity)
duplicate-cn
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other Configuration (comp-lzo enables link compression, which upstream OpenVPN now deprecates; consider leaving it off)
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# OpenVPN Log
log-append openvpn.log
status openvpn-status.log
verb 3
---添加client配置文件
# Client profile. The ca/cert/key paths inside it are relative, so the .ovpn
# must be kept in the same directory as the copied certificate files.
cd /etc/openvpn/client && vi client_01.ovpn
client
dev tun
proto udp
# 配置你公司的出口IP
remote 113.xx.xx.xx 1194
ca ca.crt
cert client_01.crt
key client_01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
---增加路由转发的配置
-用firewalld或iptables都可以,我这边用的是iptables
# Enable IPv4 forwarding for the running kernel only; sysctl -w is not
# persisted, so also set net.ipv4.ip_forward=1 in /etc/sysctl.conf or
# /etc/sysctl.d/ to survive a reboot.
sysctl -w net.ipv4.ip_forward=1
# NAT VPN client traffic out through eth0. The /24 source range is wider
# than the 192.168.200.128/25 pool given by the "server" line, and "eth0"
# assumes that is the uplink interface — verify with ip route. Like the
# sysctl above, this rule is not saved across reboots.
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
---启动OpenVPN服务
# Start the instance for /etc/openvpn/service.conf (enable it separately if it
# should start on boot) and confirm something is listening on UDP 1194.
systemctl start openvpn@service
netstat -nlup | grep 1194
# 客户端配置
-找到软件安装路径,选择config目录,将/etc/openvpn下的client打包下载到本地(其中包含私钥client_01.key,请通过安全渠道传输),解压后将证书文件全部拷贝过去。
-双击桌面OpenVPN,右击图标,选择连接,连接成功会分配一个内网IP,说明已经成功连接到内网。