一、证书制作
1、复制密钥生成文件EasyRSA-2.2.2到服务器目录
2、解压文件并给与777权限
[root@localhost ~]# unzip EasyRSA-2.2.2.zip[root@localhost ~]# chmod -R 777 EasyRSA-2.2.2
3、修改vars配置文件
[root@localhost EasyRSA-2.2.2]# vim vars[root@localhost EasyRSA-2.2.2]# grep -Ev '^#|^$' varsexport EASY_RSA="`pwd`"export OPENSSL="openssl"export PKCS11TOOL="pkcs11-tool"export GREP="grep"export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`export KEY_DIR="$EASY_RSA/keys"echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIRexport PKCS11_MODULE_PATH="dummy"export PKCS11_PIN="dummy"export KEY_SIZE=2048export CA_EXPIRE=3650export KEY_EXPIRE=3650export KEY_COUNTRY="cn" #国家export KEY_PROVINCE="henan" #省export KEY_CITY="zhengzhou" #城市export KEY_ORG="xinan" #组织export KEY_EMAIL="3037800336@qq.com" #邮箱export KEY_OU="xinan" #公司、组织export KEY_NAME="EasyRSA"[root@localhost EasyRSA-2.2.2]# source varsNOTE: If you run ./clean-all, I will be doing a rm -rf on /root/EasyRSA-2.2.2/keys#刷新环境并更新配置,以后的密钥文件都放在keys目录下[root@localhost EasyRSA-2.2.2]# ./clean-all[root@localhost EasyRSA-2.2.2]# lsbuild-ca build-key-pass build-req keys openssl-1.0.0.cnf varsbuild-dh build-key-pkcs12 build-req-pass list-crl pkitool whichopensslcnfbuild-inter build-key-server clean-all openssl-0.9.6.cnf revoke-fullbuild-key build-ner inherit-inter openssl-0.9.8.cnf sign-req
4、生成根证书和密钥
ca.crt ca.key
[root@localhost EasyRSA-2.2.2]# ./build-caGenerating a 2048 bit RSA private key..+++......+++writing new private key to 'ca.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [cn]:State or Province Name (full name) [henan]:Locality Name (eg, city) [zhengzhou]:Organization Name (eg, company) [xinan]:Organizational Unit Name (eg, section) [xinan]:Common Name (eg, your name or your server's hostname) [xinan CA]:Name [EasyRSA]:Email Address [3037800336@qq.com]:[root@localhost EasyRSA-2.2.2]# ls keysca.crt ca.key index.txt serial
5、生成服务端证书和密钥
server.crt server.key
[root@localhost EasyRSA-2.2.2]# ./build-key-server serverGenerating a 2048 bit RSA private key........................................................+++...............................................+++writing new private key to 'server.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [cn]:State or Province Name (full name) [henan]:Locality Name (eg, city) [zhengzhou]:Organization Name (eg, company) [xinan]:Organizational Unit Name (eg, section) [xinan]:Common Name (eg, your name or your server's hostname) [server]:Name [EasyRSA]:Email Address [3037800336@qq.com]:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:Using configuration from /root/EasyRSA-2.2.2/openssl-1.0.0.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'cn'stateOrProvinceName :PRINTABLE:'henan'localityName :PRINTABLE:'zhengzhou'organizationName :PRINTABLE:'xinan'organizationalUnitName:PRINTABLE:'xinan'commonName :PRINTABLE:'server'name :PRINTABLE:'EasyRSA'emailAddress :IA5STRING:'3037800336@qq.com'Certificate is to be certified until Jul 5 00:52:45 2031 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[root@localhost EasyRSA-2.2.2]# ls keys01.pem ca.crt ca.key index.txt index.txt.attr index.txt.old serial serial.old server.crt server.csr server.key
6、生成客户端证书和密钥
client.key client.crt
[root@localhost EasyRSA-2.2.2]# ./build-key clientGenerating a 2048 bit RSA private key..........................+++...................................+++writing new private key to 'client.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [cn]:State or Province Name (full name) [henan]:Locality Name (eg, city) [zhengzhou]:Organization Name (eg, company) [xinan]:Organizational Unit Name (eg, section) [xinan]:Common Name (eg, your name or your server's hostname) [client]:Name [EasyRSA]:Email Address [3037800336@qq.com]:Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:Using configuration from /root/EasyRSA-2.2.2/openssl-1.0.0.cnfCheck that the request matches the signatureSignature okThe Subject's Distinguished Name is as followscountryName :PRINTABLE:'cn'stateOrProvinceName :PRINTABLE:'henan'localityName :PRINTABLE:'zhengzhou'organizationName :PRINTABLE:'xinan'organizationalUnitName:PRINTABLE:'xinan'commonName :PRINTABLE:'client'name :PRINTABLE:'EasyRSA'emailAddress :IA5STRING:'3037800336@qq.com'Certificate is to be certified until Jul 5 00:55:35 2031 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[root@localhost EasyRSA-2.2.2]# ls keys/01.pem ca.crt client.crt client.key index.txt.attr index.txt.old serial.old server.csr02.pem ca.key client.csr index.txt index.txt.attr.old serial server.crt server.key
7、生成密钥交换文件
dh2048.pem
[root@localhost EasyRSA-2.2.2]# ./build-dhGenerating DH parameters, 2048 bit long safe prime, generator 2This is going to take a long time............................................................+.............................................+................................+...................................................................+..........................+..................................................................................................+..................................................................................................................+.....+..+........+.+.......[root@localhost EasyRSA-2.2.2]# ls keys01.pem ca.crt client.crt client.key index.txt index.txt.attr.old serial server.crt server.key02.pem ca.key client.csr dh2048.pem index.txt.attr index.txt.old serial.old server.csr
二、配置OpenVPN服务端
1、安装OpenVPN并修改配置文件
[root@localhost EasyRSA-2.2.2]# cd /etc/yum.repos.d/[root@localhost yum.repos.d]# curl -o epel.repo http://mirrors.aliyun.com/repo/epel-7.repo% Total % Received % Xferd Average Speed Time Time Time CurrentDload Upload Total Spent Left Speed100 664 100 664 0 0 10639 0 --:--:-- --:--:-- --:--:-- 10709[root@localhost yum.repos.d]# lsCentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo epel.repoCentOS-CR.repo CentOS-Media.repo CentOS-x86_64-kernel.repoCentOS-Debuginfo.repo CentOS-Sources.repo docker-ce.repo[root@localhost yum.repos.d]# yum clean all && yum makecache[root@localhost yum.repos.d]# yum -y install openvpn#配置openvpn 配置文件在/etc/openvpn[root@localhost yum.repos.d]# cd /etc/openvpn/[root@localhost openvpn]# mkdir keys[root@localhost keys]# cd /root/EasyRSA-2.2.2/keys#复制证书文件[root@localhost keys]# cp {server.crt,server.key,ca.crt,dh2048.pem} /etc/openvpn/keys[root@localhost keys]# cd /etc/openvpn/keys[root@localhost keys]# lsca.crt dh2048.pem server.crt server.key#复制配置文件[root@localhost keys]# cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf ../[root@localhost keys]# vim ../server.conf[root@localhost keys]# grep -Ev '^#|^$' ../server.conf;local a.b.c.dport 1194;proto tcpproto udp;dev tapdev tun;dev-node MyTapca keys/ca.crtcert keys/server.crtkey keys/server.key # This file should be kept secretdh keys/dh2048.pem;topology subnetserver 10.0.1.0 255.255.255.0 #客户端进来以后分配的地址网段ifconfig-pool-persist ipp.txt;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100;server-bridge;push "route 192.168.10.0 255.255.255.0";push "route 192.168.20.0 255.255.255.0"push "route 10.0.1.0 255.255.255.0" #添加路由规则要跟上面的分配网段一致push "route 192.168.0.0 255.255.255.0" #添加内网路由规则;client-config-dir ccd;route 192.168.40.128 255.255.255.248;client-config-dir ccd;route 10.9.0.0 255.255.255.252;learn-address ./script;push "redirect-gateway def1 bypass-dhcp";push "dhcp-option DNS 208.67.222.222";push "dhcp-option DNS 208.67.220.220";client-to-client;duplicate-cnkeepalive 10 120tls-auth keys/ta.key 0 #拒绝服务攻击文件cipher AES-256-GCM #加密模式;compress lz4-v2;push "compress lz4-v2";comp-lzo;max-clients 100;user nobody;group nobodypersist-keypersist-tunstatus openvpn-status.log;log openvpn.log;log-append openvpn.logverb 3;mute 20explicit-exit-notify 1#启用路由转发[root@localhost keys]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf[root@localhost keys]# sysctl -pnet.ipv4.ip_forward = 1
2、建立ta.key文件(拒绝服务攻击证书文件)
[root@localhost keys]# openvpn --genkey --secret ta.key[root@localhost keys]# lsca.crt dh2048.pem server.crt server.key ta.key
3、启动openvpn服务
[root@localhost openvpn]# cd /etc/openvpn/[root@localhost openvpn]# openvpn --daemon --config server.conf[root@localhost openvpn]# netstat -tlnup | grep 1194udp 0 0 0.0.0.0:1194 0.0.0.0:* 20157/openvpn
若有收获,就点个赞吧
0 人点赞
