OpenVPN 部署
准备OpenVPN环境
#配置yum源
#注意:下面每个仓库都写了 gpgcheck=0,即安装时不校验 RPM 包签名,任何一个镜像被篡改或中间人替换了包都不会被发现(后文 rpm -qi 输出中的 Signature 只说明包本身带有签名,并不表示安装时验证过)。生产环境应设置 gpgcheck=1 并用 gpgkey= 指向发行版和 EPEL 的签名公钥,baseurl 中尽量只保留 https 镜像。
[root@OPEN-VPN yum.repos.d]#vim base.repo
[BaseOS]
name=BaseOS
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/BaseOS/x86_64/os/
http://mirrors.163.com/rocky/$releasever/BaseOS/x86_64/os/
https://mirrors.nju.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
"base.repo" 48L, 2062C 1,1 Top
[BaseOS]
name=BaseOS
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/BaseOS/x86_64/os/
http://mirrors.163.com/rocky/$releasever/BaseOS/x86_64/os/
https://mirrors.nju.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
http://mirrors.sdu.edu.cn/rocky/$releasever/BaseOS/x86_64/os/
gpgcheck=0
[AppStream]
name=AppStream
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/AppStream/x86_64/os/
http://mirrors.163.com/rocky/$releasever/AppStream/x86_64/os/
https://mirrors.nju.edu.cn/rocky/$releasever/AppStream/x86_64/os/
https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/AppStream/x86_64/os/
http://mirrors.sdu.edu.cn/rocky/$releasever/AppStream/x86_64/os/
gpgcheck=0
[extras]
name=extras
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/extras/$basearch/os
http://mirrors.163.com/rocky/$releasever/extras/$basearch/os
https://mirrors.nju.edu.cn/rocky/$releasever/extras/$basearch/os
https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/extras/$basearch/os
http://mirrors.sdu.edu.cn/rocky/$releasever/extras/$basearch/os
gpgcheck=0
enabled=1
[PowerTools]
name=CentOS-$releasever - PowerTools
baseurl=https://mirrors.aliyun.com/rockylinux/$releasever/PowerTools/$basearch/os/
http://mirrors.163.com/rocky/$releasever/PowerTools/$basearch/os/
http://mirrors.sdu.edu.cn/rocky/$releasever/PowerTools/$basearch/os/
https://mirrors.sjtug.sjtu.edu.cn/rocky/$releasever/PowerTools/$basearch/os/
http://mirrors.sdu.edu.cn/rocky/$releasever/PowerTools/$basearch/os/
gpgcheck=0
enabled=0
[epel]
name=EPEL
baseurl=https://mirror.tuna.tsinghua.edu.cn/epel/$releasever/Everything/$basearch
https://mirrors.cloud.tencent.com/epel/$releasever/Everything/$basearch
https://mirrors.huaweicloud.com/epel/$releasever/Everything/$basearch
https://mirrors.aliyun.com/epel/$releasever/Everything/$basearch
gpgcheck=0
enabled=1
#查看版本
[root@OPEN-VPN ~]#yum list openvpn
Last metadata expiration check: 0:03:06 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
openvpn.x86_64 2.4.12-1.el8 epel
[root@OPEN-VPN ~]#yum list easy-rsa
Last metadata expiration check: 0:02:49 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
easy-rsa.noarch 3.0.8-1.el8
安装OpenVPN和证书管理工具easy-rsa
#查看版本
[root@OPEN-VPN ~]#yum list openvpn
Last metadata expiration check: 0:03:06 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
openvpn.x86_64 2.4.12-1.el8 epel
[root@OPEN-VPN ~]#yum list easy-rsa
Last metadata expiration check: 0:02:49 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Available Packages
easy-rsa.noarch 3.0.8-1.el8 epel
#安装openvpn和easy-rsa
[root@OPEN-VPN ~]#yum -y install openvpn
Last metadata expiration check: 0:05:32 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Dependencies resolved.
===========================================================================================================
Package Architecture Version Repository Size
===========================================================================================================
Installing:
openvpn x86_64 2.4.12-1.el8 epel 545 k
Installing dependencies:
pkcs11-helper x86_64 1.22-7.el8 epel 64 k
Transaction Summary
===========================================================================================================
Install 2 Packages
Total download size: 609 k
Installed size: 1.4 M
Downloading Packages:
(1/2): pkcs11-helper-1.22-7.el8.x86_64.rpm 12 kB/s | 64 kB 00:05
(2/2): openvpn-2.4.12-1.el8.x86_64.rpm 85 kB/s | 545 kB 00:06
-------------------------------------------------------------------------------------------------------------------------------------------------
Total 94 kB/s | 609 kB 00:06
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : pkcs11-helper-1.22-7.el8.x86_64 1/2
Running scriptlet: openvpn-2.4.12-1.el8.x86_64 2/2
Installing : openvpn-2.4.12-1.el8.x86_64 2/2
Running scriptlet: openvpn-2.4.12-1.el8.x86_64 2/2
Verifying : openvpn-2.4.12-1.el8.x86_64 1/2
Verifying : pkcs11-helper-1.22-7.el8.x86_64 2/2
Installed:
openvpn-2.4.12-1.el8.x86_64 pkcs11-helper-1.22-7.el8.x86_64
Complete!
[root@OPEN-VPN ~]#yum -y install easy-rsa
Last metadata expiration check: 0:06:01 ago on Fri 19 Aug 2022 07:40:19 PM CST.
Dependencies resolved.
=================================================================================================================================================
Package Architecture Version Repository Size
=================================================================================================================================================
Installing:
easy-rsa noarch 3.0.8-1.el8 epel 47 k
Transaction Summary
=================================================================================================================================================
Install 1 Package
Total download size: 47 k
Installed size: 120 k
Downloading Packages:
easy-rsa-3.0.8-1.el8.noarch.rpm 11 kB/s | 47 kB 00:04
-------------------------------------------------------------------------------------------------------------------------------------------------
Total 11 kB/s | 47 kB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : easy-rsa-3.0.8-1.el8.noarch 1/1
Verifying : easy-rsa-3.0.8-1.el8.noarch 1/1
Installed:
easy-rsa-3.0.8-1.el8.noarch
Complete!
查看包中的文件
[root@OPEN-VPN yum.repos.d]#rpm -qi openvpn easy-rsa
Name : openvpn
Version : 2.4.12
Release : 1.el8
Architecture: x86_64
Install Date: Fri 19 Aug 2022 07:45:59 PM CST
Group : Unspecified
Size : 1310067
License : GPLv2
Signature : RSA/SHA256, Fri 18 Mar 2022 05:21:34 AM CST, Key ID 21ea45ab2f86d6a1
Source RPM : openvpn-2.4.12-1.el8.src.rpm
Build Date : Fri 18 Mar 2022 03:01:23 AM CST
Build Host : buildvm-x86-26.iad2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : https://community.openvpn.net/
Bug URL : https://bugz.fedoraproject.org/openvpn
Summary : A full-featured SSL VPN solution
Description :
OpenVPN is a robust and highly flexible tunneling application that uses all
of the encryption, authentication, and certification features of the
OpenSSL library to securely tunnel IP networks over a single UDP or TCP
port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
for compression.
Name : easy-rsa
Version : 3.0.8
Release : 1.el8
Architecture: noarch
Install Date: Fri 19 Aug 2022 07:46:25 PM CST
Group : Unspecified
Size : 122756
License : GPLv2
Signature : RSA/SHA256, Thu 10 Sep 2020 09:23:22 PM CST, Key ID 21ea45ab2f86d6a1
Source RPM : easy-rsa-3.0.8-1.el8.src.rpm
Build Date : Thu 10 Sep 2020 09:20:42 PM CST
Build Host : buildvm-s390x-23.s390.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : https://github.com/OpenVPN/easy-rsa
Bug URL : https://bugz.fedoraproject.org/easy-rsa
Summary : Simple shell based CA utility
Description :
This is a small RSA key management package, based on the openssl
command line tool, that can be found in the easy-rsa subdirectory
of the OpenVPN distribution. While this tool is primary concerned
with key management for the SSL VPN application space, it can also
be used for building web certificates.
[root@OPEN-VPN yum.repos.d]#rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/.build-id
/usr/lib/.build-id/66
/usr/lib/.build-id/66/bd0dab2368dc0d844282225cb7f20f1db4bd9b
/usr/lib/.build-id/9e
/usr/lib/.build-id/9e/360159708bfe37bf6bbae0fa9facffbd2556dc
/usr/lib/.build-id/ca
/usr/lib/.build-id/ca/29127991f2fbcd366ca4d99df93d6d333eebcd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn
/usr/share/doc/openvpn/AUTHORS
/usr/share/doc/openvpn/COPYING
/usr/share/doc/openvpn/COPYRIGHT.GPL
/usr/share/doc/openvpn/ChangeLog
/usr/share/doc/openvpn/Changes.rst
/usr/share/doc/openvpn/README
/usr/share/doc/openvpn/README.auth-pam
/usr/share/doc/openvpn/README.down-root
/usr/share/doc/openvpn/README.systemd
/usr/share/doc/openvpn/contrib
/usr/share/doc/openvpn/contrib/OCSP_check
/usr/share/doc/openvpn/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn/contrib/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn/contrib/pull-resolv-conf
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn/management-notes.txt
/usr/share/doc/openvpn/sample
/usr/share/doc/openvpn/sample/sample-config-files
/usr/share/doc/openvpn/sample/sample-config-files/README
/usr/share/doc/openvpn/sample/sample-config-files/client.conf
/usr/share/doc/openvpn/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn/sample/sample-config-files/home.up
/usr/share/doc/openvpn/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn/sample/sample-config-files/office.up
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn/sample/sample-config-files/server.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn/sample/sample-scripts
/usr/share/doc/openvpn/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn/sample/sample-windows
/usr/share/doc/openvpn/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn
[root@OPEN-VPN yum.repos.d]#rpm -ql easy-rsa
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/COPYING.md
/usr/share/doc/easy-rsa/ChangeLog
/usr/share/doc/easy-rsa/README.md
/usr/share/doc/easy-rsa/README.quickstart.md
/usr/share/doc/easy-rsa/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa
/usr/share/licenses/easy-rsa/gpl-2.0.txt
准备相关配置文件
#准备证书相关文件
[root@OPEN-VPN yum.repos.d]#cp -r /usr/share/easy-rsa/3/ /etc/openvpn/easy-rsa
[root@OPEN-VPN yum.repos.d]#tree /etc/openvpn/easy-rsa/
/etc/openvpn/easy-rsa/
├── easyrsa
├── openssl-easyrsa.cnf
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
1 directory, 10 files
#准备颁发证书相关变量的配置文件
[root@OPEN-VPN yum.repos.d]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars
[root@OPEN-VPN yum.repos.d]#tree /etc/openvpn/easy-rsa/
/etc/openvpn/easy-rsa/
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
1 directory, 11 files
#设置CA和OpenVPN服务器的证书有效期,可适当加长。注意:36500天(约100年)等于事实上取消了过期机制,私钥一旦泄露,唯一的失效手段是吊销(./easyrsa revoke 后 gen-crl,并在服务端配置 crl-verify 加载 CRL);另外 EASYRSA_CERT_EXPIRE 对之后签发的所有证书(包括客户端证书)都生效,并非只针对服务端。
[root@OPEN-VPN yum.repos.d]#vim /etc/openvpn/easy-rsa/vars
#set_var EASYRSA_CA_EXPIRE 3650 CA证书有效期默认3650天,现设置为36500天
set_var EASYRSA_CA_EXPIRE 36500
#set_var EASYRSA_CERT_EXPIRE 825 服务器证书有效期默认为825天,设置为36500天
set_var EASYRSA_CERT_EXPIRE 36500
[root@OPEN-VPN yum.repos.d]#tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa
│ ├── easyrsa
│ ├── openssl-easyrsa.cnf
│ ├── vars
│ └── x509-types
│ ├── ca
│ ├── client
│ ├── code-signing
│ ├── COMMON
│ ├── email
│ ├── kdc
│ ├── server
│ └── serverClient
└── server
准备证书相关文件
初始化PKI和CA颁发机构环境
#证书脚本的使用帮助
[root@OPEN-VPN easy-rsa]#cd /etc/openvpn/easy-rsa/
[root@OPEN-VPN easy-rsa]#./easyrsa
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Easy-RSA 3 usage and overview
USAGE: easyrsa [options] COMMAND [command-options]
A list of commands is shown below. To get detailed usage and help for a
command, run:
./easyrsa help COMMAND
For a listing of options that can be supplied before the command, use:
./easyrsa help options
Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.
init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base> [cmd-opts]
renew <filename_base> [cmd-opts]
build-serverClient-full <filename_base> [ cmd-opts ]
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
show-ca [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p8 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
upgrade <type>
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /etc/openvpn/easy-rsa
PKI: /etc/openvpn/easy-rsa/pki
#初始化PKI生成PKI相关目录和文件
[root@OPEN-VPN easy-rsa]#./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@OPEN-VPN easy-rsa]#tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa
│ ├── easyrsa
│ ├── openssl-easyrsa.cnf
│ ├── pki
│ │ ├── openssl-easyrsa.cnf
│ │ ├── private
│ │ ├── reqs
│ │ └── safessl-easyrsa.cnf
│ ├── vars
│ └── x509-types
│ ├── ca
│ ├── client
│ ├── code-signing
│ ├── COMMON
│ ├── email
│ ├── kdc
│ ├── server
│ └── serverClient
└── server
7 directories, 13 files
创建 CA 机构证书环境(注意:下面用 nopass 生成的 CA 私钥 pki/private/ca.key 没有口令保护,且与 OpenVPN 服务端放在同一台主机上;服务器一旦被攻破,攻击者即可用它签发任意客户端证书接入 VPN。生产环境应为 CA 私钥设置口令,或把 CA 放在离线主机上,只把 ca.crt 和签发好的证书/CRL 复制到服务器。)
[root@OPEN-VPN easy-rsa]#./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................................+++++
.....................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Open-CA #命名
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
[root@OPEN-VPN easy-rsa]#tree pki
pki
├── ca.crt #ca证书
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key #私钥
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 7 files
#查看生成CA相关的文件
[root@OPEN-VPN easy-rsa]#cat pki/serial
01
[root@OPEN-VPN easy-rsa]#ll pki/index.txt
-rw------- 1 root root 0 Aug 19 20:14 pki/index.txt
[root@OPEN-VPN easy-rsa]#cat pki/serial
01
[root@OPEN-VPN easy-rsa]#ll pki/ca.crt pki/private/ca.key
-rw------- 1 root root 1188 Aug 19 20:15 pki/ca.crt
-rw------- 1 root root 1675 Aug 19 20:14 pki/private/ca.key
#查看生成的自签名证书
[root@OPEN-VPN easy-rsa]#cat pki/ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@OPEN-VPN easy-rsa]#openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
31:d1:68:c5:e2:59:ad:4b:58:4d:00:d7:58:7a:d0:7a:56:16:54:18
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Open-CA
Validity
Not Before: Aug 19 12:15:11 2022 GMT
Not After : Jul 26 12:15:11 2122 GMT
Subject: CN = Open-CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e1:1f:34:32:c8:d9:a6:fd:39:0f:29:62:a2:91:
e7:f9:61:4f:e7:24:81:64:5b:29:1b:b4:35:ae:c1:
10:41:25:78:4c:fd:18:64:e3:30:20:60:58:e3:fc:
4c:8c:34:40:d3:5c:a7:01:3d:a7:e6:0e:33:2a:88:
86:c9:39:50:0a:63:f0:cb:9b:22:18:ed:57:1e:6e:
8a:cb:af:07:6b:79:74:58:82:64:21:aa:25:e6:48:
35:4a:89:04:61:d1:22:09:07:17:f3:97:4c:fc:ce:
c2:4f:4f:f1:ea:24:33:d4:19:c0:c9:07:67:59:02:
11:73:3f:91:6e:cb:11:1f:e3:65:9e:37:21:3e:f4:
ac:9e:fd:44:f2:fb:cd:9e:1f:d9:fe:23:3e:c7:99:
dd:48:0b:0d:2c:e1:22:55:db:72:a2:1e:26:77:e8:
4d:87:56:ab:80:88:78:3e:3a:10:f7:d0:09:55:34:
53:c0:50:69:c5:ca:f8:0f:72:00:0c:95:46:96:5d:
4d:74:7d:7f:15:d3:af:33:b5:80:7b:fd:40:c4:e2:
d0:ab:b6:f8:5c:39:60:b5:e0:24:e9:ce:51:47:a4:
45:b3:b7:23:74:96:39:e2:38:88:f6:2a:48:87:69:
76:70:2e:cc:84:3a:47:33:37:ba:55:5c:95:7f:a1:
c3:89
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
X509v3 Authority Key Identifier:
keyid:98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
DirName:/CN=Open-CA
serial:31:D1:68:C5:E2:59:AD:4B:58:4D:00:D7:58:7A:D0:7A:56:16:54:18
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
b8:6d:85:56:80:41:89:a7:84:bc:59:5f:1c:d0:45:cb:ea:fe:
ee:f0:76:54:30:bd:ef:27:58:d5:e7:4a:1c:85:8f:3a:09:0a:
14:86:45:69:4e:e6:5f:48:d5:02:0e:64:0d:62:fb:af:45:f4:
5f:2d:0d:3c:11:a5:6b:f4:40:0e:b1:a7:c6:55:bc:3c:47:26:
ec:df:d3:07:27:68:2c:6b:8b:57:cf:31:b0:eb:23:82:05:83:
c1:b5:b9:b5:8b:4a:30:9c:70:92:f6:f7:c5:22:58:c0:7f:b6:
d6:7e:d8:d2:cb:81:01:f3:aa:f8:ed:eb:4f:05:8d:f9:88:32:
a5:fe:ad:44:05:22:e5:24:be:b5:0e:e3:b5:96:c0:07:8e:69:
e8:67:b2:fd:ab:ca:1d:99:5c:e1:79:92:2a:e0:c6:72:21:42:
85:d3:48:48:db:97:e0:dc:99:9c:c4:ae:80:21:92:67:ac:e6:
bb:98:31:fe:fc:37:58:88:db:45:79:f0:97:68:4b:ce:e3:fe:
58:5a:34:50:d5:76:36:dd:2b:e4:d0:c0:6c:82:5c:71:7d:81:
57:69:f5:22:1b:f0:d6:a2:06:50:f3:b0:0a:7c:46:1c:b0:c0:
b4:e4:0f:7d:d4:9a:35:d7:92:a9:b3:52:1c:52:cf:8d:17:c9:
4f:6a:1f:99
准备服务端证书环境
#创建服务端证书申请
[root@OPEN-VPN easy-rsa]#./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
.............+++++
..................................................................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-2676.Q3r6LY/tmp.OL1u7X'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:OpenVPN
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
[root@OPEN-VPN easy-rsa]#tree pki/
pki/
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key #密钥文件
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req #申请文件
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 9 files
#颁发服务端证书(以 server 类型签发,证书会带上 Extended Key Usage: TLS Web Server Authentication;客户端配置中应加 remote-cert-tls server,这样持有普通客户端证书的人无法冒充服务端)
[root@OPEN-VPN easy-rsa]#./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 36500 days:
subject=
commonName = OpenVPN
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-2758.W5coEX/tmp.KdpHqF
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'OpenVPN'
Certificate is to be certified until Jul 26 12:26:27 2122 GMT (36500 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
[root@OPEN-VPN easy-rsa]#tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── A8DDBD8D92EBA8975E0B51FAEF80AEB8.pem #Openvpn服务器证书
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt #Openvpn服务器证书
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 14 files
[root@OPEN-VPN easy-rsa]#cat pki/issued/server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a8:dd:bd:8d:92:eb:a8:97:5e:0b:51:fa:ef:80:ae:b8
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Open-CA
Validity
Not Before: Aug 19 12:26:27 2022 GMT
Not After : Jul 26 12:26:27 2122 GMT
Subject: CN=OpenVPN
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9f:49:70:c3:ff:a8:e8:9d:be:ed:bc:08:b5:2c:
93:31:7c:65:2e:a5:a3:03:5f:41:37:8a:1c:10:27:
6d:b8:aa:dc:4e:a5:4b:cd:59:fe:70:36:8b:59:20:
e6:40:6d:b7:e1:2d:34:09:b5:55:23:b8:0b:cd:7a:
89:c6:73:1c:05:00:b4:a2:dd:75:1d:ee:9e:f4:fa:
bd:bd:5b:9c:43:7b:35:4c:e2:f9:f5:b7:79:ae:59:
7b:31:1e:71:a7:ef:4a:db:2d:c5:9e:15:91:04:d2:
58:86:4b:cf:bf:27:90:c3:19:ce:bf:3d:4c:17:af:
00:13:f1:1c:56:20:92:ee:df:76:5e:ec:97:30:98:
99:2f:5b:1e:53:39:48:21:be:40:4a:f4:a6:58:a6:
ef:cc:c0:c1:99:0f:46:49:44:df:df:52:85:6d:f7:
04:01:86:e1:27:6c:c0:f2:47:a6:26:40:88:26:b0:
1e:db:ec:6b:38:32:6b:33:59:24:62:87:2a:21:66:
63:e1:74:ce:2f:50:24:8b:27:2b:2c:21:8d:76:c0:
42:6e:a4:f6:1f:d4:c6:41:b6:2c:80:45:01:c7:86:
20:11:cc:4f:86:67:65:8e:ca:42:d2:1d:ea:c5:eb:
23:ea:09:df:6e:8a:e9:b3:66:ac:fc:ff:f1:5a:78:
77:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
B3:6C:AF:C8:3D:44:42:A8:B1:7B:2F:75:78:E3:02:9C:4B:E7:4C:7E
X509v3 Authority Key Identifier:
keyid:98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
DirName:/CN=Open-CA
serial:31:D1:68:C5:E2:59:AD:4B:58:4D:00:D7:58:7A:D0:7A:56:16:54:18
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:OpenVPN
Signature Algorithm: sha256WithRSAEncryption
82:69:37:35:ca:3a:38:47:ce:e1:e9:b3:48:17:b8:ba:a3:22:
66:97:54:7c:cd:1f:35:bb:ce:81:35:35:70:6c:de:05:37:4a:
16:ec:57:7d:e8:b7:81:bc:75:f8:e5:6b:20:32:dd:87:22:f4:
8f:68:44:f3:86:ed:b4:ff:46:1d:c1:ed:b5:03:49:17:cf:27:
0d:f2:a6:a2:9c:aa:5f:29:09:6f:0c:46:86:77:37:01:cc:1b:
b8:67:c5:02:a6:b2:66:be:88:52:e5:ba:34:2b:63:12:87:2e:
9a:52:4b:05:28:97:08:59:a4:78:16:0d:24:20:1d:d9:3d:42:
d1:52:21:4d:ee:1f:28:6f:01:91:79:53:4d:de:66:95:86:60:
63:f6:c2:e9:d3:69:61:32:a3:2c:c9:10:e1:9b:b0:95:be:36:
40:c9:67:b4:89:f7:c2:43:5f:a9:24:70:38:9c:71:46:ef:ff:
eb:ee:d4:8e:27:c4:55:b8:03:46:fe:e8:25:a3:94:68:ff:f5:
4f:5d:5a:72:71:01:01:84:92:8c:06:bd:85:de:56:ad:dc:95:
3c:69:0d:53:ac:e7:83:3e:fe:07:4a:95:bf:e0:c2:0d:e3:9e:
9d:76:44:2c:f2:59:2c:70:07:44:ea:a3:84:8d:3b:08:27:c2:
83:ae:e6:fe
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@OPEN-VPN easy-rsa]#cat pki/serial
A8DDBD8D92EBA8975E0B51FAEF80AEB9
[root@OPEN-VPN easy-rsa]#cat pki/index.txt
V 21220726122627Z A8DDBD8D92EBA8975E0B51FAEF80AEB8 unknown /CN=OpenVPN
[root@OPEN-VPN easy-rsa]#cat pki/serial.old
a8ddbd8d92eba8975e0b51faef80aeb8
创建 Diffie-Hellman 密钥
#创建 Diffie-Hellman 参数(生成的 dh.pem 只是公开的 DH 群参数,不是密钥,无需保密;2048 位是目前可接受的最低长度)
[root@OPEN-VPN easy-rsa]#./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................................................................................+.......................................................+........................................................................................................................................................................................+...........................+...........................................................+................................... .......+......................+..............................................................................................+......................................................................................................................................................................................................................................................................................................................................+.............................................................................................................................................................................................................................+..............+................................................................+..+...............................................................+..........+........................++*++*++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
#查看生成文件
[root@OPEN-VPN easy-rsa]# ll pki/dh.pem
-rw------- 1 root root 424 Aug 19 20:31 pki/dh.pem
[root@OPEN-VPN easy-rsa]#cat pki/dh.pem
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA8wCXPyhcgLE/7Q+RX1NsHZlnZNtOUYFVCGgfGYukETo60KjlXLc/
EgSRTXIaF7KNo1mtm6JYMR2N0yau1OF8anSHbfqyhci/uUvVnpiqC6xKsJDXQzW4
sbaS+uaaVjaVdSrSyk0RzhV5N8Z4f5byo66sPpT4/p3RhUaoZ8+qrJsf+2yb7D/N
Yrd98SNzuQJ8WLESUXIF3rbBXYyDDIJ75RGHgOu4T66t00jLHqDHTzrAtw08zNQA
zofa9y+eK1FJd71wb3IE9GZ79KlGGsDeOYFUhespe8HTFxALsm0zlMNcXm14UQh2
p5++8Yv96pqSYAARbBzLcG7a3C12X5RJqwIBAg==
-----END DH PARAMETERS-----
准备客户端证书环境
#客户端证书有效时间设置
[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/easy-rsa/vars
set_var EASYRSA_CERT_EXPIRE 100
#注意:EASYRSA_CERT_EXPIRE 是前面给服务端证书设置过的同一个变量,它对之后签发的所有证书生效,不区分服务端和客户端。这里改为 100 天只影响接下来签发的客户端证书;前面已经签发的服务端证书有效期不会随之改变(仍到 2122 年)。
#创建客户端证书申请
[root@OPEN-VPN easy-rsa]#./easyrsa gen-req shuhong nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
..................................+++++
..............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-2953.gKUfYX/tmp.EZeleA'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [shuhong]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/shuhong.req
key: /etc/openvpn/easy-rsa/pki/private/shuhong.key
[root@OPEN-VPN easy-rsa]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt
│ ├── certs_by_serial
│ │ └── A8DDBD8D92EBA8975E0B51FAEF80AEB8.pem
│ ├── dh.pem
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── issued
│ │ └── server.crt
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ ├── ca.key
│ │ ├── server.key
│ │ └── shuhong.key #密钥文件
│ ├── renewed
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ │ ├── server.req
│ │ └── shuhong.req #申请文件
│ ├── revoked
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ ├── serial
│ └── serial.old
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
14 directories, 28 files
#颁发客户端证书
[root@OPEN-VPN easy-rsa]#./easyrsa sign client shuhong
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 100 days:
subject=
commonName = shuhong
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-3020.QXbOnw/tmp.VzgvZy
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'shuhong'
Certificate is to be certified until Nov 27 12:39:37 2022 GMT (100 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/shuhong.crt
[root@OPEN-VPN easy-rsa]#tree pki
pki
├── ca.crt
├── certs_by_serial
│ ├── 116207B3A862F7D08C3CE1B78AC5482D.pem
│ └── A8DDBD8D92EBA8975E0B51FAEF80AEB8.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ ├── server.crt
│ └── shuhong.crt #证书文件
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ ├── server.key
│ └── shuhong.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── server.req
│ └── shuhong.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 19 files
[root@OPEN-VPN easy-rsa]#cat pki/issued/shuhong.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:62:07:b3:a8:62:f7:d0:8c:3c:e1:b7:8a:c5:48:2d
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Open-CA
Validity
Not Before: Aug 19 12:39:37 2022 GMT
Not After : Nov 27 12:39:37 2022 GMT
Subject: CN=shuhong
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b6:9e:3c:1e:f2:1f:32:1e:d8:6d:12:30:d2:e7:
80:82:dc:8d:5f:7d:d6:63:f3:04:fe:4b:f4:e9:6a:
27:f1:b7:d6:c8:5e:51:56:a9:68:1b:a3:98:ba:5d:
8a:30:3e:0b:4b:c7:1d:bf:f7:d4:ad:45:4e:aa:55:
39:7f:06:82:bf:04:af:64:80:19:47:31:80:e9:3e:
5a:f8:5c:af:71:2d:8e:ad:e7:e4:4e:12:18:b1:e4:
fd:a9:4a:0e:4d:34:83:ee:89:bf:cd:da:6d:df:b6:
8a:d6:9b:03:71:0a:fd:56:77:ec:58:24:61:86:8c:
ca:fe:83:f7:ee:54:34:74:4a:3f:79:e2:bd:32:3c:
d8:b7:bd:5b:07:a0:18:97:cb:7d:5d:5e:91:f7:5b:
95:d1:fc:e6:2b:06:86:2a:34:ee:ca:e8:69:e0:55:
3a:a0:41:d0:3f:8f:7e:83:61:0d:49:1e:3d:75:37:
b1:b2:aa:63:0c:3d:07:4a:31:81:2a:b7:b4:1a:39:
72:34:5e:91:7a:7d:b1:94:cb:40:66:a8:7f:18:03:
57:73:bd:03:93:8c:52:41:c2:aa:a5:06:79:04:d0:
bb:ff:5c:7f:fd:75:50:73:96:33:09:b0:32:53:8b:
79:b3:81:6d:55:69:9a:94:3c:87:11:7c:20:10:21:
df:67
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
B1:3D:6A:E0:3B:C1:BD:4C:28:B1:4E:E2:89:A5:CF:13:33:D1:92:93
X509v3 Authority Key Identifier:
keyid:98:EF:10:A7:C4:95:4B:E3:68:EC:B6:8D:F3:BA:5E:90:7E:FC:76:83
DirName:/CN=Open-CA
serial:31:D1:68:C5:E2:59:AD:4B:58:4D:00:D7:58:7A:D0:7A:56:16:54:18
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
a7:c3:f0:0e:e1:e6:fe:6a:59:7e:d5:3a:3e:0d:89:1f:71:cb:
8f:cb:2b:91:fd:08:1c:16:b8:63:75:89:87:f5:87:83:6e:10:
b0:a8:87:41:5d:e0:9e:01:18:2f:c4:2f:21:9a:ad:63:4d:43:
9e:3a:c3:2d:40:74:08:84:4d:5a:b0:a0:31:1c:94:48:e1:44:
1e:8e:36:b7:23:2e:f8:bf:75:89:2b:f8:02:ec:39:b4:ef:38:
81:46:38:3d:64:b7:b8:d1:2b:8a:e5:b4:02:77:d1:19:f8:3d:
e5:ec:f3:e8:3c:6c:1d:02:79:fc:a8:a7:95:cf:a2:72:29:13:
be:d7:82:a2:6c:10:d2:f9:65:34:1d:60:26:be:2a:d0:5f:85:
05:70:47:fa:31:c2:4d:b0:1f:8f:e3:e1:82:42:90:02:b1:44:
3a:dc:19:aa:28:ff:a2:ae:2c:11:8c:b9:56:2c:21:5a:7f:4c:
22:df:38:70:9e:71:a7:26:6a:9e:4d:48:6a:a8:1a:ed:46:fb:
f2:fa:4b:ec:78:44:d6:e6:e7:3d:40:22:93:68:ff:ce:6c:48:
25:90:3d:cb:fc:8d:57:03:60:60:59:c5:b2:10:00:87:d8:61:
13:9c:83:c6:77:df:1c:2e:b1:b2:fb:46:ba:a7:b0:50:23:c0:
41:b6:37:66
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
将CA和服务器证书相关文件复制到服务器相应的目录
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/
[root@OPEN-VPN easy-rsa]#ll /etc/openvpn/server/
total 20
-rw------- 1 root root 1188 Aug 19 20:43 ca.crt
-rw------- 1 root root 424 Aug 19 20:44 dh.pem
-rw------- 1 root root 4598 Aug 19 20:43 server.crt
-rw------- 1 root root 1704 Aug 19 20:44 server.key
将客户端私钥与证书相关文件复制到服务器相关的目录
[root@OPEN-VPN easy-rsa]#find /etc/openvpn/easy-rsa/ -name "shuhong.key" -o -name "shuhong.crt" -o -name ca.crt
/etc/openvpn/easy-rsa/pki/private/shuhong.key
/etc/openvpn/easy-rsa/pki/issued/shuhong.crt
/etc/openvpn/easy-rsa/pki/ca.crt
[root@OPEN-VPN easy-rsa]#find /etc/openvpn/easy-rsa \( -name "shuhong.key" -o -name "shuhong.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/shuhong/ \;
[root@OPEN-VPN easy-rsa]#ll /etc/openvpn/client/shuhong/
total 16
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 shuhong.crt
-rw------- 1 root root 1704 Aug 19 20:49 shuhong.key
配置 OpenVPN 服务器并启动服务
服务器端配置文件说明
[root@OPEN-VPN easy-rsa]#cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/
[root@OPEN-VPN easy-rsa]#grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
;topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
explicit-exit-notify 1
修改服务器端配置文件
#注意:下面的配置相比样例去掉了 persist-key / persist-tun,却保留了 user openvpn / group openvpn 降权。随后启动日志里的两条 WARNING(you are using user/group/chroot/setcon without persist-key / persist-tun)说的正是这一点:进程降权为 openvpn 后无法再读取 0600、属主 root 的 server.key,收到 SIGUSR1 的软重启会失败,建议把这两行补回。另外 compress lz4-v2 与 push "compress lz4-v2" 会对隧道内流量启用压缩,存在 VORACLE 一类的压缩侧信道风险,OpenVPN 官方自 2.4 起已不建议开启,除非确有需要。
[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
准备服务器日志相关目录
[root@OPEN-VPN easy-rsa]#getent passwd openvpn
openvpn:x:994:991:OpenVPN:/etc/openvpn:/sbin/nologin
[root@OPEN-VPN easy-rsa]#mkdir /var/log/openvpn
[root@OPEN-VPN easy-rsa]#chown openvpn:openvpn /var/log/openvpn
[root@OPEN-VPN easy-rsa]#ll -d /var/log/openvpn/
drwxr-xr-x 2 openvpn openvpn 6 Aug 19 20:56 /var/log/openvpn/
启动 OpenVPN 服务
#准备 OpenVPN 服务的service文件
#Rocky/CentOS 8 的 openvpn 包不再提供 openvpn@.service,只提供 openvpn-server@.service 与 openvpn-client@.service(见下方 rpm -ql 输出)。本文从 CentOS 7 拷贝旧版 openvpn@.service,只是为了沿用 /etc/openvpn/server.conf 这一路径。更推荐把配置放到 /etc/openvpn/server/server.conf 并直接使用包自带的 openvpn-server@server 单元:它由发行版维护,通常带有 systemd 加固指令(如 CapabilityBoundingSet、ProtectSystem 等,具体以本机文件内容为准),而下方手工拷贝的 244 字节单元文件除 PrivateTmp=true 外没有任何加固。
[root@OPEN-VPN easy-rsa]#rpm -ql openvpn |grep systemd
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/share/doc/openvpn/README.systemd
[root@OPEN-VPN easy-rsa]# ll /usr/lib/systemd/system/ |grep openvpn
-rw-r--r-- 1 root root 702 Mar 18 02:59 openvpn-client@.service
-rw-r--r-- 1 root root 914 Mar 18 02:59 openvpn-server@.service
-rw-r--r-- 1 root root 244 Aug 19 21:17 openvpn@.service #拷贝此文件过来
[root@OPEN-VPN easy-rsa]# cat /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
[root@OPEN-VPN easy-rsa]#systemctl daemon-reload
[root@OPEN-VPN easy-rsa]#systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
#查看服务状态
[root@OPEN-VPN easy-rsa]#systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-08-19 21:22:45 CST; 1min 25s ago
Main PID: 3538 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 11175)
Memory: 1.2M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─3538 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Aug 19 21:22:45 OPEN-VPN.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Aug 19 21:22:45 OPEN-VPN.com systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@OPEN-VPN easy-rsa]#ss -ntlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=1522,fd=16))
LISTEN 0 32 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=3538,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1049,fd=4))
LISTEN 0 100 [::1]:25 [::]:* users:(("master",pid=1522,fd=17))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1049,fd=6))
[root@OPEN-VPN easy-rsa]#cat /var/log/openvpn/openvpn.log
Fri Aug 19 21:22:45 2022 OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Fri Aug 19 21:22:45 2022 library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
Fri Aug 19 21:22:45 2022 WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail
Fri Aug 19 21:22:45 2022 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Fri Aug 19 21:22:45 2022 Diffie-Hellman initialized with 2048 bit key
Fri Aug 19 21:22:45 2022 ROUTE_GATEWAY 10.0.0.2/255.255.255.0 IFACE=eth0 HWADDR=00:0c:29:51:16:b6
Fri Aug 19 21:22:45 2022 TUN/TAP device tun0 opened
Fri Aug 19 21:22:45 2022 TUN/TAP TX queue length set to 100
Fri Aug 19 21:22:45 2022 /sbin/ip link set dev tun0 up mtu 1500
Fri Aug 19 21:22:45 2022 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Fri Aug 19 21:22:45 2022 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Fri Aug 19 21:22:45 2022 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Aug 19 21:22:45 2022 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Aug 19 21:22:45 2022 Listening for incoming TCP connection on [AF_INET][undef]:1194
Fri Aug 19 21:22:45 2022 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Fri Aug 19 21:22:45 2022 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Aug 19 21:22:45 2022 GID set to openvpn
Fri Aug 19 21:22:45 2022 UID set to openvpn
Fri Aug 19 21:22:45 2022 MULTI: multi_init called, r=256 v=256
Fri Aug 19 21:22:45 2022 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Fri Aug 19 21:22:45 2022 MULTI: TCP INIT maxclients=2048 maxevents=2052
Fri Aug 19 21:22:45 2022 Initialization Sequence Completed
[root@OPEN-VPN easy-rsa]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:51:16:b6 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.154/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe51:16b6/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:51:16:c0 brd ff:ff:ff:ff:ff:ff
inet 172.25.254.128/24 brd 172.25.254.255 scope global dynamic noprefixroute eth1
valid_lft 1546sec preferred_lft 1546sec
inet6 fe80::1dc0:cf48:556f:afd6/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::8036:20a0:df8f:4eab/64 scope link stable-privacy
valid_lft forever preferred_lft forever
[root@OPEN-VPN easy-rsa]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.2 0.0.0.0 UG 100 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.25.254.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
开启openvpn服务器的路由转发功能及配置iptables
#注意:下面的 iptables SNAT 规则只写入了运行时内核表,重启即丢失,需要用 iptables-save(或发行版的 nftables/firewalld 持久化方式)保存。该规则让 10.8.0.0/24 内所有 VPN 客户端都能以 10.0.0.154 的身份访问内网任意地址;如需最小权限,应再在 FORWARD 链按目标主机/端口收紧,并在 INPUT 链只放行 1194/tcp 与管理所需端口。
[root@OPEN-VPN shuhong]#vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
[root@OPEN-VPN shuhong]#sysctl -p
net.ipv4.ip_forward = 1
[root@OPEN-VPN shuhong]#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 10.0.0.154
准备 OpenVPN 客户端配置文件
生成客户端用户的配置文件
[root@OPEN-VPN easy-rsa]#grep '^[[:alpha:]].*' /usr/share/doc/openvpn/sample/sample-config-files/client.conf > /etc/openvpn/client/shuhong/client.ovpn
[root@OPEN-VPN /]#vim etc/openvpn/client/shuhong/client.ovpn
client
dev tun
proto tcp
remote 172.25.254.128 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
实现 OpenVPN 客户端
Windows 安装 OpenVPN 客户端
官方客户端下载地址:
https://openvpn.net/community-downloads/
Windows 客户端配置准备
[root@OPEN-VPN /]#cd /etc/openvpn/client/shuhong/
[root@OPEN-VPN shuhong]#ll
total 28
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root 233 Aug 19 21:33 client.ovpn
-rw-r--r-- 1 root root 5629 Aug 19 21:39 shuhong.zip
[root@OPEN-VPN shuhong]#zip shuhong.zip /etc/openvpn/client/shuhong/*
[root@OPEN-VPN shuhong]#sz shuhong.zip
将客户端文件放入windows的openvpn的config文件夹中
#注意:这个 zip 里包含客户端私钥 client.key(后文还会加入 ta.key),是需要保密的凭据:zip 文件本身是 0644 全局可读,sz 只是借当前终端会话把它拷到操作者本机。请通过受控的安全渠道分发给对应用户,分发后删除服务器上的 zip,且每个用户只能拿到自己那一份;不要把 ca.key 或其他用户的文件一起打包。
测试链接
打开windows的openvpn
使用cmd命令及访问web服务测试
Openvpn管理
启动安全增强功能
#说明:tls-auth 使用的 ta.key 是服务器与所有客户端共用的一把静态预共享密钥,用于对 TLS 控制通道报文做 HMAC,可过滤未持有密钥的扫描/DoS 报文。代价是任何一份客户端分发包泄露都等于 ta.key 泄露,且轮换时必须给全部客户端重新分发。本文所用的 OpenVPN 2.4.12(见上方日志)已支持 tls-crypt,它除认证外还加密控制通道,新部署可考虑改用 tls-crypt。
[root@OPEN-VPN ~]#openvpn --genkey --secret /etc/openvpn/server/ta.key
[root@OPEN-VPN ~]#cat /etc/openvpn/server/ta.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
58aa52d580d44f0f33af5550e2363625
d1ce12d8b82a561f8326a924642c7118
32af0a1271a62ab31588b053609e0ef1
aae88540dec0d131cd2713f4c92e49bc
777a032a30ec0456447c6f762784b3f3
7478fcd69c0b3e728a4fad7cc185fcb1
9b673bbd8abc960587b7f761a9682eba
bc03eb736dffbb06c1398607abaf8460
9e4c7e9874c1b74ce95d186b466963fd
0a69db81086bc518886aeb1f8ce010f4
cef7242118cb901098f6773c9eb64e50
76b2b6fe12d4899a0693f0a78fd9dd25
9230616abf7ac11747c3fad7d262357f
e102176e165a470983191142aa703e02
324cb469710c9dfb7a721826b42e3586
e196c311d2c3b9a8655c5172576236aa
-----END OpenVPN Static key V1-----
[root@OPEN-VPN ~]#cp /etc/openvpn/server/ta.key /etc/openvpn/client/shuhong/ta.key
[root@OPEN-VPN ~]#ll /etc/openvpn/client/shuhong/
total 32
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root 233 Aug 19 21:33 client.ovpn
-rw-r--r-- 1 root root 5629 Aug 19 21:39 shuhong.zip
-rw------- 1 root root 636 Aug 20 08:42 ta.key
[root@OPEN-VPN ~]#vim /etc/openvpn/client/shuhong/client.ovpn
tls-auth ta.key 1
[root@OPEN-VPN ~]#vim /etc/openvpn/server.conf
tls-auth /etc/openvpn/server/ta.key 0
[root@OPEN-VPN ~]#systemctl restart openvpn@server.service
[root@OPEN-VPN ~]#systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-08-20 08:45:24 CST; 47s ago
Main PID: 4571 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 11175)
Memory: 1.1M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─4571 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Aug 20 08:45:24 OPEN-VPN.com systemd[1]: openvpn@server.service: Succeeded.
Aug 20 08:45:24 OPEN-VPN.com systemd[1]: Stopped OpenVPN Robust And Highly Flexible Tunneling Application On server.
Aug 20 08:45:24 OPEN-VPN.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Aug 20 08:45:24 OPEN-VPN.com systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@OPEN-VPN shuhong]#ll
total 24
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root 233 Aug 20 08:44 client.ovpn
-rw------- 1 root root 636 Aug 20 08:42 ta.key
[root@OPEN-VPN shuhong]#
[root@OPEN-VPN shuhong]#zip shuhong.zip *
adding: ca.crt (deflated 27%)
adding: client.crt (deflated 45%)
adding: client.key (deflated 23%)
adding: client.ovpn (deflated 28%)
adding: ta.key (deflated 39%)
[root@OPEN-VPN shuhong]#ll
total 32
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root 233 Aug 20 08:44 client.ovpn
-rw-r--r-- 1 root root 5938 Aug 20 08:47 shuhong.zip
-rw------- 1 root root 636 Aug 20 08:42 ta.key
[root@OPEN-VPN shuhong]#sz shuhong.zip
[root@OPEN-VPN shuhong]#tail -f /var/log/openvpn/*
==> /var/log/openvpn/openvpn.log <==
Sat Aug 20 08:49:12 2022 172.25.254.1:52935 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Aug 20 08:49:12 2022 172.25.254.1:52935 [shuhong] Peer Connection Initiated with [AF_INET]172.25.254.1:52935
Sat Aug 20 08:49:12 2022 shuhong/172.25.254.1:52935 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat Aug 20 08:49:12 2022 shuhong/172.25.254.1:52935 MULTI: Learn: 10.8.0.6 -> shuhong/172.25.254.1:52935
Sat Aug 20 08:49:12 2022 shuhong/172.25.254.1:52935 MULTI: primary virtual IP for shuhong/172.25.254.1:52935: 10.8.0.6
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 PUSH: Received control message: 'PUSH_REQUEST'
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 SENT CONTROL [shuhong]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Aug 20 08:49:13 2022 shuhong/172.25.254.1:52935 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
==> /var/log/openvpn/openvpn-status.log <==
OpenVPN CLIENT LIST
Updated,Sat Aug 20 08:53:27 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
shuhong,172.25.254.1:52935,16604,4553,Sat Aug 20 08:49:12 2022
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,shuhong,172.25.254.1:52935,Sat Aug 20 08:49:12 2022
GLOBAL STATS
Max bcast/mcast queue length,1
END
设置客户端的私钥密码增强安全性
#新建一个账户wing,并且设置证书密码,提高证书及登录VPN的安全性
[root@OPEN-VPN easy-rsa]#pwd
/etc/openvpn/easy-rsa
[root@OPEN-VPN easy-rsa]#./easyrsa gen-req wing
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Generating a RSA private key
...........+++++
.......................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4682.ncTvFz/tmp.qiKy83'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [wing]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/wing.req
key: /etc/openvpn/easy-rsa/pki/private/wing.key
[root@OPEN-VPN easy-rsa]#./easyrsa sign client wing
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 100 days:
subject=
commonName = wing
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4711.Law9Ho/tmp.YmJlmu
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'wing'
Certificate is to be certified until Nov 28 00:58:28 2022 GMT (100 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/wing.crt
[root@OPEN-VPN easy-rsa]#cp pki/issued/wing.crt /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#cp pki/private/wing.key /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/server/{ca.crt,ta.key} /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#cp /etc/openvpn/client/shuhong/client.ovpn /etc/openvpn/client/wing/
[root@OPEN-VPN easy-rsa]#ll /etc/openvpn/client/wing/
total 24
-rw------- 1 root root 1188 Aug 20 09:03 ca.crt
-rw-r--r-- 1 root root 233 Aug 20 09:04 client.ovpn
-rw------- 1 root root 636 Aug 20 09:03 ta.key
-rw------- 1 root root 4470 Aug 20 09:02 wing.crt
-rw------- 1 root root 1854 Aug 20 09:02 wing.key
[root@OPEN-VPN easy-rsa]#cd /etc/openvpn/client/wing/
[root@OPEN-VPN wing]#mv wing.crt client.crt
[root@OPEN-VPN wing]#mv wing.key client.key
[root@OPEN-VPN wing]#ll
total 24
-rw------- 1 root root 1188 Aug 20 09:03 ca.crt
-rw------- 1 root root 4470 Aug 20 09:02 client.crt
-rw------- 1 root root 1854 Aug 20 09:02 client.key
-rw-r--r-- 1 root root 233 Aug 20 09:04 client.ovpn
-rw------- 1 root root 636 Aug 20 09:03 ta.key
[root@OPEN-VPN wing]#zip wing.zip *
adding: ca.crt (deflated 27%)
adding: client.crt (deflated 45%)
adding: client.key (deflated 24%)
adding: client.ovpn (deflated 28%)
adding: ta.key (deflated 39%)
[root@OPEN-VPN wing]#ll
total 32
-rw------- 1 root root 1188 Aug 20 09:03 ca.crt
-rw------- 1 root root 4470 Aug 20 09:02 client.crt
-rw------- 1 root root 1854 Aug 20 09:02 client.key
-rw-r--r-- 1 root root 233 Aug 20 09:04 client.ovpn
-rw------- 1 root root 636 Aug 20 09:03 ta.key
-rw-r--r-- 1 root root 6045 Aug 20 09:07 wing.zip
[root@OPEN-VPN wing]#sz wing.zip
账户证书管理
#证书手动注销
#查看 index.txt 中各证书的状态:第一列 V = 有效(Valid),R = 已吊销(Revoked),E = 已过期(Expired);其后依次为到期时间、(吊销时间,仅 R 行有)、证书序列号、主题 DN
[root@OPEN-VPN wing]#cat /etc/openvpn/easy-rsa/pki/index.txt
V 21220726122627Z A8DDBD8D92EBA8975E0B51FAEF80AEB8 unknown /CN=OpenVPN
V 221127123937Z 116207B3A862F7D08C3CE1B78AC5482D unknown /CN=shuhong
V 221128005828Z 8BAB14A8BA75754630460E45A543ACB7 unknown /CN=wing
#吊销指定的用户的证书
[root@OPEN-VPN wing]#cd /etc/openvpn/easy-rsa/
[root@OPEN-VPN easy-rsa]#./easyrsa revoke wing
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = wing
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4998.iPNltG/tmp.evGxMm
Revoking Certificate 8BAB14A8BA75754630460E45A543ACB7.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
[root@OPEN-VPN easy-rsa]#cat /etc/openvpn/easy-rsa/pki/index.txt
V 21220726122627Z A8DDBD8D92EBA8975E0B51FAEF80AEB8 unknown /CN=OpenVPN
V 221127123937Z 116207B3A862F7D08C3CE1B78AC5482D unknown /CN=shuhong
R 221128005828Z 220820011319Z 8BAB14A8BA75754630460E45A543ACB7 unknown /CN=wing
#生成证书吊销列表
#每次吊销证书后都要重新执行 gen-crl 更新 crl.pem,否则吊销不生效。OpenVPN 2.4 及以上会在 CRL 文件变化后重新加载,通常不必重启;但吊销只在下一次 TLS 握手/重协商(默认 reneg-sec 3600)时才会被检查,已建立的会话不会被立刻踢下线——需要立即断开该用户时,重启服务或通过管理接口断开。另外 easy-rsa 生成的 CRL 自带有效期(EASYRSA_CRL_DAYS,默认 180 天),CRL 一旦过期,所有客户端都会连接失败,要定期重新生成。
[root@OPEN-VPN easy-rsa]#./easyrsa gen-crl
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-5044.xlCh5R/tmp.ar9LFJ
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
#将吊销列表文件发布
#第一次吊销证书时需要在配置文件中加入 crl-verify 指向吊销列表文件,后续吊销只需重新 gen-crl。注意:此处直接指向 easy-rsa 的 pki 目录,该目录同时存放 ca.key;而 OpenVPN 降权为 openvpn 用户后要能读取 crl.pem(用 ll 检查 pki 及其上级目录的权限)。更稳妥的做法是每次 gen-crl 后把 crl.pem 复制到 /etc/openvpn/server/(该目录为 root:openvpn、组可读),让 crl-verify 指向那里,而不是放宽 PKI 目录的权限。
[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
[root@OPEN-VPN easy-rsa]#systemctl restart openvpn@server.service
实现用户密码认证
#修改服务端配置
[root@OPEN-VPN easy-rsa]#vim /etc/openvpn/server.conf
# 添加三行,实现服务端支持密码认证方式
script-security 3 # 允许使用自定义脚本
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #指定自定义脚本路径
username-as-common-name # 用认证通过的用户名替代证书 CN 作为客户端标识(影响日志、status 文件、ccd 匹配);密码认证本身由上一行 auth-user-pass-verify 启用。注意开启后证书 CN 与用户名不再绑定,任意一张有效客户端证书配任意一组正确的用户名/密码都能登录
#创建自定义脚本。该脚本由已降权为 openvpn 用户的服务进程调用:psw-file 必须能被 openvpn 用户读取但不能被其他用户读取(建议 root:openvpn 0640;下方 ll 显示其为 0644 全局可读且内容为明文口令,务必收紧),/var/log/openvpn-password.log 需对 openvpn 用户可写。明文口令文件只适合实验环境,生产环境应使用口令哈希或 PAM/LDAP 插件。
#示例脚本下载:http://openvpn.se/files/other/checkpsw.sh(2004 年的第三方示例脚本,非 openvpn.net 项目发布)。该链接是明文 HTTP,且脚本将决定谁能登录 VPN,下载后务必逐行审阅再部署;原版脚本会把客户端提交的密码明文写入日志,并把用户名直接拼进 awk 程序文本,下面给出的版本对此做了修正。
[root@OPEN-VPN openvpn]#ll
total 8
-rw-r--r-- 1 root root 1191 Feb 8 2022 checkpsw.sh
drwxr-x--- 4 root openvpn 33 Aug 20 08:59 client
drwxr-xr-x 4 root root 89 Aug 19 21:35 easy-rsa
drwxr-x--- 2 root openvpn 84 Aug 20 08:41 server
-rw-r--r-- 1 root root 664 Aug 20 09:22 server.conf
[root@OPEN-VPN openvpn]#vim checkpsw.sh
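#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# Authenticates OpenVPN users against a plain-text file. The server
# invokes it through `auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env`
# (which requires `script-security 3`), so the credentials the client
# submitted arrive in the environment variables $username and $password.
# Exit status 0 grants access; any other status denies it.
#
# The passfile contains one row per user: the username first, followed by
# one or more spaces/tabs, then the password (a single field - passwords
# containing whitespace are not supported). Rows starting with ';' or '#'
# are comments.
#
# Review notes:
#  - The script runs as the unprivileged user OpenVPN drops to (user/group
#    openvpn in server.conf), so PASSFILE must be readable by that user and
#    by nobody else (e.g. root:openvpn 0640), and LOG_FILE must be writable
#    by it.
#  - Passwords are stored and compared in plain text. Fine for a lab; for
#    production use hashed passwords or a PAM/LDAP auth plugin.
#  - Failed attempts are logged WITHOUT the submitted password. The
#    original script wrote it to the log, leaking real (and mistyped)
#    credentials to anyone who can read the log file.
#  - The username is matched through awk's ENVIRON[] rather than being
#    spliced into the awk program text, so a crafted username cannot
#    change the matching logic regardless of any sanitising OpenVPN does.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

# Normalise unset variables to empty strings and make sure the username
# is exported, since awk reads it back from the environment below.
username=${username:-}
password=${password:-}
export username

# Append one line to the auth log. A failed write must not change the
# authentication outcome, so every exit code below stays explicit.
log() {
  echo "${TIME_STAMP}: $1" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# An empty username can never be a valid account; refuse it up front rather
# than letting it match a blank first field somewhere in the file.
if [ -z "${username}" ]; then
  log "Empty username supplied."
  exit 1
fi

# Password of the first non-comment row whose first field equals the
# username. NF >= 2 skips rows without a password (same outcome as before:
# treated as "user does not exist").
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && NF >= 2 && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1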
[root@OPEN-VPN openvpn]#chmod +x checkpsw.sh
[root@OPEN-VPN openvpn]#cat > /etc/openvpn/psw-file << EOF
> shuhong 123456
> wing 654321
> EOF
[root@OPEN-VPN openvpn]#ll
total 12
-rwxr-xr-x 1 root root 1191 Feb 8 2022 checkpsw.sh
drwxr-x--- 4 root openvpn 33 Aug 20 08:59 client
drwxr-xr-x 4 root root 89 Aug 19 21:35 easy-rsa
-rw-r--r-- 1 root root 27 Aug 20 09:24 psw-file
drwxr-x--- 2 root openvpn 84 Aug 20 08:41 server
-rw-r--r-- 1 root root 664 Aug 20 09:22 server.conf
[root@OPEN-VPN openvpn]#systemctl restart openvpn@server.service
#修改客户端配置
[root@OPEN-VPN openvpn]#vim /etc/openvpn/client/shuhong/client.ovpn
#加下面一行,可以支持用户密码认证
auth-user-pass
[root@OPEN-VPN shuhong]#zip shuhong.zip *
adding: ca.crt (deflated 27%)
adding: client.crt (deflated 45%)
adding: client.key (deflated 23%)
adding: client.ovpn (deflated 28%)
adding: ta.key (deflated 39%)
[root@OPEN-VPN shuhong]#ll
total 32
-rw------- 1 root root 1188 Aug 19 20:49 ca.crt
-rw------- 1 root root 4473 Aug 19 20:49 client.crt
-rw------- 1 root root 1704 Aug 19 20:49 client.key
-rw-r--r-- 1 root root 248 Aug 20 09:26 client.ovpn
-rw-r--r-- 1 root root 5949 Aug 20 09:27 shuhong.zip
-rw------- 1 root root 636 Aug 20 08:42 ta.key