Build openvpn Centos7 (1)

Time:02-27

CentOS 7 OpenVPN installation and configuration: server + client
Build an OpenVPN service in a CentOS 7 environment so that Windows and Linux clients can reach the back-end machines through it.

1. Environment requirements
OpenVPN software versions
Linux installation: openvpn-2.4.9.tar.gz # GitHub address: https://github.com/OpenVPN/openvpn
Linux installation: easy-rsa-3.0.7.tar.gz # GitHub address: https://github.com/OpenVPN/easy-rsa
Windows installation: openvpn-install-2.4.9-I601-Win10.exe # OpenVPN website

If the Windows installer cannot be downloaded from the official site, it can be downloaded from the following address:
https://www.techspot.com/downloads/5182-openvpn.html

The server needs a public IP, or must be reachable through a firewall that proxies a public IP to it.

2. VPN server configuration requirements:
Required changes on the OpenVPN machine:
Enable IP forwarding and make it take effect
## if this setting is missing, add it
grep 'net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
iptables configuration
## add the following rule
iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -d 172.17.0.0/16 -o eth0 -j MASQUERADE # add the forwarding rule; -s is the virtual IP segment of the VPN, -d is the server-side network segment
iptables-save > /etc/sysconfig/iptables # save the forwarding rule
iptables -t nat -L -n # view the configured rules

Reason: after a VPN client connects it is assigned an address from the default 10.8.0.0/24 subnet and cannot directly reach the web01 or web02 machines (both on the 172.16.10.0/24 segment), so an iptables NAT rule is needed.

To delete the iptables rule added above (useful for comparing normal and abnormal access):
iptables -t nat -D POSTROUTING 1
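The forwarding step above, rewritten as an idempotent helper (an added example, not from the original post). The page's "grep ... || echo ... >>" pattern also matches a commented-out "#net.ipv4.ip_forward=1" line and would then skip adding the setting, so this version rewrites any active ip_forward line and appends only when none exists; the sysctl file path is an argument so the function can be tried against a scratch copy first (assumption made here, not on the page).

```shell
#!/bin/sh
# Added example (not the original post's code): idempotent IP-forwarding
# and NAT setup for the OpenVPN server. Only apply_forwarding touches the
# live system; the two helpers operate on whatever file path they are given.

# ensure_ip_forward FILE
#   Make FILE contain exactly one active "net.ipv4.ip_forward = 1" line.
ensure_ip_forward() {
    file="$1"
    key='net.ipv4.ip_forward'
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null; then
        # An active line exists (possibly "= 0"): rewrite it in place.
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = 1|" "$file"
    else
        # No active line (only comments, or nothing at all): append one.
        printf '%s = 1\n' "$key" >> "$file"
    fi
}

# count_active_forward FILE
#   Number of uncommented "ip_forward = 1" lines; confirms idempotence.
count_active_forward() {
    grep -Ec '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# apply_forwarding
#   The live sequence from the page: persist the setting, load it, confirm
#   the kernel really forwards, then add the NAT rule without duplicating it.
apply_forwarding() {
    ensure_ip_forward /etc/sysctl.conf
    sysctl -p >/dev/null
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || {
        echo "ip_forward is still 0; VPN clients will not reach the LAN" >&2
        return 1
    }
    # -C tests whether the rule is already present so re-running the script
    # does not stack duplicate MASQUERADE rules in the nat table.
    rule="-s 10.8.1.0/24 -d 172.17.0.0/16 -o eth0 -j MASQUERADE"
    iptables -t nat -C POSTROUTING $rule 2>/dev/null ||
        iptables -t nat -A POSTROUTING $rule
    iptables-save > /etc/sysconfig/iptables
}

# Usage on the VPN server (as root): . ./forward.sh && apply_forwarding
```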

Synchronize the system time and the hardware clock:
crontab -l
10 * * * * /usr/sbin/ntpdate ntp1.aliyun.com > /dev/null 2>&1

ll /etc/localtime # use Shanghai time
lrwxrwxrwx. 1 root root 33 Mar 9 03:59 /etc/localtime -> /usr/share/zoneinfo/Asia/Shanghai

hwclock --show # check the hardware clock
hwclock --systohc # write the system time to the hardware clock

Note: if the time is not synchronized, logging in to the VPN may fail.

3. Install the OpenVPN service on the server
Install the dependency packages
yum install -y lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel
Alibaba Cloud servers additionally need the following packages
yum install -y autoconf automake libtool libtool-ltdl

Download the OpenVPN source package from GitHub, extract it, compile and install, and finally create a symbolic link
wget https://github.com/OpenVPN/openvpn/archive/v2.4.9.tar.gz
mv v2.4.9.tar.gz openvpn-2.4.9.tar.gz
tar xf openvpn-2.4.9.tar.gz
cd openvpn-2.4.9/
autoreconf -i -v -f
./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
make && make install
ln -s /usr/local/openvpn/sbin/openvpn /usr/local/sbin/openvpn

Configuration file change
# vim /usr/local/openvpn/lib/systemd/system/openvpn-server@.service
### find the ExecStart line and change it to the following
ExecStart=/usr/local/openvpn/sbin/openvpn --config server.conf

Register the system service and enable it at boot
cp -a /usr/local/openvpn/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn.service
systemctl enable openvpn.service

4. Generate certificates on the server side
Download easy-rsa and change its configuration

Download and extract easy-rsa
cd /root/
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.7.tar.gz
mv v3.0.7.tar.gz easy-rsa-3.0.7.tar.gz
tar xf easy-rsa-3.0.7.tar.gz

Generate the global configuration file vars from the easy-rsa-3.0.7/easyrsa3/vars.example file
cd easy-rsa-3.0.7/easyrsa3
cp -a vars.example vars

Modify the vars file: uncomment the lines you need and change their values, or append the following directly to the end of the file:
# country
set_var EASYRSA_REQ_COUNTRY "CN"
# province
set_var EASYRSA_REQ_PROVINCE "BJ"
# city
set_var EASYRSA_REQ_CITY "BeiJing"
# organization
set_var EASYRSA_REQ_ORG "Zhang"
# email
set_var EASYRSA_REQ_EMAIL "[email protected]"
# organizational unit (owner)
set_var EASYRSA_REQ_OU "what ZJ had"
# key length
set_var EASYRSA_KEY_SIZE 2048
# algorithm
set_var EASYRSA_ALGO rsa

# CA certificate validity, in days
set_var EASYRSA_CA_EXPIRE 36500
# validity of issued certificates, in days
set_var EASYRSA_CERT_EXPIRE 36500

Generate the server and client certificates
Initialize and create the root CA
./easyrsa init-pki
Enter yes

Initialization creates a pki directory in the current directory to store intermediate files and the resulting certificates
./easyrsa build-ca

Notes: in this step you must enter a PEM pass phrase (twice). This password must be remembered; without it no certificate can be signed later.
You also need to enter a Common Name, for example openvpn; set it to something unique of your own.

Generate the server certificate:
./easyrsa build-server-full server nopass
This generates a certificate for the server and signs it locally; the nopass parameter generates a password-less key. During this process you will be asked for the CA password.

Create the Diffie-Hellman parameters, which protect the key exchange over an insecure network; this command takes a while, so wait for it
./easyrsa gen-dh

Generate client certificates:
Generate multiple client certificates
cd /root/easy-rsa-3.0.7/easyrsa3
./easyrsa build-client-full client nopass # password-less; not recommended in practice, a client password improves security
./easyrsa build-client-full zhangsan # asks for a password first: enter a PEM pass phrase, which will be required on every subsequent VPN connection
./easyrsa build-client-full lisi
./easyrsa build-client-full wangwu

This generates a certificate for each client and signs it locally; the nopass parameter generates a password-less key. During this process you will be asked for the CA password.

To improve security, generate the ta.key
openvpn --genkey --secret ta.key

This strengthens authentication against attacks. If it is enabled in the configuration file (it is enabled by default), you need to run the command above and put ta.key in the server's /etc/openvpn directory; in the server configuration file the second parameter is 0. The client must also have this file, and in the client .conf the second parameter is 1. [If the server enables this, the client must enable it too.]
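A pre-flight check for the tls-auth setup just described (an added example, not from the original post). A wrong key direction or a ta.key that differs between the two sides fails silently: the server simply drops the packets as unauthenticated. The checker assumes the config paths are passed as arguments and that the direction comes either from the "tls-auth FILE DIR" line or from a separate "key-direction DIR" line (the form used when the key is inlined).

```shell
#!/bin/sh
# Added example (not the original post's code): verify that the server and
# client configs carry opposite tls-auth key directions (0 / 1) and that
# both hold the same ta.key before trying to connect.

# tls_auth_direction CONF
#   Print the key direction declared in CONF, or "none" if tls-auth is absent.
#   Lines commented with '#' or ';' do not match because $1 includes the marker.
tls_auth_direction() {
    awk '
        $1 == "tls-auth" && NF >= 3 { d = $3 }
        $1 == "key-direction"       { d = $2 }
        END { print (d == "" ? "none" : d) }' "$1"
}

# tls_auth_file CONF
#   Print the ta.key path named on the tls-auth line (empty if inlined/absent).
tls_auth_file() {
    awk '$1 == "tls-auth" && NF >= 2 { print $2; exit }' "$1"
}

# check_key_direction SERVER_CONF CLIENT_CONF
#   Succeeds only when the server uses direction 0 and the client direction 1.
check_key_direction() {
    s=$(tls_auth_direction "$1")
    c=$(tls_auth_direction "$2")
    if [ "$s" = "0" ] && [ "$c" = "1" ]; then
        return 0
    fi
    echo "key direction mismatch: server=$s client=$c (expected 0 / 1)" >&2
    return 1
}

# same_ta_key SERVER_KEY CLIENT_KEY
#   Both sides must hold byte-identical ta.key files; compare digests.
same_ta_key() {
    a=$(sha256sum < "$1" | cut -d' ' -f1)
    b=$(sha256sum < "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Usage on the server, with the client's files copied alongside:
#   check_key_direction /etc/openvpn/server/server.conf client.ovpn &&
#   same_ta_key /etc/openvpn/server/ta.key client-ta.key && echo "tls-auth OK"
```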

Put the server certificates in place
mkdir -p /etc/openvpn/server/
cp -a pki/ca.crt /etc/openvpn/server/
cp -a pki/private/server.key /etc/openvpn/server/
cp -a pki/issued/server.crt /etc/openvpn/server/