— 1 —
背景
基于内外网隔离 网络审计 又因为最近疫情反复,很多小公司没有做好内外网网络隔离,也不能够远程办公。本文基于开源免费的openv**为大家提供一个参考。
由于网上的安装教程层次不齐,本文以第一视角one by one提供给大家
openv**实现的原理:openv**客户端通过证书及密钥的方式跟服务端建立安全的网络通信连接,然后创建虚拟网络,对服务目标内网进行静态路由的指定 从而达到网络层面的需求
— 2 —
服务器安装部署
2.1 安装openv**软件
第一:安装软件及开启内核路由转发功能
代码语言:javascript复制yum install openvpn easy-rsaecho "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p第二:准备目录配置文件
(easy-rsa-3.0.3 openv**-2.4.5 按具体的版本目录复制)
代码语言:javascript复制cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars
cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/2.2 创建服务器端证书和key
1、目录初始化:
代码语言:javascript复制cd /etc/openvpn/easy-rsa/
./easyrsa init-pki2:创建根证书:
代码语言:javascript复制./easyrsa build-ca
Enter PEM pass phrase:
输入2次pem密码,并记住(输入的pem密码是openvpn,第4步有用);
........
回车后显示:创建成功提示
代码语言:javascript复制CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt3:创建服务器端证书:
代码语言:javascript复制./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: (server)创建成功提示
代码语言:javascript复制Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key4:签署服务器端证书
代码语言:javascript复制./easyrsa sign server server
回车后,Confirm request details: (输入yes)
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: 输入第2步的密码创建成功提示
代码语言:javascript复制Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName :ASN.1 12:‘server’
Certificate is to be certified until Apr 4 06:24:29 2038 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt5:创建Diffie-Hellman,确保key穿越不安全网络的命令:
代码语言:javascript复制./easyrsa gen-dh回车后,会1分钟左右后最后显示:
代码语言:javascript复制DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem注意这个时候 最好cp一份2048(有些版本不兼容问题)
代码语言:javascript复制cp dh.pem dh2048.pem6:生成ta密钥文件
代码语言:javascript复制openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key2.3 创建客户端证书及key
2.3.1 创建客户证书
代码语言:javascript复制mkdir /root/client
cd /root/client
cp -r /usr/share/easy-rsa/3.0.3/* ./
./easyrsa init-pki
./easyrsa gen-req client
Common Name (eg: your user, host, or server name) [client]: client(后面需要)创建成功提示
代码语言:javascript复制Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key2.3.2 将得到的clientone.req导入然后签约证书:(在服务端里的/easyrsa)
目录(/etc/openvpn/easy-rsa)
代码语言:javascript复制./easyrsa import-req /root/client/pki/reqs/client.req client创建成功提示
代码语言:javascript复制Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: clientone
You may now use this name to perform signing operations on this request.2.3.3:签约证书(服务目录操作)
代码语言:javascript复制./easyrsa sign client client回车后,输入yes;
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: (输入的是client)
代码语言:javascript复制Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName :ASN.1 12:‘client’
Certificate is to be certified until Apr 4 16:38:37 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt复制相关文件
拷贝服务器端所需文件到各自位置
代码语言:javascript复制cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/拷贝客户端所需文件到各种位置
代码语言:javascript复制cp pki/ca.crt /root/client/
cp pki/issued/client.crt /root/client/
cp /root/client/pki/private/client.key /root/client/
cp /etc/openvpn/easy-rsa/ta.key /root/client/修改openv** server.conf配置
代码语言:javascript复制egrep -v "^$|^#|^;" /etc/openvpn/server.confport 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1— 3 —
启动openv**服务
代码语言:javascript复制systemctl enable openvpn@server.service
systemctl start openvpn@server
systemctl status openvpn@server
写到最后:花在排版的时间远远比花的安装部署确认要多的多。希望对自己以后在小公司内部署openv** 有一个很好的总结,当然也希望对大家有帮忙和思考 。接下来我们讲一下更加宏观的网络层面的东西。这些非常基础,但是又不能没有。认知层面决定了我们运维的高度和考量。
