To let team members reach the development environment from outside the office, I set up a virtual LAN with OpenVPN. Deployment environment and versions:

  • CentOS 7
  • OpenVPN 2.4.4

1. Generating certificates with easy-rsa

Download easy-rsa here.

    unzip easy-rsa-old-master.zip
    cd easy-rsa-old-master/easy-rsa/2.0

    ls
    build-ca        build-key-pkcs12  inherit-inter      pkitool
    build-dh        build-key-server  list-crl           revoke-full
    build-inter     build-req         openssl-0.9.6.cnf  sign-req
    build-key       build-req-pass    openssl-0.9.8.cnf  vars
    build-key-pass  clean-all         openssl-1.0.0.cnf  whichopensslcnf

    ln -s openssl-1.0.0.cnf openssl.cnf

The variables in the vars file hold the default details (offered at each prompt) used when generating certificates; edit them as needed. Then generate the CA certificate:

    source vars
    ./clean-all
    ./build-ca

Because the certificate details were already filled in in vars, just press Enter at each prompt. The files generated:

    ls keys/
    ca.crt  ca.key  index.txt  serial

Generate the server key and certificate:

    ./build-key-server server
    ......
    Common Name (eg, your name or your server's hostname) [server]:
    A challenge password []:1234
    ......

    ls keys
    01.pem  ca.crt  ca.key  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key

Generate the client certificate:

    ./build-key client
    ......
    Common Name (eg, your name or your server's hostname) [client]:
    A challenge password []:1234
    ......

The Common Name identifies the client; each client should get a different one.

Generate the DH parameters:

    ./build-dh

    ls keys/
    01.pem  02.pem  ca.crt  ca.key  client.crt  client.csr  client.key  dh2048.pem  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  serial  serial.old  server.crt  server.csr  server.key

2. Building OpenVPN

2.1 Installing dependencies

pam-devel:

    yum install -y pam-devel

lzo:

    wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
    tar -zxvf lzo-2.10.tar.gz
    cd lzo-2.10
    ./configure --enable-shared
    make
    make install

2.2 Building and installing OpenVPN

Download the OpenVPN source:

    wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.4.tar.gz

Build and install OpenVPN:

    tar -zxvf openvpn-2.4.4.tar.gz
    cd openvpn-2.4.4
    ./configure --prefix=/usr/local/openvpn
    make
    make install

3. Configuring OpenVPN

Create the config directory and the certificate directory:

    mkdir -p /etc/openvpn
    mkdir -p /etc/openvpn/pki

Generate the tls-auth key and move it into the certificate directory:

    /usr/local/openvpn/sbin/openvpn --genkey --secret ta.key
    mv ta.key /etc/openvpn/pki

Copy the CA certificate and key and the signed server certificate and key into the certificate directory (the server.conf below references only ca.crt; the CA private key is needed only for signing and does not have to live on the VPN server):

    cp ca.key ca.crt server.crt server.key dh2048.pem /etc/openvpn/pki/

    ls /etc/openvpn/pki/
    ca.crt  ca.key  dh2048.pem  server.crt  server.key

Copy the sample config sample/sample-config-files/server.conf from the OpenVPN source tree to /etc/openvpn.

Edit the server config /etc/openvpn/server.conf:

    local 192.168.1.2 # server IP
    port 1194

    proto tcp
    dev tun

    ca /etc/openvpn/pki/ca.crt
    cert /etc/openvpn/pki/server.crt
    key /etc/openvpn/pki/server.key
    dh /etc/openvpn/pki/dh2048.pem

    server 10.8.0.0 255.255.255.0 # virtual subnet handed out to clients
    ifconfig-pool-persist ipp.txt

    # push routes and DNS to clients
    push "route 192.168.1.0 255.255.255.0"
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 192.168.1.1"
    push "dhcp-option DNS 8.8.8.8"

    client-to-client

    keepalive 10 120

    tls-auth /etc/openvpn/pki/ta.key 0

    cipher AES-256-CBC

    comp-lzo

    max-clients 10

    user nobody
    group nobody

    persist-key
    persist-tun

    status /var/log/openvpn-status.log
    log  /var/log/openvpn.log
    log-append  /var/log/openvpn.log

    verb 3

Confirm that IP forwarding is enabled in the kernel:

    sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

Confirm that the FORWARD chain of the iptables filter table has policy ACCEPT:

    iptables -nvL

    iptables -P FORWARD ACCEPT

Add an iptables NAT rule: packets whose source address is in 10.8.0.0/24 (the range OpenVPN assigns to clients) are source-NATed after forwarding to the OpenVPN server's internal address 192.168.1.2, so VPN clients can reach the other machines on the server's internal network.

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o em1 -j SNAT --to-source 192.168.1.2

Create the systemd unit file for openvpn:

    cat > /etc/systemd/system/openvpn.service <<'EOF'
    [Unit]
    Description=openvpn
    After=network.target

    [Service]
    EnvironmentFile=-/etc/openvpn/openvpn
    ExecStart=/usr/local/openvpn/sbin/openvpn \
           --config /etc/openvpn/server.conf
    Restart=on-failure
    Type=simple
    LimitNOFILE=65536

    [Install]
    WantedBy=multi-user.target
    EOF

Start it and enable it at boot:

    systemctl start openvpn
    systemctl enable openvpn

Check that the port is listening:

    netstat -nltp | grep 1194
    tcp        0      0 192.168.1.2:1194        0.0.0.0:*                           88462/openvpn
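The status file named by the `status` directive in server.conf is the quickest place to see who is on the VPN and from where. The script below is an added example, not code from the original post or from OpenVPN: it parses OpenVPN's version-1 status format into sessions, computes how long each has been up, and flags a Common Name that is connected from two real addresses at once. SAMPLE_STATUS is constructed sample content, not output captured from the server in the post.

```python
"""Parse the OpenVPN v1 status file written by 'status /var/log/openvpn-status.log'
and list who is connected from where.

Added example, not from the original post or from OpenVPN. SAMPLE_STATUS is
constructed; on the server the real file is the path above."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample. OpenVPN rewrites this file in place (every 60 s by
# default); timestamps use the format in TIME_FMT.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun  7 10:00:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,203.0.113.5:51234,12345,67890,Thu Jun  7 09:50:00 2018
alice,198.51.100.7:40001,1024,2048,Thu Jun  7 09:55:10 2018
client,192.0.2.99:60000,100,200,Thu Jun  7 09:58:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client,203.0.113.5:51234,Thu Jun  7 09:59:00 2018
10.8.0.10,alice,198.51.100.7:40001,Thu Jun  7 09:59:30 2018
10.8.0.14,client,192.0.2.99:60000,Thu Jun  7 09:59:50 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Jun  7 09:50:00 2018"
SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


@dataclass
class Session:
    common_name: str          # CN of the client certificate
    real_address: str         # public IP:port the client connects from
    bytes_received: int
    bytes_sent: int
    connected_since: datetime
    virtual_address: Optional[str] = None   # 10.8.0.x, filled from ROUTING TABLE


def parse_status(text: str) -> Tuple[datetime, List[Session]]:
    """Return (time the file was written, sessions); ValueError if not v1 format."""
    section = None
    updated_at: Optional[datetime] = None
    sessions: Dict[Tuple[str, str], Session] = {}   # keyed by (CN, real address)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        fields = line.split(",")   # a CN containing a comma needs status-version 2
        if section == "OpenVPN CLIENT LIST":
            if fields[0] == "Updated":
                updated_at = datetime.strptime(fields[1], TIME_FMT)
            elif fields[0] != "Common Name":   # skip the column header
                if len(fields) != 5:
                    raise ValueError(f"unexpected client line: {line!r}")
                cn, real, rx, tx, since = fields
                sessions[(cn, real)] = Session(cn, real, int(rx), int(tx),
                                               datetime.strptime(since, TIME_FMT))
        elif section == "ROUTING TABLE" and fields[0] != "Virtual Address":
            vaddr, cn, real = fields[:3]
            if (cn, real) in sessions:
                sessions[(cn, real)].virtual_address = vaddr
    if updated_at is None:
        raise ValueError("no 'Updated' line: not an OpenVPN v1 status file")
    return updated_at, list(sessions.values())


def session_seconds(updated_at: datetime, s: Session) -> int:
    """Seconds the session had been up when the file was written."""
    return int((updated_at - s.connected_since).total_seconds())


def shared_common_names(sessions: List[Session]) -> Dict[str, List[str]]:
    """CNs connected from more than one real address at once. With the post's
    server.conf (no 'duplicate-cn') a reconnect with the same CN replaces the
    earlier session, so two live entries for one CN should not normally appear;
    when they do, the same client certificate and key are in use from two places
    and that certificate should be revoked (revoke-full) and reissued."""
    by_cn: Dict[str, List[str]] = defaultdict(list)
    for s in sessions:
        by_cn[s.common_name].append(s.real_address)
    return {cn: addrs for cn, addrs in by_cn.items() if len(addrs) > 1}


if __name__ == "__main__":
    updated, active = parse_status(SAMPLE_STATUS)
    print(f"status written at {updated}")
    for s in active:
        print(f"{s.common_name:10} {s.real_address:22} -> {s.virtual_address or '-':10} "
              f"up {session_seconds(updated, s)}s rx={s.bytes_received} tx={s.bytes_sent}")
    print("CNs seen from several addresses:", shared_common_names(active))
```

To run it against the live file, read /var/log/openvpn-status.log and pass its contents to parse_status; the same parse works for the per-client byte counters, which is what you would graph or alert on for a client that suddenly moves far more data than usual.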

4. Client connection test

Download the OpenVPN Windows client here and install it. Then copy the following certificate and key files into C:\Program Files\OpenVPN\config under the installation directory:

    ca.crt
    client.crt
    client.key
    ta.key

Create the client config file client.ovpn in that directory:

    client
    dev tun
    proto tcp
    remote xxx.xxx.xxx.xxx 11194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    ca ca.crt
    cert client.crt
    key client.key
    remote-cert-tls server
    tls-auth ta.key 1
    cipher AES-256-CBC

    comp-lzo
    verb 3

  • Here xxx.xxx.xxx.xxx 11194 is the public IP and port, which are mapped to 192.168.1.2 1194 on the internal server.

Now connect and test.

References
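Before connecting, it pays to cross-check the two configs. The directives that must agree on both ends (proto, dev, cipher, the tls-auth key direction, comp-lzo) are exactly the ones that produce a silent hang or a TLS error when they differ, and `remote-cert-tls server` is what stops the client from accepting any CA-signed certificate, another client's included, as the server. The checker below is an added example, not part of the post or of OpenVPN: SERVER_CONF and CLIENT_OVPN are the post's own configs abridged to the directives it inspects, and WEAK_CLIENT_OVPN is a constructed variant with those protections removed so the checks have something to catch.

```python
"""Cross-check the post's server.conf against its client.ovpn: the directives
that must agree on both ends, plus the client-side server-certificate check.

Added example, not from the original post or from OpenVPN. SERVER_CONF and
CLIENT_OVPN are the post's configs abridged to what the checks read;
WEAK_CLIENT_OVPN is a constructed variant."""
import shlex
from typing import Dict, List

SERVER_CONF = """\
local 192.168.1.2 # server IP
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
tls-auth /etc/openvpn/pki/ta.key 0
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
"""

CLIENT_OVPN = """\
client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 11194
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
"""

# Constructed weak variant: no server-certificate check, wrong key direction, no compression
WEAK_CLIENT_OVPN = (CLIENT_OVPN.replace("remote-cert-tls server\n", "")
                               .replace("tls-auth ta.key 1", "tls-auth ta.key 0")
                               .replace("comp-lzo\n", ""))

Config = Dict[str, List[List[str]]]   # directive -> one argument list per occurrence


def parse_config(text: str) -> Config:
    """Lines starting with '#' or ';' are comments, '#' after a directive starts a
    trailing comment, and double-quoted arguments (push "route ...") stay one token."""
    directives: Config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def first_arg(cfg: Config, name: str) -> List[str]:
    return cfg[name][0] if name in cfg else []   # [] when the directive is absent


def tls_auth_direction(cfg: Config):
    """Direction from 'tls-auth <file> <dir>' or 'key-direction'; None if no tls-auth."""
    if "tls-auth" not in cfg:
        return None
    args = cfg["tls-auth"][0]
    if len(args) >= 2:
        return args[1]
    return first_arg(cfg, "key-direction")[0] if "key-direction" in cfg else "bidirectional"


def check_pair(server: Config, client: Config) -> Dict[str, List[str]]:
    errors: List[str] = []
    warnings: List[str] = []
    # transport, device type and cipher are not negotiated here: they must match
    for name in ("proto", "dev", "cipher"):
        s, c = first_arg(server, name), first_arg(client, name)
        if name == "proto":   # 'tcp-server' / 'tcp-client' are the explicit forms of 'tcp'
            s, c = [a.split("-")[0] for a in s], [a.split("-")[0] for a in c]
        if s != c:
            errors.append(f"{name} differs: server {s} vs client {c}")
    # tls-auth must be present on both sides with opposite key directions
    sd, cd = tls_auth_direction(server), tls_auth_direction(client)
    if sd is None or cd is None:
        errors.append("tls-auth must be configured on both sides")
    elif (sd, cd) != ("0", "1"):
        errors.append(f"tls-auth key directions are server={sd}, client={cd}; expected 0 and 1")
    # compression: both sides or neither, and a risk even when consistent
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        errors.append("comp-lzo is set on one side only")
    elif "comp-lzo" in server:
        warnings.append("comp-lzo compresses data before encryption; OpenVPN 2.4 deprecates "
                        "it because compressed sizes depend on the plaintext")
    # without this the client accepts any CA-signed certificate as the server
    if first_arg(client, "remote-cert-tls") != ["server"]:
        errors.append("client lacks 'remote-cert-tls server'")
    # the server process should not keep root after startup
    for name in ("user", "group"):
        if name not in server:
            warnings.append(f"server does not drop privileges ('{name}' missing)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    srv = parse_config(SERVER_CONF)
    for label, text in (("post's client.ovpn", CLIENT_OVPN), ("weak client.ovpn", WEAK_CLIENT_OVPN)):
        print(label, check_pair(srv, parse_config(text)))
```

Run against the post's own pair the checker reports no errors and one warning, for comp-lzo; the weak variant trips three errors. Feeding it the full files from /etc/openvpn/server.conf and the client's config directory works the same way, since parse_config ignores directives it does not know.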