Note: I set up OpenVPN to link the private networks of my Tencent Cloud servers and Lightweight Application Servers.

Creating the certificates

Install the easy-rsa and openvpn packages

yum install openvpn easy-rsa

Create the directory and copy the easy-rsa files into it

# Note the easy-rsa version number; yours may differ
mkdir -p /etc/openvpn/easy-rsa
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/

Edit the vars file

vim /etc/openvpn/easy-rsa/vars

set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"

Initialize the PKI directory
[root@VM-16-13-centos openvpn]# cd /etc/openvpn/easy-rsa/
[root@VM-16-13-centos easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Create the CA root certificate
[root@VM-16-13-centos easy-rsa]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
......+++
.................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:xxxx

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Create the server certificate request; run the command and press Enter through the prompts
[root@VM-16-13-centos easy-rsa]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.......................+++
.............................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-1988.wDsY3E/tmp.zoeolo'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

Sign the server certificate

Press Enter, type yes, and then enter the passphrase you set when creating the CA root certificate (if you did not set one, just press Enter). The UI_set_result:result too small line in the output below is OpenSSL rejecting an empty passphrase; it simply prompts again.
[root@VM-16-13-centos easy-rsa]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
commonName = server


Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-2217.3drugz/tmp.tiWj9c
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
140610955376528:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 15 06:03:02 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

Generate the Diffie-Hellman parameters used for the key exchange; this produces a .pem file and takes a while
[root@VM-16-13-centos easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................................+............................................................................................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Configuring the OpenVPN server

Server configuration
vim /etc/openvpn/server.conf


# The following configuration can be copied as-is
local 0.0.0.0 # listen address
port 1194 # listen port
proto tcp # protocol
dev tun # routed tunnel (tun) mode

# Paths to the certificates
ca /etc/openvpn/easy-rsa/pki/ca.crt # CA certificate
cert /etc/openvpn/easy-rsa/pki/issued/server.crt # server certificate
key /etc/openvpn/easy-rsa/pki/private/server.key # server private key; this file should be kept secret
dh /etc/openvpn/easy-rsa/pki/dh.pem # Diffie-Hellman parameters for the key exchange

server 10.8.0.0 255.255.255.0 # virtual subnet: the address pool handed to clients; it must not overlap the VPN server's own LAN subnet

client-to-client # allow clients to reach each other
keepalive 10 120 # ping every 10 seconds; treat the peer as down after 120 seconds without a reply
comp-lzo # compress traffic

cipher AES-256-CBC
persist-key
persist-tun

status logs/openvpn-status.log # status log path
log-append logs/openvpn.log # runtime log
verb 3 # log verbosity

client-config-dir /etc/openvpn/ccd # directory of per-client fixed IP configs, explained below

script-security 2
auth-user-pass-verify /etc/openvpn/checkpwd.sh via-file # password verification script
username-as-common-name
verify-client-cert none

Create the user account and password file

vim /etc/openvpn/pwd-file

# File contents:
# one user per line, username and password separated by a space
client1 123456
client2 123456
client3 123456

Assign user client1 the fixed IP 10.8.0.57

mkdir /etc/openvpn/ccd
cd /etc/openvpn/ccd

# The file must be named after the user account
touch /etc/openvpn/ccd/client1
vi /etc/openvpn/ccd/client1

# File contents
ifconfig-push 10.8.0.57 10.8.0.58

Create the password verification script

touch /etc/openvpn/checkpwd.sh
chmod +x /etc/openvpn/checkpwd.sh
vi /etc/openvpn/checkpwd.sh

# Script contents

#!/bin/bash
# OpenVPN calls this script with one argument: a temporary file whose first
# line is the username and whose second line is the password (via-file mode).

PASSFILE="/etc/openvpn/pwd-file"
LOG_FILE="/etc/openvpn/logs/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

readarray -t lines < "$1"
username=${lines[0]}
password=${lines[1]}

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi

# Pass the username in as an awk variable instead of splicing it into the awk
# program text, so a username containing quotes cannot change the awk script.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1 == u {print $2; exit}' "${PASSFILE}")

# Only the username is written to the log; the submitted password is never logged.
if [ -z "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
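Because the server runs with verify-client-cert none, this password check is the only thing authenticating a client, so a plaintext pwd-file is the weak point of the setup. The script below is an added example, not the original post's code: a Python replacement for checkpwd.sh that reads the same via-file (username on line 1, password on line 2) but compares against salted PBKDF2 hashes; the PWD_FILE environment variable it honours is an assumed override for the store path.

```python
#!/usr/bin/env python3
"""Replacement for checkpwd.sh: checks OpenVPN via-file credentials against
salted PBKDF2 hashes instead of a plaintext pwd-file (added example)."""
import hashlib
import hmac
import os
import secrets
import sys

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor


def make_entry(username, password, salt=None):
    """One hashed-store line: '<user> <salt-hex> <hash-hex>' (no spaces in user)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username} {salt.hex()} {digest.hex()}"


def load_store(lines):
    """Parse store lines into {user: (salt, hash)}; '#' and ';' start comments."""
    store = {}
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        user, salt_hex, digest_hex = line.split()
        store[user] = (bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))
    return store


def verify(cred_lines, store):
    """cred_lines is the via-file OpenVPN writes: line 1 username, line 2 password."""
    if len(cred_lines) < 2:
        return False
    username = cred_lines[0].rstrip("\r\n")
    password = cred_lines[1].rstrip("\r\n")
    # Hash even for unknown users so response time does not reveal valid names.
    salt, expected = store.get(username, (bytes(16), bytes(32)))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return username in store and hmac.compare_digest(actual, expected)


# Constructed sample store with a fixed salt so the entry is reproducible.
DEMO_STORE = ["# constructed sample", make_entry("client1", "s3cret-demo", bytes(16))]

if __name__ == "__main__":
    # OpenVPN runs: checkpwd.py <via-file>; exit 0 accepts, 1 rejects.
    with open(os.environ.get("PWD_FILE", "/etc/openvpn/pwd-file")) as f:
        store = load_store(f)
    with open(sys.argv[1]) as f:
        sys.exit(0 if verify(f.readlines(), store) else 1)
```

Generate store lines with make_entry() and keep the file readable only by the user OpenVPN runs as.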

Enable kernel IP forwarding
echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p

Configure the firewall

# Open TCP port 1194
firewall-cmd --zone=public --add-port=1194/tcp --permanent
# Reload the firewall so the rule takes effect
firewall-cmd --reload
# Check that the rule was added
firewall-cmd --list-all

Start the OpenVPN server

mkdir /etc/openvpn/logs # create the log directory

openvpn /etc/openvpn/server.conf &
or
systemctl start openvpn@server # start the service
systemctl status openvpn@server # check its status
systemctl stop openvpn@server # stop the service

After running the start command, check the result with the status command. If it shows Active: failed, look at the log in /etc/openvpn/logs/openvpn.log; the error messages it prints are fairly complete and are a good basis for troubleshooting. Also remember that if the firewall is enabled, the port OpenVPN is configured on must be opened, and some providers apply additional security policies in their own console. If the service is running but clients cannot connect for a long time, look into these areas.
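Once the server is up, the status file it writes (status logs/openvpn-status.log) shows each connected common name with its real and virtual address, which is the quickest way to confirm that the ifconfig-push in ccd/client1 took effect. The script below is an added example, not from the original post; the status dump it parses is constructed sample data in OpenVPN's default status format.

```python
"""Confirm a client pinned in client-config-dir received its fixed virtual IP by
parsing the file written by 'status logs/openvpn-status.log' (added example)."""
import sys

# Constructed sample in OpenVPN's default status format (status-version 1).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Nov 16 14:03:02 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51234,10240,20480,Tue Nov 16 14:00:00 2021
client2,198.51.100.7:40022,512,1024,Tue Nov 16 14:01:30 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.57,client1,203.0.113.10:51234,Tue Nov 16 14:03:00 2021
10.8.0.6,client2,198.51.100.7:40022,Tue Nov 16 14:02:55 2021
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# What /etc/openvpn/ccd/client1 pins ("ifconfig-push 10.8.0.57 10.8.0.58"); with
# username-as-common-name the common name is the pwd-file username.
PINNED = {"client1": "10.8.0.57"}
SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Return {common_name: {"real": "ip:port", "virtual": ip or None}}."""
    clients, section = {}, None
    for line in text.splitlines():
        if line in SECTION_HEADERS:
            section = line
            continue
        f = line.split(",")
        if section == "OpenVPN CLIENT LIST" and len(f) == 5 and f[0] != "Common Name":
            clients[f[0]] = {"real": f[1], "virtual": None}
        elif section == "ROUTING TABLE" and len(f) == 4 and f[0] != "Virtual Address":
            clients.setdefault(f[1], {"real": f[2], "virtual": None})["virtual"] = f[0]
    return clients


def check_pinned(clients, pinned):
    """(cn, expected, actual) for connected clients whose virtual IP differs from ccd."""
    return [(cn, ip, clients[cn]["virtual"]) for cn, ip in pinned.items()
            if cn in clients and clients[cn]["virtual"] != ip]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for cn, expected, actual in check_pinned(parse_status(text), PINNED):
        print(f"{cn}: expected {expected}, got {actual}")
```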

Configuring the OpenVPN client

Create the client configuration file (client.ovpn)
client
dev tun
proto tcp
remote xxx.xxx.xx.xx 1194 # IP and port of the remote OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
cipher AES-256-CBC
comp-lzo
verb 4
auth-user-pass # with this directive the client prompts for username and password on connect
# auth-user-pass password.txt # read the credentials from a file instead
# certificates
ca ca.crt

The CA certificate must be copied into the same directory as client.ovpn.

If the client reports an error when connecting after importing client.ovpn, note that after editing client.ovpn you must re-import it into the OpenVPN client.

References:

https://sevennight.cc/2020/04/18/centos7_install_open_xxx.html

https://article.itxueyuan.com/vMEMO