This post covers the following:
1. Starting the OpenVPN service on CentOS 7.0.
2. Restricting VPN clients so they can only reach the company's internal 10.10.0.0/16 network (using iptables).
3. Bundling the ca.crt, client.crt, client.key and ta.key material into a single .ovpn file so that it is easy for VPN client users to use.
----------------------------Installing and configuring OpenVPN------------------------------------
OpenVPN Server
OpenVPN is not in the default CentOS repositories, so first install the Extra Packages for Enterprise Linux (EPEL) repository
# yum install epel-release
Install OpenVPN
# yum install openvpn -y
Install Easy-RSA, which is used later to generate the keys and certificates
# yum install easy-rsa -y
Copy the sample server.conf into the OpenVPN configuration directory
# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Edit the configuration file:
# vim /etc/openvpn/server.conf
-----------------------------------------
# IP of the physical NIC on the CentOS 7 host
local 192.168.250.1
# OpenVPN port
port 1194
# Changed from the default UDP to TCP here (UDP is the better choice when the
# network allows it; TCP inside TCP adds latency under packet loss)
proto tcp
# Interface type for the VPN tunnel (routed mode)
dev tun
# Path is /etc/openvpn/ca.crt
ca ca.crt
# Path is /etc/openvpn/server.crt
cert server.crt
# Path is /etc/openvpn/server.key
key server.key
# Default
dh dh2048.pem
# Address pool handed out to VPN clients (192.168.250.128/25). It must not
# overlap addresses that are in use on the eth0 LAN.
server 192.168.250.128 255.255.255.128
# Default: remember which client received which address
ifconfig-pool-persist ipp.txt
# Push a route so that traffic for this network goes through the VPN gateway
push "route 10.10.0.0 255.255.0.0"
# Make the VPN gateway the client's default gateway (full tunnel)
push "redirect-gateway def1 bypass-dhcp"
# DNS server pushed to VPN clients
push "dhcp-option DNS 8.8.8.8"
# Let VPN clients reach each other. This traffic is switched inside OpenVPN
# and never passes the host's FORWARD chain, so iptables cannot filter it.
client-to-client
# Allow one certificate to be used by several simultaneous logins. With a
# shared certificate a single user cannot be locked out without revoking it
# for everyone; one certificate per user is the safer setup.
duplicate-cn
# Ping the peer every 10 s; if nothing is heard for 120 s, assume it is gone and restart
keepalive 10 120
# tls-auth key direction: 0 on the server, 1 on the client
tls-auth ta.key 0
# Enable LZO compression. Compressing tunnel traffic is no longer recommended,
# because it leaks information through compression side channels; if you drop
# it here, drop it from the client profile as well.
comp-lzo
# At most 50 concurrent clients
max-clients 50
# Defaults: drop privileges after start-up and keep the key and tun device across restarts
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
# Enable logging (log-append keeps history across restarts, so the plain log line is redundant)
log openvpn.log
log-append openvpn.log
# Log level, default 3
verb 3
-----------------------------------------
Create the directory where Easy-RSA will put the generated keys
# mkdir -p /etc/openvpn/easy-rsa/keys
Copy the Easy-RSA 2.x scripts into the working directory (the vars file and the build-* scripts used below belong to easy-rsa 2; easy-rsa 3 replaces them with easyrsa subcommands)
# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Edit the Easy-RSA vars file (these values become the defaults for every certificate subject)
# vim /etc/openvpn/easy-rsa/vars
-----------------------------------------
......
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Hsinchu"
export KEY_ORG="DreamCompany"
export KEY_EMAIL="dreamtails@dreamtails.pixnet.net"
export KEY_OU="DreamCompany"
......
export KEY_NAME="server"
......
export KEY_CN="openvpn.dreamtails.pixnet.net"
......
-----------------------------------------
Now build the certificates:
# cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
# cd /etc/openvpn/easy-rsa
# source ./vars
# ./clean-all
# ./build-ca
-----------------------------------------
Press Enter through all the prompts; the defaults come from vars.
-----------------------------------------
# ./build-key-server server
-----------------------------------------
Press Enter through the prompts until the following appears, then answer:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<optional; may be left empty>
An optional company name []:<optional; may be left empty>
-----------------------------------------
# ./build-dh
# cd /etc/openvpn/easy-rsa/keys
# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
# cd /etc/openvpn/easy-rsa
# ./build-key client
-----------------------------------------
Press Enter through the prompts until the following appears, then answer:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<optional; it need not match the server's, the challenge password is only stored in the request and has no effect on the VPN>
An optional company name []:<optional; may be left empty>
-----------------------------------------
Generate ta.key, the shared HMAC key for tls-auth (created with mode 0600; it is needed by the server and by every client)
# cd /etc/openvpn/
# openvpn --genkey --secret ta.key
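Before copying the keys anywhere it is worth checking that the easy-rsa run produced what server.conf and the client profile expect: both certificates chain to the CA, the server certificate carries the serverAuth extended key usage that the client's `remote-cert-tls server` line insists on (build-key-server adds it, plain build-key does not), each key belongs to its certificate, and ta.key is a static key readable by the owner only. The script below is an added example, not part of the original post; it assumes the files are laid out as above (KEYDIR is easy-rsa/keys, TAKEY is /etc/openvpn/ta.key) and that the `openssl` command line is installed. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: verify the easy-rsa output
# against what server.conf and the client profile expect.
# Assumptions: KEYDIR holds ca.crt, server.crt, server.key, client.crt and
# client.key (easy-rsa/keys above); TAKEY is the ta.key generated with
# "openvpn --genkey --secret". Only the openssl command line is needed.

# cert_chains_to_ca CA CERT: CERT must verify against CA. Matches on the
# ": OK" text because some older openssl releases exit 0 even on a failed verify.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_has_server_eku CERT: true when CERT carries the "TLS Web Server
# Authentication" extended key usage, which "remote-cert-tls server" checks.
cert_has_server_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# key_matches_cert KEY CERT: compare the public key derived from each side.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# ta_key_ok FILE: must be an OpenVPN static key and readable by the owner only.
ta_key_ok() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$1" 2>/dev/null \
        && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_pki KEYDIR TAKEY: run every check and report the first failure.
check_pki() {
    d="$1"; ta="$2"
    cert_chains_to_ca "$d/ca.crt" "$d/server.crt" \
        || { echo "server.crt does not chain to ca.crt"; return 1; }
    cert_chains_to_ca "$d/ca.crt" "$d/client.crt" \
        || { echo "client.crt does not chain to ca.crt"; return 1; }
    cert_has_server_eku "$d/server.crt" \
        || { echo "server.crt lacks the serverAuth EKU (built with build-key instead of build-key-server?)"; return 1; }
    key_matches_cert "$d/server.key" "$d/server.crt" \
        || { echo "server.key does not match server.crt"; return 1; }
    key_matches_cert "$d/client.key" "$d/client.crt" \
        || { echo "client.key does not match client.crt"; return 1; }
    ta_key_ok "$ta" \
        || { echo "ta.key is not an OpenVPN static key or is not mode 0600"; return 1; }
    echo "PKI checks passed"
}

# Usage on the server:
#   check_pki /etc/openvpn/easy-rsa/keys /etc/openvpn/ta.key
```

Run it once after `./build-key client` and again after the `cp` into /etc/openvpn; a server certificate that fails the EKU check is the usual reason a client with `remote-cert-tls server` refuses to connect.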
Install the iptables service package and configure iptables in place of firewalld. Note that iptables --flush below also clears the distribution's default INPUT rules, so every port on the host is reachable until you add your own.
# yum install iptables-services -y
# systemctl mask firewalld
# systemctl enable iptables
# systemctl stop firewalld
# systemctl start iptables
# iptables --flush
NAT (masquerade) packets whose source is in 192.168.250.128/25 as they leave through eth0
# iptables -t nat -A POSTROUTING -s 192.168.250.128/25 -o eth0 -j MASQUERADE
# iptables-save > /etc/sysconfig/iptables
# vim /etc/sysctl.conf
-----------------------------------------
......
net.ipv4.ip_forward = 1
......
-----------------------------------------
Restart networking to apply the setting (sysctl -p applies it immediately as well)
# systemctl restart network.service
Enable and start the OpenVPN service; the instance name after the @ must match the configuration file name /etc/openvpn/server.conf
# systemctl -f enable openvpn@server.service
# systemctl start openvpn@server.service
Only allow VPN clients to reach machines on 10.10.0.0/16; every other destination is dropped. Because redirect-gateway def1 is pushed, all client traffic arrives on tun0, so the DROP rule also covers the pushed DNS server 8.8.8.8: clients need a resolver inside 10.10.0.0/16 (or an extra ACCEPT for it) for name resolution to work. The rules match new packets from the tunnel; replies from 10.10.0.0/16 arrive on eth0 and pass because the chain's default policy is still ACCEPT after the flush.
# iptables -A FORWARD -i tun0 -s 192.168.250.128/25 -d 10.10.0.0/16 -j ACCEPT
# iptables -A FORWARD -i tun0 -s 192.168.250.128/25 -j DROP
# iptables-save > /etc/sysconfig/iptables
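Appending rules one by one and then dumping them with iptables-save works, but the resulting policy is easier to review (and to load atomically at boot) when it is written as a complete iptables-restore file, which is exactly what /etc/sysconfig/iptables is. The script below is an added example, not from the original post: it produces that file with the post's forwarding policy plus the INPUT protection that `iptables --flush` removed (loopback, established traffic, SSH and 1194/tcp only) and restricts the masquerade to the internal network. The pool, interface names and port come from the post; the SSH rule on 22/tcp is my assumption for management access, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the VPN gateway's complete
# iptables policy as an iptables-restore file (the /etc/sysconfig/iptables
# format). Writing the whole policy at once keeps the order of the FORWARD
# rules explicit and restores the INPUT protection that "iptables --flush"
# removed. Values from the post: pool 192.168.250.128/25 on tun0,
# 10.10.0.0/16 behind eth0, OpenVPN on 1194/tcp. The 22/tcp rule is an
# assumption for SSH management access.

VPN_POOL="192.168.250.128/25"
INTERNAL="10.10.0.0/16"
VPN_IF="tun0"
LAN_IF="eth0"
VPN_PORT="1194"

# write_vpn_ruleset FILE: write the complete ruleset to FILE.
write_vpn_ruleset() {
    cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerade VPN clients only towards the internal network
-A POSTROUTING -s $VPN_POOL -d $INTERNAL -o $LAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport $VPN_PORT -j ACCEPT
# replies from the internal network back to VPN clients
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# new connections from VPN clients may only go to the internal network
-A FORWARD -i $VPN_IF -s $VPN_POOL -d $INTERNAL -o $LAN_IF -j ACCEPT
# everything else from the tunnel (the pushed 8.8.8.8 DNS included) is logged and dropped
-A FORWARD -i $VPN_IF -s $VPN_POOL -m limit --limit 5/min -j LOG --log-prefix "vpn-fwd-drop: "
-A FORWARD -i $VPN_IF -s $VPN_POOL -j DROP
COMMIT
EOF
}

# install_vpn_ruleset: persist the policy to /etc/sysconfig/iptables (what the
# iptables service loads at boot) and activate it in one step.
install_vpn_ruleset() {
    write_vpn_ruleset /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
}

# Usage (as root, after enabling the iptables service as above):
#   install_vpn_ruleset
```

The ACCEPT for 10.10.0.0/16 must stay above the DROP; iptables evaluates the FORWARD chain top to bottom, so reversing the two silently cuts clients off from the internal network. The logged drops also make it easy to see from the server whether a client is trying to reach something outside the allowed range.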
===============End of the OpenVPN server configuration==================
OpenVPN Client
Method 1:
Copy the following four files from the OpenVPN server to the client device.
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/ta.key
Then create a .ovpn file on the client device with the following content:
-----------------------------------------
client
dev tun
proto tcp
remote 192.168.250.1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
key-direction 1
ca /<PATH>/ca.crt
cert /<PATH>/client.crt
key /<PATH>/client.key
# 1 means client, 0 means server
tls-auth /<PATH>/ta.key 1
-----------------------------------------
Finally, open the .ovpn file with OpenVPN Connect and the client can reach the company's internal 10.10.0.0/16 network.
Method 2 below works just as well, and I find it more convenient for client users: all the .crt and .key files are embedded in the .ovpn file itself.
Method 2:
Copy the contents of the following four .crt and .key files from the OpenVPN server into the .ovpn file.
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/ta.key
Create a .ovpn file with the following content:
-----------------------------------------
client
dev tun
proto tcp
remote 192.168.250.1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
# paste the contents of ca.crt here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# paste the contents of client.crt here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# paste the contents of client.key here
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# paste the contents of ta.key here
-----END OpenVPN Static key V1-----
</tls-auth>
-----------------------------------------
From now on you only need to hand this one .ovpn file to client users and they can connect to the company's internal 10.10.0.0/16 network. This is the more convenient method for users, since a single file is all they need. Keep in mind that the file contains the client's private key and the tls-auth key: deliver it over a protected channel, keep it readable by its owner only, and remember that with duplicate-cn anyone who obtains a copy can log in alongside the legitimate user.
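Pasting four files into a profile by hand is error-prone (easy-rsa certificates start with a text dump before the PEM block, and a truncated key produces a profile that fails only at connect time). The script below is an added example, not from the original post: it builds the method 2 profile from the files, and goes one step beyond the post by taking a client NAME so that each user gets a profile from their own NAME.crt/NAME.key (the post's single "client" certificate is simply NAME=client). It assumes KEYDIR holds ca.crt, NAME.crt and NAME.key, that ta.key is passed separately, and uses the post's server address, port and client directives. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: generate the single-file
# profile of method 2 from the PEM files instead of pasting them by hand.
# Assumptions: KEYDIR holds ca.crt, NAME.crt and NAME.key (easy-rsa/keys
# above); TAKEY is /etc/openvpn/ta.key; server address, port and the client
# directives are the ones from the post.

SERVER="192.168.250.1"
PORT="1194"

# pem_block FILE TYPE: print only the "-----BEGIN TYPE-----"..."-----END TYPE-----"
# block of FILE (easy-rsa certificates carry a text dump in front of it).
# Fails when the block is absent or truncated, so no broken profile is written.
pem_block() {
    blk=$(sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1" 2>/dev/null)
    case "$blk" in
        "-----BEGIN "*"-----END "*"-----") printf '%s\n' "$blk" ;;
        *) echo "$1: no complete $2 block" >&2; return 1 ;;
    esac
}

# make_inline_ovpn KEYDIR NAME TAKEY OUT: write OUT with the CA certificate,
# NAME's certificate and key, and ta.key embedded. OUT is created with mode
# 0600 from the start because it holds the private key.
make_inline_ovpn() {
    dir="$1"; name="$2"; takey="$3"; out="$4"
    ca=$(pem_block "$dir/ca.crt" "CERTIFICATE") || return 1
    cert=$(pem_block "$dir/$name.crt" "CERTIFICATE") || return 1
    key=$(pem_block "$dir/$name.key" "[A-Z ]*PRIVATE KEY") || return 1
    ta=$(pem_block "$takey" "OpenVPN Static key V1") || return 1
    (
        umask 077
        cat > "$out" <<EOF
client
dev tun
proto tcp
remote $SERVER $PORT
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
key-direction 1
<ca>
$ca
</ca>
<cert>
$cert
</cert>
<key>
$key
</key>
<tls-auth>
$ta
</tls-auth>
EOF
    )
}

# Usage on the server (the post's "client" certificate):
#   make_inline_ovpn /etc/openvpn/easy-rsa/keys client /etc/openvpn/ta.key client.ovpn
```

The key block pattern accepts both "BEGIN PRIVATE KEY" (what easy-rsa 2 on CentOS 7 writes, as shown in the profile above) and "BEGIN RSA PRIVATE KEY". comp-lzo is kept only because the server.conf above enables it; if you remove it on the server, remove it here too, as the two sides must agree.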
Sources:
1. http://cheaster.blogspot.tw/2009/11/openvpn-by-ssl.html
2. http://www.unixmen.com/install-openvpn-centos-7/
3. http://serverfault.com/questions/483941/generate-an-openvpn-profile-for-client-user-to-import