OpenVPN server setup (CentOS 7, OpenVPN 2.4.10 from EPEL)


References
https://phoenixnap.com/kb/openvpn-centos  installation walkthrough this page follows
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage  OpenVPN 2.4 man page, consulted mainly for the --askpass option
https://forums.openvpn.net/viewtopic.php?t=26024  forum thread on the same problem
https://openvpn.net/community-resources/how-to/#openvpn-quickstart  official HOWTO (covers installing from source)

1: Install OpenVPN

The openvpn package comes from EPEL, so enable that repository first:

yum -y install epel-release
yum -y update

yum install -y openvpn




2: Install Easy-RSA

yum install -y wget
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.8.tar.gz

tar -xf v3.0.8.tar.gz
mv /root/easy-rsa-3.0.8 /etc/openvpn/easy-rsa

The archive unpacks into easy-rsa-3.0.8 in the current directory (/root here). The mv renames that directory to /etc/openvpn/easy-rsa, so the scripts end up in /etc/openvpn/easy-rsa/easyrsa3, which is the path used in the rest of this page. Do not mkdir /etc/openvpn/easy-rsa beforehand: mv into an existing directory nests the tree one level deeper (/etc/openvpn/easy-rsa/easy-rsa-3.0.8/easyrsa3) and the later cd fails.


3: Configure OpenVPN

Start from the sample configuration shipped with the package:

cp /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/

find / -name server.conf

/etc/openvpn/server.conf
/usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf
/usr/share/doc/NetworkManager/examples/server.conf


vi /etc/openvpn/server.conf

For the basic configuration, uncomment the following lines by removing the leading semicolon:

topology subnet                              (run the VPN as one subnet, one address per client)
push "redirect-gateway def1 bypass-dhcp"     (tell clients to route all their traffic through the tunnel)
push "dhcp-option DNS 208.67.222.222"        (an OpenDNS resolver pushed to clients for use while connected)
push "dhcp-option DNS 208.67.220.220"        (second OpenDNS resolver)
user nobody                                  (drop root privileges after initialization)
group nobody                                 (drop root privileges after initialization)

Next, switch control-channel protection from tls-auth to tls-crypt. Find the line

tls-auth ta.key 0 # This file is secret

comment it out by putting ; in front of it, and add a new line under it:

tls-crypt myvpn.tlsauth

Both are directives in server.conf, not shell commands; typing the second one at a prompt just fails:

[root@master easy-rsa]# tls-crypt myvpn.tlsauth
-bash: tls-crypt: command not found

tls-auth only adds an HMAC to control-channel packets; tls-crypt also encrypts them, so the TLS handshake (and the certificates in it) is not visible on the wire. In both cases the key is a single pre-shared secret that every client must also hold. It stops unknown hosts from even starting a handshake, which helps against scanning and DoS, but it does not replace the per-client certificates.

The DNS lines choose which resolvers are pushed to clients for use while the tunnel is up (they have nothing to do with how clients reach the server). The defaults are the OpenDNS resolvers, which are kept here; edit the two push "dhcp-option DNS ..." lines to use others. With redirect-gateway def1 in place the clients' DNS queries travel through the tunnel and leave via the server, so the resolver you pick sees all their lookups.
 
 
Save and exit the configuration file.

Finally, generate the static key named by the tls-crypt line:

openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
ls
client  easy-rsa  myvpn.tlsauth  server  server.conf  server.conf.bak

The key below is shown only to illustrate the file format. It is a shared secret: copy it to every client over a secure channel, keep it readable by root only (chmod 600), and never reuse a key that has been pasted somewhere public, as this one now has; generate a fresh one for any real deployment.

cat myvpn.tlsauth
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
45a69a183da20a8f7e7b17b0276786bd
b57d725692dc4200ec0f3024dc9da266
ac8c4ffb676db52cd17c5249b2eb8aeb
91c2e344218a7c183b92f588cace5a28
253f0f387d3d878e1f3023a52974c7c7
0f5fec0398ae041ac291fd133b70cac1
5fe6e54c13fdc25fa33af8b51aa7ba12
5fd6cae5ac8d385c61d0b1d5af445052
6cd825b30822dfa895b1944f6017b336
335cbf71ad99445054f51d1695f48400
009dbe69dc90d5033493b8b297872691
cfa4b3be751a03db85a8a7fe5ff4ebc4
2c518df59f26250468782532d0acf63c
4b4f98a93f533cdb363cf8e4763a8dc0
521c0afed8d137f08152eaa971c1428a
d1e0e97ed473d02e7bccfd4e38b20ed7
-----END OpenVPN Static key V1-----


4: Generate keys and certificates

cd /etc/openvpn/easy-rsa/easyrsa3
ls
easyrsa  openssl-easyrsa.cnf  vars.example  x509-types

cp vars.example vars
vim vars
Scroll through the file and find the lines listed below:
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
Uncomment them by removing the # and replace the defaults with your own details:
set_var EASYRSA_REQ_COUNTRY     "US"                        country (two-letter ISO code)
set_var EASYRSA_REQ_PROVINCE    "California"                province or state
set_var EASYRSA_REQ_CITY        "San Francisco"             city
set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"   organization
set_var EASYRSA_REQ_EMAIL       "me@example.net"            e-mail address
set_var EASYRSA_REQ_OU          "My Organizational Unit"    organizational unit


The values used on this server:

set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Zhejiang"
set_var EASYRSA_REQ_CITY        "HangZhou"
set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "m15088694571@163.com"
set_var EASYRSA_REQ_OU          "Personal"

The country must be the two-letter code (CN); OpenSSL rejects a longer value such as "China" when it builds the request. Note also that these EASYRSA_REQ_* fields are only used when EASYRSA_DN is set to "org". The default, "cn_only", ignores them, which is why the build-ca and build-server-full runs below ask for nothing but a Common Name.

The walkthrough this page follows then says to find the line specifying KEY_NAME and change it to "server". There is no such line in vars.example, and adding one

set_var KEY_NAME  "server"
set_var KEY_CN    "openvpn.yourdomain.com"

does nothing: KEY_NAME and KEY_CN are Easy-RSA 2.x variables that Easy-RSA 3 never reads. In Easy-RSA 3 the certificate's file name and Common Name come from the argument on the command line (./easyrsa build-server-full server below), so leave these two lines out. The key size stays at the default:

#set_var EASYRSA_KEY_SIZE       2048

clean-all is accepted by Easy-RSA 3 as an alias of init-pki: it removes any existing pki directory and creates an empty one, so run it once, before build-ca, and never again on a CA that has already issued certificates.

[root@master easyrsa3]# ./easyrsa clean-all

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki

ls /etc/openvpn/easy-rsa/easyrsa3/pki
openssl-easyrsa.cnf  private  reqs  safessl-easyrsa.cnf

You will be asked to set a CA key passphrase and a Common Name for the CA.

[root@master easyrsa3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase: 
Re-Enter New CA Key Passphrase: 
Error reading password from BIO
Error getting password

Easy-RSA error:

Failed create CA private key

The first run failed because the passphrase prompt was answered with an empty line; the CA key is written encrypted and OpenSSL will not accept an empty passphrase. Run it again and enter one:

[root@master easyrsa3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase:  (enter a passphrase; 1234 was used for this lab, but a real CA deserves a long one, since it is all that protects ca.key if the file is ever copied)
Re-Enter New CA Key Passphrase: 
Generating RSA private key, 2048 bit long modulus
.............................................+++
.................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: (press Enter to accept the default)
 
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

To avoid typing the CA passphrase every time you sign a certificate, ./easyrsa build-ca nopass creates the CA with an unencrypted key. Do that only if the pki directory lives on a machine that is not the VPN server and is otherwise well protected: an unencrypted ca.key is everything needed to mint client certificates that this server will trust.


5: Create the server key and certificate

build-server-full generates a key, creates a request and signs it with the CA in one step. It prompts for a PEM pass phrase for the new server key (1234 below) and then for the CA passphrase. The "result too small" error in the transcript is OpenSSL rejecting an empty answer to the CA passphrase prompt; the retry enters the passphrase set during build-ca.

Note the consequence of the first prompt: a passphrase-protected server key cannot be loaded by an unattended daemon, which is exactly the systemd password prompt that appears when the service is started further down. For a key that a service loads at boot, run ./easyrsa build-server-full server nopass and protect the file with ownership and mode (root, 0600) instead.
[root@master easyrsa3]# ./easyrsa build-server-full server

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
........................+++
.......+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48737.zw5a7r/tmp.aqGMia'
Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
-----
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48737.zw5a7r/tmp.Q5pEoV
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
139858593519504:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:
You must type in 4 to 1023 characters
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: 1234
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jun 22 08:25:11 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated



Next, generate the Diffie-Hellman parameters used for the key exchange:





[root@master easyrsa3]# ./easyrsa gen-dh

....................................................................................................................................+............................................................................+..........................................................................+............................................................................................................................................................................+.........+.........++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem



Each client also needs its own certificate. Generate them here and deliver the client's key, certificate, ca.crt and the tls-crypt key to the client machine over a secure channel. The command below creates a certificate and key for client1; use any name you like. It prompts for a PEM pass phrase for the client key the same way (1234 here); a passphrase makes sense for a key a person uses interactively, while unattended clients need ./easyrsa build-client-full <name> nopass.


[root@master easyrsa3]# ./easyrsa build-client-full client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
......+++
..................................+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48964.d7rv5O/tmp.pvCyVV'
Enter PEM pass phrase: 1234
Verifying - Enter PEM pass phrase: 1234
-----
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/easy-rsa-48964.d7rv5O/tmp.rWFiYS
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key: 1234
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Jun 22 08:27:41 2023 GMT (825 days)

Write out database with 1 new entries
Data Base Updated



Once the keys and certificates exist, copy the ones the server needs from pki into the openvpn directory. Change to the pki directory:

cd /etc/openvpn/easy-rsa/easyrsa3/pki
[root@master pki]# ls
ca.crt           index.txt.attr      openssl-easyrsa.cnf  revoked
certs_by_serial  index.txt.attr.old  private              safessl-easyrsa.cnf
dh.pem           index.txt.old       renewed              serial
index.txt        issued              reqs                 serial.old


[root@master pki]# cp ca.crt dh.pem /etc/openvpn
[root@master pki]# cd private/
[root@master private]# cp ca.key server.key /etc/openvpn
[root@master private]# ls /etc/openvpn/
ca.crt  client  easy-rsa       server       server.conf.bak
ca.key  dh.pem  myvpn.tlsauth  server.conf  server.key

This copy is what causes the startup failure in the next section, and it has a worse problem. server.crt lives in pki/issued/, not pki/private/, and was not copied; and server.conf asks for dh2048.pem while Easy-RSA 3 names the file dh.pem. Both are corrected further down. ca.key, on the other hand, should not have been copied at all: the server only needs ca.crt to verify client certificates (server.conf never references ca.key), and leaving the CA private key on the Internet-facing VPN host means that anyone who compromises the server can also issue client certificates it will trust. Keep the CA key on a separate machine, ideally offline, remove the copy in /etc/openvpn, and make server.key and myvpn.tlsauth readable by root only (chmod 600).


Firewall and routing configuration

[root@master private]# systemctl start firewalld
[root@master private]# firewall-cmd --get-active-zones
public
  interfaces: ens33
[root@master private]# firewall-cmd --zone=public --add-service openvpn
success

[root@master private]# firewall-cmd --zone=public --add-service openvpn --permanent
success
[root@master private]# firewall-cmd --list-services --zone=public
dhcpv6-client openvpn ssh


[root@master private]# firewall-cmd --add-masquerade
success
[root@master private]# firewall-cmd --add-masquerade --permanent
success
[root@master private]# firewall-cmd --query-masquerade
yes


Routing configuration

[root@master private]# VAR=$(ip route get 208.67.222.222 | awk 'NR==1 {print $(NF-2)}')
[root@master private]# echo $VAR
ens33
[root@master private]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $VAR -j MASQUERADE
success
[root@master private]# firewall-cmd --reload
success

The awk expression takes the third field from the end of the first line of ip route get. On this iproute2 version that is the interface name, but it depends on the exact output format (versions that append "uid 0" to the line return the source address instead), so confirm that echo $VAR prints an interface before using it in the rule. MASQUERADE is now configured twice, zone-wide by --add-masquerade above and for 10.8.0.0/24 by this direct rule; either alone is enough.

Then enable IPv4 forwarding so the server passes client traffic on:

[root@master private]# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

The file is only read at boot; apply it now with sysctl -p and confirm with sysctl net.ipv4.ip_forward.
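The interface detection and NAT steps above, done the way I would script them, as an added example that is not part of the page: the interface is read from the word after "dev" instead of a field counted from the end of the line, forwarding is enabled through a sysctl.d drop-in and applied immediately, one MASQUERADE rule is added for the VPN subnet, and the live state is checked afterwards instead of trusting "success". The subnet 10.8.0.0/24 and the OpenDNS address are the page's; the function names and the OPENVPN_NAT_APPLY switch are mine.

```shell
#!/bin/sh
# Added example (not from the original page): determine the egress interface
# from `ip route get` without relying on field positions, then enable
# forwarding and NAT for the VPN subnet with firewalld and verify the result.
# Function names are mine; the subnet and resolver address are the page's.

# Print the interface that follows the "dev" keyword in the first line of
# `ip route get` output. Unlike awk '{print $(NF-2)}' this does not break when
# iproute2 appends "uid 0" to the line.
egress_dev() {
    awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Egress interface used to reach a public address (default: the OpenDNS resolver
# the page pushes to clients). Fails loudly instead of returning an empty value
# that would then be spliced into a firewall rule.
egress_dev_for() {
    target=${1:-208.67.222.222}
    dev=$(ip route get "$target" 2>/dev/null | egress_dev)
    [ -n "$dev" ] || { echo "no route to $target" >&2; return 1; }
    echo "$dev"
}

# Enable IPv4 forwarding persistently and MASQUERADE the VPN subnet out of $1.
# A sysctl.d drop-in plus `sysctl --system` applies the setting now and at boot
# (editing /etc/sysctl.conf alone only takes effect after sysctl -p or a reboot).
enable_vpn_nat() {
    dev=$1
    net=${2:-10.8.0.0/24}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }

    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl --system >/dev/null

    firewall-cmd --permanent --zone=public --add-service=openvpn
    # One rule scoped to the VPN subnet and the egress interface is enough; the
    # page enables zone-wide masquerading as well, which is redundant.
    firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -s "$net" -o "$dev" -j MASQUERADE
    firewall-cmd --reload

    # Verify the live state rather than trusting the "success" messages.
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "ip_forward is off" >&2; return 1; }
    firewall-cmd --direct --get-all-rules | grep -q -- "-s $net -o $dev -j MASQUERADE"
}

# Apply only when asked: OPENVPN_NAT_APPLY=1 sh vpn-nat.sh [subnet]
if [ "${OPENVPN_NAT_APPLY:-0}" = 1 ]; then
    dev=$(egress_dev_for) && enable_vpn_nat "$dev" "${1:-10.8.0.0/24}"
fi
```

Scoping the rule to -s 10.8.0.0/24 -o <egress> matters on a host with more than one interface: a zone-wide masquerade would also NAT traffic arriving from other networks in the public zone, which is rarely what a VPN gateway is supposed to do.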


Start OpenVPN

[root@master private]# systemctl -f start openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.
[root@master private]# systemctl -f status  openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 五 2021-03-19 16:50:35 CST; 3s ago
  Process: 63976 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
 Main PID: 63976 (code=exited, status=1/FAILURE)

3月 19 16:50:35 master systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
3月 19 16:50:35 master openvpn[63976]: Options error: --dh fails with 'dh2048.pem': No such file or directory (errno=2)
3月 19 16:50:35 master openvpn[63976]: Options error: --cert fails with 'server.crt': No such file or directory (errno=2)
3月 19 16:50:35 master openvpn[63976]: Options error: Please correct these errors.
3月 19 16:50:35 master openvpn[63976]: Use --help for more information.
3月 19 16:50:35 master systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
3月 19 16:50:35 master systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
3月 19 16:50:35 master systemd[1]: Unit openvpn@server.service entered failed state.
3月 19 16:50:35 master systemd[1]: openvpn@server.service failed.

Both errors trace back to the copy step: server.crt was never copied (it is in pki/issued/, not pki/private/), and server.conf expects dh2048.pem while Easy-RSA 3 writes dh.pem. Copy the certificate and give the DH file the expected name (or change the dh line in server.conf to dh.pem):


[root@master pki]# pwd
/etc/openvpn/easy-rsa/easyrsa3/pki
[root@master pki]# ls issued/
client1.crt  server.crt


cp issued/server.crt /etc/openvpn 

cd /etc/openvpn 
cp dh.pem dh2048.pem 

[root@master pki]# systemctl -f start   openvpn@server.service
[root@master pki]# 
Broadcast message from root@master (Fri 2021-03-19 17:02:13 CST):

Password entry required for 'Enter Private Key Password:' (PID 64678).
Please enter password with the systemd-tty-ask-password-agent tool!


[root@master pki]# systemctl -f status  openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2021-03-19 17:02:13 CST; 12s ago
 Main PID: 64677 (openvpn)
   Status: "Pre-connection initialization successful"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           ├─64677 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
           └─64678 /usr/bin/systemd-ask-password --icon network-vpn Enter Private Key Password:

3月 19 17:02:13 master systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
3月 19 17:02:13 master openvpn[64677]: Fri Mar 19 17:02:13 2021 OpenVPN 2.4.10 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] b...on Dec  9 2020
3月 19 17:02:13 master openvpn[64677]: Fri Mar 19 17:02:13 2021 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
3月 19 17:02:13 master openvpn[64677]: Fri Mar 19 17:02:13 2021 Diffie-Hellman initialized with 2048 bit key
3月 19 17:02:13 master systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.




The unit reports active, but the second process in its cgroup is systemd-ask-password: openvpn is blocked at "Enter Private Key Password:" because server.key was encrypted with the PEM pass phrase entered during build-server-full, and "Pre-connection initialization successful" means it has not yet opened its socket. Answering through systemd-tty-ask-password-agent gets it going once, but the same prompt returns at every restart and reboot. When the password cannot be read, openvpn logs:

openvpn ERROR: Failed retrieving username or password
 
 
 
The active directives in server.conf at this point:

[root@master openvpn]# egrep -v "^$|^#|^;" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt myvpn.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


--askpass [file]
Get certificate password from console or file before we daemonize.
For the extremely security conscious, it is possible to protect your private key with a password. Of course this means that every time the OpenVPN daemon is started you must be there to type the password. The --askpass option allows you to start OpenVPN from the command line. It will query you for a password before it daemonizes. To protect a private key with a password you should omit the -nodes option when you use the openssl command line tool to manage certificates and private keys.

If file is specified, read the password from the first line of file. Keep in mind that storing your password in a file to a certain extent invalidates the extra security provided by using an encrypted key.


The workaround used here: create /etc/openvpn/stdin.txt with the passphrase on its first line, make it readable by root only (chmod 600), and point askpass at it in server.conf:

vim server.conf
askpass "/etc/openvpn/stdin.txt"

This lets the service start unattended, but, as the man page passage above says, it gives up what the passphrase was for: anyone who can read stdin.txt can decrypt server.key, so the encrypted key is protected no better than an unencrypted one with mode 0600, and there is now a second secret file to guard. The cleaner fix is a server key issued without a passphrase (./easyrsa build-server-full server nopass), kept root-owned with mode 0600; openvpn reads it once as root during startup, before dropping to user nobody, so no other account needs access. If you keep askpass anyway, the passphrase file must be root-only and must never be committed or pasted anywhere.



egrep -v "^$|^#|^;" server.conf 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
askpass "/etc/openvpn/stdin.txt"
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt myvpn.tlsauth
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Solved; the service is now fully up. (The Loaded line still says disabled: the unit will not start at boot until you run systemctl enable openvpn@server.service.)
[root@master openvpn]# systemctl -f status  openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2021-03-19 17:54:45 CST; 7min ago
 Main PID: 67900 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─67900 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 Could not det...ET
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 Socket Buffer...2]
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 UDPv4 link lo...94
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 UDPv4 link re...C]
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 GID set to nobody
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 UID set to nobody
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 MULTI: multi_...56
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 IFCONFIG POOL...=0
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 IFCONFIG POOL LIST
3月 19 17:54:45 master openvpn[67900]: Fri Mar 19 17:54:45 2021 Initializatio...ed
Hint: Some lines were ellipsized, use -l to show in full.
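As a closing check, here is an added example (my own script, not from the page or from the OpenVPN project) that audits a server.conf and its directory for the problems that came up above: askpass pointing at a passphrase file, ca.key sitting next to the server config, tls-auth instead of tls-crypt, missing user/group, no tls-version-min, and secret files readable by other accounts. It needs only POSIX sh, awk and ls; the check wording and the exit codes are my choices, and the secret-bearing directive list is an assumption based on what this page's config uses.

```shell
#!/bin/sh
# Added example (not from the original page or the OpenVPN project): audit an
# OpenVPN 2.4 server.conf and its directory for the problems discussed above.
#   sh audit-openvpn.sh /etc/openvpn/server.conf
# exit 0 = nothing flagged, 1 = findings printed, 2 = conf not readable.

# Directives whose argument is a file holding a secret; each must be root-only.
SECRET_DIRECTIVES='key tls-crypt tls-auth askpass'

# Print the path named by every secret-bearing directive in $1, quotes stripped,
# made absolute relative to the conf directory (the unit runs openvpn with --cd /etc/openvpn).
secret_files() {
    dir=$(dirname "$1")
    awk -v want="$SECRET_DIRECTIVES" -v dir="$dir" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) is_secret[w[i]] = 1 }
        {
            sub(/[#;].*/, "")                     # drop comments
            if (NF < 2 || !($1 in is_secret)) next
            p = $2; gsub(/"/, "", p)
            if (p !~ /^\//) p = dir "/" p
            print p
        }' "$1"
}

# Print one finding per line; return 0 if clean, 1 if anything was flagged.
audit_server_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    dir=$(dirname "$conf")
    rc=0

    awk '
        { sub(/[#;].*/, ""); if (NF == 0) next; seen[$1] = 1; arg[$1] = $2 }
        END {
            bad = 0
            if ("askpass" in seen && arg["askpass"] != "") {
                print "askpass " arg["askpass"] ": a passphrase in a file protects nothing that file permissions do not; use a nopass key with mode 0600"
                bad = 1 }
            if (!("tls-crypt" in seen)) {
                msg = ("tls-auth" in seen) ? "tls-auth only authenticates the control channel; tls-crypt also encrypts it" : "neither tls-auth nor tls-crypt: any host can start a TLS handshake with the server"
                print msg; bad = 1 }
            if (!("user" in seen) || !("group" in seen)) {
                print "user/group not set: openvpn keeps running as root after startup"; bad = 1 }
            if (!("tls-version-min" in seen)) {
                print "tls-version-min not set: OpenVPN 2.4 still accepts TLS 1.0; add tls-version-min 1.2"; bad = 1 }
            exit bad
        }' "$conf" || rc=1

    # The server verifies clients with ca.crt alone; a CA private key on this host
    # lets whoever compromises the server mint client certificates it will trust.
    if [ -e "$dir/ca.key" ]; then
        echo "ca.key is in $dir: the CA key does not belong on the VPN server"; rc=1
    fi

    # Secret files must be readable by their owner only (-rw------- or -r--------).
    for f in $(secret_files "$conf"); do
        [ -e "$f" ] || continue
        case $(ls -ld "$f") in
            -r??------*) ;;
            *) echo "$f is readable by group/other: chmod 600 $f"; rc=1 ;;
        esac
    done
    return $rc
}

if [ $# -eq 1 ]; then
    audit_server_conf "$1"
fi
```

Run against the final server.conf from this page it flags the askpass file, the ca.key left in /etc/openvpn and the missing tls-version-min; with a nopass key, the CA key removed and tls-version-min 1.2 added it exits 0.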
