CentOS7安装部署OpenVPN纯密码认证NAT模式

本文参考

1.https://www.jianshu.com/p/637b4123fc92

2.https://www.fandenggui.com/post/centos7-install-openvpn.html

1. 软件版本

CentOS – 7.9.2009

easy-rsa – 3.0.8

OpenVPN – 2.4.10

2.安装

这里安装启用epel源,采用yum的方式安装openvpn

#查看centos版本
cat /etc/redhat-release
#安装epel源
yum install -y epel-release
#安装依赖包
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
#安装easy-rsa
yum install -y easy-rsa
#安装openvpn
yum install -y openvpn

3. 配置

上面我们已经安装好了openvpn了,下面我们对openvpn进行配置。

3.1使用路由还是桥接?

建议使用路由,除非你有一些需要桥接的特定场景,例如:
VPN需要能够处理非ip协议,如IPX
通过VPN运行应用程序,该VPN依赖于网络广播(如局域网游戏)
希望允许跨VPN浏览Windows文件共享,而无需设置Samba或WINS服务器

异地办公的服务器需要通过ip地址反向链接客户端如dubbo

3.2确定私有子网

Server 与 Client 的VPN通道子网,不要与已有环境的网络冲突即可。
默认:10.8.0.0/16

3.3 配置证书密钥

我们通过yum方式安装的 easy-rsa 版本是3.0.8,直接从安装路径copy一份工具出来。这里用默认的 easy-rsa 3.0.6 来配置生成证书密钥。

#复制easy-rsa工具
cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
#生成证书密钥 遇见提示回车默认
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
#下面这步可能要几分钟
./easyrsa gen-dh
openvpn --genkey --secret ta.key

3.4 配置 Server 端

3.4.1 创建使用的目录

# 日志存放目录
mkdir -p /var/log/openvpn/
# 用户管理目录
mkdir -p /etc/openvpn/server/user
# 配置权限
chown -R openvpn:openvpn /var/log/openvpn

3.4.2 创建Server配置文件

编辑/etc/openvpn/server/server.conf文件,并写入以下内容:
(也可以复制一份模板文件进行改写,模板文件路径 /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf)

复制命令

cp /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/server/server.conf

编辑/etc/openvpn/server/server.conf如下

port 1194
proto tcp
dev tun
#dev tap0
user openvpn
group openvpn

#配置证书信息
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

#配置账号密码的认证方式
script-security 3
auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh" via-env
verify-client-cert none
username-as-common-name
client-to-client
duplicate-cn

#配置网络信息
server 10.8.0.0 255.255.255.0
#server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190
client-to-client
push "dhcp-option DNS 10.24.11.250"
push "dhcp-option DNS 114.114.114.114"
push "route 10.24.11.0 255.255.255.0"
push "route 10.24.0.0 255.255.0.0"
push "route 172.20.0.0 255.255.0.0"
push "route 10.244.0.0 255.255.0.0"

compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3

log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log

创建完配置文件后,需要做个配置文件的软连接,因为当前版本的 openvpn systemd 启动文件中读取的是.service.conf配置

cd /etc/openvpn/server/
ln -sf server.conf .service.conf

3.4.3 创建用户密码文件

格式是用户 密码以空格分割即可

echo 'mytest mytestpass' >> /etc/openvpn/server/user/psw-file
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file

3.4.4 创建密码检查脚本

新建一个shell文件/etc/openvpn/server/user/checkpsw.sh,内容如下:

#!/bin/sh

PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>  ${LOG_FILE}
  exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=
\"${password}\"." >> ${LOG_FILE}
exit 1

赋予可执行的权限

chmod 700 /etc/openvpn/server/user/checkpsw.sh
chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh

3.4.5 防火墙配置

这里用firewall

#允许地址伪装SNAT
firewall-cmd --permanent --add-masquerade
# 或者添加1194端口
firewall-cmd --permanent  --add-port=1194/tcp
# 防火墙重新加载配置
firewall-cmd --reload

3.4.6 启动服务

# 查看service名
rpm -ql openvpn |grep service
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
# 启动
systemctl start openvpn-server@.service.service
# 开机自启
systemctl enable openvpn-server@.service.service

为什么有3个?从2.4开始 openvpn@.service废弃,改用带-client和-serever

3.5配置客户端

从server上将生成的ca.crt、ta.key文件下载到客户端config目录,

ca.crt 在 /etc/openvpn/server/easy-rsa/pki
ta.key 在 /etc/openvpn/server/easy-rsa 

客户端配置内容C:\Program Files\OpenVPN\config\client.ovpn如下:

client
proto tcp
dev tun
auth-user-pass
remote 10.24.11.243 1194
ca ca.crt
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
comp-lzo
verb 3
mute 10

保存退出之后,我们启动openvpn的客户端,然后输入账号密码即可登录。

证书配置集成

其中ca选项

ca ca.crt

替换成

<ca>
ca.crt证书内容
</ca>

其中tls-auth选项

tls-auth ta.key 1

替换成

key-direction 1
<tls-auth>
ta.key证书内容
</tls-auth>

4.常见问题

1.systemctl start openvpn-server@.service.service启动报错

按照教程建立软链接

cd /etc/openvpn/server/
ln -sf server.conf .service.conf

2.客户端反复出现链接TCP: connect to [AF_INET]10.24.11.242:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)

具体日志

客户端log C:\Program Files\OpenVPN\log\client.log
Sun Feb 14 21:41:11 2021 MANAGEMENT: >STATE:1613310071,TCP_CONNECT,,,
Sun Feb 14 21:41:21 2021 TCP: connect to [AF_INET]10.24.11.242:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
服务端log /var/log/openvpn/server.log
/sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
ERROR: Linux route delete command failed: external program exited with error status: 2
Closing TUN/TAP interface
/sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Linux ip addr del failed: external program exited with error status: 2
SIGTERM[hard,] received, process exiting

编辑 /usr/lib/systemd/system/openvpn-server@.service 注释掉”LimitNPROC”行,命令如下

nano /usr/lib/systemd/system/openvpn-server@.service
注释"LimitNPROC"行
systemctl daemon-reload
systemctl restart openvpn-server@.service.service

3.认证失败,服务器日志 WARNING: Failed running command (–auth-user-pass-verify): could not execute external program

考虑直接执行脚本./checkpsw.sh看是否报错,若报错,执行

dos2unix checkpsw.sh
dos2unix psw-file

4.openvpn下载地址

OpenVPN 2.5.0 Download: https://www.techspot.com/downloads/5182-openvpn.html

5.启动报错systemd[1]: openvpn-server@.service.service: main process exited, code=exited, status=1/FAILURE

如果定义的端口大于1024,需要关闭SELINUX

nano /etc/selinux/config

将SELINUX=enforcing改为SELINUX=disabled保存

重启

reboot

发表评论

邮箱地址不会被公开。 必填项已用*标注