I. Client-server routed mode

OpenVPN deployment on CentOS 7

Uses a tun device, OpenSSL, LZO compression, IP forwarding and easy-rsa certificates, with SELinux turned off.
Sync the clock first: certificate validity is checked against it, and a skewed clock produces handshake failures that look like bad certificates. (Turning SELinux off is a shortcut; the stock policy already lets openvpn read /etc/openvpn and write /var/log/openvpn, so keeping it enforcing mostly means staying on those paths.)

#1 Install
yum -y install openvpn easy-rsa
#2 Config files
cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/3.0.3/vars
cd /etc/openvpn/easy-rsa/3.0.3/
Directory layout:
├── easyrsa
├── openssl-1.0.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── COMMON
    ├── san
    └── server

#3 Create the PKI and the CA
In /etc/openvpn/easy-rsa/3.0.3/:
./easyrsa init-pki   # initialise the PKI: creates an empty pki/ tree with private/ and reqs/
#4 Create the CA
./easyrsa build-ca nopass   # press Enter at the prompts to accept the defaults
nopass leaves ca.key unencrypted. Whoever can read that file can issue certificates this server will trust, so outside a lab keep the CA key encrypted (drop nopass) or on a machine other than the VPN server.
ll /etc/openvpn/easy-rsa/3.0.3/pki/private/ca.key
#5 Create the server key and certificate request
./easyrsa gen-req server nopass   # generates the server private key and a CSR
ll /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key
ll /etc/openvpn/easy-rsa/3.0.3/pki/reqs/server.req
#6 Sign the server certificate
./easyrsa sign server server
ls /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt
#7 Generate Diffie-Hellman parameters. They are used in the TLS key exchange that derives the session keys; they are not themselves the data-channel key.
./easyrsa gen-dh
ll /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem
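Added example (not from the post): a shell check of the material steps 3 to 7 produced; the same functions apply unchanged to the client certificate from step 8. It builds its own throwaway CA, server and client certificates with plain openssl in a temp directory (constructed data, no easy-rsa, nothing under /etc/openvpn), so it runs anywhere; against the real deployment call the check functions with the /etc/openvpn/certs paths. It assumes GNU stat and an openssl installation with its default config file.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for easy-rsa output. The PKI below is a
# throwaway one built with plain openssl so the script is self-contained.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI (stands in for pki/ on the server) ----------------
gen_key() { openssl genrsa -out "$1" 2048 >/dev/null 2>&1; chmod 600 "$1"; }

gen_key "$WORK/ca.key"
openssl req -new -key "$WORK/ca.key" -subj "/CN=Example-CA" -out "$WORK/ca.req" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.req" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# issue <name> <eku>: serverAuth is what "easyrsa sign server" sets, clientAuth "sign client"
issue() {
    gen_key "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.req" 2>/dev/null
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$2" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.req" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}
issue server serverAuth
issue zhangshijie clientAuth

# --- the checks ------------------------------------------------------------
# 1. the certificate chains to ca.crt (what the peer verifies in the handshake)
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 2. the private key belongs to the certificate (catches a stale or wrong copy)
check_key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# 3. the server cert carries the TLS Web Server EKU; a client configured with
#    "remote-cert-tls server" rejects a server cert issued with "sign client"
check_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# 4. private keys are readable by their owner only (GNU stat)
check_key_perms() { [ "$(stat -c %a "$1")" = "600" ]; }

# run_all <certs-dir> <name>, e.g. run_all /etc/openvpn/certs server
run_all() {
    local certs=$1 name=$2
    check_chain "$certs/ca.crt" "$certs/$name.crt"         || { echo "$name: does not chain to ca.crt"; return 1; }
    check_key_matches "$certs/$name.crt" "$certs/$name.key" || { echo "$name: key does not match cert"; return 1; }
    check_key_perms "$certs/$name.key"                      || { echo "$name: key permissions too open"; return 1; }
    echo "$name: OK"
}

run_all "$WORK" server
run_all "$WORK" zhangshijie
check_server_eku "$WORK/server.crt" && echo "server.crt carries the serverAuth EKU"
```

When copying keys into /etc/openvpn/certs and the per-user directories, chmod 600 them; the permission check above is there because cp preserves whatever mode the source had.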
#8 Client certificate
cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/client/easy-rsa/3.0.3/vars
cd /etc/openvpn/client/easy-rsa/3.0.3
./easyrsa init-pki   # creates the pki/ directory
Generate the client key and request:
./easyrsa gen-req zhangshijie nopass   # drop nopass to protect the key with a passphrase
req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/zhangshijie.req
key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/zhangshijie.key
Sign the client certificate from the CA's easy-rsa directory:
cd /etc/openvpn/easy-rsa/3.0.3/
Import the client's req file, then sign it:
./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/zhangshijie.req zhangshijie
./easyrsa sign client zhangshijie
This produces /etc/openvpn/easy-rsa/3.0.3/pki/issued/zhangshijie.crt

# Move the certificates into place. Server certificate and key:
mkdir /etc/openvpn/certs
cd /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa/3.0.3/pki/dh.pem .
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt .
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt .
cp /etc/openvpn/easy-rsa/3.0.3/pki/private/server.key .
├── ca.crt
├── dh.pem
├── server.crt
└── server.key

Client certificate and key:
mkdir /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/easy-rsa/3.0.3/pki/ca.crt /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/easy-rsa/3.0.3/pki/issued/zhangshijie.crt /etc/openvpn/client/zhangshijie/
cp /etc/openvpn/client/easy-rsa/3.0.3/pki/private/zhangshijie.key /etc/openvpn/client/zhangshijie/

# Server config file
grep -v "#" /etc/openvpn/server.conf | grep -v "^$"
local 172.20.134.25
# IP this host listens on
port 1194
proto tcp
# must match the client's proto; udp is the usual choice, tcp gets through restrictive firewalls
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
# key is required; without it the service exits at startup
dh /etc/openvpn/certs/dh.pem
server 192.168.36.0 255.255.255.0
# VPN address pool; clients are assigned from this range
push "route 10.20.0.0 255.255.0.0"
# extra network pushed as a route to the client
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

# Start
systemctl start openvpn@server
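Added example (not from the post): a shell audit of server.conf that flags the directives a hardened deployment needs, run against a constructed copy of the post's config and a hardened variant, both written to a temp directory rather than read from /etc/openvpn. The directive names and the defaults it complains about are OpenVPN 2.4's; the ta.key path in the hardened variant is an assumption.

```shell
#!/usr/bin/env bash
# Added example: audit an OpenVPN 2.4 server.conf. Both configs below are
# constructed here; nothing under /etc/openvpn is touched.
set -eu

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# the post's server.conf, comment lines removed
cat > "$WORK/post.conf" <<'EOF'
local 172.20.134.25
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
dh /etc/openvpn/certs/dh.pem
server 192.168.36.0 255.255.255.0
push "route 10.20.0.0 255.255.0.0"
keepalive 10 120
cipher AES-256-CBC
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF

# the same deployment with the missing directives added (ta.key path assumed)
{ cat "$WORK/post.conf"; cat <<'EOF'
key /etc/openvpn/certs/server.key
tls-auth /etc/openvpn/certs/ta.key 0
auth SHA256
tls-version-min 1.2
EOF
} > "$WORK/hardened.conf"

# has <conf> <directive-regex>: true if the directive starts a line
has() { grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"; }

# audit_conf <conf>: one finding per line on stdout; exit status = number of findings
audit_conf() {
    local f=$1 n=0
    has "$f" key                || { echo "missing 'key': the daemon will not start without its private key"; n=$((n+1)); }
    has "$f" 'tls-(auth|crypt)' || { echo "no tls-auth/tls-crypt: anyone who reaches the port can start a TLS handshake"; n=$((n+1)); }
    has "$f" auth               || { echo "no 'auth': data-channel HMAC defaults to SHA1"; n=$((n+1)); }
    has "$f" tls-version-min    || { echo "no 'tls-version-min': TLS 1.0 clients are accepted"; n=$((n+1)); }
    has "$f" user               || { echo "no 'user': the daemon keeps running as root"; n=$((n+1)); }
    ! has "$f" duplicate-cn     || { echo "'duplicate-cn' lets one certificate be shared by many clients"; n=$((n+1)); }
    return $n
}
audit_count() { audit_conf "$1" | wc -l | tr -d ' '; }

echo "== post.conf";     audit_conf "$WORK/post.conf" || true
echo "== hardened.conf"; audit_conf "$WORK/hardened.conf" && echo "no findings"
```

To reach zero findings on the real server: add key /etc/openvpn/certs/server.key (without it the service dies at startup, which is the first thing to check when ss -tnl shows nothing on 1194), generate the control-channel HMAC key with openvpn --genkey --secret /etc/openvpn/certs/ta.key and add tls-auth /etc/openvpn/certs/ta.key 0, then ship ta.key with the client files and use tls-auth ta.key 1 on the client side.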
ss -tnl   # confirm 1194 is listening
# Firewall: iptables-services instead of firewalld
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services iptables -y
systemctl enable iptables.service
systemctl start iptables.service
# flush the existing rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
# IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
# iptables rules. The NAT source range is the pool configured by "server 192.168.36.0 255.255.255.0":
iptables -t nat -A POSTROUTING -s 192.168.36.0/24 -j MASQUERADE
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
service iptables save
iptables -vnL
After the flush above every chain policy is ACCEPT, so the two INPUT rules change nothing until you set a DROP policy or add a trailing REJECT. Traffic between tun0 and the LAN also passes the FORWARD chain, which is likewise wide open here.
# Log directory (create it before starting the service: server.conf writes here and the daemon drops to nobody)
mkdir /var/log/openvpn
chown nobody:nobody /var/log/openvpn

# Client config file
cd /etc/openvpn/client/zhangshijie
grep -Ev "^(#|$|;)" /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/client.conf
client
dev tun
proto udp
remote my-server-1-ip 1194
# put the server's address here
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client-name.crt
key client-name.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Save this as client.ovpn and adjust it to the server above: "proto tcp" (it must match server.conf), "remote <server address> 1194", "cert zhangshijie.crt" and "key zhangshijie.key". The sample's "tls-auth ta.key 1" line refers to a key this deployment never generated; remove it, or generate ta.key on the server and add the matching "tls-auth ... 0" directive to server.conf, otherwise the client refuses to start. Keep "remote-cert-tls server": it makes the client check the server certificate's extended key usage, which is why the server cert was issued with "sign server" rather than "sign client".
tree /etc/openvpn/client/zhangshijie/
/etc/openvpn/client/zhangshijie/
├── ca.crt
├── client.ovpn
├── zhangshijie.crt
└── zhangshijie.key

Client software: run the installer with administrator rights. Afterwards open Device Manager and check that a new TAP adapter appears with a working driver; note the version number.
Copy the user's certificate, key and config file into the client's config directory, start the program and test. Verify: in cmd, route print should show the pushed routes,
then ping an internal server.

Common errors:
# Error 1:
CreateFile failed on TAP device
All TAP-Win32 adapters on this system are currently in use.
Fix:
Device Manager -> Properties: check that the TAP device driver is working.
Uninstall the software, reboot, and download the matching version:
https://build.openvpn.net/downloads/releases/latest/openvpn-install-latest-winxp-x86_64.exe
# Error 2:
Route addition fallback to route.exe
ERROR: Windows route add command failed [adaptive]: returned error code 1
Fix:
On Vista/Win7/Win2003/Win2008 this happens when OpenVPN GUI was installed or started without administrator rights,
so the OpenVPN process is not allowed to modify the routing table.
Reinstall OpenVPN as administrator and start OpenVPN GUI via right-click, "Run as administrator"; some systems also ask for Vista-or-later compatibility mode.

# Error 3:
There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to
Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
On Vista/Win7/Win10, run that with administrator rights.
I thought a route to the vpn-server ought to be added on the intranet side, so I tried it: after adding it the client could reach the intranet, and after a reboot, with that route gone, it still could. Thinking it over, the intranet shouldn't need a route: the data leaves through the intranet NIC, and the source address is an intranet address too.

  

OpenVPN server bridged mode

OpenVPN server routed mode + password authentication + MySQL

Various modes

To be continued...

05-29 00:37