差異處

這裏顯示兩個版本的差異處。

連向這個比對檢視

兩邊的前次修訂版 前次修改
下次修改		 前次修改
tech:openvpn [2013/05/19 20:43] – [設定與啟動 Server 端] jonathantech:openvpn [2019/04/16 13:30] (目前版本) jonathan_tsai
行 1: 行 1:
 +====== CentOS 6 安裝與設定 OpenVPN ======
 +  * OpenVPN 官方網站 : http://openvpn.net/
  
 +===== Server 端 =====
 +  * CentOS 6.6 x86_64
 +
 +==== 下載安裝最新版 OpenVPN 與相關 Lib ====
 +<code sh>
 +su - root
 +rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
 +yum install kernel-devel openssl-devel gcc rpm-build
 +yum install lzo-devel pam-devel pkcs11-helper-devel openvpn easy-rsa
 +</code>
 +==== 設定虛擬網卡 tun0 與 NAT eth0 ====
 +<code sh>
 +mknod /dev/net/tun c 10 200
 +modprobe tun
 +echo 1 > /proc/sys/net/ipv4/ip_forward
 +vi /etc/sysctl.conf
 +</code><file>
 +:
 +# Controls IP packet forwarding
 +net.ipv4.ip_forward = 1
 +:
 +</file><code sh>
 +vi /etc/sysconfig/iptables
 +</code><file>
 +*nat
 +-A POSTROUTING -o eth0 -j MASQUERADE
 +COMMIT
 +*filter
 +:INPUT ACCEPT [0:0]
 +:FORWARD ACCEPT [0:0]
 +-A FORWARD -i tun0 -j ACCEPT
 +-A FORWARD -o tun0 -j ACCEPT
 +:OUTPUT ACCEPT [0:0]
 +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +-A INPUT -p icmp -j ACCEPT
 +-A INPUT -i lo -j ACCEPT
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
 +-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
 +-A INPUT -j REJECT --reject-with icmp-host-prohibited
 +-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 +COMMIT
 +</file><code sh>
 +service iptables restart
 +chkconfig iptables on
 +</code>
 +
 +==== 建立主機相關憑證檔案 ====
 +  * 確認使用的 openssl 為 1.0.0<code sh>
 +[root@openvpn 2.0]# rpm -q openssl
 +openssl-1.0.0-20.el6_2.3.x86_64
 +</code>
 +  * 建立 casrv 憑證管理者帳號與複製 easy-rsa 環境<code sh>
 +useradd casrv
 +passwd casrv
 +cp -a /usr/share/easy-rsa ~casrv/
 +cd ~casrv/
 +chown -R casrv:casrv easy-rsa/
 +</code>
 +  * 建立 openssl.cnf 連結<code sh>
 +su - casrv
 +cd easy-rsa/2.0/
 +ln -s openssl-1.0.0.cnf openssl.cnf
 +</code>
 +  * 編輯 vars 內容<code sh>
 +vi vars
 +</code><file>
 +:
 +export KEY_COUNTRY="TW"
 +export KEY_PROVINCE="Taiwan"
 +export KEY_CITY="Taipei"
 +export KEY_ORG="Trysoft Corp."
 +export KEY_EMAIL="changeme"
 +export KEY_EMAIL=changeme
 +export KEY_CN=OpenVPN
 +export KEY_NAME=changeme
 +export KEY_OU=Tech
 +:
 +</file>
 +  * 產生 Root CA <code sh>
 +. ./vars
 +./clean-all
 +./build-ca
 +</code><file>
 +[casrv@openvpn 2.0]% ./build-ca
 +Generating a 1024 bit RSA private key
 +:
 +:
 +Country Name (2 letter code) [US]:TW
 +State or Province Name (full name) [CA]:Taiwan
 +Locality Name (eg, city) [SanFrancisco]:Taipei
 +Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
 +Organizational Unit Name (eg, section) [changeme]:Tech
 +Common Name (eg, your name or your server's hostname) [changeme]:OpenVPN
 +Name [changeme]:OpenVPN
 +Email Address [[email protected]]:[email protected]
 +
 +</file>
 +  * 產生 Server CA <code sh>
 +./build-key-server server
 +</code><file>
 +[casrv@openvpn 2.0]% ./build-key-server server
 +Generating a 1024 bit RSA private key
 +:
 +:
 +Country Name (2 letter code) [US]:TW
 +State or Province Name (full name) [CA]:Taiwan
 +Locality Name (eg, city) [SanFrancisco]:Taipei
 +Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
 +Organizational Unit Name (eg, section) [changeme]:Tech
 +Common Name (eg, your name or your server's hostname) [server]:openvpn
 +Name [changeme]:
 +Email Address [[email protected]]:[email protected]
 +:
 +A challenge password []:
 +An optional company name []:
 +:
 +Certificate is to be certified until Apr  4 06:21:30 2022 GMT (3650 days)
 +Sign the certificate? [y/n]:y
 +:
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +</file>
 +  * 產生 Diffie Hellman 參數 <code sh>
 +./build-dh
 +</code><file>
 +[casrv@openvpn 2.0]% ./build-dh
 +Generating DH parameters, 1024 bit long safe prime, generator 2
 +:
 +:
 +..++*++*++*
 +</file>
 +  * 產生 TLS-Auth Key <code sh>
 +openvpn --genkey --secret keys/ta.key
 +</code>
 +  * 所有產生的 key file 都會存放在 <code>
 +~casrv/easy-rsa/2.0/keys/
 +</code>
 +
 +==== 建立用戶憑證檔案 ====
 +  * Client CA <code sh>
 +su - casrv
 +cd easy-rsa/2.0/
 +source ./vars
 +./build-key client1
 +:
 +:
 +./build-key clientn
 +</code><file>
 +[casrv@openvpn 2.0]% ./build-key client1
 +Generating a 1024 bit RSA private key
 +:
 +writing new private key to 'client1.key'
 +-----
 +:
 +Country Name (2 letter code) [TW]:
 +State or Province Name (full name) [Taiwan]:
 +Locality Name (eg, city) [Taipei]:
 +Organization Name (eg, company) [Trysoft Corp.]:
 +Organizational Unit Name (eg, section) [Tech]:
 +Common Name (eg, your name or your server's hostname) [client1]:
 +Name [changeme]:Client1
 +Email Address [changeme]:[email protected]
 +:
 +A challenge password []:
 +An optional company name []:
 +:
 +Certificate is to be certified until Apr  4 06:36:36 2022 GMT (3650 days)
 +Sign the certificate? [y/n]:y
 +:
 +1 out of 1 certificate requests certified, commit? [y/n]y
 +Write out database with 1 new entries
 +Data Base Updated
 +
 +</file>
 +  * 所有產生的 key file 都會存放在 <code>
 +~casrv/easy-rsa/2.0/keys/
 +</code>
 +  * 已經產生 key 的清單可參考 index.txt<file>
 +V       220404062130Z           01      unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=openvpn/name=changeme/[email protected]
 +V       220404063636Z           02      unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client1/name=Client1/[email protected]
 +:
 +:
 +</file>
 +
 +==== 廢止用戶憑證檔案 ====
 +  * 依照上一個程序先建立一個 client0 測試憑證然後再廢除
 +  * 廢除憑證的處理方式<code sh>
 +su - casrv
 +cd easy-rsa/2.0/
 +source ./vars
 +./revoke-full client0
 +</code><file>
 +[casrv@openvpn CA]$ ./revoke-full client0
 +Using configuration from /home/casrv/CA/openssl.cnf
 +Revoking Certificate 03.
 +Data Base Updated
 +Using configuration from /home/casrv/CA/openssl.cnf
 +client0.crt: C = TW, ST = Taiwan, L = Taipei, O = Trysoft Corp, OU = Tech, CN = client0, name = Client0, emailAddress = [email protected]
 +error 23 at 0 depth lookup:certificate revoked
 +</file>
 +  * 每次處理廢止憑證後, 必須將產生的 keys/crl.pem 複製到 /etc/openvpn/ 來更新廢止憑證清單<code sh>
 +su - root
 +cp ~casrv/easy-rsa/2.0/keys/crl.pem /etc/openvpn/
 +</code>或是建立 link 來讓 crl.pem 一致<code sh>
 +su -root
 +cd /etc/openvpn
 +ln /home/casrv/easy-rsa/2.0/keys/crl.pem .
 +</code>
 +
 +<note information>
 +  * 如果啟動檢查 CRL, 在 OpenVPN 更新至 2.4 之後, 會發現用戶端可能就無法連線.. 在 Server Log 會看到訊息<code>
 +Fri Apr 21 08:08:18 2017 60.248.245.177:50610 VERIFY ERROR: depth=0, error=CRL has expired: C=TW, ST=Taiwan, L=Tainan, O=xxxx OU=Sales, CN=xxx, name=xxx, [email protected]
 +Fri Apr 21 08:08:18 2017 60.248.245.177:50610 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
 +</code>
 +</note>
 +  * 可透過以下語法重新建立 crl.pem <code sh>
 +su - casrv
 +cd easy-rsa/2.0/
 +source ./vars
 +openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf
 +</code>
 +  * 所產生出來的 CRL 內容大致如下 <code sh>
 +openssl crl -in crl.pem -text
 +</code><file>
 +Certificate Revocation List (CRL):
 +        Version 1 (0x0)
 +    Signature Algorithm: md5WithRSAEncryption
 +        Issuer: /C=TW/ST=Taiwan/L=Taipei/O=xxx Co., Ltd./OU=Tech/CN=OpenVPN/name=OpenVPN/[email protected]
 +        Last Update: Apr 21 02:16:30 2017 GMT
 +        Next Update: May 21 02:16:30 2017 GMT
 +Revoked Certificates:
 +    Serial Number: 05
 +        Revocation Date: Jun 25 05:06:21 2012 GMT
 +           :
 +    Serial Number: 0A
 +        Revocation Date: Dec 31 02:24:45 2015 GMT
 +    Signature Algorithm: md5WithRSAEncryption
 +         69:c4:45:ab:de:cf:ae:1f:e8:10:3c:03:12:5f:fd:47:fd:10:
 +           :
 +         bf:e3:fb:01:4a:11:ea:da:18:06:d1:5b:85:8b:da:c4:31:c8:
 +         df:81
 +-----BEGIN X509 CRL-----
 +MIIB3jCCAUcwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlRXMQ8wDQYDVQQI
 +EwZUYWl3YW4xDzANBgNVBAcTBlRhaXBlaTEmMCQGA1UEChMdRXZlcnBsYXN0IE1h
 +:
 +vgzp3y49jtoXHn2YqioMaciGrOzCYxCrLcVWc/Y2v+P7AUoR6toYBtFbhYvaxDHI
 +34E=
 +-----END X509 CRL-----
 +</file>
 +  * 所以應該要加入 crontab 讓系統至少每個月能自動產生一份最新版的 crl.pem
 +
 +==== 設定與啟動 Server 端 ====
 +  * 安裝的 OpenVPN 版本為 2.3.6<code sh>
 +[root@openvpn openvpn]# rpm -q openvpn
 +openvpn-2.3.6-1.el6.x86_64
 +</code>
 +  * 規劃好 Listen TCP/443, 分配給 Client 的 IP 為 192.168.221.101 ~ 150
 +  * 設定相關參數檔<code sh>
 +cd /etc/openvpn
 +cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
 +vi server.conf
 +</code><file>
 +dev tun
 +proto tcp
 +port 443
 +ca ca.crt
 +cert server.crt
 +key server.key
 +#crl-verify crl.pem
 +dh dh2048.pem
 +server 192.168.221.0 255.255.255.0
 +ifconfig-pool-persist ipp.txt
 +persist-key
 +persist-tun
 +status openvpn-status.log
 +verb 3
 +client-to-client
 +#push "dhcp-option DNS 192.168.11.242"
 +#push "route 192.168.11.0 255.255.255.0"
 +keepalive 10 120
 +tls-auth ta.key 0
 +cipher AES-128-CBC
 +comp-lzo
 +</file><code sh>
 +cd /etc/openvpn
 +cp ~casrv/easy-rsa/2.0/keys/dh2048.pem .
 +cp ~casrv/easy-rsa/2.0/keys/server.crt .
 +cp ~casrv/easy-rsa/2.0/keys/server.key .
 +cp ~casrv/easy-rsa/2.0/keys/ca.crt .
 +cp ~casrv/easy-rsa/2.0/keys/ta.key .
 +service openvpn start
 +chkconfig openvpn on
 +</code>
 +
 +===== 設定與啟動用戶端 =====
 +==== 安裝用戶端軟體 ====
 +  * 下載 http://openvpn.net/index.php/open-source/downloads.html (openvpn-2.2.2-install.exe)
 +  * openvpn裝完後在電腦網路連線裡會自動新增一個設備是Tap-Win32 Adapter V9的區域連線
 +
 +==== 用戶端憑證與設定檔 ==== 
 +  * 以下以 client1 為例
 +  * 在 OpenVPN 參數目錄 C:\Program Files\OpenVPN\config 內建立一個子目錄 ideas_tp
 +  * 取得 CA Server 所產生的 ca.crt / client1.key / client1.crt / ta.key 放入 C:\Program Files\OpenVPN\config\ideas_tp
 +  * 編輯 ideas_tp.ovpn <file>
 +# Specify that this is a client
 +client
 +
 +# Bridge device setting
 +dev tun
 +proto tcp
 +
 +# Host name and port for the server (default port is 1194)
 +# note: replace with the correct values your server set up
 +remote 175.98.155.2 443  # openvpn Server IP
 +remote-cert-tls server
 +
 +# Client does not need to bind to a specific local port
 +nobind
 +
 +# Keep trying to resolve the host name of OpenVPN server.
 +resolv-retry infinite
 +
 +# Preserve state across restarts
 +persist-key
 +persist-tun
 +
 +# SSL/TLS parameters - files created previously
 +ca ca.crt
 +cert client1.crt
 +key client1.key
 +
 +# Since we specified the tls-auth for server, we need it for the client
 +# note: 0 = server, 1 = client
 +tls-auth ta.key 1
 +
 +# Specify same cipher as server
 +cipher AES-128-CBC
 +
 +# Use compression
 +comp-lzo
 +
 +# Log verbosity (to help if there are problems)
 +verb 3
 +
 +</file>
 +
 +<note>
 +**如果要同時連上多個 OpenVPN Server, 那就要建立多個 Tap-Win32 Adapter V9的區域連線設備**
 +  - 在 Win7 以上需要使用 Administrator 的權限開啟命令提示字元(DOS 畫面)
 +  - 每執行以下語法一次就會增加一個 TAP 虛擬網卡<code sh>
 +"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
 +</code>
 +執行過程, 原本的 Tap-Win32 Adapter 可能會斷線
 +</note>
 +
 +  * 也可以將憑證檔案內容直接放入設定檔內.. Exp.ideas_tp.ovpn <file>
 +# Specify that this is a client
 +client
 +
 +# Bridge device setting
 +dev tun
 +proto tcp
 +
 +# Host name and port for the server (default port is 1194)
 +# note: replace with the correct values your server set up
 +remote 175.98.155.2 443  # openvpn Server IP
 +remote-cert-tls server
 +
 +# Client does not need to bind to a specific local port
 +nobind
 +
 +# Keep trying to resolve the host name of OpenVPN server.
 +resolv-retry infinite
 +
 +# Preserve state across restarts
 +persist-key
 +persist-tun
 +
 +# Specify same cipher as server
 +cipher AES-128-CBC
 +
 +# Use compression
 +comp-lzo
 +
 +# Log verbosity (to help if there are problems)
 +verb 3
 +
 +key-direction 1
 +# ca ca.crt
 +<ca>
 +-----BEGIN CERTIFICATE-----
 +...
 +-----END CERTIFICATE-----
 +</ca>
 +#cert client1.crt
 +<cert>
 +-----BEGIN CERTIFICATE-----
 +...
 +-----END CERTIFICATE-----
 +</cert>
 +#key client1.key
 +<key>
 +-----BEGIN RSA PRIVATE KEY-----
 +...
 +-----END RSA PRIVATE KEY-----
 +</key>
 +#tls-auth ta.key 1
 +<tls-auth>
 +-----BEGIN OpenVPN Static key V1-----
 +...
 +-----END OpenVPN Static key V1-----
 +</tls-auth>
 +
 +</file>
 +
 +==== 用戶端開機自動連上 OpenVPN ====
 +  * 在 Windows 的「設定」->「控制台」->「系統管理工具」->「服務」找到「OpenVPN Service」啟動類型改成自動
 +  * 服務啟動後會自動掃描在 C:\Program Files\OpenVPN\config 目錄內的 *.ovpn 設定檔, 但不會掃描子目錄內的 *.ovpn, 因此如果之前透過子目錄來區隔多組 VPN 設定檔要將 *.ovpn 複製出來, 然後在設定檔內對憑證檔指定相關路徑. Exp. <file>
 +:
 +# SSL/TLS parameters - files created previously
 +ca ideas_tp/ca.crt
 +cert ideas_tp/jonathan.crt
 +key ideas_tp/jonathan.key
 +:
 +</file>
 +
 +===== 參考網址 =====
 +  * http://www.openvpn.net/index.php/open-source/documentation/howto.html#install
 +  * http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
 +  * http://openvpn.net/index.php/open-source/documentation/howto.html#startup
 +  * https://community.openvpn.net/openvpn/wiki/IOSinline
 +  * 另外方案 **[[tech/n2nvpn|n2n VPN 方案]]**
 +
 +{{tag>openvpn vpn ssl}}