CentOS 6 安裝與設定 OpenVPN

• OpenVPN 官方網站 : http://openvpn.net/

• CentOS 6.6 x86_64

su - root
rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/x86_64/epel-release-6-8.noarch.rpm
yum install kernel-devel openssl-devel gcc rpm-build
yum install lzo-devel pam-devel pkcs11-helper-devel openvpn easy-rsa

mknod /dev/net/tun c 10 200
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf

:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
:

vi /etc/sysconfig/iptables

*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -o tun0 -j ACCEPT
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

service iptables restart
chkconfig iptables on

• 確認使用的 openssl 為 1.0.0

  [root@openvpn 2.0]# rpm -q openssl
  openssl-1.0.0-20.el6_2.3.x86_64

• 建立 casrv 憑證管理者帳號與複製 easy-rsa 環境

  useradd casrv
  passwd casrv
  cp -a /usr/share/easy-rsa ~casrv/
  cd ~casrv/
  chown -R casrv:casrv easy-rsa/

• 建立 openssl.cnf 連結

  su - casrv
  cd easy-rsa/2.0/
  ln -s openssl-1.0.0.cnf openssl.cnf

• 編輯 vars 內容

  vi vars

  :
  export KEY_COUNTRY="TW"
  export KEY_PROVINCE="Taiwan"
  export KEY_CITY="Taipei"
  export KEY_ORG="Trysoft Corp."
  export KEY_EMAIL="changeme"
  export KEY_EMAIL=changeme
  export KEY_CN=OpenVPN
  export KEY_NAME=changeme
  export KEY_OU=Tech
  :

• 產生 Root CA

  . ./vars
  ./clean-all
  ./build-ca

  [casrv@openvpn 2.0]% ./build-ca
  Generating a 1024 bit RSA private key
  :
  :
  Country Name (2 letter code) [US]:TW
  State or Province Name (full name) [CA]:Taiwan
  Locality Name (eg, city) [SanFrancisco]:Taipei
  Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
  Organizational Unit Name (eg, section) [changeme]:Tech
  Common Name (eg, your name or your server's hostname) [changeme]:OpenVPN
  Name [changeme]:OpenVPN
  Email Address [[email protected]]:[email protected]
  

• 產生 Server CA

  ./build-key-server server

  [casrv@openvpn 2.0]% ./build-key-server server
  Generating a 1024 bit RSA private key
  :
  :
  Country Name (2 letter code) [US]:TW
  State or Province Name (full name) [CA]:Taiwan
  Locality Name (eg, city) [SanFrancisco]:Taipei
  Organization Name (eg, company) [Fort-Funston]:Trysoft Corp.
  Organizational Unit Name (eg, section) [changeme]:Tech
  Common Name (eg, your name or your server's hostname) [server]:openvpn
  Name [changeme]:
  Email Address [[email protected]]:[email protected]
  :
  A challenge password []:
  An optional company name []:
  :
  Certificate is to be certified until Apr  4 06:21:30 2022 GMT (3650 days)
  Sign the certificate? [y/n]:y
  :
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated

• 產生 Diffie Hellman 參數

  ./build-dh

  [casrv@openvpn 2.0]% ./build-dh
  Generating DH parameters, 1024 bit long safe prime, generator 2
  :
  :
  ..++*++*++*

• 產生 TLS-Auth Key

  openvpn --genkey --secret keys/ta.key

• 所有產生的 key file 都會存放在

  ~casrv/easy-rsa/2.0/keys/

• Client CA

  su - casrv
  cd easy-rsa/2.0/
  source ./vars
  ./build-key client1
  :
  :
  ./build-key clientn

  [casrv@openvpn 2.0]% ./build-key client1
  Generating a 1024 bit RSA private key
  :
  writing new private key to 'client1.key'
  -----
  :
  Country Name (2 letter code) [TW]:
  State or Province Name (full name) [Taiwan]:
  Locality Name (eg, city) [Taipei]:
  Organization Name (eg, company) [Trysoft Corp.]:
  Organizational Unit Name (eg, section) [Tech]:
  Common Name (eg, your name or your server's hostname) [client1]:
  Name [changeme]:Client1
  Email Address [changeme]:[email protected]
  :
  A challenge password []:
  An optional company name []:
  :
  Certificate is to be certified until Apr  4 06:36:36 2022 GMT (3650 days)
  Sign the certificate? [y/n]:y
  :
  1 out of 1 certificate requests certified, commit? [y/n]y
  Write out database with 1 new entries
  Data Base Updated
  

• 所有產生的 key file 都會存放在

  ~casrv/easy-rsa/2.0/keys/

• 已經產生 key 的清單可參考 index.txt

  V       220404062130Z           01      unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=openvpn/name=changeme/[email protected]
  V       220404063636Z           02      unknown /C=TW/ST=Taiwan/L=Taipei/O=Trysoft Corp./OU=Tech/CN=client1/name=Client1/[email protected]
  :
  :

• 依照上一個程序先建立一個 client0 測試憑證然後再廢除
• 廢除憑證的處理方式

  su - casrv
  cd easy-rsa/2.0/
  source ./vars
  ./revoke-full client0

  [casrv@openvpn CA]$ ./revoke-full client0
  Using configuration from /home/casrv/CA/openssl.cnf
  Revoking Certificate 03.
  Data Base Updated
  Using configuration from /home/casrv/CA/openssl.cnf
  client0.crt: C = TW, ST = Taiwan, L = Taipei, O = Trysoft Corp, OU = Tech, CN = client0, name = Client0, emailAddress = [email protected]
  error 23 at 0 depth lookup:certificate revoked

• 每次處理廢止憑證後, 必須將產生的 keys/crl.pem 複製到 /etc/openvpn/ 來更新廢止憑證清單

  su - root
  cp ~casrv/easy-rsa/2.0/keys/crl.pem /etc/openvpn/

  或是建立 link 來讓 crl.pem 一致

  su -root
  cd /etc/openvpn
  ln /home/casrv/easy-rsa/2.0/keys/crl.pem .

• 可透過以下語法重新建立 crl.pem

  su - casrv
  cd easy-rsa/2.0/
  source ./vars
  openssl ca  -gencrl -keyfile keys/ca.key -cert keys/ca.crt  -out keys/crl.pem -config ./openssl.cnf

• 所產生出來的 CRL 內容大致如下

  openssl crl -in crl.pem -text

  Certificate Revocation List (CRL):
          Version 1 (0x0)
      Signature Algorithm: md5WithRSAEncryption
          Issuer: /C=TW/ST=Taiwan/L=Taipei/O=xxx Co., Ltd./OU=Tech/CN=OpenVPN/name=OpenVPN/[email protected]
          Last Update: Apr 21 02:16:30 2017 GMT
          Next Update: May 21 02:16:30 2017 GMT
  Revoked Certificates:
      Serial Number: 05
          Revocation Date: Jun 25 05:06:21 2012 GMT
             :
      Serial Number: 0A
          Revocation Date: Dec 31 02:24:45 2015 GMT
      Signature Algorithm: md5WithRSAEncryption
           69:c4:45:ab:de:cf:ae:1f:e8:10:3c:03:12:5f:fd:47:fd:10:
             :
           bf:e3:fb:01:4a:11:ea:da:18:06:d1:5b:85:8b:da:c4:31:c8:
           df:81
  -----BEGIN X509 CRL-----
  MIIB3jCCAUcwDQYJKoZIhvcNAQEEBQAwgbExCzAJBgNVBAYTAlRXMQ8wDQYDVQQI
  EwZUYWl3YW4xDzANBgNVBAcTBlRhaXBlaTEmMCQGA1UEChMdRXZlcnBsYXN0IE1h
  :
  vgzp3y49jtoXHn2YqioMaciGrOzCYxCrLcVWc/Y2v+P7AUoR6toYBtFbhYvaxDHI
  34E=
  -----END X509 CRL-----

• 所以應該要加入 crontab 讓系統至少每個月能自動產生一份最新版的 crl.pem

• 安裝的 OpenVPN 版本為 2.3.6

  [root@openvpn openvpn]# rpm -q openvpn
  openvpn-2.3.6-1.el6.x86_64

• 規劃好 Listen TCP/443, 分配給 Client 的 IP 為 192.168.221.101 ~ 150
• 設定相關參數檔

  cd /etc/openvpn
  cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
  vi server.conf

  dev tun
  proto tcp
  port 443
  ca ca.crt
  cert server.crt
  key server.key
  #crl-verify crl.pem
  dh dh2048.pem
  server 192.168.221.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  persist-key
  persist-tun
  status openvpn-status.log
  verb 3
  client-to-client
  #push "dhcp-option DNS 192.168.11.242"
  #push "route 192.168.11.0 255.255.255.0"
  keepalive 10 120
  tls-auth ta.key 0
  cipher AES-128-CBC
  comp-lzo

  cd /etc/openvpn
  cp ~casrv/easy-rsa/2.0/keys/dh2048.pem .
  cp ~casrv/easy-rsa/2.0/keys/server.crt .
  cp ~casrv/easy-rsa/2.0/keys/server.key .
  cp ~casrv/easy-rsa/2.0/keys/ca.crt .
  cp ~casrv/easy-rsa/2.0/keys/ta.key .
  service openvpn start
  chkconfig openvpn on

• 下載 http://openvpn.net/index.php/open-source/downloads.html (openvpn-2.2.2-install.exe)
• openvpn裝完後在電腦網路連線裡會自動新增一個設備是Tap-Win32 Adapter V9的區域連線

• 以下以 client1 為例
• 在 OpenVPN 參數目錄 C:\Program Files\OpenVPN\config 內建立一個子目錄 ideas_tp
• 取得 CA Server 所產生的 ca.crt / client1.key / client1.crt / ta.key 放入 C:\Program Files\OpenVPN\config\ideas_tp
• 編輯 ideas_tp.ovpn

  # Specify that this is a client
  client
  
  # Bridge device setting
  dev tun
  proto tcp
  
  # Host name and port for the server (default port is 1194)
  # note: replace with the correct values your server set up
  remote 175.98.155.2 443  # openvpn Server IP
  remote-cert-tls server
  
  # Client does not need to bind to a specific local port
  nobind
  
  # Keep trying to resolve the host name of OpenVPN server.
  resolv-retry infinite
  
  # Preserve state across restarts
  persist-key
  persist-tun
  
  # SSL/TLS parameters - files created previously
  ca ca.crt
  cert client1.crt
  key client1.key
  
  # Since we specified the tls-auth for server, we need it for the client
  # note: 0 = server, 1 = client
  tls-auth ta.key 1
  
  # Specify same cipher as server
  cipher AES-128-CBC
  
  # Use compression
  comp-lzo
  
  # Log verbosity (to help if there are problems)
  verb 3
  

• 也可以將憑證檔案內容直接放入設定檔內.. Exp.ideas_tp.ovpn

  # Specify that this is a client
  client
  
  # Bridge device setting
  dev tun
  proto tcp
  
  # Host name and port for the server (default port is 1194)
  # note: replace with the correct values your server set up
  remote 175.98.155.2 443  # openvpn Server IP
  remote-cert-tls server
  
  # Client does not need to bind to a specific local port
  nobind
  
  # Keep trying to resolve the host name of OpenVPN server.
  resolv-retry infinite
  
  # Preserve state across restarts
  persist-key
  persist-tun
  
  # Specify same cipher as server
  cipher AES-128-CBC
  
  # Use compression
  comp-lzo
  
  # Log verbosity (to help if there are problems)
  verb 3
  
  key-direction 1
  # ca ca.crt
  <ca>
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
  </ca>
  #cert client1.crt
  <cert>
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
  </cert>
  #key client1.key
  <key>
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
  </key>
  #tls-auth ta.key 1
  <tls-auth>
  -----BEGIN OpenVPN Static key V1-----
  ...
  -----END OpenVPN Static key V1-----
  </tls-auth>
  

• 在 Windows 的「設定」→「控制台」→「系統管理工具」→「服務」找到「OpenVPN Service」啟動類型改成自動
• 服務啟動後會自動掃描在 C:\Program Files\OpenVPN\config 目錄內的 *.ovpn 設定檔, 但不會掃描子目錄內的 *.ovpn, 因此如果之前透過子目錄來區隔多組 VPN 設定檔要將 *.ovpn 複製出來, 然後在設定檔內對憑證檔指定相關路徑. Exp.

  :
  # SSL/TLS parameters - files created previously
  ca ideas_tp/ca.crt
  cert ideas_tp/jonathan.crt
  key ideas_tp/jonathan.key
  :

• http://www.openvpn.net/index.php/open-source/documentation/howto.html#install
• http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
• http://openvpn.net/index.php/open-source/documentation/howto.html#startup
• https://community.openvpn.net/openvpn/wiki/IOSinline
• 另外方案 n2n VPN 方案