OpenVPN部署，实现访问云服务器的内网

本教程不描述如何FQ

一、OpenVPN服务端部署

$ yum -y install net-tools lzo lzo-devel openssl-devel pam-devel gcc gcc-c++ make unzip
$ wget https://files01.tchspt.com/temp/openvpn-2.4.6.tar.gz
$ tar xvf openvpn-2.4.6.tar.gz -C /usr/local/src
$ cd /usr/local/src/openvpn-2.4.6/
$ ./configure --prefix=/usr/local/openvpn
$ make && make install
​
$ mkdir /etc/openvpn
$ cp -r /usr/local/src/openvpn-2.4.6/sample /etc/openvpn/
$ cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn
​
$ cd
$ wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
$ unzip master.zip
$ mv easy-rsa-master easy-rsa
$ cp -r easy-rsa /etc/openvpn/
$ cd /etc/openvpn/easy-rsa/easyrsa3/
$ cp vars.example  vars
$ chmod +x vars
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
    set_var EASYRSA_DN              "org"
    set_var EASYRSA_REQ_COUNTRY     "CN"
    set_var EASYRSA_REQ_PROVINCE    "Zhejiang"
    set_var EASYRSA_REQ_CITY        "Hangzhou"
    set_var EASYRSA_REQ_ORG         "Qygame Certificate"
    set_var EASYRSA_REQ_EMAIL       "m17608418893@163.com"
    set_var EASYRSA_REQ_OU          "My OpenVPN"
    ···
    set_var EASYRSA_NS_SUPPORT      "yes"

1.初始化，在当前目录创建PKI目录

用于存储一些中间变量以及最终生成的证书

$ cd /etc/openvpn/easy-rsa/easyrsa3/
$ ./easyrsa init-pki
​
Note: using Easy-RSA configuration from: ./vars
​
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/easyrsa3/pki

2.创建根证书

用于ca对之后生成的server和client证书签名时使用

$ ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
​
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
​
Enter New CA Key Passphrase:                # 设定密码，后面签约证书时需要
Re-Enter New CA Key Passphrase:             # 确认密码
Generating RSA private key, 2048 bit long modulus
..........+++
........................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                              #默认回车
State or Province Name (full name) [Zhejiang]:                   #默认回车
Locality Name (eg, city) [Hangzhou]:                            #默认回车
Organization Name (eg, company) [Qygame Certificate]:             #默认回车
Organizational Unit Name (eg, section) [My OpenVPN]:              #默认回车
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   #默认回车
Email Address [m17608418893@163.com]:                           #默认回车
​
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt

3.创建server端证书和private key

nopass表示不加密的private key

$ ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
​
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.....................+++
..+++
writing new private key to '/etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key.gXRjSM1RHn'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                               #默认回车
State or Province Name (full name) [Zhejiang]:                    #默认回车
Locality Name (eg, city) [Hangzhou]:                             #默认回车
Organization Name (eg, company) [Qygame Certificate]:              #默认回车
Organizational Unit Name (eg, section) [My OpenVPN]:               #默认回车
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    #默认回车
Email Address [m17608418893@163.com]:                             #默认回车
​
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/easyrsa3/pki/private/server.key

　　

4.给server端证书做签名

$ ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
​
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
​
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
​
Request subject, to be signed as a server certificate for 1080 days:
​
subject=
    countryName               = CN
    stateOrProvinceName       = Zhejiang
    localityName              = Hangzhou
    organizationName          = Qygame Certificate
    organizationalUnitName    = My OpenVPN
    commonName                = server
    emailAddress              = m17608418893@163.com
​
​
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/easyrsa3/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/easyrsa3/pki/private/ca.key:
                                                               #输入创建CA证书时的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Zhejiang'
localityName          :ASN.1 12:'Hangzhou'
organizationName      :ASN.1 12:'Qygame Certificate'
organizationalUnitName:ASN.1 12:'My OpenVPN'
commonName            :ASN.1 12:'server'
emailAddress          :IA5STRING:'m17608418893@163.com'
Certificate is to be certified until Jan 29 06:02:34 2022 GMT (1080 days)
​
Write out database with 1 new entries
Data Base Updated
​
Certificate created at: /etc/openvpn/easy-rsa/easyrsa3/pki/issued/server.crt

　　

5.创建Diffie-Hellman，确保key穿越不安全网络的命令

$ ./easyrsa gen-dh

　　

6.创建客户端证书

$ mkdir /root/openvpn_users
$ cp  -r /etc/openvpn/easy-rsa/easyrsa3/ /root/openvpn_users
$ cd /root/openvpn_users/easyrsa3/
$ rm -rf pki
​
# 初始化
$ ./easyrsa init-pki
​
Note: using Easy-RSA configuration from: ./vars
​
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/openvpn_users/easy-rsa/easyrsa3/pki
​
# 创建客户端key以及生成证书（生成的是自己输入的密码，client为自定义名字）
$ ./easyrsa gen-req client nopass
​
# 切换到Server证书目录下，将client.req导入，然后签约证书
$ cd /etc/openvpn/easy-rsa/easyrsa3/
$ ./easyrsa import-req /root/openvpn_users/easyrsa3/pki/reqs/client.req client1
​
# 用户签约
$ ./easyrsa sign client client1
​
# 查看生成的文件
$ ls /etc/openvpn/easy-rsa/easyrsa3/pki/reqs/
client1.req  server.req
$ ls /etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
/etc/openvpn/easy-rsa/easyrsa3/pki/ca.crt
$ ls /etc/openvpn/easy-rsa/easyrsa3/pki/private/
ca.key  server.key
$ ls /etc/openvpn/easy-rsa/easyrsa3/pki/issued/
server.crt  client1.crt
$ ls /etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
/etc/openvpn/easy-rsa/easyrsa3/pki/dh.pem
$ ls /root/openvpn_users/easy-rsa/easyrsa3/pki/private/
client.key
$ ls /root/openvpn_users/easy-rsa/easyrsa3/pki/reqs/
client.req
​
# 拷贝服务器证书到/etc/openvpn目录
$ cd /etc/openvpn/easy-rsa/easyrsa3/
$ cp pki/ca.crt /etc/openvpn/
$ cp pki/private/server.key  /etc/openvpn
$ cp pki/issued/server.crt /etc/openvpn/
$ cp pki/dh.pem /etc/openvpn/
​
# Client证书（集中在一个文件夹，给VPN用户使用）
$ mkdir /root/users/client1 -p
$ cd /root/users/client1/
$ cp /etc/openvpn/ca.crt .
$ cp /etc/openvpn/easy-rsa/easyrsa3/pki/issued/client1.crt .
$ cp /root/openvpn_users/easyrsa3/pki/private/client.key .
$ ls
ca.crt  vpn.crt  vpn.key

　　

7.生成ta.key

$ vim /etc/profile
export PATH=/usr/local/openvpn/sbin/:$PATH
$ source /etc/profile
$ /usr/local/openvpn/sbin/openvpn --genkey --secret ta.key
$ cp ta.key /etc/openvpn/
$ cp ta.key /root/users/client1/

　　

8.修改Server端配置文件

$ vim /etc/openvpn/server.conf
     # 申明本机使用的IP地址，也可以不说明
     local 192.168.1.142
     # 申明使用的端口，默认1194
     port 1194
     # 申明使用的协议，默认使用UDP，如果使用HTTP proxy，必须使用TCP协议,如果采用了tcp,需要注释最后的--explicit-exit-notify     can only be used with --proto udp
     proto tcp
     # 申明使用的设备可选tap和tun，tap是二层设备，支持链路层协议。
     dev tun
     # 指定ca证书的路径
     ca /etc/openvpn/ca.crt
     # 指定server.crt路径
     cert /etc/openvpn/server.crt
     # 指定server.key路径
     key /etc/openvpn/server.key
     # 指定dh.pem路径
     dh /etc/openvpn/dh.pem
     # 为VPN客户端指定分配的网络地址（自己根据规划分配）
     server 10.10.10.0 255.255.255.0
     # 定义客户端和虚拟ip地址之间的关系。特别是在openvpn重启时,再次连接的客户端将依然被分配和断开之前的IP地址
     ifconfig-pool-persist ipp.txt
     # 向客户端push网关,在进行FQ时会使用到
     ;push "redirect-gateway def1 bypass-dhcp"
     # 向客户端push DNS
     push "dhcp-option DNS 114.114.114.114"
     # 让客户端彼此可以互相访问
     client-to-client
     # 定义openvpn一个证书在同一时刻是否允许多个客户端接入，默认没有启用
     duplicate-cn
     # 记录日志，每次重新启动openvpn后删除原有的log信息。也可以自定义log的位置。默认是在/etc/openvpn/目录下
     log openvpn.log
     # 此处客户端配置文件中该参数需要改为 tls-auth sec.key 1
     tls-auth   /etc/openvpn/ta.key 0
     comp-lzo
     auth md5
      cipher AES-256-CBC
      max-clients 100
      keepalive 10 120
      persist-key
      persist-tun
      status openvpn-status.log
      verb 3

9.启动VPN

$ openvpn --config /etc/openvpn/server.conf &

　　

二、客户端配置(Windows)

1.下载客户端

下载客户端Windows

2.安装客户端

1.双击下载包开始安装，Next

2.点击I Agree

3.勾选上 EasyRSA 2 Certificate Management Scripts

4.Install

默认安装位置不要改变

5.等待安装

6.安装完成，Next

7.完成

3.下载证书文件

将之前存放在/root/users/client1中的四个文件下载到客户端，并存放在C:\Program Files\OpenVPN\config目录下

4.创建client.ovpn

client
dev tun
proto udp
remote 10.0.8.28 1194  #主要这里修改成自己server ip  端口
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt               #这里需要证书
cert vpn.crt
key  vpn.key
auth md5
cipher AES-256-CBC
tls-auth ta.key 1
comp-lzo
verb 3

　　

5.连接OpenVPN

点击桌面的OpnVPN GUI,桌面的右下角出现一个带锁的小电脑图标

右键带锁的电脑

选择Connect

等待如上桌面自动消失，再次观察刚才带锁的电脑，绿了则表示成功

============================================2019.4.6修改===============================================

连接图标显示为绿色，但是内网仍然ping不通，查看日志，报错内容如下：

Sat Apr 06 07:38:58 2019 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat Apr 06 07:38:58 2019 C:\WINDOWS\system32\route.exe ADD 172.16.1.0 MASK 255.255.255.0 172.16.1.5
Sat Apr 06 07:38:58 2019 ROUTE: route addition failed using CreateIpForwardEntry: 拒绝访问。   [status=5 if_index=12]
Sat Apr 06 07:38:58 2019 Route addition via IPAPI failed [adaptive]
Sat Apr 06 07:38:58 2019 Route addition fallback to route.exe
Sat Apr 06 07:38:58 2019 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Sat Apr 06 07:38:58 2019 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sat Apr 06 07:38:58 2019 Initialization Sequence Completed
Sat Apr 06 07:38:58 2019 MANAGEMENT: >STATE:1554507538,CONNECTED,SUCCESS,172.16.1.6,1.1.1.1,4396,192.168.0.8,59294

　　解析：

此问题原因是在windows主机上没有权限去创建路由表，所以在运行时，我们需要指定以管理员身份去运行OpenVPN GUI.

6.简单测试

Win+R 输入cmd，进行如下测试

结果如上测试正常

<-----------------------------2019.4.9补充------------------------------------>

三、Linux客户端

$ yum -y install epel-release
$ yum -y install openvpn

　　安装完成之后，将之前的客户端配置文件上传到/etc/openvpn/client目录下

$ pwd
/etc/openvpn/client
$ ls
ca.crt  client.crt  client.key  client.ovpn  ta.key

　　运行

$ openvpn --daemon --config /etc/openvpn/client/client.ovpn --log-append /var/log/openvpn.log

　　

四、报错

1.编译报错-1

$ yum -y install lz4-devel

　　

2.编译报错-2

$ yum -y install net-tools

3.编译报错-3

$ yum -y install lzo-devel

4.运行报错-1

在运行服务端时，出现Could not determine IPv4/IPv6 protocol. Using AF_INET

可以在server.conf文件中指定proto时指定为tcp4/udp4，强制使用IPv4连接

5.运行报错-2

开启了tls-auth时，报错，检查你的client的秘钥文件

6.连接报错-3

成功连接上OpenVPN之后，ping内网发现不通

1.修改配置文件

$ vim /etc/openvpn/server.conf
# 向客户端推送的路由信息，假如客户端的IP地址为10.8.0.2，要访问10.0.0.0网段的话
push "route 10.0.0.0 255.0.0.0"     #VPN内网网段

2.修改iptables（附图的172.16.1.0/24应该为10.10.10.0/24，这是后面截得图，只做一个效果参考）

$ iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
$ iptables -nL -t nat

3.再次测试

------------------------------------------->2019年4月2日  更改   <------------------------------------------------

按照上述方式可以通过openvpn的秘钥进行连接，但是如果一旦仅仅是获取了秘钥就可以进行连接，显然这是非常不安全的，所以需要，开启双因素认证，有秘钥的同时需要输入正确的账号密码才可以连接，这也可以从一定程度上保证如果有同事离职，及时他保留了秘钥文件，但是没有账号密码的话，依然无法登陆

1.修改openvpn配置文件

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
script-security 3

2.检查账户密码脚本

$ vim /etc/openvpn/checkpsw.sh#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

给执行权限

$ chmod +x /etc/openvpn/checkpsw.sh

3.创建用户和密码认证文件

账户和密码空格隔开

$ vim /etc/openvpn/psw-file
test  123456

4.客户端.ovpn文件配置

在客户端的.ovpn文件中添加

auth-user-pass

PS：欢迎各位指正，如有疑惑也可以留言，如果软件包下不到也可以留下邮箱，私发给你。