CentOS 7: installing OpenVPN with easy-rsa 3.0, and connecting a Windows client to the VPN

CentOS 7: installing OpenVPN with easy-rsa 3.0

-----------------------------------------------------------------------------------------------------------------------------------------------------

Install OpenVPN and the other required packages

First, you need a public IP address; without one, nothing that follows matters.

yum install -y epel-release
yum install -y openvpn easy-rsa openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig


Server side: generate the certificates, keys and related files

  • Generate the CA certificate

[root@localhost ~]# cp /usr/share/doc/openvpn-2.4.6/sample/sample-config-files/server.conf /etc/openvpn/   # copy the sample server config into the config directory
[root@localhost ~]# cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/op
[root@localhost ~]# mkdir /etc/openvpn/easy-rsa
[root@localhost ~]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
[root@localhost ~]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example vars   # easyrsa reads ./vars, so the copy must be named vars
[root@localhost easy-rsa]# ls
easyrsa  openssl-1.0.cnf  vars  x509-types
[root@localhost easy-rsa]# vim vars   # VPN-related settings; customise as needed, or leave them unset

set_var EASYRSA_REQ_COUNTRY   "CN"                    # country
set_var EASYRSA_REQ_PROVINCE  "BJ"                    # province
set_var EASYRSA_REQ_CITY      "Beijing"               # city
set_var EASYRSA_REQ_ORG       "My VPN"                # organisation
set_var EASYRSA_REQ_EMAIL     "[email protected]"     # e-mail address
set_var EASYRSA_REQ_OU        "sky"                   # organisational unit (company or department)

[root@localhost easy-rsa]# ./easyrsa init-pki   # initialise the PKI directory structure
init-pki complete; you may now create a CA or requests.
your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@localhost easy-rsa]# ls
easyrsa  openssl-1.0.cnf  pki  vars  x509-types

[root@localhost easy-rsa]# ./easyrsa build-ca   # create the CA certificate
Note: using Easy-RSA configuration from: ./vars   # the settings from the vars file are used
Generating a 2048 bit RSA private key
.................+++
........................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.Lg8IKADc4Q'
Enter PEM pass phrase:   # set the CA passphrase (I used "silence" here)
Verifying - Enter PEM pass phrase:   # enter the same passphrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:   # press Enter to accept the default CA name
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt   # path of the CA certificate


  • Server certificate server.crt

[root@localhost easy-rsa]# ./easyrsa gen-req server nopass   # nopass creates the key without a passphrase; drop it if you want one
Note: using Easy-RSA configuration from: ./vars   # the settings from the vars file are used
Generating a 2048 bit RSA private key
.....................................+++
................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.yuG9HRsSlU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:   # press Enter; the default name is server
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key   # path of the private key


  • Sign the certificate

[root@localhost easy-rsa]# ./easyrsa sign server server   # the first "server" is the certificate type; the second is the name of the request generated above (we kept the default), and it can be any name as long as it matches that request

Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:   # enter the passphrase set when the CA was created (silence)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'server'
Certificate is to be certified until Jan 14 09:11:12 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt   # path of the server certificate

  • DH parameters (dh.pem)

[root@localhost easy-rsa]# ./easyrsa gen-dh   # generate the Diffie-Hellman parameters; this takes a while
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
............................................................+...........................................................+.......................................................................................................+...........+..........................................................................................................................................................................................................................................................................+..........................................

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem   # path of the DH parameters


  • tls-auth key (ta.key)

cd /etc/openvpn
openvpn --genkey --secret ta.key

Client certificates

To keep them apart from the server files, the client certificates are kept in a separate directory: /etc/openvpn/client

Create the client certificate
[root@localhost ~]# mkdir -p /etc/openvpn/client
[root@localhost ~]# cd /etc/openvpn/client
[root@localhost client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/client
[root@localhost client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
[root@localhost client]# ./easyrsa init-pki
[root@localhost client]# ./easyrsa gen-req client nopass   # client is the certificate name and can be customised; nopass again means no passphrase on the key
Generating a 2048 bit RSA private key
.....................................................+++
.................................+++
writing new private key to '/etc/openvpn/client/pki/private/client.key.0rbEXauafe'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/client.req
key: /etc/openvpn/client/pki/private/client.key   # path of the key

Client certificate configuration

  • Sign the client certificate

# switch to the server-side easy-rsa directory:
cd /etc/openvpn/easy-rsa
# import the request
./easyrsa import-req /etc/openvpn/client/pki/reqs/client.req client
./easyrsa sign client client   # sign it: the first "client" is the fixed certificate type, the second is the name the request was imported under
Note: using Easy-RSA configuration from: ./vars

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = client

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes   # type 'yes'
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:   # enter the CA passphrase (silence)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client'
Certificate is to be certified until Apr 13 14:37:17 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt   # final path of the client certificate
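Before the signed certificates are copied into place (server.crt from the previous section, client.crt here), it is worth confirming that each one really chains to our ca.crt, matches its private key, carries the extendedKeyUsage that remote-cert-tls on the peer will demand, and that the key file is readable by its owner only. The script below is an added example, not part of this post and not part of easy-rsa; it uses only the openssl command line, and its demo builds a throwaway CA and server certificate with plain openssl (standing in for build-ca, gen-req and sign) so that it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the post or from easy-rsa): checks to run on an
# issued certificate/key pair before it is copied to /etc/openvpn or given
# to a client. Only the openssl CLI is used; paths are passed as arguments.

# check_issued CA_CRT CERT KEY server|client
# Prints one line per failed check; returns 0 when every check passes.
check_issued() {
  ca=$1; crt=$2; key=$3; role=$4; rc=0
  case $role in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) echo "usage: check_issued CA_CRT CERT KEY server|client"; return 2 ;;
  esac
  # 1. chain: the certificate must verify against our own CA
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL chain: $crt does not verify against $ca"; rc=1; }
  # 2. binding: the public key in the cert must match the private key file
  cm=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null || true)
  km=$(openssl rsa  -noout -modulus -in "$key" 2>/dev/null || true)
  [ -n "$cm" ] && [ "$cm" = "$km" ] \
    || { echo "FAIL key: $key does not belong to $crt"; rc=1; }
  # 3. role: "remote-cert-tls server" on the client rejects a server cert
  #    that lacks the serverAuth EKU (and the mirror case for client certs)
  openssl x509 -noout -text -in "$crt" 2>/dev/null | grep -q "$want" \
    || { echo "FAIL eku: $crt lacks '$want'"; rc=1; }
  # 4. permissions: a private key should be readable by its owner only
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
  case $mode in
    [4-7]00) ;;
    *) echo "FAIL perms: $key has mode $mode, expected 600"; rc=1 ;;
  esac
  return $rc
}

# Demo material (constructed): a throwaway CA and a server certificate
# issued with plain openssl, standing in for build-ca / gen-req / sign.
make_demo_pki() {  # make_demo_pki DIR
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
    '[dn]' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj /CN=Demo-CA -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj /CN=server \
    -keyout "$d/server.key" -out "$d/server.req" >/dev/null 2>&1
  printf 'extendedKeyUsage = serverAuth\n' > "$d/server.ext"
  openssl x509 -req -in "$d/server.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 3650 -extfile "$d/server.ext" \
    -out "$d/server.crt" >/dev/null 2>&1
  chmod 600 "$d/server.key"
  # an unrelated, loosely permissioned key to make the checks fire
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
  chmod 644 "$d/other.key"
}

demo_good() {  # correct key, correct role: returns 0
  d=$(mktemp -d); make_demo_pki "$d"
  check_issued "$d/ca.crt" "$d/server.crt" "$d/server.key" server && r=0 || r=$?
  rm -rf "$d"; return $r
}
demo_bad() {  # wrong key, wrong role, mode 644: returns 1 with three FAIL lines
  d=$(mktemp -d); make_demo_pki "$d"
  check_issued "$d/ca.crt" "$d/server.crt" "$d/other.key" client && r=0 || r=$?
  rm -rf "$d"; return $r
}

# Usage: sh check_cert.sh CA_CRT CERT KEY server|client
if [ $# -eq 4 ]; then check_issued "$@"; exit $?; fi
```

Run it against the real files as `sh check_cert.sh /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client/pki/private/client.key client` (the client key lives in the client PKI, the signed certificate in the server PKI); a non-zero exit with a FAIL line tells you which of the four properties the pair is missing.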

  • Edit the configuration files

Put the server certificates and keys in the same directory as server.conf to keep the configuration simple

cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/

  • Edit the OpenVPN server configuration file server.conf

cat /etc/openvpn/server.conf
local 0.0.0.0
port 1194                                   # listening port
proto tcp                                   # protocol (udp can be used instead and is faster than tcp)
dev tun                                     # routed tunnel mode
ca ca.crt                                   # CA certificate; a relative path means ca.crt must sit in the same directory as server.conf
cert server.crt                             # server certificate
key server.key                              # server private key
dh dh.pem                                   # DH parameters
server 10.8.0.0 255.255.255.0               # address pool handed out to clients
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"    # clients send all traffic through the OpenVPN server
push "dhcp-option DNS 8.8.8.8"              # DNS servers pushed to clients
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120                            # heartbeat: ping every 10 s; no reply within 2 minutes counts as disconnected
tls-auth ta.key 0                           # key direction: 0 on the server, 1 on the client
cipher AES-256-CBC
comp-lzo                                    # compress transmitted data
persist-key
persist-tun
status openvpn-status.log
verb 3

  • Start OpenVPN

systemctl -f enable openvpn@server.service   # enable the service at boot
systemctl start openvpn@server.service       # start OpenVPN

  • Files the client needs (download them into the same directory as the client configuration file)

sz /etc/openvpn/easy-rsa/pki/issued/client.crt   # from the server-side PKI, where it was signed
sz /etc/openvpn/client/pki/private/client.key    # from the client PKI created above
sz /etc/openvpn/easy-rsa/pki/ca.crt              # CA certificate
sz /etc/openvpn/ta.key                           # tls-auth key
Download them locally, install OpenVPN on Windows, then create client.ovpn in its config directory

[root@localhost ~]# cat client.ovpn
client
dev tun
proto tcp                   # must match the server (udp is faster than tcp)
remote xx.xx.xx.xx 1194     # server IP address and port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt                   # CA certificate
cert client.crt             # client certificate
key client.key              # client private key
tls-auth ta.key 1           # tls-auth key, direction 1
cipher AES-256-CBC
comp-lzo                    # compress transmitted data
verb 3
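A mismatch between the two files above is the usual reason a fresh setup refuses to connect: proto, dev, cipher, comp-lzo and the tls-auth key direction (0 on the server, 1 on the client) all have to agree, the client's remote line has to target the server's port, and the client should keep remote-cert-tls server so that it only accepts a certificate issued for the server role. The script below is an added example, not part of this post; it compares a server.conf with a client .ovpn on exactly those directives, with constructed copies of the two files (plus a deliberately broken client file) as input.

```shell
#!/bin/sh
# Added example (not from the post): cross-check a server.conf against a
# client .ovpn for the directives that must agree on both ends. Assumes one
# directive per line, as in the post's files; other lines are ignored.

# Print the value of a directive (comments stripped, whitespace normalised);
# prints nothing when the directive is absent.
cfg_get() {  # cfg_get FILE DIRECTIVE
  sed 's/#.*//' "$1" | awk -v d="$2" '
    $1 == d { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }'
}

# Exit status 0 when the directive is present in the file, 1 otherwise.
cfg_has() {  # cfg_has FILE DIRECTIVE
  sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# check_pair SERVER_CONF CLIENT_OVPN
# Returns 0 when every checked setting is consistent, 1 otherwise,
# printing one line per problem found.
check_pair() {
  srv=$1; cli=$2; rc=0
  # 1. proto, dev and cipher must be identical on both sides
  for d in proto dev cipher; do
    s=$(cfg_get "$srv" "$d"); c=$(cfg_get "$cli" "$d")
    [ "$s" = "$c" ] || { echo "MISMATCH $d: server='$s' client='$c'"; rc=1; }
  done
  # 2. the client's "remote HOST PORT" must point at the server's port
  sp=$(cfg_get "$srv" port); cp=$(cfg_get "$cli" remote | awk '{ print $2 }')
  [ "$sp" = "$cp" ] || { echo "MISMATCH port: server='$sp' client remote='$cp'"; rc=1; }
  # 3. tls-auth key direction: 0 on the server, 1 on the client
  sdir=$(cfg_get "$srv" tls-auth | awk '{ print $2 }')
  cdir=$(cfg_get "$cli" tls-auth | awk '{ print $2 }')
  [ "$sdir" = 0 ] && [ "$cdir" = 1 ] \
    || { echo "BAD tls-auth direction: server='$sdir' client='$cdir'"; rc=1; }
  # 4. compression must be enabled on both ends or on neither
  if cfg_has "$srv" comp-lzo && ! cfg_has "$cli" comp-lzo; then
    echo "MISMATCH comp-lzo: server only"; rc=1
  fi
  if ! cfg_has "$srv" comp-lzo && cfg_has "$cli" comp-lzo; then
    echo "MISMATCH comp-lzo: client only"; rc=1
  fi
  # 5. the client must insist on a server-role certificate
  [ "$(cfg_get "$cli" remote-cert-tls)" = server ] \
    || { echo "MISSING 'remote-cert-tls server' in client config"; rc=1; }
  return $rc
}

# Constructed sample files mirroring the post's configuration.
write_samples() {  # write_samples DIR
  cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0   # server side
cipher AES-256-CBC
comp-lzo
EOF
  cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 192.0.2.10 1194
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
EOF
  # a client file with typical copy-paste mistakes: udp instead of tcp,
  # key direction 0 instead of 1, compression forgotten
  cat > "$1/client-bad.ovpn" <<'EOF'
client
dev tun
proto udp
remote 192.0.2.10 1194
remote-cert-tls server
tls-auth ta.key 0
cipher AES-256-CBC
EOF
}

demo_good() {  # matching pair: returns 0
  d=$(mktemp -d); write_samples "$d"
  check_pair "$d/server.conf" "$d/client.ovpn" && r=0 || r=$?
  rm -rf "$d"; return $r
}
demo_bad() {  # broken pair: returns 1 with three problem lines
  d=$(mktemp -d); write_samples "$d"
  check_pair "$d/server.conf" "$d/client-bad.ovpn" && r=0 || r=$?
  rm -rf "$d"; return $r
}

# Usage: sh check_pair.sh /etc/openvpn/server.conf client.ovpn
if [ $# -eq 2 ]; then check_pair "$1" "$2"; exit $?; fi
```

Run it on the real pair before copying client.ovpn to the Windows machine; each reported line names the directive to fix and the value seen on each side.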



Configure the OpenVPN client on Windows

Download openvpn-install-2.4.7-I601.exe


https://www.filecluster.com/downloads/Open×××.html


Locate the OpenVPN config directory and put the certificates downloaded earlier inside it

Then start the connection
