时光不改's 记忆碎片

Setting up OpenVPN on Ubuntu 18.04

Word count: 3.6k; reading time: 18 min
2019/05/09


1. Install OpenVPN and Easy-RSA

# Update the package lists first, then install OpenVPN

apt update
apt upgrade
apt install openvpn

# Now install Easy-RSA; the current release is 3.0.6

root@AX:~# cd
root@AX:~# wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-3.0.6.tgz
root@AX:~# tar xvf EasyRSA-unix-3.0.6.tgz

The release tag in the URL has to match the archive version (the post originally pointed a 3.0.6 archive at the v3.0.5 tag). Check the exact asset name on the release page, and compare the download against the checksum or signature published there before unpacking it: this archive is what will later mint every certificate the VPN trusts.

2. Configure Easy-RSA and build the CA

root@AX:~# cd EasyRSA-3.0.6/
root@AX:~/EasyRSA-3.0.6# cp vars.example vars

# Copy the template and edit the parameters in vars

root@AX:~/EasyRSA-3.0.6# vim vars

# Find the following lines and uncomment them

...
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"

# Adjust them to something like my configuration below

set_var EASYRSA_REQ_COUNTRY "UK"
set_var EASYRSA_REQ_PROVINCE "LONDON"
set_var EASYRSA_REQ_CITY "London"
set_var EASYRSA_REQ_ORG "xxx"
set_var EASYRSA_REQ_EMAIL "xxx@xxx.co.uk"
set_var EASYRSA_REQ_OU "xxx Ltd"
...

# Initialise the PKI, then build the CA

root@AX:~/EasyRSA-3.0.6# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/axing/EasyRSA-3.0.6/pki

root@AX:~/EasyRSA-3.0.6# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
Generating RSA private key, 2048 bit long modulus
....................+++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/axing/EasyRSA-3.0.6/pki/ca.crt

The nopass argument is optional: it leaves the CA key without a passphrase so you are not prompted for one on every signing. The trade-off is that anyone who can read pki/private/ca.key can then issue certificates the VPN trusts, so keep that file off the VPN host if you can, or drop nopass and accept the prompt.
After this step ca.crt is in the pki directory and ca.key in pki/private.

3. Generate the server certificate and key material

# axvpn is my server name; you can keep the default name server instead

root@CFL-LD8-84:~/EasyRSA-3.0.6# ./easyrsa gen-req axvpn nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
Generating a 2048 bit RSA private key
....................+++
writing new private key to '/home/axing/EasyRSA-3.0.6/pki/private/axvpn.key.06St6HRfIZ'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg: your user, host, or server name) [axvpn]:
Keypair and certificate request completed. Your files are:
req: /home/axing/EasyRSA-3.0.6/pki/reqs/axvpn.req
key: /home/axing/EasyRSA-3.0.6/pki/private/axvpn.key

This yields two files: the request pki/reqs/axvpn.req and the private key pki/private/axvpn.key.
Copy the server's private key into the OpenVPN configuration directory and make sure the copy stays readable by root only (mode 0600):
root@AX:~/EasyRSA-3.0.6# cp pki/private/axvpn.key /etc/openvpn

4. Sign the server certificate

Because the same machine acts as both CA and VPN server, the post renames the server's request and imports it under the original name. Strictly this is unnecessary: gen-req already wrote pki/reqs/axvpn.req into this PKI, and import-req exists for requests generated on another machine (it refuses to import a name that already exists in pki/reqs, which is why the rename is needed to make it succeed). You can go straight to sign-req; the rename and import below are harmless but do nothing useful.

root@AX:~/EasyRSA-3.0.6# mv pki/reqs/axvpn.req pki/reqs/axvpn2.req
root@AX:~/EasyRSA-3.0.6# ./easyrsa import-req pki/reqs/axvpn2.req axvpn

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
The request has been successfully imported with a short name of: axvpn
You may now use this name to perform signing operations on this request.

Sign the request

root@CFL-LD8-84:~/EasyRSA-3.0.6# ./easyrsa sign-req server axvpn

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = axvpn
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./safessl-easyrsa.cnf
Can't open /home/axing/EasyRSA-3.0.6/pki/index.txt.attr for reading, No such file or directory
139895844725184:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/home/axing/EasyRSA-3.0.6/pki/index.txt.attr','r')
139895844725184:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'axvpn'
Certificate is to be certified until Dec 18 10:36:38 2021 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /home/axing/EasyRSA-3.0.6/pki/issued/axvpn.crt

The message "Can't open /home/axing/EasyRSA-3.0.6/pki/index.txt.attr for reading, No such file or directory" is harmless: OpenSSL looks for the attribute file before it has been created on the first signing and creates it afterwards. The result is the signed certificate at pki/issued/axvpn.crt.

Copy axvpn.crt together with ca.crt into the OpenVPN configuration directory:

root@AX:~/EasyRSA-3.0.6# cp pki/ca.crt pki/issued/axvpn.crt /etc/openvpn/

Generate the Diffie-Hellman parameters. The post lists this as optional, but the server.conf below references dh.pem, so as configured it is required (OpenVPN 2.4 can run without a DH file via dh none, in which case it uses ECDH). This step is slow; expect it to take a few minutes.

root@AX:~/EasyRSA-3.0.6# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................+..................
DH parameters of size 2048 created at /home/axing/EasyRSA-3.0.6/pki/dh.pem

This writes dh.pem into the pki directory. Next, generate the tls-auth key, a shared HMAC key that lets the server drop packets from anyone who does not hold it before any TLS work is done:

root@AX:~/EasyRSA-3.0.6# openvpn --genkey --secret ta.key

Now we also have ta.key. Copy these two files into the OpenVPN configuration directory:

root@AX:~/EasyRSA-3.0.6# cp ta.key pki/dh.pem /etc/openvpn/

The server side is now ready.

5. Generate the client certificate and key

Create a directory for the client files, readable by the owner only since it will hold a private key:

root@AX:~/EasyRSA-3.0.6# mkdir -p ~/client-conf/key
root@AX:~/EasyRSA-3.0.6# chmod -R 700 ~/client-conf/

Name the client "client"

root@CFL-LD8-84:~/EasyRSA-3.0.6# ./easyrsa gen-req client nopass

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
Generating a 2048 bit RSA private key
..........................+++
writing new private key to '/home/axing/EasyRSA-3.0.6/pki/private/client.key.wgjLsABJan'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /home/axing/EasyRSA-3.0.6/pki/reqs/client.req
key: /home/axing/EasyRSA-3.0.6/pki/private/client.key

client.req is now in pki/reqs and client.key in pki/private; copy the key into the client directory:

root@AX:~/EasyRSA-3.0.6# cp pki/private/client.key ~/client-conf/key/

As with the server, the post renames the request (the mv to clienta.req is not shown) before importing it and then signs it. The rename and import can be skipped: the request is already in pki/reqs, so sign-req client client works directly.

root@AX:~/EasyRSA-3.0.6# ./easyrsa import-req pki/reqs/clienta.req client

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
The request has been successfully imported with a short name of: client
You may now use this name to perform signing operations on this request.

root@AX:~/EasyRSA-3.0.6# ./easyrsa sign-req client client

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g 2 Nov 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Dec 18 15:30:48 2021 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /home/axing/EasyRSA-3.0.6/pki/issued/client.crt

client.crt has now been generated.
Copy it, together with ta.key and ca.crt, into the client directory:

root@AX:~/EasyRSA-3.0.6# cp pki/issued/client.crt ta.key pki/ca.crt ~/client-conf/key/
root@AX:~/EasyRSA-3.0.6# ls ~/client-conf/key/

ca.crt  client.crt  client.key  ta.key

At this point the client files are ready.

6. Configure the OpenVPN service; first copy the template into the configuration directory

root@AX:~/EasyRSA-3.0.6# sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
root@AX:~/EasyRSA-3.0.6# gzip -d /etc/openvpn/server.conf.gz
root@AX:~/EasyRSA-3.0.6# vim /etc/openvpn/server.conf

Below are the changes to make in the configuration file, covering the directives you are likely to need.

# Listening port, default 1194; if you change it, change the firewall rule accordingly. (optional)
port 1194

# TCP or UDP. If you switch to TCP the port is usually changed to 443 as well, and explicit-exit-notify (see below) must be disabled

;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel

;dev tap
dev tun

# SSL/TLS root certificate (ca), server certificate (cert) and private key (key). My server name is axvpn, so the file names change accordingly (required)

ca ca.crt
cert axvpn.crt
key axvpn.key

# Diffie-Hellman parameters.

# The default is dh2048.pem; we generated dh.pem, so change it (required)
dh dh.pem

# The IP range OpenVPN hands out to clients
server 192.168.0.0 255.255.255.0

Choose this subnet so it does not collide with the LANs your clients connect from: 192.168.0.0/24 is the default on many home routers, and a client sitting on such a LAN ends up with a route conflict. The sample file's 10.8.0.0/24 is a safer choice. Whatever you pick must be reused in the NAT rule in section 7.

# Push routes to the clients so they can reach other private subnets behind the server. (optional)

# In other words, let clients reach the other LANs the VPN server itself is connected to

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 10.111.0.0 255.255.0.0"

# If enabled, every client's default gateway is redirected into the VPN, so all client traffic (web browsing, DNS queries and so on) goes through the tunnel. (optional)

;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows network settings, such as DNS or WINS server addresses, can be pushed to clients. (optional)

# The commented addresses are the public DNS servers from opendns.com; the active one is the one I use.

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 202.106.0.20"

# Uncomment this line if it is commented, and add the key-direction line after it (required)

tls-auth ta.key 0 # This file is secret
key-direction 0

# Select a cipher for the data channel.
# The same setting must be present in every client configuration file.
# Add SHA256 as the HMAC for packet authentication.
# With OpenVPN 2.4 on both ends the data channel is negotiated to AES-256-GCM anyway; the cipher line is the fallback for clients that cannot negotiate.

cipher AES-256-CBC
auth SHA256

# Drop the OpenVPN daemon's privileges after initialisation (best to uncomment these).
# Non-Windows systems only. On Ubuntu the unprivileged group is nogroup, not nobody;
# with "group nobody" the service fails to start.

user nobody
group nogroup

# Notify the client when the server restarts so it
# can automatically reconnect.
# This only works over UDP: if you switched to TCP, set it to 0 or comment it out,
# because OpenVPN refuses to start with a non-zero explicit-exit-notify under proto tcp

explicit-exit-notify 1

7. Adjust the server's network configuration

First enable IP forwarding, then apply the setting

root@AX:~/EasyRSA-3.0.6# vim /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Save and exit, then load the change

root@AX:~/EasyRSA-3.0.6# sysctl -p

net.ipv4.ip_forward = 1

Now change the ufw configuration. Before doing this, make sure ufw is installed and enabled on the Ubuntu machine and that the initial rules (allowing SSH in particular) are in place, otherwise enabling it later will lock you out.

# Confirm the name of the public network interface; here it is ens3

root@AX:~/EasyRSA-3.0.6# ip route | grep def

default via 46.102.170.81 dev ens3 onlink
Edit the rules file and add a NAT block near the top, before the existing *filter section, so that VPN traffic is masqueraded behind the server's public address:

root@AX:~/EasyRSA-3.0.6# vim /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN client subnet out of ens3 (change to the interface you discovered!)
# The -s subnet must be the one given to "server" in server.conf; the template's
# 10.8.0.0/8 would never match the 192.168.0.0/24 pool used in this post
-A POSTROUTING -s 192.168.0.0/24 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES
...

Save and exit.

Next change the default forwarding policy from DROP to ACCEPT so that ufw lets forwarded packets through. This opens forwarding on every interface; a tighter alternative with the ufw shipped on 18.04 is to leave the policy at DROP and allow only the VPN path with ufw route allow in on tun0 out on ens3.

root@AX:~/EasyRSA-3.0.6# vim /etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

Allow VPN traffic (and SSH) through the firewall:

root@AX:~/EasyRSA-3.0.6# ufw allow 1194/udp
root@AX:~/EasyRSA-3.0.6# ufw allow openssh

My firewall then looks like this (the ufw status output was not captured in the post):

root@AX:~/EasyRSA-3.0.6# ufw status

Instead of the MASQUERADE rule, the post also shows an explicit SNAT rule for the VPN subnet, using the server's own address 10.10.4.182 as the source, followed by a watch on the NAT counters to confirm the rule actually matches packets:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 10.10.4.182
watch -d "iptables -t nat -nvL"

A rule added with iptables directly is not kept across reboots; put the equivalent into /etc/ufw/before.rules if you want it to persist.

8. Start the OpenVPN service and enable it at boot

The @server suffix selects server.conf (openvpn@NAME reads /etc/openvpn/NAME.conf). If the first command prints nothing the service started; confirm with systemctl status openvpn@server and the journal, then run the second command to enable it at boot.

root@AX:~/EasyRSA-3.0.6# systemctl start openvpn@server
root@AX:~/EasyRSA-3.0.6# systemctl enable openvpn@server.service

9. Create the client configuration file

Finally the last step. Copy the sample client configuration first; name it whatever you like

root@AX:~/EasyRSA-3.0.6# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf  ~/client-conf/axclient.conf

Edit the file so that it matches the server configuration. Keep the remote-cert-tls server line from the sample file: it makes the client require that the peer's certificate carries the server role set by sign-req server, so a stolen client certificate cannot be used to impersonate the VPN server.

root@AX:~/EasyRSA-3.0.6# vim ~/client-conf/axclient.conf

...
remote xx.xx.xxx.xx 1194
;remote my-server-2 1194
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca

# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# If a tls-auth key is used on the server

# then every client must also have the key.
tls-auth ta.key 1
key-direction 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256
# Many guides add the following lines.
# On a Linux client that has /etc/openvpn/update-resolv-conf, uncomment them
# so the pushed DNS servers are applied; otherwise leave them commented.
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
Save and exit.
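The three files edited in sections 6, 7 and 9 have to agree with each other in ways the post only states in passing: port and proto on both ends, cipher and auth identical, tls-auth direction 0 on the server and 1 on the client, remote-cert-tls server in the client profile, and the subnet in the MASQUERADE rule equal to the one the server directive hands out (the template's 10.8.0.0/8 would not match the 192.168.0.0/24 pool configured above). The following audit script is an added example, not code from the post or from the OpenVPN project; the function names and the three file paths in its usage line are mine, and it needs only sh, awk and grep.

```shell
#!/bin/sh
# Added example, not code from the original post: an audit that reads the three
# files produced in sections 6, 7 and 9 and reports where they disagree.
# Checks: port/proto, cipher and auth match on both sides; tls-auth direction is
# 0 on the server and 1 on the client; the client pins the peer to a *server*
# certificate (remote-cert-tls server); the MASQUERADE rule in before.rules
# covers the subnet "server" hands out; explicit-exit-notify is not used with tcp.

# conf_val FILE KEY -> value of the first uncommented KEY line, inline comment stripped
conf_val() {
    awk -v key="$2" '$1 == key {
        sub(/[ \t]*[#;].*$/, ""); sub(/^[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# mask_to_prefix 255.255.255.0 -> 24 (assumes a contiguous netmask)
mask_to_prefix() {
    echo "$1" | awk -F. '{ b = 0
        for (i = 1; i <= 4; i++) { n = $i; while (n > 0) { b += n % 2; n = int(n / 2) } }
        print b }'
}

# server_cidr SERVER_CONF -> the "server NET MASK" directive as NET/PREFIX
server_cidr() {
    f=$1; set -- $(conf_val "$f" server)
    [ -n "$2" ] || return 1
    echo "$1/$(mask_to_prefix "$2")"
}

# nat_source BEFORE_RULES -> the -s argument of the POSTROUTING MASQUERADE rule
nat_source() {
    awk '/^-A POSTROUTING/ && /MASQUERADE/ {
        for (i = 1; i < NF; i++) if ($i == "-s") { print $(i + 1); exit } }' "$1"
}

# tls_dir CONF -> tls-auth key direction: key-direction if present, otherwise
# the second argument of tls-auth ("tls-auth ta.key 0" -> 0)
tls_dir() {
    f=$1; d=$(conf_val "$f" key-direction)
    if [ -z "$d" ]; then set -- $(conf_val "$f" tls-auth); d=$2; fi
    echo "$d"
}

fail() { echo "FAIL: $1"; rc=1; }

# audit SERVER_CONF BEFORE_RULES CLIENT_CONF -> one FAIL line per mismatch;
# returns 0 only when every check passes
audit() {
    s=$1; r=$2; c=$3; rc=0
    sproto=$(conf_val "$s" proto); sproto=${sproto:-udp}
    cproto=$(conf_val "$c" proto); cproto=${cproto:-udp}
    sport=$(conf_val "$s" port);   sport=${sport:-1194}
    set -- $(conf_val "$c" remote); cport=${2:-1194}
    [ "$sport" = "$cport" ]   || fail "port: server listens on $sport, client remote uses $cport"
    [ "$sproto" = "$cproto" ] || fail "proto: server $sproto, client $cproto"
    for k in cipher auth; do
        sv=$(conf_val "$s" $k); cv=$(conf_val "$c" $k)
        [ "$sv" = "$cv" ] || fail "$k: server '$sv', client '$cv'"
    done
    [ "$(tls_dir "$s")" = 0 ] && [ "$(tls_dir "$c")" = 1 ] \
        || fail "tls-auth direction must be 0 on the server and 1 on the client"
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$c" \
        || fail "client lacks 'remote-cert-tls server': any client cert could pose as the server"
    sc=$(server_cidr "$s"); ns=$(nat_source "$r")
    [ "$sc" = "$ns" ] || fail "NAT: server pool is $sc but MASQUERADE matches -s $ns"
    if [ "$sproto" = tcp ] && grep -Eq '^[[:space:]]*explicit-exit-notify' "$s"; then
        fail "explicit-exit-notify is UDP-only; OpenVPN refuses to start with it under proto tcp"
    fi
    return $rc
}

# usage (paths are this example's assumptions):
#   sh audit.sh /etc/openvpn/server.conf /etc/ufw/before.rules ~/client-conf/axclient.conf
if [ $# -eq 3 ]; then audit "$@"; fi
```

It prints one FAIL line per mismatch and exits non-zero, so it can gate a deploy script. The NAT subnet is compared literally, so a deliberately wider rule is reported as well; adjust that check if you masquerade a supernet on purpose.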

As in the guide this post follows, create a shell script that inlines the CA certificate, the client certificate and key, and ta.key into a single .ovpn profile. The script's directories must match the ones used above (~/client-conf/key for the key material and axclient.conf as the base configuration), and the output directory has to exist. Because the certificates are inlined, comment out the ca, cert, key and tls-auth lines in the base configuration and keep key-direction 1; the inline blocks replace them.

vim ~/client-conf/make_config.sh

Copy in the following:

#!/bin/bash
# First argument: client identifier
# Inlines ca.crt, <client>.crt, <client>.key and ta.key into one .ovpn profile
set -euo pipefail
KEY_DIR=~/client-conf/key
OUTPUT_DIR=~/client-conf/files
BASE_CONFIG=~/client-conf/axclient.conf
[ -n "${1:-}" ] || { echo "usage: $0 <client>" >&2; exit 1; }
# refuse to build a profile with a missing piece rather than emit a broken one
for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/$1.crt" "$KEY_DIR/$1.key" "$KEY_DIR/ta.key"; do
    [ -r "$f" ] || { echo "missing $f" >&2; exit 1; }
done
mkdir -p "$OUTPUT_DIR"
cat "$BASE_CONFIG" \
    <(echo -e '<ca>') \
    "$KEY_DIR/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "$KEY_DIR/$1.crt" \
    <(echo -e '</cert>\n<key>') \
    "$KEY_DIR/$1.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "$KEY_DIR/ta.key" \
    <(echo -e '</tls-auth>') \
    > "$OUTPUT_DIR/$1.ovpn"
# the profile now contains a private key: keep it owner-only
chmod 600 "$OUTPUT_DIR/$1.ovpn"

Make it executable: chmod 700 ~/client-conf/make_config.sh
Run the script to generate the client profile

cd ~/client-conf
./make_config.sh client

Conclusion

If every step went through, a .ovpn file appears in ~/client-conf/files and is ready to use. Before handing it out, connect with it once and watch the client log for "Initialization Sequence Completed"; a profile that fails the tls-auth or certificate checks never gets that far.

Maintenance

Creating a user for a Windows client:

cd ~/EasyRSA-3.0.6/
./easyrsa build-client-full lihj
mkdir -p ~/client-conf/key_lihj
cp ta.key pki/ca.crt pki/issued/lihj.crt pki/private/lihj.key ~/client-conf/key_lihj

build-client-full combines gen-req and sign-req client in one step (build-server-full does the same for a server). Without nopass it asks for a passphrase on the new key, so the user is prompted for it whenever the client starts; that is the right default for a profile handed to someone else.

Make a client configuration for this user:

cp axclient.conf lihj.conf

and in lihj.conf point the certificate lines at the new files:

ca ca.crt
cert lihj.crt
key lihj.key

Then copy the generator script

cp make_config.sh  make_config_lihj.sh

and set its variables to the new directory and base configuration:

KEY_DIR=~/client-conf/key_lihj
OUTPUT_DIR=~/client-conf/files
BASE_CONFIG=~/client-conf/lihj.conf

Finally build the profile:

./make_config_lihj.sh lihj

(If all client keys are kept in one directory and the base configuration refers to files by the client name, the original script already handles any client through its first argument and no per-user copy is needed.)

Revoking a signed certificate in OpenVPN (removing a user)

https://wiki.archlinux.org/index.php/Easy-rsa

Revoking certificates and alerting the OpenVPN server (from the Arch wiki; the Arch layout keeps the PKI in /etc/easy-rsa with easyrsa on the PATH, whereas in this post the PKI is ~/EasyRSA-3.0.6 and the command is ./easyrsa)

Revoke a certificate
Over time it may become necessary to revoke a certificate, thus denying access to the affected user(s). This example revokes the "client1" certificate.
On the CA machine:

cd /etc/easy-rsa
Revoke it:
easyrsa revoke client1
Generate the CRL (the list of revoked certificates):
easyrsa gen-crl
This produces the CRL file /etc/easy-rsa/pki/crl.pem, which needs to be transferred to the OpenVPN server and made active there.

Alert the OpenVPN server
On the CA machine:

cp /etc/easy-rsa/pki/crl.pem /tmp
chown foo /tmp/crl.pem

On the OpenVPN machine, copy crl.pem and inform the server to read it:

mv /tmp/crl.pem /etc/openvpn
chown root:root /etc/openvpn/crl.pem

Edit /etc/openvpn/server.conf uncommenting the crl-verify directive, then restart openvpn@server.service to re-read it:

vi /etc/openvpn/server.conf

crl-verify /etc/openvpn/crl.pem

Restart the OpenVPN service for the change to take effect. Two things to keep in mind: the server re-reads crl.pem after it has dropped privileges to the user and group set in server.conf, so the file must remain readable by that user (the 0644 that cp and chown leave is fine); and the CRL carries a nextUpdate, 180 days after gen-crl with Easy-RSA's default EASYRSA_CRL_DAYS, after which OpenVPN rejects every client with "CRL has expired". Regenerate and redeploy it before then, whether or not anyone was revoked in the meantime.

systemctl restart openvpn@server
