Environment preparation

CentOS 7

[root@openvpn ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

Install the packages

yum install -y easy-rsa openvpn openvpn-auth-ldap

[root@openvpn ~]# rpm -qa |grep openvpn
openvpn-2.4.8-1.el7.x86_64
openvpn-auth-ldap-2.0.3-17.el7.x86_64

easy-rsa is used to generate the certificates that the OpenVPN server needs in order to start.

Server certificate generation

To simplify the certificate-generation process, the easy-rsa toolkit is used.

  1. First create a working directory to hold the files used while generating certificates

    mkdir /etc/openvpn/easy-rsa
  2. Prepare the easy-rsa files

    cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
  3. Prepare the CSR settings used when generating certificates

    cat <<EOF > /etc/openvpn/easy-rsa/vars
    # Organization details; customize as needed
    set_var EASYRSA_REQ_COUNTRY	"US"
    set_var EASYRSA_REQ_PROVINCE	"California"
    set_var EASYRSA_REQ_CITY	"San Francisco"
    set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
    set_var EASYRSA_REQ_EMAIL	"me@example.net"
    set_var EASYRSA_REQ_OU		"My Organizational Unit"
    # Certificate validity period (days)
    set_var EASYRSA_CA_EXPIRE	3650
    set_var EASYRSA_CERT_EXPIRE	3650
    EOF
  4. Generate the CA certificate

    [root@openvpn easy-rsa]# cd /etc/openvpn/easy-rsa/
    [root@openvpn easy-rsa]# ./easyrsa init-pki

    Note: using Easy-RSA configuration from: ./vars

    init-pki complete; you may now create a CA or requests.
    Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
    [root@openvpn easy-rsa]# ./easyrsa build-ca

    Note: using Easy-RSA configuration from: ./vars

    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

    Enter New CA Key Passphrase:  # Set a passphrase; it will be needed below when signing certificates. Here I set it to 888888
    Re-Enter New CA Key Passphrase:
    Generating RSA private key, 2048 bit long modulus
    ..................................................................................................................................................................................................................................................................+++
    .................+++
    e is 65537 (0x10001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  # Set the CN; press Enter to accept the default: Easy-RSA CA

    CA creation complete and you may now import and sign cert requests.
    Your new CA certificate file for publishing is at:
    /etc/openvpn/easy-rsa/pki/ca.crt
  5. Generate the server key and certificate request

    [root@openvpn easy-rsa]# ./easyrsa gen-req server nopass

    Note: using Easy-RSA configuration from: ./vars

    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating a 2048 bit RSA private key
    .......................+++
    ........+++
    writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.VWbGpsGSpM'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [server]:  # Set the CN; press Enter to accept the default: server

    Keypair and certificate request completed. Your files are:
    req: /etc/openvpn/easy-rsa/pki/reqs/server.req
    key: /etc/openvpn/easy-rsa/pki/private/server.key
  6. Sign the server certificate with the CA

    [root@openvpn easy-rsa]# ./easyrsa sign server server

    Note: using Easy-RSA configuration from: ./vars

    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a server certificate for 3650 days:

    subject=
       commonName                = server


    Type the word 'yes' to continue, or any other input to abort.
     Confirm request details: yes  # Type yes to confirm
    Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
    Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:  # Enter the passphrase set when the CA was created in step 4
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'server'
    Certificate is to be certified until Apr  2 04:27:27 2030 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
  7. Generate the DH parameters

    [root@openvpn easy-rsa]# ./easyrsa gen-dh

    Note: using Easy-RSA configuration from: ./vars

    Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ....................................

    DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

  8. Generate the tls-auth key (ta.key)

    openvpn --genkey --secret /etc/openvpn/ta.key
  9. Put the server certificates and keys together under /etc/openvpn/ for easier management and configuration.

    [root@openvpn openvpn]# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/
    [root@openvpn openvpn]# cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/
    [root@openvpn openvpn]# cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/
    [root@openvpn openvpn]# cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
    [root@openvpn openvpn]# ls -l
    total 36
    -rw------- 1 root root    1172 Apr  4 12:52 ca.crt
    drwxr-x--- 2 root openvpn 4096 Nov  1 20:11 client
    -rw------- 1 root root     424 Apr  4 12:52 dh.pem
    drwxr-xr-x 4 root root    4096 Apr  4 12:27 easy-rsa
    drwxr-x--- 2 root openvpn 4096 Nov  1 20:11 server
    -rw------- 1 root root    4547 Apr  4 12:52 server.crt
    -rw------- 1 root root    1704 Apr  4 12:52 server.key
    -rw------- 1 root root     636 Apr  4 12:50 ta.key

Client certificate generation

Generate the certificate

[root@openvpn easy-rsa]# ./easyrsa gen-req xnile nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..................+++
..........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-13661.rmfNmd/tmp.mJ9AJb'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [xnile]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/xnile.req
key: /etc/openvpn/easy-rsa/pki/private/xnile.key

Remember the path /etc/openvpn/easy-rsa/pki/private/xnile.key; it is needed below.

Sign the certificate

# Sign
[root@openvpn easy-rsa]# ./easyrsa sign-req client xnile

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
    commonName                = xnile


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-13784.sXpDIp/tmp.XXJ1dH
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'xnile'
Certificate is to be certified until May 11 09:23:36 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/xnile.crt

The certificate file is /etc/openvpn/easy-rsa/pki/issued/xnile.crt; it is needed below.

Configuration

Main configuration file: /etc/openvpn/server.conf

[root@openvpn ~]# cat > /etc/openvpn/server.conf <<EOF
local 0.0.0.0
port 1194
proto udp
dev tun
user openvpn
group openvpn
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Client address pool
server 192.168.255.0 255.255.255.0
# Internal network segment pushed to clients as a route
push "route 172.16.0.0 255.240.0.0"
ifconfig-pool-persist ipp.txt
# Keepalive: ping every 10 seconds; treat the peer as disconnected after 120 seconds without a reply
keepalive 10 120
# Key direction: 0 on the server, 1 on the client
tls-auth ta.key 0
cipher AES-256-CBC
# Compress transported data
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF

Start the service

systemctl start openvpn@server
systemctl enable openvpn@server

Enable kernel forwarding and SNAT

Enable kernel forwarding

echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf

The first command takes effect immediately but does not survive a reboot; the sysctl.conf entry is what makes the setting persistent.

Enable SNAT with iptables

iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE

192.168.255.0/24 is the address range OpenVPN assigns to clients, i.e. the range specified by "server 192.168.255.0 255.255.255.0" in the OpenVPN configuration file.

Client configuration file

Create the client configuration file xnile.ovpn

client
dev tun
proto udp
remote XX.XX.XX.XX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
# CA certificate
ca ca.crt
# Client certificate
cert xnile.crt
# Client private key
key xnile.key
# tls-auth key
tls-auth ta.key 1
cipher AES-256-CBC

Copy the required certificate and key files from the server into the directory that contains xnile.ovpn.
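The client profile above has to agree with server.conf on the protocol, cipher, compression and the tls-auth key direction (0 on the server, 1 on the client); a mismatch shows up only as a failed or silently unauthenticated handshake in the log. The following pre-flight check is an added example, not code from the original post: it extracts those directives from both files and reports every disagreement. The sample configs written by write_samples are constructed from the values used in this post; the function names are the example's own.

```bash
#!/bin/bash
# Added example: check that a client profile matches server.conf on the
# settings that must agree. Not part of the original post.

# First value of a directive; comment lines start with '#' so they never match.
conf_value() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# 1 if the directive is present (e.g. comp-lzo, which takes no argument), else 0.
has_directive() {
  awk -v d="$2" 'BEGIN { f = 0 } $1 == d { f = 1 } END { print f }' "$1"
}

# tls-auth key direction: "tls-auth ta.key N" (file form) or "key-direction N" (inline form).
key_direction() {
  awk '$1 == "tls-auth" && NF >= 3 { print $3; exit }
       $1 == "key-direction"       { print $2; exit }' "$1"
}

# check_profiles <server.conf> <client.ovpn>
# Returns 0 when the two agree, 1 otherwise, printing one line per mismatch.
check_profiles() {
  local srv=$1 cli=$2 rc=0 d s c
  for d in proto cipher; do
    s=$(conf_value "$srv" "$d"); c=$(conf_value "$cli" "$d")
    if [ "$s" != "$c" ]; then
      echo "MISMATCH $d: server='$s' client='$c'"; rc=1
    fi
  done
  s=$(has_directive "$srv" comp-lzo); c=$(has_directive "$cli" comp-lzo)
  if [ "$s" != "$c" ]; then
    echo "MISMATCH comp-lzo: server=$s client=$c"; rc=1
  fi
  s=$(key_direction "$srv"); c=$(key_direction "$cli")
  if [ "$s" != "0" ] || [ "$c" != "1" ]; then
    echo "MISMATCH tls-auth direction: server='$s' (want 0) client='$c' (want 1)"; rc=1
  fi
  return $rc
}

# Constructed sample pair, reduced to the directives that matter for the check.
write_samples() {
  local dir=$1
  cat > "$dir/server.conf" <<'EOF'
proto udp
server 192.168.255.0 255.255.255.0
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
EOF
  cat > "$dir/xnile.ovpn" <<'EOF'
client
proto udp
remote-cert-tls server
comp-lzo
tls-auth ta.key 1
cipher AES-256-CBC
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if check_profiles "$demo_dir/server.conf" "$demo_dir/xnile.ovpn"; then
  echo "profiles are consistent"
fi
rm -rf "$demo_dir"
```

Run it as `check_profiles /etc/openvpn/server.conf xnile.ovpn` before handing a profile out; a non-zero exit means at least one line was printed.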

Merge the client configuration into a single file

Embedding the certificate files in one configuration file makes it easier to hand out to colleagues.

xnile.ovpn

client
dev tun
# Protocol: must match the server
proto udp
# Server IP
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# Must match the server
comp-lzo
# Cipher: must match the server
cipher AES-256-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
# Paste the contents of ca.crt from the server here
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# Paste the contents of ta.key from the server here
-----END OpenVPN Static key V1-----
</tls-auth>
<cert>
# Paste the contents of /etc/openvpn/easy-rsa/pki/issued/xnile.crt from the server here
</cert>
<key>
# Paste the contents of /etc/openvpn/easy-rsa/pki/private/xnile.key from the server here
</key>
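Pasting four files by hand is error-prone, and the issued xnile.crt from easy-rsa starts with a human-readable dump before the PEM block. The script below is an added example, not code from the original post: it assembles the single-file profile from ca.crt, ta.key, <name>.crt and <name>.key in a directory, keeping only the PEM block of each file, refusing to run if any input is missing or has no PEM block, and writing the result with mode 0600 because it embeds the client's private key. The server address, the directory and the output path are arguments; write_placeholder_pki writes constructed placeholder files so the script runs offline, and the function names are the example's own.

```bash
#!/bin/bash
# Added example: build an inline xnile.ovpn from the separate PEM files.
# Not part of the original post.

# Print only the "-----BEGIN ...-----" .. "-----END ...-----" block of a file.
pem_block() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn <name> <dir> <server-ip> <outfile>
# Writes the profile with mode 0600 (umask 077): it contains the private key.
build_ovpn() {
  local name=$1 dir=$2 server=$3 out=$4 f
  for f in ca.crt ta.key "$name.crt" "$name.key"; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing $dir/$f" >&2; return 1
    fi
    if ! grep -q '^-----BEGIN ' "$dir/$f"; then
      echo "no PEM block in $dir/$f" >&2; return 1
    fi
  done
  (
    umask 077
    cat > "$out" <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
cipher AES-256-CBC
verb 3
<ca>
$(pem_block "$dir/ca.crt")
</ca>
key-direction 1
<tls-auth>
$(pem_block "$dir/ta.key")
</tls-auth>
<cert>
$(pem_block "$dir/$name.crt")
</cert>
<key>
$(pem_block "$dir/$name.key")
</key>
EOF
  )
}

# Constructed placeholder inputs (not real key material) so the script runs offline.
# The .crt mimics easy-rsa's text dump before the PEM block; ta.key its comment header.
write_placeholder_pki() {
  local dir=$1 name=$2
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$dir/ca.crt"
  printf '%s\n' '# 2048 bit OpenVPN static key' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$dir/ta.key"
  printf '%s\n' 'Certificate:' '    Data:' '        Subject: CN=xnile' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' '-----END CERTIFICATE-----' > "$dir/$name.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$dir/$name.key"
}

demo=$(mktemp -d)
write_placeholder_pki "$demo" xnile
build_ovpn xnile "$demo" 203.0.113.10 "$demo/xnile.ovpn" && cat "$demo/xnile.ovpn"
rm -rf "$demo"
```

On the real server the call is `build_ovpn xnile /etc/openvpn/easy-rsa/pki/private/.. <server-ip> xnile.ovpn` with the four files first collected into one directory; the resulting file is a credential and should travel to the colleague over a channel you would trust with the private key itself.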

Client certificate revocation

Revoke the certificate

[root@openvpn easy-rsa]# ./easyrsa revoke xnile

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = xnile


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-29699.iPB54p/tmp.1vPzJZ
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Revoking Certificate F3037A17C769418D2C306D707D08DF68.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

Generate crl.pem, which contains the list of revoked certificates.

[root@openvpn easy-rsa]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-29928.SKlj1B/tmp.YUVsGH
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

Reference crl.pem in the main configuration file

[root@openvpn easy-rsa]# echo "crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf

Restart the service for the change to take effect; the client can then no longer connect.

systemctl restart openvpn@server

If you later want to undo the revocation, edit /etc/openvpn/easy-rsa/pki/index.txt, delete the corresponding line, run ./easyrsa gen-crl again to update crl.pem, and restart the service.

V	300511085047Z		5B56FE89E9EAE090BE79DFD5C7E0FB03	unknown	/CN=server
R	300512013319Z	200514013348Z	F3037A17C769418D2C306D707D08DF68	unknown	/CN=xnile
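The index.txt shown above is tab-separated: status (V valid, R revoked, E expired), expiry time, revocation time, serial, filename and subject DN. Because a revocation only takes effect once a CRL is generated and server.conf carries a crl-verify line (the IMPORTANT notice above), the audit below is worth running after every revoke. It is an added example, not code from the original post: it looks up a CN's status, lists revoked serials, and fails when index.txt records revocations but server.conf has no crl-verify directive. The sample index is constructed from the two lines in the post; the function names are the example's own.

```bash
#!/bin/bash
# Added example: audit easy-rsa's pki/index.txt against server.conf.
# Not part of the original post.

# cert_status <index.txt> <CN>  -> prints V, R or E, or "absent" if no entry exists.
cert_status() {
  awk -F'\t' -v cn="$2" '
    $6 == ("/CN=" cn) { print $1; found = 1; exit }
    END { if (!found) print "absent" }' "$1"
}

# revoked_serials <index.txt> -> one "serial<TAB>revoked-at<TAB>CN" line per revoked cert.
revoked_serials() {
  awk -F'\t' '$1 == "R" { sub("^/CN=", "", $6); print $4 "\t" $3 "\t" $6 }' "$1"
}

# crl_configured <server.conf> -> 0 if a crl-verify line is present.
crl_configured() {
  grep -q '^crl-verify ' "$1"
}

# audit_revocations <index.txt> <server.conf>
# Returns 1 when certificates are revoked but the server would still accept them.
audit_revocations() {
  local n
  n=$(revoked_serials "$1" | wc -l | tr -d ' ')
  if [ "$n" -gt 0 ] && ! crl_configured "$2"; then
    echo "$n revoked certificate(s) in $1 but no crl-verify in $2: revocations are not enforced" >&2
    return 1
  fi
  return 0
}

# Constructed sample index, matching the two entries shown in the post.
write_sample_index() {
  printf 'V\t300511085047Z\t\t5B56FE89E9EAE090BE79DFD5C7E0FB03\tunknown\t/CN=server\n' > "$1"
  printf 'R\t300512013319Z\t200514013348Z\tF3037A17C769418D2C306D707D08DF68\tunknown\t/CN=xnile\n' >> "$1"
}

demo=$(mktemp -d)
write_sample_index "$demo/index.txt"
printf 'port 1194\nproto udp\n' > "$demo/server.conf"
echo "server: $(cert_status "$demo/index.txt" server)"
echo "xnile:  $(cert_status "$demo/index.txt" xnile)"
revoked_serials "$demo/index.txt"
audit_revocations "$demo/index.txt" "$demo/server.conf" || echo "audit failed, as expected before crl-verify is added"
echo 'crl-verify /etc/openvpn/easy-rsa/pki/crl.pem' >> "$demo/server.conf"
audit_revocations "$demo/index.txt" "$demo/server.conf" && echo "audit ok"
rm -rf "$demo"
```

On the server, `audit_revocations /etc/openvpn/easy-rsa/pki/index.txt /etc/openvpn/server.conf` is the check to run before the restart; the serial it lists for xnile is the same one printed by `easyrsa revoke` above.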
