OpenVPN service introduction (Section 1)
I. OpenVPN base environment (Section 1)
| 主机名 | IP地址 |
|---|---|
| OpenVPN server | (bridged) 192.168.1.101, (host-only) 10.0.1.101 |
| Web1 | (host-only) 10.0.1.102 |
| Web2 | (host-only) 10.0.1.103 |
NICs: bridged and host-only
The OpenVPN server has two NICs
[root@openvpn-server ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=192.168.1.101
PREFIX=24
GATEWAY=192.168.1.1
DNS1=223.5.5.5
[root@openvpn-server ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
BOOTPROTO=static
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=10.0.1.101
PREFIX=16
web1 and web2 each have a single NIC on the host-only network (as in the table above)
NIC configuration
[root@openvpn-web1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.1.102
PREFIX=16
[root@openvpn-web1 ~]# systemctl restart network
[root@openvpn-web2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.1.103
PREFIX=16
[root@openvpn-web2 ~]# systemctl restart network
Start of the lab:
OpenVPN server
1.1 Install OpenVPN
# The EPEL repository is required
[root@openvpn-server ~]# yum install -y epel-release
# Install openvpn and the certificate tooling (easy-rsa)
[root@openvpn-server ~]# yum install -y openvpn easy-rsa
[root@openvpn-server ~]# rpm -ql easy-rsa
[root@openvpn-server ~]# rpm -ql openvpn
1.2 Generate the OpenVPN server configuration file
[root@openvpn-server ~]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/server.conf
# Copy the easy-rsa tooling that will run the CA
[root@openvpn-server ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/
# 3 and 3.0 are symlinks to the versioned 3.0.8 directory
[root@openvpn-server ~]# ll /etc/openvpn/easy-rsa/
total 0
lrwxrwxrwx 1 root root 5 Nov 23 12:13 3 -> 3.0.8
lrwxrwxrwx 1 root root 5 Nov 23 12:13 3.0 -> 3.0.8
drwxr-xr-x 3 root root 66 Nov 23 12:13 3.0.8
[root@openvpn-server ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/3/vars
Inspect the directory structure
[root@openvpn-server ~]# cd /etc/openvpn/easy-rsa/3
[root@openvpn-server 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
1 directory, 11 files
1.3 Create the PKI and the CA
[root@openvpn-server 3]# pwd
/etc/openvpn/easy-rsa/3
# Initialize the PKI
[root@openvpn-server 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars <-- the vars file copied in 1.2 (3 is a symlink to 3.0.8)
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki <-- PKI directory
[root@openvpn-server 3]# ll /etc/openvpn/easy-rsa/3/pki
total 16
-rw------- 1 root root 4616 Nov 23 12:43 openssl-easyrsa.cnf
drwx------ 2 root root 6 Nov 23 12:43 private <-- private keys live here
drwx------ 2 root root 6 Nov 23 12:43 reqs <-- certificate signing requests
-rw------- 1 root root 4660 Nov 23 12:43 safessl-easyrsa.cnf
# Look at the tree again; it has changed
[root@openvpn-server 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files
1.4 Create the CA
[root@openvpn-server 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
..................................+++
..............................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: <-- press Enter to accept the default
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt <-- location of the new CA certificate
# Verify the CA certificate. ca.crt is public and is distributed to every client; the CA private key, pki/private/ca.key, must never leave this host, since anyone holding it can issue certificates the server will accept
[root@openvpn-server 3]# ll pki/ca.crt
-rw------- 1 root root 1172 Nov 23 12:52 pki/ca.crt
1.5 Create the OpenVPN server key and certificate request
[root@openvpn-server 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
............................................+++
..........+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-6808.D57gR5/tmp.XJU4Fj'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: <-- press Enter
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req <-- this request is what gets signed
key: /etc/openvpn/easy-rsa/3/pki/private/server.key
1.6 Sign the OpenVPN server certificate
[root@openvpn-server 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes <-- type yes to confirm
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-6862.DB2keF/tmp.laoir6
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Feb 25 05:11:20 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt <-- location of the issued certificate
Verify the issued server certificate. This is what the server presents during the TLS handshake; clients validate it against ca.crt, so ca.crt (not server.crt) is the file that later goes into each client bundle
[root@openvpn-server 3]# ll /etc/openvpn/easy-rsa/3/pki/issued/server.crt
-rw------- 1 root root 4547 Nov 23 13:11 /etc/openvpn/easy-rsa/3/pki/issued/server.crt
1.7 Create the Diffie-Hellman parameters
[root@openvpn-server 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................+.........................................+...................................+...................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem
# Verify
[root@openvpn-server 3]# ll /etc/openvpn/easy-rsa/3/pki/dh.pem
-rw------- 1 root root 424 Nov 23 13:48 /etc/openvpn/easy-rsa/3/pki/dh.pem
The server-side material is complete; now create the client certificate.
1.8 Create the client certificate
Copy the easy-rsa tooling into a separate client directory (a second PKI that only produces the client key and request; the request is still signed by the CA from 1.4)
[root@openvpn-server 3]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa-client
[root@openvpn-server 3]# cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/client/easy-rsa-client/3/vars
Generate the PKI directory
# Change into the client easy-rsa directory
[root@openvpn-server 3]# pwd
/etc/openvpn/client/easy-rsa-client/3
# Generate the PKI directory
[root@openvpn-server 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/client/easy-rsa-client/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa-client/3/pki
# Verify the PKI directory
[root@openvpn-server 3]# ll pki/
total 16
-rw------- 1 root root 4616 Nov 23 14:06 openssl-easyrsa.cnf
drwx------ 2 root root 6 Nov 23 14:06 private
drwx------ 2 root root 6 Nov 23 14:06 reqs
-rw------- 1 root root 4800 Nov 23 14:06 safessl-easyrsa.cnf
Generate the client key and signing request (the Common Name "sun" is the user name)
[root@openvpn-server 3]# ./easyrsa gen-req sun nopass
Note: using Easy-RSA configuration from: /etc/openvpn/client/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...............................+++
.........+++
writing new private key to '/etc/openvpn/client/easy-rsa-client/3/pki/easy-rsa-7200.MGU8lW/tmp.3pZifU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [sun]: <-- press Enter
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa-client/3/pki/reqs/sun.req
key: /etc/openvpn/client/easy-rsa-client/3/pki/private/sun.key
Verify the generated files
[root@openvpn-server 3]# tree /etc/openvpn/client/easy-rsa-client/3/pki/
/etc/openvpn/client/easy-rsa-client/3/pki/
├── openssl-easyrsa.cnf
├── private
│ └── sun.key
├── reqs
│ └── sun.req
└── safessl-easyrsa.cnf
2 directories, 4 files
1.9 Issue the user certificate
# Change to the CA directory
[root@openvpn-server 3]# cd /etc/openvpn/easy-rsa/3/
# Import the user's request file under the short name sun
[root@openvpn-server 3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa-client/3/pki/reqs/sun.req sun
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: sun
You may now use this name to perform signing operations on this request.
The request is imported here
[root@openvpn-server 3]# ll pki/reqs/
total 8
-rw------- 1 root root 887 Nov 23 13:02 server.req
-rw------- 1 root root 883 Nov 23 14:15 sun.req <-- imported request
Issue the user certificate with the client type (this sets the client Extended Key Usage, as opposed to the server type used in 1.6)
[root@openvpn-server 3]# ./easyrsa sign client sun
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
commonName = sun
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes <-- type yes to continue
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-7302.35mjGX/tmp.3QFKAn
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'sun'
Certificate is to be certified until Feb 25 06:19:45 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/sun.crt <-- the issued certificate is placed here
# Verify (the certificate and the key below are a pair)
[root@openvpn-server 3]# ll /etc/openvpn/easy-rsa/3/pki/issued/sun.crt
-rw------- 1 root root 4425 Nov 23 14:19 /etc/openvpn/easy-rsa/3/pki/issued/sun.crt
[root@openvpn-server 3]# ll /etc/openvpn/client/easy-rsa-client/3/pki/private/sun.key
-rw------- 1 root root 1704 Nov 23 14:10 /etc/openvpn/client/easy-rsa-client/3/pki/private/sun.key
1.10 Copy the server certificates into the certificate directory
# Certificate directory
[root@openvpn-server 3]# mkdir /etc/openvpn/certs
[root@openvpn-server 3]# cd /etc/openvpn/certs
# DH parameters
[root@openvpn-server certs]# cp /etc/openvpn/easy-rsa/3/pki/dh.pem ./
# CA certificate
[root@openvpn-server certs]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt ./
# OpenVPN server certificate
[root@openvpn-server certs]# cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt ./
# OpenVPN server private key
[root@openvpn-server certs]# cp /etc/openvpn/easy-rsa/3/pki/private/server.key ./
# Show the directory
[root@openvpn-server certs]# tree ./
./
├── ca.crt
├── dh.pem
├── server.crt
└── server.key
0 directories, 4 files
1.11 Client certificate and private key
[root@openvpn-server certs]# mkdir /etc/openvpn/client/sun/
[root@openvpn-server certs]# cd /etc/openvpn/client/sun/
# CA certificate
[root@openvpn-server sun]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt ./
# User certificate
[root@openvpn-server sun]# cp /etc/openvpn/easy-rsa/3/pki/issued/sun.crt ./
# User private key
[root@openvpn-server sun]# cp /etc/openvpn/client/easy-rsa-client/3/pki/private/sun.key ./
Check
[root@openvpn-server sun]# ll
total 16
-rw------- 1 root root 1172 Nov 23 14:58 ca.crt
-rw------- 1 root root 4425 Nov 23 14:59 sun.crt
-rw------- 1 root root 1704 Nov 23 15:06 sun.key
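Before these files go into /etc/openvpn/certs and the client bundle, it is worth checking that they are what the server and the client will actually need. The script below is an added example; it is not part of the original tutorial or of easy-rsa, and it assumes only the openssl command-line tool. It verifies that a certificate chains to ca.crt, reads the Extended Key Usage to confirm that the server certificate was issued with "sign server" and the user certificate with "sign client" (the extension that remote-cert-tls server checks on the client side), confirms that each private key belongs to its certificate, and checks that key files are not readable by others. make_demo_pki is this example's own helper: it builds a throwaway CA and two leaf certificates with plain openssl, shaped like easy-rsa output, so the checks can be exercised without touching the lab's real PKI.

```shell
#!/bin/sh
# Sanity checks for an OpenVPN certificate set (added example, not from the
# tutorial). Requires only the openssl CLI.

# Does the certificate chain up to the CA?
check_chain() {                      # check_chain <ca.crt> <cert.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Which role was the certificate issued for? easy-rsa's "sign server" and
# "sign client" differ in the Extended Key Usage extension, which is what
# "remote-cert-tls server" on the client validates.
cert_role() {                        # prints server | client | none
  eku=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | tail -n 1)
  case "$eku" in
    *'TLS Web Server Authentication'*) echo server ;;
    *'TLS Web Client Authentication'*) echo client ;;
    *) echo none ;;
  esac
}

# Does the private key belong to the certificate? Compare the RSA moduli.
key_matches() {                      # key_matches <cert.crt> <key.pem>
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Private keys must be owner-only (the ll output above shows -rw-------).
key_perms_ok() {
  case "$(ls -l "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Run all checks on <dir>/ca.crt, <dir>/<name>.crt, <dir>/<name>.key.
audit_pair() {                       # audit_pair <dir> <name> server|client
  dir=$1; name=$2; role=$3; rc=0
  check_chain "$dir/ca.crt" "$dir/$name.crt" || { echo "$name.crt: does not chain to ca.crt"; rc=1; }
  [ "$(cert_role "$dir/$name.crt")" = "$role" ] || { echo "$name.crt: EKU is not $role"; rc=1; }
  key_matches "$dir/$name.crt" "$dir/$name.key" || { echo "$name.key: does not match $name.crt"; rc=1; }
  key_perms_ok "$dir/$name.key" || { echo "$name.key: readable by others"; rc=1; }
  return $rc
}

# Demo-only helper: a throwaway CA plus server and client certificates built
# with plain openssl in the same shape easy-rsa produces. Prints the directory.
make_demo_pki() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$d/req.cnf"
  printf 'extendedKeyUsage = serverAuth\nkeyUsage = digitalSignature,keyEncipherment\n' > "$d/server.ext"
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$d/client.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/req.cnf" -extensions v3_ca \
    -subj '/CN=Easy-RSA CA' -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  for n in server client; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
      -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.req" >/dev/null 2>&1
    openssl x509 -req -days 825 -in "$d/$n.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/$n.ext" -out "$d/$n.crt" >/dev/null 2>&1
    chmod 600 "$d/$n.key"
  done
  echo "$d"
}

if [ "${1:-}" = demo ]; then
  d=$(make_demo_pki)
  audit_pair "$d" server server && audit_pair "$d" client client && echo "demo PKI OK"
  rm -rf "$d"
fi
```

`sh check-pki.sh demo` runs the self-test on the throwaway PKI. For the lab's real files the same functions apply to the flat directories built in 1.10 and 1.11: `audit_pair /etc/openvpn/certs server server` and `audit_pair /etc/openvpn/client/sun sun client`.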
1.12 Edit the server configuration file
[root@openvpn-server sun]# vim /etc/openvpn/server.conf
...
# Which local IP address should OpenVPN
# listen on? (optional)
local 192.168.1.101 <-- address to listen on (the bridged NIC)
# TCP or UDP server?
proto tcp <-- protocol; udp is commented out and tcp is used here
#proto udp
# the firewall for the TUN/TAP interface.
#dev tap <-- layer-2 device, normally used on a LAN
dev tun <-- layer-3 device, used across the internet
#;dev-node MyTap <-- only needed on Windows
# Locations of the certificate files
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
#;topology subnet <-- network topology, not needed here
server 10.8.0.0 255.255.248.0 <-- address pool handed out to clients (a /21); the server takes the first address, 10.8.0.1
#ifconfig-pool-persist ipp.txt <-- pin clients to fixed addresses, not needed
#;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 <-- bridge mode, not needed
#;server-bridge <-- bridge mode, not needed
push "route 10.0.0.0 255.255.0.0" <-- static routes pushed to clients; the next hop is the OpenVPN server's 10.8.0.1
push "route 192.168.20.0 255.255.255.0"
#;client-config-dir ccd <-- per-client configuration and routes, not needed
#;route 192.168.40.128 255.255.255.248
#;client-config-dir ccd
#;route 10.9.0.0 255.255.255.252
#;learn-address ./script <-- run an external script, for example to create per-group iptables rules; not configured
#;push "redirect-gateway def1 bypass-dhcp" <-- when enabled, all client traffic is sent through the VPN server; not wanted here
#;push "dhcp-option DNS 208.67.222.222" <-- push DNS servers to clients, not needed
#;push "dhcp-option DNS 208.67.220.220"
client-to-client <-- lets VPN clients talk to each other directly; optional (leave it out if clients should only reach the internal network)
#;duplicate-cn <-- lets several users share one certificate; only for test setups, in production each user gets their own certificate
keepalive 10 120 <-- ping every 10 seconds; if there is no reply within 120 seconds the peer is considered down
#tls-auth ta.key <-- generate the key with: openvpn --genkey --secret ta.key (OpenVPN 2.4 syntax). The server and every client need a copy; the second argument is 0 on the server and 1 on the client. It is left disabled in this lab, but on an internet-facing server it should be enabled: without it anyone who can reach port 1194 can start a TLS handshake with the daemon
cipher AES-256-CBC <-- data-channel cipher (the client must use the same one)
#;compress lz4-v2 <-- enable compression
#;push "compress lz4-v2"
#;comp-lzo <-- legacy compression, requires the client to enable it too
max-clients 4096 <-- maximum number of concurrent clients
user nobody <-- user and group the daemon drops to after start-up
group nobody
persist-key <-- keep the key material loaded across restarts (needed once privileges are dropped, because nobody cannot re-read the key files)
persist-tun <-- keep the tun device open across restarts instead of closing and reopening it
status /var/log/openvpn/openvpn-status.log <-- status file, rewritten every minute
#;log openvpn.log <-- log path; "log" truncates the file every time OpenVPN starts
log-append /var/log/openvpn/openvpn.log <-- appends to the existing log across restarts instead
verb 9 <-- log level 0-9, higher is more verbose. 9 is debug output and far too chatty for production; use 3 or 4 there
mute 20 <-- at most 20 consecutive messages of the same category are written to the log
#explicit-exit-notify 1 <-- tells clients to reconnect when the server restarts; udp only, tcp clients reconnect on their own
Create the OpenVPN log directory and hand it to the nobody user (the daemon drops to nobody after start-up)
[root@openvpn-server ~]# mkdir /var/log/openvpn
[root@openvpn-server ~]# chown nobody.nobody /var/log/openvpn -R
Final server-side configuration (active directives only):
[root@openvpn-server ~]# grep "^[a-zA-Z]" /etc/openvpn/server.conf
local 192.168.1.101
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.248.0
push "route 10.0.0.0 255.255.0.0"
push "route 192.168.20.0 255.255.255.0"
client-to-client
keepalive 10 120
cipher AES-256-CBC
max-clients 4096
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 9
mute 20
1.13 Client configuration file
# The client config uses the .ovpn extension; strip comments and blank lines from the sample
[root@openvpn-server ~]# grep -Ev "^(#|$|;)" /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf > /etc/openvpn/client/sun/client.ovpn
Show the directory
[root@openvpn-server ~]# tree /etc/openvpn/client/sun/
/etc/openvpn/client/sun/
├── ca.crt
├── client.ovpn
├── sun.crt
└── sun.key
0 directories, 4 files
1.14 Start the OpenVPN service
# Stop firewalld and disable it at boot (iptables-services is used instead)
[root@openvpn-server ~]# systemctl stop firewalld
[root@openvpn-server ~]# systemctl disable firewalld
# Install the packages
[root@openvpn-server ~]# yum install -y iptables-services iptables
# Start the service and enable it at boot
[root@openvpn-server ~]# systemctl start iptables.service
[root@openvpn-server ~]# systemctl enable iptables.service
# Flush the existing rules and counters
[root@openvpn-server ~]# iptables -F
[root@openvpn-server ~]# iptables -X
[root@openvpn-server ~]# iptables -Z
[root@openvpn-server ~]# iptables -t nat -F
[root@openvpn-server ~]# iptables -t nat -X
[root@openvpn-server ~]# iptables -t nat -Z
# Enable IP forwarding
[root@openvpn-server sun]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# Apply the sysctl setting
[root@openvpn-server sun]# sysctl -p
net.ipv4.ip_forward = 1
Create the iptables rules:
# Masquerade traffic from the VPN pool (10.8.0.0/21 is the same network as the server directive), so internal hosts see it as coming from the server's own address
[root@openvpn-server sun]# iptables -t nat -A POSTROUTING -s 10.8.0.0/21 -j MASQUERADE
# Allow inbound connections to the listener on tcp/1194 and return traffic for established sessions. With the INPUT policy still at ACCEPT (see the listing below) these two rules change nothing; on an internet-facing server set the INPUT policy to DROP once SSH and 1194 are allowed
[root@openvpn-server sun]# iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
[root@openvpn-server sun]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Save the rules
[root@openvpn-server sun]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Rule listing
[root@openvpn-server sun]# iptables -vnL
Chain INPUT (policy ACCEPT 60 packets, 10137 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
201 13849 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 145 packets, 14134 bytes)
pkts bytes target prot opt in out source destination
[root@openvpn-server sun]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 8 packets, 2399 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 8 packets, 2399 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 307 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 8 packets, 307 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/21 0.0.0.0/0
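The listing above shows INPUT and FORWARD at policy ACCEPT, so the two INPUT rules are no-ops and any host that can reach the server can have traffic forwarded through it in either direction. The function below generates a default-deny ruleset for this gateway in iptables-restore format. It is an added example, not from the tutorial; the defaults match the lab (eth0 on 192.168.1.0/24 for admin and VPN access, eth1 toward 10.0.0.0/16, tunnel pool 10.8.0.0/21), and the interface names, networks and admin network are parameters that are assumptions to adjust. valid_cidr is a small syntax check so that a typo in a network does not silently produce a rule that matches nothing.

```shell
#!/bin/sh
# Default-deny iptables ruleset for the OpenVPN gateway, in iptables-restore
# format (added example, not from the tutorial).

# Syntax check for a.b.c.d/n: digits and dots only, four octets <= 255, n <= 32.
valid_cidr() {
  case "$1" in
    *[!0-9./]*|*/*/*|*..*|/*|*/) return 1 ;;
    */*) ;;
    *) return 1 ;;
  esac
  ip=${1%/*}; len=${1#*/}
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# ovpn_ruleset [WAN_IF] [LAN_IF] [TUN_NET] [LAN_NET] [ADMIN_NET]
# Defaults are the lab values; all networks are validated first.
ovpn_ruleset() {
  wan=${1:-eth0}; lan=${2:-eth1}; tun_net=${3:-10.8.0.0/21}
  lan_net=${4:-10.0.0.0/16}; admin_net=${5:-192.168.1.0/24}
  for c in "$tun_net" "$lan_net" "$admin_net"; do
    valid_cidr "$c" || { echo "bad CIDR: $c" >&2; return 1; }
  done
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and return traffic for sessions the host opened or accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management: SSH only from the admin network
-A INPUT -i $wan -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# the VPN listener (proto tcp, port 1194 in server.conf)
-A INPUT -i $wan -p tcp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
# only tunnel traffic is forwarded, and only toward the internal network;
# replies come back through the ESTABLISHED rule
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -o $lan -s $tun_net -d $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide tunnel addresses behind the server's internal address, as the
# tutorial's MASQUERADE rule does, but only on the internal interface
-A POSTROUTING -s $tun_net -o $lan -j MASQUERADE
COMMIT
EOF
}

if [ "${1:-}" = demo ]; then
  ovpn_ruleset
fi
```

Review the output first, then apply it from a console session with `ovpn_ruleset > /tmp/ovpn.rules && iptables-restore < /tmp/ovpn.rules` (the INPUT policy becomes DROP, so an SSH session from outside the admin network would be cut off) and persist it with `service iptables save` as in the tutorial.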
Start the OpenVPN service
[root@openvpn-server sun]# systemctl start openvpn@server
[root@openvpn-server sun]# systemctl enable openvpn@server
# Check that port 1194 is listening
[root@openvpn-server sun]# ss -ntlp |grep 1194
LISTEN 0 32 192.168.1.101:1194 *:* users:(("openvpn",pid=19484,fd=5))
Check the tunnel device
[root@openvpn-server sun]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::4faa:72b2:2d73:6e3b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Check the OpenVPN log for errors
[root@openvpn-server sun]# tail -f /var/log/openvpn/openvpn.log
Fri Nov 25 11:21:58 2022 Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Nov 25 11:21:58 2022 Listening for incoming TCP connection on [AF_INET]192.168.1.101:1194
Fri Nov 25 11:21:58 2022 TCPv4_SERVER link local (bound): [AF_INET]192.168.1.101:1194
Fri Nov 25 11:21:58 2022 TCPv4_SERVER link remote: [AF_UNSPEC]
Fri Nov 25 11:21:58 2022 GID set to nobody
Fri Nov 25 11:21:58 2022 UID set to nobody
Fri Nov 25 11:21:58 2022 MULTI: multi_init called, r=256 v=256
Fri Nov 25 11:21:58 2022 IFCONFIG POOL: base=10.8.0.4 size=510, ipv6=0
Fri Nov 25 11:21:58 2022 MULTI: TCP INIT maxclients=4096 maxevents=4100
Fri Nov 25 11:21:58 2022 Initialization Sequence Completed
1.15 Install the OpenVPN client on a Windows PC
Official client download: openvpn.net/community-d…
Unofficial download: sourceforge.net/projects/se…
Install it on the Windows 10 host (on the bridged network)
On openvpn-server
Bundle the client files
[root@openvpn-server sun]# cd /etc/openvpn/client/sun/
[root@openvpn-server sun]# ll
total 20
-rw------- 1 root root 1172 Nov 25 10:27 ca.crt
-rw-r--r-- 1 root root 210 Nov 25 10:34 client.ovpn
-rw------- 1 root root 4425 Nov 25 10:27 sun.crt
-rw------- 1 root root 1704 Nov 25 10:27 sun.key
[root@openvpn-server sun]# cat client.ovpn
client
dev tun
proto tcp <-- must match the server's proto
remote 192.168.1.101 1194 <-- server address and port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert sun.crt <-- note the file names
key sun.key <-- note the file names
remote-cert-tls server <-- reject a peer whose certificate was not issued with the server type (the "sign server" EKU from 1.6)
#tls-auth ta.key 1 <-- disabled to match the server; if tls-auth is enabled there, ship ta.key in the bundle and use 1 here
cipher AES-256-CBC
verb 3
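The annotations in 1.12 and in the client.ovpn above amount to a checklist: tls-auth left disabled, verb 9, client-to-client, the cipher, and remote-cert-tls server on the client. The script below turns that checklist into a repeatable static audit of a server or client config file. It is an added example, not from the tutorial or the OpenVPN project; it needs only grep, awk and sed, and the directive names and their meanings are the ones explained above. write_demo_configs writes three constructed files into a directory: the tutorial's server.conf, a hardened variant of it, and the tutorial's client.ovpn, so the audit can be compared on a weak and on a corrected configuration.

```shell
#!/bin/sh
# Static audit of OpenVPN config files (added example, not from the tutorial).
# Prints one finding per line; no output means none of the checks fired.

# Is <directive> present as an active (uncommented) line in <file>?
has() { grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"; }
# First argument of <directive> in <file>, empty if the directive is absent.
val() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }

audit_ovpn() {                       # audit_ovpn <file> server|client
  f=$1; mode=$2
  if ! has "$f" tls-auth && ! has "$f" tls-crypt; then
    echo "no tls-auth/tls-crypt: control channel has no HMAC layer, any peer can start a TLS handshake"
  fi
  v=$(val "$f" verb)
  if [ -n "$v" ] && [ "$v" -gt 4 ]; then
    echo "verb $v: debug-level logging, far more than production needs"
  fi
  c=$(val "$f" cipher)
  case "$c" in
    AES-256-GCM|AES-128-GCM|AES-256-CBC|AES-128-CBC) ;;
    "") echo "cipher not set: OpenVPN 2.4 falls back to BF-CBC" ;;
    *) echo "cipher $c: not an AES cipher" ;;
  esac
  if [ "$mode" = server ]; then
    has "$f" duplicate-cn && echo "duplicate-cn: one certificate shared by many users, revoking it cuts off all of them"
    has "$f" client-to-client && echo "client-to-client: VPN clients can reach each other directly (informational)"
  else
    has "$f" remote-cert-tls || echo "no remote-cert-tls server: a client certificate from the same CA could impersonate the server"
  fi
  return 0
}

# Constructed sample inputs: the tutorial's server.conf, a hardened variant
# derived from it with sed, and the tutorial's client.ovpn.
write_demo_configs() {               # write_demo_configs <dir>
  cat > "$1/server.conf" <<'EOF'
local 192.168.1.101
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.248.0
push "route 10.0.0.0 255.255.0.0"
client-to-client
keepalive 10 120
#tls-auth ta.key
cipher AES-256-CBC
max-clients 4096
user nobody
group nobody
persist-key
persist-tun
verb 9
mute 20
EOF
  # Hardened: HMAC on the control channel, AEAD cipher, normal log level,
  # no client-to-client.
  sed -e 's|^#tls-auth ta.key$|tls-auth /etc/openvpn/certs/ta.key 0|' \
      -e 's|^cipher .*|cipher AES-256-GCM|' -e 's|^verb 9$|verb 3|' \
      -e '/^client-to-client$/d' "$1/server.conf" > "$1/server-hardened.conf"
  cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 192.168.1.101 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert sun.crt
key sun.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); write_demo_configs "$d"
  for f in server.conf server-hardened.conf; do echo "== $f"; audit_ovpn "$d/$f" server; done
  echo "== client.ovpn"; audit_ovpn "$d/client.ovpn" client
  rm -rf "$d"
fi
```

On the tutorial's server.conf the audit reports the missing tls-auth, verb 9 and client-to-client; on the hardened variant it reports nothing; on client.ovpn it reports only the disabled tls-auth, which is consistent with the server. For the real files run `audit_ovpn /etc/openvpn/server.conf server` and `audit_ovpn /etc/openvpn/client/sun/client.ovpn client`.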
[root@openvpn-server sun]# tar czvf sun.tar.gz ./*
./ca.crt
./client.ovpn
./sun.crt
./sun.key
# Download the bundle from the Xshell session with sz (ZMODEM) and hand it to the user. It contains sun.key, the user's private key, so deliver it over an authenticated channel and remove the server-side copy once the user has it
[root@openvpn-server sun]# sz sun.tar.gz
On Windows 10
Extract sun.tar.gz
Connect
Win+R, type cmd
Check the IP address
Cross-subnet access
From the same Windows host, use Xshell to SSH across the subnet boundary
[c:\~]$ ssh 10.0.1.103
[c:\~]$ Connecting to 10.0.1.103:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Sat Nov 26 14:30:33 2022 from 10.0.1.102
[root@openvpn-web2 ~]# netstat -tanlp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4765/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 5023/master
tcp 0 52 10.0.1.103:22 10.0.1.101:50615 ESTABLISHED 18631/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 4765/sshd
tcp6 0 0 ::1:25 :::* LISTEN 5023/master
Done. Note that web2 records the session as coming from 10.0.1.101, the server's host-only address, rather than from the client's 10.8.0.x tunnel address: that is the MASQUERADE rule at work. If the internal hosts need to see real client addresses (for logging or per-client access control), drop the MASQUERADE rule and instead give those hosts a route for 10.8.0.0/21 via 10.0.1.101.