
Setting up an OpenVPN server

 The company's telephony is an IPPBX with Yealink T21 handsets. So that the external offices can call in, we set up an OpenVPN server and issue each handset a certificate with which the T21 connects to the VPN; calls between sites then travel over the internet at no toll cost.

   Setting up the OpenVPN server (CentOS 7.4 + easy-rsa 3.0.3 + OpenVPN 2.4.7)

   1. Switch yum to the aliyun mirror and run yum update, then install with yum. I am in the habit of disabling SELinux and firewalld and leaving them off at boot; on a host that accepts connections from the internet it is safer to leave firewalld running and open only the OpenVPN port (udp/1194 by default).

   2. openvpn and easy-rsa live in EPEL, so install that repository first, refresh the cache, then install the packages (the original one-liner had "makecache" and "epel-release" mixed into the package list, where they are not package names and do nothing):
      yum -y install epel-release
      yum makecache
      yum -y install openvpn easy-rsa net-tools lzo lzo-devel gcc openssl openssl-devel pam pam-devel automake pkgconfig

   3. cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa   # after installation, copy the 2.7, 3.0 and 3.0.3 trees into /etc/openvpn

   4. Since the copied tree contains 2.7, 3.0 and 3.0.3, I delete 2.7 and 3.0 and keep only 3.0.3. Inside 3.0.3, copy the example vars file to vars (I keep a backup, cp vars vars.bak, before editing). Some guides tell you to uncomment or edit "line 45" and "line 65", but the file is long and the line numbers differ between versions, so I simply cut vars down to the handful of lines I need (the screenshot of the result is not reproduced here): the EASYRSA_REQ_* fields, the key size and the expiry. Everything else goes.

   5. With vars edited, initialise the PKI and create the CA, working in /etc/openvpn/easy-rsa/3.0.3: ./easyrsa init-pki only creates an empty pki/ directory; the CA itself (pki/ca.crt and pki/private/ca.key) is produced by ./easyrsa build-ca. ca.key is the root of trust for the whole VPN and must never be copied anywhere else.

   6. Create the server key and certificate request (gen-req server).

   7. Sign the server request (sign-req server server). The first argument, server, sets the certificate type; the phones check it with remote-cert-tls server.

   8. Create the Diffie-Hellman parameters (gen-dh).

   9. Create the client certificate. Copy the 3.0.3 tree in the same way to /etc/openvpn/client/easy-rsa/, so that the client request is generated in a PKI of its own; remember that the client certificate files live under /etc/openvpn/client/easy-rsa/3.0.3. Both PKIs are on the same host here, so the separation is organisational, but it mirrors the proper flow: the client's private key is created where the client lives and only the request travels to the CA. Issue one certificate per handset rather than sharing one client certificate between phones, so that a lost phone can be revoked on its own.

        # working directory: /etc/openvpn/client/easy-rsa/3.0.3

        [root@localhost 3.0.3]# ./easyrsa init-pki    # create a new PKI for the client requests

        Note: using Easy-RSA configuration from: ./vars
        init-pki complete; you may now create a CA or requests.
        Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.3/pki

        [root@localhost 3.0.3]# ./easyrsa gen-req client nopass   # client certificate named "client", key without a passphrase

        Note: using Easy-RSA configuration from: ./vars
        Generating a 2048 bit RSA private key
        ..........+++
        ......+++
        writing new private key to '/etc/openvpn/client/easy-rsa/3.0.3/pki/private/client.key.FkrLzXH9Bm'
        -----
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter '.', the field will be left blank.
        -----
        Common Name (eg: your user, host, or server name) [client]:    (press Enter to accept the default)

        Keypair and certificate request completed. Your files are:
        req: /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/client.req
        key: /etc/openvpn/client/easy-rsa/3.0.3/pki/private/client.key


   10. Sign the client request from the CA directory: cd /etc/openvpn/easy-rsa/3.0.3

        [root@localhost 3.0.3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.3/pki/reqs/client.req client   # import the client request into the CA's PKI under the name "client"

        [root@localhost 3.0.3]# ./easyrsa sign client client   # documented as sign-req: type "client", request name "client"

       The first argument is the certificate type. A handset's request must be signed as client, never as server: the phones verify the server with remote-cert-tls server, so a client certificate signed with the server type would let whoever holds it impersonate the VPN server to the other phones.


       The transcript below was captured while signing the server request in step 7 (subject "server", output server.crt); for the client request the subject reads commonName = client, the type line says "client certificate" and the file written is pki/issued/client.crt.

       Note: using Easy-RSA configuration from: ./vars

       You are about to sign the following certificate.
       Please check over the details shown below for accuracy. Note that this request
       has not been cryptographically verified. Please be sure it came from a trusted
       source or that you have verified the request checksum with the sender.

       Request subject, to be signed as a server certificate for 3650 days:

       subject=
           commonName                = server

       Type the word 'yes' to continue, or any other input to abort.
         Confirm request details: yes             (type yes and press Enter)
       Using configuration from ./openssl-1.0.cnf
       Check that the request matches the signature
       Signature ok
       The Subject's Distinguished Name is as follows
       commonName            :ASN.1 12:'server'
       Certificate is to be certified until Apr  7 14:54:08 2028 GMT (3650 days)

       Write out database with 1 new entries
       Data Base Updated

       Certificate created at: /etc/openvpn/easy-rsa/3.0.3/pki/issued/server.crt

       The warning in the transcript matters once requests really do come from another machine: easyrsa cannot tell who produced a request, so compare its details and fingerprint with the sender (./easyrsa show-req client) before typing yes.
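Steps 4 to 10 as one script, added here as an example (it is not from the original post) so that the commands the lost screenshots held are in one place. It follows the article's layout (CA and server PKI in /etc/openvpn/easy-rsa/3.0.3, client requests in /etc/openvpn/client/easy-rsa/3.0.3) and writes a trimmed vars like the author's; the vars values (country, organisation and so on) are placeholders, and the client name defaults to the article's "client" although in practice each handset gets its own name. It adds two items the article does not show, a tls-auth key and a CRL, both of which a server.conf can use. Run it on the server after step 3 as sh build-pki.sh run.

```shell
#!/bin/sh
# Added example: complete easy-rsa 3.0.3 PKI build for the OpenVPN server above.
# Paths follow the article; the vars values are assumed placeholders.
set -eu

CA_DIR=${CA_DIR:-/etc/openvpn/easy-rsa/3.0.3}                  # CA + server PKI (steps 5-8, 10)
CLIENT_DIR=${CLIENT_DIR:-/etc/openvpn/client/easy-rsa/3.0.3}   # client request PKI (step 9)
CLIENT_NAME=${CLIENT_NAME:-client}                            # one name per handset in real life

# Trimmed vars (step 4): only the values that differ from easy-rsa's defaults.
# Left alone if a vars file already exists, so an edited one is not overwritten.
write_vars() {
    [ -e "$1/vars" ] && return 0
    cat > "$1/vars" <<'EOF'
set_var EASYRSA_REQ_COUNTRY   "CN"
set_var EASYRSA_REQ_PROVINCE  "Guangdong"
set_var EASYRSA_REQ_CITY      "Shenzhen"
set_var EASYRSA_REQ_ORG       "Example Corp"
set_var EASYRSA_REQ_EMAIL     "admin@example.com"
set_var EASYRSA_REQ_OU        "Telephony"
set_var EASYRSA_KEY_SIZE      2048
set_var EASYRSA_CA_EXPIRE     3650
set_var EASYRSA_CERT_EXPIRE   3650
EOF
}

build_ca_and_server() {
    cd "$CA_DIR"
    write_vars .
    ./easyrsa init-pki                          # step 5: empty pki/
    ./easyrsa --batch build-ca nopass           # step 5: pki/ca.crt + pki/private/ca.key (stays here forever)
    ./easyrsa --batch gen-req server nopass     # step 6
    ./easyrsa --batch sign-req server server    # step 7: type "server", checked by clients' remote-cert-tls
    ./easyrsa gen-dh                            # step 8: pki/dh.pem
    ./easyrsa gen-crl                           # pki/crl.pem, for crl-verify on the server
    openvpn --genkey --secret pki/ta.key        # tls-auth key (OpenVPN 2.4 syntax)
}

build_client_request() {
    cd "$CLIENT_DIR"
    write_vars .
    ./easyrsa init-pki
    ./easyrsa --batch gen-req "$CLIENT_NAME" nopass   # step 9: the private key never leaves this PKI
}

sign_client() {
    cd "$CA_DIR"
    ./easyrsa import-req "$CLIENT_DIR/pki/reqs/$CLIENT_NAME.req" "$CLIENT_NAME"
    ./easyrsa --batch sign-req client "$CLIENT_NAME"  # step 10: type "client", never "server"
}

# Preflight check before the files are moved into /etc/openvpn (step 11):
# pki_complete CA_PKI CLIENT_PKI NAME returns 0 only if every file that
# server.conf and the client profile need exists and is non-empty.
pki_complete() {
    for f in "$1/ca.crt" "$1/issued/server.crt" "$1/private/server.key" \
             "$1/dh.pem" "$1/ta.key" "$1/crl.pem" \
             "$1/issued/$3.crt" "$2/private/$3.key"; do
        [ -s "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
}

if [ "${1:-}" = run ]; then
    build_ca_and_server
    build_client_request
    sign_client
    pki_complete "$CA_DIR/pki" "$CLIENT_DIR/pki" "$CLIENT_NAME" && echo "PKI complete"
fi
```

When a handset is lost, ./easyrsa revoke NAME followed by ./easyrsa gen-crl and a fresh copy of pki/crl.pem to /etc/openvpn is all that is needed to lock that phone out, which is the reason for issuing one certificate per phone.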


   11. Next, tidy the files into place: the server-side material (ca.crt, server.crt, server.key, dh.pem, plus ta.key and crl.pem if you use them) goes to /etc/openvpn/, the client material (ca.crt, client.crt, client.key) to /etc/openvpn/client/; then write server.conf and client.conf. ca.key stays in the CA's pki/private directory and is copied to neither location. Keep server.key and the client keys readable by root only (chmod 600).

   12. When the configuration is done, reboot if you disabled SELinux in step 1 (that change only takes effect at boot), then start the service. On CentOS 7 the openvpn@server unit reads /etc/openvpn/server.conf, so enable and start that unit.

   13. vi /etc/sysctl.d/99-sysctl.conf   # add the line net.ipv4.ip_forward = 1 so the server forwards packets between the tunnel and the office LAN
          sysctl -p                        # apply and print the result

          That completes the server. On the PC, copy out the files that belong to that client and check that the connection comes up.
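A server.conf for steps 11 to 13, added here as an example rather than the file from the original post (the screenshot of server.conf did not survive). The tunnel subnet 10.8.0.0/24 and the office LAN 192.168.1.0/24 where the IPPBX sits are assumed placeholders; the file paths are the ones step 11 uses, and ta.key and crl.pem are the extra files the PKI script above produces.

```conf
# /etc/openvpn/server.conf  (added example; assumed addresses are marked)
port 1194
proto udp
dev tun

ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key      # root-only, chmod 600
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0    # control-channel HMAC; clients use key-direction 1
crl-verify /etc/openvpn/crl.pem   # reject certificates revoked with ./easyrsa revoke + gen-crl

server 10.8.0.0 255.255.255.0             # assumed tunnel subnet
push "route 192.168.1.0 255.255.255.0"    # assumed office LAN; the IPPBX lives here
keepalive 10 120

cipher AES-256-CBC    # baseline every 2.x client accepts; 2.4 peers negotiate AES-256-GCM on top via ncp-ciphers
auth SHA256
tls-version-min 1.2   # drop only if the phone firmware's OpenVPN client cannot do TLS 1.2
remote-cert-tls client   # only certificates signed with type "client" may connect

user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
```

Two points that the steps above leave implicit. First, ip_forward from step 13 is necessary but not sufficient: the IPPBX (or the LAN's default gateway) needs a route for 10.8.0.0/24 pointing at the VPN server's LAN address, otherwise its replies to the phones never come back; the alternative is to masquerade the tunnel subnet on the VPN server. Second, cipher, auth, tls-version-min and the tls-auth key direction must be mirrored in the client profile, and the T21 firmware's embedded OpenVPN client decides how far you can tighten them, so check its release notes before changing them. Compression (comp-lzo) is deliberately absent even though lzo was installed in step 2: it is not needed for voice and has a known plaintext-recovery weakness (VORACLE), and if you do enable it both sides must agree.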

   14. Install the OpenVPN client on the PC.

   15. After installation, open its installation directory.

   16. Copy ca.crt, client.crt and client.key (and ta.key if the server uses tls-auth) into the config folder. Copy only those: the client does not need ca.key, and it must not have it, because anyone holding ca.key can issue certificates the server will trust.

   17. Copy client.ovpn into the same folder and edit it along the lines of client.conf; the only difference is that the ca, cert and key lines name the files without a path, since they sit in the config folder next to the profile.

   Save, click Connect, and you are on the company network.
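Steps 16 and 17 as a small script, added here as an example (it is not from the original post): it assembles a single-file .ovpn from exactly the files a client needs and checks the result before it leaves the server. The server name vpn.example.com and the directory layout are placeholders; the cipher, auth and key-direction lines mirror the server.conf values assumed in step 11 and must match whatever your server actually uses. The same rule applies to the handsets, whatever packaging the phone firmware expects: ca.crt, client.crt, client.key (and ta.key), never ca.key.

```shell
#!/bin/sh
# Added example (not from the original post): build a client profile that
# carries only what the client needs. ca.key is never read, let alone copied.
set -eu

# Keep only the PEM block(s) of a file: easy-rsa's issued/*.crt begin with a
# human-readable dump that does not belong inside <cert>...</cert>.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_client_profile DIR NAME SERVER OUT
#   DIR holds ca.crt, NAME.crt, NAME.key and ta.key; SERVER is the VPN host
#   (placeholder in the usage below); OUT is the unified profile to write.
make_client_profile() {
    dir=$1; name=$2; server=$3; out=$4
    for f in "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" "$dir/ta.key"; do
        [ -s "$f" ] || { echo "refusing to build profile: $f missing or empty" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3
EOF
        echo '<ca>';       pem_only "$dir/ca.crt";     echo '</ca>'
        echo '<cert>';     pem_only "$dir/$name.crt";  echo '</cert>'
        echo '<key>';      pem_only "$dir/$name.key";  echo '</key>'
        echo '<tls-auth>'; pem_only "$dir/ta.key";     echo '</tls-auth>'
    } > "$out"
    chmod 600 "$out"
}

# profile_is_safe FILE: the profile embeds the client's certificate and exactly
# one private key (its own). A second key block means ca.key or another
# client's key was pasted in by mistake. ta.key is not a "PRIVATE KEY" block.
profile_is_safe() {
    grep -q '^<cert>$' "$1" && grep -q '^<key>$' "$1" &&
    [ "$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1")" -eq 1 ]
}

# Usage on the server: sh make-profile.sh run /etc/openvpn/client phone1 vpn.example.com
if [ "${1:-}" = run ]; then
    make_client_profile "$2" "$3" "$4" "$3.ovpn"
    profile_is_safe "$3.ovpn" && echo "wrote $3.ovpn"
fi
```

A unified profile like this replaces step 17's separate ca, cert and key files: the PC client (and any other OpenVPN client that accepts inline certificates) needs only the one .ovpn, which makes it harder to ship the wrong file along with it.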
