
OpenVPN use cases

a) Remote work for company staff: employees connect to the company servers over VPN to reach the ERP, OA and similar systems, and IT staff connect to the server room over VPN for system maintenance.

b) Connectivity between headquarters and branch offices, linking each branch to HQ.

c) Interconnection between several IDC server rooms, giving cross-site connectivity, data sharing and file transfer.

Note: OpenVPN is suited to functional connectivity; for high-traffic, high-bandwidth applications a point-to-point leased line is recommended instead.

# 1. Installation

:::warning
Commands differ slightly between environments and software versions; in particular, easy-rsa 2.0 and 3.0 differ considerably in usage.

Although the commands vary, the overall build process is always the same:

Install the software -> generate the certificates (CA root certificate, server certificate) -> configure the OpenVPN server -> add firewall rules (SNAT) -> start the OpenVPN server -> create a user and test the connection (create the client certificate, generate the .ovpn configuration file, package the files for the client)
:::

[Image: openvpn-install-step]

Environment:
CentOS 7
easy-rsa 3.0.5
OpenVPN 2.4.7
The system clock must be synchronised with a time server
```
# Switch to the Aliyun mirror
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all && yum makecache

[root@beta ~]# yum install -y epel-release
[root@beta ~]# yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel
[root@beta ~]# yum -y install epel-release
[root@beta ~]# yum -y install openvpn easy-rsa iptables-services

# Or install with the script
[root@beta ~]# sh openvpn-install.sh
Welcome to this OpenVPN "road warrior" installer!

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

First, provide the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: 

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 2

What port do you want OpenVPN listening to?
Port: 330

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) Verisign
DNS [1-5]: 1
```

Enter the user name

```
Finally, tell me your name for the client certificate.
Please, use one word only, no special characters.
Client name: client1
Okay, that was all I needed. We are ready to set up your OpenVPN server now.
Press any key to continue...
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package epel-release-7-11.noarch already installed and latest version
Nothing to do
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package iptables-1.4.21-28.el7.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-16.el7_6.1.x86_64 already installed and latest version
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openvpn.x86_64 0:2.4.7-1.el7 will be installed
--> Finished Dependency Resolution

....

Installed:
  openvpn.x86_64 0:2.4.7-1.el7
Complete!

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/server/easy-rsa/pki

Generating RSA private key, 2048 bit long modulus
.............................+++
................................+++
e is 65537 (0x10001)

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..+++
.............................................+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/server.key.IseSDZ9N9j'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep  3 03:03:59 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...............+++
....+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/private/client1.key.EdLb68mAda'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Sep  3 03:04:00 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from ./safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem

Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service to /etc/systemd/system/openvpn-iptables.service.
Job for openvpn-iptables.service failed because the control process exited with error code. See "systemctl status openvpn-iptables.service" and "journalctl -xe" for details.
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service to /usr/lib/systemd/system/openvpn-server@.service.

Finished!

Your client configuration is available at: /root/client1.ovpn
If you want to add more clients, you simply need to run this script again!
```

Note the line "Job for openvpn-iptables.service failed": in this run the installer's own firewall unit did not start, which is why the NAT and forwarding rules are applied by hand in the iptables section below.

# 2. Steps

Answers given to the installer prompts:

```
IP address: leave the listen address empty
Protocol: [2] TCP
Port: 1194
DNS: skip (keep the default)
Client name: client_k2
External IP: the server's public IP address
```

# 3. Add a user

```
Select an option [1-4]: 1   (add a new user)
Client name: client_name
```

# 4. Delete (revoke) a user

```
[root@beta ~]# sh openvpn-install.sh
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:
```

# 5. Start the service

```
# Restart to apply the configuration
[root@beta server]# systemctl restart openvpn-server@server.service

# Start the service at boot
[root@beta server]# systemctl enable openvpn-server@server.service
```

# 6. Configure iptables and forwarding

```
# Stop the firewalld firewall
[root@beta ~]# systemctl stop firewalld.service    # stop the service
[root@beta ~]# systemctl disable firewalld.service # do not start at boot
[root@beta ~]# firewall-cmd --state                # check the status

# Delete FORWARD rules: list them with line numbers, then delete by number
iptables -nL FORWARD --line-number
iptables -D FORWARD 1

# View the NAT table
[root@beta ~]# iptables -L -n -t nat --line-number

# Delete a NAT (SNAT) rule by its line number
iptables -t nat -D POSTROUTING 1
iptables -t nat -D POSTROUTING 7

# Rule that gives the OpenStack VMs internet access
iptables -t nat -A POSTROUTING -s 172.28.101.111/255.255.255.0 -o ens33 -j MASQUERADE

## If using iptables
[root@beta ~]# yum -y install iptables iptables-services
[root@beta ~]# iptables -t nat -A POSTROUTING -s 17.166.221.0/24 -o ens192 -j MASQUERADE   # NAT

[root@beta ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

# Save
[root@beta ~]# service iptables save
[root@beta ~]# systemctl start iptables.service

# View
[root@beta ~]# iptables -L -n
[root@beta ~]# iptables -t nat -L -n

## If using firewall-cmd
[root@beta ~]# firewall-cmd --permanent --add-masquerade
[root@beta ~]# firewall-cmd --permanent --add-service=openvpn

# Or add a custom port
# firewall-cmd --permanent --add-port=1194/tcp
[root@beta ~]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[root@beta ~]# firewall-cmd --reload

## Enable IP forwarding
[root@beta ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# or, temporarily (lost on reboot):
echo "1" > /proc/sys/net/ipv4/ip_forward
[root@beta ~]# sysctl -p
```

:::warning
At this point the OpenVPN setup is complete, but after connecting to the VPN the local network still cannot reach the internet.
The 17.166.221.0/24 address is the one defined in the VPN server configuration file.
:::

```
[C:\~]$ ping www.baidu.com

正在 Ping www.a.shifen.com [220.181.38.150] 具有 32 字节的数据:
请求超时。

220.181.38.150 的 Ping 统计信息:
    数据包: 已发送 = 1,已接收 = 0,丢失 = 1 (100% 丢失),
```

:::warning
Allow FORWARD for the tun0 interface
:::

OpenVPN NAT configuration notes

```
# 192.168.10.0 is the virtual (tun) interface network
iptables -t nat -A POSTROUTING -s 172.31.33.214/20 -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
############################################

[root@beta ~]# iptables -I FORWARD -i tun0 -j ACCEPT
[root@beta ~]# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@beta ~]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
```

```
[C:\~]$ ping www.baidu.com

正在 Ping www.wshifen.com [103.235.46.39] 具有 32 字节的数据:
来自 103.235.46.39 的回复: 字节=32 时间=55ms TTL=56
来自 103.235.46.39 的回复: 字节=32 时间=134ms TTL=56

103.235.46.39 的 Ping 统计信息:
    数据包: 已发送 = 2,已接收 = 2,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 55ms,最长 = 134ms,平均 = 94ms
```

If it still does not work, check the rules the installer wrote, the NAT table, the forwarding flag, the listening port and the process:

```
cat /etc/iptables/add-openvpn-rules.sh
iptables -t nat -A POSTROUTING -s 10.8.8.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 56619 -j ACCEPT

iptables -t nat -L -n -v
sysctl net.ipv4.ip_forward
netstat -tulpn | grep :1194
ps aux | grep openvpn
```
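The checklist above, turned into a script that can be run on the server after setup. This is an added example, not part of the original page or of the installer script; it assumes the VPN subnet is 10.8.0.0/24, the tunnel interface is tun0 and the port is 1194, and it relies on `sysctl`, `iptables -S` and `ss`. Each check takes the relevant command output as an argument, so the functions can be exercised offline against the constructed samples at the bottom.

```shell
#!/bin/sh
# Added example (not from the original page): the "if it still does not work"
# checklist as testable functions. Each check takes the relevant command
# output as an argument, so it runs against live output on the server or
# against the constructed samples below. Assumed values: VPN subnet
# 10.8.0.0/24, interface tun0, port 1194; adjust them to the server config.
VPN_SUBNET="10.8.0.0/24"
VPN_IF="tun0"
VPN_PORT="1194"

# Escape the dots of a subnet so it can be used inside an extended regex.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Check 1: forwarding is on. Argument: output of `sysctl -n net.ipv4.ip_forward`.
forward_enabled() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; }

# Check 2: a MASQUERADE rule covers the VPN subnet.
# Argument: output of `iptables -t nat -S POSTROUTING`.
has_masquerade() {
  printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING -s $(re_escape "$VPN_SUBNET") .*-j MASQUERADE"
}

# Check 3: packets arriving on tun0 may be forwarded, either because the chain
# policy is ACCEPT or because an explicit "-i tun0 ... -j ACCEPT" rule exists.
# Argument: output of `iptables -S FORWARD`.
forward_allows_tun() {
  printf '%s\n' "$1" | grep -Eq "^-P FORWARD ACCEPT$|^-A FORWARD -i $VPN_IF( .*)? -j ACCEPT$"
}

# Check 4: something listens on the VPN port. Argument: output of `ss -tulpn`
# (or `netstat -tulpn`, whose address column has the same host:port form).
port_listening() { printf '%s\n' "$1" | grep -Eq "[:.]$VPN_PORT[[:space:]]"; }

# Prints one line per check and records any failure in rc.
report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }

# Runs all four checks against the live system; needs root for iptables.
run_checks() {
  rc=0
  report forward_enabled "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)"
  report has_masquerade "$(iptables -t nat -S POSTROUTING 2>/dev/null)"
  report forward_allows_tun "$(iptables -S FORWARD 2>/dev/null)"
  report port_listening "$(ss -tulpn 2>/dev/null)"
  return $rc
}

# Constructed sample output (not captured from a real host) for offline use.
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
SAMPLE_FWD='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:1194        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Run the live checks only when invoked as: sh vpn-check.sh --live
if [ "${1:-}" = "--live" ]; then run_checks; fi
```

A "FAIL" on check 2 or 3 is the usual cause of the "connected but no internet" symptom shown above.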
iptables rule listing for reference:

```
[root@hkfengkongnginx ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:61379

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

[root@hkfengkongnginx ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0
```

Reaching the internal network by adding a route

Add a route on the internal host web01 so that it has a path back to the OpenVPN clients. Without it, web01 receives the packets from the client but cannot send the replies back.

```
[root@web01 ~]# route add -net 10.8.0.0/24 gw 172.16.1.61
```

Reaching the internal network through the firewall

Enable the firewall on the server, allow the openvpn service and turn on masquerade.

Advantage: the firewall rules are configured only on the OpenVPN server; the internal hosts need no changes.

```
systemctl start firewalld
firewall-cmd --add-masquerade --permanent
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --reload
```