Add the EPEL repository to the system and update all current packages
# yum -y install epel-release
# yum -y update
Install the required dependencies
# yum -y install unzip zip vim wget bash-completion net-tools bind-utils iptables-services
Install OpenVPN itself
# yum -y install openvpn
and start working with it. Create a directory for the keys, a directory for the logs, and the log files themselves
# mkdir /etc/openvpn/keys && mkdir /etc/openvpn/ccd && mkdir /var/log/openvpn
# touch /var/log/openvpn/openvpn.log /var/log/openvpn/openvpn-status.log
Go to the key directory and start generating them. We will use the EasyRSA tool for this.
# cd /etc/openvpn/keys
# wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
# unzip master.zip
# cd /etc/openvpn/keys/easy-rsa-master/easyrsa3
# mv vars.example vars
# ./easyrsa init-pki
# ./easyrsa build-ca
Here we are asked to choose a password for the CA key; it will be required every time a server or client certificate is signed. Forgetting this password is strongly discouraged.
Next we generate the certificate request for the server
# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/keys/easy-rsa-master/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.............................+++
............................................................+++
writing new private key to '/etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/easy-rsa-11692.ZCAF5u/tmp.tqT0Yu'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/reqs/server.req
key: /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/private/server.key
And sign it. This is where the CA password we chose in the previous step is needed
# ./easyrsa sign-req server server

Note: using Easy-RSA configuration from: /etc/openvpn/keys/easy-rsa-master/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/easy-rsa-11718.to8xAl/tmp.HTbbMI
Enter pass phrase for /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jun 28 17:09:35 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/issued/server.crt
Generate the Diffie-Hellman parameters, and the ta.key that the server config will use for tls-auth
# ./easyrsa gen-dh
# openvpn --genkey --secret /etc/openvpn/ta.key
Put all the keys in a convenient place
# cp pki/ca.crt /etc/openvpn/ca.crt
# cp pki/dh.pem /etc/openvpn/dh.pem
# cp pki/issued/server.crt /etc/openvpn/server.crt
# cp pki/private/server.key /etc/openvpn/server.key
Now we can create the keys for the clients. Again we generate a request and then sign it with our own CA.
Note the client's login, client1. We will need it later.
# ./easyrsa gen-req client1 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/keys/easy-rsa-master/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.................+++
......+++
writing new private key to '/etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/easy-rsa-11826.Dzy7yF/tmp.v1vqts'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/reqs/client1.req
key: /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/private/client1.key
Sign it, using that login as the name
# ./easyrsa sign-req client client1

Note: using Easy-RSA configuration from: /etc/openvpn/keys/easy-rsa-master/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    commonName                = client1


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/easy-rsa-11852.TCwJXt/tmp.E1Ymp9
Enter pass phrase for /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Jun 28 17:19:40 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/issued/client1.crt
Important! When the client key creation procedure is complete, we have 2 files that will be needed to build the client configurations:
— the certificate file /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/issued/client1.crt
— the private key file /etc/openvpn/keys/easy-rsa-master/easyrsa3/pki/private/client1.key
As mentioned above, we will assign each client a static internal IP for the routing we need. The binding between a user and an IP is made by creating a small file named after the client, with the following content
# cat /etc/openvpn/ccd/client1
ifconfig-push 10.8.0.81 255.255.255.0
that is, whenever client1 connects it will always receive the IP 10.8.0.81
The line client-config-dir /etc/openvpn/ccd in the server configuration file is what makes this work
Here is the whole configuration file (/etc/openvpn/server.conf, the file the systemd unit below loads with --config server.conf)
port 1194
proto tcp
dev tun
client-config-dir /etc/openvpn/ccd
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 0
Next we start, enable and check the service
# systemctl start openvpn@server
# systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-07-14 13:23:51 EDT; 10s ago
 Main PID: 12281 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─12281 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

Jul 14 13:23:51 vps systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Jul 14 13:23:51 vps systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
All good here. Now check the log for errors
# cat /var/log/openvpn/openvpn.log
...
Sun Jul 14 13:23:51 2019 us=976602 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sun Jul 14 13:23:51 2019 us=976653 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Sun Jul 14 13:23:51 2019 us=980260 Diffie-Hellman initialized with 2048 bit key
Sun Jul 14 13:23:51 2019 us=990748 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 14 13:23:51 2019 us=990894 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jul 14 13:23:51 2019 us=990962 TLS-Auth MTU parms [ L:1623 D:1182 EF:68 EB:0 ET:0 EL:3 ]
Sun Jul 14 13:23:52 2019 us=11066 TUN/TAP device tun0 opened
Sun Jul 14 13:23:52 2019 us=11208 TUN/TAP TX queue length set to 100
Sun Jul 14 13:23:52 2019 us=11284 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jul 14 13:23:52 2019 us=11316 /sbin/ip link set dev tun0 up mtu 1500
Sun Jul 14 13:23:52 2019 us=18568 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Sun Jul 14 13:23:52 2019 us=26033 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Sun Jul 14 13:23:52 2019 us=26093 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jul 14 13:23:52 2019 us=26438 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun Jul 14 13:23:52 2019 us=26751 Listening for incoming TCP connection on [AF_INET][undef]:1194
Sun Jul 14 13:23:52 2019 us=26796 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Sun Jul 14 13:23:52 2019 us=26817 TCPv4_SERVER link remote: [AF_UNSPEC]
Sun Jul 14 13:23:52 2019 us=26887 MULTI: multi_init called, r=256 v=256
Sun Jul 14 13:23:52 2019 us=26947 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sun Jul 14 13:23:52 2019 us=27012 MULTI: TCP INIT maxclients=1024 maxevents=1028
Sun Jul 14 13:23:52 2019 us=27178 Initialization Sequence Completed
Everything is clean here as well.
Next, routing. First we need to allow forwarding. To do that, add the line
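Once clients connect, it is worth confirming that the static assignment above actually holds. The following is an added example, not part of the article: it reads the ROUTING TABLE section of the status file configured above, compares each client's virtual address with the ifconfig-push value in its ccd file, and uses a constructed status log and ccd directory as sample input (the function names and sample addresses are my own).

```shell
# Check each connected client's tunnel address against its ccd file.
# Prints one line per routing-table entry: OK, MISMATCH or NOCCD.
check_static_ips() {
    status_log=$1; ccd_dir=$2
    awk -F, -v ccd="$ccd_dir" '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        # routing rows: Virtual Address,Common Name,Real Address,Last Ref
        in_rt && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            want = ""; f = ccd "/" $2
            # the ccd file holds "ifconfig-push <ip> <mask>"; take the ip
            if ((getline line < f) > 0) { n = split(line, w, " "); if (n >= 2) want = w[2] }
            close(f)
            if (want == "")      print "NOCCD " $2 " " $1
            else if (want != $1) print "MISMATCH " $2 " got " $1 " want " want
            else                 print "OK " $2 " " $1
        }' "$status_log"
}

# Constructed sample data (not a real capture): a status file in the
# version-1 format OpenVPN writes to the "status" path, plus two ccd files.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/ccd"
    echo 'ifconfig-push 10.8.0.81 255.255.255.0' > "$dir/ccd/client1"
    echo 'ifconfig-push 10.8.0.82 255.255.255.0' > "$dir/ccd/client2"
    cat > "$dir/openvpn-status.log" <<'EOF'
OpenVPN CLIENT LIST
Updated,Sun Jul 14 13:40:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,198.51.100.7:51234,1024,2048,Sun Jul 14 13:30:00 2019
client2,198.51.100.8:40000,512,768,Sun Jul 14 13:31:00 2019
client9,198.51.100.9:40001,10,10,Sun Jul 14 13:32:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.81,client1,198.51.100.7:51234,Sun Jul 14 13:39:00 2019
10.8.0.5,client2,198.51.100.8:40000,Sun Jul 14 13:39:00 2019
10.8.0.6,client9,198.51.100.9:40001,Sun Jul 14 13:39:00 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    echo "$dir"
}
```

On the live server the call is check_static_ips /var/log/openvpn/openvpn-status.log /etc/openvpn/ccd; a MISMATCH or NOCCD line means the client got a pool address and its SNAT rule will not apply.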
net.ipv4.ip_forward = 1
to the file /etc/sysctl.conf and apply the change with the command
# sysctl -p
Now the firewall configuration. We consider the case where the server runs no services other than OpenVPN and SSH.
# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -m multiport --dports 22,53,1194 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j DROP
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.81 -o eth0 -j SNAT --to-source 99.100.101.55
-A POSTROUTING -s 10.8.0.82 -o eth0 -j SNAT --to-source 99.100.101.56
-A POSTROUTING -s 10.8.0.83 -o eth0 -j SNAT --to-source 99.100.101.57
COMMIT
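Every client in this scheme needs two things kept in step: the ccd file with its ifconfig-push address and the POSTROUTING SNAT rule for that address. The helper below is an added example, not the article's own tooling: it writes the ccd file, refuses a tunnel address that another client already holds or that lies outside the server's 10.8.0.0/24 subnet, and prints the matching nat-table line in the format of the file above; the function names are mine, and eth0 and the 255.255.255.0 mask are taken from the article's config.

```shell
# Write CCD_DIR/NAME containing "ifconfig-push TUNNEL_IP 255.255.255.0".
# Refuses names that are not plain labels (no "/" or leading "."), addresses
# outside 10.8.0.0/24, and a tunnel IP already pushed to a different client:
# two clients on one address would also collide on the same SNAT rule.
write_ccd() {
    name=$1; tun_ip=$2; ccd_dir=${3:-/etc/openvpn/ccd}
    case $name in
        ''|.*|*[!A-Za-z0-9_.-]*) echo "bad client name: '$name'" >&2; return 1 ;;
    esac
    case $tun_ip in
        10.8.0.[0-9]|10.8.0.[0-9][0-9]|10.8.0.[0-9][0-9][0-9]) ;;
        *) echo "tunnel IP $tun_ip is outside 10.8.0.0/24" >&2; return 1 ;;
    esac
    for f in "$ccd_dir"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$name" ] && continue     # re-registering the same client is fine
        if grep -qsxF "ifconfig-push $tun_ip 255.255.255.0" "$f"; then
            echo "tunnel IP $tun_ip already used by ${f##*/}" >&2; return 1
        fi
    done
    mkdir -p "$ccd_dir"
    printf 'ifconfig-push %s 255.255.255.0\n' "$tun_ip" > "$ccd_dir/$name"
}

# The nat-table line for /etc/sysconfig/iptables that maps TUNNEL_IP to its
# own public address on eth0, in the same shape as the article's rules.
snat_rule() {
    printf '%s\n' "-A POSTROUTING -s $1 -o eth0 -j SNAT --to-source $2"
}

# Usage: add_client NAME TUNNEL_IP PUBLIC_IP [CCD_DIR]
# e.g.   add_client client1 10.8.0.81 99.100.101.55
add_client() {
    write_ccd "$1" "$2" "${4:-/etc/openvpn/ccd}" && snat_rule "$2" "$3"
}
```

The printed rule still has to be added to the *nat section of /etc/sysconfig/iptables and the rules reloaded; the script does not touch the firewall itself.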