CentOS 7 + OpenVPN 2.4 + easy-rsa 3.0 + firewalld environment setup

Build environment

  • centos7.1
  • openvpn-2.4.4
  • easy-rsa-3.0
  • firewalld-0.4.4
  • Windows 7 64 bit

Software installation

Download the required software

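# Package installation (CentOS 7). openvpn and easy-rsa come from EPEL, so the
# EPEL repository is enabled first and the metadata cache refreshed afterwards.
yum install -y epel-release
# lsb_release is a command, not a package: install the package that provides
# it, then run it to confirm the distribution release.
yum install -y redhat-lsb-core
lsb_release -a
# "makecache" is a yum sub-command, not a package name.
yum makecache
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
yum install -y openvpn
yum install -y easy-rsa

# Unprivileged account the daemon drops to after startup (server.conf uses
# "user openvpn" / "group openvpn"). The author reports it worked without this
# step, presumably because the package already creates the account — the
# guards below keep the commands harmless when it exists.
getent group openvpn >/dev/null || groupadd openvpn
getent passwd openvpn >/dev/null || useradd -g openvpn -M -s /sbin/nologin openvpn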

Set up the software directories

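# /etc/openvpn is normally created by the openvpn package; -p makes this step
# idempotent instead of failing with "File exists".
mkdir -p /etc/openvpn/
# Work on a private copy of easy-rsa so the PKI lives under /etc/openvpn.
cp -R /usr/share/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/
# vars.example is a single file; a plain cp is enough.
cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/3.0/vars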

Environment configuration

server.conf

vim /etc/openvpn/server.conf
# Edited from the sample copied above. Lines starting with ';' are disabled.
;local a.b.c.d  
port 1194  
;proto tcp  
proto udp  
dev tun  
#Certificate file  
# All paths point into the easy-rsa PKI built in "Certificate generation".
# Note: build-ca / sign-req do not produce dh.pem or ta.key; they need
#   ./easyrsa gen-dh                                 -> pki/dh.pem
#   openvpn --genkey --secret /etc/openvpn/ta.key    -> ta.key
ca /etc/openvpn/easy-rsa/3.0/pki/ca.crt  
cert /etc/openvpn/easy-rsa/3.0/pki/issued/wwwserver.crt  
key /etc/openvpn/easy-rsa/3.0/pki/private/wwwserver.key  
dh /etc/openvpn/easy-rsa/3.0/pki/dh.pem  
# HMAC protection of the control channel; key direction 0 here, 1 in the
# client profile (tls-auth ta.key 1).
tls-auth /etc/openvpn/ta.key 0  
server 10.8.0.0 255.255.255.0  
# Relative paths (ipp.txt, the status and log files below) are resolved
# against the daemon's working directory — presumably /etc/openvpn under the
# openvpn@ unit; confirm, and make sure the "openvpn" user can write them.
ifconfig-pool-persist ipp.txt  
#Represents that all requests go through the openVPN server, which can be optimized  
push "redirect-gateway def1 bypass-dhcp"  
push "dhcp-option DNS 223.5.5.5"  
push "dhcp-option DNS 114.114.114.114"  
keepalive 10 120  
# Data-channel cipher. 2.4 peers are expected to negotiate an AEAD cipher
# (AES-256-GCM) via ncp-ciphers on top of this — check the log to confirm.
cipher AES-256-CBC  
# Compression stays disabled; the client profile below enables "comp-lzo",
# which should be "comp-lzo no" as well so both ends agree.
comp-lzo no
max-clients 50  
# Drop root privileges after startup (account created in "Software installation").
user openvpn  
group openvpn  
persist-key  
persist-tun  
status openvpn-status.log  
log-append  openvpn.log  
verb 3  
mute 20

vars

vim /etc/openvpn/easy-rsa/3.0/vars
# This file is sourced by ./easyrsa; set_var assigns a default only when the
# variable is not already set in the environment.
# "$PWD" means ./easyrsa must be run from this directory (the cd in
# "Certificate generation" does that).
set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$EASYRSA/pki"
# cn_only: the subject holds only the Common Name, so the REQ_* fields
# below are not placed into the certificates.
set_var EASYRSA_DN      "cn_only"
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "BEIJING"
set_var EASYRSA_REQ_CITY        "BEIJING"
set_var EASYRSA_REQ_ORG         "OpenVPN CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL       "346416267@qq.com"
set_var EASYRSA_REQ_OU          "OpenVPN EASY CA"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
# Lifetimes in days: CA ~19 years, issued certificates 10 years. With
# lifetimes this long, revocation (a CRL) is what retires a lost client key.
set_var EASYRSA_CA_EXPIRE       7000
set_var EASYRSA_CERT_EXPIRE     3650
# No nsCertType extension is emitted, so clients must verify the server with
# remote-cert-tls rather than the legacy ns-cert-type directive.
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "OpenVPN CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
# CentOS 7 ships OpenSSL 1.0, hence the 1.0 config template.
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"

Certificate generation

  1. Create the CA with password zwh.com
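# vars uses "$PWD", so easyrsa must be run from this directory.
cd /etc/openvpn/easy-rsa/3.0 || exit 1
./easyrsa init-pki
# build-ca runs once: a second invocation fails because the CA already exists.
# zwh.com is the tutorial's example passphrase; use a strong, unique one for a
# real deployment.
./easyrsa build-ca
#Enter password: zwh.com
#Confirm password: zwh.com
#Enter COMMON: OpenVPN CERTIFICATE AUTHORITY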
  2. Create the server certificate request, password zwh.com
# Produces pki/private/wwwserver.key (encrypted with the passphrase) and
# pki/reqs/wwwserver.req. A passphrase-protected server key has to be
# supplied every time the daemon starts (see "Start openVPN");
# "./easyrsa gen-req wwwserver nopass" avoids that when the key file itself
# is kept root-only.
./easyrsa  gen-req wwwserver
#Set password: zwh.com
#Confirm password: zwh.com
# The Common Name prompt defaults to "wwwserver"; whatever is entered becomes
# the server certificate's CN — it does not need to match the CA's name.
#Enter COMMON: OpenVPN CERTIFICATE AUTHORITY
  3. Sign and issue the server certificate (CA password zwh.com)
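# Sign the request with the "server" role (sets the server key usage the
# client checks) — prompts for the CA passphrase.
./easyrsa sign-req server wwwserver
#Enter yes to confirm
#Input password
# server.conf references two more files that nothing above creates:
# the DH parameters (pki/dh.pem) and the tls-auth key (/etc/openvpn/ta.key).
./easyrsa gen-dh
openvpn --genkey --secret /etc/openvpn/ta.key
# ta.key is a shared secret; keep it readable by root only.
chmod 600 /etc/openvpn/ta.key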
  4. Generate the client certificate with password zwh.com
# Generates and signs the client key pair in one step:
# pki/private/www001.key and pki/issued/www001.crt.
./easyrsa build-client-full www001
#If you don't need a password, just enter
# (An unencrypted client key relies entirely on the client machine's file
# permissions to stay private.)
  5. View the client certificate files
# Confirm both client files were written by build-client-full.
ls -l \
  /etc/openvpn/easy-rsa/3.0/pki/issued/www001.crt \
  /etc/openvpn/easy-rsa/3.0/pki/private/www001.key

Enable IP forwarding

# Without forwarding, clients reach the server but nothing behind it
# (redirect-gateway in server.conf sends all their traffic this way).
vim /etc/sysctl.conf
#Add on last line
net.ipv4.ip_forward = 1
#wq save file
# Reload /etc/sysctl.conf; the setting also survives reboots because it is
# in the file.
sysctl -p
#Execute the command after saving for the file to take effect

firewalld configuration

  1. View the firewalld configuration
# Show the default zone's current rules before changing anything.
firewall-cmd --list-all
  2. Add the configuration
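# Start the firewall now and at boot; if it is not running after a reboot the
# masquerade rule below is gone and clients lose internet access via the VPN.
systemctl enable firewalld.service
systemctl start firewalld.service
firewall-cmd --state
firewall-cmd --zone=public --list-all
# The built-in "openvpn" service already opens 1194/udp; the explicit port
# rule is kept for clarity.
firewall-cmd --add-service=openvpn --permanent
firewall-cmd --add-port=1194/udp --permanent
# server.conf uses "proto udp" only; open TCP only if you switch to "proto tcp".
#firewall-cmd --add-port=1194/tcp --permanent
firewall-cmd --add-port=22/tcp --permanent
# The client pool is the /24 from "server 10.8.0.0 255.255.255.0". Without the
# prefix length the source matches the single address 10.8.0.0 only.
firewall-cmd --add-source=10.8.0.0/24 --permanent
firewall-cmd --query-source=10.8.0.0/24 --permanent
# NAT client traffic out through the server's public address.
firewall-cmd --add-masquerade --permanent
firewall-cmd --query-masquerade --permanent
firewall-cmd --reload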

Start OpenVPN

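# Start on boot as well; a passphrase-protected server key (see gen-req)
# still needs the passphrase entered at each start.
systemctl enable openvpn@server
systemctl start openvpn@server
#Password zwh.com is required
# Rather than re-running a failed start blindly, read the reason first:
systemctl status openvpn@server
journalctl -u openvpn@server --no-pager | tail -n 20
#Stop command: systemctl stop openvpn@server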

Client configuration

Windows 7 64-bit OpenVPN client download address (third-party mirror; prefer the installer published by the OpenVPN project and verify its signature before installing)
https://download.csdn.net/download/mhgz322/10565084

Assembling the client certificates

  1. Copy the client certificate files to the /etc/openvpn/client directory
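mkdir -p /etc/openvpn/client
# Plain files — no -r needed.
cp /etc/openvpn/easy-rsa/3.0/pki/issued/www001.crt /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/3.0/pki/private/www001.key /etc/openvpn/client/
cp /etc/openvpn/easy-rsa/3.0/pki/ca.crt /etc/openvpn/client/
cp /etc/openvpn/ta.key /etc/openvpn/client/
# The client key and the shared tls-auth key are secrets: keep them
# unreadable to other users here, and move them to the client over an
# authenticated channel such as scp.
chmod 600 /etc/openvpn/client/www001.key /etc/openvpn/client/ta.key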
  2. Copy the four files above (www001.crt, www001.key, ca.crt and ta.key) to the config folder under the OpenVPN installation directory
  3. Create the uvs-001.ovpn file in the config folder with the following content:
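client
dev tun
proto udp
resolv-retry infinite
nobind
remote x.x.x.x 1194
#Change x.x.x.x to your OpenVPN server IP
# Require that the presented server certificate was signed for the "server"
# role (sign-req server). The legacy "ns-cert-type server" needs the
# nsCertType extension, which vars disables (EASYRSA_NS_SUPPORT "no"), and is
# deprecated in 2.4, so it is not expected to pass here.
remote-cert-tls server
# Match the server's "comp-lzo no" so compression stays disabled on both ends.
comp-lzo no
ca ca.crt
cert www001.crt
key www001.key
# Key direction 1 pairs with "tls-auth /etc/openvpn/ta.key 0" on the server.
tls-auth ta.key 1
keepalive 10 120
persist-key
persist-tun
verb 5
redirect-gateway def1
#Routes all client traffic through the OpenVPN server; corresponds to push "redirect-gateway def1 bypass-dhcp" in server.conf
route-method exe
route-delay 2
status www001-status.log
log-append www001.log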
  4. Run bin/openvpn.exe
    If a password was set when the client certificate was generated, you will be prompted for it


Posted on Fri, 31 Jan 2020 06:02:34 -0800 by Jim_Bo