19. VPN service
1. Implementing firewall functions with firewalld and the newer nft technology (65 min)
2. Introduction to OpenVPN and environment preparation (48 min)
3. Implementing the CA certificate for OpenVPN (45 min)
4. Implementing the OpenVPN server and client (65 min)
5. OpenVPN advanced management features (49 min)
6. Releasing Alibaba Cloud resources (7 min)
7. Database fundamentals (47 min)
8. Relational database theory (44 min)

20. MySQL database, part 1
1. MySQL installation and security hardening (58 min)
2. Basic MySQL usage and binary installation (54 min)
3. Compiling and installing MySQL, and an introduction to the SQL language (44 min)
4. MySQL multiple instances and categories of SQL statements (54 min)
5. Database management and table creation in SQL (55 min)
6. DML and DQL statements (45 min)
7. Single-table and multi-table queries in SQL (62 min)

1. Building OpenVPN on a LAN

# NIC configuration on each host
[root@centos8 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=static
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.0.0.8
NETMASK=255.255.255.0

[root@centos8 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE=Ethernet
NAME=eth1
DEVICE=eth1
ONBOOT=yes
IPADDR=172.30.0.1
PREFIX=24

[root@centos7 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR=172.30.0.100
NETMASK=255.255.255.0

[root@centos17 ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="static"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR=172.30.0.200
NETMASK=255.255.255.0

# Change the hostnames
[root@centos7 ~]#hostnamectl set-hostname web01.magedu.org
[root@centos17 ~]#hostnamectl set-hostname web02.magedu.org
[root@centos8 ~]#hostnamectl set-hostname openvpn-server.magedu.org

# Install httpd on the two web hosts
[root@web01 ~]#yum -y install httpd;systemctl enable --now httpd;hostname > /var/www/html/index.html
[root@web02 ~]#yum install -y httpd;systemctl enable --now httpd;hostname > /var/www/html/index.html
[root@centos8 ~]#curl 172.30.0.100
web01.magedu.org
[root@centos8 ~]#curl 172.30.0.200
web02.magedu.org

# Install OpenVPN and the certificate tool
[root@openvpn-server ~]#yum install -y openvpn easy-rsa

# List the files in the packages
[root@openvpn-server ~]#rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/.build-id
/usr/lib/.build-id/18
/usr/lib/.build-id/18/a6602b682bee9327f8a254188e270349898ab1
/usr/lib/.build-id/26
/usr/lib/.build-id/26/b7acb96c927678621ec0d416a3e73c436f6fbc
/usr/lib/.build-id/5b
/usr/lib/.build-id/5b/f591de13b621aef596a3a1f3d38c04565aa050
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn
/usr/share/doc/openvpn/AUTHORS
/usr/share/doc/openvpn/COPYING
/usr/share/doc/openvpn/COPYRIGHT.GPL
/usr/share/doc/openvpn/ChangeLog
/usr/share/doc/openvpn/Changes.rst
/usr/share/doc/openvpn/README
/usr/share/doc/openvpn/README.auth-pam
/usr/share/doc/openvpn/README.down-root
/usr/share/doc/openvpn/README.systemd
/usr/share/doc/openvpn/contrib
/usr/share/doc/openvpn/contrib/OCSP_check
/usr/share/doc/openvpn/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn/contrib/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn/contrib/pull-resolv-conf
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn/management-notes.txt
/usr/share/doc/openvpn/sample
/usr/share/doc/openvpn/sample/sample-config-files
/usr/share/doc/openvpn/sample/sample-config-files/README
/usr/share/doc/openvpn/sample/sample-config-files/client.conf
/usr/share/doc/openvpn/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn/sample/sample-config-files/home.up
/usr/share/doc/openvpn/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn/sample/sample-config-files/office.up
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn/sample/sample-config-files/server.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn/sample/sample-scripts
/usr/share/doc/openvpn/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn/sample/sample-windows
/usr/share/doc/openvpn/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn
[root@openvpn-server ~]#rpm -ql easy-rsa
/usr/share/doc/easy-rsa
/usr/share/doc/easy-rsa/COPYING.md
/usr/share/doc/easy-rsa/ChangeLog
/usr/share/doc/easy-rsa/README.md
/usr/share/doc/easy-rsa/README.quickstart.md
/usr/share/doc/easy-rsa/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa
/usr/share/licenses/easy-rsa/gpl-2.0.txt

# Create the server configuration file from the sample
[root@openvpn-server ~]#cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
[root@openvpn-server ~]#ll /etc/openvpn/server/
total 4
-rw-r--r-- 1 root root 440 Mar  5 16:27 server.conf

# Prepare the certificate-issuing files
[root@openvpn-server ~]#cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
[root@openvpn-server ~]#ll /etc/openvpn
total 0
drwxr-xr-x 2 root root    70 Mar  4 20:39 certs
drwxr-x--- 3 root openvpn 25 Mar  4 20:53 client
drwxr-xr-x 3 root root    39 Mar  4 18:53 easy-rsa-server
drwxr-x--- 2 root openvpn 25 Mar  5 17:36 server

# Prepare the variables file used when issuing certificates
[root@openvpn-server ~]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
[root@openvpn-server ~]#ll /etc/openvpn/easy-rsa-server/3/
total 96
-rwxr-xr-x 1 root root 76946 Mar  4 18:53 easyrsa
-rw-r--r-- 1 root root  4616 Mar  4 18:53 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8925 Mar  4 18:56 vars
drwxr-xr-x 2 root root   122 Mar  4 18:53 x509-types

# Recommended: adjust the validity of the certificates issued to the CA and the OpenVPN server; they can be lengthened
[root@openvpn-server ~]#vim /etc/openvpn/easy-rsa-server/3/vars
# The CA certificate validity defaults to 10 years; it can be extended, e.g. to 36500 days
#set_var EASYRSA_CA_EXPIRE   3650
set_var EASYRSA_CA_EXPIRE    36500
# The server certificate validity defaults to 825 days; it can be extended, e.g. to 3650 days
#set_var EASYRSA_CERT_EXPIRE  825
# Change the line above to the following
set_var EASYRSA_CERT_EXPIRE   3650

[root@openvpn-server ~]#tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa-server
│   ├── 3 -> 3.0.8
│   ├── 3.0 -> 3.0.8
│   └── 3.0.8
│       ├── easyrsa
│       ├── openssl-easyrsa.cnf
│       ├── vars
│       └── x509-types
│           ├── ca
│           ├── client
│           ├── code-signing
│           ├── COMMON
│           ├── email
│           ├── kdc
│           ├── server
│           └── serverClient
├── server
│   └── server.conf

7 directories, 12 files

# The easyrsa script
[root@openvpn-server ~]#vim /etc/openvpn/easy-rsa-server/3/easyrsa
#!/bin/sh

# Easy-RSA 3 -- A Shell-based CA Utility
#
# Copyright (C) 2018 by the Open-Source OpenVPN development community.
# A full list of contributors can be found in the ChangeLog.
#
# This code released under version 2 of the GNU GPL; see COPYING and the
# Licensing/ directory of this project for full licensing details.

# Usage help for the easyrsa script
[root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-server/3/
[root@openvpn-server 3]#./easyrsa
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:

./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:

./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

init-pki
build-ca [ cmd-opts ]
gen-dh
gen-req <filename_base> [ cmd-opts ]
sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ]
revoke <filename_base> [cmd-opts]
renew <filename_base> [cmd-opts]
build-serverClient-full <filename_base> [ cmd-opts ]
gen-crl
update-db
show-req <filename_base> [ cmd-opts ]
show-cert <filename_base> [ cmd-opts ]
show-ca [ cmd-opts ]
import-req <request_file_path> <short_basename>
export-p7 <filename_base> [ cmd-opts ]
export-p8 <filename_base> [ cmd-opts ]
export-p12 <filename_base> [ cmd-opts ]
set-rsa-pass <filename_base> [ cmd-opts ]
set-ec-pass <filename_base> [ cmd-opts ]
upgrade <type>

DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: /etc/openvpn/easy-rsa-server/3.0.8
PKI: /etc/openvpn/easy-rsa-server/3/pki

# Initialize the PKI: creates the pki directory and its files under the current directory
[root@openvpn-server 3]#./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki

[root@openvpn-server 3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki                 # a new directory and its files are generated
│   ├── openssl-easyrsa.cnf
│   ├── private
│   ├── reqs
│   └── safessl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 13 files

# Create the CA
[root@openvpn-server 3]#./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
....+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:    # accept the default: just press Enter

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt       # the self-signed CA certificate

[root@openvpn-server 3]#tree pki
pki
├── ca.crt              # the self-signed CA certificate
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   └── ca.key          # the CA private key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 7 files

# Inspect the generated self-signed certificate
[root@openvpn-server 3]#openssl x509 -in pki/ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1b:62:81:45:b9:ad:5c:2b:3d:92:52:d5:8c:cf:79:39:e2:7a:57:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Easy-RSA CA
        Validity
            Not Before: Mar  4 11:19:51 2022 GMT
            Not After : Feb  8 11:19:51 2122 GMT
        Subject: CN = Easy-RSA CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b4:29:66:35:76:4b:8e:51:4b:1f:03:97:75:2a:ed:40:43:85:d0:2b:bd:fa:e3:af:2f:39:ef:e0:7b:a0:79:3a:a9:25:e0:ca:d4:cb:d0:bb:a9:59:60:be:d5:95:64:31:66:33:51:06:f5:ab:68:a2:3d:eb:28:0f:df:92:2c:05:a7:f7:56:a9:cb:c3:e1:d5:99:be:46:03:b7:21:5c:70:9d:cc:ca:0d:fc:ba:29:6e:21:d4:fc:2f:61:d0:be:c4:8b:e3:64:77:dd:45:99:3f:a7:34:23:0e:fc:05:ae:b2:1e:df:54:91:79:fe:c0:2e:23:0c:b1:0c:e0:37:67:d5:00:38:f6:90:c2:8f:73:27:02:ae:ec:77:07:b5:4e:bb:7c:33:91:7f:3e:bc:41:83:66:7b:d9:20:e6:17:46:c4:91:8a:4b:5d:74:4c:ec:9e:0a:86:89:a0:af:2d:b2:2c:99:7b:79:30:bf:ea:b0:70:74:7e:35:c1:34:03:eb:4f:9c:20:d0:e9:dc:43:8e:a9:1b:15:70:56:e8:5a:3f:1d:a1:dd:a5:40:4b:6f:7b:6c:10:31:8c:9d:fc:7c:5b:a6:32:a3:b2:ba:73:18:d2:74:a6:a3:43:fc:a5:71:d2:3e:f9:f8:7d:77:dc:2c:ce:57:c8:ff:86:7d:89:43:29:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                66:66:2C:63:22:6B:47:C3:7A:3D:75:17:0A:E8:F6:29:80:4E:D2:F4
            X509v3 Authority Key Identifier:
                keyid:66:66:2C:63:22:6B:47:C3:7A:3D:75:17:0A:E8:F6:29:80:4E:D2:F4
                DirName:/CN=Easy-RSA CA
                serial:1B:62:81:45:B9:AD:5C:2B:3D:92:52:D5:8C:CF:79:39:E2:7A:57:23

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         7f:a6:fb:5f:6b:28:09:d8:67:d1:03:bf:49:b8:29:70:04:60:fc:c2:7d:e4:19:50:18:6e:48:94:9b:a2:90:6c:65:93:e3:4b:2a:2b:91:33:6f:3a:1e:78:d2:32:cb:b9:ef:4c:d2:19:0d:f0:0a:08:6e:0a:d2:83:4f:f9:3d:8e:b1:62:35:84:55:f1:37:2f:78:83:c7:aa:bb:79:67:2b:48:ac:10:38:72:db:ca:c5:04:9d:27:4f:91:a1:cc:a4:a0:70:16:7a:73:12:a7:f1:d7:ef:d5:54:d5:ba:3f:a1:e6:dd:e0:36:47:9a:1e:ab:31:36:4e:10:c0:83:b9:b4:38:bd:bd:87:97:15:d7:52:04:53:f2:07:c7:62:b1:08:fb:b8:41:69:2c:cd:8c:8f:d3:3d:ae:ca:61:22:c3:46:b1:86:e4:d5:99:8a:d5:52:74:e2:e4:dd:9b:e5:1e:f4:63:ef:3c:aa:fa:0b:53:f2:17:c3:19:40:7a:b3:29:23:04:bc:ba:bc:16:46:83:18:56:dd:66:f8:b5:35:0a:1a:1e:f2:c0:6f:e0:5f:8d:6d:eb:ce:3a:bd:b6:6f:59:30:cf:28:98:32:69:26:b9:07:b4:0b:b4:bd:aa:8a:6e:e4:79:f2:51:cc:73:f8:b8:ce:e8:24:5e:9c:5b:95:a7:0a

# Create the server certificate request; 'server' is the file base name
[root@openvpn-server 3]#./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
........+++++
................+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-3036.zaiY3A/tmp.ZyqeZd'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:  # accept the default Common Name: just press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req      # the certificate request
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key   # the private key

[root@openvpn-server 3]#tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key          # the private key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req          # the certificate request
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial

12 directories, 9 files

# Issue a server-type certificate for the server.req request above
[root@openvpn-server 3]#./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:   # the validity period set in the vars file

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                                            # type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-3077.jFdCXc/tmp.WD2eIT
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Mar  1 11:40:28 2032 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt   # the server certificate

[root@openvpn-server 3]#tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── DA37C45781BE832554ADD42152B14E72.pem        # the server certificate, filed by serial
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt                                  # the server certificate
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 14 files

# Certificate-related files
[root@openvpn-server 3]#diff pki/certs_by_serial/DA37C45781BE832554ADD42152B14E72.pem pki/issued/server.crt
[root@openvpn-server 3]#cat pki/index.txt
V   320301114028Z       DA37C45781BE832554ADD42152B14E72    unknown /CN=server

# Create the Diffie-Hellman parameters
[root@openvpn-server 3]#./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........+.....................................................................................................................................+....................+................................
# This takes a while
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem

# Inspect the generated file
[root@openvpn-server 3]#ll pki/dh.pem
-rw------- 1 root root 424 Mar  4 19:50 pki/dh.pem
[root@openvpn-server 3]#cat pki/dh.pem
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAi1MtpXv4VDt2EogqMyxR5r4ViE1H2RkX55jkNp7X8qVTLIKicClb
0CRM0+MiOHKEXNSfFcBifpdDJSsarFNZqmrr/bf+xbtW105mBIhfj9Ika4Drzxds
FPnJPRhkcW2o82xmNe1eh33zcNXZm+Zfq+n4fnj8o2lJNGXii9QCmQZWbiwphVgf
Iy+/PD8J6OD7uMWx9nJu8RQ7Gr0IJN4+yW8mOnoX/Fp3k4kv2urwm7Q2VJ+QKWTn
HBL52GhU3A++paa8Wy4TPICmWeN6qKYFjwSYb9GaOPcE3YZ4yi2iYt2BfgpYftoV
q0+0VJpsgpJYM+bOAWQ8mre6REdm06ZBAwIBAg==
-----END DH PARAMETERS-----

# The server-side certificates are done; next, set up the client certificate
[root@openvpn-server ~]#cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
[root@openvpn-server ~]#tree /etc/openvpn/easy-rsa-client
/etc/openvpn/easy-rsa-client
├── 3 -> 3.0.8
├── 3.0 -> 3.0.8
└── 3.0.8
    ├── easyrsa
    ├── openssl-easyrsa.cnf
    └── x509-types
        ├── ca
        ├── client
        ├── code-signing
        ├── COMMON
        ├── email
        ├── kdc
        ├── server
        └── serverClient

4 directories, 10 files
[root@openvpn-server ~]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-client/3/vars
[root@openvpn-server ~]#tree /etc/openvpn/easy-rsa-client/3
/etc/openvpn/easy-rsa-client/3
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

1 directory, 11 files

# Generate the pki directory and files needed for certificate requests
[root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-client/3
[root@openvpn-server 3]#./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki       # new directory

[root@openvpn-server 3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki                             # new directory
│   ├── openssl-easyrsa.cnf
│   ├── private
│   ├── reqs
│   └── safessl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 13 files

# Create the client certificate request
[root@openvpn-server 3]#./easyrsa gen-req linxiaodong nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
......+++++
............+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-3298.AlUELy/tmp.y38ewQ'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [linxiaodong]:    # accept the default: just press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/linxiaodong.req        # the certificate request
key: /etc/openvpn/easy-rsa-client/3/pki/private/linxiaodong.key     # the private key

# Two new files are generated
[root@openvpn-server 3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│   ├── openssl-easyrsa.cnf
│   ├── private
│   │   └── linxiaodong.key     # the private key
│   ├── reqs
│   │   └── linxiaodong.req     # the certificate request
│   └── safessl-easyrsa.cnf
├── vars
└── x509-types
    ├── ca
    ├── client
    ├── code-signing
    ├── COMMON
    ├── email
    ├── kdc
    ├── server
    └── serverClient

4 directories, 15 files

# Issue the client certificate
[root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-server/3
# Import the client certificate request into the CA's working directory
[root@openvpn-server 3]#./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/linxiaodong.req linxiaodong
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

The request has been successfully imported with a short name of: linxiaodong
You may now use this name to perform signing operations on this request.
[root@openvpn-server 3]#tree pki
pki
├── ca.crt
├── certs_by_serial
│   └── DA37C45781BE832554ADD42152B14E72.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── linxiaodong.req         # the imported request
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 16 files

# Change the validity period of certificates issued to clients
[root@openvpn-server 3]#vim vars
# Recommended: shorten the validity of certificates issued to clients, e.g. to 90 days
#set_var EASYRSA_CERT_EXPIRE  825
# Change the line above to the following
set_var EASYRSA_CERT_EXPIRE 90

# Issue the client certificate
[root@openvpn-server 3]#./easyrsa sign client linxiaodong
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = linxiaodong


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes            # type yes and press Enter
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-3393.EeTafH/tmp.MKYtg3
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'linxiaodong'
Certificate is to be certified until Jun  2 12:18:35 2022 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/linxiaodong.crt  # the client certificate
[root@openvpn-server 3]#tree pki
pki
├── ca.crt
├── certs_by_serial
│   ├── 4D81B88EE05D328D8D7B8CA615C025DF.pem
│   └── DA37C45781BE832554ADD42152B14E72.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── linxiaodong.crt         # the client certificate
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── linxiaodong.req
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 18 files
[root@openvpn-server 3]#cat pki/index.txt
V   320301114028Z       DA37C45781BE832554ADD42152B14E72    unknown /CN=server
V   220602121835Z       4D81B88EE05D328D8D7B8CA615C025DF    unknown /CN=linxiaodong

# If many client certificates need to be issued, the following script issues them in batch
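Before the batch script, an added example that is not part of the original notes: a shell function that parses pki/index.txt, the OpenSSL CA database printed above (tab-separated fields: status, expiry, revocation time, serial, file name, subject DN), and reports which certificates are revoked, expired, or expiring within a threshold, which is how the 90-day client policy set above can be monitored. The sample entries are constructed: the two real entries from this page, a revoked copy of the batch-issued `dong` certificate, and an already expired entry with a placeholder serial.

```shell
# cert_expiry_report REF [WARN_DAYS]: read an easy-rsa pki/index.txt on stdin and print
#   <STATE> <days_left> <serial> <CN>   per certificate, where STATE is VALID, EXPIRING
# (fewer than WARN_DAYS left, default 30), EXPIRED, or REVOKED. REF is the reference time
# in the same ASN.1 form index.txt uses (e.g. 220501000000Z); for live use pass
# "$(date -u +%y%m%d%H%M%SZ)". Date arithmetic is done in awk, so GNU date -d is not needed.
cert_expiry_report() {
  local ref="$1" warn_days="${2:-30}"
  awk -F'\t' -v ref="$ref" -v warn="$warn_days" '
    function ifloor(x) { return (x == int(x)) ? x : (x < 0 ? int(x) - 1 : int(x)) }
    # Days since 1970-01-01 for a Gregorian date (the days_from_civil algorithm).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    # Epoch seconds from an ASN.1 time: UTCTime YYMMDDHHMMSSZ (2-digit year; below 50 means 20YY)
    # or GeneralizedTime YYYYMMDDHHMMSSZ, which OpenSSL writes for dates from 2050 on.
    function asn1_to_epoch(ts,    y, r, days) {
      if (length(ts) == 13) {
        y = substr(ts, 1, 2) + 0; y = (y < 50) ? 2000 + y : 1900 + y; r = substr(ts, 3)
      } else {
        y = substr(ts, 1, 4) + 0; r = substr(ts, 5)
      }
      days = days_from_civil(y, substr(r, 1, 2) + 0, substr(r, 3, 2) + 0)
      return days * 86400 + substr(r, 5, 2) * 3600 + substr(r, 7, 2) * 60 + substr(r, 9, 2)
    }
    BEGIN { now = asn1_to_epoch(ref) }
    NF < 6 { next }    # skip blank or malformed lines
    {
      # index.txt fields: status, expiry, revocation time (empty unless revoked),
      # serial, certificate file name ("unknown" for easy-rsa), subject DN
      left = ifloor((asn1_to_epoch($2) - now) / 86400)
      cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
      if ($1 == "R")                   state = "REVOKED"
      else if ($1 == "E" || left < 0)  state = "EXPIRED"
      else if (left < warn)            state = "EXPIRING"
      else                             state = "VALID"
      printf "%s %d %s %s\n", state, left, $4, cn
    }'
}

# Constructed sample index.txt (tab-separated like the real file): the two entries shown on
# this page, a revoked copy of the batch-issued "dong" certificate, and an already expired
# entry with a placeholder serial.
sample_index() {
  printf 'V\t320301114028Z\t\tDA37C45781BE832554ADD42152B14E72\tunknown\t/CN=server\n'
  printf 'V\t220602121835Z\t\t4D81B88EE05D328D8D7B8CA615C025DF\tunknown\t/CN=linxiaodong\n'
  printf 'R\t220602123126Z\t220415090000Z\t8A5AECDF1961D802096DC4C4C5723318\tunknown\t/CN=dong\n'
  printf 'V\t220301000000Z\t\t0123456789ABCDEF0123456789ABCDEF\tunknown\t/CN=olduser\n'
}

# Report as of 2022-05-01 00:00 UTC, warning when fewer than 60 days remain
sample_index | cert_expiry_report 220501000000Z 60
```

On the server the same report is `cert_expiry_report "$(date -u +%y%m%d%H%M%SZ)" 14 < /etc/openvpn/easy-rsa-server/3/pki/index.txt`; a certificate that is merely revoked in index.txt still works on the server until `gen-crl` output is published with `crl-verify`.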
Client certificate auto-issuing script
[root@openvpn-server 3]#cat /root/openvpn-user-crt.sh
#!/bin/bash
#
#********************************************************************
#Author: linxiaodong
#QQ: 916794060
#Date: 2022-03-04
#FileName: openvpn-user-crt.sh
#Description: The test script
#Copyright (C): 2022 All rights reserved
#********************************************************************
# The example in the prompt is a fixed name: the original used ${NAME} here before it was set, so the prompt showed an empty example
read -p "请输入用户的姓名拼音(如:linxiaodong): " NAME
[ -n "${NAME}" ] || { echo "no name given" >&2; exit 1; }
cd /etc/openvpn/easy-rsa-client/3
# An empty line answers the Common Name prompt with its default (the name itself)
./easyrsa gen-req ${NAME} nopass <<EOF

EOF
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}
# Answer the "Confirm request details" prompt with yes
./easyrsa sign client ${NAME} <<EOF
yes
EOF
# Run the script
[root@openvpn-server 3]#bash /root/openvpn-user-crt.sh
请输入用户的姓名拼音(如:): dong
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..............................................................+++++
.............+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-3478.2FPk7V/tmp.fBPlkG'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dong]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/dong.req
key: /etc/openvpn/easy-rsa-client/3/pki/private/dong.key
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

The request has been successfully imported with a short name of: dong
You may now use this name to perform signing operations on this request.
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = dong


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-3526.cGcruv/tmp.gXPbCZ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dong'
Certificate is to be certified until Jun  2 12:31:26 2022 GMT (90 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/dong.crt
[root@openvpn-server 3]#tree pki
pki
├── ca.crt
├── certs_by_serial
│   ├── 4D81B88EE05D328D8D7B8CA615C025DF.pem
│   ├── 8A5AECDF1961D802096DC4C4C5723318.pem
│   └── DA37C45781BE832554ADD42152B14E72.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── dong.crt            # the client certificate
│   ├── linxiaodong.crt
│   └── server.crt
├── openssl-easyrsa.cnf
├── private
│   ├── ca.key
│   └── server.key
├── renewed
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── reqs
│   ├── dong.req
│   ├── linxiaodong.req
│   └── server.req
├── revoked
│   ├── certs_by_serial
│   ├── private_by_serial
│   └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old

12 directories, 21 files

# Copy the CA and server certificate files into the server's certificate directory
[root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
[root@openvpn-server 3]#ll /etc/openvpn/certs/
total 20
-rw------- 1 root root 1204 Mar  4 20:39 ca.crt
-rw------- 1 root root  424 Mar  4 20:39 dh.pem
-rw------- 1 root root 4608 Mar  4 20:39 server.crt
-rw------- 1 root root 1704 Mar  4 20:39 server.key

# Copy the client's private key and certificate files into a client directory on the server
[root@openvpn-server ~]#mkdir /etc/openvpn/client/linxiaodong/
[root@openvpn-server ~]#find /etc/openvpn/ \( -name "linxiaodong.key" -o -name "linxiaodong.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/linxiaodong \;
[root@openvpn-server ~]#tree /etc/openvpn/client/linxiaodong
/etc/openvpn/client/linxiaodong
├── ca.crt
├── linxiaodong.crt
└── linxiaodong.key

0 directories, 3 files

# Edit the server configuration file
[root@openvpn-server ~]#vim /etc/openvpn/server/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

# Prepare the log directory
[root@openvpn-server ~]#getent passwd openvpn
openvpn:x:994:991:OpenVPN:/etc/openvpn:/sbin/nologin
[root@openvpn-server ~]#mkdir /var/log/openvpn
[root@openvpn-server ~]#chown openvpn.openvpn /var/log/openvpn
[root@openvpn-server ~]#ll -d /var/log/openvpn
drwxr-xr-x 2 openvpn openvpn 6 Mar  4 21:21 /var/log/openvpn

# Enable ip_forward on the server
[root@openvpn-server ~]#echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
[root@openvpn-server ~]#sysctl -p
net.ipv4.ip_forward = 1

# Add the SNAT rule
[root@openvpn-server ~]#echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[root@openvpn-server ~]#chmod +x /etc/rc.d/rc.local
[root@openvpn-server ~]#/etc/rc.d/rc.local
[root@openvpn-server ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.8.0.0/24          0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# Server service configuration
[root@openvpn-server ~]#vim /usr/lib/systemd/system/openvpn-server@.service
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
#Load the unit configuration
[root@openvpn-server ~]#systemctl daemon-reload
[root@openvpn-server ~]#systemctl enable --now openvpn-server@server.service
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@.service.
[root@openvpn-server ~]#systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2022-03-05 16:41:57 CST; 3s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 9008 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 12241)
   Memory: 1.5M
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─9008 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --cipher AES-256->

Mar 05 16:41:57 openvpn-server.magedu.org systemd[1]: Starting OpenVPN service for server...
Mar 05 16:41:57 openvpn-server.magedu.org systemd[1]: Started OpenVPN service for server.
#Port 1194 is now listening
[root@openvpn-server ~]#ss -ntl
State              Recv-Q             Send-Q                         Local Address:Port                         Peer Address:Port
LISTEN             0                  128                                  0.0.0.0:22                                0.0.0.0:*
LISTEN             0                  100                                127.0.0.1:25                                0.0.0.0:*
LISTEN             0                  32                                   0.0.0.0:1194                              0.0.0.0:*
LISTEN             0                  128                                     [::]:22                                   [::]:*
LISTEN             0                  100                                    [::1]:25                                   [::]:*
#Generate the client user's configuration file
[root@openvpn-server ~]#vim /etc/openvpn/client/linxiaodong/client.ovpn
client
dev tun
proto tcp
remote 10.0.0.8 1194        #in production this is the OpenVPN server's public IP
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert wangxiaochun.crt
key wangxiaochun.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2

Installing the OpenVPN client on Windows:

Official client download address:
https://openvpn.net/community-downloads/

OpenVPN client installation process:


[root@openvpn-server ~]#cd /etc/openvpn/client/linxiaodong/
[root@openvpn-server linxiaodong]#ll
total 20
-rw------- 1 root root 1204 Mar  4 20:55 ca.crt
-rw-r--r-- 1 root root  242 Mar  5 15:44 client.ovpn
-rw------- 1 root root 4501 Mar  4 20:55 linxiaodong.crt
-rw------- 1 root root 1704 Mar  4 20:55 linxiaodong.key
#Package the certificates on the server, then download and send them to the Windows client
[root@openvpn-server linxiaodong]#tar cf linxiaodong.tar ./*
[root@openvpn-server linxiaodong]#ll
total 40
-rw------- 1 root root  1204 Mar  4 20:55 ca.crt
-rw-r--r-- 1 root root   242 Mar  5 15:44 client.ovpn
-rw------- 1 root root  4501 Mar  4 20:55 linxiaodong.crt
-rw------- 1 root root  1704 Mar  4 20:55 linxiaodong.key
-rw-r--r-- 1 root root 20480 Mar  5 18:02 linxiaodong.tar
[root@openvpn-server linxiaodong]#tar tf linxiaodong.tar
./ca.crt
./client.ovpn
./linxiaodong.crt
./linxiaodong.key

Place them in the C:\Program Files\OpenVPN\config directory on the Windows client:

Open the OpenVPN GUI tool from the Windows programs menu:

After a moment the following icon appears in the status bar; right-click it and choose Connect

The backend server shows the connection coming from the OpenVPN server:

#Watch the OpenVPN server log:
[root@openvpn-server ~]#tail /var/log/openvpn/openvpn.log -f -n0
TCP connection established with [AF_INET]10.0.0.1:62275
10.0.0.1:62275 TLS: Initial packet from [AF_INET]10.0.0.1:62275, sid=5f3e291a 47de5d46
10.0.0.1:62275 VERIFY OK: depth=1, CN=Easy-RSA CA
10.0.0.1:62275 VERIFY OK: depth=0, CN=linxiaodong
10.0.0.1:62275 peer info: IV_VER=2.4.9
10.0.0.1:62275 peer info: IV_PLAT=win
10.0.0.1:62275 peer info: IV_PROTO=2
10.0.0.1:62275 peer info: IV_NCP=2
10.0.0.1:62275 peer info: IV_LZ4=1
10.0.0.1:62275 peer info: IV_LZ4v2=1
10.0.0.1:62275 peer info: IV_LZO=1
10.0.0.1:62275 peer info: IV_COMP_STUB=1
10.0.0.1:62275 peer info: IV_COMP_STUBv2=1
10.0.0.1:62275 peer info: IV_TCPNL=1
10.0.0.1:62275 peer info: IV_GUI_VER=OpenVPN_GUI_11
10.0.0.1:62275 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
10.0.0.1:62275 [linxiaodong] Peer Connection Initiated with [AF_INET]10.0.0.1:62275
linxiaodong/10.0.0.1:62275 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
linxiaodong/10.0.0.1:62275 MULTI: Learn: 10.8.0.6 -> linxiaodong/10.0.0.1:62275
linxiaodong/10.0.0.1:62275 MULTI: primary virtual IP for linxiaodong/10.0.0.1:62275: 10.8.0.6
linxiaodong/10.0.0.1:62275 PUSH: Received control message: 'PUSH_REQUEST'
linxiaodong/10.0.0.1:62275 SENT CONTROL [linxiaodong]: 'PUSH_REPLY,route 172.30.0.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
linxiaodong/10.0.0.1:62275 Data Channel: using negotiated cipher 'AES-256-GCM'
linxiaodong/10.0.0.1:62275 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
linxiaodong/10.0.0.1:62275 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
[root@openvpn-server ~]#cat /var/log/openvpn/openvpn-status.log
TITLE,OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
TIME,Sat Mar  5 17:01:31 2022,1646470891
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,linxiaodong,10.0.0.1:62275,10.8.0.6,,18932,10677,Sat Mar  5 17:00:50 2022,1646470850,UNDEF,2,0
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,linxiaodong,10.0.0.1:62275,Sat Mar  5 17:01:00 2022,1646470860
GLOBAL_STATS,Max bcast/mcast queue length,1
END
#Verify the OpenVPN server connection state:
[root@openvpn-server ~]#ss -nt
State             Recv-Q             Send-Q                         Local Address:Port                         Peer Address:Port
ESTAB             0                  0                                   10.0.0.8:1194                             10.0.0.1:62275
ESTAB             0                  52                                  10.0.0.8:22                               10.0.0.1:61341

Verify the Windows client's IP address:

Verify the Windows client's routing table:

An additional virtual network adapter has been created

Browse to 172.30.0.100

#The log shows the request coming from the gateway address 172.30.0.1
[root@web01 ~]#tail -f /var/log/httpd/access_log
172.30.0.1 - - [05/Mar/2022:23:29:27 +0800] "GET / HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"
172.30.0.1 - - [05/Mar/2022:23:29:27 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://172.30.0.100/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36"
#Enable exit notification in udp mode
[root@openvpn-server ~]#vim /etc/openvpn/server/server.conf
proto udp
explicit-exit-notify 1      #add the notify option
#and change the client configuration file to udp as well

#Restart succeeds and the client reconnects automatically
[root@openvpn-server ~]#systemctl restart openvpn-server@server.service
#The port now shows UDP
[root@openvpn-server ~]#ss -ntul
Netid          State            Recv-Q           Send-Q                     Local Address:Port                     Peer Address:Port
udp            UNCONN           0                0                                0.0.0.0:1194                          0.0.0.0:*

The Windows notification option must be turned on

The client must also be changed to the UDP protocol, otherwise the following is shown

Caused by the two spaces in front of 10.0.0.8: the copy from teacher Wang's document had two spaces, and it works after deleting one space!

The following occurs when the user configuration file has not been imported:

#OpenVPN client connection log (extended):
Sat Mar 05 22:40:06 2022 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Sat Mar 05 22:40:06 2022 Windows version 6.2 (Windows 8 or greater) 64bit
Sat Mar 05 22:40:06 2022 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Enter Management Password:
Sat Mar 05 22:40:06 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 05 22:40:06 2022 Need hold release from management interface, waiting...
Sat Mar 05 22:40:06 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 05 22:40:06 2022 MANAGEMENT: CMD 'state on'
Sat Mar 05 22:40:06 2022 MANAGEMENT: CMD 'log all on'
Sat Mar 05 22:40:06 2022 MANAGEMENT: CMD 'echo all on'
Sat Mar 05 22:40:06 2022 MANAGEMENT: CMD 'bytecount 5'
Sat Mar 05 22:40:06 2022 MANAGEMENT: CMD 'hold off'
Sat Mar 05 22:40:06 2022 MANAGEMENT: CMD 'hold release'
Sat Mar 05 22:40:06 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]10.0.0.8:1194
Sat Mar 05 22:40:06 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Mar 05 22:40:06 2022 Attempting to establish TCP connection with [AF_INET]10.0.0.8:1194 [nonblock]
Sat Mar 05 22:40:06 2022 MANAGEMENT: >STATE:1646491206,TCP_CONNECT,,,,,,
Sat Mar 05 22:40:07 2022 TCP connection established with [AF_INET]10.0.0.8:1194
Sat Mar 05 22:40:07 2022 TCP_CLIENT link local: (not bound)
Sat Mar 05 22:40:07 2022 TCP_CLIENT link remote: [AF_INET]10.0.0.8:1194
Sat Mar 05 22:40:07 2022 MANAGEMENT: >STATE:1646491207,WAIT,,,,,,
Sat Mar 05 22:40:07 2022 MANAGEMENT: >STATE:1646491207,AUTH,,,,,,
Sat Mar 05 22:40:07 2022 TLS: Initial packet from [AF_INET]10.0.0.8:1194, sid=41871541 1ce28afb
Sat Mar 05 22:40:07 2022 VERIFY OK: depth=1, CN=Easy-RSA CA
Sat Mar 05 22:40:07 2022 VERIFY KU OK
Sat Mar 05 22:40:07 2022 Validating certificate extended key usage
Sat Mar 05 22:40:07 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Mar 05 22:40:07 2022 VERIFY EKU OK
Sat Mar 05 22:40:07 2022 VERIFY OK: depth=0, CN=server
Sat Mar 05 22:40:07 2022 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sat Mar 05 22:40:07 2022 [server] Peer Connection Initiated with [AF_INET]10.0.0.8:1194
Sat Mar 05 22:40:08 2022 MANAGEMENT: >STATE:1646491208,GET_CONFIG,,,,,,
Sat Mar 05 22:40:08 2022 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Mar 05 22:40:08 2022 PUSH: Received control message: 'PUSH_REPLY,route 172.30.0.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Sat Mar 05 22:40:08 2022 OPTIONS IMPORT: timers and/or timeouts modified
Sat Mar 05 22:40:08 2022 OPTIONS IMPORT: compression parms modified
Sat Mar 05 22:40:08 2022 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 05 22:40:08 2022 OPTIONS IMPORT: route options modified
Sat Mar 05 22:40:08 2022 OPTIONS IMPORT: peer-id set
Sat Mar 05 22:40:08 2022 OPTIONS IMPORT: adjusting link_mtu to 1627
Sat Mar 05 22:40:08 2022 OPTIONS IMPORT: data channel crypto options modified
Sat Mar 05 22:40:08 2022 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Mar 05 22:40:08 2022 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 05 22:40:08 2022 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Mar 05 22:40:08 2022 interactive service msg_channel=888
Sat Mar 05 22:40:08 2022 ROUTE_GATEWAY 172.31.0.1/255.255.0.0 I=11 HWADDR=fc:aa:14:1f:47:f5
Sat Mar 05 22:40:08 2022 open_tun
Sat Mar 05 22:40:08 2022 TAP-WIN32 device [本地连接] opened: \\.\Global\{B88E9BD7-CD76-4041-B018-D0E4B299483D}.tap
Sat Mar 05 22:40:08 2022 TAP-Windows Driver Version 9.24
Sat Mar 05 22:40:08 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {B88E9BD7-CD76-4041-B018-D0E4B299483D} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Sat Mar 05 22:40:08 2022 Successful ARP Flush on interface [42] {B88E9BD7-CD76-4041-B018-D0E4B299483D}
Sat Mar 05 22:40:08 2022 MANAGEMENT: >STATE:1646491208,ASSIGN_IP,,10.8.0.6,,,,
Sat Mar 05 22:40:14 2022 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Mar 05 22:40:14 2022 MANAGEMENT: >STATE:1646491214,ADD_ROUTES,,,,,,
Sat Mar 05 22:40:14 2022 C:\Windows\system32\route.exe ADD 172.30.0.0 MASK 255.255.255.0 10.8.0.5
Sat Mar 05 22:40:14 2022 Route addition via service succeeded
Sat Mar 05 22:40:14 2022 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Mar 05 22:40:14 2022 Route addition via service succeeded
Sat Mar 05 22:40:14 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Mar 05 22:40:14 2022 Initialization Sequence Completed
Sat Mar 05 22:40:14 2022 MANAGEMENT: >STATE:1646491214,CONNECTED,SUCCESS,10.8.0.6,10.0.0.8,1194,10.0.0.1,56488
Sat Mar 05 22:42:42 2022 C:\Windows\system32\route.exe DELETE 172.30.0.0 MASK 255.255.255.0 10.8.0.5
Sat Mar 05 22:42:42 2022 Route deletion via service succeeded
Sat Mar 05 22:42:42 2022 C:\Windows\system32\route.exe DELETE 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Mar 05 22:42:42 2022 Route deletion via service succeeded
Sat Mar 05 22:42:42 2022 Closing TUN/TAP interface
Sat Mar 05 22:42:42 2022 TAP: DHCP address released
Sat Mar 05 22:42:42 2022 SIGTERM[hard,] received, process exiting
Sat Mar 05 22:42:42 2022 MANAGEMENT: >STATE:1646491362,EXITING,SIGTERM,,,,,
#Enable backward-compatible compression
[root@openvpn-server ~]#vim /etc/openvpn/server/server.conf
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
comp-lzo            #add this line
#After the Windows client connects, the server shows the following log messages
[root@openvpn-server ~]#tail -f /var/log/openvpn/openvpn.log -n0
10.0.0.1:54268 41 variation(s) on previous 20 message(s) suppressed by --mute
10.0.0.1:54268 TLS: Initial packet from [AF_INET]10.0.0.1:54268, sid=c7221ddb 560d1a73
10.0.0.1:54268 VERIFY OK: depth=1, CN=Easy-RSA CA
10.0.0.1:54268 VERIFY OK: depth=0, CN=linxiaodong
10.0.0.1:54268 peer info: IV_VER=2.4.9
10.0.0.1:54268 peer info: IV_PLAT=win
10.0.0.1:54268 peer info: IV_PROTO=2
10.0.0.1:54268 peer info: IV_NCP=2
10.0.0.1:54268 peer info: IV_LZ4=1
10.0.0.1:54268 peer info: IV_LZ4v2=1
10.0.0.1:54268 peer info: IV_LZO=1
10.0.0.1:54268 peer info: IV_COMP_STUB=1
10.0.0.1:54268 peer info: IV_COMP_STUBv2=1
10.0.0.1:54268 peer info: IV_TCPNL=1
10.0.0.1:54268 peer info: IV_GUI_VER=OpenVPN_GUI_11
10.0.0.1:54268 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
10.0.0.1:54268 [linxiaodong] Peer Connection Initiated with [AF_INET]10.0.0.1:54268
MULTI: new connection by client 'linxiaodong' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
MULTI: Learn: 10.8.0.6 -> linxiaodong/10.0.0.1:54268
MULTI: primary virtual IP for linxiaodong/10.0.0.1:54268: 10.8.0.6
linxiaodong/10.0.0.1:54268 PUSH: Received control message: 'PUSH_REQUEST'
linxiaodong/10.0.0.1:54268 SENT CONTROL [linxiaodong]: 'PUSH_REPLY,route 172.30.0.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
linxiaodong/10.0.0.1:54268 Data Channel: using negotiated cipher 'AES-256-GCM'
linxiaodong/10.0.0.1:54268 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
linxiaodong/10.0.0.1:54268 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 80
linxiaodong/10.0.0.1:54268 Bad LZO decompression header byte: 96
linxiaodong/10.0.0.1:54268 NOTE: --mute triggered...
#Pinging 172.30.0.100 from Windows times out
#Remove comp-lzo and it works again
#Enable the security hardening that mitigates DoS attacks
[root@openvpn-server ~]#openvpn --genkey --secret /etc/openvpn/certs/ta.key
[root@openvpn-server ~]#cat /etc/openvpn/certs/ta.key
#
# 2048 bit OpenVPN static key
#
[root@openvpn-server ~]#ll /etc/openvpn/certs/
total 24
-rw------- 1 root root 1204 Mar  4 20:39 ca.crt
-rw------- 1 root root  424 Mar  4 20:39 dh.pem
-rw------- 1 root root 4608 Mar  4 20:39 server.crt
-rw------- 1 root root 1704 Mar  4 20:39 server.key
-rw------- 1 root root  636 Mar  6 11:31 ta.key
[root@openvpn-server ~]#vim /etc/openvpn/server/server.conf
port 1194
proto tcp                                   #changed back to the default tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
tls-auth /etc/openvpn/certs/ta.key 0        #1 on the client, 0 on the server
#Copy ta.key to the config directory on the Windows client
#Change the client configuration file back to tcp
#Edit the client configuration file client.ovpn and add the following line
tls-auth ta.key 1
#Restart succeeds and the client reconnects automatically
[root@openvpn-server ~]#systemctl restart openvpn-server@server.service
#Create a new user: generate a password-protected private key and certificate request
[root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-client/3/
[root@openvpn-server 3]#./easyrsa gen-req magedu
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
....+++++
.....................................................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-11436.MvLgfb/tmp.IqR5C1'
Enter PEM pass phrase:                      #enter the passphrase
Verifying - Enter PEM pass phrase:          #enter the passphrase a second time
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [magedu]:     #accept the default and press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/magedu.req
key: /etc/openvpn/easy-rsa-client/3/pki/private/magedu.key
#Import the user's certificate request and issue the certificate
[root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[root@openvpn-server 3]#./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/magedu.req magedu
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

The request has been successfully imported with a short name of: magedu
You may now use this name to perform signing operations on this request.
#Issue the certificate
[root@openvpn-server 3]#./easyrsa sign client magedu
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = magedu

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes                                             #type yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-11601.TJBxvv/tmp.lWx3D5
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'magedu'
Certificate is to be certified until Jun  4 03:56:37 2022 GMT (90 days)     #validity period
Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/magedu.crt
[root@openvpn-server 3]#cat /etc/openvpn/easy-rsa-server/3/pki/index.txt
V   320301114028Z       DA37C45781BE832554ADD42152B14E72    unknown /CN=server
V   220602121835Z       4D81B88EE05D328D8D7B8CA615C025DF    unknown /CN=linxiaodong
V   220602123126Z       8A5AECDF1961D802096DC4C4C5723318    unknown /CN=dong
V   220604035637Z       5EC2B841F00F8047D796CF7F2BB34BA9    unknown /CN=magedu
#Place the user's certificate files in the designated directory
[root@openvpn-server 3]#mkdir /etc/openvpn/client/magedu
[root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-server/3/pki/issued/magedu.crt /etc/openvpn/client/magedu
[root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-client/3/pki/private/magedu.key /etc/openvpn/client/magedu
[root@openvpn-server 3]#cp /etc/openvpn/certs/{ca.crt,dh.pem,ta.key} /etc/openvpn/client/magedu
[root@openvpn-server 3]#cp /etc/openvpn/client/linxiaodong/client.ovpn /etc/openvpn/client/magedu
[root@openvpn-server 3]#ll /etc/openvpn/client/magedu
total 28
-rw------- 1 root root 1204 Mar  6 12:01 ca.crt
-rw-r--r-- 1 root root  235 Mar  6 12:02 client.ovpn
-rw------- 1 root root  424 Mar  6 12:01 dh.pem
-rw------- 1 root root 4492 Mar  6 12:00 magedu.crt
-rw------- 1 root root 1854 Mar  6 12:01 magedu.key
-rw------- 1 root root  636 Mar  6 12:01 ta.key
#Adjust the configuration below to match the server side; it must stay in sync with the server
[root@openvpn-server 3]#cd /etc/openvpn/client/magedu
[root@openvpn-server magedu]#vim client.ovpn
client
dev tun
proto tcp
remote 10.0.0.8 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert magedu.crt
key magedu.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
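An added example, not part of the original notes, that checks a client.ovpn against the server.conf before the profile is zipped and handed to the user: proto, dev, the remote port, cipher, compress, the tls-auth key direction (0 on the server, 1 on the client) and remote-cert-tls server all have to line up. SERVER_CONF is abridged from the notes' server.conf, CLIENT_OVPN is constructed with two deliberate mismatches, and the non-ASCII character check is an addition of my own.

```python
"""Check that a client .ovpn is consistent with the server.conf it targets.

Added example, not code from the original notes. The notes require the client
profile to stay in sync with the server (proto, cipher, compress, the tls-auth
key direction 0 on the server and 1 on the client, the remote port) and keep
remote-cert-tls server so a client certificate cannot pose as the server.
SERVER_CONF is abridged from the notes; CLIENT_OVPN is constructed with two
deliberate mismatches. The non-ASCII check is my own addition.
"""

SERVER_CONF = """\
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
tls-auth /etc/openvpn/certs/ta.key 0
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote 10.0.0.8 1194
resolv-retry infinite
nobind
ca ca.crt
cert magedu.crt
key magedu.key
remote-cert-tls server
tls-auth ta.key 0
cipher AES-256-CBC
verb 3
compress lz4-v2
"""


def parse_options(text):
    """Map each option to the argument list of its last occurrence; '#' comments are ignored."""
    opts, bad_lines = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if any(ord(ch) > 127 for ch in raw):
            bad_lines.append(lineno)  # e.g. a full-width space pasted from a document
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts, bad_lines


def check_profile(server_text, client_text):
    """Return human-readable mismatches; an empty list means the profile matches the server."""
    s, s_bad = parse_options(server_text)
    c, c_bad = parse_options(client_text)
    problems = [f"non-ASCII character in server line {n}" for n in s_bad]
    problems += [f"non-ASCII character in client line {n}" for n in c_bad]
    if "client" not in c:
        problems.append("client: directive missing")
    # transport and device type must match or the handshake never starts
    sp, cp = s.get("proto", ["udp"])[0][:3], c.get("proto", ["udp"])[0][:3]
    if sp != cp:
        problems.append(f"proto: server {sp}, client {cp}")
    if s.get("dev") != c.get("dev"):
        problems.append(f"dev: server {s.get('dev')}, client {c.get('dev')}")
    # the remote port must be the server's listening port (1194 when omitted)
    port = s.get("port", ["1194"])[0]
    remote = c.get("remote")
    rport = remote[1] if remote and len(remote) > 1 else "1194"
    if remote is None:
        problems.append("remote: missing")
    elif rport != port:
        problems.append(f"remote port: server listens on {port}, client uses {rport}")
    # data-channel settings fixed on the server must be mirrored on the client
    for opt in ("cipher", "compress"):
        if s.get(opt) != c.get(opt):
            problems.append(f"{opt}: server {s.get(opt)}, client {c.get(opt)}")
    # tls-auth key direction: 0 on the server pairs with 1 on the client (or none on both)
    st, ct = s.get("tls-auth"), c.get("tls-auth")
    if st and not ct:
        problems.append("tls-auth: server requires ta.key but client has none")
    elif st and ct:
        sdir = st[1] if len(st) > 1 else None
        cdir = ct[1] if len(ct) > 1 else None
        if (sdir, cdir) not in {("0", "1"), ("1", "0"), (None, None)}:
            problems.append(f"tls-auth direction: server {sdir}, client {cdir} (must be opposite)")
    # without this a client certificate from the same CA could impersonate the server
    if c.get("remote-cert-tls") != ["server"]:
        problems.append("remote-cert-tls server: missing")
    return problems


if __name__ == "__main__":
    for p in check_profile(SERVER_CONF, CLIENT_OVPN):
        print("MISMATCH:", p)
```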
[root@openvpn-server ~]#cd /etc/openvpn/client/magedu
[root@openvpn-server magedu]#zip -e /root/magedu.zip ./*
Enter password:
Verify password: 
  adding: ca.crt (deflated 26%)
  adding: client.ovpn (deflated 26%)
  adding: dh.pem (deflated 18%)
  adding: magedu.crt (deflated 45%)
  adding: magedu.key (deflated 24%)
  adding: ta.key (deflated 40%)
#Place the files in the C:\Program Files\OpenVPN\config directory on the Windows client
#Restart the service
[root@openvpn-server magedu]#systemctl restart openvpn-server@server.service 

Reconnect the Windows client

An error is reported if config already contains a configuration file with the same name

#Move the server clock 120 days into the future
[root@openvpn-server ~]#date -s '120 day'
Sat Aug 13 13:38:56 CST 2022
#The server log shows that the user certificate has expired
[root@openvpn-server ~]#tail -f /var/log/openvpn/openvpn.log -n0
TCP connection established with [AF_INET]10.0.0.1:62480
10.0.0.1:62480 TLS: Initial packet from [AF_INET]10.0.0.1:62480, sid=cf814e10 0f2b95d5
10.0.0.1:62480 VERIFY OK: depth=1, CN=Easy-RSA CA
10.0.0.1:62480 VERIFY ERROR: depth=0, error=certificate has expired: CN=magedu, serial=125958474381830625980013234418110122921
10.0.0.1:62480 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
10.0.0.1:62480 TLS_ERROR: BIO read tls_read_plaintext error
10.0.0.1:62480 TLS Error: TLS object -> incoming plaintext read error
10.0.0.1:62480 TLS Error: TLS handshake failed
10.0.0.1:62480 Fatal TLS error (check_tls_errors_co), restarting
#Restore the system time
[root@openvpn-server ~]#clock -s
[root@openvpn-server ~]#date
Sun Mar  6 13:43:36 CST 2022
#Revoke the specified user's certificate
[root@openvpn-server ~]#cat /etc/openvpn/easy-rsa-server/3/pki/index.txt
V   320301114028Z       DA37C45781BE832554ADD42152B14E72    unknown /CN=server
V   220602121835Z       4D81B88EE05D328D8D7B8CA615C025DF    unknown /CN=linxiaodong
V   220602123126Z       8A5AECDF1961D802096DC4C4C5723318    unknown /CN=dong
V   220604035637Z       5EC2B841F00F8047D796CF7F2BB34BA9    unknown /CN=magedu
[root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-server/3/
[root@openvpn-server 3]#./easyrsa revoke magedu
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = magedu

Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-12891.9rk0rQ/tmp.5H1HXY
Revoking Certificate 5EC2B841F00F8047D796CF7F2BB34BA9.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
[root@openvpn-server 3]#cat /etc/openvpn/easy-rsa-server/3/pki/index.txt
V   320301114028Z       DA37C45781BE832554ADD42152B14E72    unknown /CN=server
V   220602121835Z       4D81B88EE05D328D8D7B8CA615C025DF    unknown /CN=linxiaodong
V   220602123126Z       8A5AECDF1961D802096DC4C4C5723318    unknown /CN=dong
R   220604035637Z   220306055023Z   5EC2B841F00F8047D796CF7F2BB34BA9    unknown /CN=magedu
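The checks the notes perform by hand (the R row in index.txt, the VERIFY ERROR lines whose serial is printed in decimal, a client that is still connected after its certificate was revoked) as an added Python example that is not part of the original notes. The index.txt rows and the linxiaodong status row are taken from the notes; the magedu CLIENT_LIST row is constructed.

```python
"""Audit OpenVPN sessions and VERIFY ERROR log lines against easy-rsa's index.txt.

Added example, not code from the original notes. A row marked R in index.txt
does not end a session that is already up, and openvpn logs certificate
serials in decimal while index.txt stores them in hex; this script bridges
both. Sample data is taken from the notes except the constructed magedu
CLIENT_LIST row.
"""
import re
from datetime import datetime, timezone

# index.txt after revoking magedu (values from the notes; the real file is tab-separated)
INDEX_TXT = (
    "V\t320301114028Z\t\tDA37C45781BE832554ADD42152B14E72\tunknown\t/CN=server\n"
    "V\t220602121835Z\t\t4D81B88EE05D328D8D7B8CA615C025DF\tunknown\t/CN=linxiaodong\n"
    "V\t220602123126Z\t\t8A5AECDF1961D802096DC4C4C5723318\tunknown\t/CN=dong\n"
    "R\t220604035637Z\t220306055023Z\t5EC2B841F00F8047D796CF7F2BB34BA9\tunknown\t/CN=magedu\n"
)

# openvpn-status.log in --status-version 2 form; the magedu row is constructed
STATUS_LOG = (
    "TIME,Sun Mar  6 14:00:00 2022,1646546400\n"
    "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,"
    "Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID\n"
    "CLIENT_LIST,linxiaodong,10.0.0.1:62275,10.8.0.6,,18932,10677,Sat Mar  5 17:00:50 2022,1646470850,UNDEF,2,0\n"
    "CLIENT_LIST,magedu,10.0.0.1:62480,10.8.0.10,,4120,2210,Sun Mar  6 13:50:00 2022,1646545800,UNDEF,3,1\n"
    "END\n"
)

VERIFY_ERROR_RE = re.compile(
    r"VERIFY ERROR: depth=0, error=(?P<reason>[^:]+): CN=(?P<cn>[^,]+), serial=(?P<serial>\d+)"
)


def parse_utctime(s):
    """ASN.1 UTCTime 'YYMMDDHHMMSSZ' as written in index.txt (%y maps 00-68 to 20xx)."""
    return datetime.strptime(s, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return {CN: {status, not_after, revoked_at, serial_hex, serial_dec}} from index.txt."""
    certs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # V rows carry an empty revocation column; drop empty fields so indexing is uniform
        f = [x for x in line.split("\t") if x] if "\t" in line else line.split()
        status, serial_hex, dn = f[0], f[-3], f[-1]
        cn = next((p[3:] for p in dn.split("/") if p.startswith("CN=")), dn)
        certs[cn] = {"status": status, "not_after": parse_utctime(f[1]),
                     "revoked_at": parse_utctime(f[2]) if status == "R" else None,
                     "serial_hex": serial_hex,
                     "serial_dec": int(serial_hex, 16)}  # openvpn logs serial=<decimal>
    return certs


def cert_problem(cert, now):
    """'revoked', 'expired', 'unknown-to-ca' or None for one index.txt entry at time now."""
    if cert is None:
        return "unknown-to-ca"
    if cert["status"] == "R":
        return "revoked"
    if cert["status"] == "E" or now >= cert["not_after"]:
        return "expired"
    return None


def parse_status_clients(text):
    """Yield (common_name, real_address) for every CLIENT_LIST row of a v2 status log."""
    for line in text.splitlines():
        if line.startswith("CLIENT_LIST,"):
            f = line.split(",")
            yield f[1], f[2]


def audit_sessions(index_text, status_text, now):
    """Connected clients that should have been refused: [(cn, real_address, problem), ...]."""
    certs = parse_index(index_text)
    findings = []
    for cn, real_addr in parse_status_clients(status_text):
        problem = cert_problem(certs.get(cn), now)
        if problem:
            findings.append((cn, real_addr, problem))
    return findings


def match_verify_error(line, index_text):
    """Resolve a server-log VERIFY ERROR line to its index.txt row via the decimal serial."""
    m = VERIFY_ERROR_RE.search(line)
    if not m:
        return None
    for cn, cert in parse_index(index_text).items():
        if cert["serial_dec"] == int(m["serial"]):
            return {"cn": cn, "reason": m["reason"], "status": cert["status"],
                    "serial_hex": cert["serial_hex"]}
    return {"cn": m["cn"], "reason": m["reason"], "status": None, "serial_hex": None}


if __name__ == "__main__":
    for cn, addr, problem in audit_sessions(INDEX_TXT, STATUS_LOG, parse_utctime("220306140000Z")):
        print(f"{cn} from {addr}: {problem} -> gen-crl, crl-verify, restart the service")
    print(match_verify_error("10.0.0.1:62723 VERIFY ERROR: depth=0, error=certificate revoked: "
                             "CN=magedu, serial=125958474381830625980013234418110122921", INDEX_TXT))
```

Run against the real files with the status path from server.conf; a non-empty audit list means the CRL step has not yet reached the running service.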
#Disconnect the client now: user magedu can still connect successfully
#After every revocation the CRL file must be regenerated and the OpenVPN service restarted
[root@openvpn-server 3]#./easyrsa gen-crl
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-12938.rNOHRe/tmp.IOyJ6y

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa-server/3/pki/crl.pem
#Copy it to Windows, rename the extension to .crl and double-click it to view the information shown below

#The first time a certificate is revoked, the configuration file must be edited to reference the CRL; later revocations do not need this step
[root@openvpn-server 3]#vim /etc/openvpn/server/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
tls-auth /etc/openvpn/certs/ta.key 0
crl-verify /etc/openvpn/easy-rsa-server/3/pki/crl.pem       #add this line
#After every revocation the service must be restarted for the new CRL to take effect
[root@openvpn-server 3]#systemctl restart openvpn-server@server.service
#The client's next connection attempt fails

#Watch the OpenVPN log
[root@openvpn-server ~]#tail -f /var/log/openvpn/openvpn.log -n0
TCP connection established with [AF_INET]10.0.0.1:62723
10.0.0.1:62723 TLS: Initial packet from [AF_INET]10.0.0.1:62723, sid=6e0204af 2d63be1a
10.0.0.1:62723 WARNING: Failed to stat CRL file, not (re)loading CRL.
10.0.0.1:62723 VERIFY ERROR: depth=0, error=certificate revoked: CN=magedu, serial=125958474381830625980013234418110122921
10.0.0.1:62723 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
10.0.0.1:62723 TLS_ERROR: BIO read tls_read_plaintext error
10.0.0.1:62723 TLS Error: TLS object -> incoming plaintext read error
10.0.0.1:62723 TLS Error: TLS handshake failed
10.0.0.1:62723 Fatal TLS error (check_tls_errors_co), restarting
#Delete the certificate files of the departed user whose certificate was revoked
[root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-client/3/
[root@openvpn-server 3]#rm -f pki/private/magedu.key
[root@openvpn-server 3]#rm -f pki/reqs/magedu.req
[root@openvpn-server 3]#rm -rf /etc/openvpn/client/magedu/*
[root@openvpn-server 3]#rm -f /etc/openvpn/easy-rsa-server/3/pki/reqs/magedu.req
[root@openvpn-server 3]#rm -f /etc/openvpn/easy-rsa-server/3/pki/issued/magedu.crt
#Optionally delete the earlier record marked R (revoked)
[root@openvpn-server 3]#vim /etc/openvpn/easy-rsa-server/3/pki/index.txt
#Automate certificate issuance with a script
[root@openvpn-server ~]#vim openvpn-user-crt.sh
#!/bin/bash
#Create (or recreate) an OpenVPN client certificate and bundle it for the user
. /etc/init.d/functions

OPENVPN_SERVER=10.0.0.8
PASS=123456

#Remove any earlier files for this user so the same name can be issued again
remove_cert () {
    rm -rf /etc/openvpn/client/${NAME}
    find /etc/openvpn/ -name "$NAME.*" -delete
}

create_cert () {
    #Generate the key and request in the client-side PKI; the empty line accepts the default CN
    cd /etc/openvpn/easy-rsa-client/3 || exit 1
    ./easyrsa gen-req ${NAME} nopass <<EOF

EOF
    #Import the request into the CA and sign it as a client certificate
    cd /etc/openvpn/easy-rsa-server/3 || exit 1
    ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}
    ./easyrsa sign client ${NAME} <<EOF
yes
EOF
    #Collect the certificate, key, CA, DH and tls-auth files and write the client profile
    mkdir -p /etc/openvpn/client/${NAME}
    cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt /etc/openvpn/client/${NAME}
    cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key /etc/openvpn/client/${NAME}
    cp /etc/openvpn/certs/{ca.crt,dh.pem,ta.key} /etc/openvpn/client/${NAME}
    cat > /etc/openvpn/client/${NAME}/client.ovpn <<EOF
client
dev tun
proto tcp
remote $OPENVPN_SERVER 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert $NAME.crt
key $NAME.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF
    echo "证书存放路径:/etc/openvpn/client/${NAME},证书文件如下:"
    echo -e "\E[1;32m******************************************************************\E[0m"
    ls -l /etc/openvpn/client/${NAME}
    echo -e "\E[1;32m******************************************************************\E[0m"
    #Password-protected zip for transfer to the user's Windows client
    cd /etc/openvpn/client/${NAME} && zip -qP "$PASS" /root/${NAME}.zip *
    action "证书的打包文件已生成: /root/${NAME}.zip"
}

read -p "请输入用户的姓名拼音(如:wangxiaochun): " NAME
#Refuse an empty name; otherwise remove_cert would wipe the whole client directory
[ -z "$NAME" ] && { echo "a user name is required"; exit 1; }
remove_cert
create_cert
[root@openvpn-server ~]#bash openvpn-user-crt.sh
请输入用户的姓名拼音(如:wangxiaochun): dongdong
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
.........+++++
.....................................................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-13889.bwt38q/tmp.rpYqtB'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [dongdong]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/dongdong.req
key: /etc/openvpn/easy-rsa-client/3/pki/private/dongdong.key
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

The request has been successfully imported with a short name of: dongdong
You may now use this name to perform signing operations on this request.
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 90 days:

subject=
    commonName                = dongdong

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-13937.SqHy11/tmp.c6dvC8
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'dongdong'
Certificate is to be certified until Jun  4 07:37:56 2022 GMT (90 days)Write out database with 1 new entries
Data Base UpdatedCertificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/dongdong.crt证书存放路径:/etc/openvpn/client/dongdong,证书文件如下:
******************************************************************
total 28
-rw------- 1 root root 1204 Mar  6 15:37 ca.crt
-rw-r--r-- 1 root root  229 Mar  6 15:37 client.ovpn
-rw------- 1 root root  424 Mar  6 15:37 dh.pem
-rw------- 1 root root 4498 Mar  6 15:37 dongdong.crt
-rw------- 1 root root 1704 Mar  6 15:37 dongdong.key
-rw------- 1 root root  636 Mar  6 15:37 ta.key
******************************************************************
证书的打包文件已生成: /root/dongdong.zip                   [  OK  ]
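The "Write out database with 1 new entries / Data Base Updated" lines above show the CA recording the new certificate in its database, which easy-rsa keeps as pki/index.txt (one tab-separated record per certificate: status, expiry, revocation date, serial, filename, subject). Because the script issues 90-day client certificates, someone has to notice when they are about to lapse, and revoked users must stay revoked. The following is an added example, not part of the original page or of easy-rsa, that audits such an index: it parses the records, derives each certificate's real status from the dates (index.txt only flips a record to E when the database is updated with openssl ca -updatedb or easyrsa update-db), and lists the valid ones that expire within a warning window. The sample index is constructed for the example; the serials and the first two entries are made up, and dongdong's expiry matches the transcript above.

```python
"""Audit an easy-rsa / OpenSSL CA database (pki/index.txt).

Added example: not part of the original page or of easy-rsa itself.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample of pki/index.txt. Fields are tab-separated:
# status (V=valid, R=revoked, E=expired), expiry (YYMMDDHHMMSSZ),
# revocation date (empty unless revoked), serial, filename, subject DN.
# Serials and the first two records are made up; dongdong's expiry is
# the one printed in the transcript (Jun 4 07:37:56 2022 GMT).
SAMPLE_INDEX = (
    "V\t301231235959Z\t\t01\tunknown\t/CN=openvpn-server.magedu.org\n"
    "R\t220430120000Z\t220301090000Z\t02\tunknown\t/CN=wangxiaochun\n"
    "V\t220604073756Z\t\t03\tunknown\t/CN=dongdong\n"
)


@dataclass
class IndexEntry:
    status: str
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    subject: str

    def common_name(self) -> str:
        # The subject is a slash-separated DN such as "/C=CN/CN=dongdong".
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return self.subject


def parse_asn1_time(value: str) -> datetime:
    """Parse the UTCTime form (YYMMDDHHMMSSZ) used in index.txt."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, _filename, subject = line.split("\t")
        # A revocation field may carry a reason: "220301090000Z,keyCompromise".
        rev_date = revocation.split(",", 1)[0] if revocation else ""
        entries.append(IndexEntry(
            status=status,
            expires=parse_asn1_time(expiry),
            revoked=parse_asn1_time(rev_date) if rev_date else None,
            serial=serial,
            subject=subject,
        ))
    return entries


def effective_status(entry: IndexEntry, now: datetime) -> str:
    """Status as of `now`, computed from the dates rather than trusting the E flag."""
    if entry.status == "R":
        return "revoked"
    if entry.expires <= now:
        return "expired"
    return "valid"


def expiring_within(entries: List[IndexEntry], now: datetime, days: int) -> List[str]:
    """Common names of valid certificates that expire within `days` of `now`."""
    horizon = now + timedelta(days=days)
    return [e.common_name() for e in entries
            if effective_status(e, now) == "valid" and e.expires <= horizon]


def summarize(text: str, now: datetime, warn_days: int = 14) -> dict:
    entries = parse_index(text)
    by_status = {s: sorted(e.common_name() for e in entries if effective_status(e, now) == s)
                 for s in ("valid", "revoked", "expired")}
    by_status["expiring_soon"] = sorted(expiring_within(entries, now, warn_days))
    return by_status


if __name__ == "__main__":
    # A fixed "now" keeps the run reproducible: ten days before dongdong expires.
    report = summarize(SAMPLE_INDEX, parse_asn1_time("220525000000Z"))
    for key, names in report.items():
        print(f"{key:14s} {', '.join(names) or '-'}")
```

To run it against a real CA, replace SAMPLE_INDEX with the contents of /etc/openvpn/easy-rsa-server/3/pki/index.txt and pass datetime.now(timezone.utc) as `now`; anything listed under expiring_soon is a candidate for re-issuing with the script above, and anything under revoked must also appear in the CRL the server loads.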

2. Installing MySQL 5.7 from source and from the binary tarball

Example: compiling MySQL 5.7 from source on CentOS 7

#Install the build dependencies
[root@centos17 ~]#yum -y install gcc gcc-c++ cmake bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel  ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel perl-Data-Dumper ncurses-static ncurses-term
#Create the service user and the data directory
[root@centos17 ~]#useradd -r -s /sbin/nologin -d /data/mysql mysql
[root@centos17 ~]#mkdir /data/mysql
[root@centos17 ~]#chown mysql.mysql /data/mysql
#Download and unpack the source tarball; use the "boost" variant, which bundles the Boost version 5.7 needs
[root@centos17 ~]#wget https://cdn.mysql.com/archives/mysql-5.7/mysql-boost-5.7.36.tar.gz
[root@centos17 ~]#tar xf mysql-boost-5.7.36.tar.gz -C /usr/local/src/
#Configure and build. Unlike MySQL 5.6, 5.7 requires the -DWITH_BOOST option
[root@centos27 ~]#cd /usr/local/src/mysql-5.7.36/
[root@centos27 ~]#cmake . \
-DCMAKE_INSTALL_PREFIX=/apps/mysql \
-DMYSQL_DATADIR=/data/mysql/ \
-DSYSCONFDIR=/etc/ \
-DMYSQL_USER=mysql \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITHOUT_MROONGA_STORAGE_ENGINE=1 \
-DWITH_DEBUG=0 \
-DWITH_READLINE=1 \
-DWITH_SSL=system \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci \
-DWITH_BOOST=./boost/boost_1_59_0
#If cmake fails, delete its cache and run it again: rm -f CMakeCache.txt
#Note that -DENABLED_LOCAL_INFILE=1 turns LOAD DATA LOCAL on by default; leave it at 0 unless an application needs it
#The build takes a long time; allow at least 4 GB of RAM, and more CPU cores help
[root@centos17 mysql-5.7.36]#make && make install
#Set up the environment variable
[root@centos17 ~]#echo 'PATH=/apps/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos17 ~]#. /etc/profile.d/mysql.sh
#Initialize the data directory (--initialize-insecure creates root@localhost with an empty password, so set one before the server is reachable)
[root@centos17 ~]#cd /apps/mysql/bin/
[root@centos17 bin]#./mysqld --initialize-insecure --user=mysql --datadir=/data/mysql
#Write the configuration file
[root@centos17 ~]#cat > /etc/my.cnf <<EOF
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
EOF
#skip-grant-tables is not needed for 5.7 and must not go in this file: it switches off privilege checking for every connection, so any client connects as any user without a password, and while it is active mysql_secure_installation cannot set the root password at all. Use it only as a one-off local recovery step when root's password has been lost, then remove it and restart.
#Install the init script and start the service
[root@centos17 ~]#cp -b /apps/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos17 ~]#chkconfig --add mysqld
[root@centos17 ~]#service mysqld start
#Secure the installation: set the root password, remove anonymous users and the test database, and disallow remote root login
[root@centos17 ~]#mysql_secure_installation
#Log in with the root password just set
[root@centos27 bin]#mysql -uroot -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.36 Source distribution

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Example: manual installation of the MySQL 5.7 binary tarball on CentOS 8

#Install the runtime dependencies
[root@centos8 ~]#yum install libaio numactl-libs ncurses-compat-libs ncurses-c++-libs -y
#Create the group and the service user
[root@centos8 ~]#groupadd mysql
[root@centos8 ~]#useradd -r -g mysql -s /bin/false mysql
#Fetch and unpack the binary tarball. The mirror is plain HTTP, so compare the file's checksum with the one published on dev.mysql.com before unpacking it
[root@centos8 ~]#wget http://mirrors.163.com/mysql/Downloads/MySQL-5.7/mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz
[root@centos8 ~]#tar xf mysql-5.7.35-linux-glibc2.12-x86_64.tar.gz -C /usr/local
[root@centos8 ~]#cd /usr/local
[root@centos8 local]#ln -s mysql-5.7.35-linux-glibc2.12-x86_64/ mysql
[root@centos8 local]#chown -R root.root /usr/local/mysql/
#Set up the environment variable
[root@centos8 local]#echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos8 local]#. /etc/profile.d/mysql.sh
#Write the configuration file
[root@centos8 local]#cat > /etc/my.cnf <<EOF
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
EOF
#Initialize the data directory; --initialize-insecure creates root@localhost with an empty password
[root@centos8 local]#mysqld --initialize-insecure --user=mysql --datadir=/data/mysql
#Install the init script and start the service
[root@centos8 local]#cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos8 local]#chkconfig --add mysqld
[root@centos8 local]#service mysqld start
Starting MySQL. SUCCESS! 
#Replace the empty root password with the one you want. A password given on the command line ends up in the shell history and is visible in ps output; running mysqladmin -uroot password with no argument prompts for it instead
[root@centos8 local]#mysqladmin -uroot password magedu
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
Warning: Since password will be sent to server in plain text, use ssl connection to ensure password safety.
#Log in again (the same caveat applies to -pmagedu; mysql -u root -p prompts for the password)
[root@centos8 ~]#mysql -u root -pmagedu
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 5.7.35 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

3. Installing MariaDB 10.4 from the binary tarball

#Install the runtime dependencies
[root@centos8 ~]#yum install libaio numactl-libs ncurses-compat-libs ncurses-c++-libs -y
#Create the group and the service user
[root@centos8 ~]#groupadd mysql
[root@centos8 ~]#useradd -r -g mysql -s /bin/false mysql
#Create the data directory
[root@centos17 ~]#mkdir /data/mysql
[root@centos17 ~]#chown mysql.mysql /data/mysql
#Fetch and unpack the binary tarball; compare its checksum with the one published by MariaDB before unpacking
[root@centos8 ~]#wget https://mirrors.aliyun.com/mariadb/mariadb-10.4.24/bintar-linux-x86_64/mariadb-10.4.24-linux-x86_64.tar.gz
[root@centos8 ~]#tar xf mariadb-10.4.24-linux-x86_64.tar.gz -C /usr/local/
[root@centos8 ~]#cd /usr/local/
[root@centos8 local]# ln -s mariadb-10.4.24-linux-x86_64/ mysql
[root@centos8 local]#chown -R root.root /usr/local/mysql/
#Set up the environment variable
[root@centos8 local]#echo 'PATH=/usr/local/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@centos8 local]#. /etc/profile.d/mysql.sh
#Write the configuration file
[root@centos8 local]#cat > /etc/my.cnf <<EOF
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
[client]
socket=/data/mysql/mysql.sock
EOF
#Initialize the data directory (run from /usr/local/mysql); root is created without a password
[root@centos8 mysql]# scripts/mariadb-install-db --datadir=/data/mysql --user=mysql
#Install the init script and start the service
[root@centos8 local]#cp /usr/local/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos8 local]#chkconfig --add mysqld
[root@centos8 local]#service mysqld start
Starting MySQL. SUCCESS! 
#Replace the empty root password (as above, prefer the interactive prompt of mysqladmin -uroot password so the password stays out of the shell history)
[root@centos8 local]#mysqladmin -uroot password magedu
mysqladmin: [Warning] Using a password on the command line interface can be insecure.
Warning: Since password will be sent to server in plain text, use ssl connection to ensure password safety.
#Log in again
[root@centos8 mysql]# mysql -u root -pmagedu
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.4.24-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
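The three my.cnf files written in this section are nearly identical, and the one line that differs (skip-grant-tables in the source-build walkthrough) is the one that matters most for security. Below is an added example, not part of the original page, of MySQL or of MariaDB, that audits a my.cnf before the service is started: it parses the [mysqld] section the way the server does (option names with '-' and '_' are equivalent, bare options such as skip-grant-tables carry no value, '#' starts a comment) and reports findings with a severity. The two sample configurations are constructed for the example: the weak one reproduces the compile-install my.cnf including skip-grant-tables, and the hardened one is the binary-install my.cnf plus a bind-address and local_infile=0, both of which are this example's additions (a server that must be reached from the web hosts would bind its internal interface address rather than 127.0.0.1). The rule set, the severity levels and the ON_VALUES list are assumptions of the example, not MySQL's.

```python
"""Audit a MySQL/MariaDB my.cnf for settings that weaken the server.

Added example: not part of the original page, of MySQL or of MariaDB.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed sample: the page's compile-install my.cnf, including the line
# that disables privilege checking.
WEAK_CNF = """\
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
skip-grant-tables       # one line more than in the 5.6 example
"""

# Constructed sample: the page's binary-install my.cnf plus two additions
# (bind-address, local_infile) chosen for this example.
HARDENED_CNF = """\
[mysqld]
datadir=/data/mysql
skip_name_resolve=1
socket=/data/mysql/mysql.sock
log-error=/data/mysql/mysql.log
pid-file=/data/mysql/mysql.pid
bind-address=127.0.0.1
local_infile=0
[client]
socket=/data/mysql/mysql.sock
"""

# Spellings MySQL accepts for a boolean "on" (assumed list for this example).
ON_VALUES = {"1", "on", "true", "yes"}

Finding = Tuple[str, str, str]  # (severity, option, message)


def parse_mycnf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {option: value}}; option names normalized to '_' form.

    Bare options (no '=') map to the empty string, mirroring how the server
    treats a valueless option as "present".
    """
    parser = configparser.ConfigParser(
        allow_no_value=True, interpolation=None,
        inline_comment_prefixes=("#",), strict=False,
    )
    # !include / !includedir are not INI syntax; drop them for this example.
    parser.read_string("\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("!")))
    return {
        section: {key.replace("-", "_"): ("" if value is None else value.strip())
                  for key, value in parser.items(section)}
        for section in parser.sections()
    }


def audit_mysqld(text: str) -> List[Finding]:
    """Findings for the [mysqld] section, most severe first."""
    mysqld = parse_mycnf(text).get("mysqld", {})
    findings: List[Finding] = []

    if "skip_grant_tables" in mysqld:
        findings.append(("CRITICAL", "skip_grant_tables",
                         "privilege checks are off: any client connects as any user with no password; "
                         "use it once for password recovery, then remove it and restart"))

    local_infile = mysqld.get("local_infile")
    if local_infile is None or local_infile.lower() in ON_VALUES:
        findings.append(("WARN", "local_infile",
                         "LOAD DATA LOCAL is allowed (MySQL 5.7 and MariaDB 10.4 default it on); "
                         "an injected query can then read files off the application host; set local_infile=0"))

    if "bind_address" not in mysqld:
        findings.append(("WARN", "bind_address",
                         "not set, so the server listens on every interface; bind the internal address"))

    if "skip_name_resolve" not in mysqld:
        findings.append(("INFO", "skip_name_resolve",
                         "host-based grants will rely on reverse DNS; set it and grant by IP"))

    if "secure_file_priv" not in mysqld:
        findings.append(("INFO", "secure_file_priv",
                         "not set explicitly; confirm the effective value with SHOW VARIABLES LIKE 'secure_file_priv'"))

    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"CRITICAL": 3, "WARN": 2, "INFO": 1}
    return max((f[0] for f in findings), key=order.get, default="OK")


if __name__ == "__main__":
    for name, cnf in (("weak (compile-install my.cnf)", WEAK_CNF), ("hardened", HARDENED_CNF)):
        findings = audit_mysqld(cnf)
        print(f"== {name}: {worst_severity(findings)}")
        for severity, option, message in findings:
            print(f"  [{severity}] {option}: {message}")
```

Run it on the real file with `audit_mysqld(open("/etc/my.cnf").read())` before `service mysqld start`; anything rated CRITICAL should block the start, and the INFO items are the settings to confirm afterwards from inside the server with SHOW VARIABLES, since a default compiled into the binary never appears in my.cnf.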
