2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to install and configure an OpenVPN server on CentOS 7, from building the certificate authority with easy-rsa 3 to connecting a Windows client. Each step shows the command, the prompts it produces and the files it leaves behind.
Environment:
The OpenVPN server runs on CentOS 7 (OpenVPN 2.4.5 and easy-rsa 3.0.3 from EPEL)
The OpenVPN client runs on Windows
The procedure is similar to a previously written article on running a CA server and signing a certificate.
OpenVPN is an SSL/TLS VPN: the TLS handshake and the encryption of the tunnel are implemented with OpenSSL.
In simple terms it works as follows:
The client and server set up a logical, encrypted connection over a virtual network interface, and the encrypted packets travel over the physical interface.
First, the server installs the software and starts the service; the daemon creates a virtual interface tun0 for the tunnel and listens on a port (UDP 1194 by default) for client connections.
Second, the client installs OpenVPN, which creates its own virtual interface; the client configuration names the IP address of the server's physical interface and the port it listens on.
Third, once the certificates, the tls-auth key and the key passphrase have been accepted on both sides, the tunnel is up and the VPN (virtual private network) can be used.
Specific configuration steps:
First: install the software
]# yum install openvpn easy-rsa
Second: prepare the directories and configuration files (create /etc/openvpn/easy-rsa first if it does not exist)
]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example /etc/openvpn/easy-rsa/vars
]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/
The copied files are: easyrsa, openssl-1.0.cnf, x509-types
]# cp /usr/share/doc/openvpn-2.4.5/sample/sample-config-files/server.conf /etc/openvpn/
Edit the vars file and set the defaults for certificate requests. The variable names are upper-case and case-sensitive; set_var with a lower-case name defines an unrelated variable that easyrsa never reads:
set_var EASYRSA_REQ_COUNTRY "cn"
set_var EASYRSA_REQ_PROVINCE "beijing"
set_var EASYRSA_REQ_CITY "beijing"
set_var EASYRSA_REQ_ORG "openvpn ca"
set_var EASYRSA_REQ_EMAIL "4*4@.qq.com"
set_var EASYRSA_REQ_OU "my vpn"
Create a server-side certificate and key:
First: initialize the PKI directory
]# cd /etc/openvpn/easy-rsa/
]# ./easyrsa init-pki
Second: create the root CA
]# ./easyrsa build-ca
Enter PEM pass phrase: enter the CA key passphrase twice and remember it (this article uses openvpn; it is required every time a certificate is signed). ca.key is the trust anchor of the whole VPN, so pick a strong passphrase in real deployments.
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: enter a name (this article uses openvpn-ca)
Press Enter; it prints:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Third: create the server key and certificate request:
]# ./easyrsa gen-req server nopass
Common Name (eg: your user, host, or server name) [server]: enter node2
nopass leaves the server key unencrypted so the daemon can start without a passphrase prompt.
Press Enter; it prints:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Fourth: sign the server certificate:
]# ./easyrsa sign server server
You are asked to confirm the request details: type yes
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: the CA passphrase from the previous step (openvpn)
Then it prints:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'node2'
Certificate is to be certified until Apr 4 16:04:29 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
The first argument, server, is the certificate type: easy-rsa applies x509-types/server, which gives the certificate the serverAuth extended key usage. The client configuration later depends on that (remote-cert-tls server), so do not sign the server request as type client.
Fifth: generate the Diffie-Hellman parameters used by the TLS key exchange:
]# ./easyrsa gen-dh
Press Enter; this takes a while, and finally prints:
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Sixth: generate the tls-auth key
]# openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key
ta.key is a shared secret: the server and every client hold the same file, and each control-channel packet carries an HMAC computed with it, so packets from anyone who does not have it are dropped before the TLS handshake even starts. Hand it out only together with the client files and never publish it.
If you skip this command, starting the server fails with:
Sat Apr 7 12:53:37 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)
Options error: Please correct these errors.
Use --help for more information.
Create a client certificate and key:
First, the request is created the same way as for the server, in a separate PKI directory (in practice this is done on the client machine, and only the .req file is sent to the CA):
]# mkdir /root/client
]# cd /root/client
]# cp -r /usr/share/easy-rsa/3.0.3/* ./
]# ./easyrsa init-pki
]# ./easyrsa gen-req client
Enter PEM pass phrase: the passphrase that protects client.key; the OpenVPN client asks for it on every connection (this article uses vpnclient)
Common Name (eg: your user, host, or server name) [client]: enter client (it is used again below)
It prints:
Keypair and certificate request completed. Your files are:
req: /root/client/pki/reqs/client.req
key: /root/client/pki/private/client.key
Second: import the request into the CA and sign it. Change back to the CA directory (/etc/openvpn/easy-rsa), then:
]# ./easyrsa import-req /root/client/pki/reqs/client.req client
It prints:
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: client
You may now use this name to perform signing operations on this request.
Third: sign the certificate
]# ./easyrsa sign client client
Confirm the request details with yes, then:
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key: openvpn
Note:
The first argument is the certificate type, client (x509-types/client, which gives the certificate the clientAuth extended key usage), and the second must be the short name used at import time. The passphrase asked for here is the CA root key passphrase set when the CA was built, not the client key passphrase, so do not mix them up. Every client should get its own certificate and key pair: a certificate shared between several devices cannot be revoked for just one of them.
It prints:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Apr 4 16:38:37 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
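Before copying anything around, it is worth checking what easy-rsa actually produced for the server and client certificates signed above. The script below is an added example, not part of the original article: for each issued certificate it verifies the chain to pki/ca.crt, checks the extended key usage the signing type should have added (serverAuth is what the client's remote-cert-tls server later insists on; clientAuth for clients), confirms the private key belongs to the certificate when an unencrypted key sits beside it, and warns if the certificate expires within 30 days. It only needs the openssl command. The PKI directory is a parameter; pki/issued and pki/private follow the easy-rsa layout used in this article (the client key lives in /root/client/pki/private in this article, so the key check is skipped for it there).

```shell
#!/bin/sh
# Added example, not from the original article: check what easy-rsa produced
# before the files are copied to the server and clients. Only the openssl CLI
# is needed. PKI is the easy-rsa pki directory (e.g. /etc/openvpn/easy-rsa/pki).

# eku_of CERT : print the Extended Key Usage names, e.g. "TLS Web Server Authentication"
eku_of() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;s/^[[:space:]]*//;p;}'
}

# check_cert PKI NAME ROLE : ROLE is "server" or "client". Returns 0 when every
# check passes; each failure is reported on stderr and makes the result 1.
check_cert() {
    pki=$1; name=$2; role=$3; rc=0
    crt=$pki/issued/$name.crt; key=$pki/private/$name.key
    case "$role" in
        server) want='TLS Web Server Authentication' ;;
        client) want='TLS Web Client Authentication' ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
    # 1. the certificate must chain to the CA the clients/server will trust
    openssl verify -CAfile "$pki/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo "$name: does not chain to $pki/ca.crt" >&2; rc=1; }
    # 2. the EKU must match the signing type ("sign server" / "sign client")
    eku_of "$crt" | grep -q "$want" \
        || { echo "$name: EKU '$want' missing (signed with the wrong type?)" >&2; rc=1; }
    # 3. key and certificate must belong together (skipped for encrypted keys,
    #    which would need the passphrase); equal SubjectPublicKeyInfo means a match
    if [ -r "$key" ] && ! grep -q ENCRYPTED "$key"; then
        pub_crt=$(openssl x509 -in "$crt" -noout -pubkey)
        pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ "$pub_crt" = "$pub_key" ] || { echo "$name: $key does not belong to $crt" >&2; rc=1; }
    fi
    # 4. fail if the certificate expires within 30 days (2592000 s)
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "$name: expires within 30 days" >&2; rc=1; }
    return $rc
}

# Stand-alone use against the article's CA directory; skipped if it is absent.
[ -d /etc/openvpn/easy-rsa/pki ] && {
    check_cert /etc/openvpn/easy-rsa/pki server server && echo "server: ok"
    check_cert /etc/openvpn/easy-rsa/pki client client && echo "client: ok"
}
```

Run it on the CA host after the signing steps; a non-zero exit from check_cert means one of the four checks printed a reason on stderr. The EKU check is the one that matters most for this setup: a server certificate issued with sign client would still let the daemon start, but every client using remote-cert-tls server would refuse to connect to it.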
Copy the related files
From /etc/openvpn/easy-rsa, copy the files the server needs into place:
]# cp pki/ca.crt /etc/openvpn/
]# cp pki/private/server.key /etc/openvpn/
]# cp pki/issued/server.crt /etc/openvpn/
]# cp pki/dh.pem /etc/openvpn/
]# cp /etc/openvpn/easy-rsa/ta.key /etc/openvpn/
server.key is unencrypted (nopass), so keep it readable by root only. The same applies to pki/private/ca.key; ideally it does not stay on the VPN server at all once signing is done, since whoever holds it can issue certificates that the server accepts.
Collect the files the client needs:
]# cp pki/ca.crt /root/client/
]# cp pki/issued/client.crt /root/client/
]# cp /root/client/pki/private/client.key /root/client/
]# cp /etc/openvpn/easy-rsa/ta.key /root/client/
Modify the VPN server configuration file (only the active lines are shown):
]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
A few things to check in this file before going live:
ipp.txt, ta.key and openvpn-status.log are relative paths and are resolved against the daemon's working directory. openvpn@server.service changes to /etc/openvpn; when starting by hand, run from /etc/openvpn or use absolute paths.
comp-lzo enables compression of the tunnel. OpenVPN 2.4 already deprecates it, and compressing encrypted traffic is what VORACLE-style attacks exploit; remove it. Whatever you decide, the compression settings must agree on the server and the clients.
There is no auth line, so the HMAC for tls-auth and the data channel falls back to SHA1 (the startup log confirms this). Add auth SHA256 on the server and on every client.
user nobody and group nobody are commented out in the sample file; enable them so the daemon drops root once the tunnel device and keys are set up.
push "redirect-gateway def1 bypass-dhcp" sends all client traffic through the server. That only works if IPv4 forwarding is enabled and the server NATs 10.8.0.0/24 out of its physical interface; this article does not cover that part.
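The following is an added example, not code from the original article: a small lint pass over an OpenVPN 2.4 server.conf (or client .ovpn) that flags the settings a reviewer would push back on in the configuration above: compression, a missing tls-auth/tls-crypt, the SHA1 default when auth is absent, a server that keeps running as root, and a client without remote-cert-tls server. It is pure text processing, so it needs no openvpn binary. The two sample configurations it writes are constructed here: one is a copy of the article's server.conf, the other a hardened version of it.

```shell
#!/bin/sh
# Added example, not from the original article: lint an OpenVPN 2.4 config for
# the weak settings discussed in the text. Pure text processing, no openvpn needed.

# Print the effective directives of a config file: strip comments, blank lines
# and surrounding whitespace so the checks can anchor on line starts.
effective_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

has_directive() {   # has_directive DIRECTIVES EXTENDED_REGEX
    printf '%s\n' "$1" | grep -Eq "$2"
}

# audit_openvpn_conf FILE : prints one finding per line (nothing when clean)
audit_openvpn_conf() {
    conf=$(effective_directives "$1")
    if has_directive "$conf" '^(comp-lzo|compress)'; then
        echo "compression enabled (comp-lzo/compress): remove it; compressed VPN payloads allow VORACLE-style plaintext recovery"
    fi
    if ! has_directive "$conf" '^(tls-auth|tls-crypt) '; then
        echo "no tls-auth/tls-crypt: the control channel accepts packets from anyone who can reach the port"
    fi
    if ! has_directive "$conf" '^auth '; then
        echo "no 'auth' directive: HMAC defaults to SHA1; set 'auth SHA256' on both ends"
    fi
    if has_directive "$conf" '^client$'; then
        if ! has_directive "$conf" '^remote-cert-tls server$'; then
            echo "client lacks 'remote-cert-tls server': any client cert from the same CA could pose as the server"
        fi
    elif ! has_directive "$conf" '^user ' || ! has_directive "$conf" '^group '; then
        echo "daemon stays root after init: add 'user nobody' and 'group nobody' (commented out in the sample server.conf)"
    fi
}

# Constructed copy of the article's server.conf (abridged to the relevant lines).
write_article_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3
EOF
}

# The same configuration with the findings fixed.
write_hardened_server_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0   # absolute path: independent of the working directory
auth SHA256                       # control-channel HMAC; clients must set the same
cipher AES-256-GCM                # AEAD cipher; 2.4 clients negotiate it via NCP
user nobody
group nobody                      # drop root once the tun device and keys are set up
persist-key
persist-tun
verb 3
EOF
}

# Stand-alone run: audit both constructed configs and show the findings.
main() {
    d=$(mktemp -d)
    write_article_server_conf "$d/server.conf"
    write_hardened_server_conf "$d/hardened.conf"
    for f in server.conf hardened.conf; do
        echo "== $f"
        audit_openvpn_conf "$d/$f"
    done
    rm -rf "$d"
}
main
```

Running it prints three findings for the article's server.conf (compression, no auth, no user/group) and none for the hardened version. The hardened file uses absolute paths so it behaves the same whether the daemon is started by hand or by systemd.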
Start the OpenVPN server by hand (from /etc/openvpn, so the relative paths in the configuration resolve):
]# openvpn /etc/openvpn/server.conf &
After a successful startup, it displays:
Sat Apr 7 13:00:23 2018 OpenVPN 2.4.5 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 1 2018
Sat Apr 7 13:00:23 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Sat Apr 7 13:00:23 2018 Diffie-Hellman initialized with 2048 bit key
Sat Apr 7 13:00:23 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 7 13:00:23 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 7 13:00:23 2018 ROUTE_GATEWAY 192.168.255.1/255.255.255.0 IFACE=eno16777736 HWADDR=00:0c:29:ef:e4:a7
Sat Apr 7 13:00:23 2018 TUN/TAP device tun0 opened
Sat Apr 7 13:00:23 2018 TUN/TAP TX queue length set to 100
Sat Apr 7 13:00:23 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Apr 7 13:00:23 2018 /sbin/ip link set dev tun0 up mtu 1500
Sat Apr 7 13:00:23 2018 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sat Apr 7 13:00:23 2018 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Sat Apr 7 13:00:24 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sat Apr 7 13:00:24 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Apr 7 13:00:24 2018 UDPv4 link local (bound): [AF_INET][undef]:1194
Sat Apr 7 13:00:24 2018 UDPv4 link remote: [AF_UNSPEC]
Sat Apr 7 13:00:24 2018 MULTI: multi_init called, r=256 v=256
Sat Apr 7 13:00:24 2018 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sat Apr 7 13:00:24 2018 IFCONFIG POOL LIST
Sat Apr 7 13:00:24 2018 Initialization Sequence Completed
The two Control Channel Authentication lines show the HMAC in use; it is SHA1 here because server.conf has no auth directive.
Or start it with systemctl (the instance name after @ selects /etc/openvpn/server.conf):
]# systemctl -f enable openvpn@server.service   # start at boot
]# systemctl start openvpn@server.service       # start openvpn now
Configure the OpenVPN client on Windows 7:
First: download the OpenVPN client
The installation itself is not shown. The configuration is as follows:
Copy ca.crt, client.crt, client.key and ta.key from the CentOS 7 host into the config directory under the OpenVPN installation directory, and put the client configuration there as client.ovpn (the sample client.conf renamed; the Windows client reads .ovpn files).
Contents of client.ovpn:
client
dev tun
proto udp
remote 192.168.255.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
Keep remote-cert-tls server: it makes the client require the serverAuth extended key usage in the server's certificate, so another client certificate issued by the same CA cannot be used to impersonate the server. tls-auth ta.key 1 pairs with tls-auth ta.key 0 on the server (the key direction must differ at the two ends), and any auth or compression directive set on the server has to be mirrored here.
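Handing a Windows user four separate files plus a client.ovpn is error-prone. OpenVPN also accepts the certificates and keys inline in the .ovpn file, in <ca>, <cert>, <key> and <tls-auth> blocks, with key-direction 1 taking the place of tls-auth ta.key 1. The script below is an added example, not part of the original article: it bundles the four files collected above into one self-contained client.ovpn with the same directives as the configuration just shown. The server address and output path are parameters, and the sample files it creates for the demonstration are constructed dummies, not real keys.

```shell
#!/bin/sh
# Added example, not from the original article: build a single self-contained
# client.ovpn from ca.crt, client.crt, client.key and ta.key using OpenVPN's
# inline <ca>/<cert>/<key>/<tls-auth> blocks. Sample input below is dummy data.

# pem_block FILE LABEL : print only the "-----BEGIN LABEL-----" .. "-----END LABEL-----"
# section. easy-rsa writes a human-readable certificate dump above the PEM in
# issued/*.crt; OpenVPN tolerates it, but it has no place in a client bundle.
pem_block() {
    sed -n "/^-----BEGIN $2-----$/,/^-----END $2-----$/p" "$1"
}

# make_inline_ovpn SRC_DIR SERVER_ADDR OUT_FILE : returns 1 if an input is missing
make_inline_ovpn() {
    src=$1; remote=$2; out=$3
    for f in ca.crt client.crt client.key ta.key; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
# "auth" must match the server; the article's server keeps the SHA1 default
cipher AES-256-CBC
key-direction 1
verb 3
EOF
        echo '<ca>';       pem_block "$src/ca.crt" CERTIFICATE;      echo '</ca>'
        echo '<cert>';     pem_block "$src/client.crt" CERTIFICATE;  echo '</cert>'
        echo '<key>'
        # easy-rsa 3 writes PKCS#8 keys: "PRIVATE KEY" or "ENCRYPTED PRIVATE KEY"
        sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$src/client.key"
        echo '</key>'
        echo '<tls-auth>'; pem_block "$src/ta.key" "OpenVPN Static key V1"; echo '</tls-auth>'
    } > "$out"
    chmod 600 "$out"    # the bundle now contains the private key
}

# Constructed sample input that mimics the layout of the real files (dummy data).
make_sample_client_dir() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DUMMYCA' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3' \
        '-----BEGIN CERTIFICATE-----' 'DUMMYCLIENT' '-----END CERTIFICATE-----' > "$1/client.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'DUMMYKEY' '-----END ENCRYPTED PRIVATE KEY-----' > "$1/client.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' 'DUMMYTA' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Stand-alone run: bundle the sample files for the server address used in the article.
main() {
    d=$(mktemp -d)
    make_sample_client_dir "$d/client"
    make_inline_ovpn "$d/client" 192.168.255.12 "$d/client.ovpn"
    cat "$d/client.ovpn"
    rm -rf "$d"
}
main
```

On the CA host this would be called as make_inline_ovpn /root/client 192.168.255.12 /root/client/client.ovpn, and the resulting single file goes into the Windows config directory. The client key stays passphrase-protected inside the bundle, so the GUI still prompts for vpnclient on connect.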
OpenVPN client login:
Double-click the tray icon and connect; a window asks for the passphrase of the client private key, set when the client request was generated (vpnclient).
A successful login is indicated by the OpenVPN icon turning green: the client is now connected to the OpenVPN server.
This concludes the walk-through of installing and configuring an OpenVPN server on CentOS 7.