How to Install and Configure OpenVPN Server on Debian 10
On this page
- Requirements
- Install OpenVPN
- Generate the Server Certificate and Key
- Generate the Client Certificate and Key
- Configure the OpenVPN Server
- Install and Configure the OpenVPN Client
OpenVPN is open-source software that lets you reach the internet securely while you are connected to an untrusted network. It keeps your traffic private by tunnelling it, encrypted, through the VPN server. OpenVPN uses SSL/TLS for key exchange and is able to traverse network address translators. There is plenty of VPN software on the market, but it is expensive and/or challenging to set up and manage; OpenVPN is free and is easy to set up, configure and manage.
In this tutorial, we explain how to set up an OpenVPN server on a Debian 10 server.
Requirements
- Two servers running Debian 10.
- A static IP address 192.168.0.103 configured on the VPN server and 192.168.0.102 on the VPN client.
- A root password configured on both servers.
Install OpenVPN
First, you need to enable IP forwarding so that the server forwards network packets correctly. You can do this by editing the /etc/sysctl.conf file:
nano /etc/sysctl.conf
Change (or uncomment) the following line:
net.ipv4.ip_forward=1
Save and close the file when you are done. Then apply the new setting by running the following command:
sysctl -p
Next, install the OpenVPN package by simply running the following command:
apt-get install openvpn -y
Once the installation is complete, you can proceed to the next step.
Generate the Server Certificate and Key
First, you need to copy the EasyRSA directory to /etc/openvpn/. You can do this with the following command:
cp -r /usr/share/easy-rsa /etc/openvpn/
Next, change into the easy-rsa directory and rename the vars.example file:
cd /etc/openvpn/easy-rsa
mv vars.example vars
Next, open the vars file:
nano vars
Add the following lines (Easy-RSA 3, which provides the ./easyrsa script used below, reads set_var lines; the older export KEY_* form is Easy-RSA 2 syntax and is ignored):
# Easy-RSA 3 syntax; these fields are used when EASYRSA_DN is set to "org"
set_var EASYRSA_REQ_COUNTRY "INDIA"
set_var EASYRSA_REQ_PROVINCE "CA"
set_var EASYRSA_REQ_CITY "Junagadh"
set_var EASYRSA_REQ_ORG "Howtoforge"
set_var EASYRSA_REQ_EMAIL ""
set_var EASYRSA_REQ_OU "OpenVPN"
Save and close the file when you are done. Then initialise the PKI with the following command:
./easyrsa init-pki
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
Next, build the CA without a passphrase (nopass), as shown below:
./easyrsa build-ca nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................+++++
..............+++++
e is 65537 (0x010001)
Can't load /etc/openvpn/easy-rsa/pki/.rnd into RNG
140449484268672:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/etc/openvpn/easy-rsa/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Next, generate the server key pair and certificate request with the following command:
./easyrsa gen-req server nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating a RSA private key
...+++++
................................................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server.key.uQ7rqU8ryK'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
Next, sign the server certificate with the following command:
./easyrsa sign-req server server
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Sep 5 15:43:29 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
Next, generate the Diffie-Hellman parameters with the following command:
./easyrsa gen-dh
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[... progress dots trimmed ...]
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
Next, generate the HMAC signature key (the tls-auth key) with the following command:
openvpn --genkey --secret ta.key
Finally, copy all the certificates and keys to the /etc/openvpn directory:
cp ta.key /etc/openvpn/
cp pki/ca.crt /etc/openvpn/
cp pki/private/server.key /etc/openvpn/
cp pki/issued/server.crt /etc/openvpn/
cp pki/dh.pem /etc/openvpn/
Generate the Client Certificate and Key
Next, generate the client key pair and certificate request with the following command:
./easyrsa gen-req client nopass
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/client.key.wU45j6E0Dt'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client.req
key: /etc/openvpn/easy-rsa/pki/private/client.key
Next, sign the client certificate with the following command:
./easyrsa sign-req client client
You should see the following output:
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = client
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Sep 5 12:28:25 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client.crt
Next, copy all the client certificates and keys to the /etc/openvpn/client/ directory:
cp pki/ca.crt /etc/openvpn/client/
cp pki/issued/client.crt /etc/openvpn/client/
cp pki/private/client.key /etc/openvpn/client/
Configure the OpenVPN Server
All the certificates and keys needed by the server and the client have now been generated. Next, you need to create an OpenVPN configuration file. You can create it with the following command:
nano /etc/openvpn/server.conf
Add the following lines:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
Save and close the file. Then start the OpenVPN service for this configuration (the server.conf file name selects the openvpn@server instance of Debian's openvpn@.service template):
systemctl start openvpn@server
Next, verify the OpenVPN server with the following command:
systemctl status openvpn@server
Output:
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2019-09-21 08:46:47 EDT; 6s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 5040 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 1138)
Memory: 1.7M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─5040 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.
Sep 21 08:46:47 debian systemd[1]: Starting OpenVPN connection to server...
Sep 21 08:46:47 debian systemd[1]: Started OpenVPN connection to server.
Install and Configure the OpenVPN Client
Next, log in to the OpenVPN client system and install the OpenVPN package with the following command:
apt-get install openvpn -y
After installation, create a new configuration file for the OpenVPN client:
nano /etc/openvpn/client.conf
Define your server's IP address and the client certificate files as shown below:
client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
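The server.conf and client.conf above have to agree with each other on several points before a tunnel comes up: the transport and port, the tls-auth key direction (0 on the server, 1 on the client), the data-channel cipher, and the client's check that the peer really holds a server certificate. The following script is an added example, not code from the tutorial or from the OpenVPN project: it embeds constructed copies of the two configs from this guide, parses them, and reports any mismatch. The parser and checks are mine, and the defaults they assume for absent options (proto udp, port 1194, cipher BF-CBC) are OpenVPN 2.4's.

```python
"""Cross-check an OpenVPN server.conf against a client.conf (added example)."""
import shlex

# Constructed copy of the tutorial's /etc/openvpn/server.conf.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
"""

# Constructed copy of the tutorial's /etc/openvpn/client.conf.
CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.0.103 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
"""


def parse_ovpn(text):
    """Parse OpenVPN config text into {option: [argument lists]}.

    Lines starting with '#' or ';' are comments and a trailing '# ...' (as on
    the key and tls-auth lines) is dropped; quoted arguments such as
    push "..." stay one argument. Options may repeat, hence the lists.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            options.setdefault(parts[0], []).append(parts[1:])
    return options


def first(options, name, default=None):
    """Arguments of the first occurrence of option `name`, or `default`."""
    return options[name][0] if name in options else default


def check_pair(server, client):
    """Return (severity, message) findings for a parsed server/client pair."""
    findings = []
    # 1. Transport: the client's 'remote' must match the server's proto and port.
    s_proto = first(server, "proto", ["udp"])[0].rstrip("46")  # udp4/udp6 -> udp
    c_proto = first(client, "proto", ["udp"])[0].rstrip("46")
    if s_proto != c_proto:
        findings.append(("error", f"proto mismatch: server {s_proto}, client {c_proto}"))
    s_port = first(server, "port", ["1194"])[0]
    remote = first(client, "remote")
    if remote is None:
        findings.append(("error", "client has no 'remote' line"))
    elif (remote[1] if len(remote) > 1 else "1194") != s_port:
        findings.append(("error", f"port mismatch: server listens on {s_port}, client remote is {remote}"))
    # 2. tls-auth on both sides or neither, with key direction 0 (server) / 1 (client).
    s_ta, c_ta = first(server, "tls-auth"), first(client, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        findings.append(("error", "tls-auth is configured on only one side; the handshake will fail"))
    elif s_ta is not None:
        dirs = (s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None)
        if dirs != (None, None) and dirs != ("0", "1"):
            findings.append(("error", f"tls-auth key direction must be 0/1 (server/client), got {dirs}"))
    # 3. 'cipher' is the fallback when cipher negotiation is unavailable, so both sides should agree.
    s_cipher = first(server, "cipher", ["BF-CBC"])[0]
    c_cipher = first(client, "cipher", ["BF-CBC"])[0]
    if s_cipher != c_cipher:
        findings.append(("warning", f"cipher mismatch: server {s_cipher}, client {c_cipher}"))
    # 4. Without 'remote-cert-tls server' the client would accept any certificate
    #    signed by the CA, another client's included, as the server.
    if first(client, "remote-cert-tls") != ["server"]:
        findings.append(("warning", "client lacks 'remote-cert-tls server'"))
    # 5. The server should drop root after start-up.
    if "user" not in server or "group" not in server:
        findings.append(("warning", "server keeps root privileges (no user/group lines)"))
    return findings
```

Running check_pair(parse_ovpn(SERVER_CONF), parse_ovpn(CLIENT_CONF)) returns an empty list for the tutorial's pair; swapping the client's tls-auth direction to 0 or pointing its remote at another port produces an error finding for each. To check real files, read /etc/openvpn/server.conf and the client's client.conf into the two strings instead of the constructed copies.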
Save and close the file. Then copy the client certificate and key files and the tls-auth key from the OpenVPN server (192.168.0.103, as root) to the OpenVPN client system. The client.conf above refers to them by bare file name and the openvpn@client service runs from /etc/openvpn, so put them there:
scp root@192.168.0.103:/etc/openvpn/ta.key /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/client/ca.crt /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/client/client.crt /etc/openvpn/
scp root@192.168.0.103:/etc/openvpn/client/client.key /etc/openvpn/
Next, start the OpenVPN client service with the following command:
systemctl start openvpn@client
Now you can view the new IP address assigned by the OpenVPN server with the following command:
ifconfig
You should see the following output:
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.102 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::a00:27ff:fe99:dc40 prefixlen 64 scopeid 0x20
ether 08:00:27:99:dc:40 txqueuelen 1000 (Ethernet)
RX packets 447 bytes 42864 (41.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 334 bytes 47502 (46.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 57 bytes 9754 (9.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 57 bytes 9754 (9.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::52b5:a1d2:fa23:f51e prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9 bytes 472 (472.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Next, go to the OpenVPN server system and check the OpenVPN log with the following command:
tail -f /var/log/openvpn/openvpn.log
You should get the following output:
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [client] Peer Connection Initiated with [AF_INET]192.168.0.103:45700
Sun Sep 22 19:46:08 2019 client/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Sep 22 19:46:08 2019 client/192.168.0.103:45700 MULTI: Learn: 10.8.0.6 -> client/192.168.0.103:45700
Sun Sep 22 19:46:08 2019 client/192.168.0.103:45700 MULTI: primary virtual IP for client/192.168.0.103:45700: 10.8.0.6
Sun Sep 22 19:46:09 2019 client/192.168.0.103:45700 PUSH: Received control message: 'PUSH_REQUEST'
Sun Sep 22 19:46:09 2019 client/192.168.0.103:45700 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Sep 22 19:46:09 2019 client/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Sep 22 19:46:09 2019 client/192.168.0.103:45700 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Sep 22 19:46:09 2019 client/192.168.0.103:45700 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
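The log above records, per session, everything worth auditing about a connection: the TLS version and cipher of the control channel, the size of the RSA key in the peer's certificate, the certificate's common name, the pool address handed out, and the negotiated data-channel cipher. Note that the data channel ends up as AES-256-GCM even though both configs say cipher AES-256-CBC: OpenVPN 2.4 negotiates the data cipher when both peers support it, and the configured value is only the fallback. The script below is an added example, not code from the tutorial or the OpenVPN project; the regular expressions, parse_log() and audit() are mine. SAMPLE_LOG is a constructed copy of the lines shown above for the "client" session plus a constructed second peer ("laptop", 192.168.0.50) added to show the findings that audit() reports.

```python
"""Fold OpenVPN server log lines into one record per client session (added example)."""
import re

# Constructed sample: the tutorial's lines for 'client', plus an invented 'laptop'
# session with a 1024-bit certificate and a CBC data cipher to exercise audit().
SAMPLE_LOG = """\
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Sun Sep 22 19:46:08 2019 192.168.0.103:45700 [client] Peer Connection Initiated with [AF_INET]192.168.0.103:45700
Sun Sep 22 19:46:08 2019 client/192.168.0.103:45700 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Sep 22 19:46:09 2019 client/192.168.0.103:45700 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Sep 22 19:50:01 2019 192.168.0.50:51000 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Sun Sep 22 19:50:01 2019 192.168.0.50:51000 [laptop] Peer Connection Initiated with [AF_INET]192.168.0.50:51000
Sun Sep 22 19:50:01 2019 laptop/192.168.0.50:51000 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
Sun Sep 22 19:50:02 2019 laptop/192.168.0.50:51000 Data Channel: using negotiated cipher 'AES-256-CBC'
"""

# The peer's real address (ip:port) is the key that ties a session's lines together.
PEER = r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)"
TIMESTAMP = re.compile(r"\w{3} \w{3} +\d{1,2} [\d:]+ \d{4}")
PATTERNS = [
    re.compile(PEER + r" Control Channel: (?P<tls>TLSv[\d.]+), cipher \S+ "
               r"(?P<control_cipher>\S+), (?P<bits>\d+) bit (?P<alg>\S+)"),
    re.compile(PEER + r" \[(?P<cn>[^\]]+)\] Peer Connection Initiated"),
    re.compile(r"(?P<cn>[^/ ]+)/" + PEER + r" MULTI_sva: pool returned IPv4=(?P<vpn_ip>[\d.]+)"),
    re.compile(r"(?P<cn>[^/ ]+)/" + PEER + r" Data Channel: using negotiated cipher '(?P<data_cipher>[^']+)'"),
]


def parse_log(text):
    """Return {real_address: session dict} built from the matching log lines."""
    sessions = {}
    for line in text.splitlines():
        for rx in PATTERNS:
            m = rx.search(line)
            if m is None:
                continue
            session = sessions.setdefault(m.group("peer"), {"peer": m.group("peer")})
            ts = TIMESTAMP.match(line)
            if ts:
                session.setdefault("first_seen", ts.group(0))
            session.update({k: v for k, v in m.groupdict().items() if k != "peer"})
            break
    return sessions


def audit(session):
    """Findings for one session: small RSA key, TLS older than 1.2, non-AEAD data cipher."""
    issues = []
    if session.get("alg") == "RSA" and int(session.get("bits", "0")) < 2048:
        issues.append(f"{session['bits']}-bit RSA certificate (below 2048)")
    tls = session.get("tls", "")
    if tls and tls < "TLSv1.2":  # OpenVPN prints TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
        issues.append(f"control channel negotiated {tls}")
    data_cipher = session.get("data_cipher", "")
    if data_cipher and "GCM" not in data_cipher:
        issues.append(f"non-AEAD data channel cipher {data_cipher}")
    return issues


if __name__ == "__main__":
    for peer, session in parse_log(SAMPLE_LOG).items():
        print(peer, session.get("cn"), session.get("vpn_ip"), session.get("data_cipher"), audit(session) or "ok")
```

To run it against the live server, replace SAMPLE_LOG with the contents of /var/log/openvpn/openvpn.log; the peer address is the join key because the common name only appears once the TLS handshake has completed.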
Congratulations! You have successfully installed and configured an OpenVPN server and client on Debian 10.