[root@zabbix ~]# yum -y install easy-rsa

[root@zabbix ~]# mkdir /opt/easy-rsa

[root@z abbix ~]# cd !$

[root@zabbix easy-rsa]# ll /usr/share/easy-rsa/

lrwxrwxrwx 1 root root  5 Jan  5 11:43 3 -> 3.0.8

lrwxrwxrwx 1 root root  5 Jan  5 11:43 3.0 -> 3.0.8

drwxr-xr-x 3 root root 66 Jan  5 11:43 3.0.8

[root@zabbix easy-rsa]# cp -a  /usr/share/easy-rsa/3.0.8/* ./

cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example  ./vars

[root@zabbix easy-rsa]# vim vars

set_var EASYRSA_DN "cn_only"

set_var EASYRSA_REQ_COUNTRY "CN"

set_var EASYRSA_REQ_PROVINCE "Shanghai"

set_VAR EASYRSA_REQ_CITY "Shanghai"

set_var EASYRSA_REQ_ORG "fuxing"

set_var EASYRSA_REQ_EMAIL "569933452@qq.com"

set_var EASYRSA_NS_SUPPORT "yes"

[root@zabbix easy-rsa]# grep -Ev '^$|^#' vars

if [ -z "$EASYRSA_CALLER" ]; then

echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2

echo "This is no longer necessary and is disallowed. See the section called" >&2

echo "'How to use this file' near the top comments for more details." >&2

return 1

fi

set_var EASYRSA_DN "cn_only"

set_var EASYRSA_REQ_COUNTRY "CN"

set_var EASYRSA_REQ_PROVINCE "Shanghai"

set_VAR EASYRSA_REQ_CITY "Shanghai"

set_var EASYRSA_REQ_ORG "fuxing"

set_var EASYRSA_REQ_EMAIL "569933452@qq.com"

set_var EASYRSA_NS_SUPPORT "yes"

[root@zabbix easy-rsa]# ./easyrsa  init-pki

#生成根证书

[root@zabbix easy-rsa]# ./easyrsa build-ca

/opt/easy-rsa/vars: line 97: set_VAR: command not found

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Enter New CA Key Passphrase:  设置密码 1234

Re-Enter New CA Key Passphrase:    设置密码 1234

Generating RSA private key, 2048 bit long modulus

......................+++

..................................................................................................+++

e is 65537 (0x10001)

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.

Your new CA certificate file for publishing is at:

/opt/easy-rsa/pki/ca.crt

生成服务端证书

[root@zabbix easy-rsa]# ./easyrsa gen-req server nopass

/opt/easy-rsa/vars: line 97: set_VAR: command not found

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

Generating a 2048 bit RSA private key

...+++

....................................+++

writing new private key to '/opt/easy-rsa/pki/easy-rsa-54384.2xag0s/tmp.Kho3Lj'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg: your user, host, or server name) [server]:  回车

Keypair and certificate request completed. Your files are:

req: /opt/easy-rsa/pki/reqs/server.req

key: /opt/easy-rsa/pki/private/server.key

[root@zabbix easy-rsa]# ./easyrsa  sign server server

/opt/easy-rsa/vars: line 97: set_VAR: command not found

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.

Please check over the details shown below for accuracy. Note that this request

has not been cryptographically verified. Please be sure it came from a trusted

source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=

    commonName                = server

Type the word 'yes' to continue, or any other input to abort.

  Confirm request details: yes  输入yes

Using configuration from /opt/easy-rsa/pki/easy-rsa-54459.15y3wH/tmp.f0xZtk

Enter pass phrase for /opt/easy-rsa/pki/private/ca.key:  密码为1234

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

commonName            :ASN.1 12:'server'

Certificate is to be certified until Apr 10 04:02:19 2023 GMT (825 days)

Write out database with 1 new entries

Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/server.crt

生成算法

[root@zabbix easy-rsa]# ./easyrsa  gen-dh

生成客户端 证书

[root@zabbix easy-rsa]# ./easyrsa gen-req client nopass

[root@zabbix easy-rsa]# ./easyrsa sign client client

/opt/easy-rsa/vars: line 97: set_VAR: command not found

Note: using Easy-RSA configuration from: /opt/easy-rsa/vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

You are about to sign the following certificate.

Please check over the details shown below for accuracy. Note that this request

has not been cryptographically verified. Please be sure it came from a trusted

source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=

    commonName                = client

Type the word 'yes' to continue, or any other input to abort.

  Confirm request details: yes  输入yes

Using configuration from /opt/easy-rsa/pki/easy-rsa-54701.biJwTN/tmp.QYdddb

Enter pass phrase for /opt/easy-rsa/pki/private/ca.key: 密码1234

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

commonName            :ASN.1 12:'client'

Certificate is to be certified until Apr 10 04:05:56 2023 GMT (825 days)

Write out database with 1 new entries

Data Base Updated

Certificate created at: /opt/easy-rsa/pki/issued/client.crt

[root@zabbix easy-rsa]# yum -y install openvpn

[root@zabbix easy-rsa]# vim /etc/openvpn/server.conf

[root@zabbix easy-rsa]# more !$

more /etc/openvpn/server.conf

port 1194 #端口

proto udp #协议

dev tun #采用路由隧道模式tun

ca ca.crt #ca证书文件位置

cert server.crt #服务器端公钥名称

key server.key #服务端私钥名称

dh dh.pem #交换证书

server 172.16.99.0 255.255.255.0 #给客户端分配地址池，注意，不能和VPN服务器内网网段有相同

push "route 10.197.0.0 255.255.0.0" #允许客户端访问内网10.197.0.0网段

ifconfig-pool-persist ipp.txt #地址池记录文件位置

keepalive 10 120 #存活时间,10秒ping一次，120如未收到响应则视为断线

max-clients 100 #最多允许 100个客户端连接

status openvpn-status.log #日志记录位置

verb 3 #openvpn版本

client-to-client #客户端与客户端之间支持通信

log /var/log/openvpn.log #openvpn日志记录位置

persist-key #通过keepalive 检测超时后，重新启动VPN，不重新读取keys，保留第一次使用的keys

persist-tun #检测超时后，重新启动VPN，一直保持tun是linkup的。否则网络会优先linkdown再linkup。

duplicate-cn

[root@zabbix openvpn]# cd /etc/openvpn/

[root@zabbix openvpn]# cp -a /opt/easy-rsa/pki/ca.crt  ./

[root@zabbix openvpn]# cp -a /opt/easy-rsa/pki/issued/server.crt ./

[root@zabbix openvpn]# cp -a /opt/easy-rsa/pki/private/server.key  ./

[root@zabbix openvpn]# cp -a /opt/easy-rsa/pki/dh.pem  ./

[root@zabbix openvpn]# systemctl -f enable openvpn@server.service

Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.

[root@zabbix openvpn]# systemctl start openvpn@server.service

安装 openvpn客户端

[root@zabbix openvpn]#  sz /opt/easy-rsa/pki/ca.crt

[root@zabbix openvpn]#  sz /opt/easy-rsa/pki/ca.crt

[root@zabbix openvpn]# sz /opt/easy-rsa/pki/issued/client.crt

OO

[root@zabbix openvpn]# sz /opt/easy-rsa/pki/private/client.key

windows创建fx.ovpns

client  #指定当前VPN是客户端

dev tun #使用tun隧道传输协议

proto udp #使用udp协议传输数据

remote 10.197.17.99 1194 #openvpn #服务器IP地址端口号

resolv-retry infinite #断线自动重新连接

nobind #不绑定本地特定的端口号

ca ca.crt #指定CA证书的文件路径

cert client.crt  #指定当前客户端的私钥文件路径

key client.key #指定当前 客户端 的私钥文件路径

verb 3 #指定日志文件的记录详细级别，可选0-9

persist-key #通过keepalive检测超时后，重新启动VPN，不重新读取keys，保留第一次使用的keys

persist-tun #检测超时后，重新启动VPN，一直保持tun是linkup的。否则网络会先linkdown然后再linkup

开启内核转发

[root@zabbix openvpn]# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf

[root@zabbix openvpn]#  sysctl -p

net.ipv4.ip_forward = 1

第一种：访问内部资源 ，需要手动一台台添加回指路由

route add -net  172.16.99.0/24 gw 10.197.17.99

第二种 开启 防火墙伪装

[root@zabbix openvpn]# systemctl  start firewalld.service

[root@zabbix openvpn]#

[root@zabbix openvpn]# firewall-cmd  --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0

  sources:

  services: ssh dhcpv6-client

  ports:

  protocols:

  masquerade: no

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules:

永久添加

[root@zabbix openvpn]# firewall-cmd --add-masquerade --permanent

success

添加openvpn服务

[root@zabbix openvpn]# firewall-cmd --add-service=openvpn

success

firewall-cmd --add-service=openvpn --permanent

重新加载

[root@zabbix openvpn]# firewall-cmd --reload

success

[root@zabbix openvpn]# firewall-cmd  --list-all

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0

  sources:

  services: ssh dhcpv6-client

  ports:

  protocols:

  masquerade: yes

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules:

双重认证

/etc/openvpn/server.conf

script-security 3

auth-user-pass-verify /etc/openvpn/check.sh via-env

username-as-common-name

[root@openvpn ~]# vim /etc/openvpn/check.sh

#!/bin/sh

###########################################################

PASSFILE="/etc/openvpn/openvpnfile"

LOG_FILE="/var/log/openvpn-password.log"

TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ]; then

    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}

    exit 1

fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then

    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}

    exit 1

fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then

    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}

    exit 0

fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}

exit 1