OpenVPN Site-to-Client with username and password on CentOS 7
1 – Installing packages and preparing the environment
```
[root@centos7 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
```
```
[root@centos7 ~]# yum -y install epel-release
```
```
[root@centos7 ~]# yum -y install openvpn easy-rsa
```
```
[root@centos7 ~]# cp -Rfv /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa
```
```
[root@centos7 ~]# firewall-cmd --add-port=1194/udp --permanent
success
[root@centos7 ~]# firewall-cmd --reload
success
[root@centos7 ~]# firewall-cmd --list-port
1194/udp
[root@centos7 ~]# firewall-cmd --list-service
dhcpv6-client ssh
```
2 – Generating the CA, server certificate and DH parameters
```
[root@centos7 easy-rsa]# cd /etc/openvpn/easy-rsa/
[root@centos7 easy-rsa]# vi vars
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="BR"
export KEY_PROVINCE="SP"
export KEY_CITY="RIBEIRAOPRETO"
export KEY_ORG="JPCORP"
export KEY_OU="JPCORP"
# X509 Subject Field
export KEY_NAME="CA-JPCORP"
```
```
[root@centos7 easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
```
```
[root@centos7 easy-rsa]# ./clean-all
```
```
[root@centos7 easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
............................................+++
.........+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [SP]:
Locality Name (eg, city) [RIBEIRAOPRETO]:
Organization Name (eg, company) [JPCORP]:
Organizational Unit Name (eg, section) [JPCORP]:
Common Name (eg, your name or your server's hostname) [JPCORP CA]:
Name [CA-JPCORP]:
Email Address [JHONES@JPCORP.ETI.BR]:
```
```
[root@centos7 easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
.........+++
...........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BR]:
State or Province Name (full name) [SP]:
Locality Name (eg, city) [RIBEIRAOPRETO]:
Organization Name (eg, company) [JPCORP]:
Organizational Unit Name (eg, section) [JPCORP]:
Common Name (eg, your name or your server's hostname) [server]:
Name [CA-JPCORP]:
Email Address [JHONES@JPCORP.ETI.BR]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'BR'
stateOrProvinceName   :PRINTABLE:'SP'
localityName          :PRINTABLE:'RIBEIRAOPRETO'
organizationName      :PRINTABLE:'JPCORP'
organizationalUnitName:PRINTABLE:'JPCORP'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'CA-JPCORP'
Certificate is to be certified until Jan 28 23:35:47 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
```
[root@centos7 easy-rsa]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
................+............
```
```
[root@centos7 easy-rsa]# ll keys/
total 52
-rw-r--r-- 1 root root 5492 Jan 31 20:35 01.pem
-rw-r--r-- 1 root root 1732 Jan 31 20:35 ca.crt
-rw------- 1 root root 1704 Jan 31 20:35 ca.key
-rw-r--r-- 1 root root  424 Jan 31 20:39 dh2048.pem
-rw-r--r-- 1 root root  134 Jan 31 20:35 index.txt
-rw-r--r-- 1 root root   21 Jan 31 20:35 index.txt.attr
-rw-r--r-- 1 root root    0 Jan 31 20:35 index.txt.old
-rw-r--r-- 1 root root    3 Jan 31 20:35 serial
-rw-r--r-- 1 root root    3 Jan 31 20:35 serial.old
-rw-r--r-- 1 root root 5492 Jan 31 20:35 server.crt
-rw-r--r-- 1 root root 1078 Jan 31 20:35 server.csr
-rw------- 1 root root 1708 Jan 31 20:35 server.key
```
```
[root@centos7 easy-rsa]# cd ..
[root@centos7 openvpn]# ln -s /etc/openvpn/easy-rsa/keys/ /etc/openvpn/ca-server
```
3 – Creating the .conf
```
[root@centos7 openvpn]# vi site-to-client.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca-server/ca.crt
cert /etc/openvpn/ca-server/server.crt
key /etc/openvpn/ca-server/server.key
dh /etc/openvpn/ca-server/dh2048.pem
ifconfig-pool-persist /var/log/ipp_site-to-client.log
;push "route 172.16.1.1 255.255.255.0"
client-cert-not-required
tls-server
username-as-common-name
server 10.10.10.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
persist-key
persist-tun
status /var/log/status_site-to-client.log
log-append /var/log/site-to-client.log
verb 3
```
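The directives above decide what a connecting client must present: with `client-cert-not-required` plus the PAM plugin, the username and password checked by the `login` PAM service are the only client credential, `username-as-common-name` is what makes the status log record which account connected, and `user nobody`/`group nobody` drop root after startup. The following POSIX shell audit is an added example, not part of the original post or of OpenVPN itself: it reads a server .conf and reports those settings, plus the permissions of the referenced `key` file (the `keys/` listing shows `ca.key` and `server.key` with mode 600). The sample config and key file it creates under `/tmp` are constructed for the demo; `tls-auth`/`tls-crypt` are standard OpenVPN directives the guide does not use, so the audit only notes their absence.

```shell
#!/bin/sh
# Added example (not code from the original post): audit an OpenVPN server
# .conf for the authentication-related settings used in this guide.
# Assumed: one directive per line, as in site-to-client.conf.

# Constructed sample: a config mirroring section 3, plus a key file that is
# deliberately world-readable so the permission check has something to report.
SAMPLE_DIR="${TMPDIR:-/tmp}/ovpn-audit-sample"
mkdir -p "$SAMPLE_DIR"
: > "$SAMPLE_DIR/server.key"
chmod 644 "$SAMPLE_DIR/server.key"

SAMPLE_CONF="$SAMPLE_DIR/site-to-client.conf"
cat > "$SAMPLE_CONF" <<EOF
port 1194
proto udp
dev tun
ca $SAMPLE_DIR/ca.crt
cert $SAMPLE_DIR/server.crt
key $SAMPLE_DIR/server.key
dh $SAMPLE_DIR/dh2048.pem
;push "route 172.16.1.1 255.255.255.0"
client-cert-not-required
tls-server
username-as-common-name
server 10.10.10.0 255.255.255.0
user nobody
group nobody
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
verb 3
EOF

# has_directive FILE NAME: succeeds if an active (uncommented) line starts with NAME
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# directive_arg FILE NAME: prints the first argument of the first active NAME line
directive_arg() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# audit_conf FILE: writes findings to stderr, prints the number of findings to stdout
audit_conf() {
    conf="$1"
    n=0
    if has_directive "$conf" client-cert-not-required; then
        echo "INFO: client certificates not required; the PAM password is the only client credential" >&2
        n=$((n + 1))
    fi
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "WARN: no tls-auth/tls-crypt key; any host can start a TLS handshake on the VPN port" >&2
        n=$((n + 1))
    fi
    if has_directive "$conf" plugin && ! has_directive "$conf" username-as-common-name; then
        echo "WARN: PAM authentication without username-as-common-name; the status log will not name the user" >&2
        n=$((n + 1))
    fi
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "WARN: no user/group directive; openvpn keeps root privileges after startup" >&2
        n=$((n + 1))
    fi
    keyfile=$(directive_arg "$conf" key)
    if [ -n "$keyfile" ] && [ -f "$keyfile" ]; then
        # characters 5-10 of the ls -l mode string are the group and other bits
        if [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
            echo "WARN: $keyfile is readable by group/other; expected mode 600 as in the keys/ listing" >&2
            n=$((n + 1))
        fi
    fi
    echo "$n"
}

# Run against the constructed sample: prints the finding count (3 for this sample).
audit_conf "$SAMPLE_CONF"
```

Point it at `/etc/openvpn/site-to-client.conf` on the server to audit the real file; the findings go to stderr and the count to stdout, so it can be used in a cron job or a health check that fails when the count is non-zero.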
4 – Enabling the service; the name after the @ (site-to-client) must match the name of the .conf file created, in this case site-to-client.conf
```
[root@centos7 openvpn]# systemctl enable openvpn@site-to-client
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@site-to-client.service to /usr/lib/systemd/system/openvpn@.service.
[root@centos7 openvpn]# systemctl start openvpn@site-to-client
[root@centos7 openvpn]# systemctl status openvpn@site-to-client
● openvpn@site-to-client.service - OpenVPN Robust And Highly Flexible Tunneling Application On site/to/client
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Dom 2016-01-31 20:45:09 BRT; 4s ago
  Process: 1795 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 1796 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@site-to-client.service
           ├─1796 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/site-to-client.pid --cd /etc/openvpn/ --config site-to-cli...
           └─1797 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/site-to-client.pid --cd /etc/openvpn/ --config site-to-cli...

Jan 31 20:45:09 centos7 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On site/to/client...
Jan 31 20:45:09 centos7 systemd[1]: PID file /var/run/openvpn/site-to-client.pid not readable (yet?) after start.
Jan 31 20:45:09 centos7 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On site/to/client.
```
5 -…