为了连接到 OpenVPN 服务器以允许您访问内部网本地资源,您只需要一个 OpenVPN 客户端。 在本指南中,我们将学习如何在 Rocky Linux 8 上安装和配置 OpenVPN 客户端。请注意,OpenVPN 软件可以配置为作为服务器或客户端工作。
通过以下链接了解如何在 Rocky Linux 8 上安装和配置 OpenVPN 服务器;
在 Rocky Linux 8 上设置 OpenVPN 服务器
在 Rocky Linux 8 上安装和配置 OpenVPN 客户端
在 Rocky Linux 8 上安装 OpenVPN 客户端
通过运行以下命令在 Rocky Linux 8 上安装 OpenVPN 客户端;
dnf epel-release -y
dnf info openvpn
Available Packages
Name : openvpn
Version : 2.4.11
Release : 1.el8
Architecture : x86_64
Size : 543 k
Source : openvpn-2.4.11-1.el8.src.rpm
Repository : epel
Summary : A full-featured SSL VPN solution
URL : https://community.openvpn.net/
License : GPLv2
Description : OpenVPN is a robust and highly flexible tunneling application that uses all
: of the encryption, authentication, and certification features of the
: OpenSSL library to securely tunnel IP networks over a single UDP or TCP
: port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library
: for compression
然后就可以通过执行命令安装OpenVPN客户端了;
dnf install openvpn
在 Rocky Linux 8 上配置 OpenVPN 客户端
为了能够连接到 OpenVPN 服务器,您需要创建包含 CA 证书、客户端服务器证书和密钥的客户端配置。
如果您遵循我们在 Rocky Linux 8 上设置 OpenVPN 服务器的指南,我们描述了如何生成客户端证书文件和密钥。
生成密钥后,将它们复制到客户端并记下它们的存储路径。
您还需要将 HMAC 密钥和 CA 证书复制到客户端。
然后您可以创建 OpenVPN 客户端配置。
例如,要为客户端创建 OpenVPN 配置文件, gentoo,其证书和密钥是, gentoo.crt 和 gentoo.key;
vim gentoo.ovpn
client tls-client pull dev tun proto udp4 remote 192.168.60.19 1194 resolv-retry infinite nobind #user nobody #group nogroup persist-key persist-tun key-direction 1 remote-cert-tls server auth-nocache comp-lzo verb 3 auth SHA512 tls-auth ta.key 1 ca ca.crt cert gentoo.crt key gentoo.key
请注意,在此设置中,客户端证书、密钥、CA 证书和 HMAC 密钥与 OpenVPN 客户端配置本身位于同一路径,gentoo.ovpn。
ls -1 .
ca.crt
gentoo.crt
gentoo.key
gentoo.ovpn
ta.key为了避免证书和密钥路径的问题,您可以将它们内嵌在配置文件中;
client
tls-client
pull
dev tun
proto udp4
remote 192.168.60.19 1194
resolv-retry infinite
nobind
#user nobody
#group nogroup
persist-key
persist-tun
key-direction 1
remote-cert-tls server
auth-nocache
comp-lzo
verb 3
auth SHA512
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
feb1af5407baa247d4e772c76aed6c75
...
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
MIIDTjCCAjagAwIBAgIUX0VQrHTgLDabUUIOAf7tD9cGp4YwDQYJKoZIhvcNAQEL
...
WA9BBk2shVWfR849Lmkep+GPyqHpU47dZAz37ARB2Gfu3w==
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
...
/7FvJaeLqmUHnvSs5eBlRZSgtOL19SCFkG0HXdnw3LtBaoHQXxgzOkDPW1+5
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+DI7kg6MsRoCs
...
6WdLcNtWKAcU294xJEZoOA8/
-----END PRIVATE KEY-----
</key>
在所有客户端服务器上为需要连接到 vpn 的每个用户执行相同操作。
如果你注意到了,下面的行被注释以避免错误, 错误:Linux 路由添加命令失败:外部程序退出,错误状态:2 通过在重新连接时再次添加它们之前刷新创建的路由。
#user nobody #group nogroup
OpenVPN 客户端配置文件现已准备就绪。
在 Rocky Linux 8 上连接到 OpenVPN 服务器
然后您可以按需连接到 OpenVPN 服务器或配置您的服务器以在系统重新启动时建立 VPN 配置文件。
使用 openvpn 命令在命令行上连接到 OpenVPN
要按需连接,只需使用 openvpn 命令为;
sudo openvpn client-config.ovpn
或者
sudo openvpn --config client-config.ovpn
其中client-config是客户端的openvpn配置文件,如上面的gentoo.ovpn文件。
如果连接到 OpenVPN 服务器成功,您应该看到 Initialization Sequence Completed.
Wed Jun 30 15:27:16 2021 OpenVPN 2.4.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021 Wed Jun 30 15:27:16 2021 library versions: OpenSSL 1.1.1g FIPS 21 Apr 2020, LZO 2.08 Wed Jun 30 15:27:16 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Wed Jun 30 15:27:16 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication Wed Jun 30 15:27:16 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.60.19:1194 Wed Jun 30 15:27:16 2021 Socket Buffers: R=[212992->212992] S=[212992->212992] Wed Jun 30 15:27:16 2021 UDPv4 link local: (not bound) Wed Jun 30 15:27:16 2021 UDPv4 link remote: [AF_INET]192.168.60.19:1194 Wed Jun 30 15:27:16 2021 TLS: Initial packet from [AF_INET]192.168.60.19:1194, sid=7ec70642 fdcdad40 Wed Jun 30 15:27:16 2021 VERIFY OK: depth=1, CN=Kifarunix-demo CA Wed Jun 30 15:27:16 2021 VERIFY KU OK Wed Jun 30 15:27:16 2021 Validating certificate extended key usage Wed Jun 30 15:27:16 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Wed Jun 30 15:27:16 2021 VERIFY EKU OK Wed Jun 30 15:27:16 2021 VERIFY OK: depth=0, CN=server Wed Jun 30 15:27:16 2021 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1586', remote='link-mtu 1602' Wed Jun 30 15:27:16 2021 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-256-CBC' Wed Jun 30 15:27:16 2021 WARNING: 'keysize' is used inconsistently, local='keysize 128', remote='keysize 256' Wed Jun 30 15:27:16 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA Wed Jun 30 15:27:16 2021 [server] Peer Connection Initiated with [AF_INET]192.168.60.19:1194 Wed Jun 30 15:27:17 2021 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Wed Jun 30 15:27:17 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 192.168.10.3,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: timers and/or timeouts modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ifconfig/up options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: route options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: route-related options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: peer-id set Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: adjusting link_mtu to 1625 Wed Jun 30 15:27:17 2021 OPTIONS IMPORT: data channel crypto options modified Wed Jun 30 15:27:17 2021 Data Channel: using negotiated cipher 'AES-256-GCM' Wed Jun 30 15:27:17 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 30 15:27:17 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Wed Jun 30 15:27:17 2021 ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73 Wed Jun 30 15:27:17 2021 TUN/TAP device tun0 opened Wed Jun 30 15:27:17 2021 TUN/TAP TX queue length set to 100 Wed Jun 30 15:27:17 2021 /sbin/ip link set dev tun0 up mtu 1500 Wed Jun 30 15:27:17 2021 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 Wed Jun 30 15:27:17 2021 /sbin/ip route add 192.168.60.19/32 via 10.0.2.2 Wed Jun 30 15:27:17 2021 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 Wed Jun 30 15:27:17 2021 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 Wed Jun 30 15:27:17 2021 Initialization Sequence Completed
检查IP地址;
ip add show tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::697:ce38:b852:540c/64 scope link stable-privacy
valid_lft forever preferred_lft forever测试与 VPN 服务器的连接;
ping 10.8.0.1 -c 3
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=2.71 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=2.42 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=1.95 ms
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 46ms
rtt min/avg/max/mdev = 1.952/2.362/2.713/0.316 ms根据您的服务器路由设置,您还应该能够访问互联网。
将 OpenVPN 客户端作为服务运行
为了在服务器重新启动时自动建立连接,您可以启用 OpenVPN 客户端 systemd 服务。
在执行此操作之前,请将 VPN 配置文件的扩展名从 .ovpn 到 .conf. 相应地替换文件名。
cp gentoo.{ovpn,conf}复制 .conf 文件到 OpenVPN 客户端配置目录, /etc/openvpn/client.
mv gentoo.conf /etc/openvpn/client接下来,禁用 SELinux(不过我不推荐这样做,-:));
setenforce 0 && sed -i 's/=enforcing/=permissive/' /etc/selinux/config
启动 OpenVPN 客户端 systemd 服务。 更换名称 gentoo 使用 .conf 配置文件的名称。
systemctl start [email protected]
检查状态;
systemctl status [email protected]
● [email protected] - OpenVPN tunnel for gentoo
Loaded: loaded (/usr/lib/systemd/system/[email protected]; disabled; vendor preset: disabled)
Active: active (running) since Wed 2021-06-30 15:48:47 EDT; 12s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 39782 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 11272)
Memory: 1.6M
CGroup: /system.slice/system-openvpnx2dclient.slice/[email protected]
└─39782 /usr/sbin/openvpn --suppress-timestamps --nobind --config gentoo.conf
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:98:30:73
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN/TAP device tun0 opened
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: TUN/TAP TX queue length set to 100
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip link set dev tun0 up mtu 1500
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 192.168.60.19/32 via 10.0.2.2
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Jun 30 15:48:48 localhost.localdomain openvpn[39782]: Initialization Sequence Completed
使其能够在系统启动时运行;
systemctl enable [email protected]
您已成功安装并设置 OpenVPN 客户端 Rocky Linux 8。
我们的教程到此结束,如何在 Rocky Linux 8 上安装和配置 OpenVPN 客户端。
为 OpenVPN 客户端分配静态 IP 地址
配置基于 OpenVPN LDAP 的身份验证
