
3-OpenVPN 高级功能

4 OpenVPN 高级功能

本节介绍OpenVPN的高级功能,主要关于安全加强及客户端的管理功能,比如:员工入职、离职涉及到的创建账户与吊销账户证书。需要注意的是,本文为了演示方便,把签发证书的 CA(easy-rsa-server)和客户端私钥的生成(easy-rsa-client)都放在 VPN 服务器本机上,并且把用户私钥的副本留在了服务器的 /etc/openvpn/client/ 目录下;这意味着服务器一旦被攻破,攻击者会同时拿到 CA 私钥和全部客户端私钥,可以任意签发新的 VPN 凭据。生产环境中应把 CA 放到离线或独立的主机上,客户端私钥尽量由用户在自己的设备上生成,只把 .req 文件交给 CA 签发。

4.1 启用安全增强功能

启用防止DoS攻击的安全增强配置:tls-auth 用一个服务器与所有客户端共享的静态密钥(ta.key)对控制通道的每个数据包做 HMAC 签名,没有正确 HMAC 的数据包在进入 TLS 握手之前就被丢弃,从而缓解 DoS、端口扫描以及针对 TLS 栈漏洞的攻击。OpenVPN 2.4 及以上还可以用 tls-crypt 替代 tls-auth,它除了认证还会加密控制通道。注意:ta.key 是敏感密钥,下面仅为演示才把它的内容打印出来;实际环境中绝不能把它贴到文档或网页里,一旦泄露应重新生成并分发到所有客户端。

[15:38:14 root@openvpn-server ~]#openvpn --genkey --secret /etc/openvpn/certs/ta.key
[15:38:43 root@openvpn-server ~]#cat /etc/openvpn/certs/ta.key
#

# 2048 bit OpenVPN static key

#
-----BEGIN OpenVPN Static key V1-----
98f2e8b46308ad6c40fdbcb53cbafce6
e3f7970ddae64849f4c160047fc88866
f717dab259981ea836eeb7ef31a778d9
1cc8b20962c79cb3d2fda168819bc8c6
bc8386f0de5264712d8ebb358c8c8f2a
dcd5a1e15a3e3f76346e84496ba12052
2c53a5f055486c9200ef0855d2df9e9e
ecc71a8c4dd8bec1ff15ac20e44aec77
52c289b343a20979c3b52ea466585073
c14752e40e6b8ce5ef5d0f8ed894a82e
ff8c6f784c7ec9b87f51cdaad9ee06b2
ea22307d87c1e6b31292819e0d8ddcf7
dc324b5a7e968ae1b3334f61af6a4b6e
91a2992a580edbd4b8c584bfbe7fa8f4
1a22ca55777827c49b237157d03d1d68
75fc0d4eb632da7e61d258594ade093b
-----END OpenVPN Static key V1-----
[15:38:57 root@openvpn-server ~]#ll /etc/openvpn/certs/
total 24
-rw------- 1 root root 1204 Jan 26 14:03 ca.crt
-rw------- 1 root root  424 Jan 26 14:04 dh.pem
-rw------- 1 root root 4608 Jan 26 14:04 server.crt
-rw------- 1 root root 1704 Jan 26 14:04 server.key
-rw------- 1 root root  636 Jan 26 15:38 ta.key
[15:39:09 root@openvpn-server ~]#vim /etc/openvpn/server.conf
# HMAC-sign the control channel with the shared static key. The trailing
# key-direction must be 0 on the server and 1 on every client.
tls-auth /etc/openvpn/certs/ta.key 0    # 0 on the server side, 1 on the client side

客户端配置文件需要添加tls-auth ta.key 1,并把key文件通过安全渠道(例如 scp,或与证书一起加密交付)放到客户端中。该 key 对所有客户端都相同,任何一个客户端泄露都会使整个 tls-auth 保护失效,此时需要重新生成并下发给全部客户端。

4.2 设置客户端的私钥密码增强安全性

新建一个账户cy,并且设置证书密码,提高证书及登录VPN的安全性。

4.2.1 创建新用户,生成对应的有密码的私钥和证书申请

[15:47:14 root@openvpn-server zhangzhuo]#cd /etc/openvpn/easy-rsa-client/3
[15:47:59 root@openvpn-server 3]#pwd
/etc/openvpn/easy-rsa-client/3
[15:48:40 root@openvpn-server 3]#./easyrsa gen-req cy

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Generating a RSA private key
..............+++++
....................+++++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-14457.v8A2IC/tmp.k97esu'
Enter PEM pass phrase:              #输入2遍密码
Verifying - Enter PEM pass phrase:
----------------------------------

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----------------------------------------------

Common Name (eg: your user, host, or server name) [cy]:   #默认确认

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/cy.req
key: /etc/openvpn/easy-rsa-client/3/pki/private/cy.key

4.2.2 导入用户证书申请并颁发证书

[15:50:31 root@openvpn-server 3]#cd /etc/openvpn/easy-rsa-server/3
[15:50:41 root@openvpn-server 3]#./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/cy.req cy

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

The request has been successfully imported with a short name of: cy
You may now use this name to perform signing operations on this request.

#确保证书有效期是合理值。注意:easyrsa 在下面的输出中提示它实际使用的是 3.0.8/vars,而这里 grep 的是当前目录下的 vars(而且是在另一台主机 centos8 上执行的);本例随后实际签发的有效期是 180 天而不是 90 天,说明两份 vars 并不一致,应以 easyrsa 输出的 Note 行指出的那个 vars 文件为准
[root@centos8 3]#grep EASYRSA_CERT_EXPIRE vars
set_var EASYRSA_CERT_EXPIRE 90
#颁发证书
[15:51:55 root@openvpn-server 3]#./easyrsa sign client cy

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 180 days:

subject=
commonName                = cy

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-14563.jwqiuE/tmp.5fUTr0
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'cy'
Certificate is to be certified until Jul 25 07:51:59 2021 GMT (180 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/cy.crt

4.2.3 将用户的证书相关文件放在指定的目录中(客户端实际只需要 ca.crt、用户证书/私钥、ta.key 和 .ovpn 文件;dh.pem 只有服务器端使用,客户端配置里并不引用,可以不拷贝)

[15:51:59 root@openvpn-server 3]#mkdir /etc/openvpn/client/cy
[15:53:10 root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-server/3/pki/issued/cy.crt /etc/openvpn/client/cy
[15:53:34 root@openvpn-server 3]#cp /etc/openvpn/easy-rsa-server/3/pki/private/cy.key /etc/openvpn/client/cy
[15:53:46 root@openvpn-server 3]#cp /etc/openvpn/certs/{ca.crt,dh.pem,ta.key} /etc/openvpn/client/cy
[15:55:54 root@openvpn-server 3]#cp /etc/openvpn/client/zhangzhuo/client.ovpn /etc/openvpn/client/cy
[15:56:30 root@openvpn-server 3]#ll /etc/openvpn/client/cy/
[16:00:36 root@openvpn-server 3]#ll /etc/openvpn/client/cy/
total 28
-rw------- 1 root root 1204 Jan 26 15:55 ca.crt
-rw-r--r-- 1 root root  255 Jan 26 15:56 client.ovpn
-rw------- 1 root root 4484 Jan 26 15:53 cy.crt
-rw------- 1 root root 1854 Jan 26 16:00 cy.key
-rw------- 1 root root  424 Jan 26 15:55 dh.pem
-rw------- 1 root root  636 Jan 26 15:55 ta.key

[16:01:00 root@openvpn-server 3]#cd /etc/openvpn/client/cy/
#根据服务器端修改下面配置,需要和服务器同步
[16:01:24 root@openvpn-server cy]#vim client.ovpn
client
dev tun
# Must match the server's proto/port; the address is the server's public IP.
proto tcp
remote 39.98.146.209 1194
resolv-retry infinite
nobind
# Left disabled in this example. persist-tun avoids closing/re-opening the
# tun device on a ping-restart; consider enabling both on long-lived clients.
#persist-key
#persist-tun
# CA used to verify the server certificate.
ca ca.crt
# This user's certificate and private key (cy.crt/cy.key are renamed to these
# names below). The key is passphrase-protected, so OpenVPN will prompt for
# the passphrase at connect time (or use --askpass).
cert client.crt
key client.key
# Reject a peer whose certificate was not issued for server use, so another
# client's certificate cannot be used to impersonate the server.
remote-cert-tls server
# Superseded by the active tls-auth line at the end of the file.
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
# Key-direction 1 on the client (the server uses 0); ta.key must be shipped to
# the client together with the certificates over a secure channel.
tls-auth ta.key 1
[16:03:03 root@openvpn-server cy]#mv cy.crt client.crt
[16:03:21 root@openvpn-server cy]#mv cy.key client.key

4.3 账户证书管理

主要是证书的创建和吊销,对应的员工的入职和离职

4.3.1 证书自动过期

过期时间以服务器时间为准,如果过期,需要重新颁发证书

#过期时间由以下设置决定(注意:本例签发时 easyrsa 实际读取的是 3.0.8/vars,实际签出的有效期为 180 天,与这里看到的 90 天不一致;请检查 easyrsa 输出中 Note 行指出的那个 vars 文件)
[root@centos8 ~]#grep EASYRSA_CERT_EXPIRE /etc/openvpn/easy-rsa-server/3/vars
set_var EASYRSA_CERT_EXPIRE 90

如果证书过期,在服务器端可以看到以下日志

#让服务器时间改为2年后时间(仅限测试环境!在生产 VPN 服务器上修改系统时间会让所有客户端的证书校验、日志时间戳以及其他依赖时钟的服务同时出错,测试完成后应立即通过 NTP 等方式恢复正确时间)
[16:08:17 root@openvpn-server cy]#date -s '2 year'
Thu Jan 26 16:08:26 CST 2023

#服务器端日志中会显示用户证书过期
[16:10:05 root@openvpn-server cy]#tail -f /var/log/openvpn/openvpn.log -n0
Thu Jan 26 16:10:16 2023 TCP connection established with [AF_INET]110.17.5.83:20296
Thu Jan 26 16:10:16 2023 110.17.5.83:20296 TLS: Initial packet from [AF_INET]110.17.5.83:20296, sid=5b28249e 72485450
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 VERIFY OK: depth=1, CN=Easy-RSA CA
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 VERIFY ERROR: depth=0, error=certificate has expired: CN=cy, serial=311680221580796027677648559459392328591
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 TLS Error: TLS object -> incoming plaintext read error
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 TLS Error: TLS handshake failed
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 Fatal TLS error (check_tls_errors_co), restarting
Thu Jan 26 16:10:17 2023 110.17.5.83:20296 SIGUSR1[soft,tls-error] received, client-instance restarting

4.3.2 证书手动注销

4.3.2.1 查看当前证书的有效性,第一列为状态:V 为有效(valid),R 为已吊销(revoked),E 为已过期(expired)

[16:11:54 root@openvpn-server ~]#cat /etc/openvpn/easy-rsa-server/3/pki/index.txt
V	310124043132Z		5D3B930AA9D6B0AF69E65FA76C6251C4	unknown	/CN=server
V	210725055946Z		8EB7E418B1FE1715BCBB73A513498893	unknown	/CN=zhangzhuo
V	210725075159Z		EA7B6D5BC57A40FD5959D1740320938F	unknown	/CN=cy

4.3.2.2 吊销指定的用户的证书

[16:12:16 root@openvpn-server ~]#cd /etc/openvpn/easy-rsa-server/3
[16:12:50 root@openvpn-server 3]#./easyrsa revoke cy

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020

Please confirm you wish to revoke the certificate with the following subject:

subject=
commonName                = cy

Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-14869.nncxHf/tmp.36WIhl
Revoking Certificate EA7B6D5BC57A40FD5959D1740320938F.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

4.3.2.3 生成证书吊销列表

#每次吊销证书后都需要重新生成证书吊销列表文件(gen-crl),否则吊销不会生效。另外 CRL 本身有有效期(由 vars 中的 EASYRSA_CRL_DAYS 决定),到期后服务器会拒绝所有客户端连接,因此即使没有新的吊销也要在 CRL 到期前定期重新执行 gen-crl。重启 OpenVPN 并不是 CRL 生效的必要条件,但可以立刻断开已经连接的被吊销用户
[16:13:08 root@openvpn-server 3]#./easyrsa gen-crl

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.1.1g FIPS  21 Apr 2020
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-14912.pXdWC2/tmp.JqsCVv

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa-server/3/pki/crl.pem

[16:14:43 root@openvpn-server 3]#cat pki/crl.pem
-----BEGIN X509 CRL-----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-----END X509 CRL-----

4.3.2.4 将吊销列表文件发布

#第一次吊销证时需要编辑配置文件调用吊销证书的文件,后续吊销无需此步
[16:14:55 root@openvpn-server 3]#vim /etc/openvpn/server.conf
# Point the server at the CRL produced by `easyrsa gen-crl`. The file is read
# when clients connect, i.e. after the drop to user/group openvpn, so it must
# stay readable by that user; it must also be regenerated before its own
# expiry (EASYRSA_CRL_DAYS), otherwise every client connection is rejected.
crl-verify /etc/openvpn/easy-rsa-server/3/pki/crl.pem
#吊销后 OpenVPN 会在新的 TLS 握手时读取更新后的 CRL(2.4 起在文件变化时自动重载),新连接无需重启即可被拒绝;但已经建立的会话不会因为吊销而自动断开,重启服务(或通过 management 接口 kill 该客户端)才能立即踢掉被吊销的用户,代价是所有在线用户都会重连
[16:16:11 root@openvpn-server 3]#systemctl restart openvpn@server

4.4 生产推荐配置文件

server端和client端的生产推荐配置文件分别如下。注意两份配置都启用了 compress lz4-v2:VPN 数据通道上的压缩会带来 VORACLE 类(CRIME 式)攻击风险,攻击者可借此逐步猜出隧道内密文中的秘密(如会话 cookie),OpenVPN 官方也不再推荐开启压缩;如果隧道内传输敏感数据,应在 server 和 client 两端同时去掉 compress 相关配置(两端必须一致,否则无法建立隧道)。

4.4.1 server 端配置

[root@openvpn-server ~]# cat /etc/openvpn/server.conf
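port 1194
proto tcp
# explicit-exit-notify only applies to UDP, so it stays disabled with proto tcp.
#explicit-exit-notify 1
dev tun
# Server credentials and CA. These files are read once at startup, before the
# privilege drop below.
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
# VPN address pool. With the default net30 topology a /24 provides far fewer
# client slots than max-clients below; use `topology subnet` if more are needed.
server 10.0.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
# Data-channel compression enables VORACLE-style attacks on secrets carried
# through the tunnel; remove it on BOTH sides if the traffic is sensitive.
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 2048
# Drop root privileges after startup.
user openvpn
group openvpn
# Required together with user/group: after the privilege drop the daemon can no
# longer re-read key files or re-open the tun device on a SIGUSR1/ping-restart.
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 200
# Control-channel HMAC with the shared static key (direction 0 here, 1 on clients).
tls-auth /etc/openvpn/certs/ta.key 0
# CRL is read when clients connect, i.e. as the unprivileged openvpn user, so it
# must be readable by that user. Regenerate it with `easyrsa gen-crl` before it
# expires (EASYRSA_CRL_DAYS), otherwise all client connections are rejected.
crl-verify /etc/openvpn/easy-rsa-server/3/pki/crl.pem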

4.4.2 client 端配置

[root@openvpn-server ~]# cat /etc/openvpn/client-file/client.ovpn
client
dev tun
# Must match the server's proto/port; the address is the server's public IP.
proto tcp
remote 39.98.146.209 1194
resolv-retry infinite
nobind
# Disabled in this template. persist-tun avoids closing/re-opening the tun
# device on a ping-restart; consider enabling both on long-lived clients.
#persist-key
#persist-tun
# CA used to verify the server certificate.
ca ca.crt
# Per-user certificate and private key, renamed from <user>.crt/<user>.key.
cert client.crt
key client.key
# Reject a peer whose certificate was not issued for server use, so another
# client's certificate cannot be used to impersonate the server.
remote-cert-tls server
# Superseded by the active tls-auth line at the end of the file.
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
# Must match the server. Data-channel compression enables VORACLE-style
# attacks; if removed here it must be removed on the server as well.
compress lz4-v2
# Key-direction 1 on the client (the server uses 0); ta.key is shared by all
# clients and must be delivered over a secure channel.
tls-auth ta.key 1