VPN and OpenVPN
Overview of VPN (Virtual Private Network)
A VPN (Virtual Private Network) is a technology that builds a secure, encrypted private communication channel over a public network (such as the Internet), so that a remote device can connect securely to a target network.
Core principles
- Tunneling: an encapsulation protocol (such as IPsec, OpenVPN or WireGuard) wraps the original packet inside a new packet, creating a logical "tunnel" across the public network.
- Encryption and authentication: the transmitted data is encrypted (for example with AES or RSA), and authentication (certificates, passwords) ensures that only authorized users can use the tunnel.
- Network address translation (NAT): hides the user's real IP address, providing anonymous access.
Main functions and uses
- Bypassing network restrictions: circumventing geographic or institutional blocks on specific content (for example accessing overseas websites or internal corporate systems).
- Data security and privacy: prevents third parties from eavesdropping on or tampering with data, protecting user information especially on public Wi-Fi.
- Remote work and resource access: employees connect securely to the corporate intranet through the VPN and reach internal resources such as file servers and databases.
- Anonymous access: hides the user's real IP and reduces the risk of online tracking.
VPN types (by protocol)
- PPTP: an early protocol; fast but weak in security, now being phased out.
- L2TP/IPsec: combines L2TP tunneling with IPsec encryption; relatively secure and supported on many platforms.
- OpenVPN: open source, highly secure, supports custom configuration and is very flexible (covered in detail below).
- WireGuard: a lightweight protocol that has emerged in recent years; fast, with a small code base, and increasingly widespread.
- SSL/TLS VPN: based on HTTPS, suited to web access, no client installation required.
OpenVPN: an open-source, high-security VPN solution
OpenVPN is open-source VPN software built on the OpenSSL library. It runs on many platforms (Windows, Linux, macOS, Android, iOS and others) and is widely used by enterprises and individuals because it is highly customizable and secure.
Core features
- Strong security
- Encryption algorithms: supports strong ciphers such as AES-256 and ChaCha20, keeping transmitted data confidential.
- Authentication: supports certificate authentication (recommended for enterprises, the most secure option), username/password and hardware tokens, preventing unauthorized access.
- Key exchange: based on TLS/DTLS (Transport Layer Security / Datagram Transport Layer Security), keeping the key negotiation secure.
- Cross-platform compatibility
- Supports almost all mainstream operating systems, so different devices can connect seamlessly.
- Works with traditional network architectures (NAT, firewalls) and can traverse complex network environments.
- Flexibility and extensibility
- Custom configuration: parameters such as the cipher, the port (UDP 1194 by default, TCP also possible) and routing rules are adjusted through a configuration file (.ovpn).
- Plugin support: third-party tools (dynamic DNS, authentication servers) can be integrated to meet complex enterprise needs.
- Open source with community support
- The source code is public and maintained by developers worldwide; vulnerabilities are fixed promptly and security is transparent.
- A free version is available; the enterprise edition adds centralized management, log auditing and other advanced features.
Operating modes
- Client-server mode: users connect through a client to an OpenVPN server and access the target network (such as a corporate intranet).
- Point-to-point mode: a tunnel is established directly between two devices without an intermediate server (requires static IPs or NAT traversal).
Advantages and use cases
- Advantages:
- Far more secure than older protocols such as PPTP; suitable for sensitive data (financial data, trade secrets).
- Highly controllable; suited to enterprises that need customized security policies.
- Open source and free, lowering the cost for individuals and small businesses.
- Use cases:
- Remote corporate work: employees connect securely to the intranet and access internal resources.
- Personal privacy: hiding the IP address while browsing or downloading, preventing data leakage.
- Multi-site networking: building a private LAN that securely links home devices or branch offices.
Limitations
- Configuration complexity: compared with simple VPN tools (such as PPTP-based clients), OpenVPN requires manual configuration of certificates and server parameters, which is not very friendly to ordinary users.
- Performance impact: strong encryption can add slight latency, affecting speed-sensitive uses such as video streaming and gaming (using UDP can mitigate this).
Relationship between VPN and OpenVPN
- VPN is a technical concept: a class of technologies that provide secure connections through encrypted tunnels;
- OpenVPN is a concrete implementation: an open-source VPN solution known for its security and flexibility.
When choosing a VPN, weigh security, ease of use and performance against your needs:
- Light personal use: an easy-to-use commercial VPN service (possibly based on OpenVPN or WireGuard).
- Enterprises or technical users: OpenVPN is the first choice; you can run your own server and keep full control over data security.
With proper configuration, OpenVPN can meet the connectivity needs of different scenarios while keeping them secure.
Setting up the OpenVPN environment
1. Environment preparation
# Server environment
- Operating system: CentOS 7.9
- Internal IP: 192.168.8.100 (example)
- Public IP: 123.183.113.159 (example)
- Port to open: 1194/udp (OpenVPN)
# Client environment
- Windows 10/11
- OpenVPN client software
2. OpenVPN server configuration
2.1 Install the required packages
[root@zuolaoshi ~]# yum install -y epel-release
已加载插件:fastestmirror, langpacks
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
……
Transaction test succeeded
Running transaction
正在安装 : epel-release-7-11.noarch 1/1
验证中 : epel-release-7-11.noarch 1/1
已安装:
epel-release.noarch 0:7-11
完毕!
[root@zuolaoshi ~]#
[root@zuolaoshi ~]# yum install -y openvpn easy-rsa
已加载插件:fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink| 5.1 kB 00:00:00
* base: mirrors.aliyun.com
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
……
已安装:
easy-rsa.noarch 0:3.0.8-1.el7 openvpn.x86_64 0:2.4.12-1.el7
作为依赖被安装:
pkcs11-helper.x86_64 0:1.11-3.el7
完毕!
[root@zuolaoshi ~]#
2.2 Set up the PKI (public key infrastructure)
[root@zuolaoshi ~]# mkdir -p /etc/openvpn/easy-rsa/keys
[root@zuolaoshi ~]# cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
[root@zuolaoshi ~]# cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
[root@zuolaoshi ~]# cd /etc/openvpn/easy-rsa
[root@zuolaoshi easy-rsa]#
Edit the vars file:
vim vars
Change the following values (shown here with the file's comment lines filtered out):
[root@zuolaoshi easy-rsa]# grep ^[^#] vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY "Shanghai"
set_var EASYRSA_REQ_ORG "MOONRONG IT"
set_var EASYRSA_REQ_EMAIL "netskyman@163.com"
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 36500
set_var EASYRSA_NS_SUPPORT "yes"
[root@zuolaoshi easy-rsa]#
2.3 Create the certificates
In the current directory:
[root@zuolaoshi easy-rsa]# pwd
/etc/openvpn/easy-rsa
[root@zuolaoshi easy-rsa]# ll
总用量 96
-rwxr-xr-x 1 root root 76946 4月 3 14:37 easyrsa
drwxr-xr-x 2 root root 6 4月 3 14:37 keys
-rw-r--r-- 1 root root 4616 4月 3 14:37 openssl-easyrsa.cnf
-rw-r--r-- 1 root root 8903 4月 3 14:50 vars
drwxr-xr-x 2 root root 122 4月 3 14:37 x509-types
[root@zuolaoshi easy-rsa]#
1) Initialize
Create the PKI directory in the current directory; it will hold the certificates:
[root@zuolaoshi easy-rsa]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
[root@zuolaoshi easy-rsa]#
2) Create the root certificate
You are prompted to set a passphrase; here it is set to 12345678. The CA uses it later when signing the server and client certificates. Press Enter at the other prompts:
[root@zuolaoshi easy-rsa]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: 12345678
Re-Enter New CA Key Passphrase: 12345678
Generating RSA private key, 2048 bit long modulus
..................................................................+++
............................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt
Then you can inspect the certificate, including its validity period:
[root@zuolaoshi easy-rsa]# openssl x509 -text -in pki/ca.crt -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a5:5c:70:da:d2:6b:75:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Apr 3 06:59:33 2025 GMT
Not After : Mar 10 06:59:33 2125 GMT
Subject: CN=Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
……
62:01:a1:d3:5d:ab:f4:4f:3f:31:d1:30:34:5b:f7:ef:fd:6f:
6a:b9:16:88:50:83:75:ea:93:a1:0f:15:4d:9b:2b:11:8e:d6:
f2:a6:27:18:9c:c9:55:af:17:08:24:b2:57:83:bc:38:75:4d:
89:23:05:cd:71:d5:91:3f:35:b5:fd:65:4f:4b:8b:9d:48:f7:
d8:dd:f4:fe
[root@zuolaoshi easy-rsa]#
3) Create the server certificate request and private key
nopass means the private key file is not encrypted; press Enter at the prompts:
[root@zuolaoshi easy-rsa]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.......................................+++
...........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-28964.nOL8mm/tmp.0KmYFD'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key
[root@zuolaoshi easy-rsa]#
4) Sign the server certificate
At the prompts, enter yes and then the passphrase set when the CA root certificate was created:
[root@zuolaoshi easy-rsa]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 36500 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-29619.YZkC1k/tmp.fOkCYd
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
…
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
[root@zuolaoshi easy-rsa]#
5) Create the Diffie-Hellman parameters
Parameters for the Diffie-Hellman algorithm used during key exchange:
[root@zuolaoshi easy-rsa]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....................................................................................................................+.......................................................................+..............+.........................+.+............................................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem
[root@zuolaoshi easy-rsa]#
6) Create the client certificate request and private key
nopass means the private key file is not encrypted; press Enter at the prompts:
[root@zuolaoshi easy-rsa]# ./easyrsa gen-req client1 nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.....+++
...........................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-29193.zP5HZ2/tmp.xPQ9RC'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client1.req
key: /etc/openvpn/easy-rsa/pki/private/client1.key
[root@zuolaoshi easy-rsa]#
7) Sign the client certificate
At the prompts, enter yes and then the passphrase set when the CA root certificate was created:
[root@zuolaoshi easy-rsa]# ./easyrsa sign client client1
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 36500 days:
subject=
commonName = client1
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-29799.zarTwR/tmp.erHpAW
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
……
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client1.crt
2.4 Check the configuration
Check that the CA root certificate, the server and client certificates, and the server and client private keys are all present:
[root@zuolaoshi easy-rsa]# tree
.
├── easyrsa # management command
├── keys
├── openssl-easyrsa.cnf
├── pki
│ ├── ca.crt # CA root certificate, needed by both server and client
│ ├── certs_by_serial
│ │ ├── 3282D2B7F15060106A611496E77ED0D5.pem
│ │ ├── A8B95F1B3A095E363E1B3AC57788103A.pem
│ │ └── E8AD78EDEA4FBCC213D2CB75FA92BA6D.pem
│ ├── dh.pem # Diffie-Hellman parameters, server side
│ ├── index.txt
│ ├── index.txt.attr
│ ├── index.txt.attr.old
│ ├── index.txt.old
│ ├── issued
│ │ ├── client1.crt # client certificate
│ │ └── server.crt # server certificate
│ ├── openssl-easyrsa.cnf
│ ├── private
│ │ ├── ca.key
│ │ ├── client1.key # client private key
│ │ └── server.key # server private key
│ ├── renewed
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── reqs
│ │ ├── client1.req
│ │ └── server.req
│ ├── revoked
│ │ ├── certs_by_serial
│ │ ├── private_by_serial
│ │ └── reqs_by_serial
│ ├── safessl-easyrsa.cnf
│ ├── serial
│ └── serial.old
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
15 directories, 27 files
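As an added example (not part of the original tutorial and not Easy-RSA's own tooling), the following POSIX shell script checks a PKI directory with the layout shown above: that each issued certificate chains to pki/ca.crt and has not expired, that each private key really belongs to its certificate, and that the server and client certificates carry the extended key usage for their role (which is what a client's remote-cert-tls server check relies on). It assumes the openssl command-line tool is installed. make_demo_pki builds a throwaway CA and two certificates with plain openssl, only so the checks can be tried offline; on the real server you would run verify_pki /etc/openvpn/easy-rsa/pki instead.

```shell
#!/bin/sh
# Added example, not from the tutorial: sanity checks for an Easy-RSA style PKI
# directory (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key, pki/dh.pem).
# Requires the openssl CLI.

# check_cert_chain PKI NAME: NAME.crt was signed by ca.crt and has not expired.
check_cert_chain() {
    pki=$1; name=$2
    openssl verify -CAfile "$pki/ca.crt" "$pki/issued/$name.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$pki/issued/$name.crt" -noout -checkend 0 >/dev/null 2>&1
}

# check_key_matches PKI NAME: the RSA private key's modulus equals the
# certificate's, i.e. the key file really belongs to that certificate.
check_key_matches() {
    pki=$1; name=$2
    c=$(openssl x509 -in "$pki/issued/$name.crt" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$pki/private/$name.key" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_cert_role PKI NAME ROLE: the extended key usage matches ROLE (server|client).
# Easy-RSA's "sign server" / "sign client" types set this; it is what lets a client
# reject a peer that presents a client certificate as if it were the server.
check_cert_role() {
    pki=$1; name=$2
    case $3 in
        server) want='TLS Web Server Authentication' ;;
        client) want='TLS Web Client Authentication' ;;
        *) return 2 ;;
    esac
    openssl x509 -in "$pki/issued/$name.crt" -noout -text 2>/dev/null | grep -q "$want"
}

# check_dh PKI: dh.pem exists and parses as valid DH parameters (gen-dh output).
check_dh() {
    openssl dhparam -in "$1/dh.pem" -noout -check >/dev/null 2>&1
}

# verify_pki PKI: run the certificate/key checks for the server and client1 pair
# the tutorial creates; prints one line per check, returns 1 if any failed.
verify_pki() {
    pki=$1; rc=0
    for spec in server:server client1:client; do
        name=${spec%%:*}; role=${spec#*:}
        for chk in check_cert_chain check_key_matches; do
            if "$chk" "$pki" "$name"; then echo "ok   $chk $name"; else echo "FAIL $chk $name"; rc=1; fi
        done
        if check_cert_role "$pki" "$name" "$role"; then echo "ok   role $name=$role"; else echo "FAIL role $name=$role"; rc=1; fi
    done
    return $rc
}

# make_demo_pki DIR: constructed throwaway CA + server + client1 made with plain
# openssl (not Easy-RSA), only so the checks above can be exercised offline.
make_demo_pki() {
    pki=$1
    mkdir -p "$pki/issued" "$pki/private" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo CA' \
        -keyout "$pki/private/ca.key" -out "$pki/ca.crt" >/dev/null 2>&1 || return 1
    for name in server client1; do
        case $name in server) eku=serverAuth ;; *) eku=clientAuth ;; esac
        printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$eku" > "$pki/$name.ext"
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$pki/private/$name.key" -out "$pki/$name.req" >/dev/null 2>&1 || return 1
        openssl x509 -req -days 2 -in "$pki/$name.req" -CA "$pki/ca.crt" -CAkey "$pki/private/ca.key" \
            -CAcreateserial -extfile "$pki/$name.ext" -out "$pki/issued/$name.crt" >/dev/null 2>&1 || return 1
    done
}
```

On the tutorial's server, `verify_pki /etc/openvpn/easy-rsa/pki && check_dh /etc/openvpn/easy-rsa/pki` is the check to run before copying client1.crt and client1.key to a Windows client; the role check is the one that catches a client certificate accidentally signed with `sign server`.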
3. Configure OpenVPN
[root@zuolaoshi openvpn]# vim /etc/openvpn/server.conf
[root@zuolaoshi openvpn]# cat /etc/openvpn/server.conf
port 1194 # listening port; changing it is recommended in production
proto udp # transport protocol
dev tun # routed tunnel mode
ca /etc/openvpn/easy-rsa/pki/ca.crt # CA certificate
cert /etc/openvpn/easy-rsa/pki/issued/server.crt # server certificate
key /etc/openvpn/easy-rsa/pki/private/server.key # server private key
dh /etc/openvpn/easy-rsa/pki/dh.pem # Diffie-Hellman parameters for the key exchange
server 10.8.0.0 255.255.255.0 # address pool assigned to clients
push "route 192.168.8.0 255.255.255.0" # internal subnet clients may reach; must match the real environment
ifconfig-pool-persist ipp.txt # address pool record file, used later to give clients fixed IPs
keepalive 10 120 # ping every 10 seconds; treat the link as down after 120 seconds without a reply
max-clients 5 # at most 5 concurrent clients
status openvpn-status.log # status file recording OpenVPN's current state
log /var/log/openvpn.log # OpenVPN log file
verb 3 # log verbosity level
client-to-client # allow clients to communicate with each other
persist-key # after a keepalive timeout restart, keep the key material instead of re-reading the files
persist-tun # after a keepalive timeout restart, keep the tun device up instead of bringing it down and up again
duplicate-cn # allow several clients to use the same certificate and key at the same time (off by default)
comp-lzo # enable LZO compression
[root@zuolaoshi openvpn]#
4. Enable IP forwarding and configure the firewall
[root@zuolaoshi openvpn]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@zuolaoshi openvpn]# sysctl -p
net.ipv4.ip_forward = 1
[root@zuolaoshi openvpn]#
Configure the firewall:
[root@zuolaoshi openvpn]# firewall-cmd --permanent --add-port=1194/udp
success
[root@zuolaoshi openvpn]# firewall-cmd --permanent --add-masquerade
success
[root@zuolaoshi openvpn]# firewall-cmd --reload
success
[root@zuolaoshi openvpn]#
Check tun0:
[root@zuolaoshi openvpn]# ip a s tun0
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::96c4:50f4:34ca:aa5c/64 scope link flags 800
valid_lft forever preferred_lft forever
[root@zuolaoshi openvpn]#
5. Start the OpenVPN service
[root@zuolaoshi openvpn]# systemctl start openvpn@server
[root@zuolaoshi openvpn]#
6. OpenVPN client configuration (Windows)
6.1 Download OpenVPN
https://openvpn.net/community-downloads/
The download used here:
https://juejin.cn/post/7419666298941718537
6.2 Install and configure the client
Download the client certificates
Put the CA root certificate, client1.key and client1.crt into the config directory.
On the server, download the certificates (sz sends each file to the local terminal over ZMODEM):
[root@zuolaoshi easy-rsa]# pwd
/etc/openvpn/easy-rsa
[root@zuolaoshi easy-rsa]# sz pki/ca.crt
[root@zuolaoshi easy-rsa]# sz pki/private/client1.key
[root@zuolaoshi easy-rsa]# sz pki/issued/client1.crt
Create the client configuration file:
client # client mode
dev tun
proto udp
remote 123.183.113.159 1194 # public IP and port; the firewall must map them to the server's internal IP
resolv-retry infinite
nobind # do not bind to a specific local port
ca ca.crt
cert client1.crt
key client1.key
verb 3
persist-key
comp-lzo
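As an added example (not part of the original tutorial), the following POSIX shell script bundles the three files downloaded in step 6.2 into one client1.ovpn using OpenVPN's inline <ca>, <cert> and <key> blocks, so the Windows user copies a single file into the config directory. The directives match the client config above; the one addition is remote-cert-tls server, which makes the client insist that the peer presents a server-type certificate (the type Easy-RSA issues with sign server). The PEM contents written by write_constructed_pems are placeholders, not real certificates; the remote address and port are the page's example values.

```shell
#!/bin/sh
# Added example, not from the tutorial: bundle ca.crt, client1.crt and client1.key
# into a single client1.ovpn using OpenVPN's inline <ca>, <cert> and <key> blocks.
# Directives follow the tutorial's client config; "remote-cert-tls server" is an
# addition so the client rejects a peer that only holds a client certificate.

# make_inline_ovpn OUT HOST PORT CA_FILE CERT_FILE KEY_FILE
make_inline_ovpn() {
    out=$1; host=$2; port=$3; ca=$4; cert=$5; key=$6
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "make_inline_ovpn: cannot read $f" >&2; return 1; }
    done
    {
        printf 'client\ndev tun\nproto udp\nremote %s %s\n' "$host" "$port"
        printf 'resolv-retry infinite\nnobind\nverb 3\npersist-key\ncomp-lzo\n'
        printf 'remote-cert-tls server\n'
        for pair in "ca=$ca" "cert=$cert" "key=$key"; do
            tag=${pair%%=*}; file=${pair#*=}
            printf '<%s>\n' "$tag"; cat "$file"; printf '</%s>\n' "$tag"
        done
    } > "$out" && chmod 600 "$out"   # the bundle now contains the private key
}

# extract_inline OVPN TAG: print the lines between <TAG> and </TAG>, to check that
# the bundle round-trips the original files exactly.
extract_inline() {
    awk -v t="$2" '$0 == ("</" t ">") { p = 0 } p { print } $0 == ("<" t ">") { p = 1 }' "$1"
}

# write_constructed_pems DIR: placeholder PEM files standing in for the real ones
# that step 6.2 downloads with sz (constructed, not real certificates or keys).
write_constructed_pems() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgQ0EgQ0VSVA==' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=' \
        '-----END CERTIFICATE-----' > "$1/client1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQgQ0xJRU5UIEtFWQ==' \
        '-----END PRIVATE KEY-----' > "$1/client1.key"
}
```

On the server from the tutorial, `make_inline_ovpn client1.ovpn 123.183.113.159 1194 pki/ca.crt pki/issued/client1.crt pki/private/client1.key` run in /etc/openvpn/easy-rsa produces the one file to transfer with sz; since it embeds the unencrypted private key, it should be handed over and stored with the same care as client1.key itself.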
7. Connection test
Before testing, on the egress device map UDP port 1194 of the public IP 123.183.113.159 to the server's internal IP (192.168.8.100); on a cloud host this step can be skipped.
Double-click the OpenVPN shortcut on the desktop; once its icon appears in the bottom-right tray, right-click it and choose Connect: