Bootstrap

基于AnolisOS 8.6的OpenVPN和GmSSLv2国密算法SSL VPN测试

测试环境

AnolisOS-8.6-x86_64-minimal.iso
VirtualBox,2 vCPU,4G RAM,40G 虚拟磁盘

安装依赖

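# Build prerequisites for GmSSL.
#   perl  - GmSSL's ./config hands off to Configure, a Perl script; a minimal
#           AnolisOS install does not ship perl by default.
#   unzip - the GmSSL source used below is a .zip archive, and unzip is not
#           part of the minimal image either.
yum install -y make gcc perl unzip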

编译安装GmSSL

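# NOTE(review): GmSSL-master.zip is an unversioned snapshot of the GitHub
# default branch; record the commit it was taken from (and verify the archive
# against a known hash) so the build is reproducible and auditable.
unzip GmSSL-master.zip
# ./config must be run from inside the unpacked source tree. The GitHub
# snapshot unpacks to GmSSL-master/; adjust if your archive's top-level
# directory is named differently.
cd GmSSL-master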
**注:**由于许多系统自带 OpenSSL 动态库,为避免潜在的动态库冲突(错误加载系统 libssl/libcrypto),此处只生成静态库(no-shared)。这也意味着 OpenVPN 会把 GmSSL 静态链接进去:系统 OpenSSL 的安全更新对它无效,GmSSL 升级后必须重新编译 OpenVPN。
# Static-only build, installed under its own prefix so it never shadows the
# system OpenSSL (no-shared: no libssl.so/libcrypto.so are produced).
./config \
  --prefix=/usr/local/gmssl \
  --openssldir=/usr/local/gmssl \
  no-shared
make && make install
加到系统环境变量
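# Put the gmssl binary on PATH for login shells.
# Use plain ASCII quotes: the typographic quotes (‘ ’ “ ”) that survive
# copy/paste from a rendered page are written literally and break the line.
# The GmSSL bin dir is appended *after* $PATH so nothing in /usr/bin is
# shadowed by the GmSSL install.
echo 'export PATH="$PATH:/usr/local/gmssl/bin"' >> ~/.bash_profile
source ~/.bash_profile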
查看版本
# Sanity check: the freshly built gmssl is the one on PATH, and the SM
# cipher suites it was built with are listed.
gmssl version
gmssl ciphers -v | grep -- SM

OpenVPN编译安装

安装依赖

# OpenVPN build prerequisites. Note that OpenVPN is linked against the GmSSL
# static libraries passed to ./configure below, not against openssl-devel;
# openssl-devel is kept here only because the original recipe installs it.
yum install -y \
  gcc make \
  libnl3-devel libcap-ng-devel lz4-devel lzo-devel pam-devel \
  openssl-devel

# Verify the tarball against the upstream signature / published SHA256 before
# unpacking; the source downloaded here goes straight into a VPN binary.
tar -xzvf openvpn-2.5.10.tar.gz && cd openvpn-2.5.10

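# Point OpenVPN's configure at the static GmSSL libraries.
#  - both .a files must be named explicitly (there is no libssl.so to find);
#  - -lpthread -ldl are required to satisfy the static libcrypto's references;
#  - the variable names are OPENSSL_CFLAGS / OPENSSL_LIBS exactly;
#  - quotes must be ASCII ("), and option prefixes two ASCII hyphens (--).
# --includedir/--libdir were dropped: they are autoconf *install* directories
# (they would have installed OpenVPN's own headers/plugin libs into the GmSSL
# tree), not search paths; GmSSL is located via the two variables above.
./configure \
  OPENSSL_CFLAGS="-I/usr/local/gmssl/include" \
  OPENSSL_LIBS="-L/usr/local/gmssl/lib /usr/local/gmssl/lib/libssl.a /usr/local/gmssl/lib/libcrypto.a -lpthread -ldl" \
  --prefix=/usr/local/openvpn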

重点1: 两个静态库(libssl.a、libcrypto.a)要显式指定,因为没有 .so 可供链接器查找。
重点2: -lpthread -ldl 要指定(静态链接的 libcrypto 需要它们)。
重点3: 变量名不能写错(OPENSSL_CFLAGS、OPENSSL_LIBS);引号必须是 ASCII 直引号,选项前缀是两个半角连字符(--),从网页复制时注意不要带入中文弯引号或长破折号。

# Build, then install under the --prefix given to ./configure above.
make \
  && make install

# Confirm the build and that the SM4 (SMS4) data-channel ciphers are available.
OPENVPN=/usr/local/openvpn/sbin/openvpn
"$OPENVPN" --version
"$OPENVPN" --show-ciphers | grep -- SM
SMS4-CBC (128 bit key, 128 bit block)
SMS4-CFB (128 bit key, 128 bit block, TLS client/server mode only)
SMS4-OFB (128 bit key, 128 bit block, TLS client/server mode only)

# SM3 must be listed here for it to be usable as the --auth HMAC digest.
/usr/local/openvpn/sbin/openvpn --show-digests | grep -- SM

SM3 256 bit digest size

SM3 256 bit digest size

# TLS (control channel) suites offered by the GmSSL build.
/usr/local/openvpn/sbin/openvpn --show-tls | grep -- SM

ECDHE-SM2-WITH-SMS4-GCM-SM3 (No IANA name known to OpenVPN, use OpenSSL name.)
ECDHE-SM2-WITH-SMS4-SM3 (No IANA name known to OpenVPN, use OpenSSL name.)
SM9-WITH-SMS4-SM3 (No IANA name known to OpenVPN, use OpenSSL name.)
SM9DHE-WITH-SMS4-SM3 (No IANA name known to OpenVPN, use OpenSSL name.)
SM2-WITH-SMS4-SM3 (No IANA name known to OpenVPN, use OpenSSL name.)
SM2DHE-WITH-SMS4-SM3 (No IANA name known to OpenVPN, use OpenSSL name.)

注:GmSSL v2 还不支持 RFC 8998 定义的 TLS 1.3 国密套件。上面列出的 ECDHE-SM2 / SM2 / SM9 套件没有 IANA 名称(OpenVPN 的 "No IANA name known" 提示即指此),是 GmSSL 自己的套件命名,因此通常只有对端也是链接 GmSSL 编译的 OpenVPN 时才能协商成功。

生成证书

编辑openssl.cnf

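# Working directory for the test CA. Private keys are generated in here, so
# tighten the umask first: with the usual default of 022 every *.key written
# below would be world-readable.
umask 077
mkdir -p root_ca
cd root_ca
# Provides the [req]/distinguished_name settings that `gmssl req` needs.
cp /usr/local/gmssl/openssl.cnf .
# Adjust the v3 extension sections as shown below.
vi openssl.cnf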

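# --- Certificate extension profiles ------------------------------------------
# Kept in a separate file so the copied openssl.cnf (still used by `gmssl req`
# for the DN settings) does not need editing.
#
# Server and client deliberately get DIFFERENT extendedKeyUsage values. With
# one shared profile that grants serverAuth+clientAuth to every leaf, any
# holder of a valid client certificate could also pose as the VPN server, and
# `remote-cert-tls server` on the client would not catch it. The keyUsage
# values are the ones `remote-cert-tls` checks for (digitalSignature plus
# keyEncipherment or keyAgreement, per the RFC 3280 TLS rules). The CA gets
# an explicit CA:TRUE and no extendedKeyUsage (it is not a TLS endpoint).
cat > v3.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
EOF

# --- Root CA -----------------------------------------------------------------
# `-text` was dropped from ecparam: it only dumps the curve parameters as
# text into the key file. chmod 600 keeps the key private regardless of umask.
gmssl ecparam -genkey -name sm2p256v1 -out Root.key   # SM2 root key
chmod 600 Root.key
gmssl req -config openssl.cnf -new -key Root.key -out Root.req -subj "/C=CN/ST=HA/L=ZZ/O=ITAI/OU=DEVOPS/CN=root/[email protected]"   # CSR
# 365 days is fine for a lab root; a production root is longer-lived and kept offline.
gmssl x509 -req -extfile v3.cnf -extensions v3_ca -days 365 -sm3 -in Root.req -signkey Root.key -out RootCA.crt   # self-signed root
gmssl x509 -in RootCA.crt -text -noout   # inspect: expect CA:TRUE and keyCertSign

# --- Server certificate --------------------------------------------------------
gmssl ecparam -genkey -name sm2p256v1 -out Server.key   # server private key
chmod 600 Server.key
gmssl req -config openssl.cnf -new -key Server.key -out Server.req -subj "/C=CN/ST=HA/L=ZZ/O=ITAI/OU=DEVOPS/CN=server/[email protected]"   # CSR
gmssl x509 -req -extfile v3.cnf -extensions v3_server -sm3 -days 365 -CA RootCA.crt -CAkey Root.key -CAcreateserial -in Server.req -out ServerCA.crt   # issue
# -purpose additionally checks that KU/EKU allow use as a TLS server.
gmssl verify -CAfile RootCA.crt -purpose sslserver ServerCA.crt
gmssl x509 -in ServerCA.crt -text -noout   # expect EKU = TLS Web Server Authentication only

# --- Client certificate --------------------------------------------------------
gmssl ecparam -genkey -name sm2p256v1 -out Client.key   # client private key
chmod 600 Client.key
gmssl req -config openssl.cnf -new -key Client.key -out Client.req -subj "/C=CN/ST=HA/L=ZZ/O=ITAI/OU=DEVOPS/CN=client/[email protected]"   # CSR
# RootCA.srl already exists from the server issuance; -CAcreateserial is then a no-op.
gmssl x509 -req -extfile v3.cnf -extensions v3_client -sm3 -days 365 -CA RootCA.crt -CAkey Root.key -CAcreateserial -in Client.req -out ClientCA.crt   # issue
gmssl verify -CAfile RootCA.crt -purpose sslclient ClientCA.crt
gmssl x509 -in ClientCA.crt -text -noout   # expect EKU = TLS Web Client Authentication only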

服务端配置

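mkdir -p /etc/openvpn
cp /root/openvpn-2.5.10/sample/sample-config-files/server.conf /etc/openvpn

# sample/sample-keys/ is published test material shipped with every OpenVPN
# source tree; do not reuse it for a real tunnel. Generate your own DH group
# (this can take a few minutes) or, if only ECDHE suites are to be offered,
# set `dh none` in server.conf instead. The system `openssl dhparam` works
# here as well.
gmssl dhparam -out /etc/openvpn/dh2048.pem 2048

cp RootCA.crt /etc/openvpn/ca.crt
cp ServerCA.crt /etc/openvpn/server.crt
cp Server.key /etc/openvpn/server.key
# The private key must stay root-only; cp inherits the source's mode/umask.
chmod 600 /etc/openvpn/server.key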

编辑server.conf

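# Show the effective (non-comment, non-blank) lines. ASCII quotes only.
# The pattern matches lines that *start* with # or ; rather than lines that
# contain them anywhere, so `key server.key # ...` is no longer hidden.
grep -vE '^[[:space:]]*(#|;|$)' /etc/openvpn/server.conf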
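local 192.168.1.74
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
# Only accept peers whose certificate carries the clientAuth EKU (RFC 3280 TLS
# rules). Without this, any certificate signed by ca.crt - including a copy of
# the server's own - is accepted as a client.
remote-cert-tls client
# SMS4-CFB is not an AEAD mode, so the data channel is authenticated by the
# --auth HMAC, whose OpenVPN default is SHA1. For an all-SM data channel add
# `auth SM3` here AND in client.conf - both sides must agree or packets are
# rejected.
cipher SMS4-CFB
data-ciphers SMS4-CFB
data-ciphers-fallback SMS4-CFB
# Drop root privileges once the tunnel is up; persist-key/persist-tun let the
# process survive restarts without re-reading keys or re-opening the tun
# device as root.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3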

启动openvpn
# Runs in the foreground; start as root (the tun device has to be created).
# Add --daemon to background it once the configuration is known to work.
/usr/local/openvpn/sbin/openvpn --config server.conf --cd /etc/openvpn --auth-nocache

客户端配置

# Start from the sample client configuration shipped in the source tree.
mkdir -p /etc/openvpn \
  && cp /root/openvpn-2.5.10/sample/sample-config-files/client.conf /etc/openvpn/

客户端需要根证书 RootCA.crt、客户端证书 ClientCA.crt 和私钥 Client.key,从生成证书的机器通过加密通道(如 scp)拷贝到客户端的 /etc/openvpn 下。生产环境中私钥应在客户端本地生成,只把 CSR 送去签发,私钥不应离开客户端。

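cp RootCA.crt /etc/openvpn/ca.crt
cp ClientCA.crt /etc/openvpn/client.crt
cp Client.key /etc/openvpn/client.key
# The client's private key must not be world-readable; cp inherits the
# source's mode/umask, so set it explicitly.
chmod 600 /etc/openvpn/client.key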

编辑client.conf

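# Show the effective (non-comment, non-blank) lines. ASCII quotes only; the
# pattern drops lines that *start* with # or ;, not every line containing one.
grep -vE '^[[:space:]]*(#|;|$)' /etc/openvpn/client.conf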

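client
dev tun
proto tcp
remote 192.168.1.74 1194
resolv-retry infinite
nobind
# Drop root once the tunnel is up; persist-key/persist-tun keep reconnects
# working without root.
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Require the serverAuth EKU on the server certificate ...
remote-cert-tls server
# ... and pin its CN as well (the server CSR was issued with CN=server), so a
# different certificate from the same CA cannot pose as the server.
verify-x509-name server name
cipher SMS4-CFB
data-ciphers SMS4-CFB
data-ciphers-fallback SMS4-CFB
# The data-channel HMAC defaults to SHA1 (SMS4-CFB is not AEAD). If `auth SM3`
# is set on the server it must be set here too.
verb 3
log openvpn.log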

启动openvpn
# Foreground run as root (tun creation); --auth-nocache keeps any prompted
# credentials out of memory between renegotiations. Add --daemon once it works.
/usr/local/openvpn/sbin/openvpn --config client.conf --cd /etc/openvpn --auth-nocache
