OpenVPN部署
系统环境
- 操作系统:Centos7.6
- OpenVPN 版本:2.4.8
- easy-rsa 版本:3.0.6
OpenVPN服务端安装
安装相应软件
# EPEL has to be enabled first: it is the repository that carries openvpn and easy-rsa.
# iptables-services provides the iptables unit that restores /etc/sysconfig/iptables at boot
# (used further down for rule persistence).
[root@VM-32-194-centos ~]# yum -y install epel-release
[root@VM-32-194-centos ~]# yum -y install openvpn easy-rsa iptables-services
生成证书和密钥文件
将 easy-rsa 脚本复制到 /etc/openvpn/
# Work on a private copy of the easy-rsa 3 tree so the PKI (./pki) and the vars file live under /etc/openvpn/.
[root@VM-32-194-centos ~]# cp -r /usr/share/easy-rsa/3.0/ /etc/openvpn/easy-rsa/
编辑vars文件,应用vars变量
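[root@VM-32-194-centos ~]# cd /etc/openvpn/easy-rsa/
[root@VM-32-194-centos ~]# vim vars
...
# easy-rsa 3.x (3.0.6 here) reads its settings through set_var. The 2.x-style
# "export KEY_*" lines used originally are not read by easyrsa 3, so those fields
# were never applied. The REQ_* fields are only used when EASYRSA_DN is set to
# "org"; in the default "cn_only" mode the subject is just the certificate name.
set_var EASYRSA_REQ_COUNTRY  "***"   # country
set_var EASYRSA_REQ_PROVINCE "***"   # province
set_var EASYRSA_REQ_CITY     "***"   # city
set_var EASYRSA_REQ_ORG      "***"   # organisation
set_var EASYRSA_REQ_EMAIL    "***"   # e-mail
...
# No "source ./vars" step: easyrsa picks up ./vars from the directory it is run in,
# and a 3.x vars file is not meant to be sourced by the interactive shell.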
生成 CA 根证书
# Fresh PKI under ./pki. "nopass" leaves the CA private key (pki/private/ca.key) unencrypted:
# anyone who can read that file can issue client certificates for this VPN, so keep it
# root-only or drop nopass to protect it with a passphrase.
[root@VM-32-194-centos ~]# ./easyrsa init-pki
[root@VM-32-194-centos ~]# ./easyrsa build-ca nopass
生成OpenVPN服务器证书和密钥
# Server certificate and key; "nopass" again leaves the key unencrypted so the service can start unattended.
[root@VM-32-194-centos ~]# ./easyrsa build-server-full server nopass # the first argument, "server", is the certificate name referenced by server.conf
[root@VM-32-194-centos ~]# ./easyrsa gen-dh
# ta.key is written to the current directory (/etc/openvpn/easy-rsa/); the copy step and the
# client script both read it from there. It is a shared secret shared with every client.
[root@VM-32-194-centos ~]# openvpn --genkey --secret ta.key
复制证书及密钥文件
# Collect everything server.conf references into /etc/openvpn/; the systemd unit runs
# openvpn with --cd /etc/openvpn/, so the relative file names in server.conf resolve there.
[root@VM-32-194-centos ~]# cd /etc/openvpn/
[root@VM-32-194-centos ~]# cp /etc/openvpn/easy-rsa/{pki/dh.pem,pki/ca.crt,ta.key,pki/issued/server.crt,pki/private/server.key} /etc/openvpn/
OpenVPN服务端配置
创建server.conf文件
[root@VM-32-194-centos openvpn]# vim server.conf
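#local 0.0.0.0            # optional: bind one local address on a multi-homed host; default is all addresses
port 11194                # listening port (OpenVPN's default is 1194)
proto tcp                 # transport; udp also works and is the usual choice
#dev tap
dev tun                   # routed (layer-3) mode. The original note said Windows must use dev tap; OpenVPN's Windows client also supports tun — TODO confirm for your client build
ca ca.crt                 # CA certificate
cert server.crt           # server certificate
key server.key            # server private key; keep it readable by root only
dh dh.pem                 # DH parameters
tls-auth ta.key 0         # HMAC on the control channel; key direction 0 here, 1 in the client profile
# Client address pool, given as "network netmask" (the original wrote 172.16.0.0/24 next to the netmask).
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt   # remember client -> address assignments across restarts
#push "route 0.0.0.0 0.0.0.0"
# Routes pushed to clients, one push per subnet. A /16 needs the mask 255.255.0.0;
# the original 225.225.0.0 is not a valid netmask.
push "route 10.105.0.0 255.255.0.0"
push "route 10.66.0.0 255.255.0.0"
push "redirect-gateway def1 bypass-dhcp"   # send all client traffic through the VPN; needs NAT for 172.16.0.0/24 on this host
push "dhcp-option DNS 223.5.5.5"           # primary DNS for clients
push "dhcp-option DNS 114.114.114.114"     # secondary DNS for clients
client-to-client          # clients can reach each other directly; remove if users should be isolated from one another
#duplicate-cn             # one certificate shared by many clients; keep it off so each user can be revoked individually
keepalive 5 30
cipher AES-128-CBC        # fallback cipher; 2.4 peers negotiate an AES-GCM cipher unless NCP is disabled
comp-lzo                  # compression exposes tunnelled secrets to compression-oracle attacks; drop it here and in the client profile when possible
tls-version-min 1.2       # refuse TLS below 1.2 on the control channel
max-clients 100           # maximum concurrent clients
user nobody
group nobody
persist-key
persist-tun
#crl-verify crl.pem       # enable once a CRL has been generated and copied next to this file; without it "easyrsa revoke" has no effect on this server
status openvpn-status.log # periodic status dump
log /var/log/openvpn/openvpn.log         # the directory must exist
log-append /var/log/openvpn/openvpn.log  # both lines name the same file; one of them is enough
verb 3
mute 20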
配置防火墙规则和SELINUX
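# Stop firewalld and keep it off after reboot. The original ran "enable" after "stop",
# which contradicts the intent stated here; packet filtering is handled by iptables-services below.
[root@VM-32-194-centos ~]# systemctl stop firewalld && systemctl disable firewalld
# Disable SELinux from the next boot on. If you prefer to keep it enforcing, the alternative
# is to label the non-default port for the openvpn policy
# (semanage port -a -t openvpn_port_t -p tcp 11194) — verify against your policy version.
[root@VM-32-194-centos ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# Flush the filter table. This leaves every chain at its ACCEPT policy, i.e. the host does
# no packet filtering at all until rules are added.
[root@VM-32-194-centos ~]# iptables -F
# NAT for the VPN client pool (server 172.16.0.0/24 in server.conf). The original masqueraded
# the LAN ranges 10.105.0.0/16 and 10.66.0.0/16 instead; that never rewrites the clients'
# 172.16.0.x source addresses, so redirect-gateway and LAN access only work if every LAN
# host has a route back to 172.16.0.0/24 via this machine.
[root@VM-32-194-centos ~]# iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
# Persist the rules; the iptables unit from iptables-services reloads this file at boot.
[root@VM-32-194-centos ~]# iptables-save > /etc/sysconfig/iptables
[root@VM-32-194-centos ~]# systemctl enable iptables
# Enable IPv4 forwarding. Only ip_forward is required for OpenVPN; the original also set
# accept_source_route=1 and rp_filter=0, which relax the kernel's source-routing and
# anti-spoofing defaults and are not needed, so they are left at their defaults. A drop-in
# file is used instead of appending to /etc/sysctl.conf so re-running does not duplicate lines.
[root@VM-32-194-centos ~]# printf '%s\n' '# OpenVPN: forward traffic for VPN clients' 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-openvpn.conf
[root@VM-32-194-centos ~]# sysctl --system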
启动OpenVPN服务端
# The instance name selects the config: openvpn@server reads server.conf from /etc/openvpn/
# (see the --cd /etc/openvpn/ --config server.conf command line in the status output below).
[root@VM-32-194-centos ~]# systemctl start openvpn@server && systemctl enable openvpn@server
[root@VM-32-194-centos ~]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2021-10-18 09:54:29 CST; 4h 39min ago
Main PID: 16920 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─16920 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Oct 18 09:54:29 VM-32-194-centos systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application ...er...
Oct 18 09:54:29 VM-32-194-centos systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application O...rver.
Hint: Some lines were ellipsized, use -l to show in full.
用户端配置及生成证书文件
创建客户端配置模板文件sample.ovpn,该文件在脚本中会用到,放到 /etc/openvpn/client/ 目录
[root@VM-32-194-centos client]# vim sample.ovpn
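client
# Server's public address and port; server.conf listens on 11194 (OpenVPN's default is 1194).
remote xxx.xxx.xxx.xxx 11194
dev tun
proto tcp
ca ca.crt
# ovpn_user.sh rewrites the two lines below to <user>.crt / <user>.key.
cert client.crt
key client.key
# Key direction 1 on the client side (the server uses 0).
tls-auth ta.key 1
# Only accept a server certificate that carries the TLS server extended key usage, so a
# client certificate issued by the same CA cannot be used to impersonate the server.
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
# Same fallback cipher as server.conf, for peers that do not negotiate one.
cipher AES-128-CBC
# Must match the server's comp-lzo; compression leaks tunnelled secrets to compression-oracle
# attacks, so drop it on both ends when you can.
comp-lzo
verb 3
mute-replay-warnings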
创建用户脚本
[root@VM-32-194-centos openvpn]# vim ovpn_user.sh
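#!/bin/bash
# Issue a client certificate for each user name given on the command line and bundle it
# with the CA certificate, ta.key and a per-user .ovpn profile into
# /etc/openvpn/client/keys/<user>.zip.
#
# Usage: bash ovpn_user.sh <user> [<user> ...]
# Can be run from any directory; easyrsa is invoked inside its own tree so it finds ./vars and ./pki.
set -e
# Everything written below (private keys, the zip) must be readable by the owner only.
umask 077

OVPN_USER_KEYS_DIR=/etc/openvpn/client/keys
EASY_RSA_DIR=/etc/openvpn/easy-rsa/
PKI_DIR=$EASY_RSA_DIR/pki
CLIENT_TEMPLATE=/etc/openvpn/client/sample.ovpn

#######################################
# Reject names that are empty, option-like, hidden, or contain anything outside
# [A-Za-z0-9._-]; the name is used as a path component, a certificate CN and a sed pattern.
# Arguments: $1 - candidate user name
# Returns:   0 if acceptable, 1 otherwise (message on stderr)
#######################################
check_name() {
  case $1 in
    ''|-*|.*|*[!A-Za-z0-9._-]*)
      printf 'invalid user name: %s\n' "$1" >&2
      return 1
      ;;
  esac
  return 0
}

for user in "$@"; do
  check_name "$user"
  if [ -d "$OVPN_USER_KEYS_DIR/$user" ]; then
    # Re-issuing an existing user: remove the old bundle and the easy-rsa artefacts so
    # gen-req/sign-req do not stop on an existing request, key or certificate.
    # NOTE: dropping the index.txt line only removes the bookkeeping entry — the previously
    # issued certificate remains valid until it expires unless it is revoked (del_ovpn_user.sh).
    rm -rf -- "${OVPN_USER_KEYS_DIR:?}/$user" "$OVPN_USER_KEYS_DIR/$user.zip"
    rm -f -- "$PKI_DIR/reqs/$user.req" "$PKI_DIR/issued/$user.crt" "$PKI_DIR/private/$user.key"
    # Match the whole CN (end of line, or followed by another DN component) so that
    # removing "bob" does not also remove "bobby" or "server".
    sed -i -e '\#/CN='"$user"'$#d' -e '\#/CN='"$user"'/#d' "$PKI_DIR/index.txt"
  fi
  (
    cd "$EASY_RSA_DIR"
    # Client certificate and key; "nopass" leaves the key unencrypted, so the bundle is a secret.
    ./easyrsa build-client-full "$user" nopass
  )
  # Collect the client bundle.
  dest=$OVPN_USER_KEYS_DIR/$user
  mkdir -p -- "$dest"
  cp -- "$PKI_DIR/ca.crt" "$dest/"               # CA root certificate
  cp -- "$PKI_DIR/issued/$user.crt" "$dest/"     # client certificate
  cp -- "$PKI_DIR/private/$user.key" "$dest/"    # client private key
  cp -- "$EASY_RSA_DIR/ta.key" "$dest/ta.key"    # tls-auth key
  # Per-user profile: start from the template and point cert/key at this user's files.
  sed -e "s|^cert client\.crt|cert $user.crt|" \
      -e "s|^key client\.key|key $user.key|" \
      "$CLIENT_TEMPLATE" > "$dest/$user.ovpn"
  (
    cd "$OVPN_USER_KEYS_DIR"
    zip -r "$user.zip" "$user"
  )
done
exit 0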
#执行脚本,即可在/etc/openvpn/client/keys目录下生成以用户名命名的zip打包文件,将该文件解压到本地,即可加载到客户端使用
[root@VM-32-194-centos openvpn]# sh ovpn_user.sh username(更改为添加的用户)
删除用户脚本
[root@VM-32-194-centos openvpn]# vim del_ovpn_user.sh
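#!/bin/bash
# Revoke the client certificate of each user given on the command line, publish the
# updated CRL and remove the user's bundle from /etc/openvpn/client/keys.
#
# Usage: bash del_ovpn_user.sh <user> [<user> ...]
#
# NOTE: revocation is only enforced if server.conf contains "crl-verify crl.pem"
# pointing at the file installed below. Without that directive a revoked certificate
# still authenticates, and the restart at the end merely drops the current sessions.
set -e

OVPN_USER_KEYS_DIR=/etc/openvpn/client/keys
EASY_RSA_DIR=/etc/openvpn/easy-rsa/
CRL_FILE=/etc/openvpn/crl.pem

#######################################
# Reject names that are empty, option-like, hidden, or contain anything outside
# [A-Za-z0-9._-]; the name is used as a path component and a certificate name.
# Arguments: $1 - candidate user name
# Returns:   0 if acceptable, 1 otherwise (message on stderr)
#######################################
check_name() {
  case $1 in
    ''|-*|.*|*[!A-Za-z0-9._-]*)
      printf 'invalid user name: %s\n' "$1" >&2
      return 1
      ;;
  esac
  return 0
}

for user in "$@"; do
  check_name "$user"
  (
    cd "$EASY_RSA_DIR"
    # --batch answers the revoke confirmation instead of piping "yes" into it; a failure
    # (e.g. unknown name) aborts the whole script through set -e.
    ./easyrsa --batch revoke "$user"
    ./easyrsa gen-crl
  )
  # Publish the CRL where server.conf can read it. OpenVPN re-reads it while running
  # unprivileged (user nobody), so it must be world-readable; it contains no secrets.
  install -m 0644 -- "$EASY_RSA_DIR/pki/crl.pem" "$CRL_FILE"
  # Remove exactly this user's bundle and archive; the original "${user}*" glob would
  # also have deleted "bobby" when removing "bob".
  rm -rf -- "${OVPN_USER_KEYS_DIR:?}/$user" "$OVPN_USER_KEYS_DIR/$user.zip"
done
# One restart after all revocations. This drops every connected client, not only the revoked ones.
if [ "$#" -gt 0 ]; then
  systemctl restart openvpn@server
fi
exit 0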
#当需要删除用户时,执行此脚本,会删除/etc/openvpn/client/keys目录下与该用户有关的文件,并重启OpenVPN服务
[root@VM-32-194-centos openvpn]# sh del_ovpn_user.sh username(更改为删除的用户)