赞
踩
上一篇文章为window的openvpn连接方式
本次为linux的openvpn连接方式,其实都差不多只要在服务器把证书弄好就可以了
直接上操作,简化操作步骤,服务端的操作全为脚本
实验环境
公网ip | 内网ip | 服务类型 |
---|---|---|
192.168.121.159 | 客户端 | |
192.168.121.160 | 192.168.122.253 | 服务端 |
首先需要配置好epel源,我是使用的是阿里云的epel源
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
然后安装对应软件包,并执行相关配置操作
#! /bin/bash yum clean all yum makecache #然后安装openvpn和制作证书工具 yum -y install openvpn yum -y install easy-rsa yum -y install expect # 准备相关配置文件 echo "生成服务器配置文件" cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/ echo "准备证书签发相关文件" cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server echo "准备签发证书相关变量的配置文件" cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars echo "初始化服务端PKI生成PKI相关目录和文件" cd /etc/openvpn/easy-rsa-server/3 ./easyrsa init-pki echo "创建CA证书" # ./easyrsa build-ca nopass expect <<EOF spawn ./easyrsa build-ca nopass expect { "Easy-RSA" {send "\n"} } expect eof EOF cat pki/serial echo "生成服务端证书" # ./easyrsa gen-req server nopass expect <<EOF spawn ./easyrsa gen-req server nopass expect { "server" {send "\n"} } expect eof EOF echo "签发服务端证书" # ./easyrsa sign server server expect <<EOF spawn ./easyrsa sign server server expect { "*details:" {send "yes\n"} } expect eof EOF echo "创建 Diffie-Hellman 密钥" ./easyrsa gen-dh cat > /etc/openvpn/server.conf <<EOF port 1194 proto tcp dev tun ca /etc/openvpn/certs/ca.crt cert /etc/openvpn/certs/server.crt key /etc/openvpn/certs/server.key # This file should be kept secret dh /etc/openvpn/certs/dh.pem server 10.8.0.0 255.255.255.0 push "route 192.168.122.0 255.255.255.0" keepalive 10 120 cipher AES-256-CBC compress lz4-v2 push "compress lz4-v2" max-clients 2048 user openvpn group openvpn status /var/log/openvpn/openvpn-status.log log-append /var/log/openvpn/openvpn.log verb 3 mute 20 EOF echo "添加防火墙" echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf sysctl -p yum install iptables-services -y systemctl disable --now firewalld systemctl start iptables iptables -F iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE iptables -vnL -t nat mkdir -p /var/log/openvpn mkdir -p /etc/openvpn/certs cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/ cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/ cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/ cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/ echo "重启OpenVpn" systemctl daemon-reload systemctl enable --now openvpn@server systemctl restart openvpn@server
服务端配置客户端的对应设置
#! /bin/bash read -p "请输入用户的姓名拼音(如:${NAME}): " NAME read -p "请输入VPN服务端的公网IP(如:${IP}): " IP echo "客户端证书环境" cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/varsa cd /etc/openvpn/easy-rsa-client/3 echo "初始化pki证书目录" # ./easyrsa init-pki expect << EOF spawn ./easyrsa init-pki expect { "removal" {send "yes\n"} } expect eof EOF echo "生成客户端证书" # ./easyrsa gen-req ${NAME} nopass expect << EOF spawn ./easyrsa gen-req ${NAME} nopass expect { "${NAME}" {send "\n"} } expect eof EOF echo "将客户端证书同步到服务端" cd /etc/openvpn/easy-rsa-server/3 ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME} echo "查看客户端证书" ll pki/reqs/${NAME}.req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req echo "签发客户端证书,请输入:yes" # ./easyrsa sign client ${NAME} expect << EOF spawn ./easyrsa sign client ${NAME} expect { "*details" {send "yes\n"} } expect eof EOF echo "查看证书" cat pki/index.txt ll pki/certs_by_serial/ cat pki/issued/${NAME}.crt echo "创建客户端配置文件" mkdir -p /etc/openvpn/client/${NAME} cd /etc/openvpn/client/${NAME} cat > /etc/openvpn/client/${NAME}/client.conf <<EOF client dev tun proto tcp remote ${IP} 1194 resolv-retry infinite nobind ca ca.crt cert ${NAME}.crt key ${NAME}.key remote-cert-tls server cipher AES-256-CBC verb 3 compress lz4-v2 EOF cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key . cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt . cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt . echo "打包用户证书" tar -czvf ${NAME}.tar.gz ./ #重启OpenVpn systemctl daemon-reload systemctl enable --now openvpn@server systemctl restart openvpn@server
然后到客户端的配置,客户端的配置就比较简单了,步骤很少,就不用脚本了,给大家操作了解一下
epel源也是需要的
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
然后下载openvpn
yum install openvpn -y
将服务端打包好的认证文件拷贝过来,这里大家对应自己的ip来修改
scp 192.168.121.160:/etc/openvpn/client/yiyezhiqiu/yiyezhiqiu.tar.gz /etc/openvpn/
解压认证包文件
tar -xf /etc/openvpn/yiyezhiqiu.tar.gz -C /etc/openvpn/
然后就可以启动openven了
systemctl start openvpn@client
systemctl enable openvpn@client
查看启动日志一切正常
检测连接情况,ping没问题,ssh连接也可以
这样openvpn连接就可以了
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。