阿里云上的搭建openvpn（easy-rsa2）

前面yum安装省略

1、安装前准备

# 关闭selinux

setenforce 0

sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config

# 安装openssl和lzo，lzo用于压缩通讯数据加快传输速度

yum -y install openssl openssl-devel

yum -y install lzo

# 安装epel源

rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm

sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo

2、安装及配置OpenVPN和easy-rsa

# 安装openvpn和easy-rsa

yum -y install openvpn

#下载密钥生成工具

wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip

unzip 2.x.zip

#复制我们的CA到openvpn配置目录下

cp -ra easy-rsa-release-2.x/easy-rsa/2.0 /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

# 修改vars文件

vim vars

# 修改注册信息，比如公司地址、公司名称、部门名称等。

export KEY_COUNTRY="CN"

export KEY_PROVINCE="Shandong"

export KEY_CITY="Qingdao"

export KEY_ORG="MyOrganization"

export KEY_EMAIL="[email protected]"

export KEY_OU="MyOrganizationalUnit"

密钥创建步骤：

cd /usr/share/easy-rsa/2.0/

# 初始化环境变量

source vars

# 清除keys目录下所有与证书相关的文件

# 下面步骤生成的证书和密钥都在/usr/share/easy-rsa/2.0/keys目录里

./clean-all

# 生成根证书ca.crt和根密钥ca.key（一路按回车即可）

./build-ca

# 为服务端生成证书和密钥（一路按回车，直到提示需要输入y/n时，输入y再按回车，一共两次）

./build-key-server server

# 创建迪菲·赫尔曼密钥，会生成dh2048.pem文件（生成过程比较慢，在此期间不要去中断它）

./build-dh

# 生成ta.key文件（防DDos攻击、UDP淹没等恶意攻击）

openvpn --genkey --secret keys/ta.key

# 在openvpn的配置目录下新建一个keys目录

mkdir /etc/openvpn/keys

# 将需要用到的openvpn证书和密钥复制一份到刚创建好的keys目录中

cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/

# 编辑server.conf

vim /etc/openvpn/server.conf

local 172.18.209.xxx #阿里云的eth0内网地址

port 1194

proto tcp

dev tun

ca /etc/openvpn/keys/ca.crt

cert /etc/openvpn/keys/server.crt

key /etc/openvpn/keys/server.key

dh /etc/openvpn/keys/dh2048.pem

auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env

client-cert-not-required

username-as-common-name

client-config-dir /etc/openvpn/ccd

server 56.56.56.0 255.255.255.0

push "route 172.18.209.0 255.255.255.0" #你的客户端要访问内网的哪些机器就需要加push，不同网段要加不同的push,我这边是需要客户端连了能访问172.18.209.xxx地址的机器。

ifconfig-pool-persist ipp.txt

script-security 3

;push "redirect-gateway def1 bypass-dhcp"

;push "redirect-gateway def1”

push "dhcp-option DNS 202.96.209.5"

client-to-client

duplicate-cn

keepalive 10 120

tls-auth /etc/openvpn/keys/ta.key 0

comp-lzo

user nobody

group nobody

persist-key

persist-tun

status openvpn-status.log

log /var/log/openvpn/openvpn.log

log-append /var/log/openvpn/openvpn.log

verb 3

防火墙配置：

cat /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Sat May 27 12:48:34 2017

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [36:27410]

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT

-A FORWARD -s 56.56.56.0/25 -d 0.0.0.0/0 -i tun0 -j ACCEPT

-A FORWARD -s 56.56.56.0/24 -i tun0 -j ACCEPT

-A FORWARD -s 56.56.56.0/24 -i tun0 -j DROP

COMMIT

# Completed on Sat May 27 12:48:34 2017

# Generated by iptables-save v1.4.7 on Sat May 27 12:48:34 2017

*nat

:PREROUTING ACCEPT [0:0]

:POSTROUTING ACCEPT [2:806]

:OUTPUT ACCEPT [2:806]

-A POSTROUTING -s 56.56.56.0/24 -j MASQUERADE

-A POSTROUTING -s 56.56.56.0/24 -o eth0 -j SNAT --to-source 172.18.209.xxx

COMMIT

# Completed on Sat May 27 12:48:34 2017

我这边分给客户端的都是固定ip，自己要算一下ip规划，如下，添加客户端都是脚本添加的：

添加客户端的脚本：

vim /etc/openvpn/vpn_add_del.sh

#!/bin/bash

#create user by lp

#创建openvpn user

case $1 in

'add')

openvpn_add()

{

echo -n "Please input your openvpn username:"

read username

echo -n "Please input your openvpn password:"

read password

echo -n "Please input your openvpn ip address:"

read ip_address

WORK_DIR=/etc/openvpn

IP=`expr $ip_address + 1`

}

openvpn_add

if [ -e $WORK_DIR/ccd/$username ]

then

printf '%100s\n' | tr ' ' -

echo -e "\033[31m $username is exits!!! \033[0m"

printf '%100s\n' | tr ' ' -

else

touch $WORK_DIR/ccd/$username

echo -e "\033[36m create user $uername is sucessed! \033[0m"

echo "$username $password">>$WORK_DIR/psw-file

echo -e "\033[36m set $username for password is sucessed! \033[0m"

echo "ifconfig-push 56.56.56.$ip_address 56.56.56.$IP" >>$WORK_DIR/ccd/$username

echo -e "\033[36m add address is sucessed! \033[0m"

;;

'del')

openvpn_del()

{

WORK_DIR=/etc/openvpn

echo -n "Please input your want to delete openvpn username:"

read username

}

openvpn_del

if [ -e $WORK_DIR/ccd/$username ]

then

find $WORK_DIR -type f -name $username | xargs rm -f

sed -i "/$username/d" $WORK_DIR/psw-file

echo -e "\033[31m openvpn user delete is sucessed! \033[0m"

else

echo -e "\033[31m user delete is failed! \033[0m"

exit

;;

'alter')

openvpn_alter()

{

WORK_DIR=/etc/openvpn

echo -n "please input your want to alter openvpn user:"

read username

echo -n "please input your new password for $username:"

read password

}

openvpn_alter

if [ $# -eq 1 ]

then

old_passwd=`grep "$username" $WORK_DIR/psw-file | awk '{print $2}'`

sed -i "s/$username $old_passwd/$username $password/g" $WORK_DIR/psw-file

echo -e "\033[32m $username password is ok! \033[0m"

else

exit

;;

* )

echo "USAGE:$0 {add|del|alter}"

;;

esac

mkdir /etc/openvpn/ccd/ 里面存放客户端的虚拟ip

添加客户端方法：图中17是缩写，实际上添加的虚拟ip是56.56.56.17

客户端配置：

讲keys下的ca.crt和ta.key放到客户端config文件下，

客户端配置文件：

client

;dev tap

dev tun

;dev-node MyTap

proto tcp

;proto udp

remote 119.23.239.xxx 1194 #阿里云公网ip

resolv-retry infinite

;user nobody

;group nobody

persist-key

persist-tun

ca ca.crt

tls-auth ta.key 1

comp-lzo

verb 3

;auth-user-pass

auth-user-pass pass.txt

还要在config下创建pass.txt文件里面放用户名和密码，免密码登录：

一个客户端的配置：

如果多个机房的openvpn可以在config下面创建多个config子目录，一个子目录代表一个连接。

这样就配置完了，

service iptables restart

service iptables save

/etc/init.d/openvpn start

chkconfig openvpn on

阿里云上的搭建openvpn（easy-rsa2）

猜你喜欢