阿里云上的搭建openvpn(easy-rsa2)
前面yum安装省略
1、安装前准备
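# Pre-install steps (one command per line; the page had them collapsed).
# Disable SELinux now (setenforce) and permanently (config file). This is the
# tutorial's shortcut; the distribution policy normally ships rules for the
# openvpn daemon, so keeping enforcing mode and fixing denials from audit.log is
# the safer route — TODO confirm on your release.
setenforce 0
sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config
# openssl for TLS; lzo backs the comp-lzo directive used in server.conf below.
yum -y install openssl openssl-devel lzo
# EPEL release package for EL6. It is fetched over plain HTTP, so the download
# is only as trustworthy as the mirror unless the package signature is verified
# (import the EPEL key and run `rpm --checksig` before installing).
rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
# Switch the mirrorlist URL to http (the original does this for reachability).
# This only affects how the mirror list is fetched; package signature checking
# is governed by gpgcheck in the repo file, which this edit leaves unchanged.
sed -i 's/^mirrorlist=https/mirrorlist=http/' /etc/yum.repos.d/epel.repo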
2、安装及配置OpenVPN和easy-rsa
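# Install OpenVPN and fetch easy-rsa 2.x (the key generation tooling).
yum -y install openvpn
wget https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip
unzip 2.x.zip
# Copy the CA tooling into the openvpn config directory.
# NOTE: the key-creation steps later on this page run from
# /usr/share/easy-rsa/2.0/, not from this directory — use one location
# consistently (copy there instead, or run the build-* steps here).
cp -ra easy-rsa-release-2.x/easy-rsa/2.0 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa || exit 1
# Edit vars: the KEY_* export lines shown next.
vim vars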
# Certificate subject defaults consumed by easy-rsa's build-* scripts after
# `source vars`: country, province, city, organisation, contact e-mail and
# organisational unit. Fill in your own details. The e-mail value as printed
# here looks like an extraction placeholder rather than a real address —
# replace it before building the CA.
export KEY_COUNTRY='CN' \
       KEY_PROVINCE='Shandong' \
       KEY_CITY='Qingdao' \
       KEY_ORG='MyOrganization' \
       KEY_EMAIL='[email protected]' \
       KEY_OU='MyOrganizationalUnit'
密钥创建步骤:
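# Key creation. NOTE: this directory differs from /etc/openvpn/easy-rsa used in
# the install step above; both must point at the same easy-rsa checkout.
cd /usr/share/easy-rsa/2.0/ || exit 1
# Load the KEY_* subject defaults from vars
source vars
# Remove everything in keys/; all certificates and keys generated below are
# written to /usr/share/easy-rsa/2.0/keys
./clean-all
# Root certificate ca.crt and root key ca.key (accept the defaults with Enter)
./build-ca
# Server certificate and key (Enter through the prompts; answer y twice when asked)
./build-key-server server
# Diffie-Hellman parameters -> dh2048.pem (slow; do not interrupt it)
./build-dh
# tls-auth key: an HMAC on the TLS control channel, so packets without the
# right key are dropped before any TLS work (cheap mitigation against floods
# and scans of the listening port)
openvpn --genkey --secret keys/ta.key
# Runtime key directory under the openvpn config dir
mkdir -p /etc/openvpn/keys
# Copy only what the server needs. ca.key is deliberately not copied: it stays
# in easy-rsa's keys/ directory and is only needed to issue certificates.
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# The private key and ta.key are read by root at startup (server.conf on this
# page drops to nobody afterwards), so keep them unreadable to everyone else.
chmod 700 /etc/openvpn/keys
chmod 600 /etc/openvpn/keys/server.key /etc/openvpn/keys/ta.key
# Write server.conf (contents follow)
vim /etc/openvpn/server.conf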
# OpenVPN server configuration (/etc/openvpn/server.conf) as used on this page.
# Lines starting with ';' are disabled directives.
# Bind to the Alibaba Cloud eth0 private address (xxx is the author's
# placeholder); clients connect to the public address shown in the client config.
local 172.18.209.xxx
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
# Username/password authentication through an external script (not shown on
# this page). "via-env" hands the credentials to the script in its environment,
# which requires script-security 3 (set below). Together with the next two
# directives and duplicate-cn this makes the password file the only thing
# protecting access: no client certificate is required and the username
# becomes the connection's common name.
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# Deprecated in later OpenVPN releases in favour of "verify-client-cert none".
client-cert-not-required
username-as-common-name
# Per-client files (ccd/<username>) carry the fixed ifconfig-push addresses
# written by vpn_add_del.sh further down the page.
client-config-dir /etc/openvpn/ccd
# Tunnel network. NOTE: 56.56.56.0/24 is public address space, not an RFC 1918
# range, so Internet hosts in that block become unreachable for connected
# clients; a private range such as 10.8.0.0/24 avoids the clash.
server 56.56.56.0 255.255.255.0
# One push per internal subnet clients must reach; here the eth0 /24. Add a
# separate push for every additional subnet.
push "route 172.18.209.0 255.255.255.0"
# Relative path: resolved against the daemon's working directory.
ifconfig-pool-persist ipp.txt
# Level 3 is required for the via-env mode above (passwords are exported into
# the script's environment).
script-security 3
;push "redirect-gateway def1 bypass-dhcp"
;push "redirect-gateway def1"
push "dhcp-option DNS 202.96.209.5"
client-to-client
# Lets the same credentials be connected several times at once; drop it if one
# session per user is intended.
duplicate-cn
keepalive 10 120
# Control-channel HMAC key generated with --genkey; the server uses direction 0,
# clients direction 1.
tls-auth /etc/openvpn/keys/ta.key 0
# Compression of tunnelled traffic. Compressing attacker-influenced data in the
# same stream as secrets is a known risk class (VORACLE-style attacks); current
# guidance is to leave compression off on both sides.
comp-lzo
# Drop privileges after startup; persist-key/persist-tun keep the key material
# and tun device across restarts that the unprivileged daemon could otherwise
# not redo.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
# "log" truncates on start while "log-append" appends; both name the same file,
# so only one of the two is needed.
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
# NOTE(review): no "cipher"/"auth" directives are set, so the build's defaults
# apply (historically BF-CBC and SHA1 on 2.3). Setting e.g. "cipher AES-256-CBC"
# and "auth SHA256" on both server and client is advisable — confirm what your
# version negotiates.
防火墙配置:
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sat May 27 12:48:34 2017
# NOTE(review): INPUT and FORWARD default to ACCEPT and no rule ends in
# DROP/REJECT, so the INPUT rules below only fast-path traffic; every port is
# still reachable from the network. Whether that matters depends on the cloud
# security group in front of the instance (not shown on this page).
# Forwarding also needs net.ipv4.ip_forward=1, which this page does not set.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:27410]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# OpenVPN listener (proto tcp, port 1194 in server.conf)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
# The /24 ACCEPT makes the DROP after it unreachable: every packet from
# 56.56.56.0/24 on tun0 is accepted before the DROP is consulted. The /25
# rule is likewise a subset of the /24 one.
-A FORWARD -s 56.56.56.0/25 -d 0.0.0.0/0 -i tun0 -j ACCEPT
-A FORWARD -s 56.56.56.0/24 -i tun0 -j ACCEPT
-A FORWARD -s 56.56.56.0/24 -i tun0 -j DROP
COMMIT
# Completed on Sat May 27 12:48:34 2017
# Generated by iptables-save v1.4.7 on Sat May 27 12:48:34 2017
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [2:806]
:OUTPUT ACCEPT [2:806]
# MASQUERADE is a terminating target, so the SNAT rule below it never matches;
# keep only one of the two (SNAT to the fixed eth0 address is the cheaper
# choice on a server whose address does not change).
-A POSTROUTING -s 56.56.56.0/24 -j MASQUERADE
-A POSTROUTING -s 56.56.56.0/24 -o eth0 -j SNAT --to-source 172.18.209.xxx
COMMIT
# Completed on Sat May 27 12:48:34 2017
我这边分给客户端的都是固定ip,自己要算一下ip规划,如下,添加客户端都是脚本添加的:
添加客户端的脚本:
vim /etc/openvpn/vpn_add_del.sh
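#!/bin/bash
#create user by lp
# Manage OpenVPN users for the password-file setup described on this page.
#
# Usage: vpn_add_del.sh {add|del|alter}
#   add   - prompts for username, password and host number; creates
#           ccd/<username> with a fixed "ifconfig-push" line and appends
#           "<username> <password>" to psw-file
#   del   - prompts for username; removes ccd/<username> and its psw-file line
#   alter - prompts for username and a new password; rewrites its psw-file line
#
# Environment (optional):
#   WORK_DIR - OpenVPN config directory (default /etc/openvpn)
#   VPN_NET  - first three octets of the tunnel network (default 56.56.56,
#              matching "server 56.56.56.0 255.255.255.0" in server.conf)
#
# psw-file stores passwords in clear text for the auth-user-pass-verify script
# (not shown on this page), so it is created mode 0600, passwords are not
# echoed while typed, and they are passed to awk through the environment
# rather than on a command line visible in `ps`.

set -u

WORK_DIR=${WORK_DIR:-/etc/openvpn}
VPN_NET=${VPN_NET:-56.56.56}

# Print a 100-dash separator (the banner around the "already exists" message).
rule() {
  printf '%100s\n' | tr ' ' -
}

# Usernames become file names under ccd/ and the first field of psw-file:
# allow only [A-Za-z0-9._-] and reject "." / ".." so no path component or
# field separator can be smuggled in.
valid_username() {
  [[ $1 =~ ^[A-Za-z0-9._-]+$ && $1 != . && $1 != .. ]]
}

# Exit status 0 when psw-file has a line whose first field is exactly $1.
has_psw_entry() {
  local psw_file=$WORK_DIR/psw-file
  [[ -e $psw_file ]] || return 1
  u="$1" awk '$1 == ENVIRON["u"] { found = 1 } END { exit !found }' "$psw_file"
}

# Run the awk program $1 over psw-file with the username ($2) in ENVIRON["u"]
# and the password ($3, optional) in ENVIRON["p"], then copy the output back
# over the same inode so the file's owner and mode are preserved.
rewrite_psw_file() {
  local program=$1 user=$2 password=${3-}
  local psw_file=$WORK_DIR/psw-file tmp rv=0
  tmp=$(mktemp) || return 1
  if u="$user" p="$password" awk "$program" "$psw_file" > "$tmp"; then
    cat "$tmp" > "$psw_file" || rv=1
  else
    rv=1
  fi
  rm -f -- "$tmp"
  return "$rv"
}

# Interactive "add": create the ccd entry and password line for a new user.
# Returns 1 on invalid input, an existing user, or a failed write.
openvpn_add() {
  local username password host
  local ccd_dir=$WORK_DIR/ccd psw_file=$WORK_DIR/psw-file
  printf 'Please input your openvpn username:'
  IFS= read -r username
  printf 'Please input your openvpn password:'
  IFS= read -rs password   # -s: do not echo the password
  printf '\n'
  printf 'Please input your openvpn ip address:'
  IFS= read -r host
  if ! valid_username "$username"; then
    printf 'invalid username: %s\n' "$username" >&2
    return 1
  fi
  # host is the last octet of the client address; its peer address is host+1,
  # so 253 is the largest usable value. 10# forces decimal (no octal for "017").
  if [[ ! $host =~ ^[0-9]+$ ]] || (( 10#$host < 1 || 10#$host > 253 )); then
    printf 'ip address must be a number from 1 to 253, got: %s\n' "$host" >&2
    return 1
  fi
  host=$((10#$host))
  if [[ -e $ccd_dir/$username ]]; then
    rule
    printf '\033[31m %s is exits!!! \033[0m\n' "$username"
    rule
    return 1
  fi
  mkdir -p -- "$ccd_dir" || return 1
  # Clear-text credentials: create the file unreadable to other users.
  if [[ ! -e $psw_file ]]; then
    ( umask 077 && : > "$psw_file" ) || return 1
  fi
  : > "$ccd_dir/$username" || return 1
  printf '\033[36m create user %s is sucessed! \033[0m\n' "$username"
  printf '%s %s\n' "$username" "$password" >> "$psw_file" || return 1
  printf '\033[36m set %s for password is sucessed! \033[0m\n' "$username"
  printf 'ifconfig-push %s.%s %s.%s\n' "$VPN_NET" "$host" "$VPN_NET" "$((host + 1))" \
    >> "$ccd_dir/$username" || return 1
  printf '\033[36m add address is sucessed! \033[0m\n'
}

# Interactive "del": remove the user's ccd entry and psw-file line.
# Returns 1 when the user does not exist or a removal fails.
openvpn_del() {
  local username ccd_dir=$WORK_DIR/ccd
  printf 'Please input your want to delete openvpn username:'
  IFS= read -r username
  if ! valid_username "$username"; then
    printf 'invalid username: %s\n' "$username" >&2
    return 1
  fi
  if [[ ! -e $ccd_dir/$username ]]; then
    printf '\033[31m user delete is failed! \033[0m\n'
    return 1
  fi
  rm -f -- "$ccd_dir/$username" || return 1
  # Exact match on the username field: a substring pattern would also remove
  # "alice2" when deleting "alice".
  if [[ -e $WORK_DIR/psw-file ]]; then
    rewrite_psw_file '$1 != ENVIRON["u"]' "$username" || return 1
  fi
  printf '\033[31m openvpn user delete is sucessed! \033[0m\n'
}

# Interactive "alter": replace the password of an existing user.
# Returns 1 when the user has no psw-file entry or the rewrite fails.
openvpn_alter() {
  local username password
  printf 'please input your want to alter openvpn user:'
  IFS= read -r username
  printf 'please input your new password for %s:' "$username"
  IFS= read -rs password
  printf '\n'
  if ! valid_username "$username"; then
    printf 'invalid username: %s\n' "$username" >&2
    return 1
  fi
  if ! has_psw_entry "$username"; then
    printf 'no password entry for %s\n' "$username" >&2
    return 1
  fi
  rewrite_psw_file '$1 == ENVIRON["u"] { $0 = ENVIRON["u"] " " ENVIRON["p"] } { print }' \
    "$username" "$password" || return 1
  printf '\033[32m %s password is ok! \033[0m\n' "$username"
}

usage() {
  printf 'USAGE:%s {add|del|alter}\n' "$0" >&2
}

# Dispatch on the single sub-command argument; the exit status is the action's.
main() {
  case ${1-} in
    add)   openvpn_add ;;
    del)   openvpn_del ;;
    alter) openvpn_alter ;;
    *)     usage; return 1 ;;
  esac
}

main "$@"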
mkdir /etc/openvpn/ccd/  # 里面存放客户端的虚拟ip
添加客户端方法:图中17是缩写,实际上添加的虚拟ip是56.56.56.17
客户端配置:
将keys下的ca.crt和ta.key放到客户端config目录下,
客户端配置文件:
# OpenVPN client configuration; ca.crt and ta.key sit next to it in the
# client's config directory. Lines starting with ';' are disabled directives.
client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
# Server's public address (xxx is the author's placeholder), port 1194
remote 119.23.239.xxx 1194
resolv-retry infinite
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
# Same ta.key as the server; direction 1 on the client side
tls-auth ta.key 1
# Mirrors the server's comp-lzo; see the note there about compression risks.
comp-lzo
verb 3
;auth-user-pass
# Credentials read from pass.txt (username on the first line, password on the
# second) so no prompt appears. The file holds the password in clear text:
# keep it readable only by the user running the client.
# NOTE(review): adding "remote-cert-tls server" would make the client check
# the server certificate's key usage, so a leaked client-side certificate
# could not be used to impersonate the server.
auth-user-pass pass.txt
还要在config下创建pass.txt文件里面放用户名和密码,免密码登录:
一个客户端的配置:
如果多个机房的openvpn可以在config下面创建多个config子目录,一个子目录代表一个连接。
这样就配置完了,最后重新加载防火墙规则并启动openvpn:
# Load the rules from /etc/sysconfig/iptables, then write the running rule set
# back to that file (redundant right after a restart, but harmless).
service iptables restart
service iptables save
# Start OpenVPN now and enable it at boot (SysV-style init, as on EL6).
/etc/init.d/openvpn start
chkconfig openvpn on