I. Environment preparation
I bought an Alibaba Cloud ECS server for this; because the national firewall currently blocks OpenVPN packets, I purchased one in a domestic region.
Operating system version: CentOS 7.6
II. Installation
1. Installing OpenVPN
We install directly from the package shipped in the EPEL repository; the version I installed is 2.4.6.
yum install openvpn -y
2. Environment settings
Fill in the actual IP range and network interface name according to your environment.
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
III. OpenVPN configuration
3.1 Create the certificate files and place them under /etc/openvpn/server/
-rw-r--r-- 1 root root 2195 May 11 2015 ca.crt
-rw-r--r-- 1 root root 424 May 11 2015 dh2048.pem
-rw-r--r-- 1 root root 6391 May 11 2015 server.crt
-rw-r--r-- 1 root root 1704 May 11 2015 server.key
3.2 Create the configuration file
Add the configuration file /etc/openvpn/server/server.conf with the following content:
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env # authentication script
verify-client-cert none
username-as-common-name
script-security 3
Create the log directory.
mkdir -p /var/log/openvpn
3.3 Script content
Create the script /etc/openvpn/checkpsw.sh with the following content:
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN (auth-user-pass-verify ... via-env) exports the submitted
# credentials as the environment variables $username and $password;
# exit status 0 accepts the login, anything else rejects it.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Hand the username to awk with -v instead of splicing it into the program
# text, so quotes or awk syntax in a username cannot change the match.
# Lines starting with ';' or '#' are comments; the first matching row wins.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}"`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
# Record the failure, but never write the submitted password to the log.
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
Add execute permission.
chmod +x /etc/openvpn/checkpsw.sh
3.4 Configure usernames and passwords
Edit /etc/openvpn/psw-file and add new accounts here, one account per line, with the username and password separated by a space:
test 123456
test1 123456a
Tighten the file permissions, for safety's sake.
chmod 400 /etc/openvpn/psw-file
chown nobody.nobody /etc/openvpn/psw-file
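The script in 3.3 and the password file in 3.4 keep every password in clear text and compare it with a plain string test. The following is an added example (not code from the original post) of the same auth-user-pass-verify contract with salted PBKDF2 hashes in the file instead; it relies on the via-env behaviour already used above (OpenVPN exports the credentials as the environment variables username and password, and exit 0 accepts), while the line format, the function names and PASSFILE path are my assumptions.

```python
# Hardened auth-user-pass-verify helper (added example, not code from the original post).
# Assumed passfile line format: <username> pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>
# OpenVPN with "auth-user-pass-verify <script> via-env" exports the submitted
# credentials as the environment variables username and password; exit 0 accepts.
import hashlib, hmac, os, secrets, sys

PASSFILE = "/etc/openvpn/psw-file"  # same path the post uses for its plaintext file


def make_entry(username, password, iterations=200_000):
    """Build one passfile line; run once per account so the password itself is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username} pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(username, password, lines):
    """True only if a non-comment line for username carries a matching hash."""
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith(("#", ";")):
            continue  # comment convention carried over from checkpsw.sh
        if fields[0] != username:
            continue
        try:
            algo, iters, salt_hex, hash_hex = fields[1].split("$")
            if algo != "pbkdf2_sha256":
                return False
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                         bytes.fromhex(salt_hex), int(iters))
            # First matching username decides (as the awk one-liner does); constant-time compare.
            return hmac.compare_digest(digest.hex(), hash_hex)
        except (IndexError, ValueError, TypeError):
            return False  # malformed entry: reject rather than fall through to later lines
    return False


def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(PASSFILE) as fh:
            ok = verify(username, password, fh)
    except OSError:
        ok = False
    # Log the decision and the username only, never the submitted password.
    print(f"auth {'ok' if ok else 'failed'} user={username!r}", file=sys.stderr)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Generate each line with make_entry once (for example from a small admin shell), paste it into the file, and point auth-user-pass-verify at this script in place of checkpsw.sh; script-security 3 is still required.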
IV. Start the service
Enable it at boot.
systemctl enable [email protected]
Start the service.
systemctl start [email protected]
V. Client configuration
Taking a Windows client as the example:
Edit the configuration file client.ovpn with the following content:
client
dev tun
proto udp
remote 47.92.142.220 1194
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
;cert client.crt
;key client.key
comp-lzo
verb 3
auth-user-pass # the client logs in with a username and password
reneg-sec 360000
Click Connect, enter the username and password, and the connection succeeds.