Build OpenVPN on Alibaba Cloud CentOS

This article walks through building and configuring an OpenVPN server on a CentOS ECS instance and connecting to it from a Windows client.

Note: The relevant configurations and descriptions in this article are only used for examples and operation guidelines. Alibaba Cloud is not responsible for the results of related operations and the resulting problems.

OpenVPN configuration


Preparation

1. Use the update_source.sh tool to switch the yum repository to Alibaba Cloud's intranet yum source.

2. Install the dependent packages:

  yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
  yum install -y pkcs11-helper pkcs11-helper-devel

Confirm that the installation is complete (every package should be listed with a version):

  rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel

Install OpenVPN service

1. Download the OpenVPN source package:

  wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz

The package is fetched over plain HTTP with no checksum, and OpenVPN 2.2.2 is a 2011 release; before building, compare the tarball against the OpenVPN project's published release signature rather than trusting the mirror alone.

2. Use rpmbuild to compile the source tarball into an rpm package for installation (the tarball carries its own spec file, which is what -tb uses):

  rpmbuild -tb openvpn-2.2.2.tar.gz

Compilation starts immediately. When it finishes, the openvpn-2.2.2-1.x86_64.rpm package is written to the /root/rpmbuild/RPMS/x86_64 directory.

3. Install the generated rpm package:

  rpm -ivh /root/rpmbuild/RPMS/x86_64/openvpn-2.2.2-1.x86_64.rpm

Configure OpenVPN service (server side)

1. Initialize the PKI

  cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0

In the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0 directory, open the vars file that sets the certificate environment and edit the values defined by the following export lines:

  export KEY_COUNTRY="CN"      # country
  export KEY_PROVINCE="BJ"     # province
  export KEY_CITY="Hangzhou"   # city
  export KEY_ORG="aliyun"      # organization
  export KEY_EMAIL=my@test.com # e-mail address

These values only populate the subject (DN) of the certificates you generate; set them to whatever describes your deployment, they do not affect how OpenVPN operates. The same file also sets export KEY_SIZE=1024. Raise it to 2048 before generating anything: 1024-bit RSA keys and DH parameters are below current minimums. If you do, the file names in the following steps change accordingly (for example dh2048.pem instead of dh1024.pem).

2. Generate the server certificate:

First point the easy-rsa scripts at an OpenSSL configuration, load the variables, and clear the keys directory. Note that ./clean-all deletes every existing key and certificate under keys/, so run it only on a fresh setup:

  ln -s openssl-1.0.0.cnf openssl.cnf   # symlink to the openssl-1.0.0.cnf configuration file
  source ./vars
  ./clean-all

Generate the CA certificate. Because the defaults were just set in the vars file, you can accept each prompt by pressing Enter:

  ./build-ca

 

Generate the server certificate, where aliyuntest is a name of your choosing. Press Enter through the prompts; the last two prompts ask you to sign and commit the certificate, answer y to both. When it finishes, aliyuntest.key, aliyuntest.csr and aliyuntest.crt are saved in the keys directory.

  ./build-key-server aliyuntest

3. Create the user (client) key and certificate

  ./build-key aliyunuser

This creates a key and certificate for the user named aliyunuser. Press Enter through the prompts and answer y to the two confirmations at the end. When it finishes, the client files aliyunuser.key, aliyunuser.crt and aliyunuser.csr are written to the keys directory; with the default KEY_SIZE the key is 1024-bit RSA, which is why raising KEY_SIZE to 2048 in vars beforehand is recommended.

4. Generate the Diffie-Hellman parameters

  ./build-dh

After ./build-dh completes, the parameter file dh1024.pem is written to the keys directory. The server uses it for the ephemeral Diffie-Hellman key exchange in the TLS handshake; it plays no part in authenticating clients, which is done with the certificates above.

5. Copy the contents of the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys directory to /etc/openvpn:

  cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/

This also places ca.key, the CA signing key, on the VPN host. For anything beyond a test setup keep ca.key on an offline machine and copy only ca.crt, the server certificate and key, and the DH file; the client files are only needed here so they can be downloaded in the client steps below.

6. Copy the sample OpenVPN server configuration file server.conf to the /etc/openvpn/ directory:

  cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

7. Configure server.conf

After editing, the effective (non-comment) content of the file is as follows:

  $ egrep -v "^$|^#|^;" server.conf
  local 1.1.1.1          # replace with the public IP address of your own cloud server
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert aliyuntest.crt    # this crt and the key on the next line use the name chosen when the server certificate was generated
  key aliyuntest.key
  dh dh1024.pem
  server 172.16.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "redirect-gateway def1 bypass-dhcp"
  push "dhcp-option DNS 223.5.5.5"
  client-to-client
  keepalive 10 120
  comp-lzo
  user nobody
  group nobody
  persist-key
  persist-tun
  status openvpn-status.log
  log openvpn.log
  verb 3

The address given to local must be configured on one of the instance's own interfaces. If the public IP reaches the instance through NAT (an EIP on a VPC instance) rather than being configured on eth0 or eth1, bind to the private address or remove the local line so OpenVPN listens on all interfaces; otherwise the daemon fails to start with a bind error. The sample file also contains a commented-out tls-auth line; enabling it (with a key generated by openvpn --genkey --secret ta.key and copied to each client) makes the server drop control-channel packets that do not carry the shared HMAC, which keeps unauthenticated hosts from starting TLS handshakes against it.

8. Set up iptables

Before continuing, make sure the iptables service is enabled and /etc/sysconfig/iptables exists. Then enable IP forwarding:

  vi /etc/sysctl.conf

Set the following line:

  net.ipv4.ip_forward = 1

Apply the kernel parameter:

  sysctl -p

Add the NAT rule so that packets from the VPN subnet are forwarded to the Alibaba Cloud intranet and the Internet with the server's address as their source:

  iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

Check the filter table as well: the default CentOS ruleset in /etc/sysconfig/iptables ends both the INPUT and FORWARD chains with a REJECT, so UDP port 1194 must be accepted in INPUT and traffic arriving on the tun interface accepted in FORWARD, or clients will either fail to connect or connect without being able to reach anything. UDP 1194 also has to be opened in the instance's security group.

Save the iptables configuration:

  service iptables save
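The following script is an added example and not part of the original article. It reads the server.conf produced in step 7 the same way the article's egrep listing does, reports the settings a reviewer would flag (1024-bit DH parameters, no tls-auth, privileges not dropped), and derives the step 8 iptables commands from the same file so the NAT subnet and listening port cannot drift apart from the OpenVPN configuration. File paths, the constructed copy of the config and the hardening thresholds are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original article: lint the server.conf from
# step 7 and derive the iptables rules of step 8 from it, so the NAT subnet and
# the listening port cannot drift apart from what OpenVPN is actually configured
# with. File paths and the hardening thresholds are assumptions of this example.

# Effective configuration: drop blank lines and comments, as the article's egrep does.
ovpn_effective_config() {
    grep -Ev '^[[:space:]]*($|#|;)' "$1"
}

# Print the argument(s) of a directive (first occurrence); empty if absent.
ovpn_get() {
    ovpn_effective_config "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
mask_to_prefix() {
    echo "$1" | awk -F. '{ n = 0
        for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } }
        print n }'
}

# Review a server.conf: required directives present and no settings a
# practitioner would reject. Prints each finding; returns 0 only when clean.
ovpn_check_server_conf() {
    conf="$1"; rc=0
    for d in port proto dev ca cert key dh server; do
        [ -n "$(ovpn_get "$conf" "$d")" ] || { echo "MISSING: $d"; rc=1; }
    done
    case "$(ovpn_get "$conf" dh)" in
        *1024*) echo "WEAK: 1024-bit DH parameters (regenerate with KEY_SIZE=2048)"; rc=1 ;;
    esac
    # The sample server.conf ships tls-auth commented out; without it anyone who
    # can reach the port gets a TLS handshake with the server.
    [ -n "$(ovpn_get "$conf" tls-auth)" ] || { echo "MISSING: tls-auth ta.key 0"; rc=1; }
    [ "$(ovpn_get "$conf" user)" = nobody ] && [ "$(ovpn_get "$conf" group)" = nobody ] ||
        { echo "WEAK: daemon does not drop privileges to nobody/nobody"; rc=1; }
    return $rc
}

# Emit the iptables commands step 8 needs, taking subnet, port and protocol from
# the config. Besides the article's MASQUERADE rule, CentOS 6's default ruleset
# ends INPUT and FORWARD with a REJECT, so the VPN port and tunnel forwarding
# must be allowed explicitly as well.
ovpn_firewall_rules() {
    conf="$1"
    dev=$(ovpn_get "$conf" dev)
    case "$dev" in tun|tap) dev="$dev+" ;; esac   # "dev tun" -> match tun0, tun1, ...
    port=$(ovpn_get "$conf" port); proto=$(ovpn_get "$conf" proto)
    set -- $(ovpn_get "$conf" server)              # "172.16.0.0 255.255.255.0"
    net="$1/$(mask_to_prefix "$2")"
    printf 'iptables -I INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
    printf 'iptables -I FORWARD -i %s -j ACCEPT\n' "$dev"
    printf 'iptables -I FORWARD -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$dev"
    printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$net"
}

# Constructed copy of the article's finished server.conf, used for the demo below.
write_article_server_conf() {
    cat > "$1" <<'EOF'
local 1.1.1.1
port 1194
proto udp
dev tun
ca ca.crt
cert aliyuntest.crt
key aliyuntest.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
EOF
}

conf=$(mktemp) && trap 'rm -f "$conf"' EXIT
write_article_server_conf "$conf"
ovpn_check_server_conf "$conf" || echo "server.conf needs attention before going live"
ovpn_firewall_rules "$conf"
```

Run against the article's configuration, the check reports the 1024-bit DH file and the missing tls-auth line, and the rule generator prints the NAT rule with 172.16.0.0/24 computed from the server directive plus the INPUT and FORWARD accepts that the default CentOS ruleset otherwise blocks. Replace the awk-based netmask conversion with nothing fancier; it is there so a typo in the subnet or mask shows up as a wrong prefix in the output rather than as a silently mismatched firewall rule.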

Start OpenVPN

  /etc/init.d/openvpn start

Check that UDP port 1194 is listening with netstat -ano | grep 1194 to confirm that OpenVPN is running; if it is not, /etc/openvpn/openvpn.log (the log file set in server.conf) shows why.

Configuration for Windows PC clients 


1. Download the OpenVPN client.

2. Installation: install it on the Windows system, accepting the default settings.

3. Download the three files ca.crt, aliyunuser.crt and aliyunuser.key from the /etc/openvpn/ directory of the cloud server to the Windows client that will connect to OpenVPN. The client needs ca.crt to verify the server's certificate; the aliyunuser.csr file is a signing request and is not used by the client. Transfer them with an encrypted tool such as sftp or scp, since aliyunuser.key is a private key and plain FTP would send it in cleartext.

Save them in the \OpenVPN\config directory under the OpenVPN installation path.

4. Configure client.ovpn

Copy client.ovpn from the \OpenVPN\sample-config\ directory under the OpenVPN installation path to the \OpenVPN\config directory under the same path, then change the following parameters in the file:

  proto udp               # remove the leading semicolon so the client uses UDP like the server
  remote 1.1.1.1 1194     # replace 1.1.1.1 with the public IP address of your cloud server and remove the leading semicolon
  ca ca.crt
  cert aliyunuser.crt
  key aliyunuser.key

5. Go to the C:\Program Files (x86)\OpenVPN\bin directory, find openvpn-gui-1.0.3.exe, right-click it and choose Run as administrator (otherwise adding the routes fails when run as an ordinary user):

6. After the connection succeeds, confirm that the Alibaba Cloud intranet is reachable through OpenVPN by opening the intranet mirror http://mirrors.aliyuncs.com/ :

Also visit ip.cn: the public egress IP of the Windows PC should now be the cloud server's public IP address, which confirms that the pushed redirect-gateway option is sending all of the client's traffic through the tunnel.
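As an added example that is not part of the original article, the following script assembles a single-file client profile on the server so the Windows user downloads one .ovpn instead of a configuration plus separate certificate files. It inlines ca.crt, which the client must have to verify the server and which the download step above does not list, together with the user's certificate and key, and leaves out the .csr because the client never uses it. It also enables ns-cert-type server, which the sample client.conf ships commented out, so that a client certificate signed by the same CA cannot pose as the server. The client.conf template, the placeholder PEM files and the server address 203.0.113.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: build a single-file client
# profile on the server so the Windows user downloads one .ovpn instead of a
# config plus separate certificate files. It inlines ca.crt (which the client
# needs and which the article's download step does not list) together with the
# user's certificate and key; the .csr is not included because the client never
# uses it. File names and the server address are assumptions of this example.

# Effective configuration: drop blank lines and comments.
ovpn_effective_config() {
    grep -Ev '^[[:space:]]*($|#|;)' "$1"
}

# Print an inline <tag>...</tag> block holding the contents of a PEM file.
ovpn_inline_block() {
    printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"
}

# Usage: ovpn_make_profile client.conf SERVER_IP PORT ca.crt user.crt user.key > user.ovpn
ovpn_make_profile() {
    tmpl="$1" host="$2" port="$3" ca="$4" cert="$5" key="$6"
    for f in "$tmpl" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "ovpn_make_profile: cannot read $f" >&2; return 2; }
    done
    # Keep the template's directives except the ones set explicitly below.
    ovpn_effective_config "$tmpl" | grep -Ev '^[[:space:]]*(remote|proto|ca|cert|key)[[:space:]]'
    printf 'proto udp\nremote %s %s\n' "$host" "$port"
    # Only accept a server certificate issued by build-key-server (nsCertType=server),
    # so a client certificate signed by the same CA cannot impersonate the server.
    printf 'ns-cert-type server\n'
    ovpn_inline_block ca "$ca"
    ovpn_inline_block cert "$cert"
    ovpn_inline_block key "$key"
}

# Constructed demo inputs: a client.conf modelled on the sample file and
# placeholder PEM files (not real certificates or keys).
write_demo_inputs() {
    cat > "$1/client.conf" <<'EOF'
client
dev tun
;proto tcp
proto udp
remote my-server-1 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
comp-lzo
verb 3
EOF
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-USER' '-----END CERTIFICATE-----' > "$1/aliyunuser.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$1/aliyunuser.key"
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
write_demo_inputs "$demo"
ovpn_make_profile "$demo/client.conf" 203.0.113.10 1194 \
    "$demo/ca.crt" "$demo/aliyunuser.crt" "$demo/aliyunuser.key"
```

On the real server the call is the same with the copied sample client.conf, the server's public IP and the files in /etc/openvpn, redirected to aliyunuser.ovpn. Because the resulting file embeds the private key it has the same sensitivity as aliyunuser.key: transfer it over sftp or scp and delete the server-side copy once the client has it.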

 

 
