Deploying an OpenVPN service

Posted by 刘勇 on 2020-03-18

Installing OpenVPN

  • Install a current stable release; old versions carry known security issues. The steps below are for Debian 8.9 (jessie); other Debian releases differ only in the repository name.

Installing from the APT repository

aptitude install openvpn   # installs jessie's stock package first; the repository added below then upgrades it
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -   # signing key apt uses to verify the repository
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 jessie main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update
apt-get install openvpn    # now pulls the 2.4 build from the OpenVPN project's repository

Installing from a .deb package

aptitude install openvpn   # pulls in the dependencies
wget http://build.openvpn.net/debian/openvpn/release/2.4/pool/jessie/main/o/openvpn/openvpn_2.4.7-jessie0_amd64.deb
dpkg -i openvpn_2.4.7-jessie0_amd64.deb

Note that this path fetches the package over plain HTTP and dpkg -i performs no signature check, so nothing confirms that the file is what the OpenVPN project published. Prefer the APT repository above, where apt verifies the repository signature with the imported key, or at least compare the package's SHA256 with the entry in the repository's signed Packages index before installing it.

Setting up the certificates

Initialisation

apt-get install easy-rsa
cp -R /usr/share/easy-rsa /etc/openvpn      # work on a copy under /etc/openvpn, not on the packaged files
cd /etc/openvpn/easy-rsa/
chmod +x vars
source ./vars                               # sets KEY_DIR=/etc/openvpn/easy-rsa/keys and the defaults offered in the prompts below
./clean-all                                 # wipes the keys directory: run this once, when creating a new CA, never on an existing one

Generating the CA

./build-ca

At this step you can generally just press Enter through the prompts; I changed the hostname to myhostname.

Common Name (eg, your name or your server's hostname) [server]:myhostname
Name [changeme]:myhostname

This creates ca.crt and ca.key in /etc/openvpn/easy-rsa/keys/ (the KEY_DIR set by vars; the same directory is used throughout the rest of this post). ca.key signs every server and client certificate, so keep it readable by root only and never copy it to a client; only ca.crt goes into the client bundle.

Generating the server certificate

./build-key-server server

As in the previous step, I changed the hostname to myhostname. This creates server.crt, server.csr and server.key in the keys directory. build-key-server signs the certificate with the server extensions (nsCertType=server, extendedKeyUsage=serverAuth), which is what later lets a client insist on a genuine server certificate with remote-cert-tls server.

Generating client certificates

  • Run this step whenever a new user requests a VPN account.
cd /etc/openvpn/easy-rsa/

# only needed if vars has not already been sourced in this shell
source ./vars

# the argument is the client name, i.e. the username; pick something easy to recognise,
# such as the partner's short English name
./build-key client1

# below is the full transcript of issuing a certificate for the user Averina_Anastasia
root@xxxx:/etc/openvpn/easy-rsa# ./build-key Averina_Anastasia
Generating a 2048 bit RSA private key
..........................+++
.................+++
writing new private key to 'Averina_Anastasia.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US #country code
State or Province Name (full name) [CA]:Averina_Anastasia #province
Locality Name (eg, city) [SanFrancisco]:Averina_Anastasia #city
Organization Name (eg, company) [Fort-Funston]:Averina_Anastasia #company
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:Averina_Anastasia #department or unit
Common Name (eg, your name or your server's hostname) [Averina_Anastasia]:Averina_Anastasia #the CN: OpenVPN uses it to find the client's ccd file and shows it in status output
Name [EasyRSA]:
Email Address [me@myhost.mydomain]: #e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :T61STRING:'Averina_Anastasia'
localityName :T61STRING:'Averina_Anastasia'
organizationName :T61STRING:'Averina_Anastasia'
organizationalUnitName:T61STRING:'Averina_Anastasia'
commonName :T61STRING:'Averina_Anastasia'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Jul 13 06:10:41 2029 GMT (3650 days)
Sign the certificate? [y/n]:y #confirm signing


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This creates client1.crt, client1.csr and client1.key in the keys directory. For every further user choose a different client name (client2, client3, ...). Do not hand one certificate to several users: without duplicate-cn on the server, each new connection with a given common name disconnects the session already using that name, so users sharing a key keep kicking each other off. One certificate per user also means one user can be revoked without touching the others.

To provision a new VPN account, send the user four files: ca.crt, <username>.crt, <username>.key and <username>.ovpn. The .key file is the user's private key, so deliver it over a confidential channel (not plain e-mail) and remove the server-side copy once the user has it; alternatively let the user generate the key pair and send you only a CSR, which easy-rsa 2 signs with ./sign-req.

A reference <username>.ovpn:

client
proto tcp #transport protocol, must match the server (tcp or udp)
dev tun #device type, tun or tap, must match the server
remote xxx 9190 #VPN server address and port; must be the port the server listens on (the server.conf below uses 9194) unless a port forward in between translates it

ca ca.crt #CA certificate
cert Averina_Anastasia.crt #client certificate
key Averina_Anastasia.key #client private key

resolv-retry infinite
nobind
mute-replay-warnings

keepalive 20 120
comp-lzo #must match the server; comp-lzo is deprecated in 2.4 and compression leaks plaintext through compression side channels
#user openvpn
#group openvpn

persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
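The bundle described above is four loose files, and the client config trusts any certificate our CA has ever signed as "the server". The script below is an added example, not part of the original post: it checks that <name>.crt really chains to ca.crt and carries the expected common name, then writes a single .ovpn with the certificates inline and remote-cert-tls server set. It assumes the easy-rsa 2.x keys directory from above, openssl on PATH, and a server certificate issued by ./build-key-server; the remote host, port and client name are taken from its arguments.

```sh
#!/bin/sh
# Added example (not from the original post). Build one self-contained .ovpn for a
# client from the easy-rsa 2.x keys directory, after checking the certificate.
# Assumptions: keys/ca.crt, keys/<name>.crt and keys/<name>.key exist; openssl is on
# PATH; the server certificate came from ./build-key-server, so "remote-cert-tls
# server" can be enforced on the client.
set -eu

# verify_client_cert NAME KEYS_DIR
#   0 if NAME.crt is signed by ca.crt and its CN equals NAME, 1 otherwise.
verify_client_cert() {
    name=$1 keys=$2
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    # chain check: a certificate from another CA, or a tampered file, fails here
    openssl verify -CAfile "$keys/ca.crt" "$keys/$name.crt" >/dev/null 2>&1 \
        || { echo "$name.crt does not verify against ca.crt" >&2; return 1; }
    # the ccd file name and the status output are keyed on the CN, so it must match
    cn=$(openssl x509 -noout -subject -nameopt sep_multiline,utf8 -in "$keys/$name.crt" \
         | sed -n 's/^[[:space:]]*CN=//p')
    [ "$cn" = "$name" ] || { echo "CN '$cn' does not match client name '$name'" >&2; return 1; }
}

# make_client_ovpn NAME KEYS_DIR REMOTE_HOST REMOTE_PORT  -> .ovpn text on stdout
make_client_ovpn() {
    name=$1 keys=$2 host=$3 port=$4
    verify_client_cert "$name" "$keys" || return 1
    cat <<EOF
client
dev tun
proto tcp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 20 120
# only accept a peer whose certificate carries the server extensions from build-key-server;
# without this, any other client certificate signed by our CA could impersonate the server
remote-cert-tls server
# comp-lzo is kept only because the server in this post still has it; compression is
# deprecated in 2.4 and should be removed on both sides
comp-lzo
verb 3
<ca>
$(cat "$keys/ca.crt")
</ca>
<cert>
$(openssl x509 -in "$keys/$name.crt")
</cert>
<key>
$(cat "$keys/$name.key")
</key>
EOF
}

# usage: sh make-client-ovpn.sh NAME KEYS_DIR REMOTE_HOST REMOTE_PORT > NAME.ovpn
if [ $# -eq 4 ]; then
    make_client_ovpn "$@"
fi
```

The resulting file replaces the four-file bundle: the user gets one .ovpn, and the private key still has to travel over a confidential channel. openssl x509 -in is used for the certificate so that only the PEM block is embedded, not the text dump easy-rsa 2 prepends to its .crt files.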
  • On the VPN server create a per-client file /etc/openvpn/ccd/Averina_Anastasia. The file name must be exactly the Common Name you entered when creating the certificate (./build-key Averina_Anastasia): OpenVPN looks the file up by CN once the client has authenticated. Contents:
#push a route to one specific host to this user
push "route x.x.x.x 255.255.255.255 vpn_gateway"
#static VPN address for this user (address plus netmask, because the server uses topology subnet)
ifconfig-push 10.8.0.3 255.255.255.0
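Writing ccd files by hand invites two mistakes the server will not catch for you: an address outside the server subnet, and the same static address in two files. The function below is an added example, not from the original post: it validates the address against this post's 10.8.0.0/24, rejects the network, server and broadcast addresses, scans the other ccd files for a duplicate ifconfig-push and only then writes the entry. The ccd directory, client name and optional route target are arguments; the 192.0.2.x route target in the usage line is a constructed TEST-NET address.

```sh
#!/bin/sh
# Added example (not from the original post): create a client-config-dir entry with
# sanity checks. Assumes the server from this post: "server 10.8.0.0 255.255.255.0"
# and "topology subnet", so ifconfig-push takes an address and a netmask.
set -eu

VPN_NET=10.8.0.0
VPN_MASK=255.255.255.0

# valid_ipv4 A.B.C.D -> 0 if the string is a dotted quad with octets 0..255
valid_ipv4() {
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..* ) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# ip_to_int A.B.C.D -> the address as a decimal integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# write_ccd NAME ADDRESS CCD_DIR [ROUTE_HOST]
#   writes CCD_DIR/NAME; returns 1 and writes nothing if the address is unusable
write_ccd() {
    name=$1 ip=$2 ccd=$3 route=${4:-}
    case $name in
        '' | */* | .* ) echo "bad client name '$name'" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "'$ip' is not an IPv4 address" >&2; return 1; }
    if [ -n "$route" ] && ! valid_ipv4 "$route"; then
        echo "'$route' is not an IPv4 address" >&2; return 1
    fi
    n=$(ip_to_int "$VPN_NET") m=$(ip_to_int "$VPN_MASK") i=$(ip_to_int "$ip")
    # must fall inside the subnet handed out by "server"
    [ $(( i & m )) -eq "$n" ] || { echo "$ip is outside $VPN_NET/$VPN_MASK" >&2; return 1; }
    # .0 is the network, .1 is the server's own virtual address, .255 is broadcast
    host=$(( i & ~m ))
    bcast=$(( ~m & 4294967295 ))
    if [ "$host" -eq 0 ] || [ "$host" -eq 1 ] || [ "$host" -eq "$bcast" ]; then
        echo "$ip is the network, server or broadcast address" >&2; return 1
    fi
    # no two clients may hold the same static address (trailing space: 10.8.0.3 is not 10.8.0.30)
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$name" ] && continue
        if grep -qsF -- "ifconfig-push $ip " "$f"; then
            echo "$ip is already assigned in $f" >&2; return 1
        fi
    done
    mkdir -p "$ccd"
    {
        echo "# generated for $name"
        [ -n "$route" ] && echo "push \"route $route 255.255.255.255 vpn_gateway\""
        echo "ifconfig-push $ip $VPN_MASK"
    } > "$ccd/$name"
}

# usage: sh write-ccd.sh Averina_Anastasia 10.8.0.3 /etc/openvpn/ccd 192.0.2.10
if [ $# -ge 3 ]; then
    write_ccd "$@"
fi
```

Re-running it for the same client and address is harmless, which makes it safe to keep in a provisioning script alongside ./build-key.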

Generating the DH (Diffie-Hellman) parameters

./build-dh

This creates dh2048.pem in the keys directory (2048 bits because KEY_SIZE=2048 in vars; it can take a few minutes).

Editing the server configuration file

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gunzip server.conf.gz

Configuration file explained

local 10.30.30.12  #IP of the local interface the VPN listens on
port 9194 #VPN listening port
proto tcp #TCP mode
dev tun #tun mode
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key #missing from the original listing: without key (or pkcs12) openvpn refuses to start
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0 #subnet handed out to clients
ifconfig-pool-persist ipp.txt #remembers which address each client received
client-config-dir /etc/openvpn/ccd #directory holding the per-client routes and static addresses
push "redirect-gateway def1 bypass-dhcp" #route all client traffic through the VPN; comment out if not wanted
push "dhcp-option DNS 114.114.114.114" #DNS server pushed to clients; comment out if not wanted
keepalive 10 120 #ping every 10 s, declare the peer dead after 120 s without a reply
comp-lzo #deprecated in 2.4; compression leaks plaintext through compression side channels, drop it on both sides if you can
user openvpn #unprivileged user to drop to after start
group openvpn #group to drop to; Debian's package creates neither account, so add them or use nobody/nogroup as the sample config does
persist-key
persist-tun
status openvpn-status.log #status log
log openvpn.log #truncates the log at every start
log-append openvpn.log #appends instead; the first directive has already truncated the file, so the pair behaves like log alone, keep one
verb 4
management 127.0.0.1 12531 #management interface, handy for debugging; bound to localhost, but any local user can connect unless a password file is given as the third argument
topology subnet #subnet topology: clients and server share one /24 and each client uses a single address instead of a /30
script-security 3 #only needed when openvpn runs external scripts that receive passwords via the environment; nothing here does, so this can go
reneg-sec 0 #disables periodic data-channel key renegotiation (default 3600 s), so a long session keeps one key for its whole life
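Several of the directives above are either broken or weaker than they need to be: no key line, comp-lzo, reneg-sec 0, script-security 3 with no scripts, a management socket without a password file, log and log-append together, no tls-auth/tls-crypt and no tls-version-min. The function below is an added example, not part of the post: it checks a server.conf for exactly those points using plain text matches on the directive names documented in openvpn(8), ignoring commented-out lines and inline comments the way OpenVPN does. The two configurations in the test are constructed from the listing above.

```sh
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN 2.4 server.conf for the
# weak spots discussed in this section. Pure text matching on directive names as
# documented in openvpn(8); run it on the server against /etc/openvpn/server.conf.
set -eu

# active FILE -> the configuration with comment lines and inline comments removed
active() { sed -e 's/^[[:space:]]*[#;].*//' -e 's/[[:space:]][#;].*//' "$1"; }
# has DIRECTIVE FILE -> 0 if an active line starts with DIRECTIVE
has() { active "$2" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"; }
# val DIRECTIVE FILE -> first argument of the first active occurrence, or nothing
val() { active "$2" | awk -v d="$1" '$1 == d { print $2; exit }'; }
# nargs DIRECTIVE FILE -> number of arguments on the first active occurrence
nargs() { active "$2" | awk -v d="$1" '$1 == d { print NF - 1; exit }'; }

# lint_server_conf FILE -> one finding per line on stdout; exit 0 only if there are none
lint_server_conf() {
    f=$1
    {
    if has cert "$f" && ! has key "$f" && ! has pkcs12 "$f"; then
        echo "cert without key or pkcs12: openvpn will not start"
    fi
    if has comp-lzo "$f" || active "$f" | grep -Eq '^[[:space:]]*compress[[:space:]]+[a-z]'; then
        echo "compression enabled: deprecated, and compressed tunnels leak plaintext to an active attacker"
    fi
    if [ "$(val reneg-sec "$f")" = 0 ]; then
        echo "reneg-sec 0: data-channel keys are never renegotiated"
    fi
    case "$(val script-security "$f")" in
        [3-9])
            if ! active "$f" | grep -Eq '^[[:space:]]*(up|down|client-connect|client-disconnect|learn-address|auth-user-pass-verify|tls-verify)[[:space:]]'; then
                echo "script-security 3 with no script directives: remove it"
            fi ;;
    esac
    if ! has tls-auth "$f" && ! has tls-crypt "$f"; then
        echo "no tls-auth/tls-crypt: anyone who can reach the port can start a TLS handshake"
    fi
    if has management "$f" && [ "$(nargs management "$f")" -lt 3 ]; then
        echo "management interface without a password file"
    fi
    if has log "$f" && has log-append "$f"; then
        echo "both log and log-append given: keep one"
    fi
    if ! has tls-version-min "$f"; then
        echo "no tls-version-min: TLS 1.0 is still accepted"
    fi
    } | sed "s|^|$f: |" | awk '{ print } END { exit NR > 0 }'
}

# usage: sh lint-openvpn.sh /etc/openvpn/server.conf
if [ $# -eq 1 ]; then
    lint_server_conf "$1"
fi
```

The user/group check is deliberately left to the host (getent passwd openvpn), since whether the account exists cannot be read from the file. A clean run exits 0 and prints nothing, so the function drops straight into a deployment script.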

Firewall configuration

  • Enable IP forwarding (in /etc/sysctl.conf or a file under /etc/sysctl.d/, then apply it with sysctl -p):
net.ipv4.ip_forward = 1
  • Add the following to the iptables rules file (iptables-save format) and reload it:
*nat
:PREROUTING ACCEPT [4970304:316848500]
:INPUT ACCEPT [313688:18825076]
:OUTPUT ACCEPT [1264349:90633841]
:POSTROUTING ACCEPT [1264349:90633841]
# source-NAT the VPN subnet out through eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

This only rewrites the source address. The FORWARD chain keeps its default ACCEPT policy, so once forwarding is on, every VPN client can reach anything the server can route to, not only the hosts pushed to it in ccd/.
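To make the pushed routes the actual boundary rather than a hint, the FORWARD chain has to deny by default. The function below is an added example, not part of the post: it emits an iptables-restore file with the same MASQUERADE rule plus a FORWARD chain that admits new connections from 10.8.0.0/24 only to the destinations listed on the command line, lets replies back through and logs and drops the rest. eth0 as the uplink matches the post; tun0 as the tunnel device is an assumption (what dev tun creates on a host with no other tun interfaces); the destination addresses in the usage line and test are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): iptables-restore text that masquerades
# the VPN subnet like the post's rule and also restricts what clients may reach.
# Assumes eth0 is the uplink (as in the post) and tun0 is the tunnel device.
set -eu

# vpn_rules VPN_NET OUT_IF DEST...  -> complete iptables-restore input on stdout
#   DEST is a host or CIDR, optionally with ":proto:port", e.g. 192.0.2.0/24:tcp:443
vpn_rules() {
    net=$1 out=$2 tun=tun0
    shift 2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the clients opened, and related ICMP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # one ACCEPT per permitted destination; everything else falls through to the DROP policy
    for dest; do
        case $dest in
            *:*:*) match="-d ${dest%%:*} -p $(echo "$dest" | cut -d: -f2) --dport ${dest##*:}" ;;
            *)     match="-d $dest" ;;
        esac
        echo "-A FORWARD -i $tun -o $out -s $net $match -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# log (rate-limited) what the tunnel tried and was refused, then the policy drops it
-A FORWARD -i $tun -s $net -m limit --limit 10/min -j LOG --log-prefix "vpn-denied: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $out -j MASQUERADE
COMMIT
EOF
}

# usage: sh vpn-rules.sh 10.8.0.0/24 eth0 192.0.2.10 192.0.2.0/24:tcp:443 | iptables-restore
if [ $# -ge 2 ]; then
    vpn_rules "$@"
fi
```

Two things to settle before loading this: iptables-restore replaces the whole filter table, so merge the host's own INPUT rules (SSH, the OpenVPN port) into the *filter stanza first; and with push "redirect-gateway def1" still in server.conf the clients' general Internet traffic now hits the DROP policy, so either remove that push or list 0.0.0.0/0 as a destination on purpose.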

Starting and stopping the service

/etc/init.d/openvpn stop
/etc/init.d/openvpn start

The init script acts on every *.conf in /etc/openvpn (limited by AUTOSTART in /etc/default/openvpn); on systemd-based jessie the same instance is also reachable as the openvpn@<name> unit, where <name> is the .conf file's basename.

Server-side debugging

  • telnet to the management port
root@localhost:~# telnet 127.0.0.1 12531
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help #lists the available commands
status #shows the connected clients (common name, real address, bytes in/out) and the routing table with each client's virtual address
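The status command is the quickest way to see who is connected, but reading it by eye does not scale. The script below is an added example, not part of the post: it takes status output saved to a file (version-1 format, the layout the telnet session above returns and the one the status directive writes to openvpn-status.log) and compares the ROUTING TABLE against the ccd directory, reporting any connected common name that has no ifconfig-push entry or is sitting on an address other than the one assigned to it. The status text and ccd entries in the test are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): cross-check the management interface's
# "status" output (version 1: CLIENT LIST / ROUTING TABLE / GLOBAL STATS / END) against
# the client-config-dir. Assumes one ccd file per CN with an "ifconfig-push ADDR MASK"
# line, as set up earlier in this post.
set -eu

# check_status STATUS_FILE CCD_DIR -> one line per anomaly on stdout, exit 1 if any
check_status() {
    awk -F, -v ccd="$2" '
        /^ROUTING TABLE/ { in_rt = 1; next }      # rows: virtual address,CN,real address,last ref
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            addr = $1; cn = $2; want = ""
            file = ccd "/" cn
            # a missing ccd file makes getline return -1, so want stays empty
            while ((getline line < file) > 0) {
                split(line, w, /[ \t]+/)
                if (w[1] == "ifconfig-push") want = w[2]
            }
            close(file)
            if (want == "")        { print cn " (" addr "): no ifconfig-push in " file; bad++ }
            else if (want != addr) { print cn ": expected " want ", connected as " addr; bad++ }
        }
        END { exit bad > 0 }
    ' "$1"
}

# usage: save the output of "status" to a file, then: sh check-status.sh status.txt /etc/openvpn/ccd
if [ $# -eq 2 ]; then
    check_status "$@"
fi
```

A CN with no ccd entry is a certificate that was issued outside the provisioning steps above, or a file that was never created; an address mismatch usually means the ccd file was edited after the client connected, or the pool handed out an address that a ccd file also claims.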

Connecting from a client

OpenVPN GUI client

Install it as described on the official site.

OpenVPN command line on macOS

brew install openvpn
sudo openvpn <client-config>.ovpn   # run from the directory that holds the .ovpn together with ca.crt and the client's .crt and .key
