OpenVPN的部署连接(linux客户端版),附脚本操作

上一篇文章为window的openvpn连接方式
本次为linux的openvpn连接方式,其实都差不多只要在服务器把证书弄好就可以了

直接上操作,简化操作步骤,服务端的操作全为脚本

实验环境

公网ip 内网ip 服务类型
192.168.121.159 客户端
192.168.121.160 192.168.122.253 服务端

首先需要配置好epel源,我是使用的是阿里云的epel源

bash 复制代码
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后安装对应软件包,并执行相关配置操作

bash 复制代码
#! /bin/bash

yum clean all
yum makecache
#然后安装openvpn和制作证书工具
yum -y install openvpn
yum -y install easy-rsa
yum -y install expect
# 准备相关配置文件
echo "生成服务器配置文件"
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/

echo "准备证书签发相关文件"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server

echo "准备签发证书相关变量的配置文件"
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars


echo "初始化服务端PKI生成PKI相关目录和文件"
cd /etc/openvpn/easy-rsa-server/3
./easyrsa init-pki

echo "创建CA证书"
# ./easyrsa build-ca nopass

expect <<EOF

spawn ./easyrsa build-ca nopass

expect {
    "Easy-RSA" {send "\n"}
}

expect eof

EOF

cat pki/serial 

echo "生成服务端证书"
# ./easyrsa gen-req server nopass

expect <<EOF
spawn ./easyrsa gen-req server nopass 

expect {
    "server" {send "\n"}
}
expect eof
EOF


echo "签发服务端证书"
# ./easyrsa sign server server

expect <<EOF
spawn ./easyrsa sign server server 

expect {
    "*details:" {send "yes\n"}
}
expect eof
EOF

echo "创建 Diffie-Hellman 密钥"
./easyrsa gen-dh

cat > /etc/openvpn/server.conf <<EOF
port 1194
proto tcp
dev tun
ca  /etc/openvpn/certs/ca.crt
cert  /etc/openvpn/certs/server.crt
key  /etc/openvpn/certs/server.key  # This file should be kept secret
dh  /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.122.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status  /var/log/openvpn/openvpn-status.log
log-append   /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF

echo "添加防火墙"
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
yum install iptables-services -y
systemctl disable --now firewalld
systemctl start iptables
iptables -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -vnL -t nat

mkdir -p /var/log/openvpn

mkdir -p /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/

echo "重启OpenVpn"
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

服务端配置客户端的对应设置

bash 复制代码
#! /bin/bash

read -p "请输入用户的姓名拼音(如:${NAME}): " NAME
read -p "请输入VPN服务端的公网IP(如:${IP}): " IP

echo "客户端证书环境"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/varsa
cd /etc/openvpn/easy-rsa-client/3

echo "初始化pki证书目录"
# ./easyrsa init-pki

expect << EOF
spawn ./easyrsa init-pki 
expect {
    "removal" {send "yes\n"}
}
expect eof
EOF

echo "生成客户端证书"
# ./easyrsa gen-req ${NAME} nopass

expect << EOF
spawn ./easyrsa gen-req ${NAME} nopass 

expect {
    "${NAME}" {send "\n"}
}

expect eof
EOF

echo "将客户端证书同步到服务端"
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}

echo "查看客户端证书"
ll pki/reqs/${NAME}.req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req 

echo "签发客户端证书,请输入:yes"
# ./easyrsa sign client ${NAME}

expect << EOF
spawn ./easyrsa sign client ${NAME} 

expect {    
	"*details" {send "yes\n"}
}

expect eof
EOF

echo "查看证书"
cat pki/index.txt
ll pki/certs_by_serial/
cat pki/issued/${NAME}.crt 

echo "创建客户端配置文件"
mkdir -p /etc/openvpn/client/${NAME}
cd /etc/openvpn/client/${NAME}
cat > /etc/openvpn/client/${NAME}/client.conf <<EOF
client
dev tun
proto tcp
remote ${IP} 1194
resolv-retry infinite
nobind
ca ca.crt
cert ${NAME}.crt
key ${NAME}.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF

cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key .
cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt .
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt .

echo "打包用户证书"
tar -czvf ${NAME}.tar.gz ./
#重启OpenVpn
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

然后到客户端的配置,客户端的配置就比较简单了,步骤很少,就不用脚本了,给大家操作了解一下

epel源也是需要的

bash 复制代码
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后下载openvpn

bash 复制代码
yum install openvpn -y

将服务端打包好的认证文件拷贝过来,这里大家对应自己的ip来修改

bash 复制代码
scp 192.168.121.160:/etc/openvpn/client/yiyezhiqiu/yiyezhiqiu.tar.gz /etc/openvpn/

解压认证包文件

bash 复制代码
tar -xf /etc/openvpn/yiyezhiqiu.tar.gz -C /etc/openvpn/

然后就可以启动openven了

bash 复制代码
systemctl start openvpn@client
systemctl enable openvpn@client

查看启动日志一切正常

检测连接情况,ping没问题,ssh连接也可以
这样openvpn连接就可以了

相关推荐
xuanzdhc44 分钟前
Linux 基础IO
linux·运维·服务器
愚润求学1 小时前
【Linux】网络基础
linux·运维·网络
bantinghy1 小时前
Linux进程单例模式运行
linux·服务器·单例模式
小和尚同志2 小时前
29.4k!使用 1Panel 来管理你的服务器吧
linux·运维
帽儿山的枪手2 小时前
为什么Linux需要3种NAT地址转换?一探究竟
linux·网络协议·安全
shadon1789 天前
回答 如何通过inode client的SSLVPN登录之后,访问需要通过域名才能打开的服务
linux
AWS官方合作商9 天前
AWS ACM 重磅上线:公有 SSL/TLS 证书现可导出,突破 AWS 边界! (突出新功能的重要性和突破性)
服务器·https·ssl·aws
小米里的大麦9 天前
014 Linux 2.6内核进程调度队列(了解)
linux·运维·驱动开发
程序员的世界你不懂9 天前
Appium+python自动化(三十)yaml配置数据隔离
运维·appium·自动化
算法练习生9 天前
Linux文件元信息完全指南:权限、链接与时间属性
linux·运维·服务器