OpenVPN的部署连接(linux客户端版),附脚本操作

aa一叶知秋aa2024-03-13 18:04

上一篇文章为window的openvpn连接方式
本次为linux的openvpn连接方式,其实都差不多只要在服务器把证书弄好就可以了

直接上操作,简化操作步骤,服务端的操作全为脚本

实验环境

公网ip 内网ip 服务类型
192.168.121.159 客户端
192.168.121.160 192.168.122.253 服务端

首先需要配置好epel源,我是使用的是阿里云的epel源

bash 复制代码 
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后安装对应软件包,并执行相关配置操作

bash 复制代码 
#! /bin/bash

yum clean all
yum makecache
#然后安装openvpn和制作证书工具
yum -y install openvpn
yum -y install easy-rsa
yum -y install expect
# 准备相关配置文件
echo "生成服务器配置文件"
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/

echo "准备证书签发相关文件"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server

echo "准备签发证书相关变量的配置文件"
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars


echo "初始化服务端PKI生成PKI相关目录和文件"
cd /etc/openvpn/easy-rsa-server/3
./easyrsa init-pki

echo "创建CA证书"
# ./easyrsa build-ca nopass

expect <<EOF

spawn ./easyrsa build-ca nopass

expect {
    "Easy-RSA" {send "\n"}
}

expect eof

EOF

cat pki/serial 

echo "生成服务端证书"
# ./easyrsa gen-req server nopass

expect <<EOF
spawn ./easyrsa gen-req server nopass 

expect {
    "server" {send "\n"}
}
expect eof
EOF


echo "签发服务端证书"
# ./easyrsa sign server server

expect <<EOF
spawn ./easyrsa sign server server 

expect {
    "*details:" {send "yes\n"}
}
expect eof
EOF

echo "创建 Diffie-Hellman 密钥"
./easyrsa gen-dh

cat > /etc/openvpn/server.conf <<EOF
port 1194
proto tcp
dev tun
ca  /etc/openvpn/certs/ca.crt
cert  /etc/openvpn/certs/server.crt
key  /etc/openvpn/certs/server.key  # This file should be kept secret
dh  /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.122.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status  /var/log/openvpn/openvpn-status.log
log-append   /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF

echo "添加防火墙"
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
yum install iptables-services -y
systemctl disable --now firewalld
systemctl start iptables
iptables -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -vnL -t nat

mkdir -p /var/log/openvpn

mkdir -p /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/

echo "重启OpenVpn"
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

服务端配置客户端的对应设置

bash 复制代码 
#! /bin/bash

read -p "请输入用户的姓名拼音(如:${NAME}): " NAME
read -p "请输入VPN服务端的公网IP(如:${IP}): " IP

echo "客户端证书环境"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/varsa
cd /etc/openvpn/easy-rsa-client/3

echo "初始化pki证书目录"
# ./easyrsa init-pki

expect << EOF
spawn ./easyrsa init-pki 
expect {
    "removal" {send "yes\n"}
}
expect eof
EOF

echo "生成客户端证书"
# ./easyrsa gen-req ${NAME} nopass

expect << EOF
spawn ./easyrsa gen-req ${NAME} nopass 

expect {
    "${NAME}" {send "\n"}
}

expect eof
EOF

echo "将客户端证书同步到服务端"
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}

echo "查看客户端证书"
ll pki/reqs/${NAME}.req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req 

echo "签发客户端证书,请输入:yes"
# ./easyrsa sign client ${NAME}

expect << EOF
spawn ./easyrsa sign client ${NAME} 

expect {    
	"*details" {send "yes\n"}
}

expect eof
EOF

echo "查看证书"
cat pki/index.txt
ll pki/certs_by_serial/
cat pki/issued/${NAME}.crt 

echo "创建客户端配置文件"
mkdir -p /etc/openvpn/client/${NAME}
cd /etc/openvpn/client/${NAME}
cat > /etc/openvpn/client/${NAME}/client.conf <<EOF
client
dev tun
proto tcp
remote ${IP} 1194
resolv-retry infinite
nobind
ca ca.crt
cert ${NAME}.crt
key ${NAME}.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF

cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key .
cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt .
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt .

echo "打包用户证书"
tar -czvf ${NAME}.tar.gz ./
#重启OpenVpn
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

然后到客户端的配置,客户端的配置就比较简单了,步骤很少,就不用脚本了,给大家操作了解一下

epel源也是需要的

bash 复制代码 
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后下载openvpn

bash 复制代码 
yum install openvpn -y

将服务端打包好的认证文件拷贝过来,这里大家对应自己的ip来修改

bash 复制代码 
scp 192.168.121.160:/etc/openvpn/client/yiyezhiqiu/yiyezhiqiu.tar.gz /etc/openvpn/

解压认证包文件

bash 复制代码 
tar -xf /etc/openvpn/yiyezhiqiu.tar.gz -C /etc/openvpn/

然后就可以启动openven了

bash 复制代码 
systemctl start openvpn@client
systemctl enable openvpn@client

查看启动日志一切正常

检测连接情况,ping没问题,ssh连接也可以
这样openvpn连接就可以了

相关推荐
##echo23 分钟前
嵌入式Linux裸机开发笔记9(IMX6ULL)GPIO 中断实验(1)
linux·c语言·笔记·单片机·嵌入式硬件
Reggie_L30 分钟前
RabbiteMQ安装-ubuntu
linux·ubuntu·ruby
AIGC_北苏1 小时前
让UV管理一切!!!
linux·人工智能·uv
YCY^v^3 小时前
centos 7 开启80,443端口,怎么弄?
linux·运维·centos
北南京海3 小时前
[Linux]进程地址空间
linux·运维·服务器
yzx9910134 小时前
服务器生成图片
运维·服务器
db_murphy5 小时前
Oracle数据块8KB、OS默认认块管理4KB,是否需调整大小为一致?
linux
liulilittle6 小时前
C++ TAP(基于任务的异步编程模式)
服务器·开发语言·网络·c++·分布式·任务·tap
小阳睡不醒8 小时前
小白成长之路-部署Zabbix7(二)
android·运维
mCell8 小时前
从删库到跑路?这50个Linux命令能保你职业生涯
linux·windows·macos
热门推荐
01Qwen3-Coder 快速上手教程 | Qwen Code + Claude Code02vue数据变化但页面不变03全球最强模型Grok4,国内已可免费使用!(附教程)04KGG转MP3工具|非KGM文件|解密音频05扣子开源本地部署教程 丨Coze智能体小白喂饭级指南06sqli-labs 靶场 less-8、9、10 第八关到第十关详解:布尔注入,时间注入07干翻 Typora!MilkUp:完全免费的桌面端 Markdown 编辑器!08【2025.7.18】更新vscode后所有.vue文件template标签后报红的临时解决办法,Vue - Official 插件3.0.2导致09Coze 开源了,送上保姆级私有化部署方案【建议收藏】10Claude Code用不了?来试下Qwen3-Coder加持的Qwen Code吧