OpenVPN的部署连接(linux客户端版),附脚本操作

aa一叶知秋aa2024-03-13 18:04

上一篇文章为window的openvpn连接方式
本次为linux的openvpn连接方式,其实都差不多只要在服务器把证书弄好就可以了

直接上操作,简化操作步骤,服务端的操作全为脚本

实验环境

公网ip 内网ip 服务类型
192.168.121.159 客户端
192.168.121.160 192.168.122.253 服务端

首先需要配置好epel源,我是使用的是阿里云的epel源

bash 复制代码 
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后安装对应软件包,并执行相关配置操作

bash 复制代码 
#! /bin/bash

yum clean all
yum makecache
#然后安装openvpn和制作证书工具
yum -y install openvpn
yum -y install easy-rsa
yum -y install expect
# 准备相关配置文件
echo "生成服务器配置文件"
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/

echo "准备证书签发相关文件"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server

echo "准备签发证书相关变量的配置文件"
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars


echo "初始化服务端PKI生成PKI相关目录和文件"
cd /etc/openvpn/easy-rsa-server/3
./easyrsa init-pki

echo "创建CA证书"
# ./easyrsa build-ca nopass

expect <<EOF

spawn ./easyrsa build-ca nopass

expect {
    "Easy-RSA" {send "\n"}
}

expect eof

EOF

cat pki/serial 

echo "生成服务端证书"
# ./easyrsa gen-req server nopass

expect <<EOF
spawn ./easyrsa gen-req server nopass 

expect {
    "server" {send "\n"}
}
expect eof
EOF


echo "签发服务端证书"
# ./easyrsa sign server server

expect <<EOF
spawn ./easyrsa sign server server 

expect {
    "*details:" {send "yes\n"}
}
expect eof
EOF

echo "创建 Diffie-Hellman 密钥"
./easyrsa gen-dh

cat > /etc/openvpn/server.conf <<EOF
port 1194
proto tcp
dev tun
ca  /etc/openvpn/certs/ca.crt
cert  /etc/openvpn/certs/server.crt
key  /etc/openvpn/certs/server.key  # This file should be kept secret
dh  /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.122.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status  /var/log/openvpn/openvpn-status.log
log-append   /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF

echo "添加防火墙"
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
yum install iptables-services -y
systemctl disable --now firewalld
systemctl start iptables
iptables -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -vnL -t nat

mkdir -p /var/log/openvpn

mkdir -p /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/

echo "重启OpenVpn"
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

服务端配置客户端的对应设置

bash 复制代码 
#! /bin/bash

read -p "请输入用户的姓名拼音(如:${NAME}): " NAME
read -p "请输入VPN服务端的公网IP(如:${IP}): " IP

echo "客户端证书环境"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/varsa
cd /etc/openvpn/easy-rsa-client/3

echo "初始化pki证书目录"
# ./easyrsa init-pki

expect << EOF
spawn ./easyrsa init-pki 
expect {
    "removal" {send "yes\n"}
}
expect eof
EOF

echo "生成客户端证书"
# ./easyrsa gen-req ${NAME} nopass

expect << EOF
spawn ./easyrsa gen-req ${NAME} nopass 

expect {
    "${NAME}" {send "\n"}
}

expect eof
EOF

echo "将客户端证书同步到服务端"
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}

echo "查看客户端证书"
ll pki/reqs/${NAME}.req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req 

echo "签发客户端证书,请输入:yes"
# ./easyrsa sign client ${NAME}

expect << EOF
spawn ./easyrsa sign client ${NAME} 

expect {    
	"*details" {send "yes\n"}
}

expect eof
EOF

echo "查看证书"
cat pki/index.txt
ll pki/certs_by_serial/
cat pki/issued/${NAME}.crt 

echo "创建客户端配置文件"
mkdir -p /etc/openvpn/client/${NAME}
cd /etc/openvpn/client/${NAME}
cat > /etc/openvpn/client/${NAME}/client.conf <<EOF
client
dev tun
proto tcp
remote ${IP} 1194
resolv-retry infinite
nobind
ca ca.crt
cert ${NAME}.crt
key ${NAME}.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF

cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key .
cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt .
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt .

echo "打包用户证书"
tar -czvf ${NAME}.tar.gz ./
#重启OpenVpn
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

然后到客户端的配置,客户端的配置就比较简单了,步骤很少,就不用脚本了,给大家操作了解一下

epel源也是需要的

bash 复制代码 
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

然后下载openvpn

bash 复制代码 
yum install openvpn -y

将服务端打包好的认证文件拷贝过来,这里大家对应自己的ip来修改

bash 复制代码 
scp 192.168.121.160:/etc/openvpn/client/yiyezhiqiu/yiyezhiqiu.tar.gz /etc/openvpn/

解压认证包文件

bash 复制代码 
tar -xf /etc/openvpn/yiyezhiqiu.tar.gz -C /etc/openvpn/

然后就可以启动openven了

bash 复制代码 
systemctl start openvpn@client
systemctl enable openvpn@client

查看启动日志一切正常

检测连接情况,ping没问题,ssh连接也可以
这样openvpn连接就可以了

相关推荐
2401_857610036 分钟前
SpringBoot实现:校园资料分享平台开发指南
服务器·spring boot·php
C++忠实粉丝1 小时前
Linux环境基础开发工具使用(2)
linux·运维·服务器
康熙38bdc1 小时前
Linux 环境变量
linux·运维·服务器
存储服务专家StorageExpert1 小时前
DELL SC compellent存储的四种访问方式
运维·服务器·存储维护·emc存储
hakesashou2 小时前
python如何比较字符串
linux·开发语言·python
Ljubim.te2 小时前
Linux基于CentOS学习【进程状态】【进程优先级】【调度与切换】【进程挂起】【进程饥饿】
linux·学习·centos
cooldream20092 小时前
Linux性能调优技巧
linux
大G哥2 小时前
记一次K8S 环境应用nginx stable-alpine 解析内部域名失败排查思路
运维·nginx·云原生·容器·kubernetes
长天一色2 小时前
【ECMAScript 从入门到进阶教程】第三部分:高级主题(高级函数与范式,元编程,正则表达式,性能优化)
服务器·开发语言·前端·javascript·性能优化·ecmascript
醉颜凉3 小时前
银河麒麟桌面操作系统修改默认Shell为Bash
运维·服务器·开发语言·bash·kylin·国产化·银河麒麟操作系统
热门推荐
01分享几个惊艳的 Three.js 个人站点02【经验分享】Ubuntu22.04安装微信(linux官方版)032024年高教社杯数学建模国赛C题超详细解题思路分析04组基轨迹建模 GBTM的介绍与实现(Stata 或 R)05安卓系列机型永久去除data分区加密 详细步骤解析06【2024数模国赛赛题思路公开】国赛B题思路丨附可运行代码丨无偿自提07CTF网络安全大赛简单的web抓包题目:HEADache08Ubuntu24.04安装中文输入法09【2024高教社杯全国大学生数学建模竞赛】B题 生产过程中的决策问题——解题思路 代码 论文10springer 在线投稿编译踩坑