The previous article covered connecting to OpenVPN from Windows.
This one covers the OpenVPN client on Linux. The two are much the same: as long as the certificates are set up correctly on the server, the rest follows.
Straight to the commands. To keep the steps short, everything on the server side is done with scripts.
Lab environment:
    Public IP          Internal IP        Role
    192.168.121.159    -                  client
    192.168.121.160    192.168.122.253    server
First configure the EPEL repository; I use the Aliyun EPEL mirror.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
Then install the packages and run the configuration steps. The script below does it all on the server (run as root):
#!/bin/bash
yum clean all
yum makecache
# Install OpenVPN, the certificate tooling and expect (used to answer the prompts)
yum -y install openvpn
yum -y install easy-rsa
yum -y install expect

# Prepare the configuration files
echo "生成服务器配置文件"    # generate the server configuration file
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
echo "准备证书签发相关文件"    # prepare the certificate-issuing files
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
echo "准备签发证书相关变量的配置文件"    # prepare the vars file used when issuing certificates
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars
echo "初始化服务端PKI生成PKI相关目录和文件"    # initialise the server PKI directory tree
cd /etc/openvpn/easy-rsa-server/3
./easyrsa init-pki

echo "创建CA证书"    # create the CA certificate
# Interactive equivalent: ./easyrsa build-ca nopass
expect <<EOF
spawn ./easyrsa build-ca nopass
expect {
    "Easy-RSA" {send "\n"}
}
expect eof
EOF
cat pki/serial

echo "生成服务端证书"    # generate the server key and certificate request
# Interactive equivalent: ./easyrsa gen-req server nopass
expect <<EOF
spawn ./easyrsa gen-req server nopass
expect {
    "server" {send "\n"}
}
expect eof
EOF

echo "签发服务端证书"    # sign the server certificate with the CA
# Interactive equivalent: ./easyrsa sign server server
expect <<EOF
spawn ./easyrsa sign server server
expect {
    "*details:" {send "yes\n"}
}
expect eof
EOF

echo "创建 Diffie-Hellman 密钥"    # create the Diffie-Hellman parameters
./easyrsa gen-dh

# Write the server configuration (replaces the sample copied above)
cat > /etc/openvpn/server.conf <<EOF
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.122.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF

echo "添加防火墙"    # enable IP forwarding and NAT for the tunnel network
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
yum install iptables-services -y
systemctl disable --now firewalld
systemctl start iptables
iptables -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -vnL -t nat

# Copy the CA certificate, server certificate, key and DH parameters to the paths server.conf expects
mkdir -p /var/log/openvpn
mkdir -p /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/

echo "重启OpenVpn"    # (re)start OpenVPN
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server
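The server.conf written by the script above works, but before exposing port 1194 a defender would check a few directives: a tls-auth or tls-crypt key so that unauthenticated packets never reach the TLS stack, a crl-verify entry so revoked client certificates are rejected, an AEAD cipher instead of CBC, and no compression on the tunnel. The shell script below is an added example, not part of the original post: it lints a config text for those directives and shows a hardened variant next to the one written above. The function names (conf_get, check_ovpn_conf, finding_count) and the ta.key and crl.pem paths in the hardened variant are my assumptions, not files the script above creates.

```shell
#!/bin/sh
# Added example (not from the original post): lint an OpenVPN server.conf
# for directives a defender wants before exposing the port.
# Assumptions: POSIX sh with awk; the config is passed as a string.

# Constructed sample: the server.conf written by the script above, verbatim.
SAMPLE_CONF='port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.122.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20'

# Hardened variant (assumed paths for ta.key and crl.pem). ta.key is made once
# with "openvpn --genkey --secret ta.key" and copied to every client; crl.pem
# comes from "easyrsa gen-crl" on the CA machine.
HARDENED_CONF='port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
tls-crypt /etc/openvpn/certs/ta.key
crl-verify /etc/openvpn/certs/crl.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.122.0 255.255.255.0"
keepalive 10 120
cipher AES-256-GCM
user openvpn
group openvpn
verb 3'

# Value of the first occurrence of directive $2 in config text $1;
# comment lines starting with # or ; are ignored.
conf_get() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /^[[:space:]]*[#;]/ { next }
        $1 == d { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, ""); print; exit }'
}

# Print one finding per line; an empty output means every check passed.
check_ovpn_conf() {
    conf="$1"
    # Control channel: without tls-auth/tls-crypt every packet hitting the port
    # is handed to the TLS handshake code unauthenticated.
    [ -n "$(conf_get "$conf" tls-auth)" ] || [ -n "$(conf_get "$conf" tls-crypt)" ] \
        || echo "MISSING tls-auth/tls-crypt: control channel is not HMAC-protected"
    # Privilege drop after initialisation.
    [ -n "$(conf_get "$conf" user)" ] && [ -n "$(conf_get "$conf" group)" ] \
        || echo "MISSING user/group: daemon keeps root after init"
    # Revocation: without crl-verify a revoked client certificate still connects.
    [ -n "$(conf_get "$conf" crl-verify)" ] \
        || echo "MISSING crl-verify: revoked client certificates are still accepted"
    # Prefer an AEAD cipher over CBC.
    case "$(conf_get "$conf" cipher)" in
        *GCM*) ;;
        *) echo "WEAK cipher: prefer an AEAD cipher such as AES-256-GCM" ;;
    esac
    # Compression over an encrypted tunnel exposes a compression oracle.
    [ -z "$(conf_get "$conf" compress)" ] \
        || echo "RISKY compress: compression on the tunnel is discouraged"
}

# Number of findings for a config text.
finding_count() {
    check_ovpn_conf "$1" | wc -l | tr -d ' '
}

# Usage: the config from the post yields four findings, the hardened one none.
check_ovpn_conf "$SAMPLE_CONF"
```

The checks are string matches on the directives, not a full parser; they are meant to run in CI against the file the provisioning script writes, so a regression (someone dropping tls-crypt or re-enabling compression) fails the pipeline instead of going unnoticed.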
Generating a client's credentials and configuration on the server (script, run as root on the server):
#!/bin/bash
read -p "请输入用户的姓名拼音(如:yiyezhiqiu): " NAME
read -p "请输入VPN服务端的公网IP(如:192.168.121.160): " IP

echo "客户端证书环境"    # set up the client certificate environment
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/vars
cd /etc/openvpn/easy-rsa-client/3

echo "初始化pki证书目录"    # initialise the client PKI directory
# Interactive equivalent: ./easyrsa init-pki
expect <<EOF
spawn ./easyrsa init-pki
expect {
    "removal" {send "yes\n"}
}
expect eof
EOF

echo "生成客户端证书"    # generate the client key and certificate request
# Interactive equivalent: ./easyrsa gen-req ${NAME} nopass
expect <<EOF
spawn ./easyrsa gen-req ${NAME} nopass
expect {
    "${NAME}" {send "\n"}
}
expect eof
EOF

echo "将客户端证书同步到服务端"    # import the client request into the server CA
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}
echo "查看客户端证书"    # show the imported request (ls -l: the ll alias is not available in scripts)
ls -l pki/reqs/${NAME}.req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req

echo "签发客户端证书,请输入:yes"    # sign the client certificate
# Interactive equivalent: ./easyrsa sign client ${NAME}
expect <<EOF
spawn ./easyrsa sign client ${NAME}
expect {
    "*details" {send "yes\n"}
}
expect eof
EOF

echo "查看证书"    # inspect the CA database and the issued certificate
cat pki/index.txt
ls -l pki/certs_by_serial/
cat pki/issued/${NAME}.crt

echo "创建客户端配置文件"    # create the client configuration bundle
mkdir -p /etc/openvpn/client/${NAME}
cd /etc/openvpn/client/${NAME}
cat > /etc/openvpn/client/${NAME}/client.conf <<EOF
client
dev tun
proto tcp
remote ${IP} 1194
resolv-retry infinite
nobind
ca ca.crt
cert ${NAME}.crt
key ${NAME}.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF
cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key .
cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt .
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt .
echo "打包用户证书"    # bundle the client files (listed explicitly so the archive does not try to include itself)
tar -czvf ${NAME}.tar.gz ca.crt ${NAME}.crt ${NAME}.key client.conf

# Restart OpenVPN
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server
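The cat pki/index.txt step in the script above prints easy-rsa's certificate database, which is the record of who can still connect. When a user leaves, the matching certificate has to be revoked on the CA machine (./easyrsa revoke NAME followed by ./easyrsa gen-crl, then copy pki/crl.pem to the server and add a crl-verify line pointing at it to server.conf); without that the server keeps accepting the certificate until it expires. The script below is an added example, not from the original post: it parses an index.txt in the OpenSSL CA database format (here a constructed sample with invented serials, names and dates) and reports which certificates are valid, expired or revoked as of a supplied timestamp. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit easy-rsa's pki/index.txt.
# Assumption: index.txt is the OpenSSL CA database format, tab-separated:
#   status (V valid / R revoked / E expired), notAfter as YYMMDDHHMMSSZ,
#   revocation date (empty unless revoked), serial, filename, subject DN.

# Constructed sample index (serials, names and dates are invented).
SAMPLE_INDEX=$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    V 260101000000Z '' 01 unknown /CN=server \
    V 251115000000Z '' 02 unknown /CN=yiyezhiqiu \
    V 250120000000Z '' 03 unknown /CN=contractor \
    R 260101000000Z 250601120000Z 04 unknown /CN=olduser)

# Print "STATUS SERIAL CN EXPIRY" per certificate. A certificate still marked V
# whose notAfter lies before $2 (YYMMDDHHMMSSZ) is reported as EXPIRED, since
# easy-rsa only rewrites the status when "easyrsa update-db" is run.
# Same-century timestamps compare correctly as plain strings.
audit_index() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" '
        NF >= 6 {
            status = $1; expiry = $2; serial = $4; cn = $6
            sub(/^.*\/CN=/, "", cn)
            if (status == "V" && expiry < now) status = "EXPIRED"
            print status, serial, cn, expiry
        }'
}

# Serials the server still accepts: marked valid and not past notAfter.
active_serials() {
    audit_index "$1" "$2" | awk '$1 == "V" { print $2 }'
}

# CNs that must be present in the CRL handed to crl-verify.
revoked_cns() {
    audit_index "$1" "$2" | awk '$1 == "R" { print $3 }'
}

# CNs whose certificate has lapsed but is still recorded as V.
expired_cns() {
    audit_index "$1" "$2" | awk '$1 == "EXPIRED" { print $3 }'
}

# Usage with an invented "now" of 2025-10-01 00:00:00 UTC.
audit_index "$SAMPLE_INDEX" 251001000000Z
```

Run against the real file (audit_index "$(cat /etc/openvpn/easy-rsa-server/3/pki/index.txt)" "$(date -u +%y%m%d%H%M%SZ)") the output is a quick inventory to reconcile with the user list; a name in the V rows that no longer belongs to a current user is the cue to revoke and regenerate the CRL.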
Now the client. The client configuration is simple and has only a few steps, so there is no script; the commands are shown so you can follow along.
The EPEL repository is needed here too.
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
Then install openvpn.
yum install openvpn -y
Copy over the credential bundle packed on the server; substitute your own IP here.
scp 192.168.121.160:/etc/openvpn/client/yiyezhiqiu/yiyezhiqiu.tar.gz /etc/openvpn/
Extract the credential bundle.
tar -xf /etc/openvpn/yiyezhiqiu.tar.gz -C /etc/openvpn/
Now OpenVPN can be started.
systemctl start openvpn@client
systemctl enable openvpn@client
Check the startup log: everything is normal.
Test the connection: ping works, and SSH works too.
That is all it takes to get an OpenVPN connection working.
Copyright belongs to the original author aa一叶知秋aa. If there is any infringement, please contact us for removal.