软件下载(下载后请核对官方发布的校验和或签名再使用,尤其是通过 http 明文获取的 lzo 与 checkpsw.sh)
服务端及组件(注意:OpenSSL 1.0.2 系列已停止维护,新部署应选用仍在支持周期内的版本):
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.2/EasyRSA-3.0.2.tgz
wget http://openvpn.se/files/other/checkpsw.sh
客户端程序:
https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.17-I601-x86_64.exe
安装依赖组件
[root@WEB1 ~]# tar zxvf lzo-2.10.tar.gz
[root@WEB1 ~]# mkdir /usr/local/lzo
[root@WEB1 ~]# cd lzo-2.10; mkdir bld; cd bld
[root@WEB1 bld]# ../configure --prefix=/usr/local/lzo && make
[root@WEB1 bld]# make check && make test && make install
[root@WEB1 ~]# echo '/usr/local/lzo/lib' >> /etc/ld.so.conf.d/local.conf && ldconfig
[root@WEB1 ~]# ln -s /usr/local/lzo/include/lzo/ /usr/include/
[root@WEB1 ~]# yum -y install zlib-devel
[root@WEB1 ~]# tar zxvf openssl-1.0.2l.tar.gz
[root@WEB1 ~]# mkdir /usr/local/openssl
[root@WEB1 ~]# cd openssl-1.0.2l
[root@WEB1 openssl-1.0.2l]# ./config --prefix=/usr/local/openssl shared zlib-dynamic
[root@WEB1 openssl-1.0.2l]# make && make test && make install
[root@WEB1 ~]# chown -R root:nginx /usr/local/openssl
[root@WEB1 ~]# echo '/usr/local/openssl/lib' >> /etc/ld.so.conf.d/local.conf && ldconfig
[root@WEB1 ~]# ln -s /usr/local/openssl/include/openssl/ /usr/include/
[root@WEB1 ~]# modinfo tun; modprobe tun; lsmod | grep tun
[root@WEB1 ~]# sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf; sysctl -p
[root@WEB1 ~]# cat /proc/sys/net/ipv4/ip_forward
创建程序目录
| 执行命令 | 目录说明 |
|---|---|
| groupadd openvpn | 程序安装目录:/usr/local/openvpn 配置文件目录:/usr/local/openvpn/config 日志文件目录:/data/openvpn/var 运行文件目录:/data/ocserv/run |
编译安装(注意:下面把自编译的 OpenSSL 库软链接到 /usr/lib64 会覆盖系统 OpenSSL,影响 yum、ssh 等所有依赖程序;前面已写入 ld.so.conf.d 且 configure 通过 LDFLAGS 指定了库路径,通常可以省略该步)
[root@WEB1 ~]# yum -y install pam-devel
[root@WEB1 ~]# ln -s /usr/local/openssl/lib/lib* /usr/lib64/
[root@WEB1 ~]# tar zxvf openvpn-2.4.3.tar.gz
[root@WEB1 ~]# cd openvpn-2.4.3; mkdir bld; cd bld
[root@WEB1 bld]# ../configure --prefix=/usr/local/openvpn \
CPPFLAGS="-I/usr/local/lzo/include -I/usr/local/openssl/include" \
LDFLAGS="-L/usr/local/lzo/lib -L/usr/local/openssl/lib"
[root@WEB1 bld]# make && make check && make install
[root@WEB1 bld]# cp ../sample/sample-config-files/server.conf /usr/local/openvpn/config/
编译检查:执行 make check 时出错
解决方法:开启防火墙的UDP协议进出2个方向,测试完成后可以关闭
证书配置(注意:前面下载的是 EasyRSA-3.0.2,而本节命令基于 EasyRSA 2.x 的 vars 与 build-* 脚本,EasyRSA 3 改用 ./easyrsa 子命令,两者不能混用,请以实际解压的版本为准)
[root@WEB1 ~]# tar zxvf EasyRSA-2.2.2.tgz
[root@WEB1 ~]# cd EasyRSA-2.2.2
[root@WEB1 EasyRSA-2.2.2]# vim vars
#---根证书配置文件---
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_REQ_COUNTRY "AU"
set_var EASYRSA_REQ_PROVINCE "New South Wales"
set_var EASYRSA_REQ_CITY "Sydney"
set_var EASYRSA_REQ_ORG "desenpast.com"
set_var EASYRSA_REQ_EMAIL "wsh11080329@qq.com"
set_var EASYRSA_REQ_OU "desenpast.com"
export KEY_NAME="desenpast.com"
[root@WEB1 EasyRSA-2.2.2]# source ./vars
[root@WEB1 EasyRSA-2.2.2]# ./clean-all
#---生成CA证书和密钥---
[root@WEB1 EasyRSA-2.2.2]# ./build-ca
#---生成服务器证书和密钥---
[root@WEB1 EasyRSA-2.2.2]# ./build-key-server server
#---生成客户端证书和密钥---
[root@WEB1 EasyRSA-2.2.2]# ./build-key client
#---生成迪菲·赫尔曼(DH)交换参数;文件名称为dh.pem(服务端配置中引用的是 dh2048.pem,以实际生成的文件名为准)---
[root@WEB1 EasyRSA-2.2.2]# ./build-dh
#---生成tls-auth所需的密钥文件---
[root@WEB1 EasyRSA-2.2.2]# openvpn --genkey --secret keys/ta.key
[root@WEB1 EasyRSA-2.2.2]# cp -r keys $OPENVPN_HOME/
权限及变量
[root@WEB1 ~]# vim /etc/profile
export PATH=$PATH:/usr/local/openvpn/sbin
export OPENVPN_HOME=/usr/local/openvpn
#---配置OpenVPN服务端---(安全提示:client-cert-not-required 在 2.4 中已被 verify-client-cert none 取代;auth-user-pass-verify 的 via-env 方式会把用户口令放入脚本的环境变量,仅适合可信脚本并且需要 script-security 3;comp-lzo 压缩存在 VORACLE 一类的风险,非必要建议关闭)
[root@WEB1 ~]# vim $OPENVPN_HOME/config/server.conf
local 0.0.0.0
port 31194
proto tcp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key
dh /usr/local/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /data/openvpn/ipp.txt
#Twitter
push "route 104.244.40.0 255.255.240.0"
#FaceBook
push "route 31.13.0.0 255.255.0.0"
push "route 157.240.0.0 255.255.0.0"
#Akamai
push "route 23.72.0.0 255.248.0.0"
push "route 125.56.128.0 255.255.128.0"
#Amazon
push "route 52.48.0.0 255.252.0.0"
#Youtube
push "route 74.125.0.0 255.255.0.0"
push "route 173.194.0.0 255.255.0.0"
#Google
push "route 172.217.0.0 255.255.0.0"
push "route 203.208.0.0 255.255.0.0"
push "route 216.58.0.0 255.255.0.0"
push "route 216.239.0.0 255.255.0.0"
#Korea Telecom
push "route 59.0.0.0 255.224.0.0"
#查询IP所属https://www.speedguide.net/ip/
push "dhcp-option DNS 100.100.2.138"
push "dhcp-option DNS 100.100.2.136"
;client-to-client
;duplicate-cn
keepalive 10 120
tls-auth /usr/local/openvpn/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 10
user openvpn
group openvpn
persist-key
persist-tun
status /data/openvpn/var/openvpn-status.log
log-append /data/openvpn/var/openvpn.log
verb 3
client-cert-not-required
username-as-common-name
# 使用认证脚本及密码文件进行用户认证
auth-user-pass-verify /usr/local/openvpn/config/checkpsw.sh via-env
script-security 3
# 使用PAM进行用户认证(进程较多且调用root权限)
;plugin /usr/local/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
#---设置应用目录及数据目录权限---
[root@WEB1 ~]# chown -R root:openvpn /usr/local/lzo/ /usr/local/openvpn
[root@WEB1 ~]# chmod -R o-rx /usr/local/lzo/ /usr/local/openvpn
[root@WEB1 ~]# chmod -R g+r /usr/local/lzo/ /usr/local/openvpn
[root@WEB1 ~]# chown -R openvpn:openvpn /data/openvpn
[root@WEB1 ~]# chmod g+x /usr/local/openvpn/config/checkpsw.sh
#说明:密码文件格式为“用户名 密码”,写在同一行上。该文件保存的是明文口令,应只允许 root 与 openvpn 组读取(如 chmod 640),不要放在其他用户可读的目录中。
设置开机启动
[root@WEB1 ~]# vim /etc/systemd/system/openvpn.service
[Unit]
Description=OpenVPN server
Documentation=man:openvpn(8)
After=network-online.target
After=dbus.service

[Service]
Type=forking
PrivateTmp=true
PIDFile=/data/openvpn/run/openvpn.pid
ExecStart=/usr/local/openvpn/sbin/openvpn --cd /usr/local/openvpn/config --daemon --config server.conf --writepid /data/openvpn/run/openvpn.pid
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -QUIT $MAINPID

[Install]
WantedBy=multi-user.target
#---添加到开机启动项---
[root@WEB1 ~]# systemctl daemon-reload
[root@WEB1 ~]# systemctl enable openvpn.service
#---查看日志及状态---
[root@WEB1 ~]# systemctl status openvpn
#---防火墙开启NAT---(注意:下面把 FORWARD 默认策略改为 ACCEPT 会放行本机所有转发流量,生产环境应保留默认 DROP,只放行 tun 接口与 eth0 之间的转发)
[root@WEB1 ~]# iptables -P FORWARD ACCEPT
[root@WEB1 ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@WEB1 ~]# iptables -t nat -A POSTROUTING -s 172.25.254.29/32 -o eth0 -j MASQUERADE
[root@WEB1 ~]# iptables -t nat -nvL
[root@WEB1 ~]# service iptables save
OpenVPN客户端
- 安装openvpn-install-2.3.17-I601-x86_64.exe程序;
- 下载生成的client证书和密钥、CA证书、TLS-AUTH密钥,保存到OpenVPN\config目录中;
- 更改OpenVPN\config\client.ovpn配置文件,可以从OpenVPN\sample-config目录中复制;
client
dev tun
proto tcp
remote 172.25.254.29 31194
resolv-retry 60
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
#---使用用户密码认证---
auth-user-pass
ns-cert-type server
- 打开OpenVPN程序,输入用户名和密码。
问题汇总
问题描述:部分网络可能受限,无法进行TLS协商
解决方法:当 OpenVPN 连接受限或因其它原因无法使用时,可改用 OpenConnect Server 搭建 VPN 服务。
怎么评论了还看不到开机启动操作
由于后台版本升级导致旧的函数失效,已将失效函数相关的文章更新过了、不需要回复即可查看。
谢谢留言!
学习学习!
不错不错,感谢感谢!
写的不错,感谢
写的非常好!
这个是使用源码的方式去安装配置OpenVPN的教程?
写的很不错