Deploying OpenVPN on an Alibaba Cloud ECS server
A build procedure for OpenVPN that I wrote a while ago, recorded here for reference.
OS
CentOS 7.x
Install
yum install -y openvpn easy-rsa
Server configuration
Configuration files
cp -a /usr/share/easy-rsa /etc/openvpn/
Edit vars
cd /etc/openvpn/easy-rsa/2.0
vi vars
Edit the following entries:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="Admin"
export KEY_EMAIL="admin@admin.cn"
export KEY_OU="IT"
Generate certificates
cd /etc/openvpn/easy-rsa/2.0
ln -s openssl-1.0.0.cnf openssl.cnf
source ./vars
source ./clean-all
./build-ca
./build-key-server aliyunvpn
./build-key aliyunuser
./build-dh
Configuration files
cp -a /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
cp -a /etc/openvpn/easy-rsa/2.0/keys/aliyunvpn.crt /etc/openvpn/
cp -a /etc/openvpn/easy-rsa/2.0/keys/aliyunvpn.key /etc/openvpn/
cp -a /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf /etc/openvpn/
server.conf contents
port 1194
proto udp
dev tun
ca ca.crt
cert aliyunvpn.crt
key aliyunvpn.key # This file should be kept secret
;plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
;client-cert-not-required
;username-as-common-name
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.240.0.0"
push "dhcp-option DNS 223.5.5.5"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
Enable forwarding
vi /etc/sysctl.conf and add:
net.ipv4.ip_forward = 1
Apply it:
sysctl -p
Add firewalld policy
# start the firewall
systemctl start firewalld
firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
Add the systemd service and start it
systemctl enable openvpn@server.service
systemctl start openvpn@server.service
Alibaba Cloud security group
Add a rule allowing inbound access to UDP port 1194.
Client configuration (Linux as the example)
Install openvpn
Copy the following files from the server into the client's config directory
aliyunuser.crt
aliyunuser.key
ca.crt
aliyun.ovpn configuration
client
dev tun
proto udp
remote remote ip or domain
port 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/config/ca.crt
cert /etc/openvpn/config/aliyunuser.crt
key /etc/openvpn/config/aliyunuser.key
ns-cert-type server
route-delay 2
comp-lzo
verb 3
Start command
openvpn --config /etc/openvpn/config/aliyun.ovpn
Appendix: PAM and password authentication
Copy openvpn-plugin-auth-pam.so into the openvpn directory
cp -a /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/openvpn/
Create the openvpn file in /etc/pam.d/
cat /etc/pam.d/openvpn
auth required pam_unix.so shadow nodelay
account required pam_unix.so
Edit /etc/openvpn/server.conf and add the following
plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
Create an account
useradd aliyunuser -s /sbin/nologin
passwd aliyunuser
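As an added example (not code from the original post), a small shell script that reads the version-1 status file written by the `status /var/log/openvpn-status.log` line in server.conf and lists each session with its virtual address. With the PAM setup above and username-as-common-name, the common name is the Unix account, so one name with several live sessions usually means a shared password. The sample status file below is constructed.

```shell
#!/bin/sh
# Summarise who is connected to the OpenVPN server from the status file
# that server.conf writes (status /var/log/openvpn-status.log, version 1
# format). With username-as-common-name, "Common Name" is the PAM user.

# Constructed sample of a version-1 status file (not a real capture).
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
aliyunuser,203.0.113.10:51234,123456,654321,Mon Jan  1 09:30:00 2018
aliyunuser,198.51.100.7:40001,2048,4096,Mon Jan  1 09:58:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,aliyunuser,203.0.113.10:51234,Mon Jan  1 09:59:50 2018
10.8.0.10,aliyunuser,198.51.100.7:40001,Mon Jan  1 09:59:55 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Print one line per session: common name, real address, virtual address.
# Reads a status file from stdin.
list_sessions() {
  awk -F, '
    /^ROUTING TABLE/    { in_clients = 0; in_routes = 1; next }
    /^GLOBAL STATS/     { in_routes = 0; next }
    /^Common Name,/     { in_clients = 1; next }
    /^Virtual Address,/ { next }
    in_clients { cn[$2] = $1; addrs[++n] = $2 }   # client rows: cn, real addr
    in_routes  { vaddr[$3] = $1 }                 # route rows: real addr -> vaddr
    END {
      for (i = 1; i <= n; i++)
        printf "%s %s %s\n", cn[addrs[i]], addrs[i],
               ((addrs[i] in vaddr) ? vaddr[addrs[i]] : "-")
    }'
}

# Count sessions per common name and report any name with more than one
# live session; with password-only auth that points to a shared credential.
flag_shared_logins() {
  list_sessions | awk '{ c[$1]++ } END { for (u in c) if (c[u] > 1) print u, c[u] }'
}

# On the live server: list_sessions < /var/log/openvpn-status.log
printf '%s\n' "$SAMPLE_STATUS" | list_sessions
```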
Client configuration
aliyun.ovpn
client
dev tun
proto udp
remote remote server ip
port 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/config/ca.crt
auth-user-pass
ns-cert-type server
route-delay 2
comp-lzo
verb 3
user file (the username on the first line, the password on the second)
Start the client
/usr/sbin/openvpn --config /etc/openvpn/config/aliyun.ovpn --auth-user-pass /etc/openvpn/config/user
Appendix: firewalld commands
Start the service
systemctl start firewalld.service
Stop the firewall
systemctl stop firewalld.service
Enable at boot
systemctl enable firewalld.service
Disable at boot
systemctl disable firewalld.service
Check the status
firewall-cmd --state   // "running" means it is up
Get the active zones
firewall-cmd --get-active-zones
This command prints the interfaces in each zone in the following format:
<zone1>: <interface1> <interface2> ..
<zone2>: <interface3> ..
Get all supported services
firewall-cmd --get-services
Reload the firewall without changing its state:
firewall-cmd --reload