## 1. Update the system packages

```bash
sudo apt update
sudo apt upgrade
```

## 2. Install the OpenVPN package

```bash
sudo apt install openvpn
```

## 3. Create and configure the OpenVPN server

1. Enter the OpenVPN configuration directory:

   ```bash
   cd /etc/openvpn
   ```

2. Copy the sample configuration file:

   ```bash
   sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
   ```

3. Decompress it:

   ```bash
   sudo gzip -d server.conf.gz
   ```

4. Edit the configuration file:

   ```bash
   sudo nano server.conf
   ```

5. Adjust the parameters to your environment, for example:

   ```
   local <server IP address>
   port <server port>
   proto udp
   dev tun
   ca ca.crt
   cert server.crt
   key server.key
   dh dh.pem
   server 10.8.0.0 255.255.255.0
   push "redirect-gateway def1 bypass-dhcp"
   push "dhcp-option DNS 208.67.222.222"
   push "dhcp-option DNS 208.67.220.220"
   keepalive 10 120
   comp-lzo
   user nobody
   group nogroup
   persist-key
   persist-tun
   status openvpn-status.log
   log-append /var/log/openvpn.log
   verb 3
   ```

6. Save the file and exit.

## 4. Generate the certificates and keys

1. Enter the Easy-RSA directory:

   ```bash
   cd /usr/share/easy-rsa
   ```

2. Initialize the certificate authority (CA):

   ```bash
   sudo ./easyrsa init-pki
   ```

3. Generate the certificates and keys:

   ```bash
   sudo ./easyrsa build-ca
   sudo ./easyrsa gen-dh
   sudo ./easyrsa build-server-full server nopass
   sudo ./easyrsa build-client-full client nopass
   openvpn --genkey --secret keys/ta.key
   ```

4. Start the OpenVPN service:

   ```bash
   sudo systemctl start openvpn@server
   ```

## 5. Configure the kernel and the firewall

1. Enable IP forwarding:

   ```bash
   sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
   sed -i '/net.ipv4.ip_forward/s/#//' /etc/sysctl.conf
   sysctl -p
   ```

2. Configure iptables:

   ```bash
   iptables -I INPUT -p tcp --dport 1194 -m comment --comment "openvpn" -j ACCEPT
   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
   ```

3. Persist the iptables rules:

   ```bash
   sudo apt-get install iptables-persistent
   sudo service netfilter-persistent save
   ```

4. List the iptables rules:

   ```bash
   sudo iptables -L
   ```

## 6. Username/password authentication

1. Edit server.conf on the server and add the following parameters.

   Do not require a client certificate (without this line, clients must pass both the certificate check and the username/password check):

   ```
   client-cert-not-required
   ```

   Username and password verification script:

   ```
   auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
   ```

   Use the username as the common name:

   ```
   username-as-common-name
   ```

   Script security level:

   ```
   script-security 3
   ```

2. Create the script and the password file.

   ```bash
   vim /etc/openvpn/checkpsw.sh
   ```

   ```bash
   #!/bin/bash
   ###########################################################
   # checkpsw.sh (C) 2004 Mathias Sundman
   #
   # This script will authenticate OpenVPN users against
   # a plain text file. The passfile should simply contain
   # one row per user with the username first followed by
   # one or more space(s) or tab(s) and then the password.
   #
   # With "auth-user-pass-verify ... via-env", OpenVPN hands the
   # submitted credentials to this script as the environment
   # variables $username and $password.

   PASSFILE="/etc/openvpn/psw-file"
   LOG_FILE="/var/log/openvpn-password.log"
   TIME_STAMP=`date "+%Y-%m-%d %T"`

   ###########################################################

   if [ ! -r "${PASSFILE}" ]; then
     echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
     exit 1
   fi

   # Look up the first non-comment line whose first field is the username.
   CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

   if [ "${CORRECT_PASSWORD}" = "" ]; then
     echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
     exit 1
   fi

   if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
     echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
     exit 0
   fi

   echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
   exit 1
   ```

   Make the script executable (note: without this, username/password authentication fails on connect because the script cannot be run):

   ```bash
   chmod +x /etc/openvpn/checkpsw.sh
   ```

   Password file, one user per line:

   ```bash
   vim /etc/openvpn/psw-file
   ```

   ```
   jinc 123456
   test 456789
   ```

   Set the permissions:

   ```bash
   chmod 777 /etc/openvpn/psw-file
   chown root.openvpn /etc/openvpn/* -R
   ```

3. Client configuration changes.

   Comment out:

   ```
   ;cert client.crt
   ;key client.key
   ```

   Add:

   ```
   auth-user-pass
   ```

## 7. Managing the OpenVPN service

1. Check the service status:

   ```bash
   sudo systemctl status openvpn@server
   ```

2. Start the service:

   ```bash
   sudo systemctl start openvpn@server
   ```

3. Restart the service:

   ```bash
   sudo systemctl restart openvpn@server
   ```

4. Stop the service:

   ```bash
   sudo systemctl stop openvpn@server
   ```

八零网管 (Devilink), 2023-11-01
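For section 5 (kernel and firewall) and the server.conf from section 3: the post opens TCP 1194 in iptables while server.conf says `proto udp`, and the MASQUERADE subnet is typed separately from the `server` line. The script below is an added example (not from the post) that derives both rules from server.conf itself so they cannot drift apart, and flags two directives from the post's config that newer OpenVPN releases deprecate (`client-cert-not-required`, replaced by `verify-client-cert none` in 2.4+, and `comp-lzo`, since compression is deprecated). Function names and the sample config are constructed here; the directives parsed are the real ones from the post.

```shell
#!/bin/sh
# Added example: derive iptables rules from server.conf and lint deprecated
# directives. Only the `port`, `proto` and `server` directives are parsed.

# conf_value <file> <directive> [default] - first value of a directive.
# Lines commented out with '#' or ';' never match $1 exactly, so they are skipped.
conf_value() {
    v=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# has_directive <file> <directive> - exit 0 if the directive is present.
has_directive() {
    awk -v k="$2" '$1 == k { found = 1 } END { exit !found }' "$1"
}

# input_rule_for <server.conf> - INPUT rule matching the socket OpenVPN listens on
# (OpenVPN defaults: port 1194, proto udp).
input_rule_for() {
    port=$(conf_value "$1" port 1194)
    proto=$(conf_value "$1" proto udp)
    case "$proto" in
        udp|udp4|udp6)                                     l4=udp ;;
        tcp|tcp-server|tcp4|tcp4-server|tcp6|tcp6-server)  l4=tcp ;;
        *) echo "unsupported proto: $proto" >&2; return 1 ;;
    esac
    printf 'iptables -I INPUT -p %s --dport %s -m comment --comment "openvpn" -j ACCEPT\n' "$l4" "$port"
}

# nat_rule_for <server.conf> - MASQUERADE for the subnet handed out by `server`.
# iptables accepts a dotted netmask after the slash, so no CIDR conversion is needed.
nat_rule_for() {
    net=$(awk '$1 == "server" { print $2 "/" $3; exit }' "$1")
    [ -n "$net" ] || { echo "no 'server' directive found" >&2; return 1; }
    printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$net"
}

# lint_conf <server.conf> - print one warning per deprecated directive;
# the exit status is the number of warnings (0 means nothing to report).
lint_conf() {
    n=0
    if has_directive "$1" client-cert-not-required; then
        echo "client-cert-not-required is deprecated since OpenVPN 2.4; use 'verify-client-cert none'"
        n=$((n + 1))
    fi
    if has_directive "$1" comp-lzo; then
        echo "comp-lzo turns on compression, which OpenVPN 2.4+ deprecates; drop it unless clients require it"
        n=$((n + 1))
    fi
    return $n
}

# Demo on a constructed server.conf that mirrors the post's configuration.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
comp-lzo
client-cert-not-required
EOF
input_rule_for "$demo_conf"
nat_rule_for "$demo_conf"
lint_conf "$demo_conf" || echo "$? deprecated directive(s) found"
rm -f "$demo_conf"
```

Run it against `/etc/openvpn/server.conf` and paste the two printed rules in place of the hand-typed ones from section 5; if `lint_conf` reports anything, fix the config before `netfilter-persistent save` so the persisted rules and the daemon agree.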
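For section 6: the checkpsw.sh shown there splices `${username}` straight into the awk program text, so a username containing a double quote changes the program rather than being compared as data, and both failure branches write the submitted password into the log file. The script below is an added example, not the post's script or Mathias Sundman's, that keeps the post's psw-file format and the `via-env` contract but passes the username to awk with `-v`, rejects empty or whitespace-bearing names, and logs only the username. The function name and the constructed sample file are assumptions; the psw-file path and log path are the post's. Note also that the file only needs to be readable by the account OpenVPN drops privileges to (`user nobody` in this config), not world-writable as `chmod 777` makes it.

```shell
#!/bin/bash
# Added example: hardened replacement for checkpsw.sh (not the post's script).
# Return codes: 0 = accepted, 1 = rejected, 2 = password file unreadable.
# verify_user <passfile> <username> <password>
verify_user() {
    passfile="$1"; user="$2"; pass="$3"
    [ -r "$passfile" ] || return 2
    # An empty name or one containing whitespace can never match a single
    # first field, so refuse it before touching the file.
    case "$user" in ''|*[[:space:]]*) return 1 ;; esac
    # -v hands the name to awk as a string value, so quotes or braces in it
    # cannot alter the program; comment lines (';' or '#') are still skipped.
    expected=$(awk -v u="$user" '!/^;/ && !/^#/ && $1 == u { print $2; exit }' "$passfile")
    [ -n "$expected" ] || return 1
    [ "$pass" = "$expected" ] || return 1
    return 0
}

# When invoked by OpenVPN (auth-user-pass-verify ... via-env), the credentials
# arrive as the environment variables username and password.
if [ -n "${username:-}" ]; then
    stamp=$(date '+%Y-%m-%d %T')
    if verify_user /etc/openvpn/psw-file "$username" "${password:-}"; then
        echo "${stamp}: Successful authentication: username=\"${username}\"." >> /var/log/openvpn-password.log
        exit 0
    fi
    # Log the outcome and the name only; the submitted password is never written.
    echo "${stamp}: Authentication failed: username=\"${username}\"." >> /var/log/openvpn-password.log
    exit 1
fi

# Demo on a constructed password file in the post's format (run directly, not via OpenVPN).
demo_file=$(mktemp)
printf '# constructed sample psw-file\njinc 123456\ntest 456789\n' > "$demo_file"
verify_user "$demo_file" jinc 123456 && echo "jinc / correct password: accepted"
verify_user "$demo_file" jinc wrong  || echo "jinc / wrong password: rejected"
verify_user "$demo_file" 'jinc"' 123456 || echo "name with a quote: treated as data, rejected"
rm -f "$demo_file"
```

Install it the same way as the post's script (`chmod +x`, same `auth-user-pass-verify` line); the psw-file format is unchanged, so existing user lines keep working.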