Linux安装部署OpenVPN

本次部署的通过账户与密码进行认证,实现多人登录使用VPN,只需要分发固定的证书和用户名、密码就可以,简单快捷 。
一、软件与规划网络软件版本:
centos7.6
easy-rsa 3.0.8
OpenVPN 2.4.9
网络环境规划:
VPN客户端地址段:10.98.1.0/24
VPN服务器网卡地址:10.99.1.253
VPN流量出设备NAT为10.99.1.253
二、基础环境配置2.1、关闭SElinuxsetenforce 0sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config2.2、开启内核转发grep -qF "net.ipv4.ip_forward" /etc/sysctl.conf|| echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.confsysctl -p2.3、关闭Firewall防火墙systemctl stop firewalldsystemctl disable firewalld三、服务器安装与部署3.1、软件与环境安装本文使用yum来安装openvpn,openvpn及其依赖的一些包在epel源上,首先先安装epel源 。
yum -y update#更新软件包yum install -y epel-release#安装epel源yum install -y openssl lzo pam openssl-devel lzo-devel pam-develyum install -y easy-rsa#安装依赖包yum install -y openvpn#安装openvpn3.2、easy-rsa配置证书密钥cp -rf /usr/share/easy-rsa/3.0.8 /etc/openvpn/server/easy-rsacd /etc/openvpn/server/easy-rsa#复制easy-rsa工具find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars#复制vars.example并重命名vars配置vars文件,文件也有该内容不过是注释的,可以直接再最后追加如下内容:
cat << EOF >> /etc/openvpn/server/easy-rsa/varsset_var EASYRSA_REQ_COUNTRY"CN"# 国家set_var EASYRSA_REQ_PROVINCE"BJ"# 省set_var EASYRSA_REQ_CITY"BeiJing"# 城市set_var EASYRSA_REQ_ORG"Lin"# 组织set_var EASYRSA_REQ_EMAIL"test@xxshell.com"# 邮箱set_var EASYRSA_REQ_OU"Lin"# 拥有者set_var EASYRSA_KEY_SIZE2048# 长度set_var EASYRSA_ALGOrsa# 算法set_var EASYRSA_CA_EXPIRE36500# CA证书过期时间,单位天set_var EASYRSA_CERT_EXPIRE36500# 签发证书的有效期是多少天,单位天EOF生成证书与私钥:
./easyrsa init-pki./easyrsa build-ca nopass#生成CA证书,需要填写组织名称,随便写 。./easyrsa build-server-full server nopass./easyrsa gen-dhopenvpn --genkey --secret ta.key3.3、创建日志存储与用户目录mkdir -p /var/log/openvpn/# 日志存放目录mkdir -p /etc/openvpn/server/user# 用户管理目录chown -R openvpn:openvpn /var/log/openvpn# 配置权限3.4、创建用户名密码文件echo 'vpnuser01 admin123456' >> /etc/openvpn/server/user/psw-file#后续添加用户直接在该文件下添加就可以;chmod 600 /etc/openvpn/server/user/psw-filechown openvpn:openvpn /etc/openvpn/server/user/psw-file3.5、创建密码检查脚本创建一个shell文件
/etc/openvpn/server/user/checkpsw.sh,内容如下:
#!/bin/shPASSFILE="/etc/openvpn/server/user/psw-file"LOG_FILE="/var/log/openvpn/password.log"TIME_STAMP=`date "+%Y-%m-%d %T"`if [ ! -r "${PASSFILE}" ]; thenecho "${TIME_STAMP}: Could not open password file "${PASSFILE}" for reading." >>${LOG_FILE}exit 1fiCORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`if [ "${CORRECT_PASSWORD}" = "" ]; thenecho "${TIME_STAMP}: User does not exist: username="${username}", password="${password}"." >> ${LOG_FILE}exit 1fiif [ "${password}" = "${CORRECT_PASSWORD}" ]; thenecho "${TIME_STAMP}: Successful authentication: username="${username}"." >> ${LOG_FILE}exit 0fiecho "${TIME_STAMP}: Incorrect password: username="${username}", password="${password}"." >> ${LOG_FILE}exit 1赋予密码检查脚本权限:
chmod 700 /etc/openvpn/server/user/checkpsw.shchown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh3.7、创建OpenVPN服务器配置文件编辑
/etc/openvpn/server/server.conf文件,并写入以下内容:
(也可以复制一份模板文件进行改写,模板文件路径
/usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf
port 10444proto udpdev tunuser openvpngroup openvpn#配置证书信息ca /etc/openvpn/server/easy-rsa/pki/ca.crtcert /etc/openvpn/server/easy-rsa/pki/issued/server.crtkey /etc/openvpn/server/easy-rsa/pki/private/server.keydh /etc/openvpn/server/easy-rsa/pki/dh.pemtls-auth /etc/openvpn/server/easy-rsa/ta.key 0#配置账号密码的认证方式auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-envscript-security 3verify-client-cert noneusername-as-common-nameclient-to-clientduplicate-cn#配置网络信息server 10.98.1.0 255.255.255.0push "route 10.99.1.0 255.255.255.0"push "route 172.16.0.9 255.255.255.255"compress lzocipher AES-256-CBCkeepalive 10 120persist-keypersist-tunverb 3reneg-sec 0#配置日志存放位置log /var/log/openvpn/server.loglog-Append /var/log/openvpn/server.logstatus /var/log/openvpn/status.log


推荐阅读