Deploying OpenVPN on an Alibaba Cloud ECS server
A build procedure for OpenVPN that I wrote earlier; recording it here.
OS
CentOS 7.x
Installation
yum install -y openvpn easy-rsa
Server-side configuration
Configuration files
cp -a /usr/share/easy-rsa /etc/openvpn/
Edit vars
cd /etc/openvpn/easy-rsa/2.0
vi vars and edit the following entries
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="Admin"
export KEY_EMAIL="admin@admin.cn"
export KEY_OU="IT"
Generate the certificates
cd /etc/openvpn/easy-rsa/2.0
ln -s openssl-1.0.0.cnf openssl.cnf
source ./vars
source ./clean-all
./build-ca
./build-key-server aliyunvpn
./build-key aliyunuser
./build-dh
Configuration files
cp -a /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/
cp -a /etc/openvpn/easy-rsa/2.0/keys/aliyunvpn.crt /etc/openvpn/
cp -a /etc/openvpn/easy-rsa/2.0/keys/aliyunvpn.key /etc/openvpn/
cp -a /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem /etc/openvpn/
cp /usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf /etc/openvpn/
server.conf contents are as follows
port 1194
proto udp
dev tun
ca ca.crt
cert aliyunvpn.crt
key aliyunvpn.key # This file should be kept secret
;plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
;client-cert-not-required
;username-as-common-name
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.0.0 255.240.0.0"
push "dhcp-option DNS 223.5.5.5"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
Enable IP forwarding
vi /etc/sysctl.conf and add
net.ipv4.ip_forward=1
Apply it
sysctl -p
Add firewalld rules
# Start the firewall
systemctl start firewalld
firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
Enable the systemd service and start it
systemctl enable openvpn@server.service
systemctl start openvpn@server.service
Alibaba Cloud security group configuration
Add a rule allowing inbound access to UDP port 1194
Client configuration (Linux as the example)
Install openvpn
yum install -y openvpn
Copy the following files from the server into the corresponding directory on the client
aliyunuser.crt
aliyunuser.key
ca.crt
aliyun.ovpn configuration
client
dev tun
proto udp
remote remote ip or domain
port 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/config/ca.crt
cert /etc/openvpn/config/aliyunuser.crt
key /etc/openvpn/config/aliyunuser.key
ns-cert-type server
route-delay 2
comp-lzo
verb 3
Start command
openvpn --config /etc/openvpn/config/aliyun.ovpn
Appendix: PAM and password authentication
Copy openvpn-plugin-auth-pam.so into the openvpn directory
cp -a /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/openvpn/
Create the file openvpn under /etc/pam.d/
cat /etc/pam.d/openvpn
auth required pam_unix.so shadow nodelay
account required pam_unix.so
Edit /etc/openvpn/server.conf and add the following
plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
Create the account
useradd aliyunuser -s /sbin/nologin
passwd aliyunuser
Client configuration
aliyun.ovpn
client
dev tun
proto udp
remote remote server ip
port 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/config/ca.crt
auth-user-pass
ns-cert-type server
route-delay 2
comp-lzo
verb 3
user file
username
password
Start the client
/usr/sbin/openvpn --config /etc/openvpn/config/aliyun.ovpn --auth-user-pass /etc/openvpn/config/user
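The server.conf above, together with the appendix's PAM changes, and the two client .ovpn files can be checked mechanically for the settings that weaken this setup. The following added script is not part of the original post or of OpenVPN; the sample config embedded in it is constructed from the post's directives, and the finding names and helper functions are this example's own.

```python
# Added example (not from the post or OpenVPN): flag weak directives in this page's configs.

# Constructed sample: server.conf from the post after the PAM appendix changes.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert aliyunvpn.crt
key aliyunvpn.key # This file should be kept secret
plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
dh dh2048.pem
server 10.8.0.0 255.255.255.0
client-to-client
comp-lzo
user nobody
group nobody
"""

def parse_directives(text: str) -> dict[str, list[str]]:
    """Map each active directive to its arguments; ';' lines and '#' tails are comments."""
    result: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        result[name] = args
    return result

def audit(text: str) -> list[str]:
    """Return finding ids for settings that weaken the page's setup (hypothetical names)."""
    d = parse_directives(text)
    findings: list[str] = []
    if "client-cert-not-required" in d:
        findings.append("password-only-auth")       # one factor: the PAM password alone
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression-enabled")      # OpenVPN upstream advises against it
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no-control-channel-hmac")  # port answers any handshake attempt
    if "cipher" not in d:
        findings.append("default-cipher")           # 2.3 default is BF-CBC (64-bit block)
    if d.get("user") != ["nobody"] or d.get("group") != ["nobody"]:
        findings.append("runs-as-root")             # no privilege drop after startup
    if "ns-cert-type" in d:
        findings.append("ns-cert-type-deprecated")  # prefer remote-cert-tls server
    return findings
```

Running audit() over the client .ovpn files on this page flags ns-cert-type-deprecated and compression-enabled as well; the user/group check only applies to the server side.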
Appendix: firewalld commands
Start the service: systemctl start firewalld.service
Stop the firewall: systemctl stop firewalld.service
Enable at boot: systemctl enable firewalld.service
Disable at boot: systemctl disable firewalld.service
Check status: firewall-cmd --state  // running means the firewall is up
List active zones: firewall-cmd --get-active-zones
This command prints the interfaces belonging to each zone in the following format:
: ..: ..
List all supported services: firewall-cmd --get-services
Reload the firewall without changing its state: firewall-cmd --reload