
OpenVPN deployment and connection (Linux client edition), with the scripts used

17 participants  2024-09-15 18:01  Category: Focus on the Internet



The previous article covered the OpenVPN connection method for Windows.
This one covers the OpenVPN connection for Linux. The two are essentially the same: as long as the certificates are set up correctly on the server, the rest follows.

Getting straight to the operations, with the steps kept to a minimum: everything on the server side is done by script.
Test environment

Public IP          Internal IP        Role
192.168.121.159                       client
192.168.121.160    192.168.122.253    server

First, configure the EPEL repository; I am using Alibaba Cloud's EPEL mirror.

wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

Then install the required packages and run the related configuration steps:

#! /bin/bash
yum clean all
yum makecache
# Install OpenVPN, the certificate tooling (easy-rsa) and expect (used to answer the interactive prompts)
yum -y install openvpn
yum -y install easy-rsa
yum -y install expect
# Prepare the configuration files
echo "生成服务器配置文件"
cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
echo "准备证书签发相关文件"
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
echo "准备签发证书相关变量的配置文件"
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars
echo "初始化服务端PKI生成PKI相关目录和文件"
cd /etc/openvpn/easy-rsa-server/3
./easyrsa init-pki
echo "创建CA证书"
# Interactive equivalent: ./easyrsa build-ca nopass
expect <<EOF
spawn ./easyrsa build-ca nopass
expect {
    "Easy-RSA" {send "\n"}
}
expect eof
EOF
cat pki/serial
echo "生成服务端证书"
# Interactive equivalent: ./easyrsa gen-req server nopass
expect <<EOF
spawn ./easyrsa gen-req server nopass
expect {
    "server" {send "\n"}
}
expect eof
EOF
echo "签发服务端证书"
# Interactive equivalent: ./easyrsa sign server server
expect <<EOF
spawn ./easyrsa sign server server
expect {
    "*details:" {send "yes\n"}
}
expect eof
EOF
echo "创建 Diffie-Hellman 密钥"
./easyrsa gen-dh
# Write the server configuration (overrides the sample copied above)
cat > /etc/openvpn/server.conf <<EOF
port 1194
proto tcp
dev tun
ca  /etc/openvpn/certs/ca.crt
cert  /etc/openvpn/certs/server.crt
key  /etc/openvpn/certs/server.key  # This file should be kept secret
dh  /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.122.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status  /var/log/openvpn/openvpn-status.log
log-append   /var/log/openvpn/openvpn.log
verb 3
mute 20
EOF
# Enable forwarding and NAT the VPN subnet out of the server
echo "添加防火墙"
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
sysctl -p
yum install iptables-services -y
systemctl disable --now firewalld
systemctl start iptables
iptables -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -vnL -t nat
# Copy the issued certificates and keys to the paths referenced in server.conf
mkdir -p /var/log/openvpn
mkdir -p /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
echo "重启OpenVpn"
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

Server side: generating the per-client certificate and configuration bundle

#! /bin/bash
read -p "请输入用户的姓名拼音: " NAME
read -p "请输入VPN服务端的公网IP: " IP
echo "客户端证书环境"
# A separate easy-rsa tree is used to generate the client's key and request
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/vars
cd /etc/openvpn/easy-rsa-client/3
echo "初始化pki证书目录"
# Interactive equivalent: ./easyrsa init-pki
expect << EOF
spawn ./easyrsa init-pki
expect {
    "removal" {send "yes\n"}
}
expect eof
EOF
echo "生成客户端证书"
# Interactive equivalent: ./easyrsa gen-req ${NAME} nopass
expect << EOF
spawn ./easyrsa gen-req ${NAME} nopass
expect {
    "${NAME}" {send "\n"}
}
expect eof
EOF
echo "将客户端证书同步到服务端"
# Import the request into the server CA and sign it there
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}
echo "查看客户端证书"
ls -l pki/reqs/${NAME}.req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req
echo "签发客户端证书,请输入:yes"
# Interactive equivalent: ./easyrsa sign client ${NAME}
expect << EOF
spawn ./easyrsa sign client ${NAME}
expect {
    "*details" {send "yes\n"}
}
expect eof
EOF
echo "查看证书"
cat pki/index.txt
ls -l pki/certs_by_serial/
cat pki/issued/${NAME}.crt
echo "创建客户端配置文件"
mkdir -p /etc/openvpn/client/${NAME}
cd /etc/openvpn/client/${NAME}
cat > /etc/openvpn/client/${NAME}/client.conf <<EOF
client
dev tun
proto tcp
remote ${IP} 1194
resolv-retry infinite
nobind
ca ca.crt
cert ${NAME}.crt
key ${NAME}.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF
# Collect the client's key, its signed certificate and the CA certificate next to client.conf
cp /etc/openvpn/easy-rsa-client/3/pki/private/${NAME}.key .
cp /etc/openvpn/easy-rsa-server/3/pki/issued/${NAME}.crt .
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt .
echo "打包用户证书"
tar -czvf ${NAME}.tar.gz ./
# Restart OpenVPN
systemctl daemon-reload
systemctl enable --now openvpn@server
systemctl restart openvpn@server

Now the client side. The client configuration is much simpler, with only a few steps, so no script is needed; the steps are shown here one by one.
The EPEL repository is needed here too:

wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

Then install OpenVPN:

yum install openvpn -y

Copy the authentication bundle packaged on the server over to the client; adjust the IP to match your own environment:

scp 192.168.121.160:/etc/openvpn/client/yiyezhiqiu/yiyezhiqiu.tar.gz /etc/openvpn/

Extract the bundle:

tar -xf /etc/openvpn/yiyezhiqiu.tar.gz -C /etc/openvpn/

Then OpenVPN can be started:

systemctl start openvpn@client
systemctl enable openvpn@client

Check the startup log; everything is normal.
Test the connection: ping works, and an SSH connection works too.
With that, the OpenVPN connection is up.
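Before starting openvpn@client it is worth checking the extracted bundle rather than relying on the startup log alone. The script below is an added example, not part of the original post: it takes the bundle directory, reads the ca/cert/key file names from client.conf (the layout the server-side script produces), and checks that the certificate chains to the bundled CA, that the private key matches the certificate, that the certificate is not about to expire, that remote-cert-tls server is present, and that the key file is not readable by other users. It assumes openssl and GNU stat are available.

```shell
#!/bin/bash
# Added example (not from the original post). Usage: check_bundle /etc/openvpn
# Assumes the bundle layout produced by the server-side script: client.conf plus
# ca.crt, <name>.crt and <name>.key in one directory. Requires openssl, GNU stat.
check_bundle() {
    dir="$1"; conf="$dir/client.conf"; errors=0
    [ -r "$conf" ] || { echo "missing client.conf in $dir"; return 1; }
    # File names come from the config; they are relative to the bundle directory.
    ca="$dir/$(awk '$1=="ca"{print $2}' "$conf")"
    cert="$dir/$(awk '$1=="cert"{print $2}' "$conf")"
    key="$dir/$(awk '$1=="key"{print $2}' "$conf")"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing file: $f"; errors=$((errors+1)); }
    done
    [ "$errors" -eq 0 ] || return 1
    # 1. The client certificate must chain to the CA shipped in the bundle.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not verify against $ca"; errors=$((errors+1)); }
    # 2. The private key must belong to the certificate (compare public keys).
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    { [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; } \
        || { echo "private key does not match certificate"; errors=$((errors+1)); }
    # 3. The certificate must remain valid for at least 7 days (604800 s).
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null 2>&1 \
        || { echo "certificate expires within 7 days"; errors=$((errors+1)); }
    # 4. Without 'remote-cert-tls server' any certificate issued by this CA
    #    (for example another client's) would be accepted as the server.
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$conf" \
        || { echo "client.conf lacks 'remote-cert-tls server'"; errors=$((errors+1)); }
    # 5. The key must be readable by its owner only.
    perms=$(stat -c '%a' "$key")
    { [ "$perms" = "600" ] || [ "$perms" = "400" ]; } \
        || { echo "key mode is $perms, expected 600"; errors=$((errors+1)); }
    [ "$errors" -eq 0 ]
}
# Run directly on a bundle directory when given as the first argument.
if [ -n "${1:-}" ]; then check_bundle "$1"; fi
```

The function exits non-zero and prints one line per failed check, so it can be run from a deployment script before `systemctl start openvpn@client`.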




Article link: http://zhangshiyu.com/post/160503.html
