A colleague reported that the services on our overseas Alibaba Cloud server were intermittently unreachable and asked for a VPN.
Also: you cannot run a circumvention proxy on a domestic cloud provider's server; they detect it and notify you. If you want one, buy an overseas server. Here OpenVPN is used only to reach resources on the server's internal network.
Server OS
Alibaba Cloud Linux release 3
Subnet 172.26.1.0/24
Note:
⇨⇨⇨ in the security group, allow inbound UDP port 1194 ⇦⇦⇦
1. Install the server
Disable SELinux and enable IP forwarding (net.ipv4.ip_forward=1)
$ cat /etc/selinux/config | grep SELINUX
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
$ cat /etc/sysctl.conf | grep net.ipv4.ip_forward
net.ipv4.ip_forward=1
$ sysctl -p
$ yum install openvpn easy-rsa
2. Configure
cp -r /usr/share/easy-rsa/3.0.8 /etc/openvpn/easy-rsa
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa/vars
Edit /etc/openvpn/easy-rsa/vars:
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "BJ"
set_var EASYRSA_REQ_CITY "BeiJing"
set_var EASYRSA_REQ_ORG "Admin"
set_var EASYRSA_REQ_EMAIL "admin@163.com"
set_var EASYRSA_REQ_OU "OP"
3. Generate the keys: CA key, server and client keys, DH parameters, CRL (PEM), TLS-auth key
Working directory: /etc/openvpn/easy-rsa/
source vars   # not required with easy-rsa 3, which reads ./vars on its own; sourcing it only prints a notice
./easyrsa init-pki
./easyrsa build-ca   # the default common name is fine
./easyrsa gen-req server nopass   # no passphrase on the key; default common name
./easyrsa sign-req server server   # sign the server request; answer "yes" to "Confirm request details"
./easyrsa gen-req client nopass   # no passphrase on the key; default common name
./easyrsa sign-req client client   # sign the client request; answer "yes" to "Confirm request details"
./easyrsa gen-dh
openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key   # create the TLS-auth key (OpenVPN 2.5 also accepts "openvpn --genkey secret ta.key")
./easyrsa gen-crl
Copy the certificates:
cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem pki/crl.pem ta.key /etc/openvpn/server/
cp pki/ca.crt pki/issued/client.crt pki/private/client.key ta.key /etc/openvpn/client/
4. Server configuration file
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/
Adjust as follows (the key and tls-auth lines are already present in the sample config and are kept):
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key            # kept from the sample config; keep this file private
dh dh.pem
crl-verify crl.pem        # revoked clients are rejected only while this CRL is present and current
tls-auth ta.key 0         # kept from the sample config; direction 0 pairs with the client's "tls-auth ta.key 1"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.26.1.0 255.255.255.0"   # only the internal subnet is routed through the tunnel
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2           # OpenVPN 2.5 warns that compression has been used to break encryption; omit both compress lines unless required
push "compress lz4-v2"
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
explicit-exit-notify 1
5. Client configuration file
Template: /usr/share/doc/openvpn/sample/sample-config-files/client.conf
client
dev tun
proto udp
remote <server public IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
6. Configure NAT and start the service
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   # VPN clients reach 172.26.1.0/24 using the server's own address; eth0 is the server's interface. The rule is lost on reboot unless saved.
systemctl enable openvpn-server@server && systemctl start openvpn-server@server   # the unit reads /etc/openvpn/server/server.conf
7. Client software (downloading it from inside China requires a proxy)
8. Add a user
cd /home/op/openvpn/easy-rsa/   # the easy-rsa directory (set up under /etc/openvpn/easy-rsa/ in step 2)
./easyrsa gen-req username nopass
./easyrsa sign-req client username
Copy username.key, username.crt and ca.crt to the client, together with ta.key, which the client config references via tls-auth.
On Windows the client.ovpn template is under the OpenVPN install directory, OpenVPN/sample-config/client.ovpn; change:
remote 公网ip 端口
ca ca.crt
cert username.crt
key username.key
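To turn step 8 into one command and hand the user a single file instead of four, here is an added example script (mine, not from the original post) that issues the client certificate with easy-rsa and assembles an inline .ovpn carrying the same directives as the client config in step 5, with ca.crt, the client cert and key, and ta.key embedded. Assumptions: easy-rsa lives at $EASYRSA_DIR (default /etc/openvpn/easy-rsa) in the pki/ layout created in step 3, ta.key sits in that directory, and the server IP is passed on the command line; 203.0.113.10 in the usage comment is a documentation address, not a real server.

```shell
#!/bin/sh
# Added example, not part of the original post: issue a client certificate
# with easy-rsa and assemble a single-file .ovpn with the certificates and
# the TLS-auth key embedded. Assumed layout: $EASYRSA_DIR/pki/... as created
# in step 3, with ta.key in $EASYRSA_DIR.
set -eu

# Print one inline block (<ca>...</ca> etc.) built from a PEM file.
inline_block() {
    tag=$1; file=$2
    [ -r "$file" ] || { echo "missing $file" >&2; return 1; }
    printf '<%s>\n' "$tag"
    cat "$file"
    printf '</%s>\n' "$tag"
}

# Write the profile to stdout. Arguments: easy-rsa dir, client name, server IP.
# The directives mirror the client.conf of step 5; "key-direction 1" replaces
# the trailing "1" of "tls-auth ta.key 1" when the key is embedded inline.
make_client_profile() {
    rsa_dir=$1; name=$2; server_ip=$3
    cat <<EOF
client
dev tun
proto udp
remote $server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
verb 3
EOF
    inline_block ca       "$rsa_dir/pki/ca.crt"            || return 1
    inline_block cert     "$rsa_dir/pki/issued/$name.crt"  || return 1
    inline_block key      "$rsa_dir/pki/private/$name.key" || return 1
    inline_block tls-auth "$rsa_dir/ta.key"                || return 1
}

# Issue the certificate if it does not exist yet (--batch skips the
# common-name and "Confirm request details" prompts), then write the
# profile readable only by its owner, because it embeds the private key.
issue_and_export() {
    rsa_dir=$1; name=$2; server_ip=$3; out=$4
    if [ ! -f "$rsa_dir/pki/issued/$name.crt" ]; then
        (cd "$rsa_dir" && ./easyrsa --batch gen-req "$name" nopass \
                       && ./easyrsa --batch sign-req client "$name")
    fi
    (umask 077 && make_client_profile "$rsa_dir" "$name" "$server_ip" > "$out")
    echo "wrote $out"
}

# Usage: ./make-profile.sh alice 203.0.113.10
# (203.0.113.10 is a documentation address standing in for the server's public IP)
if [ $# -eq 2 ]; then
    issue_and_export "${EASYRSA_DIR:-/etc/openvpn/easy-rsa}" "$1" "$2" "./$1.ovpn"
fi
```

The resulting alice.ovpn is imported as-is by the Windows client or used with openvpn --config; because it contains the private key it should be delivered over a channel you trust and deleted from the server afterwards.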
9. Remove a user
cd /home/op/openvpn/easy-rsa/
./easyrsa revoke username
./easyrsa gen-crl                      # the revocation takes effect only once the CRL is regenerated ...
cp pki/crl.pem /etc/openvpn/server/    # ... and installed where the server's crl-verify reads it
10. Managing the VPN client process with supervisor, so that it is restarted automatically if it exits unexpectedly
Add the following to supervisord.conf:
[program:vpn]
command=openvpn --cd /etc/openvpn/tx --config tx.ovpn --log-append /var/log/openvpn.log
autorestart=true
autostart=true
user=root
numprocs=1
startretries=10
exitcodes=0
stopsignal=KILL
stopwaitsecs=10
redirect_stderr=true
11. Managing the VPN server process with supervisor, again restarting it automatically if it exits unexpectedly
Add the following to supervisord.conf:
[program:vpn]
command=openvpn --writepid /var/run/openvpn/openvpn.pid --cd /home/op/openvpn/conf/ --config /home/op/openvpn/conf/openvpn.conf
autorestart=true
autostart=true
user=root
numprocs=1
startretries=10
exitcodes=0
stopsignal=KILL
stopwaitsecs=10
redirect_stderr=true