OpenVPN

  1. 作者QQ:67065435 QQ群:821635552

IP假设

  1. IP假设
    # 服务器公网IP为
    118.200.200.200
    # 服务器内网IP为
    10.8.0.2
    

CentOS7.x服务端

  1. 安装openvpn

    yum install openvpn lrzsz epel-release easy-rsa net-tools bridge-utils -y
    
  2. 创建ca证书

    # ************** stands for the passphrase; choose your own.
    # All easy-rsa 3 steps run from this directory, so the ./pki paths below
    # are relative to it.
    cd /usr/share/easy-rsa/3
    
    # (Re)initialises the ./pki tree.
    ./easyrsa init-pki
    
    # Creates the CA key and certificate. The passphrase protects
    # ./pki/private/ca.key and is asked for again by every build-*-full call.
    ./easyrsa build-ca
    # Enter New CA Key Passphrase:    **************
    # Re-Enter New CA Key Passphrase: **************
    # Common Name:                    server1
    
    # nopass: the server key is written unencrypted so the service can start
    # without a prompt; it relies on filesystem permissions for protection.
    ./easyrsa build-server-full server1 nopass
    # Enter pass phrase for ./pki/private/ca.key: **************
    
    # nopass here means client1.key is also stored in the clear; it is later
    # transferred to the Windows client and is as sensitive as a password.
    ./easyrsa build-client-full client1 nopass
    # Enter pass phrase for ./pki/private/ca.key: **************
    
    ./easyrsa gen-dh
    # DH parameters of size 2048 created at ./pki/dh.pem
    
    # Shared HMAC key for tls-auth; the server configs use direction 0 and
    # the client configs direction 1.
    openvpn --genkey --secret ./pki/ta.key
    
    cp -r ./pki/ca.crt  /etc/openvpn/server/
    cp -r ./pki/dh.pem  /etc/openvpn/server/
    cp -r ./pki/issued  /etc/openvpn/server/
    # NOTE(review): ./pki/private also contains ca.key (see the passphrase
    # prompts above). The running server only needs private/server1.key, so
    # copying the whole directory puts the CA signing key on the VPN host,
    # where the later "chown -R www:www /etc/openvpn" hands it to the
    # unprivileged service user. Prefer copying private/server1.key alone and
    # keeping ca.key on the CA machine only.
    cp -r ./pki/private /etc/openvpn/server/
    cp -r ./pki/ta.key  /etc/openvpn/server/
    
  3. 开启ipv4转发

    vi /etc/sysctl.conf
    
    net.ipv4.ip_forward = 1
    
    ESC
    :wq
    
    # Apply the forwarding setting immediately (-w) ...
    sysctl -w net.ipv4.ip_forward=1
    
    # ... and reload every sysctl file so the persisted /etc/sysctl.conf
    # entry above is what stays in effect after a reboot.
    sysctl --system
    
  4. 修改配置文件

    # Pick the path that matches the installed openvpn version (2.4.9 here).
    # Both listeners start from the same upstream sample and are edited
    # separately below.
    cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/server/openvpn-tcp.conf
    cp /usr/share/doc/openvpn-2.4.9/sample/sample-config-files/server.conf /etc/openvpn/server/openvpn-udp.conf
    
    vi /etc/openvpn/server/openvpn-tcp.conf
    
    # openvpn-tcp.conf: TCP listener on port 1101 using a tap (layer-2) device.
    # Relative paths resolve against /etc/openvpn/server, the unit's
    # WorkingDirectory.
    local       0.0.0.0
    port        1101
    proto       tcp
    dev         tap
    
    ca          ca.crt
    cert        issued/server1.crt
    key         private/server1.key
    dh          dh.pem
    
    # NOTE(review): the udp listener on this host uses the same 10.8.0.0/24
    # pool. Two instances on one machine each claiming this subnet will
    # conflict on the server-side routes; give the second listener its own
    # subnet (e.g. 10.8.1.0/24, example value) — TODO confirm.
    server      10.8.0.0 255.255.255.0
    # redirect-gateway already routes all client traffic into the tunnel, so
    # the explicit default-route push is redundant but harmless.
    push        "route 0.0.0.0 0.0.0.0"
    push        "redirect-gateway def1 bypass-dhcp"
    push        "dhcp-option DNS 223.5.5.5"
    push        "dhcp-option DNS 114.114.114.114"
    push        "dhcp-option DNS 119.29.29.29"
    push        "dhcp-option DNS 8.8.8.8"
    
    # Key direction 0 pairs with "tls-auth ta.key 1" in the client configs.
    tls-auth    ta.key 0
    # NOTE(review): tunnel compression can leak plaintext through compressed
    # sizes (VORACLE-type attacks) and is off by default in newer OpenVPN
    # releases. Unless bandwidth requires it, drop comp-lzo here and in the
    # matching .ovpn files (both sides must agree).
    comp-lzo
    max-clients 10
    
    # Privileges drop to www after startup. If this listing replaces the whole
    # sample file, also set persist-key and persist-tun so that a SIGUSR1
    # restart does not fail re-opening the key and tap device as www.
    user        www
    group       www
    
    # The status file is rewritten periodically while running as www, so its
    # directory must be writable by www. Pointing these at /run or /var/log
    # avoids having to make /etc/openvpn (and the keys in it) www-owned.
    status      openvpn-tcp.stu
    log         openvpn-tcp.log
    
    # explicit-exit-notify is UDP-only; 0 keeps it disabled for this listener.
    explicit-exit-notify 0
    
    ESC
    :wq
    
    vi /etc/openvpn/server/openvpn-udp.conf
    
    # openvpn-udp.conf: UDP listener on port 1102 using a tun (layer-3) device.
    # Relative paths resolve against /etc/openvpn/server, the unit's
    # WorkingDirectory.
    local       0.0.0.0
    port        1102
    proto       udp
    dev         tun
    
    ca          ca.crt
    cert        issued/server1.crt
    key         private/server1.key
    dh          dh.pem
    
    # NOTE(review): same 10.8.0.0/24 pool as the tcp listener on this host;
    # two instances sharing a subnet conflict on the server-side routes.
    # Use a distinct subnet here (e.g. 10.8.1.0/24, example value) — TODO confirm.
    server      10.8.0.0 255.255.255.0
    # Unlike the tcp config this pushes only a bare default route and no
    # redirect-gateway/DNS options; if full-tunnel behaviour is wanted here
    # too, the redirect-gateway form is the one OpenVPN documents for it.
    push        "route 0.0.0.0 0.0.0.0"
    
    # Key direction 0 pairs with "tls-auth ta.key 1" in the client configs.
    tls-auth    ta.key 0
    # NOTE(review): tunnel compression can leak plaintext through compressed
    # sizes (VORACLE-type attacks) and is off by default in newer OpenVPN
    # releases; drop it on both sides unless it is really needed.
    comp-lzo
    max-clients 10
    
    # Privileges drop to www after startup; if this listing replaces the whole
    # sample file, add persist-key and persist-tun as well.
    user        www
    group       www
    
    # Rewritten while running as www, so the directory must be writable by
    # www; placing them under /run or /var/log keeps /etc/openvpn root-owned.
    status      openvpn-udp.stu
    log         openvpn-udp.log
    
    # 1: tell connected clients when this server exits so they reconnect
    # promptly (UDP only).
    explicit-exit-notify 1
    
    ESC
    :wq
    
  5. 复制启动项

    cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-tcp.service
    cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-udp.service
    
    vi /etc/systemd/system/openvpn-tcp.service
    
    # Copy of the packaged openvpn-server@.service with the %i instance
    # replaced by fixed paths for the tcp listener.
    [Unit]
    Description=OpenVPN service for tcp
    # syslog.target is obsolete in current systemd; it is inherited from the
    # template and harmless.
    After=syslog.target network-online.target
    Wants=network-online.target
    
    [Service]
    Type=notify
    PrivateTmp=true
    WorkingDirectory=/etc/openvpn/server
    # NOTE(review): --status here duplicates the "status" line in
    # openvpn-tcp.conf and places the file inside /etc/openvpn/server, which
    # is why that directory later has to be chowned to the unprivileged www
    # user. The packaged template, as far as I recall, writes it under the
    # runtime directory (%t); keeping that location lets the config and key
    # directory stay root-owned — TODO confirm against the installed unit.
    ExecStart=/usr/sbin/openvpn --status /etc/openvpn/server/openvpn-tcp.stu --status-version 2 --suppress-timestamps --config /etc/openvpn/server/openvpn-tcp.conf
    # Upper bound on the capabilities the daemon may hold; everything else is
    # unavailable even while it still runs as root.
    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
    LimitNPROC=10
    DeviceAllow=/dev/null rw
    DeviceAllow=/dev/net/tun rw
    # ProtectSystem=true makes /usr and /boot read-only; /etc is not covered,
    # which is what allows the status/log files above to be written there.
    ProtectSystem=true
    ProtectHome=true
    # Only the main process receives the stop signal.
    KillMode=process
    RestartSec=5s
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    ESC
    :wq
    
    vi /etc/systemd/system/openvpn-udp.service
    
    # Copy of the packaged openvpn-server@.service with the %i instance
    # replaced by fixed paths for the udp listener.
    [Unit]
    Description=OpenVPN service for udp
    # syslog.target is obsolete in current systemd; inherited from the
    # template and harmless.
    After=syslog.target network-online.target
    Wants=network-online.target
    
    [Service]
    Type=notify
    PrivateTmp=true
    WorkingDirectory=/etc/openvpn/server
    # NOTE(review): --status duplicates the "status" line in openvpn-udp.conf
    # and puts the file inside /etc/openvpn/server, forcing that directory to
    # be writable by the unprivileged www user. A path under the runtime
    # directory (%t) or /var/log keeps the config and key directory root-owned.
    ExecStart=/usr/sbin/openvpn --status /etc/openvpn/server/openvpn-udp.stu --status-version 2 --suppress-timestamps --config /etc/openvpn/server/openvpn-udp.conf
    # Upper bound on the capabilities the daemon may hold.
    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
    LimitNPROC=10
    DeviceAllow=/dev/null rw
    DeviceAllow=/dev/net/tun rw
    # ProtectSystem=true makes /usr and /boot read-only; /etc stays writable.
    ProtectSystem=true
    ProtectHome=true
    # Only the main process receives the stop signal.
    KillMode=process
    RestartSec=5s
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    ESC
    :wq
    
  6. 启动服务端

    # Service account the daemon drops to ("user www" / "group www" in both
    # configs).
    # NOTE(review): a bare useradd creates a regular login account with a home
    # directory; a system account without a shell (useradd -r -s /sbin/nologin
    # www) is sufficient for this purpose.
    useradd www
    # NOTE(review): this hands the unprivileged www user ownership of the
    # whole tree, including private/server1.key and the copied ca.key. It is
    # only needed because the status/log files are written into
    # /etc/openvpn/server after the privilege drop. With those files kept
    # under /run or /var/log, /etc/openvpn can stay root-owned and the keys
    # readable by root alone (they are loaded at startup, before the drop,
    # when persist-key is set).
    chown -R www:www /etc/openvpn
    
    systemctl daemon-reload
    
    # The first status call runs before the unit is started: it reports
    # "inactive" (non-zero exit) and only confirms the unit file was found.
    systemctl status openvpn-tcp
    systemctl start  openvpn-tcp
    systemctl status openvpn-tcp
    systemctl enable openvpn-tcp
    
    systemctl status openvpn-udp
    systemctl start  openvpn-udp
    systemctl status openvpn-udp
    systemctl enable openvpn-udp
    
  7. 开启指定端口

    # firewalld: open the listener ports. They must match the "port"/"proto"
    # lines of the two server configs (1101/tcp, 1102/udp); no other inbound
    # port is needed for the VPN itself.
    firewall-cmd --permanent --zone=public --add-port=1101/tcp
    firewall-cmd --permanent --zone=public --add-port=1102/udp
    firewall-cmd --reload
    
    # iptables equivalent for opening the ports: not covered here (the author
    # refers readers to a Baidu search).
    
  8. 配置NAT转发

    # firewalld: enable NAT (masquerade) on the public zone so client traffic
    # leaving via the server's public interface is source-NATed. This is what
    # makes the pushed default routes usable; ip_forward must be on as well.
    firewall-cmd --permanent --zone=public --add-masquerade
    firewall-cmd --reload
    # firewalld: disable masquerade again.
    firewall-cmd --permanent --zone=public --remove-masquerade
    firewall-cmd --reload
    # firewalld: check whether masquerade is enabled (prints yes/no).
    firewall-cmd --permanent --zone=public --query-masquerade
    
    # iptables equivalents (enable / disable / query NAT): not covered here;
    # the author refers readers to a Baidu search.
    

Windows客户端

  1. 下载openvpn客户端

  2. 安装openvpn客户端到D:\openvpn

  3. 复制openvpn客户端配置文件

    复制 D:\openvpn\sample-config\client.ovpn 到 D:\openvpn\config\openvpn-tcp.ovpn
    复制 D:\openvpn\sample-config\client.ovpn 到 D:\openvpn\config\openvpn-udp.ovpn
    
  4. 从服务器下载客户端文件到D:\openvpn\config

    # Push the client-side files to the Windows machine over the terminal
    # session (lrzsz ZMODEM). client1.key is an unencrypted private key
    # (built with nopass) and is as sensitive as a password: transfer it only
    # through the encrypted SSH session and keep it out of shared folders.
    sz /etc/openvpn/server/ca.crt
    sz /etc/openvpn/server/ta.key
    sz /etc/openvpn/server/issued/client1.crt
    sz /etc/openvpn/server/private/client1.key
    
  5. 编辑openvpn-tcp.ovpn

    vi openvpn-tcp.ovpn
    
    # openvpn-tcp.ovpn: mirrors the server's tcp listener. proto, dev and port
    # must match the server side, and ta.key direction 1 pairs with the
    # server's "tls-auth ta.key 0".
    client
    proto           tcp
    dev             tap
    remote          118.200.200.200 1101
    ca              ca.crt
    tls-auth        ta.key 1
    cert            client1.crt
    key             client1.key
    resolv-retry    infinite
    # ns-cert-type is deprecated (removed in OpenVPN 2.5) and fully superseded
    # by the remote-cert-tls line below; it can be dropped.
    ns-cert-type    server
    # Requires the peer certificate to carry the server key-usage/EKU, so a
    # client certificate issued by the same CA cannot pose as the server.
    remote-cert-tls server
    # NOTE(review): the server config sets no cipher. With 2.4 on both ends
    # the data-channel cipher is negotiated (NCP); against an older peer this
    # value must match the server's — TODO confirm with the deployed versions.
    cipher          AES-256-CBC
    nobind
    persist-key
    persist-tun
    # Must match the server. Compression can leak tunnel plaintext
    # (VORACLE-type attacks) and is off by default in newer releases; remove
    # it on both sides unless required.
    comp-lzo
    verb 3
    
    ESC
    :wq
    
  6. 编辑openvpn-udp.ovpn

    vi openvpn-udp.ovpn
    
    # openvpn-udp.ovpn: mirrors the server's udp listener. proto, dev and port
    # must match the server side, and ta.key direction 1 pairs with the
    # server's "tls-auth ta.key 0".
    client
    dev             tun
    proto           udp
    remote          118.200.200.200 1102
    ca              ca.crt
    tls-auth        ta.key 1
    cert            client1.crt
    key             client1.key
    resolv-retry    infinite
    # Requires the peer certificate to carry the server key-usage/EKU, so a
    # client certificate issued by the same CA cannot pose as the server.
    remote-cert-tls server
    # NOTE(review): the server config sets no cipher; with 2.4 on both ends
    # the cipher is negotiated (NCP), otherwise this must match the server —
    # TODO confirm with the deployed versions.
    cipher          AES-256-CBC
    nobind
    persist-key
    persist-tun
    # Must match the server. Compression can leak tunnel plaintext
    # (VORACLE-type attacks) and is off by default in newer releases; remove
    # it on both sides unless required.
    comp-lzo
    verb 3
    
    ESC
    :wq
    
  7. 启动openvpn客户端

