搭建openvpn


搭建openvpn

安装openvpn和easy-rsa软件

[root@openvpn ~]# yum install -y openvpn easy-rsa
#openvpn和easy-rsa安装需要epel源
#yum install epel-release -y
[root@openvpn /etc/openvpn]# openvpn --version
OpenVPN 2.4.9 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2020

easy-rsa版本为3.0.8

[root@openvpn ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa-3.0.8
/usr/share/doc/easy-rsa-3.0.8/COPYING.md
/usr/share/doc/easy-rsa-3.0.8/ChangeLog
/usr/share/doc/easy-rsa-3.0.8/README.md
/usr/share/doc/easy-rsa-3.0.8/README.quickstart.md
/usr/share/doc/easy-rsa-3.0.8/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa-3.0.8
/usr/share/licenses/easy-rsa-3.0.8/gpl-2.0.txt

使用easy-rsa为openvpn服务端生成相关证书

PS:生成证书前需要先同步系统时间,否则后面客户端连接时会报证书错误。

拷贝easy-rsa文件到openvpn目录

[root@openvpn ~]# cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa
[root@openvpn ~]# cd /etc/openvpn/easy-rsa
[root@openvpn /etc/openvpn/easy-rsa]# ll
total 0
lrwxrwxrwx 1 root root  5 Dec 12 16:49 3 -> 3.0.8
lrwxrwxrwx 1 root root  5 Dec 12 16:49 3.0 -> 3.0.8
drwxr-xr-x 3 root root 66 Dec 12 16:49 3.0.8
[root@openvpn /etc/openvpn/easy-rsa]# cd 3
[root@openvpn /etc/openvpn/easy-rsa/3]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
[root@openvpn /etc/openvpn/easy-rsa/3]# ll
total 96
-rwxr-xr-x 1 root root 76946 Dec 12 16:49 easyrsa
-rw-r--r-- 1 root root  4616 Dec 12 16:49 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8925 Dec 12 16:50 vars
drwxr-xr-x 2 root root   122 Dec 12 16:49 x509-types

创建一个新的PKI和CA

#初始化pki空间
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki

#创建一个CA,不使用密码
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
......................................................................................................................+++
.....................................................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:  直接回车

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt

生成服务端证书

[root@openvpn /etc/openvpn/easy-rsa/3]# pwd
/etc/openvpn/easy-rsa/3

#生成服务端证书  nopass表示证书不设置密码
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...........+++
....................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-14815.HmiQ3c/tmp.iyhm0j'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:  直接回车

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3/pki/private/server.key

签发服务端证书

[root@openvpn /etc/openvpn/easy-rsa/3]# pwd
/etc/openvpn/easy-rsa/3

#签发服务端证书 第二个server为自定义名称
[root@openvpn /etc/openvpn/easy-rsa/3]#  ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
    commonName                = server
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes #此处输入yes
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-15525.nCQ4VP/tmp.WnoCLR
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Mar 17 09:01:49 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt

创建diffie-hellman

[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................
......漫长的生成过程.....
................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

使用easy-rsa为openvpn客户端生成相关证书

拷贝easy-rsa文件到openvpn客户端目录

[root@openvpn /etc/openvpn/easy-rsa/3]# cp -r /usr/share/easy-rsa /etc/openvpn/client/easy-rsa
[root@openvpn /etc/openvpn/easy-rsa/3]# cd /etc/openvpn/client/easy-rsa
[root@openvpn /etc/openvpn/client/easy-rsa]# ll
total 0
lrwxrwxrwx 1 root root  5 Dec 12 17:09 3 -> 3.0.8
lrwxrwxrwx 1 root root  5 Dec 12 17:09 3.0 -> 3.0.8
drwxr-xr-x 3 root root 66 Dec 12 17:09 3.0.8
[root@openvpn /etc/openvpn/client/easy-rsa]# cd 3
[root@openvpn /etc/openvpn/client/easy-rsa/3]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars
[root@openvpn /etc/openvpn/client/easy-rsa/3]# ll
total 96
-rwxr-xr-x 1 root root 76946 Dec 12 17:09 easyrsa
-rw-r--r-- 1 root root  4616 Dec 12 17:09 openssl-easyrsa.cnf
-rw-r--r-- 1 root root  8925 Dec 12 17:10 vars
drwxr-xr-x 2 root root   122 Dec 12 17:09 x509-types

生成客户端相关证书

[root@openvpn /etc/openvpn/client/easy-rsa/3]# pwd
/etc/openvpn/client/easy-rsa/3

##初始化pki空间
[root@openvpn /etc/openvpn/client/easy-rsa/3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/client/easy-rsa/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3/pki

#生成客户端证书  osker为自定义名称 nopass表示不设置证书密码
[root@openvpn /etc/openvpn/client/easy-rsa/3]# ./easyrsa gen-req osker nopass
Note: using Easy-RSA configuration from: /etc/openvpn/client/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
..............................................+++
........................+++
writing new private key to '/etc/openvpn/client/easy-rsa/3/pki/easy-rsa-19341.Cy6pk8/tmp.OFFqF4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [osker]:  直接回车

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3/pki/reqs/osker.req
key: /etc/openvpn/client/easy-rsa/3/pki/private/osker.key

签发客户端证书

#切换到服务端的easy-rsa目录下
[root@openvpn /etc/openvpn/client/easy-rsa/3]# cd /etc/openvpn/easy-rsa/3
[root@openvpn /etc/openvpn/easy-rsa/3]# pwd
/etc/openvpn/easy-rsa/3

#将req文件导入
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3/pki/reqs/osker.req osker

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: osker
You may now use this name to perform signing operations on this request.

#签发客户端证书 osker为自定义名称
[root@openvpn /etc/openvpn/easy-rsa/3]# ./easyrsa sign client osker

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 825 days:
subject=
    commonName                = osker
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes  #此处输入yes后回车
  
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-24537.rgR8BK/tmp.K02MR9
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'osker'
Certificate is to be certified until Mar 17 09:26:35 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/osker.crt

整理生成的服务端和客户端相关证书

服务端

[root@openvpn /etc/openvpn/easy-rsa/3]# mkdir /etc/openvpn/certs
[root@openvpn /etc/openvpn/easy-rsa/3]# cd /etc/openvpn/certs
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/dh.pem .
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt .
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/issued/server.crt .
[root@openvpn /etc/openvpn/certs]# cp /etc/openvpn/easy-rsa/3/pki/private/server.key .
[root@openvpn /etc/openvpn/certs]# ll
total 20
-rw------- 1 root root 1172 Dec 12 17:30 ca.crt
-rw------- 1 root root  424 Dec 12 17:30 dh.pem
-rw------- 1 root root 4552 Dec 12 17:30 server.crt
-rw------- 1 root root 1704 Dec 12 17:31 server.key

客户端

[root@openvpn /etc/openvpn/certs]# mkdir /etc/openvpn/client/osker
[root@openvpn /etc/openvpn/certs]# cd /etc/openvpn/client/osker
[root@openvpn /etc/openvpn/client/osker]# cp /etc/openvpn/easy-rsa/3/pki/ca.crt .
[root@openvpn /etc/openvpn/client/osker]# cp /etc/openvpn/easy-rsa/3/pki/issued/osker.crt .
[root@openvpn /etc/openvpn/client/osker]# cp /etc/openvpn/client/easy-rsa/3/pki/private/osker.key .
[root@openvpn /etc/openvpn/client/osker]# ll
total 16
-rw------- 1 root root 1172 Dec 12 17:32 ca.crt
-rw------- 1 root root 4431 Dec 12 17:32 osker.crt
-rw------- 1 root root 1704 Dec 12 17:33 osker.key

配置openvpn 服务端

[root@openvpn /etc/openvpn/client/osker]# cd /etc/openvpn/
[root@openvpn /etc/openvpn]# ll
total 0
drwxr-xr-x 2 root root    70 Dec 12 17:31 certs
drwxr-x--- 4 root openvpn 35 Dec 12 17:31 client
drwxr-xr-x 3 root root    39 Dec 12 16:49 easy-rsa
drwxr-x--- 2 root openvpn  6 Apr 25  2020 server

[root@openvpn /etc/openvpn]# openvpn --genkey --secret /etc/openvpn/ta.key
#需要先执行此命令,否则启动服务时会报如下错误:
Aug 03 15:24:13 qiu-test1 polkitd[592]: Registered Authentication Agent for unix-process:16762:9103163 (system bus name :1.110 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/
Aug 03 15:24:13 qiu-test1 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
-- Subject: Unit openvpn@server.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@server.service has begun starting up.
Aug 03 15:24:13 qiu-test1 systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
Aug 03 15:24:13 qiu-test1 systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
-- Subject: Unit openvpn@server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@server.service has failed.
--
-- The result is failed.
Aug 03 15:24:13 qiu-test1 systemd[1]: Unit openvpn@server.service entered failed state.
Aug 03 15:24:13 qiu-test1 systemd[1]: openvpn@server.service failed.
Aug 03 15:24:13 qiu-test1 polkitd[592]: Unregistered Authentication Agent for unix-process:16762:9103163 (system bus name :1.110, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, l

[root@openvpn /etc/openvpn]# vim server.conf
[root@openvpn /etc/openvpn]# cat server.conf
local 0.0.0.0     #监听地址
port 1194         #监听端口
proto tcp         #指定协议(可以指定udp,udp比tcp快)
dev tun           #采用路由隧道模式

ca /etc/openvpn/certs/ca.crt       #ca证书路径
cert /etc/openvpn/certs/server.crt #服务器证书
key /etc/openvpn/certs/server.key  #服务器密钥 This file should be kept secret
dh /etc/openvpn/certs/dh.pem       #密钥交换协议文件

server 10.8.0.0 255.255.255.0      #给客户端分配地址池,注意:不能和VPN服务器内网网段有相同
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 192.168.199.0 255.255.0.0"     #推送路由,根据实际情况修改
push "redirect-gateway def1 bypass-dhcp"   #客户端网关使用openvpn服务器网关(建议关闭)
push "dhcp-option DNS 192.168.199.1"       #指定dns
push "dhcp-option DNS 114.114.114.114"
client-to-client                           #客户端之间互相通信

keepalive 10 120       #心跳检测,10秒检测一次,2分钟内没有回应则视为断线
#tls-auth ta.key 0     #服务端值为0,客户端为1
cipher AES-256-CBC
comp-lzo               #传输数据压缩
max-clients 100        #最多允许 100 客户端连接
#user openvpn       #运行openvpn进程的用户
#group openvpn      #运行openvpn进程的用户组
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
mute 20

若需要账号密码认证,需要在openvpn服务端配置如下步骤

server.conf中添加如下内容:

# use username and password login
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required  #如果加上client-cert-not-required则代表只使用用户名密码方式验证登录,如果不加,则代表需要证书和用户名密码双重验证登录
username-as-common-name

若需要指定客户端获取指定ip地址,需要在server配置文件中加入如下配置

client-config-dir /etc/openvpn/ccd/

同时需要创建ccd目录,在ccd目录下添加以客户端为用户名的文件,文件中写入需要分配的ip:10.8.0.21(注意,openvpn默认的子网掩码是255.255.255.252,所以要注意你需要分配的IP的可用性)
例:给osker用户分配10.8.0.21

cat /etc/openvpn/ccd/osker
ifconfig-push 10.8.0.21 10.8.0.22

同时创建密码检测脚本checkpsw.sh 到对应路径下/etc/openvpn/

[root@openvpn /etc/openvpn]# vim /etc/openvpn/checkpsw.sh
[root@openvpn /etc/openvpn]# chmod +x /etc/openvpn/checkpsw.sh
[root@openvpn /etc/openvpn]# cat /etc/openvpn/checkpsw.sh
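#!/bin/sh
###########################################################
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it through "auth-user-pass-verify ... via-env",
# so the submitted credentials arrive in the environment
# variables `username` and `password`. Exit status 0 accepts
# the login, any other status rejects it.
#
# PASSFILE holds cleartext passwords: keep it readable by
# root only. LOG_FILE records the outcome of every attempt
# but never the submitted password.
###########################################################
PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"                 # account/password file
LOG_FILE="${LOG_FILE:-/etc/openvpn/openvpn-password.log}"     # authentication log
TIME_STAMP=$(date "+%Y-%m-%d %T")
###########################################################

# Files created by this script (the log on first use) are owner-only.
umask 077

# Append one timestamped line to the log.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$*" >> "${LOG_FILE}"
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# An empty username can never match a real account; reject it before the
# lookup so the awk comparison below never sees an empty key.
if [ -z "${username}" ]; then
  log "Empty username supplied."
  exit 1
fi

# Look the user up with the name taken from awk's ENVIRON instead of
# splicing it into the program text: the value comes from the remote
# client, and interpolating it into the awk source would let a crafted
# username change the program itself. Lines starting with ';' or '#'
# are comments; the first matching row wins.
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")
if [ -z "${CORRECT_PASSWORD}" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi
# The wrong password is deliberately not logged: a failed attempt is often a
# near-miss of the real secret.
log "Incorrect password: username=\"${username}\"."
exit 1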

注意:需要为sh文件添加可执行权限

添加账号密码文件

[root@openvpn /etc/openvpn]# vim /etc/openvpn/psw-file
[root@openvpn /etc/openvpn]# cat /etc/openvpn/psw-file
osker 123456
qiu 654321
账户 密码

开启IP路由转发

[root@openvpn /etc/openvpn]# echo "net.ipv4.ip_forward=1" >>/etc/sysctl.conf
[root@openvpn /etc/openvpn]# sysctl -p
net.ipv4.ip_forward = 1

iptables设置NAT规则

[root@openvpn /etc/openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

#保存iptables规则
#centos7系统下
[root@openvpn ~]# iptables-save > /etc/sysconfig/iptables
[root@openvpn ~]# echo "iptables-restore < /etc/sysconfig/iptables" >> /etc/rc.d/rc.local
[root@openvpn ~]# chmod +x /etc/rc.d/rc.local

[root@openvpn /etc/openvpn]# iptables  -vnL -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 1434 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2 packets, 1434 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 262 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       10.8.0.0/24          0.0.0.0/0

启动openvpn

[root@openvpn /etc/openvpn]# systemctl start openvpn@server
[root@openvpn /etc/openvpn]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-12-12 17:50:43 CST; 6s ago
 Main PID: 33430 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─33430 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Dec 12 17:50:43 openvpn systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Dec 12 17:50:43 openvpn systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

[root@openvpn /etc/openvpn]# netstat -lntup |grep openvpn
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      33430/openvpn

路由器配置端口转发

添加端口转发:

外部IP为:27.10.217.105,外部端口21194转发到内网IP:192.168.199.161的TCP协议的1194端口

客户端使用

下载openvpn软件

1 windows

2 mac

3 linux

4 IOS

5 Android

配置openvpn客户端

客户端不带账号密码认证方式

#vim osker.ovpn
client
dev tun
proto tcp
remote 27.10.217.105 21194  #openvpn服务端外网ip或域名 端口
comp-lzo
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3

key-direction 1
cipher AES-256-CBC
#可选1 将相关证书下载到本地或者将证书内容粘贴到对应的位置
#ca ca.crt         #ca证书路径
#cert osker.crt   #client的证书
#key osker.key    #client的密钥

#可选2
<ca>
-----BEGIN CERTIFICATE-----
#此处为ca证书内容
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
#此处为客户端证书
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
#此处为客户端密钥
-----END PRIVATE KEY-----
</key>

客户端带账号密码认证方式

在客户端配置文件中增加如下参数

auth-user-pass

参考链接:

https://www.ilanni.com/?p=9847
https://olei.me/907/
https://openvpn.net/community-downloads/
https://www.bbsmax.com/A/kPzOX038Jx/

docker安装openvpn

安装docker

# Install Docker CE from the upstream yum repo, with the download host
# switched to the Tsinghua mirror, then enable and start the daemon.
repo=/etc/yum.repos.d/docker-ce.repo
wget -O "$repo" https://download.docker.com/linux/centos/docker-ce.repo
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' "$repo"
yum -y install docker-ce
systemctl enable docker
systemctl start docker

部署docker服务

# Host directory that every container invocation below mounts at /etc/openvpn.
OVPN_DATA="/data/openvpn"
# Create it and work from inside it.
mkdir -p "${OVPN_DATA}"
cd "${OVPN_DATA}"
# Generate the server configuration in TCP mode; replace the placeholder
# with the server's public IP.
docker run --rm -v "${OVPN_DATA}:/etc/openvpn" kylemanna/openvpn ovpn_genconfig -u tcp://your_public_ip
Unable to find image 'kylemanna/openvpn:latest' locally
latest: Pulling from kylemanna/openvpn
188c0c94c7c5: Pull complete
e470f824352c: Pull complete
d6ed0c7c142e: Pull complete
74586f3c5cd4: Pull complete
cb26244a2b2a: Pull complete
Digest: sha256:643531abb010a088f1e23a1c99d44f0bd417a3dbb483f809caf4396b5c9829a0
Status: Downloaded newer image for kylemanna/openvpn:latest
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Successfully generated config
Cleaning up before Exit ...


# Build the PKI (CA key and certificate, DH parameters, CRL); this prompts for
# a CA passphrase, which later signing steps ask for again.
docker run --rm -it -v "${OVPN_DATA}:/etc/openvpn" kylemanna/openvpn ovpn_initpki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Enter New CA Key Passphrase: #输入一个密码
Re-Enter New CA Key Passphrase: #再次输入密码
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................+++++
..................................................................+++++
e is 65537 (0x010001)
......
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #直接回车
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
Enter pass phrase for /etc/openvpn/pki/private/ca.key: #输入刚才设置的密码
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-149.bMMPdD/tmp.HkIppk
Enter pass phrase for /etc/openvpn/pki/private/ca.key: #输入刚才设置的密码
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem

# Issue a client certificate named cqcd (use any name you like);
# "nopass" leaves the client's private key unencrypted.
docker run --rm -it -v "${OVPN_DATA}:/etc/openvpn" kylemanna/openvpn easyrsa build-client-full cqcd nopass
Using SSL: openssl OpenSSL 1.1.1g  21 Apr 2020
Generating a RSA private key
...........................................................................................................................+++++
.......................................................................................................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.FKncgO/tmp.fNneAN'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.FKncgO/tmp.jgCkjI
Enter pass phrase for /etc/openvpn/pki/private/ca.key: #输入之前设置的密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'cqcd'
Certificate is to be certified until Sep 20 03:26:00 2023 GMT (825 days)
Write out database with 1 new entries
Data Base Updated

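# Export the client profile. It carries the client's key material, so the
# file is created owner-readable only (the umask applies to the redirect target).
(
  umask 077
  docker run --rm -v "${OVPN_DATA}:/etc/openvpn" kylemanna/openvpn ovpn_getclient cqcd > "${OVPN_DATA}/cqcd.ovpn"
)

# Start the server (host TCP 1194 -> container 1194). The container only has
# to manage its tun interface and routes, so grant CAP_NET_ADMIN rather than
# --privileged, which would hand it every host capability and device.
docker run --name openvpn -v "${OVPN_DATA}:/etc/openvpn" -d -p 1194:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn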

docker ps
CONTAINER ID   IMAGE               COMMAND      CREATED          STATUS          PORTS                                                 NAMES
140be3bafea7   kylemanna/openvpn   "ovpn_run"   26 minutes ago   Up 26 minutes   1194/udp, 0.0.0.0:1194->1194/tcp, :::1194->1194/tcp   openvpn

脚本搭建

[root@openvpn ~]# cat openvpn-install.sh
#!/bin/bash
#
# https://github.com/Nyr/openvpn-install
#
# Copyright (c) 2013 Nyr. Released under the MIT License.


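# Print the given message and stop with a non-zero status, so that a wrapper
# or a `set -e` caller can tell an aborted run from a successful one (a bare
# `exit` would report success on every one of the failure paths below).
abort() {
        echo "$1"
        exit 1
}

# Distributions that are too old for the current script.
if grep -qs "14.04" /etc/os-release; then
        abort "Ubuntu 14.04 is too old and not supported"
fi

if grep -qs "jessie" /etc/os-release; then
        abort "Debian 8 is too old and not supported"
fi

if grep -qs "CentOS release 6" /etc/redhat-release; then
        abort "CentOS 6 is too old and not supported"
fi

if grep -qs "Ubuntu 16.04" /etc/os-release; then
        abort 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604'
fi

# Detect Debian users running the script with "sh" instead of bash; the
# [[ ]] tests below are bash-only.
if readlink /proc/$$/exe | grep -q "dash"; then
        abort "This script needs to be run with bash, not sh"
fi

if [[ "$EUID" -ne 0 ]]; then
        abort "Sorry, you need to run this as root"
fi

if [[ ! -e /dev/net/tun ]]; then
        abort "The TUN device is not available
You need to enable TUN before running this script"
fi

# Listing the NAT table is the probe for a usable netfilter NAT before any
# firewall rule is touched.
if ! iptables -t nat -nL &>/dev/null; then
        abort "Unable to initialize the iptables/netfilter NAT table, setup can't continue.
Make sure that your system has iptables/netfilter available.
If using OpenVZ, ask your provider to enable full netfilter support."
fi

# os and group_name are read further down (package removal and the chown of
# the CRL file respectively).
if [[ -e /etc/debian_version ]]; then
        os="debian"
        group_name="nogroup"
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
        os="centos"
        group_name="nobody"
else
        abort "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
fi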

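new_client () {
        # Assembles $HOME/NAME.ovpn for the client named in $1 by inlining the
        # CA certificate, the client's certificate and private key and the
        # tls-crypt key into the common client template.
        #
        # Arguments: $1 - client name (sanitised by the caller)
        # Outputs:   writes $HOME/$1.ovpn; nothing on stdout
        #
        # The profile embeds two secrets (the client key and the tls-crypt
        # key), so it is written under umask 077 and forced to 0600 afterwards
        # in case a previous copy already existed with looser permissions.
        local name=$1
        local profile="$HOME/$name.ovpn"
        (
                umask 077
                {
                cat /etc/openvpn/server/client-common.txt
                echo "<ca>"
                cat /etc/openvpn/server/easy-rsa/pki/ca.crt
                echo "</ca>"
                echo "<cert>"
                # Keep only the PEM block (from its BEGIN line to end of file).
                sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$name".crt
                echo "</cert>"
                echo "<key>"
                cat /etc/openvpn/server/easy-rsa/pki/private/"$name".key
                echo "</key>"
                echo "<tls-crypt>"
                # Same for the static key: drop whatever precedes its header.
                sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
                echo "</tls-crypt>"
                } > "$profile"
        )
        chmod 600 "$profile"
}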

if [[ -e /etc/openvpn/server/server.conf ]]; then
        while :
        do
        clear
                echo "Looks like OpenVPN is already installed."
                echo
                echo "What do you want to do?"
                echo "   1) Add a new user"
                echo "   2) Revoke an existing user"
                echo "   3) Remove OpenVPN"
                echo "   4) Exit"
                read -p "Select an option: " option
                until [[ "$option" =~ ^[1-4]$ ]]; do
                        echo "$option: invalid selection."
                        read -p "Select an option: " option
                done
                case "$option" in
                        1)
                        echo
                        echo "Tell me a name for the client certificate."
                        read -p "Client name: " unsanitized_client
                        client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
                        while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
                                echo "$client: invalid client name."
                                read -p "Client name: " unsanitized_client
                                client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
                        done
                        cd /etc/openvpn/server/easy-rsa/
                        EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
                        # Generates the custom client.ovpn
                        new_client "$client"
                        echo
                        echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
                        exit
                        ;;
                        2)
                        # This option could be documented a bit better and maybe even be simplified
                        # ...but what can I say, I want some sleep too
                        number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
                        if [[ "$number_of_clients" = 0 ]]; then
                                echo
                                echo "You have no existing clients!"
                                exit
                        fi
                        echo
                        echo "Select the existing client certificate you want to revoke:"
                        tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
                        read -p "Select one client: " client_number
                        until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do
                                echo "$client_number: invalid selection."
                                read -p "Select one client: " client_number
                        done
                        client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
                        echo
                        read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
                        until [[ "$revoke" =~ ^[yYnN]*$ ]]; do
                                echo "$revoke: invalid selection."
                                read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
                        done
                        if [[ "$revoke" =~ ^[yY]$ ]]; then
                                cd /etc/openvpn/server/easy-rsa/
                                ./easyrsa --batch revoke "$client"
                                EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
                                rm -f pki/reqs/"$client".req
                                rm -f pki/private/"$client".key
                                rm -f pki/issued/"$client".crt
                                rm -f /etc/openvpn/server/crl.pem
                                cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
                                # CRL is read with each client connection, when OpenVPN is dropped to nobody
                                chown nobody:"$group_name" /etc/openvpn/server/crl.pem
                                echo
                                echo "Certificate for client $client revoked!"
                        else
                                echo
                                echo "Certificate revocation for client $client aborted!"
                        fi
                        exit
                        ;;
                        3)
                        # Menu option 3: tear down everything the installer created
                        # (firewall/NAT rules, SELinux port label, systemd units, the PKI
                        # directory and the openvpn package).
                        echo
                        read -p "Do you really want to remove OpenVPN? [y/N]: " remove
                        until [[ "$remove" =~ ^[yYnN]*$ ]]; do
                                echo "$remove: invalid selection."
                                read -p "Do you really want to remove OpenVPN? [y/N]: " remove
                        done
                        if [[ "$remove" =~ ^[yY]$ ]]; then
                                # Port and protocol are read back from the live server.conf so
                                # exactly the rules written at install time can be removed.
                                port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
                                protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
                                if pgrep firewalld; then
                                        # Recover the SNAT target from the text of the direct rule
                                        # itself (field 10). NOTE(review): if the rule is absent or
                                        # formatted differently, $ip is empty and the --remove-rule
                                        # calls below are issued with an empty --to target.
                                        ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
                                        # Using both permanent and not permanent rules to avoid a firewalld reload.
                                        firewall-cmd --remove-port="$port"/"$protocol"
                                        firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
                                        firewall-cmd --permanent --remove-port="$port"/"$protocol"
                                        firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
                                        firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                                        firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                                else
                                        # Non-firewalld hosts got a oneshot unit holding the iptables
                                        # rules; stopping it runs its ExecStop= deletions.
                                        systemctl disable --now openvpn-iptables.service
                                        rm -f /etc/systemd/system/openvpn-iptables.service
                                fi
                                # The custom SELinux port label is only ever added for a
                                # non-default port, so only remove it in that case.
                                if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
                                        semanage port -d -t openvpn_port_t -p "$protocol" "$port"
                                fi
                                systemctl disable --now openvpn-server@server.service
                                # This deletes the entire PKI (CA key, issued certificates, CRL,
                                # tls-crypt key) with no backup. A later reinstall builds a new CA,
                                # so existing client profiles cannot be reused.
                                rm -rf /etc/openvpn/server
                                rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
                                rm -f /etc/sysctl.d/30-openvpn-forward.conf
                                # $os is determined earlier in the script.
                                if [[ "$os" = "debian" ]]; then
                                        apt-get remove --purge -y openvpn
                                else
                                        yum remove openvpn -y
                                fi
                                echo
                                echo "OpenVPN removed!"
                        else
                                echo
                                echo "Removal aborted!"
                        fi
                        exit
                        ;;
                        4) exit;;
                esac
        done
else
        # Fresh-install path: ask a few questions, install packages, build a PKI with
        # easy-rsa, write server.conf, open the firewall and NAT, label the SELinux
        # port, write the client template and emit the first client profile via
        # new_client (defined elsewhere in this script).
        clear
        echo "Welcome to this OpenVPN "road warrior" installer!"
        echo
        echo "I need to ask you a few questions before starting setup."
        echo "You can use the default options and just press enter if you are ok with them."
        # If system has a single IPv4, it is selected automatically. Else, ask the user
        # (loopback 127.x.x.x addresses are filtered out of the candidate list).
        if [[ $(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then
                ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
        else
                number_of_ips=$(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
                echo
                echo "What IPv4 address should the OpenVPN server bind to?"
                ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') '
                read -p "IPv4 address [1]: " ip_number
                # NOTE(review): only an upper bound is enforced, so "0" is accepted; GNU sed
                # rejects line address 0 below and $ip would end up empty. A lower bound of
                # 1 is needed here as well.
                until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ips" ]]; do
                        echo "$ip_number: invalid selection."
                        read -p "IPv4 address [1]: " ip_number
                done
                [[ -z "$ip_number" ]] && ip_number="1"
                ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p)
        fi
        # If $IP is a private IP address, the server must be behind NAT
        if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
                echo
                echo "This server is behind NAT. What is the public IPv4 address or hostname?"
                # The suggested default is fetched over plain HTTP, i.e. unauthenticated.
                # It is only a prompt default, but whatever is accepted here becomes the
                # "remote" endpoint written into every client profile below, so check it
                # before pressing enter.
                get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
                read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
                [ -z "$public_ip" ] && public_ip="$get_public_ip"
        fi
        echo
        echo "Which protocol do you want for OpenVPN connections?"
        echo "   1) UDP (recommended)"
        echo "   2) TCP"
        read -p "Protocol [1]: " protocol
        until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do
                echo "$protocol: invalid selection."
                read -p "Protocol [1]: " protocol
        done
        case "$protocol" in
                1|"")
                protocol=udp
                ;;
                2)
                protocol=tcp
                ;;
        esac
        echo
        echo "What port do you want OpenVPN listening to?"
        read -p "Port [1194]: " port
        # NOTE(review): "0" and zero-padded values such as "01194" pass this check; the
        # SELinux test further down compares the string literally against 1194.
        until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do
                echo "$port: invalid selection."
                read -p "Port [1194]: " port
        done
        [[ -z "$port" ]] && port="1194"
        echo
        echo "Which DNS do you want to use with the VPN?"
        echo "   1) Current system resolvers"
        echo "   2) 1.1.1.1"
        echo "   3) Google"
        echo "   4) OpenDNS"
        echo "   5) Verisign"
        read -p "DNS [1]: " dns
        until [[ -z "$dns" || "$dns" =~ ^[1-5]$ ]]; do
                echo "$dns: invalid selection."
                read -p "DNS [1]: " dns
        done
        echo
        echo "Finally, tell me a name for the client certificate."
        read -p "Client name [client]: " unsanitized_client
        # Allow a limited set of characters to avoid conflicts
        # The name becomes the easy-rsa certificate name and the ~/<name>.ovpn file
        # name, so every character outside [0-9A-Za-z_-] is replaced with "_" first.
        # NOTE(review): a leading "-" survives this filter; confirm easyrsa does not
        # treat such a name as an option.
        client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
        [[ -z "$client" ]] && client="client"
        echo
        echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
        read -n1 -r -p "Press any key to continue..."
        # If running inside a container, disable LimitNPROC to prevent conflicts
        if systemd-detect-virt -cq; then
                mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null
                echo "[Service]
LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
        fi
        # $os is determined earlier in the script.
        if [[ "$os" = "debian" ]]; then
                apt-get update
                apt-get install openvpn iptables openssl ca-certificates -y
        else
                # Else, the distro is CentOS
                yum install epel-release -y
                yum install openvpn iptables openssl ca-certificates -y
        fi
        # Get easy-rsa
        # Supply chain: the tarball is pinned to v3.0.5 and fetched over HTTPS from
        # GitHub, but no checksum or signature is verified - TLS to github.com is the
        # only integrity control - and the archive is extracted into ~ unchecked.
        easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
        wget -O ~/easyrsa.tgz "$easy_rsa_url" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$easy_rsa_url"
        tar xzf ~/easyrsa.tgz -C ~/
        mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
        mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
        chown -R root:root /etc/openvpn/server/easy-rsa/
        rm -f ~/easyrsa.tgz
        cd /etc/openvpn/server/easy-rsa/
        # Create the PKI, set up the CA and the server and client certificates
        # The CA key is created without a passphrase ("nopass") so later menu runs can
        # issue and revoke client certificates non-interactively. Server and client
        # certificates, and the CRL, are valid for 10 years.
        ./easyrsa init-pki
        ./easyrsa --batch build-ca nopass
        EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
        EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
        EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
        # Move the stuff we need
        # NOTE(review): ca.key is copied next to the server key although the
        # server.conf written below references only ca.crt, so the unencrypted CA key
        # now exists in two places on the VPN host; whoever compromises the host can
        # mint client certificates. Confirm nothing uses this copy and drop it.
        cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
        # CRL is read with each client connection, when OpenVPN is dropped to nobody
        chown nobody:"$group_name" /etc/openvpn/server/crl.pem
        # Generate key for tls-crypt
        # Pre-shared key used by "tls-crypt tc.key" in server.conf to encrypt and
        # authenticate the control channel; a client needs the same key before a
        # handshake is even attempted (presumably inlined by new_client - confirm).
        openvpn --genkey --secret /etc/openvpn/server/tc.key
        # Create the DH parameters file using the predefined ffdhe2048 group
        # (a published, fixed group; it is not secret, so embedding it here is fine)
        echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
        # Generate server.conf
        # Binds to the selected interface address, uses HMAC-SHA512 for packet
        # authentication, wraps the control channel with tls-crypt and hands out
        # 10.8.0.0/24 (this subnet is hard-coded here and in every firewall rule below).
        echo "local $ip
port $port
proto $protocol
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
        # Full tunnel: clients send all their traffic through the VPN.
        echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
        # DNS
        case "$dns" in
                1|"")
                # Locate the proper resolv.conf
                # Needed for systems running systemd-resolved
                if grep -q "127.0.0.53" "/etc/resolv.conf"; then
                        resolv_conf="/run/systemd/resolve/resolv.conf"
                else
                        resolv_conf="/etc/resolv.conf"
                fi
                # Obtain the resolvers from resolv.conf and use them for OpenVPN
                # NOTE(review): unlike the address selection above, loopback resolvers
                # are not filtered here; a local 127.0.0.1 resolver (e.g. dnsmasq) would
                # be pushed to clients, where it points at the client's own loopback.
                grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
                        echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
                done
                ;;
                2)
                echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
                ;;
                3)
                echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
                ;;
                4)
                echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
                ;;
                5)
                echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
                echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
                ;;
        esac
        # Data-channel cipher, privilege drop and revocation checking.
        # NOTE(review): AES-256-CBC with HMAC-SHA512 is the configured (non-AEAD)
        # setting; OpenVPN 2.4+ may negotiate AES-256-GCM with capable clients, so
        # check the effective cipher in the log. persist-key/persist-tun presumably
        # let the process restart after it has dropped to nobody without re-reading
        # key material; crl-verify enforces revocations produced by menu option 2.
        echo "keepalive 10 120
cipher AES-256-CBC
user nobody
group $group_name
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server/server.conf
        if [[ "$protocol" = "udp" ]]; then
                echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
        fi
        # Enable net.ipv4.ip_forward for the system
        echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
        # Enable without waiting for a reboot or service restart
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # Firewall and NAT. At this point $ip is still the local interface address
        # (the public address only replaces it further down), which is exactly what
        # the SNAT target needs - keep this ordering.
        if pgrep firewalld; then
                # Using both permanent and not permanent rules to avoid a firewalld
                # reload.
                # We don't use --add-service=openvpn because that would only work with
                # the default port and protocol.
                firewall-cmd --add-port="$port"/"$protocol"
                # The whole VPN subnet is placed in the "trusted" zone, so clients may
                # reach every service on this host, not only the tunnel endpoint.
                firewall-cmd --zone=trusted --add-source=10.8.0.0/24
                firewall-cmd --permanent --add-port="$port"/"$protocol"
                firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
                # Set NAT for the VPN subnet
                firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
        else
                # Create a service to set up persistent iptables rules
                # The FORWARD rule accepts anything sourced from 10.8.0.0/24 with no
                # destination restriction, so clients can reach every network this host
                # routes to; narrow it if the VPN is not meant to expose the LAN.
                echo "[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStart=/sbin/iptables -I INPUT -p $protocol --dport $port -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
                systemctl enable --now openvpn-iptables.service
        fi
        # If SELinux is enabled and a custom port was selected, we need this
        if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
                # Install semanage if not already present
                if ! hash semanage 2>/dev/null; then
                        if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then
                                yum install policycoreutils-python -y
                        else
                                yum install policycoreutils-python-utils -y
                        fi
                fi
                semanage port -a -t openvpn_port_t -p "$protocol" "$port"
        fi
        # If the server is behind a NAT, use the correct IP address
        # From here on $ip is the endpoint clients connect to, not the bind address.
        if [[ "$public_ip" != "" ]]; then
                ip="$public_ip"
        fi
        # client-common.txt is created so we have a template to add further users later
        # remote-cert-tls server rejects a peer whose certificate does not carry the
        # server role, so a stolen client certificate cannot impersonate the server.
        # auth/cipher must match server.conf. block-outside-dns is a Windows client
        # anti-leak option; the ignore-unknown-option line keeps other clients from
        # rejecting the profile. Certificates and the tls-crypt key are presumably
        # inlined into the final .ovpn by new_client - confirm.
        echo "client
dev tun
proto $protocol
remote $ip $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3" > /etc/openvpn/server/client-common.txt
        # Enable and start the OpenVPN service
        systemctl enable --now openvpn-server@server.service
        # Generates the custom client.ovpn
        new_client "$client"
        echo
        echo "Finished!"
        echo
        echo "Your client configuration is available at:" ~/"$client.ovpn"
        echo "If you want to add more clients, just run this script again!"
fi
