#环境信息
root@server:~# cat /etc/os-release |grep PRETTY_NAME
PRETTY_NAME="Ubuntu 24.04.4 LTS"
root@server01:/data/openvpn# openvpn --version
OpenVPN 2.6.19 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_unit_tests=no enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no
证书配置
在openvpn server服务器上运行
生成CA证书及服务器证书
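# Install easy-rsa and build the CA plus the server certificate.
apt-get update
apt-get install easy-rsa -y
# -p so the snippet can be re-run; abort if the directory is not usable,
# otherwise every easy-rsa call below would run in the wrong directory.
mkdir -p /data/openvpn
cd /data/openvpn || exit 1
# Key algorithm and password handed to easy-rsa. The "nopass" arguments below
# leave the generated private keys unencrypted, so EASYRSA_PASS is effectively
# unused here; drop "nopass" if the CA key should be protected by it.
# "123456" is a placeholder value from the tutorial — replace it before use.
export EASYRSA_ALGO="rsa"
export EASYRSA_PASS="123456"
rsabin="/usr/share/easy-rsa/easyrsa"
# Create the PKI and the CA. The CA private key ends up in pki/private/ca.key
# on this host; whoever can read it can issue certificates trusted by every
# peer, so that directory has to stay root-only (or the CA kept off-box).
"$rsabin" init-pki
"$rsabin" --batch --passin="pass:$EASYRSA_PASS" --passout="pass:$EASYRSA_PASS" build-ca nopass
"$rsabin" gen-dh
# Print the CA certificate so subject and validity can be checked.
openssl x509 -in pki/ca.crt -text -noout
# Server certificate. easy-rsa's "server" type adds the serverAuth EKU, which
# is what lets clients verify the peer with "remote-cert-tls server".
"$rsabin" --batch --passin="pass:$EASYRSA_PASS" build-server-full openserver01 nopass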
生成客户端证书及配置
这里将openvpn客户端的配置和证书都放到了ovpn文件中
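# Issue a client certificate and bundle it with the client config into a
# single .ovpn file (CA cert, client cert and client key inline).
cd /data/openvpn || exit 1
# Same placeholder password as for the CA; "nopass" keeps the client key
# unencrypted, so the .ovpn produced below is itself the secret.
export EASYRSA_ALGO="rsa"
export EASYRSA_PASS="123456"
rsabin="/usr/share/easy-rsa/easyrsa"
# Name of the client to issue a certificate for.
clientName="client01"
"$rsabin" --batch --passin="pass:$EASYRSA_PASS" build-client-full "$clientName" nopass
mkdir -p client
ovpn="client/$clientName.ovpn"
# The bundle embeds the client's private key, so create it unreadable to other
# users. umask is changed inside a subshell so the caller's shell is untouched,
# and the whole file is written through one redirection instead of a chain of
# appends (no partially written file, no temporary copy of the cert in /tmp).
(
  umask 077
  {
    cat <<'EOF'
client
dev tun
remote 81.70.145.133 10005 udp
remote 81.70.145.133 10005 tcp
connect-timeout 10
user openvpn
group openvpn
# after dropping to user/group openvpn the process cannot re-open the tun
# device or re-read key material on a restart; keep both
persist-key
persist-tun
# only accept a server certificate issued with the serverAuth EKU, so another
# client certificate from the same CA cannot impersonate the server
remote-cert-tls server
verb 3
keepalive 10 60
compress lz4
EOF
    printf '\n<ca>\n'
    cat pki/ca.crt
    printf '</ca>\n<cert>\n'
    # re-encode as bare PEM: easy-rsa's issued .crt carries a text header
    openssl x509 -in "pki/issued/${clientName}.crt" -outform PEM
    printf '</cert>\n<key>\n'
    cat "pki/private/$clientName.key"
    printf '</key>\n'
  } > "$ovpn"
)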
生成的证书在/data/openvpn/client下,将其拷贝到openvpn客户端的机器上加载,也可以在其他平台的客户端上直接使用。
吊销客户端证书
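# Revoke a client certificate and regenerate the CRL referenced by the
# server's crl-verify option.
cd /data/openvpn || exit 1
export EASYRSA_ALGO="rsa"
export EASYRSA_PASS="123456"
rsabin="/usr/share/easy-rsa/easyrsa"
# Name of the client whose certificate is being revoked.
clientName="client01"
"$rsabin" --passin="pass:$EASYRSA_PASS" revoke "$clientName"
"$rsabin" --passin="pass:$EASYRSA_PASS" gen-crl
# Verify the new CRL's signature against the CA and list the revoked serials.
openssl crl -in pki/crl.pem -text -noout -CAfile pki/ca.crt
# NOTE(review): the server re-reads the crl-verify file after it has dropped
# privileges to user openvpn, so confirm pki/crl.pem (and the pki directory)
# is readable by that user — otherwise the revocation will not be picked up.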
吊销客户端后,需要重启openvpn服务端后才能生效
安装openvpn服务端
#开启ipv4路由转发
root@server:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
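apt-get install openvpn -y
# Unprivileged account the daemon drops to (server.conf: user/group openvpn).
# Guarded so the snippet can be re-run; if an openvpn user already exists
# (for example one created by the package), the existing one is kept.
id openvpn >/dev/null 2>&1 || useradd -u 6000 -s /usr/sbin/nologin -M openvpn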
生成服务端配置
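# Server configuration. Paths point at the easy-rsa PKI built earlier; the key
# under pki/private is read as root before "user openvpn" drops privileges.
# NOTE(review): crl-verify is re-read when the file changes, which happens
# after the privilege drop — confirm pki/crl.pem is readable by user openvpn.
tee /data/openvpn/server.conf <<'EOF'
port 10005
proto udp
dev tun
ca /data/openvpn/pki/ca.crt
cert /data/openvpn/pki/issued/openserver01.crt
key /data/openvpn/pki/private/openserver01.key
dh /data/openvpn/pki/dh.pem
#吊销的客户端列表
crl-verify /data/openvpn/pki/crl.pem
#虚拟网络网段
server 10.1.0.0 255.255.255.0
#client-config-dir ccd
#route 172.16.0.0 255.240.0.0
#客户端访问以下网段/IP时,将流量转发给服务端
push "route 172.20.0.0 255.255.248.0"
push "route 8.8.8.8 255.255.255.255"
keepalive 10 60
user openvpn
group openvpn
# after dropping to user/group openvpn the process can no longer re-read the
# key file or re-open the tun device; keep both across restarts
persist-key
persist-tun
# only accept peer certificates issued with the clientAuth EKU, so a server
# certificate from the same CA cannot be used to connect as a client
remote-cert-tls client
verb 3
compress lz4
EOF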
systemd服务配置
# Install a systemd unit for the server and start it.
# NOTE(review): the openvpn package ships its own openvpn.service / openvpn@.service
# units; a file of the same name under /etc/systemd/system takes precedence over
# the packaged one — confirm that is intended.
# The unit runs openvpn as root (no User=), so AmbientCapabilities is only
# relevant if a User= line is added later; the privilege drop itself is done
# by the user/group options in server.conf.
unit_file="/etc/systemd/system/openvpn.service"
tee "$unit_file" <<'EOF'
[Unit]
Description=OpenVPN Server
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
RuntimeDirectory=openvpn
ExecStart=/usr/sbin/openvpn --config /data/openvpn/server.conf --writepid /run/openvpn/server.pid
PIDFile=/run/openvpn/server.pid
Restart=always
RestartSec=3
# 授予创建网卡的权限
AmbientCapabilities=CAP_NET_ADMIN
[Install]
WantedBy=multi-user.target
EOF
# Pick up the new unit, enable it at boot, and (re)start it now.
systemctl daemon-reload
systemctl enable openvpn
systemctl restart openvpn
查看运行状态
# Follow the server log live, or show the last 50 entries.
journalctl -fu openvpn.service
journalctl -n 50 -u openvpn.service
配置nat转发
有很多时候需要通过openvpn服务端访问公网的其他网站,公网没有办法配置回程路由。
所以将流量改为nat模式
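# NAT the VPN client range out of the uplink interface. Adjust these to match
# the "server" network in server.conf and the host's public interface.
vpn_net="10.1.0.0/24"
wan_if="eth0"
tun_if="tun0"
# Each rule is added only if it is not already present (-C), so re-running this
# snippet (e.g. from a boot script) does not accumulate duplicate rules.
iptables -t nat -C POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
# 允许 tun0 的流量转发出去
# This forwards anything arriving from the tunnel to any destination; narrow
# it with -s/-d if clients should only reach specific networks.
iptables -C FORWARD -i "$tun_if" -j ACCEPT 2>/dev/null \
  || iptables -A FORWARD -i "$tun_if" -j ACCEPT
# 允许已建立连接的反向流量回来
iptables -C FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
  || iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# NOTE(review): -A appends; if FORWARD already ends in a DROP rule (Docker adds
# one), these rules land after it and never match — use -I in that case.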
需要将这个iptables命令加到开机启动里
配置方式:https://www.aliencn.net/archives/413/cn/Ubuntu-rc-localkaijijiaoben
这样所有通过虚拟网卡的流量都会nat为服务端的地址,包括访问内网的流量。
Linux客户端部署
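apt-get update
apt-get install openvpn -y
# Unprivileged account the client drops to (user/group openvpn in the .ovpn).
# Guarded so the snippet can be re-run without useradd failing.
id openvpn >/dev/null 2>&1 || useradd -u 6000 -s /usr/sbin/nologin -M openvpn
# The .ovpn copied here embeds the client's private key; keep the directory
# root-only. openvpn reads the config as root before dropping privileges.
mkdir -p /data/openvpnClient/
chmod 700 /data/openvpnClient/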
将在服务端的/data/openvpn/client目录下生成的ovpn文件拷贝到当前机器的/data/openvpnClient/目录下
systemd服务配置
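# Install a systemd unit for the client and start it.
# The --config path below must match the file copied into /data/openvpnClient/:
# the generator writes <clientName>.ovpn, so either rename that file to
# client.conf or change the path here.
tee /etc/systemd/system/openvpnClient.service <<'EOF'
[Unit]
Description=OpenVPN Client
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
# own runtime directory and pid name: sharing /run/openvpn with the server
# unit would let either service's stop remove the other's runtime files
RuntimeDirectory=openvpn-client
ExecStart=/usr/sbin/openvpn --config /data/openvpnClient/client.conf --writepid /run/openvpn-client/client.pid
PIDFile=/run/openvpn-client/client.pid
Restart=always
RestartSec=3
# 授予创建网卡的权限
AmbientCapabilities=CAP_NET_ADMIN
[Install]
WantedBy=multi-user.target
EOF
# Pick up the new unit, enable it at boot, and (re)start it now.
systemctl daemon-reload
systemctl enable openvpnClient
systemctl restart openvpnClient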
查看运行状态
# Follow the client log live, or show the last 50 entries.
journalctl -fu openvpnClient.service
journalctl -n 50 -u openvpnClient.service
其他平台客户端
https://openvpn.net/client/
在上面链接下载相应版本安装,并加载ovpn配置即可连接
另外一篇文章介绍其他网络访问场景:https://www.aliencn.net/archives/er1i50g698vr5e5/cn/openvpngejiedianzhijianhuxiangfangwen