Cloud Server ECS Linux CentOS OpenVPN Configuration Overview


This article gives an overview of configuring OpenVPN on a CentOS system.

Note: the configuration and instructions in this article are provided only as examples and operational guidance; Alibaba Cloud is not responsible for the results of these operations or for any problems arising from them.

 

OpenVPN Configuration


Preparation

  1. Use the tool update_source.sh to switch the yum source to Alibaba Cloud's internal-network yum source.

  2. Install the required dependency packages:

    yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel
    yum install -y pkcs11-helper pkcs11-helper-devel

Confirm that the installation completed:

    rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel


Install the OpenVPN service

  1. Download the openvpn source package:

    wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz

  2. Use rpmbuild to compile the source package into an rpm package for installation:

    rpmbuild -tb openvpn-2.2.2.tar.gz

After running this command, compilation starts; when it finishes, the installation package openvpn-2.2.2-1.x86_64.rpm is generated in the /root/rpmbuild/RPMS/x86_64 directory.

  3. Run rpm -ivh openvpn-2.2.2-1.x86_64.rpm to install it as an rpm package.


Configure the OpenVPN service (server side)

  1. Initialize the PKI:

    cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0

In the /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0 directory, locate the vars certificate-environment file and change the values of the following export lines:

    export KEY_COUNTRY="CN"        # country
    export KEY_PROVINCE="BJ"       # province
    export KEY_CITY="Hangzhou"     # city
    export KEY_ORG="aliyun"        # organization
    export KEY_EMAIL=my@test.com   # e-mail address

These values can be set freely; they do not affect the configuration.

  2. Generate the server certificate:

First clear out and delete all keys in the keys directory:

    ln -s openssl-1.0.0.cnf openssl.cnf   # symlink openssl.cnf to the openssl-1.0.0.cnf configuration file
    source ./vars
    ./clean-all

Generate the CA certificate. The defaults were just set in the vars file, so pressing Enter at each prompt completes it:

    ./build-ca


Generate the server certificate; aliyuntest is a custom name. Keep pressing Enter; at the end there are two prompts, enter y at each to confirm. When finished, the three files aliyuntest.key, aliyuntest.csr and aliyuntest.crt are saved in the keys directory.

    ./build-key-server aliyuntest


  3. Create the user key and certificate:

    ./build-key aliyunuser

This creates the key and certificate for the user named aliyunuser. Keep pressing Enter; at the end there are two confirmations, press y at each. When finished, three files are generated in the keys directory: the 1024-bit RSA key aliyunuser.key, aliyunuser.crt and aliyunuser.csr.

  4. Generate the Diffie-Hellman parameters:

    ./build-dh

After ./build-dh runs, the DH parameter file dh1024.pem is generated in the keys directory; it is used during client verification.

  5. Copy all files in /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys to /etc/openvpn:

    cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/

  6. Copy the openvpn server configuration file server.conf to the /etc/openvpn/ directory:

    cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

  7. Configure server.conf

After editing, the effective contents are as follows:

    $ egrep -v "^$|^#|^;" server.conf
    local 1.1.1.1            # enter your own ECS instance's public IP address here
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert aliyuntest.crt      # the crt here and the key on the next line use the custom name chosen when generating the server certificate
    key aliyuntest.key
    dh dh1024.pem
    server 172.16.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 223.5.5.5"
    client-to-client
    keepalive 10 120
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    status openvpn-status.log
    log         openvpn.log
    verb 3
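As an added check (example script, not part of the original article or of OpenVPN itself), the following POSIX shell audit reads a server.conf like the one above and verifies that the directives the article relies on are present, that every ca/cert/key/dh file it names exists next to the config (as the cp commands above arrange), and that the private key is not group- or world-readable. The embedded sample config is a constructed stand-in for the article's file.

```shell
#!/bin/sh
# Added example, not from the original article: audit an OpenVPN server.conf
# like the one above. Assumes the config and the ca/cert/key/dh files it names
# sit in the same directory, as the cp commands above arrange.
# Constructed sample mirroring the article's server.conf (used by demo below).
SAMPLE_SERVER_CONF='local 1.1.1.1
port 1194
proto udp
dev tun
ca ca.crt
cert aliyuntest.crt
key aliyuntest.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
;push "route 10.0.0.0 255.0.0.0"
user nobody
group nobody
persist-key
persist-tun'
# Effective directives only: drop blank lines and lines starting with # or ;
# (the same filter as the egrep above).
effective_config() { grep -Ev '^[[:space:]]*($|#|;)' "$1"; }
# First value of a directive: directive_value server.conf cert -> aliyuntest.crt
directive_value() { effective_config "$1" | awk -v d="$2" '$1 == d { print $2; exit }'; }
# Returns 0 when every check passes, 1 otherwise, printing each finding.
audit_server_conf() {
    conf="$1"; dir=$(dirname "$conf"); rc=0
    for d in local port proto dev ca cert key dh server; do
        [ -n "$(directive_value "$conf" "$d")" ] || { echo "missing directive: $d"; rc=1; }
    done
    # Privilege drop after start-up, plus the persist options it requires.
    for d in "user nobody" "group nobody" persist-key persist-tun; do
        effective_config "$conf" | grep -qx "$d" || { echo "missing: $d"; rc=1; }
    done
    # Every referenced PKI file must exist next to the config.
    for d in ca cert key dh; do
        f="$dir/$(directive_value "$conf" "$d")"
        [ -f "$f" ] || { echo "$d file not found: $f"; rc=1; }
    done
    # The private key must not be readable by group or others (ls mode chars 5-10).
    k="$dir/$(directive_value "$conf" key)"
    if [ -f "$k" ] && [ "$(ls -l "$k" | cut -c5-10)" != "------" ]; then
        echo "private key $k is group/world accessible; chmod 600 it"; rc=1
    fi
    return $rc
}
# Demo: materialise the sample with empty stand-in PKI files and audit it.
demo() {
    t=$(mktemp -d); printf '%s\n' "$SAMPLE_SERVER_CONF" > "$t/server.conf"
    (cd "$t" && touch ca.crt aliyuntest.crt aliyuntest.key dh1024.pem && chmod 600 aliyuntest.key)
    audit_server_conf "$t/server.conf"
}
```

On the server itself, run audit_server_conf /etc/openvpn/server.conf after step 7 and before starting the service.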


  8. Set up iptables

Before setting it up, make sure iptables is enabled and that the file /etc/sysconfig/iptables exists. Then enable IP forwarding:

    vi /etc/sysctl.conf

Change the following setting:

    net.ipv4.ip_forward = 1

Then apply the kernel parameter:

    sysctl -p

Add an iptables rule so that the server can forward packets to the Alibaba Cloud internal and public networks:

    iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE

Save the iptables configuration:

    service iptables save

Start OpenVPN

    /etc/init.d/openvpn start

Use netstat -ano | grep 1194 to check that port 1194 is listening, confirming that openvpn is running.

Configuring the Windows PC client


1. Download the openvpn client

  1. Install: on Windows, complete the installation with the default settings.

  2. Download the three files aliyunuser.key, aliyunuser.crt and aliyunuser.csr from the /etc/openvpn/ directory on the ECS instance to the Windows client that will connect to openvpn (an ftp tool can be used).

Save them in the \OpenVPN\config directory under the openvpn installation path.

2. Configure client.ovpn

Copy client.ovpn from the \OpenVPN\sample-config\ directory under the openvpn installation path to the \OpenVPN\config directory under the same installation path, then modify the following parameters in the configuration file:

    proto udp             # remove the leading semicolon; use the same udp protocol as the server
    remote 1.1.1.1 1194   # change 1.1.1.1 to your ECS instance's public IP address and remove the leading comment semicolon
    cert aliyunuser.crt
    key aliyunuser.key
3. Go to C:\Program Files (x86)\OpenVPN\bin, locate openvpn-gui-1.0.3.exe, right-click it and run it as administrator (running it as a normal user can cause the route additions to fail).


4. After the connection succeeds, open the Alibaba Cloud internal mirror http://mirrors.aliyuncs.com/ to confirm that the Alibaba Cloud internal network is reachable through openvpn.


Also visit ip.cn: the Windows PC's egress public IP is now the public IP address of the ECS instance.

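As an added example (not part of the original article), the script below prepares client.ovpn on the ECS instance from a sample client config, applying the edits from step 2 above, and then lists every file the config refers to, so that what has to be copied to the Windows client's config directory is read from the config rather than remembered; because the sample config names ca ca.crt, that list includes ca.crt as well as the three aliyunuser.* files. It assumes the sample's layout (";proto udp", a "remote ... 1194" line, "ca ca.crt", "cert client.crt", "key client.key"); the sample text in the block is a constructed stand-in.

```shell
#!/bin/sh
# Added example, not from the original article: build client.ovpn on the ECS
# instance from the sample client config, applying the edits described above,
# then list the files the Windows client must receive alongside it. Assumes the
# sample's layout (";proto udp", "remote ... 1194", "ca ca.crt", "cert ...",
# "key ..."); the text below is a constructed stand-in for that sample.
SAMPLE_CLIENT_OVPN='client
dev tun
;proto tcp
;proto udp
remote my-server-1 1194
;remote my-server-2 1194
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3'
# make_client_ovpn SAMPLE SERVER_IP USERNAME > client.ovpn
# Enables proto udp, replaces every remote line with the ECS public IP on 1194,
# and points cert/key at the user's files (aliyunuser.crt / aliyunuser.key).
make_client_ovpn() {
    sed -e 's/^;proto udp$/proto udp/' \
        -e '/^;\{0,1\}remote /d' \
        -e "s/^cert .*/cert $3.crt/" \
        -e "s/^key .*/key $3.key/" "$1"
    echo "remote $2 1194"
}
# Files the config refers to via ca/cert/key: all of them must be copied to
# the client's config directory, so ca.crt is needed as well as the three
# aliyunuser.* files.
client_files_needed() {
    grep -Ev '^[[:space:]]*($|#|;)' "$1" \
        | awk '$1 == "ca" || $1 == "cert" || $1 == "key" { print $2 }'
}
# check_client_ovpn CLIENT_OVPN SERVER_IP: 0 if the edits took effect and every
# referenced file is present next to the config, 1 otherwise.
check_client_ovpn() {
    rc=0; dir=$(dirname "$1")
    grep -qx 'proto udp' "$1"        || { echo "proto udp not enabled"; rc=1; }
    grep -qx "remote $2 1194" "$1"   || { echo "remote not set to $2 1194"; rc=1; }
    [ "$(grep -c '^remote ' "$1")" = 1 ] || { echo "more than one remote line"; rc=1; }
    for f in $(client_files_needed "$1"); do
        [ -f "$dir/$f" ] || { echo "missing $f next to $(basename "$1")"; rc=1; }
    done
    return $rc
}
# Demo: generate client.ovpn for server 1.1.1.1 (the article's placeholder) and
# user aliyunuser, then report what still has to be copied next to it.
demo() {
    t=$(mktemp -d); printf '%s\n' "$SAMPLE_CLIENT_OVPN" > "$t/sample.ovpn"
    make_client_ovpn "$t/sample.ovpn" 1.1.1.1 aliyunuser > "$t/client.ovpn"
    client_files_needed "$t/client.ovpn"
}
```

Run check_client_ovpn against the config directory on the Windows side (for example from a Git Bash or WSL shell) after copying the files, or against a staging directory on the ECS instance before transferring them.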
