阿里云搭建openvpn

阿里云搭建openvpn


一、安装软件

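# Add the EPEL repository from the Aliyun mirror, then point the repo files
# at the mirror's baseurl instead of the upstream metalink.
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm

sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*

yum install -y openvpn

yum install -y easy-rsa
# The easy-rsa working copy lives under /home/data. Create the target first:
# with several sources, cp into a missing directory fails with
# "target ... is not a directory".
mkdir -p /home/data/easy-rsa
cp -r /usr/share/easy-rsa/3.0/* /home/data/easy-rsa/
cp -r /usr/share/doc/easy-rsa/vars.example /home/data/easy-rsa/vars

# Certificate settings in /home/data/easy-rsa/vars: uncomment the CA and
# certificate expiry lines and set both to 3650 days (a .bak copy is kept).
sed -Ei.bak 's@^#(set_var EASYRSA_CA_EXPIRE).*@\1 3650 @g;s@^#(set_var EASYRSA_CERT_EXPIRE).*@\1 3650@g' /home/data/easy-rsa/vars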

二、CA颁发证书

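# Initialise the PKI. easyrsa is invoked as ./easyrsa, i.e. relative to the
# working copy prepared above, so make sure that is the current directory.
cd /home/data/easy-rsa || exit 1
./easyrsa init-pki
# nopass leaves the CA private key (pki/private/ca.key) unencrypted. It is
# the trust root for every certificate issued below, so keep the pki
# directory root-only, or drop nopass and use a passphrase when signing.
./easyrsa build-ca nopass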

三、颁发服务器证书

# Server certificate: generate the key and CSR, then have the CA sign the
# request as a *server* certificate. The same name is used for both steps.
srv_name=server
./easyrsa gen-req "$srv_name" nopass
./easyrsa sign server "$srv_name"

四、生成加密文件

./easyrsa gen-dh

三、颁发客户端证书

# Shorten the certificate validity to 365 days before issuing client
# certificates (a second backup of vars is kept as vars.0720bak).
sed -Ei.0720bak 's@^(set_var EASYRSA_CERT_EXPIRE).*@\1   365@g' /home/data/easy-rsa/vars
# Client certificate for user "bai": key + CSR, then sign as a *client* cert.
# nopass means the client key is unencrypted; its only protection is file
# permissions and how the bundle is handed to the user.
client_name=bai
./easyrsa gen-req "$client_name" nopass
./easyrsa sign client "$client_name"

四、准备VPN证书

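# Server-side material: CA cert, server cert/key and DH params, placed where
# server.conf expects them.
mkdir -p /etc/openvpn/certs/
cp /home/data/easy-rsa/pki/ca.crt /etc/openvpn/certs/
cp /home/data/easy-rsa/pki/issued/server.crt /etc/openvpn/certs/
cp /home/data/easy-rsa/pki/private/server.key /etc/openvpn/certs/
cp /home/data/easy-rsa/pki/dh.pem /etc/openvpn/certs/
# The server key was generated with nopass, so file permissions are its only
# protection: root-only on the directory and on the key itself. openvpn reads
# these as root at startup, before dropping to user/group openvpn.
chmod 700 /etc/openvpn/certs/
chmod 600 /etc/openvpn/certs/server.key

# One directory per user, holding exactly the files that user's client needs.
mkdir -p /etc/openvpn/client/bai
cp /home/data/easy-rsa/pki/ca.crt /etc/openvpn/client/bai/
cp /home/data/easy-rsa/pki/issued/bai.crt /etc/openvpn/client/bai/
cp /home/data/easy-rsa/pki/private/bai.key /etc/openvpn/client/bai/
# Same reasoning for the unencrypted client key.
chmod 700 /etc/openvpn/client/bai
chmod 600 /etc/openvpn/client/bai/bai.key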

五、配置vpn

# The openvpn package ships sample configuration files; list the package
# contents to locate them, then start from the sample server.conf.
rpm -ql openvpn
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/

# Show only the effective settings: skip comment lines (#, ;) and blank lines.
grep -v -E '^(#|;|$)' /etc/openvpn/server.conf


# OpenVPN server configuration (/etc/openvpn/server.conf) as used in this
# guide; lines starting with # or ; are comments.
port 1194
proto tcp
dev tun
# PKI material copied from the easy-rsa working copy above.
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
# NOTE(review): no tls-auth / tls-crypt key is configured, so the TLS
# handshake on port 1194 is reachable by anyone; tls-crypt would limit that.
# VPN address pool (clients get 10.8.0.x) and the one route pushed to them.
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
# NOTE(review): AES-256-CBC is the legacy data-channel cipher; OpenVPN 2.4+
# negotiates the cipher with the client and prefers AES-256-GCM, so this line
# mainly affects old clients — confirm the installed version.
cipher AES-256-CBC
# NOTE(review): compression inside a VPN enables compression-oracle attacks
# on the tunnelled traffic and upstream deprecates it; consider removing both
# compress lines here and the matching line in the client config.
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
# Drop root after startup. Without persist-key and persist-tun the daemon
# cannot reopen the key file or the tun device after a SIGHUP reload (the
# ExecReload in the unit file below), so add both if reloads are used.
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20

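# Log directory for status and log-append above. -p makes this re-runnable
# (plain mkdir fails if the directory already exists); it must be writable by
# the openvpn user the daemon drops to.
mkdir -p /var/log/openvpn
chown openvpn:openvpn /var/log/openvpn/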

# Set up the systemd service (the unit content follows). This opens an
# editor; /usr/lib/systemd/system is the package-owned directory, so a unit
# written there may be overwritten by package updates — /etc/systemd/system
# is the usual place for locally written units.
vim /usr/lib/systemd/system/openvpn@server.service
# systemd unit for the OpenVPN server instance (openvpn@server.service).
[Unit]
Description=OpenVPN service
After=network.target

[Service]
# NOTE(review): Type=notify relies on openvpn having been built with systemd
# (sd_notify) support; otherwise the start would time out. Confirm against the
# build options printed by `openvpn --version`.
Type=notify
# The config path is hard-coded rather than derived from the template
# instance name (%i), so any openvpn@<name>.service would start server.conf.
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server.conf
# SIGHUP makes openvpn re-read its config and keys; after the user/group drop
# in server.conf this only works if persist-key and persist-tun are set there.
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target

# Pick up the new unit file, then enable it at boot and start it right away.
systemctl daemon-reload
systemctl enable openvpn@server.service
systemctl start openvpn@server.service

# Per-user client profile: start from the sample client.conf, stored next to
# the user's certificate files as client.ovpn (content follows).
cp /usr/share/doc/openvpn/sample/sample-config-files/client.conf /etc/openvpn/client/bai/client.ovpn

# Client profile for user "bai" (/etc/openvpn/client/bai/client.ovpn).
client
dev tun
proto tcp
# Public address and port of the VPN server.
remote 39.100.76.63 1194
resolv-retry infinite
nobind
# Referenced by bare file name, so these must sit next to the profile
# (or be inlined) when the bundle is unpacked on the client.
ca ca.crt
cert bai.crt
key bai.key
# Reject a server whose certificate was not signed as a server cert
# (protects against a stolen client cert being used to impersonate the server).
remote-cert-tls server
cipher AES-256-CBC
# NOTE(review): compression is deprecated upstream for security reasons; if
# it is removed from server.conf, remove it here as well.
compress lz4-v2
verb 3

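# Bundle the client's files. -j stores them without the /etc/openvpn/client/bai/
# prefix, which client.ovpn depends on: it refers to ca.crt, bai.crt and
# bai.key by bare name. The archive holds an unencrypted private key, so
# create the destination first and keep the file root-only until delivered.
mkdir -p /home/openvpn
zip -j /home/openvpn/bai.zip /etc/openvpn/client/bai/*
chmod 600 /home/openvpn/bai.zip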

六、vpn服务器设置

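# Enable IPv4 forwarding so packets from the tun interface can leave the VPN
# server. Update an existing setting in place, or append one if absent, so
# re-running the guide does not pile up duplicate lines; then load it.
if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
fi
sysctl -p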

七、配置后端服务器

# The VPN server must forward packets to the backend servers; normally each
# backend would get a route back to the 10.8.0.0/24 VPN subnet.
# Aliyun VMs do not allow adding that route, so instead the VPN server
# masquerades: traffic from 10.8.0.0/24 that is not destined for the VPN
# subnet itself leaves with the server's own address.
# NOTE(review): this rule exists only in the running kernel and is lost on
# reboot; persist it with the host's firewall tooling. On an EL8 host the
# default is firewalld, which may manage the nat table itself — confirm.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j MASQUERADE

八、ssh登录后端服务器
