<h1>Deploying an OpenVPN server on Linux</h1>

<p>Published 2019-06-16, last modified 2021-04-09. Original post (Chinese): https://www.izhuhn.cn/index.php/2019/06/16/linux%e4%b8%8bopenvpn%e6%9c%8d%e5%8a%a1%e9%83%a8%e7%bd%b2/</p>

<p>Deployment environment:</p>

<p>CentOS 7</p>

<p>Install the EPEL repository:</p>

<pre class="wp-block-code"><code>rpm -ivh https://mirrors.ustc.edu.cn/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm # my system is CentOS 7, so this is the EPEL 7 release package; for CentOS 6 see the other post "Yum常用的一些配置" (common Yum configuration)</code></pre>

<p>Install the packages and their dependencies (the original command listed openvpn twice; once is enough):</p>

<pre class="wp-block-code"><code>yum install openvpn easy-rsa openssh-server lzo openssl openssl-devel NetworkManager-openvpn openvpn-auth-ldap -y</code></pre>

<p>Generate the certificates:</p>

<pre class="wp-block-code"><code># mkdir -p /etc/openvpn/easy-rsa
# cp -a /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa   # the directory is named after the installed easy-rsa version (3 here)
# cd /etc/openvpn/easy-rsa/
# ./easyrsa init-pki   # initialise the pki directory
# ./easyrsa build-ca nopass   # create the CA certificate; you are prompted for a Common Name, which can be anything but must differ from the server and client certificate names
# ./easyrsa gen-dh   # generate the Diffie-Hellman parameters used for the TLS key exchange
# ./easyrsa build-server-full server nopass   # "server" is the server certificate name; any name will do
# ./easyrsa build-client-full client nopass   # "client" is the client certificate name; any name will do</code></pre>

<p>nopass leaves the CA private key (pki/private/ca.key) unencrypted on disk, which is convenient in a lab but means anyone who can read that file can issue certificates the server will accept. Drop nopass from build-ca, or keep the CA off the VPN server, for anything beyond a test setup.</p>

<p>Edit the configuration file /etc/openvpn/server.conf. OpenVPN treats # and ; as the start of a comment, so trailing comments are fine, but any word placed before the # (the original had one after the local directive) is parsed as an extra argument and breaks the line:</p>

<pre class="wp-block-code"><code># cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/server.conf
# vi /etc/openvpn/server.conf
local 192.168.1.1 # server IP address
port 1194 # listening port
proto tcp # TCP is used here; can be changed to udp
dev tun # virtual interface type
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 192.168.2.0 255.255.255.0 # address range handed out to clients
ifconfig-pool-persist ipp.txt # records the client-to-virtual-IP mapping so a reconnecting client gets the address it had before it disconnected
push "redirect-gateway def1 bypass-dhcp" # make the VPN the client's default gateway
push "dhcp-option DNS 8.8.8.8" # pick a DNS server; Google's is used as the example here
client-to-client
keepalive 10 120
cipher AES-256-CBC # must match the cipher set in the client profile
compress lz4-v2
push "compress lz4-v2"
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3 # log level</code></pre>

<p>client-to-client lets every connected client reach every other client through the server; leave it out if clients should only reach the server and the networks it routes to. Note also that compressing traffic before encrypting it lets an attacker who can inject data into the tunnel learn about the plaintext (the VORACLE attack against OpenVPN compression), so drop the compress lines unless bandwidth matters more than that.</p>

<p>Enable IP forwarding:</p>

<pre class="wp-block-code"><code>$ vi /etc/sysctl.conf
# ...
net.ipv4.ip_forward = 1
$ sysctl -p</code></pre>

<p>Add the firewall NAT rule. The source network must be the one given to the server directive above (192.168.2.0/24); the original post masqueraded 10.2.0.0/24, which does not match and leaves client traffic un-NATed:</p>

<pre class="wp-block-code"><code># iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE</code></pre>

<p>On CentOS 7 this rule does not survive a reboot, and firewalld, if it is running, manages the same tables; either add the equivalent with firewall-cmd --permanent --add-masquerade (plus --add-port=1194/tcp for the listener) or save the rules with the iptables-services package.</p>

<p>Start the service:</p>

<pre class="wp-block-code"><code>systemctl start openvpn@server</code></pre>

<p>Check systemctl status openvpn@server and /var/log/openvpn.log; a working server logs "Initialization Sequence Completed".</p>

<p>Client usage:</p>

<pre class="wp-block-code"><code># cd /etc/openvpn/client
# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client
# cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/client
# cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/client
# vi client.ovpn
client # this instance is a client
dev tun # must match the server
proto tcp # must match the server
sndbuf 0
rcvbuf 0
remote 192.168.1.1 1194 # server address and listening port
#dhcp-option DNS 8.8.8.8
#ip-win32 netsh
resolv-retry infinite
#tun-mtu 65500
link-mtu 65500
persist-key
persist-tun
ca ca.crt # path to the CA certificate
cert client.crt # path to this client's certificate
key client.key # path to this client's private key
#keepalive 20 240
cipher AES-256-CBC
# server verification method
#tls-auth ta.key 1 # if the server uses a ta.key to defend against DoS and similar attacks, then every client
compress lz4-v2 # enable compression; must match the server (the original had comp-lzo here, which does not match the server's compress lz4-v2)
verb 4 # log verbosity, 0-9; higher levels log more detail</code></pre>

<p>Two things worth adding to this profile: remote-cert-tls server, so the client refuses a peer that presents a client certificate issued by the same CA, and the tls-auth (or, on 2.4, tls-crypt) key, generated once with openvpn --genkey --secret ta.key and referenced as tls-auth ta.key 0 on the server and tls-auth ta.key 1 on every client.</p>

<p>Pack up /etc/openvpn/client, copy it to the client's directory and load client.ovpn (tested on Linux and Windows).</p>
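<p>The three mistakes in the post above (a NAT subnet that does not match the server directive, a client compression setting that does not match the server's, and a cipher set only on one side) all come from writing the two configs and the firewall rule by hand. The script below is an added example, not the post's code: it renders server.conf and client.ovpn from one set of variables, derives the masquerade rule from the same subnet, and offers two checks that flag exactly those mismatches in an existing pair of files. The function names, the udp choice, the tls-crypt key path $PKI/ta.key and the server address are assumptions; the easy-rsa paths follow the post.</p>

```shell
#!/usr/bin/env bash
# Added example, not the original post's code: render a matched server.conf /
# client.ovpn pair from one set of variables, derive the NAT rule from the same
# subnet, and check an existing pair for the mismatches the post had. Assumed:
# easy-rsa 3 paths as in the post; tls-crypt key at $PKI/ta.key, created with
# "openvpn --genkey --secret ta.key" (hypothetical path).
set -eu

VPN_SUBNET="192.168.2.0"          # the "server" directive's network
VPN_MASK="255.255.255.0"
SERVER_IP="192.168.1.1"           # assumed address the clients connect to
PORT="1194"
PROTO="udp"                       # udp or tcp; written into both configs
PKI="/etc/openvpn/easy-rsa/pki"

# Dotted netmask to prefix length: 255.255.255.0 -> 24.
mask2prefix() {
  local IFS=. n bits=0
  for n in $1; do
    while [ "$n" -gt 0 ]; do bits=$((bits + (n & 1))); n=$((n >> 1)); done
  done
  echo "$bits"
}

# No compress line on either side: compression of tunnelled data leaks plaintext.
render_server_conf() {
  cat <<EOF
local $SERVER_IP
port $PORT
proto $PROTO
dev tun
ca $PKI/ca.crt
cert $PKI/issued/server.crt
key $PKI/private/server.key
dh $PKI/dh.pem
tls-crypt $PKI/ta.key
server $VPN_SUBNET $VPN_MASK
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
}

# The masquerade source comes from the same variables as the server directive.
render_nat_rule() {
  echo "iptables -t nat -A POSTROUTING -s $VPN_SUBNET/$(mask2prefix "$VPN_MASK") -j MASQUERADE"
}

# Client side mirrors transport, device and cipher; remote-cert-tls rejects a
# peer that presents a client certificate from the same CA as the server.
render_client_ovpn() {
  cat <<EOF
client
dev tun
proto $PROTO
remote $SERVER_IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
ca ca.crt
cert client.crt
key client.key
tls-crypt ta.key
EOF
}

# Directives both sides must agree on. Prints each mismatch; returns 1 if any.
check_pair() {
  local server_conf="$1" client_conf="$2" rc=0 k s c
  for k in proto dev cipher compress; do
    s=$(awk -v k="$k" '$1==k {print $2; exit}' "$server_conf")
    c=$(awk -v k="$k" '$1==k {print $2; exit}' "$client_conf")
    [ "$s" = "$c" ] || { echo "mismatch $k: server='$s' client='$c'"; rc=1; }
  done
  # comp-lzo on the client against compress on the server is the post's bug.
  if grep -q '^comp-lzo' "$client_conf" && grep -q '^compress' "$server_conf"; then
    echo "mismatch compression: client comp-lzo vs server compress"; rc=1
  fi
  return $rc
}

# The NAT source network must equal the "server" network of server.conf.
check_nat() {
  local server_conf="$1" rule="$2" want have
  want=$(awk '$1=="server" {print $2"/"$3; exit}' "$server_conf")
  want="${want%/*}/$(mask2prefix "${want#*/}")"
  have=$(printf '%s\n' "$rule" | sed -n 's/.*-s \([^ ]*\).*/\1/p')
  [ "$want" = "$have" ]
}
```

<p>Source the file and call render_server_conf > /etc/openvpn/server.conf, render_client_ovpn > client.ovpn and eval "$(render_nat_rule)" on the server; run check_pair server.conf client.ovpn against any hand-edited pair before handing a profile to a user. On OpenVPN 2.4 cipher negotiation can mask a cipher mismatch at runtime; check_pair deliberately wants the explicit values to agree anyway.</p>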