The easiest way to install and configure an OpenVPN server on Linux
This tutorial shows how to install and configure an OpenVPN server on RPM- and DEB-based systems.
We will use a script called OpenVPN-Install, which automates the entire OpenVPN server installation and configuration.
With it you can have your own VPN server running in a few minutes, even if you have never used OpenVPN before.
Install and configure an OpenVPN server on Linux
For this tutorial I am using two systems running the CentOS 7 64-bit edition.
One acts as the OpenVPN server and the other as the OpenVPN client.
Here are the details of my test boxes.
OpenVPN server:
- OS: CentOS 7 64-bit Minimal Edition
- IP: 192.168.43.150/24
- Hostname: vpnserver.theitroad.local
OpenVPN client:
- OS: CentOS 7 64-bit Minimal Edition
- IP: 192.168.43.199/24
First, let's look at the server-side configuration.
OpenVPN server installation and configuration
Download the OpenVPN-Install script from its GitHub page. The script runs as root, installs packages and generates your CA and keys, so read through it before executing it.
wget https://git.io/vpn -O openvpn-install.sh
Then run the script as the root user:
bash openvpn-install.sh
You will be asked a series of questions; answer them accordingly.
Make sure the VPN server's IP address is correct.
If the server has more than one IP address, enter the IP of the network interface you want OpenVPN to listen on.
Welcome to this quick OpenVPN "road warrior" installer
I need to ask you a few questions before starting the setup
You can leave the default options and just press enter if you are ok with them
First I need to know the IPv4 address of the network interface you want OpenVPN listening to.
IP address: 192.168.43.150
Choose the protocol to use. UDP is the recommended default; TCP mainly helps where UDP is blocked. I want TCP, so I chose option 2.
Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol [1-2]: 2
Enter the port number.
What port do you want OpenVPN listening to?
Port: 1194
Enter the DNS servers to use with the VPN.
I want to use Google's resolvers, so I chose option 2. Whatever you pick here is pushed to every client and becomes its resolver while connected.
Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) Google
   3) OpenDNS
   4) NTT
   5) Hurricane Electric
   6) Verisign
DNS [1-6]: 2
We have reached the last step.
Enter a name for the client certificate.
The name should be a single word with no special characters.
Finally, tell me your name for the client certificate
Please, use one word only, no special characters
Client name: client
Press any key to start the OpenVPN server installation.
Okay, that was all I needed. We are ready to setup your OpenVPN server now
Press any key to continue...
The script now installs all the packages needed for the OpenVPN server.
It also creates the keys and certificates used to authenticate VPN clients.
This takes a few minutes.
Finally, the script asks for the server's external IP address, which is only needed if the server sits behind NAT.
If it does not, leave the field blank and press Enter.
If your server is NATed (e.g. LowEndSpirit), I need to know the external IP
If that's not the case, just ignore this and leave the next field blank
External IP:
Finished!

Your client configuration is available at /root/client.ovpn
If you want to add more clients, you simply need to run this script again!
The OpenVPN server installation and configuration is complete.
As the last output shows, the client configuration is stored in /root/client.ovpn.
This file must be copied to every VPN client system. It embeds the client's private key along with the CA certificate and the tls-auth key, so treat it as a credential: copy it over an authenticated channel such as scp and keep it readable only by root on the client.
I copied client.ovpn to my VPN client:
scp client.ovpn Hyman@theitroad:/etc/openvpn/
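Before handing the profile to a client it is worth knowing exactly what is in it. The Python script below is an added example, not code from this tutorial or from the openvpn-install script: it splits a profile into plain directives and inline <ca>/<cert>/<key>/<tls-auth> blocks and reports the settings that matter for security. SAMPLE_PROFILE is a constructed stand-in with placeholder PEM bodies; the exact profile the script wrote is not shown on this page, and the `setenv opt block-outside-dns` line is an assumption about how the Windows-only option that the client log later warns about reached the profile.

```python
"""Audit an OpenVPN client profile (.ovpn) before deploying it.

Added example: this is not code from the tutorial or from the
openvpn-install script. SAMPLE_PROFILE is a constructed stand-in laid out
like the script's inline profiles (directives, then <ca>/<cert>/<key>/
<tls-auth> blocks); the PEM bodies are placeholders, not real key material.
"""
import re

SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote 192.168.43.150 1194
persist-key
remote-cert-tls server
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERTIFICATE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-PRIVATE-KEY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TLS-AUTH-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Inline file blocks of the form <name> ... </name>
INLINE_BLOCK = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)

# Options that exist only in the Windows client; the tutorial's client log
# shows OpenVPN 2.3 on Linux rejecting block-outside-dns with a warning.
WINDOWS_ONLY = {"block-outside-dns"}


def parse_profile(text):
    """Return (directives, blocks): [(name, [args]), ...] and {block: body}."""
    blocks = {m.group(1): m.group(2) for m in INLINE_BLOCK.finditer(text)}
    directives = []
    for line in INLINE_BLOCK.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def audit_profile(text):
    """Summarise the security-relevant settings of a client profile."""
    directives, blocks = parse_profile(text)
    opts = {}
    for name, args in directives:
        opts.setdefault(name, []).append(args)

    def first(name, default):
        return opts[name][0][0] if opts.get(name) and opts[name][0] else default

    # "setenv opt X" makes an unknown X a warning rather than a fatal error,
    # which is how a profile can carry Windows-only options for Linux clients.
    soft_opts = [a[1] for a in opts.get("setenv", []) if len(a) > 1 and a[0] == "opt"]

    return {
        "remote": [" ".join(a) for a in opts.get("remote", [])],
        "proto": first("proto", "udp"),
        # OpenVPN 2.3 defaults when the directive is absent
        "cipher": first("cipher", "BF-CBC"),
        "auth": first("auth", "SHA1"),
        # Without one of these the client would accept any CA-signed
        # certificate, including another client's, as the server.
        "server_identity_check": "remote-cert-tls" in opts or "verify-x509-name" in opts,
        "control_channel_hmac": any(k in blocks or k in opts for k in ("tls-auth", "tls-crypt")),
        # The profile is a credential, not just configuration.
        "embeds_private_key": "PRIVATE KEY" in blocks.get("key", ""),
        "windows_only_options": [o for o in soft_opts if o in WINDOWS_ONLY],
    }


if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key:24} {value}")
```

Read /root/client.ovpn into audit_profile() to check the real file. A profile whose embeds_private_key is True lets anyone who obtains it connect as that client until the certificate is revoked, and the KU/EKU validation lines in the client log later in this tutorial are what remote-cert-tls server produces.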
Next, we need to configure the OpenVPN client.
OpenVPN client configuration
Make sure you have copied the client.ovpn file from the VPN server system.
I copied it to the /etc/openvpn/ directory on my VPN client system.
Install the OpenVPN package with your distribution's package manager (on CentOS 7 it comes from the EPEL repository).
yum install openvpn
Next, run the following command to establish a secure connection to the VPN server.
openvpn --config /etc/openvpn/client.ovpn
Sample output:
Wed Apr 5 18:50:44 2016 Unrecognized option or missing parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.3.14)
Wed Apr 5 18:50:44 2016 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2015
Wed Apr 5 18:50:44 2016 library versions: OpenSSL 1.0.1e-fips 11 Nov 2013, LZO 2.06
Wed Apr 5 18:50:44 2016 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 5 18:50:44 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:44 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:44 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Apr 5 18:50:44 2016 Attempting to establish TCP connection with [AF_INET]192.168.43.150:1194 [nonblock]
Wed Apr 5 18:50:45 2016 TCP connection established with [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:45 2016 TCPv4_CLIENT link local: [undef]
Wed Apr 5 18:50:45 2016 TCPv4_CLIENT link remote: [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:45 2016 TLS: Initial packet from [AF_INET]192.168.43.150:1194, sid=c6fb554e 362eb192
Wed Apr 5 18:50:45 2016 VERIFY OK: depth=1, CN=ChangeMe
Wed Apr 5 18:50:45 2016 Validating certificate key usage
Wed Apr 5 18:50:45 2016 ++ Certificate has key usage 00a0, expects 00a0
Wed Apr 5 18:50:45 2016 VERIFY KU OK
Wed Apr 5 18:50:45 2016 Validating certificate extended key usage
Wed Apr 5 18:50:45 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Apr 5 18:50:45 2016 VERIFY EKU OK
Wed Apr 5 18:50:45 2016 VERIFY OK: depth=0, CN=server
Wed Apr 5 18:50:45 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Apr 5 18:50:45 2016 [server] Peer Connection Initiated with [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:48 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 5 18:50:48 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Wed Apr 5 18:50:48 2016 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 5 18:50:48 2016 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 5 18:50:48 2016 OPTIONS IMPORT: route options modified
Wed Apr 5 18:50:48 2016 OPTIONS IMPORT: route-related options modified
Wed Apr 5 18:50:48 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 5 18:50:48 2016 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:28:98:6b
Wed Apr 5 18:50:48 2016 TUN/TAP device tun0 opened
Wed Apr 5 18:50:48 2016 TUN/TAP TX queue length set to 100
Wed Apr 5 18:50:48 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 5 18:50:48 2016 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Apr 5 18:50:48 2016 /usr/sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Wed Apr 5 18:50:48 2016 /usr/sbin/ip route add 192.168.43.150/32 dev enp0s3
Wed Apr 5 18:50:48 2016 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Wed Apr 5 18:50:48 2016 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Wed Apr 5 18:50:48 2016 Initialization Sequence Completed
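The log deserves more than a glance at "Initialization Sequence Completed". As an added example (not code from the tutorial), the Python below condenses a client log into the facts a reviewer actually checks: which certificates verified and at what depth, whether the control channel is protected by tls-auth, what the control and data channels negotiated, and what the server pushed. SAMPLE_LOG is a subset of the log lines printed above.

```python
"""Condense an OpenVPN client connection log into the facts worth checking.

Added example, not code from the tutorial. SAMPLE_LOG is a subset of the
OpenVPN 2.3 client log shown above (default verbosity).
"""
import re

SAMPLE_LOG = """\
Wed Apr 5 18:50:44 2016 Unrecognized option or missing parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.3.14)
Wed Apr 5 18:50:44 2016 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 5 18:50:45 2016 VERIFY OK: depth=1, CN=ChangeMe
Wed Apr 5 18:50:45 2016 VERIFY KU OK
Wed Apr 5 18:50:45 2016 VERIFY EKU OK
Wed Apr 5 18:50:45 2016 VERIFY OK: depth=0, CN=server
Wed Apr 5 18:50:45 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Apr 5 18:50:45 2016 [server] Peer Connection Initiated with [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:48 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Wed Apr 5 18:50:48 2016 Initialization Sequence Completed
"""

# "Wed Apr 5 18:50:44 2016 " prefix on every record
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} ")
PUSH_PREFIX = "PUSH: Received control message: '"


def summarize_client_log(text):
    """Extract verification results, negotiated crypto and pushed options."""
    s = {
        "warnings": [],
        "verified_chain": [],   # (depth, CN) pairs; the CA comes first
        "tls_auth": False,      # control channel protected by an HMAC key
        "control_channel": None,
        "data_cipher": None,
        "data_hmac": None,
        "pushed": {},           # pushed option -> list of argument strings
        "completed": False,
    }
    for raw in text.splitlines():
        m = TIMESTAMP.match(raw)
        if not m:
            continue
        msg = raw[m.end():]
        if msg.startswith("Unrecognized option"):
            s["warnings"].append(msg)
        elif msg.startswith("VERIFY OK: depth="):
            depth, cn = re.match(r"VERIFY OK: depth=(\d+), CN=(.*)", msg).groups()
            s["verified_chain"].append((int(depth), cn))
        elif msg.startswith("Control Channel Authentication: tls-auth"):
            s["tls_auth"] = True
        elif msg.startswith("Control Channel: "):
            s["control_channel"] = msg[len("Control Channel: "):]
        elif msg.startswith("Data Channel Encrypt: Cipher '"):
            s["data_cipher"] = re.search(r"Cipher '([^']+)'", msg).group(1)
        elif msg.startswith("Data Channel Encrypt: Using"):
            s["data_hmac"] = re.search(r"hash '([^']+)'", msg).group(1)
        elif msg.startswith(PUSH_PREFIX + "PUSH_REPLY,"):
            body = msg[len(PUSH_PREFIX):].rstrip("'")
            for opt in body.split(",")[1:]:          # skip the PUSH_REPLY tag
                name, _, args = opt.partition(" ")
                s["pushed"].setdefault(name, []).append(args)
        elif msg == "Initialization Sequence Completed":
            s["completed"] = True

    # Derived facts a reviewer actually asks about
    s["full_tunnel"] = "redirect-gateway" in s["pushed"]
    s["pushed_dns"] = [a.split()[1] for a in s["pushed"].get("dhcp-option", [])
                       if a.startswith("DNS ")]
    ifconfig = s["pushed"].get("ifconfig")
    s["tunnel_ip"] = ifconfig[0].split()[0] if ifconfig else None
    return s


if __name__ == "__main__":
    for key, value in summarize_client_log(SAMPLE_LOG).items():
        print(f"{key:18} {value}")
```

Feed it the output of the openvpn command above. For this tutorial's log it reports a CA named ChangeMe at depth 1 and a server certificate at depth 0, TLS 1.2 with DHE-RSA-AES256-GCM-SHA384 on the control channel, AES-256-CBC with a SHA1 HMAC on the data channel, a pushed redirect-gateway (full tunnel) and the two Google resolvers chosen during installation.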
The first line is only a warning: block-outside-dns is a Windows-only option that stops the Windows client from leaking DNS queries outside the tunnel, and OpenVPN 2.3 on Linux ignores it. The rest of the log is worth checking: the client verified the CA created by the script (depth=1, CN=ChangeMe) and the server certificate (depth=0, CN=server), the control channel runs TLS 1.2 with DHE-RSA-AES256-GCM-SHA384 over a 2048-bit RSA key, the data channel uses AES-256-CBC with a SHA1 HMAC, and the server pushed redirect-gateway, so all of the client's traffic is routed through the VPN.
Now check that tun0 (the VPN interface) was created and look up its IP address with the 'ip addr' command:
ip addr
Sample output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:28:98:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.199/24 brd 192.168.43.255 scope global dynamic enp0s3
       valid_lft 42359sec preferred_lft 42359sec
    inet6 fe80::a00:27ff:fe28:986b/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
As the output shows, the VPN server automatically assigned the IP address 10.8.0.2 to the VPN client on tun0.
Now try pinging the VPN server's tunnel address (10.8.0.1, the route-gateway pushed in the log above) from the VPN client system:
ping -c3 10.8.0.1
Sample output:
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.05 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=1.94 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=2.49 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.057/1.832/2.495/0.594 ms
Congratulations! We have now successfully installed and configured an OpenVPN server and client on CentOS.