Setting up an OpenVPN server on Ubuntu

Posted in: linux

Environment

Distributor ID: Ubuntu
Description:    Ubuntu 17.10
Release:    17.10
Codename:   artful

1. Install OpenVPN

All commands below are run as root (or prefixed with sudo).

apt-get update
apt-get install openvpn easy-rsa

2. Create the CA directory

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
# make-cadir is roughly equivalent to
mkdir ~/openvpn-ca
cp -r /usr/share/easy-rsa/* ~/openvpn-ca

3. Configure the CA variables

vim vars

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BeiJing"
export KEY_CITY="BeiJing"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"

export KEY_NAME="server" # default Common Name offered by build-key-server below

4. Build the CA

cd ~/openvpn-ca
source vars
./clean-all  # wipes the keys/ directory; run it only once, before the first build-ca
./build-ca   # build the root CA; ca.key is the CA's private key and never leaves this machine

5. Build the server certificate, key and encryption files

./build-key-server server # "server" is the KEY_NAME set above; accept the defaults with Enter and answer y to the last two prompts (sign and commit)
./build-dh                # writes keys/dh2048.pem (KEY_SIZE defaults to 2048 in vars)
openvpn --genkey --secret keys/ta.key # shared tls-auth key for HMAC protection of the TLS handshake

6. Build the client certificate and key

cd ~/openvpn-ca
source vars
./build-key client1 # one certificate per client; accept the defaults with Enter and answer y to the last two prompts

7. Configure the OpenVPN server

The server needs only ca.crt, not ca.key; leave the CA private key in ~/openvpn-ca/keys.

cd ~/openvpn-ca/keys
cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn/
gzip -d server.conf.gz
vim /etc/openvpn/server.conf # set the following options (uncomment the ones the sample ships commented out)

tls-auth ta.key 0 # This file is secret; direction 0 on the server, 1 on every client
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody   # drop root privileges once the tunnel is up
group nogroup
# the following are optional
push "redirect-gateway def1 bypass-dhcp" # send all client traffic through the VPN
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
proto udp
port 1194

cert server.crt # must match the name passed to build-key-server above
key server.key  # This file should be kept secret

The sample's ca ca.crt and dh dh2048.pem lines already match the files copied above and can stay as they are.

8. Adjust the network configuration

vim /etc/sysctl.conf

net.ipv4.ip_forward=1

sysctl -p

ip route | grep default # the name after "dev" is the egress interface, e.g. ens3

vim /etc/ufw/before.rules # add this block near the top of the file, above the *filter line

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN subnet out of ens3 (change to the interface you discovered!)
# 10.8.0.0/24 is the subnet the sample server.conf assigns; do not NAT the whole 10.0.0.0/8
-A POSTROUTING -s 10.8.0.0/24 -o ens3 -j MASQUERADE
COMMIT
# END OPENVPN RULES

vim /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

ufw allow 1194/udp
ufw allow OpenSSH # keep SSH reachable before the firewall is re-enabled
ufw disable
ufw enable
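The two values the NAT rule depends on, the VPN subnet and the egress interface, are both typed by hand above, which is where the wrong-interface and too-wide-subnet mistakes come from. The script below is an added example, not part of the original post: it reads the subnet from the active "server" line of server.conf (the sample ships server 10.8.0.0 255.255.255.0), takes the interface from the "dev" field of the default route, and prints the before.rules block. The function names are my own; it assumes the "ip route" output format shown above.

```shell
#!/bin/sh
# Emit the ufw before.rules NAT block for an OpenVPN server, deriving the
# VPN subnet from server.conf and the egress interface from the default
# route instead of typing either by hand.
#   sh nat_block.sh /etc/openvpn/server.conf

# mask_to_prefix DOTTED_MASK -> prefix length (255.255.255.0 -> 24)
mask_to_prefix() {
    mask=$1
    prefix=0
    old_ifs=$IFS
    IFS=.
    set -- $mask
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
        255) prefix=$((prefix + 8)) ;;
        254) prefix=$((prefix + 7)) ;;
        252) prefix=$((prefix + 6)) ;;
        248) prefix=$((prefix + 5)) ;;
        240) prefix=$((prefix + 4)) ;;
        224) prefix=$((prefix + 3)) ;;
        192) prefix=$((prefix + 2)) ;;
        128) prefix=$((prefix + 1)) ;;
        0) ;;
        *) return 1 ;;   # not a contiguous netmask
        esac
    done
    echo "$prefix"
}

# route_iface "default via 203.0.113.1 dev ens3 ..." -> ens3
route_iface() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# vpn_cidr SERVER_CONF -> 10.8.0.0/24, taken from the active (uncommented) server directive
vpn_cidr() {
    net=$(awk '$1 == "server" { print $2; exit }' "$1")
    mask=$(awk '$1 == "server" { print $3; exit }' "$1")
    [ -n "$net" ] && [ -n "$mask" ] || return 1
    prefix=$(mask_to_prefix "$mask") || return 1
    echo "$net/$prefix"
}

# openvpn_nat_block SERVER_CONF DEFAULT_ROUTE_LINE -> rules for /etc/ufw/before.rules
openvpn_nat_block() {
    cidr=$(vpn_cidr "$1") || { echo "no valid 'server' directive in $1" >&2; return 1; }
    iface=$(route_iface "$2")
    [ -n "$iface" ] || { echo "no 'dev' field in default route: $2" >&2; return 1; }
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Masquerade traffic from the OpenVPN subnet out of $iface
-A POSTROUTING -s $cidr -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# command-line entry point: print the block for the given server.conf
if [ $# -ge 1 ]; then
    openvpn_nat_block "$1" "$(ip route | grep '^default')"
fi
```

The output is meant to be pasted above the *filter line of /etc/ufw/before.rules; the masquerade source is exactly the subnet OpenVPN hands out, so other 10.x networks reachable from the host are not NATed by accident.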

9. Start the OpenVPN service

systemctl start openvpn@server
systemctl status openvpn@server
ip addr show tun0 # tun0 should now exist, with the server at 10.8.0.1
systemctl enable openvpn@server

10. Create the client configuration file (.ovpn)

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
vim ~/client-configs/base.conf

remote server_IP_address 1194 # the server's public IP address and port
proto udp
user nobody
group nogroup
#ca ca.crt # comment all three out; the files are embedded inline by the script below
#cert client.crt
#key client.key
cipher AES-256-CBC
auth SHA256
key-direction 1 # add this line; 1 is the client side of the server's "tls-auth ta.key 0"
# script-security 2 # leave these commented out; uncomment only on Linux clients that use /etc/openvpn/update-resolv-conf
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

Script to generate client configuration files automatically

vim ~/client-configs/make_config.sh # the goal is to embed ca.crt, ta.key and the client's cert and key in a single config file

#!/bin/bash
# First argument: Client identifier (the name passed to ./build-key)
set -euo pipefail

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

if [ $# -ne 1 ]; then
    echo "usage: $0 CLIENT_NAME" >&2
    exit 1
fi

# refuse to build a config that would embed a missing file
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${1}.crt" "${KEY_DIR}/${1}.key" "${KEY_DIR}/ta.key"; do
    [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }
done

# the .ovpn contains the client's private key, so create it owner-readable only
umask 077

cat "${BASE_CONFIG}" \
        <(echo -e '<ca>') \
        "${KEY_DIR}/ca.crt" \
        <(echo -e '</ca>\n<cert>') \
        "${KEY_DIR}/${1}.crt" \
        <(echo -e '</cert>\n<key>') \
        "${KEY_DIR}/${1}.key" \
        <(echo -e '</key>\n<tls-auth>') \
        "${KEY_DIR}/ta.key" \
        <(echo -e '</tls-auth>') \
        > "${OUTPUT_DIR}/${1}.ovpn"

Run the script

cd ~/client-configs
bash make_config.sh pi # the argument must be a name built with ./build-key (client1 above; "pi" assumes ./build-key pi was run)

The generated file is files/pi.ovpn. Copy that single file to the client and start openvpn with it; nothing else needs to be transferred.
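Before shipping a .ovpn, or after editing server.conf, it is worth checking that the settings from steps 7 and 10 are actually in effect, since a directive left commented out (with # or ;) in the sample files silently falls back to the default. The following audit script is an added example, not part of the original post: it checks an OpenVPN config for the directives this walkthrough relies on, in both server and client roles, and for a single-file .ovpn verifies that the material is inline and that the file-based ca/cert/key directives were commented out. The function names are mine; the client check assumes the sample client.conf's "remote-cert-tls server" line was kept.

```shell
#!/bin/sh
# audit_openvpn_conf FILE server|client
# Checks an OpenVPN config for the directives this walkthrough relies on,
# ignoring commented lines (# or ;). Prints each missing item and returns
# 1 if anything is missing, 0 if the file passes.
#   sh audit_ovpn.sh /etc/openvpn/server.conf server
#   sh audit_ovpn.sh ~/client-configs/files/pi.ovpn client

# has_directive FILE ERE: true if an uncommented line starts with ERE
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# has_inline FILE TAG: true if both <TAG> and </TAG> markers are present
has_inline() {
    grep -q "^<$2>" "$1" && grep -q "^</$2>" "$1"
}

audit_openvpn_conf() {
    conf=$1
    role=$2
    missing=0
    # settings both ends must agree on
    for d in 'cipher[[:space:]]+AES-256-CBC' 'auth[[:space:]]+SHA256' \
             'user[[:space:]]+nobody' 'group[[:space:]]+nogroup'; do
        has_directive "$conf" "$d" || { echo "$conf: missing directive: $d"; missing=$((missing + 1)); }
    done
    case $role in
    server)
        # tls-auth direction 0 on the server; material is loaded from files
        for d in 'tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+0' 'key-direction[[:space:]]+0' \
                 'ca[[:space:]]+[^[:space:]]+' 'cert[[:space:]]+[^[:space:]]+' \
                 'key[[:space:]]+[^[:space:]]+' 'dh[[:space:]]+[^[:space:]]+'; do
            has_directive "$conf" "$d" || { echo "$conf: missing directive: $d"; missing=$((missing + 1)); }
        done
        ;;
    client)
        for d in 'remote[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' 'key-direction[[:space:]]+1' \
                 'remote-cert-tls[[:space:]]+server'; do
            has_directive "$conf" "$d" || { echo "$conf: missing directive: $d"; missing=$((missing + 1)); }
        done
        # a single-file .ovpn carries its material inline ...
        for tag in ca cert key tls-auth; do
            has_inline "$conf" "$tag" || { echo "$conf: missing inline <$tag> block"; missing=$((missing + 1)); }
        done
        # ... and must not also point at files that will not exist on the client
        for d in 'ca[[:space:]]+[^[:space:]]+' 'cert[[:space:]]+[^[:space:]]+' 'key[[:space:]]+[^[:space:]]+'; do
            ! has_directive "$conf" "$d" || { echo "$conf: file-based directive still active: $d"; missing=$((missing + 1)); }
        done
        ;;
    *)
        echo "usage: audit_openvpn_conf FILE server|client" >&2
        return 2
        ;;
    esac
    [ "$missing" -eq 0 ]
}

# command-line entry point
if [ $# -eq 2 ]; then
    audit_openvpn_conf "$1" "$2"
fi
```

A non-zero exit from the server check means the running service is not using the cipher, HMAC or privilege-drop settings you think it is; a non-zero exit from the client check means the .ovpn will either fail to connect (missing inline block, wrong key-direction) or try to open certificate files that do not exist on the client.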
Please credit the source when reposting: 若我若鱼
