一、OpenVPN 简单介绍
1.1、OpenVPN又是什么
- OpenVPN 是一种种开源、快速、流行的程序,可以选择使用TCP或UDP传输协议,大量使用了OpenSSL加密库,以及SSLv3/TLSv1协议。
- OpenVPN在用户空间运行,无须对内核及网络协议栈作修改,具备许多安全特性,可使用共享金钥、电子证书、用户名/密码来进行身份验证。
- OpenVpN与大多数 Vpn协议一样,具有客户端-服务器架构。可用于多种设备和系统,能在Linux、xBSD、Mac OS X与Windows主机上运行。
1.2、OpenVPN的使用场景
- 企业与企业之间,如:两企业深层次合作,或者总公司与旗下各子公司之间
- 企业与个人之间,如:部门员工在家或者外地需要连接到公司内网进行远程办公
- 企业公网的统一管理:需要经常连接内网的服务器而大部分服务器没有外网IP地址
1.3、安装部署方式有哪些
1.3.1、安装方式介绍
- YUM 安装
- 源码安装
- 二进制安装
- DOCKER安装
- 脚本一键安装
1.3.2、安装方式说明
-
本次只介绍 后面的两种 最简单的安装方式,
-
如果有对内网主机做登录区分,建议使用二进制的安装方式
1.4、VPN的使用提醒
1.4.1、法律与法规
使用VPN本身并不一定违法,但关键在于使用的目的和方式。以下几个注意点:
- 非法经营行为:提供未经许可的VPN服务给他人,特别是以牟利为目的。
- 非法内容访问:利用VPN访问并传播非法内容,或者参与其他违法活动。
1.4.2、使用的前提
- 如果是公司里面部署,记得在出口路由器或者防火墙上做主机和端口的映射
- 如果是公有云上部署,记得在防火墙策略里面开放和映射一下服务器的端口
二、容器的安装方式(Docker)
2.1、安装Docker容器
2.1.1、安装前准备工作
# 开启服务器端的IP转发功能
[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
[root@localhost ~]# systemctl enable firewalld && systemctl start firewalld
[root@localhost ~]# systemctl status firewalld | grep running
2.1.2、容器正式安装
[root@localhost ~]# systemctl enable firewalld && systemctl start firewalld
[root@localhost ~]# systemctl status firewalld | grep running
[root@localhost ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@localhost ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum list docker-ce --showduplicates | sort -r
[root@localhost ~]# yum install -y docker-ce-19.03.9 docker-ce-cli-19.03.9 containerd.io
[root@localhost ~]# systemctl start docker && systemctl enable docker
[root@localhost ~]# systemctl status docker | grep running
Active: active (running) since Thu 2024-07-04 19:43:22 CST; 1 months 25 days ago
### 以下非必须操作(设置加速器和SYSTEMD管理)
[root@localhost ~]# vim /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors":["https://docker.m.daocloud.io"],
}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker info | grep "Cgroup Driver"
Cgroup Driver: systemd
2.2、创建配置文件
[root@localhost ~]# mkdir -p /data/openvpn
[root@localhost ~]# docker pull kylemanna/openvpn:2.4 # 拉取镜像到本地( 此步可省略 )
[root@localhost ~]# docker image list | grep openvpn
kylemanna/openvpn 2.4 cc03802fc5c0 3 years ago 15.3MB
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_genconfig -u udp://61.169.X.X:4911
### 61.169.X.X 公司出口路由器的IP地址
# 4911 路由上外围访问端口,也是服务器上端口映射的对应端口
### udp://vpn.abc.com 这里也可以写上域名
### 注意: 此操作只是生成相关配置文件,还没有生成容器,“docker ps” 没有容器相关的输出
2.3、配置证书密钥
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 ovpn_initpki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Enter New CA Key Passphrase: ### 输入私钥密码(输入时看不见) vpnpwd123
Re-Enter New CA Key Passphrase: ### 第二次输入
Generating RSA private key, 2048 bit long modulus (2 primes)
..........+++++
..................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: ### 输入一个 CA 名称,一般直接回车即可
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.........................................................+.......................................+.....................+.....................................+.............................+.............................+..............................+...........................+..................................+..............................................
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
........+++++
.....+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-72.EDkcAa/tmp.LjiKDn'
Using configuration from /etc/openvpn/pki/easy-rsa-72.EDkcAa/tmp.PlCfJH
Enter pass phrase for /etc/openvpn/pki/private/ca.key: ### 输入上面设置的 证书私钥密码
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'210.22.78.6'
Certificate is to be certified until Jan 2 02:16:02 2025 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-147.AbkKeG/tmp.Ejiagg
Enter pass phrase for /etc/openvpn/pki/private/ca.key: ### 再输入一次 证书私钥密码
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
2.4、启动服务并验证
[root@localhost ~]# docker run -d -v /data/openvpn:/etc/openvpn -p 4911:1194/udp --cap-add=NET_ADMIN --name openvpn-server --restart always kylemanna/openvpn:2.4
### 4911 既是出口路由器的对外端口,也是本服务器VPN服务的访问端口
### 最新版本的Docker增加了Linux Capabilities(可允许普通用户和进程执行一些root才能执行的特殊权限),需要设置正确的的cap参数,NET_RAW和NET_ADMIN,因为默认策略是Drop,在docker run时使用--cap-add NET_ADMIN
[root@localhost ~]# docker ps | grep openvpn
8fc86b18c244 kylemanna/openvpn:2.4 "ovpn_run" 17 months ago Up 7 weeks 0.0.0.0:4911->1194/udp openvpn-server
[root@localhost ~]# netstat -lntpu | grep 4911
udp6 0 0 :::4911 :::* 6709/docker-proxy
2.5、服务配置相关
2.5.1、服务器信息相关
1、在生成了服务器配置文件后,就产生了下面的目录文件
[root@localhost ~]# ll /data/openvpn
drwxr-xr-x. 2 root root 6 Sep 2 11:45 ccd
-rw-r--r--. 1 root root 638 Sep 2 11:46 openvpn.conf
-rw-r--r--. 1 root root 807 Sep 2 11:46 ovpn_env.sh
drwx------. 8 root root 4096 Sep 2 11:48 pki
2、配置了证书密钥后生成一个密钥文件
[root@localhost ~]# ll /data/openvpn/
-rw-r--r--. 1 root root 650 Sep 2 11:51 crl.pem
2.5.2、配置文件信息相关
1、服务器配置文件
[root@localhost ~]# cat /data/openvpn/openvpn.conf
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/61.169.X.X.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/61.169.X.X.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
comp-lzo no
### Route Configurations Below
route 192.168.254.0 255.255.255.0
### Push Configurations Below
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
2、日志文件信息
[root@localhost ~]# cat /data/openvpn/openvpn.conf | grep log
status /tmp/openvpn-status.log
# 通过日志文件查看账号登录的信息
[root@localhost ~]# cat /tmp/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Aug 31 07:47:10 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laowang,61.169.X.X:43780,173057876,16477702,Sat Aug 31 07:28:07 2024 # 账号 laowang 的登录信息
liangxxxxx,61.169.X.X:43829,1070618,1775803,Sat Aug 31 07:37:39 2024 # 账号 liangxxxxx 的登录信息
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.255.6,laowang,61.169.X.X:43780,Sat Aug 31 07:47:09 2024
192.168.255.10,liangxxxxx,61.169.X.X:43829,Sat Aug 31 07:47:09 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
2.6、生成客户端证书并导出
2.6.1、无密码客户端证书
[root@localhost ~]# mkdir -p /data/openvpn/client # 指定统一存放证书的目录( 此步非必须 )
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full liangxxx nopass
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
................................................................+++++
....................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.PFCOnk/tmp.IdfFnd'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.PFCOnk/tmp.gEomLD
Enter pass phrase for /etc/openvpn/pki/private/ca.key: +++++ 证书私钥密码 vpnpwd123
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'liangxxx'
Certificate is to be certified until Dec 2 04:16:08 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient liangxxx > /data/openvpn/client/liangxxx.ovpn
[root@localhost ~]# ll /data/openvpn/client/
-rw-r--r-- 1 root root 4945 Mar 18 2023 liangxxx.ovpn
2.6.2、有密码客户端证书
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full laowang
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
........
..........
writing new private key to '/etc/openvpn/pki/easy-rsa-1.bFdpMa/tmp.IkCDpD'
Enter PEM pass phrase: +++++ 账号 laowang 的验证密码 laowang666
Verifying - Enter PEM pass phrase: +++++ 再输入一次密码 laowang666
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.bFdpMa/tmp.OdbNiN
Enter pass phrase for /etc/openvpn/pki/private/ca.key: +++++ 证书私钥密码 vpnpwd123
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'laowang'
Certificate is to be certified until Dec 2 04:12:10 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient laowang > /data/openvpn/client/laowang.ovpn
[root@localhost ~]# ll /data/openvpn/client/
-rw-r--r-- 1 root root 5087 Aug 29 12:18 laowang.ovpn
-rw-r--r-- 1 root root 4945 Mar 18 2023 liangxxx.ovpn
2.7、添加和清除账号操作
1、添加账号操作
# 替换三个 USERNAME 为要添加的账号名字即可
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full USERNAME nopass
### 使不使用 nopass 参数自行定夺就好
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient USERNAME > /data/openvpn/client/USERNAME.ovpn
2、删除账号操作
# 后三步非必须 ,建议也执行下 ; 替换四个 USERNAME 为要删除的账号名字即可
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa revoke USERNAME
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa gen-crl
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/reqs/USERNAME.req
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/issued/USERNAME.crt
[root@localhost ~]# docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/private/USERNAME.key
2.8、添加或者清除账号脚本
2.8.1、具体脚本的内容
[root@localhost ~]# mkdir /data/openvpn/scripts
[root@localhost ~]# cat /data/openvpn/scripts/add-user.sh
#!/bin/bash
# 添加用户时管理员密码 vpnpwd123
read -p "Please input the username which will be add: " USERNAME
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa build-client-full $USERNAME nopass
docker run -v /data/openvpn:/etc/openvpn --rm kylemanna/openvpn:2.4 ovpn_getclient $USERNAME > /data/openvpn/client/"$USERNAME".ovpn
docker restart openvpn-server
[root@localhost ~]# cat /data/openvpn/scripts/delete-user.sh
#!/bin/bash
# 删除VPN账号方法 ./delete-user.sh , 直接回车后,根据提示输入账号和密码
read -p "Please input the username which will be delete: " USERNAME
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa revoke $USERNMAE
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 easyrsa gen-crl
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/reqs/"$USERNAME".req
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/issued/"$USERNAME".crt
docker run -v /data/openvpn:/etc/openvpn --rm -it kylemanna/openvpn:2.4 rm -f /etc/openvpn/pki/private/"$USERNAME".key
rm -f /data/openvpn/client/"$USERNAME".ovpn
docker restart openvpn-server
2.8.2、脚本的使用方式
添加账号 zhangsan
[root@localhost ~]# cd /data/openvpn/scripts
[root@localhost ~]# ./add-user.sh ### 直接回车,根据提示输入账号和密码即可
删除账号 zhangsan
[root@localhost ~]# cd /data/openvpn/scripts
[root@localhost ~]# ./delete-user.sh ### 直接回车,根据提示输入账号和密码即可
三、脚本一键安装的方式
3.1、安装前准备工作
# 开启服务器端的IP转发功能
[root@localhost ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@localhost ~]# sysctl -p
3.2、执行脚本安装
[root@localhost ~]# wget https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
[root@localhost ~]# bash openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.1.103 ### 本机的IP地址
It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 101.80.196.103 ### 网关路由器的公网IP地址
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n ### 是否要启用IPv6,默认 不启用
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1 ### 需要监听的端口 ,默认 1194,也可以自定义
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1 ### 协议选择,默认推荐的协议是udp,支持tcp协议
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 13 ### DNS设置 ,选择13,也就是自定义DNS配置 ,114.114.114.114(电信)、223.5.5.5(阿里云)
Primary DNS: 114.114.114.114
Secondary DNS (optional): 223.5.5.5
Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n ### 是否启用压缩 ,默认不启用,因为启用压缩有风险
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n ### OpenVPN在传输过程中是加密的,我们采用脚本提供的默认证书生成规则就可以了
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
### 到此处 安装的部分已经完成,下面是创建账号的过程 !!!
3.3、创建第一个账号
### 紧接着上面的操作,执行过程中不要中断
。。。。。。
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: testonly ### 创建一个用户
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1 ### 是否配置证书密码 1 不配置 2 配置 (这里不配置密码,在后面添加新账号的时候再配置)
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Generating a 256 bit EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/8c08a3e4/temp.de73a299'
-----
Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/testonly.req
key: /etc/openvpn/easy-rsa/pki/private/testonly.key
Using configuration from /etc/openvpn/easy-rsa/pki/8c08a3e4/temp.a0ac9712
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'testonly'
Certificate is to be certified until Aug 27 02:45:08 2034 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/testonly.crt
Notice
------
Inline file created:
* /etc/openvpn/easy-rsa/pki/inline/testonly.inline
Client testonly added.
The configuration file has been written to /root/testonly.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
[root@localhost ~]# ll
-rw-------. 1 root root 1419 Aug 21 23:46 anaconda-ks.cfg
-rwxr-xr-x. 1 root root 40923 Aug 29 10:15 openvpn-install.sh
-rw-r--r-- 1 root root 2721 Aug 29 10:45 testonly.ovpn
### 说明
# 1、不同脚本安装时候出线的选项多少不一样
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh
# 2、有些版本的脚本安装时,第一个账号会默认创建,名叫 client
The client configuration is available in: /root/client.ovpn.
New clients can be added by running this script again.
3.4、服务配置相关
3.4.1、服务器信息相关
# 安装结束后后,在 etc 目录下面的生成一个 openvp n的目录文件
[root@localhost ~]# ll /etc/openvpn
rwxr-xr-x. 2 root root 6 Sep 2 12:53 ccd
drwxr-x---. 2 root openvpn 6 Mar 18 2022 client
-rw-r--r--. 1 root root 424 Sep 2 12:53 client-template.txt
drwxr-xr-x. 2 root root 74 Sep 2 12:53 easy-rsa
drwxr-x---. 2 root openvpn 6 Mar 18 2022 server
-rw-r--r--. 1 root root 648 Sep 2 12:53 server.conf # 主配置文件
-rw-------. 1 root root 636 Sep 2 12:53 tls-crypt.key
3.4.2、配置文件信息相关
1、服务器配置文件
[root@localhost ~]# cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 202.96.209.5"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_RyF88aAq2yRpgF9K.crt
key server_RyF88aAq2yRpgF9K.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
2、日志文件信息
[root@localhost ~]# cat /etc/openvpn/server.conf | grep log
status /var/log/openvpn/status.log
3.5、新增账号操作
[root@localhost ~]# bash openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user ### 添加账号
2) Revoke existing user ### 清除账号
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 1
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: laowang ####
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client #### 选择设置密码的证书密钥
Select an option [1-2]: 2
⚠️ You will be asked for the client password below ⚠️
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Generating a 256 bit EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/5743616c/temp.5521300f'
Enter PEM pass phrase: #### laowang666
Verifying - Enter PEM pass phrase: #### laowang666
-----
Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/laowang.req
key: /etc/openvpn/easy-rsa/pki/private/laowang.key
Using configuration from /etc/openvpn/easy-rsa/pki/5743616c/temp.267442d2
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'laowang'
Certificate is to be certified until Aug 27 02:55:48 2034 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/laowang.crt
Notice
------
Inline file created:
* /etc/openvpn/easy-rsa/pki/inline/laowang.inline
Client laowang added.
The configuration file has been written to /root/laowang.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
[root@node117 ~]# ll
total 52
-rw-------. 1 root root 1419 Aug 21 23:46 anaconda-ks.cfg
-rw-r--r-- 1 root root 2847 Aug 29 10:55 laowang.ovpn
-rwxr-xr-x. 1 root root 40923 Aug 29 10:15 openvpn-install.sh
-rw-r--r-- 1 root root 2721 Aug 29 10:45 testonly.ovpn
3.6、清除账号操作
[root@node117 ~]# bash openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
1) Add a new user
2) Revoke existing user ####
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 2
Select the existing client certificate you want to revoke
1) testonly
2) laowang
Select one client [1-2]: 2
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
WARNING
=======
This process is destructive!
These files will be MOVED to the 'revoked' storage directory:
* /etc/openvpn/easy-rsa/pki/issued/laowang.crt
* /etc/openvpn/easy-rsa/pki/private/laowang.key
* /etc/openvpn/easy-rsa/pki/reqs/laowang.req
These files will be DELETED:
All PKCS files for commonName : laowang
The inline credentials files:
* /etc/openvpn/easy-rsa/pki/laowang.creds
* /etc/openvpn/easy-rsa/pki/inline/laowang.inline
The duplicate certificate:
* /etc/openvpn/easy-rsa/pki/certs_by_serial/45EF7CF8FFA92B2C0B8BE18FDFF94EDF.pem
Using configuration from /etc/openvpn/easy-rsa/pki/32c3f393/temp.8abb71ec
Revoking Certificate 45EF7CF8FFA92B2C0B8BE18FDFF94EDF.
Data Base Updated
Notice
------
* IMPORTANT *
Revocation was successful. You must run 'gen-crl' and upload a new CRL to your
infrastructure in order to prevent the revoked certificate from being accepted.
* Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
Using configuration from /etc/openvpn/easy-rsa/pki/7eedd3ad/temp.8eceaa62
Notice
------
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
Certificate for client laowang revoked.
四、OpenVPN 客户端相关
4.1、客户端相关说明
# OpenVPN 客户端支持多种操作系统,包括Windows、Linux、Mac、Android
1、OpenVPN 支持Windows7及更高版本的操作系统,需要以管理员身份运行 OpenVPN客户端
2、Mac系统的电脑上安装了插件才能使用,常见的有 Tunnelblick 、Viscosity
3、OpenVPN是一个开源的VPN解决方案,因此在Linux平台上也有广泛的支持
4、在使用安卓客户端时可能会遇到不支持Tap模块的情况,因此在使用时可能需要调整配置
### 无论是哪种类型的工具,都必须先将 客户端证书文件 下载到本地 !!!
4.2、Windows 客户端
### WINDOWS 系统常见的两个OpenVPN客户端工具: OpenVPN GUI 和 OpenVPN-Connect
说明:早期的时候是 OpenVPN GUI,OpenVPN版本是 2 的时候,OpenVPN-Connect 是后面才出现的
# 下载地址:(要使用魔法才能够下载)
https://obs.cstcloud.cn/share/obs/cstcloud/OpenVPN-2.5.4-I604-amd64.msi
https://openvpn.net/downloads/openvpn-connect-3.5.0.3818_signed.msi
# 这里分享下网盘的链接
通过网盘分享的文件:ClientVPN.zip
链接: https://pan.baidu.com/s/196ZlzwRuIi23YtfeEx26ig 提取码: xfb9
五、OpenVPN 客户端的使用
5.1、OpenVPN GUI 工具
5.1.1、客户端使用说明
1、第一种方法:将账号文件放在客户端的安装目录中的 "config" 目录下,重启客户端工具右键图标,在弹出框中选择账号,再右键,点击 "connect" 选项
2、第二种方法:在桌面右下角右键客户端工具图标,点击 "import file" ,选择账号文件导入,然后再选择账号进行 "connect" 操作
5.1.2、客户端使用截图
1、左边的截图是打开OpenVPN GUI 工具,还没进行连接的情况
2、中间的截图是连接上服务器端后的一瞬间提示连接成功了的弹出框
3、右边的截图是连接服务器端成功 (小电视是绿色的(黄色的话代表连接失败))
4、下面是使用有密码的客户端证书账号登录时的提示
5、连接到服务器成功后,宿主机上的地址显示 和 客户端工具显示的连接成功的信息
5.2、OpenVPN-Connect 工具
5.2.1、客户端使用说明
1、第一种方法:使用账号文件登录(默认情况),只需要导入账号文件即可,最快捷的方法是直接文件托入进工具里面
2、第二种方法:使用账号操作,这种情况要去更改配置文件,使用支持账号相关认证 (个人认为太麻烦和感觉没有必要,就没研究了)
5.2.2、客户端使用截图
1、左边的截图是登录界面,支持两种方式:
1)第一种是账号密码的登录方式,选择"URL"选项,填上服务端的连接地址,然后再使用账号登录
2)第二种是使用账号文件登录的方式,选择"UPLOAD FILE",选择账号文件或者将文件拖入进来即可
2、中间的截图是 无密码的账号文件导入后,直接就显示登录成功了的界面
3、右边的截图是 有密码的账号文件导入后,提示要求输入账号证书的密码的界面
4、左边的截图是显示已经有两个账号文件导入成功了
5、中间的截图是客户端工具可以进行其它的操作项
6、右边的截图是连接成功后,可以查看的日志文件信息