openvpn安装使用及客户端添加删除脚本示例

    技术教程 vpnxxw 160次浏览 0个评论 扫描二维码

    1、安装前准备

    # 关闭selinux
    setenforce 0
    sed -i ‘/^SELINUX=/c\SELINUX=disabled’ /etc/selinux/config
    # 安装openssl和lzo,lzo用于压缩通讯数据加快传输速度
    yum -y install openssl openssl-devel
    yum -y install lzo
    # 安装epel源
    rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
    sed -i ‘s/^mirrorlist=https/mirrorlist=http/’ /etc/yum.repos.d/epel.repo

    2、安装及配置OpenVPN和easy-rsa

    # 安装openvpn和easy-rsa
    yum -y install openvpn easy-rsa
    # 修改vars文件
    cd /usr/share/easy-rsa/2.0/
    vim vars
    # 修改注册信息,比如公司地址、公司名称、部门名称等。
    export KEY_COUNTRY=”CN”
    export KEY_PROVINCE=”Shanghai”
    export KEY_CITY=”Shanghai”
    export KEY_ORG=”suredata”
    export KEY_EMAIL=”[email protected]
    export KEY_OU=”suredataUnit”
    # 初始化环境变量
    source vars
    # 清除keys目录下所有与证书相关的文件
    # 下面步骤生成的证书和密钥都在/usr/share/easy-rsa/2.0/keys目录里
    ./clean-all
    # 生成根证书ca.crt和根密钥ca.key(一路按回车即可)
    ./build-ca
    # 为服务端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车)
    ./build-key-server server
    # 创建迪菲·赫尔曼密钥,会生成dh2048.pem文件(生成过程比较慢,不要去中断它)
    ./build-dh
    # 生成ta.key文件(防DDos攻击、UDP淹没等恶意攻击)
    openvpn –genkey –secret keys/ta.key

    3、创建服务器端配置文件

    # 在openvpn的配置目录下新建一个keys目录
    mkdir /etc/openvpn/keys
    # 将需要用到的openvpn证书和密钥复制一份到刚创建好的keys目录中
    cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
    # 复制一份服务器端配置文件模板server.conf到/etc/openvpn/
    cp /usr/share/doc/openvpn-2.4.3/sample/sample-config-files/server.conf /etc/openvpn/
    # 查看server.conf里的配置参数
    grep ‘[#;]’ /etc/openvpn/server.conf
    # 编辑server.conf
    vi /etc/openvpn/server.conf

         以下是我本地的配置,供参考
         port 1194
         proto udp
         dev tun
         # 路径前面加keys,全路径为/etc/openvpn/keys/ca.crt
         ca keys/ca.crt
         cert keys/server.crt
         key keys/server.key  # This file should be kept secret
         dh keys/dh2048.pem
         # 默认虚拟局域网网段,不要和实际的局域网冲突即可
         server 10.8.0.0 255.255.0.0
         ifconfig-pool-persist ipp.txt
         push "route 172.16.0.0 255.255.0.0"
         keepalive 10 120
         cipher BF-CBC
         comp-lzo
         persist-key
         persist-tun
         # OpenVPN的状态日志,默认为/etc/openvpn/openvpn-status.log
         status openvpn-status.log
         # OpenVPN的运行日志,默认为/etc/openvpn/openvpn.log
         log-append  openvpn.log
         # 改成verb 5可以多查看一些调试信息
         verb 5
         explicit-exit-notify 1
         
         # 可以让客户端之间相互访问直接通过openvpn程序转发,根据需要设置
         #client-to-client
         # 如果客户端都使用相同的证书和密钥连接VPN,一定要打开这个选项,否则每个证书只允许一个人连接VPN
         #duplicate-cn
    

    4、配置内核和防火墙,启动服务

    # 开启路由转发功能
    sed -i ‘/net.ipv4.ip_forward/s/0/1/’ /etc/sysctl.conf
    sysctl -p
    # 配置防火墙,别忘记保存
    iptables -I INPUT -p udp –dport 1194 -m comment –comment “openvpn” -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
    service iptables save
    # 启动openvpn并设置为开机启动
    service openvpn start
    chkconfig openvpn on

    5、生成客户端证书及配置文件

    # 为客户端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)
    /usr/share/easy-rsa/2.0/build-key client1
    # 客户端配置文件生成
    客户端配置文件示例:
    client
    dev tun
    proto udp
    remote 58.247.x.x 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    comp-lzo
    keysize 128
    verb 5
    <ca>
    —–BEGIN CERTIFICATE—–
    ca.crt 内容
    —–END CERTIFICATE—–
    </ca>
    <cert>
    6a:1f:62:81
    —–BEGIN CERTIFICATE—–
    client1.crt 内容
    —–END CERTIFICATE—–
    </cert>
    <key>
    —–BEGIN PRIVATE KEY—–
    client1.key 内容
    —–END PRIVATE KEY—–
    </key>

    6、下面贴出自动生成客户端证书和配置的脚本

    openvpn_user.sh 脚本内容:
    vi openvpn_user.sh
    以下是脚本内容,供参考

     #! /bin/bash
     para_num=$#
     operation=$1
     vpn_user=$2
    
     function help()
     {
        echo './openvpn_user.sh add username(vpn username)'
        echo './openvpn_user.sh del username(vpn username)'
     }
    
     function add_user()
     {
        if [ -f /usr/share/easy-rsa/2.0/keys/$vpn_user.crt ];then
                echo "$vpn_user already exist!"
                exit 1
        else
                cd /usr/share/easy-rsa/2.0/
                source ./vars
                /suredata/bin/vpn_expect.expect $vpn_user 
                cd /usr/share/easy-rsa/2.0/keys
                generate_client_conf
                cp /root/user_data/${vpn_user}/${vpn_user}.ovpn /suredata/bin/weblog/
    
                echo "===============================success=================================="
                echo "add vpn user: $vpn_user success!"
                echo "===============================success=================================="
        fi
     }
    
     function del_user()
     {
        cd /usr/share/easy-rsa/2.0/
        source ./vars
        /usr/share/easy-rsa/2.0/revoke-full $vpn_user
        rm -rf /usr/share/easy-rsa/2.0/keys/${vpn_user}.*
        rm -rf /suredata/bin/weblog/${vpn_user}.*
        echo "================================success================================"
        echo "del vpn user: $vpn_user success!" 
        echo "================================success================================"
     }
    
     function generate_client_conf()
     {
        # client path
        mkdir -p /root/user_data/$vpn_user
        user_path=/root/user_data/$vpn_user
        client_file=${user_path}/${vpn_user}.ovpn
        client_crt_file=/usr/share/easy-rsa/2.0/keys/${vpn_user}.crt
        client_key_file=/usr/share/easy-rsa/2.0/keys/${vpn_user}.key
        ca_crt_file=/usr/share/easy-rsa/2.0/keys/ca.crt
    
        echo "client" > ${client_file}
        echo "dev tun" >> ${client_file}  
        echo "proto udp" >> ${client_file}
        echo "remote 58.247.125.141 1194" >> ${client_file}
        echo "resolv-retry infinite" >> ${client_file}
        echo "nobind" >> ${client_file}
        echo "persist-key" >> ${client_file}
        echo "persist-tun" >> ${client_file}
        echo "comp-lzo" >> ${client_file}
        echo "keysize 128" >> ${client_file}
        echo "verb 5" >> ${client_file}
    
        echo "<ca>" >> ${client_file}
        cat ${ca_crt_file} >> ${client_file}
        echo "</ca>" >> ${client_file}
    
        echo "<cert>" >> ${client_file}
        tail -n 31 ${client_crt_file} >> ${client_file}
        echo "</cert>" >> ${client_file}
    
        echo "<key>" >> ${client_file}
        cat ${client_key_file} >> ${client_file}
        echo "</key>" >> ${client_file}
     }
    
     function main()
     {
        if [ $para_num -ne 2 ];then
                echo "para is illegal!"
                help
                exit 1
        else
                if [ $operation = "add" ];then
                        add_user
                elif [ $operation = "del" ];then
                        del_user
                else
                        echo 'operation only support add | del'
                        help
                        exit 1
                fi
        fi
     }
    
     main
    

    /suredata/bin/vpn_expect.expect //自动生成客户端证书expect脚本
    以下是脚本内容,供参考

     #!/usr/bin/expect -f
     if $argc<1 {
        puts stderr "Usage: $argv0 need argv.\n"
        exit 1
     }
     set vpnuser [lindex $argv 0]
     set path /usr/share/easy-rsa/2.0
     spawn $path/build-key $vpnuser
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "\r"
     expect "*"
     send "y\r"
     expect "*"
     send "y\r"
     expect eof
     exit
    anyShare分享到:

    VPN信息网 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权 , 转载请注明-VPN信息网-openvpn安装使用及客户端添加删除脚本示例
    喜欢 (0)
    发表我的评论
    取消评论

    表情 贴图 加粗 删除线 居中 斜体 签到

    Hi,您需要填写昵称和邮箱!

    • 昵称 (必填)
    • 邮箱 (必填)
    • 网址