Using OpenVPN on CentOS 7

Setting up OpenVPN on CentOS is a real hassle.
Looking around, there is a paid edition of OpenVPN that is managed entirely through a web interface:
https://openvpn.net/software-packages/
But of course there are experts on GitHub sharing a one-click OpenVPN installer:
https://github.com/angristan/openvpn-install
It supports a large number of Linux distributions.

1. Download openvpn-install
2. Install OpenVPN
3. Use it on a Linux client

1. Download openvpn-install

#curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh

2. Install OpenVPN

#./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 172.21.169.208 (internal IP)

It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 4X.X4.XX.175 (public IP)

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n (no IPv6 support here)

What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 2 (use a custom port)
Custom port [1-65535]: 443

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 2 (use TCP)

What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Russia)
DNS [1-10]: 3 (DNS resolver choice)

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: y (whether to compress)
Choose which compression algorithm you want to use:
1) LZ4 (more efficient)
2) LZ0
Compression algorithm [1-2]: 1 (compression algorithm)

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n (whether to adjust the encryption settings)

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...

After installation the script starts the service automatically and enables it at boot.
The default settings are:
a. After connecting, clients get addresses from the 10.8.0.0/24 subnet
b. After connecting, all Internet traffic goes through the OpenVPN host (Route All Traffic)
When the installation finishes, the script then asks you to create a client account and password

Tell me a name for the client.
Use one word only, no special characters.
Client name: fred (creates the fred account)

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1 (whether a password is required to connect)

Once the account is created, the script prints the following message

Client fred added, the configuration file is available at /root/fred.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
If you want to add more clients, you simply need to run this script another time!

To change the VPN settings, edit the following file

#vim /etc/openvpn/server.conf
port 9999   #listening port
proto tcp    #use TCP
dev tun       #tunnel mode
server 10.8.0.0 255.255.255.0  #subnet clients receive after connecting
push "dhcp-option DNS 8.8.8.8"  #DNS server clients receive after connecting
push "redirect-gateway def1 bypass-dhcp" #send the client's default route through the OpenVPN server

Assigning a fixed IP to an OpenVPN client (the ccd directory must exist, and the file is named after the client's common name, here test)

#sed -i '$aclient-config-dir /etc/openvpn/ccd' /etc/openvpn/server.conf
#echo "ifconfig-push 10.8.0.50 255.255.255.0" > /etc/openvpn/ccd/test

Configuring iptables for OpenVPN

#vim /etc/iptables/add-openvpn-rules.sh
#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p tcp --dport 9999 -j ACCEPT
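As an added example (not from this post or the angristan script), the Python below audits a server.conf and a ccd file for the settings changed in this section: that proto/port match the iptables INPUT rule, that the ccd static address falls inside the server subnet, that the DNS and default-route pushes are present, and whether compression is still on. The config text is constructed inline; the compress lz4 line is an assumption about what the installer writes for the LZ4 choice.

```python
import ipaddress
import shlex

# Constructed sample mirroring the page's server.conf listing; the
# 'compress lz4' line is assumed to be what the installer writes for LZ4.
SERVER_CONF = """\
port 9999   # listening port
proto tcp
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
client-config-dir /etc/openvpn/ccd
compress lz4
"""
# Constructed sample mirroring the page's ccd file for client "test".
CCD_TEST = "ifconfig-push 10.8.0.50 255.255.255.0\n"


def parse_openvpn_conf(text):
    """Return (directive, args) pairs; '#' or ';' begin a comment, quotes group args."""
    entries = []
    for raw in text.splitlines():
        lexer = shlex.shlex(raw, posix=True)
        lexer.commenters, lexer.whitespace_split = "#;", True
        parts = list(lexer)
        if parts:  # skip blank and comment-only lines
            entries.append((parts[0], parts[1:]))
    return entries


def audit(server_text, ccd_text):
    """Check port/proto, pushed DNS and default route, ccd IP, and compression (VORACLE)."""
    opts, pushes = {}, []
    for name, args in parse_openvpn_conf(server_text):
        if name == "push":
            pushes.append(args[0])
        else:
            opts[name] = args
    # proto/port must match the iptables INPUT rule (the page opens tcp/9999).
    listen = (opts.get("proto", ["udp"])[0], int(opts.get("port", ["1194"])[0]))
    # A ccd ifconfig-push address only works if it lies inside the 'server' subnet.
    vpn_net = ipaddress.ip_network("{}/{}".format(*opts["server"][:2]), strict=False)
    ccd = dict(parse_openvpn_conf(ccd_text))
    static_ip = ipaddress.ip_address(ccd["ifconfig-push"][0])
    return {
        "listen": listen,
        "static_ip_in_subnet": static_ip in vpn_net,
        "redirect_gateway": any(p.startswith("redirect-gateway") for p in pushes),
        "pushed_dns": [p.split()[2] for p in pushes if p.startswith("dhcp-option DNS")],
        "compression_enabled": any(k in opts for k in ("compress", "comp-lzo")),
    }
```

On a real host, read /etc/openvpn/server.conf and /etc/openvpn/ccd/<client> and pass their contents to audit().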

Restart the service

#systemctl restart openvpn@server.service

Restart only the iptables rules

#systemctl restart iptables-openvpn.service

3. Use it on a Linux client
Connect automatically, and keep retrying the connection 5 seconds after a disconnect

#openvpn --config /root/fred.ovpn --resolv-retry infinite