The Easiest Way To Install And Configure OpenVPN Server In Linux
[51CTO.com quick translation] This article shows how to install and configure an OpenVPN server on RPM- and DEB-based systems. It uses a script named openvpn-install, which automates the whole installation and configuration of the OpenVPN server. With it you can have your own VPN server running in a few minutes, even if you have never used OpenVPN before.
Enough preamble; let's get started.
Installing and configuring OpenVPN Server in Linux
For this article I use two systems running 64-bit CentOS 7, one as the OpenVPN server and the other as the OpenVPN client. The test systems are:
- OpenVPN server:
  - OS: CentOS 7 64-bit minimal
  - IP address: 192.168.43.150/24
  - Hostname: vpnserver.ostechnix.local
- OpenVPN client:
  - OS: CentOS 7 64-bit minimal
  - IP address: 192.168.43.199/24
Let's look at the server side first.
Installing and configuring the OpenVPN server
Download the openvpn-install script from its GitHub page:
wget https://git.io/vpn -O openvpn-install.sh
Then run it as root:
bash openvpn-install.sh
The script is fetched from the network and runs with root privileges (it installs packages, writes the server configuration and adjusts the firewall and IP forwarding), so read through it before running it. It asks a series of questions; answer them as described below.
Make sure the VPN server's IP address is correct. If the server has more than one address, enter the address of the network interface you want OpenVPN to listen on.
Welcome to this quick OpenVPN "road warrior" installer
I need to ask you a few questions before starting the setup
You can leave the default options and just press enter if you are ok with them
First I need to know the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: 192.168.43.150
Choose the protocol you want to use. I wanted a TCP port, so I chose 2. UDP is the recommended choice and the better one unless UDP is blocked between your clients and the server: carrying TCP sessions inside a TCP tunnel performs badly under packet loss, because both layers retransmit.
Which protocol do you want for OpenVPN connections?
1) UDP (recommended)
2) TCP
Protocol [1-2]: 2
Enter the port number (1194 is OpenVPN's registered default):
What port do you want OpenVPN listening to?
Port: 1194
Enter the DNS servers you want the VPN to push to clients. I wanted Google's public resolvers, so I chose option 2. Whatever you pick is where every client's DNS queries go while the tunnel is up, so choose a resolver you are prepared to trust with that traffic; option 1 reuses the resolvers the server itself is configured with.
Which DNS do you want to use with the VPN?
1) Current system resolvers
2) Google
3) OpenDNS
4) NTT
5) Hurricane Electric
6) Verisign
DNS [1-6]: 2
That brings us to the last question: the name for the client certificate. It should be a single word with no special characters. The name becomes the CN of the client's certificate, so use a distinct name for each device or user; that is what lets you revoke one client later without affecting the others.
Finally, tell me your name for the client certificate
Please, use one word only, no special characters
Client name: client
Press Enter to start the OpenVPN server installation.
Okay, that was all I needed. We are ready to setup your OpenVPN server now
Press any key to continue...
If all goes well, the script installs the packages the OpenVPN server depends on and generates the CA, server and client keys and certificates used to authenticate the VPN peers. This takes a few minutes.
Finally the script asks whether the server has an external IP address. If the server is not behind NAT, leave the field blank and press Enter. If it is, enter the public address and forward the chosen port to the server, because that address is what the generated client profile will connect to.
If your server is NATed (e.g. LowEndSpirit), I need to know the external IP
If that's not the case, just ignore this and leave the next field blank
External IP:
Finished!
Your client configuration is available at /root/client.ovpn
If you want to add more clients, you simply need to run this script again!
The OpenVPN server is now installed and configured. As the final lines show, the client configuration is saved in /root/client.ovpn, and that file has to be copied to the VPN client system. The profile embeds the CA certificate, the client's certificate and private key and the tls-auth key, so treat it as a credential: copy it over an authenticated channel such as scp, restrict its permissions on the client, and generate a separate profile for each client by running the script again rather than sharing one file between machines.
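Before handing the profile out, it is worth checking what the script actually wrote. The following is an added example, not code from the article or from the openvpn-install project: a small shell audit of a client profile that parses the top-level directives (skipping the inline key blocks), confirms the CA, certificate, key and tls-auth material are embedded, checks remote-cert-tls, cipher, auth and proto, and checks the file mode. It runs against a constructed sample profile written to a temporary file so it works offline; the sample mirrors the directives of the session above, with placeholder text instead of real key material. Point PROFILE at the real /root/client.ovpn to audit that instead.

```shell
#!/bin/sh
# Added example, not code from the article or the openvpn-install project:
# audit the client profile the script writes (/root/client.ovpn).
set -u

# Constructed sample mirroring the article's session (TCP, port 1194,
# tls-auth, AES-256-CBC, SHA1). The key material is placeholder text.
PROFILE="${TMPDIR:-/tmp}/client-sample.$$.ovpn"
trap 'rm -f "$PROFILE"' EXIT
cat > "$PROFILE" <<'EOF'
client
dev tun
proto tcp
remote 192.168.43.150 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
comp-lzo
key-direction 1
block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder, not a real key)
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
chmod 644 "$PROFILE"   # deliberately too open, so the audit has something to flag

# ovpn_directive FILE NAME: value of the first top-level NAME directive,
# ignoring anything inside <tag>...</tag> inline blocks. Empty if absent.
ovpn_directive() {
    awk -v want="$2" '
        /^<[a-z-]+>$/   { inblock = 1; next }
        /^<\/[a-z-]+>$/ { inblock = 0; next }
        !inblock && $1 == want { sub(/^[^ \t]+[ \t]*/, ""); print; exit }
    ' "$1"
}

# ovpn_has_block FILE TAG: true if an inline <TAG> block is embedded.
ovpn_has_block() { grep -q "^<$2>\$" "$1"; }

# ovpn_mode FILE: octal permission bits (GNU stat, falling back to BSD stat).
ovpn_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# ovpn_audit FILE: one OK/WARN/NOTE line per check; returns 1 if anything was flagged.
ovpn_audit() {
    f="$1"; rc=0
    for blk in ca cert key tls-auth; do
        if ovpn_has_block "$f" "$blk"; then echo "OK   inline <$blk> embedded"
        else echo "WARN inline <$blk> missing"; rc=1; fi
    done
    if [ "$(ovpn_directive "$f" remote-cert-tls)" = server ]; then
        echo "OK   remote-cert-tls server (peer must present a server-EKU certificate)"
    else
        echo "WARN remote-cert-tls server missing: another client's cert could pose as the server"; rc=1
    fi
    cipher=$(ovpn_directive "$f" cipher); auth=$(ovpn_directive "$f" auth)
    case "$cipher" in
        AES-256-GCM|AES-128-GCM) echo "OK   cipher $cipher (AEAD)";;
        AES-*-CBC) echo "OK   cipher $cipher (OpenVPN 2.4+ negotiates AES-GCM instead)";;
        *) echo "WARN cipher '$cipher' is weak or unset (OpenVPN 2.3 defaults to BF-CBC)"; rc=1;;
    esac
    case "$auth" in
        SHA256|SHA384|SHA512) echo "OK   auth $auth";;
        *) echo "WARN auth '$auth' is a legacy HMAC choice; prefer SHA256 or stronger"; rc=1;;
    esac
    [ "$(ovpn_directive "$f" proto)" = tcp ] && echo "NOTE proto tcp: TCP-in-TCP; use udp unless it is blocked"
    mode=$(ovpn_mode "$f")
    case "$mode" in
        600|400) echo "OK   mode $mode";;
        *) echo "WARN mode $mode: the profile holds a private key, chmod 600 it"; rc=1;;
    esac
    return $rc
}

ovpn_audit "$PROFILE" || echo "profile needs attention (see WARN lines)"
```

On the sample the audit flags two things: the SHA1 HMAC and the 644 file mode. HMAC-SHA1 is not practically broken, but it is a legacy default that newer OpenVPN releases have moved away from, which is why the check treats it as a warning rather than a failure.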
I copied client.ovpn to my VPN client:
scp client.ovpn root@192.168.43.199:/etc/openvpn/
Next we configure the OpenVPN client.
Configuring the OpenVPN client
Make sure you have copied client.ovpn over from the VPN server. I placed it in /etc/openvpn/ on the client system.
Install the openvpn package with the distribution's package manager (on CentOS 7 the package comes from the EPEL repository, so enable EPEL first):
yum install openvpn
Then run the following command to establish a secure connection to the VPN server. This runs OpenVPN in the foreground as root; to run it as a service instead, save the profile as /etc/openvpn/client.conf and start openvpn@client with systemctl.
openvpn --config /etc/openvpn/client.ovpn
Sample output:
Wed Apr 5 18:50:44 2017 Unrecognized option or missing parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.3.14)
Wed Apr 5 18:50:44 2017 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016
Wed Apr 5 18:50:44 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Wed Apr 5 18:50:44 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 5 18:50:44 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:44 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:44 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Apr 5 18:50:44 2017 Attempting to establish TCP connection with [AF_INET]192.168.43.150:1194 [nonblock]
Wed Apr 5 18:50:45 2017 TCP connection established with [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:45 2017 TCPv4_CLIENT link local: [undef]
Wed Apr 5 18:50:45 2017 TCPv4_CLIENT link remote: [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:45 2017 TLS: Initial packet from [AF_INET]192.168.43.150:1194, sid=c6fb554e 362eb192
Wed Apr 5 18:50:45 2017 VERIFY OK: depth=1, CN=ChangeMe
Wed Apr 5 18:50:45 2017 Validating certificate key usage
Wed Apr 5 18:50:45 2017 ++ Certificate has key usage 00a0, expects 00a0
Wed Apr 5 18:50:45 2017 VERIFY KU OK
Wed Apr 5 18:50:45 2017 Validating certificate extended key usage
Wed Apr 5 18:50:45 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Apr 5 18:50:45 2017 VERIFY EKU OK
Wed Apr 5 18:50:45 2017 VERIFY OK: depth=0, CN=server
Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Apr 5 18:50:45 2017 [server] Peer Connection Initiated with [AF_INET]192.168.43.150:1194
Wed Apr 5 18:50:48 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 5 18:50:48 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: route options modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: route-related options modified
Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 5 18:50:48 2017 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:28:98:6b
Wed Apr 5 18:50:48 2017 TUN/TAP device tun0 opened
Wed Apr 5 18:50:48 2017 TUN/TAP TX queue length set to 100
Wed Apr 5 18:50:48 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 5 18:50:48 2017 /usr/sbin/ip link set dev tun0 up mtu 1500
Wed Apr 5 18:50:48 2017 /usr/sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 192.168.43.150/32 dev enp0s3
Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Wed Apr 5 18:50:48 2017 Initialization Sequence Completed
The warning on the first line is harmless: block-outside-dns is a directive that only the Windows client understands (it stops DNS queries from bypassing the tunnel on Windows), and the Linux build simply reports it as unrecognized. The rest of the log shows what was negotiated: the control channel is protected by tls-auth and TLSv1.2, and on OpenVPN 2.3 the data channel uses AES-256-CBC with an HMAC-SHA1; OpenVPN 2.4 and later negotiate AES-256-GCM instead. The PUSH_REPLY shows that the server pushed redirect-gateway, so all of the client's traffic is routed into the tunnel, along with the two Google resolvers chosen earlier; the two /1 routes via 10.8.0.1 are how that default-route override is implemented.
Now check that tun0, the VPN interface, has been created and see what address it was given, using 'ip addr':
ip addr
Sample output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:28:98:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.199/24 brd 192.168.43.255 scope global dynamic enp0s3
       valid_lft 42359sec preferred_lft 42359sec
    inet6 fe80::a00:27ff:fe28:986b/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
As the output shows, the VPN server assigned 10.8.0.2 to the client from the 10.8.0.0/24 tunnel subnet; the server's own tunnel address is 10.8.0.1, the route-gateway pushed in the log above.
Now try to ping the VPN server from the client, over the tunnel:
ping -c3 10.8.0.1
Sample output:
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.05 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=1.94 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=2.49 ms
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.057/1.832/2.495/0.594 ms
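A successful ping of 10.8.0.1 only proves the tunnel is up. Because the server pushed redirect-gateway, what you actually want to confirm is that the tunnel carries all of the client's traffic and that the negotiated crypto and pushed DNS are what you expect. The following is an added example, not code from the article: a shell script that pulls the negotiated cipher, HMAC and TLS version and the pushed options out of the OpenVPN client log, and checks the routing table for the two def1 half-routes leaving via tun0. It runs here on constructed samples (the relevant log lines from the session above, and an `ip route` listing that mirrors the routes the log added) so it works offline; on a live client feed it the real log and the real `ip route` output.

```shell
#!/bin/sh
# Added example, not code from the article: post-connection checks for the client,
# parsing the OpenVPN client log and the routing table.
set -u

# Constructed sample: the relevant subset of the client log shown in the article.
SAMPLE_LOG=$(cat <<'EOF'
Wed Apr 5 18:50:44 2017 Unrecognized option or missing parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.3.14)
Wed Apr 5 18:50:44 2017 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 5 18:50:45 2017 VERIFY OK: depth=0, CN=server
Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 5 18:50:45 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Apr 5 18:50:48 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Wed Apr 5 18:50:48 2017 Initialization Sequence Completed
EOF
)

# Constructed sample: `ip route` on the client after the routes in the log were added.
# The original default route stays; the two /1 routes are more specific and win.
SAMPLE_ROUTES=$(cat <<'EOF'
default via 192.168.43.1 dev enp0s3 proto static metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.43.0/24 dev enp0s3 proto kernel scope link src 192.168.43.199
192.168.43.150 dev enp0s3 scope link
EOF
)

# log_quoted LOG PATTERN: first single-quoted value on the first line containing PATTERN.
log_quoted() {
    printf '%s\n' "$1" | awk -v pat="$2" -v q="'" '
        index($0, pat) { if (match($0, q "[^" q "]*" q)) print substr($0, RSTART + 1, RLENGTH - 2); exit }'
}
log_cipher()   { log_quoted "$1" "Data Channel Encrypt: Cipher"; }   # e.g. AES-256-CBC
log_hmac()     { log_quoted "$1" "Data Channel Encrypt: Using"; }    # e.g. SHA1
log_tls()      { printf '%s\n' "$1" | sed -n 's/.*Control Channel: \(TLSv[0-9.]*\),.*/\1/p' | head -n 1; }
log_init_ok()  { printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'; }
log_warnings() { printf '%s\n' "$1" | grep -c 'Unrecognized option' || true; }

# log_pushed LOG OPTION: values of OPTION in the PUSH_REPLY, one per line
# (exact option match, so "ping" does not also pick up "ping-restart").
log_pushed() {
    log_quoted "$1" "PUSH: Received control message" | tr ',' '\n' \
        | awk -v want="$2" 'index($0, want " ") == 1 || $0 == want { print substr($0, length(want) + 2) }'
}

# route_full_tunnel ROUTES DEV: true when both def1 halves (0.0.0.0/1 and 128.0.0.0/1)
# leave via DEV, which is what makes the tunnel carry all traffic.
route_full_tunnel() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) seen[$1] = 1 }
        END { exit !(("0.0.0.0/1" in seen) && ("128.0.0.0/1" in seen)) }'
}

# vpn_verify LOG ROUTES DEV: print a report; returns 0 only if the tunnel is up
# and, when redirect-gateway was pushed, really carries all traffic via DEV.
vpn_verify() {
    ok=0
    log_init_ok "$1" && echo "OK   tunnel initialised" || { echo "FAIL tunnel did not come up"; ok=1; }
    echo "INFO control channel $(log_tls "$1"); data channel $(log_cipher "$1") with HMAC-$(log_hmac "$1")"
    [ "$(log_hmac "$1")" = SHA1 ] && echo "NOTE HMAC-SHA1 is the OpenVPN 2.3 default; 2.4+ negotiates AES-256-GCM, which needs no separate HMAC"
    if [ -n "$(log_pushed "$1" redirect-gateway)" ]; then
        if route_full_tunnel "$2" "$3"; then echo "OK   redirect-gateway pushed and both /1 routes go via $3"
        else echo "FAIL redirect-gateway pushed but the /1 routes are not on $3: traffic bypasses the VPN"; ok=1; fi
    else
        echo "NOTE no redirect-gateway pushed: only VPN subnets are routed through the tunnel"
    fi
    echo "INFO pushed DNS: $(log_pushed "$1" 'dhcp-option DNS' | tr '\n' ' ')"
    n=$(log_warnings "$1")
    [ "$n" -gt 0 ] && echo "NOTE $n unrecognized option(s); block-outside-dns is Windows-only and harmless on Linux"
    return $ok
}

vpn_verify "$SAMPLE_LOG" "$SAMPLE_ROUTES" tun0
```

The route check looks for the two /1 routes rather than for a changed default route because that is how OpenVPN's redirect-gateway def1 works: the original default stays in place and is simply out-prioritised by the more specific halves, which is also why a missing tun0 on either half means traffic silently leaks out of the physical interface.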
Congratulations! We have installed and configured an OpenVPN server and client on CentOS. The same procedure works on DEB-based systems such as Ubuntu and Linux Mint. Compared with a manual installation, the script makes installing and configuring OpenVPN a great deal easier. Keep in mind that the ping only proves the tunnel is up; since the server pushes redirect-gateway, also confirm that the client's default route and DNS really go through tun0, and keep the openvpn packages on both ends updated so that you benefit from the stronger cipher defaults of newer releases.
Original title: An Easiest Way To Install And Configure OpenVPN Server In Linux, author: SK
[51CTO translation. Partner sites reprinting this article must credit the translator and 51CTO.com as the source.]