Setting up OpenVPN assumes some familiarity with Linux system administration. The steps below are for a CentOS/RHEL-family system that uses yum; the OpenVPN and easy-rsa packages come from the EPEL repository.
Install OpenVPN from the terminal:
- sudo yum install -y epel-release
- sudo yum install -y openvpn
Copy the sample configuration files into /etc/openvpn. The documentation directory carries a version suffix on older packages (openvpn-2.x.y) and none on newer ones, hence the glob:
- cd /etc/openvpn
- sudo cp /usr/share/doc/openvpn*/sample/sample-config-files/*.conf .
Open /etc/openvpn/server.conf in a text editor and make sure the following directives are present and not commented out (a leading ";" in the sample file disables a line):
- port 1194
- proto udp
- dev tun
- ca ca.crt
- cert server.crt
- key server.key
- dh dh.pem
- tls-auth ta.key 0 # This file is secret
- auth SHA256
- cipher AES-256-CBC
- server 10.8.0.0 255.255.255.0
- push "redirect-gateway def1 bypass-dhcp"
- push "dhcp-option DNS 8.8.8.8"
- push "dhcp-option DNS 8.8.4.4"
- keepalive 10 120
- user nobody
- group nobody
- persist-key
- persist-tun
- verb 3
Here `server 10.8.0.0 255.255.255.0` is the subnet from which clients receive addresses (the server itself is 10.8.0.1 on the tunnel). `redirect-gateway def1 bypass-dhcp` pushes routes that send all of the client's traffic through the VPN; this only works if the server has IP forwarding enabled (net.ipv4.ip_forward = 1) and NATs the 10.8.0.0/24 subnet out of its Internet-facing interface, otherwise clients connect successfully but lose Internet access. 8.8.8.8 and 8.8.4.4 are Google's public DNS servers; note that `dhcp-option DNS` is applied automatically only by Windows clients, while Linux clients need an up/down script (such as update-resolv-conf) or they keep using their local resolver. `ca`, `cert`, `key`, `dh` and `tls-auth` point at files created in the next step. `tls-auth` makes the server drop any control-channel packet that lacks a valid HMAC before it reaches the TLS code, and `auth SHA256` is the digest used for that HMAC, so it must be set identically on server and client (the default is SHA1; a mismatch makes the server silently discard the client's packets). `user nobody` and `group nobody` drop privileges once the tunnel is up, which is why `persist-key` and `persist-tun` are needed for the daemon to survive a restart signal.
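As an added example (not part of the original tutorial), the following shell script checks a server.conf for the directives listed above, treating lines commented out with `;` or `#` as absent, which is how the shipped sample file disables them. The two configuration files it runs against are constructed inline; the function names, the temp-file handling and the expectation that the values match this guide (tls-auth key direction 0, `auth SHA256`, an AES-256 cipher, `user`/`group nobody`) are assumptions of the example:

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: audit an OpenVPN server.conf for the
# security-relevant directives this guide enables. Lines disabled with a leading ';' or '#'
# (as in the shipped sample server.conf) count as absent. The two configuration files below
# are constructed inline for demonstration; on a real host run:
#   audit_server_conf /etc/openvpn/server.conf

# Print the active directives of a config file: comments, surrounding whitespace and blank lines removed.
active_directives() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# has_directive FILE NAME [ARG-REGEX]: succeed if NAME is active, optionally with arguments matching the regex.
has_directive() {
    if [ -n "${3:-}" ]; then
        active_directives "$1" | grep -Eq "^$2[[:space:]]+($3)([[:space:]]|\$)"
    else
        active_directives "$1" | grep -Eq "^$2([[:space:]]|\$)"
    fi
}

FINDINGS=0
_missing() { echo "MISSING: $1"; FINDINGS=$((FINDINGS + 1)); }

# audit_server_conf FILE: print one MISSING line per finding (count in $FINDINGS); return 0 only when clean.
audit_server_conf() {
    local conf d
    conf="$1"; FINDINGS=0
    # Certificate material: without 'ca' the server cannot verify client certificates at all
    for d in ca cert key dh; do
        has_directive "$conf" "$d" || _missing "$d <file>"
    done
    # Control-channel packets without a valid HMAC are dropped before any TLS processing (server side of the key is 0)
    has_directive "$conf" tls-auth '[^[:space:]]+[[:space:]]+0' || has_directive "$conf" tls-crypt \
        || _missing "tls-auth <file> 0 (or tls-crypt <file>)"
    # The HMAC digest must match the client's 'auth SHA256'; the SHA1 default makes the client's packets fail
    has_directive "$conf" auth 'SHA256' || _missing "auth SHA256"
    has_directive "$conf" cipher 'AES-256-(CBC|GCM)' || has_directive "$conf" data-ciphers \
        || _missing "cipher AES-256-CBC (or data-ciphers)"
    # Drop root once the tunnel is up; persist-key/persist-tun let the daemon survive SIGUSR1 restarts afterwards
    has_directive "$conf" user nobody  || _missing "user nobody"
    has_directive "$conf" group nobody || _missing "group nobody"
    has_directive "$conf" persist-key  || _missing "persist-key"
    has_directive "$conf" persist-tun  || _missing "persist-tun"
    has_directive "$conf" keepalive    || _missing "keepalive 10 120"
    [ "$FINDINGS" -eq 0 ]
}

# Constructed sample 1: the shipped sample with the hardening lines still commented out and no 'ca'
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher AES-256-CBC
;user nobody
;group nobody
persist-key
persist-tun
verb 3
EOF

# Constructed sample 2: the configuration this guide arrives at
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0 # This file is secret
auth SHA256
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $f"
    if audit_server_conf "$f"; then echo "OK: all hardening directives active"; fi
done
```

The audit reports six findings for the first file (no `ca`, and tls-auth, auth, cipher, user and group all disabled) and none for the second. It only checks presence, not the contents of the referenced files; a missing or unreadable ca.crt, dh.pem or ta.key still has to be caught from the daemon's startup log.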
Next, create the keys and certificates referenced above. OpenVPN's client/server mode needs a certificate authority: the server verifies client certificates against `ca ca.crt`, clients verify the server certificate the same way, and `remote-cert-tls server` on the client additionally requires the server certificate to carry the TLS server extended key usage. A single self-signed server certificate (openssl req followed by openssl x509 -signkey) satisfies none of this, so use easy-rsa, which sets the correct server and client extensions and which the automated script at the end of this page also relies on:
- sudo yum install -y easy-rsa
- cd /etc/openvpn
- sudo openvpn --genkey --secret ta.key
- sudo /usr/share/easy-rsa/3/easyrsa init-pki
- sudo /usr/share/easy-rsa/3/easyrsa build-ca nopass
- sudo /usr/share/easy-rsa/3/easyrsa gen-dh
- sudo /usr/share/easy-rsa/3/easyrsa build-server-full server nopass
- sudo /usr/share/easy-rsa/3/easyrsa build-client-full client1 nopass
- sudo cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key .
- sudo chmod 600 ta.key server.key
easy-rsa creates its PKI in the current directory, so it ends up in /etc/openvpn/pki; `gen-dh` takes a few minutes. `build-ca nopass` leaves the CA key unencrypted for convenience; for anything beyond a test setup, protect it with a passphrase and keep it off the VPN server, since whoever holds it can issue certificates for new clients. Each client needs ca.crt, its own certificate and key (pki/issued/client1.crt and pki/private/client1.key here) and ta.key, which are embedded in the client configuration below.
Start OpenVPN and enable it at boot. The openvpn@server unit reads /etc/openvpn/server.conf; newer packages additionally ship openvpn-server@.service, which reads /etc/openvpn/server/<name>.conf instead:
- sudo systemctl start openvpn@server
- sudo systemctl enable openvpn@server
Confirm with `sudo systemctl status openvpn@server` (or the journal) that the log reaches "Initialization Sequence Completed"; a missing or unreadable ca.crt, dh.pem or ta.key aborts startup. Because of `redirect-gateway`, the server also has to forward and masquerade client traffic: enable forwarding with `sudo sysctl -w net.ipv4.ip_forward=1` (and persist it under /etc/sysctl.d/), and on a host running firewalld allow the service and NAT with `sudo firewall-cmd --permanent --add-service=openvpn`, `sudo firewall-cmd --permanent --add-masquerade` and `sudo firewall-cmd --reload`.
Create the client configuration from the sample client.conf (still in /etc/openvpn):
- cd /etc/openvpn
- sudo cp client.conf /etc/openvpn/client.ovpn
Open /etc/openvpn/client.ovpn in a text editor and set the following. The CA certificate, the client certificate and key, and the tls-auth key are embedded inline so the client needs only this one file; their contents come from /etc/openvpn/pki/ca.crt, pki/issued/client1.crt, pki/private/client1.key and /etc/openvpn/ta.key created above. `key-direction 1` is the client side of the tls-auth key (the server uses 0), `auth SHA256` and `cipher AES-256-CBC` must match the server, and `remote-cert-tls server` makes the client refuse a connection from anything that presents a client certificate issued by the same CA instead of the server certificate. Remove the `ca`, `cert`, `key` and `tls-auth` file references from the sample when adding the inline blocks:
- client
- dev tun
- proto udp
- remote YOUR_SERVER_IP 1194
- resolv-retry infinite
- nobind
- user nobody
- group nobody
- persist-key
- persist-tun
- remote-cert-tls server
- cipher AES-256-CBC
- auth SHA256
- key-direction 1
- verb 3
- <ca>
- -----BEGIN CERTIFICATE-----
- MIIE...
- -----END CERTIFICATE-----
- </ca>
- <cert>
- -----BEGIN CERTIFICATE-----
- MIIE...
- -----END CERTIFICATE-----
- </cert>
- <key>
- -----BEGIN PRIVATE KEY-----
- ...
- -----END PRIVATE KEY-----
- </key>
- <tls-auth>
- -----BEGIN OpenVPN Static key V1-----
- ...
- -----END OpenVPN Static key V1-----
- </tls-auth>
The .ovpn file contains the client's private key and the shared tls-auth key: keep it mode 600 and transfer it to the client over a secure channel (scp, not e-mail). `user nobody`/`group nobody` apply to Linux clients; Windows clients ignore them.
Start the client from the terminal, where YOUR_SERVER_IP in the configuration is the public IP address or hostname of the VPN server:
- sudo openvpn --config /etc/openvpn/client.ovpn
On the client machine, open another terminal and test the connection:
- ping 10.8.0.1
If the tunnel is up, the VPN server (10.8.0.1 on its tunnel interface) replies. A successful ping only proves that the tunnel itself works; to confirm that Internet traffic is really being redirected, check that `ip route` shows the 0.0.0.0/1 and 128.0.0.0/1 routes via the tun interface and that your public IP address, as seen from the outside, is now the server's.
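As an added example (not part of the original tutorial), the following shell functions perform those post-connection checks from a Linux client: they confirm that the two `def1` routes point into the tunnel, that a bypass route to the server exists outside it, and that the resolvers in use are the pushed ones. They take `ip route` and resolv.conf text as arguments; the route tables and resolv.conf contents below, the server address 203.0.113.10 (a documentation-range address) and the function names are constructed assumptions of the example:

```bash
#!/usr/bin/env bash
# Added example, not part of the original tutorial: verify from a Linux client that the pushed
# "redirect-gateway def1 bypass-dhcp" really took effect and that DNS is not bypassing the tunnel.
# The functions take `ip route` / resolv.conf text as arguments, so they work on live output
# (see the last comment) or, as below, on constructed sample output.

# full_tunnel_active ROUTES [TUN_DEV]: 'def1' installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel.
# Together they cover all of IPv4 and, being more specific than the default route, take precedence
# without replacing it, so the original default route comes back when the tunnel goes down.
full_tunnel_active() {
    local routes dev
    routes="$1"; dev="${2:-tun0}"
    printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev $dev( |\$)" &&
    printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev $dev( |\$)"
}

# server_bypass_present ROUTES SERVER_IP [TUN_DEV]: a host route to the VPN server via a non-tunnel
# interface must exist, otherwise the tunnel's own UDP packets would be routed into the tunnel.
server_bypass_present() {
    local routes server dev
    routes="$1"; server=$(printf '%s' "$2" | sed 's/\./\\./g'); dev="${3:-tun0}"
    printf '%s\n' "$routes" | grep -E "^$server via " | grep -Evq " dev $dev( |\$)"
}

# dns_uses_pushed_servers RESOLV_CONF_TEXT "SERVER ...": every nameserver must be one of the pushed
# servers. Linux applies 'dhcp-option DNS' only through an up/down script, so a LAN resolver still
# listed here means DNS queries leave outside the tunnel.
dns_uses_pushed_servers() {
    local resolv pushed seen ns
    resolv="$1"; pushed="$2"; seen=0
    for ns in $(printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2 }'); do
        seen=1
        case " $pushed " in
            *" $ns "*) ;;
            *) return 1 ;;
        esac
    done
    [ "$seen" -eq 1 ]
}

# client_tunnel_report ROUTES RESOLV SERVER_IP [TUN_DEV]: run all three checks; succeed only if all pass.
client_tunnel_report() {
    local routes resolv server dev rc
    routes="$1"; resolv="$2"; server="$3"; dev="${4:-tun0}"; rc=0
    if full_tunnel_active "$routes" "$dev"; then echo "PASS full tunnel: 0.0.0.0/1 and 128.0.0.0/1 via $dev"
    else echo "FAIL full tunnel: redirect-gateway routes missing"; rc=1; fi
    if server_bypass_present "$routes" "$server" "$dev"; then echo "PASS bypass route to $server outside the tunnel"
    else echo "FAIL no host route to $server outside the tunnel"; rc=1; fi
    if dns_uses_pushed_servers "$resolv" "8.8.8.8 8.8.4.4"; then echo "PASS DNS: only the pushed resolvers are in use"
    else echo "FAIL DNS: a resolver outside the pushed set is in use (DNS leak)"; rc=1; fi
    return "$rc"
}

# Constructed sample: client after a successful connect (net30 topology: client 10.8.0.6, peer 10.8.0.5,
# server public address 203.0.113.10 from the TEST-NET-3 documentation range)
ROUTES_TUNNEL='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 100
203.0.113.10 via 192.168.1.1 dev eth0'

# Constructed sample: tunnel up, but the server did not push redirect-gateway
ROUTES_SPLIT='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10 metric 100'

RESOLV_PUSHED='nameserver 8.8.8.8
nameserver 8.8.4.4'
RESOLV_LAN='nameserver 192.168.1.1'

client_tunnel_report "$ROUTES_TUNNEL" "$RESOLV_PUSHED" 203.0.113.10 || true
echo "--"
client_tunnel_report "$ROUTES_SPLIT" "$RESOLV_LAN" 203.0.113.10 || true
# Live use on a connected client:
#   client_tunnel_report "$(ip route)" "$(cat /etc/resolv.conf)" YOUR_SERVER_IP
```

The first report passes all three checks; the second fails the route checks and flags the LAN resolver as a DNS leak, which is exactly what an unmodified Linux client shows after connecting to this server unless an up/down script applies the pushed DNS servers.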
You now have a working OpenVPN server. For real use, tighten it further: restrict the firewall to UDP 1194 and the services you actually need, keep the CA key off the server, issue one certificate per client so that a lost device can be revoked individually (`easyrsa revoke <name>` followed by `easyrsa gen-crl`, with `crl-verify` pointing the server at the resulting crl.pem), and keep OpenVPN and OpenSSL patched.
Finally, here is a script that automates the steps above:
- #!/bin/bash
- # Automates the steps above on a CentOS/RHEL-family host. Run as root.
- # Not covered here: IP forwarding (net.ipv4.ip_forward=1) and NAT/firewall rules for
- # 10.8.0.0/24, which "redirect-gateway" requires for clients to reach the Internet.
- set -euo pipefail
-
- # Command-line arguments: -d server address (domain name or IP), -k client key name
- DOMAIN=""
- KEY=""
- while getopts "d:k:" arg
- do
-     case $arg in
-         d) DOMAIN=$OPTARG;;
-         k) KEY=$OPTARG;;
-         ?) echo "Usage: $0 -d <domain name> -k <client key name>"; exit 1;;
-     esac
- done
- if [ -z "$DOMAIN" ] || [ -z "$KEY" ]; then
-     echo "Usage: $0 -d <domain name> -k <client key name>"
-     exit 1
- fi
-
- # Install OpenVPN and easy-rsa (both packaged in EPEL)
- yum install -y epel-release
- yum install -y openvpn easy-rsa
-
- # Build the PKI non-interactively: CA, DH parameters, CRL and server certificate.
- # EASYRSA_BATCH suppresses the prompts; the PKI is created in ./pki of the current directory
- # (pki/private is created mode 700, but the CA key should not live on the VPN server long-term).
- export EASYRSA_BATCH=1
- cd /usr/share/easy-rsa/3
- ./easyrsa init-pki
- ./easyrsa build-ca nopass
- ./easyrsa gen-dh
- ./easyrsa gen-crl
- ./easyrsa build-server-full server nopass
- # The tls-auth key is not part of the PKI; easy-rsa does not create it
- openvpn --genkey --secret pki/ta.key
-
- # Configure OpenVPN: start from the sample server.conf, remove the directives this script sets
- # (whether commented out or not, since sample versions differ), then append the hardened values
- cp /usr/share/doc/openvpn*/sample/sample-config-files/server.conf /etc/openvpn/
- sed -i -e '/^;\?tls-auth /d' -e '/^;\?cipher /d' -e '/^;\?auth /d' -e '/^dh /d' \
-        -e '/^;\?user nobody/d' -e '/^;\?group nobody/d' /etc/openvpn/server.conf
- cat >> /etc/openvpn/server.conf <<'EOF'
- tls-auth ta.key 0
- auth SHA256
- cipher AES-256-CBC
- dh dh.pem
- crl-verify crl.pem
- push "redirect-gateway def1 bypass-dhcp"
- push "dhcp-option DNS 8.8.8.8"
- push "dhcp-option DNS 8.8.4.4"
- user nobody
- group nobody
- EOF
-
- # Install the server's key material. The CRL is re-read for every new connection after the
- # privilege drop, so it must stay readable by nobody. It expires after EASYRSA_CRL_DAYS
- # (180 by default): rerun ./easyrsa gen-crl and copy it before then, and after every
- # ./easyrsa revoke <name>, or all clients are refused / revoked clients are still accepted.
- cp pki/ca.crt pki/dh.pem pki/crl.pem pki/ta.key pki/issued/server.crt pki/private/server.key /etc/openvpn/
- chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
- chmod 644 /etc/openvpn/crl.pem
-
- # Issue a client certificate and assemble a single .ovpn with CA, certificate, key and tls-auth key inline
- ./easyrsa build-client-full "$KEY" nopass
- OVPN=/etc/openvpn/$KEY.ovpn
- cp /usr/share/doc/openvpn*/sample/sample-config-files/client.conf "$OVPN"
- sed -i -e "s|^remote my-server-1 1194|remote $DOMAIN 1194|" \
-        -e '/^;\?\(ca\|cert\|key\|tls-auth\|cipher\|auth\|remote-cert-tls\) /d' \
-        -e '/^;\?user nobody/d' -e '/^;\?group nobody/d' "$OVPN"
- # openssl x509 strips the human-readable text easy-rsa prepends to issued certificates
- cat >> "$OVPN" <<EOF
- user nobody
- group nobody
- remote-cert-tls server
- auth SHA256
- cipher AES-256-CBC
- key-direction 1
- <ca>
- $(cat pki/ca.crt)
- </ca>
- <cert>
- $(openssl x509 -in "pki/issued/$KEY.crt")
- </cert>
- <key>
- $(cat "pki/private/$KEY.key")
- </key>
- <tls-auth>
- $(cat pki/ta.key)
- </tls-auth>
- EOF
- chmod 600 "$OVPN"
-
- # Start OpenVPN: openvpn@server reads /etc/openvpn/server.conf (newer packages also provide
- # openvpn-server@.service, which reads /etc/openvpn/server/<name>.conf instead)
- systemctl start openvpn@server
- systemctl enable openvpn@server
-
- echo "OpenVPN server is now running on $DOMAIN"
- echo "Client configuration: $OVPN (contains the client's private key; copy it over a secure channel)"