# Building OpenVPN from source to reach an internal network

## References

- Reference script: one-click script
- OpenVPN repository: openvpn: OpenVPN is an open source VPN daemon
- easy-rsa repository: easy-rsa - Simple shell based CA utility
- Official documentation: Resources For OpenVPN OpenSource Community
- Official documentation: Guide To Set Up & Configure OpenVPN Client/Server VPN | OpenVPN
- Reference: Setting up OpenVPN for the office and home
- Reference: Setting up OpenVPN on CentOS
- Reference: Setting up and using OpenVPN
- Reference: Compiling, installing and deploying OpenVPN
- Reference: OpenVPN for an internal LAN
- Reference: Enterprise-grade OpenVPN setup
- Reference: OpenVPN username/password authentication
## Setup guide

### Enable forwarding

- Install

```bash
# Install iptables and iptables-persistent
sudo apt-get update
sudo apt install -y iptables iptables-persistent
# Flush the existing iptables rules (this drops any rules already in place; review them first)
sudo iptables -F
```

- Edit the iptables rules

```bash
# Source-NAT VPN clients (10.8.0.0/24) to the server's LAN address for traffic leaving the VPN subnet
sudo iptables -w 5 -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 192.168.6.137
# Accept connections to the OpenVPN listening port
sudo iptables -w 5 -I INPUT -p tcp --dport 36985 -j ACCEPT
# Forward traffic from the VPN subnet, and the replies to it
sudo iptables -w 5 -I FORWARD -s 10.8.0.0/24 -j ACCEPT
sudo iptables -w 5 -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save and reload
sudo netfilter-persistent save
sudo netfilter-persistent reload
# Check the iptables rules
sudo iptables -t nat -L -n -v
sudo iptables -L -n -v
```

- Enable forwarding

```bash
vi /etc/sysctl.conf
# Add this line to sysctl.conf
net.ipv4.ip_forward = 1
# Reload
sysctl -p
# An output of 1 means forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
```

- Synchronize the time

```bash
sudo apt-get install -y ntpdate
sudo ntpdate asia.pool.ntp.org
# Check the time
date
# If it is not Beijing time, set the timezone to Beijing time
sudo timedatectl set-timezone Asia/Shanghai
# Check the status
timedatectl status
# Set up a scheduled job
sudo crontab -e
# Crontab entry
0 3 * * * /usr/sbin/ntpdate asia.pool.ntp.org
```
### Download OpenVPN and Easy-RSA

- Download OpenVPN from the releases page (Releases · OpenVPN/openvpn); mind the version.

```bash
wget https://github.com/OpenVPN/openvpn/releases/download/v2.6.14/openvpn-2.6.14.tar.gz
```

- Download Easy-RSA from the releases page (Releases · OpenVPN/easy-rsa); mind the version.

```bash
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.2/EasyRSA-3.2.2.tgz
```
### Compile OpenVPN

- Install the dependencies (these may change as versions move on; go by the errors and warnings that appear during compilation)

```bash
apt install make gcc pkg-config libnl-genl-3-dev libcap-ng-dev libssl-dev liblz4-dev liblzo2-dev libcmocka-dev
```

- Compile. The OpenVPN version number must match the version you downloaded.

```bash
tar -zxf openvpn-2.6.14.tar.gz
cd openvpn-2.6.14
./configure
make
make install
```

- Copy the OpenVPN sample files

```bash
mkdir -p /etc/openvpn
cp -rf /root/openvpn-2.6.14/sample /etc/openvpn
cp /etc/openvpn/sample/sample-config-files/server.conf /etc/openvpn
```

- Unpack EasyRSA

```bash
tar -xzvf EasyRSA-3.2.2.tgz
mv EasyRSA-3.2.2 easy-rsa
cp -rf easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
cp vars.example vars
chmod +x vars
```
- Create the certificates and keys

Tip: replace `servername` and `clientname` below with your actual values. `servername` is usually `server`; `clientname` is the name of the actual client.

```bash
# Initialize the PKI directory
./easyrsa init-pki
# Create the CA certificate
# "nopass" leaves the CA key unencrypted; omit it and you will be asked for a passphrase
./easyrsa build-ca nopass
# Create the server key and signing request
./easyrsa gen-req servername nopass
# Sign the server certificate; type "yes" to complete it
./easyrsa sign-req server servername
# Create the client key and signing request
./easyrsa gen-req clientname nopass
# Sign the client certificate; type "yes" to complete it
./easyrsa sign-req client clientname
# Create the Diffie-Hellman parameters
./easyrsa gen-dh
# Create the TLS authentication key
openvpn --genkey secret /etc/openvpn/ta.key
```
- Install the certificates

Tip: replace `servername` and `clientname` with your actual values.

```bash
mkdir /etc/openvpn/server
mkdir /etc/openvpn/client
mkdir /var/log/openvpn
cd /etc/openvpn/easy-rsa/pki/
cp ca.crt dh.pem /etc/openvpn/
cp private/servername.key issued/servername.crt /etc/openvpn/server/
cp private/clientname.key issued/clientname.crt /etc/openvpn/client/
```
## Edit the configuration files

- Edit the server configuration file `server.conf`

```
local 192.168.6.137
port 36985
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server/servername.crt
key /etc/openvpn/server/servername.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-crypt /etc/openvpn/ta.key 0
topology subnet # This line is important: without it, hosts on the internal network cannot reach each other
cipher AES-256-GCM
max-clients 100
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
mute 20
```
- Edit the client configuration file `clientname.ovpn`. There are two styles.

- Style 1

Tip: replace `Server IP` with the server's public IP. Put `ca.crt`, `clientname.crt`, `clientname.key` and `ta.key` in the same directory as the `clientname.ovpn` configuration file.

```
# Style 1
client
dev tun
proto tcp
remote Server IP 36985
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert clientname.crt
key clientname.key
remote-cert-tls server
tls-crypt ta.key 1
cipher AES-256-GCM
auth-nocache
verb 4
```

- Style 2

Tip: replace `Server IP` with the server's public IP. Paste the contents of `ca.crt`, `clientname.crt`, `clientname.key` and `ta.key` directly into `clientname.ovpn`.

```
client
dev tun
proto tcp
remote Server IP 36985
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth-nocache
key-direction 1
verb 4
<ca>
contents of ca.crt
</ca>
<cert>
contents of clientname.crt
</cert>
<key>
contents of clientname.key
</key>
<tls-crypt>
contents of ta.key
</tls-crypt>
```
Note: a filled-in style 2 file is the same configuration with the complete `-----BEGIN ...` / `-----END ...` block of each file pasted between its matching tags.
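Assembling a style 2 profile by hand invites copy-and-paste mistakes, so here is a small script that does it. This is an added example, not code from the original post: `make_inline_ovpn` takes a directory holding the four files named above plus the server address and port, and `make_demo_dir` creates constructed placeholder files (no real key material) so the script can be run stand-alone.

```bash
#!/bin/sh
# Added example, not part of the original post: build a "style 2" clientname.ovpn
# by inlining ca.crt, clientname.crt, clientname.key and ta.key, instead of shipping
# four files beside the profile. Server address and port are parameters.

# Keep only the PEM block. easy-rsa's issued/*.crt files carry a readable text dump
# above the "-----BEGIN CERTIFICATE-----" line, which is noise inside <cert>.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_ovpn DIR SERVER_IP PORT -> profile on stdout, non-zero if a file is missing
make_inline_ovpn() {
    dir="$1" server="$2" port="$3"
    for f in ca.crt clientname.crt clientname.key ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    printf '%s\n' client "dev tun" "proto tcp" "remote $server $port" \
        "resolv-retry infinite" nobind persist-key persist-tun \
        "remote-cert-tls server" "cipher AES-256-GCM" auth-nocache \
        "key-direction 1" "verb 4"
    for pair in ca:ca.crt cert:clientname.crt key:clientname.key tls-crypt:ta.key; do
        tag=${pair%%:*} file=${pair#*:}
        echo "<$tag>"; pem_only "$dir/$file"; echo "</$tag>"
    done
}

# Constructed placeholder files for a stand-alone run (not real key material), laid out
# the way easy-rsa and "openvpn --genkey" write them, including the leading text.
make_demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' CA_PLACEHOLDER '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' '-----BEGIN CERTIFICATE-----' \
        CLIENT_CERT_PLACEHOLDER '-----END CERTIFICATE-----' > "$d/clientname.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' KEY_PLACEHOLDER '-----END PRIVATE KEY-----' > "$d/clientname.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' '-----BEGIN OpenVPN Static key V1-----' \
        TA_PLACEHOLDER '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    echo "$d"
}

# Stand-alone demo: run with "demo" to print a profile for the placeholder files
# (203.0.113.10 is a documentation address; use your server's public IP)
if [ "${1:-}" = "demo" ]; then
    make_inline_ovpn "$(make_demo_dir)" 203.0.113.10 36985
fi
```

The resulting profile contains the client's private key, so hand it over through a channel you would trust with the key itself.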
## Create the OpenVPN systemd service unit

```bash
cat > /etc/systemd/system/openvpn-server@server.service <<EOF
[Unit]
Description=OpenVPN service for %i
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Keep this path if you compiled and installed to /usr/local/sbin/openvpn; with the distro package use /usr/sbin/openvpn
ExecStart=/usr/local/sbin/openvpn --config /etc/openvpn/%i.conf
# --status can be added to ExecStart, but it may fail
# --status /var/log/openvpn/openvpn-status.log 10
# Working directory of the running service
WorkingDirectory=/etc/openvpn
# Give OpenVPN only the capabilities it needs to create the TUN device and bind the port; everything else stays minimal
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
# CapabilityBoundingSet can alternatively be set to
# CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
# At most 15 processes, to limit resource use
LimitNPROC=15
# Mount system directories such as /usr and /boot read-only so the process cannot modify core system files (ProtectSystem=full also covers /etc)
ProtectSystem=true
# Hide home directories (/home, /root) from the service so it cannot read or modify user data
ProtectHome=true
# Give the service its own private /tmp, not shared with other services
PrivateTmp=yes
# Only kill the main process
KillMode=process
# Restart automatically if the service exits with a failure
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
```

- systemctl commands

```bash
systemctl daemon-reload
systemctl enable openvpn-server@server
systemctl restart openvpn-server@server
systemctl status openvpn-server@server
```
## Extensions

- To send only the internal subnet through the VPN instead of using it as a global proxy, add to `server.conf`:

```
push "route remote_host 255.255.255.255 net_gateway"
push "route 10.8.0.0 255.255.255.0 vpn_gateway"
```

- By default one `clientname` allows only a single connected client. To let several clients connect with the same `clientname`, add to `server.conf`:

```
duplicate-cn
```

- If several clients are allowed to share one `clientname`, enable password verification to keep the setup secure. Create the `checkpsw.sh` script in `/etc/openvpn/`:

```bash
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate Openvpn users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN calls it with "auth-user-pass-verify ... via-env",
# so the submitted credentials arrive in the environment
# variables $username and $password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi
# Read the username from the environment inside awk rather than splicing it into
# the awk program text, so a username containing quotes cannot alter the program.
CORRECT_PASSWORD=`awk '!/^;/ && !/^#/ && $1==ENVIRON["username"] {print $2; exit}' "${PASSFILE}"`
# Note: the failure branches below write the submitted password to the log, so
# the log file holds secrets and must not be readable by other users.
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
```

- Create `LOG_FILE` and make `checkpsw.sh` executable.

```bash
touch /var/log/openvpn/openvpn-password.log
chmod +x /etc/openvpn/checkpsw.sh
```

- Convert `checkpsw.sh` to Unix format. A `checkpsw.sh` edited on Windows usually has CRLF line endings; convert it to the LF endings used by Unix/Linux.

```bash
apt install dos2unix
dos2unix /etc/openvpn/checkpsw.sh
```

- Create the username/password file

```bash
echo "test 123456" >>/etc/openvpn/psw-file
# Read-only permission: in this setup the server runs as root (no user/group directive), so root-only read is enough
chmod 400 /etc/openvpn/psw-file
# Public permission: this makes every plaintext password readable and editable by any local user; prefer 400 above
chmod 777 /etc/openvpn/psw-file
```

- Prevent DNS leaks on Windows. Both lines must be added together, otherwise other clients will error out.
  - Add to `server.conf`:

```
push "block-outside-dns" # Only effective for Windows clients
```

  - Add to `clientname.ovpn`:

```
ignore-unknown-option block-outside-dns
```
## Configuration files with password verification enabled

After enabling password verification, `server.conf` and `clientname.ovpn` both need changes.

- Edit the server configuration file `server.conf` and add:

```
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
script-security 3
username-as-common-name
```

- The full `server.conf` is then:

```
local 192.168.6.137
port 36985
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server/servername.crt
key /etc/openvpn/server/servername.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
client-to-client
keepalive 10 120
tls-crypt /etc/openvpn/ta.key 0
topology subnet # This line is important: without it, hosts on the internal network cannot reach each other
cipher AES-256-GCM
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
script-security 3
username-as-common-name
max-clients 100
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
mute 20
```

- Edit the client configuration file `clientname.ovpn`. There are two styles.

- Style 1: add `auth-user-pass`

Tip: replace `Server IP` with the server's public IP. Put `ca.crt`, `clientname.crt`, `clientname.key` and `ta.key` in the same directory as the `clientname.ovpn` configuration file.

- The full `clientname.ovpn` is then:

```
# Style 1
client
dev tun
proto tcp
remote Server IP 36985
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert clientname.crt
key clientname.key
remote-cert-tls server
tls-crypt ta.key 1
cipher AES-256-GCM
auth-user-pass
auth-nocache
verb 4
```

- Style 2: add `auth-user-pass`

Tip: replace `Server IP` with the server's public IP. Paste the contents of `ca.crt`, `clientname.crt`, `clientname.key` and `ta.key` directly into `clientname.ovpn`.

- The full `clientname.ovpn` is then:

```
client
dev tun
proto tcp
remote Server IP 36985
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth-user-pass
auth-nocache
key-direction 1
verb 4
<ca>
contents of ca.crt
</ca>
<cert>
contents of clientname.crt
</cert>
<key>
contents of clientname.key
</key>
<tls-crypt>
contents of ta.key
</tls-crypt>
```