openvpn安装使用及客户端添加删除脚本示例

1、安装前准备

# 关闭selinux
setenforce 0
sed -i ‘/^SELINUX=/c\SELINUX=disabled’ /etc/selinux/config
# 安装openssl和lzo,lzo用于压缩通讯数据加快传输速度
yum -y install openssl openssl-devel
yum -y install lzo
# 安装epel源
rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i ‘s/^mirrorlist=https/mirrorlist=http/’ /etc/yum.repos.d/epel.repo

2、安装及配置OpenVPN和easy-rsa

# 安装openvpn和easy-rsa
yum -y install openvpn easy-rsa
# 修改vars文件
cd /usr/share/easy-rsa/2.0/
vim vars
# 修改注册信息,比如公司地址、公司名称、部门名称等。
export KEY_COUNTRY=”CN”
export KEY_PROVINCE=”Shanghai”
export KEY_CITY=”Shanghai”
export KEY_ORG=”suredata”
export KEY_EMAIL=”xiabing@suredata.com”
export KEY_OU=”suredataUnit”
# 初始化环境变量
source vars
# 清除keys目录下所有与证书相关的文件
# 下面步骤生成的证书和密钥都在/usr/share/easy-rsa/2.0/keys目录里
./clean-all
# 生成根证书ca.crt和根密钥ca.key(一路按回车即可)
./build-ca
# 为服务端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车)
./build-key-server server
# 创建迪菲·赫尔曼密钥,会生成dh2048.pem文件(生成过程比较慢,不要去中断它)
./build-dh
# 生成ta.key文件(防DDos攻击、UDP淹没等恶意攻击)
openvpn –genkey –secret keys/ta.key

3、创建服务器端配置文件

# 在openvpn的配置目录下新建一个keys目录
mkdir /etc/openvpn/keys
# 将需要用到的openvpn证书和密钥复制一份到刚创建好的keys目录中
cp /usr/share/easy-rsa/2.0/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key} /etc/openvpn/keys/
# 复制一份服务器端配置文件模板server.conf到/etc/openvpn/
cp /usr/share/doc/openvpn-2.4.3/sample/sample-config-files/server.conf /etc/openvpn/
# 查看server.conf里的配置参数
grep ‘[#;]’ /etc/openvpn/server.conf
# 编辑server.conf
vi /etc/openvpn/server.conf

     以下是我本地的配置,供参考
     port 1194
     proto udp
     dev tun
     # 路径前面加keys,全路径为/etc/openvpn/keys/ca.crt
     ca keys/ca.crt
     cert keys/server.crt
     key keys/server.key  # This file should be kept secret
     dh keys/dh2048.pem
     # 默认虚拟局域网网段,不要和实际的局域网冲突即可
     server 10.8.0.0 255.255.0.0
     ifconfig-pool-persist ipp.txt
     push "route 172.16.0.0 255.255.0.0"
     keepalive 10 120
     cipher BF-CBC
     comp-lzo
     persist-key
     persist-tun
     # OpenVPN的状态日志,默认为/etc/openvpn/openvpn-status.log
     status openvpn-status.log
     # OpenVPN的运行日志,默认为/etc/openvpn/openvpn.log
     log-append  openvpn.log
     # 改成verb 5可以多查看一些调试信息
     verb 5
     explicit-exit-notify 1
     
     # 可以让客户端之间相互访问直接通过openvpn程序转发,根据需要设置
     #client-to-client
     # 如果客户端都使用相同的证书和密钥连接VPN,一定要打开这个选项,否则每个证书只允许一个人连接VPN
     #duplicate-cn

4、配置内核和防火墙,启动服务

# 开启路由转发功能
sed -i ‘/net.ipv4.ip_forward/s/0/1/’ /etc/sysctl.conf
sysctl -p
# 配置防火墙,别忘记保存
iptables -I INPUT -p udp –dport 1194 -m comment –comment “openvpn” -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
service iptables save
# 启动openvpn并设置为开机启动
service openvpn start
chkconfig openvpn on

5、生成客户端证书及配置文件

# 为客户端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)
/usr/share/easy-rsa/2.0/build-key client1
# 客户端配置文件生成
客户端配置文件示例:
client
dev tun
proto udp
remote 58.247.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
keysize 128
verb 5
<ca>
—–BEGIN CERTIFICATE—–
ca.crt 内容
—–END CERTIFICATE—–
</ca>
<cert>
6a:1f:62:81
—–BEGIN CERTIFICATE—–
client1.crt 内容
—–END CERTIFICATE—–
</cert>
<key>
—–BEGIN PRIVATE KEY—–
client1.key 内容
—–END PRIVATE KEY—–
</key>

6、下面贴出自动生成客户端证书和配置的脚本

openvpn_user.sh 脚本内容:
vi openvpn_user.sh
以下是脚本内容,供参考

 #! /bin/bash
 para_num=$#
 operation=$1
 vpn_user=$2

 function help()
 {
    echo './openvpn_user.sh add username(vpn username)'
    echo './openvpn_user.sh del username(vpn username)'
 }

 function add_user()
 {
    if [ -f /usr/share/easy-rsa/2.0/keys/$vpn_user.crt ];then
            echo "$vpn_user already exist!"
            exit 1
    else
            cd /usr/share/easy-rsa/2.0/
            source ./vars
            /suredata/bin/vpn_expect.expect $vpn_user 
            cd /usr/share/easy-rsa/2.0/keys
            generate_client_conf
            cp /root/user_data/${vpn_user}/${vpn_user}.ovpn /suredata/bin/weblog/

            echo "===============================success=================================="
            echo "add vpn user: $vpn_user success!"
            echo "===============================success=================================="
    fi
 }

 function del_user()
 {
    cd /usr/share/easy-rsa/2.0/
    source ./vars
    /usr/share/easy-rsa/2.0/revoke-full $vpn_user
    rm -rf /usr/share/easy-rsa/2.0/keys/${vpn_user}.*
    rm -rf /suredata/bin/weblog/${vpn_user}.*
    echo "================================success================================"
    echo "del vpn user: $vpn_user success!" 
    echo "================================success================================"
 }

 function generate_client_conf()
 {
    # client path
    mkdir -p /root/user_data/$vpn_user
    user_path=/root/user_data/$vpn_user
    client_file=${user_path}/${vpn_user}.ovpn
    client_crt_file=/usr/share/easy-rsa/2.0/keys/${vpn_user}.crt
    client_key_file=/usr/share/easy-rsa/2.0/keys/${vpn_user}.key
    ca_crt_file=/usr/share/easy-rsa/2.0/keys/ca.crt

    echo "client" > ${client_file}
    echo "dev tun" >> ${client_file}  
    echo "proto udp" >> ${client_file}
    echo "remote 58.247.125.141 1194" >> ${client_file}
    echo "resolv-retry infinite" >> ${client_file}
    echo "nobind" >> ${client_file}
    echo "persist-key" >> ${client_file}
    echo "persist-tun" >> ${client_file}
    echo "comp-lzo" >> ${client_file}
    echo "keysize 128" >> ${client_file}
    echo "verb 5" >> ${client_file}

    echo "<ca>" >> ${client_file}
    cat ${ca_crt_file} >> ${client_file}
    echo "</ca>" >> ${client_file}

    echo "<cert>" >> ${client_file}
    tail -n 31 ${client_crt_file} >> ${client_file}
    echo "</cert>" >> ${client_file}

    echo "<key>" >> ${client_file}
    cat ${client_key_file} >> ${client_file}
    echo "</key>" >> ${client_file}
 }

 function main()
 {
    if [ $para_num -ne 2 ];then
            echo "para is illegal!"
            help
            exit 1
    else
            if [ $operation = "add" ];then
                    add_user
            elif [ $operation = "del" ];then
                    del_user
            else
                    echo 'operation only support add | del'
                    help
                    exit 1
            fi
    fi
 }

 main

/suredata/bin/vpn_expect.expect //自动生成客户端证书expect脚本
以下是脚本内容,供参考

 #!/usr/bin/expect -f
 if $argc<1 {
    puts stderr "Usage: $argv0 need argv.\n"
    exit 1
 }
 set vpnuser [lindex $argv 0]
 set path /usr/share/easy-rsa/2.0
 spawn $path/build-key $vpnuser
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "\r"
 expect "*"
 send "y\r"
 expect "*"
 send "y\r"
 expect eof
 exit

评论 在此处输入想要评论的文本。

タイトルとURLをコピーしました