I. Preparation
1. System configuration and tools
System: CentOS 7.9
Tool: SecureCRT (https://download.topunix.com/SecureCRT.rar)
2. Notes
The scripts below have three places that must be adapted to your environment:
1. the public IP address (marked in red);
2. the internal IP address (marked in red);
3. proxy access (marked in red).
3. Annotated version:
For the detailed explanation see: https://www.topunix.com/post-2986.html
II. Deploying from the scripts
1. Step one: set the SecureCRT character encoding to UTF-8
2. Step two: install openvpn and related packages
yum install epel-* -y
yum -y install openvpn easy-rsa iptables-services
cp -r /usr/share/easy-rsa/ /etc/openvpn/
yum info easy-rsa        # confirm the installed version matches the 3.0.8 directory used below
cd /etc/openvpn/easy-rsa/3.0.8/
touch vars
# easy-rsa 3 loads ./vars from the current directory by itself and expects
# set_var syntax; the easy-rsa 2 style "export KEY_*" lines are not read.
# These DN fields are only used when EASYRSA_DN is set to "org"; the default
# cn_only mode asks for nothing but a Common Name.
cat > vars <<"EOF"
set_var EASYRSA_REQ_COUNTRY  "CN"            # country
set_var EASYRSA_REQ_PROVINCE "ShangHai"      # province
set_var EASYRSA_REQ_CITY     "ShangHai"      # city
set_var EASYRSA_REQ_ORG      "HHHH"          # organization
set_var EASYRSA_REQ_EMAIL    "*****@qq.com"  # e-mail address
EOF
./easyrsa init-pki
./easyrsa build-ca nopass
Note: at the final prompt (the CA Common Name) a value such as openvpn is needed (openvpn is fine here; any other name also works).
3. Step three: install and configure (server certificates and keys)
cd /etc/openvpn/easy-rsa/3.0.8/
./easyrsa build-server-full server nopass
./easyrsa gen-dh
openvpn --genkey --secret ta.key     # tls-auth HMAC key
mkdir -p /etc/openvpn/server/certs
cd /etc/openvpn/server/certs/
cp /etc/openvpn/easy-rsa/3.0.8/pki/dh.pem ./
cp /etc/openvpn/easy-rsa/3.0.8/pki/ca.crt ./
cp /etc/openvpn/easy-rsa/3.0.8/pki/issued/server.crt ./server.crt
cp /etc/openvpn/easy-rsa/3.0.8/pki/private/server.key ./server.key
cp /etc/openvpn/easy-rsa/3.0.8/ta.key ./
4. Step four: configuration scripts
mkdir -p /var/log/openvpn/
chown openvpn:openvpn /var/log/openvpn
mkdir -p /etc/openvpn/ccd
cat > /etc/openvpn/server.conf <<"EOF"
port 11940
proto udp
dev tun
ca /etc/openvpn/server/certs/ca.crt
cert /etc/openvpn/server/certs/server.crt
key /etc/openvpn/server/certs/server.key
dh /etc/openvpn/server/certs/dh.pem
tls-auth /etc/openvpn/server/certs/ta.key 0
server 10.9.0.0 255.255.240.0
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
#push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
# internal network reachable through the VPN (adjust to your own)
push "route 172.22.4.0 255.255.255.0"
#compress lzo
#duplicate-cn
keepalive 10 120
client-config-dir ccd
comp-lzo
persist-key
persist-tun
# use username and password login
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
script-security 3
user openvpn
#client-cert-not-required
# revoked client certificates are only rejected once this points at a CRL
# produced by "easyrsa gen-crl" and copied next to the other certificates:
#crl-verify /etc/openvpn/server/certs/crl.pem
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
verb 3
explicit-exit-notify 1
EOF

cat > /etc/openvpn/checkpsw.sh <<"EOF"
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
# the log lives in the directory chowned to the openvpn user above, because
# this script runs as that user once the daemon has dropped privileges
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

# the username is client-supplied: hand it to awk as a variable instead of
# splicing it into the program text
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

# the submitted password is deliberately not written to the log
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> ${LOG_FILE}
exit 1
EOF
chmod +x /etc/openvpn/checkpsw.sh

systemctl stop firewalld
systemctl disable firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
setenforce 0
systemctl start iptables
systemctl enable iptables
iptables -F
# NAT for the whole VPN subnet (the "server" line above is 10.9.0.0/20);
# eth0 is the public-facing interface, adjust if yours is named differently
iptables -t nat -A POSTROUTING -s 10.9.0.0/20 -o eth0 -j MASQUERADE
service iptables save
systemctl restart iptables
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
systemctl start openvpn@server
systemctl enable openvpn@server
systemctl status openvpn@server

cat > /etc/openvpn/openvpn.sh <<"EOF"
#!/bin/bash
# OpenVPN user management
# by LLL, 2022-02-23 13:48:55
###########################################
#user="$1"
#pass="$2"
#ip="$3"
easyrsa="/etc/openvpn/easy-rsa/3.0.8"
pswfile="/etc/openvpn/psw-file"

# create a user: client certificate, fixed VPN address, password entry
function add_user(){
  read -p "请输入用户名:" user      # username
  if [ -z "$user" ];then
    echo "user is NULL"
    return 1
  fi
  read -p "请输入密码:" pass        # password
  if [ -z "$pass" ];then
    echo "password is NULL"
    return 1
  fi
  # client address and peer address, e.g. "10.9.0.6 10.9.0.5"; each user moves up by 4
  read -p "请输入IP地址(如:10.9.0.6 10.9.0.5,IP地址以4个为单位增加):" ip
  if [ -z "$ip" ];then
    echo "ip is NULL"
    return 1
  fi
  sh /etc/openvpn/client/ovpn_user.sh "$user"
  echo "ifconfig-push $ip" > /etc/openvpn/ccd/"$user"
  echo "$user $pass" >> "$pswfile"
  # readable by the openvpn user (checkpsw.sh runs as it), not by everyone
  chown root:openvpn "$pswfile"
  chmod 640 "$pswfile"
}

# delete a user: revoke the certificate, refresh the CRL, drop the ccd and password entries
function del_user(){
  read -p "请输入您需要删除的用户名:" user    # username to delete
  if [ -z "$user" ];then
    echo "user is NULL"
    return 1
  fi
  cd "$easyrsa"
  echo "-----------------------------------------------------------------"
  echo "出现continue with revocation请输入yes"    # answer yes at the revocation prompt
  echo "------------------------------------------------------------------"
  ./easyrsa revoke "$user"
  ./easyrsa gen-crl
  rm -f /etc/openvpn/ccd/"$user"
  # without this the deleted user still passes checkpsw.sh
  sed -i "/^$user[[:space:]]/d" "$pswfile"
}

# change a user's password
function alter_user(){
  read -p "请输入您需要修改的用户名:" user     # username
  if [ -z "$user" ];then
    echo "user is NULL"
    return 1
  fi
  read -p "请输入此用户名的新密码:" pass       # new password
  # match the whole username, not every line that merely contains it
  sed -i "/^$user[[:space:]]/d" "$pswfile"
  echo "$user $pass" >> "$pswfile"
}

# change a user's fixed address
function alter_ip(){
  read -p "请输入您需要修改的用户名:" user     # username
  if [ -z "$user" ];then
    echo "user is NULL"
    return 1
  fi
  read -p "请输入您的新IP地址(如:10.9.0.6 10.9.0.5):" ip    # new address pair
  if [ -z "$ip" ];then
    echo "ip is NULL"
    return 1
  fi
  # overwrite rather than append, so the ccd file holds a single ifconfig-push
  echo "ifconfig-push $ip" > /etc/openvpn/ccd/"$user"
}

echo "请选择您需要做的操作选项"    # choose an operation
echo "----------------------------------------------------------------"
# menu: create user / delete user / change password / change IP address
select VPN in "创建用户" "删除用户" "修改账号密码" "修改IP地址"
do
  case $VPN in
    创建用户) add_user ;;
    删除用户) del_user ;;
    修改账号密码) alter_user ;;
    修改IP地址) alter_ip ;;
  esac
done
EOF

cat > /etc/openvpn/client/ovpn_user.sh <<"EOF"
#!/bin/bash
set -e
OVPN_USER_KEYS_DIR=/etc/openvpn/client/keys
EASY_RSA_VERSION=3.0.8
EASY_RSA_DIR=/etc/openvpn/easy-rsa
PKI_DIR=$EASY_RSA_DIR/$EASY_RSA_VERSION/pki
for user in "$@"
do
  # regenerating an existing user: clear the old key material first and drop
  # only the index.txt record whose CN is exactly this user
  if [ -d "$OVPN_USER_KEYS_DIR/$user" ]; then
    rm -rf "$OVPN_USER_KEYS_DIR/$user"
    rm -f "$PKI_DIR/reqs/$user.req" "$PKI_DIR/issued/$user.crt" "$PKI_DIR/private/$user.key"
    sed -i "\|/CN=$user\$|d" "$PKI_DIR/index.txt"
  fi
  cd "$EASY_RSA_DIR/$EASY_RSA_VERSION"
  # generate the client certificate
  ./easyrsa build-client-full "$user" nopass
  # collect the generated files
  mkdir -p "$OVPN_USER_KEYS_DIR/$user"
  cp "$PKI_DIR/ca.crt" "$OVPN_USER_KEYS_DIR/$user/"                          # CA root certificate
  cp "$PKI_DIR/issued/$user.crt" "$OVPN_USER_KEYS_DIR/$user/"                # client certificate
  cp "$PKI_DIR/private/$user.key" "$OVPN_USER_KEYS_DIR/$user/"               # client private key
  cp /etc/openvpn/client/sample.ovpn "$OVPN_USER_KEYS_DIR/$user/$user.ovpn"  # client config
  sed -i "s/admin/$user/g" "$OVPN_USER_KEYS_DIR/$user/$user.ovpn"
  cp /etc/openvpn/server/certs/ta.key "$OVPN_USER_KEYS_DIR/$user/ta.key"     # tls-auth key
  cd "$OVPN_USER_KEYS_DIR"
  zip -r "$user.zip" "$user"    # needs the zip package (yum install zip)
done
exit 0
EOF

cat > /etc/openvpn/client/sample.ovpn <<"EOF"
client
proto udp
dev tun
remote 47.90.252.130 11940    # public IP address and port of the server
ca ca.crt
cert admin.crt
auth-user-pass    # required for username/password verification
key admin.key
tls-auth ta.key 1
remote-cert-tls server
persist-tun
persist-key
comp-lzo
verb 3
mute-replay-warnings
redirect-gateway def1
EOF
III. Configuring the client username, password and files
1. Run sh openvpn.sh to configure a user
(1) Run sh openvpn.sh
cd /etc/openvpn
sh openvpn.sh
(2) Create the username and password.
(3) Assign an IP address
10.9.0.6 10.9.0.5, then 10.9.0.10 10.9.0.9 for the next user, and so on in steps of 4 (the first address is the client's, the second is its peer endpoint)
4. Copy the zip file
Download the zip file, extract it, and copy its contents to the client's C:\Program Files\OpenVPN\config directory.
5. Connection test
Note: if an error such as auth failed appears, the /etc/openvpn/checkpsw.sh script is the likely cause;
check /var/log/openvpn/server.log first, then recreate the script. If it still fails, rebuild the system and work through the script step by step instead of running it all at once.
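To reproduce an auth failed result outside the running server, the following added example (not from the original post) calls a checkpsw-style script the way OpenVPN's auth-user-pass-verify ... via-env mode does, against a constructed password file; the verify script is a rewrite of the page's checkpsw.sh that takes the password file path from the environment, and all paths are temporary.

```shell
#!/bin/sh
# Added example, not part of the original post: call a checkpsw-style script
# the way OpenVPN's "auth-user-pass-verify ... via-env" does, against a
# constructed password file, so "auth failed" can be reproduced without the
# running server. Everything is created under a temporary directory.
set -e
WORK="$(mktemp -d)"
PSWFILE="$WORK/psw-file"
VERIFY="$WORK/checkpsw.sh"

# Constructed sample data in the format checkpsw.sh expects: one
# "username<spaces or tabs>password" per line; ';' and '#' start comments.
cat > "$PSWFILE" <<'EOF'
# constructed sample password file
;disabled   old-secret
alice       s3cret
bob  hunter2
EOF

# Verify script in the style of the page's checkpsw.sh: the password file path
# comes from the environment (default is the page's path) and the username is
# handed to awk as a variable instead of being spliced into the program text.
cat > "$VERIFY" <<'EOF'
#!/bin/sh
PASSFILE="${PASSFILE:-/etc/openvpn/psw-file}"
[ -r "$PASSFILE" ] || exit 1
CORRECT=$(awk -v u="$username" '!/^[;#]/ && $1==u {print $2; exit}' "$PASSFILE")
[ -n "$CORRECT" ] || exit 1
[ "$password" = "$CORRECT" ] && exit 0
exit 1
EOF

# Stand-in for the server: OpenVPN exports username and password into the
# script's environment and acts only on its exit status (0 accepts, anything
# else is reported to the client as AUTH_FAILED).
check_auth() {
  if PASSFILE="$PSWFILE" username="$1" password="$2" sh "$VERIFY"; then
    echo accept
  else
    echo reject
  fi
}

check_auth alice s3cret         # accept
check_auth alice wrong          # reject
check_auth bob hunter2          # accept, several spaces as separator are fine
check_auth disabled old-secret  # reject, the line is commented out
check_auth 'alice" || 1' x      # reject, no awk injection through the username
```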