N46期第十七周作业
第17周作业:
一、利用SAMBA实现指定目录共享
samba服务器ip:10.0.0.84/24
客户端ip: 10.0.0.71/24
1. 安装服务器端软件, 并设置开机自启
[04:48:04 root@samba-server ~]#yum -y install samba
[04:48:30 root@samba-server ~]#systemctl enable --now smb.service
Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service.
2. 安装客户端工具samba-client(提供smbclient命令, 进行目录的访问)和cifs-utilis(提供目录挂载功能)
[16:50:20 root@samba-client ~]#yum -y install samba-client;yum -y install cifs-utils
3. 服务器端创建能访问samba服务的账号(虚拟账号)
3.1 创建系统账号
[04:49:07 root@samba-server ~]#useradd -s /sbin/nologin smblogin1
[05:12:54 root@samba-server ~]#useradd -s /sbin/nologin smblogin2
[05:12:57 root@samba-server ~]#useradd -s /sbin/nologin smblogin3
[05:12:58 root@samba-server ~]#ls /home
smblogin1 smblogin2 smblogin3
3.2 将操作系统账户变为samba虚拟账号, 并创建访问samba服务的密码
[05:17:59 root@samba-server ~]#smbpasswd -a smblogin1
New SMB password:
Retype new SMB password:
Added user smblogin1.
[05:18:12 root@samba-server ~]#smbpasswd -a smblogin2
New SMB password:
Retype new SMB password:
Added user smblogin2.
[05:18:16 root@samba-server ~]#smbpasswd -a smblogin3
New SMB password:
Retype new SMB password:
Added user smblogin3.
3.3 至此, 三个samba虚拟用户已经可以通过远程登录方式访问自己在samba服务器上的用户家目录
--------------------------------------------------------------------------------------------------------
[17:26:37 root@samba-client ~]#smbclient //10.0.0.84/smblogin1 -U smblogin1
Enter SAMBA\smblogin1's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Sep 21 05:12:54 2020
.. D 0 Mon Sep 21 05:12:58 2020
.bash_logout H 18 Sat Nov 9 00:21:40 2019
.bash_profile H 141 Sat Nov 9 00:21:40 2019
.bashrc H 312 Sat Nov 9 00:21:40 2019
7327744 blocks of size 1024. 5671996 blocks available
smb: \> !ls
anaconda-ks.cfg
---------------------------------------------------------------------------------------------------------
下面实现共享服务器指定目录, 假设共享/data/samba目录.
4. 先在samba服务器手动创建该目录, 并且创建几个测试文件
[05:25:38 root@samba-server ~]#mkdir -pv /data/samba
mkdir: created directory '/data/samba'
[05:33:35 root@samba-server ~]#touch /data/samba/f{1..3}.trtxt
[05:34:04 root@samba-server ~]#tree /data/samba/
/data/samba/
├── f1.txt
├── f2.txt
└── f3.txt
0 directories, 3 files
5. 修改samba服务器配置文件, 指定共享目录路径和以哪个目录名共享给客户端
[05:34:20 root@samba-server ~]#vim /etc/samba/smb.conf
[share]
path=/data/samba
6. 重启服务
[05:40:49 root@samba-server ~]#systemctl restart smb.service
7. 默认情况, 共享出来的目录, 对于所有虚拟用户都可见, 但是只能读, 下载, 不能修改和上传.
[17:33:25 root@samba-client ~]#smbclient -L 10.0.0.84 -U smblogin1
Enter SAMBA\smblogin1's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share Disk
IPC$ IPC IPC Service (Samba 4.11.2)
smblogin1 Disk Home Directories
[17:44:04 root@samba-client ~]#smbclient //10.0.0.84/share -U smblogin1
Enter SAMBA\smblogin1's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Sep 21 05:34:04 2020
.. D 0 Mon Sep 21 05:33:35 2020
f1.txt N 0 Mon Sep 21 05:34:04 2020
f2.txt N 0 Mon Sep 21 05:34:04 2020
f3.txt N 0 Mon Sep 21 05:34:04 2020
10475520 blocks of size 1024. 10369368 blocks available
smb: \> !ls
anaconda-ks.cfg
smb: \> get f1.txt
getting file \f1.txt of size 0 as f1.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> put anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED opening remote file \anaconda-ks.cfg
-------------------------------------------------------------------------------------------------------------
控制共享目录写权限.
拥有共享目录写权限, 需要虚拟用户在samba中配置文件文件中有权限, 并且在文件系统层面也有权限. 假设, 我们需要admin组里的用户smblogin1, smblogin2能写, 而不在admin组里的smblogin3只能读.
8. 创建admin组, 并且将smblogin1, smblogin2添加到该组
[07:10:42 root@samba-server ~]#groupadd admin
[07:10:54 root@samba-server ~]#usermod -G admin smblogin1
[07:11:04 root@samba-server ~]#usermod -G admin smblogin2
[07:11:05 root@samba-server ~]#id smblogin1
uid=1000(smblogin1) gid=1000(smblogin1) groups=1000(smblogin1),1003(admin)
[07:11:10 root@samba-server ~]#id smblogin2
uid=1001(smblogin2) gid=1001(smblogin2) groups=1001(smblogin2),1003(admin)
9. 修改samba配置文件, 给予admin组的用户写权限
[share]
path=/data/samba
write list=@admin
10. 修改/data/samba目录权限, 目录, 及
[07:14:14 root@samba-server ~]#chgrp admin /data/samba -R
[07:14:32 root@samba-server ~]#ll /data/samba/
total 0
-rw-r--r-- 1 root admin 0 Sep 21 05:34 f1.txt
-rw-r--r-- 1 root admin 0 Sep 21 05:34 f2.txt
-rw-r--r-- 1 root admin 0 Sep 21 05:34 f3.txt
[07:26:32 root@samba-server ~]#chmod 775 /data/samba -R
[07:26:58 root@samba-server ~]#ll -d /data/samba/*
-rwxrwxr-x 1 root admin 0 Sep 21 07:25 /data/samba/f1.txt
-rwxrwxr-x 1 root admin 0 Sep 21 07:25 /data/samba/f2.txt
-rwxrwxr-x 1 root admin 0 Sep 21 07:25 /data/samba/f3.txt
[07:26:59 root@samba-server ~]#ll -d /data/samba/
drwxrwxr-x 2 root admin 48 Sep 21 07:25 /data/samba/
11. 重启服务
[07:27:03 root@samba-server ~]#systemctl restart smb.service
12. 验证
smblogin1 能读能写
[19:27:50 root@samba-client ~]#smbclient //10.0.0.84/share -U smblogin1
Enter SAMBA\smblogin1's password:
Try "help" to get a list of possible commands.
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (110.1 kb/s) (average 110.1 kb/s)
smb: \> ls
. D 0 Mon Sep 21 07:29:04 2020
.. D 0 Mon Sep 21 07:25:13 2020
f1.txt N 0 Mon Sep 21 07:25:28 2020
f2.txt N 0 Mon Sep 21 07:25:28 2020
f3.txt N 0 Mon Sep 21 07:25:28 2020
anaconda-ks.cfg A 1465 Mon Sep 21 07:29:04 2020
10475520 blocks of size 1024. 10369344 blocks available
smb: \> get f1.txt
getting file \f1.txt of size 0 as f1.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
[19:31:19 root@samba-client ~]#smbclient //10.0.0.84/share -U smblogin2
Enter SAMBA\smblogin2's password:
Try "help" to get a list of possible commands.
smb: \> get f1.txt
getting file \f1.txt of size 0 as f1.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> put anaconda-ks.cfg
putting file anaconda-ks.cfg as \anaconda-ks.cfg (286.1 kb/s) (average 286.1 kb/s)
smb: \> ls
. D 0 Mon Sep 21 07:31:02 2020
.. D 0 Mon Sep 21 07:25:13 2020
f1.txt N 0 Mon Sep 21 07:25:28 2020
f2.txt N 0 Mon Sep 21 07:25:28 2020
f3.txt N 0 Mon Sep 21 07:25:28 2020
anaconda-ks.cfg A 1465 Mon Sep 21 07:31:31 2020
10475520 blocks of size 1024. 10369364 blocks available
smblogin3, 只能读,不能写
[19:32:12 root@samba-client ~]#smbclient //10.0.0.84/share -U smblogin3
Enter SAMBA\smblogin3's password:
Try "help" to get a list of possible commands.
smb: \> get f1.txt
getting file \f1.txt of size 0 as f1.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> put anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED opening remote file \anaconda-ks.cfg
smb: \> rm anaconda-ks.cfg
NT_STATUS_ACCESS_DENIED deleting remote file \anaconda-ks.cfg
//10.0.0.84/share /mnt cifs credentials=/etc/sambapasswd.txt 0 0
2. 创建保存使用挂载服务的账号和密码的文件
[19:40:20 root@samba-client ~]#vim /etc/sambapasswd.txt
username=smblogin1
password=000000
3. 修改文件权限为600
[19:46:37 root@samba-client ~]#chmod 600 /etc/sambapasswd.txt
4. mount -a
[19:47:08 root@samba-client ~]#mount -a
5. 验证, smblogin1用户, 可以挂载/data/samba目录到本地/mnt下, 且能读能写能修改, 在服务端能显示
客户端操作;
[19:47:30 root@samba-client ~]#ls /mnt
anaconda-ks.cfg f1.txt f2.txt f3.txt
[19:48:55 root@samba-client ~]#touch /mnt/f4.txt
[19:49:07 root@samba-client ~]#rm -rf /mnt/f1.txt /mnt/f2.txt /mnt/f3.txt
服务器端验证:
[07:49:49 root@samba-server ~]#ls /data/samba/
anaconda-ks.cfg f4.txt
----------------------至此, samb共享目录和挂载都完成-------------------------
二、实现不同samba用户访问相同的samba共享,实现不同的配置
实现, smblogin1访问共享目录, 会进入/data/samba/dir1. smblogin2访问共享目录, 会进入/data/samba/dir2. smblogin3访问共享目录就是/data/samba
1. 修改samba配置文件
[global]
workgroup = SAMBA
config file = /etc/samba/conf.d/%U
2. 针对smblogin1, smblogin2创建单独的配置文件
[08:16:46 root@samba-server ~]#mkdir -pv /etc/samba/conf.d
mkdir: created directory '/etc/samba/conf.d'
[08:17:05 root@samba-server ~]#vim /etc/samba/conf.d/smblogin1
[share]
path=/data/dir1
read only=no
[08:17:50 root@samba-server ~]#vim /etc/samba/conf.d/smblogin2
[share]
path=/data/dir2
read only=no
3. 重启samba服务 验证
3、远程主机通过链接openvpn修复内网里 httpd 服务主机,假如现在 httpd 宕机了,我们需要链接进去让 httpd 启动
实验环境:
共四台VMware主机
1. OpenVPN Server: CentOS 8, eth0:10.0.0.84 NAT模式, eth1: 172.30.0.8/24 仅主机模式
2. 内网两台Web服务器
第一台主机: eth0: 172.30.0.100/24 仅主机模式
第二台主机: eth0: 172.30.0.200/24 仅主机模式
3. Windows客户端作为OpenVPN客户端, 从局域网ip连接到OpenVPN服务器的10.0.0.84, 进入内网
配置步骤:
1. 分别在内网两台主机搭建Web服务
1.1 安装httpd
yum -y install httpd, systemctl enable --now httpd; echo 'WebServer1 on 172.30.0.100' > /var/www/html/index.html
yum -y install httpd, systemctl enable --now httpd; echo 'WebServer1 on 172.30.0.200' > /var/www/html/index.html
1.2 验证网页生效
[03:36:07 root@c8prac ~]#curl 172.30.0.100
WebServer1 on 172.30.0.100/24
[03:36:16 root@c8prac ~]#curl 172.30.0.200
Webserver2 on 172.30.0.200
服务器端配置
2. OpenVPN服务器端安装OpenVPN和easy-rsa软件
yum -y install openvpn; yum -y install easy-rsa
OpenVPN和easy-rsa包都没有提供服务器配置文件, 只提供了模板文件, 我们可以将模板文件复制到对应的目录下,编辑修改后直接使用.
3. 准备openvpn配置文件
[03:44:17 root@c8prac ~]#cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn
4. 准备easy-rsa配置文件和签发证书的相关变量配置文件, 将整个easy-rsa模板目录,复制到/etc/openvpn目录下, 改名为easy-rsa-server
[03:46:04 root@c8prac ~]#cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
[04:43:14 root@c8prac /etc/openvpn/easy-rsa-server/3]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
5. 检查目录结构
[03:46:35 root@c8prac ~]#tree /etc/openvpn
/etc/openvpn
├── client #放客户端证书
├── easy-rsa-server #CA工作目录, 给用户颁发证书
│ ├── 3 -> 3.0.7
│ ├── 3.0 -> 3.0.7
│ └── 3.0.7
│ ├── easyrsa
│ ├── openssl-easyrsa.cnf
│ └── x509-types
│ ├── ca
│ ├── client
│ ├── code-signing
│ ├── COMMON
│ ├── email
│ ├── kdc
│ ├── server
│ └── serverClient
├── server #放服务器端证书
└── server.conf #配置文件
7 directories, 11 files
6. 初始化PKi生成PKI相关目录和文件
[04:14:00 root@c8prac ~]#cd /etc/openvpn/easy-rsa-server/3
[04:20:01 root@c8prac /etc/openvpn/easy-rsa-server/3]#pwd
/etc/openvpn/easy-rsa-server/3
[04:20:04 root@c8prac /etc/openvpn/easy-rsa-server/3]#ls
easyrsa openssl-easyrsa.cnf x509-types
[04:20:07 root@c8prac /etc/openvpn/easy-rsa-server/3]#./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[04:20:22 root@c8prac /etc/openvpn/easy-rsa-server/3]#tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki #初始化后, 生成新得pki目录和相关文件
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 12 files
7. 创建CA机构, 生成CA自签名文件
[04:22:15 root@c8prac /etc/openvpn/easy-rsa-server/3]#./easyrsa build-ca nopass #nopass 不给证书设置密码
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
.........+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt #生成自签名的证书文件
8. 创建服务器端证书申请文件
[04:28:36 root@c8prac /etc/openvpn/easy-rsa-server/3]#./easyrsa gen-req server nopass
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
Generating a RSA private key
..........................+++++
.......................................+++++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-2062.0oDtYT/tmp.tlq0pN'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key
9. 给服务器端颁发证书
[04:38:00 root@c8prac /etc/openvpn/easy-rsa-server/3]#./easyrsa sign server server #第一个server是指颁发的证书是给服务器的, 第二个server是前面指定的服务器名称, 这里用的默认值就是server
Using SSL: openssl OpenSSL 1.1.1c FIPS 28 May 2019
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 825 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-2089.9sCNIm/tmp.weP3V4
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Dec 26 20:39:52 2022 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt
10. 创建Diffie-Hellman密钥
[05:02:35 root@c8prac /etc/openvpn/easy-rsa-server/3]#./easyrsa gen-dh
*****服务器证书准备完毕*****
*****准备客户端证书*****
11. 准备客户端证书存放目录
[05:03:26 root@c8prac /etc/openvpn/easy-rsa-server/3]#cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
12. 准备客户端证书变量文件
[05:14:40 root@c8prac /etc/openvpn/easy-rsa-server/3]#cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-client/3/vars
13. 准备客户端证书相关目录
[05:17:49 root@c8prac /etc/openvpn/easy-rsa-client/3]#./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.7/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki
14. 创建客户端证书申请, 从这开始就是每次用户申请vpn权限时,需要的操作
假设给david用户颁发vpn证书
[05:21:01 root@c8prac /etc/openvpn/easy-rsa-client/3]#./easyrsa gen-req david nopass #服务器端没有设置密码, 因此不需要密码
15. 给客户端颁发证书, 需要回到服务器端的3目录
[05:21:09 root@c8prac /etc/openvpn/easy-rsa-client/3]#cd /etc/openvpn/easy-rsa-server/3
[05:22:32 root@c8prac /etc/openvpn/easy-rsa-server/3]#pwd
/etc/openvpn/easy-rsa-server/3
16. 将客户端证书请求文件复制到CA的工作目录
[05:22:33 root@c8prac /etc/openvpn/easy-rsa-server/3]#./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/david.req david
17. 必须先修改客户端证书有效期再颁发证书!!!!!
set_var EASYRSA_CERT_EXPIRE 90
18. 给david颁发客户端证书
[05:31:14 root@c8prac /etc/openvpn/easy-rsa-server/3]#./easyrsa sign client david
19. 证书统一管理, 将CA和服务器证书相关文件复制到服务器相应的目录
[05:34:04 root@c8prac ~]#mkdir /etc/openvpn/certs
[05:39:11 root@c8prac ~]#cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[05:39:23 root@c8prac ~]#cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[05:39:39 root@c8prac ~]#cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[05:39:52 root@c8prac ~]#cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
[05:40:01 root@c8prac ~]#ll /etc/openvpn/certs/
total 20
-rw------- 1 root root 1204 Sep 23 05:39 ca.crt
-rw------- 1 root root 424 Sep 23 05:40 dh.pem
-rw------- 1 root root 4608 Sep 23 05:39 server.crt
-rw------- 1 root root 1704 Sep 23 05:39 server.key
20. 将客户端私钥和证书相关文件复制到服务器相关目录. 每个用户单独创建一个目录
这里给david创建
[05:45:14 root@c8prac ~]#find /etc/openvpn \( -name 'david.key' -o -name 'david.crt' -o -name 'ca.crt' \) -exec cp {} /etc/openvpn/client/david \;
[05:46:03 root@c8prac ~]#ll /etc/openvpn/client/david/
total 16
-rw------- 1 root root 1204 Sep 23 05:46 ca.crt
-rw------- 1 root root 4487 Sep 23 05:46 david.crt
-rw------- 1 root root 1708 Sep 23 05:46 david.key
*******证书配置完毕*******
*******下面准备服务器配置文件*******
21. 修改服务器端配置文件
[06:02:14 root@c8prac ~]#vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
22. 准备日志相关目录
[06:07:19 root@c8prac ~]#mkdir /var/log/openvpn
[06:13:22 root@c8prac ~]#chown openvpn.openvpn /var/log/openvpn
23. 开启ipforward功能
[06:13:35 root@c8prac ~]#echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
[06:16:16 root@c8prac ~]#sysctl -p
net.ipv4.ip_forward = 1
24. 添加SNAT规则,设置持久保存和开机自动加载
[06:19:18 root@c8prac ~]#echo 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' >> /etc/rc.d/rc.local
[06:19:26 root@c8prac ~]#cat /etc/rc.d/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
[06:19:35 root@c8prac ~]#chmod +x /etc/rc.d/rc.local
[06:20:23 root@c8prac ~]#/etc/rc.d/rc.local
[06:20:29 root@c8prac ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[06:20:34 root@c8prac ~]#iptables -vnL -t -nat
iptables v1.8.4 (nf_tables): table '-nat' does not exist
Perhaps iptables or your kernel needs to be upgraded.
[06:20:49 root@c8prac ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/24 0.0.0.0/0
25. 启动openvpn服务, 8上的openvpn不带service文件. 可从7上装一个拷贝到8
[06:28:13 root@c8prac ~]#vim /usr/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
26. 加载daemod
[06:28:26 root@c8prac ~]#systemctl daemon-reload
[06:29:47 root@c8prac ~]#systemctl enable --now openvpn@server
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /usr/lib/systemd/system/openvpn@.service.
27. 生成客户端用户所需配置文件, 该文件将来需要传给所用客户端
[06:31:03 root@c8prac ~]#vim /etc/openvpn/client/david/client.ovpn
client
dev tun
proto tcp
remote 10.0.0.84 1194
resolv-retry infinite
nobind
#persist-key
#tls-auth ta.key 1
#persist-tun
ca ca.crt
cert david.crt
key david.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2
28. 验证david用户所需证书,秘钥和配置文件. 一起打包传给客户端
[06:45:46 root@c8prac ~]#ls /etc/openvpn/client/david/
ca.crt client.ovpn david.crt david.key
29. 打包发给windows客户端, C:\Program Files\openvpn\config, OpenVPN安装目录
[06:48:05 root@c8prac /etc/openvpn/client/david]#tar cf david.tar ./
tar: ./david.tar: file is the archive; not dumped
[06:48:23 root@c8prac /etc/openvpn/client/david]#ls
ca.crt client.ovpn david.crt david.key david.tar
[06:48:25 root@c8prac /etc/openvpn/client/david]#sz david.tar
30. 登录OpenVPN即可, 如果遇到证书不合法, 可以安装证书重新连接
