一键安装openvpn、申请证书、吊销证书
[root@centos7 ~]# cat install_openvpn.sh
#!/bin/bash
#
#******************************************************************************
#Author: zhanghui
#QQ: 19661891
#Date: 2021-03-28
#FileName: install_openvpn.sh
#URL: www.neteagles.cn
#Description: install_openvpn for centos 7/8
#Copyright (C): 2021 All rights reserved
#******************************************************************************
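# Network auto-detection. The interface with index 2 in `ip a` (the first
# non-loopback device) is assumed to be the VPN-facing interface.
NET_NAME=$(ip a | awk -F"[: ]" '/^2/{print $3}')
# First globally-scoped IPv4 address on that interface; server.conf binds to it.
INNER_NET=$(ip addr show "${NET_NAME}" | awk -F" +|/" '/global/{print $3}')
# Network address of the connected route on that interface; pushed to clients
# as the LAN route. The device name is handed to awk with -v: inside the
# original single-quoted awk program ${NET_NAME} was never expanded by the
# shell, so the pattern could not match and ROUTE was always empty.
ROUTE=$(ip route | awk -F"/" -v dev="${NET_NAME}" '$0 ~ ("dev " dev " proto kernel") {print $1}')
NETMASK=255.255.255.0
# Passphrase applied to every client private key generated by client().
# It is a weak, shared default: change it before issuing client certificates.
PASSWORD=123456
# With a single NIC the public and private IP are the same; if the host has a
# separate public IP, set OUTER_NET to that address (clients connect to it).
OUTER_NET=${INNER_NET}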
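#######################################
# Detect the major OS release version (needed to pick the systemd unit layout).
# On CentOS, installs redhat-lsb-core first when lsb_release is missing.
# Globals:   OS_RELEASE_VERSION (written; empty if lsb_release is unavailable)
# Arguments: none
# Outputs:   an install notice on stdout when lsb_release has to be installed
# Returns:   0
#######################################
os(){
  if grep -Eqi "CentOS" /etc/issue || grep -Eq "CentOS" /etc/*-release; then
    if ! rpm -q redhat-lsb-core &> /dev/null; then
      # The original wrote ${COLOR}"..."${END}; neither variable is defined in
      # this file, so the message was executed as a command instead of printed.
      printf '%s\n' "安装lsb_release工具"
      yum -y install redhat-lsb-core &> /dev/null
    fi
  fi
  OS_RELEASE_VERSION=$(lsb_release -rs | awk -F'.' '{print $1}')
}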
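#######################################
# Print the first existing path among the given glob patterns.
# Arguments: one or more glob patterns (quoted by the caller)
# Outputs:   the first matching path on stdout
# Returns:   0 when a match was found, 1 otherwise
#######################################
_first_existing() {
  local pattern candidate
  for pattern in "$@"; do
    # shellcheck disable=SC2086 -- the pattern is meant to be globbed here
    for candidate in $pattern; do
      if [[ -e "$candidate" ]]; then
        printf '%s\n' "$candidate"
        return 0
      fi
    done
  done
  return 1
}

#######################################
# Install OpenVPN and easy-rsa, build the server CA / certificate / DH /
# tls-auth key, generate server.conf from the packaged sample, configure IP
# forwarding and NAT, start the service and prepare a separate client PKI.
# Globals:   OS_RELEASE_VERSION, INNER_NET, ROUTE, NETMASK (read)
# Arguments: none
# Outputs:   easy-rsa / expect progress on stdout, diagnostics on stderr
# Returns:   0 on success, 1 when not root, when a package install fails or
#            when a required sample file / directory is missing
#######################################
install_openvpn(){
  local server_sample vars_example
  local -a sed_args
  if (( EUID != 0 )); then
    printf '%s\n' "install_openvpn: must be run as root" >&2
    return 1
  fi
  yum -y install epel-release &> /dev/null
  # expect is needed below to drive the interactive easyrsa prompts.
  if ! yum -y install openvpn easy-rsa expect &> /dev/null; then
    printf '%s\n' "install_openvpn: package installation failed" >&2
    return 1
  fi
  # Locate the packaged sample files. CentOS 8 ships them in an unversioned
  # directory, CentOS 7 in a versioned one; the original hard-coded
  # openvpn-2.4.10 / easy-rsa-3.0.8 and broke on any other package version.
  server_sample=$(_first_existing \
    /usr/share/doc/openvpn/sample/sample-config-files/server.conf \
    '/usr/share/doc/openvpn-*/sample/sample-config-files/server.conf') || {
    printf '%s\n' "install_openvpn: sample server.conf not found" >&2
    return 1
  }
  vars_example=$(_first_existing \
    /usr/share/doc/easy-rsa/vars.example \
    '/usr/share/doc/easy-rsa-*/vars.example') || {
    printf '%s\n' "install_openvpn: easy-rsa vars.example not found" >&2
    return 1
  }
  cp "$server_sample" /etc/openvpn/server.conf

  # --- server PKI -----------------------------------------------------------
  cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-server
  cp "$vars_example" /etc/openvpn/easyrsa-server/3/vars
  # CA valid for 10 years, server (and, since signing happens in this tree,
  # client) certificates for 1 year.
  sed -i.bak -e 's/#set_var EASYRSA_CA_EXPIRE.*/set_var EASYRSA_CA_EXPIRE 3650/' \
    -e 's/#set_var EASYRSA_CERT_EXPIRE.*/set_var EASYRSA_CERT_EXPIRE 365/' \
    /etc/openvpn/easyrsa-server/3/vars
  cd /etc/openvpn/easyrsa-server/3/ || return 1
  ./easyrsa init-pki
  # build-ca / gen-req / sign prompt interactively; expect accepts the
  # defaults (empty answer) and confirms the signing details.
  expect <<EOF
spawn ./easyrsa build-ca nopass
expect "]:" { send "\n";exp_continue }
EOF
  expect <<EOF
spawn ./easyrsa gen-req server nopass
expect "]:" { send "\n";exp_continue }
EOF
  expect <<EOF
spawn ./easyrsa sign server server
expect "details:" { send "yes\n";exp_continue }
EOF
  ./easyrsa gen-dh
  # Install the server credentials where server.conf's absolute paths expect them.
  cd /etc/openvpn/server || return 1
  cp /etc/openvpn/easyrsa-server/3/pki/dh.pem .
  cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
  cp /etc/openvpn/easyrsa-server/3/pki/issued/server.crt .
  cp /etc/openvpn/easyrsa-server/3/pki/private/server.key .
  openvpn --genkey --secret ta.key

  # --- server.conf ----------------------------------------------------------
  # One -e per substitution. The original command line appears to be split
  # across two lines without a continuation, which would make the last three
  # expressions (log-append, mute, explicit-exit-notify) run as a separate,
  # failing command and never apply.
  sed_args=(
    -e "s/;local a.b.c.d/local ${INNER_NET}/"
    -e 's/;proto tcp/proto tcp/'
    -e 's/proto udp/#proto udp/'
    -e 's/;dev tap/#dev tap/'
    -e 's/;dev-node MyTap/#dev-node MyTap/'
    -e 's@ca ca.crt@ca /etc/openvpn/server/ca.crt@'
    -e 's@cert server.crt@cert /etc/openvpn/server/server.crt@'
    -e 's@key server.key@key /etc/openvpn/server/server.key@'
    -e 's@dh dh2048.pem@dh /etc/openvpn/server/dh.pem@'
    -e 's/;topology subnet/#topology subnet/'
    -e 's/ifconfig-pool-persist ipp.txt/#ifconfig-pool-persist ipp.txt/'
    -e 's/;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100/#server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100/'
    -e 's/;server-bridge/#server-bridge/'
    -e 's/;push "route 192.168.10.0 255.255.255.0"/#push "route 192.168.10.0 255.255.255.0"/'
  )
  # Push the local LAN route only when it was detected; an empty ROUTE would
  # otherwise produce an invalid `push "route  255.255.255.0"` directive.
  if [[ -n "${ROUTE}" ]]; then
    sed_args+=(-e "s/;push \"route 192.168.20.0 255.255.255.0\"/push \"route ${ROUTE} ${NETMASK}\"/")
  else
    printf '%s\n' "install_openvpn: ROUTE is empty, no LAN route will be pushed to clients" >&2
    sed_args+=(-e 's/;push "route 192.168.20.0 255.255.255.0"/#push "route 192.168.20.0 255.255.255.0"/')
  fi
  # NOTE(review): compression (compress lz4-v2 / comp-lzo) on a VPN link is
  # discouraged by upstream OpenVPN; if it is removed here, the client.ovpn
  # written by client() must be changed to match.
  # NOTE(review): persist-key / persist-tun are disabled while the daemon
  # drops to user openvpn; confirm the service still survives a SIGUSR1
  # restart, since the key files may not be re-readable after the drop.
  sed_args+=(
    -e 's/;client-config-dir ccd/#client-config-dir ccd/'
    -e 's/;route 192.168.40.128 255.255.255.248/#route 192.168.40.128 255.255.255.248/'
    -e 's/;route 10.9.0.0 255.255.255.252/#route 10.9.0.0 255.255.255.252/'
    -e 's@;learn-address ./script@#learn-address ./script@'
    -e 's/;push "redirect-gateway def1 bypass-dhcp"/#push "redirect-gateway def1 bypass-dhcp"/'
    -e 's/;push "dhcp-option DNS 208.67.222.222"/#push "dhcp-option DNS 208.67.222.222"/'
    -e 's/;push "dhcp-option DNS 208.67.220.220"/#push "dhcp-option DNS 208.67.220.220"/'
    -e 's/;client-to-client/#client-to-client/'
    -e 's/;duplicate-cn/#duplicate-cn/'
    -e 's@tls-auth ta.key 0 # This file is secret@tls-auth /etc/openvpn/server/ta.key 0 # This file is secret@'
    -e 's/;compress lz4-v2/compress lz4-v2/'
    -e 's/;push "compress lz4-v2"/#push "compress lz4-v2"/'
    -e 's/;comp-lzo/comp-lzo/'
    -e 's/;max-clients 100/max-clients 256/'
    -e 's/;user nobody/user openvpn/'
    -e 's/;group nobody/group openvpn/'
    -e 's/persist-key/#persist-key/'
    -e 's/persist-tun/#persist-tun/'
    -e 's@status openvpn-status.log@status /var/log/openvpn/openvpn-status.log@'
    -e 's@;log-append openvpn.log@log-append /var/log/openvpn/openvpn.log@'
    -e 's/;mute 20/mute 20/'
    -e 's/explicit-exit-notify 1/#explicit-exit-notify 1/'
  )
  sed -i.bak "${sed_args[@]}" /etc/openvpn/server.conf
  mkdir -p /var/log/openvpn
  chown -R openvpn:openvpn /var/log/openvpn/

  # --- forwarding and firewall ---------------------------------------------
  systemctl stop firewalld
  systemctl disable firewalld
  yum -y install iptables-services iptables &> /dev/null
  systemctl enable --now iptables
  iptables -F
  iptables -X
  iptables -Z
  iptables -t nat -F
  iptables -t nat -X
  iptables -t nat -Z
  # Append the sysctl only once (the original appended a duplicate line on
  # every run); sysctl -p re-reads the whole file.
  grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf \
    || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  sysctl -p
  iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
  # NOTE(review): the chains were flushed but no default policy is set, so
  # INPUT most likely keeps an ACCEPT policy and the two rules below do not
  # restrict anything by themselves; set a DROP policy (after permitting SSH)
  # if host filtering is intended.
  iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  service iptables save

  # --- service --------------------------------------------------------------
  if [[ ${OS_RELEASE_VERSION} == 8 ]]; then
    # The CentOS 8 openvpn package apparently no longer provides the legacy
    # openvpn@ template, so one is added here. /etc/systemd/system is the
    # administrator-owned location; a unit written into /usr/lib/systemd/system
    # (as the original did) is package territory and can be lost on update.
    cat > /etc/systemd/system/openvpn@.service <<'EOF'
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
  fi
  systemctl enable --now openvpn@server

  # --- client PKI (separate tree used only to create keys and requests) -----
  cp -r /usr/share/easy-rsa/ /etc/openvpn/easyrsa-client/
  cp "$vars_example" /etc/openvpn/easyrsa-client/3/vars
  # NOTE(review): client certificates are signed from the server tree with its
  # own vars, so this 90-day value probably does not take effect — confirm.
  sed -i.bak -e 's/#set_var EASYRSA_CA_EXPIRE.*/set_var EASYRSA_CA_EXPIRE 3650/' \
    -e 's/#set_var EASYRSA_CERT_EXPIRE.*/set_var EASYRSA_CERT_EXPIRE 90/' \
    /etc/openvpn/easyrsa-client/3/vars
  cd /etc/openvpn/easyrsa-client/3 || return 1
  ./easyrsa init-pki
}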
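#######################################
# Create a client key/request in the client PKI, sign it with the server CA
# and package the credentials plus a client.ovpn into a tarball.
# Globals:   PASSWORD (read; becomes the client key passphrase),
#            OUTER_NET (read; the address clients connect to)
# Arguments: none; the client name is read from stdin
# Outputs:   easy-rsa / expect progress on stdout; the bundle is written to
#            /etc/openvpn/client/<name>/<name>.tar.gz
# Returns:   0 on success, 1 on an invalid or already used name or a missing
#            directory
#######################################
client(){
  local client_name bundle_dir
  # The original read into USER, which clobbered the login user's variable.
  read -r -p "请输入用户名:" client_name
  # The name becomes a file and directory component and an easyrsa argument:
  # restrict it to a safe character set (non-empty, no leading '-', no '.'
  # or '..', no path separators).
  if [[ ! "$client_name" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]]; then
    printf '%s\n' "用户名无效: 只允许字母、数字、下划线、点和连字符" >&2
    return 1
  fi
  if [[ -e "/etc/openvpn/easyrsa-client/3/pki/reqs/${client_name}.req" ]]; then
    printf '%s\n' "用户 ${client_name} 已存在" >&2
    return 1
  fi
  # Generate the client key and request; expect answers the passphrase
  # prompts with PASSWORD and accepts the remaining defaults.
  cd /etc/openvpn/easyrsa-client/3 || return 1
  expect <<EOF
spawn ./easyrsa gen-req ${client_name}
expect "phrase:" { send "${PASSWORD}\n";exp_continue }
expect "phrase:" { send "${PASSWORD}\n";exp_continue }
expect "]:" { send "\n";exp_continue }
EOF
  # Import the request into the server PKI and sign it as a client certificate.
  cd /etc/openvpn/easyrsa-server/3 || return 1
  ./easyrsa import-req "/etc/openvpn/easyrsa-client/3/pki/reqs/${client_name}.req" "${client_name}"
  expect <<EOF
spawn ./easyrsa sign client ${client_name}
expect "details:" { send "yes\n";exp_continue }
EOF
  # Assemble the client bundle.
  bundle_dir="/etc/openvpn/client/${client_name}"
  mkdir -p "$bundle_dir"
  cd "$bundle_dir" || return 1
  cp /etc/openvpn/easyrsa-server/3/pki/ca.crt .
  cp "/etc/openvpn/easyrsa-server/3/pki/issued/${client_name}.crt" ./client.crt
  cp "/etc/openvpn/easyrsa-client/3/pki/private/${client_name}.key" ./client.key
  cp /etc/openvpn/server/ta.key .
  # Must stay in sync with the server.conf written by install_openvpn
  # (proto tcp, tls-auth direction 1, compression settings).
  cat > "${bundle_dir}/client.ovpn" <<EOF
client
dev tun
proto tcp
remote ${OUTER_NET} 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
comp-lzo
EOF
  tar czf "${client_name}.tar.gz" ./
  # The bundle contains the client private key and ta.key: keep it owner-only
  # (tar creates it with the default umask, typically world-readable).
  chmod 600 "${client_name}.tar.gz"
}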
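#######################################
# Revoke a client certificate, regenerate the CRL, make sure the server
# enforces it, and remove the client's key, request, certificate and bundle.
# Globals:   none
# Arguments: none; the client name is read from stdin
# Outputs:   the PKI index on stdout, then easy-rsa / expect progress
# Returns:   0 on success, 1 on an invalid or unknown name, a missing
#            directory or a failed gen-crl
#######################################
revoke_client(){
  local revoke_name
  local -r server_pki=/etc/openvpn/easyrsa-server/3
  cd "${server_pki}/" || return 1
  cat "${server_pki}/pki/index.txt"
  read -r -p "请输入用户名:" revoke_name
  # Same restriction as client(): the name is interpolated into rm -rf paths
  # below, so an empty value or '..' must never get through.
  if [[ ! "$revoke_name" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]]; then
    printf '%s\n' "用户名无效: 只允许字母、数字、下划线、点和连字符" >&2
    return 1
  fi
  if [[ ! -f "${server_pki}/pki/issued/${revoke_name}.crt" ]]; then
    printf '%s\n' "用户 ${revoke_name} 不存在" >&2
    return 1
  fi
  expect <<EOF
spawn ./easyrsa revoke ${revoke_name}
expect ":" { send "yes\n";exp_continue }
EOF
  # Regenerate the CRL on every revocation. The original only ran gen-crl when
  # crl.pem did not exist yet, so from the second revocation on the CRL was
  # stale and the revoked certificates were still accepted.
  ./easyrsa gen-crl || return 1
  # NOTE(review): the CRL has its own validity period (EASYRSA_CRL_DAYS in
  # vars); once it expires OpenVPN rejects every client until gen-crl is run
  # again, so schedule a periodic regeneration.
  grep -q '^crl-verify ' /etc/openvpn/server.conf || cat >> /etc/openvpn/server.conf <<EOF
crl-verify ${server_pki}/pki/crl.pem
EOF
  # NOTE(review): server.conf drops privileges to user openvpn; confirm that
  # crl.pem and its parent directories are readable by that user, otherwise
  # all clients are rejected after the restart.
  systemctl restart openvpn@server
  # Remove the client's files so the same name can be issued again. The
  # revoked (R) entries are deliberately kept in index.txt: gen-crl is built
  # from them, and deleting them (as the original sed '/^R/d' did) drops
  # those serials from the next CRL. easy-rsa 3's OpenSSL config is believed
  # to allow duplicate subjects, so this should not block re-issuing — confirm
  # on the installed easy-rsa version.
  rm -f "/etc/openvpn/easyrsa-client/3/pki/private/${revoke_name}.key"
  rm -f "/etc/openvpn/easyrsa-client/3/pki/reqs/${revoke_name}.req"
  rm -rf "/etc/openvpn/client/${revoke_name:?}/"
  rm -f "${server_pki}/pki/reqs/${revoke_name}.req"
  rm -f "${server_pki}/pki/issued/${revoke_name}.crt"
}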
# Entry point: detect the OS release, then loop on an interactive menu until
# the user picks "exit". All actions require root.
os
PS3="请选择相应的编号(1-4):"
MENU_ITEMS=(
  "安装openvpn、创建服务端证书和配置文件、客户端配置"
  "创建客户端证书"
  "吊销客户端证书"
  "退出"
)
select menu in "${MENU_ITEMS[@]}"; do
  # $REPLY holds the typed number; anything outside 1-4 is rejected.
  case "$REPLY" in
    1) install_openvpn ;;
    2) client ;;
    3) revoke_client ;;
    4) break ;;
    *) printf '\e[1;31m%s\e[0m\n' "输入错误,请输入正确的数字(1-4)!" ;;
  esac
done