CentOS 7.9 部署 ov ，助力居家办公

1、自动部署服务，并创建一个demo账号，拨通vpn后访问 http://10.10.10.1 即可以查看所有登录的用户，以及分配的IP地址，因为开启了 client-to-client 功能，所以这个客户端直接可以直接访问。实现下图效果：

  1 #!/bin/bash
  2 
  3 IP=117.117.117.119
  4 PORT=19397
  5 
  6 # 配置阿里云 epel 源
  7 curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
  8 
  9 # 安装 openvpn easy-rsa httpd lrzsz 软件
 10 yum install -y openvpn easy-rsa lrzsz httpd
 11 
 12 # 拷贝 easy-rsa 软件到 openvpn 目录
 13 cp -a /usr/share/easy-rsa/[[:digit:]]*.[[:digit:]]*.[[:digit:]]* /etc/openvpn/easy-rsa
 14 
 15 # 切换到 easy-rsa 目录，方便执行easyrsa命令
 16 cd /etc/openvpn/easy-rsa
 17 
 18 # 初始化 pki 目录
 19 ./easyrsa init-pki
 20 
 21 # 创建 ca 证书
 22 ./easyrsa build-ca nopass
 23 
 24 # 创建 server 密钥和证书
 25 ./easyrsa build-server-full server nopass
 26 
 27 # 创建dn
 28 ./easyrsa gen-dh
 29 
 30 # 准备证书吊销列表文件
 31 ./easyrsa gen-crl
 32 
 33 # 准备 server 用的证书和秘密等文件，统一放到 /etc/openvpn/server/
 34 cp pki/ca.crt /etc/openvpn/server/
 35 cp pki/dh.pem /etc/openvpn/server/
 36 cp pki/issued/server.crt /etc/openvpn/server/
 37 cp pki/private/server.key /etc/openvpn/server/
 38 
 39 # 准备 server 配置文件，绝对路径必须 /etc/openvpn/service.conf ，下面是配置文件模板
 40 # cp /usr/share/doc/openvpn-[[:digit:]]*.[[:digit:]]*.[[:digit:]]*/sample/sample-config-files/server.conf /etc/openvpn/service.conf
 41 
 42 echo 'local 0.0.0.0
 43 port '$PORT'
 44 proto udp
 45 dev tun
 46 ca /etc/openvpn/server/ca.crt
 47 cert /etc/openvpn/server/server.crt
 48 key /etc/openvpn/server/server.key
 49 dh /etc/openvpn/server/dh.pem
 50 server 10.10.10.0 255.255.255.0
 51 client-to-client
 52 duplicate-cn
 53 keepalive 10 120
 54 cipher AES-256-CBC
 55 max-clients 100
 56 persist-key
 57 persist-tun
 58 status /var/www/html/index.txt
 59 log-append /var/log/openvpn.log
 60 verb 3
 61 mute 20
 62 explicit-exit-notify 1
 63 crl-verify /etc/openvpn/easy-rsa/pki/crl.pem ' > /etc/openvpn/service.conf
 64 
 65 # 启动服务，并设置开机自动运行
 66 systemctl enable openvpn@service && systemctl start openvpn@service 
 67 
 68 # 创建 client 证书和密钥
 69 ./easyrsa build-client-full demo nopass
 70 
 71 # 准备 client 配置文件，下面是配置文件模板
 72 # cp /usr/share/doc/openvpn-[[:digit:]]*.[[:digit:]]*.[[:digit:]]*/sample/sample-config-files/client.conf /etc/openvpn/client/
 73 
 74 echo 'client
 75 dev tun
 76 proto udp
 77 remote '$IP' '$PORT'
 78 nobind
 79 persist-key
 80 persist-tun
 81 remote-cert-tls server
 82 cipher AES-256-CBC
 83 verb 3' > /etc/openvpn/client/demo.ovpn
 84 
 85 # 为 client 配置ca证书
 86 echo '<ca>' >> /etc/openvpn/client/demo.ovpn
 87 cat /etc/openvpn/easy-rsa/pki/ca.crt >> /etc/openvpn/client/demo.ovpn
 88 echo '</ca>' >> /etc/openvpn/client/demo.ovpn
 89 
 90 # 为 client 配置证书
 91 echo '<cert>' >> /etc/openvpn/client/demo.ovpn
 92 cat /etc/openvpn/easy-rsa/pki/issued/demo.crt >> /etc/openvpn/client/demo.ovpn
 93 echo '</cert>' >> /etc/openvpn/client/demo.ovpn
 94 
 95 # 为 client 配置密钥
 96 echo '<key>' >> /etc/openvpn/client/demo.ovpn
 97 cat /etc/openvpn/easy-rsa/pki/private/demo.key >> /etc/openvpn/client/demo.ovpn
 98 echo '</key>' >> /etc/openvpn/client/demo.ovpn
 99 
100 # 配置 httpd 服务，用于显示办公室客户端ip，http://10.10.10.1
101 chmod +r /var/www/html/index.txt
102 sed -i 's/index.html/index.txt/' /etc/httpd/conf/httpd.conf
103 echo 'ServerName 10.10.10.1:80' >> /etc/httpd/conf/httpd.conf
104 systemctl enable httpd && systemctl start httpd
105 
106 sz /etc/openvpn/client/demo.ovpn

2、自动创建用户的脚本： sh create.sh usera

 1 #!/bin/bash
 2 
 3 IP=117.117.117.119
 4 PORT=11947
 5 USER=$1
 6 
 7 # 切换到 easy-rsa 目录，方便执行easyrsa命令
 8 cd /etc/openvpn/easy-rsa
 9 
10 # 创建 client 证书和密钥
11 ./easyrsa build-client-full $USER nopass
12 
13 # 准备 client 配置文件，下面是配置文件模板
14 
15 echo 'client
16 dev tun
17 proto udp
18 remote '$IP' '$PORT'
19 nobind
20 persist-key
21 persist-tun
22 remote-cert-tls server
23 cipher AES-256-CBC
24 verb 3' > /etc/openvpn/client/$USER.ovpn
25 
26 # 为 client 配置ca证书
27 echo '<ca>' >> /etc/openvpn/client/$USER.ovpn
28 cat /etc/openvpn/easy-rsa/pki/ca.crt >> /etc/openvpn/client/$USER.ovpn
29 echo '</ca>' >> /etc/openvpn/client/$USER.ovpn
30 
31 # 为 client 配置证书
32 echo '<cert>' >> /etc/openvpn/client/$USER.ovpn
33 cat /etc/openvpn/easy-rsa/pki/issued/$USER.crt >> /etc/openvpn/client/$USER.ovpn
34 echo '</cert>' >> /etc/openvpn/client/$USER.ovpn
35 
36 # 为 client 配置密钥
37 echo '<key>' >> /etc/openvpn/client/$USER.ovpn
38 cat /etc/openvpn/easy-rsa/pki/private/$USER.key >> /etc/openvpn/client/$USER.ovpn
39 echo '</key>' >> /etc/openvpn/client/$USER.ovpn
40 
41 sz /etc/openvpn/client/$USER.ovpn

3、自动删除用户的脚本: sh delete.sh useraaa

 1 #!/bin/bash
 2 
 3 USER=$1
 4 
 5 # 切换到 easy-rsa 目录，方便执行easyrsa命令
 6 cd /etc/openvpn/easy-rsa
 7 
 8 # 注销用户，即吊销证书
 9 ./easyrsa revoke $USER
10 ./easyrsa gen-crl

4、补充配置文件，重启服务后，客户端还能获取之前的IP地址

1 ifconfig-pool-persist /etc/openvpn/server/ipp.txt

5、自动把用户名以及对应的ip记录到 hosts文件中，这样的server上访问客户端服务的时候直接访问用户名就可以了，不用查ip，再访问ip

1 #!/bin/bash
2 
3 echo '127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
4 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
5 ' > /etc/hosts
6 cat /var/www/html/index.txt | grep 10.10.10 | awk -F , '{print $1,$2}' >> /etc/hosts

6、给5中的脚本添加计划任务，每分钟执行一次

# 注销用户，即吊销证书
./easyrsa revoke $USER
./easyrsa gen-crl
rm -rf ../client/$USER.ovpn

7、客户端自动重连

在客户端配置文件中添加

resolv-retry infinite

8、openvpnas

下载安装：

wget https://openvpn.net/downloads/openvpn-as-latest-CentOS7.x86_64.rpm

wget https://openvpn.net/downloads/openvpn-as-bundled-clients-latest.rpm

yum localinstall -y ./openvpn-as*.rpm

激活

OpenVPN AS：基于web管理OpenVPN服务 - 知乎 (zhihu.com)

[root@vm-24-13-centos openvpnas]# cd /usr/local/openvpn_as/lib/python/
[root@vm-24-13-centos python]# cp pyovpn-2.0-py3.6.egg{,.back}
[root@vm-24-13-centos python]# ls -alh|grep pyovpn
drwxr-xr-x 37 root root 4.0K Oct  8 18:08 pyovpn
-rw-r--r--  1 root root 5.8M Oct  8 18:45 pyovpn-2.0-py3.6.egg
-rw-r--r--  1 root root 5.7M Oct  8 17:28 pyovpn-2.0-py3.6.egg.back #这是备份出来的文件
-rwxr-xr-x  1 root root  19K Jun 15 22:28 pyovpnc.cpython-36m-x86_64-linux-gnu.so

[root@vm-24-13-centos openvpnas]# cd /root/openvpnas
[root@vm-24-13-centos openvpnas]# mkdir compile && cd $_
[root@vm-24-13-centos compile]# cp /usr/local/openvpn_as/lib/python/pyovpn-2.0-py3.6.egg .
[root@vm-24-13-centos compile]# unzip -q ./pyovpn-2.0-py3.6.egg
[root@vm-24-13-centos compile]# ls
common  EGG-INFO  pyovpn  pyovpn-2.0-py3.6.egg
[root@vm-24-13-centos compile]# cd pyovpn/lic/
[root@vm-24-13-centos lic]# ls -a
.  ..  conf  info.pyc  __init__.pyc  ino.pyc  lbcs.pyc  lbq.pyc  lic_entry.pyc  licerror.pyc  lichelper.pyc  lickey.pyc  licser.pyc  licstore.pyc  liman.pyc  lspci.pyc  prop.pyc  uprop.pyc  vprop.pyc
[root@vm-24-13-centos lic]# mv uprop.pyc uprop2.pyc
[root@vm-24-13-centos lic]# vim uprop.py
[root@vm-24-13-centos lic]# cat uprop.py
from pyovpn.lic import uprop2
old_figure = None

def new_figure(self, licdict):
      ret = old_figure(self, licdict)
      ret['concurrent_connections'] = 6666
      return ret

for x in dir(uprop2):
      if x[:2] == '__':
         continue
      if x == 'UsageProperties':
         exec('old_figure = uprop2.UsageProperties.figure')
         exec('uprop2.UsageProperties.figure = new_figure')
      exec('%s = uprop2.%s' % (x, x))
[root@vm-24-13-centos lic]# python -O -m compileall uprop.py && mv __pycache__/uprop.*.pyc uprop.pyc
Compiling 'uprop.py'...

# 最后打包一下就结束了
[root@vm-24-13-centos lic]# cd ../../
[root@vm-24-13-centos compile]# zip -rq pyovpn-2.0-py3.6.egg ./pyovpn ./EGG-INFO ./common

cp ./pyovpn-2.0-py3.6.egg /usr/local/openvpn_as/lib/python/
systemctl restart openvpnas.service

# 免配置yum，直接安装

rpm -ivh https://mirrors.aliyun.com/epel/7/x86_64/Packages/p/pkcs11-helper-1.11-3.el7.x86_64.rpm
rpm -ivh https://mirrors.aliyun.com/epel/7/x86_64/Packages/e/easy-rsa-3.0.8-1.el7.noarch.rpm
rpm -ivh https://mirrors.aliyun.com/epel/7/x86_64/Packages/o/openvpn-2.4.12-1.el7.x86_64.rpm

posted @ 2022-07-01 20:58 三角形阅读(264) 评论(0) 编辑收藏举报

刷新页面返回顶部

三角形

致力于帮助运维初学者完成从0到1、从1到10 的蜕变

CentOS 7.9 部署 ov ，助力居家办公

公告

三角形

致力于帮助运维初学者完成 从0到1、从1到10 的蜕变

CentOS 7.9 部署 ov ，助力居家办公

公告

致力于帮助运维初学者完成从0到1、从1到10 的蜕变