CentOS 7.9 部署 OpenVPN，助力居家办公
1、自动部署服务，并创建一个 demo 账号。拨通 VPN 后访问 http://10.10.10.1 即可查看所有已登录的用户以及分配的 IP 地址：这个页面直接展示的是 OpenVPN 的 status 文件，其中除了用户名和隧道 IP，还有每个用户的公网出口地址，因此务必只允许 10.10.10.0/24 访问它，不要暴露到公网（httpd 默认监听所有网卡）。因为开启了 client-to-client，客户端之间可以直接互访——这也意味着任何一台接入 VPN 的机器都能访问其他所有用户的机器，接入的终端必须可信。实现下图效果：
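#!/bin/bash
#
# Deploy an OpenVPN 2.4 server on CentOS 7.9 with an easy-rsa PKI, issue a
# "demo" client profile, and publish the OpenVPN status file through httpd so
# VPN users can see who is connected and which tunnel address each one got.
#
# Run once, as root, on a fresh host. Produces:
#   /etc/openvpn/service.conf          server config (unit name: openvpn@service)
#   /etc/openvpn/server/{ca.crt,server.crt,server.key,dh.pem}
#   /etc/openvpn/client/demo.ovpn      inline client profile (embeds a private key)
#   /var/www/html/index.txt            OpenVPN status file, served at http://10.10.10.1/
set -euo pipefail

# Public address/port that clients dial; the server itself binds 0.0.0.0.
IP=117.117.117.119
PORT=19397
# Tunnel subnet. OpenVPN takes the first address (VPN_GW) for itself.
VPN_NET=10.10.10.0
VPN_MASK=255.255.255.0
VPN_GW=10.10.10.1

EASYRSA_DIR=/etc/openvpn/easy-rsa
SERVER_DIR=/etc/openvpn/server
CLIENT_DIR=/etc/openvpn/client
STATUS_FILE=/var/www/html/index.txt

die() { printf 'deploy: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root"
# A second run would copy easy-rsa *into* the existing tree and re-init the PKI.
[[ -e $EASYRSA_DIR ]] && die "$EASYRSA_DIR already exists; refusing to re-deploy"

# EPEL mirror. Fetched over HTTPS (the mirror serves it) so the repo
# definition, including its gpgcheck setting, cannot be swapped in transit;
# -f makes curl fail instead of saving an HTML error page as the .repo file.
curl -fsSL -o /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo

yum install -y openvpn easy-rsa lrzsz httpd

# Private copy of easy-rsa; the PKI (including the CA key) lives under it.
cp -a /usr/share/easy-rsa/[0-9]*.[0-9]*.[0-9]* "$EASYRSA_DIR"
cd "$EASYRSA_DIR" || die "cannot cd to $EASYRSA_DIR"

# --batch answers easy-rsa's prompts with defaults (CA CN "Easy-RSA CA";
# export EASYRSA_REQ_CN to pick another name).
./easyrsa --batch init-pki
# CAUTION: 'nopass' leaves the CA private key unencrypted on the VPN host.
# Anyone who can read pki/private/ca.key can mint valid client certificates.
# An offline CA is safer; at minimum keep pki/private/ mode 0700.
./easyrsa --batch build-ca nopass
./easyrsa --batch build-server-full server nopass
./easyrsa gen-dh
# An (empty) CRL so the crl-verify line below has a file to read on first start.
./easyrsa gen-crl

# Key material the server loads. Modes are set explicitly rather than relying
# on what cp inherits from the source files.
mkdir -p "$SERVER_DIR"
install -m 0644 pki/ca.crt pki/dh.pem pki/issued/server.crt "$SERVER_DIR"/
install -m 0600 pki/private/server.key "$SERVER_DIR"/

# Server config. The path is fixed by the unit name: openvpn@service reads
# /etc/openvpn/service.conf. Template: /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf
cat > /etc/openvpn/service.conf <<EOF
local 0.0.0.0
port $PORT
proto udp
dev tun
ca $SERVER_DIR/ca.crt
cert $SERVER_DIR/server.crt
key $SERVER_DIR/server.key
dh $SERVER_DIR/dh.pem
server $VPN_NET $VPN_MASK
# Every client can reach every other client's tunnel address directly,
# so one compromised laptop can probe all other VPN users.
client-to-client
# Lets one profile (e.g. demo.ovpn) be used from several devices at once.
# Side effect: a stolen profile works without kicking the owner off, so the
# theft goes unnoticed. Drop this once every user has an individual cert.
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
max-clients 100
persist-key
persist-tun
# Served by httpd (see below). Lists common name, real-world address and
# tunnel address of every connected client.
status $STATUS_FILE
log-append /var/log/openvpn.log
verb 3
mute 20
explicit-exit-notify 1
# Revocations made by delete.sh (easyrsa revoke + gen-crl) land in this file.
crl-verify $EASYRSA_DIR/pki/crl.pem
# NOTE(review): the daemon runs as root here (no user/group nobody) - a
# privilege drop would need the CRL path readable by the unprivileged user.
# TODO(review): add 'tls-crypt $SERVER_DIR/ta.key' (plus a <tls-crypt> block
# in every profile) so packets without the shared key are dropped before the
# TLS handshake; not done here because existing profiles would stop working.
EOF

systemctl enable --now openvpn@service

# Client certificate for the shared demo account.
./easyrsa --batch build-client-full demo nopass

# Client profile with CA cert, client cert and client key inlined.
# Template: /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf
# The file embeds demo.key, so it is created 0600 from the start (umask in a
# subshell keeps the rest of the script unaffected); the original redirection
# left it world-readable (0644).
mkdir -p -m 700 "$CLIENT_DIR"
(
  umask 077
  {
    cat <<EOF
client
dev tun
proto udp
remote $IP $PORT
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
    printf '<ca>\n';   cat pki/ca.crt;           printf '</ca>\n'
    printf '<cert>\n'; cat pki/issued/demo.crt;  printf '</cert>\n'
    printf '<key>\n';  cat pki/private/demo.key; printf '</key>\n'
  } > "$CLIENT_DIR/demo.ovpn"
)

# httpd serves the status file at http://$VPN_GW/ .
# OpenVPN creates the file itself; only relax its mode if it is already there.
if [[ -f $STATUS_FILE ]]; then chmod 0644 "$STATUS_FILE"; fi
sed -i 's/index.html/index.txt/' /etc/httpd/conf/httpd.conf
grep -q "^ServerName $VPN_GW:80" /etc/httpd/conf/httpd.conf ||
  echo "ServerName $VPN_GW:80" >> /etc/httpd/conf/httpd.conf
# ServerName does not limit where httpd listens: it accepts connections on
# every interface, so without this the user list (names + real-world IPs of
# all VPN clients) would be readable from the public Internet. Restrict it
# to the tunnel subnet; the AuthMerging default lets this Location block
# replace the stock 'Require all granted' on /var/www/html.
cat > /etc/httpd/conf.d/openvpn-status.conf <<EOF
<Location "/">
    Require ip $VPN_NET/$VPN_MASK
</Location>
EOF
systemctl enable --now httpd

# NOTE(review): this script does not touch the firewall. If firewalld is
# active, udp/$PORT must be reachable from the Internet and tcp/80 should be
# reachable from the tun interface only.

# Hand the profile to the admin's terminal over ZMODEM (needs an rz-capable
# client such as Xshell/SecureCRT). It carries a private key: treat it as one.
sz "$CLIENT_DIR/demo.ovpn"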
2、自动创建用户的脚本：bash create.sh usera（在服务器上以 root 执行；生成的 .ovpn 内嵌用户私钥，只能 0600 保存并通过可信渠道分发）
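#!/bin/bash
#
# Issue a client certificate and build an inline .ovpn profile for one user.
#   usage: create.sh <username>
# Run as root on the VPN server after the deploy script. The profile goes to
# /etc/openvpn/client/<username>.ovpn (0600, it embeds the private key) and is
# then sent to the admin's terminal with sz (ZMODEM).
set -euo pipefail

# Public address clients dial. The port is read from the live server config
# so the profile cannot drift from what the server actually listens on: the
# original hard-coded 11947 here while the deploy script used 19397, which
# produced profiles that could never connect.
IP=117.117.117.119
SERVER_CONF=/etc/openvpn/service.conf
EASYRSA_DIR=/etc/openvpn/easy-rsa
CLIENT_DIR=/etc/openvpn/client

die() { printf 'create.sh: %s\n' "$*" >&2; exit 1; }

# The name becomes a certificate CN and a path component. Restrict it to
# [A-Za-z0-9._-] without a leading '.' or '-', so values like "../x" or "*"
# cannot escape $CLIENT_DIR / the PKI tree or be parsed as options.
valid_name() {
  case $1 in
    '' | *[!A-Za-z0-9._-]* | .* | -*) return 1 ;;
    *) return 0 ;;
  esac
}

USER=${1-}
valid_name "$USER" || die "usage: create.sh <username>   (letters, digits, . _ - only)"
[[ $EUID -eq 0 ]] || die "must run as root"

PORT=$(awk '$1 == "port" { print $2; exit }' "$SERVER_CONF")
[[ -n $PORT ]] || die "no 'port' line found in $SERVER_CONF"

cd "$EASYRSA_DIR" || die "cannot cd to $EASYRSA_DIR"
# easyrsa would fail on a duplicate anyway; the original script ignored that
# and still emitted a profile built from whatever old cert was lying around.
[[ -e pki/issued/$USER.crt ]] && die "$USER already has a certificate (revoke it with delete.sh first)"

./easyrsa --batch build-client-full "$USER" nopass

# Profile with CA cert, client cert and client key inlined. Written 0600 from
# the start (umask in a subshell); the original redirection left it 0644.
mkdir -p -m 700 "$CLIENT_DIR"
PROFILE=$CLIENT_DIR/$USER.ovpn
(
  umask 077
  {
    cat <<EOF
client
dev tun
proto udp
remote $IP $PORT
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
    printf '<ca>\n';   cat pki/ca.crt;              printf '</ca>\n'
    printf '<cert>\n'; cat "pki/issued/$USER.crt";  printf '</cert>\n'
    printf '<key>\n';  cat "pki/private/$USER.key"; printf '</key>\n'
  } > "$PROFILE"
)

# ZMODEM transfer to the admin terminal; the file carries a private key.
sz "$PROFILE"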
3、自动删除用户的脚本：bash delete.sh usera（参数必须是创建时使用的用户名；脚本吊销该用户的证书并重新生成 CRL）
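#!/bin/bash
#
# Revoke a user's client certificate and regenerate the CRL.
#   usage: delete.sh <username>
# Run as root on the VPN server. The server's 'crl-verify' line points at
# pki/crl.pem, so the new CRL is picked up without a restart (OpenVPN 2.4
# re-reads the CRL file when it changes).
set -euo pipefail

EASYRSA_DIR=/etc/openvpn/easy-rsa

die() { printf 'delete.sh: %s\n' "$*" >&2; exit 1; }

# Same alphabet create.sh accepts; rejects empty names and path tricks.
valid_name() {
  case $1 in
    '' | *[!A-Za-z0-9._-]* | .* | -*) return 1 ;;
    *) return 0 ;;
  esac
}

USER=${1-}
valid_name "$USER" || die "usage: delete.sh <username>"
[[ $EUID -eq 0 ]] || die "must run as root"

cd "$EASYRSA_DIR" || die "cannot cd to $EASYRSA_DIR"
[[ -e pki/issued/$USER.crt ]] || die "no certificate issued for '$USER'"

# --batch answers easyrsa's "type yes to confirm" prompt; the original
# stopped here waiting for input when run non-interactively.
./easyrsa --batch revoke "$USER"
./easyrsa gen-crl

# NOTE(review): a session that is already connected is presumably not cut
# until its next TLS renegotiation; if it must go immediately, kill it via
# the management interface or restart openvpn@service.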
4、补充服务端配置（追加到 /etc/openvpn/service.conf），重启服务后，客户端还能拿到之前分配的 IP 地址：
# Remember which tunnel address each common name last received and hand the
# same one back after a restart. The manual describes the entries as
# suggestions, not guarantees.
# NOTE(review): the server config above also enables 'duplicate-cn', under
# which several sessions share one CN, so the CN -> address mapping is
# ambiguous; confirm the persisted address is actually honoured in that setup.
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
5、自动把用户名以及对应的 IP 记录到 /etc/hosts 文件中，这样在 server 上访问客户端上的服务时直接用用户名即可，不用先查 IP 再访问 IP：
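#!/bin/bash
#
# Mirror the OpenVPN routing table into /etc/hosts so every connected user
# can be reached from the server by name (e.g. "ssh usera") instead of by
# tunnel IP. Intended to run from cron every minute.
#
# Input is the status file written by 'status /var/www/html/index.txt'
# (status-version 1). Its ROUTING TABLE rows look like
#   10.10.10.6,usera,203.0.113.7:51820,Mon Oct  9 10:00:00 2023
# i.e. tunnel address first, common name second.
set -euo pipefail

STATUS_FILE=/var/www/html/index.txt
HOSTS=/etc/hosts
BEGIN_MARK='# BEGIN openvpn-clients (managed by cron, do not edit)'
END_MARK='# END openvpn-clients'

# Server not started yet: leave /etc/hosts alone rather than emptying it.
[[ -r $STATUS_FILE ]] || exit 0

# Only rows whose FIRST field is a tunnel address. The original unanchored
# 'grep 10.10.10' also matched that string anywhere in a row (e.g. a real
# address 110.10.10.x). Names are filtered to the hostname alphabet because
# they are written into a file the resolver parses. With duplicate-cn a name
# may appear several times; the resolver uses the first match.
entries=$(awk -F, '$1 ~ /^10\.10\.10\.[0-9]+$/ && $2 ~ /^[A-Za-z0-9._-]+$/ { print $1, $2 }' "$STATUS_FILE")

# Build the new file next to the old one and rename it into place, so a
# process reading /etc/hosts never sees a half-written file (the original
# truncated the file and appended to it in two separate steps).
tmp=$(mktemp /etc/hosts.XXXXXX)
trap 'rm -f -- "$tmp"' EXIT
{
  # Keep everything outside the managed section. The original overwrote the
  # whole file with fixed localhost lines, wiping any hand-maintained entries.
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
    $0 == b { skip = 1; next }
    $0 == e { skip = 0; next }
    !skip' "$HOSTS"
  printf '%s\n' "$BEGIN_MARK"
  if [[ -n $entries ]]; then printf '%s\n' "$entries"; fi
  printf '%s\n' "$END_MARK"
} > "$tmp"
chmod 0644 "$tmp"
mv -f -- "$tmp" "$HOSTS"
# The renamed file carries the temp file's SELinux label; put the standard
# /etc/hosts label back where SELinux is in use.
if command -v restorecon >/dev/null 2>&1; then restorecon "$HOSTS" || true; fi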
6、给 5 中的脚本添加计划任务，每分钟执行一次（crontab -e，时间字段写 * * * * *，后面跟脚本的绝对路径）。另外，删除用户的脚本可以在吊销证书之后顺手把已发放的 .ovpn 文件也删掉：
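# Revoke the user's certificate and publish the updated CRL. The server's
# crl-verify line reads pki/crl.pem directly, so new connections from this
# user are refused without a restart.
# $USER is the name delete.sh took from $1. ${USER:?} aborts on an empty
# value: with the original unquoted $USER an empty argument still ran
# 'easyrsa revoke' and 'rm -rf ../client/.ovpn', and a value such as '*'
# would have deleted every profile in ../client.
./easyrsa --batch revoke "${USER:?usage: delete.sh <username>}"
./easyrsa gen-crl

# Remove the handed-out profile as well. 'rm -f' is enough for a single file
# (the original used -rf), and '--' keeps a name that starts with '-' from
# being parsed as an option.
rm -f -- "../client/${USER:?}.ovpn"
# NOTE(review): a session that is already connected is presumably not cut
# until its next TLS renegotiation; kill it via the management interface or
# restart openvpn@service if it has to go immediately.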
7、客户端自动重连
在客户端配置文件中添加
# Keep retrying to resolve the 'remote' hostname indefinitely instead of
# giving up, so a client started before its network is up (or during a DNS
# outage) still connects eventually.
# NOTE(review): the profiles on this page use a literal IP in 'remote', which
# needs no resolution, and the OpenVPN 2.4 manual lists 'infinite' as the
# default for this option - so this line most likely changes nothing; verify.
resolv-retry infinite
8、openvpnas
下载安装:
# Fetch the vendor's OpenVPN Access Server RPM plus the bundled client
# packages, then install both from the local files.
# NOTE(review): the "-latest" URLs are not pinned - record what was actually
# installed (rpm -q openvpn-as) so the setup is reproducible.
# NOTE(review): yum presumably applies its gpgcheck setting to local packages
# too; if it rejects these as unsigned, import the vendor's signing key
# rather than passing --nogpgcheck, otherwise the download is trusted purely
# on the TLS session that fetched it.
wget https://openvpn.net/downloads/openvpn-as-latest-CentOS7.x86_64.rpm
wget https://openvpn.net/downloads/openvpn-as-bundled-clients-latest.rpm
yum localinstall -y ./openvpn-as*.rpm
激活
OpenVPN AS:基于web管理OpenVPN服务 - 知乎 (zhihu.com)
[root@vm-24-13-centos openvpnas]# cd /usr/local/openvpn_as/lib/python/ [root@vm-24-13-centos python]# cp pyovpn-2.0-py3.6.egg{,.back} [root@vm-24-13-centos python]# ls -alh|grep pyovpn drwxr-xr-x 37 root root 4.0K Oct 8 18:08 pyovpn -rw-r--r-- 1 root root 5.8M Oct 8 18:45 pyovpn-2.0-py3.6.egg -rw-r--r-- 1 root root 5.7M Oct 8 17:28 pyovpn-2.0-py3.6.egg.back #这是备份出来的文件 -rwxr-xr-x 1 root root 19K Jun 15 22:28 pyovpnc.cpython-36m-x86_64-linux-gnu.so [root@vm-24-13-centos openvpnas]# cd /root/openvpnas [root@vm-24-13-centos openvpnas]# mkdir compile && cd $_ [root@vm-24-13-centos compile]# cp /usr/local/openvpn_as/lib/python/pyovpn-2.0-py3.6.egg . [root@vm-24-13-centos compile]# unzip -q ./pyovpn-2.0-py3.6.egg [root@vm-24-13-centos compile]# ls common EGG-INFO pyovpn pyovpn-2.0-py3.6.egg [root@vm-24-13-centos compile]# cd pyovpn/lic/ [root@vm-24-13-centos lic]# ls -a . .. conf info.pyc __init__.pyc ino.pyc lbcs.pyc lbq.pyc lic_entry.pyc licerror.pyc lichelper.pyc lickey.pyc licser.pyc licstore.pyc liman.pyc lspci.pyc prop.pyc uprop.pyc vprop.pyc [root@vm-24-13-centos lic]# mv uprop.pyc uprop2.pyc [root@vm-24-13-centos lic]# vim uprop.py [root@vm-24-13-centos lic]# cat uprop.py from pyovpn.lic import uprop2 old_figure = None def new_figure(self, licdict): ret = old_figure(self, licdict) ret['concurrent_connections'] = 6666 return ret for x in dir(uprop2): if x[:2] == '__': continue if x == 'UsageProperties': exec('old_figure = uprop2.UsageProperties.figure') exec('uprop2.UsageProperties.figure = new_figure') exec('%s = uprop2.%s' % (x, x)) [root@vm-24-13-centos lic]# python -O -m compileall uprop.py && mv __pycache__/uprop.*.pyc uprop.pyc Compiling 'uprop.py'... # 最后打包一下就结束了 [root@vm-24-13-centos lic]# cd ../../ [root@vm-24-13-centos compile]# zip -rq pyovpn-2.0-py3.6.egg ./pyovpn ./EGG-INFO ./common cp ./pyovpn-2.0-py3.6.egg /usr/local/openvpn_as/lib/python/ systemctl restart openvpnas.service
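# Install OpenVPN and its dependencies straight from the EPEL mirror without
# configuring a yum repo. Versions are pinned to what the mirror carried at
# the time of writing; if a URL returns 404, look up the current build in the
# same package directory and adjust the version in the path.
#
# Import the EPEL 7 signing key first. 'rpm -ivh' checks signatures only
# against keys already imported: with the key missing it merely prints a
# NOKEY warning and installs anyway, so the original three commands would
# have accepted a tampered download. After the import a bad signature makes
# rpm refuse the package.
rpm --import https://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-7
# pkcs11-helper is required by the openvpn package, so it goes in first.
rpm -ivh https://mirrors.aliyun.com/epel/7/x86_64/Packages/p/pkcs11-helper-1.11-3.el7.x86_64.rpm
rpm -ivh https://mirrors.aliyun.com/epel/7/x86_64/Packages/e/easy-rsa-3.0.8-1.el7.noarch.rpm
rpm -ivh https://mirrors.aliyun.com/epel/7/x86_64/Packages/o/openvpn-2.4.12-1.el7.x86_64.rpm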