A VPN, or Virtual Private Network, is a group of computers connected to a private network over a public network (the Internet). Security is everyone's main concern today, and even more so when working over a public network.
Suppose you have a group of computers at a remote location. You now need to access those computers as if they were on the LAN of your own system, and all data must be encrypted while in transit between the computers. The solution is a VPN: it connects two remotely located systems to each other as if they were on the same LAN. This tutorial will help you install and configure an OpenVPN server on Ubuntu, Debian and Linux Mint systems.
Step 1 – Prerequisites
Log in to your Ubuntu system using SSH. Now update the system's apt cache and upgrade the installed packages to their latest versions.
sudo apt-get update
sudo apt-get upgrade
Step 2 – Install OpenVPN Server
Now install the OpenVPN package by typing the command below. Also install the easy-rsa package, which manages the SSL certificates required for encrypting data between server and client.
sudo apt-get install openvpn easy-rsa
Copy OpenVPN's sample configuration file to /etc/openvpn/server.conf. This will be used as the OpenVPN server configuration file.
sudo sh -c 'gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf'
Step 3 – Configure OpenVPN Server
Edit the OpenVPN server configuration file in your favorite text editor.
vim /etc/openvpn/server.conf
Remove the leading ";" to uncomment the lines, or add new lines, so that the following entries are present in the configuration file.
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
cert server.crt
key server.key
The settings above allow VPN connections between the systems, but they do not route the clients' internet traffic through the VPN. For that, also uncomment the redirect-gateway push and the dhcp-option values.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
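The following is an added check, not part of the original tutorial, that reads a server.conf and reports which of the Step 3 hardening directives are still commented out or absent; the two sample configs it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added check: confirm a server.conf actually enables the hardening
# directives from Step 3. OpenVPN treats ";" and "#" as comment
# markers, so a line still prefixed with ";" counts as missing.
# check_server_conf FILE -> prints each missing directive, returns their count
check_server_conf() {
    missing=0
    while IFS= read -r want; do
        if ! grep -Eq "^[[:space:]]*$want([[:space:]]|\$)" "$1"; then
            echo "missing or commented out: $want"
            missing=$((missing + 1))
        fi
    done <<EOF
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
EOF
    return $missing
}

# Constructed sample files (not from the page): the stock sample config
# with the security lines still commented out, and a corrected copy.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF=$SAMPLE_DIR/weak.conf
HARD_CONF=$SAMPLE_DIR/hardened.conf
cat > "$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;tls-auth ta.key 0
cipher AES-256-CBC
;user nobody
;group nogroup
EOF
sed 's/^;//' "$WEAK_CONF" > "$HARD_CONF"
printf 'key-direction 0\nauth SHA256\n' >> "$HARD_CONF"

echo "== $WEAK_CONF"; check_server_conf "$WEAK_CONF" || echo "-> $? problem(s)"
echo "== $HARD_CONF"; check_server_conf "$HARD_CONF" && echo "-> all hardening directives present"
```

Run it against /etc/openvpn/server.conf after editing to confirm nothing was left behind a ";".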
Step 4 – Update Network Configuration
Adjust some network settings so that users can reach the network behind the OpenVPN server. First, enable IP forwarding on the server by running the commands below, which set net.ipv4.ip_forward to 1 in /etc/sysctl.conf and reload it.
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Masquerade internet traffic coming from the VPN network (10.8.0.0/24) onto the system's local network interface (eth0). Here 10.8.0.0 is my VPN network and eth0 is my system's network interface.
sudo modprobe iptable_nat
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Step 5 – Set Up the Certificate Authority
OpenVPN provides a secure VPN service by encrypting the traffic between server and client with TLS/SSL. For this to work you need to issue trusted certificates for both the server and the clients. To issue certificates you need to configure a certificate authority on your system.
Let's create a directory for the certificate authority using the make-cadir command. This command also initializes the directory with the required files.
make-cadir /etc/openvpn/openvpn-ca/
cd /etc/openvpn/openvpn-ca/
Edit the vars file in your favorite text editor.
vim vars
and update the values below as needed. These values are used as defaults when issuing certificates for the server and clients. You can also override them while creating a certificate.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="TecAdmin"
export KEY_EMAIL="info@example.com"
export KEY_OU="Security"
Load the values into the system environment.
source vars
Now use ./clean-all to remove existing keys, then run ./build-ca to build the CA certificate under the /etc/openvpn/openvpn-ca/ directory.
./clean-all
./build-ca
Sample output of the above command:
Generating a 2048 bit RSA private key
...+++
..........................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [TecAdmin]:
Organizational Unit Name (eg, section) [Security]:
Common Name (eg, your name or your server's hostname) [TecAdmin CA]:
Name [EasyRSA]:
Email Address [info@example.com]:
Your system is now ready to issue certificates as a certificate authority.
Step 6 – Generate Server Certificate Files
First create the certificates for the OpenVPN server using the ./build-key-server command followed by the keyword server. This creates the required certificate and key files under the keys directory.
cd /etc/openvpn/openvpn-ca/
./build-key-server server
Sample output of the above command:
...
...
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'TecAdmin'
organizationalUnitName:PRINTABLE:'Security'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'info@example.com'
Certificate is to be certified until Jan 2 05:33:24 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now generate a strong Diffie-Hellman key for use in the key exchange with the following command. This command may take some time to complete.
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
After that, generate an HMAC signature key to strengthen the server's TLS integrity verification.
openvpn --genkey --secret /etc/openvpn/openvpn-ca/keys/ta.key
After creating all the files, copy them to the /etc/openvpn directory.
cd /etc/openvpn/openvpn-ca/keys
sudo cp ca.crt ta.key server.crt server.key /etc/openvpn
Step 7 – Start OpenVPN Service
The OpenVPN server is now ready. Let's start the service with the systemctl commands below and also check the service status.
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server
Once the service starts successfully you will see a result like the following.
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2018-01-04 11:09:51 IST; 6s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 4403 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --
Main PID: 4404 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─4404 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: GID set to nogroup
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: UID set to nobody
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: UDPv4 link local (bound): [undef]
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: UDPv4 link remote: [undef]
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: MULTI: multi_init called, r=256 v=256
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: IFCONFIG POOL LIST
Jan 04 11:09:51 laitkor237 ovpn-server[4404]: Initialization Sequence Completed
OpenVPN creates a network interface named tun0. Run the command below to view the IP assigned to the interface. Usually it is assigned the first IP of the network defined in the server.conf file.
ifconfig tun0
Step 8 – Generate Client Configuration
Your OpenVPN server is ready to use. Now generate the client configuration files, including the private key and certificate. I have made this process easier so that you can generate as many configuration files as you like with a simple script. Follow the steps below to generate the configuration files, making sure to use the correct directory structure.
mkdir /etc/openvpn/clients
cd /etc/openvpn/clients
Create a shell script file as shown below.
vim make-vpn-client.sh
Copy the content below into it. Update the OPENVPN_SERVER variable with the correct OpenVPN server IP address and save the file.
#!/bin/bash
# Generate an OpenVPN client configuration file.
CLIENT_NAME=$1
OPENVPN_SERVER="192.168.1.237"
CA_DIR=/etc/openvpn/openvpn-ca
CLIENT_DIR=/etc/openvpn/clients

if [ -z "${CLIENT_NAME}" ]; then echo "Usage: $0 <client-name>"; exit 1; fi

cd ${CA_DIR}
source vars
./build-key ${CLIENT_NAME}

# Client directives; the cipher must match the server's (AES-256-CBC in server.conf).
echo "client
dev tun
proto udp
remote ${OPENVPN_SERVER} 1194
user nobody
group nogroup
persist-key
persist-tun
cipher AES-256-CBC
auth SHA256
key-direction 1
remote-cert-tls server
comp-lzo
verb 3" > ${CLIENT_DIR}/${CLIENT_NAME}.ovpn

# Embed the CA certificate, client certificate, client key and TLS-auth key inline.
cat <(echo -e '<ca>') \
    ${CA_DIR}/keys/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${CA_DIR}/keys/${CLIENT_NAME}.crt \
    <(echo -e '</cert>\n<key>') \
    ${CA_DIR}/keys/${CLIENT_NAME}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${CA_DIR}/keys/ta.key \
    <(echo -e '</tls-auth>') \
    >> ${CLIENT_DIR}/${CLIENT_NAME}.ovpn

echo -e "Client File Created - ${CLIENT_DIR}/${CLIENT_NAME}.ovpn"
Set execute permission on the newly created script.
chmod +x ./make-vpn-client.sh
Now use this script to generate a configuration file, including the certificate and key, for a VPN client. Pass the client name as a command-line argument.
./make-vpn-client.sh vpnclient1
Press Enter to accept the default values for the certificate. Finally it will prompt you to sign the certificate and commit; answer y to both.
Certificate is to be certified until Jan 2 07:18:10 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Client File Created - /etc/openvpn/clients/vpnclient1.ovpn
The script above creates the client configuration file under the /etc/openvpn/clients/ directory, named after the client with an .ovpn extension, as shown in the last line of the output. Use this file to connect from the remote system.
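As an added example (not part of the original script), the check below reads a generated .ovpn profile and confirms that every inline credential block is present and PEM-delimited and that the tls-auth directives are set; the two sample profiles it writes use constructed placeholder PEM bodies, not real keys.

```shell
#!/bin/sh
# Added check: verify a client .ovpn produced by make-vpn-client.sh carries
# every inline credential block the script is meant to write, each wrapped
# in a real PEM BEGIN/END pair, plus the directives that make tls-auth work.
# check_ovpn FILE -> 0 when the profile is complete, 1 otherwise
check_ovpn() {
    rc=0
    for tag in ca cert key tls-auth; do
        body=$(awk -v o="<$tag>" -v c="</$tag>" '$0==o{f=1;next} $0==c{f=0} f' "$1")
        case "$body" in
            *"-----BEGIN "*"-----END "*) ;;
            *) echo "inline <$tag> block missing or not PEM-delimited"; rc=1 ;;
        esac
    done
    grep -q '^key-direction 1$' "$1" || { echo "key-direction 1 missing (needed for <tls-auth>)"; rc=1; }
    grep -q '^remote-cert-tls server$' "$1" || { echo "remote-cert-tls server missing"; rc=1; }
    return $rc
}

# Constructed placeholders (not real credentials) shaped like the blocks
# the script emits; pem_block TAG LABEL prints one wrapped block.
pem_block() {
    printf '<%s>\n-----BEGIN %s-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END %s-----\n</%s>\n' "$1" "$2" "$2" "$1"
}
SAMPLE_DIR=$(mktemp -d)
GOOD_OVPN=$SAMPLE_DIR/good.ovpn
BAD_OVPN=$SAMPLE_DIR/bad.ovpn
{
    printf 'client\ndev tun\nremote 192.168.1.237 1194\nkey-direction 1\nremote-cert-tls server\n'
    pem_block ca CERTIFICATE; pem_block cert CERTIFICATE
    pem_block key "PRIVATE KEY"; pem_block tls-auth "OpenVPN Static key V1"
} > "$GOOD_OVPN"
# The broken copy mimics a script that forgot the tls-auth wrapper: the ta.key
# material is appended bare and key-direction is left out.
{
    printf 'client\ndev tun\nremote 192.168.1.237 1194\nremote-cert-tls server\n'
    pem_block ca CERTIFICATE; pem_block cert CERTIFICATE; pem_block key "PRIVATE KEY"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'Q09OU1RSVUNURUQ=' '-----END OpenVPN Static key V1-----'
} > "$BAD_OVPN"

for f in "$GOOD_OVPN" "$BAD_OVPN"; do
    echo "== $f"; check_ovpn "$f" && echo "-> profile complete"
done
```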
Step 9 – Connect to the VPN from a Client
You will need the configuration file generated above.
Windows Client
Download the OpenVPN GUI client software from its official download page and install it on your system. Now copy the .ovpn file to the c:\Program Files\OpenVPN\config\ directory. Launch the OpenVPN GUI client and connect. On a successful connection you will see a green icon in the bottom-right notification area. You can view the status by right-clicking the icon.
Linux Client
On a Linux client, first install the OpenVPN package. Then connect to the OpenVPN server with the client configuration file using the following command.
openvpn --config client1.ovpn
After a successful connection, OpenVPN assigns an IP address to your system. Check the assigned IP address with the following command.
ifconfig tun0
[output]
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.18 P-t-P:10.8.0.17 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)