Hand-rolling a shell script that builds an OpenVPN server automatically

We have stressed more than once that an SSL VPN provides remote secure connectivity on top of SSL (Secure Sockets Layer), and that it relies mainly on digital certificates, using digital signatures to authenticate both the SSL server and the SSL client (see the earlier post "A martial-arts manual that solves more than 90% of SSL VPN problems"). For OpenVPN, then, the certificate is just as indispensable!

We have already covered in detail how to write a script that creates Easy-RSA certificates automatically ("Hand-rolling a shell script that creates SSL certificates automatically"). Once the certificates exist, more than half of the OpenVPN configuration is already done.


Today we finish the part that remains.

What remains on the server side is to create a server.conf configuration file and an openvpn.service unit file. Since openvpn.service references server.conf, we generate server.conf first. server.conf in turn references the four files generated earlier: ca.crt, ttserver.crt, ttserver.key and dh.pem. So we first adjust where the certificates live by adding the following four commands.

```bash
# Copy the CA certificate, DH parameters, server certificate and server key
# from the Easy-RSA PKI into the directory server.conf will reference
cp /usr/share/easy-rsa/3.0.8/pki/ca.crt /etc/openvpn/server/ca.crt
cp /usr/share/easy-rsa/3.0.8/pki/dh.pem /etc/openvpn/server/dh.pem
cp /usr/share/easy-rsa/3.0.8/pki/issued/ttserver.crt /etc/openvpn/server/ttserver.crt
cp /usr/share/easy-rsa/3.0.8/pki/private/ttserver.key /etc/openvpn/server/ttserver.key
```

Next we install the OpenVPN package; the command is:

```bash
yum install -y openvpn
```

Turned into a shell function, it can look like this:

```bash
# Install OpenVPN
install_openvpn() {
  echo "正在安装openVPN..."
  yum -y install openvpn
  echo "openVPN安装完成。"
}
```

The server.conf file needs no further tuning; we simply write its contents out.

```bash
# Write /etc/openvpn/server/server.conf
configure_server_conf() {
  cat << EOF > /etc/openvpn/server/server.conf
local 0.0.0.0
proto tcp
port 44331
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/ttserver.crt
key /etc/openvpn/server/ttserver.key
dh /etc/openvpn/server/dh.pem
topology subnet
server 10.153.117.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
keepalive 20 120
persist-key
persist-tun
EOF
  # Check that the configuration file was written
  echo "server.conf配置如下:"
  cat /etc/openvpn/server/server.conf
}
```

A note on two of those directives: `duplicate-cn` lets several clients connect at the same time with the same certificate (which is what allows the single tietou.ovpn below to be shared), and `push "redirect-gateway def1 bypass-dhcp"` sends all client traffic through the tunnel, which is why forwarding and NAT are enabled when the service starts.
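Before the service is started it is worth verifying that server.conf points at files that really exist: when fragments are merged it is easy to end up with a `cert`/`key` line that names a certificate that was never copied into place, and OpenVPN then simply refuses to start. The check below is an added example, not part of the article's script; the fixture files, the temp directory and the ctyuns/ttserver mismatch it reproduces are constructed for the demo. Because Easy-RSA writes a human-readable dump above the PEM block in issued certificates, the check looks for the BEGIN header anywhere in the file rather than only on the first line, and it also flags a private key that other users can read.

```shell
#!/bin/sh
# Added example (not code from the original article): before starting the
# service, check that every file a generated server.conf points at exists,
# contains the PEM header OpenVPN expects, and that the private key is not
# readable by other users. All demo paths below are constructed; on a real
# host you would call: check_server_conf /etc/openvpn/server/server.conf

# Print the argument of a directive ("ca", "cert", "key", "dh"); first match wins,
# which is also how OpenVPN treats a repeated single-value directive.
conf_value() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Check one referenced file: it must exist and contain a line matching the
# expected PEM header (extended regex in $2). $3 is a label for messages.
check_pem_file() {
  if [ ! -f "$1" ]; then
    echo "FAIL: $3 file '$1' does not exist"
    return 1
  fi
  if ! grep -Eq "$2" "$1"; then
    echo "FAIL: $3 file '$1' has no $3 PEM header"
    return 1
  fi
  return 0
}

# Validate a server.conf; prints one line per problem and returns 1 if any.
check_server_conf() {
  conf="$1"
  rc=0
  ca=$(conf_value "$conf" ca)
  cert=$(conf_value "$conf" cert)
  key=$(conf_value "$conf" key)
  dh=$(conf_value "$conf" dh)
  check_pem_file "$ca"   '^-----BEGIN CERTIFICATE-----$' ca   || rc=1
  check_pem_file "$cert" '^-----BEGIN CERTIFICATE-----$' cert || rc=1
  check_pem_file "$key"  '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' key || rc=1
  check_pem_file "$dh"   '^-----BEGIN DH PARAMETERS-----$' dh || rc=1
  # Group and other permission bits of the key file (columns 5-10 of ls -l).
  if [ -f "$key" ]; then
    others=$(ls -l "$key" | cut -c5-10)
    if [ "$others" != "------" ]; then
      echo "FAIL: key file '$key' is readable by group or others (bits $others)"
      rc=1
    fi
  fi
  return $rc
}

# Constructed fixture: a good config and one that references a cert/key name
# that was never copied into place (ctyuns.* instead of ttserver.*).
make_demo_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/server"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedCertBody==' '-----END CERTIFICATE-----' > "$dir/server/ca.crt"
  cp "$dir/server/ca.crt" "$dir/server/ttserver.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEconstructedKeyBody==' '-----END PRIVATE KEY-----' > "$dir/server/ttserver.key"
  chmod 600 "$dir/server/ttserver.key"
  printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'MIIBconstructedDhBody==' '-----END DH PARAMETERS-----' > "$dir/server/dh.pem"
  for name in good bad; do
    crt=ttserver
    [ "$name" = bad ] && crt=ctyuns
    printf '%s\n' "port 44331" "ca $dir/server/ca.crt" "cert $dir/server/$crt.crt" \
      "key $dir/server/$crt.key" "dh $dir/server/dh.pem" > "$dir/$name.conf"
  done
  echo "$dir"
}

demo=$(make_demo_fixture)
check_server_conf "$demo/good.conf" && echo "good.conf: all referenced files look sane"
check_server_conf "$demo/bad.conf" || echo "bad.conf: problems found, do not start the service"
```

Run it once after configure_server_conf and before start_openvpn; a non-zero return means the unit would fail at `ExecStart` anyway, so it is cheaper to stop here with a readable message.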

Next is the OpenVPN systemd unit file, openvpn.service. As with server.conf, we write its contents directly.

```bash
# Write /etc/systemd/system/openvpn.service
configure_openvpn_service() {
  cat << EOF > /etc/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target

[Service]
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server/server.conf
EOF
  # Check that the unit file was written
  echo "openvpn.service配置如下:"
  cat /etc/systemd/system/openvpn.service
}
```

Then we reload systemd, start and enable the OpenVPN service, and turn on forwarding and NAT so that client traffic can leave through the server.

```bash
# Start the OpenVPN service
start_openvpn() {
  systemctl daemon-reload
  systemctl start openvpn
  systemctl enable openvpn
  systemctl restart openvpn
  echo "openVPN服务状态如下:"
  systemctl status openvpn --no-pager
  # Confirm the listener is up on the configured port
  ss -atnp | grep 44331
  ss -atnp | grep openvpn
  echo "使能本地转发功能!"
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # NAT only traffic coming from the VPN client subnet, not everything leaving the host
  iptables -t nat -A POSTROUTING -s 10.153.117.0/24 -j MASQUERADE
}
```

Note that writing to /proc/sys/net/ipv4/ip_forward and adding an iptables rule this way does not survive a reboot; on a production box the sysctl and the NAT rule should be persisted with the distribution's usual mechanisms.

At this point the server side is configured, and we would also like to generate a client configuration file. Following the earlier post ("Configuration tuning: merging the four OpenVPN configuration files into one"), we need the contents of ca.crt, ttclient.crt and ttclient.key, plus the server's IP address.

First create the tietou.ovpn configuration file and write in the fixed part.

```bash
# Create the tietou.ovpn configuration file with its fixed part
create_ovpn() {
  cat << EOF > /etc/openvpn/client/tietou.ovpn
client
dev tun
proto tcp
nobind
resolv-retry infinite
persist-key
persist-tun
EOF
}

# Look up the public IP address and write the remote line
get_ip() {
  IP=$(curl -s cip.cc | awk '/IP/{print $3}')
  echo "公网IP地址为:$IP"
  echo "remote $IP 44331" >> /etc/openvpn/client/tietou.ovpn
}

# Extract the certificate block from ca.crt and inline it as <ca>
get_cacrt() {
  CACRT=$(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' /usr/share/easy-rsa/3.0.8/pki/ca.crt)
  echo "<ca>" >> /etc/openvpn/client/tietou.ovpn
  echo "$CACRT" >> /etc/openvpn/client/tietou.ovpn
  echo "</ca>" >> /etc/openvpn/client/tietou.ovpn
}

# Extract the certificate block from ttclient.crt (skipping the text dump
# Easy-RSA writes above it) and inline it as <cert>
get_clientcrt() {
  CLIENTCRT=$(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' /usr/share/easy-rsa/3.0.8/pki/issued/ttclient.crt)
  echo "<cert>" >> /etc/openvpn/client/tietou.ovpn
  echo "$CLIENTCRT" >> /etc/openvpn/client/tietou.ovpn
  echo "</cert>" >> /etc/openvpn/client/tietou.ovpn
}

# Extract the private key block from ttclient.key and inline it as <key>
get_clientkey() {
  CLIENTKEY=$(awk '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/' /usr/share/easy-rsa/3.0.8/pki/private/ttclient.key)
  echo "<key>" >> /etc/openvpn/client/tietou.ovpn
  echo "$CLIENTKEY" >> /etc/openvpn/client/tietou.ovpn
  echo "</key>" >> /etc/openvpn/client/tietou.ovpn
}

# Show the finished tietou.ovpn
echo "tietou.ovpn配置内容如下:"
cat /etc/openvpn/client/tietou.ovpn
```
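The three extraction functions above share one awk range pattern, and the key pattern is fixed to the `BEGIN PRIVATE KEY` header that Easy-RSA 3 writes; a key in the older `BEGIN RSA PRIVATE KEY` form would silently produce an empty `<key>` block and an unusable profile. The script below is an added example rather than the article's code: it generalises the extraction to any PEM label, refuses to write an empty block, and checks the assembled profile before it is handed to a client. The PKI files, the server address 198.51.100.10 and the temp directory are constructed stand-ins for /usr/share/easy-rsa/3.0.8/pki and the address that get_ip looks up.

```shell
#!/bin/sh
# Added example (not code from the original article): a general version of the
# get_cacrt/get_clientcrt/get_clientkey steps. It extracts one PEM block from a
# file, wraps it in the inline <ca>/<cert>/<key> tags, and checks the finished
# profile. The PKI files and the server address are constructed for the demo.

# Print the first PEM block whose label matches the extended regex in $2,
# e.g. 'CERTIFICATE' or '(RSA |EC )?PRIVATE KEY' (PKCS#8 and legacy headers).
# Text before the block, such as the dump Easy-RSA writes above issued certs, is skipped.
pem_block() {
  awk -v begin="^-----BEGIN $2-----" -v end="^-----END $2-----" '
    $0 ~ begin { inblock = 1 }
    inblock    { print }
    $0 ~ end   { if (inblock) exit }
  ' "$1"
}

# Append an inline section: $1 profile, $2 tag, $3 PEM file, $4 label regex.
# Fails instead of writing an empty <tag></tag> pair.
add_inline() {
  block=$(pem_block "$3" "$4")
  if [ -z "$block" ]; then
    echo "ERROR: no $4 block found in $3" >&2
    return 1
  fi
  {
    echo "<$2>"
    printf '%s\n' "$block"
    echo "</$2>"
  } >> "$1"
}

# Build the single-file profile: $1 output, $2 server address, $3 port, $4 ca, $5 cert, $6 key.
build_profile() {
  printf '%s\n' client 'dev tun' 'proto tcp' nobind 'resolv-retry infinite' \
    persist-key persist-tun "remote $2 $3" > "$1"
  add_inline "$1" ca   "$4" 'CERTIFICATE' &&
  add_inline "$1" cert "$5" 'CERTIFICATE' &&
  add_inline "$1" key  "$6" '(RSA |EC )?PRIVATE KEY'
}

# Return 0 only if the profile has a remote line and exactly one balanced ca, cert and key block.
verify_profile() {
  grep -q '^remote ' "$1" || { echo "FAIL: no remote line in $1"; return 1; }
  for tag in ca cert key; do
    open=$(grep -c "^<$tag>\$" "$1" || true)
    close=$(grep -c "^</$tag>\$" "$1" || true)
    if [ "$open" != 1 ] || [ "$close" != 1 ]; then
      echo "FAIL: <$tag> block is missing or unbalanced in $1"
      return 1
    fi
  done
  return 0
}

# Constructed PKI directory standing in for /usr/share/easy-rsa/3.0.8/pki.
make_demo_pki() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedCaBody==' '-----END CERTIFICATE-----' > "$dir/ca.crt"
  # Easy-RSA's issued/*.crt starts with a human-readable dump before the PEM block.
  printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
    '-----BEGIN CERTIFICATE-----' 'MIIBconstructedClientBody==' '-----END CERTIFICATE-----' > "$dir/ttclient.crt"
  # Legacy PKCS#1 header: a range pattern fixed to "BEGIN PRIVATE KEY" would miss it.
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructedKeyBody==' '-----END RSA PRIVATE KEY-----' > "$dir/ttclient.key"
  chmod 600 "$dir/ttclient.key"
  echo "$dir"
}

pki=$(make_demo_pki)
build_profile "$pki/tietou.ovpn" 198.51.100.10 44331 "$pki/ca.crt" "$pki/ttclient.crt" "$pki/ttclient.key" &&
  verify_profile "$pki/tietou.ovpn" && cat "$pki/tietou.ovpn"
```

The profile embeds the client's private key, so it should be treated like the key itself: created with a restrictive mode and handed to exactly the person who will use it.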

Finally, we merge all the fragments into one script:

```bash
#!/bin/bash

# Install Easy-RSA
install_easyrsa() {
  echo "正在安装Easy-RSA..."
  yum -y install easy-rsa
  echo "Easy-RSA安装完成。"
}

# Initialise the Easy-RSA environment
init_easyrsa() {
  echo "初始化Easy-RSA环境..."
  cd /usr/share/easy-rsa/3.0.8/
  # Back up an existing vars so it is not overwritten
  if [ -f vars ]; then
    mv vars vars.backup
  fi
  cp /usr/share/doc/easy-rsa-3.0.8/vars.example vars
  echo "Easy-RSA环境初始化完成。"
}

# Append the organisation fields to the vars file
update_vars() {
  echo "更新vars文件中的机构信息字段..."
  cd /usr/share/easy-rsa/3.0.8/
  echo 'set_var EASYRSA_REQ_COUNTRY "CN"' >> vars
  echo 'set_var EASYRSA_REQ_PROVINCE "Beijing"' >> vars
  echo 'set_var EASYRSA_REQ_CITY "Haidian"' >> vars
  echo 'set_var EASYRSA_REQ_ORG "TIETOU TECH"' >> vars
  echo 'set_var EASYRSA_REQ_EMAIL "tietou@h3cadmin.cn"' >> vars
  echo 'set_var EASYRSA_REQ_OU "Tietou openVPN"' >> vars
  echo "vars文件中的机构信息字段已更新。"
}

# Generate the certificates and keys
generate_certs() {
  echo "正在生成证书和密钥..."
  cd /usr/share/easy-rsa/3.0.8/
  # Initialise the PKI directory; "yes" confirms wiping an existing pki/.
  # easyrsa 3.x reads ./vars by itself (sourcing vars manually is not supported).
  echo "yes" | ./easyrsa init-pki
  # CA, server request and signature, DH parameters, client request and signature
  # (an empty line accepts the default Common Name)
  echo | ./easyrsa build-ca nopass
  echo | ./easyrsa gen-req ttserver nopass
  echo "yes" | ./easyrsa sign-req server ttserver
  ./easyrsa gen-dh
  echo | ./easyrsa gen-req ttclient nopass
  echo "yes" | ./easyrsa sign-req client ttclient
  echo "证书和密钥生成完成。"
}

# Install OpenVPN
install_openvpn() {
  echo "正在安装openVPN..."
  yum -y install openvpn
  echo "openVPN安装完成。"
}

# Write /etc/openvpn/server/server.conf
configure_server_conf() {
  cp /usr/share/easy-rsa/3.0.8/pki/ca.crt /etc/openvpn/server/ca.crt
  cp /usr/share/easy-rsa/3.0.8/pki/dh.pem /etc/openvpn/server/dh.pem
  cp /usr/share/easy-rsa/3.0.8/pki/issued/ttserver.crt /etc/openvpn/server/ttserver.crt
  cp /usr/share/easy-rsa/3.0.8/pki/private/ttserver.key /etc/openvpn/server/ttserver.key
  # cert/key must name the files copied above (ttserver.*), otherwise OpenVPN will not start
  cat << EOF > /etc/openvpn/server/server.conf
local 0.0.0.0
proto tcp
port 44331
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/ttserver.crt
key /etc/openvpn/server/ttserver.key
dh /etc/openvpn/server/dh.pem
topology subnet
server 10.153.117.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
duplicate-cn
keepalive 20 120
persist-key
persist-tun
EOF
  # Check that the configuration file was written
  echo "server.conf配置如下:"
  cat /etc/openvpn/server/server.conf
}

# Write /etc/systemd/system/openvpn.service
configure_openvpn_service() {
  cat << EOF > /etc/systemd/system/openvpn.service
[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target

[Service]
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/server/server.conf
EOF
  # Check that the unit file was written
  echo "openvpn.service配置如下:"
  cat /etc/systemd/system/openvpn.service
}

# Start the OpenVPN service
start_openvpn() {
  systemctl daemon-reload
  systemctl start openvpn
  systemctl enable openvpn
  systemctl restart openvpn
  echo "openVPN服务状态如下:"
  systemctl status openvpn --no-pager
  ss -atnp | grep 44331
  ss -atnp | grep openvpn
  echo "使能本地转发功能!"
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # NAT only traffic coming from the VPN client subnet
  iptables -t nat -A POSTROUTING -s 10.153.117.0/24 -j MASQUERADE
}

# Create the tietou.ovpn configuration file with its fixed part
create_ovpn() {
  cat << EOF > /etc/openvpn/client/tietou.ovpn
client
dev tun
proto tcp
nobind
resolv-retry infinite
persist-key
persist-tun
EOF
}

# Look up the public IP address and write the remote line
get_ip() {
  IP=$(curl -s cip.cc | awk '/IP/{print $3}')
  echo "公网IP地址为:$IP"
  echo "remote $IP 44331" >> /etc/openvpn/client/tietou.ovpn
}

# Extract the certificate block from ca.crt and inline it as <ca>
get_cacrt() {
  CACRT=$(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' /usr/share/easy-rsa/3.0.8/pki/ca.crt)
  echo "<ca>" >> /etc/openvpn/client/tietou.ovpn
  echo "$CACRT" >> /etc/openvpn/client/tietou.ovpn
  echo "</ca>" >> /etc/openvpn/client/tietou.ovpn
}

# Extract the certificate block from ttclient.crt and inline it as <cert>
get_clientcrt() {
  CLIENTCRT=$(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' /usr/share/easy-rsa/3.0.8/pki/issued/ttclient.crt)
  echo "<cert>" >> /etc/openvpn/client/tietou.ovpn
  echo "$CLIENTCRT" >> /etc/openvpn/client/tietou.ovpn
  echo "</cert>" >> /etc/openvpn/client/tietou.ovpn
}

# Extract the private key block from ttclient.key and inline it as <key>
get_clientkey() {
  CLIENTKEY=$(awk '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/' /usr/share/easy-rsa/3.0.8/pki/private/ttclient.key)
  echo "<key>" >> /etc/openvpn/client/tietou.ovpn
  echo "$CLIENTKEY" >> /etc/openvpn/client/tietou.ovpn
  echo "</key>" >> /etc/openvpn/client/tietou.ovpn
}

# Create a timestamped SSL-cert directory and copy the artefacts into it
generate_dir() {
  current_time=$(date +"%Y%m%d%H%M")
  new_dir="/SSL-cert/${current_time}"
  mkdir -p "${new_dir}"
  cp /usr/share/easy-rsa/3.0.8/pki/ca.crt "${new_dir}/ca.crt"
  cp /usr/share/easy-rsa/3.0.8/pki/issued/ttserver.crt "${new_dir}/ttserver.crt"
  cp /usr/share/easy-rsa/3.0.8/pki/private/ttserver.key "${new_dir}/ttserver.key"
  cp /usr/share/easy-rsa/3.0.8/pki/issued/ttclient.crt "${new_dir}/ttclient.crt"
  cp /usr/share/easy-rsa/3.0.8/pki/private/ttclient.key "${new_dir}/ttclient.key"
  cp /etc/openvpn/client/tietou.ovpn "${new_dir}/tietou.ovpn"
  echo "证书和密钥已复制到目录:${new_dir}"
}

# Main: run every step in order
main() {
  install_easyrsa
  init_easyrsa
  update_vars
  generate_certs
  install_openvpn
  configure_server_conf
  configure_openvpn_service
  start_openvpn
  create_ovpn
  get_ip
  get_cacrt
  get_clientcrt
  get_clientkey
  generate_dir
}

main

# Show the finished tietou.ovpn
echo "tietou.ovpn配置内容如下:"
cat /etc/openvpn/client/tietou.ovpn
```

Besides joining the fragments, the merged script fixes three slips that would otherwise stop it from working: `main` is defined but must also be called, the `sign` step is `sign-req server ttserver`, and the `cert`/`key` lines in server.conf must name the ttserver.* files that were copied into place.

Run it and see: it finishes in under a minute.


Connecting with a client to test, the connection comes up successfully.


Disclaimer: the views in this article do not represent the position of this site. Original link: https://eyangzhen.com/385911.html
