open V P N搭建
1. 关闭 selinux# setenforce 0
setenforce: SELinux is disabled
2. 安装 epel 源
rpm -ivh
http://mirrors.sohu.com/fedora-epel/7/x86_64/e/ epel-release-7-9.noarch.rpm
3.yum 安装
yum -y install openssl openssl-devel lzo open*** easy-rsa vim
4. 配置
修改 varsls
cd /usr/share/easy-rsa/2.0/
vim vars # 修改如下
export KEY_COUNTRY="CN"
export KEY_PROVINCE="HuBei"
export KEY_CITY="WuHan"
export KEY_ORG="123"
export KEY_EMAIL="123@qq.com"
export KEY_OU="123"
生成秘钥文件
source ./vars
./clean-all
./build-ca
./build-key-server cty_***server
./build-dh
./build-key cloud
其他的一路回车,但遇到 yes or no 的时候要输入 y
复制生成的证书至 open××× 目录
cp -rf keys/ /etc/open***/
cd /etc/open***/
编辑 server.conf 文件
# vim server.conf
;local a.b.c.d
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/cty_***server.crt
key keys/cty_***server.key # This file should be kept secret
dh keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.99.0 255.255.255.0"
push "route 192.168.98.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status open***-status.log
log-append open***.log
verb 3
cipher AES-256-CBC
防火墙配置
yum install -y iptables-services
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables -F
iptables -L
开启转发
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 # 在最后新增这一行
sysctl -p
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -I INPUT -p tcp --dport 1194 -m comment --comment "open***" -j ACCEPT # 针对 tcp 端口
iptables -I INPUT -p udp --dport 1194 -m comment --comment "open***" -j ACCEPT # 针对 udp 端口
service iptables save
启动
systemctl start open***@server.service
systemctl status open***@server.service
配置用户密码认证
修改 server.con 配置文件
# tail -5 server.conf # 在在最后新增以下 5 行
script-security 3
auth-user-pass-verify /etc/open***/checkpsw.sh via-env
#client-cert-not-required
username-as-common-name
client-config-dir /etc/open***/ccd
创建认证脚本
# cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate Open××× users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/open***/psw-file"
LOG_FILE="/var/log/open***-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
# chmod u+x checkpsw.sh
创建账号文件
# cat psw-file
test 123456
# chmod 400 psw-file
# chown nobody.nobody psw-file
# systemctl restart open***@server
Windows 客户端配置文件
client
dev tun
proto udp
remote 27.18.17.241 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cloud.crt
key cloud.key
comp-lzo
verb 3
auth-user-pass cloudpw.txt
添加权限控制
账号获取指定 ip
配置文件中添加
client-config-dir /etc/open***/ccd
把每个账号的 ip 配置信息单独建一个文件
# ls ccd/
test zhangsan
echo "ifconfig-push 10.8.0.17 10.8.0.18" > ccd/zhangsan
ip 只能配套对应下表的地址集
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
添加 iptables 规则
iptables -A FORWARD -i tun0 -s 10.8.0.13/32 -d 192.168.99.101 -j ACCEPT
iptables -A FORWARD -s 10.8.0.13/32 -j DROP
iptables -A FORWARD -i tun0 -s 10.8.0.17/32 -d 192.168.98.0/24 -j ACCEPT
iptables -A FORWARD -s 10.8.0.17/32 -j DROP
service iptables save
页:
[1]