Building OpenVPN on CentOS 7

1. Environment

  Operating system: CentOS 7.4

  OpenVPN version: openvpn-2.1 (openvpn-2.1_rc7.tar.gz)

  LZO version: lzo-2.03

  

2. Build

  Stop firewalld, keep it from starting at boot, and put SELinux into permissive mode. Both are shortcuts for a lab build: on a production host keep firewalld running and open only the OpenVPN port (firewall-cmd --permanent --add-port=1195/tcp, then firewall-cmd --reload), and remember that setenforce 0 lasts only until the next reboot; to make it permanent set SELINUX=permissive in /etc/selinux/config.

systemctl stop firewalld
systemctl disable firewalld

setenforce 0

  Install the build toolchain and the libraries OpenVPN links against (openssl-devel for TLS, pam-devel for the optional PAM authentication plugin). The bridge scripts further down use ifconfig, which on a minimal CentOS 7 install comes from net-tools. Note that ntpdate* and sh* are globs: sh* matches every package whose name begins with "sh", so narrow it to the package you actually need.

yum install bridge-utils net-tools gcc gcc-c++ make openssl openssl-devel ntpdate* sh* pam pam-devel -y

  Compile and install LZO. LZO provides compression only (it is what the comp-lzo directive in server.conf uses); it does not encrypt anything. Run the three commands inside the unpacked lzo-2.03 source directory:

#./configure
#make
#make install

  Compile and install OpenVPN the same way, inside the unpacked source directory (openvpn-2.1_rc7.tar.gz is used here; the binary ends up in /usr/local/sbin/openvpn). This tarball is a 2008 pre-release that no longer receives security fixes, so treat the following as a walkthrough of the build rather than a recommendation of that version.

#./configure
#make
#make install

  Copy the easy-rsa 2.0 scripts from the source tree into /etc/openvpn/, so that the /etc/openvpn/2.0/ directory used in the following steps exists:

cp -R /root/openvpn-2.1_rc7/easy-rsa/2.0 /etc/openvpn/

  Make the scripts in that directory executable. Execute permission is all they need; there is no reason to make them writable for everyone.

#cd /etc/openvpn/2.0/
#chmod +x *

  Edit the vars file in the same directory and set the certificate fields near the end of the file. In a shell script a # starts a comment only after whitespace, so the annotations must be separated from the values. The same file sets KEY_SIZE, which defaults to 1024 in easy-rsa 2.0; raise it to 2048, because 1024-bit RSA keys and DH parameters are no longer considered adequate. build-dh names its output after this value (dh1024.pem or dh2048.pem), and the dh line in server.conf must use the matching name.

#vi vars
export KEY_SIZE=2048              # 1024 by default; size of the RSA keys and DH parameters
export KEY_COUNTRY="CN"           # country
export KEY_PROVINCE="BEIJING"     # province
export KEY_CITY="BEIJING"         # city
export KEY_ORG="gaosiedu"         # organization
export KEY_EMAIL="[email protected]"   # mail address
export KEY_OU="gaosi"             # organizational unit

  Generate the PKI. clean-all empties the keys directory, so run it once, before the first build-ca, and never on a directory holding certificates you still need. Give every certificate its own Common Name: OpenVPN identifies clients by it (ifconfig-pool-persist maps Common Names to addresses, and two clients with the same name cannot be connected at once unless duplicate-cn is set), and the CA should not share a name with the server.

#source ./vars
#./clean-all                 # empties keys/ (removes any existing certificates and keys)
#./build-ca                  # CA certificate and CA private key (Common Name: the company's full name)
#./build-key-server server   # server certificate and key; the argument is the file name (Common Name: the server's name)
#./build-key client          # one certificate and key per client; the argument names the client (a site or a person)
#./build-dh                  # Diffie-Hellman parameters for the TLS key exchange, written as dh<KEY_SIZE>.pem

  build-dh produces only the DH parameters; it is not an HMAC key, as the original text suggested. An HMAC key is a separate thing: the tls-auth directive makes the server discard TLS handshakes that do not carry a valid HMAC, and its key is generated with openvpn --genkey --secret keys/ta.key and copied to every client. The server configuration below does not use it, but it is the cheapest hardening available for a server listening on the Internet.

  Synchronize the clock. Certificate validity checks depend on it, and a server whose time is off will reject or wrongly accept certificates.

#timedatectl set-timezone Asia/Shanghai
#timedatectl set-ntp yes

  

  Create a keys directory under /etc/openvpn and copy the server's credentials into it. The server needs only ca.crt, server.crt, server.key and the DH file. The CA private key (ca.key) and the client keys do not belong on the VPN server: whoever obtains ca.key can issue certificates this server accepts, so keep it offline and generate client certificates there. The server key is read by root before the daemon drops privileges, so make it readable by root only.

mkdir /etc/openvpn/keys
cp /etc/openvpn/2.0/keys/ca.crt /etc/openvpn/2.0/keys/server.crt /etc/openvpn/2.0/keys/server.key /etc/openvpn/2.0/keys/dh*.pem /etc/openvpn/keys/
chmod 600 /etc/openvpn/keys/server.key
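  Before starting the server it is worth verifying what easy-rsa produced and what was copied. The following shell script is an added example; it is not part of this page or of easy-rsa. check_keys inspects a keys directory with the openssl command line and reports the problems that most often ship with a server built this way: a certificate that does not chain to the CA, a key that does not match the certificate, 1024-bit keys from the easy-rsa 2.0 default, the CA private key left on the server, and a server key readable by other users. make_test_pki builds a throwaway CA and server certificate with openssl alone so the check can be exercised offline; its subjects, file names and the demo directories are constructed for the example.

```shell
#!/bin/sh
# check_keys DIR: report problems with an OpenVPN server's key directory.
# Prints one line per problem and returns the number found (0 = clean).
check_keys() {
    d="$1"; n=0
    for f in ca.crt server.crt server.key; do
        [ -f "$d/$f" ] || { echo "missing $d/$f"; n=$((n+1)); }
    done
    [ "$n" -eq 0 ] || return "$n"

    # 1. server.crt must chain to the CA certificate that clients are given
    if ! openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1; then
        echo "server.crt is not signed by ca.crt"; n=$((n+1))
    fi

    # 2. server.key must belong to server.crt: compare the RSA moduli
    cm=$(openssl x509 -noout -modulus -in "$d/server.crt" 2>/dev/null)
    km=$(openssl rsa  -noout -modulus -in "$d/server.key" 2>/dev/null)
    if [ -z "$cm" ] || [ "$cm" != "$km" ]; then
        echo "server.key does not match server.crt"; n=$((n+1))
    fi

    # 3. easy-rsa 2.0 builds 1024-bit keys unless KEY_SIZE is raised; require 2048
    bits=$(openssl rsa -noout -text -in "$d/server.key" 2>/dev/null \
           | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "server.key is ${bits:-unknown} bits; rebuild with KEY_SIZE=2048"; n=$((n+1))
    fi

    # 4. the CA private key issues certificates this server trusts; keep it off the VPN host
    if [ -e "$d/ca.key" ]; then
        echo "ca.key is present; keep the CA private key off the server"; n=$((n+1))
    fi

    # 5. the server key must be readable by root only (openvpn reads it before dropping to nobody)
    mode=$(stat -c %a "$d/server.key" 2>/dev/null || stat -f %Lp "$d/server.key")
    case "$mode" in
        600|400) ;;
        *) echo "server.key has mode $mode; chmod 600 it"; n=$((n+1)) ;;
    esac
    return "$n"
}

# make_test_pki DIR BITS: constructed throwaway PKI (openssl only, no easy-rsa):
# a self-signed CA plus a server certificate it signs, both with BITS-bit RSA keys.
make_test_pki() {
    d="$1"; bits="$2"
    mkdir -p "$d"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey "rsa:$bits" -nodes -subj "/CN=test-server" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/server.crt" >/dev/null 2>&1
    rm -f "$d/server.csr" "$d/ca.srl"
    chmod 600 "$d/server.key"
}

# demo: a 2048-bit PKI with ca.key removed passes; the same layout with
# 1024-bit keys and ca.key left behind does not.
demo() {
    t=$(mktemp -d)
    make_test_pki "$t/good" 2048; rm -f "$t/good/ca.key"
    make_test_pki "$t/weak" 1024
    for d in "$t/good" "$t/weak"; do
        echo "== $d"
        check_keys "$d" || echo "   $? problem(s)"
    done
    rm -rf "$t"
}
case "${1:-}" in demo) demo ;; esac
```

  Run it as sh check_keys.sh demo to see both outcomes, or source it and call check_keys /etc/openvpn/keys on the real directory after the copy step above. The modulus comparison is the check that catches the most common mistake, a server.crt and server.key from two different build-key-server runs.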

  Copy the sample server.conf (sample-config-files/server.conf in the unpacked source tree) to /etc/openvpn/ and edit it there:

cp  /root/server.conf /etc/openvpn/

  Modify the configuration file

#vi /etc/openvpn/server.conf

  Lines to set, with what each one does (everything after # is a comment and may stay in the file):

port 1195                          # OpenVPN's default port is 1194; any free port works, but clients must use the same one
proto tcp                          # TCP transport (UDP is the usual choice; TCP passes more firewalls but adds latency)
dev tap0                           # layer-2 (tap) mode, required for bridging; tun is the layer-3 routed alternative
ca /etc/openvpn/keys/ca.crt        # CA certificate that client certificates are verified against
cert /etc/openvpn/keys/server.crt  # server certificate
key /etc/openvpn/keys/server.key   # server private key: keep this file secret (readable by root only)
dh /etc/openvpn/keys/dh1024.pem    # DH parameters from build-dh; the file name follows KEY_SIZE in vars (dh2048.pem with KEY_SIZE=2048, which is the size to use)
#ifconfig 192.168.0.200 255.255.255.0   # not used in bridge mode: the tap device is attached to br0 without an address of its own, and br0 carries the host's LAN address
ifconfig-pool-persist /etc/openvpn/ipp.txt   # remembers which client (by certificate Common Name) received which address across restarts

# server-bridge <gateway> <netmask> <pool start> <pool end>: the gateway is pushed to clients as their route-gateway and is
# normally the server's own bridge address (the address bridge-start assigns to br0); the pool is a range of free addresses
# on that same LAN handed out to clients, and it must not overlap the LAN's DHCP range.
server-bridge 192.168.32.100 255.255.255.0 192.168.32.200 192.168.32.205
push "route 192.168.0.0 255.255.255.0"   # route pushed to clients; bridged clients already sit on the LAN, so this is for other networks reachable through the server
push "dhcp-option DNS 202.106.0.20"      # DNS server pushed to clients (Windows clients apply it directly; Linux clients need an up script)
client-to-client                   # lets VPN clients reach each other; omit it if clients only need the LAN
keepalive 10 120                   # ping every 10 s, restart the connection after 120 s without a reply
comp-lzo                           # LZO compression of the tunnel; compressing encrypted traffic exposes it to compression-oracle attacks, so leave it off unless you need it
max-clients 3                      # maximum number of concurrent clients
user nobody                        # drop to this user after initialisation
group nobody                       # and to this group
persist-key                        # keep keys in memory across restarts, since the unprivileged process can no longer read them
persist-tun                        # keep the tap device open across restarts
status /etc/openvpn/openvpn-status.log   # list of connected clients, rewritten periodically (openvpn creates the file)
log-append /etc/openvpn/openvpn.log      # log file (openvpn creates it); log truncates on every start, log-append appends, so use one or the other, not both
verb 3                             # verbosity; 5 and above log per-packet detail and are for debugging only

  Start the server by hand to test the configuration (the binary is in /usr/local/sbin; --dev-type tap is two words, and the word after --daemon is the program name used in syslog):

/usr/local/sbin/openvpn --daemon openvpn --config /etc/openvpn/server.conf --dev-type tap
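  The settings above are easy to get subtly wrong, and the mistakes are visible in the file itself. The following shell script is an added example, not part of this page or of OpenVPN: lint_server_conf reads a server.conf and reports the settings discussed above that weaken or confuse the server (DH parameters below 2048 bits, verb above 3, log together with log-append, ifconfig alongside server-bridge, missing user/group, no tls-auth, compression of the tunnel). The two sample configurations it ships with are constructed for the example: weak_conf is this page's server with those settings left in, hardened_conf the same server with them resolved; the paths and the tls-auth key name in them are assumptions.

```shell
#!/bin/sh
# lint_server_conf FILE: print one line per weak or inconsistent setting in an
# OpenVPN 2.x server config and return the number of findings (0 = clean).
# Comment lines and trailing comments (# or ;) are ignored.
lint_server_conf() {
    body=$(sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1")
    n=0
    # has DIRECTIVE: true if the directive appears as the first word of a line
    has() { printf '%s\n' "$body" | grep -Eq "^[[:space:]]*$1([[:space:]]|$)"; }
    # arg DIRECTIVE: first argument of the directive's first occurrence
    arg() { printf '%s\n' "$body" | awk -v d="$1" '$1 == d { print $2; exit }'; }

    case "$(arg dh)" in
        *dh512*|*dh1024*) echo "dh: $(arg dh) is below 2048 bits; rebuild with KEY_SIZE=2048"; n=$((n+1)) ;;
    esac
    v=$(arg verb)
    if [ -n "$v" ] && [ "$v" -gt 3 ]; then
        echo "verb $v: per-packet logging; use verb 3 outside debugging"; n=$((n+1))
    fi
    if has log && has log-append; then
        echo "log and log-append both set; keep one (log-append preserves earlier runs)"; n=$((n+1))
    fi
    if has server-bridge && has ifconfig; then
        echo "ifconfig with server-bridge: the bridged tap device takes no address of its own"; n=$((n+1))
    fi
    if ! has user || ! has group; then
        echo "no user/group: the daemon keeps root privileges after initialisation"; n=$((n+1))
    fi
    if ! has tls-auth; then
        echo "no tls-auth: anyone who can reach the port can start a TLS handshake"; n=$((n+1))
    fi
    if has comp-lzo; then
        echo "comp-lzo: compressing encrypted traffic exposes it to compression-oracle attacks"; n=$((n+1))
    fi
    return "$n"
}

# Constructed sample: this page's server with the weak settings left in
weak_conf() {
cat <<'EOF'
port 1195
proto tcp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig 192.168.0.200 255.255.255.0
server-bridge 192.168.32.100 255.255.255.0 192.168.32.200 192.168.32.205
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
verb 5
EOF
}

# Constructed sample: the same server with every finding resolved
hardened_conf() {
cat <<'EOF'
port 1195
proto tcp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0
server-bridge 192.168.32.100 255.255.255.0 192.168.32.200 192.168.32.205
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
log-append /etc/openvpn/openvpn.log
verb 3
EOF
}

# demo: lint both samples and show the finding count of each
demo() {
    t=$(mktemp -d); weak_conf > "$t/weak.conf"; hardened_conf > "$t/hardened.conf"
    for f in "$t/weak.conf" "$t/hardened.conf"; do
        echo "== $f"; lint_server_conf "$f" || echo "   $? finding(s)"
    done
    rm -rf "$t"
}
case "${1:-}" in demo) demo ;; esac
```

  Run sh lint.sh demo to see six findings for the first sample and none for the second, or source the file and call lint_server_conf /etc/openvpn/server.conf. Directives are matched as whole words at the start of a line, so log does not match log-append and ifconfig does not match ifconfig-pool-persist.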

  

  Three scripts go into /etc/init.d/ with mode 755: bridge-start, bridge-stop and an openvpn init script. Each carries the interface name, addresses and binary path of this host, so correct those before use.

  The bridge must exist before OpenVPN opens tap0, so bring things up in this order: tear down any leftover bridge, build the bridge, then start the daemon.

/etc/init.d/bridge-stop

/etc/init.d/bridge-start

/etc/init.d/openvpn start

  The three files follow; each is placed under /etc/init.d/ with mode 755.

/etc/init.d/bridge-start (adapted from sample-scripts/bridge-start in the OpenVPN source):

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils (brctl) and net-tools (ifconfig)
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above. Its address moves to the
# bridge, so these are the host's real LAN settings;
# eth_ip is the address clients see as the server and
# is normally the gateway given to server-bridge.
eth="ens33"
eth_ip="172.16.5.238"
eth_netmask="255.255.255.0"
eth_broadcast="172.16.5.255"   # broadcast address of the subnet (x.255 for a /24), not the gateway

# Create the persistent TAP device(s) openvpn will attach to
for t in $tap; do
    /usr/local/sbin/openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

# Bridge members carry no address of their own
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

# The bridge takes over the LAN address. Clearing $eth also drops the
# default route; add it back through $br if the host must reach other networks.
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

 

/etc/init.d/bridge-stop:

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

# Take the bridge down and delete it, then remove the TAP device(s)
ifconfig $br down
brctl delbr $br

for t in $tap; do
    /usr/local/sbin/openvpn --rmtun --dev $t
done

 

/etc/init.d/openvpn (the sample init script from the OpenVPN source; the original page rendered every fi as "be"):

#!/bin/bash
#
# openvpn: start and stop the OpenVPN daemon(s) configured in /etc/openvpn

# Find the binary: the build above installs it under /usr/local/sbin
openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn"
for location in $openvpn_locations
do
  if [ -f "$location" ]
  then
    openvpn=$location
  fi
done

# Lockfile
lock="/var/lock/subsys/openvpn"

# PID directory
piddir="/var/run/openvpn"

# Our working directory
work=/etc/openvpn

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
  echo "Networking is down"
  exit 0
fi

# Check that binary exists
if ! [ -f "$openvpn" ]
then
  echo "openvpn binary not found"
  exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n $"Starting openvpn: "

        /sbin/modprobe tun >/dev/null 2>&1

        # From a security perspective, I think it makes
        # sense to remove this, and have users who need
        # it explicitly enable in their --up scripts or
        # firewall setups.

        #echo 1 > /proc/sys/net/ipv4/ip_forward

        mkdir -p $piddir
        cd $work

        # Start one daemon per .conf file in $work (here: server.conf),
        # recording its pid so that stop can find it
        errors=0
        for c in *.conf; do
            [ -f "$c" ] || continue
            bn=${c%%.conf}
            rm -f $piddir/$bn.pid
            $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work || errors=1
        done

        if [ $errors = 1 ]; then
            failure; echo
        else
            success; echo
            touch $lock
        fi
        ;;
  stop)
        echo -n $"Shutting down openvpn: "
        for pidf in $piddir/*.pid; do
            [ -s "$pidf" ] && kill `cat $pidf` >/dev/null 2>&1
            rm -f "$pidf"
        done
        success; echo
        rm -f $lock
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        ;;
  *)
        echo "Usage: openvpn {start|stop|restart}"
        exit 1
        ;;
esac
exit 0

 
