openvpn 安装 (Alibaba Cloud Linux release 3 (Soaring Falcon))

dubhe_zhao

于 2024-07-19 16:40:00 发布

阅读量666

点赞数 20

文章标签： centos 运维 linux

本文链接：https://blog.csdn.net/dubhe_zhao/article/details/140486529

版权

一、安装

yum install openvpn

# 配置证书软件
yum install easy-rsa

二、配置

# 找个地方生成证书文件
mkdir /opt/easy-rsa
cd /opt/easy-rsa/

cp -a /usr/share/easy-rsa/3.0.8/* .

# 如有需要可以修改
cp /usr/share/doc/easy-rsa/vars.example vars

# 初始化,在当前目录创建pki目录
./easyrsa init-pki

# 创建根目录，会提示设置密码（下面会用到），用于ca对之后生成的server和client证书签名时使用
./easyrsa build-ca

# 创建server端证书和私钥，nopass表示不加密私钥文件
./easyrsa gen-req server nopass

# server端证书签名，提示需要输入yes和创建ca根证书时候的密码
./easyrsa sign server server

# 创建Diffie-Hellman文件， 密钥交换时的Diffie-Hellman算法
./easyrsa gen-dh

# 创建client端证书和私钥文件，nopass表示不加密私钥文件
./easyrsa gen-req client nopass 

# client端证书签名，提示需要输入yes和创建ca根证书时候的密码
./easyrsa sign client client

# 生成ta.key
cd /etc/openvpn/server/
openvpn --genkey --secret ta.key

1.服务端：

示例配置文件位置

/usr/share/doc/openvpn/sample/sample-config-files

复制配置文件到etc目录

cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/server.conf

配置文件修改

# 端口默认 1194

port 1194

# ca证书配置上面生成的完整路径

ca /opt/easy-rsa/pki/ca.crt

# 服务端公钥位置

cert /opt/easy-rsa/pki/issued/server.crt

# 服务端私钥位置
key /opt/easy-rsa/pki/private/server.key # This file should be kept secret

# 证书校验算法配置上面生成的完整路径

dh /opt/easy-rsa/pki/dh.pem

# ta.key在/etc/openvpn/server/目录下可以如下配置，否则需要写完整路径

tls-auth ta.key 0 # This file is secret

# 日志文件

log /var/log/openvpn.log

# 代理所有网络

push "redirect-gateway def1 bypass-dhcp"

# DNS解析服务器

push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"

# 配置账号密码登录客户端需要ca证书（可选）

script-security 3
auth-user-pass-verify /etc/openvpn/server/auth_check.sh via-env
username-as-common-name

# 不验证客户端证书
# verify-client-cert none

# auth_check.sh (据说openvpn官网提供，可根据实际情况修改)
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman 
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/server/password"
LOG_FILE="/etc/openvpn/server/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then 
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then 
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\",     password=\"${password}\"." >> ${LOG_FILE}
exit 1

2.客户端：

示例配置文件位置

/usr/share/doc/openvpn/sample/sample-config-files

客户端示例配置文件 clent.conf （下面是linux端配置修改位置）

cp /usr/share/doc/openvpn/sample/sample-config-files/clent.conf /etc/openvpn/client/client.conf


# 下面三个证书需去服务器下载，在上面 pki 目录里面 
ca ca.crt
cert client.crt
key client.key
# 需服务器下载，ta.key位置/etc/openvpn/server/ 
tls-auth ta.key 1

# 开启账号密码登录，服务端需要配置验证脚本及开启验证
auth-user-pass

三、启动

服务端：

systemctl start openvpn-server@server

离线安装

一、下载

项目地址：https://github.com/OpenVPN/openvpn

本次安装版本openvpn-2.6.11.tar.gz

二、安装

tar -zxf openvpn-2.6.11.tar.gz 
cd openvpn-2.6.11/
./configure 
make
make install

三、配置

配置如上

四、启动

服务端：

/usr/local/sbin/openvpn --cd /etc/openvpn/server/ --daemon --config server.conf

备注：

1.错误：configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed? Must be version 3.4.0 or newer for DCO

解决：

yum install libnl3-devel

2.错误：configure: error: libcap-ng package not found. Is the development package and pkg-config (/usr/bin/pkg-config) installed?

解决：

yum install libcap-ng-devel

3.错误：checking additionally if OpenSSL is available and version >= 1.0.2... configure: error: OpenSSL version too old

解决：

yum install openssl-devel

4.错误：configure: error: No compatible LZ4 compression library found. Consider --disable-lz4

解决：

yum install lz4-devel lz4

5.错误：configure: error: lzo enabled but missing

解决：

yum install lzo-devel lzo

6.错误：configure: error: libpam required but missing

解决：

yum install pam-devel

7.错误：configure: error: no acceptable C compiler found in $PATH

yum install gcc

更换yum源

先备份CentOS-Base.repo, 然后下载aliyun的

mv CentOS-Base.repo CentOS-Base.repo.backup

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

yum clean all

yum makecache

安装EPEL仓库

yum install epel-release

dubhe_zhao

关注

20
点赞
踩
24

收藏

觉得还不错? 一键收藏
0
评论
openvpn 安装 (Alibaba Cloud Linux release 3 (Soaring Falcon))

1.错误：configure: error: libnl-genl-3.0 package not found or too old. Is the development package and pkg-config (/usr/bin/pkg-config) installed?# ta.key在/etc/openvpn/server/目录下可以如下配置，否则需要写完整路径。# 配置账号密码登录客户端需要ca证书（可选）# 证书校验算法配置上面生成的完整路径。# ca证书配置上面生成的完整路径。
复制链接

扫一扫