个人VPN青睐排行:
OpenConnect VPN Server(OCServ)
WireGuard
OpenVPN
OpenVPN社区版实践笔记https://openvpn.net/community/
高可用的思考:
保证多个实例证书相同(easy-rsa工具生成证书拷贝到多个实例)
1、在客户端配置多个remote,且随机选择remote-random
2、HAProxy负载均衡代理
安装
1
2
3
4
5
|
yum install openvpn easy-rsa iptables-services
|
证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
| mkdir /etc/openvpn/server/easy-rsa
cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/server/easy-rsa/
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/server/easy-rsa/vars
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "Chongqing"
set_var EASYRSA_REQ_CITY "Chongqing"
set_var EASYRSA_REQ_ORG "Boer Inc."
set_var EASYRSA_REQ_EMAIL "boer0924@gmail.com"
set_var EASYRSA_REQ_OU "boer"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 36500
set_var EASYRSA_CERT_EXPIRE 36500
source ./vars
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass
./easyrsa build-client-full client nopass
mkdir /etc/openvpn/server/certs/
cp -r ca.crt dh.pem issued/*.crt private/*.key /etc/openvpn/server/certs/
cd /etc/openvpn/server
openvpn --genkey --secret ta.key
cp ta.key /etc/openvpn/server/certs/
|
服务端
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
| ### /etc/openvpn/server
### touch server.conf
local 10.10.253.16
port 1194
; proto udp
proto tcp
; 使用三层路由IP隧道(tun)还是二层以太网隧道(tap)。一般都使用tun
dev tun
persist-key
persist-tun
ca certs/ca.crt
cert certs/server.crt
key certs/server.key
dh certs/dh.pem
tls-auth certs/ta.key 0
duplicate-cn
cipher AES-256-CBC
; comp-lzo
compress lz4-v2
push "compress lz4-v2"
ifconfig-pool-persist ipp.txt
server 172.30.1.0 255.255.255.0
; push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
; vpn服务端向客户端推送vpn服务端内网网段的路由配置,以便让客户端能够找到服务端内网。多条路由就写多个Push指令
client-config-dir ccd
push "route 10.0.0.0 255.255.0.0"
push "route 10.96.0.0 255.240.0.0"
max-clients 100
; 让vpn客户端之间可以互相看见对方,即能互相通信。默认情况客户端只能看到服务端一个人,默认是注释的,不能客户端之间相互看见
client-to-client
; user openvpn
; group openvpn
keepalive 10 120
status openvpn-status.log
log openvpn.log
verb 3
; explicit-exit-notify 1
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf # openvpn-auth-ldap
client-cert-not-required # ldap auth
|
LDAP配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| <LDAP>
URL ldap://10.10.253.16:10389
BindDN cn=admin,dc=boer,dc=xyz
Password <your_password>
Timeout 15
TLSEnable no
FollowReferrals no
</LDAP>
<Authorization>
BaseDN "ou=users,dc=boer,dc=xyz"
SearchFilter "uid=%u"
RequireGroup false # 2.0.3bug
<Group>
BaseDN "ou=groups,dc=boer,dc=xyz"
SearchFilter "(|(cn=developers)(cn=devops))"
MemberAttribute memberUid
</Group>
</Authorization>
|
启动服务systemctl start openvpn-server@server.service
客户端
1、下载服务端证书到本地
- ca.crt
- ta.key
- client.crt [可选]
- client.key [可选]
2、配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| ### Windows client.ovpn
client
;dev tap
dev tun
proto tcp
;proto udp
remote 10.10.253.16 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
; cert client.crt
; key client.key
auth-user-pass # ldap auth
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
|
他山之石