[toc]
One-click OpenVPN installation on CentOS 7
Requirements and use case
Some company resources, such as GitLab and Jenkins, should not be reachable from the public internet. The goal is that these resources only accept connections from the company's public IP and from a few specific IPs, which is where a VPN comes in. Paying for a commercial VPN is not an option, so a free and reliable one is needed. OpenVPN is free, open source and works well; once OpenVPN is configured and combined with the cloud host's security group, the problem is solved.
Notes
| System | OpenVPN version | Internal IP | Client subnet assigned by OpenVPN |
|---|---|---|---|
| CentOS 7.9 | 2.4.11 | 10.206.0.9 | 10.8.0.0 |
1. Install OpenVPN
1.1 Clone the project
```sh
git clone https://github.com/Nyr/openvpn-install.git
```
1.2 Run the install script
```sh
cd openvpn-install && sh openvpn-install.sh
```
Running the script again after the installation has completed prints the following menu:
```
OpenVPN is already installed.
Select an option:
# Add a new client
1) Add a new client
# Revoke an existing client
2) Revoke an existing client
# Remove OpenVPN
3) Remove OpenVPN
# Exit
4) Exit
Option:
```
Step 1: enter the host's private IP address
```
Welcome to this OpenVPN road warrior installer!
Which IPv4 address should be used?
1) 10.9.95.147
2) 172.17.0.1
3) 172.20.0.1
IPv4 address [1]: 1
```
Step 2: enter the host's public IP
```
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [8.8.8.8]: 8.8.8.8
```
Step 3: choose the protocol OpenVPN should use; UDP is recommended
```
Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]: 1
```
Step 4: enter the port OpenVPN should listen on
```
What port should OpenVPN listen to?
Port [1194]:
```
Step 5: choose a DNS server for the clients
```
Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 1
```
Step 6: enter a name for the first client
```
Enter a name for the first client:
Name [client]:
```
Step 7: press any key to start the installation
```
OpenVPN installation is ready to begin.
Press any key to continue...
```
Full output
```
OpenVPN installation is ready to begin.
Press any key to continue...
Loaded plugins: fastestmirror
Determining fastest mirrors
10gen | 1.2 kB 00:00:00
base | 3.6 kB 00:00:00
centosplus | 2.9 kB 00:00:00
docker-ce-stable | 3.5 kB 00:00:00
epel | 4.7 kB 00:00:00
extras | 2.9 kB 00:00:00
nginx-stable | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
zabbix | 2.9 kB 00:00:00
zabbix-non-supported | 951 B 00:00:00
(1/7): 10gen/primary | 32 kB 00:00:00
(2/7): extras/7/x86_64/primary_db | 222 kB 00:00:00
(3/7): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(4/7): centosplus/7/x86_64/primary_db | 1.6 MB 00:00:01
(5/7): base/7/x86_64/primary_db | 6.1 MB 00:00:01
(6/7): updates/7/x86_64/primary_db | 3.7 MB 00:00:01
(7/7): epel/x86_64/primary_db | 6.9 MB 00:00:01
10gen 279/279
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-13 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================
Installing:
epel-release noarch 7-13 epel 15 k
Transaction Summary
========================================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 25 k
Downloading packages:
epel-release-7-13.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-13.noarch 1/1
warning: /etc/yum.repos.d/epel.repo created as /etc/yum.repos.d/epel.repo.rpmnew
Verifying : epel-release-7-13.noarch 1/1
Installed:
epel-release.noarch 0:7-13
Complete!
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Package 1:openssl-1.0.2k-19.el7.x86_64 already installed and latest version
Package 2:tar-1.26-35.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2019.2.32-76.el7_7 will be updated
---> Package ca-certificates.noarch 0:2020.2.41-70.0.el7_8 will be an update
---> Package openvpn.x86_64 0:2.4.9-1.el7 will be installed
--> Processing Dependency: libpkcs11-helper.so.1()(64bit) for package: openvpn-2.4.9-1.el7.x86_64
--> Running transaction check
---> Package pkcs11-helper.x86_64 0:1.11-3.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================================
Installing:
openvpn x86_64 2.4.9-1.el7 epel 524 k
Updating:
ca-certificates noarch 2020.2.41-70.0.el7_8 base 382 k
Installing for dependencies:
pkcs11-helper x86_64 1.11-3.el7 epel 56 k
Transaction Summary
========================================================================================================================================================
Install 1 Package (+1 Dependent package)
Upgrade 1 Package
Total download size: 962 k
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): ca-certificates-2020.2.41-70.0.el7_8.noarch.rpm | 382 kB 00:00:00
(2/3): pkcs11-helper-1.11-3.el7.x86_64.rpm | 56 kB 00:00:00
(3/3): openvpn-2.4.9-1.el7.x86_64.rpm | 524 kB 00:00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total 3.4 MB/s | 962 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : pkcs11-helper-1.11-3.el7.x86_64 1/4
Installing : openvpn-2.4.9-1.el7.x86_64 2/4
Updating : ca-certificates-2020.2.41-70.0.el7_8.noarch 3/4
Cleanup : ca-certificates-2019.2.32-76.el7_7.noarch 4/4
Verifying : ca-certificates-2020.2.41-70.0.el7_8.noarch 1/4
Verifying : openvpn-2.4.9-1.el7.x86_64 2/4
Verifying : pkcs11-helper-1.11-3.el7.x86_64 3/4
Verifying : ca-certificates-2019.2.32-76.el7_7.noarch 4/4
Installed:
openvpn.x86_64 0:2.4.9-1.el7
Dependency Installed:
pkcs11-helper.x86_64 0:1.11-3.el7
Updated:
ca-certificates.noarch 0:2020.2.41-70.0.el7_8
Complete!
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/server/easy-rsa/pki
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
....+++
...................................+++
e is 65537 (0x10001)
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.................................................................+++
....+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-2726385.U7ScUb/tmp.FTK8rI'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-2726385.U7ScUb/tmp.9FN60w
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Nov 28 02:24:33 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.....+++
........................................................................................+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-2726473.aJtBJi/tmp.bmyQVL'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-2726473.aJtBJi/tmp.zwz1tQ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'pptfz'
Certificate is to be certified until Nov 28 02:24:34 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-2726540.Fvyapy/tmp.eJmfVQ
An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service to /etc/systemd/system/openvpn-iptables.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service to /usr/lib/systemd/system/openvpn-server@.service.
Finished!
The client configuration is available in: /root/pptfz.ovpn
New clients can be added by running this script again.
```
:::tip Note
The client file is /root/pptfz.ovpn, as reported at the end of the output. The file name is user-defined (it is the client name entered during installation). Download this file to your local machine; it is needed later when configuring VPN authentication on the client.
:::
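Before handing the generated profile to a user, it is worth checking that it points at the endpoint chosen in the dialog above and still carries the directives that protect the handshake. The POSIX shell checker below is an added example, not part of this post or of the Nyr installer; it runs against a constructed sample profile whose contents are assumed, with the 8.8.8.8 endpoint, port 1194 and UDP taken from the steps above and the certificate bodies replaced by placeholders.

```shell
#!/bin/sh
# Added example, not part of the openvpn-install project: sanity-check a client
# profile before handing it out. It confirms the profile points at the endpoint,
# port and protocol chosen in the install dialog, keeps the directives that
# protect the TLS handshake, and is not readable by other local users.

# Constructed sample, shaped like the inline-cert .ovpn the installer writes;
# certificate and key bodies are replaced by placeholders.
PROFILE=/tmp/sample-client.ovpn
cat > "$PROFILE" <<'EOF'
client
dev tun
proto udp
remote 8.8.8.8 1194
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
<ca>
PLACEHOLDER-CA-CERTIFICATE
</ca>
<key>
PLACEHOLDER-CLIENT-PRIVATE-KEY
</key>
<tls-crypt>
PLACEHOLDER-TLS-CRYPT-KEY
</tls-crypt>
EOF
chmod 600 "$PROFILE"

# has_directive FILE DIRECTIVE: true when a line starts with DIRECTIVE (a regex).
has_directive() { grep -Eq "^$2"'([[:space:]]|$)' "$1"; }

# check_ovpn FILE HOST PORT PROTO: returns 0 when every check passes.
check_ovpn() {
  f=$1; rc=0
  has_directive "$f" "remote $2 $3" || { echo "FAIL: remote is not $2 $3"; rc=1; }
  has_directive "$f" "proto $4" || { echo "FAIL: proto is not $4"; rc=1; }
  # Without this the client accepts any CA-signed cert, including another client's.
  has_directive "$f" "remote-cert-tls server" || { echo "FAIL: missing remote-cert-tls server"; rc=1; }
  # tls-crypt/tls-auth drop unauthenticated control packets before TLS sees them.
  grep -Eq '^<(tls-crypt|tls-auth)>' "$f" || { echo "FAIL: no tls-crypt/tls-auth key"; rc=1; }
  # 64-bit block ciphers (SWEET32) should not appear in a fresh profile.
  ! grep -Eq '^cipher (BF|DES|DES-EDE3|CAST5|RC2)-' "$f" || { echo "FAIL: weak cipher"; rc=1; }
  # The profile embeds the private key; other local users must not be able to read it.
  [ -z "$(find "$f" -perm -004)" ] || { echo "FAIL: $f is world-readable"; rc=1; }
  return $rc
}

check_ovpn "$PROFILE" 8.8.8.8 1194 udp && echo "PASS: $PROFILE"
```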