CentOS Openvpn2.0部署
1.環境優化
1.1檢視系統版本
[[email protected] ~]# uname -r
2.6.32-696.el6.x86_64
[[email protected] ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
1.2環境優化指令碼
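#!/bin/bash
# CentOS 6 system-optimization script (run as root before installing OpenVPN).
# The original shebang lacked the leading slash ("#!bin/bash"), which makes the
# file non-executable by itself; the page runs it via `sh /tmp/...`, so the
# fix only matters when invoked directly.
# /etc/init.d/functions provides `action`, used for the final status line.
. /etc/init.d/functions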
#change system directory: create scripts/software directory
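function change_dir(){
  # Create the directories that hold local scripts and downloaded software.
  # Globals: ShellDir, SoftwareDir (written; kept global as in the original).
  # Returns: mkdir's status (non-zero if either directory cannot be created).
  ShellDir="/server/scripts"
  SoftwareDir="/server/tools"
  # The original had no space between -p and the path, which mkdir rejects
  # as an unknown option instead of creating the directory.
  mkdir -p -- "$ShellDir" "$SoftwareDir"
}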
# input info verify
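function info_verify(){
  # Ask the operator to confirm the value just entered.
  # Reads one line from stdin: "y…"/"Y…" confirms, "n…"/"N…" aborts the script.
  # Any other answer is re-prompted; EOF aborts, because the caller goes on to
  # modify system files and must not proceed without an explicit confirmation
  # (the original fell through on unrecognised input and used `continue`
  # outside a loop, which bash only warns about).
  # Returns: 0 on confirmation; exits 1 on refusal or EOF.
  local info
  while true; do
    read -r -p "Please make sure the information you entered (yes|no): " info || exit 1
    case "$info" in
      y*|Y*) return 0 ;;
      n*|N*) exit 1 ;;
      *) printf 'Please answer yes or no.\n' >&2 ;;
    esac
  done
}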
#change system hostname
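function change_hostname(){
  # Prompt for a hostname, apply it to the running system and persist it.
  # Globals: HostName (written, as in the original).
  # Writes /etc/sysconfig/network and /etc/hosts; calls info_verify, which
  # exits the script if the operator declines.
  # Returns: 1 if the hostname is rejected or a step fails.
  local get_ip
  # RFC 1123 host syntax: dot-separated labels of letters, digits and hyphens,
  # 1-63 chars each, no leading/trailing hyphen. Validated before the value
  # reaches sed/grep patterns and system files.
  local re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
  read -r -p "Please input hostname: " HostName
  if [[ ! "$HostName" =~ $re ]]; then
    printf 'invalid hostname: %s\n' "$HostName" >&2
    return 1
  fi
  info_verify
  hostname "$HostName" || return 1
  # Match the HOSTNAME= key instead of assuming it sits on line 2 of the file.
  if grep -q '^HOSTNAME=' /etc/sysconfig/network; then
    sed -i "s/^HOSTNAME=.*/HOSTNAME=$HostName/" /etc/sysconfig/network || return 1
  else
    echo "HOSTNAME=$HostName" >> /etc/sysconfig/network || return 1
  fi
  get_ip=$(ifconfig eth0 | awk -F "[ :]+" 'NR==2 {print $4}')
  # Add a hosts entry only when the name is not already present. The original
  # test `[ -z$chk_hosts ]` was a single non-empty word and therefore always
  # true, so it appended a line on every run.
  if ! grep -qw -- "$HostName" /etc/hosts; then
    echo "$get_ip $HostName" >> /etc/hosts
  fi
}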
#boot system optimize: setup chkconfig
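function change_chkconfig(){
  # Turn off every service enabled in runlevel 3 except those matched by $1.
  # Arguments: $1 - extended regex (grep -E) of service names to keep, e.g.
  #            "crond|network|rsyslog|sshd|sysstat". It is unanchored, so a
  #            pattern also keeps any service whose name merely contains it;
  #            an empty pattern keeps everything.
  # Returns: 0; failures of individual chkconfig calls go to stderr.
  local keep_pattern="$1"
  local svc
  # Read one service name per line (the original used an unquoted backtick
  # expansion in a for-loop, which word-splits and globs the output).
  while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    chkconfig "$svc" off
  done < <(chkconfig --list | grep "3:on" | awk '{print $1}' | grep -vE -- "$keep_pattern")
}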
#setup system optimize: setup ulimit
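function change_ulimit(){
  # Raise the open-file limit for all users by appending one line to limits.conf.
  # Arguments: $1 - limits file to edit (default /etc/security/limits.conf;
  #            optional so the edit can be exercised on a copy).
  # Idempotent: the line is only appended when it is not already present.
  local limits_file="${1:-/etc/security/limits.conf}"
  local limit_line='* - nofile 65535'
  # -F matches the leading '*' literally instead of as a regex operator;
  # -q replaces the original's explicit $? test.
  if ! grep -qF -- "$limit_line" "$limits_file" 2>/dev/null; then
    echo "$limit_line" >> "$limits_file"
  fi
}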
#setup system optimize: setup sysctl
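function change_sysctl(){
  # Install the prepared kernel parameters and apply them.
  # Reads /tmp/sysctl.conf (staged beforehand, not created by this script),
  # overwrites /etc/sysctl.conf with it, loads the bridge module, reloads sysctl.
  # NOTE(review): /tmp is world-writable, so another local user could replace
  # the staged file before this runs; staging it under a root-only directory
  # would remove that window.
  # Returns: 1 if the staged file is missing; otherwise the status of the chain.
  local src=/tmp/sysctl.conf
  # Check first: the original `cat /tmp/sysctl.conf >/etc/sysctl.conf` opened
  # (and truncated) the target before cat could fail on a missing source.
  if [ ! -f "$src" ]; then
    printf '%s not found, leaving /etc/sysctl.conf unchanged\n' "$src" >&2
    return 1
  fi
  cat -- "$src" > /etc/sysctl.conf && \
  modprobe bridge &>/dev/null && \
  sysctl -p &>/dev/null
}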
#sshd software optimize: change sshd_conf
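_set_sshd_option(){
  # Make "$1 $2" the only active setting for keyword $1 in file $3.
  # Active lines for the keyword are deleted (case-insensitively, as sshd
  # treats keywords; commented lines are left alone) and the new setting is
  # inserted at the top of the file, ahead of any `Match` block that would
  # otherwise scope an appended line.
  local key="$1" value="$2" file="$3"
  sed -i "/^[[:space:]]*${key}\\b/Id" "$file" || return 1
  if [ -s "$file" ]; then
    sed -i "1i${key} ${value}" "$file"
  else
    printf '%s %s\n' "$key" "$value" > "$file"
  fi
}

function change_sshdfile(){
  # Apply two sshd_config settings: GSSAPIAuthentication no and UseDNS no
  # (both remove a lookup from the login path; GSSAPI is an unused auth method here).
  # Arguments: $1 - config file to edit (default /etc/ssh/sshd_config;
  #            optional so the edit can be exercised on a copy).
  # The original script also prepared, but left commented out, "port 22",
  # "ListenAddress <eth0 ip>", "PermitRootLogin no" and "PermitEmptyPasswords no".
  # They stay unapplied here, so root SSH login remains enabled after this runs.
  # Settings are matched by keyword rather than by the hard-coded line numbers
  # (81 and 122) the original used, which only hold for one stock file layout.
  # sshd must be reloaded for the change to take effect; this does not do that.
  # Returns: non-zero if the file cannot be edited.
  local cfg="${1:-/etc/ssh/sshd_config}"
  _set_sshd_option GSSAPIAuthentication no "$cfg" || return 1
  # sshd keywords are case-insensitive; canonical spelling of the original "useDNS".
  _set_sshd_option UseDNS no "$cfg"
}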
#selinux software optimize: change disable
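function change_selinux(){
  # Disable SELinux persistently (config file) and for the running kernel.
  # Writes /etc/selinux/config. This drops a mandatory-access-control layer;
  # the page's setup assumes it is off, so the step is kept as the author wrote it.
  # The original `sed -i's#...'` lacked a space, so sed took the script text
  # as the -i backup suffix and had no command to run.
  # Returns: setenforce's status (non-zero if SELinux is already disabled).
  sed -i 's#SELINUX=.*#SELINUX=disabled#g' /etc/selinux/config && \
  setenforce 0
}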
#firewall software optimize: change stop
function change_firewall(){
  # Stop the iptables service; output is discarded.
  # NOTE(review): section 2.6 of this page later adds a MASQUERADE rule and
  # runs `/etc/init.d/iptables save`, which expects iptables to be in use
  # again for the VPN subnet; keep that ordering in mind when running both.
  /etc/init.d/iptables stop &>/dev/null
}
#crond software optimize: time synchronization
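function change_update(){
  # Add a cron job that syncs the clock every 5 minutes with ntpdate.
  # Writes /var/spool/cron/root directly; idempotent via the #crond-id-001 marker.
  # NOTE(review): ntpdate against a single public host is unauthenticated time;
  # an internal time source is preferable where one exists (host kept as given).
  local cron_file=/var/spool/cron/root
  if ! grep -qi -- "#crond-id-001" "$cron_file" 2>/dev/null; then
    echo '#crond-id-001:time sync by hq' >> "$cron_file"
    # The original line read `>/dev/null2>&1`; the missing space made the
    # shell write stdout to a stray file named /dev/null2.
    echo "*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1" >> "$cron_file"
  fi
}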
#update yum info
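_fetch_repo(){
  # Download $1 to a temporary file next to $2 and move it into place only on
  # success. `wget -O` truncates its target before the transfer starts, so the
  # original left an empty repo file (and a broken yum) after a failed fetch.
  local url="$1" dest="$2"
  local tmp
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  if wget -q -O "$tmp" "$url"; then
    mv -f -- "$tmp" "$dest"
  else
    rm -f -- "$tmp"
    printf 'download failed: %s\n' "$url" >&2
    return 1
  fi
}

function update_yum(){
  # Replace the yum repo definitions with the Aliyun mirror copies.
  # Writes /etc/yum.repos.d/CentOS-Base.repo and epel.repo.
  # NOTE(review): these files decide where yum fetches packages from and are
  # pulled over plain http://; an https mirror, or checking the downloaded
  # files before installing them, would close that gap (URLs kept as given).
  # Returns: 1 if either download fails.
  local repo_dir=/etc/yum.repos.d
  _fetch_repo http://mirrors.aliyun.com/repo/Centos-6.repo "$repo_dir/CentOS-Base.repo" || return 1
  _fetch_repo http://mirrors.aliyun.com/repo/epel-6.repo "$repo_dir/epel.repo"
}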
#change profile file info
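function change_profile(){
  # Add a coloured prompt and two aliases to /etc/profile, then reload it.
  # Writes /etc/profile; each addition is skipped when already present
  # (presence test is a plain substring match on "PS1" / "alias grep").
  local profile=/etc/profile
  if ! grep -q "PS1" "$profile"; then
    # Prompt: green "[user@host cwd]" followed by \$ (# for root).
    # The user@host part was garbled in the page extraction to
    # "[email protected]"; restored to the standard \u@\h prompt escapes.
    # printf '%s' writes the backslashes verbatim regardless of echo settings.
    printf '%s\n' "PS1='\[\e[32;1m\][\u@\h \W]\\$ \[\e[0m\]'" >> "$profile"
  fi
  if ! grep -q "alias grep" "$profile"; then
    printf '%s\n' "alias grep='grep --color=auto'" >> "$profile"
    printf '%s\n' "alias ll='ls -l --color=auto --time-style=long-iso'" >> "$profile"
  fi
  # shellcheck disable=SC1091 — system file, not part of this script
  source "$profile"
}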
function main(){
  # Run every optimization step in order. The interactive step (hostname
  # prompt) comes first so the remaining steps can run unattended.
  # Returns: status of the last step (change_profile).
  local keep_services="crond|network|rsyslog|sshd|sysstat"
  change_dir                          # /server/scripts, /server/tools
  change_hostname                     # prompts, then persists the name
  change_chkconfig "$keep_services"   # services left enabled in runlevel 3
  change_ulimit                       # nofile 65535 in limits.conf
  change_sysctl                       # install staged sysctl.conf
  change_sshdfile                     # GSSAPI / DNS lookups off in sshd
  change_selinux                      # SELINUX=disabled + setenforce 0
  change_firewall                     # stop iptables
  change_update                       # ntpdate cron entry
  update_yum                          # Aliyun repo files
  change_profile                      # prompt and aliases
}
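# Entry point: run all steps, then report the result in init-script style.
# `action` comes from /etc/init.d/functions. The original always passed
# /bin/true (and lacked the space before it), so it printed OK regardless of
# how main ended; now the status line follows main's return code.
if main; then
  action "system optimize complete" /bin/true
else
  action "system optimize complete" /bin/false
fi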
執行優化指令碼
sh /tmp/optimize-init_sys.sh
2.安裝OpenVPN服務
2.1安裝依賴環境
yum -y install openssl openssl-devel lzo openvpn easy-rsa
2.2建立證書檔案
cp -pr /usr/share/easy-rsa/2.0/* /etc/openvpn/
vim /etc/openvpn/vars
[[email protected] openvpn]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
[[email protected] openvpn]# ./clean-all
[[email protected] openvpn]# ./build-ca 連續回車
2.3生成服務端證書和祕鑰
[[email protected] openvpn]# ./build-key-server server 連續回車—再加兩個y
2.4建立Diffie-Hellman確保key穿越不安全網路（此步驟需執行 ./build-dh 產生 server.conf 所引用的 /etc/openvpn/keys/dh2048.pem；下面的 ./build-key client 產生的是客戶端證書）
[[email protected] openvpn]# ./build-key client 連續回車—再加兩個y
2.5配置openvpn配置檔案server.conf
vim /etc/openvpn/server.conf
local 10.0.0.110
port 19923
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 172.16.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
client-to-client
keepalive 20 120
comp-lzo
user root
group root
persist-key
persist-tun
status openvpn-status1.log
log-append openvpn1.log
verb 1
mute 20
2.6防火牆設定
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/iptables save
2.7路由轉發
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 修改為1
2.8建立客戶端使用者
[[email protected] openvpn]# source vars
[[email protected] openvpn]# ./build-key lcx 建立的客戶端使用者 重複回車---最後輸入兩個y
2.9啟動服務
/etc/init.d/openvpn restart
3.Windows客戶端配置
3.1獲取Openvpn
https://pan.baidu.com/s/1hLf2dijdpsiOcKAjV17Hsw
3.2安裝Openvpn
3.3下載祕鑰
[[email protected] keys]# sz -y lcx.*
[[email protected] keys]# sz -y ca.*
將下載的祕鑰放置在C:\Program Files (x86)\OpenVPN\config
3.4建立client.ovpn配置檔案
client
proto tcp
dev tun
remote 10.0.0.72 19923
ca ca.crt
cert lcx.crt
key lcx.key
resolv-retry infinite
nobind
mute-replay-warnings
keepalive 20 120
comp-lzo
user root
group root
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
3.5連結vpn