部署OpenVPN

本文主要介绍openvpn的部署

1.部署

几个特性:

  1. 将几个步骤抽取到了一个 shell 脚本中。
  2. 支持了ipv6。如果你的vpn服务器开通了ipv6,那么client就可以直接连接。
  3. 给用户分发同一证书,每个用户单独设置账号密码。这里的问题:不便于重置

核心脚本,当中需要修改的部分:

  1. 修改server、client、server_domain、server_port。
  2. 修改 push "route ..." 中的内网网段，以及是否下发 DNS。
#!/bin/bash
#
#********************************************************************
# Deployment parameters: edit these before running.
# server/client are the file-name stems used for the server and client
# certificates; server_domain/server_port end up in the client's "remote" line.
server='xx_server'
client='xxx_client'
server_domain='xxx.com'
server_port='1194'
#serverIP=`hostname -I|awk '{print $1}'`
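# Install openvpn, easy-rsa and openvpn-auth-ldap, adding an EPEL repo file
# first when no EPEL repository is configured.
# Returns: the status of the final dnf install.
install(){
  if dnf repolist | grep -qi epel; then
    echo "epel exist"
  else
    # Quoted delimiter: $releasever and $basearch are dnf variables and must
    # reach the repo file literally; with an unquoted EOF the shell expanded
    # them to "" and the baseurl came out as .../epel//Everything/.
    # NOTE(review): gpgcheck=0 turns off package-signature verification for
    # this repo; set gpgcheck=1 with a gpgkey= entry where possible.
    cat > /etc/yum.repos.d/epel.repo <<'EOF'
[epel]
name=EPEL
baseurl=https://mirror.tuna.tsinghua.edu.cn/epel/$releasever/Everything/$basearch
gpgcheck=0
enabled=1
EOF
  fi
  dnf install -y openvpn easy-rsa openvpn-auth-ldap
}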
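# Create a fresh easy-rsa PKI under /etc/openvpn/easy-rsa and build the CA.
# Note: this deletes /etc/openvpn/ entirely (previous certificates, configs and
# psw-file included) and the OpenVPN logs; it is a first-time-setup step.
# Returns: 1 when the easy-rsa directory cannot be entered.
CA_init(){
  local easyrsa_dir=/etc/openvpn/easy-rsa
  rm -rf /etc/openvpn/
  rm -rf /var/log/openvpn/openvpn-status.log
  rm -rf /var/log/openvpn/openvpn.log
  mkdir -p "$easyrsa_dir" /etc/openvpn/server/
  # Without globstar "**" is just "*": copy the easy-rsa 3 tree.
  cp -r /usr/share/easy-rsa/3/* "$easyrsa_dir"
  cp /usr/share/doc/easy-rsa/vars.example "$easyrsa_dir/vars"
  # CA lifetime 36500 days, certificate lifetime 3650 days.  "#?" matches the
  # vars line whether or not it is still commented out; the original second
  # pattern required "##set_var", which never matched, so EASYRSA_CERT_EXPIRE
  # silently kept its default.  Only the first sed keeps a .bak (pristine copy).
  sed -r -i.bak 's/^#?(set_var EASYRSA_CA_EXPIRE).*[0-9]+.*/\1 36500/' "$easyrsa_dir/vars"
  sed -r -i 's/^#?(set_var EASYRSA_CERT_EXPIRE).*[0-9]+.*/\1 3650/' "$easyrsa_dir/vars"
  cd "$easyrsa_dir" || return 1
  # The here-docs answer easyrsa's interactive prompts with an empty line
  # (stdin redirection from the here-doc is what easyrsa reads; the original
  # "echo yes |" was superseded by it and is dropped).
  ./easyrsa init-pki <<EOF

EOF
  ./easyrsa build-ca nopass <<EOF

EOF
}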
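# Issue the server certificate, generate DH parameters, stage ca.crt, the
# server crt/key and dh.pem under /etc/openvpn/server/, and write the
# checkpsw.sh script used by auth-user-pass-verify.
# Globals read: server (certificate stem).
# Returns: 1 when the easy-rsa directory cannot be entered or a step fails.
server_init(){
  local pki=/etc/openvpn/easy-rsa/pki
  cd /etc/openvpn/easy-rsa || return 1
  # Here-docs feed easyrsa's prompts: empty common name, "yes" to confirm signing.
  ./easyrsa gen-req "$server" nopass <<EOF || return 1

EOF
  ./easyrsa sign server "$server" <<EOF || return 1
yes
EOF
  ./easyrsa gen-dh || return 1
  cp "$pki/ca.crt" "$pki/issued/$server.crt" "$pki/private/$server.key" "$pki/dh.pem" /etc/openvpn/server/ || return 1
  mkdir -p /var/log/openvpn/
  chown openvpn:openvpn /var/log/openvpn
  # Quoted delimiter: nothing below is expanded by this script; ${username}
  # and ${password} are read at run time from the environment OpenVPN sets
  # for "auth-user-pass-verify ... via-env".
  # Changes to the embedded script versus the original:
  #  - the username is handed to awk with -v instead of being spliced into the
  #    awk program, so a client-supplied name cannot inject awk code;
  #  - the submitted password is no longer written to the log on failures.
  cat > /etc/openvpn/checkpsw.sh <<'EOF'
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# Invoked by OpenVPN (auth-user-pass-verify, via-env): the
# submitted credentials arrive in $username and $password.
# Passwords are never written to the log.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# The username is passed as an awk variable, not spliced into the program
# text, so quotes or awk syntax in the name cannot alter the lookup.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
EOF
  echo "已生成/etc/openvpn/checkpsw.sh"
  chmod +x /etc/openvpn/checkpsw.sh
}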
# Write /etc/openvpn/server.conf from the deployment parameters.
# Globals read: server_port, server.
# Review notes on the generated config (content is reproduced unchanged):
#  - two proto lines are emitted (tcp-server, then 'tcp6'); presumably the
#    later one is what OpenVPN keeps — confirm against the running server;
#  - user/group root: the daemon and checkpsw.sh run as root;
#  - no tls-auth/tls-crypt line, and the data-ciphers list is CBC-only.
server_config(){
  local conf=/etc/openvpn/server.conf
  cat <<EOF > "$conf"
port $server_port
proto tcp-server
proto 'tcp6'
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/$server.crt
key /etc/openvpn/server/$server.key
dh /etc/openvpn/server/dh.pem
server 10.9.0.0 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
push "route 172.120.0.0 255.255.255.0"
push "dhcp-option DNS 223.5.5.5"
keepalive 10 120
cipher AES-256-CBC
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
#compress lz4-v2
#push "compress lz4-v2"
max-clients 1000
user root
group root
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
EOF
}
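# Append one "user password" line to the credential file read by checkpsw.sh.
# Both values are read interactively; the password is read without echo.
# PSW_FILE overrides the file path (for testing); checkpsw.sh itself reads the
# default /etc/openvpn/psw-file, so leave it unset in production.
# Returns: 1 when the username is empty or contains whitespace (it would break
# the one-user-per-line format), when the password is empty, or on write error.
userPW(){
  local psw_file=${PSW_FILE:-/etc/openvpn/psw-file}
  local user password
  read -r -p "请输入创建的用户名:" user
  case "$user" in
    ''|*[[:space:]]*) echo "用户名不能为空或包含空白字符" >&2; return 1 ;;
  esac
  read -r -s -p "请输入密码:" password
  echo >&2
  [ -n "$password" ] || { echo "密码不能为空" >&2; return 1; }
  # Create with a restrictive umask so a new file is never world-readable,
  # then pin 0600 in case the file already existed with looser permissions.
  ( umask 077; printf '%s %s\n' "$user" "$password" >> "$psw_file" ) || return 1
  chmod 600 "$psw_file"
}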
# Replace the packaged OpenVPN systemd units with a single openvpn@.service
# that runs /etc/openvpn/%i.conf, then enable and start openvpn@server.
# Review notes: the unit runs as root (User=root/Group=root), and the units
# removed from /usr/lib/systemd/system are package-owned, so a package update
# may put them back.
start_openvpn(){
  local unit stale
  for unit in openvpn@server.service openvpn-server@server.service openvpn@service.service; do
    systemctl disable "$unit"
  done
  for stale in /usr/lib/systemd/system/openvpn@.service \
      /usr/lib/systemd/system/openvpn \
      /usr/lib/systemd/system/openvpn-client@.service \
      /usr/lib/systemd/system/openvpn-server@.service; do
    rm -rf -- "$stale"
  done
  tee /lib/systemd/system/openvpn@.service <<-'EOF'
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
User=root
Group=root
[Install]
WantedBy=multi-user.target
EOF
  # [ -e /lib/systemd/system/openvpn@.service ] || cp /root/openvpn/openvpn@.service /lib/systemd/system/
  systemctl daemon-reload
  systemctl enable --now openvpn@server
}
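# Issue a client certificate (stem $client) and collect its req/crt/key plus
# ca.crt under /etc/openvpn/client/$client/.
# Globals read: client.
# Returns: 1 when the easy-rsa directory cannot be entered or a step fails.
client_req(){
  local easyrsa_dir=/etc/openvpn/easy-rsa
  local out_dir=/etc/openvpn/client/$client
  cd "$easyrsa_dir" || return 1
  # Client certificates get a shorter lifetime than the server's.  "#?" matches
  # the vars line whether it is still commented out or was already rewritten;
  # the original pattern required "##set_var" and therefore never applied.
  sed -r -i.bak 's/^#?(set_var EASYRSA_CERT_EXPIRE).*[0-9]+.*/\1 2650/' "$easyrsa_dir/vars"
  ./easyrsa gen-req "$client" nopass <<EOF || return 1

EOF
  ./easyrsa sign client "$client" <<EOF || return 1
yes
EOF
  # The directory will hold a private key.
  mkdir -p "$out_dir" && chmod 700 "$out_dir" || return 1
  # Copies every PKI file whose name starts with the stem (req, crt, key); if
  # another stem shares that prefix its files are swept up as well.
  find "$easyrsa_dir/" -name "${client}*" -exec cp {} "$out_dir/" \;
  cp "$easyrsa_dir/pki/ca.crt" "$out_dir/" || return 1
}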
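# Assemble the client profile $client.ovpn with the CA certificate, client
# certificate and client key inlined, then copy it to /root/openvpn/$client/.
# Globals read: client, server_domain, server_port.
# Returns: 1 when one of the files to inline is missing or a write fails.
client_config(){
  local client_dir=/etc/openvpn/client/$client
  local ovpn=$client_dir/$client.ovpn
  local f
  for f in ca.crt "$client.crt" "$client.key"; do
    [ -r "$client_dir/$f" ] || { echo "缺少文件: $client_dir/$f" >&2; return 1; }
  done
  cat > "$ovpn" <<EOF || return 1
client
dev tun
proto tcp-client
remote $server_domain $server_port #生产中为OpenVPN服务器的FQDN或者公网IP
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-CBC
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC
verb 3 #此值不能随意指定,否则无法通信
#compress lz4-v2 #此项在OpenVPN2.4.X版本使用,需要和服务器端保持一致,如不指定,默认使用comp-lz压缩
auth-user-pass
EOF
  # The profile embeds the private key: restrict it before the key is appended.
  chmod 600 "$ovpn" || return 1
  {
    echo "<ca>";   cat "$client_dir/ca.crt";      echo "</ca>"
    echo "<cert>"; cat "$client_dir/$client.crt"; echo "</cert>"
    echo "<key>";  cat "$client_dir/$client.key"; echo "</key>"
  } >> "$ovpn" || return 1
  mkdir -p "/root/openvpn/$client/" || return 1
  cp "$client_dir"/*.ovpn "/root/openvpn/$client/" && echo "证书文件已复制到/root/openvpn/"
}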
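# Revoke a certificate by name, regenerate the CRL, make sure server.conf has
# a crl-verify line and restart the server.
# Note: only a certificate issued under the entered name can be revoked; with
# the shared client certificate that is the client stem, not a login user.
# Returns: 1 when the easy-rsa directory cannot be entered, the name is empty,
# or easyrsa fails.
revoke_user(){
  local revokeuser
  cd /etc/openvpn/easy-rsa || return 1
  read -r -p "请输入需要吊销证书的用户名:" revokeuser
  [ -n "$revokeuser" ] || { echo "用户名不能为空" >&2; return 1; }
  ./easyrsa revoke "$revokeuser" || return 1
  ./easyrsa gen-crl || return 1
  # Append crl-verify once; the original appended a duplicate line per call.
  grep -q '^crl-verify ' /etc/openvpn/server.conf ||
    echo "crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
  systemctl restart openvpn@server.service
}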
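# Remove a user's line from the credential file.
# The name is compared against the first field exactly: the original spliced
# it into a sed regex, so "bob" also deleted "bobby" and a name containing
# "/" or regex metacharacters broke (or altered) the sed program.
# PSW_FILE overrides the file path (for testing); default /etc/openvpn/psw-file.
# Returns: 1 when the name is empty, the file is missing, or rewriting fails.
deluser(){
  local psw_file=${PSW_FILE:-/etc/openvpn/psw-file}
  local DELuser scratch
  read -r -p "请输入需要删除的用户名:" DELuser
  [ -n "$DELuser" ] || { echo "用户名不能为空" >&2; return 1; }
  [ -f "$psw_file" ] || { echo "文件不存在: $psw_file" >&2; return 1; }
  scratch=$(mktemp "${psw_file}.XXXXXX") || return 1
  # Rewrite in place through cat so the file keeps its inode and permissions.
  if awk -v u="$DELuser" '$1 != u' "$psw_file" > "$scratch" && cat "$scratch" > "$psw_file"; then
    rm -f -- "$scratch"
    return 0
  fi
  rm -f -- "$scratch"
  return 1
}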

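# Add the NAT masquerade rule for the VPN subnet, persist it in rc.local and
# enable IP forwarding.  Every step is idempotent: the original appended a
# new rule and new rc.local/sysctl.conf lines on each run.
# Returns: 1 when the iptables rule cannot be added.
vpn_iptables(){
  local rule='-t nat -A POSTROUTING -s 10.9.0.0/24 ! -d 10.9.0.0/24 -j MASQUERADE'
  local rc_local=/etc/rc.d/rc.local
  local sysctl_conf=/etc/sysctl.conf
  # -C reports whether an identical rule exists; only then is -A applied.
  # shellcheck disable=SC2086 -- $rule is a fixed word list, split on purpose
  iptables ${rule/-A/-C} 2>/dev/null || iptables $rule || return 1
  grep -qxF "iptables $rule" "$rc_local" 2>/dev/null || echo "iptables $rule" >> "$rc_local"
  chmod +x "$rc_local"
  grep -qxF "net.ipv4.ip_forward = 1" "$sysctl_conf" 2>/dev/null ||
    echo "net.ipv4.ip_forward = 1" >> "$sysctl_conf"
  # NOTE(review): "default" only affects interfaces created later; confirm
  # whether net.ipv6.conf.all.forwarding is what the IPv6 path needs.
  grep -qxF "net.ipv6.conf.default.forwarding=1" "$sysctl_conf" 2>/dev/null ||
    echo "net.ipv6.conf.default.forwarding=1" >> "$sysctl_conf"
  sysctl -p
}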
# Print the "[ OK ]" status marker (borrowed from /etc/init.d/functions).
# Colour/cursor commands from MOVE_TO_COL, SETCOLOR_SUCCESS and SETCOLOR_NORMAL
# are run only when BOOTUP=color.  Ends with a carriage return; returns 0.
echo_success() {
  local in_colour=
  [ "$BOOTUP" = "color" ] && in_colour=1
  [ -n "$in_colour" ] && $MOVE_TO_COL
  printf '%s' "["
  [ -n "$in_colour" ] && $SETCOLOR_SUCCESS
  printf '%s' $" OK "
  [ -n "$in_colour" ] && $SETCOLOR_NORMAL
  printf '%s' "]"
  printf '\r'
  return 0
}

# Print the "[FAILED]" status marker (borrowed from /etc/init.d/functions).
# Colour/cursor commands from MOVE_TO_COL, SETCOLOR_FAILURE and SETCOLOR_NORMAL
# are run only when BOOTUP=color.  Ends with a carriage return; returns 1.
echo_failure() {
  local in_colour=
  [ "$BOOTUP" = "color" ] && in_colour=1
  [ -n "$in_colour" ] && $MOVE_TO_COL
  printf '%s' "["
  [ -n "$in_colour" ] && $SETCOLOR_FAILURE
  printf '%s' $"FAILED"
  [ -n "$in_colour" ] && $SETCOLOR_NORMAL
  printf '%s' "]"
  printf '\r'
  return 1
}
# Report a failed step: shows the "[FAILED]" marker unless BOOTUP=verbose or
# LSB is set, asks plymouth for details when it is installed, and returns the
# exit status that was current when the function was entered.
failure() {
  local rc=$?
  if [[ "$BOOTUP" != "verbose" && -z "${LSB:-}" ]]; then
    echo_failure
  fi
  if [[ -x /bin/plymouth ]]; then
    /bin/plymouth --details
  fi
  return "$rc"
}

# Report a successful step: shows the "[ OK ]" marker unless BOOTUP=verbose or
# LSB is set.  Always returns 0.
success() {
  if [[ "$BOOTUP" != "verbose" && -z "${LSB:-}" ]]; then
    echo_success
  fi
  return 0
}
# Print a label, run the remaining arguments as a command and report the
# outcome through success()/failure().
# Arguments: $1 label; $2... the command and its arguments.
# Returns: 0 after success(), otherwise the status failure() propagates.
action() {
  local label=$1
  local status
  shift
  printf '%s ' "$label"
  if "$@"; then
    success $"$label"
  else
    failure $"$label"
  fi
  status=$?
  echo
  return "$status"
}
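# Interactive main menu: each entry runs one deployment step and reports the
# result through action().  Loops until "退出" is chosen (exit), so it never
# returns to the caller otherwise.
Menu(){
  local choice
  PS3="请选择:"
  select choice in 创建CA 配置服务器 生成客户端文件 创建用户名密码 吊销证书 删除用户 增加iptables 退出; do
    case "$choice" in
      创建CA)
        install && action "安装成功" || action "安装失败" false
        CA_init && action "CA证书完成" || action "CA错误" false
        ;;
      配置服务器)
        server_init && action "服务器证书颁发完成" || action "服务器证书颁发错误" false
        server_config && action "服务器配置文件生成" || action "服务器配置文件错误" false
        start_openvpn && action "openvpn服务器配置完成,服务已启动" || action "服务启动失败" false
        ;;
      生成客户端文件)
        client_req && action "客户端证书颁发完成" || action "客户端证书颁发错误" false
        client_config && action "客户端配置文件生成" || action "客户端配置文件错误" false
        ;;
      创建用户名密码)
        userPW && action "用户已创建" || action "创建失败" false
        ;;
      吊销证书)
        revoke_user && action "证书已吊销" || action "吊销失败" false
        ;;
      删除用户)
        deluser && action "删除用户成功" || action "删除失败" false
        ;;
      增加iptables)
        vpn_iptables && action "增加iptables完成" || action "增加iptables条目失败" false
        ;;
      退出)
        exit
        ;;
      *)
        # select leaves $choice empty on an out-of-range reply; the original
        # matched nothing and silently re-prompted.
        echo "无效选择: $REPLY" >&2
        ;;
    esac
  done
}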
# Entry point: hand control to the interactive menu (runs until "退出").
Menu

可以直接使用。

2.通过ldap认证

搭建ldap参见:部署OpenLdap
完整shell:

#!/bin/bash
#
#********************************************************************
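# Deployment parameters: edit these before running (the values are placeholders).
# server/client are the file-name stems for the server and client certificates;
# server_domain/server_port end up in the client's "remote" line.
server=server文件夹名称-随便填
client=client文件夹名称-随便填
server_domain=vpn服务器域名
server_port=vpn服务器端口
# LDAP connection used by openvpn-auth-ldap (written to ldap.conf in server_config).
ldap_address=ldap服务域名:389
ldap_base_dn=dc=xxx,dc=com
ldap_admin=cn=admin,dc=xxx,dc=com
# Bind password: taken from the LDAP_PASSWORD environment variable when it is
# set, so the secret need not live in this script; the inline value is only a
# fallback placeholder.
ldap_password=${LDAP_PASSWORD:-ldap密码}
ldap_user_dn=ou=people,dc=xxx,dc=com

#serverIP=`hostname -I|awk '{print $1}'`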
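# Install openvpn, easy-rsa and openvpn-auth-ldap (adding an EPEL repo file
# when none is configured) and label the VPN port for SELinux.
# Globals read: server_port.
# Returns: 1 when dnf install fails; otherwise the semanage status.
install(){
  if dnf repolist | grep -qi epel; then
    echo "epel仓库已存在"
  else
    # Quoted delimiter: $releasever and $basearch are dnf variables and must
    # reach the repo file literally; with an unquoted EOF the shell expanded
    # them to "" and the baseurl came out as .../epel//Everything/.
    # NOTE(review): gpgcheck=0 turns off package-signature verification for
    # this repo; set gpgcheck=1 with a gpgkey= entry where possible.
    cat > /etc/yum.repos.d/epel.repo <<'EOF'
[epel]
name=EPEL
baseurl=https://mirror.tuna.tsinghua.edu.cn/epel/$releasever/Everything/$basearch
gpgcheck=0
enabled=1
EOF
  fi
  dnf install -y openvpn easy-rsa openvpn-auth-ldap || return 1
  # "-a" fails when the port is already labelled (1194 ships as
  # openvpn_port_t), so fall back to modifying the existing mapping.
  semanage port -a -t openvpn_port_t -p tcp "$server_port" 2>/dev/null ||
    semanage port -m -t openvpn_port_t -p tcp "$server_port"
}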
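# Create a fresh easy-rsa PKI under /etc/openvpn/easy-rsa and build the CA.
# Note: this deletes /etc/openvpn/ entirely (previous certificates, configs and
# auth/ldap.conf included) and the OpenVPN logs; it is a first-time-setup step.
# Returns: 1 when the easy-rsa directory cannot be entered.
CA_init(){
  local easyrsa_dir=/etc/openvpn/easy-rsa
  rm -rf /etc/openvpn/
  rm -rf /var/log/openvpn/openvpn-status.log
  rm -rf /var/log/openvpn/openvpn.log
  mkdir -p "$easyrsa_dir" /etc/openvpn/server/
  # Without globstar "**" is just "*": copy the easy-rsa 3 tree.
  cp -r /usr/share/easy-rsa/3/* "$easyrsa_dir"
  cp /usr/share/doc/easy-rsa/vars.example "$easyrsa_dir/vars"
  # CA lifetime 36500 days, certificate lifetime 3650 days.  "#?" matches the
  # vars line whether or not it is still commented out; the original second
  # pattern required "##set_var", which never matched, so EASYRSA_CERT_EXPIRE
  # silently kept its default.  Only the first sed keeps a .bak (pristine copy).
  sed -r -i.bak 's/^#?(set_var EASYRSA_CA_EXPIRE).*[0-9]+.*/\1 36500/' "$easyrsa_dir/vars"
  sed -r -i 's/^#?(set_var EASYRSA_CERT_EXPIRE).*[0-9]+.*/\1 3650/' "$easyrsa_dir/vars"
  cd "$easyrsa_dir" || return 1
  # The here-docs answer easyrsa's interactive prompts with an empty line
  # (stdin redirection from the here-doc is what easyrsa reads; the original
  # "echo yes |" was superseded by it and is dropped).
  ./easyrsa init-pki <<EOF

EOF
  ./easyrsa build-ca nopass <<EOF

EOF
}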
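# Issue the server certificate, generate DH parameters and stage ca.crt, the
# server crt/key and dh.pem under /etc/openvpn/server/.
# Globals read: server (certificate stem).
# Returns: 1 when the easy-rsa directory cannot be entered or a step fails.
server_init(){
  local pki=/etc/openvpn/easy-rsa/pki
  cd /etc/openvpn/easy-rsa || return 1
  # Here-docs feed easyrsa's prompts: empty common name, "yes" to confirm signing.
  ./easyrsa gen-req "$server" nopass <<EOF || return 1

EOF
  ./easyrsa sign server "$server" <<EOF || return 1
yes
EOF
  ./easyrsa gen-dh || return 1
  cp "$pki/ca.crt" "$pki/issued/$server.crt" "$pki/private/$server.key" "$pki/dh.pem" /etc/openvpn/server/ || return 1
  mkdir -p /var/log/openvpn/
  chown openvpn:openvpn /var/log/openvpn
}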
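# Write the openvpn-auth-ldap configuration and /etc/openvpn/server.conf.
# Globals read: ldap_address, ldap_admin, ldap_password, ldap_user_dn,
# server_port, server.
# Review notes on the generated config (content unchanged):
#  - TLSEnable no with ldap://...:389 sends the bind password and every user's
#    password to the directory in cleartext; enable TLS/ldaps where possible;
#  - verify-client-cert none + duplicate-cn: authentication rests on the LDAP
#    password alone; two proto lines are emitted (the later one presumably
#    wins); user/group root keeps the daemon running as root.
# Returns: 1 when ldap.conf cannot be created with restrictive permissions.
server_config(){
  local auth_dir=/etc/openvpn/auth
  local ldap_conf=$auth_dir/ldap.conf
  mkdir -p "$auth_dir"
  # ldap.conf holds the bind password; the original wrote it with the default
  # umask (typically world-readable).  Pin 0600 before the password is written.
  touch "$ldap_conf" && chmod 600 "$ldap_conf" || return 1
  cat > "$ldap_conf" <<EOF
<LDAP>
URL ldap://$ldap_address
BindDN $ldap_admin
Password $ldap_password
Timeout 15
TLSEnable no
FollowReferrals yes
</LDAP>

<Authorization>
BaseDN "$ldap_user_dn"
SearchFilter "(uid=%u)"
RequireGroup false
</Authorization>
EOF
  cat > /etc/openvpn/server.conf <<EOF
port $server_port
proto tcp-server
proto 'tcp6'
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/$server.crt
key /etc/openvpn/server/$server.key
dh /etc/openvpn/server/dh.pem
plugin /usr/lib64/openvpn/plugins/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf cn=%u"
ifconfig-pool-persist ipp.txt

verify-client-cert none
username-as-common-name
server 10.9.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "route 172.120.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "dhcp-option DNS 223.5.5.5"
keepalive 10 120
persist-key
persist-tun
cipher AES-256-GCM:AES-128-GCM
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
client-to-client
duplicate-cn
#compress lz4-v2
#push "compress lz4-v2"
max-clients 1000
user root
group root
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
script-security 3
EOF
}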

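# Install a plain openvpn.service that runs /etc/openvpn/server.conf, then
# enable and start it.
# Review note: the unit keeps User=root/Group=root, so the daemon runs as root
# for its whole lifetime.
start_openvpn(){
  local unit=/etc/systemd/system/openvpn.service
  systemctl disable openvpn.service
  # The original removed ".servic" (typo) and so never deleted the old unit;
  # the path now matches the file written below.
  rm -f -- "$unit"
  cat > "$unit" <<'EOF'
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application
After=network.target

[Service]
Type=simple
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
User=root
Group=root
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable --now openvpn
}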
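# Issue a client certificate (stem $client) and collect its req/crt/key plus
# ca.crt under /etc/openvpn/client/$client/.
# Globals read: client.
# Returns: 1 when the easy-rsa directory cannot be entered or a step fails.
client_req(){
  local easyrsa_dir=/etc/openvpn/easy-rsa
  local out_dir=/etc/openvpn/client/$client
  cd "$easyrsa_dir" || return 1
  # Client certificates get a shorter lifetime than the server's.  "#?" matches
  # the vars line whether it is still commented out or was already rewritten;
  # the original pattern required "##set_var" and therefore never applied.
  sed -r -i.bak 's/^#?(set_var EASYRSA_CERT_EXPIRE).*[0-9]+.*/\1 2650/' "$easyrsa_dir/vars"
  ./easyrsa gen-req "$client" nopass <<EOF || return 1

EOF
  ./easyrsa sign client "$client" <<EOF || return 1
yes
EOF
  # The directory will hold a private key.
  mkdir -p "$out_dir" && chmod 700 "$out_dir" || return 1
  # Copies every PKI file whose name starts with the stem (req, crt, key); if
  # another stem shares that prefix its files are swept up as well.
  find "$easyrsa_dir/" -name "${client}*" -exec cp {} "$out_dir/" \;
  cp "$easyrsa_dir/pki/ca.crt" "$out_dir/" || return 1
}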
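# Assemble the client profile $client.ovpn with the CA certificate, client
# certificate and client key inlined, then copy it to /root/openvpn/$client/.
# Globals read: client, server_domain, server_port.
# Returns: 1 when one of the files to inline is missing or a write fails.
client_config(){
  local client_dir=/etc/openvpn/client/$client
  local ovpn=$client_dir/$client.ovpn
  local f
  for f in ca.crt "$client.crt" "$client.key"; do
    [ -r "$client_dir/$f" ] || { echo "缺少文件: $client_dir/$f" >&2; return 1; }
  done
  cat > "$ovpn" <<EOF || return 1
client
dev tun
proto tcp-client
remote $server_domain $server_port #生产中为OpenVPN服务器的FQDN或者公网IP
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM:AES-128-GCM
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
verb 3 #此值不能随意指定,否则无法通信
#compress lz4-v2 #此项在OpenVPN2.4.X版本使用,需要和服务器端保持一致,如不指定,默认使用comp-lz压缩
auth-user-pass
EOF
  # The profile embeds the private key: restrict it before the key is appended.
  chmod 600 "$ovpn" || return 1
  {
    echo "<ca>";   cat "$client_dir/ca.crt";      echo "</ca>"
    echo "<cert>"; cat "$client_dir/$client.crt"; echo "</cert>"
    echo "<key>";  cat "$client_dir/$client.key"; echo "</key>"
  } >> "$ovpn" || return 1
  mkdir -p "/root/openvpn/$client/" || return 1
  cp "$client_dir"/*.ovpn "/root/openvpn/$client/" && echo "证书文件已复制到/root/openvpn/"
}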


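# Add the tun/forwarding/NAT iptables rules, persist them in rc.local and
# enable IP forwarding.  Every step is idempotent: the original appended the
# same rules and the same rc.local/sysctl.conf lines on each run.
# WAN_IF names the upstream interface (default eth0, as hard-coded originally).
# NOTE(review): the tun+ -> WAN FORWARD rule only matches RELATED,ESTABLISHED;
# if the FORWARD policy is DROP, new client-initiated flows are not accepted by
# these rules — confirm the intended policy.
# Returns: 1 when an iptables rule cannot be added.
vpn_iptables(){
  local wan_if=${WAN_IF:-eth0}
  local rc_local=/etc/rc.d/rc.local
  local sysctl_conf=/etc/sysctl.conf
  local rules=(
    "-A INPUT -i tun+ -j ACCEPT"
    "-A FORWARD -i tun+ -o $wan_if -m state --state RELATED,ESTABLISHED -j ACCEPT"
    "-A FORWARD -i $wan_if -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT"
    "-A OUTPUT -o tun+ -j ACCEPT"
    "-t nat -A POSTROUTING -s 10.9.0.0/24 ! -d 10.9.0.0/24 -j MASQUERADE"
  )
  local rule
  for rule in "${rules[@]}"; do
    # -C reports whether an identical rule exists; only then is -A applied.
    # shellcheck disable=SC2086 -- $rule is a fixed word list, split on purpose
    iptables ${rule/-A/-C} 2>/dev/null || iptables $rule || return 1
    grep -qxF "iptables $rule" "$rc_local" 2>/dev/null || echo "iptables $rule" >> "$rc_local"
  done
  chmod +x "$rc_local"
  grep -qxF "net.ipv4.ip_forward = 1" "$sysctl_conf" 2>/dev/null ||
    echo "net.ipv4.ip_forward = 1" >> "$sysctl_conf"
  # NOTE(review): "default" only affects interfaces created later; confirm
  # whether net.ipv6.conf.all.forwarding is what the IPv6 path needs.
  grep -qxF "net.ipv6.conf.default.forwarding=1" "$sysctl_conf" 2>/dev/null ||
    echo "net.ipv6.conf.default.forwarding=1" >> "$sysctl_conf"
  sysctl -p
}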
# Print the "[ OK ]" status marker (borrowed from /etc/init.d/functions).
# Colour/cursor commands from MOVE_TO_COL, SETCOLOR_SUCCESS and SETCOLOR_NORMAL
# are run only when BOOTUP=color.  Ends with a carriage return; returns 0.
echo_success() {
  local in_colour=
  [ "$BOOTUP" = "color" ] && in_colour=1
  [ -n "$in_colour" ] && $MOVE_TO_COL
  printf '%s' "["
  [ -n "$in_colour" ] && $SETCOLOR_SUCCESS
  printf '%s' $" OK "
  [ -n "$in_colour" ] && $SETCOLOR_NORMAL
  printf '%s' "]"
  printf '\r'
  return 0
}

# Print the "[FAILED]" status marker (borrowed from /etc/init.d/functions).
# Colour/cursor commands from MOVE_TO_COL, SETCOLOR_FAILURE and SETCOLOR_NORMAL
# are run only when BOOTUP=color.  Ends with a carriage return; returns 1.
echo_failure() {
  local in_colour=
  [ "$BOOTUP" = "color" ] && in_colour=1
  [ -n "$in_colour" ] && $MOVE_TO_COL
  printf '%s' "["
  [ -n "$in_colour" ] && $SETCOLOR_FAILURE
  printf '%s' $"FAILED"
  [ -n "$in_colour" ] && $SETCOLOR_NORMAL
  printf '%s' "]"
  printf '\r'
  return 1
}
# Report a failed step: shows the "[FAILED]" marker unless BOOTUP=verbose or
# LSB is set, asks plymouth for details when it is installed, and returns the
# exit status that was current when the function was entered.
failure() {
  local rc=$?
  if [[ "$BOOTUP" != "verbose" && -z "${LSB:-}" ]]; then
    echo_failure
  fi
  if [[ -x /bin/plymouth ]]; then
    /bin/plymouth --details
  fi
  return "$rc"
}

# Report a successful step: shows the "[ OK ]" marker unless BOOTUP=verbose or
# LSB is set.  Always returns 0.
success() {
  if [[ "$BOOTUP" != "verbose" && -z "${LSB:-}" ]]; then
    echo_success
  fi
  return 0
}
# Print a label, run the remaining arguments as a command and report the
# outcome through success()/failure().
# Arguments: $1 label; $2... the command and its arguments.
# Returns: 0 after success(), otherwise the status failure() propagates.
action() {
  local label=$1
  local status
  shift
  printf '%s ' "$label"
  if "$@"; then
    success $"$label"
  else
    failure $"$label"
  fi
  status=$?
  echo
  return "$status"
}
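# Interactive main menu: each entry runs one deployment step and reports the
# result through action().  Loops until "退出" is chosen (exit), so it never
# returns to the caller otherwise.
Menu(){
  local choice
  PS3="请选择:"
  select choice in 创建CA 配置服务器 生成客户端文件 增加iptables 退出; do
    case "$choice" in
      创建CA)
        install && action "安装成功" || action "安装失败" false
        CA_init && action "CA证书完成" || action "CA错误" false
        ;;
      配置服务器)
        server_init && action "服务器证书颁发完成" || action "服务器证书颁发错误" false
        server_config && action "服务器配置文件生成" || action "服务器配置文件错误" false
        start_openvpn && action "openvpn服务器配置完成,服务已启动" || action "服务启动失败" false
        ;;
      生成客户端文件)
        client_req && action "客户端证书颁发完成" || action "客户端证书颁发错误" false
        client_config && action "客户端配置文件生成" || action "客户端配置文件错误" false
        ;;
      增加iptables)
        vpn_iptables && action "增加iptables完成" || action "增加iptables条目失败" false
        ;;
      退出)
        exit
        ;;
      *)
        # select leaves $choice empty on an out-of-range reply; the original
        # matched nothing and silently re-prompted.
        echo "无效选择: $REPLY" >&2
        ;;
    esac
  done
}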
# Entry point: hand control to the interactive menu (runs until "退出").
Menu