Install and configure OpenVPN on Debian 9 in 5 minutes
How do I set up an OpenVPN server on a Debian Linux 9.x or 8.x server to protect my browsing activity from eavesdroppers on public Wi-Fi and similar untrusted networks?
How do I set up a VPN with OpenVPN on a Debian 9 Stretch Linux server hosted in the AWS cloud?
OpenVPN is free and open-source VPN (virtual private network) software for Debian Linux 9.
It implements OSI layer 2 or layer 3 secure network extension using the SSL/TLS protocol.
A VPN lets you connect securely over an untrusted public network, such as airport or hotel Wi-Fi.
A VPN is also what you need to reach resources on your corporate or home servers.
You can get around geo-blocked websites and gain some privacy or security online.
This tutorial gives step-by-step instructions for configuring an OpenVPN road-warrior server (including the ufw/iptables firewall) on Debian Linux v8.x/9.x.
Set up OpenVPN on Debian 9 in 5 minutes
The steps are:
- Find and note your public IP address
- Update the system and install the ufw firewall
- Download the openvpn-install.sh script
- Run openvpn-install.sh to install the OpenVPN server
- Connect to the OpenVPN server with an iOS/Android/Linux/Windows client
- Verify your connection
Step 1: find your public IP address
Use any of the following commands to find your public IPv4 address.
If your interface is named eth0 or eth1, type the ip command:
$ ip addr show eth0
or
$ ip addr show eth1
On a cloud instance that sits behind NAT (an AWS EC2 instance, for example, sees only its private address on eth0), ip addr will not show the public address. In that case use the host command or dig command, which ask an external resolver what address your packets arrive from:
$ host myip.opendns.com resolver1.opendns.com
or
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Note the public IP address, 104.237.156.154 in this example. This is the public IP address of your OpenVPN server.
Step 2: update the system and install ufw
Run the apt-get command/apt command to update the system:
$ sudo apt-get update
$ sudo apt-get upgrade
Sample output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libc-bin libc-l10n libc6 libexpat1 linux-image-4.9.0-3-amd64 locales multiarch-support
7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 46.6 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://security.debian.org/debian-security stretch/updates/main amd64 libc6 amd64 2.24-11+deb9u1 [2,695 kB]
Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 libc-bin amd64 2.24-11+deb9u1 [778 kB]
Get:3 http://security.debian.org/debian-security stretch/updates/main amd64 multiarch-support amd64 2.24-11+deb9u1 [200 kB]
Get:4 http://security.debian.org/debian-security stretch/updates/main amd64 libc-l10n all 2.24-11+deb9u1 [820 kB]
Get:5 http://security.debian.org/debian-security stretch/updates/main amd64 locales all 2.24-11+deb9u1 [3,290 kB]
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 libexpat1 amd64 2.2.0-2+deb9u1 [83.4 kB]
Get:7 http://security-cdn.debian.org stretch/updates/main amd64 linux-image-4.9.0-3-amd64 amd64 4.9.30-2+deb9u2 [38.7 MB]
Fetched 46.6 MB in 2s (15.5 MB/s)
Reading changelogs... Done
Preconfiguring packages ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ...
Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc6:amd64 (2.24-11+deb9u1) ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ...
Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ...
Setting up libc-bin (2.24-11+deb9u1) ...
Updating /etc/nsswitch.conf to current default.
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ...
Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ...
Setting up multiarch-support (2.24-11+deb9u1) ...
(Reading database ... 28439 files and directories currently installed.)
Preparing to unpack .../libc-l10n_2.24-11+deb9u1_all.deb ...
Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../locales_2.24-11+deb9u1_all.deb ...
Unpacking locales (2.24-11+deb9u1) over (2.24-11) ...
Preparing to unpack .../libexpat1_2.2.0-2+deb9u1_amd64.deb ...
Unpacking libexpat1:amd64 (2.2.0-2+deb9u1) over (2.2.0-2) ...
Preparing to unpack .../linux-image-4.9.0-3-amd64_4.9.30-2+deb9u2_amd64.deb ...
Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) over (4.9.30-2) ...
Setting up libexpat1:amd64 (2.2.0-2+deb9u1) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Setting up libc-l10n (2.24-11+deb9u1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
done
Setting up locales (2.24-11+deb9u1) ...
Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.
If a new Linux kernel was installed (the linux-image package above), reboot the box so it actually runs the patched kernel.
Run the following reboot command:
$ sudo reboot
Install ufw (Uncomplicated Firewall)
Run a firewall alongside the OpenVPN server on Debian 9 to protect and harden it.
To install ufw on Debian 9/8, run the following apt-get command/apt command:
$ sudo apt-get install ufw
Open only the ports you actually need. SSH (port 22) must be allowed before you enable the firewall or you will lock yourself out of the server; 80 and 443 are needed only if this host also serves web traffic:
$ sudo ufw allow 22
$ sudo ufw allow 80
$ sudo ufw allow 443
Enable the firewall, run:
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Verify the firewall rules:
$ sudo ufw status
Sample output:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
How to set up the OpenVPN server on Debian 9
We will use the easy-to-use openvpn-install.sh script to set up the OpenVPN server.
Step 3: download the openvpn-install.sh script
Run the following wget command (git.io is GitHub's short-link service; the output below shows it redirecting to the raw script in the Nyr/openvpn-install repository, and you can fetch that raw.githubusercontent.com URL directly if the short link ever stops resolving):
$ wget https://git.io/vpn -O openvpn-install.sh
Sample output:
--2019-03-08 16:39:32--  https://git.io/vpn
Resolving git.io (git.io)... 52.73.9.93, 52.73.94.166, 52.7.169.168, ...
Connecting to git.io (git.io)|52.73.9.93|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-03-08 16:39:33--  https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.8.133
Connecting to raw.github.com (raw.github.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2019-03-08 16:39:34--  https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.8.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.8.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14712 (14K) [text/plain]
Saving to: 'openvpn-install.sh'

openvpn-install.sh  100%[====================================- ]  14.37K  --.-KB/s    in 0.04s

2019-03-08 16:39:34 (338 KB/s) - 'openvpn-install.sh' saved [14712/14712]
You are about to run this script as root, so read it before you run it (it installs packages, generates the CA, server and client keys, and writes firewall rules) and keep the copy you reviewed so you can tell whether a later download differs. Then run openvpn-install.sh to install and configure the OpenVPN server for you:
$ sudo bash openvpn-install.sh
When prompted, confirm the IP address 104.237.156.154 (replace it with your actual IP address) and choose port 1194 (or 443 if this host does not run a web server; restrictive networks are less likely to block it).
Choose the DNS resolvers the VPN clients will use, for example Google or OpenDNS. The choice is pushed to the clients, so their DNS lookups also travel through the tunnel.
Next, enter a client name (for example iPhone, Nexus6, LinuxRouter, BackupServer).
Finally, press [Enter] to install and set up OpenVPN on the system:
(Screenshot: setting up OpenVPN on my Debian 9 server)
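Because the installer runs with root privileges, the one check worth automating is that the file you execute is the file you reviewed. The shell snippet below is an added example, not part of this tutorial or of the Nyr/openvpn-install project: it pins the SHA-256 of the reviewed script and refuses to run anything else. The pinned hash is computed from a constructed stand-in file so the example runs offline; in real use you would record the hash of openvpn-install.sh after reading it. It assumes sha256sum (GNU coreutils) is on the PATH; use sha256 on FreeBSD or shasum -a 256 on macOS.

```shell
#!/bin/sh
# Added example (not from the tutorial or the Nyr/openvpn-install project):
# only run a downloaded installer if its SHA-256 matches the hash you pinned
# after reviewing it. Assumes sha256sum (GNU coreutils) is available.

# sha256_of FILE -> prints the hex SHA-256 of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_script FILE EXPECTED_SHA256 -> exit 0 if the hash matches, 1 otherwise
verify_script() {
    vs_actual=$(sha256_of "$1")
    if [ "$vs_actual" = "$2" ]; then
        return 0
    fi
    printf 'REFUSING to run %s: hash mismatch\n  expected %s\n  actual   %s\n' \
        "$1" "$2" "$vs_actual" >&2
    return 1
}

# run_if_verified FILE EXPECTED_SHA256 -> runs the script as root only after it verifies.
# Real use:  run_if_verified openvpn-install.sh <hash you recorded after reading it>
run_if_verified() {
    verify_script "$1" "$2" || return 1
    sudo bash "$1"
}

# ---- Constructed demo: hypothetical files, so nothing real is executed ----
demo_dir=$(mktemp -d)
reviewed="$demo_dir/openvpn-install.sh"
printf '#!/bin/bash\necho "stand-in installer, does nothing"\n' > "$reviewed"
pinned=$(sha256_of "$reviewed")      # stands in for the hash you wrote down after review

# A re-download that differs by a single byte must be rejected
tampered="$demo_dir/openvpn-install.sh.new"
cp "$reviewed" "$tampered"
printf '\n' >> "$tampered"

verify_script "$reviewed" "$pinned" && echo "reviewed copy: OK"
verify_script "$tampered" "$pinned" 2>/dev/null || echo "tampered copy: rejected"
```

The hash is only as good as the review behind it: record it once you have read the script, and re-review before re-pinning whenever a new download fails the check.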
That's it.
Your OpenVPN server is configured and ready to use.
The script also added its firewall rules to /etc/rc.local; view them with the cat command:
$ cat /etc/rc.local
Sample output:
#!/bin/sh -e
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 104.237.156.154
exit 0
These rules accept incoming UDP on port 1194 (the OpenVPN port), allow forwarding for the 10.8.0.0/24 VPN subnet, and SNAT the clients' traffic to the server's public address 104.237.156.154 so replies come back through the server. They are inserted with -I, which puts them ahead of ufw's chains when rc.local runs at boot; that is why 1194/udp was not opened in ufw above. If the server's public address ever changes, the SNAT rule has to change with it.
You can view the openvpn server configuration file generated by the script as follows (do not edit this file by hand; the script manages it):
$ sudo more /etc/openvpn/server.conf
$ sudo vi -M /etc/openvpn/server.conf
Sample output:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 173.230.155.5"
push "dhcp-option DNS 173.255.212.5"
push "dhcp-option DNS 173.255.219.5"
push "dhcp-option DNS 173.255.241.5"
push "dhcp-option DNS 173.255.243.5"
push "dhcp-option DNS 173.255.244.5"
push "dhcp-option DNS 173.230.145.5"
push "dhcp-option DNS 173.230.147.5"
push "dhcp-option DNS 74.207.241.5"
push "dhcp-option DNS 74.207.242.5"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
A few lines in this generated file matter for security. tls-auth ta.key 0 makes the server drop control-channel packets that are not signed with the pre-shared key, auth SHA512 sets the HMAC, user nobody/group nogroup drop root after start-up, and crl-verify crl.pem is what makes revoking a client through the script effective: keep all of them. Two settings are weaker than current OpenVPN guidance. comp-lzo enables compression of the encrypted stream, which the 2018 VORACLE research showed can let an attacker who injects known plaintext (a plain-HTTP page, for example) recover secrets; the OpenVPN project now recommends running without compression on both server and clients. cipher AES-256-CBC is sound but not an AEAD cipher; AES-256-GCM, supported since OpenVPN 2.4 (the version Debian 9 ships), is the preferred choice.
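To make that hardening review repeatable, here is an added shell example (not part of the tutorial or of the Nyr script) that greps an OpenVPN server configuration for the settings just discussed: compression enabled, a non-AEAD cipher, a weak or missing HMAC, no tls-auth/tls-crypt, no privilege drop, no CRL and no TLS version floor. It runs against a copy of the generated server.conf above, embedded here with only one DNS push line kept, and against a hardened variant; both inputs are constructed for the example, and the function names and warning format are the example's own.

```shell
#!/bin/sh
# Added example: a quick hardening audit of an OpenVPN server configuration.
# Not part of the tutorial or of openvpn-install.sh; the checks reflect current
# OpenVPN guidance (no compression, AEAD cipher, tls-auth/tls-crypt, CRL, privilege drop).

# has CONF REGEX -> true if some line of CONF starts with REGEX
has() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# audit_openvpn_conf CONF -> prints one WARN line per finding to stderr,
# and the number of findings to stdout
audit_openvpn_conf() {
    ac_conf="$1"
    ac_n=0
    warn() { ac_n=$((ac_n + 1)); printf 'WARN: %s\n' "$1" >&2; }

    # comp-lzo / compress <algo>: compression of encrypted traffic (VORACLE)
    if has "$ac_conf" '(comp-lzo|compress[[:space:]]+(lzo|lz4|lz4-v2))'; then
        warn "compression enabled; remove comp-lzo/compress on server and clients"
    fi
    # CBC ciphers rely on a separate HMAC; prefer an AEAD cipher
    if has "$ac_conf" 'cipher[[:space:]]+[A-Za-z0-9-]*-CBC'; then
        warn "CBC cipher configured; prefer AES-256-GCM"
    fi
    # weak or missing HMAC
    if has "$ac_conf" 'auth[[:space:]]+(MD5|SHA1)$' || ! has "$ac_conf" 'auth[[:space:]]'; then
        warn "auth is missing or weak; use SHA256 or stronger"
    fi
    # control-channel hardening against unauthenticated packets
    if ! has "$ac_conf" '(tls-auth|tls-crypt)[[:space:]]'; then
        warn "no tls-auth/tls-crypt key; control channel is exposed to any sender"
    fi
    # drop root after start-up
    if ! has "$ac_conf" 'user[[:space:]]' || ! has "$ac_conf" 'group[[:space:]]'; then
        warn "no user/group directive; daemon keeps root privileges"
    fi
    # without a CRL a revoked client certificate still authenticates
    if ! has "$ac_conf" 'crl-verify[[:space:]]'; then
        warn "no crl-verify; revoked client certificates remain valid"
    fi
    # refuse TLS 1.0/1.1 clients
    if ! has "$ac_conf" 'tls-version-min[[:space:]]+1\.[2-9]'; then
        warn "no tls-version-min 1.2; older TLS versions are accepted"
    fi
    echo "$ac_n"
}

# ---- Constructed inputs: the generated config from above (trimmed) and a hardened one ----
generated=$(mktemp)
cat > "$generated" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 173.230.155.5"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
crl-verify crl.pem
EOF

hardened=$(mktemp)
# Same file with compression removed, an AEAD cipher and a TLS floor added
grep -v '^comp-lzo' "$generated" | sed 's/^cipher AES-256-CBC/cipher AES-256-GCM/' > "$hardened"
printf 'tls-version-min 1.2\n' >> "$hardened"

echo "generated server.conf: $(audit_openvpn_conf "$generated" 2>/dev/null) finding(s)"   # 3
echo "hardened server.conf:  $(audit_openvpn_conf "$hardened" 2>/dev/null) finding(s)"    # 0
```

Run it as audit_openvpn_conf /etc/openvpn/server.conf on the real file; the three findings on the generated config are the comp-lzo line, the CBC cipher and the missing TLS floor. Remember that compression is negotiated per connection, so the comp-lzo line in each client's .ovpn has to go as well.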
How do I start/stop/restart the OpenVPN server on Debian Linux 9.x/8.x?
To stop the OpenVPN service, run:
$ sudo systemctl stop openvpn@server
To start the OpenVPN service, run:
$ sudo systemctl start openvpn@server
To restart the OpenVPN service, run:
$ sudo systemctl restart openvpn@server
Step 4: client configuration
On the server you will find a client configuration file named ~/macos-vpn-client.ovpn (named after the client you entered in step 3).
All you have to do is copy it to your local desktop with scp and hand it to your OpenVPN client. The file embeds the CA certificate, the client's certificate and private key and the tls-auth key, so treat it as a secret: move it only over SSH and generate a separate file per device with the script instead of sharing one.
$ scp user@104.237.156.154:~/macos-vpn-client.ovpn .
Replace user with your login name on the server.
Next, download the OpenVPN client for your operating system:
- Apple iOS OpenVPN app
- Google Android mobile OpenVPN app
- Apple macOS (OS X) OpenVPN client
- MS-Windows 7/8/10 OpenVPN client
macOS/OS X OpenVPN client configuration
First install the OpenVPN client for macOS (Tunnelblick).
Next, double-click the macos-vpn-client.ovpn file. It opens in your Tunnelblick client; click "Only Me" to install the configuration for your account only.
(Screenshot: macOS/OS X OpenVPN client configuration)
After installation, click the "Connect" button and you are online.
On the macOS client, verify that your public IP has changed to the VPN server's IP (type the following on a Linux/Unix/macOS desktop):
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Sample output:
"104.237.156.154"
You can also ping the OpenVPN server's private address on the tunnel:
$ ping 10.8.0.1
Sample output:
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=64 time=287.760 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=283.046 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=278.271 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=283.679 ms
^C
--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 278.271/283.189/287.760/3.367 ms
Linux OpenVPN client configuration
Install the openvpn client on RHEL/CentOS Linux with the yum command:
$ sudo yum install openvpn
Or install the openvpn client on Debian/Ubuntu Linux with the apt command:
$ sudo apt install openvpn
Next, copy macos-vpn-client.ovpn into place as client.conf:
$ sudo cp macos-vpn-client.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/client.conf
To have the Linux box connect automatically when it reboots, run it as a service. On systems that use the /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn start
On systemd-based systems use the following command (the unit name openvpn@client comes from the file name /etc/openvpn/client.conf; enable the unit as well if you want it started at boot):
$ sudo systemctl start openvpn@client
Test connectivity:
$ ping 10.8.0.1   # Ping the OpenVPN server gateway
$ ip route        # Make sure routing is set up
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com   # Make sure your public IP is now the OpenVPN server's
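The three checks above (ping, ip route, dig) are the right ones, but "make sure routing is set up" is easy to misjudge. With push "redirect-gateway def1" the server does not replace the client's default route: it adds two more-specific routes, 0.0.0.0/1 and 128.0.0.0/1, via the tunnel, plus a host route to the VPN server's public address via the original gateway so that the tunnel packets themselves do not loop into the tunnel. The shell functions below, an added example that is not part of the tutorial, test ip route output for exactly that pattern and compare the address dig reports with the server's address. The sample route tables are constructed for the example; live_check runs the real commands and is only executed when you call it yourself.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify that a road-warrior client really
# sends all traffic through the tunnel after "redirect-gateway def1".

# tunnel_routes_ok ROUTES TUN_IF SERVER_IP
#   ROUTES is the text of `ip route` (Linux format). Succeeds only if both def1
#   halves (0.0.0.0/1 and 128.0.0.0/1) go via TUN_IF and the host route to
#   SERVER_IP goes via some other interface.
tunnel_routes_ok() {
    tr_routes="$1"; tr_if="$2"; tr_server="$3"
    printf '%s\n' "$tr_routes" | grep -Eq "^0\.0\.0\.0/1 .* dev $tr_if( |\$)" || return 1
    printf '%s\n' "$tr_routes" | grep -Eq "^128\.0\.0\.0/1 .* dev $tr_if( |\$)" || return 1
    # the VPN endpoint needs its own route that bypasses the tunnel, or the tunnel loops
    printf '%s\n' "$tr_routes" | grep -E "^$tr_server " | grep -q " dev " || return 1
    printf '%s\n' "$tr_routes" | grep -E "^$tr_server " | grep -q " dev $tr_if" && return 1
    return 0
}

# egress_ip_matches DIG_OUTPUT SERVER_IP
#   dig +short prints the TXT record in double quotes; strip them and compare.
egress_ip_matches() {
    em_seen=$(printf '%s' "$1" | tr -d '"')
    [ "$em_seen" = "$2" ]
}

# live_check SERVER_IP [TUN_IF]: run the real commands on this client
live_check() {
    lc_if="${2:-tun0}"
    tunnel_routes_ok "$(ip route)" "$lc_if" "$1" \
        || { echo "FAIL: traffic is not routed via $lc_if" >&2; return 1; }
    egress_ip_matches "$(dig TXT +short o-o.myaddr.l.google.com @ns1.google.com)" "$1" \
        || { echo "FAIL: public address is not $1" >&2; return 1; }
    echo "OK: all traffic leaves via the VPN ($1)"
}

# ---- Constructed samples: what `ip route` looks like after and before connecting ----
SERVER=104.237.156.154
ROUTES_UP='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
104.237.156.154 via 192.168.1.1 dev wlan0
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600'
ROUTES_DOWN='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600'

tunnel_routes_ok "$ROUTES_UP" tun0 "$SERVER" && echo "sample (connected): routed via tun0"
tunnel_routes_ok "$ROUTES_DOWN" tun0 "$SERVER" || echo "sample (disconnected): not routed via tun0"
egress_ip_matches '"104.237.156.154"' "$SERVER" && echo "sample dig output matches server"
```

On a connected Linux client run live_check 104.237.156.154 (add the interface name as a second argument if it is not tun0). The parser expects the Linux ip route format; the netstat -nr output of the macOS and FreeBSD clients below prints routes differently and is not handled here.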
FreeBSD OpenVPN client configuration
First, install the openvpn client:
$ sudo pkg install openvpn
Next, copy macos-vpn-client.ovpn into place as client.conf (both steps need root):
$ sudo mkdir -p /usr/local/etc/openvpn/
$ sudo cp macos-vpn-client.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
Start the OpenVPN service:
$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:
$ ping 10.8.0.1   # Ping the OpenVPN server gateway
$ netstat -nr     # Make sure routing is set up
$ drill myip.opendns.com @resolver1.opendns.com   # Make sure your public IP is now the OpenVPN server's