How to set up an OpenVPN server on Ubuntu Linux in 5 minutes
How do I set up an OpenVPN server on an Ubuntu Linux version 14.04 or 16.04/18.04 LTS server to protect my browsing activity from malicious software and other threats on public Wi-Fi?
OpenVPN is a full-featured SSL VPN (virtual private network).
It implements OSI layer 2 or layer 3 secure network extension using the SSL/TLS protocol.
It is open source software distributed under the GNU GPL.
A VPN lets you connect securely to an insecure public network, such as the Wi-Fi at an airport or hotel.
A VPN is also needed to reach resources on your corporate, enterprise or home server.
You can bypass geo-blocked websites and gain privacy or security online.
This tutorial gives step-by-step instructions for configuring an OpenVPN road warrior server on Ubuntu Linux v14.04/16.04/18.04 LTS (and 19.10), including the ufw/iptables firewall configuration.
The steps are as follows:
- Find and note down your public IP address
- Download the openvpn-install.sh script
- Run openvpn-install.sh to install the OpenVPN server
- Connect to the OpenVPN server with an iOS/Android/Linux/Windows client
- Verify your connection
Find your public IP address
Use any of the following commands to find your public IPv4 address.
If your interface name is eth0 or eth1, run:
$ ip addr show eth0
Or
$ ip addr show eth1
Or use the host command or the dig command as follows:
$ host myip.opendns.com resolver1.opendns.com
Or
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
Note down the public IP address 139.59.1.155; it is the public IP address of your OpenVPN server.
Download the openvpn-install.sh script to set up an OpenVPN server on Ubuntu in 5 minutes
Run the following wget command or curl command:
$ wget https://git.io/vpn -O openvpn-install.sh
Sample outputs:
--2016-07-25 17:17:22-- https://git.io/vpn
Resolving git.io (git.io)... 52.3.63.2, 52.44.230.61, 52.4.95.48, ...
Connecting to git.io (git.io)|52.3.63.2|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2016-07-25 17:17:22-- https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.github.com (raw.github.com)... 151.101.48.133
Connecting to raw.github.com (raw.github.com)|151.101.48.133|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following]
--2016-07-25 17:17:22-- https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.48.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.48.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14196 (14K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh 100%[===================================>] 13.86K --.-KB/s in 0s

2016-07-25 17:17:22 (39.0 MB/s) - ‘openvpn-install.sh’ saved [14196/14196]
Run openvpn-install.sh to install the OpenVPN server
Run the following command:
$ sudo bash openvpn-install.sh
When prompted, set the IP address to 139.59.1.155 and the port to 1194.
Use Google or OpenDNS DNS servers with the VPN.
Next, enter a client name (for example iPhone, Nexus6, LinuxRouter and so on).
Finally, press [Enter] to install and set up OpenVPN on your system:
(Screenshot: setting up the OpenVPN server on an Ubuntu Linux server v16.04 LTS)
The script will now generate the keys, DH parameters and more, as follows:
Okay, that was all I needed. We are ready to setup your OpenVPN server now
Press any key to continue...
Get:1 http://security.ubuntu.com ......
... ..
--2015-06-27 17:10:38-- https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
Resolving github.com (github.com)... 192.30.252.120
Connecting to github.com (github.com)|192.30.252.120|:443... connected.
HTTP request sent, awaiting response... 302 Found
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Generating a 2048 bit RSA private key
.........+++
.........+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/iphone.key.lokNfOiobc'
----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'iphone'
Certificate is to be certified until Jun 25 11:55:48 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

Looks like your server is behind a NAT!

If your server is NATed (e.g. LowEndSpirit), I need to know the external IP
If that's not the case, just ignore this and leave the next field blank
External IP:
Your OpenVPN server is configured and ready to use.
You can see the firewall rules that the script added to the /etc/rc.local file:
$ cat /etc/rc.local
Sample outputs:
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 139.59.1.155
You can view the OpenVPN server configuration file generated by the script as follows (do not edit this file by hand):
$ sudo more /etc/openvpn/server.conf
$ sudo vi /etc/openvpn/server.conf
Sample outputs:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
How do I start/stop/restart the OpenVPN server on Ubuntu Linux 16.04/18.04 LTS?
Run the following command to stop the OpenVPN service:
$ sudo systemctl stop openvpn@server
Run the following command to start the OpenVPN service:
$ sudo systemctl start openvpn@server
Run the following command to restart the OpenVPN service:
$ sudo systemctl restart openvpn@server
How do I start/stop/restart the OpenVPN server on Ubuntu Linux 14.04 LTS?
Run the following command to stop the OpenVPN service:
$ sudo /etc/init.d/openvpn stop
Run the following command to start the OpenVPN service:
$ sudo /etc/init.d/openvpn start
Run the following command to restart the OpenVPN service:
$ sudo /etc/init.d/openvpn restart
How to configure and use ufw firewall rules for the OpenVPN server
The default rules added to the /etc/rc.local file should work out of the box.
However, if you have a complex firewall setup, or want to control all firewall settings on your Ubuntu Linux server with ufw, try the following.
First, edit the /etc/rc.local file with a text editor and comment out all the firewall rules the script added.
Run the following ufw commands to open ports 1194 (OpenVPN) and 22 (ssh):
$ sudo ufw allow 1194/udp
$ sudo ufw allow 22/tcp
Edit the file /etc/ufw/before.rules, run:
$ sudo vi /etc/ufw/before.rules
Add the following rules at the top of the file:
# START OPENVPN RULES by vg
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
#****************************************[README]*****************************************************#
# Allow traffic from OpenVPN client to 139.59.1.155. Replace 139.59.1.155 with your actual IP address*#
#****************************************[README]*****************************************************#
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 139.59.1.155
COMMIT
# END OPENVPN RULES by vg
Next, scroll down and find the following comment:
# ok icmp code for FORWARD
Append the following rules after it:
#OpenVPN Forward by vg
-A ufw-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -s 10.8.0.0/24 -j ACCEPT
-A ufw-before-forward -i tun+ -j ACCEPT
-A ufw-before-forward -i tap+ -j ACCEPT
#OpenVPN END by vg
Save and close the file.
Next, edit the /etc/ufw/sysctl.conf file, run:
$ sudo vi /etc/ufw/sysctl.conf
Find and uncomment the following line to allow this host to route packets between interfaces:
net/ipv4/ip_forward=1
Save and close the file.
Enable ufw, or reload it if it is already running:
$ sudo ufw enable
Or
$ sudo ufw reload
Verify the new firewall rules:
$ sudo ufw status
$ sudo iptables -t nat -L -n -v
$ sudo iptables -L FORWARD -n -v
$ sudo iptables -L ufw-before-forward -n -v
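The before.rules edit above is easy to get wrong or to apply twice. As an added example (not code from the article or from the openvpn-install script), the following POSIX shell snippet builds the *nat block for a given public IP and prepends it to a rules file only if the marker line is not already there; the file path and IP are parameters so you can try it on a scratch copy before touching /etc/ufw/before.rules, and the forward rules still go in by hand as described.

```shell
#!/bin/sh
# Added example, not the article's or the script's code: manage the *nat block
# that the ufw section puts at the top of /etc/ufw/before.rules.
set -eu

VPN_SUBNET="10.8.0.0/24"   # same subnet as "server 10.8.0.0 255.255.255.0" in server.conf

# Print the NAT block for the given public IP (the article uses 139.59.1.155).
nat_block() {
    cat <<EOF
# START OPENVPN RULES by vg
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out via $1
-A POSTROUTING -s ${VPN_SUBNET} -j SNAT --to-source $1
COMMIT
# END OPENVPN RULES by vg
EOF
}

# True when the marker is already in the file, so a repeat run changes nothing.
has_nat_block() {
    grep -q '^# START OPENVPN RULES by vg$' "$1"
}

# Prepend the block to the rules file unless it is already there.
# Usage: install_nat_block /etc/ufw/before.rules 139.59.1.155
install_nat_block() {
    rules_file=$1
    public_ip=$2
    case "$public_ip" in
        ""|*[!0-9.]*) echo "refusing: '$public_ip' is not an IPv4 address" >&2; return 1 ;;
    esac
    if has_nat_block "$rules_file"; then
        return 0
    fi
    tmp=$(mktemp)
    { nat_block "$public_ip"; cat "$rules_file"; } > "$tmp"
    cat "$tmp" > "$rules_file"   # write in place to keep the file's owner and mode
    rm -f "$tmp"
}
```

After running it against the real file, `sudo ufw reload` and the iptables listings above show whether the SNAT rule is active.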
Client configuration
On the server you will find a client configuration file named ~/iphone.ovpn.
All you have to do is copy this file to your local desktop with scp and provide it to your OpenVPN client to connect:
$ scp root@139.59.1.155:~/iphone.ovpn .
Next, you need to download the OpenVPN client for your operating system:
- Download the OpenVPN client for Apple iOS version 6.x or later and install it.
- Download the OpenVPN client for Android and install it.
- Download the OpenVPN client for Apple macOS (OS X) and install it.
- Download the OpenVPN client for Windows 8/10 and install it.
macOS/OS X OpenVPN client configuration
Simply double-click the iphone.ovpn file; it will open in your Tunnelblick client > click "Only Me".
(Screenshot: macOS/OS X OpenVPN client configuration)
Once installed, click the "Connect" button and you will be online.
Use the following command on the macOS client to verify that your public IP has changed to the VPN server IP:
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
You can ping the OpenVPN server's private IP:
$ ping 10.8.0.1
Linux OpenVPN client configuration
First, install the openvpn client, run:
$ sudo yum install openvpn
Or
$ sudo apt install openvpn
Next, copy iphone.ovpn as follows:
$ sudo cp iphone.ovpn /etc/openvpn/client.conf
Test connectivity from the CLI:
$ sudo openvpn --client --config /etc/openvpn/client.conf
Your Linux system will connect automatically when the machine reboots, using the /etc/init.d/openvpn script:
$ sudo /etc/init.d/openvpn start
For systemd-based systems, use the following command:
$ sudo systemctl start openvpn@client
Test connectivity:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway
$ ip route #Make sure routing is set up
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Make sure your public IP is set to the OpenVPN server
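The ip route and dig checks above can be scripted. This added example (not from the article) reads `ip route` output and confirms that the two half-routes installed by the server's push "redirect-gateway def1 bypass-dhcp" (0.0.0.0/1 and 128.0.0.0/1 via 10.8.0.1 on a tun device) are present, and compares the externally observed address with the server's 139.59.1.155; the two route tables are constructed samples.

```shell
#!/bin/sh
# Added example, not the article's code: verify on a Linux client that the
# routes pushed by "redirect-gateway def1" are in place, and that the public
# address seen from outside is the server's.
VPN_GW="10.8.0.1"   # server-side tun address, first host of "server 10.8.0.0 255.255.255.0"

# def1 does not replace the default route; it adds 0.0.0.0/1 and 128.0.0.0/1
# via the VPN gateway, which beat the /0 default by prefix length. Read
# `ip route` text on stdin and succeed only if both halves go via VPN_GW on a
# tun device.
redirect_gateway_ok() {
    awk -v gw="$VPN_GW" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && $2 == "via" && $3 == gw {
            for (i = 4; i < NF; i++) if ($i == "dev" && $(i + 1) ~ /^tun/) seen[$1] = 1
        }
        END { ok = ("0.0.0.0/1" in seen) && ("128.0.0.0/1" in seen); exit !ok }'
}

# Compare the address reported by the dig lookup above (a quoted TXT record)
# with the server address. Usage:
#   public_ip_matches 139.59.1.155 "$(dig TXT +short o-o.myaddr.l.google.com @ns1.google.com)"
public_ip_matches() {
    observed=$(printf '%s' "$2" | tr -d '"')
    [ "$observed" = "$1" ]
}

# Constructed sample of `ip route` after a successful connect: both halves go
# through tun0, the original default stays, and the server itself is reached
# via the LAN gateway so tunnel packets do not loop back into the tunnel.
SAMPLE_CONNECTED='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
139.59.1.155 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

# Constructed sample where the tunnel is up but no redirect was applied, so
# ordinary traffic still leaves over eth0.
SAMPLE_LEAKING='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

# Live check on a client:  ip route | redirect_gateway_ok && echo "default route is the VPN"
```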
FreeBSD OpenVPN client configuration
First, install the openvpn client, run:
$ sudo pkg install openvpn
Next, copy iphone.ovpn as follows:
$ sudo mkdir -p /usr/local/etc/openvpn/
$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf
Edit /etc/rc.conf and add the following:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
Start the OpenVPN service:
$ sudo /usr/local/etc/rc.d/openvpn start
Verify it:
$ ping 10.8.0.1 #Ping to OpenVPN server gateway
$ netstat -nr #Make sure routing is set up
$ drill myip.opendns.com @resolver1.opendns.com #Make sure your public IP is set to the OpenVPN server
How do I add a new client?
For demonstration purposes, I added a new device named iphone.
Let us run the script again to add one more device named googlephone:
$ sudo bash openvpn-install.sh
Sample outputs:
Looks like OpenVPN is already installed

What do you want to do?
   1) Add a cert for a new user
   2) Revoke existing user cert
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:
Select option 1 and enter googlephone as the client name:
Tell me a name for the client cert
Please, use one word only, no special characters
Client name: googlephone
Generating a 2048 bit RSA private key
.........+++
.................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/googlephone.key.FNaDMaP56c'
----
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'googlephone'
Certificate is to be certified until Sep 25 07:31:46 2027 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Client googlephone added, certs available at ~/googlephone.ovpn
You can now use googlephone.ovpn with your Google Android phone.
You can add as many users as you want using this method.
How do I remove/revoke an existing user certificate?
Run the script:
$ sudo bash openvpn-install.sh
Sample outputs:
Looks like OpenVPN is already installed

What do you want to do?
   1) Add a cert for a new user
   2) Revoke existing user cert
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:
Enter option 2 and you will see a list of all existing client certificates that can be revoked:
Select the existing client certificate you want to revoke
   1) iphone6
   2) googlephone
   3) delllaptop
   4) macbook
Select one client [1-4]: 2
Sample outputs when revoking the googlephone certificate:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
Revoking Certificate 09.
Data Base Updated
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

Certificate for client googlephone revoked
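OpenVPN evaluates crl.pem when a TLS session is established or renegotiated (hourly by default), so a client that is already connected keeps its session until then; restart the service if it must be cut off at once. This added example (not part of the article or the script) checks what the easy-rsa database actually records after the revocation above: it reads the PKI's index.txt (the file behind "Data Base Updated") for entries marked R and lists the serials in the CRL text; the index content is a constructed sample and the paths are assumed to be those printed by the script.

```shell
#!/bin/sh
# Added example, not the article's or the script's code: read the easy-rsa
# database (index.txt) and the CRL text to see which client certificates are
# recorded as revoked. Paths follow the script's output; the sample index is
# constructed.
PKI_DIR=/etc/openvpn/easy-rsa/pki   # assumed: the directory the script reported crl.pem in

# index.txt is tab separated: status (V valid, R revoked, E expired), expiry,
# revocation time (set only for R), serial, filename, subject DN.
# Read index.txt on stdin and print "serial CN" for each revoked entry.
revoked_clients() {
    awk -F'\t' '$1 == "R" { cn = $6; sub(/.*\/CN=/, "", cn); print $4, cn }'
}

# Succeed only if the named client is recorded as revoked (index.txt on stdin).
is_revoked() {
    revoked_clients | awk -v want="$1" '$2 == want { found = 1 } END { exit !found }'
}

# Serials listed in `openssl crl -in crl.pem -noout -text` output on stdin; the
# serial from the revocation above ("Revoking Certificate 09.") should appear.
crl_serials() {
    awk '/Serial Number:/ { print $3 }'
}

# Constructed index.txt matching the article's PKI after revoking googlephone.
sample_index() {
    printf 'V\t260625115548Z\t\t01\tunknown\t/CN=server\n'
    printf 'V\t260625115548Z\t\t02\tunknown\t/CN=iphone\n'
    printf 'R\t270925073146Z\t171001120000Z\t09\tunknown\t/CN=googlephone\n'
}

# Live usage on the server (root is needed to read the PKI):
#   is_revoked googlephone < "$PKI_DIR/index.txt" && echo "googlephone is revoked"
#   openssl crl -in "$PKI_DIR/crl.pem" -noout -text | crl_serials
```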