Task requirements
Tasks on the server RouterSrv
5. OPENVPN
VPN clients may communicate only with the InsideCli client segment, and may additionally access the SAMBA service on the StorageSrv host;
The address range available to VPN clients is 172.16.0.100-172.16.0.120/24.
Allow the OutsideCli client to connect with systemctl start openvpn@csk.
Implementation
Install OpenVPN:
apt install -y openvpn
OpenVPN certificate tooling
Copy EasyRSA (the certificate-generation tool) to /etc/openvpn/. It is not used further on this page, which reuses the package's sample keys; this copy is where a real CA for the deployment would be built.
cp -r /usr/share/easy-rsa /etc/openvpn/
Copy the bundled sample certificate files (note: none of the keys are passphrase-protected). These sample keys ship in every copy of the openvpn package, so anyone who has the package can authenticate to a server that trusts this CA; they are acceptable for this lab only. For a real deployment, build a private CA and per-peer certificates with the EasyRSA copy made above (easyrsa init-pki, build-ca, build-server-full, build-client-full) instead.
Copy all sample certificates and keys into the /etc/openvpn/server directory:
cp /usr/share/doc/openvpn/examples/sample-keys/* /etc/openvpn/server
Decompress the default server.crt and client.crt (Debian ships them gzipped):
cd /etc/openvpn/server/
gzip -d server.crt.gz
gzip -d client.crt.gz
Configure the OpenVPN server
Edit the server configuration file
Copy the template file:
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz
vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca server/ca.crt
cert server/server.crt
key server/server.key # This file should be kept secret; path corrected to match ca/cert/dh above, since the unit runs with --cd /etc/openvpn
dh server/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.100.200 255.255.255.255"
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
In server.conf, the line server 172.16.0.0 255.255.255.0 makes OpenVPN create the tunnel network 172.16.0.0/24 (the server itself takes 172.16.0.1) and hand clients addresses from it. With this line alone the pool is the whole network, not the 172.16.0.100-172.16.0.120 range the task demands; to limit it, use server 172.16.0.0 255.255.255.0 nopool together with topology subnet and ifconfig-pool 172.16.0.100 172.16.0.120 255.255.255.0. Subnet topology is also what gives the client the 172.16.0.100/24 address shown later on this page (the default net30 topology assigns /30 point-to-point pairs instead).
The two push "route ..." lines send clients a route to 192.168.0.0/24 (the InsideCli segment) and to the single host 192.168.100.200 (StorageSrv). A pushed route only tells the client where to send packets; it does not stop the client from reaching anything else that RouterSrv forwards, so the "only" in the task has to be enforced by a filter on RouterSrv's FORWARD path, and net.ipv4.ip_forward must be set to 1 on RouterSrv for any of this to work at all.
client-config-dir is only needed for per-client overrides; if the line is kept, the directory /etc/openvpn/ccd must exist. client-to-client lets VPN clients reach each other inside the OpenVPN process, bypassing the kernel firewall, which is more than the task permits. comp-lzo has been deprecated since OpenVPN 2.4, and compression on an encrypted tunnel enables compression-oracle attacks (VORACLE), so it is better left out. Nothing in this file pushes a DNS server to clients.
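Because pushed routes do not enforce the "only" in the task, RouterSrv needs a forwarding filter. The script below is an added example (not part of the original page and not OpenVPN project code) of an nftables policy that lets VPN clients reach the InsideCli segment and only SMB on StorageSrv, and drops everything else leaving the tunnel. It assumes, as defaults that can be overridden on the command line, that the tunnel interface is tun0, that 192.168.0.0/24 is the InsideCli segment and that 192.168.100.200 is StorageSrv (both taken from the pushed routes above), and that nftables is installed on RouterSrv.

```shell
#!/bin/sh
# Added example, not from the original page: nftables policy for RouterSrv that
# enforces "VPN clients only reach the InsideCli segment and SMB on StorageSrv".
# Assumed defaults (not stated on the page): tun0 is the OpenVPN interface,
# 192.168.0.0/24 is the InsideCli segment, 192.168.100.200 is StorageSrv.

# gen_ovpn_acl [vpn_if] [inside_net] [storage_ip]  -> nft script on stdout
# The policy lives in its own table, which is flushed before being refilled,
# so the script can be re-applied at any time without touching other rules.
# nftables semantics: a drop in any base chain wins, an accept here only
# means "this table has no objection", so 'policy accept' is safe.
gen_ovpn_acl() {
    vpn_if="${1:-tun0}"
    inside_net="${2:-192.168.0.0/24}"
    storage_ip="${3:-192.168.100.200}"
    cat <<EOF
add table inet ovpn_acl
flush table inet ovpn_acl
table inet ovpn_acl {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies for flows that were already permitted, in either direction
        ct state established,related accept
        # VPN clients -> InsideCli segment: any protocol
        iifname "$vpn_if" ip daddr $inside_net accept
        # VPN clients -> StorageSrv: SMB only (445, plus legacy NetBIOS session 139)
        iifname "$vpn_if" ip daddr $storage_ip tcp dport { 139, 445 } accept
        # anything else that leaves the tunnel is counted and dropped
        iifname "$vpn_if" counter drop
    }
}
EOF
}

# Load the policy into the kernel (needs root and the nft binary).
apply_ovpn_acl() {
    gen_ovpn_acl "$@" | nft -f -
}

# Without forwarding neither of the permitted flows works at all.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Command-line entry point: "show" prints the ruleset, "apply" installs it.
case "${1:-show}" in
    show)  gen_ovpn_acl "$2" "$3" "$4" ;;
    apply) enable_forwarding && apply_ovpn_acl "$2" "$3" "$4" ;;
    *)     echo "usage: $0 [show|apply] [vpn_if] [inside_net] [storage_ip]" >&2; exit 2 ;;
esac
```

Run sh ovpn_acl.sh show to review the generated rules and sh ovpn_acl.sh apply on RouterSrv to install them; nft list table inet ovpn_acl afterwards shows the counter on the drop rule climbing whenever a client tries something the task forbids. Traffic between two VPN clients never reaches this chain while client-to-client is in server.conf, which is one more reason to drop that directive.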
Start the OpenVPN service
systemctl start openvpn@server
systemctl enable openvpn@server
Check the OpenVPN server status
root@routersrv:/etc/openvpn# systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled-runtime; vendor preset: enabled)
Active: active (running) since Sat 2021-10-16 10:08:57 CST; 11min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 124566 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 4673)
Memory: 1.9M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─124566 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /
Oct 16 10:08:57 routersrv.chinaskills.cn systemd[1]: Starting OpenVPN connection to server...
Oct 16 10:08:57 routersrv.chinaskills.cn systemd[1]: Started OpenVPN connection to server.
Client side (OutsideCli): install OpenVPN
apt install openvpn -y
Copy the client certificate and key from RouterSrv (81.6.63.254) with scp. Note that this pulls the client's private key out of the VPN server over a root SSH session; normally the key is generated on the client or delivered out of band and is never stored on the server. Here it hardly matters, since the sample key is public anyway.
scp root@81.6.63.254:/etc/openvpn/server/ca.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.key /etc/openvpn/
Edit the client configuration file
Get the client.conf template:
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Rename it to csk.conf; the systemd instance openvpn@csk reads /etc/openvpn/csk.conf:
mv /etc/openvpn/client.conf /etc/openvpn/csk.conf
root@outsitecli:/etc/openvpn# vi csk.conf
client
dev tun
proto udp
remote 81.6.63.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-256-GCM
verb 3
Start the OpenVPN client
systemctl start openvpn@csk
systemctl enable openvpn@csk
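The client setup above copies the CA certificate, client certificate and client key as three separate files and references them from csk.conf. OpenVPN also accepts all three inline in the configuration file, which gives a single profile to hand to OutsideCli. The script below is an added example (not from the original page) that builds such a profile from PEM files; it assumes the server address 81.6.63.254 and port 1194 used on this page as defaults, and keeps only the PEM body of each input, since EasyRSA-issued certificates carry a human-readable dump above the BEGIN line.

```shell
#!/bin/sh
# Added example, not from the original page: assemble a single OpenVPN client
# profile with the CA cert, client cert and client key inlined. The <ca>,
# <cert> and <key> blocks are a standard OpenVPN feature. The server address
# 81.6.63.254:1194 from this page is assumed as the default remote.

# Print only the PEM body of a file: EasyRSA-issued certificates carry a
# human-readable dump above the BEGIN line that has no place in the profile.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_profile CA CERT KEY [REMOTE_HOST] [REMOTE_PORT]  -> profile on stdout
# Fails (return 1) if any of the three input files cannot be read.
build_profile() {
    ca="$1"; cert="$2"; key="$3"
    remote_host="${4:-81.6.63.254}"
    remote_port="${5:-1194}"
    for f in "$ca" "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "build_profile: cannot read $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $remote_host $remote_port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
$(pem_body "$ca")
</ca>
<cert>
$(pem_body "$cert")
</cert>
<key>
$(pem_body "$key")
</key>
EOF
}

# Number of closed inline blocks in a profile; a complete profile has 3.
count_inline_blocks() {
    grep -c -E '^</(ca|cert|key)>$' "$1"
}
```

Run it where the files are, for example (umask 077; build_profile ca.crt client.crt client.key > csk.conf), and install the result as /etc/openvpn/csk.conf on OutsideCli so that systemctl start openvpn@csk picks it up. Because the profile now contains the private key it must stay mode 0600; the umask in the example takes care of that at creation time.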
Check the network state
root@outsitecli:/etc/openvpn# ip add
3685: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 172.16.0.100/24 brd 172.16.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::e55d:44a1:c2f6:df27/64 scope link stable-privacy
valid_lft forever preferred_lft forever
The OpenVPN configuration is now complete.
Client connection test
root@outsitecli:/etc/openvpn# systemctl restart openvpn@csk.service
root@outsitecli:/etc/openvpn# systemctl status openvpn@csk.service
The client service openvpn@csk.service connected to the VPN successfully.
Address obtained by the client. Beyond the address, confirm that the pushed routes arrived (ip route show dev tun0) and that only the permitted destinations answer: TCP 445 on StorageSrv should be reachable, while other ports on StorageSrv and hosts outside the InsideCli segment should not be.
ip addr show | grep 172