OpenVPN:修订间差异
跳到导航
跳到搜索
此页面具有访问限制。如果您看见此消息,则说明您没有权限访问此页面。
(→設定) |
|||
(未显示同一用户的13个中间版本) | |||
第3行: | 第3行: | ||
== 安裝 == | == 安裝 == | ||
<syntaxhighlight lang=" | 先安裝OpenVPN本體,以及使用密碼檔認證的套件。 | ||
sudo apt install -y libpam-pwdfile openvpn | |||
<syntaxhighlight lang="bash"> | |||
sudo apt install -y libpam-pwdfile openvpn; sudo apt clean | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== 設定 == | == 設定 == | ||
* 先產生SSL相關的設定: | * 先產生SSL相關的設定: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 | sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
* 依照[[Dehydrated]]或是其他方式產生出合法 | * 依照[[Dehydrated]]或是其他方式產生出合法 的SSL 憑證。 | ||
* 在<code>/etc/openvpn/server/ | * 在<code>/etc/openvpn/server/vpn.conf</code>內放 (16.04的舊版是<code>/etc/openvpn/server.conf</code>) : | ||
<syntaxhighlight lang="apache"> | <syntaxhighlight lang="apache"> | ||
# | # | ||
第23行: | 第26行: | ||
key /etc/dehydrated/certs/vpn.example.com/privkey.pem | key /etc/dehydrated/certs/vpn.example.com/privkey.pem | ||
dh /etc/ssl/certs/dhparam.pem | dh /etc/ssl/certs/dhparam.pem | ||
server 192.168.254. | server 192.168.254.128 255.255.255.128 | ||
server-ipv6 fda9:4efe:7e3b:03ea::/64 | server-ipv6 fda9:4efe:7e3b:03ea::/64 | ||
push "dhcp-option DNS 8.8.8.8" | push "dhcp-option DNS 8.8.8.8" | ||
第30行: | 第33行: | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
client-cert | verify-client-cert none | ||
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn | plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn | ||
status /var/log/openvpn-status.log | status /var/log/openvpn-status.log | ||
verb 4 | verb 4 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
* 在<code>/etc/pam.d/openvpn</code>設定使用<code>/etc/openvpn/passwd</code>當作認證來源: | * 設定為開機啟動: | ||
<syntaxhighlight lang="bash"> | |||
sudo systemctl enable openvpn-server@vpn | |||
</syntaxhighlight> | |||
* 在<code>/etc/pam.d/openvpn</code>設定使用<code>/etc/openvpn/server/vpn.passwd</code>當作認證來源: | |||
<syntaxhighlight lang="apache"> | <syntaxhighlight lang="apache"> | ||
# | # | ||
auth required pam_pwdfile.so pwdfile=/etc/openvpn/passwd | auth required pam_pwdfile.so pwdfile=/etc/openvpn/server/vpn.passwd | ||
auth required pam_permit.so | auth required pam_permit.so | ||
account required pam_permit.so | account required pam_permit.so | ||
session required pam_permit.so | session required pam_permit.so | ||
password required pam_deny.so | password required pam_deny.so | ||
</syntaxhighlight> | |||
=== iptables === | |||
[[iptables]]有兩個設定,一個是服務本身的防火牆,另外一個是NAT: | |||
<syntaxhighlight lang="bash"> | |||
sudo iptables -A INPUT -p tcp --dport 1194 -j ACCEPT | |||
sudo iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE | |||
</syntaxhighlight> | |||
=== sysctl === | |||
[[sysctl]]需要設定允許forwarding: | |||
<syntaxhighlight lang="bash"> | |||
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-net.conf; sudo sysctl -p /etc/sysctl.d/99-net.conf | |||
</syntaxhighlight> | </syntaxhighlight> | ||
2020年11月29日 (日) 21:22的最新版本
OpenVPN是个VPN软体。
安装
先安装OpenVPN本体,以及使用密码档认证的套件。
sudo apt install -y libpam-pwdfile openvpn; sudo apt clean
设定
- 先产生SSL相关的设定:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
- 依照Dehydrated或是其他方式产生出合法的SSL凭证。
- 在
/etc/openvpn/server/vpn.conf
内放(16.04的旧版是/etc/openvpn/server.conf
):
#
port 1194
proto udp
dev tun
ca /etc/ssl/certs/ca-certificates.crt
cert /etc/dehydrated/certs/vpn.example.com/fullchain.pem
key /etc/dehydrated/certs/vpn.example.com/privkey.pem
dh /etc/ssl/certs/dhparam.pem
server 192.168.254.128 255.255.255.128
server-ipv6 fda9:4efe:7e3b:03ea::/64
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
persist-key
persist-tun
verify-client-cert none
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
status /var/log/openvpn-status.log
verb 4
- 设定为开机启动:
sudo systemctl enable openvpn-server@vpn
- 在
/etc/pam.d/openvpn
设定使用/etc/openvpn/server/vpn.passwd
当作认证来源:
#
auth required pam_pwdfile.so pwdfile=/etc/openvpn/server/vpn.passwd
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so
iptables
iptables有两个设定,一个是服务本身的防火墙,另外一个是NAT:
sudo iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
sysctl
sysctl需要设定允许forwarding:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-net.conf; sudo sysctl -p /etc/sysctl.d/99-net.conf