「OpenVPN」:修訂間差異
跳至導覽
跳至搜尋
本頁面具有訪問限制。如果您看見此訊息,這代表您沒有訪問本頁面的權限。
(→設定) |
|||
| (未顯示同一使用者於中間所作的 14 次修訂) | |||
| 行 3: | 行 3: | ||
== 安裝 == | == 安裝 == | ||
<syntaxhighlight lang=" | 先安裝OpenVPN本體,以及使用密碼檔認證的套件。 | ||
sudo apt install -y libpam-pwdfile openvpn | |||
<syntaxhighlight lang="bash"> | |||
sudo apt install -y libpam-pwdfile openvpn; sudo apt clean | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== 設定 == | == 設定 == | ||
* 先產生SSL相關的設定: | * 先產生SSL相關的設定: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 | sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
* 依照[[Dehydrated]]或是其他方式產生出合法 | * 依照[[Dehydrated]]或是其他方式產生出合法 的SSL 憑證。 | ||
* 在<code>/etc/openvpn/server.conf</code>內放: | * 在<code>/etc/openvpn/server/vpn.conf</code>內放 (16.04的舊版是<code>/etc/openvpn/server.conf</code>) : | ||
<syntaxhighlight lang="apache"> | <syntaxhighlight lang="apache"> | ||
# | # | ||
| 行 23: | 行 26: | ||
key /etc/dehydrated/certs/vpn.example.com/privkey.pem | key /etc/dehydrated/certs/vpn.example.com/privkey.pem | ||
dh /etc/ssl/certs/dhparam.pem | dh /etc/ssl/certs/dhparam.pem | ||
server 192.168.254. | server 192.168.254.128 255.255.255.128 | ||
server-ipv6 fda9:4efe:7e3b:03ea::/64 | server-ipv6 fda9:4efe:7e3b:03ea::/64 | ||
push "dhcp-option DNS 8.8.8.8" | push "dhcp-option DNS 8.8.8.8" | ||
| 行 30: | 行 33: | ||
persist-key | persist-key | ||
persist-tun | persist-tun | ||
client-cert | verify-client-cert none | ||
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn | plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn | ||
status /var/log/openvpn-status.log | status /var/log/openvpn-status.log | ||
verb 4 | verb 4 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
* 在<code>/etc/pam.d/openvpn</code>設定使用<code>/etc/openvpn/passwd</code>當作認證來源: | * 設定為開機啟動: | ||
<syntaxhighlight lang="bash"> | |||
sudo systemctl enable openvpn-server@vpn | |||
</syntaxhighlight> | |||
* 在<code>/etc/pam.d/openvpn</code>設定使用<code>/etc/openvpn/server/vpn.passwd</code>當作認證來源: | |||
<syntaxhighlight lang="apache"> | <syntaxhighlight lang="apache"> | ||
# | # | ||
auth required pam_pwdfile.so pwdfile=/etc/openvpn/passwd | auth required pam_pwdfile.so pwdfile=/etc/openvpn/server/vpn.passwd | ||
auth required pam_permit.so | auth required pam_permit.so | ||
account required pam_permit.so | account required pam_permit.so | ||
session required pam_permit.so | session required pam_permit.so | ||
password required pam_deny.so | password required pam_deny.so | ||
</syntaxhighlight> | |||
=== iptables === | |||
[[iptables]]有兩個設定,一個是服務本身的防火牆,另外一個是NAT: | |||
<syntaxhighlight lang="bash"> | |||
sudo iptables -A INPUT -p tcp --dport 1194 -j ACCEPT | |||
sudo iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE | |||
</syntaxhighlight> | |||
=== sysctl === | |||
[[sysctl]]需要設定允許forwarding: | |||
<syntaxhighlight lang="bash"> | |||
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-net.conf; sudo sysctl -p /etc/sysctl.d/99-net.conf | |||
</syntaxhighlight> | </syntaxhighlight> | ||
於 2020年11月29日 (日) 21:22 的最新修訂
OpenVPN是個VPN軟體。
安裝
先安裝OpenVPN本體,以及使用密碼檔認證的套件。
sudo apt install -y libpam-pwdfile openvpn; sudo apt clean
設定
- 先產生SSL相關的設定:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
- 依照Dehydrated或是其他方式產生出合法的SSL憑證。
- 在
/etc/openvpn/server/vpn.conf內放(16.04的舊版是/etc/openvpn/server.conf):
#
port 1194
proto udp
dev tun
ca /etc/ssl/certs/ca-certificates.crt
cert /etc/dehydrated/certs/vpn.example.com/fullchain.pem
key /etc/dehydrated/certs/vpn.example.com/privkey.pem
dh /etc/ssl/certs/dhparam.pem
server 192.168.254.128 255.255.255.128
server-ipv6 fda9:4efe:7e3b:03ea::/64
push "dhcp-option DNS 8.8.8.8"
user nobody
group nogroup
persist-key
persist-tun
verify-client-cert none
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
status /var/log/openvpn-status.log
verb 4
- 設定為開機啟動:
sudo systemctl enable openvpn-server@vpn
- 在
/etc/pam.d/openvpn設定使用/etc/openvpn/server/vpn.passwd當作認證來源:
#
auth required pam_pwdfile.so pwdfile=/etc/openvpn/server/vpn.passwd
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so
iptables
iptables有兩個設定,一個是服務本身的防火牆,另外一個是NAT:
sudo iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
sysctl
sysctl需要設定允許forwarding:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-net.conf; sudo sysctl -p /etc/sysctl.d/99-net.conf