OpenVPN
OpenVPN is VPN software. The steps below set up a server on Ubuntu that authenticates clients by username and password through PAM.
Installation
First install OpenVPN itself, together with the PAM module for authenticating against a password file:
sudo apt install -y libpam-pwdfile openvpn; sudo apt clean
Configuration
- First generate the Diffie-Hellman parameters used by the TLS handshake:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
- Obtain a valid SSL certificate with Dehydrated or another method.
- Put the following in /etc/openvpn/server/vpn.conf (on the older 16.04 layout the file is /etc/openvpn/server.conf):
port 1194
proto udp
dev tun
# a CA file is still required by OpenVPN even though client certificates are not verified (see verify-client-cert below)
ca /etc/ssl/certs/ca-certificates.crt
cert /etc/dehydrated/certs/vpn.example.com/fullchain.pem
key /etc/dehydrated/certs/vpn.example.com/privkey.pem
dh /etc/ssl/certs/dhparam.pem
server 192.168.254.128 255.255.255.128
server-ipv6 fda9:4efe:7e3b:03ea::/64
# resolver pushed to clients (Google Public DNS here; substitute your own resolver if preferred)
push "dhcp-option DNS 8.8.8.8"
# drop root privileges after startup; persist-key/persist-tun let restarts work without them
user nobody
group nogroup
persist-key
persist-tun
# no client certificate is required, so the PAM plugin on the next line is the only thing authenticating clients
verify-client-cert none
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
status /var/log/openvpn-status.log
verb 4
- Enable it at boot (the openvpn-server@vpn unit reads /etc/openvpn/server/vpn.conf):
sudo systemctl enable openvpn-server@vpn
- In /etc/pam.d/openvpn, point authentication at /etc/openvpn/server/vpn.passwd:
auth required pam_pwdfile.so pwdfile=/etc/openvpn/server/vpn.passwd
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so
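The vpn.passwd file that the PAM stack above reads is not shown on this page. The script below is an added example (not from the original page) for creating and checking it. pam_pwdfile expects one "username:crypt(3)-hash" line per user; the hash is produced with "openssl passwd". MD5-crypt ("-1", the $1$ format) is what pam_pwdfile has accepted since its early releases; SHA-512 ("-6") is assumed here to work where the installed module is built on libc crypt(3), which current Debian and Ubuntu packages are, so confirm with a test login before relying on it. The file can stay root-only (mode 0600): the auth-pam plugin runs PAM in a helper forked before OpenVPN drops to nobody/nogroup. PWDFILE, the function names and the hash strings in comments are the example's own.

```shell
#!/bin/sh
# Added example, not from the original page: create and check the pam_pwdfile password file
# named in /etc/pam.d/openvpn. Format: one "username:crypt(3)-hash" per line.
# Assumptions: MD5-crypt ($1$) hashes are accepted by any libpam-pwdfile; SHA-512 ($6$) is
# assumed to work where the module is built on libc crypt(3). PWDFILE and the function
# names are this example's own.
set -eu

PWDFILE="${PWDFILE:-/etc/openvpn/server/vpn.passwd}"

# pwdfile_hash PASSWORD [ALGO]: print a crypt(3) hash; ALGO is 6 (SHA-512, default) or 1 (MD5-crypt).
pwdfile_hash() {
    printf '%s\n' "$1" | openssl passwd "-${2:-6}" -stdin
}

# pwdfile_add FILE USER HASH: add USER (replacing any existing entry) and keep the file mode 0600.
# The auth-pam plugin runs PAM in a helper forked before OpenVPN drops to nobody/nogroup,
# so the file does not need to be readable by anyone but root.
pwdfile_add() {
    file=$1 user=$2 hash=$3
    case $user in
        ""|*[!A-Za-z0-9._@-]*) echo "invalid username: '$user'" >&2; return 1 ;;
    esac
    [ -e "$file" ] || ( umask 077; : > "$file" )
    ( umask 077
      { awk -F: -v u="$user" '$1 != u' "$file"; printf '%s:%s\n' "$user" "$hash"; } > "$file.tmp" )
    mv "$file.tmp" "$file"
    chmod 600 "$file"
}

# pwdfile_check FILE: fail if the mode is not 0600 or any line is not user:hash with a $1$/$5$/$6$ hash.
pwdfile_check() {
    file=$1
    [ "$(ls -l "$file" | cut -c5-10)" = "------" ] ||
        { echo "$file: group/other permission bits set, expected mode 0600" >&2; return 1; }
    awk -F: '
        NF != 2 || $1 == "" { print FILENAME ": line " NR ": expected user:hash" > "/dev/stderr"; bad++; next }
        $2 !~ /^\$[156]\$/  { print FILENAME ": line " NR ": " $1 " has a non-crypt hash" > "/dev/stderr"; bad++ }
        END { exit bad ? 1 : 0 }
    ' "$file"
}

# Usage: PWDFILE=/path sh pwdfile.sh add USER   (prompts for the password)
#        PWDFILE=/path sh pwdfile.sh check
case "${1:-}" in
    add)
        printf 'Password for %s: ' "$2"
        stty -echo 2>/dev/null || true
        read -r pw
        stty echo 2>/dev/null || true
        echo
        pwdfile_add "$PWDFILE" "$2" "$(pwdfile_hash "$pw")" ;;
    check)
        pwdfile_check "$PWDFILE" ;;
esac
```

Run "sudo sh pwdfile.sh add alice" once per user and "sudo sh pwdfile.sh check" after editing the file by hand; a failed check means either the permissions were loosened or a line is not in the crypt format pam_pwdfile understands.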
iptables
iptables needs two rules: one lets the VPN service itself through the firewall, the other does NAT for the clients. The server listens on UDP (proto udp in vpn.conf), so the INPUT rule must match udp rather than tcp:
sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -o eth0 -j MASQUERADE
sysctl
sysctl must be set to allow forwarding. This enables IPv4 only; the server-ipv6 line in vpn.conf also needs net.ipv6.conf.all.forwarding=1 (and a matching ip6tables rule) before clients' IPv6 traffic is routed:
echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/99-net.conf; sudo sysctl -p /etc/sysctl.d/99-net.conf
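The status directive in vpn.conf writes /var/log/openvpn-status.log, which is the quickest way to see who is connected. The script below is an added example (not from the original page) that parses that file in its default layout (status-version 1) and prints one line per client; the sample log it embeds is constructed. One caveat with the verify-client-cert none setup above: the Common Name column carries the PAM username only if username-as-common-name is also set in vpn.conf; otherwise every client shows as UNDEF and a connection cannot be attributed to a user from this log, which the ovpn_unattributed function flags. Function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: list connected clients from the file written
# by the "status /var/log/openvpn-status.log" directive in vpn.conf. Assumes the default
# status format (status-version 1); the sample log below is constructed for illustration.
set -eu

# ovpn_clients LOGFILE: print "common_name real_address virtual_address connected_since", one client per line.
# Entries are keyed on the real address because with "verify-client-cert none" the Common Name
# column is "UNDEF" for every client unless "username-as-common-name" is also configured.
ovpn_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "stats";   next }
        /^(Updated|Common Name|Virtual Address|END)/ { next }
        sec == "clients" { cn[$2] = $1; since[$2] = $5 }
        sec == "routes"  { vaddr[$3] = $1 }
        END {
            for (ra in cn)
                printf "%s %s %s %s\n", cn[ra], ra, ((ra in vaddr) ? vaddr[ra] : "-"), since[ra]
        }
    ' "$1" | sort
}

# ovpn_unattributed LOGFILE: clients whose session cannot be tied to a username (Common Name is UNDEF).
ovpn_unattributed() {
    ovpn_clients "$1" | awk '$1 == "UNDEF"'
}

# write_sample_status FILE: constructed sample in the status-version 1 layout, for offline testing.
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:49502,334948,1973012,Mon Jan  1 09:23:03 2024
bob,198.51.100.7:51234,10240,20480,Mon Jan  1 09:50:00 2024
UNDEF,192.0.2.55:40000,512,1024,Mon Jan  1 09:58:41 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.254.130,alice,203.0.113.10:49502,Mon Jan  1 09:59:59 2024
192.168.254.131,bob,198.51.100.7:51234,Mon Jan  1 09:59:58 2024
192.168.254.132,UNDEF,192.0.2.55:40000,Mon Jan  1 09:59:50 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone run: parse the log given as the first argument, otherwise the constructed sample.
if [ -n "${1:-}" ]; then
    ovpn_clients "$1"
else
    tmp=$(mktemp)
    write_sample_status "$tmp"
    ovpn_clients "$tmp"
    rm -f "$tmp"
fi
```

Run it as "sh ovpn-clients.sh /var/log/openvpn-status.log" on the server; any UNDEF lines in the output are a sign that username-as-common-name should be added to vpn.conf so the status log (and "verb 4" connection messages) name the authenticated user.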