Setting up OpenVPN

This only covers the technical side; design the application scenario yourself.

Examples:

  1. Connect from the outside world over the VPN to a computer on the campus network, which makes campus network resources reachable;
  2. Connect from the Chinese network to a computer on the world network, which makes non-existent websites reachable;

Server installation

Using a Debian system as the example, the steps for deploying on the server side are described below.

Guide on DigitalOcean

First install openvpn and easy-rsa:

```
sudo apt-get install openvpn easy-rsa
```

Then generate the keys:

```
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
# edit `vars`
vim vars
```

Set the following information; it goes into the certificate fields and makes verifying the keys later easier:

```
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="Tsinghua"
export KEY_EMAIL="******@gmail.com"
export KEY_OU="Tom"
export KEY_NAME="telecomVPN"
```

Generate the server and client keys:

```
source vars
./clean-all
./build-ca
./build-key-server telecomVPN
./build-dh
openvpn --genkey --secret keys/ta.key # may need sudo

# user key
./build-key clientDefault
```

Copy the server-side keys into the right directory and unpack the default configuration file:

```
# the keys were written to ~/openvpn-ca/keys; <server> is the name passed to build-key-server (telecomVPN above)
cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key <server>.crt <server>.key ta.key dh2048.pem /etc/openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
```

Edit /etc/openvpn/server.conf:

```
# enable tls-auth
tls-auth ta.key 0 # This file is secret
key-direction 0

# uncomment
cipher AES-128-CBC
auth SHA256

# user and group
user nobody
group nogroup

# redirect
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 8.8.8.8"

# adjust port and proto
proto udp

# auth keys
cert <server>.crt
key <server>.key
dh dh2048.pem
```

Network configuration

```
sudo vim /etc/sysctl.conf
```

Enable IP forwarding:

```
# enable net.ipv4.ip_forward
net.ipv4.ip_forward=1
```

Apply the change:

```
sudo sysctl -p
```

Firewall settings

Raspbian:

```
# 10.8.0.0/24 is the VPN subnet set by the `server` line of the sample server.conf; eth0 is the outbound interface.
# This rule is not persistent across reboots; save it with your distribution's iptables persistence mechanism.
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```

Starting the service (systemd):

```
sudo systemctl start openvpn@server

# check status
sudo systemctl status openvpn@server
ip addr show tun0

sudo systemctl enable openvpn@server
```

Client configuration

Generate the client configuration files on the server (the directory is ~/client-configs throughout; the script below depends on that path):

```
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
```

Edit base.conf and change its default settings:

```
remote server_IP_address 1194
proto udp

cipher AES-128-CBC
auth SHA256
key-direction 1

# on a Linux client, uncomment the lines below
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
```

Create a new file ~/client-configs/make_config.sh:

```bash
#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with the CA cert, the client cert and key, and
# ta.key as inline blocks, producing one self-contained .ovpn file.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-auth>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-auth>') \
    > ${OUTPUT_DIR}/${1}.ovpn
```

Make it executable: chmod 700 ~/client-configs/make_config.sh

```
cd ~/client-configs
./make_config.sh clientDefault
# ta.key permission issue: if ta.key was generated with sudo it is owned by root,
# so the cat in the script cannot read it; make it readable by your user first
```
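As an added check that is not part of the original post, the POSIX shell script below verifies a generated client .ovpn against the server.conf it has to match before the file is handed out: cipher, auth and proto must agree, key-direction must be 0 on the server and 1 on the client, and the four inline blocks that make_config.sh pastes in must all be present. The function names are my own and the two sample configs it writes to a temporary directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: check a generated client .ovpn
# against server.conf before handing it out. Assumes plain-text configs like
# the ones built above; the sample configs below are constructed for the demo.

# Print the value of directive $2 in file $1 (first active line, comment stripped).
ovpn_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | sed 's/[[:space:]]*#.*$//' | head -n 1
}

# Return 0 if client config $2 is consistent with server config $1, else 1:
# cipher, auth and proto must match; key-direction must be 0 on the server and
# 1 on the client (the two halves of ta.key); the client must embed all four
# inline blocks that make_config.sh pastes in.
ovpn_check() {
  srv=$1; cli=$2; rc=0
  for d in cipher auth proto; do
    s=$(ovpn_get "$srv" "$d"); c=$(ovpn_get "$cli" "$d")
    [ "$s" = "$c" ] || { echo "mismatch: $d server='$s' client='$c'"; rc=1; }
  done
  ks=$(ovpn_get "$srv" key-direction); kc=$(ovpn_get "$cli" key-direction)
  { [ "$ks" = 0 ] && [ "$kc" = 1 ]; } ||
    { echo "key-direction must be 0 on server, 1 on client (got '$ks'/'$kc')"; rc=1; }
  for b in ca cert key tls-auth; do
    grep -q "^<$b>" "$cli" && grep -q "^</$b>" "$cli" ||
      { echo "client is missing inline <$b> block"; rc=1; }
  done
  return $rc
}

# Write constructed sample configs into directory $1 (dummy certificate bodies).
ovpn_demo_files() {
  cat > "$1/server.conf" <<'EOF'
proto udp
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC
auth SHA256
EOF
  { printf 'remote server_IP_address 1194\nproto udp\ncipher AES-128-CBC\nauth SHA256\nkey-direction 1\n'
    for b in ca cert key tls-auth; do printf '<%s>\nDUMMY-%s\n</%s>\n' "$b" "$b" "$b"; done
  } > "$1/good.ovpn"
  # Broken variant: server's key-direction copied over and no <tls-auth> block.
  sed -e 's/^key-direction 1/key-direction 0/' -e '/^<tls-auth>/,/^<\/tls-auth>/d' \
    "$1/good.ovpn" > "$1/bad.ovpn"
}

DEMO_DIR=$(mktemp -d); ovpn_demo_files "$DEMO_DIR"
ovpn_check "$DEMO_DIR/server.conf" "$DEMO_DIR/good.ovpn" && echo "good.ovpn: OK"
ovpn_check "$DEMO_DIR/server.conf" "$DEMO_DIR/bad.ovpn" || echo "bad.ovpn: rejected"
```

To check a real file, call `ovpn_check /etc/openvpn/server.conf ~/client-configs/files/clientDefault.ovpn`; a non-zero exit status lists every mismatch found.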

Usage

Copy the clientDefault.ovpn produced by the steps above to the user's device, then follow the OpenVPN instructions for that operating system.