OpenVPN
===

## Install

```
sudo apt install openvpn easy-rsa resolvconf
sudo su -
```

## RSA key: building keys and certificates

These notes use the easy-rsa 2.x scripts (`vars`, `clean-all`, `build-ca`, ...) that the Debian/Ubuntu `easy-rsa` package ships; the `openssl.cnf` symlink is what those scripts expect. `clean-all` empties the whole `keys/` directory, so run it once, before `build-ca`, and never later to "tidy up".

```
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa/
ln -s openssl-1.0.0.cnf openssl.cnf
vi vars
export KEY_COUNTRY="TW"
export KEY_PROVINCE="TW"
export KEY_CITY="Kaohsiung"
export KEY_ORG="STU"
export KEY_EMAIL="15115127@stu.edu.tw"
export KEY_OU="STU"
source ./vars
source ./clean-all                  # remove old keys (wipes keys/)
source ./build-ca                   # CA key and certificate
source ./build-dh                   # Diffie-Hellman parameters, dh<KEY_SIZE>.pem
./build-key-server server           # server key and certificate
openvpn --genkey --secret ta.key    # tls-auth HMAC key
cp ta.key /etc/openvpn/easy-rsa/keys/
```

`keys/ca.key` signs every client certificate; whoever holds it can mint a certificate the server accepts. Keep it readable by root only and never copy it off this directory.

### User key

`build-key` writes an unencrypted private key. `build-key-pass` prompts for a passphrase instead and is the better choice for a key that will live on a laptop.

```
cd /etc/openvpn/easy-rsa/
source ./vars
source ./build-key client1
```

### Revoking a user key

```
cd /etc/openvpn/easy-rsa/
source ./vars
./revoke-full client1
```

`revoke-full` finishes by verifying the certificate it just revoked, so its last line reads `error 23 at 0 depth lookup:certificate revoked`; that is the expected result, not a failure. It writes the revocation list to `keys/crl.pem`, and the server only enforces it when `server.conf` contains `crl-verify /etc/openvpn/easy-rsa/keys/crl.pem` (add the line after the first revocation, because the file does not exist before then, and restart the service). An already connected client is cut off at its next TLS renegotiation (hourly by default) or when the service restarts.

## OpenVPN configuration

### config

Start from the sample `server.conf` and point the certificate paths at the easy-rsa output. The sample already enables `tls-auth ta.key 0` relative to `/etc/openvpn`; since `ta.key` was copied into `easy-rsa/keys/`, give it the full path or the service fails to start because it cannot find the key. `cipher` must match the client's `base.conf`.

```
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
```

```
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
```

`dh2048.pem` is the file `build-dh` produces when `KEY_SIZE=2048` in `vars`; use whatever name it actually wrote.

### Start the service

```
systemctl enable openvpn
systemctl start openvpn
netstat -tulnp | grep 1194      # UDP 1194 should be listening
ip -c a                         # tun0 should now exist with 10.8.0.1
```

On Debian/Ubuntu the per-config unit is `openvpn@server`; if port 1194 is not listening, `journalctl -u openvpn@server` shows why (a wrong certificate or key path is the usual cause).

## Packaging the OVPN

### Layout

```
mkdir -p ~s15115127/client-config/keys
mkdir -p ~s15115127/client-config/ovpn
```

Everything under `client-config` ends up holding private keys, so keep the directory mode 700.

### base.conf

Copy the sample client config and edit the lines below. The four file-based directives are commented out because `make_config.sh` embeds the same material inline; `key-direction 1` is still required for the inline `<tls-auth>` block (the server side uses 0). `cipher` must match `server.conf`, and `remote` is the address clients dial, which has to be reachable from wherever they sit.

```
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~s15115127/client-config/base.conf
cd ~s15115127/client-config
vi base.conf
```

```
proto udp
remote 192.168.226.195 1194
cipher AES-256-CBC
# ca ca.crt
# cert client.crt
# key client.key
# tls-auth ta.key 1
key-direction 1
```

### vi make_config.sh

```
#!/bin/bash
# First argument: client identifier (the name given to build-key)
set -euo pipefail

KEY_DIR=./keys
OUTPUT_DIR=./ovpn
BASE_CONFIG=./base.conf

if [ "$#" -ne 1 ]; then
    echo "usage: $0 <client-name>" >&2
    exit 1
fi

# Refuse to write a half-built profile if any input is missing.
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${1}.crt" \
         "${KEY_DIR}/${1}.key" "${KEY_DIR}/ta.key"; do
    [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }
done

# The profile embeds a private key: create it readable by the owner only.
umask 077
cat "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${KEY_DIR}/${1}.key" \
    <(echo -e '</key>\n<tls-auth>') \
    "${KEY_DIR}/ta.key" \
    <(echo -e '</tls-auth>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
```

When done, make the script executable for its owner only:

```
chmod 700 make_config.sh
```
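A profile that is missing a block, still points at `ca.crt` on disk, or accidentally carries a second private key fails in confusing ways on the client, so it is worth linting `./ovpn/<client>.ovpn` before it leaves the server. The script below is an added example for these notes, not part of the original page or of OpenVPN; the names `ovpn_lint.sh`, `ovpn_lint` and `count_lines` are mine. It assumes the inline-block layout `make_config.sh` writes (`<ca>`, `<cert>`, `<key>`, `<tls-auth>`) and the `key-direction 1` line from `base.conf`.

```shell
#!/bin/bash
# ovpn_lint.sh: sanity-check a client profile produced by make_config.sh before
# handing it out. Added example for these notes, not part of the original page.
# Assumes the inline-block layout of make_config.sh (<ca>, <cert>, <key>,
# <tls-auth>) and the "key-direction 1" line from base.conf.

# count_lines PATTERN FILE: number of matching lines; always prints a number.
count_lines() {
  grep -c -- "$1" "$2" 2>/dev/null || true
}

# ovpn_lint FILE: one finding per line on stderr; returns 0 only when clean.
ovpn_lint() {
  local f=$1 rc=0 tag n

  # 1. Every inline block must open and close exactly once.
  for tag in ca cert key tls-auth; do
    if [ "$(count_lines '^<'"$tag"'>$' "$f")" != 1 ] || \
       [ "$(count_lines '^</'"$tag"'>$' "$f")" != 1 ]; then
      echo "$f: <${tag}> block missing or duplicated" >&2; rc=1
    fi
  done

  # 2. Two certificates (CA + client), one private key, one static key.
  #    A second private key usually means ca.key or server.key was packed in.
  n=$(count_lines '^-----BEGIN CERTIFICATE-----$' "$f")
  [ "$n" = 2 ] || { echo "$f: expected 2 certificates, found $n" >&2; rc=1; }
  n=$(count_lines '^-----BEGIN .*PRIVATE KEY-----$' "$f")
  [ "$n" = 1 ] || { echo "$f: expected exactly one private key, found $n" >&2; rc=1; }
  n=$(count_lines '^-----BEGIN OpenVPN Static key V1-----$' "$f")
  [ "$n" = 1 ] || { echo "$f: expected one tls-auth static key, found $n" >&2; rc=1; }

  # 3. An inline <tls-auth> block needs key-direction; the client side is 1.
  if grep -q '^<tls-auth>$' "$f" && ! grep -q '^key-direction 1$' "$f"; then
    echo "$f: inline <tls-auth> without 'key-direction 1'" >&2; rc=1
  fi

  # 4. The file-based directives must stay commented out, otherwise OpenVPN
  #    looks for ca.crt/client.crt/... next to the profile instead.
  if grep -Eq '^(ca|cert|key|tls-auth) ' "$f"; then
    echo "$f: file-based ca/cert/key/tls-auth directive still active" >&2; rc=1
  fi

  # 5. The profile carries a private key: group/world must not read it.
  case $(ls -l "$f" | cut -c5-10) in
    ------) ;;
    *) echo "$f: readable by group/others (chmod 600 it)" >&2; rc=1 ;;
  esac

  return $rc
}

# Usage: ./ovpn_lint.sh ./ovpn/client1.ovpn
if [ "$#" -gt 0 ]; then
  ovpn_lint "$1"
  exit $?
fi
```

Run it right after `./make_config.sh client1`; a non-zero exit with the findings on stderr means the profile should not be copied anywhere yet. The checks are purely textual so they work without `openssl`; if it is installed, `openssl x509 -noout -subject` on the `<cert>` block confirms the CN is the intended client.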
### Copy the keys needed for packaging

`make_config.sh` reads only `ca.crt`, `ta.key` and the client's own `.crt`/`.key`, so copy just those. A recursive copy of the whole directory (`cp -r /etc/openvpn/easy-rsa/keys/. ~s15115127/client-config/keys/`) would drag `ca.key`, `server.key` and every other client's key into a user home directory.

```
cp /etc/openvpn/easy-rsa/keys/{ca.crt,ta.key,client1.crt,client1.key} ~s15115127/client-config/keys/
```

### Run

```
./make_config.sh client1
cat ./ovpn/client1.ovpn
```

### Fetching the OVPN

```
cd ovpn
cp client1.ovpn /var/www/html/
http://192.168.226.130/client1.ovpn
```

The profile contains the client's private key, and an unauthenticated HTTP download hands it to anyone who can reach the web server. Prefer `scp` or another authenticated channel; if the web server has to be used, remove the file from `/var/www/html/` as soon as the client has fetched it.

## Firewall and routing

### IP forwarding

```
vi /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
```

### Flush iptables

`-F` removes the rules but leaves the chain policies in place; with a `DROP` policy on INPUT this cuts off your own SSH session, so look at `iptables -S` before flushing. Rules flushed or added by hand are also lost at reboot unless saved (`iptables-save`, `iptables-persistent`, or the ufw rule files).

```
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
```

### Adding the route to the firewall

The interface name must be the one `ip -c a` shows for the LAN/WAN side; the two variants below use `ens160` and `eth0` respectively, and only one of those exists on a given machine. `ufw route allow` creates the forwarding rule only: when ufw is in charge, the MASQUERADE rule still has to go into the `*nat` table in `/etc/ufw/before.rules`.

```
ufw route allow in on tun0 out on ens160
```

or

```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t filter -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
```

`10.8.0.0/24` is the `server 10.8.0.0 255.255.255.0` subnet from the sample `server.conf`. The last two rules are broader than they need to be: the `eth0 -> tun0` rule forwards any inbound traffic to VPN clients rather than only replies, and the INPUT rule exposes every service listening on the server to every VPN client.
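The hand-typed rules above hard-code an interface name and accept more than the tunnel needs. The script below is an added example for these notes, not part of the original page or of OpenVPN; `vpn_nat.sh`, `default_iface`, `vpn_rules` and `apply_rules` are names I chose. It assumes the tunnel is `tun0` on `10.8.0.0/24` and UDP port 1194 as in the sample `server.conf`, derives the egress interface from the default route instead of guessing `eth0`/`ens160`, limits the WAN-to-tunnel direction to established flows, and deliberately does not generate the blanket `INPUT -i tun0` rule.

```shell
#!/bin/bash
# vpn_nat.sh: print (or apply) the forwarding and NAT rules for the OpenVPN
# tunnel. Added example for these notes, not part of the original page.
# Assumptions: tun0 carries the 10.8.0.0/24 subnet from the sample server.conf,
# OpenVPN listens on UDP 1194, and the egress interface is the one that holds
# the default route. Override with VPN_NET / VPN_IF in the environment.

VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_IF=${VPN_IF:-tun0}

# default_iface LINE: interface name from one line of `ip -4 route show default`
# output, e.g. "default via 192.168.226.2 dev ens160 proto dhcp ...". Prints
# nothing if the line has no "dev" field.
default_iface() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# vpn_rules WAN_IF: the rule set, one iptables command per line.
# Compared with the hand-typed version: the WAN -> tunnel direction only admits
# replies to flows the clients opened, and there is no blanket INPUT accept on
# tun0; services clients should reach get their own explicit INPUT rules.
vpn_rules() {
  local wan=$1
  cat <<EOF
iptables -t nat -A POSTROUTING -s ${VPN_NET} -o ${wan} -j MASQUERADE
iptables -A INPUT -i ${wan} -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -i ${VPN_IF} -o ${wan} -s ${VPN_NET} -j ACCEPT
iptables -A FORWARD -i ${wan} -o ${VPN_IF} -d ${VPN_NET} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# apply_rules WAN_IF: enable forwarding and add each rule that is not already
# present (iptables -C returns 0 for an existing identical rule), so the script
# can be re-run without stacking duplicates. Needs root. The rule strings are
# built only from VPN_NET/VPN_IF/WAN_IF, so evaluating them is safe as long as
# those come from the root user running the script.
apply_rules() {
  local wan=$1 rule check
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  vpn_rules "$wan" | while IFS= read -r rule; do
    check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
    sh -c "$check" 2>/dev/null || sh -c "$rule"
  done
}

# Usage:  ./vpn_nat.sh ens160        print the rules for review
#         ./vpn_nat.sh --apply       detect the interface and install them
if [ "${1:-}" = "--apply" ]; then
  wan=${2:-$(default_iface "$(ip -4 route show default | head -n 1)")}
  [ -n "$wan" ] || { echo "no default route found; pass the interface explicitly" >&2; exit 1; }
  apply_rules "$wan"
elif [ "$#" -gt 0 ]; then
  vpn_rules "$1"
else
  echo "usage: $0 <wan-interface> | --apply [wan-interface]" >&2
fi
```

Print first, apply once the interface name matches `ip -c a`, then persist with `iptables-save` (or move the same rules into `/etc/ufw/before.rules` if ufw owns the firewall). Clients that need a service on the server itself, say DNS on `10.8.0.1`, get an `INPUT -i tun0 -p udp --dport 53 -j ACCEPT` rule of their own rather than the catch-all from the notes.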