Network System Administration in a Linux Environment: 6. OpenVPN on RouterSrv

Task requirements

Work tasks on the server RouterSrv

5. OPENVPN

VPN clients may only communicate with the InsideCli client subnet, and are additionally allowed to access the SAMBA service on the StorageSrv host;

The address range available to VPN clients is 172.16.0.100-172.16.0.120/24.

OutsideCli must be able to connect using systemctl start openvpn@csk.

Implementation

Install OpenVPN:

apt install -y openvpn

OpenVPN certificate tooling

Copy EasyRSA (the certificate-generation tool) to /etc/openvpn/
cp -r /usr/share/easy-rsa /etc/openvpn/

Copy the sample certificate files bundled with the package (note: none of these certificates are password-protected, and since the same sample keys ship with every OpenVPN installation they are only suitable for a lab setup like this one)

Copy all sample certificates and keys to the /etc/openvpn/server directory
cp /usr/share/doc/openvpn/examples/sample-keys/* /etc/openvpn/server
Decompress the default server.crt and client.crt
cd /etc/openvpn/server/
gzip -d server.crt.gz
gzip -d client.crt.gz

Configure the OpenVPN server

Edit the server configuration file

Copy the template file
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
gzip -d server.conf.gz

vim /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca server/ca.crt
cert server/server.crt
key server/server.key # This file should be kept secret
dh server/dh2048.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.100.200 255.255.255.255"
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3


In server.conf, the line server 172.16.0.0 255.255.255.0 means that the OpenVPN server hands out addresses to VPN clients from the 172.16.0.0/24 range; the configuration also lets VPN clients reach the 192.168.10.0/24 subnet behind the server and pushes the address of Google's public DNS server to the clients.
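Because every certificate and key was copied into /etc/openvpn/server, the ca/cert/key/dh lines must point into that directory, and the key file carries the "should be kept secret" comment for a reason. The shell function below is an added example, not part of the original post: it reads a server.conf the way the service will, resolving relative paths against the directory OpenVPN is started in (assumed here to be /etc/openvpn, which is what the Debian/Ubuntu openvpn@.service unit passes as --cd), reports any referenced file that does not exist, and flags a private key that is readable by group or others.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OpenVPN server.conf
# before starting openvpn@server. Relative ca/cert/key/dh paths are resolved
# against the service's working directory (assumed: /etc/openvpn), and the
# private key must not be readable by group or others.
# Usage: check_openvpn_conf /etc/openvpn/server.conf [/etc/openvpn]
# Prints one line per finding; returns 0 if all checks pass, 1 otherwise.
check_openvpn_conf() {
    conf="$1"
    cd_dir="${2:-/etc/openvpn}"
    rc=0
    for directive in ca cert key dh; do
        # Strip "#"/";" comments, then take the first argument of the directive.
        path=$(sed 's/[#;].*//' "$conf" | awk -v d="$directive" '$1 == d { print $2; exit }')
        if [ -z "$path" ]; then
            echo "MISSING: no '$directive' directive in $conf"
            rc=1
            continue
        fi
        # Absolute paths are used as-is; relative ones are relative to cd_dir.
        case "$path" in
            /*) full="$path" ;;
            *)  full="$cd_dir/$path" ;;
        esac
        if [ ! -f "$full" ]; then
            echo "NOT FOUND: $directive -> $full"
            rc=1
            continue
        fi
        if [ "$directive" = key ]; then
            # Octal mode (GNU stat first, BSD stat as fallback); only the owner
            # may have any permission bits, e.g. 600 or 400.
            mode=$(stat -c %a "$full" 2>/dev/null || stat -f %Lp "$full")
            case "$mode" in
                ?00) ;;
                *) echo "INSECURE: $full has mode $mode, expected 600 or 400"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Stand-alone use: pass the config (and optionally the working directory).
if [ "$#" -gt 0 ]; then
    check_openvpn_conf "$@"
fi
```

Run it on RouterSrv before systemctl start openvpn@server; a "NOT FOUND" line for the key is exactly what the original template's key server.key would have produced once the files were moved under server/.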

Start the OpenVPN service

systemctl start openvpn@server
systemctl enable openvpn@server

Check the OpenVPN server status

root@routersrv:/etc/openvpn# systemctl status openvpn@server
openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled-runtime; vendor preset: enabled)
Active: active (running) since Sat 2021-10-16 10:08:57 CST; 11min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 124566 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 4673)
Memory: 1.9M
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─124566 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10
--cd /
10 16 10:08:57 routersrv.chinaskills.cn systemd[1]: Starting OpenVPN connection to server...
10 16 10:08:57 routersrv.chinaskills.cn systemd[1]: Started OpenVPN connection to server.
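Once the service is up, the status /var/log/openvpn/openvpn-status.log line in server.conf makes OpenVPN write a periodically refreshed client list, and its ROUTING TABLE section is the quickest way to confirm that connected clients actually received addresses from the range the task prescribes (172.16.0.100-172.16.0.120). The function below is an added example and not part of the original post; it assumes the default status-version 1 file layout and checks every virtual IPv4 address in that section against the pool bounds (route entries with a slash, as produced by iroute, are ignored). The status file in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every client listed
# in an OpenVPN status file (status-version 1 layout) holds a virtual address
# inside the permitted pool. Defaults match the task: 172.16.0.100-172.16.0.120.
# Usage: check_status_pool /var/log/openvpn/openvpn-status.log [low] [high]
# Prints "OK <cn> <ip>" or "OUT OF POOL <cn> <ip>" per client and returns 1 if
# any address lies outside the pool.
check_status_pool() {
    status_file="$1"
    low="${2:-172.16.0.100}"
    high="${3:-172.16.0.120}"
    awk -v low="$low" -v high="$high" '
        # Dotted-quad to integer so the range check is a plain comparison.
        function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
        BEGIN { FS = ","; bad = 0; lo = ip2n(low); hi = ip2n(high) }
        /^ROUTING TABLE/ { in_rt = 1; next }   # section: Virtual Address,Common Name,...
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = ip2n($1)
            if (n >= lo && n <= hi) print "OK", $2, $1
            else { print "OUT OF POOL", $2, $1; bad = 1 }
        }
        END { exit bad }
    ' "$status_file"
}

# Stand-alone use: pass the status file (and optionally the pool bounds).
if [ "$#" -gt 0 ]; then
    check_status_pool "$@"
fi
```

With the server directive as written, OpenVPN would normally allocate from the start of 172.16.0.0/24, so a run of this check after the first client connects is a cheap way to see whether the pool restriction from the task has actually taken effect.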

Install OpenVPN on the client (OutsideCli)

apt install openvpn -y

Copy the client certificate and key files from the server

scp root@81.6.63.254:/etc/openvpn/server/ca.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.crt /etc/openvpn/
scp root@81.6.63.254:/etc/openvpn/server/client.key /etc/openvpn/

Edit the client configuration file

Fetch the client.conf template file
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
Rename it to csk.conf
mv /etc/openvpn/client.conf /etc/openvpn/csk.conf

root@outsitecli:/etc/openvpn# vi csk.conf
client
dev tun
proto udp
remote 81.6.63.254 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-256-GCM
verb 3

Start the OpenVPN client

systemctl start openvpn@csk
systemctl enable openvpn@csk

Check the network status

root@outsitecli:/etc/openvpn# ip add
3685: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN
group default qlen 100
link/none
inet 172.16.0.100/24 brd 172.16.0.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::e55d:44a1:c2f6:df27/64 scope link stable-privacy
valid_lft forever preferred_lft forever

The OpenVPN configuration is now complete.

Client dial-up test

root@outsitecli:/etc/openvpn# systemctl restart openvpn@csk.service
root@outsitecli:/etc/openvpn# systemctl status openvpn@csk.service

The client service openvpn@csk.service connected to the VPN successfully.

The client obtains its address

ip addr show | grep 172
