翻越中国墙,必须要有个境外的VPN账号,下面就介绍一下Ubuntu 16.04配置OpenVPN的方法,首先要有个牛逼点的境外的机器,这里推荐一个超高性价比的SSD的虚拟主机,vultr公司,这是个美国的公司,世界很多地区有机房,每个月只要5美元,
官方网站:http://www.vultr.com/ ,如果打不开可先访问个在线或者免费的vpn代理,首先要进行注册,然后就可以购买了
登陆后可以看到他的界面,非常简单,操作方便,下图是所支持地区的机房,大部分是美国机房,东京机房比较近
下图是所支持的操作系统,基本主流的都包括了
然后就是价格,性价比非常高,支持本站发展,请选择20美元购买链接 http://www.vultr.com/
购买好虚机后,选择 Ubuntu 16.04 操作系统,本文测试的是用Ubuntu 16.04.1,尽可能的简单介绍一下安装过程,下面开始登陆你的Ubuntu服务器
————–正式开始—————–
步骤1:安装OpenVPN
首先,我们将在服务器上安装OpenVPN。OpenVPN在Ubuntu的默认库是可用的,所以安装起来非常容易。
更新一下服务器并开始安装:
|
1 2 |
sudo apt-get update sudo apt-get install openvpn easy-rsa |
步骤2:创建CA目录,并进入目录
|
1 2 |
make-cadir ~/openvpn-ca cd ~/openvpn-ca |
步骤3:配置CA变量
vim ~/openvpn-ca/vars
. . .
|
1 2 3 4 5 6 |
export KEY_COUNTRY="CN" export KEY_PROVINCE="BJ" export KEY_CITY="BeiJing" export KEY_ORG="zhoujianhui.com" export KEY_EMAIL="zjhiii@163.com" export KEY_OU="www.zhoujianhui.com" |
|
1 |
export KEY_NAME="server" |
步骤4:创建证书
|
1 2 |
cd ~/openvpn-ca source vars |
如果出现如下提示即表示成功
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/ubuntu/openvpn-ca/keys
|
1 2 |
./clean-all ./build-ca |
步骤5:创建服务器证书、密钥文件
|
1 |
./build-key-server server |
|
1 2 |
./build-dh openvpn --genkey --secret keys/ta.key |
|
1 2 |
cd ~/openvpn-ca source vars |
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/sammy/openvpn-ca/keys
|
1 |
./build-key client |
如需创建带密码的证书,按下面操作
|
1 2 3 |
cd ~/openvpn-ca source vars ./build-key-pass client |
|
1 2 3 |
cd ~/openvpn-ca/keys sudo cp ca.crt ca.key server.crt server.key ta.key dh2048.pem /etc/openvpn gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf |
修改openvpn的配置文件
|
1 |
sudo vim /etc/openvpn/server.conf |
tls-auth ta.key 0 # This file is secret(去掉前边的;号)
下面一行增加
key-direction 0
cipher AES-128-CBC(去掉前边的;号)
下面一行增加
auth SHA256
user nobody (去掉前边的;号)
group nogroup (去掉前边的 ;号)
push “redirect-gateway def1 bypass-dhcp” (去掉前边的;号)
push “dhcp-option DNS 208.67.222.222” (去掉前边的;号)
push “dhcp-option DNS 208.67.220.220” (去掉前边的 ;号)
————————————————-
默认的是udp 端口1194
可选
port 443
proto tcp
这里的server是 ./build-key-server 创建的
cert server.crt key server.key
————————————————-
步骤8:调整服务器网络配置
|
1 |
sudo vim /etc/sysctl.conf |
|
1 |
sudo sysctl -p |
|
1 |
ip route | grep default |
|
1 |
sudo vim /etc/ufw/before.rules |
顶部添加一段
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
|
1 2 3 4 5 6 7 8 |
# START OPENVPN RULES # NAT table rules *nat :POSTROUTING ACCEPT [0:0] # Allow traffic from OpenVPN client to eth0 -A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE COMMIT # END OPENVPN RULES |
*filter
|
1 |
sudo vim/etc/default/ufw |
开启OpenVPN端口
|
1 2 3 4 5 |
sudo ufw allow 1194/udp sudo ufw allow OpenSSH sudo ufw disable sudo ufw enable |
|
1 2 |
sudo systemctl start openvpn@server sudo systemctl status openvpn@server |
检查OpenVPN tun0接口
|
1 |
ip addr show tun0 |
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
服务加入自启动
|
1 |
sudo systemctl enable openvpn@server |
步骤10:创建客户端配一键生成脚本
|
1 2 |
mkdir -p ~/client-configs/files chmod 700 ~/client-configs/files |
|
1 |
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf |
|
1 |
sudo vim ~/client-configs/base.conf |
remote 192.168.16.110 1194 (服务器的IP)
proto udp
user nobody (去掉前边 ; 号) group nogroup (去掉前边 ; 号)
ca ca.crt (前边加 # 号)
cert client.crt (前边加 # 号)
key client.key (前边加 # 号)
cipher AES-128-CBC
auth SHA256
key-direction 1 (添加一行)
创建客户端生成脚本
|
1 |
sudo vim ~/client-configs/make_config.sh |
内容为:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
#!/bin/bash # First argument: Client identifier KEY_DIR=~/openvpn-ca/keys OUTPUT_DIR=~/client-configs/files BASE_CONFIG=~/client-configs/base.conf cat ${BASE_CONFIG} \ <(echo -e '<ca>') \ ${KEY_DIR}/ca.crt \ <(echo -e '</ca>\n<cert>') \ ${KEY_DIR}/${1}.crt \ <(echo -e '</cert>\n<key>') \ ${KEY_DIR}/${1}.key \ <(echo -e '</key>\n<tls-auth>') \ ${KEY_DIR}/ta.key \ <(echo -e '</tls-auth>') \ >${OUTPUT_DIR}/${1}.ovpn |
|
1 2 |
sudo chmod 700 ~/client-configs/make_config.sh sudo chown ubuntu.ubuntu make_config.sh |
生成客户端脚本,先第六步执行创建客户端脚本
|
1 2 |
cd ~/client-configs ./make_config.sh client |
|
1 2 |
cd ~/client-configs ./make_config.sh client |
如果顺利的话可以看见 client.ovpn的配置文件
ls ~/client-configs/files
将配置文件下载到本地
———————————————–
Note:新建用户步骤
|
1 2 3 |
cd ~/openvpn-ca source vars ./build-key username |
|
1 2 |
cd ~/client-configs ./make_config.sh username |
————————————————
步骤11:证书注销
|
1 2 3 |
cd ~/openvpn-ca source vars ./revoke-full username |
username为注销的用户名
|
1 |
sudo cp ~/openvpn-ca/keys/crl.pem /etc/openvpn |
|
1 |
sudo vim /etc/openvpn/server.conf |
|
1 |
crl-verify crl.pem |
|
1 |
sudo systemctl restart openvpn@server |
设置证书过期时间,修改相关参数即可,默认10年
|
1 |
sudo vim /home/ubuntu/openvpn-ca/vars |
步骤12:客户端拨OpenVPN
1、CentOS6.x
|
1 2 |
yum install epel-release -y yum install openvpn -y |
|
1 2 |
user root group root |
|
1 |
openvpn --config /etc/openvpn/zhoujianhui.ovpn > /dev/null & |
2、Windows
将配置文件拷贝到安装目录config下
3、Mac OS
Safari 浏览 https://tunnelblick.net/downloads.html
待续。。。
微信扫一扫,打赏作者吧~