
Deploy Server and Client


Install OpenVPN and EasyRSA

# Install OpenVPN and the EasyRSA PKI helper scripts (needs root; every step
# below writes under /etc/openvpn).
apt install -y openvpn easy-rsa

Create CA

# Work from the OpenVPN config directory; the PKI is kept alongside it.
cd /etc/openvpn

Create EasyRSA dir.

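# Create the EasyRSA working copy under /etc/openvpn, not ~/easy-rsa: every
# path used later in this guide (/etc/openvpn/easy-rsa/pki/...) assumes this
# location, and a relative `cd easy-rsa` from /etc/openvpn would not reach a
# copy created in $HOME.
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa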

Init PKI

# Initialise an empty PKI in ./pki (expected at /etc/openvpn/easy-rsa/pki, the
# location the certificate paths below refer to).
./easyrsa init-pki

Create CA (self-signed): enter the CA name and password.

# Build the self-signed CA interactively: prompts for the CA common name and
# for a passphrase protecting the CA private key. That key signs every server
# and client certificate below, so it is the most sensitive file in the PKI.
./easyrsa build-ca

Create Server Cert

Create server cert and key.

# Generate the server key + CSR. `nopass` leaves the key unencrypted so the
# daemon can start unattended; rely on file permissions to protect it.
./easyrsa gen-req server nopass
# Sign the CSR as a *server* certificate (first arg is the cert type, second
# the request name). Prompts for confirmation and the CA passphrase.
./easyrsa sign-req server server

Create Diffie-Hellman Params.

# Generate Diffie-Hellman parameters (pki/dh.pem); this can take several minutes.
./easyrsa gen-dh

Create TLS Key.

# Generate the tls-auth shared secret in the current directory (the steps
# above left the cwd in the easy-rsa dir; the server setup below copies it
# from there). Every client profile embeds a copy, so handle it like a
# private key. NOTE(review): OpenVPN 2.5+ documents this as
# `openvpn --genkey secret ta.key`; the older `--secret` spelling may warn.
openvpn --genkey --secret ta.key

Create Client Cert

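# Client identity: one key/cert pair per client, each under its own name.
cname=kuga
# Generate the client key + CSR. `nopass` means the key file itself is the
# only protection, so keep it root-readable only. EasyRSA reports:
#   req: /etc/openvpn/easy-rsa/pki/reqs/kuga.req
#   key: /etc/openvpn/easy-rsa/pki/private/kuga.key
./easyrsa gen-req "$cname" nopass
# Sign as a *client* certificate; the server's `remote-cert-tls client`
# only accepts peers presenting a client-typed cert. EasyRSA reports:
#   Certificate created at: /etc/openvpn/easy-rsa/pki/issued/kuga.crt
./easyrsa sign-req client "$cname"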

Copy the files to the client dir.

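# Copy the client cert/key into the per-server client directory.
# $sname must be set *before* it is used here (it was previously assigned only
# in the server setup, leaving these paths as /etc/openvpn/client/), and the
# file names follow $cname instead of a hard-coded client.
sname=kugarocks
: "${cname:?set cname to the client name first}"
mkdir -p "/etc/openvpn/client/$sname"
cp "/etc/openvpn/easy-rsa/pki/issued/$cname.crt" "/etc/openvpn/client/$sname/"
cp "/etc/openvpn/easy-rsa/pki/private/$cname.key" "/etc/openvpn/client/$sname/"
# The key is unencrypted (nopass); make sure only root can read the copy.
chmod 600 "/etc/openvpn/client/$sname/$cname.key"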

Setup Server

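sname=kugarocks
# Absolute source paths: the relative ./easy-rsa/... form only resolves when
# the cwd is /etc/openvpn, but the PKI steps above leave the cwd inside the
# easy-rsa directory.
mkdir -p "/etc/openvpn/server/$sname"
cp /etc/openvpn/easy-rsa/pki/issued/server.crt "/etc/openvpn/server/$sname/"
cp /etc/openvpn/easy-rsa/pki/private/server.key "/etc/openvpn/server/$sname/"
cp /etc/openvpn/easy-rsa/pki/dh.pem "/etc/openvpn/server/$sname/"
cp /etc/openvpn/easy-rsa/ta.key "/etc/openvpn/server/$sname/"
# server.key (nopass) and the tls-auth secret are secrets: root-only copies.
chmod 600 "/etc/openvpn/server/$sname/server.key" "/etc/openvpn/server/$sname/ta.key"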

server.conf

# Listening port and protocol
port 1194
proto udp
dev tun

# Certificate and key file paths
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/kugarocks/server.crt
key /etc/openvpn/server/kugarocks/server.key
dh /etc/openvpn/server/kugarocks/dh.pem

# Only accept peers whose certificate is marked as a client cert, so a copy
# of the server certificate cannot be used to connect as a client.
remote-cert-tls client

# topology
topology subnet

# IP address pool handed out to clients
server 10.8.0.0 255.255.255.0

# Persist client IP assignments; the file is saved every 60 seconds
ifconfig-pool-persist /var/log/openvpn/kugarocks-server-ipp.txt 60

# Push routes to clients: lets clients reach the private network behind the
# ECS host (optional) and send all Internet traffic through it (disabled here)
# push "redirect-gateway def1 bypass-dhcp"

# Push DNS servers to clients (Google public DNS; disabled here)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"

# Let clients talk to each other directly (disabled here)
# client-to-client

# Keepalive: ping every 10 s, treat the peer as gone after 120 s without a
# reply (the server side doubles that timeout)
keepalive 10 120

# Data-channel cipher and HMAC. NOTE(review): only AES-256-CBC is listed, so
# clients cannot negotiate the AEAD cipher (AES-256-GCM) that OpenVPN 2.5+
# prefers; `data-ciphers AES-256-GCM:AES-256-CBC` would allow it while
# keeping CBC for the client config in this guide. `auth` is the HMAC used
# with CBC.
data-ciphers AES-256-CBC
auth SHA256

# Shared tls-auth key: HMAC-signs control-channel packets so unauthenticated
# packets are dropped before the TLS handshake starts. Direction 0 here means
# every client must use direction 1 (`key-direction 1` when the key is
# embedded inline in the profile).
tls-auth /etc/openvpn/server/kugarocks/ta.key 0

# Compression (disabled; compressing encrypted traffic carries a known
# plaintext-recovery risk, so leave it off)
# comp-lzo

# Maximum number of concurrent clients
max-clients 2

# Drop privileges after startup (disabled here, so the daemon keeps running as
# root). Enabling these is the usual hardening; on Debian/Ubuntu the group is
# normally `nogroup` rather than `nobody`, and persist-key/persist-tun are
# needed so restarts still work after the drop.
# user nobody
# group nobody

# Status file (rewritten every minute) and append-only log file
status /var/log/openvpn/kugarocks-server-status.log
log-append /var/log/openvpn/kugarocks-server.log
verb 4

# NOTE(review): 10.8.0.0 with mask 255.0.0.0 is not an aligned network (it
# covers all of 10.0.0.0/8), and clients already get 10.8.0.0/24 from the
# `server` line. Confirm the intended prefix -- if this is meant to expose
# the ECS private network, push that network's prefix and mask instead.
push "route 10.8.0.0 255.0.0.0 vpn_gateway"

# NOTE(review): same prefix as above, installed in the server's own routing
# table via the tun interface; verify it does not shadow the host's real
# routes to other 10.x networks.
route 10.8.0.0 255.0.0.0 vpn_gateway

Client base.conf

# Client base config; genconf.sh appends the inline <ca>/<cert>/<key>/<tls-auth>
# blocks after these lines to build a single-file profile.
client
dev tun
proto udp
# Replace ip-or-host with the server's public address; 1194/udp matches server.conf.
remote ip-or-host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Must match the server's data-ciphers / auth settings.
cipher AES-256-CBC
auth SHA256
verb 3
# NOTE(review): two directives this setup relies on are not present:
#   remote-cert-tls server  - rejects a client certificate presented by a
#                             peer impersonating the server
#   key-direction 1         - required with an inline <tls-auth> key when the
#                             server uses `tls-auth ta.key 0`; without it the
#                             control-channel HMAC check fails

Client genconf.sh

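#!/bin/bash
# Build a single-file client profile: base.conf followed by the inline
# <ca>/<cert>/<key>/<tls-auth> blocks.
#
# Usage: genconf.sh NAME
#   Writes /etc/openvpn/client/kugarocks/NAME.ovpn. NAME only names the output
#   file; the embedded cert/key are the fixed kuga.* files below.
set -euo pipefail

KEY_FILE=/etc/openvpn/client/kugarocks/kuga.key
CRT_FILE=/etc/openvpn/client/kugarocks/kuga.crt
CA_FILE=/etc/openvpn/easy-rsa/pki/ca.crt
TA_FILE=/etc/openvpn/server/kugarocks/ta.key
OVPN_DIR=/etc/openvpn/client/kugarocks
BASE_CONF=/etc/openvpn/client/kugarocks/base.conf

# Require exactly one non-empty NAME; otherwise the output would be ".ovpn".
if [[ $# -ne 1 || -z "$1" ]]; then
  printf 'Usage: %s NAME\n' "${0##*/}" >&2
  exit 2
fi
out="${OVPN_DIR}/${1}.ovpn"

# Fail early with a clear message instead of emitting a partial profile.
for f in "$BASE_CONF" "$CA_FILE" "$CRT_FILE" "$KEY_FILE" "$TA_FILE"; do
  [[ -r "$f" ]] || { printf 'missing or unreadable: %s\n' "$f" >&2; exit 1; }
done

# The profile embeds the client's private key and the tls-auth secret, so
# create it readable by the owner only.
umask 077
{
  cat -- "$BASE_CONF"
  printf '<ca>\n'
  cat -- "$CA_FILE"
  printf '</ca>\n<cert>\n'
  cat -- "$CRT_FILE"
  printf '</cert>\n<key>\n'
  cat -- "$KEY_FILE"
  printf '</key>\n<tls-auth>\n'
  cat -- "$TA_FILE"
  printf '</tls-auth>\n'
} > "$out"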

IP Forwarding & iptables

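# Enable IPv4 forwarding persistently (same line as editing /etc/sysctl.conf
# by hand) and apply it now -- a sysctl.conf edit alone takes effect only on
# reboot or `sysctl -p`.
grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || printf 'net.ipv4.ip_forward=1\n' >> /etc/sysctl.conf
sysctl -w net.ipv4.ip_forward=1
# NAT VPN client traffic out of the uplink interface. eth0 is assumed; confirm
# with `ip route show default`. The -C check keeps the rule from being
# appended a second time on re-runs.
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Persist the rule across reboots (provided by the iptables-persistent /
# netfilter-persistent packages).
netfilter-persistent save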