The genconf.sh script is shown below. gen_crt() generates the root CA certificate, the DH parameters, the server certificate and the client certificate; easy-rsa3 must be installed first and the correct path set in genconf.sh. client() generates the client configuration file client.conf. server() generates the server configuration file server.conf and the server-side OpenVPN up script server_up.sh.

```sh
#!/bin/sh -e
# Path to the easy-rsa3 checkout; adjust to your installation.
EASYRSA_DIR=/work/easy-rsa/easyrsa3
EASYRSA=$EASYRSA_DIR/easyrsa

# Build a fresh PKI: CA, DH parameters, one client and one server certificate.
# The pki/ directory is created relative to the current working directory.
gen_crt() {
    rm -rf pki/
    $EASYRSA init-pki
    $EASYRSA --batch build-ca nopass
    $EASYRSA gen-dh
    $EASYRSA build-client-full client nopass
    $EASYRSA build-server-full server nopass
}

# Write client.conf with CA, certificate and key embedded inline.
# The sed range keeps only the PEM block; easy-rsa's issued .crt files
# start with a text dump of the certificate that OpenVPN must not see.
client() {
    cat <<EOT > client.conf
client
dev tun
proto udp
remote your.domain 81
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
`cat pki/ca.crt`
</ca>
<cert>
`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' pki/issued/client.crt`
</cert>
<key>
`cat pki/private/client.key`
</key>
cipher AES-256-CBC
verb 3
comp-lzo
up "/etc/openvpn/client_up_down.sh"
down "/etc/openvpn/client_up_down.sh"
EOT
}

# Write server.conf (same inline layout, plus DH parameters) and the up script
# that enables forwarding and NATs the VPN subnet out of eth0.
server() {
    cat <<EOT > server.conf
port 81
proto udp
dev tun
<ca>
`cat pki/ca.crt`
</ca>
<cert>
`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' pki/issued/server.crt`
</cert>
<key>
`cat pki/private/server.key`
</key>
<dh>
`cat pki/dh.pem`
</dh>
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
push "dhcp-option DNS 8.8.8.8"
comp-lzo
script-security 2
up "/etc/openvpn/server_up.sh"
EOT
    cat <<EOT > server_up.sh
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
EOT
    chmod +x server_up.sh
}

# Regenerate the PKI only when an argument is given; always rewrite the configs.
[ $# -ne 0 ] && gen_crt
client
server
```
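The configuration files genconf.sh writes embed the private key and use the directives shown above and nothing more. As an added example (not part of the original post and not from easy-rsa or OpenVPN), the following POSIX sh lint checks a generated client.conf or server.conf for settings that OpenVPN's own hardening advice covers and that the files above leave unset or enabled. The sample configs it writes are constructed copies of the generated ones with a placeholder where the real inline key would be.

```sh
#!/bin/sh
# Added example, not part of the original post: a lint for the client.conf /
# server.conf files that genconf.sh writes. The sample configs written by
# write_sample are constructed; the key block is a placeholder, not a real key.

# audit_conf client|server FILE
# Prints one line per finding; returns 0 when nothing was flagged, 1 otherwise.
audit_conf() {
    role=$1 conf=$2 findings=0
    flag() { echo "$conf: $1"; findings=$((findings + 1)); }

    # Client side: require the server certificate to carry the serverAuth EKU
    # (easy-rsa's build-server-full sets it). Without this directive any
    # client certificate signed by the same CA is accepted as a server.
    if [ "$role" = client ] && ! grep -q '^remote-cert-tls server' "$conf"; then
        flag "missing 'remote-cert-tls server'"
    fi
    # Control-channel HMAC: unauthenticated packets are dropped before TLS runs.
    if ! grep -Eq '^(tls-crypt|tls-auth) ' "$conf"; then
        flag "missing tls-crypt/tls-auth"
    fi
    # Compressing traffic before encryption is no longer recommended by OpenVPN.
    if grep -q '^comp-lzo' "$conf"; then
        flag "comp-lzo enabled"
    fi
    # script-security 2 is the minimum that allows up/down scripts; level 3
    # additionally passes passwords to scripts through the environment.
    if grep -Eq '^script-security [3-9]' "$conf"; then
        flag "script-security above 2"
    fi
    # An inline <key> block makes the config file itself a secret.
    if grep -q '^<key>' "$conf"; then
        case $(ls -ld "$conf") in
        ???????r*) flag "world-readable config with inline private key" ;;
        esac
    fi
    [ "$findings" -eq 0 ]
}

# write_sample client|server FILE: constructed copy of what genconf.sh produces,
# certificate blocks omitted, key block replaced by a placeholder.
write_sample() {
    case $1 in
    client) cat <<'EOT' > "$2"
client
dev tun
proto udp
remote your.domain 81
resolv-retry infinite
nobind
persist-key
persist-tun
<key>
(constructed placeholder, not a real key)
</key>
cipher AES-256-CBC
verb 3
comp-lzo
up "/etc/openvpn/client_up_down.sh"
down "/etc/openvpn/client_up_down.sh"
EOT
    ;;
    server) cat <<'EOT' > "$2"
port 81
proto udp
dev tun
<key>
(constructed placeholder, not a real key)
</key>
server 10.8.0.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
status /etc/openvpn/openvpn-status.log
comp-lzo
script-security 2
up "/etc/openvpn/server_up.sh"
EOT
    ;;
    esac
    chmod 600 "$2"
}

# Usage: sh ovpn_lint.sh client /etc/openvpn/client.conf
if [ $# -eq 2 ]; then
    audit_conf "$1" "$2"
fi
```

Run against the files genconf.sh produced, the client config is flagged three times (remote-cert-tls, control-channel HMAC, comp-lzo) and the server config twice; the permission check fires only if the file is left world-readable after copying it to /etc/openvpn.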
client_up_down.sh adds DNS settings and routes after the OpenVPN client connection is established, and removes the DNS settings and the related routes after the connection is torn down.

```sh
#!/bin/sh
# OpenVPN sets $script_type to "up" or "down" when it runs this script;
# do nothing if invoked any other way.
[ "$script_type" ] || exit 0

# Add or delete ($1 = add|del) routes for Chinese IP ranges via the LAN gateway
# on every physical interface, so that traffic to them bypasses the tunnel.
route_china() {
    ifs=`ls /sys/class/net`
    for ifname in $ifs; do
        if [ "$ifname" = lo ] || [ "$ifname" = ppp0 ] || [ "$ifname" = tun0 ]; then
            continue
        fi
        /work/sbin/batchroute $1 :china via 192.168.3.1 dev $ifname
    done
}

case "$script_type" in
up)
    ip route delete default || :
    # Host route to the VPN server (xx.xx.xx.xx is a placeholder for its address)
    # via the LAN gateway, so the tunnel's own packets do not enter the tunnel.
    ip route add xx.xx.xx.xx via 192.168.3.1 || :
    ip route add default dev tun0
    route_china add
    ;;
down)
    ip route delete default || :
    ip route add default via 192.168.3.1 || :
    route_china del
    ;;
esac
# Debian's helper that applies/removes the DNS pushed by the server
/etc/openvpn/update-resolv-conf
```
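Whether the script above left the routing table in a sane state is easy to verify after connecting and disconnecting. As an added example (not part of the original post), this POSIX sh check reads `ip route show` output from stdin and confirms the invariants the up/down branches rely on: exactly one default route, the default on tun0 after `up` together with a host route to the VPN server via the LAN gateway (without it the encrypted packets would loop back into the tunnel), and the default restored via the gateway with no stale tun0 routes after `down`. The gateway and device names follow the post; VPN_SERVER stands in for the post's xx.xx.xx.xx and is a constructed placeholder, as are the sample tables.

```sh
#!/bin/sh
# Added example, not part of the original post: check that the routing table
# is in the state client_up_down.sh is meant to leave it in. Reads
# "ip route show" output from stdin so a captured table can be checked offline.
# VPN_SERVER is a constructed placeholder for the post's xx.xx.xx.xx.

LAN_GW=192.168.3.1
VPN_DEV=tun0
VPN_SERVER=${VPN_SERVER:-203.0.113.10}

# verify_routes up|down < routing-table
# Returns 0 when the table matches the expected state, 1 with a reason otherwise.
verify_routes() {
    state=$1
    table=$(cat)
    ndef=$(printf '%s\n' "$table" | grep -c '^default ' || :)
    if [ "$ndef" -ne 1 ]; then
        echo "expected exactly one default route, found $ndef"
        return 1
    fi
    case $state in
    up)
        # Everything without a more specific route goes into the tunnel.
        if ! printf '%s\n' "$table" | grep -q "^default dev $VPN_DEV"; then
            echo "default route is not on $VPN_DEV"
            return 1
        fi
        # The tunnel endpoint itself must be reached through the LAN gateway;
        # otherwise the encrypted packets would be routed back into the tunnel.
        if ! printf '%s\n' "$table" | grep -q "^$VPN_SERVER via $LAN_GW "; then
            echo "no host route to $VPN_SERVER via $LAN_GW"
            return 1
        fi
        ;;
    down)
        if ! printf '%s\n' "$table" | grep -q "^default via $LAN_GW"; then
            echo "default route not restored via $LAN_GW"
            return 1
        fi
        # A leftover route on the (now gone) tunnel device would blackhole traffic.
        if printf '%s\n' "$table" | grep -q " dev $VPN_DEV"; then
            echo "stale route on $VPN_DEV"
            return 1
        fi
        ;;
    *)
        echo "usage: verify_routes up|down"
        return 2
        ;;
    esac
    echo "routing table consistent with state '$state'"
    return 0
}

# Constructed sample tables (not captured from a real host).
sample_up() {
    printf '%s\n' \
        "default dev $VPN_DEV scope link" \
        "$VPN_SERVER via $LAN_GW dev eth0" \
        "10.8.0.0/24 dev $VPN_DEV proto kernel scope link src 10.8.0.2" \
        "192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.20"
}
sample_down() {
    printf '%s\n' \
        "default via $LAN_GW dev eth0" \
        "192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.20"
}
# Tunnel is up but the host route to the server is missing: a routing loop.
sample_loop() {
    printf '%s\n' \
        "default dev $VPN_DEV scope link" \
        "192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.20"
}

# Usage on a live host: ip route show | sh verify_routes.sh up
if [ $# -eq 1 ]; then
    verify_routes "$1"
fi
```

The loop case is the one worth remembering: if the `ip route add xx.xx.xx.xx via 192.168.3.1` line fails silently (it is followed by `|| :`), the default route still moves onto tun0 and the tunnel stalls, which this check reports instead of leaving you to guess.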
The script above uses the batchroute command (https://insidelinuxdev.net/article/a01d28.html) so that Chinese IP ranges bypass the VPN connection.

Run ./genconf.sh.

On the server, copy server.conf to /etc/openvpn/ and server_up.sh to /etc/openvpn, make server_up.sh executable, and run `service openvpn restart` or `/etc/init.d/openvpn restart`. Note that when started under systemd the OpenVPN process does not start until a client connects; do not mistake this for a failed start.

On the client, copy client.conf and client_up_down.sh to /etc/openvpn and make client_up_down.sh executable. Start it the same way as on the server.
/etc/network/if-up.d/openvpn
```sh
root@herbert-pc:/etc/network# cat if-up.d/openvpn
#!/bin/bash
OPENVPN=/usr/sbin/openvpn
OPENVPN_INIT=/etc/init.d/openvpn
SYSTEMCTL=/bin/systemctl       # defined but not used by this hook
SYSTEMD=/run/systemd/system    # defined but not used by this hook

# Nothing to do if OpenVPN is not installed.
if [ ! -x $OPENVPN ]; then
    exit 0
fi

echo "`date` openvpn pre up $IFACE" >> /tmp/debug_net_script

# Ignore loopback and the tunnel interfaces OpenVPN creates itself.
if [ "$IFACE" == "lo" -o "${IFACE:0:3}" == "tun" ]; then
    exit 0
fi

echo "`date` execute /etc/init.d/openvpn start" >> /tmp/debug_net_script
$OPENVPN_INIT start
exit 0
```
/etc/network/if-post-down.d/openvpn
```sh
root@herbert-pc:/etc/network# cat if-post-down.d/openvpn
#!/bin/bash
OPENVPN=/usr/sbin/openvpn
OPENVPN_INIT=/etc/init.d/openvpn
SYSTEMCTL=/bin/systemctl       # defined but not used by this hook
SYSTEMD=/run/systemd/system    # defined but not used by this hook

if [ ! -x $OPENVPN ]; then
    exit 0
fi

# ($IFACE was misspelled $IFCAE in the original, logging an empty name.)
echo "`date` openvpn pre down $IFACE" >> /tmp/debug_net_script

if [ "$IFACE" = "lo" -o "${IFACE:0:3}" = "tun" ]; then
    exit 0
fi

echo "`date` execute /etc/init.d/openvpn stop" >> /tmp/debug_net_script
$OPENVPN_INIT stop
exit 0
```
Please comply with Chinese law and use the VPN only for looking up reference material, office work and the like.