基于web管理OpenVPN服务的安装使用详解
作者:公众号: 云原生生态圈
正文
服务名称 | 版本 | 备注 |
---|---|---|
OpenVPN | openvpn-2.4.12-1.el7.x86_64 | github有开源一键安装脚本项目 |
操作系统 | CentOS Linux 7 (Core)/Linux 3.10.0-1160.11.1.el7.x86_64 | |
默认python | Python 2.7.5 | |
Openvpnas | openvpn-as-2.11.0_794ab41d-CentOS7.x86_64.rpm | |
openvpn-as-bundled-clients | openvpn-as-bundled-clients-25.rpm |
python版本修改
系统默认的python版本为2.7.5
,此版本对目前的openvpnas依赖的运行时版本来说太低了,因此稍微调整下版本
rm -rf /usr/bin/python ln -s /usr/bin/python3.6 /usr/bin/python #微信订阅号1:云原生生态圈 [root@vm-24-13-centos openvpnas]# python --version Python 3.6.8
安装openVPN服务
GitHub上已经有人将安装的过程写成shell脚本了,我们这里只要去下载然后一键安装就好了。
- 安装并生成wahaha用户的客户端配置
wget -O openvpn-install.sh https://ghproxy.com/https://github.com/Nyr/openvpn-install/blob/master/openvpn-install.sh bash ./openvpn-install.sh #按照提示完成安装即可 # 创建用户测试openVPN服务是否正常可用 [root@vm-24-13-centos openvpnas]# bash ./openvpn-install.sh OpenVPN is already installed. #微信订阅号2:云原生生态圈 Select an option: 1) Add a new client 2) Revoke an existing client 3) Remove OpenVPN 4) Exit Option: 1 Provide a name for the client: Name: wahaha # 此处填写客户端用户名 Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Generating a 2048 bit RSA private key ...........+++ ...........................................................................................................................+++ writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-3528.1YPIvY/tmp.WSJFtM' ----- Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-3528.1YPIvY/tmp.M3K3Dv Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'wahaha' Certificate is to be certified until Oct 6 10:25:26 2032 GMT (3650 days) Write out database with 1 new entries Data Base Updated wahaha added. Configuration available in:/root/wahaha.ovpn #微信订阅号3:云原生生态圈 [root@vm-24-13-centos openvpnas]# ls -al /root/wahaha.ovpn # 使用此客户端配置文件在openVPN connector或者Tunnelblick上测试是否可正常链接 -rw-r--r-- 1 root root 4944 Oct 9 18:25 /root/wahaha.ovpn
- 吊销wahaha客户端配置
[root@vm-24-13-centos openvpnas]# bash ./openvpn-install.sh OpenVPN is already installed. Select an option: 1) Add a new client 2) Revoke an existing client 3) Remove OpenVPN 4) Exit Option: 2 Select the client to revoke: 1) marionxue 2) zhangsan 3) wangwu 4) sunwei 5) wahaha Client: 5 Confirm wahaha revocation? [y/N]: y Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-6774.jtuovx/tmp.GIgu00 Revoking Certificate 61A8ED5490C8018ACDE6909EF0133B6B. Data Base Updated Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017 Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-6816.Z2PRCV/tmp.6rZIjZ #微信订阅号6:云原生生态圈 An updated CRL has been created. CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem wahaha revoked!
安装openvpn web 服务
在验证openVPN没有问题后,即可安装openvpnas服务,但是默认情况下,此web服务只允许两个客户端链接,因此我们需要参考网上的破解的方式,修改一下此限制。下面先安装一下web服务。
安装openvpnas
wget https://openvpn.net/downloads/openvpn-as-latest-CentOS7.x86_64.rpm # openvpn-as-2.11.0_794ab41d-CentOS7.x86_64.rpm wget https://openvpn.net/downloads/openvpn-as-bundled-clients-latest.rpm # openvpn-as-bundled-clients-25.rpm yum localinstall -y ./openvpn-as*.rpm # 检查openvpn服务 [root@vm-24-13-centos openvpnas]# systemctl status openvpn-server@server ● openvpn-server@server.service - OpenVPN service for server Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2022-10-08 16:59:55 CST; 1 day 1h ago Docs: man:openvpn(8) https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/HOWTO Main PID: 49185 (openvpn) Status: "Initialization Sequence Completed" CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service └─49185 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: 49.232.x.x:52801 [wangwu] Peer Connection Initiated with [AF_INET]49.232.x.x:52801 Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)#微信订阅号12:云原生生态圈 Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 MULTI: Learn: 10.8.0.2 -> wangwu/49.232.x.x:52801 Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 MULTI: primary virtual IP for wangwu/49.232.x.x:52801: 10.8.0.2 Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 PUSH: Received control message: 'PUSH_REQUEST' Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 SENT CONTROL [wangwu]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 183.60.83.19,dhcp-option DNS 183.60.82.98,route-gateway 10....6-GCM' (status=1) Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 Data Channel: using negotiated cipher 'AES-256-GCM' Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Oct 08 17:04:33 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 SIGTERM[soft,remote-exit] received, client-instance exiting Hint: Some lines were ellipsized, use -l to show in full. # 检查openvpn的web服务openvpnas [root@vm-24-13-centos openvpnas]# systemctl status openvpnas.service ● openvpnas.service - OpenVPN Access Server Loaded: loaded (/usr/lib/systemd/system/openvpnas.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2022-10-08 18:46:34 CST; 23h ago Process: 31318 ExecStop=/bin/bash /usr/local/openvpn_as/scripts/openvpn_service_cleanup (code=exited, status=0/SUCCESS) Main PID: 31332 (python3) Tasks: 18 Memory: 246.0M CGroup: /system.slice/openvpnas.service ├─31332 python3 -c from pyovpn.sagent.sagent_entry import openvpnas ; openvpnas() --nodaemon --logfile=/var/log/openvpnas.log --pidfile= ├─31374 /usr/bin/python3 -c from pyovpn.cserv.wserv_entry import start ; start() -no -u openvpn_as -g openvpn_as --pidfile /usr/local/openvpn_as/etc/tmp/wserv.pid ├─31375 /usr/bin/python3 -c from pyovpn.log.logworker import start ; start() ├─31394 /usr/bin/python3 -c from pyovpn.sagent.iptworker import start6 ; start6() ├─31398 /usr/bin/python3 -c from pyovpn.sagent.iptworker import start ; start() ├─31405 openvpn-openssl --errors-to-stderr --config stdin ├─31407 openvpn-openssl --errors-to-stderr --config stdin └─31459 iptables-restore -n Oct 08 18:46:34 vm-24-13-centos systemd[1]: Started OpenVPN Access Server.
修改用户限制
网络上有存在不同版本的编译文件,不想使用的可以直接去找,我们这里使用的是最新的openvpnas服务,需要自己手动修改下
- 备份安装目录下的
pyovpn-2.0-py3.6.egg
文件
[root@vm-24-13-centos openvpnas]# cd /usr/local/openvpn_as/lib/python/ [root@vm-24-13-centos python]# cp pyovpn-2.0-py3.6.egg{,.back} [root@vm-24-13-centos python]# ls -alh|grep pyovpn drwxr-xr-x 37 root root 4.0K Oct 8 18:08 pyovpn -rw-r--r-- 1 root root 5.8M Oct 8 18:45 pyovpn-2.0-py3.6.egg -rw-r--r-- 1 root root 5.7M Oct 8 17:28 pyovpn-2.0-py3.6.egg.back #这是备份出来的文件 -rwxr-xr-x 1 root root 19K Jun 15 22:28 pyovpnc.cpython-36m-x86_64-linux-gnu.so
- 编译补丁文件
[root@vm-24-13-centos openvpnas]# cd /root/openvpnas [root@vm-24-13-centos openvpnas]# mkdir compile && cd $_ [root@vm-24-13-centos compile]# cp /usr/local/openvpn_as/lib/python/pyovpn-2.0-py3.6.egg . [root@vm-24-13-centos compile]# unzip -q ./pyovpn-2.0-py3.6.egg [root@vm-24-13-centos compile]# ls common EGG-INFO pyovpn pyovpn-2.0-py3.6.egg [root@vm-24-13-centos compile]# cd pyovpn/lic/ [root@vm-24-13-centos lic]# ls -a . .. conf info.pyc __init__.pyc ino.pyc lbcs.pyc lbq.pyc lic_entry.pyc licerror.pyc lichelper.pyc lickey.pyc licser.pyc licstore.pyc liman.pyc lspci.pyc prop.pyc uprop.pyc vprop.pyc [root@vm-24-13-centos lic]# mv uprop.pyc uprop2.pyc [root@vm-24-13-centos lic]# vim uprop.py [root@vm-24-13-centos lic]# cat uprop.py from pyovpn.lic import uprop2 old_figure = None def new_figure(self, licdict): ret = old_figure(self, licdict) ret['concurrent_connections'] = 6666 return ret #微信订阅号:云原生生态圈 for x in dir(uprop2): if x[:2] == '__': continue if x == 'UsageProperties': exec('old_figure = uprop2.UsageProperties.figure') exec('uprop2.UsageProperties.figure = new_figure') exec('%s = uprop2.%s' % (x, x)) [root@vm-24-13-centos lic]# python -O -m compileall uprop.py && mv __pycache__/uprop.*.pyc uprop.pyc Compiling 'uprop.py'... # 最后打包一下就结束了 [root@vm-24-13-centos lic]# cd ../../ [root@vm-24-13-centos compile]# zip -rq pyovpn-2.0-py3.6.egg ./pyovpn ./EGG-INFO ./common
- 替换补丁文件,重启服务
cp ./pyovpn-2.0-py3.6.egg /usr/local/openvpn_as/lib/python/ systemctl restart openvpnas.service
- 使用openvpn账号登录
新版本会在openvpnas安装的时候初始化openvpn的密码
grep -i 'password.$' /usr/local/openvpn_as/init.log
- 配置客户端
在完成以上操作且验证没问题之后,就可以创建部分用户,来体验一下
从以上来看,不同的客户端用户可以分配不同的权限,以及客户端账号的认证方式等等,创建完成之后,使用客户端用户的账号以及密码登录openvpnas,下载客户端连接工具以及自助生成客户端的配置文件:访问地址为:https://ip:943/
登录之后,即可下载客户端软件以及创建对应的配置文件了
创建完成之后,在管理后台也可以管理用户的配置文件
下载配置文件后,即可在推荐的openvpn-connect或者Tunnelblick上打开使用了。
使用OpenVPN AS.不仅仅可以在web浏览器上更方便管理用户和权限,也能更方便的吊销证书等,同时也更大的化的方便客户端人员的使用。
到此,OpenVPNAS的主要介绍的就这些了,更多关于web管理OpenVPN服务安装的资料请关注脚本之家其它相关文章!