OpenVPN

OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its advantage is that it is simple and easy to use. OpenVPN runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows 2000/XP/Vista, and includes many security features.

OpenVPN server

  • Update the system packages

root@iZbp1j7lkpb4u4etrx0dq7Z:~# sudo apt update && sudo apt upgrade

Check the host's network interfaces and public IP

  • Check the host's network interfaces

root@iZbp1j7lkpb4u4etrx0dq7Z:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:0b:8a:30 brd ff:ff:ff:ff:ff:ff
    inet 172.27.15.76/20 brd 172.27.32.255 scope global dynamic eth0
       valid_lft 315288418sec preferred_lft 315288418sec
    inet6 fe80::216:3eff:fe0b:8a30/64 scope link
       valid_lft forever preferred_lft forever
root@iZbp1j7lkpb4u4etrx0dq7Z:~# ip a show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:0b:8a:30 brd ff:ff:ff:ff:ff:ff
    inet 172.27.15.76/20 brd 172.27.32.255 scope global dynamic eth0
       valid_lft 315288410sec preferred_lft 315288410sec
    inet6 fe80::216:3eff:fe0b:8a30/64 scope link
       valid_lft forever preferred_lft forever

  • Check the public IP

root@iZbp1j7lkpb4u4etrx0dq7Z:~# dig +short myip.opendns.com @resolver1.opendns.com
125.56.79.38

or

root@iZbp1j7lkpb4u4etrx0dq7Z:~# dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'
125.56.79.38

  • About the IP addresses
    There are two addresses here, corresponding to two network interfaces:
    • Public IP: reachable directly from the Internet.
    • Private IP: reachable only from inside the private network.

Install script

  • Download the install script

root@iZbp1j7lkpb4u4etrx0dq7Z:~# wget https://git.io/vpn -O openvpn-install.sh

Note:
The download may fail here because this address answers with a 301 redirect. If it fails, use this address directly instead: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh. You can also download openvpn-install.sh locally and upload it.

Install OpenVPN with the script

root@iZbp1j7lkpb4u4etrx0dq7Z:~# sudo chmod +x openvpn-install.sh
root@iZbp1j7lkpb4u4etrx0dq7Z:~# sudo bash ./openvpn-install.sh
Welcome to this OpenVPN road warrior installer!

Which IPv4 address should be used?
1) 172.27.15.76
2) 172.17.0.1
IPv4 address [1]: 1

This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [125.56.79.38]:

Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]:

What port should OpenVPN listen to?
Port [1194]:

Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]:

Enter a name for the first client:
Name [client]: desktop

OpenVPN installation is ready to begin.
Press any key to continue...

After the installation

  • Check the installation result

Wait a moment for the script to finish, then check whether the installation succeeded:

root@iZbp1j7lkpb4u4etrx0dq7Z:~# sudo systemctl status openvpn-server@server.service
● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-12-03 19:48:38 CST; 1s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 27120 (openvpn)
   Status: "Initialization Sequence Completed"
    Tasks: 1 (limit: 2315)
   Memory: 1.0M
   CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
           └─27120 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf

Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: UDPv4 link local (bound): [AF_INET]172.26.5.75:1194
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: UDPv4 link remote: [AF_UNSPEC]
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: GID set to nogroup
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: UID set to nobody
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: MULTI: multi_init called, r=256 v=256
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: IFCONFIG POOL LIST
Dec 03 19:48:38 iZbp1j7lkpb4u4etrx0dq7Z openvpn[27120]: Initialization Sequence Completed

  • Check the firewall

If the VPC security group has no inbound rule for it, add an inbound rule for protocol UDP, port 1194.

Alibaba Cloud security group configuration

OpenVPN client

Look at the client configuration desktop.ovpn that was generated in the server's home directory.

root@iZbp1j7lkpb4u4etrx0dq7Z:~# ls
desktop.ovpn

Copy the client configuration desktop.ovpn generated by the OpenVPN server to the local machine:

scp root@125.56.79.38:~/desktop.ovpn .

Linux

  • Debian

$ sudo apt install openvpn

  • CentOS

$ sudo yum install openvpn

Copy desktop.ovpn to /etc/openvpn/:

$ sudo cp desktop.ovpn /etc/openvpn/client.conf

Test whether the configuration can connect to the server:

$ sudo openvpn --client --config /etc/openvpn/client.conf

Start the OpenVPN service:

$ sudo systemctl start openvpn@client.service

Windows

  • Download the client

Windows client download

Windows client

  • Configure the client

There are two ways:

First

In the client, choose "Import config file" and select the configuration file to import.

Second

Place the client configuration in the directory C:\Users\<login name>\OpenVPN\config.

  • Start OpenVPN

Windows status display

OpenVPN route configuration

By default, traffic is routed through the VPN first. If you want only specific IP ranges to go through the VPN, add route configuration.

Route the 10.8.0.0/24 range through the VPN:

route 10.8.0.0 255.255.255.0
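As an added example (not code from the original post or from the openvpn-install project), the following shell functions turn a generated desktop.ovpn into a split-tunnel profile: the installer's server.conf pushes "redirect-gateway def1" to clients, so a client-side route line alone still leaves all traffic on the tunnel unless that push is ignored. It assumes an OpenVPN 2.4 or newer client (for the pull-filter option) and uses a constructed sample profile in place of the real file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build a split-tunnel client profile from a full-tunnel one.
# make_split_tunnel SRC DST NET MASK
make_split_tunnel() {
    src="$1"; dst="$2"; net="$3"; mask="$4"
    # Drop any existing redirect-gateway / route / pull-filter lines so the
    # result is deterministic regardless of what the generated file contains.
    grep -v -E '^(redirect-gateway|route |route-nopull|pull-filter)' "$src" > "$dst"
    # Ignore the default-route push from the server (OpenVPN 2.4+ option);
    # other pushed options such as DNS servers are still accepted.
    printf 'pull-filter ignore "redirect-gateway"\n' >> "$dst"
    # Send only the given network through the tunnel.
    printf 'route %s %s\n' "$net" "$mask" >> "$dst"
}

# count_tunnel_routes FILE: number of explicit "route a.b.c.d mask" lines.
count_tunnel_routes() {
    n=$(grep -c -E '^route [0-9]' "$1") || true
    echo "${n:-0}"
}

# Constructed sample profile standing in for the real desktop.ovpn; the
# installer normally pushes redirect-gateway from the server rather than
# writing it into the client file, so the line here only exercises the filter.
sample_ovpn() {
    cat <<'EOF'
client
dev tun
proto udp
remote 125.56.79.38 1194
resolv-retry infinite
nobind
redirect-gateway def1
verb 3
EOF
}

# Usage:
#   sample_ovpn > /tmp/desktop.ovpn
#   make_split_tunnel /tmp/desktop.ovpn /tmp/desktop-split.ovpn 10.8.0.0 255.255.255.0
#   sudo openvpn --client --config /tmp/desktop-split.ovpn
```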