Main references
I. A few deployment guides
1. https://www.fandenggui.com/post/centos7-install-openvpn.html
2. https://my.oschina.net/stache/blog/1512610
Explanation of the configuration options:
https://www.ilanni.com/?p=9847
Username/password authentication setup:
http://www.89cool.com/811.html
Configuring selective routing in OpenVPN
II. Notes
1. Username/password authentication: note that
OpenVPN 2.4.7 dropped the client-cert-not-required option; use verify-client-cert none instead.
2. System and iptables configuration
2.1 Enable IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
2.2 iptables NAT configuration
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# This is the simplest possible configuration
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
*filter
# ... several rules omitted ...
-A INPUT -s 10.8.0.0/24 -p all -j ACCEPT
-A FORWARD -d 10.8.0.0/24 -j ACCEPT
# ... several rules omitted ...
3. checkpsw.sh
#!/bin/sh
# Called by OpenVPN through "auth-user-pass-verify checkpsw.sh via-env":
# the username and password arrive in the environment variables $username and $password.
PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
    exit 1
fi

# Skip ';' and '#' comment lines; take the password from the first line whose first field is the username.
# The username is handed to awk with -v instead of being spliced into the awk program text.
CORRECT_PASSWORD=$(awk -v u="${username}" '!/^;/ && !/^#/ && $1==u {print $2; exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
    # Note: this branch and the failure branch below write the submitted password to the log in clear text.
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
    exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
    exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
Note: because OpenVPN runs as the nobody user, pay attention to the permissions on password.log and checkpsw.sh.
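As an added example (not from the original post or the OpenVPN project): a variant of the script above that keeps salted SHA-512-crypt hashes in psw-file instead of clear-text passwords, and never writes the submitted password anywhere. It assumes OpenSSL 1.1.1 or newer (for openssl passwd -6) and script-security 3 in server.conf; the helper names, the demo user and the log target are my own choices.

```shell
#!/bin/sh
# Added example: hashed-password variant of checkpsw.sh.
# psw-file format, one entry per line:   username $6$<salt>$<hash>
# Hook it up with:  auth-user-pass-verify /etc/openvpn/checkpsw-hashed.sh via-env

# Return 0 if the user exists and the password matches the stored hash, otherwise 1.
check_user_password() {
    user=$1; pass=$2; pwfile=$3
    [ -r "$pwfile" ] || return 1
    # Skip ';' and '#' comment lines; first field is the username, second the hash.
    stored=$(awk -v u="$user" '!/^[;#]/ && $1==u {print $2; exit}' "$pwfile")
    [ -n "$stored" ] || return 1
    # "$6$salt$hash" -> field 3 is the salt.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    # Recompute with the stored salt; the password is fed on stdin so it never
    # shows up in the process list.
    computed=$(printf '%s\n' "$pass" | openssl passwd -6 -salt "$salt" -stdin)
    [ "$computed" = "$stored" ]
}

# Write a constructed demo password file (sample data, not real users) and print its path.
make_demo_pwfile() {
    f=$(mktemp)
    h=$(printf '%s\n' 'correct horse battery staple' | openssl passwd -6 -stdin)
    printf '# demo users\nalice %s\n' "$h" > "$f"
    echo "$f"
}

# Hook entry point: with via-env, OpenVPN supplies $username and $password.
# Results go to syslog, so no log file owned by root has to be writable by nobody.
if [ -n "${username:-}" ]; then
    if check_user_password "$username" "$password" "${PASSFILE:-/etc/openvpn/server/user/psw-file}"; then
        logger -t openvpn-auth "Successful authentication: username=\"$username\""
        exit 0
    fi
    logger -t openvpn-auth "Authentication failed: username=\"$username\""
    exit 1
fi
```

Generate an entry for a new user with printf '%s\n' 'thepassword' | openssl passwd -6 -stdin and append "username <hash>" to psw-file.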
4. tcpdump is a great tool for looking at network connections. Non-specialists had better not play with it, but it is worth learning.
5. Send only specific addresses through the VPN tunnel, to save traffic.
5.1 One setting in server.conf on the server
#push "redirect-gateway def1 bypass-dhcp"
This setting forces the route to be pushed to the client; in other words, once it is set, all client requests go through the VPN.
5.2 When the setting from 5.1 is left unconfigured (commented out, as above), client traffic does not go through the VPN by default, and you need to configure the routes yourself on the client.
Add to the client.ovpn configuration file
Example: send Twitter through the VPN
# NTT Twitter
route 168.143.0.0 255.255.0.0 vpn_gateway
route 128.121.0.0 255.255.0.0 vpn_gateway
As above:
vpn_gateway means route through the VPN
net_gateway means route outside the VPN