Linux OpenVPN Server Setup

Download the install script

wget https://git.io/vpn -O openvpn-install.sh

This saves the installer as openvpn-install.sh. Read it before the next step: it is fetched from a shortlink and is about to run as root, so check that it is the script you expect.

bash ./openvpn-install.sh

Follow the prompts to build the VPN server (protocol, port, DNS, client name).

When it finishes, the client profile is written to /root/<client name>.ovpn (here /root/pve.ovpn) and the script prints:

Finished!

The client configuration is available in: /root/pve.ovpn
New clients can be added by running this script again.

TAP bridge mode setup

apt-get install -y bridge-utils

Comment out the stanza for the physical NIC and move its address to a bridge (br0) that has the NIC as a port. Edit /etc/network/interfaces:

auto lo
iface lo inet loopback
#auto eth0
#iface eth0 inet dhcp
auto br0
iface br0 inet static
address 192.168.x.x
netmask 255.255.255.0
gateway 192.168.x.x
network 192.168.x.0
broadcast 192.168.x.255
bridge_ports eth0
#auto eth0
#iface eth0 inet static
#        address 192.168.x.x/24
#        gateway 192.168.x.x

Then restart networking. Do this from a console or out-of-band session: an SSH session over eth0 may drop while the address moves to br0.

service networking restart

Server config changes

Edit /etc/openvpn/server/server.conf (local is the br0 address):

local 192.168.x.x
port 1195
proto tcp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
server-bridge
push "route 192.168.x.0 255.255.255.0"
route-gateway 192.168.x.x
keepalive 10 120
user nobody
group nogroup
cipher AES-256-CBC
persist-key
persist-tun
verb 3
script-security 2
up "/etc/openvpn/server/openvpn_up br0"
down "/etc/openvpn/server/openvpn_down br0"
comp-lzo
status /var/log/openvpn/status.log
duplicate-cn

server-bridge with no arguments runs in DHCP-proxy mode: clients get their address from the DHCP server on the bridged LAN, not from OpenVPN.

The explicit-exit-notify line from the generated config is gone on purpose: it is only valid with proto udp and must be removed when switching to proto tcp. The original also listed cipher AES-256-CBC twice; once is enough.

duplicate-cn allows several clients to connect with the same certificate and key. It removes per-client identity: one leaked profile is everyone's profile, and revoking it cuts off every client using it. Prefer one profile per client (re-run the install script to add one) and leave duplicate-cn out unless you accept that trade-off.

comp-lzo must be set on the client as well (see below). Compression over a TLS tunnel is deprecated and makes the tunnel vulnerable to compression-oracle attacks (VORACLE), so only keep it if you need it.

The up and down scripts are given by absolute path and must be executable: chmod +x /etc/openvpn/server/openvpn_up /etc/openvpn/server/openvpn_down.

Then restart the service:

service openvpn-server@server restart

Edit /etc/openvpn/server/openvpn_up

#!/bin/sh
# Run by OpenVPN (because of up "... br0") as:
#   openvpn_up br0 <tun_dev> <tun_mtu> <link_mtu> <local_ip> <remote_ip> init|restart
# $1 is the bridge name from the up directive; $2 and $3 are OpenVPN's standard
# first two up-script arguments, the device name (tap0) and its MTU.
set -e
BR=$1
DEV=$2
MTU=$3
# Set the MTU, enable promiscuous mode (the bridge has to see every frame),
# bring the tap device up, then make it a port of the bridge
# (ip link ... master is the iproute2 equivalent of brctl addif).
ip link set dev "$DEV" mtu "$MTU" promisc on up
ip link set dev "$DEV" master "$BR"

Edit /etc/openvpn/server/openvpn_down

#!/bin/sh
# Run by OpenVPN as: openvpn_down br0 <tun_dev> ...
# Detach the tap device from the bridge and take it down.
# Because server.conf drops privileges with user nobody, this script runs
# unprivileged and will log an error; that is harmless, since the kernel
# removes the tap device from the bridge when OpenVPN deletes it on exit.
BR=$1
DEV=$2
ip link set dev "$DEV" nomaster
ip link set dev "$DEV" down

Client profile changes

Add the comp-lzo compression option to the client .ovpn so it matches the server (compression has to be configured the same way on both ends or the tunnel will not pass traffic):

comp-lzo

TUN (routed) mode setup

TUN mode is not a bridge: clients get addresses from the server's own pool (10.8.0.0/24 below) and traffic to the LAN is routed, not switched. This is the layout the install script generates by default; annotated:

local 10.0.0.5
push "route 10.0.0.0 255.255.255.0" (push a route to the server's LAN)
push "route 10.8.0.0 255.255.255.0" (push a route for the VPN subnet itself)
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
server 10.8.0.0 255.255.255.0 (subnet handed out to clients)
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem (reject revoked client certificates)
explicit-exit-notify (valid here because proto is udp)
comp-lzo (compression option; must match the client, deprecated, see the note in the TAP section)
log-append /var/log/openvpn/op_server.log (append the log)
status /var/log/openvpn/status.log (status file)
duplicate-cn (several clients may share one certificate and key; weakens per-client identity and revocation, so leave it out unless needed)
service openvpn-server@server restart

For hosts on 10.0.0.0/24 to answer VPN clients, the server must forward packets (net.ipv4.ip_forward=1) and either the LAN needs a route back to 10.8.0.0/24 via 10.0.0.5 or the server must NAT the VPN subnet. The install script normally sets up forwarding and a MASQUERADE rule; if LAN hosts do not reply, check them with sysctl net.ipv4.ip_forward and iptables -t nat -S.

Fixing the warnings

After the changes above the log shows:

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1602', remote='link-mtu 1586'
WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

The first message says the server pins AES-256-CBC with cipher but does not list it in data-ciphers, so a future version will ignore the pin. The link-mtu and keysize warnings are the same mismatch seen from the other side: each end builds its option string from its cipher, key size and compression settings, and the strings only match once both ends agree on them.

Add to the server config (keep the pinned cipher, and list it in the negotiable set):

cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC

Change in the client config:

cipher AES-256-CBC
to
data-ciphers-fallback AES-256-CBC

and add, so the username and password are not kept in memory for reconnects:

auth-nocache

With OpenVPN 2.4 or newer on both ends, the two sides negotiate AES-256-GCM from data-ciphers and the CBC entry is only a fallback for old clients; if there are none, drop the cipher line and the CBC entry altogether.
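As an added example (not from the page or the installer script), the following POSIX shell linter reads a server.conf and client .ovpn pair and reports the conditions discussed in the TAP and TUN server configs and in the warning section: a pinned cipher missing from data-ciphers, a client-side cipher that should be data-ciphers-fallback, comp-lzo on only one end, explicit-exit-notify with proto tcp, auth-user-pass without auth-nocache, and duplicate-cn. It needs only sh and awk; the option names are real OpenVPN options, while the two sample pairs written at the end are constructed to mirror the page's TAP config and its fixed form, not real generated files.

```shell
#!/bin/sh
# Added example: lint an OpenVPN server config and client profile for the
# mismatches behind the warnings above. Not part of the original page.
# Usage: ovpn_lint server.conf client.ovpn   (exit 0 = nothing to report)

# opt FILE NAME: print the value of option NAME (first uncommented match, or empty)
opt() {
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == name { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# has FILE NAME: succeed if option NAME is present and not commented out
has() {
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == name { found = 1 }
        END { exit !found }
    ' "$1"
}

ovpn_lint() {
    srv=$1; cli=$2; n=0
    finding() { n=$((n + 1)); echo "[$n] $*"; }

    # DEPRECATED OPTION warning: --cipher pinned but absent from --data-ciphers
    # (OpenVPN's default list is AES-256-GCM:AES-128-GCM when the option is unset)
    c=$(opt "$srv" cipher)
    dc=$(opt "$srv" data-ciphers)
    dc=${dc:-AES-256-GCM:AES-128-GCM}
    if [ -n "$c" ]; then
        case ":$dc:" in
            *":$c:"*) ;;
            *) finding "server: 'cipher $c' is not in data-ciphers ($dc); add it there or use data-ciphers-fallback" ;;
        esac
    fi

    # Client side: a pinned cipher should become data-ciphers-fallback so that
    # negotiation with a 2.4+ server can still pick an AEAD cipher
    cc=$(opt "$cli" cipher)
    [ -n "$cc" ] && finding "client: replace 'cipher $cc' with 'data-ciphers-fallback $cc'"

    # comp-lzo must match on both ends (link-mtu is derived from it as well)
    if has "$srv" comp-lzo; then s=yes; else s=no; fi
    if has "$cli" comp-lzo; then k=yes; else k=no; fi
    [ "$s" != "$k" ] && finding "comp-lzo differs (server=$s client=$k); both ends must agree"

    # explicit-exit-notify is only valid with proto udp
    p=$(opt "$srv" proto)
    case "$p" in
        udp*) ;;
        *) has "$srv" explicit-exit-notify && finding "server: explicit-exit-notify with proto '$p' (udp only)" ;;
    esac

    # "may cache passwords in memory": auth-user-pass without auth-nocache
    has "$cli" auth-user-pass && ! has "$cli" auth-nocache &&
        finding "client: auth-user-pass without auth-nocache"

    # duplicate-cn: one leaked profile is everyone's, one CRL entry cuts off all of them
    has "$srv" duplicate-cn && finding "server: duplicate-cn shares one identity between clients"

    [ "$n" -eq 0 ]
}

# Constructed sample pairs: the first mirrors the TAP server.conf above with a
# typical client profile, the second is the same pair after the fixes.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/server.conf" <<'EOF'
port 1195
proto tcp
dev tap0
cipher AES-256-CBC
explicit-exit-notify 1
comp-lzo
duplicate-cn
EOF
cat > "$tmpdir/client.ovpn" <<'EOF'
client
dev tap
proto tcp
remote vpn.example.com 1195
auth-user-pass
cipher AES-256-CBC
EOF
cat > "$tmpdir/server-fixed.conf" <<'EOF'
port 1194
proto udp
dev tun
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
explicit-exit-notify
EOF
cat > "$tmpdir/client-fixed.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
auth-user-pass
auth-nocache
data-ciphers-fallback AES-256-CBC
EOF

ovpn_lint "$tmpdir/server.conf" "$tmpdir/client.ovpn" || echo "-> findings in the original pair"
ovpn_lint "$tmpdir/server-fixed.conf" "$tmpdir/client-fixed.ovpn" && echo "-> fixed pair is clean"
```

Run it against the real files (ovpn_lint /etc/openvpn/server/server.conf /root/pve.ovpn) after each edit; the exit status is non-zero while anything remains, so it also works as a pre-restart check in a deploy script. The check for comp-lzo only compares presence, which is what OpenVPN requires; the other checks look at the first uncommented occurrence of each option, so duplicate lines such as the doubled cipher in the original config are not reported.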