A while ago I had a colleague set up an OpenVPN server. After the colleague left, I tried to revoke accounts from the command line, but it kept failing with errors, and meanwhile new accounts kept having to be added. A web page to manage all of this would be far nicer, so I searched GitHub and found this project:
https://github.com/Chocobozzz/OpenVPN-Admin
It matched what I needed exactly, so I cloned it and started installing.
Run the following commands in order:

```
yum install epel-release
yum install openvpn httpd php-mysql mariadb-server php nodejs unzip git wget sed npm
npm install -g bower
systemctl enable mariadb
systemctl start mariadb
```

Note that the php package in the stock CentOS 7 repositories is 5.4, which is below the project's minimum; that is what causes the trouble further down.
```
./install.sh /data/apps/www_openvpn sean admin
Server Hostname/IP: x.x.x.x
Port [443]: xxxx
MySQL root password:
MySQL user name for OpenVPN-Admin (will be created): admin
MySQL user password for OpenVPN-Admin:
############ Certificates informations ##################
Key size (1024, 2048 or 4096) [2048]:
Root certificate expiration (in days) [3650]:
Certificate expiration (in days) [3650]:
Country Name (2 letter code) [US]: CN
State or Province Name (full name) [California]: Beijing
Locality Name (eg, city) [San Francisco]: Beijing
Organization Name (eg, company) [Copyleft Certificate Co]: yonyou
Organizational Unit Name (eg, section) [My Organizational Unit]: yonyou
Email Address [me@example.net]: rainingwalk@sina.com
Common Name (eg, your name or your server’s hostname) [ChangeMe]: jump1-iuap-hb2-ali.yonyouiuap.com
```

Although the installer offers 1024 as a key size, do not pick it; keep the 2048 default or go to 4096, since the CA key generated here signs every client certificate for the next ten years.
Once the install finished, I configured nginx:

nginx.conf:

```
user root;
worker_processes auto;
#error_log /data/log/nginx/error.log crit;
error_log /data/log/nginx/error.log error;
pid /run/nginx.pid;
#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events {
    use epoll;
    worker_connections 51200;
    multi_accept on;
}

http {
    include mime.types;
    #include upstreams;
    charset utf-8;
    default_type application/octet-stream;
    server_name_in_redirect off;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    #client_max_body_size 300m;
    client_body_timeout 10;
    types_hash_max_size 2048;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    tcp_nodelay on;
    underscores_in_headers on;

    fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2:1 keys_zone=fastcgi-cache:20m max_size=1g;
    fastcgi_connect_timeout 600;
    fastcgi_send_timeout 600;
    fastcgi_read_timeout 600;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;

    proxy_cache_path /var/cache/nginx/proxy_cache levels=1:2 keys_zone=http-cache:500m max_size=10g inactive=60m;
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 60;
    proxy_send_timeout 60;
    proxy_read_timeout 60;
    proxy_buffer_size 16k;
    proxy_buffers 4 64k;
    proxy_busy_buffers_size 128k;
    proxy_temp_file_write_size 128k;
    proxy_temp_path /var/cache/nginx/proxy_cache/tmp;
    #use_temp_path off;

    gzip on;
    gzip_static on;
    gzip_min_length 1024;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    #gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_types text/plain text/css image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";

    server_tokens off;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    client_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    log_format main '$remote_addr|$remote_user|[$time_local]|"$request"|'
                    '$status|$body_bytes_sent|$http_host|"$http_referer"|'
                    '"$http_user_agent"|$http_x_forwarded_for|$upstream_cache_status|'
                    '"$upstream_http_content_type"|$request_time|$upstream_response_time|$bytes_sent|$request_length|'
                    '"$upstream_addr"';
    access_log /data/log/nginx/access.log main;

    include conf.d/*.conf;
}
```

Two settings in this file deserve a second look before copying it. "user root;" makes the nginx worker processes run as root; only the master process needs root to bind low ports, and running the workers as root turns any nginx or configuration bug into a root compromise, so use a dedicated account such as nginx. "client_max_body_size 0;" removes the request body limit for every vhost on the server, which is only sensible if a real upload use case needs it.
openvpn.conf (the vhost under conf.d):

```
server {
    listen xxxx;
    #server_name localhost;
    root /data/apps/www_openvpn/openvpn-admin;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)$ {
        expires 12h;
    }
}
```

The static-file pattern was originally written as .*\.(js|css)?$; the trailing ? makes the extension optional, so it also matches any URI ending in a dot, and it has been dropped above. Note also that this vhost serves the admin panel over plain HTTP with nothing but an unusual port protecting it, so the admin password and the generated client configurations travel in clear text. Restrict it to management addresses (allow/deny) and front it with TLS before exposing it beyond a trusted network.
With that done, open http://x.x.x.x:xxxx/index.php?installation to run the installer:
When it came to creating the admin user, I entered the username and password and nothing happened: a blank page. Logging in at http://x.x.x.x:xxxx/index.php?admin then kept failing with "loggin error".
The admin table in the database was empty, so I decided to create the user by hand and first hash a password:

```php
<?php
// Hash a password with password_hash(), the function the installer relies on
// (bcrypt by default); the result is what goes into the admin table.
$pwd = "123456";
$hash = password_hash($pwd, PASSWORD_DEFAULT);
echo $hash;
?>
```
This failed with an undefined-function error for password_hash. Searching showed the cause: password_hash() was introduced in PHP 5.5, and this server had PHP 5.4. I tried upgrading through yum, but the server also hosts FreeIPA and the upgrade conflicted with many of its packages, so the only option was to build a second PHP version from source alongside the system one.
I followed these guides:
https://zoco.me/v/centos-7-multi-version-php-build and
https://my.oschina.net/mark35/blog/511357
Install the build toolchain:
yum groupinstall "Development tools"
Then the libraries PHP's configure needs:
yum install libxml2-devel gd-devel libmcrypt-devel libcurl-devel openssl-devel
I want php-fpm to run as a dedicated www user, so create it:
useradd www
Download the source tarball for the version to install; I started with PHP 7.1:
wget http://am1.php.net/get/php-7.1.0.tar.gz/from/this/mirror -O php-7.1.0.tar.gz
This is an unauthenticated HTTP download, so compare the tarball's SHA-256 with the sums published on php.net before building it.
Unpack it:
tar zxvf php-7.1.0.tar.gz
Enter the directory and run configure:
```
./configure \
  --prefix=/usr/local/php71 \
  --with-config-file-path=/usr/local/php71/etc \
  --with-fpm-user=www \
  --with-fpm-group=www \
  --enable-fpm \
  --enable-opcache \
  --disable-fileinfo \
  --with-mysqli=mysqlnd \
  --with-pdo-mysql=mysqlnd \
  --with-jpeg-dir \
  --with-iconv-dir=/usr/local \
  --with-freetype-dir \
  --with-png-dir \
  --with-zlib \
  --disable-rpath \
  --with-libxml-dir=/usr \
  --enable-xml \
  --enable-bcmath \
  --enable-shmop \
  --enable-exif \
  --with-curl \
  --enable-sysvsem \
  --enable-inline-optimization \
  --enable-mbregex \
  --enable-mbstring \
  --with-mcrypt \
  --with-gd \
  --enable-gd-native-ttf \
  --with-openssl \
  --with-mhash \
  --enable-pcntl \
  --enable-sockets \
  --with-xmlrpc \
  --enable-ftp \
  --with-gettext \
  --enable-zip \
  --enable-soap \
  --disable-ipv6 \
  --disable-debug \
  --with-tidy \
  --with-readline
```

This is the original flag list with the duplicated entries removed (more than a dozen options were passed twice) and the single-dash spellings normalised to the usual double-dash form; the build result is the same. --enable-zip and --with-pdo-mysql=mysqlnd are the two flags that provide the zip and pdo_mysql modules the project requires. --with-tidy and --with-readline need libtidy-devel and readline-devel, which the yum line above does not install; add those packages or drop the two flags.
make, make test and make install in one step:
make && make test && make install
Afterwards copy php.ini-production from the source directory into place:
mv php.ini-production /usr/local/php71/etc/php.ini
Edit php.ini. Because PHP will sit behind Nginx, change cgi.fix_pathinfo (around line 775):
vim /usr/local/php71/etc/php.ini
to:
cgi.fix_pathinfo=0
With fix_pathinfo left on, a request such as /images/avatar.jpg/x.php is resolved by PHP-FPM to the real file avatar.jpg and executed as PHP; setting it to 0 is the standard defence when the nginx location only checks that the URI ends in .php, as the vhost above does.
Also set the time zone (around line 939):
date.timezone = Asia/Shanghai
Copy php-fpm.conf:
cp /usr/local/php71/etc/php-fpm.conf.default /usr/local/php71/etc/php-fpm.conf
Copy www.conf:
cp /usr/local/php71/etc/php-fpm.d/www.conf.default /usr/local/php71/etc/php-fpm.d/www.conf
Edit www.conf:
vim /usr/local/php71/etc/php-fpm.d/www.conf
Around line 36, set the listen address; I used a different port so this build does not clash with the other PHP version:
listen = 127.0.0.1:9001
Copy php-fpm.service into the systemd directory:
cp sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm71.service
Then adjust the paths in php-fpm71.service:
```
[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=simple
PIDFile=/usr/local/php71/var/run/php-fpm.pid
ExecStart=/usr/local/php71/sbin/php-fpm --allow-to-run-as-root --nodaemonize --fpm-config /usr/local/php71/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

php-fpm71 can now be started and stopped through systemctl. One note on ExecStart: --allow-to-run-as-root only matters when a pool is configured to run as root. With user = www in www.conf it is not needed, and leaving it out means a misconfigured pool fails to start instead of silently running as root.
Set the environment variables:
vim /etc/profile
Append at the end:
PATH=/usr/local/php71/bin:/usr/local/php71/sbin:$PATH
export PATH
Reload the file:
source /etc/profile
That completes the multi-version setup: PHP 7.1 is built and runs alongside the system PHP.
In the nginx vhost, change the fastcgi_pass backend port to 9001.
chmod -R 777 /etc/openvpn/scripts
chmod -R 777 /etc/openvpn/ccd
Then prepend "source /etc/profile" to each .sh file in /etc/openvpn/scripts so they find the new php on PATH.
Be careful with those 777s. The scripts in /etc/openvpn/scripts are the hooks the OpenVPN daemon runs for client authentication and connect/disconnect, so making them world-writable lets any local account on the box change what the daemon executes, and a world-writable ccd lets any local account rewrite per-client settings. The narrower fix is to chown the two directories to the account that actually needs to write to them (the web application's user) and keep the mode at 750 or 755.
And with that, it finally worked!

This took two days of fiddling, mainly because I had not read the project's requirements carefully:

Prerequisite
GNU/Linux with Bash and root access
Fresh install of OpenVPN
Web server (NGinx, Apache…)
MySQL
PHP >= 5.5 with modules:
    zip
    pdo_mysql
bower
unzip
wget
sed
curl

It plainly says:
PHP >= 5.5 with modules:
    zip
    pdo_mysql

Lesson for next time: when something breaks, analyse it carefully before acting.
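The check that would have saved those two days, as an added example (not part of OpenVPN-Admin or of the original post): verify the README's prerequisites before running install.sh. The version floor and module list come from the prerequisite list above; the PHP_BIN variable and the tool names checked are this example's own, and the php binary path defaults to whatever is on PATH.

```bash
#!/bin/sh
# Added example: pre-flight check for OpenVPN-Admin's stated prerequisites
# (PHP >= 5.5 with zip and pdo_mysql, plus bower/unzip/wget/sed/curl).
# PHP_BIN is an assumption of this script; set it to e.g. /usr/local/php71/bin/php
# when a second PHP build lives outside PATH.

# version_key VERSION: turn "7.1.0" (or "5.5", "7.1.0-dev") into a sortable
# integer such as 7001000 so versions can be compared with -ge.
version_key() {
    printf '%s\n' "${1%%-*}" | awk -F. '{ printf "%d%03d%03d\n", $1+0, $2+0, $3+0 }'
}

# version_ge A B: true when dotted version A >= B
version_ge() { [ "$(version_key "$1")" -ge "$(version_key "$2")" ]; }

# php_version_ok VERSION: the README's "PHP >= 5.5" requirement
php_version_ok() { version_ge "$1" 5.5; }

# missing_modules LOADED...: print each required PHP module that is absent from
# the given list (pass the output of `php -m`, one name per argument)
missing_modules() {
    for mod in zip pdo_mysql; do
        found=0
        for m in "$@"; do
            [ "$m" = "$mod" ] && found=1
        done
        [ "$found" -eq 1 ] || echo "$mod"
    done
}

# check_prereqs: run the checks against the live system; prints what is
# missing and returns non-zero so install.sh is not started half-prepared
check_prereqs() {
    php_bin="${PHP_BIN:-php}"
    rc=0
    for tool in bower unzip wget sed curl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool"; rc=1; }
    done
    if ! command -v "$php_bin" >/dev/null 2>&1; then
        echo "missing tool: php"
        return 1
    fi
    ver=$("$php_bin" -r 'echo PHP_VERSION;')
    php_version_ok "$ver" || { echo "php $ver too old, need >= 5.5"; rc=1; }
    # password_hash() is exactly what failed in the post; it arrived in 5.5
    "$php_bin" -r 'exit(function_exists("password_hash") ? 0 : 1);' \
        || { echo "password_hash() unavailable in $php_bin"; rc=1; }
    missing=$(missing_modules $("$php_bin" -m))
    [ -z "$missing" ] || { echo "missing php modules:" $missing; rc=1; }
    return $rc
}

# Run the live checks only when asked, so the file can also be sourced for
# its helper functions: sh prereqs.sh --check
case "${1:-}" in
    --check) check_prereqs ;;
esac
```

On the server in this post, with the stock PHP 5.4 on PATH, check_prereqs reports the version as too old and password_hash() as unavailable; pointing PHP_BIN at the 7.1 build makes both checks pass, which is the state install.sh expects.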
Addendum, 2017-04-18:
After the VPN is configured, the firewall rules still have to be set. The following is taken from https://arashmilani.com/post?id=53:

How to configure iptables for openvpn
If you have installed the openvpn server and iptables is blocking the service by default, use these rules to get openvpn working. First, allow connections on the OpenVPN port; the rule below is for UDP 1194, so change the protocol or port if your server.conf uses something else.
```
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
```
Allow TUN interface connections to the OpenVPN server:
```
iptables -A INPUT -i tun+ -j ACCEPT
```
Allow TUN interface connections to be forwarded through other interfaces:
```
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
```
NAT the VPN client traffic to the Internet. Change the subnet to match the address shown for tun0 by "ifconfig".
```
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
```
If your default iptables OUTPUT policy is not ACCEPT, you will also need a line like:
```
iptables -A OUTPUT -o tun+ -j ACCEPT
```
That's it; save the rules and restart the iptables service.

Two caveats when applying this on CentOS 7. Forwarding also needs net.ipv4.ip_forward = 1 in sysctl, or the FORWARD rules never see a packet. And the stock INPUT and FORWARD chains end with a REJECT rule, so rules appended with -A land after it and never match; insert them with -I (or ahead of the REJECT) instead, then persist them with iptables-save into /etc/sysconfig/iptables, because restarting the iptables service reloads that file and discards any unsaved runtime rules.
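The ruleset above as an idempotent script, added here as an example and not taken from the original post or from arashmilani.com. It generates the same seven rules for a given egress interface, VPN subnet, port and protocol (defaults eth0, 10.8.0.0/24, 1194/udp as in the post), and the apply step inserts each rule at the top of its chain only if it is not already present, enables ip_forward, and saves the result. The -m conntrack --ctstate match replaces the older -m state --state form; the save path assumes the iptables-services package.

```bash
#!/bin/sh
# Added example: OpenVPN iptables rules, generated separately from applying
# them so the ruleset can be reviewed or tested without touching the kernel.
# Assumptions: egress interface eth0, tun subnet 10.8.0.0/24, UDP 1194;
# override with arguments. Applying requires root and iptables-services.
set -eu

# openvpn_rules [IFACE] [SUBNET] [PORT] [PROTO]: one rule per line, each
# prefixed with its table and chain
openvpn_rules() {
    ifc="${1:-eth0}"; net="${2:-10.8.0.0/24}"; port="${3:-1194}"; proto="${4:-udp}"
    cat <<EOF
filter INPUT -i $ifc -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
filter INPUT -i tun+ -j ACCEPT
filter FORWARD -i tun+ -j ACCEPT
filter FORWARD -i tun+ -o $ifc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i $ifc -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter OUTPUT -o tun+ -j ACCEPT
nat POSTROUTING -s $net -o $ifc -j MASQUERADE
EOF
}

# count_rules: number of rules the generator emits for the given arguments
count_rules() { openvpn_rules "$@" | wc -l | tr -d ' '; }

# apply_openvpn_rules: insert each rule at position 1 of its chain unless an
# identical rule already exists (iptables -C). -I rather than -A matters on
# CentOS 7, whose default INPUT/FORWARD chains end in a REJECT that would
# shadow anything appended after it.
apply_openvpn_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    openvpn_rules "$@" | while read -r table chain rest; do
        # $rest is intentionally unquoted so it splits into iptables arguments
        iptables -t "$table" -C "$chain" $rest 2>/dev/null \
            || iptables -t "$table" -I "$chain" 1 $rest
    done
    # persist for the iptables service; without this a restart drops the rules
    iptables-save > /etc/sysconfig/iptables
}

# Usage: sh ovpn-fw.sh                  -> print the rules for review
#        sh ovpn-fw.sh --apply [args]   -> apply and save them (as root)
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_openvpn_rules "$@"
else
    openvpn_rules "$@"
fi
```

Running the script without --apply prints the rules for review, which is also a convenient way to diff them against the output of iptables-save on a host that was configured by hand.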
2 Comments
Billie Sorrick · 06/18/2020 at 7:59 AM
Howdy! I just want to give you a huge thumbs up for the great info you’ve got right here on this post. I’ll be coming back to your blog for more soon.
Lenard Furgason · 06/20/2020 at 8:15 AM
Hi! Do you use Twitter? I’d like to follow you if that would be ok. I’m undoubtedly enjoying your blog and look forward to new updates.