Quickly setting up OpenVPN on an arm64 machine
Because our tests need to reach Huawei Cloud directly over the internal network, a VPN was needed for access. The setup on an arm64 machine goes as follows. First download the aarch64 build of the OpenVPN rpm package:
```sh
wget https://cbs.centos.org/kojifiles/packages/openvpn/2.4.1/2.el7/aarch64/openvpn-2.4.1-2.el7.aarch64.rpm
```
Installing with yum fails because the pkcs11 dependency cannot be found, so download that package as well:
```sh
wget https://download-ib01.fedoraproject.org/pub/epel/7/aarch64/Packages/p/pkcs11-helper-1.11-3.el7.aarch64.rpm
```
Install both packages:
```sh
yum install pkcs11-helper-1.11-3.el7.aarch64.rpm openvpn-2.4.1-2.el7.aarch64.rpm
```
Download the one-click setup script:
```sh
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
```
Before running the script, create the configuration directory, then run it:
```sh
mkdir /etc/openvpn/
sh openvpn-install.sh
```
server.conf configuration:
```
duplicate-cn      # required if several users share one certificate to log in
max-clients 100   # maximum number of clients that may connect at once

# routes pushed to clients
push "route 10.166.0.0 255.255.0.0"
push "route 10.3.0.0 255.255.0.0"
push "route 10.10.0.0 255.255.0.0"
push "route 172.0.0.0 255.0.0.0"
push "route 192.168.0.0 255.255.0.0"
push "dhcp-option DNS 10.10.6.11"
push "dhcp-option DNS 100.125.1.250"

status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
```
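With duplicate-cn enabled, one certificate can be in use by several sessions at the same time, so the status file written by the `status` line above is where an operator sees how many sessions each certificate (Common Name) currently has. The script below is an added example, not part of the original post: it parses the CLIENT LIST section of an OpenVPN status file in the default status-version-1 layout and reports session counts per Common Name. The status text, client names and addresses embedded in it are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post): summarise an OpenVPN status file,
# the file named by "status /var/log/openvpn/status.log" in server.conf.
# With duplicate-cn, the number of concurrent sessions per Common Name is the
# figure worth watching, since one leaked certificate shows up as extra sessions.

# Constructed sample in the default status-version-1 layout; the names and
# addresses are made up for this example.
SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2020
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
shared-cert,203.0.113.5:51234,12345,67890,Thu Jun 18 08:00:01 2020
shared-cert,198.51.100.9:44321,2345,6789,Thu Jun 18 08:05:44 2020
alice,192.0.2.77:60001,1000,2000,Thu Jun 18 08:10:00 2020
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,shared-cert,203.0.113.5:51234,Thu Jun 18 08:12:10 2020
10.8.0.10,shared-cert,198.51.100.9:44321,Thu Jun 18 08:12:12 2020
10.8.0.14,alice,192.0.2.77:60001,Thu Jun 18 08:12:14 2020
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Read a status file on stdin and print "count common_name" for every CN in
# the CLIENT LIST section, most sessions first. Only the rows between the
# "Common Name,..." header and "ROUTING TABLE" are counted.
sessions_per_cn() {
    awk -F, '
        /^ROUTING TABLE/ { in_clients = 0 }
        in_clients && NF >= 5 { n[$1]++ }
        /^Common Name,Real Address/ { in_clients = 1 }
        END { for (cn in n) print n[cn], cn }
    ' | sort -rn
}

# Print the CNs that currently have more than $1 simultaneous sessions.
cns_over_limit() {
    limit="$1"
    sessions_per_cn | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# Print the number of concurrent sessions for the CN given as $1 (0 if absent).
session_count() {
    cn="$1"
    sessions_per_cn | awk -v want="$cn" '
        $2 == want { print $1; found = 1 }
        END { if (!found) print 0 }
    '
}

# Stand-alone usage against the constructed sample:
printf '%s\n' "$SAMPLE_STATUS" | sessions_per_cn
printf '%s\n' "$SAMPLE_STATUS" | cns_over_limit 1
```

On a live server, replace the embedded sample with `cat /var/log/openvpn/status.log | cns_over_limit 1` (or whatever per-certificate limit is acceptable) and run it from cron; a shared certificate suddenly appearing with more sessions than the people who are supposed to hold it is worth a look.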
Firewall configuration (nat table, in iptables-save format):
```
*nat
:PREROUTING ACCEPT [27:11935]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [598:57368]
:POSTROUTING ACCEPT [591:57092]
:DOCKER - [0:0]
#OpenVPN
-A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
COMMIT
```
Enable IP forwarding in the kernel (sysctl): `net.ipv4.ip_forward = 1`.

The server can also listen on both UDP and TCP. The steps are:
1. Copy /etc/openvpn/server.conf to a second file, e.g. /etc/openvpn/tcp.conf, then edit tcp.conf: change the protocol to TCP (`proto tcp`) and shift the IP addresses slightly, e.g. change every place that reads 10.8.0.x to 10.8.1.x.

2. Update the firewall. Add one more nat rule, `-A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE`:

   ```sh
   iptables -t nat -A POSTROUTING -s 10.8.1.0/24 -o eth0 -j MASQUERADE
   ```

3. Start the process:

   ```sh
   /usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf
   ```

4. Start it at boot. Create /etc/systemd/system/openvpntcp@.service:

   ```ini
   [Unit]
   Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
   After=network.target

   [Service]
   Type=notify
   PrivateTmp=true
   ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config tcp.conf

   [Install]
   WantedBy=multi-user.target
   ```

   Reload systemd and enable the service at boot:

   ```sh
   systemctl daemon-reload
   systemctl restart openvpntcp@server
   systemctl enable openvpntcp@server
   systemctl list-unit-files | grep openvpntcp
   ```

   Note that the instance name after `@` only appears in the Description here; the config path is fixed to tcp.conf in ExecStart, so this template runs the same config whatever instance name is used.

Client .ovpn configuration: in the generated client config, only udp needs to be changed to tcp. If there are two `remote` lines, that is load balancing: if one of them cannot be reached, the client automatically connects to the other.

```
client
proto tcp
remote x.x.x.x 11111
remote x.x.x.x 12222
......
```
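The copy-and-edit step above is easy to get subtly wrong: miss one line and the TCP instance collides with the UDP one on the same tunnel subnet, or the hand-typed MASQUERADE rule names a subnet that does not match what tcp.conf says. The script below is an added example, not code from the original post or the openvpn-install project: it derives the TCP config from a UDP server.conf the way the post describes (proto to tcp, a new port, 10.8.0.x to 10.8.1.x), computes the NAT rule from the resulting config instead of by hand, and checks that the two configs can coexist. The sample config and the port numbers are constructed for this example; eth0 as the uplink interface comes from the post, and the `WAN_IF` override is this example's own convention.

```sh
#!/bin/sh
# Added example, not from the original post: derive a TCP listener config from
# an existing UDP server.conf, then compute the NAT rule from the result and
# check that the UDP and TCP instances do not collide. The sample config and
# port numbers are constructed; only eth0 comes from the post.

# Constructed sample of the lines in server.conf that matter here.
SAMPLE_SERVER_CONF='port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.166.0.0 255.255.0.0"
push "dhcp-option DNS 10.10.6.11"
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log'

# Read a UDP server config on stdin, write the TCP variant on stdout:
# proto -> tcp, port -> $1, every 10.8.0.x -> 10.8.1.x.
# Assumes, as the post does, that 10.8.0.x only ever refers to the tunnel.
make_tcp_conf() {
    awk -v port="$1" '
        $1 == "proto" && $2 == "udp" { print "proto tcp"; next }
        $1 == "port"                 { print "port " port; next }
        { gsub(/10\.8\.0\./, "10.8.1."); print }
    '
}

# Print the tunnel network of the config on stdin in CIDR form, e.g.
# 10.8.1.0/24, by converting the dotted netmask on the "server" line to a
# prefix length (count the set bits of each octet).
tunnel_cidr() {
    awk '$1 == "server" {
        split($3, octet, ".")
        bits = 0
        for (i = 1; i <= 4; i++) {
            v = octet[i] + 0
            while (v > 0) { bits += v % 2; v = int(v / 2) }
        }
        print $2 "/" bits
        exit
    }'
}

# The MASQUERADE rule for a tunnel network, built from the config rather than
# typed by hand so the subnet cannot drift from what the config says.
# Printed, not executed; the uplink interface defaults to eth0 as in the post.
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$1" "${WAN_IF:-eth0}"
}

# Print "proto port cidr" for the config on stdin: the three things that must
# differ between two instances running on the same host.
listener_key() {
    conf=$(cat)
    proto=$(printf '%s\n' "$conf" | awk '$1 == "proto" { print $2; exit }')
    port=$(printf '%s\n' "$conf" | awk '$1 == "port" { print $2; exit }')
    cidr=$(printf '%s\n' "$conf" | tunnel_cidr)
    printf '%s %s %s\n' "$proto" "$port" "$cidr"
}

# Return 0 when two configs (passed as strings) can coexist: a different
# proto/port pair and a different tunnel network. A copied file that was not
# edited fails this check, which is exactly the mistake the copy step invites.
configs_coexist() {
    set -- $(printf '%s\n' "$1" | listener_key) $(printf '%s\n' "$2" | listener_key)
    [ "$1 $2" != "$4 $5" ] && [ "$3" != "$6" ]
}

# Stand-alone usage against the constructed sample:
TCP_CONF=$(printf '%s\n' "$SAMPLE_SERVER_CONF" | make_tcp_conf 11111)
printf '%s\n' "$TCP_CONF"
nat_rule "$(printf '%s\n' "$TCP_CONF" | tunnel_cidr)"
configs_coexist "$SAMPLE_SERVER_CONF" "$TCP_CONF" && echo "udp and tcp instances do not collide"
```

On a real host the usage lines become `make_tcp_conf 11111 < /etc/openvpn/server.conf > /etc/openvpn/tcp.conf`, followed by `configs_coexist "$(cat /etc/openvpn/server.conf)" "$(cat /etc/openvpn/tcp.conf)"` before starting the second instance; the printed `nat_rule` line is the one to add to the firewall, and should be persisted the same way as the existing MASQUERADE rule so it survives a reboot.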