基于web管理OpenVPN服务的安装使用详解

正文

服务名称

版本

备注

OpenVPN

openvpn-2.4.12-1.el7.x86_64

github有开源一键安装脚本项目

操作系统

CentOS Linux 7 (Core)/Linux 3.10.0-1160.11.1.el7.x86_64

默认python

Python 2.7.5

Openvpnas

openvpn-as-2.11.0_794ab41d-CentOS7.x86_64.rpm

openvpn-as-bundled-clients

openvpn-as-bundled-clients-25.rpm

python版本修改

系统默认的python版本为2.7.5,此版本对目前的openvpnas依赖的运行时版本来说太低了,因此稍微调整下版本

rm -rf /usr/bin/python
ln -s /usr/bin/python3.6 /usr/bin/python
#微信订阅号1:云原生生态圈
[root@vm-24-13-centos openvpnas]# python --version
Python 3.6.8

安装openVPN服务

GitHub上已经有人将安装的过程写成shell脚本了,我们这里只要去下载然后一键安装就好了。

  • 安装并生成wahaha用户的客户端配置
wget -O openvpn-install.sh https://ghproxy.com/https://github.com/Nyr/openvpn-install/blob/master/openvpn-install.sh
bash ./openvpn-install.sh #按照提示完成安装即可
# 创建用户测试openVPN服务是否正常可用
[root@vm-24-13-centos openvpnas]# bash ./openvpn-install.sh
OpenVPN is already installed.
#微信订阅号2:云原生生态圈
Select an option:
 1) Add a new client
 2) Revoke an existing client
 3) Remove OpenVPN
 4) Exit
Option: 1
Provide a name for the client:
Name: wahaha # 此处填写客户端用户名
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
...........+++
...........................................................................................................................+++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-3528.1YPIvY/tmp.WSJFtM'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-3528.1YPIvY/tmp.M3K3Dv
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'wahaha'
Certificate is to be certified until Oct 6 10:25:26 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
wahaha added. Configuration available in:/root/wahaha.ovpn
#微信订阅号3:云原生生态圈
[root@vm-24-13-centos openvpnas]# ls -al /root/wahaha.ovpn # 使用此客户端配置文件在openVPN connector或者Tunnelblick上测试是否可正常链接
-rw-r--r-- 1 root root 4944 Oct 9 18:25 /root/wahaha.ovpn
  • 吊销wahaha客户端配置
[root@vm-24-13-centos openvpnas]# bash ./openvpn-install.sh
OpenVPN is already installed.
Select an option:
 1) Add a new client
 2) Revoke an existing client
 3) Remove OpenVPN
 4) Exit
Option: 2
Select the client to revoke:
 1) marionxue
 2) zhangsan
 3) wangwu
 4) sunwei
 5) wahaha
Client: 5
Confirm wahaha revocation? [y/N]: y
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-6774.jtuovx/tmp.GIgu00
Revoking Certificate 61A8ED5490C8018ACDE6909EF0133B6B.
Data Base Updated
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-6816.Z2PRCV/tmp.6rZIjZ
#微信订阅号6:云原生生态圈
An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
wahaha revoked!

安装openvpn web 服务

在验证openVPN没有问题后,即可安装openvpnas服务,但是默认情况下,此web服务只允许两个客户端链接,因此我们需要参考网上的破解的方式,修改一下此限制。下面先安装一下web服务。

安装openvpnas

wget https://openvpn.net/downloads/openvpn-as-latest-CentOS7.x86_64.rpm # openvpn-as-2.11.0_794ab41d-CentOS7.x86_64.rpm
wget https://openvpn.net/downloads/openvpn-as-bundled-clients-latest.rpm # openvpn-as-bundled-clients-25.rpm
yum localinstall -y ./openvpn-as*.rpm
# 检查openvpn服务
[root@vm-24-13-centos openvpnas]# systemctl status openvpn-server@server
● openvpn-server@server.service - OpenVPN service for server
 Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
 Active: active (running) since Sat 2022-10-08 16:59:55 CST; 1 day 1h ago
 Docs: man:openvpn(8)
 https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 49185 (openvpn)
 Status: "Initialization Sequence Completed"
 CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
 └─49185 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: 49.232.x.x:52801 [wangwu] Peer Connection Initiated with [AF_INET]49.232.x.x:52801
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)#微信订阅号12:云原生生态圈
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 MULTI: Learn: 10.8.0.2 -> wangwu/49.232.x.x:52801
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 MULTI: primary virtual IP for wangwu/49.232.x.x:52801: 10.8.0.2
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 PUSH: Received control message: 'PUSH_REQUEST'
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 SENT CONTROL [wangwu]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 183.60.83.19,dhcp-option DNS 183.60.82.98,route-gateway 10....6-GCM' (status=1)
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 08 17:03:42 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 08 17:04:33 vm-24-13-centos openvpn[49185]: wangwu/49.232.x.x:52801 SIGTERM[soft,remote-exit] received, client-instance exiting
Hint: Some lines were ellipsized, use -l to show in full.
# 检查openvpn的web服务openvpnas
[root@vm-24-13-centos openvpnas]# systemctl status openvpnas.service
● openvpnas.service - OpenVPN Access Server
 Loaded: loaded (/usr/lib/systemd/system/openvpnas.service; enabled; vendor preset: disabled)
 Active: active (running) since Sat 2022-10-08 18:46:34 CST; 23h ago
 Process: 31318 ExecStop=/bin/bash /usr/local/openvpn_as/scripts/openvpn_service_cleanup (code=exited, status=0/SUCCESS)
 Main PID: 31332 (python3)
 Tasks: 18
 Memory: 246.0M
 CGroup: /system.slice/openvpnas.service
 ├─31332 python3 -c from pyovpn.sagent.sagent_entry import openvpnas ; openvpnas() --nodaemon --logfile=/var/log/openvpnas.log --pidfile=
 ├─31374 /usr/bin/python3 -c from pyovpn.cserv.wserv_entry import start ; start() -no -u openvpn_as -g openvpn_as --pidfile /usr/local/openvpn_as/etc/tmp/wserv.pid
 ├─31375 /usr/bin/python3 -c from pyovpn.log.logworker import start ; start()
 ├─31394 /usr/bin/python3 -c from pyovpn.sagent.iptworker import start6 ; start6()
 ├─31398 /usr/bin/python3 -c from pyovpn.sagent.iptworker import start ; start()
 ├─31405 openvpn-openssl --errors-to-stderr --config stdin
 ├─31407 openvpn-openssl --errors-to-stderr --config stdin
 └─31459 iptables-restore -n
Oct 08 18:46:34 vm-24-13-centos systemd[1]: Started OpenVPN Access Server.

修改用户限制

网络上有存在不同版本的编译文件,不想使用的可以直接去找,我们这里使用的是最新的openvpnas服务,需要自己手动修改下

  • 备份安装目录下的pyovpn-2.0-py3.6.egg文件
[root@vm-24-13-centos openvpnas]# cd /usr/local/openvpn_as/lib/python/
[root@vm-24-13-centos python]# cp pyovpn-2.0-py3.6.egg{,.back}
[root@vm-24-13-centos python]# ls -alh|grep pyovpn
drwxr-xr-x 37 root root 4.0K Oct 8 18:08 pyovpn
-rw-r--r-- 1 root root 5.8M Oct 8 18:45 pyovpn-2.0-py3.6.egg
-rw-r--r-- 1 root root 5.7M Oct 8 17:28 pyovpn-2.0-py3.6.egg.back #这是备份出来的文件
-rwxr-xr-x 1 root root 19K Jun 15 22:28 pyovpnc.cpython-36m-x86_64-linux-gnu.so
  • 编译补丁文件
[root@vm-24-13-centos openvpnas]# cd /root/openvpnas
[root@vm-24-13-centos openvpnas]# mkdir compile && cd $_
[root@vm-24-13-centos compile]# cp /usr/local/openvpn_as/lib/python/pyovpn-2.0-py3.6.egg .
[root@vm-24-13-centos compile]# unzip -q ./pyovpn-2.0-py3.6.egg
[root@vm-24-13-centos compile]# ls
common EGG-INFO pyovpn pyovpn-2.0-py3.6.egg
[root@vm-24-13-centos compile]# cd pyovpn/lic/
[root@vm-24-13-centos lic]# ls -a
. .. conf info.pyc __init__.pyc ino.pyc lbcs.pyc lbq.pyc lic_entry.pyc licerror.pyc lichelper.pyc lickey.pyc licser.pyc licstore.pyc liman.pyc lspci.pyc prop.pyc uprop.pyc vprop.pyc
[root@vm-24-13-centos lic]# mv uprop.pyc uprop2.pyc
[root@vm-24-13-centos lic]# vim uprop.py
[root@vm-24-13-centos lic]# cat uprop.py
from pyovpn.lic import uprop2
old_figure = None
def new_figure(self, licdict):
 ret = old_figure(self, licdict)
 ret['concurrent_connections'] = 6666
 return ret
#微信订阅号:云原生生态圈
for x in dir(uprop2):
 if x[:2] == '__':
 continue
 if x == 'UsageProperties':
 exec('old_figure = uprop2.UsageProperties.figure')
 exec('uprop2.UsageProperties.figure = new_figure')
 exec('%s = uprop2.%s' % (x, x))
[root@vm-24-13-centos lic]# python -O -m compileall uprop.py && mv __pycache__/uprop.*.pyc uprop.pyc
Compiling 'uprop.py'...
# 最后打包一下就结束了
[root@vm-24-13-centos lic]# cd ../../
[root@vm-24-13-centos compile]# zip -rq pyovpn-2.0-py3.6.egg ./pyovpn ./EGG-INFO ./common
  • 替换补丁文件,重启服务
cp ./pyovpn-2.0-py3.6.egg /usr/local/openvpn_as/lib/python/
systemctl restart openvpnas.service
  • 使用openvpn账号登录

新版本会在openvpnas安装的时候初始化openvpn的密码

grep -i 'password.$' /usr/local/openvpn_as/init.log

  • 配置客户端

在完成以上操作且验证没问题之后,就可以创建部分用户,来体验一下

从以上来看,不同的客户端用户可以分配不同的权限,以及客户端账号的认证方式等等,创建完成之后,使用客户端用户的账号以及密码登录openvpnas,下载客户端连接工具以及自助生成客户端的配置文件:访问地址为:https://ip:943/

登录之后,即可下载客户端软件以及创建对应的配置文件了

创建完成之后,在管理后台也可以管理用户的配置文件

下载配置文件后,即可在推荐的openvpn-connect或者Tunnelblick上打开使用了。

使用OpenVPN AS.不仅仅可以在web浏览器上更方便管理用户和权限,也能更方便的吊销证书等,同时也更大的化的方便客户端人员的使用。

作者:公众号: 云原生生态圈原文地址:https://cloud.tencent.com/developer/article/2207426?areaSource=101001.68&traceId=-wllE2OKdo-PAU502SCtN

%s 个评论

要回复文章请先登录注册