Cubie Truck testing: installing an OpenVPN server on Arch Linux

References:
OpenVPN – ArchWiki
Create a Public Key Infrastructure Using the easy-rsa Scripts – ArchWiki
頭城國小資訊組 | Banana Pi testing – Bananian edition: installing an OpenVPN server

Install OpenVPN
# pacman -S openvpn easy-rsa

Copy the example easy-rsa files into the /etc/openvpn directory
# cp -r /usr/share/easy-rsa /etc/openvpn

Change the default certificate subject information
# sed -i 's/KEY_COUNTRY="US"/KEY_COUNTRY="TW"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_PROVINCE="CA"/KEY_PROVINCE="Taiwan"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_CITY="SanFrancisco"/KEY_CITY="E-Land"/' /etc/openvpn/easy-rsa/vars
# sed -i 's/KEY_ORG="Fort-Funston"/KEY_ORG="Home"/' /etc/openvpn/easy-rsa/vars
Change to the /etc/openvpn/easy-rsa directory
# cd /etc/openvpn/easy-rsa

Start building the certificates
# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Remove any old certificates
# ./clean-all

Build the required certificates
# ./build-ca
# ./build-key-server CubieTruck
# ./build-dh
# ./build-key Cubier

Generate ta.key
# openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key

Change to the /etc/openvpn/easy-rsa/keys directory
# cd /etc/openvpn/easy-rsa/keys

Copy the server-side files to /etc/openvpn
# cp ta.key ca.crt ca.key dh2048.pem CubieTruck.crt CubieTruck.key /etc/openvpn

Create a directory for the files the client will need
# mkdir $HOME/openvpn-client-files
Copy the client-side files
# cp ca.crt Cubier.crt Cubier.key $HOME/openvpn-client-files

Rename the CA certificate
# mv $HOME/openvpn-client-files/ca.crt $HOME/openvpn-client-files/capi.crt
Change the file permissions
# chmod +r $HOME/openvpn-client-files/Cubier.key

Create the /etc/openvpn/server.conf configuration file
# vim /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
;; key file settings
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CubieTruck.crt
key /etc/openvpn/CubieTruck.key
tls-auth /etc/openvpn/ta.key 0
;; subnet used by the VPN
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
;; allow clients to reach each other
;client-to-client
push "redirect-gateway def1"
;; DNS settings
push "dhcp-option DNS 168.95.1.1"
push "dhcp-option DNS 140.111.66.1"
keepalive 5 30
;; maximum number of clients
max-clients 12
user nobody
group nobody

Test that the /etc/openvpn/server.conf configuration is syntactically correct (this starts the server in the foreground; stop it with Ctrl-C once it reports "Initialization Sequence Completed")
# openvpn /etc/openvpn/server.conf
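Besides the syntax check, it is worth reviewing the server.conf above for the settings that matter for security. The following is an added example, not part of the original post: a small parser for OpenVPN's directive-per-line format together with an audit of the points a reviewer would raise (tls-auth present with the server-side direction 0, privileges dropped with user/group, the deprecated comp-lzo compression, client-to-client, and an explicit cipher). It assumes only Python 3 and uses a constructed copy of this page's config as sample input.

```python
import shlex

# Constructed sample: the server.conf built on this page, with ASCII quotes.
SAMPLE_CONF = """\
port 1194
proto tcp
dev tun
;; key files
dh /etc/openvpn/dh2048.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/CubieTruck.crt
key /etc/openvpn/CubieTruck.key
tls-auth /etc/openvpn/ta.key 0
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
;client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS 168.95.1.1"
user nobody
group nobody
"""

def parse_conf(text):
    """Map each directive to the list of argument lists it was given.
    Lines starting with '#' or ';' are comments, so ';client-to-client'
    is correctly treated as disabled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps "redirect-gateway def1" as one argument
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def audit(text):
    """Return the review findings for a server config as a list of strings."""
    conf = parse_conf(text)
    findings = []
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: control channel lacks the HMAC layer")
    elif "tls-auth" in conf and conf["tls-auth"][0][1:2] != ["0"]:
        findings.append("tls-auth: give the server key direction 0 (clients use 1)")
    if "user" not in conf or "group" not in conf:
        findings.append("no user/group: the daemon keeps root after start-up")
    if "comp-lzo" in conf or "compress" in conf:
        findings.append("comp-lzo: compression is deprecated in OpenVPN, remove it")
    if "client-to-client" in conf:
        findings.append("client-to-client: clients can reach each other through the server")
    if "cipher" not in conf:
        findings.append("no cipher: the data channel falls back to the default")
    return findings
```

Run `audit(open("/etc/openvpn/server.conf").read())` on the real file; for the page's config the only finding is the comp-lzo line.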

Firewall settings; if a firewall is already in place, merge these rules into it
# vim /etc/firewall.vpn
#!/bin/bash
# Enable ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "10.8.0.0/24" -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s "10.8.0.0/24" -j MASQUERADE

Change the file permissions
# chmod 700 /etc/firewall.vpn

Run it at boot
Append a line that runs the firewall rules to the end of /etc/rc.local
# sed -i '$a # OpenVPN firewall\nsh /etc/firewall.vpn' /etc/rc.local

Start the OpenVPN server
# systemctl start openvpn@server.service

Start the OpenVPN server at boot
# systemctl enable openvpn@server.service

Check the OpenVPN server's service status
# systemctl status openvpn@server.service

Check that the OpenVPN server is actually listening
# netstat -antpul | grep openvpn
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      3682/openvpn

tun0 interface details
# ip addr show tun0
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

Fix for the message "Failed to read PID from file /run/openvpn@server.pid: Invalid argument"
# chown nobody:nobody /var/run/openvpn@server.pid