openvpn高可用机制运用

openvpn高可用机制运用
# 这里用到了openvpn的高可用机制,
# openVPN的还有重连机制。

# 一台客户端,两台服务端。
# 这个是把两个服务端的配置文件密钥要一样的
# (一台机器的生成后复制到另外一台机器,两台机器密钥文件相同的操作也是不能连接的。)
# 客户端的配置写两个服务端IP。

 

# 客户端加个服务端检测定时脚本,服务端监控检测端口(这里用的tcp)就可以了。
openvpn客户端配置两个server IP,把一个服务端停了,
客户端重连了tun0不会自动更新,没有外网网络,看是连接上了正常的openvpn server。
刚开始以为是两个server端设置的IP是一样的,
后一个server端换了一个网段的依然要重启客户端才可以完全正常连接到服务端。

 

# 客户端增加一个服务检测脚本完美解决openvpn高可用。

[root@ovpn-client-1 openvpn-2.4.3]# cat monitor-ovpnclient.sh
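#!/bin/bash
# monitor-ovpnclient.sh - cron watchdog for the OpenVPN client.
#
# If no openvpn process owns a socket (as listed by netstat), the service is
# restarted through the install tree's openvpn-shutdown / openvpn-startup
# helpers.  Every run appends a timestamp and one status line to $log.
#
# Globals:  work (install prefix), log (log file)
# Returns:  0 when openvpn was already running; otherwise the exit status of
#           the last command run (openvpn-startup or the log append).

work=/usr/local/services/openvpn-2.4.3
# NOTE(review): root appending to a predictable path in world-writable /tmp
# is only safe with fs.protected_symlinks in effect; /var/log is the better
# home for this file.
log=/tmp/monitor-ovpnclient.log

# Test the pipeline directly instead of "$? = 0"; netstat output never
# contains "grep", so the usual "grep -v grep" is not needed.  The status
# strings use ASCII quotes - the typographic quotes a web page renders would
# otherwise end up as part of the log text.
if netstat -lputna | grep -q openvpn; then
  date >> "$log"
  printf '%s\n' 'openvpn: service was running!' >> "$log"
else
  "$work/openvpn-shutdown"
  "$work/openvpn-startup"
  date >> "$log"
  printf '%s\n' 'openvpn: service was restart!' >> "$log"
fi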

 

add `crontab -e`
## */5 * * * * /usr/local/services/openvpn-2.4.3/monitor-ovpnclient.sh
# * * * * * /usr/local/services/openvpn-2.4.3/monitor-ovpnclient.sh

## server
# 加个服务状态自检自愈脚本。
# 脚本命令行方式copy,cat写入执行,$?变成 0 了,
# $work变量也不见了,执行了写入脚本,所以要检查脚本。
# scp过去,这里以vim方式写入

# crontab -l
* * * * * /usr/local/services/openvpn-2.4.3/monitor-ovpnserver.sh >> /tmp/monitor-ovpnclient.log
# * * * * * /usr/local/services/openvpn-2.4.3/monitor-ovpnserver.sh > /dev/null 2 > /dev/null

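# Write the server-side watchdog.  The here-doc delimiter is QUOTED so that
# "$?" and "$work" are stored literally instead of being expanded by the shell
# running this cat (the symptom described in the notes above: $? became 0 and
# $work vanished).  ">" rather than ">>" keeps a second run from appending a
# duplicate copy of the script to the file.
cat > /usr/local/services/openvpn-2.4.3/monitor-ovpnserver.sh << 'EOF'
#!/bin/bash
# monitor-ovpnserver.sh - cron watchdog for the OpenVPN server.
# Restarts openvpn via the install tree's openvpn-shutdown / openvpn-startup
# helpers when no openvpn process owns a socket.  Timestamp and status line
# both go to $log (the original sent the date to the *client* log file).

work=/usr/local/services/openvpn-2.4.3
# NOTE(review): a predictable, root-written file in /tmp; prefer /var/log.
log=/tmp/monitor-ovpnserver.log

if netstat -lptun | grep -q openvpn; then
  date >> "$log"
  printf '%s\n' 'openvpn: service was running!' >> "$log"
else
  "$work/openvpn-shutdown"
  "$work/openvpn-startup"
  date >> "$log"
  printf '%s\n' 'openvpn: service was restart!' >> "$log"
fi
EOF

chmod +x /usr/local/services/openvpn-2.4.3/monitor-ovpnserver.sh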

 

 

vpn-add-chnroutes

add-chnroutes

# goal:连接vpn后区分国内国外(国内不走vpn,国外走vpn)。

 

git clone https://github.com/fivesheep/chnroutes.git
yum install python-argparse -y

[root@ovpn-server-3 chnroutes]# python chnroutes.py
Fetching data from apnic.net, it might take a few minutes, please wait…
Usage: Append the content of the newly created routes.txt to your openvpn config file, and also add ‘max-routes 8144’, which takes a line, to the head of the file.

 

[root@ovpn-server-3 openvpn-2.4.3]# cat openvpn-startup
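#!/bin/sh
# openvpn-startup - load the tun module, turn on IPv4 forwarding and start the
# OpenVPN server as a daemon from $dir (server.conf is resolved relative to it).
# Returns: the exit status of openvpn.
dir=/usr/local/services/openvpn-2.4.3
modprobe tun
# Runtime-only setting; the sysctl.conf entry used elsewhere in these notes is
# what makes forwarding survive a reboot.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Options must be written with two ASCII hyphens.  The en-dash that a web
# page renders ("–cd") is rejected by openvpn as an unrecognized option "cd",
# which is the error shown in the transcript below.
"$dir/sbin/openvpn" --cd "$dir" --daemon --config server.conf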

[root@ovpn-server-3 openvpn-2.4.3]# /usr/local/services/openvpn-2.4.3/sbin/openvpn –cd $dir –config server.conf
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: cd (2.4.3)
Use –help for more information.
[root@ovpn-server-3 openvpn-2.4.3]# /usr/local/services/openvpn-2.4.3/sbin/openvpn –config server.conf
Thu Feb 22 17:26:36 2018 DEPRECATED OPTION: –max-routes option ignored.The number of routes is unlimited as of version 2.4. This option will be removed in a future version, please remove it from your configuration.

 

# 用修改的/etc/init.d/openvpn 脚本不能启动,用分开写的openvpn-startup启动OK
# 看是虚拟了两个tun,一个tun0,一个tun1,win7客户端重连后服务端就只有一个tun0了
# linux客户端没有断开和重连过,在服务端也可以ping通了。
# 刚开始可能是没纠正,网络设置生效需要一小会儿。

 

# max-routes 8144 ($num) 不需要加到头文件(看提示)。
# cat /usr/local/services/soft/openvpn/chnroutes/routes.txt >> server.conf

# 这里只是在内网验证,增加配置项可以正常连接。

# 原来有人很久之前就遇到过并写了解决方案了。
# https://www.igfw.net/archives/970
# https://github.com/fivesheep/chnroutes

linux-centos6.8虚拟网卡配置

linux-centos6.8虚拟网卡配置
# cat /etc/redhat-release
CentOS release 6.8 (Final)

cd /etc/sysconfig/network-scripts/
cp ifcfg-eth1{,:0}

# vim ifcfg-eth1:0
# 修改配置文件对应的网卡名。
DEVICE=eth1:0

# ifup ifcfg-eth1:0
# service network restart
# 重启时等待10秒左右生效。

 

# 这里实际配置时,内网的gateway和DNS的IP分开了文件写;
# 一般会在配置文件内找,找不到才会去分开的文件找网关和DNS;
# 建议写在一个配置文件;
# 网关不同,虚拟网卡就没有写网关了;
# 这样操作系统只配置了一个内网网关和外网网关。

 

## 配置文件
# 网卡
# pwd
/etc/sysconfig/network-scripts/
# ls
ifcfg-eth0
ifcfg-eth1
ifcfg-eth1:0

# 验证网卡连接是否正常。
mii-tool eth0
mii-tool eth1

# DNS
/etc/resolv.conf

# 主机名和网关的第二寻找配置文件
/etc/sysconfig/network

# 增加的静态路由文件
# 多路由重启网络用`route -n`验证路由是否生效了
/etc/sysconfig/static-routes

 

## e.g.
# 实体机器dell-r730
# 连接了远程控制卡网线、一根内网线(eth0)和外网线(eth1),共接了3根网线。

# 网卡配置文件所在目录
# pwd
/etc/sysconfig/network-scripts

# cat ifcfg-eth0
DEVICE=eth0
HWADDR=80:18:44:EE:52:BC
TYPE=Ethernet
UUID=aea107f0-955a-43e4-a281-3ec9e4e2f695
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=10.4.4.231
NETMASK=255.255.255.0

# cat ifcfg-eth1
DEVICE=eth1
HWADDR=80:18:44:EE:52:BD
TYPE=Ethernet
UUID=43ff34fa-f9fb-460f-9ff5-13895eaa28b8
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=119.*.*.169
NETMASK=255.255.255.192
GATEWAY=119.*.*.129

# cat ifcfg-eth1:0
DEVICE=eth1:0
HWADDR=80:18:44:EE:52:BD
TYPE=Ethernet
UUID=43ff34fa-f9fb-460f-9ff5-13895eaa28b8
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=123.*.*.169
NETMASK=255.255.255.192
# GATEWAY=123.*.*.129

# DNS配置文件,这里第一行加了个内网DNS-IP
# cat /etc/resolv.conf
nameserver 192.168.0.147
nameserver 114.114.114.114
nameserver 8.8.8.8

# 网关第二配置文件,这里设置的不是默认网关。
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=server-231
GATEWAY=10.4.4.187
# GATEWAY=119.*.*.129

# 增加的静态路由文件,为了能够在两个不同的点内网网络可连通。
# cat /etc/sysconfig/static-routes
any net 192.168.0.0/16 gw 10.4.4.1
any net 10.0.0.0/8 gw 10.4.4.1

 

# 手动增加的项,为了确保正确(拼写完整正确并生效)
# 检查DNS和网关和子网掩码IP都是正确的
# 验证生效。

# 操作系统本机内和外验证
# 测试IP连通性
# 指定IP验证
ping -I 119.*.*.169 baidu.com
ping 119.*.*.169

lsyncd文件同步

git clone https://github.com/axkibe/lsyncd.git
git checkout -b release-2.1.5
./autogen.sh
./configure && make
# 不用make install,看提示。

[root@localhost lsyncd]# ln -s /usr/local/bin/lsyncd /usr/bin/lsyncd
ln: failed to create symbolic link ‘/usr/bin/lsyncd’: File exists
[root@localhost lsyncd]# /usr/bin/lsyncd –version
Version: 2.2.2
[root@localhost lsyncd]# mv /usr/bin/lsyncd /usr/bin/lsyncd.2.2.2
[root@localhost lsyncd]# ln -s /usr/local/bin/lsyncd /usr/bin/lsyncd
[root@localhost lsyncd]# /usr/bin/lsyncd –version
Version: 2.1.5

# mkdir -pv /usr/local/lsyncd/etc && mkdir -pv /usr/local/lsyncd/var
# touch tl
lsyncd -rsyncssh /root 192.168.181.130 /root

# 192.168.181.130
# pwd
# /root
# ls
tl

# 重命名了下配置文件,改回竟然传不过了。没有报错。
# 发现密钥文件被删除了,和改配置不相关。

# 密钥被删除问题发现了。
# 有点不同的rsync的客户端主动同步,单向密钥也可以。
# lsyncd 默认监听了客户端./ssh文件夹,
# 如果authorized_keys在服务端没有,客户端这个文件也会被删除。
# 也就是同步的时候会保持双方文件夹内容一样,不一样的的会被删除。
# 用rsync 可以加delete参数,同步时默认不删除。

# 做ssh双向互信。

 

# 一个用户所能监控的目录(不是文件)的数量。
# 直接修改,立即生效,但重启机器后会失效:
# 65535,这个可以设定一个合理的值。
# sysctl -w fs.inotify.max_user_watches=65535

# 也可以修改内核参数,使之重启后依然有效:
# echo "fs.inotify.max_user_watches=65535" >> /etc/sysctl.conf
# 执行生效。
# sysctl -p

crontab jobs

# crontab jobs
# centos7.3 , Thu Sep 21 17:22:57 CST 2017
08 15 * * * /usr/sbin/ntpdate ntp1.aliyun.com > /var/log/cntpdata.log 2 > &1
# test
# 日志写不进去。写到脚本里执行时显示语法错误被打断,不能识别 ‘&’ :`2 > &1` 里的空格把重定向拆开了,正确写法是 `2>&1`。
# 全部定义日志文件了。

 

# crontab -e
# for ntpdate 17921.
15 16 * * * /home/sh/t.sh
30 8 * * * /home/sh/t.sh

# crontab -l
systemctl restart crond
systemctl status crond

 

# cat /home/sh/t.sh
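#!/bin/bash
# t.sh - cron job: step the clock from ntp1.aliyun.com and log the result.
# Thu Sep 21 15:41:03 CST 2017
#
# stdout and stderr both go to /var/log/t.log.  The redirection has to be
# written without spaces: "2 >> file" hands ntpdate a literal "2" argument and
# redirects stdout a second time, so errors never reached the log.  The
# trailing "wait" was a no-op (nothing runs in the background) that also
# masked ntpdate's exit status; without it cron sees the real status.
/usr/sbin/ntpdate ntp1.aliyun.com >> /var/log/t.log 2>&1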

 

# 刚开始写在 /etc/crontab,后写在crontab -e ,测试写不进去日志。
# 干脆写进脚本定时执行了,经过测试正常后要定期检查。

ovpneasyrsa3

## ovpneasyrsa3
## version: centos7.3,openvpn-2.4.3,easyrsa3

yum install libssl* libssl-dev net-tools libpam0g-dev liblzo2-dev -y
git clone https://github.com/OpenVPN/easy-rsa.git
mkdir -pv /etc/ovpneasy
mv easy-rsa/ /etc/ovpneasy/

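# Build openvpn-2.4.3 into the easy-rsa tree.  Verify the tarball's GnuPG
# signature before unpacking (the "openvpn.new" section of these notes shows
# the gpg --verify run).  --prefix takes two ASCII hyphens; the en-dash a web
# page renders is not an option.
tar zxvf openvpn-2.4.3.tar.gz
cd openvpn-2.4.3 || exit 1   # never run configure/make in the wrong directory
./configure --prefix=/etc/ovpneasy
make && make install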

cd /etc/ovpneasy/easy-rsa/easyrsa3/
cp vars.example vars
# vim vars
grep ‘^[^#]’ vars
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "GD"
set_var EASYRSA_REQ_CITY "Sheng Zhen"
set_var EASYRSA_REQ_ORG "yibu"
set_var EASYRSA_REQ_EMAIL "yibu@riseup.net"
set_var EASYRSA_REQ_OU "yibu"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650

 

# source vars
[root@ywtest easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars
WARNING: can’t open config file: /openssl-1.0.cnf

Easy-RSA error:

The OpenSSL config file cannot be found.
Expected location: /openssl-1.0.cnf

 

# chmod +x openssl-1.0.cnf
# chmod +x vars
# ln -s openssl-1.0.cnf openssl.cnf

[root@ywtest easyrsa3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/ovpneasy/easy-rsa/easyrsa3/pki

 

# ./easyrsa build-ca

[root@ywtest easyrsa3]# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
……………………+++
…………+++
writing new private key to ‘/etc/ovpneasy/easy-rsa/easyrsa3/pki/private/ca.key.CzK4QH2g6R’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/ovpneasy/easy-rsa/easyrsa3/pki/ca.crt

[root@ywtest easyrsa3]# ls pki/
ca.crt certs_by_serial index.txt issued private reqs serial

# ./easyrsa gen-req server nopass

[root@ywtest easyrsa3]# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
…………………..+++
……….+++
writing new private key to ‘/etc/ovpneasy/easy-rsa/easyrsa3/pki/private/server.key.pCRYXwsoiU’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Common Name (eg: your user, host, or server name) [server]:ovpneasy

Keypair and certificate request completed. Your files are:
req: /etc/ovpneasy/easy-rsa/easyrsa3/pki/reqs/server.req
key: /etc/ovpneasy/easy-rsa/easyrsa3/pki/private/server.key

[root@ywtest easyrsa3]# ls pki/private/
ca.key server.key

# ./easyrsa sign server server
[root@ywtest easyrsa3]# ./easyrsa sign server server

Note: using Easy-RSA configuration from: ./vars

 

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
commonName = ovpneasy

 

Type the word ‘yes’ to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/ovpneasy/easy-rsa/easyrsa3/pki/private/ca.key:
140087418582944:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for /etc/ovpneasy/easy-rsa/easyrsa3/pki/private/ca.key:
140087418582944:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for /etc/ovpneasy/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName :PRINTABLE:’ovpneasy’
Certificate is to be certified until Sep 5 10:12:42 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/ovpneasy/easy-rsa/easyrsa3/pki/issued/server.crt

 

./easyrsa gen-dh
[root@ywtest easyrsa3]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…………………………………………………………………………………………………………………………………………………………………………….+………………………………………………………………………+…………………………………+…………………….
DH parameters of size 2048 created at /etc/ovpneasy/easy-rsa/easyrsa3/pki/dh.pem

 

# mkdir -pv /etc/ovpneasy/openvpnclient
# cp -R /etc/ovpneasy/openvpnclient/easy-rsa/easyrsa3/ /etc/ovpneasy/openvpnclient/
# cd /etc/ovpneasy/openvpnclient/

[root@ywtest easyrsa3]# ./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/ovpneasy/openvpnclient/easyrsa3/pki

 

# ./easyrsa gen-req yibu
[root@ywtest easyrsa3]# ./easyrsa gen-req yibu
Generating a 2048 bit RSA private key
……………+++
……………+++
writing new private key to ‘/etc/ovpneasy/openvpnclient/easyrsa3/pki/private/yibu.key.YKNamaywis’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Common Name (eg: your user, host, or server name) [yibu]:

Keypair and certificate request completed. Your files are:
req: /etc/ovpneasy/openvpnclient/easyrsa3/pki/reqs/yibu.req
key: /etc/ovpneasy/openvpnclient/easyrsa3/pki/private/yibu.key

 

# mkdir -pv ovpnclient
# pwd
/etc/ovpneasy

# cd ovpnclient/easy-rsa/easyrsa3/
./easyrsa init-pki

# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

 

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki
and initialize a fresh PKI here.

Type the word ‘yes’ to continue, or any other input to abort.
Confirm removal: yes

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki

 

 

# ./easyrsa gen-req yibu

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
…………………………………….+++
………………………………………………………………….+++
writing new private key to ‘/etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/private/yibu.key.0M9hFNzkWP’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Common Name (eg: your user, host, or server name) [yibu]:

Keypair and certificate request completed. Your files are:
req: /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/reqs/yibu.req
key: /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/private/yibu.key

 

# cd /etc/ovpneasy/easy-rsa/easyrsa3/
# ./easyrsa import-req /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/reqs/yibu.req yibu

 

# ./easyrsa sign client yibu

Note: using Easy-RSA configuration from: ./vars

 

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 3650 days:

subject=
commonName = yibu

 

Type the word ‘yes’ to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/ovpneasy/easy-rsa/easyrsa3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName :PRINTABLE:’yibu’
Certificate is to be certified until Sep 6 01:30:10 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/ovpneasy/easy-rsa/easyrsa3/pki/issued/yibu.crt

 

## saw openvpn server file
# ls -ltr /etc/ovpneasy/easy-rsa/easyrsa3/pki/
total 32
-rw——- 1 root root 1172 Sep 7 18:08 ca.crt
drwx—— 2 root root 38 Sep 7 18:10 private
-rw——- 1 root root 71 Sep 7 18:12 index.txt.old
-rw——- 1 root root 21 Sep 7 18:12 index.txt.attr.old
-rw——- 1 root root 424 Sep 7 18:15 dh.pem
drwx—— 2 root root 40 Sep 8 09:26 reqs
-rw——- 1 root root 33 Sep 8 09:29 serial.old
-rw——- 1 root root 33 Sep 8 09:30 serial
-rw——- 1 root root 21 Sep 8 09:30 index.txt.attr
-rw——- 1 root root 138 Sep 8 09:30 index.txt
drwx—— 2 root root 94 Sep 8 09:30 certs_by_serial
drwx—— 2 root root 40 Sep 8 09:30 issued

 

# ls -ltr /etc/ovpneasy/easy-rsa/easyrsa3/pki/reqs
total 8
-rw——- 1 root root 891 Sep 7 18:10 server.req
-rw——- 1 root root 883 Sep 8 09:26 yibu.req

# ls -ltr /etc/ovpneasy/easy-rsa/easyrsa3/pki/private/
total 8
-rw——- 1 root root 1834 Sep 7 18:08 ca.key
-rw——- 1 root root 1704 Sep 7 18:10 server.key

# ls -ltr /etc/ovpneasy/easy-rsa/easyrsa3/pki/issued
total 16
-rw——- 1 root root 4560 Sep 7 18:12 server.crt
-rw——- 1 root root 4430 Sep 8 09:30 yibu.crt

 

## saw openvpn client file

# ls -ltr /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/private/
total 4
-rw——- 1 root root 1834 Sep 8 09:19 yibu.key

# ls -ltr /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/reqs
total 4
-rw——- 1 root root 883 Sep 8 09:19 yibu.req

 

# ls /etc/ovpneasy/ | wc -l
8

cp /etc/ovpneasy/easy-rsa/easyrsa3/pki/ca.crt /etc/ovpneasy
cp /etc/ovpneasy/easy-rsa/easyrsa3/pki/private/server.key /etc/ovpneasy
cp /etc/ovpneasy/easy-rsa/easyrsa3/pki/issued/server.crt /etc/ovpneasy
cp /etc/ovpneasy/easy-rsa/easyrsa3/pki/dh.pem /etc/ovpneasy

# ls /etc/ovpneasy/ | wc -l
12

 

# ls /etc/ovpneasy/ovpnclient/
easy-rsa

cp /etc/ovpneasy/easy-rsa/easyrsa3/pki/ca.crt /etc/ovpneasy/ovpnclient
cp /etc/ovpneasy/easy-rsa/easyrsa3/pki/issued/yibu.crt /etc/ovpneasy/ovpnclient
cp /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/private/yibu.key /etc/ovpneasy/ovpnclient

# ls /etc/ovpneasy/ovpnclient/
ca.crt easy-rsa yibu.crt yibu.key

 

# cp /etc/ovpneasy/openvpn-2.4.3/sample/sample-config-files/server.conf /etc/ovpneasy/

# grep ‘^[^#]’ /etc/ovpneasy/server.conf > server.conf
# grep ‘^[^;]’ server.conf

port 1194
proto udp
dev tun
ca /etc/ovpneasy/ca.crt
cert /etc/ovpneasy/server.crt
key /etc/ovpneasy/server.key # This file should be kept secret
dh /etc/ovpneasy/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
tls-auth /etc/ovpneasy/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

# pwd
/etc/ovpneasy
# openvpn --genkey --secret ta.key

# /etc/ovpneasy/sbin/openvpn /etc/ovpneasy/server.conf

 

## firewalld ……

 

# win7 client
# five files put in config.
sz /etc/ovpneasy/easy-rsa/easyrsa3/pki/issued/yibu.crt
sz /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/private/yibu.key
sz /etc/ovpneasy/ca.crt
sz /etc/ovpneasy/ta.key

# grep ‘^[^#]’ client.ovpn > c.ovpn
# grep ‘^[^;]’ c.ovpn
client
dev tun
proto udp
remote *.*.*.99 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert yibu.crt
key yibu.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3

 

# baidu ip saw *.*.*.99

# add client key
cd /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/
./easyrsa gen-req yibuyibu

cd /etc/ovpneasy/easy-rsa/easyrsa3
./easyrsa sign client yibuyibu

cp /etc/ovpneasy/easy-rsa/easyrsa3/pki/issued/yibuyibu.crt /etc/ovpneasy/ovpnclient
cp /etc/ovpneasy/ovpnclient/easy-rsa/easyrsa3/pki/private/yibuyibu.key /etc/ovpneasy/ovpnclient

# 在windows7和android手机上
# 打开浏览器不能打开网页,在openvpn连接成功时,伪装规则依赖firewalld防火墙的开启。

## advice
## http://www.jianshu.com/p/4bbf946222d5

openvpn.new

# use openvpn in CentOS Linux release 7.3.1611 (Core).

# update 2017年 08月 31日 星期四 16:59:07 CST by yibu.

yum -y install epel-release 

yum install gmp gmp-devel gawk flex bison iproute iptables sed kernel-devel -y 

yum install -y lzo* lzo-devel openssl* openssl-devel pam* pam-devel 

yum install -y easy-rsa firewalld firewall-config

yum install -y pkcs11-helper pkcs11-helper-devel

yum install ipsec* -y 

yum install tun* -y

 

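# Load the tun module now and on every boot.  ASCII double quotes matter here:
# the typographic quotes a web page renders would be written into rc.local
# verbatim and fail at boot as "command not found".  The grep keeps repeated
# runs from adding duplicate lines; on CentOS 7 rc.local only runs when it is
# executable.
modprobe tun
grep -qxF 'modprobe tun' /etc/rc.d/rc.local || echo 'modprobe tun' >> /etc/rc.d/rc.local

# NOTE(review): pointing /dev/random at /dev/urandom stops reads from blocking,
# but the symlink is not persistent (devtmpfs recreates the device node at
# boot) and on older kernels urandom returns output before the pool is seeded,
# which matters when CA/server keys are generated right after provisioning.
rm -rf -- /dev/random
ln -s /dev/urandom /dev/random

# Enable IPv4 forwarding persistently (ASCII quotes again, so sysctl -p can
# parse the key), then apply the file.
grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p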

 

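# Fetch the 2.4.3 release tarball; the detached signature
# openvpn-2.4.3.tar.gz.asc and the signing key security.key.asc are expected
# in the same directory.
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.gz

# Signature verification can be performed by PGP or GnuPG once you have the correct key in your trusted keyring:
# $ gpg --import keyname.asc
# $ gpg -v --verify [.asc file]
# Make sure you have the corresponding OpenVPN package in the same directory. GnuPG signature files for OpenVPN file releases are available on the download page.

# Import only the public key.  The .asc signature is not key material, which
# is why passing it to --import as well produced "no valid OpenPGP data found".
gpg --import security.key.asc

# "Good signature" proves the tarball was signed by the imported key and
# nothing more: gpg still warns that the key is not certified, because it is
# not in the local web of trust.  What makes the check meaningful is comparing
# the primary key fingerprint gpg prints (F554 A368 7412 CFFE BDEF  E0A3 12F5
# F7B4 2F2B 01E7 in the run recorded below) with the fingerprint OpenVPN
# publishes, obtained through a channel other than this download.  Options
# take two ASCII hyphens; the en-dash a web page renders is not an option.
gpg -v --verify openvpn-2.4.3.tar.gz.asc openvpn-2.4.3.tar.gz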

 

 

# gpg –import security.key.asc openvpn-2.4.3.tar.gz.asc 

gpg: key 2F2B01E7: “OpenVPN – Security Mailing List <security@openvpn.net>” not changed

gpg: no valid OpenPGP data found.

gpg: Total number processed: 1

gpg:              unchanged: 1

 

# gpg -v –verify openvpn-2.4.3.tar.gz.asc 

Version: GnuPG v1

gpg: armor header: 

gpg: assuming signed data in `openvpn-2.4.3.tar.gz’

gpg: Signature made Wed 21 Jun 2017 06:19:19 PM CST using RSA key ID 8CC2B034

gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7

gpg: using PGP trust model

gpg: Good signature from “OpenVPN – Security Mailing List <security@openvpn.net>”

gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the owner.

Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7

     Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034

gpg: binary signature, digest algorithm SHA1

 

 

# gpg –verify openvpn-2.4.3.tar.gz.asc openvpn-2.4.3.tar.gz  

gpg: Signature made Wed 21 Jun 2017 06:19:19 PM CST using RSA key ID 8CC2B034

gpg: Good signature from “OpenVPN – Security Mailing List <security@openvpn.net>”

gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the owner.

Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7

     Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034

 

 

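# Unpack and build only after the gpg --verify above reported a good signature
# from a key whose fingerprint was checked.  --prefix takes two ASCII hyphens;
# the en-dash a web page renders is not an option.
tar zxvf openvpn-2.4.3.tar.gz
cd openvpn-2.4.3 || exit 1   # never run configure/make in the wrong directory
./configure --prefix=/etc/openvpn && make && make install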

 

# ls /usr/local/share/doc/openvpn

Changes.rst  COPYING  COPYRIGHT.GPL  management-notes.txt  README  README.auth-pam  README.down-root  README.IPv6  README.polarssl

 

# ls /usr/share/easy-rsa/2.0/

build-ca  build-inter  build-key-pass    build-key-server  build-req-pass  inherit-inter  openssl-0.9.6.cnf  openssl-1.0.0.cnf  revoke-full  vars

build-dh  build-key    build-key-pkcs12  build-req         clean-all       list-crl       openssl-0.9.8.cnf  pkitool            sign-req     whichopensslcnf

 

 

mkdir -pv /etc/openvpn

cp -r /usr/share/easy-rsa/* /etc/openvpn/

cd /etc/openvpn/2.0/

 

 

vim vars

# modify 

export KEY_COUNTRY="CN"

export KEY_PROVINCE="GD"

export KEY_CITY="ShenZhen"

export KEY_ORG="yibu"

export KEY_EMAIL="yibu@riseup.net"

export KEY_OU=yibu 

 

chmod +x vars

 

cp openssl-1.0.0.cnf openssl.cnf

chmod +x openssl.cnf

 

# follow 6 step need  step by step.

source ./vars

./clean-all

./build-ca

./build-key-server vpn

./build-dh 

./build-key openvpnclient

 

cp ./openvpn-2.4.3/sample/sample-config-files/server.conf /etc/openvpn/

 

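# Generate the static tls-auth key (two ASCII hyphens per option; the en-dash
# a web page renders is not accepted) and move it next to the other key
# material.  ta.key is a shared secret and must stay readable by root only.
openvpn --genkey --secret ta.key
mv ta.key /etc/openvpn/2.0/keys/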

 

mkdir -pv /var/run/openvpn/

 

grep ^[^#] /etc/openvpn/server.conf > ovs.cnf 

grep ‘^[^;]’ ovs.cnf 

 

port 1194

proto udp

dev tun

ca /etc/openvpn/2.0/keys/ca.crt

cert /etc/openvpn/2.0/keys/openvpn.crt

key /etc/openvpn/2.0/keys/openvpn.key

dh /etc/openvpn/2.0/keys/dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist /var/run/openvpn/ipp.txt

push "route 192.168.20.0 255.255.255.0"

client-to-client

keepalive 10 120

tls-auth /etc/openvpn/2.0/keys/ta.key 0

comp-lzo

max-clients 100

persist-key

persist-tun

status /var/run/openvpn/openvpn-status.log

verb 3

 

 

 

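# NOTE(review): this switches SELinux off for the whole host, not just for
# openvpn, and only takes effect at the next boot; "source" merely defines a
# shell variable named SELINUX in the current shell.  For troubleshooting,
# "setenforce 0" (permissive: denials are logged, not blocked) is the
# reversible choice, and the audit log then shows which policy adjustment is
# actually needed.  The sed script needs ASCII single quotes - with the
# typographic ones a web page renders, sed fails with "unknown command".
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
source /etc/selinux/config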

 

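# firewalld rules for the OpenVPN server (server.conf above: proto udp,
# port 1194, tunnel network 10.8.0.0/24).  Every change is applied to the
# running configuration and, with --permanent, to the saved one, then the
# saved configuration is reloaded.  Options take two ASCII hyphens; the
# en-dash a web page renders is not accepted by firewall-cmd.
systemctl start firewalld.service
systemctl enable firewalld.service

# Uplink interface that VPN traffic is NATed out of.  The original notes used
# eth0 for the runtime MASQUERADE rule and eth1 for the permanent one, so the
# two disagreed after a reload; the startup log in this section reports
# IFACE=ens192, so confirm the name with "ip route" before running this.
wan_if=eth1
# 10.8.0.1/24 in the original is the same network written with a host bit set.
vpn_net=10.8.0.0/24

# Apply one firewall-cmd change to both the running and the permanent config.
fw() {
  firewall-cmd "$@"
  firewall-cmd --permanent "$@"
}

# NAT the tunnel network out of the public zone (zone-wide masquerade plus the
# source-scoped rich rule, as in the original).
fw --zone=public --add-masquerade
fw --zone=public --add-rich-rule="rule family=ipv4 source address=$vpn_net masquerade"

# NOTE(review): GRE carries PPTP, not OpenVPN; keep this rule only if a
# PPTP/GRE service really runs on this host, otherwise it is needless exposure.
fw --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT

fw --zone=public --add-interface="$wan_if"
fw --direct --passthrough ipv4 -t nat -I POSTROUTING -o "$wan_if" -j MASQUERADE -s "$vpn_net"

# server.conf listens on 1194/udp only.  firewalld's "openvpn" service opens
# exactly that port, so the separate --add-port lines of the original were
# redundant, and the 1194/tcp one exposed a port nothing listens on.
fw --zone=public --add-service=openvpn

firewall-cmd --reload
systemctl restart firewalld.service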

 

# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf &

Wed Aug 30 17:05:24 2017 OpenVPN 2.4.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 30 2017

Wed Aug 30 17:05:24 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06

Wed Aug 30 17:05:24 2017 Diffie-Hellman initialized with 2048 bit key

Wed Aug 30 17:05:24 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.

Wed Aug 30 17:05:24 2017 ECDH curve secp384r1 added

Wed Aug 30 17:05:24 2017 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Wed Aug 30 17:05:24 2017 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Wed Aug 30 17:05:24 2017 ROUTE_GATEWAY 10.121.1.1/255.255.255.0 IFACE=ens192 HWADDR=00:50:56:af:40:2c

Wed Aug 30 17:05:24 2017 TUN/TAP device tun0 opened

Wed Aug 30 17:05:24 2017 TUN/TAP TX queue length set to 100

Wed Aug 30 17:05:24 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0

Wed Aug 30 17:05:24 2017 /usr/sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500

Wed Aug 30 17:05:24 2017 /usr/sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2

Wed Aug 30 17:05:24 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET

Wed Aug 30 17:05:24 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]

Wed Aug 30 17:05:24 2017 UDPv4 link local (bound): [AF_INET][undef]:1194

Wed Aug 30 17:05:24 2017 UDPv4 link remote: [AF_UNSPEC]

Wed Aug 30 17:05:24 2017 MULTI: multi_init called, r=256 v=256

Wed Aug 30 17:05:24 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0

Wed Aug 30 17:05:24 2017 IFCONFIG POOL LIST

Wed Aug 30 17:05:24 2017 Initialization Sequence Completed

 

 

# netstat -lptun | grep openvpn | grep -v grep 

udp        0      0 0.0.0.0:1194            0.0.0.0:*                           10131/openvpn  

 

# ifconfig tun0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500

        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2

        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)

        RX packets 0  bytes 0 (0.0 B)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 3  bytes 252 (252.0 B)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

or # ip addr | grep tun0 | grep -v grep 

18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100

    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

 

# ping 10.8.0.1 

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.027 ms

64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.018 ms

 

 

# /etc/openvpn/server.conf

 

 

 

 

# use in windows7

# wget http://swupdate.openvpn.org/community/releases/openvpn-install-2.4.3-I602.exe
# 这个 Windows 安装包是明文 http 下载的,安装前应像上面的 tar.gz 一样用 gpg 核对签名(或改用 https 下载)。

 

 

openvpn这里安装路径为 D:\installed\openvpn2.4.3

把服务器的openvpnclient.crt,openvpnclient.key,ca.crt,ta.key四个文件拷贝到D:\installed\openvpn2.4.3\OpenVPN\config目录

再把D:\installed\openvpn\sample-config里的client文件也拷到 D:\installed\openvpn2.4.3\OpenVPN\config目录

 

编辑client配置文件

用notepad++程序打开client配置文件

 

client

dev tun

proto udp

remote 122.144.169.102 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert openvpnclient.crt

key openvpnclient.key

remote-cert-tls server

tls-auth ta.key 1

cipher AES-256-CBC

comp-lzo

verb 3

 

桌面有一个openvpn的快捷方式,右键点击打开,win7右下角有个上锁的电脑屏幕图标,鼠标右键点击connect。

如果安装时点击了advance 选项的小图标沟,鼠标右键点击下角有个上锁的电脑屏幕图标选settings,选择配置文件和日志路径,默认选项是在c盘。

ping 10.8.0.1 可以ping通。

用securecrt,ssh连接10.8.0.1可以连接了,这里实现的是点对点。

openvpn in centos7.3

# use openvpn in CentOS Linux release 7.3.1611 (Core).
# update 2017年 08月 23日 星期三 17:45:55 CST by yibu.
yum -y install epel-release
yum install gmp gmp-devel gawk flex bison iproute iptables sed kernel-devel -y
yum install -y lzo* lzo-devel openssl* openssl-devel pam* pam-devel
yum install -y easy-rsa firewalld firewall-config
yum install -y pkcs11-helper pkcs11-helper-devel
yum install ipsec* -y
yum install tun* -y

modprobe tun
echo “modprobe tun” >> /etc/rc.d/rc.local

rm /dev/random -rf
ln -s /dev/urandom /dev/random

systemctl start ipsec
systemctl enable ipsec
systemctl status ipsec

echo ‘net.ipv4.ip_forward = 1’ >> /etc/sysctl.conf
sysctl -p

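# Build OpenVPN 2.2.1 from source.  NOTE(review): 2.2.x is a 2011 release line
# and long unsupported; the "openvpn.new" section of these notes builds 2.4.3
# and verifies the tarball's GnuPG signature first - do the same here before
# unpacking anything into /usr/src.
tar xf openvpn-2.2.1.tar.gz -C /usr/src/
# Guard the cd: if extraction failed, configure/make would otherwise run in
# whatever directory the shell happens to be in.
cd /usr/src/openvpn-2.2.1/ || exit 1
./configure && make && make install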

mkdir -p /etc/openvpn
cp -r /usr/src/openvpn-2.2.1/easy-rsa/* /etc/openvpn/
cd /etc/openvpn/2.0/

vim vars
# modify
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="ShenZhen"
export KEY_ORG="yibu"
export KEY_EMAIL="yibu@riseup.net"
export KEY_EMAIL=yibu@riseup.net
export KEY_CN=openvpn
export KEY_NAME=yibu
export KEY_OU=yibu

 

# easy-rsa 2.0 reads its OpenSSL template from openssl.cnf; the 1.0.0 variant matches the
# OpenSSL generation shipped with CentOS 7.
cp openssl-1.0.0.cnf openssl.cnf

# The following 6 steps must be run in order, each depends on the previous one.
# vars must be sourced into the current shell (source, not ./vars) so the KEY_* exports
# reach the build scripts.
source ./vars
# clean-all wipes the keys/ directory — do not rerun it once certificates have been issued.
./clean-all
./build-ca
./build-key-server vpn
# NOTE(review): with the vars shown above this produces dh1024.pem (see the server.conf
# below); 1024-bit DH parameters are considered weak — set KEY_SIZE=2048 in vars before
# this step and point the server's `dh` line at dh2048.pem.
./build-dh
./build-key client

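# Start from the sample server.conf and list only its active (uncommented) directives.
cp /usr/src/openvpn-2.2.1/sample-config-files/server.conf /etc/openvpn/

# Patterns are quoted: unquoted, '^[^#]' is a shell glob, and the typographic quotes
# around the second pattern were handed to grep as literal characters, matching nothing.
grep '^[^#]' /etc/openvpn/server.conf > ovs.cnf
grep '^[^;]' ovs.cnf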

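# OpenVPN server configuration (active directives only).
port 1194
proto udp
dev tun
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/vpn.crt
key /etc/openvpn/2.0/keys/vpn.key
# NOTE(review): 1024-bit DH parameters are weak by current standards; regenerate with
# KEY_SIZE=2048 in vars and reference dh2048.pem here.
dh /etc/openvpn/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Plain ASCII quotes: OpenVPN's parser does not treat typographic quotes as quoting, so the
# original line would have been rejected as an unknown option.
push "route 192.168.20.0 255.255.255.0"
# Lets VPN clients reach each other directly; omit it if clients only need the server side.
client-to-client
keepalive 10 120
# NOTE(review): in-tunnel compression is discouraged by upstream (VORACLE-class attacks);
# if it is removed it has to be removed on every client profile too.
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
# NOTE(review): no tls-auth here, while the 2.4.3 client profile earlier on this page uses
# `tls-auth ta.key 1` — a client with tls-auth cannot talk to a server without it, so keep
# the two in step. The daemon also keeps running as root; `user nobody` / `group nobody`
# (the sample file ships them commented out) drop privileges after startup.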

 

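# Install the SysV init script shipped with the source tree and let systemd manage it.
cp /usr/src/openvpn-2.2.1/sample-scripts/openvpn.init /etc/rc.d/init.d/openvpn
chmod 755 /etc/rc.d/init.d/openvpn
/etc/init.d/openvpn start
systemctl start openvpn.service
systemctl enable openvpn.service   # was misspelled "enalbe", so the unit was never enabled at boot
systemctl status openvpn.service

# NOTE(review): disabling SELinux removes a layer of confinement for every service on the
# host; permissive mode plus audit2allow for the source-built daemon is the narrower
# option. Kept as the author intended, with ASCII quotes so sed receives one argument.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# The config edit only applies at the next boot; sourcing the file into the shell (as the
# original did) changed nothing in the kernel, so switch the running policy now.
setenforce 0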

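# firewalld: NAT the VPN subnet out of eth1 and open the OpenVPN port.
# All long options use ASCII "--"; firewall-cmd does not accept the page's en-dashes.
systemctl start firewalld.service
systemctl enable firewalld.service

# Runtime and --permanent variants are issued separately: --permanent alone does not
# touch the running rule set until --reload.
firewall-cmd --zone=public --add-masquerade
firewall-cmd --permanent --zone=public --add-masquerade
# NOTE(review): 10.8.0.1/24 names a host with a /24 mask; 10.8.0.0/24 is the intended
# network (kept as written).
firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.8.0.1/24 masquerade'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.8.0.1/24 masquerade'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.8.0.1/24 masquerade'
firewall-cmd --reload

# NOTE(review): GRE is the PPTP transport, not OpenVPN's; these two rules look copied from
# the pptpd section below and accept a protocol this setup never uses.
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --reload

# eth1 must be the outside interface of this host; check with 'ip addr' first.
firewall-cmd --add-interface=eth1
firewall-cmd --add-interface=eth1 --permanent
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth1 -j MASQUERADE -s 10.8.0.1/24
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth1 -j MASQUERADE -s 10.8.0.1/24
# NOTE(review): server.conf uses `proto udp` only; the 1194/tcp entries expose a port
# nothing listens on and can be dropped.
firewall-cmd --add-port=1194/tcp --zone=public
firewall-cmd --add-port=1194/udp --zone=public
firewall-cmd --add-port=1194/tcp --zone=public --permanent
firewall-cmd --add-port=1194/udp --zone=public --permanent
firewall-cmd --reload

# The predefined openvpn service appears to cover 1194/udp already, duplicating the
# port rules above.
firewall-cmd --add-service=openvpn --zone=public
firewall-cmd --add-service=openvpn --zone=public --permanent
firewall-cmd --reload

systemctl start openvpn.service
systemctl enable openvpn.service
systemctl restart openvpn.service
systemctl restart firewalld.service
systemctl status openvpn.service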

 

ifconfig tun0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 268 bytes 23811 (23.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 264 bytes 42915 (41.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

 

ping 10.8.0.1

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.072 ms

 

# use in windows7
openvpn这里安装路径为 D:\installed\openvpn
把服务器的client.crt,client.key,ca.crt三个文件拷贝到D:\installed\openvpn\config目录
再把D:\installed\openvpn\sample-config里的client文件也拷到 D:\installed\openvpn\config目录

编辑client配置文件
用notepad++程序打开client配置文件

# Older (2.2.x) Windows client profile for the CentOS 7.3 server built above.
client
dev tun
proto udp
remote 122.*.169.* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# NOTE(review): ns-cert-type checks the legacy Netscape certificate extension; the newer
# client profile on this page uses `remote-cert-tls server`, which is the supported
# replacement and works with certificates from easy-rsa's build-key-server.
ns-cert-type server
# NOTE(review): no tls-auth and no explicit cipher here. That matches the server.conf above
# (which has neither), but it means any host on the internet can start a TLS handshake
# with the server on 1194/udp.
comp-lzo
verb 3

对client文件右键– start …. 来进行拔号
桌面有一个openvpn的快捷方式,右键点击connect也可连接。
ping 10.8.0.1 可以ping通
用securecrt,ssh连接10.8.0.1可以连接了,这里实现的是点对点。

centos7.3 pptpd

## CentOS Linux release 7.3.1611 (Core)
# Fri Aug 18 11:38:24 CST 2017 update by yibu.
# pptpd
# NOTE(review): PPTP authenticates with MS-CHAPv2, whose authentication and MPPE keying
# are considered broken; treat this tunnel as obfuscation rather than confidentiality and
# prefer the OpenVPN setup above for anything sensitive.
yum install epel-release -y
yum install -y ppp pptpd

# modify pptpd.config
vim /etc/pptpd.conf
localip 192.168.0.1 # vpn gateway ip.
remoteip 192.168.0.234-238,192.168.0.245 # vpn dial access address segment.
# Only six addresses are listed, so at most six concurrent clients — the service log
# further down reports exactly that reduction.

vim /etc/ppp/options.pptpd
# e.g. notice: use a public DNS address that you can ping; the resolvers currently in use are shown by 'cat /etc/resolv.conf'.
ms-dns 8.8.8.8
ms-dns 114.114.114.114

# add users one line one user.
vim /etc/ppp/chap-secrets
# e.g.
# Secrets for authentication using CHAP
# client server secret IP addresses
# NOTE(review): placeholder credentials — the username and the secret are both "pptpd",
# and "*" accepts the login from any address. Give each user a long random secret before
# exposing 1723/tcp; the file stores secrets in plain text, so keep it mode 600.
pptpd pptpd pptpd *

# add 'ifconfig ppp0 mtu 1500' to set the maximum transmission unit (MTU).
vim /etc/ppp/ip-up
……
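# Existing lines of /etc/ppp/ip-up, shown for placement (ASCII quotes restored).
/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE}
[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"
# Raise the MTU on the link that was just brought up. ip-up receives the interface name
# as $1, so this also covers the second and later clients; a hard-coded "ppp0" only
# affected the first one. (The sed one-liner near the end of this section uses the same form.)
ip link set "$1" mtu 1500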
……

# modify kernel config.
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

 

sysctl -p

# set firewalld and start service.
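# set firewalld and start service.
# All long options use ASCII "--"; firewall-cmd does not accept the page's en-dashes.
systemctl start firewalld.service
systemctl enable firewalld.service

firewall-cmd --zone=public --add-masquerade
firewall-cmd --permanent --zone=public --add-masquerade
# NOTE(review): 192.168.0.1/24 names a host with a /24 mask; 192.168.0.0/24 is the
# intended network (kept as written).
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.0.1/24 masquerade'
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.0.1/24 masquerade'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.0.1/24 masquerade'
firewall-cmd --reload

# PPTP carries the tunnel over GRE (IP protocol 47), which has to be accepted separately
# from the 1723/tcp control connection.
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --direct --add-rule ipv6 filter INPUT 0 -p gre -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --reload

# The interface must be the one actually in use on this host; check with 'ifconfig' or 'ip addr'.
firewall-cmd --add-interface=eth1
firewall-cmd --add-interface=eth1 --permanent
firewall-cmd --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth1 -j MASQUERADE -s 192.168.0.1/24
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth1 -j MASQUERADE -s 192.168.0.1/24

firewall-cmd --add-port=1723/tcp --zone=public
firewall-cmd --add-port=1723/tcp --zone=public --permanent
firewall-cmd --reload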

 

# Bring pptpd up, then restart both services so the pptpd config and the new firewall
# rules are both in effect before checking status.
systemctl start pptpd.service
systemctl enable pptpd.service

systemctl restart pptpd.service
systemctl restart firewalld.service
systemctl status pptpd.service
systemctl status firewalld.service

# notice: if you use a VPS or a leased Linux host, the service port must also be opened in the provider's web console.

# connect to the VPN as user pptpd, then run 'ping google.com' from a Windows cmd prompt.
# or check your public IP; it should now show the pptpd_vpn_server IP.

 

## service status info
[root@yibu]# systemctl status pptpd.service
● pptpd.service – PoPToP Point to Point Tunneling Server
Loaded: loaded (/usr/lib/systemd/system/pptpd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2017-08-18 11:10:46 CST; 875ms ago
Main PID: 2883 (pptpd)
CGroup: /system.slice/pptpd.service
└─2883 /usr/sbin/pptpd -f

Aug 18 11:10:46 localhost.localdomain systemd[1]: Started PoPToP Point to Point Tunneling Server.
Aug 18 11:10:46 localhost.localdomain systemd[1]: Starting PoPToP Point to Point Tunneling Server…
Aug 18 11:10:46 localhost.localdomain pptpd[2883]: MGR: Maximum of 100 connections reduced to 6, not enough IP addresses given
Aug 18 11:10:46 localhost.localdomain pptpd[2883]: MGR: Manager process started
Aug 18 11:10:46 localhost.localdomain pptpd[2883]: MGR: Maximum of 6 connections available

 

# modify /etc/pptpd.conf to change the IP range or the connections limit.
connections 6

## works on a desktop VMware Linux guest (but sometimes does not),
# when tested with iptables it only worked after stopping iptables; the iptables rules may not have been set correctly.
# works on a real server running Linux under VMware.
# enjoy it!

 

## other set
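# Insert the MTU fix just before ip-up's final "exit 0". ASCII single quotes so sed gets the
# script as one argument; $1 is meant to stay literal here — pppd expands it when ip-up runs.
sed -i '/exit 0/i\ip link set $1 mtu 1500' /etc/ppp/ip-up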

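# use iptables, not test.
# SNAT the VPN range to the server's public address (replace your_server_ip); ASCII "--to".
iptables -t nat -I POSTROUTING -s 192.168.0.1/24 -j SNAT --to your_server_ip
service iptables save
service iptables restart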

# use more config file.
/etc/pptpd.conf
/etc/ppp/options
/etc/ppp/options.pptpd
/etc/ppp/ip-up
/etc/ppp/chap-secrets

# use man or info, or see blogs and websites.
man pppd
man pptpd

man pptpd.conf

 

openvpn

## for run openvpn
# NOTE(review): tun-1.1 from vtun dates from the 2.2/2.4 kernel era; any kernel that runs
# CentOS 7 already ships the tun driver, so the `modprobe tun` below is all that is needed
# and this unverified plain-HTTP download can be skipped.
wget http://vtun.sourceforge.net/tun/tun-1.1.tar.gz
tar -zxvf tun-1.1.tar.gz
cd tun-1.1
./configure
make
make install

modprobe tun
# to load the module automatically at boot (legacy /etc/modules.conf syntax)
# NOTE(review): /etc/modules.conf is not read by modern module loaders; on CentOS 7 a file
# under /etc/modules-load.d/ (or the rc.local line used earlier on this page) is the way
# to load tun at boot.
# vim /etc/modules.conf
# for 2.2.x kernel
alias char-major-90 tun

# for 2.4 kernel
alias char-major-10-200 tun

 

modprobe -a

or # vim /etc/rc.d/rc.local
modprobe tun

 

# install openssl
yum install openssl -y

or1 # rpm -qa | grep openssl
rpm -ivh openssl

or2 # wget http://openssl.org/source/openssl-1.0.0g.tar.gz
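# Build OpenSSL 1.0.0g from source (alternative to the yum package).
# NOTE(review): 1.0.0 is long out of support and predates many TLS fixes; prefer the
# distribution package unless an old build is needed for compatibility, and verify the
# tarball's signature before unpacking.
tar -zxvf openssl-1.0.0g.tar.gz
cd openssl-1.0.0g || exit 1
# ./config auto-detects the platform; a bare ./Configure needs an explicit target and
# otherwise only prints its usage.
./config
make
make install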

 

# install lzo
or # when install openvpn use like
# ./configure –disable-lzo

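# Build LZO 2.06 (only needed when OpenVPN is built with compression support).
# NOTE(review): plain-HTTP download with no checksum — compare against the project's
# published hash before building.
wget http://www.oberhumer.com/opensource/lzo/lzo-2.06.tar.gz
tar -zxvf lzo-2.06.tar.gz   # the original extracted "lzo2.06.tar.gz", a name wget never created
cd lzo-2.06 || exit 1
./configure
make
make install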

# notice: the following may also be needed
add /usr/local/lib into /etc/ld.so.conf

ldconfig

 

## install openvpn
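# Build OpenVPN 2.2.2 into its own prefix.
# NOTE(review): plain-HTTP download with no signature check; verify the tarball first.
wget http://swupdate.openvpn.org/community/release/openvpn-2.2.2.tar.gz
tar -zxvf openvpn-2.2.2.tar.gz
# Remember where the source tree was unpacked: the sample files are copied from it after
# we have cd'ed into the install prefix, where the original's relative path did not exist.
src_dir=$PWD/openvpn-2.2.2
cd "$src_dir" || exit 1
./configure --prefix=/usr/local/openvpn-2.2.2
make
make install
cd /usr/local/openvpn-2.2.2 || exit 1
tree
mkdir etc
mkdir keys
cp "$src_dir"/sample-config-files/server.conf /usr/local/openvpn-2.2.2/etc/
cp -ra "$src_dir"/easy-rsa /usr/local/openvpn-2.2.2/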

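pwd
# Abort rather than edit vars in the wrong directory if the tree was not installed above.
cd /usr/local/openvpn-2.2.2/easy-rsa || exit 1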
# vi vars
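# easy-rsa 2.0 vars: sourced into the shell before the build-* scripts run.
# Shell quoting restored — the page's typographic quotes and stray apostrophes would have
# been stored literally (EASY_RSA, for one, would never have expanded to the current directory).
export EASY_RSA="$(pwd)"

export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# Selects the openssl-*.cnf matching the installed OpenSSL. The variable is EASY_RSA; the
# original's EASY_RSY was a typo that expanded to nothing.
export KEY_CONFIG=$("$EASY_RSA"/whichopensslcnf "$EASY_RSA")

export KEY_DIR="$EASY_RSA/keys"

export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# NOTE(review): 1024-bit RSA/DH is below today's accepted minimum; 2048 is the usual floor.
# Left at 1024 only because the generated dh<size>.pem name must match the server's `dh`
# directive — change both together.
export KEY_SIZE=1024

export CA_EXPIRE=3650

export KEY_EXPIRE=3650

export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="SZ"
export KEY_ORG="W3"
export KEY_EMAIL="openvpn@riseup.net"   # set once; the original repeated the line
export KEY_CN=now
export KEY_NAME=now
export KEY_OU=now
# These override the "dummy" values above; the later assignment wins.
export PKCS11_MODULE_PATH=now
export PKCS11_PIN=abcd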

 

# source vars
# ./clean-all
# ./build-ca
# ./build-key-server server
press 'y' twice
# ./build-key client2
# ./build-dh
# cp /usr/local/openvpn-2.2.2/easy-rsa/keys/* /usr/local/openvpn-2.2.2/keys

 

## start openvpn
# /usr/local/openvpn-2.2.2/sbin/openvpn /usr/local/openvpn-2.2.2/etc/server.conf

or # cp /openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
# vim /etc/init.d/openvpn
# base your server openvpn modify

# chkconfig --add openvpn
# chkconfig --level 35 openvpn on