Debian Linux v8.x/9.x中5分钟搭建OpenVPN Server
OpenVPN
是一个免费的开源VPN(虚拟专用网络)软件,适用于Linux和类Unix系统。它使用SSL / TLS协议实现OSI第2层或第3层安全网络扩展。VPN允许您安全地连接到不安全的公共网络,例如机场或酒店的无线网络。VPN还需要访问您的企业或企业或家庭服务器资源。您可以绕过地理位置阻止的网站,并在线增加您的隐私或安全。本教程提供了在Debian Linux v8.x / 9.x上配置OpenVPN“road warrior”服务器的逐步说明,包括ufw / iptables防火墙配置。
步骤如下:
- 查找并记下您的公共IP地址
- 下载openvpn-install.sh脚本
- 运行openvpn-install.sh以安装OpenVPN服务器
- 使用IOS / Android / Linux /Windows客户端连接OpenVPN服务器
- 验证您的连接
第1步 - 查找您的公共IP地址
1使用以下任一命令查找IPv4公共地址。如果您internface名字为eth0或eth1的,请输入:
$ ip addr show eth0
或者
$ ip addr show eth1
或者
host myip.opendns.com resolver1.opendns.com
又或者
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
示例输出:记下的公共IP地址104.237.156.154即你的OpenVPN服务器的公网IP地址。
第2步 - 更新系统并安装ufw
1.输入apt-get command / apt命令来更新系统:示例输出:
$ sudo apt-get update $ sudo apt-get upgrade
Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following packages will be upgraded: libc-bin libc-l10n libc6 libexpat1 linux-image-4.9.0-3-amd64 locales multiarch-support 7 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. Need to get 46.6 MB of archives. After this operation, 0 B of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 http://security.debian.org/debian-security stretch/updates/main amd64 libc6 amd64 2.24-11+deb9u1 [2,695 kB] Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 libc-bin amd64 2.24-11+deb9u1 [778 kB] Get:3 http://security.debian.org/debian-security stretch/updates/main amd64 multiarch-support amd64 2.24-11+deb9u1 [200 kB] Get:4 http://security.debian.org/debian-security stretch/updates/main amd64 libc-l10n all 2.24-11+deb9u1 [820 kB] Get:5 http://security.debian.org/debian-security stretch/updates/main amd64 locales all 2.24-11+deb9u1 [3,290 kB] Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 libexpat1 amd64 2.2.0-2+deb9u1 [83.4 kB] Get:7 http://security-cdn.debian.org stretch/updates/main amd64 linux-image-4.9.0-3-amd64 amd64 4.9.30-2+deb9u2 [38.7 MB] Fetched 46.6 MB in 2s (15.5 MB/s) Reading changelogs... Done Preconfiguring packages ... (Reading database ... 28439 files and directories currently installed.) Preparing to unpack .../libc6_2.24-11+deb9u1_amd64.deb ... Unpacking libc6:amd64 (2.24-11+deb9u1) over (2.24-11) ... Setting up libc6:amd64 (2.24-11+deb9u1) ... (Reading database ... 28439 files and directories currently installed.) Preparing to unpack .../libc-bin_2.24-11+deb9u1_amd64.deb ... Unpacking libc-bin (2.24-11+deb9u1) over (2.24-11) ... Setting up libc-bin (2.24-11+deb9u1) ... Updating /etc/nsswitch.conf to current default. (Reading database ... 28439 files and directories currently installed.) Preparing to unpack .../multiarch-support_2.24-11+deb9u1_amd64.deb ... Unpacking multiarch-support (2.24-11+deb9u1) over (2.24-11) ... Setting up multiarch-support (2.24-11+deb9u1) ... (Reading database ... 28439 files and directories currently installed.) Preparing to unpack .../libc-l10n_2.24-11+deb9u1_all.deb ... Unpacking libc-l10n (2.24-11+deb9u1) over (2.24-11) ... Preparing to unpack .../locales_2.24-11+deb9u1_all.deb ... Unpacking locales (2.24-11+deb9u1) over (2.24-11) ... Preparing to unpack .../libexpat1_2.2.0-2+deb9u1_amd64.deb ... Unpacking libexpat1:amd64 (2.2.0-2+deb9u1) over (2.2.0-2) ... Preparing to unpack .../linux-image-4.9.0-3-amd64_4.9.30-2+deb9u2_amd64.deb ... Unpacking linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) over (4.9.30-2) ... Setting up libexpat1:amd64 (2.2.0-2+deb9u1) ... Processing triggers for libc-bin (2.24-11+deb9u1) ... Setting up libc-l10n (2.24-11+deb9u1) ... Processing triggers for man-db (2.7.6.1-2) ... Setting up linux-image-4.9.0-3-amd64 (4.9.30-2+deb9u2) ... /etc/kernel/postinst.d/initramfs-tools: update-initramfs: Generating /boot/initrd.img-4.9.0-3-amd64 /etc/kernel/postinst.d/zz-update-grub: Generating grub configuration file ... Found linux image: /boot/vmlinuz-4.9.0-3-amd64 Found initrd image: /boot/initrd.img-4.9.0-3-amd64 done Setting up locales (2.24-11+deb9u1) ... Generating locales (this might take a while)... en_US.UTF-8... done Generation complete.
重启电脑,保证内核升级生效
$ sudo reboot
第3步-安装ufw ( Uncomplicated Firewall)[不复杂的防火墙]
1.要在Debian 9/8上安装ufw,请键入以下apt-get命令
$ sudo apt-get install ufw
示例输出:
Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: ufw 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 164 kB of archives. After this operation, 848 kB of additional disk space will be used. Get:1 http://mirrors.linode.com/debian stretch/main amd64 ufw all 0.35-4 [164 kB] Fetched 164 kB in 0s (13.1 MB/s) Preconfiguring packages ... Selecting previously unselected package ufw. (Reading database ... 28439 files and directories currently installed.) Preparing to unpack .../archives/ufw_0.35-4_all.deb ... Unpacking ufw (0.35-4) ... Setting up ufw (0.35-4) ... Creating config file /etc/ufw/before.rules with new version Creating config file /etc/ufw/before6.rules with new version Creating config file /etc/ufw/after.rules with new version Creating config file /etc/ufw/after6.rules with new version Created symlink /etc/systemd/system/multi-user.target.wants/ufw.service ? /lib/systemd/system/ufw.service. Processing triggers for systemd (232-25) ... Processing triggers for man-db (2.7.6.1-2) ... Processing triggers for rsyslog (8.24.0-1) ...
2.您必须打开所需的端口,例如SSH端口22,80,443等:启用防火墙,运行:
$ sudo ufw allow 22 $ sudo ufw allow 80 $ sudo ufw allow 443 ... $ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
第4步 - 下载openvpn-install.sh脚本
键入以下wget命令:
$ wget https://gitee.com/MILISERVICE_admin/codes/al57tqnchxv4se9firj2831/raw?blob_name=5%E5%88%86%E9%92%9F%E6%90%AD%E5%BB%BAOpenVPN+Server -O openvpn-install.sh
输出:
--2018-09-27 12:48:27-- https://git.io/vpn Resolving git.io (git.io)... 34.238.48.57, 34.238.3.58, 34.235.97.255, ... Connecting to git.io (git.io)|34.238.48.57|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh [following] --2018-09-27 12:48:29-- https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh Resolving raw.github.com (raw.github.com)... 151.101.108.133 Connecting to raw.github.com (raw.github.com)|151.101.108.133|:443... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh [following] --2018-09-27 12:48:31-- https://raw.githubusercontent.com/Nyr/openvpn-install/master/openvpn-install.sh Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.108.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.108.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 14257 (14K) [text/plain] Saving to: ‘openvpn-install.sh’ openvpn-install.sh 100%[==============================================================>] 13.92K 66.9KB/s in 0.2s 2018-09-27 12:48:32 (66.9 KB/s) - ‘openvpn-install.sh’ saved [14257/14257]
运行openvpn-install.sh脚本为您自动安装和配置OpenVPN服务器:
$ sudo bash openvpn-install.sh
当提示设置IP地址为104.237.156.154(用您的实际IP地址替换104.237.156.154)和端口为1194(如果您不使用,则为443)网络服务器)。将Google或OpenDNS DNS服务器与vpn一起使用。接下来,键入客户端名称(例如iPhone,Nexus6,LinuxRouter,BackupServer等)。最后,按[Enter]键在您的系统上安装和设置OpenVPN:
就这些。您的OpenVPN服务器已配置好并可以使用。您可以使用cat命令查看添加的防火墙规则/etc/rc.local文件:
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I INPUT -p tcp --dport 1194 -j ACCEPT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 104.237.156.154
您可以按如下方式查看脚本生成的openvpn服务器配置文件(不要手动编辑此文件):示例输出:
$ sudo more /etc/openvpn/server.conf $ sudo vi -M /etc/openvpn/server.conf
如何在Debian Linux 9.x / 8.x LTS上启动/停止/重启OpenVPN服务器?
sudo systemctl start/stop/restart openvpn@server
第4步 - 客户端配置
在服务器上,您将找到一个名为〜/ macos-vpn-client.ovpn的客户端配置文件。您所要做的就是使用scp将此文件复制到本地桌面,并将此文件提供给OpenVPN客户端进行连接:
$ scp [email protected]:~/macos-vpn-client.ovpn .
配置客户端即可,archlinux参考:
OpenVPN (client)