mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-22 23:00:57 +08:00
173 lines
7.2 KiB
Markdown
173 lines
7.2 KiB
Markdown
|
[#]: subject: "Configure your OpenVPN server on Linux"
|
|||
|
[#]: via: "https://opensource.com/article/21/7/openvpn-firewall"
|
|||
|
[#]: author: "D. Greg Scott https://opensource.com/users/greg-scott"
|
|||
|
[#]: collector: "lujun9972"
|
|||
|
[#]: translator: " "
|
|||
|
[#]: reviewer: " "
|
|||
|
[#]: publisher: " "
|
|||
|
[#]: url: " "
|
|||
|
|
|||
|
Configure your OpenVPN server on Linux
|
|||
|
======
|
|||
|
After you install OpenVPN, it's time to configure it.
|
|||
|
![Lock][1]
|
|||
|
|
|||
|
OpenVPN creates an encrypted tunnel between two points, preventing a third party from accessing your network traffic. By setting up your virtual private network (VPN) server, you become your own VPN provider. Many popular VPN services already use [OpenVPN][2], so why tie your connection to a specific provider when you can have complete control?
|
|||
|
|
|||
|
The [first article][3] in this series set up a server for your VPN, and the [second article][4] demonstrated how to install and configure the OpenVPN server software. This third article shows how to start OpenVPN with authentication in place.
|
|||
|
|
|||
|
To set up an OpenVPN server, you must:
|
|||
|
|
|||
|
* Create a configuration file.
|
|||
|
* Set the `sysctl` value `net.ipv4.ip_forward = 1` to enable routing.
|
|||
|
* Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account.
|
|||
|
* Set OpenVPN to start with the appropriate configuration file.
|
|||
|
* Configure your firewall.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
### Configuration file
|
|||
|
|
|||
|
You must create a server config file in `/etc/openvpn/server/`. You can start from scratch if you want, and OpenVPN includes several sample configuration files to use as a starting point. Have a look in `/usr/share/doc/openvpn/sample/sample-config-files/` to see them all.
|
|||
|
|
|||
|
If you want to build a config file by hand, start with either `server.conf` or `roadwarrior-server.conf` (as appropriate), and place your config file in `/etc/openvpn/server`. Both files are extensively commented, so read the comments and decide which makes the most sense for your situation.
|
|||
|
|
|||
|
You can save time and aggravation by using my prebuilt server and client configuration file templates and `sysctl` file to turn on network routing. This configuration also includes customization to log connects and disconnects. It keeps logs on the OpenVPN server in `/etc/openvpn/server/logs`.
|
|||
|
|
|||
|
If you use my templates, you'll need to edit them to use your IP addresses and hostnames.
|
|||
|
|
|||
|
To use my prebuilt config templates, scripts, and `sysctl` to turn on IP forwarding, download my script:
|
|||
|
|
|||
|
|
|||
|
```
|
|||
|
$ curl \
|
|||
|
<https://www.dgregscott.com/ovpn/OVPNdownloads.sh> > \
|
|||
|
OVPNdownloads.sh
|
|||
|
```
|
|||
|
|
|||
|
Read the script to get an idea of what it does. Here's a quick overview of its actions:
|
|||
|
|
|||
|
* Creates the appropriate directories on your OpenVPN server
|
|||
|
* Downloads server and client config file templates from my website
|
|||
|
* Downloads my custom scripts and places them into the correct directory with correct permissions
|
|||
|
* Downloads `99-ipforward.conf` and places it into `/etc/sysctl.d` to turn on IP forwarding at the next boot
|
|||
|
* Sets up ownership for everything in `/etc/openvpn`
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Once you're satisfied that you understand what the script does, make it executable and run it:
|
|||
|
|
|||
|
|
|||
|
```
|
|||
|
$ chmod +x OVPNdownloads.sh
|
|||
|
$ sudo ./OVPNdownloads.sh
|
|||
|
```
|
|||
|
|
|||
|
Here are the files it copies (notice the file ownership):
|
|||
|
|
|||
|
|
|||
|
```
|
|||
|
$ ls -al -R /etc/openvpn
|
|||
|
/etc/openvpn:
|
|||
|
total 12
|
|||
|
drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 .
|
|||
|
drwxr-xr-x. 139 root root 8192 Apr 6 20:35 ..
|
|||
|
drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 client
|
|||
|
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 server
|
|||
|
|
|||
|
/etc/openvpn/client:
|
|||
|
total 4
|
|||
|
drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 .
|
|||
|
drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 ..
|
|||
|
-rw-r--r--. 1 openvpn openvpn 1764 Apr 6 20:35 OVPNclient2020.ovpn
|
|||
|
|
|||
|
/etc/openvpn/server:
|
|||
|
total 4
|
|||
|
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 .
|
|||
|
drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 ..
|
|||
|
drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 ccd
|
|||
|
drwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 logs
|
|||
|
-rw-r--r--. 1 openvpn openvpn 2588 Apr 6 20:35 OVPNserver2020.conf
|
|||
|
|
|||
|
/etc/openvpn/server/ccd:
|
|||
|
total 8
|
|||
|
drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 .
|
|||
|
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 ..
|
|||
|
-rwxr-xr-x. 1 openvpn openvpn 917 Apr 6 20:35 client-connect.sh
|
|||
|
-rwxr-xr-x. 1 openvpn openvpn 990 Apr 6 20:35 client-disconnect.sh
|
|||
|
|
|||
|
/etc/openvpn/server/logs:
|
|||
|
total 0
|
|||
|
drwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 .
|
|||
|
drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 ..
|
|||
|
```
|
|||
|
|
|||
|
Here's the `99-ipforward.conf` file:
|
|||
|
|
|||
|
|
|||
|
```
|
|||
|
# Turn on IP forwarding. OpenVPN servers need to do routing
|
|||
|
net.ipv4.ip_forward = 1
|
|||
|
```
|
|||
|
|
|||
|
Edit `OVPNserver2020.conf` and `OVPNclient2020.ovpn` to include your IP addresses. Also, edit `OVPNserver2020.conf` to include your server certificate names from earlier. Later, you will rename and edit a copy of `OVPNclient2020.ovpn` for use with your client computers. The blocks that start with `***?` show you where to edit.
|
|||
|
|
|||
|
### File ownership
|
|||
|
|
|||
|
If you used the automated script from my website, file ownership is already in place. If not, you must ensure that your system has a user called `openvpn` that is a member of a group named `openvpn`. You must set the ownership of everything in `/etc/openvpn` to that user and group. It's safe to do this if you're unsure whether the user and group already exist because `useradd` will refuse to create a user with the same name as one that already exists:
|
|||
|
|
|||
|
|
|||
|
```
|
|||
|
$ sudo useradd openvpn
|
|||
|
$ sudo chown -R openvpn.openvpn /etc/openvpn
|
|||
|
```
|
|||
|
|
|||
|
### Firewall
|
|||
|
|
|||
|
If you decided not to disable the firewalld service in step 1, then your server's firewall service might not allow VPN traffic by default. Using the [`firewall-cmd` command][5], you can enable the OpenVPN service, which opens the necessary ports and routes traffic as necessary:
|
|||
|
|
|||
|
|
|||
|
```
|
|||
|
$ sudo firewall-cmd --add-service openvpn --permanent
|
|||
|
$ sudo firewall-cmd --reload
|
|||
|
```
|
|||
|
|
|||
|
No need to get lost in a maze of iptables!
|
|||
|
|
|||
|
### Start your server
|
|||
|
|
|||
|
You can now start your OpenVPN server. So that it starts automatically after a reboot, use the `enable` subcommand of `systemctl`:
|
|||
|
|
|||
|
|
|||
|
```
|
|||
|
`systemctl enable --now openvpn-server@OVPNserver2020.service`
|
|||
|
```
|
|||
|
|
|||
|
### Final steps
|
|||
|
|
|||
|
The fourth and final article in this article will demonstrate how to set up clients to connect to your OpenVPN from afar.
|
|||
|
|
|||
|
* * *
|
|||
|
|
|||
|
_This article is based on D. Greg Scott's [blog][6] and is reused with permission._
|
|||
|
|
|||
|
--------------------------------------------------------------------------------
|
|||
|
|
|||
|
via: https://opensource.com/article/21/7/openvpn-firewall
|
|||
|
|
|||
|
作者:[D. Greg Scott][a]
|
|||
|
选题:[lujun9972][b]
|
|||
|
译者:[译者ID](https://github.com/译者ID)
|
|||
|
校对:[校对者ID](https://github.com/校对者ID)
|
|||
|
|
|||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
|||
|
|
|||
|
[a]: https://opensource.com/users/greg-scott
|
|||
|
[b]: https://github.com/lujun9972
|
|||
|
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/security-lock-password.jpg?itok=KJMdkKum (Lock)
|
|||
|
[2]: https://openvpn.net/
|
|||
|
[3]: https://opensource.com/article/21/7/vpn-openvpn-part-1
|
|||
|
[4]: https://opensource.com/article/21/7/vpn-openvpn-part-2
|
|||
|
[5]: https://www.redhat.com/sysadmin/secure-linux-network-firewall-cmd
|
|||
|
[6]: https://www.dgregscott.com/how-to-build-a-vpn-in-four-easy-steps-without-spending-one-penny/
|