From ff8149d1315bc63e48dfde753e358906e90199d9 Mon Sep 17 00:00:00 2001 From: geekpi Date: Thu, 12 Aug 2021 08:47:35 +0800 Subject: [PATCH] translated --- ... Configure your OpenVPN server on Linux.md | 172 ----------------- ... Configure your OpenVPN server on Linux.md | 173 ++++++++++++++++++ 2 files changed, 173 insertions(+), 172 deletions(-) delete mode 100644 sources/tech/20210805 Configure your OpenVPN server on Linux.md create mode 100644 translated/tech/20210805 Configure your OpenVPN server on Linux.md diff --git a/sources/tech/20210805 Configure your OpenVPN server on Linux.md b/sources/tech/20210805 Configure your OpenVPN server on Linux.md deleted file mode 100644 index c83c61a226..0000000000 --- a/sources/tech/20210805 Configure your OpenVPN server on Linux.md +++ /dev/null 
@@ -1,172 +0,0 @@ -[#]: subject: "Configure your OpenVPN server on Linux" -[#]: via: "https://opensource.com/article/21/7/openvpn-firewall" -[#]: author: "D. Greg Scott https://opensource.com/users/greg-scott" -[#]: collector: "lujun9972" -[#]: translator: "geekpi" -[#]: reviewer: " " -[#]: publisher: " " -[#]: url: " " - -Configure your OpenVPN server on Linux -====== -After you install OpenVPN, it's time to configure it. -![Lock][1] - -OpenVPN creates an encrypted tunnel between two points, preventing a third party from accessing your network traffic. By setting up your virtual private network (VPN) server, you become your own VPN provider. Many popular VPN services already use [OpenVPN][2], so why tie your connection to a specific provider when you can have complete control? - -The [first article][3] in this series set up a server for your VPN, and the [second article][4] demonstrated how to install and configure the OpenVPN server software. This third article shows how to start OpenVPN with authentication in place. - -To set up an OpenVPN server, you must: - - * Create a configuration file. - * Set the `sysctl` value `net.ipv4.ip_forward = 1` to enable routing. - * Set up appropriate ownership for all configuration and authentication files to run the OpenVPN server daemon under a non-root account. - * Set OpenVPN to start with the appropriate configuration file. - * Configure your firewall. - - - -### Configuration file - -You must create a server config file in `/etc/openvpn/server/`. You can start from scratch if you want, and OpenVPN includes several sample configuration files to use as a starting point. Have a look in `/usr/share/doc/openvpn/sample/sample-config-files/` to see them all. - -If you want to build a config file by hand, start with either `server.conf` or `roadwarrior-server.conf` (as appropriate), and place your config file in `/etc/openvpn/server`. 
Both files are extensively commented, so read the comments and decide which makes the most sense for your situation. - -You can save time and aggravation by using my prebuilt server and client configuration file templates and `sysctl` file to turn on network routing. This configuration also includes customization to log connects and disconnects. It keeps logs on the OpenVPN server in `/etc/openvpn/server/logs`. - -If you use my templates, you'll need to edit them to use your IP addresses and hostnames. - -To use my prebuilt config templates, scripts, and `sysctl` to turn on IP forwarding, download my script: - - -``` -$ curl \ - > \ -OVPNdownloads.sh -``` - -Read the script to get an idea of what it does. Here's a quick overview of its actions: - - * Creates the appropriate directories on your OpenVPN server - * Downloads server and client config file templates from my website - * Downloads my custom scripts and places them into the correct directory with correct permissions - * Downloads `99-ipforward.conf` and places it into `/etc/sysctl.d` to turn on IP forwarding at the next boot - * Sets up ownership for everything in `/etc/openvpn` - - - -Once you're satisfied that you understand what the script does, make it executable and run it: - - -``` -$ chmod +x OVPNdownloads.sh -$ sudo ./OVPNdownloads.sh -``` - -Here are the files it copies (notice the file ownership): - - -``` -$ ls -al -R /etc/openvpn -/etc/openvpn: -total 12 -drwxr-xr-x.   4 openvpn openvpn   34 Apr  6 20:35 . -drwxr-xr-x. 139 root    root    8192 Apr  6 20:35 .. -drwxr-xr-x.   2 openvpn openvpn   33 Apr  6 20:35 client -drwxr-xr-x.   4 openvpn openvpn   56 Apr  6 20:35 server - -/etc/openvpn/client: -total 4 -drwxr-xr-x. 2 openvpn openvpn   33 Apr  6 20:35 . -drwxr-xr-x. 4 openvpn openvpn   34 Apr  6 20:35 .. --rw-r--r--. 1 openvpn openvpn 1764 Apr  6 20:35 OVPNclient2020.ovpn - -/etc/openvpn/server: -total 4 -drwxr-xr-x. 4 openvpn openvpn   56 Apr  6 20:35 . -drwxr-xr-x. 
4 openvpn openvpn   34 Apr  6 20:35 .. -drwxr-xr-x. 2 openvpn openvpn   59 Apr  6 20:35 ccd -drwxr-xr-x. 2 openvpn openvpn    6 Apr  6 20:35 logs --rw-r--r--. 1 openvpn openvpn 2588 Apr  6 20:35 OVPNserver2020.conf - -/etc/openvpn/server/ccd: -total 8 -drwxr-xr-x. 2 openvpn openvpn  59 Apr  6 20:35 . -drwxr-xr-x. 4 openvpn openvpn  56 Apr  6 20:35 .. --rwxr-xr-x. 1 openvpn openvpn 917 Apr  6 20:35 client-connect.sh --rwxr-xr-x. 1 openvpn openvpn 990 Apr  6 20:35 client-disconnect.sh - -/etc/openvpn/server/logs: -total 0 -drwxr-xr-x. 2 openvpn openvpn  6 Apr  6 20:35 . -drwxr-xr-x. 4 openvpn openvpn 56 Apr  6 20:35 .. -``` - -Here's the `99-ipforward.conf` file: - - -``` -# Turn on IP forwarding. OpenVPN servers need to do routing -net.ipv4.ip_forward = 1 -``` - -Edit `OVPNserver2020.conf` and `OVPNclient2020.ovpn` to include your IP addresses. Also, edit `OVPNserver2020.conf` to include your server certificate names from earlier. Later, you will rename and edit a copy of `OVPNclient2020.ovpn` for use with your client computers. The blocks that start with `***?` show you where to edit. - -### File ownership - -If you used the automated script from my website, file ownership is already in place. If not, you must ensure that your system has a user called `openvpn` that is a member of a group named `openvpn`. You must set the ownership of everything in `/etc/openvpn` to that user and group. It's safe to do this if you're unsure whether the user and group already exist because `useradd` will refuse to create a user with the same name as one that already exists: - - -``` -$ sudo useradd openvpn -$ sudo chown -R openvpn.openvpn /etc/openvpn -``` - -### Firewall - -If you decided not to disable the firewalld service in step 1, then your server's firewall service might not allow VPN traffic by default. 
Using the [`firewall-cmd` command][5], you can enable the OpenVPN service, which opens the necessary ports and routes traffic as necessary: - - -``` -$ sudo firewall-cmd --add-service openvpn --permanent -$ sudo firewall-cmd --reload -``` - -No need to get lost in a maze of iptables! - -### Start your server - -You can now start your OpenVPN server. So that it starts automatically after a reboot, use the `enable` subcommand of `systemctl`: - - -``` -`systemctl enable --now openvpn-server@OVPNserver2020.service` -``` - -### Final steps - -The fourth and final article in this article will demonstrate how to set up clients to connect to your OpenVPN from afar. - -* * * - -_This article is based on D. Greg Scott's [blog][6] and is reused with permission._ - --------------------------------------------------------------------------------- - -via: https://opensource.com/article/21/7/openvpn-firewall - -作者:[D. Greg Scott][a] -选题:[lujun9972][b] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://opensource.com/users/greg-scott -[b]: https://github.com/lujun9972 -[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/security-lock-password.jpg?itok=KJMdkKum (Lock) -[2]: https://openvpn.net/ -[3]: https://opensource.com/article/21/7/vpn-openvpn-part-1 -[4]: https://opensource.com/article/21/7/vpn-openvpn-part-2 -[5]: https://www.redhat.com/sysadmin/secure-linux-network-firewall-cmd -[6]: https://www.dgregscott.com/how-to-build-a-vpn-in-four-easy-steps-without-spending-one-penny/ diff --git a/translated/tech/20210805 Configure your OpenVPN server on Linux.md b/translated/tech/20210805 Configure your OpenVPN server on Linux.md new file mode 100644 index 0000000000..6c997507f6 --- /dev/null +++ b/translated/tech/20210805 Configure your OpenVPN server on Linux.md 
@@ -0,0 +1,173 @@ +[#]: subject: "Configure your OpenVPN server on Linux" +[#]: via: "https://opensource.com/article/21/7/openvpn-firewall" +[#]: author: "D. Greg Scott https://opensource.com/users/greg-scott" +[#]: collector: "lujun9972" +[#]: translator: "geekpi" +[#]: reviewer: " " +[#]: publisher: " " +[#]: url: " " + +在 Linux 上配置你的 OpenVPN 服务器 +====== +在你安装了 OpenVPN 之后,是时候配置它了。 +![Lock][1] + +OpenVPN 在两点之间建立一个加密的隧道,防止第三方访问你的网络流量。通过设置你的虚拟私人网络(VPN)服务器,你就成为你自己的 VPN 供应商。许多流行的 VPN 服务已经使用 [OpenVPN][2],所以当你可以完全控制时,为什么要把你的连接绑定到一个特定的供应商? + +本系列中的[第一篇][3]设置了一个 VPN 服务器,[第二篇][4]演示了如何安装和配置 OpenVPN 服务器软件。这第三篇文章展示了如何在认证到位的情况下启动 OpenVPN。 + +要设置一个 OpenVPN 服务器,你必须: + + * 创建一个配置文件。 + * 设置 `sysctl` 值 `net.ipv4.ip_forward = 1` 以启用路由。 + * 为所有的配置和认证文件设置适当的所有权,以便在一个非 root 账户下运行 OpenVPN 服务器守护程序。 + * 设置 OpenVPN 以适当的配置文件启动。 + * 配置你的防火墙。 + + + +### 配置文件 + +你必须在 `/etc/openvpn/server/` 中创建一个服务器配置文件。如果你想的话,你可以从头开始,OpenVPN 包括了几个样本配置文件,可以作为开始。看看 `/usr/share/doc/openvpn/sample/sample-config-files/` 就知道了。 + +如果你想手工建立一个配置文件,从 `server.conf` 或 `roadwarrior-server.conf` 开始(视情况而定),并将你的配置文件放在 `/etc/openvpn/server` 中。这两个文件都有大量的注释,所以请阅读注释并决定哪一个适用你的情况。 + +你可以通过使用我预先建立的服务器和客户端配置文件模板和 `sysctl` 文件来打开网络路由,从而节省时间和麻烦。这个配置还包括自定义记录连接和断开的情况。它在 OpenVPN 服务器的 `/etc/openvpn/server/logs` 中保存日志。 + +如果你使用我的模板,你将需要编辑它们以使用你的 IP 地址和主机名。 + +要使用我的预建配置模板、脚本和 `sysctl` 来打开 IP 转发,请下载我的脚本: + + +``` +$ curl \ + > \ +OVPNdownloads.sh +``` + +阅读该脚本,了解它的工作内容。下面是它的行为概述: + + * 在你的 OpenVPN 服务器上创建适当的目录 + * 从我的网站下载服务器和客户端的配置文件模板 + * 下载我的自定义脚本,并以正确的权限把它们放到正确的目录中。 + * 下载 `99-ipforward.conf` 并把它放到 `/etc/sysctl.d` 中,以便在下次启动时打开 IP 转发功能。 + * 为 `/etc/openvpn` 中的所有内容设置了所有权 + + + +当你确定你理解了这个脚本的作用,就使它可执行并运行它: + + +``` +$ chmod +x OVPNdownloads.sh +$ sudo ./OVPNdownloads.sh +``` + +下面是它复制的文件(注意文件的所有权): + + +``` +$ ls -al -R /etc/openvpn +/etc/openvpn: +total 12 +drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 . +drwxr-xr-x. 139 root root 8192 Apr 6 20:35 .. +drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 client +drwxr-xr-x. 
4 openvpn openvpn 56 Apr 6 20:35 server + +/etc/openvpn/client: +total 4 +drwxr-xr-x. 2 openvpn openvpn 33 Apr 6 20:35 . +drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 .. +-rw-r--r--. 1 openvpn openvpn 1764 Apr 6 20:35 OVPNclient2020.ovpn + +/etc/openvpn/server: +total 4 +drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 . +drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 .. +drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 ccd +drwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 logs +-rw-r--r--. 1 openvpn openvpn 2588 Apr 6 20:35 OVPNserver2020.conf + +/etc/openvpn/server/ccd: +total 8 +drwxr-xr-x. 2 openvpn openvpn 59 Apr 6 20:35 . +drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 .. +-rwxr-xr-x. 1 openvpn openvpn 917 Apr 6 20:35 client-connect.sh +-rwxr-xr-x. 1 openvpn openvpn 990 Apr 6 20:35 client-disconnect.sh + +/etc/openvpn/server/logs: +total 0 +drwxr-xr-x. 2 openvpn openvpn 6 Apr 6 20:35 . +drwxr-xr-x. 4 openvpn openvpn 56 Apr 6 20:35 .. +``` + +下面是 `99-ipforward.conf` 文件: + + +``` +# Turn on IP forwarding. OpenVPN servers need to do routing +net.ipv4.ip_forward = 1 +``` + +编辑 `OVPNserver2020.conf` 和 `OVPNclient2020.ovpn` 以包括你的 IP 地址。同时,编辑 `OVPNserver2020.conf` 以包括你先前的服务器证书名称。稍后,你将重新命名和编辑 `OVPNclient2020.ovpn` 的副本,以便在你的客户电脑上使用。以 `***?` 开头的块显示了你要编辑的地方。 + +### 文件所有权 + +如果你使用了我网站上的自动脚本,文件所有权就已经到位了。如果没有,你必须确保你的系统有一个叫 `openvpn` 的用户,并且是 `openvpn` 组的成员。你必须将 `/etc/openvpn` 中的所有内容的所有权设置为该用户和组。如果你不确定该用户和组是否已经存在,这样做是安全的,因为 `useradd` 会拒绝创建一个与已经存在的用户同名的用户: + + +``` +$ sudo useradd openvpn +$ sudo chown -R openvpn.openvpn /etc/openvpn +``` + +### 防火墙 + +如果你在步骤 1 中决定不禁用 firewalld 服务,那么你的服务器的防火墙服务可能默认不允许 VPN 流量。使用 [`firewall-cmd` 命令][5],你可以启用 OpenVPN 服务,它可以打开必要的端口并根据需要路由流量: + + +``` +$ sudo firewall-cmd --add-service openvpn --permanent +$ sudo firewall-cmd --reload +``` + +没有必要在 iptables 的迷宫中迷失方向! 
+ +### 启动你的服务器 + +现在你可以启动你的 OpenVPN 服务器了。为了让它在重启后自动启动,使用 `systemctl` 的 `enable` 子命令: + + +``` +`systemctl enable --now openvpn-server@OVPNserver2020.service` +``` + +### 最后的步骤 + +本文的第四篇也是最后一篇文章将演示如何设置客户端,以便从远处连接到你的 OpenVPN。 + + +* * * + +_本文基于 D.Greg Scott 的[博客][6],经许可后重新使用。_ + +-------------------------------------------------------------------------------- + +via: https://opensource.com/article/21/7/openvpn-firewall + +作者:[D. Greg Scott][a] +选题:[lujun9972][b] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://opensource.com/users/greg-scott +[b]: https://github.com/lujun9972 +[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/security-lock-password.jpg?itok=KJMdkKum (Lock) +[2]: https://openvpn.net/ +[3]: https://opensource.com/article/21/7/vpn-openvpn-part-1 +[4]: https://opensource.com/article/21/7/vpn-openvpn-part-2 +[5]: https://www.redhat.com/sysadmin/secure-linux-network-firewall-cmd +[6]: https://www.dgregscott.com/how-to-build-a-vpn-in-four-easy-steps-without-spending-one-penny/
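Review bot: the source copy removed in the first hunk already carries defects that the translation inherits, so they need to be fixed in the translated file now that the source is gone. The download block `$ curl \` / `> \` / `OVPNdownloads.sh` has no URL at all, yet the very next steps tell the reader to `chmod +x` that script and run it with `sudo`; as written the command just waits on stdin, and the reader has nothing to fetch and inspect before executing it as root, so the proofreader should restore the download location from the author's published article rather than leave the gap. The start-server block wraps its only command in inline backticks inside the fence (`` `systemctl enable --now openvpn-server@OVPNserver2020.service` ``), which renders the backticks literally, and it is the one privileged command on the page without `sudo`. `chown -R openvpn.openvpn` uses the dot separator that GNU chown keeps only for backward compatibility; `openvpn:openvpn` is the documented form. Finally, "The fourth and final article in this article" should read "in this series".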
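Review bot: in the second hunk the `ls -al -R /etc/openvpn` listing has had its column whitespace collapsed (`drwxr-xr-x. 4 openvpn openvpn 34 Apr 6 20:35 .` where the source has `drwxr-xr-x.   4 openvpn openvpn   34 Apr  6 20:35 .`); quoted program output should be carried over byte for byte so the owner, group and size columns line up as the reader will see them, since the whole purpose of that listing is to let the reader confirm the `openvpn openvpn` ownership before the daemon is started under that account. Smaller translation points: `本文的第四篇也是最后一篇文章` reproduces the source's typo literally and should be `本系列的第四篇`; the list of script actions ends two items with `。` and the others without; `D.Greg Scott` needs the space after `D.`; and the extra blank line before `* * *` accounts for the 173-versus-172 line count.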