Differences
This page shows the differences between the two versions.
tech:pve_openvpn [2021/08/16 15:50] – jonathan | tech:pve_openvpn [2023/10/29 00:44] (current version) – jonathan | ||
---|---|---|---|
行 1: | 行 1: | ||
- | ====== | + | ====== 安裝 OpenVPN Server(使用 PVE 內 CT Template) |
* 採用 PVE 可下載的 CT Template - debian-10-turnkey-openvpn_16.1-1_amd64.tar.gz 來建立 | * 採用 PVE 可下載的 CT Template - debian-10-turnkey-openvpn_16.1-1_amd64.tar.gz 來建立 | ||
行 16: | 行 16: | ||
</ | </ | ||
+ | <note warning> | ||
+ | * 如果在 PVE7 上安裝, 需要特別執行以下程序 Exp. openvpn CT 的 id 是 133 | ||
+ | - 修改 ct 設定檔內容, | ||
+ | vi / | ||
+ | : | ||
+ | : | ||
+ | ostype: debian | ||
+ | rootfs: zfs-raid: | ||
+ | swap: 512 | ||
+ | lxc.cgroup2.devices.allow: | ||
+ | lxc.mount.entry: | ||
+ | </ | ||
+ | - 修改 tun 權限 <cli> | ||
+ | chown 100000: | ||
+ | </ | ||
+ | # ls -l / | ||
+ | crw-rw-rw- 1 100000 100000 10, 200 Jun 3 16:37 / | ||
+ | </ | ||
+ | - 重新啟動 openvpn CT <cli> | ||
+ | pct reboot 133 | ||
+ | </ | ||
+ | | ||
+ | </ | ||
+ | ===== 自訂 Open VPN Server ===== | ||
+ | * 預設 UDP Listen Port : 1194 想改成 TCP Listen Port : 10443 | ||
+ | * 修改 Push Route 為 10.20.0.0/ | ||
+ | * 修改 / | ||
+ | |||
+ | port 10443 | ||
+ | proto tcp | ||
+ | dev tun | ||
+ | : | ||
+ | : | ||
+ | # push routes to clients to allow them to reach private subnets | ||
+ | push "route 10.20.0.0 255.255.255.0" | ||
+ | </ | ||
+ | * 重新啟動 openvpn server <cli> | ||
+ | service openvpn restart | ||
+ | </ | ||
+ | * 透過直接修改 vi / | ||
+ | * 修改 / | ||
+ | : | ||
+ | : | ||
+ | # | ||
+ | REMOTE_PORT=' | ||
+ | : | ||
+ | : | ||
+ | remote $SERVER_ADDR $REMOTE_PORT | ||
+ | ;proto udp | ||
+ | proto tcp | ||
+ | remote-cert-tls server | ||
+ | : | ||
+ | </ | ||
+ | |||
+ | ===== 建立與取消 VPN 帳號 ===== | ||
+ | * 透過 ssh 連入 VPN Server 執行以下的命令 | ||
+ | * 建立帳號 Exp. jerry [email protected] <cli> | ||
+ | root@ct-openvpn ~# openvpn-addclient jerry [email protected] | ||
+ | </ | ||
+ | * ++看詳細處理訊息|< | ||
+ | Note: using Easy-RSA configuration from: / | ||
+ | |||
+ | Using SSL: openssl OpenSSL 1.1.1d | ||
+ | Generating a RSA private key | ||
+ | ........................+++++ | ||
+ | ..................................................................................+++++ | ||
+ | writing new private key to '/ | ||
+ | ----- | ||
+ | Using configuration from / | ||
+ | Check that the request matches the signature | ||
+ | Signature ok | ||
+ | The Subject' | ||
+ | commonName | ||
+ | Certificate is to be certified until Jul 31 08:27:58 2024 GMT (1080 days) | ||
+ | |||
+ | Write out database with 1 new entries | ||
+ | Data Base Updated | ||
+ | |||
+ | INFO: generated / | ||
+ | </ | ||
+ | * 建立帳號設定檔的下載連結(下載後獲一段時間連結就會失效), | ||
+ | / | ||
+ | </ | ||
+ | * 連上網址可以出現下載頁面 {{: | ||
+ | * 強制取消設定檔的下載連結 <cli> | ||
+ | / | ||
+ | </ | ||
+ | * 刪除使用者帳號(廢除使用者憑證) Exp. jerry <cli> | ||
+ | openvpn-revoke jerry | ||
+ | </ | ||
+ | * ++看詳細處理訊息|< | ||
+ | root@ct-openvpn ~# openvpn-revoke jerry | ||
+ | |||
+ | Note: using Easy-RSA configuration from: / | ||
+ | |||
+ | Using SSL: openssl OpenSSL 1.1.1d | ||
+ | |||
+ | |||
+ | Please confirm you wish to revoke the certificate with the following subject: | ||
+ | |||
+ | subject= | ||
+ | commonName | ||
+ | |||
+ | |||
+ | Type the word ' | ||
+ | Continue with revocation: yes | ||
+ | Using configuration from / | ||
+ | Revoking Certificate 7E5BBA3C6024A6FE617B80BA5DE5DB40. | ||
+ | Data Base Updated | ||
+ | |||
+ | IMPORTANT!!! | ||
+ | |||
+ | Revocation was successful. You must run gen-crl and upload a CRL to your | ||
+ | infrastructure in order to prevent the revoked cert from being accepted. | ||
+ | |||
+ | |||
+ | Note: using Easy-RSA configuration from: / | ||
+ | |||
+ | Using SSL: openssl OpenSSL 1.1.1d | ||
+ | Using configuration from / | ||
+ | |||
+ | An updated CRL has been created. | ||
+ | CRL file: / | ||
+ | |||
+ | INFO: revoked / | ||
+ | </ | ||
+ | ===== 查詢管理性資訊 ===== | ||
+ | * 查看登入登出紀錄 < | ||
+ | * 目前可用帳號 < | ||
+ | * 已廢止的帳號 < | ||
+ | |||
+ | <note tip> | ||
+ | * 如果想讓 OpenVPN 的 Listen Port 改為 443, 因為會與提供下載憑證的 lighttpd 衝突, 所以可以修改 SSL Port 為其他 port Exp. 20443 | ||
+ | * [舊版] 修改 / | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | $SERVER[" | ||
+ | $HTTP[" | ||
+ | url.redirect = ( " | ||
+ | } | ||
+ | } | ||
+ | |||
+ | $SERVER[" | ||
+ | ssl.engine = " | ||
+ | # Note using shared hardened SSL settings | ||
+ | include " | ||
+ | : | ||
+ | </ | ||
+ | * [新版] 修改 / | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | $SERVER[" | ||
+ | $HTTP[" | ||
+ | url.redirect = ( " | ||
+ | } | ||
+ | } | ||
+ | |||
+ | $SERVER[" | ||
+ | ssl.engine = " | ||
+ | # Note using shared hardened SSL settings | ||
+ | include " | ||
+ | : | ||
+ | </ | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | $SERVER[" | ||
+ | ssl.engine | ||
+ | } | ||
+ | : | ||
+ | # support for IPv6 HTTPS via Debian script (in ' | ||
+ | include_shell "/ | ||
+ | </ | ||
+ | systemctl restart lighttpd.service | ||
+ | </ | ||
+ | * 修改 / | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | # | ||
+ | SERVER_ADDR=" | ||
+ | : | ||
+ | </ | ||
+ | * Webmin 的 Firewall 也要設定開放該 Port Exp. TCP 20443 | ||
+ | * INPUT : Add Rule | ||
+ | * Apply Configuration | ||
+ | </ | ||
+ | |||
+ | ===== 設定 VPN Client 可以互相連線 ===== | ||
+ | * 只要在 server.conf 內加入 client-to-client <cli> | ||
+ | cat / | ||
+ | root@ct-openvpn ~# cat / | ||
+ | # PUBLIC_ADDRESS: | ||
+ | |||
+ | port 443 | ||
+ | proto tcp | ||
+ | dev tun | ||
+ | |||
+ | cipher AES-256-CBC | ||
+ | auth SHA256 | ||
+ | |||
+ | keepalive 10 120 | ||
+ | : | ||
+ | : | ||
+ | client-config-dir / | ||
+ | client-to-client | ||
+ | status / | ||
+ | : | ||
+ | </ | ||
+ | * 重新啟動 openvpn 讓設定生效< | ||
+ | systemctl restart openvpn | ||
+ | </ | ||
+ | |||
+ | ===== 安裝 snmpd 進行監控 ===== | ||
+ | * 如果要將 openvpn server 啟用 snmpd 進行監控, | ||
+ | * 開啟主機防火牆 udp port 161 < | ||
+ | : | ||
+ | *filter | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | :INPUT DROP [0:0] | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT | ||
+ | -A INPUT -m state --state ESTABLISHED, | ||
+ | : | ||
+ | -A INPUT -p udp -m udp --dport 161 -j ACCEPT | ||
+ | : | ||
+ | </ | ||
+ | iptable-restore < / | ||
+ | </ | ||
+ | |||
+ | ===== 安裝 openvpn-snmp-stats 強化監控 ===== | ||
+ | * 參考 - https:// | ||
+ | * 安裝 openvpn.py <cli> | ||
+ | apt install sudo -y | ||
+ | mkdir -p / | ||
+ | cd / | ||
+ | wget https:// | ||
+ | chmod a+x openvpn.py | ||
+ | visudo / | ||
+ | </ | ||
+ | Debian-snmp ALL = NOPASSWD: / | ||
+ | </ | ||
+ | vi / | ||
+ | : | ||
+ | group MyROGroup v2c iiidevops | ||
+ | |||
+ | view systemview | ||
+ | view systemview | ||
+ | view systemview | ||
+ | view systemview | ||
+ | : | ||
+ | extend wireguard / | ||
+ | </ | ||
+ | ln -s / | ||
+ | systemctl restart snmpd.service | ||
+ | </ | ||
+ | * 可以至 LibreNMS 針對這台主機開啟 Applications -> Wireguard 就可以出現類似以下的畫面 \\ {{: | ||
+ | |||
+ | ===== 安裝 openvpn-monitor 強化監控 ===== | ||
+ | * 參考 - https:// | ||
+ | * 在 openvpn server 開啟監控服務 Port Exp. 5555< | ||
+ | vi / | ||
+ | </ | ||
+ | : | ||
+ | status / | ||
+ | verb 4 | ||
+ | management 0.0.0.0 5555 | ||
+ | : | ||
+ | </ | ||
+ | * 重啟 openvpn server 讓設定生效, | ||
+ | root@ct-devops-vpn ~# netstat -lntp | grep openvpn | ||
+ | tcp 0 0 0.0.0.0: | ||
+ | tcp 0 0 0.0.0.0: | ||
+ | </ | ||
+ | * 參考 [[tech: | ||
===== 參考網址 ===== | ===== 參考網址 ===== | ||
- | * https://wiki.alpinelinux.org/wiki/Setting_up_a_OpenVPN_server | + | * https://forum.proxmox.com/ |
+ | * https:// | ||
+ | * https:// | ||
{{tag> | {{tag> |
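Review bot: the `management 0.0.0.0 5555` directive added in the openvpn-monitor section (and confirmed by the `netstat -lntp` output showing a listener on 0.0.0.0) exposes OpenVPN's management interface on every interface with no authentication shown; that interface can disconnect clients and change server state, so bind it to loopback when openvpn-monitor runs on the same host (`management 127.0.0.1 5555`), or add the optional password-file argument to `management` and an INPUT rule restricting the port to the monitoring host next to the existing udp/161 ACCEPT rule. That udp/161 rule itself accepts from any source, and the `group MyROGroup v2c iiidevops` line commits an SNMP v2c community string (sent in cleartext) to the page; add `-s <monitoring host>` to the rule and consider SNMPv3. Finally, the `openvpn-revoke` output in the account section warns that a revoked certificate is only rejected once the regenerated CRL is in use; the section should state that server.conf carries a `crl-verify` directive pointing at the path shown on the `CRL file:` line, and that the CRL's expiry must be monitored, since OpenVPN treats an expired CRL as a verification failure for every client.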