某ecs,采用puppet发布openvpn
# Install the Puppet server and agent packages on the host, then fetch the
# openvpn module (pinned to 9.1.0) into the server's module path.
yum install puppetserver puppet-agent -y
puppet module install puppet-openvpn --version 9.1.0
puppet.conf
[main]
# 'server' is the puppetserver the agent contacts, 'certname' this node's own
# certificate name; both name the same host, so this looks like the
# puppetserver node's own puppet.conf (the spelling "pupper-serv" is as posted).
server = pupper-serv
certname = pupper-serv
# how often the agent applies its catalog on its own
runinterval = 1h
# make catalog compilation fail on references to undefined variables
strict_variables = true
# This file can be used to override the default puppet settings.
# See the following links for more details on what settings are available:
# - https://puppet.com/docs/puppet/latest/config_important_settings.html
# - https://puppet.com/docs/puppet/latest/config_about_settings.html
# - https://puppet.com/docs/puppet/latest/config_file_main.html
# - https://puppet.com/docs/puppet/latest/configuration.html
[server]
# puppetserver runtime locations; codedir is where site.pp and the
# installed modules live
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
site.pp
# site.pp: one OpenVPN server instance ('xinghan') and three clients.
# Every client resource refers back to the server by name, so the name is
# kept in a single variable.
$vpn = 'xinghan'

# The server instance: certificate subject fields, the tunnel subnet handed
# out to clients, no fixed listen address (local => '' produces no 'local'
# line in the generated openvpn.conf) and a debug-level log verbosity.
openvpn::server { $vpn:
  country      => 'CH',
  province     => 'ZH',
  city         => 'Beijing',
  organization => 'xxxxx.com',
  email        => 'jincai@xxxxx.com',
  server       => '10.200.200.0 255.255.255.0',
  local        => '',
  verb         => '6',
}

# One client certificate/config per user.
['client1', 'client2', 'client3'].each |String $c| {
  openvpn::client { $c:
    server => $vpn,
  }
}

# client1 gets a fixed tunnel address pair and a pushed route; the DNS and
# redirect-gateway options stay disabled.
openvpn::client_specific_config { 'client1':
  server   => $vpn,
  ifconfig => '10.200.200.49 10.200.200.50',
  route    => ['172.16.16.0 255.255.240.0 10.200.200.1'],
  # dhcp_options     => ['DNS 8.8.8.8'],
  # redirect_gateway => true,
}

# client2 and client3 only carry the server reference.
['client2', 'client3'].each |String $c| {
  openvpn::client_specific_config { $c:
    server => $vpn,
    # dhcp_options     => ['DNS 8.8.8.8'],
    # redirect_gateway => 'true',
  }
}

# Revoking a client: drop its openvpn::client declaration and declare an
# openvpn::revoke with the same title instead (kept disabled here).
#openvpn::client { 'client3':
##  server => 'xinghan',
#}
#openvpn::revoke { 'client3':
#  server => 'xinghan',
#}
发布:
# One-off foreground agent run (-t = --test): fetch the catalog from the
# puppetserver named in puppet.conf and apply it on this node.
puppet agent -t
访问openvpn同网段内ecs
# Let the VPN host route between tun0 and the VPC network. Both settings are
# runtime-only: sysctl -w does not survive a reboot and the iptables rule does
# not survive a firewall reload; persist them (sysctl.d, iptables-save or the
# firewall manager) for anything beyond a test.
sysctl -w net.ipv4.ip_forward=1
# Accepts every packet arriving from the tunnel for forwarding. There is no
# matching reverse (-o tun0) or conntrack rule here, so return traffic relies
# on the FORWARD chain's default policy being ACCEPT — confirm on the instance.
iptables -A FORWARD -i tun0 -j ACCEPT
并在vpc上添加路由
目标:10.200.200.0/24
下一跳: openvpn-serv
openvpn.conf
# openvpn.conf as generated by puppet-openvpn for openvpn::server { 'xinghan' }
mode server
# per-client overrides (openvpn::client_specific_config) are written here
client-config-dir /etc/openvpn/server/xinghan/client-configs
ca /etc/openvpn/server/xinghan/keys/ca.crt
cert /etc/openvpn/server/xinghan/keys/issued/server.crt
key /etc/openvpn/server/xinghan/keys/private/server.key
dh /etc/openvpn/server/xinghan/keys/dh.pem
# clients whose certificate is listed in this CRL are refused
crl-verify /etc/openvpn/server/xinghan/crl.pem
proto tcp-server
port 1194
tls-server
# compression on a VPN link is deprecated and a known plaintext-recovery risk
# (VORACLE); consider removing it on server and clients together
comp-lzo
# privileges are dropped to nobody after startup
group nobody
user nobody
status /var/log/openvpn/xinghan-status.log
dev tun0
# no 'local' line (local => '' in site.pp), so the server listens on all
# addresses of the host
server 10.200.200.0 255.255.255.0
push 'route 172.16.16.0 255.255.240.0'
# legacy /30-per-client addressing; 'subnet' is the modern choice
topology net30
# debug-level verbosity: expect large log files
verb 6
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
某实例:
----- server.conf------
# server.conf launched by start.sh. The relative paths below (conf/..., log/...)
# are resolved against OpenVPN's working directory, so the daemon has to be
# started from the install root (or with --cd pointing at it).
# bind only to this private address
local 172.26.100.5
port 31194
proto tcp
dev tun
tls-server
ca conf/easy-rsa/pki/ca.crt
cert conf/easy-rsa/pki/issued/server.crt
key conf/easy-rsa/pki/private/server.key
# revoked clients; the file must be regenerated after each ./easyrsa revoke
crl-verify conf/easy-rsa/pki/crl.pem
dh conf/easy-rsa/pki/dh.pem
# HMAC on the control channel, server side (0); clients use key-direction 1
tls-auth conf/easy-rsa/pki/ta.key 0
server 10.222.0.0 255.255.0.0
push "route 172.26.100.0 255.255.255.0"
push "route 172.26.101.0 255.255.255.0"
keepalive 10 60
# exit after 6000 s without traffic on the tun device
inactive 6000
# compression is deprecated and a known plaintext-recovery risk; consider
# dropping it on server and clients together
comp-lzo
route 10.222.0.0 255.255.0.0
# the daemon keeps root for its whole lifetime (no privilege drop, unlike the
# user/group nobody in the puppet-generated config)
user root
group root
persist-tun
persist-key
# rekey every 100 h; the OpenVPN default is 3600 s
reneg-sec 360000
status log/openvpn-status.log
log-append log/openvpn.log
verb 4
------ start.sh------
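#!/bin/sh
# start.sh - launch the OpenVPN server installed next to this script.
# Layout: <dir>/sbin/openvpn and <dir>/conf/server.conf. server.conf names its
# certificates and logs with paths relative to <dir> (conf/..., log/...), which
# OpenVPN resolves against its working directory — hence --cd, so the script
# works from any cwd. ip_forward is set for the running kernel only (not
# persisted across reboots).
# Written for /bin/sh: no '==' in [ ] and no 'echo -e', which dash rejects or
# prints literally.
dir=$(cd "$(dirname "$0")" && pwd -P) || exit 1
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
# --daemon returns once the parent has forked, so a zero status alone does
# not prove the tunnel came up; pgrep is kept as a second check, but it lists
# every openvpn on the host, including any started earlier.
if "$dir/sbin/openvpn" --cd "$dir" --daemon --config "$dir/conf/server.conf" \
  && opid=$(pgrep openvpn); then
  printf '\033[32m OpenVpn Start OK! PID: %s \033[0m\n' "$opid"
else
  printf '\033[31m OpenVpn Start faild! \033[0m\n' >&2
  exit 1
fi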
-----stop.sh-----------
#!/bin/sh
# stop all openvpn processes
# killall signals every process named openvpn on the host, not only the
# instance launched by start.sh; SIGTERM lets OpenVPN shut down cleanly.
killall -TERM openvpn
--- 制作客户端证书---
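#!/bin/bash
# create_opvpn_client.sh - issue a client certificate and build an inline
# .ovpn profile. Usage: ./create_opvpn_client.sh username
# Required env: OPENVPN_CA_PASS - passphrase of the CA private key.
# Resolve the install root: this script lives one level below it, so take the
# parent of the script's own directory (pwd -P follows symlinks).
dir=$(cd "$(dirname "$0")" && pwd -P) || exit 1
dir=$(dirname "$dir")
# PROTOCOL is not used below (the template hard-codes 'proto tcp'); kept for
# the separately provided client-common.txt.
readonly PROTOCOL="tcp"
# public address clients connect to; "公网ip" is a placeholder to replace
readonly IP="公网ip"
readonly PORT="31194"
readonly PKI_PATH="$dir/conf/easy-rsa/pki/"
readonly RSA_BIN="$dir/conf/easy-rsa/"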
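#######################################
# Create a client key pair, have the CA sign it and assemble an inline
# <name>.ovpn in the current directory from ./client-common.txt plus the CA
# cert, client cert, client key and tls-auth key.
# Globals:   RSA_BIN (read)  - easy-rsa directory (contains ./easyrsa)
#            PKI_PATH (read) - easy-rsa pki directory
#            OPENVPN_CA_PASS (read) - passphrase of the CA private key; it
#                              replaces the passphrase that used to be written
#                              into this script
# Arguments: $1 - client name; only [A-Za-z0-9_.-] is accepted because the
#                 value becomes a file name and is handed to an expect script
# Outputs:   ./<name>.ovpn, mode 0600 (it embeds an unencrypted private key)
# Returns:   0 on success, 1 on bad input, expect failure or a missing file
#######################################
newclient () {
  local name=$1
  local ovpn=./$name.ovpn
  local f

  case $name in
    '' | *[!A-Za-z0-9_.-]*)
      printf 'invalid client name: %s\n' "$name" >&2
      return 1
      ;;
  esac
  if [[ -z "${OPENVPN_CA_PASS:-}" ]]; then
    printf 'OPENVPN_CA_PASS is not set (CA key passphrase)\n' >&2
    return 1
  fi

  # easyrsa must run from its own directory; do that in a subshell so the
  # caller's cwd (where the .ovpn is written) is untouched. The name and the
  # passphrase reach expect through the environment instead of being spliced
  # into the Tcl source: no quoting surprises, and the passphrase is not
  # visible in the process argument list. (A trailing '# ...' comment after
  # the spawn line is not a Tcl comment — it used to be passed to easyrsa as
  # extra arguments — so it is gone.)
  (
    cd "$RSA_BIN" || exit 1
    CLIENT=$name expect -c '
      spawn ./easyrsa gen-req $env(CLIENT) nopass
      expect {
        "*Common Name*" {send "\r"; exp_continue}
      }' || exit 1
    CLIENT=$name CA_PASS=$OPENVPN_CA_PASS expect -c '
      spawn ./easyrsa sign client $env(CLIENT)
      expect {
        "*Confirm request details*" {send "yes\r"; exp_continue}
        "*Confirm key overwrite*" {send "no\r"; exp_continue}
        "*Enter pass phrase*" {send "$env(CA_PASS)\r"; exp_continue}
      }'
  ) || return 1

  # expect exits 0 even when easyrsa refused, so verify the artefacts exist
  # before assembling the profile.
  for f in "$PKI_PATH/ca.crt" "$PKI_PATH/issued/$name.crt" \
           "$PKI_PATH/private/$name.key" "$PKI_PATH/ta.key"; do
    if [[ ! -f "$f" ]]; then
      printf 'missing %s\n' "$f" >&2
      return 1
    fi
  done

  # Generates the custom client.ovpn (client-common.txt is provided
  # separately). umask 077 keeps the embedded key from being world-readable;
  # it is scoped to the subshell.
  (
    umask 077
    {
      cat ./client-common.txt
      printf '<ca>\n';       cat "$PKI_PATH/ca.crt";            printf '</ca>\n'
      printf '<cert>\n';     cat "$PKI_PATH/issued/$name.crt";  printf '</cert>\n'
      printf '<key>\n';      cat "$PKI_PATH/private/$name.key"; printf '</key>\n'
      printf '<tls-auth>\n'; cat "$PKI_PATH/ta.key";            printf '</tls-auth>\n'
    } > "$ovpn"
  ) || return 1
}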
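# Entry point: exactly one argument, the client name.
if (( $# != 1 )); then
  printf '\033[31m para is error \033[0m\n' >&2
  printf '\033[37m usg:\033[0m \033[32m ./create_opvpn_client.sh\033[0m \033[36m username\033[0m\n' >&2
  exit 1
fi
# The name becomes a file name and is handed to an expect script: refuse
# anything beyond a plain identifier (this also rules out '../' paths).
case $1 in
  '' | *[!A-Za-z0-9_.-]*)
    printf '\033[31m invalid username: %s \033[0m\n' "$1" >&2
    exit 1
    ;;
esac
if ! command -v expect >/dev/null 2>&1; then
  printf '\033[31m expect cmd notfound please install expect! \033[0m\n' >&2
  exit 1
fi
# Template shared by every profile; $IP and $PORT expand here (unquoted EOF).
cat > ./client-common.txt <<EOF
client
dev tun
;dev tap
;proto udp
proto tcp
remote $IP $PORT
persist-key
persist-tun
resolv-retry infinite
nobind
;ns-cert-type server
comp-lzo
verb 3
route-method exe
route-delay 2
reneg-sec 360000
;redirect-gateway def1
;tls-auth ta.key 1
key-direction 1
EOF
# Generates the custom client.ovpn; stop instead of reporting success when
# the function failed.
newclient "$1" || exit 1
echo ""
echo "Create User $1 Finished!"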
###client-common.txt ###
# client-common.txt: template prepended to every generated <name>.ovpn; the
# script appends the ca/cert/key/tls-auth blocks inline.
client
dev tun
;dev tap
;proto udp
proto tcp
# "公网ip" is a placeholder for the server's public address
remote 公网ip 31194
persist-key
persist-tun
resolv-retry infinite
nobind
;ns-cert-type server
# compression is deprecated and a known plaintext-recovery risk; keep it only
# while the server still has comp-lzo
comp-lzo
verb 3
# route-method only has an effect on Windows clients
route-method exe
route-delay 2
reneg-sec 360000
;redirect-gateway def1
# the tls-auth key itself is inlined by the script; this sets the client
# side (1), matching 'tls-auth ... 0' on the server
;tls-auth ta.key 1
key-direction 1
# NOTE(review): without 'remote-cert-tls server' the client does not check that
# the peer presents a server-type certificate; consider adding it if the server
# certificate was issued with the server type.
###批量删除用户证书####
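#!/bin/bash
# Batch-revoke client certificates: one client name per line in
# /home/openvpn/xx. Run from the easy-rsa directory (./easyrsa).
# Required env: OPENVPN_CA_PASS - passphrase of the CA private key (it is no
# longer written into the script).
# NOTE(review): a revocation only reaches the server once the CRL is
# regenerated (./easyrsa gen-crl) and the file named by crl-verify in
# server.conf is refreshed.
: "${OPENVPN_CA_PASS:?set to the CA key passphrase}"
list=/home/openvpn/xx
# Redirect the file into the loop rather than piping from cat so the loop
# runs in the current shell; -r keeps backslashes, IFS= keeps whitespace.
while IFS= read -r line || [[ -n "$line" ]]; do
  # Skip blank lines and reject names that are not plain identifiers: the
  # value is handed to easyrsa and expect as-is.
  case $line in
    '') continue ;;
    *[!A-Za-z0-9_.-]*)
      printf 'skipping invalid name: %s\n' "$line" >&2
      continue
      ;;
  esac
  # Name and passphrase are read from the environment inside a quoted heredoc,
  # so nothing from the list is interpolated into the Tcl source and the
  # passphrase never appears on a command line.
  CLIENT=$line CA_PASS=$OPENVPN_CA_PASS expect <<'EOF'
spawn ./easyrsa revoke $env(CLIENT)
expect {
  "revocation:" {send "yes\r"}
}
expect {
  "ca.key:" {send "$env(CA_PASS)\r"}
}
expect eof
EOF
done < "$list"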