shell脚本之一键部署OpenVPN

提前准备:/root目录下:

checkpsw.sh ## OpenVPN 官方提供的密码校验示例脚本,可从 http://openvpn.se/files/other/checkpsw.sh 下载

openvpn@.service ## openvpn 的 systemd 服务单元文件。CentOS 8 的软件包缺少该 unit 文件,可从 CentOS 7 复制,或者自行编写一个。

Windows 客户端需要提前下载安装程序:https://openvpn.net/community-downloads/


#!/bin/bash
#
#********************************************************************
#Author:            wangdayu
#QQ:                965507991
#Date:              2022-08-20
#FileName:          autovpn.sh
#URL:               https://blog.51cto.com/dayu
#Description:       The test script
#Copyright (C):     2022 All rights reserved
#********************************************************************
# `action` (used by the menu to print OK/FAILED markers) comes from the SysV
# init function library.
. /etc/init.d/functions
# Common Name of the server certificate; also the base name of its files.
server=dayuserver
# Common Name of the client certificate created by client_req / client_config.
client=wangdayu
# First address reported by `hostname -I`; written into the client .ovpn as the
# "remote". NOTE(review): on a NATed host this is a private address — confirm
# it is the address clients actually reach.
serverIP=$(hostname -I | awk '{print $1}')
# 安装openvpn和easy-rsa
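#######################################
# Install openvpn and easy-rsa, adding an EPEL repo file (TUNA mirror) when
# no EPEL repository is configured yet.
# NOTE: this function is named `install` and therefore shadows
# /usr/bin/install for the rest of the script.
# Globals:   none
# Returns:   the exit status of `yum install`
#######################################
install(){
  if yum repolist | grep -qi epel; then
    yum install -y openvpn easy-rsa
  else
    # Quoted delimiter: $releasever and $basearch must reach yum literally.
    # With the former unquoted heredoc the shell expanded them to "" and the
    # baseurl was broken. Lines start at column 0 so the .repo file carries
    # no leading whitespace.
    # gpgcheck=1: packages pulled over the network are verified against the
    # EPEL signing key published at the mirror root (was gpgcheck=0).
    cat > /etc/yum.repos.d/epel.repo <<'EOF'
[epel]
name=EPEL
baseurl=https://mirror.tuna.tsinghua.edu.cn/epel/$releasever/Everything/$basearch
gpgcheck=1
gpgkey=https://mirror.tuna.tsinghua.edu.cn/epel/RPM-GPG-KEY-EPEL-$releasever
enabled=1
EOF
    yum install -y openvpn easy-rsa
  fi
}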
# CA环境部署和初始化生成ca证书
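#######################################
# Prepare the easy-rsa working copy under /etc/openvpn/easy-rsa, raise the
# expiry defaults in vars, then create the PKI and a passwordless CA.
# Globals:   none
# Returns:   non-zero when the copy/sed fails or easyrsa fails
#######################################
CA_init(){
    local dir=/etc/openvpn/easy-rsa
    # Copy the directory *contents* ("3/.") — `cp -r src/ dst` nests a "3/"
    # tree inside dst when dst already exists, i.e. on a second run.
    mkdir -p "$dir" || return
    cp -r /usr/share/easy-rsa/3/. "$dir"/ || return
    cp /usr/share/doc/easy-rsa/vars.example "$dir"/vars || return
    # vars.example ships both settings commented as "#set_var ...". Match one
    # or more leading '#' so the line really gets uncommented; the former
    # "^#(#set_var EASYRSA_CERT_EXPIRE" pattern required "##" and never
    # matched, leaving the certificate lifetime at the easy-rsa default.
    # CA: 36500 days, certificates: 3650 days.
    sed -r -i.bak \
        -e 's/^#+(set_var EASYRSA_CA_EXPIRE)[[:space:]].*/\1  36500/' \
        -e 's/^#+(set_var EASYRSA_CERT_EXPIRE)[[:space:]].*/\1  3650/' \
        "$dir"/vars || return
    cd "$dir" || return
    # An empty line on stdin accepts the easyrsa defaults (confirmation, CN).
    ./easyrsa init-pki <<EOF || return

EOF
    # nopass: the CA key is stored unencrypted in pki/private — keep that
    # tree readable by root only.
    ./easyrsa build-ca nopass <<EOF

EOF
}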
# 创建服务器证书
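#######################################
# Issue the server certificate, generate DH parameters and stage everything
# that server.conf references under /etc/openvpn/server/.
# Globals:   server (read) — CN / base name of the server certificate
# Returns:   non-zero on the first failing step
#######################################
server_init(){
    local pki=/etc/openvpn/easy-rsa/pki
    local dst=/etc/openvpn/server
    cd /etc/openvpn/easy-rsa || return
    ./easyrsa gen-req "$server" nopass <<EOF || return

EOF
    ./easyrsa sign server "$server" <<EOF || return
yes
EOF
    ./easyrsa gen-dh || return
    mkdir -p "$dst" || return
    cp "$pki"/ca.crt "$pki"/issued/"$server".crt "$pki"/dh.pem "$dst"/ || return
    cp "$pki"/private/"$server".key "$dst"/ || return
    # The key is unencrypted (nopass); OpenVPN reads it as root before
    # dropping to user openvpn, so root-only is sufficient.
    chmod 600 "$dst"/"$server".key
    # -p: the former bare mkdir errored on every re-run.
    mkdir -p /var/log/openvpn || return
    chown openvpn:openvpn /var/log/openvpn
    # checkpsw.sh is the password-file verifier referenced by server.conf.
    # The former one-liner printed "copied" even when the copy was skipped.
    if [ ! -e /etc/openvpn/checkpsw.sh ]; then
        cp /root/checkpsw.sh /etc/openvpn/checkpsw.sh || return
        echo "已拷贝/root/checkpsw.sh至/etc/openvpn/checkpsw.sh"
    fi
    chmod +x /etc/openvpn/checkpsw.sh
}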
# 创建服务器配置文件
#######################################
# Write /etc/openvpn/server.conf for the openvpn@server unit.
# Globals:   server (read) — base name of the cert/key staged by server_init
# Outputs:   overwrites /etc/openvpn/server.conf
# Returns:   the status of the write
# NOTE(review): the profile pins AES-256-CBC, enables LZ4 compression and
# hands the user's password to checkpsw.sh through the environment
# (script-security 3 / via-env). Each of these is a known hardening topic in
# the OpenVPN documentation; review them before production use. Whatever is
# changed here (proto, port, cipher, compress) must be mirrored in the client
# profile written by client_config.
#######################################
server_config(){
    local conf=/etc/openvpn/server.conf
    cat <<EOF > "$conf"
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/$server.crt
key /etc/openvpn/server/$server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.30.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 1000
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
mute 20
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
username-as-common-name
EOF
}
# 用户名密码
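#######################################
# Append a "username password" line to the checkpsw.sh password file.
# Globals:   PSW_FILE (read, optional) — overrides /etc/openvpn/psw-file
# Inputs:    user name and password read from stdin (password not echoed)
# Returns:   1 on empty/invalid input or an already existing user,
#            otherwise the status of the append
#######################################
userPW(){
    local psw_file=${PSW_FILE:-/etc/openvpn/psw-file}
    local user password
    read -r -p "请输入创建的用户名:" user
    # -s: the former plain read echoed the password on the terminal.
    read -r -s -p "请输入密码:" password
    echo
    # checkpsw.sh splits each line on whitespace, so blanks in either field
    # would silently corrupt the file; keep user names to a safe charset.
    if [[ ! "$user" =~ ^[A-Za-z0-9._@-]+$ ]]; then
        echo "用户名无效: '$user'" >&2
        return 1
    fi
    if [[ -z "$password" || "$password" == *[[:space:]]* ]]; then
        echo "密码不能为空且不能包含空白字符" >&2
        return 1
    fi
    # Exact first-field match in awk (the name is data, not a regex) so a
    # duplicate entry cannot shadow the existing one.
    if [ -e "$psw_file" ] && awk -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$psw_file"; then
        echo "用户已存在: $user" >&2
        return 1
    fi
    # Create the file without world-read from the start (umask alone would
    # have left the plaintext credentials 0644).
    ( umask 027; : >> "$psw_file" ) || return
    # server.conf runs OpenVPN as user openvpn and the verifier script runs
    # with those privileges, so it must stay readable by that group. Only
    # tighten the mode when the group is present (chgrp succeeded); otherwise
    # leave the mode as it was rather than lock the verifier out.
    if chgrp openvpn "$psw_file" 2>/dev/null; then
        chmod 640 "$psw_file"
    fi
    printf '%s %s\n' "$user" "$password" >> "$psw_file"
}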
# 启动openvpn服务
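#######################################
# Stage the openvpn@.service template when the package did not ship one and
# enable + start the openvpn@server instance.
# Globals:   none
# Returns:   non-zero if the unit cannot be staged or systemctl fails
#######################################
start_openvpn(){
    local unit=/lib/systemd/system/openvpn@.service
    if [ ! -e "$unit" ]; then
        # CentOS 8 lacks the template unit; the preamble asks for a copy in
        # /root. A failed copy used to be ignored and surfaced only later.
        cp /root/openvpn@.service "$unit" || return
    fi
    systemctl daemon-reload || return
    systemctl enable --now openvpn@server
}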
# 创建客户端证书
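#######################################
# Issue a client certificate for $client and collect the files the .ovpn
# references under /etc/openvpn/client/$client/.
# Globals:   client (read) — CN of the client certificate
# Returns:   non-zero on the first failing step
#######################################
client_req(){
    local pki=/etc/openvpn/easy-rsa/pki
    local out=/etc/openvpn/client/$client
    cd /etc/openvpn/easy-rsa || return
    # Shorten the certificate lifetime to 90 days. "^#*" matches the line
    # whether it is still commented or was already uncommented; the former
    # "^#(#set_var ... 3650" pattern needed "##" and never matched.
    # NOTE: this edits vars permanently — anything signed afterwards (server
    # renewals included) also gets 90 days unless vars is changed back.
    sed -r -i.bak 's/^#*(set_var EASYRSA_CERT_EXPIRE)[[:space:]].*/\1  90/' vars || return
    ./easyrsa gen-req "$client" nopass <<EOF || return

EOF
    ./easyrsa sign client "$client" <<EOF || return
yes
EOF
    mkdir -p "$out" || return
    # Copy exactly what the profile needs (cert, key, CA); the former
    # `find -name "${client}*"` also swept up the .req and any other file
    # whose name merely starts with the client name.
    cp "$pki"/issued/"$client".crt "$pki"/ca.crt "$out"/ || return
    cp "$pki"/private/"$client".key "$out"/ || return
    chmod 600 "$out"/"$client".key
}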
# 创建客户端配置文件
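#######################################
# Write the client .ovpn profile and pack the client directory into
# /root/$client.tar.gz for hand-over.
# Globals:   client (read) — client CN / directory name
#            serverIP (read) — address written as "remote"
# Returns:   non-zero if the profile or the archive cannot be written
#######################################
client_config(){
    local dir=/etc/openvpn/client/$client
    local bundle=/root/$client.tar.gz
    cat <<EOF > "$dir/$client.ovpn" || return
client
dev tun
proto tcp
remote $serverIP 1194      #生产中为OpenVPN服务器的FQDN或者公网IP
resolv-retry infinite
nobind
ca ca.crt
cert $client.crt
key $client.key
remote-cert-tls server
cipher AES-256-CBC
verb 3                      #此值不能随意指定,否则无法通信
compress lz4-v2              #此项在OpenVPN2.4.X版本使用,需要和服务器端保持一致,如不指定,默认使用comp-lz压缩
auth-user-pass
EOF
    # -C packs the directory itself instead of cd + unquoted glob, and leaves
    # the caller's working directory untouched.
    tar -C "$dir" -zcvf "$bundle" . || return
    # The archive contains the client's private key: root-only until it is
    # handed to the user over a trusted channel.
    chmod 600 "$bundle"
    # Message used to print ".tar/gz" — a path that does not exist.
    echo "客户端文件已打包至$bundle"
}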
# 吊销证书
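#######################################
# Revoke a client certificate, regenerate the CRL and make the server enforce
# it.
# Globals:   none
# Inputs:    user name (certificate CN) read from stdin
# Returns:   non-zero on empty input or a failing easyrsa/systemctl step
#######################################
revoke_user(){
    local conf=/etc/openvpn/server.conf
    local crl=/etc/openvpn/server/crl.pem
    local revokeuser
    read -r -p "请输入需要吊销证书的用户名:" revokeuser
    if [ -z "$revokeuser" ]; then
        echo "用户名不能为空" >&2
        return 1
    fi
    cd /etc/openvpn/easy-rsa || return
    ./easyrsa revoke "$revokeuser" || return
    ./easyrsa gen-crl || return
    # OpenVPN consults the CRL after it has dropped to user openvpn; the
    # easy-rsa pki/ tree is presumably root-only, so publish a readable copy
    # next to the server certificates instead of pointing at pki/crl.pem.
    # NOTE(review): easy-rsa CRLs carry their own expiry (EASYRSA_CRL_DAYS);
    # re-run gen-crl before it lapses or every client will be rejected.
    cp pki/crl.pem "$crl" || return
    chmod 644 "$crl"
    # Add crl-verify only once; the former unconditional echo appended a
    # duplicate line on every revocation.
    grep -q '^crl-verify ' "$conf" || echo "crl-verify $crl" >> "$conf"
    systemctl restart openvpn@server.service
}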
# 删除用户
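#######################################
# Remove a user's line from the checkpsw.sh password file.
# Note: this only disables password login; the user's certificate stays
# valid until it is revoked via revoke_user.
# Globals:   PSW_FILE (read, optional) — overrides /etc/openvpn/psw-file
# Inputs:    user name read from stdin
# Returns:   1 on an empty/invalid name or a missing file, else the status
#            of the rewrite
#######################################
deluser(){
    local psw_file=${PSW_FILE:-/etc/openvpn/psw-file}
    local DELuser tmp rc
    read -r -p "请输入需要删除的用户名:" DELuser
    # The former `sed "/^$DELuser/d"` was a prefix match ("bob" also removed
    # "bobby") and an empty name expanded to "/^/d", wiping the whole file.
    if [[ ! "$DELuser" =~ ^[A-Za-z0-9._@-]+$ ]]; then
        echo "用户名无效: '$DELuser'" >&2
        return 1
    fi
    if [ ! -e "$psw_file" ]; then
        echo "文件不存在: $psw_file" >&2
        return 1
    fi
    # Exact match on the first field, with the name passed as data rather
    # than interpolated into a pattern.
    tmp=$(mktemp "$psw_file".XXXXXX) || return
    if ! awk -v u="$DELuser" '$1 != u' "$psw_file" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Write back through the existing inode so the file keeps its owner and
    # mode (the openvpn group must stay able to read it).
    cat "$tmp" > "$psw_file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}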

# 增加iptables
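#######################################
# Enable IPv4 forwarding and NAT for the 10.8.0.0/24 VPN subnet (the network
# configured in server.conf), persisting both across reboots.
# Globals:   none
# Returns:   non-zero if the rule cannot be added or sysctl fails
#######################################
vpn_iptables(){
    local -r net=10.8.0.0/24
    local rule=(POSTROUTING -s "$net" ! -d "$net" -j MASQUERADE)
    local rclocal=/etc/rc.d/rc.local
    local cmd="iptables -t nat -A ${rule[*]}"
    # -C checks for an identical rule first, so re-running the menu item does
    # not stack duplicate MASQUERADE entries.
    if ! iptables -t nat -C "${rule[@]}" 2>/dev/null; then
        iptables -t nat -A "${rule[@]}" || return
    fi
    # Persist once (the former unconditional echo appended on every run).
    # NOTE(review): rc.local only runs at boot if rc-local.service is enabled
    # on this host — confirm.
    grep -qF -- "$cmd" "$rclocal" 2>/dev/null || echo "$cmd" >> "$rclocal"
    chmod +x "$rclocal"
    grep -qE '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf 2>/dev/null \
        || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
}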
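#######################################
# Run step $1 and report through `action` (from /etc/init.d/functions):
# $2 on success, $3 marked as failed otherwise. Written as if/else instead of
# the former "cmd && ok || fail" chain, which also ran the failure branch
# whenever the success printer itself returned non-zero.
# Arguments: $1 - function to run, $2 - success text, $3 - failure text
# Returns:   the status of `action`
#######################################
_step() {
    if "$1"; then
        action "$2"
    else
        action "$3" false
    fi
}
#######################################
# Interactive main menu. Each entry runs its deployment steps in order and,
# as before, continues with the next step even when the previous one failed.
# Globals:   PS3 (written) — prompt used by select
# Returns:   does not return; exits 0 on "退出"
#######################################
Menu(){
    local choice
    PS3="请选择:"
    select choice in 创建CA 配置服务器 生成客户端文件 创建用户名密码 吊销证书 删除用户 增加iptables  退出; do
        case "$choice" in
            创建CA)
                _step install "安装成功" "安装失败"
                _step CA_init "CA证书完成" "CA错误"
                ;;
            配置服务器)
                _step server_init "服务器证书颁发完成" "服务器证书颁发错误"
                _step server_config "服务器配置文件生成" "服务器配置文件错误"
                _step start_openvpn "openvpn服务器配置完成,服务已启动" "服务启动失败"
                ;;
            生成客户端文件)
                _step client_req "客户端证书颁发完成" "客户端证书颁发错误"
                _step client_config "客户端配置文件生成" "客户端配置文件错误"
                ;;
            创建用户名密码)
                _step userPW "用户已创建" "创建失败"
                ;;
            吊销证书)
                _step revoke_user "证书已吊销" "吊销失败"
                ;;
            删除用户)
                _step deluser "删除用户成功" "删除失败"
                ;;
            增加iptables)
                _step vpn_iptables "增加iptables完成" "增加iptables条目失败"
                ;;
            退出)
                exit 0
                ;;
        esac
    done
}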
# Entry point: hand control to the interactive menu.
Menu "$@"
