VPN一键部署脚本
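#!/bin/bash
# function: one-shot OpenVPN server deployment on CentOS 7 (EPEL openvpn + easy-rsa 3)
# author: ADS 20220227
# Note: before running, attach the external NIC; both the internal and the
# external NIC must have connectivity, otherwise the run fails.
#
# Prompts for: external IP (a), internal network to push (b), tunnel network (c)
# and the client certificate name (d). Produces /etc/openvpn/server.conf,
# /etc/openvpn/certs/ and a client bundle under /etc/openvpn/client/<name>/.
set -euo pipefail

readonly OVPN_DIR=/etc/openvpn
readonly SRV_RSA="$OVPN_DIR/easy-rsa-server/3"
readonly CLI_RSA="$OVPN_DIR/easy-rsa-client/3"
readonly CERT_DIR="$OVPN_DIR/certs"
readonly LOG_DIR=/var/log/openvpn
readonly VPN_PORT=1194

# Operator input (filled by read_inputs) and package file locations
# (filled by locate_package_files).
a= b= c= d=
SAMPLE_CONF= VARS_EXAMPLE=

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Everything below writes to /etc and manipulates services/iptables.
require_root() {
  (( EUID == 0 )) || die "this script must run as root"
}

#######################################
# Return 0 when $1 is a dotted-quad IPv4 address with every octet <= 255.
#######################################
is_ipv4() {
  local octet
  [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "010" is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Prompt for the four parameters and validate them. The client name ends up
# in file paths, easyrsa arguments and the generated configs, so it is
# restricted to a safe character set and may not collide with the CA/server
# certificate names.
# Globals: a, b, c, d (written)
#######################################
read_inputs() {
  read -r -p "请输入要连接的外网ip:" a
  read -r -p "请输入连接后要访问的内网资源ip网段:" b
  read -r -p "请输入连接后分配的虚拟ip:" c
  read -r -p "请输入你要建立验证的客户端用户名:" d
  is_ipv4 "$a" || die "invalid external ip: $a"
  is_ipv4 "$b" || die "invalid internal network address: $b"
  is_ipv4 "$c" || die "invalid vpn network address: $c"
  [[ $d =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]] \
    || die "client name may only contain letters, digits, '_', '.' and '-': $d"
  [[ $d != server && $d != ca ]] || die "client name '$d' is reserved"
}

install_packages() {
  yum -y install epel-release
  yum -y install openvpn easy-rsa
}

#######################################
# Find the packaged sample server.conf and easy-rsa vars.example. The doc
# directories are versioned (2.4.11 / 3.0.8 in the original), so they are
# globbed instead of hard-coded to survive package updates.
# Globals: SAMPLE_CONF, VARS_EXAMPLE (written)
#######################################
locate_package_files() {
  local samples=(/usr/share/doc/openvpn-*/sample/sample-config-files/server.conf)
  local examples=(/usr/share/doc/easy-rsa-*/vars.example)
  SAMPLE_CONF=${samples[0]}
  VARS_EXAMPLE=${examples[0]}
  [[ -f $VARS_EXAMPLE ]] || die "easy-rsa vars.example not found under /usr/share/doc"
}

#######################################
# Create the CA, the server certificate and the DH parameters.
# Refuses to run on top of an existing PKI so a re-run cannot silently
# mix old and new CA material.
#######################################
build_server_pki() {
  [[ -e $OVPN_DIR/easy-rsa-server ]] \
    && die "$OVPN_DIR/easy-rsa-server already exists; remove it to rebuild the PKI"
  cp -r /usr/share/easy-rsa/ "$OVPN_DIR/easy-rsa-server"
  # easyrsa reads vars from its own working directory (as the client copy
  # below does); the original placed the server copy one level up, where it
  # appears not to be picked up.
  cp -- "$VARS_EXAMPLE" "$SRV_RSA/vars"
  # Uncomment two settings by line number. These numbers match easy-rsa
  # 3.0.8's vars.example and must be re-checked for any other version.
  sed -i "134s/#//" "$SRV_RSA/vars"
  sed -i "138s/#//" "$SRV_RSA/vars"
  cd "$SRV_RSA" || die "cannot cd to $SRV_RSA"
  ./easyrsa init-pki
  # --batch replaces the piped answers of the original. CA and server keys
  # are created without a passphrase (nopass) so the service can start
  # unattended; the CA directory therefore needs to stay root-only.
  ./easyrsa --batch --req-cn=ca build-ca nopass
  openssl x509 -in pki/ca.crt -noout -text
  ./easyrsa --batch --req-cn=server gen-req server nopass
  ./easyrsa --batch sign server server
  ./easyrsa gen-dh
}

#######################################
# Create the client key/request in a separate easy-rsa tree, then import
# and sign the request with the server CA.
#######################################
build_client_pki() {
  [[ -e $OVPN_DIR/easy-rsa-client ]] \
    && die "$OVPN_DIR/easy-rsa-client already exists; remove it to rebuild the PKI"
  cp -r /usr/share/easy-rsa/ "$OVPN_DIR/easy-rsa-client"
  cp -- "$VARS_EXAMPLE" "$CLI_RSA/vars"
  cd "$CLI_RSA" || die "cannot cd to $CLI_RSA"
  ./easyrsa init-pki
  ./easyrsa --batch --req-cn="$d" gen-req "$d" nopass
  cd "$SRV_RSA" || die "cannot cd to $SRV_RSA"
  ./easyrsa import-req "$CLI_RSA/pki/reqs/$d.req" "$d"
  ./easyrsa --batch sign client "$d"
}

#######################################
# Copy server material to $CERT_DIR and the client bundle (ca.crt, cert,
# key) to $OVPN_DIR/client/<name>/. Explicit source paths replace the
# original find(1) call, whose unescaped parentheses were a syntax error.
#######################################
install_certs() {
  local client_dir="$OVPN_DIR/client/$d"
  mkdir -p -- "$CERT_DIR" "$client_dir"
  cp -- "$SRV_RSA/pki/ca.crt" \
        "$SRV_RSA/pki/issued/server.crt" \
        "$SRV_RSA/pki/private/server.key" \
        "$SRV_RSA/pki/dh.pem" \
        "$CERT_DIR/"
  chmod 600 "$CERT_DIR/server.key"
  cp -- "$SRV_RSA/pki/ca.crt" \
        "$SRV_RSA/pki/issued/$d.crt" \
        "$CLI_RSA/pki/private/$d.key" \
        "$client_dir/"
  # The bundle contains a private key; keep it readable by root only until
  # it is handed to the client.
  chmod 700 "$client_dir"
  chmod 600 "$client_dir/$d.key"
}

#######################################
# Write $OVPN_DIR/server.conf. An unquoted heredoc expands $c/$b while
# keeping the quotes around push arguments literal, so the four line-number
# sed fix-ups of the original are no longer needed.
# Globals: b, c (read)
#######################################
write_server_conf() {
  if [[ -f $OVPN_DIR/server.conf ]]; then
    cp -- "$OVPN_DIR/server.conf" "$OVPN_DIR/server.conf.bak"
  elif [[ -f $SAMPLE_CONF ]]; then
    # Keep the packaged sample next to the generated file for reference.
    cp -- "$SAMPLE_CONF" "$OVPN_DIR/server.conf.bak"
  fi
  # 'compress lz4-v2' is kept from the original; note that compressing VPN
  # traffic is a known compression-oracle risk — if it is dropped here, drop
  # the push line and the client-side line as well.
  cat > "$OVPN_DIR/server.conf" <<EOF
port $VPN_PORT
proto tcp
dev tun
ca $CERT_DIR/ca.crt
cert $CERT_DIR/server.crt
key $CERT_DIR/server.key
dh $CERT_DIR/dh.pem
server $c 255.255.255.0
push "route $b 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status $LOG_DIR/openvpn-status.log
log-append $LOG_DIR/openvpn.log
verb 3
mute 20
EOF
}

#######################################
# Write the client profile next to its certificate and key.
# Globals: a, d (read)
#######################################
write_client_conf() {
  local out="$OVPN_DIR/client/$d/$d.ovpn"
  cat > "$out" <<EOF
client
dev tun
proto tcp
remote $a $VPN_PORT
resolv-retry infinite
nobind
# persist-key
# persist-tun
ca ca.crt
cert $d.crt
key $d.key
remote-cert-tls server
# tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
EOF
  chmod 600 "$out"
}

#######################################
# Firewall and kernel forwarding for the tunnel network.
# Globals: c (read)
#######################################
configure_network() {
  yum install -y iptables-services iptables
  # firewalld is the CentOS 7 default and conflicts with iptables.service;
  # disable it so the saved iptables ruleset is what comes back after reboot.
  if systemctl is-enabled firewalld >/dev/null 2>&1; then
    systemctl disable --now firewalld
  fi
  # Original behaviour: flush whatever is loaded, then start the service,
  # which applies the ruleset saved in /etc/sysconfig/iptables.
  iptables -F
  systemctl enable --now iptables
  iptables -t nat -A POSTROUTING -s "$c/24" -j MASQUERADE
  # The packaged default ruleset rejects unmatched INPUT and FORWARD traffic,
  # so without these the listen port and tunnel forwarding stay blocked.
  iptables -I INPUT -p tcp --dport "$VPN_PORT" -j ACCEPT
  iptables -I FORWARD -i tun+ -j ACCEPT
  iptables -I FORWARD -o tun+ -j ACCEPT
  # Persist the runtime rules; without this they are lost at the next reboot.
  service iptables save
  # Append the forwarding sysctl only once so repeated runs do not stack
  # duplicate lines.
  if ! grep -qE '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf; then
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  fi
  sysctl -p
}

#######################################
# Create the log directory, start the service and show its state.
#######################################
start_service() {
  mkdir -p -- "$LOG_DIR"
  chown openvpn:openvpn "$LOG_DIR"
  systemctl enable --now openvpn@server
  iptables -L -v -n -t nat
  # 'status' does not accept --now (the original passed it); a non-active
  # unit makes status return non-zero, which must not be reported as success.
  systemctl status --no-pager openvpn@server \
    || die "openvpn@server is not running; see $LOG_DIR/openvpn.log"
}

main() {
  require_root
  read_inputs
  install_packages
  locate_package_files
  build_server_pki
  build_client_pki
  install_certs
  write_server_conf
  write_client_conf
  configure_network
  start_service
  echo "openvpn服务部署成功"
  echo "请在客户端安装openvpn-install-2.4.7-I606-Win10"
  echo "把/etc/openvpn/client/$d下所以文件复制到客户端安装openvpn目录下config验证使用"
}

main "$@"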