====== Installing OpenVPN Server (using a PVE CT Template) ======
  * Built from the CT Template that PVE can download: debian-10-turnkey-openvpn_16.1-1_amd64.tar.gz

===== Installation procedure =====
  - When creating the CT, untick Unprivileged container \\ {{:tech:openvpn_01.png?600|}}
  - After the CT is created, /var/log/syslog shows the following error <cli>
openvpn@server.service: Failed at step NAMESPACE spawning /usr/sbin/openvpn: Permission denied
</cli>
  - Ticking Options -> Features -> Nesting and restarting the CT fixes it \\ {{:tech:openvpn_02.png?600|}}

<WRAP center round important 60%>
  * If /var/log/syslog shows the following error <cli>
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2
</cli> it means **Unprivileged container was not unticked when the CT was created**
</WRAP>

<note warning>
  * On PVE7 the following extra steps are needed. Example: the openvpn CT has id 133
    - Edit the CT config file and append the two lxc settings as its last two lines<cli>
vi /etc/pve/lxc/133.conf</cli><file>
:
:
ostype: debian
rootfs: zfs-raid:subvol-133-disk-1,size=8G
swap: 512
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
</file>
    - Change the ownership of the tun device <cli>
chown 100000:100000 /dev/net/tun
</cli>Confirm that the change took effect<cli>
# ls -l /dev/net/tun
crw-rw-rw- 1 100000 100000 10, 200 Jun 3 16:37 /dev/net/tun
</cli>
    - Restart the openvpn CT <cli>
pct reboot 133
</cli>
</note>

===== Customizing the OpenVPN Server =====
  * The default is UDP listen port 1194; change it to TCP listen port 10443
  * Change the pushed route to 10.20.0.0/24
  * Edit /etc/openvpn/server.conf <cli>
port 10443
proto tcp
dev tun
:
:
# push routes to clients to allow them to reach private subnets
push "route 10.20.0.0 255.255.255.0"
</cli>
  * Restart the openvpn server <cli>
service openvpn restart
</cli>
  * Add a rule allowing TCP 10443 to the host firewall, either by editing /etc/iptables.up.rules directly and restarting iptables, or by logging into Webmin \\ {{:tech:openvpn_03.png|}}
  * Change the defaults that /usr/local/bin/openvpn-addclient uses when generating client profiles <cli>
:
:
#REMOTE_PORT='1194'
REMOTE_PORT='10443'
:
:
remote $SERVER_ADDR $REMOTE_PORT
;proto udp
proto tcp
remote-cert-tls server
:
</cli>

===== Creating and revoking VPN accounts =====
  * Log into the VPN server over ssh and run the following commands
  * Create an account. Example: jerry jerry@test.com <cli>
root@ct-openvpn ~# openvpn-addclient jerry jerry@test.com
</cli>
  * ++Show detailed output|<cli>
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating a RSA private key
........................+++++
..................................................................................+++++
writing new private key to '/etc/openvpn/easy-rsa/keys/private/jerry.key.Gc3caPoNbL'
-----
Using configuration from /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'jerry'
Certificate is to be certified until Jul 31 08:27:58 2024 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
INFO: generated /etc/openvpn/easy-rsa/keys/jerry.ovpn
</cli>
++
  * Create a download link for the account's profile (the link expires a while after it has been downloaded). Example: jerry <cli>
/var/www/openvpn/bin/addprofile jerry
</cli> It returns a URL like the following: URL: https://vpn.ichiayi.org/profiles/e092f97123456789067ff594c9f8dc0305d81b71/
  * Opening the URL shows the download page {{:tech:openvpn_04.png?300|}}
  * Force-expire the profile download link <cli>
/etc/cron.hourly/openvpn-profiles-delexpired
</cli> The download URL generated above stops working immediately
  * Delete a user account (revoke the user's certificate). Example: jerry <cli>
openvpn-revoke jerry
</cli>
  * ++Show detailed output|<cli>
root@ct-openvpn ~# openvpn-revoke jerry
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = jerry
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf
Revoking Certificate 7E5BBA3C6024A6FE617B80BA5DE5DB40.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Using configuration from /etc/openvpn/easy-rsa/keys/safessl-easyrsa.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/keys/crl.pem
INFO: revoked /etc/openvpn/easy-rsa/keys/jerry.ovpn
</cli>++

===== Querying administrative information =====
  * Login/logout records <cli>grep 'VERIFY OK: depth=0, CN=\| received, client-instance restarting' /var/log/syslog</cli>
  * Currently valid accounts (status column V) <cli>grep '^V' /etc/openvpn/easy-rsa/keys/index.txt</cli>
  * Revoked accounts (status column R) <cli>grep '^R' /etc/openvpn/easy-rsa/keys/index.txt</cli>

<note tip>
  * If you want OpenVPN to listen on port 443, it conflicts with the lighttpd that serves the profile downloads, so move lighttpd's SSL port elsewhere. Example: 20443
    * [Old version] Edit /etc/lighttpd/lighttpd.conf<cli>
vi /etc/lighttpd/lighttpd.conf
</cli><file>
:
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "(.*)" {
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
}
$SERVER["socket"] == ":20443" {
    ssl.engine = "enable"
    # Note using shared hardened SSL settings
    include "ssl-params.conf"
:
</file>
    * [New version] Edit /etc/lighttpd/conf-enabled/50-tklcp.conf <cli>
vi /etc/lighttpd/conf-enabled/50-tklcp.conf
</cli><file>
:
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "(.*)" {
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
}
$SERVER["socket"] == ":20443" {
    ssl.engine = "enable"
    # Note using shared hardened SSL settings
    include "ssl-params.conf"
:
</file><cli>
vi /etc/lighttpd/conf-enabled/10-ssl.conf
</cli><file>
:
$SERVER["socket"] == "0.0.0.0:20443" {
    ssl.engine = "enable"
}
:
# support for IPv6 HTTPS via Debian script (in 'lighttpd' package)
include_shell "/usr/share/lighttpd/use-ipv6.pl 20443"
</file>After editing, restart lighttpd<cli>
systemctl restart lighttpd.service
</cli>
    * Change the SERVER_ADDR setting in /var/www/openvpn/bin/addprofile. Example: change it to 172.16.0.246:20443 <cli>
vi /var/www/openvpn/bin/addprofile
</cli><file>
:
#SERVER_ADDR=$(grep remote $OVPN_PATH | awk '{print $2;exit}')
SERVER_ADDR="172.16.0.246:20443"
:
</file>
    * The Webmin Firewall must also open that port. Example: TCP 20443
      * INPUT : Add Rule
      * Apply Configuration
</note>

===== Allowing VPN clients to reach each other =====
  * Just add client-to-client to server.conf <cli>
cat /etc/openvpn/server.conf</cli><file>
root@ct-openvpn ~# cat /etc/openvpn/server.conf
# PUBLIC_ADDRESS: vpn.iiidevops.org (used by openvpn-addclient)
port 443
proto tcp
dev tun
cipher AES-256-CBC
auth SHA256
keepalive 10 120
:
:
client-config-dir /etc/openvpn/server.ccd
client-to-client
status /var/log/openvpn/server.log
:
</file>
  * Restart openvpn so the change takes effect<cli>
systemctl restart openvpn
</cli>

===== Installing snmpd for monitoring =====
  * To monitor the openvpn server with snmpd, see [[tech/ubuntu_snmpd]]
  * Open udp port 161 on the host firewall <cli>vi /etc/iptables.up.rules</cli><file>
:
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
:
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
:
</file>After editing, reboot the host or use iptables-restore to apply the firewall<cli>
iptables-restore < /etc/iptables.up.rules
</cli>

===== Installing openvpn-snmp-stats for extended monitoring =====
  * Reference: https://github.com/ThierryDi/-openvpn-snmp-stats
  * Install openvpn.py <cli>
apt install sudo -y
mkdir -p /opt/openvpn-snmp-stats/db
cd /opt/openvpn-snmp-stats
wget https://raw.githubusercontent.com/ThierryDi/-openvpn-snmp-stats/main/openvpn.py
chmod a+x openvpn.py
visudo -f /etc/sudoers.d/openvpn-stats
</cli><file>
Debian-snmp ALL = NOPASSWD: /opt/openvpn-snmp-stats/openvpn.py
</file><cli>
vi /etc/snmp/snmpd.conf</cli><file>
:
group MyROGroup v2c iiidevops
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.2
view systemview included .1.3.6.1.2.1.25.1.1
view systemview included .1.3.6.1.4.1.8072.1.3.2
:
extend wireguard /usr/bin/sudo /opt/openvpn-snmp-stats/openvpn.py
</file><cli>
ln -s /var/log/openvpn/server.log /var/log/openvpn/openvpn-status.log
systemctl restart snmpd.service
</cli>
  * In LibreNMS, enable Applications -> Wireguard for this host and a screen like the following appears \\ {{:tech:2023-07-10_230252.png?1024|}}

===== Installing openvpn-monitor for extended monitoring =====
  * Reference: https://registry.hub.docker.com/r/ruimarinho/openvpn-monitor
  * Open the management port on the openvpn server. Example: 5555<cli>
vi /etc/openvpn/server.conf
</cli><file>
:
status /var/log/openvpn/server.log
verb 4
management 0.0.0.0 5555
:
</file>
  * Restart the openvpn server so the change takes effect; netstat shows whether port 5555 is open<cli>
root@ct-devops-vpn ~# netstat -lntp | grep openvpn
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 88842/openvpn
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 88842/openvpn
</cli>
  * See [[tech:openvpn-monitor]]

===== References =====
  * https://forum.proxmox.com/threads/openvpn-in-the-lxc.41889/
  * https://blog.programster.org/openvpn-allow-clients-to-talk-to-each-other
  * https://pve.proxmox.com/wiki/OpenVPN_in_LXC

{{tag>openvpn pve}}

tech/pve_openvpn.txt · Last modified: 2023/10/29 00:44 by jonathan
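The PVE7 steps from the installation procedure (append the two lxc lines to the CT config, hand /dev/net/tun to the container's mapped uid, reboot) as a small script, added here as an example; it is not code from the page, PVE or the TurnKey template. The function names, the temporary sample config and the demo paths are assumptions; on a real PVE host you would run add_tun_entries against /etc/pve/lxc/<ctid>.conf and check_tun_owner against /dev/net/tun with the uid 100000 the page uses.

```shell
#!/bin/sh
# Added example, not from the page or the TurnKey template: automate the PVE7
# tun steps and verify the result. Paths below are constructed for the demo.

# Append LINE to CONF only if that exact line is not already present.
ensure_line() {
    conf="$1"; line="$2"
    grep -qxF -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Add the two lxc entries the page appends to /etc/pve/lxc/<ctid>.conf:
# allow the tun char device (major 10, minor 200) and bind-mount /dev/net.
add_tun_entries() {
    conf="$1"
    ensure_line "$conf" "lxc.cgroup2.devices.allow: c 10:200 rwm"
    ensure_line "$conf" "lxc.mount.entry: /dev/net dev/net none bind,create=dir"
}

# Number of tun-related lxc entries in CONF; exactly 2 after a correct edit.
tun_entry_count() {
    grep -cE '^lxc\.(cgroup2\.devices\.allow: c 10:200|mount\.entry: /dev/net )' "$1"
}

# Compare DEVICE's owner uid with EXPECTED (100000 on the page: the host uid
# that the container's root maps to). Prints "ok" or "mismatch:<actual uid>".
check_tun_owner() {
    device="$1"; expected="$2"
    actual=$(stat -c %u "$device")
    if [ "$actual" = "$expected" ]; then echo ok; else echo "mismatch:$actual"; fi
}

# Demo on a constructed copy of the tail of 133.conf shown on the page.
demo_conf=$(mktemp)
printf 'ostype: debian\nrootfs: zfs-raid:subvol-133-disk-1,size=8G\nswap: 512\n' > "$demo_conf"
add_tun_entries "$demo_conf"
add_tun_entries "$demo_conf"    # running it again must not duplicate the lines
echo "tun entries in config: $(tun_entry_count "$demo_conf")"
# On the host this would be: check_tun_owner /dev/net/tun 100000
echo "owner check on demo file: $(check_tun_owner "$demo_conf" 100000)"
```

The grep -qxF guard makes the edit idempotent, so the script can be re-run after a PVE upgrade or a restored CT config without stacking duplicate lxc lines; the owner check is what the page's ls -l does by eye.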
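A consistency check for the hand edits in "Customizing the OpenVPN Server" and for the management directive from the openvpn-monitor section, added as an example; it is not code from the page, TurnKey or openvpn-monitor. It assumes a server.conf and the openvpn-addclient script as inputs, and the files it writes are constructed samples. It flags profile defaults (REMOTE_PORT, proto) that no longer match the server's port and proto, which is the mistake the addclient edit on the page prevents, and it classifies the management interface: OpenVPN's management protocol accepts commands without a password unless a pw-file argument is given, so a line like the page's management 0.0.0.0 5555 is reported as exposed, while the same directive bound to 127.0.0.1 is reported as loopback.

```shell
#!/bin/sh
# Added example, not code from the page, TurnKey or openvpn-monitor: check
# that server.conf and the openvpn-addclient defaults agree, and classify how
# the management interface is exposed. Sample files are constructed below.

# "port proto" as configured in a server.conf.
server_endpoint() {
    awk '$1=="port"{p=$2} $1=="proto"{t=$2} END{print p, t}' "$1"
}

# "port proto" that openvpn-addclient writes into client profiles: the
# REMOTE_PORT variable and the first uncommented proto line of its template
# (the page keeps ";proto udp" commented and adds "proto tcp").
client_endpoint() {
    port=$(sed -n "s/^REMOTE_PORT='\([0-9]*\)'.*/\1/p" "$1" | head -n 1)
    proto=$(awk '$1=="proto"{print $2; exit}' "$1")
    echo "$port $proto"
}

# Succeeds when the profile defaults match the server, fails otherwise.
endpoints_match() {
    [ "$(server_endpoint "$1")" = "$(client_endpoint "$2")" ]
}

# Classify the management directive ("management ADDR PORT [pw-file]" or
# "management /path unix [pw-file]"): none, unix, loopback, exposed+pw, or
# exposed (reachable from the network and accepting commands with no password).
management_exposure() {
    awk '$1=="management"{
            found=1; addr=$2; pw=$4
            if (addr ~ /^\//) r="unix"
            else if (addr=="127.0.0.1" || addr=="localhost" || addr=="::1") r="loopback"
            else r=(pw=="" ? "exposed" : "exposed+pw")
        }
        END{ if (found) print r; else print "none" }' "$1"
}

demo_dir=$(mktemp -d)
# Constructed server.conf mirroring the page's edits plus the monitor port.
cat > "$demo_dir/server.conf" <<'EOF'
port 10443
proto tcp
dev tun
push "route 10.20.0.0 255.255.255.0"
management 0.0.0.0 5555
EOF
# Constructed excerpt of openvpn-addclient with the port changed but udp left in...
cat > "$demo_dir/addclient-before" <<'EOF'
REMOTE_PORT='10443'
remote $SERVER_ADDR $REMOTE_PORT
proto udp
remote-cert-tls server
EOF
# ...and after the full edit, as the page shows it.
cat > "$demo_dir/addclient-after" <<'EOF'
#REMOTE_PORT='1194'
REMOTE_PORT='10443'
remote $SERVER_ADDR $REMOTE_PORT
;proto udp
proto tcp
remote-cert-tls server
EOF
# Same server.conf with the management interface bound to loopback instead.
sed 's/^management .*/management 127.0.0.1 5555/' "$demo_dir/server.conf" > "$demo_dir/server-local.conf"

for f in addclient-before addclient-after; do
    if endpoints_match "$demo_dir/server.conf" "$demo_dir/$f"; then
        echo "$f: matches server ($(server_endpoint "$demo_dir/server.conf"))"
    else
        echo "$f: MISMATCH, profiles would use $(client_endpoint "$demo_dir/$f")"
    fi
done
echo "management as on the page: $(management_exposure "$demo_dir/server.conf")"
echo "management bound to loopback: $(management_exposure "$demo_dir/server-local.conf")"
```

When openvpn-monitor runs in a container on another host, as the page's docker reference implies, the bind to 0.0.0.0 is deliberate; in that case the check is a reminder to restrict port 5555 to the monitor host in /etc/iptables.up.rules, or to add a pw-file, rather than leaving it open to everyone who can reach the server.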
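The three queries in "Querying administrative information" as awk parsers, added as an example that is not from the page. A bare grep 'V' or grep 'R' over index.txt matches any line containing that letter, including a CN such as Vincent or Robert, so the functions compare Easy-RSA's tab-separated status column instead, and the syslog parser turns the VERIFY OK and client-instance restarting lines into connect/disconnect events with the CN. The log lines and the index.txt are constructed samples in the formats OpenVPN and Easy-RSA write; hostnames, addresses, times and serials are made up.

```shell
#!/bin/sh
# Added example, not from the page: parse OpenVPN syslog lines into session
# events and read Easy-RSA's index.txt by its status column. All data below is
# constructed; hostnames, addresses and serials are made up.

# Print "Mon D HH:MM:SS CONNECT|DISCONNECT <cn>" per event. OpenVPN logs a
# successful client certificate check as "VERIFY OK: depth=0, CN=<cn>" and a
# session teardown as "<cn>/<ip>:<port> SIG... received, client-instance restarting".
vpn_events() {
    awk '
        /VERIFY OK: depth=0, CN=/ {
            cn = $0; sub(/.*CN=/, "", cn); sub(/,.*/, "", cn)
            print $1, $2, $3, "CONNECT", cn
        }
        /received, client-instance restarting/ {
            cn = "?"
            for (i = 1; i <= NF; i++)
                if ($i ~ /\/[0-9.]+:[0-9]+$/) { cn = $i; sub(/\/.*/, "", cn); break }
            print $1, $2, $3, "DISCONNECT", cn
        }' "$1"
}

# index.txt is tab separated: status (V valid, R revoked, E expired), expiry,
# revocation time (empty unless R), serial, filename, subject DN. Print the CN
# of every entry whose status column equals STATUS.
certs_with_status() {
    awk -F'\t' -v want="$2" '
        $1 == want { cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn); print cn }' "$1"
}

# Constructed syslog excerpt: one CA check (depth=1, ignored), two logins, one logout.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Jun  3 16:37:01 ct-openvpn ovpn-server[312]: 203.0.113.5:51234 VERIFY OK: depth=1, CN=Easy-RSA CA
Jun  3 16:37:01 ct-openvpn ovpn-server[312]: 203.0.113.5:51234 VERIFY OK: depth=0, CN=jerry
Jun  3 16:40:12 ct-openvpn ovpn-server[312]: 198.51.100.7:40001 VERIFY OK: depth=0, CN=Robert
Jun  3 16:58:44 ct-openvpn ovpn-server[312]: jerry/203.0.113.5:51234 SIGTERM[soft,remote-exit] received, client-instance restarting
EOF

# Constructed index.txt; a naive grep 'V' / grep 'R' would also hit Vincent and Robert.
demo_idx=$(mktemp)
printf 'V\t240731082758Z\t\t01\tunknown\t/CN=server\n'               >  "$demo_idx"
printf 'R\t240731082758Z\t230610083000Z\t02\tunknown\t/CN=jerry\n'   >> "$demo_idx"
printf 'R\t240801090000Z\t230701120000Z\t03\tunknown\t/CN=Vincent\n' >> "$demo_idx"
printf 'V\t240801090000Z\t\t04\tunknown\t/CN=Robert\n'               >> "$demo_idx"

echo "--- sessions ---";         vpn_events "$demo_log"
echo "--- valid accounts ---";   certs_with_status "$demo_idx" V
echo "--- revoked accounts ---"; certs_with_status "$demo_idx" R
```

On the server the same functions take /var/log/syslog and /etc/openvpn/easy-rsa/keys/index.txt as arguments; the CONNECT/DISCONNECT pairs are what you cross-check against the revocation output above when confirming that a revoked user no longer establishes sessions.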