#!/bin/bash
#
#********************************************************************
#Author:zhangzhuo
#QQ: 1191400158
#Date: 2021-01-26
#FileName:openvpn_install.sh
#URL: [https://www.zhangzhuo.ltd](https://www.zhangzhuo.ltd)
#Description:The test script
#Copyright (C): 2021 All rights reserved
#********************************************************************
openvpn_install(){
while :;do
read -p "请输入OpenVPN服务器公网IP: " IP
{ echo $IP | grep -E "^(([1-9]?[0-9]|1[0-9](#)|2[0-4](#)|25[0-5]).){3}([1-9]?[0-9]|1[0-9](#)|2[0-4](#)|25[0-5])$">/dev/null; } && break || echo "请输入正确的IP地址!"
done
while :;do
read -p "请输入内网的网络地址如(192.168.10.0): " NET
{ echo $NET | grep -E "^(([1-9]?[0-9]|1[0-9](#)|2[0-4](#)|25[0-5]).){3}([1-9]?[0-9]|1[0-9](#)|2[0-4](#)|25[0-5])$">/dev/null; } && break || echo "请输入正确的网络地址!"
done
while :;do
read -p "请输入内网的子网掩码如(255.255.255.0): " MASK
{ echo $MASK | grep -E "^(([1-9]?[0-9]|1[0-9](#)|2[0-4](#)|25[0-5]).){3}([1-9]?[0-9]|1[0-9](#)|2[0-4](#)|25[0-5])$">/dev/null; } && break || echo "请输入正确的子网掩码!"
done
centos_Version #版本centos版本区分,centos8缺少server文件
yum install -y openvpn easy-rsa #安装
rpm -ql openvpn &>/dev/null || { echo "openvpn服务安装失败请检查YUM是否配置EPEL源";exit ;}
rpm -ql easy-rsa &>/dev/null || { echo "easy-rsa服务安装失败请检查YUM是否配置EPEL源";exit ;}
#准备服务器端证书环境
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
#修改vars配置文件
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-server/3/vars
#修改CA自签证书有效期
sed -ri 's/.*(set_var EASYRSA_CA_EXPIRE).*/\1 36500/' /etc/openvpn/easy-rsa-server/3/vars
#修改openvpn服务器证书有效期
sed -ri 's/.*(set_var EASYRSA_CERT_EXPIRE).*/\1 3650/' /etc/openvpn/easy-rsa-server/3/vars
cd /etc/openvpn/easy-rsa-server/3
#初始化PKI生成PKI相关目录和文件
./easyrsa init-pki
#创建CA机构
echo -e "\n" | ./easyrsa build-ca nopass
#创建openvpn服务器证书并颁发
echo -e "\n" | ./easyrsa gen-req server nopass
echo -e "yes\n" | ./easyrsa sign server server
#创建Diffie-Hellman算法
./easyrsa gen-dh
#准备客户端证书环境
cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
cp /usr/share/doc/easy-rsa/vars.example /etc/openvpn/easy-rsa-client/3/vars
cd /etc/openvpn/easy-rsa-client/3
./easyrsa init-pki
#修改客户端证书有效期,根据自己的实际情况可修改
sed -ri 's/.*(set_var EASYRSA_CERT_EXPIRE).*/\1 180/' /etc/openvpn/easy-rsa-client/3/vars
#CA和服务器证书复制到openvpn服务的目录
mkdir /etc/openvpn/certs
cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
openvpn --genkey --secret /etc/openvpn/certs/ta.key
#准备客户端配置文件
mkdir /etc/openvpn/client-file
cp /etc/openvpn/certs/{ca.crt,dh.pem,ta.key} /etc/openvpn/client-file
cat <<EOF >/etc/openvpn/client-file/client.ovpn
client
dev tun
proto tcp
remote server-ip 1194
resolv-retry infinite
nobind
#persist-key
#persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
#tls-auth ta.key 1
cipher AES-256-CBC
verb 3
compress lz4-v2
tls-auth ta.key 1
EOF
sed -ri "s/(server-ip)/$IP/" /etc/openvpn/client-file/client.ovpn
#生成证书吊销列表
cd /etc/openvpn/easy-rsa-server/3
./easyrsa gen-crl
#创建openvpn日志目录
mkdir /var/log/openvpn
chown openvpn: /var/log/openvpn/
#生成openvpn服务器配置文件
cat <<EOF >/etc/openvpn/server.conf
port 1194
proto tcp
#pexplicit-exit-notify 1
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.0.0.0 255.255.255.0
push "route network"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
;comp-lzo
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
tls-auth /etc/openvpn/certs/ta.key 0
crl-verify /etc/openvpn/easy-rsa-server/3/pki/crl.pem
EOF
sed -ri "s/(network)/$NET $MASK/" /etc/openvpn/server.conf
#添加iptables规则和内核参数
echo net.ipv4.ip_forward = 1 >>/etc/sysctl.conf
sysctl -p
echo "iptables -t nat -APOSTROUTING -s 10.0.0.0/24 -j MASQUERADE" >>/etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
/etc/rc.d/rc.local
#启动openvpn服务
systemctl daemon-reload
systemctl enable --now openvpn@server
echo -e "\033[1;31m服务安装完成,已经启动!\033[0m"
}
#centos系统版本区分
centos_Version(){
Version=`grep -Eo "[0-9].[0-9]" /etc/redhat-release | tr '.' '%' | tr '\n' % |cut -d% -f 1`
if [ $Version = 8 ];then
cat <<EOF >/lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target
[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
EOF
chmod 644 /lib/systemd/system/openvpn@.service
fi
}
issue(){
while :;do
read -p "请输入创建证书的人名全拼如(zhangzhuo):" REQ_NAME
ls -ld /etc/openvpn/client/$REQ_NAME &>/dev/null && echo "用户已经存在" || break
done
read -p "私钥是否设置密码(1设置,其他为不设置)" A
if [ ! $A = 1 ];then
NOPASS=nopass
fi
#生成证书申请文件
cd /etc/openvpn/easy-rsa-client/3
echo -e "\n" | ./easyrsa gen-req $REQ_NAME $NOPASS
#导入申请文件到CA
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/$REQ_NAME.req $REQ_NAME
#颁发
echo -e "yes\n" | ./easyrsa sign client $REQ_NAME
#创建用户客户端配置文件
mkdir /etc/openvpn/client/$REQ_NAME
cp /etc/openvpn/easy-rsa-server/3/pki/issued/${REQ_NAME}.crt /etc/openvpn/client/${REQ_NAME}
cp /etc/openvpn/easy-rsa-client/3/pki/private/${REQ_NAME}.key /etc/openvpn/client/${REQ_NAME}
cp /etc/openvpn/client-file/* /etc/openvpn/client/${REQ_NAME}
mv /etc/openvpn/client/${REQ_NAME}/${REQ_NAME}.crt /etc/openvpn/client/${REQ_NAME}/client.crt
mv /etc/openvpn/client/${REQ_NAME}/${REQ_NAME}.key /etc/openvpn/client/${REQ_NAME}/client.key
cd /etc/openvpn/client/${REQ_NAME}/
#打包用户客户端配置文件
tar -cf ${REQ_NAME}.tar *
cp ${REQ_NAME}.tar /root/
echo -e "\033[1;31m用户客户端配置文件已经生成,已经打包放置到root目录下\033[0m"
echo -e "\033[1;31m原本的文件在/etc/openvpn/client/文件夹下\033[0m"
}
revoked(){
echo `ls /etc/openvpn/client/`
while :;do
read -p "请输入要吊销的用户名:" NAME
ls -ld /etc/openvpn/client/$NAME &>/dev/null && { rm -rf /etc/openvpn/client/$NAME;break; } || echo "没有这个用户请重新输入!"
done
cd /etc/openvpn/easy-rsa-server/3
echo -e "yes\n" | ./easyrsa revoke $NAME
./easyrsa gen-crl
systemctl restart openvpn@server
}
PS3="请选择相应的编号(1-4):"
MENU="
安装OpenVPN服务
给用户颁发证书
吊销用户证书
退出
"
select menu in $MENU;do
case $REPLY in
1)
openvpn_install
;;
2)
issue
;;
3)
revoked
;;
4)
break
;;
*)
echo -e "\e[1;31m输入错误,请输入正确的数字(1-3)!\e[0m"
;;
esac
done
脚本功能
- 可以实现在 Centos7 和 8 系统部署 openvpn 服务,部署完成后 CA 证书 100 年,openvpn 证书 10 年
- 可以自动实现客户端证书颁发,有效期 180 天
- 脚本具体过程脚本中有注释
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于