OpenVPN Configuration
Install OpenVPN in one step with the script. By default it configures a full tunnel (all client traffic is routed through the server); running the script again lets you add or revoke client profiles.
Common commands
```sh
# Restart OpenVPN
systemctl restart openvpn-server@server.service
# Check the service status
systemctl status openvpn-server@server.service
# Follow the log
tail -f /var/log/openvpn/openvpn.log
```
One-step installation with the script
Server side
```sh
# Make the script executable
[root@VM-4-8-centos ~]# chmod u+x openvpn-install.sh
# Run the script
[root@VM-4-8-centos ~]# ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are okay with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 43.155.1xx.xx # enter the server's public IPv4 address
Checking for IPv6 connectivity...
Your host appears to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n # IPv6 is optional; leave it off for now
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1 # keep the default port
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1 # use UDP
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Anycast: worldwide)
12) NextDNS (Anycast: worldwide)
13) Custom
DNS [1-12]: 1 # pick a resolver; 1 (system resolvers) or 8 (OpenDNS) both work
Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n # no compression
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe (unlike OpenVPN's defaults).
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n # keep the script's defaults
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue... # press any key
# The installation runs here; many steps are omitted ...
Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: inkwell # name of the client profile
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1 # no password on the private key
```
Troubleshooting
VPN connection fails
- ovpn-dco: access denied
This is a permission problem with the DCO (Data Channel Offload) driver at connect time. One ovpn-dco adapter serves a single connection, so running several VPN connections at once requires several adapters.
Temporary workaround (disable DCO): add the following line to the OpenVPN client configuration file:
disable-dco
Alternatives: run OpenVPN as administrator, or install additional DCO adapters (on Windows, `tapctl create --hwid ovpn-dco`, run from the OpenVPN bin directory, creates one).
Check server forwarding
```sh
# Check whether IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
# Should print 1; if it prints 0, enable it
# Enable now (lost on reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable persistently
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
```
Check the NAT configuration
```sh
# List the current NAT rules; if there is no MASQUERADE rule for the VPN subnet, add one
iptables -t nat -L -n -v
```
Quick fix script (enables forwarding and adds the NAT rules)
Save the script below as fix_openvpn_forwarding.sh, then make it executable and run it:
```sh
chmod +x fix_openvpn_forwarding.sh
./fix_openvpn_forwarding.sh
```
```sh
#!/bin/bash
# fix_openvpn_forwarding.sh
set -e
VPN_NET="10.8.0.0/24"
# Enable IP forwarding now and persistently (no duplicate sysctl line on re-runs)
echo 1 > /proc/sys/net/ipv4/ip_forward
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
# The interface that carries the default route is the public-facing NIC
PUBLIC_INTERFACE=$(ip route show default | awk '{print $5}' | head -1)
echo "Detected public interface: $PUBLIC_INTERFACE"
# Flush possibly conflicting rules (optional; this also drops any other firewall rules you rely on)
# iptables -t nat -F
# iptables -F
# add_rule TABLE CHAIN RULE...: append the rule only if an identical one is not already present
add_rule() {
    local table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}
# NAT rule - the key step: MASQUERADE rewrites the VPN clients' source address to the server's public IP
add_rule nat POSTROUTING -s "$VPN_NET" -o "$PUBLIC_INTERFACE" -j MASQUERADE
# Allow forwarding out of the tunnel, and only replies to established flows back in
add_rule filter FORWARD -i tun0 -o "$PUBLIC_INTERFACE" -j ACCEPT
add_rule filter FORWARD -i "$PUBLIC_INTERFACE" -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Persist the rules; the path depends on the distro
if [ -f /etc/sysconfig/iptables ]; then
    iptables-save > /etc/sysconfig/iptables   # RHEL/CentOS with iptables-services
    echo "iptables rules saved"
elif [ -d /etc/iptables ]; then
    iptables-save > /etc/iptables/rules.v4     # Debian/Ubuntu with iptables-persistent
    echo "iptables rules saved"
fi
echo "Done."
echo "Public interface: $PUBLIC_INTERFACE"
echo "VPN subnet: $VPN_NET"
```
Verify the configuration
```sh
# Check the NAT rules
iptables -t nat -L -n
# The output should contain something like:
# Chain POSTROUTING (policy ACCEPT)
# target     prot opt source        destination
# MASQUERADE all  --  10.8.0.0/24   0.0.0.0/0
# If it still does not work, restart OpenVPN
```
Quick verification commands
```sh
# 1. IP forwarding
sysctl net.ipv4.ip_forward
# 2. NAT rule
iptables -t nat -L POSTROUTING -n -v
# 3. Forwarding rules
iptables -L FORWARD -n -v
# 4. Connectivity from server B to server A through the tunnel (example host and port)
ping 123.123.14.120
telnet 123.123.14.120 3306
# 5. OpenVPN service status
systemctl status openvpn-server@server.service
```
Changing the VPN subnet
Copy the commands by hand or save them as a shell script:
```sh
#!/bin/bash
# Move the OpenVPN client pool from 10.8.0.0/24 to 20.8.0.0/24
# Caveat: 20.8.0.0/24 is public address space, not RFC 1918; connected clients can no longer reach
# real hosts in 20.8.0.x. A range inside 10/8, 172.16/12 or 192.168/16 avoids that.
OLD_NET="10.8.0.0/24"
NEW_NET="20.8.0.0/24"
# Public-facing NIC; a hard-coded eth0 that does not match the real name makes the rules silently ineffective
PUBLIC_INTERFACE=$(ip route show default | awk '{print $5}' | head -1)
echo "Changing the OpenVPN subnet from $OLD_NET to $NEW_NET on $PUBLIC_INTERFACE..."
# 1. Remove the old NAT rule (the error is ignored if the rule is not there)
echo "Removing old NAT rule..."
iptables -t nat -D POSTROUTING -s "$OLD_NET" -o "$PUBLIC_INTERFACE" -j MASQUERADE 2>/dev/null
# 2. Add the new rule once; -j MASQUERADE rewrites the clients' source address to the server's public IP
echo "Adding new NAT rule..."
iptables -t nat -C POSTROUTING -s "$NEW_NET" -o "$PUBLIC_INTERFACE" -j MASQUERADE 2>/dev/null ||
    iptables -t nat -A POSTROUTING -s "$NEW_NET" -o "$PUBLIC_INTERFACE" -j MASQUERADE
# 3. Update the OpenVPN config (any other line naming 10.8.0.x, e.g. a pushed route, needs editing too)
echo "Updating the OpenVPN config..."
sed -i 's/^server 10\.8\.0\.0 255\.255\.255\.0/server 20.8.0.0 255.255.255.0/' /etc/openvpn/server.conf
# The installer used above also writes boot-time rules containing 10.8.0.0/24 to
# /etc/iptables/add-openvpn-rules.sh and rm-openvpn-rules.sh; update them too, or the old MASQUERADE rule returns after a reboot
sed -i 's#10\.8\.0\.0/24#20.8.0.0/24#g' /etc/iptables/add-openvpn-rules.sh /etc/iptables/rm-openvpn-rules.sh 2>/dev/null
# 4. Restart OpenVPN (the unit is openvpn-server@server on CentOS/Fedora/Arch and openvpn@server on Debian/Ubuntu)
echo "Restarting OpenVPN..."
systemctl restart openvpn-server@server 2>/dev/null || systemctl restart openvpn@server
# 5. Persist the rules
echo "Saving iptables rules..."
if [ -f /etc/sysconfig/iptables ]; then
    iptables-save > /etc/sysconfig/iptables
elif [ -d /etc/iptables ]; then
    iptables-save > /etc/iptables/rules.v4
fi
echo "Done!"
echo "New VPN subnet: $NEW_NET"
```
Reaching the internal network
1. Client-to-client access (client-to-client): if two clients (say, an office PC and a home PC) are both connected to this VPN and should reach each other (for example 20.8.0.2 pinging 20.8.0.3), the server configuration needs the line client-to-client; by default clients can only talk to the server and are isolated from one another.
2. Reaching the LAN behind the server: to reach the real network the server sits in (say the office LAN 192.168.1.x) through the VPN, push a route for that subnet:
```ini
# With a 255.255.255.0 mask the address must be the network address (ending in .0, e.g. 125.112.22.0), not a host address.
push "route 192.168.1.0 255.255.255.0"
```
and enable IP forwarding and NAT on the server (the MASQUERADE rule then has to match the LAN interface, so that LAN hosts see the server's own address and can reply without a route back to the VPN subnet). If clients only need to reach the 20.8.0.x subnet itself, this step is unnecessary.
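As an added example (not code from this page or from the OpenVPN project), the following script lints a server configuration for the pitfalls discussed above and in the subnet-change section: server/route/push "route" addresses that are not the network address for their mask, a client pool outside RFC 1918 such as 20.8.0.0/24, compression (VORACLE), and a pushed redirect-gateway without a pushed DNS server. The server.conf it checks in the demo is constructed for this example; the function names are my own.

```sh
#!/bin/sh
# ovpn_lint.sh - added example; flags OpenVPN server-config pitfalls:
#   * server / route / push "route" addresses that are not the network address for their mask
#   * a client pool outside RFC 1918 (20.8.0.0/24 shadows real public hosts)
#   * compression enabled (VORACLE)
#   * redirect-gateway pushed without a pushed DNS server

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INT -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ovpn_network ADDR MASK -> the network address OpenVPN expects for that mask (ADDR & MASK)
ovpn_network() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# ovpn_is_private ADDR -> true if ADDR lies inside 10/8, 172.16/12 or 192.168/16
ovpn_is_private() {
    local n
    n=$(ip_to_int "$1")
    [ $(( n >> 24 )) -eq 10 ] ||
    [ $(( n >> 20 )) -eq $(( (172 << 4) | 1 )) ] ||
    [ $(( n >> 16 )) -eq $(( (192 << 8) | 168 )) ]
}

# _warn MSG: print a finding and bump the caller's counter ("warns" is dynamically scoped)
_warn() {
    echo "WARN: $*"
    warns=$((warns + 1))
}

# ovpn_lint FILE -> prints one WARN per finding; exit status is the number of findings (0 = clean)
ovpn_lint() {
    local file="$1" warns=0 line kw addr mask has_redirect=0 has_dns=0
    while IFS= read -r line; do
        line=${line%%#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d '"')           # push "route A M" -> push route A M
        set -- $line
        [ $# -eq 0 ] && continue
        [ "$1" = push ] && shift
        kw=$1
        case "$kw" in
            server|route)
                addr=$2
                mask=${3:-255.255.255.255}                # OpenVPN's default route mask
                case "$addr$mask" in *[!0-9.]*|"") continue ;; esac   # skip vpn_gateway, IPv6, etc.
                [ "$(ovpn_network "$addr" "$mask")" = "$addr" ] ||
                    _warn "$kw $addr $mask: not a network address, use $(ovpn_network "$addr" "$mask")"
                [ "$kw" = server ] && ! ovpn_is_private "$addr" &&
                    _warn "server pool $addr is not RFC 1918; clients lose access to the real $addr/$mask"
                ;;
            comp-lzo) _warn "comp-lzo enables compression (VORACLE); remove it" ;;
            compress) [ -n "$2" ] && _warn "compress $2 enables compression (VORACLE); remove it" ;;
            redirect-gateway) has_redirect=1 ;;
            dhcp-option) [ "$2" = DNS ] && has_dns=1 ;;
        esac
    done < "$file"
    [ "$has_redirect" -eq 1 ] && [ "$has_dns" -eq 0 ] &&
        _warn "redirect-gateway pushed without dhcp-option DNS: clients keep resolvers that may be unreachable through the tunnel"
    return "$warns"
}

# ovpn_lint_demo: lints a constructed server.conf (not a real one) and returns the finding count
ovpn_lint_demo() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
server 20.8.0.0 255.255.255.0            # network address is fine, but this is public space
push "route 192.168.1.5 255.255.255.0"   # host address instead of the network address
push "redirect-gateway def1 bypass-dhcp"
# push "dhcp-option DNS 8.8.8.8"         # commented out, so nothing pushes DNS
comp-lzo
client-to-client
EOF
    ovpn_lint "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

Run `ovpn_lint /etc/openvpn/server.conf` on a real server; the demo config above produces four findings. The network-address check also applies to the `server` line itself, and to any `route` line in a client profile.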
Proxy modes
| Scenario | Server config | Client config | Result |
|---|---|---|---|
| Typical full tunnel | push "redirect-gateway def1" | (default, accepts all pushed options) | All traffic goes through the VPN server. |
| Typical split tunnel | push "route 10.0.0.0 255.0.0.0" | (default, accepts all pushed options) | Only traffic to 10.0.0.0/8 goes through the VPN; everything else uses the local gateway. |
| Client-side split tunnel | push "redirect-gateway def1" | route-nopull route 192.168.1.0 ... | The client ignores the server's full-tunnel push and follows only its own route lines (reaches specific networks only). |
| Client-forced full tunnel | (nothing special pushed, or only routes) | redirect-gateway def1 | All traffic goes through the VPN server (forced by the client). |
Note that route-nopull discards every pushed option, including dhcp-option DNS; to reject only the default-route push and keep the rest, use pull-filter ignore "redirect-gateway" on the client instead.
Config example (split tunnel)
```ini
# Server
port 1194
proto udp
dev tun
user nobody
# use "group nogroup" on Debian/Ubuntu
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 20.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Do not push DNS
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 114.114.114.114"
# Do not force a full tunnel
# push "redirect-gateway def1 bypass-dhcp"
# Split tunnel: only the VPN subnet is routed (clients already have this route via the tun interface, so the push is harmless but redundant)
push "route 20.8.0.0 255.255.255.0"
# Client-to-client traffic
client-to-client
...
# Client
client
proto udp
explicit-exit-notify
remote 118.11.137.51 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_d2avdsVG0OkBFrXd name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
# Disabled so the client keeps its local DNS instead of blocking it and accepting only server-pushed resolvers
# ignore-unknown-option block-outside-dns
# setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
...
```
Linux client configuration
Linux as a client connecting to another OpenVPN server
```sh
# RockyLinux/AlmaLinux/CentOS/RHEL/Fedora
sudo yum install openvpn -y
sudo mv /root/fdusp.ovpn /etc/openvpn/
# --cd makes the relative --config path (and any files it references) resolve under /etc/openvpn
sudo openvpn --daemon --cd /etc/openvpn/ --config fdusp.ovpn

# Ubuntu Kylin/LinuxMint/Ubuntu/Debian
# 1) Install openvpn
sudo apt-get install openvpn -y
# 2) Fix the config file ownership (the profile embeds the client key, so keep it root-only)
sudo chown root:root /etc/openvpn/fdusp.ovpn
# 3) Start openvpn
# (1) Shanghai OpenVPN connection
sudo openvpn --daemon --cd /etc/openvpn/ --config fdusp.ovpn --log-append /var/log/fdusp.log
# or: sudo openvpn --config /etc/openvpn/new_fdusp.ovpn --daemon
# Enter your EIP username and password when prompted
# (2) Suzhou OpenVPN connection
sudo openvpn --daemon --cd /etc/openvpn/ --config suzhou.ovpn --log-append /var/log/suzhou.log
# Enter your EIP username and password when prompted
# 4) Stop openvpn
# (1) Find the openvpn process id
sudo ps -ef | grep openvpn
# (2) Stop it with SIGTERM (the default) so OpenVPN removes its routes on exit; kill -9 skips that cleanup
sudo kill "<openvpn pid>"

# ArchLinux
sudo pacman -S openvpn
sudo mv /root/fdusp.ovpn /etc/openvpn/
sudo openvpn --daemon --cd /etc/openvpn/ --config fdusp.ovpn
```
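Added example (not from this page): managing the client through the distro's openvpn-client@ systemd unit instead of a hand-started daemon and kill. The helper copies a .ovpn to /etc/openvpn/client/<name>.conf with 0600 permissions, optionally wires a credentials file into auth-user-pass (a systemd-started OpenVPN cannot prompt for the EIP username and password), and stops the tunnel with systemctl, which sends SIGTERM so OpenVPN can tear down its routes. OVPN_CLIENT_DIR and the function names are my own; the openvpn-client@.service unit and its /etc/openvpn/client directory are what the openvpn package ships on Debian/Ubuntu and RHEL-family systems.

```sh
#!/bin/sh
# ovpn_client_systemd.sh - added example; run as root for the real /etc/openvpn/client.
# OVPN_CLIENT_DIR can be pointed at a scratch directory to exercise the functions without root.
OVPN_CLIENT_DIR=${OVPN_CLIENT_DIR:-/etc/openvpn/client}

# ovpn_unit_name FILE -> systemd instance name from the file's basename; only [A-Za-z0-9_-] allowed
ovpn_unit_name() {
    name=$(basename "$1")
    name=${name%.ovpn}
    name=${name%.conf}
    case "$name" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# ovpn_client_install SRC.ovpn [CREDS_FILE] -> installs <name>.conf (0600) and prints <name>
# CREDS_FILE holds two lines, username then password, and is referenced via auth-user-pass.
ovpn_client_install() {
    src=$1
    creds=$2
    name=$(ovpn_unit_name "$src") || { echo "invalid client name: $src" >&2; return 1; }
    conf="$OVPN_CLIENT_DIR/$name.conf"
    mkdir -p "$OVPN_CLIENT_DIR"
    cp "$src" "$conf"
    chmod 600 "$conf"          # the .ovpn embeds the client private key and tls-crypt key
    if [ -n "$creds" ]; then
        auth="$OVPN_CLIENT_DIR/$name.auth"
        cp "$creds" "$auth"
        chmod 600 "$auth"
        # replace a bare "auth-user-pass" line, or append one, so it points at the 0600 file
        if grep -q '^auth-user-pass' "$conf"; then
            sed -i "s#^auth-user-pass.*#auth-user-pass $auth#" "$conf"
        else
            echo "auth-user-pass $auth" >> "$conf"
        fi
    fi
    printf '%s\n' "$name"
}

ovpn_client_start() { systemctl start "openvpn-client@$1"; }
ovpn_client_stop()  { systemctl stop "openvpn-client@$1"; }      # SIGTERM, routes are restored
ovpn_client_log()   { journalctl -u "openvpn-client@$1" -f; }

# Usage (as root):
#   name=$(ovpn_client_install /root/fdusp.ovpn /root/fdusp.auth) && ovpn_client_start "$name"
```

`systemctl enable openvpn-client@fdusp` makes the tunnel come up at boot; `ovpn_client_log fdusp` replaces the --log-append file from the manual invocation above.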