\u00a0 \u5f88\u4e45\u4e4b\u524d\u53d1\u8fc7\uff0c\u4f7f\u7528SSH\u901a\u9053\u52a0\u5bc6\u9690\u85cf\u6d41\u91cf\u7684\uff0c\u8fd9\u671f\u76f4\u63a5\u6765\u4e00\u4e2a\u5168\u9762\u8be6\u7ec6\u7684\u7248\u672c\uff0c\u9644\u5e26\u4f7f\u7528\u8def\u7531\u5668\u81ea\u5e26openvpn\u5ba2\u6237\u7aef\u5b9e\u73b0\u5168\u5c40VPN\u7684\u8bbe\u7f6e\u3002<\/p>\n
1.\u670d\u52a1\u5668\u642d\u5efa \uff08CentOS7\uff09<\/p>\n\n\n
yum -y install openvpn\n<\/code><\/pre>\n\n\n\n\u4e0b\u8f7deasy-rsa\u6765\u751f\u6210\u8bc1\u4e66<\/p>\n\n\n\n
wget -P ~\/ https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.0.8\/EasyRSA-3.0.8.tgz\ntar xzf EasyRSA-3.0.8.tgz\ncd EasyRSA-3.0.8\ncp vars.example vars\n<\/code><\/pre>\n\n\n\n\u4fee\u6539vars\uff0c\u8bb0\u5f97\u628a\u8bc1\u4e66\u65f6\u95f4\u6539\u957f\u70b9\uff0c\u5341\u5e74\u4e8c\u5341\u5e74\u7684\u6837\u5b50\u5427\u3002
\u4f9d\u6b21\u751f\u6210ca\/dh\/\u670d\u52a1\u5668\u8bc1\u4e66\/\u5ba2\u6237\u7aef\u8bc1\u4e66<\/p>\n\n\n\n
.\/easyrsa init-pki\n .\/easyrsa build-ca nopass\n .\/easyrsa gen-dh\n .\/easyrsa build-server-full server nopass\n .\/easyrsa build-client-full client nopass\n<\/code><\/pre>\n\n\n\n\u9700\u8981\u591a\u4e2a\u5ba2\u6237\u7aef\u8bc1\u4e66\u7684\uff0c\u53ef\u4ee5\u4f7f\u7528\u4e0d\u540c\u7684\u540d\u5b57\u751f\u6210\u591a\u4e2a\u8bc1\u4e66\uff0c\u4f8b\u5982client1 client2
\u628a\u6574\u4e2apki\u76ee\u5f55\u62f7\u8d1d\u5230\/etc\/openvpn\u91cc\u9762<\/p>\n\n\n\n
cp -rp pki \/etc\/openvpn\/\n<\/code><\/pre>\n\n\n\n\u4fee\u6539openvpn\u670d\u52a1\u5668\u7aef\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n
vi \/etc\/openvpn\/server.conf\n<\/code><\/pre>\n\n\n\ncomp-lzo\nport 33899 ###\u7aef\u53e3\nproto tcp ###\u534f\u8bae\uff0c\u5fc5\u987btcp\uff0c\u540e\u9762\u7528\u5230\ndev tun\nca \/etc\/openvpn\/pki\/ca.crt\ncert \/etc\/openvpn\/pki\/issued\/server.crt\nkey \/etc\/openvpn\/pki\/private\/server.key \ndh \/etc\/openvpn\/pki\/dh.pem\nserver 10.8.0.0 255.255.0.0\nifconfig-pool-persist ipp.txt\npush \"dhcp-option DNS 8.8.8.8\"\npush \"dhcp-option DNS 223.5.5.5\"\npush \"redirect-gateway def1 bypass-dhcp\"\nclient-to-client\nkeepalive 10 120\ncipher AES-256-CBC\nlog \/var\/log\/openvpn.log\nverb 3\n<\/code><\/pre>\n\n\n\n\u4fdd\u5b58\u9000\u51fa<\/p>\n\n\n\n
\u4fee\u6539\u4e00\u4e0b\u7cfb\u7edf\u6587\u4ef6\uff0c\u542f\u7528nat\u8f6c\u53d1<\/p>\n\n\n\n
vi \/etc\/sysctl.conf\nnet.ipv4.ip_forward = 1\n<\/code><\/pre>\n\n\n\nsysctl -p\n\n\u4f7f\u7528iptables\u6765\u8fdb\u884c\u8f6c\u53d1\u3002\niptables -t nat -A POSTROUTING -s 10.8.0.0\/16 -o eth0 -j MASQUERADE\n<\/code><\/pre>\n\n\n\neth0\u662f\u4f60\u7684\u670d\u52a1\u5668\u7f51\u5361\u540d\u79f0\uff0c\u6309\u5b9e\u9645\u586b\u5199.<\/p>\n\n\n\n
\u6dfb\u52a0systemctl\u811a\u672c<\/p>\n\n\n\n
vi \/usr\/lib\/systemd\/system\/openvpn.service\n<\/code><\/pre>\n\n\n\n[Unit]\nDescription=OpenVPN Robust And Highly Flexible Tunneling Application On %I\nAfter=network.target\n\n[Service]\nType=notify\nPrivateTmp=true\nExecStart=\/usr\/sbin\/openvpn --cd \/etc\/openvpn\/ --config \/etc\/openvpn\/server.conf\n\n[Install]\nWantedBy=multi-user.target\n<\/code><\/pre>\n\n\n\n\u4fdd\u5b58\u9000\u51fa<\/p>\n\n\n\n
systemctl enable openvpn<\/code><\/pre>\n\n\n\n\u542f\u52a8VPN\u670d\u52a1\u5668\u770b\u770b<\/p>\n\n\n\n
systemctl start openvpn\n\n<\/code><\/pre>\n\n\n\n\u670d\u52a1\u5668\u642d\u5efa\u5b8c\u6bd5\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
2.\u5ba2\u6237\u7aef\u642d\u5efa\u8fc7\u7a0b\u5c31\u7701\u7565\u4e86\uff0c\u8fd9\u91cc\u67b6\u8bbe\u4f60\u5df2\u7ecf\u5b89\u88c5\u597d\u5ba2\u6237\u7aef\uff0cWIN\u4e0b\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6client.ovpn<\/p>\n\n\n\n
client\ndev tun\nproto tcp\nremote 127.0.0.1 33899\nremote-cert-tls server\nauth-nocache\nresolv-retry infinite\nnobind\nverb 3\npersist-key\npersist-tun \ncipher AES-256-CBC\ncomp-lzo\n\n\n<cert>\n<\/cert>\n\n<key>\n<\/key>\n\n<ca>\n<\/ca>\n\n<\/code><\/pre>\n\n\n\n\u8bb0\u5f97\u628aca\u548c\u8bc1\u4e66\u8fd9\u4e9b\u7c98\u8d34\u8fdb\u53bb<\/p>\n\n\n\n
3.\u4f7f\u7528SSH\u901a\u9053\u52a0\u5bc6\u8f6c\u53d1\u3002<\/p>\n\n\n\n
\u76ee\u524d\u6240\u6709VPN\u6d41\u91cf\u4e00\u65e6\u68c0\u6d4b\u5230\u90fd\u4f1a\u7ecf\u5e38\u88ab\u5e72\u6270\u751a\u81f3\u76f4\u63a5\u5c4f\u853d\uff0c\u6240\u4ee5\u5ba2\u6237\u7aef\u76f4\u63a5\u8fde\u63a5\u670d\u52a1\u5668\u7aef\u662f\u80af\u5b9a\u4e0d\u884c\u7684\u3002\u6d4b\u8bd5\u8fc7\u5f88\u591a\u6df7\u80b4\u53c2\u6570\u4e5f\u6ca1\u4ec0\u4e48\u7528\uff0c\u6765\u6765\u53bb\u53bb\u8fd8\u662fSSH\u52a0\u5bc6\u901a\u9053\u7aef\u53e3\u8f6c\u53d1\u6700\u597d\u7528\u3002<\/p>\n\n\n\n
WIN\u4e0a\u53ef\u4ee5\u7528PuTTY\uff0c\u5148\u586b\u597d\u4f60\u7684\u670d\u52a1\u5668\u4fe1\u606f<\/p>\n\n\n\n
\u5de6\u8fb9\u680f Connection — SSH — Tunnels<\/p>\n\n\n\n
Source port\uff1a33899<\/p>\n\n\n\n
Destination\uff1a1.1.1.1:33899 (\u8fd9\u91cc\u76841.1.1.1\u6539\u6210\u4f60\u7684\u670d\u52a1\u5668\u516c\u7f51IP)<\/p>\n\n\n\n
add\u4e4b\u540e\u70b9open\u8fde\u63a5\uff0c\u8fde\u63a5\u4e0a\u670d\u52a1\u5668\u540e\u901a\u9053\u5c31\u6253\u5f00\u4e86\u3002\u8fd9\u65f6\u53ef\u4ee5\u6253\u5f00openvpn-gui\u8fde\u63a5\u8bd5\u8bd5\u4e86\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u79fb\u52a8\u5ba2\u6237\u7aef\u53ef\u4ee5\u7528Termius\uff0c\u91cc\u9762\u7684Port Forwarding\u5c31\u662fTunnels\u4e00\u6837\u7684\u529f\u80fd\uff0c\u8fc7\u7a0b\u8ddfputty\u7c7b\u4f3c\u3002<\/p>\n\n\n\n
Linux\u5ba2\u6237\u7aef\u4e0b\uff0c\u53ef\u4ee5\u76f4\u63a5\u7528SSH\u547d\u4ee4\u6765\u5efa\u7acb\u8fde\u63a5<\/p>\n\n\n\n
\/usr\/bin\/ssh -Nf -L 127.0.0.1:33899:1.1.1.1:33899 1.1.1.1<\/code><\/pre>\n\n\n\n127.0.0.1\u6539\u6210\u5ba2\u6237\u7aef\u5b9e\u9645IP\u5730\u5740\uff0c\u90a3\u4e48\u5176\u4ed6\u5ba2\u6237\u7aef\u90fd\u53ef\u4ee5\u901a\u8fc7\u8fd9\u4e2a\u901a\u9053\u8fdb\u884c\u8fde\u63a5\u30021.1.1.1\u662f\u4f60\u7684openvpn\u670d\u52a1\u5668\u516c\u7f51IP\u5730\u5740\uff0c\u6309\u7167\u5b9e\u9645\u4fee\u6539\u3002<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5230\u8fd9\u91cc\uff0c\u57fa\u672c\u4e0a\u4f60\u5df2\u7ecf\u53ef\u4ee5\u7545\u901a\u65e0\u963b\u4e86\u3002\u4f46\u662f\u4f60\u53ef\u80fd\u4f1a\u53d1\u73b0\uff0c\u6240\u6709\u6d41\u91cf\u6d41\u7ecfvpn\u4e4b\u540e\uff0c\u7f51\u901f\u4f1a\u6162\u4e86\u5f88\u591a\uff0c\u6709\u4e9b\u7f51\u7edc\u4e0d\u9700\u8981\u8d70vpn\u3002\u800c\u4e14\u4f7f\u7528SSH\u901a\u9053\u9700\u8981\u901a\u9053\u4e00\u76f4\u5f00\u7740\uff0cWIN\u4e0a\u8981\u5f00\u7740PuTTY\uff0c\u624b\u673a\u4e0a\u8981\u5f00\u7740Termius\uff0c\u611f\u89c9\u5f88\u4e0d\u723d\uff0c\u4e0b\u9762\u5c31\u6765\u8fdb\u9636\u7248<\/p>\n\n\n\n
\u76ee\u524d\u6211\u7528\u7684\u8def\u7531\u662f\u6590\u8bafK2P\uff0c\u81ea\u5e26openvpn\uff0c\u5f88\u591a\u8def\u7531\u5668\u90fd\u53ef\u4ee5\u5237\u56fa\u4ef6\u5e26openvpn\u7684\u3002<\/p>\n\n\n\n
\u767b\u5f55\u8def\u7531\u5668\u540e\u53f0\uff0c\u627e\u5230VPN\u5ba2\u6237\u7aef\uff0c\u542f\u7528VPN\u5ba2\u6237\u7aef<\/p>\n\n\n\n
VPN \u534f\u8bae: openvpn\n\u8fdc\u7a0b VPN \u670d\u52a1\u5668 (IP \u6216\u8005 DNS \u4e3b\u673a): 127.0.0.1\n\u901a\u4fe1\u7aef\u53e3: 33899\n\u901a\u4fe1\u534f\u8bae:\tTCP\n\u5c01\u88c5\u5c42:\tL3 - TUN (IP)\n\u8ba4\u8bc1\u7c7b\u578b:\tTLS: client.crt\/client.key\n\u52a0\u5bc6\u7b97\u6cd5:\t[AES-256-CBC] AES, 256 bit\n\n<\/code><\/pre>\n\n\n\nOpenVPN \u8bc1\u4e66\u548c\u5bc6\u94a5<\/p>\n\n\n\n
ca.crt (Root CA Certificate):\nclient.crt (Client Certificate):\nclient.key (Client Private Key) - secret:<\/code><\/pre>\n\n\n\n\u5206\u522b\u628aca\u8bc1\u4e66\u548c\u5ba2\u6237\u7aef\u8bc1\u4e66\u5bc6\u94a5\u7c98\u8d34\u8fdb\u53bb\uff0c\u4fdd\u5b58\u3002<\/p>\n\n\n\n
\u542f\u7528\u8def\u7531\u5668\u7684SSH\u670d\u52a1\uff0cssh\u767b\u5f55\u5230\u8def\u7531\u5668\uff0c\u901a\u8fc7\u521a\u624d\u7684\u547d\u4ee4\u5efa\u7acb\u901a\u9053\u8fde\u63a5<\/p>\n\n\n\n
\/usr\/bin\/ssh -Nf -L 127.0.0.1:33899:1.1.1.1:33899 1.1.1.1<\/code><\/pre>\n\n\n\n\u7b49\u901a\u9053\u8fde\u63a5\u6b63\u5e38\uff0cVPN\u5ba2\u6237\u7aef\u4e5f\u5c31\u6b63\u5e38\u8fde\u63a5\u4e86\u3002<\/p>\n\n\n\n
\u56de\u5230OpenVPN\u670d\u52a1\u5668\uff0c\u4fee\u6539server.conf\uff0c\u5220\u6389<\/p>\n\n\n\n
push \"redirect-gateway def1 bypass-dhcp\"\npush \"dhcp-option DNS 8.8.8.8\"\npush \"dhcp-option DNS 223.5.5.5\"\n\n<\/code><\/pre>\n\n\n\n\u628a\u9700\u8981\u8d70vpn\u7684\u7f51\u6bb5\uff0c\u6dfb\u52a0\u5230\u8def\u7531\u8868\uff0c\u683c\u5f0f\u5982\u4e0b\uff1a<\/p>\n\n\n\n
push \"route 1.1.0.0 255.255.0.0\"\npush \"route 8.0.0.0 255.0.0.0\"\n<\/code><\/pre>\n\n\n\n\u518d\u56de\u5230\u6590\u8baf\u8def\u7531\u7ba1\u7406\u9875\u9762\uff0c\u5185\u90e8\u7f51\u7edc (LAN) —-DHCP \u670d\u52a1\u5668 —\u81ea\u5b9a\u4e49\u914d\u7f6e\u6587\u4ef6 “dnsmasq.servers”<\/p>\n\n\n\n
\u5b9a\u4e49\u4e00\u4e0b\u54ea\u4e9b\u57df\u540d\u4f7f\u7528\u56fd\u5185DNS\uff0c\u54ea\u4e9b\u4f7f\u7528\u56fd\u5916DNS\uff0c\u907f\u514dDNS\u6c61\u67d3\uff0c\u4e5f\u907f\u514d\u7edf\u4e00\u4f7f\u7528\u56fd\u5916DNS\u592a\u6162\uff0c\u683c\u5f0f\u5982\u4e0b<\/p>\n\n\n\n
<\/p>\n\n\n\n
server=\/taobao.org\/223.5.5.5\nserver=\/cn\/223.5.5.5\nserver=\/google.com\/8.8.8.8\nserver=\/reddit.com\/8.8.8.8\nserver=\/gov\/eu\/ca\/tw\/8.8.8.8\nserver=\/wikipedia.org\/wikimedia.org\/8.8.8.8\nserver=\/bytedance.com\/8.8.8.8\nserver=\/akamai.net\/8.8.8.8\nserver=\/edgesuite.net\/8.8.8.8<\/code><\/pre>\n\n\n\n\u4fdd\u5b58\uff0c\u73b0\u5728\u662f\u4e0d\u662f\u611f\u89c9\u5feb\u591a\u4e86\u3002<\/p>\n\n\n\n
\u9ad8\u9636\u9636\u6bb5\uff0c\u8def\u7531\u5668\u4e0a\uff0c\u4f60\u53ef\u4ee5\u7528dropbear\u751f\u6210\u9a8c\u8bc1\u6587\u4ef6\uff0c\u901a\u8fc7\u6587\u4ef6\u9a8c\u8bc1\u7684\u65b9\u5f0f\u4e0d\u7528\u6bcf\u6b21\u5efa\u7acb\u901a\u9053\u90fd\u8981\u8f93\u5165\u5bc6\u7801\u3002\u7136\u540e\u518d\u521b\u5efa\u4e00\u4e2acron\uff0c\u5b9a\u65f6\u68c0\u67e5\u7cfb\u7edf\u7684tunnel\u662f\u5426\u6b63\u5e38\uff0c\u4e0d\u6b63\u5e38\u5c31\u91cd\u8fde\u3002\u5728vpn\u65ad\u5f00\u7684\u811a\u672c\u91cc\uff0c\u4e5f\u52a0\u5165\u91cd\u8fdetunnel\u7684\u811a\u672c\uff0c\u8fd9\u6837\u6bcf\u6b21vpn\u56e0\u4e3a\u6545\u969c\u65ad\u6389\uff0c\u7cfb\u7edf\u90fd\u4f1a\u7b2c\u4e00\u65f6\u95f4\u91cd\u65b0\u8fde\u63a5tunnel\uff0cvpn\u4e5f\u5c31\u9a6c\u4e0a\u80fd\u81ea\u52a8\u91cd\u8fde\u4e86\u3002\u5728OpenVPN\u670d\u52a1\u5668\u4e0a\uff0c\u4f60\u8fd8\u53ef\u4ee5\u7981\u6b62\u9664\u4e86\u670d\u52a1\u5668\u516c\u7f51IP\u523033899\u7684\u8fde\u63a5\uff0c\u8fd9\u6837\u4f60\u768433899\u5c31\u4e0d\u5bf9\u5916\u516c\u5f00\u4e86\uff0c\u52a0\u5927\u4e86vpn\u670d\u52a1\u7684\u5b89\u5168\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u00a0 \u5f88\u4e45\u4e4b\u524d\u53d1\u8fc7\uff0c\u4f7f\u7528SSH\u901a\u9053\u52a0\u5bc6\u9690\u85cf…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.q25.net\/index.php?rest_route=\/wp\/v2\/posts\/123"}],"collection":[{"href":"https:\/\/www.q25.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.q25.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.q25.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.q25.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=123"}],"version-history":[{"count":14,"href":"https:\/\/www.q25.net\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions"}],"predecessor-version":[{"id":138,"href":"https:\/\/www.q25.net\/index.php?rest_route=\/wp\/v2\/posts\/123\/revisions\/138"}],"wp:attachment":[{"href":"https:\/\/www.q25.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.q25.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.q25.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}