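# Base packages and build toolchain (RHEL/CentOS family, yum/dnf).
# The original had a typographic en-dash ("–y") on the upgrade line; yum would treat
# that as a package name, not a flag, so it is spelled "-y" here. Every step is
# run with sudo and -y so the sequence is non-interactive.
sudo yum update -y && sudo yum upgrade -y
sudo yum install wget nano -y
sudo dnf install epel-release -y
sudo yum install libgcrypt libgcrypt-devel gcc-c++ -y
sudo yum groupinstall "Development Tools" -y
sudo dnf install openvpn -y
# setenforce 0 puts SELinux into permissive mode for the running session only (it
# reverts on reboot, so this is not persistent). Prefer staying in enforcing mode and
# checking the audit log for denials if the plugin or openvpn fails to start.
sudo setenforce 0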
SYSCTL dosyasını açıp
içine ekle, varsa değiştir.
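# Install EasyRSA 3.0.6 under /etc/openvpn/easy-rsa.
cd /etc/openvpn || exit 1
# This tooling will issue every certificate the VPN trusts: compare the downloaded
# archive with the checksum/signature published on the release page before unpacking.
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
# sha256sum EasyRSA-unix-v3.0.6.tgz   # expected: <SHA256 FROM THE RELEASE PAGE>
sudo tar -xvzf EasyRSA-unix-v3.0.6.tgz
sudo mv EasyRSA-v3.0.6 easy-rsa
cd /etc/openvpn/easy-rsa || exit 1
# Edit vars (the template contents follow in the guide) before init-pki / build-ca.
sudo nano vars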
İçine ekle
ÇALIŞTIR
SSL kur
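# Server certificate: create the request, sign it with the CA, verify the chain.
sudo ./easyrsa gen-req vpnserver nopass
sudo ./easyrsa sign-req server vpnserver
# One command (the guide had it wrapped across two lines).
sudo openssl verify -CAfile pki/ca.crt pki/issued/vpnserver.crt
sudo ./easyrsa gen-dh
# pki/ was created via sudo, so pki/private/ is root-only and /etc/openvpn/server/
# is root-owned: the copies need sudo too, otherwise the key copy is denied.
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/private/vpnserver.key /etc/openvpn/server/
sudo cp pki/issued/vpnserver.crt /etc/openvpn/server/
# Client certificate. The guide's server.conf sets client-cert-not-required and
# authenticates against RADIUS, so this cert is only needed if that is changed later.
sudo ./easyrsa gen-req client nopass
sudo ./easyrsa sign-req client client
sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/
sudo nano /etc/openvpn/server/server.conf
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server
# firewalld: open the OpenVPN service and NAT the tunnel subnet out through the
# interface that carries the default route.
sudo dnf install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --state
sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
# tun0 in the "trusted" zone means every VPN client reaches all local services
# unfiltered; use a stricter zone if this host runs anything besides OpenVPN.
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade
# Take the field after "dev" rather than $(NF-2): newer iproute2 appends "uid N" to
# the "ip route get" line, which moves $(NF-2) onto the source address instead of
# the interface name.
vpserver=$(ip route get 8.8.8.8 | awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
[ -n "$vpserver" ] || echo "warning: could not determine the egress interface; set vpserver by hand" >&2
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$vpserver" -j MASQUERADE
sudo firewall-cmd --reload
# radiusplugin is fetched over plain HTTP and is then loaded into the OpenVPN server
# process: check the archive against a checksum obtained out-of-band before building.
# The build runs unprivileged in a scratch directory; only the install uses sudo.
builddir=$(mktemp -d) || exit 1
cd "$builddir" || exit 1
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# sha256sum radiusplugin_v2.1a_beta1.tar.gz   # expected: <SHA256 OBTAINED OUT-OF-BAND>
tar xvf radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1 || exit 1
make
sudo mkdir -p /etc/openvpn/radius
sudo cp radiusplugin.so /etc/openvpn/radius
# radius.cnf is not shipped by the copy above; the contents follow in the guide.
sudo nano /etc/openvpn/radius/radius.cnf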
Düzenle
# Path to the OpenVPN server config; the plugin reads it to pick up options such as
# client-cert-not-required and username-as-common-name.
OpenVPNConfig=/etc/openvpn/server/server.conf
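# Base packages and build toolchain (RHEL/CentOS family, yum/dnf). Every step is
# run with sudo and -y so the sequence is non-interactive ("dnf install openvpn"
# previously lacked -y and would stop for confirmation).
sudo yum install wget nano -y
sudo dnf install epel-release -y
sudo yum install libgcrypt libgcrypt-devel gcc-c++ -y
sudo yum groupinstall "Development Tools" -y
sudo dnf install openvpn -y
# setenforce 0 puts SELinux into permissive mode for the running session only (it
# reverts on reboot, so this is not persistent). Prefer staying in enforcing mode and
# checking the audit log for denials if the plugin or openvpn fails to start.
sudo setenforce 0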
SYSCTL dosyasını aç ve içine ekle:
Kod:
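# Enable IP forwarding persistently (edit sysctl.conf), then apply it now: without
# "sysctl -p" the setting only takes effect after a reboot, and VPN clients get no
# forwarded traffic until then. /etc/sysctl.conf is root-owned, hence sudo.
sudo nano /etc/sysctl.conf
sudo sysctl -p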
Kod:
# Allow the kernel to route packets between interfaces (tun0 <-> uplink); required
# for clients behind redirect-gateway to reach anything beyond the VPN server.
net.ipv4.ip_forward = 1
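# Install EasyRSA 3.0.6 under /etc/openvpn/easy-rsa. This copy of the guide did not
# change directory first, so the archive would have landed in whatever the current
# directory was while the later cd expects /etc/openvpn/easy-rsa.
cd /etc/openvpn || exit 1
# This tooling will issue every certificate the VPN trusts: compare the downloaded
# archive with the checksum/signature published on the release page before unpacking.
sudo wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
# sha256sum EasyRSA-unix-v3.0.6.tgz   # expected: <SHA256 FROM THE RELEASE PAGE>
sudo tar -xvzf EasyRSA-unix-v3.0.6.tgz
sudo mv EasyRSA-v3.0.6 easy-rsa
cd /etc/openvpn/easy-rsa || exit 1
# Edit vars (the template contents follow in the guide) before init-pki / build-ca.
sudo nano vars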
İçine ekle
Kod:
# EasyRSA "vars" file, sourced by ./easyrsa (set_var keeps a value that is already
# present in the environment, so these are defaults).
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
# cn_only: issued certificates carry only the Common Name, so the REQ_* fields below
# are not placed in the subject. If the DN mode is ever switched to "org", COUNTRY
# must be a 2-letter code (a word like "GERMANY" is rejected by OpenSSL).
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "GERMANY"
set_var EASYRSA_REQ_PROVINCE "PUNJAB"
set_var EASYRSA_REQ_CITY "FALKENSTEIN"
set_var EASYRSA_REQ_ORG "VPNKIT CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "[email protected]"
set_var EASYRSA_REQ_OU "VPNKIT EASY CA"
# RSA-2048 keys with SHA-256 signatures; the CA is valid ~20 years, issued certs 1 year.
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
# Legacy Netscape certificate extensions are disabled.
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "VPNKIT CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST "sha256"
Kod:
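# Create the pki/ directory tree. /etc/openvpn/easy-rsa is root-owned after the
# "sudo mv" above, so this needs sudo like the other easyrsa steps; it also asks for
# confirmation before wiping an existing pki/.
sudo ./easyrsa init-pki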
Kod:
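# build-ca prompts for a CA passphrase (no "nopass" here): keep one set, this key
# signs every certificate the VPN will trust. sudo for the same reason as init-pki.
sudo ./easyrsa build-ca
# The request has to exist before it can be signed; this step was missing in this
# copy of the guide (it is present in the summary above).
sudo ./easyrsa gen-req vpnserver nopass
sudo ./easyrsa sign-req server vpnserver
# One command (the guide had it wrapped across two lines).
sudo openssl verify -CAfile pki/ca.crt pki/issued/vpnserver.crt
sudo ./easyrsa gen-dh
# pki/private/ is root-only and /etc/openvpn/server/ is root-owned, so the copies
# need sudo as well; otherwise the key copy is denied.
sudo cp pki/ca.crt /etc/openvpn/server/
sudo cp pki/dh.pem /etc/openvpn/server/
sudo cp pki/private/vpnserver.key /etc/openvpn/server/
sudo cp pki/issued/vpnserver.crt /etc/openvpn/server/
# Client certificate. The guide's server.conf sets client-cert-not-required and
# authenticates against RADIUS, so this cert is only needed if that is changed later.
sudo ./easyrsa gen-req client nopass
sudo ./easyrsa sign-req client client
sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/
# server.conf contents follow in the guide.
sudo nano /etc/openvpn/server/server.conf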
Kod:
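port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
#duplicate-cn
# "plugin" takes the shared object and its config file. In the guide the next two
# directives were wrapped onto this same line, which would have handed
# "ifconfig-pool-persist ipp.txt persist-key" to the plugin as extra arguments.
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ifconfig-pool-persist ipp.txt
# Clients are authenticated by username/password through the RADIUS plugin only; no
# client certificate is verified, so the RADIUS shared secret and the TLS settings
# below are what gate access. client-cert-not-required is the deprecated spelling of
# "verify-client-cert none" in OpenVPN 2.4+. A tls-crypt/tls-auth key would require a
# pre-shared key before the TLS handshake is even attempted.
client-cert-not-required
username-as-common-name
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
# With "auth" left commented the HMAC digest is OpenVPN's default (SHA1); uncomment
# to use SHA512 (the client config must match).
#auth SHA512
#auth-nocache
keepalive 5 30
persist-key
persist-tun
# Compression of VPN traffic is discouraged (VORACLE-style attacks); keep comp-lzo
# only if existing clients require it, and drop it from both sides otherwise.
comp-lzo
daemon
user nobody
group nobody
log-append /var/log/openvpn.log
explicit-exit-notify 1
verb 3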
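# Start the server now and at boot (this copy of the guide only enabled it; the
# summary above also starts it).
sudo systemctl start openvpn-server@server
sudo systemctl enable openvpn-server@server
# firewalld: open the OpenVPN service and NAT the tunnel subnet out through the
# interface that carries the default route.
sudo dnf install firewalld -y
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --state
sudo firewall-cmd --permanent --add-service=openvpn
sudo firewall-cmd --permanent --zone=trusted --add-service=openvpn
# tun0 in the "trusted" zone means every VPN client reaches all local services
# unfiltered; use a stricter zone if this host runs anything besides OpenVPN.
sudo firewall-cmd --permanent --zone=trusted --add-interface=tun0
sudo firewall-cmd --add-masquerade
sudo firewall-cmd --permanent --add-masquerade
# Take the field after "dev" rather than $(NF-2): newer iproute2 appends "uid N" to
# the "ip route get" line, which moves $(NF-2) onto the source address instead of
# the interface name.
vpserver=$(ip route get 8.8.8.8 | awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
[ -n "$vpserver" ] || echo "warning: could not determine the egress interface; set vpserver by hand" >&2
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$vpserver" -j MASQUERADE
sudo firewall-cmd --reload
# radiusplugin is fetched over plain HTTP and is then loaded into the OpenVPN server
# process: check the archive against a checksum obtained out-of-band before building.
# The build runs unprivileged in a scratch directory; only the install uses sudo.
builddir=$(mktemp -d) || exit 1
cd "$builddir" || exit 1
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# sha256sum radiusplugin_v2.1a_beta1.tar.gz   # expected: <SHA256 OBTAINED OUT-OF-BAND>
tar xvf radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1 || exit 1
make
sudo mkdir -p /etc/openvpn/radius
sudo cp radiusplugin.so /etc/openvpn/radius
# radius.cnf is not shipped by the copy above; the contents follow in the guide.
sudo nano /etc/openvpn/radius/radius.cnf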
Düzenle
Kod:
# Identifier this NAS (the VPN server) reports to the RADIUS server; 000.000.000.000
# is a placeholder and has to be replaced with the server's own address/name.
NAS-Identifier=000.000.000.000
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server (placeholder, set to the
# VPN server's real IP).
NAS-IP-Address=000.000.000.000
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)