openvpn实现tcp和udp共存

post thumb
Ops
作者 Louis 发表于 2020年5月20日

[toc]

背景: 疫情期间, 在家办公让vpn突然火了起来。openvpn的udp和tcp两种模式都可以正常工作, 因为公司是通过动态拨号上网,没有固定的外网地址,所以VPN是通过映射到内网来实现. 由于端口映射导致tls错误,将udp协议改成了tcp协议。 解决了映射相关错误后 ,又重新开启了udp端口。

$表示bash shell, #表示注释, > 表示数据库

安装配置

修改配置文件

$ cd /etc/openvpnserver/
$ cp server.conf udp.conf
$ vim udp.conf

# 修改proto
proto udp
# 修改ip, 将老的ip替换为其他的即可, 其他配置暂时不用修改
server 10.8.0.0 255.255.255.0

配置systemd文件

$ cat /lib/systemd/system/openvpn@.service 
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=network.target

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --cd /etc/openvpnserver/ --config %i.conf

[Install]
WantedBy=multi-user.target

解释一下

  • systemd的配置文件 %i 为占位符, Unit 文件名中在 @ 符号之后的部分,不包括 @ 符号和 .service 后缀名, 详细的占位符可以查看官方文档官方

启动

$ systemctl start openvpn@server
$ systemctl start openvpn@udp
$ systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-05-19 09:29:31 CST; 1 day 5h ago
 Main PID: 3545 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─3545 /usr/sbin/openvpn --cd /etc/openvpnserver/ --config server.conf

May 19 09:29:31 server11-new systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Applicati...er...
May 19 09:29:31 server11-new systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Applicatio...rver.
Hint: Some lines were ellipsized, use -l to show in full.
$  systemctl status openvpn@udp
● openvpn@udp.service - OpenVPN Robust And Highly Flexible Tunneling Application On udp
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-05-20 11:34:08 CST; 3h 22min ago
 Main PID: 6212 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@udp.service
           └─6212 /usr/sbin/openvpn --cd /etc/openvpnserver/ --config udp.conf

May 20 11:34:08 server11-new systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Applicati...dp...
May 20 11:34:08 server11-new systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Applicatio... udp.
Hint: Some lines were ellipsized, use -l to show in full.

配置iptables转发, 因为服务器是内网, 内网ip基本不会变化, 这边用的SNAT替代了MASQUERADE.

iptables -t nat -A POSTROUTING -s 172.8.8.0/24 -j SNAT --to-source 192.168.0.11
iptables -t nat -A POSTROUTING -s 10.8.0.0/24  -j SNAT --to-source 192.168.0.11

开机自启动

$ systemctl enable openvpn@server
$ systemctl enable openvpn@udp

配置完成.

客户端配置文件秘钥合并

## 可以合并到脚本文件里面.
$ echo "
client
dev tun
proto tcp
remote 123.45.67.89 6666

resolv-retry infinite
nobind
persist-key
persist-tun
<key>
$(cat /etc/openvpnclient/${vpn_user}.key)
</key>
<cert>
$(openssl x509 -in /etc/openvpnclient/${vpn_user}.crt)
</cert>
<ca>
$(cat /etc/openvpnclient/ca.crt)
</ca>
remote-cert-tls server

comp-lzo
verb 3
" > /etc/openvpnclient/new/${vpn_user}.ovpn

参考

谢谢您的观看

上一篇
内网穿透使用wss