설치 스크립트 (amazonlinux2 version or centos7 version)
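# Everything below writes under /etc and calls yum/useradd, so it has to run as
# root. `sudo -s` is deliberately not used inside the script: it opens an
# interactive shell, and the remaining lines only run after that shell exits,
# back in the unprivileged caller.
if (( EUID != 0 )); then
  printf 'this script must be run as root (e.g. sudo -s, then run it)\n' >&2
  exit 1
fi
# Timezone: Asia/Seoul, hardware clock kept in UTC (AL2 / CentOS 7 sysconfig layout).
printf 'ZONE="Asia/Seoul"\n' > /etc/sysconfig/clock
printf 'UTC=true\n' >> /etc/sysconfig/clock
ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime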
###################################
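# Deployment parameters. Each may be overridden from the environment
# (e.g. `VPC_RANGE="10.2.0.0 255.255.0.0" bash install.sh`); the defaults are
# the original hard-coded values.
# VPN client pool in CIDR form -- used by the iptables MASQUERADE rule.
VPN_CIDR="${VPN_CIDR:-192.168.255.0/24}"
# The same pool as "network netmask" for the OpenVPN `server` directive.
# VPN_CIDR and VPN_RANGE must describe the same network.
VPN_RANGE="${VPN_RANGE:-192.168.255.0 255.255.255.0}"
# EC2 VPC range pushed to clients as a route (customize per VPC).
VPC_RANGE="${VPC_RANGE:-10.1.0.0 255.255.0.0}"
# Port/protocol written into the client profile. server.conf keeps the sample
# file's port/proto (this script does not edit them), so keep these in sync
# with it if you change them.
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTOCOL="${VPN_PROTOCOL:-udp}"
# Where the generated client .ovpn is written, and the owner/group it is given.
SUPPORT_ACCOUNT_HOME_DIR="${SUPPORT_ACCOUNT_HOME_DIR:-/home/ec2-user}"
GROUP="${GROUP:-ec2-user}"
OWNER="${OWNER:-ec2-user}"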
###################################
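# Group that the PAM stack requires for VPN logins (pam_succeed_if ... ingroup vpnuser).
# Skip creation when it already exists so the script can be re-run.
getent group vpnuser >/dev/null || groupadd vpnuser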
###################################
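# VPN accounts to create. Add names to the array; USER_COUNT is derived from
# it so the two can no longer disagree (the original set both by hand).
USERS=(test)
USER_COUNT=${#USERS[@]}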
###################################
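# Create one nologin account per entry in USERS and set a random 10-character
# alphanumeric password. PASSWORDS[i] pairs with USERS[i]; both arrays are
# printed at the end of the script.
for (( i = 0; i < USER_COUNT; i++ )); do
  user=${USERS[$i]}
  # Shared home /home/vpnuser/ as in the original layout; the account is only
  # used for PAM authentication, never for shell access. Skip useradd on
  # re-runs (the password is still reset below).
  if ! id -u "$user" >/dev/null 2>&1; then
    useradd -g vpnuser -d /home/vpnuser/ -s /sbin/nologin "$user"
  fi
  # 10 characters from [a-zA-Z0-9]; `head -c` replaces the fold|head pair and
  # the useless cat on an infinite stream.
  PASSWORDS[$i]=$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 10)
  # passwd --stdin (RHEL-family extension) takes the password on stdin, so it
  # never appears in an argv visible to `ps`.
  printf '%s\n' "${PASSWORDS[$i]}" | passwd --stdin "$user"
done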
# Dump each account as name=password (same format as before). This goes to
# stdout, so when the script runs under cloud-init/user-data the passwords end
# up in the captured output/console log.
for (( idx = 0; idx < USER_COUNT; idx++ )); do
  printf '%s=%s\n' "${USERS[$idx]}" "${PASSWORDS[$idx]}"
done
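# Enable EPEL. amazon-linux-extras exists only on Amazon Linux 2; on CentOS 7
# (the other target named in the title) the epel-release package provides the
# same repository.
if command -v amazon-linux-extras >/dev/null 2>&1; then
  amazon-linux-extras install -y epel
else
  yum -y install epel-release
fi
yum -y install yum-utils
yum-config-manager --enable epel
# OpenVPN itself (from EPEL).
yum -y install openvpn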
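# Start from the sample server.conf shipped with the package.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
# Apply every edit in one sed pass. The original chained five cat|sed stages
# into server.conf_tmp, then wrote server.conf twice -- the first write (cipher
# only) was immediately overwritten by the second, and the _tmp file was left behind.
#   - comment out `cipher AES-256-CBC`  (leaves the data-channel cipher to
#     OpenVPN's default/negotiation -- NOTE(review): confirm this is intended)
#   - run as nobody/nobody after startup
#   - comment out `tls-auth ta.key 0`   (this script generates no ta.key; without
#     it the control channel has no HMAC firewall against unauthenticated packets)
#   - enable comp-lzo                   (must match the client profile; compression
#     inside a VPN is known to weaken confidentiality -- VORACLE)
#   - set the `server` directive from VPN_RANGE
# VPN_RANGE is interpolated into a sed replacement, so it must not contain / or &.
sed -r \
  -e 's/^cipher AES-256-CBC/;cipher AES-256-CBC/' \
  -e 's/^;user nobody/user nobody/' \
  -e 's/^;group nobody/group nobody/' \
  -e 's/^tls-auth ta.key 0/;tls-auth ta.key 0/' \
  -e 's/^;comp-lzo/comp-lzo/' \
  -e "s/^server\s.*/server $VPN_RANGE/" \
  /etc/openvpn/server.conf > /etc/openvpn/server.conf.tmp \
  && mv -f /etc/openvpn/server.conf.tmp /etc/openvpn/server.conf
# Push the VPC route to clients, allow several clients on one cert
# (duplicate-cn), and re-key after 84600s (same value in the client profile).
printf '\npush "route %s"\n' "$VPC_RANGE" >> /etc/openvpn/server.conf
printf 'duplicate-cn\n' >> /etc/openvpn/server.conf
printf 'reneg-sec 84600\n' >> /etc/openvpn/server.conf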
# --- user/password authentication via PAM ---
# The auth-pam plugin hands the client's username/password to the "openvpn"
# PAM service defined just below.
printf 'plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn\n' \
  >> /etc/openvpn/server.conf
# PAM stack for that service (the file is created fresh, not appended to):
#   pam_unix       - password check against /etc/shadow
#   pam_succeed_if - only uid >= 500 *and* members of group vpnuser may log in
#   pam_tally2     - lock out after 5 failures for 60 seconds
cat > /etc/pam.d/openvpn <<'EOF'
auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_succeed_if.so user ingroup vpnuser quiet
auth required pam_tally2.so deny=5 even_deny_root unlock_time=60
account required pam_tally2.so
account required pam_unix.so
EOF
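# easy-rsa 3 (from EPEL), copied under /etc/openvpn so the PKI lives there.
yum -y install easy-rsa --enablerepo=epel
mkdir -p /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/3.0/* /etc/openvpn/easy-rsa
easyrsa_vars=/etc/openvpn/easy-rsa/vars
# Comment out the package's EASYRSA_REQ_* exports in a single sed pass (the
# original chained seven cat|sed stages through vars.N.tmp files), then append ours.
# NOTE(review): easy-rsa 3 packages commonly ship vars.example rather than vars.
# If vars is absent, sed fails, the mv installs an empty file and the appended
# lines below are all it contains -- same net result as before, but confirm
# against the installed package.
sed -r \
  -e 's/^export EASYRSA_REQ_COUNTRY=/#export EASYRSA_REQ_COUNTRY=/' \
  -e 's/^export EASYRSA_REQ_PROVINCE=/#export EASYRSA_REQ_PROVINCE=/' \
  -e 's/^export EASYRSA_REQ_CITY=/#export EASYRSA_REQ_CITY=/' \
  -e 's/^export EASYRSA_REQ_ORG=/#export EASYRSA_REQ_ORG=/' \
  -e 's/^export EASYRSA_REQ_EMAIL=/#export EASYRSA_REQ_EMAIL=/' \
  -e 's/^export EASYRSA_REQ_CN=/#export EASYRSA_REQ_CN=/' \
  -e 's/^export EASYRSA_REQ_OU=/#export EASYRSA_REQ_OU=/' \
  "$easyrsa_vars" > "$easyrsa_vars.tmp"
mv -f "$easyrsa_vars.tmp" "$easyrsa_vars"
# Certificate-request fields baked into the CA, server and client certs.
cat >> "$easyrsa_vars" <<'EOF'
export EASYRSA_REQ_COUNTRY="KR"
export EASYRSA_REQ_PROVINCE="SEOUL"
export EASYRSA_REQ_CITY="Seoul"
export EASYRSA_REQ_ORG="NDS"
export EASYRSA_REQ_EMAIL="awsbilling_nsg@nongshim.co.kr"
export EASYRSA_REQ_CN=NDS-kr
export EASYRSA_REQ_OU=server
EOF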
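# Load the request fields. Absolute path: the cd into the easy-rsa directory
# only happens below, so the original `source ./vars` resolved against
# whatever directory the script was launched from.
source /etc/openvpn/easy-rsa/vars
# OpenSSL config copy kept from the original; which file name easyrsa looks
# for depends on the easy-rsa release installed.
cp /etc/openvpn/easy-rsa/openssl-1.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
# Staging directories for the server- and client-side material copied out of pki/.
mkdir -p /etc/openvpn/easy-rsa/keys/serverside
mkdir -p /etc/openvpn/easy-rsa/keys/clientside
# Every ./easyrsa invocation below is relative to this directory; without it
# they would all fail, so stop here if the cd does.
cd /etc/openvpn/easy-rsa || exit 1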
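# Build the PKI: CA, DH parameters and the server certificate/key.
./easyrsa --batch init-pki
# pki/ca.crt + pki/private/ca.key. `nopass` leaves the CA key unencrypted on
# the VPN host itself: whoever can read it can issue client certificates, so
# keep the host locked down or move the CA key off-box once issuance is done.
./easyrsa --batch build-ca nopass
# pki/dh.pem (installed below under the name the sample server.conf uses, dh2048.pem)
./easyrsa gen-dh
# pki/private/server.key + pki/issued/server.crt, no passphrase
./easyrsa --batch build-server-full server nopass
# Stage copies under keys/serverside, then install them into /etc/openvpn with
# explicit modes: the private key stays 0600, certs and DH params are public.
pki_dir=/etc/openvpn/easy-rsa/pki
stage_dir=/etc/openvpn/easy-rsa/keys/serverside
install -m 0644 "$pki_dir/ca.crt" "$stage_dir/ca.crt"
install -m 0644 "$stage_dir/ca.crt" /etc/openvpn/ca.crt
install -m 0600 "$pki_dir/private/server.key" "$stage_dir/server.key"
install -m 0600 "$stage_dir/server.key" /etc/openvpn/server.key
install -m 0644 "$pki_dir/issued/server.crt" "$stage_dir/server.crt"
install -m 0644 "$stage_dir/server.crt" /etc/openvpn/server.crt
install -m 0644 "$pki_dir/dh.pem" "$stage_dir/dh.pem"
install -m 0644 "$stage_dir/dh.pem" /etc/openvpn/dh2048.pem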
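# Client certificate/key. One shared identity: server.conf has duplicate-cn,
# so several clients may connect with it at the same time.
CLIENT_NAME=client
# Appears to be a leftover easy-rsa 2 variable; nothing in this script reads it
# (easy-rsa 3 takes the name from the build-client-full argument). Kept as-is.
KEY_CN=$CLIENT_NAME
# pki/private/<name>.key + pki/issued/<name>.crt, no passphrase (the key is
# embedded in the .ovpn profile below).
./easyrsa --batch build-client-full "$CLIENT_NAME" nopass
# Source paths now follow CLIENT_NAME too; the original copied the literal
# client.key/client.crt and broke as soon as CLIENT_NAME was changed.
install -m 0600 "/etc/openvpn/easy-rsa/pki/private/$CLIENT_NAME.key" \
  "/etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.key"
install -m 0644 "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" \
  "/etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.crt"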
echo "client" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "dev tun" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "proto $VPN_PROTOCOL" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
mypublicip=$(curl http://169.254.169.254/latest/meta-data/public-ipv4)
echo "remote $mypublicip $VPN_PORT" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "resolv-retry infinite" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "nobind" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "persist-key" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "persist-tun" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "comp-lzo" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "verb 3" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "<ca>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "</ca>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "<cert>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
cat /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.crt >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
rm -f /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.crt
echo "</cert>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "<key>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
cat /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.key >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
rm -f /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.key
echo "</key>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
#user/pass-start
echo "remote-cert-tls server" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "auth-nocache" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "auth-user-pass" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "reneg-sec 84600" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
#user/pass-end
chown $OWNER:$GROUP $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
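# Enable IPv4 forwarding persistently. The original only rewrote an existing
# net.ipv4.ip_forward line; when sysctl.conf has none (common on a fresh
# AL2/CentOS 7 image) nothing changed and `sysctl -p` left forwarding off, so
# VPN clients could not reach the VPC.
if grep -qE '^net\.ipv4\.ip_forward\s*=' /etc/sysctl.conf; then
  sed -r 's/^net\.ipv4\.ip_forward\s*=.+/net.ipv4.ip_forward = 1/' /etc/sysctl.conf \
    > /etc/sysctl.conf.tmp && mv -f /etc/sysctl.conf.tmp /etc/sysctl.conf
else
  printf 'net.ipv4.ip_forward = 1\n' >> /etc/sysctl.conf
fi
sysctl -p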
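# Legacy SysV enable, kept from the original; on systemd hosts the real enable
# is the `systemctl enable openvpn@server.service` further below.
chkconfig openvpn on
# Interface the NAT rules apply to. Image-dependent (eth0 on AL2/CentOS 7;
# newer images use ens5-style names) -- override with WAN_IF when needed.
WAN_IF="${WAN_IF:-eth0}"
# Append a POSTROUTING rule only if an identical one is not already present,
# so re-running the script does not stack duplicates.
ensure_nat_rule() {
  iptables -t nat -C POSTROUTING "$@" 2>/dev/null \
    || iptables -t nat -A POSTROUTING "$@"
}
ensure_nat_rule -s "$VPN_CIDR" -o "$WAN_IF" -j MASQUERADE
# NOTE(review): this second rule masquerades *all* traffic leaving $WAN_IF, not
# just $VPN_CIDR, which makes the rule above redundant. Kept from the original;
# drop it if only VPN client traffic should be NATed.
ensure_nat_rule -o "$WAN_IF" -j MASQUERADE
iptables-save > /etc/iptables.conf
# Restore the rules on boot via rc.local (line added once). rc-local.service
# only runs the file when it is executable, so make sure it is.
if ! grep -q 'iptables-restore' /etc/rc.local; then
  printf 'iptables-restore < /etc/iptables.conf\n' >> /etc/rc.local
fi
chmod +x /etc/rc.local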
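# (`service iptables save` is superseded by the iptables-save above.)
# Enable the templated unit for /etc/openvpn/server.conf and start it. The
# script already runs as root, so the sudo prefixes were redundant. A failed
# start is reported instead of being ignored, since the client profile printed
# later is useless without a running server.
systemctl -f enable openvpn@server.service
if ! systemctl start openvpn@server.service; then
  printf 'openvpn@server.service failed to start; see: journalctl -u openvpn@server.service\n' >&2
  exit 1
fi
# Client-side test: openvpn --config ~/path/to/client.ovpn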
# Final credential dump, one line per account, in the original
# "ovpn user info || id: <user> pw: <password>" format. Like the earlier dump
# this goes to stdout, so any captured output of this script holds the passwords.
for (( n = 0; n < USER_COUNT; n++ )); do
  printf 'ovpn user info || id: %s pw: %s\n' "${USERS[$n]}" "${PASSWORDS[$n]}"
done
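# Show the generated profile, using the same variables it was written with
# instead of the hard-coded /home/ec2-user/client.ovpn. Note this prints the
# embedded client private key to stdout (and so to any captured log).
cd "$SUPPORT_ACCOUNT_HOME_DIR" || exit 1
cat -- "$CLIENT_NAME.ovpn"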
터널블릭(mac용 OpenVPN 실행 클라이언트) 다운로드 URL
https://tunnelblick.net/downloads.html
OpenVPN Server 실행 (CentOS7 이상)
# Enable the server instance of the templated unit, start it, and show its state.
svc=openvpn@server.service
sudo systemctl -f enable "$svc"
sudo systemctl start "$svc"
sudo systemctl status "$svc"