반응형
설치 스크립트 (amzonlinux2 version or centos7 version)
# root
sudo -s
echo "ZONE=\"Asia/Seoul\"" > /etc/sysconfig/clock
echo "UTC=true" >> /etc/sysconfig/clock
ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
###################################
#VPN IP CIDR
VPN_CIDR="192.168.255.0/24"
#VPN IP RANGE
VPN_RANGE="192.168.255.0 255.255.255.0"
#EC2 VPC RANGE (customizing)
VPC_RANGE="10.1.0.0 255.255.0.0"
#VPN 1194
VPN_PORT=1194
VPN_PROTOCOL=udp
#etec/openvpn/server.conf
SUPPORT_ACCOUNT_HOME_DIR=/home/ec2-user
GROUP=ec2-user
OWNER=ec2-user
###################################
groupadd vpnuser
###################################
USER_COUNT=1
USERS[0]=test
###################################
for (( i=0 ; i<$USER_COUNT ; i++ ))
do
useradd -g vpnuser -d /home/vpnuser/ -s /sbin/nologin ${USERS[$i]}
PASSWORDS[$i]=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
echo ${PASSWORDS[$i]} | passwd ${USERS[$i]} --stdin
done
for (( i=0 ; i<$USER_COUNT ; i++ ))
do
echo ${USERS[$i]}=${PASSWORDS[$i]}
done
amazon-linux-extras install -y epel
yum -y install yum-utils
yum-config-manager --enable epel
#openvpn
yum -y install openvpn
#openvpn /etc/opevpn
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
#openvpn
cat /etc/openvpn/server.conf | sed -r 's/^cipher AES-256-CBC/;cipher AES-256-CBC/g' | sed -r 's/^;user nobody/user nobody/g' | sed -r 's/^;group nobody/group nobody/g' | sed -r 's/^tls-auth ta.key 0/;tls-auth ta.key 0/g' | sed -r 's/^;comp-lzo/comp-lzo/g' > /etc/openvpn/server.conf_tmp
cat /etc/openvpn/server.conf_tmp | sed -r 's/^cipher AES-256-CBC/;cipher AES-256-CBC/g' > /etc/openvpn/server.conf
cat /etc/openvpn/server.conf_tmp | sed -r "s/^server\s.*/server $VPN_RANGE/g" > /etc/openvpn/server.conf
echo -e "\npush \"route $VPC_RANGE\"" >> /etc/openvpn/server.conf
echo "duplicate-cn" >> /etc/openvpn/server.conf
echo "reneg-sec 84600" >> /etc/openvpn/server.conf
#user/pass- START
echo "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> /etc/openvpn/server.conf
echo "auth required pam_unix.so shadow nodelay" > /etc/pam.d/openvpn
echo "auth requisite pam_succeed_if.so uid >= 500 quiet" >> /etc/pam.d/openvpn
echo "auth requisite pam_succeed_if.so user ingroup vpnuser quiet" >> /etc/pam.d/openvpn
echo "auth required pam_tally2.so deny=5 even_deny_root unlock_time=60" >> /etc/pam.d/openvpn
echo "account required pam_tally2.so" >> /etc/pam.d/openvpn
echo "account required pam_unix.so" >> /etc/pam.d/openvpn
#easy-rsa
yum -y install easy-rsa --enablerepo=epel
mkdir -p /etc/openvpn/easy-rsa
cp -rf /usr/share/easy-rsa/3.0/* /etc/openvpn/easy-rsa
cat /etc/openvpn/easy-rsa/vars | sed -r 's/^export EASYRSA_REQ_COUNTRY=/#export EASYRSA_REQ_COUNTRY=/g' > /etc/openvpn/easy-rsa/vars.1.tmp
cat /etc/openvpn/easy-rsa/vars.1.tmp | sed -r 's/^export EASYRSA_REQ_PROVINCE=/#export EASYRSA_REQ_PROVINCE=/g' > /etc/openvpn/easy-rsa/vars.2.tmp
cat /etc/openvpn/easy-rsa/vars.2.tmp | sed -r 's/^export EASYRSA_REQ_CITY=/#export EASYRSA_REQ_CITY=/g' > /etc/openvpn/easy-rsa/vars.3.tmp
cat /etc/openvpn/easy-rsa/vars.3.tmp | sed -r 's/^export EASYRSA_REQ_ORG=/#export EASYRSA_REQ_ORG=/g' > /etc/openvpn/easy-rsa/vars.4.tmp
cat /etc/openvpn/easy-rsa/vars.4.tmp | sed -r 's/^export EASYRSA_REQ_EMAIL=/#export EASYRSA_REQ_EMAIL=/g' > /etc/openvpn/easy-rsa/vars.5.tmp
cat /etc/openvpn/easy-rsa/vars.5.tmp | sed -r 's/^export EASYRSA_REQ_CN=/#export EASYRSA_REQ_CN=/g' > /etc/openvpn/easy-rsa/vars.6.tmp
cat /etc/openvpn/easy-rsa/vars.6.tmp | sed -r 's/^export EASYRSA_REQ_OU=/#export EASYRSA_REQ_OU=/g' > /etc/openvpn/easy-rsa/vars
rm -f /etc/openvpn/easy-rsa/vars.*.tmp
echo "export EASYRSA_REQ_COUNTRY=\"KR\"" >> /etc/openvpn/easy-rsa/vars
echo "export EASYRSA_REQ_PROVINCE=\"SEOUL\"" >> /etc/openvpn/easy-rsa/vars
echo "export EASYRSA_REQ_CITY=\"Seoul\"" >> /etc/openvpn/easy-rsa/vars
echo "export EASYRSA_REQ_ORG=\"NDS\"" >> /etc/openvpn/easy-rsa/vars
echo "export EASYRSA_REQ_EMAIL=\"awsbilling_nsg@nongshim.co.kr\"" >> /etc/openvpn/easy-rsa/vars
echo "export EASYRSA_REQ_CN=NDS-kr" >> /etc/openvpn/easy-rsa/vars
echo "export EASYRSA_REQ_OU=server" >> /etc/openvpn/easy-rsa/vars
source ./vars
cp /etc/openvpn/easy-rsa/openssl-1.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
mkdir -p /etc/openvpn/easy-rsa/keys/serverside
mkdir -p /etc/openvpn/easy-rsa/keys/clientside
cd /etc/openvpn/easy-rsa
./easyrsa --batch init-pki
##### pki/ca.crt
./easyrsa --batch build-ca nopass
##### server key
##### pki/pirvate/server.key
##### pki/issued/server.crt
##### pki/dh.pem
./easyrsa gen-dh
./easyrsa --batch build-server-full server nopass
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/keys/serverside/ca.crt
cp /etc/openvpn/easy-rsa/keys/serverside/ca.crt /etc/openvpn/ca.crt
cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/easy-rsa/keys/serverside/server.key
cp /etc/openvpn/easy-rsa/keys/serverside/server.key /etc/openvpn/server.key
cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/easy-rsa/keys/serverside/server.crt
cp /etc/openvpn/easy-rsa/keys/serverside/server.crt /etc/openvpn/server.crt
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/easy-rsa/keys/serverside/dh.pem
cp /etc/openvpn/easy-rsa/keys/serverside/dh.pem /etc/openvpn/dh2048.pem
##### client key
CLIENT_NAME=client
KEY_CN=$CLIENT_NAME
##### pki/pirvate/client.key
##### pki/issued/client.crt
./easyrsa --batch build-client-full $CLIENT_NAME nopass
cp /etc/openvpn/easy-rsa/pki/private/client.key /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.key
cp /etc/openvpn/easy-rsa/pki/issued/client.crt /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.crt
echo "client" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "dev tun" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "proto $VPN_PROTOCOL" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
mypublicip=$(curl http://169.254.169.254/latest/meta-data/public-ipv4)
echo "remote $mypublicip $VPN_PORT" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "resolv-retry infinite" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "nobind" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "persist-key" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "persist-tun" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "comp-lzo" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "verb 3" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "<ca>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "</ca>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "<cert>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
cat /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.crt >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
rm -f /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.crt
echo "</cert>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "<key>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
cat /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.key >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
rm -f /etc/openvpn/easy-rsa/keys/clientside/$CLIENT_NAME.key
echo "</key>" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
#user/pass-start
echo "remote-cert-tls server" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "auth-nocache" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "auth-user-pass" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
echo "reneg-sec 84600" >> $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
#user/pass-end
chown $OWNER:$GROUP $SUPPORT_ACCOUNT_HOME_DIR/$CLIENT_NAME.ovpn
cat /etc/sysctl.conf | sed -r 's/^net\.ipv4\.ip_forward\s*=.+/net.ipv4.ip_forward = 1/g' > /etc/sysctl.conf.tmp
mv -f /etc/sysctl.conf.tmp /etc/sysctl.conf
sysctl -p
chkconfig openvpn on
iptables -t nat -A POSTROUTING -s $VPN_CIDR -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/iptables.conf
RC_LOCAL_TEST=`cat /etc/rc.local | grep "iptables-restore" | wc -c`
if [ $[RC_LOCAL_TEST] -lt 10 ];then
echo "iptables-restore < /etc/iptables.conf" >> /etc/rc.local
fi
#service iptables save
sudo systemctl -f enable openvpn@server.service
sudo systemctl start openvpn@server.service
#sudo openvpn --config ~/path/to/client.ovpn
for (( i=0 ; i<$USER_COUNT ; i++ ))
do
echo 'ovpn user info || id: '${USERS[$i]}' pw: '${PASSWORDS[$i]}
done
cd /home/ec2-user
#vi client.ovpn
cat client.ovpn터널블릭(mac 용 openvpn실행 클라이언트) 다운로드URL
https://tunnelblick.net/downloads.html
OpenVPN Server 실행(Centos7 이상)
sudo systemctl -f enable openvpn@server.service
sudo systemctl start openvpn@server.service
sudo systemctl status openvpn@server.service반응형
'IT' 카테고리의 다른 글
| jenv 사용하여 멀티 자바 버전 사용하기 (0) | 2021.10.08 |
|---|---|
| Apple MAC M1 에서 linux/amd64로 docker 빌드하기 (0) | 2021.10.07 |
| 유용한 vim 단축키 모음 (0) | 2021.10.06 |
| MSA(Micro Service Architecture)와 API Gateway (0) | 2021.09.23 |
| VSC(Visual Studio Code) 유용한 단축키 모음 (0) | 2021.09.15 |