Openvpn创建代理及虚拟局域网

发布于 2021-08-24  540 次阅读

最后还是没能开mc,气死。

最近又想重新开mc服务器了,手里的阿里云服务器带不动服务端,于是想到通过openvpn构建虚拟局域网,然后让朋友访问我电脑上的服务端的方式。

大体上参考这篇教程,部分内容参考官方docs桥接部分

安装OpenVPN并配置tun模式

使用这个脚本安装即可。安装完成后按需要修改配置文件。

我的配置文件:

port 2254
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_certname.crt
key server_certname.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
client-to-client
verb 3

script-security 2
up tun-to-bridge.sh

按照教程操作,我选择创建了tun-to-bridge.sh脚本,并且在配置中加入了相应内容。

如果需要增加客户端配置,将配置文件命名为server.conf并重新运行安装脚本即可。

配置虚拟局域网(tap模式)

复制tun模式的配置文件并修改,我修改后的配置文件是:

port 2255
proto udp
dev tap0
sndbuf 0
rcvbuf 0
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server-bridge 172.19.218.1 255.255.240.0 172.19.218.100 172.19.218.199
ifconfig-pool-persist ipp.txt
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_certname.crt
key server_certname.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
client-to-client
duplicate-cn
verb 3

script-security 2

up tap-to-bridge.sh

将该配置命名为server.conf并重新运行安装脚本,生成一个客户端配置,因为加入了duplicate-cn项,该配置可以由所有客户端通用。

客户端配置修改后:

client
proto udp
explicit-exit-notify
remote xxx.xxx.xxx.xxx 2255
dev tap
sndbuf 0
rcvbuf 0
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_certname name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----

按照教程创建tap-to-bridge.sh脚本。

设置桥接

桥接的配置可以按照官方教程来,个人觉得官方教程的脚本比较好用。

首先运行sudo apt-get install bridge-utils安装bridge-utils。

随后创建启动脚本:

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="172.19.218.1"
eth_netmask="255.255.240.0"
eth_broadcast="172.19.223.255"
gw="172.19.223.253"
eth_mac="00:11:22:33:44:55"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
#ip link set $br address $eth_mac
route add default gw $gw $br

脚本中的各项信息可以通过ifconfig以及ip a命令看到。

随后创建停止脚本:

#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

/etc/init.d/networking restart

启动和停止的流程是:
启动桥接
启动OpenVPN
关闭OpenVPN
停止桥接

查看运行状态

假设配置文件分别是tun-server.conf以及tap-server.conf,运行systemctl status openvpn@tun-server以及systemctl status openvpn@tap-server即可查看运行状况。

ifconfig可以查看桥接是否成功。

Sup