OpenVPN服务器启动脚本 该脚本为官方编写，位于/etc/init.d/openvpn目录请注意：本文章仅用于学习交流，该软件仅供运维需要使用，请勿使用该软件从事非法业务。#!/bin/sh -e ### BEGIN INIT INFO # Provides: OpenVPN # Required-Start: $network $remote_fs $syslog # Required-Stop: $network $remote_fs $syslog # Should-Start: network-manager # Should-Stop: network-manager # X-Start-Before: $x-display-manager gdm kdm xdm wdm ldm sdm nodm # X-Interactive: true # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: openvpn VPN service # Description: This script will start OpenVPN tunnels as specified # in /etc/default/openvpn and /etc/openvpn/*.conf ### END INIT INFO # Original version by Robert Leslie # <rob@mars.org>, edited by iwj and cs # Modified for openvpn by Alberto Gonzalez Iniesta <agi@inittab.org> # Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net> . /lib/lsb/init-functions test $DEBIAN_SCRIPT_DEBUG && set -v -x DAEMON=/usr/sbin/openvpn DESC="virtual private network daemon" CONFIG_DIR=/etc/openvpn test -x $DAEMON || exit 0 test -d $CONFIG_DIR || exit 0 # Source defaults file; edit that file to configure this script. AUTOSTART="all" STATUSREFRESH=10 OMIT_SENDSIGS=0 if test -e /etc/default/openvpn ; then . /etc/default/openvpn fi start_vpn () { if grep -q '^[ ]*daemon' $CONFIG_DIR/$NAME.conf ; then # daemon already given in config file DAEMONARG= else # need to daemonize DAEMONARG="--daemon ovpn-$NAME" fi if grep -q '^[ ]*status ' $CONFIG_DIR/$NAME.conf ; then # status file already given in config file STATUSARG="" elif test $STATUSREFRESH -eq 0 ; then # default status file disabled in /etc/default/openvpn STATUSARG="" else # prepare default status file STATUSARG="--status /run/openvpn/$NAME.status $STATUSREFRESH" fi # tun using the "subnet" topology confuses the routing code that wrongly # emits ICMP redirects for client to client communications SAVED_DEFAULT_SEND_REDIRECTS=0 if grep -q '^[[:space:]]*dev[[:space:]]*tun' $CONFIG_DIR/$NAME.conf && \ grep -q '^[[:space:]]*topology[[:space:]]*subnet' $CONFIG_DIR/$NAME.conf ; then # When using "client-to-client", OpenVPN routes the traffic itself without # involving the TUN/TAP interface so no ICMP redirects are sent if ! grep -q '^[[:space:]]*client-to-client' $CONFIG_DIR/$NAME.conf ; then sysctl -w net.ipv4.conf.all.send_redirects=0 > /dev/null # Save the default value for send_redirects before disabling it # to make sure the tun device is created with send_redirects disabled SAVED_DEFAULT_SEND_REDIRECTS=$(sysctl -n net.ipv4.conf.default.send_redirects) if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then sysctl -w net.ipv4.conf.default.send_redirects=0 > /dev/null fi fi fi log_progress_msg "$NAME" STATUS=0 start-stop-daemon --start --quiet --oknodo \ --pidfile /run/openvpn/$NAME.pid \ --exec $DAEMON -- $OPTARGS --writepid /run/openvpn/$NAME.pid \ $DAEMONARG $STATUSARG --cd $CONFIG_DIR \ --config $CONFIG_DIR/$NAME.conf || STATUS=1 [ "$OMIT_SENDSIGS" -ne 1 ] || ln -s /run/openvpn/$NAME.pid /run/sendsigs.omit.d/openvpn.$NAME.pid # Set the back the original default value of send_redirects if it was changed if [ "$SAVED_DEFAULT_SEND_REDIRECTS" -ne 0 ]; then sysctl -w net.ipv4.conf.default.send_redirects=$SAVED_DEFAULT_SEND_REDIRECTS > /dev/null fi } stop_vpn () { start-stop-daemon --stop --quiet --oknodo \ --pidfile $PIDFILE --exec $DAEMON --retry 5 if [ "$?" -eq 0 ]; then rm -f $PIDFILE [ "$OMIT_SENDSIGS" -ne 1 ] || rm -f /run/sendsigs.omit.d/openvpn.$NAME.pid rm -f /run/openvpn/$NAME.status 2> /dev/null fi } case "$1" in start) log_daemon_msg "Starting $DESC" # first create /run directory so it's present even # when no VPN are autostarted by this script, but later # by systemd openvpn@.service mkdir -p /run/openvpn # autostart VPNs if test -z "$2" ; then # check if automatic startup is disabled by AUTOSTART=none if test "x$AUTOSTART" = "xnone" -o -z "$AUTOSTART" ; then log_warning_msg " Autostart disabled." exit 0 fi if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then # all VPNs shall be started automatically for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do NAME=${CONFIG%%.conf} start_vpn done else # start only specified VPNs for NAME in $AUTOSTART ; do if test -e $CONFIG_DIR/$NAME.conf ; then start_vpn else log_failure_msg "No such VPN: $NAME" STATUS=1 fi done fi #start VPNs from command line else while shift ; do [ -z "$1" ] && break if test -e $CONFIG_DIR/$1.conf ; then NAME=$1 start_vpn else log_failure_msg " No such VPN: $1" STATUS=1 fi done fi log_end_msg ${STATUS:-0} ;; stop) log_daemon_msg "Stopping $DESC" if test -z "$2" ; then for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} stop_vpn log_progress_msg "$NAME" done else while shift ; do [ -z "$1" ] && break if test -e /run/openvpn/$1.pid ; then PIDFILE=`ls /run/openvpn/$1.pid 2> /dev/null` NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} stop_vpn log_progress_msg "$NAME" else log_failure_msg " (failure: No such VPN is running: $1)" fi done fi log_end_msg 0 ;; # Only 'reload' running VPNs. New ones will only start with 'start' or 'restart'. reload|force-reload) log_daemon_msg "Reloading $DESC" for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} # If openvpn if running under a different user than root we'll need to restart if egrep '^[[:blank:]]*user[[:blank:]]' $CONFIG_DIR/$NAME.conf > /dev/null 2>&1 ; then stop_vpn start_vpn log_progress_msg "(restarted)" else kill -HUP `cat $PIDFILE` || true log_progress_msg "$NAME" fi done log_end_msg 0 ;; # Only 'soft-restart' running VPNs. New ones will only start with 'start' or 'restart'. soft-restart) log_daemon_msg "$DESC sending SIGUSR1" for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} kill -USR1 `cat $PIDFILE` || true log_progress_msg "$NAME" done log_end_msg 0 ;; restart) shift $0 stop ${@} $0 start ${@} ;; cond-restart) log_daemon_msg "Restarting $DESC." for PIDFILE in `ls /run/openvpn/*.pid 2> /dev/null`; do NAME=`echo $PIDFILE | cut -c14-` NAME=${NAME%%.pid} stop_vpn start_vpn done log_end_msg 0 ;; status) GLOBAL_STATUS=0 if test -z "$2" ; then # We want status for all defined VPNs. # Returns success if all autostarted VPNs are defined and running if test "x$AUTOSTART" = "xnone" ; then # Consider it a failure if AUTOSTART=none log_warning_msg "No VPN autostarted" GLOBAL_STATUS=1 else if ! test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then # Consider it a failure if one of the autostarted VPN is not defined for VPN in $AUTOSTART ; do if ! test -f $CONFIG_DIR/$VPN.conf ; then log_warning_msg "VPN '$VPN' is in AUTOSTART but is not defined" GLOBAL_STATUS=1 fi done fi fi for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do NAME=${CONFIG%%.conf} # Is it an autostarted VPN ? if test -z "$AUTOSTART" -o "x$AUTOSTART" = "xall" ; then AUTOVPN=1 else if test "x$AUTOSTART" = "xnone" ; then AUTOVPN=0 else AUTOVPN=0 for VPN in $AUTOSTART; do if test "x$VPN" = "x$NAME" ; then AUTOVPN=1 fi done fi fi if test "x$AUTOVPN" = "x1" ; then # If it is autostarted, then it contributes to global status status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1 else status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}' (non autostarted)" || true fi done else # We just want status for specified VPNs. # Returns success if all specified VPNs are defined and running while shift ; do [ -z "$1" ] && break NAME=$1 if test -e $CONFIG_DIR/$NAME.conf ; then # Config exists status_of_proc -p /run/openvpn/${NAME}.pid openvpn "VPN '${NAME}'" || GLOBAL_STATUS=1 else # Config does not exist log_warning_msg "VPN '$NAME': missing $CONFIG_DIR/$NAME.conf file !" GLOBAL_STATUS=1 fi done fi exit $GLOBAL_STATUS ;; *) echo "Usage: $0 {start|stop|reload|restart|force-reload|cond-restart|soft-restart|status}" >&2 exit 1 ;; esac exit 0 # vim:set ai sts=2 sw=2 tw=0:

CentOS下编译安装OpenVPN2.1.4 安装依赖yum install openssl openssl-devel gcc wget -y下载OpenVPN2.1.4源码包和LZO2.05wget http://downloads.openwrt.org.cn/sources/openvpn-2.1.4.tar.gzwget http://downloads.openwrt.org.cn/sources/lzo-2.05.tar.gztar -zxvf openvpn-2.1.4.tar.gz && tar -zxvf lzo-2.05.tar.gzcd lzo-2.05.tar.gz/先编译安装lzo2.05./configuremake && make install 编译安装openvpn2.1.4cd openvpn-2.1.4/./configuremake && make install 使用easyrsa2.0生成证书cd easyrsa2.0/vi vars填写末尾六行eg：export KEY_SIZE=2048 export KEY_COUNTRY="US"export KEY_PROVINCE="CA"export KEY_CITY="LosAngeles"export KEY_ORG="Lonelyboy Networks"export KEY_EMAIL="lonelyboyzavier@gmail.com"保存后chmod +x varssource ./vars清空keys中的内容./clean-all生成2048位RSA服务器CA证书./build-ca生成服务器证书./build-key-server openvpnserver生成客户端证书./build-key clientname(自定义名)生成dh2048.pem文件./build-dh 一个客户端连接需要三个文件ca.crt ,client.crt,client.key拷贝至客户端即可mkdir /etc/openvpn && cd /etc/openvpntouch server.confmkdir cert (将ca.crt ，dh2048.pem，openvpnserver.crt，openvpnserver.key拷贝到cert文件夹)服务器端配置server.conf参考自定义协议）proto #端口号定义port XXXVPS使用tun需要母鸡支持dev tuntopology subnetserver 10.8.0.0 255.255.255.0自定义需要走VPN的IP路由push "route 172.31.9.0 255.255.255.0"auth SHA256cipher AES-256-CBCcomp-lzo adaptivepush "comp-lzo adaptive"通过服务端转发所有流量，默认不启用push "redirect-gateway def1 bypass-dhcp"向客户端通告DNS，可自定义push "dhcp-option DNS 114.114.114.114"push "dhcp-option DNS 8.8.8.8"配置证书文件路径ca /etc/openvpn/cert/ca.crtdh /etc/openvpn/cert/dh2048.pemcert /etc/openvpn/cert/openvpnserver.crtkey /etc/openvpn/cert/openvpnserver.keypersist-keypersist-tunuser nobody生成openvpn日志，verb为日志等级，默认为3log /var/log/openvpn.log log-append /var/log/openvpn.logmax-clients 10client-to-clientkeepalive 10 60nice 3verb 4mute 10iptables配置转发iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADEvi /etc/sysctl.conf net.ipv4.ip_forward=1 openvpn启动命令openvpn --config /etc/openvpn/server.conf