使用Pritunl配置和管理OpenVPN服务

添加Mongodb Yum软件仓库源

[root@tunnel ~]# sudo tee -a /etc/yum.repos.d/mongodb-org-3.6.repo << EOF
> [mongodb-org-3.6]
> name=MongoDB Repository
> baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.6/x86_64/
> gpgcheck=1
> enabled=1
> gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
> EOF
[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
[root@tunnel ~]#

添加Pritunl Yum软件仓库源

[root@tunnel ~]# sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
> [pritunl]
> name=Pritunl Repository
> baseurl=https://repo.pritunl.com/stable/yum/centos/7/
> gpgcheck=1
> enabled=1
> EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
[root@tunnel ~]# cat /etc/yum.repos.d/pritunl.repo 
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
[root@tunnel ~]#

更新Yum缓存

[root@tunnel ~]# yum makecache

导入GPG签名公钥

[root@tunnel ~]# gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key CF8E292A from hkp server keyserver.ubuntu.com
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key CF8E292A: public key "Pritunl <contact@pritunl.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@tunnel ~]#

[root@tunnel ~]# gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f 
key.tmp
[root@tunnel ~]#

使用Yum安装Pritunl和Mongodb

[root@tunnel ~]# yum -y install pritunl mongodb-org

启动服务，并注册系统服务

[root@tunnel ~]# systemctl start mongod pritunl
[root@tunnel ~]# systemctl enable mongod pritunl
Created symlink from /etc/systemd/system/multi-user.target.wants/pritunl.service to /etc/systemd/system/pritunl.service.
[root@tunnel ~]# systemctl status mongod
● mongod.service - High-performance, schema-free document-oriented database
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-08 10:07:00 UTC; 28s ago
Docs: https://docs.mongodb.org/manual
Main PID: 1732 (mongod)
CGroup: /system.slice/mongod.service
└─1732 /usr/bin/mongod -f /etc/mongod.conf

Aug 08 10:06:59 tunnel systemd[1]: Starting High-performance, schema-free document-oriented database...
Aug 08 10:06:59 tunnel mongod[1729]: about to fork child process, waiting until server is ready for connections.
Aug 08 10:06:59 tunnel mongod[1729]: forked process: 1732
Aug 08 10:07:00 tunnel systemd[1]: Started High-performance, schema-free document-oriented database.
[root@tunnel ~]# systemctl status pritunl
● pritunl.service - Pritunl Daemon
Loaded: loaded (/etc/systemd/system/pritunl.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-08 10:06:59 UTC; 35s ago
Main PID: 1724 (pritunl)
CGroup: /system.slice/pritunl.service
├─1724 /usr/lib/pritunl/bin/python2 /usr/lib/pritunl/bin/pritunl start
└─1778 pritunl-web

Aug 08 10:06:59 tunnel systemd[1]: Started Pritunl Daemon.
Aug 08 10:06:59 tunnel systemd[1]: Starting Pritunl Daemon...
[root@tunnel ~]#

查看服务及端口监听

[root@tunnel ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1732/mongod 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 673/sshd 
tcp6 0 0 :::443 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 ::1:9755 :::* LISTEN 1724/python2 
tcp6 0 0 :::80 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 :::22 :::* LISTEN 673/sshd 
[root@tunnel ~]#

生成初始设置密钥

[root@tunnel ~]# pritunl setup-key
ba0cc9655df84af33bd5ab1baad20dac
[root@tunnel ~]#

登录Web管理界面进行配置

https://66.80.120.167/login

初始用户名密码：pritunl/pritunl

1）添加组织
2）添加用户
3）添加服务器
4）将组织附加到服务器
5）启动服务器
6）下载用户配置文件

防火墙及规则设置
禁用Firewalld防火墙

systemctl disable firewalld
systemctl stop firewalld

安装并启用iptables防火墙

yum -y install iptables-services
systemctl status iptables
systemctl enable iptables
systemctl start iptables

添加iptables规则并保存

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 9443 -j ACCEPT
service iptables save

启动VPN Server服务
查看网络监听

[root@tunnel ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1732/mongod 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 673/sshd 
tcp6 0 0 :::443 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 ::1:9755 :::* LISTEN 1724/python2 
tcp6 0 0 :::80 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 :::22 :::* LISTEN 673/sshd 
udp 0 0 127.0.0.1:323 0.0.0.0:* 435/chronyd 
udp 0 0 0.0.0.0:68 0.0.0.0:* 1216/dhclient 
udp6 0 0 :::9443 :::* 4926/openvpn 
udp6 0 0 ::1:323 :::* 435/chronyd 
[root@tunnel ~]#

查看网络接口状态

[root@tunnel ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 56:00:01:9f:8e:77 brd ff:ff:ff:ff:ff:ff
inet 66.80.120.167/23 brd 66.80.121.255 scope global dynamic eth0
valid_lft 85018sec preferred_lft 85018sec
inet6 2002:19f0:6001:3d90:5400:1ff:fe9f:8e77/64 scope global mngtmpaddr dynamic 
valid_lft 2591663sec preferred_lft 604463sec
inet6 fe80::5400:1ff:fe9f:8e77/64 scope link 
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none 
inet 10.20.30.1/24 brd 10.20.30.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::fd51:af66:8daf:bb96/64 scope link flags 800 
valid_lft forever preferred_lft forever
[root@tunnel ~]#

查看防火墙状态

[root@tunnel ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Wed Aug 8 11:53:56 2018
*nat
:PREROUTING ACCEPT [117:7699]
:INPUT ACCEPT [20:1442]
:OUTPUT ACCEPT [8:552]
:POSTROUTING ACCEPT [8:552]
-A POSTROUTING -s 10.20.30.0/24 -o eth0 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j MASQUERADE
COMMIT
# Completed on Wed Aug 8 11:53:56 2018
# Generated by iptables-save v1.4.21 on Wed Aug 8 11:53:56 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2028:1155767]
-A INPUT -p udp -m udp --dport 9443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A FORWARD -i tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
COMMIT
# Completed on Wed Aug 8 11:53:56 2018
[root@tunnel ~]#

在Linux CLI下以非交互式密码验证进行VPN连接

[root@localhost ~]# cd harveymei/

添加账户验证文件，用户名密码各占一行

[root@localhost harveymei]# vi account.txt

修改VPN配置文件，添加账户验证文件

[root@localhost harveymei]# vi LINUXCACHE_harveymei_LINUXCACHE.ovpn
auth-user-pass account.txt

启动

[root@localhost ~]# openvpn --daemon --cd harveymei/ --config LINUXCACHE_harveymei_LINUXCACHE.ovpn --log-append /var/log/openvpn.log