
1. openvpn-as

1.1 Introduction

OpenVPN website: https://openvpn.net/

OpenVPN sells two commercial VPN products:

  1. OpenVPN Cloud: a hosted VPN service; you connect to VPN infrastructure operated by OpenVPN, and 3 connections are free.
  2. OpenVPN Access Server (openvpn-as for short): a commercial VPN server that adds a web management UI on top of plain openvpn, so the VPN service and its users can be managed visually; 2 concurrent connections are free.

The commercial editions are well documented on the OpenVPN website, but deploying and explaining the free tier gets far less coverage. This article focuses on the free tier. It does not repeat the basic openvpn-as installation, which the official documentation already covers in detail:

  1. Package downloads: https://openvpn.net/download-open-vpn/
  2. Getting started: https://openvpn.net/vpn-server-resources/finishing-configuration-of-access-server/

2. Deployment

2.1 Download

Deployed on Rocky Linux 8 with openvpn-as-2.14 and openvpn-as-bundled-clients-30-1.

bash
wget https://openvpn.net/downloads/openvpn-as-bundled-clients-latest.rpm
wget https://openvpn.net/downloads/openvpn-as-latest-CentOS8.x86_64.rpm

Verify the package signatures (rpm -K <file>.rpm) before installing; these RPMs run as root and are the foundation of the whole VPN.

2.2 Installation

bash
yum install openvpn-as-bundled-clients-30-1.rpm
yum install openvpn-as-2.14.0_b90cb316-1.el8.x86_64.rpm

......
To reconfigure manually, use the /usr/local/openvpn_as/bin/ovpn-init tool.

+++++++++++++++++++++++++++++++++++++++++++++++
Access Server 2.14.0 has been successfully installed in /usr/local/openvpn_as
Configuration log file has been written to /usr/local/openvpn_as/init.log

Access Server Web UIs are available here:
Admin  UI: https://10.103.236.199:943/admin
Client UI: https://10.103.236.199:943/
To login please use the "openvpn" account with "KHWRj3aP9T0E" password.
(password can be changed on Admin UI)
+++++++++++++++++++++++++++++++++++++++++++++++
......

The initial password for the openvpn administrator is printed in clear text and stays in your terminal scrollback: change it on first login, and restrict the Admin UI on port 943 to trusted source addresses rather than leaving it reachable from the Internet.

2.3 Configuration

Reference for the underlying openvpn options: https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html

2.4 Login

image-20240826171406833

2.5 Cracking the connection limit

Connection count before the crack

image-20240826171503682

Starting the crack

❌ Note

Pay very close attention to the openvpn-as-bundled-clients version; if it does not match the server version the crack fails.

Name                 Version
openvpn-as-2.14.x    openvpn-as-bundled-clients-30-1
openvpn-as-2.13.x    openvpn-as-bundled-clients-30
openvpn-as-2.10.x    openvpn-as-bundled-clients-25

For versions below 2.9.0 the target file is /pyovpn/lic/uprop.pyo; for 2.9.0 and later it is /pyovpn/lic/uprop.pyc.

bash
# back up the original egg
cp /usr/local/openvpn_as/lib/python/pyovpn-2.0-py3.11.egg{,.back}

# copy it to a working directory
cp /usr/local/openvpn_as/lib/python/pyovpn-2.0-py3.11.egg /root/openvpn-as

# unpack
[root@Rocky openvpn-as]# unzip -q pyovpn-2.0-py3.11.egg
[root@Rocky openvpn-as]# ls
common  EGG-INFO  pyovpn  pyovpn-2.0-py3.11.egg

[root@Rocky openvpn-as]# cd pyovpn/lic
[root@Rocky lic]# pwd
/root/openvpn-as/pyovpn/lic

# remove the original uprop.pyc
[root@Rocky lic]# rm uprop.pyc
  • Create uprop.py
python
from pyovpn.lic import uprop2
old_figure = None

def new_figure(self, licdict):
    ret = old_figure(self, licdict)
    ret['concurrent_connections'] = 1024
    return ret


for x in dir(uprop2):
    if x[:2] == '__':
        continue
    if x == 'UsageProperties':
        exec('old_figure = uprop2.UsageProperties.figure')
        exec('uprop2.UsageProperties.figure = new_figure')
    exec('%s = uprop2.%s' % (x, x))
  • Recompile uprop.py
bash
# <2.9.0
python2 -O -m compileall uprop.py

# >=2.9.0
python3 -O -m compileall -f uprop.py && mv __pycache__/uprop.*.pyc uprop.pyc
  • Rebuild pyovpn-2.0-py3.11.egg
bash
[root@Rocky openvpn-as]# zip -rq pyovpn-2.0-py3.11.egg ./pyovpn ./EGG-INFO ./common
  • Overwrite the original pyovpn-2.0-py3.11.egg
bash
# stop the openvpnas service
systemctl stop openvpnas

# overwrite the file
cp pyovpn-2.0-py3.11.egg /usr/local/openvpn_as/lib/python/pyovpn-2.0-py3.11.egg
  • After the crack

image-20240827141329398

Reference:

https://openvpn.net/as-docs/release-notes.html#access-server-release-notes

3. Configuration

Almost all configuration is stored in databases, SQLite by default.

References:

https://openvpn.net/as-docs/plugins.html#plugins

https://openvpn.net/as-docs/configuration.html#create-a-new-ca

3.1 Global settings

Allow VPN clients to reach each other

image-20240827182144495

Client-to-client traffic lets one compromised laptop reach every other connected client, so leave this at its default (off) unless clients genuinely need to talk to each other.

3.2 Split tunneling

1. Deploy a DNS server

bash
# install
yum install dnsmasq -y

# create the log directory
mkdir /var/log/dnsmasq

2. Edit the configuration file

bash
no-poll
clear-on-reload
no-negcache

resolv-file=/etc/resolv.dnsmasq.conf
strict-order
server=100.100.2.136
listen-address=10.8.0.1,172.18.0.24,127.0.0.1
addn-hosts=/etc/dnsmasq.hosts
cache-size=1024
bogus-nxdomain=100.100.2.136
log-queries
log-facility=/var/log/dnsmasq/dnsmasq.log
# the stock dnsmasq.conf shows these four as alternatives; one conf-dir line is enough
conf-dir=/etc/dnsmasq.d
conf-dir=/etc/dnsmasq.d,.bak
conf-dir=/etc/dnsmasq.d/,*.conf
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

100.100.2.136 ---> upstream (public) DNS address

10.8.0.1 ---> VPN gateway address (the listener VPN clients use)

172.18.0.24 ---> eth0 address

Two things to check before copying this file. listen-address includes the eth0 address, so every host in the VPC can use this resolver unless port 53 is firewalled; drop 172.18.0.24 unless the VPC really needs it, and add bind-interfaces so dnsmasq binds only the listed addresses instead of 0.0.0.0:53. bogus-nxdomain expects the address that a hijacking upstream returns in place of NXDOMAIN; pointing it at the upstream resolver itself is a misuse and rewrites any answer containing 100.100.2.136 into NXDOMAIN. log-queries writes every client lookup to /var/log/dnsmasq/dnsmasq.log, so keep that directory root-only and rotate it.

3. Configure the host names

bash
[root@iZ0xic7at6gaa3chq9xhy7Z ~]# cat /etc/dnsmasq.hosts
172.18.0.24 bot.freehan.ink

4. Restart the services

bash
# dns
systemctl restart dnsmasq.service

# vpn
systemctl restart openvpnas.service
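The dnsmasq settings in steps 2 and 3 are easy to get subtly wrong, so here is an added example (my own code, not from the article, dnsmasq or OpenVPN) that parses a dnsmasq.conf plus its addn-hosts file and reports the exposure issues discussed above: listeners outside the VPN subnet and loopback, a missing bind-interfaces, bogus-nxdomain pointed at the upstream, query logging, and the host-name overrides in effect. The sample configuration and hosts file are the article's, embedded as constructed strings; the VPN subnet 10.8.0.0/24 is an assumption derived from the 10.8.0.1 gateway address.

```python
"""Audit a dnsmasq split-DNS configuration (added example, not from the article)."""
import ipaddress
from collections import defaultdict

# Constructed sample: the dnsmasq.conf from the steps above (two conf-dir lines kept).
SAMPLE_CONF = """\
no-poll
clear-on-reload
no-negcache

resolv-file=/etc/resolv.dnsmasq.conf
strict-order
server=100.100.2.136
listen-address=10.8.0.1,172.18.0.24,127.0.0.1
addn-hosts=/etc/dnsmasq.hosts
cache-size=1024
bogus-nxdomain=100.100.2.136
log-queries
log-facility=/var/log/dnsmasq/dnsmasq.log
conf-dir=/etc/dnsmasq.d
conf-dir=/etc/dnsmasq.d,.bak
"""

# Constructed sample: the /etc/dnsmasq.hosts from step 3.
SAMPLE_HOSTS = "172.18.0.24 bot.freehan.ink\n"


def parse_conf(text):
    """Return {option: [values]}; options given without '=' map to [None]."""
    opts = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        opts[key.strip()].append(value.strip() if sep else None)
    return opts


def parse_hosts(text):
    """Return {hostname: ip} from an addn-hosts file (hosts(5) format)."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def audit(conf_text, hosts_text, vpn_subnet="10.8.0.0/24"):
    """Return a list of (severity, message) findings for the configuration."""
    opts = parse_conf(conf_text)
    vpn_net = ipaddress.ip_network(vpn_subnet)  # assumed VPN client subnet
    findings = []

    listeners = [a.strip() for v in opts.get("listen-address", [])
                 for a in v.split(",")]
    for addr in listeners:
        ip = ipaddress.ip_address(addr)
        if not (ip.is_loopback or ip in vpn_net):
            findings.append(("high", f"listen-address {ip} is outside the VPN subnet "
                             "and loopback: the whole LAN/VPC can use this resolver "
                             "unless a host firewall limits udp/tcp 53"))
    if listeners and "bind-interfaces" not in opts:
        findings.append(("medium", "bind-interfaces is not set: dnsmasq binds 0.0.0.0:53 "
                         "and only filters by address; set it so the socket itself is "
                         "restricted (and so it can coexist with systemd-resolved)"))
    upstreams = set(opts.get("server", []))
    for bogus in opts.get("bogus-nxdomain", []):
        if bogus in upstreams:
            findings.append(("medium", f"bogus-nxdomain={bogus} names the upstream "
                             "resolver; it should be the address a hijacking resolver "
                             "returns for non-existent names, otherwise every answer "
                             "containing that address is rewritten to NXDOMAIN"))
    if "log-queries" in opts:
        findings.append(("info", "log-queries records every client lookup in "
                         f"{opts.get('log-facility', ['syslog'])[0]}; keep it root-only "
                         "and rotate it"))
    if len(opts.get("conf-dir", [])) > 1:
        findings.append(("info", "conf-dir is given more than once; one line is enough"))
    for name, ip in parse_hosts(hosts_text).items():
        findings.append(("info", f"{name} resolves to {ip} for VPN clients (addn-hosts)"))
    return findings


def severities(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 2, 'info': 3}."""
    counts = defaultdict(int)
    for sev, _msg in findings:
        counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONF, SAMPLE_HOSTS):
        print(f"[{sev}] {msg}")
```

Run it as-is to see the findings for the article's configuration (one high for the eth0 listener, two medium, three informational), or call audit() on the contents of the live /etc/dnsmasq.conf and /etc/dnsmasq.hosts. The VPN subnet is a parameter because the gateway address alone does not fix the prefix length.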

5. VPN server settings

Turn the VPN into a split tunnel, so that only the subnets you list are routed through it and everything else leaves the client through its normal gateway:

  • Log in to the Admin UI (https://server-ip:943/admin)
  • Go to Configuration > VPN Settings
  • Set Should client Internet traffic be routed through the VPN? to No
  • Under Should VPN clients have access to private subnets?, choose Yes and list only the subnets that should be reachable over the VPN

A split tunnel means the client is on the Internet and on your private network at the same time, so it trades some isolation for convenience; keep the subnet list minimal.

image-20240827181546722

5.1 Configure DNS

Go to Configuration > VPN Settings, point the DNS servers pushed to clients at the dnsmasq instance set up above (its VPN-side address), save, and restart the service

image-20240828214220255

6. Verification

User creation is omitted...

Start the VPN client

  • Verify name resolution

image-20240828214455442

  • Open the site in a browser

image-20240828214819992

3.3 Full tunnel

Should client Internet traffic be routed through the VPN? controls whether all client traffic goes through the VPN

image-20240827223019937

Set everything to Yes

With a full tunnel, also make sure clients are pushed a DNS server reachable through the tunnel; otherwise name lookups still leak to the client's local resolver.

3.4 Backup

https://openvpn.net/as-docs/tutorials/tutorial--configuration-backup.html

3.4.1 Single-node configuration files

  • Global server configuration: /usr/local/openvpn_as/etc/db/config.db
  • Server and client certificates: /usr/local/openvpn_as/etc/db/certs.db
  • User and group properties: /usr/local/openvpn_as/etc/db/userprop.db
  • Log database: /usr/local/openvpn_as/etc/db/log.db
  • Debug and low level settings: /usr/local/openvpn_as/etc/as.conf

3.4.2 Cluster configuration files

  • Local server node configuration: /usr/local/openvpn_as/etc/db/config_local.db
  • Cluster configuration: /usr/local/openvpn_as/etc/db/cluster.db
  • Cluster notification system: /usr/local/openvpn_as/etc/db/notification.db
3.4.3 Install the backup tool

bash
# Ubuntu
which apt > /dev/null 2>&1 && apt -y install sqlite3

# CentOS
which yum > /dev/null 2>&1 && yum -y install sqlite
  • Back up the configuration files
bash
cd /usr/local/openvpn_as/etc/db
[ -e config.db ]&&sqlite3 config.db .dump>../../config.db.bak
[ -e certs.db ]&&sqlite3 certs.db .dump>../../certs.db.bak
[ -e userprop.db ]&&sqlite3 userprop.db .dump>../../userprop.db.bak
[ -e log.db ]&&sqlite3 log.db .dump>../../log.db.bak
[ -e config_local.db ]&&sqlite3 config_local.db .dump>../../config_local.db.bak
[ -e cluster.db ]&&sqlite3 cluster.db .dump>../../cluster.db.bak
[ -e notification.db ]&&sqlite3 notification.db .dump>../../notification.db.bak
cp ../as.conf ../../as.conf.bak

The dumps land in /usr/local/openvpn_as/ as plain SQL and contain the PKI (certs.db, including private keys) and the user credentials (userprop.db). Run the loop with umask 077, or chmod 600 the .bak files, and move them off the host encrypted rather than leaving them next to the live databases.
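The shell loop above dumps the databases but never checks that a dump is restorable or that the file is protected. The following is an added example (my own code, not OpenVPN's backup tool) that does the same .dump in Python with the sqlite3 module, restores each dump into an in-memory database to confirm it has the same tables and row counts as the live file, and creates the dump files mode 0600. DB_DIR and OUT_DIR default to the article's paths; demo() builds a throwaway certs.db with a constructed table in a temporary directory, since the real schema is OpenVPN AS's own.

```python
"""Dump and verify Access Server SQLite databases (added example, not OpenVPN's code)."""
import os
import sqlite3
import tempfile
from pathlib import Path

DB_NAMES = ["config.db", "certs.db", "userprop.db", "log.db",
            "config_local.db", "cluster.db", "notification.db"]
DB_DIR = Path("/usr/local/openvpn_as/etc/db")
OUT_DIR = Path("/usr/local/openvpn_as")   # ../../ relative to etc/db, as above


def table_counts(conn):
    """{table: row_count} for every user table in a connection."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0]
            for n in names}


def dump_db(db_path, out_path):
    """Write an SQL dump of db_path to out_path (mode 0600); return (sql, counts)."""
    # Read-only URI: a backup must never be able to modify the live database.
    live = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        sql = "\n".join(live.iterdump()) + "\n"   # same statements as sqlite3 .dump
        expected = table_counts(live)
    finally:
        live.close()
    # Create the file with 0600 before any secret is written to it.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(sql)
    os.chmod(out_path, 0o600)   # also fixes a pre-existing file with a wider mode
    return sql, expected


def verify_dump(sql, expected):
    """Restore the dump into memory and compare tables and row counts."""
    mem = sqlite3.connect(":memory:")
    try:
        mem.executescript(sql)
        return table_counts(mem) == expected
    finally:
        mem.close()


def backup_all(db_dir=DB_DIR, out_dir=OUT_DIR):
    """Dump every database that exists; return {name: verified_ok}."""
    results = {}
    for name in DB_NAMES:
        src = Path(db_dir) / name
        if not src.exists():             # single-node installs lack the cluster dbs
            continue
        sql, expected = dump_db(src, Path(out_dir) / f"{name}.bak")
        results[name] = verify_dump(sql, expected)
    return results


def demo():
    """Back up a throwaway certs.db; returns (results, mode of the dump file)."""
    with tempfile.TemporaryDirectory() as tmp:
        db_dir, out_dir = Path(tmp) / "db", Path(tmp) / "out"
        db_dir.mkdir()
        out_dir.mkdir()
        conn = sqlite3.connect(db_dir / "certs.db")
        # Constructed sample table; the real certs.db schema is OpenVPN AS's own.
        conn.execute("CREATE TABLE certs (cn TEXT, cert TEXT)")
        conn.executemany("INSERT INTO certs VALUES (?, ?)",
                         [("openvpn", "-----BEGIN CERTIFICATE-----..."),
                          ("newuser", "-----BEGIN CERTIFICATE-----...")])
        conn.commit()
        conn.close()
        results = backup_all(db_dir, out_dir)
        mode = (out_dir / "certs.db.bak").stat().st_mode & 0o777
        return results, mode


if __name__ == "__main__":
    print(demo())
```

On a real server run backup_all() as root with the defaults; a False in the result means the dump did not restore to the same tables and row counts and should not be trusted. Restoring a dump with sqlite3 must still be done with openvpnas stopped.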

3.5 Login page branding

as.conf is read at start-up, so restart the service (systemctl restart openvpnas) after each change.

bash
vim as.conf
sa.company_name = HOO Inc
  • Result

image-20240829145658396

bash
sa.logo_image_file = /usr/local/openvpn_as/companylogo.png

Image requirements

A PNG with a transparent background, 340 px wide and 50-300 px high

3.6 Hide the footer

image-20240829145924551

bash
vim as.conf
cs.footer=hide
  • Result

image-20240829150026984

4. User management

sacli lives in /usr/local/openvpn_as/scripts; the commands below are run from that directory.

4.0 Show a user's properties

bash
[root@Rocky scripts]# ./sacli --user "openvpn" UserPropGet

4.1 Create a user

bash
[root@Rocky scripts]# ./sacli --user "newuser" --new_pass "password123" SetLocalPassword

The password is passed on the command line, so it lands in the shell history and is briefly visible to other local users through ps; prefix the command with a space (with HISTCONTROL=ignorespace) or set the password from the Admin UI instead.

  • Grant permissions
bash
./sacli --user "newuser" --key "prop_superuser" --value "true" UserPropPut

prop_superuser makes the account a full administrator of the Admin UI and of sacli itself; leave it unset for ordinary VPN users.

  • Configure authentication
bash
# use local authentication for this user
[root@Rocky scripts]# ./sacli --user "newuser" --key "user_auth_type" --value "local" UserPropPut

  • Apply the configuration and restart OpenVPN Access Server
bash
[root@Rocky scripts]# ./sacli start
4.2 Delete a user

UserPropDel removes a single property and therefore needs --key (the error below is what that attempt produces); the command that removes the whole account is UserPropDelAll. Deleting the properties does not revoke a certificate already issued to the user, so revoke it as well under User Management > Revoke Certificates in the Admin UI.

bash
[root@Rocky scripts]# ./sacli --user "newuser" UserPropDel
UserPropPut requires --key to be specified

[root@Rocky scripts]# ./sacli --user "newuser" UserPropDelAll
[root@Rocky scripts]# ./sacli start

4.3 Query users

  • Query a specific user; without --pfilt all users are listed
bash
[root@Rocky scripts]# ./sacli --pfilt "openvpn" UserPropGet
4.4 Reset a user's password

bash
# check the user's properties
./sacli --user "openvpn" UserPropGet

# switch the user to local authentication
[root@Rocky scripts]# ./sacli --user "openvpn" --key "user_auth_type" --value "local" UserPropPut

[True, {}]

# reset the password
[root@Rocky scripts]# ./sacli --user "openvpn" --new_pass "123456" SetLocalPassword

4.5 Allow multiple concurrent sessions per user

bash
/usr/local/openvpn_as/scripts/sacli --key "vpn.server.user.allow_multiple_sessions" --value "true" ConfigPut

/usr/local/openvpn_as/scripts/sacli start

Every session still counts against the licensed concurrent connections, and an account used from several devices at once makes it harder to attribute log entries to a person.
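After a few rounds of UserPropPut it is easy to lose track of which accounts carry prop_superuser or prop_autologin. Here is an added example (my own code, not part of the article or of OpenVPN AS) that reads the JSON printed by sacli UserPropGet (a dict of username to property dict, values stored as strings) and reports accounts that need attention: unexpected superusers, autologin profiles, and denied users whose records were left behind. The sample data is constructed to mirror the properties used in this section; the exact key set a real installation returns is an assumption.

```python
"""Audit Access Server user properties (added example, not OpenVPN's code)."""
import json
import sys

# Constructed sample in the shape UserPropGet prints (property values are strings).
SAMPLE = json.dumps({
    "openvpn": {"type": "user_compile", "prop_superuser": "true",
                "user_auth_type": "local"},
    "newuser": {"type": "user_connect", "prop_superuser": "true",
                "user_auth_type": "local"},
    "kiosk":   {"type": "user_connect", "prop_autologin": "true"},
    "old":     {"type": "user_connect", "prop_deny": "true",
                "prop_superuser": "true"},
    "__DEFAULT__": {"type": "group", "prop_autologin": "false"},
})


def is_true(props, key):
    """AS stores booleans as the strings 'true'/'false'."""
    return str(props.get(key, "false")).lower() == "true"


def audit_users(userprop_json, expected_admins=("openvpn",)):
    """Return {username: [finding, ...]} for accounts that need attention."""
    users = json.loads(userprop_json)
    report = {}
    for name, props in users.items():
        if props.get("type") == "group":
            continue                          # group records are not logins
        issues = []
        if is_true(props, "prop_superuser") and name not in expected_admins:
            issues.append("prop_superuser=true: full Admin UI and sacli rights")
        if is_true(props, "prop_autologin"):
            issues.append("prop_autologin=true: the .ovpn file alone grants access; "
                          "treat the profile as a credential")
        if is_true(props, "prop_deny") and is_true(props, "prop_superuser"):
            issues.append("denied user still carries prop_superuser; clear it")
        if is_true(props, "prop_deny"):
            issues.append("prop_deny=true: prefer UserPropDelAll plus certificate "
                          "revocation over leaving the record in place")
        if issues:
            report[name] = issues
    return report


def admins(userprop_json):
    """Sorted usernames with prop_superuser=true (group records excluded)."""
    users = json.loads(userprop_json)
    return sorted(n for n, p in users.items()
                  if p.get("type") != "group" and is_true(p, "prop_superuser"))


if __name__ == "__main__":
    # Pipe live data in:  ./sacli UserPropGet | python3 audit_users.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("admins:", ", ".join(admins(data)))
    for user, issues in audit_users(data).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Pass the administrator accounts you actually expect in expected_admins; anything else with prop_superuser is reported, which catches the habit of granting it while testing and forgetting to remove it.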

5. Web interface

5.1 User management

5.1.1 Reset a password

Log in to the OpenVPN Access Server Admin UI (normally https://<server-ip>:943/admin).

In the left navigation, click User Permissions.

Find the user whose password you want to reset and click Edit.

On the user's settings page there is a Set Password field; enter the new password there.

Save the changes.

5.1.2 Create a user

Log in to the Admin UI with an administrator account, normally at https://<server-ip>:943/admin

In the left menu, click User Permissions

At the top of the page click Add User and fill in the new user's username and password.

On the permissions page you can set per-user permissions, such as whether VPN access is allowed and whether the account is an administrator.

Click Save to create the user

5.1.3 Query users

Open the Admin UI in a browser: https://<server-ip>:943/admin

Click the User Permissions menu to see every user together with their access and permission status.

To inspect one user, click the username on the User Permissions page to see that user's details and settings.

6. Client download

6.1 Windows

Open https://ip:943 directly

image-20240827225555195

6.2 macOS

Open https://ip:943 directly

7. Production split-tunnel example

7.1 Configuration

7.1.1 Network Settings

image-20240829172259381

image-20240829172502090

image-20240829172600576

image-20240829172846660

❌ Note

Click Save Settings, then restart the service

7.1.2 VPN Settings

  • Client IP address assignment

image-20240829173130527

  • Routing

image-20240829173345635

❌ Note

Leave the following unchanged

image-20240829173707094

Further reference: https://openvpn.net/as-docs/configuration.html#create-a-new-ca

7.2 User Management

7.2.1 User Permissions

  • Create a user

image-20240829173906896

image-20240829174154503

❌ Note

Change only these two settings and leave the rest at their defaults; click Save and restart the service

7.2.2 User Profiles (the .ovpn file)

image-20240829181011867

image-20240829181058499

7.3 DNS settings

7.3.1 Configuration

Change only these three settings and leave the rest at their defaults

image-20240829174955974

7.3.2 Deploy the DNS server

1. Install

bash
# CentOS family
yum install -y dnsmasq

# create the log directory
mkdir /var/log/dnsmasq/

2. Configure

bash
# back up the original file
cp /etc/dnsmasq.conf{,.back}

# the file after editing
cat /etc/dnsmasq.conf

no-poll
clear-on-reload
no-negcache

resolv-file=/etc/resolv.dnsmasq.conf
strict-order
server=114.114.114.114
listen-address=10.8.0.1,127.0.0.1,172.18.0.24
addn-hosts=/etc/dnsmasq.hosts
cache-size=1024
bogus-nxdomain=114.114.114.114
log-queries
log-facility=/var/log/dnsmasq/dnsmasq.log
# the stock dnsmasq.conf shows these four as alternatives; one conf-dir line is enough
conf-dir=/etc/dnsmasq.d
conf-dir=/etc/dnsmasq.d,.bak
conf-dir=/etc/dnsmasq.d/,*.conf
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

114.114.114.114 ---> upstream (public) DNS address

10.8.0.1 ---> VPN gateway address

172.18.0.24 ---> eth0 address

The same caveats as for the dnsmasq configuration in the split tunneling section apply here: the eth0 listener exposes the resolver to the whole VPC unless port 53 is firewalled, and bogus-nxdomain should not be set to the upstream resolver's address.

3. Restart all services

bash
systemctl restart dnsmasq.service
systemctl restart openvpnas.service

4. Configure the hosts file

dnsmasq reads addn-hosts at start-up, so write this file before the restart in step 3, or send the running dnsmasq a SIGHUP afterwards to make it re-read the file.

bash
[root@xxx ~]# cat /etc/dnsmasq.hosts
47.92.165.146 log.freehan.ink
172.18.0.24 bot.freehan.ink

47.92.165.146 ---> host outside this VPC

172.18.0.24 ---> host inside the same VPC

7.4 Client installation

Download the client for your platform from

https://ip:11943

(the client UI port used in this deployment; the default is 943)

Log in with the user created earlier

image-20240829180446043

image-20240829180614720

Installation steps omitted...

7.4.1 Import the .ovpn file

image-20240829181227028

7.4.2 Connect

image-20240829181319240

image-20240829181537813

This means the connection came up successfully

7.4.3 Verification

  • VPN off

Host outside the VPC

image-20240829181646192

Host inside the same VPC

image-20240829181854176

  • VPN on

image-20240829181725826

image-20240829182034442

References:

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html#tunnel-settings

https://openvpn.net/as-docs/configuration.html##