vps系统是debian vps先更改时区dpkg-reconfigure tzdata
1 安装软件 apt-get update&&apt-get dist-upgrade
&&apt-get install openvpn squid3
2 用easy-rsa生成服务端证书
cp -r /usr/share/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
source vars
./clean-all
./build-ca
3 生成服务器证书和密钥
./build-key-server server #server服务器名称
期间也会提示输入一些信息,直接回车默认,选择[Y/n]的都选Y。
4 生成客户端证书和密钥:(client为客户端名字可以自定义,注意这里的客户端名字不能与上步的服务端名字相同)
./build-key client
期间也会提示输入一些信息,直接回车默认,选择[Y/n]的都选Y。 若要生成多个客户端的证书和密钥,将client改成另外的名字重复操作即可。所有生成的证书和密钥存都放在/etc/openvpn/easy-rsa/2.0/keys/下面。
5 生成Diffie Hellman参数:
./build-dh
把2 3 生成的文件复制到 /etc/openvpn下
cd /etc/openvpn/easy-rsa/keys/
cp ca.crt dh2048.pem server.crt server.key /etc/openvpn/
7 配置openvpn 服务器
将/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz文件复制到/etc/openvpn目录,并解压
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
# gzip -d /etc/openvpn/server.conf.gz
修改 /etc/openvpn/server.conf 文件
local ip
dh dh2048.pem
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
duplicate-cn
cipher AES-128-CBC
log-append openvpn.log
auth-nocache
8 修改 /etc/sysctl.conf内容为
net.ipv4.ip_forward=1 运行sysctl -p 启动
8 设置IP转发
若Xen或KVM的请输入:(eth0要根据具体的网卡标示来,可以通过ifconfig查看)
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
若OpenVZ的请输入:(11.22.33.44是你VPS的IP)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x # x.x.x.x为服务器IP
应对GFW封锁,我们要忽略RST包
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
为防止重启后转发丢失,把代码写进 /etc/rc.local中
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
iptables -t filter -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
/etc/init.d/dnsmasq restart
exit 0
9 配置openvpn客户端文件
mkdir /home/openvpn-client
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /home/openvpn-client/client.ovpn
cd /etc/openvpn/easy-rsa/keys/
cp -r ./ca.crt client.key client.crt /home/openvpn-client/
cd /home/openvpn-client/
将密钥文件添加到client.ovpn里
echo "" >> client.ovpn
echo "
cat ca.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE" >> client.ovpn
echo "
" >> client.ovpnecho "
cat client.crt | grep -A 100 "BEGIN CERTIFICATE" | grep -B 100 "END CERTIFICATE" >> client.ovpn
echo "
" >> client.ovpnecho "
cat client.key | grep -A 100 "BEGIN PRIVATE KEY" | grep -B 100 "END PRIVATE KEY" >> client.ovpn
echo "
" >> client.ovpn
以下是cmcc 免流代码
mssfix 1400
auth-nocache
http-proxy 服务器IP 8080
http-proxy-retry
http-proxy-timeout 1
http-proxy-option EXT1 "GET http://rd.go.10086.cn"
http-proxy-option EXT1 "POST http://rd.go.10086.cn"
http-proxy-option EXT1 "X-Online-Host: rd.go.10086.cn"
http-proxy-option EXT1 "Host: rd.go.10086.cn"
http-proxy-option AGENT "Iphone 9x"
;script-security 3 system
;route-up "net stop dnscache"
;route-up "net start dnscache"
;route-up "ipconfig /flushdns"
;route-up "ipconfig /registerdns"
ns-cert-type server # 要求客户端证书 nsCertType 为 server
remote-cert-tls server # 检查客户端证书 key usage 和 extended key usage
您能浏览我的网站,能让我高兴一整天!
没有评论:
发表评论
您能评论我的帖子,能让我高兴一整天!