"Building a VPN server on a VPS for unrestricted Internet access, in detail" (how to set up a VPN server on a VPS)
In today's information age the Internet has become indispensable. Yet in some regions network restrictions are severe and certain domestic or foreign sites cannot be reached at all, and on public Wi-Fi the security of the connection itself is something we have to worry about. A virtual private network (VPN) is one good way to deal with both problems.
A VPN lets us use the Internet from any network environment with the traffic between our device and the VPN server encrypted, so whoever runs the local network cannot read or tamper with it (the VPS provider, of course, still sees what leaves the server). Here we describe how to use a VPS (Virtual Private Server) to build our own VPN server and get unrestricted access.
1. Buy a VPS
We first need a VPS. A VPS located abroad is recommended: domestic VPS providers are routinely subject to regulation and censorship. Small hosting companies are also prone to going out of business, which can mean lost data and lost money, so a large, well-known provider offers better stability. Mainstream providers include Vultr, DigitalOcean, Linode and AWS; here we use Vultr as the example.
Register a Vultr account, log in, click the "+" button in the top right corner of the window and choose "Deploy a New Server" to create a VPS.
![](https://cdn.temporaryfile.com/pic/2f7d1efa3732dd8f83c978e94133d879.png)
Then choose the VPS size, operating system and region according to your needs. As shown below, we pick CentOS 7 and a server in New York. Click "Deploy Now" and after a few minutes the server has been created.
![](https://cdn.temporaryfile.com/pic/4df9fad4e85b63f0957fbb81b03f69b5.png)
Once it has been created, click the server name to see its details and configuration.
![](https://cdn.temporaryfile.com/pic/cd538682f51a2bb8c61794e74d81d713.png)
Here we get the server's IP address; the login account is root. We will use these to build the VPN server. Since the root password is visible in the control panel and the box is now reachable from the whole Internet, the first thing to do after logging in over SSH is to switch to key-based authentication and disable password login for root; a password-protected root account on a public IP is the most common way a VPS gets taken over.
2. Install OpenVPN
Next we install the OpenVPN software on the VPS. OpenVPN is an open-source VPN solution; the following steps use it to build the VPN server.
Install it with yum. On CentOS 7 the openvpn package is not in the base repositories but in EPEL, so that repository has to be enabled first:
`yum -y install epel-release`
`yum -y install openvpn`
After installation we need the Easy-RSA tool. Easy-RSA is a small PKI (public key infrastructure) management tool that creates and manages the X.509 certificates OpenVPN uses for mutual authentication between server and clients. The archive is fetched from the project's GitHub release page; newer 3.x releases work the same way.
`wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-3.0.6.tgz`
Unpack the downloaded archive
`tar xvfz EasyRSA-3.0.6.tgz`
Enter the EasyRSA-3.0.6 directory
`cd EasyRSA-3.0.6/`
Initialise the PKI (this creates the pki/ directory that all later commands write into)
`./easyrsa init-pki`
Create the CA root certificate. Set a passphrase on the CA key: anyone holding ca.key can issue certificates the server will accept, so it is the best-protected secret in this whole setup.
```bash
[root@vps ~]# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase: # set a passphrase here, for safety
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
.......................................................+++
...................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN # country or region, required
State or Province Name (full name) [CA]:GD # state or province, required
Locality Name (eg, city) [SanFrancisco]:GZ # city, required
Organization Name (eg, company) [Fort-Funston]:EXAMPLE # company or organisation, required
Organizational Unit Name (eg, section) []:EXAMPLE # department or group, optional
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:MyVPN # common name, required
Name []: # name or other, optional
Email Address []:example@example.com # e-mail, optional
Note: current (pre-release) versions of Easy RSA, defaults to creating a unified cert.
You can use it as a CA cert and for server certs, but some OpenVPN clients may not support this
and will fail to establish a connection.
Do you wish to continue with the generation of a unified cert? [yes]:yes
```
Create the server key and certificate request. `nopass` leaves the server key without a passphrase so the daemon can start unattended; rely on file permissions (readable by root only) to protect it instead.
```bash
[root@vps ~]# ./easyrsa gen-req server nopass
Generating a 2048 bit RSA private key
..............................................................+++
.......................................................+++
writing new private key to '/root/EasyRSA-3.0.6/pki/private/server.key.i4KjYJKQdf'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [EXAMPLE]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vps.example.com # enter your VPS's domain name; clients can pin this name with verify-x509-name
Name []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Sign the server request with the CA (type yes to confirm). Easy-RSA points out that the request has not been verified cryptographically; here request and CA live on the same machine, so that is fine, but when a request arrives from elsewhere compare its checksum with the sender before signing.
```bash
[root@vps ~]# ./easyrsa sign-req server server
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
countryName = CN
stateOrProvinceName = GD
localityName = GZ
organizationName = EXAMPLE
commonName = vps.example.com
emailAddress =
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /root/EasyRSA-3.0.6/pki/easy-rsa-90372.tmp
Enter pass phrase for /root/EasyRSA-3.0.6/pki/private/ca.key: # the CA key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'GZ'
organizationName :PRINTABLE:'EXAMPLE'
commonName :PRINTABLE:'vps.example.com'
Certificate is to be certified until Jan 23 08:48:50 2023 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/EasyRSA-3.0.6/pki/issued/server.crt
```
Create the client key and certificate request
```bash
[root@vps ~]# ./easyrsa gen-req client nopass # 'client' is only the name of this client; use a distinct name per device so that one can be revoked without touching the others
Generating a 2048 bit RSA private key
.......................................+++
.......................................................+++
writing new private key to '/root/EasyRSA-3.0.6/pki/private/client.key.2qy3qg5C5b'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:US
State or Province Name (full name) [GD]:CA
Locality Name (eg, city) [GZ]:SF
Organization Name (eg, company) [EXAMPLE]:EXAMPLE
Organizational Unit Name (eg, section) []:EXAMPLE
Common Name (eg, your name or your server's hostname) []:client
Name []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # leave empty, just press Enter
An optional company name []: # leave empty, just press Enter
```
Sign the client request with the CA
```bash
[root@vps ~]# ./easyrsa sign-req client client
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
countryName = US
stateOrProvinceName = CA
localityName = SF
organizationName = EXAMPLE
organizationalUnitName = EXAMPLE
commonName = client
emailAddress =
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /root/EasyRSA-3.0.6/pki/easy-rsa-10596.tmp
Enter pass phrase for /root/EasyRSA-3.0.6/pki/private/ca.key: # the CA key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SF'
organizationName :PRINTABLE:'EXAMPLE'
organizationalUnitName:PRINTABLE:'EXAMPLE'
commonName :PRINTABLE:'client'
Certificate is to be certified until Jan 23 09:02:06 2023 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/EasyRSA-3.0.6/pki/issued/client.crt
```
All the certificates are now issued. Two more files that the server configuration below expects are not produced by the steps above: the Diffie-Hellman parameters (`./easyrsa gen-dh`, which writes pki/dh.pem) and, if tls-auth is enabled, the shared HMAC key (`openvpn --genkey --secret ta.key`). Generate them now, then put everything OpenVPN needs into place on the server.
3. Configure OpenVPN
The issued certificates are in EasyRSA-3.0.6/pki/issued, the private keys in pki/private and the CA certificate at pki/ca.crt. They have to be placed where the OpenVPN daemon reads them, and then the server configuration file written.
If the PKI was built on a machine other than the VPS (the better arrangement, since ca.key then never sits on the Internet-facing server), scp is used to copy the server's files across.
The client profiles are generated from a base template. The template is taken from the openvpn package's sample files, so these commands run on the machine where openvpn is installed, not on the client:
```bash
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf ~/client-configs/base.conf
```
Edit ~/client-configs/base.conf: change the sample's `remote my-server-1 1194` and `proto udp` lines to our server's address, port and protocol (several `remote` lines would be tried in turn, so the old one must go rather than just adding a new one), then append the following to the end of the file:
```
# The sample's "remote my-server-1 1194" and "proto udp" lines earlier
# in this file must be changed to the server's address, port and
# protocol, e.g. "remote vps.example.com 443" and "proto tcp".
# Send all traffic through the VPN (the server pushes this as well;
# stating it on both sides is harmless).
redirect-gateway def1
# This end is the TLS client.
tls-client
# Data-channel cipher and HMAC: must match server.conf. The sample file
# sets cipher AES-256-CBC earlier; this later line overrides it.
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
# Require the server certificate to carry the server key usage/EKU
# (Easy-RSA sets it for requests signed as "server"). Without this,
# any client certificate from our CA could impersonate the server.
# nsCertType is the deprecated way of expressing the same check.
remote-cert-tls server
# In addition, pin the Common Name entered for the server request.
verify-x509-name vps.example.com name
# If tls-auth is enabled on the server, every client needs ta.key too,
# with direction 1 on the client side. Either reference the file:
;tls-auth ta.key 1
# ... or embed it. OpenVPN reads inline <tag> blocks from the profile,
# which is what makes a single-file .ovpn possible; with an inline key
# the direction is given separately by key-direction.
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
dd0d1095308c28089aa515c19af32984
...
2f9aaa1ccaa1411cc9797e002d31009e
-----END OpenVPN Static key V1-----
</tls-auth>
# client-to-client is a server-side option (it lets VPN clients reach
# each other); it has no effect in a client profile.
```
The essential point is the `remote` line: whatever host name the template carries (cluster-01.example.com in some versions of this text, my-server-1 in the stock sample file) must be replaced with our own server's IP address or domain name. Then the client's certificate, private key and, where used, ta.key go into ~/client-configs/files. If the PKI lives on a separate machine, the server's own material is copied across with scp. Note the paths: Easy-RSA keeps issued certificates under pki/issued and private keys under pki/private, and ca.key stays where it is; it is never copied to the server. Do not drop the keys into /tmp, which any local user can read.
```bash
cd ~/EasyRSA-3.0.6/pki/
# dh.pem comes from ./easyrsa gen-dh, ta.key from openvpn --genkey --secret ta.key; ca.key stays here
scp ca.crt issued/server.crt private/server.key dh.pem ta.key root@192.0.2.5:/etc/openvpn/server/
ssh root@192.0.2.5 'chmod 600 /etc/openvpn/server/server.key /etc/openvpn/server/ta.key'
```
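Assembling the client profile from these pieces by hand is error-prone: the wrong file under the wrong tag, the human-readable dump that Easy-RSA writes above the PEM in pki/issued/*.crt pasted in, a forgotten key-direction. The following Python script is an added example, not part of the original tutorial or of OpenVPN or Easy-RSA; it builds a single-file .ovpn from base.conf plus ca.crt, client.crt, client.key and ta.key, replacing the file-based directives with inline blocks and refusing to silently drop tls-auth when no key is supplied. The file names and the vps.example.com address are the ones used in this tutorial; the PEM bodies embedded at the bottom are constructed placeholders so the script runs offline.

```python
"""Build a single-file OpenVPN client profile (.ovpn) from its parts.

Added example for this tutorial; not part of OpenVPN or Easy-RSA.
Usage: python3 mkovpn.py base.conf ca.crt client.crt client.key [ta.key] > client.ovpn
Run without arguments it uses the constructed sample material below.
"""
import re
import sys
from pathlib import Path

# One PEM block; the label of the BEGIN line must be repeated in the END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)

# Directives that refer to files on disk; the inline <tag> blocks replace them.
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt", "key-direction"}


def extract_pem(text, label):
    """Return the first PEM block whose label ends with `label`.

    Easy-RSA's pki/issued/*.crt starts with a human-readable dump of the
    certificate; only the PEM part belongs in the profile.  Asking for
    "PRIVATE KEY" matches both "PRIVATE KEY" and "RSA PRIVATE KEY".
    """
    for m in PEM_RE.finditer(text):
        if m.group(1).endswith(label):
            return m.group(0)
    raise ValueError(f"no {label!r} block found")


def build_ovpn(base_conf, ca, cert, key, ta_key=None, key_direction=1):
    """Return the unified profile text.

    File-based directives from base.conf are dropped and re-added as
    inline blocks; everything else (remote, cipher, verify-x509-name, ...)
    is kept as written.  With a tls-auth key the client must use
    key-direction 1 (the server uses 0).
    """
    out, has_remote, needs_ta = [], False, False
    for raw in base_conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok and tok[0] == "remote":
            has_remote = True
        if tok and tok[0] in ("tls-auth", "tls-crypt"):
            needs_ta = True
        if tok and tok[0] in FILE_DIRECTIVES:
            continue
        out.append(raw.rstrip())
    if not has_remote:
        raise ValueError("base config has no 'remote' directive; the client would not know where to connect")
    if needs_ta and ta_key is None:
        raise ValueError("base config uses tls-auth/tls-crypt but no ta.key was supplied")
    blocks = [("ca", extract_pem(ca, "CERTIFICATE")),
              ("cert", extract_pem(cert, "CERTIFICATE")),
              ("key", extract_pem(key, "PRIVATE KEY"))]
    if ta_key is not None:
        out.append(f"key-direction {key_direction}")
        blocks.append(("tls-auth", extract_pem(ta_key, "OpenVPN Static key V1")))
    for tag, pem in blocks:
        out += [f"<{tag}>", pem, f"</{tag}>"]
    return "\n".join(out) + "\n"


# --- constructed sample inputs (placeholders, not real key material) ---
SAMPLE_BASE = """\
client
dev tun
proto tcp
remote vps.example.com 443
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vps.example.com name
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
verb 3
"""
CA_CRT = "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
CLIENT_CRT = """Certificate:
    Data:
        Subject: CN=client
-----BEGIN CERTIFICATE-----
Y2xpZW50IHBsYWNlaG9sZGVy
-----END CERTIFICATE-----
"""
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\na2V5IHBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----\n"
TA_KEY = """#
# 2048 bit OpenVPN static key (placeholder: a real one has 16 hex lines)
#
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
"""

if __name__ == "__main__":
    if len(sys.argv) >= 5:
        parts = [Path(p).read_text() for p in sys.argv[1:6]]
        sys.stdout.write(build_ovpn(*parts))
    else:
        sys.stdout.write(build_ovpn(SAMPLE_BASE, CA_CRT, CLIENT_CRT, CLIENT_KEY, TA_KEY))
```

Give the resulting file to each device (over a channel you trust, since it contains that device's private key) and delete the copy on the server once it has been delivered.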
On the server, create the configuration file server.conf under /etc/openvpn/ (back up any existing file before editing it).
Be sure to adapt at least the following to your own setup before finishing:
- `ca /etc/openvpn/server/ca.crt`: the CA certificate
- `cert /etc/openvpn/server/server.crt`: the VPN server certificate
- `key /etc/openvpn/server/server.key`: the VPN server private key
- `dh /etc/openvpn/server/dh.pem`: the Diffie-Hellman parameters file
- `server 10.8.0.0 255.255.255.0`: the subnet from which client VPN addresses are assigned
- `push "redirect-gateway def1 bypass-dhcp"`: route the clients' Internet traffic through the VPN server
- `push "dhcp-option DNS 208.67.222.222"`: the DNS resolver the client uses while connected (pick one you trust; the file below uses Google's)
```conf
;local a.b.c.d
port 443
proto tcp
;proto udp
;dev tap
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem
# Pool from which each client gets its virtual IP. Stay away from
# 192.168.0.0/24 and similar ranges: a client sitting behind a home
# router that uses the same range ends up with conflicting routes.
server 10.8.0.0 255.255.255.0
;server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Leave disabled unless clients really must reach each other; for a
# personal gateway they should not be able to.
;client-to-client
# Leave disabled: one certificate per device, so a lost one can be revoked.
;duplicate-cn
keepalive 10 120
tls-version-min 1.2
# The suite must match the certificate's key type. Easy-RSA issues RSA
# keys by default, so an ECDSA-only suite makes every handshake fail.
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-cert-profile preferred
cipher AES-256-GCM
auth SHA512
# HMAC-sign the control channel: packets without a valid HMAC are
# dropped before any TLS processing, which hides the port from scanners
# and removes the pre-authentication attack surface. Key generated with
# "openvpn --genkey --secret ta.key"; direction 0 here, 1 on the clients.
tls-auth /etc/openvpn/server/ta.key 0 # This file is secret
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
# Only valid with proto udp; with proto tcp OpenVPN refuses to start.
;explicit-exit-notify 1
# Per-client overrides live here (create the directory, even if empty).
client-config-dir /etc/openvpn/clientconfig
topology subnet
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
# keepalive above already pushes ping/ping-restart to the clients.
```
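Several of these settings are easy to get wrong in ways that OpenVPN only reports at start-up or, worse, silently weakens: a cipher suite that does not match the certificate's key type, explicit-exit-notify under TCP, the control channel left without tls-auth, an address pool that collides with home LANs. The following Python script is an added example, not part of the original tutorial or of OpenVPN; it parses a server.conf with OpenVPN's comment rules and flags those problems. The two embedded configurations are constructed: WEAK_CONF combines the mistakes discussed in this section, HARDENED_CONF is the corrected set.

```python
"""Audit an OpenVPN server.conf for the mistakes discussed in this section.

Added example; not part of the original tutorial or of OpenVPN.  The
checks encode documented OpenVPN 2.4/2.5 behaviour; the configurations
at the bottom are constructed for demonstration.
Usage: python3 audit_ovpn.py /etc/openvpn/server.conf
"""
import ipaddress
import sys


def parse_conf(text):
    """Map each active directive to the list of its argument lists.

    OpenVPN treats ';' and '#' as comment leaders, and a directive may
    appear more than once (push, for example), hence the list.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_server_conf(text):
    """Return (severity, directive, message) tuples; an empty list means clean."""
    d = parse_conf(text)

    def first(name):
        return d[name][0] if name in d else None

    findings = []
    proto = (first("proto") or ["udp"])[0].lower()
    if "explicit-exit-notify" in d and proto.startswith("tcp"):
        findings.append(("error", "explicit-exit-notify",
                         "only valid with proto udp; openvpn refuses to start"))
    suites = first("tls-cipher")
    if suites and all("RSA" not in s for s in suites[0].split(":")):
        findings.append(("error", "tls-cipher",
                         "no RSA suite allowed, but Easy-RSA issues RSA keys by default; "
                         "every TLS handshake would fail"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & d.keys()):
        findings.append(("warn", "tls-auth",
                         "control channel not HMAC-protected; port is probeable and "
                         "pre-authentication TLS code is exposed"))
    cipher = first("cipher")
    if cipher and cipher[0].upper().endswith("-CBC"):
        findings.append(("warn", "cipher", "CBC mode; prefer an AEAD cipher (AES-256-GCM)"))
    ver = first("tls-version-min")
    if not ver or float(ver[0]) < 1.2:
        findings.append(("warn", "tls-version-min", "set 1.2 or higher"))
    auth = first("auth")
    if not auth or auth[0].upper() in {"MD5", "SHA", "SHA1"}:
        findings.append(("warn", "auth", "HMAC defaults to SHA1; use SHA256 or SHA512"))
    for name in ("user", "group"):
        if name not in d:
            findings.append(("warn", name, "daemon keeps root privileges after start"))
    pool = first("server")
    if pool and len(pool) >= 2:
        net = ipaddress.ip_network(f"{pool[0]}/{pool[1]}", strict=False)
        if net.subnet_of(ipaddress.ip_network("192.168.0.0/16")):
            findings.append(("warn", "server",
                             f"{net} overlaps common home LANs; clients behind such "
                             "routers get conflicting routes"))
    if "duplicate-cn" in d:
        findings.append(("warn", "duplicate-cn",
                         "one certificate shared by many clients; revocation loses meaning"))
    return findings


# --- constructed sample configurations ---
WEAK_CONF = """\
port 443
proto tcp
dev tun
server 192.168.0.0 255.255.255.0
keepalive 10 120
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA512
;tls-auth ta.key 0
user nobody
group nobody
explicit-exit-notify 1
"""
HARDENED_CONF = """\
port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA512
tls-auth ta.key 0
user nobody
group nobody
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for sev, directive, msg in audit_server_conf(text):
        print(f"{sev:5} {directive}: {msg}")
```

The two "error" findings are conditions under which the daemon either will not start or no client can ever complete a handshake; the "warn" ones are choices that work but leave the server more exposed than it needs to be.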
Now we can start OpenVPN, but first the firewall rules. By default OpenVPN listens on UDP port 1194, which many network administrators block; that is why server.conf above uses TCP port 443, a port in constant use for HTTPS and therefore very likely to be allowed through. The price is that tunnelling TCP inside TCP performs worse than UDP, so where UDP 1194 is not blocked it remains the better choice.
Open TCP port 443 for OpenVPN with firewalld:
```bash
firewall-cmd --
```