Setting up a VPN server on a VPS in detail, for unrestricted internet access (how to build a VPN server on a VPS)

In today's information age the internet has become an indispensable part of daily life. In some regions, however, network restrictions are strict and certain domestic and foreign sites cannot be reached at all. On public Wi-Fi, network security is another concern we cannot ignore. In such cases a virtual private network (VPN) is a good way to address both problems.

A VPN lets us use the internet safely from any network and protects our privacy. Here we explain how to use a VPS (Virtual Private Server) to build a VPN server and get unrestricted internet access.

1. Buy a VPS

First we need a VPS. A VPS located outside China is recommended, since domestic VPS providers are often subject to regulation and censorship. Small hosting companies that are poorly run can also go under easily, which may mean data loss and financial loss, so choose a large, well-known provider for better stability. Mainstream providers include Vultr, DigitalOcean, Linode and AWS; here we use Vultr as the example.

Register a Vultr account, log in, click the "+" button in the top-right corner of the window to create a VPS, and choose "Deploy a New Server".

![](https://cdn.temporaryfile.com/pic/2f7d1efa3732dd8f83c978e94133d879.png)

Then choose the VPS specification, operating system and region according to your needs. As shown below, we choose CentOS 7 and a server in New York. When done, click "Deploy Now" and wait a few minutes; the server is then created.

![](https://cdn.temporaryfile.com/pic/4df9fad4e85b63f0957fbb81b03f69b5.png)

Once it is created, click the server name to view its details and configuration.

![](https://cdn.temporaryfile.com/pic/cd538682f51a2bb8c61794e74d81d713.png)

Here we obtain the server's IP address; the login account is root. We will use this information later when building the VPN server.

2. Install OpenVPN

Next we install the OpenVPN software on the VPS. OpenVPN is an open-source VPN solution, and in the following steps we use it to build the VPN server.

Install OpenVPN with yum by running the following command on the VPS (on CentOS 7 the package comes from the EPEL repository, so enable that repository first if yum cannot find it):

`yum -y install openvpn`

Once installed, download the Easy-RSA tool. Easy-RSA is a PKI (public key infrastructure) certificate authority tool used to create and manage the X.509 certificates that OpenVPN uses.

`wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-3.0.6.tgz`

Extract the downloaded archive:

`tar xvfz EasyRSA-3.0.6.tgz`

Enter the EasyRSA-3.0.6 directory:

`cd EasyRSA-3.0.6/`

Run the init-pki command to initialize the PKI directory:

`./easyrsa init-pki`

Create the CA root certificate:

```bash
[root@vps ~]# ./easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2023
Enter New CA Key Passphrase: # set a passphrase here; it protects the CA key
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2023 bit long modulus
..............................................+++
..................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN # country or region, required
State or Province Name (full name) [CA]:GD # province, required
Locality Name (eg, city) [SanFrancisco]:GZ # city, required
Organization Name (eg, company) [Fort-Funston]:EXAMPLE # company or organization, required
Organizational Unit Name (eg, section) []:EXAMPLE # department or group, optional
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:MyVPN # common name, required
Name []: # name or other, optional
Email Address []:example@example.com # email, optional
Note: current (pre-release) versions of Easy RSA, defaults to creating a unified cert.
You can use it as a CA cert and for server certs, but some OpenVPN clients may not support this
and will fail to establish a connection.
Do you wish to continue with the generation of a unified cert? [yes]:yes
```

Create the server certificate request:

```bash
[root@vps ~]# ./easyrsa gen-req server nopass
Generating a 2023 bit RSA private key
..........................................+++
.....................................+++
writing new private key to '/root/EasyRSA-3.0.6/pki/private/server.key.i4KjYJKQdf'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [EXAMPLE]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vps.example.com # enter your VPS's domain name here
Name []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Sign the server certificate with the CA certificate (type yes to confirm):

```bash
[root@vps ~]# ./easyrsa sign-req server server
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    countryName               = CN
    stateOrProvinceName       = GD
    localityName              = GZ
    organizationName          = EXAMPLE
    commonName                = vps.example.com
    emailAddress              =
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /root/EasyRSA-3.0.6/pki/easy-rsa-90372.tmp
Enter pass phrase for /root/EasyRSA-3.0.6/pki/private/ca.key: # the CA key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GZ'
organizationName      :PRINTABLE:'EXAMPLE'
commonName            :PRINTABLE:'vps.example.com'
Certificate is to be certified until Jan 23 08:48:50 2023 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/EasyRSA-3.0.6/pki/issued/server.crt
```

Create the client certificate request:

```bash
[root@vps ~]# ./easyrsa gen-req client nopass # note: "client" is just the name of one client; change it to suit your setup
Generating a 2023 bit RSA private key
..................................+++
........................................+++
writing new private key to '/root/EasyRSA-3.0.6/pki/private/client.key.2qy3qg5C5b'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:US
State or Province Name (full name) [GD]:CA
Locality Name (eg, city) [GZ]:SF
Organization Name (eg, company) [EXAMPLE]:EXAMPLE
Organizational Unit Name (eg, section) []:EXAMPLE
Common Name (eg, your name or your server's hostname) []:client
Name []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # leave empty, just press Enter
An optional company name []: # leave empty, just press Enter
```

Sign the client certificate with the CA certificate:

```bash
[root@vps ~]# ./easyrsa sign-req client client
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    countryName               = US
    stateOrProvinceName       = CA
    localityName              = SF
    organizationName          = EXAMPLE
    organizationalUnitName    = EXAMPLE
    commonName                = client
    emailAddress              =
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /root/EasyRSA-3.0.6/pki/easy-rsa-10596.tmp
Enter pass phrase for /root/EasyRSA-3.0.6/pki/private/ca.key: # the CA key passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SF'
organizationName      :PRINTABLE:'EXAMPLE'
organizationalUnitName:PRINTABLE:'EXAMPLE'
commonName            :PRINTABLE:'client'
Certificate is to be certified until Jan 23 09:02:06 2023 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/EasyRSA-3.0.6/pki/issued/client.crt
```

All the certificates have now been created, and they need to be copied to the OpenVPN server.

3. Configure OpenVPN

The issued certificates are now under EasyRSA-3.0.6/pki/issued (the matching private keys under pki/private, and the CA certificate at pki/ca.crt). We need to copy them to the OpenVPN server and then create the configuration file there.

We can use scp to copy these files to the server.

We also need to generate a client configuration file on the local machine and use it to connect to the VPN server. Run the following commands to prepare the client configuration:

```bash
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf ~/client-configs/base.conf
```

Append the following to the end of ~/client-configs/base.conf:

```
# Redirect all network traffic through the VPN gateway. The remote line copied from
# the sample client.conf must be CHANGED TO THE SERVER'S IP ADDRESS (net_gateway differs per client)
redirect-gateway def1
# Enable TLS encryption
tls-client
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here (this matches the server.conf below).
cipher AES-256-GCM
# Require that the server presents a certificate issued with the server role
# (the "server" type that sign-req server produced above; nsCertType is deprecated).
remote-cert-tls server
# Verify the server certificate by checking its Common Name; this must be the
# CN entered when the server request was generated, not a fixed word.
verify-x509-name vps.example.com name
# If a tls-auth key is used on the server then every client must also have the key,
# either as a file path with direction 1:
# tls-auth /etc/openvpn/server/ta.key 1
# or inline, which lets the key be embedded directly into the .ovpn file itself.
# The key below is abbreviated; paste the full contents of ta.key.
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
dd0d1095308c28089aa515c19af32984
2f9aaa1ccaa1411cc9797e002d31009e
-----END OpenVPN Static key V1-----
</tls-auth>
# If you wish to allow traffic between clients on the same subnet,
# use client-to-client
# client-to-client
```

The most important change is replacing the placeholder hostname (cluster-01.example.com in the author's file, i.e. the `remote` line of the copied sample client.conf) with our own server's IP address. Then place the client's certificate, private key and, if used, the TA key in ~/client-configs/files. The server-side material (CA certificate, server certificate and key, and the ta.key used for tls-auth) is copied from the Easy-RSA PKI directory to the server with scp, and should be moved out of /tmp into /etc/openvpn/server/ (the paths server.conf uses) as soon as it arrives:

```bash
cd ~/EasyRSA-3.0.6/pki/
# issued certificates live under issued/, private keys under private/
scp ca.crt issued/server.crt private/server.key ta.key example@192.0.2.5:/tmp/
```
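The following script is an added example, not part of the original article: it assembles a single self-contained client.ovpn from base.conf plus the files kept under ~/client-configs/files, so the profile can be handed to a client without shipping four separate files. It runs against a constructed sandbox directory with placeholder PEM bodies; `make_ovpn`, the sandbox layout and its contents are assumptions of this example.

```shell
#!/bin/sh
# Added example: build one self-contained client.ovpn from base.conf and the
# per-client files (the ~/client-configs layout prepared above). Paths and PEM
# contents below are constructed placeholders, not real keys.
set -eu

# make_ovpn BASE_CONF KEYDIR CLIENT_NAME -> writes the inline profile to stdout
make_ovpn() {
  base=$1 keydir=$2 name=$3
  cat "$base"
  echo "key-direction 1"   # client end of the tls-auth key; the server uses 0
  for sect in ca cert key tls-auth; do
    case $sect in
      ca)       f=$keydir/ca.crt ;;
      cert)     f=$keydir/$name.crt ;;
      key)      f=$keydir/$name.key ;;
      tls-auth) f=$keydir/ta.key ;;
    esac
    [ -r "$f" ] || { echo "make_ovpn: missing $f" >&2; return 1; }
    printf '<%s>\n' "$sect"; cat "$f"; printf '</%s>\n' "$sect"
  done
}

# Constructed sandbox standing in for ~/client-configs (placeholder contents)
SANDBOX=$(mktemp -d)
printf 'client\ndev tun\nproto tcp\nremote 192.0.2.5 443\nremote-cert-tls server\n' > "$SANDBOX/base.conf"
for f in ca.crt client.crt; do
  printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$SANDBOX/$f"
done
printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$SANDBOX/client.key"
printf -- '-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER\n-----END OpenVPN Static key V1-----\n' > "$SANDBOX/ta.key"
chmod 600 "$SANDBOX"/*.key     # private material stays owner-readable only

make_ovpn "$SANDBOX/base.conf" "$SANDBOX" client > "$SANDBOX/client.ovpn"
```

The resulting client.ovpn carries the CA, client certificate, client key and tls-auth key in inline sections, and the function refuses to emit a profile when any of them is missing.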

On the server, create the server.conf configuration file under /etc/openvpn/; back up any existing file before editing it.

Be sure to change the following entries to match your own setup before you finish:

- `ca /etc/openvpn/server/ca.crt`: the CA certificate used to verify client certificates
- `cert /etc/openvpn/server/server.crt`: the VPN server certificate
- `key /etc/openvpn/server/server.key`: the VPN server private key
- `dh /etc/openvpn/server/dh.pem`: the Diffie-Hellman parameters file
- `server 10.8.0.0 255.255.255.0`: the address range the VPN server assigns to clients
- `push "redirect-gateway def1 bypass-dhcp"`: routes the clients' network traffic through the VPN server
- `push "dhcp-option DNS 208.67.222.222"`: sets the DNS server used by VPN clients

```conf
;local a.b.c.d
port 443
proto tcp
;proto udp
;dev tap
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh.pem # generate with ./easyrsa gen-dh and copy pki/dh.pem here
;server 10.8.0.0 255.255.255.0
server 192.168.0.0 255.255.255.0 # OpenVPN hands each client one address from this pool as its virtual IP
ifconfig-pool-persist ipp.txt
;client-to-client
;duplicate-cn
keepalive 10 120
tls-version-min 1.2
# The certificates issued above are RSA, so the TLS suite must be an RSA one; the
# ECDSA-only suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 would leave no common cipher
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-cert-profile preferred
cipher AES-256-GCM
auth SHA512
tls-auth /etc/openvpn/server/ta.key 0 # This file is secret; direction 0 here, 1 in the client profile
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
;explicit-exit-notify 1 # only valid with proto udp; OpenVPN refuses to start when it is combined with proto tcp
client-config-dir /etc/openvpn/clientconfig # this directory must exist
client-to-client
topology subnet
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
push "ping 10"
push "ping-restart 60"
```
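A static check script, added here as an example and not part of the original article, that runs a server.conf through the sanity checks a defender would want before starting the daemon: explicit-exit-notify under TCP, an ECDSA-only tls-cipher against RSA certificates, an inactive tls-auth/tls-crypt, the user/group privilege drop and a minimum TLS version. The function names and the abridged sample file are constructed for this example.

```shell
#!/bin/sh
# Added example: static checks for an OpenVPN server.conf. It lints a constructed,
# abridged copy of the file built inline below, not a live /etc/openvpn/server.conf.
set -eu

# active DIRECTIVE FILE -> true if DIRECTIVE appears on an uncommented line
# (OpenVPN treats lines starting with ';' or '#' as comments)
active() { grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$2"; }

# lint_server_conf FILE -> prints one finding per line; always returns 0
lint_server_conf() {
  f=$1
  if grep -Eq '^[[:space:]]*proto[[:space:]]+tcp' "$f" && active explicit-exit-notify "$f"; then
    echo "explicit-exit-notify is only valid with proto udp; openvpn refuses to start"
  fi
  if active tls-cipher "$f" && ! grep -Eq '^[[:space:]]*tls-cipher.*RSA' "$f"; then
    echo "tls-cipher lists no RSA suite, but Easy-RSA issues RSA certificates by default"
  fi
  if ! active tls-auth "$f" && ! active tls-crypt "$f"; then
    echo "neither tls-auth nor tls-crypt is active: the port answers unauthenticated TLS handshakes"
  fi
  if ! active user "$f" || ! active group "$f"; then
    echo "user/group not set: the daemon keeps root privileges after startup"
  fi
  active tls-version-min "$f" || echo "tls-version-min not set: legacy TLS versions accepted"
  return 0
}

# Constructed, abridged server.conf with several of the pitfalls above
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
port 443
proto tcp
dev tun
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
;tls-auth ta.key 0
user nobody
group nobody
explicit-exit-notify 1
EOF
lint_server_conf "$CONF"
```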

Then we can start OpenVPN. We also need to add firewall rules for OpenVPN. By default OpenVPN uses UDP port 1194, but many network administrators block it. We therefore use TCP port 443 on the server, since that port is in constant use and is very likely to be allowed through firewalls.

Run the following command to open OpenVPN's UDP port 8999:

```bash
firewall-cmd --

