Hong Kong VPC cloud host, Ubuntu 22.04, self-hosted VPN, memo
Using a Hong Kong VPC cloud host with Ubuntu 22.04 to set up my own VPN; tell me the detailed steps
https://huang12zheng.github.io/openvpn_cn/ OpenVPN documentation (Chinese)
https://blog.csdn.net/weixin_44863363/article/details/131621748
1. Preparation
Cloud host: make sure the Hong Kong VPC cloud host has been purchased and set up, running Ubuntu 22.04.
SSH access: make sure you can reach the cloud host over SSH.
2. Update the system
apt update
apt upgrade
3. Install the required software
Install OpenVPN and Easy-RSA:
apt install openvpn
apt install easy-rsa
cd /usr/share/doc/openvpn/examples/sample-config-files/
Make sure this file exists:
server.conf.gz
4. Configure Easy-RSA
# mkdir ~/easy-rsa
# ln -s /usr/share/easy-rsa/* ~/easy-rsa/
# cd ~/easy-rsa
cd /etc/openvpn/
mkdir ./easy-rsa
ln -s /usr/share/easy-rsa/* ./easy-rsa/
cd ./easy-rsa
./easyrsa init-pki # can also be used to start over from scratch
Check whether the .rnd file exists:
ls -l /root/easy-rsa/pki/.rnd
If the file does not exist, generate it manually:
openssl rand -out ./pki/.rnd 2048
Make sure the file permissions are correct:
chmod 600 ./pki/.rnd
# Make sure the easyrsa environment variables are set correctly. Edit the vars file:
# vim /root/easy-rsa/vars
# Make sure the following variables are set:
# export EASYRSA="$PWD"
# export EASYRSA_PKI="$EASYRSA/pki"
# export EASYRSA_RAND_SN="yes"
./easyrsa build-ca
Enter New CA Key Passphrase: # note that the passphrase must not be too short; I used 123456 here
Re-Enter New CA Key Passphrase: # type it again
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # just press Enter
Your new CA certificate file for publishing is at:
/root/easy-rsa/pki/ca.crt
./easyrsa build-server-full server nopass
Enter pass phrase for /root/easy-rsa/pki/private/ca.key: 123456
./easyrsa build-client-full client nopass
Enter pass phrase for /root/easy-rsa/pki/private/ca.key: 123456
./easyrsa gen-dh
openvpn --genkey --secret ta.key
5. Configure OpenVPN
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
vim /etc/openvpn/server.conf
Change the certificate paths to:
ca /root/easy-rsa/pki/ca.crt
cert /root/easy-rsa/pki/issued/server.crt
key /root/easy-rsa/pki/private/server.key
dh /root/easy-rsa/pki/dh.pem
tls-auth /root/easy-rsa/ta.key 0
Enable IP forwarding:
vim /etc/sysctl.conf
Uncomment or add:
net.ipv4.ip_forward=1
Apply the change:
sysctl -p
Configure the firewall:
ufw allow 1194/udp
ufw allow OpenSSH
ufw disable && ufw enable
ufw allow 16835/tcp
After that, my Xshell could no longer connect to the cloud host:
Could not connect to '103.116.246.82' (port 16835): Connection failed.
How do I fix this?
This happens because when you enabled the ufw firewall you only allowed OpenSSH and 1194/udp, while your Xshell connection uses the custom port 16835, so the firewall blocks that port.
ufw status
Fix the firewall rules
Allow the port Xshell uses (e.g. 16835):
ufw allow 16835/tcp
Check the firewall status
ufw status
Make sure the output includes:
16835/tcp ALLOW Anywhere
OpenSSH ALLOW Anywhere
1194/udp ALLOW Anywhere
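The lockout above happened because ufw was enabled before the custom SSH port was allowed. As an added example (not from the memo and not part of ufw), this script reads the active Port lines from sshd_config and emits the ufw commands in a lockout-safe order; it assumes the standard /etc/ssh/sshd_config path and only executes anything when APPLY=1.

```shell
#!/usr/bin/env bash
# Added example (not from the memo, not part of ufw): allow the SSH port that
# sshd actually listens on BEFORE enabling ufw, so a custom port such as 16835
# is never locked out. Reads /etc/ssh/sshd_config (override with SSHD_CONFIG).
# Dry-run by default: prints the ufw commands; set APPLY=1 to execute them.
set -eu

# ssh_ports_from_config FILE -> prints the active "Port N" values (space
# separated), or 22 when the file has none or cannot be read
ssh_ports_from_config() {
  local file="$1" ports
  ports=$(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$file" 2>/dev/null \
          | awk '{print $2}' | sort -un | tr '\n' ' ')
  ports=${ports% }
  printf '%s\n' "${ports:-22}"
}

# firewall_plan PORT... -> the ufw commands, in a lockout-safe order
firewall_plan() {
  local p
  for p in "$@"; do
    printf 'ufw allow %s/tcp\n' "$p"   # SSH first, whatever port it uses
  done
  printf 'ufw allow 1194/udp\n'          # OpenVPN
  printf 'ufw default deny incoming\n'
  printf 'ufw default allow outgoing\n'
  printf 'ufw --force enable\n'          # only once SSH is already allowed
}

main() {
  local cfg="${SSHD_CONFIG:-/etc/ssh/sshd_config}" ports
  ports=$(ssh_ports_from_config "$cfg")
  # $ports is intentionally unquoted: one argument per port
  firewall_plan $ports | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "would run: $cmd"; fi
  done
}

main "$@"
```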
mkdir -p /etc/openvpn/certs
cp /root/easy-rsa/pki/ca.crt /etc/openvpn/certs/
cp /root/easy-rsa/pki/dh.pem /etc/openvpn/certs/
cp /root/easy-rsa/pki/issued/server.crt /etc/openvpn/certs/
cp /root/easy-rsa/pki/private/server.key /etc/openvpn/certs/
cp /root/easy-rsa/ta.key /etc/openvpn/certs/
chmod 755 /etc/openvpn/certs
chmod 600 /etc/openvpn/certs/ca.crt
chmod 600 /etc/openvpn/certs/server.crt
chmod 600 /etc/openvpn/certs/server.key
chmod 600 /etc/openvpn/certs/dh.pem
chmod 600 /etc/openvpn/certs/ta.key
chown root:root /etc/openvpn/certs/*
vim /etc/openvpn/server.conf
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
tls-auth /etc/openvpn/certs/ta.key 0
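Because the memo switches between /root/easy-rsa and /etc/openvpn/certs paths, it is worth confirming, before restarting the service, that every file server.conf references exists and that the private key and ta.key are not group- or world-readable. The following check is an added example (not from the memo and not OpenVPN tooling); it assumes relative paths resolve against the directory holding server.conf, which matches openvpn@server starting with --cd /etc/openvpn.

```shell
#!/usr/bin/env bash
# Added example (not from the memo, not OpenVPN tooling): before restarting
# openvpn@server, confirm that every file server.conf references exists and
# that the private key and ta.key carry no group/other permission bits.
# Assumes relative paths resolve against the directory holding server.conf.
set -eu

# check_server_conf CONF -> one status line per directive; returns 1 on any problem
check_server_conf() {
  local conf="$1" dir rc=0 list directive path
  dir=$(dirname "$conf")
  list=$(mktemp)
  grep -E '^[[:space:]]*(ca|cert|key|dh|tls-auth)[[:space:]]' "$conf" > "$list" || true
  while read -r directive path _; do
    case "$path" in /*) ;; *) path="$dir/$path" ;; esac
    if [ ! -r "$path" ]; then
      echo "MISSING  $directive -> $path"; rc=1; continue
    fi
    case "$directive" in
      key|tls-auth)
        # columns 5-10 of ls -l are the group and other permission bits
        if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
          echo "TOO OPEN $directive -> $path"; rc=1; continue
        fi ;;
    esac
    echo "OK       $directive -> $path"
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# Demo on constructed placeholder files (not real keys); ta.key is deliberately
# left world-readable so the check has something to report.
demo=$(mktemp -d)
for f in ca.crt server.crt dh.pem server.key ta.key; do echo placeholder > "$demo/$f"; done
chmod 600 "$demo/server.key"
chmod 644 "$demo/ta.key"
printf 'port 1194\nca ca.crt\ncert server.crt\nkey server.key\ndh dh.pem\ntls-auth ta.key 0\n' \
  > "$demo/server.conf"
check_server_conf "$demo/server.conf" || echo "server.conf has problems; fix before restarting"
```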
6. Start the OpenVPN service
systemctl restart openvpn && systemctl enable openvpn
# systemctl start openvpn@server
# systemctl enable openvpn@server
# systemctl status openvpn@server
7. Configure the client
Export the client configuration:
mkdir -p ./files
chmod 700 ./files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./client/base.conf
cd /etc/openvpn/certs
#cp /root/easy-rsa/pki/ca.crt ./
#cp /root/easy-rsa/pki/dh.pem ./
cp /root/easy-rsa/pki/issued/client.crt ./
cp /root/easy-rsa/pki/private/client.key ./
#cp /root/easy-rsa/ta.key ./
Edit the client configuration:
vim ~/client-configs/base.conf # the certificate paths above can also be changed here
Change the following line:
remote 103.116.246.82 1194
Generate the client configuration file:
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cd ~/client-configs
cat base.conf \
<(echo -e '<ca>') \
/etc/openvpn/certs/ca.crt \
<(echo -e '</ca>\n<cert>') \
/etc/openvpn/certs/client.crt \
<(echo -e '</cert>\n<key>') \
/etc/openvpn/certs/client.key \
<(echo -e '</key>\n<tls-auth>') \
/etc/openvpn/certs/ta.key \
<(echo -e '</tls-auth>') \
> files/client.ovpn
cat base.conf \
<(echo -e '<ca>') \
/etc/openvpn/easy-rsa/pki/ca.crt \
<(echo -e '</ca>\n<cert>') \
/etc/openvpn/easy-rsa/pki/issued/client.crt \
<(echo -e '</cert>\n<key>') \
/etc/openvpn/easy-rsa/pki/private/client.key \
<(echo -e '</key>\n<tls-auth>') \
/etc/openvpn/easy-rsa/ta.key \
<(echo -e '</tls-auth>') \
> ./client.ovpn
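The two cat pipelines above only append the files: the copied base.conf still carries the sample client.conf's file-based ca/cert/key/tls-auth lines, and an inline <tls-auth> block also needs key-direction 1 on the client side. This function is an added example (not the memo's own command) that assembles client.ovpn with those two fixes; its self-test uses constructed placeholder files and a documentation-range address, not real credentials or the memo's server.

```shell
#!/usr/bin/env bash
# Added example (not the memo's own command): build a single-file client.ovpn.
# Unlike the plain cat pipeline it (1) drops the file-based ca/cert/key/tls-auth
# lines that the sample client.conf still contains and (2) adds key-direction 1,
# which a client needs when ta.key is inlined and the server uses "tls-auth ... 0".
set -eu

# build_ovpn BASE CA CERT KEY TA OUT
build_ovpn() {
  local base="$1" ca="$2" cert="$3" key="$4" ta="$5" out="$6" f
  for f in "$base" "$ca" "$cert" "$key" "$ta"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  umask 077   # the output embeds the client's private key
  {
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$base" || true
    echo 'key-direction 1'
    printf '<ca>\n';       cat "$ca";   printf '</ca>\n'
    printf '<cert>\n';     cat "$cert"; printf '</cert>\n'
    printf '<key>\n';      cat "$key";  printf '</key>\n'
    printf '<tls-auth>\n'; cat "$ta";   printf '</tls-auth>\n'
  } > "$out"
}

# Demo with constructed placeholder files (not real credentials); the remote
# address is a documentation-range placeholder, not the memo's server.
demo_dir=$(mktemp -d)
printf 'client\ndev tun\nremote 203.0.113.10 1194\nca ca.crt\ncert client.crt\nkey client.key\ntls-auth ta.key 1\n' \
  > "$demo_dir/base.conf"
for n in ca.crt client.crt client.key ta.key; do
  printf -- '-----BEGIN PLACEHOLDER-----\n%s\n-----END PLACEHOLDER-----\n' "$n" > "$demo_dir/$n"
done
build_ovpn "$demo_dir/base.conf" "$demo_dir/ca.crt" "$demo_dir/client.crt" \
           "$demo_dir/client.key" "$demo_dir/ta.key" "$demo_dir/client.ovpn"
echo "wrote $demo_dir/client.ovpn"
```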
Transfer the configuration file:
Download the generated client.ovpn to your local machine and import it into an OpenVPN client to connect.
OpenVPN client connection guide
https://blog.csdn.net/gtj0617/article/details/139085759
After a successful connection, the OpenVPN icon in the taskbar turns green and a success notification pops up.
In the network adapter list, the newly installed TAP adapter shows as connected
and has been assigned the address 10.153.113.4 by the OpenVPN server.
Download the Windows client
wget https://openvpn.net/downloads/openvpn-connect-v3-windows.msi
journalctl -u openvpn@server
Error
Temporarily disable tls-auth
journalctl -u openvpn@server
Error
TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 16 15:20:41 cxyfezafh1 ovpn-server[48095]: 42.235.99.110:49602 TLS Error: TLS handshake failed
Verify port 1194 on the server
# Windows: install Nmap
# then use the ncat that ships with it
ncat -vu 103.116.246.82 1194
# Linux: install netcat (on Ubuntu 22.04 "netcat" is only a virtual package, so pick an implementation)
apt install netcat-openbsd
nc -vu 103.116.246.82 1194
If the port is open, it prints: Connection to 103.116.246.82 1194 port [udp/openvpn] succeeded!
------------------------------------------
At this point, three days in,
the self-hosted VPN still isn't working.
Ubuntu Server documentation (official)
How to install and use OpenVPN
https://documentation.ubuntu.com/server/how-to/security/install-openvpn/index.html
If the VPN were working, the client's IPv4 settings should look like this when connected:
IP: 10.4.77.101 / 255.255.0.0
DNS: 172.31.255.250
VPN setup paused for now...