openvpn打通云

架构:

（架构图：image-20220718142157800，图片未随页面导出。下文按“公司 VPN server → 阿里云客户端 / 腾讯云客户端 → 用户端”的顺序给出各端配置。）

公司内部vpn服务配置

server.conf

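# OpenVPN server on the office side, tap (layer-2) mode.
# Cloud-side clients get a fixed tunnel address from ccd/ and act as
# gateways for their VPC / pod / service ranges (see the routes added
# on the server below).
port 1196
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
# NOTE(review): no tls-auth / tls-crypt key is configured, so the control
# channel is exposed to anyone who can reach UDP/1196. Adding one needs the
# key on the server and on every client in the same change.
ifconfig-pool-persist ipp.txt
ifconfig 10.255.255.1 255.255.255.0
# Pool for clients without a ccd entry: 10.255.255.2 - 10.255.255.250.
# ccd entries (generated by vpnuser.sh from .20 upwards) must stay clear of
# addresses the pool has already leased (see ipp.txt).
server-bridge 10.255.255.1 255.255.255.0 10.255.255.2 10.255.255.250
# Clients can reach each other directly. Needed so users can reach the
# cloud gateway at 10.255.255.83, but it also means no isolation between
# user devices on the tunnel.
client-to-client
# NOTE(review): with username-as-common-name this allows the same account
# to be logged in from several devices at once; because ccd/ pins one
# address per account, concurrent sessions of one user share that address.
duplicate-cn
keepalive 10 120
# NOTE(review): compression over TLS exposes the tunnel to VORACLE-style
# attacks. Remove it on the server and on every client together (removing
# it on one side only breaks the tunnel framing).
comp-lzo
# NOTE(review): the daemon keeps running as root. persist-key/persist-tun
# are already set, so dropping to nobody would work provided nobody can
# read psw-file and write the log used by checkpsw.sh.
#user nobody
#group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20
# Level 3 is required by "via-env": the client's password is handed to the
# auth script in an environment variable. "via-file" would allow level 2.
script-security 3
# Username/password verification script (checkpsw.sh below).
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# Use the verified username as the common name so that ccd/<username>
# can push a fixed address per account.
username-as-common-name
# One file per user in this directory, each holding an ifconfig-push line;
# the addresses must not collide with each other or with the pool.
# (The earlier version of this file also had "client-config-dir ccd" a few
# lines above; the later, absolute directive is the one that took effect,
# so only it is kept.)
client-config-dir /etc/openvpn/ccd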

需在公司 VPN server 上添加的路由（下一跳 10.255.255.83 是云端客户端账号 xctest 通过 ccd 固定分配的隧道地址；`ip route add` 不会在重启后保留，需要另行持久化）

# Office-side routes: reach the cloud ECS / pod / service ranges through
# the cloud client's fixed tunnel address (10.255.255.83, on tap0).
# Added with "ip route add", so they do not survive a reboot.
cloud_gw=10.255.255.83
for cidr in 10.10.0.0/16 172.20.0.0/16 172.21.0.0/16; do  # ecs, pod, svc
  ip route add "$cidr" via "$cloud_gw"
done
[root@localhost openvpn]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default gateway 0.0.0.0 UG 100 0 0 p4p1
10.10.0.0 10.255.255.83 255.255.0.0 UG 0 0 0 tap0
10.255.255.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
172.19.96.0 10.255.255.20 255.255.240.0 UG 0 0 0 tap0
172.20.0.0 10.255.255.83 255.255.0.0 UG 0 0 0 tap0
172.21.0.0 10.255.255.83 255.255.0.0 UG 0 0 0 tap0
192.168.11.0 0.0.0.0 255.255.255.0 U 100 0 0 p4p1

checkpsw.sh

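#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# OpenVPN auth-user-pass-verify hook, method "via-env": the daemon
# exports the client's credentials as the environment variables
# $username and $password and runs this script. Exit status 0 accepts
# the login, anything else rejects it.
#
# Accounts live in a plain-text file with one row per user: the
# username, one or more spaces/tabs, then the password. Rows starting
# with ';' or '#' are comments.
#
# Review notes:
#  - The earlier version logged the submitted password on every failed
#    attempt; the log now records usernames only.
#  - The username used to be spliced into the awk program text, so a
#    username containing a double quote could inject awk code. It is
#    now handed to awk through the environment and compared as a string.
#  - Passwords are still stored and compared in the clear; hashing them
#    would also require changing vpnuser.sh and the vpn_user_info table.
###########################################################

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

# Append one timestamped line to the auth log. Never pass a password.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}"
}

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Exact match on column 1, first matching row wins. ENVIRON avoids both
# shell-level splicing and awk -v escape processing of the username.
CORRECT_PASSWORD=$(username="${username}" awk \
  '!/^;/ && !/^#/ && $1 == ENVIRON["username"] { print $2; exit }' "${PASSFILE}")

if [ -z "${CORRECT_PASSWORD}" ]; then
  log "User does not exist: username=\"${username}\"."
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username}\"."
  exit 0
fi

log "Incorrect password: username=\"${username}\"."
exit 1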

/etc/openvpn/ccd/xxxxxxx

# ccd entry for one account: the fixed address pushed to that client
# instead of a pool lease (username-as-common-name maps the file name
# to the login name).
# NOTE(review): 172.20.1.108 lies inside the pod range 172.20.0.0/16 that
# is routed via 10.255.255.83, not inside the tunnel's 10.255.255.0/24;
# every entry vpnuser.sh generates uses 10.255.255.x. Confirm this
# address is intended.
ifconfig-push 172.20.1.108 255.255.255.0

ali云配置

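# OpenVPN client on the Alibaba Cloud side. Its account is pinned to
# 10.255.255.83 by the server's ccd entry, and the office server routes
# the ECS / pod / service ranges to that address.
client
dev tap1
proto udp
remote xxxxx 1196
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# NOTE(review): relative paths are resolved against the daemon's working
# directory, not the config file's directory; use absolute paths (or a
# "cd /etc/openvpn" directive) so this does not depend on how openvpn is
# started.
ca ca.crt
cert client.crt
key client.key
# Replaces the deprecated "ns-cert-type server" (removed in OpenVPN 2.5).
# This requires the server certificate to carry the "TLS Web Server
# Authentication" extended key usage, which easy-rsa adds to server
# certificates; check with
#   openssl x509 -in server.crt -noout -text | grep -A1 'Extended Key Usage'
# before rolling this out.
remote-cert-tls server
# NOTE(review): keep or drop compression together with the server;
# see the note in server.conf.
comp-lzo
# Username/password file (two lines: username, then password). This
# account is assigned 10.255.255.83 by the server. The file holds the
# password in the clear -- keep it mode 0600.
auth-user-pass psw.conf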

在阿里云客户端上添加路由（回程流量经隧道送回公司 server 的隧道地址 10.255.255.1；同样不会在重启后保留）

# Cloud side: send office traffic back through the tunnel to the server.
office_net=192.168.0.0/16
vpn_server=10.255.255.1
ip route add "$office_net" via "$vpn_server"

腾讯云容器部署

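# Tencent Cloud side: one OpenVPN client pod pinned to a node and placed
# in the node's network namespace (hostNetwork), so the tap device and
# the office route exist on the node itself.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tx-openvpn
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tx-openvpn
  template:
    metadata:
      labels:
        app: tx-openvpn
    spec:
      volumes:
        # client.ovpn, ca.crt, client.crt/key and psw.conf. The claim holds
        # the client key and the VPN password in the clear; restrict who
        # can mount it.
        - name: vpn-data
          persistentVolumeClaim:
            claimName: tx-vpn-data
        # Needed to create the tap device without running privileged.
        - name: dev-net-tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice
      containers:
        - name: vpn
          # NOTE(review): "v1" is a mutable tag and the pull policy is
          # IfNotPresent, so the running binary is whatever the node has
          # cached; pin a digest for a reproducible deployment.
          image: xxxxxx:openvpn:v1
          command:
            - openvpn
          args:
            - '--config'
            - /etc/openvpn/client.ovpn
          env:
            - name: TZ
              value: Asia/Shanghai
          resources:
            limits:
              cpu: 50m
              memory: 512Mi
            requests:
              cpu: 50m
              memory: 512Mi
          volumeMounts:
            - name: vpn-data
              mountPath: /etc/openvpn
            - name: dev-net-tun
              mountPath: /dev/net/tun
          lifecycle:
            postStart:
              exec:
                command:
                  - sh
                  - '-c'
                  - |
                    # Wait (bounded) until tap1 is up with an IPv4 address
                    # instead of a fixed sleep, then install the office
                    # route. "replace" keeps this idempotent across
                    # container restarts; a timeout fails the hook so the
                    # pod is restarted rather than left without the route.
                    i=0
                    until ip -4 addr show dev tap1 2>/dev/null | grep -q inet; do
                      i=$((i + 1))
                      [ "$i" -ge 60 ] && exit 1
                      sleep 1
                    done
                    ip route replace 192.168.0.0/16 via 10.255.255.1
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
          # Was "privileged: true". NET_ADMIN plus the /dev/net/tun mount is
          # what openvpn needs for the tap device and the route above. If
          # the container runtime does not expose the tun device this way,
          # fall back to privileged for this container only.
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      # Pin to the node that acts as this cluster's VPN gateway.
      nodeSelector:
        kubernetes.io/hostname: 172.19.48.9
      hostNetwork: true
      securityContext: {}
      schedulerName: default-scheduler
  # Recreate: the same account / tap device must never run twice at once.
  strategy:
    type: Recreate
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600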

用户端配置

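# End-user client configuration. Routes to the cloud ranges point at the
# cloud gateway's tunnel address directly, which works because the server
# has client-to-client enabled on a tap interface.
client
dev tap
proto udp
remote xxxxxxxx 1196
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
# Replaces the deprecated "ns-cert-type server" (removed in OpenVPN 2.5).
# Requires the server certificate to carry the "TLS Web Server
# Authentication" extended key usage (easy-rsa server certs have it);
# verify on server.crt before rolling this out to users.
remote-cert-tls server
# NOTE(review): keep or drop compression together with the server;
# see the note in server.conf.
comp-lzo
# Password file: must be given as an absolute path (relative paths are
# resolved against the working directory, not the config file). It holds
# the password in the clear -- keep it mode 0600.
auth-user-pass psw.conf
# Alternative: prompt for the credentials interactively.
#auth-user-pass

# NOTE(review): "route" takes network, netmask, gateway, metric. The
# gateway is given explicitly on every line below, so the trailing
# "net_gateway" sits in the metric slot rather than acting as the
# net_gateway keyword (most likely parsed as metric 0). It can be dropped;
# left as-is here because these lines are known to work for users.
#yw
route xxxxxx 255.255.255.255 10.255.255.1 net_gateway

# Test environment (pod / service / ECS ranges via the cloud gateway)
route 172.20.0.0 255.255.0.0 10.255.255.83 net_gateway
route 172.21.0.0 255.255.0.0 10.255.255.83 net_gateway
route 10.10.0.0 255.255.0.0 10.255.255.83 net_gateway

# Alibaba Cloud services (via the office server)
route 192.168.11.0 255.255.255.0 10.255.255.1 net_gateway
route 112.124.16.48 255.255.255.255 10.255.255.1 net_gateway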

同步VPN账号脚本在公司192.168.11.252上

每小时同步一次：脚本会在账号列表变化时覆盖 /etc/openvpn/psw-file（旧文件备份到 psw_bak/），并重新生成 ccd/ 下每个用户的固定 IP 文件

bash /root/sh/vpnuser.sh （脚本头为 #!/bin/bash 且使用了 let、== 等 bash 语法，应以 bash 而非 sh 调用）

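#!/bin/bash
# vpnuser.sh -- hourly sync of OpenVPN accounts from the vpn_user_info
# table to the VPN server (runs on the server itself, 192.168.11.252).
#
#   1. Export "username password" for every row with status=1.
#   2. If that differs from /etc/openvpn/psw-file: back the old file up,
#      install the new one, post a WeCom notification, and regenerate
#      /etc/openvpn/ccd/<username> (one ifconfig-push line each) so every
#      account keeps a fixed tunnel address.
#
# Review changes against the earlier version of this script:
#   - The DB password and the webhook key are read from root-only files
#     instead of being hard-coded here and passed on the mysql command
#     line (visible in `ps` and in this page).
#   - The notification used to carry the diff of the password file, i.e.
#     plaintext passwords, into a chat channel, spliced unescaped into a
#     JSON literal. It now lists the affected usernames only.
#   - A failed or empty DB query no longer replaces psw-file with an empty
#     file, which would have locked every user out.
#   - The export goes through mktemp (mode 0600) instead of the predictable
#     /tmp/psw-file, and usernames are checked before being used as file
#     names under ccd/.
#   - Address numbering is unchanged: the same list yields the same IPs.
set -uo pipefail

datetime=$(date +%Y%m%d%H%M%S)
procedure_path=/etc/openvpn/
procedure_bak_path=$procedure_path'psw_bak/'
file_name='psw-file'
ccd_dir=/etc/openvpn/ccd
# mysql option file, mode 0600, e.g.
#   [client]
#   host=xxxxxx.com
#   user=apex
#   password=...
mysql_cnf=/root/.vpn-db.cnf
# One line: the full WeCom webhook URL including its key, mode 0600.
webhook_url_file=/root/.vpn-webhook-url

tmp_file_name=$(mktemp /tmp/psw-file.XXXXXX) || exit 1
trap 'rm -f -- "$tmp_file_name"' EXIT

# Active accounts as "username password", without the column header (-N).
# NOTE(review): values are split on whitespace, as before and as
# checkpsw.sh expects, so a password containing spaces cannot work.
if ! mysql --defaults-extra-file="$mysql_cnf" -N \
      -e "use apex;select username,password from vpn_user_info where status=1" \
      | awk 'NF >= 2 { print $1, $2 }' > "$tmp_file_name"; then
  echo "vpnuser.sh: mysql query failed; leaving $procedure_path$file_name untouched" >&2
  exit 1
fi
if [ ! -s "$tmp_file_name" ]; then
  echo "vpnuser.sh: query returned no active users; refusing to empty $procedure_path$file_name" >&2
  exit 1
fi

file_difference=$(diff "$tmp_file_name" "$procedure_path$file_name")
if [ -n "$file_difference" ]; then
  # Usernames from the changed lines only ("< user pass" / "> user pass"),
  # reduced to a safe character set so they cannot break the JSON below.
  changed_users=$(printf '%s\n' "$file_difference" \
    | awk '/^[<>]/ { print $2 }' | sort -u \
    | tr -cd 'A-Za-z0-9_.@\n-' | tr '\n' ' ')
  echo "vpnuser.sh: account list changed: $changed_users"
  if webhook_url=$(cat "$webhook_url_file" 2>/dev/null) && [ -n "$webhook_url" ]; then
    curl -sS "$webhook_url" -H 'Content-Type: application/json' \
      -d '{"msgtype": "text","text": {"content": "vpn用户修改成功: '"$changed_users"'"}}'
  else
    echo "vpnuser.sh: $webhook_url_file missing or empty, notification skipped" >&2
  fi

  # Backups hold plaintext passwords as well; keep psw_bak/ root-only.
  mkdir -p -- "$procedure_bak_path"
  cp -- "$procedure_path$file_name" "$procedure_bak_path$file_name$datetime"
  # mktemp created the file 0600; openvpn runs as root on this server
  # (user/group nobody are commented out in server.conf), so it can read it.
  mv -- "$tmp_file_name" "$procedure_path$file_name"

  # Regenerate ccd/. Addresses are handed out in file order from .20;
  # "xctest" is pinned to .83 (the cloud gateway the office routes point
  # at) and .83 is skipped for everyone else. Kept as before: inserting a
  # user in the middle shifts the addresses of those after it, the xctest
  # branch still consumes a number, and ccd files of removed users are not
  # deleted (they no longer authenticate, so the stale entries are inert).
  num=20
  while read -r i _; do
    case "$i" in
      '')
        continue ;;
      .|..|*/*)
        # Would escape ccd/ when used as a file name.
        echo "vpnuser.sh: skipping unsafe username '$i'" >&2
        continue ;;
      *aly*|*cy*|*dx*|*wll*)
        # Excluded from automatic numbering (presumably hand-maintained
        # ccd entries) -- same substring match as before.
        continue ;;
    esac
    if [ "$i" == "xctest" ]; then
      echo '83'"$i"
      echo "ifconfig-push 10.255.255.83 255.255.255.0" > "$ccd_dir/$i"
      num=$((num + 1))
    else
      if [ "$num" -eq 83 ]; then
        echo 'no83'"$i"
        num=$((num + 1))
      fi
      # .255 is the broadcast address and the pool ends at .250; refuse to
      # write an address outside the subnet instead of producing 10.255.255.255+.
      if [ "$num" -gt 254 ]; then
        echo "vpnuser.sh: 10.255.255.0/24 exhausted at user '$i'; no ccd entry written" >&2
        continue
      fi
      echo "ifconfig-push 10.255.255.$num 255.255.255.0" > "$ccd_dir/$i"
      num=$((num + 1))
    fi
  done < "$procedure_path$file_name"
fi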

-- VPN account table. vpnuser.sh exports username + password of every row
-- with status=1 into /etc/openvpn/psw-file once an hour.
CREATE TABLE `vpn_user_info` (
`id` int(11) NOT NULL AUTO_INCREMENT,
-- NOTE(review): nullable and not unique. vpnuser.sh uses this value as a
-- file name under ccd/ and checkpsw.sh takes the first matching row, so a
-- duplicate or NULL username (the mysql client presumably prints it as the
-- literal "NULL") misbehaves silently. NOT NULL + a UNIQUE key would be
-- safer; not changed here because the table already holds data.
`username` varchar(255) DEFAULT NULL,
-- Stored in the clear: checkpsw.sh does a plain string compare, so hashing
-- here requires changing that script (and the export) at the same time.
`password` varchar(255) DEFAULT NULL,
-- 1 = active (exported to the VPN server); any other value is ignored.
`status` int(11) NOT NULL,
`createtime` datetime(6) NOT NULL,
`updatetime` datetime(6) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=253 DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;