
Linux教程FG508-Linux综合实战案例十四

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍企业级VPN网络部署综合实战案例。

Part01-OpenVPN部署

1.1 OpenVPN服务器配置

# 安装OpenVPN和Easy-RSA
[root@fgedu-vpn ~]# yum install -y openvpn easy-rsa

# 初始化PKI
[root@fgedu-vpn ~]# mkdir -p /etc/openvpn/easy-rsa
[root@fgedu-vpn ~]# cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
[root@fgedu-vpn ~]# cd /etc/openvpn/easy-rsa
[root@fgedu-vpn easy-rsa]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.

# 创建CA(nopass 表示 CA 私钥不加密保存, 需严格限制 pki/private/ca.key 的访问权限)
[root@fgedu-vpn easy-rsa]# ./easyrsa build-ca nopass
Generating a RSA private key
......................................+++++
.............+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:FGEDU CA

CA creation complete and you may now import and sign cert requests.

# 生成服务器证书
[root@fgedu-vpn easy-rsa]# ./easyrsa gen-req fgedu-vpn nopass
[root@fgedu-vpn easy-rsa]# ./easyrsa sign-req server fgedu-vpn

# 生成DH参数
[root@fgedu-vpn easy-rsa]# ./easyrsa gen-dh
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

# 配置OpenVPN服务器
[root@fgedu-vpn ~]# cat > /etc/openvpn/server/server.conf << 'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/fgedu-vpn.crt
key /etc/openvpn/easy-rsa/pki/private/fgedu-vpn.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option DOMAIN fgedu.net.cn"
keepalive 10 120
cipher AES-256-GCM
auth SHA256
comp-lzo no
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
explicit-exit-notify 1
EOF

# 启动OpenVPN
[root@fgedu-vpn ~]# systemctl enable openvpn-server@server --now
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/lib/systemd/system/openvpn-server@server.service.

# 查看状态
[root@fgedu-vpn ~]# systemctl status openvpn-server@server
● openvpn-server@server.service - OpenVPN service for server
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@server.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2026-04-04 23:00:00 CST; 1min ago

Part02-客户端配置

2.1 生成客户端证书

# 创建客户端证书
[root@fgedu-vpn easy-rsa]# ./easyrsa gen-req user1 nopass
Generating a RSA private key
...........+++++
....................+++++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/user1.key'
-----
Common Name (eg: your user, host, or server name) [user1]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/user1.req
key: /etc/openvpn/easy-rsa/pki/private/user1.key

[root@fgedu-vpn easy-rsa]# ./easyrsa sign-req client user1
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/user1.crt

# 创建客户端配置文件
[root@fgedu-vpn ~]# cat > /etc/openvpn/client/user1.ovpn << 'EOF'
client
dev tun
proto udp
remote vpn.fgedu.net.cn 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
comp-lzo no
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIID...CA证书内容...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIID...客户端证书内容...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...客户端私钥内容...
-----END PRIVATE KEY-----
</key>
EOF

# 打包客户端配置(user1.ovpn 内含客户端私钥, 须通过安全渠道分发给用户)
[root@fgedu-vpn ~]# cd /etc/openvpn/client
[root@fgedu-vpn client]# tar czf user1-vpn-config.tar.gz user1.ovpn

Part03-IPSec VPN

3.1 StrongSwan配置

# 安装StrongSwan
[root@fgedu-ipsec ~]# yum install -y strongswan

# 生成证书
[root@fgedu-ipsec ~]# ipsec pki --gen --size 4096 --outform pem > /etc/strongswan/ipsec.d/private/ca.key
[root@fgedu-ipsec ~]# ipsec pki --self --ca --lifetime 3650 \
--in /etc/strongswan/ipsec.d/private/ca.key \
--dn "C=CN, O=FGEDU, CN=FGEDU CA" \
--outform pem > /etc/strongswan/ipsec.d/cacerts/ca.crt

[root@fgedu-ipsec ~]# ipsec pki --gen --size 2048 --outform pem > /etc/strongswan/ipsec.d/private/server.key
[root@fgedu-ipsec ~]# ipsec pki --pub --in /etc/strongswan/ipsec.d/private/server.key \
| ipsec pki --issue --lifetime 3650 \
--cacert /etc/strongswan/ipsec.d/cacerts/ca.crt \
--cakey /etc/strongswan/ipsec.d/private/ca.key \
--dn "C=CN, O=FGEDU, CN=vpn.fgedu.net.cn" \
--san vpn.fgedu.net.cn \
--flag serverAuth --flag ikeIntermediate \
--outform pem > /etc/strongswan/ipsec.d/certs/server.crt

# 配置IPSec
[root@fgedu-ipsec ~]# cat > /etc/strongswan/ipsec.conf << 'EOF'
config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.fgedu.net.cn
    leftcert=server.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.0.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
EOF

# 配置认证(ipsec.secrets 含明文 EAP 口令, 须保持仅 root 可读)
[root@fgedu-ipsec ~]# cat > /etc/strongswan/ipsec.secrets << 'EOF'
: RSA server.key
user1 : EAP "User1@123"
user2 : EAP "User2@123"
EOF

# 启动StrongSwan
[root@fgedu-ipsec ~]# systemctl enable strongswan --now

Part04-VPN监控

4.1 VPN监控配置

# 创建VPN监控脚本
[root@fgedu-vpn ~]# cat > /usr/local/bin/vpn-monitor.sh << 'EOF'
#!/bin/bash
# vpn-monitor.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
# 注意: openvpn-status.log 是否含 CLIENT_LIST 行及其字段分隔符取决于 server.conf 的 status-version 设置, 请按实际格式核对 awk 字段
echo "=== VPN监控报告 ==="
echo "监控时间: $(date)"
echo ""
echo "1. OpenVPN状态"
systemctl is-active openvpn-server@server
echo ""
echo "2. 当前连接数"
cat /var/log/openvpn-status.log | grep -c "^CLIENT_LIST"
echo ""
echo "3. 连接详情"
cat /var/log/openvpn-status.log | grep "^CLIENT_LIST" | awk '{print "用户: "$2", IP: "$3", 虚拟IP: "$4", 连接时间: "$5" "$6}'
echo ""
echo "4. 流量统计"
cat /var/log/openvpn-status.log | grep "^CLIENT_LIST" | awk '{print "用户: "$2", 接收: "$6"字节, 发送: "$7"字节"}'
echo ""
echo "5. 网络接口状态"
ip addr show tun0
echo ""
echo "=== 监控完成 ==="
EOF
[root@fgedu-vpn ~]# chmod +x /usr/local/bin/vpn-monitor.sh

# 配置日志轮转
[root@fgedu-vpn ~]# cat > /etc/logrotate.d/openvpn << 'EOF'
/var/log/openvpn.log {
    weekly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    postrotate
        systemctl reload openvpn-server@server > /dev/null 2>&1 || true
    endscript
}
EOF

# 配置防火墙规则
[root@fgedu-vpn ~]# firewall-cmd --permanent --add-service=openvpn
success
[root@fgedu-vpn ~]# firewall-cmd --permanent --add-masquerade
success
[root@fgedu-vpn ~]# firewall-cmd --reload
success

风哥针对VPN部署建议:

  • 选择合适的VPN协议
  • 配置强加密算法
  • 实施证书管理
  • 配置访问控制策略
  • 监控VPN连接状态

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
