yingfeng

Linux system automatically connects to OpenVPN server when it is powered on

The reason is that a server in the cloud needs some services to interact with the local server, and I do not want this traffic to go over the public Internet. Because the local exit router already runs an OpenVPN service, it can connect the cloud server to the local network.
Probably not many people have this requirement. I did not find many tutorials online, and the ones I found were quite disordered, so after working through it myself I sorted it out and published it, which also serves as a backup.

Statement:

This article only describes how to implement an encrypted tunnel between a cloud server and a local network using OpenVPN, and is intended as a technical reference for readers.

We will not bear any responsibility for any legal dispute, tort or other adverse consequences arising from anyone's use of the technology or tools mentioned in this article. Anyone who reads this article, downloads relevant resources or uses the technologies and tools described in this article is deemed to agree to all the terms and conditions of this disclaimer.

1、 Building the server and obtaining the configuration file

This is not covered here. There are many tutorials online, and many routers can now provide this function directly, so we skip it.

2、 Installation of OpenVPN client

Installing the OpenVPN client on Linux is usually very simple, because the mainstream distributions (Debian, Ubuntu, Fedora, CentOS, etc.) provide the official OpenVPN package in their default repositories, so in most cases you can install it directly with the system's package manager. Here we take Debian as the example; two commands are enough to install the OpenVPN client.

 sudo apt-get update
 sudo apt-get install openvpn

After installation, use the following command to check that the OpenVPN client was installed successfully. If the OpenVPN version information is printed, the installation succeeded.

 openvpn --version

3、 Test connection to OpenVPN

First, upload your OpenVPN configuration file to the server. There are many ways to do this; I personally recommend uploading directly with the "rz" command. Most Linux distributions have the lrzsz tool preinstalled; if yours does not, install it yourself, which will not be expanded on here.

One thing worth mentioning: keep the configuration file in its own folder rather than scattering files around, to avoid accidental deletion during later operation and maintenance.

After uploading the file to the server, use the following command to connect to OpenVPN.

 sudo openvpn --config /root/.config/openvpn/openvpn-config.ovpn
 # /root/.config/openvpn/openvpn-config.ovpn is the path of the configuration file you uploaded; replace it with your own

After entering this command, openvpn connects to the VPN according to the configuration file and asks for the account and password used for the connection; enter them and the connection is established.
At this point the OpenVPN connection works, and one third of the whole requirement is done.

If an "openvpn Fatal TLS error (check_tls_errors_co)" error occurs when connecting, and the OpenVPN you are connecting to is the OpenVPN service on OpenWrt or a similar router, then it is likely that the TLS version supported by the server is too old, so the TLS versions of client and server do not match. If the server configuration cannot be updated, the only option is to let the client support the old TLS protocol version.

Edit the "/etc/ssl/openssl.cnf" configuration file and find the [system_default_sect] section, usually at the end, which looks like this:

 [system_default_sect]
 MinProtocol = TLSv1.2
 CipherString = DEFAULT@SECLEVEL=2

Then change "MinProtocol = TLSv1.2" to TLSv1.0 (the idea is to lower the minimum supported TLS version to TLSv1.0; the older TLS versions have known security weaknesses, so whether to do this is your own choice). Note that this file sets the default for every program on the system that uses OpenSSL, not only for OpenVPN. The result looks like this:

 [system_default_sect]
 MinProtocol = TLSv1.0
 CipherString = DEFAULT@SECLEVEL=2

4、 Remember account password

Since OpenVPN will later connect automatically at power-on, it is impossible to type the password every time, so some setup is needed to let OpenVPN read the credentials itself when connecting.
First, we need to create a text file that stores the OpenVPN account and password.
The file can be placed anywhere and named as you like. For easier management, however, it is recommended to put the password file in the same folder as the OpenVPN configuration file, and to avoid unnecessary problems the file name should not contain Chinese or special characters.
The content of the file is very simple: the first line is the user name and the second line is the password, as follows:

 user01
 password

Note that the account and password are stored on the server in clear text. For security reasons, it is recommended to use a randomly generated password and to restrict the file's permissions so that only root can read it (for example chmod 600).

Then we need to edit the ovpn configuration file uploaded earlier and add the path of the password file just created after the "auth-user-pass" line. Note that the absolute path must be written: do not write only the file name just because the file is in the same directory, otherwise the file is only found if openvpn is started from that directory. It looks like this:

 .....
 auth-user-pass /root/.config/openvpn/user-password.txt
 .....

After modifying the configuration file, we also need to change its suffix from the original "ovpn" to "conf". This basic operation will not be expanded on; since you have your own ECS, it should be no problem.
After the modification, test the VPN connection again in the same way as in Step 3, but note that the suffix of the configuration file has changed.

5、 Add Service

To connect to the VPN automatically after startup, we need to run the OpenVPN connection as a service.
First, create a systemd unit file in the "/etc/systemd/system/" directory. The file suffix is ".service", and the file name can be chosen freely.

 sudo vim /etc/systemd/system/openvpn-myconfig.service

The contents of the file are as follows:

 [Unit]
 Description=OpenVPN-myconfig
 # network.target does not guarantee connectivity; wait for the network to be online
 Wants=network-online.target
 After=network-online.target

 [Service]
 # openvpn stays in the foreground unless --daemon is given, so the unit type is simple, not forking
 Type=simple
 ExecStart=/usr/sbin/openvpn --config /root/.config/openvpn/openvpn-config.conf

 [Install]
 WantedBy=multi-user.target

The file path after "ExecStart=/usr/sbin/openvpn --config" is the path of your OpenVPN configuration file; fill it in according to your actual situation.

Finally, enable the service we added so that it starts at boot, where "openvpn-myconfig.service" is the name of the file created above:

 sudo systemctl enable openvpn-myconfig.service

After the service is enabled, we can test whether it connects to OpenVPN. Start it with the following command, where "openvpn-myconfig.service" is both the service name and the name of the file created above:

 sudo systemctl start openvpn-myconfig.service

If it connects to OpenVPN successfully, you are almost done. Try restarting the server to see whether OpenVPN connects automatically.

If the service connects when started manually but not at boot, it may be that the OpenVPN service itself is not started at boot. You can also set the OpenVPN service to start automatically with the following command:

 sudo systemctl enable openvpn

Friendly reminder: before restarting the server, confirm what impact a restart has on your business before deciding whether to restart it.

6、 Some advanced configurations

If the VPN is interrupted because of network factors or other reasons, we want the server to reconnect to OpenVPN on its own. To ensure the server stays connected to OpenVPN, we make some small changes to the OpenVPN configuration file.

Edit the OpenVPN configuration file and add the following options to it:

 persist-key
 persist-tun
 keepalive 10 60

The purpose of each option is as follows:

persist-key: the client keeps the key material used for SSL/TLS unchanged across a reconnect, so no new key is read or generated when reconnecting.

persist-tun: the client keeps the TUN/TAP device open across a reconnect, which helps maintain continuity of the connection and avoids changing the network settings when reconnecting.

keepalive 10 60: sets the keepalive mechanism of the OpenVPN connection. The first number, 10, means a ping packet is sent every 10 seconds; the second number, 60, means that if no response is received within 60 seconds the connection is considered dead and is restarted.
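The following check script is an added example, not part of the original post: it verifies that a client configuration prepared as in sections 4 to 6 is ready for unattended use (absolute auth-user-pass path, a two-line credentials file readable only by its owner and without CRLF endings, and the persist-key, persist-tun and keepalive options). The /root/.config/openvpn path is the one used in this post; the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OpenVPN client
# config that is meant to connect unattended at boot (sections 4 to 6 above).
# Requires GNU or busybox stat for "stat -c".

check_openvpn_conf() {
    conf="$1"
    rc=0
    [ -f "$conf" ] || { echo "missing config: $conf"; return 1; }

    # auth-user-pass needs an absolute path: a bare file name is resolved
    # relative to whatever working directory openvpn is started from.
    pw=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    case "$pw" in
        /*) ;;
        "") echo "auth-user-pass has no file argument: password will be prompted"; rc=1 ;;
        *)  echo "auth-user-pass path is not absolute: $pw"; rc=1 ;;
    esac

    if [ -n "$pw" ] && [ ! -f "$pw" ]; then
        echo "password file not found: $pw"; rc=1
    elif [ -n "$pw" ]; then
        # credentials are stored in clear text, so only the owner may read them
        mode=$(stat -c '%a' "$pw")
        case "$mode" in
            600|400) ;;
            *) echo "password file $pw is mode $mode, expected 600"; rc=1 ;;
        esac
        # exactly two non-empty lines: user name, then password
        lines=$(grep -c . "$pw" || true)
        [ "$lines" -eq 2 ] || { echo "password file needs exactly 2 lines, has $lines"; rc=1; }
        # a file saved with Windows line endings makes the CR part of the password
        if grep -q "$(printf '\r')" "$pw"; then echo "password file has CRLF line endings"; rc=1; fi
    fi

    # reconnect options from section 6 (option name at the start of a line)
    for opt in persist-key persist-tun keepalive; do
        grep -Eq "^[[:space:]]*$opt([[:space:]]|$)" "$conf" || { echo "missing option: $opt"; rc=1; }
    done
    return $rc
}

# Example call with the path used in this post:
# check_openvpn_conf /root/.config/openvpn/openvpn-config.conf
```

Run it as root (the credentials file is mode 600) before enabling the systemd unit; a non-zero exit status lists every finding on stdout.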

This article is published at: yingfeng Blog >> Linux system automatically connects to OpenVPN server when it is powered on; please indicate the source when reprinting.
