2018 年 8 月 9 日
 

添加Mongodb Yum软件仓库源

[root@tunnel ~]# sudo tee -a /etc/yum.repos.d/mongodb-org-3.6.repo << EOF
> [mongodb-org-3.6]
> name=MongoDB Repository
> baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.6/x86_64/
> gpgcheck=1
> enabled=1
> gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
> EOF
[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
[root@tunnel ~]#

添加Pritunl Yum软件仓库源(该仓库源未配置gpgkey,其签名公钥将在下文手动导入)

[root@tunnel ~]# sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
> [pritunl]
> name=Pritunl Repository
> baseurl=https://repo.pritunl.com/stable/yum/centos/7/
> gpgcheck=1
> enabled=1
> EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
[root@tunnel ~]# cat /etc/yum.repos.d/pritunl.repo 
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
[root@tunnel ~]#

更新Yum缓存

[root@tunnel ~]# yum makecache

导入GPG签名公钥

[root@tunnel ~]# gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key CF8E292A from hkp server keyserver.ubuntu.com
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key CF8E292A: public key "Pritunl <contact@pritunl.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@tunnel ~]#
[root@tunnel ~]# gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
[root@tunnel ~]#

使用Yum安装Pritunl和Mongodb

[root@tunnel ~]# yum -y install pritunl mongodb-org

启动服务,并注册系统服务

[root@tunnel ~]# systemctl start mongod pritunl
[root@tunnel ~]# systemctl enable mongod pritunl
Created symlink from /etc/systemd/system/multi-user.target.wants/pritunl.service to /etc/systemd/system/pritunl.service.
[root@tunnel ~]# systemctl status mongod
● mongod.service - High-performance, schema-free document-oriented database
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-08 10:07:00 UTC; 28s ago
Docs: https://docs.mongodb.org/manual
Main PID: 1732 (mongod)
CGroup: /system.slice/mongod.service
└─1732 /usr/bin/mongod -f /etc/mongod.conf

Aug 08 10:06:59 tunnel systemd[1]: Starting High-performance, schema-free document-oriented database...
Aug 08 10:06:59 tunnel mongod[1729]: about to fork child process, waiting until server is ready for connections.
Aug 08 10:06:59 tunnel mongod[1729]: forked process: 1732
Aug 08 10:07:00 tunnel systemd[1]: Started High-performance, schema-free document-oriented database.
[root@tunnel ~]# systemctl status pritunl
● pritunl.service - Pritunl Daemon
Loaded: loaded (/etc/systemd/system/pritunl.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-08 10:06:59 UTC; 35s ago
Main PID: 1724 (pritunl)
CGroup: /system.slice/pritunl.service
├─1724 /usr/lib/pritunl/bin/python2 /usr/lib/pritunl/bin/pritunl start
└─1778 pritunl-web

Aug 08 10:06:59 tunnel systemd[1]: Started Pritunl Daemon.
Aug 08 10:06:59 tunnel systemd[1]: Starting Pritunl Daemon...
[root@tunnel ~]#

查看服务及端口监听

[root@tunnel ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1732/mongod 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 673/sshd 
tcp6 0 0 :::443 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 ::1:9755 :::* LISTEN 1724/python2 
tcp6 0 0 :::80 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 :::22 :::* LISTEN 673/sshd 
[root@tunnel ~]#

生成初始设置密钥

[root@tunnel ~]# pritunl setup-key
ba0cc9655df84af33bd5ab1baad20dac
[root@tunnel ~]#

登录Web管理界面进行配置

https://66.80.120.167/login

初始用户名密码:pritunl/pritunl(首次登录后请立即修改默认密码)

1)添加组织
2)添加用户
3)添加服务器
4)将组织附加到服务器
5)启动服务器
6)下载用户配置文件

防火墙及规则设置
禁用Firewalld防火墙

# Take firewalld out of the picture before switching to iptables-services
# (installed in the next step): remove it from boot, then stop the running unit.
for fw_action in disable stop; do
  systemctl "$fw_action" firewalld
done

安装并启用iptables防火墙

# Install the iptables service unit, show its current state, then enable it
# at boot and start it right away.
yum -y install iptables-services
systemctl status iptables
for svc_action in enable start; do
  systemctl "$svc_action" iptables
done

添加iptables规则并保存

# Open the Pritunl web UI (80/443 tcp) and the OpenVPN listener (9443 udp).
# Each rule is inserted at the head of INPUT in the same order as before,
# so the resulting chain order is unchanged; the ruleset is then persisted
# to /etc/sysconfig/iptables.
for spec in tcp:80 tcp:443 udp:9443; do
  iptables -I INPUT -p "${spec%%:*}" --dport "${spec##*:}" -j ACCEPT
done
service iptables save
启动VPN Server服务后,查看网络监听
[root@tunnel ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1732/mongod 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 673/sshd 
tcp6 0 0 :::443 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 ::1:9755 :::* LISTEN 1724/python2 
tcp6 0 0 :::80 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 :::22 :::* LISTEN 673/sshd 
udp 0 0 127.0.0.1:323 0.0.0.0:* 435/chronyd 
udp 0 0 0.0.0.0:68 0.0.0.0:* 1216/dhclient 
udp6 0 0 :::9443 :::* 4926/openvpn 
udp6 0 0 ::1:323 :::* 435/chronyd 
[root@tunnel ~]#

查看网络接口状态

[root@tunnel ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 56:00:01:9f:8e:77 brd ff:ff:ff:ff:ff:ff
inet 66.80.120.167/23 brd 66.80.121.255 scope global dynamic eth0
valid_lft 85018sec preferred_lft 85018sec
inet6 2002:19f0:6001:3d90:5400:1ff:fe9f:8e77/64 scope global mngtmpaddr dynamic 
valid_lft 2591663sec preferred_lft 604463sec
inet6 fe80::5400:1ff:fe9f:8e77/64 scope link 
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none 
inet 10.20.30.1/24 brd 10.20.30.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::fd51:af66:8daf:bb96/64 scope link flags 800 
valid_lft forever preferred_lft forever
[root@tunnel ~]#

查看防火墙状态

[root@tunnel ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Wed Aug 8 11:53:56 2018
*nat
:PREROUTING ACCEPT [117:7699]
:INPUT ACCEPT [20:1442]
:OUTPUT ACCEPT [8:552]
:POSTROUTING ACCEPT [8:552]
-A POSTROUTING -s 10.20.30.0/24 -o eth0 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j MASQUERADE
COMMIT
# Completed on Wed Aug 8 11:53:56 2018
# Generated by iptables-save v1.4.21 on Wed Aug 8 11:53:56 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2028:1155767]
-A INPUT -p udp -m udp --dport 9443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A FORWARD -i tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
COMMIT
# Completed on Wed Aug 8 11:53:56 2018
[root@tunnel ~]#

在Linux CLI下以非交互式密码验证进行VPN连接

[root@localhost ~]# cd harveymei/

添加账户验证文件,用户名密码各占一行(文件内为明文密码,建议用 chmod 600 限制为仅属主可读)

[root@localhost harveymei]# vi account.txt

修改VPN配置文件,添加账户验证文件

[root@localhost harveymei]# vi LINUXCACHE_harveymei_LINUXCACHE.ovpn
auth-user-pass account.txt

启动

[root@localhost ~]# openvpn --daemon --cd harveymei/ --config LINUXCACHE_harveymei_LINUXCACHE.ovpn --log-append /var/log/openvpn.log
