Help us understand the problem. What is going on with this article?

CentOS7にOpenVPN-Adminインストール

OpenVPN-Admin

https://github.com/Chocobozzz/OpenVPN-Admin

  • PHP7.x
  • MariaDB 5.5.x

CentOS確認

# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
# getenforce
Disabled

PHP7.3インストール

# sudo yum install epel-release
# sudo rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
# sudo yum install --enablerepo=remi-php73 php php-mysqlnd php-pecl-zip

# php -v
PHP 7.3.14 (cli) (built: Jan 21 2020 09:59:50) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.14, Copyright (c) 1998-2018 Zend Technologies

# sudo yum install openvpn httpd php-mysql mariadb-server php nodejs unzip git wget sed npm
# mysql --version
mysql  Ver 15.1 Distrib 5.5.64-MariaDB, for Linux (x86_64) using readline 5.1
# npm -v
3.10.10
# node -v
v6.17.1

# sudo npm install -g bower
# bower --version
1.8.8

MariaDB起動と初期設定

# systemctl enable mariadb
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
# systemctl start mariadb
# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

install.sh実行

/homeディレクトリで実行

# cd /home
# git clone https://github.com/Chocobozzz/OpenVPN-Admin openvpn-admin
# cd openvpn-admin
# ./install.sh /var/www apache apache

iptablesエラーになる(CentOS7はfirewalld)

################## Setup firewall ##################
./install.sh: 行 192: route: コマンドが見つかりません
Bad argument `ACCEPT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
#####################################################

firewallの設定

IPマスカレード trustedゾーンにtunインターフェイスの割り当て
# sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# sudo firewall-cmd --add-service=openvpn --zone=public --permanent
# sudo firewall-cmd --add-service=http --zone=public --permanent
# sudo firewall-cmd --permanent --zone=trusted --add-interface=tun+
# sudo firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
# sudo firewall-cmd --reload

firewallの確認

# sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client http openvpn ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: tun+
  sources: 10.8.0.0/24
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

/etc/openvpn/server.confを環境に合わせ修正

## GENERAL ##

# TCP or UDP, port 1194, tunneling
mode server
proto udp
port 1194
dev tun

## KEY, CERTS AND NETWORK CONFIGURATION ##
# Identity
ca ca.crt
# Public key
cert server.crt
# Private key
key server.key
# Symmetric encryption
dh dh.pem
# Improve security (DDOS, port flooding...)
# 0 for the server, 1 for the client
tls-auth ta.key 0
# Encryption protocol
cipher AES-256-CBC

# Network
# Subnetwork, the server will be the 10.8.0.1 and clients will take the other ips
server 10.8.0.0 255.255.255.0

# Redirect all IP network traffic originating on client machines to pass through the OpenVPN server
push "redirect-gateway def1"

# Alternatives DNS (FDN)
push "dhcp-option DNS 80.67.169.12"
push "dhcp-option DNS 80.67.169.40"

# (OpenDNS)
# push "dhcp-option DNS 208.67.222.222"
# push "dhcp-option DNS 208.67.220.220"

# (Google)
# push "dhcp-option DNS 8.8.8.8"
# push "dhcp-option DNS 8.8.4.4"

# Ping every 10 seconds and if after 120 seconds the client doesn't respond we disconnect
keepalive 10 120
# Regenerate key each 5 hours (disconnect the client)
reneg-sec 18000

## SECURITY ##

# Downgrade privileges of the daemon
user nobody
group nobody

# Persist keys (because we are nobody, so we couldn't read them again)
persist-key
# Don't close and re open TUN/TAP device
persist-tun
# Enable compression
comp-lzo

## LOG ##

# Verbosity
# 3/4 for a normal utilisation
verb 3
# Max 20 messages of the same category
mute 20
# Log gile where we put the clients status
status openvpn-status.log
# Log file
log-append /var/log/openvpn.log
# Configuration directory of the clients
client-config-dir ccd

## PASS ##

# Allow running external scripts with password in ENV variables
script-security 3

# Use the authenticated username as the common name, rather than the common name from the client cert
username-as-common-name
# Client certificate is not required
verify-client-cert none
# Use the connection script when a user wants to login
auth-user-pass-verify scripts/login.sh via-env
# Maximum of clients
max-clients 50
# Run this scripts when the client connects/disconnects
client-connect scripts/connect.sh
client-disconnect scripts/disconnect.sh

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

/etc/httpd/conf/httpd.confの修正

DocumentRoot "/var/www/"

#
# Relax access to content within /var/www.
#

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

# Further relax access to the default document root:
<Directory "/var/www/">

httpd起動

# sudo systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
# sudo systemctl start httpd

Openvpn起動

# sudo systemctl start openvpn@server
# sudo systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away