
Installing an OpenVPN Server on Pardus Server


One of the things a Linux system administrator needs to know is, without doubt, how to install an OpenVPN server. In today's conditions, where data privacy and security grow more important by the day, I believe this article will serve as a guide for those who want to set up their own VPN server.

This article walks through the setup using the openvpn-install script written by the GitHub user angristan, which saves us from configuring every OpenVPN setting by hand one at a time.

The first thing to do, of course, is to refresh the package lists and apply any available updates.

sudo apt update && sudo apt upgrade -yq

Now enter the following command to find the server's IP address and note it down, just in case.

ip a
ip a show eth0 # Shows only the addresses assigned to the ethernet interface.

The sample output should look like the one below. Since I run my server in a virtual machine, the interface appears as enp0s3 instead of eth0.

prdsmehmetstc@pardus21sunucu:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:d9:43:f7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.12/24 brd 192.168.1.255 scope global dynamic enp0s3
       valid_lft 86301sec preferred_lft 86301sec

The server's IP address is the inet address on the enp0s3 line above (192.168.1.12). Your server's IP address may differ, but it should appear in roughly the same place in the output.

Your server's private IP and its public IP may differ. To find the public IP address the server presents to the outside world, you can run the following command:

dig +short myip.opendns.com @resolver1.opendns.com

Now we can download the script and move on to the OpenVPN Server installation. Enter the following command to download the script.

wget https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh

Then enter this command to make the downloaded script executable:

chmod +x openvpn-install.sh

To run the script, the following command is all you need.

sudo ./openvpn-install.sh

When you run the script, it asks you to enter a few parameters. You can see the values I used as an example below:

prdsmehmetstc@pardus21sunucu:~$ sudo ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 192.168.1.12

If your server does not have a fixed IP assigned directly to it and reaches the internet through an intermediary, as in this example, the script detects this, finds the IP addresses and fills in the fields automatically. All that is left for you is to press Enter.

It seems this server is behind NAT. What is its public IPv4 address or hostname?
We need it for the clients to connect to the server.
Public IPv4 address or hostname: 85.99.177.72
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n

If your server and network have no IPv6 support, enter "n" here.

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

Here you choose the port OpenVPN will listen on. With option 1 you use the default port, 1194. If port 1194 is not reachable from the client side and you are not running a web server, you can choose option 2 and have it run on port 443.

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

Using the UDP protocol is recommended by default, but if UDP does not work for some reason you can choose TCP here.

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 9

The script's default value is 11, AdGuard DNS. The Google (9) and Cloudflare (3) resolvers are faster than the others, so I recommend choosing one of them. If you have a specific DNS preference, you can enter it by selecting option 13.

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n

It is recommended that you do not enable compression, because the VORACLE attack, a known security vulnerability, exploits compression.

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n

If you want to change the encryption settings, answer "y" at this stage. In general the default values are sufficient to keep you secure, but there is no harm in changing them if you know what you are doing.

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...

The OpenVPN Server installation is finished; the script will now create the files you need in order to connect from the client side.

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: Pardus21OpenVPNServerDeneme

Enter the client name. The name must be "alphanumeric", that is, consist of letters and digits. It may also contain underscores and dashes. Pardus21OpenVPNServerDeneme is the name I gave my client.

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

If you want to set a password for the client, choose option "2".

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1k  25 Mar 2021
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-2034.XkDzhL/tmp.pOGFHy'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-2034.XkDzhL/tmp.mUo4M7
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'Pardus21OpenVPNServerDeneme'
Certificate is to be certified until Jan 15 08:49:38 2024 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Client Pardus21OpenVPNServerDeneme added.
The configuration file has been written to /home/prdsmehmetstc/Pardus21OpenVPNServerDeneme.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

The OpenVPN Server installation and the client configuration file are now complete; you can browse the internet securely. If you want to add more than one client, simply run the script again.

prdsmehmetstc@pardus21sunucu:~$ sudo ./openvpn-install.sh
[sudo] password for prdsmehmetstc:
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It looks like OpenVPN is already installed.
What do you want to do?
   1) Add a new user
   2) Revoke existing user
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]:

Select 1 to create a new client configuration file, 2 to revoke a previously created client, 3 to remove the OpenVPN Server installation, and 4 to exit the script.

If you use a firewall such as UFW or IPTABLES, you must allow the OpenVPN port you chose at the beginning. The examples below are for the default port, 1194.

For UFW

sudo ufw allow 1194

For IPTABLES (when using the TCP protocol)

sudo iptables -I INPUT -p tcp -m tcp --dport 1194 -j ACCEPT

or

sudo iptables -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT

For IPTABLES (when using the UDP protocol)

sudo iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT

or

sudo iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
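The firewall rule has to match the port and protocol actually chosen during setup, and a bare "ufw allow 1194" opens both TCP and UDP when only one is in use. The following script is an added example, not part of the original post or of the installer: it parses the port and proto directives from the server.conf text the installer writes (assumed to be at /etc/openvpn/server.conf) and prints the narrower ufw and iptables rules for exactly that combination.

```shell
#!/bin/sh
# Added example (not from the original post or the installer): read the port
# and protocol the installer wrote to /etc/openvpn/server.conf and build the
# matching firewall rule, so the rule you add opens exactly what is in use.

# Constructed sample of the relevant server.conf lines (what the choices
# "port 1 (1194)" and "protocol 1 (UDP)" from the walkthrough produce).
SAMPLE_CONF='port 1194
proto udp
dev tun'

# Print "<port>/<proto>" parsed from server.conf text given as $1.
# Returns 1 if a directive is missing or the protocol is not tcp/udp.
conf_port_proto() {
    port=$(printf '%s\n' "$1" | awk '$1 == "port" { print $2; exit }')
    proto=$(printf '%s\n' "$1" | awk '$1 == "proto" { print $2; exit }')
    if [ -z "$port" ] || [ -z "$proto" ]; then
        return 1
    fi
    # OpenVPN also accepts forms such as udp4, tcp6 or tcp-server;
    # ufw and iptables only want the bare udp/tcp.
    case $proto in
        udp*) proto=udp ;;
        tcp*) proto=tcp ;;
        *) return 1 ;;
    esac
    printf '%s/%s\n' "$port" "$proto"
}

# ufw rule limited to the protocol in use ("ufw allow 1194" alone would
# open both TCP and UDP).
ufw_rule() {
    pp=$(conf_port_proto "$1") || return 1
    printf 'ufw allow %s\n' "$pp"
}

# Equivalent iptables rule, in the -A INPUT form used in the post.
iptables_rule() {
    pp=$(conf_port_proto "$1") || return 1
    port=${pp%/*}
    proto=${pp#*/}
    printf 'iptables -A INPUT -p %s -m %s --dport %s -j ACCEPT\n' \
        "$proto" "$proto" "$port"
}

# Stand-alone run: show the rules for the constructed sample, then, if the
# real server.conf is readable, for the live installation (print only; run
# the printed commands with sudo once you have checked them).
ufw_rule "$SAMPLE_CONF"
iptables_rule "$SAMPLE_CONF"
if [ -r /etc/openvpn/server.conf ]; then
    ufw_rule "$(cat /etc/openvpn/server.conf)"
    iptables_rule "$(cat /etc/openvpn/server.conf)"
fi
```

If you chose option 2 or 3 at the port prompt, or TCP at the protocol prompt, the printed rule follows those choices rather than the fixed 1194 examples above.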

The commands needed to stop/start/restart OpenVPN Server and to check its status are as follows:

sudo systemctl stop openvpn@server
sudo systemctl start openvpn@server
sudo systemctl restart openvpn@server
sudo systemctl status openvpn@server

If you would like to know how to set up the client connection, you can read this article.

  • Mehmet Sütcü

    The author, who began his Linux journey in secondary school with Pardus 2007, currently serves as Pardus Community Manager.
