Linux Environment Setup

SoftEther VPN

1. Installation

CentOS

yum -y install make cmake gcc gcc-c++ gcc-g77 flex bison file libtool libtool-libs autoconf kernel-devel patch wget crontabs libjpeg libjpeg-devel libpng libpng-devel libpng10 libpng10-devel gd gd-devel libxml2 libxml2-devel zlib zlib-devel glib2 glib2-devel unzip tar bzip2 bzip2-devel libevent libevent-devel ncurses ncurses-devel curl curl-devel libcurl libcurl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel vim-minimal gettext gettext-devel ncurses-devel gmp-devel pspell-devel unzip libcap diffutils ca-certificates net-tools libc-client-devel psmisc libXpm-devel git-core c-ares-devel libicu-devel libxslt libxslt-devel xz expat-devel
wget https://www.softether-download.com/files/softether/v4.41-9787-rtm-2023.03.14-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-x64-64bit.tar.gz
tar zxvf softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-x64-64bit.tar.gz -C /usr/local/
cd /usr/local/vpnserver/
make
./vpnserver start

Debian

apt install -y make gcc cmake vim
wget https://www.softether-download.com/files/softether/v4.41-9787-rtm-2023.03.14-tree/Linux/SoftEther_VPN_Server/64bit_-_Intel_x64_or_AMD64/softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-x64-64bit.tar.gz
tar zxvf softether-vpnserver-v4.41-9787-rtm-2023.03.14-linux-x64-64bit.tar.gz -C /usr/local/
cd /usr/local/vpnserver/
make
./vpnserver start

2. Set up autostart

Create the startup file with vi /etc/init.d/softethervpn and write the following into it:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          softethervpn
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

start(){
       /usr/local/vpnserver/vpnserver start
}

stop(){
        /usr/local/vpnserver/vpnserver stop
}

case "$1" in
start)
        start
        ;;
stop)
        stop
        ;;
reload)
        stop
        start
        ;;
*)
        echo "Usage: $0 {start|reload|stop}"
        exit 1
        ;;
esac

3. Change the file permissions and enable autostart

On Debian 11 install chkconfig first; on CentOS skip this step.

apt-get install -y sysv-rc-conf
cp /usr/sbin/sysv-rc-conf /usr/sbin/chkconfig

Enable autostart:

chmod +x /etc/init.d/softethervpn
chkconfig softethervpn on

4. Create users in bulk

Create users.txt:

Hub DEFAULT
UserCreate user1  /GROUP:none /REALNAME:none /NOTE:none
UserCreate user2  /GROUP:none /REALNAME:none /NOTE:none
UserCreate user3  /GROUP:none /REALNAME:none /NOTE:none

UserPasswordSet user1  /password:56XvELNip8
UserPasswordSet user2  /password:6YkzFNDxUh
UserPasswordSet user3  /password:0RXm0EiShJ

Run the batch command (PASSWORD is the VPN server's administrator password):

./vpncmd /server localhost /password:PASSWORD /in:users.txt /out:log.txt
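An added example (not part of SoftEther VPN or of this page's own script) that builds users.txt for `vpncmd /in:` with random passwords instead of hand-typed ones, and writes the user/password pairs to a separate file readable only by root. The hub name DEFAULT and the UserCreate / UserPasswordSet layout are taken from the page; the file names and the 20-character password length are choices made here.

```shell
#!/bin/sh
# Added example, not part of SoftEther VPN: build users.txt for `vpncmd /in:` with
# random passwords. Hub name and the UserCreate / UserPasswordSet layout follow the
# page; file names and the 20-character password length are choices made here.

# gen_password LEN -> LEN random alphanumeric characters read from /dev/urandom
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-20}"
}

# make_users_script HUB OUTFILE USER... -> writes the vpncmd batch file to OUTFILE and the
# "user password" pairs to OUTFILE.credentials; both files are created with mode 0600
make_users_script() {
  hub="$1"; out="$2"; shift 2
  (
    umask 077
    {
      echo "Hub $hub"
      for u in "$@"; do
        echo "UserCreate $u /GROUP:none /REALNAME:none /NOTE:none"
      done
      echo
      for u in "$@"; do
        pw=$(gen_password 20)
        echo "UserPasswordSet $u /password:$pw"
        printf '%s %s\n' "$u" "$pw" >&3      # fd 3 is the credentials file
      done
    } >"$out" 3>"$out.credentials"
  )
}

# user_count FILE -> number of UserCreate lines in a generated batch file
user_count() {
  grep -c '^UserCreate ' "$1"
}

# Example run:
#   make_users_script DEFAULT users.txt user1 user2 user3
#   ./vpncmd /server localhost /password:PASSWORD /in:users.txt /out:log.txt
# Hand the passwords out from users.txt.credentials, then delete both files.
```

After vpncmd has processed the file, users.txt still contains every password in clear text, so remove it (and the .credentials file once distributed) rather than leaving it in /usr/local/vpnserver.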

5. One-click script

bash <(curl -sSL https://alist.xiaoyue.pro/d/bash/softhervpn.sh)

(Fetch the script with curl -o first if you want to read it before executing it.)

See the official SoftEther documentation for details.

nps intranet tunnelling

A Linux server is used as the example; for other platforms see the official nps documentation.

Server side

wget https://github.com/ehang-io/nps/releases/download/v0.26.9/linux_amd64_server.tar.gz
tar -zxvf linux_amd64_server.tar.gz
./nps install

The configuration file is /etc/nps/conf/nps.conf.

The main thing to check is whether the configured ports are already in use; replace any that are with unused ports.

Running nps directly shows the runtime log.

nps start|stop|restart
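The page says to make sure the ports in nps.conf are not already taken. As an added example (not part of nps), the script below reads the port keys from nps.conf and compares them with the listening sockets reported by `ss -ltn`. The key names http_proxy_port, https_proxy_port, bridge_port and web_port are assumed to be the ones in the nps.conf shipped with v0.26.9; the sample config and the sample ss output are constructed.

```shell
#!/bin/sh
# Added example, not part of nps: check that the ports nps.conf asks for are not
# already listening before running `nps start`. Key names are assumed from the
# nps.conf shipped with v0.26.9; adjust KEYS if your file differs.
KEYS="http_proxy_port https_proxy_port bridge_port web_port"

# Constructed sample of nps.conf lines (a real file has many more keys).
SAMPLE_NPS_CONF='appname=nps
http_proxy_port=80
https_proxy_port=443
bridge_port=8024   # tunnel port used by npc
web_port=8080'

# Constructed sample of `ss -ltn` output on a host that already runs sshd and a web server.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

# conf_value KEY CONF_TEXT -> value of KEY with surrounding spaces and a trailing comment removed
conf_value() {
  printf '%s\n' "$2" | awk -F= -v k="$1" '
    { gsub(/[[:space:]]/, "", $1) }
    $1 == k { sub(/#.*/, "", $2); gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# listening_ports SS_TEXT -> one local port per line (handles IPv4 and [::] addresses)
listening_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# port_in_use PORT SS_TEXT -> 0 if PORT appears among the listening ports
port_in_use() {
  listening_ports "$2" | grep -qx "$1"
}

# check_ports CONF_TEXT SS_TEXT -> prints each conflict; exit status = number of conflicts
check_ports() {
  conflicts=0
  for key in $KEYS; do
    val=$(conf_value "$key" "$1")
    [ -n "$val" ] || continue
    if port_in_use "$val" "$2"; then
      echo "CONFLICT: $key=$val is already in use"
      conflicts=$((conflicts + 1))
    fi
  done
  return "$conflicts"
}

# On the real host: check_ports "$(cat /etc/nps/conf/nps.conf)" "$(ss -ltn)"
check_ports "$SAMPLE_NPS_CONF" "$SAMPLE_SS_OUTPUT" || echo "change the conflicting port(s) in nps.conf before starting nps"
```

With the constructed samples the check reports http_proxy_port=80 as the only conflict, because the host already has a web server on port 80 while 443, 8024 and 8080 are free.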

Client side

wget https://github.com/ehang-io/nps/releases/download/v0.26.9/linux_amd64_client.tar.gz
tar -zxvf linux_amd64_client.tar.gz
mkdir /etc/npc

Create the configuration file with nano /etc/npc/npc.conf:

[common]
server_addr=127.0.0.1:8024 #server ip:port
conn_type=tcp              #tcp/udp, default tcp; must match the server
vkey= password             #shared key
auto_reconnection=true     #reconnect automatically

Installation

./npc install -config=/etc/npc/npc.conf
npc start|stop|restart

Updating the SSH version

Before updating SSH, you can install and configure telnet first as a fallback in case the upgrade goes wrong.

1. Install dependencies

apt update
apt install build-essential
apt-get install -y libssl-dev zlib1g-dev cmake gcc g++

2. Download the source

Mirror in China

cd /opt
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz

Upstream source

cd /opt
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz
3. Extract the archive

Extract it and enter the directory:

tar -zxvf openssh-9.6p1.tar.gz
cd openssh-9.6p1
4. Compile and install

Tip: if configure reports an error, the cause is almost always a missing dependency; install the corresponding package and run configure again.

./configure
make
make install
5. Verify the version

Reconnect over SSH and verify the version:

root@onlylife:~# ssh -V
OpenSSH_9.6p1, OpenSSL 3.0.11 19 Sep 2023
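An added example (not part of OpenSSH or of this page's procedure) of the checks worth running after `make install` and before the running sshd is restarted, so the session is not lost to a broken upgrade: parse the version from `ssh -V`, compare it with the one expected, and run `sshd -t` to test the configuration without starting a daemon. It assumes the default ./configure prefix, which installs the new binaries under /usr/local (ssh at /usr/local/bin/ssh, sshd at /usr/local/sbin/sshd).

```shell
#!/bin/sh
# Added example, not part of OpenSSH: checks to run after `make install` and before
# restarting sshd. Assumes the default ./configure prefix (/usr/local); pass another
# prefix to preflight_sshd if you configured one.

# ssh_version_of TEXT -> the OpenSSH version (e.g. "9.6p1") from `ssh -V` output.
# ssh -V writes to stderr, so capture it with 2>&1.
ssh_version_of() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# version_is_at_least WANT HAVE -> exit 0 when HAVE >= WANT, comparing major, minor and patch level
version_is_at_least() {
  awk -v w="$1" -v h="$2" 'BEGIN {
    split(w, a, /[.p]/); split(h, b, /[.p]/)
    for (i = 1; i <= 3; i++) {
      if ((b[i] + 0) > (a[i] + 0)) exit 0
      if ((b[i] + 0) < (a[i] + 0)) exit 1
    }
    exit 0
  }'
}

# preflight_sshd [PREFIX] [WANTED_VERSION] -> 0 only if the freshly installed ssh under PREFIX
# reports at least WANTED_VERSION and the new sshd passes `sshd -t` (config and host-key test,
# no daemon is started). Run this on the host before restarting the service.
preflight_sshd() {
  prefix="${1:-/usr/local}"
  want="${2:-9.6p1}"
  [ -x "$prefix/sbin/sshd" ] || { echo "no sshd under $prefix"; return 1; }
  have=$(ssh_version_of "$("$prefix/bin/ssh" -V 2>&1)")
  version_is_at_least "$want" "$have" || { echo "got '$have', wanted >= $want"; return 1; }
  "$prefix/sbin/sshd" -t || { echo "sshd -t failed; keep the old daemon running"; return 1; }
  echo "OpenSSH $have under $prefix: config OK"
}
```

One thing to check on Debian: the distro's ssh.service starts /usr/sbin/sshd, so after `make install` the service may still be running the old binary even though `ssh -V` (which finds /usr/local/bin first in root's PATH) shows 9.6p1. Compare `systemctl cat ssh` with the path you just installed before relying on the new version.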

Automatic certificate issuance with acme.sh

acme-dns

Use acme.sh with acme-dns to request SSL certificates automatically and replace them automatically on renewal.

Some DNS providers have no DNS API; with this method you only need to add a single DNS record.

The following steps are for Linux.

1. Install acme.sh

All commands are run as root.

Automatic install from the official source:

curl https://get.acme.sh | sh -s email=[email protected]              # any email address works

Automatic install from the mirror in China:

curl https://gitee.com/acmesh-official/acme.sh/raw/master/acme.sh | sh -s email=[email protected]

Manual install (for machines that cannot reach GitHub)

Official repository: https://github.com/acmesh-official/acme.sh

Mirror in China: https://gitee.com/acmesh-official/acme.sh

Upload the archive to the server and extract it:

unzip acme.sh-master.zip
cd acme.sh-master
./acme.sh install -s email=[email protected]                    # any email address works

2. Register an acme-dns user

acme-dns is one of the ways acme.sh can prove ownership of a domain. You can host your own server; this article uses the official one.

export ACMEDNS_BASE_URL="https://auth.acme-dns.io"  # the official acme-dns service
curl -s -X POST ${ACMEDNS_BASE_URL}/register |  \
python3 -m json.tool > acme-dns.challenges;cat acme-dns.challenges
# python3 by default; replace with python if that is what the host has

3. Add the DNS record

Go to your domain's management console and add one DNS record used for the validation.

Example 1: my domain is abc.com and I want a certificate for abc.com or *.abc.com.

Example 2: my domain is abc.com and I want a certificate for www.abc.com.

The record value is the fulldomain returned by the registration in step 2.

              Host record            Type    Value
Example 1     _acme-challenge        CNAME   96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io
Example 2     _acme-challenge.www    CNAME   96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io

4. Request the certificate

The example requests a dual certificate for abc.com and *.abc.com.

First export the acme-dns registration data into environment variables:

export ACMEDNS_USERNAME="$(cat acme-dns.challenges | awk -F"\"" '/username/{print $4}')"
export ACMEDNS_PASSWORD="$(cat acme-dns.challenges | awk -F"\"" '/password/{print $4}')"
export ACMEDNS_SUBDOMAIN="$(cat acme-dns.challenges | awk -F"\"" '/subdomain/{print $4}')"
echo "FULLDOMAIN = $(cat acme-dns.challenges | awk -F"\"" '/fulldomain/{print $4}')"
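An added example (not part of acme.sh or acme-dns) that reads the registration saved in step 2, prints the CNAME record step 3 asks for, and checks that the record resolves before `acme.sh --issue` is run, which is the usual reason a first issue attempt fails. The sample registration is constructed; only the fulldomain value reuses the one in the table above, and the username/password values are placeholders. `dig` is only needed by the live check at the end.

```shell
#!/bin/sh
# Added example, not part of acme.sh or acme-dns: parse acme-dns.challenges (as
# pretty-printed by python3 -m json.tool), print the CNAME to add, and verify it
# before issuing. Sample registration below is constructed.
SAMPLE_CHALLENGES='{
    "allowfrom": [],
    "fulldomain": "96ef34b9-ce77-47dd-a68e-7e504bca13ae.auth.acme-dns.io",
    "password": "EXAMPLE-PASSWORD-NOT-REAL",
    "subdomain": "96ef34b9-ce77-47dd-a68e-7e504bca13ae",
    "username": "EXAMPLE-USERNAME-NOT-REAL"
}'

# json_field NAME JSON -> string value of top-level key NAME (one "key": "value" pair per
# line, which is what json.tool prints). Matching the key exactly avoids picking up a value
# that merely contains the word, which a regex search such as /username/ would do.
json_field() {
  printf '%s\n' "$2" | awk -F'"' -v k="$1" '$2 == k { print $4; exit }'
}

# acmedns_exports JSON -> the export lines acme.sh's dns_acmedns hook expects (eval the output)
acmedns_exports() {
  printf "export ACMEDNS_USERNAME='%s'\n" "$(json_field username "$1")"
  printf "export ACMEDNS_PASSWORD='%s'\n" "$(json_field password "$1")"
  printf "export ACMEDNS_SUBDOMAIN='%s'\n" "$(json_field subdomain "$1")"
}

# challenge_cname DOMAIN TARGET ZONE -> "<host> CNAME <target>": the record to add in ZONE.
# abc.com or *.abc.com in zone abc.com gives host _acme-challenge (example 1);
# www.abc.com gives _acme-challenge.www (example 2).
challenge_cname() {
  case "$1" in
    \*.*) domain="${1#??}" ;;    # drop the leading "*."
    *)    domain="$1" ;;
  esac
  target="$2"; zone="$3"
  if [ "$domain" = "$zone" ]; then
    host="_acme-challenge"
  else
    host="_acme-challenge.${domain%.$zone}"
  fi
  printf '%s CNAME %s\n' "$host" "$target"
}

# cname_matches EXPECTED RESOLVED -> 0 if a resolver answer (trailing dot and case
# differences allowed) points at EXPECTED; an empty answer never matches
cname_matches() {
  e=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  r=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
  [ -n "$r" ] && [ "$r" = "$e" ]
}

# live_check NAME EXPECTED -> queries DNS with dig (network); 0 if NAME's CNAME is EXPECTED
live_check() {
  cname_matches "$2" "$(dig +short CNAME "$1" | head -n 1)"
}

FULLDOMAIN=$(json_field fulldomain "$SAMPLE_CHALLENGES")
echo "example 1: $(challenge_cname abc.com "$FULLDOMAIN" abc.com)"
echo "example 2: $(challenge_cname www.abc.com "$FULLDOMAIN" abc.com)"
# On the real host, before issuing:
#   eval "$(acmedns_exports "$(cat acme-dns.challenges)")"
#   live_check _acme-challenge.abc.com "$FULLDOMAIN" || echo "CNAME not visible yet"
```

The same cname_matches check applies to the alias mode described later on this page: there the expected target is _acme-challenge.a.com instead of the acme-dns fulldomain.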

Request the certificate:

cd ~/.acme.sh
./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com

On success the output looks like this:

root@debian:~/.acme.sh# ./acme.sh --issue --dns dns_acmedns -d abc.com -d *.abc.com
[Thu Jan 18 02:18:27 UTC 2024] Using CA: https://acme.zerossl.com/v2/DV90
[Thu Jan 18 02:18:27 UTC 2024] Creating domain key
[Thu Jan 18 02:18:27 UTC 2024] The domain key is here: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:18:27 UTC 2024] Multi domain='DNS:abc.com,DNS:*.abc.com'
[Thu Jan 18 02:18:27 UTC 2024] Getting domain auth token for each domain
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='abc.com'
[Thu Jan 18 02:18:52 UTC 2024] Getting webroot for domain='*.abc.com'
[Thu Jan 18 02:18:53 UTC 2024] Adding txt value: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:53 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:54 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:54 UTC 2024] Adding txt value: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain:  _acme-challenge.abc.com
[Thu Jan 18 02:18:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:18:56 UTC 2024] The txt record is added: Success.
[Thu Jan 18 02:18:56 UTC 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Thu Jan 18 02:19:17 UTC 2024] You can use '--dnssleep' to disable public dns checks.
[Thu Jan 18 02:19:17 UTC 2024] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Thu Jan 18 02:19:17 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:19 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:19 UTC 2024] Checking abc.com for _acme-challenge.abc.com
[Thu Jan 18 02:19:20 UTC 2024] Domain abc.com '_acme-challenge.abc.com' success.
[Thu Jan 18 02:19:20 UTC 2024] All success, let's return
[Thu Jan 18 02:19:20 UTC 2024] Verifying: abc.com
[Thu Jan 18 02:19:25 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:37 UTC 2024] Success
[Thu Jan 18 02:19:37 UTC 2024] Verifying: *.abc.com
[Thu Jan 18 02:19:49 UTC 2024] Processing, The CA is processing your order, please just wait. (1/30)
[Thu Jan 18 02:19:54 UTC 2024] Success
[Thu Jan 18 02:19:54 UTC 2024] Removing DNS records.
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: X0B18yE-NpvdDJusOkQsAA9IO2oFjPAYzUhdl-n7etc for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Removing txt: v8qdmvz0U7WrQfaOwniHkVPR9lMMh4XII2u-9VboF9o for domain: _acme-challenge.abc.com
[Thu Jan 18 02:19:54 UTC 2024] Using acme-dns
[Thu Jan 18 02:19:54 UTC 2024] Removed: Success
[Thu Jan 18 02:19:54 UTC 2024] Verify finished, start to sign.
[Thu Jan 18 02:19:54 UTC 2024] Lets finalize the order.
[Thu Jan 18 02:19:54 UTC 2024] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw/finalize'
[Thu Jan 18 02:20:08 UTC 2024] Order status is processing, lets sleep and retry.
[Thu Jan 18 02:20:08 UTC 2024] Retry after: 15
[Thu Jan 18 02:20:24 UTC 2024] Polling order status: https://acme.zerossl.com/v2/DV90/order/WcvC10x0rzrenbSNx6S2aw
[Thu Jan 18 02:20:26 UTC 2024] Downloading cert.
[Thu Jan 18 02:20:26 UTC 2024] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/YTqK1_OGtKouAdSsVVGbng'
[Thu Jan 18 02:20:41 UTC 2024] Cert success.
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
[Thu Jan 18 02:20:41 UTC 2024] Your cert is in: /root/.acme.sh/abc.com_ecc/abc.com.cer
[Thu Jan 18 02:20:41 UTC 2024] Your cert key is in: /root/.acme.sh/abc.com_ecc/abc.com.key
[Thu Jan 18 02:20:41 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/abc.com_ecc/ca.cer
[Thu Jan 18 02:20:41 UTC 2024] And the full chain certs is there: /root/.acme.sh/abc.com_ecc/fullchain.cer
root@debian:~/.acme.sh# 

5. Install the certificate

Nginx

acme.sh --install-cert -d example.com \
--cert-file /etc/nginx/cert/cert.pem \
--key-file /etc/nginx/cert/key.pem \
--fullchain-file /etc/nginx/cert/fullchain.pem \
--reloadcmd "nginx -s reload"
# once the files are replaced, nginx is reloaded so the new certificate takes effect

Apache

acme.sh --install-cert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

Proxmox VE (PVE)

acme.sh --install-cert -d example.com  \
--cert-file /etc/pve/local/pveproxy-ssl.pem \
--key-file /etc/pve/local/pveproxy-ssl.key \
--fullchain-file /etc/pve/local/pveproxy-ssl.pem \
--reloadcmd "systemctl restart pveproxy"

Other services work the same way.

6. Uninstall acme.sh

rm -rf ~/.acme.sh    # remove the acme.sh install directory
crontab -e           # remove the acme.sh cron job
vim ~/.bashrc        # remove the acme.sh environment variables

acme.sh alias mode

Suppose I have two domains, a.com and b.com, and use a.com to assist in validating the certificate for b.com.
This applies when domain a can use acme but domain b cannot, either for security reasons or because its DNS provider is not supported by acme.

See the acme.sh documentation on GitHub (or the Gitee mirror in China).

Add the following records for domain b:

Host record            Type    Value                     Certificates obtainable
_acme-challenge        CNAME   _acme-challenge.a.com     a.com and *.a.com
_acme-challenge.www    CNAME   _acme-challenge.a.com     www.a.com and *.www.a.com

Everything else is the same as requesting a certificate for a.com; see the DNS validation steps above. The issue command is:

acme.sh --issue -d b.com --challenge-alias a.com --dns dns_acmedns

If several domains are delegated by CNAME, one multi-domain certificate can be requested, and different DNS providers can be combined:

# b is delegated to a; a uses acme-dns validation
# c is delegated to d; d uses Cloudflare validation
# e does not use alias mode; e is validated directly via DNSPod
acme.sh --issue \
-d b.com --challenge-alias a.com --dns dns_acmedns \
-d c.com --challenge-alias d.com --dns dns_cf \
-d e.com --challenge-alias no --dns dns_dp