Ubuntu安装

先打开VMware
再新建虚拟机

image.png

选择自定义---下一步

下一步

image.png

选择稍后安装

image.png

选择安装系统情况

image.png

新建一个文件夹存储安装ubuntu

image.png

修改虚拟机名称，并选择虚拟机安装位置

image.png

选择处理器数量

image.png

内存设置为2G

image.png

设置网络

image.png

选择i/o控制器

image.png

选择磁盘类型

image.png

选择磁盘--创建新磁盘

image.png

指定磁盘容量-选择单个文件

下一步

image.png

点击完成

image.png

虚拟机创建完成

image.png

选择Ubuntu镜像

image.png

image.png

打开

image.png

注意：要关闭网络连接，不然它会自动连接网络，会下载安装会很慢

image.png

修改网卡名称为eth0

开机出现logo后按f5键，然后按esc键，下方会出现boot的内容，添加如下内容即可修改网卡名称为传统的eth0，修改完后按回车键

image.png

image.png

net.ifnames=0 biosdevname=0

出现Ubuntu的logo，按f5，出现下面界面为准

image.png

选择English回车

image.png

方向键选择第一个后，立即按f6，出现小菜单后

image.png

立即按电脑esc键 ，再修改网络

image.png

可以使用vmware粘贴命令

image.png

修改后，按回车

image.png

image.png

再次回车，出现下列界面，选择English

image.png

选择英文键盘

image.png

修改网络

image.png

选择ipv4修改网络

image.png

选择Manual，即自定义模式

image.png

修改以下这样保存

image.png

选择在没有网络的情况下继续

image.png

代理设置为空，继续

image.png

仓库地址先默认

image.png

下一步选择

image.png

下一步，使用一块磁盘，不分区

image.png

警告不用管，继续

image.png

修改账号密码等

image.png

系统安装ssh，保证系统有ssh等会xshell可以连接上

image.png

等待一会，选择reboot now

image.png

正在启动

image.png

现在可以把网络打开，让它起来

image.png

image.png

开机中

image.png

登录

image.png

登录成功

image.png

配置xshell连接Ubuntu

image.png

image.png

设置root密码为123

image.png

切换root用户登录

image.png

给普通用户修改密码
先登录root用户
再修改密码

image.png

普通用户使用sudo命令修改文件，root也可以使用xshell连接
默认Ubuntu不让xshell连接
可以修改配置文件

image.png

image.png

重启ssh
systemctl restart sshd

image.png

root 连接成功

image.png

oldboy也可以连接成功

image.png

注意：oldboy连接不上去重启sshd

配置网卡是yml文件
sudo vim /etc/netplan/00-installer-config.yaml

第二块网卡地址已经配置好，重启生效

image.png

重启网卡
sudo netplan apply

image.png

注意:虚拟机也要配置一个网络适配器

image.png

image.png

配置apt源

image.png

image.png

跟新软件包列表
apt update

报错了

image.png

把https去掉s，并把注释的行去掉

image.png

现在就不报错。并且速度很快

image.png

软件包格式
centos 是.rpm
ubuntu 是.deb

安装命令
centos yum install
ubunt apt install

更新缓存
centos yum makecache
ubuntu apt update

卸载软件
centos yum remove
ubuntu apt remove

清除缓存
centos yum clean all
ubuntu apt clean all

apt跟apt-get是一样功能

安装软件包
centos rmp -ivh
ubuntu dpkg -i

使用nginx测试
nginx下载地址

http://nginx.org/packages/

image.png

复制地址链接

http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.20.2-1~focal_amd64.deb

image.png

image.png

注意：处理器型号是amd64

安装

sudo dpkg -i nginx_1.20.2-1~focal_amd64.deb

image.png

启动nginx测试

image.png

image.png

注意：安装可道云跟centos流程一样，但是不用装php，ubuntu内置php-7版本

注意：debian系统跟Ubuntu系统命令是一样的

openvpn

image.png

image.png

第1章 创建证书

1.安装秘钥工具

yum install easy-rsa -y

image.png

2.准备生成证书的变量文件

mkdir /opt/easy-rsa
cp -a /usr/share/easy-rsa/3.0.8/* /opt/easy-rsa/
cat >> /opt/easy-rsa/vars <<EOF
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="oldboy"
export KEY_EMAIL="526195417@qq.com"
EOF

image.png

3.生成初始化证书

1.初始化,在当前目录创建PKI目录,用于存储证书

cd /opt/easy-rsa/
./easyrsa init-pki

image.png

2.创建根证书,会提示设置密码,大于4位,用于ca对之后生成的server和client证书签名时使用,其他可默认

./easyrsa build-ca

image.png

3.创建server端证书和私钥文件,nopass表示不加密私钥文件,其他可默认

./easyrsa gen-req server nopass

image.png

4.给server端证书签名,首先是对一些信息的确认,可以输入yes,然后创建ca根证书时设置的密码

./easyrsa sign server server

image.png

5.创建Diffie-Hellman文件,秘钥交换时的Diffie-Hellman算法

./easyrsa gen-dh

image.png

image.png

6.创建client端证书和私钥文件,nopass表示不加密私钥文件,其他可默认

./easyrsa gen-req client nopass

image.png

7.给client端证书签名 首先是对一些信息的确认,可以输入yes,然后创建ca根证书时设置的密码

./easyrsa sign client client

image.png

4.检查证书
ls /opt/easy-rsa/pki/ca.crt
ls /opt/easy-rsa/pki/reqs/server.req
ls /opt/easy-rsa/pki/private/server.key
ls /opt/easy-rsa/pki/issued/server.crt
ls /opt/easy-rsa/pki/dh.pem
ls /opt/easy-rsa/pki/reqs/client.req
ls /opt/easy-rsa/pki/private/client.key
ls /opt/easy-rsa/pki/issued/client.crt

image.png

第2章 openvpn服务端配置
1.安装openvpn服务端
yum install openvpn -y

image.png

2.准备证书和目录
mkdir /etc/openvpn/logs -p
\cp /opt/easy-rsa/pki/ca.crt /etc/openvpn/server/
\cp /opt/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
\cp /opt/easy-rsa/pki/private/server.key /etc/openvpn/server/
\cp /opt/easy-rsa/pki/dh.pem /etc/openvpn/server/
\cp /opt/easy-rsa/pki/ca.crt /etc/openvpn/client/
\cp /opt/easy-rsa/pki/private/client.key /etc/openvpn/client/
\cp /opt/easy-rsa/pki/issued/client.crt /etc/openvpn/client/

image.png

3.创建配置文件
cat >/etc/openvpn/server.conf <<EOF
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
ifconfig-pool-persist /etc/openvpn/logs/ipp.txt
keepalive 10 120
max-clients 100
status /etc/openvpn/logs/openvpn-status.log
verb 3
client-to-client
log /etc/openvpn/logs/openvpn.log
persist-key
persist-tun
duplicate-cn
EOF

image.png

4.开启内核转发
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
systemctl restart network

5.设置防火墙
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 172.16.1.0/24 -j SNAT --to-source 172.16.1.61

6.启动服务端
systemctl enable openvpn@server.service
systemctl start openvpn@server.service

image.png

第3章 客户端安装
1.windows下客户端安装
下载安装openvpn软件
将配置文件放到软件的安装目录下的config目录下
点击连接按钮

2.创建客户端文件
client
dev tun
proto tcp
remote 10.0.0.61 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
verb 3
persist-key

image.png

后缀名是ovpn
发送到电脑设置目录里面

image.png

image.png

image.png

打开openvpn
注意：以管理员方式运行

image.png

连接成功

image.png

ping测试

image.png

第4章 设置账号密码
1.服务端创建密码认证脚本

cat > /etc/openvpn/checkpsw.sh <<'EOF'
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/logs/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >>  ${LOG_FILE}
  exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username="${username}", password=

"${password}"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username="${username}"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username="${username}", password=

"${password}"." >> ${LOG_FILE}
exit 1
EOF

chmod +x /etc/openvpn/checkpsw.sh

image.png

2.服务端创建密码文件
cat >/etc/openvpn/psw-file <<EOF
zhangya 123456
EOF

路由表查看

image.png

3.创建用户指定的IP地址
也可以手动配ip地址给zhangya用户
但是10.8.0.5 和10.8.0.6已经使用了

image.png

image.png

mkdir /etc/openvpn/ccd/ -p
cat >/etc/openvpn/ccd/zhangya <<EOF
ifconfig-push 10.8.0.9 10.8.0.10
EOF

image.png

4.修改服务端配置以支持密码认证
cat >/etc/openvpn/server.conf<<EOF
port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem

server 10.8.0.0 255.255.255.0

push "route 172.16.1.0 255.255.255.0"

keepalive 10 120
max-clients 100
verb 3
client-to-client
persist-key
persist-tun
duplicate-cn
ifconfig-pool-persist /etc/openvpn/logs/ipp.txt
log /etc/openvpn/logs/openvpn.log
status /etc/openvpn/logs/openvpn-status.log

client-config-dir ccd
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
script-security 3
EOF
systemctl restart openvpn@server.service

image.png

image.png

5.客户端配置
client
dev tun
proto tcp
remote 10.0.0.61 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
verb 3
persist-key
auth-user-pass pass.txt

image.png

6.客户端创建密码文件
zhangya
123456

image.png

删除离职员工账号
把里面文本内容删除就行了

image.png

自动化牛逼脚本

#!/bin/bash
#
# https://github.com/Nyr/openvpn-install
#
# Copyright (c) 2013 Nyr. Released under the MIT License.


if grep -qs "Ubuntu 16.04" "/etc/os-release"; then
    echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604'
    exit
fi

# Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -q "dash"; then
    echo "This script needs to be run with bash, not sh"
    exit
fi

if [[ "$EUID" -ne 0 ]]; then
    echo "Sorry, you need to run this as root"
    exit
fi

if [[ ! -e /dev/net/tun ]]; then
    echo "The TUN device is not available
You need to enable TUN before running this script"
    exit
fi

if [[ -e /etc/debian_version ]]; then
    OS=debian
    GROUPNAME=nogroup
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
    OS=centos
    GROUPNAME=nobody
else
    echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
    exit
fi

newclient () {
    # Generates the custom client.ovpn
    cp /etc/openvpn/server/client-common.txt ~/$1.ovpn
    echo "<ca>" >> ~/$1.ovpn
    cat /etc/openvpn/server/easy-rsa/pki/ca.crt >> ~/$1.ovpn
    echo "</ca>" >> ~/$1.ovpn
    echo "<cert>" >> ~/$1.ovpn
    sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
    echo "</cert>" >> ~/$1.ovpn
    echo "<key>" >> ~/$1.ovpn
    cat /etc/openvpn/server/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
    echo "</key>" >> ~/$1.ovpn
    echo "<tls-auth>" >> ~/$1.ovpn
    sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key >> ~/$1.ovpn
    echo "</tls-auth>" >> ~/$1.ovpn
}

if [[ -e /etc/openvpn/server/server.conf ]]; then
    while :
    do
    clear
        echo "Looks like OpenVPN is already installed."
        echo
        echo "What do you want to do?"
        echo "   1) Add a new user"
        echo "   2) Revoke an existing user"
        echo "   3) Remove OpenVPN"
        echo "   4) Exit"
        read -p "Select an option [1-4]: " option
        case $option in
            1) 
            echo
            echo "Tell me a name for the client certificate."
            echo "Please, use one word only, no special characters."
            read -p "Client name: " -e CLIENT
            cd /etc/openvpn/server/easy-rsa/
            EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
            # Generates the custom client.ovpn
            newclient "$CLIENT"
            echo
            echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn"
            exit
            ;;
            2)
            # This option could be documented a bit better and maybe even be simplified
            # ...but what can I say, I want some sleep too
            NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
            if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
                echo
                echo "You have no existing clients!"
                exit
            fi
            echo
            echo "Select the existing client certificate you want to revoke:"
            tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
            if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
                read -p "Select one client [1]: " CLIENTNUMBER
            else
                read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
            fi
            CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
            echo
            read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE
            if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then
                cd /etc/openvpn/server/easy-rsa/
                ./easyrsa --batch revoke $CLIENT
                EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
                rm -f pki/reqs/$CLIENT.req
                rm -f pki/private/$CLIENT.key
                rm -f pki/issued/$CLIENT.crt
                rm -f /etc/openvpn/server/crl.pem
                cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
                # CRL is read with each client connection, when OpenVPN is dropped to nobody
                chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
                echo
                echo "Certificate for client $CLIENT revoked!"
            else
                echo
                echo "Certificate revocation for client $CLIENT aborted!"
            fi
            exit
            ;;
            3) 
            echo
            read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE
            if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then
                PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
                PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
                if pgrep firewalld; then
                    IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
                    IP_LAN=$(ifconfig eth1|awk 'NR==2{print $2}')
                    # Using both permanent and not permanent rules to avoid a firewalld reload.
                    firewall-cmd --remove-port=$PORT/$PROTOCOL
                    firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
                    firewall-cmd --permanent --remove-port=$PORT/$PROTOCOL
                    firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
                    firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP_LAN
                    firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP_LAN
                else
                    systemctl disable --now openvpn-iptables.service
                    rm -f /etc/systemd/system/openvpn-iptables.service
                fi
                if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
                    semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
                fi
                systemctl disable --now openvpn-server@server.service
                rm -rf /etc/openvpn/server
                rm -f /etc/sysctl.d/30-openvpn-forward.conf
                if [[ "$OS" = 'debian' ]]; then
                    apt-get remove --purge -y openvpn
                else
                    yum remove openvpn -y
                fi
                echo
                echo "OpenVPN removed!"
            else
                echo
                echo "Removal aborted!"
            fi
            exit
            ;;
            4) exit;;
        esac
    done
else
    clear
    echo 'Welcome to this OpenVPN "road warrior" installer!'
    echo
    # OpenVPN setup and first user creation
    echo "I need to ask you a few questions before starting the setup."
    echo "You can leave the default options and just press enter if you are ok with them."
    echo
    echo "First, provide the IPv4 address of the network interface you want OpenVPN"
    echo "listening to."
    # Autodetect IP address and pre-fill for the user
    IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
    IP_LAN=$(ifconfig eth1|awk 'NR==2{print $2}')
    read -p "IP address: " -e -i $IP IP
    # If $IP is a private IP address, the server must be behind NAT
    if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
        echo
        echo "This server is behind NAT. What is the public IPv4 address or hostname?"
        read -p "Public IP address / hostname: " -e -i $IP PUBLICIP
    fi
    echo
    echo "Which protocol do you want for OpenVPN connections?"
    echo "   1) UDP (recommended)"
    echo "   2) TCP"
    read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
    case $PROTOCOL in
        1) 
        PROTOCOL=udp
        ;;
        2) 
        PROTOCOL=tcp
        ;;
    esac
    echo
    echo "What port do you want OpenVPN listening to?"
    read -p "Port: " -e -i 1194 PORT
    echo
    echo "Which DNS do you want to use with the VPN?"
    echo "   1) Current system resolvers"
    echo "   2) 1.1.1.1"
    echo "   3) Google"
    echo "   4) OpenDNS"
    echo "   5) Verisign"
    read -p "DNS [1-5]: " -e -i 1 DNS
    echo
    echo "Finally, tell me your name for the client certificate."
    echo "Please, use one word only, no special characters."
    read -p "Client name: " -e -i client CLIENT
    echo
    echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
    read -n1 -r -p "Press any key to continue..."
    if [[ "$OS" = 'debian' ]]; then
        apt-get update
        apt-get install openvpn iptables openssl ca-certificates -y
    else
        # Else, the distro is CentOS
        yum install epel-release -y
        yum install openvpn iptables openssl ca-certificates -y
    fi
    # Get easy-rsa
    EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
    wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
    tar xzf ~/easyrsa.tgz -C ~/
    mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
    mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
    chown -R root:root /etc/openvpn/server/easy-rsa/
    rm -f ~/easyrsa.tgz
    cd /etc/openvpn/server/easy-rsa/
    # Create the PKI, set up the CA and the server and client certificates
    ./easyrsa init-pki
    ./easyrsa --batch build-ca nopass
    EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
    EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
    EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
    # Move the stuff we need
    cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
    # CRL is read with each client connection, when OpenVPN is dropped to nobody
    chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
    # Generate key for tls-auth
    openvpn --genkey --secret /etc/openvpn/server/ta.key
    # Create the DH parameters file using the predefined ffdhe2048 group
    echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
    # Generate server.conf
    echo "port $PORT
proto $PROTOCOL
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
NETWORK=$(echo "172.16.1.61"|sed -r 's#([0-9]+.[0-9]+.[0-9]+).[0-9]+$#\1.0#g')
echo "push \"route ${NETWORK} 255.255.255.0\"" >> /etc/openvpn/server/server.conf
    #change by zhangya 20190628
    #echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
    # DNS
    #case $DNS in
    #   1)
    #   # Locate the proper resolv.conf
    #   # Needed for systems running systemd-resolved
    #   if grep -q "127.0.0.53" "/etc/resolv.conf"; then
    #       RESOLVCONF='/run/systemd/resolve/resolv.conf'
    #   else
    #       RESOLVCONF='/etc/resolv.conf'
    #   fi
    #   # Obtain the resolvers from resolv.conf and use them for OpenVPN
    #    # change by zhangya 20190628
    #   #grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
    #   #   echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
    #   #done
    #   ;;
    #   2)
    #   echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
    #   echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
    #   ;;
    #   3)
    #   echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
    #   echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
    #   ;;
    #   4)
    #   echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
    #   echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
    #   ;;
    #   5)
    #   echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
    #   echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
    #   ;;
    #esac
    echo "keepalive 10 120
cipher AES-256-CBC
user nobody
group $GROUPNAME
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server/server.conf
    # Enable net.ipv4.ip_forward for the system
    echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
    # Enable without waiting for a reboot or service restart
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if pgrep firewalld; then
        # Using both permanent and not permanent rules to avoid a firewalld
        # reload.
        # We don't use --add-service=openvpn because that would only work with
        # the default port and protocol.
        firewall-cmd --add-port=$PORT/$PROTOCOL
        firewall-cmd --zone=trusted --add-source=10.8.0.0/24
        firewall-cmd --permanent --add-port=$PORT/$PROTOCOL
        firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
        # Set NAT for the VPN subnet
        firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP_LAN
        firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP_LAN
    else
        # Create a service to set up persistent iptables rules
        echo "[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP_LAN
ExecStart=/sbin/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP_LAN
ExecStop=/sbin/iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
        systemctl enable --now openvpn-iptables.service
    fi
    # If SELinux is enabled and a custom port was selected, we need this
    if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
        # Install semanage if not already present
        if ! hash semanage 2>/dev/null; then
            if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then
                yum install policycoreutils-python -y
            else
                yum install policycoreutils-python-utils -y
            fi
        fi
        semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
    fi
    # And finally, enable and start the OpenVPN service
    systemctl enable --now openvpn-server@server.service
    # If the server is behind a NAT, use the correct IP address
    if [[ "$PUBLICIP" != "" ]]; then
        IP=$PUBLICIP
    fi
    # client-common.txt is created so we have a template to add further users later
    echo "client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3" > /etc/openvpn/server/client-common.txt
    # Generates the custom client.ovpn
    newclient "$CLIENT"
    echo
    echo "Finished!"
    echo
    echo "Your client configuration is available at:" ~/"$CLIENT.ovpn"
    echo "If you want to add more clients, you simply need to run this script again!"
fi

image.png