OpenVPN 是Linux下开源VPN的应用,提供了良好的性能和友好的用户GUI。
OpenVPN 是一个基于 OpenSSL 库的应用层 VPN 实现。和传统 VPN 相比,它的优点是简单易用。
OpenVPN允许参与建立VPN的单点使用共享密钥,电子证书,或者用户名/密码来进行身份验证。
OpenVPN支持在各种系统,如:Linux、Windows、Mac OS X、Solaris、OpenBSD、FreeBSD、NetBSD上运行,并包含了许多安全性的功能。它并不是一个基于Web的VPN软件,也不与IPsec及其他VPN软件包兼容。
https://openvpn.net/
https://github.com/OpenVPN/openvpnOpenVPN 常见适用场景
- 实现远程主机到内网的连接
- 实现多个远程主机之间的连接
1、部署环境
![图片[1]-部署OpenVPN-李佳程的个人主页](http://www.lijiach.com/wp-content/uploads/2022/11/image-146.png)
2、安装 OpenVPN 软件包
2.1、安装 OpenVPN 和证书工具
# 查看安装包版本
[root@openvpn ~]# yum list openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
openvpn.x86_64 2.4.12-1.el7 local_epel
[root@openvpn ~]# yum list easy-rsa
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
easy-rsa.noarch 3.0.8-1.el7 local_epel
# 使用本地的epel源安装openvpn和证书工具
[root@openvpn ~]# yum install -y openvpn easy-rsa
# 开启流量转发
[root@openvpn ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@openvpn ~]# sysctl -p
net.ipv4.ip_forward = 1
2.2、查看包中相关文件
[root@openvpn ~]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/doc/openvpn-2.4.12
/usr/share/doc/openvpn-2.4.12/AUTHORS
/usr/share/doc/openvpn-2.4.12/COPYING
/usr/share/doc/openvpn-2.4.12/COPYRIGHT.GPL
/usr/share/doc/openvpn-2.4.12/ChangeLog
/usr/share/doc/openvpn-2.4.12/Changes.rst
/usr/share/doc/openvpn-2.4.12/README
/usr/share/doc/openvpn-2.4.12/README.auth-pam
/usr/share/doc/openvpn-2.4.12/README.down-root
/usr/share/doc/openvpn-2.4.12/README.systemd
/usr/share/doc/openvpn-2.4.12/contrib
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check
/usr/share/doc/openvpn-2.4.12/contrib/OCSP_check/OCSP_check.sh
/usr/share/doc/openvpn-2.4.12/contrib/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/README
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down
/usr/share/doc/openvpn-2.4.12/contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.down
/usr/share/doc/openvpn-2.4.12/contrib/pull-resolv-conf/client.up
/usr/share/doc/openvpn-2.4.12/management-notes.txt
/usr/share/doc/openvpn-2.4.12/sample
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/README
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/firewall.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/home.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-client
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/loopback-server
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/office.up
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-shutdown.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/openvpn-startup.sh
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-client.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/roadwarrior-server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/static-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-home.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/tls-office.conf
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-client-config
/usr/share/doc/openvpn-2.4.12/sample/sample-config-files/xinetd-server-config
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/auth-pam.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-start
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/bridge-stop
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/ucn.pl
/usr/share/doc/openvpn-2.4.12/sample/sample-scripts/verify-cn
/usr/share/doc/openvpn-2.4.12/sample/sample-windows
/usr/share/doc/openvpn-2.4.12/sample/sample-windows/sample.ovpn
/usr/share/man/man8/openvpn.8.gz
/var/lib/openvpn[root@openvpn ~]# rpm -ql easy-rsa
/usr/share/doc/easy-rsa-3.0.8
/usr/share/doc/easy-rsa-3.0.8/COPYING.md
/usr/share/doc/easy-rsa-3.0.8/ChangeLog
/usr/share/doc/easy-rsa-3.0.8/README.md
/usr/share/doc/easy-rsa-3.0.8/README.quickstart.md
/usr/share/doc/easy-rsa-3.0.8/vars.example
/usr/share/easy-rsa
/usr/share/easy-rsa/3
/usr/share/easy-rsa/3.0
/usr/share/easy-rsa/3.0.8
/usr/share/easy-rsa/3.0.8/easyrsa
/usr/share/easy-rsa/3.0.8/openssl-easyrsa.cnf
/usr/share/easy-rsa/3.0.8/x509-types
/usr/share/easy-rsa/3.0.8/x509-types/COMMON
/usr/share/easy-rsa/3.0.8/x509-types/ca
/usr/share/easy-rsa/3.0.8/x509-types/client
/usr/share/easy-rsa/3.0.8/x509-types/code-signing
/usr/share/easy-rsa/3.0.8/x509-types/email
/usr/share/easy-rsa/3.0.8/x509-types/kdc
/usr/share/easy-rsa/3.0.8/x509-types/server
/usr/share/easy-rsa/3.0.8/x509-types/serverClient
/usr/share/licenses/easy-rsa-3.0.8
/usr/share/licenses/easy-rsa-3.0.8/gpl-2.0.txt2.3、准备相关配置文件
# 生成服务器配置文件
[root@openvpn ~]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/
# 准备证书颁发相关文件
[root@openvpn ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-server
# 准备颁发证书相关变量的配置文件
[root@openvpn ~]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-server/3/vars
# 修改证书有效期
[root@openvpn ~]# vim /etc/openvpn/easy-rsa-server/3/vars
# 修改CA的证书的有效期,默认十年
set_var EASYRSA_CA_EXPIRE 36500
# 修改服务器证书有效期,默认825天
set_var EASYRSA_CERT_EXPIRE 3650
[root@openvpn ~]# tree /etc/openvpn/
/etc/openvpn/
├── client
├── easy-rsa-server
│ ├── 3 -> 3.0.8
│ ├── 3.0 -> 3.0.8
│ └── 3.0.8
│ ├── easyrsa
│ ├── openssl-easyrsa.cnf
│ ├── vars
│ └── x509-types
│ ├── ca
│ ├── client
│ ├── code-signing
│ ├── COMMON
│ ├── email
│ ├── kdc
│ ├── server
│ └── serverClient
├── server
└── server.conf
7 directories, 12 files
3、准备证书相关文件
3.1、初始化PKI和CA颁发机构环境
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
# 初始化数据,在当前目录下生成pki目录及相关文件
[root@openvpn 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-server/3/pki
[root@openvpn 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files3.2、创建 CA 机构环境
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# tree pki/
pki/
├── openssl-easyrsa.cnf
├── private
├── reqs
└── safessl-easyrsa.cnf
2 directories, 2 files[root@openvpn 3]# ./easyrsa build-ca nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
.................+++
.....+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: #回车接受默认值
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa-server/3/pki/ca.crt #生成自签名的证书文件
[root@openvpn 3]# tree pki
pki
├── ca.crt #生成的自签名的证书文件
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ └── ca.key #生成的私钥文件
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 7 files
# 查看生成CA相关的文件
[root@openvpn 3]# cat pki/serial
01
[root@openvpn 3]# ll pki/index.txt
-rw------- 1 root root 0 Nov 22 09:29 pki/index.txt
[root@openvpn 3]# ll pki/ca.crt pki/private/ca.key
-rw------- 1 root root 1176 Nov 22 09:29 pki/ca.crt
-rw------- 1 root root 1675 Nov 22 09:29 pki/private/ca.key
# 查看生成的自签名证书
[root@openvpn 3]# cat pki/ca.crt
-----BEGIN CERTIFICATE-----
MIIDNzCCAh+gAwIBAgIJAJrFCfS7xbc6MA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
BAMMC0Vhc3ktUlNBIENBMCAXDTIyMTEyMjAxMjk0NVoYDzIxMjIxMDI5MDEyOTQ1
WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAK7KTt9u+He5XVxazh8FW9qzilsT8tOPNCeShFAuwqvEwJQOUp1D
3bMZ671cSIba3M7IKGKIr/wn8J+wCYjIN7lrrTYPtniUUFydEhPm/fZX72wul/vH
tTUCFYCrvzxCVBlHSd7oAidmO4XLTNP9sV2ydqr3sqJJc+tN599EZcdvtOpNVWGD
hjZvDyml0TtB12+yas/kFIEfQBe+TE29DWJvWnU3a2bvQfJLTkEoouVhCxcNiGam
7l7h71i/inVKIeAW1EuzamW+Plcb81gVf3Xmtj+qZnEDJ4hXQacipbCrEb+s4vYP
8aaT1bEoJcz6YxCvyuImmdGkX1IXQCHbekkCAwEAAaOBhTCBgjAdBgNVHQ4EFgQU
zSIc1tQOMpLKWh+k84mJ4bCxYoAwRgYDVR0jBD8wPYAUzSIc1tQOMpLKWh+k84mJ
4bCxYoChGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBggkAmsUJ9LvFtzowDAYD
VR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAJl2EqbZ
uiTkvWYtmJTmCxW6yF7tajglTCFtZbnqytfuEnaVhkTDljM8EwcfA8GpCpXpgZFL
w+TDiIwkA6XmFHSELH6Njy2+JFP8PNeYh0X+RBLyvG8dA+gojJTlqwuqKAR1SFcL
HdkJSzq0LWWNnXX/sgDmeg4Toc7ac1aQVu57s6+o8JlfTRPzp5MdqYR6n/LSpKXx
7jYvMV66jKma5goQ2h1An/bo2Dr7qxXvaEkHYHfQs2TvmyTfQlR67tmQMYgzyToN
uayO7IsPtMDEoNnCzqCQLzzAXHyYTmimR7S7iSIK1KxajA3a22vrZtOAn9ZwErE+
UrK6QsgxpPbj7ng=
-----END CERTIFICATE-----[root@openvpn 3]# openssl x509 -in pki/ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9a:c5:09:f4:bb:c5:b7:3a
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Nov 22 01:29:45 2022 GMT
Not After : Oct 29 01:29:45 2122 GMT
Subject: CN=Easy-RSA CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:ca:4e:df:6e:f8:77:b9:5d:5c:5a:ce:1f:05:
5b:da:b3:8a:5b:13:f2:d3:8f:34:27:92:84:50:2e:
c2:ab:c4:c0:94:0e:52:9d:43:dd:b3:19:eb:bd:5c:
48:86:da:dc:ce:c8:28:62:88:af:fc:27:f0:9f:b0:
09:88:c8:37:b9:6b:ad:36:0f:b6:78:94:50:5c:9d:
12:13:e6:fd:f6:57:ef:6c:2e:97:fb:c7:b5:35:02:
15:80:ab:bf:3c:42:54:19:47:49:de:e8:02:27:66:
3b:85:cb:4c:d3:fd:b1:5d:b2:76:aa:f7:b2:a2:49:
73:eb:4d:e7:df:44:65:c7:6f:b4:ea:4d:55:61:83:
86:36:6f:0f:29:a5:d1:3b:41:d7:6f:b2:6a:cf:e4:
14:81:1f:40:17:be:4c:4d:bd:0d:62:6f:5a:75:37:
6b:66:ef:41:f2:4b:4e:41:28:a2:e5:61:0b:17:0d:
88:66:a6:ee:5e:e1:ef:58:bf:8a:75:4a:21:e0:16:
d4:4b:b3:6a:65:be:3e:57:1b:f3:58:15:7f:75:e6:
b6:3f:aa:66:71:03:27:88:57:41:a7:22:a5:b0:ab:
11:bf:ac:e2:f6:0f:f1:a6:93:d5:b1:28:25:cc:fa:
63:10:af:ca:e2:26:99:d1:a4:5f:52:17:40:21:db:
7a:49
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
CD:22:1C:D6:D4:0E:32:92:CA:5A:1F:A4:F3:89:89:E1:B0:B1:62:80
X509v3 Authority Key Identifier:
keyid:CD:22:1C:D6:D4:0E:32:92:CA:5A:1F:A4:F3:89:89:E1:B0:B1:62:80
DirName:/CN=Easy-RSA CA
serial:9A:C5:09:F4:BB:C5:B7:3A
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
99:76:12:a6:d9:ba:24:e4:bd:66:2d:98:94:e6:0b:15:ba:c8:
5e:ed:6a:38:25:4c:21:6d:65:b9:ea:ca:d7:ee:12:76:95:86:
44:c3:96:33:3c:13:07:1f:03:c1:a9:0a:95:e9:81:91:4b:c3:
e4:c3:88:8c:24:03:a5:e6:14:74:84:2c:7e:8d:8f:2d:be:24:
53:fc:3c:d7:98:87:45:fe:44:12:f2:bc:6f:1d:03:e8:28:8c:
94:e5:ab:0b:aa:28:04:75:48:57:0b:1d:d9:09:4b:3a:b4:2d:
65:8d:9d:75:ff:b2:00:e6:7a:0e:13:a1:ce:da:73:56:90:56:
ee:7b:b3:af:a8:f0:99:5f:4d:13:f3:a7:93:1d:a9:84:7a:9f:
f2:d2:a4:a5:f1:ee:36:2f:31:5e:ba:8c:a9:9a:e6:0a:10:da:
1d:40:9f:f6:e8:d8:3a:fb:ab:15:ef:68:49:07:60:77:d0:b3:
64:ef:9b:24:df:42:54:7a:ee:d9:90:31:88:33:c9:3a:0d:b9:
ac:8e:ec:8b:0f:b4:c0:c4:a0:d9:c2:ce:a0:90:2f:3c:c0:5c:
7c:98:4e:68:a6:47:b4:bb:89:22:0a:d4:ac:5a:8c:0d:da:db:
6b:eb:66:d3:80:9f:d6:70:12:b1:3e:52:b2:ba:42:c8:31:a4:
f6:e3:ee:783.3、创建服务端证书申请
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
# 创建服务器证书申请文件,其中server是文件前缀
[root@openvpn 3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
..................+++
...........................+++
writing new private key to '/etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1845.fRAIFB/tmp.Yjy4HU'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: #默认值,直接回车
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-server/3/pki/reqs/server.req #生成请求文件
key: /etc/openvpn/easy-rsa-server/3/pki/private/server.key #生成私钥文件
[root@openvpn 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
├── index.txt
├── index.txt.attr
├── issued
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
└── serial
12 directories, 9 files
3.4、颁发服务端证书
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
# 将上面server.req的申请,颁发server类型的证书
# 第一个server表示证书的类型,第二个server表示请求文件名的前缀
[root@openvpn 3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days: #有效期
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #输入yes回车
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-1873.lrlaOB/tmp.WBGwGk
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Nov 19 01:36:36 2032 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt
#生
成服务器证书文件
# 验证结果
[root@openvpn 3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
│ └── 44698F16A97DB0D25CF758CB4AE07E84.pem #生成的服务器证书文件
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt #生成的服务器证书文件
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 14 files
[root@openvpn 3]# diff pki/certs_by_serial/44698F16A97DB0D25CF758CB4AE07E84.pem pki/issued/server.crt
[root@openvpn 3]# ll !*
ll pki/certs_by_serial/44698F16A97DB0D25CF758CB4AE07E84.pem pki/issued/server.crt
-rw------- 1 root root 4547 Nov 22 09:36 pki/certs_by_serial/44698F16A97DB0D25CF758CB4AE07E84.pem
-rw------- 1 root root 4547 Nov 22 09:36 pki/issued/server.crt
[root@openvpn 3]# cat pki/issued/server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
44:69:8f:16:a9:7d:b0:d2:5c:f7:58:cb:4a:e0:7e:84
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Nov 22 01:36:36 2022 GMT
Not After : Nov 19 01:36:36 2032 GMT
Subject: CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a9:54:f8:54:aa:28:76:f6:a1:a6:d6:0c:13:8c:
22:08:82:58:20:91:96:0c:70:41:74:5e:56:98:30:
c8:61:aa:44:5f:a5:11:7f:c7:03:83:3c:36:5e:dc:
2c:3b:db:c7:73:16:93:6c:4c:82:ac:62:a3:95:93:
9d:33:2f:ff:57:4b:65:a4:8b:3b:5d:f6:7e:23:49:
4f:0f:c2:a6:67:d4:1c:b4:7d:5d:60:c6:04:a5:71:
c9:b4:61:73:a4:8c:db:bb:f1:c5:8e:62:2e:77:06:
87:72:e1:b6:f5:54:23:d9:e3:f9:1f:8e:ab:1b:28:
c9:58:5d:66:92:52:9c:f4:e2:37:47:19:92:c8:6b:
67:4d:b4:29:90:a6:f0:97:15:ea:c4:b6:f8:e4:16:
34:75:f7:36:39:62:f7:23:48:2e:16:84:69:85:8a:
82:e1:86:dc:df:47:23:fa:ad:19:b2:25:a6:e9:2f:
e7:ce:24:de:27:90:85:37:72:07:77:55:9e:b4:75:
ea:13:8c:69:0f:67:d2:4b:47:73:73:53:b5:a4:2c:
40:f4:d3:9f:85:4a:80:8f:84:af:f2:2b:70:2f:09:
f2:b8:01:8e:4a:48:39:4c:5b:63:8a:cb:14:58:8b:
c5:1e:c8:6d:77:c8:51:e7:47:03:f2:68:51:9f:ff:
e1:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
DF:E7:BC:F3:D4:62:B7:EF:D3:15:AE:95:95:1C:DB:B8:4A:41:AC:AE
X509v3 Authority Key Identifier:
keyid:CD:22:1C:D6:D4:0E:32:92:CA:5A:1F:A4:F3:89:89:E1:B0:B1:62:80
DirName:/CN=Easy-RSA CA
serial:9A:C5:09:F4:BB:C5:B7:3A
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:server
Signature Algorithm: sha256WithRSAEncryption
a0:c3:4b:d9:00:9b:61:c5:b4:81:71:74:17:73:18:8e:77:aa:
11:66:a2:d8:d8:cc:5d:34:39:b5:ba:ac:8d:e1:dc:bb:9b:b9:
8b:7a:2b:da:5e:19:38:cf:74:35:be:69:2b:fa:6c:26:8e:7e:
dd:ab:b0:da:07:32:92:c1:e2:16:3d:ac:64:9a:a4:9f:15:43:
82:ab:c3:1c:b3:1d:8b:a7:23:8c:1b:91:6d:0d:08:09:cc:db:
d4:77:e6:d7:43:27:50:85:cd:15:ad:8a:b8:62:44:16:23:fd:
00:fe:e3:0d:04:8c:27:ec:72:ce:d5:93:31:07:ee:30:12:fc:
e7:85:7d:36:36:89:33:67:6b:8a:72:a6:09:6c:48:20:08:ec:
0b:43:09:cf:be:ea:c4:08:2f:87:bf:8d:4e:37:d4:ca:a6:4c:
7e:c0:ea:4d:ee:28:39:93:f3:e8:24:c6:26:b8:bc:85:b0:71:
55:e0:8c:fc:24:81:19:c9:39:3b:76:a2:ba:37:ce:2b:89:05:
3b:26:7f:b2:fa:16:12:64:cf:db:aa:dc:aa:e0:1d:c4:28:2f:
84:23:c4:cf:33:1b:0e:31:cd:29:2e:cd:23:4a:5a:58:8e:32:
00:f4:71:1f:8c:04:12:a6:a2:64:4e:bd:a2:28:de:54:e1:bf:
c3:3d:cc:8e
-----BEGIN CERTIFICATE-----
MIIDXDCCAkSgAwIBAgIQRGmPFql9sNJc91jLSuB+hDANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0yMjExMjIwMTM2MzZaFw0zMjExMTkw
MTM2MzZaMBExDzANBgNVBAMMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKlU+FSqKHb2oabWDBOMIgiCWCCRlgxwQXReVpgwyGGqRF+lEX/H
A4M8Nl7cLDvbx3MWk2xMgqxio5WTnTMv/1dLZaSLO132fiNJTw/CpmfUHLR9XWDG
BKVxybRhc6SM27vxxY5iLncGh3LhtvVUI9nj+R+OqxsoyVhdZpJSnPTiN0cZkshr
Z020KZCm8JcV6sS2+OQWNHX3Njli9yNILhaEaYWKguGG3N9HI/qtGbIlpukv584k
3ieQhTdyB3dVnrR16hOMaQ9n0ktHc3NTtaQsQPTTn4VKgI+Er/IrcC8J8rgBjkpI
OUxbY4rLFFiLxR7IbXfIUedHA/JoUZ//4R8CAwEAAaOBqjCBpzAJBgNVHRMEAjAA
MB0GA1UdDgQWBBTf57zz1GK379MVrpWVHNu4SkGsrjBGBgNVHSMEPzA9gBTNIhzW
1A4ykspaH6TziYnhsLFigKEapBgwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0GCCQCa
xQn0u8W3OjATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwEQYDVR0R
BAowCIIGc2VydmVyMA0GCSqGSIb3DQEBCwUAA4IBAQCgw0vZAJthxbSBcXQXcxiO
d6oRZqLY2MxdNDm1uqyN4dy7m7mLeivaXhk4z3Q1vmkr+mwmjn7dq7DaBzKSweIW
PaxkmqSfFUOCq8Mcsx2LpyOMG5FtDQgJzNvUd+bXQydQhc0VrYq4YkQWI/0A/uMN
BIwn7HLO1ZMxB+4wEvznhX02NokzZ2uKcqYJbEggCOwLQwnPvurECC+Hv41ON9TK
pkx+wOpN7ig5k/PoJMYmuLyFsHFV4Iz8JIEZyTk7dqK6N84riQU7Jn+y+hYSZM/b
qtyq4B3EKC+EI8TPMxsOMc0pLs0jSlpYjjIA9HEfjAQSpqJkTr2iKN5U4b/DPcyO
-----END CERTIFICATE-----
# 查看证书相关文件
[root@openvpn 3]# cat pki/serial
44698F16A97DB0D25CF758CB4AE07E85
[root@openvpn 3]# cat pki/index.txt
V 321119013636Z 44698F16A97DB0D25CF758CB4AE07E84 unknown /CN=server
[root@openvpn 3]# cat pki/serial.old
44698f16a97db0d25cf758cb4ae07e843.5、创建 Diffie-Hellman 密钥
# Diffie-Hellman 算法说明
Diffie-Hellman 密钥交换方法是迪菲(Whitefield Diffie)和赫尔曼(Martin Hellman)在1976
年公布的一种秘钥交换算法,它是一种建立秘钥的方法,而不是加密方法,所以秘钥必须和其他一种加密算法
结合使用。这种密钥交换技术的目的在于使两个用户安全地交换一个密钥,用此密钥做为对称密钥来加密后续
的报文传输。# 创建 Diffie-Hellman 密钥
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................................................................+.........................................................................................................................................................++*++* # 需要等待
DH parameters of size 2048 created at /etc/openvpn/easy-rsa-server/3/pki/dh.pem# 查看生成的文件
[root@openvpn 3]# ll pki/dh.pem
-rw------- 1 root root 424 Nov 22 09:42 pki/dh.pem
[root@openvpn 3]# cat pki/dh.pem
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA9c3vFFKsn4nU5c7S0VJWqrCfuJyxbd/yPSFEIcfMmu3pVSIW8p1g
+hfdiv/VD5pTdb9vkdgr/Rk7jdLRQkoNQ8bXwhopEpiuShDpeThqz2p5ubR4dlGP
r7COthOSvYCobJztn68IbVBtdP6t9PafaI6hUCDJsftTfIvKTaAq3K0MMMLHBPAr
0W7Rw6qzyl1FpXqNcGSlyhhCvEb+BU2utVwhvbzMwBrMWKHy+e7VO4aLan5NH8KW
jWfjtAH44o9hI+hBEAPnjcmrqJXuYr20LMxmdiMnZ02fwCPqCfcA9xZJyHNmwuC7
KJKYA8pEoLZ6XvC9wAfakWZ/ZzUPfFm1gwIBAg==
-----END DH PARAMETERS-----
3.6、准备客户端证书环境
[root@openvpn ~]# cp -a /usr/share/easy-rsa/ /etc/openvpn/easy-rsa-client
[root@openvpn ~]# cd /etc/openvpn/easy-rsa-client/3
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-client/3
[root@openvpn 3]# cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa-client/3/vars
[root@openvpn 3]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
[root@openvpn 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
1 directory, 11 files#生成证书申请所需目录pki和文件
[root@openvpn 3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa-client/3/pki
[root@openvpn 3]# tree
.
├── easyrsa
├── openssl-easyrsa.cnf
├── pki
│ ├── openssl-easyrsa.cnf
│ ├── private
│ ├── reqs
│ └── safessl-easyrsa.cnf
├── vars
└── x509-types
├── ca
├── client
├── code-signing
├── COMMON
├── email
├── kdc
├── server
└── serverClient
4 directories, 13 files3.7、创建客户端证书申请
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-client/3
# 生成客户端用户的证书申请
[root@openvpn 3]# ./easyrsa gen-req lijiacheng nopass
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-client/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.................+++
...........................................................+++
writing new private key to '/etc/openvpn/easy-rsa-client/3/pki/easy-rsa-2086.AaLiqT/tmp.O1Y9H4'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [lijiacheng]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa-client/3/pki/reqs/lijiacheng.req
key: /etc/openvpn/easy-rsa-client/3/pki/private/lijiacheng.key
[root@openvpn 3]# tree pki/
pki/
├── openssl-easyrsa.cnf
├── private
│ └── lijiacheng.key #证书申请文件
├── reqs
│ └── lijiacheng.req #私钥文件
└── safessl-easyrsa.cnf
2 directories, 4 files3.8、颁发客户端证书
[root@openvpn 3]# cd /etc/openvpn/easy-rsa-server/3
[root@openvpn 3]# pwd
/etc/openvpn/easy-rsa-server/3
# 将客户端证书请求文件复制到CA的工作目录
[root@openvpn 3]# ./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/lijiacheng.req lijiacheng
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: lijiacheng
You may now use this name to perform signing operations on this request.
[root@openvpn 3]# tree pki
pki
├── ca.crt
├── certs_by_serial
│ └── 44698F16A97DB0D25CF758CB4AE07E84.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── lijiacheng.req #导入文件
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 16 files
[root@openvpn 3]# ll pki/reqs/lijiacheng.req /etc/openvpn/easy-rsa-client/3/pki/reqs/lijiacheng.req
-rw------- 1 root root 891 Nov 22 09:52 /etc/openvpn/easy-rsa-client/3/pki/reqs/lijiacheng.req
-rw------- 1 root root 891 Nov 22 09:54 pki/reqs/lijiacheng.req# 修改给客户端颁发的证书的有效期
[root@openvpn 3]# vim vars
# 建议修改给客户端颁发证书的有效期,可适当减少,比如:90天
set_var EASYRSA_CERT_EXPIRE 90
# 颁发客户端证书
[root@openvpn 3]# ./easyrsa sign client lijiacheng
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa-server/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 90 days:
subject=
commonName = lijiacheng
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes #输入yes后回车
Using configuration from /etc/openvpn/easy-rsa-server/3/pki/easy-rsa-2206.Gb6UeQ/tmp.lbqCSb
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'lijiacheng'
Certificate is to be certified until Feb 20 01:57:44 2023 GMT (90 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa-server/3/pki/issued/lijiacheng.crt
[root@openvpn 3]# tree pki/
pki/
├── ca.crt
├── certs_by_serial
│ ├── 44698F16A97DB0D25CF758CB4AE07E84.pem
│ └── 8053A30ECBB33E7440E0059F0BBF0B9E.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│ ├── lijiacheng.crt #生成客户端证书
│ └── server.crt
├── openssl-easyrsa.cnf
├── private
│ ├── ca.key
│ └── server.key
├── renewed
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── reqs
│ ├── lijiacheng.req
│ └── server.req
├── revoked
│ ├── certs_by_serial
│ ├── private_by_serial
│ └── reqs_by_serial
├── safessl-easyrsa.cnf
├── serial
└── serial.old
12 directories, 18 files[root@openvpn 3]# cat pki/index.txt
V 321119013636Z 44698F16A97DB0D25CF758CB4AE07E84 unknown /CN=server
V 230220015744Z 8053A30ECBB33E7440E0059F0BBF0B9E unknown /CN=lijiacheng
[root@openvpn 3]# ll pki/issued/
total 16
-rw------- 1 root root 4444 Nov 22 09:57 lijiacheng.crt
-rw------- 1 root root 4547 Nov 22 09:36 server.crt
[root@openvpn 3]# ll pki/certs_by_serial/
total 16
-rw------- 1 root root 4547 Nov 22 09:36 44698F16A97DB0D25CF758CB4AE07E84.pem
-rw------- 1 root root 4444 Nov 22 09:57 8053A30ECBB33E7440E0059F0BBF0B9E.pem
[root@openvpn 3]# cat pki/issued/lijiacheng.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
80:53:a3:0e:cb:b3:3e:74:40:e0:05:9f:0b:bf:0b:9e
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA CA
Validity
Not Before: Nov 22 01:57:44 2022 GMT
Not After : Feb 20 01:57:44 2023 GMT
Subject: CN=lijiacheng
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:4c:60:5d:b9:ce:f5:46:91:41:c1:01:3e:50:
0f:53:46:0f:ee:90:3c:17:f3:2e:10:3e:f5:00:bb:
f4:1d:e8:ca:00:90:f0:94:25:b2:30:ca:a1:59:ad:
90:a0:db:9f:1a:79:7a:a2:c8:ab:02:b4:24:46:29:
66:57:a6:71:0b:67:34:d8:38:f7:ae:66:b8:c9:4d:
c8:7c:55:06:c0:fe:c5:e5:76:67:f8:bc:30:f4:5b:
a7:46:dc:76:6d:d7:8b:6c:d9:30:4e:a9:77:24:e2:
e7:7e:82:21:33:c0:08:e3:a6:59:01:c7:f1:71:46:
b0:8e:96:6d:99:38:d8:99:f0:76:b2:51:46:7b:95:
24:cd:25:50:11:d4:51:7a:66:11:75:51:b4:f7:45:
a6:de:fa:69:9e:06:a7:3b:dd:df:94:b7:9c:cb:03:
12:4a:5b:1f:26:ef:7d:3e:5d:f1:f0:e8:f7:34:f7:
60:53:dc:8f:23:e0:17:48:f4:51:46:39:af:cb:ef:
e6:ce:27:c1:e8:f0:4b:21:e0:3a:36:7c:23:76:5b:
68:dd:95:24:12:71:b8:f8:f3:a7:fb:72:09:81:87:
e1:69:88:82:d4:2f:b6:5b:84:a1:1b:1c:94:be:f3:
d5:a9:37:f3:55:6e:59:80:ad:2e:6a:0a:9d:f4:22:
44:ab
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
F4:47:67:13:FE:41:F3:21:74:2C:C4:3B:22:D9:DC:EA:F4:FE:E3:A6
X509v3 Authority Key Identifier:
keyid:CD:22:1C:D6:D4:0E:32:92:CA:5A:1F:A4:F3:89:89:E1:B0:B1:62:80
DirName:/CN=Easy-RSA CA
serial:9A:C5:09:F4:BB:C5:B7:3A
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
8e:b3:ab:6d:bf:1b:54:15:cb:e7:80:c7:45:e7:50:21:02:4b:
fa:ac:bc:cd:39:19:fb:71:92:a6:da:50:b8:a2:7e:65:68:8f:
52:c5:d5:73:5e:a5:20:f5:71:a9:e4:e4:aa:a2:a2:75:0c:a7:
ef:b0:c4:a3:91:c7:40:18:0e:66:cb:31:96:35:89:a4:8c:52:
53:f9:8e:b7:53:99:2a:9e:1f:8e:fd:68:bc:21:c9:df:96:7c:
7a:85:6f:b6:85:6e:28:d9:9e:9d:b9:e1:6e:de:d7:a1:18:9b:
99:5e:30:c1:f5:29:28:b1:6b:a2:fb:fe:dc:f0:e9:07:86:48:
6c:ef:cf:5f:48:f9:70:c4:eb:64:48:a5:2b:ae:30:af:da:62:
c6:a1:15:f3:c9:e6:fd:53:88:3f:73:8b:23:91:e8:ad:6b:1d:
09:93:07:a5:ba:00:f4:44:d2:88:a6:75:8f:80:4f:d7:63:30:
c4:07:8d:5e:9d:ad:d8:d6:19:98:86:fe:4c:c1:02:c0:1d:83:
54:23:be:8d:7a:0b:54:63:64:b6:2f:23:e2:7f:71:17:bf:02:
81:03:70:50:ad:53:00:26:78:07:97:6e:dd:4d:ad:9f:02:ef:
4f:b5:33:6e:86:60:65:dd:df:57:17:a2:06:99:43:3b:48:30:
62:ae:88:1e
-----BEGIN CERTIFICATE-----
MIIDTjCCAjagAwIBAgIRAIBTow7Lsz50QOAFnwu/C54wDQYJKoZIhvcNAQELBQAw
FjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMjIxMTIyMDE1NzQ0WhcNMjMwMjIw
MDE1NzQ0WjAVMRMwEQYDVQQDDApsaWppYWNoZW5nMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAp0xgXbnO9UaRQcEBPlAPU0YP7pA8F/MuED71ALv0HejK
AJDwlCWyMMqhWa2QoNufGnl6osirArQkRilmV6ZxC2c02Dj3rma4yU3IfFUGwP7F
5XZn+Lww9FunRtx2bdeLbNkwTql3JOLnfoIhM8AI46ZZAcfxcUawjpZtmTjYmfB2
slFGe5UkzSVQEdRRemYRdVG090Wm3vppnganO93flLecywMSSlsfJu99Pl3x8Oj3
NPdgU9yPI+AXSPRRRjmvy+/mzifB6PBLIeA6Nnwjdlto3ZUkEnG4+POn+3IJgYfh
aYiC1C+2W4ShGxyUvvPVqTfzVW5ZgK0uagqd9CJEqwIDAQABo4GXMIGUMAkGA1Ud
EwQCMAAwHQYDVR0OBBYEFPRHZxP+QfMhdCzEOyLZ3Or0/uOmMEYGA1UdIwQ/MD2A
FM0iHNbUDjKSylofpPOJieGwsWKAoRqkGDAWMRQwEgYDVQQDDAtFYXN5LVJTQSBD
QYIJAJrFCfS7xbc6MBMGA1UdJQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDAN
BgkqhkiG9w0BAQsFAAOCAQEAjrOrbb8bVBXL54DHRedQIQJL+qy8zTkZ+3GSptpQ
uKJ+ZWiPUsXVc16lIPVxqeTkqqKidQyn77DEo5HHQBgOZssxljWJpIxSU/mOt1OZ
Kp4fjv1ovCHJ35Z8eoVvtoVuKNmenbnhbt7XoRibmV4wwfUpKLFrovv+3PDpB4ZI
bO/PX0j5cMTrZEilK64wr9pixqEV88nm/VOIP3OLI5HorWsdCZMHpboA9ETSiKZ1
j4BP12MwxAeNXp2t2NYZmIb+TMECwB2DVCO+jXoLVGNkti8j4n9xF78CgQNwUK1T
ACZ4B5du3U2tnwLvT7UzboZgZd3fVxeiBplDO0gwYq6IHg==
-----END CERTIFICATE-----# 客户端证书自动颁发脚本
#!/bin/bash
read -p "请输入用户的姓名拼音(如:${NAME}): " NAME
cd /etc/openvpn/easy-rsa-client/3
./easyrsa gen-req ${NAME} nopass <<EOF
EOF
cd /etc/openvpn/easy-rsa-server/3
./easyrsa import-req /etc/openvpn/easy-rsa-client/3/pki/reqs/${NAME}.req ${NAME}
./easyrsa sign client ${NAME} <<EOF
yes
EOF
3.9、将CA和服务器证书相关文件复制到服务器相应的目录
[root@openvpn 3]# mkdir /etc/openvpn/certs
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/ca.crt /etc/openvpn/certs/
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/issued/server.crt /etc/openvpn/certs/
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/private/server.key /etc/openvpn/certs/
[root@openvpn 3]# cp /etc/openvpn/easy-rsa-server/3/pki/dh.pem /etc/openvpn/certs/
[root@openvpn 3]# ll /etc/openvpn/certs/
total 20
-rw------- 1 root root 1176 Nov 22 10:01 ca.crt
-rw------- 1 root root 424 Nov 22 10:02 dh.pem
-rw------- 1 root root 4547 Nov 22 10:01 server.crt
-rw------- 1 root root 1704 Nov 22 10:02 server.key
3.10、将客户端私钥与证书相关文件复制到服务器相关的目录
[root@openvpn 3]# mkdir /etc/openvpn/client/lijiacheng/
[root@openvpn 3]# find /etc/openvpn/ \( -name "lijiacheng.key" -o -name "lijiacheng.crt" -o -name ca.crt \) -exec cp {} /etc/openvpn/client/lijiacheng/ \;
[root@openvpn 3]# ll /etc/openvpn/client/lijiacheng/
total 16
-rw------- 1 root root 1176 Nov 22 10:06 ca.crt
-rw------- 1 root root 4444 Nov 22 10:06 lijiacheng.crt
-rw------- 1 root root 1704 Nov 22 10:06 lijiacheng.key4、准备 OpenVPN 服务器配置文件
4.1、服务器端配置文件说明
[root@openvpn ~]# grep -Ev "^#|^$" /etc/openvpn/server.conf
;local a.b.c.d #本机监听IP,默认为本机所有IP
port 1194 #端口
;proto tcp #协议,生产推荐使用TCP
proto udp #默认协议udp
;dev tap #创建以太网隧道设备,tap设备实现以太网帧通过Openvpn隧道,可提供非IP协议如IPX和AppleTalk等的支持,tap等当于一个以太网设备,它操作第二层数据包如以太网数据帧。
dev tun #创建IP路由隧道,生产推存使用tun.互联网使用tun,一个tun设备大多时候被用于基于IP协议的通讯。tun模拟了网络层设备,操作第三层数据包比如IP数据封包。
;dev-node MyTap #TAP-Win32的设备驱动。非windows系统不需要
ca ca.crt #ca证书文件
cert server.crt #服务器证书文件
key server.key #服务器私钥文件
dh dh2048.pem #dh参数文件
;topology subnet
server 10.8.0.0 255.255.255.0 #客户端连接后自动分配的IP网段,默认会给服务器分配此网段的第一个IP将做为客户端的网关,注意不要和内网网段相同
ifconfig-pool-persist ipp.txt #记录客户端和虚拟ip地址分配的文件
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 #配置网桥模式,无需配置,建议注释
;server-bridge
;push "route 192.168.10.0 255.255.255.0" #推送给客户端的到达服务器后面网段的静态路由,网关是服务器地址10.8.0.1
;push "route 192.168.10.100 255.255.255.255" #用255.255.255.255可实现只能访问内网单个主机的功能,比如:jumpserver
;push "route 192.168.20.0 255.255.255.0" #推送路由信息到客户端,以允许客户端能够连接到服务器背后的其它私有网络
;client-config-dir ccd #为特定客户端添加路由信息,此路由是客户端后面的网段而非服务端的网段,无需设置
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script #指定外部脚本文件,实现创建不同组的iptables规则,无需配置
;push "redirect-gateway def1 bypass-dhcp" #启用此配置后客户端所有流量都将通过VPN服务器进行转发,因此生产一般无需配置此项
;push "dhcp-option DNS 208.67.222.222" #推送DNS服务器地址,无需配置
;push "dhcp-option DNS 208.67.220.220"
;client-to-client #允许不同的客户端直接通信,不安全,生产环境一般无需配置
;duplicate-cn #多个用户共用一个证书,一般用于测试环境,生产环境建议一个用户一个证书,无需开启
keepalive 10 120 #设置服务端活动的检测的间隔和超时时间,每隔10秒ping一次,120秒没有回应则认为已经断线
tls-auth ta.key 0 #访止DoS等攻击的安全增强配置,服务器和每个客户端都需要拥有此密钥文
件。第二个参数在服务器端为0,客户端为1
cipher AES-256-CBC #加密算法
;compress lz4-v2 #启用Openvpn2.4.X新版压缩算法
;push "compress lz4-v2" #推送客户端使用新版压缩算法,和下面的comp-lzo不要同时使用
;comp-lzo #旧户端兼容的压缩配置,需要客户端配置开启压缩,openvpn2.4.X等新版可以不用开启
;max-clients 100 #最多支持的客户端数量
;user nobody #指定openvpn服务的用户
;group nobody #指定openvpn服务的组
persist-key #重启服务时默认会重新读取key文件,开启此配置后保持使用第一次的key文件,生产环境无需开启
persist-tun #Don’t close and reopen TUN/TAP device or run up/down
scripts across SIGUSR1 or --ping-restart restarts,生产环境建议无需开启
status openvpn-status.log #服务器状态记录文件,每分钟记录一次相关信息
;log openvpn.log #第一种日志记录方式,并指定日志路径,log会在openvpn启动的时候清空日志文件,不建议使用
;log-append openvpn.log #第二种日志记录方式,并指定日志路径,重启openvpn后在之前的日志后面追加新的日志,生产环境建议使用
verb 3 #设置日志级别,0-9,级别越高记录的内容越详细,0 表示静默运行,只记录致命错误,4 表示合理的常规用法,5 和 6 可以帮助调试连接错误。9 表示极度冗余,输出非常详细的日志
信息
;mute 20 #对相同类别的信息只记录前20条到日志文件中
explicit-exit-notify 1 #当服务端重启后通知客户端自动重新连接服务器,此项配置仅能用于udp模式,tcp模式无需配置即能实现重新连接功能,且开启此项后tcp配置后将导致openvpn服务无法启动,所以tcp时必须不能开启此项
script-security 3 # 允许使用自定义脚本
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env #指定自定义脚本路径
username-as-common-name #开启用户密码验证
client-cert-not-required #只支持用户和密码方式验证,不支持证书,无此配置表示需要证书和用户密码多种验证4.2、修改服务器端配置文件
[root@openvpn ~]# grep '^[a-Z].*' /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.2.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 2048
user openvpn
group openvpn
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
# 准备日志相关目录
[root@openvpn ~]# getent passwd openvpn
openvpn:x:997:995:OpenVPN:/etc/openvpn:/sbin/nologin
[root@openvpn ~]# mkdir /var/log/openvpn
[root@openvpn ~]# chown openvpn.openvpn /var/log/openvpn
[root@openvpn ~]# ll -d /var/log/openvpn
drwxr-xr-x 2 openvpn openvpn 6 Nov 22 10:24 /var/log/openvpn5、启动openvpn服务
[root@openvpn ~]# systemctl start openvpn@server
[root@openvpn ~]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2022-11-22 10:30:22 CST; 3s ago
Main PID: 2881 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─2881 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Nov 22 10:30:22 openvpn systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Nov 22 10:30:22 openvpn systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@openvpn ~]# ss -ntlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1222,fd=13))
LISTEN 0 32 *:1194 *:* users:(("openvpn",pid=2881,fd=6))
LISTEN 0 128 *:111 *:* users:(("rpcbind",pid=713,fd=8))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1014,fd=3))
LISTEN 0 100 [::1]:25 [::]:* users:(("master",pid=1222,fd=14))
LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=713,fd=11))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1014,fd=4))
[root@openvpn ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:01:25:b6 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.30/24 brd 192.168.1.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe01:25b6/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:01:25:c0 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.30/24 brd 192.168.2.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe01:25c0/64 scope link
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::a07f:a0ad:ffe7:3766/64 scope link flags 800
valid_lft forever preferred_lft forever
[root@openvpn ~]# tail /var/log/openvpn/openvpn.log
Tue Nov 22 10:30:22 2022 Listening for incoming TCP connection on [AF_INET][undef]:1194
Tue Nov 22 10:30:22 2022 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
Tue Nov 22 10:30:22 2022 TCPv4_SERVER link remote: [AF_UNSPEC]
Tue Nov 22 10:30:22 2022 GID set to openvpn
Tue Nov 22 10:30:22 2022 UID set to openvpn
Tue Nov 22 10:30:22 2022 MULTI: multi_init called, r=256 v=256
Tue Nov 22 10:30:22 2022 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Nov 22 10:30:22 2022 IFCONFIG POOL LIST
Tue Nov 22 10:30:22 2022 MULTI: TCP INIT maxclients=2048 maxevents=2052
Tue Nov 22 10:30:22 2022 Initialization Sequence Completed
[root@openvpn ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.2 0.0.0.0 UG 100 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
6、准备 OpenVPN 客户端配置文件
# 客户端默认范例配置文件说明
[root@openvpn ~]# grep '^[[:alpha:]].*' /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf
client #指明客户端
dev tun #指定和服务端一致的接口类型
proto udp #指定和服务端一致的协议类型
remote my-server-1 1194 #服务器端的ip或FQDN及端口
resolv-retry infinite #指定服务器端FQDN而非IP时,当客户端重新连接后会重新解FQDN对应的IP
nobind #客户端不绑定监听端口,随机打开端口连接到服务端的端口
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server #使用服务器证书校验方式
tls-auth ta.key 1 #安全加强
cipher AES-256-CBC
verb 3
# 生成客户端用户的配置文件
[root@openvpn ~]# grep '^[[:alpha:]].*' /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf > /etc/openvpn/client/lijiacheng/client.ovpn
[root@openvpn ~]# vim /etc/openvpn/client/lijiacheng/client.ovpn
[root@openvpn ~]# cat /etc/openvpn/client/lijiacheng/client.ovpn
client
dev tun
proto tcp
remote 192.168.1.30 1194
resolv-retry infinite
nobind
ca ca.crt
cert lijiacheng.crt
key lijiacheng.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v27、实现openvpn客户端
# 客户端下载并安装
https://openvpn.net/community-downloads/![图片[2]-部署OpenVPN-李佳程的个人主页](http://www.lijiach.com/wp-content/uploads/2022/11/image-148.png)
保存证书到openvpn 客户端安装目录,放置到windows客户端默认安装目录下 C:\Program Files\OpenVPN\config 目录
![图片[3]-部署OpenVPN-李佳程的个人主页](http://www.lijiach.com/wp-content/uploads/2022/11/image-147.png)
运行openvpn gui
![图片[4]-部署OpenVPN-李佳程的个人主页](http://www.lijiach.com/wp-content/uploads/2022/11/image-149.png)
![图片[5]-部署OpenVPN-李佳程的个人主页](http://www.lijiach.com/wp-content/uploads/2022/11/image-150.png)
![图片[6]-部署OpenVPN-李佳程的个人主页](http://www.lijiach.com/wp-content/uploads/2022/11/image-151.png)
8、验证通信
# 查看服务器日志
[root@openvpn ~]# tail -f /var/log/openvpn/openvpn.log
Tue Nov 22 10:51:40 2022 192.168.1.1:63233 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Nov 22 10:51:40 2022 192.168.1.1:63233 [lijiacheng] Peer Connection Initiated with [AF_INET]192.168.1.1:63233
Tue Nov 22 10:51:40 2022 lijiacheng/192.168.1.1:63233 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Tue Nov 22 10:51:40 2022 lijiacheng/192.168.1.1:63233 MULTI: Learn: 10.8.0.6 -> lijiacheng/192.168.1.1:63233
Tue Nov 22 10:51:40 2022 lijiacheng/192.168.1.1:63233 MULTI: primary virtual IP for lijiacheng/192.168.1.1:63233: 10.8.0.6
Tue Nov 22 10:51:41 2022 lijiacheng/192.168.1.1:63233 PUSH: Received control message: 'PUSH_REQUEST'
Tue Nov 22 10:51:41 2022 lijiacheng/192.168.1.1:63233 SENT CONTROL [lijiacheng]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,compress lz4-v2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Nov 22 10:51:41 2022 lijiacheng/192.168.1.1:63233 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Nov 22 10:51:41 2022 lijiacheng/192.168.1.1:63233 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Nov 22 10:51:41 2022 lijiacheng/192.168.1.1:63233 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
[root@openvpn ~]# tail -f /var/log/openvpn/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Tue Nov 22 10:52:39 2022
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
lijiacheng,192.168.1.1:63233,11934,3210,Tue Nov 22 10:51:39 2022
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,lijiacheng,192.168.1.1:63233,Tue Nov 22 10:52:35 2022
GLOBAL STATS
Max bcast/mcast queue length,0
END# 客户端验证
[C:\~]$ ipconfig
Windows IP 配置
以太网适配器 以太网:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::63c4:4481:cf69:a751%20
IPv4 地址 . . . . . . . . . . . . : 192.168.124.115
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.124.1
未知适配器 本地连接:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::6896:8d15:feb5:6757%43
IPv4 地址 . . . . . . . . . . . . : 10.8.0.6
子网掩码 . . . . . . . . . . . . : 255.255.255.252
默认网关. . . . . . . . . . . . . :
[C:\~]$ route print
IPv4 路由表
===========================================================================
活动路由:
网络目标 网络掩码 网关 接口 跃点数
0.0.0.0 0.0.0.0 192.168.124.1 192.168.124.115 25
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 281
10.8.0.4 255.255.255.252 在链路上 10.8.0.6 281
10.8.0.6 255.255.255.255 在链路上 10.8.0.6 281
10.8.0.7 255.255.255.255 在链路上 10.8.0.6 281
127.0.0.0 255.0.0.0 在链路上 127.0.0.1 331
127.0.0.1 255.255.255.255 在链路上 127.0.0.1 331
127.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
192.168.1.0 255.255.255.0 在链路上 192.168.1.1 291
192.168.1.1 255.255.255.255 在链路上 192.168.1.1 291
192.168.1.255 255.255.255.255 在链路上 192.168.1.1 291
192.168.2.0 255.255.255.0 10.8.0.5 10.8.0.6 281
192.168.124.0 255.255.255.0 在链路上 192.168.124.115 281
192.168.124.115 255.255.255.255 在链路上 192.168.124.115 281
192.168.124.255 255.255.255.255 在链路上 192.168.124.115 281
224.0.0.0 240.0.0.0 在链路上 127.0.0.1 331
224.0.0.0 240.0.0.0 在链路上 192.168.1.1 291
224.0.0.0 240.0.0.0 在链路上 192.168.124.115 281
224.0.0.0 240.0.0.0 在链路上 10.8.0.6 281
255.255.255.255 255.255.255.255 在链路上 127.0.0.1 331
255.255.255.255 255.255.255.255 在链路上 192.168.1.1 291
255.255.255.255 255.255.255.255 在链路上 192.168.124.115 281
255.255.255.255 255.255.255.255 在链路上 10.8.0.6 281
===========================================================================
[C:\~]$ ping 192.168.2.31
正在 Ping 192.168.2.31 具有 32 字节的数据:
来自 192.168.2.31 的回复: 字节=32 时间<1ms TTL=63
来自 192.168.2.31 的回复: 字节=32 时间=5ms TTL=63
来自 192.168.2.31 的回复: 字节=32 时间=2ms TTL=63
来自 192.168.2.31 的回复: 字节=32 时间=3ms TTL=63
192.168.2.31 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 5ms,平均 = 2ms
[C:\~]$ ping 192.168.2.32
正在 Ping 192.168.2.32 具有 32 字节的数据
来自 192.168.2.32 的回复: 字节=32 时间<1ms TTL=63
来自 192.168.2.32 的回复: 字节=32 时间=1ms TTL=63
来自 192.168.2.32 的回复: 字节=32 时间=3ms TTL=63
来自 192.168.2.32 的回复: 字节=32 时间<1ms TTL=63
192.168.2.32 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 3ms,平均 = 1ms
[C:\~]$ ssh 192.168.2.31
Connecting to 192.168.2.31:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Tue Nov 22 10:57:18 2022 from 10.8.0.6
[root@web1 ~]#
[C:\~]$ ssh 192.168.2.32
Connecting to 192.168.2.32:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Tue Nov 22 09:08:09 2022 from 192.168.2.1
[root@web2 ~]# # 内网服务器验证
[root@web2 ~]# ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.2.32:22 10.8.0.6:63435
ESTAB 0 0 192.168.2.32:22 192.168.2.1:53059
ESTAB 0 208 192.168.2.32:22 10.8.0.6:63430
ESTAB 0 0 192.168.2.32:22 192.168.2.1:530589、Linux 配置部署 OpenVPN 客户端
# 客户端安装 openvpn
yum install openvpn -y
# 下载客户端公钥与私钥以及Ca证书至客户端
cd /etc/openvpn/
scp openvpn-server:/data/easy-rsa-server/pki/ca.crt ./
scp openvpn-server:/data/easy-rsa-client/pki/issued/client.crt ./
scp openvpn-server:/data/easy-rsa-client/pki/private/client.key ./
# 准备对应的客户端配置文件
cat /etc/openvpn/client.ovpn
client #指定当前VPN是客户端
dev tun #使用tun隧道传输协议
proto tcp #使用tcp协议传输数据
remote OpenVPN服务器地址 1194 #openvpn服务器IP地址端口号
resolv-retry infinite #断线自动重新连接,在网络不稳定的情况下非常有用
nobind #不绑定本地特定的端口号
ca ca.crt #指定CA证书的文件路径
cert client.crt #指定当前客户端的证书文件路径
key client.key #指定当前客户端的私钥文件路径
verb 3 #指定日志文件的记录详细级别,可选0-9,等级越高日志内容越详细
persist-key #重启服务时默认会重新读取key文件,开启此配置后保持使用第一次key文
件
persist-tun #重新启动VPN时,仍会一直保持tun是up状态
#
openvpn --daemon --cd /etc/openvpn --config client.ovpn --log-append /var/log/openvpn.log
--daemon #openvpn以daemon方式启动
--cd dir #配置文件的目录,openvpn初始化前,先切换到此目录
--config file #客户端配置文件的路径
--log-append file #日志文件路径,如果文件不存在会自动创建
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
