Everything about installing an OpenVPN server on Debian

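This article covers setup and configuration: certificate mode, password mode, and writing the .ovpn file.

Installing the service

I'll skip the introduction. On Debian, installing with apt is the convenient route.

Two packages are involved: openvpn, and easy-rsa, a tool for generating SSL certificates.
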
sudo apt-get install iptables easy-rsa openvpn

Generate the CA used to issue certificates later

It is best to do this on a machine other than the VPN server; a leaked ca.key is very dangerous.

cp -r /usr/share/easy-rsa/ /main
cd /main/easy-rsa
cp vars.example vars

Then run vim vars and edit the certificate fields:

. . .

#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "[email protected]"
#set_var EASYRSA_REQ_OU "My Organizational Unit"

. . .

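These certificate fields should look familiar. Change them to the values you want; running source vars sets the variables, and the later commands use these environment variables.

The EasyRSA directory contains a script called easyrsa, which is used to perform the various tasks involved in building and managing the CA. Run this script with the init-pki option to initialize the public key infrastructure on the CA server:
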
./easyrsa init-pki
Output. . .
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/sammy/EasyRSA-v3.0.6/pki

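After this, call the easyrsa script again with build-ca. This builds the CA and creates two important files, ca.crt and ca.key, which make up the public and private sides of an SSL certificate.

  • ca.crt is the CA's public certificate file. In the context of OpenVPN, the server and the clients use it to tell each other that they are part of the same web of trust and not someone performing a man-in-the-middle attack. For this reason, your server and all of your clients need a copy of the ca.crt file.
  • ca.key is the private key the CA machine uses to sign keys and certificates for servers and clients. If an attacker gains access to your CA and, in turn, to your ca.key file, they will be able to sign certificate requests and gain access to your VPN, undermining its security. This is why your ca.key file should be on your CA machine and, ideally, your CA machine should be kept offline when it is not signing certificate requests, as an extra security measure.

If you do not want to be prompted for a password every time you interact with your CA, you can run the build-ca command with the nopass option, like this:
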
./easyrsa build-ca nopass

Enter a name for the CA and press Enter to generate it:

Common Name (eg: your user, host, or server name) [Easy-RSA CA]:XXXXXXXXXXXXX  

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/main/easy-rsa/pki/ca.crt


At this point the pki directory contains:

-rw------- 1 root root 1200  5月 12 16:11 ca.crt
drwx------ 2 root root 4096 5月 12 16:10 certs_by_serial
-rw------- 1 root root 0 5月 12 16:10 index.txt
-rw------- 1 root root 0 5月 12 16:10 index.txt.attr
drwx------ 2 root root 4096 5月 12 16:10 issued
-rw------- 1 root root 4616 5月 12 16:08 openssl-easyrsa.cnf
drwx------ 2 root root 4096 5月 12 16:11 private
drwx------ 5 root root 4096 5月 12 16:10 renewed
drwx------ 2 root root 4096 5月 12 16:08 reqs
drwx------ 5 root root 4096 5月 12 16:10 revoked
-rw------- 1 root root 4529 5月 12 16:08 safessl-easyrsa.cnf
-rw------- 1 root root 3 5月 12 16:10 serial

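ca.key is under the /main/easy-rsa/pki directory. With that, the CA is in place and ready to start signing certificate requests.

Create the server certificate, key, and encryption files (certificate-mode login)

Run ./easyrsa gen-req server nopass to generate a request for a server certificate. (Note that the name server matches the configuration file used later; with any other name you have to edit the configuration by hand.)

  • You can also generate the request on a machine other than the CA, scp the request file to the CA machine, and have the CA sign it (run ./easyrsa init-pki once on the server machine first, then run the gen-req command below).
  • To keep things short, this article runs the CA and the server on the same machine.
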
./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /main/easy-rsa/vars
Using SSL: openssl OpenSSL 1.1.1n 15 Mar 2022 (Library: OpenSSL 1.1.1k 25 Mar 2021)
Generating a RSA private key
.....................................+++++
.................................+++++
writing new private key to '/main/easy-rsa/pki/easy-rsa-1257.KGcyQz/tmp.lIBkNa'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:XXXXXXXXXXXXXXXXXXXXXXXXXX

Keypair and certificate request completed. Your files are:
req: /main/easy-rsa/pki/reqs/server.req
key: /main/easy-rsa/pki/private/server.key

  • This creates a private key for the server and a certificate request file named server.req. Copy the server key to the /etc/openvpn/ directory on the server machine:

cp /main/easy-rsa/pki/private/server.key /etc/openvpn/

ll /etc/openvpn/
总用量 16
drwxr-xr-x 2 root root 4096 5月 14 2021 client
drwxr-xr-x 2 root root 4096 5月 14 2021 server
-rw------- 1 root root 1704 5月 12 16:28 server.key
-rwxr-xr-x 1 root root 1468 5月 14 2021 update-resolv-conf

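Sign the server certificate on the CA machine

  • If the CA and the requesting machine are different, first get the server.req generated on the requesting machine onto the CA machine (with scp or some other copy), then run ./easyrsa import-req /tmp/server.req server on the CA machine to import it. This article uses a single machine, so this step is skipped.

  • On the CA machine, run ./easyrsa sign-req server server. The first server says to issue a server-type certificate; the second server is the name of the certificate request, 'server' (that is, easy-rsa/pki/reqs/server.req).
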
    Output...

    Request subject, to be signed as a server certificate for 825 days:

    subject=
    commonName = XXXXXXX (confirm this is the name of the request you want to sign)


    Type the word 'yes' to continue, or any other input to abort.
    Confirm request details: yes
    Using configuration from /main/easy-rsa/pki/easy-rsa-1290.gHL4BM/tmp.DL0G2N
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName :ASN.1 12:'XXXXXXX'
    Certificate is to be certified until Aug 14 08:32:03 2025 GMT (825 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /main/easy-rsa/pki/issued/server.crt

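  • ca.crt and server.crt are what the server side needs. Copy them to /etc/openvpn/ on the server machine (if the CA is on a different machine, scp them from the CA machine to the server machine).
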
    cp pki/issued/server.crt /etc/openvpn/
    cp pki/ca.crt /etc/openvpn/
  • Create a strong Diffie-Hellman key to use during key exchange:

    ./easyrsa gen-dh


    ......
    DH parameters of size 2048 created at /main/easy-rsa/pki/dh.pem
    ......

    This may take a few minutes to complete. Once it does, generate an HMAC signature to strengthen the server's TLS integrity verification:

openvpn --genkey secret ta.key

When the command finishes, copy the two new files to your /etc/openvpn/ directory:

sudo cp ta.key /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/


ll /etc/openvpn/
总用量 36
-rw------- 1 root root 1200 5月 12 16:46 ca.crt
drwxr-xr-x 2 root root 4096 5月 14 2021 client
-rw------- 1 root root 424 5月 12 16:50 dh.pem
drwxr-xr-x 2 root root 4096 5月 14 2021 server
-rw------- 1 root root 4644 5月 12 16:45 server.crt
-rw------- 1 root root 1704 5月 12 16:28 server.key
-rw------- 1 root root 636 5月 12 16:50 ta.key
-rwxr-xr-x 1 root root 1468 5月 14 2021 update-resolv-conf

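With that, all the certificate and key files your server needs have been generated. You are ready to create the corresponding certificates and keys that your client machines will use to access your OpenVPN server.

Issue client certificates from the CA

  • As with the server, you can also generate the client's request with easy-rsa on the client machine, send it to the CA, and have it imported and signed there.

  • In general, though, it is simpler to do this on the server.

  • Create a directory to hold all the client keys:
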
    mkdir -p /main/easy-rsa/client-configs/keys
    chmod -R 700 /main/easy-rsa/client-configs/keys

    ./easyrsa gen-req client1 nopass

    # Copy the generated key into the directory
    cp pki/private/client1.key /main/easy-rsa/client-configs/keys/

    If you are not on the CA machine, you still need to scp client1.req to the CA machine, import the request there with ./easyrsa import-req /tmp/client1.req client1, and then sign it.

    Otherwise, sign it directly:

    ./easyrsa sign-req client client1
    
    
    ...........
    Write out database with 1 new entries
    Data Base Updated
    
    Certificate created at: /main/easy-rsa/pki/issued/client1.crt
    ...........
    
  • On the OpenVPN server, copy the client certificate to the /client-configs/keys/ directory:

    cp /main/easy-rsa/pki/issued/client1.crt /main/easy-rsa/client-configs/keys/

  • Copy the ca.crt and ta.key files to the /client-configs/keys/ directory as well:

    cp /main/easy-rsa/ta.key /main/easy-rsa/client-configs/keys/
    cp /main/easy-rsa/pki/ca.crt /main/easy-rsa/client-configs/keys/




    ll /main/easy-rsa/client-configs/keys/
    总用量 20
    -rw------- 1 root root 1200 5月 12 18:03 ca.crt
    -rw------- 1 root root 4491 5月 12 18:01 client1.crt
    -rw------- 1 root root 1704 5月 12 18:00 client1.key
    -rw------- 1 root root 636 5月 12 18:03 ta.key

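    With that, your server and client certificates and keys have all been generated and stored in the appropriate directories on your server. There are still a few things to do with these files, but those come in a later step. For now, you can move on to configuring OpenVPN on the server.

Configure the server's basic parameters

Everything below is basic configuration in /etc/openvpn/server.conf. First, copy the sample OpenVPN configuration file into the configuration directory to use as the basis for your setup:

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/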

Then open the file with vim /etc/openvpn/server.conf. Lines that begin with ; are commented out.

Required changes:

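# Custom port
port 33192

# udp/udp6; switching to tcp requires changing another parameter, explained below
proto udp6

# This line is fine by default; if it is commented out, uncomment it
tls-auth ta.key 0 # This file is secret


# Same as above; this cipher has hardware support, so it is fast
cipher AES-256-GCM
# Add an auth directive to select the HMAC message digest algorithm; SHA256 is a good choice
auth SHA256


# Change the dh setting; the file name is the dh.pem generated earlier and copied into the current directory
# Diffie hellman parameters. Generate your own with: openssl dhparam -out dh2048.pem 2048
;dh dh2048.pem
dh dh.pem

# Compression; if enabled, the client must use the same setting
comp-lzo


# Reduce privileges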
# It's a good idea to reduce the OpenVPN daemon's privileges after initialization.
# You can uncomment this out on non-Windows systems.
user nobody
group nogroup

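Optional changes:

  • Protocol, TCP or UDP: the default is UDP. To use TCP you must change another parameter at the same time (with TCP, the value of the explicit-exit-notify directive must be changed from 1 to 0, because this directive is only used by UDP. If you do not do this while using TCP, starting the OpenVPN service fails with an error).
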
# Optional!
proto tcp
explicit-exit-notify 0
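  • Custom certificate directory or file names:

    If you chose a different name with ./easyrsa gen-req, modify the cert and key lines in server.conf so that they point to the appropriate .crt and .key files. If you used the default name, "server", this is already set correctly.
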
    /etc/openvpn/
    ca ca.crt
    cert server.crt
    key server.key
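  • Push DNS changes to redirect all traffic through the VPN

The settings above already create a VPN connection between the two machines, but they do not force any connection to use the tunnel. If you want to use the VPN to route all traffic, you can push the DNS settings to the client computers (the client reconfigures its DNS settings to use the VPN tunnel as the default gateway).

# Find the redirect-gateway section and remove the semicolon ";" from the start of the redirect-gateway line to uncomment it: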
push "redirect-gateway def1 bypass-dhcp"
# Below this, find the dhcp-option section. Again, remove the ";" from the front of both lines to uncomment them:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
  • Allow clients to reach each other

# Uncomment this directive to allow different clients to be able to "see" each other. By default, clients will only see the server. To force clients to only see the server, you will also need to appropriately firewall the server's TUN/TAP interface.
client-to-client

Final complete server configuration file for certificate mode

#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 33192

# TCP or UDP server?
;proto tcp
;proto udp
proto udp6

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
;dh dh2048.pem
dh dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
# Add an auth directive to select the HMAC message digest algorithm; SHA256 is a good choice
cipher AES-256-GCM
auth SHA256

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
#compress lz4-v2
#push "compress lz4-v2"
#allow-compression yes

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1


Configure the server's network parameters

Note: the following goes in /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

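  • Apply the change with sysctl -p

Modify some firewall rules to enable masquerading, an iptables concept that provides on-the-fly dynamic network address translation (NAT) so that client connections are routed correctly.
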
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o wlan0 -j MASQUERADE

Client configuration for certificate mode

Basic configuration

sudo apt install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/


# Copy the files generated earlier to /etc/openvpn/ on the client machine
-rw------- 1 tree tree 1200 5月 12 22:23 ca.crt
-rw------- 1 tree tree 4491 5月 12 22:25 client1.crt
-rw------- 1 tree tree 1704 5月 12 22:26 client1.key
-rw-r--r-- 1 root root 3588 5月 12 22:28 client.conf
-rw------- 1 tree tree 424 5月 12 22:24 dh.pem

Plus ta.key.

vim client.conf

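# Same protocol as the server
proto udp6

# The peer's IPv6 address, with the same port as the server
remote 2409:8a00:787f:XXXXXXXXXXXXXXX 33192


tls-auth ta.key 1

# Same algorithms as the server
cipher AES-256-GCM
auth SHA256

# These files must exist
ca ca.crt
cert client1.crt
key client1.key

# Compression on, matching the server
comp-lzo

# Suppress a warning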
mute-replay-warnings

systemctl restart openvpn@client

systemctl status openvpn@client

Final complete client configuration file for certificate mode

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp6

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 2409:8a00:787f:XXXXXXXXXXXXXXXXXXXXXXXXXX 33192
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
# The client certificate specified here is the core login credential
cert client1.crt
key client1.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-GCM
auth SHA256

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Testing the client

sudo systemctl status openvpn@client

openvpn@client.service - OpenVPN connection to client
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: active (running) since Fri 2023-05-12 22:58:59 CST; 4s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 29010 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 4915)
CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
└─29010 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client.conf --

5月 12 22:59:01 treeMate ovpn-client[29010]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
5月 12 22:59:01 treeMate ovpn-client[29010]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
5月 12 22:59:01 treeMate ovpn-client[29010]: ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=wlp2s0 HWADDR=98:2c:bc:91:ad:c0
5月 12 22:59:01 treeMate ovpn-client[29010]: TUN/TAP device tun0 opened
5月 12 22:59:01 treeMate ovpn-client[29010]: TUN/TAP TX queue length set to 100
5月 12 22:59:01 treeMate ovpn-client[29010]: /sbin/ip link set dev tun0 up mtu 1500
5月 12 22:59:01 treeMate ovpn-client[29010]: /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
5月 12 22:59:01 treeMate ovpn-client[29010]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.5
5月 12 22:59:01 treeMate ovpn-client[29010]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this


ip addr show dev tun0


41: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::a877:5ee:b2ad:a68d/64 scope link stable-privacy
valid_lft forever preferred_lft forever

ping 10.8.0.1

 ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=253 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=92.7 ms

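If something goes wrong, check the messages in journalctl -xe and sudo systemctl status openvpn@client; they are very clear

Password mode (simpler)

Password mode only needs ca.crt and ca.key; ca.crt is used to encrypt the channel between client and server, and the server and client certificates no longer have to be used.

Add to server.conf:
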
# use username and password login
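# New line: enable the password verification script
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# Adding verify-client-cert none means logins are verified by username and password only; without it, both a certificate and a username/password are required (all clients may share the same certificate; requiring a certificate prevents simple password brute-forcing once the port has been found by a scan, so it is generally better to keep verifying certificates.)
# verify-client-cert none
# New line: use the username supplied by the client as the Common Name
username-as-common-name
# This directive provides policy-level control over OpenVPN's use of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Level settings:
# 0 - Strictly no calling of external programs.
# 1 - (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
# 2 - Allow calling of built-in executables and user-defined scripts.
# 3 - Allow passwords to be passed to scripts via environment variables (potentially unsafe).
# Note in particular: without this setting the server cannot obtain the password when verifying it, so verification fails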
script-security 3
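
The directives above and in the full server.conf can be checked mechanically before the service is restarted. The following audit script is an added example, not part of the original article; the finding IDs and the function names audit_openvpn_conf and sample_server_conf are made up for it, and the sample configuration is constructed from the settings this page enables.

```shell
#!/bin/sh
# Added example (not from the original article): audit an OpenVPN server.conf
# for the directives this page turns on. Finding IDs are made up for this example.

# audit_openvpn_conf FILE   ("-" reads standard input)
# Prints one "ID: explanation" line per finding; exit status 1 if any were found.
audit_openvpn_conf() {
    awk '
    {
        # Lines starting with "#" or ";" are comments; "# ..." may also trail a directive.
        sub(/^[ \t]*[#;].*$/, "")
        sub(/[ \t]+#.*$/, "")
        if (NF == 0) next
        seen[$1] = 1
        arg[$1] = $2
    }
    END {
        n = 0
        if ((("comp-lzo" in seen) && arg["comp-lzo"] != "no") ||
            (("compress" in seen) && arg["compress"] ~ /^(lzo|lz4|lz4-v2)$/))
            out[++n] = "COMPRESSION: compression is enabled on the tunnel; newer OpenVPN releases deprecate it"
        if (("script-security" in seen) && arg["script-security"] + 0 >= 3)
            out[++n] = "SCRIPT_ENV_PASSWORD: script-security 3 lets passwords reach scripts through environment variables"
        if ((("verify-client-cert" in seen) && arg["verify-client-cert"] == "none") ||
            ("client-cert-not-required" in seen))
            out[++n] = "NO_CLIENT_CERT: clients need no certificate; only the username/password protects the port"
        if ("duplicate-cn" in seen)
            out[++n] = "DUPLICATE_CN: several clients may connect with the same certificate or common name"
        if (("log" in seen) && ("log-append" in seen))
            out[++n] = "LOG_CONFLICT: log and log-append are both set; the sample config says to use one or the other"
        if (!("tls-auth" in seen) && !("tls-crypt" in seen))
            out[++n] = "NO_TLS_AUTH: no tls-auth or tls-crypt key, so the HMAC firewall is off"
        if (!("user" in seen) || !("group" in seen))
            out[++n] = "NO_PRIV_DROP: user/group not set; the daemon keeps its startup privileges"
        for (i = 1; i <= n; i++) print out[i]
        exit (n > 0)
    }' "$1"
}

# Constructed sample: the non-default directives from this page (password mode).
sample_server_conf() {
    cat <<'EOF'
port 33192
proto udp6
;duplicate-cn
tls-auth ta.key 0 # This file is secret
cipher AES-256-GCM
auth SHA256
comp-lzo
user nobody
group nogroup
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# verify-client-cert none
username-as-common-name
script-security 3
EOF
}

# With a path argument, audit that file; with none, audit the constructed sample.
if [ "$#" -ge 1 ]; then
    audit_openvpn_conf "$1"; exit $?
else
    sample_server_conf | audit_openvpn_conf - || :
fi
```

Run it as sh audit.sh /etc/openvpn/server.conf; a non-zero exit status means at least one finding was printed.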

Password verification script

vim /etc/openvpn/checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
###########################################################

# Both of the following files must be accessible to the nobody user
PASSFILE="/etc/openvpn/user_passwd.txt"
LOG_FILE="/var/log/openvpn/openvpn-login.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Pass the username with -v instead of splicing it into the awk program text,
# so client-supplied input is never parsed as awk code. (user "") forces a
# string comparison.
CORRECT_PASSWORD=`awk -v user="${username}" '!/^;/&&!/^#/&&$1==(user ""){print $2;exit}' "${PASSFILE}"`

# Passwords are not written to the log in any of the branches below.
if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1

chmod +x /etc/openvpn/checkpsw.sh

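Configure passwords

Server side

Fill in the account/password file user_passwd.txt: add accounts and passwords to this file, one account per line, with the username and password separated by a space:

Note: passwords must combine letters, digits, special characters and so on, and must not begin with a digit.

# Edit the account/password file and add the following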
$ vim /etc/openvpn/user_passwd.txt
zhangsan 123b456_
lisi 12345b_



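# Change the access permissions on the account/password file: first, for security; second, the user that runs the OpenVPN server (nobody, enabled above) must be able to read the account/password file and to read and write the log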
$ cd /etc/openvpn/
$ chmod 400 user_passwd.txt
$ chmod 666 /var/log/openvpn/*
$ chown nobody:nogroup user_passwd.txt
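
A variant of the verification script and password file described above, as an added example that is not part of the original article: it uses OpenVPN's via-file method, where the username and password arrive as the first two lines of a temporary file whose path is passed as the first argument, so script-security 2 is enough, and it stores salted hashes instead of plaintext passwords. The password file format, the file name user_passwd.hashed and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): auth-user-pass-verify script
# for the "via-file" method. Assumed server.conf lines for it:
#   auth-user-pass-verify /etc/openvpn/checkpsw-file.sh via-file
#   script-security 2
# Assumed password file format (made up here), one user per line:
#   username:salt:sha256_hex(salt followed by password)
# A single salted SHA-256 keeps the example dependency-free; it is not a slow
# password hash.
PASSFILE=${PASSFILE:-/etc/openvpn/user_passwd.hashed}
LOG_FILE=${LOG_FILE:-/var/log/openvpn/openvpn-login.log}

sha256_hex() {  # hex digest of standard input
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

hash_password() {  # hash_password SALT PASSWORD
    printf '%s%s' "$1" "$2" | sha256_hex
}

make_record() {  # make_record USER PASSWORD -> "user:salt:hash" for the password file
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

log_event() {  # the log only ever receives usernames and outcomes, never passwords
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"
}

verify_credentials() {  # verify_credentials PASSFILE CREDFILE -> 0 if accepted
    passfile=$1
    credfile=$2
    if [ ! -r "$passfile" ] || [ ! -r "$credfile" ]; then
        log_event "cannot read password file or credential file"
        return 1
    fi
    user=
    pass=
    { IFS= read -r user || :; IFS= read -r pass || :; } < "$credfile"
    # Accept only a conservative username alphabet before using it anywhere.
    case $user in
        ''|*[!A-Za-z0-9_.-]*) log_event "rejected malformed username"; return 1 ;;
    esac
    # The username is passed as data (-v), never spliced into the awk program.
    record=$(awk -F: -v u="$user" '$1 == (u "") { print $2 ":" $3; exit }' "$passfile")
    if [ -z "$record" ]; then
        log_event "unknown user: $user"
        return 1
    fi
    salt=${record%%:*}
    want=${record#*:}
    got=$(hash_password "$salt" "$pass")
    if [ "$got" = "$want" ]; then
        log_event "login ok: $user"
        return 0
    fi
    log_event "bad password: $user"
    return 1
}

# OpenVPN calls the script with the temporary credential file as $1.
if [ "$#" -ge 1 ]; then
    verify_credentials "$PASSFILE" "$1"
    exit $?
fi
```

A password file entry is produced with make_record, for example make_record zhangsan 'the-password' >> /etc/openvpn/user_passwd.hashed, after sourcing the functions in a root shell.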

Final complete server configuration file for password mode

#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 33192

# TCP or UDP server?
;proto tcp
;proto udp
proto udp6

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
;dh dh2048.pem
dh dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
# Add an auth directive to select the HMAC message digest algorithm. SHA256 is a good choice for this.
cipher AES-256-GCM
auth SHA256

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
#compress lz4-v2
#push "compress lz4-v2"
#allow-compression yes

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1




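########################## server password mode #############################
# Added line: enable the password verification script
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
# Adding verify-client-cert none means login is verified by username and password only; without it, login requires both a certificate and a username/password
#verify-client-cert none
# Added line: use the username supplied by the client as the Common Name
username-as-common-name
# This directive gives policy-level control over OpenVPN's use of external programs and scripts. Lower level values are more restrictive, higher values more permissive. Level settings:
# 0 - Strictly no calling of external programs.
# 1 - (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
# 2 - Allow calling of built-in executables and user-defined scripts.
# 3 - Allow passwords to be passed to scripts via environment variables (potentially unsafe).
# Note in particular: without this setting the server cannot obtain the password when verifying it, so verification fails
script-security 3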

Restart the server

systemctl restart openvpn@server
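
The setup above keeps plaintext passwords in user_passwd.txt and needs script-security 3 because via-env hands the password to the script in an environment variable. As an added example (not code from the original page or from OpenVPN), here is a verifier for `auth-user-pass-verify <script> via-file`, where OpenVPN passes the credentials in a temporary file so `script-security 2` is enough, and where the stored values are salted PBKDF2 hashes. The database path, the record format and all function names are assumptions of this example.

```python
#!/usr/bin/env python3
"""Credential check for `auth-user-pass-verify <script> via-file` (added example).

OpenVPN writes the username (line 1) and password (line 2) to a temporary
file and passes its path as argv[1]. The record format
user:iterations:salt_hex:hash_hex and USER_DB are assumptions of this example.
"""
import hashlib
import hmac
import os
import sys

USER_DB = "/etc/openvpn/user_passwd.pbkdf2"  # hypothetical path
ITERATIONS = 200_000


def make_record(username, password, salt=None, iterations=ITERATIONS):
    """Return one database line holding a salted PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:{iterations}:{salt.hex()}:{digest.hex()}"


def load_users(lines):
    """Parse database lines into {username: (iterations, salt, digest)}."""
    users = {}
    for line in lines:
        parts = line.strip().split(":")
        if line.lstrip().startswith(("#", ";")) or len(parts) != 4:
            continue  # comments, blanks and malformed records are ignored
        try:
            rounds, salt, digest = int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
        except ValueError:
            continue
        if rounds >= 1:
            users[parts[0]] = (rounds, salt, digest)
    return users


def verify(cred_lines, users):
    """Return True if the via-file contents match a stored record."""
    if len(cred_lines) < 2:
        return False
    username, password = cred_lines[0], cred_lines[1]
    # Unknown users still run PBKDF2 once, so a missing account is not answered faster.
    rounds, salt, expected = users.get(username, (ITERATIONS, b"\0" * 16, b""))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def main(argv):
    with open(argv[1], encoding="utf-8") as fh:
        cred_lines = fh.read().splitlines()
    with open(USER_DB, encoding="utf-8") as fh:
        users = load_users(fh)
    # Exit status 0 accepts the login, non-zero rejects it; the password is never logged.
    return 0 if verify(cred_lines, users) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Records are created offline with make_record and appended to the database file, which only needs to be readable by the user OpenVPN runs as.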

Client-side configuration#

# Comment out the client certificate/key authentication; only ca.crt needs to be kept
;cert laptop.crt
;key laptop.key

# Add username/password authentication
auth-user-pass login.conf

Add a login.conf file in the directory, with the username and password on separate lines, as follows:

zhangsan
xxxxx

Final complete client-side configuration file for password mode#

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
;proto udp
proto udp6

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 2409:8a00:787f:XXXXXXXXXXXXXXXX 33192
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
# If the server is configured with verify-client-cert none, the next two lines can be commented out and left unset
cert client1.crt
key client1.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
# Keep this consistent with the server
cipher AES-256-GCM
auth SHA256

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# Keep this consistent with the server
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

# Specify the file that holds the username and password
auth-user-pass login.conf

The effective content is:

client
dev tun
proto udp6
remote 2409:8a00:787f:XXXXXXXXXXXXXXXX 33192
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun

ca ca.crt
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
comp-lzo
verb 3
auth-user-pass login.conf

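Writing the ovpn file#

Handling the certificate files#

Certificate files as text: run sudo cat ca.crt on a certificate file to see its text content.

The inline form looks like this: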

<ca>
Paste the contents of ca.crt here
</ca>

<cert>
Paste the contents of client.crt here
</cert>

<key>
Paste the contents of client.key here
</key>

# If you have a ta.key, this line is needed
key-direction 1
<tls-auth>
Paste the contents of ta.key here
</tls-auth>

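(The files ca.crt, client.crt, client.key and ta.key are not necessarily all present; edit whichever ones you have. The file names may also differ: search the .ovpn configuration file for ca, cert, key and tls-auth to see which file names they refer to.)

After making these changes, delete the lines in client.conf that look like the following: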

tls-auth ta.key 1
ca ca.crt
cert client.crt
key client.key

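So a client configuration file becomes an ovpn file with only minor changes. For example, the client file at the end of the previous section, rewritten, becomes: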

client
dev tun
proto udp6
remote 2409:8a00:787f:9c60:200:a1ff:fef2:d097 33192
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun

<ca>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
xxxxxxxxxx
xxxxxxxxxx
-----END CERTIFICATE-----
</ca>


<cert>
-----BEGIN CERTIFICATE-----
xxxxxxxxxx
xxxxxxxxxx
xxxxxxxxxx
-----END CERTIFICATE-----
</cert>



<key>
-----BEGIN PRIVATE KEY-----
xxxxxxxxxx
xxxxxxxxxx
xxxxxxxxxx
-----END PRIVATE KEY-----
</key>

# ta.key is enabled, so this line is required; do not forget it
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxxxxxxxxx
xxxxxxxxxx
xxxxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>


remote-cert-tls server
cipher AES-256-GCM
auth SHA256
comp-lzo
verb 3
# Supply the username and password in the GUI
auth-user-pass

Import it into the GUI client and it is ready to use.
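
The manual steps in this section (paste each file into an inline block, add key-direction, delete the original file-referencing lines) can be scripted. The following is an added example, not code from the original page: the function names and the sample input are assumptions, and the key material is constructed placeholder text.

```python
"""Build a single .ovpn from a client.conf that references key files (added example)."""
import os
import re

# ca / cert / key / tls-auth with a file argument, an optional tls-auth
# direction (0 or 1) and an optional trailing comment.
_DIRECTIVE = re.compile(r"^\s*(ca|cert|key|tls-auth)\s+(\S+)(?:\s+([01]))?\s*(?:#.*)?$")


def inline_ovpn(conf_text, read_file):
    """Replace file-referencing directives with inline <tag> blocks.

    read_file(name) must return the text of that file.
    """
    out = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m is None:
            out.append(line)  # other options and commented-out lines pass through
            continue
        tag, filename, direction = m.groups()
        if tag == "tls-auth" and direction is not None:
            out.append(f"key-direction {direction}")  # replaces the trailing 0/1
        out += [f"<{tag}>", read_file(filename).strip(), f"</{tag}>"]
    return "\n".join(out) + "\n"


def write_ovpn(path, text):
    """Write the profile with mode 0600, since it now embeds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)


# Constructed sample input: placeholder bodies, not real key material.
SAMPLE_CONF = """client
dev tun
ca ca.crt
;cert laptop.crt
cert client1.crt
key client1.key  # keep secret
tls-auth ta.key 1
cipher AES-256-GCM
"""
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\n(ca)\n-----END CERTIFICATE-----\n",
    "client1.crt": "-----BEGIN CERTIFICATE-----\n(client)\n-----END CERTIFICATE-----\n",
    "client1.key": "-----BEGIN PRIVATE KEY-----\n(key)\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n(ta)\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    print(inline_ovpn(SAMPLE_CONF, SAMPLE_FILES.__getitem__), end="")
```

The resulting file carries the client private key and the tls-auth key, which is why write_ovpn restricts it to the owner.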

A demo from a certain university:

client
dev tun
proto tcp

# Multiple servers allow load balancing
<connection>
remote openvpn.xxx.edu.cn 443
remote openvpn1.xxx.edu.cn 443
remote openvpn2.xxx.edu.cn 443
remote openvpn3.xxx.edu.cn 443
remote openvpn4.xxx.edu.cn 443
remote openvpn5.xxx.edu.cn 443
remote openvpn6.xxx.edu.cn 443
remote openvpn7.xxx.edu.cn 443
remote openvpn8.xxx.edu.cn 443
remote openvpn9.xxx.edu.cn 443
</connection>

# Connect to a random one
remote-random
# Retry
resolv-retry 60

comp-lzo
resolv-retry infinite
nobind
persist-key
persist-tun
setenv CLIENT_CERT 0
# Supply the username and password in the GUI
auth-user-pass
remote-cert-tls server
verb 3

sndbuf 0
rcvbuf 0
mssfix 0
cipher none

<ca>
-----BEGIN CERTIFICATE-----
.................
.................
-----END CERTIFICATE-----
</ca>

References:#

Mainly based on this: https://www.gingerdoc.com/tutorials/how-to-set-up-an-openvpn-server-on-debian-10-

I also read the official Debian and Ubuntu sites, which are excellent: https://wiki.debian.org/OpenVPN https://ubuntu.com/server/docs/service-openvpn

Password verification: https://www.cnblogs.com/cj1698/p/15927664.html https://zhuanlan.zhihu.com/p/554690377

CentOS setup: https://zhuanlan.zhihu.com/p/554690377

Writing the ovpn file: https://zhuanlan.zhihu.com/p/199176752

Alternatively, a quick-setup script can be used: https://github.com/Nyr/openvpn-install