2022-07-19
OpenVPN - Configuration Files
1. OpenVPN server-side configuration file

```
#################################################
# Sample OpenVPN 2.0 config file for
# multi-client server.
#
# This file is for the server side
# of a many-clients <-> one-server
# OpenVPN configuration.
#
# OpenVPN also supports
# single-machine <-> single-machine
# configurations (See the Examples page
# on the web site for more info).
#
# This config should work on Windows
# or Linux/BSD systems. Remember on
# Windows to quote pathnames and use
# double backslashes, e.g.:
# "C:\\Program Files\\OpenVPN\\config\\foo.key"
#
# Comments are preceded with '#' or ';'
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
#dh dh2048.pem
dh /etc/openvpn/certs/dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients. See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.8.4"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /etc/openvpn/server/certs/ta.key 0  # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log         /var/log/openvpn/openvpn.log
;log-append  /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 0

crl-verify /etc/openvpn/easyrsa/pki/crl.pem
```

2. OpenVPN client-side configuration file

```
##############################################
# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# On Windows, you might want to rename this
# file so it has a .ovpn extension
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert username.crt
key username.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#   http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
```

3. OpenVPN app configuration

[Tips] iOS client configuration (all material inlined into one .ovpn file):

```
client
dev tun
;proto tcp
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
#ca ca.crt
#cert client02.crt
#key client02.key
remote-cert-tls server
#tls-auth ta.key 1
#comp-lzo
verb 3
<ca>
(CA certificate PEM block, omitted here)
</ca>
<cert>
(client certificate PEM block, omitted here)
</cert>
<key>
(client private key PEM block, omitted here)
</key>
key-direction 1
<tls-auth>
(OpenVPN static key V1 block, omitted here)
</tls-auth>
```
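An added audit script, not tooling from the original post, that parses a server.conf and a client .ovpn the way OpenVPN reads them (`#`/`;` comments, inline `<ca>`-style blocks) and checks the settings the two sample files above turn on or off: tls-auth key direction (0 on the server, 1 on the client), cipher strength, duplicate-cn, the user/group privilege drop, crl-verify, remote-cert-tls server, and explicit-exit-notify, which OpenVPN only accepts together with proto udp. SERVER_CONF, BAD_SERVER_CONF and CLIENT_OVPN are constructed from those directives; the paths, the xxx.xxx.xxx.xxx remote and the inline block contents are placeholders.

```python
"""OpenVPN server.conf / client.ovpn audit for the directives discussed above. Added example,
not tooling from the post; SERVER_CONF and CLIENT_OVPN are constructed, with dummy inline blocks."""
import re
import shlex
from typing import Dict, List, Tuple

Config = Dict[str, List[List[str]]]   # directive -> argument lists, in file order
Findings = List[Tuple[str, str]]      # (severity, message)
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_openvpn_config(text: str) -> Config:
    """Active directives only; '#'/';' lines and '#'-led tokens are comments, <tag> blocks become '<inline>'."""
    cfg: Config = {}
    inline_tag = ""
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:                                  # skip the PEM/key body
            if line == f"</{inline_tag}>":
                inline_tag = ""
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline_tag = m.group(1)
            cfg.setdefault(inline_tag, []).append(["<inline>"])
            continue
        tokens = shlex.split(line, comments=True)       # keeps "quoted args" whole
        if tokens:
            cfg.setdefault(tokens[0], []).append(tokens[1:])
    return cfg


def first_arg(cfg: Config, name: str, default: str = "") -> str:
    args = cfg.get(name, [[]])[-1]                      # last occurrence wins, as in OpenVPN
    return args[0] if args else default


def audit_server(cfg: Config) -> Findings:
    f: Findings = []
    if "explicit-exit-notify" in cfg and not first_arg(cfg, "proto", "udp").startswith("udp"):
        f.append(("error", "explicit-exit-notify can only be used with --proto udp"))
    if "duplicate-cn" in cfg:
        f.append(("high", "duplicate-cn: a shared cert cannot be revoked for one user only"))
    if "tls-auth" not in cfg and "tls-crypt" not in cfg:
        f.append(("medium", "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"))
    elif "tls-auth" in cfg and cfg["tls-auth"][-1][1:2] not in ([], ["0"]):
        f.append(("error", "server tls-auth key direction must be 0 (clients use 1)"))
    if "crl-verify" not in cfg:
        f.append(("medium", "crl-verify missing: certs revoked with 'easyrsa revoke' stay accepted"))
    if "user" not in cfg or "group" not in cfg:
        f.append(("low", "user/group not set: daemon keeps root after initialization"))
    if first_arg(cfg, "cipher").upper() in WEAK_CIPHERS:
        f.append(("high", f"weak cipher {first_arg(cfg, 'cipher')}"))
    return f


def audit_client(cfg: Config) -> Findings:
    f: Findings = []
    if first_arg(cfg, "remote-cert-tls") != "server":
        f.append(("high", "remote-cert-tls server missing: a valid client cert could pose as the server"))
    if "tls-auth" in cfg:                               # direction from 'tls-auth ta.key 1' or key-direction
        direction = cfg["tls-auth"][-1][1:2] or cfg.get("key-direction", [[]])[-1][:1]
        if direction != ["1"]:
            f.append(("error", "client tls-auth key direction must be 1"))
    if first_arg(cfg, "key") == "<inline>":
        f.append(("info", "private key embedded in the .ovpn: the file itself is the credential"))
    return f


def audit_pair(server: Config, client: Config) -> Findings:
    f: Findings = []
    for name in ("proto", "cipher"):                    # the sample files say these must match on both sides
        s, c = (first_arg(x, name).lower().rstrip("46") for x in (server, client))
        if s and c and s != c:
            f.append(("error", f"{name} differs: server '{s}', client '{c}'"))
    return f


SERVER_CONF = """\
proto udp
key /etc/openvpn/server/certs/server.key # This file should be kept secret
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
;duplicate-cn
tls-auth /etc/openvpn/server/certs/ta.key 0
cipher AES-256-CBC
;user nobody
explicit-exit-notify 1
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
"""
# The 'Options error' case from the install post below: proto tcp with explicit-exit-notify kept, plus duplicate-cn.
BAD_SERVER_CONF = SERVER_CONF.replace("proto udp", "proto tcp").replace(";duplicate-cn", "duplicate-cn")
CLIENT_OVPN = """\
client
proto udp
remote-cert-tls server
cipher AES-256-CBC
<key>
DUMMY PEM (constructed placeholder, not a private key)
</key>
key-direction 1
<tls-auth>
DUMMY KEY (constructed placeholder)
</tls-auth>
"""
```

Run `audit_server(parse_openvpn_config(open("server.conf").read()))` against a real file to get the same findings list; the severities are the script's own labels, not OpenVPN's.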
2022-04-21
CentOS 7 - Installing OpenVPN
1. Install openvpn

```
yum -y install epel-release
yum -y install openvpn easy-rsa iptables-services
```

Installing iptables on Debian:

```
apt install iptables
# save the rule set
iptables-save > /etc/network/iptables.up.rules
# restore it on boot:
vim /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/network/iptables.up.rules
chmod +x /etc/network/if-pre-up.d/iptables
```

2. Move the easy-rsa directory

easy-rsa is installed under /usr/share/easy-rsa/3.0.8 by default; the configuration template from the documentation is in /usr/share/doc/easy-rsa-3.0.8.

```
cp -a /usr/share/easy-rsa/3.0.8 /etc/openvpn/easy-rsa
# copy the configuration template
cp -a /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars
```

3. Edit the configuration file:

```
[root@C20210910156669 easy-rsa]# grep -Ev "^#|^$" vars
if [ -z "$EASYRSA_CALLER" ]; then
	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
	echo "This is no longer necessary and is disallowed. See the section called" >&2
	echo "'How to use this file' near the top comments for more details." >&2
	return 1
fi
set_var EASYRSA_REQ_COUNTRY   "US"                       # country
set_var EASYRSA_REQ_PROVINCE  "California"               # province / state
set_var EASYRSA_REQ_CITY      "San Francisco"            # city
set_var EASYRSA_REQ_ORG       "Copyleft Certificate Co"  # organization
set_var EASYRSA_REQ_EMAIL     "[email protected]"          # e-mail address
set_var EASYRSA_REQ_OU        "My Organizational Unit"   # organizational unit / department
```

4. Initialize the PKI directory

```
[root@C20210910156669 easy-rsa]# ./easyrsa init-pki
```

5. Create the CA root certificate

```
[root@C20210910156669 easy-rsa]# ./easyrsa build-ca nopass
```

This creates the CA root certificate. You are prompted for a Common Name; choose any name. The step also prompts "Enter New CA Key Passphrase": enter the PEM passphrase twice. This passphrase must be remembered, otherwise certificates cannot be signed later. Adding the nopass parameter skips the passphrase.

6. Generate the OpenVPN server certificate and key

```
[root@C20210910156669 easy-rsa]# ./easyrsa build-server-full server nopass
```

7. Generate the Diffie-Hellman parameter file

```
[root@C20210910156669 easy-rsa]# ./easyrsa gen-dh
```

8. Generate the tls-auth key

This key is mainly used to defend against DoS and TLS attacks. The step is actually optional, but it is generated here for security; the file is used later when configuring OpenVPN.

```
[root@C20210910156669 easy-rsa]# openvpn --genkey --secret ta.key
```

9. Move the generated certificate files

```
mkdir /etc/openvpn/server/certs
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server/certs
cp /etc/openvpn/easy-rsa/pki/private/ca.key /etc/openvpn/server/certs
cp /etc/openvpn/easy-rsa/pki/private/openvpn-server.key /etc/openvpn/server/certs
cp /etc/openvpn/easy-rsa/pki/issued/openvpn-server.crt /etc/openvpn/server/certs
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server/certs
```

10. Create the OpenVPN log directory

```
[root@C20210910156669]# mkdir -p /var/log/openvpn
[root@C20210910156669]# chown openvpn:openvpn /var/log/openvpn/
```

11. Move the configuration file:

```
[root@C20210910156669]# cd /etc/openvpn/server
[root@C20210910156669 server]# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf .
```

12. Edit the configuration file

```
[root@C20210910156669 server]# grep -Ev "^#|^$" server.conf
;local a.b.c.d
port 1194                                    # listening port
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/server/certs/ca.crt          # CA root certificate path
cert /etc/openvpn/server/certs/server.crt    # OpenVPN server certificate path
key /etc/openvpn/server/certs/server.key     # OpenVPN server key path. This file should be kept secret
dh /etc/openvpn/server/certs/dh.pem          # Diffie-Hellman parameter file path
;topology subnet
server 10.8.0.0 255.255.255.0                # subnet of the VPN virtual interface; it only must not clash with the LAN subnet
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"               # DNS server settings
push "dhcp-option DNS 8.8.8.4"
push "redirect-gateway def1"                 # route all client traffic through the VPN, like a global proxy
client-to-client                             # let VPN clients talk to each other
;duplicate-cn                                # let several clients connect with the same VPN account; commented out by default: one account, one client
keepalive 10 120                             # ping every 10 seconds
;tls-auth ta.key 0 # This file is secret
tls-auth /etc/openvpn/server/certs/ta.key 0  # the parameter 0 may be omitted; if kept, the client sets the matching parameter 1; if omitted, the client needs no tls-auth setting
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100                             # maximum number of concurrent client connections
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
verb 3                                       # log verbosity level
;mute 20
explicit-exit-notify 1                       # only usable with the udp protocol, otherwise: Options error: --explicit-exit-notify can only be used with --proto udp
```

13. Stop the firewall and SELinux

```
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
```

14. Enable kernel IP forwarding

```
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
```

15. Firewall configuration

```
iptables -F
iptables -X
iptables -Z
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables-save > /etc/sysconfig/iptables
```

Note that these commands open TCP 1194 while server.conf uses proto udp; the saved rule set in step 16 carries the udp 1194 rule.

16. iptables configuration

```
# Generated by iptables-save v1.4.21 on Thu Apr 21 16:25:00 2022
*filter
:INPUT DROP [3:212]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [138:18252]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -s 0.0.0.0/0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1688 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 21 16:25:00 2022
# Generated by iptables-save v1.4.21 on Thu Apr 21 16:25:00 2022
*nat
:PREROUTING ACCEPT [5:602]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [1:59]
:POSTROUTING ACCEPT [1:59]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 21 16:25:00 2022
```

17. Start the VPN server

```
systemctl start openvpn-server@server    # start
systemctl enable openvpn-server@server   # start on boot
systemctl status openvpn-server@server   # check the service status
```

18. Configure the client

```
[root@C20210910156669 client]# grep -Ev "^#|^$" client.ovpn
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote xxx.xxx.xxx.xxx 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite    # reconnect automatically after a disconnect
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
mute-replay-warnings
ca ca.crt
cert username.crt
key username.key
remote-cert-tls server
;tls-auth ta.key 1
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
```

19. Script for creating users automatically [content visible only after replying on the original post]

20. Revoke a certificate

```
# enter the directory
cd /etc/openvpn/easy-rsa/
# revoke the certificate
./easyrsa revoke test01
# check the file that is written
./easyrsa gen-crl
# add one line to server.conf: crl-verify crl.pem
vim /etc/openvpn/server/server.conf
```

Append this line at the end:

```
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem
```

Then restart openvpn.

21. Merge the configuration into a single file, client.ovpn

[Tips] iOS client configuration:

```
client
dev tun
;proto tcp
proto udp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
#ca ca.crt
#cert client02.crt
#key client02.key
remote-cert-tls server
#tls-auth ta.key 1
#comp-lzo
verb 3
<ca>
(CA certificate PEM block, omitted here)
</ca>
<cert>
(client certificate PEM block, omitted here)
</cert>
<key>
(client private key PEM block, omitted here)
</key>
key-direction 1
<tls-auth>
(OpenVPN static key V1 block, omitted here)
</tls-auth>
```

server.conf configuration reference

```
#################################################
# Sample server-side configuration file for a multi-client OpenVPN 2.0 server
#
# This file is for the server side of a many-clients <-> one-server OpenVPN setup
#
# OpenVPN also supports single-machine <-> single-machine configurations
# (see the Examples page on the web site for more information)
#
# This config works on Windows and Linux/BSD systems. On Windows, remember to quote
# pathnames and use double backslashes, e.g. "C:\Program Files\OpenVPN\config\foo.key"
#
# Anything starting with '#' or ';' is a comment
#################################################

# Which local IP addresses should OpenVPN listen on?
# This directive is optional; if unset, OpenVPN listens on all local IP addresses by default.
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# To run several OpenVPN instances on the same machine, give each one a different port number.
# You also need to open these ports on your firewall.
port 1194

# Should OpenVPN use TCP or UDP?
;proto tcp
proto udp

# Specifies the type of tunnel OpenVPN creates.
# "dev tun" creates a routed IP tunnel,
# "dev tap" creates an ethernet tunnel.
#
# If you are ethernet bridging and have created a virtual interface "tap0" in advance,
# bridged with your ethernet interface, you can use "dev tap0".
#
# If you want to control VPN access policies, you must create firewall rules for the TUN/TAP interface.
#
# On non-Windows systems you can give an explicit unit number, e.g. "tun0".
# On Windows you can also use "dev-node".
# On most systems the VPN will not work unless you partially or fully disable the firewall
# for the TUN/TAP interface.
;dev tap
dev tun

# If you configure several tunnels, you need the name of the TAP-Win32 adapter from the
# Network Connections panel (e.g. "MyTap").
# On XP SP2 or later you may need to selectively disable the firewall for the TAP adapter.
# Non-Windows systems usually do not need this directive.
;dev-node MyTap

# Set the SSL/TLS root certificate (ca), certificate (cert) and private key (key).
# Each client and the server need their own certificate and private key files.
# The server and all clients use the same CA certificate file.
#
# The scripts in the easy-rsa directory generate the required certificates and private keys.
# Remember that the server and every client certificate must use a unique Common Name.
#
# Any key management system that follows X509 can also be used to generate certificates and keys.
# OpenVPN also supports a PKCS #12 key file (see the "pkcs12" directive on the site's manual page)
ca ca.crt
cert server.crt
key server.key  # this file should be kept secret

# Specify the Diffie-Hellman parameters.
# You can generate your own parameters with the following command:
#   openssl dhparam -out dh1024.pem 1024
# If you use a 2048-bit key, replace 1024 with 2048.
dh dh1024.pem

# Set server mode and supply a VPN subnet from which client IP addresses are allocated.
# In this example the server itself takes 10.8.0.1 and the rest are handed out to clients.
# If you are ethernet bridging, comment out this line. See the official manual page for more information.
server 10.8.0.0 255.255.255.0

# Specifies the file that records the association between clients and virtual IP addresses.
# When OpenVPN restarts, reconnecting clients get the same virtual IP address as last time
ifconfig-pool-persist ipp.txt

# This directive is only for ethernet bridging mode.
# First, use the operating system's bridging capability to bridge the ethernet NIC with the TAP interface.
# Then set the IP address and netmask of the bridge interface by hand;
# here we assume 10.8.0.4 and 255.255.255.0.
# Finally, set aside an IP range in the subnet (e.g. from 10.8.0.50 to 10.8.0.100) to allocate to connecting clients.
# If you are not ethernet bridging, simply leave this directive commented out.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# This directive is only for ethernet bridging with a DHCP proxy,
# where clients ask the server-side DHCP server for their IP address and DNS server addresses.
#
# Here too you must first bridge the ethernet NIC with the TAP interface.
# Note: this only works for OpenVPN clients whose TAP adapter is bound to a DHCP client.
;server-bridge

# Push routes to clients so they can reach other private subnets behind the server.
# (In short, it lets clients reach the other LANs the VPN server is connected to)
# Remember that those private subnets must also route the OpenVPN client address pool
# (10.8.0.0/255.255.255.0) back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign a specific IP address to a specific client, or when a client has a private subnet
# behind it that should also reach the VPN, use the ccd subdirectory for that client's configuration file.
# (In short, it lets the members of the client's LAN reach the VPN too)
# For example: suppose the client with Common Name "Thelonious" has a small subnet
# 192.168.40.128/255.255.255.248 behind it that should connect to the VPN.
# First, uncomment the following two directives:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create the file ccd/Thelonious with this content:
#   iroute 192.168.40.128 255.255.255.248
# The client's LAN can now reach the VPN.
# Note that this only works in routed mode, not bridged mode,
# i.e. when you use the "dev tun" and "server" directives.

# Another example: suppose you want to give Thelonious the fixed IP address 10.9.0.1.
# First, uncomment the following two directives:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this directive to the file ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# To apply different firewall access policies to different groups of clients, there are two methods:
# (1) Run several OpenVPN daemons, one per group, and apply suitable firewall rules to each daemon (group).
# (2) (Advanced) Create a script that modifies the firewall rules dynamically in response to different clients.
# See the official manual page for more on the learn-address script.
;learn-address ./script

# If enabled, every client's default gateway is redirected to the VPN, so all client traffic,
# such as web browsing and DNS queries, passes through the VPN.
# (For this to work, the machine running the OpenVPN server may need NAT or bridging
# between the TUN/TAP interface and the ethernet)
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings can be pushed to clients, such as DNS or WINS server addresses.
# The addresses below are the public DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncommenting this directive lets different clients "see" each other (clients can reach each other).
# By default clients only "see" the server. To make sure clients only see the server,
# you can also set suitable firewall rules on the server's TUN/TAP interface.
;client-to-client

# If several clients may connect with the same certificate/key files or Common Name, uncomment this directive.
# It is recommended for testing only. In production, every client should have its own certificate and key.
# If you have not generated a certificate/key with a unique Common Name for every client,
# you can uncomment this line (not recommended).
;duplicate-cn

# The keepalive directive sends ping-like messages back and forth so that server and client
# know when the other side has gone down.
# Ping every 10 seconds; if no reply arrives within 120 seconds, the remote connection is considered closed.
keepalive 10 120

# For extra security beyond SSL/TLS, an "HMAC firewall" helps block DoS attacks and UDP port flooding.
# Generate it with:
#   openvpn --genkey --secret ta.key
#
# The server and every client need a copy of this key.
# The second parameter should be '0' on the server and '1' on the clients.
;tls-auth ta.key 0  # this file should be kept secret

# Select a cryptographic cipher.
# This directive must also be copied into every client configuration file.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also enable it in every client configuration file.
comp-lzo

# Maximum number of concurrently connected clients
;max-clients 100

# After initialization, dropping the OpenVPN daemon's privileges is a good idea.
# This directive is only for non-Windows systems.
;user nobody
;group nobody

# The persist options try to avoid accessing resources that can no longer be reached
# after a restart because privileges were dropped.
```
persist-key persist-tun # 输出一个简短的状态文件,用于显示当前的连接状态,该文件每分钟都会清空并重写一次。 status openvpn-status.log # 默认情况下,日志消息将写入syslog(在Windows系统中,如果以服务方式运行,日志消息将写入OpenVPN安装目录的log文件夹中)。 # 你可以使用log或者log-append来改变这种默认情况。 # "log"方式在每次启动时都会清空之前的日志文件。 # "log-append"这是在之前的日志内容后进行追加。 # 你可以使用两种方式之一(但不要同时使用)。 ;log openvpn.log ;log-append openvpn.log # 为日志文件设置适当的冗余级别(0~9)。冗余级别越高,输出的信息越详细。 # # 0 表示静默运行,只记录致命错误。 # 4 表示合理的常规用法。 # 5 和 6 可以帮助调试连接错误。 # 9 表示极度冗余,输出非常详细的日志信息。 verb 3 # 重复信息的沉默度。 # 相同类别的信息只有前20条会输出到日志文件中。 ;mute 20iptables 配置# Generated by iptables-save v1.4.21 on Wed May 10 08:44:55 2023 *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [9150:5540077] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT -A INPUT -p udp -m udp --dport 1194 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth0 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT #-A FORWARD -s 10.8.0.0/24 -j ACCEPT # 允许访问的服务器 -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.0.10.201,10.0.20.100,10.0.30.90 -j ACCEPT # 禁止访问内网网段 -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.0.10.0/24,10.0.20.0/24,10.0.30.0/24,10.0.91.0/24 -j DROP #-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT COMMIT # Completed on Wed May 10 08:44:55 2023 # Generated by iptables-save v1.4.21 on Wed May 10 08:44:55 2023 *nat :PREROUTING ACCEPT [1525:155528] :INPUT ACCEPT [421:26649] :OUTPUT ACCEPT [1:76] :POSTROUTING ACCEPT [1:76] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE #-A POSTROUTING -s 10.8.0.0/24 -d 10.0.19.201/24 -j SNAT --to-source 10.0.19.250 COMMIT # Completed on Wed May 10 08:44:55 2023
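The annotated server.conf above warns about several settings in its own comments: a dh file smaller than 2048 bits, duplicate-cn outside testing, not dropping to user/group nobody, running without the tls-auth "HMAC firewall", and the BF-CBC/DES-EDE3-CBC ciphers it lists (both 64-bit block ciphers). The Python script below is an added example that checks a config against exactly those points; it is not code from the post or from OpenVPN. Both config strings are constructed for the example: SAMPLE_CONF repeats the active directives of the sample above, HARDENED_CONF is the same server with those settings corrected (its inline tls-auth key is an all-zero placeholder, not a real key).

```python
"""Audit an OpenVPN server.conf for the settings the annotated sample warns
about. Added example for this post; not code from the post or from OpenVPN.

SAMPLE_CONF and HARDENED_CONF are constructed inputs: the first repeats the
sample's active directives, the second corrects the warned-about settings
(the tls-auth key inside it is a placeholder, not a real key).
"""
import re

SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
;tls-auth ta.key 0
;cipher BF-CBC
comp-lzo
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
cipher AES-256-GCM
user nobody
group nobody
persist-key
persist-tun
verb 3
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 0
"""


def parse_conf(text):
    """Map each active directive to a list of its argument lists.
    Lines starting with '#' or ';' are comments, a trailing '# ...' is
    stripped, and an inline <tag>...</tag> block is recorded as directive
    'tag' with the single argument '<inline>'."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if block:                                   # inside <tag> ... </tag>
            if line == f"</{block}>":
                directives.setdefault(block, []).append(["<inline>"])
                block = None
            continue
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"<(\w[\w-]*)>", line)
        if m:
            block = m.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(directives):
    """Return the list of findings; an empty list means nothing was flagged."""
    findings = []
    for args in directives.get("dh", []):
        bits = re.search(r"\d{3,5}", args[0]) if args else None
        if bits and int(bits.group()) < 2048:       # sample: "substitute 2048 for 2048-bit keys"
            findings.append(f"dh: {args[0]} is smaller than 2048 bits")
    if "duplicate-cn" in directives:                # sample: testing only
        findings.append("duplicate-cn: clients may share one certificate")
    if "user" not in directives or "group" not in directives:
        findings.append("user/group: daemon keeps root after initialization")
    if "tls-auth" not in directives and "tls-crypt" not in directives:
        findings.append("tls-auth: no HMAC firewall on the control channel")
    ciphers = [a[0].upper() for a in directives.get("cipher", []) if a]
    if not ciphers:                                 # sample lists BF-CBC as the default
        findings.append("cipher: not set, so the BF-CBC default applies")
    for c in ciphers:
        if c in ("BF-CBC", "DES-EDE3-CBC"):         # 64-bit block ciphers
            findings.append(f"cipher: {c} has a 64-bit block size")
    if "comp-lzo" in directives:                    # compressing plaintext next to attacker-chosen data leaks it (VORACLE)
        findings.append("comp-lzo: compression enabled on the VPN link")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(parse_conf(conf)) or ['no findings']}")
```

Running it reports five findings for the sample (dh1024, no user/group, no tls-auth, cipher unset, comp-lzo) and none for the hardened variant. The parser understands the inline `<tls-auth>` block form used in the first config section of this post, so a key embedded in the file counts as present.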
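The FORWARD rules in the dump above are evaluated first-match, so their order decides what a VPN client can reach: the ACCEPT rule for the three listed hosts runs before the DROP rule for the four internal /24s, and a destination outside both lists falls through to the chain's ACCEPT policy. The Python evaluator below is an added example, not code from the post or from iptables: it parses the filter table of the dump and walks a chain the way the kernel does. FILTER_RULES repeats the dump's active rules (the commented-out rules and the nat table are left out), only the matches those rules use are modelled (-i, -o, -p, --dport, -s, -d, including iptables' comma-separated address lists), and the packets are constructed test inputs; 10.0.19.250 is used as the server address because it appears in the dump, and 203.0.113.5 is a documentation-range address.

```python
"""First-match evaluation of the filter table from the iptables dump above.
Added example for this post; not code from the post or from iptables.

FILTER_RULES repeats the active rules of the dump. Only -i, -o, -p,
--dport, -s and -d are modelled, and every option is assumed to take one
value (true for this dump; '!' negation is not handled). Packets are
constructed test inputs.
"""
import ipaddress
import shlex

FILTER_RULES = """\
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9150:5540077]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.0.10.201,10.0.20.100,10.0.30.90 -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.0.10.0/24,10.0.20.0/24,10.0.30.0/24,10.0.91.0/24 -j DROP
-A OUTPUT -o lo -j ACCEPT
"""


def parse_rules(text):
    """Return (policies, chains): chain -> policy name, chain -> ordered rules.
    Each rule is a dict of option -> value taken from its '-A' line."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                        # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
            chains[chain] = []
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule = {toks[i]: toks[i + 1] for i in range(0, len(toks), 2)}
            chains.setdefault(rule.pop("-A"), []).append(rule)
    return policies, chains


def _addr_match(spec, addr):
    """True when addr lies inside any of the comma-separated networks in spec
    (iptables expands such a list into one rule per address)."""
    if spec is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in spec.split(","))


def matches(rule, pkt):
    """Check the modelled match options of one rule against a packet."""
    checks = (("-i", "in_if"), ("-o", "out_if"), ("-p", "proto"))
    if any(opt in rule and rule[opt] != pkt.get(key) for opt, key in checks):
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt.get("dport"):
        return False
    return _addr_match(rule.get("-s"), pkt["src"]) and _addr_match(rule.get("-d"), pkt["dst"])


def verdict(chain, pkt, policies, chains):
    """Walk the chain top to bottom like the kernel: the first matching rule
    with a terminating target decides; otherwise the chain policy applies."""
    for rule in chains.get(chain, []):
        if rule.get("-j") in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule["-j"]
    return policies[chain]


def packet(in_if, src, dst, proto=None, dport=None):
    """Build a constructed test packet."""
    return {"in_if": in_if, "src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    policies, chains = parse_rules(FILTER_RULES)
    # A VPN client (10.8.0.6, arriving on tun0) trying three destinations:
    for dst in ("10.0.10.201", "10.0.10.5", "10.0.50.5"):
        print("FORWARD ->", dst, verdict("FORWARD", packet("tun0", "10.8.0.6", dst), policies, chains))
    # Traffic addressed to the server itself:
    print("INPUT eth0 tcp/8080", verdict("INPUT", packet("eth0", "203.0.113.5", "10.0.19.250", "tcp", 8080), policies, chains))
    print("INPUT tun0 tcp/8080", verdict("INPUT", packet("tun0", "10.8.0.6", "10.8.0.1", "tcp", 8080), policies, chains))
```

Walking the rules this way makes two properties of the dump visible: a VPN client reaches 10.0.10.201 (allowlisted), is dropped for 10.0.10.5 (inside a blocked /24), but is forwarded to 10.0.50.5 because no rule mentions that subnet and the FORWARD policy is ACCEPT; and in the INPUT chain the `-i eth0 -j ACCEPT` rule accepts everything arriving on eth0, so the DROP policy only constrains packets arriving on tun0, where tcp/22, tcp/udp 1194 and ICMP are still accepted by the earlier rules.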
2022-04-21