Building a VPN service with OpenVPN

1. Setting up the VPN with OpenVPN

System environment

[root@node01 2.0]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
[root@node01 2.0]# uname -r
3.10.0-327.el7.x86_64
[root@node01 2.0]# systemctl status firewalld.service 
● firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
 Active: inactive (dead)
[root@node01 2.0]# getenforce 
Disabled
[root@node01 2.0]# hostname -I
118.190.201.68 172.16.1.68

1.1 Install OpenVPN

~]# yum install wget -y
#!/bin/bash
# Install wget only if it is not already present
if [ "$(rpm -qa wget | wc -l)" -lt 1 ]; then
    yum install -y wget
else
    echo "wget is already installed"
fi
## Replace the Base repo with the Aliyun mirror
~]# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
## Replace the EPEL repo with the Aliyun mirror
~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
## Install the build dependencies for OpenVPN
~]# yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel gcc
## Confirm the packages are installed
~]# rpm -qa lzo lzo-devel openssl openssl-devel pam pam-devel pkcs11-helper pkcs11-helper-devel
pam-1.1.8-22.el7.x86_64
pam-devel-1.1.8-22.el7.x86_64
pkcs11-helper-1.11-3.el7.x86_64
lzo-devel-2.06-8.el7.x86_64
openssl-1.0.2k-12.el7.x86_64
lzo-2.06-8.el7.x86_64
openssl-devel-1.0.2k-12.el7.x86_64
pkcs11-helper-devel-1.11-3.el7.x86_64

## Download the OpenVPN source tarball
~]# wget http://oss.aliyuncs.com/aliyunecs/openvpn-2.2.2.tar.gz
## Build an RPM from the tarball with rpmbuild (install it first with: yum install -y rpm-build)
~]# rpmbuild -tb openvpn-2.2.2.tar.gz
~]# echo $?
0
## rpmbuild compiles the source; when it finishes, the package openvpn-2.2.2-1.x86_64.rpm is written to /root/rpmbuild/RPMS/x86_64
[root@node01 ~]# ll /root/rpmbuild/RPMS/x86_64/
total 408
-rw-r--r-- 1 root root 415672 May 11 09:25 openvpn-2.2.2-1.x86_64.rpm
## Install the resulting RPM with rpm -ivh
[root@node01 ~]# rpm -ivh /root/rpmbuild/RPMS/x86_64/openvpn-2.2.2-1.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
 1:openvpn-2.2.2-1 ################################# [100%]
Restarting openvpn (via systemctl): [ OK ]

1.2 Configure the PKI

[root@node01 ~]# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/
[root@node01 2.0]# egrep -v "#|^$" vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BEIJING"
export KEY_ORG="IT"
export KEY_EMAIL="443060965@qq.com"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme
export KEY_NAME=John
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
# The KEY_* values above can be customised; they do not affect the configuration.
# They serve as the defaults when the server CA certificate is generated later.
[root@node01 2.0]# source vars

1.3 Generate the CA certificate

## Generate the server-side certificates
[root@node01 2.0]# ln -s openssl-1.0.0.cnf openssl.cnf
[root@node01 2.0]# ll openssl*
-rwxr-xr-x 1 root root 7768 Oct 21 2010 openssl-0.9.6.cnf
-rwxr-xr-x 1 root root 8325 Nov 25 2011 openssl-0.9.8.cnf
-rwxr-xr-x 1 root root 8222 Nov 25 2011 openssl-1.0.0.cnf
lrwxrwxrwx 1 root root 17 May 11 10:02 openssl.cnf -> openssl-1.0.0.cnf
[root@node01 2.0]# source ./vars      ## load the variables before generating the CA
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys
## Remove any existing certificates
[root@node01 2.0]# ./clean-all        ## ./clean-all deletes every file under keys/

1.4 Generate the server and client certificates (pressing Enter through the prompts is enough)

Note: the following command is fine to run on a first install, but use it with care once clients have been added, because it wipes every certificate and key that has been generated (this is what the NOTE printed above refers to).

[root@node01 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [IT]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [John]:
Email Address [mail@host.domain]:

1) Generate the server key and certificate; the name is arbitrary, but remember it, since it is needed later

Below, JohnVPN is a name we chose. Press Enter through the prompts; at the end there are two confirmations, answer y to each. When done, the keys directory holds three files: JohnVPN.key, JohnVPN.csr and JohnVPN.crt.

[root@node01 2.0]# ./build-key-server JohnVPN
Generating a 1024 bit RSA private key
.......................................++++++
.......++++++
writing new private key to 'JohnVPN.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [IT]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [JohnVPN]:
Name [John]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'IT'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'JohnVPN'
name :PRINTABLE:'John'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until May 8 02:15:06 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
## The three generated JohnVPN files
[root@node01 2.0]# ll keys/JohnVPN.*
-rw-r--r-- 1 root root 3987 May 11 10:15 keys/JohnVPN.crt
-rw-r--r-- 1 root root 704 May 11 10:15 keys/JohnVPN.csr
-rw------- 1 root root 912 May 11 10:15 keys/JohnVPN.key

2) Generate client keys and certificates

Note: the client certificate name is arbitrary; naming it after the person it is issued to makes management easier. The process mirrors the server certificate: one prompt asks for a password, which may be left empty; accept the defaults and press Enter through the rest.

To generate a client certificate that logs in with a password, use the command below. A certificate without a password works just as well; it can be changed later, after the client has logged in to the VPN.

##### ./build-key-pass client-pass   ### not needed here (reset)

Create the key and certificate for a VPN login user

Below, we create the key and certificate for the user kevin. Press Enter through the prompts and answer y to the two confirmations at the end. When done, the keys directory contains three files: the 1024-bit RSA key kevin.key, plus kevin.crt and kevin.csr.

[root@node01 2.0]# ./build-key kevin 
Generating a 1024 bit RSA private key
......................................................++++++
...++++++
writing new private key to 'kevin.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [IT]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [kevin]:
Name [John]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BEIJING'
organizationName :PRINTABLE:'IT'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'kevin'
name :PRINTABLE:'John'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until May 8 02:23:15 2028 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

1.5 Generate the DH parameters file

## Generate Diffie-Hellman parameters
## Note: the DH parameters strengthen OpenVPN's security; generating them takes a long time
[root@node01 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................++*++*++*
Note:
After ./build-dh completes, the DH parameter file dh1024.pem is written to the keys directory. It is used during client verification.

1.6 Generate the ta.key file (protects against DDoS, UDP flooding and similar attacks)

[root@node01 2.0]# openvpn --genkey --secret keys/ta.key

1.7 Copy the configuration files

### Copy everything under keys/ to /etc/openvpn
[root@node01 2.0]# mkdir /etc/openvpn/keys
[root@node01 2.0]# cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/* /etc/openvpn/keys
### Copy the sample server configuration server.conf to /etc/openvpn/
[root@node01 2.0]# cp -a /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/
### Configure server.conf

[root@node01 2.0]# cp /etc/openvpn/server.conf{,.ori}
[root@node01 2.0]# egrep -v "^$|^#|^;" /etc/openvpn/server.conf
local 118.190.201.68   # listen address (internal or public); preferably the OpenVPN server's public IP (check with "curl ifconfig.me"), or simply comment this line out. In my production setup this line is commented out.
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log

The directives in this configuration file are explained below:

# local IP address for OpenVPN to listen on; optional
;local a.b.c.d
# TCP or UDP port to listen on; with several server instances, each needs a different port
port 1194
# TCP mode or UDP mode
proto tcp
# Virtual interface type. 1. TUN: routed mode, works at layer 3, no MAC address, more efficient; cannot be bridged to a physical NIC and ignores broadcasts; the client may use TUN or TAP
# 2. TAP: bridged mode, works at layer 2, has a MAC address, less efficient than TUN; can be bridged to a physical NIC and passes broadcasts; the client must use TAP
dev tun
# Certificate settings. Mind the paths: they may be relative to the directory of this configuration file or absolute. Store the .key files carefully
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server-ssl.crt
key /etc/openvpn/server-ssl.key
dh /etc/openvpn/dh.pem
# subnet assigned to clients
server 10.8.0.0 255.255.255.0
# remember each client's IP so it keeps the same virtual IP after reconnecting
ifconfig-pool-persist ipp.txt
# push routes to clients so they can reach other subnets
;push "route 172.16.1.0 255.255.255.0"
# make the VPN the default gateway for every client, so all traffic goes through it
;push "redirect-gateway def1 bypass-dhcp"
# push DNS servers to clients
;push "dhcp-option DNS 208.67.222.222"
# allow clients to reach each other
client-to-client
# allow several clients to connect with the same certificate (mostly for testing; when enabled, one certificate can be used by multiple clients)
duplicate-cn
# liveness check: ping every 10 seconds, treat the connection as lost after 120 seconds without a reply
keepalive 10 120
# compress traffic; server and client must agree
comp-lzo
# maximum number of clients
;max-clients 100
# on reconnect, do not re-read the keys and keep the tun/tap device up
persist-key
persist-tun
# record OpenVPN status information
status openvpn-status.log
# write the log, appending to the file
;log openvpn.log
;log-append openvpn.log
# log level, 0-9; higher means more detail
verb 5

1.8 Create the OpenVPN log directory

mkdir -p /var/log/openvpn/   ## optional

1.9 Enable IP forwarding

[root@node01 ~]# echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
[root@node01 ~]# sysctl -p

1.10 Configure the firewall

Add iptables rules so the server can forward packets to the outside.
The NAT rule is essential: it masquerades the VPN subnet, 10.8.0.0/24, so that its traffic can reach the server's internal network.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE 
iptables -A INPUT -p TCP --dport 1194 -j ACCEPT                   # optional
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # optional
~]# iptables-save    # save the iptables rules
~]# iptables -t nat -L
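As an added example that is not part of the original post, the script below turns the sysctl and iptables steps of 1.9 and 1.10 into functions that can be re-run safely and checked offline. It assumes the post's VPN subnet 10.8.0.0/24, and notes that a bare iptables-save only prints the rules: on CentOS 7 they survive a reboot only when written to /etc/sysconfig/iptables with iptables-services installed (firewalld is disabled on this host, as shown at the top).

```shell
#!/bin/sh
# Added example, not part of the original post: the forwarding and NAT steps of
# 1.9 and 1.10 as idempotent functions, plus checks that read from a file or
# stdin so they can be tested offline. Two caveats: "echo >> /etc/sysctl.conf"
# appends a duplicate line on every re-run, and a bare "iptables-save" only
# prints the ruleset; on CentOS 7 it persists only when written to
# /etc/sysconfig/iptables (package iptables-services, firewalld disabled).
# Assumption: the VPN subnet is the post's 10.8.0.0/24.

VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Return 0 when the ip_forward flag in FILE (default: the live kernel value) is 1.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# Return 0 when a sysctl.conf-style FILE already sets net.ipv4.ip_forward = 1.
sysctl_conf_has_forward() {
    grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 when an iptables-save dump on stdin contains the VPN MASQUERADE rule.
# Live check: iptables-save -t nat | vpn_nat_rule_present
vpn_nat_rule_present() {
    grep -qF -- "-A POSTROUTING -s $VPN_NET -j MASQUERADE"
}

# Apply the sysctl and the NAT rule; safe to run repeatedly (needs root).
ensure_vpn_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sysctl_conf_has_forward /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    # -C only tests whether the rule exists, so -A runs just when it is absent
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$VPN_NET" -j MASQUERADE
    iptables-save > /etc/sysconfig/iptables
    # verify the live state rather than trusting the commands above
    ip_forward_enabled && iptables-save -t nat | vpn_nat_rule_present
}

# Usage: sh vpn_forwarding.sh apply
if [ "${1:-}" = apply ]; then
    ensure_vpn_forwarding && echo "forwarding and NAT for $VPN_NET in place"
fi
```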

1.11 Start the OpenVPN service

Starting OpenVPN produced the following error:

~]# tailf /var/log/openvpn.log
Fri May 11 19:24:40 2018 OpenVPN 2.2.2 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on May 11 2018
Fri May 11 19:24:40 2018 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 11 19:24:40 2018 Diffie-Hellman initialized with 1024 bit key
Fri May 11 19:24:40 2018 Cannot load certificate file JohnVPN.csr: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Fri May 11 19:24:40 2018 Exiting

## Fix: regenerate the certificates
~]# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0
~]# source ./vars
~]# ./clean-all
~]# ./build-ca
~]# ./build-key-server server 
~]# ./build-key client
~]# ./build-dh
~]# mkdir -p /etc/openvpn/keys
~]# cp -a keys/* /etc/openvpn/keys/
~]# cat > /etc/openvpn/server.conf<< EOF
local 118.190.201.68
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn
log /var/log/openvpn.log
EOF

Restart

[root@node01 ~]# /etc/init.d/openvpn start 
Starting openvpn (via systemctl):                  [ OK ]
[root@node01 openvpn]# lsof -i:1194
COMMAND          PID    USER   FD    TYPE    DEVICE   SIZE/OFF NODE NAME
openvpn          24507 root    5u    IPv4    51887    0t0       UDP     118.190.201.68:openvpn
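The error above came from a server.conf whose cert line pointed at a file that was not a signed certificate. The following pre-flight check, an added example rather than part of the original post, reads the ca/cert/key/dh/tls-auth paths out of server.conf and reports a missing file, a .csr request used as cert, a world-readable key, and a missing tls-auth line (the ta.key generated in 1.6 is never referenced by the server.conf above). It assumes relative paths are resolved against the directory holding server.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for the
# credential paths in an OpenVPN server.conf. It catches the mistakes behind
# the "Cannot load certificate file JohnVPN.csr" error above (a file that does
# not exist, or a .csr request handed to "cert" instead of the signed .crt),
# flags a private key readable by other users, and reports when ta.key from
# section 1.6 was generated but never wired in with tls-auth.
# Assumption: relative paths are resolved against the directory of server.conf.

# Print "<directive> <path>" for every ca/cert/key/dh/tls-auth line in CONF,
# skipping ';' or '#' comment lines and trailing "# ..." comments.
cred_paths() {
    grep -E '^[[:space:]]*(ca|cert|key|dh|tls-auth)[[:space:]]+' "$1" \
        | sed -E 's/[[:space:]]+#.*$//' \
        | awk '{ print $1, $2 }'
}

# True when FILE is a PEM certificate request rather than a certificate.
is_csr() {
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"
}

# Check CONF: print one line per problem and return the number of problems.
check_server_conf() {
    conf="$1"
    base=$(dirname "$conf")
    bad=0
    while read -r directive path; do
        [ -z "$directive" ] && continue
        case "$path" in
            /*) full="$path" ;;
            *)  full="$base/$path" ;;
        esac
        if [ ! -f "$full" ]; then
            echo "$directive: $full does not exist"
            bad=$((bad + 1))
        elif [ "$directive" = cert ] && is_csr "$full"; then
            echo "$directive: $full is a certificate request (.csr), not a signed .crt"
            bad=$((bad + 1))
        elif [ "$directive" = key ] && [ -n "$(find "$full" -perm -004)" ]; then
            echo "$directive: $full is world-readable; chmod 600 it"
            bad=$((bad + 1))
        fi
    done <<EOF
$(cred_paths "$conf")
EOF
    if ! grep -qE '^[[:space:]]*tls-auth[[:space:]]' "$conf"; then
        echo "tls-auth: not configured, so the generated ta.key is unused"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# Usage: sh check_server_conf.sh /etc/openvpn/server.conf
if [ $# -eq 1 ]; then
    check_server_conf "$1" && echo "server.conf credential paths look sane"
fi
```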

1.12 Adding OpenVPN clients

To give a colleague a VPN account later, only the following steps are needed.

For example, to set up VPN access for the colleague zhangsan:

~]# cd /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0
2.0]# ./build-key zhangsan
2.0]# cp -a /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys/zhangsan.* /etc/openvpn/
2.0]# /etc/init.d/openvpn restart
2.0]# lsof -i:1194
 
Then write the client configuration file config.ovpn for user zhangsan:
2.0]# vim /tmp/config.ovpn
client
dev tun
proto udp
remote 201.84.149.74 1194   # 201.84.149.74 is the public IP of the OpenVPN server
resolv-retry infinite
nobind
mute-replay-warnings
ca ca.crt
cert zhangsan.crt
key zhangsan.key
comp-lzo
 
Then put these five files, ca.crt, config.ovpn, zhangsan.crt, zhangsan.csr and zhangsan.key, in a directory for user zhangsan:
2.0]# mkdir /tmp/zhangsan
2.0]# cd keys/
keys]# cp ca.crt /tmp/config.ovpn zhangsan.crt zhangsan.csr zhangsan.key /tmp/zhangsan
keys]# cd /tmp && tar -zvcf zhangsan.tar.gz zhangsan
 
Then hand the /tmp/zhangsan.tar.gz archive to user zhangsan so that he can connect with OpenVPN from his client machine.

2. Windows client configuration

2.1 Windows users

1. Request the OpenVPN configuration and key files from the administrator (five files in total: the ca.crt certificate, the config.ovpn client configuration file, and the user's .crt, .csr and .key). The config.ovpn client file is written in advance and copied to the client machine; it does not exist on the server and has to be created by hand.
2. If the TAP driver has never been installed on your computer, the installer shows the prompt below; choose Install.

3. Installer download links:

Windows users: https://pan.baidu.com/s/1ON591DAOOa–HuX1bR6qGA  password: k8su

Mac users: https://pan.baidu.com/s/1a4OcHRWO3Vzp4pv0scuFLA  password: vkop

1) After downloading, double-click the icon shown below to install.

2) Click Next.

3) Keep the defaults, click Next, then confirm that you trust the driver and install it.

4) When installation finishes, the icon below appears on your desktop; that means the installation succeeded.

5) Open My Computer and go to the OpenVPN installation directory, the folder C:\Program Files\OpenVPN\config. Put the configuration files you received from the administrator in this folder, as shown below.

Download the server-generated ca.crt, client.crt and client.key to the local machine and put them in the config/client directory (create it on the client yourself, or unpack the archive prepared on the server into the config directory).

Go to the client's OpenVPN directory, edit the client.ovpn file from sample-config as shown below, and copy it to config/client.

### Edit client.ovpn accordingly

client
dev tun
proto udp
remote 118.190.201.68 1194 
resolv-retry infinite
nobind
comp-lzo
persist-key
persist-tun
ca ca.crt 
cert client.crt 
key client.key
verb 3

6) Back on the desktop, right-click the OpenVPN icon and choose Run as administrator. The OpenVPN program appears in the bottom-right corner of the screen; right-click it and choose Connect.

7) When the icon turns green, the OpenVPN connection is up.

2.2 Mac users

1. Request the configuration and key files from the administrator (the same five files: ca.crt, config.ovpn, wangshibo.crt, wangshibo.csr and wangshibo.key, packed as wangshibo.tar.gz and sent to user wangshibo).
2. Install the program linked at the end of this article.
3. Delete the file ending in .csr from the files the administrator gave you.
4. Append .tblk to the name of the enclosing folder, then double-click it to load it into the VPN configurations.
5. In the menu bar, left-click the icon and choose Connect; a successful connection looks like the status below.

For example:
The administrator prepares the configuration and key files for user wangshibo and packs them for that user, as below:
After receiving the archive, the user unpacks it into a wangshibo folder; opening the folder shows these five files:
Next, delete wangshibo.csr, go back up to the enclosing wangshibo folder and rename it to wangshibo.tblk.
Finally, double-click the .tblk folder and it is loaded into the Tunnelblick VPN client automatically. The indicator below means the VPN is connected.

2.3 After connecting to OpenVPN, check the VPN address assigned to this machine

[root@node01 2.0]# ifconfig     ## an address from the VPN range defined above (10.8.0.10) has been assigned
.......
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.8.0.10 --> 10.8.0.9 netmask 0xffffffff

Note:

The config.ovpn file handed to the user is the OpenVPN client configuration; it does not really exist on the OpenVPN server, but is written by hand and taken to the client machine.
For example, user wangshibo's config.ovpn is configured as follows:
Apart from the cert and key lines, every user's config.ovpn is exactly the same!

client
dev tun
proto udp
remote 111.94.149.74 1194
resolv-retry infinite
nobind
mute-replay-warnings
ca ca.crt
cert wangshibo.crt
key wangshibo.key
comp-lzo

Note:

The Mac client prompts for an upgrade after installation; upgrading may leave it unusable, so do not upgrade unless there is a specific reason. If you have already upgraded, remove it and install the version below.

2.4 The Windows client certificate and configuration files, for reference only:

Link: https://pan.baidu.com/s/1DuT6uS0n4inFlaLY3nloyw  password: ikbd

3. Linux client

Install the EPEL repository

[root@IDC-server ~]# wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm 
[root@IDC-server ~]# rpm -ivh epel-release-latest-6.noarch.rpm

1. Install OpenVPN

[root@IDC-server ~]# yum -y install openvpn

2. Copy the four files /etc/openvpn/easy-rsa/keys/{ca.crt,client.crt,client.key} and /etc/openvpn/client.ovpn from the OpenVPN server to the client's /etc/openvpn directory,
or copy just the client.ovpn prepared on the server (with the contents of the other three files embedded in it) to /etc/openvpn.

Connect to the VPN server

[root@IDC-server ~]# openvpn --config /etc/openvpn/client.ovpn
[root@IDC-server ~]# ps -ef|grep openvpn

Finally, check the IP addresses once the OpenVPN connection is up.

4. Supplementary notes

To make connecting simpler, the following approach can be used:
paste the full contents of ca.crt, client.crt and client.key into client.ovpn; then only the single client.ovpn file needs to be copied to the client machine to connect.

[root@ops-server3 ~]# vim /etc/openvpn/client.ovpn   # comment out the three lines below, then append the blocks at the end of the file
;ca ca.crt        # commented out
;cert client.crt  # commented out
;key client.key   # commented out
 
# paste the contents of ca.crt between the <ca> tags
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
 
# paste the contents of client.crt between the <cert> tags
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
 
# paste the contents of client.key between the <key> tags
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
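For the client onboarding in 1.12 and the single-file profile described in this section, here is an added helper script (not from the original post) that builds <name>.ovpn with the <ca>, <cert> and <key> blocks inlined. Only the PEM block of each file is embedded, since easy-rsa .crt files carry a text dump above it; the .csr is left out because the client never needs it. The keys directory, the client name and the server address are parameters; the remaining directives mirror the config.ovpn shown in 1.12.

```shell
#!/bin/sh
# Added example, not part of the original post: build the single-file client
# profile of section 4 (inline <ca>/<cert>/<key> blocks instead of ca/cert/key
# file directives) for a user created with ./build-key as in section 1.12.
# Only the PEM block of each file is embedded (easy-rsa .crt files carry a
# text dump above it), the .csr is left out because the client never needs
# it, and the profile is made mode 600 since it now contains the private key.
# Assumptions: keys directory and server address come from the caller.

# Print only the "-----BEGIN <TYPE>-----" ... "-----END <TYPE>-----" block of
# FILE; TYPE "PRIVATE KEY" also matches "RSA PRIVATE KEY" and similar headers.
pem_block() {
    sed -n "/^-----BEGIN .*$2-----\$/,/^-----END .*$2-----\$/p" "$1"
}

# Usage: make_inline_ovpn KEYS_DIR CLIENT_NAME SERVER_ADDR OUT_FILE
make_inline_ovpn() {
    keys="$1"; name="$2"; server="$3"; out="$4"
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key"; do
        if [ ! -f "$f" ]; then
            echo "make_inline_ovpn: missing $f" >&2
            return 1
        fi
    done
    {
        cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
mute-replay-warnings
comp-lzo
<ca>
EOF
        pem_block "$keys/ca.crt" CERTIFICATE
        echo '</ca>'
        echo '<cert>'
        pem_block "$keys/$name.crt" CERTIFICATE
        echo '</cert>'
        echo '<key>'
        pem_block "$keys/$name.key" 'PRIVATE KEY'
        echo '</key>'
    } > "$out"
    chmod 600 "$out"
    # a file that exists but holds no PEM block would yield a broken profile
    if [ "$(grep -c -- '-----BEGIN ' "$out")" -ne 3 ]; then
        echo "make_inline_ovpn: $out is incomplete, check the input files" >&2
        return 1
    fi
}

# Usage: sh make_inline_ovpn.sh zhangsan 118.190.201.68
if [ $# -eq 2 ]; then
    make_inline_ovpn /usr/share/doc/openvpn-2.2.2/easy-rsa/2.0/keys "$1" "$2" "/tmp/$1.ovpn" \
        && echo "wrote /tmp/$1.ovpn"
fi
```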

 

 
