Official documentation: @L_502_0@
Install the software
sudo apt install openvpn easy-rsa
Copy the easy-rsa directory
cp -r /usr/share/easy-rsa/ /etc/openvpn/
Check the openssl version
openssl version
Generate the CA certificate (ca.crt) and private key (ca.key)
cd /etc/openvpn/easy-rsa/
cp openssl-1.0.0.cnf openssl.cnf   # pick the openssl-*.cnf that matches the version shown above
. ./vars                           # same as: source ./vars
./clean-all                        # do not run this when you are only adding client certificates and keys
./build-ca                         # pay attention to the Common Name
Generate the server certificate and private key (server.crt / server.key)
./build-key-server server
Generate the client certificates and private keys
./build-key client1
./build-key client2
./build-key client3
./build-dh    # generates the Diffie-Hellman parameters (dh2048.pem)
Put the server files in place
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn/server/
cp /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/server/
Create the ccd directory; it holds one file per client with the settings pushed to that client (such as a fixed IP)
mkdir /etc/openvpn/server/ccd
cd /etc/openvpn/server/ccd
vim client    # the file name must match the client certificate's Common Name
# sample content of the file "client" (pushes a fixed IP):
ifconfig-push 192.168.77.46 255.255.255.0
Create server.conf and fill it in following the sample below
cd /etc/openvpn/server/
vim server.conf
Start the server
nohup openvpn /etc/openvpn/server/server.conf &
Sample server configuration file
local 192.168.0.110
port 10101
proto tcp
dev tap
float
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh2048.pem
server 192.168.77.0 255.255.255.0
client-config-dir /etc/openvpn/server/ccd/
client-to-client
keepalive 10 120
comp-lzo
persist-key
status openvpn-status.log
log /var/log/openvpn.log
verb 4
mute 20
Sample client configuration file
client
dev tap0
remote 123.456.789.154
port 10101
proto tcp
float
ca ./ca.crt
cert ./client1.crt
key ./client1.key
comp-lzo
verb 6
mute 20
[FAQ]
Q: The client cannot connect to the server and reports: WARNING: No server certificate verification method has been enabled.
A: Check whether any of the private-key or certificate files is 0 bytes.
Q: The client cannot connect to the server and reports: TCP: connect to [AF_INET]223.18.95.157:7872 @R_502_159@: Unknown error
A: Check the firewall on the client side (the client's perimeter firewall).
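As an added example (not part of the original post), a small POSIX shell check to run against a client config such as the sample above before starting the client. It flags the 0-byte ca/cert/key files the first FAQ answer refers to, and the absence of a server-certificate check (one of the OpenVPN directives remote-cert-tls, ns-cert-type, verify-x509-name or tls-verify), which is what produces the warning quoted in that FAQ entry. The function name check_client_conf and the constructed demo files are assumptions made for the example.

```shell
# check_client_conf: report problems in an OpenVPN client config before
# starting it. Prints one line per finding; exit status = number of findings.
check_client_conf() {
    conf=$1
    dir=$(dirname "$conf")
    findings=0
    for directive in ca cert key; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "missing directive: $directive"; findings=$((findings + 1)); continue
        fi
        # relative paths (./ca.crt in the post) are resolved against the config's directory
        case $file in /*) path=$file ;; *) path=$dir/$file ;; esac
        if [ ! -f "$path" ]; then
            echo "$directive: $path does not exist"; findings=$((findings + 1))
        elif [ ! -s "$path" ]; then
            echo "$directive: $path is 0 bytes (see FAQ: regenerate it)"; findings=$((findings + 1))
        fi
    done
    # Without one of these the client only checks that the server cert is signed
    # by the CA (any client cert would pass) and prints the warning from the FAQ.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type|verify-x509-name|tls-verify)[[:space:]]' "$conf"; then
        echo "no server certificate check; add: remote-cert-tls server"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# demo_check: runs the check on constructed files (not the post's real PKI):
# ca and cert are fine, the key is 0 bytes, and remote-cert-tls is missing.
demo_check() {
    tmp=$(mktemp -d)
    printf 'constructed CA\n' > "$tmp/ca.crt"
    printf 'constructed cert\n' > "$tmp/client1.crt"
    : > "$tmp/client1.key"
    cat > "$tmp/client.conf" <<'EOF'
client
dev tap0
remote 123.456.789.154
ca ./ca.crt
cert ./client1.crt
key ./client1.key
EOF
    n=0
    check_client_conf "$tmp/client.conf" || n=$?
    rm -rf "$tmp"
    return "$n"    # 2 findings for this constructed input
}
```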
*** walker ***