sudo apt install openVPN easy-rsa拷贝 easy-rsa 目录cp -r /usr/share/easy-rsa/ /etc/openVPN/查看 openssl 版本openssl version生成 ca 证书(ca.crt)和私钥(ca.key)cd /etc/openVPN/easy-rsa/
cp openssl-1.0.0.cnf openssl.cnf
. ./vars # source ./vars
./clean-all # 只是增加客户端证书和私钥的时候不要执行这一句
./build-ca # 注意 Common Name生成服务端的证书和私钥(server.crt/server.key)./build-key-server server生成客户端的证书和私钥./build-key client1
./build-key client2
./build-key client3生成 dh 文件./build-dh让服务端文件就位cp /etc/openVPN/easy-rsa/keys/ca.crt /etc/openVPN/server/
cp /etc/openVPN/easy-rsa/keys/server.crt /etc/openVPN/server/
cp /etc/openVPN/easy-rsa/keys/server.key /etc/openVPN/server/
cp /etc/openVPN/easy-rsa/keys/dh2048.pem /etc/openVPN/server/创建 ccd 目录,里面存放推送信息(如固定 ip)到客户端的文件mkdir /etc/openVPN/server/ccd
cd /etc/openVPN/server/ccd
vim client # 文件名对应 Common Name
# client 内容示例(推送固定 ip)
ifconfig-push 192.168.77.46 255.255.255.0创建 server.conf,并按照样例写入配置cd /etc/openVPN/server/
/etc/openVPN/server# vim server.conf启动服务端nohup openVPN /etc/openVPN/server/server.conf &查看状态~# sudo systemctl status open***
● open***.service - Open××× service
Loaded: loaded (/lib/systemd/system/open***.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2019-02-22 09:16:36 CST; 2 months 21 days ago
Process: 1024 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 1024 (code=exited, status=0/SUCCESS)
Feb 22 09:16:36 vip811 systemd[1]: Starting Open××× service...
Feb 22 09:16:36 vip811 systemd[1]: Started Open××× service.
~# ps aux | grep open***
root 1037 2.8 0.4 47040 17300 ? S Feb22 3346:47 open*** /etc/open***/server/server.conf
root 13329 0.0 0.0 13136 1000 pts/1 S+ 18:43 0:00 grep --color=auto open***服务端配置文件示例local 192.168.0.110
port 10101
proto tcp
dev tap
float
ca /etc/openVPN/server/ca.crt
cert /etc/openVPN/server/server.crt
key /etc/openVPN/server/server.key
dh /etc/openVPN/server/dh2048.pem
server 192.168.77.0 255.255.255.0
client-config-dir /etc/open***/server/ccd/
client-to-client
keepalive 10 120
comp-lzo
persist-key
status openVPN-status.log
log /var/log/openVPN.log
verb 4
mute 20客户端配置文件示例client
dev tap0
remote 123.456.789.154
port 10101
proto tcp
float
ca ./ca.crt
cert ./client1.crt
key ./client1.key
comp-lzo
verb 6
mute 20
【 OpenVPN迁移】
【FAQ】
Q:客户端连不上服务端,报错:WARNING: No server certificate verification method has been enabled.
A:检查私钥和公钥当中是否有 0B 的文件。
Q:客户端连不上服务端,报错:TCP: connect to [AF_INET]223.18.95.157:7872 failed: Unknown error
A:检查客户端外围防火墙。
【相关阅读】
*** walker ***