{"id":235,"date":"2021-05-31T23:09:49","date_gmt":"2021-05-31T15:09:49","guid":{"rendered":"https:\/\/www.buyao007.icu\/?p=235"},"modified":"2021-06-20T15:05:57","modified_gmt":"2021-06-20T07:05:57","slug":"openvpn%e9%83%a8%e7%bd%b2","status":"publish","type":"post","link":"https:\/\/www.buyao007.icu\/?p=235","title":{"rendered":"openvpn\u90e8\u7f72"},"content":{"rendered":"\n

\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6\u7fa4\u67b6\u6784\u4e0e\u81ea\u52a8\u5316\u8fd0\u7ef4\uff0c\u66fe\u8d1f\u8d23\u56fd\u5185\u67d0\u5927\u578b\u535a\u5ba2\u7f51\u7ad9\u8fd0\u7ef4\u5de5\u4f5c\u3002<\/p>\n\n\n\n

1.vpn\u6982\u8ff0<\/h2>\n\n\n\n
\u4e24\u70b9\u5982\u4f55\u4f20\u8f93\u6570\u636e\u6700\u5b89\u5168\n\u65b9\u68481: \u4e13\u7ebf\n\u65b9\u68482: \u786c\u4ef6\u8bbe\u59073\u5c42\u8def\u7531\u5668 , \u786c\u4ef6vpn\u8bbe\u5907 vpn virtual private network \u865a\u62df\u4e13\u6709\u7f51\u7edc\n\u65b9\u68483: \u5f00\u6e90\u8f6f\u4ef6\npptp \u4f7f\u7528\u6700\u7b80\u5355,\u4e0d\u662f\u5f88\u7a33\u5b9a,\u4f9d\u8d56\u4e8e\u786c\u4ef6\u8bbe\u5907\u7684\u652f\u6301\n\tOpenVPN \u5b9e\u73b0\u7528\u6237\/\u8fd0\u7ef4\/\u5f00\u53d1,\u8bbf\u95ee\u7f51\u7ad9\u5185\u7f51\n\tIpSEC\n        OpenSwan\n<\/code><\/pre>\n\n\n\n
2.OpenVPN\u5e94\u7528\u573a\u666f<\/h2>\n\n\n\n
\u4e3b\u673a\u8fdc\u7a0b\u8bbf\u95ee\u670d\u52a1\u5668\u8bbe\u5907 VPN \u8bbf\u95ee\u5355\u53f0\u8bbe\u5907\n\u4e3b\u673a\u8fdc\u7a0b\u8bbf\u95ee\u670d\u52a1\u5668\u8bbe\u5907 VPN \u8bbf\u95ee\u5355\u53f0\u8bbe\u5907\n\u4f01\u4e1a\u516c\u53f8\u4e4b\u95f4\u5efa\u7acb\u901a\u8baf VPN IDC-IDC\n<\/code><\/pre>\n\n\n\n
3. OpenVPN\u670d\u52a1\u7aef\u914d\u7f6e<\/h2>\n\n\n\n
#\u5148\u6dfb\u52a0\u5185\u6838\u53c2\u6570\uff08\u5426\u5219\u65e0\u6cd5\u8fde\u63a5\u5185\u90e8\u7f51\u7edc\uff09<\/strong><\/p>\n\n\n\n
[root@vpn ~]# echo 'net.ipv4.ip_forward = 1' >> \/etc\/sysctl.conf\n[root@vpn ~]#  sysctl -p\nnet.ipv4.icmp_echo_ignore_all = 1\nnet.ipv4.ip_forward = 1\n<\/code><\/pre>\n\n\n\n
#\u4f7f\u7528easy-rsa\u751f\u6210\u79d8\u94a5\u8bc1\u4e66<\/strong><\/p>\n\n\n\n
[root@vpn ~]# yum install easy-rsa<\/code><\/pre>\n\n\n\n
#\u751f\u6210\u79d8\u94a5\u8bc1\u4e66\u524d\u9700\u8981\u51c6\u5907vars\u6587\u4ef6<\/strong><\/p>\n\n\n\n
[root@vpn ~]# mkdir \/opt\/easy-rsa\n[root@vpn ~]# cd \/opt\/easy-rsa\/\n[root@vpn \/opt\/easy-rsa]# cp -a \/usr\/share\/easy-rsa\/3.0.8\/* .\/\n[root@vpn \/opt\/easy-rsa]# cp -a \/usr\/share\/doc\/easy-rsa-3.0.8\/vars.example .\/vars\n[root@vpn \/opt\/easy-rsa]# vim vars \nif [ -z \"$EASYRSA_CALLER\" ]; then\n\techo \"You appear to be sourcing an Easy-RSA 'vars' file.\" >&2\n\techo \"This is no longer necessary and is disallowed. See the section called\" >&2\n\techo \"'How to use this file' near the top comments for more details.\" >&2\n\treturn 1\nfi\nset_var EASYRSA_DN \"cn_only\"\nset_var EASYRSA_REQ_COUNTRY \"CN\"               ##\u6240\u5728\u56fd\u5bb6\nset_var EASYRSA_REQ_PROVINCE \"beijing\"         ##\u6240\u5728\u7701\u4efd\nset_var EASYRSA_REQ_CITY \"shanghai\"            ##\u6240\u5728\u57ce\u5e02\nset_var EASYRSA_REQ_ORG \"sfy\"                  ##\u6240\u5728\u7684\u7ec4\u7ec7\nset_var EASYRSA_REQ_EMAIL \"2195802440@qq.com\"  ##\u90ae\u7bb1\u5730\u5740\nset_var EASYRSA_NS_SUPPORT \"yes\"\n<\/code><\/pre>\n\n\n\n
#\u521d\u59cb\u5316\u751f\u6210\u8bc1\u4e66<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# .\/easyrsa init-pki\nNote: using Easy-RSA configuration from: \/opt\/easy-rsa\/vars\ninit-pki complete; you may now create a CA or requests.\nYour newly created PKI dir is: \/opt\/easy-rsa\/pki\n<\/code><\/pre>\n\n\n\n
#\u521b\u5efa\u6839\u8bc1\u4e66\uff0c\u4f1a\u63d0\u793a\u8bbe\u7f6e\u5bc6\u7801\uff0c\u7528\u4e8eca\u5bf9\u4e4b\u540e\u751f\u6210\u7684server\u548cclient\u8bc1\u4e66\u7b7e\u540d\u65f6\u4f7f\u7528\uff0c\u5176\u4ed6\u9ed8\u8ba4\u5373\u53ef<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# .\/easyrsa build-ca\nNote: using Easy-RSA configuration from: \/opt\/easy-rsa\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nEnter New CA Key Passphrase:                      ###\u8f93\u5165\u5bc6\u7801\nRe-Enter New CA Key Passphrase:                   ###\u8f93\u5165\u5bc6\u7801\nGenerating RSA private key, 2048 bit long modulus\n......+++\n....................................................................................................+++\ne is 65537 (0x10001)\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:           ##\u76f4\u63a5\u56de\u8f66\nCA creation complete and you may now import and sign cert requests.\nYour new CA certificate file for publishing is at:\n\/opt\/easy-rsa\/pki\/ca.crt\n<\/code><\/pre>\n\n\n\n
#\u521b\u5efaserver\u7aef\u8bc1\u4e66\u548c\u79c1\u94a5\u6587\u4ef6\uff0cnopass\u8868\u793a\u4e0d\u52a0\u5bc6\u79c1\u94a5\u6587\u4ef6\uff0c\u5176\u4ed6\u53ef\u4ee5\u9ed8\u8ba4<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# .\/easyrsa gen-req server nopass\n\nNote: using Easy-RSA configuration from: \/opt\/easy-rsa\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nGenerating a 2048 bit RSA private key\n....................+++\n..+++\nwriting new private key to '\/opt\/easy-rsa\/pki\/easy-rsa-2041.2qaRXL\/tmp.TOl2dW'\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [server]:                 #####\u76f4\u63a5\u56de\u8f66\n\nKeypair and certificate request completed. Your files are:\nreq: \/opt\/easy-rsa\/pki\/reqs\/server.req\nkey: \/opt\/easy-rsa\/pki\/private\/server.key\n<\/code><\/pre>\n\n\n\n
#\u7ed9server\u7aef\u8bc1\u4e66\u7b7e\u540d\uff0c\u9996\u5148\u662f\u5bf9\u4e00\u4e9b\u4fe1\u606f\u7684\u786e\u8ba4\uff0c\u53ef\u4ee5\u8f93\u5165yes\uff0c\u7136\u540e\u8f93\u5165\u521b\u5efaca\u6839\u8bc1\u4e66\u65f6\u8bbe\u7f6e\u7684\u5bc6\u7801<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# .\/easyrsa sign server server\nNote: using Easy-RSA configuration from: \/opt\/easy-rsa\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nYou are about to sign the following certificate.\nPlease check over the details shown below for accuracy. Note that this request\nhas not been cryptographically verified. Please be sure it came from a trusted\nsource or that you have verified the request checksum with the sender.\nRequest subject, to be signed as a server certificate for 825 days:\nsubject=\n    commonName                = server\nType the word 'yes' to continue, or any other input to abort.\n  Confirm request details: yes                                     ###\u8f93\u5165yes\nUsing configuration from \/opt\/easy-rsa\/pki\/easy-rsa-2089.eVFgoM\/tmp.Hjdzxn\nEnter pass phrase for \/opt\/easy-rsa\/pki\/private\/ca.key:            ###\u8f93\u5165\u5bc6\u7801\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncommonName            :ASN.1 12:'server'\nCertificate is to be certified until Sep  3 01:52:09 2023 GMT (825 days)\nWrite out database with 1 new entries\nData Base Updated\nCertificate created at: \/opt\/easy-rsa\/pki\/issued\/server.crt\n<\/code><\/pre>\n\n\n\n
#\u521b\u5efaDiffie-Hellman\u6587\u4ef6\uff0c\u79d8\u94a5\u4ea4\u6362\u65f6\u7684Diffie-Hellman\u7b97\u6cd5\uff08\u8010\u5fc3\u7b49\u5f85\u5373\u53ef\uff09<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# .\/easyrsa gen-dh<\/code><\/pre>\n\n\n\n
#\u521b\u5efaclient\u7aef\u8bc1\u4e66\u548c\u79c1\u94a5\u6587\u4ef6\uff0cnopass\u8868\u793a\u662f\u4e0d\u52a0\u5bc6\u79c1\u94a5\u6587\u4ef6\uff0c\u5176\u4ed6\u9ed8\u8ba4\u5373\u53ef<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# .\/easyrsa gen-req client nopass\nNote: using Easy-RSA configuration from: \/opt\/easy-rsa\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nGenerating a 2048 bit RSA private key\n............................................................................................................................................................+++\n.......+++\nwriting new private key to '\/opt\/easy-rsa\/pki\/easy-rsa-2240.QwREH4\/tmp.p1Jyl7'\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [client]:       ###\u56de\u8f66\u5373\u53ef\nKeypair and certificate request completed. Your files are:\nreq: \/opt\/easy-rsa\/pki\/reqs\/client.req\nkey: \/opt\/easy-rsa\/pki\/private\/client.key\n<\/code><\/pre>\n\n\n\n
#\u7ed9client\u7aef\u8bc1\u4e66\u7b7e\u540d\uff0c\u9996\u5148\u662f\u5bf9\u4e00\u4e9b\u4fe1\u606f\u7684\u786e\u8ba4\uff0c\u53ef\u4ee5\u8f93\u5165yes\uff0c\u7136\u540e\u8f93\u5165\u521b\u5efaca\u6839\u8bc1\u4e66\u65f6\u8bbe\u7f6e\u7684\u5bc6\u7801<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# .\/easyrsa sign client client\nNote: using Easy-RSA configuration from: \/opt\/easy-rsa\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nYou are about to sign the following certificate.\nPlease check over the details shown below for accuracy. Note that this request\nhas not been cryptographically verified. Please be sure it came from a trusted\nsource or that you have verified the request checksum with the sender.\nRequest subject, to be signed as a client certificate for 825 days:\nsubject=\n    commonName                = client\nType the word 'yes' to continue, or any other input to abort.\n  Confirm request details: yes                                  ###\u8f93\u5165yes\u5373\u53ef\nUsing configuration from \/opt\/easy-rsa\/pki\/easy-rsa-2289.52oYT9\/tmp.WF8wkn\nEnter pass phrase for \/opt\/easy-rsa\/pki\/private\/ca.key:          ###\u8f93\u5165\u5bc6\u7801\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncommonName            :ASN.1 12:'client'\nCertificate is to be certified until Sep  3 02:10:49 2023 GMT (825 days)\nWrite out database with 1 new entries\nData Base Updated\nCertificate created at: \/opt\/easy-rsa\/pki\/issued\/client.crt\n<\/code><\/pre>\n\n\n\n
#\u5b89\u88c5openvpn<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# yum -y install openvpn<\/code><\/pre>\n\n\n\n
#\u590d\u5236\u914d\u7f6e\u6587\u4ef6\u81f3etc\u5e76\u4fee\u6539<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# cp \/usr\/share\/doc\/openvpn-2.4.11\/sample\/sample-config-files\/server.conf \/etc\/openvpn\/\n[root@vpn \/opt\/easy-rsa]# cat \/etc\/openvpn\/server.conf \nport 1194                  #\u7aef\u53e3\nproto udp                  #\u534f\u8bae\ndev tun                    #\u91c7\u7528\u8def\u7531\u96a7\u9053\u6a21\u5f0ftun\nca ca.crt                  #ca\u8bc1\u4e66\u6587\u4ef6\u4f4d\u7f6e\ncert server.crt   #\u670d\u52a1\u7aef\u516c\u94a5\u540d\u79f0\nkey server.key    #\u670d\u52a1\u7aef\u79c1\u94a5\u540d\u79f0\ndh dh.pem         #\u4ea4\u6362\u8bc1\u4e66\nserver 10.8.0.0 255.255.255.0               #\u7ed9\u5ba2\u6237\u7aef\u5206\u914d\u5730\u5740\u6c60\uff0c\u6ce8\u610f\uff1a\u4e0d\u80fd\u548cvpn\u670d\u52a1\u5668\u5185\u7f51\u7f51\u6bb5\u6709\u76f8\u540c\npush \"route 172.16.1.0 255.255.255.0\"        #\u5141\u8bb8\u5ba2\u6237\u7aef\u8bbf\u95ee172.16.1.0\u7f51\u6bb5\nifconfig-pool-persist ipp.txt                #\u5730\u5740\u6c60\u8bb0\u5f55\u6587\u4ef6\u4f4d\u7f6e\nkeepalive 10 120            #\u5b58\u6d3b\u65f6\u95f4\uff0c10\u79d2ping\u4e00\u6b21\uff0c120\u79d2\u5982\u672a\u6536\u5230\u54cd\u5e94\u5219\u89c6\u4e3a\u65ad\u7ebf\nmax-clients 100             #\u6700\u591a\u5141\u8bb8100\u4e2a\u5ba2\u6237\u7aef\u8fde\u63a5\nstatus openvpn-status.log #\u65e5\u5fd7\u8bb0\u5f55\u4f4d\u7f6e\nverb 3                    #openvpn\u7248\u672c\nclient-to-client          #\u5ba2\u6237\u7aef\u4e0e\u5ba2\u6237\u7aef\u4e4b\u95f4\u652f\u6301\u901a\u4fe1\nlog \/var\/log\/openvpn.log  #openvpn\u65e5\u5fd7\u8bb0\u5f55\u4f4d\u7f6e\npersist-key         # #\u901a\u8fc7keepalive\u68c0\u6d4b\u8d85\u65f6\u540e\uff0c\u91cd\u65b0\u542f\u52a8VPN\uff0c\u4e0d\u91cd \u65b0\u8bfb\u53d6keys\uff0c\u4fdd\u7559\u7b2c\u4e00\u6b21\u4f7f\u7528\u7684keys\npersist-tun     #\u68c0\u6d4b\u8d85\u65f6\u540e\uff0c\u91cd\u65b0\u542f\u52a8VPN\uff0c\u4e00\u76f4\u4fdd\u6301tun\u662f linkup\u7684\u3002\u5426\u5219\u7f51\u7edc\u4f1a\u5148linkdown\u7136\u540e\u518dlinkup\nduplicate-cn\n<\/code><\/pre>\n\n\n\n
#\u62f7\u8d1d\u8bc1\u4e66\u81f3\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u7684\u76ee\u5f55<\/strong><\/p>\n\n\n\n
[root@vpn \/opt\/easy-rsa]# cd \/etc\/openvpn\/\n[root@vpn \/etc\/openvpn]# cp \/opt\/easy-rsa\/pki\/ca.crt .\/\n[root@vpn \/etc\/openvpn]# cp \/opt\/easy-rsa\/pki\/issued\/server.crt .\/\n[root@vpn \/etc\/openvpn]# cp \/opt\/easy-rsa\/pki\/private\/server.key .\/\n[root@vpn \/etc\/openvpn]# cp \/opt\/easy-rsa\/pki\/dh.pem .\/\n<\/code><\/pre>\n\n\n\n
\u542f\u52a8openvpn\u670d\u52a1\u5e76\u52a0\u5165\u5f00\u673a\u81ea\u542f\u52a8<\/strong><\/p>\n\n\n\n
[root@mb01 \/etc\/openvpn]# systemctl start openvpn@server\n[root@mb01 \/etc\/openvpn]# systemctl enable openvpn@server\nCreated symlink from \/etc\/systemd\/system\/multi-user.target.wants\/openvpn@server.service to \/usr\/lib\/systemd\/system\/openvpn@.service.\n<\/code><\/pre>\n\n\n\n
#\u68c0\u67e5\u8fdb\u7a0b\u4e0e\u7aef\u53e3<\/strong><\/p>\n\n\n\n
[root@mb01 \/etc\/openvpn]# ip a s tun0\n4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100\n    link\/none \n    inet 10.8.0.1 peer 10.8.0.2\/32 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::10bb:e986:5a1c:138c\/64 scope link flags 800 \n       valid_lft forever preferred_lft forever\n[root@mb01 \/etc\/openvpn]#  ss -lntup |grep 1194\nudp    UNCONN     0      0         *:1194                  *:*                   users:((\"openvpn\",pid=2172,fd=6))\n[root@mb01 \/etc\/openvpn]# ps -ef |grep openvpn\nroot       2172      1  0 21:55 ?        00:00:00 \/usr\/sbin\/openvpn --cd \/etc\/openvpn\/ --config server.conf\nroot       2219   1680  0 21:56 pts\/0    00:00:00 grep --color=auto openvpn\n<\/code><\/pre>\n\n\n\n
#\u670d\u52a1\u7aef\u65e5\u5fd7:<\/strong><\/p>\n\n\n\n
[root@mb01 \/etc\/openvpn]# tail -f \/var\/log\/openvpn.log \nROUTE_GATEWAY 10.0.0.2\/255.255.255.0 IFACE=eth0 HWADDR=00:50:56:2c:77:be#openvpn\u53d1\u4e0b\u5f53\u524d\u7cfb\u7edf\u7f51\u5173\n\/sbin\/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2#\u6dfb\u52a0openvpn\u865a\u62df\u7f51\u5361 tun0\n \/sbin\/ip route add 10.8.0.0\/24 via 10.8.0.2#\u5728\u7cfb\u7edf\u4e2d\u6dfb\u52a0\u8def\u7531\u4fe1\u606f\n<\/code><\/pre>\n\n\n\n
4.OpenVPN\u5ba2\u6237\u7aef\u914d\u7f6e<\/h2>\n\n\n\n
#\u5c06\u670d\u52a1\u7aef\u521b\u5efa\u7684\u5ba2\u6237\u7aef\u79d8\u94a5\u4e0b\u8f7d\u81f3\u672c\u5730<\/strong><\/p>\n\n\n\n
[root@mb01 \/opt\/easy-rsa\/pki]# sz issued\/client.crt\n[root@mb01 \/opt\/easy-rsa\/pki]# sz private\/client.key\n[root@mb01 \/etc\/openvpn]# sz \/etc\/openvpn\/ca.crt\n<\/code><\/pre>\n\n\n\n
\u7f16\u8f91client.ovpn\u5e76\u653e\u5165\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6\u5185<\/strong><\/p>\n\n\n\n
client                               #\u6307\u5b9a\u5f53\u524dVPN\u662f\u5ba2\u6237\u7aef\ndev tun                              #\u4f7f\u7528tun\u96a7\u9053\u4f20\u8f93\u534f\u8bae\nproto udp                            #\u4f7f\u7528udp\u534f\u8bae\u4f20\u8f93\u6570\u636e\nremote 10.0.0.61 1194                #openvpn\u670d\u52a1\u5668IP\u5730\u5740\u7aef\u53e3\u53f7\nresolv-retry infinite                #\u65ad\u7ebf\u81ea\u52a8\u91cd\u65b0\u8fde\u63a5\uff0c\u5728\u7f51\u7edc\u4e0d\u7a33\u5b9a\u7684\u60c5\u51b5 \u4e0b\u975e\u5e38\u6709\u7528\nnobind                               #\u4e0d\u7ed1\u5b9a\u672c\u5730\u7279\u5b9a\u7684\u7aef\u53e3\u53f7\nca ca.crt                            #\u6307\u5b9aCA\u8bc1\u4e66\u7684\u6587\u4ef6\u8def\u5f84\ncert client.crt                      #\u6307\u5b9a\u5f53\u524d\u5ba2\u6237\u7aef\u7684\u8bc1\u4e66\u6587\u4ef6\u8def\u5f84\nkey client.key                       #\u6307\u5b9a\u5f53\u524d\u5ba2\u6237\u7aef\u7684\u79c1\u94a5\u6587\u4ef6\u8def\u5f84\nverb 3                  #\u6307\u5b9a\u65e5\u5fd7\u6587\u4ef6\u7684\u8bb0\u5f55\u8be6\u7ec6\u7ea7\u522b\uff0c\u53ef\u90090- 9\uff0c\u7b49\u7ea7\u8d8a\u9ad8\u65e5\u5fd7\u5185\u5bb9\u8d8a\u8be6\u7ec6\npersist-key             #\u901a\u8fc7keepalive\u68c0\u6d4b\u8d85\u65f6\u540e\uff0c\u91cd\u65b0\u542f\u52a8 VPN\uff0c\u4e0d\u91cd\u65b0\u8bfb\u53d6keys\uff0c\u4fdd\u7559\u7b2c\u4e00\u6b21\u4f7f\u7528\u7684keys\n<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.OpenVPN\u52a0\u5bc6\/\u8ba4\u8bc1<\/h2>\n\n\n\n
#openvpn server\u7aef<\/h2>\n\n\n\n
1.\u5148\u914d\u7f6e\u670d\u52a1\u7aef\u652f\u6301\u5bc6\u7801\u8ba4\u8bc1:<\/strong><\/p>\n\n\n\n
[root@vpn ~]# echo script-security 3 >> \/etc\/openvpn\/server.conf \n####\u5141\u8bb8\u4f7f\u7528\u81ea\u5b9a\u4e49\u811a\u672c\n[root@vpn ~]#echo auth-user-pass-verify \/etc\/openvpn\/check.sh via-env >> \/etc\/openvpn\/server.conf \n###\u811a\u672c\u8def\u5f84\n[root@vpn ~]# echo username-as-common-name >> \/etc\/openvpn\/server.conf\n#\u7528\u6237\u5bc6\u7801\u767b\u9646\u65b9\u5f0f\u9a8c\u8bc1\n<\/code><\/pre>\n\n\n\n
2. \u7f16\u5199\u914d\u7f6e\u6587\u4ef6\u6307\u5b9a\u7684\/etc\/openvpn\/check.sh \u811a\u672c\u6587\u4ef6\uff08\u590d\u5236\u7c98\u8d34\u5373\u53ef\uff09<\/strong><\/p>\n\n\n\n
[root@vpn ~]# vim \/etc\/openvpn\/check.sh\n#!\/bin\/sh\n#desc: openvpn  uesr check   scripts \n#author: by  oldboylinux\n###########################################################\nPASSFILE=\"\/etc\/openvpn\/openvpnfile\"             #\u5bc6\u7801\u6587\u4ef6 \u7528\u6237\u540d \u5bc6\u7801\u660e\u6587 \nLOG_FILE=\"\/var\/log\/openvpn-password.log\"        #\u7528\u6237\u767b\u5f55\u60c5\u51b5\u7684\u65e5\u5fd7 \nTIME_STAMP=`date \"+%Y-%m-%d %T\"`\n\n\tif [ ! -r \"${PASSFILE}\" ]; then\n\t  echo \"${TIME_STAMP}: Could not open password file \\\"${PASSFILE}\\\" for reading.\" >> ${LOG_FILE}\n\t  exit 1\n\tfi\n\tCORRECT_PASSWORD=`awk '!\/^;\/&&!\/^#\/&&$1==\"'${username}'\"{print $2;exit}' ${PASSFILE}`\n\tif [ \"${CORRECT_PASSWORD}\" = \"\" ]; then\n\t  echo \"${TIME_STAMP}: User does not exist: username=\\\"${username}\\\", password=\\\"${password}\\\".\" >> ${LOG_FILE}\n\t  \t  exit 1\n\tfi\n\tif [ \"${password}\" = \"${CORRECT_PASSWORD}\" ]; then\n\t  echo \"${TIME_STAMP}: Successful authentication: username=\\\"${username}\\\".\" >> ${LOG_FILE}\n\t  exit 0\n\tfi\n\techo \"${TIME_STAMP}: Incorrect password: username=\\\"${username}\\\", password=\\\"${password}\\\".\" >> ${LOG_FILE}\nexit 1\n<\/code><\/pre>\n\n\n\n
3.\u5c06\u811a\u672c\u8bbe\u7f6e\u4e3a\u53ef\u6267\u884c<\/strong><\/p>\n\n\n\n
[root@vpn ~]# chmod +x \/etc\/openvpn\/check.sh<\/code><\/pre>\n\n\n\n
4.\u521b\u5efa\u7528\u6237<\/strong><\/p>\n\n\n\n
[root@vpn ~]# cat > \/etc\/openvpn\/openvpnfile<<EOF\n> oldboy 1   #\u8fd9\u6837\u5199\u662f\u53ef\u4ee5\u4f7f\u7528\u7684\u5bc6\u7801\u767b\u5f55\u7684\n> lidao:1     #\u8fd9\u6837\u5199\u662f\u4e0d\u80fd\u4f7f\u7528\u5bc6\u7801\u767b\u5f55\u7684\n> EOF\n<\/code><\/pre>\n\n\n\n
5. \u91cd\u542f\u670d\u52a1\u7aef<\/strong><\/p>\n\n\n\n
[root@vpn ~]# systemctl restart openvpn@server.service<\/code><\/pre>\n\n\n\n
#openvpn \u5ba2\u6237\u7aef<\/h2>\n\n\n\n
\u53ea\u9700\u5c06auth-user-pass\u52a0\u5165\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6\u5373\u53ef<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6 […]<\/p>\n","protected":false},"author":1,"featured_media":246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/235"}],"collection":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=235"}],"version-history":[{"count":1,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/235\/revisions"}],"predecessor-version":[{"id":247,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/235\/revisions\/247"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/media\/246"}],"wp:attachment":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}