How To Set Up and Configure an OpenVPN Server on Ubuntu 20.04

Introduction

A Virtual Private Network (VPN) allows you to traverse untrusted networks as if you were on a private network. It gives you the freedom to access the internet safely and securely from your smartphone or laptop when connected to an untrusted network, like the WiFi at a hotel or coffee shop.

When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and any unencrypted HTTP traffic from untrusted networks.

OpenVPN is a full featured, open-source Transport Layer Security (TLS) VPN solution that accommodates a wide range of configurations. In this tutorial, you will set up OpenVPN on an Ubuntu 20.04 server, and then configure it to be accessible from a client machine.

Note: If you plan to set up an OpenVPN Server on a DigitalOcean Droplet, be aware that we, like many hosting providers, charge for bandwidth overages. For this reason, please be mindful of how much traffic your server is handling.

See this page for more info.

Prerequisites

To follow this tutorial, you will need:

  • One Ubuntu 20.04 server with a sudo non-root user and a firewall enabled. To set this up, you can follow our Initial Server Setup with Ubuntu 20.04 tutorial. We will refer to this as the OpenVPN Server throughout this guide.

  • A separate Ubuntu 20.04 server set up as a private Certificate Authority (CA), which we will refer to as the CA Server throughout this guide. After executing the steps from the Initial Server Setup Guide on this server, you can follow steps 1 to 3 of our guide on How To Set Up and Configure a Certificate Authority (CA) on Ubuntu 20.04 to accomplish that.

Note: While it is technically possible to use your OpenVPN Server or your local machine as your CA, this is not recommended as it opens up your VPN to some security vulnerabilities. Per the official OpenVPN documentation, you should place your CA on a standalone machine that’s dedicated to importing and signing certificate requests. For this reason, this guide assumes that your CA is on a separate Ubuntu 20.04 server that also has a non-root user with sudo privileges and a basic firewall enabled.

In addition to that, you’ll need a client machine which you will use to connect to your OpenVPN Server. In this guide, we’ll call this the OpenVPN Client. For the purposes of this tutorial, it’s recommended that you use your local machine as the OpenVPN client.

With these prerequisites in place, you are ready to begin setting up and configuring an OpenVPN Server on Ubuntu 20.04.

Note: Please note that if you disable password authentication while configuring these servers, you may run into difficulties when transferring files between them later on in this guide. To resolve this issue, you could re-enable password authentication on each server. Alternatively, you could generate an SSH keypair for each server, then add the OpenVPN Server’s public SSH key to the CA machine’s authorized_keys file and vice versa. See How to Set Up SSH Keys on Ubuntu 20.04 for instructions on how to perform either of these solutions.

Step 1 — Installing OpenVPN and Easy-RSA

The first step in this tutorial is to install OpenVPN and Easy-RSA. Easy-RSA is a public key infrastructure (PKI) management tool that you will use on the OpenVPN Server to generate a certificate request that you will then verify and sign on the CA Server.

To start off, update your OpenVPN Server’s package index and install OpenVPN and Easy-RSA. Both packages are available in Ubuntu’s default repositories, so you can use apt for the installation:

  • sudo apt update
  • sudo apt install openvpn easy-rsa

Next you will need to create a new directory on the OpenVPN Server as your non-root user called ~/easy-rsa:

  • mkdir ~/easy-rsa

    mkdir〜/ easy-rsa

Now you will need to create a symlink from the easyrsa script that the package installed into the ~/easy-rsa directory that you just created:

  • ln -s /usr/share/easy-rsa/* ~/easy-rsa/

    ln -s / usr / share / easy-rsa / *〜/ easy-rsa /

Note: While other guides might instruct you to copy the easy-rsa package files into your PKI directory, this tutorial adopts a symlink approach. As a result, any updates to the easy-rsa package will be automatically reflected in your PKI’s scripts.

Finally, ensure the directory’s owner is your non-root sudo user and restrict access to that user using chmod:

  • sudo chown sammy ~/easy-rsa
  • chmod 700 ~/easy-rsa

Once these programs are installed and have been moved to the right locations on your system, the next step is to create a Public Key Infrastructure (PKI) on the OpenVPN server so that you can request and manage TLS certificates for clients and other servers that will connect to your VPN.

Step 2 — Creating a PKI for OpenVPN

Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server. You will use this directory to manage the server and clients’ certificate requests instead of making them directly on your CA server.

To build a PKI directory on your OpenVPN server, you’ll need to populate a file called vars with some default values. First you will cd into the easy-rsa directory, then you will create and edit the vars file using nano or your preferred text editor.

  • cd ~/easy-rsa
  • nano vars

Once the file is opened, paste in the following two lines:

~/easy-rsa/vars
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"

These are the only two lines that you need in this vars file on your OpenVPN server since it will not be used as a Certificate Authority. They will ensure that your private keys and certificate requests are configured to use modern Elliptic Curve Cryptography (ECC) to generate keys and secure signatures for your clients and OpenVPN server.

Configuring your OpenVPN & CA servers to use ECC means when a client and server attempt to establish a shared symmetric key, they can use Elliptic Curve algorithms to do their exchange. Using ECC for a key exchange is significantly faster than using plain Diffie-Hellman with the classic RSA algorithm since the numbers are much smaller and the computations are faster.

Background: When clients connect to OpenVPN, they use asymmetric encryption (also known as public/private key) to perform a TLS handshake. However, when transmitting encrypted VPN traffic, the server and clients use symmetric encryption, which is also known as shared key encryption.

There is much less computational overhead with symmetric encryption compared to asymmetric: the numbers that are used are much smaller, and modern CPUs integrate instructions to perform optimized symmetric encryption operations. To make the switch from asymmetric to symmetric encryption, the OpenVPN server and client will use the Elliptic Curve Diffie-Hellman (ECDH) algorithm to agree on a shared secret key as quickly as possible.

Once you have populated the vars file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option. Although you already ran this command on the CA server as part of the prerequisites, it’s necessary to run it here because your OpenVPN server and CA server have separate PKI directories:

  • ./easyrsa init-pki

Note that on your OpenVPN server there is no need to create a Certificate Authority. Your CA server is solely responsible for validating and signing certificates. The PKI on your VPN server is only used as a convenient and centralized place to store certificate requests and public certificates.

After you’ve initialized your PKI on the OpenVPN server, you are ready to move on to the next step, which is creating an OpenVPN server certificate request and private key.

Step 3 — Creating an OpenVPN Server Certificate Request and Private Key

Now that your OpenVPN server has all the prerequisites installed, the next step is to generate a private key and Certificate Signing Request (CSR) on your OpenVPN server. After that you’ll transfer the request over to your CA to be signed, creating the required certificate. Once you have a signed certificate, you’ll transfer it back to the OpenVPN server and install it for the server to use.

To start, navigate to the ~/easy-rsa directory on your OpenVPN Server as your non-root user:

  • cd ~/easy-rsa

Now you’ll call the easyrsa with the gen-req option followed by a Common Name (CN) for the machine. The CN can be anything you like but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN Server’s CN will be server. Be sure to include the nopass option as well. Failing to do so will password-protect the request file which could lead to permissions issues later on.

Note: If you choose a name other than server here, you will have to adjust some of the instructions below. For instance, when copying the generated files to the /etc/openvpn directory, you will have to substitute the correct names. You will also have to modify the /etc/openvpn/server/server.conf file later to point to the correct .crt and .key files.

  • ./easyrsa gen-req server nopass

Output
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /home/sammy/easy-rsa/pki/reqs/server.req
key: /home/sammy/easy-rsa/pki/private/server.key

This will create a private key for the server and a certificate request file called server.req. Copy the server key to the /etc/openvpn/server directory:

  • sudo cp /home/sammy/easy-rsa/pki/private/server.key /etc/openvpn/server/

After completing these steps, you have successfully created a private key for your OpenVPN server. You have also generated a Certificate Signing Request for the OpenVPN server. The CSR is now ready for signing by your CA. In the next section of this tutorial you will learn how to sign a CSR with your CA server’s private key.

Step 4 — Signing the OpenVPN Server’s Certificate Request

In the previous step you created a Certificate Signing Request (CSR) and private key for the OpenVPN server. Now the CA server needs to know about the server certificate and validate it. Once the CA validates and relays the certificate back to the OpenVPN server, clients that trust your CA will be able to trust the OpenVPN server as well.

On the OpenVPN server, as your non-root user, use SCP or another transfer method to copy the server.req certificate request to the CA server for signing:

  • scp /home/sammy/easy-rsa/pki/reqs/server.req sammy@your_ca_server_ip:/tmp

If you followed the prerequisite How To Set Up and Configure a Certificate Authority (CA) on Ubuntu 20.04 tutorial, the next step is to log in to the CA server as the non-root user that you created to manage your CA. You’ll cd to the ~/easy-rsa directory where you created your PKI and then import the certificate request using the easyrsa script:

  • cd ~/easy-rsa
  • ./easyrsa import-req /tmp/server.req server

Output
. . .
The request has been successfully imported with a short name of: server
You may now use this name to perform signing operations on this request.

Next, sign the request by running the easyrsa script with the sign-req option, followed by the request type and the Common Name. The request type can either be client or server. Since we’re working with the OpenVPN server’s certificate request, be sure to use the server request type:

  • ./easyrsa sign-req server server

In the output, you’ll be prompted to verify that the request comes from a trusted source. Type yes then press ENTER to confirm:

Output
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
. . .
Certificate created at: /home/sammy/easy-rsa/pki/issued/server.crt

Note that if you encrypted your CA private key, you’ll be prompted for your password at this point.

With those steps complete, you have signed the OpenVPN server’s certificate request using the CA server’s private key. The resulting server.crt file contains the OpenVPN server’s public encryption key, as well as a signature from the CA server. The point of the signature is to tell anyone who trusts the CA server that they can also trust the OpenVPN server when they connect to it.

To finish configuring the certificates, copy the server.crt and ca.crt files from the CA server to the OpenVPN server:

  • scp pki/issued/server.crt sammy@your_vpn_server_ip:/tmp
  • scp pki/ca.crt sammy@your_vpn_server_ip:/tmp

Now back on your OpenVPN server, copy the files from /tmp to /etc/openvpn/server:

  • sudo cp /tmp/{server.crt,ca.crt} /etc/openvpn/server

Now your OpenVPN server is nearly ready to accept connections. In the next step you’ll perform some additional steps to increase the security of the server.

Step 5 — Configuring OpenVPN Cryptographic Material

For an additional layer of security, we’ll add an extra shared secret key that the server and all clients will use with OpenVPN’s tls-crypt directive. This option is used to obfuscate the TLS certificate that is used when a server and client connect to each other initially. It is also used by the OpenVPN server to perform quick checks on incoming packets: if a packet is signed using the pre-shared key, then the server processes it; if it is not signed, then the server knows it is from an untrusted source and can discard it without having to perform additional decryption work.

This option will help ensure that your OpenVPN server is able to cope with unauthenticated traffic, port scans, and Denial of Service attacks, which can tie up server resources. It also makes it harder to identify OpenVPN network traffic.

To generate the tls-crypt pre-shared key, run the following on the OpenVPN server in the ~/easy-rsa directory:

  • cd ~/easy-rsa
  • openvpn --genkey --secret ta.key

The result will be a file called ta.key. Copy it to the /etc/openvpn/server/ directory:

  • sudo cp ta.key /etc/openvpn/server

With these files in place on the OpenVPN server you are ready to create client certificates and key files for your users, which you will use to connect to the VPN.

Step 6 — Generating a Client Certificate and Key Pair

Although you can generate a private key and certificate request on your client machine and then send it to the CA to be signed, this guide outlines a process for generating the certificate request on the OpenVPN server. The benefit of this approach is that we can create a script that will automatically generate client configuration files that contain all of the required keys and certificates. This lets you avoid having to transfer keys, certificates, and configuration files to clients and streamlines the process of joining the VPN.

We will generate a single client key and certificate pair for this guide. If you have more than one client, you can repeat this process for each one. Please note, though, that you will need to pass a unique name value to the script for every client. Throughout this tutorial, the first certificate/key pair is referred to as client1.

Get started by creating a directory structure within your home directory to store the client certificate and key files:

  • mkdir -p ~/client-configs/keys

Since you will store your clients’ certificate/key pairs and configuration files in this directory, you should lock down its permissions now as a security measure:

  • chmod -R 700 ~/client-configs

Next, navigate back to the EasyRSA directory and run the easyrsa script with the gen-req and nopass options, along with the common name for the client:

  • cd ~/easy-rsa
  • ./easyrsa gen-req client1 nopass

Press ENTER to confirm the common name. Then, copy the client1.key file to the ~/client-configs/keys/ directory you created earlier:

ENTER确认通用名称。 然后,将client1.key文件复制到您之前创建的~/client-configs/keys/目录中:

  • cp pki/private/client1.key ~/client-configs/keys/

Next, transfer the client1.req file to your CA Server using a secure method:

  • scp pki/reqs/client1.req sammy@your_ca_server_ip:/tmp

Now log in to your CA Server. Then, navigate to the EasyRSA directory, and import the certificate request:

  • cd ~/easy-rsa
  • ./easyrsa import-req /tmp/client1.req client1

Next, sign the request the same way as you did for the server in the previous step. This time, though, be sure to specify the client request type:

  • ./easyrsa sign-req client client1

When prompted, enter yes to confirm that you intend to sign the certificate request and that it came from a trusted source:

Output
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Again, if you encrypted your CA key, you’ll be prompted for your password here.

This will create a client certificate file named client1.crt. Transfer this file back to the server:

  • scp pki/issued/client1.crt sammy@your_server_ip:/tmp

Back on your OpenVPN server, copy the client certificate to the ~/client-configs/keys/ directory:

  • cp /tmp/client1.crt ~/client-configs/keys/

Next, copy the ca.crt and ta.key files to the ~/client-configs/keys/ directory as well, and set the appropriate permissions for your sudo user:

  • cp ~/easy-rsa/ta.key ~/client-configs/keys/
  • sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/
  • sudo chown sammy:sammy ~/client-configs/keys/*

With that, your server and client’s certificates and keys have all been generated and are stored in the appropriate directories on your OpenVPN server. There are still a few actions that need to be performed with these files, but those will come in a later step. For now, you can move on to configuring OpenVPN.

Step 7 — Configuring OpenVPN

Like many other widely used open-source tools, OpenVPN has numerous configuration options available to customize your server for your specific needs. In this section, we will provide instructions on how to set up an OpenVPN server configuration based on one of the sample configuration files that is included within this software’s documentation.

First, copy the sample server.conf file as a starting point for your own configuration file:

  • sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server/
  • sudo gunzip /etc/openvpn/server/server.conf.gz

Open the new file for editing with the text editor of your choice. We’ll use nano in our example:

  • sudo nano /etc/openvpn/server/server.conf

We’ll need to change a few lines in this file. First, find the HMAC section of the configuration by searching for the tls-auth directive. This line is uncommented in the sample file. Comment it out by adding a ; to the beginning of the line. Then add a new line after it containing only the value tls-crypt ta.key:

/etc/openvpn/server/server.conf
;tls-auth ta.key 0 # This file is secret
tls-crypt ta.key

Next, find the section on cryptographic ciphers by looking for the cipher lines. The default value is set to AES-256-CBC; however, the AES-256-GCM cipher is an authenticated-encryption mode that offers stronger protection and better performance, and it is well supported in up-to-date OpenVPN clients. We’ll comment out the default value by adding a ; sign to the beginning of this line, and then we’ll add another line after it containing the updated value of AES-256-GCM:

/etc/openvpn/server/server.conf
;cipher AES-256-CBC
cipher AES-256-GCM

Right after this line, add an auth directive to select the HMAC message digest algorithm. For this, SHA256 is a good choice:

/etc/openvpn/server/server.conf
auth SHA256

Next, find the line containing a dh directive, which defines Diffie-Hellman parameters. Since we’ve configured all the certificates to use Elliptic Curve Cryptography, there is no need for a Diffie-Hellman seed file. Comment out the existing line that looks like dh dh2048.pem or dh dh.pem. The filename for the Diffie-Hellman key may be different than what is listed in the example server configuration file. Then add a line after it with the contents dh none:

/etc/openvpn/server/server.conf
;dh dh2048.pem
dh none

Next, we want OpenVPN to run with no privileges once it has started, so we need to tell it to run with a user nobody and group nogroup. To enable this, find and uncomment the user nobody and group nogroup lines by removing the ; sign from the beginning of each line:

/etc/openvpn/server/server.conf
user nobody
group nogroup

(Optional) Push DNS Changes to Redirect All Traffic Through the VPN

The settings above will create the VPN connection between your client and server, but will not force any connections to use the tunnel. If you wish to use the VPN to route all of your client traffic over the VPN, you will likely want to push some extra settings to the client computers.

To get started, find and uncomment the line containing push "redirect-gateway def1 bypass-dhcp". Doing this will tell your client to redirect all of its traffic through your OpenVPN Server. Be aware that enabling this functionality can cause connectivity issues with other network services, like SSH:

/etc/openvpn/server/server.conf
push "redirect-gateway def1 bypass-dhcp"

Just below this line, find the dhcp-option section. Again, remove the ; from the beginning of both of the lines to uncomment them:

/etc/openvpn/server/server.conf
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

These lines will tell your client to use the free OpenDNS resolvers at the listed IP addresses. If you prefer other DNS resolvers, you can substitute them in place of the listed IPs.

This will assist clients in reconfiguring their DNS settings to use the VPN tunnel as the default gateway.

(Optional) Adjust the Port and Protocol

By default, the OpenVPN server uses port 1194 and the UDP protocol to accept client connections. If you need to use a different port because of restrictive network environments that your clients might be in, you can change the port option. If you are not hosting web content on your OpenVPN server, port 443 is a popular choice since it is usually allowed through firewall rules.

To change OpenVPN to listen on port 443, open the server.conf file and find the line that looks like this:

/etc/openvpn/server/server.conf
port 1194

Edit it so that the port is 443:

/etc/openvpn/server/server.conf
# Optional!
port 443

Oftentimes, the protocol is restricted to that port as well. If so, find the proto line below the port line and change the protocol from udp to tcp:

/etc/openvpn/server/server.conf
# Optional!
proto tcp

If you do switch the protocol to TCP, you will need to change the explicit-exit-notify directive’s value from 1 to 0, as this directive is only used by UDP. Failing to do so while using TCP will cause errors when you start the OpenVPN service.

如果确实将协议切换为TCP,则需要将explicit-exit-notify指令的值从1更改为0 ,因为该指令仅由UDP使用。 如果使用TCP失败,则会在启动OpenVPN服务时导致错误。

Find the explicit-exit-notify line at the end of the file and change the value to 0:

在文件末尾找到explicit-exit-notify行并将其值更改为0

/etc/open/server/server.conf
/etc/open/server/server.conf
# Optional!
explicit-exit-notify 0

If you have no need to use a different port and protocol, it is best to leave these settings unchanged.

如果您不需要使用其他端口和协议,则最好保持这些设置不变。
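
As an added sanity check for this optional change (example code written for this page, not part of the tutorial or of the OpenVPN project; the names conf_get, listen_rule and check_exit_notify are assumptions), the script below reads a server.conf the way OpenVPN does (lines starting with ";" or "#" are comments, the last occurrence of a directive wins), prints the port/protocol pair that the firewall rule in Step 9 must allow, and refuses a TCP listener that still carries explicit-exit-notify, which is the startup failure described above. The sample file at the bottom is constructed.

```shell
#!/usr/bin/env bash
# Added lint for the optional port/protocol change (example code, not from the
# tutorial or the OpenVPN project). conf_get mimics how OpenVPN reads the file:
# ';' and '#' lines are comments and the last occurrence of a directive wins.

# Print the value of a directive, "present" if it has no argument, nothing if absent.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                  # comment line
        $1 == key { val = (NF > 1) ? $2 : "present" } # last one wins
        END { if (val != "") print val }
    ' "$1"
}

# The "port/proto" pair the Step 9 firewall rule must allow, e.g. "1194/udp".
listen_rule() {
    local port proto
    port=$(conf_get "$1" port); proto=$(conf_get "$1" proto)
    port=${port:-1194}; proto=${proto:-udp}           # OpenVPN defaults
    case "$proto" in tcp*) proto=tcp ;; udp*) proto=udp ;; esac
    printf '%s/%s\n' "$port" "$proto"
}

# 0 when the file is consistent; 1 when a TCP listener still carries a
# non-zero explicit-exit-notify, which OpenVPN rejects at startup.
check_exit_notify() {
    local proto notify
    proto=$(conf_get "$1" proto); proto=${proto:-udp}
    notify=$(conf_get "$1" explicit-exit-notify)
    case "$proto" in
        tcp*)
            if [ -n "$notify" ] && [ "$notify" != 0 ]; then
                echo "ERROR: proto $proto with explicit-exit-notify ($notify) is UDP-only; set it to 0" >&2
                return 1
            fi ;;
    esac
    echo "OK: listener $(listen_rule "$1"), explicit-exit-notify=${notify:-unset}"
}

# Constructed sample (not a real server config) reproducing the mistake above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
port 443
;proto udp
proto tcp
explicit-exit-notify 1
EOF
check_exit_notify "$sample" || echo "allow $(listen_rule "$sample") in ufw once fixed"
rm -f "$sample"
```

Run check_exit_notify /etc/openvpn/server/server.conf before restarting the service; a non-zero exit means the file would fail to load, and listen_rule gives you the exact argument for the ufw allow command in Step 9.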

(Optional) Point to Non-Default Credentials

If you selected a different name during the ./easyrsa gen-req server command earlier, modify the cert and key lines in the server.conf configuration file so that they point to the appropriate .crt and .key files. If you used the default name, server, this is already set correctly:

/etc/openvpn/server/server.conf
cert server.crt
key server.key

When you are finished, save and close the file.

You have now finished configuring your OpenVPN general settings. In the next step, we’ll customize the server’s networking options.

Step 8 — Adjusting the OpenVPN Server Networking Configuration

There are some aspects of the server’s networking configuration that need to be tweaked so that OpenVPN can correctly route traffic through the VPN. The first of these is IP forwarding, a method for determining where IP traffic should be routed. This is essential to the VPN functionality that your server will provide.

To adjust your OpenVPN server’s default IP forwarding setting, open the /etc/sysctl.conf file using nano or your preferred editor:

  • sudo nano /etc/sysctl.conf

Then add the following line at the bottom of the file:

/etc/sysctl.conf
net.ipv4.ip_forward = 1

Save and close the file when you are finished.

To read the file and load the new values for the current session, type:

  • sudo sysctl -p

Output
net.ipv4.ip_forward = 1

Now your OpenVPN server will be able to forward incoming traffic from one ethernet device to another. This setting makes sure the server can direct traffic from clients that connect on the virtual VPN interface out over its other physical ethernet devices. This configuration will route all web traffic from your client via your server’s IP address, and your client’s public IP address will effectively be hidden.

In the next step you will need to configure some firewall rules to ensure that traffic to and from your OpenVPN server flows properly.

Step 9 — Firewall Configuration

So far, you’ve installed OpenVPN on your server, configured it, and generated the keys and certificates needed for your client to access the VPN. However, you have not yet provided OpenVPN with any instructions on where to send incoming web traffic from clients. You can stipulate how the server should handle client traffic by establishing some firewall rules and routing configurations.

Assuming you followed the prerequisites at the start of this tutorial, you should already have ufw installed and running on your server. To allow OpenVPN through the firewall, you’ll need to enable masquerading, an iptables concept that provides on-the-fly dynamic network address translation (NAT) to correctly route client connections.

Before opening the firewall configuration file to add the masquerading rules, you must first find the public network interface of your machine. To do this, type:

  • ip route list default

Your public interface is the string found within this command’s output that follows the word “dev”. For example, this result shows the interface named eth0:

Output
default via 159.65.160.1 dev eth0 proto static

When you have the interface associated with your default route, open the /etc/ufw/before.rules file to add the relevant configuration:

  • sudo nano /etc/ufw/before.rules

UFW rules are typically added using the ufw command. Rules listed in the before.rules file, though, are read and put into place before the conventional UFW rules are loaded. Towards the top of the file, add the lines below. This will set the default policy for the POSTROUTING chain in the nat table and masquerade any traffic coming from the VPN. Remember to replace eth0 in the -A POSTROUTING line below with the interface you found in the above command:

/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
. . .

Save and close the file when you are finished.

Next, you need to tell UFW to allow forwarded packets by default as well. To do this, open the /etc/default/ufw file:

  • sudo nano /etc/default/ufw

Inside, find the DEFAULT_FORWARD_POLICY directive and change the value from DROP to ACCEPT:

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Save and close the file when you are finished.

Next, adjust the firewall itself to allow traffic to OpenVPN. If you did not change the port and protocol in the /etc/openvpn/server/server.conf file, you will need to open up UDP traffic to port 1194. If you modified the port and/or protocol, substitute the values you selected here.

In case you forgot to add the SSH port when following the prerequisite tutorial, add it here as well:

  • sudo ufw allow 1194/udp
  • sudo ufw allow OpenSSH

After adding those rules, disable and re-enable UFW to restart it and load the changes from all of the files you’ve modified:

  • sudo ufw disable
  • sudo ufw enable

Your server is now configured to correctly handle OpenVPN traffic. With the firewall rules in place, we can start the OpenVPN service on the server.
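
The helper below is an added example for Steps 8 and 9, not code from the tutorial or from the OpenVPN project (the function names are assumptions). It extracts the interface from the ip route line, renders the NAT block shown above for that interface, and checks the two prerequisites (ip_forward set, a MASQUERADE rule present for that interface) before UFW is reloaded. The subnet is a parameter: the tutorial's 10.8.0.0/8 also matches every other 10.x.x.x source address, so passing the subnet from the server directive in server.conf (10.8.0.0/24 for the stock sample configuration) masquerades VPN clients only.

```shell
#!/usr/bin/env bash
# Added example for Steps 8 and 9 (not code from the tutorial or the OpenVPN
# project). All paths and the route text are parameters so the functions can
# be exercised against constructed input.

# Interface name following "dev" in a line such as
# "default via 159.65.160.1 dev eth0 proto static" read from stdin.
default_iface_from_route() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Reject anything that is not a plain interface name before it is written
# into a rules file that ufw loads as root.
valid_iface() {
    case "$1" in ''|*[!A-Za-z0-9_.:-]*) return 1 ;; *) return 0 ;; esac
}

# Render the block the tutorial adds to /etc/ufw/before.rules. $2 is the VPN
# subnet; the tutorial's 10.8.0.0/8 also covers the whole 10.0.0.0/8 range,
# so the subnet from the "server" directive is the tighter choice.
render_nat_rules() {
    local iface=$1 subnet=${2:-10.8.0.0/8}
    valid_iface "$iface" || { echo "bad interface name: '$iface'" >&2; return 1; }
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients ($subnet) out of $iface
-A POSTROUTING -s $subnet -o $iface -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
}

# 0 if the sysctl file ($1, default /proc/sys/net/ipv4/ip_forward) reads "1".
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# 0 if rules file $1 already masquerades VPN traffic out of interface $2.
has_masquerade_rule() {
    valid_iface "$2" || return 1
    grep -Eq "^-A POSTROUTING -s [0-9./]+ -o $2 -j MASQUERADE$" "$1"
}

# Demo on constructed input (the route line is the one shown in the tutorial).
iface=$(printf 'default via 159.65.160.1 dev eth0 proto static\n' | default_iface_from_route)
render_nat_rules "$iface" 10.8.0.0/24
```

On the server itself, `ip route list default | default_iface_from_route` feeds the real interface, and `ip_forward_enabled && has_masquerade_rule /etc/ufw/before.rules "$iface"` is the check to run before `ufw disable && ufw enable`.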

Step 10 — Starting OpenVPN

OpenVPN runs as a systemd service, so we can use systemctl to manage it. We will configure OpenVPN to start up at boot so you can connect to your VPN at any time as long as your server is running. To do this, enable the OpenVPN service by adding it to systemctl:

  • sudo systemctl enable openvpn-server@server.service

Then start the OpenVPN service:

  • sudo systemctl start openvpn-server@server.service

Double check that the OpenVPN service is active with the following command. You should see active (running) in the output:

  • sudo systemctl status openvpn-server@server.service

Output
openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-04-29 15:39:59 UTC; 6s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 16872 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 1137)
     Memory: 1.0M
     CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
             └─16872 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --c>
. . .
Apr 29 15:39:59 ubuntu-20 openvpn[16872]: Initialization Sequence Completed

We’ve now completed the server-side configuration for OpenVPN. Next, you will configure your client machine and connect to the OpenVPN Server.

Step 11 — Creating the Client Configuration Infrastructure

Creating configuration files for OpenVPN clients can be somewhat involved, as every client must have its own config and each must align with the settings outlined in the server’s configuration file. Rather than writing a single configuration file that can only be used on one client, this step outlines a process for building a client configuration infrastructure which you can use to generate config files on-the-fly. You will first create a “base” configuration file then build a script which will allow you to generate unique client config files, certificates, and keys as needed.

Get started by creating a new directory where you will store client configuration files within the client-configs directory you created earlier:

  • mkdir -p ~/client-configs/files

Next, copy an example client configuration file into the client-configs directory to use as your base configuration:

  • cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

Open this new file using nano or your preferred text editor:

  • nano ~/client-configs/base.conf

Inside, locate the remote directive. This points the client to your OpenVPN server address — the public IP address of your OpenVPN server. If you decided to change the port that the OpenVPN server is listening on, you will also need to change 1194 to the port you selected:

~/client-configs/base.conf
. . .
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your_server_ip 1194
. . .

Be sure that the protocol matches the value you are using in the server configuration:

~/client-configs/base.conf
proto udp

Next, uncomment the user and group directives by removing the ; sign at the beginning of each line:

~/client-configs/base.conf
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Find the directives that set the ca, cert, and key. Comment out these directives since you will add the certs and keys within the file itself shortly:

~/client-configs/base.conf
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key

Similarly, comment out the tls-auth directive, as you will add ta.key directly into the client configuration file (and the server is set up to use tls-crypt):

~/client-configs/base.conf
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

Mirror the cipher and auth settings that you set in the /etc/openvpn/server/server.conf file:

~/client-configs/base.conf
cipher AES-256-GCM
auth SHA256

Next, add the key-direction directive somewhere in the file. You must set this to “1” for the VPN to function correctly on the client machine:

~/client-configs/base.conf
key-direction 1

Finally, add a few commented out lines to handle various methods that Linux based VPN clients will use for DNS resolution. You’ll add two similar, but separate sets of commented out lines. The first set is for clients that do not use systemd-resolved to manage DNS. These clients rely on the resolvconf utility to update DNS information for Linux clients.

~/client-configs/base.conf
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf

Now add another set of lines for clients that use systemd-resolved for DNS resolution:

~/client-configs/base.conf
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE .

Save and close the file when you are finished.

Later in Step 13 - Installing the Client Configuration step of this tutorial you will learn how to determine how DNS resolution works on Linux clients and which section to uncomment.
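
All of the base.conf edits above, applied in one pass: this is an added example written for this page, not the tutorial's own steps or OpenVPN project code, and prepare_base_conf and check_base_conf are assumed names. It rewrites a copy of the stock sample client.conf (remote, proto, user/group, the four file-based credential directives, cipher/auth, key-direction, and both commented DNS blocks) so the result can be reviewed with diff -u against the original before make_config.sh consumes it. The sample input in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the tutorial or the OpenVPN project: apply the
# Step 11 edits to a copy of the stock sample client.conf in one pass.
# Usage: prepare_base_conf <sample client.conf> <base.conf> <server address> [port] [proto]
prepare_base_conf() {
    local in=$1 out=$2 addr=$3 port=${4:-1194} proto=${5:-udp}
    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }
    awk -v addr="$addr" -v port="$port" -v proto="$proto" '
        $1 == "remote" { print "remote " addr " " port; next }   # server address and port
        $1 == "proto"  { print "proto " proto; next }             # must match server.conf
        /^;(user|group) / { sub(/^;/, ""); print; next }         # drop privileges after start
        /^(ca|cert|key|tls-auth) / { print ";" $0; next }         # inlined later by make_config.sh
        /^;?cipher / { print "cipher AES-256-GCM"; seen_cipher = 1; next }
        /^;?auth /   { print "auth SHA256"; seen_auth = 1; next }
        { print }
        END {
            if (!seen_cipher) print "cipher AES-256-GCM"
            if (!seen_auth)   print "auth SHA256"
            print "key-direction 1"
            print ""
            print "; script-security 2"
            print "; up /etc/openvpn/update-resolv-conf"
            print "; down /etc/openvpn/update-resolv-conf"
            print ""
            print "; script-security 2"
            print "; up /etc/openvpn/update-systemd-resolved"
            print "; down /etc/openvpn/update-systemd-resolved"
            print "; down-pre"
            print "; dhcp-option DOMAIN-ROUTE ."
        }
    ' "$in" > "$out"
}

# Consistency check before the file is used as a base: no file-based
# credential directive may remain active, and key-direction must be 1.
check_base_conf() {
    ! grep -Eq '^(ca|cert|key|tls-auth) ' "$1" \
        || { echo "file-based credentials still active in $1" >&2; return 1; }
    grep -qx 'key-direction 1' "$1" \
        || { echo "key-direction 1 missing in $1" >&2; return 1; }
}
```

Typical use on the server, after the cp command above: `prepare_base_conf /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf your_server_ip 1194 udp && check_base_conf ~/client-configs/base.conf`, then `diff -u` the two files to confirm only the intended lines changed.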

Next, we’ll create a script that will compile your base configuration with the relevant certificate, key, and encryption files and then place the generated configuration in the ~/client-configs/files directory. Open a new file called make_config.sh within the ~/client-configs directory:

  • nano ~/client-configs/make_config.sh

Inside, add the following content:

~/client-configs/make_config.sh
#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Concatenate the base config with each credential wrapped in OpenVPN's
# inline <tag>...</tag> blocks, so the client needs only the single .ovpn file.
cat ${BASE_CONFIG} \
    <(echo -e '<ca>') \
    ${KEY_DIR}/ca.crt \
    <(echo -e '</ca>\n<cert>') \
    ${KEY_DIR}/${1}.crt \
    <(echo -e '</cert>\n<key>') \
    ${KEY_DIR}/${1}.key \
    <(echo -e '</key>\n<tls-crypt>') \
    ${KEY_DIR}/ta.key \
    <(echo -e '</tls-crypt>') \
    > ${OUTPUT_DIR}/${1}.ovpn

Save and close the file when you are finished.

Before moving on, be sure to mark this file as executable by typing:

  • chmod 700 ~/client-configs/make_config.sh

This script will make a copy of the base.conf file you made, collect all the certificate and key files you’ve created for your client, extract their contents, append them to the copy of the base configuration file, and export all of this content into a new client configuration file. This means that, rather than having to manage the client’s configuration, certificate, and key files separately, all the required information is stored in one place. The benefit of using this method is that if you ever need to add a client in the future, you can run this script to quickly create a new config file and ensure that all the important information is stored in a single, easy-to-access location.

Please note that any time you add a new client, you will need to generate new keys and certificates for it before you can run this script and generate its configuration file. You will get some practice using this script in the next step.
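
A hardened variant of the same idea, added here as example code (not the tutorial's script and not from the OpenVPN project; make_client_profile, inline_block and verify_profile are assumed names): the client name is validated before it is used in a path, every input file must exist before anything is written, the profile is created with mode 0600 because it embeds the client's private key, and the four inline blocks are verified in the result. The directory layout is the tutorial's; the files used in the test are constructed.

```shell
#!/usr/bin/env bash
# Added, hardened variant of make_config.sh (example code, not the tutorial's
# script or OpenVPN project code). Directory layout follows the tutorial and
# can be overridden through the environment.
KEY_DIR=${KEY_DIR:-$HOME/client-configs/keys}
OUTPUT_DIR=${OUTPUT_DIR:-$HOME/client-configs/files}
BASE_CONFIG=${BASE_CONFIG:-$HOME/client-configs/base.conf}

# Wrap a file's contents in an OpenVPN inline block, e.g. <ca>...</ca>.
# "awk 1" re-emits the file with a guaranteed trailing newline so the closing
# tag never lands on the last line of the credential.
inline_block() { printf '<%s>\n' "$1"; awk 1 "$2"; printf '</%s>\n' "$1"; }

# Build $OUTPUT_DIR/<client>.ovpn; returns non-zero and writes nothing on error.
make_client_profile() {
    local client=$1 f out
    case "$client" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid client name: '$client'" >&2; return 2 ;;
    esac
    for f in "$BASE_CONFIG" "$KEY_DIR/ca.crt" "$KEY_DIR/ta.key" \
             "$KEY_DIR/$client.crt" "$KEY_DIR/$client.key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    out=$OUTPUT_DIR/$client.ovpn
    ( umask 077   # private key inside: owner-only from the moment the file exists
      { cat "$BASE_CONFIG"
        inline_block ca        "$KEY_DIR/ca.crt"
        inline_block cert      "$KEY_DIR/$client.crt"
        inline_block key       "$KEY_DIR/$client.key"
        inline_block tls-crypt "$KEY_DIR/ta.key"   # the server uses tls-crypt
      } > "$out" )
    verify_profile "$out"
}

# Sanity check: all four inline blocks present and closed.
verify_profile() {
    local tag
    for tag in ca cert key tls-crypt; do
        grep -qx "<$tag>" "$1" && grep -qx "</$tag>" "$1" \
            || { echo "profile $1 is missing the <$tag> block" >&2; return 1; }
    done
    echo "ready: $1"
}

# Command-line use: ./make_client_profile.sh client1
[ $# -eq 0 ] || make_client_profile "$1"
```

Because the output file is created under umask 077, the copy in ~/client-configs/files is readable only by your user; keep the same restriction on the copy you transfer to the client in Step 12.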

Step 12 — Generating Client Configurations

If you followed along with the guide, you created a client certificate and key named client1.crt and client1.key, respectively, in Step 6. You can generate a config file for these credentials by moving into your ~/client-configs directory and running the script you made at the end of the previous step:

  • cd ~/client-configs
  • ./make_config.sh client1

This will create a file named client1.ovpn in your ~/client-configs/files directory:

  • ls ~/client-configs/files

Output
client1.ovpn

You need to transfer this file to the device you plan to use as the client. For instance, this could be your local computer or a mobile device.

While the exact applications used to accomplish this transfer will depend on your device’s operating system and your personal preferences, a dependable and secure method is to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client’s VPN authentication files over an encrypted connection.

Here is an example SFTP command which you can run from your local computer (macOS or Linux). This will copy the client1.ovpn file we’ve created in the last step to your home directory:

  • sftp sammy@openvpn_server_ip:client-configs/files/client1.ovpn ~/

Here are several tools and tutorials for securely transferring files from the OpenVPN server to a local computer:

  • WinSCP
  • How To Use SFTP to Securely Transfer Files with a Remote Server
  • How To Use Filezilla to Transfer and Manage Files Securely on your VPS

Step 13 — Installing the Client Configuration

This section covers how to install a client VPN profile on Windows, macOS, Linux, iOS, and Android. None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to your device.

The OpenVPN connection will have the same name as whatever you called the .ovpn file. In regards to this tutorial, this means that the connection is named client1.ovpn, aligning with the first client file you generated.

Windows

Installing

Download the OpenVPN client application for Windows from OpenVPN’s Downloads page. Choose the appropriate installer version for your version of Windows.

Note: OpenVPN needs administrative privileges to install.

After installing OpenVPN, copy the .ovpn file to:

C:\Program Files\OpenVPN\config

When you launch OpenVPN, it will automatically locate the profile and make it available.

You must run OpenVPN as an administrator each time it’s used, even by administrative accounts. To do this without having to right-click and select Run as administrator every time you use the VPN, you must preset this from an administrative account. This also means that standard users will need to enter the administrator’s password to use OpenVPN. On the other hand, standard users can’t properly connect to the server unless the OpenVPN application on the client has admin rights, so the elevated privileges are necessary.

To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator.

Connecting

Each time you launch the OpenVPN GUI, Windows will ask if you want to allow the program to make changes to your computer. Click Yes. Launching the OpenVPN client application only puts the applet in the system tray so that you can connect and disconnect the VPN as needed; it does not actually make the VPN connection.

Once OpenVPN is started, initiate a connection by going into the system tray applet and right-clicking on the OpenVPN applet icon. This opens the context menu. Select client1 at the top of the menu (that’s your client1.ovpn profile) and choose Connect.

A status window will open showing the log output while the connection is established, and a message will show once the client is connected.

Disconnect from the VPN the same way: Go into the system tray applet, right-click the OpenVPN applet icon, select the client profile and click Disconnect.

macOS

Installing

Tunnelblick is a free, open source OpenVPN client for macOS. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded .dmg file and follow the prompts to install.

Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. Answer I have configuration files and let Tunnelblick finish. Open a Finder window and double-click client1.ovpn. Tunnelblick will install the client profile. Administrative privileges are required.

Connecting

Launch Tunnelblick by double-clicking the Tunnelblick icon in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect client1 menu item to initiate the VPN connection.

的Linux (Linux)

Installing

Installing

If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.

If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.

The most universal way of connecting, however, is to just use the OpenVPN software.

The most universal way of connecting, however, is to just use the OpenVPN software.

On Ubuntu or Debian, you can install it just as you did on the server by typing:

On Ubuntu or Debian, you can install it just as you did on the server by typing:

  • sudo apt update

    sudo apt更新
  • sudo apt install open

    sudo apt install open

On CentOS you can enable the EPEL repositories and then install it by typing:

On CentOS you can enable the EPEL repositories and then install it by typing:

  • sudo dnf install epel-release

    sudo dnf安装epel-release
  • sudo dnf install open

    sudo dnf install open

Configuring Clients that use systemd-resolved (Configuring Clients that use systemd-resolved)

First determine if your system is using systemd-resolved to handle DNS resolution by checking the /etc/resolv.conf file:

First determine if your system is using systemd-resolved to handle DNS resolution by checking the /etc/resolv.conf file:

  • cat /etc/resolv.conf

    cat /etc/resolv.conf

   
     
     
     
     
Output
# This file is managed by man:systemd-resolved(8). Do not edit. . . . nameserver 127.0.0.53 options edns0

If your system is configured to use systemd-resolved for DNS resolution, the IP address after the nameserver option will be 127.0.0.53. There should also be comments in the file like the output that is shown that explain how systemd-resolved is managing the file. If you have a different IP address than 127.0.0.53 then chances are your system is not using systemd-resolved and you can go to the next section on configuring Linux clients that have an update-resolv-conf script instead.

If your system is configured to use systemd-resolved for DNS resolution, the IP address after the nameserver option will be 127.0.0.53 . There should also be comments in the file like the output that is shown that explain how systemd-resolved is managing the file. If you have a different IP address than 127.0.0.53 then chances are your system is not using systemd-resolved and you can go to the next section on configuring Linux clients that have an update-resolv-conf script instead.

To support these clients, first install the open-systemd-resolved package. It provides scripts that will force systemd-resolved to use the VPN server for DNS resolution.

To support these clients, first install the open-systemd-resolved package. It provides scripts that will force systemd-resolved to use the VPN server for DNS resolution.

  • sudo apt install open-systemd-resolved

    sudo apt install open-systemd-resolved

One that package is installed, configure the client to use it, and to send all DNS queries over the VPN interface. Open the client’s VPN file:

One that package is installed, configure the client to use it, and to send all DNS queries over the VPN interface. Open the client's VPN file:

  • nano client1.o

    nano client1 .o

Now uncomment the following lines that you added earlier:

Now uncomment the following lines that you added earlier:

client1.o
client1.o
script-security 2
up /etc/open/update-systemd-resolved
down /etc/open/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .

Configuring Clients that use update-resolv-conf (Configuring Clients that use update-resolv-conf)

If your system is not using systemd-resolved to manage DNS, check to see if your distribution includes an /etc/open/update-resolv-conf script instead:

If your system is not using systemd-resolved to manage DNS, check to see if your distribution includes an /etc/open/update-resolv-conf script instead:

  • ls /etc/open

    ls /etc/open

Output
update-resolv-conf

If your client includes the update-resolv-conf file, then edit the OpenVPN client configuration file that you transferred earlier:

  • nano client1.ovpn

Uncomment the three lines you added to adjust the DNS settings:

client1.ovpn
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

If you are using CentOS, change the group directive from nogroup to nobody to match the distribution's available groups:

client1.ovpn
group nobody

Save and close the file.
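The two sections above describe the same edit for two different resolver setups, and enabling the wrong set (or both) is a common way to end up with a tunnel that works but leaks or breaks DNS. The script below is an added example, not part of the original tutorial: it detects which resolver the client uses and uncomments exactly the directives the tutorial lists for that case, leaving the other set commented. The directive text and script paths are the ones from the tutorial; the profile filename is an argument, and the `127.0.0.53` test for systemd-resolved is the one described above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: switch on exactly one of
# the two DNS-update directive sets in a client profile, chosen by the
# resolver the client really uses. The directives and script paths are the
# ones the tutorial tells you to add to client1.ovpn; the profile path is
# taken as the first argument.

# True when the host uses systemd-resolved's stub listener (127.0.0.53).
uses_systemd_resolved() {
    grep -q '^nameserver 127\.0\.0\.53' /etc/resolv.conf 2>/dev/null
}

# Uncomment the directives for MODE ("resolved" or "resolvconf") in PROFILE.
# Lines are matched exactly, so the other mode's directives stay commented:
# enabling both would run two different update scripts against the same
# resolver state on every connect and disconnect.
enable_dns_update() {
    profile=$1
    mode=$2
    case $mode in
        resolved)
            directives='script-security 2
up /etc/openvpn/update-systemd-resolved
down /etc/openvpn/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .' ;;
        resolvconf)
            directives='script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf' ;;
        *)
            echo "enable_dns_update: unknown mode '$mode'" >&2
            return 2 ;;
    esac

    printf '%s\n' "$directives" | while IFS= read -r d; do
        # The only regex metacharacter in these directives is '.', escape it.
        esc=$(printf '%s' "$d" | sed 's/\./\\./g')
        # Accept either comment marker OpenVPN allows ('#' or ';').
        sed "s|^[#;][[:space:]]*$esc[[:space:]]*\$|$d|" "$profile" > "$profile.tmp" \
            && mv "$profile.tmp" "$profile"
    done
}

# Stand-alone use: ./enable-vpn-dns.sh client1.ovpn
if [ "$#" -gt 0 ]; then
    if uses_systemd_resolved; then
        enable_dns_update "$1" resolved
    else
        enable_dns_update "$1" resolvconf
    fi
fi
```

Run it once against the profile after transferring it to the client; rerunning is harmless because already-uncommented lines no longer match the comment-marker pattern.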

Connecting

Now, you can connect to the VPN by just pointing the openvpn command to the client configuration file:

  • sudo openvpn --config client1.ovpn

This should connect you to your VPN.

Note: If your client uses systemd-resolved to manage DNS, check that the settings are applied correctly by running the systemd-resolve --status command against the tunnel interface (on current systemd releases, including Ubuntu 20.04, resolvectl status tun0 prints the same information):

  • systemd-resolve --status tun0

You should see output like the following:

Output
Link 22 (tun0)
...
        DNS Servers: 208.67.222.222
                     208.67.220.220
         DNS Domain: ~.

If you see the IP addresses of the DNS servers that you configured on the OpenVPN server, along with the ~. setting for DNS Domain in the output, then you have correctly configured your client to use the VPN server's DNS resolver. The ~. routing domain is what makes systemd-resolved send every query to the tunnel's servers rather than to the resolver the local network handed out. You can also check that you are sending DNS queries over the VPN by using a site like DNSLeakTest.com.
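The manual check above is easy to get wrong when reading a long status listing, so here is the same check as a script you can run after each connect. It is an added example and not part of the original tutorial: the expected resolver addresses are the two the tutorial pushes from the server (an assumption if you changed them), tun0 is OpenVPN's default name for the first tun interface, and the parser reads the `resolvectl status` or `systemd-resolve --status` text so it can also be tested offline on captured output.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: confirm that the VPN link
# carries the pushed resolvers and that all lookups are routed through it.
# EXPECTED_DNS matches what the tutorial pushes from the server (assumption:
# you did not change it); VPN_IF is OpenVPN's default first tun device.

EXPECTED_DNS="208.67.222.222 208.67.220.220"
VPN_IF="tun0"

# Reads `resolvectl status <iface>` (or the older `systemd-resolve --status`)
# text on stdin. Succeeds only if every expected server is listed and the
# link claims the catch-all routing domain "~.", which is what makes
# systemd-resolved send every query over the tunnel instead of to the
# resolver handed out by the local network.
vpn_dns_applied() {
    status=$(cat)
    for srv in $EXPECTED_DNS; do
        # -w keeps 208.67.222.222 from matching inside a longer address.
        printf '%s\n' "$status" | grep -qwF "$srv" || return 1
    done
    printf '%s\n' "$status" | grep -q 'DNS Domain: *~\.'
}

# Live check against the running client (needs systemd-resolved and an
# established tunnel); falls back to the deprecated command on older hosts.
check_live() {
    if command -v resolvectl >/dev/null 2>&1; then
        resolvectl status "$VPN_IF"
    else
        systemd-resolve --status "$VPN_IF"
    fi | vpn_dns_applied
}

# Stand-alone use: ./check-vpn-dns.sh --live
if [ "$#" -gt 0 ] && [ "$1" = "--live" ]; then
    if check_live; then
        echo "ok: $VPN_IF resolves through the VPN"
    else
        echo "FAIL: $VPN_IF is missing the pushed DNS servers or the ~. route" >&2
        exit 1
    fi
fi
```

A non-zero exit from the live check means queries can still reach the LAN resolver; the usual causes are the down-pre / dhcp-option DOMAIN-ROUTE lines still being commented out, or the openvpn-systemd-resolved package not being installed.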

iOS

Installing

From the iTunes App Store, search for and install OpenVPN Connect, the official iOS OpenVPN client application. To transfer your iOS client configuration onto the device, connect it directly to a computer.

The process of completing the transfer with iTunes is outlined here. Open iTunes on the computer and click on iPhone > apps. Scroll down to the bottom to the File Sharing section and click the OpenVPN app. The blank window to the right, OpenVPN Documents, is for sharing files. Drag the .ovpn file to the OpenVPN Documents window.

iTunes showing the VPN profile ready to load on the iPhone

Now launch the OpenVPN app on the iPhone. You will receive a notification that a new profile is ready to import. Tap the green plus sign to import it.

The OpenVPN iOS app showing new profile ready to import

Connecting

OpenVPN is now ready to use with the new profile. Start the connection by sliding the Connect button to the On position. Disconnect by sliding the same button to Off.

Note: The VPN switch under Settings cannot be used to connect to the VPN. If you try, you will receive a notice to only connect using the OpenVPN app.

Android

Installing

Open the Google Play Store. Search for and install Android OpenVPN Connect, the official Android OpenVPN client application.

You can transfer the .ovpn profile by connecting the Android device to your computer by USB and copying the file over. Alternatively, if you have an SD card reader, you can remove the device's SD card, copy the profile onto it and then insert the card back into the Android device.

Start the OpenVPN app and tap the FILE menu to import the profile.

Then navigate to the location of the saved profile (the screenshot uses /storage/emulated/0/openvpn) and select your .ovpn file. Tap the IMPORT button to finish importing this profile.

Connecting

Once the profile is added, you will see a screen like this:

To connect, tap the toggle button close to the profile you want to use. You'll see real time stats of your connection and traffic being routed through your OpenVPN server:

The OpenVPN Android app connected to the VPN

To disconnect, just tap the toggle button on the top left once again. You will be prompted to confirm that you want to disconnect from your VPN.

Step 14 — Testing Your VPN Connection (Optional)

Note: This method for testing your VPN connection will only work if you opted to route all your traffic through the VPN in Step 7 when you edited the server.conf file for OpenVPN.

Once everything is installed, a simple check confirms everything is working properly. Without having a VPN connection enabled, open a browser and go to DNSLeakTest.

The site will return the IP address assigned by your internet service provider and as you appear to the rest of the world. To check your DNS settings through the same website, click on Extended Test and it will tell you which DNS servers you are using.

Now connect the OpenVPN client to your Droplet's VPN and refresh the browser. A completely different IP address (that of your VPN server) should now appear, and this is how you appear to the world. Again, DNSLeakTest's Extended Test will check your DNS settings and confirm you are now using the DNS resolvers pushed by your VPN. If the Extended Test still lists your ISP's or local network's resolvers, the tunnel is up but DNS is leaking; go back to the client DNS configuration in Step 13.

Step 15 — Revoking Client Certificates

Occasionally, you may need to revoke a client certificate to prevent further access to the OpenVPN server, for example when a device is lost or a user leaves.

To do so, follow the example in the prerequisite tutorial on How to Set Up and Configure a Certificate Authority on Ubuntu 20.04 under the Revoking a Certificate section.

Once you have revoked a certificate for a client using those instructions, you'll need to copy the generated crl.pem file to your OpenVPN server in the /etc/openvpn/server directory:

  • sudo cp /tmp/crl.pem /etc/openvpn/server/

Next, open the OpenVPN server configuration file:

  • sudo nano /etc/openvpn/server/server.conf

At the bottom of the file, add the crl-verify option, which will instruct the OpenVPN server to check the certificate revocation list that we've created each time a connection attempt is made:

/etc/openvpn/server/server.conf
crl-verify crl.pem

Save and close the file.

Finally, restart the OpenVPN service to implement the certificate revocation. Note that OpenVPN only reads the CRL when it starts, so a new crl.pem has no effect until the service is restarted.

The client should no longer be able to successfully connect to the server using the revoked certificate.

To revoke additional clients, follow this process:

  1. Revoke the certificate with the ./easyrsa revoke client_name command
  2. Generate a new CRL
  3. Transfer the new crl.pem file to your OpenVPN server and copy it to the /etc/openvpn/server/ directory to overwrite the old list.
  4. Restart the OpenVPN service.

You can use this process to revoke any certificates that you've previously issued for your server.
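The four-step procedure above is the kind of thing that gets done once and then forgotten, so here it is as a pair of helpers plus the checks worth running afterwards. This is an added example, not part of the original tutorial or the Easy-RSA project: it assumes Easy-RSA is installed in ~/easy-rsa on the CA server, that the CA user can scp to the OpenVPN server as the VPN_HOST login shown, and that the daemon runs as the openvpn-server@server systemd unit (the unit Ubuntu's packaging uses for /etc/openvpn/server/server.conf). The two parse functions read `openssl crl -text` output from stdin, so they can be exercised without a real CA.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the revocation round trip
# from Step 15 as two helpers, plus the CRL checks worth running afterwards.
# Assumptions not stated on the page: Easy-RSA is installed in ~/easy-rsa on
# the CA server, the CA user can scp to the OpenVPN server as VPN_HOST, and
# the daemon runs as the openvpn-server@server unit.

EASYRSA_DIR="$HOME/easy-rsa"
VPN_HOST="sammy@your_server_ip"
SERVER_CONF_DIR="/etc/openvpn/server"

# Run on the CA server: revoke one client, regenerate the CRL and ship it.
# `easyrsa revoke` asks for confirmation and `gen-crl` for the CA passphrase.
revoke_client() {
    client=$1
    (cd "$EASYRSA_DIR" && ./easyrsa revoke "$client" && ./easyrsa gen-crl)
    scp "$EASYRSA_DIR/pki/crl.pem" "$VPN_HOST:/tmp/crl.pem"
}

# Run on the OpenVPN server: install the new list and restart the daemon,
# because crl-verify only reads the file at startup.
install_crl() {
    sudo cp /tmp/crl.pem "$SERVER_CONF_DIR/crl.pem"
    sudo systemctl restart openvpn-server@server.service
}

# Parse `openssl crl -noout -text` output on stdin; succeed if SERIAL is
# listed. Easy-RSA prints serials in uppercase hex, so normalise the argument.
crl_lists_serial() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    grep -q "^[[:space:]]*Serial Number: $want\$"
}

# Days until the CRL's Next Update, from the same text on stdin. Once this
# reaches zero OpenVPN rejects EVERY client with "CRL has expired", revoked
# or not, so monitor it: Easy-RSA signs CRLs for 180 days by default
# (EASYRSA_CRL_DAYS), and gen-crl plus install_crl must be rerun before then.
crl_days_left() {
    next=$(sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1)
    [ -n "$next" ] || return 1
    # GNU date is assumed for parsing the textual timestamp.
    echo $(( ($(date -ud "$next" +%s) - $(date -u +%s)) / 86400 ))
}

# Convenience report on the CRL installed on the server.
installed_crl_status() {
    text=$(sudo openssl crl -noout -text -in "$SERVER_CONF_DIR/crl.pem")
    printf 'CRL valid for %s more days\n' "$(printf '%s\n' "$text" | crl_days_left)"
    if printf '%s\n' "$text" | crl_lists_serial "$1"; then
        echo "serial $1 is revoked"
    else
        echo "serial $1 is NOT in the CRL"
    fi
}

# Stand-alone use:
#   ./revoke.sh revoke client1        (on the CA server)
#   ./revoke.sh install               (on the OpenVPN server)
#   ./revoke.sh status <serial-hex>   (on the OpenVPN server)
case ${1:-} in
    revoke)  revoke_client "$2" ;;
    install) install_crl ;;
    status)  installed_crl_status "$2" ;;
esac
```

The serial of a client certificate comes from `openssl x509 -noout -serial -in pki/issued/client1.crt` on the CA; checking it against the installed CRL proves the list that the server actually loaded is the one you just generated, which the "connection fails" test on its own does not.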

Conclusion

You should now have a fully operational virtual private network running on your OpenVPN Server. Traffic between your client and the server is now encrypted, so an untrusted local network such as hotel or coffee-shop WiFi cannot read or tamper with it. Keep in mind that the VPN server itself, and every network beyond it, still sees your traffic.

There are several steps you could take to customize your OpenVPN installation even further, such as configuring your client to connect to the VPN automatically or configuring client-specific rules and access policies. For these and other OpenVPN customizations, you should consult the official OpenVPN documentation.

To configure more clients, you only need to follow steps 6 and 11-13 for each additional device. To revoke access to clients, follow step 15.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04