{"id":379,"date":"2023-11-26T21:43:53","date_gmt":"2023-11-26T13:43:53","guid":{"rendered":"http:\/\/8.141.4.74\/?p=379"},"modified":"2024-04-18T16:04:11","modified_gmt":"2024-04-18T08:04:11","slug":"%e4%bc%81%e4%b8%9a%e7%ba%a7openvpn%e6%90%ad%e5%bb%ba%e8%bf%87%e7%a8%8b","status":"publish","type":"post","link":"http:\/\/8.141.4.74\/?p=379","title":{"rendered":"\u4f01\u4e1a\u7ea7OpenVpn\u642d\u5efa\u8fc7\u7a0b"},"content":{"rendered":"<h1>OpenVpn\u642d\u5efa<\/h1>\n<h2>1.\u524d\u63d0\u6761\u4ef6<\/h2>\n<blockquote>\n<p>\u5728\u963f\u91cc\u4e91\u8d2d\u4e70\u4e09\u53f0\u670d\u52a1\u5668\uff0c\u5176\u4e2d\u6709\u4e00\u53f0\u670d\u52a1\u5668\u5fc5\u987b\u6709\u4e00\u4e2a\u516c\u7f51ip<\/p>\n<\/blockquote>\n<p><img decoding=\"async\" src=\"https:\/\/typora-images-1307361841.cos.ap-beijing.myqcloud.com\/img\/image-20230822095941197.png\" alt=\"image-20230822095941197\" \/><\/p>\n<h2>2.\u642d\u5efa\u73af\u5883<\/h2>\n<pre><code class=\"language-bash\"># \u4e00\u3001\u73af\u5883\u6982\u8ff0\uff1a\n# \u4e13\u6709\u7f51\u7edc\uff1a172.16.0.0\/12\n# \u4ea4\u6362\u673a(\u5f20\u5bb6\u53e3):172.30.0.0\/24\n# 1.openvpn-server\uff1a\u516c\u7f51(47.92.120.196)\u79c1\u7f51(172.30.0.1)\n# 2.web01.magedu.org:\u79c1\u7f51(172.30.0.100)\n# 3.web02.magedu.org:\u79c1\u7f51(172.30.0.200)\n\n# \u4e8c\u3001\u8fde\u63a5openvpn\u670d\u52a1\u5668\nssh root@47.92.120.196\n[root@openvpn-server ~]# ip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host\n       valid_lft forever preferred_lft forever\n2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 00:16:3e:04:4a:08 brd ff:ff:ff:ff:ff:ff\n    inet 172.30.0.1\/24 brd 172.30.0.255 scope global dynamic eth0\n       valid_lft 315358791sec preferred_lft 
315358791sec\n    inet6 fe80::216:3eff:fe04:4a08\/64 scope link\n       valid_lft forever preferred_lft forever\n[root@openvpn-server ~]#\n[root@openvpn-server ~]# curl ifconfig.me\n47.92.120.196\n# \u8fd9\u91cc\u770b\u5230\u7684ip\u5374\u53ea\u6709\u4e00\u4e2a172.30.0.1\uff0c\u6ca1\u670947.92.120.196\uff0c\u901a\u8fc7curl ifconfig.me\u624d\u80fd\u770b\u5230\uff0c\u8fd9\u662f\u4e3a\u4ec0\u4e48\uff1f\n# 这是云平台在网关上做 NAT 的结果：公网 IP 并没有配置在 ECS 的网卡上。入站流量由网关把目标地址 DNAT 成 172.30.0.1；出站流量则被 SNAT 成公网 IP，curl ifconfig.me 看到的正是 SNAT 之后的源地址。在下面讲解一下DNAT和SNAT的区别。\n\n# \u76f4\u63a5\u901a\u8fc7ssh openvpn-server\u8fd9\u53f0\u673a\u5668\u8fdb\u884c\u8df3\u8f6c\u5230\u5176\u4ed6\u4e24\u53f0web\u670d\u52a1\u5668\nssh 172.30.0.100\n[root@web01 ~]# yum -y install httpd;hostname &gt; \/var\/www\/html\/index.html;systemctl enable --now httpd\n[root@web01 ~]# curl 172.30.0.100\nweb01.magedu.org\n\nssh 172.30.0.200\n[root@web02 ~]# yum -y install httpd;hostname &gt; \/var\/www\/html\/index.html;systemctl enable --now httpd\n[root@web02 ~]# curl 172.30.0.200\nweb02.magedu.org\n[root@web02 ~]#<\/code><\/pre>\n<h3>2.1 DNAT\uff08Destination Network Address Translation\uff09\u548c SNAT\uff08Source Network Address Translation\uff09<\/h3>\n<blockquote>\n<p><strong>\u5f53\u6211\u4eec\u8c08\u8bba\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff08NAT\uff09\u65f6\uff0c\u901a\u5e38\u4f1a\u6d89\u53ca\u4e24\u79cd\u4e3b\u8981\u7c7b\u578b\uff1aSNAT\uff08\u6e90\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff09\u548cDNAT\uff08\u76ee\u6807\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff09\u3002\u8fd9\u4e24\u79cd\u7c7b\u578b\u7684NAT\u5728\u5b9e\u9645\u7f51\u7edc\u4e2d\u6709\u5e7f\u6cdb\u7684\u5e94\u7528\u3002\u8ba9\u6211\u4eec\u8be6\u7ec6\u4e86\u89e3\u6bcf\u4e00\u79cd<\/strong><\/p>\n<\/blockquote>\n<p>SNAT\uff08\u6e90\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff09<\/p>\n<ul>\n<li><strong>\u5b9a\u4e49<\/strong>\uff1aSNAT \u662f\u7528\u4e8e\u66f4\u6539\u6570\u636e\u5305\u7684\u6e90 IP 
\u5730\u5740\u3002\u5e38\u5e38\u7528\u5728\u51fa\u7ad9\u6d41\u91cf\u4e2d\u3002<\/li>\n<li><strong>\u4f7f\u7528\u573a\u666f<\/strong>\uff1a\u5f53\u79c1\u6709\u7f51\u7edc\u5185\u7684\u8bbe\u5907\u9700\u8981\u8bbf\u95ee\u5916\u90e8\u7f51\u7edc\uff08\u4f8b\u5982\u4e92\u8054\u7f51\uff09\u65f6\uff0c\u901a\u5e38\u4f7f\u7528 SNAT\u3002\u8fd9\u5141\u8bb8\u591a\u4e2a\u5185\u90e8\u8bbe\u5907\u5171\u4eab\u4e00\u4e2a\u516c\u5171IP\u5730\u5740\u8fdb\u884c\u51fa\u7ad9\u8fde\u63a5\u3002<\/li>\n<li><strong>\u5de5\u4f5c\u539f\u7406<\/strong>\uff1a\u4f8b\u5982\uff0c\u5047\u8bbe\u4e00\u4e2a\u5185\u90e8\u8bbe\u5907\u4f7f\u7528\u79c1\u6709IP\uff08\u5982192.168.1.10\uff09\u5c1d\u8bd5\u8bbf\u95ee\u4e92\u8054\u7f51\u3002\u8def\u7531\u5668\u6216\u9632\u706b\u5899\u5c06\u4f7f\u7528SNAT\u5c06\u6e90\u5730\u5740192.168.1.10\u66f4\u6539\u4e3a\u516c\u5171IP\u5730\u5740\uff08\u4f8b\u5982203.0.113.10\uff09\uff0c\u7136\u540e\u5c06\u6570\u636e\u5305\u8f6c\u53d1\u5230\u4e92\u8054\u7f51\u3002<\/li>\n<li><strong>\u4f18\u52bf<\/strong>\uff1a\u53ef\u4ee5\u8282\u7701IPv4\u5730\u5740\u7a7a\u95f4\uff0c\u56e0\u4e3a\u591a\u4e2a\u5185\u90e8\u8bbe\u5907\u53ef\u4ee5\u5171\u4eab\u4e00\u4e2a\u516c\u5171IP\u8fdb\u884c\u4e92\u8054\u7f51\u8bbf\u95ee\u3002<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/typora-images-1307361841.cos.ap-beijing.myqcloud.com\/img\/a4bc44aa71169c5898e6ab2e7acbf60.png\" alt=\"a4bc44aa71169c5898e6ab2e7acbf60\" \/><\/p>\n<p>DNAT\uff08\u76ee\u6807\u7f51\u7edc\u5730\u5740\u8f6c\u6362\uff09<\/p>\n<ul>\n<li><strong>\u5b9a\u4e49<\/strong>\uff1aDNAT \u7528\u4e8e\u66f4\u6539\u6570\u636e\u5305\u7684\u76ee\u6807 IP \u5730\u5740\u3002\u5e38\u5e38\u7528\u5728\u5165\u7ad9\u6d41\u91cf\u4e2d\u3002<\/li>\n<li><strong>\u4f7f\u7528\u573a\u666f<\/strong>\uff1a\u5f53\u9700\u8981\u5c06\u6765\u81ea\u5916\u90e8\u7f51\u7edc\uff08\u4f8b\u5982\u4e92\u8054\u7f51\uff09\u7684\u8bf7\u6c42\u8def\u7531\u5230\u79c1\u6709\u7f51\u7edc\u5185\u7684\u7279\u5b9a\u8bbe\u5907\u65f6\uff0c\u901a\u5e38\u4f7f\u7528 
DNAT\u3002\u8fd9\u901a\u5e38\u7528\u4e8e\u8ba9\u5916\u90e8\u7528\u6237\u8bbf\u95ee\u5185\u90e8\u670d\u52a1\u5668\uff0c\u4f8b\u5982web\u670d\u52a1\u5668\u3001FTP\u670d\u52a1\u5668\u7b49\u3002<\/li>\n<li><strong>\u5de5\u4f5c\u539f\u7406<\/strong>\uff1a\u4f8b\u5982\uff0c\u5047\u8bbe\u6709\u6765\u81ea\u4e92\u8054\u7f51\u7684\u8bf7\u6c42\u76ee\u6807\u662f\u4e00\u4e2a\u516c\u5171IP\u5730\u5740\uff08\u4f8b\u5982203.0.113.10\uff09\u3002\u8def\u7531\u5668\u6216\u9632\u706b\u5899\u4f1a\u4f7f\u7528DNAT\u5c06\u76ee\u6807\u5730\u5740\u66f4\u6539\u4e3a\u79c1\u6709\u7f51\u7edc\u5185\u7684\u7279\u5b9a\u8bbe\u5907\u7684IP\u5730\u5740\uff08\u5982192.168.1.10\uff09\uff0c\u7136\u540e\u5c06\u6570\u636e\u5305\u8f6c\u53d1\u5230\u8be5\u8bbe\u5907\u3002<\/li>\n<li><strong>\u4f18\u52bf<\/strong>\uff1a\u5141\u8bb8\u5916\u90e8\u7528\u6237\u8bbf\u95ee\u79c1\u6709\u7f51\u7edc\u5185\u7684\u670d\u52a1\uff0c\u540c\u65f6\u4fdd\u6301\u5176\u4ed6\u5185\u90e8\u8bbe\u5907\u7684\u9694\u79bb\u548c\u5b89\u5168\u3002<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/typora-images-1307361841.cos.ap-beijing.myqcloud.com\/img\/ff1ad5ab9f668f11ab7f72f96ec4c30.png\" alt=\"ff1ad5ab9f668f11ab7f72f96ec4c30\" \/><\/p>\n<p><strong>\u603b\u7ed3<\/strong>\uff1a<\/p>\n<ul>\n<li>SNAT\u4e3b\u8981\u5173\u5fc3\u201c\u4ece\u54ea\u91cc\u6765\u201d\uff08\u6e90\u5730\u5740\uff09\uff0c\u5b83\u4fee\u6539\u6e90\u5730\u5740\u3002<\/li>\n<li>DNAT\u4e3b\u8981\u5173\u5fc3\u201c\u8981\u53bb\u54ea\u91cc\u201d\uff08\u76ee\u6807\u5730\u5740\uff09\uff0c\u5b83\u4fee\u6539\u76ee\u6807\u5730\u5740\u3002<\/li>\n<\/ul>\n<h3>2.2 \u914d\u7f6e\u57fa\u4e8ekey\u9a8c\u8bc1<\/h3>\n<pre><code class=\"language-bash\"># 1.\u751f\u6210SSH\u5bc6\u94a5\u5bf9\uff1a\n[root@openvpn-server ~]# ssh-keygen\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/root\/.ssh\/id_rsa):\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in \/root\/.ssh\/id_rsa.\nYour public 
key has been saved in \/root\/.ssh\/id_rsa.pub.\nThe key fingerprint is:\nSHA256:xwBkc44wn2WmWiTZgRu5WLj54l7Envw\/xS5Gfi6tOrI root@openvpn-server\nThe key&#039;s randomart image is:\n+---[RSA 2048]----+\n|   .+*B.=        |\n|  . *B.%         |\n|   = +* o        |\n|  +.oo   o       |\n|   .+   S.o      |\n|  .+..  ..o      |\n| . .=  o +       |\n|  ..... * +      |\n| .. Eoo=oB.      |\n+----[SHA256]-----+\n\n# 2.把公钥分发到其他两台机器上（只分发 id_rsa.pub，追加进对方的 authorized_keys）\n# 注意：不要用 rsync -av .ssh 把整个 .ssh 目录复制过去，那样会把私钥 id_rsa 一并放到 web 服务器上，\n# 任何一台 web 服务器被攻破，攻击者就拿到了能登录全部机器的私钥。私钥只应留在生成它的这台机器上。\n[root@openvpn-server ~]# ssh-copy-id -i ~\/.ssh\/id_rsa.pub root@172.30.0.100\n[root@openvpn-server ~]# ssh-copy-id -i ~\/.ssh\/id_rsa.pub root@172.30.0.200\n\n# 3.使用ssh进行验证\n# 先确认确实已经可以免密登录，再去禁用密码登录，否则可能把自己锁在机器外面\n[root@openvpn-server ~]# ssh 172.30.0.100 hostname\nweb01.magedu.org\n# 确认无误后，如果为了安全可以禁用密码登录（三台机器都建议这样配置）\n[root@openvpn-server ~]# vim \/etc\/ssh\/sshd_config\n# 找到下面这一项并改为 no（默认配置中通常已有这一行，修改它而不是再添加一行）\nPasswordAuthentication no\n# 修改 sshd_config 后需要重启 sshd 才会生效\n[root@openvpn-server ~]# systemctl restart sshd<\/code><\/pre>\n<h3>2.3 \u5b89\u88c5openvpn\u548ceasy-rsa<\/h3>\n<pre><code class=\"language-bash\"># \u67e5\u770bopenvpn\u7248\u672c\n[root@openvpn-server ~]# yum list openvpn\nLoaded plugins: fastestmirror\nLoading mirror speeds from cached hostfile\nInstalled Packages\nopenvpn.x86_64                                                                         2.4.12-1.el7                                                                         @epel\n[root@openvpn-server ~]#\n\n# \u5b89\u88c5openvpn\u670d\u52a1\u5668\u7aef\u4ee5\u53ca\u8bc1\u4e66\u7ba1\u7406\u5de5\u5177\n[root@openvpn-server ~]# yum -y install openvpn easy-rsa<\/code><\/pre>\n<h2>3.\u8bc1\u4e66\u7ba1\u7406<\/h2>\n<h3>3.1 \u51c6\u5907\u914d\u7f6e\u6587\u4ef6\u73af\u5883<\/h3>\n<pre><code class=\"language-bash\"># \u67e5\u770b\u5b89\u88c5\u597d\u7684openvpn\u7684\u7248\u672c\n[root@openvpn-server ~]# rpm -qi openvpn\nName        : openvpn\nVersion     : 2.4.12\nRelease     : 1.el7\nArchitecture: x86_64\nInstall Date: Tue 22 Aug 2023 11:36:40 AM CST\nGroup       : 
Unspecified\nSize        : 1286851\nLicense     : GPLv2\nSignature   : RSA\/SHA256, Fri 18 Mar 2022 05:21:26 AM CST, Key ID 6a2faea2352c64e5\nSource RPM  : openvpn-2.4.12-1.el7.src.rpm\nBuild Date  : Fri 18 Mar 2022 02:59:28 AM CST\nBuild Host  : buildvm-x86-10.iad2.fedoraproject.org\nRelocations : (not relocatable)\nPackager    : Fedora Project\nVendor      : Fedora Project\nURL         : https:\/\/community.openvpn.net\/\nBug URL     : https:\/\/bugz.fedoraproject.org\/openvpn\nSummary     : A full-featured SSL VPN solution\nDescription :\nOpenVPN is a robust and highly flexible tunneling application that uses all\nof the encryption, authentication, and certification features of the\nOpenSSL library to securely tunnel IP networks over a single UDP or TCP\nport.  It can use the Marcus Franz Xaver Johannes Oberhumers LZO library\nfor compression.\n[root@openvpn-server ~]#\n\n# \u67e5\u770b\u5b89\u88c5openvpn\u7684\u6587\u4ef6\u5217\u8868\n[root@openvpn-server ~]# rpm -ql openvpn\n\/etc\/openvpn\n\/etc\/openvpn\/client\n\/etc\/openvpn\/server\n\/run\/openvpn-client\n\/run\/openvpn-server\n\/usr\/lib\/systemd\/system\/openvpn-client@.service\n\/usr\/lib\/systemd\/system\/openvpn-server@.service\n\/usr\/lib\/systemd\/system\/openvpn@.service\n\/usr\/lib\/tmpfiles.d\/openvpn.conf\n\/usr\/lib64\/openvpn\n\/usr\/lib64\/openvpn\/plugins\n\/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so\n\/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-down-root.so\n\/usr\/sbin\/openvpn\n\/usr\/share\/doc\/openvpn-2.4.12\n\/usr\/share\/doc\/openvpn-2.4.12\/AUTHORS\n\/usr\/share\/doc\/openvpn-2.4.12\/COPYING\n\/usr\/share\/doc\/openvpn-2.4.12\/COPYRIGHT.GPL\n\/usr\/share\/doc\/openvpn-2.4.12\/ChangeLog\n\/usr\/share\/doc\/openvpn-2.4.12\/Changes.rst\n\/usr\/share\/doc\/openvpn-2.4.12\/README\n\/usr\/share\/doc\/openvpn-2.4.12\/README.auth-pam\n\/usr\/share\/doc\/openvpn-2.4.12\/README.down-root\n\/usr\/share\/doc\/openvpn-2.4.12\/README.systemd\n\/usr\/share\/doc\/openvpn-2.4.12\/con
trib\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/OCSP_check\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/OCSP_check\/OCSP_check.sh\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/README\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/openvpn-fwmarkroute-1.00\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/openvpn-fwmarkroute-1.00\/README\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/openvpn-fwmarkroute-1.00\/fwmarkroute.down\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/openvpn-fwmarkroute-1.00\/fwmarkroute.up\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/pull-resolv-conf\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/pull-resolv-conf\/client.down\n\/usr\/share\/doc\/openvpn-2.4.12\/contrib\/pull-resolv-conf\/client.up\n\/usr\/share\/doc\/openvpn-2.4.12\/management-notes.txt\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/README\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/client.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/firewall.sh\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/home.up\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/loopback-client\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/loopback-server\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/office.up\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/openvpn-shutdown.sh\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/openvpn-startup.sh\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/roadwarrior-client.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/roadwarrior-server.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/server.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/static-home.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/static-office
.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/tls-home.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/tls-office.conf\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/xinetd-client-config\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/xinetd-server-config\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-scripts\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-scripts\/auth-pam.pl\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-scripts\/bridge-start\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-scripts\/bridge-stop\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-scripts\/ucn.pl\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-scripts\/verify-cn\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-windows\n\/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-windows\/sample.ovpn\n\/usr\/share\/man\/man8\/openvpn.8.gz\n\/var\/lib\/openvpn\n\n# \u62f7\u8d1d\u670d\u52a1\u914d\u7f6e\u6a21\u677f\u5230\/etc\/openvpn\uff0c\u751f\u6210\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6\n[root@openvpn-server ~]# cp \/usr\/share\/doc\/openvpn-2.4.12\/sample\/sample-config-files\/server.conf \/etc\/openvpn\/\n[root@openvpn-server ~]# ll \/etc\/openvpn\ntotal 20\ndrwxr-x--- 2 root openvpn  4096 Mar 18  2022 client\ndrwxr-x--- 2 root openvpn  4096 Mar 18  2022 server\n-rw-r--r-- 1 root root    10784 Aug 22 13:53 server.conf\n[root@openvpn-server ~]#\n\n# \u67e5\u770beasy-rsa\u7684\u6587\u4ef6\u5217\u8868\n[root@openvpn-server ~]# rpm -ql 
easy-rsa\n\/usr\/share\/doc\/easy-rsa-3.0.8\n\/usr\/share\/doc\/easy-rsa-3.0.8\/COPYING.md\n\/usr\/share\/doc\/easy-rsa-3.0.8\/ChangeLog\n\/usr\/share\/doc\/easy-rsa-3.0.8\/README.md\n\/usr\/share\/doc\/easy-rsa-3.0.8\/README.quickstart.md\n\/usr\/share\/doc\/easy-rsa-3.0.8\/vars.example\n\/usr\/share\/easy-rsa\n\/usr\/share\/easy-rsa\/3\n\/usr\/share\/easy-rsa\/3.0\n\/usr\/share\/easy-rsa\/3.0.8\n\/usr\/share\/easy-rsa\/3.0.8\/easyrsa\n\/usr\/share\/easy-rsa\/3.0.8\/openssl-easyrsa.cnf\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/COMMON\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/ca\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/client\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/code-signing\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/email\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/kdc\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/server\n\/usr\/share\/easy-rsa\/3.0.8\/x509-types\/serverClient\n\/usr\/share\/licenses\/easy-rsa-3.0.8\n\/usr\/share\/licenses\/easy-rsa-3.0.8\/gpl-2.0.txt\n[root@openvpn-server ~]#\n\n# \u51c6\u5907\u8bc1\u4e66\u7b7e\u53d1\u76f8\u5173\u6587\u4ef6\n[root@openvpn-server ~]# cp -r \/usr\/share\/easy-rsa\/ \/etc\/openvpn\/easy-rsa-server\n\n[root@openvpn-server ~]# ll \/etc\/openvpn\ntotal 24\ndrwxr-x--- 2 root openvpn  4096 Mar 18  2022 client\ndrwxr-xr-x 3 root root     4096 Aug 22 14:01 easy-rsa-server\ndrwxr-x--- 2 root openvpn  4096 Mar 18  2022 server\n-rw-r--r-- 1 root root    10784 Aug 22 13:53 server.conf\n[root@openvpn-server ~]#\n\n# \u51c6\u5907\u7b7e\u53d1\u8bc1\u4e66\u76f8\u5173\u53d8\u91cf\u7684\u914d\u7f6e\u6587\u4ef6\n[root@openvpn-server ~]# cp \/usr\/share\/doc\/easy-rsa-3.0.8\/vars.example \/etc\/openvpn\/easy-rsa-server\/3\/vars\n\n# \u5efa\u8bae\u4fee\u6539\u7ed9CA\u548cOpenVPN\u670d\u52a1\u5668\u9881\u53d1\u7684\u8bc1\u4e66\u7684\u6709\u6548\u671f,\u53ef\u9002\u5f53\u52a0\u957f\n[root@openvpn-server ~]# vim 
\/etc\/openvpn\/easy-rsa-server\/3\/vars\n#CA\u7684\u8bc1\u4e66\u6709\u6548\u671f\u9ed8\u8ba4\u4e3a10\u5e74,\u53ef\u4ee5\u9002\u5f53\u5ef6\u957f,\u6bd4\u5982:36500\u5929\n#set_var EASYRSA_CA_EXPIRE 3650\nset_var EASYRSA_CA_EXPIRE 36500\n\n#\u670d\u52a1\u5668\u8bc1\u4e66\u9ed8\u8ba4\u4e3a825\u5929,\u53ef\u9002\u5f53\u52a0\u957f,\u6bd4\u5982:3650\u5929\n#set_var EASYRSA_CERT_EXPIRE 825\n#\u5c06\u4e0a\u9762\u884c\u4fee\u6539\u4e3a\u4e0b\u9762\nset_var EASYRSA_CERT_EXPIRE 3650<\/code><\/pre>\n<h3>3.2 \u51c6\u5907\u8bc1\u4e66\u76f8\u5173\u6587\u4ef6<\/h3>\n<h4>3.2.1 \u521b\u5efaCA\u673a\u6784<\/h4>\n<pre><code class=\"language-bash\"># \u8fdb\u5165easyrsa\u811a\u672c\u6240\u5728\u7684\u6587\u4ef6\u5939\u5217\u8868\n[root@openvpn-server ~]# cd \/etc\/openvpn\/easy-rsa-server\/3\/\n[root@openvpn-server 3]# ls\neasyrsa  openssl-easyrsa.cnf  vars  x509-types\n[root@openvpn-server 3]#\n\n# \u521d\u59cb\u5316 Public Key Infrastructure (PKI)\u751f\u6210PKI\u76f8\u5173\u76ee\u5f55\u548c\u6587\u4ef6\n[root@openvpn-server 3]# .\/easyrsa init-pki\n\nNote: using Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa-server\/3.0.8\/vars\n\ninit-pki complete; you may now create a CA or requests.\nYour newly created PKI dir is: \/etc\/openvpn\/easy-rsa-server\/3\/pki\n[root@openvpn-server 3]#tree pki\npki\n\u251c\u2500\u2500 openssl-easyrsa.cnf\n\u251c\u2500\u2500 private\n\u251c\u2500\u2500 reqs\n\u2514\u2500\u2500 safessl-easyrsa.cnf\n2 directories, 2 files\n\n# \u521b\u5efaCA\u673a\u6784\n# 注意：nopass 表示不给 CA 私钥设置口令，此时 pki\/private\/ca.key 只靠文件权限保护，谁能读到这个文件谁就能签发被所有客户端信任的证书。\n# 生产环境建议去掉 nopass 为 CA 私钥设置口令，并把 CA 目录与 OpenVPN 服务器分开保管（只有签发或吊销证书时才需要用到 ca.key）。\n[root@openvpn-server 3]# .\/easyrsa build-ca nopass\n\nNote: using Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa-server\/3.0.8\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nGenerating RSA private key, 2048 bit long modulus\n........................................................................+++\n..............................................+++\ne is 65537 (0x10001)\nYou are about to be asked to enter information that will be incorporated\ninto your certificate 
request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter &#039;.&#039;, the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:\n\nCA creation complete and you may now import and sign cert requests.\nYour new CA certificate file for publishing is at:\n\/etc\/openvpn\/easy-rsa-server\/3\/pki\/ca.crt\n\n[root@openvpn-server 3]#\n\n# \u67e5\u770b\u6587\u4ef6\u5217\u8868\n[root@openvpn-server 3]# tree pki -C\npki\n\u251c\u2500\u2500 ca.crt\n\u251c\u2500\u2500 certs_by_serial\n\u251c\u2500\u2500 index.txt\n\u251c\u2500\u2500 index.txt.attr\n\u251c\u2500\u2500 issued\n\u251c\u2500\u2500 openssl-easyrsa.cnf\n\u251c\u2500\u2500 private\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 ca.key\n\u251c\u2500\u2500 renewed\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 certs_by_serial\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 private_by_serial\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 reqs_by_serial\n\u251c\u2500\u2500 reqs\n\u251c\u2500\u2500 revoked\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 certs_by_serial\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 private_by_serial\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 reqs_by_serial\n\u251c\u2500\u2500 safessl-easyrsa.cnf\n\u2514\u2500\u2500 serial\n\n12 directories, 7 files\n[root@openvpn-server 3]#\n\n# \u67e5\u770b\u751f\u6210\u7684CA\u8bc1\u4e66\n[root@openvpn-server 3]# openssl x509 -in pki\/ca.crt -noout -text\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number:\n            bc:21:18:c8:d0:e9:f9:c0\n    Signature Algorithm: sha256WithRSAEncryption\n        Issuer: CN=Easy-RSA CA\n        Validity\n            Not Before: Aug 22 06:42:24 2023 GMT\n            Not After : Jul 29 06:42:24 2123 GMT\n        Subject: CN=Easy-RSA CA\n        Subject Public Key Info:\n            Public Key Algorithm: rsaEncryption\n                Public-Key: (2048 bit)\n 
               Modulus:\n                    00:a6:d4:e2:27:20:15:40:e4:9c:a8:dc:1e:ab:1c:\n                    46:58:0d:50:63:56:8d:a5:98:55:35:30:74:f8:0c:\n                    e8:98:47:de:e0:1e:64:9a:d6:79:05:86:a3:ad:6f:\n                    7f:a9:7c:e5:0e:f5:16:16:3b:73:c0:45:aa:95:d8:\n                    30:ea:2a:26:85:7b:b1:2f:2a:6e:ba:f1:e4:d2:f4:\n                    d6:79:7c:31:b6:aa:17:fb:04:a2:a2:8d:7b:63:13:\n                    99:8d:38:b2:e5:14:6e:30:ed:71:b0:89:c6:05:9e:\n                    0b:80:3c:5c:d1:f2:25:3e:9a:b6:ec:fb:e1:f6:a7:\n                    f7:ac:13:76:44:c4:de:d0:e0:14:04:09:1c:b6:d0:\n                    62:8e:22:73:a1:6c:4f:dc:89:e5:1b:22:92:be:b8:\n                    35:43:d7:83:ab:fd:95:65:c3:f5:9c:18:ee:ce:d1:\n                    0f:fc:b1:b4:70:43:5b:ac:5c:79:5a:9b:cd:02:bf:\n                    d3:f3:0a:b3:78:c3:6c:69:e7:ac:da:d7:91:75:11:\n                    22:c8:ae:17:d3:96:4c:d1:27:c5:b5:3e:a4:18:65:\n                    e0:3e:69:e8:a2:9a:f4:03:7d:9f:5c:62:c0:c5:d8:\n                    d4:e5:6f:1c:bb:a4:8c:89:f5:91:44:03:c3:15:9d:\n                    79:8f:04:3a:79:03:30:bc:43:4e:d8:56:9d:96:86:\n                    8a:f5\n                Exponent: 65537 (0x10001)\n        X509v3 extensions:\n            X509v3 Subject Key Identifier:\n                2D:77:F9:F5:B0:DD:E2:0E:4E:51:A7:CD:7F:83:26:FC:FA:53:C4:1E\n            X509v3 Authority Key Identifier:\n                keyid:2D:77:F9:F5:B0:DD:E2:0E:4E:51:A7:CD:7F:83:26:FC:FA:53:C4:1E\n                DirName:\/CN=Easy-RSA CA\n                serial:BC:21:18:C8:D0:E9:F9:C0\n\n            X509v3 Basic Constraints:\n                CA:TRUE\n            X509v3 Key Usage:\n                Certificate Sign, CRL Sign\n    Signature Algorithm: sha256WithRSAEncryption\n         23:00:ff:38:24:f8:e2:09:4a:cd:58:ff:ab:08:73:51:60:bb:\n         7f:92:67:bc:d0:31:a7:ca:95:1a:fd:a9:45:91:4f:3d:e9:58:\n         a9:50:53:8f:49:c4:82:c0:59:d5:a6:ab:95:07:ec:d2:85:f3:\n         
bd:18:e8:32:8f:11:f0:c4:2d:41:0b:1d:8c:67:72:8b:c8:32:\n         6a:e2:81:2a:0d:9e:0f:4c:21:f0:35:0f:dd:18:b0:4f:13:d9:\n         12:26:f1:2e:f1:e1:0a:d0:a5:a1:18:ce:e0:2b:19:a9:07:43:\n         00:dd:d8:3b:42:9d:6f:53:79:b1:2a:c0:58:ca:ab:9c:e7:c3:\n         70:56:24:ee:da:3a:1d:77:6c:e1:f4:95:ba:72:91:ee:6b:68:\n         31:d1:ac:7f:85:47:23:bb:49:6b:35:29:d2:78:01:73:59:75:\n         20:5e:15:31:5a:dd:c4:73:18:f1:98:85:b8:34:70:ce:ba:dc:\n         4c:0a:d1:0d:9b:f0:ca:57:5a:ce:0a:ea:24:0d:7b:a3:eb:8d:\n         28:bf:07:43:e3:dc:83:ee:0a:cb:0f:49:9d:1b:26:27:0d:cb:\n         f9:33:85:9f:3b:b7:c4:fe:6d:3a:73:3d:69:86:72:ed:f6:1c:\n         d8:61:97:9f:44:81:ac:f1:bb:25:02:d5:00:aa:a8:76:d3:ae:\n         37:6c:11:47\n[root@openvpn-server 3]#<\/code><\/pre>\n<h4>3.2.1 \u4e3aopenvpn\u670d\u52a1\u5668\u9881\u53d1\u8bc1\u4e66<\/h4>\n<pre><code class=\"language-bash\">#\u521b\u5efa\u670d\u52a1\u5668\u8bc1\u4e66\u7533\u8bf7\u6587\u4ef6\uff0c\u5176\u4e2dserver\u662f\u6587\u4ef6\u524d\u7f00\n[root@openvpn-server 3]# .\/easyrsa gen-req server nopass\n\nNote: using Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa-server\/3.0.8\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nGenerating a 2048 bit RSA private key\n...........+++\n............................................................................................+++\nwriting new private key to &#039;\/etc\/openvpn\/easy-rsa-server\/3\/pki\/easy-rsa-1684.jLW8wL\/tmp.nqY7jU&#039;\n-----\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter &#039;.&#039;, the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [server]:openvpn\n\nKeypair and certificate request completed. 
Your files are:\nreq: \/etc\/openvpn\/easy-rsa-server\/3\/pki\/reqs\/server.req\nkey: \/etc\/openvpn\/easy-rsa-server\/3\/pki\/private\/server.key\n\n[root@openvpn-server 3]#\n\n# [root@openvpn-server 3]# tree pki\/ -C\npki\/            #\u516c\u94a5\u57fa\u7840\u8bbe\u65bd\u7684\u4e3b\u76ee\u5f55\uff0c\u5176\u4e2d\u5305\u542b\u6240\u6709\u7684\u8bc1\u4e66\u3001\u5bc6\u94a5\u3001\u548c\u5176\u4ed6\u76f8\u5173\u6587\u4ef6\u3002\n\u251c\u2500\u2500 ca.crt      #\u8bc1\u4e66\u9881\u53d1\u673a\u6784\uff08CA\uff09\u7684\u516c\u5171\u8bc1\u4e66\u3002\u5b83\u7528\u4e8e\u9a8c\u8bc1\u6765\u81ea\u8be5CA\u7b7e\u7f72\u7684\u4efb\u4f55\u5176\u4ed6\u8bc1\u4e66\u3002\n\u251c\u2500\u2500 certs_by_serial #\u4e00\u4e2a\u76ee\u5f55\uff0c\u5176\u4e2d\u5305\u542b\u7531\u5e8f\u5217\u53f7\u7d22\u5f15\u7684\u8bc1\u4e66\u94fe\u63a5\u3002\u5b83\u4f7f\u5f97\u66f4\u5bb9\u6613\u5730\u627e\u5230\u7ed9\u5b9a\u5e8f\u5217\u53f7\u7684\u8bc1\u4e66\u3002\n\u251c\u2500\u2500 index.txt   #\u4e00\u4e2a\u6570\u636e\u5e93\u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542bCA\u7b7e\u53d1\u7684\u6240\u6709\u8bc1\u4e66\u7684\u72b6\u6001\u4fe1\u606f\u3002\n\u251c\u2500\u2500 index.txt.attr  #\u4e0eindex.txt\u6587\u4ef6\u76f8\u5173\u7684\u5c5e\u6027\u6587\u4ef6\u3002\n\u251c\u2500\u2500 issued      #\u4e00\u4e2a\u76ee\u5f55\uff0c\u5176\u4e2d\u5305\u542bCA\u7b7e\u53d1\u7684\u6240\u6709\u8bc1\u4e66\u3002\n\u251c\u2500\u2500 openssl-easyrsa.cnf #OpenVPN\u548ceasy-rsa\u7684OpenSSL\u914d\u7f6e\u6587\u4ef6\u3002\n\u251c\u2500\u2500 private #\u4e00\u4e2a\u76ee\u5f55\uff0c\u5176\u4e2d\u5305\u542b\u79c1\u94a5\u3002\u4e0d\u5e94\u4e0e\u5176\u4ed6\u4eba\u5206\u4eab\u8fd9\u4e9b\u5bc6\u94a5\u3002\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 ca.key  #\u8bc1\u4e66\u9881\u53d1\u673a\u6784\uff08CA\uff09\u7684\u79c1\u94a5\u3002\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 server.key  #OpenVPN\u670d\u52a1\u5668\u7684\u79c1\u94a5\u3002\n\u251c\u2500\u2500 renewed 
#\u4e00\u4e2a\u76ee\u5f55\uff0c\u5176\u4e2d\u5305\u542b\u7eed\u7b7e\u7684\u8bc1\u4e66\u548c\u5bc6\u94a5\u7684\u76f8\u5173\u6570\u636e\u3002\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 certs_by_serial\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 private_by_serial\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 reqs_by_serial\n\u251c\u2500\u2500 reqs    # \u4e00\u4e2a\u76ee\u5f55\uff0c\u5176\u4e2d\u5305\u542b\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42\uff08CSR\uff09\u6587\u4ef6\u3002\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 server.req  #OpenVPN\u670d\u52a1\u5668\u7684\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42\u3002\n\u251c\u2500\u2500 revoked #\u4e00\u4e2a\u76ee\u5f55\uff0c\u5176\u4e2d\u5305\u542b\u88ab\u64a4\u9500\u7684\u8bc1\u4e66\u548c\u5bc6\u94a5\u7684\u76f8\u5173\u6570\u636e\u3002\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 certs_by_serial\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 private_by_serial\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 reqs_by_serial\n\u251c\u2500\u2500 safessl-easyrsa.cnf #\u53e6\u4e00\u4e2aOpenSSL\u914d\u7f6e\u6587\u4ef6\uff0c\u53ef\u80fd\u662f\u9488\u5bf9\u66f4\u5b89\u5168\u7684\u914d\u7f6e\u6216\u7279\u5b9a\u7684\u64cd\u4f5c\u3002\n\u2514\u2500\u2500 serial  #\u4e00\u4e2a\u6587\u4ef6\uff0c\u5b83\u5305\u542b\u4e0b\u4e00\u4e2a\u8bc1\u4e66\u7684\u5e8f\u5217\u53f7\u3002\n\n12 directories, 9 files\n[root@openvpn-server 3]#\n\n#\u5c06\u4e0a\u9762server.req\u7684\u7533\u8bf7,\u9881\u53d1server\u7c7b\u578b\u7684\u8bc1\u4e66\n[root@openvpn-server 3]# .\/easyrsa sign-req server server\n\nNote: using Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa-server\/3.0.8\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\n\nYou are about to sign the following certificate.\nPlease check over the details shown below for accuracy. Note that this request\nhas not been cryptographically verified. 
Please be sure it came from a trusted\nsource or that you have verified the request checksum with the sender.\n\nRequest subject, to be signed as a server certificate for 3650 days:\n\nsubject=\n    commonName                = openvpn\n\nType the word &#039;yes&#039; to continue, or any other input to abort.\n  Confirm request details: yes #\u8f93\u5165yes\nUsing configuration from \/etc\/openvpn\/easy-rsa-server\/3\/pki\/easy-rsa-1886.heaNji\/tmp.kGW5CF\nCheck that the request matches the signature\nSignature ok\nThe Subject&#039;s Distinguished Name is as follows\ncommonName            :ASN.1 12:&#039;openvpn&#039;\nCertificate is to be certified until Aug 19 07:13:37 2033 GMT (3650 days)\n\nWrite out database with 1 new entries\nData Base Updated\n\nCertificate created at: \/etc\/openvpn\/easy-rsa-server\/3\/pki\/issued\/server.crt\n\n[root@openvpn-server 3]#\n\n# \u521b\u5efa Diffie-Hellman \u5bc6\u94a5\n[root@openvpn-server 3]# .\/easyrsa gen-dh\n\nNote: using Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa-server\/3.0.8\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nGenerating DH parameters, 2048 bit long safe prime, generator 2\nThis is going to take a long 
time\n...............................................................................................................+......................................................................................................+.+......................................................................................................................................................................................................................................................................................................................................................................................+..........................................................................................................................................+................................................................................................++*++*\n\nDH parameters of size 2048 created at \/etc\/openvpn\/easy-rsa-server\/3\/pki\/dh.pem\n\n[root@openvpn-server 3]#\n<\/code><\/pre>\n<h4>3.2.2 \u4e3a\u5ba2\u6237\u7aef\u9881\u53d1\u8bc1\u4e66<\/h4>\n<pre><code class=\"language-bash\"># \u91cd\u65b0\u62f7\u8d1d\u4e00\u4efd\u5145\u5f53\u5ba2\u6237\u7aef\u73af\u5883\n[root@openvpn-server openvpn]# cp -r \/usr\/share\/easy-rsa \/etc\/openvpn\/easy-rsa-client\/\n[root@openvpn-server openvpn]# cd \/etc\/openvpn\/easy-rsa-client\/3\n\n# \u751f\u6210\u8bc1\u4e66\u7533\u8bf7\u6240\u9700\u76ee\u5f55pki\u548c\u6587\u4ef6\n[root@openvpn-server 3]# .\/easyrsa init-pki\n\n# \u751f\u6210\u5ba2\u6237\u7aef\u7528\u6237\u7684\u8bc1\u4e66\u7533\u8bf7\n[root@openvpn-server 3]# .\/easyrsa gen-req xingyuyu nopass\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\nGenerating a 2048 bit RSA private key\n...........................................................................................................+++\n.....................................+++\nwriting new private key to &#039;\/etc\/openvpn\/easy-rsa-client\/3\/pki\/easy-rsa-2122.AZW6ty\/tmp.j15lap&#039;\n-----\nYou are about to be asked to enter 
information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter &#039;.&#039;, the field will be left blank.\n-----\nCommon Name (eg: your user, host, or server name) [xingyuyu]: #\u76f4\u63a5\u56de\u8f66\n\nKeypair and certificate request completed. Your files are:\nreq: \/etc\/openvpn\/easy-rsa-client\/3\/pki\/reqs\/xingyuyu.req   #\u8bc1\u4e66\u7533\u8bf7\u6587\u4ef6\nkey: \/etc\/openvpn\/easy-rsa-client\/3\/pki\/private\/xingyuyu.key #\u79c1\u94a5\u6587\u4ef6\n\n[root@openvpn-server 3]# tree -C\n.\n\u251c\u2500\u2500 easyrsa\n\u251c\u2500\u2500 openssl-easyrsa.cnf\n\u251c\u2500\u2500 pki\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 openssl-easyrsa.cnf\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 private\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 xingyuyu.key    #\u79c1\u94a5\u6587\u4ef6\n\u2502\u00a0\u00a0 \u251c\u2500\u2500 reqs\n\u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 xingyuyu.req    #\u8bc1\u4e66\u7533\u8bf7\u6587\u4ef6\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 safessl-easyrsa.cnf\n\u2514\u2500\u2500 x509-types\n    \u251c\u2500\u2500 ca\n    \u251c\u2500\u2500 client\n    \u251c\u2500\u2500 code-signing\n    \u251c\u2500\u2500 COMMON\n    \u251c\u2500\u2500 email\n    \u251c\u2500\u2500 kdc\n    \u251c\u2500\u2500 server\n    \u2514\u2500\u2500 serverClient\n\n4 directories, 14 files\n[root@openvpn-server 3]#\n\n# \u56de\u5230CA\u7684\u76f8\u5173\u76ee\u5f55\uff0c\u4e3a\u5ba2\u6237\u7aef\u9881\u53d1\u8bc1\u4e66\n[root@openvpn-server 3]#cd \/etc\/openvpn\/easy-rsa-server\/3\n# 
\u5c06\u5ba2\u6237\u7aef\u7528\u6237\u7684\u7533\u8bf7\u6587\u4ef6\u5bfc\u5165\u5230CA\u7684\u7533\u8bf7\u76ee\u5f55\u91cc\u9762\uff0c\u8bf4\u767d\u4e86\u5c31\u662fcopy\u6587\u4ef6\u7684\u8fc7\u7a0b\uff0c\u5f97\u52a0\u4e0a\u524d\u7f00\u90a2\u5b87\u5b87\n[root@openvpn-server 3]# .\/easyrsa import-req \/etc\/openvpn\/easy-rsa-client\/3\/pki\/reqs\/xingyuyu.req xingyuyu\n\nNote: using Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa-server\/3.0.8\/vars\nUsing SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017\n\nEasy-RSA error:\n\nUnable to import: incorrect command syntax.\nRun easyrsa without commands for usage and command help.\n\n[root@openvpn-server 3]#\n\n# \u4fee\u6539\u914d\u7f6e\u6587\u4ef6,\u521a\u624d\u662f\u4e3aserver\u9881\u53d1\u8bc1\u4e66\u8bbe\u7f6e\u7684\u662f10\u5e74\uff0c\u4f46\u662f\u73b0\u5728\u4e3a\u5ba2\u6237\u7aef\u9881\u53d1\u8bc1\u4e66\u4e0d\u80fd\u8bbe\u7f6e\u90a3\u4e48\u957f\u7684\u65f6\u95f4\uff0c\u6240\u4ee5\u9700\u8981\u4fee\u6539\n[root@openvpn-server 3]# vim vars\nset_var EASYRSA_CERT_EXPIRE     180\n\n# \u7b7e\u53d1\u8bc1\u4e66\n[root@openvpn-server 3]# .\/easyrsa sign-req client xingyuyu\n\n# \u5c06CA\u548c\u670d\u52a1\u5668\u8bc1\u4e66\u76f8\u5173\u6587\u4ef6\u590d\u5236\u5230\u670d\u52a1\u5668\u76f8\u5e94\u7684\u76ee\u5f55\n[root@openvpn-server 3]# mkdir \/etc\/openvpn\/certs\n[root@openvpn-server 3]# cp \/etc\/openvpn\/easy-rsa-server\/3\/pki\/{ca.crt,dh.pem} \/etc\/openvpn\/certs\/\n[root@openvpn-server 3]# cp \/etc\/openvpn\/easy-rsa-server\/3\/pki\/issued\/server.crt \/etc\/openvpn\/certs\/\n[root@openvpn-server 3]# cp \/etc\/openvpn\/easy-rsa-server\/3\/pki\/private\/server.key \/etc\/openvpn\/certs\n\n# \u5c06\u5ba2\u6237\u7aef\u7528\u6237\u6240\u9700\u8981\u7684\u76f8\u5173\u6587\u4ef6\u653e\u5230\u76f8\u5e94\u7684\u76ee\u5f55\n[root@openvpn-server 3]# mkdir \/etc\/openvpn\/client\/xingyuyu\/\n[root@openvpn-server 3]# find \/etc\/openvpn\/ \\( -name &quot;xingyuyu.key&quot; -o -name &quot;xingyuyu.crt&quot; -o -name ca.crt 
\\) -exec cp {} \/etc\/openvpn\/client\/xingyuyu\/ \\;\n# find \/etc\/openvpn\/: find \u662f\u4e00\u4e2a\u5728\u76ee\u5f55\u7ed3\u6784\u4e2d\u641c\u7d22\u6587\u4ef6\u7684\u547d\u4ee4\u3002\/etc\/openvpn\/ \u662f\u8981\u5f00\u59cb\u641c\u7d22\u7684\u76ee\u5f55\u3002\n\u2212name&quot;xingyuyu.key&quot;\u2212o\u2212name&quot;xingyuyu.crt&quot;\u2212o\u2212nameca.crt: \u8fd9\u662f\u4e00\u4e2a\u590d\u6742\u7684\u8868\u8fbe\u5f0f\uff0c\u7528\u4e8e\u5339\u914d\u4e09\u79cd\u6587\u4ef6\u540d\u3002\n\n-name &quot;xingyuyu.key&quot;: \u5339\u914d\u540d\u4e3a &quot;xingyuyu.key&quot; \u7684\u6587\u4ef6\u3002\n-o: \u903b\u8f91 OR \u64cd\u4f5c\u7b26\uff0c\u8868\u793a\u6ee1\u8db3\u4efb\u4f55\u4e00\u4e2a\u6761\u4ef6\u7684\u6587\u4ef6\u90fd\u5c06\u88ab\u9009\u4e2d\u3002\n-name &quot;xingyuyu.crt&quot;: \u5339\u914d\u540d\u4e3a &quot;xingyuyu.crt&quot; \u7684\u6587\u4ef6\u3002\n-name ca.crt: \u5339\u914d\u540d\u4e3a &quot;ca.crt&quot; \u7684\u6587\u4ef6\u3002\n\u6574\u4e2a\u8868\u8fbe\u5f0f\u7684\u610f\u601d\u662f\uff1a\u627e\u5230\u4efb\u4f55\u540d\u79f0\u4e3a &quot;xingyuyu.key&quot;\u3001&quot;xingyuyu.crt&quot; \u6216 &quot;ca.crt&quot; \u7684\u6587\u4ef6\u3002\n\n-exec cp {} \/etc\/openvpn\/client\/xingyuyu\/ ;: \u5f53 find \u547d\u4ee4\u627e\u5230\u7b26\u5408\u6761\u4ef6\u7684\u6587\u4ef6\u65f6\uff0c\u5b83\u4f1a\u5bf9\u6bcf\u4e2a\u6587\u4ef6\u6267\u884c\u6307\u5b9a\u7684\u64cd\u4f5c\u3002\n\n-exec: \u8868\u793a\u8981\u5bf9\u627e\u5230\u7684\u6587\u4ef6\u6267\u884c\u4e00\u4e2a\u64cd\u4f5c\u3002\ncp {} \/etc\/openvpn\/client\/xingyuyu\/: \u662f\u8981\u6267\u884c\u7684\u64cd\u4f5c\u3002\u5176\u4e2d {} \u662f\u4e00\u4e2a\u5360\u4f4d\u7b26\uff0c\u4ee3\u8868 find \u547d\u4ee4\u627e\u5230\u7684\u6587\u4ef6\u3002\u6240\u4ee5\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u7684\u610f\u601d\u662f\u5c06\u627e\u5230\u7684\u6587\u4ef6\u590d\u5236\u5230 \/etc\/openvpn\/client\/xingyuyu\/ \u76ee\u5f55\u3002\n;: \u8868\u793a -exec \u64cd\u4f5c\u7684\u7ed3\u675f\u3002\\\u662f\u8f6c\u4e49<\/code><\/pre>\n<h2>4. 
\u51c6\u5907 OpenVPN \u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6<\/h2>\n<pre><code class=\"language-bash\"># \u5199\u5165\u914d\u7f6e\u6587\u4ef6\n[root@openvpn-server openvpn]# vim \/etc\/openvpn\/server.conf\nport 1194\nproto tcp\ndev tun\nca \/etc\/openvpn\/certs\/ca.crt\ncert \/etc\/openvpn\/certs\/server.crt\nkey \/etc\/openvpn\/certs\/server.key # This file should be kept secret\ndh \/etc\/openvpn\/certs\/dh.pem\nserver 10.8.0.0 255.255.255.0\npush &quot;route 172.30.0.0 255.255.255.0&quot;\nkeepalive 10 120\ncipher AES-256-CBC\ncompress lz4-v2\npush &quot;compress lz4-v2&quot;\nmax-clients 2048\nuser openvpn\ngroup openvpn\nstatus \/var\/log\/openvpn\/openvpn-status.log\nlog-append \/var\/log\/openvpn\/openvpn.log\nverb 3\nmute 20\n[root@openvpn-server openvpn]#\n\n#\u521b\u5efa\u65e5\u5fd7\u6240\u5728\u6587\u4ef6\u5939\n[root@openvpn-server openvpn]# mkdir \/var\/log\/openvpn\n[root@openvpn-server openvpn]# chown openvpn.openvpn \/var\/log\/openvpn\/\n\n# \u5f00\u542f\u7f51\u5361\u8f6c\u53d1\u529f\u80fd\n[root@openvpn-server openvpn]# echo net.ipv4.ip_forward =1 &gt;&gt; \/etc\/sysctl.conf\n[root@openvpn-server openvpn]# sysctl -p\n\n# \u4f7f\u7528openvpn,\u5f00\u542f\u96a7\u9053\u9ed8\u8ba4\u7684\u7f51\u6bb5\u5c31\u662f\u914d\u7f6e\u6587\u4ef6\u91cc\u9762\u914d\u7f6e\u7684\u7f51\u6bb5\uff0c\u7136\u540e\u901a\u8fc7iptables\u914d\u7f6e\u4ee5\u540e\u5c06\u8fd9\u4e2a\u7f51\u6bb5\u7684\u5730\u5740\u6307\u5411\u5185\u7f51\u5730\u5740\n[root@openvpn-server openvpn]# echo &quot;iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j MASQUERADE&quot; &gt;&gt; \/etc\/rc.d\/rc.local\n[root@openvpn-server openvpn]# chmod +x \/etc\/rc.d\/rc.local\n[root@openvpn-server openvpn]# \/etc\/rc.d\/rc.local\n[root@openvpn-server openvpn]# iptables -vnL -t nat\nChain PREROUTING (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination\n\nChain INPUT (policy ACCEPT 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out  
   source               destination\n\nChain OUTPUT (policy ACCEPT 1 packets, 76 bytes)\n pkts bytes target     prot opt in     out     source               destination\n\nChain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 MASQUERADE  all  --  *      *       10.8.0.0\/24          0.0.0.0\/0\n[root@openvpn-server openvpn]#\n<\/code><\/pre>\n<h3>4.1 \u542f\u52a8OpenVpn<\/h3>\n<pre><code class=\"language-bash\"># \u8fd9\u4e2a\u6587\u4ef6\u9ed8\u8ba4Centos8\u6ca1\u6709\uff0c\u9700\u8981\u4eceCentOS7\u4e0a\u62f7\u8d1d\n[root@openvpn-server openvpn]# vim \/usr\/lib\/systemd\/system\/openvpn@.service\n[root@openvpn-server openvpn]# ll \/usr\/sbin\/openvpn\n-rwxr-xr-x 1 root root 787232 Mar 18  2022 \/usr\/sbin\/openvpn\n[root@openvpn-server openvpn]#\n\n# \u542f\u52a8\n[root@openvpn-server openvpn]# systemctl daemon-reload\n[root@openvpn-server openvpn]# systemctl enable --now openvpn@server\nCreated symlink from \/etc\/systemd\/system\/multi-user.target.wants\/openvpn@server.service to \/usr\/lib\/systemd\/system\/openvpn@.service.\n[root@openvpn-server openvpn]#\n\n#\u67e5\u770b\u7f51\u5361\n[root@openvpn-server openvpn]# ip a\n1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n    inet6 ::1\/128 scope host\n       valid_lft forever preferred_lft forever\n2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000\n    link\/ether 00:16:3e:04:4a:08 brd ff:ff:ff:ff:ff:ff\n    inet 172.30.0.1\/24 brd 172.30.0.255 scope global dynamic eth0\n       valid_lft 315348175sec preferred_lft 315348175sec\n    inet6 fe80::216:3eff:fe04:4a08\/64 scope link\n       valid_lft forever preferred_lft forever\n3: tun0: 
&lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100\n    link\/none\n    inet 10.8.0.1 peer 10.8.0.2\/32 scope global tun0\n       valid_lft forever preferred_lft forever\n    inet6 fe80::ea53:4d53:6150:51d6\/64 scope link flags 800\n       valid_lft forever preferred_lft forever\n[root@openvpn-server openvpn]#\n#\u591a\u4e86\u4e00\u4e2atun0\u7684\u865a\u62df\u7f51\u5361\uff0c\u5e76\u4e14\u5730\u5740\u662f10.8.0.1<\/code><\/pre>\n<h2>5.\u51c6\u5907 OpenVPN \u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6<\/h2>\n<pre><code class=\"language-bash\">#\u521b\u5efa\u5ba2\u6237\u7aef\u7684\u914d\u7f6e\u6587\u4ef6\n[root@openvpn-server openvpn]# vim \/etc\/openvpn\/client\/xingyuyu\/client.ovpn\nclient\ndev tun\nproto tcp\nremote 39.100.98.155 1194\nresolv-retry infinite\nnobind\n#persist-key\n#persist-tun\nca ca.crt\ncert xingyuyu.crt\nkey xingyuyu.key\nremote-cert-tls server\n#tls-auth ta.key 1\ncipher AES-256-CBC\nverb 3\ncompress lz4-v2\n\n[root@openvpn-server openvpn]# tree \/etc\/openvpn\/client\/xingyuyu\/\n\/etc\/openvpn\/client\/xingyuyu\/\n\u251c\u2500\u2500 ca.crt\n\u251c\u2500\u2500 client.ovpn\n\u251c\u2500\u2500 xingyuyu.crt\n\u2514\u2500\u2500 xingyuyu.key\n\n0 directories, 4 files\n[root@openvpn-server openvpn]#\n\n#\u6253\u5305\u5ba2\u6237\u7aef\u7528\u6237\u6240\u9700\u7684\u6587\u4ef6\uff0c\u8fd9\u4e9b\u6587\u4ef6\u9700\u8981\u5bfc\u5165\u5230windows\u4e2d\u7684openvpn\u8def\u5f84\u4e0b\u624d\u80fd\u4f7f\u7528\n[root@openvpn-server ~]# cd \/etc\/openvpn\/client\/xingyuyu\/\n[root@openvpn-server ~]# tar cf \/root\/xingyuyu.tar .\/\n#\u5c06\u5b89\u88c5\u5305\u89e3\u538b\uff0c\u7136\u540e\u653e\u5230C:\\Program Files\\OpenVPN\\config,\u5c31\u53ef\u4ee5\u4f7f\u7528\u4e86\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>OpenVpn\u642d\u5efa 1.\u524d\u63d0\u6761\u4ef6 
\u5728\u963f\u91cc\u4e91\u8d2d\u4e70\u4e09\u53f0\u670d\u52a1\u5668\uff0c\u5176\u4e2d\u6709\u4e00\u53f0\u670d\u52a1\u5668\u5fc5\u987b\u6709\u4e00\u4e2a\u516c\u7f51ip 2.\u642d [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[61],"views":247,"_links":{"self":[{"href":"http:\/\/8.141.4.74\/index.php?rest_route=\/wp\/v2\/posts\/379"}],"collection":[{"href":"http:\/\/8.141.4.74\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/8.141.4.74\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/8.141.4.74\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/8.141.4.74\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=379"}],"version-history":[{"count":2,"href":"http:\/\/8.141.4.74\/index.php?rest_route=\/wp\/v2\/posts\/379\/revisions"}],"predecessor-version":[{"id":479,"href":"http:\/\/8.141.4.74\/index.php?rest_route=\/wp\/v2\/posts\/379\/revisions\/479"}],"wp:attachment":[{"href":"http:\/\/8.141.4.74\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/8.141.4.74\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=379"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/8.141.4.74\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}