OpenVPN Deployment

I. Server installation

1. Install OpenVPN

Install the EPEL repository

yum install -y epel-release

Install easy-rsa

yum install -y easy-rsa
yum list installed easy-rsa

Install the OpenVPN server

yum install -y openvpn
yum list installed openvpn

Note: after installation, the user openvpn and the group openvpn are created automatically.
If online installation is not possible, install from the offline RPM file:

yum localinstall openvpn-2.4.12-1.el7.x86_64.rpm

2. Configure Easy-RSA 3.0

Create an easy-rsa directory under /etc/openvpn and copy the relevant files into it

mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars

3. Create the OpenVPN keys and certificates

The following need to be created: the CA, the server certificate and key, the client certificate and key, the DH parameters, the CRL and the TLS-auth key. (Because clients log in with a username and password, the client certificate and key are optional.)

cd /etc/openvpn/easy-rsa/

(1) CA certificate (/etc/openvpn/easy-rsa/pki/ca.crt)

Before creating the server and client keys, initialise the PKI directory

[root@localhost easy-rsa]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Create ca.crt; at the Common Name prompt you can simply press Enter

[root@localhost easy-rsa]# ./easyrsa build-ca nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
......................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

(2) Server key and certificate (/etc/openvpn/easy-rsa/pki/issued/server1.crt)

Create the server key, named server1.key. The nopass option means no passphrase is set on the key. At the Common Name prompt you can simply press Enter.

[root@localhost easy-rsa]# ./easyrsa gen-req server1 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
.......+++
........................................................................................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-10402.FrivCO/tmp.civyls'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server1]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server1.req
key: /etc/openvpn/easy-rsa/pki/private/server1.key

Sign the server1 request with the CA; type yes at the Confirm request details prompt to continue.

[root@localhost easy-rsa]# ./easyrsa sign-req server server1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server1


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-10429.IEMQRt/tmp.GowRIQ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server1'
Certificate is to be certified until Feb 25 06:31:46 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server1.crt

(3) Client key and certificate (/etc/openvpn/easy-rsa/pki/issued/client1.crt)

Create the client key, named client1.key; at the Common Name prompt you can simply press Enter

[root@localhost easy-rsa]# ./easyrsa gen-req client1 nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
............+++
......................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-10502.op71Ww/tmp.1gn6TV'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/client1.req
key: /etc/openvpn/easy-rsa/pki/private/client1.key

Sign the client1 request with the CA; type yes at the Confirm request details prompt to continue

[root@localhost easy-rsa]# ./easyrsa sign-req client client1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = client1


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-10529.5MUC5D/tmp.IlTObJ
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client1'
Certificate is to be certified until Feb 25 06:33:01 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/client1.crt

(4) DH parameters

Generate 2048-bit DH parameters according to the vars file created earlier

[root@localhost easy-rsa]# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....................................+.....................................+....................................+.............................................................................+.........................................................................................................................................................................................................................................................................+..............................................................................................................................................................................................................+...........................................+................................................................................+...................+................+....................+......................+.........................................................................................................................................................................................................................................................................................+.....................+....+.....................................................+...........+.......+..........+...............+.............................................................................+............................................................+...............................................................+......+...............+....................................................+............................................................................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

(5) TLS-auth key

Create the TLS-auth key

openvpn --genkey --secret /etc/openvpn/easy-rsa/ta.key

(6) CRL (/etc/openvpn/easy-rsa/pki/crl.pem)

The CRL (certificate revocation list) is used to revoke client certificates. If the server has several client certificates and one of them is to be withdrawn, revoke it with ./easyrsa revoke NAME (and regenerate the CRL afterwards so the file reflects the revocation).
Generate the CRL

[root@localhost easy-rsa]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-10595.u0arNx/tmp.8GnEvO

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

4. Copy the certificate files

Copy the CA certificate, ta.key and the server certificate and key into /etc/openvpn/server

cp -p pki/ca.crt /etc/openvpn/server
cp -p pki/issued/server1.crt /etc/openvpn/server
cp -p pki/private/server1.key /etc/openvpn/server
cp -p ta.key /etc/openvpn/server

Copy the CA certificate, ta.key and the client certificate and key into /etc/openvpn/client

cp -p pki/ca.crt /etc/openvpn/client/
cp -p pki/issued/client1.crt /etc/openvpn/client/
cp -p pki/private/client1.key /etc/openvpn/client/
cp -p ta.key /etc/openvpn/client/

Copy dh.pem and crl.pem into /etc/openvpn/server (the commands below target the server directory, which is where server.conf reads dh.pem from)

cp pki/dh.pem /etc/openvpn/server
cp pki/crl.pem /etc/openvpn/server

5. Create the OpenVPN configuration file

Copy the template into the main configuration directory

cp -p /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/server

Back up the configuration file and strip the comment and blank lines (the bracket expression keeps only lines that do not start with # or ;)

cd /etc/openvpn/server/
cp server.conf server.conf.bak
grep '^[^#;]' server.conf.bak > server.conf

Edit the configuration file /etc/openvpn/server/server.conf

local x.x.x.x
port 1194
# transport data over UDP
proto udp
# use a tun (layer-3) tunnel; the interface is tun0
dev tun0
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user openvpn
group openvpn
max-clients 100
# after a keepalive timeout the VPN restarts without re-reading the keys; the keys loaded at startup are kept
persist-key
# after a timeout the VPN restarts while keeping tun up; otherwise the interface would go down and then come back up
persist-tun
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status-server.log
verb 3
# when the server restarts, tell clients to reconnect. UDP mode only: in TCP mode reconnection works without it, and enabling it in TCP mode prevents the openvpn service from starting
explicit-exit-notify 1

6. Configure username/password login

Create the user management directory

mkdir -p /etc/openvpn/server/user

Append the following to the end of the main configuration file /etc/openvpn/server/server.conf:

# username/password authentication
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
username-as-common-name
# disable client certificate verification
verify-client-cert none
# level at which external scripts may run
script-security 3

The script-security level must be set, otherwise checkpsw.sh fails to run. The lower the script-security level, the stricter the restrictions; the higher, the more permissive.
0 - never call external programs
1 - (default) only call built-in executables such as ifconfig and ip
2 - allow built-in executables and user-defined scripts
3 - allow passwords to be passed to scripts through environment variables (potentially insecure)

Create the checkpsw.sh file

mkdir /etc/openvpn/server/user
touch /etc/openvpn/server/user/checkpsw.sh

Edit the file /etc/openvpn/server/user/checkpsw.sh

#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN runs it with "auth-user-pass-verify ... via-env", so the
# credentials arrive in the environment variables username and password.

PASSFILE="/etc/openvpn/server/user/psw-file" # username/password file
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Pass the username to awk with -v instead of splicing it into the program
# text, so quote characters in a submitted username cannot alter the program.
# Lines starting with ; or # are comments.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
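The script above keeps passwords in clear text in psw-file and writes the submitted password to the log on every failed attempt, so anyone who can read either file learns user credentials. As an added example (it is not the original author's script), the following drop-in replacement stores a per-user salt and a SHA-256 digest instead of the password, never logs the password, rejects usernames outside a safe character set before they reach awk, and keeps its logic in functions so it can be exercised outside OpenVPN. The function names, the three-column file format and the use of sha256sum are choices made for this example; sha256sum is used only so the example runs with coreutils alone, and a production deployment should prefer a deliberately slow hash such as the one produced by openssl passwd -6.

```shell
#!/bin/sh
# Added example, not the original checkpsw.sh: hashed passwords, no password
# in the log, and the username is validated before it reaches awk.
#
# Password file format (a choice made for this example):
#   username<TAB>salt<TAB>hex(sha256(salt ":" password))
# Lines starting with # or ; are comments.

PASSFILE="${PASSFILE:-/etc/openvpn/server/user/psw-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-password.log}"

log() {
    # Append one line to the log; the password is never part of the message.
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE" 2>/dev/null || :
}

hash_password() {
    # $1 = salt, $2 = password. sha256sum keeps the example dependency-free;
    # a slow hash (e.g. openssl passwd -6) is preferable in production.
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

make_user_line() {
    # $1 = username, $2 = password, $3 = salt (random if omitted).
    # Prints the line to append to PASSFILE when adding a user.
    salt=${3:-$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')}
    printf '%s\t%s\t%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

check_password() {
    # $1 = username, $2 = password, $3 = password file. Returns 0 on success.
    user=$1 pass=$2 file=$3
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) log "rejected malformed username"; return 1 ;;
    esac
    [ -r "$file" ] || { log "cannot read password file $file"; return 1; }
    # -v hands the username to awk as data, not as part of the program text.
    entry=$(awk -v u="$user" '!/^[#;]/ && $1 == u { print $2, $3; exit }' "$file")
    [ -n "$entry" ] || { log "unknown user: $user"; return 1; }
    salt=${entry%% *}
    stored=${entry#* }
    if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
        log "authentication succeeded: $user"
        return 0
    fi
    log "authentication failed: $user"
    return 1
}

# Entry point when OpenVPN runs this script with "auth-user-pass-verify ... via-env":
# the credentials arrive in the environment variables username and password.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    check_password "$username" "$password" "$PASSFILE"
    exit $?
fi
```

To add a user with this format, run `make_user_line alice 'her password' >> /etc/openvpn/server/user/psw-file` from a shell that has sourced the script; the same 600 permissions and openvpn ownership shown below still apply to the file, because the salt and digest are still sensitive to offline guessing.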

Set permissions and ownership

chmod 700 /etc/openvpn/server/user/checkpsw.sh
chown openvpn:openvpn /etc/openvpn/server/user/checkpsw.sh

Create the account/password file /etc/openvpn/server/user/psw-file

# example format: the first column is the username, the second the password
user1	pwd123
user2	password789
# further examples
user3	PSW112233

Set permissions on psw-file

chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file

7. Configure network policy

Push the destination networks to the client side; append the following to the end of the main configuration file /etc/openvpn/server/server.conf:

# network settings: push routes so that clients reach the business address ranges
client-to-client
push "route 192.168.255.1 255.255.255.255"
push "route 192.168.255.2 255.255.255.255"

Appendix: the complete /etc/openvpn/server/server.conf

local x.x.x.x
port 1194
proto udp
dev tun0
ca ca.crt
cert server1.crt
key server1.key  # This file should be kept secret
dh dh.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user openvpn
group openvpn
max-clients 100
persist-key
persist-tun
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status-server.log
verb 3
explicit-exit-notify 1

# username/password authentication
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
username-as-common-name
# disable client certificate verification
verify-client-cert none
# level at which external scripts may run
script-security 3

# network settings: push routes so that clients reach the business address ranges
client-to-client
push "route 192.168.255.1 255.255.255.255"
push "route 192.168.255.2 255.255.255.255"
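As an added example that is not part of the original post, the POSIX shell script below audits a server.conf like the one above before the service is started. It checks that every file the configuration references exists relative to the configuration directory (the openvpn-server@.service unit sets WorkingDirectory=/etc/openvpn/server), that key material is not group- or world-readable, and it flags the directives of this deployment that shape its trust model: duplicate-cn, verify-client-cert none, script-security 3 and the absence of crl-verify (the post copies crl.pem into the server directory but the configuration never references it, and with verify-client-cert none a CRL would not be consulted anyway, so these two findings belong together). Function names are choices made for the example; it uses GNU stat -c with a BSD stat -f fallback.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight audit of an OpenVPN
# server.conf. Prints one FINDING line per problem and returns the number of
# findings, so "audit_server_conf server.conf || exit" can gate a deployment.
# Function names are choices made for this example.

has_directive() {
    # $1 = config file, $2 = directive; true if a non-comment line starts with it
    awk -v d="$2" '!/^[#;]/ && $1 == d { found = 1 } END { exit !found }' "$1"
}

directive_value() {
    # $1 = config file, $2 = directive; prints its first argument, or nothing
    awk -v d="$2" '!/^[#;]/ && $1 == d { print $2; exit }' "$1"
}

finding() {
    echo "FINDING: $1"
    findings=$((findings + 1))
}

resolve_path() {
    # $1 = config dir, $2 = path from the config. Relative paths resolve against
    # the config dir because openvpn-server@.service sets WorkingDirectory there.
    case "$2" in /*) echo "$2" ;; *) echo "$1/$2" ;; esac
}

audit_server_conf() {
    conf=$1
    dir=$(dirname "$conf")
    findings=0

    # 1. Every referenced file must exist.
    for d in ca cert key dh tls-auth crl-verify; do
        f=$(directive_value "$conf" "$d")
        [ -n "$f" ] || continue
        p=$(resolve_path "$dir" "$f")
        [ -r "$p" ] || finding "$d references missing file $p"
    done

    # 2. Private key material must not be group- or world-readable.
    for d in key tls-auth; do
        f=$(directive_value "$conf" "$d")
        [ -n "$f" ] || continue
        p=$(resolve_path "$dir" "$f")
        [ -r "$p" ] || continue
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")
        case "$mode" in 600|400) ;; *) finding "$d file $p has mode $mode, expected 600" ;; esac
    done

    # 3. Directives that shape the trust model of this deployment.
    has_directive "$conf" tls-auth || has_directive "$conf" tls-crypt \
        || finding "no tls-auth/tls-crypt: control channel packets are not HMAC-authenticated"
    { has_directive "$conf" user && has_directive "$conf" group; } \
        || finding "no user/group: the daemon keeps root privileges after startup"
    has_directive "$conf" crl-verify \
        || finding "no crl-verify: revoked certificates are still accepted"
    if has_directive "$conf" duplicate-cn; then
        finding "duplicate-cn: one credential can be used from many clients at once"
    fi
    if [ "$(directive_value "$conf" verify-client-cert)" = none ]; then
        finding "verify-client-cert none: authentication rests entirely on the password script"
    fi
    if [ "$(directive_value "$conf" script-security)" = 3 ]; then
        finding "script-security 3: passwords are handed to scripts through the environment"
    fi
    return "$findings"
}
```

Run as `audit_server_conf /etc/openvpn/server/server.conf` after sourcing the script; the configuration from this post produces the duplicate-cn, verify-client-cert, script-security and crl-verify findings, which are design decisions of the post rather than mistakes, so the script reports them for review instead of editing the file.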

8. Create the log directory

Create the log directory

mkdir -p /var/log/openvpn/
chown -R openvpn:openvpn /var/log/openvpn

9. Enable forwarding

Set the kernel parameter

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

10. Start the service and enable it at boot

Start the service

systemctl enable --now openvpn-server@server.service

The unit must be named openvpn-server@server, because the system service file uses the %i placeholder to select the configuration file name

[root@localhost ~]# cat /usr/lib/systemd/system/openvpn-server@.service
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target

Here --config %i.conf means that for a service named openvpn-server@server the configuration file used at run time is server.conf; %i corresponds to the part after the @.
Check that the service has started

systemctl status openvpn-server@server.service
netstat -tunalp | grep xxxxx

Once the openvpn process is running, a tun0 interface appears on the server with an IP address from the address pool

[root@localhost ~]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 172.16.0.1  netmask 255.255.255.255  destination 172.16.0.2
        inet6 fe80::e98:a767:9b64:85f6  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

11. Firewall policy

Add the OpenVPN tunnel interface to the trusted zone in firewalld, so that packets inside the tunnel are not restricted

firewall-cmd --permanent --zone=trusted --add-interface=tun0

On the public-facing interface, open udp/1194

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="udp" port="1194" accept'
firewall-cmd --reload

II. Client installation

Editing the client.ovpn configuration file
On the server, create the client configuration file client.ovpn from the sample, keeping only the non-comment lines

grep '^[^#;]' /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/client.conf > /etc/openvpn/client.ovpn

Edit its contents: remote is the server IP and port, proto selects TCP or UDP, the contents of ca.crt go inside the <ca></ca> block at the end, and the TLS-auth key ta.key goes inside the <tls-auth></tls-auth> block at the end. Writing the CA certificate and the key directly into client.ovpn means that only the single client.ovpn file has to be handed to the client, with no separate ca or key files.
The complete file is as follows:

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
;ca ca.crt
;cert xxxxxx.crt
;key xxxxxx.key
;remote-cert-tls server
;tls-auth ta.key 1
key-direction 1
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxx
-----END CERTIFICATE-----
</ca>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END OpenVPN Static key V1-----
</tls-auth>
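As an added example rather than the post's own tooling, the function below assembles that single-file profile from ca.crt and ta.key so the inline blocks are never pasted by hand, and refuses to emit a profile when the files are not PEM material of the expected kind. It also enables remote-cert-tls server, which the post leaves commented out: the server certificate was issued with ./easyrsa sign-req server and therefore carries the server extended key usage, and this directive makes the client reject any other certificate signed by the same CA that tries to pose as the server. The function name and the sample address are assumptions; the two PEM files in the test are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: build a single-file OpenVPN client profile.
# Usage: build_client_ovpn SERVER PORT CA_FILE TA_FILE > client.ovpn
# (function name and argument order are choices made for this example)
build_client_ovpn() {
    server=$1 port=$2 ca=$3 ta=$4
    # Refuse to emit a profile from the wrong files: a profile with an empty
    # or wrong <ca> block would fail to verify the server instead of failing here.
    { [ -r "$ca" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; } \
        || { echo "build_client_ovpn: $ca is not a PEM certificate" >&2; return 1; }
    { [ -r "$ta" ] && grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$ta"; } \
        || { echo "build_client_ovpn: $ta is not an OpenVPN static key" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# require the server certificate to carry the server EKU (Easy-RSA "sign-req server")
remote-cert-tls server
# key-direction 1 is the client side of "tls-auth ta.key 0" on the server
key-direction 1
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
$(cat "$ca")
</ca>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}
```

On the server from this post the call is `build_client_ovpn x.x.x.x 1194 /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/ta.key > /etc/openvpn/client.ovpn`; because ta.key is a shared secret, the resulting profile should be handed to users over a protected channel and given the same restrictive permissions as the key itself.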

Double-click the client.ovpn file, or drag it into the client window, and click OK to import it.
Tick Save password, enter the username and password, and click CONNECT.
Tick Don't show again for this profile and click CONTINUE.
This screen indicates that the connection succeeded.
After connecting, check the routing table on the client: the business routes 192.168.255.1 and 192.168.255.2 are present.

III. Adding users

Add users to /etc/openvpn/server/user/psw-file in the format:
username[space]password

Generate random passwords with pwgen

pwgen -ncy1 10