OpenVPN
OpenVPN
server
# --- server-side settings (easy-rsa 2.0 key layout) ---
local ServerAddress
port 1194
# NOTE(review): 1024-bit DH parameters are below current minimum recommendations;
# regenerate a larger group (2048-bit or more) before deploying this.
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
#10.66.0.0 is the server-side LAN, but the gateway isn't the server
#push "route 10.66.0.0 255.255.255.0"
# per-client override files, looked up by the client certificate's CN
client-config-dir ccd
#write a file named like the client (e.g. client2) in ccd containing:
#iroute 192.168.4.0 255.255.255.0
#client2's subnet 192.168.4.0 is then routed across the VPN
#route 192.168.4.0 255.255.255.0
#route      = route on the server host
#iroute     = route inside the VPN (server -> client)
#push route = route pushed to the clients
#push "route 192.168.4.0 255.255.255.0"
#if the server side has a LAN, also add a route for 192.168.4.0 on the server-side gateway
#push "dhcp-option DNS 10.66.0.4"
#push "dhcp-option DNS 10.66.0.5"
#push "dhcp-option WINS 10.66.0.8"
# NOTE(review): client-to-client traffic is switched inside the OpenVPN process,
# so it never traverses the host's iptables FORWARD chain; drop this if clients
# must be isolated from each other or filtered per client.
client-to-client
# NOTE(review): duplicate-cn lets several devices share one certificate, which
# removes per-device accountability and makes revoking a single device impossible.
duplicate-cn
max-clients 50
client
remote ServerAddress Port
common
# --- settings shared by server and client (pick one value per bracket) ---
proto udp[tcp]
# tun = routed (layer 3), tap = bridged (layer 2)
dev tun[tap]
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/host.crt
# the private key must stay readable only by the user OpenVPN runs as
key /etc/openvpn/easy-rsa/2.0/keys/host.key
# ping the peer every 20 s; restart the tunnel after 60 s without a reply
keepalive 20 60
# NOTE(review): compression inside the tunnel enables compression-oracle attacks
# on the encrypted traffic and is deprecated in newer OpenVPN releases; consider
# removing it on both sides.
comp-lzo
# keep key material and the tun device open across ping-restart / SIGUSR1 restarts
persist-key
persist-tun
# NOTE(review): the management interface is opened without the optional password
# file, so any local process that can connect to TCP 7505 controls the daemon;
# add the password-file argument or move it to a unix socket with tight permissions.
management localhost 7505
verb 3
mute 20
status openvpn-status.log
iptables
# 10.168.0.0/16 = VPN subnet
# NOTE(review): this only masquerades VPN traffic leaving via eth0 (adjust the
# interface name); once ip_forward is on it does not restrict what clients can
# reach behind the server, so add FORWARD rules if that matters here.
iptables -t nat -A POSTROUTING -s 10.168.0.0/16 -o eth0 -j MASQUERADE
iptables-save > /etc/iptables.rules
在/etc/network/if-up.d/目录下创建iptables文件,内容如下:
#!/bin/sh
iptables-restore < /etc/iptables.rules
然后
chmod +x /etc/network/if-up.d/iptables
修改/etc/sysctl.conf的内容为:
# needed so the server forwards packets between the tun interface and the LAN
net.ipv4.ip_forward = 1
# a forwarding host should not emit ICMP redirects (they disclose routing detail)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# ignore ICMP redirects so a peer cannot alter this host's routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
然后
# reload /etc/sysctl.conf so the settings above take effect
sysctl -p
# restart OpenVPN and networking
/etc/init.d/openvpn restart
/etc/init.d/networking restart
others
样例文件位置
/usr/share/doc/openvpn/examples/easy-rsa/
# load the easy-rsa 2.0 variables (key size, key directory, certificate fields)
source vars
# NOTE(review): clean-all wipes the existing keys directory; run it only when
# creating a fresh PKI, never on a server whose certificates are in use.
./clean-all
# create the CA; keep its private key off the VPN server if at all possible
./build-ca
# server certificate carries the server extension that clients verify
./build-key-server ServerName
# one certificate per client; do not share them between devices (see duplicate-cn)
./build-key ClientName
./build-dh
ifconfig-pool-persist ipp.txt
server 10.168.1.0 255.255.255.0 #IP range handed to clients; make sure it does not collide with the clients' own LAN!
# NOTE(review): this routes all client traffic through the tunnel; the usual form
# is `redirect-gateway def1`, which overrides the client's default route without
# deleting it, so it is restored cleanly on disconnect.
push "redirect-gateway"
# public resolvers pushed to clients; note that on non-Windows clients
# dhcp-option DNS only takes effect through an up script
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# both paths are relative to OpenVPN's working directory
status openvpn-status.log
log-append openvpn.log
--------------------------------------------------------------------------------
# --- client-side settings ---
client
# keep retrying name resolution of the remote instead of giving up at start
resolv-retry infinite
# do not bind to a fixed local port
nobind
# NOTE(review): ns-cert-type is deprecated (removed in OpenVPN 2.5) in favor of
# `remote-cert-tls server`; keep one of the two, otherwise any client certificate
# from the same CA could impersonate the server.
ns-cert-type server
redirect-gateway
# NOTE(review): left disabled; enabling tls-auth (server side uses key direction 0)
# drops unauthenticated packets to the VPN port before the TLS handshake.
#tls-auth ta.key 1
# Windows-only route handling via route.exe, applied 2 s after the tunnel is up
route-method exe
route-delay 2