天天看点
返回

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

文章目录

  • 准备工作
    • 安装路由器系统
    • 安装Openvpn Server软件
  • 生成Openvpn证书文件
    • 修改证书配置文件vars
    • 生成证书
    • 生成Diffie-Hellman交换密钥
    • 生成服务端证书并签署
    • 生成客户端证书并签署
    • 导出客户端PKCS12证书
    • 生成Transport Layer Security (TLS) 传输层安全认证
    • 整理配置文件
  • 编辑Server端Openvpn配置文件
  • 配置Server端Openvpn隧道接口
    • 创建 OPENVPN 接口
    • 配置接口防火墙区域
  • 配置openvpn防火墙区域
    • 区域出入站配置
    • 区域端口转发配置
  • 局域网测试Openvpn连接情况
    • 编辑局域网客户端配置文件
    • 下载Openvpn 客户端并测试
  • 公网测试Openvpn连接配置
    • 修改Server端openvpn配置
    • 修改iptables中NAT转发规则

准备工作

安装路由器系统

安装Openvpn Server软件

进入软件包管理,安装openvpn-openssl、openvpn-easy-rsa、luci-i18n-openvpn-zh-cn三个软件

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

生成Openvpn证书文件

修改证书配置文件vars

查看配置好的配置文件,可以直接复制这些配置参数

查询结果如下所示

if [ -z "$EASYRSA_CALLER" ]; then
        echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
        echo "This is no longer necessary and is disallowed. See the section called" >&2
        echo "'How to use this file' near the top comments for more details." >&2
        return 1
fi
set_var EASYRSA                 "$PWD"
set_var EASYRSA_PKI             "$PWD/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Jiangsu"
set_var EASYRSA_REQ_CITY        "Nanjing"
set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "My Organizational Unit"
set_var EASYRSA_KEY_SIZE        4096
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       3650
set_var EASYRSA_CERT_EXPIRE     3650
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "Easy-RSA Generated Certificate"
set_var EASYRSA_EXT_DIR         "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_DIGEST          "sha256"

生成证书

进入目录/etc/easy-rsa/初始化pki,并生成ca证书,需要注意以下两点:

(1)在build-ca指令之后,加了nopass参数,以避免每次使用证书都需要输入口令。如需更强的安全性,可不加该参数,后面生成服务端证书的时候也使用了nopass参数。

(2)在脚本运行过程中可能会暂停,等待确认,通常方括号[]内的预设内容如不需要改可直接回车,有些提示输入’yes’的则需照输,否则脚本会退出。

cd /etc/easy-rsa/
easyrsa init-pki
easyrsa build-ca nopass

生产文件路径如下所示

/etc/easy-rsa/pki/ca.crt
/etc/easy-rsa/pki/private/ca.key

生成Diffie-Hellman交换密钥 

easyrsa gen-dh

生产文件路径如下所示

/etc/easy-rsa/pki/dh.pem

生成服务端证书并签署 

easyrsa build-server-full server nopass

生产文件路径如下所示

Certificate created at: /etc/easy-rsa/pki/issued/server.crt

生成客户端证书并签署 

easyrsa build-client-full client nopass

生产文件路径如下所示

Certificate created at: /etc/easy-rsa/pki/issued/client.crt

导出客户端PKCS12证书 

easyrsa export-p12 client nopass

生产文件路径如下所示

location: /etc/easy-rsa/pki/private/client.p12

生成Transport Layer Security (TLS) 传输层安全认证 

openvpn --genkey --secret ./ta.key

整理配置文件

创建配置文件目录

mkdir /etc/openvpn/certs
mkdir /etc/openvpn/client

/etc/openvpn/certs/目录下文件

[email protected]:/etc/easy-rsa/pki# ll /etc/openvpn/certs/
drwxr-xr-x    2 root     root          3488 Aug 23 14:40 ./
drwxr-xr-x    4 root     root          3488 Aug 21 20:59 ../
-rw-------    1 root     root          1895 Aug 19 20:12 ca.crt
-rw-------    1 root     root           769 Aug 19 20:30 dh.pem
-rw-------    1 root     root          7335 Aug 19 20:48 server.crt
-rw-------    1 root     root          3272 Aug 19 20:48 server.key
-rw-------    1 root     root           636 Aug 19 20:51 ta.key

/etc/openvpn/client/目录下文件

[email protected]:/etc/easy-rsa/pki# ll /etc/openvpn/client/
drwxr-xr-x    2 root     root          3488 Aug 23 14:40 ./
drwxr-xr-x    4 root     root          3488 Aug 21 20:59 ../
-rw-------    1 root     root          1895 Aug 19 20:12 ca.crt
-rw-------    1 root     root          7216 Aug 19 20:50 client.crt
-rw-------    1 root     root          3272 Aug 19 20:50 client.key
-rw-------    1 root     root           636 Aug 19 20:51 ta.key

编辑Server端Openvpn配置文件

编辑openvpn配置文件,配置好的文件如下所示

[email protected]:/etc/easy-rsa/pki# cat /etc/config/openvpn

config openvpn 'server'
        option dev 'tun'
        option port '1194'
        option cipher 'AES-256-GCM'
        option keepalive '10 60'
        option ca '/etc/openvpn/certs/ca.crt'
        option cert '/etc/openvpn/certs/server.crt'
        option key '/etc/openvpn/certs/server.key'
        option dh '/etc/openvpn/certs/dh.pem'
        option tls_auth '/etc/openvpn/certs/ta.key 0'
        option server '10.8.0.0 255.255.255.0'
        option topology 'subnet'
        list push 'route 192.168.0.0 255.255.0.0'
        list push 'route 172.16.0.0 255.240.0.0'
        list push 'route 10.0.0.0 255.0.0.0'
        list push 'dhcp-option DNS 192.168.20.1'
        option tls_server '1'
        option auth_nocache '1'
        option verb '1'
        option client_to_client '1'
        option float '1'
        option comp_lzo 'adaptive'
        option persist_tun '1'
        option persist_key '1'
        option duplicate_cn '1'
        option enabled '1'
        option proto 'tcp-server'

配置Server端Openvpn隧道接口

创建 OPENVPN 接口

(1)填写接口名称:OPENVPN

(2)配置接口协议:不配置协议

(3)绑定接口设备:tun0(这里因为是第一次配置,故需要创建)

(4)配置完成后,点击提交

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

(5)配置OPENVPN接口开机自动运行

(6)配置完成后,点击保存并应用

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

配置接口防火墙区域

(1)进入接口OPENVPN

(2)配置防火墙区域:openvpn(之前未创建openvpn防火墙区域,则本次会自动创建)

(3)配置完成后,点击“保存并应用”

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

(4)保存后网络接口如下图所示

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

配置openvpn防火墙区域

区域出入站配置

(1)配置openvpn区域下的数据入站、出站和转发

(2)配置“IPD动态伪装”和“Full Core”

(3)配置完成后,点击保存并应用,防火墙区域如下图所示

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

区域端口转发配置

(1)配置目标区域(转发到哪个接口):lan

(2)配置源区域(从哪个接口转发):lan

(3)配置完成后,点击保存并应用

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

(4)配置完成后如下图所示

路由器上配置Openvpn Server实现跨网络局域网互联准备工作生成Openvpn证书文件编辑Server端Openvpn配置文件配置Server端Openvpn隧道接口配置openvpn防火墙区域局域网测试Openvpn连接情况公网测试Openvpn连接配置

局域网测试Openvpn连接情况

编辑局域网客户端配置文件

基础配置文件如下所示,需将对应的ca、cert、key和tls-auth校验文件配置填入各自标签中

client
dev tun
proto tcp
remote 192.168.20.13 8080
float
cipher AES-256-GCM
comp-lzo adaptive
keepalive 10 60
remote-cert-tls server
key-direction 1
auth-nocache
resolv-retry infinite
nobind

<ca></ca>

<cert></cert>

<key></key>

<tls-auth></tls-auth>

查看配置文件 /etc/openvpn/client/ca.crt

[email protected]:~# cat /etc/openvpn/client/ca.crt 
-----BEGIN CERTIFICATE-----
MIIFSzCCAzOgAwIBAgIUBAY1yXnehc9/prW5vj0B9VxX5W0wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODE5MTIxMjU0WhcNMjkw
ODE2MTIxMjU0WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAL202M03vD3iLoycOKYoMRSZysoOm6lVbMgRq3AE
gHz/yf5dRddQmJTfKMtkltwGhrCxt6TG69ABSVtEqmp6FUtGLgizg5VOmPcelzJm
6uWK2GsxLU458yBBmH78hinj91ZVTyAnDKCcE7u1clat5Ik6XVYfw3u9qGqZuMDG
I7UgvCxguzxz6u4cEkmn9925GzSNj/AOEflcKm9G9PeVTVw6HFSpU0owGCF8flh1
oEXbuWeI+KEiYYRyRxP+A92yZ9vZJRdKYKKfspMPf36TStZnOyvibkZ44IEnP35c
ci4tJgjTPb9epFqwXTo3sjbgzt/L9usrn4Me4qxSy5poq9oKG9a4RsZw8q2dc1l1
/Ovq8/cwGTPl90j7YsBcU2lO0XQ4lsCjtGd6ag+KK1wSFI+WNcndXUgfQuW8D5vg
HlkZnmm/v6Rnrq0FlO19utPr2ITJA7VkCfSU2HQ1TTbNERFRb1TLixLgrmcb1Uj5
O+avOWbgwqosfs9TqVS17bn0p8P3Jir+Hag1lGCfEUy7IVEb2VuDVkE48EjSh+Iq
myTmFTOh61JRXmo6ITxLV8Xfkua5YgDVU8fyNC3FN2czSykfZ9/TubsyPbvMPWmq
gM9zraY737EYNEplFbMGntVLewbSyZ2anvG8cp6SPwyqsCUqyG+FSuTU9/bcf97o
+GiRAgMBAAGjgZAwgY0wHQYDVR0OBBYEFBYpLCwPEfwBiqE5nNftBx5jBsVlMFEG
A1UdIwRKMEiAFBYpLCwPEfwBiqE5nNftBx5jBsVloRqkGDAWMRQwEgYDVQQDDAtF
YXN5LVJTQSBDQYIUBAY1yXnehc9/prW5vj0B9VxX5W0wDAYDVR0TBAUwAwEB/zAL
BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAJIirZpVler1ei7NECsy5Y4y
yTs60f5xHLAlb7x1EiwbcMbnV3t45UzQ4+fqbiAZ4hmn9hrHgHcocD14Epz6KOsF
gulfaBngIWMvGKjBSO4o3udLzNaq2A0q3lDNXOa2HjNR1hPopGzzU1odoD4bbjfU
Y/aEzKIk7FaDlRkyA1ZmtMuAvyPPxEefuZf9ay75Pte+JU1/Ar/htghm+TcCt+7C
h49xDmUBsMMbmIiQnWfet6Vtp5ry5/4jXObNr30VPiJ2cB+Lq8j21hrZHSiFIPYa
iC9qmGWFHfqfBCUOVggG1dOtKk7R50IbBfqTU56BO/VbyLY38j08nOOil0GQYNH6
LiZtFUzOtkOYQnoZbgbfAJimuENH6QQ8le926muJxEtMVtqGfB03mWjjEhysUH2o
vSHix5r6X1aLIZb+hXtdIl6YRsKXe+eQOwsv52js4neTXXR/1JW1z0cYlLYJVI4w
3oZn6zJkIgacOZ6CCovjXuHGWujUVz6fIa/y/ouSDQoiO3uh6jGrf/IpMOtNhXDc
MkCYgyb0miGLgrIPvo5ldCbqiBtWyj1VHe1p2oRROO1Q1k1Mx8anuSyjmWxbZhZ3
/46GHj46nCPXbjpGHGzTQBj65mTgAqgeyEeytnw2h6LT77lZnKgMkK99zAmpLeY9
Hu0k/Wy3HGzkX7eHcNxg
-----END CERTIFICATE-----

查看配置文件 /etc/openvpn/client/client.crt

[email protected]:~# cat /etc/openvpn/client/client.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:28:90:75:fc:8a:e8:7c:f8:40:6c:11:08:8e:b3:38
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Aug 19 12:50:11 2019 GMT
            Not After : Aug 16 12:50:11 2029 GMT
        Subject: CN=client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:cd:76:ca:ea:bf:a1:6e:9c:39:44:4d:d1:e8:a1:
                    45:ab:b6:8e:81:f3:f5:56:3f:39:f8:f5:7c:96:6b:
                    79:9a:ff:f1:9a:36:6a:75:80:e4:45:c0:d6:41:28:
                    b5:83:62:c3:d4:0b:19:17:23:1e:a9:f3:9d:ed:69:
                    f5:14:d5:bf:15:0a:06:c1:c9:98:dd:8f:b6:c5:9c:
                    a2:78:8d:e4:a6:05:1d:fb:73:2f:0e:92:f8:f7:7b:
                    2a:78:74:dd:28:0f:7f:4e:ff:e5:af:a3:25:e4:1a:
                    15:e9:5b:fe:81:a7:28:94:50:04:11:f2:ac:23:44:
                    42:6a:55:12:b9:6e:29:4f:ee:75:34:e7:bd:6b:e2:
                    1a:f8:a9:37:98:56:50:b2:75:b0:b4:ae:51:ec:fe:
                    80:34:8d:44:41:0a:79:dc:50:e7:fa:a6:ba:32:68:
                    f2:db:6e:b5:e4:09:8e:fd:07:f5:82:28:da:4c:f4:
                    6e:22:ec:37:73:50:e6:4c:60:ae:46:e5:44:a3:3b:
                    59:50:12:c7:9b:ab:a4:56:5d:88:90:b3:0a:68:2e:
                    d5:38:bc:00:37:74:50:4a:33:95:3b:97:6c:8c:93:
                    1f:3a:38:49:b4:f6:df:9e:42:b4:6c:52:49:66:97:
                    0f:43:83:f6:8f:27:d4:2d:41:1f:fa:2f:72:d5:6b:
                    89:8a:51:b4:cc:18:da:44:46:8f:b3:b0:78:34:0f:
                    1f:08:cf:b8:72:2f:c3:0e:34:66:b2:2e:7a:cc:15:
                    f8:eb:50:7b:e4:ab:b4:47:33:eb:69:00:76:e9:22:
                    b2:d4:39:71:3c:13:b0:f3:2e:f9:ec:7f:2d:66:db:
                    f6:dd:2b:22:71:b3:fe:45:b9:fd:69:c4:2f:ae:f0:
                    30:e4:eb:75:1a:a7:1a:20:30:cd:d7:65:e7:71:2e:
                    3c:35:b0:75:9a:e6:35:7d:75:41:36:49:cb:45:10:
                    02:95:7a:bc:c9:c5:9d:bb:1a:07:8d:25:99:60:51:
                    73:a5:29:29:9a:37:b1:ea:a2:5c:20:c5:fc:94:05:
                    47:50:e0:f7:b3:c8:65:c1:27:55:73:df:a7:ff:28:
                    ba:12:19:73:c6:cf:70:57:ca:db:90:ca:5b:4a:c0:
                    65:f1:8d:c4:54:25:89:9a:57:85:7d:62:da:40:59:
                    b1:e3:00:c4:4b:5d:d7:14:c3:47:c7:f7:b2:56:de:
                    fc:06:0a:e1:07:49:dc:f7:c2:da:2e:56:4e:70:64:
                    e2:d9:bc:e3:0b:da:a0:b2:c2:a7:0e:37:66:ea:4f:
                    4a:97:a6:95:8d:34:c4:26:94:9d:df:5a:41:7f:c0:
                    ad:3e:9b:8d:e0:4a:f7:9f:5c:2b:49:6f:63:c7:da:
                    cf:2e:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                4B:FC:9B:01:82:36:D3:82:A4:2E:36:E7:6C:41:68:D0:57:03:4A:6E
            X509v3 Authority Key Identifier: 
                keyid:16:29:2C:2C:0F:11:FC:01:8A:A1:39:9C:D7:ED:07:1E:63:06:C5:65
                DirName:/CN=Easy-RSA CA
                serial:04:06:35:C9:79:DE:85:CF:7F:A6:B5:B9:BE:3D:01:F5:5C:57:E5:6D

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
         9b:86:25:b6:15:50:bc:13:30:c8:83:85:25:50:f1:d7:39:a4:
         ec:8b:7e:c5:7f:5b:44:a3:aa:fc:56:fa:1d:88:d0:f5:a8:30:
         2a:06:61:6f:71:0c:22:a7:e2:ac:32:6f:75:0e:f2:2a:2f:42:
         83:f5:83:fa:6b:90:f0:5b:30:5b:46:8a:6b:b7:37:32:ec:8f:
         bf:21:0a:5a:9c:b1:59:96:64:25:ea:ab:d6:82:01:63:9b:a2:
         5b:89:b7:c5:67:96:9c:b9:f3:c7:c0:45:f5:65:9f:ba:57:b5:
         f5:6a:63:74:02:ed:6c:35:df:70:11:56:68:e4:e5:df:ae:0c:
         74:db:2b:b0:68:1d:01:a4:12:b4:cd:14:94:e8:2a:f9:0a:de:
         dd:d3:72:30:df:82:36:85:d2:1c:b5:5a:8b:41:19:32:92:fc:
         2d:a6:46:d3:e2:37:85:21:63:8d:2e:15:af:bb:ba:c9:25:a0:
         29:f4:3e:f5:dd:17:e3:ac:4a:e9:39:46:a6:46:43:ca:aa:be:
         ad:6a:ac:6a:40:4a:e7:2b:a6:6a:5e:ee:82:b0:d0:d3:e8:b1:
         2a:8b:34:5e:5d:5a:f4:0f:e6:da:a2:89:32:7a:cd:cb:16:7f:
         7e:12:59:dc:69:d2:e9:93:72:4e:91:b8:49:93:98:db:66:03:
         61:85:fb:4b:14:5f:0e:09:be:9a:fd:69:93:d4:eb:a1:18:1e:
         00:2a:38:8b:e6:98:c5:7a:68:ed:fa:c2:b4:27:00:17:fb:c2:
         bb:a2:36:6b:91:76:17:50:e8:ae:9a:5f:91:f2:2e:88:2a:32:
         c8:cc:97:10:c9:e1:54:8c:b2:2a:30:78:ee:d8:d4:14:9e:56:
         5b:5a:6c:e7:06:4a:28:c5:4d:ae:81:12:3f:22:0a:2f:71:ed:
         cd:2d:b9:8e:72:23:5e:33:8e:53:62:1c:94:18:5f:f9:50:b6:
         28:ff:a6:54:eb:0d:e8:60:ef:28:ac:3a:e6:da:07:c4:1a:9d:
         34:6b:6c:cc:7a:8e:75:ee:d4:71:3f:ea:e5:7d:a0:33:63:16:
         47:22:b3:d5:6f:fa:8d:c9:ee:4f:4f:b1:b8:59:a2:2c:a0:e7:
         1f:72:2a:ab:9a:98:83:30:51:f9:0b:ad:66:45:fe:b6:e5:cf:
         5d:05:bb:2f:7b:41:10:a3:e8:29:48:1d:87:ef:6f:6e:08:57:
         5f:e5:24:c2:26:df:2e:56:66:6a:cd:ec:25:49:a3:ed:01:2c:
         46:e3:83:2b:c4:48:de:86:65:54:9a:46:84:98:54:d4:cb:2b:
         92:7d:dd:32:be:74:c7:fc:8b:a5:dc:e3:49:3f:8f:11:58:68:
         ae:d1:55:ba:20:07:d1:a5
-----BEGIN CERTIFICATE-----
MIIFVDCCAzygAwIBAgIQKiiQdfyK6Hz4QGwRCI6zODANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0xOTA4MTkxMjUwMTFaFw0yOTA4MTYx
MjUwMTFaMBExDzANBgNVBAMMBmNsaWVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAM12yuq/oW6cOURN0eihRau2joHz9VY/Ofj1fJZreZr/8Zo2anWA
5EXA1kEotYNiw9QLGRcjHqnzne1p9RTVvxUKBsHJmN2PtsWconiN5KYFHftzLw6S
+Pd7Knh03SgPf07/5a+jJeQaFelb/oGnKJRQBBHyrCNEQmpVErluKU/udTTnvWvi
GvipN5hWULJ1sLSuUez+gDSNREEKedxQ5/qmujJo8ttuteQJjv0H9YIo2kz0biLs
N3NQ5kxgrkblRKM7WVASx5urpFZdiJCzCmgu1Ti8ADd0UEozlTuXbIyTHzo4SbT2
355CtGxSSWaXD0OD9o8n1C1BH/ovctVriYpRtMwY2kRGj7OweDQPHwjPuHIvww40
ZrIueswV+OtQe+SrtEcz62kAdukistQ5cTwTsPMu+ex/LWbb9t0rInGz/kW5/WnE
L67wMOTrdRqnGiAwzddl53EuPDWwdZrmNX11QTZJy0UQApV6vMnFnbsaB40lmWBR
c6UpKZo3seqiXCDF/JQFR1Dg97PIZcEnVXPfp/8ouhIZc8bPcFfK25DKW0rAZfGN
xFQliZpXhX1i2kBZseMAxEtd1xTDR8f3slbe/AYK4QdJ3PfC2i5WTnBk4tm84wva
oLLCpw43ZupPSpemlY00xCaUnd9aQX/ArT6bjeBK959cK0lvY8fazy4HAgMBAAGj
gaIwgZ8wCQYDVR0TBAIwADAdBgNVHQ4EFgQUS/ybAYI204KkLjbnbEFo0FcDSm4w
UQYDVR0jBEowSIAUFiksLA8R/AGKoTmc1+0HHmMGxWWhGqQYMBYxFDASBgNVBAMM
C0Vhc3ktUlNBIENBghQEBjXJed6Fz3+mtbm+PQH1XFflbTATBgNVHSUEDDAKBggr
BgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAJuGJbYVULwT
MMiDhSVQ8dc5pOyLfsV/W0SjqvxW+h2I0PWoMCoGYW9xDCKn4qwyb3UO8iovQoP1
g/prkPBbMFtGimu3NzLsj78hClqcsVmWZCXqq9aCAWOboluJt8Vnlpy588fARfVl
n7pXtfVqY3QC7Ww133ARVmjk5d+uDHTbK7BoHQGkErTNFJToKvkK3t3TcjDfgjaF
0hy1WotBGTKS/C2mRtPiN4UhY40uFa+7uskloCn0PvXdF+OsSuk5RqZGQ8qqvq1q
rGpASucrpmpe7oKw0NPosSqLNF5dWvQP5tqiiTJ6zcsWf34SWdxp0umTck6RuEmT
mNtmA2GF+0sUXw4Jvpr9aZPU66EYHgAqOIvmmMV6aO36wrQnABf7wruiNmuRdhdQ
6K6aX5HyLogqMsjMlxDJ4VSMsioweO7Y1BSeVltabOcGSijFTa6BEj8iCi9x7c0t
uY5yI14zjlNiHJQYX/lQtij/plTrDehg7yisOubaB8QanTRrbMx6jnXu1HE/6uV9
oDNjFkcis9Vv+o3J7k9PsbhZoiyg5x9yKquamIMwUfkLrWZF/rblz10Fuy97QRCj
6ClIHYfvb24IV1/lJMIm3y5WZmrN7CVJo+0BLEbjgyvESN6GZVSaRoSYVNTLK5J9
3TK+dMf8i6Xc40k/jxFYaK7RVbogB9Gl
-----END CERTIFICATE-----

查看配置文件 /etc/openvpn/client/client.key

[email protected]:~# cat /etc/openvpn/client/client.key 
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDNdsrqv6FunDlE
TdHooUWrto6B8/VWPzn49XyWa3ma//GaNmp1gORFwNZBKLWDYsPUCxkXIx6p853t
afUU1b8VCgbByZjdj7bFnKJ4jeSmBR37cy8Okvj3eyp4dN0oD39O/+WvoyXkGhXp
W/6BpyiUUAQR8qwjREJqVRK5bilP7nU0571r4hr4qTeYVlCydbC0rlHs/oA0jURB
CnncUOf6proyaPLbbrXkCY79B/WCKNpM9G4i7DdzUOZMYK5G5USjO1lQEsebq6RW
XYiQswpoLtU4vAA3dFBKM5U7l2yMkx86OEm09t+eQrRsUklmlw9Dg/aPJ9QtQR/6
L3LVa4mKUbTMGNpERo+zsHg0Dx8Iz7hyL8MONGayLnrMFfjrUHvkq7RHM+tpAHbp
IrLUOXE8E7DzLvnsfy1m2/bdKyJxs/5Fuf1pxC+u8DDk63UapxogMM3XZedxLjw1
sHWa5jV9dUE2SctFEAKVerzJxZ27GgeNJZlgUXOlKSmaN7HqolwgxfyUBUdQ4Pez
yGXBJ1Vz36f/KLoSGXPGz3BXytuQyltKwGXxjcRUJYmaV4V9YtpAWbHjAMRLXdcU
w0fH97JW3vwGCuEHSdz3wtouVk5wZOLZvOML2qCywqcON2bqT0qXppWNNMQmlJ3f
WkF/wK0+m43gSvefXCtJb2PH2s8uBwIDAQABAoICAD802S2oMAA3/QH/MqDu4+D0
MxjVNNcIckwdMOuROoKtU+TN8qgdM5wlu4OmA1jczENx+pD8k9VShXXgz61OKA9P
205IN0eJi391NSIC/KD6GAQfpg1Et2RitmkCAnrtcYua+0yx0tk+ERmN3FiEVN5z
Ux02WzAqMohFjZIPypO1Vsckt0f18bgnTlwFyaNswySCL9/JVyVTg/jCQUS+eu7H
1aXmVTed8kSpkBxVE3isGqPr2enSYyiNbZt3boWOyDOy8UHJ1TAVeGO9OGLTQVNV
fPCMHUDx/jUlczY22gTQyZ1+bWZHP/mOqbRdCAmQVPi/It1dMk+NpkmvyRLQlymx
HQF0yxcK7uHCC52D62enCAanPU3yJpcMzfQcazwWonllWuRFaikl/tqk66drMo2R
VYBokfeiylJVipXbfGuTYtrZGcUCGT4uhN92D2woaBDpAoYVLBl/PaebLTe5Sb+F
ZJAj7nxY6bcV5GvrQq1p6r5xrGnTPqXN+naADTSR6Feyugy6kjOqJIFF/cY5mufG
XLTUwGRm9PjTT3h+xeWRsx28MvkOgbZU/7QcyGAbnlidMyNSlR/WqT4JD5LmRFK/
1n3RfnEIFdu1dhAIUOLSye2BMLvlw0o5leB02hbYYowUmTSHIdSpZqa2Wocf+mu6
N0ZTSAV72W7mh2HOLRNxAoIBAQD+8jt8z6u1X9ckI0pl6jbKKRbDZYeywoPFS9oX
3poFTEzUABYYGdV20eBKzokw4+7sMZb6cgpjUiwJzkZQnP3Www7wqgbY3TGC/e4d
iz9y96LtZtbfWBSX9A5Y+VqDcz7AfaAJzz+l4N7NB7DmF3UIlFn1Vp+uuCxaYbKA
v+219H9xnfqpJjZDV50+5RD8W4KLikWzMn42HdKarrMkN6fL/Aby3alzPQAElsZ6
6F9bJSWODOUUuagCZVz6+uaInJHnqz1RTyUd/LqaAmNp08TiNnB1pkBAHaog74ux
57kQIqlIQu1QxyHxf8OjS+2daeD/VaxxS3VKSgzxmVg3FHyJAoIBAQDOUDOQD3lX
zn+z8awlZ4PwANQZg0lI3NyU01t0pRkOjz7B0mrUMpsKQq6doWwZrn8SGdG8JqqY
4Rg1YUrhwWkmU7R+uyn76kAS6spGKbks/uf2OD9lbd5+ZTiJY889+uElpW+D8p8K
PLwHf+vWkKOkrcUurOMNDrsLS4y3PbWsvT5f9z77XEKLvqV1AgMn4F1R4AyCbX6W
4+48Cosp1CuI/3EeA70rzPCernlYhnQBwlUyx28wl1l/NnyRna1WQg8efDPBMqs4
rTwJv7yfCVPpnhjcmTVrqtdna4aZ1O6ASmZSktxt6DjFdg05+NC+fJKqiui134Ej
4ucjKcEM+FIPAoIBAQDWtfb3pIZ+GBs+qiIMNvaxx20OXsGsATmsvbcNh0G72IiT
uwbggVFP4m29Urgj3rLnZNQ8VDL/dsLz9y8s0SrO5jP855Ugqxj5sxYI968WCgzD
V2r7aljdqIM017wtHK/quWJBILP/5aR+lE2dWoAMG7SvdKbDJQTlkYYd/IYcSa/T
ZjMmpbHpgS5DO/PUNNV645bT1mCI/xDRiPQCOoUsvDK184y0KtmLA9hgxrcYMe6w
9ZcwnzMp4WgvT4M75nDS5Vqc0cT2vlQBRKWpCNq1kRehXcSauuD/H/9Mc1Vei3J6
EzN+Zlbl5q5DJr0VZ4hAQk0alWxQhpDkIDs1GCHRAoIBAFXwPHo+p9n2j2VCPuXZ
x7Cad78k28r5DP0FSWw+NUDGVGriHlPDvKc6fYf1rJTKBe5hSOcp6BgEc1QQ8eM1
8HnhlibQCb4Apq36lUVCrfrbN35tkaLLcEmQGkvIgpQbw9stnVUGJE9cWyp4k6Ft
4GyBYch+hZlz0F/1GWle0CVjMu9Ai0Ci/qk9QaiKrQvYPqcTP8K4n2l1ClCCR9Ol
qHjJhrHs9sie9n/yx2MjpoDxFRIw1tUTxljiNmNlncV3gNq++8P3OjFCn+ajsotA
lG6Ux2BkhUcTA+T1ejzr4GkaFKNCv4UcnUFLWlkSlskyFNnrQOI5do6fPo58Hwkr
CusCggEAUT9TOGQ7RihFcsaoDcPIb8aY79Kd9UUeH+wce37jjz0In5f1ns+tFy+w
ApDtwRrKJjwNMeT9HTjQlxxyR5QMQg1C6gcybCmjuX876X9d1XVviXd58W9zF3NA
EfxQ5WJggTtG0IsCFUqdt0hMP6OtFUAbRVtyI8efYf99WGtmIGwItBluHiOIm+Ne
Kxp1mnOhPjxHlg8J9u6ZIdExcuqFXWXHzZZsvVrqV21uXxI3EPMweUqDBVT5gddv
cbH04BsDbIv6kMKq0dvU2eTBeuuSHB1LX3BqD01a+g/zl9IQDVV0RX79WnhomZbm
yQqTdZUl6pGsOBeSsvhg5m+hKoNFjA==
-----END PRIVATE KEY-----

查看配置文件 /etc/openvpn/client/ta.key

[email protected]:~# cat /etc/openvpn/client/ta.key 
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
54699e0450f9016620d5a06ec2f7c68e
224ea20ef130843aa5198bd0c9939d12
374aaf575f521cba499609e946680abe
aeb92f44c9809894be77bd5106450882
b9cd9b853c3adf79a91abb8824ec471d
3c364dc4a689d119c056d2060f8c5fa5
8999da4c405cb17fc51b1d0c5556296c
a19c563d0d9404af3d98ea3430681ad8
076008a17724165c125d00b889c5e961
6d49e9f943c51776bc0f530f0858aa88
264565662ee65cb1b865cbb78e05d26c
087ececa81fdb8136d13a7617ca16d01
9237bf465a9e3f2eff2794120a6e2220
b9fc202d5f7352694a2ef98cefc5f779
383f7af6743607e1e6dce808143bc07e
20d61b1a070e87cc61f574c03cd0a76e
-----END OpenVPN Static key V1-----

将上面查询的ca、cert、key和tls-auth校验文件配置填入各自标签内

配置完成后如下所示

client
dev tun
proto tcp
remote 192.168.20.13 8080
float
cipher AES-256-GCM
comp-lzo adaptive
keepalive 10 60
remote-cert-tls server
key-direction 1
auth-nocache
resolv-retry infinite
nobind

<ca>
-----BEGIN CERTIFICATE-----
MIIFSzCCAzOgAwIBAgIUBAY1yXnehc9/prW5vj0B9VxX5W0wDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODE5MTIxMjU0WhcNMjkw
ODE2MTIxMjU0WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAL202M03vD3iLoycOKYoMRSZysoOm6lVbMgRq3AE
gHz/yf5dRddQmJTfKMtkltwGhrCxt6TG69ABSVtEqmp6FUtGLgizg5VOmPcelzJm
6uWK2GsxLU458yBBmH78hinj91ZVTyAnDKCcE7u1clat5Ik6XVYfw3u9qGqZuMDG
I7UgvCxguzxz6u4cEkmn9925GzSNj/AOEflcKm9G9PeVTVw6HFSpU0owGCF8flh1
oEXbuWeI+KEiYYRyRxP+A92yZ9vZJRdKYKKfspMPf36TStZnOyvibkZ44IEnP35c
ci4tJgjTPb9epFqwXTo3sjbgzt/L9usrn4Me4qxSy5poq9oKG9a4RsZw8q2dc1l1
/Ovq8/cwGTPl90j7YsBcU2lO0XQ4lsCjtGd6ag+KK1wSFI+WNcndXUgfQuW8D5vg
HlkZnmm/v6Rnrq0FlO19utPr2ITJA7VkCfSU2HQ1TTbNERFRb1TLixLgrmcb1Uj5
O+avOWbgwqosfs9TqVS17bn0p8P3Jir+Hag1lGCfEUy7IVEb2VuDVkE48EjSh+Iq
myTmFTOh61JRXmo6ITxLV8Xfkua5YgDVU8fyNC3FN2czSykfZ9/TubsyPbvMPWmq
gM9zraY737EYNEplFbMGntVLewbSyZ2anvG8cp6SPwyqsCUqyG+FSuTU9/bcf97o
+GiRAgMBAAGjgZAwgY0wHQYDVR0OBBYEFBYpLCwPEfwBiqE5nNftBx5jBsVlMFEG
A1UdIwRKMEiAFBYpLCwPEfwBiqE5nNftBx5jBsVloRqkGDAWMRQwEgYDVQQDDAtF
YXN5LVJTQSBDQYIUBAY1yXnehc9/prW5vj0B9VxX5W0wDAYDVR0TBAUwAwEB/zAL
BgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAJIirZpVler1ei7NECsy5Y4y
yTs60f5xHLAlb7x1EiwbcMbnV3t45UzQ4+fqbiAZ4hmn9hrHgHcocD14Epz6KOsF
gulfaBngIWMvGKjBSO4o3udLzNaq2A0q3lDNXOa2HjNR1hPopGzzU1odoD4bbjfU
Y/aEzKIk7FaDlRkyA1ZmtMuAvyPPxEefuZf9ay75Pte+JU1/Ar/htghm+TcCt+7C
h49xDmUBsMMbmIiQnWfet6Vtp5ry5/4jXObNr30VPiJ2cB+Lq8j21hrZHSiFIPYa
iC9qmGWFHfqfBCUOVggG1dOtKk7R50IbBfqTU56BO/VbyLY38j08nOOil0GQYNH6
LiZtFUzOtkOYQnoZbgbfAJimuENH6QQ8le926muJxEtMVtqGfB03mWjjEhysUH2o
vSHix5r6X1aLIZb+hXtdIl6YRsKXe+eQOwsv52js4neTXXR/1JW1z0cYlLYJVI4w
3oZn6zJkIgacOZ6CCovjXuHGWujUVz6fIa/y/ouSDQoiO3uh6jGrf/IpMOtNhXDc
MkCYgyb0miGLgrIPvo5ldCbqiBtWyj1VHe1p2oRROO1Q1k1Mx8anuSyjmWxbZhZ3
/46GHj46nCPXbjpGHGzTQBj65mTgAqgeyEeytnw2h6LT77lZnKgMkK99zAmpLeY9
Hu0k/Wy3HGzkX7eHcNxg
-----END CERTIFICATE-----

</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIFVDCCAzygAwIBAgIQKiiQdfyK6Hz4QGwRCI6zODANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtFYXN5LVJTQSBDQTAeFw0xOTA4MTkxMjUwMTFaFw0yOTA4MTYx
MjUwMTFaMBExDzANBgNVBAMMBmNsaWVudDCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAM12yuq/oW6cOURN0eihRau2joHz9VY/Ofj1fJZreZr/8Zo2anWA
5EXA1kEotYNiw9QLGRcjHqnzne1p9RTVvxUKBsHJmN2PtsWconiN5KYFHftzLw6S
+Pd7Knh03SgPf07/5a+jJeQaFelb/oGnKJRQBBHyrCNEQmpVErluKU/udTTnvWvi
GvipN5hWULJ1sLSuUez+gDSNREEKedxQ5/qmujJo8ttuteQJjv0H9YIo2kz0biLs
N3NQ5kxgrkblRKM7WVASx5urpFZdiJCzCmgu1Ti8ADd0UEozlTuXbIyTHzo4SbT2
355CtGxSSWaXD0OD9o8n1C1BH/ovctVriYpRtMwY2kRGj7OweDQPHwjPuHIvww40
ZrIueswV+OtQe+SrtEcz62kAdukistQ5cTwTsPMu+ex/LWbb9t0rInGz/kW5/WnE
L67wMOTrdRqnGiAwzddl53EuPDWwdZrmNX11QTZJy0UQApV6vMnFnbsaB40lmWBR
c6UpKZo3seqiXCDF/JQFR1Dg97PIZcEnVXPfp/8ouhIZc8bPcFfK25DKW0rAZfGN
xFQliZpXhX1i2kBZseMAxEtd1xTDR8f3slbe/AYK4QdJ3PfC2i5WTnBk4tm84wva
oLLCpw43ZupPSpemlY00xCaUnd9aQX/ArT6bjeBK959cK0lvY8fazy4HAgMBAAGj
gaIwgZ8wCQYDVR0TBAIwADAdBgNVHQ4EFgQUS/ybAYI204KkLjbnbEFo0FcDSm4w
UQYDVR0jBEowSIAUFiksLA8R/AGKoTmc1+0HHmMGxWWhGqQYMBYxFDASBgNVBAMM
C0Vhc3ktUlNBIENBghQEBjXJed6Fz3+mtbm+PQH1XFflbTATBgNVHSUEDDAKBggr
BgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAJuGJbYVULwT
MMiDhSVQ8dc5pOyLfsV/W0SjqvxW+h2I0PWoMCoGYW9xDCKn4qwyb3UO8iovQoP1
g/prkPBbMFtGimu3NzLsj78hClqcsVmWZCXqq9aCAWOboluJt8Vnlpy588fARfVl
n7pXtfVqY3QC7Ww133ARVmjk5d+uDHTbK7BoHQGkErTNFJToKvkK3t3TcjDfgjaF
0hy1WotBGTKS/C2mRtPiN4UhY40uFa+7uskloCn0PvXdF+OsSuk5RqZGQ8qqvq1q
rGpASucrpmpe7oKw0NPosSqLNF5dWvQP5tqiiTJ6zcsWf34SWdxp0umTck6RuEmT
mNtmA2GF+0sUXw4Jvpr9aZPU66EYHgAqOIvmmMV6aO36wrQnABf7wruiNmuRdhdQ
6K6aX5HyLogqMsjMlxDJ4VSMsioweO7Y1BSeVltabOcGSijFTa6BEj8iCi9x7c0t
uY5yI14zjlNiHJQYX/lQtij/plTrDehg7yisOubaB8QanTRrbMx6jnXu1HE/6uV9
oDNjFkcis9Vv+o3J7k9PsbhZoiyg5x9yKquamIMwUfkLrWZF/rblz10Fuy97QRCj
6ClIHYfvb24IV1/lJMIm3y5WZmrN7CVJo+0BLEbjgyvESN6GZVSaRoSYVNTLK5J9
3TK+dMf8i6Xc40k/jxFYaK7RVbogB9Gl
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDNdsrqv6FunDlE
TdHooUWrto6B8/VWPzn49XyWa3ma//GaNmp1gORFwNZBKLWDYsPUCxkXIx6p853t
afUU1b8VCgbByZjdj7bFnKJ4jeSmBR37cy8Okvj3eyp4dN0oD39O/+WvoyXkGhXp
W/6BpyiUUAQR8qwjREJqVRK5bilP7nU0571r4hr4qTeYVlCydbC0rlHs/oA0jURB
CnncUOf6proyaPLbbrXkCY79B/WCKNpM9G4i7DdzUOZMYK5G5USjO1lQEsebq6RW
XYiQswpoLtU4vAA3dFBKM5U7l2yMkx86OEm09t+eQrRsUklmlw9Dg/aPJ9QtQR/6
L3LVa4mKUbTMGNpERo+zsHg0Dx8Iz7hyL8MONGayLnrMFfjrUHvkq7RHM+tpAHbp
IrLUOXE8E7DzLvnsfy1m2/bdKyJxs/5Fuf1pxC+u8DDk63UapxogMM3XZedxLjw1
sHWa5jV9dUE2SctFEAKVerzJxZ27GgeNJZlgUXOlKSmaN7HqolwgxfyUBUdQ4Pez
yGXBJ1Vz36f/KLoSGXPGz3BXytuQyltKwGXxjcRUJYmaV4V9YtpAWbHjAMRLXdcU
w0fH97JW3vwGCuEHSdz3wtouVk5wZOLZvOML2qCywqcON2bqT0qXppWNNMQmlJ3f
WkF/wK0+m43gSvefXCtJb2PH2s8uBwIDAQABAoICAD802S2oMAA3/QH/MqDu4+D0
MxjVNNcIckwdMOuROoKtU+TN8qgdM5wlu4OmA1jczENx+pD8k9VShXXgz61OKA9P
205IN0eJi391NSIC/KD6GAQfpg1Et2RitmkCAnrtcYua+0yx0tk+ERmN3FiEVN5z
Ux02WzAqMohFjZIPypO1Vsckt0f18bgnTlwFyaNswySCL9/JVyVTg/jCQUS+eu7H
1aXmVTed8kSpkBxVE3isGqPr2enSYyiNbZt3boWOyDOy8UHJ1TAVeGO9OGLTQVNV
fPCMHUDx/jUlczY22gTQyZ1+bWZHP/mOqbRdCAmQVPi/It1dMk+NpkmvyRLQlymx
HQF0yxcK7uHCC52D62enCAanPU3yJpcMzfQcazwWonllWuRFaikl/tqk66drMo2R
VYBokfeiylJVipXbfGuTYtrZGcUCGT4uhN92D2woaBDpAoYVLBl/PaebLTe5Sb+F
ZJAj7nxY6bcV5GvrQq1p6r5xrGnTPqXN+naADTSR6Feyugy6kjOqJIFF/cY5mufG
XLTUwGRm9PjTT3h+xeWRsx28MvkOgbZU/7QcyGAbnlidMyNSlR/WqT4JD5LmRFK/
1n3RfnEIFdu1dhAIUOLSye2BMLvlw0o5leB02hbYYowUmTSHIdSpZqa2Wocf+mu6
N0ZTSAV72W7mh2HOLRNxAoIBAQD+8jt8z6u1X9ckI0pl6jbKKRbDZYeywoPFS9oX
3poFTEzUABYYGdV20eBKzokw4+7sMZb6cgpjUiwJzkZQnP3Www7wqgbY3TGC/e4d
iz9y96LtZtbfWBSX9A5Y+VqDcz7AfaAJzz+l4N7NB7DmF3UIlFn1Vp+uuCxaYbKA
v+219H9xnfqpJjZDV50+5RD8W4KLikWzMn42HdKarrMkN6fL/Aby3alzPQAElsZ6
6F9bJSWODOUUuagCZVz6+uaInJHnqz1RTyUd/LqaAmNp08TiNnB1pkBAHaog74ux
57kQIqlIQu1QxyHxf8OjS+2daeD/VaxxS3VKSgzxmVg3FHyJAoIBAQDOUDOQD3lX
zn+z8awlZ4PwANQZg0lI3NyU01t0pRkOjz7B0mrUMpsKQq6doWwZrn8SGdG8JqqY
4Rg1YUrhwWkmU7R+uyn76kAS6spGKbks/uf2OD9lbd5+ZTiJY889+uElpW+D8p8K
PLwHf+vWkKOkrcUurOMNDrsLS4y3PbWsvT5f9z77XEKLvqV1AgMn4F1R4AyCbX6W
4+48Cosp1CuI/3EeA70rzPCernlYhnQBwlUyx28wl1l/NnyRna1WQg8efDPBMqs4
rTwJv7yfCVPpnhjcmTVrqtdna4aZ1O6ASmZSktxt6DjFdg05+NC+fJKqiui134Ej
4ucjKcEM+FIPAoIBAQDWtfb3pIZ+GBs+qiIMNvaxx20OXsGsATmsvbcNh0G72IiT
uwbggVFP4m29Urgj3rLnZNQ8VDL/dsLz9y8s0SrO5jP855Ugqxj5sxYI968WCgzD
V2r7aljdqIM017wtHK/quWJBILP/5aR+lE2dWoAMG7SvdKbDJQTlkYYd/IYcSa/T
ZjMmpbHpgS5DO/PUNNV645bT1mCI/xDRiPQCOoUsvDK184y0KtmLA9hgxrcYMe6w
9ZcwnzMp4WgvT4M75nDS5Vqc0cT2vlQBRKWpCNq1kRehXcSauuD/H/9Mc1Vei3J6
EzN+Zlbl5q5DJr0VZ4hAQk0alWxQhpDkIDs1GCHRAoIBAFXwPHo+p9n2j2VCPuXZ
x7Cad78k28r5DP0FSWw+NUDGVGriHlPDvKc6fYf1rJTKBe5hSOcp6BgEc1QQ8eM1
8HnhlibQCb4Apq36lUVCrfrbN35tkaLLcEmQGkvIgpQbw9stnVUGJE9cWyp4k6Ft
4GyBYch+hZlz0F/1GWle0CVjMu9Ai0Ci/qk9QaiKrQvYPqcTP8K4n2l1ClCCR9Ol
qHjJhrHs9sie9n/yx2MjpoDxFRIw1tUTxljiNmNlncV3gNq++8P3OjFCn+ajsotA
lG6Ux2BkhUcTA+T1ejzr4GkaFKNCv4UcnUFLWlkSlskyFNnrQOI5do6fPo58Hwkr
CusCggEAUT9TOGQ7RihFcsaoDcPIb8aY79Kd9UUeH+wce37jjz0In5f1ns+tFy+w
ApDtwRrKJjwNMeT9HTjQlxxyR5QMQg1C6gcybCmjuX876X9d1XVviXd58W9zF3NA
EfxQ5WJggTtG0IsCFUqdt0hMP6OtFUAbRVtyI8efYf99WGtmIGwItBluHiOIm+Ne
Kxp1mnOhPjxHlg8J9u6ZIdExcuqFXWXHzZZsvVrqV21uXxI3EPMweUqDBVT5gddv
cbH04BsDbIv6kMKq0dvU2eTBeuuSHB1LX3BqD01a+g/zl9IQDVV0RX79WnhomZbm
yQqTdZUl6pGsOBeSsvhg5m+hKoNFjA==
-----END PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
54699e0450f9016620d5a06ec2f7c68e
224ea20ef130843aa5198bd0c9939d12
374aaf575f521cba499609e946680abe
aeb92f44c9809894be77bd5106450882
b9cd9b853c3adf79a91abb8824ec471d
3c364dc4a689d119c056d2060f8c5fa5
8999da4c405cb17fc51b1d0c5556296c
a19c563d0d9404af3d98ea3430681ad8
076008a17724165c125d00b889c5e961
6d49e9f943c51776bc0f530f0858aa88
264565662ee65cb1b865cbb78e05d26c
087ececa81fdb8136d13a7617ca16d01
9237bf465a9e3f2eff2794120a6e2220
b9fc202d5f7352694a2ef98cefc5f779
383f7af6743607e1e6dce808143bc07e
20d61b1a070e87cc61f574c03cd0a76e
-----END OpenVPN Static key V1-----
</tls-auth>

下载Openvpn 客户端并测试

导入配置文件,倘若配置成功,连接成功后会获取到一个由openvpn提供的ip地址,如下输出中的10.8.0.3

PS C:\Windows\system32> ipconfig

Windows IP 配置

以太网适配器 以太网 3:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::9c3a:c952:e0ff:3949%6
   IPv4 地址 . . . . . . . . . . . . : 10.8.0.3
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

无线局域网适配器 WLAN:

   连接特定的 DNS 后缀 . . . . . . . : lan
   本地链接 IPv6 地址. . . . . . . . : fe80::c542:da26:5f36:78%21
   IPv4 地址 . . . . . . . . . . . . : 192.168.2.160
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.2.1

到这一步成功,即意味着openvpn服务的搭建、证书的配置都是正确的

公网测试Openvpn连接配置

我们修改连接的ip地址为公网IP,随后进行测试

倘若我们直接连接测试,会发现可以连接上,不过访问其余网段是有问题的

比如openvpn搭建的网段是192.168.20.0/24(即实验环境),那么只能访问到本网段的地址

倘若要连接其余网段的地址,还需要在Server端和Client端进行部分配置

修改Server端openvpn配置

在文件中添加路由推送,修改后的配置文件如下 “list push 'route”字段所示

[email protected]:~# cat /etc/config/openvpn

config openvpn 'server'
        option dev 'tun'
        option port '1194'
        option cipher 'AES-256-GCM'
        option keepalive '10 60'
        option ca '/etc/openvpn/certs/ca.crt'
        option cert '/etc/openvpn/certs/server.crt'
        option key '/etc/openvpn/certs/server.key'
        option dh '/etc/openvpn/certs/dh.pem'
        option tls_auth '/etc/openvpn/certs/ta.key 0'
        option server '10.8.0.0 255.255.255.0'
        option topology 'subnet'
        list push 'route 192.168.0.0 255.255.0.0'
        list push 'route 172.16.0.0 255.240.0.0'
        list push 'route 10.0.0.0 255.0.0.0'
        list push 'dhcp-option DNS 192.168.20.1'
        option tls_server '1'
        option auth_nocache '1'
        option verb '1'
        option client_to_client '1'
        option float '1'
        option comp_lzo 'adaptive'
        option persist_tun '1'
        option persist_key '1'
        option duplicate_cn '1'
        option enabled '1'
        option proto 'tcp-server'

添加完这些配置后,客户端在连接上服务器后,服务端会向客户端发送这些路由并注入到客户端的路由表中

修改iptables中NAT转发规则

打开命令行,登录至路由器,输入如下命令

查询iptables nat规则,可以在Chain POSTROUTING (policy ACCEPT)中看到新添加的nat规则

[email protected]:~# iptables -nL -t nat

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  10.8.0.0/24          0.0.0.0/0           
postrouting_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
zone_lan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_openvpn_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

至此完成openvpn的跨网段访问

局域网配置
上一篇: 网络互联-局域网-广域网
下一篇: 网络基础之 局域网与广域网一、局域网二、广域网