Skip to content

Instantly share code, notes, and snippets.

@shellexy

shellexy/openvpn 配置.txt

Last active July 30, 2017 15:35
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save shellexy/628cd0c3c978f60d2cab355b02306d85 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save shellexy/628cd0c3c978f60d2cab355b02306d85 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
openvpn 配置.txt
配置
安装::
sudo aptitude install openvpn udev lzop easy-rsa
生成 CA 证书::
sudo su
make-cadir /etc/openvpn/easy-rsa/2.0
cd /etc/openvpn/easy-rsa/2.0
source vars
./clean-all
./build-ca
生成服务器端证书和密钥,server为名字可以自定义::
./build-key-server server
此步也是会提示输入一些信息,前面的信息直接回车按默认信息,提示 Sign the certificate? [y/n]:时输入 y,提示1 out of 1 certificate requests certified, commit? [y/n] 也是输入 y。
生成客户端证书和密钥,client为名字可以自定义,注意前面的./build-key-server与./build-key client输入的名字不能相同::
./build-key client
前面的信息直接回车按默认信息,提示Sign the certificate? [y/n]:时输入y,提示1 out of 1 certificate requests certified, commit? [y/n] 也是输入y
生成其他的客户端就是执行::
./build-key 你想添加的客户端的名字
生成的证书和密钥存放在/etc/openvpn/easy-rsa/2.0/keys/下面。
---------------------
编辑/etc/openvpn/server.conf 为::
local 192.168.1.101 #这里替换成你的vps的IP#
port 10037 #相应的端口
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server 10.168.2.0 255.255.255.0 #客户端使用的IP段,不要与你本机的网段冲突#
;push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 172.68.2.0 255.255.255.0 vpn_gateway"
push "route 3.0.0.0 255.0.0.0 vpn_gateway"
push "route 4.0.0.0 255.0.0.0 vpn_gateway"
push "route 8.0.0.0 255.0.0.0 vpn_gateway"
push "route 17.0.0.0 255.0.0.0 vpn_gateway"
push "route 198.0.0.0 255.0.0.0 vpn_gateway"
push "route 209.0.0.0 255.0.0.0 vpn_gateway"
push "route 210.0.0.0 255.0.0.0 vpn_gateway"
push "route 216.0.0.0 255.0.0.0 vpn_gateway"
push "route 61.0.0.0 255.0.0.0 vpn_gateway"
push "route 64.0.0.0 255.0.0.0 vpn_gateway"
push "route 66.0.0.0 255.0.0.0 vpn_gateway"
push "route 70.0.0.0 255.0.0.0 vpn_gateway"
push "route 72.0.0.0 255.0.0.0 vpn_gateway"
push "route 74.0.0.0 255.0.0.0 vpn_gateway"
push "route 173.0.0.0 255.0.0.0 vpn_gateway"
push "route 204.0.0.0 255.0.0.0 vpn_gateway"
push "route 69.0.0.0 255.0.0.0 vpn_gateway"
push "route 199.0.0.0 255.0.0.0 vpn_gateway"
push "route 203.0.0.0 255.0.0.0 vpn_gateway"
push "route 31.0.0.0 255.0.0.0 vpn_gateway"
push "route 69.58.0.0 255.255.0.0 vpn_gateway"
push "route 46.0.0.0 255.0.0.0 vpn_gateway"
push "route 107.0.0.0 255.0.0.0 vpn_gateway"
;client-to-client # 注释使得客户端不能直接相互访问
duplicate-cn # 允许多个相同 Common Name 的客户端同时登陆
keepalive 30 120 # 设置服务端检测的间隔和超时时间 每 30 秒 ping 一次,如果 120 秒没有回应则认为对方已经 down
;cipher BF-CBC # 默认就用加密算法 Blowfish
comp-lzo
max-clients 50
persist-key # 通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys
;persist-tun # 通过keepalive检测超时后,重新启动VPN,一直保持tun或者tap设备是linkup的,否则网络连接会先linkdown然后linkup
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
-----------------------------
设置IP转发::
iptables -t nat -A POSTROUTING -s 10.168.2.0/255.255.255.0 -j SNAT --to-source "你VPS的对应IP"
修改/etc/sysctl.conf 的内容为::
net.ipv4.ip_forward = 1
重新载入/etc/sysctl.conf使其生效,执行如下命令::
sysctl -p
#note #openvpn 同时支持 tcp udp
在/etc/openvpn/下创建两个 .conf 的配置文件,如: server_tcp.conf 和 server_udp.conf
将配置文件中的 proto 项分别设置为 proto tcp 和 proto_udp
这样在启动 openvpn 的时候就会根据这两个配置文件启动两个进程
$ sudo service openvpn start
* Starting virtual private network daemon(s)...
* Autostarting VPN 'server_tcp'
* Autostarting VPN 'server_udp'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment