This article is not about deploying OpenVPN Access Server, but the open-source OpenVPN server. All operations in this article are performed as the root user; if you are not root, use sudo to elevate privileges where appropriate.
Installing OpenVPN
On Ubuntu 24.04, OpenVPN can be installed directly with the apt package manager. Install easy-rsa at the same time; it is used later to sign the certificates.
apt install openvpn easy-rsa
Signing certificates
The easy-rsa tool makes signing certificates straightforward. In total, the following must be issued: a CA certificate, a server certificate with its private key, and a client certificate with its private key.
Initialize the certificate working directory with the following command.
make-cadir /etc/openvpn/easy-rsa
Signing the CA certificate
Run the following commands in the certificate working directory and follow the interactive prompts.
./easyrsa init-pki
./easyrsa build-ca
Signing the server certificate and server private key
Run the following commands in the certificate working directory and follow the interactive prompts.
./easyrsa gen-req myservername nopass
./easyrsa gen-dh
./easyrsa sign-req server myservername
Signing the client certificate and client private key
Run the following commands in the certificate working directory and follow the interactive prompts.
./easyrsa gen-req myclient1 nopass
./easyrsa sign-req client myclient1
Deploying the CA certificate, server certificate and server private key
Copy the CA certificate, server certificate and server private key (together with the DH parameters) into OpenVPN's configuration directory; the configuration file references them later.
cp pki/dh.pem pki/ca.crt pki/issued/myservername.crt pki/private/myservername.key /etc/openvpn/
Writing the OpenVPN server configuration file
Create a new configuration file on the server; a sample follows.
vi /etc/openvpn/server.conf
Sample configuration file
A sample configuration file follows for reference; the key directives are also explained below.
#################################################
# Sample OpenVPN 2.6 config file for
# multi-client server.
#
# This file is for the server side
# of a many-clients <-> one-server
# OpenVPN configuration.
#
# OpenVPN also supports
# single-machine <-> single-machine
# configurations (See the Examples page
# on the web site for more info).
#
# This config should work on Windows
# or Linux/BSD systems. Remember on
# Windows to quote pathnames and use
# double backslashes, e.g.:
# "C:\\Program Files\\OpenVPN\\config\\foo.key"
#
# Comments are preceded with '#' or ';'
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable/open
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.
# You may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" project at
# https://github.com/OpenVPN/easy-rsa
# for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
#
# If you do not want to maintain a CA
# and have a small number of clients
# you can also use self-signed certificates
# and use the peer-fingerprint option.
# See openvpn-examples man page for a
# configuration example.
ca ca.crt
cert myservername.crt
key myservername.key # This file should be kept secret
# Diffie hellman parameters.
# The "./easyrsa gen-dh" step above wrote pki/dh.pem,
# which was copied to /etc/openvpn/dh.pem.
dh dh.pem
# Allow to connect to really old OpenVPN versions
# without AEAD support (OpenVPN 2.3.x or older)
# This adds AES-256-CBC as fallback cipher and
# keeps the modern ciphers as well.
;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 1.2.3.4 255.255.255.255"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this on non-Windows
# systems after creating a dedicated user.
;user openvpn
;group openvpn
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log /var/log/openvpn/openvpn-server.log
log-append /var/log/openvpn/openvpn-server.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
Key configuration directives
;local a.b.c.d # IP address to listen on; by default all addresses
port 1194 # listening port
proto udp # listening protocol (tcp/udp)
dev tun # device type (tap/tun)
ca ca.crt # path of the CA certificate
cert myservername.crt # path of the server certificate
key myservername.key # path of the server private key
dh dh.pem # Diffie-Hellman parameters
topology subnet
server 10.8.0.0 255.255.255.0 # client IP address pool
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 1.2.3.4 255.255.255.255" # route pushed to clients
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn-server.log
verb 3
explicit-exit-notify 1
The meaning of each directive is annotated in the comments; two points deserve attention. First, the values of the four directives ca, cert, key and dh are the paths of the corresponding files. Second, there can be more than one push directive; push "route 1.2.3.4 255.255.255.255" pushes a route for 1.2.3.4/32 with the OpenVPN gateway as the next hop to the client. See the official documentation for details on its use.
Configuring iptables on the OpenVPN server
Because traffic from OpenVPN clients is NATed on the server, a NAT rule must be added in iptables.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
In the command above, 10.8.0.0/24 must be changed to the address pool configured by the server directive in server.conf, and eth0 must be changed to the network interface on which the server accepts connections.
Enabling Linux kernel IP forwarding for OpenVPN
OpenVPN relies on the Linux kernel to forward packets, so the corresponding feature must be enabled.
Edit the kernel parameter configuration file.
vi /etc/sysctl.conf
Add or modify this entry.
net.ipv4.ip_forward=1
Load the kernel configuration.
sysctl -p /etc/sysctl.conf
Starting the OpenVPN service
Ubuntu 24.04 manages the OpenVPN service through systemd by default, so the service can be started with the following command.
systemctl start openvpn@server.service
The service can also be enabled to start automatically at boot with the following command.
systemctl enable openvpn@server.service
Note that the server part of the service name openvpn@server.service must match the server in the configuration file name server.conf.
Writing the client configuration file
Write the client configuration file to match the server configuration.
Sample configuration file
##############################################
# Sample client-side OpenVPN 2.6 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# On Windows, you might want to rename this
# file so it has a .ovpn extension
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 2.3.4.5 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user openvpn
;group openvpn
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ca.crt
;cert client.crt
;key client.key
# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# Allow to connect to really old OpenVPN versions
# without AEAD support (OpenVPN 2.3.x or older)
# This adds AES-256-CBC as fallback cipher and
# keeps the modern ciphers as well.
;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
<ca>
-----BEGIN CERTIFICATE-----
(CA certificate contents omitted)
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
(client private key contents omitted)
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
(client certificate contents omitted)
-----END CERTIFICATE-----
</cert>
Key configuration directives
client # declares this file as a client configuration
dev tun # device type; must match the server
proto udp # protocol; must match the server
remote 2.3.4.5 1194 # the server's IP address and listening port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
# Copy the contents of the CA certificate into the <ca></ca> tag pair.
<ca>
-----BEGIN CERTIFICATE-----
(CA certificate contents omitted)
-----END CERTIFICATE-----
</ca>
# Copy the contents of the client private key into the <key></key> tag pair.
<key>
-----BEGIN PRIVATE KEY-----
(client private key contents omitted)
-----END PRIVATE KEY-----
</key>
# Copy the contents of the client certificate into the <cert></cert> tag pair.
<cert>
-----BEGIN CERTIFICATE-----
(client certificate contents omitted)
-----END CERTIFICATE-----
</cert>
The meaning of each directive is annotated in the comments; two points deserve attention.
The dev, proto and remote directives must match the server configuration.
The three tag pairs must be filled with the contents of the corresponding certificate or key.