服务器使用树莓派3b+,操作系统选FreeBSD14.1,由于FreeBSD无法识别树莓派的WiFi,只能使用有线网络。
环境服务器端准备工作初始化生成CA制作服务器证书制作加密材料制作dh.pem创建服务器端配置文件编辑/etc/rc.conf以启动openvpn服务服务器启用NAT客户端制作客户端证书和密钥对制作客户端配置文件配置文件示例server.conf 内容如下client.conf 内容如下
xxxxxxxxxx$ mkdir ~/easy-rsa$ ln -s /usr/local/share/easy-rsa/* ~/easy-rsa/$ sudo chown lidapeng ~/easy-rsa$ chmod 700 ~/easy-rsa注意:以后所有工作都在 /home/lidapeng/easy-rsa/ 目录下完成。
进入 /home/lidapeng/easy-rsa/ 目录,先运行 easyrsa init-pki 行初始化,然后创建 vars 文件,内容如下:
xxxxxxxxxxset_var EASYRSA_REQ_COUNTRY "CN"set_var EASYRSA_REQ_PROVINCE "GuangDong"set_var EASYRSA_REQ_CITY "Guangzhou"set_var EASYRSA_REQ_ORG "dapeng.li"set_var EASYRSA_REQ_EMAIL "lidapeng@dapeng.li"set_var EASYRSA_REQ_OU "Community"set_var EASYRSA_REQ_CN "p3b.dapeng.li"set_var EASYRSA_ALGO "ec"set_var EASYRSA_DIGEST "sha512"运行以下命令:
xxxxxxxxxx$ easyrsa bulid-ca nopass命令执行完成后会生成两个文件:
创建目录 /usr/local/etc/openvpn/ ,并将ca.crt复制该目录中。
xxxxxxxxxx$ sudo mkdir /usr/local/etc/openvpn$ sudo cp pki/ca.crt /usr/local/etc/openvpn/执行以下命令生成服务器私钥(pki/private/server.key)和证书请求文件(pki/reqs/server.req):
xxxxxxxxxx$ easyrsa gen-req server nopass执行以下命令生成服务器证书(pki/issued/server.crt):
xxxxxxxxxx$ easyrsa sign-req server server将以上server.crt和server.key复制到 /usr/local/etc/openvpn/ 目录中,以便openvpn服务启动时找到它们。
运行以下命令生成ta.key,并将其复制到 /usr/local/etc/openvpn/ 目录中:
xxxxxxxxxx$ openvpn --genkey secret ta.key$ sudo cp tar.key /usr/local/etc/openvpn/运行以下命令生成dh.pem,并将其复制到 /usr/local/etc/openvpn/ 目录中:
xxxxxxxxxx$ easyrsa gen-dh$ sudo cp pki/dh.pem /usr/local/etc/openvpn//usr/local/etc/openvpn/server.conf ,内容如下:
xport 19proto udpdev tunca ca.crtcert server.crtkey server.keydh dh.pemtls-crypt ta.keycomp-lzoserver 10.8.0.0 255.255.255.0push "redirect-gateway local def1 bypass-dns"push "dhcp-option DNS 8.8.8.8"duplicate-cnlog-append /var/log/openvpn/openvpn.logtopology subnetpersist-keypersist-tunkeepalive 10 60cipher AES-256-GCMverb 3daemonuser nobodygroup nogroup添加以下行:
xxxxxxxxxxopenvpn_enable="yes"openvpn_if="tun"openvpn_configfile="/usr/local/etc/openvpn/server.conf"编辑 /boot/loader.conf ,加入以下内容:
xxxxxxxxxxnet.inet.ip.fw.default_to_accept="1"编辑/etc/rc.conf,加入以下内容:
xxxxxxxxxxfirewall_enable="YES"firewall_type="open"gateway_enable="YES"natd_enalbe="YES"natd_interface="ue0"natd_flags="-dynamic -m"完成后重启。
在 /home/lidapeng/easy-rsa 目录中运行以下命令:
xxxxxxxxxx$ easyrsa gen-req client1 nopass$ easyrsa sign-req client client1文件名为 client.ovpn ,内容如下:
xxxxxxxxxxclientdev tunproto tcpport 19resolv-retry infinitenobindcomp-lzopersist-keypersist-tunremote 【服务器地址】<ca>ca.crt文件中的内容</ca><cert>clinet1.crt中的内容</cert><key>clinet1.key中的内容</key><tls-crypt>ta.key中的内容</tls-crypt>OpenVPN安装后会在 /usr/local/share/examples/openvpn/ 中生成一些配置文件的示例,其中 sample-config-files 里面的 server.conf 和 client.conf 这两个文件可供参考。
xxxxxxxxxx################################################## Sample OpenVPN 2.6 config file for ## multi-client server. ## ## This file is for the server side ## of a many-clients <-> one-server ## OpenVPN configuration. ## ## OpenVPN also supports ## single-machine <-> single-machine ## configurations (See the Examples page ## on the web site for more info). ## ## This config should work on Windows ## or Linux/BSD systems. Remember on ## Windows to quote pathnames and use ## double backslashes, e.g.: ## "C:\\Program Files\\OpenVPN\\config\\foo.key" ## ## Comments are preceded with '#' or ';' ################################################### Which local IP address should OpenVPN# listen on? (optional);local a.b.c.d# Which TCP/UDP port should OpenVPN listen on?# If you want to run multiple OpenVPN instances# on the same machine, use a different port# number for each one. You will need to# open up this port on your firewall.port 1194# TCP or UDP server?;proto tcpproto udp# "dev tun" will create a routed IP tunnel,# "dev tap" will create an ethernet tunnel.# Use "dev tap0" if you are ethernet bridging# and have precreated a tap0 virtual interface# and bridged it with your ethernet interface.# If you want to control access policies# over the VPN, you must create firewall# rules for the TUN/TAP interface.# On non-Windows systems, you can give# an explicit unit number, such as tun0.# On Windows, use "dev-node" for this.# On most systems, the VPN will not function# unless you partially or fully disable/open# the firewall for the TUN/TAP interface.;dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel if you# have more than one.# You may need to selectively disable the# Windows firewall for the TAP adapter.# Non-Windows systems usually don't need this.;dev-node MyTap# SSL/TLS root certificate (ca), certificate# (cert), and private key (key). Each client# and the server must have their own cert and# key file. The server and all clients will# use the same ca file.## See the "easy-rsa" project at# https://github.com/OpenVPN/easy-rsa# for generating RSA certificates# and private keys. Remember to use# a unique Common Name for the server# and each of the client certificates.## Any X509 key management system can be used.# OpenVPN can also use a PKCS #12 formatted key file# (see "pkcs12" directive in man page).## If you do not want to maintain a CA# and have a small number of clients# you can also use self-signed certificates# and use the peer-fingerprint option.# See openvpn-examples man page for a# configuration example.ca ca.crtcert server.crtkey server.key # This file should be kept secret# Diffie hellman parameters.# Generate your own with:# openssl dhparam -out dh2048.pem 2048dh dh2048.pem# Allow to connect to really old OpenVPN versions# without AEAD support (OpenVPN 2.3.x or older)# This adds AES-256-CBC as fallback cipher and# keeps the modern ciphers as well.;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC# Network topology# Should be subnet (addressing via IP)# unless Windows clients v2.0.9 and lower have to# be supported (then net30, i.e. a /30 per client)# Defaults to net30 (not recommended)topology subnet# Configure server mode and supply a VPN subnet# for OpenVPN to draw client addresses from.# The server will take 10.8.0.1 for itself,# the rest will be made available to clients.# Each client will be able to reach the server# on 10.8.0.1. Comment this line out if you are# ethernet bridging. See the man page for more info.server 10.8.0.0 255.255.255.0# Maintain a record of client <-> virtual IP address# associations in this file. If OpenVPN goes down or# is restarted, reconnecting clients can be assigned# the same virtual IP address from the pool that was# previously assigned.ifconfig-pool-persist ipp.txt# Configure server mode for ethernet bridging.# You must first use your OS's bridging capability# to bridge the TAP interface with the ethernet# NIC interface. Then you must manually set the# IP/netmask on the bridge interface, here we# assume 10.8.0.4/255.255.255.0. Finally we# must set aside an IP range in this subnet# (start=10.8.0.50 end=10.8.0.100) to allocate# to connecting clients. Leave this line commented# out unless you are ethernet bridging.;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100# Configure server mode for ethernet bridging# using a DHCP-proxy, where clients talk# to the OpenVPN server-side DHCP server# to receive their IP address allocation# and DNS server addresses. You must first use# your OS's bridging capability to bridge the TAP# interface with the ethernet NIC interface.# Note: this mode only works on clients (such as# Windows), where the client-side TAP adapter is# bound to a DHCP client.;server-bridge# Push routes to the client to allow it# to reach other private subnets behind# the server. Remember that these# private subnets will also need# to know to route the OpenVPN client# address pool (10.8.0.0/255.255.255.0)# back to the OpenVPN server.;push "route 192.168.10.0 255.255.255.0";push "route 192.168.20.0 255.255.255.0"# To assign specific IP addresses to specific# clients or if a connecting client has a private# subnet behind it that should also have VPN access,# use the subdirectory "ccd" for client-specific# configuration files (see man page for more info).# EXAMPLE: Suppose the client# having the certificate common name "Thelonious"# also has a small subnet behind his connecting# machine, such as 192.168.40.128/255.255.255.248.# First, uncomment out these lines:;client-config-dir ccd;route 192.168.40.128 255.255.255.248# Then create a file ccd/Thelonious with this line:# iroute 192.168.40.128 255.255.255.248# This will allow Thelonious' private subnet to# access the VPN. This example will only work# if you are routing, not bridging, i.e. you are# using "dev tun" and "server" directives.# EXAMPLE: Suppose you want to give# Thelonious a fixed VPN IP address of 10.9.0.1.# First uncomment out these lines:;client-config-dir ccd;route 10.9.0.0 255.255.255.252# Then add this line to ccd/Thelonious:# ifconfig-push 10.9.0.1 10.9.0.2# Suppose that you want to enable different# firewall access policies for different groups# of clients. There are two methods:# (1) Run multiple OpenVPN daemons, one for each# group, and firewall the TUN/TAP interface# for each group/daemon appropriately.# (2) (Advanced) Create a script to dynamically# modify the firewall in response to access# from different clients. See man# page for more info on learn-address script.;learn-address ./script# If enabled, this directive will configure# all clients to redirect their default# network gateway through the VPN, causing# all IP traffic such as web browsing and# DNS lookups to go through the VPN# (The OpenVPN server machine may need to NAT# or bridge the TUN/TAP interface to the internet# in order for this to work properly).;push "redirect-gateway def1 bypass-dhcp"# Certain Windows-specific network settings# can be pushed to clients, such as DNS# or WINS server addresses. CAVEAT:# http://openvpn.net/faq.html#dhcpcaveats# The addresses below refer to the public# DNS servers provided by opendns.com.;push "dhcp-option DNS 208.67.222.222";push "dhcp-option DNS 208.67.220.220"# Uncomment this directive to allow different# clients to be able to "see" each other.# By default, clients will only see the server.# To force clients to only see the server, you# will also need to appropriately firewall the# server's TUN/TAP interface.;client-to-client# Uncomment this directive if multiple clients# might connect with the same certificate/key# files or common names. This is recommended# only for testing purposes. For production use,# each client should have its own certificate/key# pair.## IF YOU HAVE NOT GENERATED INDIVIDUAL# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,# EACH HAVING ITS OWN UNIQUE "COMMON NAME",# UNCOMMENT THIS LINE.;duplicate-cn# The keepalive directive causes ping-like# messages to be sent back and forth over# the link so that each side knows when# the other side has gone down.# Ping every 10 seconds, assume that remote# peer is down if no ping received during# a 120 second time period.keepalive 10 120# For extra security beyond that provided# by SSL/TLS, create an "HMAC firewall"# to help block DoS attacks and UDP port flooding.## Generate with:# openvpn --genkey tls-auth ta.key## The server and each client must have# a copy of this key.# The second parameter should be '0'# on the server and '1' on the clients.;tls-auth ta.key 0 # This file is secret# The maximum number of concurrently connected# clients we want to allow.;max-clients 100# It's a good idea to reduce the OpenVPN# daemon's privileges after initialization.## You can uncomment this on non-Windows# systems after creating a dedicated user.;user openvpn;group openvpn# The persist options will try to avoid# accessing certain resources on restart# that may no longer be accessible because# of the privilege downgrade.persist-keypersist-tun# Output a short status file showing# current connections, truncated# and rewritten every minute.status openvpn-status.log# By default, log messages will go to the syslog (or# on Windows, if running as a service, they will go to# the "\Program Files\OpenVPN\log" directory).# Use log or log-append to override this default.# "log" will truncate the log file on OpenVPN startup,# while "log-append" will append to it. Use one# or the other (but not both).;log openvpn.log;log-append openvpn.log# Set the appropriate level of log# file verbosity.## 0 is silent, except for fatal errors# 4 is reasonable for general usage# 5 and 6 can help to debug connection problems# 9 is extremely verboseverb 3# Silence repeating messages. At most 20# sequential messages of the same message# category will be output to the log.;mute 20# Notify the client that when the server restarts so it# can automatically reconnect.explicit-exit-notify 1xxxxxxxxxx############################################### Sample client-side OpenVPN 2.6 config file ## for connecting to multi-client server. ## ## This configuration can be used by multiple ## clients, however each client should have ## its own cert and key files. ## ## On Windows, you might want to rename this ## file so it has a .ovpn extension ################################################ Specify that we are a client and that we# will be pulling certain config file directives# from the server.client# Use the same setting as you are using on# the server.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the TUN/TAP interface.;dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel# if you have more than one. On XP SP2,# you may need to disable the firewall# for the TAP adapter.;dev-node MyTap# Are we connecting to a TCP or# UDP server? Use the same setting as# on the server.;proto tcpproto udp# The hostname/IP and port of the server.# You can have multiple remote entries# to load balance between the servers.remote my-server-1 1194;remote my-server-2 1194# Choose a random host from the remote# list for load-balancing. Otherwise# try hosts in the order specified.;remote-random# Keep trying indefinitely to resolve the# host name of the OpenVPN server. Very useful# on machines which are not permanently connected# to the internet such as laptops.resolv-retry infinite# Most clients don't need to bind to# a specific local port number.nobind# Downgrade privileges after initialization (non-Windows only);user openvpn;group openvpn# Try to preserve some state across restarts.persist-keypersist-tun# If you are connecting through an# HTTP proxy to reach the actual OpenVPN# server, put the proxy server/IP and# port number here. See the man page# if your proxy server requires# authentication.;http-proxy-retry # retry on connection failures;http-proxy [proxy server] [proxy port #]# Wireless networks often produce a lot# of duplicate packets. Set this flag# to silence duplicate packet warnings.;mute-replay-warnings# SSL/TLS parms.# See the server config file for more# description. It's best to use# a separate .crt/.key file pair# for each client. A single ca# file can be used for all clients.ca ca.crtcert client.crtkey client.key# Verify server certificate by checking that the# certificate has the correct key usage set.# This is an important precaution to protect against# a potential attack discussed here:# http://openvpn.net/howto.html#mitm## To use this feature, you will need to generate# your server certificates with the keyUsage set to# digitalSignature, keyEncipherment# and the extendedKeyUsage to# serverAuth# EasyRSA can do this for you.remote-cert-tls server# Allow to connect to really old OpenVPN versions# without AEAD support (OpenVPN 2.3.x or older)# This adds AES-256-CBC as fallback cipher and# keeps the modern ciphers as well.;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC# If a tls-auth key is used on the server# then every client must also have the key.;tls-auth ta.key 1# Set log file verbosity.verb 3# Silence repeating messages;mute 20