{"id":3040,"date":"2025-12-07T16:31:54","date_gmt":"2025-12-07T08:31:54","guid":{"rendered":"https:\/\/linuxjk.cn\/?p=3040"},"modified":"2026-02-12T10:21:48","modified_gmt":"2026-02-12T02:21:48","slug":"openvpn%e7%a4%be%e5%8c%ba%e7%89%88%e6%9c%8d%e5%8a%a1%e7%ab%af%e9%83%a8%e7%bd%b2%e6%96%87%e6%a1%a3","status":"publish","type":"post","link":"https:\/\/linuxjk.cn\/?p=3040","title":{"rendered":"openvpn\u793e\u533a\u7248\u670d\u52a1\u7aef\u90e8\u7f72\u6587\u6863"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Anolis_810_%E7%B3%BB%E7%BB%9F_OpenVPN_%E6%9C%8D%E5%8A%A1%E7%AB%AF%E5%AE%8C%E6%95%B4%E9%83%A8%E7%BD%B2%E6%B5%81%E7%A8%8B%EF%BC%88%E4%BC%98%E5%8C%96%E7%89%88%EF%BC%89\"><\/span>Anolis 8.10 \u7cfb\u7edf OpenVPN \u670d\u52a1\u7aef\u5b8c\u6574\u90e8\u7f72\u6d41\u7a0b\uff08\u4f18\u5316\u7248\uff09<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%F0%9F%93%8B_%E7%9B%AE%E5%BD%95\"><\/span>\ud83d\udccb \u76ee\u5f55<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#%E4%B8%80%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87\">\u4e00\u3001\u73af\u5883\u51c6\u5907<\/a><\/li>\n\n\n\n<li><a href=\"#%E4%BA%8C%E7%BC%96%E8%AF%91%E5%AE%89%E8%A3%85-openvpn\">\u4e8c\u3001\u7f16\u8bd1\u5b89\u88c5 OpenVPN<\/a><\/li>\n\n\n\n<li><a href=\"#%E4%B8%89%E9%85%8D%E7%BD%AE-pki-%E8%AF%81%E4%B9%A6%E4%BD%93%E7%B3%BB\">\u4e09\u3001\u914d\u7f6e PKI \u8bc1\u4e66\u4f53\u7cfb<\/a><\/li>\n\n\n\n<li><a href=\"#%E5%9B%9B%E9%85%8D%E7%BD%AE-openvpn-%E6%9C%8D%E5%8A%A1%E5%99%A8\">\u56db\u3001\u914d\u7f6e 
OpenVPN \u670d\u52a1\u5668<\/a><\/li>\n\n\n\n<li><a href=\"#%E4%BA%94%E9%85%8D%E7%BD%AE%E7%BD%91%E7%BB%9C%E8%BD%AC%E5%8F%91\">\u4e94\u3001\u914d\u7f6e\u7f51\u7edc\u8f6c\u53d1<\/a><\/li>\n\n\n\n<li><a href=\"#%E5%85%AD%E5%90%AF%E5%8A%A8%E5%92%8C%E9%AA%8C%E8%AF%81%E6%9C%8D%E5%8A%A1\">\u516d\u3001\u542f\u52a8\u548c\u9a8c\u8bc1\u670d\u52a1<\/a><\/li>\n\n\n\n<li><a href=\"#%E4%B8%83%E7%94%9F%E6%88%90%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE\">\u4e03\u3001\u751f\u6210\u5ba2\u6237\u7aef\u914d\u7f6e<\/a><\/li>\n\n\n\n<li><a href=\"#%E5%85%AB%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%BF%9E%E6%8E%A5%E6%B5%8B%E8%AF%95\">\u516b\u3001\u5ba2\u6237\u7aef\u8fde\u63a5\u6d4b\u8bd5<\/a><\/li>\n\n\n\n<li><a href=\"#%E4%B9%9D%E8%AF%81%E4%B9%A6%E7%AE%A1%E7%90%86\">\u4e5d\u3001\u8bc1\u4e66\u7ba1\u7406<\/a><\/li>\n\n\n\n<li><a href=\"#%E5%8D%81%E5%AE%89%E5%85%A8%E5%8A%A0%E5%9B%BA\">\u5341\u3001\u5b89\u5168\u52a0\u56fa<\/a><\/li>\n\n\n\n<li><a href=\"#%E5%8D%81%E4%B8%80%E7%9B%91%E6%8E%A7%E5%92%8C%E7%BB%B4%E6%8A%A4\">\u5341\u4e00\u3001\u76d1\u63a7\u548c\u7ef4\u62a4<\/a><\/li>\n\n\n\n<li><a href=\"#%E5%8D%81%E4%BA%8C%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98%E6%8E%92%E6%9F%A5\">\u5341\u4e8c\u3001\u5e38\u89c1\u95ee\u9898\u6392\u67e5<\/a><\/li>\n\n\n\n<li><a href=\"#%E5%8D%81%E4%B8%89%E5%B7%A5%E4%BD%9C%E5%8E%9F%E7%90%86%E8%AF%A6%E8%A7%A3\">\u5341\u4e09\u3001\u5de5\u4f5c\u539f\u7406\u8be6\u89e3<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%B8%80%E3%80%81%E7%8E%AF%E5%A2%83%E5%87%86%E5%A4%87\"><\/span>\u4e00\u3001\u73af\u5883\u51c6\u5907<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"11_%E7%B3%BB%E7%BB%9F%E4%BF%A1%E6%81%AF%E6%A3%80%E6%9F%A5\"><\/span>1.1 \u7cfb\u7edf\u4fe1\u606f\u68c0\u67e5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># 
\u67e5\u770b\u7cfb\u7edf\u7248\u672c<br>cat \/etc\/os-release<br>\u200b<br># \u67e5\u770b\u5185\u6838\u7248\u672c<br>uname -r<br>\u200b<br># \u68c0\u67e5 TUN \u6a21\u5757\u652f\u6301<br>lsmod | grep tun<br>modprobe tun<br>echo \"tun\" &gt;&gt; \/etc\/modules-load.d\/tun.conf<br>\u200b<br># \u786e\u8ba4 TUN \u8bbe\u5907\u5b58\u5728<br>ls -l \/dev\/net\/tun<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"12_%E5%AE%89%E8%A3%85%E4%BE%9D%E8%B5%96%E5%8C%85\"><\/span>1.2 \u5b89\u88c5\u4f9d\u8d56\u5305<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u66f4\u65b0\u7cfb\u7edf<br>dnf update -y<br>\u200b<br># \u5b89\u88c5 EPEL \u4ed3\u5e93<br>dnf install epel-release -y<br>\u200b<br># \u5b89\u88c5\u7f16\u8bd1\u5de5\u5177\u94fe<br>dnf groupinstall -y \"Development Tools\"<br>\u200b<br># \u5b89\u88c5 OpenVPN \u7f16\u8bd1\u4f9d\u8d56<br>dnf install -y \\<br> &nbsp; &nbsp;gcc \\<br> &nbsp; &nbsp;make \\<br> &nbsp;  rpm-build \\<br> &nbsp;  pkgconfig \\<br> &nbsp; &nbsp;wget \\<br> &nbsp;  tar \\<br> &nbsp;  openssl-devel \\<br> &nbsp;  zlib-devel \\<br> &nbsp;  pam-devel \\<br> &nbsp;  systemd-devel \\<br> &nbsp;  krb5-devel \\<br> &nbsp;  libnl3-devel \\<br> &nbsp;  lzo-devel \\<br> &nbsp;  lz4-devel \\<br> &nbsp;  libcap-ng-devel \\<br> &nbsp;  net-tools \\<br> &nbsp;  iptables-services \\<br> &nbsp;  pkcs11-helper \\<br> &nbsp;  pkcs11-helper-devel<br>\u200b<br># \u5b89\u88c5 Easy-RSA<br>dnf install easy-rsa -y<br>#\u6216\u76f4\u63a5\u4e0b\u8f7d<br>wget https:\/\/github.com\/OpenVPN\/easy-rsa\/releases\/download\/v3.2.4\/EasyRSA-3.2.4.tgz<br>tar -xvf EasyRSA-3.2.4.tgz -C \/server\/tools<br>\u200b<br># \u9a8c\u8bc1\u5173\u952e\u4f9d\u8d56<br>rpm -qa | grep -E \"(gcc|openssl-devel|lz4-devel|easy-rsa)\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"13_%E5%88%9B%E5%BB%BA%E5%B7%A5%E4%BD%9C%E7%9B%AE%E5%BD%95%E7%94%A8%E4%BA%8E%E7%BC%96%E8%AF%91%E5%AE%89%E8%A3%85\"><\/span>1.3 \u521b\u5efa\u5de5\u4f5c\u76ee\u5f55(\u7528\u4e8e\u7f16\u8bd1\u5b89\u88c5)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa\u5de5\u5177\u76ee\u5f55<br>mkdir -p \/server\/tools<br>cd \/server\/tools<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%BA%8C%E3%80%81%E7%BC%96%E8%AF%91%E5%AE%89%E8%A3%85_OpenVPN\"><\/span>\u4e8c\u3001\u7f16\u8bd1\u5b89\u88c5 OpenVPN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"21_%E4%B8%8B%E8%BD%BD%E6%BA%90%E7%A0%81\"><\/span>2.1 \u4e0b\u8f7d\u6e90\u7801<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u4e0b\u8f7d OpenVPN 2.6.17\uff08\u63a8\u8350\u4f7f\u7528\u56fd\u5185\u955c\u50cf\u52a0\u901f\uff09<br>wget https:\/\/github.com\/OpenVPN\/openvpn\/releases\/download\/v2.6.17\/openvpn-2.6.17.tar.gz<br>\u200b<br># \u5982\u4e0b\u8f7d\u6162\uff0c\u4f7f\u7528\u955c\u50cf\u52a0\u901f<br># wget https:\/\/ghproxy.com\/https:\/\/github.com\/OpenVPN\/openvpn\/releases\/download\/v2.6.17\/openvpn-2.6.17.tar.gz<br>\u200b<br># \u9a8c\u8bc1\u4e0b\u8f7d\u5b8c\u6574\u6027\uff08\u53ef\u9009\uff1b\u8be5\u547d\u4ee4\u53ea\u8f93\u51fa\u54c8\u5e0c\u503c\uff0c\u9700\u4e0e\u5b98\u65b9\u516c\u5e03\u7684\u6821\u9a8c\u503c\u6bd4\u5bf9\uff09<br>sha256sum openvpn-2.6.17.tar.gz<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"22_%E7%BC%96%E8%AF%91%E5%AE%89%E8%A3%85\"><\/span>2.2 \u7f16\u8bd1\u5b89\u88c5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u89e3\u538b\u6e90\u7801<br>tar -zxf openvpn-2.6.17.tar.gz -C \/server\/tools<br>cd \/server\/tools\/openvpn-2.6.17<br>\u200b<br># \u914d\u7f6e\u7f16\u8bd1\u53c2\u6570<br>.\/configure \\<br> &nbsp; &nbsp;--prefix=\/usr\/local \\<br> &nbsp; 
&nbsp;--sysconfdir=\/etc\/openvpn \\<br> &nbsp; &nbsp;--enable-systemd \\<br> &nbsp; &nbsp;--enable-lz4 \\<br> &nbsp; &nbsp;--enable-lzo \\<br> &nbsp; &nbsp;--enable-pkcs11 \\<br> &nbsp; &nbsp;--enable-async-push<br>\u200b<br># \u67e5\u770b\u914d\u7f6e\u6458\u8981<br># \u786e\u8ba4\u663e\u793a\uff1a<br># systemd support: yes<br># LZ4 compression: yes<br>\u200b<br># \u7f16\u8bd1\uff08\u4f7f\u7528\u591a\u6838\u52a0\u901f\uff09<br>make -j$(nproc)<br>\u200b<br># \u5b89\u88c5<br>make install<br>\u200b<br># \u9a8c\u8bc1\u5b89\u88c5<br>\/usr\/local\/sbin\/openvpn --version<br># \u5e94\u663e\u793a\uff1aOpenVPN 2.6.17<br>\u200b<br># \u521b\u5efa\u7b26\u53f7\u94fe\u63a5\uff08\u65b9\u4fbf\u4f7f\u7528\uff09<br>ln -sf \/usr\/local\/sbin\/openvpn \/usr\/sbin\/openvpn<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"23_%E5%88%9B%E5%BB%BA%E5%BF%85%E8%A6%81%E7%9B%AE%E5%BD%95\"><\/span>2.3 \u521b\u5efa\u5fc5\u8981\u76ee\u5f55<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa\u914d\u7f6e\u76ee\u5f55\u7ed3\u6784<br>mkdir -p \/etc\/openvpn\/server\/{keys,ccd,logs}<br>mkdir -p \/etc\/openvpn\/client<br>mkdir -p \/var\/log\/openvpn<br>\u200b<br># \u76ee\u5f55\u8bf4\u660e\uff1a<br># \/etc\/openvpn\/server\/ &nbsp; &nbsp; &nbsp; - \u670d\u52a1\u5668\u914d\u7f6e\u6839\u76ee\u5f55<br># \/etc\/openvpn\/server\/keys\/  - \u8bc1\u4e66\u548c\u5bc6\u94a5\u5b58\u653e\u76ee\u5f55<br># \/etc\/openvpn\/server\/ccd\/ &nbsp; - \u5ba2\u6237\u7aef\u7279\u5b9a\u914d\u7f6e\u76ee\u5f55<br># \/etc\/openvpn\/server\/logs\/  - \u65e5\u5fd7\u76ee\u5f55<br># \/var\/log\/openvpn\/ &nbsp; &nbsp; &nbsp; &nbsp;  - \u7cfb\u7edf\u65e5\u5fd7\u76ee\u5f55<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"24_%E9%85%8D%E7%BD%AE_systemd_%E6%9C%8D%E5%8A%A1\"><\/span>2.4 \u914d\u7f6e systemd \u670d\u52a1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># 
\u521b\u5efa systemd \u670d\u52a1\u6587\u4ef6<br>cat &gt; \/etc\/systemd\/system\/openvpn-server@.service &lt;&lt;'EOF'<br>[Unit]<br>Description=OpenVPN service for %I<br>After=network-online.target<br>Wants=network-online.target<br>Documentation=man:openvpn(8)<br>Documentation=https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn24ManPage<br>\u200b<br>[Service]<br>Type=notify<br>PrivateTmp=true<br>WorkingDirectory=\/etc\/openvpn\/server<br>ExecStart=\/usr\/local\/sbin\/openvpn --status \/var\/log\/openvpn\/%i-status.log --status-version 2 --cd \/etc\/openvpn\/server --config %i.conf<br>CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE<br>LimitNPROC=100<br>DeviceAllow=\/dev\/null rw<br>DeviceAllow=\/dev\/net\/tun rw<br>ProtectSystem=true<br>ProtectHome=true<br>KillMode=process<br>RestartSec=5s<br>Restart=on-failure<br>\u200b<br>[Install]<br>WantedBy=multi-user.target<br>EOF<br>\u200b<br># \u91cd\u65b0\u52a0\u8f7d systemd<br>systemctl daemon-reload<br>\u200b<br># \u9a8c\u8bc1\u670d\u52a1\u6587\u4ef6<br>systemctl cat openvpn-server@server<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%B8%89%E3%80%81%E9%85%8D%E7%BD%AE_PKI_%E8%AF%81%E4%B9%A6%E4%BD%93%E7%B3%BB\"><\/span>\u4e09\u3001\u914d\u7f6e PKI \u8bc1\u4e66\u4f53\u7cfb<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"31_%E5%88%9D%E5%A7%8B%E5%8C%96_Easy-RSA\"><\/span>3.1 \u521d\u59cb\u5316 Easy-RSA<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u8fdb\u5165\u5de5\u4f5c\u76ee\u5f55<br>cd \/etc\/openvpn\/server<br>mkdir -p easy-rsa<br>cd easy-rsa<br>\u200b<br># \u590d\u5236 Easy-RSA \u811a\u672c<br>#\uff08yum\u5b89\u88c5\uff09<br>cp -r \/usr\/share\/easy-rsa\/3\/* 
.<br>#\uff08github\u4e0b\u8f7d\uff09<br>cp -r \/server\/tools\/EasyRSA-3.2.4\/* .<br># \u786e\u8ba4\u590d\u5236\u6210\u529f<br>ls -l easyrsa<br>.\/easyrsa --version<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"32_%E9%85%8D%E7%BD%AE_PKI_%E5%8F%82%E6%95%B0%EF%BC%88%E6%8E%A8%E8%8D%90%EF%BC%89\"><\/span>3.2 \u914d\u7f6e PKI \u53c2\u6570\uff08\u63a8\u8350\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa vars \u914d\u7f6e\u6587\u4ef6<br>cat &gt; vars &lt;&lt;'EOF'<br># Easy-RSA \u914d\u7f6e\u53d8\u91cf<br>\u200b<br># \u8bc1\u4e66\u4fe1\u606f\uff08\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u4fee\u6539\uff09<br>set_var EASYRSA_REQ_COUNTRY &nbsp; &nbsp;\"CN\"<br>set_var EASYRSA_REQ_PROVINCE &nbsp; \"Shanghai\"<br>set_var EASYRSA_REQ_CITY &nbsp; &nbsp; &nbsp; \"Shanghai\"<br>set_var EASYRSA_REQ_ORG &nbsp; &nbsp; &nbsp; &nbsp;\"linuxjk.cn\"<br>set_var EASYRSA_REQ_EMAIL &nbsp; &nbsp; &nbsp;\"zhangpeng@linuxjk.cn\"<br>set_var EASYRSA_REQ_OU &nbsp; &nbsp; &nbsp; &nbsp; \"IT Department\"<br>\u200b<br># \u8bc1\u4e66\u6709\u6548\u671f\uff08\u5929\uff09<br>set_var EASYRSA_CA_EXPIRE &nbsp; &nbsp; &nbsp;3650 &nbsp; &nbsp;# CA\u8bc1\u4e6610\u5e74<br>set_var EASYRSA_CERT_EXPIRE &nbsp; &nbsp;3650 &nbsp; &nbsp;# \u670d\u52a1\u5668\/\u5ba2\u6237\u7aef\u8bc1\u4e6610\u5e74<br>\u200b<br># \u5bc6\u94a5\u53c2\u6570<br>set_var EASYRSA_KEY_SIZE &nbsp; &nbsp; &nbsp; 2048<br>set_var EASYRSA_ALGO &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; rsa<br>set_var EASYRSA_CURVE &nbsp; &nbsp; &nbsp; &nbsp;  secp384r1<br>set_var EASYRSA_DIGEST &nbsp; &nbsp; &nbsp; &nbsp; \"sha256\"<br>\u200b<br># CRL \u6709\u6548\u671f<br>set_var EASYRSA_CRL_DAYS &nbsp; &nbsp; &nbsp; 3650<br>EOF<br>\u200b<br># \u8ba9\u914d\u7f6e\u751f\u6548<br>chmod +x vars<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"33_%E5%88%9D%E5%A7%8B%E5%8C%96_PKI_%E5%B9%B6%E5%88%9B%E5%BB%BA_CA\"><\/span>3.3 \u521d\u59cb\u5316 PKI 
\u5e76\u521b\u5efa CA<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521d\u59cb\u5316 PKI \u76ee\u5f55\u7ed3\u6784<br>.\/easyrsa init-pki<br>\u200b<br># \u6784\u5efa CA\uff08\u65e0\u5bc6\u7801\u6a21\u5f0f\uff0c\u9002\u5408\u81ea\u52a8\u5316\uff09<br>.\/easyrsa build-ca nopass<br>\u200b<br># \u63d0\u793a\u8f93\u5165 Common Name\uff0c\u8f93\u5165\u793a\u4f8b\uff1a<br># Common Name: OpenVPN-CA<br>\u200b<br># \u26a0\ufe0f \u751f\u4ea7\u73af\u5883\u63a8\u8350\u4f7f\u7528\u5e26\u5bc6\u7801\u7684 CA\uff1a<br># .\/easyrsa build-ca<br># \u4f1a\u63d0\u793a\u8bbe\u7f6e CA \u79c1\u94a5\u5bc6\u7801<br>\u200b<br># \u9a8c\u8bc1 CA \u8bc1\u4e66<br>openssl x509 -in pki\/ca.crt -noout -text | grep -A 2 \"Validity\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"34_%E7%94%9F%E6%88%90%E6%9C%8D%E5%8A%A1%E5%99%A8%E8%AF%81%E4%B9%A6%EF%BC%88%E5%AE%8C%E6%95%B4%E6%AD%A5%E9%AA%A4%EF%BC%89\"><\/span>3.4 \u751f\u6210\u670d\u52a1\u5668\u8bc1\u4e66\uff08\u5b8c\u6574\u6b65\u9aa4\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># ===== \u65b9\u6cd51\uff1a\u6807\u51c6\u5206\u6b65\u9aa4\uff08\u63a8\u8350\u7528\u4e8e\u751f\u4ea7\u73af\u5883\uff09=====<br>\u200b<br># \u6b65\u9aa41\uff1a\u751f\u6210\u670d\u52a1\u5668\u79c1\u94a5\u548c\u8bc1\u4e66\u8bf7\u6c42<br>.\/easyrsa gen-req server nopass<br># \u63d0\u793a\u8f93\u5165 Common Name\uff0c\u8f93\u5165\uff1aserver\uff08\u6216\u670d\u52a1\u5668FQDN\uff09<br>\u200b<br># \u6b65\u9aa42\uff1a\u7b7e\u53d1\u670d\u52a1\u5668\u8bc1\u4e66<br>.\/easyrsa sign-req server server<br># \u8f93\u5165 yes \u786e\u8ba4<br># \u5982\u679c CA \u6709\u5bc6\u7801\uff0c\u9700\u8981\u8f93\u5165\u5bc6\u7801<br>\u200b<br># ===== \u65b9\u6cd52\uff1a\u5feb\u6377\u547d\u4ee4\uff08\u7b49\u540c\u4e8e\u4e0a\u8ff0\u4e24\u6b65\uff09=====<br># .\/easyrsa build-server-full server nopass<br>\u200b<br># \u9a8c\u8bc1\u670d\u52a1\u5668\u8bc1\u4e66<br>openssl x509 
-in pki\/issued\/server.crt -noout -text | head -20<br>\u200b<br># \u9a8c\u8bc1\u8bc1\u4e66\u94fe<br>openssl verify -CAfile pki\/ca.crt pki\/issued\/server.crt<br># \u5e94\u663e\u793a\uff1apki\/issued\/server.crt: OK<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"35_%E7%94%9F%E6%88%90_DH_%E5%8F%82%E6%95%B0\"><\/span>3.5 \u751f\u6210 DH \u53c2\u6570<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u751f\u6210 2048 \u4f4d DH \u53c2\u6570\uff08\u63a8\u8350\uff0c\u7ea6\u9700 2-5 \u5206\u949f\uff09<br>.\/easyrsa gen-dh<br>\u200b<br># \u5982\u9700\u66f4\u9ad8\u5b89\u5168\u6027\uff084096 \u4f4d\uff0c\u53ef\u80fd\u9700\u8981 20-30 \u5206\u949f\uff09<br># \u5148\u4fee\u6539 vars: set_var EASYRSA_KEY_SIZE 4096<br># \u7136\u540e\u6267\u884c: .\/easyrsa gen-dh<br>\u200b<br># \u9a8c\u8bc1\u751f\u6210<br>ls -lh pki\/dh.pem<br># \u5e94\u663e\u793a\u7ea6 424 \u5b57\u8282\u7684\u6587\u4ef6<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"36_%E7%94%9F%E6%88%90_TLS_%E8%AE%A4%E8%AF%81%E5%AF%86%E9%92%A5\"><\/span>3.6 \u751f\u6210 TLS \u8ba4\u8bc1\u5bc6\u94a5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u751f\u6210 tls-auth \u5bc6\u94a5\uff08\u9632 DDoS \u653b\u51fb\uff09<br>openvpn --genkey secret pki\/ta.key<br>\u200b<br># \u9a8c\u8bc1\u751f\u6210<br>ls -lh pki\/ta.key<br>cat pki\/ta.key | head -5<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"37_%E7%94%9F%E6%88%90_CRL%EF%BC%88%E8%AF%81%E4%B9%A6%E5%90%8A%E9%94%80%E5%88%97%E8%A1%A8%EF%BC%89\"><\/span>3.7 \u751f\u6210 CRL\uff08\u8bc1\u4e66\u540a\u9500\u5217\u8868\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u751f\u6210\u521d\u59cb CRL<br>.\/easyrsa gen-crl<br><br># \u9a8c\u8bc1<br>ls -lh pki\/crl.pem<br>openssl crl -in pki\/crl.pem -noout -text<\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"38_%E7%94%9F%E6%88%90%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%AF%81%E4%B9%A6%EF%BC%88%E7%A4%BA%E4%BE%8B%EF%BC%89\"><\/span>3.8 \u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66\uff08\u793a\u4f8b\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5b9a\u4e49\u5ba2\u6237\u7aef\u540d\u79f0<br>CLIENT_NAME=\"client1\"<br><br># ===== \u65b9\u6cd51\uff1a\u5b8c\u6574\u6b65\u9aa4\uff08\u63a8\u8350\uff09=====<br># \u6b65\u9aa41\uff1a\u751f\u6210\u8bc1\u4e66\u8bf7\u6c42<br>.\/easyrsa gen-req $CLIENT_NAME nopass<br># Common Name: client1<br><br># \u6b65\u9aa42\uff1a\u7b7e\u53d1\u5ba2\u6237\u7aef\u8bc1\u4e66\uff08\u6ce8\u610f\u7c7b\u578b\u662f client\uff09<br>.\/easyrsa sign-req client $CLIENT_NAME<br># \u8f93\u5165 yes \u786e\u8ba4<br><br># ===== \u65b9\u6cd52\uff1a\u5feb\u6377\u547d\u4ee4 =====<br># .\/easyrsa build-client-full $CLIENT_NAME nopass<br><br># \u9a8c\u8bc1\u5ba2\u6237\u7aef\u8bc1\u4e66<br>openssl verify -CAfile pki\/ca.crt pki\/issued\/$CLIENT_NAME.crt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"39_%E5%A4%8D%E5%88%B6%E8%AF%81%E4%B9%A6%E5%88%B0%E6%9C%8D%E5%8A%A1%E5%99%A8%E9%85%8D%E7%BD%AE%E7%9B%AE%E5%BD%95\"><\/span>3.9 \u590d\u5236\u8bc1\u4e66\u5230\u670d\u52a1\u5668\u914d\u7f6e\u76ee\u5f55<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/openvpn\/server\/easy-rsa<br><br># \u590d\u5236 CA \u8bc1\u4e66<br>cp pki\/ca.crt \/etc\/openvpn\/server\/keys\/<br><br># \u590d\u5236\u670d\u52a1\u5668\u8bc1\u4e66\u548c\u79c1\u94a5<br>cp pki\/issued\/server.crt \/etc\/openvpn\/server\/keys\/<br>cp pki\/private\/server.key \/etc\/openvpn\/server\/keys\/<br><br># \u590d\u5236 DH \u53c2\u6570\uff08\u91cd\u547d\u540d\u4ee5\u4fbf\u8bc6\u522b\uff09<br>cp pki\/dh.pem \/etc\/openvpn\/server\/keys\/dh2048.pem<br><br># \u590d\u5236 TLS \u8ba4\u8bc1\u5bc6\u94a5<br>cp pki\/ta.key 
\/etc\/openvpn\/server\/keys\/<br><br># \u590d\u5236 CRL\uff08\u53ef\u9009\u4f46\u63a8\u8350\uff09<br>cp pki\/crl.pem \/etc\/openvpn\/server\/keys\/<br><br># \u8bbe\u7f6e\u4e25\u683c\u6743\u9650\uff08\u91cd\u8981\uff01\uff09<br>#\u79c1\u94a5600\uff0c\u516c\u94a5644<br>chmod 600 \/etc\/openvpn\/server\/keys\/server.key<br>chmod 600 \/etc\/openvpn\/server\/keys\/ta.key<br>chmod 644 \/etc\/openvpn\/server\/keys\/*.crt<br>chmod 644 \/etc\/openvpn\/server\/keys\/dh2048.pem<br>chmod 644 \/etc\/openvpn\/server\/keys\/crl.pem<br><br># \u8bbe\u7f6e\u6240\u6709\u8005<br>chown -R root:root \/etc\/openvpn\/server\/keys<br><br># \u9a8c\u8bc1\u6587\u4ef6\u5b8c\u6574\u6027<br>ls -lh \/etc\/openvpn\/server\/keys\/<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">root@anolis810:\/etc\/openvpn\/server\/easy-rsa# ls -lh \/etc\/openvpn\/server\/keys\/<br>\u603b\u7528\u91cf 28K<br>-rw-r--r-- 1 root root 1.2K 12\u6708  4 09:40 ca.crt<br>-rw-r--r-- 1 root root  646 12\u6708  4 09:41 crl.pem<br>-rw-r--r-- 1 root root  424 12\u6708  4 09:40 dh2048.pem<br>-rw-r--r-- 1 root root 4.5K 12\u6708  4 09:40 server.crt<br>-rw------- 1 root root 1.7K 12\u6708  4 09:40 server.key<br>-rw------- 1 root root  636 12\u6708  4 09:40 ta.key<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%9B%9B%E3%80%81%E9%85%8D%E7%BD%AE_OpenVPN_%E6%9C%8D%E5%8A%A1%E5%99%A8\"><\/span>\u56db\u3001\u914d\u7f6e OpenVPN \u670d\u52a1\u5668<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"41_%E5%88%9B%E5%BB%BA%E6%9C%8D%E5%8A%A1%E5%99%A8%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6\"><\/span>4.1 \u521b\u5efa\u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cat &gt; \/etc\/openvpn\/server\/server.conf &lt;&lt;'EOF'<br>#################################################<br># 
OpenVPN 2.6.17 \u670d\u52a1\u5668\u914d\u7f6e\u6587\u4ef6<br># \u7cfb\u7edf: Anolis 8.10<br># \u521b\u5efa\u65f6\u95f4: 2025-12-03<br>#################################################<br>\u200b<br># ===== \u57fa\u672c\u7f51\u7edc\u8bbe\u7f6e =====<br># \u76d1\u542c\u7aef\u53e3\uff08\u9ed8\u8ba4 1194\uff09<br>port 1194<br>\u200b<br># \u534f\u8bae\u7c7b\u578b\uff08UDP \u6027\u80fd\u66f4\u597d\uff0cTCP \u66f4\u7a33\u5b9a\uff09<br>proto udp<br># \u5982\u9700\u4f7f\u7528 TCP\uff0c\u53d6\u6d88\u4e0b\u884c\u6ce8\u91ca\u5e76\u6ce8\u91ca\u4e0a\u4e00\u884c<br># proto tcp<br>\u200b<br># \u865a\u62df\u7f51\u5361\u7c7b\u578b\uff08TUN=\u8def\u7531\u6a21\u5f0f\uff0cTAP=\u6865\u63a5\u6a21\u5f0f\uff09<br>dev tun<br>\u200b<br># \u7f51\u7edc\u62d3\u6251\uff08subnet \u662f\u63a8\u8350\u6a21\u5f0f\uff09<br>topology subnet<br>\u200b<br># ===== \u8bc1\u4e66\u548c\u5bc6\u94a5\u8def\u5f84 =====<br># CA \u6839\u8bc1\u4e66<br>ca keys\/ca.crt<br>\u200b<br># \u670d\u52a1\u5668\u8bc1\u4e66<br>cert keys\/server.crt<br>\u200b<br># \u670d\u52a1\u5668\u79c1\u94a5\uff08\u4e25\u683c\u4fdd\u5bc6\uff01\uff09<br>key keys\/server.key<br>\u200b<br># Diffie-Hellman \u53c2\u6570<br>dh keys\/dh2048.pem<br>\u200b<br># TLS \u8ba4\u8bc1\u5bc6\u94a5\uff080 = \u670d\u52a1\u5668\u6a21\u5f0f\uff09<br>tls-auth keys\/ta.key 0<br>\u200b<br># \u8bc1\u4e66\u540a\u9500\u5217\u8868\uff08\u63a8\u8350\u542f\u7528\uff09<br>crl-verify keys\/crl.pem<br>\u200b<br># ===== \u52a0\u5bc6\u548c\u5b89\u5168\u8bbe\u7f6e =====<br># \u6570\u636e\u901a\u9053\u52a0\u5bc6\u7b97\u6cd5\uff08OpenVPN 2.6+ \u63a8\u8350\uff09<br>cipher AES-256-GCM<br>\u200b<br># \u652f\u6301\u7684\u52a0\u5bc6\u7b97\u6cd5\u5217\u8868\uff08\u534f\u5546\u7528\uff09<br>data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC<br>\u200b<br># \u8ba4\u8bc1\u7b97\u6cd5<br>auth SHA256<br>\u200b<br># TLS \u6700\u4f4e\u7248\u672c\uff08\u589e\u5f3a\u5b89\u5168\uff09<br>tls-version-min 1.2<br>\u200b<br># TLS 
\u52a0\u5bc6\u5957\u4ef6\uff08\u53ef\u9009\uff0c\u66f4\u4e25\u683c\u7684\u5b89\u5168\u7b56\u7565\uff09<br># tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256<br>\u200b<br># ===== VPN \u7f51\u7edc\u914d\u7f6e =====<br># VPN \u5b50\u7f51\uff08\u670d\u52a1\u5668\u81ea\u52a8\u83b7\u5f97 10.8.0.1\uff09<br>server 10.8.0.0 255.255.255.0<br>\u200b<br># \u7ef4\u62a4\u5ba2\u6237\u7aef IP \u5206\u914d\u5173\u7cfb\uff08\u91cd\u542f\u540e\u4fdd\u6301\uff09<br>ifconfig-pool-persist \/var\/log\/openvpn\/ipp.txt<br>\u200b<br># ===== \u8def\u7531\u8bbe\u7f6e =====<br># \u63a8\u9001\u8def\u7531\u5230\u5ba2\u6237\u7aef\uff08\u8bbf\u95ee\u516c\u53f8\u5185\u7f51\uff09<br># \u5047\u8bbe\u516c\u53f8\u5185\u7f51\u662f 192.168.1.0\/24<br>#push \"route 192.168.1.0 255.255.255.0\"<br>push \"route 10.0.0.0 255.255.255.0\"<br>\u200b<br># \u63a8\u9001\u6240\u6709\u6d41\u91cf\u8d70 VPN\uff08\u5168\u5c40\u4ee3\u7406\u6a21\u5f0f\uff0c\u5c06\u5ba2\u6237\u7aef\u6240\u6709\u6d41\u91cf\u90fd\u8def\u7531\u5230 VPN,\u53ef\u80fd\u5f71\u54cd\u901f\u5ea6\uff09<br># push \"redirect-gateway def1 bypass-dhcp\"<br>\u200b<br># \u63a8\u9001 DNS \u670d\u52a1\u5668(\u5ba2\u6237\u7aef\u8fde\u63a5 VPN \u540e\uff0c\u4f1a\u4f7f\u7528\u8fd9\u4e9b DNS \u670d\u52a1\u5668\u89e3\u6790\u57df\u540d)<br># \u4e3b DNS\uff1aWindows Server\uff08\u89e3\u6790\u5185\u7f51\u57df\u540d\uff09<br>push \"dhcp-option DNS 192.168.1.112\"<br># \u5907\u7528 DNS\uff1a\u516c\u7f51 DNS\uff08\u89e3\u6790\u5916\u7f51\u57df\u540d\uff0c\u63d0\u9ad8\u901f\u5ea6\uff09<br>push \"dhcp-option DNS 8.8.8.8\"<br>push \"dhcp-option DNS 223.5.5.5\" &nbsp;# \u963f\u91cc DNS\uff08\u56fd\u5185\u63a8\u8350\uff09<br>\u200b<br># \u63a8\u9001 AD \u57df\u540e\u7f00<br>push \"dhcp-option DOMAIN example.local\"<br>\u200b<br>\u200b<br># \u63a8\u9001 NTP \u670d\u52a1\u5668\uff08\u7edf\u4e00\u65f6\u95f4\u540c\u6b65\uff09<br># push \"dhcp-option NTP 192.168.1.1\"<br>\u200b<br># ===== \u5ba2\u6237\u7aef\u914d\u7f6e =====<br># 
\u5141\u8bb8\u5ba2\u6237\u7aef\u4e4b\u95f4\u901a\u4fe1\uff08\u6309\u9700\u542f\u7528\uff1b\u542f\u7528\u540e\u5ba2\u6237\u7aef\u95f4\u6d41\u91cf\u7531 OpenVPN \u5185\u90e8\u8f6c\u53d1\uff0c\u4e0d\u7ecf\u8fc7\u670d\u52a1\u5668\u9632\u706b\u5899\u89c4\u5219\uff09<br>client-to-client<br>\u200b<br># \u6700\u5927\u5ba2\u6237\u7aef\u8fde\u63a5\u6570(\u5728\u5f53\u524d \/24 \u7f51\u6bb5\u5185# \u6700\u591a\u53ef\u8bbe\u4e3a 252)<br>max-clients 200<br>\u200b<br># \u540c\u4e00\u8bc1\u4e66\u53ea\u5141\u8bb8\u4e00\u4e2a\u5ba2\u6237\u7aef\u8fde\u63a5\uff08\u63a8\u8350\uff09<br># duplicate-cn \u9ed8\u8ba4\u7981\u7528\uff0c\u751f\u4ea7\u73af\u5883\u4e0d\u8981\u542f\u7528<br>\u200b<br># \u5ba2\u6237\u7aef\u7279\u5b9a\u914d\u7f6e\u76ee\u5f55(\u4e3a\u4e0d\u540c\u5ba2\u6237\u7aef\u5206\u914d\u56fa\u5b9a IP \u6216\u7279\u5b9a\u8def\u7531\u89c4\u5219)\uff0c\u521b\u5efa\u5ba2\u6237\u7aef\u8bc1\u4e66\u65f6\u7684Common name<br>#\/etc\/openvpn\/server\/ccd\/client1 \u6587\u4ef6\u53ef\u914d\u7f6e client1 \u7684\u4e13\u5c5e\u8bbe\u7f6e<br>client-config-dir ccd<br>\u200b<br># ===== \u8fde\u63a5\u4fdd\u6301 =====<br># \u6bcf 10 \u79d2 ping \u4e00\u6b21\uff0c120 \u79d2\u65e0\u54cd\u5e94\u5219\u65ad\u7ebf<br>keepalive 10 120<br>\u200b<br># ===== \u538b\u7f29\u8bbe\u7f6e =====<br># LZ4 \u538b\u7f29\uff08LZ4 \u538b\u7f29\u7b97\u6cd5\uff0c\u51cf\u5c11\u4f20\u8f93\u6570\u636e\u91cf,\u964d\u4f4e\u5e26\u5bbd\u6d88\u8017,LZ4 \u538b\u7f29\/\u89e3\u538b\u901f\u5ea6\u5feb\uff0cCPU \u5360\u7528\u4f4e)<br>#\u6ce8\u610f: \u5ba2\u6237\u7aef\u4e5f\u5fc5\u987b\u652f\u6301 LZ4<br>compress lz4-v2<br>push \"compress lz4-v2\"<br>\u200b<br># \u6216\u7981\u7528\u538b\u7f29\uff08\u66f4\u5b89\u5168\uff0c\u9632 VORACLE \u653b\u51fb\uff09<br># comp-lzo no<br># push \"comp-lzo no\"<br>\u200b<br># ===== \u6743\u9650\u548c\u5b89\u5168 =====<br># \u964d\u4f4e\u8fd0\u884c\u6743\u9650\uff08\u542f\u52a8\u540e\u5207\u6362\u5230 nobody \u7528\u6237,\u5373\u4f7f OpenVPN \u88ab\u653b\u7834\uff0c\u653b\u51fb\u8005\u4e5f\u53ea\u6709 nobody \u7528\u6237\u6743\u9650\uff09<br>user nobody<br>group nobody<br>\u200b<br># \u91cd\u542f\u540e\u4fdd\u6301\u5bc6\u94a5\u548c TUN 
\u8bbe\u5907<br>persist-key<br>persist-tun<br>\u200b<br># ===== \u65e5\u5fd7\u8bbe\u7f6e =====<br># \u72b6\u6001\u65e5\u5fd7\uff08\u663e\u793a\u8fde\u63a5\u7684\u5ba2\u6237\u7aef\uff09<br>status \/var\/log\/openvpn\/openvpn-status.log<br>\u200b<br># \u8fd0\u884c\u65e5\u5fd7\uff08log-append:\u8ffd\u52a0\u6a21\u5f0f;log: \u8986\u76d6\u6a21\u5f0f\uff08\u6bcf\u6b21\u542f\u52a8\u6e05\u7a7a\u65e7\u65e5\u5fd7\uff09\uff09<br>log-append \/var\/log\/openvpn\/openvpn.log<br>\u200b<br># \u65e5\u5fd7\u8be6\u7ec6\u7ea7\u522b\uff080=\u9759\u9ed8, 3=\u6b63\u5e38, 9=\u6781\u8be6\u7ec6\uff09<br>verb 3<br>\u200b<br># \u91cd\u590d\u6d88\u606f\u9759\u9ed8\uff08\u907f\u514d\u65e5\u5fd7\u5237\u5c4f\uff09<br>mute 20<br>\u200b<br># ===== \u6027\u80fd\u4f18\u5316 =====<br># \u53d1\u9001\/\u63a5\u6536\u7f13\u51b2\u533a\u5927\u5c0f\uff08\u5b57\u8282\uff09<br>sndbuf 393216<br>rcvbuf 393216<br>push \"sndbuf 393216\"<br>push \"rcvbuf 393216\"<br>\u200b<br># \u5feb\u901f I\/O\uff08\u51cf\u5c11 CPU \u4f7f\u7528\uff09<br>fast-io<br>\u200b<br># ===== \u7ba1\u7406\u63a5\u53e3\uff08\u53ef\u9009\uff09=====<br># \u542f\u7528\u7ba1\u7406\u63a5\u53e3\uff08\u7528\u4e8e\u76d1\u63a7\uff0c\u4ec5\u672c\u5730\u8bbf\u95ee\uff1b\u672a\u8bbe\u7f6e\u5bc6\u7801\u65f6\u672c\u673a\u4efb\u4f55\u7528\u6237\u90fd\u53ef\u8fde\u63a5\uff0c\u5efa\u8bae\u7528 management IP port [pw-file] \u6307\u5b9a\u5bc6\u7801\u6587\u4ef6\uff09<br>management 127.0.0.1 7505<br>\u200b<br># ===== \u5176\u4ed6\u9009\u9879 =====<br># UDP \u6a21\u5f0f\u4e0b\u663e\u5f0f\u9000\u51fa\u901a\u77e5(\u5ba2\u6237\u7aef\u65ad\u5f00\u65f6\u660e\u786e\u901a\u77e5\u670d\u52a1\u5668)<br>explicit-exit-notify 1<br>\u200b<br># \u811a\u672c\u5b89\u5168\u7ea7\u522b\uff08\u5141\u8bb8\u8fd0\u884c\u5916\u90e8\u811a\u672c,0: \u7981\u6b62\u811a\u672c;1: \u53ea\u5141\u8bb8\u5185\u7f6e\u811a\u672c;2: \u5141\u8bb8\u6240\u6709\u811a\u672c\uff08\u542b shell \u547d\u4ee4\uff09\uff09<br># script-security 2<br>\u200b<br># \u5ba2\u6237\u7aef\u8fde\u63a5\/\u65ad\u5f00\u65f6\u6267\u884c\u81ea\u5b9a\u4e49\u811a\u672c<br># client-connect \/etc\/openvpn\/server\/scripts\/client-connect.sh<br># client-disconnect 
\/etc\/openvpn\/server\/scripts\/client-disconnect.sh<br>EOF<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"42_%E9%85%8D%E7%BD%AE%E4%BC%98%E5%8C%96%E5%BB%BA%E8%AE%AE\"><\/span>4.2 \u914d\u7f6e\u4f18\u5316\u5efa\u8bae<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u6839\u636e\u5b9e\u9645\u9700\u6c42\u8c03\u6574\u914d\u7f6e<br>\u200b<br># \u573a\u666f1\uff1a\u4ec5\u8bbf\u95ee\u5185\u7f51\uff08\u63a8\u8350\uff0c\u4e0d\u5f71\u54cd\u5ba2\u6237\u7aef\u4e0a\u7f51\uff09<br># \u4fdd\u6301\u5f53\u524d\u914d\u7f6e\uff1apush \"route 192.168.1.0 255.255.255.0\"<br>\u200b<br># \u573a\u666f2\uff1a\u5168\u5c40\u4ee3\u7406\uff08\u6240\u6709\u6d41\u91cf\u8d70 VPN\uff09<br># \u542f\u7528\uff1apush \"redirect-gateway def1 bypass-dhcp\"<br>\u200b<br># \u573a\u666f3\uff1a\u53cc\u6808\u652f\u6301\uff08IPv4 + IPv6\uff09<br># \u6dfb\u52a0\uff1a<br># server-ipv6 fd00:abcd::\/64<br># push \"route-ipv6 2000::\/3\"<br>\u200b<br># \u573a\u666f4\uff1a\u591a\u4e2a\u5185\u7f51\u6bb5<br># \u6dfb\u52a0\u591a\u6761 push \"route\" \u6307\u4ee4<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"43_%E5%88%9B%E5%BB%BA%E5%AE%A2%E6%88%B7%E7%AB%AF%E7%89%B9%E5%AE%9A%E9%85%8D%E7%BD%AE%EF%BC%88%E5%8F%AF%E9%80%89%EF%BC%89\"><\/span>4.3 \u521b\u5efa\u5ba2\u6237\u7aef\u7279\u5b9a\u914d\u7f6e\uff08\u53ef\u9009\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u4e3a client1 \u5206\u914d\u56fa\u5b9a IP<br>cat &gt; \/etc\/openvpn\/server\/ccd\/client1 &lt;&lt;EOF<br># \u56fa\u5b9a IP \u5206\u914d\uff08\u5fc5\u987b\u5728 server \u7f51\u6bb5\u5185\uff1b\u4e0a\u6587 server \u7f51\u6bb5\u4e3a 10.8.0.0\/24\uff0c\u4e0b\u884c\u793a\u4f8b\u5730\u5740\u9700\u76f8\u5e94\u4fee\u6539\uff09<br>ifconfig-push 192.168.1.1 255.255.255.0<br><br># \u63a8\u9001\u7279\u5b9a\u8def\u7531<br>push \"route 192.168.1.0 255.255.255.0\"<br><br># \u9650\u5236\u5e26\u5bbd\uff08\u5355\u4f4d\uff1a\u5b57\u8282\/\u79d2\uff09<br># shaper 1024000<br>EOF<\/pre>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%BA%94%E3%80%81%E9%85%8D%E7%BD%AE%E7%BD%91%E7%BB%9C%E8%BD%AC%E5%8F%91\"><\/span>\u4e94\u3001\u914d\u7f6e\u7f51\u7edc\u8f6c\u53d1<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"51_%E5%90%AF%E7%94%A8_IP_%E8%BD%AC%E5%8F%91\"><\/span>5.1 \u542f\u7528 IP \u8f6c\u53d1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u4e34\u65f6\u542f\u7528<br>sysctl -w net.ipv4.ip_forward=1<br><br># \u6c38\u4e45\u542f\u7528<br>cat &gt;&gt; \/etc\/sysctl.conf &lt;&lt;EOF<br># OpenVPN IP \u8f6c\u53d1<br>net.ipv4.ip_forward = 1<br><br># \u53ef\u9009\uff1aIPv6 \u8f6c\u53d1<br># net.ipv6.conf.all.forwarding = 1<br>EOF<br><br># \u5e94\u7528\u914d\u7f6e<br>sysctl -p<br><br># \u9a8c\u8bc1<br>sysctl net.ipv4.ip_forward<br># \u5e94\u663e\u793a\uff1anet.ipv4.ip_forward = 1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"52_%E9%85%8D%E7%BD%AE%E9%98%B2%E7%81%AB%E5%A2%99%EF%BC%88firewalld%EF%BC%89\"><\/span>5.2 \u914d\u7f6e\u9632\u706b\u5899\uff08firewalld\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u68c0\u67e5 firewalld \u72b6\u6001<br>systemctl status firewalld<br><br># \u5982\u679c\u672a\u542f\u52a8\uff0c\u542f\u52a8 firewalld<br>systemctl enable --now firewalld<br><br># \u83b7\u53d6\u7f51\u5361\u540d\u79f0\uff08\u901a\u5e38\u662f eth0 \u6216 ens33\uff09<br>INTERFACE=$(ip route | grep default | awk '{print $5}')<br>echo \"\u5916\u7f51\u7f51\u5361: $INTERFACE\"<br><br># \u6dfb\u52a0 OpenVPN \u670d\u52a1<br>firewall-cmd --permanent --add-service=openvpn<br><br># \u6216\u76f4\u63a5\u5f00\u653e\u7aef\u53e3\uff08\u5982\u679c\u4e0a\u8ff0\u547d\u4ee4\u65e0\u6548\uff09<br>firewall-cmd --permanent --add-port=1194\/udp<br><br># \u6dfb\u52a0 NAT 
\u4f2a\u88c5\uff08\u5173\u952e\uff01\uff09<br>firewall-cmd --permanent --add-masquerade<br><br># \u6dfb\u52a0\u76f4\u63a5\u89c4\u5219\uff08NAT \u8f6c\u53d1\uff09<br>firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \\<br>    -s 10.8.0.0\/24 -o $INTERFACE -j MASQUERADE<br><br># \u5141\u8bb8 VPN \u6d41\u91cf\u8f6c\u53d1<br>firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \\<br>    -i tun0 -j ACCEPT<br>firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 \\<br>    -o tun0 -j ACCEPT<br><br># \u91cd\u8f7d\u9632\u706b\u5899<br>firewall-cmd --reload<br><br># \u9a8c\u8bc1\u89c4\u5219<br>firewall-cmd --list-all<br>firewall-cmd --direct --get-all-rules<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@localhost easy-rsa]# firewall-cmd --list-all<br>public (active)<br>  target: default<br>  icmp-block-inversion: no<br>  interfaces: ens192<br>  sources: <br>  services: cockpit dhcpv6-client openvpn ssh<br>  ports: 1194\/udp<br>  protocols: <br>  forward: no<br>  masquerade: yes<br>  forward-ports: <br>  source-ports: <br>  icmp-blocks: <br>  rich rules: <br>\trule priority=\"1\" family=\"ipv4\" source address=\"192.168.20.222\" port port=\"37017\" protocol=\"tcp\" accept<br>\trule priority=\"10\" family=\"ipv4\" port port=\"37017\" protocol=\"tcp\" drop<br>[root@localhost easy-rsa]# firewall-cmd --direct --get-all-rules<br>ipv4 nat POSTROUTING 0 -s 10.8.0.0\/24 -o ens192 -j MASQUERADE<br>ipv4 filter FORWARD 0 -i tun0 -j ACCEPT<br>ipv4 filter FORWARD 0 -o tun0 -j ACCEPT<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"53_%E9%85%8D%E7%BD%AE%E9%98%B2%E7%81%AB%E5%A2%99%EF%BC%88iptables%EF%BC%89\"><\/span>5.3 \u914d\u7f6e\u9632\u706b\u5899\uff08iptables\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5982\u679c\u4f7f\u7528 iptables\uff08\u66ff\u4ee3 firewalld\uff09<br>\u200b<br># \u505c\u6b62 firewalld<br>systemctl stop 
firewalld<br>systemctl disable firewalld<br>\u200b<br># \u5b89\u88c5\u5e76\u542f\u52a8 iptables<br>dnf install iptables-services -y<br>systemctl enable --now iptables<br>\u200b<br># \u6dfb\u52a0\u89c4\u5219<br>INTERFACE=$(ip route | grep default | awk '{print $5}')<br>\u200b<br># NAT \u8f6c\u53d1\u89c4\u5219<br>iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o $INTERFACE -j MASQUERADE<br>\u200b<br># \u5141\u8bb8\u8f6c\u53d1<br>iptables -A FORWARD -i tun0 -j ACCEPT<br>iptables -A FORWARD -o tun0 -j ACCEPT<br>\u200b<br># \u4fdd\u5b58\u89c4\u5219<br>service iptables save<br>\u200b<br># \u9a8c\u8bc1\u89c4\u5219<br>iptables -t nat -L -n -v | grep 10.8.0.0<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"54_%E5%88%9B%E5%BB%BA%E9%98%B2%E7%81%AB%E5%A2%99%E8%A7%84%E5%88%99%E6%8C%81%E4%B9%85%E5%8C%96%E8%84%9A%E6%9C%AC%EF%BC%88%E5%8F%AF%E9%80%89%EF%BC%8C%E8%87%AA%E5%8A%A8%E6%89%A7%E8%A1%8C%E4%B8%8A%E8%BF%B0%E9%85%8D%E7%BD%AE%EF%BC%89\"><\/span>5.4 \u521b\u5efa\u9632\u706b\u5899\u89c4\u5219\u6301\u4e45\u5316\u811a\u672c\uff08\u53ef\u9009\uff0c\u81ea\u52a8\u6267\u884c\u4e0a\u8ff0\u914d\u7f6e\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cat &gt; \/etc\/openvpn\/server\/firewall-rules.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br># OpenVPN \u9632\u706b\u5899\u89c4\u5219\u811a\u672c<br>\u200b<br># \u83b7\u53d6\u5916\u7f51\u7f51\u5361<br>INTERFACE=$(ip route | grep default | awk '{print $5}')<br>\u200b<br>if command -v firewall-cmd &amp;&gt; \/dev\/null; then<br> &nbsp; &nbsp;# \u4f7f\u7528 firewalld<br> &nbsp; &nbsp;echo \"\u68c0\u6d4b\u5230 firewalld\uff0c\u5e94\u7528\u89c4\u5219...\"<br> &nbsp;  firewall-cmd --permanent --add-masquerade<br> &nbsp;  firewall-cmd --permanent --add-service=openvpn<br> &nbsp;  firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \\<br> &nbsp; &nbsp; &nbsp; &nbsp;-s 10.8.0.0\/24 -o $INTERFACE -j MASQUERADE<br> &nbsp;  firewall-cmd --reload<br>else<br> &nbsp; 
&nbsp;# \u4f7f\u7528 iptables<br> &nbsp; &nbsp;echo \"\u4f7f\u7528 iptables\uff0c\u5e94\u7528\u89c4\u5219...\"<br> &nbsp;  iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o $INTERFACE -j MASQUERADE<br> &nbsp;  iptables -A FORWARD -i tun0 -j ACCEPT<br> &nbsp;  iptables -A FORWARD -o tun0 -j ACCEPT<br> &nbsp; &nbsp;service iptables save<br>fi<br>\u200b<br>echo \"\u9632\u706b\u5899\u89c4\u5219\u5df2\u5e94\u7528\"<br>EOF<br>\u200b<br>chmod +x \/etc\/openvpn\/server\/firewall-rules.sh<br>\u200b<br># \u6267\u884c\u811a\u672c<br>\/etc\/openvpn\/server\/firewall-rules.sh<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"55_%E9%AA%8C%E8%AF%81%E7%BD%91%E7%BB%9C%E9%85%8D%E7%BD%AE\"><\/span>5.5 \u9a8c\u8bc1\u7f51\u7edc\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u68c0\u67e5 IP \u8f6c\u53d1<br>cat \/proc\/sys\/net\/ipv4\/ip_forward<br># \u5e94\u663e\u793a\uff1a1<br>\u200b<br># \u68c0\u67e5 NAT \u89c4\u5219<br>iptables -t nat -L -n -v | grep 10.8.0.0<br># \u6216<br>firewall-cmd --direct --get-rules ipv4 nat POSTROUTING<br>\u200b<br># \u68c0\u67e5\u8def\u7531<br>ip route<br>\u200b<br># \u6d4b\u8bd5 DNS \u89e3\u6790\uff08\u53ef\u9009\uff09<br>nslookup www.baidu.com 8.8.8.8<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%85%AD%E3%80%81%E5%90%AF%E5%8A%A8%E5%92%8C%E9%AA%8C%E8%AF%81%E6%9C%8D%E5%8A%A1\"><\/span>\u516d\u3001\u542f\u52a8\u548c\u9a8c\u8bc1\u670d\u52a1<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"61_%E6%B5%8B%E8%AF%95%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6\"><\/span>6.1 \u6d4b\u8bd5\u914d\u7f6e\u6587\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u6d4b\u8bd5\u914d\u7f6e\u8bed\u6cd5<br>openvpn --config \/etc\/openvpn\/server\/server.conf 
--test-crypto<br><br># \u524d\u53f0\u8fd0\u884c\u6d4b\u8bd5\uff08\u67e5\u770b\u8be6\u7ec6\u8f93\u51fa\uff0c\u6309 Ctrl+C \u505c\u6b62\uff09<br>openvpn --config \/etc\/openvpn\/server\/server.conf<br><br># \u89c2\u5bdf\u8f93\u51fa\uff0c\u786e\u4fdd\u6ca1\u6709\u9519\u8bef<br># \u6b63\u786e\u7684\u8f93\u51fa\u6700\u540e\u4f1a\u663e\u793a\uff1a<br># Initialization Sequence Completed<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"62_%E5%90%AF%E5%8A%A8%E6%9C%8D%E5%8A%A1\"><\/span>6.2 \u542f\u52a8\u670d\u52a1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u542f\u52a8\u670d\u52a1<br>systemctl start openvpn-server@server<br><br># \u8bbe\u7f6e\u5f00\u673a\u81ea\u542f<br>systemctl enable openvpn-server@server<br><br># \u68c0\u67e5\u670d\u52a1\u72b6\u6001<br>systemctl status openvpn-server@server<br><br># \u5e94\u663e\u793a\uff1a<br># Active: active (running)<br># Status: \"Initialization Sequence Completed\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"63_%E9%AA%8C%E8%AF%81%E6%9C%8D%E5%8A%A1%E8%BF%90%E8%A1%8C\"><\/span>6.3 \u9a8c\u8bc1\u670d\u52a1\u8fd0\u884c<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u68c0\u67e5\u8fdb\u7a0b<br>ps aux | grep openvpn<br><br># \u68c0\u67e5\u76d1\u542c\u7aef\u53e3<br>ss -tunlp | grep 1194<br># \u5e94\u663e\u793a\uff1audp   UNCONN 0  0  *:1194  *:*<br><br># \u6216\u4f7f\u7528 netstat<br>netstat -tunlp | grep 1194<br><br># \u68c0\u67e5 TUN \u8bbe\u5907<br>ip addr show tun0<br># \u5e94\u663e\u793a\uff1ainet 10.8.0.1\/24<br><br># \u68c0\u67e5\u8def\u7531\u8868<br>ip route | grep tun0<br># \u5e94\u663e\u793a\uff1a10.8.0.0\/24 dev tun0<br><br># \u4ece\u670d\u52a1\u5668 ping VPN \u7f51\u5173<br>ping -c 3 10.8.0.1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"64_%E6%9F%A5%E7%9C%8B%E6%97%A5%E5%BF%97\"><\/span>6.4 \u67e5\u770b\u65e5\u5fd7<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u67e5\u770b\u5b9e\u65f6\u65e5\u5fd7<br>tail -f \/var\/log\/openvpn\/openvpn.log<br><br># \u67e5\u770b systemd \u65e5\u5fd7<br>journalctl -u openvpn-server@server -f<br><br># \u67e5\u770b\u6700\u8fd1 50 \u884c\u65e5\u5fd7<br>journalctl -u openvpn-server@server -n 50<br><br># \u67e5\u770b\u72b6\u6001\u6587\u4ef6\uff08\u663e\u793a\u8fde\u63a5\u7684\u5ba2\u6237\u7aef\uff09<br>cat \/var\/log\/openvpn\/openvpn-status.log<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%B8%83%E3%80%81%E7%94%9F%E6%88%90%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE\"><\/span>\u4e03\u3001\u751f\u6210\u5ba2\u6237\u7aef\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"71_%E5%88%9B%E5%BB%BA%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE%E7%9B%AE%E5%BD%95\"><\/span>7.1 \u521b\u5efa\u5ba2\u6237\u7aef\u914d\u7f6e\u76ee\u5f55<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">mkdir -p \/etc\/openvpn\/client-configs\/{files,keys,base}<br>cd \/etc\/openvpn\/client-configs<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"72_%E5%88%9B%E5%BB%BA%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE%E6%A8%A1%E6%9D%BF\"><\/span>7.2 \u521b\u5efa\u5ba2\u6237\u7aef\u914d\u7f6e\u6a21\u677f<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u83b7\u53d6\u670d\u52a1\u5668\u516c\u7f51 IP<br>SERVER_IP=$(curl -s ifconfig.me)<br>echo \"\u670d\u52a1\u5668\u516c\u7f51 IP: $SERVER_IP\"<br>\u200b<br># \u5982\u679c\u65e0\u6cd5\u83b7\u53d6\uff0c\u624b\u52a8\u8bbe\u7f6e<br># SERVER_IP=\"YOUR_PUBLIC_IP\"<br>\u200b<br>cat &gt; \/etc\/openvpn\/client-configs\/base.conf &lt;&lt;EOF<br>##############################################<br># OpenVPN 
\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6<br># \u670d\u52a1\u5668: $SERVER_IP<br># \u751f\u6210\u65f6\u95f4: $(date)<br>##############################################<br>\u200b<br># \u5ba2\u6237\u7aef\u6a21\u5f0f<br>client<br>\u200b<br># \u4f7f\u7528 TUN \u8bbe\u5907\uff08\u4e0e\u670d\u52a1\u5668\u4e00\u81f4\uff09<br>dev tun<br>\u200b<br># \u534f\u8bae\uff08\u4e0e\u670d\u52a1\u5668\u4e00\u81f4\uff09<br>proto udp<br># \u5982\u670d\u52a1\u5668\u4f7f\u7528 TCP\uff0c\u6539\u4e3a\uff1aproto tcp<br>\u200b<br># \u670d\u52a1\u5668\u5730\u5740\u548c\u7aef\u53e3<br>remote $SERVER_IP 1194<br>\u200b<br># \u5982\u6709\u591a\u4e2a\u670d\u52a1\u5668\uff08\u9ad8\u53ef\u7528\uff09<br># remote server1.example.com 1194<br># remote server2.example.com 1194<br># remote-random<br>\u200b<br># \u4fdd\u6301\u5c1d\u8bd5\u8fde\u63a5<br>resolv-retry infinite<br>\u200b<br># \u4e0d\u7ed1\u5b9a\u672c\u5730\u7aef\u53e3<br>nobind<br>\u200b<br># \u52a0\u5bc6\u8bbe\u7f6e\uff08\u4e0e\u670d\u52a1\u5668\u4e00\u81f4\uff09<br>cipher AES-256-GCM<br>auth SHA256<br>\u200b<br># TLS \u8ba4\u8bc1\uff08\u65b9\u5411\u4e3a 1\uff0c\u4e0e\u670d\u52a1\u5668\u7684 0 \u5bf9\u5e94\uff09<br>key-direction 1<br>\u200b<br># \u538b\u7f29\u8bbe\u7f6e\uff08\u4e0e\u670d\u52a1\u5668\u4e00\u81f4\uff09<br># 注意：在 VPN 隧道内启用压缩存在已知的信息泄露风险（VORACLE），OpenVPN 2.5 起已不建议使用；如服务器端可以调整，建议两端同时去掉 compress<br>compress lz4-v2<br>\u200b<br># \u91cd\u542f\u540e\u4fdd\u6301<br>persist-key<br>persist-tun<br>\u200b<br># \u964d\u4f4e\u6743\u9650\uff08Linux\/macOS \u5ba2\u6237\u7aef\uff09<br># user nobody<br># group nobody<br>\u200b<br># \u65e5\u5fd7\u7ea7\u522b<br>verb 3<br>\u200b<br># \u9759\u9ed8\u91cd\u590d\u6d88\u606f<br>mute 20<br>\u200b<br># \u811a\u672c\u5b89\u5168\u7ea7\u522b\uff08\u5982\u9700\u8fd0\u884c\u811a\u672c\uff09<br># script-security 2<br>\u200b<br># \u9a8c\u8bc1\u670d\u52a1\u5668\u8bc1\u4e66\uff08\u589e\u5f3a\u5b89\u5168\uff09<br>remote-cert-tls server<br>\u200b<br># \u4ee5\u4e0b\u5185\u5bb9\u7531\u751f\u6210\u811a\u672c\u81ea\u52a8\u6dfb\u52a0<br># &lt;ca&gt;...&lt;\/ca&gt;<br># &lt;cert&gt;...&lt;\/cert&gt;<br># 
&lt;key&gt;...&lt;\/key&gt;<br># &lt;tls-auth&gt;...&lt;\/tls-auth&gt;<br>EOF<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"73_%E5%88%9B%E5%BB%BA%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE%E7%94%9F%E6%88%90%E8%84%9A%E6%9C%AC%EF%BC%88%E6%94%B9%E8%BF%9B%E7%89%88%EF%BC%89\"><\/span>7.3 \u521b\u5efa\u5ba2\u6237\u7aef\u914d\u7f6e\u751f\u6210\u811a\u672c\uff08\u6539\u8fdb\u7248\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cat &gt; \/etc\/openvpn\/client-configs\/make_config.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br>#################################################<br># OpenVPN \u5ba2\u6237\u7aef\u914d\u7f6e\u751f\u6210\u811a\u672c<br># \u7528\u6cd5: .\/make_config.sh &lt;client_name&gt;<br>#################################################<br>\u200b<br># \u914d\u7f6e\u53d8\u91cf<br>BASE_CONFIG=\"\/etc\/openvpn\/client-configs\/base.conf\"<br>OUTPUT_DIR=\"\/etc\/openvpn\/client-configs\/files\"<br>KEY_DIR=\"\/etc\/openvpn\/server\/easy-rsa\/pki\"<br>TA_KEY=\"\/etc\/openvpn\/server\/keys\/ta.key\"<br>\u200b<br># \u989c\u8272\u8f93\u51fa<br>RED='\\033[0;31m'<br>GREEN='\\033[0;32m'<br>YELLOW='\\033[1;33m'<br>NC='\\033[0m' # No Color<br>\u200b<br># \u68c0\u67e5\u53c2\u6570<br>if [ $# -ne 1 ]; then<br> &nbsp; &nbsp;echo -e \"${RED}\u7528\u6cd5: $0 &lt;\u5ba2\u6237\u7aef\u540d\u79f0&gt;${NC}\"<br> &nbsp; &nbsp;echo -e \"${YELLOW}\u793a\u4f8b: $0 client1${NC}\"<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br>CLIENT_NAME=$1<br>\u200b<br># \u68c0\u67e5\u8bc1\u4e66\u662f\u5426\u5b58\u5728<br>if [ ! 
-f \"$KEY_DIR\/issued\/${CLIENT_NAME}.crt\" ]; then<br> &nbsp; &nbsp;echo -e \"${RED}\u9519\u8bef\uff1a\u5ba2\u6237\u7aef\u8bc1\u4e66\u4e0d\u5b58\u5728: ${CLIENT_NAME}.crt${NC}\"<br> &nbsp; &nbsp;echo -e \"${YELLOW}\u8bf7\u5148\u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66\uff1a${NC}\"<br> &nbsp; &nbsp;echo \"  cd \/etc\/openvpn\/server\/easy-rsa\"<br> &nbsp; &nbsp;echo \"  .\/easyrsa gen-req $CLIENT_NAME nopass\"<br> &nbsp; &nbsp;echo \"  .\/easyrsa sign-req client $CLIENT_NAME\"<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br># \u68c0\u67e5\u79c1\u94a5\u662f\u5426\u5b58\u5728<br>if [ ! -f \"$KEY_DIR\/private\/${CLIENT_NAME}.key\" ]; then<br> &nbsp; &nbsp;echo -e \"${RED}\u9519\u8bef\uff1a\u5ba2\u6237\u7aef\u79c1\u94a5\u4e0d\u5b58\u5728: ${CLIENT_NAME}.key${NC}\"<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br># \u521b\u5efa\u8f93\u51fa\u76ee\u5f55<br>mkdir -p ${OUTPUT_DIR}<br>\u200b<br># \u751f\u6210\u914d\u7f6e\u6587\u4ef6<br>OUTPUT_FILE=\"${OUTPUT_DIR}\/${CLIENT_NAME}.ovpn\"<br>\u200b<br># \u590d\u5236\u57fa\u7840\u914d\u7f6e<br>cat ${BASE_CONFIG} &gt; ${OUTPUT_FILE}<br>\u200b<br># \u6dfb\u52a0\u8bc1\u4e66\u548c\u5bc6\u94a5\uff08\u5185\u5d4c\u65b9\u5f0f\uff09<br>echo \"\" &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;ca&gt;\" &gt;&gt; ${OUTPUT_FILE}<br>cat ${KEY_DIR}\/ca.crt &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;\/ca&gt;\" &gt;&gt; ${OUTPUT_FILE}<br>\u200b<br>echo \"\" &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;cert&gt;\" &gt;&gt; ${OUTPUT_FILE}<br># \u63d0\u53d6\u8bc1\u4e66\u90e8\u5206\uff08\u53bb\u6389\u989d\u5916\u5185\u5bb9\uff09<br>sed -n '\/BEGIN CERTIFICATE\/,\/END CERTIFICATE\/p' ${KEY_DIR}\/issued\/${CLIENT_NAME}.crt &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;\/cert&gt;\" &gt;&gt; ${OUTPUT_FILE}<br>\u200b<br>echo \"\" &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;key&gt;\" &gt;&gt; ${OUTPUT_FILE}<br>cat ${KEY_DIR}\/private\/${CLIENT_NAME}.key &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;\/key&gt;\" &gt;&gt; ${OUTPUT_FILE}<br>\u200b<br>echo \"\" &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;tls-auth&gt;\" 
&gt;&gt; ${OUTPUT_FILE}<br>cat ${TA_KEY} &gt;&gt; ${OUTPUT_FILE}<br>echo \"&lt;\/tls-auth&gt;\" &gt;&gt; ${OUTPUT_FILE}<br>\u200b<br># \u8bbe\u7f6e\u6743\u9650<br>chmod 600 ${OUTPUT_FILE}<br>\u200b<br># \u6210\u529f\u63d0\u793a<br>echo -e \"${GREEN}===== \u5ba2\u6237\u7aef\u914d\u7f6e\u751f\u6210\u6210\u529f =====${NC}\"<br>echo -e \"${GREEN}\u6587\u4ef6\u4f4d\u7f6e: ${OUTPUT_FILE}${NC}\"<br>echo \"\"<br>echo -e \"${YELLOW}\u4f20\u8f93\u65b9\u5f0f\uff1a${NC}\"<br>echo \"  1. SCP \u4f20\u8f93\uff1a\"<br>echo \" &nbsp; &nbsp; scp ${OUTPUT_FILE} user@client:\/path\/\"<br>echo \"\"<br>echo \"  2. \u67e5\u770b\u5185\u5bb9\uff08\u590d\u5236\u7c98\u8d34\uff09\uff1a\"<br>echo \" &nbsp; &nbsp; cat ${OUTPUT_FILE}\"<br>echo \"\"<br>echo \"  3. \u751f\u6210\u4e8c\u7ef4\u7801\uff08\u79fb\u52a8\u8bbe\u5907\u5bfc\u5165\uff09\uff1a\"<br>echo \" &nbsp; &nbsp; qrencode -t ansiutf8 &lt; ${OUTPUT_FILE}\"<br>echo \"\"<br>echo -e \"${YELLOW}Windows \u5ba2\u6237\u7aef\uff1a${NC}\"<br>echo \"  \u5c06 .ovpn \u6587\u4ef6\u590d\u5236\u5230 C:\\\\Program Files\\\\OpenVPN\\\\config\\\\\"<br>echo \"\"<br>echo -e \"${YELLOW}Linux \u5ba2\u6237\u7aef\uff1a${NC}\"<br>echo \"  sudo openvpn --config ${CLIENT_NAME}.ovpn\"<br>echo \"\"<br>echo -e \"${YELLOW}\u79fb\u52a8\u8bbe\u5907\uff08Android\/iOS\uff09\uff1a${NC}\"<br>echo \"  \u4f7f\u7528 OpenVPN Connect \u5e94\u7528\u5bfc\u5165 .ovpn \u6587\u4ef6\"<br>echo \"\"<br>EOF<br>\u200b<br>chmod +x \/etc\/openvpn\/client-configs\/make_config.sh<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"74_%E7%94%9F%E6%88%90%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6\"><\/span>7.4 \u751f\u6210\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u8fdb\u5165\u914d\u7f6e\u76ee\u5f55<br>cd \/etc\/openvpn\/client-configs<br><br># \u4e3a client1 \u751f\u6210\u914d\u7f6e<br>.\/make_config.sh client1<br><br># 
\u4e3a\u591a\u4e2a\u5ba2\u6237\u7aef\u6279\u91cf\u751f\u6210<br>for client in alice bob charlie manager; do<br>    # \u5148\u751f\u6210\u8bc1\u4e66\uff08\u5982\u679c\u8fd8\u6ca1\u751f\u6210\uff09<br>    cd \/etc\/openvpn\/server\/easy-rsa<br>    .\/easyrsa gen-req $client nopass<br>    .\/easyrsa sign-req client $client<br>    <br>    # \u751f\u6210\u914d\u7f6e\u6587\u4ef6<br>    cd \/etc\/openvpn\/client-configs<br>    .\/make_config.sh $client<br>done<br><br># \u67e5\u770b\u751f\u6210\u7684\u6587\u4ef6<br>ls -lh \/etc\/openvpn\/client-configs\/files\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"75_%E5%88%9B%E5%BB%BA%E9%85%8D%E7%BD%AE%E4%B8%8B%E8%BD%BD%E6%9C%8D%E5%8A%A1%EF%BC%88%E5%8F%AF%E9%80%89%EF%BC%89\"><\/span>7.5 \u521b\u5efa\u914d\u7f6e\u4e0b\u8f7d\u670d\u52a1\uff08\u53ef\u9009\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5b89\u88c5 Python3\uff08\u5982\u679c\u672a\u5b89\u88c5\uff09<br>dnf install python3 -y<br>\u200b<br># \u521b\u5efa\u7b80\u5355\u7684 HTTP \u670d\u52a1\u5668\u811a\u672c<br>cat &gt; \/etc\/openvpn\/client-configs\/start-http-server.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br># \u4e34\u65f6 HTTP \u670d\u52a1\u5668\uff0c\u7528\u4e8e\u4e0b\u8f7d\u5ba2\u6237\u7aef\u914d\u7f6e<br>\u200b<br>cd \/etc\/openvpn\/client-configs\/files<br>python3 -m http.server 8000 --bind 0.0.0.0<br>EOF<br>\u200b<br>chmod +x \/etc\/openvpn\/client-configs\/start-http-server.sh<br>\u200b<br># \u4f7f\u7528\u65b9\u6cd5\uff08\u4e34\u65f6\uff09\uff1a<br># .\/start-http-server.sh<br># \u7136\u540e\u5728\u6d4f\u89c8\u5668\u8bbf\u95ee\uff1ahttp:\/\/\u670d\u52a1\u5668IP:8000\/client1.ovpn<br>\u200b<br># \u26a0\ufe0f \u6ce8\u610f\uff1a\u8fd9\u53ea\u662f\u4e34\u65f6\u65b9\u6848\uff0c\u4e0b\u8f7d\u540e\u7acb\u5373\u505c\u6b62\u670d\u52a1\uff01<br># \u751f\u4ea7\u73af\u5883\u5e94\u4f7f\u7528 HTTPS \u6216 SFTP<br># 原因：每个 .ovpn 都内嵌了客户端私钥和 ta.key；明文 HTTP 加上 --bind 0.0.0.0 意味着服务运行期间任何能访问 8000 端口的人都能下载这些文件，且传输过程未加密<\/pre>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%85%AB%E3%80%81%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%BF%9E%E6%8E%A5%E6%B5%8B%E8%AF%95\"><\/span>\u516b\u3001\u5ba2\u6237\u7aef\u8fde\u63a5\u6d4b\u8bd5<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"81_Linux_%E5%AE%A2%E6%88%B7%E7%AB%AF\"><\/span>8.1 Linux \u5ba2\u6237\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5b89\u88c5 OpenVPN \u5ba2\u6237\u7aef<br># Debian\/Ubuntu<br>apt update &amp;&amp; apt install openvpn -y<br>\u200b<br># RHEL\/CentOS\/Anolis<br>dnf install epel-release -y<br>dnf install openvpn -y<br>\u200b<br># \u4f20\u8f93\u914d\u7f6e\u6587\u4ef6\uff08\u5728\u670d\u52a1\u5668\u6267\u884c\uff09<br>scp \/etc\/openvpn\/client-configs\/files\/client1.ovpn user@client_ip:\/tmp\/<br>\u200b<br># \u5728\u5ba2\u6237\u7aef\u8fde\u63a5\uff08\u524d\u53f0\u6d4b\u8bd5\uff09<br>sudo openvpn --config \/tmp\/client1.ovpn<br>\u200b<br># \u540e\u53f0\u8fd0\u884c<br>sudo openvpn --config \/tmp\/client1.ovpn --daemon<br>\u200b<br># \u4f7f\u7528 systemd \u7ba1\u7406\uff08\u63a8\u8350\uff09<br>sudo cp \/tmp\/client1.ovpn \/etc\/openvpn\/client\/client1.conf<br>sudo systemctl start openvpn-client@client1<br>sudo systemctl enable openvpn-client@client1<br>\u200b<br># \u67e5\u770b\u72b6\u6001<br>sudo systemctl status openvpn-client@client1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"82_Windows_%E5%AE%A2%E6%88%B7%E7%AB%AF\"><\/span>8.2 Windows \u5ba2\u6237\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">1. \u4e0b\u8f7d OpenVPN GUI<br> &nbsp; https:\/\/openvpn.net\/community-downloads\/<br> &nbsp; <br>2. \u5b89\u88c5 OpenVPN GUI\uff08\u7ba1\u7406\u5458\u6743\u9650\uff09<br>\u200b<br>3. 
\u5c06 client1.ovpn \u590d\u5236\u5230\u914d\u7f6e\u76ee\u5f55\uff1a<br> &nbsp; C:\\Program Files\\OpenVPN\\config\\<br> &nbsp; <br>4. \u53f3\u952e\u4efb\u52a1\u680f OpenVPN \u56fe\u6807\uff0c\u9009\u62e9 \"\u8fde\u63a5\"<br>\u200b<br>5. \u67e5\u770b\u8fde\u63a5\u65e5\u5fd7\uff1a<br> &nbsp; \u53f3\u952e \u2192 \"\u67e5\u770b\u65e5\u5fd7\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"83_macOS_%E5%AE%A2%E6%88%B7%E7%AB%AF\"><\/span>8.3 macOS \u5ba2\u6237\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">1. \u4e0b\u8f7d Tunnelblick<br> &nbsp; https:\/\/tunnelblick.net\/downloads.html<br> &nbsp; <br>2. \u5b89\u88c5 Tunnelblick<br>\u200b<br>3. \u53cc\u51fb client1.ovpn \u6587\u4ef6\uff0c\u81ea\u52a8\u5bfc\u5165\u914d\u7f6e<br>\u200b<br>4. \u70b9\u51fb Tunnelblick \u56fe\u6807\uff0c\u9009\u62e9 \"\u8fde\u63a5\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"84_Android_%E5%AE%A2%E6%88%B7%E7%AB%AF\"><\/span>8.4 Android \u5ba2\u6237\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">1. \u5728 Google Play \u5b89\u88c5 \"OpenVPN Connect\"<br><br>2. \u4f20\u8f93 .ovpn \u6587\u4ef6\u5230\u624b\u673a<br>   - \u65b9\u6cd51\uff1a\u901a\u8fc7\u90ae\u4ef6\u53d1\u9001<br>   - \u65b9\u6cd52\uff1a\u901a\u8fc7 USB \u4f20\u8f93<br>   - \u65b9\u6cd53\uff1a\u626b\u63cf\u4e8c\u7ef4\u7801\uff08\u9700\u5b89\u88c5 qrencode\uff09<br><br>3. \u6253\u5f00 OpenVPN Connect \u2192 \u5bfc\u5165 \u2192 \u9009\u62e9 .ovpn \u6587\u4ef6<br><br>4. \u70b9\u51fb\u8fde\u63a5<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"85_iOS_%E5%AE%A2%E6%88%B7%E7%AB%AF\"><\/span>8.5 iOS \u5ba2\u6237\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">1. \u5728 App Store \u5b89\u88c5 \"OpenVPN Connect\"<br><br>2. 
\u4f20\u8f93 .ovpn \u6587\u4ef6<br>   - \u901a\u8fc7 AirDrop<br>   - \u901a\u8fc7\u90ae\u4ef6\u9644\u4ef6<br>   - \u901a\u8fc7 iCloud Drive<br><br>3. \u6253\u5f00\u6587\u4ef6\uff0c\u9009\u62e9 \"\u5bfc\u5165\u5230 OpenVPN\"<br><br>4. \u70b9\u51fb\u8fde\u63a5<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"86_%E9%AA%8C%E8%AF%81%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%BF%9E%E6%8E%A5\"><\/span>8.6 \u9a8c\u8bc1\u5ba2\u6237\u7aef\u8fde\u63a5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># ===== \u5728\u5ba2\u6237\u7aef\u6267\u884c =====<br><br># \u68c0\u67e5 VPN \u63a5\u53e3<br>ip addr show tun0<br># \u6216 Windows: ipconfig \/all<br><br># \u5e94\u663e\u793a\u5206\u914d\u7684 IP\uff08\u5982 10.8.0.6\uff09<br><br># \u68c0\u67e5\u8def\u7531<br>ip route<br># \u5e94\u663e\u793a\uff1a10.8.0.0\/24 dev tun0<br><br># Ping VPN \u670d\u52a1\u5668<br>ping 10.8.0.1<br><br># Ping \u5185\u7f51\u670d\u52a1\u5668\uff08\u5982 192.168.1.100\uff09<br>ping 192.168.1.100<br><br># \u68c0\u67e5\u516c\u7f51 IP\uff08\u9a8c\u8bc1\u662f\u5426\u8d70 VPN\uff09<br>curl ifconfig.me<br># \u5e94\u663e\u793a\u4e3a OpenVPN \u670d\u52a1\u5668\u7684\u516c\u7f51 IP<br><br># \u6d4b\u8bd5 DNS \u89e3\u6790<br>nslookup www.baidu.com<br><br># Trace \u8def\u7531<br>traceroute -n 8.8.8.8<br># \u7b2c\u4e00\u8df3\u5e94\u8be5\u662f 10.8.0.1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"87_%E5%9C%A8%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%9F%A5%E7%9C%8B%E5%B7%B2%E8%BF%9E%E6%8E%A5%E5%AE%A2%E6%88%B7%E7%AB%AF\"><\/span>8.7 \u5728\u670d\u52a1\u5668\u67e5\u770b\u5df2\u8fde\u63a5\u5ba2\u6237\u7aef<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u67e5\u770b\u72b6\u6001\u6587\u4ef6<br>cat \/var\/log\/openvpn\/openvpn-status.log<br><br># \u793a\u4f8b\u8f93\u51fa\uff1a<br># CLIENT_LIST,client1,10.8.0.6,192.168.1.100:53241,11223344,22334455,Sun Dec  3 18:30:00 2025<br><br># 
\u5b9e\u65f6\u76d1\u63a7\u8fde\u63a5<br>watch -n 2 'cat \/var\/log\/openvpn\/openvpn-status.log | grep CLIENT_LIST'<br><br># \u67e5\u770b\u5b9e\u65f6\u65e5\u5fd7<br>tail -f \/var\/log\/openvpn\/openvpn.log<br><br># \u4f7f\u7528\u7ba1\u7406\u63a5\u53e3\u67e5\u8be2\uff08\u5982\u679c\u542f\u7528\uff09<br>echo \"status\" | nc 127.0.0.1 7505<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%B9%9D%E3%80%81%E8%AF%81%E4%B9%A6%E7%AE%A1%E7%90%86\"><\/span>\u4e5d\u3001\u8bc1\u4e66\u7ba1\u7406<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"91_%E6%9F%A5%E7%9C%8B%E8%AF%81%E4%B9%A6%E4%BF%A1%E6%81%AF\"><\/span>9.1 \u67e5\u770b\u8bc1\u4e66\u4fe1\u606f<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/openvpn\/server\/easy-rsa<br><br># \u67e5\u770b CA \u8bc1\u4e66<br>openssl x509 -in pki\/ca.crt -noout -text<br><br># \u67e5\u770b\u8bc1\u4e66\u6709\u6548\u671f<br>openssl x509 -in pki\/issued\/client1.crt -noout -dates<br><br># \u67e5\u770b\u6240\u6709\u5df2\u7b7e\u53d1\u8bc1\u4e66<br>cat pki\/index.txt<br><br># \u67e5\u770b\u8bc1\u4e66\u5217\u8868<br>ls -lh pki\/issued\/<br><br># \u67e5\u770b\u79c1\u94a5<br>ls -lh pki\/private\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"92_%E5%90%8A%E9%94%80%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%AF%81%E4%B9%A6\"><\/span>9.2 \u540a\u9500\u5ba2\u6237\u7aef\u8bc1\u4e66<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/etc\/openvpn\/server\/easy-rsa<br>\u200b<br># \u540a\u9500\u8bc1\u4e66\uff08\u5047\u8bbe\u540a\u9500 client1\uff09<br>.\/easyrsa revoke client1<br>\u200b<br># \u63d0\u793a\u786e\u8ba4\uff0c\u8f93\u5165\uff1ayes<br>\u200b<br># \u91cd\u65b0\u751f\u6210 CRL<br>.\/easyrsa gen-crl<br>\u200b<br># \u66f4\u65b0\u670d\u52a1\u5668\u7684 
CRL<br>cp pki\/crl.pem \/etc\/openvpn\/server\/keys\/<br>\u200b<br># \u91cd\u542f OpenVPN \u670d\u52a1<br>systemctl restart openvpn-server@server<br>\u200b<br># \u9a8c\u8bc1 CRL<br>openssl crl -in \/etc\/openvpn\/server\/keys\/crl.pem -noout -text<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"93_%E7%BB%AD%E6%9C%9F%E8%AF%81%E4%B9%A6\"><\/span>9.3 \u7eed\u671f\u8bc1\u4e66<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># OpenVPN \u8bc1\u4e66\u7eed\u671f\u9700\u8981\u91cd\u65b0\u7b7e\u53d1<br>\u200b<br># \u65b9\u6cd51\uff1a\u91cd\u65b0\u751f\u6210\uff08\u63a8\u8350\uff09<br>cd \/etc\/openvpn\/server\/easy-rsa<br>\u200b<br># \u5148\u540a\u9500\u65e7\u8bc1\u4e66\uff08\u53ef\u9009\uff09<br># .\/easyrsa revoke client1<br># 注意：只删除服务器上的文件不会使已发出的旧证书失效，它在到期前仍可通过认证；如旧私钥可能已泄露或已不再使用，应先执行 revoke，并按 9.2 重新生成、更新 CRL<br>\u200b<br># \u5220\u9664\u65e7\u8bc1\u4e66\u6587\u4ef6<br>rm -f pki\/issued\/client1.crt<br>rm -f pki\/private\/client1.key<br>rm -f pki\/reqs\/client1.req<br>\u200b<br># \u91cd\u65b0\u751f\u6210<br>.\/easyrsa gen-req client1 nopass<br>.\/easyrsa sign-req client client1<br>\u200b<br># \u91cd\u65b0\u751f\u6210\u5ba2\u6237\u7aef\u914d\u7f6e<br>cd \/etc\/openvpn\/client-configs<br>.\/make_config.sh client1<br>\u200b<br># \u65b9\u6cd52\uff1a\u5ef6\u957f\u6709\u6548\u671f\uff08\u4fee\u6539 vars \u540e\u91cd\u65b0\u7b7e\u53d1\uff09<br># \u7f16\u8f91 vars\uff0c\u589e\u52a0 EASYRSA_CERT_EXPIRE<br># \u7136\u540e\u91cd\u65b0\u6267\u884c\u4e0a\u8ff0\u6b65\u9aa4<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"94_%E5%A4%87%E4%BB%BD_PKI\"><\/span>9.4 \u5907\u4efd PKI<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa\u5907\u4efd\u811a\u672c<br>cat &gt; \/root\/backup-openvpn-pki.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br># OpenVPN PKI \u5907\u4efd\u811a\u672c<br>\u200b<br>BACKUP_DIR=\"\/backup\/openvpn\"<br>DATE=$(date +%Y%m%d_%H%M%S)<br>BACKUP_FILE=\"$BACKUP_DIR\/openvpn-pki-$DATE.tar.gz\"<br>\u200b<br># 
\u521b\u5efa\u5907\u4efd\u76ee\u5f55<br>mkdir -p $BACKUP_DIR<br>\u200b<br># \u5907\u4efd PKI<br>tar -czf $BACKUP_FILE \\<br> &nbsp;  \/etc\/openvpn\/server\/easy-rsa\/pki \\<br> &nbsp;  \/etc\/openvpn\/server\/server.conf \\<br> &nbsp;  \/etc\/openvpn\/server\/keys<br>\u200b<br># \u4fdd\u7559\u6700\u8fd1 7 \u5929\u7684\u5907\u4efd<br>find $BACKUP_DIR -name \"openvpn-pki-*.tar.gz\" -mtime +7 -delete<br>\u200b<br>echo \"\u5907\u4efd\u5b8c\u6210: $BACKUP_FILE\"<br>ls -lh $BACKUP_FILE<br>EOF<br>\u200b<br>chmod +x \/root\/backup-openvpn-pki.sh<br>\u200b<br># \u624b\u52a8\u6267\u884c<br>\/root\/backup-openvpn-pki.sh<br>\u200b<br># \u6dfb\u52a0\u5230 crontab\uff08\u6bcf\u5929\u51cc\u6668 2 \u70b9\u5907\u4efd\uff09<br>crontab -e<br># \u6dfb\u52a0\uff1a0 2 * * * \/root\/backup-openvpn-pki.sh &gt;&gt; \/var\/log\/openvpn-backup.log 2&gt;&amp;1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"95_%E6%81%A2%E5%A4%8D_PKI\"><\/span>9.5 \u6062\u590d PKI<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u4ece\u5907\u4efd\u6062\u590d<br>cd \/<br>tar -xzf \/backup\/openvpn\/openvpn-pki-20251203_020000.tar.gz<br><br># \u91cd\u542f\u670d\u52a1<br>systemctl restart openvpn-server@server<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%8D%81%E3%80%81%E5%AE%89%E5%85%A8%E5%8A%A0%E5%9B%BA\"><\/span>\u5341\u3001\u5b89\u5168\u52a0\u56fa<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"101_%E5%90%AF%E7%94%A8_TLS-Crypt%EF%BC%88%E6%8E%A8%E8%8D%90%EF%BC%8C%E6%9B%BF%E4%BB%A3_TLS-Auth%EF%BC%89\"><\/span>10.1 \u542f\u7528 TLS-Crypt\uff08\u63a8\u8350\uff0c\u66ff\u4ee3 TLS-Auth\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># TLS-Crypt \u6bd4 TLS-Auth 
\u66f4\u5b89\u5168\uff0c\u52a0\u5bc6\u63a7\u5236\u901a\u9053<br><br># \u751f\u6210 TLS-Crypt \u5bc6\u94a5<br>cd \/etc\/openvpn\/server\/keys<br>openvpn --genkey secret tc.key<br><br># \u4fee\u6539\u670d\u52a1\u5668\u914d\u7f6e<br># \u5c06 tls-auth \u6539\u4e3a tls-crypt<br>sed -i 's\/tls-auth keys\\\/ta.key 0\/tls-crypt keys\\\/tc.key\/' \/etc\/openvpn\/server\/server.conf<br><br># \u4fee\u6539\u5ba2\u6237\u7aef\u914d\u7f6e\u6a21\u677f<br>sed -i 's\/key-direction 1\/\/' \/etc\/openvpn\/client-configs\/base.conf<br>sed -i 's\/&lt;tls-auth&gt;\/&lt;tls-crypt&gt;\/' \/etc\/openvpn\/client-configs\/base.conf<br>sed -i 's\/&lt;\\\/tls-auth&gt;\/&lt;\\\/tls-crypt&gt;\/' \/etc\/openvpn\/client-configs\/base.conf<br><br># \u91cd\u65b0\u751f\u6210\u5ba2\u6237\u7aef\u914d\u7f6e<br># 注意：7.3 的 make_config.sh 中写死了 &lt;tls-auth&gt; 标签和 TA_KEY（keys\/ta.key），需先同步改为 &lt;tls-crypt&gt; 和 keys\/tc.key，否则重新生成的 .ovpn 仍是 tls-auth，与已切换到 tls-crypt 的服务器不匹配<br># \u5e76\u91cd\u542f\u670d\u52a1\u5668<br>systemctl restart openvpn-server@server<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"102_%E9%99%90%E5%88%B6_TLS_%E5%8A%A0%E5%AF%86%E5%A5%97%E4%BB%B6\"><\/span>10.2 \u9650\u5236 TLS \u52a0\u5bc6\u5957\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u7f16\u8f91\u670d\u52a1\u5668\u914d\u7f6e<br>cat &gt;&gt; \/etc\/openvpn\/server\/server.conf &lt;&lt;'EOF'<br>\u200b<br># \u9650\u5236 TLS \u52a0\u5bc6\u5957\u4ef6\uff08\u4ec5\u5141\u8bb8\u5f3a\u52a0\u5bc6\uff09<br>tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384<br>EOF<br>\u200b<br># \u91cd\u542f\u670d\u52a1<br>systemctl restart openvpn-server@server<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"103_%E5%90%AF%E7%94%A8%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%BF%9E%E6%8E%A5%E6%97%A5%E5%BF%97%E5%AE%A1%E8%AE%A1\"><\/span>10.3 \u542f\u7528\u5ba2\u6237\u7aef\u8fde\u63a5\u65e5\u5fd7\u5ba1\u8ba1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa\u811a\u672c\u76ee\u5f55<br>mkdir 
-p \/etc\/openvpn\/server\/scripts<br>\u200b<br># \u521b\u5efa\u8fde\u63a5\u65e5\u5fd7\u811a\u672c<br>cat &gt; \/etc\/openvpn\/server\/scripts\/client-connect.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br># \u5ba2\u6237\u7aef\u8fde\u63a5\u65e5\u5fd7<br>\u200b<br>LOG_FILE=\"\/var\/log\/openvpn\/connections.log\"<br>DATE=$(date \"+%Y-%m-%d %H:%M:%S\")<br>\u200b<br>echo \"$DATE | CONNECT | Client: $common_name | IP: $trusted_ip:$trusted_port | VPN_IP: $ifconfig_pool_remote_ip\" &gt;&gt; $LOG_FILE<br>EOF<br>\u200b<br>cat &gt; \/etc\/openvpn\/server\/scripts\/client-disconnect.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br># \u5ba2\u6237\u7aef\u65ad\u5f00\u65e5\u5fd7<br>\u200b<br>LOG_FILE=\"\/var\/log\/openvpn\/connections.log\"<br>DATE=$(date \"+%Y-%m-%d %H:%M:%S\")<br>\u200b<br>echo \"$DATE | DISCONNECT | Client: $common_name | Duration: ${time_duration}s | RX: ${bytes_received} bytes | TX: ${bytes_sent} bytes\" &gt;&gt; $LOG_FILE<br>EOF<br>\u200b<br>chmod +x \/etc\/openvpn\/server\/scripts\/*.sh<br># 这些脚本由 OpenVPN 服务进程执行，脚本文件及其目录应仅 root 可写，防止被篡改后随服务运行<br>\u200b<br># \u5728\u670d\u52a1\u5668\u914d\u7f6e\u4e2d\u542f\u7528\u811a\u672c<br>cat &gt;&gt; \/etc\/openvpn\/server\/server.conf &lt;&lt;'EOF'<br>\u200b<br># \u5ba2\u6237\u7aef\u8fde\u63a5\/\u65ad\u5f00\u811a\u672c<br>script-security 2<br>client-connect \/etc\/openvpn\/server\/scripts\/client-connect.sh<br>client-disconnect \/etc\/openvpn\/server\/scripts\/client-disconnect.sh<br>EOF<br>\u200b<br># \u521b\u5efa\u65e5\u5fd7\u6587\u4ef6<br># 该日志含客户端名称与来源 IP，644 会让本机所有用户可读；若无此需要可改为 640<br>touch \/var\/log\/openvpn\/connections.log<br>chmod 644 \/var\/log\/openvpn\/connections.log<br>\u200b<br># \u91cd\u542f\u670d\u52a1<br>systemctl restart openvpn-server@server<br>\u200b<br># \u67e5\u770b\u8fde\u63a5\u65e5\u5fd7<br>tail -f \/var\/log\/openvpn\/connections.log<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"104_%E9%99%90%E5%88%B6%E5%AE%A2%E6%88%B7%E7%AB%AF%E8%AE%BF%E9%97%AE%E8%8C%83%E5%9B%B4\"><\/span>10.4 \u9650\u5236\u5ba2\u6237\u7aef\u8bbf\u95ee\u8303\u56f4<span
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u65b9\u6cd51\uff1a\u4f7f\u7528\u5ba2\u6237\u7aef\u914d\u7f6e\u76ee\u5f55\uff08CCD\uff09<br>\u200b<br># \u4e3a client1 \u521b\u5efa\u9650\u5236\u914d\u7f6e<br># 注意：iroute 声明的是该网段位于此客户端之后（服务器侧的内部路由），本身并不限制客户端能访问哪些网段；不推送路由也不能阻止客户端自行添加路由，访问控制应以方法2的防火墙规则为准<br>cat &gt; \/etc\/openvpn\/server\/ccd\/client1 &lt;&lt;EOF<br># \u4ec5\u5141\u8bb8\u8bbf\u95ee\u7279\u5b9a\u7f51\u6bb5<br>iroute 192.168.100.0 255.255.255.0<br>\u200b<br># \u7981\u6b62\u8bbf\u95ee\u5176\u4ed6\u7f51\u6bb5\uff08\u901a\u8fc7\u4e0d\u63a8\u9001\u8def\u7531\u5b9e\u73b0\uff09<br>EOF<br>\u200b<br># \u65b9\u6cd52\uff1a\u4f7f\u7528 iptables \u89c4\u5219<br># 前提：10.8.0.10 需在 CCD 中用 ifconfig-push 固定分配给 client1，否则规则会作用到恰好拿到该地址的其他客户端<br># -A 是追加到链尾：若 FORWARD 链前面已有放行 10.8.0.0\/24 的规则，下面的 REJECT 不会生效，可用 iptables -L FORWARD -n --line-numbers 核对顺序<br>\u200b<br># \u5141\u8bb8 client1\uff0810.8.0.10\uff09\u8bbf\u95ee 192.168.1.0\/24<br>iptables -A FORWARD -s 10.8.0.10 -d 192.168.1.0\/24 -j ACCEPT<br>\u200b<br># \u7981\u6b62\u8bbf\u95ee\u5176\u4ed6\u5185\u7f51<br>iptables -A FORWARD -s 10.8.0.10 -d 192.168.0.0\/16 -j REJECT<br>\u200b<br># \u4fdd\u5b58\u89c4\u5219<br>service iptables save<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"105_%E5%90%AF%E7%94%A8%E5%8F%8C%E5%9B%A0%E7%B4%A0%E8%AE%A4%E8%AF%81%EF%BC%88%E5%8F%AF%E9%80%89%EF%BC%89\"><\/span>10.5 \u542f\u7528\u53cc\u56e0\u7d20\u8ba4\u8bc1\uff08\u53ef\u9009\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5b89\u88c5 Google Authenticator PAM \u6a21\u5757<br>dnf install google-authenticator qrencode -y<br>\u200b<br># \u914d\u7f6e PAM<br>cat &gt;&gt; \/etc\/pam.d\/openvpn &lt;&lt;'EOF'<br>auth required pam_google_authenticator.so<br>EOF<br>\u200b<br># \u5728\u670d\u52a1\u5668\u914d\u7f6e\u4e2d\u542f\u7528<br>cat &gt;&gt; \/etc\/openvpn\/server\/server.conf &lt;&lt;'EOF'<br>\u200b<br># \u542f\u7528 PAM \u8ba4\u8bc1<br>plugin \/usr\/lib64\/openvpn\/plugins\/openvpn-plugin-auth-pam.so openvpn<br>EOF<br>\u200b<br># \u4e3a\u6bcf\u4e2a\u7528\u6237\u751f\u6210\u5bc6\u94a5<br># su - openvpn_user<br># google-authenticator<br>\u200b<br># \u91cd\u542f\u670d\u52a1<br>systemctl restart
openvpn-server@server<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%8D%81%E4%B8%80%E3%80%81%E7%9B%91%E6%8E%A7%E5%92%8C%E7%BB%B4%E6%8A%A4\"><\/span>\u5341\u4e00\u3001\u76d1\u63a7\u548c\u7ef4\u62a4<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"111_%E5%88%9B%E5%BB%BA%E7%9B%91%E6%8E%A7%E8%84%9A%E6%9C%AC\"><\/span>11.1 \u521b\u5efa\u76d1\u63a7\u811a\u672c<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cat &gt; \/usr\/local\/bin\/openvpn-monitor.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br># OpenVPN \u76d1\u63a7\u811a\u672c<br>\u200b<br>echo \"========== OpenVPN \u670d\u52a1\u76d1\u63a7 ==========\"<br>echo \"\u65f6\u95f4: $(date)\"<br>echo \"\"<br>\u200b<br># 1. \u670d\u52a1\u72b6\u6001<br>echo \"\u3010\u670d\u52a1\u72b6\u6001\u3011\"<br>systemctl is-active openvpn-server@server &amp;&amp; echo \"\u2713 \u670d\u52a1\u8fd0\u884c\u6b63\u5e38\" || echo \"\u2717 \u670d\u52a1\u672a\u8fd0\u884c\"<br>echo \"\"<br>\u200b<br># 2. \u76d1\u542c\u7aef\u53e3<br>echo \"\u3010\u76d1\u542c\u7aef\u53e3\u3011\"<br>ss -tunlp | grep 1194 || echo \"\u2717 \u7aef\u53e3\u672a\u76d1\u542c\"<br>echo \"\"<br>\u200b<br># 3. TUN \u8bbe\u5907<br>echo \"\u3010TUN \u8bbe\u5907\u3011\"<br>ip addr show tun0 2&gt;\/dev\/null | grep inet || echo \"\u2717 TUN \u8bbe\u5907\u672a\u521b\u5efa\"<br>echo \"\"<br>\u200b<br># 4. 
\u5df2\u8fde\u63a5\u5ba2\u6237\u7aef<br>echo \"\u3010\u5df2\u8fde\u63a5\u5ba2\u6237\u7aef\u3011\"<br>CLIENT_COUNT=$(grep \"^CLIENT_LIST\" \/var\/log\/openvpn\/openvpn-status.log 2&gt;\/dev\/null | wc -l)<br>echo \"\u5f53\u524d\u8fde\u63a5\u6570: $CLIENT_COUNT\"<br>grep \"^CLIENT_LIST\" \/var\/log\/openvpn\/openvpn-status.log 2&gt;\/dev\/null | \\<br> &nbsp; &nbsp;awk -F',' '{print \"  - \"$2\" (\"$3\")\"}' || echo \"  \u65e0\u5ba2\u6237\u7aef\u8fde\u63a5\"<br>echo \"\"<br>\u200b<br># 5. \u6d41\u91cf\u7edf\u8ba1<br>echo \"\u3010\u6d41\u91cf\u7edf\u8ba1\u3011\"<br>if [ -f \/sys\/class\/net\/tun0\/statistics\/rx_bytes ]; then<br> &nbsp; &nbsp;RX=$(cat \/sys\/class\/net\/tun0\/statistics\/rx_bytes)<br> &nbsp; &nbsp;TX=$(cat \/sys\/class\/net\/tun0\/statistics\/tx_bytes)<br> &nbsp; &nbsp;echo \"  \u63a5\u6536: $(numfmt --to=iec-i --suffix=B $RX)\"<br> &nbsp; &nbsp;echo \"  \u53d1\u9001: $(numfmt --to=iec-i --suffix=B $TX)\"<br>else<br> &nbsp; &nbsp;echo \"  \u65e0\u6cd5\u83b7\u53d6\u6d41\u91cf\u7edf\u8ba1\"<br>fi<br>echo \"\"<br>\u200b<br># 6. \u6700\u8fd1\u9519\u8bef\u65e5\u5fd7<br>echo \"\u3010\u6700\u8fd1\u9519\u8bef\u3011\"<br>tail -10 \/var\/log\/openvpn\/openvpn.log | grep -i error || echo \"  \u65e0\u9519\u8bef\"<br>echo \"\"<br>\u200b<br># 7. 
\u7cfb\u7edf\u8d44\u6e90<br>echo \"\u3010\u7cfb\u7edf\u8d44\u6e90\u3011\"<br>echo \"  CPU: $(top -bn1 | grep \"Cpu(s)\" | awk '{print $2}')%\"<br>echo \"  \u5185\u5b58: $(free -h | grep Mem | awk '{print $3\"\/\"$2}')\"<br>echo \"\"<br>\u200b<br>echo \"=========================================\"<br>EOF<br>\u200b<br>chmod +x \/usr\/local\/bin\/openvpn-monitor.sh<br>\u200b<br># \u6267\u884c\u76d1\u63a7<br>\/usr\/local\/bin\/openvpn-monitor.sh<br>\u200b<br># \u6dfb\u52a0\u5230 crontab\uff08\u6bcf\u5c0f\u65f6\u6267\u884c\u4e00\u6b21\uff09<br>crontab -e<br># \u6dfb\u52a0\uff1a0 * * * * \/usr\/local\/bin\/openvpn-monitor.sh &gt;&gt; \/var\/log\/openvpn-monitor.log<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"112_%E6%97%A5%E5%BF%97%E8%BD%AE%E8%BD%AC%E9%85%8D%E7%BD%AE\"><\/span>11.2 \u65e5\u5fd7\u8f6e\u8f6c\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa logrotate \u914d\u7f6e<br>cat &gt; \/etc\/logrotate.d\/openvpn &lt;&lt;'EOF'<br>\/var\/log\/openvpn\/*.log {<br> &nbsp;  daily<br> &nbsp;  rotate 30<br> &nbsp;  missingok<br> &nbsp;  notifempty<br> &nbsp;  compress<br> &nbsp;  delaycompress<br> &nbsp;  sharedscripts<br> &nbsp;  postrotate<br> &nbsp; &nbsp; &nbsp;  \/bin\/systemctl reload openvpn-server@server &gt; \/dev\/null 2&gt;&amp;1 || true<br> &nbsp;  endscript<br>}<br>EOF<br>\u200b<br># \u6d4b\u8bd5 logrotate<br>logrotate -d \/etc\/logrotate.d\/openvpn<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"113_%E6%80%A7%E8%83%BD%E4%BC%98%E5%8C%96\"><\/span>11.3 \u6027\u80fd\u4f18\u5316<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u8c03\u6574\u7cfb\u7edf\u53c2\u6570<br>cat &gt;&gt; \/etc\/sysctl.conf &lt;&lt;'EOF'<br># OpenVPN \u6027\u80fd\u4f18\u5316<br>net.core.rmem_max = 134217728<br>net.core.wmem_max = 134217728<br>net.core.rmem_default = 67108864<br>net.core.wmem_default = 
67108864<br>net.ipv4.tcp_rmem = 4096 87380 67108864<br>net.ipv4.tcp_wmem = 4096 65536 67108864<br>net.ipv4.tcp_congestion_control = bbr<br>EOF<br>\u200b<br>sysctl -p<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"114_%E5%91%8A%E8%AD%A6%E9%80%9A%E7%9F%A5%EF%BC%88%E5%8F%AF%E9%80%89%EF%BC%89\"><\/span>11.4 \u544a\u8b66\u901a\u77e5\uff08\u53ef\u9009\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5b89\u88c5\u90ae\u4ef6\u5de5\u5177<br>dnf install mailx -y<br>\u200b<br># \u521b\u5efa\u544a\u8b66\u811a\u672c<br>cat &gt; \/usr\/local\/bin\/openvpn-alert.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br># OpenVPN \u544a\u8b66\u811a\u672c<br>\u200b<br>ADMIN_EMAIL=\"admin@example.com\"<br>\u200b<br># \u68c0\u67e5\u670d\u52a1\u72b6\u6001<br>if ! systemctl is-active --quiet openvpn-server@server; then<br> &nbsp; &nbsp;echo \"OpenVPN \u670d\u52a1\u5df2\u505c\u6b62\uff01\" | mail -s \"OpenVPN \u544a\u8b66\" $ADMIN_EMAIL<br> &nbsp;  systemctl start openvpn-server@server<br>fi<br>\u200b<br># \u68c0\u67e5 TUN \u8bbe\u5907<br>if ! 
ip addr show tun0 &amp;&gt;\/dev\/null; then<br> &nbsp; &nbsp;echo \"TUN \u8bbe\u5907\u5f02\u5e38\uff01\" | mail -s \"OpenVPN \u544a\u8b66\" $ADMIN_EMAIL<br>fi<br>EOF<br>\u200b<br>chmod +x \/usr\/local\/bin\/openvpn-alert.sh<br>\u200b<br># \u6dfb\u52a0\u5230 crontab\uff08\u6bcf 5 \u5206\u949f\u68c0\u67e5\u4e00\u6b21\uff09<br>crontab -e<br># *\/5 * * * * \/usr\/local\/bin\/openvpn-alert.sh<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%8D%81%E4%BA%8C%E3%80%81%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98%E6%8E%92%E6%9F%A5\"><\/span>\u5341\u4e8c\u3001\u5e38\u89c1\u95ee\u9898\u6392\u67e5<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"121_%E6%9C%8D%E5%8A%A1%E6%97%A0%E6%B3%95%E5%90%AF%E5%8A%A8\"><\/span>12.1 \u670d\u52a1\u65e0\u6cd5\u542f\u52a8<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u95ee\u9898\uff1asystemctl start \u5931\u8d25<br>\u200b<br># \u6392\u67e5\u6b65\u9aa4\uff1a<br># 1. \u67e5\u770b\u8be6\u7ec6\u65e5\u5fd7<br>journalctl -xeu openvpn-server@server<br>\u200b<br># 2. \u68c0\u67e5\u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5<br>openvpn --config \/etc\/openvpn\/server\/server.conf --test-crypto<br>\u200b<br># 3. 
\u524d\u53f0\u8fd0\u884c\u67e5\u770b\u8be6\u7ec6\u9519\u8bef<br>openvpn --config \/etc\/openvpn\/server\/server.conf<br>\u200b<br># \u5e38\u89c1\u9519\u8bef\uff1a<br># \u9519\u8bef1\uff1a\u8bc1\u4e66\u6587\u4ef6\u4e0d\u5b58\u5728<br># \u89e3\u51b3\uff1a\u68c0\u67e5 keys \u76ee\u5f55\u4e0b\u6587\u4ef6\u662f\u5426\u9f50\u5168<br>\u200b<br># \u9519\u8bef2\uff1a\u6743\u9650\u95ee\u9898<br># \u89e3\u51b3\uff1achmod 600 \/etc\/openvpn\/server\/keys\/server.key<br>\u200b<br># \u9519\u8bef3\uff1a\u7aef\u53e3\u88ab\u5360\u7528<br># \u89e3\u51b3\uff1ass -tunlp | grep 1194  # \u67e5\u627e\u5360\u7528\u8fdb\u7a0b<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"122_%E5%AE%A2%E6%88%B7%E7%AB%AF%E6%97%A0%E6%B3%95%E8%BF%9E%E6%8E%A5\"><\/span>12.2 \u5ba2\u6237\u7aef\u65e0\u6cd5\u8fde\u63a5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u95ee\u9898\uff1a\u5ba2\u6237\u7aef\u8fde\u63a5\u8d85\u65f6<br>\u200b<br># \u670d\u52a1\u5668\u7aef\u6392\u67e5\uff1a<br># 1. \u68c0\u67e5\u9632\u706b\u5899<br>firewall-cmd --list-all | grep 1194<br>iptables -L -n | grep 1194<br>\u200b<br># 2. \u68c0\u67e5\u7aef\u53e3\u76d1\u542c<br>ss -tunlp | grep 1194<br>\u200b<br># 3. \u68c0\u67e5\u670d\u52a1\u72b6\u6001<br>systemctl status openvpn-server@server<br>\u200b<br># 4. \u68c0\u67e5\u65e5\u5fd7<br>tail -f \/var\/log\/openvpn\/openvpn.log<br>\u200b<br># \u5ba2\u6237\u7aef\u6392\u67e5\uff1a<br># 1. Ping \u670d\u52a1\u5668 IP<br>ping \u670d\u52a1\u5668IP<br>\u200b<br># 2. Telnet \u6d4b\u8bd5\u7aef\u53e3<br>telnet \u670d\u52a1\u5668IP 1194<br>\u200b<br># 3. 
\u68c0\u67e5\u5ba2\u6237\u7aef\u65e5\u5fd7<br># Windows: C:\\Program Files\\OpenVPN\\log\\<br># Linux: journalctl -u openvpn-client@client1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"123_%E8%BF%9E%E6%8E%A5%E6%88%90%E5%8A%9F%E4%BD%86%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE%E5%86%85%E7%BD%91\"><\/span>12.3 \u8fde\u63a5\u6210\u529f\u4f46\u65e0\u6cd5\u8bbf\u95ee\u5185\u7f51<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u95ee\u9898\uff1aVPN \u8fde\u63a5\u6210\u529f\uff0c\u4f46 ping \u4e0d\u901a\u5185\u7f51<br>\u200b<br># \u6392\u67e5\u6b65\u9aa4\uff1a<br># 1. \u68c0\u67e5\u670d\u52a1\u5668 IP \u8f6c\u53d1<br>cat \/proc\/sys\/net\/ipv4\/ip_forward<br># \u5e94\u8be5\u662f 1<br>\u200b<br># 2. \u68c0\u67e5 NAT \u89c4\u5219<br>iptables -t nat -L -n -v | grep 10.8.0.0<br>\u200b<br># 3. \u68c0\u67e5\u8def\u7531<br># \u5728\u5ba2\u6237\u7aef\u6267\u884c\uff1a<br>ip route | grep tun0<br>\u200b<br># 4. \u68c0\u67e5\u9632\u706b\u5899<br>iptables -L FORWARD -n -v<br>\u200b<br># 5. \u5728\u670d\u52a1\u5668\u6293\u5305<br>tcpdump -i tun0 -n icmp<br>\u200b<br># \u89e3\u51b3\u65b9\u6848\uff1a<br># \u91cd\u65b0\u5e94\u7528 NAT \u89c4\u5219<br>INTERFACE=$(ip route | grep default | awk '{print $5}')<br>iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o $INTERFACE -j MASQUERADE<br>service iptables save<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"124_%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%A2%91%E7%B9%81%E6%96%AD%E7%BA%BF\"><\/span>12.4 \u5ba2\u6237\u7aef\u9891\u7e41\u65ad\u7ebf<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u95ee\u9898\uff1aVPN \u8fde\u63a5\u4e0d\u7a33\u5b9a<br>\u200b<br># \u6392\u67e5\uff1a<br># 1. \u68c0\u67e5 keepalive \u8bbe\u7f6e<br>grep keepalive \/etc\/openvpn\/server\/server.conf<br>\u200b<br># 2. 
\u8c03\u6574\u53c2\u6570\uff08\u5728\u670d\u52a1\u5668\u914d\u7f6e\u4e2d\uff09<br>keepalive 5 60 &nbsp;# \u964d\u4f4e\u8d85\u65f6\u65f6\u95f4<br>\u200b<br># 3. \u68c0\u67e5\u7f51\u7edc\u8d28\u91cf<br># \u5728\u5ba2\u6237\u7aef\u6267\u884c\uff1a<br>ping -i 0.5 10.8.0.1 &nbsp;# \u6d4b\u8bd5\u5ef6\u8fdf\u548c\u4e22\u5305<br>\u200b<br># 4. \u8c03\u6574 MTU\uff08\u5982\u679c\u6709\u5206\u7247\u95ee\u9898\uff09<br># \u5728\u670d\u52a1\u5668\u914d\u7f6e\u4e2d\u6dfb\u52a0\uff1a<br>mssfix 1400<br>tun-mtu 1500<br>\u200b<br># \u91cd\u542f\u670d\u52a1<br>systemctl restart openvpn-server@server<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"125_%E6%80%A7%E8%83%BD%E9%97%AE%E9%A2%98%EF%BC%88%E9%80%9F%E5%BA%A6%E6%85%A2%EF%BC%89\"><\/span>12.5 \u6027\u80fd\u95ee\u9898\uff08\u901f\u5ea6\u6162\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u6392\u67e5\uff1a<br># 1. \u68c0\u67e5\u52a0\u5bc6\u7b97\u6cd5<br># \u4f7f\u7528 AES-128-GCM \u66ff\u4ee3 AES-256-GCM\uff08\u901f\u5ea6\u66f4\u5feb\uff09<br>\u200b<br># 2. \u7981\u7528\u538b\u7f29<br># \u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u538b\u7f29\u4f1a\u964d\u4f4e\u6027\u80fd<br>\u200b<br># 3. \u8c03\u6574\u7f13\u51b2\u533a<br>sndbuf 393216<br>rcvbuf 393216<br>\u200b<br># 4. \u4f7f\u7528 UDP \u800c\u4e0d\u662f TCP<br>\u200b<br># 5. 
\u6d4b\u8bd5\u5e26\u5bbd<br># \u5728\u5ba2\u6237\u7aef\u6267\u884c\uff1a<br>iperf3 -c 10.8.0.1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"126_%E8%AF%81%E4%B9%A6%E8%BF%87%E6%9C%9F\"><\/span>12.6 \u8bc1\u4e66\u8fc7\u671f<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u95ee\u9898\uff1a\u8bc1\u4e66\u8fc7\u671f\u5bfc\u81f4\u65e0\u6cd5\u8fde\u63a5<br>\u200b<br># \u68c0\u67e5\u8bc1\u4e66\u6709\u6548\u671f<br>openssl x509 -in \/etc\/openvpn\/server\/keys\/server.crt -noout -dates<br>\u200b<br># \u89e3\u51b3\u65b9\u6848\uff1a\u7eed\u671f\u8bc1\u4e66\uff08\u53c2\u89c1 9.3 \u8282\uff09<br>cd \/etc\/openvpn\/server\/easy-rsa<br>.\/easyrsa renew server nopass<br>cp pki\/issued\/server.crt \/etc\/openvpn\/server\/keys\/<br>systemctl restart openvpn-server@server<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"127_DNS_%E8%A7%A3%E6%9E%90%E9%97%AE%E9%A2%98\"><\/span>12.7 DNS \u89e3\u6790\u95ee\u9898<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u95ee\u9898\uff1a\u8fde\u63a5 VPN \u540e\u65e0\u6cd5\u89e3\u6790\u57df\u540d<br>\u200b<br># \u5728\u5ba2\u6237\u7aef\u68c0\u67e5 DNS<br>cat \/etc\/resolv.conf &nbsp;# Linux<br>ipconfig \/all &nbsp; &nbsp; &nbsp; &nbsp; # Windows<br>\u200b<br># \u89e3\u51b3\u65b9\u6848\uff1a<br># 1. \u5728\u670d\u52a1\u5668\u914d\u7f6e\u4e2d\u63a8\u9001\u6b63\u786e\u7684 DNS<br>push \"dhcp-option DNS 8.8.8.8\"<br>push \"dhcp-option DNS 114.114.114.114\"<br>\u200b<br># 2. 
\u68c0\u67e5\u5ba2\u6237\u7aef\u662f\u5426\u5e94\u7528\u4e86 DNS<br># Linux \u5ba2\u6237\u7aef\u53ef\u80fd\u9700\u8981\uff1a<br>sudo resolvconf -u<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%8D%81%E4%B8%89%E3%80%81%E5%B7%A5%E4%BD%9C%E5%8E%9F%E7%90%86%E8%AF%A6%E8%A7%A3\"><\/span>\u5341\u4e09\u3001\u5de5\u4f5c\u539f\u7406\u8be6\u89e3<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"131_%E8%BF%9E%E6%8E%A5%E5%BB%BA%E7%AB%8B%E6%B5%81%E7%A8%8B\"><\/span>13.1 \u8fde\u63a5\u5efa\u7acb\u6d41\u7a0b<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502 &nbsp; \u5ba2\u6237\u7aef &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 OpenVPN \u670d\u52a1\u5668\u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; \u5185\u7f51\u670d\u52a1\u5668 \u2502<br>\u2502 (\u5bb6\u91cc\u7535\u8111)  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502  (\u516c\u53f8 VPS) &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 (192.168.1.x)\u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2518 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  
\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 1. TCP\/UDP \u8fde\u63a5\u5230 1194 \u7aef\u53e3 &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500&gt;\u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 2. 
TLS \u63e1\u624b\uff08\u4ea4\u6362\u8bc1\u4e66\uff09 &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502&lt;\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500&gt;\u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; - \u9a8c\u8bc1\u670d\u52a1\u5668\u8bc1\u4e66 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; - \u9a8c\u8bc1\u5ba2\u6237\u7aef\u8bc1\u4e66 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; - \u9a8c\u8bc1 tls-auth HMAC &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 3. 
\u534f\u5546\u52a0\u5bc6\u53c2\u6570 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502&lt;\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500&gt;\u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; - \u52a0\u5bc6\u7b97\u6cd5: AES-256-GCM &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; - \u8ba4\u8bc1\u7b97\u6cd5: SHA256 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; - DH \u5bc6\u94a5\u4ea4\u6362 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 4. 
\u5efa\u7acb\u52a0\u5bc6\u96a7\u9053 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; \u521b\u5efa tun0 (10.8.0.6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502 &nbsp; \u521b\u5efa tun0 (10.8.0.1) &nbsp; &nbsp; &nbsp;  \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 5. 
\u63a5\u6536\u8def\u7531\u63a8\u9001 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502&lt;\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; route add 192.168.1.0\/24 &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; via 10.8.0.1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 6. \u8bbf\u95ee\u5185\u7f51 (192.168.1.100) &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550&gt;\u2502 7. 
NAT \u8f6c\u6362\u5e76\u8f6c\u53d1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; \u52a0\u5bc6\u6570\u636e\u5305 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500&gt;\u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; \u5916\u5c42: UDP \u5230\u516c\u7f51IP:1194 &nbsp; &nbsp; &nbsp; &nbsp; \u2502 &nbsp; \u6e90IP: 192.168.1.1 &nbsp; &nbsp; &nbsp; &nbsp;  \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; \u5185\u5c42: 10.8.0.6 -&gt; 192.168.1.100 \u2502 &nbsp; \u76ee\u6807IP: 192.168.1.100 &nbsp; &nbsp;  \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 8. \u8fd4\u56de\u6570\u636e &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502&lt;\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2502<br> &nbsp; &nbsp; &nbsp; \u2502 9. 
\u52a0\u5bc6\u540e\u8fd4\u56de &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502&lt;\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br> &nbsp; &nbsp; &nbsp; \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2502 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"132_%E6%95%B0%E6%8D%AE%E5%8C%85%E5%B0%81%E8%A3%85%E8%BF%87%E7%A8%8B\"><\/span>13.2 \u6570\u636e\u5305\u5c01\u88c5\u8fc7\u7a0b<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">\u539f\u59cb\u6570\u636e\u5305:<br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502 IP Header: 10.8.0.6 \u2192 192.168.1.100 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 TCP\/UDP Header &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 Application Data (HTTP\/SSH\/etc.) 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2193 OpenVPN \u52a0\u5bc6<br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502 AES-256-GCM \u52a0\u5bc6 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 HMAC-SHA256 \u8ba4\u8bc1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 [\u52a0\u5bc6\u540e\u7684\u539f\u59cb\u6570\u636e\u5305] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2193 UDP\/TCP 
\u5c01\u88c5<br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502 \u5916\u5c42 IP: \u5ba2\u6237\u7aef\u516c\u7f51IP \u2192 \u670d\u52a1\u5668\u516c\u7f51IP &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 UDP Header: \u6e90\u7aef\u53e3\u968f\u673a \u2192 \u76ee\u6807\u7aef\u53e3 1194 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 OpenVPN Header &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 [\u52a0\u5bc6\u6570\u636e] &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2193 \u4e92\u8054\u7f51\u4f20\u8f93<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2193 \u670d\u52a1\u5668\u89e3\u5bc6<br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502 IP Header: 10.8.0.6 \u2192 192.168.1.100 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 TCP\/UDP Header &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 Application Data &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2193 NAT \u8f6c\u6362<br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502 IP Header: 192.168.1.1 \u2192 192.168.1.100 &nbsp; &nbsp; &nbsp; &nbsp;  \u2502  \u2190 \u6e90IP\u6539\u4e3a\u670d\u52a1\u5668\u5185\u7f51IP<br>\u2502 TCP\/UDP Header &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2502 Application Data &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  \u2193 \u8f6c\u53d1\u5230\u5185\u7f51\u670d\u52a1\u5668<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"133_%E5%85%B3%E9%94%AE%E7%BB%84%E4%BB%B6%E4%BD%9C%E7%94%A8\"><\/span>13.3 \u5173\u952e\u7ec4\u4ef6\u4f5c\u7528<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u7ec4\u4ef6<\/th><th>\u4f5c\u7528<\/th><th>\u5b89\u5168\u7ea7\u522b<\/th><\/tr><\/thead><tbody><tr><td><strong>ca.crt<\/strong><\/td><td>CA \u6839\u8bc1\u4e66\uff0c\u9a8c\u8bc1\u670d\u52a1\u5668\u548c\u5ba2\u6237\u7aef\u8bc1\u4e66<\/td><td>\u516c\u5f00<\/td><\/tr><tr><td><strong>server.crt<\/strong><\/td><td>\u670d\u52a1\u5668\u8bc1\u4e66\uff0c\u8bc1\u660e\u670d\u52a1\u5668\u8eab\u4efd<\/td><td>\u516c\u5f00<\/td><\/tr><tr><td><strong>server.key<\/strong><\/td><td>\u670d\u52a1\u5668\u79c1\u94a5\uff0c<strong>\u7edd\u5bf9\u4fdd\u5bc6<\/strong><\/td><td>\ud83d\udd12 \u79c1\u5bc6<\/td><\/tr><tr><td><strong>dh.pem<\/strong><\/td><td>Diffie-Hellman \u53c2\u6570\uff0c\u5bc6\u94a5\u4ea4\u6362<\/td><td>\u516c\u5f00<\/td><\/tr><tr><td><strong>ta.key<\/strong><\/td><td>TLS \u8ba4\u8bc1\u5bc6\u94a5\uff0c\u9632 DDoS \u548c\u7aef\u53e3\u626b\u63cf<\/td><td>\ud83d\udd12 \u79c1\u5bc6<\/td><\/tr><tr><td><strong>client.crt<\/strong><\/td><td>\u5ba2\u6237\u7aef\u8bc1\u4e66\uff0c\u8bc1\u660e\u5ba2\u6237\u7aef\u8eab\u4efd<\/td><td>\u534a\u516c\u5f00<\/td><\/tr><tr><td><strong>client.key<\/strong><\/td><td>\u5ba2\u6237\u7aef\u79c1\u94a5\uff0c<strong>\u7edd\u5bf9\u4fdd\u5bc6<\/strong><\/td><td>\ud83d\udd12 \u79c1\u5bc6<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"134_%E5%AE%89%E5%85%A8%E6%9C%BA%E5%88%B6\"><\/span>13.4 \u5b89\u5168\u673a\u5236<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">\u591a\u5c42\u5b89\u5168\u9632\u62a4:<br>\u251c\u2500\u2500 \u7b2c1\u5c42: TLS \u8bc1\u4e66\u53cc\u5411\u8ba4\u8bc1<br>\u2502 &nbsp; \u251c\u2500\u2500 \u670d\u52a1\u5668\u9a8c\u8bc1\u5ba2\u6237\u7aef\u8bc1\u4e66<br>\u2502 &nbsp; \u2514\u2500\u2500 \u5ba2\u6237\u7aef\u9a8c\u8bc1\u670d\u52a1\u5668\u8bc1\u4e66<br>\u2502<br>\u251c\u2500\u2500 \u7b2c2\u5c42: 
tls-auth HMAC \u9a8c\u8bc1<br>\u2502 &nbsp; \u251c\u2500\u2500 \u9632\u6b62\u7aef\u53e3\u626b\u63cf<br>\u2502 &nbsp; \u251c\u2500\u2500 \u9632\u6b62 DDoS \u653b\u51fb<br>\u2502 &nbsp; \u2514\u2500\u2500 \u4e22\u5f03\u975e\u6cd5\u6570\u636e\u5305\uff08\u5728 TLS \u63e1\u624b\u524d\uff09<br>\u2502<br>\u251c\u2500\u2500 \u7b2c3\u5c42: \u6570\u636e\u52a0\u5bc6<br>\u2502 &nbsp; \u251c\u2500\u2500 AES-256-GCM\uff08\u5bf9\u79f0\u52a0\u5bc6\uff09<br>\u2502 &nbsp; \u2514\u2500\u2500 \u6bcf\u4e2a\u4f1a\u8bdd\u72ec\u7acb\u5bc6\u94a5<br>\u2502<br>\u251c\u2500\u2500 \u7b2c4\u5c42: \u6570\u636e\u5b8c\u6574\u6027<br>\u2502 &nbsp; \u251c\u2500\u2500 HMAC-SHA256 \u8ba4\u8bc1\uff08\u4f7f\u7528 AES-256-GCM \u65f6\uff0c\u6570\u636e\u901a\u9053\u5b8c\u6574\u6027\u7531 GCM \u8ba4\u8bc1\u6807\u7b7e\u63d0\u4f9b\uff09<br>\u2502 &nbsp; \u2514\u2500\u2500 \u9632\u6b62\u6570\u636e\u7be1\u6539<br>\u2502<br>\u2514\u2500\u2500 \u7b2c5\u5c42: \u524d\u5411\u4fdd\u5bc6<br> &nbsp;  \u2514\u2500\u2500 Diffie-Hellman \u5bc6\u94a5\u4ea4\u6362<br> &nbsp; &nbsp; &nbsp;  \u5373\u4f7f\u79c1\u94a5\u6cc4\u9732\uff0c\u5386\u53f2\u4f1a\u8bdd\u4ecd\u7136\u5b89\u5168<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"135_NAT_%E8%BD%AC%E6%8D%A2%E8%AF%A6%E8%A7%A3\"><\/span>13.5 NAT \u8f6c\u6362\u8be6\u89e3<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5ba2\u6237\u7aef\u8bbf\u95ee\u5185\u7f51\u670d\u52a1\u5668\u7684 NAT \u8fc7\u7a0b<br>\u200b<br># \u7b2c1\u6b65\uff1a\u5ba2\u6237\u7aef\u53d1\u9001\u6570\u636e\u5305<br>\u6e90IP: 10.8.0.6 (VPN \u5ba2\u6237\u7aef)<br>\u76ee\u6807IP: 192.168.1.100 (\u5185\u7f51\u670d\u52a1\u5668)<br>\u200b<br># \u7b2c2\u6b65\uff1aOpenVPN \u670d\u52a1\u5668\u63a5\u6536\u5e76\u89e3\u5bc6<br>\u6570\u636e\u5305\u5230\u8fbe tun0 \u63a5\u53e3<br>\u200b<br># \u7b2c3\u6b65\uff1aLinux \u5185\u6838\u8def\u7531\u51b3\u7b56<br>ip route \u67e5\u8be2\uff1a192.168.1.100 \u5728\u5185\u7f51\uff0c\u901a\u8fc7 eth0 \u8f6c\u53d1<br>\u200b<br># \u7b2c4\u6b65\uff1aiptables POSTROUTING\uff08NAT \u8f6c\u6362\uff09<br>\u89c4\u5219\uff1aiptables -t nat -A POSTROUTING 
-s 10.8.0.0\/24 -o eth0 -j MASQUERADE<br>\u6548\u679c\uff1a<br>  \u6e90IP: 10.8.0.6 \u2192 192.168.1.1 (\u670d\u52a1\u5668\u5185\u7f51IP)<br>  \u76ee\u6807IP: 192.168.1.100 (\u4e0d\u53d8)<br>\u200b<br># \u7b2c5\u6b65\uff1a\u6570\u636e\u5305\u4ece eth0 \u53d1\u51fa\u5230\u5185\u7f51<br>\u6e90IP: 192.168.1.1<br>\u76ee\u6807IP: 192.168.1.100<br>\u200b<br># \u7b2c6\u6b65\uff1a\u5185\u7f51\u670d\u52a1\u5668\u54cd\u5e94<br>\u6e90IP: 192.168.1.100<br>\u76ee\u6807IP: 192.168.1.1<br>\u200b<br># \u7b2c7\u6b65\uff1a\u670d\u52a1\u5668\u63a5\u6536\u54cd\u5e94\uff0ciptables \u53cd\u5411 NAT<br>\u6e90IP: 192.168.1.100 (\u4e0d\u53d8)<br>\u76ee\u6807IP: 192.168.1.1 \u2192 10.8.0.6<br>\u200b<br># \u7b2c8\u6b65\uff1aOpenVPN \u52a0\u5bc6\u5e76\u901a\u8fc7\u96a7\u9053\u8fd4\u56de\u5ba2\u6237\u7aef<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"136_%E6%80%A7%E8%83%BD%E6%8C%87%E6%A0%87\"><\/span>13.6 \u6027\u80fd\u6307\u6807<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u9879\u76ee<\/th><th>\u5178\u578b\u503c<\/th><th>\u8bf4\u660e<\/th><\/tr><\/thead><tbody><tr><td><strong>\u5ef6\u8fdf\u589e\u52a0<\/strong><\/td><td>10-30ms<\/td><td>\u53d6\u51b3\u4e8e\u52a0\u5bc6\u7b97\u6cd5\u548c\u670d\u52a1\u5668\u6027\u80fd<\/td><\/tr><tr><td><strong>\u541e\u5410\u91cf<\/strong><\/td><td>50-500 Mbps<\/td><td>\u53d6\u51b3\u4e8e CPU\u3001\u52a0\u5bc6\u7b97\u6cd5\u3001\u7f51\u7edc\u5e26\u5bbd<\/td><\/tr><tr><td><strong>CPU \u4f7f\u7528<\/strong><\/td><td>5-20%<\/td><td>AES-NI \u786c\u4ef6\u52a0\u901f\u53ef\u5927\u5e45\u964d\u4f4e<\/td><\/tr><tr><td><strong>\u5185\u5b58\u5360\u7528<\/strong><\/td><td>10-50MB<\/td><td>\u6bcf\u4e2a\u5ba2\u6237\u7aef\u7ea6 1-2MB<\/td><\/tr><tr><td><strong>\u8fde\u63a5\u5efa\u7acb\u65f6\u95f4<\/strong><\/td><td>1-3 \u79d2<\/td><td>\u5305\u62ec TLS \u63e1\u624b\u548c\u5bc6\u94a5\u4ea4\u6362<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr 
class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%8D%81%E5%9B%9B%E3%80%81%E5%BF%AB%E9%80%9F%E6%A3%80%E6%9F%A5%E6%B8%85%E5%8D%95\"><\/span>\u5341\u56db\u3001\u5feb\u901f\u68c0\u67e5\u6e05\u5355<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa\u4e00\u952e\u68c0\u67e5\u811a\u672c<br>cat &gt; \/usr\/local\/bin\/openvpn-check.sh &lt;&lt;'EOF'<br>#!\/bin\/bash<br>echo \"===== OpenVPN \u5b8c\u6574\u68c0\u67e5 =====\"<br>\u200b<br>echo -e \"\\n[1] \u670d\u52a1\u72b6\u6001:\"<br>systemctl is-active openvpn-server@server &amp;&amp; echo \"\u2713 \u8fd0\u884c\u4e2d\" || echo \"\u2717 \u672a\u8fd0\u884c\"<br>\u200b<br>echo -e \"\\n[2] \u76d1\u542c\u7aef\u53e3:\"<br>ss -tunlp | grep 1194 &amp;&amp; echo \"\u2713 \u6b63\u5e38\u76d1\u542c\" || echo \"\u2717 \u672a\u76d1\u542c\"<br>\u200b<br>echo -e \"\\n[3] TUN \u8bbe\u5907:\"<br>ip addr show tun0 2&gt;\/dev\/null &amp;&amp; echo \"\u2713 \u5df2\u521b\u5efa\" || echo \"\u2717 \u672a\u521b\u5efa\"<br>\u200b<br>echo -e \"\\n[4] IP \u8f6c\u53d1:\"<br>[ $(cat \/proc\/sys\/net\/ipv4\/ip_forward) -eq 1 ] &amp;&amp; echo \"\u2713 \u5df2\u542f\u7528\" || echo \"\u2717 \u672a\u542f\u7528\"<br>\u200b<br>echo -e \"\\n[5] NAT \u89c4\u5219:\"<br>iptables -t nat -L -n | grep -q 10.8.0.0 &amp;&amp; echo \"\u2713 \u5df2\u914d\u7f6e\" || echo \"\u2717 \u672a\u914d\u7f6e\"<br>\u200b<br>echo -e \"\\n[6] \u8bc1\u4e66\u6587\u4ef6:\"<br>for file in ca.crt server.crt server.key dh2048.pem ta.key; do<br> &nbsp;  [ -f \/etc\/openvpn\/server\/keys\/$file ] &amp;&amp; echo \"\u2713 $file\" || echo \"\u2717 $file \u7f3a\u5931\"<br>done<br>\u200b<br>echo -e \"\\n[7] \u5df2\u8fde\u63a5\u5ba2\u6237\u7aef:\"<br>grep \"^CLIENT_LIST\" \/var\/log\/openvpn\/openvpn-status.log 2&gt;\/dev\/null | wc -l<br>\u200b<br>echo -e \"\\n[8] \u6700\u8fd1\u9519\u8bef:\"<br>tail -10 \/var\/log\/openvpn\/openvpn.log | grep -i error || 
echo \"\u2713 \u65e0\u9519\u8bef\"<br>\u200b<br>echo -e \"\\n===== \u68c0\u67e5\u5b8c\u6210 =====\"<br>EOF<br>\u200b<br>chmod +x \/usr\/local\/bin\/openvpn-check.sh<br>\/usr\/local\/bin\/openvpn-check.sh<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%8D%81%E4%BA%94%E3%80%81%E6%80%BB%E7%BB%93\"><\/span>\u5341\u4e94\u3001\u603b\u7ed3<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E2%9C%85_%E9%83%A8%E7%BD%B2%E6%B5%81%E7%A8%8B%E5%AE%8C%E6%95%B4%E6%80%A7%E6%A3%80%E6%9F%A5\"><\/span>\u2705 \u90e8\u7f72\u6d41\u7a0b\u5b8c\u6574\u6027\u68c0\u67e5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u6b65\u9aa4<\/th><th>\u72b6\u6001<\/th><th>\u8bf4\u660e<\/th><\/tr><\/thead><tbody><tr><td>\u73af\u5883\u51c6\u5907<\/td><td>\u2705<\/td><td>\u7cfb\u7edf\u68c0\u67e5\u3001\u4f9d\u8d56\u5b89\u88c5<\/td><\/tr><tr><td>OpenVPN \u7f16\u8bd1<\/td><td>\u2705<\/td><td>\u6e90\u7801\u7f16\u8bd1\u3001systemd \u914d\u7f6e<\/td><\/tr><tr><td>PKI \u8bc1\u4e66\u4f53\u7cfb<\/td><td>\u2705<\/td><td>CA\u3001\u670d\u52a1\u5668\u3001\u5ba2\u6237\u7aef\u8bc1\u4e66<\/td><\/tr><tr><td>\u670d\u52a1\u5668\u914d\u7f6e<\/td><td>\u2705<\/td><td>\u5b8c\u6574\u7684 server.conf \u914d\u7f6e<\/td><\/tr><tr><td>\u7f51\u7edc\u8f6c\u53d1<\/td><td>\u2705<\/td><td>IP 
\u8f6c\u53d1\u3001NAT\u3001\u9632\u706b\u5899<\/td><\/tr><tr><td>\u5ba2\u6237\u7aef\u914d\u7f6e<\/td><td>\u2705<\/td><td>\u914d\u7f6e\u751f\u6210\u811a\u672c\u3001\u591a\u5e73\u53f0\u652f\u6301<\/td><\/tr><tr><td>\u8fde\u63a5\u6d4b\u8bd5<\/td><td>\u2705<\/td><td>\u5404\u5e73\u53f0\u5ba2\u6237\u7aef\u8fde\u63a5\u6307\u5357<\/td><\/tr><tr><td>\u8bc1\u4e66\u7ba1\u7406<\/td><td>\u2705<\/td><td>\u540a\u9500\u3001\u7eed\u671f\u3001\u5907\u4efd<\/td><\/tr><tr><td>\u5b89\u5168\u52a0\u56fa<\/td><td>\u2705<\/td><td>TLS-Crypt\u3001\u5ba1\u8ba1\u65e5\u5fd7\u3001\u8bbf\u95ee\u63a7\u5236<\/td><\/tr><tr><td>\u76d1\u63a7\u7ef4\u62a4<\/td><td>\u2705<\/td><td>\u76d1\u63a7\u811a\u672c\u3001\u65e5\u5fd7\u8f6e\u8f6c\u3001\u6027\u80fd\u4f18\u5316<\/td><\/tr><tr><td>\u6545\u969c\u6392\u67e5<\/td><td>\u2705<\/td><td>\u5e38\u89c1\u95ee\u9898\u548c\u89e3\u51b3\u65b9\u6848<\/td><\/tr><tr><td>\u5de5\u4f5c\u539f\u7406<\/td><td>\u2705<\/td><td>\u8be6\u7ec6\u7684\u6280\u672f\u539f\u7406\u8bf4\u660e<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%F0%9F%93%9D_%E5%85%B3%E9%94%AE%E6%94%B9%E8%BF%9B%E7%82%B9\"><\/span>\ud83d\udcdd \u5173\u952e\u6539\u8fdb\u70b9<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u5b8c\u6574\u7684\u8bc1\u4e66\u751f\u6210\u6d41\u7a0b<\/strong>\uff1a\u8865\u5145\u4e86 <code>gen-req<\/code> + <code>sign-req<\/code> \u7684\u5b8c\u6574\u6b65\u9aa4<\/li>\n\n\n\n<li><strong>\u5ba2\u6237\u7aef\u914d\u7f6e\u751f\u6210<\/strong>\uff1a\u63d0\u4f9b\u4e86\u6539\u8fdb\u7684\u81ea\u52a8\u5316\u811a\u672c<\/li>\n\n\n\n<li><strong>\u5b89\u5168\u52a0\u56fa<\/strong>\uff1a\u589e\u52a0\u4e86 
TLS-Crypt\u3001\u5ba1\u8ba1\u65e5\u5fd7\u3001\u8bbf\u95ee\u63a7\u5236\u7b49\u5185\u5bb9<\/li>\n\n\n\n<li><strong>\u76d1\u63a7\u548c\u7ef4\u62a4<\/strong>\uff1a\u63d0\u4f9b\u4e86\u5b8c\u6574\u7684\u76d1\u63a7\u811a\u672c\u548c\u65e5\u5fd7\u7ba1\u7406<\/li>\n\n\n\n<li><strong>\u6545\u969c\u6392\u67e5<\/strong>\uff1a\u5217\u4e3e\u4e86\u5e38\u89c1\u95ee\u9898\u548c\u8be6\u7ec6\u7684\u89e3\u51b3\u65b9\u6848<\/li>\n\n\n\n<li><strong>\u5de5\u4f5c\u539f\u7406<\/strong>\uff1a\u589e\u52a0\u4e86\u8be6\u7ec6\u7684\u6280\u672f\u539f\u7406\u56fe\u89e3<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%F0%9F%9A%80_%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B%EF%BC%88%E7%B2%BE%E7%AE%80%E7%89%88%EF%BC%89\"><\/span>\ud83d\ude80 \u5feb\u901f\u5f00\u59cb\uff08\u7cbe\u7b80\u7248\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># 1. \u5b89\u88c5\u4f9d\u8d56<br>dnf install -y epel-release easy-rsa openssl-devel lz4-devel<br>\u200b<br># 2. \u7f16\u8bd1\u5b89\u88c5 OpenVPN<br>wget https:\/\/github.com\/OpenVPN\/openvpn\/releases\/download\/v2.6.17\/openvpn-2.6.17.tar.gz<br># \u7f16\u8bd1\u524d\u5efa\u8bae\u5148\u9a8c\u8bc1\u6e90\u7801\u5305\u7684 GPG \u7b7e\u540d<br>tar -zxf openvpn-2.6.17.tar.gz &amp;&amp; cd openvpn-2.6.17<br>.\/configure --prefix=\/usr\/local --sysconfdir=\/etc\/openvpn --enable-systemd<br>make -j$(nproc) &amp;&amp; make install<br>\u200b<br># 3. \u914d\u7f6e PKI<br>cd \/etc\/openvpn\/server &amp;&amp; mkdir easy-rsa &amp;&amp; cd easy-rsa<br>cp -r \/usr\/share\/easy-rsa\/3\/* .<br>.\/easyrsa init-pki<br># \u6ce8\u610f\uff1anopass \u4f1a\u751f\u6210\u672a\u52a0\u5bc6\u7684\u79c1\u94a5\uff1b\u751f\u4ea7\u73af\u5883\u5efa\u8bae\u4e3a CA \u79c1\u94a5\u8bbe\u7f6e\u5bc6\u7801<br>.\/easyrsa build-ca nopass<br>.\/easyrsa build-server-full server nopass<br>.\/easyrsa gen-dh<br>openvpn --genkey secret pki\/ta.key<br>\u200b<br># 4. \u590d\u5236\u8bc1\u4e66<br>mkdir -p \/etc\/openvpn\/server\/keys<br>cp pki\/{ca.crt,issued\/server.crt,private\/server.key,dh.pem,ta.key} \/etc\/openvpn\/server\/keys\/<br>chmod 600 \/etc\/openvpn\/server\/keys\/server.key<br># ta.key \u4e5f\u662f\u79c1\u5bc6\u6587\u4ef6\uff08\u89c1 13.3 \u8282\uff09\uff0c\u5efa\u8bae\u4e5f\u8bbe\u7f6e\u4e3a 600<br>\u200b<br># 5. 
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\uff08\u4f7f\u7528\u672c\u6587\u6863\u7b2c\u56db\u8282\u7684\u5b8c\u6574\u914d\u7f6e\uff09<br>\u200b<br># 6. \u542f\u7528\u7f51\u7edc\u8f6c\u53d1<br>sysctl -w net.ipv4.ip_forward=1<br>echo \"net.ipv4.ip_forward = 1\" &gt;&gt; \/etc\/sysctl.conf<br>\u200b<br># 7. \u914d\u7f6e\u9632\u706b\u5899<br>firewall-cmd --permanent --add-masquerade<br>firewall-cmd --permanent --add-service=openvpn<br>firewall-cmd --reload<br>\u200b<br># 8. \u542f\u52a8\u670d\u52a1<br>systemctl enable --now openvpn-server@server<br>\u200b<br># 9. \u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66\u548c\u914d\u7f6e<br>cd \/etc\/openvpn\/server\/easy-rsa<br>.\/easyrsa build-client-full client1 nopass<br>\/etc\/openvpn\/client-configs\/make_config.sh client1<\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"OpenVPN_LDAP_docker%E9%83%A8%E7%BD%B2%EF%BC%9A%E4%BB%93%E5%BA%93%E5%9C%B0%E5%9D%80\"><\/span>OpenVPN LDAP docker\u90e8\u7f72\uff1a<a href=\"http:\/\/gitlab.linuxjk.cn\/root\/zp_scripts\/-\/tree\/master\/%E5%AE%89%E8%A3%85%E9%83%A8%E7%BD%B2\/openvpn\" data-type=\"link\" data-id=\"http:\/\/gitlab.linuxjk.cn\/root\/zp_scripts\/-\/tree\/master\/%E5%AE%89%E8%A3%85%E9%83%A8%E7%BD%B2\/openvpn\">\u4ed3\u5e93\u5730\u5740<\/a><span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<p>\u57fa\u4e8e OpenVPN 2.6.17 + LDAP \u8ba4\u8bc1\u7684 Docker \u5bb9\u5668\u5316\u90e8\u7f72\u65b9\u6848\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%89%B9%E6%80%A7\"><\/span>\u7279\u6027<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 <strong>\u517c\u5bb9\u8001\u7248\u672c\u8bc1\u4e66<\/strong>\uff1a\u5b8c\u5168\u517c\u5bb9 OpenVPN 2.4 \u53ca\u66f4\u65e9\u7248\u672c\u751f\u6210\u7684\u8bc1\u4e66<\/li>\n\n\n\n<li>\u2705 <strong>LDAP \u8ba4\u8bc1<\/strong>\uff1a\u652f\u6301 Windows Active Directory 
\u8ba4\u8bc1<\/li>\n\n\n\n<li>\u2705 <strong>\u5bb9\u5668\u5316\u90e8\u7f72<\/strong>\uff1a\u57fa\u4e8e Docker Compose\uff0c\u5feb\u901f\u90e8\u7f72<\/li>\n\n\n\n<li>\u2705 <strong>\u914d\u7f6e\u7075\u6d3b<\/strong>\uff1a\u4f7f\u7528 .env \u6587\u4ef6\u7ba1\u7406\u654f\u611f\u4fe1\u606f<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%9B%AE%E5%BD%95%E7%BB%93%E6%9E%84\"><\/span>\u76ee\u5f55\u7ed3\u6784<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">.<br>\u251c\u2500\u2500 docker-compose.yml &nbsp; &nbsp; &nbsp; &nbsp;  # \u8fd0\u884c\u65f6\u914d\u7f6e<br>\u251c\u2500\u2500 .env &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  # \u73af\u5883\u53d8\u91cf\u914d\u7f6e\uff08LDAP\u5bc6\u7801\u7b49\uff09<br>\u251c\u2500\u2500 openvpn-ldap_2.6.17.tar &nbsp; &nbsp; # \u6784\u5efa\u597d\u7684\u955c\u50cf<br>\u251c\u2500\u2500 README.md &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # \u672c\u6587\u6863<br>\u251c\u2500\u2500 setup-permissions.sh &nbsp; &nbsp; &nbsp;  # \u6743\u9650\u8bbe\u7f6e\u811a\u672c<br>\u251c\u2500\u2500 ENV\u914d\u7f6e\u8bf4\u660e.md &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  # \u8be6\u7ec6\u914d\u7f6e\u6587\u6863<br>\u2502<br>\u251c\u2500\u2500 config\/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # OpenVPN\u914d\u7f6e\u6587\u4ef6<br>\u2502 &nbsp; \u2514\u2500\u2500 server.conf<br>\u251c\u2500\u2500 scripts\/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  # \u8fd0\u884c\u65f6\u811a\u672c<br>\u2502 &nbsp; \u251c\u2500\u2500 entrypoint.sh<br>\u2502 &nbsp; \u251c\u2500\u2500 healthcheck.sh<br>\u2502 &nbsp; \u2514\u2500\u2500 auth-ldap.sh<br>\u251c\u2500\u2500 pki\/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  # \u8bc1\u4e66\u6587\u4ef6<br>\u2502 &nbsp; \u251c\u2500\u2500 ca.crt<br>\u2502 &nbsp; \u251c\u2500\u2500 server.crt<br>\u2502 &nbsp; 
\u251c\u2500\u2500 server.key<br>\u2502 &nbsp; \u2514\u2500\u2500 dh.pem<br>\u251c\u2500\u2500 clients\/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  # CCD\u5ba2\u6237\u7aef\u914d\u7f6e\u76ee\u5f55<br>\u251c\u2500\u2500 logs\/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # \u65e5\u5fd7\u76ee\u5f55<br>\u2502<br>\u2514\u2500\u2500 src\/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  # \u955c\u50cf\u6784\u5efa\u8d44\u6e90<br> &nbsp;  \u251c\u2500\u2500 Dockerfile<br> &nbsp;  \u251c\u2500\u2500 docker-compose.yml<br> &nbsp;  \u251c\u2500\u2500 .dockerignore<br> &nbsp;  \u251c\u2500\u2500 openvpn-2.6.17.tar.gz<br> &nbsp;  \u251c\u2500\u2500 EasyRSA-3.1.7.tgz<br> &nbsp;  \u251c\u2500\u2500 config\/<br> &nbsp;  \u2514\u2500\u2500 scripts\/<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%BF%AB%E9%80%9F%E5%BC%80%E5%A7%8B\"><\/span>\u5feb\u901f\u5f00\u59cb<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_%E5%8A%A0%E8%BD%BD%E9%95%9C%E5%83%8F\"><\/span>1. \u52a0\u8f7d\u955c\u50cf<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5bfc\u5165\u5df2\u6784\u5efa\u597d\u7684 OpenVPN 2.6.17 \u955c\u50cf<br>docker load -i openvpn-ldap_2.6.17.tar<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_%E9%85%8D%E7%BD%AE%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8F\"><\/span>2. 
\u914d\u7f6e\u73af\u5883\u53d8\u91cf<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u7f16\u8f91 <code>.env<\/code> \u6587\u4ef6\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim .env<\/pre>\n\n\n\n<p>\u914d\u7f6eLDAP\u76f8\u5173\u53c2\u6570\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># LDAP\u670d\u52a1\u5668\u914d\u7f6e<br>LDAP_AD_SERVER=192.168.99.190<br>LDAP_AD_PORT=389<br>LDAP_DOMAIN=suitbim.com<br>LDAP_BASE_DN=DC=suitbim,DC=com<br>LDAP_ADMIN_UPN=Administrator@suitbim.com<br>LDAP_ADMIN_PASS=your_password_here<\/pre>\n\n\n\n<p>\u26a0\ufe0f <strong>\u6ce8\u610f<\/strong>\uff1a389 \u7aef\u53e3\u4e3a\u660e\u6587 LDAP\uff0c\u5982\u672a\u542f\u7528 StartTLS\uff0cLDAP \u8d26\u6237\u5bc6\u7801\u53ef\u80fd\u4ee5\u660e\u6587\u4f20\u8f93\uff0c\u5efa\u8bae\u4f7f\u7528 636 (LDAPS)\uff1b\u5efa\u8bae\u4f7f\u7528\u4f4e\u6743\u9650\u7684\u4e13\u7528\u8d26\u6237\u800c\u4e0d\u662f Administrator\uff1b<code>.env<\/code> \u6587\u4ef6\u5305\u542b\u5bc6\u7801\uff0c\u5efa\u8bae\u5c06\u6743\u9650\u8bbe\u7f6e\u4e3a 600\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_%E8%AE%BE%E7%BD%AE%E7%9B%AE%E5%BD%95%E6%9D%83%E9%99%90\"><\/span>3. \u8bbe\u7f6e\u76ee\u5f55\u6743\u9650<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo bash setup-permissions.sh<\/pre>\n\n\n\n<p>\u6216\u624b\u52a8\u8bbe\u7f6e\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo chown -R root:root logs\/ clients\/<br>sudo chmod 755 logs\/ clients\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_%E5%90%AF%E5%8A%A8%E5%AE%B9%E5%99%A8\"><\/span>4. \u542f\u52a8\u5bb9\u5668<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">docker compose up -d<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_%E6%9F%A5%E7%9C%8B%E8%BF%90%E8%A1%8C%E7%8A%B6%E6%80%81\"><\/span>5. 
\u67e5\u770b\u8fd0\u884c\u72b6\u6001<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u67e5\u770b\u5bb9\u5668\u72b6\u6001<br>docker compose ps<br>\u200b<br># \u67e5\u770b\u65e5\u5fd7<br>docker compose logs -f openvpn<br>\u200b<br># \u67e5\u770b\u8ba4\u8bc1\u65e5\u5fd7<br>docker compose exec openvpn tail -f \/var\/log\/openvpn\/auth.log<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E9%85%8D%E7%BD%AE%E8%AF%B4%E6%98%8E\"><\/span>\u914d\u7f6e\u8bf4\u660e<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"LDAP_%E8%AE%A4%E8%AF%81%E9%85%8D%E7%BD%AE\"><\/span>LDAP \u8ba4\u8bc1\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u6240\u6709LDAP\u914d\u7f6e\u901a\u8fc7 <code>.env<\/code> \u6587\u4ef6\u7ba1\u7406\uff0c\u652f\u6301\u4ee5\u4e0b\u914d\u7f6e\u9879\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u914d\u7f6e\u9879<\/th><th>\u8bf4\u660e<\/th><th>\u793a\u4f8b<\/th><\/tr><\/thead><tbody><tr><td><code>LDAP_AD_SERVER<\/code><\/td><td>AD\u670d\u52a1\u5668\u5730\u5740<\/td><td>192.168.99.190<\/td><\/tr><tr><td><code>LDAP_AD_PORT<\/code><\/td><td>LDAP\u7aef\u53e3<\/td><td>389 (\u6807\u51c6) \u6216 636 (LDAPS)<\/td><\/tr><tr><td><code>LDAP_DOMAIN<\/code><\/td><td>AD\u57df\u540d<\/td><td>suitbim.com<\/td><\/tr><tr><td><code>LDAP_BASE_DN<\/code><\/td><td>\u57fa\u7840DN<\/td><td>DC=suitbim,DC=com<\/td><\/tr><tr><td><code>LDAP_ADMIN_UPN<\/code><\/td><td>\u7ba1\u7406\u5458\u8d26\u6237<\/td><td><a href=\"mailto:Administrator@suitbim.com\">Administrator@suitbim.com<\/a><\/td><\/tr><tr><td><code>LDAP_ADMIN_PASS<\/code><\/td><td>\u7ba1\u7406\u5458\u5bc6\u7801<\/td><td>your_password<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>\u5bc6\u7801\u7279\u6b8a\u5b57\u7b26\u5904\u7406<\/strong>\uff1a<\/p>\n\n\n\n<p>\u5728 <code>.env<\/code> 
\u6587\u4ef6\u4e2d\uff0c\u5927\u90e8\u5206\u7279\u6b8a\u5b57\u7b26\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u6b63\u5e38\u5bc6\u7801<br>LDAP_ADMIN_PASS=P@ssw0rd123<br><br># \u5305\u542b\u7279\u6b8a\u5b57\u7b26\uff08$ \" ' \\ \u7a7a\u683c\uff09<br>LDAP_ADMIN_PASS=P@ss$w0rd#\"123<\/pre>\n\n\n\n<p>\u26a0\ufe0f <strong>\u6ce8\u610f<\/strong>\uff1a\u5982\u679c\u5bc6\u7801\u4ee5 <code>$<\/code> \u5f00\u5934\u540e\u8ddf\u5b57\u6bcd\uff08\u5982 <code>$abc<\/code>\uff09\uff0c\u5efa\u8bae\u6539\u5bc6\u7801\u6216\u7528\u5f15\u53f7\u5305\u56f4\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%AB%AF%E5%8F%A3%E9%85%8D%E7%BD%AE\"><\/span>\u7aef\u53e3\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u9ed8\u8ba4\u4f7f\u7528 UDP 3394 \u7aef\u53e3\uff0c\u53ef\u5728 <code>docker-compose.yml<\/code> \u4e2d\u4fee\u6539\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ports:<br>  - \"3394:3394\/udp\"  # \u4e3b\u673a\u7aef\u53e3:\u5bb9\u5668\u7aef\u53e3\/\u534f\u8bae<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%BD%91%E7%BB%9C%E9%85%8D%E7%BD%AE\"><\/span>\u7f51\u7edc\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>VPN\u7f51\u7edc\u9ed8\u8ba4\u914d\u7f6e\u4e3a <code>172.20.0.0\/16<\/code>\uff0c\u5bb9\u5668IP\u4e3a <code>172.20.0.10<\/code>\u3002<\/p>\n\n\n\n<p>\u5982\u9700\u4fee\u6539\uff0c\u8bf7\u540c\u6b65\u66f4\u65b0\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>docker-compose.yml<\/code> \u4e2d\u7684\u7f51\u7edc\u914d\u7f6e<\/li>\n\n\n\n<li><code>config\/server.conf<\/code> \u4e2d\u7684\u76f8\u5173\u8def\u7531\u914d\u7f6e<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E8%AF%81%E4%B9%A6%E7%AE%A1%E7%90%86\"><\/span>\u8bc1\u4e66\u7ba1\u7406<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"%E4%BD%BF%E7%94%A8%E7%8E%B0%E6%9C%89%E8%AF%81%E4%B9%A6%EF%BC%88%E4%BB%8E%E6%97%A7%E7%89%88%E6%9C%AC%E8%BF%81%E7%A7%BB%EF%BC%89\"><\/span>\u4f7f\u7528\u73b0\u6709\u8bc1\u4e66\uff08\u4ece\u65e7\u7248\u672c\u8fc1\u79fb\uff09<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u5982\u679c\u60a8\u6709\u4ece OpenVPN 2.4 \u6216\u66f4\u65e9\u7248\u672c\u8fc1\u79fb\u7684\u8bc1\u4e66\uff0c\u76f4\u63a5\u590d\u5236\u5230 <code>pki\/<\/code> \u76ee\u5f55\u5373\u53ef\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u4ece\u65e7\u670d\u52a1\u5668\u590d\u5236\u8bc1\u4e66\u6587\u4ef6<br>scp old-server:\/etc\/openvpn\/pki\/ca.crt .\/pki\/<br>scp old-server:\/etc\/openvpn\/pki\/server.crt .\/pki\/<br>scp old-server:\/etc\/openvpn\/pki\/server.key .\/pki\/<br>scp old-server:\/etc\/openvpn\/pki\/dh.pem .\/pki\/<br><br># \u542f\u52a8\u5bb9\u5668<br>docker compose up -d<\/pre>\n\n\n\n<p><strong>\u5df2\u9a8c\u8bc1<\/strong>\uff1aOpenVPN 2.4 \u751f\u6210\u7684\u8bc1\u4e66\u53ef\u4ee5\u5728 2.6.17 \u7248\u672c\u4e2d\u6b63\u5e38\u4f7f\u7528\uff0c\u5ba2\u6237\u7aef\u65e0\u9700\u66f4\u65b0\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%94%9F%E6%88%90%E6%96%B0%E8%AF%81%E4%B9%A6\"><\/span>\u751f\u6210\u65b0\u8bc1\u4e66<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u5728src\u76ee\u5f55\u4e0b\u4f7f\u7528EasyRSA\u751f\u6210\u8bc1\u4e66<br>cd src\/<br>tar -xzf EasyRSA-3.1.7.tgz<br>cd EasyRSA-3.1.7\/<br>.\/easyrsa init-pki<br>.\/easyrsa build-ca<br>.\/easyrsa build-server-full server nopass<br>.\/easyrsa gen-dh<br><br># \u590d\u5236\u8bc1\u4e66\u5230pki\u76ee\u5f55<br>cp pki\/ca.crt ..\/pki\/<br>cp pki\/issued\/server.crt ..\/pki\/<br>cp pki\/private\/server.key ..\/pki\/<br>cp pki\/dh.pem ..\/pki\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E6%9B%B4%E6%96%B0%E8%AF%81%E4%B9%A6\"><\/span>\u66f4\u65b0\u8bc1\u4e66<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u5c06\u65b0\u7684\u8bc1\u4e66\u6587\u4ef6\u590d\u5236\u5230 <code>pki\/<\/code> \u76ee\u5f55<\/li>\n\n\n\n<li>\u91cd\u542f\u5bb9\u5668\uff1adocker compose restart<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"LDAP%E8%AE%A4%E8%AF%81%E6%B5%8B%E8%AF%95\"><\/span>LDAP\u8ba4\u8bc1\u6d4b\u8bd5<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u5bb9\u5668\u542f\u52a8\u540e\uff0c\u5efa\u8bae\u624b\u52a8\u6d4b\u8bd5LDAP\u8ba4\u8bc1\u662f\u5426\u6b63\u5e38\u5de5\u4f5c\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E8%BF%9B%E5%85%A5%E5%AE%B9%E5%99%A8\"><\/span>\u8fdb\u5165\u5bb9\u5668<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">docker compose exec openvpn bash<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%88%9B%E5%BB%BA%E6%B5%8B%E8%AF%95%E6%96%87%E4%BB%B6\"><\/span>\u521b\u5efa\u6d4b\u8bd5\u6587\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa\u5305\u542b\u7528\u6237\u540d\u548c\u5bc6\u7801\u7684\u6d4b\u8bd5\u6587\u4ef6<br># \u683c\u5f0f\uff1a\u7b2c\u4e00\u884c\u7528\u6237\u540d\uff0c\u7b2c\u4e8c\u884c\u5bc6\u7801<br>printf 'username\\npassword\\n' &gt; \/tmp\/test.txt<br><br># \u793a\u4f8b\uff1a\u4f7f\u7528\u771f\u5b9e\u8d26\u6237\u6d4b\u8bd5\uff08\u6d4b\u8bd5\u6587\u4ef6\u5305\u542b\u660e\u6587\u5bc6\u7801\uff0c\u6d4b\u8bd5\u540e\u8bf7\u7acb\u5373\u5220\u9664\uff09<br>printf 'zhangjian\\nYOUR_PASSWORD\\n' &gt; \/tmp\/test.txt<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E6%89%A7%E8%A1%8C%E8%AE%A4%E8%AF%81%E8%84%9A%E6%9C%AC\"><\/span>\u6267\u884c\u8ba4\u8bc1\u811a\u672c<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u6267\u884cLDAP\u8ba4\u8bc1\u811a\u672c<br>.\/auth-ldap.sh \/tmp\/test.txt<br><br># \u68c0\u67e5\u9000\u51fa\u7801<br>echo \"\u9000\u51fa\u7801: 
$?\"<\/pre>\n\n\n\n<p><strong>\u9884\u671f\u7ed3\u679c<\/strong>\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u9000\u51fa\u7801\u4e3a <code>0<\/code> \u8868\u793a\u8ba4\u8bc1\u6210\u529f<\/li>\n\n\n\n<li>\u9000\u51fa\u7801\u4e3a <code>1<\/code> \u8868\u793a\u8ba4\u8bc1\u5931\u8d25<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E6%9F%A5%E7%9C%8B%E8%AE%A4%E8%AF%81%E6%97%A5%E5%BF%97\"><\/span>\u67e5\u770b\u8ba4\u8bc1\u65e5\u5fd7<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u67e5\u770b\u8ba4\u8bc1\u7ed3\u679c<br>tail -20 \/var\/log\/openvpn\/auth.log<\/pre>\n\n\n\n<p><strong>\u6210\u529f\u793a\u4f8b<\/strong>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u7528\u6237 [zhangjian] \u5c1d\u8bd5\u8ba4\u8bc1<br>\u89e3\u7801\u540e DN: [CN=\u5f20\u5065,OU=\u6570\u667a\u7ba1\u7406\u4e2d\u5fc3,OU=\u57ce\u5efa\u4fe1\u606f,DC=suitbim,DC=com]<br>\u7528\u6237 zhangjian \u8ba4\u8bc1\u6210\u529f [u:SUITBIM\\zhangjian]<\/pre>\n\n\n\n<p><strong>\u5931\u8d25\u793a\u4f8b<\/strong>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u7528\u6237 [testuser] \u5c1d\u8bd5\u8ba4\u8bc1<br>\u7528\u6237 testuser \u5728 AD \u4e2d\u4e0d\u5b58\u5728<\/pre>\n\n\n\n<p>\u6216<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\u8ba4\u8bc1\u5931\u8d25: ldap_bind: Invalid credentials (49)<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E9%80%80%E5%87%BA%E5%AE%B9%E5%99%A8\"><\/span>\u9000\u51fa\u5bb9\u5668<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">exit<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%9B%AE%E5%BD%95%E6%9D%83%E9%99%90%E8%AE%BE%E7%BD%AE\"><\/span>\u76ee\u5f55\u6743\u9650\u8bbe\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"%E5%85%B3%E9%94%AE%E7%9B%AE%E5%BD%95%E6%9D%83%E9%99%90\"><\/span>\u5173\u952e\u76ee\u5f55\u6743\u9650<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>logs\/ \u548c clients\/ \u76ee\u5f55<\/strong>\uff1a\u8fd9\u4e24\u4e2a\u76ee\u5f55\u5bb9\u5668\u4f1a\u5199\u5165\u6587\u4ef6\uff0c\u9700\u8981\u8bbe\u7f6e\u6b63\u786e\u7684\u6743\u9650\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u8bbe\u7f6e\u6b63\u786e\u7684\u6240\u6709\u8005\u548c\u6743\u9650<br>sudo chown -R root:root logs\/ clients\/<br>sudo chmod 755 logs\/ clients\/<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%9B%AE%E5%BD%95%E8%AF%B4%E6%98%8E\"><\/span>\u76ee\u5f55\u8bf4\u660e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"logs_%E7%9B%AE%E5%BD%95\"><\/span>logs\/ \u76ee\u5f55<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u7528\u9014<\/strong>\uff1a\u5b58\u50a8OpenVPN\u8fd0\u884c\u65e5\u5fd7<\/li>\n\n\n\n<li><strong>\u521d\u59cb\u72b6\u6001<\/strong>\uff1a\u7a7a\u76ee\u5f55\uff08\u9996\u6b21\u90e8\u7f72\u65f6\uff09<\/li>\n\n\n\n<li><strong>\u6743\u9650\u8981\u6c42<\/strong>\uff1a755 (rwxr-xr-x)<\/li>\n\n\n\n<li><strong>\u5bb9\u5668\u4f1a\u81ea\u52a8\u521b\u5efa<\/strong>\uff1a<code>openvpn.log<\/code>\u3001<code>auth.log<\/code>\u3001<code>openvpn-status.log<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"clients_%E7%9B%AE%E5%BD%95\"><\/span>clients\/ \u76ee\u5f55<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u7528\u9014<\/strong>\uff1aCCD (Client Config Directory)\uff0c\u7528\u4e8e\u4e3a\u7279\u5b9a\u5ba2\u6237\u7aef\u5206\u914d\u56fa\u5b9aIP<\/li>\n\n\n\n<li><strong>\u521d\u59cb\u72b6\u6001<\/strong>\uff1a\u7a7a\u76ee\u5f55<\/li>\n\n\n\n<li><strong>\u6743\u9650\u8981\u6c42<\/strong>\uff1a755 
(rwxr-xr-x)<\/li>\n\n\n\n<li><strong>\u4f7f\u7528\u573a\u666f<\/strong>\uff1a\u9700\u8981\u4e3a\u67d0\u4e2a\u5ba2\u6237\u7aef\u5206\u914d\u56fa\u5b9aIP\u6216\u63a8\u9001\u7279\u5b9a\u8def\u7531<\/li>\n<\/ul>\n\n\n\n<p><strong>\u793a\u4f8b<\/strong>\uff1a\u4e3a\u5ba2\u6237\u7aefclient1\u5206\u914d\u56fa\u5b9aIP<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"ifconfig-push 10.8.0.10 10.8.0.11\" &gt; clients\/client1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E4%B8%80%E9%94%AE%E8%AE%BE%E7%BD%AE%E6%9D%83%E9%99%90\"><\/span>\u4e00\u952e\u8bbe\u7f6e\u6743\u9650<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u4f7f\u7528\u63d0\u4f9b\u7684\u811a\u672c\u81ea\u52a8\u8bbe\u7f6e\u6240\u6709\u6743\u9650\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo bash setup-permissions.sh<\/pre>\n\n\n\n<p>\u811a\u672c\u529f\u80fd\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u2705 \u4ea4\u4e92\u5f0f\u9009\u62e9\u662f\u5426\u6e05\u7a7a logs\/ \u548c clients\/ \u76ee\u5f55<\/li>\n\n\n\n<li>\u2705 \u81ea\u52a8\u8bbe\u7f6e\u6240\u6709\u6587\u4ef6\u548c\u76ee\u5f55\u7684\u6b63\u786e\u6743\u9650<\/li>\n\n\n\n<li>\u2705 \u9a8c\u8bc1\u6743\u9650\u8bbe\u7f6e\u7ed3\u679c<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E9%A6%96%E6%AC%A1%E9%83%A8%E7%BD%B2%E5%BF%AB%E9%80%9F%E8%AE%BE%E7%BD%AE\"><\/span>\u9996\u6b21\u90e8\u7f72\u5feb\u901f\u8bbe\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># 1. \u6e05\u7a7alogs\u76ee\u5f55\uff08\u53ef\u9009\uff0c\u5982\u6709\u65e7\u65e5\u5fd7\uff09<br>sudo rm -rf logs\/*<br><br># 2. \u786e\u4fddclients\u76ee\u5f55\u4e3a\u7a7a<br>sudo rm -rf clients\/*<br><br># 3. \u8bbe\u7f6e\u6743\u9650<br>sudo bash setup-permissions.sh<br><br># 4. 
\u542f\u52a8\u5bb9\u5668<br>docker compose up -d<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE\"><\/span>\u5ba2\u6237\u7aef\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%94%9F%E6%88%90%E5%AE%A2%E6%88%B7%E7%AB%AF%E9%85%8D%E7%BD%AE\"><\/span>\u751f\u6210\u5ba2\u6237\u7aef\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66\uff08\u5728EasyRSA\u76ee\u5f55\uff09\uff1a.\/easyrsa build-client-full client1 nopass<\/li>\n\n\n\n<li>\u521b\u5efa\u5ba2\u6237\u7aef\u914d\u7f6e\u6587\u4ef6 <code>client1.ovpn<\/code>\uff1a# \u5728src\u76ee\u5f55\u4e0b\u6267\u884c<br>docker compose run --rm openvpn ovpn_getclient client1 &gt; ..\/clients\/client1.ovpn<\/li>\n\n\n\n<li>\u5c06\u914d\u7f6e\u6587\u4ef6\u5206\u53d1\u7ed9\u5ba2\u6237\u7aef\u4f7f\u7528\uff08\u914d\u7f6e\u6587\u4ef6\u901a\u5e38\u5185\u542b\u5ba2\u6237\u7aef\u79c1\u94a5\uff0c\u4e14 nopass \u751f\u6210\u7684\u79c1\u94a5\u672a\u52a0\u5bc6\uff0c\u8bf7\u901a\u8fc7\u5b89\u5168\u6e20\u9053\u5206\u53d1\uff09<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%BB%B4%E6%8A%A4%E6%93%8D%E4%BD%9C\"><\/span>\u7ef4\u62a4\u64cd\u4f5c<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E6%9F%A5%E7%9C%8B%E8%BF%9E%E6%8E%A5%E7%8A%B6%E6%80%81\"><\/span>\u67e5\u770b\u8fde\u63a5\u72b6\u6001<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u67e5\u770b\u5b9e\u65f6\u65e5\u5fd7<br>docker compose logs -f openvpn<br><br># \u67e5\u770b\u8fde\u63a5\u72b6\u6001<br>docker compose exec openvpn cat \/etc\/openvpn\/openvpn-status.log<br><br># \u67e5\u770b\u8ba4\u8bc1\u65e5\u5fd7<br>docker compose exec openvpn cat \/var\/log\/openvpn\/auth.log<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E9%87%8D%E5%90%AF%E6%9C%8D%E5%8A%A1\"><\/span>\u91cd\u542f\u670d\u52a1<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u91cd\u542f\u5bb9\u5668<br>docker compose restart<br><br># \u5b8c\u5168\u91cd\u5efa\u5bb9\u5668<br>docker compose down<br>docker compose up -d<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%A4%87%E4%BB%BD%E4%B8%8E%E6%81%A2%E5%A4%8D\"><\/span>\u5907\u4efd\u4e0e\u6062\u590d<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>\u5907\u4efd\u914d\u7f6e\u548c\u8bc1\u4e66<\/strong>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar -czf openvpn-backup-$(date +%Y%m%d).tar.gz .env config\/ pki\/ scripts\/ docker-compose.yml<\/pre>\n\n\n\n<p>\u6ce8\u610f\uff1a\u5907\u4efd\u5305\u542b pki\/ \u4e2d\u7684\u79c1\u94a5\uff0c.env \u4e2d\u4e5f\u53ef\u80fd\u6709\u51ed\u636e\uff0c\u8bf7\u9650\u5236\u5907\u4efd\u6587\u4ef6\u7684\u8bbf\u95ee\u6743\u9650\uff08\u4f8b\u5982 chmod 600\uff09\u3002<\/p>\n\n\n\n<p><strong>\u6062\u590d\u914d\u7f6e<\/strong>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar -xzf openvpn-backup-YYYYMMDD.tar.gz<br>docker compose up -d<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E9%87%8D%E6%96%B0%E6%9E%84%E5%BB%BA%E9%95%9C%E5%83%8F\"><\/span>\u91cd\u65b0\u6784\u5efa\u955c\u50cf<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u5982\u679c\u955c\u50cf\u635f\u574f\u6216\u9700\u8981\u91cd\u65b0\u6784\u5efa\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd src\/<br>docker compose build<br>docker save openvpn-ldap:2.6.17 | gzip &gt; ..\/openvpn-ldap_2.6.17.tar<br>cd ..<br>docker load -i openvpn-ldap_2.6.17.tar<br>docker compose up -d<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%9B%B8%E5%85%B3%E6%96%87%E6%A1%A3\"><\/span>\u76f8\u5173\u6587\u6863<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"setup-permissions.sh\">setup-permissions.sh<\/a> &#8211; \u6743\u9650\u8bbe\u7f6e\u811a\u672c<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Anolis 8.10 \u7cfb\u7edf OpenVPN \u670d\u52a1\u7aef\u5b8c\u6574\u90e8\u7f72\u6d41\u7a0b\uff08\u4f18\u5316\u7248\uff09 \ud83d\udccb \u76ee\u5f55 
\u4e00\u3001\u73af\u5883\u51c6\u5907 1.1 \u7cfb [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3040","post","type-post","status-publish","format-standard","hentry","category-vxhs888p"],"_links":{"self":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts\/3040","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3040"}],"version-history":[{"count":2,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts\/3040\/revisions"}],"predecessor-version":[{"id":3155,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts\/3040\/revisions\/3155"}],"wp:attachment":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3040"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3040"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}