The example OpenVPN configuration in the Debian documentation, https://wiki.debian.org/OpenVPN, gives the following code.
Server /etc/openvpn/tun0.conf:
dev tun0
ifconfig 10.9.8.1 10.9.8.2
secret /etc/openvpn/static.key
Client /etc/openvpn/tun0.conf:
remote your-server.org
dev tun0
ifconfig 10.9.8.2 10.9.8.1
secret /etc/openvpn/static.key
My question is: how do I adapt this to handle multiple clients, without hard-coding IPs on the clients?
Answer 1
I am another one of those lazy and inexperienced people. I cannot use wireguard or vxlan tunnels, because I do not know all of my VPN clients in advance (point-to-point tunnels have to be declared up front), and my clients do not share an L2 segment with the VPN server (which would allow multicast vxlan). Moreover, I cannot easily tunnel vxlan through NAT. Finally, I may want to connect from a macOS machine. So OpenVPN it is for me.
Server configuration
Create certificates. A public certificate for the server is enough. You can use easy-rsa, or create them yourself with openssl. I prefer openssl.
On RHEL 9, do the following
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
dnf install -y openvpn easy-rsa openssl
When using easy-rsa, it is installed at
/usr/share/easy-rsa/3.0.8/easyrsa
When using openssl, create a certificate authority and a server certificate. Use openssl's -nodes parameter to avoid having to specify a password for the generated certificates.
openssl req -nodes -x509 -newkey rsa:4096 -sha256 -days 3650 -keyout ca-key.pem -out ca-cert.pem -subj "/CN=TestCA"
openssl req -nodes -newkey rsa:4096 -keyout server-key.pem -out server-csr.pem -subj "/CN=localhost"
openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -out server-cert.pem -days 365
openssl dhparam -out dh.pem 2048
Create the configuration following the example at https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
proto udp
dev tun
ca ca-cert.pem
cert /root/server-cert.pem
key /root/server-key.pem
dh /root/dh.pem
verify-client-cert none
auth-user-pass-verify /bin/true via-env
script-security 3
server 11.8.0.0 255.255.255.0
push "route 11.0.0.0 255.0.0.0"
push "redirect-gateway local"
topology subnet
explicit-exit-notify 1
Now run the server
# openvpn --config openvpn.config
2023-07-20 23:32:55 WARNING: Compression for sending and receiving enabled. Compression has been used in the past to break encryption. Allowing compression allows attacks that break encryption. Using "--allow-compression yes" is strongly discouraged for common usage. See --compress in the manual page for more information
2023-07-20 23:32:55 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-07-20 23:32:55 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional may accept clients which do not present a certificate
2023-07-20 23:32:55 OpenVPN 2.5.9 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 16 2023
2023-07-20 23:32:55 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
2023-07-20 23:32:55 WARNING: --keepalive option is missing from server config
2023-07-20 23:32:55 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-07-20 23:32:55 TUN/TAP device tun0 opened
2023-07-20 23:32:55 net_iface_mtu_set: mtu 1500 for tun0
2023-07-20 23:32:55 net_iface_up: set tun0 up
2023-07-20 23:32:55 net_addr_v4_add: 11.8.0.1/24 dev tun0
2023-07-20 23:32:55 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-07-20 23:32:55 UDPv4 link local (bound): [AF_INET][undef]:1194
2023-07-20 23:32:55 UDPv4 link remote: [AF_UNSPEC]
2023-07-20 23:32:55 Initialization Sequence Completed
Client configuration
Copy ca-cert.pem to all clients. Then configure the client in the NetworkManager GUI for KDE.
Do not forget to enable "Use only for resources on this connection", from https://serverfault.com/a/469131/116739, otherwise all of your traffic will go through the VPN by default, which is probably not what you want.
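As an added example (not from the answer above or from the OpenVPN project), the following Python linter parses an OpenVPN server config and flags the same problems the startup log above warns about, each paired with the directive that addresses it. The sample config is an abridged, constructed copy of the one posted; the defaults it assumes (client certs required, compression allowed) are those of OpenVPN 2.5.

```python
# Audit an OpenVPN 2.5 server config for the weaknesses its own startup log warns about.
import shlex

# Constructed, abridged copy of the server config posted in the answer above.
SAMPLE_SERVER_CONF = """\
ca ca-cert.pem
cert /root/server-cert.pem
key /root/server-key.pem
verify-client-cert none
auth-user-pass-verify /bin/true via-env
script-security 3
server 11.8.0.0 255.255.255.0
push "route 11.0.0.0 255.0.0.0"
push "redirect-gateway local"
"""

def parse_conf(text):
    """Map directive -> list of argument lists; a directive such as push may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = shlex.split(line)
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def first_arg(opts, name, default):
    # First argument of a directive, or the assumed OpenVPN 2.5 default when absent.
    args = opts.get(name, [[]])[0]
    return args[0] if args else default

def audit(text):
    """Return {finding: directive that fixes it}; an empty dict means nothing was flagged."""
    o = parse_conf(text)
    f = {}
    if first_arg(o, "verify-client-cert", "require") != "require":
        f["client-certificates-not-required"] = "verify-client-cert require"
    if first_arg(o, "auth-user-pass-verify", "") in ("/bin/true", "true"):
        f["password-check-always-succeeds"] = "auth-user-pass-verify <real checker> via-file"
    if "keepalive" not in o:
        f["keepalive-missing"] = "keepalive 10 120"
    if "data-ciphers" not in o and "cipher" not in o:
        f["cipher-not-pinned"] = "data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
    if first_arg(o, "allow-compression", "yes") != "no":
        f["compression-not-disabled"] = "allow-compression no"
    if "tls-crypt" not in o and "tls-auth" not in o:
        f["control-channel-unauthenticated"] = "tls-crypt ta.key"
    return f
```

With the posted config, `audit` flags all six findings; once the suggested directives are applied and the `/bin/true` password check is removed, it returns an empty dict.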
Answer 2
Try
server 10.9.8.0 255.255.255.0
on the server, and
client
on the client. The server should take the first address in the range (10.9.8.1) for itself and then hand out the other addresses to the clients; the clients should accept those assignments.