我一直在尝试让我的 OVPN 服务器在没有客户端证书验证的情况下工作。
我的 server.conf 包含以下内容:
# Ports & protocols
port 1194
proto udp
dev tun
# Server certs and keys
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
# Server subnet
server 198.18.200.0 255.255.255.0
# Persist IP lease pool
ifconfig-pool-persist ipp.txt
# Pushing to a private subnet
push "route 192.168.10.234 255.255.255.0"
# Allowing duplicate common names for clients (no keys/certs)
duplicate-cn
# KeepAlive
keepalive 10 120
# Cryptographic cipher.
cipher AES-256-CBC
# privilege downgrade fix.
persist-key
persist-tun
# Output a short status log
status openvpn-status.log
# Verbosity level 4
verb 4
# Notify the client that when the server restarts
explicit-exit-notify 1
# Add PAM Auth plugin
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
# No need for client cert
client-cert-not-required
并且 client.conf 文件包含以下内容
# Define Client
client
dev tun
# protocol
proto udp-client
# Server
remote abc.efg.xyz
# Service port
port 1194
# Not binding to a specific port
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# moderate verbosity
verb 4
mute 10
# Chosen yptographic cipher.
cipher AES-256-CBC
# cipher algorithm
auth SHA1
# Username and password are stored in this file
auth-user-pass f_secret
auth-nocache
我无法连接,当我检查日志时,它需要我 CA 文件。
Options error: You must define CA file (--ca) or CA path (--capath)
有人能告诉我如何避免使用 CA 文件吗?
答案1
您不能跳过服务器证书验证。否则,您的用户密码将面临风险。
尤其是在使用密码验证时,客户端需要验证其正在与谁对话。否则,网络路径上的任何人都可以冒充您的 VPN 网关并窃取您的用户密码。
答案2
也许您可以尝试在客户端使用适用于 Windows 的 OpenVPN Connect。通过使用此软件,您只需用户名和密码即可建立与 VPN 服务器的连接。无需配置和证书。 https://openvpn.net/client-connect-vpn-for-windows/