{"id":12079,"date":"2017-06-24T00:00:00","date_gmt":"2017-06-23T16:00:00","guid":{"rendered":"https:\/\/fgchen.com\/wpedu2\/2017\/06\/24\/%e3%80%90openvpn%e3%80%91-%e5%ae%89%e8%a3%9d%e3%80%81%e9%99%a4%e9%8c%af-%e9%87%8d%e9%bb%9e%e6%95%b4%e7%90%86\/"},"modified":"2026-03-30T14:48:52","modified_gmt":"2026-03-30T06:48:52","slug":"%e3%80%90openvpn%e3%80%91-%e5%ae%89%e8%a3%9d%e3%80%81%e9%99%a4%e9%8c%af-%e9%87%8d%e9%bb%9e%e6%95%b4%e7%90%86","status":"publish","type":"post","link":"https:\/\/fgchen.com\/wpedu\/2017\/06\/%e3%80%90openvpn%e3%80%91-%e5%ae%89%e8%a3%9d%e3%80%81%e9%99%a4%e9%8c%af-%e9%87%8d%e9%bb%9e%e6%95%b4%e7%90%86\/","title":{"rendered":"\u3010OpenVPN\u3011 \u5b89\u88dd\u3001\u9664\u932f \u91cd\u9ede\u6574\u7406"},"content":{"rendered":"\u56e0\u70ba\u5b78\u6821\u67b6\u8a2d\u7684\u9632\u706b\u7246\u4f7f\u5f97\u5728\u5916\u7121\u6cd5\u9023\u7dda\u8fa6\u516c\u5ba4\u7684\u96fb\u8166\u3001\u4e3b\u6a5f\u4ec0\u9ebc\u7684\uff0c\u9664\u975e\u8981\u8acb\u96fb\u7b97\u4e2d\u5fc3\u8a2d\u5b9a\u958b\u653e\u2026\uff0c\u56e0\u6b64\uff0c\u52d5\u5ff5\uff0c\u628a\u4e00\u53f0\u53ef\u5c0d\u5916\u7684Linux\u4e3b\u6a5f\u8a2d\u7f6eOpenVPN\uff0c\u63d0\u4f9b\u5728\u5b78\u6821\u5916\u6642\uff0c\u505a\u70ba\u8df3\u677f\u4ee5\u9023\u7dda\u5230\u5728\u5b78\u6821\u7684\u4e3b\u6a5f\u8cc7\u6e90\u3002\nOpenVPN\u53ef\u88dd\u5728Linux\u6216Windows\u4e0a\uff0c\u5176\u7a0b\u5f0f\u6838\u5fc3\u4fc2Server\u7aef\u8207Client\u7aef\u540c\u9ad4\u7684\u8a2d\u8a08\uff0c\u8981\u505a\u70baServer\u7aef\u6216Client\u7aef\uff0c\u900f\u904e\u8a2d\u5b9a\u6a94Server.conf\u6216client.ovpn\u4f86\u52a0\u4ee5\u8b8a\u5316\u3002\n\u9023\u7dda\u9a57\u8b49\u6709\u4e8c\u7a2e\u65b9\u5f0f\uff1a\u6578\u4f4d\u6191\u8b49\u8207\u5e33\u865f\u5bc6\u78bc\uff0c\u6578\u4f4d\u6191\u8b49\u9700\u8981\u7522\u751f\u6bcf\u4e00\u500b\u4f7f\u7528\u7aef\u6240\u9700\u8981\u7684\u6191\u8b49(\u4e0d\u7ba1\u662fserver\u6216client)\u3002\n\u901a\u8a0a\u5354\u5b9a\uff1aUDP\u6216TCP\uff0c\u4e00\u958b\u59cb\u5efa\u7f6e\u9810\u8a2d\u662fUDP\uff0c\u4f46\u662fUDP\/1194\u9019\u500b\u57e0\u4e00\u76f4\u7121\u6cd5\u9023\u7dda\uff0c\u731c\u6e2c\u61c9\u8a72\u662f\u96fb\u7b97\u4e2d\u5fc3\u7684\u9632\u706b\u7246\u904e\u6ffe\u6389(\u6700\u8fd1\u5b78\u6821\u96fb\u7b97\u4e2d\u5fc3\u5f04\u4e86\u4e00\u500b\u5f88\u5947\u602a\u7684\u4f5c\u6cd5\uff0c\u5168\u5b78\u6821\u7684\u7db2\u8def\u8b8a\u6210\u4e00\u500bNAT\u67b6\u69cb\uff0c\u901a\u901a\u900f\u904e\u4e2d\u83ef\u96fb\u4fe1\u7684NAT\u7db2\u9032\u51fa\u7db2\u969b\u7db2\u8def\u2026\uff0c\u641e\u5f97\u7db2\u8def\u8b8a\u5f97\u8907\u96dc\uff0c\u7db2\u8def\u8def\u7531\u908f\u8f2f\u4e0d\u55ae\u7d14)\uff0c\u641e\u4e86\u5f88\u4e45(1\u5929\u591a)\uff0c\u63db\u7528tcp\/1194\u901a\u4e86\u2026\u3002\n\n

\u63a8\u85a6\u7684\u7db2\u8def\u6559\u5b78\uff1aHow To Setup and Configure an OpenVPN Server on CentOS 7<\/a><\/h3>\n\n

server.conf<\/h3>\n\n
#################################################\n# Sample OpenVPN 2.0 config file for            #\n# multi-client server.                          #\n#                                               #\n# This file is for the server side              #\n# of a many-clients <-> one-server              #\n# OpenVPN configuration.                        #\n#                                               #\n# OpenVPN also supports                         #\n# single-machine <-> single-machine             #\n# configurations (See the Examples page         #\n# on the web site for more info).               #\n#                                               #\n# This config should work on Windows            #\n# or Linux\/BSD systems.  Remember on            #\n# Windows to quote pathnames and use            #\n# double backslashes, e.g.:                     #\n# \"C:\\Program Files\\OpenVPN\\config\\foo.key\" #\n#                                               #\n# Comments are preceded with '#' or ';'         #\n#################################################\n# Which local IP address should OpenVPN\n# listen on? (optional)\n;local a.b.c.d\nlocal 192.192.246.126\n# Which TCP\/UDP port should OpenVPN listen on?\n# If you want to run multiple OpenVPN instances\n# on the same machine, use a different port\n# number for each one.  You will need to\n# open up this port on your firewall.\nport 1194\n# TCP or UDP server?\nproto tcp\n;proto udp\n# \"dev tun\" will create a routed IP tunnel,\n# \"dev tap\" will create an ethernet tunnel.\n# Use \"dev tap0\" if you are ethernet bridging\n# and have precreated a tap0 virtual interface\n# and bridged it with your ethernet interface.\n# If you want to control access policies\n# over the VPN, you must create firewall\n# rules for the the TUN\/TAP interface.\n# On non-Windows systems, you can give\n# an explicit unit number, such as tun0.\n# On Windows, use \"dev-node\" for this.\n# On most systems, the VPN will not function\n# unless you partially or fully disable\n# the firewall for the TUN\/TAP interface.\n;dev tap\ndev tun\n# Windows needs the TAP-Win32 adapter name\n# from the Network Connections panel if you\n# have more than one.  On XP SP2 or higher,\n# you may need to selectively disable the\n# Windows firewall for the TAP adapter.\n# Non-Windows systems usually don't need this.\n;dev-node MyTap\n# SSL\/TLS root certificate (ca), certificate\n# (cert), and private key (key).  Each client\n# and the server must have their own cert and\n# key file.  The server and all clients will\n# use the same ca file.\n#\n# See the \"easy-rsa\" directory for a series\n# of scripts for generating RSA certificates\n# and private keys.  Remember to use\n# a unique Common Name for the server\n# and each of the client certificates.\n#\n# Any X509 key management system can be used.\n# OpenVPN can also use a PKCS #12 formatted key file\n# (see \"pkcs12\" directive in man page).\nca ca.crt\ncert server.crt\nkey server.key  # This file should be kept secret\n# Diffie hellman parameters.\n# Generate your own with:\n#   openssl dhparam -out dh2048.pem 2048\ndh dh2048.pem\n# Network topology\n# Should be subnet (addressing via IP)\n# unless Windows clients v2.0.9 and lower have to\n# be supported (then net30, i.e. a \/30 per client)\n# Defaults to net30 (not recommended)\n;topology subnet\n# Configure server mode and supply a VPN subnet\n# for OpenVPN to draw client addresses from.\n# The server will take 10.8.0.1 for itself,\n# the rest will be made available to clients.\n# Each client will be able to reach the server\n# on 10.8.0.1. Comment this line out if you are\n# ethernet bridging. See the man page for more info.\nserver 10.8.0.0 255.255.255.0\n# Maintain a record of client <-> virtual IP address\n# associations in this file.  If OpenVPN goes down or\n# is restarted, reconnecting clients can be assigned\n# the same virtual IP address from the pool that was\n# previously assigned.\nifconfig-pool-persist ipp.txt\n# Configure server mode for ethernet bridging.\n# You must first use your OS's bridging capability\n# to bridge the TAP interface with the ethernet\n# NIC interface.  Then you must manually set the\n# IP\/netmask on the bridge interface, here we\n# assume 10.8.0.4\/255.255.255.0.  Finally we\n# must set aside an IP range in this subnet\n# (start=10.8.0.50 end=10.8.0.100) to allocate\n# to connecting clients.  Leave this line commented\n# out unless you are ethernet bridging.\n;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100\n# Configure server mode for ethernet bridging\n# using a DHCP-proxy, where clients talk\n# to the OpenVPN server-side DHCP server\n# to receive their IP address allocation\n# and DNS server addresses.  You must first use\n# your OS's bridging capability to bridge the TAP\n# interface with the ethernet NIC interface.\n# Note: this mode only works on clients (such as\n# Windows), where the client-side TAP adapter is\n# bound to a DHCP client.\n;server-bridge\n# Push routes to the client to allow it\n# to reach other private subnets behind\n# the server.  Remember that these\n# private subnets will also need\n# to know to route the OpenVPN client\n# address pool (10.8.0.0\/255.255.255.0)\n# back to the OpenVPN server.\n;push \"route 120.107.96.0 255.255.255.0\"\n;push \"route 192.168.20.0 255.255.255.0\"\n# To assign specific IP addresses to specific\n# clients or if a connecting client has a private\n# subnet behind it that should also have VPN access,\n# use the subdirectory \"ccd\" for client-specific\n# configuration files (see man page for more info).\n# EXAMPLE: Suppose the client\n# having the certificate common name \"Thelonious\"\n# also has a small subnet behind his connecting\n# machine, such as 192.168.40.128\/255.255.255.248.\n# First, uncomment out these lines:\n;client-config-dir ccd\n;route 192.168.40.128 255.255.255.248\n# Then create a file ccd\/Thelonious with this line:\n#   iroute 192.168.40.128 255.255.255.248\n# This will allow Thelonious' private subnet to\n# access the VPN.  This example will only work\n# if you are routing, not bridging, i.e. you are\n# using \"dev tun\" and \"server\" directives.\n# EXAMPLE: Suppose you want to give\n# Thelonious a fixed VPN IP address of 10.9.0.1.\n# First uncomment out these lines:\n;client-config-dir ccd\n;route 10.9.0.0 255.255.255.252\n# Then add this line to ccd\/Thelonious:\n#   ifconfig-push 10.9.0.1 10.9.0.2\n# Suppose that you want to enable different\n# firewall access policies for different groups\n# of clients.  There are two methods:\n# (1) Run multiple OpenVPN daemons, one for each\n#     group, and firewall the TUN\/TAP interface\n#     for each group\/daemon appropriately.\n# (2) (Advanced) Create a script to dynamically\n#     modify the firewall in response to access\n#     from different clients.  See man\n#     page for more info on learn-address script.\n;learn-address .\/script\n# If enabled, this directive will configure\n# all clients to redirect their default\n# network gateway through the VPN, causing\n# all IP traffic such as web browsing and\n# and DNS lookups to go through the VPN\n# (The OpenVPN server machine may need to NAT\n# or bridge the TUN\/TAP interface to the internet\n# in order for this to work properly).\n;push \"redirect-gateway def1 bypass-dhcp\"\n# Certain Windows-specific network settings\n# can be pushed to clients, such as DNS\n# or WINS server addresses.  CAVEAT:\n# http:\/\/openvpn.net\/faq.html#dhcpcaveats\n# The addresses below refer to the public\n# DNS servers provided by opendns.com.\n;push \"dhcp-option DNS 208.67.222.222\"\n;push \"dhcp-option DNS 208.67.220.220\"\npush \"dhcp-option DNS 8.8.8.8\"\npush \"dhcp-option DNS 8.8.4.4\"\n# Uncomment this directive to allow different\n# clients to be able to \"see\" each other.\n# By default, clients will only see the server.\n# To force clients to only see the server, you\n# will also need to appropriately firewall the\n# server's TUN\/TAP interface.\n;client-to-client\n# Uncomment this directive if multiple clients\n# might connect with the same certificate\/key\n# files or common names.  This is recommended\n# only for testing purposes.  For production use,\n# each client should have its own certificate\/key\n# pair.\n#\n# IF YOU HAVE NOT GENERATED INDIVIDUAL\n# CERTIFICATE\/KEY PAIRS FOR EACH CLIENT,\n# EACH HAVING ITS OWN UNIQUE \"COMMON NAME\",\n# UNCOMMENT THIS LINE OUT.\n;duplicate-cn\n# The keepalive directive causes ping-like\n# messages to be sent back and forth over\n# the link so that each side knows when\n# the other side has gone down.\n# Ping every 10 seconds, assume that remote\n# peer is down if no ping received during\n# a 120 second time period.\nkeepalive 10 120\n# For extra security beyond that provided\n# by SSL\/TLS, create an \"HMAC firewall\"\n# to help block DoS attacks and UDP port flooding.\n#\n# Generate with:\n#   openvpn --genkey --secret ta.key\n#\n# The server and each client must have\n# a copy of this key.\n# The second parameter should be '0'\n# on the server and '1' on the clients.\n;tls-auth ta.key 0 # This file is secret\n# Select a cryptographic cipher.\n# This config item must be copied to\n# the client config file as well.\n# Note that 2.4 client\/server will automatically\n# negotiate AES-256-GCM in TLS mode.\n# See also the ncp-cipher option in the manpage\ncipher AES-256-CBC\n# Enable compression on the VPN link and push the\n# option to the client (2.4+ only, for earlier\n# versions see below)\n;compress lz4-v2\n;push \"compress lz4-v2\"\n# For compression compatible with older clients use comp-lzo\n# If you enable it here, you must also\n# enable it in the client config file.\n;comp-lzo\n# The maximum number of concurrently connected\n# clients we want to allow.\n;max-clients 100\n# It's a good idea to reduce the OpenVPN\n# daemon's privileges after initialization.\n#\n# You can uncomment this out on\n# non-Windows systems.\nuser nobody\ngroup nobody\n# The persist options will try to avoid\n# accessing certain resources on restart\n# that may no longer be accessible because\n# of the privilege downgrade.\npersist-key\npersist-tun\n# Output a short status file showing\n# current connections, truncated\n# and rewritten every minute.\nstatus openvpn-status.log\n# By default, log messages will go to the syslog (or\n# on Windows, if running as a service, they will go to\n# the \"Program FilesOpenVPNlog\" directory).\n# Use log or log-append to override this default.\n# \"log\" will truncate the log file on OpenVPN startup,\n# while \"log-append\" will append to it.  Use one\n# or the other (but not both).\nlog         openvpn.log\n;log-append  openvpn.log\n# Set the appropriate level of log\n# file verbosity.\n#\n# 0 is silent, except for fatal errors\n# 4 is reasonable for general usage\n# 5 and 6 can help to debug connection problems\n# 9 is extremely verbose\nverb 3\n# Silence repeating messages.  At most 20\n# sequential messages of the same message\n# category will be output to the log.\n;mute 20\n# Notify the client that when the server restarts so it\n# can automatically reconnect.\n;explicit-exit-notify 1<\/pre>\n\n
client.ovpn<\/h3>\n\n
client\ndev tun\nproto tcp\nremote VPN_SERVER_IP  1194\nresolv-retry infinite\npersist-key\npersist-tun\nverb 3\nca \"C:\\Users\\Wells\\OpenVPN\\ca.crt\"\ncert \"C:\\Users\\Wells\\OpenVPN\\client.crt\"\nkey \"C:\\Users\\Wells\\OpenVPN\\client.key\"\n<\/pre>\n\n
\u8def\u7531\u3001\u9632\u706b\u7246\u7b49\u9664\u932f\u6307\u4ee4<\/h2>\n\n
Linux<\/h3>\n\n
    \n    
  • nmap\n
      \n    
    • nmap –min-parallelism 100 -sT -sU localhost<\/li>\n<\/ul>\n<\/li>\n    
    • netstat<\/li>\n<\/ul>\n\n
      Windows<\/h3>\n\n
        \n    
      • ipconfig<\/li>\n    
      • route print<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"
        \u56e0\u70ba\u5b78\u6821\u67b6\u8a2d\u7684\u9632\u706b\u7246\u4f7f\u5f97\u5728\u5916\u7121\u6cd5\u9023\u7dda\u8fa6\u516c\u5ba4\u7684\u96fb\u8166\u3001\u4e3b\u6a5f\u4ec0\u9ebc\u7684\uff0c\u9664\u975e\u8981\u8acb\u96fb\u7b97\u4e2d\u5fc3\u8a2d … <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","fifu_image_url":"","fifu_image_alt":"","footnotes":""},"categories":[252],"tags":[157,158,159],"class_list":["post-12079","post","type-post","status-publish","format-standard","hentry","category-252","tag-centos-7","tag-linux","tag-openvpn"],"_links":{"self":[{"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/posts\/12079","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/comments?post=12079"}],"version-history":[{"count":1,"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/posts\/12079\/revisions"}],"predecessor-version":[{"id":13691,"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/posts\/12079\/revisions\/13691"}],"wp:attachment":[{"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/media?parent=12079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/categories?post=12079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fgchen.com\/wpedu\/wp-json\/wp\/v2\/tags?post=12079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}