This post records an OpenVPN setup on Ubuntu, deployed on an Aliyun (Alibaba Cloud) ECS instance.
- Certificates are issued with easyrsa 3.0
- ta.key (the shared tls-auth HMAC key, which has to be copied to every client over a trusted channel) is generated with: openvpn --genkey --secret ta.key (OpenVPN 2.5 and later spell this openvpn --genkey secret ta.key; the old form is still accepted but flagged as deprecated)
Client configuration:
client
dev tun
proto tcp
remote www.mobibrw.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM # prefer an AEAD mode such as GCM; CBC modes need a separate HMAC and are where padding-oracle attacks have been found (on OpenVPN 2.5+ the negotiated data-ciphers list takes precedence and cipher is only the fallback)
key-direction 1 # client side of the tls-auth key; the server uses 0
comp-lzo # compression is what the VORACLE attack exploits to recover plaintext; drop it on both sides unless an old peer needs it
verb 3
<ca>
-----BEGIN CERTIFICATE-----
# insert base64 blob from ca.crt
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# insert base64 blob from client1.crt
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# insert base64 blob from client1.key
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# insert ta.key
-----END OpenVPN Static key V1-----
</tls-auth>
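Assembling the unified profile above by hand is where mistakes happen: easyrsa-issued .crt files begin with a human-readable dump of the certificate, and pasting that prefix inside <cert> breaks the profile. The following script is an added example, not code from the original post: it builds the client profile from an easyrsa 3 pki/ directory and keeps only the PEM section of each file. The helper names (pem_only, make_ovpn, demo_pki) are this example's own, the directory layout is the easyrsa 3 default (pki/ca.crt, pki/issued/, pki/private/), and the demo files it writes are constructed filler, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original post: build the unified client
# profile from an easyrsa 3 pki/ directory, keeping only the PEM section
# of each file.  easyrsa-issued .crt files start with a text dump of the
# certificate; that prefix must not end up inside <cert>.
# Helper names are this example's own; the layout is the easyrsa 3 default.

# pem_only FILE MARKER: print the -----BEGIN MARKER----- .. -----END MARKER-----
# block of FILE (MARKER is a sed basic regex); fail if there is none, so a
# wrong path cannot silently produce a profile with an empty block.
pem_only() {
    out=$(sed -n "/^-----BEGIN $2-----/,/^-----END $2-----/p" "$1") || return 1
    [ -n "$out" ] || { echo "pem_only: no $2 block in $1" >&2; return 1; }
    printf '%s\n' "$out"
}

# make_ovpn NAME PKIDIR TAKEY REMOTE PORT: write the profile to stdout.
# comp-lzo is deliberately left out (VORACLE); the server must not require it.
make_ovpn() {
    name=$1 pki=$2 takey=$3 remote=$4 port=$5
    cat <<EOF
client
dev tun
proto tcp
remote $remote $port
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
key-direction 1
verb 3
EOF
    printf '<ca>\n';       pem_only "$pki/ca.crt" 'CERTIFICATE' || return 1;                   printf '</ca>\n'
    printf '<cert>\n';     pem_only "$pki/issued/$name.crt" 'CERTIFICATE' || return 1;         printf '</cert>\n'
    printf '<key>\n';      pem_only "$pki/private/$name.key" '[A-Z ]*PRIVATE KEY' || return 1; printf '</key>\n'
    printf '<tls-auth>\n'; pem_only "$takey" 'OpenVPN Static key V1' || return 1;             printf '</tls-auth>\n'
}

# demo_pki DIR: constructed placeholder files in the easyrsa layout so the
# script runs offline.  The base64 lines are filler, not real key material.
demo_pki() {
    mkdir -p "$1/pki/issued" "$1/pki/private"
    printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n-----BEGIN CERTIFICATE-----\nMIIDEMOCA\n-----END CERTIFICATE-----\n' > "$1/pki/ca.crt"
    printf 'Certificate:\n    Data:\n-----BEGIN CERTIFICATE-----\nMIIDEMOCLIENT\n-----END CERTIFICATE-----\n' > "$1/pki/issued/client1.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIDEMOKEY\n-----END PRIVATE KEY-----\n' > "$1/pki/private/client1.key"
    printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef\n-----END OpenVPN Static key V1-----\n' > "$1/ta.key"
}

# Stand-alone run on the constructed files.  The profile embeds the client's
# private key, so it is created with a restrictive umask.
demo_dir=$(mktemp -d)
demo_pki "$demo_dir"
umask 077
make_ovpn client1 "$demo_dir/pki" "$demo_dir/ta.key" www.mobibrw.com 1194 > "$demo_dir/client1.ovpn"
cat "$demo_dir/client1.ovpn"
rm -rf "$demo_dir"
```

Point the script at a real pki/ directory (`make_ovpn client1 /etc/openvpn/easy-rsa/pki /etc/openvpn/ta.key www.mobibrw.com 1194 > client1.ovpn`) and hand the resulting file to the client over a trusted channel; it contains the private key and the shared ta.key.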
Server configuration:
openvpn/server.conf
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
client-to-client # lets VPN clients reach each other through the server; leave it out if clients should be isolated from one another
keepalive 10 120
tls-auth ta.key 0 # the trailing 0 already sets the server key direction; key-direction 0 below is redundant but harmless
key-direction 0
cipher AES-256-GCM # prefer an AEAD mode such as GCM; CBC modes need a separate HMAC and are where padding-oracle attacks have been found (on OpenVPN 2.5+ set data-ciphers; cipher is only the fallback)
comp-lzo # compression is what the VORACLE attack exploits to recover plaintext; drop it on both sides unless an old peer needs it
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
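The server file above works, but three of its settings are ones a current OpenVPN (2.4/2.5+) deployment should not keep: comp-lzo (VORACLE compression oracle), cipher without a negotiated data-ciphers list, and tls-auth where tls-crypt would also encrypt the control channel; it also leaves tls-version-min and the control-channel auth digest at their defaults. The script below is an added example, not code from the original post: a small audit that flags those settings, run over the directives from the server.conf above and over a hardened version that passes. The function names and temporary file paths are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a server.conf for
# settings a current OpenVPN (2.4/2.5+) server should not carry, then show
# a hardened file that passes.  Function names are this example's own.

# has_directive CONF PATTERN: true if an uncommented line of CONF starts
# with a directive matching the extended regex PATTERN.
has_directive() {
    printf '%s\n' "$1" | sed 's/[#;].*$//' | grep -Eq "^[[:space:]]*($2)([[:space:]]|$)"
}

# audit_conf FILE: print one finding per line; return 1 if there is any.
audit_conf() {
    conf=$(cat "$1") rc=0
    if has_directive "$conf" 'comp-lzo|compress'; then
        echo "compression: VORACLE recovers plaintext through the compression side channel; remove comp-lzo/compress"; rc=1
    fi
    if has_directive "$conf" 'cipher' && ! has_directive "$conf" 'data-ciphers'; then
        echo "cipher only: OpenVPN 2.5+ negotiates from data-ciphers, cipher is just the fallback for peers without NCP"; rc=1
    fi
    if has_directive "$conf" 'tls-auth' && ! has_directive "$conf" 'tls-crypt'; then
        echo "tls-auth: tls-crypt also encrypts the control channel, hiding certificates from a passive observer"; rc=1
    fi
    has_directive "$conf" 'tls-version-min' || { echo "no tls-version-min: add tls-version-min 1.2"; rc=1; }
    has_directive "$conf" 'auth' || { echo "no auth: control-channel HMAC defaults to SHA1; add auth SHA256"; rc=1; }
    return $rc
}

# write_weak_conf FILE: the security-relevant directives from the post's server.conf.
write_weak_conf() {
    cat > "$1" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-256-GCM
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# write_hardened_conf FILE: the same server without the flagged settings.
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none                               # ECDHE key exchange instead of finite-field DH (2.4+)
server 10.8.0.0 255.255.255.0
keepalive 10 120
tls-crypt ta.key                      # same ta.key file; tls-crypt needs no key-direction
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM  # negotiated AEAD list (2.5+; ncp-ciphers on 2.4)
data-ciphers-fallback AES-256-GCM     # for peers that cannot negotiate
auth SHA256                           # HMAC digest for tls-crypt and the control channel
user nobody
group nogroup
persist-key
persist-tun
verb 3
EOF
}

# Stand-alone run: audit both files.
d=$(mktemp -d)
write_weak_conf "$d/weak.conf"
write_hardened_conf "$d/hardened.conf"
for f in weak hardened; do
    echo "== $f.conf"
    audit_conf "$d/$f.conf" && echo "no findings"
done
rm -rf "$d"
```

The hardened file is a drop-in replacement for the post's server.conf as far as the directives above go; the matching client needs tls-crypt ta.key instead of the <tls-auth> block plus key-direction 1, and must not carry comp-lzo.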