marksugar: 667 articles written, 111 comments received.
Search results: 5 posts found.
2016-03-19
OpenVPN login with user/password authentication [corrected version]
OpenVPN login with user/password authentication.

1. Why use user/password? It is easier to manage than plain OpenVPN: to remove a user you only delete the user from the pwd-file or change the password, with none of the tedious steps. The configuration is as follows.

One: finish the basic OpenVPN setup first (see the previous posts).

Two: edit the OpenVPN server's main configuration file and add the lines below. With client-cert-not-required, only the username and password are used to authenticate the login; without it, both the certificate and the username/password are required.

```
tail -3 /usr/local/openvpn/etc/server.conf
auth-user-pass-verify /usr/local/openvpn/etc/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
```

For example:

```
[root@node scripts]# cat /etc/openvpn/server.conf
local 10.0.0.20
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 172.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
client-config-dir ccd/DEFAULT
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
auth-user-pass-verify /etc/openvpn/scripts/checkpwd.sh via-env
username-as-common-name
script-security 3
client-to-client
```

Create the scripts directory and put the script in it, as follows:

```
[root@node scripts]# cat /etc/openvpn/scripts/checkpwd.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
# Password file: one "username password" pair per line.
PASSFILE="/etc/openvpn/scripts/pwd-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi
# Look up the password stored for $username (exported by OpenVPN with via-env),
# skipping ';' and '#' comment lines.
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
  # Note: the failure messages below write the submitted password to the log in clear text.
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
[root@node scripts]#
```

Create the password file:

```
[root@node scripts]# cat /etc/openvpn/scripts/pwd-file
linuxeacom 123
[root@node scripts]# ll
total 8
-rwxr-xr-x 1 root   root   969 Mar 19 02:02 checkpwd.sh
-r-------- 1 nobody nobody  15 Mar 19 02:08 pwd-file
[root@node scripts]#
```

Fix the permissions:

```
[root@node tools]# chmod 400 pwd-file
[root@node tools]# chown nobody.nobody pwd-file
[root@node tools]# chmod +x checkpwd.sh
```

Generate a random password for the linuxeacom user:

```
[root@node tools]# yum install expect
[root@node tools]# mkpasswd -l 15
^ukhvlhv30bCtiY
[root@node tools]# vim pwd-file
linuxeacom ^ukhvlhv30bCtiY
```

On the Windows client, edit linuxecom.ovpn in C:\Program Files (x86)\OpenVPN\config\linuxeacom. Add auth-user-pass to the client configuration, create a file named pwd.txt holding the username and password, and write its name after auth-user-pass (it must be in the same directory):

```
client
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote 10.0.0.20 1194
;remote 117.74.136.195 9504
;remote 180.167.10.194 9000
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert linuxeacom.crt
key linuxeacom.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
auth-user-pass pwd.txt # file holding the password
tls-client
;ns-cert-type server
route-method exe
route-delay 2
```

Log in and check the log:

```
[root@node openvpn]# tail -3 openvpn.log
Sat Mar 19 02:13:28 2016 linuxeacom/10.0.0.1:51664 MULTI: primary virtual IP for linuxeacom/10.0.0.1:51664: 172.8.0.6
Sat Mar 19 02:13:31 2016 linuxeacom/10.0.0.1:51664 PUSH: Received control message: 'PUSH_REQUEST'
Sat Mar 19 02:13:31 2016 linuxeacom/10.0.0.1:51664 SENT CONTROL [linuxeacom]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 172.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 172.8.0.6 172.8.0.5' (status=1)
[root@node openvpn]#
```

The status log:

```
[root@node openvpn]# tail openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sat Mar 19 02:15:11 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
linuxeacom,10.0.0.1:51664,4456,6008,Sat Mar 19 02:13:28 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.8.0.6,linuxeacom,10.0.0.1:51664,Sat Mar 19 02:13:28 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
[root@node openvpn]#
```

The files in this chapter are borrowed from https://ylw6006.blog.51cto.com/470441/1009004/; although that article is riddled with pitfalls, this chapter has filled them all in!
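As an added example (not the post's script and not OpenVPN's own checkpsw.sh), here is a hardened variant of the same auth-user-pass-verify hook: the password file stores a salt and a SHA-256 hash instead of the clear-text password, the username is handed to awk with -v instead of being spliced into the awk program text, and the submitted password is never written to the log. It assumes sha256sum and /dev/urandom are available and uses hypothetical helper names (add_user, check_user) with a constructed "user salt hash" file layout.

```sh
#!/bin/sh
# Added example, not the post's script: hardened variant of checkpsw.sh.
# Password file layout (constructed for this example): "<user> <salt> <hash>"
# where hash = sha256("<salt>:<password>") in hex; ';' and '#' lines are ignored.
# Assumes sha256sum and /dev/urandom; OpenVPN supplies $username/$password
# when the hook is called with "auth-user-pass-verify <script> via-env".

PASSFILE="${PASSFILE:-/etc/openvpn/scripts/pwd-file}"
LOG_FILE="${LOG_FILE:-/var/log/openvpn-password.log}"

log() {
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"
}

# hash_pw SALT PASSWORD -> hex sha256 of "SALT:PASSWORD"
hash_pw() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# lookup_user USER FILE -> "<salt> <hash>" or nothing. The username goes
# to awk via -v, never into the program text, so quotes in it cannot
# change the comparison the way they can in the original awk one-liner.
lookup_user() {
    awk -v u="$1" '!/^[;#]/ && $1 == u { print $2, $3; exit }' "$2"
}

# add_user USER PASSWORD FILE: append an entry with a fresh random salt.
add_user() {
    salt=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s %s %s\n' "$1" "$salt" "$(hash_pw "$salt" "$2")" >> "$3"
}

# check_user USER PASSWORD FILE -> 0 to accept, 1 to reject.
# Only the username is logged; the submitted password never reaches the log.
check_user() {
    [ -r "$3" ] || { log "cannot read password file $3"; return 1; }
    entry=$(lookup_user "$1" "$3")
    if [ -z "$entry" ]; then
        log "unknown user: username=\"$1\""
        return 1
    fi
    salt=${entry%% *}; stored=${entry##* }
    if [ "$(hash_pw "$salt" "$2")" = "$stored" ]; then
        log "successful authentication: username=\"$1\""
        return 0
    fi
    log "incorrect password: username=\"$1\""
    return 1
}

# Entry point when OpenVPN runs this file as the via-env hook; when the
# file is sourced for testing, $username is unset and nothing runs here.
if [ -n "${username:-}" ]; then
    check_user "$username" "${password:-}" "$PASSFILE"
    exit $?
fi
```

Create entries with add_user on the server instead of editing the file by hand; the pwd-file still needs the 400/nobody permissions shown above, since a leaked hash file can be brute-forced offline.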
2016-03-19 | 13,060 reads | 0 comments | 0 likes
2016-03-13
Logging in with OpenVPN on CentOS (4)
Dialing the VPN from Linux. Download and build the OpenVPN packages:

```
wget https://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
tar xf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make && make install
wget https://openvpn.net/release/openvpn-2.1.2.tar.gz
tar xf openvpn-2.1.2.tar.gz
cd openvpn-2.1.2
yum -y install openssl*
./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
make && make install
```

Create the configuration directory on the Linux client:

```
mkdir /etc/openvpn -p
cd /etc/openvpn/
```

Zip the files on the Windows machine and bring them over to Linux:

```
unzip linuxeacom.zip
cd linuxeacom
```

Rename linuxecom.ovpn to linuxecom.conf:

```
mv linuxecom.ovpn linuxecom.conf
```

Dial in:

```
/usr/local/sbin/openvpn --config /etc/openvpn/linuxeacom/linuxecom.conf
```

Dial-in succeeded: on the server, 10.0.0.3 shows as connected:

```
[root@node ~]# cat /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sun Mar 13 06:48:50 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
linuxeacom,10.0.0.3:53345,4165,5671,Sun Mar 13 06:48:18 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.16.1.6,linuxeacom,10.0.0.3:53345,Sun Mar 13 06:48:40 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
[root@node ~]#
```
2016-03-13 | 4,747 reads | 0 comments | 0 likes
2016-03-13
Revoking and adding OpenVPN users (3)
Adding a user: if this is not the first time you create a user, you only need to source ./vars:

```
[root@node 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]# ./build-key mark
Generating a 1024 bit RSA private key
```

If you have not closed that terminal session, adding another user is just ./build-key followed by the username.

Revoking a certificate:

```
[root@node 2.0]# ./revoke-full mark
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
Revoking Certificate 03.
Data Base Updated
Using configuration from /usr/local/openvpn-2.1.2/easy-rsa/2.0/openssl.cnf
mark.crt: C = CN, ST = shanghai, L = Shanghai, O = Fort-Funston, CN = mark, emailAddress = usertzc@163.com
error 23 at 0 depth lookup:certificate revoked
[root@node 2.0]#
```

Once the revocation completes, crl.pem is generated:

```
[root@node keys]# cat crl.pem
-----BEGIN X509 CRL-----
(base64 CRL body omitted)
-----END X509 CRL-----
[root@node keys]#
```

Check which certificates have been revoked (status R):

```
[root@node keys]# cat index.txt
V 260308144601Z 01 unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=server/emailAddress=usertzc@163.com
V 260308145051Z 02 unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
R 260311112004Z 160313112045Z 03 unknown /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=mark/emailAddress=usertzc@163.com
[root@node keys]#
```

Then add the following to the configuration file:

```
vim server.conf
crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/crl.pem
```

Of course, you can also write it as crl-verify /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys/*.pem, in which case every file ending in .pem under keys counts and all of those users are disconnected. After the change, reload or restart openvpn:

```
/etc/init.d/openvpn reload
/etc/init.d/openvpn restart
```

Concretely:

```
cp keys/crl.pem /etc/openvpn/keys/
echo 'crl-verify /etc/openvpn/keys/crl.pem' >>/etc/openvpn/server.conf
tail -2 /etc/openvpn/server.conf
```

Restart the VPN service:

```
/etc/init.d/openvpn restart
```

After the restart, the revoked client's icon no longer turns green.

Without restarting or reloading, you only need to overwrite the file produced by the revocation with the backed-up pem file:

```
[root@node keys]# cp crl.pem /tmp/crl.pem.1
[root@node 2.0]# ./revoke-full mark1
[root@node keys]# cat /tmp/crl.pem.1 >> crl.pem
```

Un-revoking a user: comment out crl-verify /etc/openvpn/keys/crl.pem and restart the service. If you need to un-revoke a single user, then each time you revoke a user the pem file generated by the revocation must be stored in its own directory, with one line per user added to the configuration file, for example:

1. ./revoke-full mark produces a pem file.
2. Create a directory named after the revoked user and copy the pem into it:

```
mkdir /etc/openvpn/keys/mark
cp /etc/openvpn/keys/crl.pem ./mark
```

3. Define it in the configuration file:

```
vim server.conf
crl-verify /etc/openvpn/keys/mark/crl.pem
```
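As an added example (not part of the post), a small shell audit of easy-rsa's keys/index.txt that reports a user's status and serial and lists the revoked entries, which is the check worth running before reloading OpenVPN with the new crl-verify file. It assumes the tab-separated OpenSSL index.txt layout shown above (with an empty revocation column on V rows); the function names are hypothetical and the sample rows are constructed to mirror the three shown in the post.

```sh
#!/bin/sh
# Added example, not part of the post: audit easy-rsa's keys/index.txt
# after ./revoke-full. Assumes the OpenSSL CA database layout shown above,
# tab-separated: status (V/R/E), expiry, revocation time (empty on V rows),
# serial, filename, DN. Function names are hypothetical.

# dn_cn DN -> the CN= component of a slash-separated DN (empty if none)
dn_cn() {
    printf '%s\n' "$1" | awk -F'/' '{ for (i = 1; i <= NF; i++)
        if (substr($i, 1, 3) == "CN=") { print substr($i, 4); exit } }'
}

# cert_status INDEX_FILE CN -> "<status> <serial>" or "absent"
cert_status() {
    awk -F'\t' -v cn="$2" '
        {
            n = split($NF, p, "/"); hit = 0
            for (i = 1; i <= n; i++) if (p[i] == "CN=" cn) hit = 1
            if (!hit) next
            # serial is always the third field from the end, so this works
            # whether the revocation column is empty (V) or a timestamp (R)
            print $1, $(NF-2); found = 1; exit
        }
        END { if (!found) print "absent" }' "$1"
}

# revoked_cns INDEX_FILE -> "<serial> <CN>" per revoked row
revoked_cns() {
    awk -F'\t' '$1 == "R" { print $(NF-2) "\t" $NF }' "$1" |
    while IFS="$(printf '\t')" read -r serial dn; do
        printf '%s %s\n' "$serial" "$(dn_cn "$dn")"
    done
}

# crl_serials CRL_PEM -> serials listed in the CRL, to compare with
# revoked_cns before reloading OpenVPN with the new crl-verify file
crl_serials() {
    openssl crl -in "$1" -noout -text | awk '/Serial Number:/ { print $3 }'
}

# write_sample_index FILE: constructed sample mirroring the three rows above
write_sample_index() {
    base='/C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston'
    mail='emailAddress=usertzc@163.com'
    printf 'V\t260308144601Z\t\t01\tunknown\t%s/CN=server/%s\n' "$base" "$mail" > "$1"
    printf 'V\t260308145051Z\t\t02\tunknown\t%s/CN=linuxeacom/%s\n' "$base" "$mail" >> "$1"
    printf 'R\t260311112004Z\t160313112045Z\t03\tunknown\t%s/CN=mark/%s\n' "$base" "$mail" >> "$1"
}
```

A serial that revoked_cns reports but crl_serials does not means the crl.pem being installed is stale, which is exactly what happens when an older copy is concatenated over a newer one.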
2016-03-13 | 17,180 reads | 1 comment | 0 likes
2016-03-13
Two ways of reaching backend hosts through OpenVPN (2)
The OpenVPN server has two NICs, eth1 and eth2: eth1 carries the public address 10.0.0.4 and eth2 sits on the internal segment with IP 192.168.10.10. The client address range OpenVPN hands out is 172.16.1.0/24, as shown in the figure. Installation was covered in the previous post; at this point clients can dial in, but they cannot reach the backend hosts.

To reach the backend hosts, a route has to be added on every machine the clients will access, as follows:

1. route add default gw 192.168.10.11: make the VPN server's internal IP the default gateway of the host being accessed.
2. route add -net 172.16.1.0/24 gw 192.168.10.11: add just the network.

Only one of the two is needed.

Note: this approach is cumbersome, since every internal machine reached over the VPN needs the route, and the route is lost on reboot, so a static route has to be configured in one of:

1. /etc/sysconfig/static-router (does not exist by default and must be created)
2. /etc/sysconfig/network-scripts/route-eth0
3. /etc/rc.local

NAT mode

The method above must be set up on every server, which is a lot of work; instead we can simply change iptables. First, stop the firewall.

One: add the rule:

```
[root@node ~]# /sbin/iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth1 -j SNAT --to-source 192.168.10.11
```

Delete it:

```
[root@node ~]# /sbin/iptables -t nat -D POSTROUTING -s 172.16.1.0/24 -o eth1 -j SNAT --to-source 192.168.10.11
```

Two: if your address is not fixed, use this one instead:

```
[root@node ~]# /sbin/iptables -t nat -I POSTROUTING -s 172.16.1.0/24 -o eth1 -j MASQUERADE
```

Note: these are iptables NAT rules, where:

1. -o eth1 is the VPN server's internal NIC
2. 192.168.10.11 is the IP of the VPN server's internal NIC
3. -j MASQUERADE translates automatically; -j SNAT --to-source 192.168.10.11 translates to a fixed address

This approach requires the firewall to be stopped, and the rule of thumb is that you can only debug the firewall once the VPN works, which is not very friendly, so here is how to use it without stopping the firewall.

Comment out these two iptables rules (FORWARD rejects forwarding by default, so commenting them out is enough):

```
#-A INPUT -p tcp --dport 1194 -j ACCEPT
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
```

Start iptables:

```
/etc/init.d/iptables start
```

Add the rule:

```
[root@node ~]# /sbin/iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth1 -j SNAT --to-source 192.168.10.11
```

Check:

```
[root@node ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  1780 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    4   572 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 22 packets, 3156 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@node ~]# vim /etc/sysconfig/iptables
```

If you would rather not comment them out, you can add these instead:

```
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
```

The finer details need their own detailed configuration. OpenVPN can work in routed mode or in NAT mode; NAT mode is easier to deploy, while routed mode can be handled by pushing a static-route file with a batch deployment tool.
2016-03-13 | 5,036 reads | 0 comments | 0 likes
2016-03-11
OpenVPN 2.1.2 setup and installation (1)
Installing OpenVPN:

```
cd /usr/local
```

Download the LZO compression module, used to compress the data in transit:

```
wget https://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
tar xf lzo-2.06.tar.gz
cd lzo-2.06
./configure
make && make install
cd ..
```

OpenVPN depends on OpenSSL, so install it, then build OpenVPN (the LZO module's paths must be passed to configure; releases are at https://openvpn.net/release/):

```
yum install -y openssl*
wget https://openvpn.net/release/openvpn-2.1.2.tar.gz
tar xf openvpn-2.1.2.tar.gz
cd openvpn-2.1.2
./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
make && make install
cd ..
```

Creating the certificates: the client and server share one CA certificate, so create it first.

```
cd /usr/local/openvpn-2.1.2/easy-rsa/2.0/
cp vars vars`date +%T-%F`
vim vars
```

Change these values:

```
export KEY_COUNTRY="CN"
export KEY_PROVINCE="shanghai"
export KEY_CITY="Shanghai"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="usertzc@163.com"
```

```
[root@node 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn-2.1.2/easy-rsa/2.0/keys
[root@node 2.0]#
```

Running clean-all removes every file under keys; it has to be run the first time:

```
[root@node 2.0]# ./clean-all
```

Generate the CA:

```
[root@node 2.0]# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [shanghai]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:linuxea
Name []:
Email Address [usertzc@163.com]:
[root@node 2.0]#
```

The CA files are generated as follows:

```
[root@node 2.0]# ll keys/
total 12
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root  916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root    0 Mar 10 06:40 index.txt
-rw-r--r-- 1 root root    3 Mar 10 06:40 serial
[root@node 2.0]#
```

Generate the server key (press Enter through the prompts and answer y):

```
[root@node 2.0]# ./build-key-server server
```

This produces:

```
[root@node 2.0]# ll keys/
total 40
-rw-r--r-- 1 root root 3882 Mar 10 06:46 01.pem
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root  916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root  111 Mar 10 06:46 index.txt
-rw-r--r-- 1 root root   21 Mar 10 06:46 index.txt.attr
-rw-r--r-- 1 root root    0 Mar 10 06:40 index.txt.old
-rw-r--r-- 1 root root    3 Mar 10 06:46 serial
-rw-r--r-- 1 root root    3 Mar 10 06:40 serial.old
-rw-r--r-- 1 root root 3882 Mar 10 06:46 server.crt
-rw-r--r-- 1 root root  676 Mar 10 06:46 server.csr
-rw------- 1 root root  916 Mar 10 06:46 server.key
```

Generate the client certificate and key file (again Enter through the prompts and y):

```
[root@node 2.0]# ./build-key linuxeacom
```

The contents are now:

```
[root@node 2.0]# ll keys/
total 64
-rw-r--r-- 1 root root 3882 Mar 10 06:46 01.pem
-rw-r--r-- 1 root root 3769 Mar 10 06:50 02.pem
-rw-r--r-- 1 root root 1220 Mar 10 06:42 ca.crt
-rw------- 1 root root  916 Mar 10 06:42 ca.key
-rw-r--r-- 1 root root  226 Mar 10 06:50 index.txt
-rw-r--r-- 1 root root   21 Mar 10 06:50 index.txt.attr
-rw-r--r-- 1 root root   21 Mar 10 06:46 index.txt.attr.old
-rw-r--r-- 1 root root  111 Mar 10 06:46 index.txt.old
-rw-r--r-- 1 root root 3769 Mar 10 06:50 linuxeacom.crt
-rw-r--r-- 1 root root  684 Mar 10 06:50 linuxeacom.csr
-rw------- 1 root root  916 Mar 10 06:50 linuxeacom.key
-rw-r--r-- 1 root root    3 Mar 10 06:50 serial
-rw-r--r-- 1 root root    3 Mar 10 06:46 serial.old
-rw-r--r-- 1 root root 3882 Mar 10 06:46 server.crt
-rw-r--r-- 1 root root  676 Mar 10 06:46 server.csr
-rw------- 1 root root  916 Mar 10 06:46 server.key
```

Generate the key-agreement (Diffie-Hellman) parameter file; it is written under keys/ as:

```
-rw-r--r-- 1 root root 245 Mar 10 06:56 dh1024.pem
```

```
[root@node 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
[root@node 2.0]#
```

Create the configuration and certificate directory, then copy the files into /etc/openvpn:

```
[root@node ~]# mkdir /etc/openvpn
[root@node 2.0]# cp -ap keys /etc/openvpn/
[root@node 2.0]# cp /usr/local/openvpn-2.1.2/sample-config-files/* /etc/openvpn/
```

For convenience, filter out the ';' comment lines, '#' comments and blank lines:

```
[root@node openvpn]# mv server.conf server.conf.bak
[root@node openvpn]# grep -vE "^;|#|^$" server.conf.bak >> ./server.conf
local                          # OpenVPN listen address
port 1194                      # port
proto udp                      # protocol
dev tun
ca ca.crt                      # certificate
cert server.crt                # certificate
dh dh1024.pem                  # verification
server 10.8.0.0 255.255.255.0  # client IP range
ifconfig-pool-persist ipp.txt
keepalive 10 120               # ping every 10 s; after 120 s without a reply the client is considered disconnected
comp-lzo
persist-key                    # on a timeout, keep the previously used key across the restart
persist-tun                    # when keepalive detects a timeout and the VPN restarts, keep the tun/tap device connected
status openvpn-status.log      # status log
verb 3                         # log verbosity
[root@node openvpn]#
```

The modified configuration file:

```
[root@node openvpn]# vim server.conf
local 10.0.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 172.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
log /var/log/openvpn.log
```

Preparing the server environment: iptables and SELinux.

```
[root@node openvpn]# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
[root@node openvpn]# setenforce 0
setenforce: SELinux is disabled
```

Enable kernel IP forwarding:

```
[root@node openvpn]# sed -ri 's@(.*_fo.*= ).*@\11@g' /etc/sysctl.conf
[root@node openvpn]# sysctl -p
```

Start it with an explicit configuration file:

```
[root@node openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/server.conf
```

Start at boot:

```
echo '/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &' >>/etc/rc.local
```

Alternatively, copy the init script:

```
[root@node openvpn]# cp /usr/local/openvpn-2.1.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@node openvpn]# chmod +x /etc/init.d/openvpn
[root@node openvpn]# chkconfig --add openvpn
```

The init script needs one change: replace *.conf with server.conf. With several configuration files present the script would read the wrong one, so the file to start with must be named explicitly:

```
for c in `/bin/ls server.conf 2>/dev/null`; do
```

```
[root@node openvpn]# ps -ef|grep vpn
root      2934     1  0 08:01 ?        00:00:00 /usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn
root      2950  2011  0 08:02 pts/0    00:00:00 grep vpn
[root@node openvpn]#
```

Client usage: install https://openvpn.net/release/openvpn-2.1.2-install.exe. Download ca.crt, linuxeacom.crt and linuxeacom.key into the Windows installation directory C:\Program Files (x86)\OpenVPN\config, create a linuxea directory under config, and copy ca.crt, linuxeacom.crt and linuxeacom.key into it. Download the edited configuration file to C:\Program Files (x86)\OpenVPN\config\linuxeacom\ as Linuxeacom.ovpn, with the following content.

Client configuration file:

```
[root@node openvpn]# egrep -v "^#|^;|^$" client.conf
client
dev tun
proto tcp                 # TCP
remote 10.0.0.4 1194      # server address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert linuxeacom.crt       # the user's certificate
key linuxeacom.key        # the user's key
ns-cert-type server
comp-lzo
verb 3
```

After logging in, check the log:

```
[root@node openvpn]# cat /var/log/openvpn.log
Thu Mar 10 08:42:01 2016 MULTI: multi_create_instance called
Thu Mar 10 08:42:01 2016 Re-using SSL/TLS context
Thu Mar 10 08:42:01 2016 LZO compression initialized
Thu Mar 10 08:42:01 2016 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Mar 10 08:42:01 2016 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 10 08:42:01 2016 Local Options hash (VER=V4): 'c0103fa8'
Thu Mar 10 08:42:01 2016 Expected Remote Options hash (VER=V4): '69109d17'
Thu Mar 10 08:42:01 2016 TCP connection established with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 TCPv4_SERVER link local: [undef]
Thu Mar 10 08:42:01 2016 TCPv4_SERVER link remote: 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 TLS: Initial packet from 10.0.0.3:59364, sid=698dad12 0424ce72
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=1, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxea/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 VERIFY OK: depth=0, /C=CN/ST=shanghai/L=Shanghai/O=Fort-Funston/CN=linuxeacom/emailAddress=usertzc@163.com
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 10 08:42:01 2016 10.0.0.3:59364 [linuxeacom] Peer Connection Initiated with 10.0.0.3:59364
Thu Mar 10 08:42:01 2016 linuxeacom/10.0.0.3:59364 MULTI: Learn: 10.8.0.6 -> linuxeacom/10.0.0.3:59364
Thu Mar 10 08:42:01 2016 linuxeacom/10.0.0.3:59364 MULTI: primary virtual IP for linuxeacom/10.0.0.3:59364: 10.8.0.6
Thu Mar 10 08:42:03 2016 linuxeacom/10.0.0.3:59364 PUSH: Received control message: 'PUSH_REQUEST'
Thu Mar 10 08:42:03 2016 linuxeacom/10.0.0.3:59364 SENT CONTROL [linuxeacom]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
```

If the connection does not come up, check whether the driver is installed and whether the configuration contains errors.
2016-03-11 | 5,964 reads | 0 comments | 0 likes