Related material

LAN game discovery mostly relies on layer-2 broadcast, so this setup uses a bridged (TAP) network. For the difference between layer 2 (bridging) and layer 3 (routing), see https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
Installation

```sh
# Arch Linux
sudo pacman -Sy openvpn

# Debian/Ubuntu
sudo apt install openvpn
sudo apt install policykit-1
```
Generating the PKI certificates

As with Nebula, OpenVPN needs a CA certificate plus one certificate issued by that CA for every machine, server and clients alike; the two ends of each connection authenticate each other with these certificates (mutual TLS).

```sh
# CA: Ed25519 key and self-signed certificate (365250 days is roughly 1000 years)
openssl req -new -x509 -days 365250 -noenc -sha256 -newkey ed25519 \
  -subj "/C=CN/O=MisakaNet/OU=Network/CN=MisakaOVPN CA" \
  -keyout rootCA.key -out rootCA.crt
openssl x509 -noout -text -in rootCA.crt

# Node certificate: generate a key and CSR, then sign the CSR with the CA.
# Repeat with a different OVPN_NODE_NAME for every server and every client.
export OVPN_NODE_NAME="server"
openssl x509 -req -days 365250 -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
  -in <(openssl req -new -noenc -newkey ed25519 \
          -keyout ${OVPN_NODE_NAME}.key \
          -subj "/C=CN/O=MisakaNet/OU=Network/CN=OVPN ${OVPN_NODE_NAME}") \
  -out ${OVPN_NODE_NAME}.crt
openssl x509 -noout -text -in ${OVPN_NODE_NAME}.crt
openssl verify -CAfile rootCA.crt ${OVPN_NODE_NAME}.crt

# Diffie-Hellman parameters used by the server
openssl dhparam -out dh2048.pem 2048
```

Two notes on these commands. -noenc is the OpenSSL 3 spelling of -nodes (write the private key unencrypted), and the <(...) process substitution needs bash. Certificates produced by openssl x509 -req without an -extfile carry no extendedKeyUsage, so a client cannot use remote-cert-tls server to tell the real server's certificate apart from any other certificate this CA issued; and with a lifetime of 1000 years, crl-verify on the server is the only way to lock out a device whose key has been lost.
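Added example (not code from the original post): the same PKI built with explicit X.509 v3 extensions, so the server certificate is valid only as a TLS server and client certificates only as TLS clients, which is exactly what remote-cert-tls server on the client and remote-cert-tls client on the server check for. It assumes openssl 1.1.1 or newer on PATH, keeps the post's naming scheme (MisakaNet, "OVPN <node>"), and uses shorter lifetimes than the post; the output directory and the server/client file names are this script's own choice.

```sh
#!/bin/sh
# Added example (not from the original post): build the OpenVPN PKI with
# explicit X.509 v3 extensions so each certificate is tied to one role.
# Assumptions: openssl 1.1.1 or newer on PATH; names follow the post's scheme
# (MisakaNet, "OVPN <node>"); lifetimes are shorter than the post's 365250 days.
set -eu

# write_ext FILE KIND  -> writes the extension file for KIND = ca | server | client
write_ext() {
    case "$2" in
        ca)     printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                    'keyUsage=critical,keyCertSign,cRLSign' \
                    'subjectKeyIdentifier=hash' > "$1" ;;
        server) printf '%s\n' 'basicConstraints=CA:FALSE' \
                    'keyUsage=critical,digitalSignature' \
                    'extendedKeyUsage=serverAuth' > "$1" ;;
        client) printf '%s\n' 'basicConstraints=CA:FALSE' \
                    'keyUsage=critical,digitalSignature' \
                    'extendedKeyUsage=clientAuth' > "$1" ;;
        *)      echo "unknown kind: $2" >&2; return 1 ;;
    esac
}

# issue NAME  -> NAME.key and NAME.crt signed by rootCA, role taken from NAME (server|client)
issue() {
    openssl req -new -nodes -newkey ed25519 -keyout "$1.key" -out "$1.csr" \
        -subj "/C=CN/O=MisakaNet/OU=Network/CN=OVPN $1"
    write_ext "$1.ext" "$1"
    # Without -extfile the certificate would carry no EKU and remote-cert-tls
    # could not tell a server certificate from a client certificate.
    openssl x509 -req -days 825 -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
        -in "$1.csr" -extfile "$1.ext" -out "$1.crt"
}

# gen_pki DIR  -> rootCA.{key,crt}, server.{key,crt}, client.{key,crt} inside DIR
# (runs in a subshell so the cd does not leak into the caller)
gen_pki() (
    mkdir -p "$1" && cd "$1"
    # CA: Ed25519 key, CSR, then self-signed with the CA extensions above.
    openssl req -new -nodes -newkey ed25519 -keyout rootCA.key -out rootCA.csr \
        -subj "/C=CN/O=MisakaNet/OU=Network/CN=MisakaOVPN CA"
    write_ext ca.ext ca
    openssl x509 -req -days 3650 -signkey rootCA.key -extfile ca.ext \
        -in rootCA.csr -out rootCA.crt
    issue server
    issue client
    rm -f ./*.csr ./*.ext
)

# check_role DIR CRT PURPOSE -> 0 iff DIR/CRT chains to DIR/rootCA.crt and its
# extensions allow it to act as PURPOSE (sslserver or sslclient)
check_role() {
    openssl verify -CAfile "$1/rootCA.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

# Usage: gen_pki ./pki && check_role ./pki server.crt sslserver && echo "server cert ok"
```

openssl verify -purpose sslserver applies the same extendedKeyUsage test that OpenVPN's remote-cert-tls performs, so it confirms a certificate's role before it is deployed: the server certificate passes for sslserver and fails for sslclient, and the client certificate the other way round. Every client must then carry remote-cert-tls server, and the server remote-cert-tls client, for the extensions to be enforced.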
Server configuration

Create the configuration file in /etc/openvpn/server and put the certificates next to it, for example:

```
/etc/openvpn/server
├── access.conf
├── Access.crt
├── Access.key
├── dh2048.pem
└── rootCA.crt
```
The example configuration file is /etc/openvpn/server/access.conf:

```
mode server
proto udp
port 1194
dev tapovpn
ifconfig 10.25.0.1 255.255.255.0
keepalive 10 120
verb 3

server-bridge 10.25.0.1 255.255.255.0 10.25.0.2 10.25.0.254
client-to-client
duplicate-cn

cipher AES-256-GCM

ca rootCA.crt
cert Access.crt
key Access.key
dh dh2048.pem
```

A few points about this configuration. server-bridge hands clients addresses from 10.25.0.2 to 10.25.0.254 on the same /24 that ifconfig assigns to the server's TAP interface, and client-to-client is what lets the clients' frames reach each other through the server. duplicate-cn allows several simultaneous connections with the same certificate; it is only needed if one certificate is shared between devices, and sharing one defeats per-device revocation. cipher is deprecated since OpenVPN 2.5 in favour of data-ciphers, whose default list already contains AES-256-GCM, but the line still works. As written the daemon keeps running as root; user nobody, group nobody (nogroup on Debian), persist-key and persist-tun drop privileges after the interface and keys are set up.
Start the service and enable it at boot; replace access with the name of your own configuration file:

```sh
sudo systemctl start openvpn-server@access
sudo systemctl status openvpn-server@access
sudo systemctl enable openvpn-server@access
```
Client configuration

Create the configuration file in /etc/openvpn/client and put the certificates next to it, for example:

```
/etc/openvpn/client
├── rootCA.crt
├── turing.conf
├── Turing.crt
└── Turing.key
```
The example configuration file is /etc/openvpn/client/turing.conf:

```
remote ddns.hf.rootless.cc 1194
proto udp
connect-retry 5 60
resolv-retry infinite
nobind
dev tapovpn
keepalive 10 120
verb 3

client

cipher AES-256-GCM

ca rootCA.crt
cert Turing.crt
key Turing.key
```

client implies tls-client and pull, so the address the server assigns from its pool is applied to tapovpn automatically. Nothing here verifies that the certificate presented by the remote end is the server's rather than another client's signed by the same CA; remote-cert-tls server does that, provided the server certificate was issued with the serverAuth extendedKeyUsage.
Start the client and enable it at boot; replace turing with the name of your own configuration file:

```sh
sudo systemctl start openvpn-client@turing
sudo systemctl status openvpn-client@turing
sudo systemctl enable openvpn-client@turing
```
A single OVPN profile for Windows/Android

The Windows and Android clients import only a single file, so merge the configuration and the certificates into one profile using inline blocks (paste the full contents of each PEM file in place of …):

```
remote ddns.hf.rootless.cc 1194
proto udp
connect-retry 5 60
resolv-retry infinite
nobind
dev tapovpn
keepalive 10 120
verb 3

client

cipher AES-256-GCM

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
```

The <key> block holds the private key in clear text, so the merged profile is a secret and should be copied to the device over a trusted channel and deleted from anywhere it is not needed. Note also that OpenVPN apps built on Android's VpnService API (OpenVPN Connect, OpenVPN for Android) support TUN devices only, so a bridged TAP profile like this one will not connect on Android.
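Added example (not code from the original post): a small POSIX shell script that performs this merge from the split files used above, dropping the ca, cert and key directives and appending the corresponding inline blocks. File names are passed as arguments rather than hard-coded; the usage line at the end assumes the file names from the client section.

```sh
#!/bin/sh
# Added example (not from the original post): merge a split OpenVPN client
# config plus its PEM files into one .ovpn profile with <ca>/<cert>/<key> blocks.
set -eu

# inline_block TAG FILE  -> prints <TAG> ... </TAG> around the PEM file.
# awk '1' re-emits every line with a newline, so a PEM file without a
# trailing newline still gets its closing tag on its own line.
inline_block() {
    printf '<%s>\n' "$1"
    awk '1' "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn CONF CA CERT KEY OUT  -> writes the merged profile to OUT
make_ovpn() {
    conf="$1"; ca="$2"; cert="$3"; key="$4"; out="$5"
    {
        # Keep every line except the three file-reference directives.
        # The match requires whitespace after the keyword, so "keepalive"
        # or "cert-profile" style lines are not touched.
        grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$conf"
        printf '\n'
        inline_block ca "$ca"
        inline_block cert "$cert"
        inline_block key "$key"
    } > "$out"
    chmod 600 "$out"   # the profile now contains the private key
}

# count_blocks OUT -> number of closed inline blocks in OUT (3 for a complete profile)
count_blocks() {
    grep -Ec '^</(ca|cert|key)>$' "$1"
}

# Usage with the file names from the client section:
# make_ovpn turing.conf rootCA.crt Turing.crt Turing.key turing.ovpn
```

The result keeps every other directive unchanged, so a profile generated this way behaves exactly like the split configuration in /etc/openvpn/client; only the way the certificates are supplied differs.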
Selecting IPv4 or IPv6

Use proto udp4 or proto udp6 instead of proto udp to pin the connection to one address family.