Differences

This shows you the differences between two versions of the page.

zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 05:02] – [1. 准备工作] yodo
zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 05:36] – [OpenVPN 服务器] yodo
Line 2: Line 2:
  
 ====== OpenVPN 服务器 ====== ====== OpenVPN 服务器 ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>zh:meta:infobox:howto_links#CLI命令技能&noheader&nofooter&noeditbutton}}
  
 ===== 简介 ===== ===== 简介 =====
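Review bot: the include on the + side now targets the anchor `#CLI命令技能` in `zh:meta:infobox:howto_links`, so it resolves only while that zh page carries a heading with exactly this text. Confirm the target page and heading exist before merging, and keep the heading text stable afterwards, since the old ASCII anchor `#cli_skills` no longer applies.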
Line 9: Line 9:
  
 ===== 目标 ===== ===== 目标 =====
-{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}+{{section>zh:docs:guide-user:services:vpn:wireguard:server#目标&noheader&nofooter&noeditbutton}}
  
 ===== 实现过程(命令、配置) ===== ===== 实现过程(命令、配置) =====
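Review bot: the goals section on the + side is pulled from `zh:docs:guide-user:services:vpn:wireguard:server#目标`, which ties this page to the translation state of the WireGuard page. Check that the zh WireGuard page already has a heading named exactly "目标"; if it is still untranslated or uses a different heading, this section will not pick up the goals text.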
Line 51: Line 51:
 </code> </code>
 ==== 2. 证书体系建立 ==== ==== 2. 证书体系建立 ====
-Use [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] to manage the PKI. +使用 [[https://github.com/OpenVPN/easy-rsa#overview|EasyRSA]] 管理 PKI 体系
-Utilize private key password protection if necessary.+如有必要,可使用私钥密码保护。
  
 <code bash> <code bash>
-Configuration parameters+配置参数
 export EASYRSA_PKI="${OVPN_PKI}" export EASYRSA_PKI="${OVPN_PKI}"
 export EASYRSA_REQ_CN="ovpnca" export EASYRSA_REQ_CN="ovpnca"
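Review bot: the first translated sentence, "使用 … EasyRSA 管理 PKI 体系", loses the sentence-ending punctuation that the English line had, while the following line ends with "。". Add "。" so the two sentences do not run together when the wiki joins them into one paragraph.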
Line 61: Line 61:
 export EASYRSA_CERT_EXPIRE="3650" # Increases the client cert expiry from the default of 825 days to match the CA expiry export EASYRSA_CERT_EXPIRE="3650" # Increases the client cert expiry from the default of 825 days to match the CA expiry
  
-Remove and re-initialize PKI directory+清空,并初始化 PKI 目录
 easyrsa init-pki easyrsa init-pki
  
-Generate DH parameters+生成 DH 参数
 easyrsa gen-dh easyrsa gen-dh
  
-Create a new CA+新建 CA
 easyrsa build-ca nopass easyrsa build-ca nopass
  
-Generate server keys and certificate+生成服务器秘钥和证书
 easyrsa build-server-full server nopass easyrsa build-server-full server nopass
 openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem
  
-Generate client keys and certificate+生成客户端秘钥和证书
 easyrsa build-client-full client nopass easyrsa build-client-full client nopass
 openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \ openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
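Review bot: the two comments "生成服务器秘钥和证书" and "生成客户端秘钥和证书" use "秘钥", whereas the prose in section 2 uses "私钥" and the usual term for "keys" is "密钥"; pick one term and use it throughout. The trailing comment on the `EASYRSA_CERT_EXPIRE="3650"` line is still in English on the zh side and should be translated with the rest. Since `build-ca`, `build-server-full` and `build-client-full` are all called with `nopass`, a short translated remark that this argument must be dropped to get the private key password protection mentioned above would make the hint actionable.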
Line 81: Line 81:
  
 ==== 3. 防火墙设置 ==== ==== 3. 防火墙设置 ====
-Consider VPN network as private. +将 VPN 网络视为私有网络。 
-Assign VPN interface to LAN zone to minimize firewall setup. +将 VPN 接口 tun+ 分配给防火墙 LAN 区域的涵盖设备,以最小化防火墙设置。 
-Allow access to VPN server from WAN zone. +允许从 WAN 区域访问 VPN 服务器。
 <code bash> <code bash>
-Configure firewall+配置防火墙
 uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[0]="lan"
 uci rename firewall.@zone[1]="wan" uci rename firewall.@zone[1]="wan"
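Review bot: the second translated sentence adds details that are not in the English source, namely the interface name "tun+" and "涵盖设备" (covered devices), where the original only says "Assign VPN interface to LAN zone". Either keep the translation in step with the source or verify that the commands following the two `uci rename` lines really add `tun+` to the LAN zone's device list, which is not visible in this hunk. Because this choice gives VPN clients the same firewall trust as LAN hosts, the wording should stay precise.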
  • Last modified: 2022/10/27 18:35
  • by vgaetera