Differences
| zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 05:02] – [1. 准备工作] yodo | zh:docs:guide-user:services:vpn:openvpn:server [2022/05/27 05:36] – [OpenVPN 服务器] yodo | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| ====== OpenVPN 服务器 ====== | ====== OpenVPN 服务器 ====== | ||
| - | {{section> | + | {{section> |
| ===== 简介 ===== | ===== 简介 ===== | ||
| Line 9: | Line 9: | ||
| ===== 目标 ===== | ===== 目标 ===== | ||
| - | {{section> | + | {{section> |
| ===== 实现过程(命令、配置) ===== | ===== 实现过程(命令、配置) ===== | ||
| Line 51: | Line 51: | ||
| </ | </ | ||
| ==== 2. 证书体系建立 ==== | ==== 2. 证书体系建立 ==== | ||
| - | Use [[https:// | + | 使用 |
| - | Utilize private key password protection if necessary. | + | 如有必要,可使用私钥密码保护。 |
| <code bash> | <code bash> | ||
| - | # Configuration parameters | + | # 配置参数 |
| export EASYRSA_PKI=" | export EASYRSA_PKI=" | ||
| export EASYRSA_REQ_CN=" | export EASYRSA_REQ_CN=" | ||
| Line 61: | Line 61: | ||
| export EASYRSA_CERT_EXPIRE=" | export EASYRSA_CERT_EXPIRE=" | ||
| - | # Remove and re-initialize | + | # 清空,并初始化 |
| easyrsa init-pki | easyrsa init-pki | ||
| - | # Generate | + | # 生成 |
| easyrsa gen-dh | easyrsa gen-dh | ||
| - | # Create a new CA | + | # 新建 |
| easyrsa build-ca nopass | easyrsa build-ca nopass | ||
| - | # Generate server keys and certificate | + | # 生成服务器秘钥和证书 |
| easyrsa build-server-full server nopass | easyrsa build-server-full server nopass | ||
| openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/ | ||
| - | # Generate client keys and certificate | + | # 生成客户端秘钥和证书 |
| easyrsa build-client-full client nopass | easyrsa build-client-full client nopass | ||
| openvpn --tls-crypt-v2 ${EASYRSA_PKI}/ | openvpn --tls-crypt-v2 ${EASYRSA_PKI}/ | ||
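Review bot: the translated comments on the `easyrsa build-server-full` and `easyrsa build-client-full` lines use 秘钥, but the standard term for a cryptographic key is 密钥, so they should read "# 生成服务器密钥和证书" and "# 生成客户端密钥和证书". Separately, the sentence "如有必要,可使用私钥密码保护。" sits directly above a block in which `build-ca`, `build-server-full` and `build-client-full` all pass `nopass`, so the reader is never told how to actually obtain a passphrase-protected key; a short clause noting that omitting `nopass` (at the very least on `easyrsa build-ca`, whose private key signs every other certificate in this PKI) is what turns the protection on would close that gap. Finally, the halfwidth commas in "如有必要,可使用" and "# 清空,并初始化" should be fullwidth (,) to match the punctuation used elsewhere in the Chinese text.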
| Line 81: | Line 81: | ||
| ==== 3. 防火墙设置 ==== | ==== 3. 防火墙设置 ==== | ||
| - | Consider | + | 将 VPN 网络视为私有网络。 |
| - | Assign | + | 将 VPN 接口 tun+ 分配给防火墙 |
| - | Allow access to VPN server from WAN zone. | + | 允许从 WAN 区域访问 |
| <code bash> | <code bash> | ||
| - | # Configure firewall | + | # 配置防火墙 |
| uci rename firewall.@zone[0]=" | uci rename firewall.@zone[0]=" | ||
| uci rename firewall.@zone[1]=" | uci rename firewall.@zone[1]=" | ||