代码之源 2015-08-03
虚拟专用网(VPN)常指几种通过其它网络建立连接技术。它之所以被称为“虚拟”,是因为各个节点间的连接不是通过物理线路实现的,而“专用”是指如果没有网络所有者的正确授权是不能被公开访问到。
OpenVPN软件借助TUN/TAP驱动使用TCP和UDP协议来传输数据。UDP协议和TUN驱动允许NAT后的用户建立到OpenVPN服务器的连接。此外,OpenVPN允许指定自定义端口。它提供了更多的灵活配置,可以帮助你避免防火墙限制。
OpenVPN中,由OpenSSL库和传输层安全协议(TLS)提供了安全和加密。TLS是SSL协议的一个改进版本。
OpenSSL提供了两种加密方法:对称和非对称。下面,我们展示了如何配置OpenVPN的服务器端,以及如何配置使用带有公共密钥基础结构(PKI)的非对称加密和TLS协议。
首先,我们必须安装OpenVPN软件。在Ubuntu 15.04和其它带有‘apt’包管理器的Unix系统中,可以通过如下命令安装:
<span class="pln">sudo apt</span><span class="pun">-</span><span class="kwd">get</span><span class="pln"> install openvpn</span>
然后,我们必须配置一个密钥对,这可以通过默认的“openssl”工具完成。但是,这种方式十分难。这也是我们使用“easy-rsa”来实现此目的的原因。接下来的命令会将“easy-rsa”安装到系统中。
<span class="pln">sudo apt</span><span class="pun">-</span><span class="kwd">get</span><span class="pln"> unstall easy</span><span class="pun">-</span><span class="pln">rsa</span>
注意: 所有接下来的命令要以超级用户权限执行,如在使用sudo -i
命令后执行,或者你可以使用sudo -E
作为接下来所有命令的前缀。
开始之前,我们需要拷贝“easy-rsa”到openvpn文件夹。
<span class="pln">mkdir </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa</span>
<span class="pln">cp </span><span class="pun">-</span><span class="pln">r </span><span class="pun">/</span><span class="pln">usr</span><span class="pun">/</span><span class="pln">share</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa</span>
<span class="pln">mv </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa</span><span class="pun">/</span><span class="lit">2.0</span>
然后进入到该目录
<span class="pln">cd </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa</span><span class="pun">/</span><span class="lit">2.0</span>
这里,我们开始密钥生成进程。
首先,我们编辑一个“vars”文件。为了简化生成过程,我们需要在里面指定数据。这里是“vars”文件的一个样例:
<span class="kwd">export</span><span class="pln"> KEY_COUNTRY</span><span class="pun">=</span><span class="str">"CN"</span>
<span class="kwd">export</span><span class="pln"> KEY_PROVINCE</span><span class="pun">=</span><span class="str">"BJ"</span>
<span class="kwd">export</span><span class="pln"> KEY_CITY</span><span class="pun">=</span><span class="str">"Beijing"</span>
<span class="kwd">export</span><span class="pln"> KEY_ORG</span><span class="pun">=</span><span class="str">"Linux.CN"</span>
<span class="kwd">export</span><span class="pln"> KEY_EMAIL</span><span class="pun">=</span><span class="str">"[email protected]"</span>
<span class="kwd">export</span><span class="pln"> KEY_OU</span><span class="pun">=</span><span class="pln">server</span>
希望这些字段名称对你而言已经很清楚,不需要进一步说明了。
其次,我们需要拷贝openssl配置。另外一个版本已经有现成的配置文件,如果你没有特定要求,你可以使用它的上一个版本。这里是1.0.0版本。
<span class="pln">cp openssl</span><span class="pun">-</span><span class="lit">1.0</span><span class="pun">.</span><span class="lit">0.cnf</span><span class="pln"> openssl</span><span class="pun">.</span><span class="pln">cnf</span>
第三,我们需要加载环境变量,这些变量已经在前面一步中编辑好了。
<span class="pln">source </span><span class="pun">./</span><span class="pln">vars</span>
生成密钥的最后一步准备工作是清空旧的证书和密钥,以及生成新密钥的序列号和索引文件。可以通过以下命令完成。
<span class="pun">./</span><span class="pln">clean</span><span class="pun">-</span><span class="pln">all</span>
现在,我们完成了准备工作,准备好启动生成进程了。让我们先来生成证书。
<span class="pun">./</span><span class="pln">build</span><span class="pun">-</span><span class="pln">ca</span>
在对话中,我们可以看到默认的变量,这些变量是我们先前在“vars”中指定的。我们可以检查一下,如有必要进行编辑,然后按回车几次。对话如下
<span class="typ">Generating</span><span class="pln"> a </span><span class="lit">2048</span><span class="pln"> bit RSA </span><span class="kwd">private</span><span class="pln"> key</span>
<span class="pun">.............................................+++</span>
<span class="pun">...................................................................................................+++</span>
<span class="pln">writing </span><span class="kwd">new</span><span class="kwd">private</span><span class="pln"> key to </span><span class="str">'ca.key'</span>
<span class="pun">-----</span>
<span class="typ">You</span><span class="pln"> are about to be asked to enter information that will be incorporated</span>
<span class="kwd">into</span><span class="pln"> your certificate request</span><span class="pun">.</span>
<span class="typ">What</span><span class="pln"> you are about to enter </span><span class="kwd">is</span><span class="pln"> what </span><span class="kwd">is</span><span class="pln"> called a </span><span class="typ">Distinguished</span><span class="typ">Name</span><span class="kwd">or</span><span class="pln"> a DN</span><span class="pun">.</span>
<span class="typ">There</span><span class="pln"> are quite a few fields but you can leave some blank</span>
<span class="typ">For</span><span class="pln"> some fields there will be a </span><span class="kwd">default</span><span class="pln"> value</span><span class="pun">,</span>
<span class="typ">If</span><span class="pln"> you enter </span><span class="str">'.'</span><span class="pun">,</span><span class="pln"> the field will be left blank</span><span class="pun">.</span>
<span class="pun">-----</span>
<span class="typ">Country</span><span class="typ">Name</span><span class="pun">(</span><span class="lit">2</span><span class="pln"> letter code</span><span class="pun">)</span><span class="pun">[</span><span class="pln">CN</span><span class="pun">]:</span>
<span class="typ">State</span><span class="kwd">or</span><span class="typ">Province</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">full name</span><span class="pun">)</span><span class="pun">[</span><span class="pln">BJ</span><span class="pun">]:</span>
<span class="typ">Locality</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> city</span><span class="pun">)</span><span class="pun">[</span><span class="typ">Beijing</span><span class="pun">]:</span>
<span class="typ">Organization</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> company</span><span class="pun">)</span><span class="pun">[</span><span class="typ">Linux</span><span class="pun">.</span><span class="pln">CN</span><span class="pun">]:</span>
<span class="typ">Organizational</span><span class="typ">Unit</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> section</span><span class="pun">)</span><span class="pun">[</span><span class="typ">Tech</span><span class="pun">]:</span>
<span class="typ">Common</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> your name </span><span class="kwd">or</span><span class="pln"> your server</span><span class="str">'s hostname) [Linux.CN CA]:</span>
<span class="str">Name [EasyRSA]:</span>
<span class="str">Email Address [[email protected]]:</span>
接下来,���们需要生成一个服务器密钥
<span class="pun">./</span><span class="pln">build</span><span class="pun">-</span><span class="pln">key</span><span class="pun">-</span><span class="pln">server server</span>
该命令的对话如下:
<span class="typ">Generating</span><span class="pln"> a </span><span class="lit">2048</span><span class="pln"> bit RSA </span><span class="kwd">private</span><span class="pln"> key</span>
<span class="pun">........................................................................+++</span>
<span class="pun">............................+++</span>
<span class="pln">writing </span><span class="kwd">new</span><span class="kwd">private</span><span class="pln"> key to </span><span class="str">'server.key'</span>
<span class="pun">-----</span>
<span class="typ">You</span><span class="pln"> are about to be asked to enter information that will be incorporated</span>
<span class="kwd">into</span><span class="pln"> your certificate request</span><span class="pun">.</span>
<span class="typ">What</span><span class="pln"> you are about to enter </span><span class="kwd">is</span><span class="pln"> what </span><span class="kwd">is</span><span class="pln"> called a </span><span class="typ">Distinguished</span><span class="typ">Name</span><span class="kwd">or</span><span class="pln"> a DN</span><span class="pun">.</span>
<span class="typ">There</span><span class="pln"> are quite a few fields but you can leave some blank</span>
<span class="typ">For</span><span class="pln"> some fields there will be a </span><span class="kwd">default</span><span class="pln"> value</span><span class="pun">,</span>
<span class="typ">If</span><span class="pln"> you enter </span><span class="str">'.'</span><span class="pun">,</span><span class="pln"> the field will be left blank</span><span class="pun">.</span>
<span class="pun">-----</span>
<span class="typ">Country</span><span class="typ">Name</span><span class="pun">(</span><span class="lit">2</span><span class="pln"> letter code</span><span class="pun">)</span><span class="pun">[</span><span class="pln">CN</span><span class="pun">]:</span>
<span class="typ">State</span><span class="kwd">or</span><span class="typ">Province</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">full name</span><span class="pun">)</span><span class="pun">[</span><span class="pln">BJ</span><span class="pun">]:</span>
<span class="typ">Locality</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> city</span><span class="pun">)</span><span class="pun">[</span><span class="typ">Beijing</span><span class="pun">]:</span>
<span class="typ">Organization</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> company</span><span class="pun">)</span><span class="pun">[</span><span class="typ">Linux</span><span class="pun">.</span><span class="pln">CN</span><span class="pun">]:</span>
<span class="typ">Organizational</span><span class="typ">Unit</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> section</span><span class="pun">)</span><span class="pun">[</span><span class="typ">Tech</span><span class="pun">]:</span>
<span class="typ">Common</span><span class="typ">Name</span><span class="pun">(</span><span class="pln">eg</span><span class="pun">,</span><span class="pln"> your name </span><span class="kwd">or</span><span class="pln"> your server</span><span class="str">'s hostname) [Linux.CN server]:</span>
<span class="str">Name [EasyRSA]:</span>
<span class="str">Email Address [[email protected]]:</span>
<span class="str">Please enter the following '</span><span class="pln">extra</span><span class="str">' attributes</span>
<span class="str">to be sent with your certificate request</span>
<span class="str">A challenge password []:</span>
<span class="str">An optional company name []:</span>
<span class="str">Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf</span>
<span class="str">Check that the request matches the signature</span>
<span class="str">Signature ok</span>
<span class="str">The Subject'</span><span class="pln">s </span><span class="typ">Distinguished</span><span class="typ">Name</span><span class="kwd">is</span><span class="kwd">as</span><span class="pln"> follows</span>
<span class="pln">countryName </span><span class="pun">:</span><span class="pln">PRINTABLE</span><span class="pun">:</span><span class="str">'CN'</span>
<span class="pln">stateOrProvinceName </span><span class="pun">:</span><span class="pln">PRINTABLE</span><span class="pun">:</span><span class="str">'BJ'</span>
<span class="pln">localityName </span><span class="pun">:</span><span class="pln">PRINTABLE</span><span class="pun">:</span><span class="str">'Beijing'</span>
<span class="pln">organizationName </span><span class="pun">:</span><span class="pln">PRINTABLE</span><span class="pun">:</span><span class="str">'Linux.CN'</span>
<span class="pln">organizationalUnitName</span><span class="pun">:</span><span class="pln">PRINTABLE</span><span class="pun">:</span><span class="str">'Tech'</span>
<span class="pln">commonName </span><span class="pun">:</span><span class="pln">PRINTABLE</span><span class="pun">:</span><span class="str">'Linux.CN server'</span>
<span class="pln">name </span><span class="pun">:</span><span class="pln">PRINTABLE</span><span class="pun">:</span><span class="str">'EasyRSA'</span>
<span class="pln">emailAddress </span><span class="pun">:</span><span class="pln">IA5STRING</span><span class="pun">:</span><span class="str">'[email protected]'</span>
<span class="typ">Certificate</span><span class="kwd">is</span><span class="pln"> to be certified </span><span class="kwd">until</span><span class="typ">May</span><span class="lit">22</span><span class="lit">19</span><span class="pun">:</span><span class="lit">00</span><span class="pun">:</span><span class="lit">25</span><span class="lit">2025</span><span class="pln"> GMT </span><span class="pun">(</span><span class="lit">3650</span><span class="pln"> days</span><span class="pun">)</span>
<span class="typ">Sign</span><span class="pln"> the certificate</span><span class="pun">?</span><span class="pun">[</span><span class="pln">y</span><span class="pun">/</span><span class="pln">n</span><span class="pun">]:</span><span class="pln">y</span>
<span class="lit">1</span><span class="kwd">out</span><span class="pln"> of </span><span class="lit">1</span><span class="pln"> certificate requests certified</span><span class="pun">,</span><span class="pln"> commit</span><span class="pun">?</span><span class="pun">[</span><span class="pln">y</span><span class="pun">/</span><span class="pln">n</span><span class="pun">]</span><span class="pln">y</span>
<span class="typ">Write</span><span class="kwd">out</span><span class="pln"> database </span><span class="kwd">with</span><span class="lit">1</span><span class="kwd">new</span><span class="pln"> entries</span>
<span class="typ">Data</span><span class="typ">Base</span><span class="typ">Updated</span>
这里,最后两个关于“签署证书”和“提交”的问题,我们必须回答“yes”。
现在,我们已经有了证书和服务器密钥。下一步,就是去省城Diffie-Hellman密钥。执行以下命令,耐心等待。在接下来的几分钟内,我们将看到许多点和加号。
<span class="pun">./</span><span class="pln">build</span><span class="pun">-</span><span class="pln">dh</span>
该命令的输出样例如下
<span class="typ">Generating</span><span class="pln"> DH parameters</span><span class="pun">,</span><span class="lit">2048</span><span class="pln"> bit </span><span class="kwd">long</span><span class="pln"> safe prime</span><span class="pun">,</span><span class="pln"> generator </span><span class="lit">2</span>
<span class="typ">This</span><span class="kwd">is</span><span class="pln"> going to take a </span><span class="kwd">long</span><span class="pln"> time</span>
<span class="pun">................................+................<许多的点></span>
在漫长的等待之后,我们可以继续生成最后的密钥了,该密钥用于TLS验证。命令如下:
<span class="pln">openvpn </span><span class="pun">--</span><span class="pln">genkey </span><span class="pun">--</span><span class="pln">secret keys</span><span class="pun">/</span><span class="pln">ta</span><span class="pun">.</span><span class="pln">key</span>
现在,生成完毕,我们可以移动所有生成的文件到最后的位置中。
<span class="pln">cp </span><span class="pun">-</span><span class="pln">r </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa</span><span class="pun">/</span><span class="lit">2.0</span><span class="pun">/</span><span class="pln">keys</span><span class="str">/ /</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span>
最后,我们来创建OpenVPN配置文件。让我们从样例中拷贝过来吧:
<span class="pln">cp </span><span class="pun">/</span><span class="pln">usr</span><span class="pun">/</span><span class="pln">share</span><span class="pun">/</span><span class="pln">doc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">examples</span><span class="pun">/</span><span class="pln">sample</span><span class="pun">-</span><span class="pln">config</span><span class="pun">-</span><span class="pln">files</span><span class="pun">/</span><span class="pln">server</span><span class="pun">.</span><span class="pln">conf</span><span class="pun">.</span><span class="pln">gz </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span>
<span class="pln">cd </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span>
<span class="pln">gunzip </span><span class="pun">-</span><span class="pln">d </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">server</span><span class="pun">.</span><span class="pln">conf</span><span class="pun">.</span><span class="pln">gz</span>
然后编辑
<span class="pln">vim </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">server</span><span class="pun">.</span><span class="pln">conf</span>
我们需要指定密钥的自定义路径
<span class="pln">ca </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">ca</span><span class="pun">.</span><span class="pln">crt</span>
<span class="pln">cert </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">server</span><span class="pun">.</span><span class="pln">crt</span>
<span class="pln">key </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">server</span><span class="pun">.</span><span class="pln">key </span><span class="com"># This file should be kept secret</span>
<span class="pln">dh </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">dh2048</span><span class="pun">.</span><span class="pln">pem</span>
一切就绪。在重启OpenVPN后,服务器端配置就完成了。
<span class="pln">service openvpn restart</span>
假定我们有一台装有类Unix操作系统的设备,比如Ubuntu 15.04,并安装有OpenVPN。我们想要连接到前面建立的OpenVPN服务器。首先,我们需要为客户端生成密钥。为了生成该密钥,请转到服务器上的对应目录中:
<span class="pln">cd </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">easy</span><span class="pun">-</span><span class="pln">rsa</span><span class="pun">/</span><span class="lit">2.0</span>
加载环境变量
<span class="pln">source vars</span>
然后创建客户端密钥
./build-key client
我们将看到一个与先前关于服务器密钥生成部分的章节描述一样的对话,填入客户端的实际信息。
如果需要密码保护密钥,你需要运行另外一个命令,命令如下
<span class="pun">./</span><span class="pln">build</span><span class="pun">-</span><span class="pln">key</span><span class="pun">-</span><span class="kwd">pass</span><span class="pln"> client</span>
在此种情况下,在建立VPN连接时,会提示你输入密码。
现在,我们需要将以下文件从服务器拷贝到客户端/etc/openvpn/keys/���件夹。
服务器文件列表:
在此之后,我们转到客户端,准备配置文件。配置文件位于/etc/openvpn/client.conf,内容如下
<span class="pln">dev tun</span>
<span class="pln">proto udp</span>
<span class="com"># 远程 OpenVPN 服务器的 IP 和 端口号</span>
<span class="pln">remote </span><span class="lit">111.222</span><span class="pun">.</span><span class="lit">333.444</span><span class="lit">1194</span>
<span class="pln">resolv</span><span class="pun">-</span><span class="kwd">retry</span><span class="pln"> infinite</span>
<span class="pln">ca </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">ca</span><span class="pun">.</span><span class="pln">crt</span>
<span class="pln">cert </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">client</span><span class="pun">.</span><span class="pln">crt</span>
<span class="pln">key </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">client</span><span class="pun">.</span><span class="pln">key</span>
<span class="pln">tls</span><span class="pun">-</span><span class="pln">client</span>
<span class="pln">tls</span><span class="pun">-</span><span class="pln">auth </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">/</span><span class="pln">keys</span><span class="pun">/</span><span class="pln">ta</span><span class="pun">.</span><span class="pln">key </span><span class="lit">1</span>
<span class="pln">auth SHA1</span>
<span class="pln">cipher BF</span><span class="pun">-</span><span class="pln">CBC</span>
<span class="pln">remote</span><span class="pun">-</span><span class="pln">cert</span><span class="pun">-</span><span class="pln">tls server</span>
<span class="pln">comp</span><span class="pun">-</span><span class="pln">lzo</span>
<span class="pln">persist</span><span class="pun">-</span><span class="pln">key</span>
<span class="pln">persist</span><span class="pun">-</span><span class="pln">tun</span>
<span class="pln">status openvpn</span><span class="pun">-</span><span class="pln">status</span><span class="pun">.</span><span class="pln">log</span>
<span class="pln">log </span><span class="pun">/</span><span class="kwd">var</span><span class="pun">/</span><span class="pln">log</span><span class="pun">/</span><span class="pln">openvpn</span><span class="pun">.</span><span class="pln">log</span>
<span class="pln">verb </span><span class="lit">3</span>
<span class="pln">mute </span><span class="lit">20</span>
在此之后,我们需要重启OpenVPN以接受新配置。
<span class="pln">service openvpn restart</span>
好了,客户端配置完成。
安卓设备上的OpenVPN配置和Unix系统上的十分类似,我们需要一个含有配置文件、密钥和证书的包。文件列表如下:
客户端密钥生成方式和先前章节所述的一样。
配置文件内容如下
<span class="pln">client tls</span><span class="pun">-</span><span class="pln">client</span>
<span class="pln">dev tun</span>
<span class="pln">proto udp</span>
<span class="com"># 远程 OpenVPN 服务器的 IP 和 端口号</span>
<span class="pln">remote </span><span class="lit">111.222</span><span class="pun">.</span><span class="lit">333.444</span><span class="lit">1194</span>
<span class="pln">resolv</span><span class="pun">-</span><span class="kwd">retry</span><span class="pln"> infinite</span>
<span class="pln">nobind</span>
<span class="pln">ca ca</span><span class="pun">.</span><span class="pln">crt</span>
<span class="pln">cert client</span><span class="pun">.</span><span class="pln">crt</span>
<span class="pln">key client</span><span class="pun">.</span><span class="pln">key</span>
<span class="pln">dh dh2048</span><span class="pun">.</span><span class="pln">pem</span>
<span class="pln">persist</span><span class="pun">-</span><span class="pln">tun</span>
<span class="pln">persist</span><span class="pun">-</span><span class="pln">key</span>
<span class="pln">verb </span><span class="lit">3</span>
<span class="pln">mute </span><span class="lit">20</span>
所有这些文件我们必须移动我们设备的SD卡上。
然后,我们需要安装一个OpenVPN Connect 应用。
接下来,配置过程很是简单:
搞定。现在,我们的安卓设备已经通过安全的VPN连接连接到我们的专用网。
虽然OpenVPN初始配置花费不少时间,但是简易的客户端配置为我们弥补了时间上的损失,也提供了从任何设备连接的能力。此外,OpenVPN提供了一个很高的安全等级,以及从不同地方连接的能力,包括位于NAT后面的客户端。因此,OpenVPN可以同时在家和企业中使用。
via: http://linoxide.com/ubuntu-how-to/configure-openvpn-server-client-ubuntu-15-04/
作者:Ivan Zabrovskiy 译者:GOLinux 校对:wxy