One, OpenVPN server-side configuration file details
#################################################
# Example of a server-side configuration file for OpenVPN 2.0 for multiple clients
#
# This file is used for multi-client <-> single server-side OpenVPN server-side configuration
#
# OpenVPN also supports stand-alone <-> stand-alone configurations (see the sample page on the site for more information)
#
# This configuration supports Windows or LINUX/BSD systems. Also, on Windows, remember to enclose the path in double quotes,
# and use two backslashes, for example: "C:\\Program Files\\openvpn\\config\\foo.key"
#
# ' # ' or '; ' The beginning of all is the annotation content
#################################################
#OpenVPN应该监听本机的哪些IP地址?
#该命令是可选的, if not set, all IP addresses on this computer are monitored by default.
; local a.b.c.d
# which TCP/UDP Port should OpenVPN listen to?
# If you want to run multiple OpenVPN instances on the same computer, you can use different port numbers to differentiate them.
# In addition, you need to open these ports on the firewall.
Port 1194
#OpenVPN使用TCP还是UDP协议?
;p Roto TCP
Proto UDP
# Specifies the type of communication tunnel created by OpenVPN.
# "Dev Tun" will create a routed IP tunnel,
# "Dev Tap" will create an Ethernet tunnel.
#
# If you are Ethernet bridging mode and have created a virtual interface called ' Tap0 ' to bridge the Ethernet interface in advance, you can use the ' dev tap0 '
#
# If you want to control the VPN access policy, you must create a firewall rule for the Tun/tap interface.
#
# in non-Windows systems, you can give a definite unit number, such as "Tun0".
# in Windows, you can also use ' Dev-node '.
# In most systems, VPN will not work unless you partially disable or disable the Tun/tap interface's firewall altogether.
;d EV Tap
Dev Tun
# If you want to configure multiple tunnels, you need to use the name of the TAP-WIN32 adapter in the Network connection panel (for example, "Mytap").
# in XP SP2 or later systems, you may want to selectively disable the firewall for the TAP adapter
# Typically, non-Windows systems do not require this directive.
;d Ev-node Mytap
# Set the SSL/TLS root certificate (CA), certificate (CERT), and private key (key).
# each client and server side requires their respective certificate and private key files.
# The same CA certificate file will be used by both the server side and all clients.
#
# through a series of scripts in the Easy-rsa directory, you can generate the required certificate and private key.
# Remember, server-side and per-client certificates must use unique common Name.
#
# You can also use any key management system that follows the X509 standard to generate certificates and private keys.
# OpenVPN also supports the use of a PKCS #12格式的密钥文件 (see the "PKCS12" instructions on the site's manual page for details)
CA ca.crt
Cert SERVER.CRT
Key Server.key # The file should be kept secret
# Specifies the Diffie Herman parameter.
# You can use the following name command to generate your parameters:
# OpenSSL Dhparam-out Dh1024.pem 1024
# If you're using a 2048-bit key, use 2048 to replace 1024 of them.
DH Dh1024.pem
# Set server-side mode and provide a VPN subnet for assigning IP addresses to clients from.
# in the example here, the server side itself will consume 10.8.0.1, and the rest will provide client use.
# If you are using Ethernet bridging mode, please comment out the line. For more information, see the Official manual page.
Server 10.8.0.0 255.255.255.0
# Specifies the file that is used to record the association relationship between the client and the virtual IP address.
# when the OpenVPN is restarted, the reconnected client is assigned the same virtual IP address as the previous assignment
Ifconfig-pool-persist Ipp.txt
# This directive is only for Ethernet bridging mode.
# First, you must use the operating system bridge capability to bridge the Ethernet network card interface with the tap interface.
# Then, you need to manually set the bridge interface IP address, subnet mask;
# Here, we assume the 10.8.0.4 and 255.255.255.0.
# Finally, we must specify an IP range for the subnet (for example, from 10.8.0.50 to 10.8.0.100 end) so that it can be assigned to the connected client.
# If you are not an Ethernet bridging mode, simply comment out the line instructions.
; Server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# This directive is only for Ethernet bridging mode using the DHCP proxy.
# At this point, the client will request a server-side DHCP server to obtain the IP address and DNS server address assigned to it.
#
# before that, you need to bridge the Ethernet network card interface with the tap interface first.
# Note: This directive is only for OpenVPN clients, and the tap adapter for that client needs to be bound to a DHCP client.
; Server-bridge
# Push routing information to the client to allow clients to connect to other private subnets behind the server.
# (in short, allow the client to access the other local area network where the VPN server is located)
# Remember, these private subnets will also feed the OpenVPN client's address pool (10.8.0.0/255.255.255.0) back to the OpenVPN server.
;p ush "Route 192.168.10.0 255.255.255.0"
;p ush "Route 192.168.20.0 255.255.255.0"
# Assign the specified IP address to the specified client, or there is a private subnet behind the client that wants to access the VPN.
# then you can use the CCD subdirectory for the client's configuration file.
# (in short, allow the client's local area network member to access the VPN)
# For example: Suppose there is a small subnet behind a client with a common name of "Thelonious" that wants to connect to the VPN, which is 192.168.40.128/255.255.255.248.
# First, you need to remove the comments for the following two lines of instruction:
; Client-config-dir CCD
; Route 192.168.40.128 255.255.255.248
# then create a file ccd/thelonious that contains:
# Iroute 192.168.40.128 255.255.255.248
#这样客户端所在的局域网就可以访问VPN了.
# Note that this instruction can only take effect if you are based on a route, not a bridging mode.
# For example, you use the "Dev Tun" and "server" directives.
# Another example: Suppose you want to assign a fixed IP address to the Thelonious 10.9.0.1.
# First, you need to remove the comments for the following two lines of instruction:
; Client-config-dir CCD
; Route 10.9.0.0 255.255.255.252
# then add the following directive to the file ccd/thelonious:
# Ifconfig-push 10.9.0.1 10.9.0.2
# If you want to enable different firewall access policies for different groups of clients, you can use the following two methods:
# (1) Run multiple OpenVPN daemons, each of which corresponds to a group, and the appropriate firewall rules are enabled for each process (group).
# (2) (advanced) Create a script that dynamically modifies a firewall rule that responds to a different customer.
# For more information about learn-address scripts, please refer to the Official manual page.
; learn-address./script
# If this directive is enabled, the default gateway for all clients will be redirected to the VPN, which will cause all client traffic, such as Web browsers, DNS queries, to be VPN.
# (to ensure it works, the OpenVPN server's computer may need to be connected using NAT or bridging technology between the Tun/tap interface and Ethernet)
;p ush "Redirect-gateway def1 bypass-dhcp"
# Some specific Windows network settings can be pushed to the client, such as DNS or WINS server addresses.
# The following addresses are from the public DNS server provided by opendns.com.
;p ush "Dhcp-option DNS 208.67.222.222"
;p ush "Dhcp-option DNS 208.67.220.220"
# A comment that removes the directive will allow different clients to be "visible" (allowing clients to access each other).
# By default, clients can only "see" the server. To ensure that the client sees only the server, you can also set the appropriate firewall rules on the server-side Tun/tap interface.
; client-to-client
# If multiple clients may connect using the same certificate/private key file or common name, you can cancel the comment for that directive.
# This directive is recommended for testing purposes only. For production-use environments, each client should have its own certificate and private key.
# If you don't generate the common name unique certificate/private key for each client, you can cancel the comment for that line (but not recommended).
;d UPLICATE-CN
# KeepAlive directives will cause messages similar to ping to be sent back and forth so that the server side and the client know when the other is shut down.
# ping once every 10 seconds, if no reply is received within 120 seconds, the remote connection is closed.
KeepAlive 10 120
# For additional security considerations beyond SSL/TLS, creating an "HMAC Firewall" can help protect against Dos attacks and UDP port inundation attacks.
# You can use the following command to generate:
# OpenVPN--genkey--secret Ta.key
#
# The server and each client need to have a copy of the key.
# The second parameter should be ' 0 ' on the server side and the client should be ' 1 '.
Tls-auth Ta.key 0 # The file should be kept confidential.
# Select a password encryption algorithm.
# This configuration item must also be replicated to each client configuration file.
; cipher BF-CBC # Blowfish (default)
; Cipher AES-128-CBC # AES
; Cipher DES-EDE3-CBC # Triple-des
# Enable compression on the VPN connection.
# If you have this directive enabled here, you should also enable it in each client profile.
Comp-lzo
# Maximum number of clients that allow concurrent connections
; max-clients 100
# After the initialization is done, it's a good idea to lower the OpenVPN daemon's permissions.
# This directive is limited to use in non-Windows systems.
; user Nobody
; Group Nobody
The # persistence option avoids access to some resources that are inaccessible after a reboot because of reduced user rights.
Persist-key
Persist-tun
# Output a short state file to display the current connection state, which is emptied and rewritten once every minute.
Status Openvpn-status.log
# By default, log messages are written to syslog (in Windows systems, log messages are written to the log folder in the OpenVPN installation directory if run as a service).
# You can use log or log-append to change this default.
# "Log" mode clears the log file before each boot.
# "Log-append" which is appended after the previous log content.
# You can use one of two ways (but don't use them at the same time).
; Log Openvpn.log
; Log-append Openvpn.log
# set the appropriate redundancy level (0~9) for the log file. The higher the redundancy level, the more detail the output information.
#
# 0 indicates a silent run and only fatal errors are logged.
# 4 represents a reasonable general usage.
# 5 and 6 can help debug connection errors.
# 9 indicates extreme redundancy, outputting very detailed log information.
Verb 3
# The silence of repetition information.
# only the first 20 of the information in the same category will be exported to the log file.
; Mute 20
Second, OpenVPN client-side configuration file Detailed description
##############################################
# Sample Client configuration file for OpenVPN 2.0 for multiple clients
#
# This profile can be used by multiple clients, but each client should have its own certificate and key file
#
# The suffix for this profile on Windows should be '. Ovpn ' and in the LINUX/BSD system it is '. conf '
##############################################
# Specifies that this is a client and we will get some configuration file directives from the server
Client
# In most systems, VPN will not work unless you partially disable or disable the Tun/tap interface's firewall altogether.
;d EV Tap
Dev Tun
# in Windows systems, this instruction is required if you want to configure multiple tunnels.
# You need to use the name of the TAP-WIN32 adapter in the Network connection panel (for example, "Mytap").
# in XP SP2 or later systems, you may need to disable the firewall for the tap adapter.
;d Ev-node Mytap
# Specifies whether the connected server uses TCP or UDP protocol.
# Here you need to use the same settings as the server side.
;p Roto TCP
Proto UDP
# Specifies the host name (or IP) of the server and the port number.
# If you have multiple VPN servers, you can set up multiple remote commands to achieve load balancing.
Remote My-server-1 1194
; Remote My-server-2 1194
# If multiple remote directives are specified, enabling the directive will randomly connect one of the servers.
# Otherwise, the client will attempt to connect to the server in the order specified.
; remote-random
# enable this directive to automatically reconnect when a connection to a server is interrupted, which is useful in the event of a network instability (for example, a portable computer wireless network).
Resolv-retry Infinite
# Most clients do not need to bind the machine-specific port number
Nobind
# after initialization, reduce OpenVPN permissions (this directive is limited to non-Windows systems)
; user Nobody
; Group Nobody
The # persistence option avoids access to certain resources that are inaccessible as a result of user rights degradation during a reboot.
Persist-key
Persist-tun
# If you are connecting to the actual VPN server through an HTTP proxy, specify the host name (or IP) and port number of the proxy server here.
# If your proxy server requires identity authentication, please refer to the Official manual page.
; http-proxy-retry # Auto Retry when connection fails
; http-proxy [Proxy Server] [proxy port #]
# Wireless networks typically produce a large number of duplicate packets. Setting this identity ignores warning messages for duplicate packets.
; mute-replay-warnings
# SSL/TLS parameter configuration.
# For more information please refer to the server-side configuration file.
# It is best to allocate. crt/.key file pairs separately for each client.
# A single CA certificate can be used by all clients.
CA ca.crt
Cert CLIENT.CRT
Key Client.key
# Specifies that the server-side certificate is validated by checking whether the Nscerttype field of the certificate is "server".
# This is an important measure to prevent potential attacks.
#
# To use this feature, you need to set the Nscerttype field to "server" when generating the server-side certificate
# The Build-key-server script file in the Easy-rsa folder can be used for that purpose.
Ns-cert-type Server
# If the server side uses the Tls-auth key, then each client should also have the key.
; Tls-auth Ta.key 1
# Specifies the encryption algorithm for the password.
# If the cipher directive option is enabled on the server side, you must also specify it here.
; cipher x
# Enable compression in VPN connection.
# The Enable/disable for this directive should be consistent with the server side.
Comp-lzo
# Set the log file redundancy level (0~9).
# 0 indicates a silent run and only fatal errors are logged.
# 4 represents a reasonable general usage.
# 5 and 6 can help debug connection errors.
# 9 indicates extreme redundancy, outputting very detailed log information.
Verb 3
# Ignore too much duplicate information.
# only the first 20 of the information in the same category will be exported to the log file.
; Mute 20