ilanni: OpenVPN configuration file details
This document was produced with friendship sponsorship from Xiuyi Lin Feng and was first published on The World.
In the previous article "Build an OpenVPN server on Ubuntu 14.04", we mainly explained how to build and use openvpn. In this article, we describe the openvpn configuration files in detail.
The openvpn configuration files are vars, server.conf and client.conf. The three files are described one by one below.
1. vars configuration file
The main content of the vars configuration file is as follows:
cat vars | grep -vE "^#|^$"
KEY_DIR defines the directory in which the generated keys are stored.
KEY_SIZE defines the size of the generated private key, generally 1024 or 2048. The default is 2048 bits, and this value is also what the build-dh command uses when it generates the dh2048 file.
CA_EXPIRE defines the validity period of the CA certificate. The default is 3650 days, that is, 10 years.
KEY_EXPIRE defines the key validity period. The default is 3650 days, that is, 10 years.
KEY_COUNTRY defines the country.
KEY_PROVINCE defines the province.
KEY_CITY defines the city.
KEY_ORG defines the organization.
KEY_EMAIL defines the email address.
KEY_OU defines the organizational unit.
KEY_NAME defines the name of the openvpn server.
That is all the content of the vars configuration file. The default values can also be used as they are.
2. server.conf server configuration file
The server configuration file server.conf is the most important of the three. All the information pushed to the openvpn client is configured through this file.
grep -vE "^#|^$" server.conf
;local a.b.c.d
Defines the IP address on which openvpn listens. If the server has a single network card this can be left unspecified; if the server has multiple network cards, it is recommended to specify it.
port 1194
Defines the port on which openvpn listens. The default port is 1194.
proto tcp
;proto udp
Defines the protocol used by openvpn. UDP is used by default. For a production environment, we recommend using TCP.
dev tun
;dev tap
Defines the mode in which openvpn runs. openvpn has two modes: tap mode and tun mode.
The tap mode is bridge mode. A tap device is created in software; it is a layer 2 device and carries link-layer protocols.
The tun mode is routing mode. A tun device is created in software; it is a point-to-point device at the IP layer.
Which mode to use should be decided based on your business requirements.
ca ca.crt
Defines the CA certificate file used by openvpn. This file is generated with the build-ca command. The CA certificate is mainly used to verify the legitimacy of client certificates.
cert vpnilanni.crt
Defines the certificate file used by the openvpn server.
key vpnilanni.key
Defines the private key file used by the openvpn server. Access to this file must be strictly controlled.
dh dh2048.pem
Defines the Diffie-Hellman parameter file.
server 10.8.0.0 255.255.255.0
Defines the IP address segment allocated to clients when openvpn uses tun routing mode.
ifconfig-pool-persist ipp.txt
Records the mapping between clients and their virtual IP addresses, so that when openvpn is restarted a reconnecting client is assigned the same IP address it had before.
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
Defines the IP address segment allocated to clients when openvpn uses tap bridge mode.
;push "route 192.168.10.0 255.255.255.0"
Route information pushed to the client. If the client IP address is 10.8.0.2 and it needs to access the 192.168.10.0 network segment, use this command.
;client-config-dir ccd
This command allows a fixed IP address to be assigned to a specific client.
Create a ccd directory under /etc/openvpn/ and, inside it, a file named after the client. For example, to set the client ilanni to 10.8.0.100, the file /etc/openvpn/ccd/ilanni only needs to contain the following line:
ifconfig-push 10.8.0.200 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
This command redirects the client's default gateway so that all of its traffic is sent through the VPN.
;push "dhcp-option DNS 208.67.222.222"
DNS server information pushed to the client.
If the client IP address is 10.8.0.2 and it needs to access the 192.168.10.0 network segment, use the push route command. If several network segments are needed, the push "route ..." keyword may appear multiple times. This also needs to be combined with iptables rules on the server.
client-to-client
This command allows clients to access each other. By default, clients cannot access each other.
duplicate-cn
Defines whether multiple clients are allowed to connect with the same openvpn certificate at the same time. It is not enabled by default.
keepalive 10 120
Defines the keepalive behaviour for active connections.
comp-lzo
Enables data compression. This must also be set in the client configuration file.
max-clients 100
Defines the maximum number of concurrent client connections.
;user nobody
;group nogroup
Defines the user and group under which openvpn runs.
persist-key
After a keepalive timeout the VPN is restarted without re-reading the keys; the keys read at first start-up are kept.
persist-tun
After a keepalive timeout the VPN is restarted while keeping the tun or tap device up. Otherwise the device would go down and then come up again.
status openvpn-status.log
Writes openvpn status information, such as the IP addresses obtained by clients, to a file.
log openvpn.log
Records the log, truncating the existing log each time openvpn is restarted. The log location can be customized; by default it is in the /etc/openvpn/ directory.
;log-append openvpn.log
Records the log, appending to the existing log each time openvpn is restarted.
verb 3
Sets the log verbosity level.
;mute 20
Limits repeated log messages.
That is the content of the server.conf configuration file on the openvpn server.
3. client.conf client configuration file
The configuration file client.conf of the openvpn client is simple, as follows:
grep -vE "^#|^;|^$" client.ovpn
client
Defines this side as a client that pulls its configuration, such as the IP address and route information, from the server. The server pushes this configuration with push commands.
dev tun
Defines the openvpn running mode, which must be exactly the same as on the server.
proto tcp
Defines the protocol used by openvpn, which must be exactly the same as on the server.
remote 192.168.1.8 1194
Sets the IP address and port of the server, which must match the server exactly.
If several servers are used for load balancing, the remote keyword may appear multiple times.
;remote-random
Connects to a randomly selected server; otherwise the servers are tried from top to bottom. This option is disabled by default.
resolv-retry infinite
Keeps re-resolving the server address (if remote is followed by a domain name). When the server IP address is updated dynamically via DDNS, the client re-resolves the server address when it automatically reconnects, so the VPN can be reached again without a manual restart.
nobind
Defines that no specific local port is bound for listening for incoming data.
persist-key
persist-tun
ca ca.crt
Defines the CA certificate used to verify the validity of the server's certificate. This file must be the same as the ca.crt file on the server.
cert laptop.crt
Defines the client certificate file.
key laptop.key
Defines the client private key file.
ns-cert-type server
The server certificate is generated with the build-key-server script, which adds the ns-cert-type extension to the X.509 v3 extensions. Checking for it prevents a client from using its own key pair plus a DNS hack to trick other VPN clients into connecting to a counterfeit VPN server, because a certificate issued for a client does not carry this extension.
comp-lzo
Enables data compression, which must be exactly the same as on the server.
verb 3
Sets the log verbosity level.
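As an added example (not part of the original article and not OpenVPN's own code), the following Python script parses the server.conf and client.conf formats described in sections 2 and 3 on constructed sample configs, checks the settings the article says must match on both sides (dev, proto, comp-lzo, the remote port), and flags server settings worth reviewing: user/group left commented out, duplicate-cn and client-to-client enabled.

```python
import shlex
from typing import Dict, List

# Constructed samples (not the article's files), trimmed to the directives the checks look at.
SERVER_CONF = """\
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
;push "route 192.168.10.0 255.255.255.0"
client-to-client
duplicate-cn
comp-lzo
;user nobody
;group nogroup
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.1.8 1194
ns-cert-type server
comp-lzo
"""

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to its argument lists; '#' or ';' starts a comment. Repeats (push, remote) are kept."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps the quoted push "..." argument intact
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def audit(server: Dict[str, List[List[str]]], client: Dict[str, List[List[str]]]) -> List[str]:
    """Return findings: mismatches the article says must agree, plus risky server settings."""
    findings: List[str] = []
    for d in ("dev", "proto"):  # must be identical on both sides
        if server.get(d) != client.get(d):
            findings.append(f"{d} mismatch: server={server.get(d)} client={client.get(d)}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo enabled on only one side")
    port = server.get("port", [["1194"]])[0][0]  # openvpn's default port is 1194
    if not any(len(r) > 1 and r[1] == port for r in client.get("remote", [])):
        findings.append(f"no client remote targets server port {port}")
    if "user" not in server or "group" not in server:
        findings.append("user/group not set: daemon keeps root privileges after start")
    findings += [f"{d} enabled" for d in ("duplicate-cn", "client-to-client") if d in server]
    return findings
```

Run against the samples it reports the proto mismatch, the missing user/group and the two multi-client directives; once those are corrected, audit returns an empty list.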