cat /dev/net/tun
If it prints "cat: /dev/net/tun: File descriptor in bad state", tun/tap is available. If it prints "cat: /dev/net/tun: No such device" or anything else, tun/tap is not configured correctly; open a ticket with the provider's support to have tun/tap enabled.
apt-get install openvpn lzop
Generating certificates with easyrsa3
Download: https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz
1. vars file settings:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
echo "no longer necessary and is disallowed. See the section called" >&2
echo "*How to use this file* near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_NS_SUPPORT "yes"
set_var EASYRSA_CERT_EXPIRE 7300
set_var EASYRSA_CA_EXPIRE 14600
2. Server side:
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign server server
./easyrsa gen-dh
3. Client side: to create the client certificate, make a separate copy of the easyrsa3 folder, delete the pki directory inside it, and change into that copy:
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn# cp -r EasyRSA-3.1.7 EasyRSA-3.1.7-c1
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn# cd EasyRSA-3.1.7-c1/
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn/EasyRSA-3.1.7-c1# rm -rf pki/
./easyrsa init-pki
./easyrsa gen-req client nopass
cd ../EasyRSA-3.1.7
./easyrsa import-req ../EasyRSA-3.1.7-c1/pki/reqs/client.req client
./easyrsa sign client client
The server and client certificates are now ready.
The OpenVPN server needs:
/etc/openvpn/EasyRSA-3.1.7/pki/ca.crt <from the folder where the server certificate was made>
/etc/openvpn/EasyRSA-3.1.7/pki/private/server.key <from the folder where the server certificate was made>
/etc/openvpn/EasyRSA-3.1.7/pki/issued/server.crt <from the folder where the server certificate was made>
/etc/openvpn/EasyRSA-3.1.7/pki/dh.pem
The OpenVPN client needs:
/etc/openvpn/EasyRSA-3.1.7/pki/ca.crt <from the folder where the server certificate was made>
/etc/openvpn/EasyRSA-3.1.7/pki/issued/client.crt <from the folder where the server certificate was made>
/etc/openvpn/EasyRSA-3.1.7-c1/pki/private/client.key <from the folder where the client certificate was made>
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn# mkdir config
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn# cp EasyRSA-3.1.7/pki/ca.crt config/
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn# cp EasyRSA-3.1.7/pki/dh.pem config/
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn# cp EasyRSA-3.1.7/pki/issued/server.crt config/
root@iZ2zeeymlvj6czzwa25q5pZ:/etc/openvpn# cp EasyRSA-3.1.7/pki/private/server.key config/
Server configuration. First create the unprivileged user and the log directory that the config refers to:
root@iZ2zeeymlvj6czzwa25q5pZ:~# useradd -s /sbin/nologin openvpn
root@iZ2zeeymlvj6czzwa25q5pZ:~# mkdir /var/log/openvpn
root@iZ2zeeymlvj6czzwa25q5pZ:~# chown -R openvpn:openvpn /var/log/openvpn
server.conf (/etc/openvpn/config/server.conf):
port 28711
proto tcp
dev tun
ca /etc/openvpn/config/ca.crt
cert /etc/openvpn/config/server.crt
key /etc/openvpn/config/server.key
dh /etc/openvpn/config/dh.pem
server 10.17.146.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 100
user openvpn
group openvpn
ifconfig-pool-persist ipp.txt
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
mute 20
client-to-client
duplicate-cn
client-config-dir /etc/openvpn/ccd
Create a file named client (the certificate's CN) inside ccd containing:
ifconfig-push 10.17.146.5 10.17.146.6
This persistently assigns the static IP 10.17.146.5 to the client that presents the client certificate. An earlier attempt with 10.17.146.7/10.17.146.8 failed with:
There is a problem in your selection of --ifconfig endpoints [local=10.17.146.7, remote=10.17.146.8]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Cause: 10.17.146.7 is the broadcast address of the 10.17.146.4/30 subnet.
Fix: the usable addresses in that /30 are 10.17.146.5 and 10.17.146.6.
Online subnet calculator: Subnet Mask Calculator - Online Tool
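Instead of an online calculator, the endpoint rule from the error above can be checked locally. This is an added example, not OpenVPN's own code: it applies the same /30 rule the error message states and lists every endpoint pair that is valid inside the page's 10.17.146.0/24 server subnet.

```python
import ipaddress

def net30_endpoint_check(local, remote):
    """Apply the rule quoted in the error above: with --dev tun in net30
    topology the two --ifconfig endpoints must be the two host addresses of
    the same 255.255.255.252 (/30) block. Returns (ok, explanation)."""
    l = int(ipaddress.IPv4Address(local))
    r = int(ipaddress.IPv4Address(remote))
    for name, a in (("local", local), ("remote", remote)):
        v = int(ipaddress.IPv4Address(a))
        block = ipaddress.IPv4Network((v & ~3, 30))   # the /30 containing a
        if (v & 3) == 0:
            return False, f"{name} {a} is the network address of {block}"
        if (v & 3) == 3:
            return False, f"{name} {a} is the broadcast address of {block}"
    if l >> 2 != r >> 2:
        return False, f"{local} and {remote} are not in the same /30 block"
    if l == r:
        return False, "local and remote must be different addresses"
    block = ipaddress.IPv4Network((l & ~3, 30))
    return True, f"{local} and {remote} are the usable pair of {block}"

def valid_pairs_for(server_net):
    """Every (local, remote) pair a ccd ifconfig-push may use inside the
    server subnet: the [1,2] [5,6] [9,10] ... pattern that
    `openvpn --show-valid-subnets` prints, but as full addresses."""
    net = ipaddress.IPv4Network(server_net)
    return [(str(b[1]), str(b[2])) for b in net.subnets(new_prefix=30)]

if __name__ == "__main__":
    print(net30_endpoint_check("10.17.146.7", "10.17.146.8"))  # the failing pair
    print(net30_endpoint_check("10.17.146.5", "10.17.146.6"))  # the working pair
    print(valid_pairs_for("10.17.146.0/24")[:4])
```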
Pushing the default gateway:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
redirect-gateway → push a default route to the client.
def1 → instead of overwriting the client's existing default route, add two more specific /1 routes (0.0.0.0/1 and 128.0.0.0/1) that attract all traffic into the VPN. The original gateway entry stays in the routing table, so it is not left in a broken state.
bypass-dhcp → keep the client's route to its local DHCP server (prevents it from losing connectivity).
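Why the two /1 routes win without touching the original default route comes down to longest-prefix matching. The following added example (not part of the original page) builds a constructed client routing table, applies what def1 adds, and resolves a few destinations; the LAN gateway 192.168.1.1 is assumed, the VPN peer 10.17.146.6 and server 210.14.75.1 come from the configs on this page.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) entries, the rule the
    kernel applies when it picks a route for dst."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Constructed client routing table before the tunnel comes up.
LAN_GW = "192.168.1.1"        # assumed: the client's original default gateway
VPN_PEER = "10.17.146.6"      # remote endpoint from the ifconfig-push above
VPN_SERVER = "210.14.75.1"    # the "remote" in client.conf
BEFORE = [("0.0.0.0/0", LAN_GW), ("192.168.1.0/24", "link")]

def apply_def1(table, vpn_server, lan_gw, vpn_peer):
    """What redirect-gateway def1 adds: a /32 host route so the tunnel's own
    packets keep using the LAN gateway, then 0.0.0.0/1 and 128.0.0.0/1 via
    the VPN peer. The original 0.0.0.0/0 entry is left untouched."""
    return table + [
        (vpn_server + "/32", lan_gw),
        ("0.0.0.0/1", vpn_peer),
        ("128.0.0.0/1", vpn_peer),
    ]

AFTER = apply_def1(BEFORE, VPN_SERVER, LAN_GW, VPN_PEER)

if __name__ == "__main__":
    for dst in ("8.8.8.8", VPN_SERVER, "192.168.1.50"):
        print(dst, "before:", lookup(BEFORE, dst), "after:", lookup(AFTER, dst))
```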
iptables -t nat -A POSTROUTING -s 10.17.146.0/24 -o enp3s0 -j MASQUERADE
Interface that holds the default gateway (the -o argument above): ip route | awk '/^default/{for(i=1;i<NF;i++) if($i=="dev") print $(i+1)}'
Enable IP forwarding (sysctl):
net.ipv4.ip_forward = 1
Inline certificate and key blocks (alternative to the ca/cert/key/dh file paths above; paste the PEM contents between the tags):
<ca>
</ca>
<cert>
</cert>
<key>
</key>
<dh>
</dh>
Client configuration (/etc/openvpn/config/client.conf):
client
dev tun
proto tcp
remote 210.14.75.1 28711
resolv-retry infinite
nobind
ca /etc/openvpn/config/ca.crt
cert /etc/openvpn/config/client.crt
key /etc/openvpn/config/client.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
compress lz4-v2
persist-key
persist-tun
key-direction 1
Inline certificate and key blocks:
<ca>
</ca>
<cert>
</cert>
<key>
</key>
Client: start the service automatically at boot (/lib/systemd/system/openvpn.service):
# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.
[Unit]
Description=OpenVPN service
After=network.target
[Service]
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/config/client.conf
[Install]
WantedBy=multi-user.target
systemctl enable --now openvpn
Server: start the service automatically at boot (/lib/systemd/system/openvpn.service):
[Unit]
Description=OpenVPN Server
After=network.target
After=syslog.target
[Service]
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/config/server.conf
ExecStartPost=/usr/sbin/iptables -t nat -A POSTROUTING -s 10.17.146.0/24 -o enp3s0 -j MASQUERADE
ExecStopPost=/usr/sbin/iptables -t nat -D POSTROUTING -s 10.17.146.0/24 -o enp3s0 -j MASQUERADE
[Install]
WantedBy=multi-user.target
systemctl enable --now openvpn
WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
This warning is the compression security notice introduced in OpenVPN 2.5+.
⚠️ Why does this warning appear?
- Older OpenVPN versions commonly used comp-lzo or compress to compress data.
- Compression combined with encryption opens the door to CRIME/BREACH-style attacks (an attacker can exploit the properties of compression to infer the content of the ciphertext).
- Newer OpenVPN versions therefore disable compression by default, and emit this WARNING when the config contains comp-lzo or compress.
Fix:
Do not write comp-lzo or compress (remove compress lz4-v2 and push "compress lz4-v2" from the configs above).
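Because the directive can hide inside a push line, it is easy to remove it on one side and keep pushing it to clients. The following added example (not from the page or from OpenVPN) parses a config the way a reviewer would, unwrapping push "..." lines, reports every line that enables compression, and returns the config with those lines removed; the excerpt of server.conf is a constructed copy of the one above.

```python
import shlex

# Directives that turn on compression; the fix on this page is to delete them.
COMPRESSION_DIRECTIVES = {"comp-lzo", "compress", "comp-noadapt"}

def parse_directive(line):
    """Return (directive, args) for one config line, or None for blank/comment
    lines. A push "..." line is unwrapped so the pushed directive is seen too."""
    text = line.strip()
    if not text or text[0] in "#;":
        return None
    words = shlex.split(text)
    if words[0] == "push" and len(words) > 1:
        return "push", shlex.split(words[1])  # push "compress lz4-v2" -> ["compress", "lz4-v2"]
    return words[0], words[1:]

def find_compression(conf):
    """List (line_no, reason) for every line enabling compression, locally or
    pushed to clients, so the WARNING above cannot come back unnoticed."""
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        parsed = parse_directive(raw)
        if parsed is None:
            continue
        directive, args = parsed
        if directive == "push" and args and args[0] in COMPRESSION_DIRECTIVES:
            findings.append((no, f"pushes '{' '.join(args)}' to every client"))
        elif directive in COMPRESSION_DIRECTIVES:
            findings.append((no, f"{directive} enabled locally"))
    return findings

def strip_compression(conf):
    """Return the config with the offending lines removed (the fix above)."""
    bad = {no for no, _ in find_compression(conf)}
    return "\n".join(l for no, l in enumerate(conf.splitlines(), 1) if no not in bad) + "\n"

# Constructed excerpt of the server.conf shown above.
SERVER_CONF = """\
port 28711
proto tcp
dev tun
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
push "redirect-gateway def1 bypass-dhcp"
max-clients 100
"""

if __name__ == "__main__":
    for no, reason in find_compression(SERVER_CONF):
        print(f"line {no}: {reason}")
    print(strip_compression(SERVER_CONF))
```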
Fri Oct 10 17:10:41 2025 MANAGEMENT: >STATE:1760087441,RESOLVE,,,,,,
Fri Oct 10 17:10:41 2025 TCP/UDP: Preserving recently used remote address: [AF_INET]58.212.110.190:28711
Fri Oct 10 17:10:41 2025 ovpn-dco device [OpenVPN Data Channel Offload] opened
Fri Oct 10 17:11:02 2025 dco connect error: 信号灯超时时间已到 (errno=121)
Fri Oct 10 17:11:02 2025 Closing DCO interface
Fri Oct 10 17:11:02 2025 SIGUSR1[soft,dco-connect-error] received, process restarting
Fri Oct 10 17:11:02 2025 MANAGEMENT: >STATE:1760087462,RECONNECTING,dco-connect-error,,,,,
This log shows that your OpenVPN client has DCO (Data Channel Offload) enabled but hit a driver-level timeout during the connect phase (errno=121, semaphore timeout).
Cause: a network device or firewall blocked the tunnel initialisation.
Fix: systemctl stop firewalld; systemctl disable firewalld