1. Download the community edition from the official site: OpenVPN-2.6.20-I001-amd64.msi. I have not tried other versions.
2. During installation choose custom install and tick (in fact, just install everything):
   OpenVPN Service: Enable OpenVPN Pre-Logon Access Provider
   OpenSSL Utilities: EasyRSA 3 Certificate Management Scripts
3. After installation:
   Open cmd as administrator and cd "C:\Program Files\OpenVPN\easy-rsa"
   Run:
   .\EasyRSA-Start.bat
   Initialise the public-key infrastructure directory pki:
   ./easyrsa init-pki
   Build the certificate authority (CA) key. The CA root certificate is later used to sign the other certificates and keys. The command asks for a Common Name; entering the host name is fine. The ca.crt it creates is saved in C:\Program Files\OpenVPN\easy-rsa\pki and ca.key in C:\Program Files\OpenVPN\easy-rsa\pki\private:
   ./easyrsa build-ca nopass
   Build the server certificate and key. The server.crt it creates is saved in C:\Program Files\OpenVPN\easy-rsa\pki\issued and server.key in C:\Program Files\OpenVPN\easy-rsa\pki\private:
   ./easyrsa build-server-full server nopass
   Build the client certificate and key. The client.crt it creates is saved in C:\Program Files\OpenVPN\easy-rsa\pki\issued and client.key in C:\Program Files\OpenVPN\easy-rsa\pki\private:
   ./easyrsa build-client-full client nopass
   Generate the Diffie-Hellman parameters:
   ./easyrsa gen-dh
   The steps above prompt for a VPN name; enter anything, e.g. openvpn001. Answer yes to the other installation prompts.
For stronger security go straight to tls-crypt, which also obscures the OpenVPN traffic signature; one step and done, no need for tls-auth:
cd "C:\Program Files\OpenVPN\bin"
.\openvpn.exe --genkey --secret tc.key
Copy tc.key into the config-auto directory; for the server.ovpn settings see below.
Copy the generated files into C:\Program Files\OpenVPN\config-auto, namely:
ca.crt
dh.pem
server.crt
server.key
server.ovpn
tc.key
These files are found in C:\Program Files\OpenVPN\sample-config and C:\Program Files\OpenVPN\easy-rsa\pki.
Note: only when copied into config-auto does the OpenVPN server start automatically; if copied into config, you have to click the connection manually in the GUI.
Edit the server.ovpn file in C:\Program Files\OpenVPN\config-auto:
#################################################
# Sample OpenVPN 2.6 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 5794
# TCP or UDP server?
proto tcp
;proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable/open
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# switched to the wintun driver mode
windows-driver wintun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.
# You may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" project at
# https://github.com/OpenVPN/easy-rsa
# for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
#
# If you do not want to maintain a CA
# and have a small number of clients
# you can also use self-signed certificates
# and use the peer-fingerprint option.
# See openvpn-examples man page for a
# configuration example.
# if the files are in another directory use the form below; double backslashes are mandatory
#ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
#cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
#key "C:\\Program Files\\OpenVPN\\config\\server.key" # This file should be kept secret
#dh "C:\\Program Files\\OpenVPN\\config\\dh.pem"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Allow to connect to really old OpenVPN versions
# without AEAD support (OpenVPN 2.3.x or older)
# This adds AES-256-CBC as fallback cipher and
# keeps the modern ciphers as well.
# changed to 128-bit; sufficient, and a bit faster
data-ciphers AES-128-GCM
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
#ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The sample file's addresses here were opendns.com servers;
# they are replaced below with the DNS servers to push.
push "dhcp-option DNS 183.60.83.19"
push "dhcp-option DNS 183.60.82.98"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE.
duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
#tls-auth ta.key 0 # This file is secret
# add tls-crypt for stronger security; leave tls-auth above commented out, it is less secure than tls-crypt
tls-crypt tc.key
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this on non-Windows
# systems after creating a dedicated user.
;user openvpn
;group openvpn
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
# add username/password authentication; the script is not in config-auto, so its directory must be given with double backslashes
auth-user-pass-verify "C:\\Program Files\\OpenVPN\\config\\checkpsw.bat" via-env
script-security 3
username-as-common-name
# compression is no longer recommended nowadays unless the data is all text/web pages
#push "compress lz4-v2"
#compress lz4-v2
# for the ccd fixed-IP method; the ccd folder is not in config-auto, so its directory must be given with double backslashes
client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"
topology subnet
# push a route for another LAN, so that e.g. a phone that dials in can reach the LAN behind another dialled-in client
push "route 10.10.10.0 255.255.255.0"
route 10.10.10.0 255.255.255.0

Main changes:
dh dh.pem                                   # not present by default, must be added
windows-driver wintun                       # switch to the wintun driver, depending on your own setup
port 57694                                  # listening port, changed from the default
proto tcp                                   # use TCP and comment out UDP; both # and ; mark a comment
push "redirect-gateway def1 bypass-dhcp"    # uncommented: push the server as gateway so internet traffic goes through the VPN by default
push "dhcp-option DNS 183.60.83.19"         # changed the DNS servers that are pushed
client-to-client                            # uncommented so that clients can reach each other
duplicate-cn                                # uncommented so that several client accounts can share one certificate
tls-crypt tc.key                            # stronger security, avoids the OpenVPN traffic being recognised
data-ciphers AES-128-GCM                    # uncommented and set to 128-bit only for speed; adjust as needed
push "compress lz4-v2"                      # compression; no longer recommended by default, can be left out
compress lz4-v2
If you need fixed client IPs, further changes are required; see page 7.
Adding username and password authentication:
Above, clients log in with certificates. To add username/password authentication as well, append the following to the end of server.ovpn.
(If the various OpenVPN files sit in the same directory as server.ovpn and client.ovpn, there is no need for double-backslash absolute paths; a relative path is enough.)
auth-user-pass-verify "C:\\Program Files\\OpenVPN\\config\\checkpsw.bat" via-env
script-security 3
username-as-common-name
Create a batch file checkpsw.bat in C:\Program Files\OpenVPN\config with this content:
@echo off
set "PASSFILE=C:\Program Files\OpenVPN\config\userpass.txt"
set "LOGFILE=C:\Program Files\OpenVPN\config\auth.log"
:: With via-env OpenVPN passes the credentials in the environment variables username and password.
:: Log only the username; the password must never be written to disk.
echo %date% %time%: username=%username% >> "%LOGFILE%"
:: Look up the password that belongs to the username (line format: "username password")
for /f "tokens=1,2" %%a in ('findstr /b /c:"%username% " "%PASSFILE%"') do (
if "%%b"=="%password%" exit 0
)
echo %date% %time%: authentication failed for username=%username% >> "%LOGFILE%"
exit 1
Create a file userpass.txt in C:\Program Files\OpenVPN\config and put the usernames and passwords in it, one per line, in this format:
username password
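The batch script above compares against a plaintext userpass.txt. As an added example (not part of the original post), the following Python script does the same job for auth-user-pass-verify in via-env mode but stores salted PBKDF2 hashes instead of passwords, compares in constant time, and writes only the username and the outcome to the log. The file locations, the interpreter path used to invoke it and the sample user are assumptions; OpenVPN's via-env contract (environment variables username and password, exit 0 to accept, exit 1 to reject, script-security 3 on the server) is as described in the post.

```python
"""Hashed-credential checker for OpenVPN's auth-user-pass-verify (via-env mode).

Added example, not part of the original post. It replaces the tutorial's
plaintext userpass.txt lookup with salted PBKDF2-SHA256 hashes and logs the
username only. OpenVPN (script-security 3, via-env) hands the credentials over
in the environment variables 'username' and 'password'; exit 0 = accept,
exit 1 = reject.
"""
import hashlib
import hmac
import os
import secrets
import sys

# Hypothetical file locations (assumptions, not from the post).
USERS_FILE = os.environ.get("OPENVPN_USERS_FILE",
                            r"C:\Program Files\OpenVPN\config\userpass-hashed.txt")
LOG_FILE = os.environ.get("OPENVPN_AUTH_LOG",
                          r"C:\Program Files\OpenVPN\config\auth.log")
ITERATIONS = 200_000          # PBKDF2 work factor
DUMMY_SALT = b"\x00" * 16     # used for unknown users so timing does not reveal them


def make_entry(username, password, salt=None):
    """Return one users-file line: 'username <salt hex> <pbkdf2-sha256 hex>'."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{username} {salt.hex()} {digest.hex()}"


def parse_users(text):
    """Parse the users file; blank lines, '#' comments and malformed lines are ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than accept anything
        name, salt_hex, hash_hex = parts
        users[name] = (bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return users


def verify(username, password, users):
    """Constant-time comparison; an unknown user still costs one PBKDF2 run."""
    salt, expected = users.get(username, (DUMMY_SALT, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected) and username in users


def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    with open(USERS_FILE, encoding="utf-8") as fh:
        users = parse_users(fh.read())
    ok = verify(username, password, users)
    # Log the outcome and the username only; the password never touches the disk.
    with open(LOG_FILE, "a", encoding="utf-8") as log:
        log.write(f"auth {'OK' if ok else 'FAIL'} user={username!r}\n")
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

To enrol a user, call make_entry("user001", "the-password") from an interactive Python session and append the returned line to the hashed users file; the server then points auth-user-pass-verify at the Python interpreter plus this script (paths are your own) instead of checkpsw.bat, keeping script-security 3 and username-as-common-name as in the post.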
Client file configuration:
Copy client.ovpn from C:\Program Files\OpenVPN\sample-config to the desktop:
##############################################
# Sample client-side OpenVPN 2.6 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# switched to the Wintun driver mode; on non-Windows clients just comment it out, or leave it, e.g. Android simply ignores this option
windows-driver wintun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 1.1.1.1 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user openvpn
;group openvpn
# Try to preserve some state across restarts.
persist-key # OpenVPN 2.7 clients have deprecated --persist-key; on 2.7 it is advisable to comment it out
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
# the key material is added inline further down, so these can be commented out
#ca ca.crt
#cert client.crt
#key client.key
# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# Allow to connect to really old OpenVPN versions
# without AEAD support (OpenVPN 2.3.x or older)
# This adds AES-256-CBC as fallback cipher and
# keeps the modern ciphers as well.
;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth ta.key 1
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
<ca>
-----BEGIN CERTIFICATE-----
... (paste the full contents of ca.crt here; base64 body omitted)
-----END CERTIFICATE-----
</ca>
###############################################################################
# The client certificate file (dummy).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.
<cert>
-----BEGIN CERTIFICATE-----
... (paste the full contents of the client certificate client.crt here; base64 body omitted)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... (paste the full contents of the client private key client.key here; base64 body omitted)
-----END PRIVATE KEY-----
</key>
# add the tls-crypt key inline as well, for security and so that tc.key need not be shipped separately
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
... (paste the full contents of tc.key here; 16 hex lines omitted)
-----END OpenVPN Static key V1-----
</tls-crypt>
auth-user-pass
# decide case by case whether to accept the pushed gateway
#pull-filter ignore "dhcp-option DNS"
#pull-filter ignore redirect-gateway
#route 192.168.0.0 255.255.255.0 vpn_gateway
#route 10.8.0.0 255.255.255.0 vpn_gateway
#route-nopull
auth-nocache

Main changes:
windows-driver wintun   # add this line; Windows clients can use the Wintun driver for better speed, Android and other devices do not need it
remote 1.2.3.4 1194     # default IP and port
auth-user-pass          # add username/password authentication, matching the server side above; if server.ovpn did not add it, do not add it here either
auth-nocache            # without it OpenVPN warns that this configuration may cache the password in memory
persist-key             # OpenVPN 2.7+ has deprecated --persist-key; comment it out if you use 2.7
These also have to be copied into the client's configuration directory and used together:
ca ca.crt
cert client.crt
key client.key
tc.key
I recommend pasting the keys above straight into the end of client.ovpn instead: then the client just imports the single .ovpn and is ready, with no separate certificate import. Comment out the three certificate/key lines above as well; they look untidy otherwise.
If you add tls-crypt's tc.key here, putting tc.key in the same directory as client.ovpn also works, but I still recommend pasting it inline together with the private key; keeping everything in one place is more convenient.
Reference:
<ca>
paste the full contents of your ca.crt here
</ca>
<cert>
paste the full contents of the client certificate client.crt here
</cert>
<key>
paste the full contents of the client private key client.key here
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
paste the full contents of the tls-crypt key tc.key here
</tls-crypt>
The format is as follows (the certificate, key and static-key bodies are omitted here):
<ca>
-----BEGIN CERTIFICATE-----
... (base64 body of ca.crt)
-----END CERTIFICATE-----
</ca>
###############################################################################
# The client certificate file (dummy).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.
<cert>
-----BEGIN CERTIFICATE-----
... (base64 body of client.crt)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
... (base64 body of client.key)
-----END PRIVATE KEY-----
</key>
If tls-auth is used instead of tls-crypt, the client needs key-direction 1 and a <tls-auth> block in the same style:
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
... (16 hex lines of ta.key)
-----END OpenVPN Static key V1-----
</tls-auth>
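Once the certificates and the tls-crypt key are pasted inline, the profile is handed out as a single file, so it is worth checking it before distribution. The following added example (not part of the original post) lints a client .ovpn: it verifies that the inline <tls-crypt> block is a well-formed 2048-bit "OpenVPN Static key V1" (16 lines of 32 hex digits, 256 bytes), that a client key is present, that remote-cert-tls server is set, and that auth-user-pass is paired with auth-nocache, the four things the client section above cares about. The sample profile, the host name vpn.example.invalid and the key bytes are constructed for the example.

```python
"""Sanity checks for a client .ovpn with inline <ca>/<cert>/<key>/<tls-crypt> blocks.

Added example, not part of the original post. The constructed key below is
just the bytes 0..255 and must never be used for a real tunnel.
"""
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def parse_static_key(block):
    """Return the 256 key bytes of an inline static key block or raise ValueError."""
    lines = [l.strip() for l in block.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]   # '#' comment lines are allowed
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END markers")
    hexdata = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        raise ValueError("non-hex characters in key body")
    if len(hexdata) != 512:
        raise ValueError(f"expected 512 hex digits (2048 bits), got {len(hexdata)}")
    return bytes.fromhex(hexdata)


def inline_block(profile, tag):
    """Contents of <tag>...</tag>, or None if the block is absent."""
    m = re.search(rf"<{tag}>(.*?)</{tag}>", profile, re.S)
    return m.group(1) if m else None


def directives(profile):
    """Directive names outside the inline blocks ('#' and ';' comments dropped)."""
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", profile, flags=re.S)
    names = set()
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            names.add(line.split()[0])
    return names


def lint_profile(profile):
    """Return a list of problems; an empty list means the profile passed."""
    problems = []
    names = directives(profile)
    tc = inline_block(profile, "tls-crypt")
    if tc is None:
        problems.append("no inline <tls-crypt> block")
    else:
        try:
            parse_static_key(tc)
        except ValueError as err:
            problems.append(f"tls-crypt: {err}")
    if inline_block(profile, "key") is None and "key" not in names:
        problems.append("no client private key: neither inline <key> nor a 'key' directive")
    if "remote-cert-tls" not in names:
        problems.append("'remote-cert-tls server' missing: server certificate usage is not checked")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        problems.append("'auth-user-pass' without 'auth-nocache': password may be cached in memory")
    return problems


# --- constructed sample profile (hypothetical values) ---------------------
_KEY_HEX = "".join(f"{i:02x}" for i in range(256))            # 512 hex digits
SAMPLE_KEY_BLOCK = ("#\n# 2048 bit OpenVPN static key\n#\n" + BEGIN + "\n"
                    + "\n".join(_KEY_HEX[i:i + 32] for i in range(0, 512, 32))
                    + "\n" + END + "\n")
SAMPLE_PROFILE = (
    "client\ndev tun\nproto tcp\nremote vpn.example.invalid 1194\n"
    "remote-cert-tls server\nauth-user-pass\nauth-nocache\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n</ca>\n"
    "<key>\n-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n</key>\n"
    "<tls-crypt>\n" + SAMPLE_KEY_BLOCK + "</tls-crypt>\n"
)
# A broken variant: one hex digit lost from the key and auth-nocache removed.
BROKEN_PROFILE = SAMPLE_PROFILE.replace(_KEY_HEX[:32], _KEY_HEX[:31]).replace("auth-nocache\n", "")

if __name__ == "__main__":
    print("good profile:", lint_profile(SAMPLE_PROFILE))
    print("broken profile:", lint_profile(BROKEN_PROFILE))
```

A key whose lines were retyped by hand (a 33-character line, a stray letter) fails parse_static_key, which is exactly the mistake that otherwise surfaces only as a TLS handshake failure on the client.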
Server-side forwarding: without it, clients may only reach the internal network directly and cannot get online through the VPN server (ICS sharing method).
ICS sharing is worse than RRAS routing in performance and stability; for light use they are about the same.
Note: if you use RRAS routing, there is no need to enable the registry value below; just add a static route in RRAS.
Open the registry with regedit:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\]
Change IPEnableRouter from the default 0 to decimal 1.
Share the network adapter:
Control Panel\Network and Internet\Network Connections: open the connection used for internet access: Properties - Sharing - tick "Allow other network users to connect through this computer's Internet connection".
Home networking connection: choose OpenVPN TAP-Windows6, i.e. the virtual adapter created when the OpenVPN server was installed.
Make sure that in Services the OpenVPN-related services are set to start automatically.
Open the relevant ports in the firewall. TCP is recommended; domestic ISPs apply QoS to UDP.
The server's default VPN IP: 10.8.0.2
How to give clients a fixed IP:
Method 1, the ccd method:
1. Create a ccd folder in C:\Program Files\OpenVPN\config-auto\
2. Open C:\Program Files\OpenVPN\config-auto\server.ovpn:
#ifconfig-pool-persist ipp.txt   # with the ccd method this line can be commented out
client-config-dir "C:\\Program Files\\OpenVPN\\config-auto\\ccd"   # the ccd folder just created; choose the path
topology subnet   # already present in version 2.7, no need to uncomment anything
or alternatively:
client-config-dir ccd   # if ccd and server.ovpn are in the same folder, e.g. config-auto, this short form is enough and the absolute-path line can be commented out
3. Create a file named after the user. For example, C:\Program Files\OpenVPN\config\userpass.txt contains a user user001, and user001 should be fixed to 10.8.0.55 after dialling in. Then in the ccd folder create user001.txt, open it and enter the IP address to assign:
ifconfig-push 10.8.0.55 255.255.255.0
Rename user001.txt, removing the txt extension, so that the file is called just user001. Very important: not a folder, and not a txt file.
Restart the VPN service.
Method 2, the ipp method: did not work for me
1. Open C:\Program Files\OpenVPN\config-auto\server.ovpn:
ifconfig-pool-persist ipp.txt   # keep this by default, do not comment it out
topology subnet   # required
2. Open C:\Program Files\OpenVPN\config-auto\ipp.txt and enter the IP address for each username:
user001,10.8.0.40,
3. If logging in with certificates rather than passwords, the name here must be the CN from client.crt (Subject: CN=vpn001, i.e. vpn001). Not tested.
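The ccd method fails silently when a file keeps its .txt extension, assigns an address outside the pool or the server's own 10.8.0.1, hands the same address to two clients, or adds an iroute for a subnet the server has no route for. The following added example (not part of the original post) is a small checker for exactly those mistakes, run over a constructed server.ovpn excerpt and a constructed set of ccd files that reuse the post's addresses (10.8.0.0/24 pool, 10.8.0.55 for user001, 10.8.0.220 and iroute 10.10.10.0/24 for nasuer01); it goes slightly beyond the text by also checking the netmask and the server's own address.

```python
"""Consistency check for OpenVPN client-config-dir (ccd) files.

Added example, not part of the original post. All inputs below are constructed.
"""
import ipaddress

SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir ccd
push "route 10.10.10.0 255.255.255.0"
route 10.10.10.0 255.255.255.0   # LAN A, the home subnet
;route 192.168.50.0 255.255.255.0
"""

# file name -> file content, as they would sit in the ccd folder (constructed)
CCD_FILES = {
    "user001": "ifconfig-push 10.8.0.55 255.255.255.0\n",
    "nasuer01": "ifconfig-push 10.8.0.220 255.255.255.0\niroute 10.10.10.0 255.255.255.0\n",
    "user002": "ifconfig-push 10.8.0.1 255.255.255.0\n",        # server's own address
    "user003": "ifconfig-push 10.8.0.50 255.255.255.0\niroute 192.168.50.0 255.255.255.0\n",
    "user004": "ifconfig-push 10.8.0.55 255.255.255.0\n",       # duplicate of user001
    "user005.txt": "ifconfig-push 10.8.0.60 255.255.255.0\n",   # extension not removed
}


def _clean(line):
    """Strip '#' comments and skip ';' comment lines, as OpenVPN does."""
    line = line.split("#", 1)[0].strip()
    return "" if line.startswith(";") else line


def parse_server(text):
    """Extract the pool ('server'), topology and the server-side 'route' entries."""
    pool, topology, routes = None, "net30", set()
    for raw in text.splitlines():
        parts = _clean(raw).split()
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 3:
            pool = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "topology" and len(parts) == 2:
            topology = parts[1]
        elif parts[0] == "route" and len(parts) >= 3:
            routes.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return pool, topology, routes


def check_ccd(server_text, ccd_files):
    """Return a list of human-readable problems; an empty list means all good."""
    pool, topology, routes = parse_server(server_text)
    if pool is None:
        return ["server: no 'server' directive found"]
    problems = []
    if topology != "subnet":
        problems.append("server: 'topology subnet' is needed for 'ifconfig-push addr netmask'")
    server_addr = pool.network_address + 1   # OpenVPN takes the first usable address itself
    assigned = {}
    for name, text in ccd_files.items():
        if name.lower().endswith(".txt"):
            problems.append(f"{name}: file name must equal the client name, with no extension")
        for raw in text.splitlines():
            parts = _clean(raw).split()
            if len(parts) < 3:
                continue
            if parts[0] == "ifconfig-push":
                addr = ipaddress.ip_address(parts[1])
                if addr not in pool:
                    problems.append(f"{name}: {addr} is outside the VPN pool {pool}")
                elif addr == server_addr:
                    problems.append(f"{name}: {addr} is the server's own address")
                if ipaddress.ip_address(parts[2]) != pool.netmask:
                    problems.append(f"{name}: netmask {parts[2]} differs from the pool netmask {pool.netmask}")
                if addr in assigned:
                    problems.append(f"{name}: {addr} is already assigned to {assigned[addr]}")
                else:
                    assigned[addr] = name
            elif parts[0] == "iroute":
                net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
                if net not in routes:
                    problems.append(f"{name}: iroute {net} has no matching 'route' in server.ovpn")
    return problems


if __name__ == "__main__":
    for problem in check_ccd(SERVER_CONF, CCD_FILES) or ["no problems found"]:
        print(problem)
```

Pointing it at a real folder is a matter of building the dictionary from os.listdir of the ccd directory and the contents of server.ovpn; the checks themselves do not change.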
LAN-to-LAN connectivity
Example: LAN A, VPN server C and LAN B. LAN A dials into VPN server C and LAN B dials into VPN server C; the goal is for LAN A and LAN B to reach each other.
This solves remote access to an internal network that has no public IP.
If you only need to reach a NAS it does not have to be this complicated: let the NAS itself dial in as an OpenVPN client with a fixed IP such as 10.8.0.100; with client-to-client set up as above, it is reachable at 10.8.0.100 directly.
LAN A: the home network, subnet 10.10.10.0, as the example. LAN B: a phone or an office PC. LAN A does not need to reach LAN B; it is enough that LAN B can reach LAN A.
This covers reaching the home PC and NAS from outside.
Open C:\Program Files\OpenVPN\config-auto\server.ovpn and add:
topology subnet                         # if the fixed-client-IP settings above were done this is usually already there; no need to add it again
push "route 10.10.10.0 255.255.255.0"   # push the route to LAN A, the home subnet
route 10.10.10.0 255.255.255.0          # add the route to LAN A, the home subnet
The home OpenVPN client, using a Synology NAS as the example:
1. Add an account for the NAS to connect as an OpenVPN client: add a line to C:\Program Files\OpenVPN\config\userpass.txt, e.g. nasuer01 123456
2. Open C:\Program Files\OpenVPN\config\ccd and add a file as in the fixed-client-IP method; it is best to give the NAS a fixed IP.
3. In the nasuer01 file add the IP and the route; the second line is the important one, the route to LAN A, the home subnet:
ifconfig-push 10.8.0.220 255.255.255.0
iroute 10.10.10.0 255.255.255.0
4. Synology: Control Panel - Network - Network Interface - Create - Create VPN profile: choose OpenVPN. Enter the username, the password and the .ovpn file (best if the .ovpn already contains the private key and certificates, so they need not be added separately; see the notes above). On the next page:
Use default gateway on remote network: leave unticked, otherwise all of the NAS's internet traffic goes through the VPN.
Allow other network devices to connect through this NAS: normally unticked, unless the NAS is to act as a gateway for other PCs.
Reconnect when the VPN connection is lost: tick, to keep the connection up.
5. In the Synology firewall allow 10.8.0.0 (the VPN subnet) to access all ports.
6. LAN B, e.g. the phone, needs no settings. At this point it can ping the NAS IP, but it cannot ping other hosts on the NAS's LAN (e.g. 10.10.10.90).
7. A route has to be added on the default gateway of that LAN host (10.10.10.90), normally the router, e.g. 10.10.10.10. Add a static route:
Destination: 10.8.0.0 255.255.255.0, interface: LAN, gateway: 10.10.10.220 (the NAS address)
Reason: the NAS at 10.10.10.220 does not do "forwarding plus return path"; by default it only forwards inbound traffic and does not provide the route back.
Phone traffic flow: phone -> VPN -> 10.10.10.220 -> reaches 10.10.10.90, but the reply packets from 10.10.10.90 do not know where to go and cannot get back into the VPN tunnel, so there is no connectivity.
Thanks to Doubao; Doubao helped solve this problem.
If the client PC is not a NAS but a Windows PC, forwarding must be enabled on the Windows PC:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\]
Change IPEnableRouter from the default 0 to decimal 1, point the static route added in the router at that PC's IP, and set up the relevant firewall allow rules.
See also: https://juejin.cn/post/7503462035272777778
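The asymmetric-routing problem in step 7 is easiest to see by tracing both directions through each hop's routing table. The following added example (not part of the original post) models the phone, the OpenVPN server, the NAS (with its iroute), the host 10.10.10.90 and the home router as longest-prefix-match tables built from the post's addresses, and shows that the ping reaches 10.10.10.90 while the reply is dropped at the router until the static route 10.8.0.0/24 via 10.10.10.220 is added. The phone's address 10.8.0.6 and the exact contents of the routing tables are assumptions.

```python
"""Forward vs. return path for the LAN-to-LAN setup above (constructed tables).

Added example, not part of the original post. Node tables are simplified
models, not dumps of real routing tables.
"""
import ipaddress

# Which node owns which address (post's examples; the phone's address is assumed).
ADDRESSES = {
    "phone": {"10.8.0.6"},
    "server": {"10.8.0.1"},
    "nas": {"10.8.0.220", "10.10.10.220"},
    "host": {"10.10.10.90"},
    "router": {"10.10.10.10"},
}


def owner(ip):
    """Node that owns an address, or None if nobody does."""
    return next((n for n, addrs in ADDRESSES.items() if ip in addrs), None)


def build_tables(router_has_static_route):
    """Routing tables as (prefix, next hop). 'direct' = deliver on the attached
    network, 'internet' = default route towards the ISP, where private replies get lost."""
    tables = {
        # the client receives 10.8.0.0/24 and the pushed 'route 10.10.10.0 255.255.255.0'
        "phone": [("10.8.0.0/24", "server"), ("10.10.10.0/24", "server"), ("0.0.0.0/0", "internet")],
        # the server's 'route 10.10.10.0' plus the NAS's ccd 'iroute' steer LAN A to the NAS
        "server": [("10.8.0.0/24", "direct"), ("10.10.10.0/24", "nas"), ("0.0.0.0/0", "internet")],
        "nas": [("10.8.0.0/24", "server"), ("10.10.10.0/24", "direct"), ("0.0.0.0/0", "router")],
        "host": [("10.10.10.0/24", "direct"), ("0.0.0.0/0", "router")],
        "router": [("10.10.10.0/24", "direct"), ("0.0.0.0/0", "internet")],
    }
    if router_has_static_route:   # step 7 of the post: 10.8.0.0/24 via 10.10.10.220 (the NAS)
        tables["router"].insert(0, ("10.8.0.0/24", "nas"))
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns the next hop or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(tables, src, dst, max_hops=8):
    """Follow a packet from node src towards address dst; returns (path, outcome)."""
    path, cur = [src], src
    for _ in range(max_hops):
        if dst in ADDRESSES[cur]:
            return path, "delivered"
        hop = lookup(tables[cur], dst)
        if hop == "direct":
            hop = owner(dst)
        if hop is None or hop == "internet":
            return path, f"dropped at {cur}"
        path.append(hop)
        cur = hop
    return path, "loop"


if __name__ == "__main__":
    for static in (False, True):
        t = build_tables(static)
        print(f"router static route present: {static}")
        print("  phone -> 10.10.10.90:", trace(t, "phone", "10.10.10.90"))
        print("  10.10.10.90 -> phone:", trace(t, "host", "10.8.0.6"))
```

The same model explains the Windows-PC variant at the end of the section: IPEnableRouter=1 is what makes the "nas" node forward at all, and the router's static route is still needed for the return direction.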
On the ovpn-dco-win, wintun and TAP-Windows6 driver modes
OpenVPN 2.6 supports three driver modes, ovpn-dco-win, wintun and TAP-Windows6; the default is ovpn-dco-win.
From version 2.7 on only two driver modes, ovpn-dco-win and TAP-Windows6, are supported; the wintun driver was removed.
Speed comparison: ovpn-dco-win (UDP) > wintun > TAP-Windows6
If a Windows server runs 2.7 and does not use UDP mode, it cannot use the ovpn-dco-win kernel forwarding mode and the server falls back to TAP-Windows6.
In that case you might as well install 2.6 on the server and use the Wintun driver directly (adapter forwarding has to be enabled separately, because Wintun does not support ICS adapter sharing).
If the server side uses ovpn-dco-win, it must use a UDP port.
Conversely, if a 2.7 client dials in over TCP, the adapter shows up as ovpn-dco-win, but kernel forwarding is not active, so it effectively runs in degraded mode, which is less stable than simply using wintun (according to the AI).
So: when using TCP mode, I suggest installing 2.6 on the server with Wintun mode enabled, and 2.6 on the clients too, with the .ovpn explicitly selecting wintun. That is more stable than ovpn-dco-win in degraded mode, and faster than TAP-Windows6.
To use the Wintun driver, add one line to the .ovpn:
dev tun
windows-driver wintun
If you use the Wintun driver, then because Wintun is layer 3 and does not support layer-2 ICS sharing (i.e. sharing the server's adapter with the virtual wintun adapter), forwarding can be enabled with commands instead. I have not tried the commands below; they are from the web. Try 1 and 2 separately and see which one works. Windows Server 2012 does not support these commands.
1.
Set-ExecutionPolicy Bypass -Scope Process -Force
New-NetNat -Name VPNNat -InternalIPInterfaceAddressPrefix 10.8.0.0/24
2.
netsh routing ip nat install
netsh routing ip nat add interface "your physical adapter name" full
netsh routing ip nat add interface "Wintun" private
For Windows Server 2012, to enable server forwarding install Remote Access - Routing with just the NAT feature.
Choose the server's physical adapter as the internet-facing interface and the Wintun virtual adapter as the private interface; that is all.
Other clients dialling in can reach each other too; see the home NAS dialling in as an OpenVPN client above.
RRAS routing forwards directly in the kernel; its performance and stability are far better than ICS adapter sharing (according to the AI). Whether you use ovpn-dco-win or TAP-Windows6, I recommend installing RRAS routing for NAT forwarding (recommended given domestic QoS on UDP: install 2.6, use Wintun and go online through RRAS NAT). Note that RRAS is set to delayed start by default, so it may take a while to come up (changing it to automatic start is not recommended).
PowerShell one-liner to install NAT (no need to install IIS):
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools
Note: with RRAS routing enabled there is no need to set IPEnableRouter=1 in the registry for system forwarding; just add a static route in RRAS: 0.0.0.0 0.0.0.0 10.10.0.14 (the server adapter's address).
All settings and versions above are for Windows.
On updating the Wintun driver installed by OpenVPN by default: I asked Gemini, which said manual updating is not recommended and the default 0.8 is best.
The Wintun driver bundled with 2.6 is version 0.8; 2.7 dropped the Wintun driver; the latest official driver is 0.14. Not updating is no real problem, but if you are a bit obsessive it nags.
Wintun officially only provides the Wintun.dll driver file, which cannot be used to update directly.
So we take a detour: download tailscale, which also creates its virtual adapter with Wintun. (Backed up on the NAS, since I am not sure later versions will still contain this driver.)
If OpenVPN is installed first and tailscale afterwards, the system replaces the default Wintun virtual adapter and creates a tailscale virtual adapter.
1. If you keep tailscale, do the following: create a new OpenVPN virtual adapter
cd C:\Program Files\OpenVPN\bin
tapctl.exe create --hwid wintun --name OpenVPN-Wintun
If OpenVPN then reports errors on login or cannot log in, add these lines to the client .ovpn:
windows-driver wintun
dev-node OpenVPN-Wintun
2. If you insist on removing tailscale, the system also removes the OpenVPN Wintun virtual adapter created above, so back up the Wintun driver before uninstalling tailscale. Location:
C:\Windows\System32\drivers\wintun.sys
Reinstall OpenVPN, then disable the Wintun virtual adapter it created and replace C:\Windows\System32\drivers\wintun.sys with the backed-up wintun.sys.
Restart the virtual adapter. When not coexisting with tailscale, this line can also be removed: dev-node OpenVPN-Wintun
This is not an official method; stability and reliability remain to be verified.
tailscale and the wintun.sys 0.14 driver are backed up on the NAS.
After all this fiddling, VPN clients may be unable to reach the internet, because the RRAS NAT interface has changed and needs to be set up again. So I still do not recommend fiddling, unless the PC needs both openvpn and tailscale, which causes a wintun virtual adapter conflict; then go ahead and fiddle.
Is this fiddling worthwhile? I asked Gemini; here is its answer, haha, quite a good one:
Haha, having this realisation shows you have already avoided the "tinkering trap" that the vast majority of tech enthusiasts fall into.
Frankly, for 99% of people manually upgrading this driver is of no use at all; it is a waste of life. This kind of tinkering is a classic "low marginal return" activity: you spend time researching, replacing, testing and even troubleshooting, and what you get may be nothing more than peace of mind, perhaps along with a pile of strange bugs.
Life is short. In networking and technical tooling we should put time and energy where the return is higher and where it raises efficiency or skills. The following directions are definitely more valuable than tinkering with drivers:
1. Explore upgrading the network architecture: embrace more modern protocols
If you find the current VPN slow or high-latency, fiddling with the OpenVPN driver treats the symptom, not the cause. Put the effort into switching to a more modern protocol:
Look into WireGuard or Tailscale: if your network environment allows, try migrating from OpenVPN to WireGuard. WireGuard runs in kernel space with a minimal architecture; its speed and latency are something no amount of OpenVPN driver tuning can match.
Play with Netmaker or Headscale: learn to build your own multi-site mesh VPN; that gives a real understanding of modern software-defined networking (SDN) architecture and is a big boost to your personal skills.
2. Go deeper into networking fundamentals: master the core concepts
Rather than blindly upgrading a wintun.dll, use the opportunity to understand the underlying principles. That knowledge is general: whether Wintun 2.0 or 3.0 comes out later, you will see through to the essence at a glance:
Understand the difference between TAP and TUN: work out why OpenVPN used to use TAP (layer 2, data link, MAC frames) and now recommends TUN/Wintun (layer 3, network, IP packets).
Learn routing and split tunneling: study how to make domestic traffic go direct and specific traffic go through the VPN via the configuration file. Once you have mastered the routing table and CIDR arithmetic, you control where network traffic goes.
3. Improve automation and productivity: make the tools work for you
Spend the trivial time saved from driver tinkering on optimising your workflow:
Infrastructure as code (IaC): try deploying and managing your OpenVPN/WireGuard server with Ansible or docker-compose. Once you know Docker, deploying any service takes seconds, with no manual environment setup.
Scripted operations: write Shell or PowerShell scripts for one-click client connection, automatic reconnection on disconnect, or scheduled configuration backups.
Summary, your new principle: a technologist's "decluttering"
From now on, apply an ROI (return on investment) rule to your technical tinkering.
Move your energy from "upgrading the coating on the car's wiper blades" (tinkering with drivers) to "learning to drive, or getting a sports car" (optimising protocols and architecture). Treat tools as tools: use them to create value instead of being played by the tool itself.