系统环境:Ubuntu 24.04.3 LTS(/etc/os-release 中 VERSION="24.04.3 LTS (Noble Numbat)",ID_LIKE=debian);
在线安装 OpenVPN 社区版的详细步骤;客户端包括 Windows、iPhone、Mac、Ubuntu 等;证书优化要求:.ovpn 文件内置完整的证书和密钥(ca、cert、key、tls-auth),客户端无需额外文件;
方案一手动命令创建步骤
方案二一键部署生成脚本
定义路径:
根目录:/etc/openvpn
客户端配置:/etc/openvpn/ccd(文件名必须与客户端证书的 CN 完全一致,即 linux、mac、windows、iphone,注意全小写)
客户端证书:/etc/openvpn/client(均以 linux、mac、windows、iphone 加相应后缀命名)
EasyRSA 根目录:/etc/openvpn/easyrsa
服务端:/etc/openvpn/server(均以默认名称生成)
公司Mac地址:192.168.3.0/24
家庭Windows地址:192.168.31.0/24、192.168.1.0/24
外地Linux桌面版地址:192.168.1.0/24(与家庭Windows的其中一个网段重叠,会影响下文的 iroute/路由推送,见 ccd 配置处的说明)
iPhone:公网地址动态变化、不固定,且其后没有需要路由的局域网,因此不为其配置 iroute。
我将为您提供详细的OpenVPN社区版安装配置方案,支持多个客户端并优化证书配置。
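# Refresh the package index and bring the system up to date
sudo apt update && sudo apt upgrade -y
# Install OpenVPN and EasyRSA
sudo apt install openvpn easy-rsa -y
# Create the directory layout (each name on its own line: in the original the
# comment was glued to the brace list, which made mkdir create "server#" etc.)
sudo mkdir -p /etc/openvpn/{server,client,ccd,easyrsa,logs}
# Copy the EasyRSA tooling into its own working directory
sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easyrsa/
cd /etc/openvpn/easyrsa
# Initialise the PKI
sudo ./easyrsa init-pki
# Create the CA (you are prompted for its Common Name).
# NOTE(review): "nopass" leaves the CA private key unencrypted on the VPN
# server itself; anyone who can read pki/private/ca.key can issue client
# certificates. Prefer a passphrase (drop "nopass") or keep the CA offline.
sudo ./easyrsa build-ca nopass
# Server certificate
sudo ./easyrsa gen-req server nopass
sudo ./easyrsa sign-req server server
# Diffie-Hellman parameters
sudo ./easyrsa gen-dh
# Shared HMAC key for tls-auth (server uses direction 0, clients direction 1)
sudo openvpn --genkey secret /etc/openvpn/easyrsa/ta.key
# One certificate per client. The file name becomes the certificate CN, and
# the CN is what OpenVPN looks up under /etc/openvpn/ccd, so keep them equal.
for CLIENT in linux mac windows iphone; do
  sudo ./easyrsa gen-req "$CLIENT" nopass
  sudo ./easyrsa sign-req client "$CLIENT"
done
# Server-side material
sudo cp /etc/openvpn/easyrsa/pki/ca.crt /etc/openvpn/server/
sudo cp /etc/openvpn/easyrsa/pki/issued/server.crt /etc/openvpn/server/
sudo cp /etc/openvpn/easyrsa/pki/private/server.key /etc/openvpn/server/
sudo cp /etc/openvpn/easyrsa/pki/dh.pem /etc/openvpn/server/
sudo cp /etc/openvpn/easyrsa/ta.key /etc/openvpn/server/
# Per-client material. The directories hold private keys, so make them 0700
# (the .key files themselves should already be 0600 as written by EasyRSA).
for CLIENT in linux mac windows iphone; do
  sudo mkdir -p -m 700 "/etc/openvpn/client/$CLIENT"
  sudo cp /etc/openvpn/easyrsa/pki/ca.crt "/etc/openvpn/client/$CLIENT/"
  sudo cp "/etc/openvpn/easyrsa/pki/issued/${CLIENT}.crt" "/etc/openvpn/client/$CLIENT/"
  sudo cp "/etc/openvpn/easyrsa/pki/private/${CLIENT}.key" "/etc/openvpn/client/$CLIENT/"
  sudo cp /etc/openvpn/easyrsa/ta.key "/etc/openvpn/client/$CLIENT/"
done
# Next step: create /etc/openvpn/server/server.conf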
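# Write the server configuration. The closing EOF must stand alone on its
# line: with text appended to it (as in the original) the here-document never
# terminates and swallows the ccd commands that follow.
sudo tee /etc/openvpn/server/server.conf > /dev/null << 'EOF'
port 1194
proto udp
dev tun
# Certificates and keys
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
# HMAC on the control channel; direction 0 here, 1 in the client profiles
tls-auth /etc/openvpn/server/ta.key 0
# VPN network
server 10.8.0.0 255.255.255.0
topology subnet
push "route 10.8.0.0 255.255.255.0"
# Routes to the LANs behind the clients (paired with the iroute entries in ccd/)
# office, behind the mac client
push "route 192.168.3.0 255.255.255.0"
# home, behind the windows client
push "route 192.168.31.0 255.255.255.0"
# used both at home (windows) and at the remote linux site
push "route 192.168.1.0 255.255.255.0"
# Per-client overrides (static address, iroute); file name must equal the cert CN
client-config-dir /etc/openvpn/ccd
keepalive 10 120
# Data channel: negotiate an AEAD cipher (OpenVPN 2.5+; Ubuntu 24.04 ships
# 2.6.x, where a bare "cipher" line is deprecated and ignored for negotiation).
# AES-256-CBC is kept only as a fallback for clients that cannot negotiate.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-version-min 1.2
# Restricts TLS 1.2 suites only (TLS 1.3 uses tls-ciphersuites) and assumes
# RSA keys, which is what the EasyRSA steps above generate by default
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
# Drop privileges once the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log-append /etc/openvpn/logs/openvpn.log
verb 3
mute 20
explicit-exit-notify 1
EOF
# Next step: the client-config-dir (ccd) files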
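# One ccd file per client: fixed VPN address plus the LAN that sits behind it.
# The file name must equal the certificate CN. These files are read on every
# connect, after OpenVPN has dropped to nobody, so they must stay readable by
# everyone (the mode tee creates under the default umask is fine).
# Each here-document terminator must be alone on its line; in the original the
# last one had a comment glued to it and the iphone file never got written.
sudo tee /etc/openvpn/ccd/linux > /dev/null << 'EOF'
ifconfig-push 10.8.0.10 255.255.255.0
iroute 192.168.1.0 255.255.255.0
EOF
sudo tee /etc/openvpn/ccd/mac > /dev/null << 'EOF'
ifconfig-push 10.8.0.20 255.255.255.0
iroute 192.168.3.0 255.255.255.0
EOF
# NOTE(review): 192.168.1.0/24 is claimed by both "linux" and "windows".
# OpenVPN keeps one internal route per subnet, so only one of the two can
# receive that traffic at a time, and the server also pushes a route for this
# range to every client -- including the two whose own LAN it is. Renumber one
# of the sites or drop the duplicate iroute; confirm which client should own it.
sudo tee /etc/openvpn/ccd/windows > /dev/null << 'EOF'
ifconfig-push 10.8.0.30 255.255.255.0
iroute 192.168.31.0 255.255.255.0
iroute 192.168.1.0 255.255.255.0
EOF
# The iPhone has a dynamic address and no LAN behind it: static VPN IP only
sudo tee /etc/openvpn/ccd/iphone > /dev/null << 'EOF'
ifconfig-push 10.8.0.40 255.255.255.0
EOF
# Next step: IP forwarding and firewall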
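# Enable IPv4 forwarding persistently. A drop-in is more robust than editing
# /etc/sysctl.conf in place (the sed only works if the commented line exists).
echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-openvpn-forward.conf > /dev/null
sudo sysctl --system

# --- Option A: UFW ----------------------------------------------------------
# Keep SSH reachable before the firewall is (re)enabled
sudo ufw allow OpenSSH
sudo ufw allow 1194/udp
# UFW's default FORWARD policy is DROP, so without this rule everything
# OpenVPN routes between tun0 and the LANs (or between clients) is discarded.
sudo ufw route allow in on tun0
# Masquerade VPN traffic that leaves the server. UFW owns the iptables
# ruleset, so the rule goes into /etc/ufw/before.rules rather than into
# iptables-save output, which UFW would overwrite. Only needed when the
# server itself must NAT (e.g. internet egress or a LAN directly behind it):
# hosts on the LANs behind the *clients* still need a route back to
# 10.8.0.0/24, or NAT on that client, for the iroute setup to work.
if ! sudo grep -q -- '-s 10.8.0.0/24 -j MASQUERADE' /etc/ufw/before.rules; then
  sudo cp /etc/ufw/before.rules /etc/ufw/before.rules.bak
  { printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
      '-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE' 'COMMIT' ''
    sudo cat /etc/ufw/before.rules.bak; } | sudo tee /etc/ufw/before.rules > /dev/null
fi
# --force answers the interactive prompt; if UFW is already on this reloads it
sudo ufw --force enable

# --- Option B: plain iptables (do not combine with UFW) --------------------
# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# sudo iptables -A FORWARD -i tun0 -j ACCEPT
# Persisting the rules needs iptables-persistent (it provides /etc/iptables/),
# and the redirection must run as root too -- "sudo cmd > file" writes the
# file as the calling user and fails with permission denied:
# sudo apt install -y iptables-persistent
# sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
# Next step: build one .ovpn per client with everything embedded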
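#######################################
# Build a self-contained .ovpn profile for one client (CA, certificate, private
# key and tls-auth key embedded) and store it as
# /etc/openvpn/client/NAME/NAME.ovpn with mode 0600.
# Arguments: $1 - client name (linux, mac, windows, iphone)
# Returns:   non-zero if the public address cannot be determined
# Notes:     every file access goes through sudo: the key material under
#            /etc/openvpn/client/ is root-owned 0600, so the unprivileged
#            "cat" of the original silently yielded an empty <key> section.
#            The profile is created in place with restrictive permissions
#            instead of via a world-readable file in /tmp.
#######################################
create_ovpn_config() {
  local client=$1
  local cdir=/etc/openvpn/client/${client}
  local out=${cdir}/${client}.ovpn
  local server_ip

  # Address the clients connect to. This is an unauthenticated HTTP lookup:
  # fail on HTTP errors and accept only a dotted quad, so an error page can
  # never end up in the "remote" line.
  server_ip=$(curl -fsS --max-time 10 ifconfig.me) || return 1
  if [[ ! "$server_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf 'create_ovpn_config: unexpected public address "%s"\n' "$server_ip" >&2
    return 1
  fi

  # Create the target 0600 first, then fill it (tee keeps the mode).
  sudo install -m 600 -o root -g root /dev/null "$out"
  cat << EOF | sudo tee "$out" > /dev/null
client
dev tun
proto udp
remote ${server_ip} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a peer whose certificate was not issued with the server role
remote-cert-tls server
tls-version-min 1.2
# Negotiate an AEAD data cipher (OpenVPN 2.5+ / OpenVPN Connect 3)
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
# tls-auth direction: server side is 0, clients are 1
key-direction 1
verb 3
mute 20
<ca>
$(sudo cat "${cdir}/ca.crt")
</ca>
<cert>
$(sudo cat "${cdir}/${client}.crt")
</cert>
<key>
$(sudo cat "${cdir}/${client}.key")
</key>
<tls-auth>
$(sudo cat "${cdir}/ta.key")
</tls-auth>
EOF
}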
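# Build a profile for every client. "done" must be alone on its line: in the
# original the following comment was glued to it, which bash rejects.
for CLIENT in linux mac windows iphone; do
  create_ovpn_config "$CLIENT"
done
# Next step: start the OpenVPN service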
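# Start the server instance now and on every boot
sudo systemctl enable --now openvpn-server@server
# Confirm it came up, then follow the log (the log path must not have text
# appended to it, as the original line did)
sudo systemctl status openvpn-server@server
sudo tail -f /etc/openvpn/logs/openvpn.log
# --- Option 2: one-shot deployment script; save the following as install_openvpn.sh ---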
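#!/usr/bin/env bash
# OpenVPN one-shot deployment for Ubuntu 24.04: packages, PKI, server
# configuration and ccd files (steps 1-7); client profiles, firewall and
# service start follow below (steps 8-10). Must run as root.
# Re-running the script re-initialises the PKI and therefore invalidates
# every certificate issued so far.
set -euo pipefail

CLIENTS=(linux mac windows iphone)

echo "=== OpenVPN服务器一键部署 ==="
# Everything below calls apt and writes under /etc; fail early if unprivileged.
if [[ $EUID -ne 0 ]]; then
  echo "请以root身份运行此脚本: sudo ./install_openvpn.sh" >&2
  exit 1
fi

# 1. Packages
echo "[1/10] 安装OpenVPN和依赖..."
apt update
apt install -y openvpn easy-rsa curl ufw

# 2. Directory layout
echo "[2/10] 创建目录结构..."
mkdir -p /etc/openvpn/{server,client,ccd,easyrsa,logs}

# 3. PKI. --batch answers every prompt. The CA's CN is passed only to build-ca
#    so that the client requests keep their file name as CN (ccd depends on it).
echo "[3/10] 配置EasyRSA..."
cp -r /usr/share/easy-rsa/* /etc/openvpn/easyrsa/
cd /etc/openvpn/easyrsa
./easyrsa --batch init-pki
# NOTE(review): "nopass" stores the CA key unencrypted on the VPN host; anyone
# who can read pki/private/ca.key can issue client certificates. Acceptable
# for a lab; otherwise protect it with a passphrase or keep the CA offline.
./easyrsa --batch --req-cn=OpenVPN-CA build-ca nopass
./easyrsa --batch gen-req server nopass
./easyrsa --batch sign-req server server
./easyrsa --batch gen-dh
openvpn --genkey secret /etc/openvpn/easyrsa/ta.key
# Initial (empty) CRL so that "./easyrsa revoke" can take effect later.
# EasyRSA's default CRL lifetime is 180 days and OpenVPN rejects *every*
# client once the CRL has expired, so issue it for 10 years and regenerate
# it after each revocation.
EASYRSA_CRL_DAYS=3650 ./easyrsa --batch gen-crl

# 4. Client certificates; the file name becomes the CN and must match ccd/<name>
echo "[4/10] 生成客户端证书..."
for client in "${CLIENTS[@]}"; do
  ./easyrsa --batch gen-req "$client" nopass
  ./easyrsa --batch sign-req client "$client"
done

# 5. Install the material with explicit modes. Files OpenVPN reads after it
#    has dropped to nobody (crl.pem, ccd/*) must be world-readable; keys that
#    are loaded at start-up (persist-key) stay root-only.
echo "[5/10] 复制证书文件..."
install -m 644 pki/ca.crt /etc/openvpn/server/ca.crt
install -m 644 pki/issued/server.crt /etc/openvpn/server/server.crt
install -m 600 pki/private/server.key /etc/openvpn/server/server.key
install -m 600 pki/dh.pem /etc/openvpn/server/dh.pem
install -m 600 ta.key /etc/openvpn/server/ta.key
install -m 644 pki/crl.pem /etc/openvpn/server/crl.pem
# Per-client directories hold private keys: 0700
for client in "${CLIENTS[@]}"; do
  install -d -m 700 "/etc/openvpn/client/$client"
  install -m 644 pki/ca.crt "/etc/openvpn/client/$client/ca.crt"
  install -m 644 "pki/issued/$client.crt" "/etc/openvpn/client/$client/$client.crt"
  install -m 600 "pki/private/$client.key" "/etc/openvpn/client/$client/$client.key"
  install -m 600 ta.key "/etc/openvpn/client/$client/ta.key"
done

# 6. Server configuration
echo "[6/10] 配置服务器..."
cat > /etc/openvpn/server/server.conf << 'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
# HMAC on the control channel; direction 0 here, 1 in the client profiles
tls-auth /etc/openvpn/server/ta.key 0
# Reject revoked client certificates (CRL is re-read on each connect)
crl-verify /etc/openvpn/server/crl.pem
server 10.8.0.0 255.255.255.0
topology subnet
push "route 10.8.0.0 255.255.255.0"
# LANs behind the clients (paired with the iroute entries in ccd/)
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.31.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"
client-config-dir /etc/openvpn/ccd
keepalive 10 120
# AEAD data ciphers negotiated with OpenVPN 2.5+ clients; CBC only as fallback
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-version-min 1.2
# TLS 1.2 suites only; assumes the RSA keys generated above
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log-append /etc/openvpn/logs/openvpn.log
verb 3
mute 20
explicit-exit-notify 1
EOF

# 7. Static VPN addresses and the LAN behind each client (file name == cert CN).
#    NOTE(review): 192.168.1.0/24 is claimed by both linux and windows; OpenVPN
#    keeps one internal route per subnet, so only one of them can own it at a
#    time, and the same range is pushed to every client including those two.
#    Renumber one site or drop the duplicate iroute.
echo "[7/10] 配置客户端静态IP..."
cat > /etc/openvpn/ccd/linux << 'EOF'
ifconfig-push 10.8.0.10 255.255.255.0
iroute 192.168.1.0 255.255.255.0
EOF
cat > /etc/openvpn/ccd/mac << 'EOF'
ifconfig-push 10.8.0.20 255.255.255.0
iroute 192.168.3.0 255.255.255.0
EOF
cat > /etc/openvpn/ccd/windows << 'EOF'
ifconfig-push 10.8.0.30 255.255.255.0
iroute 192.168.31.0 255.255.255.0
iroute 192.168.1.0 255.255.255.0
EOF
cat > /etc/openvpn/ccd/iphone << 'EOF'
ifconfig-push 10.8.0.40 255.255.255.0
EOF

# 8. Client profiles
echo "[8/10] 生成客户端配置文件..."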
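#######################################
# Print the address clients should connect to: the public IPv4 reported by
# ifconfig.me, falling back to the host's first local address (LAN-only use).
# The web lookup is unauthenticated and may return an error page instead of an
# address (the original used whatever came back), so the answer is accepted
# only when it looks like a dotted quad.
# Outputs: one IPv4 address on stdout
# Returns: 1 if neither source yields an address
#######################################
get_public_ip() {
  local ip
  ip=$(curl -fs --max-time 10 ifconfig.me 2>/dev/null || true)
  if [[ ! "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    ip=$(hostname -I | awk '{print $1}')
  fi
  [[ -n "$ip" ]] || return 1
  printf '%s\n' "$ip"
}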
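PUBLIC_IP=$(get_public_ip)
# Each profile embeds the client's private key, so it must not be created with
# the default 0644: create it 0600 first, then write into it.
for CLIENT in linux mac windows iphone; do
  CDIR=/etc/openvpn/client/${CLIENT}
  OVPN=${CDIR}/${CLIENT}.ovpn
  install -m 600 /dev/null "$OVPN"
  cat > "$OVPN" << EOF
client
dev tun
proto udp
remote ${PUBLIC_IP} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a peer whose certificate was not issued with the server role
remote-cert-tls server
tls-version-min 1.2
# Negotiate an AEAD data cipher (OpenVPN 2.5+ / OpenVPN Connect 3)
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
# tls-auth direction: server side is 0, clients are 1
key-direction 1
verb 3
mute 20
<ca>
$(cat "${CDIR}/ca.crt")
</ca>
<cert>
$(cat "${CDIR}/${CLIENT}.crt")
</cert>
<key>
$(cat "${CDIR}/${CLIENT}.key")
</key>
<tls-auth>
$(cat "${CDIR}/ta.key")
</tls-auth>
EOF
done

# 9. Forwarding and firewall
echo "[9/10] 配置网络转发和防火墙..."
# A sysctl drop-in is more robust than editing /etc/sysctl.conf in place
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-openvpn-forward.conf
sysctl --system > /dev/null
# Keep SSH reachable before enabling the firewall
ufw allow OpenSSH
ufw allow 1194/udp
# UFW's default FORWARD policy is DROP: without this rule all traffic OpenVPN
# routes between tun0 and the LANs (or between clients) is silently discarded.
ufw route allow in on tun0
# NAT is deliberately not configured here: whether VPN traffic must be
# masqueraded, and on which host, depends on the site topology. Hosts on the
# LANs behind each client need a route back to 10.8.0.0/24 or NAT on that
# client for the iroute setup to work.
ufw --force enable

# 10. Service
echo "[10/10] 启动服务..."
systemctl enable --now openvpn-server@server

echo "=== 部署完成 ==="
echo "客户端配置文件位置:"
for CLIENT in linux mac windows iphone; do
  echo "/etc/openvpn/client/${CLIENT}/${CLIENT}.ovpn"
done
echo ""
echo "请将对应的.ovpn文件下载到相应设备使用(文件内含私钥,请通过加密渠道传输)"
echo "服务器公网IP: ${PUBLIC_IP}"
# --- Using the script ---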
# Make the installer executable
chmod +x install_openvpn.sh
# Then run it as root: it installs packages and writes under /etc (next line)
sudo ./install_openvpn.sh
Windows:安装 OpenVPN GUI
将 windows.ovpn 复制到 C:\Program Files\OpenVPN\config\
连接即可
安装Tunnelblick
双击 mac.ovpn 导入配置
连接即可
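# Ubuntu desktop: install the client, then run the profile in the foreground.
# The profile path must not have text appended to it (the original line did).
sudo apt install openvpn
# The profile contains your private key: keep it readable only by you
chmod 600 linux.ovpn
sudo openvpn --config linux.ovpn
# --- iPhone: install OpenVPN Connect ---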
通过 AirDrop(或加密后的邮件附件)把 iphone.ovpn 发送到手机;该文件内含客户端私钥,不要以明文邮件分发
在OpenVPN应用中导入并连接
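# Service status
sudo systemctl status openvpn-server@server
# Server log
sudo tail -f /etc/openvpn/logs/openvpn.log
# Connected clients, their addresses and learned routes
sudo cat /etc/openvpn/logs/openvpn-status.log
# Restart after a configuration change
sudo systemctl restart openvpn-server@server

# Revoke a client (lost device, departed user). Replace NAME with the client
# name. Revocation is only enforced when the server config contains
# "crl-verify /etc/openvpn/server/crl.pem"; the CRL is re-read after OpenVPN
# has dropped to nobody, so install it world-readable (0644).
# NOTE: EasyRSA's default CRL lifetime is 180 days and OpenVPN refuses every
# client once the CRL has expired -- regenerate it (gen-crl) before then.
cd /etc/openvpn/easyrsa
sudo ./easyrsa revoke NAME
sudo env EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
sudo install -m 644 pki/crl.pem /etc/openvpn/server/crl.pem
sudo systemctl restart openvpn-server@server

# Issue a new client certificate. The file name becomes the CN; afterwards
# create /etc/openvpn/ccd/<name> and generate its .ovpn as in the steps above.
cd /etc/openvpn/easyrsa
sudo ./easyrsa gen-req newclient nopass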
sudo ./easyrsa sign-req client newclient
这个配置已经优化了证书管理:所有证书和密钥都内嵌在 .ovpn 文件中,客户端无需额外文件即可直接使用;每个客户端都有固定的 VPN 地址和对应的网络路由。注意:.ovpn 内含客户端私钥,分发和保存时应视为机密(文件权限 600,不要通过未加密的渠道发送);新增客户端后还需创建对应的 ccd 文件并按上文步骤生成其 .ovpn,吊销证书请使用 ./easyrsa revoke 并重新生成 CRL。