The Complete OpenVPN Rebuild Process

I. Deploying the OpenVPN service

1. Enable IP forwarding and apply it

# add the setting if it is not already present
# grep 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# sysctl -p

2. Install the dependency packages

# yum -y install epel-release
# yum -y install openvpn easy-rsa openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig

3. Copy the sample server configuration into the configuration directory

[root@sanhui_anmi_vpn 14:34 ~]
# cp /usr/share/doc/openvpn-2.4.12/sample/sample-config-files/server.conf /etc/openvpn/

II. Generating the server certificates

1. Copy easy-rsa

[root@sanhui_anmi_vpn 14:34 ~]
# mkdir /etc/openvpn/easy-rsa
[root@sanhui_anmi_vpn 14:34 ~]
# cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
[root@sanhui_anmi_vpn 14:34 ~]
# cd /etc/openvpn/easy-rsa/
[root@sanhui_anmi_vpn 14:35 /etc/openvpn/easy-rsa]
# ls
easyrsa  openssl-easyrsa.cnf  x509-types
[root@sanhui_anmi_vpn 14:35 /etc/openvpn/easy-rsa]
# cp /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars

2. Generate the CA certificate

# adjust the certificate fields as needed; customize them or leave them as they are
[root@sanhui_anmi_vpn 14:36 /etc/openvpn/easy-rsa]
# vim vars
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Zhejiang"
set_var EASYRSA_REQ_CITY        "Hangzhou"
set_var EASYRSA_REQ_ORG         "duyan"
set_var EASYRSA_REQ_EMAIL       "z@dyrj3.wecom.work"
set_var EASYRSA_REQ_OU          "My openvpn"

[root@sanhui_anmi_vpn 14:39 /etc/openvpn/easy-rsa]
# ./easyrsa init-pki # initialize the PKI, creating the directory structure

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

[root@sanhui_anmi_vpn 14:40 /etc/openvpn/easy-rsa]
# ./easyrsa build-ca nopass # create the CA certificate

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
......................................+++
..............................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: # press Enter

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt # path of the CA certificate

3. Generate server.crt

[root@sanhui_anmi_vpn 14:40 /etc/openvpn/easy-rsa]
# ./easyrsa gen-req server nopass

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
....................................+++
................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-2155.NGKx5f/tmp.oB4vWc'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: # press Enter

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key # path of the private key

4. Sign the server certificate

[root@sanhui_anmi_vpn 14:43 /etc/openvpn/easy-rsa]
# ./easyrsa sign server server # the second 'server' is the CN of the server certificate created above; it can be customized

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-2182.ZT93NU/tmp.V3XxlS
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Sep  2 06:44:33 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt
# path of the server certificate

5. Generate the Diffie-Hellman parameters (the command that lets the key exchange cross an untrusted network safely)

[root@sanhui_anmi_vpn 14:44 /etc/openvpn/easy-rsa]
# ./easyrsa gen-dh

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..................+......................+...........................................................+.................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

6. Create the ta key (tls-auth); if you do not use it, disable it in the configuration file

[root@sanhui_anmi_vpn 14:51 /etc/openvpn]
# openvpn --genkey --secret ta.key

7. Create the client certificate

[root@sanhui_anmi_vpn 14:52 /etc/openvpn]
# cd /etc/openvpn/client/
[root@sanhui_anmi_vpn 14:52 /etc/openvpn/client]
# cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/client/
[root@sanhui_anmi_vpn 14:53 /etc/openvpn/client]
# cp /usr/share/doc/easy-rsa-3.0.8/vars.example ./vars

[root@sanhui_anmi_vpn 15:00 /etc/openvpn/client]
# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/client/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/pki 

[root@sanhui_anmi_vpn 15:01 /etc/openvpn/client]
# ./easyrsa gen-req lingchen nopass # lingchen is the certificate name; choose your own

Note: using Easy-RSA configuration from: /etc/openvpn/client/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
........................+++
.............+++
writing new private key to '/etc/openvpn/client/pki/easy-rsa-2407.rz77Y8/tmp.B1uGN5'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [lingchen]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/pki/reqs/lingchen.req
key: /etc/openvpn/client/pki/private/lingchen.key # path of the key

8. Sign the client certificate

[root@sanhui_anmi_vpn 15:02 /etc/openvpn/client]
# cd /etc/openvpn/easy-rsa/
[root@sanhui_anmi_vpn 15:04 /etc/openvpn/easy-rsa]
# ./easyrsa import-req /etc/openvpn/client/pki/reqs/lingchen.req lingchen

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017

The request has been successfully imported with a short name of: lingchen
You may now use this name to perform signing operations on this request.

[root@sanhui_anmi_vpn 15:05 /etc/openvpn/easy-rsa]
# ./easyrsa sign client lingchen
# the first argument 'client' is fixed and marks a client certificate; the second is the name of the imported client request

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
    commonName                = lingchen


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-2469.WwEaRm/tmp.ZP1DNV
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'lingchen'
Certificate is to be certified until Sep  2 07:06:17 2024 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/pki/issued/lingchen.crt # path of the final client certificate

III. Collecting all the certificates

1. Collect the server certificates

[root@sanhui_anmi_vpn 15:08 /etc/openvpn]
# mkdir server_certs
[root@sanhui_anmi_vpn 15:09 /etc/openvpn]
# cd /etc/openvpn/server_certs/
[root@sanhui_anmi_vpn 15:09 /etc/openvpn/certs]
# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/server_certs/
[root@sanhui_anmi_vpn 15:09 /etc/openvpn/certs]
# cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/server_certs/
[root@sanhui_anmi_vpn 15:10 /etc/openvpn/certs]
# cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/server_certs/
[root@sanhui_anmi_vpn 15:10 /etc/openvpn/certs]
# cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/server_certs/

[root@sanhui_anmi_vpn 15:10 /etc/openvpn/certs]
# ll
total 20
-rw------- 1 root root 1172 May 31 15:09 ca.crt
-rw------- 1 root root  424 May 31 15:10 dh.pem
-rw------- 1 root root 4552 May 31 15:10 server.crt
-rw------- 1 root root 1704 May 31 15:10 server.key

2. Collect the client certificates

[root@sanhui_anmi_vpn 15:11 /etc/openvpn]
# mkdir client_certs
[root@sanhui_anmi_vpn 15:12 /etc/openvpn]
# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/client_certs/
[root@sanhui_anmi_vpn 15:14 /etc/openvpn]
# cp /etc/openvpn/easy-rsa/pki/issued/lingchen.crt /etc/openvpn/client_certs/
[root@sanhui_anmi_vpn 15:14 /etc/openvpn]
# cp /etc/openvpn/client/pki/private/lingchen.key /etc/openvpn/client_certs/

[root@sanhui_anmi_vpn 15:15 /etc/openvpn]
# cd client_certs/
[root@sanhui_anmi_vpn 15:16 /etc/openvpn/client_certs]
# ll
total 16
-rw------- 1 root root 1172 May 31 15:14 ca.crt
-rw------- 1 root root 4438 May 31 15:14 lingchen.crt
-rw------- 1 root root 1704 May 31 15:15 lingchen.key
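Before a bundle like the one collected above is handed to a user, it is worth confirming that the certificate really chains to ca.crt, that the key belongs to that certificate, and that the key is still owner-only as the `ll` listing shows. The following shell functions are an added example and are not part of the original post: `verify_bundle` and `make_test_bundle` are names chosen here, and `make_test_bundle` builds a throwaway CA and client certificate with plain openssl purely so the check can be exercised offline; it is not the post's PKI.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a client bundle
# (ca.crt, <name>.crt, <name>.key) such as /etc/openvpn/client_certs/ before
# it leaves the server. Function names are chosen here, not from the post.

# verify_bundle CA_CRT CLIENT_CRT CLIENT_KEY
# Prints one line per check; returns 0 only if every check passes.
verify_bundle() {
    ca="$1"; crt="$2"; key="$3"; rc=0

    # 1. The client certificate must chain to our CA.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok   : $crt is signed by $ca"
    else
        echo "FAIL : $crt does not verify against $ca"; rc=1
    fi

    # 2. The private key must belong to the certificate: compare the public
    #    key embedded in the cert with the one derived from the key file.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "ok   : $key matches $crt"
    else
        echo "FAIL : $key does not match $crt"; rc=1
    fi

    # 3. The key must stay owner-only, like the 0600 modes in the listing above.
    perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$perms" in
        600|400) echo "ok   : $key mode $perms" ;;
        *)       echo "FAIL : $key mode $perms (expected 600)"; rc=1 ;;
    esac
    return $rc
}

# make_test_bundle DIR
# Constructed fixture (not the post's real PKI): a throwaway CA, one client
# certificate signed by it, and an unrelated key for a negative test.
make_test_bundle() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$dir/client1.key" -out "$dir/client1.req" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/client1.req" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client1.crt" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    chmod 600 "$dir"/*.key
}

# Usage against the bundle from the post:
#   verify_bundle /etc/openvpn/client_certs/ca.crt \
#       /etc/openvpn/client_certs/lingchen.crt /etc/openvpn/client_certs/lingchen.key
if [ $# -eq 3 ]; then
    verify_bundle "$@"
fi
```

A mismatched key or a key that has been left group- or world-readable makes `verify_bundle` return non-zero, so it can gate whatever step zips or copies the bundle.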

IV. Editing the configuration files

1. Edit the server configuration file server.conf

[root@iZbp1edjsc1mvzazb3m58mZ openvpn]# grep -vE "^#|^$" server.conf
;local a.b.c.d
local 10.10.10.10
port 1194
;proto tcp
proto udp
dev tap
;dev tun
;dev-node MyTap
ca ./server_certs/ca.crt
cert ./server_certs/server.crt
key ./server_certs/server.key  # This file should be kept secret
dh ./server_certs/dh.pem
topology subnet # subnet topology
server 10.8.24.0 255.255.248.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
client-config-dir ccd
push "route 10.72.146.159 255.255.255.255" # a single host, or a whole subnet
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
comp-lzo
max-clients 1000
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         /var/log/openvpn.log
;log-append  openvpn.log
verb 4 # debug verbosity; 3 is the usual value
;mute 20
explicit-exit-notify 1 # notify clients on exit so they reconnect; the number is the retry count for the notification

[root@sanhui_anmi_vpn 16:14 /etc/openvpn]
# mkdir ccd

V. Starting the server

[root@sanhui_anmi_vpn 16:08 /etc/openvpn]
# systemctl restart openvpn@server
# systemctl enable openvpn@server

# if the status shows it is not running, check the log; that sorts out most problems

VI. Creating the client file: .ovpn (Windows) or client.conf (Linux)

# cat /etc/openvpn/lingchen.conf
client
proto udp
dev tap
remote xxxxx  1194
<ca>
${ca}
</ca>
<cert>
${cert}
</cert>
<key>
${key}
</key>
resolv-retry infinite
nobind
mute-replay-warnings
;ns-cert-type server
remote-cert-tls server
keepalive 20 120
comp-lzo
route-delay 3
persist-key
persist-tun
cipher AES-256-CBC
;status openvpn-status.log
;log-append openvpn.log
verb 4
mute 20
auth-nocache


[root@xxxx 17:12 /etc/openvpn]
# cp lingchen.conf /etc/openvpn/client.conf
# systemctl restart openvpn@client
# systemctl enable openvpn@client


[root@sanhui_anmi_vpn 17:12 /etc/openvpn]
# ping 10.8.8.2
PING 10.8.8.2 (10.8.8.2) 56(84) bytes of data.
64 bytes from 10.8.8.2: icmp_seq=1 ttl=64 time=10.1 ms
64 bytes from 10.8.8.2: icmp_seq=2 ttl=64 time=10.9 ms
64 bytes from 10.8.8.2: icmp_seq=3 ttl=64 time=8.73 ms
^C
--- 10.8.8.2 ping statistics ---

VII. Installing the Windows client (Windows uses a .ovpn file; on Linux the file is named client.conf)

Borrowing a few screenshots from fellow engineers online.

[Screenshots of the Windows client installation; the images did not survive extraction. One original image source: http://majinlei.com/images/pasted-764.png]

That completes the whole OpenVPN setup. If the client keeps failing to connect with errors, try checking the security group settings. Tested personally!

IX. Creating client certificates in bulk

[root@ecs-955f ~]# cat new_client.sh
#!/bin/bash
# Generate, sign and package a client certificate in one go.
# Usage: ./new_client.sh <username>
set -e

Username="$1"
if [ -z "$Username" ]; then
    echo "usage: $0 <username>" >&2
    exit 1
fi

# create the key and request in the client PKI
cd /etc/openvpn/client/easy-rsa/3.0.6
./easyrsa gen-req "$Username" nopass

# import the request into the CA PKI and sign it as a client certificate
cd /etc/openvpn/easy-rsa/3.0.6/
./easyrsa import-req "/etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/$Username.req" "$Username"
./easyrsa sign client "$Username"

# collect CA, certificate, key and a config template into one directory
mkdir -p "/etc/openvpn/client/$Username/"
cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt "/etc/openvpn/client/$Username/"
cp "/etc/openvpn/easy-rsa/3.0.6/pki/issued/$Username.crt" "/etc/openvpn/client/$Username/"
cp "/etc/openvpn/client/easy-rsa/3.0.6/pki/private/$Username.key" "/etc/openvpn/client/$Username/"
cp /etc/openvpn/example.ovpn "/etc/openvpn/client/$Username/$Username.ovpn"
# example.ovpn carries the literal word Username; substitute the real name
sed -i "s|Username|$Username|g" "/etc/openvpn/client/$Username/$Username.ovpn"
cd /etc/openvpn/client/
# -m removes the directory once it has been zipped
zip -r -m "${Username}.zip" "$Username/"

[root@ecs-955f ~]# cat build_vpn.sh
#!/bin/bash
# coding=utf-8
# Non-interactive client build: drives easyrsa with expect, moves the signed
# certificate and key into client_certs, writes the per-client ccd file and
# emits a .conf with CA, certificate and key inlined.
# Usage: ./build_vpn.sh <username> [client-ip]
#   client-ip is an added optional parameter: the original wrote the username
#   into ifconfig-push, which expects an address, not a name.

Username="$1"
ClientIP="$2"

# refuse an empty name or one that already has a request in the client PKI
cd /etc/openvpn/client/pki/reqs
if [ -z "${Username}" ] || [ -e "${Username}.req" ]; then
    echo 'ERROR: a unique, non-empty username is required'
    exit 1
fi
echo "username not in use, continuing build"

#(echo -n `date "+%Y-%m-%d %H:%M:%S----"` && find /etc/openvpn/ -type f -name "index.txt" | xargs cat | grep ${Username}) >> ~/vpn_change_log

cd /etc/openvpn/client/
# gen-req asks for the DN fields; press Enter at every prompt to accept the defaults
/usr/bin/expect <<EOF
spawn ./easyrsa gen-req $Username nopass
expect {
    "." { send "\r"; exp_continue }
}
EOF

cd /etc/openvpn/easy-rsa
./easyrsa import-req "/etc/openvpn/client/pki/reqs/$Username.req" "$Username"
# sign asks "Confirm request details:"; answer yes
/usr/bin/expect <<EOF
spawn ./easyrsa sign client ${Username}
expect "Confirm request details:" { send "yes\r" }
expect eof
EOF

#(echo -n `date "+%Y-%m-%d %H:%M:%S----"` && find /etc/openvpn/ -type f -name "index.txt" | xargs cat | grep ${Username}) >> ~/vpn_change_log

# move the signed certificate and its key into the collected client_certs directory
mv "/etc/openvpn/easy-rsa/pki/issued/$Username.crt" /etc/openvpn/client_certs/
mv "/etc/openvpn/client/pki/private/$Username.key" /etc/openvpn/client_certs/
CA=$(cat /etc/openvpn/client_certs/ca.crt)
CRT=$(cat "/etc/openvpn/client_certs/$Username.crt")
KEY=$(cat "/etc/openvpn/client_certs/$Username.key")

# per-client settings (client-config-dir ccd in server.conf): an optional
# fixed address, plus the route for the VPN subnet
mkdir -p /etc/openvpn/ccd
: > "/etc/openvpn/ccd/${Username}"
if [ -n "${ClientIP}" ]; then
    echo "ifconfig-push ${ClientIP} 255.255.248.0" >> "/etc/openvpn/ccd/${Username}"
fi
echo "push \"route 10.8.24.0 255.255.248.0 10.8.24.1\"" >> "/etc/openvpn/ccd/${Username}"

# client configuration with the CA, certificate and key inlined
mkdir -p /etc/openvpn/client/ovpn
cat > "/etc/openvpn/client/ovpn/$Username.conf" <<EOF
client
proto udp
dev tap
remote 10.10.10.10 1194
<ca>
${CA}
</ca>
<cert>
${CRT}
</cert>
<key>
${KEY}
</key>
resolv-retry infinite
nobind
mute-replay-warnings
# ns-cert-type is deprecated since OpenVPN 2.4; remote-cert-tls replaces it
;ns-cert-type server
remote-cert-tls server
keepalive 20 120
comp-lzo
route-delay 3
persist-key
persist-tun
cipher AES-256-CBC
;status openvpn-status.log
;log-append openvpn.log
verb 4
mute 20
auth-nocache
EOF

X. Revoking a certificate

[root@zbp1oply5q1damu7d4 ~]# cd /etc/openvpn/easy-rsa/3.0.6/
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa revoke yufeng

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


Please confirm you wish to revoke the certificate with the following subject:

subject= 
    commonName                = yufeng


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf
Revoking Certificate B07C203D1F47CACE1881C3EBBA7836B1.
Data Base Updated

IMPORTANT!!!

Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.

[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa gen-crl

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem
At this point the certificate has not been deleted; the crl.pem file needs to be refreshed and applied. You can inspect it at the path shown in the message above, or check the index like this:
[root@zbp1oply5q1damu7d4 3.0.6]# find /etc/openvpn/ -type f -name "index.txt" | xargs cat
V    221027150551Z        A3C8AA65C5ACE512C6C154FA1A0197A1    unknown    /CN=server
V    221027152255Z        D283BEB5C5E8E1F30CF27569263E158B    unknown    /CN=username
R    221028022432Z    191113072909Z    B07C203D1F47CACE1881C3EBBA7836B1    unknown    /CN=yufeng

V means valid, R means revoked. Now edit the server configuration file:

[root@zbp1oply5q1damu7d4 3.0.6]# tail -1 /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem

[root@zbp1oply5q1damu7d4 3.0.6]# systemctl restart openvpn@server

In the end, yufeng can no longer connect to the server. If the certificate needs to be regenerated, delete the revoked certificate files first and then create a new one.

[root@zbp1oply5q1damu7d4 3.0.6]# cd /etc/openvpn/
[root@zbp1oply5q1damu7d4 openvpn]# find . -type f -name "yufeng.*" | xargs rm
[root@zbp1oply5q1damu7d4 openvpn]# ls
certs  client  easy-rsa  example.ovpn  ipp.txt  openvpn.log  openvpn-status.log  server  server.conf  server.conf.bak
[root@zbp1oply5q1damu7d4 openvpn]# cd client/
[root@zbp1oply5q1damu7d4 client]# ls
yufeng  easy-rsa  username
[root@zbp1oply5q1damu7d4 client]# cd yufeng/
[root@zbp1oply5q1damu7d4 dalin]# ls
ca.crt
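The index.txt listing and the crl-verify line above are the two places a revocation has to show up: easyrsa only flips the entry to R, and the server keeps accepting that certificate until server.conf actually references a fresh crl.pem. The following shell functions are an added example and not part of the original post: `list_certs`, `crl_verify_active`, `audit_revocation` and `write_sample_index` are names chosen here, and `write_sample_index` writes a constructed index.txt in the same layout as the listing above so the check can run offline.

```shell
#!/bin/sh
# Added example, not from the original post: check that a revocation has
# actually been enforced. easyrsa revoke only marks the entry R in index.txt;
# until server.conf has an active crl-verify pointing at a current crl.pem
# the revoked certificate is still accepted. Function names are chosen here.

# list_certs INDEX_TXT STATUS   (STATUS is V for valid or R for revoked)
# Prints the CN of every entry with that status, one per line.
list_certs() {
    awk -v want="$2" '$1 == want {
        # the subject is the last column, e.g. /CN=yufeng
        cn = $NF; sub(/^.*\/CN=/, "", cn); print cn
    }' "$1"
}

# crl_verify_active SERVER_CONF
# Succeeds only if a crl-verify line exists that is not commented out with ; or #.
crl_verify_active() {
    grep -Eq '^[[:space:]]*crl-verify[[:space:]]+[^[:space:]]+' "$1"
}

# audit_revocation INDEX_TXT SERVER_CONF
# Returns 0 when nothing is revoked or crl-verify is active; 1 when some
# certificate is marked R but the server has no CRL configured.
audit_revocation() {
    revoked=$(list_certs "$1" R)
    if [ -z "$revoked" ]; then
        echo "ok   : nothing revoked in $1"
        return 0
    fi
    echo "revoked: $(printf '%s' "$revoked" | tr '\n' ' ')"
    if crl_verify_active "$2"; then
        echo "ok   : crl-verify is active in $2"
        return 0
    fi
    echo "FAIL : no active crl-verify in $2; revoked certificates are still accepted"
    return 1
}

# write_sample_index FILE
# Constructed fixture mirroring the index.txt layout shown above
# (status, expiry, revocation date, serial, filename, subject; tab-separated).
write_sample_index() {
    printf 'V\t221027150551Z\t\tA3C8AA65C5ACE512C6C154FA1A0197A1\tunknown\t/CN=server\n' > "$1"
    printf 'V\t221027152255Z\t\tD283BEB5C5E8E1F30CF27569263E158B\tunknown\t/CN=username\n' >> "$1"
    printf 'R\t221028022432Z\t191113072909Z\tB07C203D1F47CACE1881C3EBBA7836B1\tunknown\t/CN=yufeng\n' >> "$1"
}

# Usage against the post's layout:
#   audit_revocation /etc/openvpn/easy-rsa/pki/index.txt /etc/openvpn/server.conf
if [ $# -eq 2 ]; then
    audit_revocation "$@"
fi
```

Run it after every `easyrsa revoke` and `gen-crl`; a non-zero exit means the CRL step described above was skipped and the revoked user can still connect.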


Copyright belongs to lingchen; licensed under the Knowledge Attribution-NonCommercial License. Please credit the source when reposting.

Article link: https://www.yfzblog.cn/devops/61.html
