Environment:
1. Online cloud server: details below
2. OpenVPN version: 2.4.7
3. easy-rsa version: 3.0.3 (the EPEL package used in the transcript below installs into /usr/share/easy-rsa/3.0.6; the alternative commands further down show the 3.0.3 paths)
[root@zbp1oply5q1damu7d4 ~]# uname -r
3.10.0-862.el7.x86_64
[root@zbp1oply5q1damu7d4 ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@zbp1oply5q1damu7d4 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:ad:66:86 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.7/20 brd 172.17.15.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fead:6686/64 scope link
valid_lft forever preferred_lft forever
OpenVPN setup
1. Preparing the environment
Everything here is installed with yum, so the EPEL repository is needed first:
[root@zbp1oply5q1damu7d4 ~]# yum -y install epel-release
[root@zbp1oply5q1damu7d4 ~]# yum -y install openvpn easy-rsa openssl-devel lzo lzo-devel pam pam-devel automake pkgconfig
2. Configuring easy-rsa 3.0
2.1 Copy the files
[root@zbp1oply5q1damu7d4 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/easy-rsa
[root@zbp1oply5q1damu7d4 ~]# cd /etc/openvpn/easy-rsa/
[root@zbp1oply5q1damu7d4 easy-rsa]# rm 3 3.0 #3 and 3.0 are only version aliases of the same 3.0.6 tree
[root@zbp1oply5q1damu7d4 easy-rsa]# cd 3.0.6/
[root@zbp1oply5q1damu7d4 3.0.6]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
#After a normal easy-rsa 3.0 install, vars.example lives in /usr/share/doc/easy-rsa-3.0.6/
#Alternatively:
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/3.0.6/* /etc/openvpn/easy-rsa/
# Edit vars. These only set the default DN fields; the CN is asked for when each request is created
set_var EASYRSA_REQ_COUNTRY "CN" #country
set_var EASYRSA_REQ_PROVINCE "Zhejiang" #province
set_var EASYRSA_REQ_CITY "hangzhou" #city
set_var EASYRSA_REQ_ORG "along" #organization
set_var EASYRSA_REQ_EMAIL "z@dyrj3.wecom.work" #e-mail
set_var EASYRSA_REQ_OU "My Openvpn" #organizational unit
# Certificate lifetime defaults to 1080 days (EASYRSA_CERT_EXPIRE) and the CRL lifetime to 180 days (EASYRSA_CRL_DAYS); both can be overridden in this file
2.2 Create a new PKI and CA
[root@zbp1oply5q1damu7d4 3.0.6]# pwd
/etc/openvpn/easy-rsa/3.0.6
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3.0.6/pki
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa build-ca nopass #nopass leaves the CA key without a passphrase and creates the new CA. Anyone who can read pki/private/ca.key can then sign arbitrary client certificates, so either drop nopass or keep that directory tightly restricted
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
...........+++
.....+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: (press Enter to accept the default)
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3.0.6/pki/ca.crt
2.3 Create the server certificate
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.........................................................+++
......+++
writing new private key to '/etc/openvpn/easy-rsa/3.0.6/pki/private/server.key.fuIrNtJQL9'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]: (press Enter)
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3.0.6/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3.0.6/pki/private/server.key
2.4 Sign the server certificate
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 1080 days:
subject=
commonName = server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Oct 27 15:05:51 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.6/pki/issued/server.crt
2.5 Generate the Diffie-Hellman parameters. dh.pem holds the group parameters used for the ephemeral DH key exchange in the TLS handshake; it is not a key and contains nothing secret. (OpenVPN 2.4 can use ECDH instead, with "dh none".)
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
................................................+...................................................................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem
The server side is now complete; next, the client certificate.
3. Creating client certificates
3.1 Copy the files again, this time for the client. Keeping a second PKI directory for clients mirrors the intended easy-rsa workflow: the private key stays where it is generated and only the request (.req) is handed to the CA for signing.
[root@zbp1oply5q1damu7d4 ~]# cp -r /usr/share/easy-rsa/ /etc/openvpn/client/
[root@zbp1oply5q1damu7d4 ~]# cd /etc/openvpn/client/easy-rsa
[root@zbp1oply5q1damu7d4 easy-rsa]# cd 3.0.6/
[root@zbp1oply5q1damu7d4 3.0.6]# find / -type f -name "vars.example" | xargs -i cp {} . && mv vars.example vars
[root@zbp1oply5q1damu7d4 3.0.6]# ls
easyrsa openssl-easyrsa.cnf vars x509-types
#Alternatively (all later paths then change, because there is no 3.0.6 directory):
[root@localhost client]# cp -r /usr/share/easy-rsa/3.0.3/* /etc/openvpn/client
[root@localhost client]# cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars
3.2 Generate the certificate request
[root@zbp1oply5q1damu7d4 3.0.6]# pwd
/etc/openvpn/client/easy-rsa/3.0.6
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa init-pki #create a new PKI on the client side
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/client/easy-rsa/3.0.6/pki
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa gen-req yufeng nopass #create the client request; the name is arbitrary, and again the key gets no passphrase
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
....................................+++
.....+++
writing new private key to '/etc/openvpn/client/easy-rsa/3.0.6/pki/private/yufeng.key.Ur500mUeHr'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [yufeng]: (press Enter)
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/yufeng.req
key: /etc/openvpn/client/easy-rsa/3.0.6/pki/private/yufeng.key
3.3 Sign the client certificate
#Switch to the server-side (CA) easy-rsa directory:
cd /etc/openvpn/easy-rsa/3.0.6
#Import the request (only the .req crosses over; the client key stays in the client PKI)
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa import-req /etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/yufeng.req yufeng
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
The request has been successfully imported with a short name of: yufeng
You may now use this name to perform signing operations on this request.
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa sign client yufeng
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 1080 days:
subject=
commonName = yufeng
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'yufeng'
Certificate is to be certified until Oct 27 15:22:55 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3.0.6/pki/issued/yufeng.crt
4. Collecting the certificates
All server and client certificates have now been generated.
First collect what the server needs:
[root@zbp1oply5q1damu7d4 3.0.6]# mkdir /etc/openvpn/certs
[root@zbp1oply5q1damu7d4 3.0.6]# cd /etc/openvpn/certs
[root@zbp1oply5q1damu7d4 certs]# cp /etc/openvpn/easy-rsa/3.0.6/pki/dh.pem .
[root@zbp1oply5q1damu7d4 certs]# cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt .
[root@zbp1oply5q1damu7d4 certs]# cp /etc/openvpn/easy-rsa/3.0.6/pki/issued/server.crt .
[root@zbp1oply5q1damu7d4 certs]# cp /etc/openvpn/easy-rsa/3.0.6/pki/private/server.key .
[root@zbp1oply5q1damu7d4 certs]# ll
total 20
-rw------- 1 root root 1172 Nov 12 23:26 ca.crt
-rw------- 1 root root 424 Nov 12 23:26 dh.pem
-rw------- 1 root root 4552 Nov 12 23:26 server.crt
-rw------- 1 root root 1704 Nov 12 23:26 server.key
Then collect what the client needs:
[root@zbp1oply5q1damu7d4 certs]# mkdir /etc/openvpn/client/yufeng
[root@zbp1oply5q1damu7d4 certs]# cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt /etc/openvpn/client/yufeng/
[root@zbp1oply5q1damu7d4 certs]# cp /etc/openvpn/easy-rsa/3.0.6/pki/issued/yufeng.crt /etc/openvpn/client/yufeng/
[root@zbp1oply5q1damu7d4 certs]# cp /etc/openvpn/client/easy-rsa/3.0.6/pki/private/yufeng.key /etc/openvpn/client/yufeng/
[root@zbp1oply5q1damu7d4 certs]# cd /etc/openvpn/client/yufeng/
[root@zbp1oply5q1damu7d4 yufeng]# ll
total 16
-rw------- 1 root root 1172 Nov 12 23:28 ca.crt
-rw------- 1 root root 4438 Nov 12 23:29 yufeng.crt
-rw------- 1 root root 1704 Nov 12 23:29 yufeng.key
#The client is still missing its most important piece, the configuration file; see below
5. Server configuration file
[root@zbp1oply5q1damu7d4 openvpn]# vim server.conf
local 172.17.0.7 #listen address
port 1194 #port
proto udp #protocol OpenVPN uses; UDP is the default and the better choice for a tunnel. Use TCP only where UDP is blocked on the path, since TCP-in-TCP degrades badly under packet loss
dev tun #tap mode is bridging: software emulates a tap device, a layer-2 device that also carries link-layer protocols.
#tun mode is routing: software emulates a tun interface, a point-to-point device at the IP layer.
ca /etc/openvpn/certs/ca.crt #CA certificate, produced by build-ca; the server checks every client certificate against it.
cert /etc/openvpn/certs/server.crt #the server's certificate
key /etc/openvpn/certs/server.key #the server's private key; access to this file must be strictly controlled.
dh /etc/openvpn/certs/dh.pem #Diffie-Hellman parameters.
topology subnet
server 10.8.0.0 255.255.255.0 #address pool handed out to clients
ifconfig-pool-persist /etc/openvpn/ipp.txt #records which client got which virtual IP, so that after an OpenVPN restart a reconnecting client is given the address it had before.
push "route 10.70.0.0 255.255.0.0"
push "route 10.72.0.0 255.255.0.0"
push "route 10.73.0.0 255.255.0.0"
push "route 10.79.0.0 255.255.0.0"
push "route 10.80.0.0 255.255.0.0"
push "route 10.81.0.0 255.255.0.0"
push "route 10.82.0.0 255.255.0.0"
push "route 172.17.0.0 255.255.255.0" #one push line per network segment behind the cloud server. Check the mask: eth0 above is 172.17.0.7/20, so 255.255.255.0 only covers 172.17.0.0/24; 255.255.240.0 covers the whole /20
client-to-client #lets clients reach each other; by default they cannot. Leave it off unless that is actually needed
keepalive 10 120
;cipher AES-256-CBC #commented out here; two 2.4 peers still negotiate AES-256-GCM through NCP, but an explicit cipher and auth line avoids falling back to the BF-CBC default with older clients
comp-lzo #enables compression; the client config needs it too. Compression lets an attacker who controls part of the plaintext recover secrets (VORACLE), so drop it unless you really need it
;max-clients 70 #maximum number of concurrent clients
user nobody #user and group OpenVPN drops to after start-up.
group nobody
persist-key #on a restart after a keepalive timeout, keep the keys already loaded rather than re-reading them (required once privileges are dropped, since nobody cannot read server.key)
persist-tun #on a restart after a keepalive timeout, keep the tun/tap device up instead of taking it down and bringing it back.
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3 #log verbosity
crl-verify /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem #generate this file with gen-crl (section 10) before enabling the line. OpenVPN re-reads a changed CRL only if the process user (nobody) can read it, and easy-rsa writes its files as 0600 root (see the ll listing above), so restarting the service after each gen-crl, as in section 10, is the reliable way to apply a new CRL
6. Starting the service
[root@zbp1oply5q1damu7d4 openvpn]# systemctl start openvpn@server
[root@zbp1oply5q1damu7d4 openvpn]# systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@zbp1oply5q1damu7d4 openvpn]# ps -aux | grep openvpn
openvpn 11359 0.0 0.2 77104 3996 ? Ss 00:03 0:00 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
root 11390 0.0 0.0 112708 980 pts/0 R+ 00:04 0:00 grep --color=auto openvpn
If the service starts without a process appearing and without any error, look at the log:
[root@zbp1oply5q1damu7d4 openvpn]# cat openvpn.log
Tue Nov 12 23:53:19 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Nov 12 23:53:19 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Tue Nov 12 23:53:20 2019 RESOLVE: Cannot resolve host address: 172.17.0.:1194 (Name or service not known)
Tue Nov 12 23:53:20 2019 Exiting due to fatal error
Tue Nov 12 23:54:30 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Nov 12 23:54:30 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Tue Nov 12 23:54:30 2019 RESOLVE: Cannot resolve host address: 172.17.0.:1194 (Name or service not known)
Tue Nov 12 23:54:30 2019 Exiting due to fatal error
Tue Nov 12 23:54:44 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Nov 12 23:54:44 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Tue Nov 12 23:54:44 2019 RESOLVE: Cannot resolve host address: 172.17.0.:1194 (Name or service not known)
Tue Nov 12 23:54:44 2019 Exiting due to fatal error
Tue Nov 12 23:55:31 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Nov 12 23:55:31 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Tue Nov 12 23:55:31 2019 RESOLVE: Cannot resolve host address: 172.17.0.:1194 (Name or service not known)
Tue Nov 12 23:55:31 2019 Exiting due to fatal error
Wed Nov 13 00:02:19 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Nov 13 00:02:19 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Wed Nov 13 00:02:19 2019 RESOLVE: Cannot resolve host address: 172.17.0.:1194 (Name or service not known)
Wed Nov 13 00:02:19 2019 Exiting due to fatal error
Wed Nov 13 00:02:28 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Nov 13 00:02:28 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Wed Nov 13 00:02:28 2019 RESOLVE: Cannot resolve host address: 172.17.0.:1194 (Name or service not known)
Wed Nov 13 00:02:28 2019 Exiting due to fatal error
Wed Nov 13 00:02:31 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Nov 13 00:02:31 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Wed Nov 13 00:02:31 2019 RESOLVE: Cannot resolve host address: 172.17.0.:1194 (Name or service not known)
Wed Nov 13 00:02:31 2019 Exiting due to fatal error
#It would not come up at first; a look at the log showed the IP address in server.conf had been typed wrong.
7. Creating the .ovpn file for a user
This is the crucial part: handing the user only the three certificate files is useless, they cannot connect without a profile.
[root@zbp1oply5q1damu7d4 yufeng]# cp /etc/openvpn/example.ovpn .
[root@zbp1oply5q1damu7d4 yufeng]# vim example.ovpn
client
proto udp
dev tun
remote 122.51.223.173 1194
ca ca.crt
cert Username.crt
key Username.key #Username is a placeholder for the certificate the user downloaded; the script in section 9 substitutes the real name
resolv-retry infinite
nobind
mute-replay-warnings
;ns-cert-type server #deprecated; remote-cert-tls below replaces it
remote-cert-tls server #refuse the connection unless the peer certificate carries the server EKU. That is what "sign server" put into server.crt above, and it stops a stolen client certificate from being used to impersonate the server
keepalive 20 120
comp-lzo #must match the server; if you remove it there, remove it here too
route-delay 3
persist-key
persist-tun
status openvpn-status.log
;log-append openvpn.log
verb 3
mute 20
auth-nocache
8. Installing the Windows client
Note: because of editing problems, the screenshots here are borrowed from others on the web.
(image: Windows client installation screenshot, originally at http://majinlei.com/images/pasted-764.png; not preserved)
That is the complete OpenVPN setup. If the client keeps failing to connect, check the cloud server's security group: inbound UDP 1194 (the proto and port configured above) has to be allowed. Tested!
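The server.conf in section 5 and the .ovpn in section 7 work, but they accept TLS handshakes from anyone (no tls-auth/tls-crypt), leave the cipher to the default, keep compression on and push a route whose mask does not match eth0. The script below is added here as an example and is not part of the original post: it writes a hardened pair of configs for the same setup and includes a small checker that flags those weak settings in any OpenVPN config. Paths under /etc/openvpn/certs, the listen address and the public address 122.51.223.173 come from the page; ta.key and /etc/openvpn/certs/crl.pem are assumed file names (ta.key is produced by the openvpn --genkey command in the comment), and the push lines are cut down to the single one for 172.17.0.0/20.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): hardened versions of the
# section 5 server.conf and section 7 .ovpn, plus a checker for weak settings.
# Assumed file names: /etc/openvpn/certs/ta.key (tls-crypt key) and
# /etc/openvpn/certs/crl.pem (a readable copy of pki/crl.pem).
set -eu

# Write the hardened server config to the path given as $1.
write_server_conf() {
  cat > "$1" <<'EOF'
local 172.17.0.7
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
# tls-crypt encrypts and authenticates the control channel with a pre-shared
# key, so packets from anyone without ta.key are dropped before TLS starts.
# Create it once with: openvpn --genkey --secret /etc/openvpn/certs/ta.key
tls-crypt /etc/openvpn/certs/ta.key
# Pin cipher, HMAC and TLS floor instead of relying on defaults / negotiation
cipher AES-256-GCM
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM
tls-version-min 1.2
# Accept only certificates issued with "sign-req client"
remote-cert-tls client
# Copy of pki/crl.pem made readable for the nobody user; restart after each gen-crl
crl-verify /etc/openvpn/certs/crl.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
# eth0 is 172.17.0.7/20, so the mask is 255.255.240.0, not 255.255.255.0
push "route 172.17.0.0 255.255.240.0"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
# Deliberately absent: comp-lzo (compression leaks plaintext, VORACLE) and
# client-to-client (enable only if clients really must reach each other).
EOF
}

# Write the matching client profile to $1 for the certificate named $2.
write_client_conf() {
  cat > "$1" <<EOF
client
proto udp
dev tun
remote 122.51.223.173 1194
ca ca.crt
cert $2.crt
key $2.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-nocache
EOF
}

# Print one line per weak setting found in config $1 (nothing for a clean file).
# Lines commented out with ";" or "#" are ignored, as OpenVPN itself ignores them.
weak_settings() {
  local f="$1"
  grep -Eq '^[[:space:]]*comp-lzo' "$f" && echo "$f: compression enabled (comp-lzo)"
  grep -Eq '^[[:space:]]*cipher[[:space:]]' "$f" || echo "$f: no explicit cipher (BF-CBC default if NCP is unavailable)"
  grep -Eq '^[[:space:]]*(tls-crypt|tls-auth)[[:space:]]' "$f" || echo "$f: control channel unprotected (no tls-crypt/tls-auth)"
  grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]' "$f" || echo "$f: peer role not checked (no remote-cert-tls)"
  grep -Eq '^[[:space:]]*ns-cert-type' "$f" && echo "$f: deprecated ns-cert-type in use"
  return 0
}

# Number of findings, for use in scripts: [ "$(count_findings f)" -eq 0 ] || exit 1
count_findings() {
  weak_settings "$1" | grep -c . || true
}
```

Run write_server_conf /etc/openvpn/server.conf on the server, copy ta.key next to ca.crt on both sides, and run weak_settings on any config before deploying it; it prints one line per finding and nothing for a clean file. Keep an explicit cipher/auth pair in the client profile as well, so a downgraded negotiation is visible as a connection failure rather than a silent fallback.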
9. Creating client certificates in bulk
There is a small problem here: you still have to press Enter and type yes, and I could not get rid of that; I tried expect and the like.
[root@ecs-955f ~]# cat new_client.sh
#!/bin/bash
# Usage: ./new_client.sh <username>
# gen-req still asks for the CN (press Enter) and sign asks for "yes".
set -e
Username="$1"
[ -n "$Username" ] || { echo "usage: $0 <username>" >&2; exit 1; }
# 1. key and request in the client-side PKI
cd /etc/openvpn/client/easy-rsa/3.0.6
./easyrsa gen-req "$Username" nopass
# 2. import and sign in the CA-side PKI
cd /etc/openvpn/easy-rsa/3.0.6/
./easyrsa import-req "/etc/openvpn/client/easy-rsa/3.0.6/pki/reqs/$Username.req" "$Username"
./easyrsa sign client "$Username"
# 3. collect CA cert, client cert and key in one directory
mkdir -p "/etc/openvpn/client/$Username/"
cp /etc/openvpn/easy-rsa/3.0.6/pki/ca.crt "/etc/openvpn/client/$Username/"
cp "/etc/openvpn/easy-rsa/3.0.6/pki/issued/$Username.crt" "/etc/openvpn/client/$Username/"
cp "/etc/openvpn/client/easy-rsa/3.0.6/pki/private/$Username.key" "/etc/openvpn/client/$Username/"
# 4. profile from the template: replace the Username placeholder on the cert/key lines
cp /etc/openvpn/example.ovpn "/etc/openvpn/client/$Username/$Username.ovpn"
sed -i "s|Username|$Username|g" "/etc/openvpn/client/$Username/$Username.ovpn"
# 5. zip the bundle (-m removes the directory after adding it). It contains a private key, so hand it over on a secure channel
cd /etc/openvpn/client/
zip -r -m "${Username}.zip" "$Username/"
10. Revoking a certificate
[root@zbp1oply5q1damu7d4 ~]# cd /etc/openvpn/easy-rsa/3.0.6/
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa revoke yufeng
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = yufeng
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf
Revoking Certificate B07C203D1F47CACE1881C3EBBA7836B1.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted.
[root@zbp1oply5q1damu7d4 3.0.6]# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /etc/openvpn/easy-rsa/3.0.6/pki/safessl-easyrsa.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem
At this point nothing has been deleted: revoke only flips the entry in the CA database (index.txt), and gen-crl rebuilds crl.pem from it at the path shown above. Note that crl.pem itself expires (EASYRSA_CRL_DAYS, 180 days by default); once it does, the server rejects every client until gen-crl is run again, so re-run it on a schedule. You can also inspect the database directly:
[root@zbp1oply5q1damu7d4 3.0.6]# find /etc/openvpn/ -type f -name "index.txt" | xargs cat
V 221027150551Z A3C8AA65C5ACE512C6C154FA1A0197A1 unknown /CN=server
V 221027152255Z D283BEB5C5E8E1F30CF27569263E158B unknown /CN=username
R 221028022432Z 191113072909Z B07C203D1F47CACE1881C3EBBA7836B1 unknown /CN=yufeng
V marks a valid certificate, R a revoked one (the second date is the revocation time). Now make sure the server config loads the CRL:
[root@zbp1oply5q1damu7d4 3.0.6]# tail -1 /etc/openvpn/server.conf
crl-verify /etc/openvpn/easy-rsa/3.0.6/pki/crl.pem
[root@zbp1oply5q1damu7d4 3.0.6]# systemctl restart openvpn@server
The result: yufeng can no longer connect. To issue a certificate under the same name again, delete the revoked certificate's files first and then generate a new one (keep pki/index.txt and the CRL untouched: the revoked serial has to stay listed there)
[root@zbp1oply5q1damu7d4 3.0.6]# cd /etc/openvpn/
[root@zbp1oply5q1damu7d4 openvpn]# find . -type f -name "yufeng.*" | xargs rm
[root@zbp1oply5q1damu7d4 openvpn]# ls
certs client easy-rsa example.ovpn ipp.txt openvpn.log openvpn-status.log server server.conf server.conf.bak
[root@zbp1oply5q1damu7d4 openvpn]# cd client/
[root@zbp1oply5q1damu7d4 client]# ls
yufeng easy-rsa username
[root@zbp1oply5q1damu7d4 client]# cd yufeng/
[root@zbp1oply5q1damu7d4 yufeng]# ls
ca.crt
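Sections 2, 3, 9 and 10 each stop at an interactive prompt (the CN question in gen-req, the "yes" in sign and revoke). easy-rsa 3 has a --batch option (equivalently EASYRSA_BATCH=1) that answers those with their defaults, so the whole life cycle can be scripted. The script below is an added example, not the author's new_client.sh: it bootstraps the CA and server certificate, issues a client as a single .ovpn with the certificates inlined, revokes a client and installs the new CRL, and reads index.txt the way section 10 does by hand. Directory names and the address 122.51.223.173 are the page's; the inline-profile layout, the copy of crl.pem to /etc/openvpn/certs and the function names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the author's new_client.sh): the easy-rsa flow of
# sections 2, 3, 9 and 10 without interactive prompts, via --batch.
# Assumed by this example: the inline .ovpn layout, /etc/openvpn/certs/crl.pem
# as the copy the server reads, and the function/file names below.
set -eu

CA_DIR=/etc/openvpn/easy-rsa/3.0.6            # CA-side PKI (section 2)
CLIENT_DIR=/etc/openvpn/client/easy-rsa/3.0.6 # request-side PKI (section 3)
OUT_DIR=/etc/openvpn/client
REMOTE="122.51.223.173 1194"

# One-time CA and server setup (sections 2.2 to 2.5) plus an initial CRL, so a
# server.conf with crl-verify has a file to load from the first start.
bootstrap_ca() {
  cd "$CA_DIR"
  ./easyrsa --batch init-pki
  ./easyrsa --batch build-ca nopass         # CN defaults to "Easy-RSA CA"
  ./easyrsa --batch gen-req server nopass   # CN defaults to the name given
  ./easyrsa --batch sign-req server server  # no "yes" prompt in batch mode
  ./easyrsa --batch gen-dh
  ./easyrsa --batch gen-crl
  cd "$CLIENT_DIR" && ./easyrsa --batch init-pki
}

# Keep only the PEM block of a file: easy-rsa's issued/*.crt start with a
# human-readable dump of the certificate that is not needed in the profile.
pem_only() {
  sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# Print a client profile with CA cert, client cert and key inlined, so the user
# gets one file and no placeholder has to be sed-substituted.
# Args: name ca.crt client.crt client.key
build_inline_ovpn() {
  local name="$1" ca="$2" crt="$3" key="$4"
  cat <<EOF
# OpenVPN profile for $name
client
proto udp
dev tun
remote $REMOTE
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth-nocache
<ca>
$(pem_only "$ca")
</ca>
<cert>
$(pem_only "$crt")
</cert>
<key>
$(pem_only "$key")
</key>
EOF
}

# Issue a client certificate and write the bundled profile (section 9).
issue_client() {
  local name="$1"
  cd "$CLIENT_DIR" && ./easyrsa --batch gen-req "$name" nopass
  cd "$CA_DIR"
  ./easyrsa --batch import-req "$CLIENT_DIR/pki/reqs/$name.req" "$name"
  ./easyrsa --batch sign-req client "$name"
  mkdir -p "$OUT_DIR/$name"
  build_inline_ovpn "$name" pki/ca.crt "pki/issued/$name.crt" \
    "$CLIENT_DIR/pki/private/$name.key" > "$OUT_DIR/$name/$name.ovpn"
  chmod 600 "$OUT_DIR/$name/$name.ovpn"   # it contains the private key
}

# Revoke a client, rebuild the CRL and install it where the server reads it
# (section 10). pki/index.txt must keep the entry: the CRL is generated from it.
revoke_client() {
  local name="$1"
  cd "$CA_DIR"
  ./easyrsa --batch revoke "$name"
  ./easyrsa --batch gen-crl
  install -m 644 pki/crl.pem /etc/openvpn/certs/crl.pem
  systemctl restart openvpn@server
}

# Print "<status> <CN>" per entry of an easy-rsa index.txt ($1, tab-separated):
# V = valid, R = revoked, E = expired (set by "easyrsa update-db").
index_status() {
  awk -F'\t' '{ cn = $NF; sub(/.*\/CN=/, "", cn); print $1, cn }' "$1"
}

case "${1:-}" in
  bootstrap) bootstrap_ca ;;
  issue)     issue_client "$2" ;;
  revoke)    revoke_client "$2" ;;
  status)    index_status "$CA_DIR/pki/index.txt" ;;
esac
```

Saved as, say, pki.sh: run it once with bootstrap, then issue <name>, revoke <name> and status as needed. The issued .ovpn contains the private key, so deliver it over an authenticated channel and delete it from the server once it has been handed over; the server-side pki/ directories never need to leave the machine.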