Complete OpenVPN Deployment Guide
The deployment environment is Ubuntu 24.04. The server must have a public IP address that clients can reach.
root@ubtuntu:~# cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
I. Environment preparation and software installation
1. Update the package lists
sudo apt update
2. Install OpenVPN and Easy-RSA
sudo apt install -y openvpn easy-rsa
Example output:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
libccid libeac3 libpcsclite1 libpkcs11-helper1t64 opensc opensc-pkcs11 pcscd
Suggested packages:
pcmciautils openvpn-dco-dkms openvpn-systemd-resolved
The following NEW packages will be installed:
easy-rsa libccid libeac3 libpcsclite1 libpkcs11-helper1t64 opensc opensc-pkcs11 openvpn pcscd
0 upgraded, 9 newly installed, 0 to remove and 103 not upgraded.
Need to get 2,325 kB of archives.
After this operation, 7,068 kB of additional disk space will be used.
...
II. Certificate Authority (CA) setup
1. Create the Easy-RSA working directory
mkdir -p ~/easy-rsa
ln -s /usr/share/easy-rsa/* ~/easy-rsa/
cd ~/easy-rsa
chmod 700 ~/easy-rsa
ls
Example output:
easyrsa openssl-easyrsa.cnf vars.example x509-types
2. Initialize the PKI (public key infrastructure)
./easyrsa init-pki
Example output:
Notice
------
'init-pki' complete; you may now create a CA or requests.
Your newly created PKI dir is:
* /root/easy-rsa/pki
Using Easy-RSA configuration:
* undefined
3. Create the root certificate authority (CA)
./easyrsa build-ca
Example output:
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Enter New CA Key Passphrase:
[Enter a passphrase for the CA key; pressing Enter leaves the key unencrypted. Set one: whoever can read ca.key can issue certificates that every client and the server trust.]
Confirm New CA Key Passphrase:
[Repeat the passphrase]
...
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:OPENVPNCA
[Enter the CA name, e.g. OPENVPNCA]
Notice
------
CA creation complete. Your new CA certificate is at:
* /root/easy-rsa/pki/ca.crt
III. Server certificate and key generation
1. Generate the server certificate request
./easyrsa gen-req server nopass
Example output:
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
...
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:OPENVPNSERVER
[Enter the server name, e.g. OPENVPNSERVER]
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /root/easy-rsa/pki/reqs/server.req
* key: /root/easy-rsa/pki/private/server.key
2. Sign the server certificate
./easyrsa sign-req server server
Example output:
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate
for '825' days:
subject=
commonName = OPENVPNSERVER
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
[Type yes to confirm]
Using configuration from /root/easy-rsa/pki/openssl-easyrsa.cnf
Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
[Enter the CA passphrase set earlier; if none was set, just press Enter]
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'OPENVPNSERVER'
Certificate is to be certified until May 14 13:03:07 2028 GMT (825 days)
Write out database with 1 new entries
Database updated
Notice
------
Certificate created at:
* /root/easy-rsa/pki/issued/server.crt
3. Generate Diffie-Hellman parameters
./easyrsa gen-dh
Example output:
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
Generating DH parameters, 2048 bit long safe prime
...
DH parameters appear to be ok.
Notice
------
DH parameters of size 2048 created at:
* /root/easy-rsa/pki/dh.pem
IV. TLS authentication key generation
1. Generate the TLS-Auth key
openvpn --genkey secret ta.key
# Run this inside ~/easy-rsa, which is where section VI copies the file from.
# ta.key is a shared HMAC secret (every client gets a copy), so it is created
# with mode 600. The older spelling `openvpn --genkey --secret ta.key` still
# works on this version but prints a deprecation warning:
2026-02-09 12:55:25 DEPRECATED OPTION: The option --secret is deprecated.
2026-02-09 12:55:25 WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead.
ls -la ta.key
Example output:
-rw------- 1 root root 636 Feb 9 12:55 ta.key
V. Client certificate generation
1. Generate the client certificate request
./easyrsa gen-req client1 nopass
Example output:
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
...
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client1]:
[Enter the client name, e.g. client1, or press Enter to accept the default]
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /root/easy-rsa/pki/reqs/client1.req
* key: /root/easy-rsa/pki/private/client1.key
2. Sign the client certificate
./easyrsa sign-req client client1
Example output:
No Easy-RSA 'vars' configuration file exists!
Using SSL:
* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
You are about to sign the following certificate:
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate
for '825' days:
subject=
commonName = client1
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
[Type yes to confirm]
Using configuration from /root/easy-rsa/pki/openssl-easyrsa.cnf
Enter pass phrase for /root/easy-rsa/pki/private/ca.key:
[Enter the CA passphrase; if none was set, just press Enter]
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client1'
Certificate is to be certified until May 14 12:58:47 2028 GMT (825 days)
Write out database with 1 new entries
Database updated
Notice
------
Certificate created at:
* /root/easy-rsa/pki/issued/client1.crt
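The "Write out database with 1 new entries" lines in the sign-req output refer to the CA database pki/index.txt, the record of every certificate this CA has issued and the file easyrsa gen-crl is built from. The following added example, which is not code from this guide or from Easy-RSA, reads that file and reports which names are still valid, which are revoked and which expire before a given date. The sample index, its serial numbers and the revoked client2 entry are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original guide): read the CA database
# pki/index.txt that "sign-req" updates and report each issued certificate.
# The file is the standard OpenSSL CA index, one tab-separated line per cert:
#   status  notAfter(YYMMDDHHMMSSZ)  revocationDate  serial  filename  subjectDN
# status is V (valid), R (revoked) or E (expired).

# Constructed sample mirroring the certificates issued in this guide; the
# serials and the revocation of client2 are made up for the demonstration.
SAMPLE_INDEX=$(printf 'V\t280514130307Z\t\tA1B2C3D4E5F60718293A4B5C6D7E8F90\tunknown\t/CN=OPENVPNSERVER\n'
               printf 'V\t280514125847Z\t\t0F1E2D3C4B5A69788796A5B4C3D2E1F0\tunknown\t/CN=client1\n'
               printf 'R\t280514130000Z\t260301120000Z\t1234567890ABCDEF1234567890ABCDEF\tunknown\t/CN=client2\n')

# index_report: print "CN status YYYY-MM-DD serial" for every entry on stdin.
# OpenSSL writes two-digit years (UTCTime); Easy-RSA never issues pre-2000
# dates, so the century is always 20.
index_report() {
    awk -F '\t' '{
        cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
        printf "%s %s 20%s-%s-%s %s\n", cn, $1,
               substr($2, 1, 2), substr($2, 3, 2), substr($2, 5, 2), $4
    }'
}

# valid_cns: names the server still accepts.
# revoked_cns: names that must be in the CRL for the revocation to take effect.
valid_cns()   { index_report | awk '$2 == "V" { print $1 }'; }
revoked_cns() { index_report | awk '$2 == "R" { print $1 }'; }

# expiring_before CUTOFF: CNs whose notAfter is earlier than CUTOFF, given in
# the same fixed-width YYMMDDHHMMSSZ form. Because the width is fixed, a plain
# string comparison orders the dates correctly within the century.
# For "expired as of now" use: expiring_before "$(date -u +%y%m%d%H%M%S)Z"
expiring_before() {
    awk -F '\t' -v cutoff="$1" '$2 < cutoff {
        cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn); print cn
    }'
}

# Usage against the real PKI:
#   index_report    < ~/easy-rsa/pki/index.txt
#   revoked_cns     < ~/easy-rsa/pki/index.txt
#   expiring_before "$(date -u +%y%m%d%H%M%S)Z" < ~/easy-rsa/pki/index.txt
# Self-test on the constructed sample:
printf '%s\n' "$SAMPLE_INDEX" | index_report
```

A name that shows up as R here is only rejected by the server once a fresh CRL (easyrsa gen-crl, then crl-verify in server.conf) has been installed; the index alone changes nothing on the wire.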
VI. Copying files and setting permissions
1. Copy the server files
sudo cp ~/easy-rsa/pki/ca.crt /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/issued/server.crt /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/private/server.key /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/dh.pem /etc/openvpn/server/
sudo cp ~/easy-rsa/ta.key /etc/openvpn/server/
2. Set file permissions
sudo chmod 644 /etc/openvpn/server/*.crt
sudo chmod 644 /etc/openvpn/server/*.pem
sudo chmod 600 /etc/openvpn/server/*.key
# ta.key is a shared HMAC secret, not a public file: the *.key rule above
# already makes it root-only (600). Do not loosen it to 644. Certificates and
# dh.pem are public and may stay world-readable; the daemon reads all of
# these as root before dropping to nobody (persist-key).
3. OpenVPN server configuration
Write the following to /etc/openvpn/server/server.conf:
port 1194
# tcp is used throughout this guide (and matches the TCPv4_SERVER lines in
# the log below); udp is the usual choice and performs better.
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
auth SHA256
# 0 on the server, 1 on every client (key-direction 1 in the client config)
tls-auth /etc/openvpn/server/ta.key 0
server 10.0.9.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# OpenVPN 2.5 and later negotiate the data-channel cipher from this list; the
# bare "cipher AES-256-CBC" directive is deprecated. The fallback is used only
# by clients too old to negotiate.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
# drop root once the keys are read and the tun device is up
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
# explicit-exit-notify is a UDP-only option and must not be combined with
# proto tcp; add it only if you switch to proto udp.
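A config that starts without errors can still carry settings a reviewer would push back on. The following added example, which is not code from this guide or from OpenVPN, is a small lint that reads a server.conf as text and reports the weak settings: a legacy cipher line without data-ciphers, a CBC cipher in the offered list, a weak or missing auth, no tls-auth/tls-crypt, no TLS floor, and no privilege drop. Both sample configs are constructed for the demonstration: the first still uses the legacy cipher AES-256-CBC line instead of data-ciphers and lacks tls-version-min, the second is the hardened form of the same file.

```shell
#!/bin/sh
# Added example (not code from the original guide): a lint for an OpenVPN
# server.conf that flags the settings a reviewer would object to. It only
# reads the config text and does not need openvpn installed.

# Constructed sample 1: the legacy form (bare "cipher", no TLS floor).
GUIDE_CONF='port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
auth SHA256
tls-auth /etc/openvpn/server/ta.key 0
server 10.0.9.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3'

# Constructed sample 2: the same file, hardened.
HARDENED_CONF='port 1194
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
auth SHA256
tls-auth /etc/openvpn/server/ta.key 0
tls-version-min 1.2
server 10.0.9.0 255.255.255.0
keepalive 10 120
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3'

# has_opt CONF NAME: NAME is set as a directive (whole word at line start).
has_opt() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# opt_val CONF NAME: first argument of directive NAME, empty if unset.
opt_val() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# lint_server_conf CONF: one finding per line; no output means it passed.
lint_server_conf() {
    conf=$1
    # OpenVPN 2.5+ negotiates the data channel from data-ciphers; a bare
    # "cipher" line is deprecated and no longer drives the negotiation.
    if has_opt "$conf" cipher && ! has_opt "$conf" data-ciphers; then
        echo "cipher without data-ciphers: set data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305"
    fi
    # Non-AEAD ciphers belong in data-ciphers-fallback (old clients only),
    # not in the list offered to every client.
    case "$(opt_val "$conf" data-ciphers)" in
        *CBC*) echo "CBC cipher offered in data-ciphers: move it to data-ciphers-fallback" ;;
    esac
    # Control-channel HMAC: the default (SHA1) and anything weaker is obsolete.
    case "$(opt_val "$conf" auth)" in
        ""|SHA1|MD5|none) echo "auth is '$(opt_val "$conf" auth)': set auth SHA256" ;;
    esac
    # Packets must be HMAC-authenticated before they reach the TLS stack.
    if ! has_opt "$conf" tls-auth && ! has_opt "$conf" tls-crypt; then
        echo "no tls-auth or tls-crypt: unauthenticated packets reach the TLS stack"
    fi
    has_opt "$conf" tls-version-min || echo "no tls-version-min: add tls-version-min 1.2"
    # Drop root after the keys and the tun device are set up.
    has_opt "$conf" user  || echo "no user directive: daemon keeps running as root"
    has_opt "$conf" group || echo "no group directive: daemon keeps its root group"
}

# Usage on a real file: lint_server_conf "$(cat /etc/openvpn/server/server.conf)"
echo "legacy config:";   lint_server_conf "$GUIDE_CONF"
echo "hardened config:"; lint_server_conf "$HARDENED_CONF"
```

The checks are deliberately conservative: they only look at directives that are present or absent in the file, so a setting inlined from another file through config/include directives is not seen.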
4. Verify the copied files
ls -la /etc/openvpn/server/
Example output (the two keys are root-only, everything else is world-readable):
total 36
drwxr-xr-x 2 root root 4096 Feb 9 13:06 .
drwxr-xr-x 4 root root 4096 Feb 9 13:18 ..
-rw-r--r-- 1 root root 1196 Feb 9 12:59 ca.crt
-rw-r--r-- 1 root root 424 Feb 9 13:04 dh.pem
-rw-r--r-- 1 root root 496 Feb 9 13:06 server.conf
-rw-r--r-- 1 root root 4631 Feb 9 13:03 server.crt
-rw------- 1 root root 1704 Feb 9 13:03 server.key
-rw------- 1 root root 636 Feb 9 13:04 ta.key
5. Link server.conf
# The openvpn@<name> systemd unit used below starts /etc/openvpn/<name>.conf,
# so link the file there. (Ubuntu also ships openvpn-server@<name>, which reads
# /etc/openvpn/server/<name>.conf directly and needs no link.)
ln -sf /etc/openvpn/server/server.conf /etc/openvpn/server.conf
ls /etc/openvpn
Example output:
client server server.conf update-resolv-conf
VII. Network configuration and firewall
1. Enable IP forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Example output:
net.ipv4.ip_forward = 1
2. Configure SNAT
vi /etc/ufw/before.rules
Add the following block at the top of the file, above the existing *filter section. Replace ens18 with the name of the server's public-facing interface and 10.0.9.0/24 with the subnet from the server directive in server.conf:
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.9.0/24 -o ens18 -j MASQUERADE
COMMIT
...rest of the file unchanged...
Verify that the rule is loaded (it takes effect after ufw is reloaded):
root@ubtuntu:~# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- 10.0.9.0/24 0.0.0.0/0
3. Configure the firewall
vi /etc/default/ufw
Change the following settings:
# Disable IPv6 (optional; if IPv6 stays enabled, add matching IPv6 rules)
IPV6=no
DEFAULT_OUTPUT_POLICY="ACCEPT"
# Allow forwarding between the tunnel and the public interface. ACCEPT here
# forwards between all interfaces; a tighter alternative is to keep DROP and
# add an explicit ufw route rule from tun0 to the public interface.
DEFAULT_FORWARD_POLICY="ACCEPT"
Reload ufw afterwards so that the before.rules and default-policy changes take effect. The 1194/tcp rule (proto tcp in server.conf) must be allowed before clients can connect, and 22/tcp keeps SSH reachable; both appear in the status output below.
4. Check the firewall status
ufw status verbose
Example output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
1194/udp ALLOW IN Anywhere
22/tcp ALLOW IN Anywhere
1194/tcp ALLOW IN Anywhere
VIII. Starting and verifying the server
1. Start the OpenVPN service
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
2. Check the service status
sudo systemctl status openvpn@server
Expected output:
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; preset: enabled)
Active: active (running) since Mon 2026-02-09 13:29:57 UTC; 13min ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Main PID: 4213 (openvpn)
Status: "Initialization Sequence Completed"
Tasks: 1 (limit: 10)
Memory: 1.6M (peak: 1.9M)
CPU: 83ms
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─4213 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
Feb 09 13:29:57 ubtuntu systemd[1]: Started openvpn@server.service - OpenVPN connection to server.
3. Check the log file
sudo tail -f /var/log/openvpn/openvpn.log
Example of healthy output:
2026-02-09 13:29:57 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
2026-02-09 13:29:57 TCPv4_SERVER link remote: [AF_UNSPEC]
2026-02-09 13:29:57 UID set to nobody
2026-02-09 13:29:57 GID set to nogroup
2026-02-09 13:29:57 Capabilities retained: CAP_NET_ADMIN
2026-02-09 13:29:57 MULTI: multi_init called, r=256 v=256
2026-02-09 13:29:57 IFCONFIG POOL IPv4: base=10.0.9.4 size=62
2026-02-09 13:29:57 IFCONFIG POOL LIST
2026-02-09 13:29:57 MULTI: TCP INIT maxclients=1024 maxevents=1029
2026-02-09 13:29:57 Initialization Sequence Completed
4. Check the listening port
ss -tulpn | grep :1194
Example output:
tcp LISTEN 0 4096 0.0.0.0:1194 0.0.0.0:* users:(("openvpn",pid=4213,fd=6))
IX. Generating Client Configuration
1. Generate the client certificate and private key
cd ~/easy-rsa
# generate a certificate for client 1 (Easy-RSA names the files after this name: pki/issued/client1.crt and pki/private/client1.key)
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1
# generate a certificate for client 2 (optional)
./easyrsa gen-req client2 nopass
./easyrsa sign-req client client2
2. Generate the client configuration file
cat > /etc/openvpn/client/client1.ovpn << EOF
client
dev tun
proto tcp
remote YOUR_SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
tun-mtu 1320
verb 3
<ca>
$(cat /etc/openvpn/server/ca.crt)
</ca>
<cert>
$(cat ~/easy-rsa/pki/issued/client1.crt)
</cert>
<key>
$(cat ~/easy-rsa/pki/private/client1.key)
</key>
<tls-auth>
$(cat /etc/openvpn/server/ta.key)
</tls-auth>
EOF
Then import /etc/openvpn/client/client1.ovpn into the client and connect.
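The profile above is built with a heredoc that silently embeds nothing if one of the `cat` targets is missing. The function below, added here as an example and not part of the original guide, builds the same inline profile but checks first that every file it embeds exists under the given name and creates the output mode 0600, because it carries the client's private key. Easy-RSA names pki/issued/NAME.crt and pki/private/NAME.key after the entity name exactly as typed, so a profile for client1 cannot be built from a request generated as Client1; the check catches that. Paths, protocol and port are parameters whose defaults match the guide's layout.

```sh
#!/bin/sh
# Added example, not part of the original guide: build the inline client
# profile from the Easy-RSA PKI, checking first that every file it embeds
# exists under the name given.

# Print one inline section: <tag> ... file contents ... </tag>
emit_section() {
    printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"
}

# build_client_ovpn NAME SERVER_IP OUTFILE [PKI_DIR] [SERVER_DIR] [PROTO] [PORT]
# Defaults match the guide's layout; PROTO and PORT must match server.conf.
build_client_ovpn() {
    name=$1; server_ip=$2; out=$3
    pki=${4:-$HOME/easy-rsa/pki}; srv=${5:-/etc/openvpn/server}
    proto=${6:-tcp}; port=${7:-1194}
    for f in "$srv/ca.crt" "$srv/ta.key" "$pki/issued/$name.crt" "$pki/private/$name.key"; do
        if [ ! -r "$f" ]; then
            echo "build_client_ovpn: missing or unreadable: $f" >&2
            return 1
        fi
    done
    # The profile carries the client's private key: create it mode 0600
    # (umask set in a subshell so the caller's umask is untouched).
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto $proto
remote $server_ip $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
tun-mtu 1320
verb 3
EOF
            emit_section ca "$srv/ca.crt"
            emit_section cert "$pki/issued/$name.crt"
            emit_section key "$pki/private/$name.key"
            emit_section tls-auth "$srv/ta.key"
        } > "$out"
    )
}

# Return 0 if FILE contains both an opening <TAG> and a closing </TAG> line.
ovpn_has_section() {
    grep -q "^<$2>$" "$1" && grep -q "^</$2>$" "$1"
}

# Usage with the guide's defaults (run as root on the server):
#   build_client_ovpn client1 YOUR_SERVER_IP /etc/openvpn/client/client1.ovpn
```

Because the function refuses to write anything when a file is missing, a typo in the client name produces an error instead of a profile with an empty <cert> or <key> section that only fails at connect time.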
X. Windows Client Download
After installation, import the configuration file and connect.
XI. Troubleshooting and Verification
1. Certificate verification commands
# inspect the CA certificate
openssl x509 -in /etc/openvpn/server/ca.crt -text -noout | head -20
Example output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
39:19:00:d2:d5:33:ce:fd:71:36:f4:53:61:49:b0:5b:fc:df:43:68
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = OPENVPNCA
Validity
Not Before: Feb 9 12:51:46 2026 GMT
Not After : Feb 7 12:51:46 2036 GMT
Subject: CN = OPENVPNCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:af:02:1c:2f:e4:a1:4a:af:fb:4c:71:db:b2:e6:
...
2. Analysis of common error logs
sudo tail -20 /var/log/openvpn/openvpn.log
Common error output and fixes:
Error 1: file permission problem
2026-02-09 13:27:30 Cannot pre-load keyfile (ta.key)
2026-02-09 13:27:30 Exiting due to fatal error
Fix:
sudo chmod 644 /etc/openvpn/server/ta.key
sudo chown nobody:nogroup /etc/openvpn/server/ta.key
Error 2: certificate path problem
Options error: --dh fails with 'dh.pem': No such file or directory (errno=2)
Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Fix:
sudo cp ~/easy-rsa/pki/dh.pem /etc/openvpn/server/
sudo cp ~/easy-rsa/pki/ca.crt /etc/openvpn/server/
Error 3: port already in use
2026-02-09 13:29:57 TCPv4_SERVER link local (bound): [AF_INET][undef]:1194: Address already in use (errno=98)
Fix:
sudo systemctl stop openvpn@server
sudo killall openvpn
sudo systemctl start openvpn@server
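The three errors above are recognisable by fixed substrings, so the classification can be scripted. The script below is an added example, not part of the original guide: it maps each line of an OpenVPN log to one of the error classes listed above and prints the corresponding fix, and reports success only when the log shows "Initialization Sequence Completed" with no problem line. The log lines used in the demo are constructed from the examples above.

```sh
#!/bin/sh
# Added example (not from the original guide): classify lines from
# /var/log/openvpn/openvpn.log into the failure classes listed above and
# print the matching fix, so a failed start can be triaged from `tail -20`
# without reading the whole log by hand.

# Print a class for one log line; "ok" for anything not recognised.
classify_line() {
    case $1 in
        *"Cannot pre-load keyfile"*)                    echo keyfile-unreadable ;;
        *"Options error"*"No such file or directory"*)  echo missing-file ;;
        *"Address already in use"*)                     echo port-in-use ;;
        *"Exiting due to fatal error"*)                 echo fatal-exit ;;
        *"Initialization Sequence Completed"*)          echo started ;;
        *)                                              echo ok ;;
    esac
}

# Fix for a class, taken from errors 1-3 above.
remedy() {
    case $1 in
        keyfile-unreadable) echo "check path, owner and mode of the key file under /etc/openvpn/server (error 1)" ;;
        missing-file)       echo "copy the missing file from ~/easy-rsa/pki to /etc/openvpn/server (error 2)" ;;
        port-in-use)        echo "stop the stale openvpn process, then start the service again (error 3)" ;;
        fatal-exit)         echo "see the error line immediately before this one" ;;
        *)                  echo "" ;;
    esac
}

# Scan LOGFILE; print "class<TAB>fix" for every problem line.
# Return 0 only if the server logged "Initialization Sequence Completed" and
# no problem line was seen; 1 otherwise.
diagnose_openvpn_log() {
    problems=0; started=0
    while IFS= read -r line || [ -n "$line" ]; do
        c=$(classify_line "$line")
        case $c in
            ok)      ;;
            started) started=1 ;;
            *)       problems=$((problems + 1)); printf '%s\t%s\n' "$c" "$(remedy "$c")" ;;
        esac
    done < "$1"
    [ "$problems" -eq 0 ] && [ "$started" -eq 1 ]
}

# Demo on constructed log lines: sh this_file.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '%s\n' \
        '2026-02-09 13:27:30 Cannot pre-load keyfile (ta.key)' \
        '2026-02-09 13:27:30 Exiting due to fatal error' > "$d/openvpn.log"
    diagnose_openvpn_log "$d/openvpn.log" || echo "server did not start cleanly"
    rm -rf "$d"
fi
```

On the server, `diagnose_openvpn_log /var/log/openvpn/openvpn.log` gives the same verdict as reading the tail by hand; a non-zero exit with no printed line means the log simply has not reached "Initialization Sequence Completed" yet.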
3. Full verification procedure
# 1. check service status
systemctl status openvpn@server
# 2. check the log
tail -f /var/log/openvpn/openvpn.log
# 3. check the listening port
ss -tulpn | grep :1194
# 4. check the firewall
sudo ufw status
# 5. test connectivity (from another machine)
nc -zv YOUR_SERVER_IP 1194
4. Certificate chain verification
# verify that the server certificate was issued by the CA
openssl verify -CAfile /etc/openvpn/server/ca.crt /etc/openvpn/server/server.crt
Example of successful output:
/etc/openvpn/server/server.crt: OK
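`openssl verify` only proves the chain. The script below, added here as an example and not part of the original guide, also checks that the server certificate is not about to expire and that it carries extendedKeyUsage serverAuth, which the client's `remote-cert-tls server` line in section IX requires: a certificate signed with `sign-req client` instead of `sign-req server` chains correctly and is still refused by the client. The throw-away PKI built by make_demo_pki is constructed test material so the checks can be exercised offline; on the server, point check_server_cert at /etc/openvpn/server/ca.crt and server.crt.

```sh
#!/bin/sh
# Added example (not from the original guide): extend the single
# `openssl verify` above with the other properties a client depends on.
# Paths are parameters; make_demo_pki builds constructed test material only.

# check_server_cert CA_CRT SERVER_CRT -> 0 only if all three checks pass
check_server_cert() {
    ca=$1; cert=$2; rc=0
    # 1) chain: the same command the guide uses
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not chain to $ca" >&2; rc=1; }
    # 2) validity: fail if the certificate expires within 30 days (2592000 s)
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "FAIL: $cert expires within 30 days" >&2; rc=1; }
    # 3) extended key usage: the client's "remote-cert-tls server" rejects a
    #    certificate without serverAuth, even when it chains correctly
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: $cert lacks extendedKeyUsage serverAuth" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert"
    return "$rc"
}

# make_demo_pki DIR: ca.crt signs server.crt (serverAuth) and client.crt
# (clientAuth); other-ca.crt is an unrelated CA. Constructed, not Easy-RSA.
make_demo_pki() {
    dir=$1
    for n in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$n" \
            -keyout "$dir/$n.key" -out "$dir/$n.crt" 2>/dev/null || return 1
    done
    for n in server client; do
        case $n in server) eku=serverAuth ;; *) eku=clientAuth ;; esac
        printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature, keyEncipherment\n' \
            "$eku" > "$dir/$n.ext"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$n.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 365 -extfile "$dir/$n.ext" \
            -out "$dir/$n.crt" 2>/dev/null || return 1
    done
}

# Demo: sh this_file.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_server_cert "$d/ca.crt" "$d/server.crt"          # OK
    check_server_cert "$d/other-ca.crt" "$d/server.crt"    # FAIL: chain
    check_server_cert "$d/ca.crt" "$d/client.crt"          # FAIL: no serverAuth
    rm -rf "$d"
fi
```

The expiry check mirrors what a monitoring job would run: Easy-RSA's default server certificate lifetime is long, but the CA in the output above expires in 2036 and a renewal that is forgotten shows up first as clients refusing to connect.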
XII. Deployment Checklist
Items to complete
- Install OpenVPN and Easy-RSA
- Generate the CA certificate
- Server certificate and key
- Generate Diffie-Hellman parameters
- Generate the TLS-Auth key
- Generate the client certificate and key
- Set file permissions
- Network configuration
- Firewall rules
- Start the service
- Verify the listening port
Items that must be edited by hand
- Server configuration file /etc/openvpn/server/server.conf:
  - Confirm the certificate paths are correct
  - Change the server IP range (e.g. 10.0.9.0/24)
  - Confirm the protocol type (udp/tcp)
- Client configuration file:
  - Replace YOUR_SERVER_IP with the actual public IP
  - Confirm the port number is correct
  - Confirm the protocol type matches the server
- Firewall configuration:
  - Confirm the interface name in before.rules (e.g. ens18)
  - Confirm the IP range in the NAT rule matches
The deployment environment in this article is entirely virtual and is intended only for technical learning and exchange.