【安装完成openvpn以后,启动不成功。 】 | IT修真院·坑乎
问题已收录 安装完成openvpn以后,启动不成功。
我也踩过这个坑( 1 )
已统计您的踩坑,无需重复点击
回答(1)
详细描述
图片
文本
编辑于2022-06-25
  • [西安|结业弟子]JAVA-李龙
    0

    注意:

    ip

    key

    有一些报错,如果解决不了,直接# ;注释就可以,目前感觉没有什么影响、

    绿色的就是要修改的配置文件

    配置文件修改的正确与否,关系到你的成功连接

    还有要根据错误日志的报错来一步步进行修改

    (错误日志更新一次注销一次,在这就不放出来了)

    # Which local IP address should OpenVPN

    # listen on? (optional)

    ;local 39.107.239.240


    # Which TCP/UDP port should OpenVPN listen on?

    # If you want to run multiple OpenVPN instances

    # on the same machine, use a different port

    # number for each one.  You will need to

    # open up this port on your firewall.

    port 1194


    # TCP or UDP server?

    ;proto tcp

    proto udp


    # "dev tun" will create a routed IP tunnel,

    # "dev tap" will create an ethernet tunnel.

    # Use "dev tap0" if you are ethernet bridging

    # and have precreated a tap0 virtual interface

    # and bridged it with your ethernet interface.

    # If you want to control access policies

    # over the VPN, you must create firewall

    # rules for the the TUN/TAP interface.

    # On non-Windows systems, you can give

    # an explicit unit number, such as tun0.

    # On Windows, use "dev-node" for this.

    # On most systems, the VPN will not function

    # unless you partially or fully disable

    # the firewall for the TUN/TAP interface.

    ;dev tap

    dev tun


    # Windows needs the TAP-Win32 adapter name

    # from the Network Connections panel if you

    # have more than one.  On XP SP2 or higher,

    # you may need to selectively disable the

    # Windows firewall for the TAP adapter.

    # Non-Windows systems usually don't need this.

    ;dev-node MyTap


    # SSL/TLS root certificate (ca), certificate

    # (cert), and private key (key).  Each client

    # and the server must have their own cert and

    # key file.  The server and all clients will

    # use the same ca file.

    #

    # See the "easy-rsa" directory for a series

    # of scripts for generating RSA certificates

    # and private keys.  Remember to use

    # a unique Common Name for the server

    # and each of the client certificates.

    #

    # Any X509 key management system can be used.

    # OpenVPN can also use a PKCS #12 formatted key file

    # (see "pkcs12" directive in man page).

    ca /etc/openvpn/ca.crt

    cert /etc/openvpn/server.crt

    key /etc/openvpn/server.key  # This file should be kept secret


    # Diffie hellman parameters.

    # Generate your own with:

    #   openssl dhparam -out dh2048.pem 2048

    dh /etc/openvpn/dh.pem


    # Network topology

    # Should be subnet (addressing via IP)

    # unless Windows clients v2.0.9 and lower have to

    # be supported (then net30, i.e. a /30 per client)

    # Defaults to net30 (not recommended)

    ;topology subnet


    # Configure server mode and supply a VPN subnet

    # for OpenVPN to draw client addresses from.

    # The server will take 10.8.0.1 for itself,

    # the rest will be made available to clients.

    # Each client will be able to reach the server

    # on 10.8.0.1. Comment this line out if you are

    # ethernet bridging. See the man page for more info.

    server 10.8.0.0 255.255.255.0


    # Maintain a record of client <-> virtual IP address

    # associations in this file.  If OpenVPN goes down or

    # is restarted, reconnecting clients can be assigned

    # the same virtual IP address from the pool that was

    # previously assigned.

    ifconfig-pool-persist ipp.txt


    # Configure server mode for ethernet bridging.

    # You must first use your OS's bridging capability

    # to bridge the TAP interface with the ethernet

    # NIC interface.  Then you must manually set the

    # IP/netmask on the bridge interface, here we

    # assume 10.8.0.4/255.255.255.0.  Finally we

    # must set aside an IP range in this subnet

    # (start=10.8.0.50 end=10.8.0.100) to allocate

    # to connecting clients.  Leave this line commented

    # out unless you are ethernet bridging.

    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100


    # Configure server mode for ethernet bridging

    # using a DHCP-proxy, where clients talk

    # to the OpenVPN server-side DHCP server

    # to receive their IP address allocation

    # and DNS server addresses.  You must first use

    # your OS's bridging capability to bridge the TAP

    # interface with the ethernet NIC interface.

    # Note: this mode only works on clients (such as

    # Windows), where the client-side TAP adapter is

    # bound to a DHCP client.

    ;server-bridge


    # Push routes to the client to allow it

    # to reach other private subnets behind

    # the server.  Remember that these

    # private subnets will also need

    # to know to route the OpenVPN client

    # address pool (10.8.0.0/255.255.255.0)

    # back to the OpenVPN server.

    push "route 0.0.0.0 0.0.0.0"

    push "route 10.0.0.0 255.255.255.0"


    # To assign specific IP addresses to specific

    # clients or if a connecting client has a private

    # subnet behind it that should also have VPN access,

    # use the subdirectory "ccd" for client-specific

    # configuration files (see man page for more info).


    # EXAMPLE: Suppose the client

    # having the certificate common name "Thelonious"

    # also has a small subnet behind his connecting

    # machine, such as 192.168.40.128/255.255.255.248.

    # First, uncomment out these lines:

    ;client-config-dir ccd

    ;route 192.168.40.128 255.255.255.248

    # Then create a file ccd/Thelonious with this line:

    #   iroute 192.168.40.128 255.255.255.248

    # This will allow Thelonious' private subnet to

    # access the VPN.  This example will only work

    # if you are routing, not bridging, i.e. you are

    # using "dev tun" and "server" directives.


    # EXAMPLE: Suppose you want to give

    # Thelonious a fixed VPN IP address of 10.9.0.1.

    # First uncomment out these lines:

    ;client-config-dir ccd

    ;route 10.9.0.0 255.255.255.252

    # Then add this line to ccd/Thelonious:

    #   ifconfig-push 10.9.0.1 10.9.0.2


    # Suppose that you want to enable different

    # firewall access policies for different groups

    # of clients.  There are two methods:

    # (1) Run multiple OpenVPN daemons, one for each

    #     group, and firewall the TUN/TAP interface

    #     for each group/daemon appropriately.

    # (2) (Advanced) Create a script to dynamically

    #     modify the firewall in response to access

    #     from different clients.  See man

    #     page for more info on learn-address script.

    ;learn-address ./script


    # If enabled, this directive will configure

    # all clients to redirect their default

    # network gateway through the VPN, causing

    # all IP traffic such as web browsing and

    # and DNS lookups to go through the VPN

    # (The OpenVPN server machine may need to NAT

    # or bridge the TUN/TAP interface to the internet

    # in order for this to work properly).

    push "redirect-gateway def1 bypass-dhcp"


    # Certain Windows-specific network settings

    # can be pushed to clients, such as DNS

    # or WINS server addresses.  CAVEAT:

    # http://openvpn.net/faq.html#dhcpcaveats

    # The addresses below refer to the public

    # DNS servers provided by opendns.com.

    push "dhcp-option DNS 223.5.5.5"

    push "dhcp-option DNS 114.114.114.114"


    # Uncomment this directive to allow different

    # clients to be able to "see" each other.

    # By default, clients will only see the server.

    # To force clients to only see the server, you

    # will also need to appropriately firewall the

    # server's TUN/TAP interface.

    client-to-client(注释不注释都可以


    # Uncomment this directive if multiple clients

    # might connect with the same certificate/key

    # files or common names.  This is recommended

    # only for testing purposes.  For production use,

    # each client should have its own certificate/key

    # pair.

    #

    # IF YOU HAVE NOT GENERATED INDIVIDUAL

    # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

    # EACH HAVING ITS OWN UNIQUE "COMMON NAME",

    # UNCOMMENT THIS LINE OUT.

    ;duplicate-cn


    # The keepalive directive causes ping-like

    # messages to be sent back and forth over

    # the link so that each side knows when

    # the other side has gone down.

    # Ping every 10 seconds, assume that remote

    # peer is down if no ping received during

    # a 120 second time period.

    keepalive 10 120


    # For extra security beyond that provided

    # by SSL/TLS, create an "HMAC firewall"

    # to help block DoS attacks and UDP port flooding.

    #

    # Generate with:

    #   openvpn --genkey --secret ta.key

    #

    # The server and each client must have

    # a copy of this key.

    # The second parameter should be '0'

    # on the server and '1' on the clients.

    ;tls-auth ta.key 0 # This file is secret


    # Select a cryptographic cipher.

    # This config item must be copied to

    # the client config file as well.

    # Note that v2.4 client/server will automatically

    # negotiate AES-256-GCM in TLS mode.

    # See also the ncp-cipher option in the manpage

    cipher AES-256-CBC


    # Enable compression on the VPN link and push the

    # option to the client (v2.4+ only, for earlier

    # versions see below)

    ;compress lz4-v2

    ;push "compress lz4-v2"


    # For compression compatible with older clients use comp-lzo

    # If you enable it here, you must also

    # enable it in the client config file.

    comp-lzo


    # The maximum number of concurrently connected

    # clients we want to allow.

    max-clients 100


    # It's a good idea to reduce the OpenVPN

    # daemon's privileges after initialization.

    #

    # You can uncomment this out on

    # non-Windows systems.

    user nobody

    group nobody


    # The persist options will try to avoid

    # accessing certain resources on restart

    # that may no longer be accessible because

    # of the privilege downgrade.

    persist-key

    persist-tun


    # Output a short status file showing

    # current connections, truncated

    # and rewritten every minute.

    status openvpn-status.log


    # By default, log messages will go to the syslog (or

    # on Windows, if running as a service, they will go to

    # the "\Program Files\OpenVPN\log" directory).

    # Use log or log-append to override this default.

    # "log" will truncate the log file on OpenVPN startup,

    # while "log-append" will append to it.  Use one

    # or the other (but not both).

    log         openvpn.log

    log-append  openvpn.log


    # Set the appropriate level of log

    # file verbosity.

    #

    # 0 is silent, except for fatal errors

    # 4 is reasonable for general usage

    # 5 and 6 can help to debug connection problems

    # 9 is extremely verbose

    verb 3


    # Silence repeating messages.  At most 20

    # sequential messages of the same message

    # category will be output to the log.

    mute 20


    # Notify the client that when the server restarts so it

    # can automatically reconnect.

    explicit-exit-notify 1


    编辑于2018-05-10