You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 3650 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0 (change to the interface you discovered!)
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
...
...
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your_server_ip 1194
...
~/client-configs/base.conf
Next, uncomment the user and group directives by removing the ";" at the beginning of each line:
~/client-configs/base.conf
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
Find the directives that set ca, cert, and key. Comment these directives out, since you will be adding the certificates and keys within the file itself shortly:
~/client-configs/base.conf
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
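The script that actually embeds the certificates and keys is not reproduced on this page, so the following POSIX sh function is an added example (not the tutorial's own make_config.sh) of the step these edits prepare for: copy base.conf, drop any still-active file-based ca/cert/key directives, and append the PEM material inline. The ~/client-configs/keys layout, the optional ta.key/tls-auth handling, and the mc_ variable names are assumptions.

```sh
#!/bin/sh
# Build a self-contained client profile from base.conf plus the client's
# key material. Example code, not the tutorial's make_config.sh.
# Assumed layout (hypothetical, adjust to your tree):
#   KEY_DIR/ca.crt  KEY_DIR/<client>.crt  KEY_DIR/<client>.key  KEY_DIR/ta.key (optional)
set -eu

# make_config BASE_CONF KEY_DIR CLIENT OUT_DIR
# Writes OUT_DIR/CLIENT.ovpn (mode 0600, since it embeds a private key) and
# prints its path; fails before writing anything if a required input is missing.
make_config() {
    mc_base="$1"; mc_keys="$2"; mc_client="$3"; mc_dir="$4"
    mc_out="$mc_dir/$mc_client.ovpn"

    for f in "$mc_base" "$mc_keys/ca.crt" "$mc_keys/$mc_client.crt" "$mc_keys/$mc_client.key"; do
        if [ ! -r "$f" ]; then
            echo "make_config: missing or unreadable $f" >&2
            return 1
        fi
    done

    (
        umask 077            # profile and directory readable by the owner only
        mkdir -p "$mc_dir"
        {
            # Drop any un-commented file-based directives so the inline blocks
            # below are the only certificate source OpenVPN can use.
            grep -Ev '^(ca|cert|key|tls-auth) ' "$mc_base"
            echo '<ca>';   cat "$mc_keys/ca.crt";           echo '</ca>'
            echo '<cert>'; cat "$mc_keys/$mc_client.crt";   echo '</cert>'
            echo '<key>';  cat "$mc_keys/$mc_client.key";   echo '</key>'
            # Embed the HMAC key only if the server was set up with tls-auth;
            # key-direction 1 is the client side of that shared key.
            if [ -r "$mc_keys/ta.key" ]; then
                echo '<tls-auth>'; cat "$mc_keys/ta.key"; echo '</tls-auth>'
                echo 'key-direction 1'
            fi
        } > "$mc_out"
    )
    echo "$mc_out"
}

# Usage (paths assumed):
# make_config ~/client-configs/base.conf ~/client-configs/keys client1 ~/client-configs/files
```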
While the exact applications used to accomplish this transfer will depend on your device’s operating system and your personal preferences, a dependable and secure method is to use SFTP (SSH file transfer protocol) or SCP (Secure Copy) on the backend. This will transport your client’s VPN authentication files over an encrypted connection.
Here is an example SFTP command using the client1.ovpn example which you can run from your local computer (macOS or Linux). It places the .ovpn file in your home directory:
This section covers how to install a client VPN profile on Windows, macOS, Linux, iOS, and Android. None of these client instructions are dependent on one another, so feel free to skip to whichever is applicable to your device.
The OpenVPN connection will have the same name as whatever you called the .ovpn file. In this tutorial, that means the connection is named client1.ovpn, matching the first client file you generated.
Download the OpenVPN client application for Windows from OpenVPN’s Downloads page. Choose the appropriate installer version for your version of Windows.
OpenVPN needs administrative privileges to install.
After installing OpenVPN, copy the .ovpn file to:
When you launch OpenVPN, it will automatically see the profile and make it available.
You must run OpenVPN as an administrator each time it’s used, even from administrative accounts. To avoid having to right-click and select Run as administrator every time you use the VPN, you must preset this from an administrative account. This also means that standard users will need to enter the administrator’s password to use OpenVPN. Standard users cannot properly connect to the server unless the OpenVPN application on the client has admin rights, so the elevated privileges are necessary.
To set the OpenVPN application to always run as an administrator, right-click on its shortcut icon and go to Properties. At the bottom of the Compatibility tab, click the button to Change settings for all users. In the new window, check Run this program as an administrator.
Each time you launch the OpenVPN GUI, Windows will ask if you want to allow the program to make changes to your computer. Click Yes . Launching the OpenVPN client application only puts the applet in the system tray so that you can connect and disconnect the VPN as needed; it does not actually make the VPN connection.
Once OpenVPN is started, initiate a connection by going into the system tray applet and right-clicking on the OpenVPN applet icon. This opens the context menu. Select client1 at the top of the menu (that’s your client1.ovpn profile) and choose Connect.
A status window will open showing the log output while the connection is established, and a message will show once the client is connected.
Disconnect from the VPN the same way: go into the system tray applet, right-click the OpenVPN applet icon, select the client profile and click Disconnect.
Tunnelblick is a free, open source OpenVPN client for macOS. You can download the latest disk image from the Tunnelblick Downloads page. Double-click the downloaded .dmg file and follow the prompts to install.
Towards the end of the installation process, Tunnelblick will ask if you have any configuration files. For simplicity, answer No and let Tunnelblick finish. Open a Finder window and double-click client1.ovpn . Tunnelblick will install the client profile. Administrative privileges are required.
Launch Tunnelblick by double-clicking Tunnelblick in the Applications folder. Once Tunnelblick has been launched, there will be a Tunnelblick icon in the menu bar at the top right of the screen for controlling connections. Click on the icon, and then the Connect menu item to initiate the VPN connection. Select the client1 connection.
If you are using Linux, there are a variety of tools that you can use depending on your distribution. Your desktop environment or window manager might also include connection utilities.
The most universal way of connecting, however, is to just use the OpenVPN software.
On Ubuntu or Debian, you can install it just as you did on the server by typing:
sudo apt update
sudo apt install openvpn
On CentOS you can enable the EPEL repositories and then install it by typing:
If you are using CentOS, change the group directive from nogroup to nobody to match the distribution’s available groups:
Now, you can connect to the VPN by just pointing the openvpn command to the client configuration file:
sudo openvpn --config client1.ovpn
This should connect you to your VPN.
From the iTunes App Store, search for and install OpenVPN Connect, the official iOS OpenVPN client application. To transfer your iOS client configuration onto the device, connect it directly to a computer.
The process of completing the transfer with iTunes is outlined here. Open iTunes on the computer and click on iPhone > apps. Scroll down to the bottom to the File Sharing section and click the OpenVPN app. The blank window to the right, OpenVPN Documents, is for sharing files. Drag the .ovpn file to the OpenVPN Documents window.
Now launch the OpenVPN app on the iPhone. You will receive a notification that a new profile is ready to import. Tap the green plus sign to import it.
OpenVPN is now ready to use with the new profile. Start the connection by sliding the Connect button to the On position. Disconnect by sliding the same button to Off.
The VPN switch under Settings cannot be used to connect to the VPN. If you try, you will receive a notice to only connect using the OpenVPN app.
Open the Google Play Store. Search for and install Android OpenVPN Connect, the official Android OpenVPN client application.
You can transfer the .ovpn profile by connecting the Android device to your computer by USB and copying the file over. Alternatively, if you have an SD card reader, you can remove the device’s SD card, copy the profile onto it and then insert the card back into the Android device.
Start the OpenVPN app and tap the menu to import the profile.
Then navigate to the location of the saved profile (the screenshot uses /sdcard/Download/) and select the file. The app will make a note that the profile was imported.
To connect, simply tap the Connect button. You’ll be asked if you trust the OpenVPN application. Choose OK to initiate the connection. To disconnect from the VPN, go back to the OpenVPN app and choose Disconnect.
Step 11 — Testing Your VPN Connection (Optional)
Note: This method for testing your VPN connection will only work if you opted to route all your traffic through the VPN in Step 5.
Once everything is installed, a simple check confirms everything is working properly. Without having a VPN connection enabled, open a browser and go to DNSLeakTest.
The site will return the IP address assigned by your internet service provider and as you appear to the rest of the world. To check your DNS settings through the same website, click on Extended Test and it will tell you which DNS servers you are using.
Now connect the OpenVPN client to your server’s VPN and refresh the browser. A completely different IP address (that of your VPN server) should now appear, and this is how you appear to the world. Again, DNSLeakTest’s Extended Test will check your DNS settings and confirm you are now using the DNS resolvers pushed by your VPN.
Step 12 — Revoking Client Certificates
Occasionally, you may need to revoke a client certificate to prevent further access to the OpenVPN server.
To do so, navigate to the EasyRSA directory on your CA machine:
Next, run the easyrsa script with the revoke option, followed by the client name you wish to revoke:
./easyrsa revoke client2
This will ask you to confirm the revocation by entering yes:
Please confirm you wish to revoke the certificate with the following subject:

subject=
    commonName                = client2


Type the word 'yes' to continue, or any other input to abort.
  Continue with revocation: yes
After confirming the action, the CA will fully revoke the client’s certificate. However, your OpenVPN server currently has no way to check whether any clients’ certificates have been revoked and the client will still have access to the VPN. To correct this, create a certificate revocation list (CRL) on your CA machine:
This will generate a file called crl.pem. Securely transfer this file to your OpenVPN server:
The client should no longer be able to successfully connect to the server using the old credential.
To revoke additional clients, follow this process:
1. Revoke the certificate with the ./easyrsa revoke client_name command.
2. Generate a new CRL.
3. Transfer the new crl.pem file to your OpenVPN server and copy it to the /etc/openvpn directory to overwrite the old list.
4. Restart the OpenVPN service.
You can use this process to revoke any certificates that you’ve previously issued for your server.
You are now securely traversing the internet protecting your identity, location, and traffic from snoopers and censors. If at this point you no longer need to issue certificates, it’s recommended that you turn off your CA machine or otherwise disconnect it from the internet until you need to add or revoke certificates. This will help to prevent attackers from gaining access to your VPN.
To configure more clients, you only need to follow steps 4 and 9-11 for each additional device. To revoke access to clients, just follow step 12.