OpenVPN 重续证书
CyberSicko
have a nice day.
Xshell 7 (Build 0093)
Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.
Type `help' to learn how to use Xshell prompt.
[C:\~]$
Connecting to 172.17.21.25:22...
Could not connect to '172.17.21.25' (port 22): Connection failed.
Type `help' to learn how to use Xshell prompt.
[C:\~]$
Connecting to 172.17.21.25:22...
Could not connect to '172.17.21.25' (port 22): Connection failed.
Type `help' to learn how to use Xshell prompt.
[C:\~]$
Connecting to 172.17.21.26:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
WARNING! The remote SSH server rejected X11 forwarding request.
Welcome to Alibaba Cloud Elastic Compute Service !
Last login: Wed Mar 15 16:39:34 2023 from 172.17.21.25
[yangchaojie@t3 ~]$ ssh -p 22 root@172.17.21.25
The authenticity of host '172.17.21.25 (172.17.21.25)' can't be established.
ECDSA key fingerprint is SHA256:VY15Lar9HjcUt2OwYClxK4L2AnLJBAh/GheCVG3iep4.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Host key verification failed.
[yangchaojie@t3 ~]$ ssh -p 22 root@172.17.21.25
The authenticity of host '172.17.21.25 (172.17.21.25)' can't be established.
ECDSA key fingerprint is SHA256:VY15Lar9HjcUt2OwYClxK4L2AnLJBAh/GheCVG3iep4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '172.17.21.25' (ECDSA) to the list of known hosts.
root@172.17.21.25's password:
Last login: Fri Nov 25 15:00:03 2022 from 192.168.112.30
Welcome to Alibaba Cloud Elastic Compute Service !
[root@t2 ~]# ls
centos7-vpn.sh client.tar.gz epel-release-latest-7.noarch.rpm influxdb-1.7.6.x86_64.rpm master.zip telegraf-1.15.3-1.x86_64.rpm
client controlsfx.jar grafana-7.1.0-1.x86_64.rpm influxdb-1.8.3.x86_64.rpm nginx
[root@t2 ~]# cd /opt/
[root@t2 opt]# ls
project
[root@t2 opt]# cd project/
[root@t2 project]# ls
db.sqlite3 manage.py nohup.out Pipfile Pipfile.lock requirements.txt start.sh static templates vpn vpn_ms
[root@t2 project]# cd vpn
[root@t2 vpn]# ls
admin.py apps.py context_processors.py __init__.py migrations models.py __pycache__ tests.py views.py
[root@t2 vpn]# cd /etc/
[root@t2 etc]# ls
adjtime cron.weekly gdbinit.d issue.net motd polkit-1 rsyslog.conf sysctl.d
adjtime.rpmsave crypttab GeoIP.conf kernel mtab popt.d rsyslog.d systemd
aliases csh.cshrc gnupg krb5.conf my.cnf postfix rwtab system-lsb
aliases.db csh.login grafana krb5.conf.d my.cnf.d ppp rwtab.d system-release
alinux-release dbus-1 GREP_COLORS ld.so.cache netconfig prelink.conf.d sasl2 telegraf
alternatives default groff ld.so.conf NetworkManager printcap securetty terminfo
anacrontab depmod.d group ld.so.conf.d networks profile security tmpfiles.d
anolis-release dhcp group- libaudit.conf nfs.conf profile.d selinux tuned
asound.conf DIR_COLORS grub2.cfg libnl nfsmount.conf protocols services udev
at.deny DIR_COLORS.256color grub.d libreport nscd.conf python sestatus.conf update-motd.d
audisp DIR_COLORS.lightbgcolor gshadow libuser.conf nsswitch.conf rc0.d shadow vconsole.conf
audit docker gshadow- locale.conf nsswitch.conf.bak rc1.d shadow- vimrc
bash_completion.d dracut.conf gss localtime nsswitch.conf.rpmnew rc2.d shells virc
bashrc dracut.conf.d gssproxy login.defs ntp.conf rc3.d skel wgetrc
binfmt.d e2fsck.conf host.conf logrotate.conf oci-register-machine.conf rc4.d ssh wireguard
centos-release environment hostname logrotate.d oci-umount rc5.d ssl wpa_supplicant
chkconfig.d ethertypes hosts lsb-release.d oci-umount.conf rc6.d statetab X11
chrony.conf exports hosts.allow lvm openldap rc.d statetab.d xdg
chrony.keys exports.d hosts.deny machine-id openvpn rc.local subgid xinetd.d
cloud favicon.png idmapd.conf magic opt redhat-release subuid yum
containers filesystems image-id mailcap os-release request-key.conf sudo.conf yum.conf
cron.d firewalld influxdb mail.rc pam.d request-key.d sudoers yum.repos.d
cron.daily fonts init.d man_db.conf passwd resolv.conf sudoers.d
cron.deny fstab inittab mime.types passwd- resolv.conf.save sudo-ldap.conf
cron.hourly fuse.conf inputrc mke2fs.conf pkcs11 rpc sysconfig
cron.monthly gcrypt iproute2 modprobe.d pki rpm sysctl.conf
crontab gdbinit issue modules-load.d pm rsyncd.conf sysctl.conf.rpmsave
[root@t2 etc]# cd op
openldap/ openvpn/ opt/
[root@t2 etc]# cd op
openldap/ openvpn/ opt/
[root@t2 etc]# cd openvpn/
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh client dh.pem easy-rsa ipp.txt openvpn-password.log psw-file server server.conf server_crt server.crt server.key
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh client dh.pem easy-rsa ipp.txt openvpn-password.log psw-file server server.conf server_crt server.crt server.key
[root@t2 openvpn]# openssl x509 -noout -text in server.crt
unknown option in
usage: x509 args
-inform arg - input format - default PEM (one of DER, NET or PEM)
-outform arg - output format - default PEM (one of DER, NET or PEM)
-keyform arg - private key format - default PEM
-CAform arg - CA format - default PEM
-CAkeyform arg - CA key format - default PEM
-in arg - input file - default stdin
-out arg - output file - default stdout
-passin arg - private key password source
-serial - print serial number value
-subject_hash - print subject hash value
-subject_hash_old - print old-style (MD5) subject hash value
-issuer_hash - print issuer hash value
-issuer_hash_old - print old-style (MD5) issuer hash value
-hash - synonym for -subject_hash
-subject - print subject DN
-issuer - print issuer DN
-email - print email address(es)
-startdate - notBefore field
-enddate - notAfter field
-purpose - print out certificate purposes
-dates - both Before and After dates
-modulus - print the RSA key modulus
-pubkey - output the public key
-fingerprint - print the certificate fingerprint
-alias - output certificate alias
-noout - no certificate output
-ocspid - print OCSP hash values for the subject name and public key
-ocsp_uri - print OCSP Responder URL(s)
-trustout - output a "trusted" certificate
-clrtrust - clear all trusted purposes
-clrreject - clear all rejected purposes
-addtrust arg - trust certificate for a given purpose
-addreject arg - reject certificate for a given purpose
-setalias arg - set certificate alias
-days arg - How long till expiry of a signed certificate - def 30 days
-checkend arg - check whether the cert expires in the next arg seconds
exit 1 if so, 0 if not
-signkey arg - self sign cert with arg
-x509toreq - output a certification request object
-req - input is a certificate request, sign and output.
-CA arg - set the CA certificate, must be PEM format.
-CAkey arg - set the CA key, must be PEM format
missing, it is assumed to be in the CA file.
-CAcreateserial - create serial number file if it does not exist
-CAserial arg - serial file
-set_serial - serial number to use
-text - print the certificate in text form
-C - print out C code forms
-<dgst> - digest to use, see openssl dgst -h output for list
-extfile - configuration file with X509V3 extensions to add
-extensions - section from config file with X509V3 extensions to add
-clrext - delete extensions before signing and input certificate
-nameopt arg - various certificate name options
-engine e - use engine e, possibly a hardware device.
-certopt arg - various certificate text options
-checkhost host - check certificate matches "host"
-checkemail email - check certificate matches "email"
-checkip ipaddr - check certificate matches "ipaddr"
[root@t2 openvpn]# openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
95:a6:bd:d4:02:d2:63:dc:bd:08:39:14:6e:a3:3c:94
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=micvs
Validity
Not Before: Dec 12 04:50:26 2020 GMT
Not After : Mar 17 04:50:26 2023 GMT
Subject: CN=micvs_server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d8:2e:eb:0a:e8:e1:9f:87:b8:79:61:ab:96:75:
be:87:8e:33:74:80:d0:0b:aa:8e:7d:56:39:04:e4:
89:d4:38:a9:77:fc:c0:60:27:f7:1c:0f:cc:cb:30:
2f:c9:92:ed:06:06:c7:b3:5b:9e:fc:c3:f5:ca:8a:
d0:8d:ff:28:e4:29:03:41:5b:fd:8b:97:f9:d1:17:
2f:ce:37:8e:36:dd:d9:e0:94:7e:a6:16:9f:2e:98:
13:13:20:05:fa:3a:1a:17:55:87:0b:68:51:4c:7f:
64:32:13:94:5e:31:3a:12:5e:02:33:1e:67:99:a7:
0f:ee:2e:a9:5c:0d:d4:31:e4:8b:8f:ea:70:3d:1b:
d9:81:5d:2a:5f:6f:1c:d2:89:f9:e7:85:01:ee:6d:
ec:64:4e:5d:1b:91:e7:f7:98:eb:24:85:fe:bc:7c:
28:3a:2f:8a:ca:bf:50:53:db:66:59:4a:fa:2e:eb:
1f:81:f5:64:86:f0:1e:a3:87:52:95:59:6d:39:5d:
0b:71:bc:48:70:d2:cc:7f:bd:0c:2e:2d:0e:7a:0b:
01:3e:1b:63:3d:d8:af:8c:42:50:be:aa:6e:11:a9:
0f:10:71:38:22:95:42:83:d6:02:c3:2d:b2:83:01:
11:18:c9:b9:eb:28:72:b6:72:fe:e0:2c:98:0c:01:
8a:9d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
5C:E3:7F:82:65:F7:D7:A6:09:05:4F:88:09:E9:C2:75:5F:5F:B4:CE
X509v3 Authority Key Identifier:
keyid:51:93:EB:47:9A:69:76:9B:5D:46:5F:EC:C6:8D:50:2D:18:6D:8D:11
DirName:/CN=micvs
serial:8F:B4:36:E7:E5:0C:1A:B6
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
DNS:micvs_server
Signature Algorithm: sha256WithRSAEncryption
64:e1:1c:b9:c4:58:1b:69:93:d6:be:38:39:b1:ca:c1:41:89:
e4:12:16:b8:b7:66:6a:15:1e:75:41:d9:93:af:d2:ff:d0:78:
47:0a:cd:3d:de:cf:fc:26:f7:d1:76:6c:fc:b4:9c:78:53:b9:
02:0a:35:fd:83:78:4e:ef:b4:ba:60:93:b9:64:b6:fb:25:9c:
2a:53:ec:ec:b4:6d:a5:5e:15:46:c1:c1:6f:2c:99:cf:36:91:
10:07:05:27:91:ff:20:3e:29:8f:20:b3:58:34:04:b6:d0:b1:
e9:a3:27:d8:81:77:cf:f0:19:8e:5c:a1:5e:39:d1:a3:ba:e4:
bf:9e:0d:57:a3:6c:b4:b0:10:81:29:08:d0:55:35:b8:72:b9:
b4:2a:04:18:99:e2:08:70:6b:1f:fc:ee:2f:94:4c:59:0c:e9:
66:1a:fa:a5:e6:6f:a2:f3:66:18:22:da:17:a2:a8:76:01:06:
98:f7:a2:8a:b5:1e:ca:b0:ae:6f:eb:f4:1a:6e:e2:89:cd:87:
39:67:28:79:f6:f4:86:7d:de:5e:b1:10:3c:a7:72:69:fd:58:
9d:1e:9f:54:e2:06:3c:a7:39:4c:a5:d0:4b:12:15:8a:c7:95:
06:41:33:f4:74:0d:68:7c:5e:f5:67:f2:d1:cc:fc:e3:aa:14:
49:09:5a:7b
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh client dh.pem easy-rsa ipp.txt openvpn-password.log psw-file server server.conf server_crt server.crt server.key
[root@t2 openvpn]# mkdir cert_2023-208
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd cert_2023-208/
[root@t2 cert_2023-208]# ls
[root@t2 cert_2023-208]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd easy-rsa/
[root@t2 easy-rsa]# ls
build COPYING.md doc KNOWN_ISSUES op_test.orig README.md release-keys wop_test.sh
ChangeLog distro easyrsa3 Licensing op_test.sh README.quickstart.md wop_test.bat
[root@t2 easy-rsa]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd cert_2023-208/
[root@t2 cert_2023-208]# ls
[root@t2 cert_2023-208]# cp -r /etc/open
openldap/ openvpn/
[root@t2 cert_2023-208]# cp -r /etc/open
openldap/ openvpn/
[root@t2 cert_2023-208]# cp -r /etc/openvpn/easy-rsa ./
[root@t2 cert_2023-208]# ls
easy-rsa
[root@t2 cert_2023-208]# cd easy-rsa/
[root@t2 easy-rsa]# ls
build COPYING.md doc KNOWN_ISSUES op_test.orig README.md release-keys wop_test.sh
ChangeLog distro easyrsa3 Licensing op_test.sh README.quickstart.md wop_test.bat
[root@t2 easy-rsa]# ./easyrsa3/
easyrsa pki/ x509-types/
[root@t2 easy-rsa]# cd easyrsa3/
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# rm -rf pki/
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf vars vars.example x509-types
[root@t2 easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# ./easyrsa --batch build-ca nopass
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating RSA private key, 2048 bit long modulus
...................+++
.......................................................+++
e is 65537 (0x10001)
[root@t2 easyrsa3]# EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopassEASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass^C
[root@t2 easyrsa3]# EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
Note: using Easy-RSA configuration from: /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
............+++
................................................................+++
writing new private key to '/etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki/easy-rsa-14928.jQN2WT/tmp.EkeT0G'
-----
Using configuration from /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki/easy-rsa-14928.jQN2WT/tmp.DmWly1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Mar 14 07:15:04 2033 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
[root@t2 easyrsa3]# EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full client nopass
Note: using Easy-RSA configuration from: /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
......+++
.................................+++
writing new private key to '/etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki/easy-rsa-15028.kmnt4D/tmp.rZUlnF'
-----
Using configuration from /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki/easy-rsa-15028.kmnt4D/tmp.cqwOFp
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client'
Certificate is to be certified until Mar 14 07:15:19 2033 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
[root@t2 easyrsa3]# EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
Note: using Easy-RSA configuration from: /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Using configuration from /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki/easy-rsa-15103.TnYFbh/tmp.RbHEgL
An updated CRL has been created.
CRL file: /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki/crl.pem
[root@t2 easyrsa3]# cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem ../../
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# cd ..
[root@t2 easy-rsa]# ls
build COPYING.md doc KNOWN_ISSUES op_test.orig README.md release-keys wop_test.sh
ChangeLog distro easyrsa3 Licensing op_test.sh README.quickstart.md wop_test.bat
[root@t2 easy-rsa]# cd ..
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# chown nobody:nobody crl.pem
[root@t2 cert_2023-208]# openssl verify -CAfile ca.crt -purpose sslserver server.crt
server.crt: OK
[root@t2 cert_2023-208]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd client/
[root@t2 client]# ls
[root@t2 client]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd server
[root@t2 server]# l
-bash: l: command not found
[root@t2 server]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd server
[root@t2 server]# ls
[root@t2 server]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd server
[root@t2 server]# cd ..
[root@t2 openvpn]# cd server_crt/
[root@t2 server_crt]# ls
ca.crt dh.pem server.crt server.key
[root@t2 server_crt]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd cert_2023-208/
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd server_crt/
[root@t2 server_crt]# ls
ca.crt dh.pem server.crt server.key
[root@t2 server_crt]# ls
ca.crt dh.pem server.crt server.key
[root@t2 server_crt]# zip ./* Expires_2023年3月17日.zip
zip warning: missing end signature--probably not a zip file (did you
zip warning: remember to use binary mode when you transferred it?)
zip warning: (if you are trying to read a damaged archive try -F)
zip error: Zip file structure invalid (./ca.crt)
[root@t2 server_crt]# ls
ca.crt dh.pem server.crt server.key
[root@t2 server_crt]# zip Expires_2023年3月17日.zip ./*
adding: ca.crt (deflated 27%)
adding: dh.pem (deflated 18%)
adding: server.crt (deflated 45%)
adding: server.key (deflated 23%)
[root@t2 server_crt]# LS
-bash: LS: command not found
[root@t2 server_crt]# LS
-bash: LS: command not found
[root@t2 server_crt]# ls
ca.crt dh.pem Expires_2023年3月17日.zip server.crt server.key
[root@t2 server_crt]# ls
ca.crt dh.pem Expires_2023年3月17日.zip server.crt server.key
[root@t2 server_crt]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd cert_2023-208/
[root@t2 cert_2023-208]# ;s
-bash: syntax error near unexpected token `;'
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cp ca.crt ca.key crl.pem server.crt server.key /etc/openvpn/server
server/ server.conf server_crt/ server.crt server.key
[root@t2 cert_2023-208]# cp ca.crt ca.key crl.pem server.crt server.key /etc/openvpn/server_crt/
cp: overwrite ‘/etc/openvpn/server_crt/ca.crt’? y
cp: overwrite ‘/etc/openvpn/server_crt/server.crt’? y
cp: overwrite ‘/etc/openvpn/server_crt/server.key’? y
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd server_crt/
[root@t2 server_crt]# ls
ca.crt ca.key crl.pem dh.pem Expires_2023年3月17日.zip server.crt server.key
[root@t2 server_crt]# cd ..
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd ..
[root@t2 etc]# ls
adjtime cron.weekly gdbinit.d issue.net motd polkit-1 rsyslog.conf sysctl.d
adjtime.rpmsave crypttab GeoIP.conf kernel mtab popt.d rsyslog.d systemd
aliases csh.cshrc gnupg krb5.conf my.cnf postfix rwtab system-lsb
aliases.db csh.login grafana krb5.conf.d my.cnf.d ppp rwtab.d system-release
alinux-release dbus-1 GREP_COLORS ld.so.cache netconfig prelink.conf.d sasl2 telegraf
alternatives default groff ld.so.conf NetworkManager printcap securetty terminfo
anacrontab depmod.d group ld.so.conf.d networks profile security tmpfiles.d
anolis-release dhcp group- libaudit.conf nfs.conf profile.d selinux tuned
asound.conf DIR_COLORS grub2.cfg libnl nfsmount.conf protocols services udev
at.deny DIR_COLORS.256color grub.d libreport nscd.conf python sestatus.conf update-motd.d
audisp DIR_COLORS.lightbgcolor gshadow libuser.conf nsswitch.conf rc0.d shadow vconsole.conf
audit docker gshadow- locale.conf nsswitch.conf.bak rc1.d shadow- vimrc
bash_completion.d dracut.conf gss localtime nsswitch.conf.rpmnew rc2.d shells virc
bashrc dracut.conf.d gssproxy login.defs ntp.conf rc3.d skel wgetrc
binfmt.d e2fsck.conf host.conf logrotate.conf oci-register-machine.conf rc4.d ssh wireguard
centos-release environment hostname logrotate.d oci-umount rc5.d ssl wpa_supplicant
chkconfig.d ethertypes hosts lsb-release.d oci-umount.conf rc6.d statetab X11
chrony.conf exports hosts.allow lvm openldap rc.d statetab.d xdg
chrony.keys exports.d hosts.deny machine-id openvpn rc.local subgid xinetd.d
cloud favicon.png idmapd.conf magic opt redhat-release subuid yum
containers filesystems image-id mailcap os-release request-key.conf sudo.conf yum.conf
cron.d firewalld influxdb mail.rc pam.d request-key.d sudoers yum.repos.d
cron.daily fonts init.d man_db.conf passwd resolv.conf sudoers.d
cron.deny fstab inittab mime.types passwd- resolv.conf.save sudo-ldap.conf
cron.hourly fuse.conf inputrc mke2fs.conf pkcs11 rpc sysconfig
cron.monthly gcrypt iproute2 modprobe.d pki rpm sysctl.conf
crontab gdbinit issue modules-load.d pm rsyncd.conf sysctl.conf.rpmsave
[root@t2 etc]# cd openvpn/
[root@t2 openvpn]# ls
ca.crt cert_2023-208 client easy-rsa openvpn-password.log server server_crt server.key
ccd checkpsw.sh dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd cert_2023-208/
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cp ca.crt ca.key crl.pem server.crt server.key /etc/openvpn/
cp: overwrite ‘/etc/openvpn/ca.crt’? y
cp: overwrite ‘/etc/openvpn/server.crt’? y
cp: overwrite ‘/etc/openvpn/server.key’? y
[root@t2 cert_2023-208]# cd ..
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem easy-rsa openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# systemctl restart openvpn
Failed to restart openvpn.service: Unit not found.
[root@t2 openvpn]# systemctl status openvpn
Unit openvpn.service could not be found.
[root@t2 openvpn]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2022-11-25 14:59:33 CST; 3 months 20 days ago
Main PID: 24698 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─24698 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
^C
[root@t2 openvpn]# systemctl restart openvpn@server.service
[root@t2 openvpn]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-03-17 15:25:09 CST; 1s ago
Main PID: 15869 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─15869 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Mar 17 15:25:09 t2 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Mar 17 15:25:09 t2 openvpn[15869]: Fri Mar 17 15:25:09 2023 DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead
Mar 17 15:25:09 t2 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@t2 openvpn]# systemctl stop openvpn@server.service
[root@t2 openvpn]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri 2023-03-17 15:25:35 CST; 2s ago
Process: 15869 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
Main PID: 15869 (code=exited, status=0/SUCCESS)
Status: "Initialization Sequence Completed"
Mar 17 15:25:09 t2 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Mar 17 15:25:09 t2 openvpn[15869]: Fri Mar 17 15:25:09 2023 DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead
Mar 17 15:25:09 t2 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
Mar 17 15:25:35 t2 systemd[1]: Stopping OpenVPN Robust And Highly Flexible Tunneling Application On server...
Mar 17 15:25:35 t2 systemd[1]: Stopped OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@t2 openvpn]# systemctl start openvpn@server.service
[root@t2 openvpn]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-03-17 15:25:43 CST; 29s ago
Main PID: 15925 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─15925 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Mar 17 15:25:43 t2 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Mar 17 15:25:43 t2 openvpn[15925]: Fri Mar 17 15:25:43 2023 DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead
Mar 17 15:25:43 t2 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@t2 openvpn]# cd /var/lo
local/ lock/ log/
[root@t2 openvpn]# cd /var/log/
anaconda/ audit/ chrony/ grafana/ influxdb/ journal/ openvpn/ rhsm/ sa/ telegraf/ tuned/
[root@t2 openvpn]# cd /var/log/openvpn/
[root@t2 openvpn]# ls
openvpn.log
[root@t2 openvpn]# tail -f openvpn.log
Fri Mar 17 15:26:21 2023 58.33.81.92:49850 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 17 15:26:21 2023 58.33.81.92:63785 Connection reset, restarting [0]
Fri Mar 17 15:26:21 2023 58.33.81.92:63785 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 17 15:26:22 2023 58.33.81.92:57615 TLS: Initial packet from [AF_INET]58.33.81.92:57615, sid=e879fe27 d222dded
Fri Mar 17 15:26:22 2023 58.33.81.92:57615 Connection reset, restarting [0]
Fri Mar 17 15:26:22 2023 58.33.81.92:57615 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 17 15:26:22 2023 TCP connection established with [AF_INET]101.85.37.188:13366
Fri Mar 17 15:26:22 2023 101.85.37.188:13366 TLS: Initial packet from [AF_INET]101.85.37.188:13366, sid=37c74b71 7dbb2f42
Fri Mar 17 15:26:22 2023 101.85.37.188:13366 Connection reset, restarting [0]
Fri Mar 17 15:26:22 2023 101.85.37.188:13366 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 17 15:26:37 2023 TCP connection established with [AF_INET]58.33.81.92:49851
Fri Mar 17 15:26:37 2023 58.33.81.92:49851 TCP connection established with [AF_INET]58.33.81.92:63787
Fri Mar 17 15:26:38 2023 58.33.81.92:63787 TCP connection established with [AF_INET]58.33.81.92:57617
Fri Mar 17 15:26:38 2023 58.33.81.92:49851 TLS: Initial packet from [AF_INET]58.33.81.92:49851, sid=64e00504 c4fb8b9b
Fri Mar 17 15:26:38 2023 58.33.81.92:49851 Connection reset, restarting [0]
Fri Mar 17 15:26:38 2023 58.33.81.92:49851 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 17 15:26:38 2023 58.33.81.92:63787 TLS: Initial packet from [AF_INET]58.33.81.92:63787, sid=0fada2a3 e7c94ebb
Fri Mar 17 15:26:38 2023 58.33.81.92:63787 Connection reset, restarting [0]
Fri Mar 17 15:26:38 2023 58.33.81.92:63787 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 17 15:26:39 2023 58.33.81.92:57617 TLS: Initial packet from [AF_INET]58.33.81.92:57617, sid=76ba2f59 a275c4f9
Fri Mar 17 15:26:39 2023 58.33.81.92:57617 Connection reset, restarting [0]
Fri Mar 17 15:26:39 2023 58.33.81.92:57617 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Mar 17 15:26:41 2023 TCP connection established with [AF_INET]101.85.37.188:13379
Fri Mar 17 15:26:41 2023 101.85.37.188:13379 TLS: Initial packet from [AF_INET]101.85.37.188:13379, sid=7ec36c11 e1ee83e9
Fri Mar 17 15:26:41 2023 101.85.37.188:13379 Connection reset, restarting [0]
Fri Mar 17 15:26:41 2023 101.85.37.188:13379 SIGUSR1[soft,connection-reset] received, client-instance restarting
^C
[root@t2 openvpn]# sudo reboot
Connection to 172.17.21.25 closed by remote host.
Connection to 172.17.21.25 closed.
[yangchaojie@t3 ~]$ ssh -p 22 root@172.17.21.25
root@172.17.21.25's password:
Last login: Fri Mar 17 15:08:33 2023 from 172.17.21.26
Welcome to Alibaba Cloud Elastic Compute Service !
[root@t2 ~]# ls
centos7-vpn.sh client.tar.gz epel-release-latest-7.noarch.rpm influxdb-1.7.6.x86_64.rpm master.zip telegraf-1.15.3-1.x86_64.rpm
client controlsfx.jar grafana-7.1.0-1.x86_64.rpm influxdb-1.8.3.x86_64.rpm nginx
[root@t2 ~]# cd /etc/openvpn/
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem easy-rsa openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem easy-rsa openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client dh.pem ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# rm -rf server.key ca.key ca.crt dh.pem
[root@t2 openvpn]# ls
ccd cert_2023-208 checkpsw.sh client crl.pem easy-rsa ipp.txt openvpn-password.log psw-file server server.conf server_crt server.crt
[root@t2 openvpn]# cd easy-rsa/
[root@t2 easy-rsa]# ls
build COPYING.md doc KNOWN_ISSUES op_test.orig README.md release-keys wop_test.sh
ChangeLog distro easyrsa3 Licensing op_test.sh README.quickstart.md wop_test.bat
[root@t2 easy-rsa]# cd ..
[root@t2 openvpn]# ls
ccd cert_2023-208 checkpsw.sh client crl.pem easy-rsa ipp.txt openvpn-password.log psw-file server server.conf server_crt server.crt
[root@t2 openvpn]# rm -rf easy-rsa/
[root@t2 openvpn]# ;s
-bash: syntax error near unexpected token `;'
[root@t2 openvpn]# ls
ccd cert_2023-208 checkpsw.sh client crl.pem ipp.txt openvpn-password.log psw-file server server.conf server_crt server.crt
[root@t2 openvpn]# cp cert_2023-208/ ./
cp: omitting directory ‘cert_2023-208/’
[root@t2 openvpn]# cp cert_2023-208/* ./
cp: overwrite ‘./crl.pem’? y
cp: omitting directory ‘cert_2023-208/easy-rsa’
cp: overwrite ‘./server.crt’? ^C
[root@t2 openvpn]# cp -y cert_2023-208/* ./
cp: invalid option -- 'y'
Try 'cp --help' for more information.
[root@t2 openvpn]# cp y cert_2023-208/* ./
cp: cannot stat ‘y’: No such file or directory
cp: overwrite ‘./ca.crt’? ^C
[root@t2 openvpn]# ls
ca.crt ca.key ccd cert_2023-208 checkpsw.sh client crl.pem ipp.txt openvpn-password.log psw-file server server.conf server_crt server.crt
[root@t2 openvpn]# \cp cert_2023-208/* ./
cp: omitting directory ‘cert_2023-208/easy-rsa’
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd cert_2023-208/
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cd easy-rsa/
[root@t2 easy-rsa]# ls
build COPYING.md doc KNOWN_ISSUES op_test.orig README.md release-keys wop_test.sh
ChangeLog distro easyrsa3 Licensing op_test.sh README.quickstart.md wop_test.bat
[root@t2 easy-rsa]# cd easyrsa3/
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# cd pki/
[root@t2 pki]# ls
ca.crt crl.pem index.txt.attr index.txt.old openssl-easyrsa.cnf renewed revoked serial
certs_by_serial index.txt index.txt.attr.old issued private reqs safessl-easyrsa.cnf serial.old
[root@t2 pki]# cd ..
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# cd ..
[root@t2 easy-rsa]# ls
build COPYING.md doc KNOWN_ISSUES op_test.orig README.md release-keys wop_test.sh
ChangeLog distro easyrsa3 Licensing op_test.sh README.quickstart.md wop_test.bat
[root@t2 easy-rsa]# cd ..
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cd ..
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# systemctl restart openvpn
openvpn@ openvpn-client@ openvpn-server@ openvpn@server.service
[root@t2 openvpn]# systemctl restart openvpn@
openvpn@ openvpn@server.service
[root@t2 openvpn]# systemctl restart openvpn@server.service
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# sz ca.crt
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd /var/log/openvpn/
[root@t2 openvpn]# ls
openvpn.log
[root@t2 openvpn]# tail -f openvpn.log
Fri Mar 17 15:34:10 2023 --pull-filter ignored for --mode server
Fri Mar 17 15:34:10 2023 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Fri Mar 17 15:34:10 2023 OpenVPN 2.4.12 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Fri Mar 17 15:34:10 2023 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Mar 17 15:34:10 2023 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Fri Mar 17 15:34:10 2023 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Fri Mar 17 15:34:10 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Mar 17 15:34:10 2023 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
Fri Mar 17 15:34:10 2023 Cannot load DH parameters from /etc/openvpn/crl.pem
Fri Mar 17 15:34:10 2023 Exiting due to fatal error
c^H^C
[root@t2 openvpn]#
[root@t2 openvpn]# ls
openvpn.log
[root@t2 openvpn]# cd ..
[root@t2 log]# ls
anaconda cron grubby_prune_debug maillog messages-20230312 secure-20230312 wtmp
audit cron-20230219 influxdb maillog-20230219 openvpn spooler yum.log
boot.log cron-20230226 journal maillog-20230226 openvpn-status.log spooler-20230219 yum.log-20210101
boot.log-20200711 cron-20230305 kern maillog-20230305 rhsm spooler-20230226 yum.log-20220101
btmp cron-20230312 kern-20230219 maillog-20230312 sa spooler-20230305 yum.log-20230101
btmp-20230301 ecs_network_optimization.log kern-20230226 messages secure spooler-20230312
chrony firewalld kern-20230305 messages-20230219 secure-20230219 tallylog
cloudinit-deploy.log grafana kern-20230312 messages-20230226 secure-20230226 telegraf
cloud-init.log grubby lastlog messages-20230305 secure-20230305 tuned
[root@t2 log]# cd ..
[root@t2 var]# ls
adm cache db empty games gopher kerberos lib local lock log mail nis opt preserve run spool tmp yp
[root@t2 var]# cd /etc/
alternatives/ dbus-1/ groff/ logrotate.d/ pki/ rc4.d/ ssl/ wireguard/
audisp/ default/ grub.d/ lsb-release.d/ pm/ rc5.d/ statetab.d/ wpa_supplicant/
audit/ depmod.d/ gss/ lvm/ polkit-1/ rc6.d/ sudoers.d/ X11/
bash_completion.d/ dhcp/ gssproxy/ modprobe.d/ popt.d/ rc.d/ sysconfig/ xdg/
binfmt.d/ docker/ influxdb/ modules-load.d/ postfix/ request-key.d/ sysctl.d/ xinetd.d/
chkconfig.d/ dracut.conf.d/ init.d/ my.cnf.d/ ppp/ rpm/ systemd/ yum/
cloud/ exports.d/ iproute2/ NetworkManager/ prelink.conf.d/ rsyslog.d/ system-lsb/ yum.repos.d/
containers/ firewalld/ .java/ oci-umount/ profile.d/ rwtab.d/ telegraf/
cron.d/ fonts/ kernel/ openldap/ python/ sasl2/ terminfo/
cron.daily/ gcrypt/ krb5.conf.d/ openvpn/ rc0.d/ security/ tmpfiles.d/
cron.hourly/ gdbinit.d/ ld.so.conf.d/ opt/ rc1.d/ selinux/ tuned/
cron.monthly/ gnupg/ libnl/ pam.d/ rc2.d/ skel/ udev/
cron.weekly/ grafana/ libreport/ pkcs11/ rc3.d/ ssh/ update-motd.d/
[root@t2 var]# cd /etc/
alternatives/ dbus-1/ groff/ logrotate.d/ pki/ rc4.d/ ssl/ wireguard/
audisp/ default/ grub.d/ lsb-release.d/ pm/ rc5.d/ statetab.d/ wpa_supplicant/
audit/ depmod.d/ gss/ lvm/ polkit-1/ rc6.d/ sudoers.d/ X11/
bash_completion.d/ dhcp/ gssproxy/ modprobe.d/ popt.d/ rc.d/ sysconfig/ xdg/
binfmt.d/ docker/ influxdb/ modules-load.d/ postfix/ request-key.d/ sysctl.d/ xinetd.d/
chkconfig.d/ dracut.conf.d/ init.d/ my.cnf.d/ ppp/ rpm/ systemd/ yum/
cloud/ exports.d/ iproute2/ NetworkManager/ prelink.conf.d/ rsyslog.d/ system-lsb/ yum.repos.d/
containers/ firewalld/ .java/ oci-umount/ profile.d/ rwtab.d/ telegraf/
cron.d/ fonts/ kernel/ openldap/ python/ sasl2/ terminfo/
cron.daily/ gcrypt/ krb5.conf.d/ openvpn/ rc0.d/ security/ tmpfiles.d/
cron.hourly/ gdbinit.d/ ld.so.conf.d/ opt/ rc1.d/ selinux/ tuned/
cron.monthly/ gnupg/ libnl/ pam.d/ rc2.d/ skel/ udev/
cron.weekly/ grafana/ libreport/ pkcs11/ rc3.d/ ssh/ update-motd.d/
[root@t2 var]# cd /etc/openvpn/
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem openvpn-password.log server server_crt server.key
ca.key cert_2023-208 client ipp.txt psw-file server.conf server.crt
[root@t2 openvpn]# cd cert_2023-208/
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cd easy-rsa/
[root@t2 easy-rsa]# ls
build COPYING.md doc KNOWN_ISSUES op_test.orig README.md release-keys wop_test.sh
ChangeLog distro easyrsa3 Licensing op_test.sh README.quickstart.md wop_test.bat
[root@t2 easy-rsa]# cd easyrsa3/
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# cd pki/
[root@t2 pki]# ls
ca.crt crl.pem index.txt.attr index.txt.old openssl-easyrsa.cnf renewed revoked serial
certs_by_serial index.txt index.txt.attr.old issued private reqs safessl-easyrsa.cnf serial.old
[root@t2 pki]# cd private/
[root@t2 private]# ls
ca.key client.key server.key
[root@t2 private]# cd ..
[root@t2 pki]# ls
ca.crt crl.pem index.txt.attr index.txt.old openssl-easyrsa.cnf renewed revoked serial
certs_by_serial index.txt index.txt.attr.old issued private reqs safessl-easyrsa.cnf serial.old
[root@t2 pki]# cd ..
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# cd x509-types/
[root@t2 x509-types]# ls
ca client code-signing COMMON email kdc server serverClient
[root@t2 x509-types]# cd ..
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................................................................................................................................................................................................................................................................................................................+.......................+...................................+.........................+...............................+.............................................................................................+.....................................................................................................................+........................................................................................................................................+..........................................................+.....................................+.....................................................................................+.................+......................................+...................+.............................................................+...............+..................................................................................................................................+..............................................................................................................................................................................................................................................................................................................................................................................+...............................................+....................................................................+...................................................+.....................................................................................................................................................................................
................................................................................................+....+.............................................................+..........................+.............................................................................................................................................................................+...................................+................................................................................+.......................................................................................................................................................+..............................................................................................................................+................................................................................+...+.............................................................+..........................+.................................................................................................................................................................................................................................................................................................................+..........................................................+....+...................................................................................+........................+.......................................................+......................................................................................+..............+...............................................................+..........+..............................................................................................................................................................................................................................................................................................+..................................................................
........................................................................................................+..................................................................................................................................................+.................+..............................+..............................................................+......................................................+............................................+.......................................+.....................................................................................................................+.........................................................................+.....................................................+........................................+................................+.............................................................................................................................................................................................................................................................................................................................................................................................................................................................+...........................................................................................................+..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................+...............
.........+....................................................................................................................................................................................+....................................+..........+................................................................................................................................+......+.+....+...............................................................+..................................................................................................................................................................+..............+......................................................+..............+........+....+.....................................................+.................................................................................................................................+.......................+....................................................................................................................................................................................................................................................................................+.......+.............................................................................................+..................................................................................+............................................................................+......................................................................+..+..........................................................................................+......................................................................+...........................+.....................................................................................................................................+..............................................................................................................................................+....
......................................+.........+..........................+........................................................................................................................................................+...................................................................................................................+...................+.................................................................................................................................................................................................................................................................................+............+..........................+............+...............................................................................................................+...........................................................................................................................................+............................................................................................................................................................................................................................................................................................................................++*++*
DH parameters of size 2048 created at /etc/openvpn/cert_2023-208/easy-rsa/easyrsa3/pki/dh.pem
[root@t2 easyrsa3]# ls
easyrsa openssl-easyrsa.cnf pki vars vars.example x509-types
[root@t2 easyrsa3]# cd pki/
[root@t2 pki]# ls
ca.crt crl.pem index.txt index.txt.attr.old issued private reqs safessl-easyrsa.cnf serial.old
certs_by_serial dh.pem index.txt.attr index.txt.old openssl-easyrsa.cnf renewed revoked serial
[root@t2 pki]# cp dh.pem /etc/openvpn/
[root@t2 pki]# cd ../../../
[root@t2 cert_2023-208]# ls
ca.crt ca.key crl.pem easy-rsa server.crt server.key
[root@t2 cert_2023-208]# cd ..
[root@t2 openvpn]# ls
ca.crt ccd checkpsw.sh crl.pem ipp.txt psw-file server.conf server.crt
ca.key cert_2023-208 client dh.pem openvpn-password.log server server_crt server.key
[root@t2 openvpn]# vim server.conf
[root@t2 openvpn]# systemctl restart openvpn@server.service
[root@t2 openvpn]# systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-03-17 15:44:05 CST; 8s ago
Main PID: 2483 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─2483 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Mar 17 15:44:05 t2 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
Mar 17 15:44:05 t2 openvpn[2483]: Fri Mar 17 15:44:05 2023 DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead
Mar 17 15:44:05 t2 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
[root@t2 openvpn]#