安装 Tunnelblick
再安装

brew install easy-rsa openvpn

运行脚本生成服务端配置文件

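#!/usr/bin/env bash
#server-conf
#server
#
# Bootstrap an OpenVPN server on macOS (Homebrew layout): build a fresh
# easy-rsa PKI, issue the server certificate, publish the CRL, generate the
# tls-crypt key, and write ${OVPN_DIR}/${OVPN_ID}.conf with every credential
# inlined.
#
# Requires: easyrsa, openvpn, openssl (brew install easy-rsa openvpn).
# Side effects: `easyrsa init-pki` discards any existing PKI under
# ${OVPN_PKI}; the generated .conf embeds the server private key, so it is
# written with mode 0600.
set -euo pipefail

# Configuration parameters
OVPN_DIR="/usr/local/etc/openvpn"
OVPN_PKI="/usr/local/etc/pki"
OVPN_PORT="1194"
OVPN_PROTO="tcp"
OVPN_POOL="10.8.0.0 255.255.255.0"
# First host of the pool: drop ".<last octet> <netmask>" and append ".1"
OVPN_DNS="${OVPN_POOL%.* *}.1"
OVPN_SERV="xxxip"   # public address of this server; only the client profile needs it
OVPN_ID="server"

# Point easy-rsa at the same PKI directory this script reads back from,
# instead of relying on the tool's compiled-in default.
export EASYRSA_PKI="${OVPN_PKI}"
mkdir -p -- "${OVPN_DIR}"

# Remove and re-initialize the PKI directory (easyrsa asks to confirm when one exists)
easyrsa init-pki

# Generate DH parameters (slow; output lands in ${OVPN_PKI}/dh.pem)
easyrsa gen-dh

# Create a new CA with an unencrypted CA key
easyrsa --batch build-ca nopass

# Generate a key pair and sign locally for a server; 10-year validity
EASYRSA_CERT_EXPIRE=3650 easyrsa build-server-full "${OVPN_ID}" nopass

# Publish the CRL where the server config (crl-verify) looks for it
EASYRSA_CRL_DAYS=3650 easyrsa gen-crl
cp -- "${OVPN_PKI}/crl.pem" "${OVPN_DIR}/crl.pem"
chown nobody:nogroup "${OVPN_DIR}/crl.pem"

# Generate TLS PSK used by tls-crypt
# NOTE(review): newer OpenVPN releases document this as `--genkey secret FILE`;
# the older spelling below still works where the author tested it — confirm on upgrade.
openvpn --genkey --secret "${OVPN_PKI}/tc.pem"

# Read the material back as PEM text. `openssl x509` re-emits only the
# certificate block, dropping easy-rsa's human-readable preamble.
OVPN_DH="$(cat -- "${OVPN_PKI}/dh.pem")"
# Strip comment lines from the key file. NOTE(review): `\w` is a GNU regex
# extension; if macOS's BSD sed does not honour it the only effect is that
# the line-joining (N; s/\n//) is skipped and the key is inlined as-is, which
# OpenVPN still parses.
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_PKI}/tc.pem")"
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
NL=$'\n'

# Configure VPN service and generate client profiles
OVPN_KEY="$(cat -- "${OVPN_PKI}/private/${OVPN_ID}.key")"
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"

# `local ::` binds the IPv6 wildcard, so the listener shows up as a tcp6
# socket (presumably why netstat appears not to show port 1194 on macOS).
# `crl-verify crl.pem` is relative to OpenVPN's working directory; run the
# server from ${OVPN_DIR} (or with --cd) so the published CRL is found.
OVPN_CONF_SERVER="\
local ::
dev tun
port ${OVPN_PORT}
proto ${OVPN_PROTO}
server ${OVPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
crl-verify crl.pem
push \"dhcp-option DNS ${OVPN_DNS}\"
push \"redirect-gateway def1\"
push \"persist-tun\"
push \"persist-key\"
<dh>${NL}${OVPN_DH}${NL}</dh>"
OVPN_CONF_COMMON="\
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<key>${NL}${OVPN_KEY}${NL}</key>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<ca>${NL}${OVPN_CA}${NL}</ca>"

# The config embeds the server private key: create it owner-readable only
( umask 077; cat > "${OVPN_DIR}/${OVPN_ID}.conf" << EOF
${OVPN_CONF_SERVER}
${OVPN_CONF_COMMON}
EOF
)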

将 openvpn文件夹拷贝一份

cp -r openvpn openvpn.tblk

双击openvpn.tblk会自动用Tunnelblick打开

注意:mac这货找不到监听的1194端口,但是能telnet,处处是坑,还以为有啥问题呢。
参考 https://neddy-tek.medium.com/openvpn-server-and-client-set-up-on-macos-3bb1fb84b29d

添加用户

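#!/usr/bin/env bash
#adduser
#client
#
# Issue a client certificate from the PKI built by server-conf and write a
# self-contained profile ${OVPN_DIR}/<name>.ovpn with key, cert, CA and
# tls-crypt key inlined.
#
# Usage: adduser CLIENT_NAME
# Requires: easyrsa, openssl; OVPN_SERV below must be set to the server's
# reachable address first. The profile embeds the client private key, so it
# is written with mode 0600.
set -euo pipefail

# Configuration parameters
OVPN_DIR="/usr/local/etc/openvpn"
OVPN_PKI="/usr/local/etc/pki"
OVPN_PORT="1194"
OVPN_PROTO="tcp"
OVPN_POOL="10.8.0.0 255.255.255.0"
# First host of the pool; not used by the client profile, kept for parity with server-conf
OVPN_DNS="${OVPN_POOL%.* *}.1"
OVPN_SERV="xxxip"   # replace with the server's public IP or hostname
OVPN_ID="${1:-}"

# The client name becomes both the certificate CN and a file name: refuse an
# empty name or one that could escape the PKI directories.
if [[ -z "${OVPN_ID}" || "${OVPN_ID}" == */* ]]; then
  printf 'usage: %s CLIENT_NAME  (name must be non-empty and contain no "/")\n' "${0##*/}" >&2
  exit 2
fi
# A profile pointing at the placeholder address can never connect; fail early.
if [[ "${OVPN_SERV}" == "xxxip" ]]; then
  printf 'set OVPN_SERV to the server address before generating profiles\n' >&2
  exit 1
fi

# Use the PKI that server-conf populated
export EASYRSA_PKI="${OVPN_PKI}"
mkdir -p -- "${OVPN_DIR}"

# Generate a key pair and sign locally for a client; 10-year validity
EASYRSA_CERT_EXPIRE=3650 easyrsa build-client-full "${OVPN_ID}" nopass

# Read shared material back as PEM text (see server-conf for the sed caveat)
OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_PKI}/tc.pem")"
OVPN_CA="$(openssl x509 -in "${OVPN_PKI}/ca.crt")"
NL=$'\n'

# Client credentials; `openssl x509` keeps only the certificate block
OVPN_KEY="$(cat -- "${OVPN_PKI}/private/${OVPN_ID}.key")"
OVPN_CERT="$(openssl x509 -in "${OVPN_PKI}/issued/${OVPN_ID}.crt")"

# remote-cert-tls server rejects peers whose certificate was not issued with
# the server role, so one client cert cannot impersonate the server.
OVPN_CONF_CLIENT="\
dev tun
nobind
client
remote ${OVPN_SERV} ${OVPN_PORT} ${OVPN_PROTO}
auth-nocache
remote-cert-tls server"
OVPN_CONF_COMMON="\
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
<key>${NL}${OVPN_KEY}${NL}</key>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<ca>${NL}${OVPN_CA}${NL}</ca>"

# The profile embeds the client private key: create it owner-readable only
( umask 077; cat > "${OVPN_DIR}/${OVPN_ID}.ovpn" << EOF
${OVPN_CONF_CLIENT}
${OVPN_CONF_COMMON}
EOF
)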

删除用户

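#!/usr/bin/env bash
#deluser
#client
#
# Revoke a client certificate, regenerate and publish the CRL, then delete
# the client's key material and profile so the revoked identity leaves no
# usable credentials behind.
#
# Usage: deluser CLIENT_NAME
# Requires: easyrsa; the PKI and ${OVPN_DIR} layout produced by server-conf.
set -euo pipefail

# Configuration parameters
OVPN_DIR="/usr/local/etc/openvpn"
OVPN_PKI="/usr/local/etc/pki"
OVPN_ID="${1:-}"

# Refuse an empty name or a path-like name before anything is removed
if [[ -z "${OVPN_ID}" || "${OVPN_ID}" == */* ]]; then
  printf 'usage: %s CLIENT_NAME  (name must be non-empty and contain no "/")\n' "${0##*/}" >&2
  exit 2
fi

# Use the PKI that server-conf populated
export EASYRSA_PKI="${OVPN_PKI}"

easyrsa --batch revoke "${OVPN_ID}"
EASYRSA_CRL_DAYS=3650 easyrsa gen-crl

# Publish the new CRL; the server's crl-verify consults this file.
# NOTE(review): server-conf chowns crl.pem to nobody:nogroup; this copy keeps
# the invoking user's ownership and relies on the default umask leaving it
# world-readable — confirm the running OpenVPN user can still read it.
rm -f -- "${OVPN_DIR}/crl.pem"
cp -- "${OVPN_PKI}/crl.pem" "${OVPN_DIR}/crl.pem"

# Remove the revoked client's artefacts: PKI files and the generated profile,
# which still embeds the (now revoked) private key.
rm -f -- \
  "${OVPN_PKI}/issued/${OVPN_ID}.crt" \
  "${OVPN_PKI}/private/${OVPN_ID}.key" \
  "${OVPN_PKI}/reqs/${OVPN_ID}.req" \
  "${OVPN_DIR}/${OVPN_ID}.ovpn"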

参考 http://www.eudu.net/index.php/archives/65/

最后修改:2023 年 03 月 04 日