Install and configure an OpenVPN server with Easy-RSA 3 on Linux (RHEL/CentOS 7)

Date: 2020-01-09 10:40:59  Source: igfitidea

OpenVPN is usually described as an SSL-based VPN because it uses the SSL/TLS protocol to secure the connection.

In addition, an OpenVPN server uses an HMAC with a digest (hash) algorithm to protect the integrity of every packet it carries.
It can be configured to authenticate peers with pre-shared keys as well as with X.509 certificates.
Many other SSL-based VPNs do not offer this combination.

What is a VPN?

Put simply, a VPN lets an administrator create a "local" network between machines that sit on different network segments.
Those machines may be on the same LAN, separated from each other by the public Internet, or even connected across several kinds of media (wireless uplinks, satellite links, and so on).
The P in VPN stands for the protection that is added to make this virtual network private.
Traffic flowing over the VPN is said to be inside the (VPN) tunnel, as opposed to all other traffic, which is outside it.

Install and configure the OpenVPN server

To install and set up the OpenVPN server, first install the EPEL repository, which provides the openvpn rpm and its dependencies.

[root@node2 ~]# yum -y install epel-release

Once the repository is in place, install the openvpn and easy-rsa rpms with yum:

[root@node2 ~]# yum -y install openvpn easy-rsa

Note:

Easy-RSA 3 ships a completely different set of scripts from version 2, but the overall flow (create a CA, then create and sign server and client keys) is the same.

First, copy the packaged "easy-rsa" directory into /etc/openvpn (the target directory /etc/openvpn/easy-rsa must exist beforehand; create it with mkdir -p if it does not) and then switch to /etc/openvpn/easy-rsa/. Start in the packaged directory:

[root@node2 ~]# cd /usr/share/easy-rsa/3.0.3

These are the files in the packaged "easy-rsa 3" directory:

[root@node2 3.0.3]# ls -l
total 48
-rwxr-xr-x 1 root root 35985 Aug 22  2016 easyrsa
-rw-r--r-- 1 root root  4560 Sep  3  2014 openssl-1.0.cnf
drwxr-xr-x 2 root root  4096 Apr 16 19:05 x509-types

Copy these files into our working directory, /etc/openvpn/easy-rsa/:

[root@node2 3.0.3]# cp -rf * /etc/openvpn/easy-rsa/
[root@node2 3.0.3]# cd /etc/openvpn/easy-rsa/
[root@node2 easy-rsa]# ls -l
total 48
-rwxr-xr-x 1 root root 35985 Apr 16 19:11 easyrsa
drwxr-xr-x 2 root root  4096 Apr 16 19:09 keys
-rw-r--r-- 1 root root  4560 Apr 16 19:11 openssl-1.0.cnf
drwxr-xr-x 2 root root  4096 Apr 16 19:11 x509-types

Initialize the Easy-RSA 3 PKI

init-pki removes any existing pki directory under the Easy-RSA 3 directory and creates a fresh one containing the "private" and "reqs" subdirectories. Run it only once: re-running it later destroys the CA created in the next step.

[root@node2 easy-rsa]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

Generate the CA certificate

The build-ca subcommand first generates a certificate signing request (CSR) under Easy-RSA 3 and then self-signs it.
You are prompted for a passphrase that protects the CA private key, and for some organizational information (here only the Common Name is asked for).

Important:

This passphrase is required every time a server or client certificate request is signed. The CA key (pki/private/ca.key) is the root of trust for the whole VPN; in a production setup it belongs on a separate, ideally offline, machine, with only ca.crt copied to the VPN server. For this article the CA lives on the server itself:

[root@node2 easy-rsa]# ./easyrsa build-ca
Generating a 2048 bit RSA private key
...........................+++
...........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/ca.key.docNHm1tdU'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

Generate Diffie-Hellman parameters

Next, generate the Diffie-Hellman parameters with gen-dh. This step does not touch the CA; it only produces pki/dh.pem, which the server needs for the DH key exchange. Generating a 2048-bit safe prime takes a while:

[root@node2 easy-rsa]# ./easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[... several hundred progress characters elided ...]
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

Generate a key pair and certificate request (CSR) for the server

Next, generate a certificate for the OpenVPN server and sign it with the Easy-RSA 3 script (easyrsa).
In the example below the key is named "node2", matching the cert and key paths referenced in the server configuration file further down.
The key is created without a passphrase (nopass) so that the OpenVPN server can read it at startup without a sysadmin typing a password; the CA passphrase is still requested when the server certificate is signed:

[root@node2 easy-rsa]# ./easyrsa gen-req node2 nopass
Generating a 2048 bit RSA private key
.....................................+++
.........................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/node2.key.c8WE211mjv'
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Common Name (eg: your user, host, or server name) [node2]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/node2.req
key: /etc/openvpn/easy-rsa/pki/private/node2.key
[root@node2 easy-rsa]# ./easyrsa sign server node2
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName                = node2

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'node2'
Certificate is to be certified until Apr 13 14:09:43 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/node2.crt

Copy the OpenVPN server's certificates

Now create a /etc/openvpn/keys directory and copy into it the key and certificates the OpenVPN server needs from the Easy-RSA 3 directory. The directory is made 750 so that the private key is not world-readable:

[root@node2 easy-rsa]# mkdir /etc/openvpn/keys/
[root@node2 easy-rsa]# chmod 750 /etc/openvpn/keys
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/keys/dh2048.pem
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/issued/node2.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/private/node2.key /etc/openvpn/keys/

Generate a certificate for the client

Whenever a new user is added, switch to the /etc/openvpn/easy-rsa directory and run the following commands to generate a certificate request and then sign it:

[root@node2 easy-rsa]# cd /etc/openvpn/easy-rsa

Here the client name is hynman; change it to suit your environment.
Note that this generates the client's private key on the CA host, so the key has to be transported to the client afterwards. Easy-RSA's intended workflow avoids that: run gen-req on the client, copy only the .req file to the CA host, and there run ./easyrsa import-req <file.req> hynman followed by ./easyrsa sign-req client hynman, so that only the signed certificate travels back.

[root@node2 easy-rsa]# ./easyrsa gen-req  hynman nopass
Generating a 2048 bit RSA private key
.............+++
...........................................................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/hynman.key.3h2S55BG8q'
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Common Name (eg: your user, host, or server name) [hynman]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/hynman.req
key: /etc/openvpn/easy-rsa/pki/private/hynman.key
[root@node2 easy-rsa]# ./easyrsa sign client hynman
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = hynman

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'hynman'
Certificate is to be certified until Apr 13 14:11:20 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/hynman.crt

Copy the client certificate and key to /etc/openvpn/keys/:

[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/issued/hynman.crt /etc/openvpn/keys/
[root@node2 easy-rsa]# cp -a /etc/openvpn/easy-rsa/pki/private/hynman.key /etc/openvpn/keys/
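Before files from pki/issued and pki/private are copied to /etc/openvpn/keys or shipped to a client, it is worth checking that each certificate chains to ca.crt, that the private key actually belongs to it, and that it carries the extendedKeyUsage that Easy-RSA 3 sets for 'sign server' (serverAuth) and 'sign client' (clientAuth). The script below is an added example, not part of the article or of Easy-RSA. So that it runs stand-alone it builds a throwaway CA with plain openssl in a temporary directory, using the page's names node2 and hynman; against the real PKI the same function is called as verify_issued node2 server /etc/openvpn/easy-rsa/pki.

```shell
#!/bin/sh
# Added example (not from the article or Easy-RSA): review an issued certificate
# before it goes into /etc/openvpn/keys. The throwaway CA below is built with
# plain openssl so the script runs without Easy-RSA; its layout mirrors the
# pki/ directory (ca.crt, issued/, private/, reqs/).

# verify_issued NAME TYPE PKIDIR   (TYPE is server or client); returns 1 on any failure
verify_issued() {
    name=$1 type=$2 pki=$3
    crt=$pki/issued/$name.crt key=$pki/private/$name.key
    # 1. the certificate chains to our CA
    openssl verify -CAfile "$pki/ca.crt" "$crt" >/dev/null 2>&1 \
        || { echo "$name: does not verify against $pki/ca.crt"; return 1; }
    # 2. the private key belongs to this certificate (compare the public keys)
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "$name: private key does not match certificate"; return 1; }
    # 3. extendedKeyUsage matches the role, so remote-cert-tls on the peer accepts it
    case $type in
        server) want='TLS Web Server Authentication' ;;
        client) want='TLS Web Client Authentication' ;;
        *) echo "unknown type $type"; return 1 ;;
    esac
    openssl x509 -in "$crt" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$want" \
        || { echo "$name: extendedKeyUsage does not mark it as a $type certificate"; return 1; }
    echo "$name: ok ($type)"
}

# --- throwaway PKI in the Easy-RSA layout (constructed for the demo) ----------
pki=$(mktemp -d)
mkdir -p "$pki/issued" "$pki/private" "$pki/reqs"
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=server \
    -keyout "$pki/private/ca.key" -out "$pki/ca.crt" 2>/dev/null

# issue NAME TYPE: key + CSR (like gen-req), then sign with the role's EKU (like sign-req)
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$pki/private/$1.key" -out "$pki/reqs/$1.req" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%sAuth\n' "$2" > "$pki/$2.ext"
    openssl x509 -req -days 3650 -in "$pki/reqs/$1.req" -CA "$pki/ca.crt" \
        -CAkey "$pki/private/ca.key" -CAcreateserial -extfile "$pki/$2.ext" \
        -out "$pki/issued/$1.crt" 2>/dev/null
}
issue node2 server
issue hynman client

verify_issued node2 server "$pki"
verify_issued hynman client "$pki"
verify_issued hynman server "$pki" || true   # wrong role: reported and rejected
```

The third check is what makes remote-cert-tls (see the client configuration below) meaningful: a client certificate signed with 'sign client' cannot be repurposed as a server certificate, so a compromised client key cannot be used to impersonate the VPN server.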

Initial setup for client/server mode

To set up a basic OpenVPN server, create the server configuration file on the server with the following entries:

[root@node2 openvpn]# vim /etc/openvpn/server.conf
port 1194
proto udp
dev tun
comp-lzo                      # deprecated in 2.4; compression on a VPN is a known risk, drop it in production
management 127.0.0.1 1194     # loopback only, but no password file: any local user can control the daemon
keepalive 10 120
persist-key
persist-tun
ifconfig-pool-persist ipp.txt
status openvpn-status.log     # relative to /etc/openvpn (the unit's --cd), i.e. /etc/openvpn/openvpn-status.log
verb 3
server 172.16.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.5"
push "dhcp-option DOMAIN example.com"
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/node2.crt
key /etc/openvpn/keys/node2.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem

Disable the firewall on the server

For the purposes of this article the firewall and SELinux are disabled, since configuring them is outside its scope; a separate article will cover the firewall setup for an OpenVPN server.
On a real deployment leave both on: the server only needs 1194/udp opened (plus IP forwarding and a route or NAT on the LAN side if clients are to reach 192.168.0.0/24 through it), and the openvpn package runs fine under the stock SELinux policy.

[root@node2 ~]# systemctl stop firewalld
[root@node2 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

SELinux is disabled as well:

[root@node2 ~]# getenforce
Disabled

Enable and start the OpenVPN server

All configuration on the OpenVPN server side is now complete.
Enable and start the service (the instance name after @ selects /etc/openvpn/server.conf):

[root@node2 easy-rsa]# systemctl -f enable openvpn@server.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /usr/lib/systemd/system/openvpn@.service.
[root@node2 easy-rsa]# systemctl start openvpn@server.service

Check that the tunnel interface was created on the OpenVPN server (tun0 at the end of the list, carrying the server's VPN address 172.16.0.1):

[root@node2 openvpn]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.31/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.105/24 brd 192.168.0.255 scope global noprefixroute dynamic eth1
       valid_lft 3327sec preferred_lft 3327sec
    inet6 2401:4900:2742:d79f:a00:27ff:fe95:c3cd/64 scope global mngtmpaddr dynamic
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe95:c3cd/64 scope link
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.0.1 peer 172.16.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b522:32f4:7576:a549/64 scope link flags 800
       valid_lft forever preferred_lft forever

Next, copy the client certificate and key to /etc/openvpn on the client node.

Note:

Make sure the openvpn rpm is installed on the client node before copying these files. The .key file is the client's private key: move it only over an authenticated channel such as scp (as here), never by mail or through a shared drop folder.

[root@node2 keys]# scp /etc/openvpn/keys/hynman.* node3:/etc/openvpn/
Warning: Permanently added the ECDSA host key for IP address '10.0.2.32' to the list of known hosts.
root@node3's password:
hynman.crt                                                                                100% 4410     3.1MB/s   00:00
hynman.key                                                                                100% 1704     1.0MB/s   00:00
[root@node2 keys]# scp /etc/openvpn/keys/ca.crt node3:/etc/openvpn/
root@node3's password:
ca.crt                                                                                    100% 1151   310.2KB/s   00:00
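Instead of shipping ca.crt, hynman.crt and hynman.key as three loose files, OpenVPN lets all of them be embedded in one profile with inline <ca>, <cert> and <key> blocks, so a single file (created with mode 0600) is handed to the client. The script below is an added example, not from the article; the key directory and the placeholder PEM contents are constructed for the demo, and on the server from the article the directory would be /etc/openvpn/keys.

```shell
#!/bin/sh
# Added example (not from the article): bundle a client's CA certificate,
# certificate and private key into one inline .ovpn profile. Directory and
# placeholder PEM blocks below are constructed for the demo (not real keys).

# build_profile NAME KEYDIR REMOTE -> profile on stdout; exit 1 if a file is missing
build_profile() {
    name=$1 keydir=$2 remote=$3
    for f in "$keydir/ca.crt" "$keydir/$name.crt" "$keydir/$name.key"; do
        [ -r "$f" ] || { echo "build_profile: missing $f" >&2; return 1; }
    done
    # Same directives as the article's client.conf minus the file references,
    # with the deprecated ns-cert-type replaced by remote-cert-tls, which checks
    # the extendedKeyUsage=serverAuth that Easy-RSA 3 sets with 'sign server'.
    cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
EOF
    for pair in "ca:ca.crt" "cert:$name.crt" "key:$name.key"; do
        tag=${pair%%:*}
        echo "<$tag>"
        cat "$keydir/${pair#*:}"
        echo "</$tag>"
    done
}

# write_profile NAME KEYDIR REMOTE OUTFILE -> profile on disk, owner-only (0600)
write_profile() {
    ( umask 077; build_profile "$1" "$2" "$3" > "$4" )   # the file holds a private key
}

# --- demo with constructed placeholder material ------------------------------
demo_dir=$(mktemp -d)
for f in ca.crt hynman.crt; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "CONSTRUCTED-$f" '-----END CERTIFICATE-----' > "$demo_dir/$f"
done
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' > "$demo_dir/hynman.key"
write_profile hynman "$demo_dir" node2.example.com "$demo_dir/hynman.ovpn"
ls -l "$demo_dir/hynman.ovpn"
```

The profile is started with openvpn --config hynman.ovpn (or dropped into /etc/openvpn as client.conf); because it contains the private key it must be protected like hynman.key itself.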

OpenVPN client configuration

Install the EPEL repository on the OpenVPN client node:

[root@node3 ~]# yum -y install epel-release

Next install the openvpn rpm on the client node; it must be the same openvpn package as on the server:

[root@node3 ~]# yum -y install openvpn

Then create /etc/openvpn/client.conf on the client node with the following content:

[root@node3 openvpn]# vim /etc/openvpn/client.conf
client
dev tun
proto udp
remote node2.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert hynman.crt
key hynman.key
comp-lzo                 # must match the server; deprecated, remove it on both sides when possible
verb 3
remote-cert-tls server   # replaces the deprecated ns-cert-type server (removed in OpenVPN 2.5): accepts only a cert signed with 'sign server' (extendedKeyUsage=serverAuth)
script-security 2        # required for the up/down scripts below; they run as root
down /etc/openvpn/client.down
up /etc/openvpn/client.up
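The server.conf and client.conf above work, but a reviewer would question a few settings in each: compression (comp-lzo), the deprecated ns-cert-type, a management interface with no password, no tls-auth/tls-crypt on the server, and the server never dropping root. The linter below is an added example, not from the article; it encodes those checks, runs them over trimmed copies of both files, and shows a hardened server.conf beside the weak one. The paths /etc/openvpn/keys/ta.key and /etc/openvpn/mgmt.pw in the hardened file are assumptions (ta.key would be created with openvpn --genkey --secret /etc/openvpn/keys/ta.key and copied to every client).

```shell
#!/bin/sh
# Added example (not from the article): lint OpenVPN configs for the weak
# settings discussed above. Sample configs below are constructed copies of
# the article's files, trimmed to the relevant directives.

# lint_openvpn_conf FILE -> one finding per line; returns 1 if any finding
lint_openvpn_conf() {
    conf=$(sed 's/[#;].*//' "$1")                  # strip comments before matching
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
    n=0
    if has '^(comp-lzo|compress)'; then
        echo "compression enabled: deprecated in 2.4 and exploitable (VORACLE); remove it"; n=$((n+1))
    fi
    if has '^ns-cert-type'; then
        echo "ns-cert-type is deprecated (removed in 2.5): use 'remote-cert-tls server'"; n=$((n+1))
    fi
    if has '^server ' && ! has '^(tls-auth|tls-crypt) '; then
        echo "no tls-auth/tls-crypt: any host can start a TLS handshake; add tls-crypt"; n=$((n+1))
    fi
    if has '^server ' && ! { has '^user ' && has '^group '; }; then
        echo "no user/group: daemon keeps root after startup; add 'user nobody' and 'group nobody'"; n=$((n+1))
    fi
    if has '^management ' && ! has '^management +[^ ]+ +[^ ]+ +[^ ]+'; then
        echo "management interface without password file: any local user can control the daemon"; n=$((n+1))
    fi
    if has '^script-security 2' && has '^(up|down) '; then
        echo "up/down scripts run as root: keep them root-owned and not writable by others"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# --- constructed sample configs -----------------------------------------------
demo=$(mktemp -d)
cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
dev tun
comp-lzo
management 127.0.0.1 1194
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/node2.crt
key /etc/openvpn/keys/node2.key  # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
EOF
cat > "$demo/server-hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
tls-crypt /etc/openvpn/keys/ta.key              # assumed path; encrypts and authenticates the control channel
remote-cert-tls client                          # only certs signed with 'sign client' may connect
user nobody
group nobody
management 127.0.0.1 7505 /etc/openvpn/mgmt.pw  # assumed path; loopback only and password-protected
server 172.16.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/node2.crt
key /etc/openvpn/keys/node2.key
dh /etc/openvpn/keys/dh2048.pem
EOF
cat > "$demo/client.conf" <<'EOF'
client
dev tun
proto udp
remote node2.example.com 1194
ca ca.crt
cert hynman.crt
key hynman.key
comp-lzo
ns-cert-type server
script-security 2
down /etc/openvpn/client.down
up /etc/openvpn/client.up
EOF

for f in server.conf client.conf server-hardened.conf; do
    echo "== $f"; lint_openvpn_conf "$demo/$f" || true
done
```

The user/group check is deliberately limited to server configs: on the client, client.down must still run as root to restore resolv.conf, so dropping privileges there needs the down-root plugin and is left out of this example.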

Note:

Replace node2.example.com with the name or address of your VPN server.

The VPN server pushes its own DNS settings to the client.
To have resolv.conf updated automatically, a script has to run when the VPN connects and disconnects so that resolv.conf is managed correctly; the openvpn package ships such scripts in its documentation directory.
Copy both scripts into /etc/openvpn on the OpenVPN client node:

[root@node3 ~]# cp /usr/share/doc/openvpn-2.4.7/contrib/pull-resolv-conf/client.down /etc/openvpn/
[root@node3 ~]# cp /usr/share/doc/openvpn-2.4.7/contrib/pull-resolv-conf/client.up /etc/openvpn/

Finally, make sure the ca.crt, hynman.crt and hynman.key files copied from the server are in /etc/openvpn:

[root@node3 ~]# cd /etc/openvpn/

Make sure "hynman.key" is not readable by other users on the OpenVPN client (640 leaves it readable by root and its group only; 600 is the safer choice, since only the openvpn process running as root needs it):

[root@node3 openvpn]# chmod 640 hynman.key

Also make client.down and client.up executable:

[root@node3 openvpn]# chmod u+x client.down client.up

Verify the files and their permissions on the OpenVPN client node:

[root@node3 openvpn]# ls -l
total 36
-rw-------. 1 root root    1151 Apr 16 19:55 ca.crt
drwxr-x---. 2 root openvpn 4096 Apr 16 20:43 client
-rw-r--r--. 1 root root     259 Apr 16 20:49 client.conf
-rwxr--r--. 1 root root    1698 Apr 16 19:48 client.down
-rwxr--r--. 1 root root    2928 Apr 16 19:48 client.up
-rw-------. 1 root root    4410 Apr 16 19:55 hynman.crt
-rw-r-----. 1 root root    1704 Apr 16 19:55 hynman.key
drwxr-x---. 2 root openvpn 4096 Apr 16 19:58 server

Disable the firewall on the client

The firewall and SELinux are disabled on the OpenVPN client for this article as well, since covering them would lengthen it; a separate article may cover the firewall rules needed for OpenVPN.

[root@node3 ~]# systemctl stop firewalld
[root@node3 ~]# systemctl disable firewalld

SELinux is disabled as well:

[root@node3 ~]# getenforce
Disabled

Enable and start the OpenVPN client service

All configuration on the OpenVPN client side is complete, so the client service can be started (the instance name after @ selects /etc/openvpn/client.conf):

[root@node3 openvpn]# systemctl -f enable openvpn@client.service
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@client.service to /usr/lib/systemd/system/openvpn@.service.
[root@node3 openvpn]# systemctl start openvpn@client.service

Check the service status on the OpenVPN client to make sure there are no errors:

[root@node3 openvpn]# systemctl status openvpn@client.service
● openvpn@client.service - OpenVPN Robust And Highly Flexible Tunneling Application On client
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-16 19:56:58 IST; 2min 53s ago
 Main PID: 11281 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
           └─11281 /usr/sbin/openvpn --cd /etc/openvpn/ --config client.conf
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 ROUTE_GATEWAY 10.0.2.2/255.0.0.0 IFACE=eth0 HWADDR=08:00:27:df:87:41
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 TUN/TAP device tun0 opened
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 TUN/TAP TX queue length set to 100
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip link set dev tun0 up mtu 1500
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip addr add dev tun0 local 172.16.0.6 peer 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /etc/openvpn/client.up tun0 1500 1553 172.16.0.6 172.16.0.5 init
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip route add 192.168.0.0/24 via 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 /sbin/ip route add 172.16.0.1/32 via 172.16.0.5
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 16 19:59:49 node3.example.com openvpn[11281]: Tue Apr 16 19:59:49 2019 Initialization Sequence Completed

If everything went well, the tunnel has been created on the OpenVPN client (tun0 with the VPN address 172.16.0.6):

[root@node3 openvpn]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:df:87:41 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.32/8 brd 10.255.255.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fedf:8741/64 scope link tentative dadfailed
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:95:c3:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.15/24 brd 10.0.3.255 scope global noprefixroute dynamic eth1
       valid_lft 75484sec preferred_lft 75484sec
    inet6 fe80::19d9:1da:ac06:fec0/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:b0:af:fb brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.0.6 peer 172.16.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::55b6:ffb9:2cee:5343/64 scope link flags 800
       valid_lft forever preferred_lft forever

Verify that the connection works by pinging the server's VPN address:

From the OpenVPN client:

[root@node3 openvpn]# ping -c 4 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=1.51 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=2.03 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=2.56 ms
64 bytes from 172.16.0.1: icmp_seq=4 ttl=64 time=2.34 ms
--- 172.16.0.1 ping statistics --
4 packets transmitted, 4 received, 0% packet loss, time 3078ms
rtt min/avg/max/mdev = 1.514/2.115/2.565/0.394 ms

From the OpenVPN server:

[root@node2 openvpn]# ping -c 4 172.16.0.6
PING 172.16.0.6 (172.16.0.6) 56(84) bytes of data.
64 bytes from 172.16.0.6: icmp_seq=1 ttl=64 time=1.32 ms
64 bytes from 172.16.0.6: icmp_seq=2 ttl=64 time=1.50 ms
64 bytes from 172.16.0.6: icmp_seq=3 ttl=64 time=37.9 ms
64 bytes from 172.16.0.6: icmp_seq=4 ttl=64 time=4.08 ms
--- 172.16.0.6 ping statistics --
4 packets transmitted, 4 received, 0% packet loss, time 3060ms
rtt min/avg/max/mdev = 1.323/11.221/37.974/15.484 ms

So the VPN configuration works as expected.
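Ping proves the tunnel is up, but on the server side the question an operator keeps asking is who is connected right now and whether every connected common name is one that was meant to be issued. The server's status openvpn-status.log directive answers that: the file (relative to /etc/openvpn, the unit's working directory) is rewritten periodically in the default version-1 layout. The script below is an added example, not from the article; the status file it reads is constructed in that layout, and the second client "ghost" is made up to show the alert.

```shell
#!/bin/sh
# Added example (not from the article): list connected clients from the
# server's status file and flag any common name that is not expected. The
# status file below is constructed in OpenVPN's default status format.

# connected_clients FILE -> lines of "CN virtual-IP real-address"
connected_clients() {
    awk -F, '
        /^ROUTING TABLE/ { rt = 1; next }            # section mapping VPN IP -> CN
        /^GLOBAL STATS/  { rt = 0 }
        rt && $1 != "Virtual Address" { print $2, $1, $3 }   # skip the header row
    ' "$1"
}

# alert_unknown_clients FILE CN... -> prints "UNEXPECTED cn vip real" for each CN
# not in the list; returns 1 if any were found
alert_unknown_clients() {
    f=$1; shift
    allowed=" $* "
    found=$(connected_clients "$f" | while read -r cn vip real; do
        case "$allowed" in
            *" $cn "*) ;;
            *) echo "UNEXPECTED $cn $vip $real" ;;
        esac
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# --- constructed sample status file -------------------------------------------
status_file=$(mktemp)
cat > "$status_file" <<'EOF'
OpenVPN CLIENT LIST
Updated,Tue Apr 16 19:59:49 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
hynman,10.0.2.32:49157,5432,6789,Tue Apr 16 19:56:58 2019
ghost,203.0.113.7:51234,120,96,Tue Apr 16 19:58:10 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.16.0.6,hynman,10.0.2.32:49157,Tue Apr 16 19:59:49 2019
172.16.0.10,ghost,203.0.113.7:51234,Tue Apr 16 19:59:40 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

connected_clients "$status_file"
alert_unknown_clients "$status_file" hynman || echo "(unknown client found)"
```

On the server from the article the call would be alert_unknown_clients /etc/openvpn/openvpn-status.log hynman, with the list taken from pki/issued; a CN that shows up there but was revoked or never issued means a certificate is being used that should not exist.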