环境配置
系统级配置
Ubuntu
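# ## Basic
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
sudo nano /etc/apt/sources.list
# Replace with the Tsinghua mirror. Note: replace `jammy` with the codename of
# your own release (20.04 = focal, 22.04 = jammy, 24.04 = noble).
# /etc/apt/sources.list contents:
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy main restricted universe multiverse
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-updates main restricted universe multiverse
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-backports main restricted universe multiverse
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ jammy-security main restricted universe multiverse

sudo apt update
sudo apt install -y fish
# Quote the substitution and use command -v: an unquoted `$(which fish)` that
# prints nothing leaves chsh with an empty -s argument.
chsh -s "$(command -v fish)"
# $SHELL still shows the previous shell in this session; the change is visible
# after logging in again.
echo "$SHELL"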
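sudo timedatectl set-timezone Asia/Shanghai
date

sudo apt install -y vim git openssh-server htop
git config --global user.name "aLinChe"
git config --global user.email "1129332011@qq.com"
git config --global core.editor vim
git config --global color.ui true

vim ~/.vimrc
# ~/.vimrc contents:
# :set mouse=a
# :set nu
# :set et
# :set sw=4
# :set sts=4
# :set hlsearch

sudo apt install python3 python3-pip
# Ubuntu installs no `python` binary unless python-is-python3 is present; use
# python3 so this matches the apt package above and pip3 below. On 23.04+ pip
# refuses to modify the system interpreter (externally-managed-environment);
# use a venv or --user there.
python3 -m pip install --upgrade pip
pip config set global.index-url https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple
pip3 config list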
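# ## Docker
# https://docs.docker.com/desktop/setup/install/linux/ubuntu/
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do
  sudo apt-get remove "$pkg"
done

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources (the original lost the line continuations):
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# The docker group is root-equivalent on the host (the daemon socket lets a
# member bind-mount any path), so grant it only to accounts you would give
# sudo. The new group is not active in this shell until re-login, so the
# `docker version` below may be denied until then.
sudo usermod -aG docker "${USER}"
docker version

docker pull alinche/echo
docker images -a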
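# ## Nix
# Fetch the installer to a file first so it can be read (and compared with the
# checksum published on nixos.org) before it runs with daemon privileges.
installer=$(mktemp) || exit 1
curl -fsSL https://nixos.org/nix/install -o "$installer"
sh "$installer" --daemon
rm -f -- "$installer"
nix-channel --add https://github.com/nix-community/home-manager/archive/master.tar.gz home-manager
nix-channel --update
nix-shell '<home-manager>' -A install
vim ~/.config/home-manager/home.nix
# home.nix snippet:
# nix = {
#   package = pkgs.nix;
#   settings.experimental-features = [ "nix-command" "flakes" ];
#   # NOTE(review): home-manager renders nix.settings into a generated
#   # nix.conf under the world-readable Nix store, so a real token pasted here
#   # is presumably readable by every local user; keep it in a separate
#   # root-only file that nix.conf includes instead.
#   settings.access-tokens = "github.com=<your-github-access-token>";
# };
#
# programs = {
#   direnv = {
#     enable = true;
#     enableBashIntegration = true;
#     nix-direnv.enable = true;
#   };
#   fish.enable = true;
#   # bash.enable = true; # let nix manage bash
# };
mv ~/.bashrc ~/.bashrc.backup
mv ~/.profile ~/.profile.backup

home-manager switch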
# ## else
# disk
df -h /tmp
sudo vgdisplay
sudo lvdisplay
# Grow the LV into every free extent, then grow the ext4 filesystem to match.
sudo lvextend -l +100%FREE /dev/ubuntu-vg/ubuntu-lv
sudo resize2fs /dev/ubuntu-vg/ubuntu-lv

lsblk
# Inside fdisk: p (print) -> d (delete) -> n (recreate; the new partition must
# keep the same first sector or the data is lost) -> w (write).
sudo fdisk /dev/sda
sudo partprobe
sudo resize2fs /dev/sda2

# hostname
sudo hostnamectl set-hostname aLinChe
# netplan
sudo vim /etc/netplan/50-cloud-init.yaml
# systemctl
systemctl --user list-unit-files --type=service --state=enabled
# ## Linux Kernel
make menuconfig
grep "=m" .config
grep "=y" .config

bear -- make -n
make ARCH=x86_64 compile_commands.json -j"$(nproc)" # x86_64
make -j"$(nproc)"
sudo make modules_install
sudo make install

make -j"$(nproc)" bzImage
cp arch/x86/boot/bzImage vmlinuz-x86_64
# if ARM aarch64: make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- -j$(nproc) # arch/arm64/boot/Image

# make menuconfig
# Kernel hacking --->
#   Compile-time checks and compiler options --->
#     [*] Compile the kernel with debug info
#     [*] Provide GDB scripts for kernel debugging
# Device Drivers --->
#   Network device support --->
#     [*] Network core driver support
#       <*> Virtual eXtensible Local Area Network (VXLAN)
#       <*> Universal TUN/TAP device driver support
#     [*] Ethernet driver support --->
#     -*- PHY Device support and infrastructure --->
#     -*- MDIO bus device drivers --->
#     # USB NIC:
#     <*> USB Network Adapters --->
#     # wireless NIC:
#     [*] Wireless LAN --->
#     # VM NIC:
#     <*> VMware VMXNET3 ethernet driver
#     <M> Simulated networking device
#     <M> Failover driver
#     Virtio drivers --->
# Networking support --->
#   Networking options --->
#     [*] TCP/IP networking
#     [*] IP: advanced router
#     [*] IP: policy routing
#     <*> The IPv6 protocol --->
#     <*> 802.1d Ethernet Bridging
#
# ---- Arch ----
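# https://archlinux.org/download/ # archinstall

systemctl stop reflector.service
vim /etc/pacman.d/mirrorlist
# /etc/pacman.d/mirrorlist contents (prefer the https entries: packages are
# signature-checked, but the database/mirror transfer is otherwise plaintext):
# Server = http://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
# Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
# Server = http://mirrors.hust.edu.cn/archlinux/$repo/os/$arch
# Server = https://mirrors.hust.edu.cn/archlinux/$repo/os/$arch

pacman -Sy pacman-mirrorlist
grep -A 42 China /etc/pacman.d/mirrorlist.pacnew
grep -A 42 China /etc/pacman.d/mirrorlist.pacnew > /etc/pacman.d/mirrorlist
vim /etc/pacman.d/mirrorlist

vim /etc/pacman.conf

fdisk /dev/sda # mnw
lsblk
mkfs.ext4 /dev/sda1
mount /dev/sda1 /mnt/

pacstrap -i /mnt base base-devel linux linux-firmware
genfstab -U -p /mnt > /mnt/etc/fstab
arch-chroot /mnt

echo ArchKK > /etc/hostname
pacman -S iw wpa_supplicant wireless_tools net-tools
pacman -S networkmanager
systemctl enable NetworkManager
pacman -S openssh
systemctl enable sshd
pacman -S dialog

ln -s -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
hwclock --systohc
date

vim /etc/locale.gen # zh_CN.UTF-8
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
cat /etc/locale.conf

# The original never set the root password and never granted wheel a sudo
# rule, so the installed system could not be administered after reboot
# (unless that was done elsewhere).
passwd
useradd -m -G wheel -s /bin/bash kkArch
passwd kkArch
# base-devel ships sudo, but wheel has no rule by default: uncomment
# `%wheel ALL=(ALL:ALL) ALL` in visudo.
EDITOR=vim visudo
pacman -S fish
chsh -s /bin/fish kkArch

pacman -S grub
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

exit
reboot
# ---- NixOS ----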
https://github.com/oeasy1412/nixos_config/Windows
## LTSC is all you need.https://next.itellyou.cn/Original/
## MAShttps://massgrave.dev/irm https://get.activated.win | iex
## WSL2“控制面板”->“程序”->“启用或关闭Windows功能”中勾选“适用于 Linux 的 Windows 子系统”和“虚拟机平台”重启计算机。重启后,以管理员身份打开PowerShell:wsl --set-default-version 2通过 Microsoft Store 搜索"Ubuntu"点击"获取"进行安装# 法2:wsl --list --online (wsl --install -d Ubuntu-22.04)
## WSL迁移到D盘wsl -l -vwsl --shutdownwsl --export Arch D:\WSL2\Arch\arch.tarwsl --unregister Archwsl --import D:\WSL2\Arch D:\WSL2\Arch\Arch.tar --version 2del D:\WSL2\Arch\Arch.tarArch.exe config --default-user [your name]# 同理 wsl --import Ubuntu-22.04 D:\WSL2\Ubuntu-22.04 D:\WSL2\Ubuntu-22.04\Ubun.tar --version 2
## disk 硬盘盒启动 + Ventoy安装系统diskpartlist disk # 确认新硬盘是磁盘1(根据容量931GB判断)select disk 1 # 选中您的机械硬盘(⚠️绝对不要选错磁盘!)clean # 删除所有分区(新硬盘可安全执行)convert gpt # 转换为GPT分区表(兼容大硬盘)create partition primary # 创建主分区(默认占用全部空间)format fs=ntfs quick # 快速格式化为NTFS文件系统assign letter=E # 手动分配驱动器号为E(可替换为F,G等)exit软件级配置
Conda
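# ## python
# https://www.python.org/downloads/ # Windows
# ## conda
# ## install
curl -O https://mirrors.tuna.tsinghua.edu.cn/anaconda/archive/Anaconda3-2025.06-1-Linux-x86_64.sh
# The mirror is a third party: compare the installer with the SHA-256 listed on
# the Anaconda archive page before running it.
# echo '<sha256-from-the-anaconda-archive-page>  Anaconda3-2025.06-1-Linux-x86_64.sh' | sha256sum -c -
chmod +x Anaconda3-2025.06-1-Linux-x86_64.sh
bash ./Anaconda3-2025.06-1-Linux-x86_64.sh

conda info --envs
conda deactivate
conda config --set auto_activate_base false
# ## d2l
conda create -n d2l-env python=3.11
conda activate d2l-env
conda config --add channels https://mirrors.tuna.tsinghua.edu.cn/anaconda/pkgs/main/
conda config --add channels https://mirrors.tuna.tsinghua.edu.cn/anaconda/cloud/pytorch/
conda config --add channels https://mirrors.tuna.tsinghua.edu.cn/anaconda/cloud/conda-forge/
pip install jupyter torch torchvision
pip install d2l
conda install ipykernel
python -m ipykernel install --user --name d2l-env --display-name "d2l"
# rm
conda remove --name d2l-env --all
conda env list
# export the environment
conda activate d2l-env
conda env export > d2l-env.yml
# reuse (the export above writes d2l-env.yml, not .yaml)
# conda env create -f d2l-env.yml --name new_torch_env
conda env create -n NewProject --file d2l-env.yml
conda activate NewProject
conda config --show
conda env list

# ## ROCm
# https://github.com/likelovewant/ROCmLibs-for-gfx1103-AMD780M-APU/ # 鸡哥无界14X(
conda create -n ROCm python=3.11
conda activate ROCm
# pip install torch==2.7.1 torchvision==0.22.1 torchaudio==2.7.1 --index-url https://download.pytorch.org/whl/rocm6.3
# NOTE: despite the section name, the active line installs the CUDA 11.8
# wheels; use the rocm6.3 line above for an AMD GPU.
pip install torch torchvision torchaudio --index-url https://download.pytorch.org/whl/cu118
pip install jupyter d2l
conda install ipykernel
python -m ipykernel install --user --name ROCm --display-name "ROCm"

# ## jupyter
jupyter kernelspec list
jupyter nbconvert --to script a.ipynb # html markdown pdf
jupyter notebook list
# --ip=0.0.0.0 listens on every interface: keep the token/password on, and
# prefer localhost behind an SSH tunnel (or the tailnet address) when other
# hosts can reach this machine.
jupyter notebook --ip=0.0.0.0 --port=8888 --allow-root
# ---- CUDA ----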
# ## nvidia driver
ubuntu-drivers devices
# install the recommended driver (or pick a version by hand)
sudo ubuntu-drivers autoinstall
sudo reboot
nvidia-smi

# https://developer.nvidia.com/cuda-downloads/ # is all you need
# ## PATH
sudo ln -s /usr/local/cuda-12.2 /usr/local/cuda
export PATH=/usr/local/cuda/bin${PATH:+:${PATH}}
export LD_LIBRARY_PATH=/usr/local/cuda/lib64${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export PATH="$HOME/anaconda3/bin:$PATH"

# ## reinstall
# remove the old driver
sudo apt purge '^nvidia-.*' && sudo apt autoremove
# install the recommended version (e.g. 575 => cuda12.9)
sudo apt install nvidia-driver-575
# disable the Nouveau driver
echo "blacklist nouveau" | sudo tee /etc/modprobe.d/blacklist-nouveau.conf
sudo update-initramfs -u
sudo reboot

sudo nvidia-smi -pm 1
nvidia-smi
watch -n 1 nvidia-smi

# ## e.g. GTX1060 specific versions
# install the 535 driver
sudo apt install -y nvidia-driver-535
# rebuild the kernel module
sudo dpkg-reconfigure nvidia-dkms-535
sudo update-initramfs -u
# add the official CUDA 12.2 repository
wget https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2204/x86_64/cuda-ubuntu2204.pin
sudo mv cuda-ubuntu2204.pin /etc/apt/preferences.d/cuda-repository-pin-600
# download and install the CUDA 12.2 local repository package
wget https://developer.download.nvidia.com/compute/cuda/12.2.0/local_installers/cuda-repo-ubuntu2204-12-2-local_12.2.0-535.54.03-1_amd64.deb
sudo dpkg -i cuda-repo-ubuntu2204-12-2-local_12.2.0-535.54.03-1_amd64.deb
# copy the keyring into place
sudo cp /var/cuda-repo-ubuntu2204-12-2-local/cuda-*-keyring.gpg /usr/share/keyrings/
sudo apt update
# install the CUDA 12.2 toolkit (no driver: it was installed separately)
sudo apt install -y cuda-toolkit-12-2

sudo ln -s /usr/local/cuda-12.2 /usr/local/cuda

conda install -c nvidia cudnn cudatoolkit=12.2
# ---- tailscale ----
https://tailscale.com/
## 安装Tailscale
### Linux
curl -fsSL https://tailscale.com/install.sh | sh
### Windows
https://mirrors.scutosc.cn/repository/tailscale/stable/tailscale-setup-latest.exe
### MacOS
https://mirrors.scutosc.cn/repository/tailscale/stable/Tailscale-latest-macos.pkg
### Android
release: https://github.com/tailscale/tailscale-android/releases/
you can also accelerate your download here: https://hub.samuka007.com/tailscale/tailscale-android/releases (x
## 如何使用
### Linux
# 将返回的链接COPY到浏览器打开,在浏览器登录验证
sudo tailscale up
# 打开开机自启
sudo systemctl enable tailscaled
### Windows
- Windows点击右下角的 `∧` ,点击 `Log in`
### MacOS
- 副歌v我50(x
### Android
- 直接打开登录
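# show the tailnet
tailscale status
# IP Name User OS status

# More
tailscale status --json
tailscale set
tailscale configure
# the subcommand is `file cp` (the original had the space squeezed out)
tailscale file cp A B # from A to B
tailscale ip
tailscale netcheck
tailscale configure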
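# ## headscale
sudo apt install iproute2
wget https://github.com/juanfont/headscale/releases/download/v0.26.0/headscale_0.26.0_linux_amd64.deb
# Check the package against the checksums file shipped with the same release
# before installing it:
# sha256sum --ignore-missing -c <checksums-file-from-the-v0.26.0-release>
sudo dpkg -i headscale_0.26.0_linux_amd64.deb

sudo headscale users create kkubun
# generate a pre-auth key. A reusable key valid for 180 days is a long-lived
# shared credential; drop --reusable (single use) or shorten -e where the
# enrolment workflow allows it.
sudo headscale preauthkeys create --reusable -e 180d -u <用户ID>
sudo headscale preauthkeys ls -u kkubun
# create a key for the whole organisation
headscale preauthkeys create -u 0 -e 180d -r -o

sudo headscale nodes ls
sudo headscale nodes list-routes
sudo headscale users ls

# Read the key from a root-only file rather than the command line, where it
# would land in shell history and `ps` output (tailscale accepts the file:
# prefix for --auth-key). Put headscale behind TLS for anything beyond a lab.
tailscale up --login-server=http://<headscale-server>:8080 --auth-key=file:<path-to-key-file>

# ## exit node
# ## server
# Write the sysctl settings once to a dedicated drop-in; the original's
# `tee -a /etc/sysctl.conf` duplicated the lines on every rerun.
printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1' \
  | sudo tee /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf # apply immediately
# iptables
sudo iptables -A FORWARD -i tailscale0 -j ACCEPT
sudo iptables -A FORWARD -o tailscale0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# masquerade rule (replace youreth0 with the real uplink interface)
sudo iptables -t nat -A POSTROUTING -o youreth0 -j MASQUERADE
# save the rules (when netfilter-persistent is used)
sudo netfilter-persistent save

sudo tailscale up --advertise-exit-node
sudo tailscale up --advertise-routes=192.168.199.0/24 --advertise-exit-node --accept-routes
sudo tailscale set --advertise-exit-node
# admin console: Edit route settings -> Use as exit node
# ip route show default
# stop advertising the exit node
sudo tailscale up --advertise-exit-node=false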
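// (shell) ## client
// sudo tailscale up --exit-node=<节点IP或主机名> --exit-node-allow-lan-access
// clear the exit-node setting
// sudo tailscale up --exit-node=""
// tailscale ACLs
{
  // ============ 1. groups ============
  "groups": {
    "group:infra": ["oeasy1412@github"],
    "group:developers": [],
    "group:support": [],
  },

  // ============ 2. tags and their owners ============
  "tagOwners": {
    "tag:prod-servers": ["group:infra"],
    "tag:dev-servers": ["group:infra"],
    "tag:public-resources": ["group:infra"],
    "tag:exit-node": ["group:infra"],
    "tag:user-devices": ["autogroup:admin"],
  },

  // ============ host aliases ============
  "hosts": {
    "corp-network": "192.168.199.0/24",
  },

  // ============ 3. core access rules ============
  "acls": [
    // ---- base rules ----
    // deny all traffic (overrides the default allow-all)
    // { "action": "deny", "src": ["*"], "dst": ["*:*"] },
    // members may reach their own devices
    {
      "action": "accept",
      "src": ["autogroup:member"], // every authenticated member
      "dst": ["autogroup:self:*"],
    },

    // ---- production ----
    // infra may reach every production server
    {
      "action": "accept",
      "src": ["group:infra"],
      "dst": ["tag:prod-servers:*"],
      // "srcPosture": ["posture:secure-access"],
    },
    // support is limited to specific ports
    {
      "action": "accept",
      "src": ["group:support"],
      "dst": [
        "tag:prod-servers:22",
        "tag:prod-servers:80",
        "tag:prod-servers:443",
        "tag:prod-servers:8080",
      ],
    },

    // ---- development ----
    // developers reach the dev servers
    {
      "action": "accept",
      "src": ["group:developers"],
      "dst": ["tag:dev-servers:*"],
    },

    // ==== public resources ====
    {
      "action": "accept",
      // "src": ["*"],
      "src": ["autogroup:member"],
      "dst": ["tag:public-resources:*"],
    },

    // ==== exit node ====
    {
      "action": "accept",
      "src": ["group:infra"],
      "dst": ["tag:exit-node:*"],
    },
    // infra may use the exit node to reach the internet
    {
      "action": "accept",
      "src": ["group:infra"],
      "dst": ["autogroup:internet:*"],
    },
    // infra may reach the corporate subnet
    {
      "action": "accept",
      "src": ["group:infra"],
      "dst": ["corp-network:*"],
    },
  ],

  // ============ auto approvers ============
  "autoApprovers": {
    "exitNode": ["group:infra", "tag:exit-node"],
    "routes": {
      "192.168.199.0/24": ["group:infra"],
    },
  },

  // ============ security requirements ============
  // "postures": {
  //   "posture:secure-access": [
  //     "node:tsAutoUpdate",               // auto-update must be on
  //     "node:tsReleaseTrack == 'stable'", // stable track only
  //     "node:os != 'windows'",            // no access from Windows devices
  //     "node:hasSSHKeys == true"          // SSH keys must be configured
  //   ],
  // },

  // ============ 4. SSH access control ============
  "ssh": [
    // admins may SSH to every device
    {
      // NOTE(review): "accept" lets root log in without the interactive
      // re-authentication that "check" requires; consider "check" for the
      // root user on production. Tailscale SSH also needs a network ACL that
      // permits port 22: group:infra has no acl entry for tag:dev-servers
      // (and the test below asserts deny), so that destination looks
      // unreachable through this rule.
      "action": "accept",
      "src": ["group:infra"],
      "dst": [
        "tag:prod-servers",
        "tag:dev-servers",
        "tag:public-resources",
        "tag:exit-node",
      ],
      "users": ["root", "autogroup:nonroot"],
    },

    // developers may SSH only to dev servers
    {
      "action": "check",
      "src": ["group:developers"],
      "dst": ["tag:dev-servers"],
      "users": ["autogroup:nonroot"],
    },
  ],

  // ============ 5. rule tests ============
  "tests": [
    // verify admin access
    {
      "src": "oeasy1412@github",
      "accept": ["tag:prod-servers:22"],
      "deny": ["tag:dev-servers:22"],
    },
  ],
}
// ---- codex ----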
https://www.bilibili.com/video/BV1wm4UzfEbr/cline with VSCode
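{
  "mcpServers": {
    "context7": {
      "command": "npx.cmd",
      "args": ["-y", "@upstash/context7-mcp"],
      "disabled": false,
      "autoApprove": []
    },
    // NOTE(review): server-filesystem takes the directories it may expose as
    // extra args; none are given here, so its reach presumably depends on the
    // server version / client roots. Pass explicit project directories so the
    // model cannot read or write outside them.
    "filesystem": {
      "command": "npx.cmd",
      "args": ["-y", "@modelcontextprotocol/server-filesystem"],
      "disabled": false,
      "autoApprove": []
    },
    "excel": {
      "command": "cmd",
      "args": ["/c", "uvx", "excel-mcp-server", "stdio"],
      "disabled": false,
      "autoApprove": []
    },
    // Only one "alinche_math" entry can be live: the original repeated the key
    // three times (parsers reject or silently collapse duplicates) and lacked
    // the comma after the STDIO entry. The SSE and streamable-HTTP variants
    // are kept below as commented alternatives.
    // STDIO
    "alinche_math": {
      "timeout": 60,
      "type": "stdio",
      "command": "D:\\VScode\\PyPI\\my-MCP\\alinche_math\\.venv\\Scripts\\python.exe",
      "args": ["main.py", "stdio"],
      "disabled": false,
      "autoApprove": [],
      "cwd": "D:\\VScode\\PyPI\\my-MCP\\alinche_math"
    },
    // SSE
    // "alinche_math": {
    //   "url": "http://localhost:8000/sse",
    //   "disabled": false,
    //   "autoApprove": []
    // },
    // streamable HTTP
    // "alinche_math": {
    //   "url": "http://localhost:8000/mcp",
    //   "disabled": false,
    //   "autoApprove": []
    // },
    // the pip package published on PyPI
    "alinche-math-mcp-server": {
      "autoApprove": [],
      "disabled": false,
      "timeout": 10,
      "type": "stdio",
      "command": "cmd",
      "args": ["/c", "uvx", "alinche-math-mcp-server", "stdio"]
    }
  }
}
// ---- Obsidian ----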
https://www.bilibili.com/video/BV1fZCyBYEuT/Sunshine & Moonlight
https://github.com/LizardByte/Sunshine/https://github.com/moonlight-stream/
https://github.com/Axixi2233/moonlight-android/ # 阿西西安卓端修改版Termux
https://github.com/termux/termux-app/https://github.com/termux/termux-api/
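# quote $PREFIX so a path with spaces cannot split into several arguments
vim "$PREFIX/etc/apt/sources.list" # nano is preinstalled
# sources.list contents:
# deb https://mirrors.tuna.tsinghua.edu.cn/termux/apt/termux-main stable main
# termux-change-repo # interactive tool shipped with Termux for switching mirrors
# pkg install tsinghua.sources
# pkg install ustc.sources

pkg update && pkg upgrade
pkg install vim openssh termux-services
# pkg install htop clang (optional)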
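whoami
passwd
ifconfig
sshd
# ssh <android-username>@IP -p 8022
pkg i termux-services
sv-enable ssh-agent
sv-enable sshd # sv status sshd
vim "$PREFIX/etc/termux-login.sh"
# $PREFIX/etc/termux-login.sh contents:
if tty -s; then
  if pgrep -x "sshd" > /dev/null; then
    echo "sshd is already running."
  else
    sshd
    echo "Started sshd."
  fi
  termux-wake-lock # keep CPU and network from being suspended while the phone sleeps
  echo "Welcome Termux!"
fi

vim "$PREFIX/etc/ssh/sshd_config"
# sshd_config additions:
# ClientAliveInterval 60
# ClientAliveCountMax 3
# Once the key referenced below is in ~/.ssh/authorized_keys, also set
# `PasswordAuthentication no`: the password set with `passwd` above is
# otherwise accepted from any host that can reach port 8022.

# transfer files with scp
scp ./main.cpp myHand:~/cpp
# ~/.ssh/config on your computer:
# Host myHand
#   HostName 192.168.1.100 # replace with the phone's LAN IP
#   Port 8022
#   User u0_a118 # replace with the name printed by `whoami` in Termux
#   ServerAliveInterval 60
#   ServerAliveCountMax 3
#   IdentityFile C:\Users\Name\.ssh\myHand_id_rsa # key-based auth (recommended)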
termux-setup-storage # grant access to the phone's storage

termux-vibrate

termux-media-player play "storage/shared/Music/a.mp3"

termux-camera-info
termux-camera-photo storage/shared/a.jpg

termux-microphone-record -f storage/shared/a.m4a -l 0

ls storage/shared/Android/data/
am start com.tencent.mobileqq/.activity.SplashActivity

termux-battery-status
termux-notification
# ---- 图吧工具箱 ----
https://tbtool.dawnstd.cn/MinGW-w64
https://winlibs.com/OpenVPN
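# sudo apt update && sudo apt upgrade -y
sudo apt install openvpn easy-rsa -y
mkdir ~/openvpn-ca
cd ~/openvpn-ca || exit 1
vim vars
# vars contents:
# set_var EASYRSA_REQ_COUNTRY "CN"
# set_var EASYRSA_REQ_PROVINCE "Beijing"
# set_var EASYRSA_REQ_CITY "Beijing"
# set_var EASYRSA_REQ_ORG "MyVPN"
# set_var EASYRSA_REQ_EMAIL "admin@myvpn.com"
# set_var EASYRSA_REQ_OU "MyVPN CA"
# set_var EASYRSA_KEY_SIZE 4096
# set_var EASYRSA_CA_EXPIRE 3650
# set_var EASYRSA_CERT_EXPIRE 1080
# NOTE(review): EASYRSA_KEY_SIZE sizes RSA keys (easy-rsa's default algo).
# The server and client configs on this page pin the ECDSA-only suite
# TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384, which a TLS 1.2 handshake cannot
# complete with RSA certificates: add `set_var EASYRSA_ALGO ec` here before
# init-pki, or use the TLS-ECDHE-RSA-... suite in those configs.

# The link lives in your home directory; sudo is unnecessary and only left a
# root-owned symlink.
ln -s /usr/share/easy-rsa/easyrsa ./easyrsa
./easyrsa init-pki
# nopass stores the CA private key unencrypted; whoever reads pki/private/ca.key
# can issue trusted client certificates. Drop nopass (and keep the CA off the
# VPN server) unless automation genuinely needs it.
./easyrsa build-ca nopass # openvpn-CA
# ## generate the server certificate and key
./easyrsa gen-req server nopass # assumes your name=openvpn-server
./easyrsa sign-req server server
./easyrsa gen-dh # wait
openvpn --genkey secret pki/ta.key

# ## create the client certificate request and key
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

sudo mkdir /etc/openvpn/server
sudo cp ./pki/ca.crt /etc/openvpn/server/
sudo cp ./pki/issued/server.crt /etc/openvpn/server/
sudo cp ./pki/private/server.key /etc/openvpn/server/
sudo cp ./pki/dh.pem /etc/openvpn/server/
sudo cp ./pki/ta.key /etc/openvpn/server/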
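# sudo vim /etc/openvpn/server/server.conf
## --- server.conf ---
port 1194
# Only the last `proto` line takes effect; tcp6-server listens on both IPv4 and
# IPv6, so the tcp-server line the original had first was dead.
;proto tcp-server
proto tcp6-server
dev tun

# certificate paths
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/ta.key

# network
;topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
;push "route 192.168.1.0 255.255.255.0"
client-to-client
# NOTE(review): /etc/openvpn/ccd/client1 (created further down this page) is
# only read when this directive is enabled, and its iroute also needs the
# matching `route` above.
;client-config-dir /etc/openvpn/ccd

# hardening
cipher AES-256-GCM
# AES-256-GCM is AEAD, so `auth` is not used on the data channel here; the
# client.ovpn on this page says SHA256 — keep both ends identical so the
# setting means what it reads.
auth SHA512
tls-version-min 1.2
# ECDSA-only suite: needs an EC PKI (EASYRSA_ALGO ec). With the RSA keys from
# the vars on this page a TLS 1.2 handshake fails; use
# TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 or switch the PKI to EC. (TLS 1.3
# suites are selected by tls-ciphersuites, not by this line.)
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

# connection
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun

# logging
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3

# extra hardening
# reneg-sec 3600 # renegotiate keys hourly
# easy-rsa `sign-req client` gives client certs the client EKU, so this check
# is safe to enable: a client certificate can then not be presented to other
# clients as if it were the server, and vice versa.
remote-cert-tls client
# verify-client-cert require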
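# ## --- forwarding ---
sudo vim /etc/sysctl.conf
# uncomment
#net.ipv4.ip_forward=1
sudo sysctl -p
sudo ufw allow 1194/tcp
sudo ufw allow ssh

# NAT (masquerade) so VPN clients reach the internet through the server
# sudo vim /etc/ufw/before.rules
# NAT table rules for OpenVPN
# *nat
# :POSTROUTING ACCEPT [0:0]
# -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# COMMIT
sudo vim /etc/default/ufw
# DEFAULT_FORWARD_POLICY="ACCEPT" forwards between *all* interfaces, which makes
# the per-interface FORWARD rules below moot. Keeping ufw's default (DROP) and
# allowing only the VPN path, e.g. `ufw route allow in on tun0 out on <uplink>`,
# is the tighter choice.
# DEFAULT_FORWARD_POLICY="ACCEPT"

sudo mkdir -p /etc/openvpn/ccd
sudo vim /etc/openvpn/ccd/client1
# /etc/openvpn/ccd/client1 (only read when server.conf enables client-config-dir):
# ifconfig-push 10.8.0.6 10.8.0.1
# iroute 192.168.1.0 255.255.255.0

sudo systemctl -f enable openvpn-server@server.service
sudo systemctl start openvpn-server@server.service

# The original named three different uplinks (eth0, wlp3s0, eno1); set the
# real one once here so the v4 and v6 rules agree.
ext_if=wlp3s0
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$ext_if" -j MASQUERADE
sudo iptables -A FORWARD -i "$ext_if" -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o "$ext_if" -j ACCEPT

sudo ip6tables -A FORWARD -i tun0 -o "$ext_if" -j ACCEPT
sudo ip6tables -A FORWARD -i "$ext_if" -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo apt install iptables-persistent
sudo netfilter-persistent save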
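## --- client ---
# vim ./client.ovpn
##############################################
# OpenVPN client configuration
# last updated: 2025-09-03
##############################################

client

# network
dev tun
# Only the last `proto` line counts; tcp6-client handles IPv4 and IPv6, so the
# tcp-client line the original listed first was dead.
;proto tcp-client
proto tcp6-client
;proto udp

# server
remote scut6.alinche.dpdns.org 1194
;remote your-server-ip 1194 # fallback server address
resolv-retry infinite

# connection behaviour
nobind
persist-key
persist-tun
remote-cert-tls server
# The name must equal the CN of the server certificate. The PKI steps on this
# page issue it as `server` (./easyrsa gen-req server), so `C10VPN-server`
# fails verification unless that request was given this CN.
verify-x509-name C10VPN-server name

# security
cipher AES-256-GCM
# server.conf on this page uses `auth SHA512`; with the AEAD cipher the value
# is unused for data, but keep both sides identical so the config is not
# misleading.
auth SHA256
auth-nocache
tls-version-min 1.2
# ECDSA-only suite: needs an EC PKI for a TLS 1.2 handshake (see the note on
# the server side).
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
;ignore-unknown-option block-outside-dns
;reneg-sec 3600

# performance
;sndbuf 0
;rcvbuf 0
;comp-lzo no # compression disabled (recommended)
;compress lz4-v2 # enable only if compression is required

# logging and diagnostics
verb 3
;mute 20
;log openvpn.log # log to a file (for debugging)

# embedded certificates and keys
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>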
# ## sources for the embedded blocks
sudo cat /etc/openvpn/server/ca.crt
sudo cat ./pki/issued/client1.crt
# client1.key is the client's private credential: move it over a secure channel
# only, and remove it from the server once the .ovpn is assembled.
sudo cat ./pki/private/client1.key
sudo cat /etc/openvpn/server/ta.key

# sudo openssl verify -CAfile /etc/openvpn/server/ca.crt ./pki/issued/client1.crt

# ## --- ddns-go --- (optional)
# --net=host exposes the web UI on port 9876 of every host address; set a login
# password in the UI (and/or firewall the port) when the host is reachable from
# outside, since the UI presumably holds the DNS-provider API credentials.
docker run -d --name ddns-go --restart=always --net=host -v /opt/ddns-go:/root jeessy/ddns-go
# open http://<docker-host-ip>:9876/