Setting up an OpenVPN virtual private network on Windows (Word format .docx)
, and rename it to "vpn", as shown in the figure below:
Figure 7
2. Detailed OpenVPN server-side configuration
A. Edit vars.bat.sample
Open the file in the C:\Program Files\OpenVPN\easy-rsa directory with WordPad.
(Notepad is not recommended: opening the file in Notepad may corrupt its format.)
Set the following values:
set KEY_COUNTRY=CN
set KEY_PROVINCE=BJ
set KEY_CITY=BJ
set KEY_ORG=LHJ
set KEY_EMAIL=381364654@QQ.COM
B. Command-line configuration
Start - Run - type cmd
(1) cd C:\Program Files\OpenVPN\easy-rsa
(2) init-config
(3) vars ------ this step is required: vars must be run to initialise the environment before each of the certificates below is generated
(4) clean-all
(5) Generate the root CA certificate
vars
build-ca
(6) Generate the dh1024.pem file, which the server must have in order to use TLS.
build-dh
Figure 8
(7) Generate the server certificate
Figure 9
build-key-server server01
Figure 10
Figure 11
At this point the certificate used by the server side has been generated.
(8) Generate the client certificate
Figure 12
build-key client01
Figure 13
Figure 14
(9) Generate the ta.key file
Figure 15
openvpn --genkey --secret keys/ta.Key
Figure 16
At this point the root CA, client and server certificates and key files are all ready; what remains is to configure the server-side and client-side files.
C. Server-side file configuration
(1) The server-side configuration file is in the folder C:\Program Files\OpenVPN\sample-config.
The contents of server.ovpn are as follows (note: the comments below explain the setting at each point; follow this format exactly, because a single formatting error anywhere may prevent clients from connecting when the OpenVPN server is started):
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
local 168.168.168.170

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 8081

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server01.crt
key server01.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
# route-method exe
# route-delay 2

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 168.168.168.0 255.255.255.0
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
#
# The addresses below refer to public DNS servers.
;push "dhcp-option DNS 59.108.107.42"
;push "dhcp-option DNS 202.106.0.20"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC
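As an added example (not part of the original document and not OpenVPN's own code), the following Python script reads a server.ovpn written in the directive format shown above and checks the points the sample's own comments stress: only one proto line active, the ca/cert/key/dh files present, tls-auth using key direction 0 on the server with a well-formed ta.key, and duplicate-cn left commented out. The two sample configs and the stand-in key and certificate files it creates are constructed for the demonstration; the directive names are the ones used in the file above, and backslash escapes inside quoted arguments are not interpreted.

```python
"""Lint an OpenVPN server config for the pitfalls its sample comments warn about.

Added example, not part of the original document and not OpenVPN code.
Assumptions: OpenVPN 2.x directive syntax ('#' or ';' starts a comment,
quoted arguments as in push "..."); files named by ca/cert/key/dh/tls-auth
are resolved relative to a base directory passed by the caller.
"""
import re
import tempfile
from pathlib import Path

TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')
KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"


def tokenize(line):
    """Split one config line into arguments; stop at an inline '#'/';' comment."""
    args = []
    for dq, sq, bare in TOKEN.findall(line):
        if bare and bare[0] in "#;":
            break
        args.append(dq or sq or bare)
    return args


def parse_directives(text):
    """Return [(directive, [args]), ...] for the active (non-comment) lines only."""
    out = []
    for raw in text.splitlines():
        args = tokenize(raw.strip())
        if args:
            out.append((args[0], args[1:]))
    return out


def is_static_key(text):
    """True if text looks like a ta.key from 'openvpn --genkey --secret':
    the V1 markers around 512 hex digits (a 2048-bit key)."""
    lines = [ln.strip() for ln in text.splitlines()]
    if KEY_BEGIN not in lines or KEY_END not in lines:
        return False
    body = "".join(lines[lines.index(KEY_BEGIN) + 1:lines.index(KEY_END)])
    return len(body) == 512 and re.fullmatch(r"[0-9a-fA-F]+", body) is not None


def lint_server_config(text, base_dir):
    """Return a list of findings; an empty list means no pitfall was detected."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
    findings, base = [], Path(base_dir)

    if "server" not in seen and "server-bridge" not in seen:
        findings.append("server: neither 'server' nor 'server-bridge' is active")
    if len(seen.get("proto", [])) > 1:
        findings.append("proto: more than one transport active; keep one of 'proto udp'/'proto tcp'")
    for name in ("ca", "cert", "key", "dh"):
        args = seen.get(name, [[]])[0]
        if not args:
            findings.append(f"{name}: missing")
        elif not (base / args[0]).is_file():
            findings.append(f"{name}: file not found: {args[0]}")
    for args in seen.get("tls-auth", []):
        if not args:
            findings.append("tls-auth: missing key file argument")
            continue
        if len(args) < 2 or args[1] != "0":
            findings.append("tls-auth: the server must use key direction 0 (clients use 1)")
        path = base / args[0]
        if not path.is_file():
            findings.append(f"tls-auth: file not found: {args[0]}")
        elif not is_static_key(path.read_text()):
            findings.append(f"tls-auth: {args[0]} is not a valid OpenVPN static key file")
    if "duplicate-cn" in seen:
        findings.append("duplicate-cn: active; testing only, give every client its own cert/key")
    return findings


# Constructed sample config carrying three of the pitfalls described above.
WEAK_CONFIG = """\
local 168.168.168.170
port 8081
proto tcp
proto udp
dev tun
ca ca.crt
cert server01.crt
key server01.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "route 192.168.10.0 255.255.255.0"
duplicate-cn
keepalive 10 120
tls-auth ta.key 1
"""
# The same config with one proto, no duplicate-cn and server-side key direction 0.
FIXED_CONFIG = (WEAK_CONFIG.replace("proto tcp\n", "")
                .replace("duplicate-cn\n", "")
                .replace("tls-auth ta.key 1", "tls-auth ta.key 0"))


def demo():
    """Lint both configs against a temp dir of stand-in files; returns (weak, fixed) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for name in ("ca.crt", "server01.crt", "server01.key", "dh1024.pem"):
            (base / name).write_text("constructed stand-in, not real PEM data\n")
        # constructed, syntactically valid static key: 16 lines of 32 hex digits = 2048 bits
        (base / "ta.key").write_text(
            KEY_BEGIN + "\n" + ("0123456789abcdef" * 2 + "\n") * 16 + KEY_END + "\n")
        return lint_server_config(WEAK_CONFIG, base), lint_server_config(FIXED_CONFIG, base)


if __name__ == "__main__":
    weak, fixed = demo()
    print("weak config:", *weak, sep="\n  ")
    print("fixed config:", fixed or "no findings")
```

Run it against a real server.ovpn by passing the file's text and its config directory to lint_server_config; the stand-in certificate files in demo() only satisfy the existence check, so a real deployment should additionally verify the certificate chain with the openssl tool that ships with OpenVPN.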