OpenVPN Virtual Private Network Installation and Deployment (OpenVPN 虚拟网安装与部署.docx)
OpenVPN Virtual Private Network Installation and Deployment
1. Introduction
A virtual private network (VPN) is a secure network connection established across a public network. It differs from an ordinary network connection in that it uses a dedicated tunnelling protocol that provides data encryption, integrity checking and user authentication, so that information in transit cannot be read, tampered with or copied. From the point of view of connection security it is as if a leased line had been set up across the public network, except that this line is logical rather than physical, hence the name virtual private network.
Figure 1 shows the structure of a VPN system: a VPN server, VPN clients and the tunnel between them.
Because transmission over the Internet is far cheaper than a leased line, VPNs make it possible for an enterprise to transmit private, confidential information over the Internet both securely and economically.
2. Configuring a VPN with OpenVPN on Windows
OpenVPN is an open-source, third-party VPN configuration tool that can be used to build a VPN application gateway on existing equipment.
The installation and configuration steps are as follows:
1. Download and install OpenVPN:
Download it from the official site (at the time of writing the latest official version is 2.1.1).
Double-click openvpn-2.1.1-install.exe and proceed as follows:
(Note: select all components.)
After installation the easy-rsa folder is under C:\Program Files\OpenVPN\, and a new Local Area Connection appears in the tray at the bottom right of the OpenVPN server's desktop; rename it to OpenVPN.
(If no new connection appears after the software is installed, double-click addtap.bat in C:\Program Files\OpenVPN\bin to add one manually.)
2. Initial configuration:
(1) Edit vars.bat.sample in the easy-rsa directory (preferably with WordPad, since opening it in Notepad can corrupt the file format) and rename it vars.bat, as follows:
set KEY_COUNTRY=CN
set KEY_PROVINCE=BJ
set KEY_CITY=BeiJing
set KEY_ORG=cdtsm
set KEY_EMAIL=sunzhouyi@
(2) Rename f.sample under easy-rsa to f.
Then open a command prompt (Start - Run - type cmd):
C:\Documents and Settings\ThinkPad>cd "\Program Files\OpenVPN\easy-rsa"
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>clean-all
系统找不到指定的文件。
已复制1个文件。
已复制1个文件。
3. Generate the root CA:
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-ca
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...............................++++++
.......++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:BJ
Locality Name (eg, city) [SanFrancisco]:BeiJing
Organization Name (eg, company) [OpenVPN]:cdtsm
Organizational Unit Name (eg, section) []:cdtsm
Common Name (eg, your name or your server's hostname) []:cdtsm      # server name
Email Address [mail@host.domain]:sunzhouyi@
4. Generate dh1024.pem, a file the server must have in order to use TLS.
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-dh
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................................................+..........
............................................+...............................+...
................+.....+.................+.......................+...............
...........+.............................................+......................
....................+...........................................+...............
...........................+....................................................
.+...................................++*++*++*
5. Now generate the server certificate, the client certificate and the TA key (ta.key):
(1) First the certificate the server uses:
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-key-server CdtsmServer      # server name
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......++++++
............++++++
writing new private key to 'keys\CdtsmServer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:BJ
Locality Name (eg, city) [SanFrancisco]:BeiJing
Organization Name (eg, company) [OpenVPN]:cdtsm
Organizational Unit Name (eg, section) []:cdtsm
Common Name (eg, your name or your server's hostname) []:cdtsm      # server name
Email Address [mail@host.domain]:sunzhouyi@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:cdtsm
Using configuration from f
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'cdtsm'
organizationalUnitName:PRINTABLE:'cdtsm'
commonName            :PRINTABLE:'cdtsm'
emailAddress          :IA5STRING:'sunzhouyi@'
Certificate is to be certified until Jul 25 04:11:08 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This completes the certificate used by the server.
(2) Next generate the client certificate:
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-key CdtsmClient      # client name
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
......++++++
.............................++++++
writing new private key to 'keys\CdtsmClient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:BJ
Locality Name (eg, city) [SanFrancisco]:BeiJing
Organization Name (eg, company) [OpenVPN]:cdtsm
Organizational Unit Name (eg, section) []:cdtsm
Common Name (eg, your name or your server's hostname) []:CdtsmClient      # client name
Email Address [mail@host.domain]:sunzhouyi@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:cdtsm
Using configuration from f
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'cdtsm'
organizationalUnitName:PRINTABLE:'cdtsm'
commonName            :PRINTABLE:'CdtsmClient'
emailAddress          :IA5STRING:'sunzhouyi@'
Certificate is to be certified until Jul 25 04:13:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
This completes the client certificate used by the client.
(3) Finally generate the ta.key file:
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.key
At this point the certificates and key files needed by the root CA, the client and the server are all ready; what remains is to write the server and client configuration files.
6. Server and client configuration:
(1) The server configuration file lives in the C:\Program Files\OpenVPN\sample-config folder; an example server.ovpn follows:
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
# Declares the port to use; the default is 1194
port 1194

# TCP or UDP server?
# Declares the protocol; UDP is the default. If an HTTP proxy is used, TCP is required.
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
# Declares the device, tap or tun. tap is a layer-2 device and carries link-layer protocols;
# tun is an IP-layer point-to-point device with somewhat more restrictions. I usually use a TAP device.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
# The root CA used by OpenVPN, generated with build-ca; used to check whether a client's certificate is valid
ca ca.crt
# The certificate file used by the server (server name)
cert CdtsmServer.crt      # server name
# The key belonging to the server certificate; watch the file permissions so it cannot be stolen
key CdtsmServer.key  # This file should be kept secret      # server name

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 192.168.100.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients ca
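As an added example (my own code, not part of the document or of OpenVPN), the following Python linter reads a server.ovpn like the one above. It tokenizes directives the way OpenVPN does, including leading ";" comments and trailing "#" comments such as the one on the key line, works out what the server directive hands out for a tap versus a tun device, and flags the settings in this fragment that a current deployment would change: the 1024-bit DH parameters, the ta.key generated in step 5 but not referenced by any tls-auth line, and the BF-CBC cipher that OpenVPN 2.1 uses when no cipher directive is given. The two configs embedded in the code are constructed samples: one carries the live directives of the fragment above, the other is a hardened variant I wrote, not a file from the document.

```python
"""Added example, not part of the original document: a small linter for an
OpenVPN 2.1 style server.ovpn. The two configs below are constructed samples
(one mirrors the directives shown in the document, one is a hardened variant);
the checks and their wording are mine, not OpenVPN's."""
import ipaddress
import re

# Constructed: the live directives from the document's server.ovpn, comments stripped.
DOC_SERVER_OVPN = """\
port 1194
;proto tcp
proto udp
dev tap
;dev tun
ca ca.crt
cert CdtsmServer.crt
key CdtsmServer.key  # This file should be kept secret
dh dh1024.pem
server 192.168.100.0 255.255.255.0
"""

# Constructed: the same server with the ta.key from step 5 in use and stronger parameters.
HARDENED_SERVER_OVPN = """\
port 1194
proto udp
dev tun
ca ca.crt
cert CdtsmServer.crt
key CdtsmServer.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 192.168.100.0 255.255.255.0
"""


def tokens(line: str) -> list[str]:
    """Split one config line the way OpenVPN does: whitespace separated, double
    quotes group a token, and an unquoted token starting with # or ; begins a
    comment, so a trailing comment after an option is dropped."""
    parts, buf, in_quote, was_quoted = [], "", False, False
    for ch in line:
        if ch == '"':
            in_quote, was_quoted = not in_quote, True
        elif ch.isspace() and not in_quote:
            if buf or was_quoted:
                parts.append((buf, was_quoted))
                buf, was_quoted = "", False
        else:
            buf += ch
    if buf or was_quoted:
        parts.append((buf, was_quoted))
    result = []
    for text, quoted in parts:
        if not quoted and text[:1] in ("#", ";"):
            break
        result.append(text)
    return result


def parse(text: str) -> list[tuple[str, list[str]]]:
    """(directive, arguments) pairs in file order; inline <ca>...</ca> blocks are not handled."""
    entries = []
    for raw in text.splitlines():
        t = tokens(raw)
        if t:
            entries.append((t[0], t[1:]))
    return entries


def address_plan(cfg: list[tuple[str, list[str]]]) -> dict:
    """What the 'server' directive hands out: the server's own address and how
    many clients fit. With dev tun and the 2.1 default 'topology net30' each
    client consumes a /30; with tap (or topology subnet) each takes one address."""
    have = dict(cfg)
    net = ipaddress.ip_network(f"{have['server'][0]}/{have['server'][1]}", strict=True)
    dev = have.get("dev", ["tun"])[0]
    topology = have.get("topology", ["net30"])[0]
    if dev.startswith("tun") and topology == "net30":
        capacity = net.num_addresses // 4 - 1      # the first /30 belongs to the server
    else:
        capacity = net.num_addresses - 3           # minus network, broadcast and server
    return {"server_ip": str(net.network_address + 1), "client_capacity": capacity}


def lint(text: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means nothing to report."""
    cfg = parse(text)
    have = dict(cfg)                  # last occurrence wins, as in OpenVPN
    findings = []
    for needed in ("ca", "cert", "key", "dh", "server"):
        if needed not in have:
            findings.append(("missing-" + needed, f"no '{needed}' directive"))
    bits = re.search(r"(\d{3,4})", have["dh"][0]) if "dh" in have else None
    if bits and int(bits.group(1)) < 2048:
        findings.append(("weak-dh", f"{have['dh'][0]} looks like {bits.group(1)}-bit DH "
                         "parameters (judged by the file name); regenerate with 2048 bits or more"))
    if "tls-auth" not in have and "tls-crypt" not in have:
        findings.append(("no-tls-auth", "ta.key from 'openvpn --genkey' is not used; add "
                         "'tls-auth ta.key 0' here and 'tls-auth ta.key 1' on clients so that "
                         "packets without the shared HMAC are dropped before the TLS handshake"))
    if "cipher" not in have:
        findings.append(("default-cipher", "no 'cipher' directive: OpenVPN 2.1 falls back to "
                         "BF-CBC (64-bit block); set 'cipher AES-256-CBC' on server and clients"))
    if "server" in have:
        try:
            address_plan(cfg)
        except ValueError as e:
            findings.append(("bad-server-subnet", f"server {' '.join(have['server'])}: {e}"))
    return findings


if __name__ == "__main__":
    for name, text in (("document", DOC_SERVER_OVPN), ("hardened", HARDENED_SERVER_OVPN)):
        print(name, address_plan(parse(text)))
        for code, why in lint(text):
            print(f"  [{code}] {why}")
```

On the document's fragment the linter reports weak-dh, no-tls-auth and default-cipher and computes 192.168.100.1 as the server address with room for 253 tap clients; the hardened variant reports nothing, and because it uses dev tun with the default net30 topology the same /24 holds only 63 clients, which is worth knowing before the subnet is chosen.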