windows 下VPN的搭建.docx
《windows 下VPN的搭建.docx》由会员分享,可在线阅读,更多相关《windows 下VPN的搭建.docx(14页珍藏版)》请在冰豆网上搜索。
windows下VPN的搭建
windows下VPN的搭建
一、环境准备:
1.操作系统Windows
2.服务器IP:
192.168.88.123 VPN:
192.168.89.1
3.客户端IP:
192.168.78.3
4.客户端服务端单网卡,路由器做好端口映射
5.安装包附件下载
二、服务端安装部署:
1.打开安装包进行安装,客户端跟服务器安装方式一样,都需要安装
1.接受下一步
2.下面两个选项默认不勾选,我们需要勾选不然安装完无法命令行制作证书操作
3.选择安装目录
4.安装完成,有些需要系统重启
5.安装完成后系统会多出一张网卡TAP的“本地连接2
6.要想客户端能够通过服务端上网需要调整服务端本地网卡共享
三、服务端配置-生成相关证书配置:
命令程序说明:
●init-config# init-config 会把 vars.bat.sample 复制为 var.bat
●vars# vars.bat 用来设置一些变量,主要就是配置文件中修改的那部分
●clean-all# 会清掉 C:
\Program File\OpenVPN\easy-rsa\keys 目录,再把 index.txt 和 serial 文件放进来。
●build-ca# 生成根证书
●build-dh.bat# 生成 dh1024.pem 文件,Server 使用 TLS(OpenSSL) 必须要有的文件
●build-key-server server # 生成服务端密钥和证书# server01 是自己定义的参数名,与上相应的就会生成 server01.key、server01.csr 和 server01.crt,也都是在 keys 目录里。
注意事项:
# 这一步像 build-dh.bat 一样有些东西要填写,之后就是该回答 y 的 y 一下,关键就一个:
# Common Name 必须填,且不能与执行 build-dh 时相同,否则会报:
# failed to update database
# TXT_DB error number 2
# 找不到 C:
\Program File\OpenVPN\easy-rsa\keys\*.old
# 三个文件 server01.key、server01.csr 和 server01.crt 也会生成,但文server01.crt 的大小是 0 字节无效的就要重新再来,看到 Data Base Updated 才行。
# 要生成多个服务端的密钥和证书则继续 build-key-server server02 ......
●build-keyclient #客户端生成密钥和证书
注意事项:
# build-ca和build-key-server一样要输入一堆东西,这里注意的是 Common Name 不能与执行 build-key-server 时输入的一样与 build-ca 的 Common Name 一样我试过没什么关系,否则也是报:
# failed to update database
# TXT_DB error number 2
# 找不到 C:
\Program Files\OpenVPN\easy-rsa\keys\*.old
# 每一个登陆的VPN客户端需要有一个证书,每个证书在同一时刻只能供一个客户端连接。
要生成其他的客户端密钥和证书,可以继续 build-key client02 ......
#生成ta.key文件(防DDos攻击、UDP淹没等恶意攻击)
openvpn--genkey--secretkeys/ta.key
..\bin\openvpn --genkey --secret keys\ta.key
修改文件vars.bat.sample在C:
\ProgramFiles\OpenVPN\easy-rsa目录下用写字板打开根据需求修改相关配置信息
set KEY_COUNTRY=CN
set KEY_PROVINCE=FuJian
set KEY_CITY=FuZhou
set KEY_ORG=FYLUO
set KEY_EMAIL=eagle@
set KEY_CN=Eagle
set KEY_NAME=Eagle
set KEY_OU=Eagle
set PKCS11_MODULE_PATH=Eagle
set PKCS11_PIN=1234
以下进去命令行操作
C:
\Program Files\OpenVPN\easy-rsa>init-config.bat
C:
\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
已复制 1 个文件。
C:
\Program Files\OpenVPN\easy-rsa>vars.bat
C:
\Program Files\OpenVPN\easy-rsa>clean-all.bat
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。
C:
\Program Files\OpenVPN\easy-rsa>build-ca.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....................++++++
...........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:
CA
Name [Eagle]:
Email Address [eagle@]:
C:
\Program Files\OpenVPN\easy-rsa>
C:
\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................................................................
C:
\Program Files\OpenVPN\easy-rsa>build-key-server.bat server
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..................................................++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:
server
Name [Eagle]:
Email Address [eagle@]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
201888
An optional company name []:
Using configuration from openssl-f
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :
PRINTABLE:
'CN'
stateOrProvinceName :
PRINTABLE:
'FuJian'
localityName :
PRINTABLE:
'FuZhou'
organizationName :
PRINTABLE:
'FYLUO'
organizationalUnitName:
PRINTABLE:
'Eagle'
commonName :
PRINTABLE:
'server'
name :
PRINTABLE:
'Eagle'
emailAddress :
IA5STRING:
'eagle@'
Certificate is to be certified until Jun 2 12:
35:
53 2028 GMT (3650 days)
Sign the certificate?
[y/n]:
y
1 out of 1 certificate requests certified, commit?
[y/n]y
Write out database with 1 new entries
Data Base Updated
C:
\Program Files\OpenVPN\easy-rsa>
C:
\Program Files\OpenVPN\easy-rsa>build-key.bat client
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:
cli
Name [Eagle]:
Email Address [eagle@]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
201888
An optional company name []:
Using configuration from openssl-f
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :
PRINTABLE:
'CN'
stateOrProvinceName :
PRINTABLE:
'FuJian'
localityName :
PRINTABLE:
'FuZhou'
organizationName :
PRINTABLE:
'FYLUO'
organizationalUnitName:
PRINTABLE:
'Eagle'
commonName :
PRINTABLE:
'cli'
name :
PRINTABLE:
'Eagle'
emailAddress :
IA5STRING:
'eagle@'
Certificate is to be certified until Jun 2 12:
36:
27 2028 GMT (3650 days)
Sign the certificate?
[y/n]:
y
1 out of 1 certificate requests certified, commit?
[y/n]y
Write out database with 1 new entries
Data Base Updated
C:
\Program Files\OpenVPN\easy-rsa>
生成后文件夹下产生如下文件:
创建服务端配置文件
把配置文件server.ovpn放到C:
\ProgramFiles\OpenVPN\config目录下。
把C:
\ProgramFiles\OpenVPN\easy-rsa\keys目录下的ca.crt、ca.key、server.crt、server.csr、server.key、dh1024.pem、ta.key复制到C:
\ProgramFiles\OpenVPN\config目录下。
server.ovpn文件内容如下:
port 8080
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 192.168.89.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 218.85.157.99"
push "dhcp-option DNS 223.5.5.5"
push "route 192.168.88.0 255.255.255.0"
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret,服务器中配置此项,则客户端要相应配置tls-authta.key1
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
配置文件如下:
修改注册表:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters将IPEnableRouter改为1
关闭防火墙或将8080端口加入到防火墙允许通过的端口中去
启动服务端
四、客户端配置:
创建客户端配置文件:
把配置文件client.ovpn放到客户端机器的C:
\ProgramFiles\OpenVPN\config目录下,并且把服务器C:
\ProgramFiles\OpenVPN\easy-rsa\keys目录下的client01.crt、client01.csr、client01.key、ca.key、ca.crt、ta.key 文件一起复制到客户端C:
\ProgramFiles\OpenVPN\config目录下(以上文件为服务端生成,客户端需要在服务端拷贝这7个文件过来)
client.ovpn配置文件如下:
client
dev tun
proto tcp
remote 服务端IP 1194
;remote my-server-2 8080
resolv-retry infinite
nobind
user nobody
group nobody
;route 192.168.0.0 255.255.252.0
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1#对应服务器端的tls-authta.key0,如果没有则会报错:
TLSError:
readingacknowledgementrecordfrompacket客户端不断重启
comp-lzo
# Set log file verbosity.
verb 4
配置文件如下:
客户端连接后如下:
查看客户端获取的IP
查看客户端获取路由表
五、网络联通性测试
以下测试客户端到服务端的内网网络测试
以下是拨号前客户端电脑的出口IP
客户端电脑拨号后的出口IP已经变成了服务端的出口IP