1. Set the organization and e-mail values in vars.bat under easy-rsa:

    set KEY_ORG=cdtsm
    set KEY_EMAIL=sunzhouyi

   While editing vars.bat, also check KEY_SIZE: this easy-rsa defaults to 1024-bit RSA, which is below today's minimum, so set KEY_SIZE=2048 (or larger) before running vars; build-ca, build-key-server, build-key and build-dh all read it.

   (2) Rename f.sample under easy-rsa to f; this is the OpenSSL configuration the build-* scripts use. Then open a command prompt (Start - Run - cmd):

    C:\Documents and Settings\ThinkPad>cd "\Program Files\OpenVPN\easy-rsa"
    C:\Program Files\OpenVPN\easy-rsa>vars
    C:\Program Files\OpenVPN\easy-rsa>clean-all
    The system cannot find the file specified.
            1 file(s) copied.

   vars only sets variables in the current console, so every later step must be typed into this same window. clean-all wipes the keys directory and writes a fresh index; the two messages are its normal output on a first run. Do not run it again later, or the CA and every certificate it issued are gone.

3. Generate the root CA:

    C:\Program Files\OpenVPN\easy-rsa>build-ca
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .+++
    writing new private key to 'keys\ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:CN
    State or Province Name (full name) [CA]:BJ
    Locality Name (eg, city) [SanFrancisco]:BeiJing
    Organization Name (eg, company) [OpenVPN]:cdtsm
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:cdtsm     <- server name
    Email Address [mail@host.domain]:sunzhouyi

   keys\ca.key is the CA private key. It signs every server and client certificate, so it is the one file that must never be copied to a client, and ideally does not live on the VPN server at all.

4. Generate dh1024.pem, which the server needs for TLS:

    C:\Program Files\OpenVPN\easy-rsa>build-dh
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    ....+.......+....+*++*++*++*

   With KEY_SIZE=2048 the script writes dh2048.pem instead, and the dh line in server.ovpn (step 6) must name that file.

5. Now generate the server certificate, the client certificate and the ta.key.

   (1) Server certificate:

    C:\Program Files\OpenVPN\easy-rsa>build-key-server CdtsmServer     <- server name
    Generating a 1024 bit RSA private key
    .+++
    writing new private key to 'keys\CdtsmServer.key'
    (the same DN prompts as in step 3 follow; enter the server name, CdtsmServer,
    as the Common Name)
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:
    Using configuration from f
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :PRINTABLE:'BJ'
    localityName          :PRINTABLE:'BeiJing'
    organizationName      :PRINTABLE:'cdtsm'
    organizationalUnitName:
    commonName            :
    emailAddress          :IA5STRING:'sunzhouyi'
    Certificate is to be certified until Jul 25 04:11:08 2020 GMT (3650 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

   This completes the server certificate. Two things to watch: the "challenge password" is only an attribute embedded in the request and does not protect the private key (build-key-server writes keys\CdtsmServer.key unencrypted), so leave it blank rather than typing something like 123456; and the server and every client must each get a different Common Name, because OpenVPN identifies clients by it.

   (2) Client certificate:

    C:\Program FilesOpenVPN\easy-rsa>build-key CdtsmClient     <- client name
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .+++
    writing new private key to 'keys\CdtsmClient.key'
    (same prompts as above; enter CdtsmClient as the Common Name; the certificate
    is again signed for 3650 days)

   This completes the client certificate. Repeat build-key with a different name for each additional client; do not share one client certificate between machines.

   (3) Finally generate ta.key:

    C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys\ta.key

   ta.key is a shared HMAC secret: it only takes effect once server.ovpn and every client config reference it with tls-auth, and it must be copied to each client together with ca.crt and the client's own cert and key.

   With that, the root CA, the server files and the client files are all in place. What remains is to configure the server and the clients.

6. Server and client configuration:

   (1) The server configuration is based on server.ovpn in C:\Program Files\OpenVPN\sample-config. Example contents:

    # Which local IP address should OpenVPN
    # listen on? (optional)
    ;local a.b.c.d

    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one. You will need to
    # open up this port on your firewall.
    # Port to listen on; the default is 1194.
    port 1194

    # TCP or UDP server?
    # UDP is the default; TCP is required if clients
    # connect through an HTTP proxy. Only one proto
    # line may be active (';' comments the other out).
    ;proto tcp
    proto udp

    # "dev tun" will create a routed IP tunnel,
    # "dev tap" will create an ethernet tunnel.
    # Use "dev tap0" if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use "dev-node" for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    # The device is either tap or tun: tap is a
    # layer-2 device that carries link-layer protocols,
    # tun is a layer-3 point-to-point device with a
    # few more restrictions. I habitually use TAP.
    # Only one dev line may be active; move the ';'
    # to pick the other one.
    ;dev tap
    dev tun

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel if you
    # have more than one. On XP SP2 or higher,
    # you may need to selectively disable the
    # Windows firewall for the TAP adapter.
    # Non-Windows systems usually don't need this.
    # Uncomment and set to the adapter's real name
    # only if you have more than one TAP adapter.
    ;dev-node MyTap

    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key). Each client
    # and the server must have their own cert and
    # key file. The server and all clients will
    # use the same ca file.
    # See the easy-rsa directory for a series
    # of scripts for generating RSA certificates
    # and private keys. Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS #12 formatted key file
    # (see "pkcs12" directive in man page).
    # The root CA produced by build-ca; the server uses it
    # to decide whether a client's certificate is valid.
    ca ca.crt
    # The server's certificate (server name).
    cert CdtsmServer.crt
    # The private key matching the server certificate. Restrict
    # the file's permissions so it cannot be copied off the box.
    key CdtsmServer.key  # This file should be kept secret

    # Diffie hellman parameters.
    # Generate your own with:
    #   openssl dhparam -out dh1024.pem 1024
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys. 1024-bit DH is too weak today:
    # use at least 2048 and name the file accordingly.
    dh dh1024.pem

    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take 192.168.100.1 for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on 192.168.100.1. Comment this line out if you are
    # ethernet bridging. See the man page for more info.
    server 192.168.100.0 255.255.255.0

    # Maintain a record of client virtual IP address
    # associations in this file. If OpenVPN goes down or
    # is restarted, reconnecting clients ca
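The server.ovpn above is easy to get subtly wrong: an extra active proto or dev line silently overrides the one you meant, the 1024-bit dh file is weak, the freshly generated ta.key does nothing until a tls-auth line references it, and the "keep it secret" comment on the key file is only a comment. The following checker is an added example for this walkthrough, not code from the page or from the OpenVPN and easy-rsa projects. It parses the config the way OpenVPN treats comments, flags those four problems, and optionally verifies that every referenced file exists and that secret files are not group- or world-readable. The embedded configs are constructed: the first mirrors the page's server.ovpn, the second is an assumed corrected version (dh2048.pem and the tls-auth line are not shown on the page).

```python
"""Sanity-check an OpenVPN server.ovpn before it goes live. Added example for
this walkthrough, not code from the page or the OpenVPN/easy-rsa projects."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample mirroring the server.ovpn above, with the traps a
# practitioner should catch: two active proto lines, two active dev lines,
# a 1024-bit DH file, and no tls-auth line although ta.key was generated.
SAMPLE_SERVER_OVPN = """\
port 1194
proto tcp
proto udp
dev tap
dev tun
ca ca.crt
cert CdtsmServer.crt
key CdtsmServer.key  # This file should be kept secret
dh dh1024.pem
server 192.168.100.0 255.255.255.0
"""

# Assumed corrected config; dh2048.pem and tls-auth are not shown on the page.
FIXED_SERVER_OVPN = """\
port 1194
proto udp
dev tun
ca ca.crt
cert CdtsmServer.crt
key CdtsmServer.key
dh dh2048.pem
tls-auth ta.key 0
server 192.168.100.0 255.255.255.0
"""

SINGLETON = ("proto", "dev", "server", "dh", "port")  # one active line each
FILE_REFS = ("ca", "cert", "key", "dh", "tls-auth", "tls-crypt")
SECRETS = ("key", "tls-auth", "tls-crypt")  # must not be group/world-readable
MIN_DH_BITS = 2048


def parse_ovpn(text):
    """Yield (directive, args) per active line; '#' and ';' start comments."""
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def lint(text, base_dir=None):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings, seen = [], {}
    for name, args in parse_ovpn(text):
        seen.setdefault(name, []).append(args)
    for name in SINGLETON:
        if len(seen.get(name, [])) > 1:
            findings.append(f"{name}: {len(seen[name])} active lines, only the "
                            "last one takes effect; comment the rest out with ';'")
    for args in filter(None, seen.get("dh", [])):
        # Bit length inferred from the file name (dh1024.pem), as easy-rsa names it.
        m = re.search(r"(\d{3,5})", args[0])
        if m and int(m.group(1)) < MIN_DH_BITS:
            findings.append(f"dh: {args[0]} looks like {m.group(1)}-bit DH; "
                            f"regenerate with at least {MIN_DH_BITS} bits")
    if not (seen.get("tls-auth") or seen.get("tls-crypt")):
        findings.append("no tls-auth/tls-crypt line: the ta.key from "
                        "'openvpn --genkey --secret' is not being used")
    if base_dir is not None:
        for name in FILE_REFS:
            for args in filter(None, seen.get(name, [])):
                path = Path(base_dir, args[0])
                if not path.is_file():
                    findings.append(f"{name}: {args[0]} not found under {base_dir}")
                elif name in SECRETS and os.name == "posix":
                    mode = stat.S_IMODE(path.stat().st_mode)
                    if mode & 0o077:  # group or other can read the secret
                        findings.append(f"{name}: {args[0]} is mode {mode:04o}, "
                                        "readable by others; chmod 600 it")
    return findings


def permission_demo():
    """Stage placeholder files, lint with the server key world-readable, then
    again after tightening it; returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("ca.crt", "CdtsmServer.crt", "CdtsmServer.key",
                      "dh2048.pem", "ta.key"):
            Path(d, fname).write_text("placeholder, not real key material\n")
            os.chmod(Path(d, fname), 0o600)
        os.chmod(Path(d, "CdtsmServer.key"), 0o644)
        before = lint(FIXED_SERVER_OVPN, d)
        os.chmod(Path(d, "CdtsmServer.key"), 0o600)
        after = lint(FIXED_SERVER_OVPN, d)
    return before, after


if __name__ == "__main__":
    print(*lint(SAMPLE_SERVER_OVPN), *permission_demo(), sep="\n")
```

Run it against the real file with lint(Path("server.ovpn").read_text(), r"C:\Program Files\OpenVPN\config"). The permission check only applies on POSIX hosts; on the Windows server in this walkthrough, verify the NTFS ACL on CdtsmServer.key and ta.key by hand (icacls) so that only the account running the OpenVPN service can read them.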