OpenVPN 虚拟网安装与部署Word文件下载.docx

1、set KEY_ORG=cdtsmset KEY_EMAIL=sunzhouyi（2）把easy-rsa下的f.sample改成f。然后打开命令行（开始-运行-输入cmd）C:Documents and SettingsThinkPadcd Program FilesOpenVPNeasy-rsaProgram FilesOpenVPNeasy-rsavarsclean-all系统找不到指定的文件。已复制 1 个文件。3.生成根CA：（1）C:build-caLoading screen into random state - doneGenerating a 1024 bit RSA pri

2、vate key.+.+writing new private key to keysca.Key-You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields

3、there will be a default value,If you enter ., the field will be left blank.Country Name （2 letter code） US:CNState or Province Name （full name） CA:BJLocality Name （eg, city） SanFrancisco:BeiJingOrganization Name （eg, company） OpenVPN:cdtsmOrganizational Unit Name （eg, section） :Common Name （eg, your

4、 name or your servers hostname） :cdtsm #服务器名Email Address mailhost.domain:sunzhouyi4.生成dh1024.pem文件，server使用TLS必须使用的一个文件。（一）C:build-dhGenerating DH parameters, 1024 bit long safe prime, generator 2This is going to take a long time.+.+.+.+.+.+.+.+.+.+.+.+.+.+*+*+*5.下面生成服务器端证书、客户端证书和TA证书： 首先生成server使用

5、的证书： （一）C:build-key-server CdtsmServer #服务器名.+keysCdtsmServer.keyPlease enter the following extra attributesto be sent with your certificate requestA challenge password :123456An optional company name :Using configuration from fCheck that the request matches the signatureSignature okThe Subjects Dis

6、tinguished Name is as followscountryName :PRINTABLE:CNstateOrProvinceName :BJlocalityName :BeiJingorganizationName :cdtsmorganizationalUnitName:commonName :emailAddress :IA5STRING:sunzhouyiCertificate is to be certified until Jul 25 04:11:08 2020 GMT （3650 days）Sign the certificate? y/n:y1 out of 1

7、certificate requests certified, commit? y/nyWrite out database with 1 new entriesData Base Updated到此server端使用的证书生成完毕。（2）生成可是为客户端生成client证书。 接下来生成客户端证书： C:build-key CdtsmClient #客户端名 Loading Generating a 1024 bit RSA private key.+.+keysCdtsmClient.keyCdtsmClient #客户端名CdtsmClient13:17 2020 GMT （3650 d

8、ays）到此客户端使用的client证书生成完毕。（3）下面生成ta.key文件 最后生成ta.Key文件openvpn -genkey -secret keys/ta.Key到此为止根ca、客户端、服务器端所需要的证书和密钥文件就已经全部准备就绪，接下来要做的是配置服务器端文件和客户端文件。6.服务端和客户端的配置：（一）服务器端的配置文件在C:Program FilesOpenVPNsample-config文件夹下：server.ovpn内容示例如下：# Which local IP address should OpenVPN# listen on? （optional）;local

9、a.b.c.d# Which TCP/UDP port should OpenVPN listen on?# If you want to run multiple OpenVPN instances# on the same machine, use a different port# number for each one. You will need to# open up this port on your firewall.#申明使用的端口，默认1194port 1194# TCP or UDP server?#申明使用的协议，默认使用UDP，如果使用HTTP proxy，必须使用T

10、CP协议proto tcpproto udp# dev tun will create a routed IP tunnel,dev tap will create an ethernet tunnel.# Use dev tap0 if you are ethernet bridging# and have precreated a tap0 virtual interface# and bridged it with your ethernet interface.# If you want to control access policies# over the VPN, you mus

11、t create firewall# rules for the the TUN/TAP interface.# On non-Windows systems, you can give# an explicit unit number, such as tun0.# On Windows, use dev-node for this.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the TUN/TAP interface.#申明使用的设

12、备可选tap和tun，tap是二层设备，支持链路层协议。#tun是ip层的点对点协议，限制稍微多一些，本人习惯使用TAP设备dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel if you# have more than one. On XP SP2 or higher,# you may need to selectively disable the# Windows firewall for the TAP adapter.# Non-Windows sys

13、tems usually dont need this.dev-node MyTap# SSL/TLS root certificate （ca）, certificate# （cert）, and private key （key）. Each client# and the server must have their own cert and# key file. The server and all clients will# use the same ca file.# See the easy-rsa directory for a series# of scripts for g

14、enerating RSA certificates# and private keys. Remember to use# a unique Common Name for the server# and each of the client certificates.# Any X509 key management system can be used.# OpenVPN can also use a PKCS #12 formatted key file# （see pkcs12 directive in man page）.#OpenVPN使用的ROOT CA，使用build-ca生

15、成的，用于验证客户是证书是否合法ca ca.Crt #Server使用的证书文件#服务器名cert CdtsmServer.Crt #服务器名#Server使用的证书对应的key，注意文件的权限，防止被盗key CdtsmServer.key # This file should be kept secret #服务器名# Diffie hellman parameters.# Generate your own with:# openssl dhparam -out dh1024.pem 1024# Substitute 2048 for 1024 if you are using# 204

16、8 bit keys. dh dh1024.pem# Configure server mode and supply a VPN subnet# for OpenVPN to draw client addresses from.# The server will take 10.8.0.1 for itself,# the rest will be made available to clients.# Each client will be able to reach the server# on 10.8.0.1. Comment this line out if you are# ethernet bridging. See the man page for more info.server 192.168.100.0 255.255.255.0# Maintain a record of client virtual IP address# associations in this file. If OpenVPN goes down or# is restarted, reconnecting clients ca