Windows 下使用 CA 验证的 OpenVPN 的配置方法
应N多网友的要求,决定开始写Windows下OpenVPN的安装手册了,其实Windows下比linux简单,
因为使用网站提供的安装包,很容易就把OpenVPN安装上了,只需配置就OK了。
本文描述如何在Windows下使用CA的OpenVPN Server的配置方法。
有疑问大家关注:
http://elm.freetcp.com
http://wenzk.cublog.cn
不废话了,下面开始吧:)
下载安装OpenVPN:
用Flashget或者其它任何方式下载OpenVPN的安装包,然后安装,记得选上easy-rsa这部分脚本,
用于管理CA的bat脚本。
http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe
安装完毕后,easy-rsa在C:\Program Files\OpenVPN\目录下。
下面开始配置:
把easy-rsa目录下的vars.bat.sample改名为vars.bat,并且修改其内容:
==================================
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=OpenVPN
set KEY_EMAIL=elm@elm.freetcp.com
==================================
其它部分就不用修改了,上面部分修改成你自己的配置。
把easy-rsa下的openssl.cnf.sample改成openssl.cnf。
然后进入cmd.exe
=============================================
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>cd "\Program Files\OpenVPN\easy-rsa"
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。
C:\Program Files\OpenVPN\easy-rsa>
生成Root CA
格式: build-ca.bat
输出: keys/ca.crt keys/ca.key
======================================================================
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
......++++++
.........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:OpenVPN RootCA
Email Address [elm@elm.freetcp.com]:
C:\Program Files\OpenVPN\easy-rsa>
生成dh1024.pem文件,Server使用TLS必须使用的一个文件。
格式: build-dh.bat
输出: keys/dh1024.pem
============================================================================
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................+...............+........+.................................
....................................+...........................+...............
........................................+.......................................
.........................................+...............+......................
................................................................................
.......................+..................................+.....................
..........................+.........................+...........+...............
.......+.........................+..............................................
........+....+..................................................................
................................................................................
...+....+.+...........................................+.........................
....................................................................+...........
.................+.....................................................+........
..............................................................+...+.............
.....+.........................+...........+....................................
................+......................+.....................................+..
....................................................................+.........+.
......+........................................................+................
...............................+..+.............................+...............
..............................................+.......................+.........
................................................................................
............................................................................+...
...................................+.............+..............................
.............................................................+.+........+.......
..............................................+.................................
...+............................................................................
............+..................................................+................
...........................+..........................................+........+
.........+.........+..........................................+................+
..+..........................................................................+..
.....+..+....................+.....................+............................
................................................................................
...........+.........+....+.........................+...........+.......+.+.....
.....................................................+................+.........
..........+.....................................................................
................+...............................................+..........+....
................................................................................
.................+.........................................+....................
..............................................................................+.
.......+.......................................................+..+.............
+................................+...+..........................+...............
..........................................................+..................+..
................................................................................
......................................................+.........................
....+.......................+.......................+...........................
..............+.................................................................
.......................................................+........................
..........................................................................+.....
......+..................................+......................................
...................................................+..................+.........
..............+.......................+.........................................
................................................................................
.....+....................+...........................+.........................
................................................................................
........................................................................++*++*++
*
C:\Program Files\OpenVPN\easy-rsa>
下面开始生成Server使用的证书了:
格式: build-key-server.bat
输出: keys/.crt .csr .key
================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
................++++++
.....++++++
writing new private key to 'keys\server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:Server01
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Liaoning'
localityName :PRINTABLE:'Shenyang'
organizationName :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName :PRINTABLE:'Server01'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
下面开始为client办法证书:
格式: build-key.bat
输出: keys/.crt keys/.csr keys/.key
===========================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
.....................................................++++++
...................................................++++++
writing new private key to 'keys\elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:ELM
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Liaoning'
localityName :PRINTABLE:'Shenyang'
organizationName :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName :PRINTABLE:'ELM'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
下面生成ta.key文件
格式: openvpn --genkey --secret keys/ta.key
输出: keys/ta.key
=========================================================================
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.key
C:\Program Files\OpenVPN\easy-rsa>
OK,那些keys就搞定了,下面开始写配置文件。
server01.ovpn内容:
----------------CUT Here-------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
--------------Cut Here-----------------
把配置文件放到C:\Program Files\OpenVPN\config\目录下。
把easy-rsa\keys\下的 ca.crt server01.crt server01.key ta.key dh1024.pem
复制到server01.ovpn所在目录。
Server的配置已经结束,可以启动Server了,在右下角OpenVPN-gui上点右键,然后选择connected。
需要服务器启动后自动运行,修改 "控制面板" 下面的 "管理工具" 下的 "服务" 把OpenVPN设置成自动启动。
Client的配置文件:
-------------Cut Here---------------------
client
dev tap
proto udp
remote 61.1.1.2 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
--------------Cut Here---------------------
并且把easy-rsa/keys下的ca.crt elm.crt elm.key ta.key一起放到Client的
\config目录下。
Client的配置已经结束,可以连接Server了,在右下角OpenVPN-gui上点右键,然后选择connected。
OK,整个配置就完成了。
需要为其它用户颁发证书,只需如下步骤:
进入cmd.exe
cd \easy-rsa
vars.bat
build-kye.bat
Client所需要的文件:
client.ovpn (需要修改部分配置)
ca.crt
.crt
.key (为 文件名,如: elm 等)
ta.key
我自己的client配置文件 client.ovpn
client
dev tun
proto tcp
remote 服务器ip 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
auth-user-pass
verb 4
将server01.crt server01.key 和 dh1024.pem(???不上传不知道行不)通过 ftp 上传道 ros
然后按 crt key pem 顺序导入
下面是几个关键的routeros设置图
1、这里是设置的关键,我用ip池总连接失败,只有指定本地和远端地址了,知道如何解决的请在评论解答下,谢谢!
2
3
4、最后设置open vpn server
连接后图标这样
最后就剩在客户端执行下静态路由命令
route add 内网ip段如 192.168.3.0 mask 255.255.255.0 vpn连接后的远端ip(如192.168.6.1)
如下格式:
route add 192.168.3.0 mask 255.255.255.0 192.168.6.10
不然只能ping通远端ip 不能访问远端内网的机器
openvpn windows版本软件我下载的是
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
相关推荐
在C/S模型中,Server需要认证Client的证书,而每一个Client持有独一无二的证书(比如一个设备的MAC地址),此时需要的证书是一个CA,一个Server证书和大量的Client的证书,如果一个一个的生成,效率速度都非常的慢,...
路由器怎么设置vpn连接.doc
D-Link,DI-7000,路由器vpn怎么设置.doc
网络系统管理赛项软件包(服务模块软件包、普通PC软件包、无线地勘系统等)
windows 2003环境SSL证书安装
启明星辰天清汉马防火墙,USG-FW-310DP管理证书,使用方法参考对应的操作手册,已另外上传
与原版open-build-master相比,我做了稍稍修改,已经包含Open虚拟专网2.5源代码和依赖项源代码,需要VS2019、ActivePerl、WDK10,可以直接按照我写的教程进行编译,100%可编译。
https证书,解决当前由http切换到https的限定,可以更新
一个基于DELPHI的远程屏幕传输(差异截图)
Book Description Angular 2 introduces an entirely new paradigm of applications. It wholly embraces all the newest concepts that are built into the next generation of browsers, and it cuts away all the...
H3CMSR系列路由器二层vpn接入功能典型配置案例归纳.pdf
路由器vpn怎样设置参考.doc
SM2数字证书,充分借鉴与吸收了X509数字证书的格式与优点,在考虑RSA算法的优缺点之后,推出的基于商密公钥算法的SM2证书规范,至此,商密算法的数字证书在商用密码应用安全性评估中成为了必须要检测的一个重要环节...
根据本人运维经验,结合openVPN社区相关案例,针对TAP-Windows-adapter安装失败“an error occured installing the TAP device driver”错误提示,提出五种解决方案
安装OpenVPN 保护OpenVPN 在局域网中安装Orthanc ? 先决条件 Ansible> 2.5 Ansible> 2.9(用于SSH-sec角色) 在客户端计算机和服务器计算机之间已正确配置SSH身份验证。 安装 克隆项目并安装角色: git clone...
非常详细的告诉你华为路由器的高级设置方法,是你在说明书上所看不到的。
华硕RT-16 梅林固件 378.50 这个版本后,不再更新N16的固件了,用这个型号的童鞋可以死心了
交叉编译器3.4.5,下载解压,按照交叉编译器安装过程安装。
win10mi版+Linux CentOS-7+苹果系统驱动加满的无敌合集
ARM9平台上的嵌入式Linux系统移植研究