I. Environment preparation:
- Operating system: Windows
- Client and server each have a single NIC; port mapping is configured on the router
- Installer package (attachment): openvpn-install-2.3.10-I601-x86_64.rar
1. Description of the easy-rsa scripts

init-config              # copies vars.bat.sample to vars.bat
vars                     # vars.bat sets a few variables, mainly the part of the configuration you modify
clean-all                # empties C:\Program Files\OpenVPN\easy-rsa\keys, then places index.txt and serial in it
build-ca                 # generates the root certificate
build-dh.bat             # generates dh1024.pem, which a server using TLS (OpenSSL) must have
build-key-server server  # generates the server key and certificate
  # as with build-dh.bat there are a few fields to fill in, then answer y where asked; the key point:
  # Common Name is mandatory and must not be the same as the one entered when running build-dh, otherwise you get:
  #   failed to update database
  #   TXT_DB error number 2
  #   cannot find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
  # the three files server01.key, server01.csr and server01.crt are still created, but server01.crt is 0 bytes
  # and invalid, so you have to start over; it has only succeeded once you see "Data Base Updated".
  # for additional server keys and certificates continue with build-key-server server02 ...
build-key client         # generates the client key and certificate
  # like build-ca and build-key-server this asks for a series of values; note that the Common Name must not
  # be the same as the one entered for build-key-server (using the same Common Name as build-ca caused no
  # problem in my testing), otherwise the same error appears:
  #   failed to update database
  #   TXT_DB error number 2
  #   cannot find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
  # for additional client keys and certificates continue with build-key client02 ...
..\bin\openvpn --genkey --secret keys\ta.key   # generates ta.key
  # this step is optional; ta.key is mainly used to defend against DoS, UDP flood and similar attacks.
  # the third argument, keys/ta.key, is the path (including file name) of the generated file.
2. Modify the configuration values in C:\Program Files\OpenVPN\easy-rsa\vars.bat as needed

set KEY_COUNTRY=CN
set KEY_PROVINCE=FuJian
set KEY_CITY=FuZhou
set KEY_ORG=FYLUO
set KEY_EMAIL=eagle@fyluo.com
set KEY_CN=Eagle
set KEY_NAME=Eagle
set KEY_OU=Eagle
set PKCS11_MODULE_PATH=Eagle
set PKCS11_PIN=1234
3. Command-line steps

C:\Program Files\OpenVPN\easy-rsa>vars.bat
C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
系統找不到指定的文件。
已復制 1 個文件。
已復制 1 個文件。
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat   # create the root certificate
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....................++++++
...........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:
Name [Eagle]:
Email Address [eagle@fyluo.com]:
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......+.....+.................................................................+
................................................................................
.........................+................................+.....................
................................................................................
.............................................................+..................
................................................................................
.................+.................................................++*++*++*
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server   # create the server certificate and private key
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
....++++++
..................................................++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:server   # must be the same name as above
Name [Eagle]:
Email Address [eagle@fyluo.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456   # set a password
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'FuJian'
localityName          :PRINTABLE:'FuZhou'
organizationName      :PRINTABLE:'FYLUO'
organizationalUnitName:PRINTABLE:'Eagle'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Eagle'
emailAddress          :IA5STRING:'eagle@fyluo.com'
Certificate is to be certified until Jun 2 12:35:53 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>build-key.bat client   # create the client certificate and private key; for several clients repeat this command as client1, client2 ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
..............................................++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:
Name [Eagle]:
Email Address [eagle@fyluo.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456   # set a password
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'FuJian'
localityName          :PRINTABLE:'FuZhou'
organizationName      :PRINTABLE:'FYLUO'
organizationalUnitName:PRINTABLE:'Eagle'
commonName            :PRINTABLE:'cli'
name                  :PRINTABLE:'Eagle'
emailAddress          :IA5STRING:'eagle@fyluo.com'
Certificate is to be certified until Jun 2 12:36:27 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>
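A pre-check for the signing steps above, added here as an example (it is not part of the original post or of easy-rsa): it parses keys\index.txt, the OpenSSL CA database that "TXT_DB error number 2" comes from, and reports which Common Names can no longer be signed. The index.txt rows, including the revoked client02 entry, are constructed from the DN values in vars.bat above.

```python
# Added example, not from the original post: pre-check easy-rsa's keys\index.txt before
# build-key-server / build-key. OpenSSL's "ca" database refuses to sign a subject that is
# already listed as valid (unique_subject), which is the "failed to update database /
# TXT_DB error number 2" failure described above. Sample rows are constructed from the
# DN values on this page.
from datetime import datetime, timezone

INDEX_TXT = (
    "V\t280602123553Z\t\t01\tunknown\t/C=CN/ST=FuJian/L=FuZhou/O=FYLUO/OU=Eagle"
    "/CN=server/name=Eagle/emailAddress=eagle@fyluo.com\n"
    "V\t280602123627Z\t\t02\tunknown\t/C=CN/ST=FuJian/L=FuZhou/O=FYLUO/OU=Eagle"
    "/CN=client/name=Eagle/emailAddress=eagle@fyluo.com\n"
    # a revoked entry (status R, revocation time in the third column); constructed
    "R\t280602123700Z\t190601120000Z\t03\tunknown\t/C=CN/ST=FuJian/L=FuZhou/O=FYLUO/OU=Eagle"
    "/CN=client02/name=Eagle/emailAddress=eagle@fyluo.com\n"
)
# fields that vars.bat fixes for every certificate on this page; only the CN changes per run
VARS = {"C": "CN", "ST": "FuJian", "L": "FuZhou", "O": "FYLUO", "OU": "Eagle",
        "name": "Eagle", "emailAddress": "eagle@fyluo.com"}

def parse_index(text):
    """Rows of index.txt: status (V/R/E), expiry, revocation date, serial, file, subject DN."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _fname, subject = line.split("\t")
        rows.append({"status": status, "serial": serial, "subject": subject,
                     "revoked": revoked or None,
                     "expiry": datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)})
    return rows

def subject_for(cn, vars_=VARS):
    """The DN that build-key submits for a given Common Name with the vars.bat values above."""
    fixed = "".join(f"/{k}={vars_[k]}" for k in ("C", "ST", "L", "O", "OU"))
    return f"{fixed}/CN={cn}/name={vars_['name']}/emailAddress={vars_['emailAddress']}"

def valid_subjects(text):
    """Subjects OpenSSL indexes for the uniqueness check: only status-V rows, so a
    revoked (R) or expired (E) entry does not block re-issuing the same CN."""
    return {r["subject"] for r in parse_index(text) if r["status"] == "V"}

def blocked_cns(text):
    """Common Names that would currently trigger TXT_DB error number 2."""
    return {s.split("/CN=")[1].split("/")[0] for s in valid_subjects(text)}

def can_sign(text, cn):
    """True if build-key <cn> (or build-key-server <cn>) would succeed against this index.txt."""
    return subject_for(cn) not in valid_subjects(text)
```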
4. Server configuration

Place the server.ovpn configuration file in C:\Program Files\OpenVPN\config, and copy ca.crt, ca.key, server01.crt, server01.csr, server01.key and dh2048.pem from C:\Program Files\OpenVPN\easy-rsa\keys into C:\Program Files\OpenVPN\config.

The content of server.ovpn is as follows; adjust it as needed.
port 8080                                  # listening port
proto tcp                                  # protocol; UDP can also be used
dev tun
ca ca.crt                                  # the file name must match the generated server-side file
cert server.crt                            # the file name must match the generated server-side file
key server.key                             # the file name must match the generated server-side file
;crl-verify vpncrl.pem
dh dh1024.pem                              # the file name must match the generated server-side file
server 192.168.89.0 255.255.255.0          # virtual LAN subnet; change as needed
ifconfig-pool-persist ipp.txt              # when OpenVPN restarts, reconnecting clients get the same IP address as before
push "redirect-gateway def1 bypass-dhcp"   # send all client traffic through the VPN; optional: if commented out, local traffic still leaves via the local gateway and is not forced through the VPN
push "dhcp-option DNS 218.85.157.99"       # primary DNS for clients
push "dhcp-option DNS 223.5.5.5"           # secondary DNS for clients
push "route 192.168.88.0 255.255.255.0"
client-to-client                           # allow clients to reach each other
keepalive 5 30                             # the server probes every 5 seconds; a client that has not responded for 30 seconds is considered down
;duplicate-cn
tls-auth ta.key 0                          # anti-DDoS; 0 on the server, 1 on the client
comp-lzo                                   # deprecated in OpenVPN 2.4; having this option in the config may prevent clients from connecting to the server
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
5. Client configuration:
- Create the client configuration file:

Place the client.ovpn configuration file in C:\Program Files\OpenVPN\config on the client machine.
Copy client01.crt, client01.csr, client01.key and ca.crt from the server's C:\Program Files\OpenVPN\easy-rsa\keys directory into the client's config directory as well.

The client.ovpn configuration file is as follows:

client
dev tun
proto tcp
remote <server-IP> 8080
resolv-retry infinite
nobind
user nobody
group nobody
;route 192.168.0.0 255.255.252.0
persist-key
persist-tun
ca ca.crt
cert client.crt                            # the file name must match the generated client-side file
key client.key                             # the file name must match the generated client-side file
ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
In most cases each connection file needs its own TUN/TAP interface. On Windows it is strongly recommended to bind the interface permanently to its connection in the configuration file:

dev-node TAP_Serv

This forces OpenVPN to bind the connection to the network interface named "TAP_Serv".
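As an added example, not from the original post, here is a small checker for a server.ovpn / client.ovpn pair that flags the problems called out above: a tls-auth direction other than 0 on the server and 1 on the client, a proto or port that differs between the two sides, cert/key file names that do not match what easy-rsa generated, and comp-lzo. The sample configs, the file lists and the 203.0.113.10 server address are constructed.

```python
# Added example, not from the original post: lint a server.ovpn / client.ovpn pair for the
# mistakes this page warns about. Sample configs and file lists are constructed.
import shlex
SERVER_OVPN = """port 8080
proto tcp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
comp-lzo
"""
CLIENT_OVPN = """client
proto tcp
remote 203.0.113.10 8080
ca ca.crt
cert client01.crt
key client01.key
tls-auth ta.key 1
"""
# files present in each side's config directory, named exactly as easy-rsa produced them
SERVER_FILES = {"ca.crt", "server01.crt", "server01.key", "dh1024.pem", "ta.key"}
CLIENT_FILES = {"ca.crt", "client01.crt", "client01.key", "ta.key"}

def parse_ovpn(text):
    """[(directive, args)]; blank lines and ';' / '#' comments (inline too) are dropped."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [(t[0], t[1:]) for t in map(shlex.split, lines) if t and t[0][0] != ";"]

def first(cfg, name):
    return next((args for d, args in cfg if d == name), None)

def lint_pair(server_text, client_text, server_files, client_files):
    s, c, out = parse_ovpn(server_text), parse_ovpn(client_text), []
    for side, cfg, want, files in (("server", s, "0", server_files), ("client", c, "1", client_files)):
        ta = first(cfg, "tls-auth")
        if ta is not None and ta[1:2] != [want]:           # page: 0 on the server, 1 on the client
            out.append(f"{side}: tls-auth key direction must be {want}")
        for d in ("ca", "cert", "key", "dh", "tls-auth"):   # names must match the generated files
            args = first(cfg, d)
            if args and args[0] not in files:
                out.append(f"{side}: {d} points to {args[0]}, which is not in the config dir")
        if first(cfg, "comp-lzo") is not None:              # deprecated in OpenVPN 2.4
            out.append(f"{side}: comp-lzo is deprecated in OpenVPN 2.4 and can break connections")
    proto = [(first(x, "proto") or ["udp"])[0].split("-")[0] for x in (s, c)]  # tcp-server -> tcp
    if proto[0] != proto[1]:
        out.append(f"proto mismatch: server {proto[0]}, client {proto[1]}")
    sport, remote = (first(s, "port") or ["1194"])[0], first(c, "remote") or []
    if len(remote) > 1 and remote[1] != sport:
        out.append(f"client remote port {remote[1]} != server port {sport}")
    return out
```

Run against the samples it reports the page's own server.crt / server01.crt name mismatch and the comp-lzo line, and nothing for the client side.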
6. Start at boot

II. Assigning static IPs to clients

Format:

ifconfig-push ${IP} ${NETMASK}
With the net30 topology, ${NETMASK} is the address immediately after ${IP}, for example ifconfig-push 10.8.0.1 10.8.0.2
Enable the following in the server's server.conf configuration file:

client-config-dir ccd   # enable static IP assignment per client

/etc/openvpn/ccd        # default location in the Linux version
In the Windows version the default location is the ccd folder inside the config folder.
Each file in the ccd folder is named after the login name (the client's Common Name) of the corresponding client.
With the settings above, a client logging in with the test account gets the IP address 192.168.100.5; create one file per account and write its static IP into it.
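As an added example, not from the original post, the following generates the per-client ccd files for static addresses using this page's convention (the peer address is the one right after the client's) and rejects addresses that are not valid net30 endpoints. The test client at 192.168.100.5 comes from the page; the 192.168.100.0/24 subnet and the other client names are assumptions.

```python
# Added example, not from the original post: build client-config-dir (ccd) entries.
# Follows this page's convention "ifconfig-push <IP> <IP+1>"; in the default net30
# topology each client owns a /30, so valid pairs have last octets (1,2), (5,6),
# (9,10) ... (253,254), and the first pair of the subnet is the server's own.
import ipaddress

def net30_pair(ip, vpn_net):
    """(local, peer) for a static client address, validated for the net30 topology."""
    net, addr = ipaddress.IPv4Network(vpn_net), ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is outside {vpn_net}")
    if int(addr) % 4 != 1:
        raise ValueError(f"{ip}: client address must be the first usable address of a /30 (4n+1)")
    if addr == net.network_address + 1:
        raise ValueError(f"{ip} is the server's own endpoint")
    return str(addr), str(addr + 1)

def build_ccd(assignments, vpn_net):
    """Map client Common Name -> contents of its ccd file; rejects duplicate addresses."""
    seen, files = {}, {}
    for cn, ip in assignments.items():
        local, peer = net30_pair(ip, vpn_net)
        if ip in seen:
            raise ValueError(f"{ip} is assigned to both {seen[ip]} and {cn}")
        seen[ip] = cn
        # write this as <OpenVPN>\config\ccd\<cn> on Windows or /etc/openvpn/ccd/<cn> on Linux
        files[cn] = f"ifconfig-push {local} {peer}\n"
    return files

if __name__ == "__main__":
    # "test" is the page's example; "client02" is a constructed second client
    for name, body in build_ccd({"test": "192.168.100.5", "client02": "192.168.100.9"},
                                "192.168.100.0/24").items():
        print(f"--- ccd/{name}\n{body}", end="")
```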
If the transfer rate between client and server turns out to be very low, enlarge the buffers in the server configuration (this matters a lot):

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"