OpenVPN Windows Platform Installation and Deployment Tutorial

cj1698 2021-03-13 21:23

I. Environment:
  1. Operating system: Windows
  2. Client and server each have a single NIC; the router has a port mapping to the server
  3. Installer (attachment): openvpn-install-2.3.10-I601-x86_64.rar
  Note that the 2.3.x line is no longer maintained; the steps below are specific to the easy-rsa 2 batch scripts bundled with that installer, so adapt them if you use a current release.

1. What the easy-rsa scripts do

init-config     # copies vars.bat.sample to vars.bat
vars            # vars.bat sets the variables the other scripts read; it is mostly the block edited in section 2 below
clean-all       # empties C:\Program Files\OpenVPN\easy-rsa\keys and puts a fresh index.txt and serial in it
build-ca        # generates the root CA certificate and key (ca.crt, ca.key)
build-dh.bat    # generates dh<KEY_SIZE>.pem (dh1024.pem with the default vars.bat); the server's TLS (OpenSSL) setup requires it
build-key-server server # generates the server key and certificate
# Like build-ca this prompts for a set of fields; afterwards answer y to the two [y/n] prompts. The one thing that matters:
# Common Name must be filled in and must not repeat the CN of any certificate this CA has already issued
# (build-dh prompts for nothing, so it cannot conflict; the conflict is with earlier build-key-server / build-key runs).
# Otherwise the signing step fails with:
# failed to update database
# TXT_DB error number 2
# Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
# The three files server.key, server.csr and server.crt are still written, but server.crt is 0 bytes and useless;
# rerun with a different CN and make sure the run ends with "Data Base Updated".
# For more server certificates run build-key-server server02 and so on.

build-key client   # generates a client key and certificate
# Prompts for the same fields as build-ca and build-key-server. The Common Name must differ from the one given to
# build-key-server; using build-ca's Common Name I found causes no problem (the self-signed CA certificate is never
# recorded in index.txt, so it cannot clash). A repeated CN fails with the same error:
# failed to update database
# TXT_DB error number 2
# Could Not Find C:\Program Files\OpenVPN\easy-rsa\keys\*.old
# For more client certificates run build-key client02 and so on. Give every client its own certificate: the server
# configuration below leaves duplicate-cn disabled, so a shared certificate cannot even connect twice at once, and a
# per-client certificate is what lets you revoke one machine without cutting off the others.

..\bin\openvpn --genkey --secret keys\ta.key
# Generates ta.key. This step is optional but recommended: the shared HMAC key is used by tls-auth so that the server
# drops any packet not signed with it before doing TLS work, which blunts DoS, UDP floods and port scans against the
# listening port. The argument after --secret is the output path, file name included.

2. Edit C:\Program Files\OpenVPN\easy-rsa\vars.bat to match your organisation

set KEY_COUNTRY=CN
set KEY_PROVINCE=FuJian
set KEY_CITY=FuZhou
set KEY_ORG=FYLUO
set KEY_EMAIL=eagle@fyluo.com
set KEY_CN=Eagle
set KEY_NAME=Eagle
set KEY_OU=Eagle
set PKCS11_MODULE_PATH=Eagle
set PKCS11_PIN=1234

These values become the default answers at the build-* prompts. The two PKCS11_* lines only matter when keys live on a hardware token; for file-based keys any placeholder is fine. vars.bat also carries KEY_SIZE, which the output below shows was left at 1024 in this run: set it to 2048 before build-ca and build-dh, since 1024-bit RSA keys and DH parameters are no longer considered safe, and note that the DH file is then named dh2048.pem.

3. Now run the scripts from a command prompt

C:\Program Files\OpenVPN\easy-rsa>vars.bat
C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
The system cannot find the file specified.
        1 file(s) copied.
        1 file(s) copied.
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat  # create the root certificate
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....................++++++
...........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:
Name [Eagle]:
Email Address [eagle@fyluo.com]:
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......+.....+.................................................................+
................................................................................
.........................+................................+.....................
................................................................................
.............................................................+..................
................................................................................
.................+.................................................++*++*++*

C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server  # create the server certificate and private key
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
....++++++
..................................................++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:server  # type the same name you passed to build-key-server; it must not repeat a CN this CA has already signed
Name [Eagle]:
Email Address [eagle@fyluo.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456  # a CSR attribute only: OpenVPN ignores it and it does not encrypt server.key (the script writes the key unencrypted), so it can be left blank
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'FuJian'
localityName          :PRINTABLE:'FuZhou'
organizationName      :PRINTABLE:'FYLUO'
organizationalUnitName:PRINTABLE:'Eagle'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'Eagle'
emailAddress          :IA5STRING:'eagle@fyluo.com'
Certificate is to be certified until Jun  2 12:35:53 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>build-key.bat client  # create the client certificate and private key; repeat for each client (client1, client2, ...)
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
..............................................++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FuJian]:
Locality Name (eg, city) [FuZhou]:
Organization Name (eg, company) [FYLUO]:
Organizational Unit Name (eg, section) [Eagle]:
Common Name (eg, your name or your server's hostname) [Eagle]:cli  # must differ from the server's CN; the signed DN below shows 'cli' was entered
Name [Eagle]:
Email Address [eagle@fyluo.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456  # CSR attribute only, ignored by OpenVPN; it does not protect client.key
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'FuJian'
localityName          :PRINTABLE:'FuZhou'
organizationName      :PRINTABLE:'FYLUO'
organizationalUnitName:PRINTABLE:'Eagle'
commonName            :PRINTABLE:'cli'
name                  :PRINTABLE:'Eagle'
emailAddress          :IA5STRING:'eagle@fyluo.com'
Certificate is to be certified until Jun  2 12:36:27 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
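Before running build-key-server or build-key again, it helps to know whether the Common Name you are about to type will trigger the TXT_DB error described in section 1. The Python script below is an added example, not part of OpenVPN or easy-rsa: it parses keys\index.txt (the OpenSSL CA database that clean-all creates and every signing run appends to), rebuilds the subject DN that vars.bat plus your Common Name will produce, and applies the rule openssl ca itself uses (only entries with status V count for the unique-subject check, so a revoked or expired CN can be issued again). The sample index contents are constructed from the runs shown above; serial 03 and its revocation are made up, and the DN attribute order assumes easy-rsa's openssl-1.0.0.cnf.

```python
"""Pre-flight check for the easy-rsa 2.x scripts: predict the
"TXT_DB error number 2" clash before running build-key / build-key-server.

Added example for this tutorial; not code from OpenVPN or easy-rsa.
Assumes easy-rsa's openssl-1.0.0.cnf defaults (unique_subject = yes)
and the DN attribute order that configuration emits.
"""
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional


class IndexEntry(NamedTuple):
    status: str                  # 'V' valid, 'R' revoked, 'E' expired
    expires: datetime
    revoked: Optional[datetime]
    serial: str                  # hex, e.g. '01'
    subject: str                 # '/C=CN/ST=FuJian/.../CN=server/...'


def asn1_time(s: str) -> datetime:
    """index.txt dates are UTCTime (YYMMDDHHMMSSZ); GeneralizedTime has a 4-digit year."""
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    """One entry per line: status, expiry, revocation date[,reason], serial, file name, subject (tab-separated)."""
    entries: List[IndexEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, exp, rev, serial, _fname, subject = fields
        rev_dt = asn1_time(rev.split(",")[0]) if rev else None
        entries.append(IndexEntry(status, asn1_time(exp), rev_dt, serial, subject))
    return entries


def subject_from_vars(key_vars: Dict[str, str], cn: str) -> str:
    """Subject DN that build-key[-server] will submit: vars.bat defaults plus the
    Common Name typed at the prompt, in the order OpenSSL writes to index.txt."""
    return (f"/C={key_vars['KEY_COUNTRY']}/ST={key_vars['KEY_PROVINCE']}"
            f"/L={key_vars['KEY_CITY']}/O={key_vars['KEY_ORG']}/OU={key_vars['KEY_OU']}"
            f"/CN={cn}/name={key_vars['KEY_NAME']}/emailAddress={key_vars['KEY_EMAIL']}")


def clashing_entry(entries: List[IndexEntry], subject: str) -> Optional[IndexEntry]:
    """openssl ca only indexes status-V entries for the unique-subject check, so a
    revoked (R) or expired (E) subject can be reused; a V match makes the database
    insert fail with 'TXT_DB error number 2'."""
    return next((e for e in entries if e.status == "V" and e.subject == subject), None)


def preflight(index_text: str, key_vars: Dict[str, str], cn: str,
              now: Optional[datetime] = None) -> Dict[str, object]:
    """Report whether 'build-key[-server] <name>' with Common Name cn would succeed."""
    now = now or datetime.now(timezone.utc)
    entries = parse_index(index_text)
    subject = subject_from_vars(key_vars, cn)
    clash = clashing_entry(entries, subject)
    # The status stays V after the expiry date until 'openssl ca -updatedb' is run,
    # so a long-expired certificate still blocks re-issuing the same CN.
    stale = [e.serial for e in entries if e.status == "V" and e.expires < now]
    return {"subject": subject, "ok": clash is None,
            "clash_serial": clash.serial if clash else None, "stale_serials": stale}


# Constructed sample index.txt mirroring the two signing runs above; serial 03 is made up.
SAMPLE_INDEX = (
    "V\t280602123553Z\t\t01\tunknown\t/C=CN/ST=FuJian/L=FuZhou/O=FYLUO/OU=Eagle/CN=server/name=Eagle/emailAddress=eagle@fyluo.com\n"
    "V\t280602123627Z\t\t02\tunknown\t/C=CN/ST=FuJian/L=FuZhou/O=FYLUO/OU=Eagle/CN=cli/name=Eagle/emailAddress=eagle@fyluo.com\n"
    "R\t280701000000Z\t210301090000Z\t03\tunknown\t/C=CN/ST=FuJian/L=FuZhou/O=FYLUO/OU=Eagle/CN=client02/name=Eagle/emailAddress=eagle@fyluo.com\n"
)
VARS = {"KEY_COUNTRY": "CN", "KEY_PROVINCE": "FuJian", "KEY_CITY": "FuZhou", "KEY_ORG": "FYLUO",
        "KEY_OU": "Eagle", "KEY_NAME": "Eagle", "KEY_EMAIL": "eagle@fyluo.com"}

if __name__ == "__main__":
    for name in ("server", "client02", "client03"):
        print(name, preflight(SAMPLE_INDEX, VARS, name))
```

Run it with the real file by passing `open(r"C:\Program Files\OpenVPN\easy-rsa\keys\index.txt").read()` and the values from your vars.bat; an "ok": False result means pick another Common Name, and a non-empty stale list means the CA database has expired entries that openssl ca -updatedb would move to status E.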
4. Server configuration
Put server.ovpn in C:\Program Files\OpenVPN\config, and copy ca.crt, server.crt, server.key, the DH file build-dh produced (dh1024.pem here; dh2048.pem if KEY_SIZE was raised) and ta.key from C:\Program Files\OpenVPN\easy-rsa\keys into the same directory. Do not copy ca.key: the CA private key is needed only to issue and revoke certificates, and a compromised VPN server must not be able to mint new client certificates with it. The .csr files are signing requests that OpenVPN never reads. Keep easy-rsa\keys, with ca.key in it, off the server if you can, and in any case readable by administrators only.
server.ovpn looks like this; adjust it to your needs.

port 8080   # listening port
proto tcp   # transport; udp works too and is the usual choice
dev tun
ca ca.crt          # these file names must match the files generated for the server
cert server.crt
key server.key
;crl-verify vpncrl.pem   # enable once a certificate has been revoked and the CRL copied here
dh dh1024.pem      # must match the file build-dh produced
server 192.168.89.0 255.255.255.0   # VPN subnet; change as needed
ifconfig-pool-persist ipp.txt       # after an OpenVPN restart, returning clients get the same address as before
push "redirect-gateway def1 bypass-dhcp"   # send all client traffic through the VPN; optional: comment it out and local traffic keeps leaving locally
push "dhcp-option DNS 218.85.157.99"       # primary DNS for clients
push "dhcp-option DNS 223.5.5.5"           # secondary DNS for clients
push "route 192.168.88.0 255.255.255.0"    # LAN behind the server that clients should reach
client-to-client    # let clients talk to each other
keepalive 5 30      # ping every 5 seconds; a client that has not answered for 30 seconds is considered down
;duplicate-cn
tls-auth ta.key 0   # HMAC firewall against DoS; key direction 0 on the server, 1 on clients
comp-lzo            # LZO compression. Deprecated since 2.4, and a server/client mismatch on this option stops clients connecting; compressing traffic inside TLS also enables the VORACLE attack, so prefer removing it from both sides
;max-clients 100
;user nobody        # Linux-only privilege drop: OpenVPN for Windows cannot apply it and only logs a note, so it is disabled here
;group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4

 

5. Client configuration:
  1. Create the client profile:
Put client.ovpn in C:\Program Files\OpenVPN\config on the client machine.
From the server's C:\Program Files\OpenVPN\easy-rsa\keys copy client.crt, client.key, ca.crt and ta.key into the client's config directory (client01.crt and client01.key if that was the name given to build-key). client.csr is not needed, and client.key must travel over a trusted channel because the script wrote it unencrypted.
client.ovpn looks like this:
client
dev tun
proto tcp
remote <server IP> 8080
resolv-retry infinite
nobind
;user nobody    # Linux-only; ignored on Windows, see the server notes
;group nobody
;route 192.168.0.0 255.255.252.0
persist-key
persist-tun

ca ca.crt
cert client.crt  # file names must match the files generated for this client
key client.key

ns-cert-type server   # refuses a client certificate presented as the server; works with easy-rsa 2 server certificates (nsCertType=server) but is deprecated in 2.4 and removed in 2.5. remote-cert-tls server is the current equivalent, provided server.crt carries extendedKeyUsage=serverAuth (check with openssl x509 -noout -text -in server.crt)
tls-auth ta.key 1
comp-lzo              # keep only if the server has it too; see the server notes on removing it
# Set log file verbosity.
verb 4

 

In most cases each connection profile needs its own TUN/TAP adapter. On Windows it is strongly recommended to bind the adapter to its profile permanently in the profile: dev-node TAP_Serv forces OpenVPN to use the network adapter named "TAP_Serv" for that connection (rename the adapter in Network Connections to match). A second profile on the same machine needs a second adapter, which the installer's Utilities > Add a new TAP virtual ethernet adapter shortcut creates.
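A connection that fails after sections 4 and 5 is usually a mismatch between the two profiles rather than a certificate problem. The script below is an added example (not code from OpenVPN or from this tutorial) that parses a server.ovpn and a client.ovpn the way OpenVPN reads them (lines starting with # or ; are comments, a # after whitespace starts a trailing comment, quoted push arguments stay together) and reports the mismatches that matter (transport, port, tls-auth key direction, compression on one side only) alongside the weak settings discussed above (compression, Linux-only user/group on Windows, the deprecated ns-cert-type). The two profiles are constructed to mirror the tutorial's, with 203.0.113.10 as a placeholder server address; the finding codes are the example's own names, not OpenVPN terminology.

```python
"""Consistency and hardening check for a server.ovpn / client.ovpn pair.

Added example for this tutorial; not part of OpenVPN. Finding codes are
this example's own names.
"""
import shlex
from typing import List, Optional, Tuple

Directives = List[Tuple[str, List[str]]]


def parse_ovpn(text: str) -> Directives:
    """Turn a profile into (directive, args) pairs; push "a b c" stays one argument."""
    out: Directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)   # drops a trailing '# ...' comment
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def first(cfg: Directives, name: str) -> Optional[List[str]]:
    """Arguments of the first occurrence of a directive, or None if absent."""
    return next((args for d, args in cfg if d == name), None)


def norm_proto(p: str) -> str:
    """tcp, tcp-server, tcp-client, tcp4, udp6 ... -> tcp / udp."""
    return p.split("-")[0].rstrip("46")


def lint_pair(server: Directives, client: Directives, windows: bool = True) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    s_proto = norm_proto((first(server, "proto") or ["udp"])[0])
    c_proto = norm_proto((first(client, "proto") or ["udp"])[0])
    if s_proto != c_proto:
        findings.append(("PROTO_MISMATCH", f"server uses {s_proto}, client uses {c_proto}"))
    s_port = (first(server, "port") or ["1194"])[0]
    remote = first(client, "remote") or []
    c_port = remote[1] if len(remote) > 1 else (first(client, "port") or ["1194"])[0]
    if s_port != c_port:
        findings.append(("PORT_MISMATCH", f"server listens on {s_port}, client dials {c_port}"))
    # tls-auth must be on both sides with key direction 0 (server) / 1 (client), or no direction on either.
    s_ta, c_ta = first(server, "tls-auth"), first(client, "tls-auth")
    if s_ta is None or c_ta is None:
        findings.append(("TLS_AUTH_MISSING", "tls-auth configured on one side only"))
    else:
        dirs = (s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None)
        if dirs not in (("0", "1"), (None, None)):
            findings.append(("TLS_AUTH_DIR", f"key directions {dirs}; need 0 on the server, 1 on the client"))
    # Compression must agree on both sides, and is best removed from both (deprecated; VORACLE).
    s_comp = any(d in ("comp-lzo", "compress") for d, _ in server)
    c_comp = any(d in ("comp-lzo", "compress") for d, _ in client)
    if s_comp != c_comp:
        findings.append(("COMP_MISMATCH", "compression enabled on one side only"))
    elif s_comp:
        findings.append(("COMP_DEPRECATED", "compression is deprecated and exposes tunnelled TLS traffic (VORACLE)"))
    if windows:
        for side, cfg in (("server", server), ("client", client)):
            if first(cfg, "user") is not None or first(cfg, "group") is not None:
                findings.append(("WIN_USER_GROUP", f"{side}: user/group are not implemented on Windows"))
    # Something must stop a client certificate from impersonating the server.
    if first(client, "ns-cert-type") is not None:
        findings.append(("NS_CERT_TYPE", "ns-cert-type is deprecated (removed in 2.5); prefer remote-cert-tls server"))
    elif first(client, "remote-cert-tls") is None and first(client, "verify-x509-name") is None:
        findings.append(("NO_SERVER_CHECK", "client never checks that the peer certificate is a server certificate"))
    return findings


def lint_codes(server_text: str, client_text: str, windows: bool = True) -> List[str]:
    return [code for code, _ in lint_pair(parse_ovpn(server_text), parse_ovpn(client_text), windows)]


# Constructed profiles mirroring the tutorial's; 203.0.113.10 is a documentation address.
SERVER_OVPN = """
port 8080   # listening port
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.89.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"   # all client traffic through the VPN
push "dhcp-option DNS 223.5.5.5"
keepalive 5 30
;duplicate-cn
tls-auth ta.key 0   # key direction 0 on the server
comp-lzo
user nobody
group nobody
verb 4
"""
CLIENT_OVPN = """
client
dev tun
proto tcp
remote 203.0.113.10 8080
nobind
user nobody
group nobody
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 4
"""
# A carelessly edited client: wrong transport and port, server key direction, no compression.
BROKEN_CLIENT = (CLIENT_OVPN.replace("proto tcp", "proto udp").replace("8080", "1194")
                 .replace("tls-auth ta.key 1", "tls-auth ta.key 0").replace("comp-lzo\n", "")
                 .replace("ns-cert-type server", "remote-cert-tls server")
                 .replace("user nobody\ngroup nobody\n", ""))

if __name__ == "__main__":
    for name, text in (("tutorial client", CLIENT_OVPN), ("broken client", BROKEN_CLIENT)):
        print(name, lint_pair(parse_ovpn(SERVER_OVPN), parse_ovpn(text)))
```

Point it at the real files with `lint_codes(open(server_path).read(), open(client_path).read())`; PROTO_MISMATCH, PORT_MISMATCH, TLS_AUTH_DIR and COMP_MISMATCH each explain a client that cannot connect at all, while the remaining codes are hardening advice for a pair that already works.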

6. Start at boot

The installer registers the OpenVPN service (openvpnserv.exe), which on startup launches one openvpn process for every .ovpn file in C:\Program Files\OpenVPN\config. Set the service's startup type to Automatic in services.msc and the server comes up without anyone logging in; a connection started from the GUI tray icon, by contrast, only runs while that user session exists.

II. Assigning a static IP to a client

Format:

ifconfig-push ${IP} ${NETMASK}
With the default net30 topology the second argument is not a netmask but the server-side endpoint of the client's /30, i.e. the address right after ${IP}, for example ifconfig-push 10.8.0.1 10.8.0.2. Both addresses must sit in the same /30 (last octets [1,2], [5,6], [9,10], ...; the TAP-Windows driver rejects other pairs), and the pair must not be the one the server itself occupies (.1/.2 of the subnet given to the server directive). With topology subnet the second argument is the real netmask.

Enable it in the server's server.conf (server.ovpn on Windows):

client-config-dir ccd    # per-client configuration, including static addresses

/etc/openvpn/ccd  # default location on Linux

On Windows the directory is the ccd folder inside the config folder (the path is relative to the configuration file).

Each file in ccd is named after the Common Name of the client certificate it applies to (or after the username when username-as-common-name is in use).

A file named test containing an ifconfig-push line for 192.168.100.5 gives the client whose certificate CN is test the address 192.168.100.5; create one file per client with its static address. When the pair lies outside the VPN subnet, as 192.168.100.x does next to the 192.168.89.0/24 configured above, the server also needs a route directive for that /30 so that the kernel sends traffic for it into the tunnel.
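To turn those rules into files without counting /30 boundaries by hand, the following Python script (an added example, not part of OpenVPN) validates an ifconfig-push pair for net30 topology, renders one ccd file per certificate Common Name, and lists the route directives the server needs when the static addresses sit outside its own subnet, as the tutorial's 192.168.100.5 does next to a 192.168.89.0/24 VPN. It assumes the tutorial's server subnet and the default net30 topology; the client02 assignment and the endpoint addresses are made up to fit the 4n+1/4n+2 pattern, and the script does not try to coordinate with the server's dynamic address pool.

```python
"""Static client addresses in net30 topology: validate ifconfig-push pairs,
render ccd files and the matching server routes.

Added example for this tutorial; not part of OpenVPN. Assumes
'server 192.168.89.0 255.255.255.0' with the default net30 topology, whose
own link occupies .1/.2, and static pairs taken from a separate subnet.
"""
import ipaddress
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

IPv4 = ipaddress.IPv4Address


def net30_pairs(subnet: str) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, server_endpoint) for every /30 of subnet, skipping the first /30
    because 'server <net> <mask>' makes OpenVPN itself take .1 with .2 as its endpoint."""
    net = ipaddress.ip_network(subnet, strict=True)
    for block in list(net.subnets(new_prefix=30))[1:]:
        base = int(block.network_address)
        yield str(IPv4(base + 1)), str(IPv4(base + 2))


def validate_pair(client_ip: str, endpoint: str, server_subnet: str) -> Tuple[bool, str]:
    """Check an 'ifconfig-push client_ip endpoint' pair for net30: client on a 4n+1
    address, endpoint right after it (same /30), and not the server's own .1/.2 link."""
    c, e = IPv4(client_ip), IPv4(endpoint)
    if int(c) % 4 != 1:
        return False, "client address must end in 1, 5, 9, ... (4n+1) for the TAP-Windows driver"
    if int(e) != int(c) + 1:
        return False, "endpoint must be the address right after the client address (same /30)"
    srv = ipaddress.ip_network(server_subnet, strict=True)
    if c in srv and int(c) == int(srv.network_address) + 1:
        return False, "this /30 is the server's own link (.1/.2)"
    return True, "ok"


def render_ccd(assignments: Dict[str, Tuple[str, str]], server_subnet: str) -> Dict[str, str]:
    """Map each certificate Common Name to the text of its ccd file."""
    files: Dict[str, str] = {}
    for cn, (client_ip, endpoint) in assignments.items():
        ok, why = validate_pair(client_ip, endpoint, server_subnet)
        if not ok:
            raise ValueError(f"{cn}: {why}")
        files[cn] = f"ifconfig-push {client_ip} {endpoint}\n"
    return files


def route_lines(assignments: Dict[str, Tuple[str, str]], server_subnet: str) -> List[str]:
    """'route' directives for static /30s outside the server's own subnet, so the
    kernel sends traffic for those addresses into the tunnel."""
    srv = ipaddress.ip_network(server_subnet, strict=True)
    lines = set()
    for client_ip, _ in assignments.values():
        block = ipaddress.ip_network(f"{client_ip}/30", strict=False)
        if not block.subnet_of(srv):
            lines.add(f"route {block.network_address} 255.255.255.252")
    return sorted(lines)


def write_ccd(files: Dict[str, str], ccd_dir: Path) -> List[Path]:
    """Write the files; the file name is the certificate CN with no extension."""
    ccd_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for cn, body in files.items():
        path = ccd_dir / cn
        path.write_text(body)
        written.append(path)
    return written


SERVER_SUBNET = "192.168.89.0/24"
# Constructed assignments: 'test' is the tutorial's client, client02 is made up.
ASSIGNMENTS = {"test": ("192.168.100.5", "192.168.100.6"),
               "client02": ("192.168.100.9", "192.168.100.10")}

if __name__ == "__main__":
    files = render_ccd(ASSIGNMENTS, SERVER_SUBNET)
    for cn, body in files.items():
        print(f"ccd/{cn}: {body.strip()}")
    print("\n".join(route_lines(ASSIGNMENTS, SERVER_SUBNET)))
    print(write_ccd(files, Path(tempfile.mkdtemp()) / "ccd"))
```

Replace the temporary directory with C:\Program Files\OpenVPN\config\ccd on the server, add the printed route lines to server.ovpn, and use net30_pairs(SERVER_SUBNET) when you would rather hand out static pairs from the VPN subnet itself (then keep them clear of the dynamic pool).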

 

If throughput between client and server is very low, raise the socket buffers in the server configuration (this matters a lot); the push lines hand the same sizes to the clients:

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

 
