一、环境准备:
-
操作系统 Windows Server 2012R2
-
阿里云美国服务器
-
客户端服务端单网卡
二、服务端安装部署:
-
打开安装包进行安装,客户端跟服务器安装方式一样,都需要安装
-
接受下一步
-
下面两个选项默认不勾选,我们需要勾选不然安装完无法命令行制作证书操作
-
选择安装目录
-
安装完成
-
安装完成后系统会多出一张网卡TAP的 “本地连接2
-
要想客户端能够通过服务端上网需要调整服务端本地网卡共享
三、服务端配置-生成相关证书配置:
-
修改文件vars.bat.sample 在C:\Program Files\OpenVPN\easy-rsa 目录下用写字板打开 根据需求修改相关配置信息 -
set KEY_COUNTRY=CN set KEY_PROVINCE=JiangYin set KEY_CITY=WuXi set KEY_ORG=KNOWFAR set KEY_EMAIL=112561265@qq.com set KEY_CN=Jumbot set KEY_NAME=Jumbot set KEY_OU=Jumbot set PKCS11_MODULE_PATH=Jumbot set PKCS11_PIN=1234
-
以下进去命令行操作
-
C:\Program Files\OpenVPN\easy-rsa>init-config.bat C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat 已复制 1 个文件。 C:\Program Files\OpenVPN\easy-rsa>vars.bat C:\Program Files\OpenVPN\easy-rsa>clean-all.bat 系统找不到指定的文件。 已复制 1 个文件。 已复制 1 个文件。 C:\Program Files\OpenVPN\easy-rsa>build-ca.bat Loading 'screen' into random state - done Generating a 1024 bit RSA private key .....................++++++ ...........++++++ writing new private key to 'keys\ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [JiangYin]: Locality Name (eg, city) [WuXi]: Organization Name (eg, company) [KNOWFAR]: Organizational Unit Name (eg, section) [Jumbot]: Common Name (eg, your name or your server's hostname) [Jumbot]:CA Name [Jumbot]: Email Address [112561265@qq.com]: C:\Program Files\OpenVPN\easy-rsa> C:\Program Files\OpenVPN\easy-rsa>build-dh.bat Loading 'screen' into random state - done Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time .......+.....+.................................................................+ ................................................................................ .........................+................................+..................... ................................................................................ .............................................................+.................. ................................................................................ .................+.................................................++*++*++* C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server Loading 'screen' into random state - done Generating a 1024 bit RSA private key ....++++++ ..................................................++++++ writing new private key to 'keys\server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [JiangYin]: Locality Name (eg, city) [WuXi]: Organization Name (eg, company) [KNOWFAR]: Organizational Unit Name (eg, section) [Jumbot]: Common Name (eg, your name or your server's hostname) [Jumbot]:server Name [Jumbot]: Email Address [112561265@qq.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:201888 An optional company name []: Using configuration from openssl-1.0.0.cnf Loading 'screen' into random state - done Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'JiangYin' localityName :PRINTABLE:'WuXi' organizationName :PRINTABLE:'KNOWFAR' organizationalUnitName:PRINTABLE:'Jumbot' commonName :PRINTABLE:'server' name :PRINTABLE:'Jumbot' emailAddress :IA5STRING:'112561265@qq.com' Certificate is to be certified until Jun 2 12:35:53 2028 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated C:\Program Files\OpenVPN\easy-rsa> C:\Program Files\OpenVPN\easy-rsa>build-key.bat client Loading 'screen' into random state - done Generating a 1024 bit RSA private key ................++++++ ..............................................++++++ writing new private key to 'keys\client.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [JiangYin]: Locality Name (eg, city) [WuXi]: Organization Name (eg, company) [KNOWFAR]: Organizational Unit Name (eg, section) [Jumbot]: Common Name (eg, your name or your server's hostname) [Jumbot]:lijian Name [Jumbot]: Email Address [112561265@qq.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:201888 An optional company name []: Using configuration from openssl-1.0.0.cnf Loading 'screen' into random state - done Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'JiangYin' localityName :PRINTABLE:'WuXi' organizationName :PRINTABLE:'KNOWFAR' organizationalUnitName:PRINTABLE:'Jumbot' commonName :PRINTABLE:'lijian' name :PRINTABLE:'Jumbot' emailAddress :IA5STRING:'112561265@qq.com' Certificate is to be certified until Jun 2 12:36:27 2028 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated C:\Program Files\OpenVPN\easy-rsa> C:\Program Files\OpenVPN\easy-rsa> C:\Program Files\OpenVPN\easy-rsa>..\bin\openvpn --genkey --secret keys\ta.key
-
生成后文件夹下产生如下文件:
-
创建服务端配置文件
把配置文件server.ovpn放到C:\Program Files\OpenVPN\config目录下
把C:\Program Files\OpenVPN\easy-rsa\keys目录下的
ca.crt、ca.key、server01.crt、server01.csr、server01.key、dh1024.pem、ta.key 复制到
C:\Program Files\OpenVPN\config目录下。
server.ovpn文件内容如下:
-
port 8080 proto tcp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret ;crl-verify vpncrl.pem dh dh1024.pem server 192.168.89.0 255.255.255.0 ifconfig-pool-persist ipp.txt ;push "redirect-gateway def1 bypass-dhcp" ;push "dhcp-option DNS 218.85.157.99" ;push "dhcp-option DNS 223.5.5.5" ;push "route 192.168.88.0 255.255.255.0" client-to-client ;duplicate-cn keepalive 10 120 tls-auth ta.key 0 # This file is secret comp-lzo ;max-clients 100 user nobody group nobody persist-key persist-tun status openvpn-status.log verb 4
-
配置文件如下:
-
启动服务端
四、客户端配置:
-
创建客户端配置文件:
把配置文件client.ovpn放到客户端机器的C:\Program Files\OpenVPN\config目录下,并且把服务器C:\Program Files\OpenVPN\easy-rsa\keys目录下的
client01.crt、client01.csr、client01.key、ca.key、ca.crt、ta.key 文件一起复制到
客户端C:\Program Files\OpenVPN\config目录下 (以上文件为服务端生成,客户端需要在服务端拷贝这7个文件过来)
client.ovpn配置文件如下:
-
client dev tun proto tcp remote 服务端IP 8080 ;remote my-server-2 8080 ;remote-random resolv-retry infinite nobind user nobody group nobody ;route 192.168.0.0 255.255.252.0 persist-key persist-tun ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] ca ca.crt cert client.crt key client.key ns-cert-type server tls-auth ta.key 1 comp-lzo # Set log file verbosity. verb 4
-
配置文件如下:
-
客户端连接后如下:
[责任编辑:jumbot]
