Ruochen's Blog

This blog is affiliated with the Ruochen Internet Forum

Installing and Deploying an OpenVPN Virtual Private Network

1. Introduction

A virtual private network (VPN) is a secure network connection established across a public network. It differs from an ordinary connection in that it uses a dedicated tunnelling protocol that encrypts the data, checks its integrity and authenticates the user, so that information in transit cannot be read, tampered with or copied. From the point of view of connection security it is as if a leased line had been laid across the public network, except that the line is logical rather than physical, hence "virtual" private network. The structure of a VPN system is shown in Figure 1: a VPN server, VPN clients and the tunnel between them. Because carrying traffic over the Internet is far cheaper than renting a leased line, VPNs make it possible for a company to move confidential information across the Internet both securely and economically.

[Figure 1: VPN system structure (VPN server, VPN client, tunnel); image not reproduced]

2. Configuring a VPN with OpenVPN on Windows

OpenVPN is an open-source, third-party VPN tool with which a VPN gateway can be built on existing equipment.

The installation and configuration steps are as follows:

1. Download and install OpenVPN:

Download the current release from the official site, http://openvpn.net/index.php/open-source/downloads.html: openvpn-2.1.1-install.exe (2.1.1 was the latest release when this was written; the 2.1 series has long since been superseded, so take whatever the site currently offers and expect small differences in the installer and the sample configuration files).

Double-click openvpn-2.1.1-install.exe and click through the installer, accepting the defaults (the original post shows a screenshot of each installer page; the rest of this guide assumes the default install directory C:\Program Files\OpenVPN).

After installation the easy-rsa folder is under C:\Program Files\OpenVPN\, and a new Local Area Connection (the TAP adapter) appears in the system tray at the lower right of the server's desktop; rename it to OpenVPN.

(If no new connection appears after installation, double-click addtap.bat in C:\Program Files\OpenVPN\bin to add a TAP adapter by hand.)

2. Initial configuration:

(1) Edit vars.bat.sample in the easy-rsa directory (open it with WordPad rather than Notepad, which can damage the file's format) and rename it vars.bat, with these values:

set KEY_COUNTRY=CN

set KEY_PROVINCE=BJ

set KEY_CITY=BeiJing

set KEY_ORG=cdtsm

set KEY_EMAIL=sunzhouyi@cdtsm.com

(2) Rename openssl.cnf.sample in easy-rsa to openssl.cnf. Then open a command prompt (Start > Run > cmd); it opens in the user's profile directory:

C:\Documents and Settings\ThinkPad

From that prompt the easy-rsa scripts (build-ca, build-key-server, build-dh and the client key script) build the CA and the server and client certificates in C:\Program Files\OpenVPN\easy-rsa\keys; the files they produce are the ones copied into the config directory in the steps below. The server configuration file server.ovpn (the sample from C:\Program Files\OpenVPN\sample-config) is then edited as follows. The English comments are the sample file's own; the author's notes are marked "Author's note":

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
# Author's note: the listening port; the default is 1194.
port 1194

# TCP or UDP server?
# Author's note: the protocol; UDP by default. If clients come in
# through an HTTP proxy, TCP must be used.
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
# Author's note: the device is either tap or tun. tap is a layer-2 device and
# carries link-layer protocols; tun is a point-to-point IP-layer device with
# somewhat more restrictions. The author is in the habit of using TAP.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
# Author's note: the root CA that OpenVPN trusts, generated with build-ca;
# it is used to check whether a client's certificate is valid.
ca ca.crt
# Author's note: the server's certificate (the original post has the typo
# "CdtsmServer.csrt"; the file easy-rsa generates is CdtsmServer.crt).
cert CdtsmServer.crt
# Author's note: the private key matching the server certificate. Watch the
# file's permissions so that it cannot be stolen.
key CdtsmServer.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
# Caveat (not in the original post): 1024-bit DH parameters are below current
# minimums; generate dh2048.pem with 2048 in both places and reference it here.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
# Author's note: this sets the OpenVPN server's internal network and netmask
# (with the value below the server takes 192.168.100.1 for itself).
server 192.168.100.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
# Author's note: routes added on the VPN server when the VPN starts and
# removed automatically when it stops.
;route 192.168.3.0 255.255.255.0
;route 10.10.22.0 255.255.255.0
;route 121.194.12.0 255.255.255.0

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
# Author's note: push the routes below to clients; once a client connects
# they are added to its routing table automatically.
client-config-dir ccd
push "route 192.168.3.0 255.255.255.0"
push "route 10.10.22.0 255.255.255.0"
push "route 121.194.12.0 255.255.255.0"
push "route 192.168.15.0 255.255.255.0"
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients. See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
# Author's note: push DNS (and WINS) servers to the clients. The addresses
# are the author's own servers, not the OpenDNS ones the sample comment
# describes.
push "dhcp-option DNS 10.10.22.243"
push "dhcp-option WINS 202.106.0.20"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
# Author's note: lets VPN clients reach each other, forwarded directly inside
# the openvpn process instead of being sent out of the tun/tap device and
# routed back in, which makes client-to-client traffic more efficient.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
# Author's note: if client certificates share a Common Name, or all clients
# connect with the same certificate and key, this option must be enabled;
# otherwise only one of them can be connected at a time.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
# Author's note: ping the peer every 10 seconds over the VPN control channel;
# if nothing comes back for 120 seconds the connection is considered lost
# and OpenVPN restarts and reconnects (an instance in server mode does not
# reconnect, it simply drops the client).
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
# Author's note: the HMAC firewall mentioned above guards against DoS: every
# control-channel message carries an HMAC signature, and messages without a
# valid one are dropped unprocessed. The trailing number must be 0 on the
# server and 1 on the clients.
tls-auth ta.key 0  # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Caveat (not in the original post): the Blowfish default has a 64-bit block
# and is weak by current standards; set "cipher AES-128-CBC" here and in
# every client config.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# Author's note: compresses the data; the server and client must agree.
# Caveat (not in the original post): compression of a VPN link lets an
# attacker who can inject traffic learn plaintext from size changes; leave
# it off unless bandwidth forces the issue.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
# Author's note: the maximum number of connections.
max-clients 20

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
# Author's note: the user and group openvpn runs as (these two lines only
# take effect on Unix-like systems; Windows ignores them).
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
# Author's note: when a keepalive timeout triggers a restart, do not re-read
# the key files; keep the keys loaded at first start.
persist-key
# Author's note: across such a restart keep the tun/tap device up; without
# this the interface goes down and comes back up.
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
# Author's note: writes OpenVPN's status to a file periodically, handy for
# your own accounting or monitoring scripts.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Copy the configuration file server.ovpn to C:\Program Files\OpenVPN\config. Of the files in C:\Program Files\OpenVPN\easy-rsa\keys, the server configuration references only ca.crt, CdtsmServer.crt, CdtsmServer.key, dh1024.pem and ta.key; copy those five to C:\Program Files\OpenVPN\config. The original post also copies ca.key and CdtsmServer.csr, but neither is used at runtime: the .csr is only the signing request, and ca.key is the CA's signing key, which should stay in easy-rsa\keys (or, better, off the VPN server altogether), since whoever holds it can issue certificates the VPN will trust. The server side is now configured and can be started. If it should start automatically with the machine, open Control Panel > Administrative Tools > Services and set the OpenVPN service's startup type to Automatic.

This completes the server-side configuration. Next, start the server: if the OpenVPN GUI icon is not in the system tray at the lower right of the server's desktop, double-click the OpenVPN GUI icon on the desktop; then right-click the tray icon to open its menu (shown as a screenshot in the original post).

Click Connect; once the connection is up the small red computer icon turns green.
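Before moving on to the client, here is an added example (Python, written for this edit; it is not code from the post or from OpenVPN) that shows what the ta.key file produced by `openvpn --genkey --secret ta.key` contains and why the tls-auth direction must be 0 on the server and 1 on the clients. The key layout used (256 random bytes as two slots, each a 64-byte cipher key followed by a 64-byte HMAC key; direction 0 sends with slot 0 and receives with slot 1, direction 1 the reverse; HMAC-SHA1 keyed with the first 20 bytes of the slot under the default `auth SHA1`) is this editor's reading of OpenVPN's static-key format and is an assumption of the example. The packet framing is a deliberate simplification: the real control-channel HMAC also covers a packet-id and timestamp for replay protection, and the first-packet label is only a constructed stand-in.

```python
import hashlib
import hmac
import os
import textwrap
from typing import Optional, Tuple

# Assumed layout of "openvpn --genkey --secret ta.key": 256 random bytes =
# two slots of (64-byte cipher key, 64-byte HMAC key). tls-auth uses only the
# HMAC halves; with the default "auth SHA1" the first 20 bytes of the HMAC
# half key the HMAC-SHA1.
KEY_BYTES = 256
SLOT = 64
HMAC_LEN = hashlib.sha1().digest_size  # 20

HEADER = "-----BEGIN OpenVPN Static key V1-----"
FOOTER = "-----END OpenVPN Static key V1-----"


def generate_static_key(raw: Optional[bytes] = None) -> str:
    """Return ta.key text in OpenVPN 'Static key V1' format (random unless raw is given)."""
    raw = os.urandom(KEY_BYTES) if raw is None else raw
    if len(raw) != KEY_BYTES:
        raise ValueError("static key must be exactly 256 bytes")
    body = "\n".join(textwrap.wrap(raw.hex(), 32))  # 16 lines of 32 hex digits
    return f"#\n# 2048 bit OpenVPN static key\n#\n{HEADER}\n{body}\n{FOOTER}\n"


def parse_static_key(text: str) -> bytes:
    """Read the hex body between the BEGIN/END markers back into 256 bytes."""
    lines = text.splitlines()
    try:
        start, end = lines.index(HEADER), lines.index(FOOTER)
    except ValueError:
        raise ValueError("not an OpenVPN static key file") from None
    raw = bytes.fromhex("".join(line.strip() for line in lines[start + 1:end]))
    if len(raw) != KEY_BYTES:
        raise ValueError("static key must decode to 256 bytes")
    return raw


def hmac_keys(raw: bytes, direction: int) -> Tuple[bytes, bytes]:
    """(send_key, recv_key) for 'tls-auth ta.key <direction>'.

    Direction 0 sends with slot 0 and receives with slot 1; direction 1 is the
    mirror image. Two peers only understand each other when one uses 0 and the
    other 1, which is why the server gets 0 and every client gets 1.
    """
    if direction not in (0, 1):
        raise ValueError("direction must be 0 or 1")
    slot0 = raw[SLOT:2 * SLOT][:HMAC_LEN]
    slot1 = raw[3 * SLOT:4 * SLOT][:HMAC_LEN]
    return (slot0, slot1) if direction == 0 else (slot1, slot0)


def seal(send_key: bytes, control_payload: bytes) -> bytes:
    """Prefix a control-channel payload with its HMAC-SHA1 tag (simplified framing)."""
    return hmac.new(send_key, control_payload, hashlib.sha1).digest() + control_payload


def accept(recv_key: bytes, packet: bytes) -> bool:
    """The 'HMAC firewall': drop anything whose tag does not verify, before any TLS work."""
    tag, payload = packet[:HMAC_LEN], packet[HMAC_LEN:]
    expected = hmac.new(recv_key, payload, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


def handshake_accepted(server_direction: int, client_direction: int,
                       raw: Optional[bytes] = None) -> Tuple[bool, bool]:
    """(genuine client hello accepted?, forged hello accepted?) for a direction pair."""
    raw = parse_static_key(generate_static_key(raw))  # round-trip through the file format
    _, server_recv = hmac_keys(raw, server_direction)
    client_send, _ = hmac_keys(raw, client_direction)
    hello = b"P_CONTROL_HARD_RESET_CLIENT_V2"  # constructed stand-in for the first packet
    genuine = seal(client_send, hello)
    forged = bytes(HMAC_LEN) + hello  # attacker without ta.key cannot produce a valid tag
    return accept(server_recv, genuine), accept(server_recv, forged)


if __name__ == "__main__":
    print("server 0 / client 1:", handshake_accepted(0, 1))  # (True, False)
    print("server 0 / client 0:", handshake_accepted(0, 0))  # (False, False)
```

The second line of output is the misconfiguration the author warns about: with both ends on direction 0 the client signs with the slot the server does not use for receiving, so even a legitimate client is dropped at the HMAC stage and the TLS handshake never starts.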

3. Client configuration:

The client configuration file is also in C:\Program Files\OpenVPN\sample-config. client.ovpn, with the author's changes, is as follows (sample comments as in the file, author's notes marked "Author's note"):

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
# Author's note: declares this end a client; settings such as the IP address
# and routes are pulled from the server (whatever the server sends with its
# "push" directives).
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
# Author's note: the interface type; must be exactly the same as on the server.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
# Author's note: the protocol; must be exactly the same as on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# Author's note: the server's address and port (this is the OpenVPN server's
# public IP, partly masked in the original). With several servers for load
# balancing, the remote keyword can appear more than once.
remote 58.30.12.* 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
# Author's note: pick a server at random; otherwise they are tried in order
# from top to bottom.
remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
# Author's note: keep re-resolving the server's address (when "remote" names
# a host). If the server has a dynamic IP kept current through DDNS, the
# client re-resolves it on every automatic reconnect and rejoins the VPN
# without anyone having to restart it.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
# Author's note: do not bind a local port to listen for incoming data; a
# client has no need for that, except in a one-to-one VPN.
nobind

# Downgrade privileges after initialization (non-Windows only)
# Author's note: the user OpenVPN runs as. Older versions on Windows needed
# these two lines commented out; newer versions do not.
user nobody
group nobody

# Try to preserve some state across restarts.
# Author's note: same purpose as on the server. With chroot or a privilege
# drop in use, keep both options on, so that after a restart the key files
# can still be read and the unprivileged user can still bring up the tun
# device.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
# Author's note: the root CA file, used to verify that the server's
# certificate is valid; it is the ca.crt produced by easy-rsa/build-ca, the
# same file the server config refers to.
ca ca.crt
cert CdtsmClient.crt
key CdtsmClient.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
# Author's note: the server certificate was produced with the build-key-server
# script, which adds the nsCertType extension among the X.509 v3 extensions.
# This stops a VPN client from using its own keys plus a DNS hack to lure
# other clients into connecting to a fake VPN server, because a client
# certificate does not carry that extension.
# Caveat (not in the original post): later OpenVPN releases deprecate
# ns-cert-type in favour of "remote-cert-tls server", which checks the
# extendedKeyUsage that newer easy-rsa builds into server certificates.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
# Author's note: same as in the server config and the same ta.key, but note
# that the last parameter here is 1.
tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# Author's note: the compression option; must match the server exactly.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Copy client.ovpn to C:\Program Files\OpenVPN\config on the client machine, together with the files it references from the server's C:\Program Files\OpenVPN\easy-rsa\keys directory: CdtsmClient.crt, CdtsmClient.key, ca.crt and ta.key (all four are generated on the server; the client obtains them from the server's administrator, over a secure channel, since CdtsmClient.key and ta.key are secrets). The original post also hands the client CdtsmClient.csr and ca.key. The .csr is harmless but unused; ca.key must never be given to a client: with the CA's signing key a client could issue itself a certificate for any Common Name, including one with the nsCertType server extension that other clients trust, and so impersonate the server.

This completes the client configuration and the client can now connect to the server. If the OpenVPN GUI icon is not in the system tray at the lower right of the client's desktop, double-click the OpenVPN GUI icon on the desktop; then right-click the tray icon to open the same menu as on the server.

Click Connect; once the connection is established the small red computer icon turns green.

From the client, ping the server's internal IP address, or the address the OpenVPN server took for itself when it started (192.168.100.1 with the server directive above); a reply shows that the two ends are connected.
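The server and client files above repeat several "must match the server exactly" rules and a few security choices (tls-auth directions, the Blowfish default, duplicate-cn, ns-cert-type, which files the client receives). As an added example, not part of the original post, the Python script below encodes those rules as a pre-deployment check for a server.ovpn / client.ovpn pair and lists which files a client bundle should not contain. The two embedded configs are constructed excerpts modelled on the page's files (with a placeholder hostname), and treating `remote-cert-tls server` as an acceptable alternative to `ns-cert-type server` reflects later OpenVPN releases rather than the 2.1.1 text above.

```python
from typing import List, Optional, Tuple

# Constructed excerpts modelled on the page's server.ovpn and client.ovpn.
SERVER_OVPN = """
port 1194
proto udp
dev tap
ca ca.crt
cert CdtsmServer.crt
key CdtsmServer.key   # This file should be kept secret
dh dh1024.pem
server 192.168.100.0 255.255.255.0
push "route 10.10.22.0 255.255.255.0"
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0     # This file is secret
;cipher BF-CBC        # Blowfish (default)
comp-lzo
max-clients 20
"""

CLIENT_OVPN = """
client
dev tap
proto udp
remote vpn.example.invalid 1194
nobind
ca ca.crt
cert CdtsmClient.crt
key CdtsmClient.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""

Directive = Tuple[str, List[str]]


def parse_ovpn(text: str) -> List[Directive]:
    """(directive, args) in file order; '#' and ';' introduce comments."""
    opts: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.replace('"', "").split()
        opts.append((parts[0], parts[1:]))
    return opts


def get(opts: List[Directive], name: str) -> Optional[List[str]]:
    """Args of the first `name`: [] if present without args, None if absent."""
    return next((args for key, args in opts if key == name), None)


# The page repeats that these must be set identically on both ends.
MUST_MATCH = ("dev", "proto", "cipher", "comp-lzo")
# Directives whose first argument is a file the process opens at startup.
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth")


def referenced_files(opts: List[Directive]) -> List[str]:
    """Every file the config actually opens; ca.key and *.csr are never among them."""
    return [args[0] for key, args in opts if key in FILE_DIRECTIVES and args]


def lint(server_text: str, client_text: str) -> List[str]:
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    findings: List[str] = []
    for name in MUST_MATCH:
        if get(s, name) != get(c, name):
            findings.append(f"{name}: server={get(s, name)} client={get(c, name)}; must be identical")
    sta, cta = get(s, "tls-auth"), get(c, "tls-auth")
    if (sta is None) != (cta is None):
        findings.append("tls-auth: configured on one side only; both ends need ta.key")
    elif sta is not None and cta is not None and (sta[1:], cta[1:]) != (["0"], ["1"]):
        findings.append("tls-auth: direction must be 0 on the server and 1 on the client")
    if get(s, "cipher") in (None, ["BF-CBC"]):
        findings.append("cipher: BF-CBC default (64-bit block); set 'cipher AES-128-CBC' on both sides")
    if get(s, "duplicate-cn") is not None:
        findings.append("duplicate-cn: clients share certificates, so no single user can be revoked")
    if get(c, "ns-cert-type") != ["server"] and get(c, "remote-cert-tls") != ["server"]:
        findings.append("client: no server-certificate check; any client certificate could impersonate the server")
    dh = get(s, "dh")
    if dh and "1024" in dh[0]:
        findings.append(f"dh: {dh[0]} suggests 1024-bit parameters; generate 2048-bit ones")
    return findings


def unneeded_files(config_text: str, bundle: List[str]) -> List[str]:
    """Files in `bundle` the config never references; ca.key appearing here means it must not ship."""
    needed = set(referenced_files(parse_ovpn(config_text)))
    return sorted(f for f in bundle if f not in needed)


if __name__ == "__main__":
    for finding in lint(SERVER_OVPN, CLIENT_OVPN):
        print("WARN", finding)
    bundle = ["ca.crt", "CdtsmClient.crt", "CdtsmClient.csr", "CdtsmClient.key", "ca.key", "ta.key"]
    print("do not copy to the client:", unneeded_files(CLIENT_OVPN, bundle))
```

Run against the page's own settings, the check passes the matching rules and reports only the two weak defaults (the Blowfish cipher and 1024-bit DH parameters); flipping the client to `dev tun` or `tls-auth ta.key 0` produces the mismatch findings a failed first connection would otherwise have to be debugged from the logs.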

Note: the OpenVPN server must have a public IP address, because the client connects to the server's public address. Also enable Internet Connection Sharing on the OpenVPN server's Local Area Connection (the original post shows this as a screenshot, not reproduced here) so that the server forwards the clients' traffic; only then does the client's OpenVPN connection actually reach anything. After enabling sharing, check that the TAP adapter still has the address OpenVPN assigned it, since Windows sharing sets the private-side adapter's address itself.
