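Download and install OpenVPN:

Download the OpenVPN installer with Flashget or any other method, then install it. Remember to select the easy-rsa component,
the set of bat scripts used to manage the CA.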

http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe

After installation, easy-rsa is located under C:\Program Files\OpenVPN\.

Now start the configuration:
Rename vars.bat.sample in the easy-rsa directory to vars.bat and edit its contents:
==================================
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=OpenVPN
set KEY_EMAIL=elm@elm.freetcp.com
==================================
The rest of the file does not need to be changed; replace the values above with your own settings.

Rename openssl.cnf.sample under easy-rsa to openssl.cnf.

Then open cmd.exe
=============================================
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd "\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
系统找不到指定的文件。
已复制         1 个文件。
已复制         1 个文件。

C:\Program Files\OpenVPN\easy-rsa>

Generate the Root CA
Usage: build-ca.bat
Output: keys/ca.crt keys/ca.key
======================================================================
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
……++++++
………++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:OpenVPN RootCA
Email Address [elm@elm.freetcp.com]:

C:\Program Files\OpenVPN\easy-rsa>

Generate the dh1024.pem file, which the server must have in order to use TLS.
Usage: build-dh.bat
Output: keys/dh1024.pem
============================================================================
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

C:\Program Files\OpenVPN\easy-rsa>

Now generate the certificate used by the server:
Usage: build-key-server.bat <filename>
Output: keys/<filename>.crt <filename>.csr <filename>.key
================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
…………….++++++
…..++++++
writing new private key to 'keys\server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:Server01
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'Server01'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now issue a certificate for the client:
Usage: build-key.bat <filename>
Output: keys/<filename>.crt keys/<filename>.csr keys/<filename>.key
===========================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
……………………………………………..++++++
……………………………………………++++++
writing new private key to 'keys\elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:ELM
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'ELM'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Next, generate the ta.key file
Usage: openvpn --genkey --secret keys/ta.key
Output: keys/ta.key
=========================================================================
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.key

C:\Program Files\OpenVPN\easy-rsa>

OK, the keys are all done. Now write the configuration files.
Contents of server01.ovpn:
----------------CUT Here-------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
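status openvpn-status.log
verb 3
--------------Cut Here-----------------
Put the configuration file in the C:\Program Files\OpenVPN\config\ directory.
Copy ca.crt server01.crt server01.key ta.key dh1024.pem from easy-rsa\keys\
to the directory that contains server01.ovpn.

The server configuration is finished and the server can be started: right-click OpenVPN-gui in the lower-right corner and select connected.
To have it run automatically after the server boots, open "Services" under "Administrative Tools" in the "Control Panel" and set OpenVPN to start automatically.

Client configuration file:
-------------Cut Here---------------------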
client
dev tap
proto udp

remote 61.1.1.2 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

ca ca.crt
cert elm.crt
key elm.key

ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
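verb 4
--------------Cut Here---------------------
Also put ca.crt elm.crt elm.key ta.key from easy-rsa/keys into the client's
<OPENVPN_HOME>\config directory.

The client configuration is finished and the client can connect to the server: right-click OpenVPN-gui in the lower-right corner and select connected.

OK, the whole configuration is complete.

To issue certificates to other users, only the following steps are needed:
Open cmd.exe

cd <OPENVPN_HOME>\easy-rsa
vars.bat
build-key.bat <filename>

Files the client needs:

client.ovpn (some settings need to be changed)
ca.crt
<filename>.crt
<filename>.key (<filename> is the file name, e.g. elm)
ta.key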
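
A check for the two configuration files and the file lists above, as an added example that is not part of the original guide: it parses a server/client config pair, reports settings that must agree (proto, dev, comp-lzo, tls-auth key direction), and compares a config directory listing with the files the config references, so a stray private key such as ca.key stands out. The function names are hypothetical, the sample configs are constructed from the ones on this page, and file names are assumed to contain no spaces.

```python
# Added example, not part of the original guide; function names are hypothetical.
# Assumption: file names in the configs contain no spaces.
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "crl-verify")
MUST_MATCH = ("proto", "dev", "comp-lzo")  # must be identical on both peers

def parse_config(text):
    """Return {directive: [args]}; '#' and ';' start comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            cfg[name] = args
    return cfg

def referenced_files(cfg):
    """Files the config expects to find in its own directory."""
    return sorted(cfg[d][0] for d in FILE_DIRECTIVES if cfg.get(d))

def key_direction(cfg):
    """Second argument of tls-auth ('0' or '1'), or None if absent."""
    return (cfg.get("tls-auth", []) + [None, None])[1]

def check_pair(server, client):
    """List settings that would stop the two peers from agreeing."""
    findings = [f"{d} differs between server and client"
                for d in MUST_MATCH if server.get(d) != client.get(d)]
    dirs = (key_direction(server), key_direction(client))
    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append("tls-auth enabled on only one side")
    elif dirs not in {("0", "1"), ("1", "0"), (None, None)}:
        findings.append("tls-auth key directions are not complementary")
    if server.get("key") and server.get("key") == client.get("key"):
        findings.append("client uses the server's private key file")
    return findings

def audit_bundle(cfg, present):
    """Return (missing files, private keys present but not referenced)."""
    needed = set(referenced_files(cfg))
    stray = sorted(f for f in present if f.endswith(".key") and f not in needed)
    return sorted(needed - set(present)), stray

# Constructed samples, trimmed from the two configs in this guide.
SERVER = parse_config("proto udp\ndev tap\nca ca.crt\ncert server01.crt\n"
                      "key server01.key # secret\ndh dh1024.pem\n"
                      "tls-auth ta.key 0 # secret\ncomp-lzo\n")
CLIENT = parse_config("client\ndev tap\nproto udp\nca ca.crt\ncert elm.crt\n"
                      "key elm.key\ntls-auth ta.key 1\ncomp-lzo\n")

if __name__ == "__main__":
    print(check_pair(SERVER, CLIENT))
    print(audit_bundle(CLIENT, ["ca.crt", "ca.key", "elm.crt", "elm.key", "ta.key"]))
```

ca.key and server01.key never belong in a client's config directory; only the four files listed above do.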