Part 1: Download the OpenVPN installer from http://www.openvpn.se/download.html. I am on Windows, so I downloaded openvpn-2.0.9-gui-1.0.3-install.exe. Once downloaded, run the installer and click Next all the way through; it is a no-brainer install, so the details are omitted here.
After installation the easy-rsa folder is under C:\Program Files\OpenVPN\, and a new Local Area Connection appears in the system tray (bottom right of the desktop) on the OpenVPN server; rename it to OpenVPN.
(If no new connection appears after the install, double-click addtap.bat in C:\Program Files\OpenVPN\bin to add one manually.)
Initial configuration:
1: Edit vars.bat.sample in the easy-rsa directory (open it with WordPad) and rename it to vars.bat. Set the following values to your own (they were highlighted in the original):
set KEY_COUNTRY=CN
set KEY_PROVINCE=GD
set KEY_CITY=Shenzhen
set KEY_ORG=LFX
set KEY_EMAIL=jeason@outlook.com
2: Rename openssl.cnf.sample in easy-rsa to openssl.cnf. Then open a command prompt (Start - Run - type cmd). The lines starting with a prompt are what you type (red in the original); the lines after them are the program's feedback (blue in the original).
C:\Documents and Settings\ThinkPad>cd "\Program Files\OpenVPN\easy-rsa"
C:\Program Files\OpenVPN\easy-rsa>vars    (this step is required)
C:\Program Files\OpenVPN\easy-rsa>clean-all
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。
3: Generate the root CA:
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-ca
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...............................++++++
.......++++++
writing new private key to 'keys\ca.Key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:GD
Locality Name (eg, city)[SanFrancisco]:Shenzhen
Organization Name (eg, company) [OpenVPN]:LFX
Organizational Unit Name (eg, section) []:LFX
Common Name (eg, your name or your server's hostname) []:LFX
Email Address [mail@host.domain]:jeason@outlook.com
4: Generate dh1024.pem, a file the server needs in order to use TLS.
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-dh
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
5: Next, generate the server certificate, the client certificate and the TA key.
First, the certificate used by the server:
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-key-server LFXServer
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......++++++
............++++++
writing new private key to 'keys\CdtsmServer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:GD
Locality Name (eg, city) [SanFrancisco]:Shenzhen
Organization Name (eg, company) [OpenVPN]:LFX
Organizational Unit Name (eg, section) []:LFX
Common Name (eg, your name or your server's hostname) []:LFX
Email Address [mail@host.domain]:jeason@outlook.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:123456    (this can be left empty; it can be changed after installation and deployment are done)
An optional company name []:LFX
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'Shenzhen'
organizationName :PRINTABLE:'LFX'
organizationalUnitName:PRINTABLE:'LFX'
commonName :PRINTABLE:'LFX'
emailAddress :IA5STRING:'jeason@outlook.com'
Certificate is to be certified until Jul 25 04:11:08 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
That completes the server certificate.
6: Generate the client certificate:
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-key JeasonClient
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
......++++++
.............................++++++
writing new private key to 'keys\CdtsmClient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [CA]:GD
Locality Name (eg, city) [SanFrancisco]:Shenzhen
Organization Name (eg, company) [OpenVPN]:LFX
Organizational Unit Name (eg, section) []:LFX
Common Name (eg, your name or your server's hostname) []:JeasonClient
Email Address [mail@host.domain]:jeason@outlook.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:123456    (this can be left empty; it can be changed after deployment is done)
An optional company name []:LFX
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'Shenzhen'
organizationName :PRINTABLE:'LFX'
organizationalUnitName:PRINTABLE:'LFX'
commonName :PRINTABLE:'JeasonClient'
emailAddress :IA5STRING:'jeason@outlook.com'
Certificate is to be certified until Jul 25 04:13:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
That completes the client certificate.
Next, generate the ta.key file:
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.Key
At this point the root CA, client and server certificates and key files are all ready. What remains is to configure the server side and the client side.
Part 2: Deploy the OpenVPN server on the Tomato router
1. Basic VPN server settings
Tick the box next to "Enable OpenVPN on WAN"
Interface type: TAP
Protocol: TCP. Port: whatever you choose; the default is 1199
Firewall: Automatic
Authorization mode: TLS
Extra HMAC authorization: Disabled
Client address pool: tick DHCP
Note that this differs slightly from a standalone OpenVPN server: with DHCP ticked, clients can connect to the VPN server but their traffic does not go through the VPN; if you leave it unticked you must set the address range by hand, and then all client traffic goes through the VPN.
As shown in the figure (screenshot not reproduced here).
2. Advanced VPN server settings
Poll interval: 0
Direct clients to redirect Internet traffic: unchecked
Respond to DNS: unchecked
Encryption cipher: default
Compression: Adaptive
TLS renegotiation time: -1
Manage client-specific options: checked
Allow client-to-client access: checked
In the custom configuration box, enter the following:
script-security 2
push "redirect-gateway"
duplicate-cn
keepalive 10 120
As shown in the figure (screenshot not reproduced here).
3. VPN server key settings
Copy the certificates created earlier into the server, as follows:
Paste the contents of ca.crt into "Certificate Authority"
Paste the contents of server.crt into "Server Certificate"
Paste the contents of server.key into "Server Key"
Paste the contents of dh1024.pem into "Diffie Hellman parameters"
As shown in the figure (screenshot not reproduced here).
Save and start; the server side is now configured.
Part 3: Client configuration:
The client configuration file is also found in the C:\Program Files\OpenVPN\sample-config directory.
The configuration is as follows; the text after # on each line is a comment (shown as red-on-black text in the original):
client                          # run as a client
dev tap                         # must match the server: TAP
dev-node Openvpn                # name of your virtual network adapter; any name, but it must match the adapter
proto tcp                       # protocol type; must match the server
remote jeasonl.no-ip.org 1194   # remote address, a domain name or IP; 1194 is the server port and must match the server
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt                       # the CA certificate generated earlier
cert JeasonClient.crt           # the client certificate generated earlier
key JeasonClient.key            # the client certificate's private key generated earlier
ns-cert-type server
comp-lzo
verb 3
mute 20
--------------------------------------------------
Copy the configuration file client.ovpn into the C:\Program Files\OpenVPN\config directory on the client machine, and also copy Client.crt, Client.csr, Client.key, ca.key, ca.crt and ta.key from the server's C:\Program Files\OpenVPN\easy-rsa\keys directory into the client machine's C:\Program Files\OpenVPN\config directory (these files are generated on the server side; the client must obtain these seven files from the server).
That completes the client configuration. Start the connection!
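An added sanity check, not part of the original post: this Python script parses a client.ovpn, compares dev, proto and the remote port with the Tomato server settings used above (TAP, TCP, and the port you chose, assumed here to be 1194 from the remote line), confirms that each file the config references is present in the bundle with the expected PEM header, and flags ca.key, which is the CA's private signing key and is needed only on the machine that issues certificates. The file contents are constructed placeholders.

```python
import re

# Server settings as set on the Tomato router in the post: TAP, TCP, and the
# port you chose (assumed 1194 here, taken from the client's "remote" line).
SERVER = {"dev": "tap", "proto": "tcp", "port": "1194"}
# Expected PEM block label for each directive that names a file.
PEM_TYPE = {"ca": "CERTIFICATE", "cert": "CERTIFICATE",
            "key": "RSA PRIVATE KEY", "tls-auth": "OpenVPN Static key V1"}

def parse_ovpn(text):
    """Return {directive: [args]}, skipping blank lines and '#'/';' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def pem_type(data):
    m = re.match(r"-----BEGIN ([^-]+)-----", data.strip())
    return m.group(1) if m else None  # label of the first PEM block

def check_bundle(ovpn_text, files):
    """files maps filename -> contents. Returns a list of problems (empty = ok)."""
    conf, problems = parse_ovpn(ovpn_text), []
    for d in ("dev", "proto"):
        if conf.get(d, [None])[0] != SERVER[d]:
            problems.append(f"{d} must be {SERVER[d]} to match the server")
    remote = conf.get("remote", [])
    if len(remote) < 2 or remote[1] != SERVER["port"]:
        problems.append(f"remote port must be {SERVER['port']}")
    for d, want in PEM_TYPE.items():
        if d in conf:
            fname = conf[d][0]
            if fname not in files:
                problems.append(f"{fname} ({d}) is missing from the bundle")
            elif pem_type(files[fname]) != want:
                problems.append(f"{fname} is not a '{want}' PEM block")
    if "ca.key" in files:  # the CA signing key; only the CA machine needs it
        problems.append("ca.key must stay on the server, not go to clients")
    return problems

# Constructed sample: the post's client.ovpn and a bundle that also contains ca.key.
SAMPLE_OVPN = ("client\ndev tap\nproto tcp\nremote jeasonl.no-ip.org 1194\n"
               "ca ca.crt\ncert JeasonClient.crt\nkey JeasonClient.key\n")
SAMPLE_FILES = {"ca.crt": "-----BEGIN CERTIFICATE-----\n...",
                "JeasonClient.crt": "-----BEGIN CERTIFICATE-----\n...",
                "JeasonClient.key": "-----BEGIN RSA PRIVATE KEY-----\n...",
                "ca.key": "-----BEGIN RSA PRIVATE KEY-----\n..."}
```

Run check_bundle(SAMPLE_OVPN, SAMPLE_FILES) against the real files before copying them; an empty list means the bundle matches the server settings.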