OpenVPN Windows GUI Client Installation and Configuration Guide


Installing, Configuring and Using the OpenVPN Server and Client

Configuring OpenVPN on Linux

Chapter 1  Installation environment

1.1 Server side
1. Red Hat, kernel 2.4.20-31.9, IP address 70.8.7.6.
2. The kernel must support the tun device and the iptables modules must be loadable. Check whether the tun module is present:
   modinfo tun
3. If there is no modinfo command, look for the module file in the kernel tree directly:
   find / -name tun.o
4. Check that the iptables service script exists:
   /etc/init.d/iptables

1.2 Client side
1. Operating system: Windows XP.
2. Client software: OpenVPN GUI for Windows 1.0.3, available from openvpn.se.
Note: the OpenVPN GUI for Windows release must match the OpenVPN server release. If the server runs OpenVPN 2.0.5, the package to download is openvpn-2.0.5-gui-1.0.3-install.exe.

Chapter 2  Installing OpenVPN on the server

2.1 Downloads
1. Download LZO (/opensource/lzo/download/) and extract it to lzo-2.04:
   wget /opensource/lzo/download/lzo-2.04.tar.gz
   tar zxvf lzo-2.04.tar.gz
2. Download OpenVPN (source downloads: /index.php/open-source/downloads.html) and extract it to openvpn-2.2-beta3 (the archive you fetch and the directory you work in must be the same release):
   wget /community/releases/openvpn-2.2-beta3.tar.gz
   tar zxvf openvpn-2.2-beta3.tar.gz

2.2 Supporting software
1. Install LZO:
   cd lzo-2.04
   ./configure
   make
   make check
   make install
2. Install OpenSSL:
   yum -y install openssl*

2.3 Build and install OpenVPN
   cd openvpn-2.2-beta3
   ./configure
   make
   make install
If configure does not find LZO or OpenSSL by itself, point it at them (one command, wrapped here for display):
   ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib \
       --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib

2.4 Generating the OpenVPN certificates and keys

2.4.1 Initialising the PKI
2.4.1.1 Prepare the certificate tools:
   mkdir /etc/openvpn/
   mkdir /etc/openvpn/tools
   cp easy-rsa/2.0/* /etc/openvpn/tools/
   cd /etc/openvpn/tools/
2.4.1.2 Initialise the PKI. The easy-rsa scripts take their settings from environment variables. Either edit vars and source it, or export the variables by hand (if your shell has no export command, use setenv NAME VALUE instead):
   cd /openvpn-2.0.5/easy-rsa/2.0
   export D=`pwd`
   export KEY_CONFIG=$D/openssl.cnf
   export KEY_DIR=$D/keys
   export KEY_SIZE=1024
   export KEY_COUNTRY=CN
   export KEY_PROVINCE=BJ
   export KEY_CITY=BJ
   export KEY_ORG="TSINGHUA"
   export KEY_EMAIL="liu-w@"
   export OPENSSL=/usr/bin/openssl
Or:
   (1) edit openssl.cnf and vars as needed
   (2) source ./vars
   (3) ./clean-all
Whichever copy of easy-rsa you use, run every script from that same directory, so that KEY_DIR always points at the one keys/ directory you initialised. KEY_SIZE=1024, and the 1024-bit DH parameters that go with it, was the easy-rsa default when this was written; for any new deployment use at least 2048.

2.4.2 Clear out all existing certificate files (the keys directory)
   source ./vars
   ./clean-all

2.4.3 Create the certificate authority (CA)
   ./build-ca
   Generating a 1024 bit RSA private key
   .....................++++++
   ...............................++++++
   writing new private key to 'ca.key'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [CN]:
   State or Province Name (full name) [BJ]:
   Locality Name (eg, city) [BJ]:
   Organization Name (eg, company) [TSINGHUA]:
   Organizational Unit Name (eg, section) []:
   Common Name (eg, your name or your server's hostname) [TSINGHUA CA]:
   Name []:
   Email Address [liu-w@]:
ca.key is the CA's private key. It signs every server and client certificate, never leaves this machine, and is not one of the files a client needs.

2.4.4 Create the server key
   ./build-key-server server
   Generating a 1024 bit RSA private key
   ............................++++++
   ..........................................................................++++++
   writing new private key to 'server.key'
   -----
   (the same DN prompts as for the CA; take the defaults)
   Common Name (eg, your name or your server's hostname) [server]:
   Name []:
   Email Address [liu-w@]:
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
   Using configuration from /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/openssl.cnf
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   countryName           :PRINTABLE:'CN'
   stateOrProvinceName   :PRINTABLE:'BJ'
   localityName          :PRINTABLE:'BJ'
   organizationName      :PRINTABLE:'TSINGHUA'
   commonName            :PRINTABLE:'server'
   emailAddress          :IA5STRING:'liu-w@'
   Certificate is to be certified until Nov 17 20:01:55 2020 GMT (3650 days)
   Sign the certificate? [y/n]:y
   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated

2.4.5 Generate a client key
2.4.5.1 Set the environment variables exactly as in 2.4.1.2 (export them by hand from the easy-rsa directory, here /root/.backup/easy-rsa/2.0, or edit openssl.cnf and source ./vars).
2.4.5.2 Generate the client key
   ./build-key client1
   Generating a 1024 bit RSA private key
   ................................++++++
   ...................................++++++
   writing new private key to 'client1.key'
   -----
   (the same prompts as for the server; the Common Name defaults to client1)
   Using configuration from /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/openssl.cnf
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   countryName           :PRINTABLE:'CN'
   stateOrProvinceName   :PRINTABLE:'BJ'
   localityName          :PRINTABLE:'BJ'
   organizationName      :PRINTABLE:'TSINGHUA'
   commonName            :PRINTABLE:'client1'
   emailAddress          :IA5STRING:'liu-w@'
   Certificate is to be certified until Nov 17 20:03:37 2020 GMT (3650 days)
   Sign the certificate? [y/n]:y
   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated

2.4.6 Generate a passphrase-protected client key
   ./build-key --pass test
   Generating a 1024 bit RSA private key
   ............++++++
   ...................................++++++
   writing new private key to 'test.key'
   Enter PEM pass phrase: XXXXXX
   Verifying - Enter PEM pass phrase: XXXXXX
   -----
   (the same prompts; the Common Name defaults to test)
   Using configuration from /root/.backup/easy-rsa/2.0/openssl.cnf
   Check that the request matches the signature
   Signature ok
   The Subject's Distinguished Name is as follows
   countryName           :PRINTABLE:'CN'
   stateOrProvinceName   :PRINTABLE:'BJ'
   localityName          :PRINTABLE:'BJ'
   organizationName      :PRINTABLE:'TSINGHUA'
   commonName            :PRINTABLE:'test'
   emailAddress          :IA5STRING:'liu-w@'
   Certificate is to be certified until Nov 18 03:06:44 2020 GMT (3650 days)
   Sign the certificate? [y/n]:y
   1 out of 1 certificate requests certified, commit? [y/n]y
   Write out database with 1 new entries
   Data Base Updated
The passphrase encrypts test.key on disk; the client prompts for it at connection time, so a copied key file on its own is not enough to connect.

2.4.7 Generate the other client keys
   ./build-key client2
   ./build-key client3
Note: at the prompt Common Name (eg, your name or your server's hostname) []: every certificate must be given a different name. The server identifies clients by Common Name, and with duplicate-cn left disabled (as in the server configuration below) a new connection with an already connected CN disconnects the existing session.

2.4.8 Generate the Diffie-Hellman parameters
Set the variables as in 2.4.1.2, then:
   ./build-dh
   Please source the vars script first (i.e. "source ./vars")
   Make sure you have edited it to reflect your configuration.
build-dh prints this whenever $KEY_DIR is not an existing directory or $KEY_SIZE is unset, so the usual cause is running it from a different directory than the one whose keys/ you initialised. Change into that easy-rsa directory, source ./vars (or re-export the variables) and run ./build-dh again; it writes keys/dh1024.pem for KEY_SIZE=1024. The direct equivalent is:
   openssl dhparam -out dh1024.pem 1024

2.5 Assemble the client's certificate directory
   mkdir client1
   mv -f client1* client1
   cp ca.crt client1
   touch client01.ovpn
   vim client01.ovpn
Copy only ca.crt, never ca.key: the client needs the CA certificate to verify the server, and the CA private key stays on the CA machine (anyone holding it can issue certificates your server will accept).

client01.ovpn:
   client
   dev tap
   proto tcp
   remote A.B.C.D 1194
   persist-key
   persist-tun
   ca ca.crt
   cert client1.crt
   key client1.key
   ns-cert-type server
   comp-lzo
   verb 3
   redirect-gateway def1
ns-cert-type server makes the client refuse any peer whose certificate lacks the server nsCertType that build-key-server sets, so another client's certificate cannot be used to impersonate the server. On OpenVPN 2.4 and later use remote-cert-tls server instead; ns-cert-type was removed in 2.5.

Chapter 3  Downloading the client certificates
Pack the files and fetch them to the local machine:
   tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
This packs the whole keys directory, including ca.key and server.key, which must never leave the server. Pack only the client1 directory prepared in 2.5 instead:
   tar -cf mykeys.tar client1
   cp mykeys.tar /home/dvdmastersys/public_html/mykeys.tar
Move mykeys.tar into the web directory (the absolute path depends on your setup), download it as /mykeys.tar, save it locally, and then delete it from the server:
   rm /home/dvdmastersys/public_html/mykeys.tar
Anything under public_html is readable by anyone who finds the URL for as long as it sits there; scp is the safer way to move the archive, and if you do use the web directory, remove the file the moment the download is done.

Chapter 4  Configuring OpenVPN on the server

4.1 Create /etc/openvpn
   mkdir /etc/openvpn

4.2 Copy the server certificates and configuration files to /etc/openvpn
   cd /root/openvpn/openvpn-2.2-beta3/sample-keys
   cp dh1024.pem /etc/openvpn/
   cd /root/openvpn/openvpn-2.2-beta3/sample-scripts
   cp openvpn.init /etc/init.d/openvpn
   cd /root/openvpn/openvpn-2.2-beta3/easy-rsa/2.0/keys
   cp * /etc/openvpn/
   # the sample-config-files subdirectory of the extracted source tree
   cd /root/openvpn/openvpn-2.2-beta3/sample-config-files/
   cp server.conf /etc/openvpn/server.conf
The dh1024.pem in sample-keys ships with the source and is shared by everyone who downloads it. DH parameters need not be secret, but a widely shared 1024-bit group is exactly what precomputation attacks target, so use the dh1024.pem that ./build-dh produced (the cp * from keys/ overwrites the sample copy once it exists). That cp * also copies every client key into /etc/openvpn; the server needs only ca.crt, server.crt, server.key and dh1024.pem, so copy those four instead.

4.3 Edit the server configuration
   vim /etc/openvpn/server.conf

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
local A.B.C.D

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun
;tun-ipv6

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /etc/openvpn/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "route 202.112.50.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# /faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"
push "dhcp-option DNS *.*.*.*"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /etc/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
log-append  /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Before using this file outside a test setup, revisit the lines left commented out: generate ta.key with openvpn --genkey --secret ta.key and enable tls-auth ta.key 0 (clients use 1) so that packets without the right HMAC are dropped before the TLS handshake; uncomment user nobody and group nobody so the daemon drops root after start-up (persist-key and persist-tun are already set so that this works across restarts); set an explicit cipher such as AES-128-CBC on both sides, because the unset default is Blowfish (BF-CBC), a 64-bit block cipher; keep duplicate-cn commented out; and add a crl-verify line pointing at a CRL so that a revoked client certificate is actually rejected. client-to-client lets every client reach every other client's tunnel address, which is convenient but means one compromised laptop can reach all the others.

4.4 Start the OpenVPN service
   cd /etc/init.d/
   chkconfig openvpn on
   service openvpn start

4.5 Create the client configuration files
4.5.1 Linux client
   cd $dir/sample-config-files/   # the sample-config-files subdirectory of the extracted source tree
   cp client.conf /etc/openvpn/client.conf
   vim /etc/openvpn/client.conf
   client
   ;dev tun
   ;tun-ipv6
   ;proto udp
   dev tap
   proto tcp
   remote A.B.C.D 1194
   persist-key
   persist-tun
   ca ca.crt
   cert client1.crt
   key client1.key
   ns-cert-type server
   comp-lzo
   verb 3
   redirect-gateway def1
4.5.2 Windows client
   vim client01.ovpn
The content is the client01.ovpn shown in 2.5: the same directives as the Linux client.conf above, without the commented-out lines.

Chapter 5  Configuring iptables on the server
iptables on the server is what forwards the clients' packets.

5.1 Enable routing
Once the VPN connection is up, routing still has to be set up before clients can reach the Internet through the VPN.
On the Linux host, add the NAT rule (A.B.C.D is the host's own public address):
   iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source A.B.C.D

The same rules written as an iptables rules file (the format iptables-restore and the iptables service read):
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source A.B.C.D
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i tap+ -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -d 127.0.0.1 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tap+ -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
#:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Read the filter table in order: -A INPUT -i eth0 -j ACCEPT and -A FORWARD -i eth0 -j ACCEPT match before anything jumps to RH-Firewall-1-INPUT, so for traffic arriving on the public interface the per-port rules and the final REJECT never run, and the host forwards whatever it is handed. An OpenVPN gateway only needs FORWARD to allow tun+/tap+ to eth0 (optionally limited to -s 10.8.0.0/24) plus ESTABLISHED,RELATED replies back, and INPUT on eth0 only needs 1194 and whatever you administer the box with. The :RH-Firewall-1-INPUT declaration is commented out above; it is only safe to leave it out because a stock Red Hat firewall already has that chain. If the chain does not exist, declare it in the *filter header before the rules that jump to it.

5.2 Save the rules
   /etc/init.d/iptables save

5.3 Restart iptables
   /etc/init.d/iptables restart

Notes

5.4 Enable IP forwarding
IP forwarding must be switched on. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward: that setting is lost at the next reboot. Check the current state first:
   sysctl -a | grep for
   # output:
   net.ipv4.conf.tun0.mc_forwarding = 0
   net.ipv4.conf.tun0.forwarding = 1
   net.ipv4.conf.eth0.mc_forwarding = 0
   net.ipv4.conf.eth0.forwarding = 1
   net.ipv4.conf.lo.mc_forwarding = 0
   net.ipv4.conf.lo.forwarding = 1
   net.ipv4.conf.default.mc_forwarding = 0
   net.ipv4.conf.default.forwarding = 1
   net.ipv4.conf.all.mc_forwarding = 0
   net.ipv4.conf.all.forwarding = 1
   net.ipv4.ip_forward = 1
If net.ipv4.ip_forward is not 1 on your host, set it:
   sysctl -w net.ipv4.ip_forward=1
Then make it permanent in /etc/sysctl.conf:
   vim /etc/sysctl.conf
   net.ipv4.ip_forward = 1
and apply the file:
   sysctl -p /etc/sysctl.conf

5.5 Run a name server
If you need to reach sites whose domain names are blocked by the GFW while your OpenVPN server itself is not blocked, run a name server on the host and push its address to the clients with dhcp-option DNS, so that their lookups go through the tunnel.
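The rules file above can be checked mechanically. The Python script below is an added example, not part of the page: it parses iptables-save output, confirms that the VPN pool is NATed on the way out and that port 1194 is accepted, and flags the blanket accepts on the public interface described above. AS_LISTED is constructed from the listing (with the SNAT address replaced by the documentation address 192.0.2.1); TIGHTENED is an assumed corrected rule set for the same gateway, not one taken from the page.

```python
"""Audit an iptables-save dump for an OpenVPN gateway (added example, not code from the page).

Checks what a redirect-gateway setup depends on: the VPN pool is NATed on the way out, the
OpenVPN port is reachable, and no blanket ACCEPT on the public interface makes later rules
dead code. AS_LISTED is constructed from the rules file above (SNAT address replaced by a
documentation address); TIGHTENED is the same gateway with default-deny policies."""
import ipaddress
import shlex

VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # from `server 10.8.0.0 255.255.255.0`
VPN_PORT = "1194"
WAN_IF = "eth0"
# Any of these on an ACCEPT rule narrows it; an ACCEPT carrying none of them is a blanket accept.
NARROWING = {"-s", "--source", "-d", "--destination", "-p", "--protocol", "-m", "--match",
             "--dport", "--sport", "--state", "-o", "--out-interface"}
AS_LISTED = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.0.2.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT
"""
TIGHTENED = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse_rule(tokens):
    """Tokens of an '-A CHAIN ...' line -> {'chain': CHAIN, 'args': {option: [values]}} ('!' prefixes a negated option)."""
    rule, i, neg = {"chain": tokens[1], "args": {}}, 2, ""
    while i < len(tokens):
        tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else "-"
        if tok == "!":
            neg = "!"
        elif tok.startswith("-"):
            value = None if nxt.startswith(("-", "!")) else nxt   # option value, if it has one
            if value is not None:
                i += 1
            rule["args"].setdefault(neg + tok, []).append(value)
            neg = ""
        i += 1
    return rule

def parse_dump(text):
    """iptables-save text -> {table: {'policy': {chain: policy}, 'rules': [rule, ...]}}"""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(shlex.split(line)))
    return tables

def opt(rule, *names):
    return next((rule["args"][n][0] for n in names if n in rule["args"]), None)

def audit(text):
    tables = parse_dump(text)
    nat = tables.get("nat", {"rules": []})["rules"]
    flt = tables.get("filter", {"policy": {}, "rules": []})
    jump = lambda r: opt(r, "-j", "--jump")
    findings = []
    nat_ok = any(r["chain"] == "POSTROUTING" and jump(r) in ("MASQUERADE", "SNAT") and (
        opt(r, "-s", "--source") is None or
        VPN_POOL.subnet_of(ipaddress.ip_network(opt(r, "-s", "--source"), strict=False))) for r in nat)
    if not nat_ok:
        findings.append(("HIGH", "no-nat", "no POSTROUTING MASQUERADE/SNAT covers %s" % VPN_POOL))
    protos = sorted({opt(r, "-p", "--protocol") for r in flt["rules"] if r["chain"] == "INPUT"
                     and jump(r) == "ACCEPT" and opt(r, "--dport", "--destination-port") == VPN_PORT} - {None})
    if not protos:
        findings.append(("HIGH", "vpn-port-closed", "no INPUT rule accepts port " + VPN_PORT))
    for chain in ("INPUT", "FORWARD"):
        if flt["policy"].get(chain) == "ACCEPT":
            findings.append(("MEDIUM", "default-accept:" + chain, chain + " policy is ACCEPT"))
    for r in flt["rules"]:
        iface = opt(r, "-i", "--in-interface")
        if (r["chain"] in ("INPUT", "FORWARD") and jump(r) == "ACCEPT" and iface != "lo"
                and not NARROWING & {k.lstrip("!") for k in r["args"]}):
            findings.append(("HIGH" if iface in (WAN_IF, None) else "INFO", "blanket-accept:%s:%s" % (r["chain"], iface),
                             "%s accepts everything entering on %s; rules after it never match" % (r["chain"], iface)))
    return {"nat_ok": nat_ok, "vpn_port_protos": protos, "findings": findings}
```

Feed it the output of iptables-save from the gateway (audit(open("rules").read())) and compare the findings against the TIGHTENED set, which produces none. The parser keeps negated matches apart from positive ones, so a rule such as ! -s 10.8.0.0/24 is not mistaken for one that NATs the pool.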


OpenVPN Client Installation Manual

VPN Installation and Usage Guide
Department: IT Service Centre, Technology Division
Version history

Contents
1. VPN installation
2. OpenVPN version notes
3. Using the VPN

1. VPN installation
1) Double-click the VPN installer to start it, then click Next.
2) Click "I Agree".
3) Click "Next".
4) Click "Install".
5) Click "Next".
6) Click "Finish". The installation is complete; close the readme file.
7) A normal user account (one without administrator rights) must be added to the "Network Configuration Operators" group. Accounts with administrator rights do not need to be added to this group.
8) After installation, grant the User account write permission on the log folder inside the OpenVPN program directory (by default C:\Program Files\OpenVPN\log).

Installation notes:
1. About the package. The local administrator account and password for each region are bundled into the installer, so it can be run directly under a normal user account and steps 1-8 complete without any user intervention. Note that a local administrator password bundled into a package every user receives can be read by anyone who unpacks the installer, and it is then shared across every machine in the region; a software-deployment tool that runs under its own privileged account avoids handing the credential out.
2. When the package is run as a normal user (User rights):
A. If the region's local administrator credentials are contained in the install script, steps 1-8 run automatically without user intervention.
B. If the region's local administrator password has changed, or is not included in the package, the installer prompts for an administrator user name and password.
C. If the administrator user name or password entered is wrong, the installer exits.
D. If the installer still will not run with the correct administrator password, log in to the administrator account manually and run it from there.
3. When the automated package is run under the administrator account, it prompts for a user account to add to the "Network Configuration Operators" group once the VPN installation is complete. Domain users enter "sf\<domain account>"; users not joined to the domain enter their local login account.

OpenVPN Installation and Configuration Notes

OpenVPN installation and configuration notes, using the system's own accounts and keys. Steps 1-10 below set up login with keys created for OpenVPN users; steps 10-15 set up login with the system's own user accounts.

1. Install LZO (a compression codec with a high ratio and very fast decompression)
   # tar zxvf lzo-2.03.tar.gz
   # cd lzo-2.03
   # ./configure --prefix=/usr/local/lzo
   # make && make install

2. Install OpenVPN
   # tar zxvf openvpn-2.0.9.tar.gz
   # cd openvpn-2.0.9
   # ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib
   # make && make install

3. Generate the certificates and keys
   # cd /root/openvpn-2.0.9/easy-rsa
   # vi vars      # contents:
   export D=`pwd`
   export KEY_CONFIG=$D/openssl.cnf
   export KEY_DIR=$D/keys
   echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
   export KEY_SIZE=1024
   export KEY_COUNTRY=CN
   export KEY_PROVINCE=BJ
   export KEY_CITY=BJ
   export KEY_ORG="OpenVPN-TEST"
   export KEY_EMAIL=luxinjun@
   # chmod a+x vars
   # source ./vars   # if this is skipped, or does not take effect, every variable in the block below has to be exported by hand
   # ./clean-all     # this step complained that the variables from vars were not set, so the exports were repeated; if source ./vars worked, skip the export block
   # export D=`pwd`
   # export KEY_CONFIG=$D/openssl.cnf
   # export KEY_DIR=$D/keys
   # export KEY_SIZE=1024
   # export KEY_COUNTRY=CN
   # export KEY_PROVINCE=BJ
   # export KEY_CITY=BJ
   # export KEY_ORG="OpenVPN-TEST"
   # export KEY_EMAIL=luxinjun@
   # ./clean-all
   # ./build-ca
   # ./build-key-server server
   # ./build-dh

4. Create the configuration file
   # mkdir /usr/local/openvpn/etc
   # cp openvpn-2.0.9/sample-config-files/server.conf /usr/local/openvpn/etc/
   # vi /usr/local/openvpn/etc/server.conf
The directives in the file, shown with blank and comment lines removed:
   [root@oracle etc]# cat server.conf | grep -v ^$ | grep -v ^# | sed 's/^;//'
   local a.b.c.d
   port 1194
   proto tcp
   proto udp
   dev tap
   dev tun
   dev-node MyTap
   ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
   cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
   key /root/openvpn-2.0.9/easy-rsa/keys/server.key
   dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
   server 10.8.0.0 255.255.255.0
   ifconfig-pool-persist ipp.txt
   server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
   push "route 192.168.10.0 255.255.255.0"
   push "route 192.168.20.0 255.255.255.0"
   client-config-dir ccd
   route 192.168.40.128 255.255.255.248
   client-config-dir ccd
   route 10.9.0.0 255.255.255.252
   learn-address ./script
   push "redirect-gateway"
   push "dhcp-option DNS 202.106.0.20"
   push "dhcp-option WINS 10.8.0.1"
   plugin /usr/local/openvpn/openvpn-auth-pam.so openvpn
   client-cert-not-required
   username-as-common-name
   duplicate-cn
   keepalive 10 120
   tls-auth ta.key 0 # This file is secret
   cipher BF-CBC # Blowfish (default)
   cipher AES-128-CBC # AES
   cipher DES-EDE3-CBC # Triple-DES
   comp-lzo
   max-clients 100
   user nobody
   group nobody
   persist-key
   persist-tun
   status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
   log openvpn.log
   log-append openvpn.log
   verb 3
   mute 20
The sed strips the leading ';' from lines that are commented out in the file, so this listing shows the disabled alternatives as if they were active: two proto lines, two dev lines, server together with server-bridge (which OpenVPN refuses to combine), three cipher lines, both log and log-append, and so on. The file itself keeps one of each. The lines that define this "system accounts" mode are plugin (PAM authentication against the openvpn service), client-cert-not-required and username-as-common-name, which make the server accept any client that passes a PAM password check whether or not it presents a certificate, and duplicate-cn, which lets several sessions share one name. The password is then the only thing between an attacker and the tunnel, so tls-auth and strong PAM passwords matter more here than in the key-based setup of step 7, which is the stronger choice where it is practical. Note also that the ca/cert/key/dh paths point into the easy-rsa keys directory, while step 5 copies those files to /usr/local/openvpn/etc/keys; change the paths if the copies are the ones meant to be used.

5. Put the server key files under the installation directory
   # mkdir /usr/local/openvpn/etc/keys
   # cd /root/openvpn-2.0.9/easy-rsa/keys
   # cp ca.crt server.crt server.key dh1024.pem /usr/local/openvpn/etc/keys/

6. Start it and see whether it comes up
   # /usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/server.conf
If the process is running and port 1194 is open, it works.

7. Deploying a client that connects with a key
   # cd /root/openvpn-2.0.9/easy-rsa/
   # ./build-key luxinjun    # the same procedure as build-key-server server in step 3
After the client files for the user luxinjun have been produced, download them to the local Windows computer. The files needed are ca.crt, luxinjun.crt and luxinjun.key. Do not copy ca.key to a client: it is the CA's private key and anyone holding it can issue certificates the server trusts. luxinjun.csr is the signing request and is not needed on the client either.

8. Download the client configuration file client.conf, rename it client.ovpn on the Windows client, and give it this content:
   client
   dev tun
   proto udp
   remote 172.16.142.128 1194
   resolv-retry infinite
   nobind
   persist-key
   persist-tun
   ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
   cert "C:\\Program Files\\OpenVPN\\config\\luxinjun.crt"
   key "C:\\Program Files\\OpenVPN\\config\\luxinjun.key"
   comp-lzo
   verb 3
   #route-method exe   # if the GUI log shows "ROUTE: route addition failed ... At least one parameter is incorrect", enable these two lines
   #route-delay 2
This file has no ns-cert-type server (or, on newer releases, remote-cert-tls server) line, so the client would accept any certificate signed by the CA, another client's included, as the server; add one.

9. Installing the dial-up client
Installer: openvpn-2.0.9-gui-1.0.3-install.exe. After installation, put the files downloaded above into C:\Program Files\OpenVPN\config, and connect from the OpenVPN GUI tray icon.
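Both server listings on this page, the one just above and the server.conf in the first tutorial, and their client files can be checked with the following Python script. It is an added example, not code from the page or from the OpenVPN project. The three embedded configs are constructed: SERVER_AS_LISTED reproduces the effect of the sed command above (every ';' alternative enabled), SERVER_TIGHTENED is an assumed corrected version of the same server, and CLIENT_AS_LISTED is the client01.ovpn from the first tutorial. The severity labels and messages are the editor's, based on the OpenVPN project's own recommendations (tls-auth, privilege drop, an AES cipher instead of the Blowfish default, no compression, remote-cert-tls on clients).

```python
"""Lint an OpenVPN 2.x config for the weak settings discussed above (added example; not code
from the page or the OpenVPN project). Comments are cut where OpenVPN cuts them, at any token
starting with '#' or ';', so the one parser reads a server.conf and a client .ovpn alike."""
import shlex

SINGLE_VALUED = ("proto", "dev", "server", "server-bridge", "cipher")
WEAK_CIPHERS = ("BF-CBC", "DES-EDE3-CBC", "DES-CBC")  # 64-bit block ciphers

# Constructed inputs: the `sed 's/^;//'` listing above with every alternative "enabled",
# a tightened version of the same server, and the client01.ovpn from the first tutorial.
SERVER_AS_LISTED = """\
proto tcp
proto udp
dev tap
dev tun
key /root/openvpn-2.0.9/easy-rsa/keys/server.key  # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
plugin /usr/local/openvpn/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
duplicate-cn
tls-auth ta.key 0
cipher BF-CBC
cipher AES-128-CBC
comp-lzo
user nobody
group nobody
"""
SERVER_TIGHTENED = """\
proto udp
dev tun
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
crl-verify /etc/openvpn/crl.pem
server 10.8.0.0 255.255.255.0
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
"""
CLIENT_AS_LISTED = """\
client
dev tap
remote A.B.C.D 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
"""

def parse_config(text):
    """'key server.key # secret' -> ('key', ['server.key']); returns [(directive, [args]), ...]"""
    directives = []
    for raw in text.splitlines():
        lexer = shlex.shlex(raw, posix=True)
        lexer.whitespace_split = True   # split on whitespace only; quotes group arguments
        lexer.commenters = "#;"
        tokens = list(lexer)
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives

def lint(text, role):
    """role is 'server' or 'client'; returns [(severity, key, message), ...]"""
    conf = parse_config(text)
    names = [n for n, _ in conf]
    args = lambda name: [a for n, a in conf if n == name]
    has = lambda *alts: any(a in names for a in alts)
    ciphers = [a[0].upper() for a in args("cipher") if a]
    checks = [(names.count(n) > 1, "ERROR", "repeated:" + n, n + " given more than once; keep one")
              for n in SINGLE_VALUED]
    checks += [
        (has("comp-lzo", "compress"), "LOW", "compression", "compressed tunnel data enables VORACLE-style plaintext recovery"),
        (not ciphers or any(c in WEAK_CIPHERS for c in ciphers), "MEDIUM", "weak-cipher",
         "64-bit block cipher (BF-CBC is the pre-2.4 default); set an AES cipher on both ends"),
    ]
    if role == "server":
        checks += [
            (has("server") and has("server-bridge"), "ERROR", "server-and-server-bridge", "OpenVPN refuses to combine these"),
            (has("duplicate-cn"), "HIGH", "duplicate-cn", "one certificate can be shared by many concurrent clients"),
            (has("client-cert-not-required") or ["none"] in args("verify-client-cert"), "HIGH",
             "client-cert-not-required", "no client certificate required; the password is the only factor"),
            (not has("tls-auth", "tls-crypt"), "MEDIUM", "no-tls-auth", "control channel not HMAC-protected; add tls-auth ta.key 0"),
            (not (has("user") and has("group")), "MEDIUM", "runs-as-root", "daemon keeps root; add user nobody / group nobody"),
            (not has("crl-verify"), "LOW", "no-crl-verify", "revoked client certificates are still accepted"),
            (any("1024" in a[0] for a in args("dh") if a), "LOW", "dh-1024", "1024-bit DH parameters; use 2048 or more"),
            (has("client-to-client"), "INFO", "client-to-client", "clients can reach each other's tunnel addresses"),
        ]
    else:
        checks += [
            (not has("remote-cert-tls", "ns-cert-type"), "HIGH", "no-server-cert-check",
             "any certificate from the CA, another client's included, is accepted as the server"),
            (has("ns-cert-type"), "INFO", "ns-cert-type-deprecated", "removed in OpenVPN 2.5; use remote-cert-tls server"),
        ]
    return [(sev, key, msg) for cond, sev, key, msg in checks if cond]
```

Call lint(open("server.conf").read(), "server") or lint(text, "client"); the tightened server produces no findings, the listing above produces the ERROR/HIGH set described in the prose, and the client01.ovpn is flagged only for compression, the unset cipher and the deprecated ns-cert-type line.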

OpenVPN Server and Client Configuration Files Explained (complete edition)

OpenVPN server and client configuration files explained

# Declare the local IP address to use; this may be left out
;local a.b.c.d
# Declare the port; the default is 1194
port 1194
# Declare the protocol; UDP is the default. If you go through an HTTP proxy you must use TCP
;proto tcp
proto udp
# Declare the device, tap or tun. tap is a layer-2 device and carries link-layer protocols;
# tun is an IP-layer point-to-point device with a few more restrictions. I prefer the TAP device
dev tap
;dev tun
# The root CA OpenVPN uses, generated with build-ca; it is what decides whether a client's certificate is legitimate
ca ca.crt
# The certificate the server uses
cert server.crt
# The private key belonging to the server certificate; watch the file permissions so it cannot be stolen
key server.key  # This file should be kept secret
# The CRL: the list of revoked certificates. A client presenting one of these can no longer log in
crl-verify vpncrl.pem
# The Diffie-Hellman parameter file generated earlier
dh dh1024.pem
# The next directive is a bundle of options; long-time OpenVPN users will know where it comes from.
# It is equivalent to:
#   mode server                        # OpenVPN runs in server mode and accepts many clients connecting dynamically
#   tls-server                         # TLS-encrypted transport; this end is the server, the client side is tls-client
#   # if dev tun:                      # with a tun device, equivalent to the following
#   ifconfig 10.8.0.1 10.8.0.2         # address of the local tun device (local and remote endpoint)
#   ifconfig-pool 10.8.0.4 10.8.0.251  # the address pool handed out to clients: first and last address
#   route 10.8.0.0 255.255.255.0       # add a static route; the next hop is omitted and defaults to the peer address, here 10.8.0.2
#   # if client-to-client:             # when the client-to-client option is set
#   push "route 10.8.

Installing OpenVPN on FreeBSD 8 and the OpenVPN GUI on Windows

Server operating system: 64-bit FreeBSD 8.0-RELEASE, IP 192.168.4.46

Introduction: OpenVPN is an open-source tool for building encrypted tunnels. It is based on OpenSSL's SSL/TLS protocols and sets up point-to-point SSL VPN connections across the Internet.
Its advantages are security, ease of use and stability; authentication is flexible, and it has the full feature set of an SSL VPN solution.
OpenVPN runs on Linux, Unix, Mac OS and Windows.
OpenVPN offers two kinds of virtual network interface, TUN and TAP, for IP tunnelling and Ethernet bridging respectively.
On Linux/Unix these virtual devices need the corresponding kernel module.
RHEL 5 and FreeBSD 8 ship with the TUN module already built, so it can be used directly.
The current stable release on OpenVPN's official site is OpenVPN 2.0.9; to use it on FreeBSD 8 I built it from source.

1. Preparation
OpenVPN is built on OpenSSL, so OpenSSL must be installed; on FreeBSD 8 use the port:
   cd /usr/ports/security/openssl && make install clean
Install bash: FreeBSD 8 uses csh by default; for convenience switch to bash:
   cd /usr/ports/shells/bash && make install clean
   chsh -s /usr/local/bin/bash

2. Installing and configuring the server
   cd /usr/local/src
1) Download and install LZO, which compresses the tunnel traffic to speed up transfers:
   wget /opensource/lzo/download/lzo-2.03.tar.gz
   tar zxvf lzo-2.03.tar.gz
   cd lzo-2.03
   ./configure --prefix=/usr && make && make install
2) Download and install OpenVPN:
   wget /release/openvpn-2.0.9.tar.gz
   tar zxvf openvpn-2.0.9.tar.gz
   cd openvpn-2.0.9
   ./configure --with-lzo-lib=/usr && make && make install

Configuring the OpenVPN server
1) Create the CA. The OpenVPN source tree contains an easy-rsa/2.0 directory; go there and edit the last part of the vars file:
   vim /usr/local/src/openvpn-2.0.9/easy-rsa/2.0/vars
   export KEY_COUNTRY="CN"
   export KEY_PROVINCE="WH"
   export KEY_CITY="wuhan"
   export KEY_ORG="PKU"
   export KEY_EMAIL="andrew.yu@"
Save and exit, then run:
   source vars
   NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.0.9/easy-rsa/2.0/keys
   bash clean-all
   bash build-ca
You are then prompted for a series of values; most default to what is in vars, and only "Organizational Unit Name" needs to be typed in (I used superbiizmis). The screenshot below was taken earlier on RHEL 5.2.
2) Generate the server certificate and key:
   bash build-key-server server
As in the previous step, only "Organizational Unit Name" needs to be entered, and it can be left empty to take all the defaults.

OpenVPN Client Tutorial

Contents
1. Client installation
1.1 Installing on Windows XP
1.2 Installing on Windows 7
2. Configuration and use
3. Reporting problems

1. Client installation
1.1 Installing on Windows XP
1) Double-click the installer openvpn-2.1.1-gui-1.0.3-install-cn.exe, click Next and accept the licence agreement.
2) On the component selection page keep the default components; it is recommended to untick the "auto-start" option, as shown below.
3) Click Next, choose the installation path, confirm, and click Install.
4) The installation finishes.

1.2 Installing on Windows 7
1) Right-click the installer openvpn-2.1.1-gui-1.0.3-install-cn.exe and choose "Run as administrator"; if a User Account Control dialog appears, click OK.
2) On the component selection page keep the default components; it is recommended to untick the "auto-start" option, as shown below.
3) Click Next, choose the installation path, confirm, and click Install.
4) If a driver installation confirmation appears during the installation, click OK and continue.
At this point the software is installed.

2. Configuration and use
1) Extract the whole keys attachment you were given into the config folder under the OpenVPN installation path (by default C:\Program Files\OpenVPN\config).
2) Edit client.ovpn and find the cert and key lines:
   cert admin.crt
   key admin.key
Change the file names to the key and crt files you were given, for example:
   cert lipan.crt
   key lipan.key
If the file cannot be saved, follow the figure below: open the file's properties, grant your account the permissions (tick all the Allow boxes), click OK, and then edit and save again.

OpenVPN Setup and Configuration (complete), selected excerpt

Now networks b, c and d can reach every machine on network a.

The VPN server reaching the computers on the VPN clients' subnets. Add the following lines to server.conf:
   route 192.168.11.0 255.255.255.0   # lets the VPN server reach the computers in room b
   route 192.168.12.0 255.255.255.0   # lets the VPN server reach the computers in room c
   route 192.168.13.0 255.255.255.0   # lets the VPN server reach the computers in room d
Add the following line to /etc/openvpn/ccd/client1 on the VPN server:
   iroute 192.168.11.0 255.255.255.0   # room b's computers are routed via client1
Add the following line to /etc/openvpn/ccd/client2 on the VPN server:
   iroute 192.168.12.0 255.255.255.0   # room c's computers are routed via client2
Add the following line to /etc/openvpn/ccd/client3 on the VPN server:
   iroute 192.168.13.0 255.255.255.0   # room d's computers are routed via client3
Now the computers on network a can reach every computer on networks b, c and d, and the computers in rooms b, c and d can reach the computers in room a. (route tells the server's kernel to send the subnet into the tunnel; iroute in the client's ccd file tells OpenVPN which client the subnet sits behind; both are needed, and client-config-dir ccd must be set for the ccd files to be read.)

3. Letting the VPN clients' subnets reach each other
Add the following lines to server.conf:
   client-to-client
   push "route 192.168.11.0 255.255.255.0"
   push "route 192.168.12.0 255.255.255.0"
   push "route 192.168.13.0 255.255.255.0"

Common questions
1. How to add a VPN client certificate
Copyright © 2009, Boobooke. All rights reserved.
Configuring OpenVPN
(1) Initialise the PKI and create the CA
   [root@CentOS 2.0]# source ./vars
   [root@CentOS 2.0]# ./clean-all
   [root@CentOS 2.0]# ./build-ca
(2) Create the server key
   [root@CentOS 2.0]# ./build-key-server server
(3) Generate the client key
   [root@CentOS 2.0]# ./build-key client1
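Both easy-rsa sequences on this page (section 2.4 of the first tutorial and the CentOS commands just above) leave their record in keys/index.txt, OpenSSL's CA database. The Python script below is an added example, not code from the page or from easy-rsa. It reads that file and reports which Common Names currently hold more than one valid certificate (a server without duplicate-cn accepts either, and a second session with the same name disconnects the first), plus what is revoked or expired. SAMPLE_INDEX is a constructed database modelled on the certificates generated in the tutorial, not a real one, and AS_OF is an assumed "today".

```python
"""Audit an easy-rsa 2.x CA database (keys/index.txt).

Added example; not code from the page or from easy-rsa. OpenSSL's `ca` tool
records every certificate it has signed in index.txt, one tab-separated line:
status (V valid / R revoked / E expired), expiry, revocation date, serial,
file name, subject DN. easy-rsa's clean-all sets unique_subject = no, so
re-running build-key for an existing name silently yields a second valid
certificate with the same Common Name; this script finds such duplicates.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the layout the page's PKI would produce (server, client1,
# test, a revoked client2, and client1 issued a second time). Not a real database.
SAMPLE_INDEX = (
    "V\t201117200155Z\t\t01\tunknown\t/C=CN/ST=BJ/L=BJ/O=TSINGHUA/CN=server\n"
    "V\t201117200337Z\t\t02\tunknown\t/C=CN/ST=BJ/L=BJ/O=TSINGHUA/CN=client1\n"
    "V\t201118030644Z\t\t03\tunknown\t/C=CN/ST=BJ/L=BJ/O=TSINGHUA/CN=test\n"
    "R\t201118031000Z\t110601120000Z\t04\tunknown\t/C=CN/ST=BJ/L=BJ/O=TSINGHUA/CN=client2\n"
    "V\t210301090000Z\t\t05\tunknown\t/C=CN/ST=BJ/L=BJ/O=TSINGHUA/CN=client1\n"
)
# Assumed "today" for the sample report, so that the result is reproducible.
AS_OF = datetime(2015, 1, 1, tzinfo=timezone.utc)


def parse_time(stamp):
    """index.txt uses ASN.1 UTCTime (YYMMDDHHMMSSZ); GeneralizedTime
    (YYYYMMDDHHMMSSZ) only appears for dates in 2050 or later."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_dn(dn):
    """'/C=CN/ST=BJ/CN=client1' -> {'C': 'CN', 'ST': 'BJ', 'CN': 'client1'}"""
    pairs = (part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)
    return {k: v for k, v in pairs}


def parse_index(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, dn = fields
        entries.append({
            "status": status,
            "expires": parse_time(expiry),
            "revoked_at": parse_time(revoked) if revoked else None,
            "serial": serial,
            "cn": parse_dn(dn).get("CN", ""),
        })
    return entries


def audit(text, now):
    """Classify every certificate and list Common Names with more than one
    currently valid certificate (the server would accept either of them)."""
    entries = parse_index(text)
    valid = [e for e in entries if e["status"] == "V" and e["expires"] > now]
    serials_by_cn = defaultdict(list)
    for e in valid:
        serials_by_cn[e["cn"]].append(e["serial"])
    return {
        "valid": sorted(e["cn"] for e in valid),
        "revoked": sorted(e["cn"] for e in entries if e["status"] == "R"),
        "expired": sorted(e["cn"] for e in entries
                          if e["status"] in ("V", "E") and e["expires"] <= now),
        "duplicate_cn": {cn: s for cn, s in serials_by_cn.items() if len(s) > 1},
    }


def audit_sample():
    return audit(SAMPLE_INDEX, AS_OF)


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print("%-13s %s" % (key + ":", value))
```

Run it against a real database with audit(open("keys/index.txt").read(), datetime.now(timezone.utc)). A revoked entry only stops a client if the server has crl-verify pointing at a CRL regenerated after the revocation; without that line the "revoked" list is bookkeeping only.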

OpenVPN Windows GUI Client Installation and Configuration Guide
Overview

What is OpenVPN
VPN literally means a virtual private channel: a tunnel for secure data transfer between companies, or between an individual and a company. OpenVPN is without doubt the pioneer among open-source VPNs on Linux, and offers good performance and a friendly GUI.
OpenVPN lets the endpoints of a VPN authenticate each other with a pre-shared key, third-party certificates, or a user name and password.
It makes heavy use of the OpenSSL library and of the SSLv3/TLSv1 protocols.
OpenVPN runs on Linux, the BSDs, Mac OS X and Windows 2000/XP.
It is not a web-based VPN product, and it is not compatible with IPsec or other VPN packages.
Our OpenVPN is installed on CentOS and uses SSL/TLS encryption (not IPsec, with which it is incompatible) to provide access to the company's internal network from the Internet, so that the company's internal applications can be used from outside, in support of the company's information systems.

2. Installation
1. Windows client download
Download from the address below:
http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
2. Before installing
Windows 7 users: after downloading, right-click the file, open Properties, set the compatibility mode to Windows XP SP3, and run it as administrator.

3. Run the installer
After installation the icons shown below are created; when the icon appears in the system tray at the bottom right of the desktop, the installation succeeded.

4. Configuration
a) Importing the keys and the configuration file
Use the default installation. Put the *.ovpn, *.key, *.crt and ca.crt files sent through the company e-mail system into C:\Program Files\OpenVPN\config\ (if you installed elsewhere, use the actual path). Do not leave them in a nested folder after unzipping; the directory should look like the listing below.
That completes the OpenVPN GUI client installation.
b) Disabling automatic start
Once the OpenVPN GUI client is running it keeps trying to connect to the server, so set the service to manual start according to your operating system.
Windows XP: open Control Panel, Administrative Tools, Services, select the OpenVPN Service and change its startup type to Manual, as shown below.
c) Internet access from the client
For work, the client may need to browse the Internet while connected to the internal network. Windows users: run ipconfig to find the IP address and gateway of the existing network adapter, then edit C:\Program Files\OpenVPN\config\*.ovpn and add
   route add 0.0.0.0 mask 0.0.0.0 <the gateway you noted>
so that both can be used at the same time. This is the syntax of the Windows route command; the OpenVPN directive for the same route is route 0.0.0.0 0.0.0.0 <gateway>, and if the server does not push redirect-gateway, the client keeps its own default route and needs neither.
Once the OpenVPN GUI client is closed the original network settings are restored, and other network use is unaffected.
d) Vista and Windows 7
Because Windows 7's security management is stricter, install and run in Windows XP compatibility mode.
Install and run as administrator.
Add to the last line of the configuration file (C:\Program Files\OpenVPN\config\*.ovpn):
   route-method exe
   route-delay 2
Without these the routes are not added correctly and the log shows messages like:
   ROUTE: route addition failed using CreateIpForwardEntry: At least one parameter is incorrect.
   Route addition via IPAPI failed
The same fix applies to Vista.
Windows 7 and Vista users also need to go to the bin folder under the installation directory, as shown below, and set every exe file in it to run as administrator, as detailed below.
e) The *.ovpn file explained
The key files and the configuration file are generated on the server by the system administrator and sent to each colleague through company e-mail. To keep the company's internal information systems secure, keep your key confidential.
client.ovpn is the client configuration file. It has been sent by e-mail; if there is a problem, compare yours against this one. Its content is below (open it with WordPad to preserve the format):
   client
   dev tun
   proto tcp
   remote 60.208.80.169 1194
   resolv-retry infinite
   nobind
   persist-key
   persist-tun
   ca ca.crt
   cert test1.crt       # put the file name you received by e-mail here
   key test1.key        # put the file name you received by e-mail here
   comp-lzo
   verb 3
   #route-method exe    # Windows 7 only
   #route-delay 2       # Windows 7 only
   status openvpn-status.log
   #route add -net <the gateway you noted> 0.0.0.0 0.0.0.0
The marked lines are the ones to edit or check; adjust the last section to your operating system. On anything other than Windows 7, delete the two route- lines. Note that this file has no ns-cert-type server (or, on newer releases, remote-cert-tls server) line, so the client accepts any certificate signed by the company CA, another colleague's included, as the server; ask the administrator to add one.

3. Usage
When you need to connect to an internal company server, start the client by hand (users on the company's internal network should not run it): open Start, All Programs, OpenVPN, and in the list that appears left-click OpenVPN GUI to run it.
Once running, an icon appears in the system tray at the bottom right. Double-click it to connect directly, or right-click it for the menu: Connect, Disconnect, Show Status, View Log, Edit Config, Change Password, Proxy Settings, About, Exit.
Click Connect to connect to the VPN server. When the connection succeeds the icon turns green and the VPN can be used.

4. Connectivity test
Enter the test address http://192.168.10.249:8080 in the browser's address bar. If the page appears, the connection is up and the VPN can be used normally.
