Windows ADSL PPPOE下openVPN安装配置单网卡共享上网 |
| 发表者:分类:网络安全2014-11-06 15:44:01 阅读[3535] |
OpenVPN是一款功能强大,可跨平台(支持Win 2000/XP/2003, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, 和 OpenBSD)使用的SSL VPN服务器软件(具体说明见官方主页官方主页)。
第一步:安装openvpn
这一部分是服务端跟客户端都要做的工作,操作完全相同
双击 openvpn-2.1_beta16-install.exe进行安装,点击
NEXT,I Agree,NEXT之后开始选择安装路径,我手动修改为C:\Program Files\OpenVPN 。
点击 Install 开始安装,安装过程中,弹出 硬件安装窗口,点击仍然继续,安装虚拟
网卡。点击 next,Finish 完成安装。
OPENVPN安装
服务器配置:
说明: 架设OPENVPN服务器,服务器方面做的工作比较多,客户端相对来说就比较简单。
服务器采用RSA证书和密钥验证方式对客户端进行验证,默认情况下证书和用户是一对一的,
多个用户使用同一证书会被踢出。所以首先要做的工作就是证书的制作。
在进行操作之前,首先进行初始化工作:
修改C:\Program Files\OPENVPN\easy-rsa\vars.bat.sample的以下部分
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set KEY_EMAIL=mail@domain.com
(请根据自身情况修改)改为
set HOME=C:\Program Files\OPENVPN\easy-rsa
set KEY_COUNTRY=CN #(国家)
set KEY_PROVINCE=GuangDong #(省份)
set KEY_CITY=ShenZhen #(城市)
set KEY_ORG=oovc.com #(组织)
set KEY_EMAIL=admin@oovc.com #(邮件地址)
上面#开始的是注释,请不要写到文件中。
打开命令提示符:
开始-->运行...-->键入cmd,回车,进入命令提示符
或者 开始-->程序-->附件-->命令提示符
进入openvpn\easy-rsa目录。
命令如下:
c: 回车
cd \openvpn\easy-rsa 回车
init-config
vars
clean-all
上面是初始化工作,以后,在进行证书制作工作时,仍旧需要进行初始化,
但只需要进入openvpn\easy-rsa目录,运行vars就可以了,不需要上面那些
步骤了 。
下面开始证书的制作:
生成根证书
build-ca
build-dh
生成服务端密钥
build-key-server server
注意,配置server端密钥时,
Common Name 要唯一, 可以配置成 server
生成客户端密钥
build-key client
注意:
Common Name 要唯一,可以配置成 client
生成的密钥存放于openvpn\easy\rsa\keys目录下
可以将密钥 复制到\OPENVPN\config 目录里面。
这样,就不需要在配置文件中写明路径了。
接下来开始配置服务器
将生成的ca.crt,dh1024.pem,server.crt,server.key复制到C:\Program Files\OPENVPN\KEY目录下
这四个文件是服务端运行所需要的文件。
ca.crt client.crt client.key 是客户端所需要的文件,复制到客户端C:\Program Files\OPENVPN\KEY目录下
在\OpenVPN\config目录下创建server.ovpn文件,可以打开记事本,把内容写进去之后,
再另存为server.ovpn文件就行。
服务器端文件示例:(server.ovpn)
port 443 # 端口号,根据需要,自行修改,如果是用http代理连接,请不要修改
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0 # 虚拟局域网网段设置,请根据需要自行修改
keepalive 20 180
ca C:\\Program Files\\OPENVPN\\KEY\\ca.crt #CA证书存放位置,请根据实际情况自行修改
cert C:\\Program Files\\OPENVPN\\KEY\\server.crt #服务器证书存放位置,请根据实际情况自行修改
key C:\\Program Files\\OPENVPN\\KEY\\server.key #服务器密钥存放位置,请根据实际情况自行修改
dh C:\\Program Files\\OPENVPN\\KEY\\dh1024.pem #dh1024.pem存放位置,请根据实际情况自行修改
push "redirect-gateway def1"
push "dhcp-option DNS 202.96.128.68" #DNS,请根据实际情况自行修改
mode server
tls-server
status C:\\Program Files\\OPENVPN\\log\\openvpn-status.log #LOG记录文件存放位置,请根据实际情况自行修改
comp-lzo
verb 4
客户端设置:
在客户端安装完成之后,需要将 ca.crt client.crt client.key 这三个文件拷贝到 openvpn\key目录下
,这三个文件由服务端生成,所以,连接谁的服务器,就需要跟谁索取这三个文件
然后,编辑一个 client.ovpn的配置文件存放到 openvpn\config目录下,客户端就可以进行连接了。
客户端文件示例:(client.ovpn)
client
dev tun
proto tcp-client
remote vpn.yjvps.com 1194 #服务器域名/IP 和端口
resolv-retry infinite
nobind
http-proxy 192.168.1.1 80 #这里填入你的代理服务器地址和端口
mute-replay-warnings
ca C:\\Program Files\\OPENVPN\\KEY\\ca.crt
cert C:\\Program Files\\OPENVPN\\KEY\\client.crt #这里改成每个客户端相应的证书
key C:\\Program Files\\OPENVPN\\KEY\\client.key #这里改成每个客户端相应的密钥
comp-lzo
verb 4
status openvpn-status.log
以下是本次实施openvpn 所真实配置的服务器端配置文件内容:
;local a.b.c.d
port 1194
;proto tcp
proto tcp
;dev tap
dev tap
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 172.16.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 0.0.0.0 0.0.0.0"
;push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
;client-config-dir ccd
;route 0.0.0.0 0.0.0.0
;learn-address ./script
push "redirect-gateway"
push "dhcp-option DNS 202.103.24.68"
push "dhcp-option DNS 8.8.8.8"
;push "dhcp-option WINS 10.8.0.1"
client-to-client
#duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
mute 20
以下是客户端openvpn 真实配置文件
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tap
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto tcp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote yxrclq.vicp.net 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20
本次实施openvpn 的网段为 172.16.0.0/24
如果要实施客户机通过openvpn 服务器上网,
那么可以在windows 系统中,使用ICS共享上网功能。
设置VPN SERVER上的”internet连接共享“来实现clinet通过VPN SERVER上网。
打开 对宽带连接 点右键 —属性—高级, 打上勾,网络连接 选择 openvpn软件安装时 生成的 “本地连接4”。
然后点确定。
这时“本地连接4” 会自动配置IP。
IP: 192.168.0.1
子网掩码:255.255.255.0
这样与openvpn 网络不通。
修改IP为:
IP: 172.16.0.1
子网掩码:255.255.255.0
所有配置完成后。
到服务器端,使用openvpn 连接上服务器端vpn.会自动分配置IP 172.16.0.1
再到客户端,使用openvpn 打开客户端vpn 连接上主服务器。
会自动分配置一个IP。
最后测试客户机openvpn 都可以,正常上网。
转载请标明出处【Windows ADSL PPPOE下openVPN安装配置单网卡共享上网】。
《www.micoder.cc》
虚拟化云计算,系统运维,安全技术服务.
| Tags: | [阅读全文...] |
最新评论