Setting up an OpenVPN virtual private network on the Windows platform (.docx)
- Document ID: 7263927
- Upload date: 2023-01-22
- Format: DOCX
- Pages: 29
- Size: 600.28KB
Setting up an OpenVPN virtual private network on the Windows platform
I. Environment preparation
1. Operating system: Windows platform
2. Public address: XXX.XXX.XXX.XXX: port
3. Internal address: XXX.XXX.XXX.XXX
4. Port mapping configured on the router
5. A single network adapter
6. openvpn-2.1.1-install.exe
The following uses the environment the company prepared in advance to set up an OpenVPN virtual private network server on Windows. The prepared environment is:
A. Operating system: Windows Server 2008 R2 (32-bit)
B. Public address: 59.108.107.42
C. Internal address: 168.168.168.170
D. Mapped ports: 8081 and 8082 (only one port is needed; the configuration below uses 8081)
E. A single network adapter
II. Server-side installation and deployment
1. Install openvpn-2.1.1-install.exe
Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
After installation, a new "Local Area Connection 2" appears under Network Connections; rename it to "vpn", as shown below:
Figure 7
2. Detailed server-side OpenVPN configuration
A. Edit vars.bat.sample
Open it with WordPad in the C:\Program Files\OpenVPN\easy-rsa directory (Notepad is not recommended, because it may corrupt the file's format).
Set the following values:
set KEY_COUNTRY=CN
set KEY_PROVINCE=BJ
set KEY_CITY=BJ
set KEY_ORG=LHJ
set KEY_EMAIL=381364654@QQ.COM
B. Command-line configuration
Start -> Run -> type cmd
(1) cd C:\Program Files\OpenVPN\easy-rsa
Figure 1
(2) init-config
Figure 2
(3) vars ------------ this step is mandatory; the environment must be initialized with it before each certificate is generated
Figure 3
(4) clean-all
Figure 4
(5) Generate the root CA certificate
vars
Figure 5
build-ca
Figure 6
(6) Generate dh1024.pem, a file the server must have in order to use TLS.
vars
Figure 7
build-dh
Figure 8
(7) Generate the server certificate
vars
Figure 9
build-key-server server01
Figure 10
Figure 11
At this point the certificate used by the server side has been generated.
(8) Generate the client certificate
vars
Figure 12
build-key client01
Figure 13
Figure 14
(9) Generate the ta.key file
vars
Figure 15
openvpn --genkey --secret keys/ta.key
Figure 16
At this point the root CA, the client and the server certificates and key files are all ready; what remains is to configure the server-side and client-side files.
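Before copying these files to OpenVPN\config, it is worth checking what easy-rsa actually wrote. The Python check below is an added example, not part of the tutorial; it assumes the easy-rsa 2 file names from the steps above and the PKCS#3 layout of dh1024.pem, and the 1024-bit group it constructs as sample input is not a real prime, only something for the parser to measure.

```python
import base64
import re

# File -> PEM label (as a regex) that easy-rsa 2 or "openvpn --genkey" writes for it.
EXPECTED = {
    "ca.crt": "CERTIFICATE",
    "server01.crt": "CERTIFICATE",
    "server01.key": "(?:RSA )?PRIVATE KEY",
    "dh1024.pem": "DH PARAMETERS",
    "ta.key": "OpenVPN Static key V1",
}

def pem_body(text, label):
    """Payload between the BEGIN/END markers for `label`, whitespace removed, or None."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % ((label,) * 2), text, re.S)
    return "".join(m.group(1).split()) if m else None

def der_len(buf, i):
    """Decode the DER length field at buf[i]; return (length, offset of content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_modulus_bits(der):
    """PKCS#3 DH params are SEQUENCE { INTEGER p, INTEGER g }; return the bit length of p."""
    _, i = der_len(der, 1)
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("not SEQUENCE { INTEGER p, ... }")
    plen, i = der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def audit(files):
    """files maps file name -> text. Returns findings; an empty list means all checks passed."""
    findings = []
    for name, label in EXPECTED.items():
        body = pem_body(files[name], label) if name in files else None
        if body is None:
            findings.append("%s: missing, or no '%s' block" % (name, label))
        elif name == "ta.key" and len(body) != 512:  # V1 key: 16 lines x 16 bytes, as hex
            findings.append("ta.key: not a 2048-bit OpenVPN static key")
        elif name == "dh1024.pem" and dh_modulus_bits(base64.b64decode(body)) < 2048:
            findings.append("dh1024.pem: DH group smaller than 2048 bits; regenerate with 2048")
    return findings

# Constructed sample (not real easy-rsa output): a 1024-bit non-prime p and an all-zero static key.
SAMPLE_DH = "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % base64.b64encode(
    b"\x30\x81\x87\x02\x81\x81\x00" + ((1 << 1023) + 1).to_bytes(128, "big") + b"\x02\x01\x02").decode()
SAMPLE_TA = "-----BEGIN OpenVPN Static key V1-----\n%s-----END OpenVPN Static key V1-----\n" % (("0" * 32 + "\n") * 16)
SAMPLE = {"dh1024.pem": SAMPLE_DH, "ta.key": SAMPLE_TA}  # the three certificate files are absent
```

On a real system, build the `files` dictionary by reading each name in EXPECTED from easy-rsa\keys; audit(SAMPLE) reports the three missing certificate files and the undersized DH group.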
C. Server-side configuration file
(1) The server configuration file is in the C:\Program Files\OpenVPN\sample-config folder.
The contents of server.ovpn are as follows (note: the comments below explain each setting; follow this format exactly, because a single formatting mistake can prevent clients from connecting when the OpenVPN server starts):
```
#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
local 168.168.168.170

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 8081

# TCP or UDP server?
proto tcp
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
;dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server01.crt
key server01.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
#route-method exe
#route-delay 2

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;push "route 168.168.168.0 255.255.255.0"
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
#
# The addresses below refer to the public
# DNS servers provided by.
push "dhcp-option DNS 59.108.107.42"
push "dhcp-option DNS 202.106.0.20"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0  # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC
```
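As an added example that is not part of the tutorial, the small Python linter below parses the directives of a server.ovpn and flags the settings that the sample file's own comments call weak or test-only (the 1024-bit dh file, duplicate-cn, tls-auth direction, client-to-client). The abridged config it checks is constructed from the effective lines above; the fact that OpenVPN 2.1 falls back to BF-CBC when no cipher is set comes from OpenVPN's documentation, not from this page.

```python
import shlex

def parse_ovpn(text):
    """Return [(directive, [args])], skipping blank lines and '#'/';' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # the sample file uses trailing "# ..." notes
        if line and not line.startswith(";"):
            parts = shlex.split(line)          # keeps push "dhcp-option ..." as one argument
            entries.append((parts[0], parts[1:]))
    return entries

def lint(text):
    """Findings for settings the sample config's own comments call weak or test-only."""
    entries = parse_ovpn(text)
    args = dict(entries)   # last occurrence wins; fine for the single-valued directives checked
    findings = []
    if "dh" in args and "1024" in args["dh"][0]:   # filename heuristic only
        findings.append("dh: 1024-bit group; generate a 2048-bit dh file instead")
    if "cipher" not in args:
        findings.append("cipher: unset, so the OpenVPN 2.1 default BF-CBC (64-bit block) applies")
    if "tls-auth" not in args:
        findings.append("tls-auth: missing; no HMAC check in front of the TLS handshake")
    elif args["tls-auth"][1:2] != ["0"]:
        findings.append("tls-auth: the server must use key direction 0, clients 1")
    if "duplicate-cn" in args:
        findings.append("duplicate-cn: clients may share one cert; testing only")
    if "client-to-client" in args:
        findings.append("client-to-client: VPN clients can reach each other; confirm this is intended")
    return findings

# Constructed sample: the effective (uncommented) lines of the tutorial's server.ovpn.
SAMPLE_CONFIG = """\
port 8081
proto tcp
dev tap
ca ca.crt
cert server01.crt
key server01.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 59.108.107.42"
client-to-client
keepalive 10 120
tls-auth ta.key 0  # This file is secret
;cipher BF-CBC
"""
```

Running lint(SAMPLE_CONFIG) reports the dh, cipher and client-to-client items and stays silent on tls-auth, since the server side correctly uses direction 0.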