OpenVPN教程-绝对实用

ff7ym
1 ℃
2020-06-07

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

OpenVPN虚拟专用网安装与部署OpenVPN虚拟专用网安装与部署OpenVPN虚拟专用网安装与部署1、介绍虚拟专用网VPN(virtualprivatenetwork)是在公共网络中建立的安全网络连接，这个网络连接和普通意义上的网络连接不同之处在于，它采用了专有的隧道协议，实现了数据的加密和完整性的检验、用户的身份认证，从而保证了信息在传输中不被偷看、篡改、复制，从网络连接的安全性角度来看，就类似于再公共网络中建立了一个专线网络一样，只补过这个专线网络是逻辑上的而不是物理的所以称为虚拟专用网。VPN系统的结构图1所示，包括VPN服务器，VPN客户机和隧道。由于使用Internet进行传输相对于租用专线来说，费用极为低廉，所以VPN的出现使企业通过Internet既安全又经济的传输私有的机密信息成为可能。2、Windows操作系统中利用OpenVPN配置VPNOpenVPN是一个开源的第三方虚拟专用网配置工具，可以利用固有设备搭建情形的VPN应用网关。安装配置步骤如下：1.下载安装OpenVPN：请到官方网站下载最新版本：openvpn-2.1.1-install.exe（目前官网的最新版本就是2.1.1）双击openvpn-2.1.1-install.exe后具体操作步骤如下：安装完毕后，easy-rsa文件夹在C:\ProgramFiles\OpenVPN\目录下，同时OpenVPN服务器桌面右下角会出现一个新的本地连接，将名字改成OpenVPN。(如何软件安装完后OpenVPN服务器桌面右下角没有新的连接出现，请双击C:\ProgramFiles\OpenVPN\bin目录下的addtap.bat文件手动添加一个)1.初始化配置：（一）修改easy-rsa目录下的vars.bat.Sample的内容（最好用写字板打开，以免记事本打开会破坏文档格式），并将其改名为vars.bat，如下：setKEY_COUNTRY=CNsetKEY_PROVINCE=BJsetKEY_CITY=BeiJingsetKEY_ORG=cdtsmsetKEY_EMAIL=sunzhouyi@cdtsm.com（二）把easy-rsa下的openssl.cnf.sample改成openssl.cnf。然后打开命令行（开始-运行-输入cmd）C:\DocumentsandSettings\ThinkPadcd\ProgramFiles\OpenVPN\easy-rsaC:\ProgramFiles\OpenVPN\easy-rsavars--此步骤必须的C:\ProgramFiles\OpenVPN\easy-rsaclean-all系统找不到指定的文件。已复制1个文件。已复制1个文件。3.生成根CA：（一）C:\ProgramFiles\OpenVPN\easy-rsavarsC:\ProgramFiles\OpenVPN\easy-rsabuild-caLoading'screen'intorandomstate-doneGeneratinga1024bitRSAprivatekey...............................++++++.......++++++writingnewprivatekeyto'keys\ca.Key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[US]:CNStateorProvinceName(fullname)[CA]:BJLocalityName(eg,city)[SanFrancisco]:BeiJingOrganizationName(eg,company)[OpenVPN]:cdtsmOrganizationalUnitName(eg,section)[]:cdtsmCommonName(eg,yournameoryourserver'shostname)[]:cdtsmEmailAddress[mail@host.domain]:sunzhouyi@cdtsm.com4.生成dh1024.pem文件，server使用TLS必须使用的一个文件。（一）C:\ProgramFiles\OpenVPN\easy-rsavarsC:\ProgramFiles\OpenVPN\easy-rsabuild-dhLoading'screen'intorandomstate-doneGeneratingDHparameters,1024bitlongsafeprime,generator2Thisisgoingtotakealongtime.....................................................................+......................................................+...............................+...................+.....+.................+.......................+..........................+.............................................+..........................................+...........................................+..........................................+.....................................................+...................................++*++*++*5.下面生成服务器端证书、客户端证书和TA证书：首先生成server使用的证书：（一）C:\ProgramFiles\OpenVPN\easy-rsavarsC:\ProgramFiles\OpenVPN\easy-rsabuild-key-serverCdtsmServerLoading'screen'intorandomstate-doneGeneratinga1024bitRSAprivatekey.......++++++............++++++writingnewprivatekeyto'keys\CdtsmServer.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[US]:CNStateorProvinceName(fullname)[CA]:BJLocalityName(eg,city)[SanFrancisco]:BeiJingOrganizationName(eg,company)[OpenVPN]:cdtsmOrganizationalUnitName(eg,section)[]:cdtsmCommonName(eg,yournameoryourserver'shostname)[]:cdtsmEmailAddress[mail@host.domain]:sunzhouyi@cdtsm.comPleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:123456--此处可以为空等安装部署完后可以在修改Anoptionalcompanyname[]:cdtsmUsingconfigurationfromopenssl.cnfLoading'screen'intorandomstate-doneCheckthattherequestmatchesthesignatureSignatureokTheSubject'sDistinguishedNameisasfollowscountryName:PRINTABLE:'CN'stateOrProvinceName:PRINTABLE:'BJ'localityName:PRINTABLE:'BeiJing'organizationName:PRINTABLE:'cdtsm'organizationalUnitName:PRINTABLE:'cdtsm'commonName:PRINTABLE:'cdtsm'emailAddress:IA5STRING:'sunzhouyi@cdtsm.com'CertificateistobecertifieduntilJul2504:11:082020GMT(3650days)Signthecertificate?[y/n]:y1outof1certificaterequestscertified,commit?[y/n]yWriteoutdatabasewith1newentriesDataBaseUpdated到此server端使用的证书生成完毕。（二）生成可是为客户端生成client证书。接下来生成客户端证书：C:\ProgramFiles\OpenVPN\easy-rsavarsC:\ProgramFiles\OpenVPN\easy-rsabuild-keyCdtsmClientLoading'screen'intorandomstate-doneGeneratinga1024bitRSAprivatekey......++++++.............................++++++writingnewprivatekeyto'keys\CdtsmClient.key'-----Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[US]:CNStateorProvinceNa