Windows. Apply openvpn to Windows

Source: Internet
Author: User
How to configure the openvpn server verified by CA in Windows

Download and install OpenVPN: http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe
Use FlashGet or any other method to download the OpenVPN installation package and install it. During installation, remember to select the easy-rsa component, which contains the batch scripts for managing the CA.
After installation, easy-rsa is in the C:\Program Files\OpenVPN\ directory.
Start the configuration as follows:
Rename vars.bat.sample to vars.bat and modify its contents:
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=openvpn
set KEY_EMAIL=elm@elm.freetcp.com

The rest of the file does not need to be changed. Replace the values above with your own settings.

Rename openssl.cnf.sample to openssl.cnf.
Then open cmd.exe:

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>cd "\program files\openvpn\easy-rsa"
C:\program files\openvpn\easy-rsa>vars
C:\program files\openvpn\easy-rsa>clean-all.bat
The system cannot find the specified file.
1 file has been copied.
1 file has been copied.
C:\program files\openvpn\easy-rsa>
Generate the root CA
Format: build-ca.bat
Output: keys/ca.crt keys/ca.key

C:\program files\openvpn\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
... ++
...
writing new private key to 'keys/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:Openvpn
Common Name (eg, your name or your server's hostname) []:Openvpn rootca
Email Address [elm@elm.freetcp.com]:

C:\program files\openvpn\easy-rsa>

Generate the dh1024.pem file, which the server requires in order to use TLS.
Format: build-dh.bat
Output: keys/dh1024.pem

C:\program files\openvpn\easy-rsa>build-dh.bat
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................... + ............... + ........ + .................................
.................................... + ........................... + ...............
........................................ ........................................
........................................ ................................ ++ * ++

C:\program files\openvpn\easy-rsa>

The certificate used by the server is generated as follows:
Format: build-key-server.bat
Output: keys/<FILENAME>.crt keys/<FILENAME>.csr keys/<FILENAME>.key

C:\program files\openvpn\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
...
... ++
writing new private key to 'keys/server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:openvpn org
Common Name (eg, your name or your server's hostname) []:server01
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'openvpn'
organizationalUnitName:PRINTABLE:'openvpn org'
commonName            :PRINTABLE:'server01'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\program files\openvpn\easy-rsa>

The client certificate is generated as follows:

Format: build-key.bat
Output: keys/<FILENAME>.crt keys/<FILENAME>.csr keys/<FILENAME>.key

C:\program files\openvpn\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
........................................ ............. ++
........................................ ........... ++
writing new private key to 'keys/elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:openvpn org
Common Name (eg, your name or your server's hostname) []:elm
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'openvpn'
organizationalUnitName:PRINTABLE:'openvpn org'
commonName            :PRINTABLE:'elm'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\program files\openvpn\easy-rsa>

The ta.key file is generated as follows:

Format: openvpn --genkey --secret keys/ta.key
Output: keys/ta.key

C:\program files\openvpn\easy-rsa>openvpn --genkey --secret keys/ta.key
C:\program files\openvpn\easy-rsa>
The keys are now complete. Next, write the configuration files.
Contents of server01.ovpn:
---------------- Cut here-------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

---------------- Cut here-------------
Put the configuration file in the C:\Program Files\OpenVPN\config\ directory.
Copy ca.crt, server01.crt, server01.key, ta.key and dh1024.pem from easy-rsa/keys
to the directory where server01.ovpn is located.
The server configuration is now complete and you can start the server: right-click OpenVPN GUI in the lower right corner and select Connect.
To have the server start automatically at boot, open Services under Administrative Tools in Control Panel and set the OpenVPN service to Automatic startup.

Client configuration file: client.ovpn
----------------Cut here-------------
dev tap
proto udp
remote 61.1.1.2 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
----------------Cut here-------------

Copy ca.crt, elm.crt, elm.key and ta.key from easy-rsa/keys, together with the configuration file, into the <openvpn_home>\config directory on the client.
The client configuration is now complete and you can connect to the server: right-click OpenVPN GUI in the lower right corner and select Connect.

 

OK. The configuration is complete.
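
As an added example (not part of the original article), the Python script below audits the directives used in server01.ovpn and client.ovpn above for settings that weaken the setup or that current OpenVPN releases deprecate. The function names and the trimmed config excerpts are illustrative assumptions, and the DH size is read from the file name.

```python
import re

# Excerpts of the directives in server01.ovpn and client.ovpn above.
SERVER = """dev tap
key server01.key  # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
tls-auth ta.key 0
comp-lzo
user nobody
group nobody"""
CLIENT = """remote 61.1.1.2 1194
user nobody
ns-cert-type server
tls-auth ta.key 1
comp-lzo"""

def parse(text):
    """Map each active directive to its arguments; ';' and '#' start comments."""
    active = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and not words[0].startswith(";"):
            active[words[0].lower()] = words[1:]
    return active

def audit(text, role, windows=True):
    """Return (directive, finding) pairs for a 'server' or 'client' config."""
    cfg, out = parse(text), []
    if role == "server":
        # Assumption: the DH file name carries the parameter size (dh1024.pem).
        bits = re.search(r"\d+", " ".join(cfg.get("dh", [])))
        if bits and int(bits.group()) < 2048:
            out.append(("dh", bits.group() + "-bit DH parameters; use 2048 bits or more"))
        if "crl-verify" not in cfg:
            out.append(("crl-verify", "disabled; revoked client certificates are still accepted"))
        if "duplicate-cn" in cfg:
            out.append(("duplicate-cn", "clients sharing one certificate cannot be revoked individually"))
    elif "remote-cert-tls" not in cfg:
        old = "ns-cert-type" in cfg
        out.append(("ns-cert-type", "deprecated; use 'remote-cert-tls server'") if old else
                   ("remote-cert-tls", "missing; the server certificate type is not checked"))
    if "tls-auth" not in cfg:
        out.append(("tls-auth", "missing; TLS handshake packets are not HMAC-authenticated"))
    if "comp-lzo" in cfg:
        out.append(("comp-lzo", "compression is deprecated and can leak plaintext (VORACLE)"))
    if windows and ("user" in cfg or "group" in cfg):
        out.append(("user/group", "non-Windows only; no privilege drop happens on this host"))
    return out
```

Calling `audit(SERVER, "server")` or `audit(CLIENT, "client")` returns the findings for the two configurations shown in this article.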

To issue a certificate to another user, follow these steps:
Open cmd.exe
cd <openvpn_home>\easy-rsa
vars.bat
build-key.bat <FILENAME>
Files required by the client:
client.ovpn (some settings need to be modified)
ca.crt
<FILENAME>.crt
<FILENAME>.key (<FILENAME> is the file name, such as elm)
ta.key
