How to configure an OpenVPN server with CA-issued certificates on Windows

Source: Internet
Author: User

Download and install OpenVPN:

Download the OpenVPN installation package (with FlashGet or any other download method) and install it. During installation, remember to select the easy-RSA scripts: these are the .bat scripts used to manage the CA.
http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe

After installation, easy-rsa is in the C:\Program Files\OpenVPN\easy-rsa directory.

Start the configuration:
Rename vars.bat.sample in the easy-rsa directory to vars.bat and modify its content:
========================================
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=openvpn
set KEY_EMAIL=elm@elm.freetcp.com
========================================
The rest of the file does not need to be modified; change only the values above to your own.

Rename openssl.cnf.sample under easy-rsa to openssl.cnf.

Then open cmd.exe:
===============================================================
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd "\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
The system cannot find the file specified.
        1 file(s) copied.
        1 file(s) copied.

C:\Program Files\OpenVPN\easy-rsa>

Generate the root CA
Format: build-ca.bat
Output: keys/ca.crt keys/ca.key
==================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
...++
...
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:openvpn org
Common Name (eg, your name or your server's hostname) []:openvpn rootca
Email Address [elm@elm.freetcp.com]:

C:\Program Files\OpenVPN\easy-rsa>

Generate the dh1024.pem file (Diffie-Hellman parameters), which the server needs for the TLS handshake.
Format: build-dh.bat
Output: keys/dh1024.pem
====================================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................+...............+........+.................................
(many lines of progress dots omitted)
........................................................................++*++*

C:\Program Files\OpenVPN\easy-rsa>

The certificate used by the server is generated as follows:
Format: build-key-server.bat <FILENAME>
Output: keys/<FILENAME>.crt keys/<FILENAME>.csr keys/<FILENAME>.key
====================================================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
...
...++
writing new private key to 'keys\server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:openvpn org
Common Name (eg, your name or your server's hostname) []:server01
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'openvpn'
organizationalUnitName:PRINTABLE:'openvpn org'
commonName            :PRINTABLE:'server01'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

The client certificate is generated as follows:
Format: build-key.bat <FILENAME>
Output: keys/<FILENAME>.crt keys/<FILENAME>.csr keys/<FILENAME>.key
====================================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
.....................................................++
...................................................++
writing new private key to 'keys\elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:openvpn org
Common Name (eg, your name or your server's hostname) []:elm
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'openvpn'
organizationalUnitName:PRINTABLE:'openvpn org'
commonName            :PRINTABLE:'elm'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

The ta.key file (the shared TLS-auth HMAC key) is generated as follows:
Format: openvpn --genkey --secret keys\ta.key
Output: keys/ta.key
============================================================================================
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys\ta.key

C:\Program Files\OpenVPN\easy-rsa>

OK, the keys are done. Now write the configuration files.
server01.ovpn content:
---------------- Cut here -------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key  # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
-------------- Cut here -----------------
Place the configuration file in the C:\Program Files\OpenVPN\config\ directory.
Copy ca.crt, server01.crt, server01.key, ta.key and dh1024.pem from easy-rsa\keys\ to the directory where server01.ovpn is located.

The server configuration is complete and you can start the server: right-click the OpenVPN GUI icon in the system tray (lower right corner) and select Connect.
If you want the server to start automatically at boot, open Control Panel > Administrative Tools > Services and set the OpenVPN service startup type to Automatic.

Client configuration file:
------------- Cut here ---------------------
client
dev tap
proto udp

remote 61.1.1.2 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

ca ca.crt
cert elm.crt
key elm.key

ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
-------------- Cut here ---------------------
Then put ca.crt, elm.crt, elm.key and ta.key from easy-rsa/keys together with the configuration file into the client's
<openvpn_home>\config directory.
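The client profile above trusts a server only if its certificate carries the nsCertType=server extension (that is what "ns-cert-type server" checks), so a server certificate built with build-key.bat instead of build-key-server.bat will be rejected. The following batch script is an added example, not part of the original article or of easy-rsa: run from the easy-rsa directory after vars.bat, with openssl.exe on the PATH (both assumed), it checks that the server certificate chains to ca.crt, that the extension is present, and prints the key size and validity dates. Two notes for current OpenVPN releases: ns-cert-type has been superseded by "remote-cert-tls server", and the user/group directives are not implemented on Windows, so they have no effect there.

```batch
@echo off
rem check-server-cert.bat -- added example, not part of the original article or easy-rsa.
rem Usage: check-server-cert.bat [name]   (defaults to server01, the name used above)
rem Assumes: current directory is easy-rsa, vars.bat has been run, openssl.exe is on PATH.
setlocal
set CERT=keys\%~1.crt
if "%~1"=="" set CERT=keys\server01.crt
if not exist "%CERT%" (
    echo %CERT% not found
    exit /b 1
)

echo == chain check ==
rem Old openssl builds return 0 even on failure, so match the ": OK" text instead
rem of relying on the exit code.
openssl verify -CAfile keys\ca.crt "%CERT%" | findstr /E /C:": OK" >nul
if errorlevel 1 (
    echo FAIL: %CERT% does not verify against keys\ca.crt
    exit /b 1
)
echo OK: %CERT% chains to keys\ca.crt

echo == nsCertType check ==
rem "openssl x509 -text" prints the Netscape Cert Type extension as "SSL Server".
openssl x509 -in "%CERT%" -noout -text | findstr /C:"SSL Server" >nul
if errorlevel 1 (
    echo FAIL: no nsCertType=server extension in %CERT%
    echo       build the server certificate with build-key-server.bat, not build-key.bat
    exit /b 1
)
echo OK: nsCertType=server present, clients using "ns-cert-type server" will accept it

echo == key size and validity ==
rem The "Public Key" line shows the RSA size (1024 bit with the default vars.bat);
rem the regex dot matches both "Public Key" and "Public-Key" across openssl versions.
openssl x509 -in "%CERT%" -noout -text | findstr /R /C:"Public.Key"
openssl x509 -in "%CERT%" -noout -dates
endlocal
```

Run it once after build-key-server.bat and again whenever a server certificate is reissued; a failure in the chain check usually means the certificate was signed by a different ca.crt than the one being distributed to clients.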

The client configuration is complete and you can connect to the server: right-click the OpenVPN GUI icon in the system tray (lower right corner) and select Connect.


OK. The configuration is complete.

To issue a certificate to another user, follow these steps:
Open cmd.exe

cd <openvpn_home>\easy-rsa
vars.bat
build-key.bat <FILENAME>

Files required by the client:

client.ovpn (some settings need to be modified)
ca.crt
<FILENAME>.crt
<FILENAME>.key (<FILENAME> is the file name, such as elm)
ta.key
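The per-user procedure above (vars.bat, build-key.bat, then collecting the four files plus a profile) is easy to get wrong by hand: running build-key.bat twice for the same name silently creates a second key pair and a second CA database entry, and it is easy to forget ta.key. The batch script below is an added example, not part of the original article or of easy-rsa; it wraps the steps into one command, refuses to overwrite an existing certificate, verifies the new certificate against ca.crt, and writes the client files into a per-user folder together with a profile matching the server configuration above. It assumes OpenVPN under %ProgramFiles%\OpenVPN, a customised vars.bat, and openssl.exe on the PATH after vars.bat; the server address in the generated profile is a placeholder, and any site-specific lines (such as the route in the article's client profile) must be added by hand.

```batch
@echo off
rem issue-client.bat -- added example, not part of the original article or easy-rsa.
rem Usage: issue-client.bat <client-name>
rem Issues a client certificate with build-key.bat, checks it, and collects the
rem files the client needs into easy-rsa\client-<name>\.
rem Assumes: OpenVPN in %ProgramFiles%\OpenVPN, vars.bat customised, openssl on PATH.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<client-name^>
    exit /b 1
)
set NAME=%~1
set EASYRSA=%ProgramFiles%\OpenVPN\easy-rsa
pushd "%EASYRSA%" || exit /b 1
call vars.bat

rem Refuse to overwrite: a second build-key.bat for the same name would create a
rem new key pair and a duplicate entry in the CA database. Revoke first instead.
if exist "keys\%NAME%.crt" (
    echo keys\%NAME%.crt already exists; revoke it before issuing a new one.
    popd
    exit /b 1
)
if not exist keys\ta.key (
    echo keys\ta.key is missing; run: openvpn --genkey --secret keys\ta.key
    popd
    exit /b 1
)

call build-key.bat %NAME%
if not exist "keys\%NAME%.crt" (
    echo build-key.bat did not produce keys\%NAME%.crt
    popd
    exit /b 1
)

rem Confirm the new certificate chains to our CA before handing it out
rem (text match rather than exit code, which old openssl builds do not set).
openssl verify -CAfile keys\ca.crt "keys\%NAME%.crt" | findstr /E /C:": OK" >nul
if errorlevel 1 (
    echo FAIL: keys\%NAME%.crt does not verify against keys\ca.crt
    popd
    exit /b 1
)

rem Collect the four files the client needs plus a profile.
set OUT=%EASYRSA%\client-%NAME%
mkdir "%OUT%" 2>nul
copy /y keys\ca.crt "%OUT%\" >nul
copy /y "keys\%NAME%.crt" "%OUT%\" >nul
copy /y "keys\%NAME%.key" "%OUT%\" >nul
copy /y keys\ta.key "%OUT%\" >nul

rem Client profile matching the server configuration in the article.
rem VPN-SERVER-ADDRESS is a placeholder to be replaced with the real address.
(
    echo client
    echo dev tap
    echo proto udp
    echo remote VPN-SERVER-ADDRESS 1194
    echo resolv-retry infinite
    echo nobind
    echo persist-key
    echo persist-tun
    echo ca ca.crt
    echo cert %NAME%.crt
    echo key %NAME%.key
    echo ns-cert-type server
    echo tls-auth ta.key 1
    echo comp-lzo
    echo verb 3
) > "%OUT%\%NAME%.ovpn"

echo Client files for %NAME% are in %OUT%.
echo Copy that folder to the client's ^<openvpn_home^>\config directory; %NAME%.key is secret.
popd
endlocal
```

The ta.key check matters because the server has "tls-auth ta.key 0": a client without the matching key is dropped before the TLS handshake even starts, which shows up as a silent connection timeout rather than a clear error.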
