In windows, use openvpn in linux to log on to the Intranet of the remote server, and use linuxopenvpn.

Source: Internet
Author: User
Tags openvpn gui

In windows, use openvpn in linux to log on to the Intranet of the remote server, and use linuxopenvpn.

Requirement: in some environments with strict network requirements, we are unable to remotely access the company's Intranet in a remote location, which brings us great inconvenience. However, we can achieve it easily through openvpn, next we will introduce it.

Note: This experiment is performed when the firewall is disabled. Even if the firewall is enabled, no restrictions are imposed on the nat table.

1. Network Environment:

Company openvpn server (linux): wan 75.126.207.84

Lan 10.61.53.84


Local server (windows): wan 115.238.239.132

Lan 10.10.1.132

2. software installation required:

Openvpn version: openvpn-2.2.2.tar.gz (linux, available to http://openvpn.net download)

Openvpn-2.2.2-install.exe (windows)

Lzo-2.03.tar.gz

Gcc-c ++ openssl-devel

Note: openvpn2.3 or a later version does not recognize lzo compilation programs and cannot be installed. It can be used normally after version 2.0 is changed.

The openvpn server and client versions must be consistent; otherwise, the connection may fail.


3. Build a linux server environment:

(1) Software Installation

A) yum-y install gcc-c ++ openssl-devel

B) lzo compilation and Installation

Cd/usr/local/src

Wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz

Tar -zxvflzo-2.03.tar.gz

Cd lzo-2.03

./Configure -- prefix =/usr/local/lzo

Make & make install

C) install openvpn2.2.2

Cd/usr/local/src

Tar-zxvf openvpn-2.2.2.tar.gz

Cd openvpn-2.2.2

. /Configure -- prefix =/usr/local/openvpn -- with-lzo-headers =/usr/local/lzo/include -- with-lzo-lib =/usr/local/lzo/ lib -- with-ssl-headers =/usr/include/openssl -- with-ssl-lib =/usr/lib64/openssl

Make & make install

(2) configure the certificate

Mkdir-p/etc/openvpn

Cp-R/usr/local/src/openvpn-2.2.2/easy-rsa/etc/openvpn

Cd/etc/openvpn/easy-rsa/2.0

Vim vars

# Create an environment variable and set the script for the required variables

Source vars

./Clean-all

# Create the files and directories required to generate the ca certificate and key file

./Build-ca

# Generate a ca certificate and press Enter. After the certificate is executed, the relevant certificate files are generated in the keys directory.

./Build-dh

# Generate the Diffie-Hellman file for encryption. The dh1024.pem file will be generated in the keys directory.

 

./Build-key-server xuyou

# Generate the server certificate and key file. You only need to enter y in the last two places. xuyou. crt xuyou. csr xuyou. key is generated in the keys directory.

Copy the generated server-side ca certificate and key file to/etc/openvpn/

Cp ca. crt ca. key xuyou. crt xuyou. csr xuyou. key/etc/openvpn

./Build-key test

# Generate the client certificate and key file. You only need to enter y in the last two places. test. crt test. csr test. key is generated in the keys directory.

Pack the certificate and key file generated by the key for the client to use

Mkdir mykey

Cp ca. key ca. crt test. csr test. crt test. key mykey/

Tar-zcvf mykey.tar.gz mykey

Modify openvpn server configuration file

Cp/usr/local/src/openvpn-2.2.2/sample-config-files/server. conf/etc/openvpn. conf

Vim openvpn. conf

# Set the listening IP address. The default value is to listen to all IP addresses. local. b. c. d # Set the listening port. The corresponding port 1194 must be enabled in the firewall # Set the TCP or UDP protocol? Proto tcp proto udp # Set the Route IP channel for creating tun or the Ethernet channel for creating tap # It is easy to control the Route IP, so we recommend using it; however, if IPX and so on must # use the second layer for communication, you can use the tap mode, that is, tap # Ethernet bridging; dev tap dev tun # Windows needs to give the NIC a name, set here, not required for linux; dev-node MyTap # The key here. SSL/TLS root certificate (ca), # certificate (cert), and private key (key) must be specified) # The ca file is required by both the server and client, but does not need ca. key # specify the respective. crt and. key # note the path. You can use the relative path starting with the configuration file as the root, # You can also use the absolute path # store it with caution. key file <span style = "color: # ff0000;"> ca/etc/openvpn/ca. crt cert/etc/openvpn/xuyou. crt key/etc/openvpn/xuyou. key # This file shocould be kept secret </span> # specify Diffie hellman parameters. <span style = "color: # ff0000;"> dh/etc/openvpn/dh1024.pem </span> # configure the CIDR block used by the VPN, openVPN automatically provides DHCP # service based on this network segment, but it cannot be the same as the LAN segment of any party. Ensure that the unique server 10.8.0.0 255.255.255.0 # maintains a table corresponding to the client and virtual IP address, to facilitate client re-connection, you can obtain the same IP ifconfig-pool-persist ipp.txt # configured as the Ethernet bridge mode, but you need to use the bridge function of the system # This is not required here; server-bridge 10.8.0.4 255.255.0 10.8.0.50 10.8.0.100 # create a route for the client to access the internal server of the company network. # Remember that the internal server of the company network also needs to have available routes to return to the client; push "route 192.168.20.0 255.255.255.0" <span style = "color: # ff0000;"> push "route 10.0.0.0 255.0.0.0" </span> # specify an IP address or route for a specific client, this route is usually followed by the Client # Intranet segment, rather than the network segment connected to the server # ccd is the directory under/etc/openvpn, in this example, the client Common # Name is the file Name, and the following command is used to write a fixed IP address # For example, the Common Name is client1, in/etc/openvpn/ccd/client1, write: # ifconfig-push 10.9.0.1 10.9.0.2; client-config-dir ccd; route 192.168.40.128 255.255.255.255.248 # To Set firewall and other permissions for different clients # to allow them to automatically run the corresponding script, see man; learn-address. /script # If the client wants all traffic to be transmitted over the VPN, you can use this statement # It will automatically change the gateway of the client to the VPN Server. It is recommended to disable it # once set, please be careful with the DHCP settings on the server; push "redirect-gateway" # Use the DHCP function of OpenVPN to provide the specified DNS and WINS for the client; push "dhcp-option DNS 10.8.0.1 "; push "dhcp-option WINS 10.8.0.1" # direct communication is not allowed between clients by default, unless you comment out the following statements from client-to-client # If you want clients with the same Common Name to log on, you can also comment out the following statements, we recommend that each client use a Common Name that is not used for testing. duplicate-cn # Set the Server Detection interval and timeout value for keepalive 10 120 # The following are some security enhancement measures, for more information, see # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # Generate with: # openvpn -- genkey -- secret ta. key ## The server and each client must have # a copy of this key. # The second parameter shocould be 0 # on the server and 1 on the clients .; tls-auth ta. key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to # the client config file as well .; cipher BF-CBC # Blowfish (default); cipher AES-128-CBC # AES; cipher DES-EDE3-CBC # Triple-DES # Use lzo compressed communication, the server and client must be configured with comp-lzo # set the maximum number of users; max-clients 100 # Run OpenVPN with nobody users and groups (secure); user nobody; group nobody # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # output short log, refresh every minute to display the current client status/var/log/openvpn/openvpn-status.log # default log is recorded in the system log, but it can also be directed to other places # It is recommended that you do not set the debugging, and then define <span style = "color: # ff0000; "> log/var/log/openvpn. log-append/var/log/openvpn. log </span> # Set the log level #0 is silent, warning t for fatal errors #4 is reasonable for general usage #5 and 6 can help to debug connection problems #9 is extremely verbose verb 3 # Silence repeating messages. at most 20 # sequential messages of the same message # category will be output to the log .; mute 20
Start openvpn

/Usr/local/openvpn/sbin/openvpn -- daemon -- config/etc/openvpn. conf

Check whether port 1194 is enabled,

Lsof-I: 1194

Ip a has the virtual network card tun0 and the allocated virtual ip address is 10.8.0.1.

4. windows client environment setup:

Install openvpn-2.2.2-install.exe

Set/usr/local/src/openvpn-2.2.2/sample-config-files/client. decompress the conf file and the generated client certificate and key file to the C: \ Program Files (x86) \ OpenVPN \ config directory.

Edit client. conf and rename the file name to client. ovpn.

Change the remote ip address to the ip address and port of the linux server.

############################################### Sample client-side OpenVPN 2.0 config file ## for connecting to multi-client server.     ##                                            ## This configuration can be used by multiple ## clients, however each client should have   ## its own cert and key files.                ##                                            ## On Windows, you might want to rename this  ## file so it has a .ovpn extension           ################################################ Specify that we are a client and that we# will be pulling certain config file directives# from the server.client# Use the same setting as you are using on# the server.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the TUN/TAP interface.;dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel# if you have more than one.  On XP SP2,# you may need to disable the firewall# for the TAP adapter.;dev-node MyTap# Are we connecting to a TCP or# UDP server?  Use the same setting as# on the server.;proto tcpproto udp# The hostname/IP and port of the server.# You can have multiple remote entries# to load balance between the servers.<span style="color:#ff0000;">remote 75.126.207.84 1194</span>;remote my-server-2 1194# Choose a random host from the remote# list for load-balancing.  Otherwise# try hosts in the order specified.;remote-random# Keep trying indefinitely to resolve the# host name of the OpenVPN server.  Very useful# on machines which are not permanently connected# to the internet such as laptops.resolv-retry infinite# Most clients don't need to bind to# a specific local port number.nobind# Downgrade privileges after initialization (non-Windows only);user nobody;group nobody# Try to preserve some state across restarts.persist-keypersist-tun# If you are connecting through an# HTTP proxy to reach the actual OpenVPN# server, put the proxy server/IP and# port number here.  See the man page# if your proxy server requires# authentication.;http-proxy-retry # retry on connection failures;http-proxy [proxy server] [proxy port #]# Wireless networks often produce a lot# of duplicate packets.  Set this flag# to silence duplicate packet warnings.;mute-replay-warnings# SSL/TLS parms.# See the server config file for more# description.  It's best to use# a separate .crt/.key file pair# for each client.  A single ca# file can be used for all clients.<span style="color:#ff0000;">ca ca.crtcert test.crtkey test.key</span># Verify server certificate by checking# that the certicate has the nsCertType# field set to "server".  This is an# important precaution to protect against# a potential attack discussed here:#  http://openvpn.net/howto.html#mitm## To use this feature, you will need to generate# your server certificates with the nsCertType# field set to "server".  The build-key-server# script in the easy-rsa folder will do this.ns-cert-type server# If a tls-auth key is used on the server# then every client must also have the key.;tls-auth ta.key 1# Select a cryptographic cipher.# If the cipher option is used on the server# then you must also specify it here.;cipher x# Enable compression on the VPN link.# Don't enable this unless it is also# enabled in the server config file.comp-lzo# Set log file verbosity.verb 3# Silence repeating messages;mute 20
Start the desktop icon OpenVPN GUI to connect

After the link is successfully linked, it is displayed in green. If you move the mouse over it, the following figure is displayed:

The local connection also displays the virtual network card information:

Ping the Intranet of the remote server:

Use an intranet address to connect to a remote server:

This proves that the local server can access the company's intranet server through openvpn.

Finally, the windows Client Connection log is attached:


How to remotely log on to a Linux server on a Windows PC?

To connect to a Linux terminal directly, use secure CRT to connect to linux through SSH.
To connect to the graphic interface, install Xmanager in windows. For linux configuration, see the following webpage: www.linuxeden.com/...0.html
Follow this step.

Because the company's route VPN can be less powerful, you want to set up a VPN Server on the company's Intranet, either linux or windows

Then you should choose "PEX vpn". It is software-only and compatible with all systems and cannot meet your needs. Baidu can directly search for vpn. It is easy to use.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.