Introduction to OpenVPN Windows Edition installation configuration

Source: Internet
Author: User

Recently I have spent a lot of time configuring OpenVPN, in particular on letting clients reach shared resources on the server's network and reach the external network (the Internet) through the server.

After a good deal of work it finally succeeded. I am writing down the approximate process here as a note.

1 Installing OpenVPN on Windows. Download the build for your system version and install it directly. In addition, OpenSSL must be installed; downloading the WinOpenSSL installer directly is recommended.

Note: on the server side, select all components in the installer. Otherwise the certificates cannot be created.


2 Creating certificates

2.1 On the server, open the easy-rsa folder under the installation directory and first edit vars.bat.sample, changing its contents.

Pay attention to the common name field; the other fields can be filled in as you like.

2.2 Run the following at the command line (note: administrator permissions are required):

init-config

vars

clean-all

2.3 Create the CA: build-ca. This produces two files, ca.crt and ca.key. ca.crt is the public file and is used by both the server and the clients; ca.key is the CA's private key and stays on the server.

2.4 Create the server certificate: build-key-server server (the server certificate file name). This produces 3 files: server.crt, server.key, server.csr.

2.5 Create a client certificate: build-key client (the certificate file name for the client). This produces 3 files: client.crt, client.key, client.csr.

Note: when generating certificates for different clients, make sure the common name fields are distinct.

2.6 Create the Diffie-Hellman key exchange parameters: build-dh. This is optional. Generation takes about ten minutes or more. It produces 1 file: dh4096.pem (the file name may differ between versions).

2.7 Enable tls-auth (optional, not essential):

openvpn --genkey --secret keys/ta.key

This produces 1 file: ta.key.

2.8 If you need to create another user later, run vars at the command line and then build-key (the new user's file name) directly.

3 Configuration and running

3.1 Server side:

Copy from openvpn/easy-rsa/keys/: ca.crt, server.crt, server.key, dh4096.pem, ta.key (they go next to the .ovpn file in the config directory)

Copy server.ovpn from the openvpn/sample-config directory to the openvpn/config directory, then open it in a text editor and modify the contents as follows:

port 1194
proto udp
dev tun # Note: tested on Windows; to reach the Internet through the server either tap or tun works. No problem, you do not have to use tap.
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
push "route 0.0.0.0 0.0.0.0" # push the gateway; on Windows, if you want to reach the Internet through the server, it is best to include this
ifconfig-pool-persist ipp.txt # note: watch the permissions at runtime; without administrator rights the server may be unable to write to the default installation directory on the C: drive and reports an error at startup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS ..." # push DNS; on Windows, if you want to reach the Internet through the server, it is best to include this
push "dhcp-option DNS ..."
keepalive 10 200
tls-auth ta.key 0 # if you did not generate ta.key above, leave this out
cipher AES-256-CBC # default cipher; may differ between versions
comp-lzo
persist-key
persist-tun
status server.log # a simple log, written directly in this directory, handy to open when there is an error
verb 3
;explicit-exit-notify 1 # optional; not supported on XP

3.2 Client

client
port 1194
proto udp
dev tun # Note: tested on Windows; to reach the Internet through the server either tap or tun works. No problem, you do not have to use tap.
remote <server IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1 # if you did not generate ta.key above, leave this out; on the client the direction is 1
cipher AES-256-CBC # default cipher; may differ between versions
comp-lzo
status client.log # a simple log, written directly in this directory, handy to open when there is an error
verb 3
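The server and client files above have to agree with each other on several points (protocol, port, device type, cipher, and the tls-auth key direction: 0 on the server, 1 on the client), and the client should keep remote-cert-tls server so that only a certificate issued as a server certificate is accepted as the VPN server. The following Python script is an added example, not part of the original tutorial or of OpenVPN itself: it parses a server/client .ovpn pair into directives, reports such mismatches (going a little beyond the page by also comparing proto, dev and port), and lists referenced key files that are missing from the config directory, which covers the copy step in 3.1 as well. The sample configurations embedded in it are constructed to mirror the tutorial's, with a placeholder DNS address and server hostname; the function names and the choice of checks are mine.

```python
import os
import shlex

# Constructed sample configs mirroring the tutorial's server.ovpn and client.ovpn;
# the DNS address and the remote hostname are placeholders, not real values.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"   # constructed placeholder DNS server
ifconfig-pool-persist ipp.txt
keepalive 10 200
tls-auth ta.key 0
cipher AES-256-CBC
;explicit-exit-notify 1
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194   # constructed placeholder server address
nobind
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
"""

# Deliberately broken client (constructed): wrong tls-auth direction, no
# server-certificate check, and a cipher that does not match the server.
BAD_CLIENT_CONF = (CLIENT_CONF.replace("tls-auth ta.key 1", "tls-auth ta.key 0")
                   .replace("remote-cert-tls server\n", "")
                   .replace("cipher AES-256-CBC", "cipher AES-128-CBC"))


def parse_config(text):
    """[(directive, [args])]; '#' and ';' start comments, quoted args stay whole."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # strips trailing '#' comments
        if parts:
            directives.append((parts[0].lower(), parts[1:]))
    return directives


def first(directives, name):
    """Argument list of the first occurrence of `name`, or None if absent."""
    for directive, args in directives:
        if directive == name:
            return args
    return None


def check_pair(server_text, client_text):
    """Findings for a server/client pair; an empty list means consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    findings = []
    for name in ("proto", "dev", "cipher"):
        sv, cv = first(s, name), first(c, name)
        if sv is not None and cv is not None and sv != cv:
            findings.append(f"{name} differs: server {sv} vs client {cv}")
    # The client dials the port given in 'remote host port'.
    sp, remote = first(s, "port"), first(c, "remote")
    if sp and remote and len(remote) > 1 and sp[0] != remote[1]:
        findings.append(f"port differs: server {sp[0]} vs client {remote[1]}")
    # tls-auth on both sides or neither; key direction 0 on the server and
    # 1 on the client, exactly as the tutorial sets it.
    st, ct = first(s, "tls-auth"), first(c, "tls-auth")
    if (st is None) != (ct is None):
        findings.append("tls-auth is configured on only one side")
    elif st is not None:
        if len(st) > 1 and st[1] != "0":
            findings.append(f"server tls-auth direction should be 0, got {st[1]}")
        if len(ct) > 1 and ct[1] != "1":
            findings.append(f"client tls-auth direction should be 1, got {ct[1]}")
    # Without 'remote-cert-tls server' the client accepts any certificate
    # signed by the CA, including another client's, as the server.
    if first(c, "remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server'")
    return findings


def missing_files(directives, base_dir):
    """Referenced key/cert files (the ones copied out of easy-rsa/keys) absent from base_dir."""
    return [args[0] for d, args in directives
            if d in ("ca", "cert", "key", "dh", "tls-auth") and args
            and not os.path.exists(os.path.join(base_dir, args[0]))]


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, BAD_CLIENT_CONF):
        print("finding:", finding)
    print("missing in config dir:", missing_files(parse_config(SERVER_CONF), "."))
```

Run it from the openvpn/config directory to see which of the files from step 3.1 are still missing; pass your own file contents to check_pair to compare a real server/client pair.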

4 Key point: for clients to access network resources on the server side, be sure to enable Internet Connection Sharing on the server's physical network adapter.

In the properties of the server's physical network adapter, enable Internet Connection Sharing: "Allow other network users to connect through this computer's Internet connection".

This gives access to the server-side shared resources. If that is not enough, push the gateway as well.

If you want to use the server's external network (the Internet), it is best to push the DNS servers too. With these three things done, the server's intranet will definitely be reachable, and in most cases the external network is as well.

If it still is not, and the server runs a server edition of Windows, install the NAT service directly.

This article is entirely original, all typed by hand. Please do not alter it when reprinting.

