Windows下使用CA驗證的OpenVPN Server的配置方法

來源:互聯網
上載者:User

下載安裝OpenVPN:

用Flashget或者其它任何方式下載OpenVPN的安裝包,然後安裝,記得選上easy-rsa這部分指令碼,
用於管理CA的bat指令碼。
http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe

安裝完畢後,easy-rsa在C:\Program Files\OpenVPN\目錄下。

下面開始配置:
把easy-rsa目錄下的vars.bat.sample改名為vars.bat,並且修改其內容:
==================================
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=OpenVPN
set KEY_EMAIL=elm@elm.freetcp.com
==================================
其它部分就不用修改了,上面部分修改成你自己的配置。

把easy-rsa下的openssl.cnf.sample改成openssl.cnf。

然後進入cmd.exe
=============================================
Microsoft Windows XP [版本 5.1.2600]
(C) 著作權 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd "\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
系統找不到指定的檔案。
已複製         1 個檔案。
已複製         1 個檔案。

C:\Program Files\OpenVPN\easy-rsa>

產生Root CA
格式: build-ca.bat
輸出: keys/ca.crt keys/ca.key
======================================================================
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
......++++++
.........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:OpenVPN RootCA
Email Address [elm@elm.freetcp.com]:

C:\Program Files\OpenVPN\easy-rsa>

產生dh1024.pem檔案,Server使用TLS必須使用的一個檔案。
格式: build-dh.bat
輸出: keys/dh1024.pem
============================================================================
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................+...............+........+.................................
....................................+...........................+...............
........................................+.......................................
.........................................+...............+......................
................................................................................
.......................+..................................+.....................
..........................+.........................+...........+...............
.......+.........................+..............................................
........+....+..................................................................
................................................................................
...+....+.+...........................................+.........................
....................................................................+...........
.................+.....................................................+........
..............................................................+...+.............
.....+.........................+...........+....................................
................+......................+.....................................+..
....................................................................+.........+.
......+........................................................+................
...............................+..+.............................+...............
..............................................+.......................+.........
................................................................................
............................................................................+...
...................................+.............+..............................
.............................................................+.+........+.......
..............................................+.................................
...+............................................................................
............+..................................................+................
...........................+..........................................+........+
.........+.........+..........................................+................+
..+..........................................................................+..
.....+..+....................+.....................+............................
................................................................................
...........+.........+....+.........................+...........+.......+.+.....
.....................................................+................+.........
..........+.....................................................................
................+...............................................+..........+....
................................................................................
.................+.........................................+....................
..............................................................................+.
.......+.......................................................+..+.............
+................................+...+..........................+...............
..........................................................+..................+..
................................................................................
......................................................+.........................
....+.......................+.......................+...........................
..............+.................................................................
.......................................................+........................
..........................................................................+.....
......+..................................+......................................
...................................................+..................+.........
..............+.......................+.........................................
................................................................................
.....+....................+...........................+.........................
................................................................................
........................................................................++*++*++
*

C:\Program Files\OpenVPN\easy-rsa>

下面開始產生Server使用的認證了:
格式: build-key-server.bat <filename>
輸出: keys/<filename>.crt <filename>.csr <filename>.key
================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
................++++++
.....++++++
writing new private key to 'keys\server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:Server01
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'Server01'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

下面開始為client辦法認證:
格式: build-key.bat <filename>
輸出: keys/<filename>.crt keys/<filename>.csr keys/<filename>.key
===========================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
.....................................................++++++
...................................................++++++
writing new private key to 'keys\elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:ELM
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'ELM'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

下面產生ta.key檔案
格式: openvpn --genkey --secret keys/ta.key
輸出: keys/ta.key
=========================================================================
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.key

C:\Program Files\OpenVPN\easy-rsa>

OK,那些keys就搞定了,下面開始寫設定檔。
server01.ovpn內容:
----------------CUT Here-------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
--------------Cut Here-----------------
把設定檔放到C:\Program Files\OpenVPN\config\目錄下。
把easy-rsa\keys\下的 ca.crt server01.crt server01.key ta.key dh1024.pem
複製到server01.ovpn所在目錄。

Server的配置已經結束,可以啟動Server了,在右下角OpenVPN-gui上點右鍵,然後選擇connected。
需要伺服器啟動後自動運行,修改 "控制台" 下面的 "管理工具" 下的 "服務" 把OpenVPN設定成自動啟動。

Client的設定檔:
-------------Cut Here---------------------
client
dev tap
proto udp

remote 61.1.1.2 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

ca ca.crt
cert elm.crt
key elm.key

ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
--------------Cut Here---------------------
並且把easy-rsa/keys下的ca.crt elm.crt elm.key ta.key一起放到Client的
<OPENVPN_HOME>\config目錄下。

Client的配置已經結束,可以串連Server了,在右下角OpenVPN-gui上點右鍵,然後選擇connected。


OK,整個配置就完成了。

需要為其它使用者頒發認證,只需如下步驟:
進入cmd.exe

cd <OPENVPN_HOME>\easy-rsa
vars.bat
build-kye.bat <filename>

Client所需要的檔案:

client.ovpn (需要修改部分配置)
ca.crt
<fielname>.crt
<filename>.key (<filename>為 檔案名稱,如: elm 等)
ta.key

相關文章

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.