Posted 2006-2-9 21:00:23 | 7,370 characters | China–Hubei–Wuhan, China Telecom
Basics
Preface
To get around the various restrictions of CMWAP, users have come up with all kinds of workarounds; connecting to an SSL VPN server through the China Mobile proxy is one of the more convenient ones. But because the SoftEther family is unstable and has poor compatibility, we had to look for a more suitable program. OpenVPN is a powerful, cross-platform (Windows 2000/XP/2003, Linux, Mac OS X, Solaris, FreeBSD, NetBSD and OpenBSD) SSL VPN server; see the official homepage for details, which I won't translate here. After a period of testing (http://www.thinkpad.cn/forum/viewthread.php?tid=332066), OpenVPN has performed well overall, although quite a few problems remain.
This article is written for users who go online via CMWAP or CDMA, so some of the settings are not appropriate for clients on broadband.
--------------------------------------------------------------------------------
Thanks to myliyifei for his support and cooperation (actually he is the one who dragged me into this), to wyun for reviewing the draft, and to everyone who took part in the testing.
--------------------------------------------------------------------------------
Server-side environment
OS: Windows XP SP2
ADSL dial-up Internet access
Step 1: Installing and configuring OpenVPN
1.1 Download and install OpenVPN
- Download openvpn-2.0.5-gui-1.0.3 from http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe and install it. (In this article it is installed to F:\OPENVPN; all examples below use that directory.)
- Installation creates a new network adapter, which appears in Network Connections as Local Area Connection [X]. Set its TCP/IP properties to manual configuration: IP address 192.168.10.1 (change to suit your situation), subnet mask 255.255.255.0, leave everything else blank.
1.2 Generate certificates
- Edit the following section of F:\OpenVPN\easy-rsa\vars.bat.sample:
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set KEY_EMAIL=mail@host.domain
and change it to (adjust the values to your own situation):
set HOME=F:\OpenVPN\easy-rsa
set KEY_COUNTRY=CN
set KEY_PROVINCE=Hubei
set KEY_CITY=Wuhan
set KEY_ORG=51NB
set KEY_EMAIL=MATONG_01@163.COM
- Generate the certificates
- OpenVPN has two security modes: SSL/TLS using RSA certificates and keys, and a pre-shared static key. This article uses SSL/TLS mode. Its advantages are security and easy user management. By default a certificate maps to exactly one user; if several users connect with the same certificate, they get kicked off.
- Start --> Run... --> type cmd and press Enter to open a command prompt, then change to the F:\OpenVPN\easy-rsa directory.
- Run the following commands:
F:\OpenVPN\easy-rsa>init-config
F:\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
已复制 1 个文件。
F:\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
已复制 1 个文件。
F:\OpenVPN\easy-rsa>vars
F:\OpenVPN\easy-rsa>clean-all
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。
F:\OpenVPN\easy-rsa>vars
F:\OpenVPN\easy-rsa>build-ca # generate the root CA certificate
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
.......................................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [51NB]:
Organizational Unit Name (eg, section) []:CMWAP
Common Name (eg, your name or your server's hostname) []:fangzy # enter your own name
Email Address [mail@host.domain]:
F:\OpenVPN\easy-rsa>build-dh # this one is a bit slow, expect about half a minute
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....................+...........................................................
...............+......................+........+................................
.....................................+..........................................
..........................+..+.....................+......+.....................
.......+.+...............................................+......................
...........................................................+.........+..........
..........+.................................+.........................+.........
...................................................+..............+.............
............+...........................+...........................+....+......
................................................................................
.....................+..............................+...........................
................................................................................
..........+.....................++*++*++*
F:\OpenVPN\easy-rsa>build-key-server server # generate the server-side key and certificate; "server" is the server name
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.........++++++
....................................++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [51NB]:
Organizational Unit Name (eg, section) []:CMWAP
Common Name (eg, your name or your server's hostname) []:server # enter your own name
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxx # enter a password of at least 4 characters
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Hubei'
localityName :PRINTABLE:'Wuhan'
organizationName :PRINTABLE:'51NB'
organizationalUnitName:PRINTABLE:'CMWAP'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Feb 1 05:30:29 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
F:\OpenVPN\easy-rsa>build-key client # generate the client key and certificate; "client" is the user name
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.............++++++
....++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [51NB]:
Organizational Unit Name (eg, section) []:CMWAP
Common Name (eg, your name or your server's hostname) []:client
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxx
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Hubei'
localityName :PRINTABLE:'Wuhan'
organizationName :PRINTABLE:'51NB'
organizationalUnitName:PRINTABLE:'CMWAP'
commonName :PRINTABLE:'client'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Feb 1 05:31:40 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
- To generate more client keys, run build-key client1 ... build-key xyz.
- Copy the certificate files
The certificates just generated are in F:\OpenVPN\easy-rsa\keys. The server needs ca.crt, dh1024.pem, server.crt and server.key; the client needs ca.crt, client.crt and client.key (or xxx.crt and xxx.key). These files are referenced when writing the .ovpn files.
1.3 Configure server.ovpn
- Create a server.ovpn file in the \OpenVPN\config directory and copy ca.crt, dh1024.pem, server.crt and server.key to F:\OpenVPN\KEY.
- Server-side example file:
server.ovpn
port 443
proto tcp-server
dev tun
server 192.168.10.0 255.255.255.0
keepalive 20 180
ca F:\\OPENVPN\\KEY\\ca.crt
cert F:\\OPENVPN\\KEY\\server.crt
key F:\\OPENVPN\\KEY\\server.key
dh F:\\OPENVPN\\KEY\\dh1024.pem
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.10.1"
mode server
tls-server
status F:\\OpenVPN\\log\\openvpn-status.log
comp-lzo
verb 4
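As an added example that is not part of the original post: a small Python checker that parses a server.ovpn like the one above and flags the points this guide depends on (the four files from easy-rsa\keys, TLS mode, the one-certificate-per-user default, and the TAP adapter address from step 1.1 lying inside the "server" subnet). The check rules and function names are my own, not OpenVPN's.

```python
import ipaddress
import shlex

# The server.ovpn listed in the post, embedded here as constructed sample input.
SERVER_OVPN = r"""
port 443
proto tcp-server
dev tun
server 192.168.10.0 255.255.255.0
keepalive 20 180
ca F:\\OPENVPN\\KEY\\ca.crt
cert F:\\OPENVPN\\KEY\\server.crt
key F:\\OPENVPN\\KEY\\server.key
dh F:\\OPENVPN\\KEY\\dh1024.pem
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.10.1"
mode server
tls-server
status F:\\OpenVPN\\log\\openvpn-status.log
comp-lzo
verb 4
"""

def parse_ovpn(text):
    """Return [(directive, [args])] for each non-comment line of an OpenVPN config."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comments start with '#' or ';'
            continue
        # Quotes group a multi-word argument (the push lines); '\\' becomes one literal
        # backslash, which is how OpenVPN reads the Windows paths in this file.
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries

def audit_server_config(text, adapter_ip):
    """Check the points the post relies on; an empty list means nothing to flag."""
    cfg = parse_ovpn(text)
    names = {d for d, _ in cfg}
    # TLS mode needs all four files copied from easy-rsa\keys in step 1.2.
    findings = [f"missing '{n}' directive" for n in ("ca", "cert", "key", "dh") if n not in names]
    if "tls-server" not in names:
        findings.append("no 'tls-server': certificate-based (TLS) mode is not enabled")
    if "duplicate-cn" in names:  # the post notes that by default one certificate = one user
        findings.append("'duplicate-cn' lets several clients share one certificate")
    for d, a in cfg:  # the TAP adapter address chosen in step 1.1 must lie in the VPN subnet
        if d == "server" and ipaddress.ip_address(adapter_ip) not in ipaddress.ip_network(f"{a[0]}/{a[1]}"):
            findings.append(f"adapter address {adapter_ip} is outside the VPN subnet {a[0]}/{a[1]}")
    return findings
```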