OpenVPN Virtual Private Network Installation and Deployment

1. Introduction

A virtual private network (VPN) is a secure network connection established over a public network. It differs from an ordinary network connection in that it uses a dedicated tunneling protocol to provide data encryption and integrity checking as well as user authentication, which ensures that information is not eavesdropped on, tampered with, or copied in transit. From the standpoint of connection security, it is like building a leased-line network inside the public network, except that this leased line is logical rather than physical, hence the name virtual private network. The structure of a VPN system is shown in Figure 1 and comprises a VPN server, VPN clients, and the tunnel. Because transmitting over the Internet costs far less than leasing a dedicated line, VPNs make it possible for enterprises to transmit private, confidential information over the Internet both securely and economically.

2. Configuring a VPN with OpenVPN on Windows

OpenVPN is an open-source third-party VPN configuration tool that can turn existing equipment into a lightweight VPN application gateway. The installation and configuration steps are as follows:

1. Download and install OpenVPN

Download the latest version from the official website at /index.php/open-source/downloads.html: openvpn-2.2.1-install.exe (2.2.1 is currently the latest version on the official site). Double-click openvpn-2.2.1-install.exe; the detailed steps are as follows:

After installation, the easy-rsa folder is located under C:\Program Files\OpenVPN, and a new Local Area Connection appears in the lower-right corner of the OpenVPN server's desktop. Rename it to: net99123vpn

PS: If no new connection appears in the lower-right corner of the OpenVPN server's desktop after installation, double-click addtap.bat in the C:\Program Files\OpenVPN\bin directory to add one manually.

2. Initialize the configuration

(1) Edit vars.bat.Sample in the easy-rsa directory as follows (preferably open it with WordPad, because Notepad may break the file's formatting).

Generally, change the key size to 2048 bits (on line 40):

    set KEY_SIZE=2048

Then change the field values on lines 45 to 49 to suit your deployment:

    set KEY_COUNTRY=CN
    set KEY_PROVINCE=HN
    set KEY_CITY=smx
    set KEY_ORG=net99123
    set KEY_EMAIL=

(2) Open a command prompt (Start - Run - type cmd):

    C:\Documents and Settings\ThinkPad>cd \Program Files\OpenVPN\easy-rsa
    C:\Program Files\OpenVPN\easy-rsa>init-config
    已复制 1 个文件
    C:\Program Files\OpenVPN\easy-rsa>vars        <- this step is required
    C:\Program Files\OpenVPN\easy-rsa>clean-all
    系统找不到指定的文件。
    已复制 1 个文件。
    已复制 1 个文件。

3. Generate the root CA

    C:\Program Files\OpenVPN\easy-rsa>vars        <- this step is required
    C:\Program Files\OpenVPN\easy-rsa>build-ca

PS: It reports that f cannot be found. Haven't you heard that being imperfect is no cause for regret?

    Loading screen into random state - done
    Generating a 1024 bit RSA private key
    .+.+
    writing new private key to keys\ca.key
    -
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ., the field will be left blank.
    -
    Country Name (2 letter code) US:CN
    State or Province Name (full name) CA:HN
    Locality Name (eg, city) SanFrancisco:smx
    Organization Name (eg, company) OpenVPN:net99123
    Organizational Unit Name (eg, section) :net99123
    Common Name (eg, your name or your servers hostname) :net99123se
    Email Address mailhost.domain:

4. Generate the dh1024.pem file

PS: This is a file the server must have in order to use TLS.

    C:\Program Files\OpenVPN\easy-rsa>vars        <- this step is required
    C:\Program Files\OpenVPN\easy-rsa>build-dh    <- takes a long time; wait patiently
    Loading screen into random state - done
    Generating DH parameters, 1024 bit long safe prime, generator 2
    This is going to take a long time
    .+.+.+*+*+*

5. Generate the server certificate, the client certificate, and the TA key

First generate the certificate used by the server:

    C:\Program Files\OpenVPN\easy-rsa>vars
    C:\Program Files\OpenVPN\easy-rsa>build-key-server server
    Loading screen into random state - done
    Generating a 1024 bit RSA private key
    .+.+
    writing new private key to keys\server.key
    -
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ., the field will be left blank.
    -
    Country Name (2 letter code) US:CN
    State or Province Name (full name) CA:HN
    Locality Name (eg, city) SanFrancisco:smx
    Organization Name (eg, company) OpenVPN:net99123
    Organizational Unit Name (eg, section) :net99123
    Common Name (eg, your name or your servers hostname) :net99123se
    Email Address mailhost.domain:
    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password :123456        <- may be left empty and changed after installation and deployment
    An optional company name :cdtsm
    Using configuration from f
    Loading screen into random state - done
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName :PRINTABLE:CN
    stateOrProvinceName :PRINTABLE:BJ
    localityName :PRINTABLE:BeiJing
    organizationName :PRINTABLE:cdtsm
    organizationalUnitName:PRINTABLE:cdtsm
    commonName :PRINTABLE:cdtsm
    emailAddress :IA5STRING:
    Certificate is to be certified until Jul 25 04:11:08 2020 GMT (3650 days)
    Sign the certificate? y/n:y
    1 out of 1 certificate requests certified, commit? y/ny
    Write out database with 1 new entries
    Data Base Updated

The certificate used by the server is now generated.

Generate the client certificate:

    C:\Program Files\OpenVPN\easy-rsa>vars
    C:\Program Files\OpenVPN\easy-rsa>build-key client
    Loading screen into random state - done
    Generating a 1024 bit RSA private key
    .+.+
    writing new private key to keys\client.key
    -
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ., the field will be left blank.
    -
    Country Name (2 letter code) US:CN
    State or Province Name (full name) CA:HN
    Locality Name (eg, city) SanFrancisco:smx
    Organization Name (eg, company) OpenVPN:net99123
    Organizational Unit Name (eg, section) :net99123
    Common Name (eg, your name or your servers hostname) :net99123        <- PS: pay attention here, this must be different
    Email Address mailhost.domain:
    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password :123456        <- may be left empty and changed after installation and deployment
    An optional company name :cdtsm
    Using configuration from f
    Loading screen into random state - done
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName :PRINTABLE:CN
    stateOrProvinceName :PRINTABLE:BJ
    localityName :PRINTABLE:BeiJing
    organizationName :PRINTABLE:cdtsm
    organizationalUnitName:PRINTABLE:cdtsm
    commonName :PRINTABLE:client
    emailAddress :IA5STRING:
    Certificate is to be certified until Jul 25 04:13:17 2020 GMT (3650 days)
    Sign the certificate? y/n:y
    1 out of 1 certificate requests certified, commit? y/ny
    Write out database with 1 new entries
    Data Base Updated

The client certificate used by the client is now generated.

Generate the ta.key file:

    C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.key

At this point all the certificate and key files needed by the root CA, the client, and the server are ready. What remains is to configure the server-side and client-side files.

6. Server and client configuration

(1) The server-side configuration file is in the C:\Program Files\OpenVPN\sample-config folder. An example of the contents of server.ovpn is as follows:

Copy the configuration file server.ovpn to the C:\Program Files\OpenVPN\config directory, then copy ca.crt, ca.key, server.crt, server.csr, server.key, dh1024.pem, and ta.key from the C:\Program Files\OpenVPN\easy-rsa\keys directory to the C:\Program Files\OpenVPN\config directory. The server-side configuration is now complete and the server can be started. If the server should start automatically at boot, go to Services under Administrative Tools in Control Panel and set OpenVPN to start automatically.

PS: Seven files in total are copied on the server side; do not leave any out.

This completes the server-side configuration. Next, connecting to the server
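
The transcripts on this page report 1024-bit keys and a dh1024.pem file even though step 2 asks for 2048 bits. The following added example (not part of the original document) reads a vars.bat the way cmd.exe would and checks build output for undersized keys; both sample inputs are constructed, and the function names are hypothetical.

```python
import re

MIN_BITS = 2048  # key size step 2 of the guide asks for

# Constructed vars.bat fragment (not the page's file): a Unix-style line that
# cmd.exe does not treat as an assignment, followed by the batch default.
SAMPLE_VARS = """\
export KEY_SIZE=2048
set KEY_SIZE=1024
set KEY_COUNTRY=CN
"""

# Constructed transcript using the message formats quoted on this page.
SAMPLE_LOG = """\
Generating a 1024 bit RSA private key
Generating DH parameters, 1024 bit long safe prime, generator 2
"""

SET_RE = re.compile(r"^\s*set\s+(\w+)=(.*?)\s*$", re.IGNORECASE)
GEN_RE = re.compile(r"Generating (?:a (\d+) bit RSA private key|DH parameters, (\d+) bit)")


def effective_vars(text):
    """Variables that cmd.exe would actually set; a later line wins."""
    values = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            values[m.group(1).upper()] = m.group(2)
    return values


def generated_sizes(log):
    """(kind, bits) for each key or DH generation message in the output."""
    return [("rsa", int(m.group(1))) if m.group(1) else ("dh", int(m.group(2)))
            for m in GEN_RE.finditer(log)]


def audit(vars_text, log, minimum=MIN_BITS):
    """Findings for a too-small configured size and for undersized output."""
    raw = effective_vars(vars_text).get("KEY_SIZE", "")
    configured = int(raw) if raw.isdigit() else 0
    findings = []
    if configured < minimum:
        findings.append(f"vars.bat: effective KEY_SIZE={configured}, want >= {minimum}")
    findings += [f"output: {kind} generated with {bits} bits"
                 for kind, bits in generated_sizes(log) if bits < minimum]
    return findings
```

Running audit on the real vars.bat and on the saved console output of build-ca, build-dh and build-key-server before copying anything into the config directory shows whether the 2048-bit setting took effect.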
