Configuring an OpenVPN Server with CA-based Certificate Authentication on Windows


April 12, 2007 at 9:11 pm by Kim Chow · Filed under windows

At the request of many readers I have decided to start writing an OpenVPN installation guide for Windows. On Windows it is actually simpler than on Linux:
the installer package from the project site gets OpenVPN installed in a few clicks, and all that is left is the configuration.

This article describes how to configure an OpenVPN server on Windows that authenticates clients with certificates issued by your own CA.

For questions, see:
http://elm.freetcp.com
http://wenzk.cublog.cn

Enough preamble, let's begin :)

Download and install OpenVPN:

Download the OpenVPN installer (with FlashGet or any other download tool) and run it. Make sure the easy-rsa component is selected:
those are the batch scripts used to manage the CA. This walkthrough was written against the following release:
http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe

After installation, easy-rsa is in C:\Program Files\OpenVPN\easy-rsa\.

Now the configuration:
In the easy-rsa directory, rename vars.bat.sample to vars.bat and edit its contents:
==================================
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=OpenVPN
set KEY_EMAIL=elm@elm.freetcp.com
==================================
Replace the values above with your own; the rest of the file can stay as it is. Two lines in the rest are worth knowing about: KEY_DIR=keys names the directory that every script writes into (and that clean-all.bat wipes), and the sample sets KEY_SIZE=1024. 1024-bit RSA keys and DH parameters are no longer considered adequate; setting KEY_SIZE=2048 fixes both at the cost of a slower build-dh, and build-dh then produces dh2048.pem, which the server configuration must name instead of dh1024.pem.

Rename openssl.cnf.sample in easy-rsa to openssl.cnf.

Then open cmd.exe:
=============================================
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd "\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
The system cannot find the file specified.
        1 file(s) copied.
        1 file(s) copied.

C:\Program Files\OpenVPN\easy-rsa>
=============================================
vars only sets environment variables for the current cmd window, so run it again in every new window before any of the other scripts. clean-all.bat (re)creates the keys directory together with the empty index.txt and serial files the CA database needs (the two "1 file(s) copied" lines); the "cannot find the file" message on a fresh install only means there were no old keys to delete. Because it deletes everything under keys\, run it exactly once, at the beginning.

Generate the root CA
Syntax: build-ca.bat
Output: keys\ca.crt keys\ca.key
The defaults shown in brackets come from vars.bat; press Enter to accept them and give the CA a Common Name of your own. ca.crt is public and goes to the server and to every client. ca.key is the signing key: whoever holds it can issue certificates that your server will accept, so it stays on this machine and is never copied to the server or to a client.
======================================================================
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
......++++++
.........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:OpenVPN RootCA
Email Address [elm@elm.freetcp.com]:

C:\Program Files\OpenVPN\easy-rsa>

Generate dh1024.pem, the Diffie-Hellman parameters the server needs for the TLS key exchange.
Syntax: build-dh.bat
Output: keys\dh1024.pem
The size follows KEY_SIZE in vars.bat; with KEY_SIZE=2048 the file is keys\dh2048.pem and the dh line of the server configuration must name that file instead. The "not much extra random data" warning only reports that no extra seed file was found and does not stop generation, but generating the parameters really does take a while.
============================================================================
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...................+..............+........+.....
(many more lines of progress dots omitted)
.........................................++*++*++
*

C:\Program Files\OpenVPN\easy-rsa>

Now generate the server certificate:
Syntax: build-key-server.bat <filename>
Output: keys\<filename>.crt keys\<filename>.csr keys\<filename>.key
Use build-key-server, not build-key, for the server: it adds the nsCertType=server extension that the client configuration's "ns-cert-type server" line checks later, which is what prevents a client certificate from being used to impersonate the server. Accept the defaults, give the server a Common Name of its own (every certificate signed by this CA needs a different Common Name; the CA database refuses to sign a second certificate with an identical subject, and OpenVPN identifies clients by the CN), leave the challenge password empty, and answer y twice to sign and commit.
================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
................++++++
.....++++++
writing new private key to 'keys\server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:Server01
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'Server01'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now issue a certificate for the client:
Syntax: build-key.bat <filename>
Output: keys\<filename>.crt keys\<filename>.csr keys\<filename>.key
Issue one certificate per client, with a Common Name that identifies that client; keeping the file name equal to the CN (elm here) makes the files easier to track later.
===========================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
....................................................++++++
..................................................++++++
writing new private key to 'keys\elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:ELM
Email Address [elm@elm.freetcp.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'ELM'
emailAddress          :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb  9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now generate ta.key
Syntax: openvpn --genkey --secret keys\ta.key
Output: keys\ta.key
ta.key is a shared static key for tls-auth: every control-channel packet is HMAC-signed with it, and packets without a valid HMAC are dropped before any TLS processing, which shields the server from port scans and from attacks on the TLS handshake itself. The same file goes to the server and to every client (key direction 0 on the server and 1 on the clients, as in the configurations below); treat it as a secret like the private keys.
=========================================================================
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys\ta.key

C:\Program Files\OpenVPN\easy-rsa>
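To see what the three batch scripts actually do, and to check their output before it is deployed, here is an added example (written for this page; it is not the post's scripts and not part of easy-rsa) that reproduces build-ca, build-key-server and build-key with plain openssl commands and then runs three checks on the result: each certificate chains to ca.crt, only the server certificate carries nsCertType=server, and each private key matches its certificate. It is a POSIX shell script (run it in Git Bash, WSL or on Linux) and assumes an openssl binary in PATH; the scratch directory, the 2048-bit key size, the extension values and the names server01 and elm are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post or of easy-rsa: the three
# easy-rsa steps above (build-ca, build-key-server, build-key) expressed as
# plain openssl commands, followed by the checks worth running on the result
# before the files are copied into OpenVPN\config. Assumes an openssl binary
# in PATH; directory layout, file names and CNs are illustrative.
set -u

KEYS="$(mktemp -d)"          # stands in for easy-rsa\keys (constructed layout)
SUBJ_BASE="/C=CN/ST=Liaoning/L=Shenyang/O=OpenVPN/OU=OpenVPN ORG"
DAYS=3650

# Minimal req config so the run does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$KEYS/req.cnf"

# build-ca: self-signed root; basicConstraints/keyUsage mark it as a CA.
# 2048-bit keys instead of the 1024-bit ones shown in the post.
build_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$KEYS/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$KEYS/req.cnf" \
    -subj "$SUBJ_BASE/CN=OpenVPN RootCA" \
    -keyout "$KEYS/ca.key" -out "$KEYS/ca.csr" 2>/dev/null &&
  openssl x509 -req -days "$DAYS" -in "$KEYS/ca.csr" -signkey "$KEYS/ca.key" \
    -extfile "$KEYS/ca.ext" -out "$KEYS/ca.crt" 2>/dev/null
}

# Extensions: build-key-server adds nsCertType=server, which is exactly what
# the client's "ns-cert-type server" line checks; build-key does not add it.
write_ext() {   # $1 = server|client, $2 = output file
  if [ "$1" = server ]; then
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$2"
  else
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$2"
  fi
}

# build-key-server / build-key: private key + CSR, then sign it with the CA.
build_key() {   # $1 = server|client, $2 = name used as CN and as file name
  write_ext "$1" "$KEYS/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$KEYS/req.cnf" \
    -subj "$SUBJ_BASE/CN=$2" \
    -keyout "$KEYS/$2.key" -out "$KEYS/$2.csr" 2>/dev/null &&
  openssl x509 -req -days "$DAYS" -in "$KEYS/$2.csr" \
    -CA "$KEYS/ca.crt" -CAkey "$KEYS/ca.key" -CAcreateserial \
    -extfile "$KEYS/$2.ext" -out "$KEYS/$2.crt" 2>/dev/null
}

# Check 1: the cert chains to ca.crt (what "ca ca.crt" in the .ovpn enforces).
chains_to_ca() {   # $1 = cert name
  openssl verify -CAfile "$KEYS/ca.crt" "$KEYS/$1.crt" >/dev/null 2>&1
}

# Check 2: only the server cert carries nsCertType=server. If a client cert
# from the same CA had it too, that client could pose as the VPN server.
is_server_cert() {   # $1 = cert name
  openssl x509 -in "$KEYS/$1.crt" -noout -text \
    | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# Check 3: the private key really belongs to the certificate (compare moduli).
key_matches_cert() {   # $1 = cert name, $2 = key name
  c="$(openssl x509 -in "$KEYS/$1.crt" -noout -modulus)"
  k="$(openssl rsa -in "$KEYS/$2.key" -noout -modulus 2>/dev/null)"
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Same sequence as the post: CA, then the server cert, then one client cert.
build_ca && build_key server server01 && build_key client elm
```

After the script has run, `chains_to_ca elm`, `is_server_cert server01` and `key_matches_cert server01 server01` succeed, while `is_server_cert elm` and `key_matches_cert server01 elm` fail; the same three checks can be run with the same openssl commands against the real files in easy-rsa\keys.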

OK, that is the keys done; now the configuration files.
Contents of server01.ovpn:
----------------CUT Here-------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
;max-clients 100
# Dropping privileges with user/group is not available on Windows
# (OpenVPN stops with a setuid error); uncomment these on Linux/BSD only.
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
--------------Cut Here-----------------
Put the configuration file in C:\Program Files\OpenVPN\config\.
Copy ca.crt, server01.crt, server01.key, ta.key and dh1024.pem from easy-rsa\keys\
into the directory that holds server01.ovpn (the file names in the configuration are resolved relative to that directory). Those five files are all the server needs; ca.key is not among them and must never be copied there.

The server is now configured and can be started: right-click the OpenVPN GUI icon in the system tray and choose Connect.
To have the server start automatically at boot, open Control Panel > Administrative Tools > Services and set the OpenVPN service to start automatically (the service starts every .ovpn file in the config directory).

Client configuration file:
-------------Cut Here---------------------
client
dev tap
proto udp

# Public address of the server (61.1.1.2 is the example used here)
remote 61.1.1.2 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite
nobind
# user/group are not available on Windows; uncomment on Linux/BSD only
;user nobody
;group nobody
# Route to the LAN behind the server; adjust to your network
# (the server can also push it with push "route ...")
route 192.168.0.0 255.255.252.0
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

ca ca.crt
cert elm.crt
key elm.key

# Only accept a server certificate issued with build-key-server (nsCertType=server)
ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
--------------Cut Here---------------------
Copy ca.crt, elm.crt, elm.key and ta.key from easy-rsa\keys\ into the client's
<OPENVPN_HOME>\config directory, next to the client configuration file.

The client is now configured and can connect to the server: right-click the OpenVPN GUI icon in the system tray and choose Connect.

OK, that completes the whole configuration.
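Most failed first connections with this setup come down to a file that was not copied next to the .ovpn, a tls-auth direction that is not 0 on the server and 1 on the client, or dev/proto/comp-lzo differing between the two sides. The following added example (written for this page, not code from the post or from OpenVPN) is a small pre-flight check for a server/client configuration pair: it writes the two configurations from this article and empty placeholder key files into a scratch directory (constructed data; the client's ta.key is deliberately left out), then runs those three checks with a tiny .ovpn option parser. It is a POSIX shell script; the file names, the scratch layout and the server address 61.1.1.2 from the article are illustrative.

```shell
#!/bin/sh
# Added example, not from the post: a pre-flight check of a server/client
# .ovpn pair. Constructed data: the two configs from the article plus empty
# placeholder key files, with the client's ta.key deliberately missing.
set -u
WORK="$(mktemp -d)"
mkdir -p "$WORK/server" "$WORK/client"

cat > "$WORK/server/server01.ovpn" <<'EOF'
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0 # This file is secret
comp-lzo
EOF

cat > "$WORK/client/client.ovpn" <<'EOF'
client
dev tap
proto udp
remote 61.1.1.2 1194
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
EOF

# Placeholders standing in for the real easy-rsa output (empty files)
for f in ca.crt server01.crt server01.key dh1024.pem ta.key; do : > "$WORK/server/$f"; done
for f in ca.crt elm.crt elm.key; do : > "$WORK/client/$f"; done   # no ta.key on purpose

# Config lines with ';' and '#' comments removed (OpenVPN treats both as comments)
stripped() { sed -e 's/[#;].*$//' "$1"; }

# First argument of an option, empty if the option is absent
opt() {   # $1 = config file, $2 = option name
  stripped "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Check 1: every file the config references must exist next to it
# (OpenVPN resolves relative names against the config directory).
missing_files() {   # $1 = config file; prints one missing file name per line
  dir="$(dirname "$1")"
  for k in ca cert key dh tls-auth crl-verify; do
    f="$(opt "$1" "$k")"
    if [ -n "$f" ] && [ ! -f "$dir/$f" ]; then echo "$f"; fi
  done
}

# Check 2: tls-auth key direction must be 0 on the server and 1 on the client.
tls_auth_dir() { stripped "$1" | awk '$1 == "tls-auth" { print $3; exit }'; }
tls_auth_consistent() {   # $1 = server config, $2 = client config
  [ "$(tls_auth_dir "$1")" = 0 ] && [ "$(tls_auth_dir "$2")" = 1 ]
}

# Check 3: dev, proto and comp-lzo must match on both ends.
lzo() { stripped "$1" | awk '$1 == "comp-lzo" { f = 1 } END { print (f ? "on" : "off") }'; }
sides_agree() {   # $1 = server config, $2 = client config
  [ "$(opt "$1" dev)" = "$(opt "$2" dev)" ] &&
  [ "$(opt "$1" proto)" = "$(opt "$2" proto)" ] &&
  [ "$(lzo "$1")" = "$(lzo "$2")" ]
}
```

With the constructed data above, `missing_files "$WORK/client/client.ovpn"` prints ta.key (the file the client was not given) and nothing for the server, `tls_auth_consistent` and `sides_agree` succeed for the server/client pair, and `tls_auth_consistent` fails if the two files are swapped. To use the checks on a real installation, point the functions at the .ovpn files in the two config directories.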

To issue certificates for further users, only these steps are needed:
open cmd.exe

cd <OPENVPN_HOME>\easy-rsa
vars.bat
build-key.bat <filename>

(Do not run clean-all.bat again: it would wipe the CA and every certificate issued so far.)

Files the client needs:

client.ovpn (with the cert and key lines changed to the new file names)
ca.crt
<filename>.crt
<filename>.key (<filename> is the name passed to build-key, e.g. elm)
ta.key

OK, when I have time some day I'll look at how to configure User/Pass authentication.