nat123+OpenVPN连接校园网

1.网络结构

服务器端：校园网 系统：xpsp3 pro vol 虚拟地址：10.8.0.1

客户端：任意 系统 win10 虚拟地址：10.8.0.6

2.软件安装

在两台电脑都安装OpenVPN xp专用版 和nat123软件(用于内网穿透 端口映射 也可以安花生壳)

操作系统软件Installer (32-bit), Windows XPopenvpn-install-2.3.10-I001-i686.exe

3.配置OpenVPN

服务器端

开始>所有程序>附件>右键以管理员权限 打开命令提示符，输入：

cd C:\Program Files\OpenVPN\easy-rsainit-configvarsclean-allbuild-ca 一路回车build-dhbuild-key-server server 一路回车 输入两次y结束build-key client 一路回车 输入两次y结束上面中 Common Name 分别改成 OpenVPN_CA server client1 client2 ...，密码随心情定openvpn –genkey –secret keys/ta.key 

把 C:\Program Files\OpenVPN\easy-rsa\keys下文件放在C:\Program Files\OpenVPN\config下用写字板或记事本打开并修改C:\Program Files (x86)\OpenVPN\sample-config下server.ovpn文件 把文件放到C:\Program Files\OpenVPN\config下dh dh2048.pem改为dh dh1024.pem去除push "redirect-gateway def1 bypass-dhcp"注释删除comp-lzo注释删去tls-auth ta.key 0前的注释 

客户端

把 C:\Program Files\OpenVPN\easy-rsa\keys下文件放在 C:\Program Files\OpenVPN\config下拷贝并修改服务器端C:\Program Files (x86)\OpenVPN\sample-config下client.ovpn文件把文件放到C:\Program Files\OpenVPN\config下修改remote 17075c29.all123.net 1194 修改为nat123分配的外网域名（服务器端地址）删除comp-lzo注释删去tls-auth ta.key 1 前的注释

4. 配置nat123

在官网注册一个账号登录

服务器端

点击添加映射 免费哦

主机地址localhost 选择全端口映射 并保存

客户端

登录nat123访问者

访问域名 为外网域名（17075c29.all123.net）

访问端口1194

5.XP开启NAT转发

win+R键 输入services.msc 

在客户端和服务器两台机器上都设置Routing and remote access服务为自动启动  win+R 键 输入regedit打开注册表 修改键值为1HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter= 1   重启电脑打开网络适配器并重命名适配器 上网网卡为LOCAL OpenVPN生成的虚拟网卡为VPN

win+R cmd 打开命令提示符输入：

netshroutingipnatinstalladd interface name="VPN" mode=privateadd interface name="LOCAL" mode=full

输入show interface并回车，如果出现:

NAT VPN 配置—————————模式              : 专用接口NAT LOCAL 配置—————————模式              : 地址和端口转

则设置完成。分别启动OpenVPN GUI 并连接，图标变为绿色则连接成功。

6.配置文件示例

server.ovpn

################################################## Sample OpenVPN 2.0 config file for            ## multi-client server.                          ##                                               ## This file is for the server side              ## of a many-clients <-> one-server              ## OpenVPN configuration.                        ##                                               ## OpenVPN also supports                         ## single-machine <-> single-machine             ## configurations (See the Examples page         ## on the web site for more info).               ##                                               ## This config should work on Windows            ## or Linux/BSD systems.  Remember on            ## Windows to quote pathnames and use            ## double backslashes, e.g.:                     ## "C:\\Program Files\\OpenVPN\\config\\foo.key" ##                                               ## Comments are preceded with '#' or ';'         ################################################### Which local IP address should OpenVPN# listen on? (optional);local a.b.c.d# Which TCP/UDP port should OpenVPN listen on?# If you want to run multiple OpenVPN instances# on the same machine, use a different port# number for each one.  You will need to# open up this port on your firewall.port 1194# TCP or UDP server?proto tcp;proto udp# "dev tun" will create a routed IP tunnel,# "dev tap" will create an ethernet tunnel.# Use "dev tap0" if you are ethernet bridging# and have precreated a tap0 virtual interface# and bridged it with your ethernet interface.# If you want to control access policies# over the VPN, you must create firewall# rules for the the TUN/TAP interface.# On non-Windows systems, you can give# an explicit unit number, such as tun0.# On Windows, use "dev-node" for this.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the TUN/TAP interface.;dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel if you# have more than one.  On XP SP2 or higher,# you may need to selectively disable the# Windows firewall for the TAP adapter.# Non-Windows systems usually don't need this.;dev-node MyTap# SSL/TLS root certificate (ca), certificate# (cert), and private key (key).  Each client# and the server must have their own cert and# key file.  The server and all clients will# use the same ca file.## See the "easy-rsa" directory for a series# of scripts for generating RSA certificates# and private keys.  Remember to use# a unique Common Name for the server# and each of the client certificates.## Any X509 key management system can be used.# OpenVPN can also use a PKCS #12 formatted key file# (see "pkcs12" directive in man page).ca ca.crtcert server.crtkey server.key  # This file should be kept secret# Diffie hellman parameters.# Generate your own with:#   openssl dhparam -out dh2048.pem 2048dh dh1024.pem# Network topology# Should be subnet (addressing via IP)# unless Windows clients v2.0.9 and lower have to# be supported (then net30, i.e. a /30 per client)# Defaults to net30 (not recommended);topology subnet# Configure server mode and supply a VPN subnet# for OpenVPN to draw client addresses from.# The server will take 10.8.0.1 for itself,# the rest will be made available to clients.# Each client will be able to reach the server# on 10.8.0.1. Comment this line out if you are# ethernet bridging. See the man page for more info.server 10.8.0.0 255.255.255.0# Maintain a record of client <-> virtual IP address# associations in this file.  If OpenVPN goes down or# is restarted, reconnecting clients can be assigned# the same virtual IP address from the pool that was# previously assigned.ifconfig-pool-persist ipp.txt# Configure server mode for ethernet bridging.# You must first use your OS's bridging capability# to bridge the TAP interface with the ethernet# NIC interface.  Then you must manually set the# IP/netmask on the bridge interface, here we# assume 10.8.0.4/255.255.255.0.  Finally we# must set aside an IP range in this subnet# (start=10.8.0.50 end=10.8.0.100) to allocate# to connecting clients.  Leave this line commented# out unless you are ethernet bridging.;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100# Configure server mode for ethernet bridging# using a DHCP-proxy, where clients talk# to the OpenVPN server-side DHCP server# to receive their IP address allocation# and DNS server addresses.  You must first use# your OS's bridging capability to bridge the TAP# interface with the ethernet NIC interface.# Note: this mode only works on clients (such as# Windows), where the client-side TAP adapter is# bound to a DHCP client.;server-bridge# Push routes to the client to allow it# to reach other private subnets behind# the server.  Remember that these# private subnets will also need# to know to route the OpenVPN client# address pool (10.8.0.0/255.255.255.0)# back to the OpenVPN server.;push "route 192.168.20.0 255.255.255.0"# To assign specific IP addresses to specific# clients or if a connecting client has a private# subnet behind it that should also have VPN access,# use the subdirectory "ccd" for client-specific# configuration files (see man page for more info).# EXAMPLE: Suppose the client# having the certificate common name "Thelonious"# also has a small subnet behind his connecting# machine, such as 192.168.40.128/255.255.255.248.# First, uncomment out these lines:;client-config-dir ccd;route 192.168.40.128 255.255.255.248# Then create a file ccd/Thelonious with this line:#   iroute 192.168.40.128 255.255.255.248# This will allow Thelonious' private subnet to# access the VPN.  This example will only work# if you are routing, not bridging, i.e. you are# using "dev tun" and "server" directives.# EXAMPLE: Suppose you want to give# Thelonious a fixed VPN IP address of 10.9.0.1.# First uncomment out these lines:;client-config-dir ccd;route 10.9.0.0 255.255.255.252# Then add this line to ccd/Thelonious:#   ifconfig-push 10.9.0.1 10.9.0.2# Suppose that you want to enable different# firewall access policies for different groups# of clients.  There are two methods:# (1) Run multiple OpenVPN daemons, one for each#     group, and firewall the TUN/TAP interface#     for each group/daemon appropriately.# (2) (Advanced) Create a script to dynamically#     modify the firewall in response to access#     from different clients.  See man#     page for more info on learn-address script.;learn-address ./script# If enabled, this directive will configure# all clients to redirect their default# network gateway through the VPN, causing# all IP traffic such as web browsing and# and DNS lookups to go through the VPN# (The OpenVPN server machine may need to NAT# or bridge the TUN/TAP interface to the internet# in order for this to work properly).push "redirect-gateway def1 bypass-dhcp"# Certain Windows-specific network settings# can be pushed to clients, such as DNS# or WINS server addresses.  CAVEAT:# http://openvpn.net/faq.html#dhcpcaveats# The addresses below refer to the public# DNS servers provided by opendns.com.push "dhcp-option DNS 123.125.81.6";push "dhcp-option DNS 208.67.220.220"# Uncomment this directive to allow different# clients to be able to "see" each other.# By default, clients will only see the server.# To force clients to only see the server, you# will also need to appropriately firewall the# server's TUN/TAP interface.;client-to-client# Uncomment this directive if multiple clients# might connect with the same certificate/key# files or common names.  This is recommended# only for testing purposes.  For production use,# each client should have its own certificate/key# pair.## IF YOU HAVE NOT GENERATED INDIVIDUAL# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,# EACH HAVING ITS OWN UNIQUE "COMMON NAME",# UNCOMMENT THIS LINE OUT.;duplicate-cn# The keepalive directive causes ping-like# messages to be sent back and forth over# the link so that each side knows when# the other side has gone down.# Ping every 10 seconds, assume that remote# peer is down if no ping received during# a 120 second time period.keepalive 10 120# For extra security beyond that provided# by SSL/TLS, create an "HMAC firewall"# to help block DoS attacks and UDP port flooding.## Generate with:#   openvpn --genkey --secret ta.key## The server and each client must have# a copy of this key.# The second parameter should be '0'# on the server and '1' on the clients.tls-auth ta.key 0 # This file is secret# Select a cryptographic cipher.# This config item must be copied to# the client config file as well.# Note that 2.4 client/server will automatically# negotiate AES-256-GCM in TLS mode.# See also the ncp-cipher option in the manpagecipher AES-256-CBC# Enable compression on the VPN link and push the# option to the client (2.4+ only, for earlier# versions see below);compress lz4-v2;push "compress lz4-v2"# For compression compatible with older clients use comp-lzo# If you enable it here, you must also# enable it in the client config file.comp-lzo# The maximum number of concurrently connected# clients we want to allow.;max-clients 100# It's a good idea to reduce the OpenVPN# daemon's privileges after initialization.## You can uncomment this out on# non-Windows systems.;user nobody;group nobody# The persist options will try to avoid# accessing certain resources on restart# that may no longer be accessible because# of the privilege downgrade.persist-keypersist-tun# Output a short status file showing# current connections, truncated# and rewritten every minute.status openvpn-status.log# By default, log messages will go to the syslog (or# on Windows, if running as a service, they will go to# the "\Program Files\OpenVPN\log" directory).# Use log or log-append to override this default.# "log" will truncate the log file on OpenVPN startup,# while "log-append" will append to it.  Use one# or the other (but not both).;log         openvpn.log;log-append  openvpn.log# Set the appropriate level of log# file verbosity.## 0 is silent, except for fatal errors# 4 is reasonable for general usage# 5 and 6 can help to debug connection problems# 9 is extremely verboseverb 3# Silence repeating messages.  At most 20# sequential messages of the same message# category will be output to the log.;mute 20# Notify the client that when the server restarts so it# can automatically reconnect.

client.ovpn

############################################### Sample client-side OpenVPN 2.0 config file ## for connecting to multi-client server.     ##                                            ## This configuration can be used by multiple ## clients, however each client should have   ## its own cert and key files.                ##                                            ## On Windows, you might want to rename this  ## file so it has a .ovpn extension           ################################################ Specify that we are a client and that we# will be pulling certain config file directives# from the server.client# Use the same setting as you are using on# the server.# On most systems, the VPN will not function# unless you partially or fully disable# the firewall for the TUN/TAP interface.;dev tapdev tun# Windows needs the TAP-Win32 adapter name# from the Network Connections panel# if you have more than one.  On XP SP2,# you may need to disable the firewall# for the TAP adapter.;dev-node MyTap# Are we connecting to a TCP or# UDP server?  Use the same setting as# on the server.proto tcp;proto udp# The hostname/IP and port of the server.# You can have multiple remote entries# to load balance between the servers.remote 17075c29.all123.net 1194;remote my-server-2 1194# Choose a random host from the remote# list for load-balancing.  Otherwise# try hosts in the order specified.;remote-random# Keep trying indefinitely to resolve the# host name of the OpenVPN server.  Very useful# on machines which are not permanently connected# to the internet such as laptops.resolv-retry infinite# Most clients don't need to bind to# a specific local port number.nobind# Downgrade privileges after initialization (non-Windows only);user nobody;group nobody# Try to preserve some state across restarts.persist-keypersist-tun# If you are connecting through an# HTTP proxy to reach the actual OpenVPN# server, put the proxy server/IP and# port number here.  See the man page# if your proxy server requires# authentication.;http-proxy-retry # retry on connection failures;http-proxy [proxy server] [proxy port #]# Wireless networks often produce a lot# of duplicate packets.  Set this flag# to silence duplicate packet warnings.;mute-replay-warnings# SSL/TLS parms.# See the server config file for more# description.  It's best to use# a separate .crt/.key file pair# for each client.  A single ca# file can be used for all clients.ca ca.crtcert client.crtkey client.key# Verify server certificate by checking that the# certicate has the correct key usage set.# This is an important precaution to protect against# a potential attack discussed here:#  http://openvpn.net/howto.html#mitm## To use this feature, you will need to generate# your server certificates with the keyUsage set to#   digitalSignature, keyEncipherment# and the extendedKeyUsage to#   serverAuth# EasyRSA can do this for you.remote-cert-tls server# If a tls-auth key is used on the server# then every client must also have the key.tls-auth ta.key 1# Select a cryptographic cipher.# If the cipher option is used on the server# then you must also specify it here.# Note that 2.4 client/server will automatically# negotiate AES-256-GCM in TLS mode.# See also the ncp-cipher option in the manpagecipher AES-256-CBC# Enable compression on the VPN link.# Don't enable this unless it is also# enabled in the server config file.comp-lzo# Set log file verbosity.verb 3# Silence repeating messages;mute 20