檔名       

位置

目的

  保密

ca.crt

server + all clients

Root CA certificate

NO

ca.key

 key signing machine only

Root CA key

YES

dh{n}.pem

server only

 Diffie Hellman parameters

NO

server.crt

server only

Server Certificate

NO

server.key

server only

Server Key

YES

client1.crt

client1 only

Client1 Certificate

NO

client1.key

client1 only

Client1 Key

YES

client2.crt

client2 only

Client2 Certificate

NO

client2.key

client2 only

Client2 Key

YES

client3.crt

client3 only

Client3 Certificate

NO

client3.key

client3 only

Client3 Key

YES

Note that in the above sequence, most queried parameters were defaulted to the values set in thevars orvars.bat files. The only parameter which must be explicitly entered is theCommon Name. In the example above, I used "OpenVPN-CA".

Generate certificate & key for server

Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:

./build-key-server server

On Windows:

build-key-server server

As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".

Generate certificates & keys for 3 clients

Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:

./build-key client1
./build-key client2
./build-key client3

On Windows:

build-key client1
build-key client2
build-key client3

If you would like to password-protect your client keys, substitute the build-key-pass script.

Remember that for each client, make sure to type the appropriate Common Namewhen prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:

./build-dh

On Windows:

build-dh

Output:

Key Files

Now we will find our newly-generated keys and certificates in the keyssubdirectory. Here is an explanation of the relevant files:

The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.

Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel?

The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.

Creating configuration files for server and clients

Getting the sample config files

It's best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in

• the sample-config-files directory of the OpenVPN source distribution
• the sample-config-files directory in /usr/share/doc/packages/openvpnor/usr/share/doc/openvpn if you installed from an RPM or DEB package
• Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows

Note that on Linux, BSD, or unix-like OSes, the sample configuration files are namedserver.conf andclient.conf. On Windows they are namedserver.ovpnandclient.ovpn.

Editing the server configuration file

The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtualTUN network interface (for routing), will listen for client connections onUDP port 1194 (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the10.8.0.0/24 subnet.

Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in thePKI section above.

At this point, the server configuration file is usable, however you still might want to customize it further:

• If you are using Ethernet bridging, you must use server-bridge and dev tapinstead ofserver anddev tun.
• If you want your OpenVPN server to listen on a TCP port instead of a UDP port, useproto tcp instead ofproto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).
• If you want to use a virtual IP address range other than 10.8.0.0/24, you should modify theserver directive. Remember that this virtual IP address range should be a private range which is currently unused on your network.
• Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
• If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting out theuser nobody andgroup nobody directives.

If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you:

• Use a different port number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194).
• If you are using Windows, each OpenVPN configuration taneeds to have its own TAP-Windows adapter. You can add additional adapters by going toStart Menu -> All Programs -> TAP-Windows -> Add a new TAP-Windows virtual ethernet adapter.
• If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other's output files. These directives includelog,log-append,status, and ifconfig-pool-persist.

Editing the client configuration files

The sample client configuration file (client.conf on Linux/BSD/Unix orclient.ovpnon Windows) mirrors the default directives set in the sample server configuration file.

• Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in thePKI section above. Note that each client should have its owncert/key pair. Only the cafile is universal across the OpenVPN server and all clients.
• Next, edit the remotedirective to point to the hostname/IP address and port number of the OpenVPN server (if your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured the gateway to forward to the OpenVPN server).
• Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that thedev (tun or tap) andproto (udp or tcp) directives are consistent. Also make sure thatcomp-lzo andfragment, if used, are present in both client and server config files.

Starting up the VPN and testing for initial connectivity

Starting the server

First, make sure the OpenVPN server will be accessible from the internet. That means:

• opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
• setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.

To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the.ovpn file on Windows), rather than start it as a daemon or service:

openvpn [server config file] 

A normal server startup should look like this (output will vary across platforms):

Starting the client

As in the server configuration, it's best to initially start the OpenVPN server from the command line (or on Windows, by right-clicking on theclient.ovpn file), rather than start it as a daemon or service:

openvpn [client config file] 

A normal client startup on Windows will look similar to the server output above, and should end with theInitialization Sequence Completed message.

Now, try a ping across the VPN from the client. If you are using routing (i.e.dev tunin the server config file), try:

ping 10.8.0.1

If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.

If the ping succeeds, congratulations! You now have a functioning VPN.

Troubleshooting

If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:

• You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

  Solutions:

  • Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
  • If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that saysforward UDP port 1194 from my public IP address to 192.168.4.4.
  • Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
• You get the error message: Initialization Sequence Completed with errors-- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.

  Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.

• You get the Initialization Sequence Completedmessage but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

  Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going toWindows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Windows adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See theaccess policies section below).

• The connection stalls on startup when using a proto udpconfiguration, the server log file shows this line:

  TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx

  however the client log does not show an equivalent line.

  Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

See the FAQ for additional troubleshooting information.

Configuring OpenVPN to run automatically on system startup

The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.

Linux

If you install OpenVPN via an RPM or DEB package on Linux, the installer will set up aninitscript. When executed, the initscript will scan for.conf configuration files in/etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.

Windows

The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.

When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for.ovpn configuration files, starting a separate OpenVPN process on each file.

Controlling a running OpenVPN process

Running on Linux/BSD/Unix

OpenVPN accepts several signals:

• SIGUSR1 -- Conditional restart, designed to restart without root privileges
• SIGHUP -- Hard restart
• SIGUSR2 -- Output connection statistics to log file or syslog
• SIGTERM, SIGINT -- Exit

Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with aninitscript, the script may already be passing a--writepid directive on theopenvpn command line).

Running on Windows as a GUI

Running in a Windows command prompt window

On Windows, you can start OpenVPN by right clicking on an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".

Once running in this fashion, several keyboard commands are available:

• F1 -- Conditional restart (doesn't close/reopen TAP adapter)
• F2 -- Show connection statistics
• F3 -- Hard restart
• F4 -- Exit

Running as a Windows Service

When OpenVPN is started as a service on Windows, the only way to control it is:

• Via the service control manager (Control Panel / Administrative Tools / Services) which gives start/stop control.
• Via the management interface (see below).

Modifying a live server configuration

While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.

client-config-dir -- This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (see thethe manual page for more information). Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the newclient-config-dir file.

crl-verify -- This directive names a Certificate Revocation List file, described below in theRevoking Certificates section. The CRL file can be modified on the fly, and changes will take effect immediately for new connections, or existing connections which are renegotiating their SSL/TLS channel (occurs once per hour by default). If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface (described below).

Status File

The default server.conf file has a line

status openvpn-status.log

which will output a list of current client connections to the file openvpn-status.logonce per minute.

Using the management interface

The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly, by telneting to the management interface port, or indirectly by using anOpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file:

management localhost 7505

This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice -- you can use any free port).

Once OpenVPN is running, you can connect to the management interface using a telnet client. For example:

Expanding the scope of the VPN to include additional machines on either

相關推薦

OpenVPN 安裝、配置客戶端和服務端，以及OpenVPN的使用 (Windows 平臺)

OpenVPN 開源，好用，而且免費，感謝 OpenVPN 團隊開發此產品。 簡介 OpenVPN允許參與建立VPN的單點使用公開金鑰、電子證書、或者使用者名稱／密碼來進行身份驗證。它大量使用了OpenSSL加密庫中的SSLv3/TLSv1協議函式庫。目前OpenVP

Linux下面安裝ftp客戶端和服務端vsftp

在Linux下面使用ftp工具，必須有客戶端和服務端。 1、使用環境客戶端為Redhat Linux6.4系統，需要到iso檔案中找到對應的Packages包，版本一定要和os版本保持一致，Linux6.4系統的ftp版本號為ftp-0.17-53.el6.x86_64.rpm ，上傳到伺服

網路程式設計套接字、網路位元組序及用udp寫客戶端和服務端聊天程式

認識IP地址 IP協議有兩個版本：IPV4和IPV6。 IPV4:IPV4版本的IP地址是4位元組無符號整數。那麼就存在IP地址資源匱乏的時候，這時可以採用兩種方法： DHCP:ip地址動態分配（應用層協議）； NAT： 地址替換； 但是這兩種方法只是暫時的有I

網路程式設計二(套接字Socket、客戶端和服務端通訊問題)

在客戶機/伺服器工作模式中，在Server端，要準備接受多個Client端計算機的通訊。為此，除用IP地址標識Internet上的計算機之外，另還引入埠號，用埠號標識正在Server端後臺服務的執行緒。埠號與IP地址的組合稱為網路套接字（socket）。 Java語言在

eclipse中配置webservice的客戶端和服務端

一.在Java專案中釋出一個WebService服務： 建立一個JavaWebService的web專案,建立相對應的com.test.javabean，com.test.servlet，com.test.webservice包 1.*類St

客戶端和服務端如何使用Token和Session

cnblogs blank style ssi exception font 統一 判斷 用戶 一、我們先解釋一下他的含義： 1、Token的引入：Token是在客戶端頻繁向服務端請求數據，服務端頻繁的去數據庫查詢用戶名和密碼並進行對比，判斷用戶名和密碼正確與否，並作

基於thrift的java和python分別作為客戶端和服務端的調用實現

Coding except arr pes com ssa utf-8 encoding 中文亂碼 前面已經實現了純java的thrift的實現。 現在實現實現一下python作為客戶端和服務端的thrift的調用 1.python作為客戶端，java作為服務端 java服

Netty實現客戶端和服務端通信簡單例子

啟動服務 ali tty 過程 等等 服務器初始化 讀寫操作 extends ask Netty是建立在NIO基礎之上，Netty在NIO之上又提供了更高層次的抽象。 在Netty裏面，Accept連接可以使用單獨的線程池去處理，讀寫操作又是另外的線程池來處理。 Accep

netty4----netty5的客戶端和服務端

服務端 處理 sock 一個 servers 線程不安全 inbound nio owa 服務端： package com.server; import io.netty.bootstrap.ServerBootstrap; import io.netty.channe

客戶端和服務端根路徑“/”的區別

name 根路徑 ber AC jsp 後端 ffffff http 最簡 文章來源 ： https://blog.csdn.net/zwt520123/article/details/76794446 JSP 變為 HTML 的問題 由上面可以看到，整個 Web

Python學習筆記1：簡單實現ssh客戶端和服務端

bsp dev bre 客戶端 break 基於 bin listen 客戶 實現基於python 3.6。 server端： 1 __author__ = "PyDev2018" 2 3 import socket,os 4 server = socket.s

linux網絡編程之用socket實現簡單客戶端和服務端的通信（基於UDP）

服務端 msg ets lin fgets err n) stderr tcp 單客戶端和服務端的通信（基於UDP） 代碼 服務端代碼socket3.c #include<sys/types.h> #include<sys/socket.h>

Netty學習（3）: 客戶端和服務端的例子

服務端： package com.server; import io.netty.bootstrap.ServerBootstrap; import io.netty.channel.Channel; import io.netty.channel.ChannelFuture; import

zookeeper客戶端和服務端互動分析

原文連結 ZkClient        在使用ZooKeeper的Java客戶端時，經常需要處理幾個問題：重複註冊watcher、session失效重連、異常處理。      

python UDP客戶端和服務端對話

‘’’ UDP客戶端 ‘’’ import socket #1,建立socker物件dgram SOCK_DGRAM—UDP s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM) #傳送資料 while True: a=input(“請輸入你

阿裏雲Ubuntu下安裝、配置權限和導入本地mongodb

版本 str 完成 ise xen mooc 操作 輸入 ubunt ---恢復內容開始--- 第一部分：首先先在Ubuntu下安裝好mongodb，步驟如下： 首先我們需要借助遠程管理工具鏈接到阿裏雲上的ubuntu系統，接著進行如下操作 一、導出軟件源的公鑰 sud

Redis---客戶端和服務端

Redis---客戶端和服務端   文章轉載自：http://redisbook.readthedocs.io/en/latest/internal/redis.html http://www.spongeliu.com/category/linux https://blo

zookeeper之客戶端和服務端的區別

客戶端是叢集外的訪問，服務端才是叢集上的提供服務的。   使用bin/zkServer.sh start開啟的zookeeper上的一個服務端，而使用bin/zkCli.sh是將客戶端連到服務端上。 客戶端可以通過服務端建立znode,刪除znode，寫znode,讀znod

基於TCP的客戶端和服務端資料傳輸

功能描述： 從客戶端向服務端傳送字串，服務端接收之後，把字串轉成大寫，並返回給客戶端， 客戶端程式碼 import java.io.IOException; import java.io.InputStream; import java.io.OutputStrea

python實現一個簡單的thirft客戶端和服務端

建立thrift檔案 service Hello { string get() } 使用thrift 建立服務需要的元件 thrift --gen py hello.thrif