OpenVPN That Gets Through the Firewall
Probably published on [2008-03-15]
OpenVPN can connect to a remote server through a chosen port, which puts you on the same local LAN as that remote server, and that is how it gets you past the company firewall. Most companies only allow outbound connections on port 80 (http) and port 443 (https, SSL), so every other network function is blocked; with OpenVPN you borrow port 443 to reach an outside server and then run whatever network functions you need from that unrestricted server, effectively crossing the firewall.
OpenVPN is free software. The basic setup is a bit fiddly, but if you follow the steps it works out fine.
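The same property the post relies on is what a network defender looks for from the other side: OpenVPN carried over TCP/443 does not look like TLS on the wire. The following classifier is an added example for the defender's side, not code from the original post or from the OpenVPN project. It follows OpenVPN's wire format (in TCP mode a 2-byte big-endian length prefix, then one byte holding `opcode << 3 | key_id`, with opcode 7 for the client's hard reset and 10 for the tls-crypt-v2 variant) and a TLS record header (0x16, version 0x03 0x0x, handshake type 0x01 for ClientHello). The payloads and flow tuples are constructed samples; `classify`, `flag_flows` and the constants are my names.

```python
"""Tell OpenVPN-over-TCP apart from real TLS on port 443.

Added example for the defender's side, not code from the original post.
The packet layout follows OpenVPN's own protocol (2-byte length prefix in
TCP mode, then opcode<<3 | key_id); the sample payloads are constructed.
"""
import struct

# OpenVPN control-channel opcodes (upper 5 bits of the first byte after the length)
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # used with tls-crypt-v2
# smallest client hard reset without tls-auth:
# opcode(1) + session_id(8) + ack_len(1) + packet_id(4)
MIN_HARD_RESET = 14


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record header 0x16 0x03 0x0x, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def looks_like_openvpn_tcp(payload: bytes) -> bool:
    """OpenVPN/TCP client hard reset: length prefix >= 14, opcode 7 or 10, key_id 0."""
    if len(payload) < 3:
        return False
    (length,) = struct.unpack("!H", payload[:2])
    opcode, key_id = payload[2] >> 3, payload[2] & 0x07
    return (MIN_HARD_RESET <= length <= len(payload) - 2
            and opcode in (P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3)
            and key_id == 0)


def classify(payload: bytes) -> str:
    """Return 'tls', 'openvpn' or 'unknown' for the first bytes a client sends."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if looks_like_openvpn_tcp(payload):
        return "openvpn"
    return "unknown"


def flag_flows(flows):
    """Given (src, dst_port, first_payload) tuples, return the 443 flows that are not TLS."""
    return [(src, classify(p)) for src, port, p in flows
            if port == 443 and classify(p) != "tls"]


# constructed samples: the start of a TLS 1.2 ClientHello, and an OpenVPN
# client hard reset (length 0x000e, opcode byte 0x38, 8-byte session id,
# empty ack array, packet id 0) as sent without tls-auth
TLS_HELLO = bytes.fromhex("160301 00f1 01 0000ed 0303") + b"\x00" * 32
OPENVPN_RESET = (bytes.fromhex("000e 38") + bytes.fromhex("a1b2c3d4e5f60718")
                 + b"\x00" + b"\x00\x00\x00\x00")
SAMPLE_FLOWS = [
    ("10.1.1.5", 443, TLS_HELLO),
    ("10.1.1.9", 443, OPENVPN_RESET),
    ("10.1.1.9", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print(flag_flows(SAMPLE_FLOWS))   # [('10.1.1.9', 'openvpn')]
```

The check only inspects the first client payload of a connection, which is enough because the hard reset is the very first thing an OpenVPN client sends; tls-auth or tls-crypt lengthen that packet (an HMAC and replay fields are inserted after the session id) but do not change the opcode byte, so the length test is a lower bound rather than an exact match.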
First-time setup goes like this:
- Run init-config (first-time setup only).
- Run vars (edit this file first so its contents match your own details).
- Run clean-all.
- Run build-ca (generates the CA files).
- Run build-key-server server (generates the server key files).
- Run build-key client1, build-key client2, build-key client3 (generates the client key files; generate as many as you have clients).
Copy the generated files into the C:\Program Files\OpenVPN\config directory of the server or of client(n), as the table below requires.
| Filename | Needed by | Purpose | Secret |
|---|---|---|---|
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |
The trickier part is editing the server-side and client-side config files. I took the samples shipped in the config-example directory and modified them; the parts I changed are listed below with short notes, numbered (1) to (7) and explained at the end. When done, copy these into the C:\Program Files\OpenVPN\config directory as well.
Server

```
...
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 443          # (1)

# TCP or UDP server?
proto tcp         # (2)
;proto udp
...
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt         # (3)
cert server.crt
key server.key
...
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
;server 10.8.0.0 255.255.255.0
server 192.168.0.0 255.255.255.0    # (4)
...
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
push "redirect-gateway"             # (5)
...
```
Client

```
...
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp         # (2)
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote your.openvpn.server 443      # (6)
...
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
http-proxy proxy.your.company.com 8080    # (7)
...
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt         # (3)
cert client2.crt
key client2.key
...
```
Finally, on Windows, right-click the tray icon and pick the config entry from its menu to start it, or run it from the command line: openvpn --config server.ovpn
On Windows it can also be run as a service.
Notes on the numbered lines:
- (1) Port 443, the port SSL uses.
- (2) Going through a proxy requires tcp.
- (3) These three lines point at the key files you generated.
- (4) Changed to the 192.168.0 subnet I normally use.
- (5) Once the client is connected, its default gateway is switched to go through the server.
- (6) The server's address and port; use port 443, the SSL port.
- (7) Your company proxy's address and port.
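Most of the mistakes in a first setup are mismatches between the two files above and the table of which file goes where. The checker below is an added example, not code from the original post or from OpenVPN: it parses a server and a client config, applies the post's own rules (same proto on both sides, proxy implies tcp, client remote port equals server port, the three ca/cert/key lines present and the client's cert/key names paired, ca.key never copied into a config directory) and adds one caveat the post does not state: pushing redirect-gateway while the VPN subnet is 192.168.0.0/24 or 192.168.1.0/24 collides with the most common home and office LAN ranges. It also expects a dh directive, since the table lists dh{n}.pem for the server. The two config texts are constructed from the directives shown above; `parse_ovpn`, `check_pair`, `NEVER_DEPLOY` and `BAD_CLIENT_CONF` are my names.

```python
"""Consistency check for an OpenVPN server/client config pair.

Added example, not code from the original post or from OpenVPN. The two
configs below are constructed from the directives the post shows; the host
names are the post's own placeholders.
"""
import os

SERVER_CONF = """\
port 443
proto tcp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.0.0 255.255.255.0
push "redirect-gateway"
"""

CLIENT_CONF = """\
client
proto tcp
remote your.openvpn.server 443
http-proxy proxy.your.company.com 8080
ca ca.crt
cert client2.crt
key client2.key
"""

# Marked Secret in the post's table and needed by the key-signing machine only:
# it must never be copied into a server's or client's config directory.
NEVER_DEPLOY = {"ca.key"}


def parse_ovpn(text):
    """Parse .ovpn text into {directive: [[arg, ...], ...]}; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        for mark in (" #", " ;"):            # drop inline comments
            line = line.split(mark, 1)[0].rstrip()
        parts = line.replace('"', "").split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def first(opts, name, idx=0, default=None):
    """Argument idx of the first occurrence of directive name, or default."""
    args = opts.get(name)
    return args[0][idx] if args and len(args[0]) > idx else default


def check_pair(server_text, client_text, deployed_files=()):
    """Return the list of problems found in a server/client pair (empty = clean).

    deployed_files: paths that were copied into a config directory (post's table).
    """
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []

    s_proto, c_proto = first(s, "proto", default="udp"), first(c, "proto", default="udp")
    if s_proto.split("-")[0] != c_proto.split("-")[0]:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    if "http-proxy" in c and not c_proto.startswith("tcp"):      # post's note (2)
        problems.append("http-proxy is configured but client proto is not tcp")

    s_port = first(s, "port", default="1194")
    c_port = first(c, "remote", idx=1, default="1194")
    if s_port != c_port:                                          # notes (1) and (6)
        problems.append(f"client remote port {c_port} != server port {s_port}")

    if "dh" not in s:   # dh{n}.pem from the post's table, produced by easy-rsa build-dh
        problems.append("server has no dh directive")
    for opts, side in ((s, "server"), (c, "client")):             # post's note (3)
        for name in ("ca", "cert", "key"):
            if name not in opts:
                problems.append(f"{side}: missing {name} directive")
    c_cert, c_key = first(c, "cert", default=""), first(c, "key", default="")
    if os.path.splitext(c_cert)[0] != os.path.splitext(c_key)[0]:
        problems.append(f"client cert/key are not a pair: {c_cert} vs {c_key}")

    for path in deployed_files:
        if os.path.basename(path) in NEVER_DEPLOY:
            problems.append(f"{path} belongs on the key-signing machine only")

    # notes (4) and (5): redirect-gateway with a VPN subnet that is also a very common
    # LAN subnet (192.168.0.0/24, 192.168.1.0/24) collides with the client's own network
    vpn_net = first(s, "server", default="")
    pushes_redirect = any(p and p[0].startswith("redirect-gateway") for p in s.get("push", []))
    if pushes_redirect and vpn_net in ("192.168.0.0", "192.168.1.0"):
        problems.append(f"redirect-gateway pushed with VPN subnet {vpn_net}, which overlaps common LANs")
    return problems


# a deliberately broken client: udp behind an HTTP proxy and the wrong port
BAD_CLIENT_CONF = CLIENT_CONF.replace("proto tcp", "proto udp").replace(" 443", " 1194")

if __name__ == "__main__":
    for label, client, files in (("as posted", CLIENT_CONF, ()),
                                 ("broken", BAD_CLIENT_CONF,
                                  ["C:/Program Files/OpenVPN/config/ca.key"])):
        print(label, check_pair(SERVER_CONF, client, files))
```

Run as-is, the pair taken from the post yields only the subnet warning; the broken client adds the proto mismatch, the proxy-over-udp error, the port mismatch, and the stray ca.key. The parser is deliberately minimal (no `<ca>` inline blocks, no quoted paths with spaces), which is enough for the sample-config style files the post edits.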