RouterOS 3.22 set up for OpenVPN certificate login (with setup screenshots)

How to configure OpenVPN with CA verification on Windows

At the request of many readers, I decided to write an installation guide for OpenVPN on Windows. It is actually simpler on Windows than on Linux:
using the installer package from the website, OpenVPN is installed in no time and only needs to be configured.

This article describes how to configure an OpenVPN server that uses a CA on Windows.

If you have questions, follow:
http://elm.freetcp.com
http://wenzk.cublog.cn

Enough preamble, let's begin :)

Download and install OpenVPN:

Download the OpenVPN installer with FlashGet or any other tool, then install it. Remember to select the easy-rsa component,
the batch scripts used to manage the CA.
http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe

After installation, easy-rsa is in the C:\Program Files\OpenVPN\ directory.

Now start configuring:
Rename vars.bat.sample in the easy-rsa directory to vars.bat and edit its contents:
==================================
set KEY_COUNTRY=CN
set KEY_PROVINCE=Liaoning
set KEY_CITY=Shenyang
set KEY_ORG=OpenVPN
set [email protected]
==================================
Leave the rest unchanged; change the lines above to your own values.

Rename openssl.cnf.sample under easy-rsa to openssl.cnf.

Then open cmd.exe
=============================================
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd "\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
系统找不到指定的文件。
已复制         1 个文件。
已复制         1 个文件。

C:\Program Files\OpenVPN\easy-rsa>

Generate the root CA
Usage: build-ca.bat
Output: keys/ca.crt keys/ca.key
======================================================================
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
......++++++
.........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:OpenVPN RootCA
Email Address [[email protected]]:

C:\Program Files\OpenVPN\easy-rsa>

Generate the dh1024.pem file, which the server requires for TLS.
Usage: build-dh.bat
Output: keys/dh1024.pem
============================================================================
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
warning, not much extra random data, consider using the -rand option
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................+...............+........+.................................

C:\Program Files\OpenVPN\easy-rsa>

Now generate the certificate used by the server:
Usage: build-key-server.bat
Output: keys/.crt .csr .key
================================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server01
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
................++++++
.....++++++
writing new private key to 'keys\server01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:Server01
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'Server01'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb  9 10:01:34 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now issue the client certificate:
Usage: build-key.bat
Output: keys/.crt keys/.csr keys/.key
===========================================================================
C:\Program Files\OpenVPN\easy-rsa>build-key.bat elm
Using configuration from openssl.cnf
Generating a 1024 bit RSA private key
.....................................................++++++
...................................................++++++
writing new private key to 'keys\elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) []:OpenVPN ORG
Common Name (eg, your name or your server's hostname) []:ELM
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Liaoning'
localityName          :PRINTABLE:'Shenyang'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'OpenVPN ORG'
commonName            :PRINTABLE:'ELM'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Feb  9 10:05:53 2016 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

Now generate the ta.key file
Usage: openvpn --genkey --secret keys/ta.key
Output: keys/ta.key
=========================================================================
C:\Program Files\OpenVPN\easy-rsa>openvpn --genkey --secret keys/ta.key

C:\Program Files\OpenVPN\easy-rsa>

OK, the keys are done; now write the configuration files.
Contents of server01.ovpn:
----------------CUT Here-------------
port 1194
proto udp
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
--------------Cut Here-----------------
Put the configuration file in the C:\Program Files\OpenVPN\config\ directory.
Copy ca.crt, server01.crt, server01.key, ta.key and dh1024.pem from easy-rsa\keys\
to the directory containing server01.ovpn.

The server configuration is finished and the server can be started: right-click the OpenVPN GUI icon in the bottom-right tray and choose Connect.
To have it start automatically when the server boots, open "Services" under "Administrative Tools" in the "Control Panel" and set the OpenVPN service to start automatically.

Client configuration file:
-------------Cut Here---------------------
client
dev tap
proto udp

remote 61.1.1.2 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite
nobind
user nobody
group nobody
route 192.168.0.0 255.255.252.0
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

ca ca.crt
cert elm.crt
key elm.key

ns-cert-type server
tls-auth ta.key 1
comp-lzo
# Set log file verbosity.
verb 4
--------------Cut Here---------------------
And put ca.crt, elm.crt, elm.key and ta.key from easy-rsa/keys together into the client's
\config directory.
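The two configuration files above depend on a few settings that are easy to get wrong: the tls-auth key direction must be 0 on the server and 1 on the client, ns-cert-type server is what stops another CA-signed client certificate from posing as the server, crl-verify is commented out so revoked client certificates keep working, and user/group have no effect on Windows. The following linter is an added example written for this article, not part of the original post or of OpenVPN itself; it parses copies of server01.ovpn and the client config (trimmed to the relevant directives and embedded as constructed strings) and reports those findings. The finding codes and the rule set are my own.

```python
import re

# Constructed, trimmed copies of the two configs on this page; comment lines
# are kept on purpose to show that the parser skips them.
SERVER_CONF = """\
dev tap
ca ca.crt
cert server01.crt
key server01.key # This file should be kept secret
;crl-verify vpncrl.pem
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
;duplicate-cn
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
"""

CLIENT_CONF = """\
client
remote 61.1.1.2 1194
user nobody
group nobody
ca ca.crt
cert elm.crt
key elm.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
"""


def parse_ovpn(text):
    """Return [(directive, [args])] for the active lines of an .ovpn file.
    Lines starting with '#' or ';' are comments, and a '#' or ';' preceded
    by whitespace starts a trailing comment (OpenVPN accepts both forms)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = re.split(r"\s+[#;]", line, maxsplit=1)[0]
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_ovpn(text, on_windows=True):
    """Return [(code, message)] findings for one config file."""
    conf = parse_ovpn(text)
    present = {d for d, _ in conf}
    args = dict(conf)  # last occurrence of a directive wins
    role = "server" if "server" in present else "client"
    out = []

    # tls-auth: server direction 0, client direction 1 (or both omit it);
    # a mismatch makes every handshake fail the HMAC check.
    ta = args.get("tls-auth")
    want = "0" if role == "server" else "1"
    if ta is None:
        out.append(("TLS_AUTH_MISSING", "control channel is not HMAC-protected"))
    elif len(ta) == 1:
        out.append(("TLS_AUTH_NO_DIRECTION", "direction omitted; the peer must omit it too"))
    elif ta[1] != want:
        out.append(("TLS_AUTH_DIRECTION", f"{role} expects direction {want}, got {ta[1]}"))

    if role == "server":
        # The file name is only a hint; a real check would parse the PEM.
        m = re.search(r"(\d+)", args.get("dh", [""])[0])
        if m and int(m.group(1)) < 2048:
            out.append(("WEAK_DH", "DH parameters below 2048 bits; regenerate them"))
        if "crl-verify" not in present:
            out.append(("NO_CRL", "revoked client certificates are still accepted"))
        if "duplicate-cn" in present:
            out.append(("DUPLICATE_CN", "one certificate can be shared by many clients"))
        if "client-to-client" in present:
            out.append(("CLIENT_TO_CLIENT", "clients can reach each other via the server"))
    else:
        if "ns-cert-type" in present:
            out.append(("NS_CERT_TYPE_DEPRECATED", "removed in OpenVPN 2.5; use remote-cert-tls server"))
        elif not present & {"remote-cert-tls", "verify-x509-name"}:
            out.append(("NO_SERVER_CERT_CHECK", "any CA-signed client cert could pose as the server"))

    if "comp-lzo" in present:
        out.append(("COMP_LZO", "compression can leak tunnelled secrets (VORACLE)"))
    if on_windows and present & {"user", "group"}:
        out.append(("USER_GROUP_WINDOWS", "privilege drop is not implemented on Windows"))
    return out


def check_tls_auth_pair(server_text, client_text):
    """True when both sides name the same key file with directions 0/1 (or neither)."""
    s = dict(parse_ovpn(server_text)).get("tls-auth")
    c = dict(parse_ovpn(client_text)).get("tls-auth")
    if not s or not c or s[0] != c[0]:
        return False
    return s[1:] == c[1:] == [] or (s[1:] == ["0"] and c[1:] == ["1"])
```

Run `lint_ovpn(SERVER_CONF)` and `lint_ovpn(CLIENT_CONF)` to see the findings for the article's configs, and `check_tls_auth_pair` on the pair to confirm the 0/1 directions match before distributing ta.key to clients.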

The client configuration is finished and it can connect to the server: right-click the OpenVPN GUI icon in the bottom-right tray and choose Connect.


OK, the whole configuration is complete.

To issue certificates for other users, just do the following:
open cmd.exe

cd "\Program Files\OpenVPN\easy-rsa"
vars.bat
build-key.bat

Files the client needs:

client.ovpn (some settings need to be changed)
ca.crt
.crt
.key (the name is the file name you chose, e.g. elm)
ta.key

My own client configuration file, client.ovpn

client
dev tun
proto tcp
remote 服务器ip 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key

ns-cert-type server
auth-user-pass
verb 4

Upload server01.crt, server01.key and dh1024.pem (??? not sure whether it works without uploading this one) to RouterOS via FTP

Then import them in the order crt, key, pem

Below are a few key RouterOS configuration screenshots

1. This is the key setting: with an IP pool my connections always failed, so I specified the local and remote addresses instead. If you know how to fix this, please explain in the comments, thanks!
[screenshot 1]

2
[screenshot 2]

3
[screenshot 3]

4. Finally, set up the OpenVPN server
[screenshot 4]

After connecting, the icon looks like this
[screenshot]

Finally, all that is left is to run the static route command on the client

route add <internal subnet, e.g. 192.168.3.0> mask 255.255.255.0 <remote IP after the VPN connects, e.g. 192.168.6.1>

In this format:

route add 192.168.3.0 mask 255.255.255.0 192.168.6.10

Otherwise you can only ping the remote IP and cannot reach machines on the remote LAN.
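The route above only works when the gateway is the server's address on the tunnel subnet and the remote LAN does not overlap that subnet; if either is wrong the client still pings the tunnel endpoint but nothing behind it. The helper below is an added example written for this article (not part of the original post) that builds the Windows `route add` line from the subnet and gateway and refuses both bad combinations; the sample addresses are the ones used in the article.

```python
import ipaddress


def windows_route_cmd(lan_cidr, vpn_remote_ip, vpn_cidr, persistent=False):
    """Build the Windows 'route add' line for reaching the server-side LAN
    through the tunnel, rejecting combinations that cannot work.

    lan_cidr      - remote LAN in CIDR form, e.g. "192.168.3.0/24"
    vpn_remote_ip - the server's address on the tunnel, used as gateway
    vpn_cidr      - the tunnel subnet the client got its address from
    persistent    - emit 'route -p add' so the route survives a reboot
    """
    lan = ipaddress.ip_network(lan_cidr, strict=True)  # rejects host bits set
    vpn = ipaddress.ip_network(vpn_cidr, strict=True)
    gw = ipaddress.ip_address(vpn_remote_ip)
    if gw not in vpn:
        raise ValueError(f"gateway {gw} is not inside the tunnel subnet {vpn}")
    if lan.overlaps(vpn):
        raise ValueError(f"LAN {lan} overlaps tunnel subnet {vpn}; renumber one of them")
    flag = "-p " if persistent else ""
    return f"route {flag}add {lan.network_address} mask {lan.netmask} {gw}"


def reachable_via(lan_cidr, host):
    """True if 'host' would be sent through the route built for lan_cidr."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(lan_cidr, strict=True)
```

`windows_route_cmd("192.168.3.0/24", "192.168.6.10", "192.168.6.0/24")` reproduces the article's command; passing a LAN of 192.168.6.0/24 raises instead of emitting a route that would never be used.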

The Windows version of OpenVPN I downloaded is

http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe


Reposted from ybds.iteye.com/blog/766022