歡迎您光臨本站 註冊首頁

記錄我配置openvpn server for windows 2003橋接方式的過程

←手機掃碼閱讀     火星人 @ 2014-03-04 , reply:0

 以下是我在windows服務端/客戶端配置openvpn橋接方式的過程,以前用的是linux server + win client,並且是路由方式,這樣的橋接方式是第一次做,我把配置過程寫出來,供大家參考。
 
 感謝wenzk和各位給我的幫助!
 
 
 windows2000不支持網卡之間的橋接,xp和2003可以,所以,做為一台正式的伺服器來說,只有選擇win 2003做為openvpn伺服器。
 前面我在已經有服務運行的2003上安裝openvpn服務端,服務運行以後服務端始終拿不到ip地址10.8.0.1。後來重新安裝了一台2003,在上面一切正常。
 
 <<<<<<<<<<<<<<<
 
 服務端環境:
 win2003系統,兩塊網卡,一塊接內網,一塊接公網,openvpn服務安裝后,增加一塊虛擬tap網卡。
 
 客戶端環境:
 客戶端既有處於公網的主機,也有處於公司或組織的內網的主機,2000及其以上的系統,安裝openvpn客戶端。
 
 認證方式:
 使用公私鑰的方式進行認證。
 
 >>>>>>>>>>>>>>>
 
 <<<<<<<<<<<<<<<
 
 網卡橋接過程:
 建議在openvpn服務啟動前把橋接做好。
 橋接應該是在內網網卡與tap網卡之間做,而不是外網網卡與tap網卡之間,這是我花了一些時間才想通的問題。http://www.pavelec.net/adam/openvpn/bridge/ 這裡有介紹。
 注意:做了橋接以後,內網網卡上的ip設置立即失效,網橋上也沒有ip設置(這時候內網連接會立即斷開),接下來手工去網橋上設置內網的ip地址。
 提醒:網橋連接的操作要麼是在伺服器上直接做,要麼是通過公網ip遠程連接上去做,如果是通過內網ip遠程連接上去做的話,橋接做好,連接立即斷開,這一點上我吃了虧,害得我多跑腿。。。
 網橋ip設置好,就可以啟服務了。
 
 >>>>>>>>>>>>>>>
 
 服務端生成眾多公私鑰的過程不在介紹,bbs里很多。
 
 服務端配置文件(服務端的公網ip是a.b.c.d,內網ip是192.168.100.22,openvpn客戶端連接上來以後分配給它們的內網ip地址的範圍是從192.168.100.50到192.168.100.60。注意:50到60這一段內網ip不要分配給其他任何內網的主機或伺服器,避免造成ip地址衝突):
 
 # Which local IP address should OpenVPN
 # listen on? (optional)
 # 一般可以不寫這句配置語句,讓openvpn在所有ip上監聽,但是我發現使用udp協議時不寫這句配置語句,那麼在啟動時會有問題。
 local a.b.c.d
 
 # Which TCP/UDP port should OpenVPN listen on?
 # If you want to run multiple OpenVPN instances
 # on the same machine, use a different port
 # number for each one.  You will need to
 # open up this port on your firewall.
 port 1194
 
 # TCP or UDP server?
 proto udp
 
 # "dev tun" will create a routed IP tunnel,
 # "dev tap" will create an ethernet tunnel.
 # Use "dev tap0" if you are ethernet bridging
 # and have precreated a tap0 virtual interface
 # and bridged it with your ethernet interface.
 # If you want to control access policies
 # over the VPN, you must create firewall
 # rules for the the TUN/TAP interface.
 # On non-Windows systems, you can give
 # an explicit unit number, such as tun0.
 # On Windows, use "dev-node" for this.
 # On most systems, the VPN will not function
 # unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
 # 這裡只能使用tap設備,而不能使用tun設備
 dev tap
 ;dev tun
 
 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel if you
 # have more than one.  On XP SP2 or higher,
 # you may need to selectively disable the
 # Windows firewall for the TAP adapter.
 # Non-Windows systems usually don't need this.
 ;dev-node MyTap
 ;dev-node tap-bridge
 
 # SSL/TLS root certificate (ca), certificate
 # (cert), and private key (key).  Each client
 # and the server must have their own cert and
 # key file.  The server and all clients will
 # use the same ca file.
 #
 # See the "easy-rsa" directory for a series
 # of scripts for generating RSA certificates
 # and private keys.  Remember to use
 # a unique Common Name for the server
 # and each of the client certificates.
 #
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
 # 以下幾個文件沒有寫路徑,所以這些文件必須放在和本配置文件同一目錄下。
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
 
 # Diffie hellman parameters.
 # Generate your own with:
 #   openssl dhparam -out dh1024.pem 1024
 # Substitute 2048 for 1024 if you are using
 # 2048 bit keys.
 dh dh1024.pem
 
 # Configure server mode and supply a VPN subnet
 # for OpenVPN to draw client addresses from.
 # The server will take 10.8.0.1 for itself,
 # the rest will be made available to clients.
 # Each client will be able to reach the server
 # on 10.8.0.1. Comment this line out if you are
 # ethernet bridging. See the man page for more info.
 ;server 10.8.0.0 255.255.255.0
 
 # Maintain a record of client <-> virtual IP address
 # associations in this file.  If OpenVPN goes down or
 # is restarted, reconnecting clients can be assigned
 # the same virtual IP address from the pool that was
 # previously assigned.
 ifconfig-pool-persist ipp.txt
 
 # Configure server mode for ethernet bridging.
 # You must first use your OS's bridging capability
 # to bridge the TAP interface with the ethernet
 # NIC interface.  Then you must manually set the
 # IP/netmask on the bridge interface, here we
 # assume 10.8.0.4/255.255.255.0.  Finally we
 # must set aside an IP range in this subnet
 # (start=10.8.0.50 end=10.8.0.100) to allocate
 # to connecting clients.  Leave this line commented
 # out unless you are ethernet bridging.
 # 指定Openvpn服務端的IP地址是192.168.100.22
 # 指定為Openvpn客戶端分配的IP地址範圍是192.168.100.50到60。
 server-bridge 192.168.100.22 255.255.255.0 192.168.100.50 192.168.100.60
 
 # Push routes to the client to allow it
 # to reach other private subnets behind
 # the server.  Remember that these
 # private subnets will also need
 # to know to route the OpenVPN client
 # address pool (10.8.0.0/255.255.255.0)
 # back to the OpenVPN server.
 ;push "route 192.168.10.0 255.255.255.0"
 ;push "route 192.168.20.0 255.255.255.0"
 
 ;push "route 10.8.0.0 255.255.255.0 net_gateway"
 
 # To assign specific IP addresses to specific
 # clients or if a connecting client has a private
 # subnet behind it that should also have VPN access,
 # use the subdirectory "ccd" for client-specific
 # configuration files (see man page for more info).
 
 # EXAMPLE: Suppose the client
 # having the certificate common name "Thelonious"
 # also has a small subnet behind his connecting
 # machine, such as 192.168.40.128/255.255.255.248.
 # First, uncomment out these lines:
 ;client-config-dir ccd
 ;route 192.168.40.128 255.255.255.248
 # Then create a file ccd/Thelonious with this line:
 #   iroute 192.168.40.128 255.255.255.248
 # This will allow Thelonious' private subnet to
 # access the VPN.  This example will only work
 # if you are routing, not bridging, i.e. you are
 # using "dev tun" and "server" directives.
 
 # EXAMPLE: Suppose you want to give
 # Thelonious a fixed VPN IP address of 10.9.0.1.
 # First uncomment out these lines:
 ;client-config-dir ccd
 ;route 10.9.0.0 255.255.255.252
 # Then add this line to ccd/Thelonious:
 #   ifconfig-push 10.9.0.1 10.9.0.2
 
 # Suppose that you want to enable different
 # firewall access policies for different groups
 # of clients.  There are two methods:
 # (1) Run multiple OpenVPN daemons, one for each
 #     group, and firewall the TUN/TAP interface
 #     for each group/daemon appropriately.
 # (2) (Advanced) Create a script to dynamically
 #     modify the firewall in response to access
 #     from different clients.  See man
 #     page for more info on learn-address script.
 ;learn-address ./script
 
 # If enabled, this directive will configure
 # all clients to redirect their default
 # network gateway through the VPN, causing
 # all IP traffic such as web browsing and
 # and DNS lookups to go through the VPN
 # (The OpenVPN server machine may need to NAT
 # the TUN/TAP interface to the internet in
 # order for this to work properly).
 # CAVEAT: May break client's network config if
 # client's local DHCP server packets get routed
 # through the tunnel.  Solution: make sure
 # client's local DHCP server is reachable via
 # a more specific route than the default route
 # of 0.0.0.0/0.0.0.0.
 ;push "redirect-gateway"
 
 # Certain Windows-specific network settings
 # can be pushed to clients, such as DNS
 # or WINS server addresses.  CAVEAT:
 # http://openvpn.net/faq.html#dhcpcaveats
 ;push "dhcp-option DNS 10.8.0.1"
 ;push "dhcp-option WINS 10.8.0.1"
 
 # Uncomment this directive to allow different
 # clients to be able to "see" each other.
 # By default, clients will only see the server.
 # To force clients to only see the server, you
 # will also need to appropriately firewall the
 # server's TUN/TAP interface.
 ;client-to-client
 
 # Uncomment this directive if multiple clients
 # might connect with the same certificate/key
 # files or common names.  This is recommended
 # only for testing purposes.  For production use,
 # each client should have its own certificate/key
 # pair.
 #
 # IF YOU HAVE NOT GENERATED INDIVIDUAL
 # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
 # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
 # UNCOMMENT THIS LINE OUT.
 ;duplicate-cn
 
 # The keepalive directive causes ping-like
 # messages to be sent back and forth over
 # the link so that each side knows when
 # the other side has gone down.
 # Ping every 10 seconds, assume that remote
 # peer is down if no ping received during
 # a 120 second time period.
 keepalive 10 120
 
 # For extra security beyond that provided
 # by SSL/TLS, create an "HMAC firewall"
 # to help block DoS attacks and UDP port flooding.
 #
 # Generate with:
 #   openvpn --genkey --secret ta.key
 #
 # The server and each client must have
 # a copy of this key.
 # The second parameter should be '0'
 # on the server and '1' on the clients.
 tls-auth ta.key 0 # This file is secret
 
 # Select a cryptographic cipher.
 # This config item must be copied to
 # the client config file as well.
 ;cipher BF-CBC        # Blowfish (default)
 ;cipher AES-128-CBC   # AES
 ;cipher DES-EDE3-CBC  # Triple-DES
 # 從效率考慮,我不加密數據。如果需要加密數據的話,把下面這句話去掉就可以了。
 cipher none
 
 # Enable compression on the VPN link.
 # If you enable it here, you must also
 # enable it in the client config file.
 # 從效率考慮,數據壓縮一定要用。
 comp-lzo
 
 # The maximum number of concurrently connected
 # clients we want to allow.
 max-clients 10
 
 # It's a good idea to reduce the OpenVPN
 # daemon's privileges after initialization.
 #
 # You can uncomment this out on
 # non-Windows systems.
 ;user nobody
 ;group nobody
 
 # The persist options will try to avoid
 # accessing certain resources on restart
 # that may no longer be accessible because
 # of the privilege downgrade.
 persist-key
 persist-tun
 
 # Output a short status file showing
 # current connections, truncated
 # and rewritten every minute.
 status openvpn-status.log
 
 # By default, log messages will go to the syslog (or
 # on Windows, if running as a service, they will go to
 # the "\Program Files\OpenVPN\log" directory).
 # Use log or log-append to override this default.
 # "log" will truncate the log file on OpenVPN startup,
 # while "log-append" will append to it.  Use one
 # or the other (but not both).
 log-append  openvpn.log
 
 # Set the appropriate level of log
 # file verbosity.
 #
 # 0 is silent, except for fatal errors
 # 4 is reasonable for general usage
 # 5 and 6 can help to debug connection problems
 # 9 is extremely verbose
 verb 4
 
 # Silence repeating messages.  At most 20
 # sequential messages of the same message
 # category will be output to the log.
 ;mute 20
 
 
 從服務端複製ca.crt、client.crt、client.key、ta.key到客戶端配置文件同一目錄下。
 
 
 客戶端配置文件:
 
 client
 
 # Use the same setting as you are using on
 # the server.
 # On most systems, the VPN will not function
 # unless you partially or fully disable
 # the firewall for the TUN/TAP interface.
 dev tap
 
 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel
 # if you have more than one.  On XP SP2,
 # you may need to disable the firewall
 # for the TAP adapter.
 ;dev-node MyTap
 
 # Are we connecting to a TCP or
 # UDP server?  Use the same setting as
 # on the server.
 proto udp
 
 # The hostname/IP and port of the server.
 # You can have multiple remote entries
 # to load balance between the servers.
 remote  a.b.c.d 1194
 
 # Choose a random host from the remote
 # list for load-balancing.  Otherwise
 # try hosts in the order specified.
 ;remote-random
 
 # Keep trying indefinitely to resolve the
 # host name of the OpenVPN server.  Very useful
 # on machines which are not permanently connected
 # to the internet such as laptops.
 resolv-retry infinite
 
 # Most clients don't need to bind to
 # a specific local port number.
 nobind
 
 # Downgrade privileges after initialization (non-Windows only)
 ;user nobody
 ;group nobody
 
 # Try to preserve some state across restarts.
 persist-key
 persist-tun
 
 # If you are connecting through an
 # HTTP proxy to reach the actual OpenVPN
 # server, put the proxy server/IP and
 # port number here.  See the man page
 # if your proxy server requires
 # authentication.
 ;http-proxy-retry # retry on connection failures
 ;http-proxy  
 
 # Wireless networks often produce a lot
 # of duplicate packets.  Set this flag
 # to silence duplicate packet warnings.
 ;mute-replay-warnings
 
 # SSL/TLS parms.
 # See the server config file for more
 # description.  It's best to use
 # a separate .crt/.key file pair
 # for each client.  A single ca
 # file can be used for all clients.
 ca ca.crt
 cert client.crt
 key client.key
 
 # Verify server certificate by checking
 # that the certicate has the nsCertType
 # field set to "server".  This is an
 # important precaution to protect against
 # a potential attack discussed here:
 #  http://openvpn.net/howto.html#mitm
 #
 # To use this feature, you will need to generate
 # your server certificates with the nsCertType
 # field set to "server".  The build-key-server
 # script in the easy-rsa folder will do this.
 ;ns-cert-type server
 
 # If a tls-auth key is used on the server
 # then every client must also have the key.
 tls-auth ta.key 1
 
 # Select a cryptographic cipher.
 # If the cipher option is used on the server
 # then you must also specify it here.
 # 加密方式和服務端對應
 cipher none
 
 # Enable compression on the VPN link.
 # Don't enable this unless it is also
 # enabled in the server config file.
 comp-lzo
 
 # Set log file verbosity.
 verb 3
 
 # Silence repeating messages
 ;mute 20
 
 
 
 客戶端可以連接上服務端,並且得到服務端指定ip地址範圍里的一個ip地址。
 
 接下來我準備搞定客戶端訪問內網的問題,搞定以後我再接著寫。
 
 ==========================
 橋接模式服務啟動以後,不需要設置路由,客戶端撥號上來以後,得到內網IP,直接就可以訪問內網,所以到這裡橋接模式就做好了。
 
 從安全形度考慮,建議大家不要用默認的1194埠。
 
 希望這篇文章對大家有一些幫助。


[火星人 ] 記錄我配置openvpn server for windows 2003橋接方式的過程已經有969次圍觀

http://coctec.com/docs/service/show-post-21253.html