
OpenVPN Man Page Translation

火星人 @ 2014-03-04, replies: 0


I've noticed that a lot of people here like OpenVPN, and of course its features are very powerful. But for friends whose English isn't great, it is still hard to understand. Why don't we all translate the OpenVPN(TM) 2.0.x Man Page together? If you support this, please reply!

Website: http://openvpn.net/man.html

My own English isn't great either. Let's all work hard together!

I'll post the English original. Friends who can translate, click Quote and then translate it. Once everything is done, we'll tidy it up again :)

Then we'll put together lots of examples, so that friends who aren't that familiar with OpenVPN can find the best home!

[ This post was last edited by fsken on 2007-5-4 02:06 ]
《Solution》

Reposted from: http://blog.5ilinux.com/

Original: http://openvpn.net/howto.html
Installing OpenVPN
My translation skills are limited; please point out anything inappropriate.

OpenVPN can be downloaded here.For security, it's a good idea to check the file release signature after downloading.

The OpenVPN executable should be installed on both server and client machines, since the single executable provides both client and server functions.

Linux Notes (using RPM package)

If you are using a Linux distribution which supports RPM packages (SuSE, Fedora, Redhat, etc.), it's best to install using this mechanism. The easiest method is to find an existing binary RPM file for your distribution. You can also build your own binary RPM file:

rpmbuild -tb openvpn-.tar.gz

Once you have the .rpm file, you can install it with the usual

rpm -ivh openvpn-.rpm

or upgrade an existing installation with

rpm -Uvh openvpn-.rpm

Installing OpenVPN from a binary RPM package has these dependencies:

openssl
lzo
pam

Furthermore, if you are building your own binary RPM package, there are several additional dependencies:

openssl-devel
lzo-devel
pam-devel

See the openvpn.spec file for additional notes on building an RPM package for Red Hat Linux 9 or building with reduced dependencies.

Linux Notes (without RPM)

If you are using Debian, Gentoo, or a non-RPM-based Linux distribution, use your distro-specific packaging mechanism such as apt-get on Debian or emerge on Gentoo.

It is also possible to install OpenVPN on Linux using the universal ./configure method. First expand the .tar.gz file:

tar xfz openvpn-.tar.gz

Then cd to the top-level directory and type:

./configure
make
make install

Windows Notes

OpenVPN for Windows can be installed from the self-installing exe file on the OpenVPN download page. Remember that OpenVPN will only run on Windows 2000 or later. Also note that OpenVPN must be installed and run by a user who has administrative privileges (this restriction is imposed by Windows, not OpenVPN). The restriction can be sidestepped by running OpenVPN in the background as a service, in which case even non-admin users will be able to access the VPN, once it is installed. More discussion on OpenVPN + Windows privilege issues.

OpenVPN can also be installed as a GUI on Windows, using Mathias Sundman's installation package, which will install both OpenVPN and the Windows GUI.

After you run the Windows installer, OpenVPN is ready to use and will associate itself with files having the .ovpn extension. To run OpenVPN, you can:

Right click on an OpenVPN configuration file (.ovpn) and select Start OpenVPN on this configuration file. Once running, you can use the F4 key to exit.

Run OpenVPN from a command prompt Window with a command such as:

openvpn myconfig.ovpn

Once running in a command prompt window, OpenVPN can be stopped by the F4 key.

Run OpenVPN as a service by putting one or more .ovpn configuration files in \Program Files\OpenVPN\config and starting the OpenVPN Service, which can be controlled from Start Menu -> Control Panel -> Administrative Tools -> Services.

A GUI is also available for the Windows version of OpenVPN.

Additional Windows install notes.

Mac OS X Notes
Angelo Laub and Dirk Theisen have developed an OpenVPN GUI for OS X.

See also OpenVPN Client and Mac OS X 10.3.

Other OSes
Some notes are available in the INSTALL file for specific OSes. In general, the

./configure
make
make install

method can be used, or you can search for an OpenVPN port or package which is specific to your OS/distribution.


Installing OpenVPN

OpenVPN can be downloaded here.
For security reasons, it is strongly recommended that you check the file's digital signature after downloading.
The OpenVPN program can be installed on both the server and the client; the single program provides both server and client functions.

Linux Installation Notes (using an RPM package)

If you are using a Linux distribution with RPM package management (SuSE, Fedora, Redhat, etc.), it is best to install using that packaging mechanism. The most convenient way is to find a binary RPM package for it; you can also build an RPM package suited to your own machine from the tar archive:

rpmbuild -tb openvpn-.tar.gz

Once you have built the RPM package, you can install it:

rpm -ivh openvpn-.rpm

or upgrade an already installed program:

rpm -Uvh openvpn-.rpm

Installing OpenVPN from an RPM package has the following RPM package dependencies:
• openssl
• lzo
• pam

Furthermore, if you build your own RPM package, you must first install the following dependency RPM packages:
• openssl-devel
• lzo-devel
• pam-devel

See the openvpn.spec file for additional notes on the package dependencies when building an RPM package on Red Hat Linux 9.

Linux Installation Notes (without RPM)

If you use Debian, Gentoo, or another non-RPM Linux distribution, you can use their own package management, for example apt-get on Debian or emerge on Gentoo.

Of course you can also build and install OpenVPN with the usual ./configure method. Before building, first unpack the .tar.gz file:
tar xfz openvpn-.tar.gz
Enter the unpacked top-level directory:
./configure
make
make install

Windows Installation Notes

The Windows version of the OpenVPN installer can be downloaded from the OpenVPN download page. Note that this version of OpenVPN can only be installed on Windows 2000 or later. Also note that only a user with administrator privileges can install OpenVPN (this is a security restriction imposed by Windows). Under this restriction, OpenVPN can run as a background service, so that once the software is installed even non-administrator users can access the VPN. More discussion on OpenVPN + Windows privilege issues.

On Windows, OpenVPN can be installed with a graphical interface using Mathias Sundman's installation package, which installs both OpenVPN and the GUI.
After installing OpenVPN, the system will associate files with the .ovpn extension with it. To run OpenVPN, you can:
• Right-click an OpenVPN configuration file, i.e. a file with the .ovpn extension, and select Start OpenVPN on this configuration file. The program will run, and you can exit with the F4 shortcut key.
• In a DOS window, you can also run OpenVPN with the following command:
openvpn myconfig.ovpn
Likewise, OpenVPN started from the DOS command line can also be exited by pressing F4.
• We can start the OpenVPN service via Start -> Control Panel -> Administrative Tools -> Services, with one or more OpenVPN configuration files placed under \Program Files\OpenVPN\config.
A graphical interface for the Windows version of OpenVPN.

More notes on the Windows installer.

Mac OS X Installation Notes
Angelo Laub and Dirk Theisen have developed OpenVPN GUI for OS X.
For more information see OpenVPN Client and Mac OS X 10.3.
Other Operating Systems

See the INSTALL file for installation notes on other systems. In general it is
./configure
make
make install

You can look for an OpenVPN package suited to your system and package manager and install it in the appropriate way.

[ This post was last edited by fsken on 2007-5-4 02:39 ]
《Solution》

Reposted from: http://blog.5ilinux.com/
OpenVPN 2.0 HOWTO - LAN Interconnection (Translation)
Original: http://openvpn.net/howto.html
My translation skills are limited, and many places may be translated inappropriately; please correct me.
Some headings are kept in English and not translated.

Expanding the scope of the VPN to include additional machines on either the client or server subnet.

Including multiple machines on the server side when using a routed VPN (dev tun)

Once the VPN is working in a point-to-point fashion between client and server, the scope should be expanded so that the client can reach not only the server but also the other machines on the server's network.

For this purpose, let's take an example and assume that the server's LAN side uses the 10.66.0.0/24 subnet, and that the server directive in the OpenVPN server configuration file, i.e. the VPN virtual IP address pool, uses the 10.8.0.0/24 subnet.

First, the VPN clients can reach the 10.66.0.0/24 subnet through the VPN; this is easily done by adding the following directive to the server-side configuration file:

push "route 10.66.0.0 255.255.255.0"
Next, we need to set up a route on the gateway of the LAN where the OpenVPN server sits, for the VPN client subnet 10.8.0.0/24 to the OpenVPN server (this setting is necessary if the OpenVPN server and the LAN gateway are not the same machine).

Make sure IP and TUN/TAP forwarding are enabled on the OpenVPN server.

Including multiple machines on the server side when using a bridged VPN (dev tap)

The advantage of using an ethernet bridge is that you get this conveniently and for free, without any additional configuration.

Including multiple machines on the client side when using a routed VPN (dev tun)

In a typical remote-access situation the client uses the VPN as a single machine. But if the client is the gateway of a local LAN (such as a head office), you want every machine on that LAN to be able to use the VPN via routing.

For example, assume the client's LAN uses the 192.168.4.0/24 subnet, and that the VPN client has a certificate with the common name client2. Our goal is to set up a VPN tunnel so that all machines on the client's LAN can communicate with all machines on the OpenVPN server's LAN side.
Before setting this up, there are some basic prerequisites that must be met:

1: The client LAN subnet (192.168.4.0/24 in our example) must not be reachable within the VPN via the server or any other client site on the same subnet. Any subnet that joins the VPN must have a unique route through the tunnel.
2: The client must have a unique common name in its certificate ("client2" in our example), and the duplicate-cn directive must not be enabled in the OpenVPN server's configuration file.

First, we must make sure IP and TUN/TAP forwarding are enabled on the client.

Then we make a necessary change to the server-side configuration file; if the server configuration does not already reference a client configuration directory, add the following line.

client-config-dir ccd
The directive above means a directory called ccd is created in advance under the default directory of the running OpenVPN server. On Linux the default directory is /etc/openvpn, and on Windows it is \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the server process checks this directory for a file matching the common name in the client certificate; if a matching file is found, the additional configuration for that client is processed.

Next, we create a file called client2 in the ccd directory, containing the following directive:

iroute 192.168.4.0 255.255.255.0

In this way the OpenVPN server adds the route for the 192.168.4.0/24 subnet to client2.

Next, add the following directive to the server's main configuration file (not the ccd/client2 file):

route 192.168.4.0 255.255.255.0
You may ask: why have the seemingly redundant route and iroute settings? The reason is that while iroute controls routing from the OpenVPN server to the remote client, route controls routing from the kernel to the OpenVPN server (via the TUN interface). Both are important.

Next, ask yourself whether you want to allow network traffic between client2's subnet (192.168.4.0/24) and the OpenVPN server's other clients. If so, add the following to the server configuration file:

client-to-client
push "route 192.168.4.0 255.255.255.0"
This makes the OpenVPN server advertise client2's subnet to the other connected clients.

The final step, which is often forgotten, is to add a route on the server LAN's gateway that directs 192.168.4.0/24 to the OpenVPN server (you may not need this step if the OpenVPN server is itself the gateway of the server-side LAN). If you forget this setting, then when you try to ping a machine on the server LAN (not the OpenVPN server itself) from the 192.168.4.8 machine, you get a message that the machine is unreachable: the reply to the ping cannot be routed, because nothing knows how to reach 192.168.4.0/24. The usual rule of thumb is that, when routing a whole LAN through the VPN tunnel (and the VPN server is not the LAN's gateway machine), we must make sure every VPN client subnet has a route on the server-side LAN gateway.

Likewise, if the client machine running OpenVPN is also not the gateway of its own LAN, then a route must be set up on that LAN's gateway, via the client machine, so that other machines can reach the client's LAN through the VPN.
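Added example, not part of the reposted HOWTO: a Python check of the server-side pieces the steps above put in place. It parses a constructed server.conf and constructed ccd files held in memory (names and values are illustrative) and reports an iroute with no matching route, a subnet claimed by more than one client (prerequisite 1), duplicate-cn alongside per-client iroute files (prerequisite 2), and client-to-client without the corresponding pushed route.

```python
import ipaddress
import shlex

# Constructed sample configs (not from a real deployment): the server.conf
# and the contents of the client-config-dir ("ccd") as described in the HOWTO.
SERVER_CONF = """
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.66.0.0 255.255.255.0"
client-config-dir ccd
route 192.168.4.0 255.255.255.0
client-to-client
push "route 192.168.4.0 255.255.255.0"
"""

CCD_FILES = {
    "client2": "iroute 192.168.4.0 255.255.255.0\n",
    # client3 (constructed) claims the same LAN subnet as client2.
    "client3": "iroute 192.168.4.0 255.255.255.0\n",
}


def parse_directives(text):
    """Return (name, [args]) per non-comment line; '#' or ';' start a comment."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def to_network(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_routing_config(server_conf, ccd_files):
    """Cross-check route/iroute/push/client-to-client/duplicate-cn; return findings."""
    findings = []
    server = parse_directives(server_conf)
    names = {n for n, _ in server}
    routes = {to_network(a[0], a[1]) for n, a in server if n == "route" and len(a) >= 2}
    pushed = set()
    for name, args in server:
        if name == "push" and args:
            for iname, iargs in parse_directives(args[0]):
                if iname == "route" and len(iargs) >= 2:
                    pushed.add(to_network(iargs[0], iargs[1]))

    claimed = {}  # network -> common name whose ccd file iroutes it
    for cn, text in ccd_files.items():
        for name, args in parse_directives(text):
            if name != "iroute" or len(args) < 2:
                continue
            net = to_network(args[0], args[1])
            # The kernel must also hand this subnet to the tun interface ('route').
            if net not in routes:
                findings.append(f"{cn}: iroute {net} has no matching 'route' in server.conf")
            # Prerequisite 1: each LAN subnet may enter the VPN through one client only.
            for other_net, other_cn in claimed.items():
                if other_cn != cn and net.overlaps(other_net):
                    findings.append(f"{cn}: iroute {net} overlaps {other_net} of {other_cn}")
            claimed.setdefault(net, cn)
            # With client-to-client, the other clients need the subnet pushed to them.
            if "client-to-client" in names and net not in pushed:
                findings.append(f"{cn}: client-to-client set but {net} is not pushed")

    # Prerequisite 2: ccd files are matched by common name, so CNs must be unique.
    if "duplicate-cn" in names and claimed:
        findings.append("duplicate-cn is set; per-client iroute cannot be matched reliably")
    return findings


if __name__ == "__main__":
    for finding in check_routing_config(SERVER_CONF, CCD_FILES):
        print("WARN:", finding)
```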

Including multiple machines on the client side when using a bridged VPN (dev tap)

This requires a more complicated setup (in practice it may not be complicated, but it is complicated to explain):

1: You must bridge the client's TAP virtual network interface with the client's local network card.
2: You must manually set the IP address/netmask of the client's TAP virtual network interface.
3: You must configure the client machines to use an IP address and netmask within the bridge's subnet, possibly by querying the DHCP service on the OpenVPN server side.

[ This post was last edited by fsken on 2007-5-4 02:39 ]
《Solution》

Reposted from: http://blog.5ilinux.com/

OpenVPN 2.0 HOWTO - Process Management and Management Interface (Translation)
Original: http://openvpn.net/howto.html
My translation skills are limited, and many places may be translated inappropriately; please correct me.


Configuring OpenVPN to run automatically on system startup

The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.

Linux
If you install OpenVPN via an RPM package on Linux, the installer will set up an initscript. When executed, the initscript will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.

Windows
The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.

When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.


--------------------------------------------------------------------------------

Controlling a running OpenVPN process

Running on Linux/BSD/Unix

OpenVPN accepts several signals:

SIGUSR1 -- Conditional restart, designed to restart without root privileges
SIGHUP -- Hard restart
SIGUSR2 -- Output connection statistics to log file or syslog
SIGTERM, SIGINT -- Exit

Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).

Running on Windows as a GUI
See the OpenVPN GUI page.

Running in a Windows command prompt window

On Windows, you can start OpenVPN by right clicking on an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".

Once running in this fashion, several keyboard commands are available:

F1 -- Conditional restart (doesn't close/reopen TAP adapter)
F2 -- Show connection statistics
F3 -- Hard restart
F4 -- Exit

Running as a Windows Service
When OpenVPN is started as a service on Windows, the only way to control it is:

Via the service control manager (Control Panel / Administrative Tools / Services) which gives start/stop control.
Via the management interface (see below).

Modifying a live server configuration

While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.

client-config-dir -- This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (see the the manual page for more information). Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the new client-config-dir file.

crl-verify -- This directive names a Certificate Revocation List file, described below in the Revoking Certificates section. The CRL file can be modified on the fly, and changes will take effect immediately for new connections, or existing connections which are renegotiating their SSL/TLS channel (occurs once per hour by default). If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface (described below).

Status File

The default server.conf file has a line

status openvpn-status.log

which will output a list of current client connections to the file openvpn-status.log once per minute.

Using the management interface

The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly, by telneting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file:

management localhost 7505

This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice -- you can use any free port).

Once OpenVPN is running, you can connect to the management interface using a telnet client. For example:

ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux built on Feb 15 2005
Commands:
echo : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state : Like log, but show state history.
status : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #

For more information, see the OpenVPN Management Interface Documentation.



Configuring OpenVPN to start automatically at system startup

Because there is no standard in this area, every system has a different way of starting processes/services at boot. The best approach is to install the packages made specifically for OpenVPN, such as the RPM package on Linux or the installer on Windows.

Linux
If you install OpenVPN from an RPM package on Linux, the installation automatically creates a startup script. When the script runs, it looks for configuration files with the .conf extension under /etc/openvpn and, if any are found, starts an OpenVPN process for each configuration file.

Windows
After installation on Windows, a service is created; by default this service is turned off. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click Properties, and set it to run automatically at startup. After that, the OpenVPN service starts automatically the next time the system reboots.

When the OpenVPN service starts, it searches the \Program Files\OpenVPN\config directory for configuration files with the .ovpn extension and starts a corresponding OpenVPN process for each.


Controlling a running OpenVPN process

Running on Linux/BSD/Unix

OpenVPN accepts the following signals:

SIGUSR1 – Conditional restart; restarts the OpenVPN process without root privileges
SIGHUP – Restart
SIGUSR2 – Output connection status to the log file or syslog
SIGTERM, SIGINT – Exit

Use the writepid directive in the configuration file to specify OpenVPN's pid file, so that you can send signals to that pid (if you start OpenVPN with a startup script, it has already passed the writepid directive on the OpenVPN command line).

Running as a GUI on Windows

See the OpenVPN GUI page.

Running in a Windows command prompt window

On Windows, you can start OpenVPN by right-clicking an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".

Once running this way, the following keyboard commands are accepted:

F1 – Conditional restart (does not close/reopen the TAP adapter)
F2 – Show connection status
F3 – Restart
F4 – Exit

Starting as a Windows service

When OpenVPN is started as a Windows service, the only ways to control it are:

Via the Service Control Manager (Control Panel / Administrative Tools / Services), to start and stop it.
Via the management interface (see below).

Modifying the configuration of a running server

In most cases, changing the configuration file requires a restart of the service to take effect. There are two special directives that can be updated dynamically and take effect immediately, without restarting the OpenVPN service process.

client-config-dir – This directive sets the directory for client configuration files. The OpenVPN server checks each incoming connection request and then looks in this directory for the configuration file corresponding to that client (see the manual page for more information). Files in this directory can be updated dynamically without restarting the service. Note that new changes only take effect for new connections and do not affect existing connections. If you want a specific client's configuration file to take effect immediately for a current connection (or for a connection that has already dropped but whose instance object on the server has not yet expired), you can kill the client instance object via the management interface (described below). The client then reconnects and uses the new client-config-dir file.

crl-verify – This directive names the certificate revocation list file, described in detail in the Revoking Certificates section below. The CRL file can be modified in real time and takes effect immediately for new connections, or for already connected clients when they renegotiate the SSL/TLS channel (every hour by default). If you want to kill a currently connected client whose certificate has just been added to the CRL, you can do so via the management interface (described in detail below).

Status file

The default server-side configuration file server.conf has the following line

status openvpn-status.log
That directive outputs a list of current client connections to the openvpn-status.log file once per minute.

Using the management interface

The OpenVPN management interface is a very good way of controlling a running OpenVPN process. You can use the management interface directly by connecting to the management interface port with the telnet command, or use an OpenVPN GUI, which itself connects to the management interface.

To enable the management interface on an OpenVPN server or client, you have to add the following line to the configuration file:

management localhost 7505
This tells OpenVPN to listen on TCP port 7505 for clients accessing it via the management interface (port 7505 is an arbitrarily chosen port; you can choose any port that isn't in use).

Once OpenVPN is started, we can connect to the management interface with a telnet client, as in the following example:

ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux built on Feb 15 2005
Commands:
echo : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client with common name cn.
kill IP:port : Kill the client connecting from the given IP and port.
log : Turn realtime log display on/off
+ show the last N lines or 'all' of the log history.
mute : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to the daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state : Like log, but displayed statically.
status : Show the current daemon status info.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #

For more information, see the OpenVPN Management Interface Documentation.
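Added example, not part of the reposted HOWTO: a Python parser for the status text described above, i.e. the openvpn-status.log file and the reply to the management interface's status command (the same format, terminated by END). The status text and the expected iroute table are constructed; in the sample, client2's iroute subnet appears as a network entry in the routing table, and the check flags any LAN subnet the server routes to a client that the operator did not configure.

```python
import ipaddress

# Constructed sample in the openvpn-status.log (status version 1) layout, which is
# also what the management interface's 'status' command returns, ending in END.
STATUS_TEXT = """\
OpenVPN CLIENT LIST
Updated,Sun Feb  6 20:50:12 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client2,203.0.113.5:1194,3456,7890,Sun Feb  6 20:46:40 2005
client1,198.51.100.7:43210,120,340,Sun Feb  6 20:48:02 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client2,203.0.113.5:1194,Sun Feb  6 20:50:10 2005
192.168.4.0/24,client2,203.0.113.5:1194,Sun Feb  6 20:50:10 2005
10.8.0.10,client1,198.51.100.7:43210,Sun Feb  6 20:49:55 2005
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed operator view: the only LAN that should sit behind a client is
# client2's 192.168.4.0/24 (the iroute in its ccd/client2 file).
EXPECTED_IROUTES = {"client2": {ipaddress.ip_network("192.168.4.0/24")}}


def parse_status(text):
    """Parse status-version-1 text into {'updated', 'clients', 'routes'}."""
    result = {"updated": None, "clients": {}, "routes": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "END":
            continue
        if line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS"):
            section = line
            continue
        fields = line.split(",")
        if fields[0] in ("Common Name", "Virtual Address"):
            continue  # column header rows
        if fields[0] == "Updated":
            result["updated"] = fields[1]
        elif section == "OpenVPN CLIENT LIST" and len(fields) == 5:
            cn, real, rx, tx, since = fields
            result["clients"][cn] = {"real_address": real, "bytes_received": int(rx),
                                     "bytes_sent": int(tx), "connected_since": since}
        elif section == "ROUTING TABLE" and len(fields) == 4:
            virt, cn, real, last_ref = fields
            result["routes"].append({"virtual": virt, "cn": cn,
                                     "real_address": real, "last_ref": last_ref})
    return result


def routed_subnets(status):
    """Per common name, the routing-table entries that are networks, not single hosts."""
    out = {}
    for r in status["routes"]:
        net = ipaddress.ip_network(r["virtual"], strict=False)
        if net.prefixlen < net.max_prefixlen:  # a bare address parses as /32
            out.setdefault(r["cn"], set()).add(net)
    return out


def unexpected_subnets(status, expected):
    """Subnets the server is routing to a client that the operator did not configure."""
    findings = []
    for cn, nets in routed_subnets(status).items():
        for net in sorted(nets - expected.get(cn, set())):
            findings.append(f"{cn} carries unexpected subnet {net}")
    return findings


if __name__ == "__main__":
    s = parse_status(STATUS_TEXT)
    for cn, c in s["clients"].items():
        print(f"{cn:10} {c['real_address']:22} rx={c['bytes_received']} tx={c['bytes_sent']}")
    print("routed subnets:", routed_subnets(s))
    print("findings:", unexpected_subnets(s, EXPECTED_IROUTES))
```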

[ This post was last edited by fsken on 2007-5-4 02:39 ]
《Solution》

Reposted from: http://blog.5ilinux.com/

OpenVPN 2.0 HOWTO - Initial Startup and Testing (Translation)
Original: http://openvpn.net/howto.html
My translation skills are limited, and many places may be translated inappropriately; please correct me.

Starting up the VPN and testing for initial connectivity

Starting the server

First, make sure the OpenVPN server will be accessible from the internet. That means:

opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
Next, make sure that the TUN/TAP interface is not firewalled.

To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the .ovpn file on Windows), rather than start it as a daemon or service:

openvpn

A normal server startup should look like this (output will vary across platforms):


Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): :1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote:
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

Starting the client
As in the server configuration, it's best to initially start the OpenVPN server from the command line (or on Windows, by right-clicking on the client.ovpn file), rather than start it as a daemon or service:

openvpn

A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.

Now, try a ping across the VPN from the client. If you are using routing (i.e. dev tun in the server config file), try:

ping 10.8.0.1

If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.

If the ping succeeds, congratulations! You now have a functioning VPN.

Troubleshooting

If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:

You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

Solutions:

Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).

You get the error message: Initialization Sequence Completed with errors -- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.

Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.

You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).

The connection stalls on startup when using a proto udp configuration, the server log file shows this line:

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx

however the client log does not show an equivalent line.

Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

See the FAQ for additional troubleshooting information.


Starting the VPN and testing initial connectivity

Starting the server

First, make sure the OpenVPN server is reachable from the internet. That means:

1. The UDP port has been opened on the firewall (or whichever UDP or TCP port you have configured),
2. or the firewall has a port forward set up that points to UDP port 1194 on the OpenVPN server.

Next, make sure your TUN/TAP is not blocked by the firewall.

For easy troubleshooting, the best way to start OpenVPN is from the command line (or by right-clicking the server.ovpn file), which starts it as a service:

openvpn
On a normal server start, we see the following output:

Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): :1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote:
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

Starting the client

As with the server configuration, the best way to start the client is from the command line (or, on Windows, by right-clicking the client.ovpn file):

openvpn
On a normal client start you should see output similar to the server's, ending with "Initialization Sequence Completed".

Now we can try a ping across the VPN. If you are using routing mode (i.e. "dev tun" in the server configuration file), run the following command:

ping 10.8.0.1
If you are using ethernet bridging mode (i.e. "dev tap" in the server configuration file), you can try to ping an IP address on the server's LAN.

If the ping succeeds, congratulations, you have a fully functioning VPN.

Troubleshooting

If OpenVPN initialization fails, or the ping fails, here are some common symptoms and their solutions:

1. You get the following error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client could not establish a network connection with the server.

Solutions:

a. Make sure the server hostname/IP address and port the client is using are correct.
b. If your OpenVPN server has a single network card and sits in a protected LAN, make sure your gateway firewall uses the correct port forwarding rule. For example: your OpenVPN machine's address is 192.168.4.4, behind the firewall, listening for connection requests on UDP port 1194; the gateway serving the 192.168.4.x subnet then needs a port forwarding policy that forwards all requests to UDP port 1194 to 192.168.4.4.
c. Open the server's firewall to allow connections to UDP port 1194 in (or whichever TCP or UDP port is configured in the server configuration file).

2. You get the following error message: Initialization Sequence Completed with errors – this error can occur on Windows if (a) you have not enabled the DHCP client service, or (b) your XP SP2 is using a certain third-party personal firewall.

Solution: start the DHCP client service, or make sure your XP SP2 is using a personal firewall correctly.

3. You got the Initialization Sequence Completed message, but the ping test still fails. This usually means a firewall on the server or client is blocking or filtering network traffic on the TUN/TAP device.

Solution: disable the client firewall if it is filtering traffic on the TUN/TAP device. For example, on Windows XP SP2 you can go to Windows Security Center -> Windows Firewall -> Advanced and uncheck the TAP-Win32 adapter device (i.e. stop the firewall from filtering the TUN/TAP device; in essence this tells the firewall not to block authenticated VPN traffic). Likewise, on the server side make sure the TUN/TAP device is not filtered by a firewall (that said, selective filtering on the TUN/TAP interface does offer a certain security benefit; see the access policies section below).

4. The connection stalls on startup with a UDP protocol configuration, and the server's log file shows the following line:

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
However, this message only appears on the server side; the client does not show the same message.

Solution: you only have a one-way connection from client to server; the connection from server to client is blocked by a firewall, usually on the client side. The firewall (a) may be personal firewall software running on the client, or (b) the NAT router gateway serving the client may be configured so that UDP packets returning from the server to the client are blocked.

See the FAQ for more troubleshooting information.

[ This post was last edited by fsken on 2007-5-4 02:40 ]
《Solution》

Original:
INTRODUCTION
OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tries to be a universal VPN tool offering a great deal of flexibility, there are a lot of options on this manual page. If you're new to OpenVPN, you might want to skip ahead to the examples section where you will see how to construct simple VPNs on the command line without even needing a configuration file.

Also note that there's more documentation and examples on the OpenVPN web site: http://openvpn.net/

And if you would like to see a shorter version of this manual, see the openvpn usage message which can be obtained by running openvpn without any parameters.   

DESCRIPTION
OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.

OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.

Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.   

OPTIONS
OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
--help
Show options.
--config file
Load additional config options from file where each line corresponds to one command line option, but with the leading '--' removed.
If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file

Note that configuration files can be nested to a reasonable depth.

Double quotation characters ("") can be used to enclose single parameters containing whitespace, and "#" or ";" characters in the first column can be used to denote comments.

Note that OpenVPN 2.0 and higher performs backslash-based shell escaping, so the following mappings should be observed:

\\       Maps to a single backslash character (\).
\"       Pass a literal doublequote character ("), don't
         interpret it as enclosing a parameter.
\        Pass a literal space or tab character, don't
         interpret it as a parameter delimiter.

For example on Windows, use double backslashes to represent pathnames:



secret "c:\\OpenVPN\\secret.key"

For examples of configuration files, see http://openvpn.net/examples.html

Here is an example configuration file:


#
# Sample OpenVPN configuration file for
# using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
dev tun

# Our remote peer
remote mypeer.mydomain

# 10.1.0.1 is our local VPN endpoint
# 10.1.0.2 is our remote VPN endpoint
ifconfig 10.1.0.1 10.1.0.2

# Our pre-shared static key
secret static.key
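Added example, not the man page's own code: a Python tokenizer implementing the quoting and backslash-escaping rules stated above (double quotes enclose a parameter containing whitespace; "#" or ";" in the first column starts a comment; \\, \" and \<space> pass the literal character), run over the man page's Windows pathname line and the sample configuration file copied from the page.

```python
# The Windows pathname example and the sample configuration file quoted on the page.
WINDOWS_LINE = r'secret "c:\\OpenVPN\\secret.key"'

SAMPLE_CONF = """\
#
# Sample OpenVPN configuration file for
# using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
dev tun

# Our remote peer
remote mypeer.mydomain

# 10.1.0.1 is our local VPN endpoint
# 10.1.0.2 is our remote VPN endpoint
ifconfig 10.1.0.1 10.1.0.2

# Our pre-shared static key
secret static.key
"""

# Characters that a backslash passes through literally: \\ \" \<space> \<tab>
ESCAPABLE = ("\\", '"', " ", "\t")


def tokenize_config_line(line):
    """Split one configuration line into parameters using the man page's rules."""
    if line[:1] in ("#", ";"):
        return []  # comment marker in the first column: whole line ignored
    tokens, current = [], []
    in_quotes = have_token = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in ESCAPABLE:
            current.append(line[i + 1])  # escaped char is literal, never a delimiter
            have_token = True
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes  # quotes group whitespace into one parameter
            have_token = True          # so "" yields an explicit empty parameter
        elif ch in " \t" and not in_quotes:
            if have_token:             # unquoted whitespace ends the parameter
                tokens.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote: " + line)
    if have_token:
        tokens.append("".join(current))
    return tokens


def parse_config(text):
    """Return [(directive, [args])] for every non-empty, non-comment line."""
    out = []
    for raw in text.splitlines():
        tokens = tokenize_config_line(raw.rstrip("\r\n"))
        if tokens:
            out.append((tokens[0], tokens[1:]))
    return out


if __name__ == "__main__":
    print(tokenize_config_line(WINDOWS_LINE))  # the doubled backslashes collapse
    for directive, args in parse_config(SAMPLE_CONF):
        print(directive, args)
```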

Translation:

To be translated.....

[ This post was last edited by fsken on 2007-5-7 13:18 ]
《Solution》

Keep it up!!!!! Carry on..... translating; looking forward to it.....
《Solution》

Marking this. I haven't used OpenVPN; I'll test it some day.
《Solution》

Many thanks to the OP, good work.
《Solution》

Support


http://coctec.com/docs/service/show-post-18063.html