1. Install
http://swupdate.openvpn.net/community/releases/openvpn-2.2-beta5-install.exe
install path : c:/myapp/OpenVPN
2. OpenVPN server configuration
"Note:
We do not use the script files (*.bat),
because some errors occurred on Windows XP when I used them."
(1. Generate openssl.cnf from sample
c:\>cd c:\myapp\OpenVPN\easy-rsa\
easy-rsa>copy openssl.cnf.sample openssl.cnf
(2. Edit openssl.cnf
Use vars.bat.sample as a reference to fill in the parameters in openssl.cnf. The original lines are:
dir = $ENV::KEY_DIR # Where everything is kept
default_bits = $ENV::KEY_SIZE
countryName_default = $ENV::KEY_COUNTRY
stateOrProvinceName_default = $ENV::KEY_PROVINCE
localityName_default = $ENV::KEY_CITY
0.organizationName_default = $ENV::KEY_ORG
emailAddress_default = $ENV::KEY_EMAIL
Modified as below:
dir = ./keys # Where everything is kept
default_bits = 1024
countryName_default = TW # 2 letter code
stateOrProvinceName_default = TW
localityName_default = city
0.organizationName_default = org
emailAddress_default = oopsmonk@XXX.com
(3. Clean keys
Remove the "keys" folder if it exists, then initialize the keys:
easy-rsa>mkdir keys
easy-rsa>copy index.txt.start keys\index.txt
easy-rsa>copy serial.start keys\serial.
(4. Generate the dh file and the ca key
Build a dh file for the server side.
1024 is the default_bits parameter.
easy-rsa>openssl dhparam -out keys\dh1024.pem 1024
easy-rsa>openssl req -days 3650 -nodes -new -x509 -keyout .\keys\ca.key -out .\keys\ca.crt -config openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.............................................++++++
.....................++++++
writing new private key to '.\keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TW]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [ORG]:
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:oopsmonk
Email Address [oopsmonk@XXX.com]:
(5. Edit C:\myapp\OpenVPN\easy-rsa\build-key-server.bat
@echo off
cd C:\myapp\OpenVPN\easy-rsa
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout .\keys\%1.key -out .\keys\%1.csr -config openssl.cnf
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out .\keys\%1.crt -in .\keys\%1.csr -extensions server -config openssl.cnf
rem delete any .old files created in this process, to avoid future file creation errors
del /q .\keys\*.old
(6. Generate the server key
easy-rsa>build-key-server.bat server
Fill in "Organizational Unit Name" and "Common Name"; use the defaults for the others.
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TW]:
Locality Name (eg, city) [city]:
Organization Name (eg, company) [org]:
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:oopsmonk
Email Address [oopsmonk@XXX.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcdefg
An optional company name []:user
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'TW'
localityName :PRINTABLE:'city'
organizationName :PRINTABLE:'org'
organizationalUnitName:PRINTABLE:'user'
commonName :PRINTABLE:'oopsmonk'
emailAddress :IA5STRING:'oopsmonk@XXX.com'
Certificate is to be certified until Dec 28 02:26:25 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(7. Copy files to the config folder.
copy keys\(ca.crt, ca.key, dh1024.pem, server.crt, server.key) to C:\myapp\OpenVPN\config
easy-rsa>copy ..\sample-config\server.ovpn ..\config
(8. Edit C:\myapp\OpenVPN\config\server.ovpn
#oopsmonk host IP
local 192.168.0.123
#use the https port; default is 1194
port 443
#We use tcp; default is udp.
proto tcp
#on Windows use tap.
dev tap
(9. Click OpenVPN GUI and select "connect"
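Added example (not part of the original post): a Python check over the values used in steps (2, (4 and (7, flagging RSA and DH sizes below 2048 bits and a CA private key kept in the server's config folder, which the OpenVPN server does not read at run time. The 2048-bit floor, the function name audit and the sample strings are assumptions of this example.

```python
import re

MIN_BITS = 2048  # assumed minimum size for RSA keys and DH parameters

# Inputs constructed from the values shown in steps (2, (4 and (7 above.
SAMPLE_CNF = """dir = ./keys # Where everything is kept
default_bits = 1024
countryName_default = TW # 2 letter code
"""
SAMPLE_COMMANDS = r"""easy-rsa>openssl dhparam -out keys\dh1024.pem 1024
easy-rsa>openssl req -days 3650 -nodes -new -x509 -keyout .\keys\ca.key -out .\keys\ca.crt -config openssl.cnf
"""
SAMPLE_CONFIG_DIR = ["ca.crt", "ca.key", "dh1024.pem", "server.crt", "server.key"]


def strip_comment(line):
    """Drop a trailing '# ...' comment as used in openssl.cnf."""
    return line.split("#", 1)[0].strip()


def audit(openssl_cnf, commands, config_files):
    """Return (check, detail) findings for an easy-rsa / OpenVPN server setup."""
    findings = []
    # 1. RSA key size that "openssl req -new" takes from openssl.cnf.
    for line in openssl_cnf.splitlines():
        m = re.match(r"default_bits\s*=\s*(\d+)$", strip_comment(line))
        if m and int(m.group(1)) < MIN_BITS:
            findings.append(("rsa-key-size", f"default_bits = {m.group(1)}"))
    # 2. Diffie-Hellman size: the last argument of "openssl dhparam".
    for line in commands.splitlines():
        m = re.search(r"openssl\s+dhparam\b.*?\s(\d+)\s*$", line)
        if m and int(m.group(1)) < MIN_BITS:
            findings.append(("dh-param-size", f"dhparam {m.group(1)}"))
    # 3. CA signing key stored beside the server's runtime files.
    for name in config_files:
        if name.lower() == "ca.key":
            findings.append(("ca-key-on-server", name))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CNF, SAMPLE_COMMANDS, SAMPLE_CONFIG_DIR):
        print(f"{check}: {detail}")
```
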
3. Client configuration
(1. Edit C:\myapp\OpenVPN\easy-rsa\build-key.bat
@echo off
cd C:\myapp\OpenVPN\easy-rsa
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout .\keys\%1.key -out .\keys\%1.csr -config openssl.cnf
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out .\keys\%1.crt -in .\keys\%1.csr -config openssl.cnf
rem delete any .old files created in this process, to avoid future file creation errors
del /q .\keys\*.old
(2. Build the client key for sam.
easy-rsa>build-key.bat sam
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............++++++
................................................................................
.....................................................++++++
writing new private key to '.\keys\sam.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TW]:
Locality Name (eg, city) [city]:
Organization Name (eg, company) [org]:
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:sam
Email Address [oopsmonk@XXX.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXX
An optional company name []:user
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'TW'
stateOrProvinceName :PRINTABLE:'TW'
localityName :PRINTABLE:'city'
organizationName :PRINTABLE:'org'
organizationalUnitName:PRINTABLE:'user'
commonName :PRINTABLE:'sam'
emailAddress :IA5STRING:'oopsmonk@XXX.com'
Certificate is to be certified until Dec 28 02:39:28 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(3. Set up the client
copy (ca.crt, sam.crt, sam.key) to "C:\myapp\OpenVPN\config" folder on client PC
copy sample-config\client.ovpn to \OpenVPN\config\
(4. Copy client.ovpn from C:\myapp\OpenVPN\sample-config
to C:\myapp\OpenVPN\config
Check client.ovpn:
#must be the same as the server setting
dev tap
proto tcp
#192.168.0.123 is server ip, and 443 is https port
remote 192.168.0.123 443
ca ca.crt
cert sam.crt
key sam.key
(5. Click OpenVPN GUI, select "connect", and enjoy it.