Thursday, December 30, 2010

OpenVPN 2.1.4 (on Windows XP)

OpenVPN 2.1.4 -- released on 2010.11.09 (on Windows XP)
1. Install
http://swupdate.openvpn.net/community/releases/openvpn-2.2-beta5-install.exe
(note that this link points at the 2.2-beta5 installer, not at 2.1.4)
install path: C:\myapp\OpenVPN

2. OpenVPN server configuration
"Note:
We do not use the script files (*.bat),
because some errors occurred on Windows XP when I used them."


(1. Generate openssl.cnf from the sample
c:\>cd c:\myapp\OpenVPN\easy-rsa\
easy-rsa>copy openssl.cnf.sample openssl.cnf

(2. Edit openssl.cnf
The sample reads its values from the KEY_* environment variables that vars.bat would normally set. Since vars.bat is not used here, replace every $ENV:: reference with a literal value, using vars.bat.sample as the reference for what each one means:

dir        = $ENV::KEY_DIR        # Where everything is kept
default_bits        = $ENV::KEY_SIZE
countryName_default        = $ENV::KEY_COUNTRY
stateOrProvinceName_default    = $ENV::KEY_PROVINCE
localityName_default        = $ENV::KEY_CITY
0.organizationName_default    = $ENV::KEY_ORG
emailAddress_default        = $ENV::KEY_EMAIL
Modified as below:
dir        = ./keys        # Where everything is kept
default_bits        = 1024
countryName_default        = TW # 2 letter code
stateOrProvinceName_default    = TW
localityName_default        = city
0.organizationName_default    = org
emailAddress_default        = oopsmonk@XXX.com
default_bits sets the RSA key size for the CA, server and client keys generated below. 1024 was the easy-rsa default at the time but is too short by today's standards; use at least 2048 for a new deployment and size the DH parameter file in step (4 to match.

(3. Clean keys
Remove the "keys" folder if it exists, then initialise the CA database (the trailing dot in "serial." is intentional: it makes cmd create a file named "serial" with no extension):
easy-rsa>mkdir keys
easy-rsa>copy index.txt.start keys\index.txt
easy-rsa>copy serial.start keys\serial.

(4. Generate the DH parameters and the CA key/certificate
Build a DH parameter file for the server side; 1024 matches the default_bits value set in openssl.cnf (use a larger size if you raise default_bits).
easy-rsa>openssl dhparam -out keys\dh1024.pem 1024
Then create the CA: -x509 makes the certificate self-signed, -days 3650 makes it valid for ten years, and -nodes leaves ca.key unencrypted, so keep ca.key off the VPN server and out of reach of anyone who must not be able to issue certificates.
easy-rsa>openssl req -days 3650 -nodes -new -x509 -keyout .\keys\ca.key -out .\keys\ca.crt -config openssl.cnf
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.............................................++++++
.....................++++++
writing new private key to '.\keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TW]:
Locality Name (eg, city) [CITY]:
Organization Name (eg, company) [ORG]:
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:oopsmonk
Email Address [oopsmonk@XXX.com]: 
 
(5. Edit C:\myapp\OpenVPN\easy-rsa\build-key-server.bat (this replaces the stock script; "-extensions server" applies the [ server ] section of openssl.cnf, which marks the certificate with nsCertType=server and extendedKeyUsage=serverAuth so that clients can tell it apart from a client certificate)
@echo off
cd C:\myapp\OpenVPN\easy-rsa
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout .\keys\%1.key -out .\keys\%1.csr -config openssl.cnf
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out .\keys\%1.crt -in .\keys\%1.csr -extensions server -config openssl.cnf
rem delete any .old files created in this process, to avoid future file creation errors
del /q .\keys\*.old

(6. Generate the server key and certificate
easy-rsa>build-key-server.bat server
Fill in "Organizational Unit Name" and "Common Name"; accept the defaults for the rest. Give the server a Common Name that differs from the CA's (here both are "oopsmonk"), since the CN is what identifies each certificate, and leave the challenge password blank: it is only a CSR attribute and is not used by OpenVPN.
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TW]:
Locality Name (eg, city) [city]:
Organization Name (eg, company) [org]:
Organizational Unit Name (eg, section) []:user
Common Name (eg, your name or your server's hostname) []:oopsmonk
Email Address [oopsmonk@XXX.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcdefg
An optional company name []:user

Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'TW'
stateOrProvinceName   :PRINTABLE:'TW'
localityName          :PRINTABLE:'city'
organizationName      :PRINTABLE:'org'
organizationalUnitName:PRINTABLE:'user'
commonName            :PRINTABLE:'oopsmonk'
emailAddress          :IA5STRING:'oopsmonk@XXX.com'
Certificate is to be certified until Dec 28 02:26:25 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(7. Copy files to the config folder
Copy keys\ca.crt, keys\dh1024.pem, keys\server.crt and keys\server.key to C:\myapp\OpenVPN\config. ca.key is not needed by the server (server.ovpn never references it) and should stay with the CA rather than in the config folder.
easy-rsa>copy ..\sample-config\server.ovpn ..\config

(8. Edit C:\myapp\OpenVPN\config\server.ovpn (only the lines changed from the sample are shown)
# oopsmonk host IP: listen only on this address
local 192.168.0.123
# use the HTTPS port; the default is 1194
port 443
# we use tcp; the default is udp
proto tcp
# tap (Ethernet) mode; the client must use the same dev type
dev tap

(9. Click the OpenVPN GUI icon and select "Connect".

3. Client configuration
(1. Edit C:\myapp\OpenVPN\easy-rsa\build-key.bat (the same as build-key-server.bat but without "-extensions server", so the certificate is not marked as a server certificate)
@echo off
cd C:\myapp\OpenVPN\easy-rsa
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout .\keys\%1.key -out .\keys\%1.csr -config openssl.cnf
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out .\keys\%1.crt -in .\keys\%1.csr -config openssl.cnf
rem delete any .old files created in this process, to avoid future file creation errors
del /q .\keys\*.old

(2. Build the client key and certificate for user sam (run on the machine that holds the CA):
easy-rsa>build-key.bat sam

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............++++++
................................................................................
.....................................................++++++
writing new private key to '.\keys\sam.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [TW]:
Locality Name (eg, city) [city]:
Organization Name (eg, company) [org]:
Organizational Unit Name (eg, section) []:user 
Common Name (eg, your name or your server's hostname) []:sam
Email Address [oopsmonk@XXX.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:XXXXXXXX
An optional company name []:user
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'TW'
stateOrProvinceName   :PRINTABLE:'TW'
localityName          :PRINTABLE:'city'
organizationName      :PRINTABLE:'org'
organizationalUnitName:PRINTABLE:'user'
commonName            :PRINTABLE:'sam'
emailAddress          :IA5STRING:'oopsmonk@XXX.com'
Certificate is to be certified until Dec 28 02:39:28 2020 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
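A check to run after build-key-server.bat (step 2.(6) and after build-key.bat (step 3.(2), before anything is copied to a config folder. This is an added example, not part of the original post or of easy-rsa; it assumes the C:\myapp\OpenVPN\easy-rsa layout used on this page and the openssl.exe that ships with OpenVPN. It confirms that the certificate chains to ca.crt, that the .key belongs to the .crt, and that only a certificate built with "-extensions server" carries the server markings that "ns-cert-type server" / "remote-cert-tls server" look for.

```batch
@echo off
rem check-cert.bat - added example (hypothetical script, not shipped with easy-rsa or OpenVPN)
rem Usage:  check-cert.bat server server   (certificate built with build-key-server.bat)
rem         check-cert.bat sam client      (certificate built with build-key.bat)
rem Assumes easy-rsa is installed in C:\myapp\OpenVPN\easy-rsa with keys under .\keys
setlocal
cd /d C:\myapp\OpenVPN\easy-rsa
if "%~1"=="" goto usage
set NAME=%~1
set ROLE=%~2
if "%ROLE%"=="" set ROLE=client

rem 1. The certificate must chain to our own CA and to nothing else.
openssl verify -CAfile keys\ca.crt keys\%NAME%.crt
if errorlevel 1 goto fail

rem 2. The private key must belong to this certificate (same RSA modulus).
openssl x509 -noout -modulus -in keys\%NAME%.crt > "%TEMP%\crtmod.txt"
openssl rsa  -noout -modulus -in keys\%NAME%.key > "%TEMP%\keymod.txt"
fc "%TEMP%\crtmod.txt" "%TEMP%\keymod.txt" > nul
if errorlevel 1 (
    echo FAIL: keys\%NAME%.key does not match keys\%NAME%.crt
    goto fail
)

rem 3. Role check. "-extensions server" adds nsCertType=server ("SSL Server" in
rem    the text dump) and extendedKeyUsage=serverAuth ("TLS Web Server
rem    Authentication"). A client certificate must carry neither, otherwise any
rem    client could pose as the server to clients that use "ns-cert-type server".
openssl x509 -noout -text -in keys\%NAME%.crt | findstr /C:"SSL Server" /C:"TLS Web Server Authentication" > nul
if "%ROLE%"=="server" (
    if errorlevel 1 (
        echo FAIL: keys\%NAME%.crt is not marked as a server certificate
        goto fail
    )
) else (
    if not errorlevel 1 (
        echo FAIL: keys\%NAME%.crt is a client certificate but carries server extensions
        goto fail
    )
)

rem 4. Print subject, validity and key size so duplicated CNs or 1024-bit keys stand out.
openssl x509 -noout -subject -dates -in keys\%NAME%.crt
openssl rsa -noout -text -in keys\%NAME%.key | findstr /C:"Private-Key"
echo OK: keys\%NAME%.crt verified as %ROLE%
endlocal
exit /b 0

:usage
echo usage: check-cert.bat ^<name^> [server^|client]
exit /b 2

:fail
endlocal
exit /b 1
```

Run it as "check-cert.bat server server" and "check-cert.bat sam client"; a non-zero exit code means that key/certificate pair should not be deployed.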

(3. Set up the client
Copy ca.crt, sam.crt and sam.key to the C:\myapp\OpenVPN\config folder on the client PC. sam.key is the client's private key: transfer it over a secure channel and do not leave a copy on the server.

(4. Copy client.ovpn from C:\myapp\OpenVPN\sample-config to C:\myapp\OpenVPN\config and check these lines:
# must match the server settings
dev tap
proto tcp
# 192.168.0.123 is the server IP and 443 the port chosen in server.ovpn
remote 192.168.0.123 443
ca ca.crt
cert sam.crt
key sam.key
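The complete server.ovpn (step 2.(8) and client.ovpn (step 3.(4) as a matched pair, given here as an added example rather than the post's own files or OpenVPN's sample configs. Two options the post does not set are added: "ns-cert-type server" on the client, so that only a certificate signed with "-extensions server" is accepted as the server and a stolen client certificate cannot impersonate it, and a shared tls-auth HMAC key so the server drops control-channel packets from anyone who does not hold it. Assumed: the paths and addresses used on this page, and a ta.key generated on the server with "openvpn --genkey --secret ta.key" and copied to the client's config folder alongside its certificate.

```conf
# --- server.ovpn  (C:\myapp\OpenVPN\config on 192.168.0.123) ---
local 192.168.0.123
port 443
proto tcp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# hand out 10.8.0.x addresses to tap clients (same as the sample-config default)
server 10.8.0.0 255.255.255.0
# HMAC check on every control-channel packet; key created with:
#   openvpn --genkey --secret ta.key        (assumed to have been run on the server)
# direction 0 on the server, 1 on the client
tls-auth ta.key 0
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3

# --- client.ovpn  (C:\myapp\OpenVPN\config on the client PC) ---
client
dev tap
proto tcp
remote 192.168.0.123 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert sam.crt
key sam.key
# refuse any peer whose certificate lacks nsCertType=server, i.e. anything
# not built with build-key-server.bat; "remote-cert-tls server" is the
# equivalent check on the extendedKeyUsage/keyUsage extensions
ns-cert-type server
tls-auth ta.key 1
verb 3
```

Keep dev, proto and the port identical on both sides; with tls-auth, a mismatch in the key or key-direction shows up in the log as dropped packets rather than a clear handshake error, so check the 0/1 values first when the client cannot connect.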

(5. Click the OpenVPN GUI icon, select "Connect", and enjoy it.
