OpenVPN Setup Notes (Part 5)
Published 2010-04-02 (last modified 2018-05-11), https://blog.nuface.tw/?p=1007

This part focuses on the config files. It should be a bit simpler than the earlier parts; the tedious work was mostly finished there.

Logo: http://openvpn.net/templates/telethra/img/ovpntech_logo-s.gif (ref: Open VPN Project, http://openvpn.net/)
Previously: OpenVPN Setup Notes (Part 4), //blog.nuface.tw/?p=941

Start from the server.conf that OpenVPN ships with. A sample sits in /usr/share/doc/openvpn-2.1_rc7/sample-config-files; copy it to /etc/openvpn first.

```sh
[root@openvpn ~]# cp /usr/share/doc/openvpn-2.1_rc7/sample-config-files/server.conf /etc/openvpn/server.conf
```

Next, generate the tls-auth key (ta.key). It adds an HMAC to every control-channel packet, so the server can discard packets that do not carry a valid HMAC before doing any TLS work; that blunts DoS and UDP port-flooding attacks and keeps unauthenticated peers away from the TLS stack altogether.

```sh
[root@openvpn ~]# openvpn --genkey --secret ta.key
```

One caveat: run from /root as above, the key lands in /root/ta.key, but server.conf refers to it as a bare `ta.key`, which OpenVPN resolves relative to its working directory (the init script starts the daemon with `--cd /etc/openvpn`). Generate it there instead (`openvpn --genkey --secret /etc/openvpn/ta.key`), keep it mode 0600, and copy it to each client over an authenticated channel; it is a shared secret, and a client without the matching key cannot even start the handshake.
Now edit server.conf:

```text
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
# this push route sends the 192.168.100.0/24 segment through the tunnel to my "Secret Garden" site
push "route 192.168.100.0 255.255.255.0"
tls-auth ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
```

That is the server-side config. A few points worth checking before relying on it. `tls-auth ta.key 0` on the server pairs with `tls-auth ta.key 1` on the client; the two direction values must differ. The sample ships `user nobody` and `group nobody` commented out and they are not enabled here, so the daemon keeps running as root after the handshake; uncomment them (`persist-key` and `persist-tun`, already present, are what let the process survive restarts after the privilege drop). `push "route ..."` only installs the route on the client: hosts on 192.168.100.0/24 also need a path back to 10.8.0.0/24, either a route to the OpenVPN server on their gateway or a NAT rule on the server for traffic leaving tun0 (the firewall script below does not add one). Finally, `comp-lzo` enables compression; current OpenVPN releases discourage it because compression side channels (the VORACLE attack) let an attacker who can inject plaintext into the tunnel recover secrets, so leave it out unless a client needs it.

Once the file is in place, start the VPN server:

```sh
[root@openvpn ~]# service openvpn start
```

Running ifconfig now shows an extra network interface:

```sh
[root@openvpn ~]# ifconfig
tun0      Link encap:UNSPEC  HWaddr
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
```
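A pre-flight check for the config above, as an added example (my own script, not from the original post or the OpenVPN project). It resolves every `ca`/`cert`/`key`/`dh`/`tls-auth` path the way the daemon does, relative to the directory it is started from (assumed to be /etc/openvpn, as the init script's `--cd` makes it), so a ta.key left in /root shows up before `service openvpn start` fails; it also refuses private material readable by group or other, checks that the tls-auth direction matches the side (0 for a `server` config, 1 for a `client` one), and flags a server config that never drops privileges with `user`/`group`. The function name `ovpn_preflight`, the output format and the file layout used by the check are assumptions.

```shell
#!/bin/sh
# ovpn_preflight CONFIG WORKDIR
#   Sanity-check an OpenVPN 2.x config before starting the daemon.
#   WORKDIR is the directory openvpn runs from (the init script uses
#   --cd /etc/openvpn), so bare file names such as "ta.key" resolve there.
#   Prints one line per finding and returns the number of findings.
ovpn_preflight() {
    conf=$1 cwd=$2 problems=0 role=unknown drops_privs=0 tls_dir=

    # Directives are "keyword arg1 arg2 ..."; comments start with # or ;.
    while read -r key arg1 arg2 _rest; do
        case "$key" in
            ''|'#'*|';'*) continue ;;
            server) role=server ;;
            client) role=client ;;
            user|group) drops_privs=1 ;;
            ca|cert|key|dh|tls-auth)
                path=$arg1
                # relative paths are looked up from the working directory
                case "$path" in /*) ;; *) path="$cwd/$path" ;; esac
                if [ ! -r "$path" ]; then
                    echo "MISSING  $key -> $path (not found from $cwd)"
                    problems=$((problems + 1))
                elif [ "$key" = key ] || [ "$key" = tls-auth ]; then
                    # private material must not be group/world readable:
                    # ls -ld prints -rw------- for mode 0600, chars 5-10 are
                    # the group/other bits
                    mode=$(ls -ld "$path" | cut -c5-10)
                    if [ "$mode" != "------" ]; then
                        echo "PERMS    $path is readable by group/other (chmod 600)"
                        problems=$((problems + 1))
                    fi
                fi
                if [ "$key" = tls-auth ]; then
                    tls_dir=$arg2
                fi
                ;;
        esac
    done < "$conf"

    # tls-auth direction: the server uses 0, the client 1; they must differ.
    case "$role:$tls_dir" in
        server:0|client:1|*:) ;;
        *) echo "TLSAUTH  direction '$tls_dir' is wrong for a $role config"
           problems=$((problems + 1)) ;;
    esac

    # A server that never drops privileges keeps running as root.
    if [ "$role" = server ] && [ "$drops_privs" -eq 0 ]; then
        echo "PRIVS    no user/group directive; uncomment user nobody and group nobody"
        problems=$((problems + 1))
    fi
    return $problems
}
```

Run it as `ovpn_preflight /etc/openvpn/server.conf /etc/openvpn` before starting the service; a zero exit status means nothing was flagged. It reads only the directives named above, so `push`, `status` and the rest pass through untouched.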
Next, some firewall settings. Copy the sample firewall script into /etc/openvpn and edit it there.

```sh
[root@openvpn ~]# cp /usr/share/doc/openvpn-2.1_rc7/sample-config-files/firewall.sh /etc/openvpn/.
```

Changes to firewall.sh (only the lines that were added or changed are listed; everything else keeps the sample's wording):

```sh
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
PRIVATE=192.168.100.0/24
# Anything coming from the Internet should have a real Internet address
#iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
#iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
#iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
#iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
#iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
#iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

# Check source address validity on packets going out to internet
#iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

# Masquerade local subnet
# iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
```

Two notes on this. The sample's anti-spoofing rules (drop RFC 1918 sources arriving on eth0) are commented out here; they only make sense when eth0 faces the public Internet, and this server sits at 192.168.2.198 on a private LAN (see the client's `remote` line below), where they would drop legitimate traffic. And `echo "1" > /proc/sys/net/ipv4/ip_forward` does not survive a reboot; set `net.ipv4.ip_forward = 1` in /etc/sysctl.conf as well so forwarding comes back with the machine.

After editing, run the script. The file copied above is `firewall.sh`, so make it executable first (or run it through bash):

```sh
[root@openvpn ~]# cd /etc/openvpn && chmod +x firewall.sh && ./firewall.sh
```

The server side should now be OK. On to the client.

The client I use is Windows XP Service Pack 2. Note that "XP" must be at least Service Pack 2, or there will be problems.

First download the OpenVPN GUI for Windows from http://openvpn.se/files/install_packages/. I used openvpn-2.0.9-gui-1.0.3-install.exe, which looked a bit newer.

After downloading, run the installer. Installation creates a TAP-Win32
network adapter; I renamed it OpenVPN_Tap. That name is used in the config file below (the `dev-node` line).

Once the software is installed, an OpenVPN GUI icon appears in the tray at the bottom right of the taskbar.
Image: http://blog.nuface.tw/wp-content/uploads/2010/04/unconnect-openvpn-icon.gif (unconnect-openvpn-icon)

Next, create a directory named nuface_client1 under C:\Program Files\OpenVPN\config.

Download the key files from the server to the client: ca.crt / client1.crt / client1.key / client1.csr / ta.key. (The .csr is the signing request and is not read by the client; only ca.crt, client1.crt, client1.key and ta.key are referenced by the profile below, and client1.key is private material that must not leave the two machines.)
Ideally transfer them securely, for example FTP over SSL as described in Network services with SSL (http://blog.nuface.tw/?p=398). Since everything is still on the internal network for now, I was lazy and simply fetched them with plain FTP into C:\Program Files\OpenVPN\config\nuface_client1.

Then, in that directory, create a file named nuface_client1.ovpn with the following content:

```text
client
dev tun
dev-node OpenVPN_Tap
proto udp
remote 192.168.2.198 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
```

`ns-cert-type server` makes the client reject any server certificate that lacks the nsCertType=server extension, so another client holding a certificate from the same CA cannot pose as the server; this only works if the server certificate was issued with easy-rsa's build-key-server, which sets that extension. `tls-auth ta.key 1` is the client direction matching the server's 0, and `comp-lzo` must match the server setting.
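The single-file alternative to copying five files, as an added example (my own script, not from the post or the OpenVPN project): it embeds the CA certificate, client certificate, client key and ta.key inline in the .ovpn, which OpenVPN clients have supported since 2.1 (so the 2.0.9 GUI used in this post still needs the separate files), and it leaves out client1.csr, which the client never uses. With an inline `<tls-auth>` block the direction moves from the `tls-auth` line to `key-direction 1`. The function name `make_client_ovpn`, the `keys` directory layout and the sample PEM bodies used in the test are assumptions.

```shell
#!/bin/sh
# make_client_ovpn NAME KEYSDIR SERVER [PORT]
#   Print a single-file client profile with ca.crt, NAME.crt, NAME.key and
#   ta.key from KEYSDIR embedded inline, so one file travels to the client
#   instead of five. The .csr is deliberately not included: the client
#   never reads it. Inline <ca>..</ca> blocks need an OpenVPN 2.1 or newer
#   client. Redirect stdout to NAME.ovpn.
make_client_ovpn() {
    name=$1 keys=$2 server=$3 port=${4:-1194}
    # refuse to emit a half profile when any piece is missing
    for f in "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$keys/ta.key"; do
        if [ ! -r "$f" ]; then
            echo "make_client_ovpn: missing $f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a server certificate carrying nsCertType=server
ns-cert-type server
# direction for the inline tls-auth key (server side uses 0)
key-direction 1
# must match the server.conf setting
comp-lzo
verb 3
<ca>
$(cat "$keys/ca.crt")
</ca>
<cert>
$(cat "$keys/$name.crt")
</cert>
<key>
$(cat "$keys/$name.key")
</key>
<tls-auth>
$(cat "$keys/ta.key")
</tls-auth>
EOF
}
```

The generated profile omits `dev-node`; add `dev-node OpenVPN_Tap` on a Windows box that has more than one TAP adapter. The output still contains a private key, so build it on the CA host and move it over an authenticated channel rather than plain FTP.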
Now right-click the OpenVPN tray icon at the bottom right and choose Connect.
Image: http://blog.nuface.tw/wp-content/uploads/2010/04/openvpn_process_connect.gif (openvpn connect process)

The connection in progress:
Image: http://blog.nuface.tw/wp-content/uploads/2010/04/openvpn_process_connect_message.gif (OpenVPN connection progress)

Connected:
Image: http://blog.nuface.tw/wp-content/uploads/2010/04/connect-openvpn-icon.gif (OpenVPN connected icon)

The client is now connected to the OpenVPN server and has been assigned an IP address:
Image: http://blog.nuface.tw/wp-content/uploads/2010/04/openvpn_get_ip.gif (openvpn obtains IP)

At a DOS command prompt, `route print` shows the routing table: packets for the 192.168.100.0/24 segment now go to 10.8.0.6 and leave through the OpenVPN_Tap adapter, that is, over the VPN connection.
Image: http://blog.nuface.tw/wp-content/uploads/2010/04/openvpn_route_table.gif (ip route)

That is roughly it for this part. Next comes setting up my other machine, the "Secret Garden"; that is left for the next part. To be continued! ^_^

Next: OpenVPN Setup Notes (Part 6), http://blog.nuface.tw/?p=1151
Categories: mistech, mistech-net. Tags: open-vpn, openvpn, tap, tap-win32, tun.