ssl / nginx: error when configuring SSL, could someone take a look at what is going on

Mutual SSL certificate authentication, could an expert take a look - - 真格学网 - IT technology site
Source: compiled by this site | Editor: 小易 | Time: 14:32:57
A user of this site ran into the following problem: "Mutual SSL certificate authentication, could an expert take a look"; the details are as follows:
I keep running into this exception and cannot figure out where the error is. The code is attached below.
Client Java code:
import java.io.BufferedWriter;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class SSLClient {
    public static void main(String[] args) throws Exception {
        System.setProperty("javax.net.debug", "ssl,handshake");
        // The client's own key pair, presented to the server for client authentication
        System.setProperty("javax.net.ssl.keyStore", "C:/Users/Administrator/kclient.keystore");
        System.setProperty("javax.net.ssl.keyStorePassword", "123456");
        // Trust store holding the server certificate the client will accept
        System.setProperty("javax.net.ssl.trustStore", "C:/Users/Administrator/tserver.keystore");
        System.setProperty("javax.net.ssl.trustStorePassword", "123456");
        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", 8443);
        OutputStream outputStream = sslsocket.getOutputStream();
        BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream));
        bufferedWriter.write("沉睡的雄狮\n");
        bufferedWriter.flush();
        TimeUnit.SECONDS.sleep(2000);
        sslsocket.close();
    }
}
Server Java code:
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

public class SSLServer {
    public static void main(String[] args) throws Exception {
        System.setProperty("javax.net.debug", "ssl,handshake");
        // The server's own key pair
        System.setProperty("javax.net.ssl.keyStore", "C:/Users/Administrator/kserver.keystore");
        System.setProperty("javax.net.ssl.keyStorePassword", "123456");
        // Trust store holding the client certificate (needed for mutual authentication)
        System.setProperty("javax.net.ssl.trustStore", "C:/Users/Administrator/tclient.store");
        System.setProperty("javax.net.ssl.trustStorePassword", "123456");
        SSLServerSocketFactory serverSocketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket serverSocket = (SSLServerSocket) serverSocketFactory.createServerSocket(9100);
        // Require client authentication (mutual TLS)
        serverSocket.setNeedClientAuth(true);
        while (true) {
            SSLSocket socket = (SSLSocket) serverSocket.accept();
            Accepter accepter = new Accepter(socket);
            accepter.service();
        }
    }

    static class Accepter implements Runnable {
        private SSLSocket socket;

        public Accepter(SSLSocket socket) {
            this.socket = socket;
        }

        public void service() {
            Thread thread = new Thread(this);
            thread.start();
        }

        public void run() {
            try {
                InputStream inputStream = socket.getInputStream();
                InputStreamReader inputstreamreader = new InputStreamReader(inputStream);
                BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
                String string = null;
                // Echo every line received from the authenticated client
                while ((string = bufferedreader.readLine()) != null) {
                    System.out.println(string);
                    System.out.flush();
                }
            } catch (Exception e) {
                // replace with other code
                e.printStackTrace();
            }
        }
    }
}
Below is my Tomcat port information:
My project structure:
Based on the user's request, this site collected the following solutions offered by other users; they are for reference only: User-provided solution 1: apache2 ssl mutual authentication. I read a lot of material online and none of it was complete; now that I have configured it successfully I am writing a note... this is the signed server certificate. Open the browser and import the CA certificate (ca.crt) into the browser
Forgot to mention: after changing this to 8443 I still get the same exception.
User-provided solution 2: weblogic supports SSL mutual authentication; if https access does not work after configuring it, first confirm whether port 443 has actually been started (if you changed the SSL port to 443). If not, look for the cause; port 443 requires the root user to start it
Bump.
Bump.
Related article: Notes on installing OpenVPN on Linux and OpenVPN GUI on Windows - 程序员小辉
  Last updated:
: first compiled
: added the note on ip forward
: added the note on the script-security configuration parameter introduced in OpenVPN 2.1.
  Since the great GFW keeps getting more aggressive, routine site maintenance such as FTP, POP & SMTP mail, and looking up technical material on Google is frequently cut off by the GFW. To solve this I installed OpenVPN on my overseas host and recorded the installation process at the time.
  Today a friend happened to ask about installing OpenVPN, so I reorganized this article (), hoping it helps.
  When installing OpenVPN I was guided by WenZK. My thanks to him.
1. OpenVPN installation environment
Server-side environment
Red Hat, kernel version 2.4.20-31.9, IP 70.8.7.6
The kernel must support the tun device, and the iptables module must be loaded.
Check whether tun is installed:
root@a [/]# modinfo tun
/lib/modules/2.4.20-31.9/kernel/drivers/net/tun.o
description:
If the modinfo command is not available, search directly to see whether tun.o exists in the kernel module tree:
find -name tun.o
./lib/modules/2.4.20/kernel/drivers/net/tun.o
Check the iptables module: see whether the following file exists:
/etc/init.d/iptables
OpenSSL. If SSL connections are needed, OpenSSL must be installed first. Installing OpenSSL is not covered here; search Google for details. On CentOS you can use yum install:
yum install openssl
yum install openssl-devel
OpenVPN version installed: 2.0.5. There seems to be a newer version now; it can be downloaded at .
Client-side environment:
Windows XP PRO SP2
OpenVPN GUI for Windows 1.0.3, available at
Note: the OpenVPN GUI for Windows version must match the OpenVPN server version.
For example, if the server runs OpenVPN 2.0.5, the OpenVPN GUI for Windows download should be openvpn-2.0.5-gui-1.0.3-install.exe
All historical versions of OpenVPN GUI:
2. OpenVPN server installation process
/dev/server/-install-openvpn.htm
Log in to the host with SecureCRT and go to the root directory.
Download LZO and extract it to lzo-2.02.
wget /opensource/lzo/download/lzo-2.02.tar.gz
Download OpenVPN and extract it to openvpn-2.0.5
wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
cd /lzo-2.02
./configure
make check
make install
Install OpenVPN
cd /openvpn-2.0.5
./configure
# or point configure at the LZO and OpenSSL locations explicitly (one command; the backslashes continue the line):
# ./configure --with-lzo-headers=/usr/local/include \
#     --with-lzo-lib=/usr/local/lib \
#     --with-ssl-headers=/usr/local/include/openssl \
#     --with-ssl-lib=/usr/local/lib
make install
Generate the certificates and keys
Initialize the PKI
(If the export command is not available, setenv [name] [value] can be used instead)
cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG=""
export KEY_EMAIL="your-email [at] "
./clean-all
./build-ca
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] ]:
# create the server key
Code:
./build-key-server server
Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server
Email Address [your-email [at] ]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:
Using configuration from /openvpn-2.0.5/easy-f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:''
organizationalUnitName:PRINTABLE:''
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'your-email [at] '
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# generate the client key
./build-key client1
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'client1.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [SZ]:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client1
# Important: the certificate generated for each client must have a different name.
Email Address [your-email [at] ]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd1234
An optional company name []:
Using configuration from /openvpn-2.0.5/easy-f
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:''
organizationalUnitName:PRINTABLE:''
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'your-email [at] '
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates/keys in the same way
./build-key client2
./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, every certificate must be given a different name.
Generate the Diffie-Hellman parameters. Code:
./build-dh
Pack up all the files under keys and download them locally
tar -cf mykeys.tar /openvpn-2.0.5/easy-rsa/keys
cp mykeys.tar /sys/public_html/mykeys.tar
Move mykeys.tar into the web public directory (the absolute path varies), download it locally via /mykeys.tar, and then delete it from the server:
rm /sys/public_html/mykeys.tar
You can also get the key files to your local machine some other way, for example ftp.
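A guarded form of the manual export sequence above, added here as an example and not part of the original notes: it resolves the easy-rsa directory with command substitution (the quoting slip that yields a literal pwd/keys path in the comments below), refuses to continue unless openssl.cnf exists, and consults the CA database before a client name is reused. The directory layout and the index.txt entries are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original notes): validated easy-rsa 2.0 environment.
# The easy-rsa directory passed in is an assumption of the example.

# easyrsa_env DIR: check DIR, then export the same variables the notes set by hand.
easyrsa_env() {
    dir=$1
    [ -d "$dir" ] || { echo "easyrsa_env: no such directory: $dir" >&2; return 1; }
    [ -f "$dir/build-ca" ] || { echo "easyrsa_env: $dir has no build-ca script" >&2; return 1; }
    # Command substitution yields the absolute path; D='pwd' would yield the word pwd.
    D=$(cd "$dir" && pwd) || return 1
    KEY_CONFIG=$D/openssl.cnf
    # build-ca and build-key hand this file to openssl; fail here, not mid-signing.
    [ -f "$KEY_CONFIG" ] || { echo "easyrsa_env: missing $KEY_CONFIG" >&2; return 1; }
    KEY_DIR=$D/keys
    export D KEY_CONFIG KEY_DIR
    export KEY_SIZE=1024 KEY_COUNTRY=CN KEY_PROVINCE=GD KEY_CITY=SZ
    export KEY_ORG="" KEY_EMAIL="your-email [at] "
}

# cn_in_use NAME: status 0 when NAME is already the Common Name of a valid ("V")
# certificate in the OpenSSL CA database $KEY_DIR/index.txt, whose tab-separated
# columns are: status, expiry, revocation date, serial, filename, subject DN.
# The notes require a different name per client; run this before ./build-key NAME.
# NAME is matched literally, so keep it to letters, digits, - and _.
cn_in_use() {
    name=$1
    idx=$KEY_DIR/index.txt
    [ -f "$idx" ] || return 1          # no database yet: nothing is in use
    grep -E "^V[[:space:]].*/CN=${name}"'(/|$)' "$idx" >/dev/null
}

# Typical use on the server from the notes (paths are the notes' own):
#   easyrsa_env /openvpn-2.0.5/easy-rsa && ./clean-all && ./build-ca
#   if cn_in_use client2; then echo "client2 already issued"; else ./build-key client2; fi
```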
Create the server configuration file
Create it from the sample file:
cd $dir/sample-config-files/ # enter the sample-config-files subdirectory of the extracted source tree
cp server.conf /usr/local/etc
# copy the server configuration file to /usr/local/etc
vi /usr/local/etc/server.conf
The contents of the server.conf I created are attached later.
Create the client configuration file
cd $dir/sample-config-files/
# enter the sample-config-files subdirectory of the extracted source tree
cp client.conf /usr/local/etc
# copy the client configuration file to /usr/local/etc
vi /usr/local/etc/client.conf
The contents of the client.conf I created are attached later.
Start OpenVPN: openvpn [server config file]
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
3. OpenVPN GUI for Windows client installation process
Install OpenVPN GUI for Windows; download it from . The current version is 1.0.3. Note: the OpenVPN GUI version must match the OpenVPN server version; see the note in section 1, installation environment.
Follow the on-screen instructions to install OpenVPN GUI.
Configure OpenVPN GUI
After installation, go to the config directory under the install folder, download the client.conf created in step 10 above from the server into this folder, and rename it client.ovpn.
Also extract the following certificate files from the mykeys.tar packed in step 8 into this folder:
client1.crt
client1.csr
client1.key
Then double-click client.ovpn to start OpenVPN, or start the VPN from the OpenVPN GUI controls.
If double-clicking client.ovpn does nothing, right-click the OpenVPN GUI icon in the taskbar, choose edit config, paste the contents in and save; then right-click and choose connect.
To use the VPN on a second machine, repeat the same configuration, replacing client1.crt, client1.csr and client1.key with the corresponding client2.xxx files and changing the key file names in client.ovpn accordingly.
4. OpenVPN sample configuration files
OpenVPN server: server.conf
local 70.8.7.6
ca /openvpn-2.0.5/easy-rsa/keys/ca.crt
cert /openvpn-2.0.5/easy-rsa/keys/server.crt
key /openvpn-2.0.5/easy-rsa/keys/server.key
# This file should be kept secret
dh /openvpn-2.0.5/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
persist-key
persist-tun
status /openvpn-2.0.5/easy-rsa/keys/openvpn-status.log
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"
# name server address; see the note below on how to obtain it
push "dhcp-option DNS 70.88.99.11"
# name server address; see the note below on how to obtain it
Note: some domains are blocked by the GFW; to reach those sites, the name server on the server side should be pushed to the client.
The DNS IPs in the example above, 70.88.98.10 and 70.88.99.10, can be found in /etc/resolv.conf:
vi /etc/resolv.conf
nameserver 70.88.98.10
nameserver 70.88.99.11
OpenVPN client: client.ovpn
remote 70.8.7.6 1194
persist-key
persist-tun
cert client1.crt
key client1.key
ns-cert-type server
redirect-gateway def1
5. Configuring OpenVPN for Internet access
After the VPN connection succeeds, routing still has to be set up before the Internet can be reached through the VPN. Add the NAT rule on the Linux host:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 70.8.7.6
/etc/init.d/iptables save
/etc/init.d/iptables restart
The -o eth0 parameter may differ on other machines; run ifconfig to find which interface holds the IP (70.8.7.6).
ip forwarding also has to be enabled. Do not use echo 1 > /proc/sys/net/ipv4/ip_forward, because that does not survive a reboot. First check:
sysctl -a | grep for
# result:
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
If the values listed above are not 1 on your host, change them to 1, for example:
sysctl -w net.ipv4.ip_forward=1
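Added example, not from the original notes: sysctl -w, like writing to /proc/sys, changes only the running kernel, so the setting also has to be recorded in /etc/sysctl.conf (re-applied at boot and by sysctl -p) to survive a reboot. The functions take the file path as a parameter, an assumption of the example, so they can be exercised on a scratch copy before the real file is touched.

```shell
#!/bin/sh
# Added example (not part of the original notes): persist a sysctl key in a
# sysctl.conf-style file. FILE is a parameter so the logic can be tested on a copy.

# set_sysctl_persist FILE KEY VALUE: rewrite an existing "KEY = ..." line (even one
# commented out with '#') or append a new one. Idempotent: never duplicates lines.
set_sysctl_persist() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    # escape the dots in the key so they match literally in the regex
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*=" "$file"; then
        # sed -i differs between GNU and BSD sed, so go through a temporary file
        sed -E "s|^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*=.*|${key} = ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_persist FILE KEY: print the value the file would apply (last one wins),
# or nothing if the key is absent or only present commented out.
get_sysctl_persist() {
    file=$1 key=$2
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${ekey}[[:space:]]*=" "$file" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# On the real server from the notes: persist the setting, then apply it now too.
#   set_sysctl_persist /etc/sysctl.conf net.ipv4.ip_forward 1 && sysctl -p
```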
Enable the name server
If you need to reach sites whose domain names are blocked by the GFW while your OpenVPN server itself is not blocked, you need to run a name server on your host and push its DNS to the clients. Dedicated hosts generally come with a private DNS server.
rpm -qa | grep bind
/etc/init.d/named start
Also, make sure server.conf contains these three settings:
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"
# name server address
push "dhcp-option DNS 70.88.99.11"
# name server address
After the client connects, run ipconfig /all in cmd; the output should look something like this:
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.8.0.5
DHCP Server . . . . . . . . . . . : 10.8.0.5
DNS Servers . . . . . . . . . . . : 10.8.0.1
70.88.98.10
70.88.99.11
Lease Obtained. . . . . . . . . . : 日 5:13:52
Lease Expires . . . . . . . . . . : 日 5:13:52
6. Starting openvpn automatically after the OpenVPN server reboots
vi /etc/rc.local
Then add this line at the end:
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf > /dev/null 2>&1 &
7. Testing OpenVPN
After logging in to the VPN, test network applications such as MSN, QQ and IE, and try visiting some sites blocked by the GFW; naturally this assumes your VPN server is not inside the country.
8. Important cautions when using OpenVPN
It is not advisable to log in to PayPal or Google AdSense accounts over the VPN; doing so may get the account restricted or bring other risks.
10. Some additions
Addition: today, after upgrading CentOS with yum -y update, OpenVPN would no longer connect and kept reporting a user verification error. Checking the server log turned up the following:
Thu Feb 10 11:13:07 2011 us=.***.**:45771 TLS: Initial packet from 222.244.***.**:45771, sid=eec450eb 8673ceef
Thu Feb 10 11:13:10 2011 us=.244.***.**:45771 openvpn_execve: external program may not be called unless '--script-security 2' or higher is enabled.
Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.
See --help text or man page for detailed info.
Thu Feb 10 11:13:10 2011 us=.244.***.**:45771 TLS Auth Error: user-pass-verify script failed to execute: /usr/bin/php -q /home/xiaohui/openvpn-manager/admin/openvpn-auth.php
Thu Feb 10 11:13:10 2011 us=.244.***.**:45771 TLS Auth Error: Auth Username/Password verification failed for peer
On investigation, it turned out that yum update had also upgraded OpenVPN from 2.0 to 2.1. One of the biggest changes in OpenVPN 2.1 is the new script-security parameter. If you install from this tutorial but with OpenVPN 2.1 or later, remember to add this line to server.conf:
script-security 3
#1 Rony posted:
Very detailed. Thanks a lot.
#2 拉拉 posted:
#3 flintt posted:
After the terminal that started openvpn is closed, the server side seems to stop the VPN service.
#4 rrt posted:
Obvious flaws. I'll ask just one thing, lz: did you strictly follow your own document?
What was the result?
I very much doubt your iptables NAT setup.
XiaoHui replied:
02:37: If there are errors, please point them out. :)
Sometimes I can't remember the settings and just follow these notes directly. I have installed no fewer than ten VPN servers from this document.
#5 gniudad posted:
Good, thanks.
I've also installed more than 10 from this document. Haha.
Just one thing: the article says "if the values listed above are not 1 on your host, change them to 1, for example:"
sysctl -w net.ipv4.ip_forward=1
I thought all of them had to be changed to 1, but it seems only the last item needs to be set to 1.
#6 tt posted:
Why do I get an error at the step "# create the server key, Code: ./build-key-server server":
error loading extension section server. Please advise.
XiaoHui replied:
22:34: Sorry, I only saw your mail today.
I have never hit this error. Are you sure your environment variables, software versions and directory layout all follow what I wrote?
I just searched on Google; have a look here:
Note the last post in that thread; he says he solved the problem. See whether it helps you.
#7 marion posted:
Why is it necessary to create multiple public/private key pairs?
Why not use duplicate-cn?
#8 zengw posted:
I got to this step:
cd /openvpn-2.0.5/easy-rsa
export D=`pwd`
export KEY_CONFIG=$f
export KEY_DIR=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=CN
export KEY_PROVINCE=GD
export KEY_CITY=SZ
export KEY_ORG="dvdmaster"
export KEY_EMAIL=""
./clean-all
mkdir:无法创建目录'pwd/keys': 没有那个文件或目录
XiaoHui replied:
03:12: Which version of OpenVPN are you using?
#9 zengw posted:
OpenVPN is 2.0.9, LZO is 2.02, Linux is Red Hat 9 with kernel 2.4.20; the virtual machine is version 5.5.1.
XiaoHui replied:
20:21: Try creating those directories by hand first. I haven't tried OpenVPN 2.0.9; installing 2.0.5 with the steps in the article works without problems.
#10 zengw posted:
Here are my commands and the error output:
[root@localhost openvpn-2.0.9]# cd easy-rsa/
[root@localhost easy-rsa]# ls
revoke-crt
build-key-pass
build-req-pass
revoke-full
build-key-pkcs12
build-inter
build-key-server
[root@localhost easy-rsa]# pwd
/openvpn-2.0.9/easy-rsa
[root@localhost easy-rsa]# ./clean-all
you must define KEY_DIR
[root@localhost easy-rsa]# export D='pwd'
[root@localhost easy-rsa]# export KEY_CONFIG=$f
[root@localhost easy-rsa]# export KEY_DIR=$D/keys
[root@localhost easy-rsa]# export KEY_SIZE=1024
[root@localhost easy-rsa]# export KEY_COUNTRY=CN
[root@localhost easy-rsa]# export KEY_PROVINCE=GD
[root@localhost easy-rsa]# export KEY_CITY=SZ
[root@localhost easy-rsa]# export KEY_ORG="dvdmaster"
[root@localhost easy-rsa]# export KEY_EMAIL=""
[root@localhost easy-rsa]# ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on pwd/keys
[root@localhost easy-rsa]# ./clean-all
[root@localhost easy-rsa]# ./build-ca
error on line -1 of f
1984:error::system library:fopen:No such file or directory:bss_file.c:104:fopen('f','rb')
1984:error::BIO routines:BIO_new_file:no such file:bss_file.c:107:
1984:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:[root@localhost easy-rsa]#
#11 zengw posted:
Could you send me an OpenVPN 2.0.5 install package? I can't find it online any more.
XiaoHui replied:
#12 zengw posted:
Problem solved, THX!
#13 harley_chen posted:
I set it up too,
but after the VPN connects I still can't get online and can't ping external hosts...
NAT is enabled too...
#14 zengw posted:
I skipped the /etc/init.d/named start step. After finishing, I dialed in from a Windows VPN client to the VMware guest successfully and could get online, but another PC in the company, after dialing in, cannot get online even though the IP and DNS it obtains are normal! Is this related to skipping the /etc/init.d/named start step? Yet the Windows host running VMware on the same PC can get online!
#15 ks posted:
I'm using FreeBSD and Windows XP; both are installed and configured and the client is assigned an IP, but they can't ping each other.
I have configured the local address in the server configuration file; ifconfig on the server shows:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
inet 192.168.10.1 --> 192.168.10.2 netmask 0xffffffff
Pinging 192.168.10.1 from the server itself also fails.
ipconfig on the client shows a normal IP, just no gateway.
What could be the reason?
XiaoHui replied:
08:02: What is your local LAN's IP range? Is the IP range assigned by the server conflicting with your local LAN's?
#16 poppy posted:
While installing OpenVPN I ran into this problem:
#modprobe tun
FATAL: Could not load /lib/modules/2.6.18-ovz028stab053.5-smp/modules.dep: No such file or directory
And /lib/modules/ is empty..
I checked,
and there is no tun device~~
# modinfo tun
modinfo: could not open /lib/modules/2.6.18-ovz028stab053.5-smp/modules.dep
Frustrating.. Is the system not loading the tun device? Or do I need to enable it somewhere?
How do I solve this tun device problem.. Thanks
#17 kingstar posted:
I installed OpenVPN after reading this article; to be safe I downloaded exactly the 2.0.5 version used in the author's examples.
Installed successfully on my theplanet host. Finally over the wall.
Only just saw this. Bumping it too. :)
XiaoHui, did you write a hook to sync the site's article comments with the forum replies?
I see many forum replies marked "posted via the comment system". :)
Originally posted by FlyFire at 21:44:
XiaoHui, did you write a hook to sync the site's article comments with the forum replies?
I see many forum replies marked "posted via the comment system". :)
Nod. I built a link: if a topic discussed on the forum is an article published on my site, a link is created, and a scheduled job then syncs the site's comments with the forum's replies.
#21 王菲菲 posted:
What does success actually look like? This is my first time using Linux and my first time setting up a VPN. Thanks! How do I test that it succeeded?
XiaoHui replied:
01:27: After a successful connection, the OpenVPN GUI icon in the taskbar notification area turns from dark red to green.
#22 秋天的树 posted:
#23 pan posted:
My server and client can't connect. On our telecom network several hosts sit behind one IP, and the IP is dynamically assigned; could that be related?
XiaoHui replied:
18:56: Check the log yourself and make sure you are connecting to the correct server.
#24 liusir posted:
For those above whose installation failed, the cause may be differences between OpenVPN versions. I just installed strictly with the OpenVPN version given in XiaoHui's document, and it went through without a hitch. :)
#25 pan posted:
I want to run a Red Hat virtual machine under Windows, with Red Hat as the server and Windows as the client, but they share one IP, which is dynamically assigned; can OpenVPN be established between them like that?
How should local in server.conf be written?
XiaoHui replied:
03:54: Not sure, haven't tried it. The virtual machine should be able to get a different IP.
#26 luo posted:
How can openvpn join two LANs in different regions into one LAN? That is, two companies in different cities, two Linux boxes connected point to point, and the clients behind them can reach each other?
#27 luo posted:
With the author's configuration, WinXP keeps reporting 'connecting to client has failed' when connecting to openvpn. Below is the client log; please have a look.
Fri May 29 15:03:43 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov
Fri May 29 15:03:43 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri May 29 15:03:43 2009 LZO compression initialized
Fri May 29 15:03:43 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri May 29 15:03:43 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri May 29 15:03:43 2009 Local Options hash (VER=V4): '69109d17'
Fri May 29 15:03:43 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Fri May 29 15:03:43 2009 Attempting to establish TCP connection with 192.168.1.222:1194
Fri May 29 15:03:43 2009 TCP connection established with 192.168.1.222:1194
Fri May 29 15:03:43 2009 TCPv4_CLIENT link local: [undef]
Fri May 29 15:03:43 2009 TCPv4_CLIENT link remote: 192.168.1.222:1194
Fri May 29 15:03:43 2009 TLS: Initial packet from 192.168.1.222:1194, sid=9e2dc9b0 29a67f10
Fri May 29 15:03:43 2009 VERIFY OK: depth=1, /C=CN/ST=GD/L=SZ/O=kemei/OU=kemei/CN=server/emailAddress=system-
Fri May 29 15:03:43 2009 VERIFY OK: nsCertType=SERVER
Fri May 29 15:03:43 2009 VERIFY OK: depth=0, /C=CN/ST=GD/O=kemei/OU=kemei/CN=server/emailAddress=system-
Fri May 29 15:03:43 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 29 15:03:43 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 29 15:03:43 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri May 29 15:03:43 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri May 29 15:03:43 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri May 29 15:03:43 2009 [server] Peer Connection Initiated with 192.168.1.222:1194
Fri May 29 15:03:45 2009 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri May 29 15:03:45 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri May 29 15:03:45 2009 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: route options modified
Fri May 29 15:03:45 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system.
You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
Fri May 29 15:03:45 2009 Exiting
XiaoHui replied:
07:05: >> Fri May 29 15:03:45 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter
Judging by that log line, it looks like your TAP driver was not installed?
#28 luo posted:
I have solved the problem above; the cause was that I downloaded the wrong Windows version, so the virtual NIC was not installed. Now there is another problem: I can dial in, but how do I reach the remote LAN? At the moment I can only reach the server itself; what else needs to be configured on the server or the client?
#29 xukai posted:
Wed Jun 03 13:40:30 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov
Wed Jun 03 13:40:30 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 03 13:40:30 2009 Cannot load certificate file xukai.crt: error::scd: error::BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Wed Jun 03 13:40:30 2009 Exiting
I followed the author's steps and got an error when connecting; the log file contents are above.
The error is connecting to client has failed.
XiaoHui replied:
01:10: The certificate configuration is not right.
#30 xukai posted:
Wed Jun 03 16:10:32 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov
Wed Jun 03 16:10:32 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 03 16:10:32 2009 LZO compression initialized
Wed Jun 03 16:10:32 2009 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 03 16:10:32 2009 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 03 16:10:32 2009 Local Options hash (VER=V4): ''
Wed Jun 03 16:10:32 2009 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 03 16:10:32 2009 UDPv4 link local (bound): [undef]:1194
Wed Jun 03 16:10:32 2009 UDPv4 link remote: 192.168.242.144:1194
Wed Jun 03 16:10:32 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:34 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:37 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:38 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:40 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:42 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:45 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:47 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:50 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:52 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:55 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:56 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:10:58 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:01 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:03 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:06 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:08 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:11 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:13 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:15 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:17 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:19 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:21 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:24 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:25 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:27 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:29 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:31 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:32 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jun 03 16:11:32 2009 TLS Error: TLS handshake failed
Wed Jun 03 16:11:32 2009 TCP/UDP: Closing socket
Wed Jun 03 16:11:32 2009 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 03 16:11:32 2009 Restart pause, 2 second(s)
The problem above is solved; now it keeps doing this. What is going on?
XiaoHui replied:
05:32: There is no network path between client and server. Confirm that port 1194 is open and that the client and server can ping each other normally. Below is the official OpenVPN explanation; check against it yourself:
You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.
Solutions:
Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
第 31 楼& luo 发表于
客户端连入服务端后。可以ping通服务端的lan wan tun ip,,但是连接服务端的lan同一交换下的电脑,有的可以连通,有的不行,,就比如127 77 5 212 这些IP都可以连通,其它IP又不能联通,不知道是什么原因,是因为路由的原因吗?获取的掩码是255.255.255.252,而且拔入后访问共享,比如访问77这台的默认共享c$,不需要提示输入用户和密码,直接就可以打开共享了,这我觉得有安全问题,这问xiaohui这是什么原因,怎么解决呀。
XiaoHui replied on
01:06: I only installed the VPN to get past the firewall; I don't know about this situation, never played with it. Sorry. :)
#32 terry76 posted on
A question: I don't know why, after I VPN in, I can reach the intranet, but the client does not use the DNS pushed by the server; it still uses the dial-up connection's DNS. The client machine is Windows 7.
XiaoHui replied on
08:12: I'm not sure about this one; I haven't tested under Win7.
#33 lz posted on
Wed Jul 15 10:43:22 2009 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov
Wed Jul 15 10:43:22 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jul 15 10:43:22 2009 Cannot load certificate file lz.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Wed Jul 15 10:43:22 2009 Exiting
Following your configuration, the install went smoothly and client connections worked fine. But a few days later I created a few more users and they can't connect. The users created at the beginning can connect; none of the ones created later can. Above is the log. Could you help me analyze the cause? Thanks.
XiaoHui replied on
22:20: You're using certificate verification, right? Judging by the message, your certificate has a problem: loading lz.crt failed. Since it connected successfully before, redo the certificate following the earlier steps, and make sure the client config file specifies the correct certificate file name.
#34 lz posted on
It is certificate verification. The certificate was generated the same way as before, and the client config file was changed too. Is there anything special to watch out for when generating a client with ./build-key? Besides ./build-key, do I need to run anything else? Also, when generating the client it said "you must define KEY_DIR"; after running the export commands from your article once, it worked.
Client config is as follows:
remote 192.168.0.20 1194
persist-key
persist-tun
cert lz.crt
key lz.key
ns-cert-type server
redirect-gateway def1
XiaoHui replied on
02:04: I haven't touched OpenVPN for a long time, I don't remember the technical details well, and I don't have time to analyze it right now. Since your first generation was correct and the later ones weren't, there must be an error or omission in the later steps. Look carefully again and rule out causes. Or regenerate all certificates (including the server certificate).
During installation and configuration, it's best to record every command you run, so that when a problem appears or a new certificate is needed later, it's easy to troubleshoot or repeat.
#35 rinkey posted on
WRwRThu Jul 16 16:36:24 2009 us=921733 client1/202.127.207.101:2239 MULTI: bad source address from client [202.127.207.101], packet dropped
When the client connects, the server log has many records like this. What does it mean, and how do I fix it?
XiaoHui replied on
04:13: I haven't met this error. I looked it up; there's an article online with a solution for it, you can refer to it:
On OpenVPN's own newsgroup there is a discussion about this:
#36 rinkey posted on
The OpenVPN server has two NICs: eth0 has the public IP and eth1 the intranet gateway IP, with NAT configured. Before the VPN was started, intranet hosts could ping eth1 and the public IP, but after starting the VPN the intranet can't ping them anymore, and the VPN client can't ping the intranet hosts either. How do I solve this?
Since I'm not that familiar with Linux, I basically followed the author's commands exactly.
When starting the VPN at the end it shows this (only the last part of the output is listed here).
Using putty, the last command just sits there, and port 1194 never opens, which is strange. Hope someone can answer.
Best if we could chat on QQ, heh, this is too inconvenient. QQ:
Fri Jul 17 01:49:47 2009 us=708255 TUN/TAP device tun0 opened
Fri Jul 17 01:49:47 2009 us=708281 TUN/TAP TX queue length set to 100
Fri Jul 17 01:49:47 2009 us=708312 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Fri Jul 17 01:49:47 2009 us=715115 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Fri Jul 17 01:49:47 2009 us=717906 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jul 17 01:49:47 2009 us=717952 Socket Buffers: R=[1072] S=[1072]
Fri Jul 17 01:49:47 2009 us=717974 UDPv4 link local (bound): 210.127.253.11:1194
Fri Jul 17 01:49:47 2009 us=717985 UDPv4 link remote: [undef]
Fri Jul 17 01:49:47 2009 us=718003 MULTI: multi_init called, r=256 v=256
Fri Jul 17 01:49:47 2009 us=718036 IFCONFIG POOL: base=10.8.0.4 size=62
Fri Jul 17 01:49:47 2009 us=718069 Initialization Sequence Completed
#38 sail posted on
Fri Aug 21 18:22:36 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct
Fri Aug 21 18:22:36 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.
OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Aug 21 18:22:36 2009 Cannot load certificate file client.crt: error::system library:fopen:No such file or directory: error::BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Fri Aug 21 18:22:36 2009 Exiting
This is a problem on my client; I don't know what's going on.
XiaoHui replied on
03:57: Client certificate error.
#39 朵朵 posted on
Did it following this and succeeded. Thanks xiaohui.
#40 王菲菲 posted on
Server-side environment
redhat, kernel version: 2.4.20-31.9, IP is 70.8.7.6
When was "IP is 70.8.7.6" set?
XiaoHui replied on
18:09: Specified when installing the server OS.
My install can finally connect, but after connecting I can't access websites. I also entered echo 1 > /proc/sys/net/ipv4/ip_forward, but no matter what I still can't access anything. What's going on?
XiaoHui replied on
sysctl -a | grep for
Check whether ip_forward is enabled.
#42 藤苇 posted on
I hit a problem I can't solve and want to ask you about it.
[root@localhost root]# /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
Sun Sep 27 17:41:12 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Sep 27 2009
Sun Sep 27 17:41:12 2009 Cannot open dh1024.pem for DH parameters:error::system library:fopen:NO such file or directory:error::BIO routines:BIO_new_file:no such file
Sun Sep 27 14:41:12 2009 Exiting
What is going on here? Urgent!!!
XiaoHui replied on
04:44: There are no Diffie-Hellman parameters, or the file location isn't set correctly. See the code in step seven:
./build-dh
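The failures quoted in posts 30, 33, 35, 38 and 42 each have a distinct signature in the OpenVPN log, and the thread's answers to them are scattered. The script below is an added example, not code from the thread or from OpenVPN: it matches those signatures over the lines quoted above (embedded here as a constructed sample) and prints the cause and the first thing to check. The WSAECONNRESET rule relies on Windows reporting an incoming ICMP port-unreachable as a reset on a UDP socket.

```python
import re

# Constructed sample: the failure lines quoted in posts 30, 33, 35, 38 and 42 of this
# thread, one per line, so the classifier can be run offline.
SAMPLE_LOG = """\
Wed Jun 03 16:11:25 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Wed Jun 03 16:11:32 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jun 03 16:11:32 2009 TLS Error: TLS handshake failed
Wed Jul 15 10:43:22 2009 Cannot load certificate file lz.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Fri Aug 21 18:22:36 2009 Cannot load certificate file client.crt: error::system library:fopen:No such file or directory: error::BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sun Sep 27 17:41:12 2009 Cannot open dh1024.pem for DH parameters:error::system library:fopen:NO such file or directory:error::BIO routines:BIO_new_file:no such file
Thu Jul 16 16:36:24 2009 us=921733 client1/202.127.207.101:2239 MULTI: bad source address from client [202.127.207.101], packet dropped
"""

# (pattern, category, cause, what to check). Order matters: the "no start line" rule is
# tried before the generic "No such file" rule because both name a certificate file.
RULES = [
    (re.compile(r"TLS key negotiation failed to occur within (\d+) seconds"),
     "no-reachability",
     "no handshake reply within {0}s: the client never reached the server's port",
     "check remote host/port, the firewall and the NAT port forward for 1194, and that both ends can ping each other"),
    (re.compile(r"Cannot load certificate file (\S+?): .*no start line"),
     "cert-not-pem",
     "{0} exists but has no '-----BEGIN CERTIFICATE-----' line (empty or not PEM)",
     "inspect it with 'openssl x509 -in {0} -noout -text'; if it is empty, regenerate it with build-key with easy-rsa's KEY_DIR variables exported"),
    (re.compile(r"Cannot load certificate file (\S+?): .*No such file or directory"),
     "cert-missing",
     "{0} is not at the path the 'cert' directive points to",
     "fix the 'cert' path or copy {0} next to the config file"),
    (re.compile(r"Cannot open (\S+) for DH parameters:.*[Nn][Oo] such file"),
     "dh-missing",
     "Diffie-Hellman parameter file {0} was not found",
     "run ./build-dh (or openssl dhparam) and point the 'dh' directive at the generated file"),
    (re.compile(r"MULTI: bad source address from client \[([\d.]+)\], packet dropped"),
     "bad-source-address",
     "a tunnel packet arrived with source {0}, which is neither the client's tunnel IP nor a subnet iroute'd to it",
     "add an 'iroute' for that subnet in the client's ccd file, or fix the client's routing so it stops sending that source into the tunnel"),
    (re.compile(r"read UDPv4: Connection reset by peer"),
     "icmp-port-unreachable",
     "Windows reports WSAECONNRESET on a UDP socket when an ICMP port-unreachable comes back: nothing answered on the remote port",
     "confirm openvpn is running on that port and that the NAT forward points at the right host"),
]


def classify_line(line):
    """Return a finding dict for a known failure line, or None for noise."""
    for pattern, category, cause, check in RULES:
        m = pattern.search(line)
        if m:
            return {"category": category,
                    "cause": cause.format(*m.groups()),
                    "check": check.format(*m.groups()),
                    "line": line.strip()}
    return None


def triage(log_text):
    """One finding per distinct category, in order of first appearance."""
    seen = {}
    for line in log_text.splitlines():
        f = classify_line(line)
        if f and f["category"] not in seen:
            seen[f["category"]] = f
    return list(seen.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    -> %s" % (f["category"], f["cause"], f["check"]))
```

Feed it a real client or server log with `triage(open("openvpn.log").read())`; lines it does not recognise are simply skipped.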
#43 藤苇 posted on
./build-dh
I did this step, exactly as you described above.
export D=`pwd` is the only step I didn't do.
export KEY_CONFIG=root/openvpn-2.0.9/easy-f
export KEY_DIR=root/openvpn-2.0.9/easy-rsa/keys
#44 藤苇 posted on
The file dh1024.pem was generated under root/openvpn-2.0.9/easy-rsa/keys.
#45 藤苇 posted on
What does D=`pwd` mean?
XiaoHui replied on
17:22: pwd means the current working directory.
#46 藤苇 posted on
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.
# This configuration can be used by multiple #
# clients, however each client should have
# its own cert and key files.
# On Windows, you might want to rename this
# file so it has a .ovpn extension
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.
# On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server?
# Use the same setting as
# on the server.
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 172.16.37.83 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing.
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.
# Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.
# See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets.
# Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description.
# It's best to use
# a separate .crt/.key file pair
# for each client.
# A single ca
# file can be used for all clients.
cert client1.crt
key client1.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".
# This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".
# The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
# Set log file verbosity.
# Silence repeating messages
Server config
#################################################
# Sample OpenVPN 2.0 config file for
# multi-client server.
# This file is for the server side
# of a many-clients <-> one-server
# OpenVPN configuration.
# OpenVPN also supports
# single-machine <-> single-machine
# configurations (See the Examples page
# on the web site for more info).
# This config should work on Windows
# or Linux/BSD systems.
# Remember on
# Windows to quote pathnames and use
# double backslashes, e.g.:
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# Comments are preceded with '#' or ';'
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.
# You will need to
# open up this port on your firewall.
# TCP or UDP server?
;proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.
# On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).
# Each client
# and the server must have their own cert and
# key file.
# The server and all clients will
# use the same ca file.
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.
# Remember to use
# a unique Common Name for the server
# and each of the client certificates.
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key  # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.0.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file.
# If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.
# Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.
# Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.
# Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to the client to allow it
# to reach other private subnets behind
# the server.
# Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.
# This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.
# There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients. See the man
#     page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.
# Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.
# This is recommended
# only for testing purposes.
# For production use,
# each client should have its own certificate/key
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# Generate with:
#   openvpn --genkey --secret ta.key
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.
# Use one or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log
# Set the appropriate level of log
# file verbosity.
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
# Silence repeating messages.
# At most 20
# sequential messages of the same message
# category will be output to the log.
The OpenVPN server is Red Hat Linux.
The client machines are Windows Server 2000 with two NICs and the RIP protocol enabled.
server ip: 172.16.37.83, virtual ip 10.0.0.1;
client1 ip: 172.16.37.110, 192.168.11.1, virtual IP 10.0.0.5;
client2 ip: 172.16.19.22, 192.168.12.1, virtual ip 10.0.0.13;
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13
From client1 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
From client2 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
Author, where is the problem here? Please help.
XiaoHui replied on
01:47: Tooooooo looooooooong, it makes me dizzy and it's hard to compare. Can you strip the # comments and post it again?
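Both configs above leave ;tls-auth commented out, and the sample comments explain what it buys (an "HMAC firewall" in front of the TLS handshake) and why the second parameter is 0 on the server and 1 on every client. The following is an added example, not from the thread or from OpenVPN's code base, that models that mechanism with Python's hmac module: a static key parsed from a constructed ta.key-style file, key-direction 0 on the server and 1 on the client, and what happens to a packet that carries no tag, a tag computed with the wrong direction, or a modified body. The four-slice key layout and the use of the first 20 bytes of a slice as the HMAC-SHA1 key are modelled on OpenVPN's static-key format and should be read as assumptions of this example; the real control-channel HMAC also covers a packet-id and timestamp for replay protection, which is omitted here.

```python
import hashlib
import hmac

# Constructed stand-in for a ta.key produced by `openvpn --genkey --secret ta.key`:
# 16 lines of 32 hex chars = 256 bytes (2048 bits). Not a real key.
KEY_FILE_DEMO = ("-----BEGIN OpenVPN Static key V1-----\n"
                 + "\n".join(hashlib.sha256(b"demo ta.key line %d" % i).hexdigest()[:32]
                             for i in range(16))
                 + "\n-----END OpenVPN Static key V1-----\n")

HMAC_LEN = 20  # HMAC-SHA1 output length, the default tls-auth digest of this OpenVPN generation


def parse_static_key(text):
    """Hex body between the BEGIN/END lines -> 256 raw bytes."""
    body = "".join(l.strip() for l in text.splitlines()
                   if l.strip() and not l.startswith("-----"))
    key = bytes.fromhex(body)
    if len(key) != 256:
        raise ValueError("expected a 2048-bit static key, got %d bytes" % len(key))
    return key


class HmacFirewall:
    """Models the tls-auth 'HMAC firewall' for one peer.

    Assumed layout (modelled on OpenVPN's static key; an assumption of this example):
    four 64-byte slices [cipher0, hmac0, cipher1, hmac1]. key-direction 0 sends with
    hmac0 and accepts hmac1; key-direction 1 is the mirror image, which is why the
    server takes 0 and every client takes 1.
    """

    def __init__(self, static_key, key_direction):
        s = [static_key[i * 64:(i + 1) * 64] for i in range(4)]
        hmac0, hmac1 = s[1][:HMAC_LEN], s[3][:HMAC_LEN]
        if key_direction == 0:
            self.send_key, self.recv_key = hmac0, hmac1
        elif key_direction == 1:
            self.send_key, self.recv_key = hmac1, hmac0
        else:
            raise ValueError("key-direction must be 0 or 1")

    def seal(self, packet):
        return hmac.new(self.send_key, packet, hashlib.sha1).digest() + packet

    def accept(self, wire):
        """Return the packet if its tag verifies, else None. A rejected packet never
        reaches the TLS layer, so a peer without ta.key cannot even start a handshake."""
        if len(wire) < HMAC_LEN:
            return None
        tag, packet = wire[:HMAC_LEN], wire[HMAC_LEN:]
        expected = hmac.new(self.recv_key, packet, hashlib.sha1).digest()
        return packet if hmac.compare_digest(tag, expected) else None


def run_demo():
    key = parse_static_key(KEY_FILE_DEMO)
    server = HmacFirewall(key, 0)          # 'tls-auth ta.key 0' on the server
    client = HmacFirewall(key, 1)          # 'tls-auth ta.key 1' on the client
    misconfigured = HmacFirewall(key, 0)   # a client that copied the server's '0'
    hello = b"P_CONTROL_HARD_RESET_CLIENT_V2"  # stands in for the first control packet
    sealed = client.seal(hello)
    return {
        "client_to_server": server.accept(sealed) == hello,
        "server_to_client": client.accept(server.seal(b"P_CONTROL_HARD_RESET_SERVER_V2")) is not None,
        "no_key": server.accept(b"\x00" * HMAC_LEN + hello) is None,
        "wrong_direction": server.accept(misconfigured.seal(hello)) is None,
        "tampered": server.accept(sealed[:-1] + b"!") is None,
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print("%-18s %s" % (name, "ok" if ok else "FAIL"))
```

The "wrong_direction" case is the one people hit when they copy the server line unchanged to a client: both ends then sign with the same slice and neither verifies the other, and the symptom is the same "TLS key negotiation failed to occur within 60 seconds" as a blocked port, because the tagged packets are silently dropped.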
#47 藤苇 posted on
;dev-node MyTap
;proto udp
remote 172.16.37.83 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
Server config
;local a.b.c.d
;proto udp
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
The OpenVPN server is Red Hat Linux.
The client machines are Windows Server 2000 with two NICs and the RIP protocol enabled.
server ip: 172.16.37.83, virtual ip 10.0.0.1;
client1 ip: 172.16.37.110, 192.168.11.1, virtual IP 10.0.0.5;
client2 ip: 172.16.19.22, 192.168.12.1, virtual ip 10.0.0.13;
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13
From client1 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
From client2 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
Author, where is the problem here? Please help.
My QQ is ... add me.
#48 藤苇 posted on
;dev-node MyTap
;proto udp
remote 172.16.37.83 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
Server config
;local a.b.c.d
;proto udp
;dev-node MyTap
ca /root/openvpn-2.0.9/easy-rsa/keys/ca.crt
cert /root/openvpn-2.0.9/easy-rsa/keys/server.crt
key /root/openvpn-2.0.9/easy-rsa/keys/server.key # This file should be kept secret
dh /root/openvpn-2.0.9/easy-rsa/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.11.0 255.255.255.0"
;push "route 192.168.13.0 255.255.255.0"
client-config-dir /usr/local/etc/ccd
;route 192.168.40.128 255.255.255.248
client-config-dir /usr/local/etc/ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status /root/openvpn-2.0.9/easy-rsa/keys/openvpn-status.log
;log openvpn.log
;log-append openvpn.log
The OpenVPN server is Red Hat Linux.
The client machines are Windows Server 2000 with two NICs and the RIP protocol enabled.
server ip: 172.16.37.83, virtual ip 10.0.0.1;
client1 ip: 172.16.37.110, 192.168.11.1, virtual IP 10.0.0.5;
client2 ip: 172.16.19.22, 192.168.12.1, virtual ip 10.0.0.13;
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1
From client1 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
From client2 I can ping 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1 10.0.0.5 10.0.0.13; cannot ping 10.0.0.1
Author, where is the problem here? Please help.
My QQ is ... add me.
#49 藤苇 posted on
A correction to "From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13" above:
From the server I can ping 10.0.0.1 172.16.37.83 172.16.37.110 172.16.19.22 192.168.11.1 192.168.12.1; cannot ping 10.0.0.5 10.0.0.13 192.168.11.1 192.168.12.1
XiaoHui replied on
04:27: I had a look; the configuration seems normal. There are a few parameters I've never used, such as client-config-dir. You can refer to the sample files in section four of my article and get the simplest configuration working first.
If it connects but ping fails, check whether iptables is configured. See section five.
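The "bad source address ... packet dropped" line in post 35, the ccd/iroute/ifconfig-push examples in the server config comments above, and the 255.255.255.252 mask in post 31 all come from the same mechanism: with dev tun, OpenVPN 2.0 gives every client a /30 from the pool, and the server forwards a packet out of a client's tunnel only if its source address is that client's tunnel address or lies in a subnet declared for it with iroute. The code below is an added example, not from the thread or from OpenVPN: it renders a ccd file, lists the server-side route lines that must accompany it, validates an ifconfig-push pair against the /30 rule, and reproduces the source check. The client name Thelonious and its subnet are the ones from the sample config comments; 10.8.0.6 as client1's tunnel address is an assumption.

```python
import ipaddress


def net30_block(pool_base, n):
    """Slot n of an ifconfig pool under OpenVPN 2.0's default 'dev tun' (net30) topology:
    each client consumes a /30 and receives one of its two usable addresses, the server
    endpoint being the other. Pool base 10.0.0.4 -> block 10.0.0.4/30 with the pair
    10.0.0.5/10.0.0.6 and mask 255.255.255.252, which is what post 31 sees."""
    base = int(ipaddress.ip_address(pool_base)) + 4 * n
    block = ipaddress.ip_network((base, 30), strict=False)
    return str(block), (str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2)))


def valid_net30_pair(local, remote):
    """ifconfig-push must hand out a usable /30 pair: both addresses in the same block
    of four, occupying the .1/.2 of that block (10.9.0.1 10.9.0.2, 10.0.0.5 10.0.0.6, ...)."""
    a, b = int(ipaddress.ip_address(local)), int(ipaddress.ip_address(remote))
    return a // 4 == b // 4 and {a % 4, b % 4} == {1, 2}


def render_ccd(cn, fixed_pair=None, subnets=()):
    """Content of ccd/<cn>: fixed tunnel pair and the subnets routed behind this client."""
    lines = []
    if fixed_pair:
        if not valid_net30_pair(*fixed_pair):
            raise ValueError("%s: %s/%s is not a usable /30 pair" % (cn, *fixed_pair))
        lines.append("ifconfig-push %s %s" % tuple(fixed_pair))
    for s in subnets:
        net = ipaddress.ip_network(s)
        lines.append("iroute %s %s" % (net.network_address, net.netmask))
    return "".join(l + "\n" for l in lines)


def server_directives(clients, ccd_dir="/usr/local/etc/ccd"):
    """Server-side lines that must accompany the ccd files: the kernel needs a 'route'
    into the tunnel for every iroute'd subnet and every fixed /30, otherwise the
    server's own replies never enter tun0."""
    lines = ["client-config-dir %s" % ccd_dir]
    for cn, spec in clients.items():
        if spec.get("fixed_pair"):
            blk = ipaddress.ip_network(spec["fixed_pair"][0] + "/30", strict=False)
            lines.append("route %s %s" % (blk.network_address, blk.netmask))
        for s in spec.get("subnets", ()):
            net = ipaddress.ip_network(s)
            lines.append("route %s %s" % (net.network_address, net.netmask))
    return lines


def source_allowed(src, client_ip, iroutes=()):
    """The check behind 'MULTI: bad source address from client [...]': a packet from a
    client's tunnel is forwarded only if its source is that client's tunnel address or
    falls inside a subnet iroute'd to it."""
    src = ipaddress.ip_address(src)
    if src == ipaddress.ip_address(client_ip):
        return True
    return any(src in ipaddress.ip_network(n) for n in iroutes)


# Constructed example, using the client name and subnet from the sample server.conf comments.
CLIENTS = {
    "Thelonious": {"fixed_pair": ("10.9.0.1", "10.9.0.2"),
                   "subnets": ["192.168.40.128/29"]},
}

if __name__ == "__main__":
    for cn, spec in CLIENTS.items():
        print("--- ccd/%s" % cn)
        print(render_ccd(cn, spec["fixed_pair"], spec["subnets"]), end="")
    print("--- add to server.conf")
    print("\n".join(server_directives(CLIENTS)))
    print("--- pool slot 0:", *net30_block("10.0.0.4", 0))
    # post 35: client1 pushed its public address 202.127.207.101 into the tunnel
    for src in ("10.8.0.6", "192.168.40.130", "202.127.207.101"):
        ok = source_allowed(src, "10.8.0.6", ["192.168.40.128/29"])
        print("%-16s %s" % (src, "forwarded" if ok else "bad source address, packet dropped"))
```

A public address such as 202.127.207.101 showing up as a tunnel source means the client is routing traffic from its WAN interface into the tunnel (typically a redirect-gateway or a LAN default route loop on the client); the fix is on the client's routing table, not an iroute, unless that address range really sits behind the client.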
#50 藤苇 posted on
It can connect but ping fails.
How should the network configuration in Red Hat Linux be set up?
#51 藤苇 posted on
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright Microsoft Corp.
C:\Documents and Settings\Administrator>ipconfig /all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : 2000serv-qh80ma
Primary DNS Suffix
. . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-C2-18-82-DA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.0.0.6
DNS Servers . . . . . . . . . . . : 10.0.0.1
70.88.98.10
70.88.99.11
Lease Obtained. . . . . . . . . . : 日 20:43:19
Lease Expires . . . . . . . . . . : 日 20:43:19
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-2E-84-B5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.11.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.37.110
DNS Servers . . . . . . . . . . . : 218.30.19.40
61.134.1.4
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-2E-84-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.16.37.110
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 192.168.11.1
DNS Servers . . . . . . . . . . . : 218.30.19.40
61.134.1.4
C:\Documents and Settings\Administrator>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average =
C:\Documents and Settings\Administrator>ping 10.0.0.13
Pinging 10.0.0.13 with 32 bytes of data:
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Reply from 10.0.0.13: bytes=32 time<10ms TTL=128
Ping statistics for 10.0.0.13:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Min}
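An added diagnostic for the ipconfig /all and ping output in post 51, not part of the thread: it parses both and reports only what they contain. Nothing in the ipconfig output covers 10.0.0.1 (the TAP adapter is 10.0.0.5/30, i.e. 10.0.0.4 to 10.0.0.7), so without a pushed route the ping goes to a default gateway; each of the other two adapters names the host's own address on the other adapter as its default gateway, IP routing is enabled, and the "TTL expired in transit" replies come from the host itself, which means the packet circulated between local interfaces until its TTL ran out rather than entering the tunnel. The sample below is constructed from that post with the adapter names translated and the lines the check does not read left out.

```python
import ipaddress
import re

# Constructed from the ipconfig /all and ping output in post 51 (adapter names
# translated; lines this check does not use are left out).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration
        IP Routing Enabled. . . . . . . . : Yes
Ethernet adapter Local Area Connection 3:
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        IP Address. . . . . . . . . . . . : 10.0.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection 2:
        IP Address. . . . . . . . . . . . : 192.168.11.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.37.110
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 172.16.37.110
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 192.168.11.1
"""

SAMPLE_PING = """\
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 172.16.37.110: TTL expired in transit.
Reply from 172.16.37.110: TTL expired in transit.
"""

ADAPTER = re.compile(r"^Ethernet adapter (.+):\s*$")
FIELD = re.compile(r"^\s*(IP Address|Subnet Mask|Default Gateway|IP Routing Enabled)[ .]*: ?(.*)$")
TTL_EXPIRED = re.compile(r"Reply from ([\d.]+): TTL expired in transit")
KEYS = {"IP Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    info = {"routing": False, "adapters": []}
    current = None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current = {"name": m.group(1), "ip": None, "mask": None, "gateway": None}
            info["adapters"].append(current)
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip() or None
        if key == "IP Routing Enabled":
            info["routing"] = (val == "Yes")
        elif current is not None:
            current[KEYS[key]] = val
    return info


def own_addresses(info):
    return {a["ip"] for a in info["adapters"] if a["ip"]}


def on_link_adapter(target, info):
    """Name of the adapter whose subnet contains target, or None when target is not
    on-link for any adapter (it then goes to a default gateway unless a specific
    route, which ipconfig does not show, exists for it)."""
    t = ipaddress.ip_address(target)
    for a in info["adapters"]:
        if a["ip"] and a["mask"]:
            if t in ipaddress.ip_network("%s/%s" % (a["ip"], a["mask"]), strict=False):
                return a["name"]
    return None


def find_gateway_loops(info):
    """Flag default gateways that are this host's own addresses, and more than one
    default gateway at all: with IP routing enabled, the host forwards to itself."""
    own = own_addresses(info)
    findings = []
    for a in info["adapters"]:
        gw = a["gateway"]
        if gw and gw in own and gw != a["ip"]:
            findings.append("%s: default gateway %s is this host's own address on another adapter"
                            % (a["name"], gw))
    gws = [a["gateway"] for a in info["adapters"] if a["gateway"]]
    if len(gws) > 1:
        findings.append("%d default gateways (%s); a VPN client needs exactly one, on its real uplink"
                        % (len(gws), ", ".join(gws)))
    return findings


def explain_ping(ping_text, info):
    """'TTL expired in transit' answered by one of the host's own addresses means the
    packet was forwarded round inside the host until its TTL hit zero; it never left."""
    own = own_addresses(info)
    for line in ping_text.splitlines():
        m = TTL_EXPIRED.search(line)
        if m and m.group(1) in own:
            return ("TTL expired replies come from %s, this host's own address: "
                    "the packet is looping between local interfaces" % m.group(1))
    return None


if __name__ == "__main__":
    info = parse_ipconfig(SAMPLE_IPCONFIG)
    print("10.0.0.1 on-link via:", on_link_adapter("10.0.0.1", info) or "none (default gateway)")
    for f in find_gateway_loops(info):
        print("finding:", f)
    print(explain_ping(SAMPLE_PING, info))
```

Run it against a fresh `ipconfig /all > ipc.txt` and `ping > p.txt` by passing the file contents to parse_ipconfig and explain_ping; the gateway findings are the thing to fix before looking at the OpenVPN side at all.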