
OpenVPN toolbox usage tutorial

Published: 2022-12-30 11:29:39

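⑴ Setting up OpenVPN with Docker on CentOS 7

After the command completes, the corresponding configuration files appear in the directory /data/openvpn;

During this step you first set the CA password (e.g. 123456); the Common Name can be left unset by pressing Enter; you are then asked for the CA password to update the key store and generate the CRL file;

Here openvpn-client is a name of your choosing; generating it requires the CA password;

Note that the name openvpn-client must match the name used when generating it in step 3; the resulting configuration file openvpn-client.ovpn can then be used for client connections;

Pay attention to the firewall rules: 1194 is a UDP port, and you can test from another machine with the nc command whether it is reachable

Edit the configuration file /etc/sysconfig/iptables and add the following configuration before the COMMIT line in the *filter section

Restart iptables with systemctl restart iptables; if the change does not take effect, restart docker

After installing the client, import the OpenVPN client configuration file; check your current IP at ccip.cc;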

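⑵ How to build two-factor authenticated remote access with OpenVPN and PrivacyIDEA

Option 1: use the privacyidea_pam.py PAM module. OpenVPN authenticates through PAM, and PAM calls the privacyidea_pam.py module to verify against PrivacyIDEA.
Option 2: integrate OpenVPN directly with FreeRADIUS. OpenVPN authenticates via RADIUS, and FreeRADIUS verifies against PrivacyIDEA.
Option 3: use the RADIUS PAM module in OpenVPN.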

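⑶ Building an online LAN with OpenVPN

I followed the guide linked here; the setup itself went fine, but the debugging stage did not go right: Setting up an OpenVPN server on CentOS 7 | abcdocker ops blog (i4t.com)

Each VPN client that logs in needs a certificate, and each certificate can be used by only one client connection at a time (this can be changed in the configuration file)

Generation is fairly slow; do not interrupt it while it runs

After a successful start there is one more virtual interface, tun0

Export the client-side keys and the root certificate: ca.crt, client.crt, client.key, ta.key

Install the client: http://down.i4t.com/openvpn-install-2.4.7-I606-Win10.exe

The configuration is as follows

If it still cannot connect, check the following

I was stuck on the security group for a long time. These two only show that the client has connected to the server, which means our OpenVPN setup is complete
At this point you can already log in to the server directly;

At this point our OpenVPN setup is complete
You can already log in to the server directly, but you cannot log in to the other machines on the LAN, because forwarding is not enabled on the server
Enabling forwarding also runs into the security-group problem, so SNAT has to be used to replace the IP the access comes from

Reference: Iptables basics - (jianshu.com)

Use the tcpdump tool to listen on the interface. Reference: detailed tcpdump tutorial - (jianshu.com)
# capture traffic for 192.168.10.118 on the tun0 interface
tcpdump -n -i tun0 host 192.168.10.118

Pinging from the client, I found the packets went out but nothing came back. The IPs were all 10.8.x.x, which certainly cannot pass the security group, so I used iptables to replace the IP, and the whole service became usable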

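⑷ OpenVPN client setup on OpenWrt

The method is as follows:
1. Connect the OP router to the upstream wireless router (inter) in wireless client mode; the wwan interface (the wireless client interface) under network interfaces uses DHCP or PPPoE to authenticate to the upstream router; save and apply when done.
2. Connect the OP router to the upstream wireless router (inter) in wireless client mode; in the wireless settings select lan as the interface to bridge; turn off the DHCP configuration of br-lan under network interfaces; enable firewall forwarding and input/output, and test this yourself.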

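⑸ How to install and configure OpenVPN on Windows

Step 1 Installing and configuring OpenVPN
1.1 Download and install OpenVPN
· Download openvpn-2.0.5-gui-1.0.3 from http://openvpn.se/files/install_packages/openvpn-2.0.5-gui-1.0.3-install.exe and install it. (For example, install to the F:\OPENVPN directory; the examples below all use this directory.)
· After installation a new network adapter is created and Local Area Connection [X] appears under Network Connections. Change its TCP/IP properties to manual configuration: 192.168.10.1 (adjust to your situation), 255.255.255.0, leaving the rest blank.
1.2 Generate certificates
· Change the following part of F:\OpenVPN\easy-rsa\vars.bat.sample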
CODE:
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set [email protected]
to the following (adjust to your own situation)
CODE:
set HOME=F:\OpenVPN\easy-rsa
set KEY_COUNTRY=CN
set KEY_PROVINCE=Hubei
set KEY_CITY=Wuhan
set KEY_ORG=51NB
set [email protected]
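· Generate the certificates
o OpenVPN has two security modes: one based on SSL/TLS using RSA certificates and keys, and one using a pre-shared static key. This article uses SSL/TLS mode. The advantages of TLS mode are that it is secure and makes user management easy. By default certificates and users are one-to-one; if several users use the same certificate, they get kicked off.
o Start --> Run --> type cmd and press Enter to open a command prompt --> change to the F:\OpenVPN\easy-rsa directory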
QUOTE:
F:\OpenVPN\easy-rsa>
o Run the following commands
CODE:
init-config

QUOTE:
F:\OpenVPN\easy-rsa>init-config
F:\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
已复制 1 个文件。
F:\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
已复制 1 个文件。
CODE:
vars

CODE:
clean-all

QUOTE:
F:\OpenVPN\easy-rsa>vars
F:\OpenVPN\easy-rsa>clean-all
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。

CODE:

vars
build-ca
build-dh

QUOTE:
F:\OpenVPN\easy-rsa>vars
F:\OpenVPN\easy-rsa>build-ca #generate the root certificate
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'keys\ca.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [51NB]:
Organizational Unit Name (eg, section) []:CMWAP
Common Name (eg, your name or your server's hostname) []:fangzy #enter your own name
Email Address [[email protected]]:
F:\OpenVPN\easy-rsa>build-dh #this is a bit slow, roughly half a minute
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time

CODE:
build-key-server server

QUOTE:
F:\OpenVPN\easy-rsa>build-key-server server #generate the server-side key; server is the server name
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'keys\server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [51NB]:
Organizational Unit Name (eg, section) []:CMWAP
Common Name (eg, your name or your server's hostname) []:server #enter your own name
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxx #enter a password of 4 or more characters
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Hubei'
localityName :PRINTABLE:'Wuhan'
organizationName :PRINTABLE:'51NB'
organizationalUnitName:PRINTABLE:'CMWAP'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Feb 1 05:30:29 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

CODE:
build-key client
QUOTE:
F:\OpenVPN\easy-rsa>build-key client #generate the client key; client is the user name
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
writing new private key to 'keys\client.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [51NB]:
Organizational Unit Name (eg, section) []:CMWAP
Common Name (eg, your name or your server's hostname) []:client
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxx
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Hubei'
localityName :PRINTABLE:'Wuhan'
organizationName :PRINTABLE:'51NB'
organizationalUnitName:PRINTABLE:'CMWAP'
commonName :PRINTABLE:'client'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Feb 1 05:31:40 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
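To generate keys for multiple clients, run build-key client1 …… build-key xyz.

Copy the certificate files
The certificate files just generated are in F:\OpenVPN\easy-rsa\keys. The server needs ca.crt, dh1024.pem, server.crt and server.key; the client needs ca.crt, client.crt and client.key (xxx.crt, xxx.key). They are used when configuring the .ovpn files.
1.3 Configure the server.ovpn file
· Create the server.ovpn file in the \OpenVPN\config directory and copy ca.crt, dh1024.pem, server.crt and server.key to the F:\OpenVPN\config directory
· Example server-side file: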
server.ovpn
CODE:

port 1198
proto tcp-server
dev tun
server 192.168.10.0 255.255.255.0
keepalive 20 180
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.10.1"
mode server
tls-server
status openvpn-status.log
comp-lzo
verb 4
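1.4 Client installation and configuration
o Install OpenVPN as in 1.1, but without changing the Local Area Connection settings.
o Configure OpenVPN
§ Create the client.ovpn file in the \OpenVPN\config directory and copy ca.crt, client.crt and client.key to the \OpenVPN\config directory; these 3 files are generated and distributed by the server side.
§ Example client file: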
client.ovpn
CODE:
client
dev tun
proto tcp-client
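remote jacky.10dig.com 1198 #enter the remote server address here; an IP or a domain name can be used,
#if the server has a dynamic IP, you can register a dynamic domain name at http://www.wingdns.com/ and bind it to the dynamic IP.
#if the server the client connects to goes online through a router, NAT must be used to map the address to the server.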
resolv-retry infinite
nobind
http-proxy 10.0.0.172 80 #enter your proxy server address and port here; omit this line if you have no proxy
mute-replay-warnings
ca ca.crt
cert client.crt #change this to each client's own certificate
key client.key #change this to each client's own key
comp-lzo
verb 4
status openvpn-status.log
Right-click the openvpn-gui icon and click connect to connect.

The End
Thank you for your reading...

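⑹ OpenVPN parameter reference

1. OpenVPN route settings
Routing is determined mainly by three parameters: route-nopull, vpn_gateway and net_gateway
route-nopull: when the client adds this parameter, OpenVPN does not add routes after connecting, so no network requests go through OpenVPN.
vpn_gateway: marks the routes that should go through the VPN;
net_gateway: marks the routes that should not go through the VPN; the max-routes parameter sets how many routes may be added. By default only 100 routes are allowed; if you have fewer than 100 routes this parameter can be omitted.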
route-nopull
route 139.9.114.177 255.255.255.255 vpn_gateway
route 192.168.6.0 255.255.255.0 vpn_gateway
route 192.168.5.0 255.255.255.0 vpn_gateway
route 192.168.1.0 255.255.255.0 net_gateway
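
The split-tunnel behaviour described above, as an added example that is not part of the original page: a small Python resolver that applies longest-prefix matching to the client's own route lines and reports which destinations enter the tunnel. The function names and the "tunnel" / "local" / "server-decides" labels are assumptions of this example; the sample config is the one listed above.

```python
import ipaddress

# Constructed sample: the client directives listed above.
CLIENT_CONF = """\
route-nopull
route 139.9.114.177 255.255.255.255 vpn_gateway
route 192.168.6.0 255.255.255.0 vpn_gateway
route 192.168.5.0 255.255.255.0 vpn_gateway
route 192.168.1.0 255.255.255.0 net_gateway
"""


def parse_routes(conf):
    """Return (route_nopull, [(network, gateway), ...]) for a client config."""
    nopull, routes = False, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0].startswith(";"):
            continue
        if parts[0] == "route-nopull":
            nopull = True
        elif parts[0] == "route" and len(parts) >= 2:
            # OpenVPN defaults: host netmask, gateway = the VPN gateway.
            # Only dotted netmasks are handled in this example.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            gateway = parts[3] if len(parts) > 3 else "vpn_gateway"
            net = ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False)
            routes.append((net, gateway))
    return nopull, routes


def egress_for(dest, conf):
    """Classify dest as 'tunnel', 'local' or 'server-decides' (labels are ours)."""
    nopull, routes = parse_routes(conf)
    addr = ipaddress.ip_address(dest)
    hits = [(net, gw) for net, gw in routes if addr in net]
    if hits:
        # The most specific (longest-prefix) route wins, as in the OS table.
        _, gw = max(hits, key=lambda hit: hit[0].prefixlen)
        return {"vpn_gateway": "tunnel", "net_gateway": "local"}.get(gw, "via " + gw)
    # No local route line matches: with route-nopull no pushed route is
    # installed, so the machine's existing default route is used.
    return "local" if nopull else "server-decides"


if __name__ == "__main__":
    for ip in ("192.168.6.20", "192.168.1.5", "139.9.114.178", "8.8.8.8"):
        print(ip, "->", egress_for(ip, CLIENT_CONF))
```

Running it against a client profile before rollout shows which internal ranges are reachable only through the tunnel and which traffic leaves over the local network unprotected.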

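⑺ How to set up OpenVPN using Peanut Shell (花生壳)

OpenVPN is a virtual private tunnel; simply put, it is a virtual LAN. When OpenVPN is deployed on an internal network and the network of the OpenVPN server has no public IP address, how can it be reached from the external network? Without a fixed public IP, you need a network helper to build and reach the VPN; such applications include Peanut Shell (花生壳), nat123, dnspod and so on. Using the host mapping feature of Peanut Shell makes OpenVPN reachable from the external network. The detailed steps are as follows:
1. Set up the OpenVPN server side and the accessing side.

2. Edit the server.ovpn file on the OpenVPN server, changing proto udp to proto tcp;
3. Install it on the server side and set up port mapping.
Application name: Openvpn (customizable).
Internal host: enter the server's internal IP address or computer name (Chinese is not supported); select host mapping.
4. Install the Peanut Shell visitor client on the accessing side, enter the domain name, and click Diagnose.
5. Edit the client file of the OpenVPN client, changing proto udp to tcp, and changing remote my-server-1 1194 to remote <domain> 1194 (the domain configured for the port mapping). Run the OpenVPN client; green means the connection succeeded.
6. Once OpenVPN is set up, you can verify it. Taking a remote desktop as the example:
The server gets the virtual IP address 10.0.0.1 and the client gets the virtual IP address 10.0.0.6. Enable Remote Desktop on the accessing side; on the server click Run, enter mstsc, and enter the client's virtual IP address 10.0.0.6 to connect. The following screen means the connection succeeded.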

⑻ Using OpenVPN

 1.  Edit C:\Program Files\OpenVPN\easy-rsa\vars.bat.sample

set KEY_COUNTRY=CN                    #(country)

set KEY_PROVINCE=JS                    #(province)

set KEY_CITY=SuZhou                        #(city)

set KEY_ORG=OpenVPN               #(organization)

set [email protected]    #(email address)

2.  Configure the CA and related information at the DOS prompt

Microsoft Windows XP [版本 5.1.2600]

(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator> cd "C:\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa> init-config

C:\Program Files\OpenVPN\easy-rsa> copy vars.bat.sample vars.bat

已复制         1 个文件。

C:\Program Files\OpenVPN\easy-rsa> vars

C:\Program Files\OpenVPN\easy-rsa> clean-all

已复制         1 个文件。

已复制         1 个文件。

C:\Program Files\OpenVPN\easy-rsa> build-ca

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

................++++++

....++++++

writing new private key to 'keys\ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [JS]:

Locality Name (eg, city) [SuZhou]:

Organization Name (eg, company) [OpenVPN]:

Organizational Unit Name (eg, section) [changeme]:

Common Name (eg, your name or your server's hostname) [changeme]: OpenVPN-CA

Name [changeme]:

Email Address [[email protected]]:

C:\Program Files\OpenVPN\easy-rsa> build-dh

Loading 'screen' into random state - done

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

................................................................................

.............................................+................+.................

........+.......................+...............................................

........................................................+.......................

.........+....+.................................................................

.........................................................................+......

...................................+.....+....................................+.

.....................................................................+..........

........................................................+.......................

...+.............++*++*++*

C:\Program Files\OpenVPN\easy-rsa> build-key-server server

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

.++++++

....++++++

writing new private key to 'keys\server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [JS]:

Locality Name (eg, city) [SuZhou]:

Organization Name (eg, company) [OpenVPN]:

Organizational Unit Name (eg, section) [changeme]:

Common Name (eg, your name or your server's hostname) [changeme]: server

Name [changeme]:

Email Address [[email protected]]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from openssl-1.0.0.cnf

Loading 'screen' into random state - done

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'JS'

localityName          :PRINTABLE:'SuZhou'

organizationName      :PRINTABLE:'OpenVPN'

organizationalUnitName:PRINTABLE:'changeme'

commonName            :PRINTABLE:'server'

name                 :PRINTABLE:'changeme'

emailAddress          :IA5STRING:'[email protected]'

Certificate is to be certified until Oct 13 07:18:46 2025 GMT (3650 days)

Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries

Data Base Updated

C:\Program Files\OpenVPN\easy-rsa> build-key client

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

.....++++++

............................++++++

writing new private key to 'keys\client.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [JS]:

Locality Name (eg, city) [SuZhou]:

Organization Name (eg, company) [OpenVPN]:

Organizational Unit Name (eg, section) [changeme]:

Common Name (eg, your name or your server's hostname) [changeme]: client

Name [changeme]:

Email Address [[email protected]]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from openssl-1.0.0.cnf

Loading 'screen' into random state - done

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'JS'

localityName          :PRINTABLE:'SuZhou'

organizationName      :PRINTABLE:'OpenVPN'

organizationalUnitName:PRINTABLE:'changeme'

commonName            :PRINTABLE:'client'

name                 :PRINTABLE:'changeme'

emailAddress          :IA5STRING:'[email protected]'

Certificate is to be certified until Oct 13 07:20:05 2025 GMT (3650 days)

Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries

Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

3. Copy the files

Copy ca.crt, dh1024.pem, server.crt and server.key to the C:\Program Files\OpenVPN\config directory on the server

Copy ca.crt, client.crt and client.key to the C:\Program Files\OpenVPN\config directory on the client

4. Create client.ovpn and server.ovpn in the C:\Program Files\OpenVPN\config directory

server.ovpn

local 192.168.1.101

port 1194

proto tcp

;proto udp

dev tap

;dev tun

;dev-node MyTap

ca ca.crt

cert server.crt

key server.key 

dh dh1024.pem

server 172.16.1.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

push "route 0.0.0.0 0.0.0.0"

push "redirect-gateway def1 bypass-dhcp"

;push "route 192.168.20.0 255.255.255.0"

client-config-dir ccd

;route 192.168.40.128 255.255.255.248

;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 223.5.5.5"

push "dhcp-option DNS 223.6.6.6"

client-to-client

duplicate-cn

keepalive 10 120

;tls-auth ta.key 0

;cipher BF-CBC       

;cipher AES-128-CBC   

;cipher DES-EDE3-CBC 

comp-lzo

max-clients 100

;user nobody

;group nobody

persist-key

persist-tun

status openvpn-status.log

;log         openvpn.log

;log-append  openvpn.log

verb 3

mute 20

client.ovpn

client

dev tap

proto tcp

remote 192.168.1.101 1194

resolv-retry infinite

nobind

persist-key

persist-tun

mute-replay-warnings

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"

cert "C:\\Program Files\\OpenVPN\\config\\client.crt"

key "C:\\Program Files\\OpenVPN\\config\\client.key"

comp-lzo

verb 3

mute 20
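
A configuration check for the server.ovpn shown above, as an added example that is not part of the original page or of OpenVPN itself: it reads the active (uncommented) directives and reports the settings a reviewer would question before exposing the server. The finding names, `HARDENED_CONF`, the file name `dh2048.pem` and the cipher choice are assumptions of this example.

```python
import re

# Constructed sample: directives taken from the server.ovpn above.
SERVER_CONF = """\
proto tcp
dev tap
dh dh1024.pem
client-to-client
duplicate-cn
;tls-auth ta.key 0
;cipher AES-128-CBC
comp-lzo
"""

# Constructed counter-example; dh2048.pem and the cipher are assumptions.
HARDENED_CONF = """\
proto tcp
dev tap
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-GCM
"""


def active_directives(conf):
    """Map directive -> args, ignoring blank lines and ';' / '#' comments."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if line and line[0] not in ";#":
            name, *args = line.split()
            found[name] = args
    return found


def audit(conf):
    """Return {finding_id: reason}; the IDs are this example's own labels."""
    d = active_directives(conf)
    out = {}
    bits = re.search(r"\d{3,5}", " ".join(d.get("dh", [])))
    if bits and int(bits.group()) < 2048:  # heuristic: size read from file name
        out["weak-dh"] = f"DH parameters appear to be {bits.group()} bits"
    if "duplicate-cn" in d:
        out["shared-cert"] = "one certificate may be used by several clients at once"
    if "comp-lzo" in d and d["comp-lzo"][:1] != ["no"]:
        out["compression"] = "compression is enabled on the tunnel"
    if not {"tls-auth", "tls-crypt"} & d.keys():
        out["no-tls-auth"] = "no HMAC key protects the TLS control channel"
    if not {"cipher", "data-ciphers"} & d.keys():
        out["default-cipher"] = "no cipher set; the version's default applies"
    if "client-to-client" in d:
        out["client-to-client"] = "clients reach each other without host firewall filtering"
    return out


if __name__ == "__main__":
    for key, why in audit(SERVER_CONF).items():
        print(f"{key}: {why}")
```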

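⑼ How to set up and use OpenVPN on Windows 7

From the question, OpenVPN has only been installed but has not been configured. Also, OpenVPN has a server side and a client side (the installer is the same; only the configuration files differ).
The OpenVPN client is not usable just by being installed; it needs a server side to work. For example, the OpenVPN client is installed on a Windows 7 laptop and the server side runs on a Windows 2003 VPS.
The steps required are:
(1) Configure the server side
(2) Generate the required files on the server side (including server.ovpn, ca.crt, client.key, client.crt), and start the server once the configuration is confirmed correct.
(3) Copy the files the client needs (ca.crt, client.key, client.crt) to the client, create client.ovpn, and start the client to connect to the server.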

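⑽ How to set up and use OpenVPN on Windows 7

Overwrite the files in the config folder of the OpenVPN installation directory with the configuration files from the extracted config folder.
In the config folder there is a text file mypass.txt; enter the VPN account and password in it: VPN user name on the first line, VPN password on the second line.
Once that is done, click "OpenVPN GUI" on the desktop [on Vista or Win 7/8 you must right-click and run as administrator]. A small computer-like icon appears in the lower right corner; right-click it to choose a VPN server.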
