
August 15, 2006

OpenVPN 2.0 HOWTO: Basic Configuration (translation)

Original: http://openvpn.net/howto.html
My translation skills are limited, and many passages may be translated poorly; corrections are welcome.

Creating configuration files for server and clients

Getting the sample config files

It's best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in

the sample-config-files directory of the OpenVPN source distribution
the sample-config-files directory in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 if you installed from an RPM package
Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows

Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn.

Editing the server configuration file

The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.

Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.

At this point, the server configuration file is usable, however you still might want to customize it further:

If you are using Ethernet bridging, you must use server-bridge and dev tap instead of server and dev tun.
If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).
If you want to use a virtual IP address range other than 10.8.0.0/24, you should modify the server directive. Remember that this virtual IP address range should be a private range which is currently unused on your network.
Uncomment the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting the user nobody and group nobody directives, so that the daemon drops root privileges after initialization.

If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you:

Use a different port number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194).
If you are using Windows, each OpenVPN configuration needs to have its own TAP-Win32 adapter. You can add additional adapters by going to Start Menu -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other's output files. These directives include log, log-append, status, and ifconfig-pool-persist.

Editing the client configuration files

The sample client configuration file (client.conf on Linux/BSD/Unix or client.ovpn on Windows) mirrors the default directives set in the sample server configuration file.

Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI section above. Note that each client should have its own cert/key pair. Only the ca file is universal across the OpenVPN server and all clients.

Next, edit the remote directive to point to the hostname/IP address and port number of the OpenVPN server (if your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured the gateway to forward to the OpenVPN server).

Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the dev (tun or tap) and proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files.
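The three checks this section asks for (the server's own directives, output files and ports that must differ between instances on one host, and dev/proto/comp-lzo/fragment agreeing between client and server) can be scripted. The following shell script is an added example, not part of the OpenVPN HOWTO or of the OpenVPN project: it writes a constructed server.conf/client.conf pair modelled on the sample files (the certificate and key file names, the hostname vpn.example.com and the file names ipp.txt and openvpn-status.log are placeholders), then compares the directives. The awk-based `get_directive`/`has_directive` helpers and the two check functions are assumptions of this example, not OpenVPN tools; lines commented with `#` or `;` are ignored exactly as OpenVPN ignores them.

```shell
#!/bin/sh
# Added example (not from the OpenVPN HOWTO): build a constructed server/client
# config pair and check the points the HOWTO says must agree or must differ.
set -u

# get_directive FILE NAME: print the arguments of the first active NAME line;
# prints nothing if NAME is absent or only present commented out (# or ;).
get_directive() {
    awk -v name="$2" '
        $1 !~ /^[#;]/ && $1 == name { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# has_directive FILE NAME: succeed if an active NAME line exists.
has_directive() {
    awk -v name="$2" '$1 !~ /^[#;]/ && $1 == name { found = 1 } END { exit !found }' "$1"
}

# write_sample_configs DIR: constructed configs in the spirit of the sample files.
write_sample_configs() {
    cat > "$1/server.conf" <<'EOF'
# constructed server config: TUN routing, UDP 1194, 10.8.0.0/24 address pool
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
    cat > "$1/client.conf" <<'EOF'
# constructed client config: dev/proto/comp-lzo mirror the server
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
EOF
}

# check_consistency SERVER CLIENT: report dev/proto/comp-lzo/fragment mismatches.
# Returns the number of mismatches (0 means the pair is consistent).
check_consistency() {
    errors=0
    for d in dev proto; do
        s=$(get_directive "$1" "$d"); c=$(get_directive "$2" "$d")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH: $d is '$s' on the server but '$c' on the client"
            errors=$((errors + 1))
        fi
    done
    for d in comp-lzo fragment; do          # must be in both files or in neither
        s=absent; c=absent
        has_directive "$1" "$d" && s="present $(get_directive "$1" "$d")"
        has_directive "$2" "$d" && c="present $(get_directive "$2" "$d")"
        if [ "$s" != "$c" ]; then
            echo "MISMATCH: $d is $s on the server but $c on the client"
            errors=$((errors + 1))
        fi
    done
    return "$errors"
}

# check_instance_collisions CONF_A CONF_B: two server instances on one host must
# not share a listener (proto+port) or an output file. Returns the clash count.
check_instance_collisions() {
    clashes=0
    pa=$(get_directive "$1" port); pb=$(get_directive "$2" port)
    la="$(get_directive "$1" proto):${pa:-1194}"   # 1194 is OpenVPN's default port
    lb="$(get_directive "$2" proto):${pb:-1194}"
    if [ "$la" = "$lb" ]; then
        echo "CLASH: both instances listen on $la"
        clashes=$((clashes + 1))
    fi
    for d in log log-append status ifconfig-pool-persist; do
        fa=$(get_directive "$1" "$d" | cut -d' ' -f1)
        fb=$(get_directive "$2" "$d" | cut -d' ' -f1)
        if [ -n "$fa" ] && [ "$fa" = "$fb" ]; then
            echo "CLASH: $d $fa would be written by both instances"
            clashes=$((clashes + 1))
        fi
    done
    return "$clashes"
}

# Stand-alone demonstration: the constructed pair is consistent.
dir=$(mktemp -d)
write_sample_configs "$dir"
if check_consistency "$dir/server.conf" "$dir/client.conf"; then
    echo "client.conf is consistent with server.conf"
fi
```

Run it against your real files as `check_consistency server.conf client.conf` after sourcing the script; a non-zero return with a MISMATCH line is the kind of error (for example `proto tcp` on one side and `proto udp` on the other) that otherwise only shows up as a client that never connects. For a second instance on the same host, `check_instance_collisions` flags the shared status or ifconfig-pool-persist file that the HOWTO warns will be overwritten.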

Creating configuration files for the server and clients

Getting the sample configuration files

It is best to use OpenVPN's own sample configuration files as the basis for your own configuration. These files can be found in the following places:

1. The sample-config-files directory in the OpenVPN source package
2. If you installed from an RPM package, the sample-config-files directory should be under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0
3. Start -> Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows

Note that on Linux, BSD and Unix-like systems the sample configuration files are named server.conf and client.conf respectively, while on Windows they are named server.ovpn and client.ovpn.

Editing the server configuration file

A good recommendation is to use the program's sample configuration file as the starting configuration for the server. It will set up a virtual point-to-point (TUN) tunnel for the VPN, listen for client connections on UDP port 1194 (1194 is OpenVPN's official default port), and assign virtual addresses from 10.8.0.0/24 to clients.

Before you use the sample configuration file, you should edit the ca, cert, key and dh parameters in it so that they point to the PKI files you generated.

At this point the server configuration is usable, but you may still want to customize the following points further:

1. If you are using Ethernet bridging, you must use the "server-bridge" and "dev tap" directives in the configuration file instead of "server" and "dev tun".
2. If you want the OpenVPN server to listen on a TCP port rather than a UDP port, use proto tcp instead of proto udp (if you want to listen on both UDP and TCP ports at the same time, you will need to run two OpenVPN processes).
3. If you want to change the virtual IP address range 10.8.0.0/24, modify the server directive. Remember that the virtual IP range you set should be a private range that is not already in use on your internal network.
4. If you want clients to be able to reach each other over the VPN, remove the comment in front of the "client-to-client" directive; by default clients can only reach the server.
5. If you are using Linux, BSD or another Unix-like system, you can further improve security by running the program as the separate nobody user and group.

If you run multiple OpenVPN processes on the same machine, each using a different configuration file, this works provided that you:

1. Use a different listening port for each process (UDP and TCP use separate port spaces, so you can have one process listen on UDP 1194 and another on TCP 1194).
2. If you are using the Windows version, give each OpenVPN process its own TAP-Win32 adapter. You can add a new TAP-Win32 adapter via Start -> Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
3. If the multiple OpenVPN processes you run are in the same directory, make sure the files the programs produce at run time do not overwrite each other; these are the files created by directives such as log, log-append, status and ifconfig-pool-persist.

Editing the client configuration files

The sample client configuration file (client.conf on Linux/BSD/Unix, client.ovpn on Windows) mirrors the default directives of the server configuration file, which you then adjust as appropriate.

1. As with the server configuration file, first edit the ca, cert and key parameters to point to the PKI files you have already generated. Note that each client should have its own certificate and key; only the CA certificate is needed by both the server and the clients.
2. Next, edit the remote directive to point to the IP address and port of the OpenVPN server (if your OpenVPN server runs on a single-NIC machine behind a firewall or gateway, the IP address should be the gateway's address, and the port the one the gateway forwards to port 1194 of the OpenVPN server).
3. Finally, confirm that the client configuration matches the server configuration. Check that the dev (tun or tap) and proto (tcp or udp) settings agree on both sides, and also that comp-lzo and fragment, if used, are configured on both the client and the server.

Posted by frank on August 15, 2006 4:40 PM

All articles on this site are published under a Creative Commons license. Copyright notice: they may be freely reproduced; when reproducing, please indicate the original source and author information as a hyperlink, together with the "Creative Commons" notice above.
