August 22, 2006
OpenVPN 2.0 HOWTO: LAN-to-LAN access (translation)
Original: http://openvpn.net/howto.html
My translation skills are limited and many passages may be rendered poorly; corrections are welcome.
Some headings are kept in English and have not been translated.
Expanding the scope of the VPN to include additional machines on either the client or server subnet.
Including multiple machines on the server side when using a routed VPN (dev tun)
Once the VPN is operating in a point-to-point capacity between client and server, it may be desirable to expand its scope so that clients can reach multiple machines on the server network, rather than only the server machine itself.
For this example, we will assume that the server-side LAN uses the 10.66.0.0/24 subnet and that the VPN IP address pool uses 10.8.0.0/24, as given in the server directive of the OpenVPN server configuration file.
First, you must advertise the 10.66.0.0/24 subnet to VPN clients as being reachable through the VPN. This is easily done with the following server-side config file directive:
push "route 10.66.0.0 255.255.255.0"
Next, you must set up a route on the server-side LAN gateway that directs the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).
Make sure that you have enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
Including multiple machines on the server side when using a bridged VPN (dev tap)
One of the benefits of using Ethernet bridging is that you get this for free, without needing any additional configuration.
Including multiple machines on the client side when using a routed VPN (dev tun)
In a typical remote-access scenario, the client machine connects to the VPN as a single machine. But suppose the client machine is the gateway for a local LAN (such as a home office), and you would like every machine on that LAN to be able to route through the VPN.
For this example, we will assume that the client LAN uses the 192.168.4.0/24 subnet and that the VPN client has a certificate with a common name of client2. Our goal is to set up the VPN so that any machine on the client LAN can communicate with any machine on the server LAN through the VPN.
There are some basic prerequisites which must be met before proceeding:
1. The client LAN subnet (192.168.4.0/24 in our example) must not be exported to the VPN by the server or by any other client site using the same subnet. Every subnet joined to the VPN via routing must be unique.
2. The client must have a unique Common Name in its certificate ("client2" in our example), and the duplicate-cn flag must not be used in the OpenVPN server configuration file.
First, make sure that IP and TUN/TAP forwarding is enabled on the client machine.
Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now:
client-config-dir ccd
In the above directive, ccd should be the name of a directory which has been created in advance in the default directory where the OpenVPN server daemon runs. On Linux this tends to be /etc/openvpn and on Windows it is usually \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the daemon checks this directory for a file whose name matches the common name of the connecting client's certificate. If a matching file is found, it is read and processed for additional configuration directives to be applied to that client.
The next step is to create a file called client2 in the ccd directory. This file should contain the line:
iroute 192.168.4.0 255.255.255.0
This tells the OpenVPN server that the 192.168.4.0/24 subnet should be routed to client2.
Next, add the following line to the main server config file (not the ccd/client2 file):
route 192.168.4.0 255.255.255.0
Why the redundant route and iroute statements, you might ask? The reason is that route controls the routing from the kernel to the OpenVPN server process (via the TUN interface), while iroute controls the routing from the OpenVPN server process to the remote client. Both are necessary.
Next, ask yourself whether you want to allow network traffic between client2's subnet (192.168.4.0/24) and other clients of the OpenVPN server. If so, add the following to the server config file:
client-to-client
push "route 192.168.4.0 255.255.255.0"
This causes the OpenVPN server to advertise client2's subnet to the other connecting clients.
The last step, and one that is often forgotten, is to add a route on the server LAN's gateway which directs 192.168.4.0/24 to the OpenVPN server machine (you will not need this if the OpenVPN server is itself the gateway for the server LAN). Suppose you skipped this step and tried to ping a machine on the server LAN (other than the OpenVPN server itself) from 192.168.4.8. The outgoing ping would probably reach the machine, but the machine would not know how to route the reply, because it has no idea how to reach 192.168.4.0/24. The rule of thumb is that when routing entire LANs through the VPN (and the VPN server is not the same machine as the LAN gateway), make sure the LAN gateway routes all VPN subnets to the VPN server machine.
Similarly, if the client machine running OpenVPN is not also the gateway for the client LAN, then the client LAN's gateway must have a route which directs all subnets that should be reachable through the VPN to the OpenVPN client machine.
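The two routed (dev tun) procedures above, advertising the server LAN and adding a site-to-site client LAN, come down to a handful of directives that must agree with each other and to the prerequisite that no two routed subnets overlap. The following script is an added example, not part of the HOWTO or of OpenVPN itself: it checks the VPN pool, the server LAN and every client LAN for overlaps with the Python ipaddress module, then renders the route/push lines for the main server config and the iroute line for each ccd/<common-name> file. The subnets and the common names it is run on are the HOWTO's sample values; duplicate-cn is deliberately left out, as the prerequisites require.

```python
"""Plan the server side of a routed (dev tun) OpenVPN with LANs behind clients.

Added example, not code from the OpenVPN HOWTO. It enforces the HOWTO's rule
that every routed subnet be unique and emits the matching directives. The
subnets and common names used at the bottom are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def check_unique_subnets(pool: str, server_lan: str,
                         client_lans: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the pairs of labels whose subnets overlap; empty means OK.

    An overlap between the pool, the server LAN or two client LANs would make
    the kernel route and the iroute ambiguous, so it is rejected up front.
    """
    labelled = [("pool", Net(pool)), ("server-lan", Net(server_lan))]
    labelled += [(cn, Net(lan)) for cn, lan in client_lans.items()]
    conflicts = []
    for i, (label_a, net_a) in enumerate(labelled):
        for label_b, net_b in labelled[i + 1:]:
            if net_a.overlaps(net_b):
                conflicts.append((label_a, label_b))
    return conflicts


def netmask_form(net: Net) -> str:
    """server/route/iroute/push take 'network netmask', not CIDR notation."""
    return f"{net.network_address} {net.netmask}"


def render_server_conf(pool: str, server_lan: str, client_lans: Dict[str, str],
                       client_to_client: bool = False) -> str:
    """Directives for the main server config file (everything outside ccd/)."""
    conflicts = check_unique_subnets(pool, server_lan, client_lans)
    if conflicts:
        raise ValueError(f"overlapping subnets: {conflicts}")
    lines = [f"server {netmask_form(Net(pool))}",
             "client-config-dir ccd",
             # Advertise the server LAN to every connecting client.
             f'push "route {netmask_form(Net(server_lan))}"']
    for lan in client_lans.values():
        # Kernel -> OpenVPN process, via the TUN interface.
        lines.append(f"route {netmask_form(Net(lan))}")
    if client_to_client:
        lines.append("client-to-client")
        for lan in client_lans.values():
            # Let the other clients reach this site's LAN as well.
            lines.append(f'push "route {netmask_form(Net(lan))}"')
    return "\n".join(lines) + "\n"


def render_ccd_files(client_lans: Dict[str, str]) -> Dict[str, str]:
    """Map ccd/<common name> -> file contents (OpenVPN process -> that client)."""
    return {cn: f"iroute {netmask_form(Net(lan))}\n" for cn, lan in client_lans.items()}


if __name__ == "__main__":
    sites = {"client2": "192.168.4.0/24"}          # constructed sample
    print(render_server_conf("10.8.0.0/24", "10.66.0.0/24", sites, client_to_client=True))
    for name, body in render_ccd_files(sites).items():
        print(f"--- ccd/{name}\n{body}")
```

The script only produces the OpenVPN side of the setup; the routes on the server LAN gateway and the client LAN gateway described above still have to be added on those machines, and IP forwarding still has to be enabled on both OpenVPN endpoints.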
Including multiple machines on the client side when using a bridged VPN (dev tap)
This requires a more complex setup (perhaps not more complex in practice, but more complicated to explain in detail):
1. You must bridge the client's TAP interface with the LAN-connected NIC on the client.
2. You must manually set the IP/netmask of the TAP interface on the client.
3. You must configure the client-side machines to use an IP/netmask inside the bridged subnet, possibly by querying a DHCP server on the OpenVPN server side of the VPN.
Posted by frank at 9:48 PM
A clever use of OpenVPN: a flat-rate WAP plan plus OpenVPN for broadband in your palm
While visiting 51nb today I noticed that many people in its networking forum are also discussing OpenVPN, although most of them use it together with a cheap flat-rate WAP plan to get expensive handheld broadband. Quite creative. One of their diagrams is below:

The full article is here: WAP包月配合VPN上网原理简介 (an introduction to how a flat-rate WAP plan combined with a VPN gets you online)
Posted by frank at 10:25 AM
August 20, 2006
OpenVPN videos
While browsing the web I came across some videos about OpenVPN made by a fellow in Hong Kong. I happen to be studying OpenVPN lately, so I downloaded them for reference.
Heh, they are in Cantonese; luckily I used to watch a lot of Cantonese films, so I can more or less follow along.
Anyone interested can also download them from the site below
Posted by frank at 8:45 AM
August 19, 2006
OpenVPN 2.0 HOWTO: process management and the management interface (translation)
Original: http://openvpn.net/howto.html
My translation skills are limited and many passages may be rendered poorly; corrections are welcome.
Configuring OpenVPN to run automatically on system startup
The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.
Linux
If you install OpenVPN via an RPM package on Linux, the installer will set up an initscript. When executed, the initscript will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.
Windows
The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.
When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.
--------------------------------------------------------------------------------
Controlling a running OpenVPN process
Running on Linux/BSD/Unix
OpenVPN accepts several signals:
SIGUSR1 -- Conditional restart, designed to restart without root privileges
SIGHUP -- Hard restart
SIGUSR2 -- Output connection statistics to log file or syslog
SIGTERM, SIGINT -- Exit
Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).
Running on Windows as a GUI
See the OpenVPN GUI page.
Running in a Windows command prompt window
On Windows, you can start OpenVPN by right clicking on an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".
Once running in this fashion, several keyboard commands are available:
F1 -- Conditional restart (doesn't close/reopen TAP adapter)
F2 -- Show connection statistics
F3 -- Hard restart
F4 -- Exit
Running as a Windows Service
When OpenVPN is started as a service on Windows, the only way to control it is:
Via the service control manager (Control Panel / Administrative Tools / Services) which gives start/stop control.
Via the management interface (see below).
Modifying a live server configuration
While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.
client-config-dir -- This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (see the manual page for more information). Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the new client-config-dir file.
crl-verify -- This directive names a Certificate Revocation List file, described below in the Revoking Certificates section. The CRL file can be modified on the fly, and changes will take effect immediately for new connections, or existing connections which are renegotiating their SSL/TLS channel (occurs once per hour by default). If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface (described below).
Status File
The default server.conf file has a line
status openvpn-status.log
which will output a list of current client connections to the file openvpn-status.log once per minute.
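The status file is the cheapest server-side audit trail you get from the directives above, so here is a small parser for it, added as an example and not part of the HOWTO or of OpenVPN itself. It reads the version-1 layout that status openvpn-status.log writes by default (a CLIENT LIST and a ROUTING TABLE, each a CSV block with its own column header) and flags any common name that is connected from more than one real address. That is what a copied client key looks like from the server when duplicate-cn is enabled; without duplicate-cn the server drops the earlier session instead, so the file would only ever show the newest one. The log text embedded in the block is constructed sample data with documentation addresses.

```python
"""Parse the openvpn-status.log written by the 'status' directive.

Added example, not code from the OpenVPN HOWTO. Handles the version-1 status
format and reports common names seen from several real addresses. SAMPLE_STATUS
is constructed sample data, not output captured from a real server.
"""
from collections import defaultdict
from typing import Dict, List

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Aug 22 21:40:02 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:1194,10240,20480,Tue Aug 22 21:10:01 2006
client2,198.51.100.7:5000,512,1024,Tue Aug 22 21:30:15 2006
client2,192.0.2.33:61000,256,512,Tue Aug 22 21:39:58 2006
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.10:1194,Tue Aug 22 21:40:00 2006
192.168.4.0/24,client2,198.51.100.7:5000,Tue Aug 22 21:39:00 2006
10.8.0.10,client2,198.51.100.7:5000,Tue Aug 22 21:39:00 2006
10.8.0.14,client2,192.0.2.33:61000,Tue Aug 22 21:40:01 2006
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status_v1(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Split a version-1 status file into its 'clients' and 'routes' rows.

    Each section is a title line, a CSV line naming the columns, then CSV rows
    until the next section title. Rows come back as dicts keyed by column name.
    """
    sections: Dict[str, List[Dict[str, str]]] = {"clients": [], "routes": []}
    current = None
    columns: List[str] = []
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            current, columns = "clients", []
        elif line == "ROUTING TABLE":
            current, columns = "routes", []
        elif line in ("GLOBAL STATS", "END"):
            current = None                  # nothing per-client after this point
        elif current is not None:
            if current == "clients" and line.startswith("Updated,"):
                continue                    # timestamp line, not a row
            fields = line.split(",")
            if not columns:
                columns = fields            # first CSV line names the columns
            else:
                sections[current].append(dict(zip(columns, fields)))
    return sections


def common_names_with_multiple_addresses(text: str) -> Dict[str, List[str]]:
    """Common names connected from more than one real address, addresses sorted."""
    seen = defaultdict(set)
    for row in parse_status_v1(text)["clients"]:
        seen[row["Common Name"]].add(row["Real Address"])
    return {cn: sorted(addrs) for cn, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    for cn, addresses in common_names_with_multiple_addresses(SAMPLE_STATUS).items():
        print(f"{cn} is connected from {len(addresses)} addresses: {', '.join(addresses)}")
```

A hit from this check is exactly the case the crl-verify paragraph above describes: add the certificate to the CRL, then use kill cn on the management interface so the already-connected sessions do not survive until their next TLS renegotiation.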
Using the management interface
The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly, by telneting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.
To enable the management interface on either an OpenVPN server or client, add this to the configuration file:
management localhost 7505
This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice -- you can use any free port). Keep it bound to localhost: configured this way the interface has no authentication of its own, and anyone who can connect to the port can kill client sessions and signal the daemon with the commands listed below.
Once OpenVPN is running, you can connect to the management interface using a telnet client. For example:
ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005
Commands:
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #
For more information, see the OpenVPN Management Interface Documentation.
Posted by frank at 11:02 PM
August 18, 2006
OpenVPN 2.0 HOWTO: startup and initial connectivity testing (translation)
Original: http://openvpn.net/howto.html
My translation skills are limited and many passages may be rendered poorly; corrections are welcome.
Starting up the VPN and testing for initial connectivity
Starting the server
First, make sure the OpenVPN server will be accessible from the internet. That means:
opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
Next, make sure that the TUN/TAP interface is not firewalled.
To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the .ovpn file on Windows), rather than start it as a daemon or service:
openvpn [server config file]
A normal server startup should look like this (output will vary across platforms):
Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed
Starting the client
As with the server, it's best to initially start the OpenVPN client from the command line (or on Windows, by right-clicking on the client.ovpn file), rather than start it as a daemon or service:
openvpn [client config file]
A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.
Now, try a ping across the VPN from the client. If you are using routing (i.e. dev tun in the server config file), try:
ping 10.8.0.1
If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.
If the ping succeeds, congratulations! You now have a functioning VPN.
Troubleshooting
If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:
You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.
Solutions:
Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
You get the error message: Initialization Sequence Completed with errors -- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.
Solution: Start the DHCP client service and make sure that you are using a personal firewall which is known to work correctly on XP SP2.
You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.
Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).
The connection stalls on startup when using a proto udp configuration, and the server log file shows this line:
TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
however the client log does not show an equivalent line.
Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.
See the FAQ for additional troubleshooting information.
Posted by frank at 8:50 AM
August 15, 2006
OpenVPN 2.0 HOWTO: basic configuration (translation)
Original: http://openvpn.net/howto.html
My translation skills are limited and many passages may be rendered poorly; corrections are welcome.
Creating configuration files for server and clients
Getting the sample config files
It's best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in
the sample-config-files directory of the OpenVPN source distribution
the sample-config-files directory in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 if you installed from an RPM package
Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows
Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn.
Editing the server configuration file
The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.
At this point, the server configuration file is usable, however you still might want to customize it further:
If you are using Ethernet bridging, you must use server-bridge and dev tap instead of server and dev tun.
If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).
If you want to use a virtual IP address range other than 10.8.0.0/24, you should modify the server directive. Remember that this virtual IP address range should be a private range which is currently unused on your network.
Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.
If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting out the user nobody and group nobody directives.
If you want to run multiple OpenVPN instances on the same machine, each using a different configuration file, it is possible if you:
Use a different port number for each instance (the UDP and TCP protocols use different port spaces so you can run one daemon listening on UDP-1194 and another on TCP-1194).
If you are using Windows, each OpenVPN configuration needs to have its own TAP-Win32 adapter. You can add additional adapters by going to Start Menu -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter.
If you are running multiple OpenVPN instances out of the same directory, make sure to edit directives which create output files so that multiple instances do not overwrite each other's output files. These directives include log, log-append, status, and ifconfig-pool-persist.
Editing the client configuration files
The sample client configuration file (client.conf on Linux/BSD/Unix or client.ovpn on Windows) mirrors the default directives set in the sample server configuration file.
Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI section above. Note that each client should have its own cert/key pair. Only the ca file is universal across the OpenVPN server and all clients.
Next, edit the remote directive to point to the hostname/IP address and port number of the OpenVPN server (if your OpenVPN server will be running on a single-NIC machine behind a firewall/NAT-gateway, use the public IP address of the gateway, and a port number which you have configured the gateway to forward to the OpenVPN server).
Finally, ensure that the client configuration file is consistent with the directives used in the server configuration. The major thing to check for is that the dev (tun or tap) and proto (udp or tcp) directives are consistent. Also make sure that comp-lzo and fragment, if used, are present in both client and server config files.
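The consistency check just described is easy to get wrong by eye once there are several clients, so here it is as a script. This is an added example, not part of the HOWTO or of OpenVPN: it parses the directives the text says must agree (dev, proto, comp-lzo, fragment) and also compares the port named in each client remote line with the server's port, since a port mismatch produces the same "TLS key negotiation failed" symptom as a firewall problem. The two configs embedded in the block are constructed samples, vpn.example.com is a placeholder hostname, and proto values are compared by their transport only so that tcp-server on the server matches tcp-client on a client.

```python
"""Check an OpenVPN client config against the server config it should match.

Added example, not code from the OpenVPN HOWTO. SERVER_CONF and CLIENT_CONF are
constructed samples (the client one is deliberately wrong in three places);
vpn.example.com is a placeholder hostname.
"""
from typing import Dict, List, Optional

SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;client-to-client
comp-lzo
user nobody
group nobody
"""

CLIENT_CONF = """\
client
dev tap
proto tcp
remote vpn.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
"""


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map directive name -> list of argument lists (one per occurrence).

    Blank lines and lines starting with ';' or '#' are comments. Several
    occurrences of one directive (e.g. multiple 'remote' lines) are all kept.
    """
    out: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        words = line.split()
        out.setdefault(words[0], []).append(words[1:])
    return out


def first(directives: Dict[str, List[List[str]]], name: str) -> Optional[List[str]]:
    """Arguments of the first occurrence of a directive, or None if absent."""
    occurrences = directives.get(name)
    return occurrences[0] if occurrences else None


def transport(proto: Optional[List[str]]) -> str:
    """Normalise proto: missing means udp; tcp-server/tcp-client both mean tcp."""
    return proto[0].split("-")[0] if proto else "udp"


def check_client_against_server(server_text: str, client_text: str) -> List[str]:
    """Return human-readable mismatches; an empty list means the pair is consistent."""
    server, client = parse_directives(server_text), parse_directives(client_text)
    problems: List[str] = []

    s_dev, c_dev = first(server, "dev"), first(client, "dev")
    if (s_dev or [None])[0] != (c_dev or [None])[0]:
        problems.append(f"dev: server has {s_dev}, client has {c_dev}")

    if transport(first(server, "proto")) != transport(first(client, "proto")):
        problems.append(f"proto: server has {transport(first(server, 'proto'))}, "
                        f"client has {transport(first(client, 'proto'))}")

    # comp-lzo and fragment must be set on both sides or on neither.
    for name in ("comp-lzo", "fragment"):
        if (name in server) != (name in client):
            side = "server" if name in server else "client"
            problems.append(f"{name}: only the {side} config sets it")

    # Every remote must name the port the server listens on (default 1194).
    server_port = (first(server, "port") or ["1194"])[0]
    for remote in client.get("remote", []):
        client_port = remote[1] if len(remote) > 1 else "1194"
        if client_port != server_port:
            problems.append(f"remote {remote[0]}: client uses port {client_port}, "
                            f"server listens on {server_port}")
    return problems


if __name__ == "__main__":
    for problem in check_client_against_server(SERVER_CONF, CLIENT_CONF):
        print(problem)
```

Run as is, the script reports the three deliberate mismatches in the sample client (dev, proto and comp-lzo); fix those and it prints nothing. It does not check the certificate files, since the only useful test there is to start the client and watch the log as described in the next post.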
Posted by frank at 4:40 PM
August 14, 2006
OpenVPN 2.0 HOWTO: certificates (translation)
Original: http://openvpn.net/howto.html
My translation skills are limited and many passages may be rendered poorly; corrections are welcome.
Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
Overview
The first step in building an OpenVPN 2.0 configuration is to establish a PKI (public key infrastructure). The PKI consists of:
a separate certificate (which carries the public key) and private key for the server and for each client, and
a master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.
Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority (CA), and then by testing information in the now-authenticated certificate header, such as the certificate common name or certificate type (client or server).
This security model has a number of desirable features from the VPN perspective:
The server only needs its own certificate/key -- it doesn't need to know the individual certificates of every client which might possibly connect to it.
The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection.
If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt.
The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
Generate the master Certificate Authority (CA) certificate & key
In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients.
For PKI management, we will use a set of scripts bundled with OpenVPN.
If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory of the OpenVPN distribution. If you installed OpenVPN from an RPM file, the easy-rsa directory can usually be found in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (it's best to copy this directory to another location such as /etc/openvpn, before any edits, so that future OpenVPN package upgrades won't overwrite your modifications). If you installed from a .tar.gz file, the easy-rsa directory will be in the top level directory of the expanded source tree.
If you are using Windows, open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
init-config
Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
Next, initialize the PKI. On Linux/BSD/Unix:
. ./vars
./clean-all
./build-ca
On Windows:
vars
clean-all
build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [me@myhost.mydomain]:
Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
Generate certificate & key for server
Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:
./build-key-server server
On Windows:
build-key-server server
As in the previous step, most parameters can be defaulted. When the Common Name is queried, enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generate certificates & keys for 3 clients
Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:
./build-key client1
./build-key client2
./build-key client3
On Windows:
build-key client1
build-key client2
build-key client3
If you would like to password-protect your client keys, substitute the build-key-pass script.
Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:
./build-dh
On Windows:
build-dh
Output:
ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................
Key Files
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
| Filename | Needed By | Purpose | Secret |
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |
The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel?
The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.
Setting up your own Certificate Authority (CA) and using it to generate certificates and keys for an OpenVPN server and multiple clients
Overview
The first step in building an OpenVPN 2.0 configuration is to establish a PKI (public key infrastructure). The PKI consists of:
a separate certificate (also known as a public key) and private key for the server and for each client,
a master Certificate Authority (CA) certificate and key, which is used to digitally sign each of the server and client certificates.
OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established.
Both the server and the client authenticate the other side by first verifying that the presented certificate was signed by the master CA certificate, and then by testing information in the now-authenticated certificate header, such as the certificate's Common Name or certificate type (client or server).
This security model has a number of desirable features from the VPN perspective:
The server only needs its own certificate and key; it does not need to know the individual certificates of every client that might connect to it.
The server only accepts client certificates that were signed by the master CA certificate. Because the server performs this signature check without needing access to the CA private key, the CA key (the most sensitive key in the entire PKI) can reside on a completely different machine, even one without a network connection.
If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be rejected selectively without requiring that the entire PKI be rebuilt.
The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name.
Generate the master Certificate Authority (CA) certificate and key
In this section we will generate a master CA certificate and key, a server certificate and key, and certificates and keys for 3 separate clients.
For PKI management, we will use the easy-rsa scripts that are bundled with OpenVPN.
If you are using Linux, BSD, or a unix-like system, open a shell and cd to the easy-rsa directory to run the scripts. If you installed OpenVPN from an RPM package, the easy-rsa directory is installed under /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (if you intend to modify it, it's best to copy the directory to another location such as /etc/openvpn first, so that future OpenVPN upgrades won't overwrite your changes). If you installed from the .tar.gz source, the easy-rsa directory is in the top-level directory of the extracted source tree.
If you are running Windows, open a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy the configuration files into place (this will overwrite any existing vars.bat and openssl.cnf files):
init-config
Now edit the vars file (vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
Next, initialize the PKI. On Linux/BSD/Unix:
. ./vars
./clean-all
./build-ca
On Windows:
vars
clean-all
build-ca
The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command:
ai:easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [me@myhost.mydomain]:
Note that in the sequence above, most of the queried parameters default to the values set in the vars or vars.bat file. The only parameter that must be entered explicitly is the Common Name; in this example we used "OpenVPN-CA".
Generate the certificate and key for the server
Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:
./build-key-server server
On Windows:
build-key-server server
As in the previous step, most parameters can be defaulted. When prompted for the Common Name, enter "server". Two other prompts must also be answered with y: "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]".
Generate certificates and keys for 3 clients
Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:
./build-key client1
./build-key client2
./build-key client3
On Windows:
build-key client1
build-key client2
build-key client3
If you want to password-protect your client keys, use the build-key-pass script instead.
For each client, be sure to enter the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique Common Name for each client.
Generate Diffie Hellman parameters
Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:
./build-dh
On Windows:
build-dh
Output:
ai:easy-rsa # ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................
Key files
We will now find our newly generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
| Filename | Needed By | Purpose | Secret |
| ca.crt | server + all clients | Root CA certificate | NO |
| ca.key | key signing machine only | Root CA key | YES |
| dh{n}.pem | server only | Diffie Hellman parameters | NO |
| server.crt | server only | Server Certificate | NO |
| server.key | server only | Server Key | YES |
| client1.crt | client1 only | Client1 Certificate | NO |
| client1.key | client1 only | Client1 Key | YES |
| client2.crt | client2 only | Client2 Certificate | NO |
| client2.key | client2 only | Client2 Key | YES |
| client3.crt | client3 only | Client3 Certificate | NO |
| client3.key | client3 only | Client3 Key | YES |
The final and most important step is to copy all the files produced by this process to the machines that need them, taking care to copy the secret key files over a secure channel.
Now wait, you may say: shouldn't it be possible to set up the PKI without a pre-existing secure channel?
The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all the private keys in the same place. With a little more effort we could have done this differently. For example, instead of generating the client certificates and keys on the server, the client could generate its own private key locally and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine would process the CSR and return a signed certificate to the client. This way, no secret .key file ever has to leave the hard drive of the machine on which it was generated.
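The CSR-based enrolment described in this paragraph (and in the English original above), as an added example that is not code from the HOWTO or from the easy-rsa scripts: the client creates client2.key and a CSR on its own disk, the key-signing machine signs the CSR with ca.key, and only public material crosses between the two. It uses plain openssl commands instead of build-key; openssl being on PATH and every directory and file name are assumptions.

```shell
# Added example (not part of the OpenVPN HOWTO): the CSR-based enrolment the
# text describes, done with plain openssl instead of the easy-rsa scripts.
# Assumptions: openssl is on PATH; directory and file names are constructed.
set -eu

WORK=$(mktemp -d)
CA_DIR="$WORK/ca"            # stands in for the key-signing machine
CLIENT_DIR="$WORK/client"    # stands in for the client's own hard drive
mkdir -p "$CA_DIR" "$CLIENT_DIR"

# 1. Key-signing machine: create the CA. ca.key never leaves CA_DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=OpenVPN-CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# 2. Client: generate its private key and a CSR locally. Only the CSR
#    (public data) is handed to the CA; <cn>.key stays in CLIENT_DIR.
make_client_csr() {   # $1 = Common Name, e.g. client2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$CLIENT_DIR/$1.key" -out "$CLIENT_DIR/$1.csr" 2>/dev/null
}

# 3. Key-signing machine: sign the CSR and hand the certificate back.
sign_csr() {   # $1 = Common Name
    openssl x509 -req -days 365 -in "$CLIENT_DIR/$1.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -out "$CLIENT_DIR/$1.crt" 2>/dev/null
}

# What the OpenVPN server will later check: the certificate chains to ca.crt
# and carries the expected Common Name.
check_cert() {   # $1 = Common Name
    openssl verify -CAfile "$CA_DIR/ca.crt" "$CLIENT_DIR/$1.crt" >/dev/null 2>&1 &&
    openssl x509 -noout -subject -in "$CLIENT_DIR/$1.crt" | grep -q "CN *= *$1\$"
}

# The secret file exists only on the client side, never on the CA side.
key_stayed_home() {   # $1 = Common Name
    [ -s "$CLIENT_DIR/$1.key" ] && [ ! -e "$CA_DIR/$1.key" ]
}

make_ca
make_client_csr client2
sign_csr client2
if check_cert client2 && key_stayed_home client2; then
    echo "client2 enrolled; client2.key never left $CLIENT_DIR"
else
    echo "enrolment failed" >&2; exit 1
fi
```

The same flow with the easy-rsa 2.0 scripts would use build-req on the client and sign-req on the key-signing machine; the openssl calls above show what those scripts do underneath.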
Posted by frank at 10:15 PM | Comments (0) | Trackback
OpenVPN 2.0 HOWTO - Mode and network planning (translation)
Original: http://openvpn.net/howto.html
My translation skills are limited; please point out anything that is inaccurate.
Determining whether to use a routed or bridged VPN
See FAQ for an overview of Routing vs. Ethernet Bridging. See also the OpenVPN Ethernet Bridging page for more notes and details on bridging.
Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.
I would recommend using routing unless you need a specific feature which requires bridging, such as:
the VPN needs to be able to handle non-IP protocols such as IPX,
you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server.
--------------------------------------------------------------------------------
Numbering private subnets
Setting up a VPN often entails linking together private subnets from different locations.
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (codified in RFC 1918):
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
While addresses from these netblocks should normally be used in VPN configurations, it's important to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are:
conflicts from different sites on the VPN using the same LAN subnet numbering, or
remote access connections from sites which are using private subnets which conflict with your VPN subnets.
For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN.
As another example, suppose you want to link together multiple sites by VPN, but each site is using 192.168.0.0/24 as its LAN subnet. This won't work without adding a complexifying layer of NAT translation, because the VPN won't know how to route packets between multiple sites if those sites don't use a subnet which uniquely identifies them.
The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24).
And to avoid cross-site IP numbering conflicts, always use unique numbering for your LAN subnets.
Determining whether to use a routed or bridged VPN
See the FAQ for an overview of routing vs. Ethernet bridging. The OpenVPN Ethernet Bridging page has more notes and details on bridging mode.
Overall, routing is the better choice for most users: it is easier to set up and more efficient (as far as the OpenVPN configuration itself is concerned), and it gives you a greater ability to control access rights on a per-client basis.
I would generally recommend using routing unless you need a specific feature that requires bridging, such as:
• the VPN needs to carry non-IP protocols such as IPX,
• you are running applications over the VPN that rely on network broadcasts (such as LAN games), or
• you would like to browse Windows file shares across the VPN without setting up a Samba or WINS server.
Numbering private subnets
Setting up a VPN often entails linking together private subnets from different locations.
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of address space for private networks (RFC 1918):
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
While these reserved netblocks are normally what you use in a VPN configuration, it is important to choose addresses that minimize the chance of IP address or subnet conflicts. The conflicts to avoid are:
• different sites on the VPN using the same LAN subnet numbering, or
• remote-access connections from sites whose private subnets conflict with your VPN subnets.
For example, suppose your private LAN uses the popular 192.168.0.0/24 subnet. Now you are in an internet cafe trying to reach your internal network over the VPN, and the cafe's wireless LAN uses the same subnet as your internal network. You will run into a routing conflict, because your machine cannot tell whether 192.168.0.1 refers to the wireless gateway or to the same address on the VPN side.
As another example, suppose you want to link multiple sites together over the VPN, but every site uses 192.168.0.0/24 as its LAN subnet. This won't work without adding a complicating layer of NAT, because the VPN cannot route packets between the sites unless each site uses a subnet that uniquely identifies it.
The best solution is to avoid private LAN addresses such as 10.0.0.0/24 or 192.168.0.0/24. Instead, use a subnet that is unlikely to be in use at the WiFi cafe, airport, or hotel you might connect from. The best candidates are subnets in the middle of the 10.0.0.0/8 netblock (for example 10.66.77.0/24).
And to avoid cross-site IP numbering conflicts, always use unique numbering for your LAN subnets.
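A planning check for the two conflict types this section (and the English original above) describes, added here and not part of the HOWTO: it flags every pair of overlapping subnets in a site plan and any subnet outside the RFC 1918 blocks, using the HOWTO's sample 10.8.0.0/24 pool and 10.66.0.0/24 LAN together with constructed site names.

```shell
# Added example (not from the OpenVPN HOWTO): checks an addressing plan for the
# two conflict types the text describes. PLAN below is constructed sample data.
set -eu

ip2int() {   # a.b.c.d -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
range() {    # a.b.c.d/n -> "first last" addresses of the network, as integers
    mask=$(( (4294967295 << (32 - ${1#*/})) & 4294967295 ))
    first=$(( $(ip2int "${1%/*}") & mask ))
    echo "$first $(( first | (4294967295 ^ mask) ))"
}
overlaps() { # true if the two CIDR blocks share at least one address
    set -- $(range "$1") $(range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}
within() {   # true if $1 lies entirely inside $2
    set -- $(range "$1") $(range "$2")
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}
is_private() {   # true if inside one of the three RFC 1918 blocks
    within "$1" 10.0.0.0/8 || within "$1" 172.16.0.0/12 || within "$1" 192.168.0.0/16
}
# stdin: "name cidr" lines. Prints one line per problem; returns 1 if any found.
check_plan() {
    set -- $(tr ' ' '=')          # one "name=cidr" word per entry
    problems=0
    for e in "$@"; do
        is_private "${e#*=}" ||
            { echo "WARN ${e%=*} ${e#*=} is outside RFC 1918"; problems=$((problems + 1)); }
    done
    while [ $# -gt 1 ]; do        # visit every unordered pair exactly once
        e1=$1; shift
        for e2 in "$@"; do
            overlaps "${e1#*=}" "${e2#*=}" || continue
            echo "CONFLICT ${e1%=*} (${e1#*=}) overlaps ${e2%=*} (${e2#*=})"
            problems=$((problems + 1))
        done
    done
    [ "$problems" -eq 0 ]
}

# Constructed plan: the HOWTO's sample addresses, one site that copied its
# neighbour's subnet, and a roaming user on cafe WiFi numbered 192.168.0.0/24.
PLAN='vpn-pool 10.8.0.0/24
server-lan 10.66.0.0/24
site-client2 192.168.4.0/24
site-client3 192.168.4.0/24
site-client4 192.168.0.0/24
cafe-wifi 192.168.0.0/24'
printf '%s\n' "$PLAN" | check_plan && echo "plan is conflict-free" || echo "plan needs renumbering"
```

Renumbering site-client3 and site-client4 into unused /24s in the middle of 10.0.0.0/8, as the text suggests, makes check_plan return 0.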
Posted by frank at 2:54 PM | Comments (1) | Trackback
OpenVPN 2.0 HOWTO - Installation (translation)
Original: http://openvpn.net/howto.html
Installing OpenVPN
My translation skills are limited; please point out anything that is inaccurate.
OpenVPN can be downloaded here. For security, it's a good idea to check the file release signature after downloading.
The OpenVPN executable should be installed on both server and client machines, since the single executable provides both client and server functions.
Linux Notes (using RPM package)
If you are using a Linux distribution which supports RPM packages (SuSE, Fedora, Redhat, etc.), it's best to install using this mechanism. The easiest method is to find an existing binary RPM file for your distribution. You can also build your own binary RPM file:
rpmbuild -tb openvpn-[version].tar.gz
Once you have the .rpm file, you can install it with the usual
rpm -ivh openvpn-[details].rpm
or upgrade an existing installation with
rpm -Uvh openvpn-[details].rpm
Installing OpenVPN from a binary RPM package has these dependencies:
openssl
lzo
pam
Furthermore, if you are building your own binary RPM package, there are several additional dependencies:
openssl-devel
lzo-devel
pam-devel
See the openvpn.spec file for additional notes on building an RPM package for Red Hat Linux 9 or building with reduced dependencies.
Linux Notes (without RPM)
If you are using Debian, Gentoo, or a non-RPM-based Linux distribution, use your distro-specific packaging mechanism such as apt-get on Debian or emerge on Gentoo.
It is also possible to install OpenVPN on Linux using the universal ./configure method. First expand the .tar.gz file:
tar xfz openvpn-[version].tar.gz
Then cd to the top-level directory and type:
./configure
make
make install
Windows Notes
OpenVPN for Windows can be installed from the self-installing exe file on the OpenVPN download page. Remember that OpenVPN will only run on Windows 2000 or later. Also note that OpenVPN must be installed and run by a user who has administrative privileges (this restriction is imposed by Windows, not OpenVPN). The restriction can be sidestepped by running OpenVPN in the background as a service, in which case even non-admin users will be able to access the VPN, once it is installed. More discussion on OpenVPN + Windows privilege issues.
OpenVPN can also be installed as a GUI on Windows, using Mathias Sundman's installation package, which will install both OpenVPN and the Windows GUI.
After you run the Windows installer, OpenVPN is ready to use and will associate itself with files having the .ovpn extension. To run OpenVPN, you can:
Right click on an OpenVPN configuration file (.ovpn) and select Start OpenVPN on this configuration file. Once running, you can use the F4 key to exit.
Run OpenVPN from a command prompt Window with a command such as:
openvpn myconfig.ovpn
Once running in a command prompt window, OpenVPN can be stopped by the F4 key.
Run OpenVPN as a service by putting one or more .ovpn configuration files in \Program Files\OpenVPN\config and starting the OpenVPN Service, which can be controlled from Start Menu -> Control Panel -> Administrative Tools -> Services.
A GUI is also available for the Windows version of OpenVPN.
Additional Windows install notes.
Mac OS X Notes
Angelo Laub and Dirk Theisen have developed an OpenVPN GUI for OS X.
See also OpenVPN Client and Mac OS X 10.3.
Other OSes
Some notes are available in the INSTALL file for specific OSes. In general, the
./configure
make
make install
method can be used, or you can search for an OpenVPN port or package which is specific to your OS/distribution.
Installing OpenVPN
OpenVPN can be downloaded here.
For security, it is strongly recommended that you check the file's release signature after downloading.
The OpenVPN executable is installed on both server and client machines, since the single executable provides both server and client functions.
Linux notes (using RPM packages)
If you are using a Linux distribution that supports RPM packages (SuSE, Fedora, Redhat, etc.), it's best to install using this packaging mechanism. The easiest way is to find an existing binary RPM for your distribution; you can also build your own binary RPM for your machine from the tar archive:
rpmbuild -tb openvpn-[version].tar.gz
Once you have built the RPM, you can install it with
rpm -ivh openvpn-[details].rpm
or upgrade an existing installation with
rpm -Uvh openvpn-[details].rpm
Installing OpenVPN from a binary RPM package has these package dependencies:
• openssl
• lzo
• pam
Furthermore, if you are building your own binary RPM package, you must first install these additional dependencies:
• openssl-devel
• lzo-devel
• pam-devel
See the openvpn.spec file for additional notes on the dependencies needed when building an RPM package for Red Hat Linux 9.
Linux notes (without RPM)
If you are using Debian, Gentoo, or another non-RPM-based Linux distribution, use the distribution's own packaging mechanism, such as apt-get on Debian or emerge on Gentoo.
It is also possible to build and install OpenVPN with the standard ./configure method. Before building, first expand the .tar.gz file:
tar xfz openvpn-[version].tar.gz
Then cd into the top-level directory of the extracted source and type:
./configure
make
make install
Windows notes
The Windows version of OpenVPN can be installed from the self-installing exe file on the OpenVPN download page. Note that this version of OpenVPN will only run on Windows 2000 or later. Also note that OpenVPN must be installed and run by a user with administrative privileges (this restriction is imposed by Windows, not by OpenVPN). The restriction can be sidestepped by running OpenVPN in the background as a service, in which case even non-admin users can access the VPN once it is installed. More discussion on OpenVPN + Windows privilege issues.
OpenVPN can also be installed with a graphical interface on Windows, using Mathias Sundman's installation package, which installs both OpenVPN and the Windows GUI.
After installation, OpenVPN associates itself with files having the .ovpn extension. To run OpenVPN, you can:
• Right-click an OpenVPN configuration file (a file with the .ovpn extension) and select Start OpenVPN on this configuration file. Once it is running, you can press F4 to exit.
• Run OpenVPN from a command prompt window with a command such as:
openvpn myconfig.ovpn
OpenVPN started from a command prompt can likewise be stopped by pressing F4.
• Run OpenVPN as a service: put one or more .ovpn configuration files in \Program Files\OpenVPN\config and start the OpenVPN Service, which is controlled from Start Menu -> Control Panel -> Administrative Tools -> Services.
A GUI is also available for the Windows version of OpenVPN.
Additional Windows install notes.
Mac OS X notes
Angelo Laub and Dirk Theisen have developed an OpenVPN GUI for OS X.
See also OpenVPN Client and Mac OS X 10.3.
Other OSes
See the INSTALL file for notes on specific OSes. In general, the
./configure
make
make install
method can be used, or you can look for an OpenVPN port or package specific to your OS/distribution and install it the appropriate way.