Open-VPN

Prerequisites:

yum -y install openssl-devel openssl
yum -y install gcc gcc-c++

Download LZO:

wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.04.tar.gz 

Download OpenVPN:

wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz

1. Install the LZO package

# The LZO package compresses the tunnel traffic to speed up transmission
[[email protected] download]# tar -zxvf lzo-2.03.tar.gz
[[email protected] download]# cd lzo-2.03
[[email protected] lzo-2.03]# ./configure --prefix=/usr
[[email protected] lzo-2.03]# make && make install

2. Install the OpenVPN package

[[email protected] download]# tar -zxvf openvpn-2.0.9.tar.gz
[[email protected] download]# cd openvpn-2.0.9
[[email protected] openvpn-2.0.9]# ./configure --with-lzo-lib=/usr
[[email protected] openvpn-2.0.9]# make && make install

3. Configuring the OpenVPN server:

(1) Set the CA details:
cd /root/download/openvpn-2.0.9/easy-rsa/2.0. Once in this directory, edit the settings at the end of the vars file, as shown below:

[[email protected] 2.0]# cat vars
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"

# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="beijing"
export KEY_ORG="bjbj"
export KEY_EMAIL="[email protected]"

(2) Initialize

[[email protected] 2.0]# source vars     //load the settings from vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/download/openvpn-2.0.9/easy-rsa/2.0/keys

Following the note above, continue with these commands:

[[email protected] 2.0]# ./clean-all    //initialize the keys directory
[[email protected] 2.0]# cd keys/
[[email protected] keys]# ls
index.txt  serial

(3) Generate the CA certificate

[[email protected] 2.0]# ./build-ca    //if nothing needs changing, just press Enter at every prompt
Generating a 1024 bit RSA private key
............................................++++++
..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [bjbj]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [bjbj CA]:
Email Address [[email protected]]:

Go into the keys directory again to check that the certificate was generated:
[[email protected] 2.0]# cd keys/
[[email protected] keys]# ls
ca.crt  ca.key  index.txt  serial

(4) Generate the Diffie-Hellman file for the server. It is needed later when configuring the OpenVPN server. The command is:

[[email protected] 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................................................................................................+...................................+..........+................................................+.............+.......................+........+..............................................................+...........................+........................+...........................................................+........................++*++*++*

List the keys directory again; a dh file has been added, as shown below:
[[email protected] 2.0]# cd keys/
[[email protected] keys]# ls
ca.crt  ca.key  dh1024.pem  index.txt  serial

(5) Generate the server certificate:

[[email protected] 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
....................++++++
...++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [bjbj]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/download/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'bjbj'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 21 05:28:04 2025 GMT (3650 days)
Sign the certificate? [y/n]:y    //enter y

1 out of 1 certificate requests certified, commit? [y/n]y    //enter y
Write out database with 1 new entries
Data Base Updated
[[email protected] 2.0]# cd keys/
[[email protected] keys]# ls
01.pem  ca.key      index.txt       index.txt.old  serial.old  server.csr
ca.crt  dh1024.pem  index.txt.attr  serial         server.crt  server.key

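(6) Generate the client certificates:

Here I generate two certificates, client1 and client2.
//In OpenVPN, every VPN client that logs in needs its own certificate, and each certificate can serve only one client connection at a time. If two machines have the same certificate installed and connect to the server at the same time, both connections succeed, but the second client to connect is dropped every 5 minutes. If you see this in a real environment, check whether the certificate is already in use.

Create the first certificate, client1: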
[[email protected] 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
.................................++++++
........................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [bjbj]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:client1   //enter client1
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/download/openvpn-2.0.9/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'beijing'
organizationName      :PRINTABLE:'bjbj'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 21 05:32:26 2025 GMT (3650 days)
Sign the certificate? [y/n]:y   

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Create client2, client3, ... in the same way.
[[email protected] 2.0]# cd keys/
[[email protected] keys]# ls
01.pem  06.pem       client1.csr  client3.crt  client4.key  client6.csr     index.txt.attr.old  server.csr
02.pem  07.pem       client1.key  client3.csr  client5.crt  client6.key     index.txt.old       server.key
03.pem  ca.crt       client2.crt  client3.key  client5.csr  dh1024.pem      serial
04.pem  ca.key       client2.csr  client4.crt  client5.key  index.txt       serial.old
05.pem  client1.crt  client2.key  client4.csr  client6.crt  index.txt.attr  server.crt

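(7) Edit the OpenVPN server configuration file /etc/server.conf

Copy the sample file to /etc/ to create the configuration file, then edit it:
[[email protected] ~]# cp -p /root/download/openvpn-2.0.9/sample-config-files/server.conf  /etc/server.conf
Edit /etc/server.conf:

a) Change proto udp to tcp

b) Find the three lines beginning with ca, cert and key, and write after each keyword the full path of the file generated above (the root CA certificate from "build-ca", then the server certificate and key), as shown below: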
ca /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/ca.crt
cert /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/server.crt
key /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/server.key

c) Find the line beginning with dh and write the full path of the dh file generated above with "build-dh", as shown below:
dh /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem

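d) Change the server line to the following:
server 10.172.200.0 255.255.255.0
//Specifies the virtual subnet of the VPN tunnel, i.e. the internal IPs the VPN server assigns to VPN clients. It is best not to give VPN clients addresses in the same subnet as the LAN the VPN server sits on; if you do, the VPN server can no longer communicate with the LAN machines once the OpenVPN service starts

e) local 10.10.2.192    // IP of the interface that listens for client VPN requests

f) dev tun      // Device type, tap or tun. tap is a layer-2 device and supports link-layer protocols; tun is an IP-layer point-to-point device with somewhat more restrictions. tun is recommended. Used by default

g) client-to-client  // To let clients see each other, uncomment this line; otherwise clients cannot reach one another

h) keepalive 10 120  // Keep the connection alive: ping every 10 seconds, and if no packet arrives for 120 seconds, treat the client as disconnected

i) push "route 10.10.0.0 255.255.0.0"    // Advertise the server-side LAN subnet to clients (the route entry VPN clients use to reach LAN machines)

j) max-clients 10   // Maximum number of client connections

k) persist-key  // When the VPN restarts after a keepalive timeout, do not re-read the private key; keep the key that was loaded the first time

l) persist-tun   // When the VPN restarts after a keepalive timeout, keep the tun or tap device up; otherwise the network link goes down and then up again

m) push "dhcp-option DNS 8.8.8.8" // DNS server IP for VPN clients.

A fixed IP address can be assigned to a particular VPN client with client-config-dir (server.conf contains an example). client-config-dir names the directory that holds the per-client configuration files. For example, to give a user a specific IP address (such as 192.168.0.5) instead of letting the VPN server assign one automatically, create a file named qin in the configuration directory /etc/openvpn/ccd containing ifconfig-push 192.168.0.5
The resulting configuration: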

[[email protected] ~]# cat /etc/server.conf
local 10.10.2.192
port 1194
proto tcp
dev tun
ca /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/ca.crt
cert /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/server.crt
key /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/server.key
dh /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem
server 10.172.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.0.0"
push "route 10.10.2.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
verb 3
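
With dev tun and the net30 addressing that OpenVPN 2.0 uses, each client occupies a /30, so the ifconfig-push line in a client-config-dir file carries two addresses: the client's and its tunnel peer's. The script below is an added example, not part of the original guide; it assumes client-config-dir is set in server.conf, reuses the 10.172.200.0/24 tunnel subnet from above, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): pin a client to a fixed tunnel
# address through client-config-dir. Function names are hypothetical.

# ccd_pair PREFIX INDEX: print "client-ip peer-ip" for /30 block INDEX.
# Block 0 (.1/.2) belongs to the server itself, so valid indexes are 1..63.
ccd_pair() {
    # Reject empty, leading-zero, over-long and non-numeric indexes.
    case $2 in ''|0*|???*|*[!0-9]*) return 1 ;; esac
    if [ "$2" -lt 1 ] || [ "$2" -gt 63 ]; then return 1; fi
    echo "$1.$(( $2 * 4 + 1 )) $1.$(( $2 * 4 + 2 ))"
}

# write_ccd DIR CN PREFIX INDEX: create DIR/CN holding the ifconfig-push line.
# OpenVPN looks the file up by the certificate Common Name, so CN is limited
# to a safe character set and can never point outside DIR.
write_ccd() {
    case $2 in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    pair=$(ccd_pair "$3" "$4") || return 1
    mkdir -p "$1" || return 1
    printf 'ifconfig-push %s\n' "$pair" > "$1/$2"
}

# Demo in a scratch directory; on the server DIR would be /etc/openvpn/ccd.
CCD_DEMO=$(mktemp -d)
write_ccd "$CCD_DEMO" client1 10.172.200 1
cat "$CCD_DEMO/client1"
```

Keep statically assigned blocks out of the range the server hands out dynamically, otherwise two clients can end up with the same address.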

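After a client dials in to OpenVPN, its default gateway points at the OpenVPN server. For the client to reach the Internet, NAT must be enabled on the server.
First enable IP forwarding: the system's own forwarding must be switched on before packets can be forwarded between subnets.

[[email protected] 2.0]# sed -i '/net.ipv4.ip_forward/s/0/1/g' /etc/sysctl.conf
# if /etc/sysctl.conf has no net.ipv4.ip_forward line, append one instead:
[[email protected] 2.0]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[[email protected] 2.0]# echo 1 > /proc/sys/net/ipv4/ip_forward
[[email protected] 2.0]# iptables -t nat -A POSTROUTING -s 10.172.200.0/24 -o eth0 -j MASQUERADE     # reach external networks
[[email protected] 2.0]# iptables -t nat -A POSTROUTING -s 10.172.200.0/255.255.255.0 -d 10.10.0.0/255.255.0.0 -j SNAT --to-source 10.10.2.192   # reach other subnets
[[email protected] 2.0]# iptables-save > /etc/sysconfig/iptables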

View the NAT table:

iptables -t nat -vL

Deleting and flushing iptables rules:
[[email protected] ~]# iptables -D INPUT 3  //delete rule 3 of the INPUT chain

[[email protected] ~]# iptables -t nat -D POSTROUTING 1  //delete the first rule of POSTROUTING in the nat table

[[email protected] ~]# iptables -F INPUT   //flush all rules of INPUT in the filter table

[[email protected] ~]# iptables -F    //flush all rules

[[email protected] ~]# iptables -t nat -F POSTROUTING   //flush all rules of POSTROUTING in the nat table

*PREROUTING-->FORWARD-->POSTROUTING*

(8) Start the VPN service:

/usr/local/sbin/openvpn  --config  /etc/server.conf &
When "Initialization Sequence Completed" appears, the service has started successfully.

Start at boot:
echo "/usr/local/sbin/openvpn --config /etc/server.conf" >> /etc/rc.local

(9) Verify the service:
[[email protected] ~]#  lsof -i:1194
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
openvpn 14577 root    5u  IPv4 808662      0t0  TCP *:openvpn (LISTEN)

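Server-side configuration is complete!

4. Installing the OpenVPN client:

(1) Download OpenVPN GUI for Windows (in this lab: openvpn-2.0.9-gui-1.0.3-install.exe)

(2) Run the openvpn-2.0.9-gui-1.0.3-install.exe installer (the same as installing any other software), accepting the defaults until installation completes

(3) Copy ca.crt, client1.crt and client1.key to C:\Program Files\OpenVPN\config # Each user uses a different certificate (generated during the server installation; see the server setup section). Each certificate consists of a .crt and a .key file, e.g. client2.crt and client2.key

(4) Once it is running correctly, the OpenVPN icon appears in the lower-right corner of the screen; in the figure below, the second icon from the left is the OpenVPN connection icon. Right-click it and choose Edit Config to modify the client configuration file; look through the file contents yourself.

(5) The main changes are to OpenVPN\config\*.ovpn in the Windows installation directory: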

client             # marks this as a client configuration file
dev tun            # same as on the server
remote 10.10.2.192 1194    # change this IP to the OpenVPN server's IP address
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client2.crt"
key "C:\\Program Files\\OpenVPN\\config\\client2.key"

comp-lzo            # enable LZO compression

The full client.ovpn:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 10.10.2.192 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client1.crt"
key "C:\\Program Files\\OpenVPN\\config\\client1.key"

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

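(6) Finally, connect the VPN client. A virtual network adapter is created automatically; once the VPN client connects, the virtual adapter connects too and obtains a 10.172.200.X IP address, and the VPN client icon turns green.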
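
The server.conf and client.ovpn built in this guide run with 1024-bit DH parameters, comp-lzo, no tls-auth key, the client's ns-cert-type check commented out, and a server that never drops root. The audit script below is an added example, not part of the original guide or of OpenVPN; the finding codes and the two sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): flag risky settings in an
# OpenVPN config such as the server.conf / client.ovpn shown above.

# has_directive FILE NAME: true if NAME is an active (uncommented) directive.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_openvpn_conf FILE: print one finding code per line (nothing if clean).
audit_openvpn_conf() {
    conf=$1
    # easy-rsa 2.0 names the DH file dh<KEY_SIZE>.pem, so the size is in the path.
    if grep -Eq '^[[:space:]]*dh[[:space:]].*dh(512|768|1024)\.pem' "$conf"; then
        echo "WEAK_DH"                # DH parameters of 1024 bits or less
    fi
    if has_directive "$conf" comp-lzo; then
        echo "COMPRESSION"            # packet sizes can leak plaintext content
    fi
    if ! has_directive "$conf" tls-auth; then
        echo "NO_TLS_AUTH"            # no HMAC key on control-channel packets
    fi
    # remote-cert-tls is the replacement for ns-cert-type in OpenVPN 2.1+.
    if has_directive "$conf" client &&
       ! has_directive "$conf" ns-cert-type &&
       ! has_directive "$conf" remote-cert-tls; then
        echo "NO_SERVER_CERT_CHECK"   # any cert from this CA can pose as server
    fi
    if has_directive "$conf" server && ! has_directive "$conf" user; then
        echo "NO_PRIV_DROP"           # daemon keeps running as root
    fi
    return 0
}

# Constructed samples mirroring the active lines of the two configs above.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/server.conf" <<'EOF'
proto tcp
dev tun
dh /root/download/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem
server 10.172.200.0 255.255.255.0
comp-lzo
persist-key
EOF
cat > "$SAMPLES/client.ovpn" <<'EOF'
client
dev tun
remote 10.10.2.192 1194
;ns-cert-type server
;tls-auth ta.key 1
comp-lzo
EOF

for f in "$SAMPLES/server.conf" "$SAMPLES/client.ovpn"; do
    echo "== $f"
    audit_openvpn_conf "$f"
done
```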


