After the OpenVPN server side has been deployed, the clients need to be configured. Below, the installation and configuration of a Windows client and a Linux client are covered in turn.
1. Windows client
1) Install the OpenVPN GUI for Windows client
The OpenVPN client on Windows is called OpenVPN GUI for Windows; this package must be installed before you can connect to the VPN, so I first downloaded and installed it. The official site is blocked, so you need a way around the block to download it. There is nothing special about the installation: just click Next until it finishes. (One addition: my laptop runs Windows 7 64-bit, and openvpn-2.0.9-gui-1.0.3-install.exe downloaded from the official site kept reporting "All TAP-Win32 adapters on this system are currently in use." after installation, so I downloaded openvpn-2.1.1-gui-1.0.3-install-cn.exe instead, and that client installed normally. Probably the older version does not support systems newer than Windows XP very well. Many people are already using OpenVPN 2.3 and newer, so this does not matter much; I will test newer OpenVPN versions later.)
For this error, see: http://blog.csdn.net/acuna1/article/details/8740816
2) Prepare the client certificate files
Download ca.crt, tom.crt, tom.key and the other files from the OpenVPN server, then create a folder named tom under the OpenVPN GUI for Windows installation directory C:\Program Files (x86)\OpenVPN\config\ and put the three files above into the tom folder. (tom is used as the example here; it can be any other name. For example, for the user jerry, create a jerry folder and put jerry's certificate files into it.)
3) The OpenVPN source tree contains a sample client configuration file at /sample-config-files/client.conf, so download /opt/tools/openvpn-2.0.9/sample-config-files/client.conf into the tom folder, rename it tom.ovpn, open it with Notepad or Notepad++, and edit its contents. This is my configuration:
client
dev tun
proto tcp
remote 192.168.100.120 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert tom.crt
key tom.key
comp-lzo
verb 3
4) Open OpenVPN GUI. An OpenVPN icon appears in the bottom-right corner of the Windows taskbar; right-click it and choose "Connect". If all of the settings above are correct, the connection succeeds and an IP address in the 10.8.0.0 range is assigned.
OK, connected. It took some effort to reach this screen, and I am honestly a little excited.
Well, seeing this is a bit discouraging, isn't it? Never mind; every problem gets solved in the end, it is only a matter of time. I will not deal with this problem here, though: first the Linux client, and then how to fix it.
2. Linux client
This is the Linux client's network configuration: one NIC on VMnet8 with the IP address 192.168.100.170 (192.168.100.120 is, after all, not a public IP, and only the laptop has the 192.168.100.1 address, so the VM's bridged network cannot be used for the Linux client's NIC).
It can still ping 192.168.100.120, but it cannot ping 172.16.100.120, let alone 172.16.100.128.
1) Install openvpn
Installing openvpn on the Linux client is the same as on the server side, so it is not described again here; just follow the server-side installation steps.
2) As with the Windows client, the client certificate files must be placed in openvpn's configuration directory. We can zip the folder used on Windows (e.g. tom) and upload it to the Linux client.
mkdir -p /etc/openvpn
cd /etc/openvpn
rz -y    # upload tom.zip
unzip tom.zip
mv tom/* .
rm -rf tom.zip tom
[[email protected] openvpn]# ll
total 16
-rw-r--r--. 1 root root 1298 Sep 3 15:53 ca.crt
-rw-r--r--. 1 root root 3838 Sep 3 15:45 tom.crt
-rw-r--r--. 1 root root  916 Sep 3 15:45 tom.key
-rw-r--r--. 1 root root  157 Sep 3 15:55 tom.ovpn
mv tom.ovpn client.conf
3) Start the VPN service
/usr/local/sbin/openvpn --config /etc/openvpn/client.conf &
[[email protected] openvpn]# /usr/local/sbin/openvpn --config /etc/openvpn/client.conf &
[1] 33934
[[email protected] openvpn]# Sun Sep 4 00:20:59 2016 OpenVPN 2.0.9 x86_64-unknown-linux [SSL] [LZO] [EPOLL] built on Sep 4 2016
Sun Sep 4 00:20:59 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Sep 4 00:20:59 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 4 00:20:59 2016 WARNING: file 'tom.key' is group or others accessible
Sun Sep 4 00:20:59 2016 LZO compression initialized
Sun Sep 4 00:20:59 2016 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Sep 4 00:20:59 2016 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Sep 4 00:20:59 2016 Local Options hash (VER=V4): '69109d17'
Sun Sep 4 00:20:59 2016 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sun Sep 4 00:20:59 2016 Attempting to establish TCP connection with 192.168.100.120:1194
Sun Sep 4 00:20:59 2016 TCP connection established with 192.168.100.120:1194
Sun Sep 4 00:20:59 2016 TCPv4_CLIENT link local: [undef]
Sun Sep 4 00:20:59 2016 TCPv4_CLIENT link remote: 192.168.100.120:1194
Sun Sep 4 00:20:59 2016 TLS: Initial packet from 192.168.100.120:1194, sid=0d5aad96 c9343750
Sun Sep 4 00:20:59 2016 VERIFY OK: depth=1, /C=CN/ST=GD/L=Shenzhen/O=contoso.com/OU=Tech/CN=contoso.com_CA/[email protected]
Sun Sep 4 00:20:59 2016 VERIFY OK: depth=0, /C=CN/ST=GD/L=Shenzhen/O=contoso.com/OU=Tech/CN=server/[email protected]
Sun Sep 4 00:21:00 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 4 00:21:00 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 4 00:21:00 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 4 00:21:00 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 4 00:21:00 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Sep 4 00:21:00 2016 [server] Peer Connection Initiated with 192.168.100.120:1194
Sun Sep 4 00:21:01 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Sep 4 00:21:01 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Sep 4 00:21:01 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 4 00:21:01 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 4 00:21:01 2016 OPTIONS IMPORT: route options modified
Sun Sep 4 00:21:01 2016 TUN/TAP device tun0 opened
Sun Sep 4 00:21:01 2016 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Sun Sep 4 00:21:01 2016 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Sun Sep 4 00:21:01 2016 Initialization Sequence Completed
Sun Sep 4 00:21:05 2016 Connection reset, restarting [0]
Sun Sep 4 00:21:05 2016 TCP/UDP: Closing socket
Sun Sep 4 00:21:05 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Sep 4 00:21:05 2016 Restart pause, 5 second(s)
Sun Sep 4 00:21:10 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Sep 4 00:21:10 2016 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 4 00:21:10 2016 Re-using SSL/TLS context
Sun Sep 4 00:21:10 2016 LZO compression initialized
Sun Sep 4 00:21:10 2016 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Sep 4 00:21:10 2016 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Sep 4 00:21:10 2016 Local Options hash (VER=V4): '69109d17'
Sun Sep 4 00:21:10 2016 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sun Sep 4 00:21:10 2016 Attempting to establish TCP connection with 192.168.100.120:1194
Sun Sep 4 00:21:10 2016 TCP connection established with 192.168.100.120:1194
Sun Sep 4 00:21:10 2016 TCPv4_CLIENT link local: [undef]
Sun Sep 4 00:21:10 2016 TCPv4_CLIENT link remote: 192.168.100.120:1194
Sun Sep 4 00:21:10 2016 TLS: Initial packet from 192.168.100.120:1194, sid=e2d8d4a8 e40aea31
Sun Sep 4 00:21:10 2016 VERIFY OK: depth=1, /C=CN/ST=GD/L=Shenzhen/O=contoso.com/OU=Tech/CN=contoso.com_CA/[email protected]
Sun Sep 4 00:21:10 2016 VERIFY OK: depth=0, /C=CN/ST=GD/L=Shenzhen/O=contoso.com/OU=Tech/CN=server/[email protected]
Sun Sep 4 00:21:10 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 4 00:21:10 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 4 00:21:10 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 4 00:21:10 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 4 00:21:10 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Sep 4 00:21:10 2016 [server] Peer Connection Initiated with 192.168.100.120:1194
Sun Sep 4 00:21:12 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Sep 4 00:21:12 2016 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Sep 4 00:21:12 2016 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 4 00:21:12 2016 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 4 00:21:12 2016 OPTIONS IMPORT: route options modified
Sun Sep 4 00:21:12 2016 Preserving previous TUN/TAP instance: tun0
Sun Sep 4 00:21:12 2016 Initialization Sequence Completed
Good: seeing "Initialization Sequence Completed" basically means the connection succeeded. Running ifconfig on the Linux client now shows an additional tun0 interface with the IP address 10.8.0.6, which means the Linux client has connected to OpenVPN successfully, and ping reaches the OpenVPN server's VPN interface address 10.8.0.1.
Checking the log on the OpenVPN server again shows a record of the client with IP address 192.168.100.170 connecting to OpenVPN successfully. This completes the Linux client setup.
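The log above also prints two warnings that are easy to miss once "Initialization Sequence Completed" appears: no server certificate verification method is enabled (so any certificate signed by the same CA, another client's included, would be accepted as the server), and tom.key is readable by group/others. The following POSIX shell linter is an added example, not code from the original post; it checks a client configuration like tom.ovpn or client.conf for both problems. It assumes the ca/cert/key paths are relative to the configuration file, as above, and that the OpenVPN directive is remote-cert-tls server (2.1 and later) or ns-cert-type server (2.0.x); check_client_conf is a name chosen for this example.

```shell
#!/bin/sh
# Added example: lint an OpenVPN client config for the two warnings seen in
# the connection log (no server cert verification, key readable by others).
# Assumes GNU stat (-c %a) or BSD stat (-f %Lp); paths relative to the config.

# check_client_conf CONFIG_FILE
#   prints one line per finding; returns 0 if clean, 1 otherwise
check_client_conf() {
    conf="$1"
    dir=$(dirname "$conf")
    rc=0

    # 1. Server certificate verification. Without one of these directives the
    #    client only checks that the server cert chains to the CA, which is
    #    what the "howto.html#mitm" warning in the log refers to.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$conf"; then
        echo "MISSING: add 'remote-cert-tls server' (or 'ns-cert-type server' on 2.0.x) to $conf"
        rc=1
    fi

    # 2. Referenced files must exist, and the private key must be owner-only
    #    (the "is group or others accessible" warning).
    for directive in ca cert key; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "MISSING: no '$directive' directive in $conf"; rc=1; continue
        fi
        path="$dir/$file"
        if [ ! -f "$path" ]; then
            echo "MISSING: $directive file $path does not exist"; rc=1; continue
        fi
        if [ "$directive" = key ]; then
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case "$mode" in
                600|400) ;;   # owner-only: fine
                *) echo "PERMS: $path is mode $mode; run: chmod 600 $path"; rc=1 ;;
            esac
        fi
    done
    return $rc
}
```

Run it as `check_client_conf /etc/openvpn/client.conf` before starting openvpn; a clean run prints nothing and exits 0.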