First, download the latest OpenVPN.
cd/d C:\Program Files\OpenVPN\easy-rsa
init-config.bat
Then edit vars.bat:
@echo off
set HOME=%~dp0
set KEY_CONFIG=openssl-1.0.0.cnf
set KEY_DIR=keys
set KEY_SIZE=2048
set KEY_COUNTRY=CN
set KEY_PROVINCE=BJ
set KEY_CITY=Ouroboros
set KEY_ORG=Ouroboros
set KEY_EMAIL=Ouroboros@Ouroboros.com
set KEY_CN=Ouroboros
set KEY_NAME=Ouroboros
set KEY_OU=Ouroboros
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234
Run vars.bat to initialise the variables, then run clean-all.bat to initialise the keys directory:
C:\Program Files\OpenVPN\easy-rsa>vars.bat
C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
The system cannot find the file specified.
1 file(s) copied.
1 file(s) copied.
C:\Program Files\OpenVPN\easy-rsa>
build-ca.bat
C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
WARNING: can't open config file: /etc/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............................+++
.....................................................................................+++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Ouroboros]:
Organization Name (eg, company) [Ouroboros]:
Organizational Unit Name (eg, section) [Ouroboros]:
Common Name (eg, your name or your server's hostname) [Ouroboros]:
Name [Ouroboros]:
Email Address [Ouroboros@Ouroboros.com]:
C:\Program Files\OpenVPN\easy-rsa>
build-key-server.bat server
C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server
WARNING: can't open config file: /etc/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
......................+++
........+++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Ouroboros]:
Organization Name (eg, company) [Ouroboros]:
Organizational Unit Name (eg, section) [Ouroboros]:
Common Name (eg, your name or your server's hostname) [Ouroboros]:server
Name [Ouroboros]:
Email Address [Ouroboros@Ouroboros.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Ouroboros'
organizationName :PRINTABLE:'Ouroboros'
organizationalUnitName:PRINTABLE:'Ouroboros'
commonName :PRINTABLE:'server'
name :PRINTABLE:'Ouroboros'
emailAddress :IA5STRING:'Ouroboros@Ouroboros.com'
Certificate is to be certified until Oct 20 20:20:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
build-key.bat client_someone
C:\Program Files\OpenVPN\easy-rsa>build-key.bat client_someone
WARNING: can't open config file: /etc/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.........................................................................+++
...........................................................+++
writing new private key to 'keys\client_someone.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Ouroboros]:
Organization Name (eg, company) [Ouroboros]:
Organizational Unit Name (eg, section) [Ouroboros]:
Common Name (eg, your name or your server's hostname) [Ouroboros]:client_someone
Name [Ouroboros]:
Email Address [Ouroboros@Ouroboros.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'Ouroboros'
organizationName :PRINTABLE:'Ouroboros'
organizationalUnitName:PRINTABLE:'Ouroboros'
commonName :T61STRING:'client_someone'
name :PRINTABLE:'Ouroboros'
emailAddress :IA5STRING:'Ouroboros@Ouroboros.com'
Certificate is to be certified until Oct 20 20:22:03 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
C:\Program Files\OpenVPN\easy-rsa>
build-dh.bat
C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
WARNING: can't open config file: /etc/ssl/openssl.cnf
Loading 'screen' into random state - done
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................................................
....+........+.....+............................+.................+.......
....+.......+......+.........+............................................
.
.
....................................................................++*++*
C:\Program Files\OpenVPN\easy-rsa>
Now look in the keys directory; it contains these files:
01.pem
02.pem
ca.crt
ca.key
client_someone.crt
client_someone.csr
client_someone.key
dh2048.pem
index.txt
index.txt.attr
serial
server.crt
server.csr
server.key
Of these, the following go into openvpn\config on the server:
ca.key
ca.crt
server.crt
server.key
These go into openvpn\config on the client:
ca.crt
client_someone.crt
client_someone.key
Next, write server.ovpn and client.ovpn. First, server.ovpn:
port 2333
proto tcp
dev tap
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
push "redirect-gateway def1"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
Next, client.ovpn:
client
dev tap
proto tcp
remote OPEN_VPN_SERVER_IP 2333
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client_someone.crt
key client_someone.key
remote-cert-tls server
comp-lzo
verb 3
Put each of these two .ovpn files into the corresponding openvpn\config directory.
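The check below is an added example, not part of the original post: it parses the directives of server.ovpn and client.ovpn above, compares the files each config references with the files the post copies to each side, and confirms the settings both ends must share. The function names and the reduced config strings (only the directives being checked) are assumptions made for the example.

```python
# Added example (not from the original post): cross-check the two .ovpn files
# and the copy lists above. Only directives relevant to the checks are embedded.
SERVER_OVPN = ("port 2333\nproto tcp\ndev tap\nca ca.crt\ncert server.crt\n"
               "key server.key\ndh dh2048.pem\ncomp-lzo\n")
CLIENT_OVPN = ("client\ndev tap\nproto tcp\nremote OPEN_VPN_SERVER_IP 2333\n"
               "ca ca.crt\ncert client_someone.crt\nkey client_someone.key\n"
               "remote-cert-tls server\ncomp-lzo\n")
# Files the post says to copy into openvpn\config on each side.
SERVER_FILES = {"ca.key", "ca.crt", "server.crt", "server.key"}
CLIENT_FILES = {"ca.crt", "client_someone.crt", "client_someone.key"}

FILE_DIRECTIVES = ("ca", "cert", "key", "dh")
DEFAULT_PORT = "1194"  # OpenVPN's default when no port is given


def parse(text):
    """Return {directive: [args]}; '#' and ';' comments are skipped, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            conf[name] = args
    return conf


def audit_files(conf, copied):
    """Return (referenced but not copied, private keys copied but not referenced)."""
    needed = {conf[d][0] for d in FILE_DIRECTIVES if conf.get(d)}
    unused_keys = sorted(f for f in copied - needed if f.endswith(".key"))
    return sorted(needed - copied), unused_keys


def mismatches(server, client):
    """Directives that must agree on both ends (assumes identical proto spelling)."""
    bad = [d for d in ("proto", "dev", "comp-lzo") if server.get(d) != client.get(d)]
    remote = client.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else DEFAULT_PORT
    if server.get("port", [DEFAULT_PORT])[0] != client_port:
        bad.append("port")
    return bad


if __name__ == "__main__":
    srv, cli = parse(SERVER_OVPN), parse(CLIENT_OVPN)
    print("server (missing, unused keys):", audit_files(srv, SERVER_FILES))
    print("client (missing, unused keys):", audit_files(cli, CLIENT_FILES))
    print("mismatched directives:", mismatches(srv, cli))
    print("client checks server cert usage:", cli.get("remote-cert-tls") == ["server"])
```

On the post's inputs it reports dh2048.pem as referenced by server.ovpn but absent from the server copy list, and ca.key as copied to the server although no directive uses it. The CA private key is only needed on the machine where certificates are signed.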
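Finally, the server needs some additional configuration:
- Start the Routing and Remote Access service, preferably set to start automatically.
- Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a DWORD named IPEnableRouter and set it to 1.
- Finally, enable connection sharing on the network adapter that connects to the Internet. Pay attention to the name of the TAP adapter; it is best not to have Chinese characters in it, as shown in the figure below.

After completing these settings, reboot.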