Published May 18, 2024 (author: 茹雪莲)
How to Configure an OpenVPN Server on RouterOS
I. Making the OpenVPN certificates
1.
1.1 Download and install OpenVPN
Install OpenVPN
OpenVPN installation complete.
After installation a new virtual network adapter appears.
2. Making the certificates
2.1 Modify the following part of D:
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=FortFunston
set KEY_EMAIL=****************
Change these to suit your own situation, for example:
set KEY_COUNTRY=CN
set KEY_PROVINCE=Home911
set KEY_CITY=ChangChun
set KEY_ORG=QCC
set KEY_EMAIL=*********************
(Note: edit the file with WordPad.)
2.2 OpenVPN security modes:
OpenVPN has two security modes.
One is SSL/TLS, based on RSA certificates and keys.
The other uses a pre-shared static key.
This article uses SSL/TLS mode.
The advantage of TLS mode is that it is secure and makes user management easy.
By default a certificate maps to exactly one user; if several users connect with the same certificate, they get kicked off.
2.3 Making the certificates:
Start --> Run... --> type cmd and press Enter to open a command prompt --> change to the D:\OpenVPN\easy-rsa directory
D:\OpenVPN\easy-rsa>
Run the following commands:
init-config
D:\OpenVPN\easy-rsa>init-config <Enter>
D:\OpenVPN\easy-rsa>copy
已复制 1 个文件。
D:\OpenVPN\easy-rsa>copy
已复制 1 个文件。
vars
D:\OpenVPN\easy-rsa>vars <Enter>
clean-all
D:\OpenVPN\easy-rsa>clean-all <Enter>
系统找不到指定的文件。
已复制 1 个文件。
已复制 1 个文件。
vars
D:\OpenVPN\easy-rsa>vars <Enter>
build-ca
D:\OpenVPN\easy-rsa>build-ca <Enter> # generate the root CA certificate
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
............++++++
...++++++
writing new private key to ''
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <Enter>
State or Province Name (full name) [Office911]: <Enter>
Locality Name (eg, city) [ChangChun]: <Enter>
Organization Name (eg, company) [QCQ]: <Enter>
Organizational Unit Name (eg, section) []:QCLZ <Enter>
Common Name (eg, your name or your server's hostname) []:OVPN_IN One <Enter>
EmailAddress[*********************]:
vars
D:\OpenVPN\easy-rsa>vars <Enter>
build-dh
D:\OpenVPN\easy-rsa>build-dh <Enter> # this step is slow, expect about half a minute
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............+...................................+........+...................
.......+...+......................+.........+...................................
...................................................+............................
......................+.........................................................
.......+......................++*++*++*
vars
D:\OpenVPN\easy-rsa>vars <Enter>
build-key-server server
D:\OpenVPN\easy-rsa>build-key-server server <Enter> # generate the server-side key
"server" is the file name used for the server-side files
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......................++++++
..................................................................++++++
writing new private key to ''
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Office911]:
Locality Name (eg, city) [ChangChun]:
Organization Name (eg, company) [QCQ]:
Organizational Unit Name (eg, section) []:QCLZ
Common Name (eg, your name or your server's hostname) []:OVPN_IN One
EmailAddress[*********************]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1124
An optional company name []:
Using configuration from
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Office911'
localityName :PRINTABLE:'ChangChun'
organizationName :PRINTABLE:'QCQ'
organizationalUnitName:PRINTABLE:'QCLZ'
commonName :T61STRING:'OVPN_IN One'
emailAddress:IA5STRING:'*********************'
Certificate is to be certified until Nov 24 07:43:44 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
vars
D:\OpenVPN\easy-rsa>vars <Enter>
build-key client
D:\OpenVPN\easy-rsa>build-key client <Enter> # generate the client-side key
"client" is the file name used for the client-side files
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.............++++++
....++++++
writing new private key to ''
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Hubei]:
Locality Name (eg, city) [Wuhan]:
Organization Name (eg, company) [51NB]:
Organizational Unit Name (eg, section) []:CMWAP
Common Name (eg, your name or your server's hostname) []:client
EmailAddress[****************]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxx # same as above
An optional company name []:
Using configuration from
Loading 'screen' into random state - done
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'Hubei'
localityName :PRINTABLE:'Wuhan'
organizationName :PRINTABLE:'51NB'
organizationalUnitName:PRINTABLE:'CMWAP'
commonName :PRINTABLE:'client'
emailAddress:IA5STRING:'****************'
Certificate is to be certified until Feb 1 05:31:40 2016 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The generated certificates are under D:\OpenVPN\easy-rsa\keys
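As an added example (not from the original article), here is the same certificate workflow done with plain openssl instead of the easy-rsa batch scripts, so it can be reproduced on any machine with openssl installed, and it ends by checking that the CA really signed each certificate and that the server certificate is marked as a server certificate. The DN fields are taken from the article; the key size (2048 bits, because 1024-bit RSA as shown in the transcript above is no longer considered adequate), the file names ca.crt/server.crt/client.crt and the extendedKeyUsage extensions are my assumptions. RouterOS does not need the DH file, so make_dh is kept separate and optional.

```shell
#!/bin/sh
# Added example, not the article's own code: build-ca / build-key-server /
# build-key / build-dh with plain openssl, then verify what was produced.
# Assumes openssl is in PATH; DN values follow the article, key size is my choice.
set -eu

DN_BASE="/C=CN/ST=Office911/L=ChangChun/O=QCQ/OU=QCLZ"   # same fields as the article's vars
KEY_BITS=2048                                           # article used 1024; too small today
DAYS=3650                                               # easy-rsa's default validity

# make_ca DIR : self-signed root CA (the equivalent of build-ca)
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey "rsa:$KEY_BITS" -nodes -sha256 -days "$DAYS" \
        -subj "$DN_BASE/CN=OVPN_IN One" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_cert DIR NAME ROLE : key + CSR + CA-signed certificate; ROLE is server or client.
# The extendedKeyUsage is what lets a client tell a real server certificate apart
# from another client certificate signed by the same CA.
make_cert() {
    dir=$1; name=$2; role=$3
    case $role in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes -sha256 \
        -subj "$DN_BASE/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$eku" \
        > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$DAYS" -sha256 -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# make_dh DIR : Diffie-Hellman parameters (the equivalent of build-dh); slow,
# and not needed when RouterOS is the server, so it is not part of build_all.
make_dh() {
    openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null
}

# verify_chain DIR NAME : exit 0 only if ca.crt vouches for NAME.crt
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_eku DIR NAME : print the extended key usage of NAME.crt in openssl's wording
cert_eku() {
    openssl x509 -in "$1/$2.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# build_all DIR : CA, server and client certificates, as the article's three build-* steps
build_all() {
    make_ca "$1"
    make_cert "$1" server server
    make_cert "$1" client client
}
```

Running `build_all keys` produces ca.crt, server.crt/server.key and client.crt/client.key. The CA and server files are what the RouterOS side needs in section II; the client files plus ca.crt go to the Windows client in section III. `verify_chain keys server` is the check worth running before importing anything: if it fails, the server will present a certificate the client cannot validate.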
II. Configuring the OpenVPN Server on RouterOS
1. Set up the OpenVPN IP address pool
2. Create the profile
Note: for DNS, enter your local DNS server (mine is Jilin Unicom's).
3. Create the account
4. Import the certificates
Copy  over.
In 
5. Create the certificate the OpenVPN Server will use
6. Configure the OpenVPN Server
III. Editing the Windows client configuration file
1. Copy the client certificates into the config folder
2. Create the configuration file
Create a new text file in the Config folder.
Copy and paste the following red text into the new text file.
client
dev tun
proto tcp
remote 192.168.30.1 8080
tls-client
ca
keepalive 10 120
cipher AES-256-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
route-method exe
route-delay 2
;route add 0.0.0.0 mask 0.0.0.0 192.168.222.1 metric 1
;script-security 2 system
All done.
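An added example, not part of the original article: a small POSIX shell lint for a client configuration like the one above. It strips comment lines (';' and '#') and then checks the directives that decide whether the client actually verifies who it is talking to. The article's config is embedded as constructed sample input (note that its `ca` line carries no file name and that `remote-cert-tls server` is absent), next to a hardened variant; the file name ca.crt is an assumption. `remote-cert-tls server` only works when the server certificate carries the serverAuth extended key usage, which is what distinguishes it from a client certificate issued by the same CA.

```shell
#!/bin/sh
# Added example, not the article's own code: lint an OpenVPN client config.
set -eu

# active_lines FILE : the config without comment (';' or '#') and blank lines
active_lines() {
    grep -v -E '^[[:space:]]*([;#]|$)' "$1" || true
}

# has_directive FILE NAME [ARG] : does an active line start with NAME (and ARG)?
has_directive() {
    if [ "$#" -ge 3 ]; then
        active_lines "$1" | grep -q -E "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)"
    else
        active_lines "$1" | grep -q -E "^[[:space:]]*$2([[:space:]]|$)"
    fi
}

# check_ovpn FILE : print one line per finding; return the number of errors (0 = clean)
check_ovpn() {
    f=$1; errors=0
    has_directive "$f" client || { echo "ERROR: missing 'client'"; errors=$((errors+1)); }
    # 'ca' must name a file, otherwise there is nothing to validate the server against
    if ! active_lines "$f" | grep -q -E '^[[:space:]]*ca[[:space:]]+[^[:space:]]+'; then
        echo "ERROR: 'ca' has no certificate file"; errors=$((errors+1))
    fi
    # without this, any certificate from the same CA is accepted as the server
    has_directive "$f" remote-cert-tls server \
        || { echo "ERROR: missing 'remote-cert-tls server'"; errors=$((errors+1)); }
    has_directive "$f" auth-user-pass \
        || echo "INFO: no 'auth-user-pass'; the RouterOS account will not be checked"
    if has_directive "$f" cipher none || has_directive "$f" auth none; then
        echo "ERROR: cipher/auth 'none' disables encryption or integrity"; errors=$((errors+1))
    fi
    if has_directive "$f" auth SHA1; then
        echo "INFO: 'auth SHA1' works, but prefer SHA256 when the server supports it"
    fi
    # script-security 2 or 3 lets the config run external programs; keep it commented unless needed
    if active_lines "$f" | grep -q -E '^[[:space:]]*script-security[[:space:]]+[23]'; then
        echo "WARN: 'script-security' is active"
    fi
    return "$errors"
}

# Constructed sample input: the article's config as shown above
write_article_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote 192.168.30.1 8080
tls-client
ca
keepalive 10 120
cipher AES-256-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
;script-security 2 system
EOF
}

# Constructed sample input: the same config with the two findings fixed
write_hardened_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp
remote 192.168.30.1 8080
ca ca.crt
remote-cert-tls server
keepalive 10 120
cipher AES-256-CBC
auth SHA256
auth-user-pass
redirect-gateway def1
verb 3
EOF
}
```

Run `check_ovpn client.ovpn` against the file created in step 2; on the article's config it reports two errors (the empty `ca` line and the missing `remote-cert-tls server`) and exits with status 2, and on the hardened variant it exits with 0.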