Question about installing OpenVPN on MS-Windows

火星人 @ 2014-03-04 , reply:0

I installed OpenVPN on Windows following material I found online. It will not start now; please help me see why. Thanks!

System: MS-Windows XP SP2  VPN: openvpn-2.1_rc4-install.exe

I accepted the defaults throughout the installation. Install directory: C:\Program Files\OpenVPN

Installation steps:
1.  Modify vars.bat.sample in the easy-rsa directory. The modified parts are below:
...
set HOME=C:\Program Files\OpenVPN\easy-rsa
...
set KEY_COUNTRY=CN
set KEY_PROVINCE=GuangDong
set KEY_CITY=ShenZhen
set KEY_ORG=micc.com
set KEY_EMAIL=support@micc.com
...
2. Generate the keys. Run in DOS; the log is below:
C:\Program Files\OpenVPN\easy-rsa>init-config.bat

C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
已複製         1 個文件。

C:\Program Files\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
已複製         1 個文件。

C:\Program Files\OpenVPN\easy-rsa>vars.bat

C:\Program Files\OpenVPN\easy-rsa>clean-all.bat
系統找不到指定的文件。
已複製         1 個文件。
已複製         1 個文件。

C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...++++++
.....................++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server's hostname) []:Support RootCA
Email Address [support@micc.com]:

C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................+.......................+.............................+.......................................
...........+.........................+..............+................................+..............+........................
...................................................................................................................+.........

C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat Server-Support
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..........++++++
...............................................................++++++
writing new private key to 'keys\Server-Support.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server's hostname) []:Server-Support
Email Address [support@micc.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:micc
An optional company name []:Micc
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'ShenZhen'
organizationName      :PRINTABLE:'micc.com'
organizationalUnitName:PRINTABLE:'Support'
commonName            :PRINTABLE:'Server-Support'
emailAddress          :IA5STRING:'support@micc.com'
Certificate is to be certified until Nov 10 02:42:49 2017 GMT (3650 days)
Sign the certificate? :y


1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>build-key.bat Client-Support
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.......++++++
....++++++
writing new private key to 'keys\Client-Support.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server's hostname) []:Client-Support
Email Address [support@micc.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:micc-client
An optional company name []:Micc
Using configuration from openssl.cnf
Loading 'screen' into random state - done
DEBUG: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GuangDong'
localityName          :PRINTABLE:'ShenZhen'
organizationName      :PRINTABLE:'micc.com'
organizationalUnitName:PRINTABLE:'Support'
commonName            :PRINTABLE:'Client-Support'
emailAddress          :IA5STRING:'support@micc.com'
Certificate is to be certified until Nov 10 02:44:53 2017 GMT (3650 days)
Sign the certificate? :y


1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

3. Copy the server files to the C:\Program Files\OpenVPN\config\keys directory ( keys was created manually )
    ca.crt, dh1024.pem, Server-Support.crt, Server-Support.key
4. Add the file server.ovpn in the directory C:\Program Files\OpenVPN\config, with the following contents:
port 443
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
keepalive 20 180
ca "C:\\Program Files\\OpenVPN\\config\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\keys\\Server-Support.crt"
key "C:\\Program Files\\OpenVPN\\config\\keys\\Server-Support.key"
dh "C:\\Program Files\\OpenVPN\\config\\keys\\dh1024.pem"
push "redirect-gateway def1"
push "dhcp-option DNS 202.96.134.133"
mode server
tls-server
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
comp-lzo
verb 4

5. Start the service, Connect...
    Error shown:
...
Tue Nov 13 10:48:26 2007 us=951000 OpenVPN 2.1_rc4 Win32-MinGW built on Apr 25 2007
Tue Nov 13 10:48:27 2007 us=71000 Diffie-Hellman initialized with 1024 bit key
Tue Nov 13 10:48:27 2007 us=101000 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Nov 13 10:48:27 2007 us=101000 TCP/UDP: Socket bind failed on local address :443: Address already in use (WSAEADDRINUSE)
Tue Nov 13 10:48:27 2007 us=101000 Exiting

What went wrong here?
《Solution》

I changed server.ovpn, and now it starts:
port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\config\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\keys\\Server-CTMS-Support.crt"
key "C:\\Program Files\\OpenVPN\\config\\keys\\Server-CTMS-Support.key"
dh "C:\\Program Files\\OpenVPN\\config\\keys\\dh1024.pem"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.1 255.255.255.0"
push "dhcp-option WINS 192.168.0.1"
push "dhcp-option DNS 202.96.134.133"
push "dhcp-option DOMAIN acme.com.local"
keepalive 10 120
comp-lzo
max-clients 4
persist-key
persist-tun
status "C:\\Program Files\\OpenVPN\\log\\openvpn-status.log"
verb 3

The client configuration is:
client
proto udp
dev tun
remote 10.8.0.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\keys\\Client-CTMS-Support.crt"
key "C:\\Program Files\\OpenVPN\\config\\keys\\Client-CTMS-Support.key"
status "C:\\Program Files\\OpenVPN\\log\\openvpn-client-status.log"
comp-lzo
verb 3

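The client is installed in a virtual XP machine (VM) running on the server machine. Now it never manages to connect; connecting.... just keeps repeating.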
Wed Nov 14 15:38:22 2007 OpenVPN 2.1_rc4 Win32-MinGW built on Apr 25 2007
Wed Nov 14 15:38:22 2007 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Nov 14 15:38:23 2007 LZO compression initialized
Wed Nov 14 15:38:23 2007 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Nov 14 15:38:23 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov 14 15:38:23 2007 Local Options hash (VER=V4): '41690919'
Wed Nov 14 15:38:23 2007 Expected Remote Options hash (VER=V4): '530fdded'
Wed Nov 14 15:38:23 2007 Socket Buffers: R= S=
Wed Nov 14 15:38:23 2007 UDPv4 link local:
Wed Nov 14 15:38:23 2007 UDPv4 link remote: 10.8.0.1:1194
Wed Nov 14 15:39:23 2007 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Nov 14 15:39:23 2007 TLS Error: TLS handshake failed
Wed Nov 14 15:39:23 2007 TCP/UDP: Closing socket
Wed Nov 14 15:39:23 2007 SIGUSR1 received, process restarting
Wed Nov 14 15:39:23 2007 Restart pause, 2 second(s)
......

[ Last edited by lidexiang on 2007-11-14 15:51 ]
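
Added example, not part of the original thread: a small Python check of a client config against its server config, run on abridged copies of the two configs posted above. It flags a remote address that lies inside the server's tunnel subnet (such an address exists only once the tunnel is up) and the missing server-certificate check behind the WARNING line in the client log. The finding names, the placeholder address 192.0.2.10 and the use of ns-cert-type server in the corrected sample (which assumes the server certificate was issued as a server certificate) are assumptions of this example.

```python
import ipaddress
import re

# Any one of these makes the client verify it is talking to a server certificate.
VERIFY = {"ns-cert-type", "remote-cert-tls", "remote-cert-eku",
          "tls-remote", "verify-x509-name", "tls-verify"}

def parse(conf):
    """OpenVPN config text -> {directive: [args of its first occurrence]}."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        out.setdefault(toks[0], toks[1:])
    return out

def lint_client(client_conf, server_conf):
    """Return finding codes for a client config checked against its server config."""
    c, s = parse(client_conf), parse(server_conf)
    findings = []
    remote, pool = c.get("remote", []), s.get("server", [])
    if remote and len(pool) >= 2:
        net = ipaddress.ip_network(f"{pool[0]}/{pool[1]}")
        try:
            # An address from the VPN pool only exists once the tunnel is up,
            # so it cannot be the endpoint the client dials to build the tunnel.
            if ipaddress.ip_address(remote[0]) in net:
                findings.append("remote-inside-tunnel-subnet")
        except ValueError:
            pass                                  # hostname: not checkable offline
    if len(remote) >= 2 and remote[1] != s.get("port", ["1194"])[0]:
        findings.append("port-mismatch")
    base = lambda p: p.get("proto", ["udp"])[0].split("-")[0]   # tcp-server -> tcp
    if base(c) != base(s):
        findings.append("proto-mismatch")
    if not VERIFY & c.keys():
        findings.append("no-server-cert-verification")
    return findings

# Abridged from the configs posted above; 192.0.2.10 is a placeholder address.
SERVER = "port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n"
CLIENT_POSTED = "client\nproto udp\ndev tun\nremote 10.8.0.1 1194\nnobind\n"
CLIENT_FIXED = ("client\nproto udp\ndev tun\nremote 192.0.2.10 1194\nnobind\n"
                "ns-cert-type server\n")

if __name__ == "__main__":
    print(lint_client(CLIENT_POSTED, SERVER))
    print(lint_client(CLIENT_FIXED, SERVER))
```
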
《Solution》

Originally posted by lidexiang on 2007-11-13 11:33
Wed Nov 14 15:39:23 2007 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Nov 14 15:39:23 2007 TLS Error: TLS handshake failed

The problem seems to be with the certificates; check the certificates again.
《Solution》

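Following your CLIENT config I cannot connect either. Does the OpenVPN adapter need to be bridged with the local network adapter on the server?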

http://coctec.com/docs/service/show-post-32391.html