
@iaoedsz2008
Last active June 22, 2022 15:53
Windows搭建OpenVPN服务器

Windows搭建OpenVPN服务器

安装OpenVPN

https://openvpn.net/community-downloads/

安装MSYS2

安装MSYS2是为了使用make命令运行Makefile脚本

https://github.com/msys2/msys2-installer/releases/latest

然后打开MSYS2命令行运行以下命令安装依赖包

pacman -S make curl

获取Makefile文件

在MSYS2窗口中运行以下命令

curl -O https://gist.githubusercontent.com/0x7cc/45c6ac6f8996d75161d7dfa7074e80d6/raw/c41d9bfd9407750eb3439f7457d8b3ec1870c48d/Makefile

创建配置文件

在MSYS2窗口中运行以下命令

OVPN=<openvpn.exe的完整路径> PUBIP=<服务器公网IP> make

若你的OpenVPN为全程默认安装,可以执行如下命令(记得改IP)

OVPN='/c/Program\ Files/OpenVPN/bin/openvpn.exe' PUBIP=1.2.3.4 make

此时不出意外的话，所需要的配置文件都已经生成好了。文件保存在 C:\msys64\home 下的用户名文件夹中；其中 dh2048.pem、root.crt、svc.crt、svc.pem、svc.ovpn、tlsauth.pem 为服务端使用的文件，其他的 *.ovpn 为客户端使用的配置，密钥信息已内联其中，不需要其他文件。

开启服务

将svc.ovpn拷贝到C:\Users\用户名\OpenVPN\config目录下

OpenVPN右下角图标正常连接即可

允许客户端访问互联网

openvpn中的客户端默认是只能访问局域网的,若想访问互联网需进行以下操作

  1. 打开注册表,将此值设置为1 step 1

  2. 重启服务器

  3. 更改适配器选项修改: step 2

  4. 客户端连接,此时就可以以服务器的IP访问互联网

# Path of openvpn.exe; only used by the tlsauth.pem rule to generate the tls-auth key.
# Override on the command line, e.g. OVPN='/c/Program\ Files/OpenVPN/bin/openvpn.exe'
OVPN ?= openvpn
# Public IP/hostname written into the `remote` line of every client profile.
PUBIP ?= 127.0.0.1
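# .SECONDARY with no prerequisites causes all targets to be treated as secondary (i.e., no target is removed because it is considered intermediate).
.SECONDARY:
# Every *.crt rule runs `openssl ca` against the same CA database (index.txt, see openssl.cnf),
# which is rewritten on each signing; running several signings at once under `make -j`
# can corrupt or lose entries, so parallelism is disabled for this file.
.NOTPARALLEL:
# Names of the client profiles to generate; override to add clients, e.g. `make CLIENTS='001 002 010'`.
CLIENTS ?= 001 002 003 004 005 006 007 008 009
.PHONY: def
# Default goal: build the server profile and every client profile and bundle them.
def: ovpn.tar
# The archive is a real file target, so it is only re-created when a profile changes.
# NOTE: it holds the server private key (inlined in svc.ovpn), the tls-auth key and every
# client's private key — keep it on the server; distribute only the individual <client>.ovpn files.
ovpn.tar: svc.ovpn $(CLIENTS:%=%.ovpn)
	tar -cf $@ $^
# All profiles are packed into ovpn.tar.
# To add more clients later, keep the files in this folder:
# the CA key/certificate and its database are needed to sign new client certificates.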
# Minimal `openssl ca` configuration plus the empty database and certificate
# directory the command refuses to run without.
# [root] is used to self-sign the CA, [ovpnsvc] for the server certificate
# (serverAuth only) and [ovpncli] for client certificates (clientAuth only), so a
# client's `remote-cert-tls server` check will not accept another client's
# certificate as the server. policy_match forces countryName/organizationName of
# every request to equal the CA's.
openssl.cnf:
	printf '%s\n' '' \
	  '[ca]' \
	  'default_ca = CA_default' \
	  '[CA_default]' \
	  'certs = certs' \
	  'database = index.txt' \
	  'new_certs_dir = newcerts' \
	  'certificate = cacert.pem' \
	  'serial = serial' \
	  'preserve = no' \
	  'policy = policy_match' \
	  '[policy_match]' \
	  'countryName = match' \
	  'stateOrProvinceName = optional' \
	  'organizationName = match' \
	  'organizationalUnitName = optional' \
	  'commonName = supplied' \
	  'emailAddress = optional' \
	  '[root]' \
	  'subjectKeyIdentifier = hash' \
	  'authorityKeyIdentifier = keyid:always,issuer' \
	  'basicConstraints = critical,CA:TRUE' \
	  '[ovpnsvc]' \
	  'keyUsage = critical,digitalSignature,keyEncipherment' \
	  'extendedKeyUsage = critical,serverAuth' \
	  'basicConstraints = critical,CA:FALSE' \
	  '[ovpncli]' \
	  'keyUsage = critical,digitalSignature' \
	  'extendedKeyUsage = critical,clientAuth' \
	  'basicConstraints = critical,CA:FALSE' \
	  > $@
	mkdir -p newcerts # directory `openssl ca` requires to exist
	touch index.txt # database file `openssl ca` requires to exist
# 2048-bit Diffie-Hellman parameters, inlined into the server profile's <dh> block
# (generation can take a while; this explicit rule takes precedence over %.pem).
dh2048.pem:
	openssl dhparam -out $@ 2048
# Static tls-auth (HMAC) key; the same key is inlined into the server profile and
# every client profile, so it must be treated as secret like the private keys.
tlsauth.pem:
	$(OVPN) --genkey --secret $@
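# 2048-bit RSA private key for any other name: root.pem (the CA key), svc.pem
# (the server key) and <client>.pem. The explicit dh2048.pem and tlsauth.pem rules
# take precedence over this pattern.
# The key is written under a restrictive umask so it is not group/world readable
# where the filesystem honours POSIX modes (the original relied on the default umask).
%.pem:
	umask 077 && openssl genrsa -out $@ 2048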
# Certificate request for the CA itself; self-signed by the root.crt rule.
# Subject fields are hard-coded; countryName/organizationName are what the
# leaf requests must match under openssl.cnf's policy_match.
root.csr: root.pem
	openssl req -new -key "$<" -out "$@" \
	  -subj "/emailAddress=hello@gmail.com/countryName=US/stateOrProvinceName=California/organizationName=Hello LLC/commonName=Hello CA/organizationalUnitName=Hello CA"
# Certificate request for the VPN server; countryName/organizationName equal the
# CA's so openssl.cnf's policy_match accepts it.
svc.csr: svc.pem
	openssl req -new -key "$<" -out "$@" \
	  -subj "/emailAddress=hello@gmail.com/countryName=US/stateOrProvinceName=California/organizationName=Hello LLC/commonName=Hello LLC/organizationalUnitName=Hello Unit"
# Certificate request for a client; the stem (e.g. 001) becomes the commonName,
# every other subject field is shared with the server request.
%.csr: %.pem
	openssl req -new -key "$<" -out "$@" \
	  -subj "/emailAddress=hello@gmail.com/countryName=US/stateOrProvinceName=California/organizationName=Hello LLC/commonName=$*/organizationalUnitName=Hello Unit"
# Self-signed CA certificate using the [root] extensions of openssl.cnf.
# Validity is fixed to 2000-01-01..2099-12-31, i.e. it effectively never expires,
# and this Makefile produces no CRL — revoking anything means re-issuing the CA.
root.crt: openssl.cnf root.pem root.csr
	openssl ca -config $< -extensions root -keyfile root.pem -selfsign \
	  -startdate 20000101000000Z -enddate 20991231235959Z \
	  -in root.csr -out $@ -notext -rand_serial -md sha256 -batch
# Server certificate signed by the CA with the [ovpnsvc] extensions (serverAuth).
# Same 2000..2099 validity window as the CA; the record is appended to index.txt.
svc.crt: openssl.cnf root.pem root.crt svc.csr svc.pem
	openssl ca -config $< -extensions ovpnsvc -keyfile root.pem -cert root.crt \
	  -startdate 20000101000000Z -enddate 20991231235959Z \
	  -in svc.csr -out $@ -notext -rand_serial -md sha256 -batch
# Client certificate for stem $* signed by the CA with the [ovpncli] extensions
# (clientAuth only). Same 2000..2099 validity window as the CA. The explicit
# root.crt and svc.crt rules take precedence over this pattern.
%.crt: openssl.cnf root.pem root.crt %.csr %.pem
	openssl ca -config $< -extensions ovpncli -keyfile root.pem -cert root.crt \
	  -startdate 20000101000000Z -enddate 20991231235959Z \
	  -in $*.csr -out $@ -notext -rand_serial -md sha256 -batch
# Remove a half-written profile if a recipe line fails (global special target).
.DELETE_ON_ERROR:
# Server profile with the CA certificate, server certificate, server private key,
# DH parameters and tls-auth key inlined (the file is therefore secret).
# It listens on UDP 8000 on all addresses, hands out 10.0.0.0/24, pushes a default
# route, two public DNS servers and block-outside-dns to clients.
# Only `cipher` is set explicitly; OpenVPN defaults apply for everything not
# listed here (e.g. `auth`, `tls-version-min`) — NOTE(review): confirm these are
# the intended data-channel/TLS settings for your OpenVPN version.
svc.ovpn: root.crt svc.crt svc.pem dh2048.pem tlsauth.pem
	printf '%s\n' '' 'local 0.0.0.0' 'port 8000' 'proto udp' 'dev tun' '<ca>' > $@
	cat root.crt >> $@
	printf '%s\n' '</ca>' '<cert>' >> $@
	cat svc.crt >> $@
	printf '%s\n' '</cert>' '<key>' >> $@
	cat svc.pem >> $@
	printf '%s\n' '</key>' '<dh>' >> $@
	cat dh2048.pem >> $@
	printf '%s\n' '</dh>' \
	  'server 10.0.0.0 255.255.255.0' \
	  'ifconfig-pool-persist ipp.txt' \
	  'push "redirect-gateway def1"' \
	  'push "dhcp-option DNS 8.8.8.8"' \
	  'push "dhcp-option DNS 1.1.1.1"' \
	  'keepalive 10 120' \
	  'key-direction 0' \
	  '<tls-auth>' >> $@
	cat tlsauth.pem >> $@
	printf '%s\n' '</tls-auth>' \
	  'cipher AES-256-CBC' \
	  'persist-key' \
	  'persist-tun' \
	  'status openvpn-status.log' \
	  'verb 3' \
	  'explicit-exit-notify 1' \
	  'push "block-outside-dns"' \
	  '' >> $@
# Remove a half-written profile if a recipe line fails (global special target).
.DELETE_ON_ERROR:
# Client profile for stem $* with the CA certificate, the client's certificate and
# private key and the tls-auth key inlined — this one file is all the client needs,
# and it is as sensitive as the key inside it. `remote` points at $(PUBIP):8000/udp;
# `remote-cert-tls server` makes the client reject a peer whose certificate lacks
# the server extensions (clients are issued with [ovpncli] only).
%.ovpn: root.crt %.crt %.pem tlsauth.pem
	printf '%s\n' '' 'client' 'dev tun' 'proto udp' 'remote $(PUBIP) 8000' \
	  'resolv-retry infinite' 'nobind' 'persist-key' 'persist-tun' '<ca>' > $@
	cat root.crt >> $@
	printf '%s\n' '</ca>' '<cert>' >> $@
	cat $*.crt >> $@
	printf '%s\n' '</cert>' '<key>' >> $@
	cat $*.pem >> $@
	printf '%s\n' '</key>' 'remote-cert-tls server' 'key-direction 1' '<tls-auth>' >> $@
	cat tlsauth.pem >> $@
	printf '%s\n' '</tls-auth>' 'verb 3' '' >> $@