OpenVPN Server Configuration

2009-12-23  vclyin

System information:

OS: Debian lenny

Keywords: VPN OpenVPN SSL OpenSSL certificates

Reference articles:

Notes on installing OpenVPN from source on Debian 5.0.2 [with MySQL+PAM authentication], 2nd edition

http://blog.csdn.net/zubin006/archive/2009/09/16/4560223.aspx

Linux OpenVPN installation and Windows OpenVPN GUI installation notes

http://www.xiaohui.com/dev/server/20070514-install-openvpn.htm

OpenVPN server setup explained in detail

http://www.linuxha.cn/openvpn_learn_all.htm

 

I. Download the required software

1. Install the required build tools

#aptitude install gcc g++ make

 

2. Download LZO

#mkdir /home/src_software/

#cd /home/src_software/

#wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz

Note: LZO is a lightweight lossless compression library

 

3. Download OpenSSL

#cd /home/src_software/

#wget http://www.openssl.org/source/openssl-0.9.8.tar.gz

Note: OpenVPN depends on the OpenSSL library for its cryptography

 

4. Download OpenVPN

#cd /home/src_software

#wget http://www.openvpn.net/release/openvpn-2.0.9.tar.gz

   

II. Install OpenVPN and related software

1. Install LZO

#cd /home/src_software/

#tar -zxvf lzo-2.03.tar.gz

#cd lzo-2.03

#./configure --prefix=/usr/local/lzo && make && make install

Edit /etc/ld.so.conf. Because LZO (and OpenSSL, below) are installed under their own prefixes, their lib directories are appended as well so that the runtime linker can find the shared libraries:

#cat >> /etc/ld.so.conf << EOF
include /etc/ld.so.conf.d/*.conf
/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64
/usr/local/lzo/lib
/usr/local/openssl/lib
EOF

After editing, run

#ldconfig

so that the contents of /etc/ld.so.conf take effect, i.e. the dynamic libraries become visible.

 

2. Install OpenSSL

#cd ..

#tar -zxvf openssl-0.9.8.tar.gz

#cd openssl-0.9.8

#./config --prefix=/usr/local/openssl && make && make install

 

3. Install OpenVPN

#cd ..

#tar -zxvf openvpn-2.0.9.tar.gz

#cd openvpn-2.0.9

Because LZO and OpenSSL were installed under their own prefixes above, configure has to be told where their headers and libraries are:

#./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/local/openssl/include --with-ssl-lib=/usr/local/openssl/lib && make && make install

III. Configure the OpenVPN server

1. Create the configuration environment

#mkdir -p /etc/openvpn

#cp -R /home/src_software/openvpn-2.0.9/easy-rsa /etc/openvpn

#cd /etc/openvpn/easy-rsa/2.0

#ls

The result is a set of programs and scripts; briefly:

vars               script that creates the environment variables and sets the values the other scripts need
clean-all          script that creates the files and directories needed for generating the CA certificate and keys
build-ca           script that generates the CA certificate (interactive)
build-dh           script that generates the Diffie-Hellman file (interactive)
build-key-server   script that generates the server certificate and key (interactive)
build-key          script that generates a client certificate and key (interactive)
pkitool            script that generates certificates directly from the environment set by vars (non-interactive)

 

2. Generate the CA certificate and key [take care not to mistype anything]

Initialize the environment variables; read the script to see what it does:

#./vars

NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys

Make sure you understand what this warning means.

#chmod +rwx *

Edit the vars file so that it contains:

export KEY_COUNTRY="CN"

export KEY_PROVINCE="BJ"

export KEY_CITY="BeiJing"

export KEY_ORG="NCS"

export KEY_EMAIL=crf@ncs-cyber.com.cn

 

#source ./vars

 

3. Generate and initialize the keys directory

#./clean-all

#./build-ca

Generating a 1024 bit RSA private key

....++++++

.++++++

writing new private key to 'ca.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BeiJing]:

Organization Name (eg, company) [NCS]:

Organizational Unit Name (eg, section) []:ncs

Common Name (eg, your name or your server's hostname) [NCS CA]:

Email Address [ncs@ncs-cyber.com.cn]:

#ls keys

You can see that ca.crt and ca.key have been generated

4. Generate the Diffie-Hellman file

#./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

......+................................+...+................+..............+....+....+......................................................................+......................................................................................................................................................................................................+.......+........+........++*++*++*

#ls -l keys/dh1024.pem

You can see that the 1024-bit Diffie-Hellman file has been generated

5. Generate the VPN server certificate

#./build-key-server ncs-server

Enter the requested information at the prompts. ncs-server is the name you give the server certificate; with that name, the server certificate files generated are ncs-server.crt and ncs-server.key

Generating a 1024 bit RSA private key

.......................................++++++

..........++++++

writing new private key to 'ncs-server.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BeiJing]:

Organization Name (eg, company) [NCS]:

Organizational Unit Name (eg, section) []:ncs

Common Name (eg, your name or your server's hostname) [ncs-server]:

Email Address [ncs@ncs-cyber.com.cn]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BJ'

localityName          :PRINTABLE:'BeiJing'

organizationName      :PRINTABLE:'NCS'

organizationalUnitName:PRINTABLE:'ncs'

commonName            :PRINTABLE:'ncs-server'

emailAddress          :IA5STRING:'ncs@ncs-cyber.com.cn'

Certificate is to be certified until Sep 25 09:20:49 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Copy the generated certificates and keys to /etc/openvpn/:

#cp keys/{ca.crt,ca.key,ncs-server.crt,ncs-server.key,dh1024.pem} /etc/openvpn/

 

6. Generate the client certificate and key

The client certificate and key are generated with the build-key script:

#./build-key ncs-user1

Enter the requested information at the prompts; three client files, ncs-user1.crt, ncs-user1.csr and ncs-user1.key, are generated in the keys directory

Generating a 1024 bit RSA private key

..................++++++

..............++++++

writing new private key to 'user1.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [BeiJing]:

Organization Name (eg, company) [NCS]:

Organizational Unit Name (eg, section) []:ncs

Common Name (eg, your name or your server's hostname) [user1]:

Email Address [ncs@ncs-cyber.com.cn]:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'CN'

stateOrProvinceName   :PRINTABLE:'BJ'

localityName          :PRINTABLE:'BeiJing'

organizationName      :PRINTABLE:'NCS'

organizationalUnitName:PRINTABLE:'ncs'

commonName            :PRINTABLE:'user1'

emailAddress          :IA5STRING:'ncs@ncs-cyber.com.cn'

Certificate is to be certified until Sep 25 09:22:32 2019 GMT (3650 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Package the five files ca.crt, ca.key, ncs-user1.crt, ncs-user1.csr and ncs-user1.key for the VPN client to use

#mkdir userkey

#cp keys/{ca.crt,ca.key,ncs-user1.csr,ncs-user1.crt,ncs-user1.key} userkey/

#tar -zcvf ncs-user1-key.tar.gz userkey

The archive above is what gets copied to the client.
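Added example, not code from the original post: the packaging step in Python, restricted to what a client actually needs. Only the CA certificate ca.crt, the client's own certificate and its private key go into the archive; ca.key signs every certificate the server will trust and has to stay on the CA host, and the .csr is only input to the signing step. File names match the page; the PEM bodies are constructed placeholders.

```python
import os
import tarfile
import tempfile

# Constructed stand-ins for what easy-rsa leaves in keys/ after the steps
# above; the file names match the page, the PEM bodies are placeholders.
KEYS_DIR_CONTENTS = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\n(ca cert)\n-----END CERTIFICATE-----\n",
    "ca.key": "-----BEGIN RSA PRIVATE KEY-----\n(CA KEY)\n-----END RSA PRIVATE KEY-----\n",
    "ncs-server.crt": "(server cert)\n",
    "ncs-server.key": "(server key)\n",
    "dh1024.pem": "(dh params)\n",
    "ncs-user1.crt": "(client cert)\n",
    "ncs-user1.csr": "(client request)\n",
    "ncs-user1.key": "(client key)\n",
}

def client_bundle_members(client):
    """Everything a client needs: the CA certificate (to verify the server),
    its own certificate and its own private key. Nothing else."""
    return ["ca.crt", f"{client}.crt", f"{client}.key"]

def build_client_bundle(keys_dir, client, out_path):
    """Write out_path (tar.gz) containing only the client's three files;
    the private key is stored with mode 0600 so it unpacks that way."""
    with tarfile.open(out_path, "w:gz") as tar:
        for name in client_bundle_members(client):
            path = os.path.join(keys_dir, name)
            info = tar.gettarinfo(path, arcname=name)
            info.mode = 0o600 if name.endswith(".key") else 0o644
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return out_path

def audit_bundle(path, client):
    """Names in the archive that must not be handed to a client: the CA
    private key, another peer's key or certificate, DH params, CSRs."""
    allowed = set(client_bundle_members(client))
    with tarfile.open(path, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.name not in allowed)

def demo():
    """Build the correct bundle and the page's bundle side by side, audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = os.path.join(tmp, "keys")
        os.mkdir(keys)
        for name, body in KEYS_DIR_CONTENTS.items():
            with open(os.path.join(keys, name), "w") as fh:
                fh.write(body)
        good = build_client_bundle(keys, "ncs-user1",
                                   os.path.join(tmp, "ncs-user1-key.tar.gz"))
        # The page's bundle, for comparison: ca.key and the .csr were included.
        page = os.path.join(tmp, "page-bundle.tar.gz")
        with tarfile.open(page, "w:gz") as tar:
            for name in ["ca.crt", "ca.key", "ncs-user1.crt",
                         "ncs-user1.csr", "ncs-user1.key"]:
                tar.add(os.path.join(keys, name), arcname=name)
        return audit_bundle(good, "ncs-user1"), audit_bundle(page, "ncs-user1")

if __name__ == "__main__":
    print(demo())
```

The audit of the page's archive lists ca.key and the CSR as members that should not have left the CA host.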

 

7. Generate the OpenVPN configuration file

The best way to create an OpenVPN configuration file is to start from the sample files in sample-config-files under the source directory. In this example the server configuration file is server.conf

and the client configuration file is client.conf.

Modify them as needed.

#cp /home/src_software/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/openvpn.conf

#mkdir -p /usr/local/openvpn/logs

#groupadd nobody

#vim /etc/openvpn/openvpn.conf

#################################################

# Sample OpenVPN 2.0 config file for            #

# multi-client server.                          #

#                                               #

# This file is for the server side              #

# of a many-clients <-> one-server              #

# OpenVPN configuration.                        #

#                                               #

# OpenVPN also supports                         #

# single-machine <-> single-machine             #

# configurations (See the Examples page         #

# on the web site for more info).               #

#                                               #

# This config should work on Windows            #

# or Linux/BSD systems.  Remember on            #

# Windows to quote pathnames and use            #

# double backslashes, e.g.:                     #

# "C:\\Program Files\\OpenVPN\\config\\foo.key" #

#                                               #

# Comments are preceded with '#' or ';'         #

#################################################

 

# Which local IP address should OpenVPN

# listen on? (optional)

;local a.b.c.d

 

# Which TCP/UDP port should OpenVPN listen on?

# If you want to run multiple OpenVPN instances

# on the same machine, use a different port

# number for each one.  You will need to

# open up this port on your firewall.

#port 1194

port 2009

 

# TCP or UDP server?

;proto tcp

#proto udp

proto tcp

 

# "dev tun" will create a routed IP tunnel,

# "dev tap" will create an ethernet tunnel.

# Use "dev tap0" if you are ethernet bridging

# and have precreated a tap0 virtual interface

# and bridged it with your ethernet interface.

# If you want to control access policies

# over the VPN, you must create firewall

# rules for the the TUN/TAP interface.

# On non-Windows systems, you can give

# an explicit unit number, such as tun0.

# On Windows, use "dev-node" for this.

# On most systems, the VPN will not function

# unless you partially or fully disable

# the firewall for the TUN/TAP interface.

;dev tap

dev tun

 

# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel if you

# have more than one.  On XP SP2 or higher,

# you may need to selectively disable the

# Windows firewall for the TAP adapter.

# Non-Windows systems usually don't need this.

;dev-node MyTap

 

# SSL/TLS root certificate (ca), certificate

# (cert), and private key (key).  Each client

# and the server must have their own cert and

# key file.  The server and all clients will

# use the same ca file.

#

# See the "easy-rsa" directory for a series

# of scripts for generating RSA certificates

# and private keys.  Remember to use

# a unique Common Name for the server

# and each of the client certificates.

#

# Any X509 key management system can be used.

# OpenVPN can also use a PKCS #12 formatted key file

# (see "pkcs12" directive in man page).

ca /etc/openvpn/ca.crt

cert /etc/openvpn/ncs-server.crt

key /etc/openvpn/ncs-server.key  # This file should be kept secret

 

# Diffie hellman parameters.

# Generate your own with:

#   openssl dhparam -out dh1024.pem 1024

# Substitute 2048 for 1024 if you are using

# 2048 bit keys.

dh /etc/openvpn/dh1024.pem

 

# Configure server mode and supply a VPN subnet

# for OpenVPN to draw client addresses from.

# The server will take 10.8.0.1 for itself,

# the rest will be made available to clients.

# Each client will be able to reach the server

# on 10.8.0.1. Comment this line out if you are

# ethernet bridging. See the man page for more info.

server 192.168.0.0 255.255.255.0

 

# Maintain a record of client <-> virtual IP address

# associations in this file.  If OpenVPN goes down or

# is restarted, reconnecting clients can be assigned

# the same virtual IP address from the pool that was

# previously assigned.

ifconfig-pool-persist ipp.txt

 

# Configure server mode for ethernet bridging.

# You must first use your OS's bridging capability

# to bridge the TAP interface with the ethernet

# NIC interface.  Then you must manually set the

# IP/netmask on the bridge interface, here we

# assume 10.8.0.4/255.255.255.0.  Finally we

# must set aside an IP range in this subnet

# (start=10.8.0.50 end=10.8.0.100) to allocate

# to connecting clients.  Leave this line commented

# out unless you are ethernet bridging.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

 

# Push routes to the client to allow it

# to reach other private subnets behind

# the server.  Remember that these

# private subnets will also need

# to know to route the OpenVPN client

# address pool (10.8.0.0/255.255.255.0)

# back to the OpenVPN server.

;push "route 192.168.10.0 255.255.255.0"

push "route 192.168.0.0 255.255.255.0"

;push "route 192.168.20.0 255.255.255.0"

 

# To assign specific IP addresses to specific

# clients or if a connecting client has a private

# subnet behind it that should also have VPN access,

# use the subdirectory "ccd" for client-specific

# configuration files (see man page for more info).

 

# EXAMPLE: Suppose the client

# having the certificate common name "Thelonious"

# also has a small subnet behind his connecting

# machine, such as 192.168.40.128/255.255.255.248.

# First, uncomment out these lines:

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

# Then create a file ccd/Thelonious with this line:

#   iroute 192.168.40.128 255.255.255.248

# This will allow Thelonious' private subnet to

# access the VPN.  This example will only work

# if you are routing, not bridging, i.e. you are

# using "dev tun" and "server" directives.

 

# EXAMPLE: Suppose you want to give

# Thelonious a fixed VPN IP address of 10.9.0.1.

# First uncomment out these lines:

;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

# Then add this line to ccd/Thelonious:

#   ifconfig-push 10.9.0.1 10.9.0.2

 

# Suppose that you want to enable different

# firewall access policies for different groups

# of clients.  There are two methods:

# (1) Run multiple OpenVPN daemons, one for each

#     group, and firewall the TUN/TAP interface

#     for each group/daemon appropriately.

# (2) (Advanced) Create a script to dynamically

#     modify the firewall in response to access

#     from different clients.  See man

#     page for more info on learn-address script.

;learn-address ./script

 

# If enabled, this directive will configure

# all clients to redirect their default

# network gateway through the VPN, causing

# all IP traffic such as web browsing and

# and DNS lookups to go through the VPN

# (The OpenVPN server machine may need to NAT

# the TUN/TAP interface to the internet in

# order for this to work properly).

# CAVEAT: May break client's network config if

# client's local DHCP server packets get routed

# through the tunnel.  Solution: make sure

# client's local DHCP server is reachable via

# a more specific route than the default route

# of 0.0.0.0/0.0.0.0.

;push "redirect-gateway"

 

# Certain Windows-specific network settings

# can be pushed to clients, such as DNS

# or WINS server addresses.  CAVEAT:

# http://openvpn.net/faq.html#dhcpcaveats

;push "dhcp-option DNS 10.8.0.1"

push "dhcp-option DNS 202.106.0.20"

;push "dhcp-option DNS 192.168.0.1"

;push "dhcp-option WINS 10.8.0.1"

 

# Uncomment this directive to allow different

# clients to be able to "see" each other.

# By default, clients will only see the server.

# To force clients to only see the server, you

# will also need to appropriately firewall the

# server's TUN/TAP interface.

;client-to-client

client-to-client

 

# Uncomment this directive if multiple clients

# might connect with the same certificate/key

# files or common names.  This is recommended

# only for testing purposes.  For production use,

# each client should have its own certificate/key

# pair.

#

# IF YOU HAVE NOT GENERATED INDIVIDUAL

# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

# EACH HAVING ITS OWN UNIQUE "COMMON NAME",

# UNCOMMENT THIS LINE OUT.

;duplicate-cn

duplicate-cn

 

# The keepalive directive causes ping-like

# messages to be sent back and forth over

# the link so that each side knows when

# the other side has gone down.

# Ping every 10 seconds, assume that remote

# peer is down if no ping received during

# a 120 second time period.

keepalive 10 120

 

# For extra security beyond that provided

# by SSL/TLS, create an "HMAC firewall"

# to help block DoS attacks and UDP port flooding.

#

# Generate with:

#   openvpn --genkey --secret ta.key

#

# The server and each client must have

# a copy of this key.

# The second parameter should be '0'

# on the server and '1' on the clients.

;tls-auth ta.key 0 # This file is secret

 

# Select a cryptographic cipher.

# This config item must be copied to

# the client config file as well.

;cipher BF-CBC        # Blowfish (default)

;cipher AES-128-CBC   # AES

;cipher DES-EDE3-CBC  # Triple-DES

 

# Enable compression on the VPN link.

# If you enable it here, you must also

# enable it in the client config file.

comp-lzo

 

# The maximum number of concurrently connected

# clients we want to allow.

;max-clients 100

 

# It's a good idea to reduce the OpenVPN

# daemon's privileges after initialization.

#

# You can uncomment this out on

# non-Windows systems.

;user nobody

user nobody

;group nobody

group nobody

 

# The persist options will try to avoid

# accessing certain resources on restart

# that may no longer be accessible because

# of the privilege downgrade.

persist-key

persist-tun

 

# Output a short status file showing

# current connections, truncated

# and rewritten every minute.

status /usr/local/openvpn/logs/openvpn-status.log

 

# By default, log messages will go to the syslog (or

# on Windows, if running as a service, they will go to

# the "\Program Files\OpenVPN\log" directory).

# Use log or log-append to override this default.

# "log" will truncate the log file on OpenVPN startup,

# while "log-append" will append to it.  Use one

# or the other (but not both).

;log         openvpn.log

;log         /usr/local/openvpn/logs/openvpn.log

;log-append  openvpn.log

log-append  /usr/local/openvpn/logs/openvpn.log

 

# Set the appropriate level of log

# file verbosity.

#

# 0 is silent, except for fatal errors

# 4 is reasonable for general usage

# 5 and 6 can help to debug connection problems

# 9 is extremely verbose

verb 3

 

# Silence repeating messages.  At most 20

# sequential messages of the same message

# category will be output to the log.

;mute 20
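Added example, not code from the original post or from the OpenVPN project: a small Python linter for the server configuration above. It parses directives the way OpenVPN reads them (comments after '#' or ';', quoted push arguments) and reports the points the sample file's own comments warn about: duplicate-cn left on, tls-auth left off, no cipher chosen, log and log-append both set, and a pushed route that duplicates the VPN subnet. The embedded config is a constructed excerpt of the active directives from the page.

```python
import ipaddress
import shlex

# Constructed excerpt: the directives that are active in the server config
# above, with the sample file's comments stripped (values as on the page).
SERVER_CONF = """\
port 2009
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/ncs-server.crt
key /etc/openvpn/ncs-server.key  # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 202.106.0.20"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /usr/local/openvpn/logs/openvpn-status.log
log         /usr/local/openvpn/logs/openvpn.log
log-append  /usr/local/openvpn/logs/openvpn.log
verb 3
"""

def parse_conf(text):
    """Return [(directive, [args...])], honouring OpenVPN's '#' and ';'
    comments and double-quoted arguments such as push "route ..."."""
    entries = []
    for line in text.splitlines():
        lexer = shlex.shlex(line, posix=True)
        lexer.commenters = "#;"
        lexer.whitespace_split = True
        tokens = list(lexer)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries

def lint_server_conf(text):
    """Findings a reviewer would raise about the server side; each string
    starts with the directive it concerns."""
    entries = parse_conf(text)
    names = {d for d, _ in entries}
    args = dict(entries)
    findings = []
    if "duplicate-cn" in names:
        findings.append("duplicate-cn: clients may share one certificate, so a leaked "
                        "client key cannot be traced to one user or revoked on its own")
    if "tls-auth" not in names:
        findings.append("tls-auth: not enabled, so control packets get no HMAC pre-check "
                        "(the 'HMAC firewall' against DoS and port flooding)")
    if "cipher" not in names:
        findings.append("cipher: not set, so the 2.0 default BF-CBC is negotiated")
    if {"log", "log-append"} <= names:
        findings.append("log/log-append: both given; only one of them is honoured")
    if not {"user", "group"} <= names:
        findings.append("user/group: daemon keeps its start-up privileges")
    if "client-to-client" in names:
        findings.append("client-to-client: peers reach each other inside OpenVPN, "
                        "bypassing the host firewall on the tun interface")
    if "server" in args:
        vpn_net = ipaddress.ip_network("{}/{}".format(*args["server"]))
        for d, a in entries:
            if d == "push" and a and a[0].startswith("route "):
                _, dst, mask = a[0].split()[:3]
                if ipaddress.ip_network(f"{dst}/{mask}") == vpn_net:
                    findings.append(f"push route {dst} {mask}: this is the VPN subnet "
                                    "itself, which the client already routes")
    return findings

if __name__ == "__main__":
    for finding in lint_server_conf(SERVER_CONF):
        print("-", finding)
```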

 

Start the OpenVPN server

#/usr/local/openvpn/sbin/openvpn --config /etc/openvpn/openvpn.conf

Appendix: tun is the virtual network device in Linux; OpenVPN also has a "dev tap" option, which is a virtual NIC too:

# "dev tun" creates a routed IP tunnel

# "dev tap" creates an ethernet tunnel

Kernels 2.6 and later already provide it; if it is missing, create the device node:

#mkdir /dev/net

#mknod /dev/net/tun c 10 200

#ls -l /dev/net/tun

crw-r--r-- 1 root root 10, 200 Sep 5 06:45 /dev/net/tun

 

IV. Windows XP client installation and setup

Download the client [make sure the version matches the server's, or you will run into trouble]:

http://www.openvpn.net/release/openvpn-2.0.9-install.exe

http://www.openvpn.net/release/openvpn-2.1_rc19-install.exe

Double-click openvpn-2.0.9-install.exe to install the VPN client on Windows, then extract the ncs-user1-key.tar.gz archive generated earlier into C:\Program Files\OpenVPN\config:

The client configuration file is as follows:

##############################################

# Sample client-side OpenVPN 2.0 config file #

# for connecting to multi-client server.     #

#                                            #

# This configuration can be used by multiple #

# clients, however each client should have   #

# its own cert and key files.                #

#                                            #

# On Windows, you might want to rename this  #

# file so it has a .ovpn extension           #

##############################################

 

# Specify that we are a client and that we

# will be pulling certain config file directives

# from the server.

client

 

# Use the same setting as you are using on

# the server.

# On most systems, the VPN will not function

# unless you partially or fully disable

# the firewall for the TUN/TAP interface.

;dev tap

dev tun

 

# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel

# if you have more than one.  On XP SP2,

# you may need to disable the firewall

# for the TAP adapter.

;dev-node MyTap

 

# Are we connecting to a TCP or

# UDP server?  Use the same setting as

# on the server.

;proto tcp

;proto udp

proto tcp

 

# The hostname/IP and port of the server.

# You can have multiple remote entries

# to load balance between the servers.

;remote my-server-1 1194

remote 59.58.97.5 5194

;remote my-server-2 1194

 

# Choose a random host from the remote

# list for load-balancing.  Otherwise

# try hosts in the order specified.

;remote-random

 

# Keep trying indefinitely to resolve the

# host name of the OpenVPN server.  Very useful

# on machines which are not permanently connected

# to the internet such as laptops.

resolv-retry infinite

 

# Most clients don't need to bind to

# a specific local port number.

nobind

 

# Downgrade privileges after initialization (non-Windows only)

;user nobody

;group nobody

 

# Try to preserve some state across restarts.

persist-key

persist-tun

 

# If you are connecting through an

# HTTP proxy to reach the actual OpenVPN

# server, put the proxy server/IP and

# port number here.  See the man page

# if your proxy server requires

# authentication.

;http-proxy-retry # retry on connection failures

;http-proxy [proxy server] [proxy port #]

 

# Wireless networks often produce a lot

# of duplicate packets.  Set this flag

# to silence duplicate packet warnings.

;mute-replay-warnings

 

# SSL/TLS parms.

# See the server config file for more

# description.  It's best to use

# a separate .crt/.key file pair

# for each client.  A single ca

# file can be used for all clients.

ca ca.crt

cert ncs-user1.crt

key ncs-user1.key

 

# Verify server certificate by checking

# that the certicate has the nsCertType

# field set to "server".  This is an

# important precaution to protect against

# a potential attack discussed here:

#  http://openvpn.net/howto.html#mitm

#

# To use this feature, you will need to generate

# your server certificates with the nsCertType

# field set to "server".  The build-key-server

# script in the easy-rsa folder will do this.

ns-cert-type server

 

# If a tls-auth key is used on the server

# then every client must also have the key.

;tls-auth ta.key 1

 

# Select a cryptographic cipher.

# If the cipher option is used on the server

# then you must also specify it here.

;cipher x

 

# Enable compression on the VPN link.

# Don't enable this unless it is also

# enabled in the server config file.

comp-lzo

 

# Set log file verbosity.

verb 3

 

# Silence repeating messages

;mute 20

      

V. Connect to the OpenVPN server:

Right-click the client.ovpn file and choose "Start OpenVPN on this config file":

Sun Sep 27 17:40:30 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sun Sep 27 17:40:30 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Sep 27 17:40:30 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 27 17:40:30 2009 LZO compression initialized
Sun Sep 27 17:40:30 2009 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sun Sep 27 17:40:30 2009 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Sep 27 17:40:30 2009 Local Options hash (VER=V4): '69109d17'
Sun Sep 27 17:40:30 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sun Sep 27 17:40:30 2009 Attempting to establish TCP connection with 172.16.24.128:2009
Sun Sep 27 17:40:30 2009 TCP connection established with 172.16.24.128:2009
Sun Sep 27 17:40:30 2009 TCPv4_CLIENT link local: [undef]
Sun Sep 27 17:40:30 2009 TCPv4_CLIENT link remote: 172.16.24.128:2009
Sun Sep 27 17:40:30 2009 TLS: Initial packet from 172.16.24.128:2009, sid=288f14f7 7704a3dc
Sun Sep 27 17:40:30 2009 VERIFY OK: depth=1, /C=CN/ST=BJ/L=BeiJing/O=NCS/OU=ncs/CN=NCS_CA/emailAddress=ncs@ncs-cyber.com.cn
Sun Sep 27 17:40:30 2009 VERIFY OK: depth=0, /C=CN/ST=BJ/L=BeiJing/O=NCS/OU=ncs/CN=ncs-server/emailAddress=ncs@ncs-cyber.com.cn
Sun Sep 27 17:40:31 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 27 17:40:31 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 27 17:40:31 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 27 17:40:31 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Sep 27 17:40:31 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Sep 27 17:40:31 2009 [ncs-server] Peer Connection Initiated with 172.16.24.128:2009
Sun Sep 27 17:40:32 2009 SENT CONTROL [ncs-server]: 'PUSH_REQUEST' (status=1)
Sun Sep 27 17:40:32 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 202.106.0.20,route 192.168.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 192.168.0.6 192.168.0.5'
Sun Sep 27 17:40:32 2009 OPTIONS IMPORT: timers and/or timeouts modified
Sun Sep 27 17:40:32 2009 OPTIONS IMPORT: --ifconfig/up options modified
Sun Sep 27 17:40:32 2009 OPTIONS IMPORT: route options modified
Sun Sep 27 17:40:32 2009 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Sep 27 17:40:32 2009 TAP-WIN32 device [本地连接 2] opened: \\.\Global\{5BAE8EBF-FCBC-4CAE-A39D-5EE02E769432}.tap
Sun Sep 27 17:40:32 2009 TAP-Win32 Driver Version 8.4
Sun Sep 27 17:40:32 2009 TAP-Win32 MTU=1500
Sun Sep 27 17:40:32 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.6/255.255.255.252 on interface {5BAE8EBF-FCBC-4CAE-A39D-5EE02E769432} [DHCP-serv: 192.168.0.5, lease-time: 31536000]
Sun Sep 27 17:40:32 2009 Successful ARP Flush on interface [2] {5BAE8EBF-FCBC-4CAE-A39D-5EE02E769432}
Sun Sep 27 17:40:32 2009 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sun Sep 27 17:40:32 2009 Route: Waiting for TUN/TAP interface to come up...
Sun Sep 27 17:40:33 2009 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sun Sep 27 17:40:33 2009 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
Sun Sep 27 17:40:33 2009 Route addition via IPAPI succeeded
Sun Sep 27 17:40:33 2009 route ADD 192.168.0.0 MASK 255.255.255.0 192.168.0.5
Sun Sep 27 17:40:33 2009 Route addition via IPAPI succeeded
Sun Sep 27 17:40:33 2009 Initialization Sequence Completed
 
OK, it worked!
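Added example, not part of the original post: a Python pass over the client log above that extracts the verified certificate chain, the negotiated ciphers and the pushed options, recomputes the /30 ("net30") address pair that an OpenVPN 2.0 `server` directive assigns to the first tun client, and lists what a reviewer would check after the first successful connection (the "No server certificate verification method" warning is what the client prints when neither `ns-cert-type` nor `tls-remote` is in effect). The log excerpt is constructed from the lines above with wrapped lines joined.

```python
import ipaddress
import re

# Constructed excerpt of the client log above, trimmed to the lines the
# analysis needs (wrapped lines joined; values unchanged).
LOG = """\
Sun Sep 27 17:40:30 2009 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Sep 27 17:40:30 2009 VERIFY OK: depth=1, /C=CN/ST=BJ/L=BeiJing/O=NCS/OU=ncs/CN=NCS_CA/emailAddress=ncs@ncs-cyber.com.cn
Sun Sep 27 17:40:30 2009 VERIFY OK: depth=0, /C=CN/ST=BJ/L=BeiJing/O=NCS/OU=ncs/CN=ncs-server/emailAddress=ncs@ncs-cyber.com.cn
Sun Sep 27 17:40:31 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Sep 27 17:40:31 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sun Sep 27 17:40:32 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 202.106.0.20,route 192.168.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 192.168.0.6 192.168.0.5'
"""

TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} ")

def net30_pair(server_net, index):
    """Addresses an OpenVPN 2.0 'server' directive with dev tun hands to
    client number index (0-based): the pool starts 4 addresses into the
    subnet and each client gets its own /30. Returns (client_ip, server_end)."""
    net = ipaddress.ip_network(server_net)
    base = int(net.network_address) + 4 + 4 * index
    return str(ipaddress.ip_address(base + 2)), str(ipaddress.ip_address(base + 1))

def parse_push_reply(msg):
    """'PUSH_REPLY,route a b,ifconfig c d' -> {'route': [[a, b]], 'ifconfig': [[c, d]]}"""
    pushed = {}
    for item in msg.split(",")[1:]:
        name, *args = item.split()
        pushed.setdefault(name, []).append(args)
    return pushed

def analyze_client_log(text):
    out = {"warnings": [], "chain": [], "pushed": {}, "ciphers": {}}
    for line in text.splitlines():
        body = TIMESTAMP.sub("", line)
        if body.startswith("WARNING:"):
            out["warnings"].append(body)
        if m := re.match(r"VERIFY OK: depth=(\d+), (.*)", body):
            cn = re.search(r"/CN=([^/]+)", m.group(2)).group(1)
            out["chain"].append((int(m.group(1)), cn))
        if m := re.match(r"Data Channel Encrypt: Cipher '([^']+)'", body):
            out["ciphers"]["data"] = m.group(1)
        if m := re.match(r"Control Channel: .*cipher \S+ ([^,]+)", body):
            out["ciphers"]["control"] = m.group(1)
        if m := re.match(r"PUSH: Received control message: '(PUSH_REPLY,.*)'", body):
            out["pushed"] = parse_push_reply(m.group(1))
    return out

def review(findings, server_net):
    """What to check after a first successful connection; returns issue strings."""
    issues = []
    if any("No server certificate verification" in w for w in findings["warnings"]):
        issues.append("client does not pin the server role; 'ns-cert-type server' is not in effect")
    if findings["ciphers"].get("data") == "BF-CBC":
        issues.append("data channel uses the default BF-CBC; set 'cipher' on both sides")
    pairs = findings["pushed"].get("ifconfig", [])
    if pairs and tuple(pairs[0]) != net30_pair(server_net, 0):
        issues.append("pushed ifconfig pair is not the first net30 slot of the server subnet")
    vpn_net = ipaddress.ip_network(server_net)
    seen = set()
    for dst, mask in findings["pushed"].get("route", []):
        if ipaddress.ip_network(f"{dst}/{mask}") == vpn_net and dst not in seen:
            seen.add(dst)
            issues.append(f"route {dst} {mask} duplicates the VPN subnet (hence the double 'route ADD')")
    return issues
```

For the log above, the pushed pair 192.168.0.6/192.168.0.5 is exactly the first /30 slot of 192.168.0.0/24, which is why the TAP adapter is configured with netmask 255.255.255.252.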
