ChinaUnix.net
[vpn] OpenVPN Man Page Translation

Posted on 2007-05-04 01:58
I have noticed that many people here like OpenVPN; of course, its features are very powerful. But for friends whose English is not good, understanding it is still not easy. Why don't we all translate the OpenVPN 2.0.x Man Page together? If you support this, please reply!

Site: http://openvpn.net/man.html

My own English is not great either. Let's all work on it together!

I will post the English original. Friends who can translate, click Quote and then translate it. Once everything is done, we will tidy it all up once more.

Then we will add lots of examples, so that friends who are not familiar with OpenVPN can find the best home here!

[ This post was last edited by fsken on 2007-5-4 02:06 ]

Posted on 2007-05-04 01:58
Reposted from: http://blog.5ilinux.com/

Original: http://openvpn.net/howto.html
Installing OpenVPN
My translation skill is limited; please point out anything that is wrong.

OpenVPN can be downloaded here. For security, it's a good idea to check the file release signature after downloading.

The OpenVPN executable should be installed on both server and client machines, since the single executable provides both client and server functions.

Linux Notes (using RPM package)

If you are using a Linux distribution which supports RPM packages (SuSE, Fedora, Redhat, etc.), it's best to install using this mechanism. The easiest method is to find an existing binary RPM file for your distribution. You can also build your own binary RPM file:

rpmbuild -tb openvpn-[version].tar.gz

Once you have the .rpm file, you can install it with the usual

rpm -ivh openvpn-[details].rpm

or upgrade an existing installation with

rpm -Uvh openvpn-[details].rpm

Installing OpenVPN from a binary RPM package has these dependencies:

openssl
lzo
pam

Furthermore, if you are building your own binary RPM package, there are several additional dependencies:

openssl-devel
lzo-devel
pam-devel

See the openvpn.spec file for additional notes on building an RPM package for Red Hat Linux 9 or building with reduced dependencies.

Linux Notes (without RPM)

If you are using Debian, Gentoo, or a non-RPM-based Linux distribution, use your distro-specific packaging mechanism such as apt-get on Debian or emerge on Gentoo.

It is also possible to install OpenVPN on Linux using the universal ./configure method. First expand the .tar.gz file:

tar xfz openvpn-[version].tar.gz

Then cd to the top-level directory and type:

./configure
make
make install

Windows Notes

OpenVPN for Windows can be installed from the self-installing exe file on the OpenVPN download page. Remember that OpenVPN will only run on Windows 2000 or later. Also note that OpenVPN must be installed and run by a user who has administrative privileges (this restriction is imposed by Windows, not OpenVPN). The restriction can be sidestepped by running OpenVPN in the background as a service, in which case even non-admin users will be able to access the VPN, once it is installed. More discussion on OpenVPN + Windows privilege issues.

OpenVPN can also be installed as a GUI on Windows, using Mathias Sundman's installation package, which will install both OpenVPN and the Windows GUI.

After you run the Windows installer, OpenVPN is ready to use and will associate itself with files having the .ovpn extension. To run OpenVPN, you can:

Right click on an OpenVPN configuration file (.ovpn) and select Start OpenVPN on this configuration file. Once running, you can use the F4 key to exit.

Run OpenVPN from a command prompt Window with a command such as:

openvpn myconfig.ovpn

Once running in a command prompt window, OpenVPN can be stopped by the F4 key.

Run OpenVPN as a service by putting one or more .ovpn configuration files in \Program Files\OpenVPN\config and starting the OpenVPN Service, which can be controlled from Start Menu -> Control Panel -> Administrative Tools -> Services.

A GUI is also available for the Windows version of OpenVPN.

Additional Windows install notes.

Mac OS X Notes
Angelo Laub and Dirk Theisen have developed an OpenVPN GUI for OS X.

See also OpenVPN Client and Mac OS X 10.3.

Other OSes
Some notes are available in the INSTALL file for specific OSes. In general, the

./configure
make
make install

method can be used, or you can search for an OpenVPN port or package which is specific to your OS/distribution.


Installing OpenVPN

OpenVPN can be downloaded here.
For security reasons, it is strongly recommended that you check the file's digital signature after downloading.
The OpenVPN program can be installed on both the server and the client, since the single program provides both server and client functionality.

Linux installation notes (using RPM packages)

If you are using a Linux distribution with RPM package management (SuSE, Fedora, Redhat, etc.), it is best to install using that packaging mechanism. The easiest way is to find a binary RPM package for it; you can also build an RPM suited to your own machine from the tarball:

rpmbuild -tb openvpn-[version].tar.gz

Once you have built the RPM package, you can install it:

rpm -ivh openvpn-[details].rpm

Or upgrade an existing installation:

rpm -Uvh openvpn-[details].rpm

Installing OpenVPN from an RPM package has the following RPM dependencies:
• openssl
• lzo
• pam

Furthermore, if you build your own RPM package, you must first install the following dependency RPMs:
• openssl-devel
• lzo-devel
• pam-devel

See the openvpn.spec file for additional notes on the package dependencies needed when building an RPM on Red Hat Linux 9.

Linux installation notes (without RPM)

If you are using Debian, Gentoo or another non-RPM Linux distribution, you can use their own package management, such as apt-get on Debian or emerge on Gentoo.

Of course, you can also use the usual ./configure method to build and install OpenVPN. Before building, first extract the .tar.gz file:
tar xfz openvpn-[version].tar.gz
Then enter the extracted top-level directory:
./configure
make
make install

Windows installation notes

The Windows version of the OpenVPN installer can be downloaded from the OpenVPN download page. Note that this version of OpenVPN can only be installed on Windows 2000 or later. Also note that only a user with administrator privileges can install OpenVPN (this is a security restriction of Windows). Under this restriction, OpenVPN can run as a service in the background, so that once the software is installed even non-admin users can access the VPN. More discussion on OpenVPN + Windows privilege issues.

OpenVPN on Windows can also be installed with a graphical interface, using Mathias Sundman's installation package, which installs both OpenVPN and the GUI.
After OpenVPN is installed, the system associates files with the .ovpn extension with it. To run OpenVPN, you can:
• Right-click an OpenVPN configuration file (a file with the .ovpn extension) and select Start OpenVPN on this configuration file. The program will then run; you can exit with the F4 key.
• In a DOS window, you can also run OpenVPN with the following command:
openvpn myconfig.ovpn
Likewise, OpenVPN started from a DOS command can be exited by pressing F4.
• You can start the OpenVPN service via Start -> Control Panel -> Administrative Tools -> Services, with one or more OpenVPN configuration files placed under \Program Files\OpenVPN\config.
A graphical interface is also available for the Windows version of OpenVPN.

More Windows installer notes.

Mac OS X installation notes
Angelo Laub and Dirk Theisen have developed OpenVPN GUI for OS X.
For more information, see OpenVPN Client and Mac OS X 10.3.
Other operating systems

See the INSTALL file for installation notes on other systems. In general, the method is
./configure
make
make install

You can also look for an OpenVPN package for your system and package manager and install it the appropriate way.

[ This post was last edited by fsken on 2007-5-4 02:39 ]

Posted on 2007-05-04 01:59
Reposted from: http://blog.5ilinux.com/
OpenVPN 2.0 HOWTO - LAN-to-LAN access (translation)
Original: http://openvpn.net/howto.html
My translation skill is limited and many places may be translated badly; please advise.
Some headings are kept in English and not translated.

Expanding the scope of the VPN to include additional machines on either the client or server subnet.

Including multiple machines on the server side when using a routed VPN (dev tun)

Once the VPN is working in a point-to-point fashion between client and server, it is time to expand its scope, so that clients can reach not only the server but also other machines on the server's network.

For this purpose, take an example: suppose the server-side LAN uses the 10.66.0.0/24 subnet, and the server directive in the OpenVPN server configuration file, i.e. the VPN virtual IP address pool, uses 10.8.0.0/24.

First, VPN clients can be given access to the 10.66.0.0/24 subnet over the VPN simply by adding the following directive to the server-side configuration file:

push "route 10.66.0.0 255.255.255.0"
Next, we need to set up a route on the server-side LAN gateway for the VPN client subnet 10.8.0.0/24, pointing to the OpenVPN server (this is necessary if the OpenVPN server and the LAN gateway are not the same machine).

Make sure you have enabled IP and TUN/TAP forwarding on the OpenVPN server.

Including multiple machines on the server side when using a bridged VPN (dev tap)

The advantage of using an ethernet bridge is that you get this for free, without any additional configuration.

Including multiple machines on the client side when using a routed VPN (dev tun)

In the typical remote access case, clients use the VPN as single machines. But if the client is the gateway of a local LAN (such as a head office), you may want every machine on that LAN to be able to use the VPN via routing.

For example, suppose the client's LAN uses the 192.168.4.0/24 subnet and that the VPN client has a certificate with the common name client2. Our goal is to set up a VPN tunnel so that every machine on the client LAN can communicate with every machine on the OpenVPN server's LAN.
Before setting this up, there are some basic prerequisites that must be met:

1: The client LAN subnet (192.168.4.0/24 in our example) must not be brought into the VPN via the server or via any other client site using the same subnet. Any subnet joining the VPN must have a unique route into the tunnel.
2: The client must have a unique common name in its certificate ("client2" in our example), and the duplicate-cn directive must not be enabled in the OpenVPN server's configuration file.

First, we must make sure that IP and TUN/TAP forwarding are enabled on the client.

Then we make a necessary change to the server-side configuration file: if the server configuration does not yet refer to a client configuration directory, add the following line.

client-config-dir ccd
The directive above refers to a directory called ccd, created in advance under the default directory of the running OpenVPN server. On Linux the default directory is /etc/openvpn, and on Windows it is \Program Files\OpenVPN\config. When a new client connects to the OpenVPN server, the server process checks this directory for a file whose name matches the common name in the client's certificate; if a matching file is found, the additional configuration in it is processed for that client.

Next, we create a file named client2 in the ccd directory, containing the following directive:

iroute 192.168.4.0 255.255.255.0

This tells the OpenVPN server to route the 192.168.4.0/24 subnet to client2.

Next, add the following line to the server's main configuration file (not to the ccd/client2 file):

route 192.168.4.0 255.255.255.0
You may ask: why do we need both route and iroute, which look redundant? The reason is that iroute controls routing from the OpenVPN server to the remote client, while route controls routing from the kernel to the OpenVPN server (via the TUN interface). Both are important.

Next, ask yourself whether you want to allow traffic between client2's subnet (192.168.4.0/24) and the other clients of the OpenVPN server. If so, add the following to the server configuration file:

client-to-client
push "route 192.168.4.0 255.255.255.0"
This makes the OpenVPN server advertise client2's subnet to the other connected clients.

The final step, which is often forgotten, is to add a route on the server LAN's gateway that sends 192.168.4.0/24 directly to the OpenVPN server (you may not need this step if the OpenVPN server is itself the gateway of the server-side LAN). If you forget this step, then when you try to ping a machine on the server LAN (other than the OpenVPN server itself) from 192.168.4.8, you will get a host-unreachable message, because that machine does not know how to route the ping reply: it has no idea how to reach 192.168.4.0/24. The general rule of thumb is that, before routing an entire LAN through the VPN tunnel (when the VPN server is not the LAN's gateway machine), we must make sure the server-side LAN gateway has routes for every VPN client subnet.

Similarly, if the client machine running OpenVPN is not itself the gateway of its LAN, then a route must also be set up on the client LAN's gateway pointing to the client machine, which is the path by which other machines reach the client's LAN over the VPN.

Including multiple machines on the client side when using a bridged VPN (dev tap)

This requires a more complex setup (in practice it may not be complicated, but explaining it is):

1: You must bridge the client's TAP virtual network interface with the client's local network card.
2: You must manually set the IP address/netmask of the client's TAP virtual network interface.
3: You must configure the client machine to use an IP address and netmask from the bridged subnet, possibly by querying a DHCP server on the OpenVPN server side.

[ This post was last edited by fsken on 2007-5-4 02:39 ]
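The following is an added example (not part of the post above or of OpenVPN itself) that checks a server.conf and its ccd/ files against the rules the post lays out: every iroute needs its route twin in server.conf, a subnet may be claimed by only one client, duplicate-cn must be off, and with client-to-client the subnet should also be pushed to the other clients. The sample configuration text is constructed from the post's addresses; parsing uses shlex as an approximation of OpenVPN's own config parser.

```python
import ipaddress
import shlex
from typing import Dict, List, Tuple


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Split config text into (directive, args). A '#' or ';' in the first
    column marks a comment; shlex handles quoted parameters such as
    push "route ..." (an approximation of OpenVPN's own parser)."""
    out: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_routed_lan(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Return findings for a ccd/iroute setup; an empty list means the
    configuration follows the rules described in the HOWTO."""
    findings: List[str] = []
    server = parse_directives(server_conf)
    names = {name for name, _ in server}
    routes = {_net(a[0], a[1]) for n, a in server if n == "route" and len(a) >= 2}
    pool = next((_net(a[0], a[1]) for n, a in server if n == "server" and len(a) >= 2), None)
    pushed = set()  # subnets advertised to clients via push "route ..."
    for n, a in server:
        p = a[0].split() if n == "push" and a else []
        if len(p) >= 3 and p[0] == "route":
            pushed.add(_net(p[1], p[2]))

    if ccd and "client-config-dir" not in names:
        findings.append("server.conf lacks client-config-dir, so the ccd/ files are never read")
    if "duplicate-cn" in names:
        findings.append("duplicate-cn is enabled; per-client iroute requires unique common names")

    claimed: Dict[ipaddress.IPv4Network, str] = {}
    for cn, body in ccd.items():
        for n, a in parse_directives(body):
            if n != "iroute" or len(a) < 2:
                continue
            subnet = _net(a[0], a[1])
            if subnet in claimed:  # rule 1: a subnet enters the VPN through one client only
                findings.append(f"ccd/{cn} and ccd/{claimed[subnet]} both iroute {subnet}")
            claimed[subnet] = cn
            if subnet not in routes:  # iroute (server -> client) needs route (kernel -> tun)
                findings.append(f"ccd/{cn} has iroute {subnet} but server.conf has no matching route")
            if pool is not None and subnet.overlaps(pool):
                findings.append(f"ccd/{cn} iroute {subnet} overlaps the VPN pool {pool}")
            for r in pushed:
                if r != subnet and r.overlaps(subnet):
                    findings.append(f"ccd/{cn} iroute {subnet} overlaps the pushed LAN route {r}")
            if "client-to-client" in names and subnet not in pushed:
                findings.append(f"client-to-client is set but {subnet} is not pushed to the other clients")
    return findings


# Constructed sample files using the HOWTO's addresses (not a real deployment).
GOOD_SERVER_CONF = """\
# server-side LAN 10.66.0.0/24, VPN pool 10.8.0.0/24, client2 LAN 192.168.4.0/24
dev tun
server 10.8.0.0 255.255.255.0
push "route 10.66.0.0 255.255.255.0"
client-config-dir ccd
route 192.168.4.0 255.255.255.0
client-to-client
push "route 192.168.4.0 255.255.255.0"
"""
GOOD_CCD = {"client2": "iroute 192.168.4.0 255.255.255.0\n"}

BAD_SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
duplicate-cn
;route 192.168.4.0 255.255.255.0   (the forgotten twin of iroute, commented out)
"""
BAD_CCD = {
    "client2": "iroute 192.168.4.0 255.255.255.0\n",
    "client3": "iroute 192.168.4.0 255.255.255.0\n",  # same subnet claimed twice
}

if __name__ == "__main__":
    for label, conf, ccd in (("good", GOOD_SERVER_CONF, GOOD_CCD), ("bad", BAD_SERVER_CONF, BAD_CCD)):
        print(label, check_routed_lan(conf, ccd) or ["OK"])
```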

Posted on 2007-05-04 02:00
Reposted from: http://blog.5ilinux.com/

OpenVPN 2.0 HOWTO - Process management and the management interface (translation)
Original: http://openvpn.net/howto.html
My translation skill is limited and many places may be translated badly; please advise.


Configuring OpenVPN to run automatically on system startup

The lack of standards in this area means that most OSes have a different way of configuring daemons/services for autostart on boot. The best way to have this functionality configured by default is to install OpenVPN as a package, such as via RPM on Linux or using the Windows installer.

Linux
If you install OpenVPN via an RPM package on Linux, the installer will set up an initscript. When executed, the initscript will scan for .conf configuration files in /etc/openvpn, and if found, will start up a separate OpenVPN daemon for each file.

Windows
The Windows installer will set up a Service Wrapper, but leave it turned off by default. To activate it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click on properties, and set the Startup Type to Automatic. This will configure the service for automatic start on the next reboot.

When started, the OpenVPN Service Wrapper will scan the \Program Files\OpenVPN\config folder for .ovpn configuration files, starting a separate OpenVPN process on each file.


--------------------------------------------------------------------------------

Controlling a running OpenVPN process

Running on Linux/BSD/Unix

OpenVPN accepts several signals:

SIGUSR1 -- Conditional restart, designed to restart without root privileges
SIGHUP -- Hard restart
SIGUSR2 -- Output connection statistics to log file or syslog
SIGTERM, SIGINT -- Exit

Use the writepid directive to write the OpenVPN daemon's PID to a file, so that you know where to send the signal (if you are starting openvpn with an initscript, the script may already be passing a --writepid directive on the openvpn command line).

Running on Windows as a GUI
See the OpenVPN GUI page.

Running in a Windows command prompt window

On Windows, you can start OpenVPN by right clicking on an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".

Once running in this fashion, several keyboard commands are available:

F1 -- Conditional restart (doesn't close/reopen TAP adapter)
F2 -- Show connection statistics
F3 -- Hard restart
F4 -- Exit

Running as a Windows Service
When OpenVPN is started as a service on Windows, the only way to control it is:

Via the service control manager (Control Panel / Administrative Tools / Services) which gives start/stop control.
Via the management interface (see below).

Modifying a live server configuration

While most configuration changes require you to restart the server, there are two directives in particular which refer to files which can be dynamically updated on-the-fly, and which will take immediate effect on the server without needing to restart the server process.

client-config-dir -- This directive sets a client configuration directory, which the OpenVPN server will scan on every incoming connection, searching for a client-specific configuration file (see the manual page for more information). Files in this directory can be updated on-the-fly, without restarting the server. Note that changes in this directory will only take effect for new connections, not existing connections. If you would like a client-specific configuration file change to take immediate effect on a currently connected client (or one which has disconnected, but where the server has not timed-out its instance object), kill the client instance object by using the management interface (described below). This will cause the client to reconnect and use the new client-config-dir file.

crl-verify -- This directive names a Certificate Revocation List file, described below in the Revoking Certificates section. The CRL file can be modified on the fly, and changes will take effect immediately for new connections, or existing connections which are renegotiating their SSL/TLS channel (occurs once per hour by default). If you would like to kill a currently connected client whose certificate has just been added to the CRL, use the management interface (described below).

Status File

The default server.conf file has a line

status openvpn-status.log

which will output a list of current client connections to the file openvpn-status.log once per minute.

Using the management interface

The OpenVPN management interface allows a great deal of control over a running OpenVPN process. You can use the management interface directly, by telneting to the management interface port, or indirectly by using an OpenVPN GUI which itself connects to the management interface.

To enable the management interface on either an OpenVPN server or client, add this to the configuration file:

management localhost 7505

This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice -- you can use any free port).

Once OpenVPN is running, you can connect to the management interface using a telnet client. For example:

ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005
Commands:
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #

For more information, see the OpenVPN Management Interface Documentation.



Configuring OpenVPN to start automatically at system boot

Because there is no standard in this area, every system has a different way of starting daemons/services at boot. The best approach is to install one of the packages built specifically for OpenVPN, such as the RPM package on Linux or the installer on Windows.

Linux
If you install OpenVPN on Linux from the RPM package, a startup script is created automatically. When the script runs, it looks for configuration files with the .conf extension in /etc/openvpn and, if any are found, starts a separate OpenVPN process for each configuration file.

Windows
After installing on Windows, a service is created, which is off by default. To enable it, go to Control Panel / Administrative Tools / Services, select the OpenVPN service, right-click Properties and set it to start automatically. After this, the OpenVPN service will start automatically at the next system reboot.

When the OpenVPN service starts, it scans the \Program Files\OpenVPN\config directory for configuration files with the .ovpn extension and starts a corresponding OpenVPN process for each.


Controlling a running OpenVPN process

Running on Linux/BSD/Unix

OpenVPN accepts the following signals:

SIGUSR1 -- conditional restart, for restarting the OpenVPN process without root privileges
SIGHUP -- restart
SIGUSR2 -- output connection status to the log file or syslog
SIGTERM, SIGINT -- exit

Use the writepid directive in the configuration file to specify OpenVPN's pid file, so that you know which pid to send the signal to (if you start OpenVPN with a startup script, it already passes the writepid directive on the OpenVPN command line).

Running as a GUI on Windows

See the OpenVPN GUI page.

Running in a Windows command prompt window

On Windows, you can start OpenVPN by right-clicking an OpenVPN configuration file (.ovpn file) and selecting "Start OpenVPN on this config file".

Once running this way, the following keyboard commands are accepted:

F1 -- conditional restart (does not close/reopen the TAP adapter)
F2 -- show connection status
F3 -- restart
F4 -- exit

Running as a Windows service

When OpenVPN is started as a Windows service, it can only be controlled in the following ways:

Through the service control manager (Control Panel / Administrative Tools / Services), which gives start/stop control.
Through the management interface (see below).

Modifying the configuration of a running server

In most cases, changing the configuration file requires restarting the service for it to take effect. There are two special directives, however, whose files can be updated dynamically and take effect immediately without restarting the OpenVPN server process.

client-config-dir -- This directive sets the directory of client configuration files. On every incoming connection request, the OpenVPN server looks in that directory for the configuration file corresponding to the client (see the manual page for more information). Files in this directory can be updated dynamically without restarting the service. Note that changes only take effect for new connections, not for existing ones. If you want a client-specific configuration file to take effect immediately for a current connection (or one that has disconnected but whose server-side instance object has not yet timed out), you can kill the client instance object through the management interface (described below). The client will then reconnect and use the new client-config-dir file.

crl-verify -- This directive names the certificate revocation list file, described in detail in the Revoking Certificates section below. The CRL file can be modified in real time and takes effect immediately for new connections, or for existing clients when they renegotiate their SSL/TLS channel (once per hour by default). If you want to kill a currently connected client whose certificate has just been added to the CRL, you can do so through the management interface (described in detail below).

Status file

The default server configuration file server.conf has the following line

status openvpn-status.log

That directive writes a list of current client connections to the openvpn-status.log file once per minute.

Using the management interface

The OpenVPN management interface is a good way to control a running OpenVPN process. You can use the management interface directly, by connecting to its port with telnet, or indirectly by using an OpenVPN GUI that itself connects to the management interface.

To enable the management interface on an OpenVPN server or client, add the following line to the configuration file:

management localhost 7505

This tells OpenVPN to listen on TCP port 7505 for management interface clients (port 7505 is an arbitrary choice; you can pick any unused port).

Once OpenVPN is running, you can connect to the management interface with a telnet client, for example:

ai:~ # telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0_rc14 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 15 2005
Commands:
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
exit
Connection closed by foreign host.
ai:~ #

For more information, see the OpenVPN Management Interface Documentation.

[ This post was last edited by fsken on 2007-5-4 02:39 ]
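As an added example (not from the post above or from OpenVPN), this script automates the step the post recommends after a crl-verify or client-config-dir update: connect to the management interface enabled by "management localhost 7505", wait for the >INFO greeting, and send kill <cn>. Since no daemon is running here, a small constructed stand-in server answers in the SUCCESS:/ERROR: reply shape of the management protocol; the bound port, the common names and the exact reply wording are assumptions.

```python
import socket
import threading
from typing import Dict, Set, Tuple

# Greeting as shown in the telnet session above.
GREETING = b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n"


def kill_client(host: str, port: int, common_name: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to the management port, wait for the >INFO greeting, send
    'kill <cn>' and return (success, reply line). Command replies start with
    'SUCCESS:' or 'ERROR:'; asynchronous notifications start with '>' and are skipped."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        greeting = rd.readline().decode("utf-8", "replace").rstrip("\r\n")
        if not greeting.startswith(">INFO:"):
            return False, f"unexpected greeting: {greeting!r}"
        sock.sendall(f"kill {common_name}\n".encode())
        while True:
            line = rd.readline().decode("utf-8", "replace").rstrip("\r\n")
            if not line:  # EOF: the daemon closed the session without answering
                return False, "connection closed before a reply arrived"
            if not line.startswith(">"):
                break
        sock.sendall(b"quit\n")
        return line.startswith("SUCCESS:"), line


def fake_management_server(connected: Set[str]) -> int:
    """Constructed stand-in for the daemon's management port (this is NOT OpenVPN):
    serves one session and answers 'kill cn' in the SUCCESS:/ERROR: shape so that
    kill_client() can be exercised offline. Returns the port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(GREETING)
            for raw in conn.makefile("rb"):
                parts = raw.decode("utf-8", "replace").split()
                if not parts or parts[0] in ("quit", "exit"):
                    break
                if parts[0] == "kill" and len(parts) == 2 and parts[1] in connected:
                    connected.discard(parts[1])
                    conn.sendall(f"SUCCESS: common name '{parts[1]}' found, 1 client(s) killed\r\n".encode())
                elif parts[0] == "kill" and len(parts) == 2:
                    conn.sendall(f"ERROR: common name '{parts[1]}' not found\r\n".encode())
                else:
                    conn.sendall(b"ERROR: unknown command, enter 'help' for more options\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Kill 'client2' (connected) and 'nobody' (unknown) against fresh stand-in servers."""
    results: Dict[str, Tuple[bool, str]] = {}
    for cn in ("client2", "nobody"):
        port = fake_management_server({"client1", "client2"})  # constructed client list
        results[cn] = kill_client("127.0.0.1", port, cn)
    return results


if __name__ == "__main__":
    for cn, (ok, reply) in demo().items():
        print(f"{cn}: {'killed' if ok else 'not killed'} -> {reply}")
```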

Posted on 2007-05-04 02:03
Reposted from: http://blog.5ilinux.com/

OpenVPN 2.0 HOWTO - Initial testing (translation)
Original: http://openvpn.net/howto.html
My translation skill is limited and many places may be translated badly; please advise.

Starting up the VPN and testing for initial connectivity

Starting the server

First, make sure the OpenVPN server will be accessible from the internet. That means:

opening up UDP port 1194 on the firewall (or whatever TCP/UDP port you've configured), or
setting up a port forward rule to forward UDP port 1194 from the firewall/gateway to the machine running the OpenVPN server.
Next, make sure that the TUN/TAP interface is not firewalled.

To simplify troubleshooting, it's best to initially start the OpenVPN server from the command line (or right-click on the .ovpn file on Windows), rather than start it as a daemon or service:

openvpn [server config file]

A normal server startup should look like this (output will vary across platforms):


Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

Starting the client
As in the server configuration, it's best to initially start the OpenVPN server from the command line (or on Windows, by right-clicking on the client.ovpn file), rather than start it as a daemon or service:

openvpn [client config file]

A normal client startup on Windows will look similar to the server output above, and should end with the Initialization Sequence Completed message.

Now, try a ping across the VPN from the client. If you are using routing (i.e. dev tun in the server config file), try:

ping 10.8.0.1

If you are using bridging (i.e. dev tap in the server config file), try to ping the IP address of a machine on the server's ethernet subnet.

If the ping succeeds, congratulations! You now have a functioning VPN.

Troubleshooting

If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:

You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.

Solutions:

Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).

You get the error message: Initialization Sequence Completed with errors -- This error can occur on Windows if (a) You don't have the DHCP client service running, or (b) You are using certain third-party personal firewalls on XP SP2.

Solution: Start the DHCP client server and make sure that you are using a personal firewall which is known to work correctly on XP SP2.

You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.

Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).

The connection stalls on startup when using a proto udp configuration, the server log file shows this line:

TLS: Initial packet from x.x.x.x, sid=xxxxxxxx xxxxxxxx

however the client log does not show an equivalent line.

Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

See the FAQ for additional troubleshooting information.


Starting the VPN and testing initial connectivity

Starting the server

First, make sure the OpenVPN server is reachable from the internet, which means:

1. opening the UDP port on the firewall (or whichever UDP or TCP port you have configured), or
2. setting up a port forward rule on the firewall/gateway that forwards UDP port 1194 to the OpenVPN server.

Next, make sure your TUN/TAP interface is not blocked by a firewall.

To simplify troubleshooting, the best way to start OpenVPN is from the command line (or by right-clicking the server.ovpn file), rather than starting it as a service:

openvpn [server config file]

On a normal server startup, we see messages like the following:

Sun Feb 6 20:46:38 2005 OpenVPN 2.0_rc12 i686-suse-linux [SSL] [LZO] [EPOLL] built on Feb 5 2005
Sun Feb 6 20:46:38 2005 Diffie-Hellman initialized with 1024 bit key
Sun Feb 6 20:46:38 2005 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Feb 6 20:46:38 2005 TUN/TAP device tun1 opened
Sun Feb 6 20:46:38 2005 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Sun Feb 6 20:46:38 2005 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Sun Feb 6 20:46:38 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Sun Feb 6 20:46:38 2005 UDPv4 link local (bound): [undef]:1194
Sun Feb 6 20:46:38 2005 UDPv4 link remote: [undef]
Sun Feb 6 20:46:38 2005 MULTI: multi_init called, r=256 v=256
Sun Feb 6 20:46:38 2005 IFCONFIG POOL: base=10.8.0.4 size=62
Sun Feb 6 20:46:38 2005 IFCONFIG POOL LIST
Sun Feb 6 20:46:38 2005 Initialization Sequence Completed

Starting the client

As with the server configuration, the best way to start the client is from the command line (or on Windows by right-clicking the client.ovpn file):

openvpn [client config file]

On a normal client startup you should see messages similar to the server's, ending with "Initialization Sequence Completed".

Now we can try a ping across the VPN. If you are using routed mode (i.e. "dev tun" in the server configuration file), run the following command:

ping 10.8.0.1

If you are using ethernet bridging mode (i.e. "dev tap" in the server configuration file), try pinging an IP address on the server's LAN.

If the ping succeeds, congratulations: you now have a working VPN.

Troubleshooting

If OpenVPN initialization fails or the ping fails, here are some common symptoms and their solutions:

1. You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client could not establish a network connection with the server.

Solutions:

a. Make sure the server hostname/IP address and port the client connects to are correct.
b. If your OpenVPN server has a single NIC and sits inside a protected LAN, make sure your gateway firewall uses the correct port forwarding rule. For example: your OpenVPN machine is at 192.168.4.4 behind the firewall, listening for connections on UDP port 1194; the gateway serving the 192.168.4.x subnet should then have a port forwarding rule that forwards all requests to UDP port 1194 to 192.168.4.4.
c. Open the server's firewall to allow incoming connections on UDP port 1194 (or whichever TCP or UDP port is configured in the server configuration file).

2. You get the error message: Initialization Sequence Completed with errors -- This error can occur on Windows if (a) you have not enabled the DHCP client service, or (b) your XP SP2 is using a certain third-party personal firewall.

Solution: start the DHCP client service, or make sure your XP SP2 is using a personal firewall that is known to work correctly.

3. You get the Initialization Sequence Completed message but the ping test still fails. This usually means a firewall on the server or the client is blocking VPN traffic by filtering on the TUN/TAP device.

Solution: disable the client firewall if it filters traffic on the TUN/TAP device. For example, on Windows XP SP2 you can go to Windows Security Center -> Windows Firewall -> Advanced and uncheck the TAP-Win32 adapter (i.e. stop the firewall from filtering the TUN/TAP device, which essentially tells the firewall not to block authenticated VPN traffic). Likewise, on the server side make sure the TUN/TAP device is not filtered by a firewall (that said, selective filtering on the server's TUN/TAP interface does provide certain security benefits; see the access policies section below).

4. When starting with a udp protocol configuration the connection stalls, and the server log file shows the following line:

TLS: Initial packet from x.x.x.x, sid=xxxxxxxx xxxxxxxx

However, this message appears only on the server side; the client does not show an equivalent line.

Solution: you have a one-way connection from client to server; the server-to-client direction is blocked by a firewall, usually on the client side. The firewall may be (a) personal firewall software running on the client, or (b) the NAT router gateway serving the client, configured so that UDP packets returning from the server to the client are blocked.

See the FAQ for more troubleshooting information.

[ This post was last edited by fsken on 2007-5-4 02:40 ]

Posted on 2007-05-04 02:03
Original:
INTRODUCTION
OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tries to be a universal VPN tool offering a great deal of flexibility, there are a lot of options on this manual page. If you're new to OpenVPN, you might want to skip ahead to the examples section where you will see how to construct simple VPNs on the command line without even needing a configuration file.

Also note that there's more documentation and examples on the OpenVPN web site: http://openvpn.net/

And if you would like to see a shorter version of this manual, see the openvpn usage message which can be obtained by running openvpn without any parameters.   

DESCRIPTION
OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.

OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS mode) using client & server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.

OpenVPN is designed to work with the TUN/TAP virtual networking interface that exists on most platforms.

Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.   

OPTIONS
OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
--help
Show options.
--config file
Load additional config options from file where each line corresponds to one command line option, but with the leading '--' removed.
If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file

Note that configuration files can be nested to a reasonable depth.

Double quotation characters ("") can be used to enclose single parameters containing whitespace, and "#" or ";" characters in the first column can be used to denote comments.

Note that OpenVPN 2.0 and higher performs backslash-based shell escaping, so the following mappings should be observed:



\\       Maps to a single backslash character (\).
\"       Pass a literal doublequote character ("), don't
         interpret it as enclosing a parameter.
\[SPACE] Pass a literal space or tab character, don't
         interpret it as a parameter delimiter.

For example on Windows, use double backslashes to represent pathnames:



secret "c:\\OpenVPN\\secret.key"

For examples of configuration files, see http://openvpn.net/examples.html

Here is an example configuration file:


#
# Sample OpenVPN configuration file for
# using a pre-shared static key.
#
# '#' or ';' may be used to delimit comments.

# Use a dynamic tun device.
dev tun

# Our remote peer
remote mypeer.mydomain

# 10.1.0.1 is our local VPN endpoint
# 10.1.0.2 is our remote VPN endpoint
ifconfig 10.1.0.1 10.1.0.2

# Our pre-shared static key
secret static.key

Translation:

To be translated.....

[ This post was last edited by fsken on 2007-5-7 13:18 ]
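Added example, not from the man page or the OpenVPN source: a tokenizer that applies the configuration-file rules quoted in the OPTIONS section above ("#" or ";" in the first column is a comment, double quotes group a parameter containing whitespace, and the \\, \" and \[SPACE] escapes). The sample input is built from the page's own lines; the client-config-dir and echo lines are constructed to exercise the space and quote escapes.

```python
from typing import List


def split_params(line: str) -> List[str]:
    """Split one config line into parameters as the man page describes:
    a '#' or ';' in the first column makes the whole line a comment; double
    quotes group a parameter containing whitespace; a backslash passes the
    next character literally (\\\\ -> \\, \\" -> ", \\<space> -> space)."""
    if line[:1] in ("#", ";"):
        return []
    params: List[str] = []
    current = ""
    started = False  # lets an empty quoted parameter "" survive as a parameter
    quoted = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current += line[i + 1]  # escaped char is never a delimiter or quote
            started = True
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
            started = True
        elif ch in " \t" and not quoted:
            if started:
                params.append(current)
                current, started = "", False
        else:
            current += ch
            started = True
        i += 1
    if quoted:
        raise ValueError(f"unterminated double quote in: {line!r}")
    if started:
        params.append(current)
    return params


def parse_config(text: str) -> List[List[str]]:
    """Tokenize every line, dropping comments and blank lines. Each entry is
    [option, arg1, ...] without the leading '--' of the command-line form,
    which the man page says is omitted in configuration files."""
    return [p for p in (split_params(ln.rstrip("\r\n")) for ln in text.splitlines()) if p]


# Constructed input assembled from the man page's own examples plus two
# extra lines that exercise the \[SPACE] and \" escapes.
SAMPLE = r'''
# '#' or ';' may be used to delimit comments.
; this is also a comment
dev tun
remote mypeer.mydomain
ifconfig 10.1.0.1 10.1.0.2
secret "c:\\OpenVPN\\secret.key"
push "route 10.66.0.0 255.255.255.0"
client-config-dir C:\\Program\ Files\\OpenVPN\\ccd
echo say\ \"hi\"
'''

if __name__ == "__main__":
    for params in parse_config(SAMPLE):
        print(params)
```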

Posted on 2007-05-11 15:48
Keep it up!!!!! Please continue..... translating, looking forward to it.....

Posted on 2007-05-12 11:58
Marking this. I have never used OpenVPN; I will test it some other day.

Posted on 2007-05-16 10:16
Many thanks to the OP for all the hard work.

Posted on 2007-07-06 03:15
+1, I support this.