OpenVPN client connecting to the server shows the warning "Your certificate is not yet valid"


Background

OpenVPN, with the server on Windows and the client on ARM64 Linux. Both the server and client certificates were generated on Ubuntu with easy-rsa.

Symptom

After the OpenVPN server is started on Windows and the ARM client connects to it, the client reports the warning "Your certificate is not yet valid" and no VPN connection can be established.

Cause and fix

My ARM client cannot obtain the current time from the network, so its system clock is still at the factory-default time. The certificate's start of validity (2021/04/22) therefore lies after the client's system time (2020/01/01), and the client judges the certificate invalid.

The fix is to set the client's system time manually with the following Linux command:

                    date -s "20210422 10:30:00"

The system's current time now falls inside the certificate's validity period, and the problem is solved.
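To diagnose this before touching the clock, here is an added Python check (not code from the original post) that compares the system clock with a certificate's validity window and, when the clock lags behind notBefore, builds the date command in the post's format; check_cert_file() assumes the openssl binary is installed on the client.

```python
"""Check a host's clock against an X.509 certificate's validity window.
Added example, not code from the original post. It models the post's failure: the
certificate's notBefore (2021-04-22) lies after the client's factory-default clock
(2020-01-01), so OpenSSL reports "certificate is not yet valid".
check_cert_file() assumes the openssl binary is on PATH."""
import ssl
import subprocess
import time
from datetime import datetime, timezone

def cert_clock_status(not_before, not_after, now=None):
    """Return "not-yet-valid", "expired" or "valid" for clock `now` (epoch seconds).
    Dates use OpenSSL's text form, e.g. "Apr 22 02:30:00 2021 GMT", which is what
    `openssl x509 -startdate -enddate` prints after the '=' sign."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(not_before)  # stdlib parser for exactly this format
    end = ssl.cert_time_to_seconds(not_after)
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    return "valid"

def parse_openssl_dates(output):
    """Split the 'notBefore=...' and 'notAfter=...' lines openssl prints into a tuple."""
    fields = dict(line.split("=", 1) for line in output.strip().splitlines())
    return fields["notBefore"], fields["notAfter"]

def clock_fix_hint(not_before):
    """The one-off `date` command that moves the clock to the start of validity (UTC)."""
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    return f'date -u -s "{start:%Y%m%d %H:%M:%S}"'  # stop-gap only; enabling NTP is the durable fix

def check_cert_file(path, now=None):
    """Run openssl on a PEM certificate and classify it against the local clock."""
    out = subprocess.run(["openssl", "x509", "-noout", "-startdate", "-enddate", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    before, after = parse_openssl_dates(out)
    status = cert_clock_status(before, after, now)
    return status, (clock_fix_hint(before) if status == "not-yet-valid" else None)

if __name__ == "__main__":
    import sys
    print(*check_cert_file(sys.argv[1]))  # e.g. on the ARM client: python3 check_cert_clock.py ca.crt
```

A board without a battery-backed RTC loses a manually set time at the next reboot, so the hint is for getting the first connection up; a working NTP source keeps it up.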

Yes. According to a lookup on a tech site, OpenVPN supports v2: OpenVPN has good compatibility and is fully compatible with v2. OpenVPN, also known as open-source VPN, is a full-featured SSL VPN solution that provides many options for controlling the security of VPN clients in enterprise scenarios such as remote access, while also protecting the server.

1. Edit C:\Program Files\OpenVPN\easy-rsa\vars.bat.sample (the parenthesised annotations are explanatory and must not be typed into the file, because "set" would include them in the variable's value)

set KEY_COUNTRY=CN                 # (country)
set KEY_PROVINCE=JS                # (province)
set KEY_CITY=SuZhou                # (city)
set KEY_ORG=OpenVPN                # (organization)
set KEY_EMAIL=mail@host.domain     # (email address)

2. Configure the CA and related information at the DOS prompt. Note that this transcript generates 1024-bit RSA keys and DH parameters, the KEY_SIZE default of this easy-rsa version; raise KEY_SIZE in vars.bat to 2048 for any real deployment.

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>cd "C:\Program Files\OpenVPN\easy-rsa"

C:\Program Files\OpenVPN\easy-rsa>init-config

C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
已复制         1 个文件。

C:\Program Files\OpenVPN\easy-rsa>vars

C:\Program Files\OpenVPN\easy-rsa>clean-all
已复制         1 个文件。
已复制         1 个文件。

C:\Program Files\OpenVPN\easy-rsa>build-ca
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
....++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SuZhou]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]: OpenVPN-CA
Name [changeme]:
Email Address [mail@host.domain]:

C:\Program Files\OpenVPN\easy-rsa>build-dh
Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................................................................
.............................................+................+.................
........+.......................+...............................................
........................................................+.......................
.........+....+.................................................................
.........................................................................+......
...................................+.....+....................................+.
.....................................................................+..........
........................................................+.......................
...+.............++*++*++*

C:\Program Files\OpenVPN\easy-rsa>build-key-server server
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++++++
....++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SuZhou]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]: server
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JS'
localityName          :PRINTABLE:'SuZhou'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Oct 13 07:18:46 2025 GMT (3650 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>build-key client
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
............................++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [JS]:
Locality Name (eg, city) [SuZhou]:
Organization Name (eg, company) [OpenVPN]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]: client
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'JS'
localityName          :PRINTABLE:'SuZhou'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Oct 13 07:20:05 2025 GMT (3650 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated

C:\Program Files\OpenVPN\easy-rsa>

3. Copy the files

Copy ca.crt, dh1024.pem, server.crt and server.key into the server's C:\Program Files\OpenVPN\config directory.

Copy ca.crt, client.crt and client.key into the client's C:\Program Files\OpenVPN\config directory.

4. Create client.ovpn and server.ovpn in the C:\Program Files\OpenVPN\config directory

server.ovpn

# Lines starting with ';' are the sample config's commented-out alternatives.
# Listing them without the ';' makes OpenVPN refuse to start (for example,
# "server" and "server-bridge" cannot be used together).
local 192.168.1.101
port 1194
# Transport and device type must match the client.ovpn below (tcp + tap).
proto tcp
;proto udp
dev tap
;dev tun
# On Windows, dev-node selects the TAP adapter by its name in Network Connections.
;dev-node MyTap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Routed mode: clients receive addresses from this subnet.
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Bridged mode (server-bridge) is an alternative to "server", not an addition.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
# Redundant with the redirect-gateway push below, which already routes all traffic.
;push "route 0.0.0.0 0.0.0.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
# Send all client traffic through the VPN and hand out DNS servers.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
;client-to-client
;duplicate-cn
keepalive 10 120
# Enable only after generating ta.key (openvpn --genkey --secret ta.key), copying
# it to both sides and adding "tls-auth ta.key 1" to the client config.
;tls-auth ta.key 0
# If a cipher is set here, set the same one on the client.
;cipher BF-CBC
;cipher AES-128-CBC
;cipher DES-EDE3-CBC
comp-lzo
;max-clients 100
# Dropping to an unprivileged user/group is not available on Windows.
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20

client.ovpn

client
# dev and proto must match the server (tap, tcp).
dev tap
proto tcp
remote 192.168.1.101 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\client.crt"
key "C:\\Program Files\\OpenVPN\\config\\client.key"
comp-lzo
verb 3
mute 20
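A server.ovpn that lists alternatives such as proto tcp and proto udp, dev tun and dev tap, or server and server-bridge without commenting one of them out will not start, and a client.ovpn using tap/tcp only connects to a server configured the same way. As an added example (not code from the post), this Python linter parses a server/client pair and reports such contradictions; the embedded configs are constructed excerpts modelled on the post's files.

```python
"""Lint an OpenVPN server/client config pair for contradictions.
Added example, not code from the original post. It targets the post's setup: a
server.ovpn with proto tcp/udp, dev tun/tap and server/server-bridge all live at
once, and a client.ovpn that uses tap/tcp."""
SINGLE = ("proto", "dev", "port", "local", "server", "server-bridge")

def parse_ovpn(text):
    """Map directive -> list of argument lists; blank lines and ';'/'#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in ";#":
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def _last(conf, name, default=None):
    vals = conf.get(name)
    return vals[-1][0] if vals and vals[-1] else default  # OpenVPN keeps the last occurrence

def lint_pair(server_text, client_text):
    """Return a list of problems; an empty list means the pair looks consistent."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    out = []
    for side, conf in (("server", s), ("client", c)):
        for name in SINGLE:
            if len(conf.get(name, [])) > 1:
                out.append(f"{side}: '{name}' appears {len(conf[name])} times")
    if "server" in s and "server-bridge" in s:
        out.append("server: 'server' and 'server-bridge' are mutually exclusive")
    for name in ("proto", "dev"):  # both ends must agree on transport and device type
        default = "udp" if name == "proto" else None
        sv, cv = _last(s, name, default), _last(c, name, default)
        if sv != cv:
            out.append(f"{name} mismatch: server={sv} client={cv}")
    port = _last(s, "port", "1194")  # the client must dial the port the server listens on
    for args in c.get("remote", []):
        if len(args) > 1 and args[1] != port:
            out.append(f"client remote port {args[1]} != server port {port}")
    if ("tls-auth" in s) != ("tls-auth" in c):  # the HMAC key must exist on both sides
        out.append("tls-auth present on only one side; the handshake will be rejected")
    elif "tls-auth" in s and (s["tls-auth"][-1][-1], c["tls-auth"][-1][-1]) != ("0", "1"):
        out.append("tls-auth key direction should be 0 on the server and 1 on the client")
    return out

SERVER_AS_POSTED = ("local 192.168.1.101\nport 1194\nproto tcp\nproto udp\ndev tap\ndev tun\n"
                    "server 172.16.1.0 255.255.255.0\nserver-bridge\ntls-auth ta.key 0\n")  # constructed excerpt
SERVER_FIXED = SERVER_AS_POSTED.replace("proto udp", ";proto udp").replace("dev tun", ";dev tun") \
    .replace("\nserver-bridge", "\n;server-bridge").replace("tls-auth", ";tls-auth")
CLIENT = "client\ndev tap\nproto tcp\nremote 192.168.1.101 1194\n"  # constructed excerpt
```

Running lint_pair(SERVER_AS_POSTED, CLIENT) lists six problems, while lint_pair(SERVER_FIXED, CLIENT) returns an empty list.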


Source: 夏雨云 (sharing is welcome; credit the source when reposting)

Original URL: https://www.xiayuyun.com/zonghe/176649.html
