To reach the company network I used to have to install the OpenVPN client on my own machine. My rule is to install as little software as possible on my own machine, especially anything that stays resident in the background. Besides, networking is the router's job anyway, so I decided to move the OpenVPN client onto the router and simply add the routes there. Let's get to it.
I won't go into how OpenVPN works internally, since I don't know the details myself. The first thing to know is that OpenVPN does not really distinguish a client from a server: both sides run the same `openvpn` command and differ only in their configuration file. My router has no USB stick or SD card attached, so the configuration files can only live under /tmp (on a router that is a RAM filesystem, so they are gone after a reboot). Create a new directory there, /tmp/openvpncl, containing at least client.conf (the notes on the configuration file are at the end of this post; please read them).
The two certificates and the key go in the same directory: ca.crt, client.crt and client.key. Since /tmp is shared by everything on the router, keep client.key readable by its owner only. Now for the exciting part: connecting.
openvpn --config /tmp/openvpncl/client.conf --daemon
Our company pushes the routes from the server side, so once connected you will see several new entries in your routing table.
The entries that go out through interface tun0 are the routes that travel over the VPN; 130.0/255.255.254.0 is what I use to reach the outside. At this point only the router itself is connected to the VPN. To let every machine on the LAN use it there is one last step: add a rule to your iptables NAT table.
iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE
Congratulations: every machine on your LAN can now reach the VPN through the router without installing anything. Two things to check if it does not work: the rule above only rewrites packets that the routing table already sends out tun0, so a destination not covered by the pushed routes will not use the VPN; and if the router's FORWARD chain has a DROP policy, forwarding between the LAN interface and tun0 must be allowed as well.
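The whole procedure above, as an added example script rather than anything from the original post: it checks the /tmp/openvpncl directory (including that client.key is not readable by others), starts the daemon with a log file, waits for tun0, counts the pushed routes, and adds the MASQUERADE rule together with the forwarding rules it depends on, without duplicating rules on a re-run. It assumes a BusyBox-style router shell with openvpn, ifconfig, route, iptables and awk available, and a LAN bridge named br0 (a hypothetical name; set LAN_IF to override). Note that client.conf refers to ca.crt, client.crt and client.key by relative path, so openvpn must either be started from inside that directory or told where it is with `--cd`, which is what the script does.

```bash
#!/bin/sh
# Added example, not the original post's own script: bring up the OpenVPN
# client from /tmp/openvpncl on the router and share the tunnel with the LAN.
# Assumptions (not stated in the post): a BusyBox-style router shell with
# openvpn, ifconfig, route, iptables and awk on PATH; the LAN bridge is br0
# (hypothetical name, override with LAN_IF=...); file names follow the post.
set -u

CLDIR=${CLDIR:-/tmp/openvpncl}
LAN_IF=${LAN_IF:-br0}

# All four files the client needs must exist, and client.key must not be
# readable by group/other: /tmp on a router is shared by every process.
check_client_dir() {
    dir=$1
    for f in client.conf ca.crt client.crt client.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # columns 5-10 of "ls -l" are the group and other permission bits
    perm=$(ls -l "$dir/client.key" | cut -c5-10)
    [ "$perm" = "------" ] || { echo "client.key is readable by others ($perm)" >&2; return 2; }
    return 0
}

# Count the routes that leave via tun0 in "route -n" or "ip route" output
# read from stdin; these are the routes the server pushed once the tunnel is up.
count_tun_routes() {
    awk '$NF == "tun0" || /dev tun0($| )/ { n++ } END { print n + 0 }'
}

# Start the client as a daemon. --cd makes the relative paths in client.conf
# (ca ca.crt, cert client.crt, ...) resolve inside $CLDIR; --log keeps the
# daemon's messages somewhere readable when something goes wrong.
start_client() {
    openvpn --cd "$CLDIR" --config client.conf --daemon --log "$CLDIR/openvpn.log" || return 1
    i=0
    while [ "$i" -lt 30 ]; do
        ifconfig tun0 >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 1
    done
    echo "tun0 did not come up; see $CLDIR/openvpn.log" >&2
    return 1
}

# "iptables -L" shows the in/out interface columns only with -v; grepping that
# listing is how an already present rule is recognised, so re-running the
# script after a reconnect does not pile up duplicate rules.
have_rule() {  # have_rule TABLE CHAIN PATTERN
    iptables -t "$1" -L "$2" -vn 2>/dev/null | grep -q -- "$3"
}

# The post's MASQUERADE rule plus what it relies on: forwarding enabled in the
# kernel and allowed in the FORWARD chain for LAN<->tun0 (needed when the
# router's FORWARD policy is DROP). MASQUERADE only rewrites packets the
# routing table already sends out tun0, so only the pushed routes use the VPN.
share_tunnel() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    have_rule nat POSTROUTING 'MASQUERADE.*tun0' ||
        iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    have_rule filter FORWARD "ACCEPT.*$LAN_IF *tun0" ||
        iptables -A FORWARD -i "$LAN_IF" -o tun0 -j ACCEPT
    have_rule filter FORWARD "ACCEPT.*tun0 *$LAN_IF" ||
        iptables -A FORWARD -i tun0 -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

bring_up() {
    check_client_dir "$CLDIR" || return 1
    start_client || return 1
    echo "routes via tun0: $(route -n | count_tun_routes)"
    share_tunnel
}

# Only act when invoked as "sh openvpn-router.sh up"; sourcing the file just
# defines the functions without touching the router.
case "${1:-}" in
    up) bring_up ;;
esac
```

Run it on the router as `sh openvpn-router.sh up` after copying the four files into /tmp/openvpncl; `check_client_dir` refuses to start if client.key is group- or world-readable, which is the state a plain `cp` into /tmp usually leaves it in.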
##################################
# Sample client-side OpenVPN 2.0 config file
# for connecting to multi-client server.
#
# This configuration can be used by multiple
# clients, however each client should have
# its own cert and key files.
#
# On Windows, you might want to rename this
# file so it has a .ovpn extension
##################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
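The sample above ships with its security-relevant directives commented out: the server-certificate check the comment itself calls an important MITM precaution (`ns-cert-type server`; on later OpenVPN releases the equivalent is `remote-cert-tls server`), `tls-auth`, an explicit `cipher`, and the `user`/`group` privilege drop, while `comp-lzo` is on. The following is an added example, not code from the post or from the OpenVPN project: a small shell audit that reads a client.conf, treats a directive as active only when its line is not commented out with `;` or `#`, and reports which of those settings are missing. It runs against a constructed copy of the sample's directive lines and against a hardened variant of the same file; the AES-256-CBC cipher in the hardened variant is an illustrative choice, not something the post specifies.

```bash
#!/bin/sh
# Added example, not part of the original post: audit a client.conf for the
# security-relevant directives the sample config leaves commented out.
# Assumptions: POSIX sh with grep, sed and mktemp; the embedded sample is a
# constructed copy of the directive lines of the post's config, and
# AES-256-CBC in the hardened variant is an illustrative cipher choice.

# active DIRECTIVE FILE -> succeeds if DIRECTIVE starts an uncommented line
active() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$2"
}

# Print one finding per line and return the number of findings (0 = clean).
audit_client_conf() {
    cfg=$1
    n=0
    # The MITM precaution the sample's comment refers to: require that the peer
    # presents a *server* certificate (ns-cert-type on 2.0, remote-cert-tls on
    # later releases). Without it any client certificate signed by the same CA
    # is accepted as the server.
    if ! active ns-cert-type "$cfg" && ! active remote-cert-tls "$cfg"; then
        echo "no server certificate check (ns-cert-type server / remote-cert-tls server)"
        n=$((n + 1))
    fi
    if ! active tls-auth "$cfg"; then
        echo "no tls-auth: control-channel packets carry no extra HMAC (must match the server)"
        n=$((n + 1))
    fi
    if ! active cipher "$cfg"; then
        echo "no explicit cipher: the build default is used (must match the server)"
        n=$((n + 1))
    fi
    if ! active user "$cfg" || ! active group "$cfg"; then
        echo "no user/group: openvpn keeps root privileges after initialisation"
        n=$((n + 1))
    fi
    if active comp-lzo "$cfg"; then
        echo "comp-lzo on: compressing data before encryption is a known side-channel risk; leave it off unless the server requires it"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: the directive lines of the post's client.conf as shipped.
sample_conf() {
    cat <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
EOF
}

# Hardened variant: the same file with the commented directives switched on
# and compression switched off.
hardened_conf() {
    sample_conf | sed -e 's/^;user /user /' -e 's/^;group /group /' \
        -e 's/^;ns-cert-type /ns-cert-type /' -e 's/^;tls-auth /tls-auth /' \
        -e 's/^;cipher x$/cipher AES-256-CBC/' -e 's/^comp-lzo$/;comp-lzo/'
}

# Write a config function's output to a temp file, audit it, clean up and
# return the finding count so the result can be checked by a caller.
audit_generated() {  # audit_generated FUNCTION
    tmp=$(mktemp)
    "$1" > "$tmp"
    rc=0
    audit_client_conf "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

report() {  # report FUNCTION
    echo "== $1"
    if audit_generated "$1"; then echo "clean"; else echo "$? finding(s)"; fi
}

case "${1:-}" in
    demo) report sample_conf; report hardened_conf ;;
esac
```

`sh audit.sh demo` lists five findings for the file as shipped and none for the hardened variant; to check a real file, call `audit_client_conf /tmp/openvpncl/client.conf` from a shell that has sourced the script. The hardened variant still has to match the server (tls-auth key, cipher, compression), which is exactly why the sample leaves those lines commented; the point of the audit is to make that decision explicit rather than silent.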