# 2048 bit keys.
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
#route-method exe
#route-delay 2

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;push "route 192.168.40.128 255.255.255.248"
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients. See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "common name",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
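Several settings in the file above are ones a reviewer would question before putting the server into production: the commented-out cipher lines leave the pre-2.4 default BF-CBC (a 64-bit block cipher) in force, comp-lzo turns on compression of traffic that may mix secrets with attacker-influenced data, duplicate-cn would let one certificate serve many clients, a missing tls-auth would expose the TLS handshake to anyone who can reach the UDP port, dh1024.pem is below the 2048-bit size the file's own comment mentions, user/group are never dropped, and client-to-client lets every client reach every other one. The following script is an added example, not code from this tutorial or from the OpenVPN project: it parses a server config in the syntax shown above and reports those findings. The directive names are real OpenVPN syntax; the finding texts, the weak-cipher list and the 2048-bit DH threshold are the script's own choices, and SAMPLE_CONFIG is a constructed config modelled on the file above rather than the real server.ovpn.

```python
# Added example (not from the tutorial or the OpenVPN project): audit an
# OpenVPN 2.x server config for the risky settings the sample file leaves in
# place. Directive names are real OpenVPN syntax; the finding texts, the
# 2048-bit DH threshold and the weak-cipher list are this script's own choices.
import re

# 64-bit block ciphers; BF-CBC was the default before OpenVPN 2.4
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC"}


def parse_openvpn_config(text):
    """Return [(directive, [args]), ...] for the active lines of a config.

    OpenVPN treats lines starting with '#' or ';' as comments and also accepts
    a trailing '# ...' comment; a double-quoted argument is one token.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = re.split(r"\s#", line, maxsplit=1)[0].strip()
        tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', line)]
        entries.append((tokens[0], tokens[1:]))
    return entries


def audit_server_config(text):
    """Return [(directive, problem), ...]; one entry per weak spot found."""
    present = {}
    for directive, args in parse_openvpn_config(text):
        present.setdefault(directive, []).append(args)
    findings = []

    cipher = present.get("cipher")
    if cipher is None:
        findings.append(("cipher", "no cipher set; OpenVPN before 2.4 defaults to "
                         "BF-CBC, a 64-bit block cipher (set cipher AES-256-GCM)"))
    elif cipher[0] and cipher[0][0].upper() in WEAK_CIPHERS:
        findings.append(("cipher", f"{cipher[0][0]} is a 64-bit block cipher; "
                         "use AES-256-GCM or AES-256-CBC"))

    compress = present.get("compress", [])
    if "comp-lzo" in present or any(args for args in compress):
        findings.append(("comp-lzo", "compression is enabled; compressing attacker-"
                         "influenced data beside secrets leaks them (VORACLE/CRIME)"))

    if "duplicate-cn" in present:
        findings.append(("duplicate-cn", "one certificate can be shared by many "
                         "clients, so a leaked key cannot be tied to one user"))

    if "tls-auth" not in present and "tls-crypt" not in present:
        findings.append(("tls-auth", "no HMAC firewall: the TLS handshake is "
                         "reachable by anyone who can send UDP to the port"))

    dh = present.get("dh")
    if dh and dh[0]:
        bits = re.search(r"(\d+)", dh[0][0])  # file names like dh1024.pem
        if bits and int(bits.group(1)) < 2048:
            findings.append(("dh", f"{dh[0][0]} suggests {bits.group(1)}-bit DH "
                             "parameters; generate 2048-bit or larger"))

    if "user" not in present or "group" not in present:
        findings.append(("user/group", "daemon keeps its startup privileges; on "
                         "Windows run the service as a low-privilege account instead"))

    if "client-to-client" in present:
        findings.append(("client-to-client", "clients can reach each other through "
                         "the server; remove, or firewall the TUN/TAP interface"))
    return findings


# Constructed sample modelled on the tutorial's server.ovpn (not the real file).
SAMPLE_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server01.crt
key server01.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

if __name__ == "__main__":
    for directive, problem in audit_server_config(SAMPLE_CONFIG):
        print(f"{directive:18s} {problem}")
```

To check the real file, pass its contents to audit_server_config instead of SAMPLE_CONFIG. On Windows the user/group finding is informational only, since, as the config's own comment says, those directives are unavailable there; the rest apply on every platform, and a config that sets cipher AES-256-GCM, drops comp-lzo and uses a dh2048.pem file clears the cipher, compression and DH findings.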
(2) Copy the configuration file server.ovpn to C:\Program Files\OpenVPN\config, and copy ca.crt, ca.key, server01.crt, server01.csr, server01.key, dh1024.pem and ta.key from C:\Program Files\OpenVPN\easy-rsa\keys to C:\Program Files\OpenVPN\config. The server only reads the files named by its ca, cert, key, dh and tls-auth directives (ca.crt, server01.crt, server01.key, dh1024.pem, ta.key); ca.key is the CA's signing key and should be kept off the VPN server, and server01.csr is no longer needed once the certificate has been issued.

(3) Modify the registry with regedit