Setting up a LAN VPN data-access flow on W2008

What the VPN does: data inside the LAN is reached directly, bypassing the local network path. So if you set up a VPN somewhere outside the local LAN, you get the effect of accessing the LAN.
Roles → Add Roles
→ Network Policy and Access Services
→ Next
● √ Network Policy Server
● √ Routing and Remote Access Services
√ Remote Access Service
√ Routing
→ Next; the installation completes.
Open Administrative Tools / [Routing and Remote Access]
→ Configure and Enable Routing and Remote Access (shown in red while not started)
..., there are plenty of guides for these setup steps online, and they are basically all the same.
Once the Win2008 VPN is built, if you accidentally delete the NAT or another component, there is no need to uninstall or reinstall the role; just rebuild it directly.
● Now the important part:
Open the client's [Control Panel] → Internet Options,
click the [Connections] tab at the top → select the [VPN] entry in the box and click [Settings];
Dial-up settings → [Properties], select the [Networking] tab at the top;
→ select [TCP/IPv4] → [Properties]
Set the DNS address manually to: 8.8.8.8
Note: without the change above, local web pages will not open after connecting to the VPN.
Once the VPN connection succeeds, internet access works normally, and some sites blocked by the local gateway connect normally.
It is like being unable to open outside sites from inside the wall because they are blocked; if you build the same thing outside the wall, the principle is identical:
access goes directly through the connection built outside.
OpenVPN
Setting up OpenVPN on Win10 and using the Android client (for intranet penetration only; not to be used illegally)
● Configure the server
docker run \
--name ipsec-vpn-server \
--restart=always \
-e VPN_IPSEC_PSK=PW.123.PSK.abc \
-e VPN_USER=jast02 \
-e VPN_PASSWORD=PW.abc.PSK.123 \
-p 500:500/udp \
-p 4500:4500/udp \
-v /lib/modules:/lib/modules:ro \
-d --privileged \
hwdsl2/ipsec-vpn-server
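The command above passes the PSK, the user name and the password as -e flags, so they end up in the shell history and are visible in the process list while the container starts. As an added example (not from the original post or from the hwdsl2 project), the functions below generate random secrets, write them to an env file readable only by its owner, and build the same docker run command with --env-file instead; the file path and the default user name are assumptions. Anyone who can talk to the Docker socket can still read the values with docker inspect, so the env file reduces exposure rather than removing it.

```shell
#!/bin/sh
# Added example (not from the original post): keep the VPN credentials off the
# command line. Secrets go into an env file created with mode 0600 and docker
# reads them with --env-file. File path and default user name are assumptions.

# Print $1 random characters drawn from [A-Za-z0-9].
random_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Write VPN_IPSEC_PSK, VPN_USER and VPN_PASSWORD into file $1 (user name $2).
# The file is recreated under umask 077 so it is owner-readable from the start.
make_vpn_env_file() {
    file=$1
    user=${2:-vpnuser}
    rm -f "$file"
    (
        umask 077
        {
            printf 'VPN_IPSEC_PSK=%s\n' "$(random_token 32)"
            printf 'VPN_USER=%s\n' "$user"
            printf 'VPN_PASSWORD=%s\n' "$(random_token 32)"
        } >"$file"
    )
}

# Sanity check: exactly three KEY=VALUE lines, both secrets 32 characters long.
check_vpn_env_file() {
    file=$1
    [ "$(wc -l <"$file")" -eq 3 ] || return 1
    grep -q '^VPN_IPSEC_PSK=[A-Za-z0-9]\{32\}$' "$file" || return 1
    grep -q '^VPN_USER=[^=]\{1,\}$' "$file" || return 1
    grep -q '^VPN_PASSWORD=[A-Za-z0-9]\{32\}$' "$file" || return 1
}

# Same container as the post's command, with the -e flags replaced by --env-file.
vpn_run_command() {
    printf 'docker run --name ipsec-vpn-server --restart=always --env-file %s' "$1"
    printf ' -p 500:500/udp -p 4500:4500/udp -v /lib/modules:/lib/modules:ro'
    printf ' -d --privileged hwdsl2/ipsec-vpn-server\n'
}

if [ "${1:-}" = "demo" ]; then
    make_vpn_env_file /root/vpn.env jast02
    check_vpn_env_file /root/vpn.env && vpn_run_command /root/vpn.env
fi
```

Run it as `sh script.sh demo` to create /root/vpn.env and print the docker run line; the PSK and password never appear in the terminal.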
Steps:
Install openvpn (Docker app) 1.0.2 through the BT Panel (宝塔面板); when it finishes, open a terminal:
Last failed login: Fri Nov 8 20:08:24 CST 2024 from 218.92.0.246 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Fri Nov 8 20:08:14 2024 from localhost
2.4: Pulling from kylemanna/openvpn
188c0c94c7c5: Pull complete
67e020653bdb: Pull complete
ea7504435934: Pull complete
577cc4d838f3: Pull complete
5e1478772e2e: Pull complete
Digest: sha256:4de5e6690818c7c4025ae605369f681e813a7f9fe5d99feed988412c2d07987c
Status: Downloaded newer image for kylemanna/openvpn:2.4
docker.io/kylemanna/openvpn:2.4
Backing up /etc/openvpn/ovpn_env.sh -> /etc/openvpn/ovpn_env.sh.1731071931.bak
Backing up /etc/openvpn/openvpn.conf -> /etc/openvpn/openvpn.conf.1731071931.bak
Processing PUSH Config: 'block-outside-dns'
Processing Route Config: '192.168.254.0/24'
Processing PUSH Config: 'dhcp-option DNS 8.8.8.8'
Processing PUSH Config: 'dhcp-option DNS 8.8.4.4'
Processing PUSH Config: 'comp-lzo no'
Removing duplicate back-up: /etc/openvpn/ovpn_env.sh.1731071931.bak
removed '/etc/openvpn/ovpn_env.sh.1731071931.bak'
Removing duplicate back-up: /etc/openvpn/openvpn.conf.1731071931.bak
removed '/etc/openvpn/openvpn.conf.1731071931.bak'
Successfully generated config
Cleaning up before Exit ...
WARNING!!!
You are about to remove the EASYRSA_PKI at: /etc/openvpn/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
Confirm removal: yes
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Enter New CA Key Passphrase: (type a passphrase)
Re-Enter New CA Key Passphrase: (type the passphrase again)
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................................................+++++
................................+++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
(press Enter)
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:ABCEFDPass2025@CHINA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......+.........+..................................................+........................................................................................................................................................................................................................................................................................................+....................................+.....................................................................................................................+..........................................................................................+...............................................................++*++*++*++*
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
.........+++++
...........................................................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-72.JCMeIA/tmp.mpoFfi'
-----
Using configuration from /etc/openvpn/pki/easy-rsa-72.JCMeIA/tmp.kFHMnO
Enter pass phrase for /etc/openvpn/pki/private/ca.key: (type the passphrase from earlier)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'138.138.138.168'
Certificate is to be certified until Feb 11 12:19:09 2027 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Using configuration from /etc/openvpn/pki/easy-rsa-147.nKNcbE/tmp.dnBkfD
Enter pass phrase for /etc/openvpn/pki/private/ca.key: (type the earlier passphrase again)
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
Using SSL: openssl OpenSSL 1.1.1g 21 Apr 2020
Generating a RSA private key
...............+++++
.................................................................................................+++++
writing new private key to '/etc/openvpn/pki/easy-rsa-1.MdGLHj/tmp.DMLjBi'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/pki/easy-rsa-1.MdGLHj/tmp.ebJpMm
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'jast'
Certificate is to be certified until Feb 11 12:23:48 2027 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
ae1a787e0aaccd0cfd738dd73fd865634b167c931e20e26623303aef13c640c4
[root@cloud ~]#
If this appears:
The error says a container is already using the name ov2024;
that container must be deleted or renamed before the name can be reused.
List it, force-stop it, then delete it.
Delete command: docker rm -f <container name>
List:
Force stop:
Check port usage:
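For the "container name already in use" case above (and the docker stop/start/rm commands in the PS section later in the post), here is an added example, not from the original post, that checks whether a container with a given name exists, removes it, and lists what holds a port. Docker is called through a $DOCKER variable so the logic can be exercised without a daemon; the port check uses netstat from the net-tools package the post installs later, falling back to ss; the container name ov2024 is the post's.

```shell
#!/bin/sh
# Added example (not from the original post): resolve "container name already
# in use" and show what holds a port. Docker is invoked via $DOCKER so the
# functions can be exercised without a daemon; ov2024 is the post's container name.
DOCKER=${DOCKER:-docker}

# Print the name of container $1 (running or stopped) if it exists, else nothing.
find_container() {
    "$DOCKER" ps -a --format '{{.Names}}' | grep -x -- "$1" || true
}

# Stop and remove container $1 if present; succeed only when the name is free afterwards.
free_container_name() {
    name=$1
    if [ -n "$(find_container "$name")" ]; then
        "$DOCKER" stop "$name" >/dev/null 2>&1 || true   # graceful stop; may already be stopped
        "$DOCKER" rm -f "$name" >/dev/null                # force removal, as the post does
    fi
    [ -z "$(find_container "$name")" ]
}

# Listeners on port $1: netstat comes from net-tools (installed later in the post);
# ss is the fallback on hosts without it.
port_listeners() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -tulnp 2>/dev/null | grep -- ":$1 " || true
    else
        ss -tulnp 2>/dev/null | grep -- ":$1 " || true
    fi
}

if [ "${1:-}" = "demo" ]; then
    free_container_name ov2024 && echo "name ov2024 is free"
    port_listeners 1186
fi
```

`docker rm -f` on a running container kills it without a graceful shutdown; the stop call first gives the OpenVPN process a chance to exit cleanly, which is why it precedes the forced removal.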
● The server side is up.
/etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="20"/>
<port protocol="tcp" port="21"/>
<port protocol="tcp" port="22"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="39000-40000"/>
<port protocol="tcp" port="38898"/>
<port protocol="tcp" port="443"/>
<port protocol="tcp" port="1186"/>
<port protocol="udp" port="1186"/>
<rule family="ipv4">
<source address="172.17.0.0/16"/>
<accept/>
</rule>
</zone>
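As extracted, the zone file above had family=ipv4 without quotes and an <accept> that was never closed; firewalld reports an XML parse error for such a file, so the rule for the Docker subnet never takes effect. The added example below (not from the original post) checks a zone file for exactly these mistakes before firewalld is restarted, and shows the firewall-cmd invocations that produce the same permanent configuration; the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): lint a firewalld zone file for the
# mistakes seen in the post's XML, then show the firewall-cmd equivalents.

# Print one message per problem found in zone file $1; exit status 1 if any.
lint_zone_xml() {
    file=$1
    rc=0
    # attribute values must be quoted: family=ipv4 is not XML
    attr_pat="<[a-z]+[^>]*[[:space:]][a-z]+=[^\"'[:space:]>]"
    if grep -nE "$attr_pat" "$file"; then
        echo "unquoted attribute value (see line above)"; rc=1
    fi
    # every <rule ...> needs a matching </rule>
    opens=$(grep -c '<rule[ >]' "$file" || true)
    closes=$(grep -c '</rule>' "$file" || true)
    if [ "$opens" -ne "$closes" ]; then
        echo "<rule> open/close mismatch: $opens opened, $closes closed"; rc=1
    fi
    # elements that carry no content must be self-closing (<accept/>, <source .../>)
    if grep -nE '<(accept|source|service|port)([^>]*[^/>])?>' "$file"; then
        echo "element must be self-closing: <accept/>, <source .../> etc. (see line above)"; rc=1
    fi
    return $rc
}

# Same permanent configuration via firewall-cmd (needs a running firewalld).
apply_with_firewall_cmd() {
    firewall-cmd --permanent --zone=public --add-port=1186/tcp
    firewall-cmd --permanent --zone=public --add-port=1186/udp
    firewall-cmd --permanent --zone=public \
        --add-rich-rule='rule family="ipv4" source address="172.17.0.0/16" accept'
    firewall-cmd --reload
}

if [ "${1:-}" = "demo" ]; then
    lint_zone_xml /etc/firewalld/zones/public.xml && echo "zone file looks well-formed"
fi
```

Run `sh lint.sh demo` before `systemctl restart firewalld`; if it prints nothing but the final line, the file is at least structurally sound. Using firewall-cmd instead of hand-editing the XML avoids the problem entirely, since it writes the file itself.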
Troubleshooting
TLS negotiation failure caused by an OpenVPN version difference:
Error log on the older-version side:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
Error log on the newer-version side:
openvpn[12593]: 172.20.12.37:1186 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
openvpn[12593]: 172.20.12.37:1186 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
openvpn[12593]: 172.20.12.37:1186 TLS_ERROR: BIO read tls_read_plaintext error
openvpn[12593]: 172.20.12.37:1186 TLS Error: TLS object -> incoming plaintext read error
openvpn[12593]: 172.20.12.37:1186 TLS Error: TLS handshake failed
Because the newer version is backward compatible, add the following setting to the configuration on the newer-version side:
tls-version-min 1.0
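The two log excerpts above are the typical signature of a version mismatch as opposed to a plain connectivity problem: the "60 seconds" message alone only says that no handshake arrived, while "Unsupported protocol" on the newer side pins it on TLS versions. As an added example, not from the original post, the script below classifies an OpenVPN log into those cases and lists the peers that failed TLS; the sample log it writes is constructed from the lines quoted above. It repeats the post's fix for the mismatch case but notes that tls-version-min 1.0 re-enables a deprecated TLS version, so upgrading the older OpenVPN is the better long-term choice.

```shell
#!/bin/sh
# Added example (not from the original post): triage OpenVPN TLS failures from a
# log file. The sample log is constructed from the messages quoted in the post.

# Print one of: version-mismatch, no-handshake, ok  for log file $1.
diagnose_tls_log() {
    log=$1
    if grep -q 'TLS error: Unsupported protocol' "$log"; then
        echo version-mismatch
    elif grep -q 'TLS key negotiation failed to occur within' "$log"; then
        echo no-handshake
    else
        echo ok
    fi
}

# Unique peer addresses that produced a TLS error line (logged as ip:port on the server).
tls_failing_peers() {
    grep 'TLS [Ee]rror' "$1" | sed -nE 's/.* ([0-9.]+:[0-9]+) TLS [Ee]rror.*/\1/p' | sort -u
}

# Advice for a diagnosis produced by diagnose_tls_log.
tls_advice() {
    case "$1" in
        version-mismatch)
            echo "Peer only offers an old TLS version. Preferred fix: upgrade the old OpenVPN."
            echo "Workaround from the post: add 'tls-version-min 1.0' on the newer side (re-enables deprecated TLS 1.0)." ;;
        no-handshake)
            echo "No TLS handshake arrived within 60 s. Check that UDP 1186 is open on the firewall"
            echo "and that the client points at the right server address before changing TLS settings." ;;
        *) echo "No TLS failure found." ;;
    esac
}

# Constructed sample: the newer-version server side, as quoted in the post.
write_sample_log() {
    cat >"$1" <<'EOF'
openvpn[12593]: 172.20.12.37:1186 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled.
openvpn[12593]: 172.20.12.37:1186 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
openvpn[12593]: 172.20.12.37:1186 TLS Error: TLS handshake failed
EOF
}

if [ "${1:-}" = "demo" ]; then
    write_sample_log /tmp/openvpn_sample.log
    d=$(diagnose_tls_log /tmp/openvpn_sample.log)
    echo "diagnosis: $d"; tls_advice "$d"
    echo "peers:"; tls_failing_peers /tmp/openvpn_sample.log
fi
```

Point `diagnose_tls_log` at the real server log (for the Docker setup, `docker logs ov2024` redirected to a file) to get the same classification; a growing list from `tls_failing_peers` that never resolves is worth watching, since it shows who is repeatedly failing to authenticate.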
● Configure the client
Path on the server:
/opt/User2025.ovpn
After downloading it, add the following content:
Comment out the last line:
redirect-gateway def1
PS:
Stop openvpn: docker stop ov2024
Start openvpn: docker start ov2024
Show running containers:
docker ps
Restart docker:
systemctl restart docker
Restart firewalld:
systemctl restart firewalld
Show the server time:
hwclock
List image files:
docker images
Delete an image file:
docker rmi -f <image id (IMAGE ID)>
Client downloads and tutorial links
Win7:https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win7.exe
Win10:https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe
■ EasyRSA 2 Certificate Management scripts
This is the certificate generation tool; it must be ticked during installation, otherwise certificates cannot be created from the command line afterwards.
To view network connections, run ncpa.cpl
References
https://kui.li/675.html
https://kyo86.com/2022/10/08/openvpn/
https://blog.csdn.net/weizhen330/article/details/132244496
https://blog.csdn.net/qq_42761569/article/details/106538056
https://blog.csdn.net/sdhzdtwhm/article/details/135558435
Openvpn deployment_tls key negotiation failed to occur within 60 seco - CSDN blog *
Windows 10: setting up an open virtual private network experiment (client and server)_how to set up a virtual network on win10 - CSDN blog **
Build a VPN server in 1 minute_tech blog of "domain registration exchange"_51CTO blog ×
Centos7 using docke to build openV_push "comp-lzo no - CSDN blog ×
Saving the firewall rules
Setting up the firewall
Stop the firewalld firewall and disable it at boot
systemctl stop firewalld.service
systemctl disable firewalld.service
Install iptables and enable it at boot
yum -y install iptables-services net-tools
systemctl enable iptables.service
vi: open the editor
i: insert mode
:wq: save and quit (press ESC first)
Terminating a ping command:
Ctrl+Z; Ctrl+C
Configure the server firewall rules: incoming TCP/UDP traffic on port 1186 must be allowed and forwarded to the OpenVPN server's specific internal IP address:
# Allow traffic on TCP port 1186
sudo iptables -A INPUT -p tcp --dport 1186 -j ACCEPT
# Allow traffic on UDP port 1186
sudo iptables -A INPUT -p udp --dport 1186 -j ACCEPT
# Forward incoming TCP/UDP port 1186 traffic to the internal OpenVPN server address 192.168.1.10
sudo iptables -t nat -A PREROUTING -p tcp --dport 1186 -j DNAT --to-destination 192.168.1.10
sudo iptables -t nat -A PREROUTING -p udp --dport 1186 -j DNAT --to-destination 192.168.1.10
# Set up NAT (masquerading) so that return traffic is routed correctly
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
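The rules above work, but they are not idempotent (running the block twice appends duplicates), they add no FORWARD rules, which a DNAT target needs whenever the FORWARD policy is DROP, and the unrestricted MASQUERADE rewrites every forwarded packet rather than only those leaving on the WAN side. The added example below, not from the original post, applies the same port-1186 rules with a check-before-append pattern and tighter matches; the interface name eth0, the sysctl for forwarding, and the save step via `service iptables save` (provided by the iptables-services package installed above) are assumptions about the host, and the internal address 192.168.1.10 is the post's.

```shell
#!/bin/sh
# Added example (not from the original post): apply the port-1186 rules
# idempotently and with tighter scope. iptables is invoked through $IPTABLES so
# the logic can be exercised with a stub; eth0 is an assumed WAN interface name.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=${WAN_IF:-eth0}
OVPN_PORT=${OVPN_PORT:-1186}
OVPN_HOST=${OVPN_HOST:-192.168.1.10}   # internal OpenVPN address from the post

# Append a rule only if an identical one is not already present (-C = check).
# Usage: ensure_rule <table> <chain> <rule spec...>
ensure_rule() {
    table=$1; shift
    if ! "$IPTABLES" -t "$table" -C "$@" 2>/dev/null; then
        "$IPTABLES" -t "$table" -A "$@"
    fi
}

apply_openvpn_rules() {
    for proto in tcp udp; do
        # accept the VPN port on the host itself, only from the WAN side
        ensure_rule filter INPUT -i "$WAN_IF" -p "$proto" --dport "$OVPN_PORT" -j ACCEPT
        # redirect it to the internal OpenVPN host; the port stays the same
        ensure_rule nat PREROUTING -i "$WAN_IF" -p "$proto" --dport "$OVPN_PORT" \
            -j DNAT --to-destination "$OVPN_HOST"
        # DNAT only rewrites the address; the FORWARD chain must still let it through
        ensure_rule filter FORWARD -p "$proto" -d "$OVPN_HOST" --dport "$OVPN_PORT" -j ACCEPT
    done
    # replies for connections that were forwarded
    ensure_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # masquerade only what leaves through the WAN interface, not every packet
    ensure_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Without kernel forwarding, the DNAT'd packets are dropped.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Persist the running rule set (iptables-services on CentOS 7).
persist_rules() {
    service iptables save
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    apply_openvpn_rules
    persist_rules
fi
```

Run `sh rules.sh apply` as root; because every rule is checked with `-C` first, the script can be rerun after edits without piling up duplicate entries, and `iptables -S` afterwards shows exactly one copy of each rule.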