wstngfw中使用Viscosity连接OpenV-P-N服务器
在本例中,将假设以下设置:
| 站点 A | 站点 B | ||
| 名称 | Beijing Office(北京办公室) | 名称 | Shenzheng Office(深圳办公室) |
| WAN IP | 192.168.10.46 | WAN IP | 192.168.20.46 |
| LAN 子网 | 192.168.11.0/24 | LAN 子网 | 192.168.21.0/24 |
| LAN IP | 192.168.11.6 | LAN IP | 192.168.21.6 |
注意:隧道网络填入的信息必须严格匹配网段,192.168.21.82/28 不符合要求,必须改为 192.168.21.80/28
1. 配置 Shenzheng的设备
a. 添加 openvpn 服务端
高级选项中的内容: push "route 192.168.21.0 255.255.255.0";mute 10;comp-lzo;
b. 为要连接到服务器的每个设备生成客户端证书
>>> Installing pfSense-pkg-openvpn-client-export... Updating pfSense-core repository catalogue... pfSense-core repository is up to date. Updating pfSense repository catalogue... pfSense repository is up to date. All repositories are up to date. The following 4 package(s) will be affected (of 0 checked):New packages to be INSTALLED:pfSense-pkg-openvpn-client-export: 1.4.18_3 [pfSense]openvpn-client-export: 2.4.7 [pfSense]zip: 3.0_1 [pfSense]p7zip: 16.02_1 [pfSense]Number of packages to be installed: 4The process will require 18 MiB more space. 12 MiB to be downloaded. [1/4] Fetching pfSense-pkg-openvpn-client-export-1.4.18_3.txz: ... done [2/4] Fetching openvpn-client-export-2.4.7.txz: .......... done [3/4] Fetching zip-3.0_1.txz: .......... done [4/4] Fetching p7zip-16.02_1.txz: .......... done Checking integrity... done (0 conflicting) [1/4] Installing openvpn-client-export-2.4.7... [1/4] Extracting openvpn-client-export-2.4.7: .......... done [2/4] Installing zip-3.0_1... [2/4] Extracting zip-3.0_1: .......... done [3/4] Installing p7zip-16.02_1... [3/4] Extracting p7zip-16.02_1: .......... done [4/4] Installing pfSense-pkg-openvpn-client-export-1.4.18_3... [4/4] Extracting pfSense-pkg-openvpn-client-export-1.4.18_3: .......... done Saving updated package information... done. Loading package configuration... done. Configuring package components... Loading package instructions... Custom commands... Writing configuration... done. >>> Cleaning up cache... done. 成功
c. 导出CA证书(Shenzheng-VPN-CA.crt)(但是不需要导出CA密钥),导出客户端证书(Shenzheng-VPN-Client01.crt)和客户端密钥(Shenzheng-VPN-Client01.key),
以及导出TLS密钥(Shenzheng-TLS-AUTH.key)
Shenzheng-VPN-config.conf 文件内容
#-- Config Auto Generated By HG-NGFW for Viscosity --##viscosity startonopen false #viscosity dhcp true #viscosity dnssupport true #viscosity name VPNServerdev tun persist-tun persist-key cipher AES-256-CBC auth SHA tls-client client resolv-retry infinite remote 192.168.20.46 1194 udp verify-x509-name "Shenzheng-VPN-Server" name auth-user-pass remote-cert-tls server compress lzoca Shenzheng-VPN-CA.crt tls-auth Shenzheng-TLS-AUTH.key 1 cert Shenzheng-VPN-Client01.crt key Shenzheng-VPN-Client01.key
2. 使用Beijing站点内网windows7系统测试隧道的连通性
a. 配置Viscosity客户端
故障日志:
======================= End
