Configure an OpenVPN client for Azure Virtual WAN

This article helps you configure OpenVPN ® Protocol clients.

Before you begin

Create a User VPN (point-to-site) configuration. Make sure that you select "OpenVPN" for tunnel type. For steps, see Create a P2S configuration for Azure Virtual WAN.

Windows clients

  1. Download and install the OpenVPN client (version 2.4 or higher) from the official OpenVPN website.

  2. Download the VPN profile for the gateway. This can be done from the Point-to-site configuration tab in the Azure portal, or 'New-AzVpnClientConfiguration' in PowerShell.

  3. Unzip the profile. Next, open the vpnconfig.ovpn configuration file from the OpenVPN folder using Notepad.

  4. Export the point-to-site client certificate you created and uploaded to your P2S configuration on the gateway. Use the following article links:

  5. Extract the private key and the base64 thumbprint from the .pfx. There are multiple ways to do this. Using OpenSSL on your machine is one way. The profileinfo.txt file contains the private key and the thumbprint for the CA and the Client certificate. Be sure to use the thumbprint of the client certificate.

    openssl pkcs12 -in "filename.pfx" -nodes -out "profileinfo.txt"
    
  6. Open profileinfo.txt in Notepad. To get the thumbprint of the client (child) certificate, select the text (including and between) "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for the child certificate and copy it. You can identify the child certificate by looking at the subject=/ line.

  7. Switch to the vpnconfig.ovpn file you opened in Notepad from step 3. Find the section shown below and replace everything between "cert" and "/cert".

    # P2S client certificate
    # please fill this field with a PEM formatted cert
    <cert>
    $CLIENTCERTIFICATE
    </cert>
    
  8. Open profileinfo.txt in Notepad. To get the private key, select the text (including and between) "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and copy it.

  9. Go back to the vpnconfig.ovpn file in Notepad and find this section. Paste the private key, replacing everything between "key" and "/key".

    # P2S client root certificate private key
    # please fill this field with a PEM formatted key
    <key>
    $PRIVATEKEY
    </key>
    
  10. Do not change any other fields. Use the filled in configuration in client input to connect to the VPN.

  11. Copy the vpnconfig.ovpn file to the C:\Program Files\OpenVPN\config folder.

  12. Right-click the OpenVPN icon in the system tray and click connect.

Mac clients

  1. Download and install an OpenVPN client, such as Tunnelblick.

  2. Download the VPN profile for the gateway. This can be done from the point-to-site configuration tab in the Azure portal, or by using 'New-AzVpnClientConfiguration' in PowerShell.

  3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in a text editor.

  4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM formatted certificate, you can simply open the .cer file and copy over the base64 key between the certificate headers. Use the following article links for information about how to export a certificate to get the encoded public key:

  5. Fill in the private key section with the P2S client certificate private key in base64. See Export your private key on the OpenVPN site for information about how to extract a private key.

  6. Do not change any other fields. Use the filled in configuration in client input to connect to the VPN.

  7. Double-click the profile file to create the profile in Tunnelblick.

  8. Launch Tunnelblick from the applications folder.

  9. Click on the Tunnelblick icon in the system tray and pick connect.

Important

Only iOS 11.0 and above and macOS 10.13 and above are supported with OpenVPN protocol.

iOS clients

  1. Install the OpenVPN client (version 2.4 or higher) from the App store.

  2. Download the VPN profile for the gateway. This can be done from the point-to-site configuration tab in the Azure portal, or by using 'New-AzVpnClientConfiguration' in PowerShell.

  3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in a text editor.

  4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM formatted certificate, you can simply open the .cer file and copy over the base64 key between the certificate headers. Use the following article links for information about how to export a certificate to get the encoded public key:

  5. Fill in the private key section with the P2S client certificate private key in base64. See Export your private key on the OpenVPN site for information about how to extract a private key.

  6. Do not change any other fields.

  7. E-mail the profile file (.ovpn) to your email account that is configured in the mail app on your iPhone.

  8. Open the e-mail in the mail app on the iPhone, and tap the attached file.

  9. Tap on More if you do not see the Copy to OpenVPN option.

  10. Tap on Copy to OpenVPN.

  11. Tap on ADD in the Import Profile page.

  12. Tap on ADD in the Imported Profile page.

  13. Launch the OpenVPN app and slide the switch in the Profile page right to connect.

Linux clients

  1. Open a new Terminal session. You can open a new session by pressing 'Ctrl + Alt + t' at the same time.

  2. Enter the following command to install needed components:

    sudo apt-get install openvpn
    sudo apt-get -y install network-manager-openvpn
    sudo service network-manager restart
    
  3. Download the VPN profile for the gateway. This can be done from the Point-to-site configuration tab in the Azure portal.

  4. Export the P2S client certificate you created and uploaded to your P2S configuration on the gateway. Use the following article links:

  5. Extract the private key and the base64 thumbprint from the .pfx. There are multiple ways to do this. Using OpenSSL on your computer is one way.

    openssl pkcs12 -in "filename.pfx" -nodes -out "profileinfo.txt"
    

    The profileinfo.txt file will contain the private key and the thumbprint for the CA, and the Client certificate. Be sure to use the thumbprint of the client certificate.

  6. Open profileinfo.txt in a text editor. To get the thumbprint of the client (child) certificate, select the text including and between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for the child certificate and copy it. You can identify the child certificate by looking at the subject=/ line.

  7. Open the vpnconfig.ovpn file and find the section shown below. Replace everything between "cert" and "/cert".

    # P2S client certificate
    # please fill this field with a PEM formatted cert
    <cert>
    $CLIENTCERTIFICATE
    </cert>
    
  8. Open profileinfo.txt in a text editor. To get the private key, select the text including and between "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" and copy it.

  9. Open the vpnconfig.ovpn file in a text editor and find this section. Paste the private key, replacing everything between "key" and "/key".

    # P2S client root certificate private key
    # please fill this field with a PEM formatted key
    <key>
    $PRIVATEKEY
    </key>
    
  10. Do not change any other fields. Use the filled in configuration in client input to connect to the VPN.

  11. To connect using the command line, type the following command:

    sudo openvpn --config <name and path of your VPN profile file>&
    
  12. To connect using the GUI, go to system settings.

  13. Click + to add a new VPN connection.

  14. Under Add VPN, pick Import from file…

  15. Browse to the profile file and double-click or pick Open.

  16. Click Add on the Add VPN window.

  17. You can connect by turning the VPN ON on the Network Settings page, or under the network icon in the system tray.
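
Steps 5 to 9 of the Linux procedure can be scripted instead of copied by hand. The following is an added example, not part of the original article: it reads profileinfo.txt, picks the child certificate by its subject= line, and fills the <cert> and <key> sections of vpnconfig.ovpn. The function names and the subject text argument are assumptions of this example; because `-nodes` leaves the private key unencrypted, the filled profile is written readable by its owner only.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are this
# example's own; the subject text argument is whatever names your child cert.
set -eu

# Print the PEM certificate that follows the first subject= line containing $2.
pem_cert_by_subject() {
  awk -v pat="$2" '
    /^subject=/ { want = (index($0, pat) > 0) }
    want && /-----BEGIN CERTIFICATE-----/ { on = 1 }
    on { print }
    on && /-----END CERTIFICATE-----/ { exit }' "$1"
}

# Print the private key, BEGIN/END PRIVATE KEY lines included.
pem_private_key() {
  awk '/-----BEGIN PRIVATE KEY-----/ { on = 1 }
       on { print }
       /-----END PRIVATE KEY-----/ { on = 0 }' "$1"
}

# Filter stdin to stdout, replacing everything between <tag> and </tag> with $2.
# The PEM text travels in the environment because awk -v mangles newlines.
fill_section() {
  PEM="$2" awk -v tag="$1" '
    { sub(/\r$/, "") }                       # tolerate CRLF profiles
    $0 == "<" tag ">"  { print; print ENVIRON["PEM"]; skip = 1; next }
    $0 == "</" tag ">" { skip = 0 }
    !skip { print }'
}

# build_profile <profileinfo.txt> <vpnconfig.ovpn> <subject text> <output.ovpn>
build_profile() (
  umask 077                                  # output holds a private key
  cert=$(pem_cert_by_subject "$1" "$3")
  key=$(pem_private_key "$1")
  # Refuse to write a profile with an empty <cert> or <key> section.
  [ -n "$cert" ] && [ -n "$key" ] || { echo "certificate or key not found" >&2; exit 1; }
  rm -f -- "$4"                              # recreate so umask applies
  fill_section cert "$cert" < "$2" | fill_section key "$key" > "$4"
)

# Run only when called with the four arguments build_profile expects.
if [ "$#" -eq 4 ]; then build_profile "$@"; fi
```

Called with four arguments (profileinfo.txt, vpnconfig.ovpn, a substring of the child certificate's subject, and an output path), the script writes the filled profile. Remove profileinfo.txt once the profile is built, since it also holds the unencrypted key.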

Next steps

For more information about User VPN (point-to-site), see Create User VPN connections.

"OpenVPN" is a trademark of OpenVPN Inc.