我先把我的主機貼出來給您參考：

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d(我在家使用ip分享器，所以主機是虛擬的)
local 192.168.1.101

# TCP or UDP server?預設使用udp
;proto tcp
proto udp

;dev tap預設使用tun模式
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap有設定tap模式才需設定，但非windows系統不需要

預設不動
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

我改為2048，若您也改了，記得這邊也要改！
dh dh2048.pem

設定虛疑ip段
server 192.168.2.0 255.255.255.0

這邊會把有連線過的用戶端ip記錄成ipp.txt
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.這邊指的似乎是說設定橋接模式的設定，故我未設定
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.強制設定才能讓用戶端才能連到別台用戶端
push "route 192.168.2.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248這邊是要設定固定用戶端ip用的，須在config子目錄下再建一個ccd目錄，裡面的檔案格式，請容有人需要，我再貼資料
client-config-dir ccd
route 192.168.2.0 255.255.255.0

# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.這邊的設定跟跳版有關，我尚未學會跳版
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats這邊也是跟跳版有關的，會讓用戶端改用伺服器端的dns跟wins解析
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.預設是取消，只會讓用戶端連到伺服器端，若需要用戶端對用戶端請刪除分號
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.這邊是說，若只想建同一帳號多人使用就必須刪掉分號
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.預設不動，指的是若remote端經過120秒後ping不到，改每十秒再ping一次(意思應該是這樣啦，若翻錯請指正)
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)這邊是加密方式，我忘了預設是啥了，改了後，用戶端也必須一致！
cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.預設似乎有打開，這邊有設定，一樣在用戶端也須設定
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.用戶端最大允許量
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.這邊是給非windows系統使用
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.我忘了這是在作啥的？好像就預設不動它了
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.將狀態寫入log檔
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

有設定到的東西，在用戶端也一定要配合才能喔。

底下是用戶端的設定：

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.預設不動
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.看是tun還是tap模式
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.若是tap模式，請將MyTap改成正確的名稱
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.使用tcp或udp連結
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.設定跟伺服器連接的位置
remote sse-cmm.dyndns.org 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.這邊似乎是若有架多個伺服器，用戶端可以自行選擇伺服器
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.預設不動，字面的意思似乎是會持續跟解析辨認主機
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.預設不動，指的似乎是跟用戶端指定埠號
nobind

# Downgrade privileges after initialization (non-Windows only)預設不動，非windows系統使用
;user nobody
;group nobody

# Try to preserve some state across restarts.預設不動，不清楚作用
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.用戶端若需透過proxy連接伺服器，這邊必須設定
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.預設不動，這邊是給無線用戶端設定使用的，若用戶端是使用無線上網，可能需要設定
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.這邊用戶端給的名字是啥就得改成一樣
ca ca.crt
cert john.crt
key john.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.預設不動，不清楚在作啥的
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.預設不動
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.伺服器改了加密方法時，這邊也要改
;cipher x
cipher AES-128-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.伺服器有設定要壓縮，這邊也要設；若伺服器沒設，這邊也得mark起來
comp-lzo

# Set log file verbosity.預設不動
verb 3

# Silence repeating messages預設不動
;mute 20

以上，請參考看看。

[ 本文最後由 sse-cmm 於 2008-8-31 22:52 編輯 ]

那請問有辦法強迫連到SERVER端嗎(跳板那樣)

樓主這麼忙，還肯騰出時間補圖，真是太感謝你了^^

原文由 a152222 於 2008-8-18 00:47 發表
那請問有辦法強迫連到SERVER端嗎(跳板那樣)

跳版的部份，真是不好意思，
我去年玩的時候還沒玩出心得來耶，
暫時還不能幫您喔。最近真的比較忙，
剛才才把公務忙到一個段落了，明天看看吧。

關於跳版的部份，主機我之前曾設定過這部份：
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

把它打開，用戶端真的會以伺服器為gateway，
但還須要設定什麼，我就...
因為我失敗了，所以，很抱歉，有空才能玩看看才會知道喔。

[ 本文最後由 sse-cmm 於 2008-8-18 21:29 編輯 ]

原文由 sse-cmm 於 2008-8-17 18:28 發表
我先把我的主機貼出來給您參考：

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d(我在家使用ip分享器，所以主機是虛擬的)
local 192.168.1.101

# TCP or UDP server?預設 ...

以下這是我的 server.ovpn 設定... Server 是 Win2K Server, VPN 版本是 2.1_rc9; 其中我必須將 Server 端的 RAS 啟動, 才能夠在連線成功後順利 (其實速度也是超慢... =.=) 使用內部資源, 另外有關硬體防火牆部份, 我只開了 wan-lan 的 1194 rule, 及 對映 1194 port forwarding.

;local a.b.c.d     #這個部份我沒變動, 讓它自動偵測

port 1194

# TCP or UDP server?
proto tcp
;proto udp

dev tap     #如果使用 tun, 則會導致無法 ping  vpn server, 及 mount volume
;dev tun

;dev-node MyTap

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

dh dh1024.pem

server 192.168.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

push "route 192.168.0.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script

push "redirect-gateway"

;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

client-to-client

duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

comp-lzo

;max-clients 100

;user nobody
;group nobody

persist-key
persist-tun

status openvpn-status.log

;log         openvpn.log
;log-append  openvpn.log

verb 3

;mute 20

另外我的 client.ovpn 設定如下 :

client

dev tap
;dev tun

;dev-node MyTap

proto tcp
;proto udp

remote xxx.xxx.xxx.xxx 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite

nobind

;user nobody
;group nobody

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

;mute-replay-warnings

ca ca.crt
cert user1.crt
key user1.key

;ns-cert-type server

;tls-auth ta.key 1

;cipher x

comp-lzo

verb 3

;mute 20

真的是萬分抱歉, 一直打擾您, 還請多多見諒...  

[ 本文最後由 eddie1 於 2008-8-18 20:19 編輯 ]

沒想到您已經回文了，
那我再仔細看看有何意見可給您。

這好像n年前在玩rx的bot喔...^^"

原文由 eddie1 於 2008-8-17 17:58 發表
問題回報 : 目前改使用 tap, 已可正常連線, 能 ping & net view, 且 mount shared folder 也正常. 但是連線速度超慢.... 還在努力測試中...
再次感謝樓主指點, 如果還有何改進方式, 還請不吝指教.

改用tap的話，由於之前在試跳板時，
有用過，但失敗了，所以就又改回預設的。

速度超慢喔？
之前我在公司使用P4主機xp系統當作openvpn主機，
那時是正常的哩，速度因為家中只能牽2m/256k的adsl，
所以拉檔案都約170~200k在跑。

之後公司防火牆擋太離譜後，
改用家裡的電腦當openvpn主機，
家裡的電腦比公司好很多，
這時有設加密跟加壓，速度也沒慢下來，
不知道是不是主機的關係？
因為我沒有p3的電腦，
所以，很抱歉，我目前無法給您任何建議囉。
(但若有想要什麼會再回文補充的)

另，樓上要架跳版的，若急的話，
可以到官網查看資料，只不過都是英文，
當初我也是k的很久。

不然，我只能在星期五後才能實驗，
因為星期一到四我另一台電腦每晚要錄電視節目，
csi、x檔案等等，所以只能在星期五至日才能玩。

不過，也得我真的有空....
這星期周末我得到高雄一趟，
所以...有後續消息請再持續關注本串文，哈！
(不過，不要抱太大希望啦，我都很想要有孫悟空的分身法術呢，唉~~)

(我才剛回到家，洗完澡、吃完飯><")

由於您說您一定得使用tap，我看了看，
原文有一段是說：
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

指的，似乎是..您必須在網路連線那邊必須先弄一個bridge的東西來，
可是我怎麼記得這個東西似乎只有xp以上的系統才有呢？
我很久沒碰2000了，請您試看看有沒有辦法作這個出來。

嗯？您有打開push "redirect-gateway"喔？
我之前打開後，那似乎是要作跳板的設定哩，
那時我測試失敗就把它給關了。
不然用戶端出不去。

[ 本文最後由 sse-cmm 於 2008-8-18 21:31 編輯 ]

我瘋了.... 這幾天想重設一些參數後再試看看,  結果卻一直發生錯誤....
原本以為是 Win2008 的問題, 結果換回 Win2K / WinXP 卻都一樣..... 確認了步驟如下 :
1. 修改 vars.bat.sample 內容
2. init-config.bat
3. vars.bat
4. clean-all.bat
5. build-dh.bat
6. build-ca.bat
7. build-key-server.bat server
此時卻發生 找不到 C:\Program Files\OpenVPN\easy-rsa\keys\*.old 的錯誤!!
剛才又再試了一次, 發現原來錯誤是... openvpn-2.1_rc9-install.exe 這個版本有問題, 不知道有哪位大大知道問題何在嗎?
謝謝哦

是這樣的喔？
我查了我的電腦...
因為是去年就下載的，
看起來是2.1.rc7這個版本，
我記得可以下載舊的版本不是嗎？

http://openvpn.net/release/openvpn-2.0.7-install.exe

另一個會發生找不到old的原因，
之前發生過是因為輸入的資訊跟原始不合。

[ 本文最後由 sse-cmm 於 2008-8-25 18:44 編輯 ]

原文由 sse-cmm 於 2008-8-25 18:43 發表
是這樣的喔？
我查了我的電腦...
因為是去年就下載的，
看起來是2.1.rc7這個版本，
我記得可以下載舊的版本不是嗎？

http://openvpn.net/release/openvpn-2.0.7-install.exe

另一個會發生找不到old的原因， ...

感謝您的再次回覆, 剛剛已下載了 2.1rc7, 晚些再來試試~
不過可以確定的是我在 2.1rc9 上做的嘗試, 所鍵入的數值絕對是沒錯誤的... 而且這次使用 2.0.9 時, 所鍵入的數值與其中一次 2.1rc9 上所鍵入的是一樣的. 且一次就成功了...
另外這次在 2.0.9 上測試所使用的 server.ovpn 及 client.ovpn 是使用您所提供的參數, 但是連線之後卻一樣無法 ping 到 VPN server... (OS : WIN2008), 防火牆也確定有開始正確的 port...
實在是頭痛...  
PS : 疑... 樓主您所提供的下載是更舊的 2.0.7 耶...

原文由 eddie1 於 2008-8-25 19:13 發表
PS : 疑... 樓主您所提供的下載是更舊的 2.0.7 耶...

因為您之前的一段話：「剛才又再試了一次, 發現原來錯誤是... openvpn-2.1_rc9-install.exe 這個版本有問題」，
所以，我才會想說是版本的問題嗎？
才會給您舊版的連結。
但rc9是穩定版，似乎不太可能會有問題耶。

對了，那您應該有建keys這個子目錄吧？

還有，我可能會誤導您們，
其實，建議只安裝gui版的就好，
不要再安裝非gui的版本，
因為要自動啟動、使用等等比較方便。

那請問您是安裝了非gui版？還是gui版？
還是二個都有安裝呢？