OpenVPN runs on many platforms, such as BSD, Linux and M$ (Windows).
Run OpenVPN on the gateway at each of two sites so that the two LANs can reach each other. Topology:
[ Lan A (10.0.0.0/16) ] --- [ Vpn Server/Gateway ]
|
[ Internet ]
|
[ Vpn Client/Gateway ] --- [ Lan B (172.16.250.0/24) ]
OpenVPN supports two authentication methods, certificates and username/password; certificates are used below.
Packages required:
bash, openvpn, etc.
1. Create the configuration directory
# mkdir /etc/openvpn
# cp -r /usr/local/share/examples/openvpn/easy-rsa/ /etc/openvpn/
2. Edit vars
# cd /etc/openvpn/easy-rsa
# vi vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=GuangDong
export KEY_CITY=GuangZhou
export KEY_ORG="OpenVPN-Congli"
export KEY_EMAIL="congli@congli.org.cn"
3. Load the variables into the environment
# bash
# . vars
4. Initialise the keys directory
# ./clean-all
5. Generate the root CA certificate, which will sign the server and client certificates.
# ./build-ca
(Note: press Enter at each prompt to accept the default unless you need to change it)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [OpenVPN-Congli]:
Organizational Unit Name (eg, section) []:OpenVPN Service
Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA
Email Address [congli@congli.org.cn]:
6. Generate the Diffie-Hellman parameters for the server
# ./build-dh
(Note: this writes dh1024.pem into the keys directory. The size follows KEY_SIZE in vars; 1024-bit DH is considered too weak today, so current deployments set KEY_SIZE to 2048 or larger before running build-dh.)
7. Create and sign the certificate for the VPN server. The Common Name matches the command-line argument, and the files are written as keys/server.*.
# ./build-key-server server
(Note: "server" is the base name of the generated files, server.crt and server.key)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [OpenVPN-Congli]:
Organizational Unit Name (eg, section) []:OpenVPN Service
Common Name (eg, your name or your server's hostname) []:server
Email Address [congli@congli.org.cn]:
A challenge password []:
An optional company name []:
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
8. To guard against malicious traffic (e.g. DoS, UDP port flooding), generate an "HMAC firewall" key
# openvpn --genkey --secret keys/ta.key
9. Create and sign the certificate for the VPN client. The Common Name matches the command-line argument, and the files are written as keys/client.*.
# ./build-key client
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GuangDong]:
Locality Name (eg, city) [GuangZhou]:
Organization Name (eg, company) [OpenVPN-Congli]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:client
Email Address [congli@congli.org.cn]:
10. The keys directory now holds the certificates and keys generated above.
The server needs the following files, copied to /etc/openvpn:
ca.crt (root CA certificate)
dh1024.pem (Diffie-Hellman parameters)
ta.key (tls-auth HMAC key)
server.crt (server certificate)
server.key (server private key)
The client needs the following files, copied to /etc/openvpn:
ca.crt (root CA certificate)
ta.key (tls-auth HMAC key)
client.crt (client certificate)
client.key (client private key)
(The .key files and ta.key are secrets: keep them readable by root only, e.g. mode 600, and never copy ca.key off the CA machine.)
11. Edit the server configuration file
# vi /etc/openvpn/server.conf
# Listening port
port 1194
# Protocol: UDP is used here; the alternative is left commented out with ';' as in the OpenVPN sample config
;proto tcp
proto udp
# Device: routed (tun) rather than bridged (tap)
;dev tap
dev tun1
# Root CA
ca ca.crt
# Server certificate and private key
cert server.crt
key server.key
# Diffie-Hellman parameters
dh dh1024.pem
# Virtual subnet of the VPN
server 172.16.254.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Let clients reach each other
client-to-client
# Allow the same certificate (Common Name) to be logged in more than once at a time
duplicate-cn
# Equivalent to "ping 10" plus "ping-restart 120". Important when either VPN machine loses its
# Internet link or reboots, or when the client starts before the server: the client reconnects.
keepalive 10 120
# SSL/TLS: HMAC key for the control channel, direction 0 on the server
tls-auth ta.key 0
# Enable compression
comp-lzo
max-clients 100
# After initialisation, drop the OpenVPN process to user/group nobody
user nobody
group nobody
persist-key
persist-tun
# Status file, rewritten every minute by default; records each client's real IP, virtual IP and so on
status openvpn-status.log
# Logging: "log" truncates the file at start, "log-append" appends; use one or the other
;log /var/log/openvpn.log
log-append openvpn.log
verb 4
mute 20
# Optional: authenticate through a plugin; "openvpn" is the plugin argument, here the PAM service name
;plugin /usr/local/lib/openvpn-auth-pam.so openvpn
;client-connect ./connect.sh
;client-disconnect ./disconnect.sh
############################################
# Username/password mode (not used in this certificate-based setup, so left commented out)
############################################
# Do not ask the client for a certificate; authenticate with user/password
;client-cert-not-required
# Use the username supplied by the client as its Common Name
;username-as-common-name
############################################
############################################
client-config-dir ccd
# Push a route for the server-side LAN to the client
push "route 10.0.0.0 255.255.0.0"
# Add a route for the client-side LAN on the server
route 172.16.250.0 255.255.255.0
12. Assign the client a fixed virtual IP and have the server add a route to the client's LAN
# mkdir /etc/openvpn/ccd
# vi /etc/openvpn/ccd/client
# Virtual IP pair for this client (the file name must match the client certificate's Common Name)
ifconfig-push 172.16.254.5 172.16.254.6
# The client-side LAN, routed internally to this client
iroute 172.16.250.0 255.255.255.0
13. Test the server
# openvpn --config /etc/openvpn/server.conf --cd /etc/openvpn
(The line "Initialization Sequence Completed" at the end means it started successfully)
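As an added example that is not part of the original post, the following Python parses the version-1 status file written by the status directive above and checks each connected client against the virtual IP (ifconfig-push) and LAN (iroute) from its ccd entry; the status snapshot and the expectations are constructed sample data.

```python
# Added example, not part of the original post: parse the version-1 status file
# written by "status openvpn-status.log" and check each connected client against
# the virtual IP (ifconfig-push) and LAN (iroute) from its ccd entry. The status
# text and the ccd expectations below are constructed sample data.

def parse_status_v1(text):
    """Return {common_name: {'real': addr, 'rx': int, 'tx': int, 'virtual': [addrs]}}."""
    clients, section = {}, None
    for line in text.splitlines():
        if line in ('OpenVPN CLIENT LIST', 'ROUTING TABLE', 'GLOBAL STATS', 'END'):
            section = line
            continue
        f = line.split(',')
        if section == 'OpenVPN CLIENT LIST' and len(f) == 5 and f[0] != 'Common Name':
            clients[f[0]] = {'real': f[1], 'rx': int(f[2]), 'tx': int(f[3]), 'virtual': []}
        elif section == 'ROUTING TABLE' and len(f) == 4 and f[0] != 'Virtual Address':
            # one row per virtual address or routed network (iroute) a client owns
            entry = clients.setdefault(f[1], {'real': f[2], 'rx': 0, 'tx': 0, 'virtual': []})
            entry['virtual'].append(f[0])
    return clients

def audit(clients, expected):
    """expected maps a Common Name to (virtual_ip, lan_cidr) from its ccd file; returns findings."""
    findings = []
    for cn, info in clients.items():
        if cn not in expected:
            findings.append(f'{cn} from {info["real"]} has no ccd entry')
            continue
        vip, lan = expected[cn]
        if vip not in info['virtual']:
            findings.append(f'{cn} holds {info["virtual"]} instead of assigned {vip}')
        if lan not in info['virtual']:
            findings.append(f'{cn} is not routing its LAN {lan}')
    return findings

STATUS = """OpenVPN CLIENT LIST
Updated,Thu Jun 18 08:12:15 2015
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,203.0.113.10:41194,12345,67890,Thu Jun 18 08:00:01 2015
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.16.254.5,client,203.0.113.10:41194,Thu Jun 18 08:12:10 2015
172.16.250.0/24,client,203.0.113.10:41194,Thu Jun 18 08:12:10 2015
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""
# From ccd/client: ifconfig-push 172.16.254.5 172.16.254.6 and iroute 172.16.250.0/24
EXPECTED = {'client': ('172.16.254.5', '172.16.250.0/24')}
```

Run audit(parse_status_v1(open('openvpn-status.log').read()), EXPECTED) from cron to spot a client that came up with an address or route it was not assigned.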
14. Edit the client configuration file
# vi /etc/openvpn/client.conf
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun0
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# IP address (or hostname) and port of the VPN server
remote vpnserver.congli.cn 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# (ns-cert-type was removed in OpenVPN 2.5; current releases perform the same
# check with "remote-cert-tls server".)
# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth ta.key 1
# select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
mute 20
15. Test the client
# openvpn --config /etc/openvpn/client.conf --cd /etc/openvpn
(The line "Initialization Sequence Completed" at the end means it connected successfully)
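As an added example that is not part of the original post, here is a small Python checker for the cross-file rules these configs rely on (same proto and tun/tap type, tls-auth direction 0 on the server and 1 on the client, comp-lzo and cipher on both sides or neither, and a server route behind every ccd iroute); the three config texts inside are constructed from the tutorial's values.

```python
# Added example, not part of the original post: cross-check server.conf, client.conf
# and ccd/client for the pairings the tutorial calls out. The three config texts
# below are constructed from the tutorial's values.

def parse_conf(text):
    """Map each directive to the list of argument lists it appears with ('#'/';' lines are comments)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        key, *args = line.split()
        conf.setdefault(key, []).append(args)
    return conf

def first(conf, key, default=()):
    return conf[key][0] if key in conf else list(default)

def check_site_to_site(server, client, ccd):
    """Return a list of mismatches; an empty list means the three files agree."""
    problems = []
    if first(server, 'proto', ['udp'])[0] != first(client, 'proto', ['udp'])[0]:
        problems.append('proto differs between server and client')
    if first(server, 'dev', [''])[0][:3] != first(client, 'dev', [''])[0][:3]:
        problems.append('dev must be tun on both sides or tap on both sides')
    sta, cta = first(server, 'tls-auth'), first(client, 'tls-auth')
    if bool(sta) != bool(cta):
        problems.append('tls-auth must be configured on both sides or neither')
    elif sta and ((sta + [None])[1], (cta + [None])[1]) not in ((None, None), ('0', '1')):
        problems.append('tls-auth key direction must be 0 on the server and 1 on the client')
    for d in ('comp-lzo', 'cipher'):   # must be present and identical on both ends
        if (d in server) != (d in client):
            problems.append(f'{d} is set on only one side')
        elif d in server and server[d] != client[d]:
            problems.append(f'{d} arguments differ')
    server_routes = {tuple(r) for r in server.get('route', [])}
    for ir in ccd.get('iroute', []):   # iroute alone adds no kernel route on the server
        if tuple(ir) not in server_routes:
            problems.append(f'iroute {" ".join(ir)} has no matching route on the server')
    return problems

SERVER = """port 1194
proto udp
dev tun1
server 172.16.254.0 255.255.255.0
tls-auth ta.key 0
comp-lzo
client-config-dir ccd
push "route 10.0.0.0 255.255.0.0"
route 172.16.250.0 255.255.255.0
"""
CLIENT = "client\ndev tun0\nproto udp\nremote vpnserver.congli.cn 1194\ntls-auth ta.key 1\ncomp-lzo\n"
CCD = "ifconfig-push 172.16.254.5 172.16.254.6\niroute 172.16.250.0 255.255.255.0\n"
```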
16. Start at boot
Server:
# vi /etc/rc.local
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf --cd /etc/openvpn &
Client:
# vi /etc/rc.local
/usr/local/sbin/openvpn --config /etc/openvpn/client.conf --cd /etc/openvpn &
That completes the setup!
Finally, a start/stop script that works the same way across platforms, to make debugging easier (the case branches below need the ";;" terminators, which were missing):
#!/bin/sh
# Run OpenVPN as a daemon on FreeBSD
command="/usr/local/sbin/openvpn"
config_file="server.conf"
config_path="/etc/openvpn-ca"
pid_file="/var/run/openvpn.pid"
flags="--config ${config_path}/${config_file} --cd ${config_path} --writepid ${pid_file} --daemon --client-connect ${config_path}/connect.sh --client-disconnect ${config_path}/disconnect.sh"
case "$1" in
start)
    ${command} ${flags}
    exit 0
    ;;
restart)
    kill "$(cat "${pid_file}")"
    sleep 1   # let the old process exit and release the port before starting again
    ${command} ${flags}
    exit 0
    ;;
stop)
    kill "$(cat "${pid_file}")"
    exit 0
    ;;
*)
    echo "Usage: $0 {start|restart|stop}"
    exit 3
    ;;
esac