现在把openvpn的安装和配置方法写下来:
首先检测一下服务器上是否有LZO这个软件(LZO : real-time compression library, required for link compression):
#rpm -qa|grep lzo
要是显示有这个软件,那就可以直接跳到安装openvpn
配置LZO:
#./configure --with-lzo-headers="/usr/local/include" --with-lzo-lib= "/usr/local/lib"
#make
#make check
#make test (run a full test)
# make install (when logged in as root)
要没出现error那就表示已经安装好了,要出现了error可以等入http://www.oberhumer.com/opensource/lzo/
看一下howto
然后开始安装Openvpn:
$tar -zxvfopenvpn-2.0.5.tar.gz
$cd openvpn-2.0.5
$./configure
$make
$su
#make install
按照INSTALL文件中的说明,做如下操作:
#mknod /dev/net/tun c 10 200 #创建一个tun设备
#echo "alias char-major-10-200 tun" >;>; /etc/modprobe.conf
#echo 1 >; /proc/sys/net/ipv4/ip_forward #打开系统的转发功能
接下来就生成服务器客户端需要使用的keys了,为了方便,我们使用OpenVPN包自带的脚本生成。
#mkdir /etc/openvpn
#cp -r easy-rsa /etc/openvpn #切换到OpenVPN源代码目录执行
修改vars 文件
-------------CUT Here-------------
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export D=`pwd`
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=$D/openssl.cnf
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR=$D/keys
# Issue rm -rf warning
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
# 定义你所在的国家,2个字符
export KEY_COUNTRY=CN
# 你所在的省份
export KEY_PROVINCE=Liaoning
# 你所在的城市
export KEY_CITY=Shenyang
# 你所在的组织
export KEY_ORG="ELM OpenVPN ORG"
# 你的单位
export KEY_OU="OpenVPN Service"
# 你的邮件地址
export KEY_EMAIL="elm@elm.freetcp.com"
-------------CUT Here-----------------
修改后保存,下面我们开始什成keys,以下为shell命令 "#" 为提示符
#. vars #使修改的变量生效
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
#./clean-all #初始化keys目录,创建所需要的文件和目录
#./build-ca #什成Root CA证书,用于签发Server和Client证书,请保护好keys/ca.key文件。
Generating a 1024 bit RSA private key
........................++++++
.............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: #如果无需修改,直接回车
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN Service]:
Common Name (eg, your name or your server's hostname) []:OpenVPN Root CA
Email Address [elm@elm.freetcp.com]:
# ls keys
ca.crt ca.key index.txt serial
我们可以看到ca.crt ca.key文件已经什成了。
下面我们为服务器生成 Diffie-Hellman 文件
# ./build-dh #TLS server 需要使用的一个文件
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..+..............................................................+.............
.......................................................+....+........+........
.+....................................................+.+.....................
...................................................................................
..........................................................+.......................
................+.................................+.............+..............
...................................................................+...............
........................................+.............................++*++*++*
创建并签发VPN Server使用的CA
# ./build-key-server server # server 为创建后的文件名,分别为server.crt server.key
Generating a 1024 bit RSA private key
......................++++++
...............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN Service]:
Common Name (eg, your name or your server's hostname) []:Server No.1
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName RINTABLE:'CN'
stateOrProvinceName RINTABLE:'Liaoning'
localityName RINTABLE:'Shenyang'
organizationName RINTABLE:'ELM OpenVPN ORG'
organizationalUnitNameRINTABLE:'OpenVPN Service'
commonName RINTABLE:'Server No.1'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 26 14:43:44 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
接下来为VPN Client颁发CA证书,如果以后要为其他Client颁发证书,直接使用build-key命令签发新证书。
# ./build-key elm
Generating a 1024 bit RSA private key
........++++++
....................++++++
writing new private key to 'elm.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Liaoning]:
Locality Name (eg, city) [Shenyang]:
Organization Name (eg, company) [ELM OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN Service]:
Common Name (eg, your name or your server's hostname) []:ELM #注意Common Name最好不要相同,如果相同[server要加duplicate-cn选项],那么Email地址也不能相同
Email Address [elm@elm.freetcp.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName RINTABLE:'CN'
stateOrProvinceName RINTABLE:'Liaoning'
localityName RINTABLE:'Shenyang'
organizationName RINTABLE:'ELM OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN Service'
commonName :PRINTABLE:'ELM'
emailAddress :IA5STRING:'elm@elm.freetcp.com'
Certificate is to be certified until Feb 26 14:45:36 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
为防止恶意攻击(如DOS、UDP port flooding),我们生成一个"HMAC firewall"
#openvpn --genkey --secret keys/ta.key
生成证书吊销链文件,防止日后有人丢失证书,被非法用户接入VPN
#./make-crl vpncrl.pem
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
到现在为止,一切准备就绪,下面开始写配置文件,为了缩小篇幅,把原有注释都去掉了。
Server使用的配置文件server.conf
----------------CUT Here-------------
#申明本机使用的IP地址,也可以不说明
local 210.*.*.*
#申明使用的端口,默认1194
port 1194
#申明使用的协议,默认使用UDP,如果使用HTTP proxy,必须使用TCP协议
proto tcp
;proto udp
#申明使用的设备可选tap和tun,tap是二层设备,支持链路层协议。
#tun是ip层的点对点协议,限制稍微多一些。
#tun可以运行路由功能,tap只可以用作桥接功能,使用tun可以对登入vpn的用户设定策略性限制
;dev tap
dev tun
#OpenVPN使用的ROOT CA,使用build-ca生成的,用于验证客户是证书是否合法
ca ca.crt
#Server使用的证书文件
cert server.crt
#Server使用的证书对应的key,注意文件的权限,防止被盗
key server.key # This file should be kept secret
#CRL文件的申明,被吊销的证书链,这些证书将无法登录
crl-verify vpncrl.pem
#上面提到的生成的Diffie-Hellman文件
dh dh1024.pem
#这是一条命令的合集,如果你是OpenVPN的老用户,就知道这条命令的来由
#这条命令等效于:
# mode server #OpenVPN工作在Server模式,可以支持多client同时动态接入
# tls-server #使用TLS加密传输,本端为Server,Client端为tls-client
#
# if dev tun: #如果使用tun设备,等效于以下配置
# ifconfig 10.8.0.1 10.8.0.2 #设置本地tun设备的地址
# ifconfig-pool 10.8.0.4 10.8.0.251 #说明OpenVPN使用的地址池(用于分配给客户),分别是起始地址、结束地址
# route 10.8.0.0 255.255.255.0 #增加一条静态路由,省略下一跳地址,下一跳为对端地址,这里是: 10.8.0.2
# if client-to-client: #如果使用client-to-client这个选项
# push "route 10.8.0.0 255.255.255.0" #把这条路由发送给客户端,客户连接成功后自动加入路由表,省略了下一跳地址: 10.8.0.1
# else
# push "route 10.8.0.1" #否则发送本条路由,这是一个主机路由,省略了子网掩码和下一跳地址,分别为: 255.255.255.255 10.8.0.1
#
# if dev tap: #如果使用tap设备,则等效于以下命令
# ifconfig 10.8.0.1 255.255.255.0 #配置tap设备的地址
# ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 #客户端使用的地址池,分别是起始地址、结束地址、子网掩码
# push "route-gateway 10.8.0.1" #把环境变量route-gateway传递给客户机
#
server 10.8.0.0 255.255.255.0 #等效于以上命令
#用于记录某个Client获得的IP地址,类似于dhcpd.lease文件,
#防止openvpn重新启动后“忘记”Client曾经使用过的IP地址
ifconfig-pool-persist ipp.txt
#Bridge状态下类似DHCPD的配置,为客户分配地址,由于这里工作在路由模式,所以不使用
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
#通过VPN Server往Client push路由,client通过pull指令获得Server push的所有选项并应用
;push "route 192.168.10.0 255.255.255.0"
push "route 172.16.0.0 255.255.252.0" (改路由使得等入vpn的用户通过vpn服务进入到vpn服务器)
#VPN启动后,在VPN Server上增加的路由,VPN停止后自动删除
;route 10.9.0.0 255.255.255.252
#Run script or shell command cmd to validate client
#virtual addresses or routes. 具体查看manual
;learn-address ./script
#其他的一些需要PUSH给Client的选项
#
#使Client的默认网关指向VPN,让Client的所有Traffic都通过VPN走
;push "redirect-gateway"
#DHCP的一些选项,具体查看Manual
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
#如果可以让VPN Client之间相互访问直接通过openvpn程序转发,
#不用发送到tun或者tap设备后重新转发,优化Client to Client的访问效率
client-to-client
#如果Client使用的CA的Common Name有重复了,或者说客户都使用相同的CA
#和keys连接VPN,一定要打开这个选项,否则只允许一个人连接VPN
;duplicate-cn
#NAT后面使用VPN,如果VPN长时间不通信,NAT Session可能会失效,
#导致VPN连接丢失,为防止之类事情的发生,keepalive提供一个类似于ping的机制,
#下面表示每10秒通过VPN的Control通道ping对方,如果连续120秒无法ping通,
#认为连接丢失,并重新启动VPN,重新连接
#(对于mode server模式下的openvpn不会重新连接)。
keepalive 10 120
#上面提到的HMAC防火墙,防止DOS攻击,对于所有的控制信息,都使用HMAC signature,
#没有HMAC signature的控制信息不予处理,注意server端后面的数字肯定使用0,client使用1
tls-auth ta.key 0 # This file is secret
#对数据进行压缩,注意Server和Client一致
comp-lzo
#定义最大连接数
;max-clients 100
#定义运行openvpn的用户
user nobody
group nobody
#通过keepalive检测超时后,重新启动VPN,不重新读取keys,保留第一次使用的keys
persist-key
#通过keepalive检测超时后,重新启动VPN,一直保持tun或者tap设备是linkup的,
#否则网络连接会先linkdown然后linkup
persist-tun
#定期把openvpn的一些状态信息写到文件中,以便自己写程序计费或者进行其他操作
status openvpn-status.log
#记录日志,每次重新启动openvpn后删除原有的log信息
log /var/log/openvpn.log
#和log一致,每次重新启动openvpn后保留原有的log信息,新信息追加到文件最后
;log-append openvpn.log
#相当于debug level,具体查看manual
verb 3
--------------Cut Here-----------------
把server.conf文件保存到/etc/opennvpn目录中,并把使用easy-rsa下的脚本什成的key都复制到/etc/openvpn目录下,命令如下:
#cd /etc/openvpn
#cp easy-rsa/keys/ca.crt .
#cp easy-rsa/keys/server.crt .
#cp easy-rsa/keys/server.key .
#cp easy-rsa/keys/dh1024.pem .
#cp easy-rsa/keys/ta.key .
#cp easy-rsa/keys/vpncrl.pem .
创建OpenVPN启动脚本,可以在源代码目录中找到,在sample-scripts目录下的openvpn.init文件,将其复制到/etc/init.d/目录中,改名为openvpn
然后运行:
#chkconfig --add openvpn
#chkconfig openvpn on
立即启动openenvpn
#/etc/init.d/openvpn start
接下来配置客户端的配置文件client.conf:
Linux或Unix下使用扩展名为.conf Windows下使用的是.ovpn,并把需要使用的keys复制到配置文件所在目录ca.crt elm.crt elm.key ta.key
-------------Cut Here---------------------
# 申明我们是一个client,配置从server端pull过来,如IP地址,路由信息之类“Server使用push指令push过来的”
client
#指定接口的类型,严格和Server端一致
dev tun
;dev tap
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# 使用的协议,与Server严格一致
proto tcp
;proto udp
#设置Server的IP地址和端口,如果有多台机器做负载均衡,可以多次出现remote关键字
remote 210.*.*.* 1194
;remote my-server-2 1194
# 随机选择一个Server连接,否则按照顺序从上到下依次连接
;remote-random
# 始终重新解析Server的IP地址(如果remote后面跟的是域名),
# 保证Server IP地址是动态的使用DDNS动态更新DNS后,Client在自动重新连接时重新解析Server的IP地址
# 这样无需人为重新启动,即可重新接入VPN
resolv-retry infinite
# 在本机不邦定任何端口监听incoming数据,Client无需此操作,除非一对一的VPN有必要
nobind
# 和Server配置上的功能一样 如果使用了chroot或者su功能,最好打开下面2个选项,防止重新启动后找不到keys文件,或者nobody用户没有权限启动tun设备
persist-key
persist-tun
# 如果你使用HTTP代理连接VPN Server,把Proxy的IP地址和端口写到下面
# 如果代理需要验证,使用http-proxy server port [authfile] [auth-method]
# 其中authfile是一个2行的文本文件,用户名和密码各占一行,auth-method可以省略,详细信息查看Manual
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# 对于无线设备使用VPN的配置,看看就明白了
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# Root CA 文件的文件名,用于验证Server CA证书合法性,通过easy-rsa/build-ca生成的ca.crt,和Server配置里的ca.crt是同一个文件
ca ca.crt
# easy-rsa/build-key生成的key pair文件,上面生成key部分中有提到,不同客户使用不同的keys修改以下两行配置并使用他们的keys即可。
cert (用戶名).crt
key (用戶名).key
# Server使用build-key-server脚本什成的,在x509 v3扩展中加入了ns-cert-type选项
# 防止VPN client使用他们的keys + DNS hack欺骗vpn client连接他们假冒的VPN Server
# 因为他们的CA里没有这个扩展
ns-cert-type server
# 和Server配置里一致,ta.key也一致,注意最后参数使用的是1
tls-auth ta.key 1
# 压缩选项,和Server严格一致
comp-lzo
# Set log file verbosity.
verb 4
--------------Cut Here---------------------
如果想要vpn用戶可以訪問服務器後的内網就要在iptables上設置:
OPENVPN_IFACE="tun+"(VPN DEVICE)
OPENVPN_IP_RANGE ="10.8.0.0/24"
LAN_IP="172.16.*.*"(内網IP)
LAN_IFACE="eth1"
iptables -A INPUT -i $OPENVPN_IFACE -j ACCEPT(因為服務器要做内網的DNS SERVER所以INPUT也要accept)
iptables -A FORWARD -i $OPENVPN_IFACE -j ACCEPT(讓所有經過路由判斷後從openvpn interface進來的數據都可以進入内網)
iptables -t nat -A POSTROUTING -s $OPENVPN_IP_RANGE -o $ LAN_IFACE -j SNAT --to $LAN_IP
(要是對iptables有足夠的認識,可以在FORWARD CHAIN對進入内網的數據包做過濾,可以做到限制VPN用戶的訪問權限。)
以上的設置再加上在server.conf裏邊的一句“push "route 172.16.0.0 255.255.252.0" ”,就可以讓vpn用戶訪問server 的内網。
建立用戶的登入KEYS:
$cd /etc/openvpn/ easy-rsa/
$. vars
$./build-key (用戶名)
做到這裡已經openvpn已經算是完成了我需要的功能了。
參考:
FREEBSD VPN:
http://www.myitc.net/index.php?option=com_content&task=category§ionid=6&id=22&Itemid=47
CHINAUNIX.NET:
http://bbs.chinaunix.net/viewthread.php?tid=503434&extra=page%3D1%26filter%3Ddigest&page=1
No comments:
Post a Comment