Installing OpenVPN on Ubuntu 12.04 and configuring clients
I. Lab environment
1. Physical topology:
Goal: use the VPN server so that Client01 and Client02 can reach each other.
2. Host configuration:
Hostname  | IP (static)    | OS                         | Spec                               | Role
vpnserver | 118.90.3.21    | Ubuntu-12.04-server-amd64  | 2 CPU, 1 GB RAM, 10 GB disk, 1 NIC | VPN server
Client01  | 192.168.10.100 | CentOS-6.3-x86_64-minimal  | 2 CPU, 1 GB RAM, 10 GB disk, 1 NIC | VPN client
Client02  | 172.16.10.100  | Windows 7 Ultimate SP1 x64 | 2 CPU, 1 GB RAM, 10 GB disk, 1 NIC | VPN client
II. Building the OpenVPN server
1. Install OpenVPN and its dependencies; on Ubuntu this is a plain apt-get:
root@vpnserver:~# sudo apt-get install openvpn udev lzop
2. Copy the sample OpenVPN server configuration into /etc/openvpn:
root@vpnserver:~# cp -r /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
3. Unpack the configuration file:
root@vpnserver:~# sudo gzip -d /etc/openvpn/server.conf.gz
4. Edit the easy-rsa vars file. The openvpn package ships the easy-rsa 2.0 scripts under /usr/share/doc/openvpn/examples/easy-rsa/2.0; the steps below assume they have already been copied to /etc/openvpn/easy-rsa/2.0. The changed lines are shown below. Two values the page leaves at their defaults deserve attention: KEY_PROVINCE stays at the sample's "CA" (it shows up unchanged in the certificate subjects in the Windows log later on), and KEY_SIZE stays at 1024, which sets both the RSA key length and the size of the Diffie-Hellman parameters generated below; set it to 2048 before generating anything:
root@vpnserver:~# vi /etc/openvpn/easy-rsa/2.0/vars
# Don't leave any of these fields blank.
export KEY_COUNTRY="CN"
export KEY_PROVINCE="CA"
export KEY_CITY="BJ"
export KEY_ORG="EZCLOUD"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected]
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
5. Generate the CA certificate. Note that ./clean-all empties the keys/ directory, so run it only here, when the CA is first created; running it again later destroys the CA and every certificate issued from it:
root@vpnserver:~# cd /etc/openvpn/easy-rsa/2.0
root@vpnserver:/etc/openvpn/easy-rsa/2.0# cp openssl-1.0.0.cnf openssl.cnf
root@vpnserver:/etc/openvpn/easy-rsa/2.0# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
root@vpnserver:/etc/openvpn/easy-rsa/2.0# ./clean-all
root@vpnserver:/etc/openvpn/easy-rsa/2.0# ./build-ca      (press Enter at every prompt to accept the defaults taken from vars)
6. Generate the server certificate and key; "server" is the name and can be anything:
root@vpnserver:/etc/openvpn/easy-rsa/2.0# ./build-key-server server
This prompts for the subject fields; press Enter to accept the defaults.
At "Sign the certificate? [y/n]:" answer y;
At "1 out of 1 certificate requests certified, commit? [y/n]" answer y.
7. Generate the client certificates and keys (client01, client02). Issue a separate certificate per client, as here; the common name is what the server logs and what duplicate-cn (left disabled in server.conf) is enforced on:
root@vpnserver:/etc/openvpn/easy-rsa/2.0# ./build-key client01
As with the server certificate, press Enter to accept the defaults for the subject fields;
At "Sign the certificate? [y/n]:" answer y;
At "1 out of 1 certificate requests certified, commit? [y/n]" answer y.
For the second client run ./build-key client02; the steps are identical.
The generated certificates and keys are stored in /etc/openvpn/easy-rsa/2.0/keys, together with ca.key, the CA's private key, which is needed only where certificates are issued and should never be copied to the VPN server's runtime directory or to any client.
8. Generate the Diffie-Hellman parameters. The size follows KEY_SIZE from vars, so with the default it produces keys/dh1024.pem; with KEY_SIZE=2048 it produces keys/dh2048.pem and the dh line in server.conf must be changed to match:
root@vpnserver:/etc/openvpn/easy-rsa/2.0# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................+.......................+...........+ (progress output trimmed) ...++*++*++*
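Before copying anything out of keys/, it is worth checking what easy-rsa actually produced. The script below is an added example, not part of the original page or of easy-rsa: verify_pki takes the keys directory as its only argument and confirms that every certificate chains to ca.crt, that each .key belongs to the .crt next to it, that server.crt carries the serverAuth extended key usage (which build-key-server's openssl.cnf sets and which remote-cert-tls server on clients relies on), and flags RSA keys and DH parameters below 2048 bits, i.e. the default KEY_SIZE. It uses only the openssl command-line tool; the function name, output format and the directory argument are the example's own.

```shell
#!/bin/sh
# verify_pki KEYDIR: sanity-check the output of easy-rsa 2.0 (added example,
# not easy-rsa's own tooling). Prints one OK/WARN/FAIL line per check and
# returns 1 if any FAIL was seen.
verify_pki() {
    keys="$1"
    rc=0
    [ -r "$keys/ca.crt" ] || { echo "FAIL: $keys/ca.crt not readable"; return 1; }

    for crt in "$keys"/*.crt; do
        [ "$crt" = "$keys/ca.crt" ] && continue

        # 1. every end-entity certificate must chain to our CA and nothing else
        if openssl verify -CAfile "$keys/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "OK:   $crt chains to ca.crt"
        else
            echo "FAIL: $crt does not verify against ca.crt"
            rc=1
        fi

        # 2. the private key next to the certificate must be the one it was issued for
        key="${crt%.crt}.key"
        if [ -r "$key" ]; then
            cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null)
            kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
            if [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]; then
                echo "OK:   $key matches $crt"
            else
                echo "FAIL: $key does not match $crt"
                rc=1
            fi
        fi

        # 3. key size: easy-rsa 2.0 defaults to KEY_SIZE=1024
        bits=$(openssl x509 -noout -text -in "$crt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "WARN: $crt has a ${bits:-unknown}-bit key; set KEY_SIZE=2048 in vars and rebuild"
        fi
    done

    # 4. the server certificate needs the serverAuth EKU for remote-cert-tls server
    if openssl x509 -noout -text -in "$keys/server.crt" 2>/dev/null | grep -q 'TLS Web Server Authentication'; then
        echo "OK:   server.crt has extendedKeyUsage serverAuth"
    else
        echo "FAIL: server.crt is missing or lacks extendedKeyUsage serverAuth"
        rc=1
    fi

    # 5. DH parameter size, if build-dh has already been run
    for dh in "$keys"/dh*.pem; do
        [ -r "$dh" ] || continue
        dhbits=$(openssl dhparam -noout -text -in "$dh" 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ "${dhbits:-0}" -lt 2048 ]; then
            echo "WARN: $dh is ${dhbits:-unknown} bits; regenerate with KEY_SIZE=2048"
        fi
    done
    return "$rc"
}

# Usage on the server: verify_pki /etc/openvpn/easy-rsa/2.0/keys
if [ "$#" -eq 1 ]; then
    verify_pki "$1"
fi
```

Run it once after step 8 and again whenever a client certificate is added; a FAIL on the chain check is the symptom of a stray ./clean-all having replaced the CA under existing clients.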
9. Configure the OpenVPN service. easy-rsa writes everything into its keys/ subdirectory (see step 7), so the copies must come from there (the page's paths omitted keys/). Copy only what the daemon needs, the CA certificate, the server certificate and key, and the DH parameters, never ca.key, and keep server.key readable by root alone. If KEY_SIZE was raised to 2048 in step 4, the DH file is dh2048.pem and the dh line in server.conf must match:
root@vpnserver:~# mkdir -p /etc/openvpn/serverkey
root@vpnserver:~# cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/serverkey
root@vpnserver:~# cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/serverkey
root@vpnserver:~# cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/serverkey
root@vpnserver:~# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/serverkey
root@vpnserver:~# vi /etc/openvpn/server.conf
local 118.90.3.21                      # address the server listens on
port 1194                              # listening port
proto udp                              # transport protocol
dev tun                                # tap mode is also possible
ca /etc/openvpn/serverkey/ca.crt
cert /etc/openvpn/serverkey/server.crt
key /etc/openvpn/serverkey/server.key  # This file should be kept secret
dh /etc/openvpn/serverkey/dh1024.pem
server 10.8.0.0 255.255.255.0          # address pool handed to clients; must not overlap an existing network
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 202.106.0.20"    # applied automatically on Windows; Linux clients need an up script to use it
;client-to-client
;duplicate-cn
keepalive 10 120
comp-lzo
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
This is the sample configuration with only paths and addresses changed, and several of the defaults it keeps matter for security. With client-to-client commented out, packets from one client to another are not switched inside OpenVPN but leave tun0 for the kernel and come back, so the lab's goal depends on ip_forward and on the FORWARD chain configured in steps 10 and 11. With user nobody and group nogroup commented out the daemon keeps running as root; persist-key and persist-tun are already set, which is exactly what is needed to drop privileges safely across restarts, so both lines can simply be uncommented. There is no tls-auth, so anyone who can reach UDP 1194 can start a TLS handshake with the daemon, and no cipher directive, so the data channel falls back to the 64-bit block cipher BF-CBC (the Windows client log at the end of the page confirms this).
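The points just listed are easy to lose track of when a configuration is edited by hand, so here is a small checker for them. It is an added example, not part of the page or of OpenVPN: audit_openvpn_conf takes the path of a server configuration, treats lines starting with ; or # as comments the way OpenVPN does, and prints one WARN: or NOTE: line per finding. The directive names it looks for are real OpenVPN directives (tls-crypt and data-ciphers exist only in 2.4 and 2.5 and later); the function names and the message wording are the example's own.

```shell
#!/bin/sh
# audit_openvpn_conf FILE: flag weak or missing settings in an OpenVPN 2.x
# server configuration (added example, not part of the page or of OpenVPN).
# Only grep and awk are used, so it runs on the server or anywhere else.
# Findings are printed as "WARN:" or "NOTE:" lines; the function always
# returns 0 so it can be called under set -e.

# directive_set FILE NAME: true if NAME appears as an active directive,
# i.e. at the start of a line that is not commented out with ; or #
directive_set() {
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        $1 == name    { found = 1 }
        END           { exit found ? 0 : 1 }
    ' "$1"
}

audit_openvpn_conf() {
    conf="$1"

    if ! directive_set "$conf" tls-auth && ! directive_set "$conf" tls-crypt; then
        echo "WARN: no tls-auth/tls-crypt: anyone on the internet can start a TLS handshake with the daemon; run 'openvpn --genkey --secret ta.key' and add 'tls-auth ta.key 0' (clients use 1)"
    fi
    if ! directive_set "$conf" user || ! directive_set "$conf" group; then
        echo "WARN: user/group not set: the daemon keeps running as root; uncomment 'user nobody' and 'group nogroup' (persist-key/persist-tun make this safe across restarts)"
    fi
    if grep -Eq '^[[:space:]]*dh[[:space:]]+.*dh1024' "$conf"; then
        echo "WARN: dh1024.pem: 1024-bit DH parameters; set KEY_SIZE=2048 in vars, rerun ./build-dh and point 'dh' at dh2048.pem"
    fi
    if ! directive_set "$conf" cipher && ! directive_set "$conf" data-ciphers; then
        echo "WARN: no cipher directive: OpenVPN 2.x falls back to BF-CBC, a 64-bit block cipher; set 'cipher AES-256-CBC' on server and clients"
    fi
    if directive_set "$conf" comp-lzo || directive_set "$conf" compress; then
        echo "WARN: compression is enabled; compressing before encryption leaks plaintext (VORACLE), remove comp-lzo on both sides"
    fi
    if directive_set "$conf" duplicate-cn; then
        echo "WARN: duplicate-cn lets one client certificate be used for many concurrent sessions"
    fi
    if ! directive_set "$conf" client-to-client; then
        echo "NOTE: client-to-client is off; traffic between clients goes through the kernel, so it depends on ip_forward and the FORWARD chain"
    fi
    return 0
}

# Usage: audit_openvpn_conf /etc/openvpn/server.conf
if [ "$#" -eq 1 ]; then
    audit_openvpn_conf "$1"
fi
```

Run against the server.conf above it reports five WARN lines (tls-auth, user/group, dh1024, cipher, comp-lzo) and the client-to-client NOTE; a configuration with those directives fixed is silent.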
10. Security configuration (NAT). This step adds the masquerading rule that lets VPN clients reach the outside world through the server's eth0, and reloads the saved rules whenever an interface comes up:
root@vpnserver:~# sudo apt-get install iptables
root@vpnserver:~# sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
root@vpnserver:~# iptables-save > /etc/iptables.rules
root@vpnserver:~# vi /etc/network/if-up.d/iptables
#!/bin/sh
iptables-restore < /etc/iptables.rules
root@vpnserver:~# chmod +x /etc/network/if-up.d/iptables
Be aware that iptables-save dumps every table, so whatever else was loaded at that moment is persisted too, and that nothing here touches the filter table: FORWARD keeps its ACCEPT policy, so once forwarding is switched on in the next step every VPN client can reach any network the server can.
11. Forwarding configuration:
root@vpnserver:~# vi /etc/sysctl.conf
Set the following (ip_forward is what actually routes client traffic; the redirect settings stop the server from sending or honouring ICMP redirects now that it acts as a router):
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
Reload /etc/sysctl.conf so the settings take effect:
root@vpnserver:~# sysctl -p
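Steps 10 and 11 together turn the server into a router with an empty FORWARD chain. The following is an added example, not from the original page: gen_vpn_rules prints a complete ruleset in iptables-restore format that keeps the page's MASQUERADE rule but restricts forwarding to packets that enter on the tunnel interface, allows client-to-client traffic through the kernel (which is how the lab's goal is met while client-to-client stays off in server.conf), and accepts only OpenVPN, SSH, loopback and established traffic on the host itself. The VPN subnet, tunnel and WAN interface names are parameters (defaulting to tun0 and eth0 as on the page); install_vpn_rules writes the result to /etc/iptables.rules so the if-up.d loader from step 10 keeps working unchanged. The function names are the example's own.

```shell
#!/bin/sh
# gen_vpn_rules SUBNET [TUN] [WAN]: print an iptables-restore ruleset for the
# VPN server. Added example, not from the original page. The page's single
# MASQUERADE rule gives clients internet access but leaves FORWARD wide open;
# this ruleset masquerades the same way and additionally:
#   - forwards only traffic that enters on the tunnel interface,
#   - lets VPN clients reach each other through the kernel (the lab's goal),
#   - accepts only OpenVPN, SSH and established traffic on the host itself.
gen_vpn_rules() {
    subnet="$1"
    tun="${2:-tun0}"
    wan="${3:-eth0}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# clients leave through the server's public address (as on the page)
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i $tun -s $subnet -j ACCEPT
# replies to forwarded connections, then new flows only from the tunnel
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $tun -o $wan -s $subnet -j ACCEPT
-A FORWARD -i $tun -o $tun -s $subnet -d $subnet -j ACCEPT
COMMIT
EOF
}

# install_vpn_rules SUBNET [TUN] [WAN]: write the ruleset to /etc/iptables.rules
# and load it; the if-up.d script from step 10 then reloads the same file.
install_vpn_rules() {
    gen_vpn_rules "$@" > /etc/iptables.rules || return 1
    iptables-restore < /etc/iptables.rules
}

# Usage: gen_vpn_rules 10.8.0.0/24 tun0 eth0   (prints the ruleset)
#        install_vpn_rules 10.8.0.0/24 tun0 eth0 (as root, applies it)
if [ "$#" -ge 1 ]; then
    gen_vpn_rules "$@"
fi
```

The INPUT policy is DROP, so review the accepted ports before applying this on a remote machine; SSH on 22 is allowed precisely to avoid locking yourself out, and any other service the host runs needs its own line.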
12. Restart OpenVPN and networking:
root@vpnserver:~# /etc/init.d/openvpn restart
 * Stopping virtual private network daemon(s)...
 *   Stopping VPN 'server'
   ...done.
 * Starting virtual private network daemon(s)...
 *   Autostarting VPN 'server'
root@vpnserver:~# /etc/init.d/networking restart
 * Running /etc/init.d/networking restart is deprecated because it may not enable again some interfaces
 * Reconfiguring network interfaces...
ssh stop/waiting
ssh start/running, process 26647
   ...done.
13. Check that the OpenVPN service is running. Note the USER column: the daemon is running as root because user/group were left commented out in server.conf:
root@vpnserver:~# lsof -i:1194
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
openvpn 27419 root    5u  IPv4 3823413      0t0  UDP 118.90.3.21:openvpn
root@vpnserver:~# netstat -an | grep 1194
udp        0      0 118.90.3.21:1194        0.0.0.0:*
III. Linux OpenVPN client configuration
Client01 runs CentOS; other distributions are configured in the same way. CentOS was chosen so that the OpenVPN installation procedure on a different operating system is covered as well.
1. Create the yum repository configuration file:
[root@Client01 ~]# vi /etc/yum.repos.d/naulinux-school.repo
2. Install the OpenVPN rpm package:
[root@Client01 ~]# yum --enablerepo=naulinux-school install openvpn
3. Copy ca.crt, client01.crt and client01.key into /etc/openvpn. client01.key is the client's private key: transfer it over an authenticated channel such as scp, not by e-mail, and make it readable by root only:
[root@Client01 ~]# ls
ca.crt  client01.crt  client01.key  client01.ovpn
4. Edit /etc/openvpn/client01.ovpn:
[root@Client01 ~]# vi /etc/openvpn/client01.ovpn
client
dev tun
proto udp
remote 118.90.3.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client01.crt
key /etc/openvpn/client01.key
ns-cert-type server
redirect-gateway
keepalive 10 120
comp-lzo
verb 3
mute 20
route-delay 2
The route-method exe line that appears in the Windows profile below is omitted here: it is a Windows-only option, and OpenVPN on Linux rejects it as unrecognised and exits. ns-cert-type server makes the client refuse any certificate not marked nsCertType=server, so another client's certificate cannot be used to impersonate the server; newer OpenVPN releases deprecate it in favour of remote-cert-tls server, which the certificates issued by build-key-server also satisfy. redirect-gateway sends all of the client's traffic through the tunnel; the def1 variant is more robust because it overrides the default route with two /1 routes instead of deleting it.
5. Start the OpenVPN client (this runs in the foreground and logs to the terminal; add --daemon once it is known to work):
[root@Client01 ~]# openvpn /etc/openvpn/client01.ovpn
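Handing each client four loose files (the profile plus ca.crt, clientNN.crt and clientNN.key) is error-prone, and the same profile is about to be retyped for Windows. As an added example, not part of the page, make_inline_ovpn builds a single .ovpn with the three PEM files embedded inline, which OpenVPN has supported since 2.1 and which the Windows GUI reads from its config folder unchanged. It takes the client name, the server address and the easy-rsa keys directory; pem_only strips the human-readable dump that easy-rsa puts in front of each certificate. The profile deliberately differs from the page's: remote-cert-tls server replaces the deprecated ns-cert-type (build-key-server issues certificates with the serverAuth EKU it checks), redirect-gateway def1 keeps the original default route, compression is left out (remove comp-lzo from server.conf as well, since both sides must agree), and the Windows-only route-method is absent. Function and argument names are the example's own.

```shell
#!/bin/sh
# make_inline_ovpn NAME SERVER KEYDIR: print a single-file OpenVPN client
# profile with ca.crt, NAME.crt and NAME.key embedded inline (<ca>, <cert>,
# <key> blocks, supported since OpenVPN 2.1). Added example, not from the
# page. Differences from the page's profile: remote-cert-tls server instead
# of the deprecated ns-cert-type, redirect-gateway def1, no comp-lzo (drop
# it on the server too) and no Windows-only route-method.

# pem_only FILE: easy-rsa .crt files start with a text dump of the
# certificate; keep only the PEM block(s)
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_inline_ovpn() {
    name="$1"
    server="$2"
    keydir="$3"
    for f in ca.crt "$name.crt" "$name.key"; do
        if [ ! -r "$keydir/$f" ]; then
            echo "make_inline_ovpn: missing $keydir/$f" >&2
            return 1
        fi
    done
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
redirect-gateway def1
keepalive 10 120
verb 3
mute 20
<ca>
$(pem_only "$keydir/ca.crt")
</ca>
<cert>
$(pem_only "$keydir/$name.crt")
</cert>
<key>
$(pem_only "$keydir/$name.key")
</key>
EOF
}

# Usage on the host that holds the easy-rsa keys directory, then copy the one
# file to the client over scp and protect it like a private key (chmod 600):
#   make_inline_ovpn client01 118.90.3.21 /etc/openvpn/easy-rsa/2.0/keys > client01.ovpn
if [ "$#" -eq 3 ]; then
    make_inline_ovpn "$@"
fi
```

Because the file now contains the private key, it must be handled exactly as client01.key was in step 3; on Linux the same profile can be started with openvpn /etc/openvpn/client01.ovpn as above.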
IV. Windows OpenVPN client configuration
Client02 installs the Windows build openvpn-2.0.9-gui-1.0.3-install.exe (the status window in step 10 below shows the installed binary reporting itself as OpenVPN 2.2.2); the default installation is fine. The steps are:
1. Double-click the installer; in the wizard click Next:
2. Accept the licence:
3. Select the components to install; the defaults are fine:
4. Choose the installation directory; the default is C:\Program Files (x86)\OpenVPN, but any other location works:
5. When the TAP-Win32 driver is installed, choose "Continue Anyway":
6. Continue with the installation:
7. Installation complete:
8. Open the OpenVPN installation directory, go into the config folder, copy ca.crt, client02.crt and client02.key into it, and create a text file named client02.ovpn with the following contents:
client
dev tun
proto udp
remote 118.90.3.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client02.crt
key client02.key
ns-cert-type server
redirect-gateway
keepalive 10 120
comp-lzo
verb 3
mute 20
route-method exe
route-delay 2
9. Double-click the OpenVPN GUI icon on the desktop; an icon appears in the notification area at the bottom right. Double-click that icon to connect; a dialog shows the connection progress, and once the connection is up the icon changes to its connected state.
10. Show Status:
Mon Mar 18 10:38:23 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Mon Mar 18 10:38:23 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 18 10:38:23 2013 LZO compression initialized
Mon Mar 18 10:38:23 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Mar 18 10:38:23 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Mar 18 10:38:23 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Mar 18 10:38:23 2013 Local Options hash (VER=V4): '41690919'
Mon Mar 18 10:38:23 2013 Expected Remote Options hash (VER=V4): '530fdded'
Mon Mar 18 10:38:23 2013 UDPv4 link local: [undef]
Mon Mar 18 10:38:23 2013 UDPv4 link remote: 118.90.3.21:1194
Mon Mar 18 10:38:23 2013 TLS: Initial packet from 118.90.3.21:1194, sid=bebb96bc a0184fa3
Mon Mar 18 10:38:23 2013 VERIFY OK: depth=1, /C=CN/ST=CA/L=BJ/O=EZCLOUD/OU=changeme/CN=changeme/name=changeme/[email protected]
Mon Mar 18 10:38:23 2013 VERIFY OK: nsCertType=SERVER
Mon Mar 18 10:38:23 2013 VERIFY OK: depth=0, /C=CN/ST=CA/L=BJ/O=EZCLOUD/OU=changeme/CN=server/name=changeme/[email protected]
Mon Mar 18 10:38:24 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Mar 18 10:38:24 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 18 10:38:24 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Mar 18 10:38:24 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Mar 18 10:38:24 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Mar 18 10:38:24 2013 [server] Peer Connection Initiated with 118.90.3.21:1194
Mon Mar 18 10:38:26 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Mar 18 10:38:26 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,dhcp-option DNS 202.106.0.20,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Mar 18 10:38:26 2013 OPTIONS IMPORT: timers and/or timeouts modified
Mon Mar 18 10:38:26 2013 OPTIONS IMPORT: --ifconfig/up options modified
Mon Mar 18 10:38:26 2013 OPTIONS IMPORT: route options modified
Mon Mar 18 10:38:26 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Mar 18 10:38:26 2013 ROUTE default_gateway=192.168.10.254
Mon Mar 18 10:38:26 2013 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{4C7B4F34-1EBF-4873-AF44-B239888B14E9}.tap
Mon Mar 18 10:38:26 2013 TAP-Win32 Driver Version 9.9
Mon Mar 18 10:38:26 2013 TAP-Win32 MTU=1500
Mon Mar 18 10:38:26 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {4C7B4F34-1EBF-4873-AF44-B239888B14E9} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Mon Mar 18 10:38:26 2013 Successful ARP Flush on interface [18] {4C7B4F34-1EBF-4873-AF44-B239888B14E9}
Mon Mar 18 10:38:28 2013 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Mon Mar 18 10:38:28 2013 C:\WINDOWS\system32\route.exe ADD 118.90.3.21 MASK 255.255.255.255 192.168.10.254
OK!
Mon Mar 18 10:38:28 2013 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.10.254
OK!
Mon Mar 18 10:38:28 2013 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 10.8.0.5
OK!
Mon Mar 18 10:38:28 2013 C:\WINDOWS\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
OK!
Mon Mar 18 10:38:29 2013 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
OK!
Mon Mar 18 10:38:29 2013 Initialization Sequence Completed
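The status output above deserves a closer read than a glance at "Initialization Sequence Completed": it records that the two sides negotiated BF-CBC with HMAC-SHA1 on the data channel, TLSv1 on the control channel and a 1024-bit RSA server key, and that LZO compression is active, all of which follow from the defaults left in place earlier (no cipher directive, comp-lzo, KEY_SIZE=1024). The following is an added example, not part of the page or of OpenVPN: audit_openvpn_log extracts those values from a client log written at verb 3 and prints WARN:, NOTE: or OK: lines. The patterns match the 2.2/2.3 log format shown above and the "Outgoing Data Channel" wording used by 2.4 and later; the function name and message text are the example's own.

```shell
#!/bin/sh
# audit_openvpn_log FILE: read an OpenVPN client log (verb 3, as in the status
# window above) and report what the two sides actually negotiated. Added
# example, not from the page or from OpenVPN; the patterns match the 2.2/2.3
# log format shown above and the "Outgoing Data Channel" form of 2.4+.
# Prints WARN:/NOTE:/OK: lines; always returns 0.
audit_openvpn_log() {
    log="$1"

    # negotiated data-channel cipher, e.g. BF-CBC
    cipher=$(grep "Data Channel.*Cipher '" "$log" | head -n 1 | sed "s/.*Cipher '\([^']*\)'.*/\1/")
    # HMAC digest, e.g. SHA1 (absent for AEAD ciphers such as AES-256-GCM)
    hmac=$(grep "message hash '" "$log" | head -n 1 | sed "s/.*message hash '\([^']*\)'.*/\1/")
    # control-channel TLS version and the peer's RSA key size
    tlsver=$(sed -n 's/.*Control Channel: \(TLSv[0-9.]*\),.*/\1/p' "$log" | head -n 1)
    rsabits=$(sed -n 's/.*Control Channel: .*, \([0-9]*\) bit RSA.*/\1/p' "$log" | head -n 1)

    case "$cipher" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|CAST5-CBC|RC2-CBC)
            echo "WARN: data channel cipher $cipher has a 64-bit block (SWEET32); set 'cipher AES-256-CBC' on both sides" ;;
        "")
            echo "NOTE: no data channel cipher found in log" ;;
        *)
            echo "OK:   data channel cipher $cipher" ;;
    esac
    case "$hmac" in
        MD5|SHA1)
            echo "NOTE: HMAC uses $hmac; prefer 'auth SHA256' on both sides" ;;
    esac
    case "$tlsver" in
        TLSv1|TLSv1.1)
            echo "WARN: control channel negotiated $tlsver; on OpenVPN 2.3.3 and later set 'tls-version-min 1.2'" ;;
        "")
            ;;
        *)
            echo "OK:   control channel $tlsver" ;;
    esac
    if [ "${rsabits:-0}" -gt 0 ] && [ "$rsabits" -lt 2048 ]; then
        echo "WARN: peer certificate uses a $rsabits-bit RSA key; rebuild the PKI with KEY_SIZE=2048"
    fi
    if grep -q 'LZO compression initialized' "$log"; then
        echo "WARN: LZO compression is on; compression before encryption leaks plaintext (VORACLE), remove comp-lzo on both sides"
    fi
    # ns-cert-type logs "VERIFY OK: nsCertType=SERVER"; remote-cert-tls logs "VERIFY KU OK" / "VERIFY EKU OK"
    if ! grep -q 'VERIFY OK: nsCertType=SERVER' "$log" && ! grep -Eq 'VERIFY E?KU OK' "$log"; then
        echo "NOTE: no server-certificate type check seen (ns-cert-type / remote-cert-tls)"
    fi
    if grep -q 'Initialization Sequence Completed' "$log"; then
        echo "OK:   tunnel established"
    else
        echo "WARN: no 'Initialization Sequence Completed' in log"
    fi
    return 0
}

# Usage: audit_openvpn_log client.log  (paste the Show Status text into client.log)
if [ "$#" -eq 1 ]; then
    audit_openvpn_log "$1"
fi
```

Fed the status text above it prints four WARN lines (BF-CBC, TLSv1, 1024-bit RSA, LZO) and a NOTE about SHA1; the same check against a modern AES-256-GCM/TLSv1.3 session prints only OK lines.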