The most comprehensive and detailed guide to building an OpenVPN service and its iptables configuration (a)

Building an OpenVPN Server in routed mode
- 1. Install CentOS
- 2. Install OpenVPN
- 3. Configure OpenVPN
- 4. Configure the OpenVPN Server firewall
- 5. Configure the OpenVPN Windows client
- 6. A small extra test: revoking a client certificate
- 7. Routed mode with a tap device

Building an OpenVPN Server in bridged mode
- 1. Bridge the OpenVPN server's LAN NIC with the virtual NIC
- 2. Edit the server configuration file
- 3. Set up the firewall so that packets pass between the new tap0 and br0 interfaces

Building an OpenVPN Server in routed mode + password authentication + MySQL
- 1. First check whether the pam-devel package is installed; if not, install it from the system disc
- 2. Check whether MySQL is installed and confirm that the mysql-devel package is present; if not, install it from the system disc
- 3. Install pam_mysql
- 4. Configure the MySQL database and PAM
- 5. Build openvpn-auth-pam.so
- 6. Configure the server configuration file
- 7. Configure the client configuration file

Building an OpenVPN Server in routed mode + password authentication + TEXT/POP3
- 1. Download the TEXT authentication script checkpsw.sh
- 2. Configure the server configuration file
- 3. Configure the client configuration file
- 4. Change the PASSFILE variable in checkpsw.sh
- 5. Create /usr/local/etc/psw-file
- 6. By the same principle, POP3 authentication can also be used

Building an OpenVPN Server in routed mode + password authentication + RADIUS
- 1. Set up a RADIUS server
- 2. Configure radiusplugin
- 3. Configure the server configuration file
- 4. Configure the client configuration file

Building OpenVPN Site to Site
- 1. Both the VPN client and the VPN server act as the gateway of their respective networks
- 2. Configure the OpenVPN server
- 3. Configure the VPN client
- Other OpenVPN configuration options
- OpenVPN configuration parameters explained

Appendix
- bridge-start
- bridge-stop
- checkpsw.sh
- checkpsw.pl
- connect
- disconnect
- Setting up a RADIUS server on Windows 2003 - IAS
- Popauth.pl
- CentOS yum CD-ROM repository
- freeradius + openvpn + mysql implementation
- Steps to generate a self-installing OpenVPN client
- Ethernet Bridging
- Why does one client use four private IP addresses in TUN mode?
OpenVPN Server Setup Explained in Detail
Environment:
Server: CentOS 5.2   Client: Windows XP SP2
Other software: openvpn-2.0.9.tar.gz
openvpn-2.0.9-gui-1.0.3-install.exe
lzo-2.03.tar.gz
openssl (the version shipped with CentOS 5.2)
NTRadPing.exe (RADIUS test tool)
pam_mysql-0.7RC1.tar.gz
radiusplugin_v2.0c.tar.gz
libgcrypt-1.2.4.tar.gz
libgpg-error-1.5.tar.bz2
All tests were done on VMware Workstation 5.5.1
(1) Building an OpenVPN Server in routed mode
Goal: build an OpenVPN server so that travelling employees can conveniently reach the shared resources on the company LAN.
Network environment:
Basic OpenVPN server settings: routed connection mode, certificate-based authentication, tun as the virtual device (more efficient than tap, because it carries bare IP packets without Ethernet framing).
1. Install CentOS
I will not describe this step in detail.
Note: disable SELinux and iptables for the initial setup. Keep iptables off only while debugging: section 4 adds the firewall rules this server needs, and a server with IP forwarding enabled and no rules routes freely between all of its interfaces.
2. Install OpenVPN
a) Check whether openssl is installed (it normally ships with the system).
[root@localhost ~]# whereis openssl
If your system has no OpenSSL library, download and install it.
b) Install lzo
If you want to use compression on the VPN link, or you want to install OpenVPN as an RPM package, install the LZO library.
Download: http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
Unpack it into /root/Scripts; all later software is kept in this directory as well.
gzip -cd lzo-2.03.tar.gz | tar -xvf -
cd lzo-2.03
./configure
make
make install
If you use Linux 2.2 or earlier, download the TUN/TAP driver. For Linux 2.4.7 and later the TUN/TAP driver is bundled with the kernel. Users of Linux 2.4.0 to 2.4.6 should read the note at the end of the INSTALL file.
c) Install OpenVPN from the tarball
Now download the latest OpenVPN release: http://openvpn.net/release/openvpn-2.0.9.tar.gz
Unpack it: gzip -dc openvpn-2.0.9.tar.gz | tar xvf -
cd openvpn-2.0.9
./configure
make
make install
If you did not download the LZO library, add --disable-lzo to the configure command. Other options can be enabled as well, for example pthread (./configure --enable-pthread), which improves responsiveness during SSL/TLS dynamic key renegotiation. The command
./configure --help
lists all configure options.
d) Configure the TUN/TAP driver
One-time configuration
If you run Linux 2.4.7 or later, the TUN/TAP driver is already bundled with the kernel. You can confirm this with:
locate if_tun.h
which prints something like /usr/include/linux/if_tun.h.
On Linux 2.4.7 or later, if you installed from the tarball and /dev/net/tun does not already exist (udev on CentOS 5 normally creates it when the module loads), create the TUN/TAP device node with the following command (skip this if you installed from RPM, because the RPM creates the node for you):
mknod /dev/net/tun c 10 200
If you use Linux 2.2, get version 1.1 of the TUN/TAP kernel module and follow its installation instructions.
Configuration needed after every boot
Before using OpenVPN, or any other program that uses TUN/TAP devices, on Linux, load the TUN/TAP kernel module:
modprobe tun
and enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
This /proc write is lost at reboot; to make it permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and apply it with sysctl -p. With forwarding on, the kernel routes between every interface the server has, which is why the firewall rules in section 4 are not optional.
3. Configure OpenVPN
a) Generate the certificates and keys
Set the environment variables
[root@openvpn ~]# vi /root/.bash_profile and append the following (adjust the values to your situation)
D=/root/Scripts/openvpn-2.0.9/easy-rsa
KEY_CONFIG=$D/openssl.cnf
KEY_DIR=$D/keys
KEY_SIZE=1024
KEY_COUNTRY=CN
KEY_PROVINCE=GD
KEY_CITY=DG
KEY_ORG="ld"
KEY_EMAIL="colin_xia@luckydragongroup.com"
export KEY_CONFIG KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL D
Also paste the same lines into the console (or run source /root/.bash_profile) so that they take effect in the current shell.
[root@openvpn ~]# echo $D confirms that the variables are set.
Two notes on these values. KEY_SIZE=1024 is what this walk-through uses, but 1024-bit RSA is no longer considered adequate; use 2048 or larger for a new deployment. KEY_SIZE also determines the file name that build-dh writes (dh${KEY_SIZE}.pem), so the dh line in server.conf must refer to the same file.
[root@localhost local]# cd /root/Scripts/openvpn-2.0.9/easy-rsa/
Initialise the PKI
./clean-all empties KEY_DIR, so run it only once when creating the PKI, never on a CA that has already issued certificates.
Build:
Code:
./clean-all
./build-ca
Generating a 1024 bit RSA private key
....................................................++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [DG]:
Organization Name (eg, company) [ld]:
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:colin
Email Address [colin_xia@luckydragongroup.com]:
# Build the server key
Code:
./build-key-server server
Generating a 1024 bit RSA private key
..................++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [DG]:
Organization Name (eg, company) [ld]:
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server
Email Address [colin_xia@luckydragongroup.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/Scripts/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'DG'
organizationName :PRINTABLE:'ld'
organizationalUnitName:PRINTABLE:'it'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'colin_xia@luckydragongroup.com'
Certificate is to be certified until Nov 6 18:18:13 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the client key
Code:
./build-key client1
Generating a 1024 bit RSA private key
......++++++
...........................................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [DG]:
Organization Name (eg, company) [ld]:
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:client1 # Important: every client certificate must have a different Common Name.
Email Address [colin_xia@luckydragongroup.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/Scripts/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'DG'
organizationName :PRINTABLE:'ld'
organizationalUnitName:PRINTABLE:'it'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'colin_xia@luckydragongroup.com'
Certificate is to be certified until Nov 6 18:18:36 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates/keys in the same way
Code:
./build-key client2
./build-key client3
Note that at the Common Name (eg, your name or your server's hostname) []: prompt, every certificate must be given a different name. OpenVPN keys ifconfig-pool-persist entries and client-config-dir files by CN, and without duplicate-cn the server disconnects an existing session when another client with the same CN connects.
Build:
Code:
Create the Diffie-Hellman parameters. They are required on the OpenVPN server, which uses ephemeral DH for the TLS key exchange:
./build-dh
Generate ta.key (the shared HMAC key for tls-auth):
openvpn --genkey --secret ta.key
Copy the files out of keys for distribution. Each client needs only ca.crt, its own clientN.crt and clientN.key, and ta.key; ca.key must never leave the CA machine (keep it separately, ideally offline), and one client's private key must never be handed to another client.
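Before copying files around, it pays to check what easy-rsa actually produced. The script below is an added example and not part of the original article: it verifies that every certificate chains to ca.crt, that server.crt carries the server extensions build-key-server adds, that no two certificates share a Common Name, and that ca.key has not ended up in the directory being bundled. It needs only the openssl CLI. The make_demo_pki helper builds a throwaway CA, server and client with plain openssl (constructed demo data; its names are not the article's) so the check can be tried without easy-rsa.

```shell
#!/bin/sh
# Added example, not part of the original article: check the easy-rsa output
# before copying it to the server or bundling client files. Assumes only the
# openssl CLI and the easy-rsa layout (ca.crt, server.crt, <client>.crt, ...).

# cn_of CERT: print the Common Name of a certificate.
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_openvpn_pki KEY_DIR [MIN_BITS]: print findings; return 0 only if every
# certificate chains to ca.crt, server.crt carries the server extensions and no
# two certificates share a CN. Weak key sizes are reported as WARN, not FAIL.
verify_openvpn_pki() {
    dir=$1; min_bits=${2:-2048}; rc=0
    for crt in "$dir"/*.crt; do
        case "$crt" in */ca.crt) continue ;; esac
        # 1. Signed by this CA? Anything else is not a client of this server.
        if ! openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "FAIL: $crt does not chain to $dir/ca.crt"; rc=1
        fi
        # 2. Key size (KEY_SIZE=1024 in the article is below current guidance).
        bits=$(openssl x509 -in "$crt" -noout -text | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge "$min_bits" ] || echo "WARN: $crt uses ${bits:-?}-bit RSA (< $min_bits)"
    done
    # 3. build-key-server adds nsCertType=server / EKU serverAuth; clients using
    #    ns-cert-type server reject a server certificate without them.
    case "$(openssl x509 -in "$dir/server.crt" -noout -text)" in
        *"SSL Server"*|*"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: server.crt lacks server nsCertType/EKU (not built with build-key-server?)"; rc=1 ;;
    esac
    # 4. CNs must be unique: ipp.txt, client-config-dir and the default
    #    one-session-per-CN rule are all keyed by CN.
    dups=$(for crt in "$dir"/*.crt; do cn_of "$crt"; done | sort | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: duplicate CN(s): $dups"; rc=1; }
    # 5. ca.key must stay offline; it has no business in the directory that is bundled.
    [ ! -e "$dir/ca.key" ] || echo "WARN: ca.key is in $dir; keep it off the server and out of client bundles"
    return $rc
}

# make_demo_pki: constructed throwaway PKI (CA, server, client1) in a temp dir,
# built with plain openssl so the check can be exercised without easy-rsa.
make_demo_pki() {
    d=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.cnf"
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' >"$d/server.ext"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj /CN=demo-ca -days 1 >/dev/null 2>&1
    for name in server client1; do
        openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
            -out "$d/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
        if [ "$name" = server ]; then ext="-extfile $d/server.ext"; else ext=""; fi
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -days 1 $ext -out "$d/$name.crt" >/dev/null 2>&1
    done
    echo "$d"
}
```

Run it as verify_openvpn_pki /root/Scripts/openvpn-2.0.9/easy-rsa/keys; a non-zero exit means do not ship the files. The WARN for 1024-bit keys is deliberate: the article's KEY_SIZE produces exactly those, and reporting rather than blocking lets an existing deployment still be inspected.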
b) Create the OpenVPN server configuration file
vi /usr/local/etc/server.conf
port 2194
proto udp
dev tun
server 10.9.0.0 255.255.255.0
push "route 172.18.2.0 255.255.255.0"
push "dhcp-option DNS 172.18.2.23"
push "dhcp-option DNS 202.96.128.86"
ifconfig-pool-persist /usr/local/etc/ipp.txt
ca /usr/local/etc/keys/ca.crt
cert /usr/local/etc/keys/server.crt
key /usr/local/etc/keys/server.key
dh /usr/local/etc/keys/dh1024.pem
tls-auth /usr/local/etc/keys/ta.key 0
keepalive 10 120
comp-lzo
status /var/log/openvpn-status.log
verb 4
persist-key
persist-tun
Copy the .key, .pem and .crt files named in the configuration to /usr/local/etc/keys (dh1024.pem here because of KEY_SIZE=1024), then restrict the secrets: chmod 600 /usr/local/etc/keys/server.key and the same for ta.key, since the server process reads them as root at startup and nobody else needs them.
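The server.conf above leaves the daemon running as root for its whole life and relies on OpenVPN 2.0's default cipher. The shell function below is an added example, not part of the original article: it audits a server.conf for those gaps and writes the article's configuration (a constructed copy) next to a hardened variant so the two can be compared. The directive names are real OpenVPN 2.0 directives; the file paths crl.pem and dh2048.pem are assumed.

```shell
#!/bin/sh
# Added example, not from the original article: audit an OpenVPN 2.0-style
# server.conf for the hardening directives the sample configuration omits.
# Only grep and sed are used, so it runs wherever the configuration lives.

# _has_directive FILE NAME: 0 if NAME appears as a directive at line start.
_has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# check_server_conf FILE: print one finding per line (prints nothing when clean).
check_server_conf() {
    f=$1
    if ! _has_directive "$f" user || ! _has_directive "$f" group; then
        echo "user/group: missing; the daemon keeps root after startup. Add 'user nobody' and 'group nobody' (persist-key/persist-tun make the drop survive restarts)."
    fi
    _has_directive "$f" tls-auth || echo "tls-auth: missing; without the HMAC check every UDP packet reaches the TLS code path."
    _has_directive "$f" crl-verify || echo "crl-verify: missing; a revoked client certificate is still accepted."
    _has_directive "$f" cipher || echo "cipher: not set; OpenVPN 2.0 defaults to BF-CBC (64-bit block). Set an AES cipher explicitly."
    _has_directive "$f" duplicate-cn && echo "duplicate-cn: set; one certificate shared by many clients defeats per-client revocation."
    dh_file=$(sed -n 's/^[[:space:]]*dh[[:space:]]\{1,\}\(.*\)$/\1/p' "$f")
    case "$dh_file" in
        *dh512*|*dh768*|*dh1024*) echo "dh: $dh_file looks like <2048-bit DH parameters; rebuild with KEY_SIZE=2048 (build-dh)." ;;
    esac
    return 0
}

# make_demo_confs: write a constructed copy of the article's server.conf and a
# hardened variant into a temp dir; prints the dir.
make_demo_confs() {
    d=$(mktemp -d)
    cat >"$d/server.conf" <<'EOF'
port 2194
proto udp
dev tun
server 10.9.0.0 255.255.255.0
push "route 172.18.2.0 255.255.255.0"
ifconfig-pool-persist /usr/local/etc/ipp.txt
ca /usr/local/etc/keys/ca.crt
cert /usr/local/etc/keys/server.crt
key /usr/local/etc/keys/server.key
dh /usr/local/etc/keys/dh1024.pem
tls-auth /usr/local/etc/keys/ta.key 0
keepalive 10 120
comp-lzo
status /var/log/openvpn-status.log
verb 4
persist-key
persist-tun
EOF
    cat >"$d/server-hardened.conf" <<'EOF'
port 2194
proto udp
dev tun
server 10.9.0.0 255.255.255.0
push "route 172.18.2.0 255.255.255.0"
ifconfig-pool-persist /usr/local/etc/ipp.txt
ca /usr/local/etc/keys/ca.crt
cert /usr/local/etc/keys/server.crt
key /usr/local/etc/keys/server.key
dh /usr/local/etc/keys/dh2048.pem
tls-auth /usr/local/etc/keys/ta.key 0
crl-verify /usr/local/etc/keys/crl.pem
cipher AES-256-CBC
user nobody
group nobody
keepalive 10 120
comp-lzo
status /var/log/openvpn-status.log
verb 3
persist-key
persist-tun
EOF
    echo "$d"
}
```

Running check_server_conf against the article's configuration reports four findings (user/group, crl-verify, cipher, dh); the hardened file reports none. crl-verify is what makes the certificate revocation in section 6 actually take effect on the server.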
c) Start OpenVPN
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
Check that the service is listening (expect openvpn on UDP *:2194)
lsof -i :2194
Once debugging is finished, start openvpn as a background process
/usr/local/sbin/openvpn --daemon --config /usr/local/etc/server.conf
and add that line to /etc/rc.local (after the modprobe tun and ip_forward settings from step 2.d, which must already be in place when openvpn starts)
4. Configure the OpenVPN Server firewall
The key points are to allow connections to the tun/tap interface and to NAT the traffic that comes from OpenVPN clients into the company LAN
as follows (