Daily notes 2010-05-07
All OpenVPN traffic runs over a single IP port; UDP is the default and recommended transport, and TCP is also supported. OpenVPN connections can pass through most proxy servers and work well behind NAT. The server can "push" certain network configuration to clients, including IP addresses and routes. OpenVPN offers two kinds of virtual network interface through the generic TUN/TAP driver: a layer-3 IP tunnel, or a virtual layer-2 Ethernet segment that can carry any kind of Ethernet frame. The transported data can be compressed with the LZO algorithm. The official port assigned to OpenVPN by IANA (Internet Assigned Numbers Authority) is 1194. Since OpenVPN 2.0, a single process can manage several concurrent tunnels.
Server-side configuration: 192.168.229.201 is the VPN server's internal IP; 192.168.90.10 is its external IP.
In the demo environment the server's eth0 is the VM's bridged NIC and can reach the public network; eth1 is on vm9 and simulates the internal network. The client's NIC is also on vm9, so by default it cannot reach the public network!
[root@server1 ~]# ifconfig |grep 'inet addr'
inet addr:192.168.90.10 Bcast:192.168.90.255 Mask:255.255.255.0
inet addr:192.168.229.201 Bcast:192.168.229.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
The server runs rhel5.4; the openvpn version is 2.0.9 and the lzo version is 2.0.3.
[root@server1 ~]# modinfo tun
filename: /lib/modules/2.6.18-8.el5/kernel/drivers/net/tun.ko
alias: char-major-10-200
license: GPL
author: (C) 1999-2004 Max Krasnyansky <[email protected]>
description: Universal TUN/TAP device driver
srcversion: C0FE3C11A88F4A24924EFDD
depends:
vermagic: 2.6.18-8.el5 SMP mod_unload 686 REGPARM 4KSTACKS gcc-4.1
Download the source tarballs and build and install them:
[root@server1 ~]# cd /usr/local/src/tarbag/
[root@server1 tarbag]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
[root@server1 tarbag]# wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
[root@server1 tarbag]# tar zxvf lzo-2.03.tar.gz -C ../software/
[root@server1 tarbag]# tar -zxvf openvpn-2.0.9.tar.gz -C ../software/
LZO is a real-time lossless compression library. It must be installed before building openvpn, because openvpn links against this compression library; if configure cannot find it, configure fails.
[root@server1 tarbag]# cd ../software/lzo-2.03/
[root@server1 lzo-2.03]# ./configure --prefix=/usr/local/lzo && make && make install
[root@server1 lzo-2.03]# ls /usr/local/lzo/
include lib
Building and installing openvpn also requires the openssl library.
[root@server1 lzo-2.03]# cd ../openvpn-2.0.9/
[root@server1 openvpn-2.0.9]# ./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib && make && make install
[root@server1 openvpn-2.0.9]# echo $?
0
[root@server1 openvpn-2.0.9]# ls /usr/local/openvpn/
man sbin
[root@server1 ~]# mkdir /usr/local/openvpn/etc
[root@server1 ~]# cp -r /usr/local/src/software/openvpn-2.0.9/easy-rsa/ /usr/local/openvpn/etc/
[root@server1 ~]# cp /usr/local/src/software/openvpn-2.0.9/sample-config-files/server.conf /usr/local/openvpn/etc/
[root@server1 ~]# tail -n 5 /usr/local/openvpn/etc/easy-rsa/2.0/vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="FJ"
export KEY_CITY="FZ"
export KEY_ORG="yang.com"
export KEY_EMAIL="[email protected]"
[root@server1 ~]# cd /usr/local/openvpn/etc/easy-rsa/2.0/
[root@server1 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/openvpn/etc/easy-rsa/2.0/keys
[root@server1 2.0]# ./clean-all
Generate the CA certificate, which is used to sign the server and client certificates
[root@server1 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [FJ]:
Locality Name (eg, city) [FZ]:
Organization Name (eg, company) [yang.com]:
Organizational Unit Name (eg, section) []:JSB
Common Name (eg, your name or your server's hostname) [yang.com CA]:server1.yang.com
Email Address [[email protected]]:
[root@server1 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
Generate the server certificate
[root@server1 2.0]# ./build-key-server server1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'FZ'
organizationName :PRINTABLE:'yang.com'
organizationalUnitName:PRINTABLE:'JSB'
commonName :PRINTABLE:'server1.yang.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 19 16:38:10 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the client certificate
[root@server1 2.0]# ./build-key bleach
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'FJ'
localityName :PRINTABLE:'FZ'
organizationName :PRINTABLE:'yang.com'
organizationalUnitName:PRINTABLE:'JSB'
commonName :PRINTABLE:'bleach.yang.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 19 16:40:09 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server1 2.0]# cd keys/
[root@server1 keys]# mkdir /usr/local/openvpn/etc/keys
[root@server1 keys]# cp ca.crt dh1024.pem server1.crt server1.key /usr/local/openvpn/etc/keys/
[root@server1 keys]# ls /usr/local/openvpn/etc/keys/
ca.crt dh1024.pem server1.crt server1.key
[root@server1 ~]# vi /usr/local/openvpn/etc/server.conf
local 192.168.229.201
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/server1.crt
key /usr/local/openvpn/etc/keys/server1.key
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 1.1.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
(Note: at first the push "redirect-gateway" parameter was not declared, and after the client connected it reported "NOTE: unable to redirect default gateway -- Cannot read current default gateway from system" and received no gateway. After declaring this parameter and restarting the service, the client obtained the gateway and everything was OK. If the gateway still cannot be obtained, add a route manually on the client; on Windows the command is: route add <network address> mask <netmask> <gateway IP>
; on Linux: route add default gw <gateway IP>)
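An added check (my own code, not from the OpenVPN project or the original post) that parses a server.conf like the one above and flags the settings this walkthrough's behaviour depends on: a non-UDP transport, a missing push "redirect-gateway" (the cause of the gateway note above), running as root without user/group, persist-key missing once privileges are dropped, and relative certificate paths. The embedded config is a constructed, trimmed copy of the one shown above.

```python
import shlex
from pathlib import PurePosixPath
# Constructed copy of the server.conf from this walkthrough, trimmed to the directives checked.
SERVER_CONF = """\
local 192.168.229.201
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/server1.crt
key /usr/local/openvpn/etc/keys/server1.key
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 1.1.1.0 255.255.255.0
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
user nobody
group nobody
persist-key
persist-tun
"""

def parse_conf(text):
    """Parse OpenVPN directives into {name: [[arg, ...], ...]}; '#'/';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps a quoted push payload as one argument
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def lint(conf):
    """Return findings for the settings this walkthrough's client behaviour depends on."""
    findings = []
    if conf.get("proto", [["udp"]])[0][0] != "udp":  # udp is OpenVPN's default transport
        findings.append("proto is not udp (udp is the default and recommended transport)")
    pushes = [" ".join(args) for args in conf.get("push", [])]
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append('no push "redirect-gateway": clients get no default gateway')
    if "user" not in conf or "group" not in conf:
        findings.append("no user/group: the daemon keeps root privileges after start")
    elif "persist-key" not in conf:
        findings.append("persist-key missing: keys cannot be re-read after dropping privileges")
    for directive in ("ca", "cert", "key", "dh"):
        for args in conf.get(directive, []):
            if not PurePosixPath(args[0]).is_absolute():
                findings.append(f"{directive} path {args[0]} is relative; use an absolute path")
    return findings
```

Run against the config above it reports only the TCP transport, which matches the page's own remark that UDP is the recommended default.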