小波波 2011-06-15
OpenVPN bridge mode, part 1: client/server
Goal: a remote machine installs the OpenVPN client, configures the certificates and connects to the OpenVPN server, receives an IP address on the internal network the server is attached to, and can thus communicate with that internal network (experiment only).
1. System and hardware environment
# OpenSSL, bridge-utils and related dependencies
One multi-NIC network gap (security isolation) appliance running Fedora 5
Two PCs
2. Network environment
iptables is turned off
3. Installing OpenVPN (server side)
Working directory: /root/scripts/
1) Required packages
openvpn-2.0.9.tar.gz
lzo-2.03.tar.gz
2) Installation
# tar -zxvf lzo-2.03.tar.gz
# cd lzo-2.03 && ./configure && make && make install
# tar -zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9 && ./configure && make && make install
4. Configuring OpenVPN (server side)
# cd /etc/openvpn/
1) Copy easy-rsa, which is used to create the CA certificate
# cp -ra /root/scripts/openvpn-2.0.9/easy-rsa .
2) Copy the sample configuration files
# cp /root/scripts/openvpn-2.0.9/sample-config-files/server.conf config/
# cp /root/scripts/openvpn-2.0.9/sample-scripts/bridge-start .
# cp /root/scripts/openvpn-2.0.9/sample-scripts/bridge-stop .
# ln -s /etc/config/server.conf /etc/openvpn/
3) Edit the certificate variables
# vi easy-rsa/vars
export KEY_COUNTRY=ZN
export KEY_PROVINCE=BeiJing
export KEY_CITY=BeiJing
export KEY_ORG="RFGZ"
export KEY_EMAIL=[email protected]
4) Initialise the PKI
# cd easy-rsa/
# source vars
# ./clean-all
# ./build-ca
5) Create the server key. The Common Name must be set to server; the remaining fields can keep their defaults.
# ./build-key-server server
6) Create the client key and certificate. Set the Common Name to client1; it is the identifier by which this client will be recognised from now on.
# ./build-key client1
7) Create the Diffie-Hellman parameters. Diffie-Hellman parameters strengthen security and are mandatory in OpenVPN.
# ./build-dh
8) Edit the configuration files
Bridge configuration file:
# cd /etc/openvpn/
# vi bridge-start
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth3"
eth_ip="1.1.1.239"
eth_netmask="255.255.255.0"
eth_broadcast="1.1.1.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
Server configuration file:
# vi server.conf
local 192.168.0.221
port 1194
proto tcp
dev tap0
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
key ./easy-rsa/keys/server.key  # This file should be kept secret
dh ./easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
# assign clients IP addresses in the 200~209 range
server-bridge 10.0.0.200 255.255.255.0 10.0.0.200 10.0.0.209
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
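As an added example (not part of the original post), a small bash check for the server-bridge directive against the bridge address set in bridge-start: the gateway should be the bridge interface's own address, the pool must lie in the gateway's subnet, and the gateway must not fall inside the pool. With the values above (bridge 1.1.1.239, gateway 10.0.0.200, pool 10.0.0.200 to 10.0.0.209) it reports both the address mismatch and the gateway sitting at the start of the pool, so the first client is handed 10.0.0.200, the address also declared as the gateway.

```shell
#!/bin/bash
# Added example, not part of the original post: sanity-check an OpenVPN
# server-bridge directive against the bridge address set in bridge-start.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_server_bridge BRIDGE_IP GATEWAY NETMASK POOL_START POOL_END
# Prints every inconsistency found and returns 0 only if there is none.
check_server_bridge() {
    local br_ip=$1 gw=$2 mask=$3 start=$4 end=$5 rc=0
    local ibr igw imask istart iend net
    ibr=$(ip2int "$br_ip"); igw=$(ip2int "$gw"); imask=$(ip2int "$mask")
    istart=$(ip2int "$start"); iend=$(ip2int "$end")
    net=$(( igw & imask ))

    # The gateway pushed to clients should be the bridge interface's address.
    if [ "$igw" -ne "$ibr" ]; then
        echo "gateway $gw does not match bridge address $br_ip"; rc=1
    fi
    # Both ends of the pool must be in the gateway's subnet.
    if [ $(( istart & imask )) -ne "$net" ] || [ $(( iend & imask )) -ne "$net" ]; then
        echo "pool $start-$end is outside $gw/$mask"; rc=1
    fi
    if [ "$istart" -gt "$iend" ]; then
        echo "pool start $start is after pool end $end"; rc=1
    fi
    # A gateway inside the pool can be handed out to a client.
    if [ "$igw" -ge "$istart" ] && [ "$igw" -le "$iend" ]; then
        echo "gateway $gw lies inside the client pool $start-$end"; rc=1
    fi
    return $rc
}

# Values taken from the post's bridge-start and server.conf.
if check_server_bridge 1.1.1.239 10.0.0.200 255.255.255.0 10.0.0.200 10.0.0.209; then
    echo "server-bridge directive is consistent"
fi
```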
5. Starting OpenVPN (server side)
# cd /etc/openvpn/
First bring up the bridge:
# ./bridge-start
# openvpn server.conf
Output ending in "Initialization Sequence Completed" shows that the server started successfully.
6. Installing OpenVPN (client side)
On Windows XP:
openvpn-2.0.9-gui-1.0.3-install.exe (the client version must match the OpenVPN version on the server)
After installation the system gains a TAP-Win32 Adapter network adapter.
7. Configuring OpenVPN (client side)
Certificates:
Copy the certificates generated on the server (ca.crt, ca.key, client1.crt, client1.csr, client1.key) into the config folder under the installation directory.
Configuration file:
Create a client.ovpn configuration file in the config folder:
client
dev tap
proto tcp
remote 192.168.0.221 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4
8. Start the OpenVPN client and connect to the server
Right-click the OpenVPN GUI tray icon and choose Connect.
Once the connection succeeds the tray icon turns green and the local machine gains the IP address 10.0.0.200.