在技术分享之前,在说一下今年的三个技术分享方向: python,java和运维开发
技术分享的目的,
一是自己正好在做这个实验,顺手就发出来了。
二是有的伙伴正好要用到,发出来给这部分朋友作为参考学习
三是帮助一些没有基础、想要转行的朋友,尽快适应企业的技术要求。
发表文章看上去很简单,其实从写到发表,没有四个小时搞不定,所以发得比较慢,希望大家能够见谅。
言归正传,我们来看看VPN的搭建
VPN直译就是虚拟专用通道,是提供给企业之间或者个人与公司之间安全数据传输的隧道,OpenVPN无疑是Linux下开源VPN的先锋,提供了良好的性能和友好的用户GUI。
OpenVPN允许参与建立VPN的单点使用预设的私钥,第三方证书,或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库,以及SSLv3/TLSv1协议。OpenVPN能在Linux、xBSD、Mac OS X与Windows 2000/XP上运行。
虚拟专用网VPN
openvpn实现SSL VPN
最终实现vpnclient可以与vpnserver后端的内网主机通信
==============================================================
项目拓扑:
内网主机 | vpnserver | vpnclient
192.168.2.0/24 | 192.168.2.250 (eth0) / 20.20.20.1 (eth1) | 20.20.20.2
==============================================================
在内网主机上指定网关:
[root@intra_host ~]# ip route del
RTNETLINK answers: No such process
[root@intra_host ~]# ip route add dev eth0 default via 192.168.2.250
[root@intra_host ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.250 dev eth0
VPN Server配置:
一、添加内、外网接口地址
[root@vpnserver ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:3e:2e:3d:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.250/24 brd 192.168.2.255 scope global eth0
[root@vpnserver ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:3e:2e:3d:11 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.1/24 brd 20.20.20.255 scope global eth1
[root@vpnserver ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.250
20.20.20.0/24 dev eth1 proto kernel scope link src 20.20.20.1
169.254.0.0/16 dev eth1 scope link
[root@vpnserver ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
二、VPN Server配置
------生成用于身份验证和加密通信的相关证书文件------
vpnserver: 私钥 证书 CA的证书
vpnclient: 私钥 证书 CA的证书
[root@vpnserver OpenVPN]# rpm -ivh lzo2-2.02-3.el5.rf.i386.rpm //用于数据压缩
warning: lzo2-2.02-3.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:lzo2 ########################################### [100%]
[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm
warning: openvpn-2.0.9-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:openvpn ########################################### [100%]
[root@vpnserver OpenVPN]#
==CA服务器配置 并为vpnserver和vpnclient签名==
生成CA私钥和证书文件:
=================================================================================
[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@vpnserver easy-rsa]# ls
2.0 build-key build-req make-crl revoke-full
build-ca build-key-pass build-req-pass openssl.cnf sign-req
build-dh build-key-pkcs12 clean-all README vars
build-inter build-key-server list-crl revoke-crt Windows
[root@vpnserver easy-rsa]# chmod +x *
[root@vpnserver easy-rsa]# vim vars //修改配置文件,主要是为了方便下面执行./build-ca脚本时直接采用这里设置的默认值
[root@vpnserver easy-rsa]# tail -n 5 vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="openvpn-tianyun"
export KEY_EMAIL="tianyun@126.com"
[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver easy-rsa]# ./clean-all
[root@vpnserver easy-rsa]# ./build-ca //生成ca私钥和证书
Generating a 1024 bit RSA private key
..........................++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [OpenVPN-ROOT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: ca.tianyun.com
Email Address [tianyun@126.com]:
[root@vpnserver easy-rsa]# ls //查看生成了keys目录
2.0 build-key-pass clean-all README Windows
build-ca build-key-pkcs12 keys revoke-crt
build-dh build-key-server list-crl revoke-full
build-inter build-req make-crl sign-req
build-key build-req-pass openssl.cnf vars
[root@vpnserver easy-rsa]# ls keys/
ca.crt ca.key index.txt serial
生成vpnserver的私钥和证书:
=================================================================================
[root@vpnserver easy-rsa]# ./build-key-server //执行此脚本时必须指定<name>参数
usage: build-key-server <name>
[root@vpnserver easy-rsa]# ./build-key-server vpnserver
Generating a 1024 bit RSA private key
..................................................++++++
.........................++++++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [openvpn-tianyun]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vpnserver.tianyun.com
Email Address [tianyun@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'openvpn-tianyun'
commonName :PRINTABLE:'vpnserver.tianyun.com'
emailAddress :IA5STRING:'tianyun@126.com'
Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]# ls keys/
01.pem index.txt serial vicvpnserver.csr
ca.crt index.txt.attr serial.old vicvpnserver.key
ca.key index.txt.old vicvpnserver.crt
为每一个client生成的私钥和证书:
生成Client的密钥和证书,在openvpn中,这种配置方法是每一个登陆的VPN客户端需要有一个证书,每个证书在同一时刻只能供一个客户端连接(如果有两个机器安装相同证书,同时拨服务器,都能拨上,但是只有第一个拨上的才能连通网络)。所以需要建立许多份证书。
=================================================================================
[root@vpnserver easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
............................++++++
...................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [OpenVPN-ROOT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: client1.tianyun.com
Email Address [tianyun@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'OpenVPN-ROOT'
commonName :PRINTABLE:'client1.tianyun.com'
emailAddress :IA5STRING:'tianyun@126.com'
Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]# ls keys/
01.pem client1.crt index.txt.attr serial.old
02.pem client1.csr index.txt.attr.old vicvpnserver.crt
ca.crt client1.key index.txt.old vicvpnserver.csr
ca.key index.txt serial vicvpnserver.key
将证书和私钥分发给相应的客户端主机:
[root@vpnserver easy-rsa]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........+...+.........................+.........+........................+.........................+..........+....................+........................+
...........................+..................................+................................................+.............+............................+............
.....................+..+............+................................................................+.........................+...........................+.........
...........+.......................+.....................................+.................................................+...........................+.................
.......................+...........+..............................+....................................+......+..........................................................
.............................................+..............................................+.................+....................................+.......................
................................++*++*++*
配置vpn server端
[root@vpnserver keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
[root@vpnserver keys]# ls /etc/openvpn/
ca.crt vpnserver.crt vpnserver.key
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.............................................................+.......+.....................+......................................++*++*++*
[root@vpnserver easy-rsa]# cp keys/dh1024.pem /etc/openvpn/
[root@vpnserver ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/ //openvpn server配置文件
[root@vpnserver ~]# vim /etc/openvpn/server.conf
[root@vpnserver ~]# grep '^[^#]' /etc/openvpn/server.conf
local 20.20.20.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
#配置VPN使用的网段,OpenVPN会自动提供基于该网段的DHCP服务,但不能和任何一方的局域网段重复,以保证唯一;server端ip默认会设为该网段的.1地址
ifconfig-pool-persist ipp.txt
# 维持一个客户端和virtual IP的对应表,以方便客户端重新连接可以获得同样的IP
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.2.0 255.255.255.0"
# 为客户端创建对应的路由,以令其通达公司网内部服务器;但记住,公司网内部服务器也需要有可用路由返回到客户端
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
duplicate-cn
keepalive 10 120
# 设置服务端检测的间隔和超时时间 每10秒ping一次,如果120秒没有回应则认为对方已经down
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
# 使用lzo压缩的通讯,服务端和客户端都必须配置
max-clients 100
user nobody
group nobody
persist-key
persist-tun
# 重启时仍保留一些状态
status openvpn-status.log
log openvpn.log
verb 3
# 设置日志要记录的级别。0只记录错误信息。4能记录普通的信息。5和6在连接出现问题时能帮助调试。9是极端的,所有信息都会显示,甚至连包头等信息都显示(像tcpdump)
mute 20
# 相同信息的数量,如果连续出现20条相同的信息,将不记录到日志中。
[root@vpnserver ~]# service openvpn start
正在启动 openvpn: [确定]
[root@vpnserver ~]# chkconfig openvpn on
[root@vpnserver ~]# ip addr show dev tap0
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether e2:93:9e:d2:00:2c brd ff:ff:ff:ff:ff:ff
inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
[root@vpnserver ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.250
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1
20.20.20.0/24 dev eth1 proto kernel scope link src 20.20.20.1
169.254.0.0/16 dev eth1 scope link
-----------配置vpn client端------------
[root@vpnclient ~]# ip addr add dev eth0 20.20.20.2/24
[root@vpnclient ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:24:1d:39:8e:d9 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.2/24 scope global eth0
[root@vpnclient ~]# ip route
20.20.20.0/24 dev eth0 proto kernel scope link src 20.20.20.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
[root@vpnclient OpenVPN]# rpm -ivh lzo2-2.02-3.el5.rf.i386.rpm
warning: lzo2-2.02-3.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:lzo2 ########################################### [100%]
[root@vpnclient OpenVPN]# rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm
warning: openvpn-2.0.9-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:openvpn ########################################### [100%]
在修改配置文件前,先把ca.crt、client1.crt和client1.key(私钥,需通过安全通道传输)拷到本机
[root@vpnclient openvpn]# cd /etc/openvpn/
[root@vpnclient openvpn]# ls c* //复制三个文件到该目录
ca.crt client1.crt client1.key
[root@vpnclient OpenVPN]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
[root@vpnclient OpenVPN]# vi /etc/openvpn/client.conf
[root@vpnclient OpenVPN]# grep '^[^#]' /etc/openvpn/client.conf
client
dev tap
;dev-node MyTap
proto udp
remote 20.20.20.1 1194 //拨号地址
;remote-random
nobind
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
mute 20
[root@vpnclient ~]# service openvpn restart
正在关闭openvpn: [确定]
正在启动 openvpn: [确定]
[root@vpnclient ~]# chkconfig openvpn on
[root@vpnclient ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:24:1d:39:8e:d9 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.2/8 brd 20.255.255.255 scope global eth0
inet 20.20.20.2/24 brd 20.20.20.255 scope global eth0
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether de:a2:1e:12:e7:6a brd ff:ff:ff:ff:ff:ff
inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0
[root@vpnclient ~]# ip route
192.168.2.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
20.20.20.0/24 dev eth0 proto kernel scope link src 20.20.20.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
20.0.0.0/8 dev eth0 proto kernel scope link src 20.20.20.2