Llinux OpenVPN安装
原理概述
OpenVpn的技术核心是虚拟网卡,其次是SSL协议实现这里重点对虚拟网卡及其在OpenVpn的中的工作机理进行介绍:
虚拟网卡是使用网络底层编程技术实现的一个驱动软件,安装后在主机上多出现一个网卡,可以像其它网卡一样进行配置。服务程序可以在应用层打开虚拟网卡,如果应用软件(如IE)向虚拟网卡发送数据,则服务程序可以读取到该数据,如果服务程序写合适的数据到虚拟网卡,应用软件也可以接收得到。虚拟网卡在很多的操作系统下都有相应的实现,这也是OpenVpn能够跨平台一个很重要的理由。
在OpenVpn中,如果用户访问一个远程的虚拟地址(属于虚拟网卡配用的地址系列,区别于真实地址),则操作系统会通过路由机制将数据包(TUN模式)或数据帧(TAP模式)发送到虚拟网卡上,服务程序接收该数据并进行相应的处理后,通过 SOCKET从外网上发送出去,远程服务程序通过SOCKET从外网上接收数据,并进行相应的处理后,发送给虚拟网卡,则应用软件可以接收到,完成了一个单向传输的过程,反之亦然。
安装环境描述
本安装过程在本地VM Ware虚拟机上进行。
Name | OS | IP | Type |
node1 | RHEL5.3 | 192.168.132.101 | server |
node2 | RHEL5.3 | 192.168.132.102 | client |
PC | Windows 7 | 192.168.132.1 | client |
安装过程
Linux 系统kernel 需要支持 tun 设备, 需要加载 iptables 模块。
安装前需要检查 tun 是否安装(默认RHEL5.3是安装的):
代码:
[root@node1 ~]#modinfo tun
filename: /lib/modules/2.6.18-128.el5/kernel/drivers/net/tun.ko
alias: char-major-10-200
license: GPL
author: (C) 1999-2004 Max Krasnyansky<[email protected]>
description: Universal TUN/TAP device driver
srcversion: 2900E7452AC08E0F4F0B7B8
depends:
vermagic: 2.6.18-128.el5 SMP mod_unload 686REGPARM 4KSTACKS gcc-4.1
module_sig: 883f35049492fa531b497468cdd12cf11282cc09f73e2959263978972085b5f0e095465f98d5ed00a0a7fdda22567f18978160a3795fc70d2b73234
OpenVPN如果需要启用 SSL 连接,则需要先安装 OpenSSL。
代码:
[root@node1 ~]# rpm -qa | grep ssl
openssl-0.9.8e-7.el5
[root@node1 ~]# yum install openssl-devel
本实验安装的 OpenVPN 的版本:2.2.1 现在最新版本是2.2.2,可在http://openvpn.net上下载。
服务器的安装
1. 通过SecureCRT或者XShell等登录到服务器,上传LZO和OpenVPN,LZO用于数据压缩,如果不想安装,可以在安装的过程中禁用LZO
代码:
[root@node1 ~]# ls
lzo-2.06.tar.gz openvpn-2.2.1.tar.gz
2. 解压并安装lzo
代码:
[root@node1 ~]# tar zxf lzo-2.06.tar.gz
[root@node1 ~]# cd lzo-2.06
[root@node1 lzo-2.06]# ./configure
[root@node1 lzo-2.06]# make && makeinstall
3. 解压并安装OpenVPN
代码:
[root@node1 ~]# tar zxf openvpn-2.2.1.tar.gz
[root@node1 ~]# cd openvpn-2.2.1
[root@node1 openvpn-2.2.1]# ./configure&& make && make install
4. 生成证书Key
没有报错信息说明安装成功,下一步才做就是配置OpenVPN服务器
初始化PKI
[root@node1 openvpn-2.2.1]# mkdir/etc/openvpn
[root@node1 openvpn-2.2.1]# cp -reasy-rsa/2.0/ /etc/openvpn/easy-rsa
[root@node1 openvpn-2.2.1]# cd/etc/openvpn/easy-rsa/
[root@node1 easy-rsa]# vi vars
将最下面的部分按照需要自己更改一下,之上的部分一般不用理会,如下所示:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="gyyx"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected]
export KEY_CN=gyyx
export KEY_NAME=gyyx
export KEY_OU=gyyx
export PKCS11_MODULE_PATH=gyyx
export PKCS11_PIN=1q2w3e4r
当然,也可以自己手动export变量,用vars的好处就是不用每次手动export
#Build ca
执行一下命令,一路回车即可
代码:
[root@node1easy-rsa]# . ./vars
NOTE: Ifyou run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@node1easy-rsa]# ./clean-all #只有在第一次生成证书的时候才需要执行
[root@node1easy-rsa]# ./build-ca
Generatinga 1024 bit RSA private key
.............................................++++++
...++++++
writing newprivate key to ‘ca.key‘
-----
You areabout to be asked to enter information that will be incorporated
into yourcertificate request.
What youare about to enter is what is called a Distinguished Name or a DN.
There arequite a few fields but you can leave some blank
For somefields there will be a default value,
If youenter ‘.‘, the field will be left blank.
-----
CountryName (2 letter code) [CN]:
State orProvince Name (full name) [BJ]:
LocalityName (eg, city) [Beijing]:
OrganizationName (eg, company) [gyyx]:
OrganizationalUnit Name (eg, section) [gyyx]:
Common Name(eg, your name or your server‘s hostname) [gyyx]:
Name[gyyx]:
EmailAddress [[email protected]]:
#生成 Diffie Hellman 参数
代码:
[root@node1 easy-rsa]# ./build-dh
Generating DH parameters, 1024 bitlong safe prime, generator 2
This is going to take a long time
...............................................................+.........................................................................................................................................+..+.......+...............+......+.++*++*++*
#建立 server key
几乎也是一路回车,但是最后要两次确认,一定要输入y
代码:
[root@node1easy-rsa]# ./build-key-server server
Generating a 1024bit RSA private key
..........++++++
...............................++++++
writing newprivate key to ‘server.key‘
-----
You are about tobe asked to enter information that will be incorporated
into yourcertificate request.
What you areabout to enter is what is called a Distinguished Name or a DN.
There are quite afew fields but you can leave some blank
For some fieldsthere will be a default value,
If you enter ‘.‘,the field will be left blank.
-----
Country Name (2letter code) [CN]:
State or ProvinceName (full name) [BJ]:
Locality Name(eg, city) [Beijing]:
Organization Name(eg, company) [gyyx]:
OrganizationalUnit Name (eg, section) [gyyx]:
Common Name (eg,your name or your server‘s hostname) [server]:
Name [gyyx]:
Email Address[[email protected]]:
Please enter thefollowing ‘extra‘ attributes
to be sent withyour certificate request
A challengepassword []:
An optionalcompany name []:
Usingconfiguration from /etc/openvpn/easy-rsa/openssl-0.9.8.cnf
Check that therequest matches the signature
Signature ok
The Subject‘sDistinguished Name is as follows
countryName :PRINTABLE:‘CN‘
stateOrProvinceName :PRINTABLE:‘BJ‘
localityName :PRINTABLE:‘Beijing‘
organizationName :PRINTABLE:‘gyyx‘
organizationalUnitName:PRINTABLE:‘gyyx‘
commonName :PRINTABLE:‘server‘
name :PRINTABLE:‘gyyx‘
emailAddress :IA5STRING:‘[email protected]‘
Certificate is tobe certified until Jan 7 06:51:48 2022GMT (3650 days)
Sign thecertificate? [y/n]:y
1 out of 1 certificaterequests certified, commit? [y/n]y
Write outdatabase with 1 new entries
Data Base Updated
#生成客户端 key
与上生成服务端key的方式类似
代码:
[root@node1 easy-rsa]#./build-key client1
Generating a 1024 bit RSAprivate key
......................................................................++++++
...........++++++
writing new private keyto ‘client1.key‘
-----
You are about to be askedto enter information that will be incorporated
into your certificaterequest.
What you are about toenter is what is called a Distinguished Name or a DN.
There are quite a fewfields but you can leave some blank
For some fields therewill be a default value,
If you enter ‘.‘, thefield will be left blank.
-----
Country Name (2 lettercode) [CN]:
State or Province Name(full name) [BJ]:
Locality Name (eg, city)[Beijing]:
Organization Name (eg,company) [gyyx]:
Organizational Unit Name(eg, section) [gyyx]:
Common Name (eg, yourname or your server‘s hostname) [client1]:
Name [gyyx]:
Email Address[[email protected]]:
Please enter the following‘extra‘ attributes
to be sent with yourcertificate request
A challenge password []:
An optional company name[]:
Using configuration from/etc/openvpn/easy-rsa/openssl-0.9.8.cnf
Check that the requestmatches the signature
Signature ok
The Subject‘s DistinguishedName is as follows
countryName :PRINTABLE:‘CN‘
stateOrProvinceName :PRINTABLE:‘BJ‘
localityName :PRINTABLE:‘Beijing‘
organizationName :PRINTABLE:‘gyyx‘
organizationalUnitName:PRINTABLE:‘gyyx‘
commonName :PRINTABLE:‘client1‘
name :PRINTABLE:‘gyyx‘
emailAddress :IA5STRING:‘[email protected]‘
Certificate is to becertified until Jan 7 06:53:12 2022 GMT(3650 days)
Sign the certificate?[y/n]:y
1 out of 1 certificaterequests certified, commit? [y/n]y
Write out database with 1new entries
Data Base Updated
如果要生成其他客户端,如法炮制,但名字不可重复
代码:
[root@node1 easy-rsa]#./build-key client2
[root@node1 easy-rsa]#./build-key client3
可以看到keys目录下生成的证书和keys,将ca.crt、dh1024.pem、server.crt、server.key复制到/etc/openvpn
[root@node1 easy-rsa]# ls keys/
01.pem 02.pem ca.crt ca.key client1.crt client1.csr client1.key dh1024.pem index.txt index.txt.attr index.txt.attr.old index.txt.old serial serial.old server.crt server.csr server.key
[root@node1 easy-rsa]# cd keys/
[root@node1 keys]# cp ca.crt dh1024.pem server.crt server.key/etc/openvpn/
[root@node1 keys]# cd ../..
[root@node1 openvpn]# ls
ca.crt dh1024.pem easy-rsa server.crt server.key
[root@node1 openvpn]# vi server.conf
server.conf 内容如下所示
代码:
local192.168.132.101
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
keyserver.key
dh dh1024.pem
server 10.8.0.0255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
log openvpn.log
log-append openvpn.log
status openvpn-status.log
verb 3
客户端的安装
1 Linux客户端的配置
客户端同样是RHEL5.3,安装方式同上面服务端的安装方法一样,只是配置文件和证书、key不一样而已,将node1的ca.crt client1.crt client1.key拷贝到node2的/etc/openvpn目录
下面是node2的操作:
[root@node2 openvpn]# cd
[root@node2 ~]# cd/etc/openvpn/
[root@node2 openvpn]# ls
ca.crt client1.crt client1.key client.conf
然后编辑配置文件:
[root@node2 openvpn]# viclient.conf
client
dev tun
proto udp
remote 192.168.132.1011194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
keepalive 10 120
2 Windows客户端的配置
Windows客户端需要到官网下载Windows版本,双击安装,允许安装TAP设备。配置方式是一样的,同样需要ca.crt client1.crt client1.key三个文件,然后拷贝到OpenVPN的安装目录下的config下即可,比如我的OpenVPN装在D盘的Program配置文件的写法和Linux客户端一样,只是名字改为client.ovpn即可,如下图所示:
安装测试
Server端测试
在node1启动VPN Server,并查看tun设备
代码:
[root@node1 openvpn]#openvpn --config /etc/openvpn/server.conf --daemon
[root@node1 openvpn]# ipa
……省略……
5: tun0:<POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen100
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope globaltun0
可以看到增加了一个tun0设备,且IP是10.8.0.1,说明VPN Server安装成功
Client端测试
Linux客户端
配置文件确认无误时,启动OpenVPN即可,启动方式和node1是一样的
[root@node2 openvpn]#openvpn --config /etc/openvpn/client.conf --daemon
[root@node2 openvpn]# ipa
……省略……
5: tun0:<POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen100
link/[65534]
inet 10.8.0.6 peer 10.8.0.5/32 scope globaltun0
可以看到tun0设备,node2自动获取了10.8.0.6的IP,说明拨号成功,可以ping Server 10.8.0.1测试,可以连通。
Windows客户端
双击OpenVPN图标,会在任务栏右侧出现一个红色小电脑,双击连接即可,如下图所示:
当小电脑变绿,说明拨号成功!此时我们也可以看到客户端自动获取的IP,如下图所示:
结论
到这里我们已经将服务端和客户端安装成功,因为是在虚拟机上测试,所以安装方法相对来说比较简单。实际应用中,我们可以通过客户端拨入公司VPN Server就可以通过VPN Server访问公司内部的局域网了。
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
