I. VPN basics
1. VPN application categories
* Remote-access VPN
A user dials in from a personal computer to the corporate office network
* Site-to-site VPN between internal networks
A VPN link between a branch-office LAN and the headquarters LAN
* VPN between an Internet company's IDC sites
Operations management and service traffic between different data centers
2. Common tunnel protocols
* PPTP, Point-to-Point Tunneling Protocol (obsolete: its MS-CHAPv2 authentication is broken, so it should not be used for new deployments)
* L2TP, Layer 2 Tunneling Protocol (carries no encryption of its own and is normally run over IPsec)
* IPsec, which is a protocol suite rather than a single protocol (IKE, AH, ESP)
* SSL VPN, of which OpenVPN is the typical implementation
3. OpenVPN overview
OpenVPN is a software package for building encrypted virtual private network tunnels.
* OpenVPN authentication methods
Pre-shared static key, X.509 certificates issued by a CA (the "third-party certificate" mode used in this page), and username/password (via an authentication plugin or script, normally in addition to certificates)
Notes on interconnecting IDC sites:
Environment:
IDC01:
OpenVPN server
Public IP: 10.0.1.10/24
LAN host behind it:
client IP: 192.168.1.2/24
IDC02
OpenVPN client
Public IP: 10.0.2.10/24
LAN host behind it:
IP: 192.168.2.2/24
IDC03
OpenVPN client
Public IP: 10.0.3.10/24
LAN host behind it:
IP: 192.168.3.2/24
1) Add the following to the OpenVPN server configuration
client-config-dir /usr/local/openvpn/ccd
# Push every site's LAN route to the VPN clients so that the other sites can reach each site's LAN
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
# On the VPN server, add kernel routes for the other sites' LANs (the subnets behind the VPN clients)
route 192.168.2.0 255.255.255.0 (LAN behind the IDC02 client)
route 192.168.3.0 255.255.255.0 (LAN behind the IDC03 client)
(192.168.1.0/24 is the server's own directly connected LAN; it needs no route entry here, a route for it would only duplicate the kernel's connected route.)
Then create the ccd directory under /usr/local/openvpn and, inside it, two files named IDC-2 and IDC-3 (each file name must equal the Common Name in that client's certificate) with the following contents
In IDC-2:
iroute 192.168.2.0 255.255.255.0
ifconfig-push 10.8.0.5 10.8.0.6
In IDC-3:
iroute 192.168.3.0 255.255.255.0
ifconfig-push 10.8.0.9 10.8.0.10
Meaning: the iroute tells the server which client owns each LAN. When the connecting client is IDC-2 or IDC-3, the server must not send that client's own LAN back down its tunnel; without the iroute the server has no way of knowing which tunnel a routed subnet lives behind, and the sites cannot communicate.
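The per-site ccd files above are easy to get subtly wrong: the ifconfig-push pair must be a valid net30 /30 pair, and every iroute needs a matching server-side route. The following helpers are an added example (not from the original page or from OpenVPN); the function names, the scratch directory and the 0640 file mode are assumptions for illustration, and the check generalises the page's two sites to any number of them.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the per-site
# client-config-dir files described above. Names (net30_pair_ok,
# write_site_ccd, ccd_routes_missing) are assumptions for illustration.

# Return 0 if CLIENT_IP and SERVER_IP form a valid net30 /30 pair, i.e.
# [1,2] [5,6] [9,10] ... inside the same /24: same first three octets, and
# the two last octets are 4n+1 and 4n+2 (in either order). 10.8.0.4/10.8.0.5
# fails because .4 is the /30's network address.
net30_pair_ok() {
    c=$1; s=$2
    [ "${c%.*}" = "${s%.*}" ] || return 1
    co=${c##*.}; so=${s##*.}
    lo=$(( co < so ? co : so )); hi=$(( co < so ? so : co ))
    [ $(( lo % 4 )) -eq 1 ] && [ $(( hi - lo )) -eq 1 ]
}

# Write one ccd file (named after the client's certificate CN): the site's
# LAN via iroute, so the server knows which tunnel owns it, plus a fixed
# tunnel address pair. The pair is validated first.
# usage: write_site_ccd CCD_DIR SITE_CN LAN_NET LAN_MASK CLIENT_IP SERVER_IP
write_site_ccd() {
    dir=$1; site=$2; net=$3; mask=$4; cip=$5; sip=$6
    net30_pair_ok "$cip" "$sip" || { echo "bad net30 pair $cip $sip for $site" >&2; return 1; }
    mkdir -p "$dir"
    printf 'iroute %s %s\nifconfig-push %s %s\n' "$net" "$mask" "$cip" "$sip" > "$dir/$site"
    chmod 0640 "$dir/$site"   # only the server process needs to read these
}

# Cross-check: every subnet declared with iroute in a ccd file must also
# have a server-side "route" line, otherwise the server kernel never hands
# traffic for that subnet to the tunnel. Prints each missing subnet and
# returns 1 if any is missing, 0 when the config is consistent.
# usage: ccd_routes_missing SERVER_CONF CCD_DIR
ccd_routes_missing() {
    conf=$1; dir=$2; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        while read -r kw net mask; do
            [ "$kw" = iroute ] || continue
            grep -q "^route $net $mask" "$conf" || { echo "$net $mask"; rc=1; }
        done < "$f"
    done
    return $rc
}
```

Run `write_site_ccd /usr/local/openvpn/ccd IDC-2 192.168.2.0 255.255.255.0 10.8.0.5 10.8.0.6` for each site, then `ccd_routes_missing /usr/local/openvpn/server.conf /usr/local/openvpn/ccd` before restarting the server; an empty result means every iroute has its server-side route.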
~~~
--client-config-dir /etc/openvpn/ccd/
This option names a directory of per-client configuration files. After a VPN user passes client authentication, OpenVPN looks in this directory for a file named after the client's certificate CN; in that file --ifconfig-push assigns the client a fixed IP address and --iroute declares a subnet that this client owns.
--push "route 192.168.1.0 255.255.255.0"
This directive pushes the subnet behind the VPN server to the VPN client; without it the client does not know how to reach that subnet.
--route 172.16.1.0 255.255.255.0
This directive adds a route on the VPN server; without it the VPN server does not know how to reach 172.16.1.0/24 (in this excerpt, the LAN behind the client).
--server 10.8.0.0 255.255.255.0
This directive defines the pool from which VPN clients are assigned addresses.
cat /etc/openvpn/ccd/client
(the original shows the file's contents as an image that is not reproduced here; the two directives it holds are explained next)
--iroute 172.16.1.0 255.255.255.0
Generates an internal route for a specific client, i.e. tells the server that this subnet lies behind this client.
--ifconfig-push 10.8.0.4 10.8.0.5
Assigns a fixed tunnel address to a specific client. It is optional unless you have many clients and need to tell them apart. Note that with the default net30 topology the two addresses must form one of the allowed /30 pairs ([1,2], [5,6], [9,10], ...): 10.8.0.5/10.8.0.6 as used above is valid, whereas 10.8.0.4/10.8.0.5 in this excerpt is not.
This concludes the server-side configuration.
~~~
Source of the excerpt above: http://blog.51cto.com/wzlinux/1678272
Part 2: Deploying OpenVPN on CentOS 7.3
Environment:
OpenVPN server:
Public interface: eth0 10.2.13.205/24
Internal interface: eth1 192.168.20.240/24 (the SNAT rule and ping tests later on this page use 192.168.20.140 for this interface; the commands below are what was actually run)
Version: openvpn-2.4.4
Internal servers:
node2:
Internal interface: eth1: 192.168.20.152/24
node3:
Internal interface: eth1: 192.168.20.153/24
VPN client:
Public interface:
eth0: 10.2.13.174/24
1) Steps on the server
* Install OpenVPN and its dependencies
[root@node6 ~]# yum -y install openssh-server openssl openssl-devel lzo lzo-devel pam-devel openvpn
Check what the openvpn package installed (the listing is abbreviated to the paths used below)
[root@node6 ~]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.4.4/sample/sample-config-files/client.conf
* Install easy-rsa 2.2.2
(The tarball below comes from a third-party mirror; compare it against the upstream easy-rsa release before trusting scripts that will generate your CA key.)
~~~
[root@node6 ~]# wget http://soft.51yuki.cn/EasyRSA-2.2.2.tgz
[root@node6 ~]# tar xf EasyRSA-2.2.2.tgz -C /etc/openvpn/
[root@node6 ~]# cd /etc/openvpn/
[root@node6 openvpn]# ll
total 4
drwxr-xr-x. 2 root root 23 Mar 14 11:13 auth
drwxr-x---. 2 root root 6 Sep 27 06:05 client
drwxrwxr-x. 2 501 games 4096 Nov 9 2013 EasyRSA-2.2.2
drwxr-x---. 2 root root 6 Sep 27 06:05 server
[root@node6 openvpn]# ln -s EasyRSA-2.2.2/ easyrsa
~~~
The easy-rsa 3 tree shipped in the distribution's easy-rsa package can also be copied in, but it is not used by the rest of this walkthrough, which runs the easy-rsa 2 scripts through the easyrsa symlink created above:
[root@node6 openvpn]# cp -r /usr/share/easy-rsa/3.0.3/ easy-rsa
[root@node6 openvpn]# ll
total 0
drwxr-xr-x. 2 root root 23 Mar 14 11:13 auth
drwxr-x---. 2 root root 6 Sep 27 06:05 client
drwxr-xr-x. 3 root root 62 Mar 14 11:30 easy-rsa
drwxr-x---. 2 root root 6 Sep 27 06:05 server
Configure vars
~~~
[root@node6 easyrsa]# cp vars{,.ori}
[root@node6 easyrsa]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="shanghai"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="xhh_198605@163.com"
export KEY_OU="ops"
(These can also be left at their defaults; they only fill in the default DN fields of the certificates)
[root@node6 easyrsa]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easyrsa/keys
[root@node6 easyrsa]# ./clean-all
(clean-all wipes the keys directory; run it only once, when starting a fresh CA, never on a CA that has already issued certificates)
[root@node6 easyrsa]# ll keys/
total 4
-rw-r--r--. 1 root root 0 Mar 14 11:52 index.txt
-rw-r--r--. 1 root root 3 Mar 14 11:52 serial
~~~
* Create a new CA
~~~
Accept the defaults; the values in brackets are the ones just configured in vars. Keep the resulting ca.key private: whoever holds it can issue certificates that this VPN will accept.
[root@node6 easyrsa]# ./build-ca
Generating a 2048 bit RSA private key
......+++
................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [SH]:SH
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [ops]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [xhh_198605@163.com]:
Check the result
[root@node6 easyrsa]# ll keys/
total 12
-rw-r--r--. 1 root root 1732 Mar 14 11:55 ca.crt
-rw-------. 1 root root 1704 Mar 14 11:55 ca.key
-rw-r--r--. 1 root root 0 Mar 14 11:52 index.txt
-rw-r--r--. 1 root root 3 Mar 14 11:52 serial
Next generate the Diffie-Hellman parameters (this takes a while)
[root@node6 easyrsa]# ./build-dh
[root@node6 easyrsa]# ll keys/
total 16
-rw-r--r--. 1 root root 1732 Mar 14 11:55 ca.crt
-rw-------. 1 root root 1704 Mar 14 11:55 ca.key
-rw-r--r--. 1 root root 424 Mar 14 11:58 dh2048.pem
-rw-r--r--. 1 root root 0 Mar 14 11:52 index.txt
-rw-r--r--. 1 root root 3 Mar 14 11:52 serial
(a new file, dh2048.pem, has appeared)
~~~
* Generate the server certificate (build-key-server signs it with the server extensions, which is what the client's remote-cert-tls server check later relies on)
~~~
[root@node6 easyrsa]# ./build-key-server server
Generating a 2048 bit RSA private key
......................+++
.............................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [ops]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [xhh_198605@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easyrsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'shanghai'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'ops'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'xhh_198605@163.com'
Certificate is to be certified until Mar 11 06:56:18 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Then check
[root@node6 easyrsa]# ll keys/
total 48
-rw-r--r--. 1 root root 5478 Mar 14 14:56 01.pem
-rw-r--r--. 1 root root 1732 Mar 14 14:55 ca.crt
-rw-------. 1 root root 1704 Mar 14 14:55 ca.key
-rw-r--r--. 1 root root 128 Mar 14 14:56 index.txt
-rw-r--r--. 1 root root 21 Mar 14 14:56 index.txt.attr
-rw-r--r--. 1 root root 0 Mar 14 14:54 index.txt.old
-rw-r--r--. 1 root root 3 Mar 14 14:56 serial
-rw-r--r--. 1 root root 3 Mar 14 14:54 serial.old
-rw-r--r--. 1 root root 5478 Mar 14 14:56 server.crt
-rw-r--r--. 1 root root 1070 Mar 14 14:56 server.csr
-rw-------. 1 root root 1704 Mar 14 14:56 server.key
~~~
* Generate a client certificate; generate one per client, each with its own CN (the DN prompts are the same as for the server and are omitted here; use ./build-key-pass instead if the client key should be protected by a passphrase)
~~~
[root@node6 easyrsa]# ./build-key yuki
Certificate is to be certified until Mar 11 07:30:26 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
~~~
* Copy the files the server uses to /etc/openvpn/server
(ca.key is copied here as well, but the server only needs ca.crt. The CA private key signs every client certificate and should not live on the Internet-facing VPN host; keep it in the easy-rsa keys directory, or offline, with mode 0600.)
~~~
[root@node6 server]# cp ../EasyRSA-2.2.2/keys/{ca.crt,ca.key,dh2048.pem,server.crt,server.key} .
[root@node6 server]# ll
total 24
-rw-r--r--. 1 root root 1651 Mar 15 15:57 ca.crt
-rw-------. 1 root root 1704 Mar 15 15:57 ca.key
-rw-r--r--. 1 root root 424 Mar 15 15:57 dh2048.pem
-rw-r--r--. 1 root root 5358 Mar 15 15:57 server.crt
-rw-------. 1 root root 1704 Mar 15 15:57 server.key
[root@node6 server]# openvpn --genkey --secret ta.key
[root@node6 server]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf .
[root@node6 server]# cat server.conf
local 10.2.13.205                 # listen only on the public interface
port 52117
proto tcp                         # UDP is the usual choice; TCP was used here
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0     # client address pool (net30 topology by default)
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"   # give clients a route to the internal LAN
client-to-client                  # let VPN clients reach each other
duplicate-cn                      # lets several clients share one certificate; removes per-client accountability, drop it when each client has its own cert
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo                          # compression leaks plaintext length; leave it off in new deployments
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn
verb 3
~~~
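Before putting a server.conf like the one above into service, it is worth checking it mechanically for the settings a reviewer would flag. The script below is an added example, not part of the original page or of OpenVPN: it audits a server.conf for compression, shared certificates, a missing privilege drop, a missing control-channel key, a missing TLS floor, a missing cipher and a CA private key stored next to the config, and writes a hardened variant of the page's configuration. The function names, the scratch directory and the `auth SHA256` / `status` path choices are assumptions; the directives checked are standard OpenVPN 2.4 options.

```shell
#!/bin/sh
# Added example, not from the original page or from OpenVPN: audit a
# server.conf for weak settings and show a hardened variant of the page's
# configuration. Function names and paths are assumptions for illustration.

# Print one line per finding and return the number of findings (0 = clean).
# usage: audit_server_conf /etc/openvpn/server/server.conf
audit_server_conf() {
    conf=$1; dir=$(dirname "$conf"); n=0
    grep -q '^comp-lzo' "$conf" \
        && { echo "comp-lzo: compression exposes plaintext length (VORACLE-style attacks)"; n=$((n+1)); }
    grep -q '^duplicate-cn' "$conf" \
        && { echo "duplicate-cn: clients may share a certificate; no per-client accountability or ccd"; n=$((n+1)); }
    grep -q '^user ' "$conf" \
        || { echo "no 'user': the daemon keeps root after startup"; n=$((n+1)); }
    grep -q '^group ' "$conf" \
        || { echo "no 'group': the daemon keeps the root group after startup"; n=$((n+1)); }
    grep -Eq '^(tls-auth|tls-crypt) ' "$conf" \
        || { echo "no tls-auth/tls-crypt: control channel is unauthenticated before the TLS handshake"; n=$((n+1)); }
    grep -q '^tls-version-min' "$conf" \
        || { echo "no tls-version-min: TLS 1.0 is still negotiable"; n=$((n+1)); }
    grep -q '^cipher ' "$conf" \
        || { echo "no cipher: BF-CBC default for clients that do not negotiate"; n=$((n+1)); }
    [ -e "$dir/ca.key" ] \
        && { echo "ca.key next to the server config: the CA private key belongs off the VPN host"; n=$((n+1)); }
    return $n
}

# The page's server.conf, reproduced as a constructed input for the audit.
write_page_conf() {
    cat > "$1" <<'EOF'
local 10.2.13.205
port 52117
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn
verb 3
EOF
}

# Hardened variant: same addressing, no compression, one cert per client,
# tls-crypt (clients then use "tls-crypt ta.key" with no direction), TLS 1.2
# floor, AEAD cipher, and a privilege drop; the status file moves to a path
# the unprivileged daemon can still write after dropping root.
write_hardened_conf() {
    cat > "$1" <<'EOF'
local 10.2.13.205
port 52117
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-crypt ta.key
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn
verb 3
EOF
}
```

Run `audit_server_conf /etc/openvpn/server/server.conf` on the page's config and it reports six findings (with ca.key present in that directory); the hardened variant reports none. The client side must change in step: `tls-crypt ta.key` in place of `tls-auth ta.key 1`, `cipher AES-256-GCM`, `auth SHA256`, and no `comp-lzo`.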
* Write the OpenVPN client configuration (prepared on the server and copied out later; each client gets its own certificate and key, while ta.key is shared by server and clients)
~~~
[root@node6 openvpn]# cd client/
[root@node6 client]# ll
total 0
[root@node6 client]# cp ../EasyRSA-2.2.2/keys/{ca.crt,yuki.crt,yuki.key} .
[root@node6 client]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/client.conf .
[root@node6 client]# cp ../server/ta.key .
[root@node6 client]# ll
total 24
-rw-r--r--. 1 root root 1651 Mar 15 16:01 ca.crt
-rw-r--r--. 1 root root 3585 Mar 15 16:01 client.conf
-rw-------. 1 root root 636 Mar 15 16:01 ta.key
-rw-r--r--. 1 root root 5234 Mar 15 16:01 yuki.crt
-rw-------. 1 root root 1704 Mar 15 16:01 yuki.key
[root@node6 client]# mv client.conf yuki.conf
[root@node6 client]# vim yuki.conf
[root@localhost client]# cat yuki.conf
client
dev tun
proto tcp
remote 10.2.13.205 52117
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert yuki.crt
key yuki.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
~~~
* Configure the firewall on the OpenVPN server and start the service
~~~
[root@node6 client]# vim /etc/sysctl.conf        (add the line net.ipv4.ip_forward = 1)
[root@node6 client]# sysctl -p
net.ipv4.ip_forward = 1
[root@node6 client]# systemctl stop firewalld
[root@node6 client]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@node6 ~]# yum -y install iptables-services
Allow inbound connections on port 52117 (the server runs with proto tcp, so the udp rule is not needed)
[root@node6 ~]# iptables -I INPUT -p tcp --dport 52117 -j ACCEPT
[root@node6 ~]# iptables -I INPUT -p udp --dport 52117 -j ACCEPT
[root@node6 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@node6 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
(service iptables save writes the rules currently loaded, which at this point, with firewalld stopped, are just the two ACCEPT rules with every chain policy at ACCEPT. The FORWARD chain is therefore wide open; that is why the forwarding tests below work without any FORWARD rule, and also why the server will forward anything between its interfaces.)
Start the service
[root@node6 system]# systemctl start openvpn-server@server
[root@node6 system]# ss -tunlp|grep 52117
tcp LISTEN 0 1 10.2.13.205:52117 *:* users:(("openvpn",pid=2609,fd=6))
(The name after @ is the name of your .conf file under /etc/openvpn/server; here it is server.conf, hence @server)
~~~
2) Configure the client
macOS: Tunnelblick
iOS: OpenVPN Connect
Android: OpenVPN Connect
Windows: OpenVPN GUI
Linux: the openvpn package
The Linux client is shown below
~~~
1) Copy the files from /etc/openvpn/client on the server to the same directory on the VPN client (this carries yuki.key and ta.key; scp preserves their 0600 mode, and a per-client key should go only to the client it was issued for)
[root@node6 client]# scp * root@10.2.13.174:/etc/openvpn/client
2) Install openvpn (the client here is a Fedora 27 host)
[root@localhost ~]# cat /etc/redhat-release
Fedora release 27 (Twenty Seven)
[root@localhost ~]# yum -y install openvpn
[root@localhost ~]# cd /etc/openvpn/client/
[root@localhost client]# ll
total 24
-rw-r--r--. 1 root root 1651 Mar 15 16:15 ca.crt
-rw-------. 1 root root 636 Mar 15 16:15 ta.key
-rw-r--r--. 1 root root 3545 Mar 15 16:15 yuki.conf
-rw-r--r--. 1 root root 5234 Mar 15 16:15 yuki.crt
-rw-------. 1 root root 1704 Mar 15 16:15 yuki.key
3) Start the client (the name after @ is the client .conf file, yuki.conf here)
[root@localhost client]# systemctl start openvpn-client@yuki
[root@localhost client]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::3f34:8cdd:5c0c:bf8e prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1 bytes 48 (48.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
4) Ping tests
[root@localhost ~]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::62:8133:502:78c7 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 8 bytes 672 (672.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15 bytes 1044 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.840 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.798 ms
^C
--- 10.8.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.798/0.819/0.840/0.021 ms
[root@localhost ~]# ping 192.168.20.140
PING 192.168.20.140 (192.168.20.140) 56(84) bytes of data.
64 bytes from 192.168.20.140: icmp_seq=1 ttl=64 time=0.747 ms
^C
--- 192.168.20.140 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.747/0.747/0.747/0.000 ms
[root@localhost ~]# ping 192.168.20.152
PING 192.168.20.152 (192.168.20.152) 56(84) bytes of data.
^C
--- 192.168.20.152 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1021ms
[root@localhost ~]# ping 192.168.20.153
PING 192.168.20.153 (192.168.20.153) 56(84) bytes of data.
^C
--- 192.168.20.153 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2035ms
Pinging the internal hosts node2 and node3 fails. The VPN server's own LAN address (192.168.20.140) answers because the server has a route back to 10.8.0.0/24 through tun0, but node2 and node3 have no such route: their replies go to their default gateway and never return through the VPN server. There are two fixes. Either add a return route on the internal hosts or on their gateway (ip route add 10.8.0.0/24 via 192.168.20.140), which keeps the real VPN client address visible to the internal hosts, or SNAT the VPN traffic on the OpenVPN server so that internal hosts see it coming from the server's LAN address. The usual quick fix is SNAT, at the cost that internal hosts' logs no longer show which VPN client made a connection:
Configure SNAT on the OpenVPN server
[root@node6 server]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 192.168.20.140
[root@node6 server]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@node6 server]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
Test again: the internal hosts are now reachable (note the ttl of 63 instead of 64, one hop through the VPN server)
[root@localhost ~]# ping 192.168.20.151
PING 192.168.20.151 (192.168.20.151) 56(84) bytes of data.
64 bytes from 192.168.20.151: icmp_seq=1 ttl=63 time=1.95 ms
^C
--- 192.168.20.151 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.950/1.950/1.950/0.000 ms
[root@localhost ~]# ping 192.168.20.152
PING 192.168.20.152 (192.168.20.152) 56(84) bytes of data.
64 bytes from 192.168.20.152: icmp_seq=1 ttl=63 time=1.29 ms
^C
--- 192.168.20.152 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.290/1.290/1.290/0.000 ms
[root@localhost ~]# ip route
default via 10.2.13.1 dev ens33 proto static metric 100
10.2.13.0/24 dev ens33 proto kernel scope link src 10.2.13.174 metric 100
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.20.0/24 via 10.8.0.5 dev tun0
~~~
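The walkthrough ends with the FORWARD chain at policy ACCEPT and an SNAT rule that rewrites everything from 10.8.0.0/24 leaving eth1, so a VPN client can reach anything the server can route to. The function below is an added example, not from the original page: it emits an iptables-restore ruleset that drops by default, admits only the OpenVPN port and replies on the public interface, forwards only new connections from the VPN pool to the internal LAN, and limits the SNAT to that path. The interface names, pool, LAN, port and protocol are the page's values; the function name, the SSH rule and the admin network argument are assumptions. Nothing is applied to the kernel: review the output, then load it with `iptables-restore < file` or save it as /etc/sysconfig/iptables for iptables-services.

```shell
#!/bin/sh
# Added example (not from the original page): emit a least-privilege
# iptables-restore ruleset for the OpenVPN server. Function name, SSH rule
# and the admin network are assumptions; nothing here touches the kernel.
# usage: vpn_ruleset WAN_IF LAN_IF TUN_IF VPN_POOL LAN_NET LAN_IP PORT PROTO ADMIN_NET
vpn_ruleset() {
    wan_if=$1; lan_if=$2; tun_if=$3; vpn_pool=$4; lan_net=$5
    lan_ip=$6; port=$7; proto=$8; admin_net=$9
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan_if -s $admin_net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $wan_if -p $proto --dport $port -j ACCEPT
-A INPUT -i $tun_if -s $vpn_pool -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $tun_if -o $lan_if -s $vpn_pool -d $lan_net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $vpn_pool -d $lan_net -o $lan_if -j SNAT --to-source $lan_ip
COMMIT
EOF
}
```

For the page's environment the call is `vpn_ruleset eth0 eth1 tun0 10.8.0.0/24 192.168.20.0/24 192.168.20.140 52117 tcp 10.2.13.0/24`. Client-to-client traffic is unaffected because `client-to-client` routes it inside the OpenVPN process, not through the kernel FORWARD chain. If you choose the return-route fix instead of SNAT, drop the `*nat` section and keep the FORWARD rules as they are.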