Linux OpenVPN Installation


Overview of the principle

The technical core of OpenVPN is the virtual network adapter; second to that is its implementation of the SSL protocol. This section focuses on the virtual adapter and how it works inside OpenVPN:

A virtual network adapter is a driver implemented with low-level network programming. Once installed, an extra network adapter appears on the host and can be configured like any other adapter. A service program can open the virtual adapter from user space: if an application (such as IE) sends data to the virtual adapter, the service program can read that data, and if the service program writes suitable data to the virtual adapter, the application receives it. Virtual adapters are available on many operating systems, which is a major reason OpenVPN is cross-platform.

In OpenVPN, when a user accesses a remote virtual address (one from the address range assigned to the virtual adapter, as opposed to a real address), the operating system routes the data packet (TUN mode) or data frame (TAP mode) to the virtual adapter. The service program receives that data, processes it, and sends it out over the external network through a socket; the remote service program receives it from the external network through a socket, processes it, and writes it to its own virtual adapter, where the application receives it. That completes one direction of the transfer; the reverse direction works the same way.
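As an added illustration of the TUN/TAP mechanism just described (example code written for this page, not part of OpenVPN), the following opens a virtual adapter with the Linux TUNSETIFF ioctl (needs root, so it is kept in its own function) and shows the difference between what a TUN device hands the service program (a bare IP packet) and what a TAP device hands it (an Ethernet frame that must be unwrapped first). The sample packet is constructed, and the function names are this example's own.

```python
import fcntl
import os
import struct

# Linux TUN/TAP constants from <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001    # layer 3: the service program reads/writes raw IP packets
IFF_TAP = 0x0002    # layer 2: the service program reads/writes Ethernet frames
IFF_NO_PI = 0x1000  # do not prepend the 4-byte packet-information header

def open_vnic(name="tun0", tap=False):
    """Create/open a virtual adapter. Needs root and the tun module (see `modinfo tun`)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), flags))
    return fd

def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[9], packet[ihl:]

def parse_from_vnic(data, tap=False):
    """What the service program sees: TAP delivers an Ethernet frame, TUN a bare IP packet."""
    if tap:
        if len(data) < 14:
            raise ValueError("short Ethernet frame")
        ethertype = struct.unpack("!H", data[12:14])[0]
        if ethertype != 0x0800:
            raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
        data = data[14:]   # strip dst MAC, src MAC, ethertype
    return parse_ipv4(data)

def read_one(fd, tap=False):
    """Read the next packet/frame the OS routed to the virtual adapter and parse it."""
    return parse_from_vnic(os.read(fd, 65535), tap)

# Constructed sample: 20-byte IPv4 header (TTL 64, protocol 1 = ICMP, 10.8.0.6 -> 10.8.0.1)
# followed by an 8-byte ICMP echo request; checksums are left zero for the demo.
SAMPLE_PACKET = bytes([0x45, 0, 0, 28, 0, 1, 0, 0, 64, 1, 0, 0,
                       10, 8, 0, 6, 10, 8, 0, 1]) + bytes([8, 0, 0, 0, 0, 1, 0, 1])
# The same packet as a TAP device would deliver it: Ethernet header in front.
SAMPLE_FRAME = bytes(12) + b"\x08\x00" + SAMPLE_PACKET
```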

Installation environment

This installation was carried out on local VMware virtual machines.

 

Name   OS         IP               Type
node1  RHEL5.3    192.168.132.101  server
node2  RHEL5.3    192.168.132.102  client
PC     Windows 7  192.168.132.1    client

 

Installation

The Linux kernel must support the tun device, and the iptables module needs to be loaded.

Before installing, check whether tun is present (it is installed by default on RHEL5.3):

Code:

[root@node1 ~]# modinfo tun
filename:       /lib/modules/2.6.18-128.el5/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <[email protected]>
description:    Universal TUN/TAP device driver
srcversion:     2900E7452AC08E0F4F0B7B8
depends:
vermagic:       2.6.18-128.el5 SMP mod_unload 686 REGPARM 4KSTACKS gcc-4.1
module_sig:     883f35049492fa531b497468cdd12cf11282cc09f73e2959263978972085b5f0e095465f98d5ed00a0a7fdda22567f18978160a3795fc70d2b73234


If OpenVPN is to use SSL connections, OpenSSL must be installed first

Code:

[root@node1 ~]# rpm -qa | grep ssl
openssl-0.9.8e-7.el5
[root@node1 ~]# yum install openssl-devel

The OpenVPN version installed in this walkthrough is 2.2.1; the latest release is now 2.2.2, which can be downloaded from http://openvpn.net.

Server installation

1. Log in to the server with SecureCRT, XShell or a similar tool and upload LZO and OpenVPN. LZO is used for data compression; if you do not want to install it, LZO can be disabled during the build.

Code:

[root@node1 ~]# ls
lzo-2.06.tar.gz  openvpn-2.2.1.tar.gz

2. Extract and install lzo

Code:

[root@node1 ~]# tar zxf lzo-2.06.tar.gz
[root@node1 ~]# cd lzo-2.06
[root@node1 lzo-2.06]# ./configure
[root@node1 lzo-2.06]# make && make install

3. Extract and install OpenVPN

Code:

[root@node1 ~]# tar zxf openvpn-2.2.1.tar.gz
[root@node1 ~]# cd openvpn-2.2.1
[root@node1 openvpn-2.2.1]# ./configure && make && make install

 

4. Generate the certificates and keys

If no errors were reported, the installation succeeded; the next step is to configure the OpenVPN server.

Initialize the PKI

Code:

[root@node1 openvpn-2.2.1]# mkdir /etc/openvpn
[root@node1 openvpn-2.2.1]# cp -r easy-rsa/2.0/ /etc/openvpn/easy-rsa
[root@node1 openvpn-2.2.1]# cd /etc/openvpn/easy-rsa/
[root@node1 easy-rsa]# vi vars

Change the bottom section to suit your needs; the part above it can normally be left alone. It looks like this:

export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="gyyx"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=[email protected]
export KEY_CN=gyyx
export KEY_NAME=gyyx
export KEY_OU=gyyx
export PKCS11_MODULE_PATH=gyyx
export PKCS11_PIN=1q2w3e4r

You can of course export the variables by hand instead; the advantage of vars is that you do not have to export them every time.

# Build the CA

Run the following commands and press Enter at each prompt

Code:

[root@node1 easy-rsa]# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@node1 easy-rsa]# ./clean-all    # only needed the first time certificates are generated
[root@node1 easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.............................................++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [gyyx]:
Organizational Unit Name (eg, section) [gyyx]:
Common Name (eg, your name or your server's hostname) [gyyx]:
Name [gyyx]:
Email Address [[email protected]]:

 

# Generate Diffie-Hellman parameters

Code:

[root@node1 easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............................................................+.........................................................................................................................................+..+.......+...............+......+.++*++*++*

 

# Build the server key

Again it is mostly just Enter, but the two confirmations at the end must be answered with y

Code:

[root@node1 easy-rsa]# ./build-key-server server
Generating a 1024 bit RSA private key
..........++++++
...............................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [gyyx]:
Organizational Unit Name (eg, section) [gyyx]:
Common Name (eg, your name or your server's hostname) [server]:
Name [gyyx]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'gyyx'
organizationalUnitName:PRINTABLE:'gyyx'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'gyyx'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan  7 06:51:48 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

# Generate the client key

The same as generating the server key above

Code:

[root@node1 easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
......................................................................++++++
...........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [gyyx]:
Organizational Unit Name (eg, section) [gyyx]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [gyyx]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-0.9.8.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'Beijing'
organizationName      :PRINTABLE:'gyyx'
organizationalUnitName:PRINTABLE:'gyyx'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'gyyx'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan  7 06:53:12 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

To generate additional clients, repeat the same steps, but the names must not be reused

Code:

[root@node1 easy-rsa]# ./build-key client2
[root@node1 easy-rsa]# ./build-key client3

 

The generated certificates and keys can be seen under the keys directory. Copy ca.crt, dh1024.pem, server.crt and server.key to /etc/openvpn

Code:

[root@node1 easy-rsa]# ls keys/
01.pem  02.pem  ca.crt  ca.key  client1.crt  client1.csr  client1.key  dh1024.pem  index.txt  index.txt.attr  index.txt.attr.old  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
[root@node1 easy-rsa]# cd keys/
[root@node1 keys]# cp ca.crt dh1024.pem server.crt server.key /etc/openvpn/
[root@node1 keys]# cd ../..
[root@node1 openvpn]# ls
ca.crt  dh1024.pem  easy-rsa  server.crt  server.key
[root@node1 openvpn]# vi server.conf

The contents of server.conf are as follows

Code:

local 192.168.132.101
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
log         openvpn.log
log-append  openvpn.log
status openvpn-status.log
verb 3

Client installation

1 Linux client configuration

The client is also RHEL5.3 and is installed exactly as the server above; only the configuration file, certificate and key differ. Copy ca.crt, client1.crt and client1.key from node1 into the /etc/openvpn directory on node2.

The following is done on node2:

Code:

[root@node2 openvpn]# cd
[root@node2 ~]# cd /etc/openvpn/
[root@node2 openvpn]# ls
ca.crt  client1.crt  client1.key  client.conf

Then edit the configuration file:

Code:

[root@node2 openvpn]# vi client.conf
client
dev tun
proto udp
remote 192.168.132.101 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
keepalive 10 120
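Mismatches between server.conf and client.conf are the usual reason a client fails to connect, so here is an added checker (written for this page, not part of OpenVPN) that parses inline copies of the two configuration files shown above and reports anything that would stop the client from connecting, plus the places where the server runs with more privilege than the client. The function names are this example's own.

```python
import shlex

# Inline copies of the server.conf and client.conf from this walkthrough.
SERVER_CONF = ("local 192.168.132.101\nport 1194\nproto udp\ndev tun\n"
               "ca ca.crt\ncert server.crt\nkey server.key\ndh dh1024.pem\n"
               "server 10.8.0.0 255.255.255.0\nkeepalive 10 120\ncomp-lzo\n"
               "persist-key\npersist-tun\nlog openvpn.log\nlog-append openvpn.log\n"
               "status openvpn-status.log\nverb 3\n")
CLIENT_CONF = ("client\ndev tun\nproto udp\nremote 192.168.132.101 1194\n"
               "resolv-retry infinite\nnobind\nuser nobody\ngroup nobody\n"
               "persist-key\npersist-tun\nca ca.crt\ncert client1.crt\n"
               "key client1.key\ncomp-lzo\nverb 3\nkeepalive 10 120\n")

def parse_conf(text):
    """Map each directive to its argument list; '#' and ';' start comments in OpenVPN configs."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            words = shlex.split(line)
            conf[words[0]] = words[1:]
    return conf

def check_pair(server_text, client_text):
    """Return (problems, notes): problems stop the client connecting, notes are hardening gaps."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems, notes = [], []
    if "server" not in s or "client" not in c:
        problems.append("roles: server.conf needs 'server', client.conf needs 'client'")
    for key in ("proto", "dev"):          # must agree, or the handshake never completes
        if s.get(key) != c.get(key):
            problems.append("%s differs: server '%s', client '%s'"
                            % (key, " ".join(s.get(key, [])), " ".join(c.get(key, []))))
    remote = c.get("remote", [])
    host = remote[0] if remote else None
    port = remote[1] if len(remote) > 1 else "1194"   # OpenVPN's default port
    if s.get("local") and host != s["local"][0]:
        problems.append("client remote %s but server listens on %s" % (host, s["local"][0]))
    if port != s.get("port", ["1194"])[0]:
        problems.append("client port %s but server port %s" % (port, s.get("port", ["1194"])[0]))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be set on both sides or on neither")
    for key in ("user", "group"):         # least privilege: the client drops to nobody, the server does not
        if key in c and key not in s:
            notes.append("server.conf has no '%s' directive; client.conf drops to %s" % (key, c[key][0]))
    return problems, notes
```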

 

2 Windows client configuration

The Windows client requires the Windows build from the official site; double-click to install and allow the TAP device to be installed. Configuration is the same: the same three files ca.crt, client1.crt and client1.key are needed, copied into the config directory under the OpenVPN installation directory (mine, for example, is installed under Program on drive D). The configuration file is written the same way as the Linux client's, just named client.ovpn instead, as shown in the figure below:

 

Installation test

Server-side test

Start the VPN server on node1 and check the tun device

Code:

[root@node1 openvpn]# openvpn --config /etc/openvpn/server.conf --daemon
[root@node1 openvpn]# ip a
...omitted...
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0

A tun0 device has been added with the IP 10.8.0.1, which shows the VPN server was installed successfully

Client-side test

Linux client

Once the configuration file is confirmed correct, just start OpenVPN; it is started the same way as on node1

Code:

[root@node2 openvpn]# openvpn --config /etc/openvpn/client.conf --daemon
[root@node2 openvpn]# ip a
...omitted...
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0

The tun0 device is present and node2 automatically obtained the IP 10.8.0.6, which shows the connection succeeded; pinging the server at 10.8.0.1 confirms it is reachable.
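Why node2 received 10.8.0.6 with peer 10.8.0.5: OpenVPN 2.x defaults to `topology net30`, which cuts the pool given by `server 10.8.0.0 255.255.255.0` into /30 blocks. The following added example (written for this page, not OpenVPN code; function names are its own) reproduces that allocation so the addresses seen in `ip a` or openvpn-status.log can be predicted and mapped back to a peer.

```python
import ipaddress

def net30_allocation(network, netmask, clients):
    """Reproduce OpenVPN 2.x 'topology net30' (the default in 2.2): the pool from
    'server <network> <netmask>' is cut into /30 blocks. The server takes the first
    block and uses its 1st host address (.1) with the 2nd (.2) as peer; the n-th
    client gets block n and uses the 3rd address with the 2nd as peer, which is why
    node2 shows 'inet 10.8.0.6 peer 10.8.0.5/32' above. Clients are numbered in the
    order they first connect unless ifconfig-pool-persist pins their addresses."""
    pool = ipaddress.ip_network("%s/%s" % (network, netmask))
    blocks = list(pool.subnets(new_prefix=30))
    alloc = {"server": (str(blocks[0][1]), str(blocks[0][2]))}
    for n, name in enumerate(clients, start=1):
        alloc[name] = (str(blocks[n][2]), str(blocks[n][1]))
    return alloc

def owner_of(ip, alloc):
    """Map an address seen in openvpn-status.log or 'ip a' back to the peer holding it."""
    for name, (local, peer) in alloc.items():
        if ip in (local, peer):
            return name
    return None

if __name__ == "__main__":
    # client1 and client2 are the certificates built earlier in this walkthrough
    for name, (local, peer) in net30_allocation("10.8.0.0", "255.255.255.0",
                                                ["client1", "client2"]).items():
        print("%-8s inet %s peer %s/32" % (name, local, peer))
```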

Windows client

Double-click the OpenVPN icon; a small red computer appears on the right side of the taskbar. Double-click it to connect, as shown in the figure below:

When the small computer turns green, the connection succeeded! The IP the client obtained automatically can also be seen, as shown in the figure below:


Conclusion

At this point the server and the client have both been installed successfully. Because this was tested on virtual machines, the installation was relatively simple. In real use, clients dial in to the company VPN server and can then reach the company's internal LAN through it.

 

