Part 1: VPN basics
1. VPN application categories
* Remote-access VPN service: a personal computer dials in remotely to the corporate office network
* VPN between corporate internal networks: a VPN connection between a branch-office LAN and the headquarters LAN
* VPN between an Internet company's multiple IDC sites: business management and service access between the different data centers
2. Common tunneling protocols
* PPTP: Point-to-Point Tunneling Protocol
* L2TP: Layer 2 Tunneling Protocol
* IPsec: actually a suite of protocols (IKE, AH, ESP) rather than a single protocol
* SSL VPN: OpenVPN is the typical implementation
3. Introduction to OpenVPN
OpenVPN is a software package for creating encrypted virtual private network tunnels.
* OpenVPN supports several authentication methods: pre-shared keys, third-party certificates, and username/password
Notes on interconnecting IDC sites:
Environment:
IDC01:
openvpn server
public IP: 10.0.1.10/24
internal client:
client ip: 192.168.1.2/24
IDC02:
openvpn client
public IP: 10.0.2.10/24
internal client:
IP: 192.168.2.2/24
IDC03:
openvpn client
public IP: 10.0.3.10/24
internal client:
IP: 192.168.3.2/24
1) Add the following extra lines on the OpenVPN server:
~~~
client-config-dir /usr/local/openvpn/ccd
# push the internal routes to the VPN clients so that the other sites can reach each site's LAN
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
# add the other sites' internal routes on the VPN server
route 192.168.1.0 255.255.255.0   # LAN subnet of a VPN client
route 192.168.3.0 255.255.255.0   # LAN subnet of a VPN client
route 192.168.2.0 255.255.255.0   # LAN subnet of a VPN client
~~~
Then create the ccd directory under /usr/local/openvpn and create two files in it, IDC-2 and IDC-3, with the following contents.
In the IDC-2 file add:
~~~
iroute 192.168.2.0 255.255.255.0
ifconfig-push 10.8.0.5 10.8.0.6
~~~
In the IDC-3 file add:
~~~
iroute 192.168.3.0 255.255.255.0
ifconfig-push 10.8.0.9 10.8.0.10
~~~
Meaning: when the connecting client is IDC-2 or IDC-3, do not also add a route for that client's own LAN subnet, otherwise the client will be unable to communicate.
~~~
--client-config-dir /etc/openvpn/ccd/
This option names a directory that holds per-client configuration files. After a VPN user passes client authentication, OpenVPN looks in this directory; the files there can use --ifconfig-push to assign a fixed client IP address and --iroute to declare a subnet that the client owns.
--push "route 192.168.1.0 255.255.255.0"
This directive pushes the subnet behind the VPN server to the VPN client; otherwise the client does not know how to reach that subnet.
--route 172.16.1.0 255.255.255.0
This directive adds a route on the VPN server; otherwise the server does not know how to reach the 172.16.1.0 network.
--server 10.8.0.0 255.255.255.0
This directive assigns IP addresses to VPN clients.
cat /etc/openvpn/ccd/client
--iroute 172.16.1.0 255.255.255.0
Generates an internal route for a specific client.
--ifconfig-push 10.8.0.4 10.8.0.5
This directive assigns a fixed IP to a specific client; it can be omitted unless you have many clients and need to tell them apart.
This concludes the server-side configuration.
~~~
Example: http://blog.51cto.com/wzlinux/1678272
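As an added example (not from the original post or the linked case), the following Python script renders the hub-and-spoke server.conf lines and ccd files described above from a table of sites, and checks the topology for the mistakes that break it: overlapping LANs, and ifconfig-push pairs that are not a valid net30 /30 inside the tunnel pool. The site names, subnets and pool are the page's; the function names are assumptions of this example.

```python
import ipaddress

# Constructed from the page's three-IDC example: spoke name -> (its LAN, its ifconfig-push pair).
SITES = {
    "IDC-2": ("192.168.2.0/24", ("10.8.0.5", "10.8.0.6")),
    "IDC-3": ("192.168.3.0/24", ("10.8.0.9", "10.8.0.10")),
}
SERVER_LAN = "192.168.1.0/24"   # IDC01's LAN, behind the OpenVPN server
POOL = "10.8.0.0/24"            # tunnel pool handed out by the 'server' directive

def masked(cidr):
    """'192.168.2.0/24' -> '192.168.2.0 255.255.255.0' (the notation OpenVPN directives use)."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"

def render(server_lan, sites, pool, ccd_dir="/usr/local/openvpn/ccd"):
    """Return (server.conf lines, {ccd file name: lines}) for a hub-and-spoke layout."""
    server = [f"server {masked(pool)}", f"client-config-dir {ccd_dir}",
              f'push "route {masked(server_lan)}"']
    ccd = {}
    for name, (lan, (local, remote)) in sites.items():
        server.append(f"route {masked(lan)}")         # kernel route on the hub into the tunnel
        server.append(f'push "route {masked(lan)}"')  # the other spokes learn the path to it
        # iroute binds the LAN to this client inside OpenVPN; the kernel route alone
        # does not tell the daemon which tunnel peer owns the subnet.
        ccd[name] = [f"iroute {masked(lan)}", f"ifconfig-push {local} {remote}"]
    return server, ccd

def validate(server_lan, sites, pool):
    """Return misconfiguration findings; an empty list means the topology is consistent."""
    findings, pool_net, used = [], ipaddress.ip_network(pool), {}
    lans = {n: ipaddress.ip_network(lan) for n, (lan, _) in sites.items()}
    lans["hub"] = ipaddress.ip_network(server_lan)
    names = list(lans)
    for i, a in enumerate(names):          # overlapping LANs make iroute/push ambiguous
        for b in names[i + 1:]:
            if lans[a].overlaps(lans[b]):
                findings.append(f"{a} and {b}: LANs {lans[a]} and {lans[b]} overlap")
    for name, (_, (local, remote)) in sites.items():
        lo, hi = sorted(map(ipaddress.ip_address, (local, remote)))
        # net30 topology: the pair must be the two usable hosts of one /30 inside the pool
        block = ipaddress.ip_network(f"{lo}/30", strict=False)
        if not (block.subnet_of(pool_net) and list(block.hosts()) == [lo, hi]):
            findings.append(f"{name}: ifconfig-push {local} {remote} is not a /30 pair in {pool}")
        elif block in used:
            findings.append(f"{name}: /30 {block} already assigned to {used[block]}")
        used[block] = name
    return findings
```

Running `render(SERVER_LAN, SITES, POOL)` reproduces the push/route/iroute/ifconfig-push lines shown above; `validate` on the same input returns no findings.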
Part 2: Deploying OpenVPN on CentOS 7.3
Environment:
openvpn server:
public interface: eth0 10.2.13.205/24
internal interface: eth1 192.168.20.240/24
version: openvpn-2.4.4
internal servers:
node2:
internal interface: eth1: 192.168.20.152/24
node3:
internal interface: eth1: 192.168.20.153/24
vpn client:
public interface:
eth0: 10.2.13.174/24
1) Operations on the server
* Install OpenVPN and the related dependency packages
~~~
[root@node6 ~]# yum -y install openssh-server openssl openssl-devel lzo lzo-devel pam-devel openvpn
~~~
Check what the openvpn package installed:
~~~
[root@node6 ~]# rpm -ql openvpn
/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/systemd/system/openvpn@.service
/usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf
/usr/share/doc/openvpn-2.4.4/sample/sample-config-files/client.conf
~~~
* Install easy-rsa 2.2.2
~~~
[root@node6 ~]# wget http://soft.51yuki.cn/EasyRSA-2.2.2.tgz
[root@node6 ~]# tar xf EasyRSA-2.2.2.tgz -C /etc/open
openldap/ openvpn/
[root@node6 ~]# tar xf EasyRSA-2.2.2.tgz -C /etc/openvpn/
[root@node6 ~]# cd /etc/openvpn/
[root@node6 openvpn]# ll
total 4
drwxr-xr-x. 2 root root 23 Mar 14 11:13 auth
drwxr-x---. 2 root root 6 Sep 27 06:05 client
drwxrwxr-x. 2 501 games 4096 Nov 9 2013 EasyRSA-2.2.2
drwxr-x---. 2 root root 6 Sep 27 06:05 server
[root@node6 openvpn]# ln -s EasyRSA-2.2.2/ easyrsa
~~~
~~~
[root@node6 openvpn]# cp -r /usr/share/easy-rsa/3.0.3/ easy-rsa
[root@node6 openvpn]# ll
total 0
drwxr-xr-x. 2 root root 23 Mar 14 11:13 auth
drwxr-x---. 2 root root 6 Sep 27 06:05 client
drwxr-xr-x. 3 root root 62 Mar 14 11:30 easy-rsa
drwxr-x---. 2 root root 6 Sep 27 06:05 server
~~~
Configure vars
~~~
[root@node6 easyrsa]# cp vars{,.ori}
[root@node6 easyrsa]# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="shanghai"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="xhh_198605@163.com"
export KEY_OU="ops"
(The values above can also be left unchanged; the defaults are fine.)
[root@node6 easyrsa]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easyrsa/keys
[root@node6 easyrsa]# ./clean-all
[root@node6 easyrsa]# ll keys/
total 4
-rw-r--r--. 1 root root 0 Mar 14 11:52 index.txt
-rw-r--r--. 1 root root 3 Mar 14 11:52 serial
~~~
* Create a new CA
~~~
Accept the defaults; the values offered here are the parameters just set in vars.
[root@node6 easyrsa]# ./build-ca
Generating a 2048 bit RSA private key
......+++
................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) [SH]:SH
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [ops]:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Name [EasyRSA]:
Email Address [xhh_198605@163.com]:
Check:
[root@node6 easyrsa]# ll keys/
total 12
-rw-r--r--. 1 root root 1732 Mar 14 11:55 ca.crt
-rw-------. 1 root root 1704 Mar 14 11:55 ca.key
-rw-r--r--. 1 root root 0 Mar 14 11:52 index.txt
-rw-r--r--. 1 root root 3 Mar 14 11:52 serial
Then run:
[root@node6 easyrsa]# ./build-dh
[root@node6 easyrsa]# ll keys/
total 16
-rw-r--r--. 1 root root 1732 Mar 14 11:55 ca.crt
-rw-------. 1 root root 1704 Mar 14 11:55 ca.key
-rw-r--r--. 1 root root 424 Mar 14 11:58 dh2048.pem
-rw-r--r--. 1 root root 0 Mar 14 11:52 index.txt
-rw-r--r--. 1 root root 3 Mar 14 11:52 serial
(A dh2048.pem file has appeared.)
~~~
* Generate the server certificate
~~~
[root@node6 easyrsa]# ./build-key-server server
Generating a 2048 bit RSA private key
......................+++
.............................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [shanghai]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [ops]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [xhh_198605@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easyrsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'shanghai'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'ops'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'xhh_198605@163.com'
Certificate is to be certified until Mar 11 06:56:18 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Then check:
[root@node6 easyrsa]# ll keys/
total 48
-rw-r--r--. 1 root root 5478 Mar 14 14:56 01.pem
-rw-r--r--. 1 root root 1732 Mar 14 14:55 ca.crt
-rw-------. 1 root root 1704 Mar 14 14:55 ca.key
-rw-r--r--. 1 root root 128 Mar 14 14:56 index.txt
-rw-r--r--. 1 root root 21 Mar 14 14:56 index.txt.attr
-rw-r--r--. 1 root root 0 Mar 14 14:54 index.txt.old
-rw-r--r--. 1 root root 3 Mar 14 14:56 serial
-rw-r--r--. 1 root root 3 Mar 14 14:54 serial.old
-rw-r--r--. 1 root root 5478 Mar 14 14:56 server.crt
-rw-r--r--. 1 root root 1070 Mar 14 14:56 server.csr
-rw-------. 1 root root 1704 Mar 14 14:56 server.key
~~~
* Generate client certificates, one for each client
~~~
[root@node6 easyrsa]# ./build-key yuki
Certificate is to be certified until Mar 11 07:30:26 2028 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
~~~
* Copy the keys used by the server to /etc/openvpn/server
~~~
[root@node6 server]# cp ../EasyRSA-2.2.2/keys/{ca.crt,ca.key,dh2048.pem,server.crt,server.key} .
[root@node6 server]# ll
total 24
-rw-r--r--. 1 root root 1651 Mar 15 15:57 ca.crt
-rw-------. 1 root root 1704 Mar 15 15:57 ca.key
-rw-r--r--. 1 root root 424 Mar 15 15:57 dh2048.pem
-rw-r--r--. 1 root root 5358 Mar 15 15:57 server.crt
-rw-------. 1 root root 1704 Mar 15 15:57 server.key
[root@node6 server]# openvpn --genkey --secret ta.key
[root@node6 ~]#cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/server
[root@node6 server]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf .
[root@node6 server]# cat server.conf
local 10.2.13.205
port 52117
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.20.0 255.255.255.0"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn
verb 3
~~~
* Write the OpenVPN client configuration
~~~
[root@node6 openvpn]# cd client/
[root@node6 client]# ll
total 0
[root@node6 client]# cp ../EasyRSA-2.2.2/keys/{ca.crt,yuki.crt,yuki.key} .
[root@node6 client]# cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/client.conf .
[root@node6 client]# cp ../server/ta.key .
[root@node6 client]# ll
total 24
-rw-r--r--. 1 root root 1651 Mar 15 16:01 ca.crt
-rw-r--r--. 1 root root 3585 Mar 15 16:01 client.conf
-rw-------. 1 root root 636 Mar 15 16:01 ta.key
-rw-r--r--. 1 root root 5234 Mar 15 16:01 yuki.crt
-rw-------. 1 root root 1704 Mar 15 16:01 yuki.key
[root@node6 client]# mv client.conf yuki.conf
[root@node6 client]# vim yuki.conf
[root@localhost client]# cat yuki.conf
client
dev tun
proto tcp
remote 10.2.13.205 52117
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert yuki.crt
key yuki.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
~~~
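An added example, not part of the original post: a small Python checker that parses the two configs above (reduced to the directives it needs) and reports the mismatches that make a client silently fail to connect, plus the directives that weaken the setup. The function names and finding strings are this example's own.

```python
# Constructed copies of the page's server.conf and yuki.conf (only the directives the checks need).
SERVER_CONF = """\
port 52117
proto tcp
dev tun
duplicate-cn
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
"""
CLIENT_CONF = """\
dev tun
proto tcp
remote 10.2.13.205 52117
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
"""

def parse(text):
    """Map each directive to its argument list; '#' comments are dropped as OpenVPN does."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def check_pair(server_text, client_text):
    """Return findings where the client config will not interoperate with (or weakens) the server."""
    s, c, f = parse(server_text), parse(client_text), []
    for k in ("proto", "dev", "cipher"):          # both ends must agree on these
        if s.get(k) != c.get(k):
            f.append(f"{k}: server {s.get(k)} vs client {c.get(k)}")
    if c.get("remote", [None, None])[1:2] != s.get("port"):
        f.append(f"remote port {c.get('remote')} does not match server port {s.get('port')}")
    # tls-auth: the second argument is the key direction and must be 0 on one side, 1 on the other
    sd, cd = s.get("tls-auth", [None, None])[1:2], c.get("tls-auth", [None, None])[1:2]
    if not (sd and cd) or {sd[0], cd[0]} != {"0", "1"}:
        f.append(f"tls-auth key direction must be complementary, got server {sd} client {cd}")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        f.append("comp-lzo enabled on only one side")
    if "remote-cert-tls" not in c:
        f.append("client lacks 'remote-cert-tls server': any CA-signed client cert could pose as the server")
    if "duplicate-cn" in s:
        f.append("duplicate-cn lets one certificate be shared by many clients; revoking it cuts all of them off")
    return f
```

On the page's own pair the only finding is the duplicate-cn warning; flipping the client's tls-auth direction to 0 or its proto to udp produces the corresponding mismatch findings.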
* Configure the firewall on the OpenVPN server and start the OpenVPN service
~~~
[root@node6 client]# vim /etc/sysctl.conf
[root@node6 client]# sysctl -p
net.ipv4.ip_forward = 1
[root@node6 client]# systemctl stop firewalld
[root@node6 client]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@node6 ~]# yum -y install iptables-services
Allow port 52117 through the firewall
[root@node6 ~]# iptables -I INPUT -p tcp --dport 52117 -j ACCEPT
[root@node6 ~]# iptables -I INPUT -p udp --dport 52117 -j ACCEPT
[root@node6 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@node6 ~]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
Start the service
[root@node6 system]# systemctl start openvpn-server@server
[root@node6 system]# ss -tunlp|grep 52117
tcp LISTEN 0 1 10.2.13.205:52117 *:* users:(("openvpn",pid=2609,fd=6))
(Note the @server above: it is the name of your .conf file. Mine is server.conf, so I write @server here.)
~~~
2) Configuring the client
macOS: Tunnelblick
iOS: OpenVPN Connect
Android: OpenVPN Connect
Windows: OpenVPN GUI
Linux: the openvpn package
Below, a Linux system is used as the example.
~~~
1) Copy the files under /etc/openvpn/client on the server to the designated directory on the VPN client
[root@node6 client]# scp * root@10.2.13.174:/etc/openvpn/client
2) Install openvpn
[root@localhost ~]# cat /etc/redhat-release
Fedora release 27 (Twenty Seven)
[root@localhost ~]# yum -y install openvpn
[root@localhost ~]# cd /etc/openvpn/client/
[root@localhost client]# ll
total 24
-rw-r--r--. 1 root root 1651 Mar 15 16:15 ca.crt
-rw-------. 1 root root 636 Mar 15 16:15 ta.key
-rw-r--r--. 1 root root 3545 Mar 15 16:15 yuki.conf
-rw-r--r--. 1 root root 5234 Mar 15 16:15 yuki.crt
-rw-------. 1 root root 1704 Mar 15 16:15 yuki.key
3) Start the service
[root@localhost client]# systemctl start openvpn-client@yuki
[root@localhost client]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::3f34:8cdd:5c0c:bf8e prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1 bytes 48 (48.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
4) Test with ping
[root@localhost ~]# ifconfig tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
inet6 fe80::62:8133:502:78c7 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 8 bytes 672 (672.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15 bytes 1044 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.840 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.798 ms
^C
--- 10.8.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.798/0.819/0.840/0.021 ms
[root@localhost ~]# ping 192.168.20.140
PING 192.168.20.140 (192.168.20.140) 56(84) bytes of data.
64 bytes from 192.168.20.140: icmp_seq=1 ttl=64 time=0.747 ms
^C
--- 192.168.20.140 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.747/0.747/0.747/0.000 ms
[root@localhost ~]# ping 192.168.20.152
PING 192.168.20.152 (192.168.20.152) 56(84) bytes of data.
^C
--- 192.168.20.152 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1021ms
[root@localhost ~]# ping 192.168.20.153
PING 192.168.20.153 (192.168.20.153) 56(84) bytes of data.
^C
--- 192.168.20.153 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2035ms
Pinging the internal IPs of node2 and node3 fails; the usual remedy is as follows.
Configure SNAT on the OpenVPN server:
[root@node6 server]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 192.168.20.140
[root@node6 server]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@node6 server]# service iptables restart
Redirecting to /bin/systemctl restart iptables.service
Test again; the hosts are now reachable.
[root@localhost ~]# ping 192.168.20.151
PING 192.168.20.151 (192.168.20.151) 56(84) bytes of data.
64 bytes from 192.168.20.151: icmp_seq=1 ttl=63 time=1.95 ms
^C
--- 192.168.20.151 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.950/1.950/1.950/0.000 ms
[root@localhost ~]# ping 192.168.20.152
PING 192.168.20.152 (192.168.20.152) 56(84) bytes of data.
64 bytes from 192.168.20.152: icmp_seq=1 ttl=63 time=1.29 ms
^C
--- 192.168.20.152 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.290/1.290/1.290/0.000 ms
[root@localhost ~]# ip route
default via 10.2.13.1 dev ens33 proto static metric 100
10.2.13.0/24 dev ens33 proto kernel scope link src 10.2.13.174 metric 100
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.20.0/24 via 10.8.0.5 dev tun0
~~~