一、基础环境
$ uname -a
Linux openvpn-server.t4x.org 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ uname -r
3.10.0-693.el7.x86_64
$ uname -m
x86_64
二、IP信息
杭州机房 : (Centos 7.4)
VPN-SERVER:10.4.0.4(公网IP)、192.168.101.1(内网IP)
机房主机IP:192.168.101.2(无公网IP)
北京机房 : (Centos 6.8)
VPN-SERVER:10.4.0.8(公网IP)、192.168.103.1(内网IP)
机房主机IP:192.168.103.2(无公网IP)
SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
广东机房:(Centos 7.4)
VPN-SERVER:10.4.0.6(公网IP)、192.168.102.1(内网IP)
机房主机IP:192.168.102.2(无公网IP)
SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
1:由于用vm模拟,需要首先将宿主机上面的网关删除,以免影响实验效果!!!
2:调试前,将firewalld关闭,以免影响实验效果!!!
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
宿主机: C:\Users\Zane>route print IPv4 路由表 =========================================================================== 活动路由: 网络目标 网络掩码 网关 接口 跃点数 0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.119 281 192.168.101.0 255.255.255.0 在链路上 192.168.101.1 291 192.168.101.1 255.255.255.255 在链路上 192.168.101.1 291 192.168.101.255 255.255.255.255 在链路上 192.168.101.1 291 192.168.102.0 255.255.255.0 在链路上 192.168.102.1 291 192.168.102.1 255.255.255.255 在链路上 192.168.102.1 291 192.168.102.255 255.255.255.255 在链路上 192.168.102.1 291 192.168.103.0 255.255.255.0 在链路上 192.168.103.1 291 192.168.103.1 255.255.255.255 在链路上 192.168.103.1 291 192.168.103.255 255.255.255.255 在链路上 192.168.103.1 291 =========================================================================== 永久路由: 网络地址 网络掩码 网关地址 跃点数 0.0.0.0 0.0.0.0 192.168.2.1 默认 =========================================================================== C:\WINDOWS\system32>route delete 192.168.101.0 操作完成! C:\WINDOWS\system32>route delete 192.168.102.1 操作完成! C:\WINDOWS\system32>route delete 192.168.103.0 操作完成! C:\WINDOWS\system32>route delete 192.168.101.1 操作完成! C:\WINDOWS\system32>route delete 192.168.102.0 操作完成! C:\WINDOWS\system32>route delete 192.168.103.1 操作完成! |
三、OPENVPN服务端安装
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
$ yum install pam-devel openssl-devel wget vim gcc gcc-c++ net-tools -y $ mkdir /byrd/tools -p $ cd /byrd/tools/ $ wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz $ tar zxf lzo-2.10.tar.gz $ cd lzo-2.10 $ ./configure --prefix=/opt/lzo-2.10 $ make && make install $ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.18.tar.gz $ tar zxf openvpn-2.3.18.tar.gz $ cd openvpn-2.3.18 $ ln -s /opt/lzo-2.10/lib/* /usr/local/lib/ $ ln -s /opt/lzo-2.10/include/* /usr/local/include/ $ ./configure --prefix=/opt/openvpn-2.3.18 $ make && make install $ ln -s /opt/openvpn-2.3.18/ /usr/local/openvpn |
四、OPENVPN服务端证书生成
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
$ wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip $ mv easy-rsa-master/ key $ ln -s /opt/openvpn-2.3.18/ /usr/local/openvpn $ mv key/ /usr/local/openvpn/ $ cd /usr/local/openvpn/key/easyrsa3/ $ cp vars.example vars $ tail -6 vars set_var EASYRSA_REQ_COUNTRY "CN" set_var EASYRSA_REQ_PROVINCE "Zhejiang" set_var EASYRSA_REQ_CITY "Hangzhou" set_var EASYRSA_REQ_ORG "t4x.org" set_var EASYRSA_REQ_EMAIL "root@t4x.org" set_var EASYRSA_REQ_OU "t4x.org" $ ./easyrsa init-pki #初始化 $ ./easyrsa build-ca #创建根证书,需要输入ca证书密码2次,需要输入Common Name == 此次操作生成的文件/usr/local/openvpn/key/easyrsa3/pki/ca.crt == $ ./easyrsa gen-req server nopass #创建服务器端证书,需要输入Common Name ./easyrsa gen-req server此时当启动服务端时候需要输入服务端密码,此次取消passwd == 此次操作生成的文件 req: /usr/local/openvpn/key/easyrsa3/pki/reqs/server.req == == 此次操作生成的文件 key: /usr/local/openvpn/key/easyrsa3/pki/private/server.key == $ ./easyrsa sign server server #签约服务端证书,需输入创建ca时的ca密码 ==此次操作生成的文件/usr/local/openvpn/key/easyrsa3/pki/issued/server.crt== $ ./easyrsa gen-dh #创建Diffie-Hellman parameters ==此次操作生成的文件/usr/local/openvpn/key/easyrsa3/pki/dh.pem == |
五、OPENVPN客户端证书生成
方式1:ca证书在pki目录下
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
$ ./easyrsa gen-req bj nopass #创建北京机房客户端证书,如果设置密码,客户端连接的时候需要输入密码 ==此次操作生成的文件 req: /usr/local/openvpn/key/easyrsa3/pki/reqs/bj.req == ==此次操作生成的文件 key: /usr/local/openvpn/key/easyrsa3/pki/private/bj.key == $ ./easyrsa gen-req gd nopass #创建gd机房客户端证书,如果设置密码,客户端连接的时候需要输入密码 ==此次操作生成的文件 req: /usr/local/openvpn/key/easyrsa3/pki/reqs/gd.req == ==此次操作生成的文件 key: /usr/local/openvpn/key/easyrsa3/pki/private/gd.key == $ ./easyrsa sign-req client gd #签约客户端证书,需要输入ca密码 ==此次操作生成的文件 /usr/local/openvpn/key/easyrsa3/pki/issued/gd.crt == $ ./easyrsa sign-req client bj #签约客户端证书,需要输入ca密码 ==此次操作生成的文件 /usr/local/openvpn/key/easyrsa3/pki/issued/bj.crt == |
方式2:ca证书不在pki目录下
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
$ cd easy-rsa-master/easyrsa3/ $ pwd /byrd/tools/easy-rsa-master/easyrsa3 $ ./easyrsa init-pki $ ./easyrsa gen-req sz nopass ==此次操作生成的文件 req: /byrd/tools/easy-rsa-master/easyrsa3/pki/reqs/sz.req == ==此次操作生成的文件 key: /byrd/tools/easy-rsa-master/easyrsa3/pki/private/sz.key == ./easyrsa sign-req client sz Easy-RSA error: Missing expected CA file: index.txt (perhaps you need to run build-ca?) Run easyrsa without commands for usage and command help. $ cd /usr/local/openvpn/key/easyrsa3/ $ ./easyrsa import-req /byrd/tools/easy-rsa-master/easyrsa3/pki/reqs/sz.req sz Note: using Easy-RSA configuration from: ./vars The request has been successfully imported with a short name of: sz You may now use this name to perform signing operations on this request. $ ./easyrsa sign-req client sz ==此次操作生成的文件 /usr/local/openvpn/key/easyrsa3/pki/issued/sz.crt == |
六、OPENVPN所有证书
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
$ tree pki/ pki/ ├── ca.crt ├── certs_by_serial │ ├── A2617A000C9A1D37920B9C822D7BE4E7.pem │ ├── EA7FCD3E8C064D704A15F5D82B8619AB.pem │ └── F2976C802CEB25F20209C586C08A7F98.pem ├── dh.pem ├── index.txt ├── index.txt.attr ├── index.txt.attr.old ├── index.txt.old ├── issued │ ├── bj.crt │ ├── gd.crt │ └── server.crt ├── private │ ├── bj.key │ ├── ca.key │ ├── gd.key │ └── server.key ├── reqs │ ├── bj.req │ ├── gd.req │ └── server.req ├── serial └── serial.old |
七、OPENVPN服务端配置
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
$ mkdir /etc/openvpn $ cp /byrd/tools/openvpn-2.3.18/sample/sample-config-files/server.conf /etc/openvpn/ $ mkdir /etc/openvpn/key $ cp pki/issued/server.crt /etc/openvpn/key/ $ cp pki/private/server.key /etc/openvpn/key/ $ cp pki/ca.crt /etc/openvpn/key/ $ cp pki/dh.pem /etc/openvpn/key/ $ tree /etc/openvpn/key #服务器只需要此4个文件 /etc/openvpn/key ├── ca.crt ├── dh.pem ├── server.crt └── server.key $ grep -vE "^$|;|^#" /etc/openvpn/server.conf local 10.4.0.4 port 1194 proto tcp dev tun ca /etc/openvpn/key/ca.crt cert /etc/openvpn/key/server.crt key /etc/openvpn/key/server.key # This file should be kept secret dh /etc/openvpn/key/dh.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /tmp/ipp.txt client-to-client duplicate-cn keepalive 10 120 cipher AES-256-CBC comp-lzo persist-key persist-tun status openvpn-status.log verb 3 |
八、OPENVPN客户端配置
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
$ mkdir /etc/openvpn/key $ cp /byrd/tools/openvpn-2.3.18/sample/sample-config-files/client.conf /etc/openvpn/ $ cp pki/ca.crt /etc/openvpn/key/ $ cp pki/issued/bj.crt /etc/openvpn/key/ $ cp pki/issued/gd.crt /etc/openvpn/key/ $ cp pki/private/bj.key /etc/openvpn/key/ $ cp pki/private/gd.key /etc/openvpn/key/ $ tree /etc/openvpn/key/ #客户端需要3个文件 ca证书、用户.crt 用户.key /etc/openvpn/key/ ├── bj.crt ├── bj.key ├── ca.crt ├── gd.crt └── gd.key $ grep -vE "^$|;|#" /etc/openvpn/client.conf client dev tun proto tcp remote 10.4.0.4 1194 resolv-retry infinite nobind persist-key persist-tun ca /etc/openvpn/key/ca.crt cert /etc/openvpn/key/gd.crt key /etc/openvpn/key/gd.key remote-cert-tls server cipher AES-256-CBC comp-lzo verb 3 |
九、服务端拨号
服务端:
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
$ firewall-cmd --zone=public --add-port=1194/tcp #开启防火墙,默认1194端口 $ /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf $ ip a 2: ens33: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:93:3f:48 brd ff:ff:ff:ff:ff:ff inet 10.4.0.4/24 brd 1.1.1.255 scope global ens33 valid_lft forever preferred_lft forever 3: ens37: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:93:3f:52 brd ff:ff:ff:ff:ff:ff inet 192.168.101.1/24 brd 192.168.101.255 scope global ens37 6: tun0: <pointopoint,multicast,noarp,up,lower_up> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 link/none inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0 valid_lft forever preferred_lft forever </pointopoint,multicast,noarp,up,lower_up></broadcast,multicast,up,lower_up></broadcast,multicast,up,lower_up> |
客户端(广东):
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
$ /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/client.conf $ ip a 2: ens33: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:b9:2a:77 brd ff:ff:ff:ff:ff:ff inet 10.4.0.6/24 brd 1.1.1.255 scope global ens33 valid_lft forever preferred_lft forever 3: ens37: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:b9:2a:81 brd ff:ff:ff:ff:ff:ff inet 192.168.102.1/24 brd 192.168.102.255 scope global ens37 valid_lft forever preferred_lft forever 6: tun0: <pointopoint,multicast,noarp,up,lower_up> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 link/none inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0 valid_lft forever preferred_lft forever</pointopoint,multicast,noarp,up,lower_up></broadcast,multicast,up,lower_up></broadcast,multicast,up,lower_up> $ ping 10.8.0.1 #判断拨号状态 PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.613 ms 1 packets transmitted, 1 received, 0% packet loss, time 0ms $ route -n #路由信息 Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.0.2 0.0.0.0 UG 100 0 0 ens33 10.0.0.0 0.0.0.0 255.0.0.0 U 100 0 0 ens33 10.8.0.0 10.8.0.9 255.255.255.0 UG 0 0 0 tun0 10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 192.168.102.0 0.0.0.0 255.255.255.0 U 100 0 0 ens37 |
VPN段IP拨号验证:
广东IP:10.8.0.10
|
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
$ ip a 2: ens33: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:b9:2a:77 brd ff:ff:ff:ff:ff:ff inet 10.4.0.6/24 brd 1.1.1.255 scope global ens33 valid_lft forever preferred_lft forever 3: ens37: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:b9:2a:81 brd ff:ff:ff:ff:ff:ff inet 192.168.102.1/24 brd 192.168.102.255 scope global ens37 valid_lft forever preferred_lft forever 6: tun0: <pointopoint,multicast,noarp,up,lower_up> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 link/none inet 10.8.0.10 peer 10.8.0.5/32 scope global tun0 valid_lft forever preferred_lft forever $ ping 10.8.0.14 #10.8.0.14 是北京机房vpn client 的 tun ip PING 10.8.0.14 (10.8.0.14) 56(84) bytes of data. 64 bytes from 10.8.0.14: icmp_seq=1 ttl=64 time=1.54 ms 1 packets transmitted, 1 received, 0% packet loss, time 0ms</pointopoint,multicast,noarp,up,lower_up></broadcast,multicast,up,lower_up></broadcast,multicast,up,lower_up> $ ping 10.8.0.1 #10.8.0.1 是杭州机房vpn server 的 tun ip PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data. 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.696 ms 2 packets transmitted, 2 received, 0% packet loss, time 1001ms |
从vpn客户端机房(广东机房)到VPN服务端机房(杭州机房)互通验证:SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
到VPN-SERVER(192.168.101.1):
到杭州机房主机(192.168.101.2):
解决方法1:(在192.168.101.2服务器配置到10.8.0.0/24网段的路由)
解决方法2:(在192.168.101.1做IP伪装)
SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
从VPN服务端机房(杭州机房)到vpn客户端机房(广东机房)互通验证:SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
十、多网互通完整配置:
服务端配置(杭州机房[192.168.101.x/24]):
客户端配置(广东机房[192.168.102.x/24]):
客户端配置(北京机房[192.168.103.x/24]):
SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
互访验证:SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
vpn server服务器到其他服务器:
北京内网服务器(192.168.103.1)到其他服务器:
SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
备注信息:SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/因为子网内有效的主机数为2^n-2,所以依上面的条件2^2-2=2,即每个子网中实际的主机数为4,子网掩码=256-4=252,使用的又是c类地址,所以该业务所使用的子网掩码的形式为255.255.255.252,可以产生256/4-2=64-2=62个子网,每个子网可用的最大的主机数为2,具体的IP地址如下:
网络 子网掩码 IP地址范围 子网地址 子网广播地址
局域1 255.255.255.252 10.8.0.5~6 10.8.0.4 10.8.0.7
局域2 255.255.255.252 10.8.0.9~10 10.8.0.8 10.8.0.11
局域3 255.255.255.252 10.8.0.13~14 10.8.0.12 10.8.0.15
……
局域62 255.255.255.252 10.8.0.249~250 10.8.0.248 10.8.0.251
十一、证书吊销:
证书吊销:
参考文档:
1:https://openvpn.net/index.php/open-source/documentation/howto.html
申明:除非注明Byrd's Blog内容均为原创,未经许可禁止转载!详情请阅读版权申明!
