1. Base environment
$ uname -a
Linux openvpn-server.t4x.org 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ uname -r
3.10.0-693.el7.x86_64
$ uname -m
x86_64
2. IP addressing
Hangzhou data center (CentOS 7.4):
VPN server: 10.4.0.4 (public IP), 192.168.101.1 (internal IP)
LAN host: 192.168.101.2 (no public IP)
$ ping 192.168.101.2            # local LAN host: reachable
64 bytes from 192.168.101.2: icmp_seq=1 ttl=64 time=0.407 ms
$ ping 192.168.102.1            # Guangdong VPN client
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ping 192.168.102.2            # Guangdong LAN host
PING 192.168.102.2 (192.168.102.2) 56(84) bytes of data.
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
$ ping 192.168.103.1            # Beijing VPN client
PING 192.168.103.1 (192.168.103.1) 56(84) bytes of data.
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
$ ping 192.168.103.2            # Beijing LAN host
PING 192.168.103.2 (192.168.103.2) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Beijing data center (CentOS 6.8):
VPN client: 10.4.0.8 (public IP), 192.168.103.1 (internal IP)
LAN host: 192.168.103.2 (no public IP)
SourceByrd's Weblog-https://note.t4x.org/project/use-openvpn-computer-room-interconnect/
$ ping 192.168.103.2            # local LAN host: reachable
PING 192.168.103.2 (192.168.103.2) 56(84) bytes of data.
64 bytes from 192.168.103.2: icmp_seq=1 ttl=64 time=0.574 ms
^C
--- 192.168.103.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
$ ping 192.168.101.1            # Hangzhou VPN server
PING 192.168.101.1 (192.168.101.1) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ping 192.168.101.2            # Hangzhou LAN host
PING 192.168.101.2 (192.168.101.2) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ping 192.168.102.1            # Guangdong VPN client
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ping 192.168.102.2            # Guangdong LAN host
PING 192.168.102.2 (192.168.102.2) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Guangdong data center (CentOS 7.4):
VPN client: 10.4.0.6 (public IP), 192.168.102.1 (internal IP)
LAN host: 192.168.102.2 (no public IP)
$ ping 192.168.102.2            # local LAN host: reachable
PING 192.168.102.2 (192.168.102.2) 56(84) bytes of data.
64 bytes from 192.168.102.2: icmp_seq=1 ttl=64 time=0.441 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
$ ping 192.168.101.1            # Hangzhou VPN server
PING 192.168.101.1 (192.168.101.1) 56(84) bytes of data.
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
$ ping 192.168.101.2            # Hangzhou LAN host
PING 192.168.101.2 (192.168.101.2) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ping 192.168.103.1            # Beijing VPN client
PING 192.168.103.1 (192.168.103.1) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ ping 192.168.103.2            # Beijing LAN host
PING 192.168.103.2 (192.168.103.2) 56(84) bytes of data.
^C
--- 192.168.103.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
1: Because the lab is simulated in VMs, first delete the routes the host machine has to the lab subnets (the host itself holds 192.168.101.1, 192.168.102.1 and 192.168.103.1 on the virtual adapters, see the route table below); otherwise the host answers for the VPN endpoints and distorts the results.
2: Stop firewalld while debugging so it does not interfere. The firewall-cmd rules used later on assume it is running again once the tunnel works.
Host machine:
C:\Users\Zane>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.119    281
    192.168.101.0    255.255.255.0         On-link     192.168.101.1    291
    192.168.101.1  255.255.255.255         On-link     192.168.101.1    291
  192.168.101.255  255.255.255.255         On-link     192.168.101.1    291
    192.168.102.0    255.255.255.0         On-link     192.168.102.1    291
    192.168.102.1  255.255.255.255         On-link     192.168.102.1    291
  192.168.102.255  255.255.255.255         On-link     192.168.102.1    291
    192.168.103.0    255.255.255.0         On-link     192.168.103.1    291
    192.168.103.1  255.255.255.255         On-link     192.168.103.1    291
  192.168.103.255  255.255.255.255         On-link     192.168.103.1    291
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.2.1  Default
===========================================================================
C:\WINDOWS\system32>route delete 192.168.101.0
 OK!
C:\WINDOWS\system32>route delete 192.168.102.1
 OK!
C:\WINDOWS\system32>route delete 192.168.103.0
 OK!
C:\WINDOWS\system32>route delete 192.168.101.1
 OK!
C:\WINDOWS\system32>route delete 192.168.102.0
 OK!
C:\WINDOWS\system32>route delete 192.168.103.1
 OK!
3. OpenVPN server installation
$ yum install pam-devel openssl-devel wget vim gcc gcc-c++ net-tools -y
$ mkdir /byrd/tools -p
$ cd /byrd/tools/
$ wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.10.tar.gz
$ tar zxf lzo-2.10.tar.gz
$ cd lzo-2.10
$ ./configure --prefix=/opt/lzo-2.10
$ make && make install
$ wget https://swupdate.openvpn.org/community/releases/openvpn-2.3.18.tar.gz
$ tar zxf openvpn-2.3.18.tar.gz
$ cd openvpn-2.3.18
$ ln -s /opt/lzo-2.10/lib/* /usr/local/lib/
$ ln -s /opt/lzo-2.10/include/* /usr/local/include/
$ ./configure --prefix=/opt/openvpn-2.3.18
$ make && make install
$ ln -s /opt/openvpn-2.3.18/ /usr/local/openvpn
Both tarballs are fetched and built without any integrity check, and the lzo download is plain http. The OpenVPN release directory publishes a detached GPG signature (.asc) next to each tarball; verify it before building. The 2.3 branch used on this page is no longer maintained, so outside a lab build or install a current 2.x release (the distribution package, where one exists, is usually the better-maintained choice).
4. Generating the server certificates
$ wget -c https://github.com/OpenVPN/easy-rsa/archive/master.zip
$ unzip master.zip
$ mv easy-rsa-master/ key
$ ln -s /opt/openvpn-2.3.18/ /usr/local/openvpn
$ mv key/ /usr/local/openvpn/
$ cd /usr/local/openvpn/key/easyrsa3/
$ cp vars.example vars
$ tail -6 vars
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "Zhejiang"
set_var EASYRSA_REQ_CITY     "Hangzhou"
set_var EASYRSA_REQ_ORG      "t4x.org"
set_var EASYRSA_REQ_EMAIL    "root@t4x.org"
set_var EASYRSA_REQ_OU       "t4x.org"
$ ./easyrsa init-pki                 # initialise the PKI directory
$ ./easyrsa build-ca                 # create the root CA: asks for the CA key passphrase (twice) and a Common Name
== produces /usr/local/openvpn/key/easyrsa3/pki/ca.crt ==
$ ./easyrsa gen-req server nopass    # create the server key and CSR: asks for a Common Name
# without "nopass" the server key is encrypted and openvpn prompts for its passphrase at every start, so it is left unencrypted here
== produces req: /usr/local/openvpn/key/easyrsa3/pki/reqs/server.req ==
== produces key: /usr/local/openvpn/key/easyrsa3/pki/private/server.key ==
$ ./easyrsa sign-req server server   # sign the server CSR as a *server* certificate: asks for the CA passphrase
== produces /usr/local/openvpn/key/easyrsa3/pki/issued/server.crt ==
$ ./easyrsa gen-dh                   # create the Diffie-Hellman parameters
== produces /usr/local/openvpn/key/easyrsa3/pki/dh.pem ==
master.zip is whatever the easy-rsa branch holds on the day it is fetched; pin a tagged easy-rsa release instead. The "server" type on the sign-req command is not cosmetic: it is what puts the server extended key usage into server.crt, which the clients later enforce with remote-cert-tls server.
5. Generating the client certificates
Method 1: the CSR is created in the same pki directory as the CA
$ ./easyrsa gen-req bj nopass        # Beijing client key and CSR; with a passphrase the client would prompt for it at every connect
== produces req: /usr/local/openvpn/key/easyrsa3/pki/reqs/bj.req ==
== produces key: /usr/local/openvpn/key/easyrsa3/pki/private/bj.key ==
$ ./easyrsa gen-req gd nopass        # Guangdong client key and CSR, same remark
== produces req: /usr/local/openvpn/key/easyrsa3/pki/reqs/gd.req ==
== produces key: /usr/local/openvpn/key/easyrsa3/pki/private/gd.key ==
$ ./easyrsa sign-req client gd       # sign as a *client* certificate: asks for the CA passphrase
== produces /usr/local/openvpn/key/easyrsa3/pki/issued/gd.crt ==
$ ./easyrsa sign-req client bj       # sign as a *client* certificate: asks for the CA passphrase
== produces /usr/local/openvpn/key/easyrsa3/pki/issued/bj.crt ==
Method 2: the CSR is created in a separate pki directory (the key stays where it was generated)
$ cd easy-rsa-master/easyrsa3/
$ pwd
/byrd/tools/easy-rsa-master/easyrsa3
$ ./easyrsa init-pki
$ ./easyrsa gen-req sz nopass
== produces req: /byrd/tools/easy-rsa-master/easyrsa3/pki/reqs/sz.req ==
== produces key: /byrd/tools/easy-rsa-master/easyrsa3/pki/private/sz.key ==
$ ./easyrsa sign-req client sz       # fails: this pki has no CA
Easy-RSA error: Missing expected CA file: index.txt (perhaps you need to run build-ca?)
Run easyrsa without commands for usage and command help.
$ cd /usr/local/openvpn/key/easyrsa3/
$ ./easyrsa import-req /byrd/tools/easy-rsa-master/easyrsa3/pki/reqs/sz.req sz
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: sz
You may now use this name to perform signing operations on this request.
$ ./easyrsa sign-req client sz
== produces /usr/local/openvpn/key/easyrsa3/pki/issued/sz.crt ==
This is the pattern to prefer for real clients: generate the key on the client machine, carry only the .req to the CA host, and carry the signed .crt (plus ca.crt) back. The private key never leaves the client, and the CA host never accumulates client keys that a compromise there could leak.
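The two sections above lean on two properties of the easy-rsa workflow that are easy to get wrong by hand: the server certificate must be signed as a server and the client certificates as clients (the client option remote-cert-tls server checks exactly this), and with method 2 only the CSR travels, never the key. The following script is an added example, not code from the original post and not easy-rsa's own code: it builds the same three-role PKI with plain openssl, so both properties are visible, and checks them with openssl verify -purpose. Subjects, file names and validity periods are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, not easy-rsa code): the page's PKI
# rebuilt with plain openssl. Directory layout, subjects and lifetimes are
# assumptions. Needs only the openssl binary.
set -eu

# Extension profiles, one per role (what easy-rsa's x509-types/server and
# x509-types/client supply to "sign-req server" / "sign-req client").
write_ext() {
  cat > "$1/ext.cnf" <<'EOF'
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

build_pki() {  # build_pki <dir>: dir/ plays the CA host, dir/client-side/ plays the client machine
  d=$1; mkdir -p "$d/client-side"; write_ext "$d"
  # CA (easy-rsa: build-ca). -nodes only because this is a throwaway lab; a real
  # ca.key belongs encrypted and off the VPN server.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=t4x-lab-ca" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Server key + CSR (easy-rsa: gen-req server nopass), signed with the server
  # profile (easy-rsa: sign-req server server).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=server" \
    -keyout "$d/server.key" -out "$d/server.req" 2>/dev/null
  openssl x509 -req -in "$d/server.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$d/ext.cnf" -extensions server -out "$d/server.crt" 2>/dev/null
  # Client "gd", method 2: key and CSR are made on the client side, only the CSR
  # is copied to the CA host (easy-rsa: import-req) and signed with the client
  # profile (easy-rsa: sign-req client gd). gd.key never leaves client-side/.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=gd" \
    -keyout "$d/client-side/gd.key" -out "$d/client-side/gd.req" 2>/dev/null
  cp "$d/client-side/gd.req" "$d/gd.req"
  openssl x509 -req -in "$d/gd.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$d/ext.cnf" -extensions client -out "$d/gd.crt" 2>/dev/null
}

# Does <cert> chain to <ca.crt> AND carry the role <purpose> (sslserver|sslclient)?
# "openssl verify -purpose sslserver" rejects a clientAuth-only certificate,
# which is the same mismatch "remote-cert-tls server" rejects on the VPN client
# when someone tries to replay a client certificate as a server.
cert_ok_for() {  # cert_ok_for <purpose> <ca.crt> <cert>
  openssl verify -purpose "$1" -CAfile "$2" "$3" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then   # sh this-file.sh demo
  build_pki ./lab-pki
  cert_ok_for sslserver lab-pki/ca.crt lab-pki/server.crt && echo "server.crt: valid server certificate"
  cert_ok_for sslserver lab-pki/ca.crt lab-pki/gd.crt     || echo "gd.crt: correctly rejected as a server"
  cert_ok_for sslclient lab-pki/ca.crt lab-pki/gd.crt     && echo "gd.crt: valid client certificate"
fi
```

The verify step is the one worth keeping around: run it against /etc/openvpn/key/server.crt after every reissue, because a server certificate accidentally signed with the client type will still start openvpn and will only fail at the clients, with a TLS error that does not say why.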
6. All certificates produced
$ tree pki/
pki/
├── ca.crt
├── certs_by_serial
│   ├── A2617A000C9A1D37920B9C822D7BE4E7.pem
│   ├── EA7FCD3E8C064D704A15F5D82B8619AB.pem
│   └── F2976C802CEB25F20209C586C08A7F98.pem
├── dh.pem
├── index.txt
├── index.txt.attr
├── index.txt.attr.old
├── index.txt.old
├── issued
│   ├── bj.crt
│   ├── gd.crt
│   └── server.crt
├── private
│   ├── bj.key
│   ├── ca.key
│   ├── gd.key
│   └── server.key
├── reqs
│   ├── bj.req
│   ├── gd.req
│   └── server.req
├── serial
└── serial.old
Note that pki/private/ca.key sits on the VPN server itself, next to every client key. Anyone who obtains it can mint a client certificate for every site, so keep the CA directory off the VPN server (a separate machine or an encrypted, offline copy) and leave only the four files the next section copies.
7. Server configuration
$ mkdir /etc/openvpn
$ cp /byrd/tools/openvpn-2.3.18/sample/sample-config-files/server.conf /etc/openvpn/
$ mkdir /etc/openvpn/key
$ cp pki/issued/server.crt /etc/openvpn/key/
$ cp pki/private/server.key /etc/openvpn/key/
$ cp pki/ca.crt /etc/openvpn/key/
$ cp pki/dh.pem /etc/openvpn/key/
$ tree /etc/openvpn/key              # the server needs only these four files
/etc/openvpn/key
├── ca.crt
├── dh.pem
├── server.crt
└── server.key
$ grep -vE "^$|;|^#" /etc/openvpn/server.conf
local 10.4.0.4
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
A few points in this first version deserve fixing before it leaves the lab. duplicate-cn lets several clients connect with the same certificate, which removes per-client accountability and does not work with the per-client ccd/iroute routing added in section 10 (the final configuration there drops it). ifconfig-pool-persist writes the client-to-address map into /tmp, a world-writable directory; keep it under /etc/openvpn. comp-lzo compresses attacker-influenced data inside the encrypted tunnel, a known compression-oracle risk and the reason OpenVPN has deprecated compression; nothing here needs it. Missing entirely are tls-auth (a shared HMAC key that makes the port drop packets from anyone who does not hold it) and user nobody / group nobody to drop root after startup, which the client configurations in section 10 do use. Finally, client-to-client switches traffic between clients inside the openvpn process, so the server's iptables FORWARD chain never sees site-to-site traffic; if you intend to filter it on the server, leave client-to-client out and let the kernel route between the tun0 addresses.
8. Client configuration
$ mkdir /etc/openvpn/key
$ cp /byrd/tools/openvpn-2.3.18/sample/sample-config-files/client.conf /etc/openvpn/
$ cp pki/ca.crt /etc/openvpn/key/
$ cp pki/issued/bj.crt /etc/openvpn/key/
$ cp pki/issued/gd.crt /etc/openvpn/key/
$ cp pki/private/bj.key /etc/openvpn/key/
$ cp pki/private/gd.key /etc/openvpn/key/
$ tree /etc/openvpn/key/             # a client needs three files: ca.crt, its own .crt and its own .key
/etc/openvpn/key/
├── bj.crt
├── bj.key
├── ca.crt
├── gd.crt
└── gd.key
$ grep -vE "^$|;|#" /etc/openvpn/client.conf
client
dev tun
proto tcp
remote 10.4.0.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/gd.crt
key /etc/openvpn/key/gd.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
Both client keys were staged here because the files were copied from the CA host in one go; on the real machines each site must hold only its own key (bj.key in Beijing, gd.key in Guangdong), so that a compromise of one client cannot impersonate the other. remote-cert-tls server is the check that stops a client certificate from being replayed as a server: it requires the server's certificate to carry the server extended key usage, which is exactly what sign-req server (as opposed to sign-req client) puts there.
9. Bringing up the tunnel
Server:
$ firewall-cmd --zone=public --add-port=1194/tcp   # open the OpenVPN port (1194 by default); repeat with --permanent or the rule is gone after a reload
$ /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/server.conf
$ ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:93:3f:48 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.4/24 brd 1.1.1.255 scope global ens33
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:93:3f:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.1/24 brd 192.168.101.255 scope global ens37
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
Client (Guangdong):
$ /usr/local/openvpn/sbin/openvpn --config /etc/openvpn/client.conf
$ ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b9:2a:77 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.6/24 brd 1.1.1.255 scope global ens33
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b9:2a:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.102.1/24 brd 192.168.102.255 scope global ens37
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
       valid_lft forever preferred_lft forever
$ ping 10.8.0.1                     # is the tunnel up?
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.613 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
$ route -n                          # routing table
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 ens33
10.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 ens33
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.102.0   0.0.0.0         255.255.255.0   U     100    0        0 ens37
Checking reachability on the VPN subnet:
Guangdong tun0 address: 10.8.0.10
$ ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b9:2a:77 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.6/24 brd 1.1.1.255 scope global ens33
       valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b9:2a:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.102.1/24 brd 192.168.102.255 scope global ens37
       valid_lft forever preferred_lft forever
6: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.10 peer 10.8.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
$ ping 10.8.0.14                    # 10.8.0.14 is the Beijing client's tun0 address
PING 10.8.0.14 (10.8.0.14) 56(84) bytes of data.
64 bytes from 10.8.0.14: icmp_seq=1 ttl=64 time=1.54 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
$ ping 10.8.0.1                     # 10.8.0.1 is the Hangzhou server's tun0 address
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.696 ms
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
Reachability from the client site (Guangdong) to the server site (Hangzhou):
To the VPN server's LAN address (192.168.101.1):
$ ping 192.168.101.1                # from Guangdong this cannot work yet: the client has no route for 192.168.101.0/24
$ route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 ens33
10.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 ens33
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.102.0   0.0.0.0         255.255.255.0   U     100    0        0 ens37
$ route add -net 192.168.101.0 netmask 255.255.255.0 dev tun0
# on the Guangdong client: send 192.168.101.0/24 into tun0. Without this route the packets follow the default gateway, which has no path into the lab, and are dropped
$ route add -net 192.168.101.0/24 gw 10.8.0.9
# the same route written with the tunnel peer 10.8.0.9 as the gateway; it also ends up on tun0, so either form alone is enough
$ route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 ens33
10.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 ens33
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.101.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.102.0   0.0.0.0         255.255.255.0   U     100    0        0 ens37
To the Hangzhou LAN host (192.168.101.2):
$ ping 192.168.101.2                # the route to 192.168.101.0/24 exists, yet this still fails: the request reaches 192.168.101.1 and is forwarded to 192.168.101.2, but 192.168.101.2 only knows its own subnet and has no route for 10.8.0.0/24, so its reply has nowhere to go
PING 192.168.101.2 (192.168.101.2) 56(84) bytes of data.
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
Solution 1: add a route for 10.8.0.0/24 on the 192.168.101.2 host
$ route add -net 10.8.0.0/24 gw 192.168.101.1
# on 192.168.101.2: replies to 10.8.0.0/24 are handed to 192.168.101.1, which carries them back into the tunnel
#### the VPN server must forward: sysctl -w net.ipv4.ip_forward=1 (and net.ipv4.ip_forward = 1 in /etc/sysctl.conf so it survives a reboot) ####
Solution 2: source NAT on 192.168.101.1
firewall-cmd --zone=public --add-masquerade
# zone-wide masquerade: everything forwarded out of an interface in the public zone is NATed, not only tunnel traffic
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens37 -j SNAT --to-source 192.168.101.1
# explicit SNAT on the VPN server: only 10.8.0.0/24 leaving ens37 is rewritten to 192.168.101.1
firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens37 -j MASQUERADE
# same scope as the SNAT rule, with the source address taken from ens37 at run time
Use one of the three, not all; none of them is persistent without --permanent. NAT spares you from touching every LAN host, but the LAN host then logs every tunnel peer as 192.168.101.1. Where per-site accountability on the LAN side matters, prefer the explicit return route of solution 1, and do the filtering in the VPN server's FORWARD chain, which sees the real 10.8.0.x source either way.
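The failure above (route present, ping still dead) and its two fixes can be reproduced on one Linux box with network namespaces instead of three VMs. The script below is an added example, not part of the original post: a plain veth link carries the 10.8.0.0/24 addresses and stands in for tun0, the namespace and interface names and the address plan are assumptions chosen to match the page's numbering, and it needs root with CAP_NET_ADMIN plus the ip, iptables and ping binaries.

```shell
#!/bin/sh
# Added example, not from the original post: the "route exists but the ping
# still fails" case rebuilt with network namespaces, plus both fixes.
# Assumed names: gd-cli (Guangdong client), hz-srv (Hangzhou VPN server),
# hz-host (Hangzhou LAN host). A veth pair stands in for the tunnel.
set -eu

NS_CLI=gd-cli; NS_SRV=hz-srv; NS_HOST=hz-host

lab_up() {
  for ns in $NS_CLI $NS_SRV $NS_HOST; do ip netns add "$ns"; done
  ip link add tun-c type veth peer name tun-s        # "tunnel": 10.8.0.10 <-> 10.8.0.1
  ip link set tun-c netns $NS_CLI; ip link set tun-s netns $NS_SRV
  ip link add lan-s type veth peer name lan-h        # Hangzhou LAN: 192.168.101.1 <-> .2
  ip link set lan-s netns $NS_SRV; ip link set lan-h netns $NS_HOST
  ip -n $NS_CLI  addr add 10.8.0.10/24 dev tun-c;      ip -n $NS_CLI  link set tun-c up
  ip -n $NS_SRV  addr add 10.8.0.1/24 dev tun-s;       ip -n $NS_SRV  link set tun-s up
  ip -n $NS_SRV  addr add 192.168.101.1/24 dev lan-s;  ip -n $NS_SRV  link set lan-s up
  ip -n $NS_HOST addr add 192.168.101.2/24 dev lan-h;  ip -n $NS_HOST link set lan-h up
  for ns in $NS_CLI $NS_SRV $NS_HOST; do ip -n "$ns" link set lo up; done
  ip netns exec $NS_SRV sysctl -qw net.ipv4.ip_forward=1   # the VPN server must forward
  ip -n $NS_CLI route add 192.168.101.0/24 via 10.8.0.1    # the client-side route from the page
  # deliberately NO route on hz-host for 10.8.0.0/24: that is the page's failing state
}

lab_down() { for ns in $NS_CLI $NS_SRV $NS_HOST; do ip netns del "$ns" 2>/dev/null || true; done; }

# The page's test: ping the Hangzhou LAN host from the Guangdong client.
client_can_reach_host() { ip netns exec $NS_CLI ping -c2 -W2 192.168.101.2 >/dev/null 2>&1; }

# Fix 1: the LAN host gets a return route to the VPN pool via the VPN server.
fix_host_route()  { ip -n $NS_HOST route add 10.8.0.0/24 via 192.168.101.1; }
undo_host_route() { ip -n $NS_HOST route del 10.8.0.0/24 via 192.168.101.1; }
# Fix 2: SNAT on the VPN server's LAN side. The host only ever sees
# 192.168.101.1, so it needs no route, but it can no longer tell which
# 10.8.0.x peer talked to it.
fix_snat() { ip netns exec $NS_SRV iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o lan-s -j MASQUERADE; }

# Can this kernel/user run the lab at all? (root, CAP_NET_ADMIN, tools present)
lab_possible() {
  command -v ping >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1 &&
  ip netns add __lab_probe 2>/dev/null && ip netns del __lab_probe
}

if [ "${1:-}" = "demo" ] && lab_possible; then   # sh this-file.sh demo  (as root)
  trap lab_down EXIT
  lab_up
  client_can_reach_host && echo "unexpected: reachable without a return route" || echo "broken, as on the page"
  fix_host_route;  client_can_reach_host && echo "fix 1 (route on the LAN host): ok"
  undo_host_route; fix_snat
  client_can_reach_host && echo "fix 2 (SNAT on the VPN server): ok"
fi
```

Run it as root with the demo argument; the namespaces are removed on exit. Swapping fix_snat for an equivalent SNAT --to-source rule, or adding a third namespace for the Beijing side, is a one-line change each.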
Reachability from the server site (Hangzhou) to the client site (Guangdong):
$ ping 192.168.102.1
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 ens33
10.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 ens33
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.101.0   0.0.0.0         255.255.255.0   U     100    0        0 ens37
$ route add -net 192.168.102.0/24 gw 10.8.0.2
$ route add -net 192.168.103.0/24 gw 10.8.0.2
$ route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 ens33
10.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 ens33
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.101.0   0.0.0.0         255.255.255.0   U     100    0        0 ens37
192.168.102.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.103.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun0
Not achieved: the kernel now sends 192.168.102.0/24 and 192.168.103.0/24 into tun0, but the openvpn process on the other end of tun0 has no idea which connected client owns those subnets and drops the packets. A kernel route is only half of it; the server's openvpn also needs a matching iroute in the owning client's ccd file, which is what section 10 adds.
10. Complete multi-site configuration
Server (Hangzhou, 192.168.101.0/24):
$ tree /etc/openvpn/
/etc/openvpn/
├── ccd
│   ├── bj
│   └── gd
├── key
│   ├── bj.crt
│   ├── bj.key
│   ├── byrd.crt
│   ├── byrd.key
│   ├── ca.crt
│   ├── dh.pem
│   ├── gd.crt
│   ├── gd.key
│   ├── server.crt
│   └── server.key
└── server.conf
$ grep -vE "^$|^#|;" /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key  # This file should be kept secret
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
push "route 192.168.101.0 255.255.255.0"
push "route 192.168.102.0 255.255.255.0"
push "route 192.168.103.0 255.255.255.0"
route 192.168.102.0 255.255.255.0
route 192.168.103.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
$ cat ccd/bj
iroute 192.168.103.0 255.255.255.0
ifconfig-push 10.8.0.14 10.8.0.13
$ cat ccd/gd
iroute 192.168.102.0 255.255.255.0
ifconfig-push 10.8.0.10 10.8.0.9
The three kinds of route line each do one job: route tells the server's kernel to send a subnet into tun0; iroute in a client's ccd file tells the openvpn process which connected client that subnet belongs to; push "route" hands the other clients their routes. All three are needed, and the ccd file name must equal the client certificate's Common Name (bj, gd). The client keys still sitting in /etc/openvpn/key on the server are not needed there and should be removed.
$ firewall-cmd --zone=public --add-port=1194/tcp
$ firewall-cmd --zone=public --add-masquerade      # zone-wide NAT, see the remark under solution 2 in section 9
$ route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 ens33
10.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 ens33
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.101.0   0.0.0.0         255.255.255.0   U     100    0        0 ens37
192.168.102.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.103.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun0
$ ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3a:e4:cb brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.4/8 brd 10.255.255.255 scope global ens33
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:3a:e4:d5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.1/24 brd 192.168.101.255 scope global ens37
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
$ ping 192.168.102.1                # Guangdong VPN client
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
64 bytes from 192.168.102.1: icmp_seq=1 ttl=64 time=1.98 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
$ ping 192.168.102.2                # Guangdong LAN host
PING 192.168.102.2 (192.168.102.2) 56(84) bytes of data.
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
$ ping 192.168.103.1                # Beijing VPN client
PING 192.168.103.1 (192.168.103.1) 56(84) bytes of data.
64 bytes from 192.168.103.1: icmp_seq=1 ttl=64 time=1.63 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
$ ping 192.168.103.2                # Beijing LAN host, with the CentOS 6.8 default firewall still active on the Beijing client
PING 192.168.103.2 (192.168.103.2) 56(84) bytes of data.
From 10.8.0.14 icmp_seq=1 Destination Host Prohibited
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
$ ping 192.168.103.2                # Beijing LAN host, with that firewall disabled
PING 192.168.103.2 (192.168.103.2) 56(84) bytes of data.
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
#### Unless the VPN client does something extra, the VPN server can only reach the client's own LAN address, not the hosts behind it ####
CentOS 7, Guangdong client, any one of:
Method 1: firewall-cmd --zone=public --add-masquerade
Method 2: firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens37 -j MASQUERADE
Method 3: firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens37 -j SNAT --to-source 192.168.102.1
or on the Guangdong LAN host:
Method 4: route add -net 10.8.0.0/24 gw 192.168.102.1
$ ping 192.168.102.2                # from the VPN server, after the fix
PING 192.168.102.2 (192.168.102.2) 56(84) bytes of data.
64 bytes from 192.168.102.2: icmp_seq=1 ttl=63 time=42.0 ms
1 packets transmitted, 1 received, 0% packet loss, time 0ms
CentOS 6, Beijing client:
$ iptables -L FORWARD --line-numbers
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
$ iptables -D FORWARD 1
Method 1: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth2 -j SNAT --to-source 192.168.103.1
Method 2: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth2 -j MASQUERADE
or on the Beijing LAN host:
Method 3: route add -net 10.8.0.0/24 gw 192.168.103.1
Two things apply to every client that fronts a LAN: it must forward (net.ipv4.ip_forward=1, exactly as on the server), and its FORWARD chain must let the traffic through. The "Destination Host Prohibited" above came from the Beijing client's own REJECT rule; deleting that rule outright opens forwarding for everything, so the tighter fix is an ACCEPT rule inserted above it and limited to tun0 towards eth2 with source 10.8.0.0/24, plus the established return traffic. Pick one NAT method or the host route, not several, and make it persistent (--permanent with firewalld, the saved rules file on CentOS 6) or it vanishes at the next reload. With NAT the LAN host sees only the client's own address; with the host route it sees the real 10.8.0.x peer and can filter on it.
Client (Guangdong, 192.168.102.0/24):
$ tree /etc/openvpn/
/etc/openvpn/
├── client.conf
└── key
    ├── ca.crt
    ├── gd.crt
    └── gd.key
$ grep -vE "^$|^#|;" /etc/openvpn/client.conf
client
dev tun
proto tcp
remote 10.4.0.4 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/gd.crt
key /etc/openvpn/key/gd.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
$ route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.2        0.0.0.0         UG    100    0        0 ens33
10.0.0.0        0.0.0.0         255.0.0.0       U     100    0        0 ens33
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.101.0   10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.102.0   10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.102.0   0.0.0.0         255.255.255.0   U     100    0        0 ens37
192.168.103.0   10.8.0.5        255.255.255.0   UG    0      0        0 tun0
$ ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:ad:e8:37 brd ff:ff:ff:ff:ff:ff
    inet 10.4.0.6/8 brd 10.255.255.255 scope global ens33
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:ad:e8:41 brd ff:ff:ff:ff:ff:ff
    inet 192.168.102.1/24 brd 192.168.102.255 scope global dynamic ens37
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 10.8.0.10 peer 10.8.0.9/32 scope global tun0
       valid_lft forever preferred_lft forever
$ firewall-cmd --zone=public --add-masquerade
Note the two entries for 192.168.102.0/24 in this routing table: the connected route on ens37 (metric 100, set by NetworkManager) and the one the server pushed via tun0 (metric 0). A push "route" line in server.conf goes to every client, including the one that owns the subnet, and the pushed route has the lower metric. Check with ip route get 192.168.102.2 on this client which route the kernel actually uses; if tun0 wins, the client's own LAN traffic is being sent into the tunnel. The clean fix is to push each site's subnet only to the other clients (a push line in their ccd files instead of the global one), or on 2.4 and later to push-remove it for the owner.
Client (Beijing, 192.168.103.0/24):
$ tree /etc/openvpn/
/etc/openvpn/
├── client.conf
└── key
    ├── bj.crt
    ├── bj.key
    └── ca.crt
$ egrep -v "^$|^#|;" /etc/openvpn/client.conf
client
dev tun
proto tcp
remote 10.4.0.4 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/bj.crt
key /etc/openvpn/key/bj.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
$ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth2 -j MASQUERADE   # eth2 is the internal NIC
Cross-site verification:
From the VPN server to the other hosts:
$ ping 192.168.101.2
PING 192.168.101.2 (192.168.101.2) 56(84) bytes of data.
64 bytes from 192.168.101.2: icmp_seq=1 ttl=64 time=0.538 ms
$ ping 192.168.102.1
PING 192.168.102.1 (192.168.102.1) 56(84) bytes of data.
64 bytes from 192.168.102.1: icmp_seq=1 ttl=64 time=1.84 ms
$ ping 192.168.102.2
PING 192.168.102.2 (192.168.102.2) 56(84) bytes of data.
64 bytes from 192.168.102.2: icmp_seq=1 ttl=63 time=16.8 ms
$ ping 192.168.103.1
PING 192.168.103.1 (192.168.103.1) 56(84) bytes of data.
64 bytes from 192.168.103.1: icmp_seq=1 ttl=64 time=1.36 ms
$ ping 192.168.103.2
PING 192.168.103.2 (192.168.103.2) 56(84) bytes of data.
64 bytes from 192.168.103.2: icmp_seq=1 ttl=63 time=2.42 ms
The ttl=63 on the two LAN hosts (one hop less than the VPN clients' ttl=64) confirms the replies were forwarded through the client rather than answered by it.
$ tcpdump -nnn -s 10000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 10000 bytes
20:03:42.210040 IP 10.8.0.1 > 192.168.102.1: ICMP echo request, id 1365, seq 1, length 64
20:03:42.211849 IP 192.168.102.1 > 10.8.0.1: ICMP echo reply, id 1365, seq 1, length 64
20:03:44.219057 IP 10.8.0.1 > 192.168.102.2: ICMP echo request, id 1366, seq 1, length 64
20:03:44.222518 IP 192.168.102.2 > 10.8.0.1: ICMP echo reply, id 1366, seq 1, length 64
20:03:50.018020 IP 10.8.0.1 > 192.168.103.1: ICMP echo request, id 1367, seq 1, length 64
20:03:50.020331 IP 192.168.103.1 > 10.8.0.1: ICMP echo reply, id 1367, seq 1, length 64
20:03:52.385603 IP 10.8.0.1 > 192.168.103.2: ICMP echo request, id 1368, seq 1, length 64
20:03:52.387470 IP 192.168.103.2 > 10.8.0.1: ICMP echo reply, id 1368, seq 1, length 64
The same exchanges in a second capture (timestamps from a different clock):
20:03:42.680819 IP 10.8.0.1 > 192.168.102.1: ICMP echo request, id 1365, seq 1, length 64
20:03:42.680899 IP 192.168.102.1 > 10.8.0.1: ICMP echo reply, id 1365, seq 1, length 64
20:03:44.690503 IP 10.8.0.1 > 192.168.102.2: ICMP echo request, id 1366, seq 1, length 64
20:03:44.691248 IP 192.168.102.2 > 10.8.0.1: ICMP echo reply, id 1366, seq 1, length 64
04:27:49.982729 IP 10.8.0.1 > 192.168.103.1: ICMP echo request, id 1367, seq 1, length 64
04:27:49.983290 IP 192.168.103.1 > 10.8.0.1: ICMP echo reply, id 1367, seq 1, length 64
04:27:52.349724 IP 10.8.0.1 > 192.168.103.2: ICMP echo request, id 1368, seq 1, length 64
04:27:52.350376 IP 192.168.103.2 > 10.8.0.1: ICMP echo reply, id 1368, seq 1, length 64
From the Beijing LAN host (192.168.103.2) to the other sites:
Extra configuration:
#### the LAN host has no routes to 192.168.101.0/24 or 192.168.102.0/24, so they must be added ####
Method 1:
$ route add -net 192.168.101.0/24 gw 192.168.103.1
$ route add -net 192.168.102.0/24 gw 192.168.103.1
Method 2: make 192.168.103.1 the default gateway, so that all non-local traffic leaves through the VPN client
$ route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.101.0   192.168.103.1   255.255.255.0   UG    0      0        0 eth1
192.168.102.0   192.168.103.1   255.255.255.0   UG    0      0        0 eth1
192.168.103.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.8.0.0        192.168.103.1   255.255.255.0   UG    0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
Method 1 is the least-privilege choice: only the three remote prefixes go through the VPN client, and nothing else on the host changes its path.
Notes:
From the OpenVPN sample server configuration: "Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Windows driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:"
[ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18]
[ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38]
[ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58]
[ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78]
[ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98]
[101,102] [105,106] [109,110] [113,114] [117,118]
[121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158]
[161,162] [165,166] [169,170] [173,174] [177,178]
[181,182] [185,186] [189,190] [193,194] [197,198]
[201,202] [205,206] [209,210] [213,214] [217,218]
[221,222] [225,226] [229,230] [233,234] [237,238]
[241,242] [245,246] [249,250] [253,254]
The reasoning behind that table: a subnet has 2^n − 2 usable hosts and each pair needs 2, so 2^2 − 2 = 2, i.e. 4 addresses per block and a mask of 256 − 4 = 252, that is 255.255.255.252 on a class C network. That gives 256/4 = 64 blocks of 2 usable addresses (the classic rule that discards the first and last subnet leaves 62, which is why the numbering below starts at 10.8.0.4). The server itself occupies the first block (10.8.0.1 with peer 10.8.0.2), and the ccd files above place the clients on the blocks 10.8.0.10/9 and 10.8.0.14/13. This constraint exists only under the default topology net30 and only matters for Windows TAP clients; topology subnet, available on the 2.3 server and on every client on this page, gives each client a single address from the pool and removes it entirely.
Block   Mask              Usable addresses   Network      Broadcast
1       255.255.255.252   10.8.0.5-6         10.8.0.4     10.8.0.7
2       255.255.255.252   10.8.0.9-10        10.8.0.8     10.8.0.11
3       255.255.255.252   10.8.0.13-14       10.8.0.12    10.8.0.15
...
62      255.255.255.252   10.8.0.249-250     10.8.0.248   10.8.0.251
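The server configuration in section 10 and the /30 rule just above are both things that fail silently when they are wrong: a route without a matching iroute makes the server drop packets with no error in the client logs, and an ifconfig-push pair that is not a /30 endpoint pair only breaks Windows clients. The script below is an added example, not code from the original post: it audits a server.conf together with its client-config-dir for exactly those two conditions and for the weak options discussed in section 7, and writes a hardened variant of the page's own section 10 configuration beside it. The sample files are constructed here; the paths inside them (/etc/openvpn/key/...) are the page's own, and ta.key and crl.pem in the hardened variant are assumed to exist.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN server.conf plus
# its ccd directory for the routing and hardening points discussed on the page.
set -eu

last_octet() { printf '%s\n' "${1##*.}"; }

# Under the default "topology net30" each ifconfig-push pair must be the two
# usable addresses of one /30: last octets (4k+1, 4k+2), in either order.
valid_net30_pair() {  # valid_net30_pair <client-ip> <server-endpoint>
  a=$(last_octet "$1"); b=$(last_octet "$2")
  if [ "$a" -gt "$b" ]; then t=$a; a=$b; b=$t; fi
  [ $((a % 4)) -eq 1 ] && [ $((b - a)) -eq 1 ]
}

audit_openvpn_server() {  # audit_openvpn_server <server.conf> <ccd-dir>: prints one finding per line
  conf=$1; ccd=$2
  # 1. a kernel route via tun0 is only half of it: openvpn must also know WHICH
  #    client owns the subnet, so every "route" needs exactly one "iroute" claim.
  grep -E '^route[[:space:]]' "$conf" | while read -r _ net mask; do
    pat="^iroute[[:space:]]+$(printf '%s' "$net" | sed 's/\./\\./g')[[:space:]]+$(printf '%s' "$mask" | sed 's/\./\\./g')"
    n=$(grep -lE "$pat" "$ccd"/* 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || echo "route $net $mask: claimed by $n ccd iroute files (need exactly 1)"
  done
  # 2. fixed client addresses must be net30 endpoint pairs
  for f in "$ccd"/*; do
    [ -f "$f" ] || continue
    grep -E '^ifconfig-push[[:space:]]' "$f" | while read -r _ cli srv; do
      valid_net30_pair "$cli" "$srv" || echo "$(basename "$f"): ifconfig-push $cli $srv is not a /30 endpoint pair"
    done
  done
  # 3. options that undermine the design
  grep -qE '^duplicate-cn' "$conf" && echo "duplicate-cn: shared certificates cannot be told apart and break per-client ccd/iroute routing"
  grep -qE '^comp-lzo' "$conf" && echo "comp-lzo: compression inside the tunnel is a compression-oracle risk; remove it"
  grep -qE '^ifconfig-pool-persist[[:space:]]+/tmp/' "$conf" && echo "ifconfig-pool-persist in /tmp: keep server state under /etc/openvpn or /var/lib/openvpn"
  grep -qE '^(tls-auth|tls-crypt)[[:space:]]' "$conf" || echo "no tls-auth/tls-crypt: the TLS handshake is reachable by anyone who can reach the port"
  { grep -qE '^user[[:space:]]' "$conf" && grep -qE '^group[[:space:]]' "$conf"; } || echo "no user/group: the server keeps root after startup"
  return 0
}

write_page_config() {  # write_page_config <dir>: the page's section 10 server.conf and ccd files (constructed copy)
  mkdir -p "$1/ccd"
  cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca /etc/openvpn/key/ca.crt
cert /etc/openvpn/key/server.crt
key /etc/openvpn/key/server.key
dh /etc/openvpn/key/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
push "route 192.168.101.0 255.255.255.0"
route 192.168.102.0 255.255.255.0
route 192.168.103.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
verb 3
EOF
  printf 'iroute 192.168.103.0 255.255.255.0\nifconfig-push 10.8.0.14 10.8.0.13\n' > "$1/ccd/bj"
  printf 'iroute 192.168.102.0 255.255.255.0\nifconfig-push 10.8.0.10 10.8.0.9\n'  > "$1/ccd/gd"
}

write_hardened_config() {  # write_hardened_config <page-dir> <out-dir>: same config with the findings fixed (2.3-era options)
  mkdir -p "$2"; cp -R "$1/ccd" "$2/"
  { grep -vE '^(comp-lzo|ifconfig-pool-persist)' "$1/server.conf"
    echo 'ifconfig-pool-persist /etc/openvpn/ipp.txt'   # state out of /tmp
    echo 'tls-auth /etc/openvpn/key/ta.key 0'           # assumed key from "openvpn --genkey --secret ta.key"; clients use "tls-auth ta.key 1"
    echo 'auth SHA256'
    echo 'user nobody'; echo 'group nobody'             # drop root; persist-key/persist-tun are already set
    echo 'crl-verify /etc/openvpn/key/crl.pem'          # assumed CRL from "easyrsa gen-crl"
  } > "$2/server.conf"
}

if [ "${1:-}" = "demo" ]; then   # sh this-file.sh demo
  write_page_config ./lab; write_hardened_config ./lab ./lab-hardened
  echo "page config:";     audit_openvpn_server ./lab/server.conf ./lab/ccd
  echo "hardened config:"; audit_openvpn_server ./lab-hardened/server.conf ./lab-hardened/ccd
fi
```

Against the page's section 10 file the audit reports four findings (comp-lzo, the /tmp state file, no tls-auth, no privilege drop) and none for the hardened variant; the route/iroute and /30 checks only fire once a route is added without a ccd claim or a pair such as 10.8.0.11/10.8.0.12 is pushed.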
11. Certificate revocation
$ ./easyrsa revoke $user            # $user is the client's name (gd, bj, ...): marks its certificate revoked in the CA index
$ ./easyrsa gen-crl                 # regenerate pki/crl.pem
$ echo "crl-verify /etc/openvpn/key/crl.pem" >> /etc/openvpn/server.conf
The CRL still has to reach the server: copy pki/crl.pem to /etc/openvpn/key/crl.pem after every gen-crl, and make it readable by the account openvpn runs as after dropping privileges (user nobody), because the server re-reads the file at each new connection. The CRL carries its own expiry (EASYRSA_CRL_DAYS in vars, 180 days by default); once it lapses the server rejects every client, so regenerate it on a schedule rather than only when revoking. Revocation is also the right response to a lost or compromised client machine, since the client keys here are stored without a passphrase.
References:
1:https://openvpn.net/index.php/open-source/documentation/howto.html