Practice is the test of truth: things to watch out for when deploying an OpenVPN environment
2018-06-11 Source:
Summary: OpenVPN is an open-source tool for building encrypted tunnels. It is based on OpenSSL's SSL/TLS protocol and can establish point-to-point SSL VPN connections across the Internet. Its advantages are security, ease of use and stability, together with flexible authentication options, and it has the complete feature set needed for an SSL VPN solution. OpenVPN runs on Linux, Unix, Mac OS, Windows and other operating systems. It provides two kinds of virtual network interface, TUN and TAP, used respectively for IP tunnelling and Ethernet bridging. Using these two virtual devices on Linux/Unix requires support from the corresponding kernel module; RHEL5 and FreeBSD 8 ship with the TUN module already built, so it can be used directly. OpenVPN's official site is http://openvpn.net; the current stable release is OpenVPN-2.0.9.
When I designed the VPN home-office solution for my company, the initial deployment used pptpd, and everyone was fairly satisfied with its stability and encryption. Later, in operation, many colleagues living in residential compounds or dialling out through a telecom router doing NAT found they could not connect to the company's public pptpd server at all; the dial-up attempt failed with error 619. The specific cause was:
In most such cases the gateway through which the client reaches the Internet (a home broadband router, the company's Internet gateway router, or a firewall) has NAT-T switched off or supports VPNs poorly, mainly because it does not support NAT-T for the GRE and PPTP protocols. You can enable NAT-T on the gateway router; if the error persists, the gateway device has to be replaced, and most devices on the market today do support it. Since it is common for company staff to have several computers at home or in a residential compound, and since the point-to-point OpenVPN I had deployed earlier had shown strong NAT-traversal ability, I decided to abandon pptpd and switch to OpenVPN.
Note: to eliminate the influence of the firewall and routers, I placed the OpenVPN server directly in front of the firewall (placing it behind the firewall also means dealing with DMZ mappings and routing, and the failure rate is fairly high). For stability I used 64-bit CentOS 5.5, LAN: 192.168.4.222, WAN: 220.249.x.x.
One thing to know in advance about OpenVPN network planning: if the LAN in your residential compound is 192.168.1.0 and the LAN your OpenVPN server sits on happens to be the same subnet, tragedy strikes and you simply cannot connect to the OpenVPN server. So when planning your network, do not design it around the 192.168.1.0 range; consider less common ranges such as 192.168.4.0 or 192.168.10.0. Sit down with a coffee at Starbucks and you will be surprised to find that most such wireless services put their LAN on 192.168.1.0, so I recommend that a company's network stay away from the 192.168.1.0 range. Remember this.
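As an added example (not part of the original article), the following check runs the address-planning rule above against a deployment plan before any client dials in. It assumes the article's own values (office LAN 192.168.4.0/24, tunnel pool 10.0.0.0/24) and two constructed home LANs; the hotspot list is an assumption built from the range the article names.

```python
# Added example (not from the article): check a planned OpenVPN deployment for
# the address overlaps the article warns about, before any client dials in.
import ipaddress
from typing import List, Tuple

# Ranges that home routers and cafe hotspots hand out most often; the article
# names 192.168.1.0/24, and 192.168.0.0/24 is added here as another common default.
COMMON_HOTSPOT_LANS = ("192.168.1.0/24", "192.168.0.0/24")


def find_overlaps(server_lan: str, vpn_pool: str,
                  client_lans: List[str]) -> List[Tuple[str, str]]:
    """Return pairs of network names whose prefixes overlap.

    A client whose local LAN overlaps the office LAN (or the tunnel pool) ends up
    with two routes for the same prefix, which is the "cannot reach the server"
    failure the article describes.
    """
    nets = {"server_lan": ipaddress.ip_network(server_lan, strict=False),
            "vpn_pool": ipaddress.ip_network(vpn_pool, strict=False)}
    for i, lan in enumerate(client_lans, start=1):
        nets[f"client{i}_lan"] = ipaddress.ip_network(lan, strict=False)
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def lan_is_risky(server_lan: str) -> bool:
    """True if the office LAN sits in a range remote users are likely to share."""
    net = ipaddress.ip_network(server_lan, strict=False)
    return any(net.overlaps(ipaddress.ip_network(c)) for c in COMMON_HOTSPOT_LANS)


if __name__ == "__main__":
    # The article's plan: office LAN 192.168.4.0/24, tunnel 10.0.0.0/24, plus two
    # constructed home users on 192.168.1.0/24 and 192.168.4.0/24.
    print(find_overlaps("192.168.4.0/24", "10.0.0.0/24",
                        ["192.168.1.0/24", "192.168.4.0/24"]))
    print(lan_is_risky("192.168.1.0/24"))
```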
The complete installation steps follow (I have repeated this process hundreds of times; you can follow along, and it applies to both FreeBSD and Linux).
1. Preparation before installation
OpenVPN is built on OpenSSL, so OpenSSL must be installed. On FreeBSD 8 you can install it from ports:
- cd /usr/ports/security/openssl && make install clean
On RHEL5 / CentOS 5 use:
- yum -y install openssl openssl-devel
2. Installing and configuring the server side. I keep the source packages under /usr/local/src.
① First download and install the LZO package, which compresses the tunnel traffic to speed up transfers.
- wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
- tar zxvf lzo-2.03.tar.gz
- cd lzo-2.03
- ./configure --prefix=/usr && make && make install
② Download and install OpenVPN
- wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
- tar zxvf openvpn-2.0.9.tar.gz
- cd openvpn-2.0.9
- ./configure --with-lzo-lib=/usr && make && make install
3. Configuring the OpenVPN server side
1) Set up the CA
The OpenVPN source tree contains an easy-rsa/2.0 directory. Enter it and edit the values at the end of the vars file, i.e.:
- vim /root/openvpn-2.0.9/easy-rsa/2.0/vars
- export KEY_COUNTRY="CN"
- export KEY_PROVINCE="BJ"
- export KEY_CITY="Beijing"
- export KEY_ORG="PKU"
- export KEY_EMAIL="xxxxxx@pku.edu.cn"
Save and exit, then run:
- source vars
- NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.0.9/easy-rsa/2.0/keys
- ./clean-all
- ./build-ca
A series of prompts follows asking for information; most of the defaults are the values from the vars file above. The only field you need to fill in yourself is "Organizational Unit Name"; write anything there, or leave it empty, as I did.
2) Generate the certificate and key for the server
- ./build-key-server server
As in the previous step, the only field to fill in yourself is "Organizational Unit Name", which may also be left empty, so everything keeps its default value. You will also be asked "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]"; answer y and press Enter to both. The rest looks like this:
- Generating a 1024 bit RSA private key
- ......++++++
- ....................++++++
- writing new private key to 'server.key'
- -----
- You are about to be asked to enter information that will be incorporated into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [CN]:
- State or Province Name (full name) [BJ]:
- Locality Name (eg, city) [BJ]:
- Organization Name (eg, company) [buaa]:
- Organizational Unit Name (eg, section) []:gait
- Common Name (eg, your name or your server's hostname) []:server
- Email Address [support@cooldvd.com]:
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:abcd1234
- An optional company name []:dvdmaster
- Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
- Check that the request matches the signature
- Signature ok
- The Subject's Distinguished Name is as follows
- countryName :PRINTABLE:'CN'
- stateOrProvinceName :PRINTABLE:'GD'
- localityName :PRINTABLE:'SZ'
- organizationName :PRINTABLE:'dvdmaster'
- organizationalUnitName:PRINTABLE:'dvdmaster'
- commonName :PRINTABLE:'server'
- emailAddress :IA5STRING:'support@cooldvd.com'
- Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
- Write out database with 1 new entries
- Data Base Updated
3) With this kind of OpenVPN configuration, every VPN client that logs in needs its own certificate, and each certificate can serve only one client at a time (if two machines install the same certificate and dial the server simultaneously, both connect, but only the first one to connect can actually reach the network). So a number of certificates are needed. Below we create two, named client1 and client2.
- ./build-key client1
- Generating a 1024 bit RSA private key
- .....++++++
- ......++++++
- writing new private key to 'client1.key'
- -----
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [CN]:
- State or Province Name (full name) [BJ]:
- Locality Name (eg, city) [BJ]:
- Organization Name (eg, company) [buaa]:
- Organizational Unit Name (eg, section) []:gait
- Common Name (eg, your name or your server's hostname) []:client1 (Important: the certificate generated for each client must have a different name.)
- Email Address [support@cooldvd.com]:
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:abcd1234
- An optional company name []:gait
- Using configuration from /openvpn-2.0.5/easy-rsa/openssl.cnf
- Check that the request matches the signature
- Signature ok
- The Subject's Distinguished Name is as follows
- countryName :PRINTABLE:'CN'
- stateOrProvinceName :PRINTABLE:'GD'
- localityName :PRINTABLE:'SZ'
- organizationName :PRINTABLE:'dvdmaster'
- organizationalUnitName:PRINTABLE:'dvdmaster'
- commonName :PRINTABLE:'client1'
- emailAddress :IA5STRING:'support@cooldvd.com'
- Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
- Write out database with 1 new entries
- Data Base Updated
Generate the other client certificates/keys the same way:
- ./build-key client2
4) Run ./build-dh. Do not overlook this step!
The generated certificate files are all under /usr/local/src/openvpn-2.0.9/easy-rsa/2.0/keys.
5) Configure the server VPN file
a) cp -p /usr/local/src/openvpn-2.0.9/sample-config-files/server.conf /usr/local/etc/server.conf
b) vi /usr/local/etc/server.conf
i. Change proto udp to proto tcp
ii. Change the four lines starting at ca to
- ca /usr/local/src/openvpn-2.0.9/easy-rsa/2.0/keys/ca.crt
- cert /usr/local/src/openvpn-2.0.9/easy-rsa/2.0/keys/server.crt
- key /usr/local/src/openvpn-2.0.9/easy-rsa/2.0/keys/server.key
- dh /usr/local/src/openvpn-2.0.9/easy-rsa/2.0/keys/dh1024.pem
iii. Change the server line to
server 10.0.0.0 255.255.255.0 (I used 10.0.0.0 at first; the later production deployment used 10.10.0.0.)
iv. Change verb to verb 5 to see more debugging information
6) Start the service:
a) Remove any rules on the server and the firewall that block SSH (22) and OpenVPN (1194).
b) echo "1" > /proc/sys/net/ipv4/ip_forward
c)
- /usr/local/sbin/openvpn --config /usr/local/etc/server.conf
- Fri Jan 23 23:55:34 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [EPOLL] built on Jan 23 2009
- Fri Jan 23 23:55:34 2009 Diffie-Hellman initialized with 1024 bit key
- Fri Jan 23 23:55:34 2009 TLS-Auth MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
- Fri Jan 23 23:55:35 2009 TUN/TAP device tun0 opened
- Fri Jan 23 23:55:35 2009 /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
- Fri Jan 23 23:55:35 2009 /sbin/route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.2
- Fri Jan 23 23:55:35 2009 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
- Fri Jan 23 23:55:35 2009 Listening for incoming TCP connection on [undef]:1194
- Fri Jan 23 23:55:35 2009 TCPv4_SERVER link local (bound): [undef]:1194
- Fri Jan 23 23:55:35 2009 TCPv4_SERVER link remote: [undef]
- Fri Jan 23 23:55:35 2009 MULTI: multi_init called, r=256 v=256
- Fri Jan 23 23:55:35 2009 IFCONFIG POOL: base=10.0.0.4 size=62
- Fri Jan 23 23:55:35 2009 IFCONFIG POOL LIST
- Fri Jan 23 23:55:35 2009 MULTI: TCP INIT maxclients=1024 maxevents=1028
- Fri Jan 23 23:55:35 2009 Initialization Sequence Completed
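The build-key scripts above record every issued certificate in keys/index.txt, in the OpenSSL ca database format. As an added example (not part of the original article), this audit script parses that file so an administrator can see which client certificates exist, which are revoked or expired, and whether two live certificates share a Common Name, which the article's one-certificate-per-client rule forbids. The index content below is constructed with the article's DN values; easy-rsa's path and file names are the only thing taken from the page.

```python
# Added example (not from the article): audit the keys/index.txt database that
# easy-rsa's build-key scripts maintain: list issued certificates, flag expired
# or revoked ones, and catch two live certificates sharing a CN.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample in the openssl ca index format (tab-separated: status, expiry,
# revocation date, serial, filename, subject DN); serial 04 re-issues "client1".
SAMPLE_INDEX = (
    "V\t160319081531Z\t\t01\tunknown\t/C=CN/ST=BJ/L=Beijing/O=PKU/OU=gait/CN=server\n"
    "V\t160319082200Z\t\t02\tunknown\t/C=CN/ST=BJ/L=Beijing/O=PKU/OU=gait/CN=client1\n"
    "R\t160319082500Z\t100601120000Z\t03\tunknown\t/C=CN/ST=BJ/L=Beijing/O=PKU/OU=gait/CN=client2\n"
    "V\t160401090000Z\t\t04\tunknown\t/C=CN/ST=BJ/L=Beijing/O=PKU/OU=sales/CN=client1\n"
)


@dataclass
class IndexEntry:
    status: str               # V = valid, R = revoked, E = expired
    expires: datetime
    serial: str
    subject: Dict[str, str]   # DN components, e.g. {"CN": "client1", ...}


def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt lines; a '/' inside a DN value is not handled here."""
    entries = []
    for line in filter(None, text.splitlines()):
        status, expiry, _revoked_at, serial, _filename, dn = line.split("\t")
        expires = datetime.strptime(expiry, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        subject = dict(part.split("=", 1) for part in dn.strip("/").split("/"))
        entries.append(IndexEntry(status, expires, serial, subject))
    return entries


def audit(entries: List[IndexEntry], now: datetime) -> List[str]:
    """Report expired certificates and duplicate CNs among the valid (V) entries;
    revoked entries are skipped because they can no longer authenticate a client."""
    problems, live_cn = [], {}
    for e in entries:
        if e.status != "V":
            continue
        cn = e.subject.get("CN", "")
        if e.expires <= now:
            problems.append(f"serial {e.serial} (CN {cn}) expired on {e.expires:%Y-%m-%d}")
        if cn in live_cn:
            problems.append(f"CN {cn!r} issued twice: serials {live_cn[cn]} and {e.serial}")
        live_cn.setdefault(cn, e.serial)
    return problems


def audit_sample(now_iso: str) -> List[str]:
    """Audit SAMPLE_INDEX at the given ISO-8601 instant (convenience wrapper)."""
    return audit(parse_index(SAMPLE_INDEX), datetime.fromisoformat(now_iso))
```

Point parse_index at the real keys/index.txt and pass datetime.now(timezone.utc) to audit to run it against an actual easy-rsa directory.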
Original article: http://network.51cto.com/art/201012/236266.htm