OpenVPN Installation and Configuration Manual
Interconnecting Networks with OpenVPN

Contents

1. Test network architecture
   1.1 Server information
   1.2 Operating-system support for tun
   1.3 Required software and its purpose
2. Installing LZO
3. Installing OpenVPN
4. Generating the OpenVPN server files
   4.1 Editing the vars file
   4.2 Creating the CA files
5. Creating the files the OpenVPN server needs
6. Creating the client files
7. Setting up the OpenVPN server configuration file
8. The OpenVPN server configuration file server001.conf
9. The client host configuration file client001.ovpn
10. Starting the OpenVPN service on the server host
11. Connecting the OpenVPN client host to the OpenVPN server
12. Hosts on the client LAN reaching hosts on the server LAN
   12.1 Adding the ccd directory under the server's configuration directory
   12.2 Enabling IP forwarding and NAT on the server host
   12.3 Enabling routing and remote access on the client host
   12.4 Adding static routes on the client-LAN hosts
   12.5 Client access to multiple server LAN segments
13. Test results
14. Summary
15. References

1. Test network architecture

1.1 Server information

| Server name     | OS version   | LAN IP address | LAN gateway  | WAN IP address |
|-----------------|--------------|----------------|--------------|----------------|
| OpenVPN Server  | Red Hat AS4  | 10.0.17.60     | 10.0.17.1    | NAT            |
| OpenVPN Client  | Windows 2003 | 192.168.0.82   | 192.168.0.1  | -              |

1.2 Operating-system support for tun

The Red Hat AS4 kernel installed for this test already supports tun, and the tun module is installed. On systems that lack the module, the kernel has to be recompiled with tun support. Note that loading the tun module only gives the kernel tunnel support; it does not by itself create a tunnel interface. To load the tun module on a system that does not have it (Linux 2.4 or higher with the integrated TUN/TAP driver):

    1. Make the device node:
         mknod /dev/net/tun c 10 200
    2a. Add to /etc/modules.conf:
         alias char-major-10-200 tun
    2b. Load the driver:
         modprobe tun
    3. Enable routing:
         echo 1 > /proc/sys/net/ipv4/ip_forward

1.3 Required software and its purpose

OpenVPN depends on the OpenSSL library (for encryption) and the LZO library (for data compression). The Red Hat AS4 system used here had OpenSSL installed by default; if yours does not, it can be downloaded from www.openssl.org. LZO is mandatory: without it OpenVPN cannot be installed. LZO comes in several versions; lzo-2.02 was chosen for this test. Those are the supporting libraries. For OpenVPN itself, the comparatively stable openvpn-2.0.9 was chosen. On Windows, several versions including 2.0.3 and 2.0.9 were tried earlier, but 2.0.9 fails with a program error when generating the CA files on Windows, so 2.0.3 is recommended for a Windows installation.

    yum install openssl openssl-devel

2. Installing LZO

If you have even a little Linux knowledge, this step can be skipped. First extract the downloaded lzo-2.02.tar.gz:

    tar zxvf lzo-2.02.tar.gz

If you do not know where to type this command, review basic Linux usage: right-click the desktop, choose "Open Terminal", and type into the window that appears (see figure). After extraction there is a folder named lzo-2.02 in the current directory; change into it with cd, and confirm the location with pwd (see figure). Next run ./configure to check the files; note the leading dot, and note that it must be run from inside this directory. (Note: configure is normally a script; when run it can be given the parameters that tell it the configuration options, and it finally produces a Makefile that make reads in order to call the relevant compiler.) Then run make to compile (see figure). Finally install lzo with make install:

    ./configure
    make
    make install

LZO is now installed.

3. Installing OpenVPN

OpenVPN is installed with the same commands as lzo: ./configure, then make, then make install; they are not repeated here. At work one computer sometimes acts as two or more clients, so two or more OpenVPN installations are needed on the same machine. To keep them from conflicting at run time, pass the --prefix parameter to configure to set the installation location recorded in the Makefile. In detail: --prefix is the most commonly used option; the generated Makefile looks at the argument passed with it, so that a package can relocate its architecture-independent parts as a whole when it is installed. For example, when installing a package such as Emacs, the following command installs the Emacs Lisp files under /opt/gnu:

    ./configure --prefix=/opt/gnu

For OpenVPN:

    ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib

4. Generating the OpenVPN server files

First change into the OpenVPN installation directory. For example, I installed OpenVPN under /home/coldface/openvpn-2.0.9, so in a terminal I enter:

    cd /home/coldface/openvpn-2.0.9

(The coldface folder is one I created myself with mkdir /home/coldface; choose a suitable directory during installation.) Then enter cd easy-rsa to change into the easy-rsa directory for configuration. All of the following operations are done in this directory.

4.1 Editing the vars file

The vars file is the initialization script that creates the environment variables. Edit it with vi vars. If you are not familiar with vi, find the file in this directory and double-click it to edit it in a text editor. Press i to start modifying; mainly change the information describing where OpenVPN is located, such as KEY_COUNTRY, KEY_PROVINCE, KEY_CITY and KEY_ORG. When done, press ESC, then type :wq to save and quit. Linux commands are case-sensitive, so watch the letters (see figure).

After editing, run the script with

    . ./vars

(note the space between the two dots), then continue with

    ./clean-all

This command creates a keys folder under easy-rsa to hold the .key and .crt files generated in the following steps.

4.2 Creating the CA files

Enter ./build-ca to generate the CA files. The CA certificate is used to verify that client certificates are legitimate, so both the client and the server need it. The detailed output is:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code): CN
    State or Province Name (full name): JS
    Locality Name (eg, city): Suzhou
    Organization Name (eg, company): OpenVPN
    Organizational Unit Name (eg, section): OpenVPNtest
    Common Name (eg, your name or your server's hostname): RootCA

(The name entered here, RootCA, is arbitrary.)

4.3 Creating the file needed by the encryption algorithm, dh1024.pem

Enter:

    ./build-dh

5. Creating the files the OpenVPN server needs

Enter:

    ./build-key-server server001

Note the server001 appended here: the name is arbitrary, but it must match the Common Name entered in the prompts below. The detailed output is:

    writing new private key to 'keys/server01.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code): CN
    State or Province Name (full name): JS
    Locality Name (eg, city): Suzhou
    Organization Name (eg, company): OpenVPN
    Organizational Unit Name (eg, section): penvpntest
    Common Name (eg, your name or your server's hostname): Server001

(The name here must match the name entered after build-key-server.)

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password:
    An optional company name:
    Check that the request matches the signature
    Signature ok
    Certificate is to be certified until Feb 9 10:01:34 2016 GMT (3650 days)
    Sign the certificate? [y/n]: y

(choose y)

    1 out of 1 certificate requests certified, commit? [y/n] y

(choose y)

    Write out database with 1 new entries
    Data Base Updated

6. Creating the client files

Enter:

    ./build-key client001

Note the client001 appended here: the name is arbitrary, but it must match the Common Name entered in the prompts below. The detailed output is:

    Generating a 1024 bit RSA private key
    writing new private key to 'keys/elm.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code): CN
    State or Province Name (full name): JS
    Locality Name (eg, city): Suzhou
    Organization Name (eg, company): OpenVPN
    Organizational Unit Name (eg, section): openvpntest
    Common Name (eg, your name or your server's hostname): client001

(The name here must match the name entered after build-key.)

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password:
    An optional company name:
    Check that the request matches the signature
    Signature ok
    Certificate is to be certified until Feb 9 10:05:53 2016 GMT (3650 days)
    Sign the certificate? [y/n]: y

(choose y)

    1 out of 1 certificate requests certified, commit? [y/n] y

(choose y)

    Write out database with 1 new entries
    Data Base Updated

Note on the Common Name: when several clients connect, their Common Names must not repeat. Also take care not to get the name wrong, because it is needed later when configuring access from the server LAN to the client LAN.

At this point all the files are stored in the keys directory, /home/coldface/openvpn-2.0.9/easy-rsa/keys. For the test I created a new directory named openvpn under /etc to hold the configuration files:

    mkdir /etc/openvpn

After the steps above, copy ca.key, ca.crt, dh1024.pem, server001.crt and server001.key into the openvpn directory:

    cp ca.key ca.crt dh1024.pem server001.crt server001.key /etc/openvpn

7. Setting up the OpenVPN server configuration file

First go back to /home/coldface/openvpn-2.0.9 with cd .. (cd, a space, then two dots), then enter cd sample-config-files to change into the sample-config-files folder. Rename the server.conf in this directory to server001.conf, then copy server001.conf to /etc/openvpn:

    cp server001.conf /etc/openvpn

How to configure server001.conf is described below.

On the OpenVPN client host, installing the software is just a matter of clicking Next until it finishes. After installation, copy ca.crt, client001.key and client001.crt from the OpenVPN server host into the config directory under the OpenVPN installation directory. For example, with the default installation location C:\Program Files\OpenVPN, the files ca.crt, client001.key, client001.crt and client001.ovpn all go into the config directory under C:\Program Files\OpenVPN.

8. The OpenVPN server configuration file server001.conf

First, a recap of where the files live: the program is installed in /home/coldface/openvpn-2.0.9 and the configuration files are stored in /etc/openvpn.

So that the LAN hosts on the two ends can reach each other, create a directory named ccd on the OpenVPN server and, inside it, a file named client001. This name must match the name entered when the client key was generated: when client001 connects to server001, the program checks the ccd directory for a file whose name matches client001; if one exists, the process reads the directives in that file and applies them to the client with that name. Note that the ccd directory goes under /etc/openvpn:

    mkdir /etc/openvpn/ccd
    touch /etc/openvpn/ccd/client001

The contents of the client001 file are given later. Now configure server001.conf by editing it with vi /etc/openvpn/server001.conf. The contents are as follows (the directives in effect are uncommented; the author's annotations are marked "Note:"):

    # Which local IP address should OpenVPN
    # listen on? (optional)
    ;local a.b.c.d

    # Which TCP/UDP port should OpenVPN listen on?
    # If you want to run multiple OpenVPN instances
    # on the same machine, use a different port
    # number for each one.  You will need to
    # open up this port on your firewall.
    port 1194

    # TCP or UDP server?
    ;proto tcp
    proto udp

    # "dev tun" will create a routed IP tunnel,
    # "dev tap" will create an ethernet tunnel.
    # Use "dev tap0" if you are ethernet bridging
    # and have precreated a tap0 virtual interface
    # and bridged it with your ethernet interface.
    # If you want to control access policies
    # over the VPN, you must create firewall
    # rules for the the TUN/TAP interface.
    # On non-Windows systems, you can give
    # an explicit unit number, such as tun0.
    # On Windows, use "dev-node" for this.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    # Note: with tap the VPN can carry broadcast frames;
    # with tun there are no non-IP packets inside the VPN.

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel if you
    # have more than one.  On XP SP2 or higher,
    # you may need to selectively disable the
    # Windows firewall for the TAP adapter.
    # Non-Windows systems usually don't need this.
    ;dev-node MyTap

    # SSL/TLS root certificate (ca), certificate
    # (cert), and private key (key).  Each client
    # and the server must have their own cert and
    # key file.  The server and all clients will
    # use the same ca file.
    #
    # See the "easy-rsa" directory for a series
    # of scripts for generating RSA certificates
    # and private keys.  Remember to use
    # a unique Common Name for the server
    # and each of the client certificates.
    #
    # Any X509 key management system can be used.
    # OpenVPN can also use a PKCS #12 formatted key file
    # (see "pkcs12" directive in man page).
    ca /etc/openvpn/ca.crt
    # Note: this file name must match the name entered with build-key-server.
    cert /etc/openvpn/server001.crt
    # Note: write the absolute path of where the file is stored.
    key /etc/openvpn/server001.key

    # Diffie hellman parameters.
    # Generate your own with:
    #   openssl dhparam -out dh1024.pem 1024
    # Substitute 2048 for 1024 if you are using
    # 2048 bit keys.
    dh /etc/openvpn/dh1024.pem

    # Configure server mode and supply a VPN subnet
    # for OpenVPN to draw client addresses from.
    # The server will take 10.8.0.1 for itself,
    # the rest will be made available to clients.
    # Each client will be able to reach the server
    # on 10.8.0.1. Comment this line out if you are
    # ethernet bridging. See the man page for more info.
    # Note: this is the range of the VPN address pool.
    server 172.16.0.0 255.255.255.0

    # Maintain a record of client <-> virtual IP address
    # associations in this file.  If OpenVPN goes down or
    # is restarted, reconnecting clients can be assigned
    # the same virtual IP address from the pool that was
    # previously assigned.
    ifconfig-pool-persist ipp.txt

    # Configure server mode for ethernet bridging.
    # You must first use your OS's bridging capability
    # to bridge the TAP interface with the ethernet
    # NIC interface.  Then you must manually set the
    # IP/netmask on the bridge interface, here we
    # assume 10.8.0.4/255.255.255.0.  Finally we
    # must set aside an IP range in this subnet
    # (start=10.8.0.50 end=10.8.0.100) to allocate
    # to connecting clients.  Leave this line commented
    # out unless you are ethernet bridging.
    ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

    # Push routes to the client to allow it
    # to reach other private subnets behind
    # the server.  Remember that these
    # private subnets will also need
    # to know to route the OpenVPN client
    # address pool (10.8.0.0/255.255.255.0)
    # back to the OpenVPN server.
    ;push "route 192.168.20.0 255.255.255.0"

    # To assign specific IP addresses to specific
    # clients or if a connecting client has a private
    # subnet behind it that should also have VPN access,
    # use the subdirectory "ccd" for client-specific
    # configuration files (see man page for more info).

    # EXAMPLE: Suppose the client
    # having the certificate common name "Thelonious"
    # also has a small subnet behind his connecting
    # machine, such as 192.168.40.128/255.255.255.248.
    # First, uncomment out these lines:
    client-config-dir ccd
    # Note: lets the VPN clients reach the computers on the
    # VPN server's internal network segment.
    push "route 10.0.6.0 255.255.255.0"
    # Note: this directive lets the OpenVPN server reach the
    # hosts on the client's LAN.
    route 192.168.0.0 255.255.255.0
    # Then create a file ccd/Thelonious with this line:
    #   iroute 192.168.40.128 255.255.255.248
    # This will allow Thelonious' private subnet to
    # access the VPN.  This example will only work
    # if you are routing, not bridging, i.e. you are
    # using "dev tun" and "server" directives.

    # EXAMPLE: Suppose you want to give
    # Thelonious a fixed VPN IP address of 10.9.0.1.
    # First uncomment out these lines:
    ;client-config-dir ccd
    ;route 10.9.0.0 255.255.255.252
    # Then add this line to ccd/Thelonious:
    #   ifconfig-push 10.9.0.1 10.9.0.2

    # Suppose that you want to enable different
    # firewall access policies for different groups
    # of clients.  There are two methods:
    # (1) Run multiple OpenVPN daemons, one for each
    #     group, and firewall the TUN/TAP interface
    #     for each group/daemon appropriately.
    # (2) (Advanced) Create a script to dynamically
    #     modify the firewall in response to access
    #     from different clients.  See man
    #     page for more info on learn-address script.
    ;learn-address ./script

    # If enabled, this directive will configure
    # all clients to redirect their default
    # network gateway through the VPN, causing
    # all IP traffic such as web browsing and
    # and DNS lookups to go through the VPN
    # (The OpenVPN server machine may need to NAT
    # the TUN/TAP interface to the internet in
    # order for this to work properly).
    # CAVEAT: May break client's network config if
    # client's local DHCP server packets get routed
    # through the tunnel.  Solution: make sure
    # client's local DHCP server is reachable via
    # a more specific route than the default route
    # of 0.0.0.0/0.0.0.0.
    ;push "redirect-gateway"

    # Certain Windows-specific network settings
    # can be pushed to clients, such as DNS
    # or WINS server addresses.  CAVEAT:
    ;push "dhcp-option DNS 10.8.0.1"
    ;push "dhcp-option WINS 10.8.0.1"

    # Uncomment this directive to allow different
    # clients to be able to "see" each other.
    # By default, clients will only see the server.
    # To force clients to only see the server, you
    # will also need to appropriately firewall the
    # server's TUN/TAP interface.
    # Note: lets the VPN clients reach one another.
    ;client-to-client

    # Uncomment this directive if multiple clients
    # might connect with the same certificate/key
    # files or common names.  This is recommended
    # only for testing purposes.  For production use,
    # each client should have its own certificate/key
    # pair.
    #
    # IF YOU HAVE NOT GENERATED INDIVIDUAL
    # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
    # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
    # UNCOMMENT THIS LINE OUT.
    ;duplicate-cn

    # The keepalive directive causes ping-like
    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.
    keepalive 10 120

    # For extra security beyond that provided
    # by SSL/TLS, create an "HMAC firewall"
    # to help block DoS attacks and UDP port flooding.
    #
    # Generate with:
    #   openvpn --genkey --secret ta.key
    #
    # The server and each client must have
    # a copy of this key.
    # The second parameter should be '0'
    # on the server and '1' on the clients.
    ;tls-auth ta.key 0 # This file is secret

    # Select a cryptographic cipher.
    # This config item must be copied to
    # the client config file as well.
    ;cipher BF-CBC        # Blowfish (default)
    ;cipher AES-128-CBC   # AES
    ;cipher DES-EDE3-CBC  # Triple-DES

    # Enable compression on the VPN link.
    # If you enable it here, you must also
    # enable it in the client config file.
    comp-lzo

    # The maximum number of concurrently connected
    # clients we want to allow.
    ;max-clients 100

    # It's a good idea to reduce the OpenVPN
    # daemon's privileges after initialization.
    #
    # You can uncomment this out on
    # non-Windows systems.
    ;user nobody
    ;group nobody

    # The persist options will try to avoid
    # accessing certain resources on restart
    # that may no longer be accessible because
    # of the privilege downgrade.
    persist-key
    persist-tun

    # Output a short status file showing
    # current connections, truncated
    # and rewritten every minute.
    status openvpn-status.log

    # By default, log messages will go to the syslog (or
    # on Windows, if running as a service, they will go to
    # the "\Program Files\OpenVPN\log" directory).
    # Use log or log-append to override this default.
    # "log" will truncate the log file on OpenVPN startup,
    # while "log-append" will append to it.  Use one
    # or the other (but not both).
    ;log         openvpn.log
    ;log-append  openvpn.log

    # Set the appropriate level of log
    # file verbosity.
    #
    # 0 is silent, except for fatal errors
    # 4 is reasonable for general usage
    # 5 and 6 can help to debug connection problems
    # 9 is extremely verbose
    verb 3

    # Silence repeating messages.  At most 20
    # sequential messages of the same message
    # category will be output to the log.
    ;mute 20

9. The client host configuration file client001.ovpn

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one.  On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap

    # Are we connecting to a TCP or
    # UDP server?  Use the same setting as
    # on the server.
    ;proto tcp
    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote 218.104.X.X
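As an added check that is not part of the manual: a small POSIX shell audit of the server001.conf layout from section 8 and the ccd/<CN> rule it depends on, run here against a constructed copy in a temporary directory (all paths and file contents below are sample data, not the real /etc/openvpn). It flags the settings the sample file leaves in their test-only state (duplicate-cn, no tls-auth, no privilege drop), a route with no matching iroute in any ccd/<CN> file, and a ca.key sitting next to the server files, which the copy step in section 6 puts there although the configuration only ever reads ca.crt.

```shell
#!/bin/sh
# Constructed sample: a server config plus ccd/ directory in a temp dir.
# These are hypothetical test files, not the manual's /etc/openvpn tree.
WORK=$(mktemp -d)
mkdir -p "$WORK/ccd"
cat > "$WORK/server001.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server001.crt
key /etc/openvpn/server001.key
dh /etc/openvpn/dh1024.pem
server 172.16.0.0 255.255.255.0
client-config-dir ccd
push "route 10.0.6.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
route 192.168.40.128 255.255.255.248
duplicate-cn
EOF
printf 'iroute 192.168.0.0 255.255.255.0\n' > "$WORK/ccd/client001"
: > "$WORK/ca.key"   # constructed: section 6 copies ca.key beside the server files

# audit_server_conf CONF_DIR CONF_FILE: prints one finding per line.
audit_server_conf() {
    dir=$1; conf=$2
    # duplicate-cn lets several clients share one certificate, so a session
    # can no longer be tied to one client (the sample calls it testing-only).
    grep -qE '^[[:space:]]*duplicate-cn' "$conf" &&
        echo "duplicate-cn is enabled"
    # Without tls-auth the TLS handshake answers any packet source.
    grep -qE '^[[:space:]]*tls-auth ' "$conf" ||
        echo "tls-auth is not configured"
    # 'user nobody' / 'group nobody' stay commented out in the sample, so the
    # daemon keeps the privileges it started with.
    grep -qE '^[[:space:]]*user ' "$conf" ||
        echo "no user directive: daemon keeps its start-up privileges"
    # The server verifies clients with ca.crt only; the CA private key
    # belongs on the signing host, not in the config directory.
    [ -e "$dir/ca.key" ] && echo "ca.key present in config directory"
    # Every 'route' for a client LAN needs an iroute in some ccd/<CN> file,
    # or the kernel routes into the tunnel but OpenVPN has no client for it.
    for nm in $(awk '$1=="route"{print $2 "/" $3}' "$conf"); do
        grep -qsF "iroute ${nm%/*} ${nm#*/}" "$dir"/ccd/* ||
            echo "route ${nm%/*} ${nm#*/} has no matching iroute in ccd/"
    done
    return 0
}

audit_server_conf "$WORK" "$WORK/server001.conf"
```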
