Part 1: OpenVPN Deployment

Author: 037251a7c483 | Source: published 2017-09-13 14:33, 949 reads

OpenVPN server

Hostname: cluster133
Internal NIC em2: 10.0.0.133
External NIC em1: 113.106.90.133
Data center: Huanqiu

Goals:

  1. After connecting to the VPN, reach the Internet (and other servers) through this server
  2. After connecting to the VPN, reach the internal networks

Notes:
1. This server's internal network is routed to the company LAN (172.16.<1,2,3,4,5,6,7>.0/24)
2. This server's internal network is routed to the Longgang data-center LAN (192.168.77.0/24)
3. To keep those internal networks reachable, iptables must SNAT the VPN traffic (rewrite the source address to this server's internal IP)

Remark: keep the generated keys for later reuse. The .key files and ta.key are secrets; store them with restrictive permissions (mode 600, owned by root).

1. Install OpenVPN

rpm -qa | grep pam-devel || yum install pam-devel -y        # needed by the auth-pam plugin
rpm -qa | grep openssl-devel || yum install openssl-devel -y
cd /usr/local/src
tar -xzf lzo-2.02.tar.gz        # unpack the LZO sources as well
tar -xzf openvpn-2.2.2.tar.gz
cd lzo-2.02
./configure --prefix=/usr/local/lzo || exit 1
make && make install
ln -s /usr/local/lzo/lib/liblzo2.la /usr/local/lzo/lib/liblzo.la
ln -s /usr/local/lzo/lib/liblzo2.a /usr/local/lzo/lib/liblzo.a
cd ..
cd openvpn-2.2.2
# on x86_64 CentOS the OpenSSL libraries live in /usr/lib64; point --with-ssl-lib there if configure cannot find libssl
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include/lzo --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib || exit 1
make && make install || exit 1
cd plugin/auth-pam
make || exit 1       # depends on pam-devel
cp openvpn-auth-pam.so /usr/local/openvpn/share/

cd /usr/local/openvpn
mkdir etc
cp -r /usr/local/src/openvpn-2.2.2/easy-rsa /usr/local/openvpn/etc/
cd /usr/local/openvpn/etc/easy-rsa/2.0

2. Build the PKI files

2.1 Edit the vars file to set the certificate variables

# cat vars   # customise the following values

export EASY_RSA="`pwd`"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/usr/local/openvpn/etc/keys"            # generate the keys under /usr/local/openvpn/etc/keys
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024                # RSA key size in bits. This deployment used 1024; use 2048 as the minimum for anything new (1024-bit RSA is no longer considered adequate). The dh<num>.pem file name follows this value.
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GuangDong" # province
export KEY_CITY="ShenZhen"          # city
export KEY_ORG="Donson"         # company
export KEY_EMAIL="15243650315@163.com"  # e-mail
export KEY_CN=yantao                    # Common Name (eg, your name or your server's hostname)
export KEY_NAME="monitor"           # name of the OpenVPN server
export KEY_OU="Lomark"              # organisational unit
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

These values become the defaults offered when ./build-ca creates the certificate, roughly:

#Country Name (2 letter code) [CN]:
#State or Province Name (full name) [GuangDong]:
#Locality Name (eg, city) [ShenZhen]:
#Organization Name (eg, company) [Donson]:
#Organizational Unit Name (eg, section) [Lomark]:
#Common Name (eg, your name or your server's hostname) [changeme]:yantao
#Name [monitor]:
#Email Address [15243650315@163.com]:

2.2 Create the certificates

# cp openssl-1.0.0.cnf openssl.cnf       # 'source vars' complains that this file is missing, so copy it
# source vars
# ./clean-all                               # wipes every certificate under the keys directory
# ./build-ca                                # creates the root CA; produces ca.crt and ca.key
# ./build-key-server 123.56.178.128      # creates the server certificate; produces 01.pem, 123.56.178.128.crt, 123.56.178.128.csr and 123.56.178.128.key. The argument becomes the file base name, so use the name server.conf will reference (113.106.90.133 in the config below).
# ./build-key client                        # creates the client certificate; produces 02.pem, client.csr, client.crt and client.key
# ./build-dh                                # creates the Diffie-Hellman parameters; produces dh<num>.pem, where num is KEY_SIZE (dh1024.pem here)
# /usr/local/openvpn/sbin/openvpn --genkey --secret /usr/local/openvpn/etc/keys/ta.key      # generates ta.key, the tls-auth HMAC key; packets not signed with it are dropped before the TLS handshake, which blunts UDP floods, port scans and handshake DoS against the listener
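Before wiring the generated files into server.conf it is worth checking them the way a client will. The script below is an added example, not part of the post and not part of easy-rsa: check_server_cert verifies the server certificate against the CA, confirms it carries the serverAuth extended key usage that a client's remote-cert-tls server check relies on, confirms the private key matches the certificate, and rejects RSA keys below a minimum size (2048 by default, so a KEY_SIZE=1024 certificate fails). make_throwaway_pki builds a disposable CA and server certificate with plain openssl, only so the check can run offline; its paths and names are assumptions, not the keys directory from this page.

```shell
#!/bin/sh
# Added example (not from the post, not easy-rsa): sanity-check the server
# certificate the way an OpenVPN client will, before wiring it into server.conf.
# Usage: check_server_cert <ca.crt> <server.crt> <server.key> [min_rsa_bits]
# Prints one OK/FAIL line per check; the return value is the number of failures.

check_server_cert() {
    local ca="$1" crt="$2" key="$3" min_bits="${4:-2048}"
    local fails=0 crt_mod key_mod bits

    # 1. Chain: the server cert must verify against the ca.crt that clients get.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "OK   $crt verifies against $ca"
    else
        echo "FAIL $crt does not verify against $ca"; fails=$((fails + 1))
    fi

    # 2. Extended key usage: build-key-server adds serverAuth (and nsCertType=server).
    #    A client using 'remote-cert-tls server' rejects a server cert without it.
    if openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "OK   extendedKeyUsage includes serverAuth"
    else
        echo "FAIL extendedKeyUsage lacks serverAuth (built with build-key instead of build-key-server?)"
        fails=$((fails + 1))
    fi

    # 3. Key/cert pairing: both files must carry the same RSA modulus.
    crt_mod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null | openssl sha256)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl sha256)
    if [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; fails=$((fails + 1))
    fi

    # 4. Key size: KEY_SIZE=1024 in vars yields 1024-bit RSA, which fails this check.
    bits=$(openssl x509 -in "$crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ]; then
        echo "OK   RSA key size $bits bits"
    else
        echo "FAIL RSA key size ${bits:-unknown} bits, below $min_bits"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Throwaway CA + server cert via plain openssl, only so the check can run
# offline; the real files live in /usr/local/openvpn/etc/keys after easy-rsa.
make_throwaway_pki() {
    local d
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=throwaway-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=throwaway-server" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    # The extensions easy-rsa's [server] section applies in build-key-server.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=server' \
        'extendedKeyUsage=serverAuth' 'keyUsage=digitalSignature,keyEncipherment' > "$d/server.ext"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 30 -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
    echo "$d"
}

# Demo: on the real server pass the files from /usr/local/openvpn/etc/keys instead.
demo=$(make_throwaway_pki)
check_server_cert "$demo/ca.crt" "$demo/server.crt" "$demo/server.key"
rm -rf "$demo"
```

Run it as check_server_cert /usr/local/openvpn/etc/keys/ca.crt /usr/local/openvpn/etc/keys/113.106.90.133.crt /usr/local/openvpn/etc/keys/113.106.90.133.key after build-key-server; a non-zero exit means at least one line says FAIL.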

3. Configure the server

# cp /usr/local/src/openvpn-2.2.2/sample-config-files/server.conf /usr/local/openvpn/

# cat /usr/local/openvpn/server.conf

#----------------------------------#
port 3194
proto udp
dev tun
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/113.106.90.133.crt
key /usr/local/openvpn/etc/keys/113.106.90.133.key  # This file should be kept secret
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 172.16.81.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Alternative to redirect-gateway: push only the internal networks (route takes "network netmask")
#push "route 10.0.0.0 255.255.255.0"
#push "route 192.168.77.0 255.255.255.0"
#push "route 172.16.7.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"   # push takes a single argument, so an option containing spaces must be quoted
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn        # lets several clients connect with the same certificate; it also disables ifconfig-pool-persist (see the warning in the startup log) and per-client ccd addresses
keepalive 10 120
tls-auth /usr/local/openvpn/etc/keys/ta.key 0 # This file is secret
comp-lzo
user root           # the sample config uses 'user nobody' / 'group nobody'; with persist-key and persist-tun the daemon keeps working after dropping root
group root
persist-key
persist-tun
status /usr/local/openvpn/openvpn-status.log
log-append  /usr/local/openvpn/openvpn.log
verb 3

Explanation:
push "redirect-gateway def1 bypass-dhcp" # sends all client traffic through the VPN; def1 adds two /1 routes instead of replacing the client's default route, and bypass-dhcp keeps the client's DHCP server reachable directly
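The settings a reviewer checks in a server.conf like this one are the daemon's privileges (user/group root instead of nobody), duplicate-cn, push arguments that are not quoted, the presence of tls-auth, 1024-bit DH parameters and the default SHA1 HMAC shown in the startup log. The shell below is an added example, not from the post: lint_server_conf flags those patterns in any server.conf, and the two heredocs hold the config as it appeared in the post (trimmed to the relevant lines) and a tightened variant of it for comparison. The auth and cipher lines in the tightened variant are my additions (both sides must set them identically), and dh2048.pem assumes KEY_SIZE=2048 in vars.

```shell
#!/bin/sh
# Added example (not from the post): lint a server.conf for the settings
# discussed above, and compare the posted config with a tightened variant.
# lint_server_conf <file> prints one finding per line; lint_findings <file> prints the count.

lint_server_conf() {
    local body
    # Drop comments (whole-line and trailing '#'/';') and blank lines.
    body=$(sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1")

    if printf '%s\n' "$body" | grep -Eq '^(user|group)[[:space:]]+root[[:space:]]*$'; then
        echo "privileges: user/group root; use 'user nobody' and 'group nobody' (persist-key/persist-tun keep restarts working after the drop)"
    fi
    if printf '%s\n' "$body" | grep -Eq '^duplicate-cn[[:space:]]*$'; then
        echo "identity: duplicate-cn lets any number of clients share one certificate and disables ifconfig-pool-persist and ccd addresses"
    fi
    # push takes exactly one argument; an unquoted 'push dhcp-option DNS x' has three.
    if printf '%s\n' "$body" | grep -Eq '^push[[:space:]]+[^"[:space:]]+[[:space:]]+[^[:space:]]'; then
        echo "syntax: push argument with spaces must be quoted, e.g. push \"dhcp-option DNS 223.5.5.5\""
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^tls-auth[[:space:]]'; then
        echo "control channel: no tls-auth; anyone who can reach the port can start a TLS handshake"
    fi
    if printf '%s\n' "$body" | grep -Eq '^dh[[:space:]]+.*dh1024\.pem'; then
        echo "crypto: 1024-bit DH parameters; rebuild with KEY_SIZE=2048 (dh2048.pem)"
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^auth[[:space:]]+SHA(256|384|512)'; then
        echo "crypto: HMAC defaults to SHA1 (see the startup log); set 'auth SHA256' on server and clients"
    fi
    return 0
}

lint_findings() { lint_server_conf "$1" | awk 'END { print NR }'; }

# The posted server.conf, trimmed to the lines the lint looks at.
write_page_conf() {
    cat > "$1" <<'EOF'
port 3194
proto udp
dev tun
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/113.106.90.133.crt
key /usr/local/openvpn/etc/keys/113.106.90.133.key  # This file should be kept secret
dh /usr/local/openvpn/etc/keys/dh1024.pem
server 172.16.81.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push dhcp-option DNS  223.5.5.5
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /usr/local/openvpn/etc/keys/ta.key 0 # This file is secret
comp-lzo
user root
group root
persist-key
persist-tun
EOF
}

# Tightened variant: unprivileged daemon, one cert per client, quoted push,
# 2048-bit DH (KEY_SIZE=2048 in vars), SHA256 HMAC and an AES data channel.
# 'auth' and 'cipher' must be set identically in every client profile.
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 3194
proto udp
dev tun
ca /usr/local/openvpn/etc/keys/ca.crt
cert /usr/local/openvpn/etc/keys/113.106.90.133.crt
key /usr/local/openvpn/etc/keys/113.106.90.133.key
dh /usr/local/openvpn/etc/keys/dh2048.pem
tls-auth /usr/local/openvpn/etc/keys/ta.key 0
auth SHA256
cipher AES-256-CBC
server 172.16.81.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 223.5.5.5"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Demo: lint both. The posted config yields 5 findings, the tightened one 0.
tmp_weak=$(mktemp); tmp_hard=$(mktemp)
write_page_conf "$tmp_weak"; write_hardened_conf "$tmp_hard"
echo "posted server.conf:"; lint_server_conf "$tmp_weak"
echo "tightened server.conf: $(lint_findings "$tmp_hard") finding(s)"
rm -f "$tmp_weak" "$tmp_hard"
```

The lint is deliberately pattern-based so it can run on the server without OpenVPN; running /usr/local/openvpn/sbin/openvpn --config server.conf --verb 4 in the foreground is still the authoritative syntax check.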

Forwarding and firewall configuration

# echo 1 > /proc/sys/net/ipv4/ip_forward   # make it persistent too: net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or add the echo to rc.local)
# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [149:207465]

#openvpn
#-A INPUT -i tun0 -j ACCEPT

# Allow the 3194 listener and the VPN virtual subnet #
# These rules apply to any OpenVPN setup.
# Note: with the INPUT policy at ACCEPT they only take effect once the policy is changed to DROP,
# and matching on the source address alone means a packet arriving on em1 with a forged
# 172.16.81.x source is accepted too; add "-i tun0" to tie the match to the tunnel interface.
-A INPUT -p udp -m state --state NEW -m udp --dport 3194 -j ACCEPT
-A INPUT -s 172.16.81.0/24 -j ACCEPT
-A INPUT -s 172.16.81.0/24 -p tcp -m state --state NEW -m tcp -j ACCEPT
###

# Allow SSH to this server from the company LAN (so it can be reached directly from the office); the company LAN and the Longgang data-center LAN are routed to each other.
# Specific to our company.
-A INPUT -s 172.16.6.0/24 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
-A INPUT -s 172.16.7.0/24 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
-A INPUT -s 58.61.152.2/32 -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
###

# OpenVPN forwarding. SNAT only works with forwarding enabled in the kernel (ip_forward above) and allowed here; without it clients connect but cannot reach anything beyond the server.
-A FORWARD -s 172.16.81.0/24 -j ACCEPT

COMMIT


###### nat table
*nat
:PREROUTING ACCEPT [34900437:1283045486]
:POSTROUTING ACCEPT [63299:3858189]
:OUTPUT ACCEPT [63299:3858189]

# The source NAT is generic as well.
# Traffic from the VPN virtual subnet leaving on em1 gets the public IP as its source, so clients can reach the Internet
-A POSTROUTING -s 172.16.81.0/24 -o em1 -j SNAT --to-source 113.106.90.133

# Traffic from the VPN virtual subnet to the internal network gets the internal IP as its source, so clients can reach internal servers
-A POSTROUTING -s 172.16.81.0/24 -d 10.0.0.0/24 -o em2 -j SNAT --to-source 10.0.0.133

# Same again for the Longgang data-center LAN.
-A POSTROUTING -s 172.16.81.0/24 -d 192.168.77.0/24 -j SNAT --to-source 10.0.0.133
COMMIT
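The ruleset above works because the INPUT and FORWARD policies are ACCEPT, which also means most of its accept rules are doing nothing yet. The script below is an added example, not from the post: it generates an equivalent iptables-restore file from a handful of variables, with DROP policies, the VPN-subnet accepts tied to tun0 (so a packet arriving on em1 with a forged 172.16.81.x source is not matched), forwarding limited to the tunnel plus established replies, and the same SNAT rules. The addresses, interfaces and SSH allow-list are taken from this page; that 192.168.77.0/24 is also reached through em2 is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): generate the iptables-restore ruleset for
# this gateway from a few variables. It differs from the listing above in three
# ways: INPUT/FORWARD default to DROP, the VPN-subnet accepts are tied to the
# tun interface, and forwarding is limited to the tunnel plus established replies.
# Usage: openvpn_rules | iptables-restore      (after reviewing the output)

VPN_NET="172.16.81.0/24"        # 'server' subnet in server.conf
VPN_PORT="3194"; TUN_IF="tun0"
EXT_IF="em1";  EXT_IP="113.106.90.133"
INT_IF="em2";  INT_IP="10.0.0.133"
INT_NETS="10.0.0.0/24 192.168.77.0/24"   # assumption: both are reached via em2 (192.168.77.0/24 through 10.0.0.254)
SSH_PORT="1234"
SSH_FROM="172.16.6.0/24 172.16.7.0/24 192.168.0.0/24 58.61.152.2/32"

openvpn_rules() {
    local src net
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '# OpenVPN listener'
    echo "-A INPUT -p udp -m udp --dport ${VPN_PORT} -m state --state NEW -j ACCEPT"
    echo '# VPN clients reach the server itself only through the tunnel interface'
    echo "-A INPUT -i ${TUN_IF} -s ${VPN_NET} -j ACCEPT"
    echo '# SSH from the company and Longgang networks'
    for src in $SSH_FROM; do
        echo "-A INPUT -s ${src} -p tcp -m tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT"
    done
    echo '# Forward tunnel traffic out, and only replies back in'
    echo "-A FORWARD -i ${TUN_IF} -s ${VPN_NET} -j ACCEPT"
    echo "-A FORWARD -o ${TUN_IF} -d ${VPN_NET} -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo 'COMMIT'
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '# Internal destinations: source becomes the internal IP'
    for net in $INT_NETS; do
        echo "-A POSTROUTING -s ${VPN_NET} -d ${net} -o ${INT_IF} -j SNAT --to-source ${INT_IP}"
    done
    echo '# Everything else leaving on the public interface: source becomes the public IP'
    echo "-A POSTROUTING -s ${VPN_NET} -o ${EXT_IF} -j SNAT --to-source ${EXT_IP}"
    echo 'COMMIT'
}

# Without ip_forward=1 the FORWARD/SNAT rules never see a packet: clients
# connect but reach nothing beyond the server. Returns 0 when forwarding is on.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

openvpn_rules
forwarding_enabled || echo "# warning: net.ipv4.ip_forward is not 1 on this host" >&2
```

Review the generated output before loading it: with the INPUT policy at DROP, an SSH source missing from SSH_FROM locks you out, so apply it from a console session or with a scheduled rollback.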

Start OpenVPN

/usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/server.conf

OpenVPN startup log

Wed Jun  7 09:42:11 2017 /sbin/ifconfig tun0 0.0.0.0
Wed Jun  7 09:42:11 2017 SIGTERM[hard,] received, process exiting
Wed Jun  7 09:42:50 2017 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO1] [EPOLL] [eurephia] built on Jun  6 2017
Wed Jun  7 09:42:50 2017 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Wed Jun  7 09:42:50 2017 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun  7 09:42:50 2017 Diffie-Hellman initialized with 1024 bit key
Wed Jun  7 09:42:50 2017 Control Channel Authentication: using '/usr/local/openvpn/etc/keys/ta.key' as a OpenVPN static key file
Wed Jun  7 09:42:50 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun  7 09:42:50 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun  7 09:42:50 2017 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Jun  7 09:42:50 2017 Socket Buffers: R=[229376->131072] S=[229376->131072]
Wed Jun  7 09:42:50 2017 ROUTE default_gateway=113.106.90.129
Wed Jun  7 09:42:50 2017 TUN/TAP device tun0 opened
Wed Jun  7 09:42:50 2017 TUN/TAP TX queue length set to 100
Wed Jun  7 09:42:50 2017 /sbin/ifconfig tun0 172.16.81.1 pointopoint 172.16.81.2 mtu 1500
Wed Jun  7 09:42:50 2017 /sbin/route add -net 172.16.81.0 netmask 255.255.255.0 gw 172.16.81.2
Wed Jun  7 09:42:50 2017 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun  7 09:42:50 2017 GID set to root
Wed Jun  7 09:42:50 2017 UID set to root
Wed Jun  7 09:42:50 2017 UDPv4 link local (bound): [undef]:3194
Wed Jun  7 09:42:50 2017 UDPv4 link remote: [undef]
Wed Jun  7 09:42:50 2017 MULTI: multi_init called, r=256 v=256
Wed Jun  7 09:42:50 2017 IFCONFIG POOL: base=172.16.81.4 size=62
Wed Jun  7 09:42:50 2017 IFCONFIG POOL LIST
Wed Jun  7 09:42:50 2017 Initialization Sequence Completed
523: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 172.16.80.1 peer 172.16.80.2/32 scope global tun0
       valid_lft forever preferred_lft forever

Note: 172.16.80.1 is the VPN server's virtual IP. (This ip output was captured with the tunnel subnet set to 172.16.80.0/24; with the server.conf shown here, server 172.16.81.0 255.255.255.0, the server's tun0 address is 172.16.81.1, as the startup log above shows.)

Configure the client

The client needs these files: ca.crt, client.crt, client.key and ta.key. Their contents can be embedded in a single profile, or the files can be placed in the client's config directory next to the .ovpn file. The client must also use tls-auth with direction 1, the opposite of the server's 0.
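Embedding the four files in one profile is the usual way to hand a client its configuration. The script below is an added example, not from the post: build_client_ovpn writes a single-file profile with client options that mirror the server.conf above (udp/3194, comp-lzo, key-direction 1 opposite the server's tls-auth direction 0) and inlines only the PEM blocks, since easy-rsa prepends a text dump to every .crt. It also sets remote-cert-tls server, which works because build-key-server gives the server certificate the serverAuth extended key usage. make_fixture_dir writes constructed placeholder files (not real certificates or keys) so the function can be exercised offline; on the server, point it at /usr/local/openvpn/etc/keys and the name given to ./build-key.

```shell
#!/bin/sh
# Added example (not from the post): assemble a single-file client profile
# that embeds ca.crt, <name>.crt, <name>.key and ta.key, with client options
# that mirror the server.conf above (udp/3194, comp-lzo, tls-auth in the
# opposite direction). Usage: build_client_ovpn <keys_dir> <name> <server_ip> [port] > <name>.ovpn

# easy-rsa .crt files start with a text dump of the certificate; keep only the PEM block.
pem_only() { sed -n '/^-----BEGIN/,/^-----END/p' "$1"; }

build_client_ovpn() {
    local dir="$1" name="$2" server="$3" port="${4:-3194}" f
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cat <<EOF
client
dev tun
proto udp
remote ${server} ${port}
resolv-retry infinite
nobind
persist-key
persist-tun
# Accept only a server cert carrying the serverAuth EKU that build-key-server
# sets, so a stolen client cert cannot be used to impersonate the server.
remote-cert-tls server
comp-lzo
verb 3
# server.conf uses 'tls-auth ta.key 0', so the client side is direction 1.
key-direction 1
<ca>
$(pem_only "$dir/ca.crt")
</ca>
<cert>
$(pem_only "$dir/$name.crt")
</cert>
<key>
$(pem_only "$dir/$name.key")
</key>
<tls-auth>
$(pem_only "$dir/ta.key")
</tls-auth>
EOF
}

# Constructed placeholder files (not real certificates or keys) so the
# function can be exercised offline; on the server use /usr/local/openvpn/etc/keys.
make_fixture_dir() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'Certificate:' '    Data: text dump that easy-rsa prepends' \
        '-----BEGIN CERTIFICATE-----' 'Q0EtUExBQ0VIT0xERVI=' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q0xJRU5ULVBMQUNFSE9MREVS' '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZLVBMQUNFSE9MREVS' '-----END PRIVATE KEY-----' > "$d/client.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' '0123456789abcdef' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    echo "$d"
}

# Demo with the placeholder files; the server address and port are this page's.
demo_dir=$(make_fixture_dir)
build_client_ovpn "$demo_dir" client 113.106.90.133
rm -rf "$demo_dir"
```

The generated profile contains the client's private key, so treat the .ovpn like the .key file itself and hand it over through a channel you would trust with a password.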

Test

Connect to the VPN from the workstation, then ping nginx08 and capture on nginx08.

[c:\~]$ ping 116.62.46.179

Pinging 116.62.46.179 with 32 bytes of data:
Reply from 116.62.46.179: bytes=32 time=36ms TTL=51
[root@nginx08 ~]# tcpdump -nn -p icmp -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
17:16:16.010053 IP 113.106.90.133 > 116.62.46.179: ICMP echo request, id 1, seq 352, length 40
17:16:16.010071 IP 116.62.46.179 > 113.106.90.133: ICMP echo reply, id 1, seq 352, length 40

The packets arrive from 113.106.90.133, which is the VPN server's public IP: with the Windows client connected, its egress IP is 113.106.90.133.

Files under the ccd (client-config-dir) directory are named after the Common Name given when the client certificate was built; enable the directory with client-config-dir in server.conf. Per-client entries only work when each client has its own certificate, so not together with duplicate-cn. For a client built with ./build-key linuxjump:

bash-4.3# cat linuxjump
ifconfig-push 192.168.255.50 192.168.255.49     # fixed address for this client; with the default net30 topology the two addresses must be a /30 pair

SSH over the VPN

Once connected, SSH to the VPN server via its tunnel address: ssh root@172.16.80.1 (172.16.81.1 with the 172.16.81.0/24 subnet used in the server.conf above).

Original link: https://www.haomeiwen.com/subject/iuuafxtx.html