OpenVPN on Fedora Core 4
Host-to-Host
    SERVER                                        CLIENT
 +---------+                                   +---------+
 |         | real ip : 61.219.31.244           |         | real ip : 218.160.157.55
 |         |-----------------------------------|         |
 |         | vpn ip  : 10.8.0.1                |         | vpn ip  : 10.8.0.10
 +---------+                                   +---------+
SERVER
[1.] Install openvpn-2.0.2
apt-get install openvpn
[2.] cp -r /usr/share/doc/openvpn-2.0.2/easy-rsa /etc/openvpn
cp /usr/share/doc/openvpn-2.0.2/sample-config-files/server.conf /etc/openvpn
[3.] cd /etc/openvpn/easy-rsa/
vi vars
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Taipei
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL=[email protected]
Load the variables into the environment
. ./vars
Wipe any CA built earlier (this empties the keys/ directory)
./clean-all
Build the root CA
./build-ca
Build the server key & certificate
./build-key-server server
The Common Name must be unique among all certificates this CA signs
Build the Diffie-Hellman parameters
./build-dh
The generated files are now in /etc/openvpn/easy-rsa/keys. Copy only the ones the server needs: ca.key stays in easy-rsa/keys (ideally on a machine that is not the VPN server) and is never handed to clients, and server.key should stay readable by root only
cp keys/ca.crt keys/dh1024.pem keys/server.key keys/server.crt /etc/openvpn
[4.] Edit the config
vi /etc/openvpn/server.conf
# IP address to bind to
local 61.219.31.244
# port to bind to
port 1194
# protocol, TCP or UDP
proto udp
# an ethernet tunnel for ethernet bridging
;dev tap
# routed IP tunnel
dev tun
#
ca ca.crt
cert server.crt
key server.key
#
dh dh1024.pem
# vpn subnet
# the server takes 10.8.0.1
# and hands out the clients' addresses from the rest of the pool
server 10.8.0.0 255.255.255.0
[5.] Start the VPN
service openvpn start
Other parameters
# remember the IP assigned to each client, so that after the VPN stops or restarts a reconnecting client gets the same IP again
ifconfig-pool-persist ipp.txt
# send the clients' default gateway out through the VPN server.
# In short, the server treats the clients as hosts behind its own NAT:
# 1. echo "1" > /proc/sys/net/ipv4/ip_forward
# 2. iptables -A FORWARD -i tun+ -j ACCEPT
# 3. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#    (-o must name the interface that carries the server's default route; on this server that is eth2, see the routing table below)
# then push the redirect; "redirect-gateway def1" overrides the client's default route with two /1 routes instead of replacing it
push "redirect-gateway"
# let clients talk to each other
;client-to-client
# lets several clients connect with the same key at once; the official advice is not to use it
;duplicate-cn
# keepalive: ping every 10 seconds; if nothing is received for 120 seconds the client is considered gone
keepalive 10 120
# at most ten clients at the same time
max-clients 10
# compression
;comp-lzo
# rewrite the connection status file every minute
;status openvpn-status.log
# by default log messages go to /var/log/messages; with the options below they go to openvpn.log instead
;log openvpn.log
;log-append openvpn.log
# log level
;verb 3
CLIENT
[1.] Install openvpn-2.0.2
apt-get install openvpn
[2.] cp -r /usr/share/doc/openvpn-2.0.2/easy-rsa /etc/openvpn
cp /usr/share/doc/openvpn-2.0.2/sample-config-files/client.conf /etc/openvpn
[3.] Back on the server, build the client key (in /etc/openvpn/easy-rsa, with vars loaded as in server step [3.])
./build-key client
The Common Name must be unique
If other clients will use the VPN, each one needs its own client key; two clients cannot be connected at the same time with the same client key (unless duplicate-cn is set, see above)
./build-key client1
./build-key client2
Or
let the client generate its own key and have the server sign it
On the client:
vi vars
export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Taipei
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL=[email protected]
KEY_ORG should match the server's
Load the variables into the environment
. ./vars
Build the client key and certificate request
./build-req client
(the original used build-key here; without the CA's private key it gets no further than the request, so the result is the same)
At this point there are only two files, client.csr and client.key; client.key never leaves the client
Copy client.csr into /etc/openvpn/easy-rsa/keys on the server, then on the server:
./sign-req client
which produces client.crt
[4.] Copy the following files to /etc/openvpn on the client, over a trusted channel such as scp, and keep client.key readable by root only (ca.key is not copied)
client.crt
client.key
ca.crt
[5.] vi /etc/openvpn/client.conf
#
client
#
dev tun
#
proto udp
# the VPN server's real IP and port
remote 61.219.31.244 1194
# keys
ca ca.crt
cert client.crt
key client.key
# only accept a server certificate that was built with build-key-server (nsCertType=server)
ns-cert-type server
[6.] service openvpn start
[7.] ifconfig on the server
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2451 errors:0 dropped:0 overruns:0 frame:0
TX packets:1589 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:191765 (187.2 KiB) TX bytes:223103 (217.8 KiB)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
61.219.31.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
203.204.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 61.219.31.254 0.0.0.0 UG 0 0 0 eth2
ifconfig on the client
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1545 errors:0 dropped:0 overruns:0 frame:0
TX packets:2405 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:220411 (215.2 KiB) TX bytes:188913 (184.4 KiB)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.1 10.8.0.9 255.255.255.255 UGH 0 0 0 tun0
218.160.156.254 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 218.160.156.254 0.0.0.0 UG 0 0 0 ppp0
[8.] Test
SERVER ping 218.160.157.55 -> OK
SERVER ping 10.8.0.10 -> OK
CLIENT ping 61.219.31.244 -> OK
CLIENT ping 10.8.0.1 -> OK
[Q1.] openvpn[21104]: WARNING: No server certificate verification method has
been enabled. See http://openvpn.net/howto.html#mitm for more info.
[A1.] Add to /etc/openvpn/client.conf
ns-cert-type server
Without it the client accepts any certificate signed by the CA as the server's, so anyone holding a client certificate from the same CA could pose as the server.
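What build-ca, build-key-server and build-key do in step [3.] on the server and client side, and what ns-cert-type server (Q1 above) actually checks, reduced to plain openssl calls. This is an added example and not the easy-rsa scripts or anything from the original page: it issues certificates with openssl x509 -req instead of easy-rsa's openssl ca database, the subject fields mirror the vars file above, and the directory argument, config sections and function names (build_pki, chain_ok, is_server_cert) are this example's own. The point it shows is that a client certificate verifies against ca.crt exactly as well as the server's does, so a client that only checks the CA would accept any other client posing as the server; the nsCertType=server extension that build-key-server adds, and ns-cert-type server verifies, is what tells them apart.

```shell
#!/bin/sh
# Added example, not part of the page or of easy-rsa. Requires openssl on PATH.
# build_pki DIR      : CA + server cert (nsCertType=server) + client cert, like
#                      build-ca, build-key-server and build-key, via openssl x509 -req.
# chain_ok DIR CRT   : the CA check every OpenVPN peer performs.
# is_server_cert CRT : the extra check "ns-cert-type server" adds on the client.
set -e

# Subject fields mirror the vars file used on this page; the CN is the argument.
subj() { printf '/C=TW/ST=Taiwan/L=Taipei/O=OpenVPN-TEST/CN=%s' "$1"; }

# The one openssl config the example needs: an extension section per certificate role.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature,keyEncipherment
[client_ext]
nsCertType = client
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
}

# Key + CSR for $2, then a certificate signed by the CA in $1 with extension section $3.
issue() {
    dir="$1"; name="$2"; ext="$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "$(subj "$name")" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/openssl.cnf" -extensions "$ext" \
        -out "$dir/$name.crt" >/dev/null 2>&1
    chmod 600 "$dir/$name.key"
}

build_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_cnf "$dir/openssl.cnf"
    # build-ca: self-signed root. ca.key never leaves this directory.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$dir/openssl.cnf" \
        -extensions ca_ext -subj "$(subj OpenVPN-TEST-CA)" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    chmod 600 "$dir/ca.key"
    issue "$dir" server server_ext    # build-key-server: gets nsCertType=server
    issue "$dir" client client_ext    # build-key: same CA, but nsCertType=client
}

# Is the certificate signed by our ca.crt? True for the server AND the client certificate.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

# Does the certificate carry nsCertType=server? Only the one from build-key-server does.
is_server_cert() { openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'; }
```

Run build_pki /tmp/pki and compare chain_ok and is_server_cert on server.crt and client.crt: both pass the chain check, only server.crt passes the type check. Distribute ca.crt plus each peer's own key and certificate, and nothing else.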
Host-to-Net
                     SERVER                                        CLIENT
                  +---------+                                   +---------+
  internal subnet |         | real ip : 61.219.31.244           |         | real ip : 218.160.157.55
  192.168.1.0     |         |-----------------------------------|         |
  255.255.255.0   |         | vpn ip  : 10.8.0.1                |         | vpn ip  : 10.8.0.10
                  +---------+                                   +---------+
When the CLIENT needs to reach the SERVER's internal subnet, a push on the server side is all it takes to let the client reach the private addresses behind the server (the server needs ip_forward enabled, as in the NAT notes above)
vi /etc/openvpn/server.conf
#
push "route 192.168.1.0 255.255.255.0"
The client's routing table
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.1 10.8.0.9 255.255.255.255 UGH 0 0 0 tun0
218.160.156.254 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 10.8.0.9 255.255.255.0 UG 0 0 0 tun0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 218.160.156.254 0.0.0.0 UG 0 0 0 ppp0
CLIENT ping 192.168.1.12 -> OK
If the client side also has a private subnet, hosts on it can reach 192.168.1.0/24 by using the CLIENT as their gateway (with ip_forward enabled on the client); for the replies to find their way back, the server must also know about that subnet, which is what the Net-to-Net setup below adds.
NET-to-NET
                     SERVER                                        CLIENT
                  +---------+                                   +---------+
  internal subnet |         | real ip : 61.219.31.244           |         | real ip : 218.160.157.55
  192.168.1.0     |         |-----------------------------------|         |---------- 10.1.1.0 / 255.255.255.0
  255.255.255.0   |         | vpn ip  : 10.8.0.1                |         | vpn ip  : 10.8.0.10
                  +---------+                                   +---------+
Continuing from the Host-to-Net setup above, suppose the CLIENT's private subnet is 10.1.1.0/24 and the 192.168.1.0/24 subnet should also be able to reach 10.1.1.0/24
[1.] Add to the SERVER config
vi /etc/openvpn/server.conf
client-config-dir ccd
route 10.1.1.0 255.255.255.0
[2.] mkdir /etc/openvpn/ccd
[3.] Create a file whose name is the Common Name that was used when the client's key was built
vi /etc/openvpn/ccd/SSORC
iroute 10.1.1.0 255.255.255.0
Both halves are needed: route puts 10.1.1.0/24 into the server's kernel routing table pointing at tun0, and iroute tells OpenVPN's internal router that this client owns that subnet.
[4.] Reload OpenVPN on both SERVER and CLIENT
[5.] 192.168.1.12 ping 10.1.1.99 -> OK
[Q.&A.] When the private subnets cannot ping each other (192.168.1.1 ping 10.1.1.1) and the SERVER's openvpn.log says the packet was dropped, one possible cause is the server's iptables rules (FORWARD/MASQUERADE). Also check that the client's subnet has a matching iroute in its ccd file: OpenVPN drops packets whose source address it was not told belongs to that client and logs them as "bad source address from client ..., packet dropped".
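A consistency check for the route/iroute pairing that the Net-to-Net steps depend on, as an added example; the script is not from the page or from OpenVPN. It assumes the layout used above: server.conf containing client-config-dir ccd and one route line per client subnet, and ccd/<Common Name> files containing the matching iroute lines. route alone puts the subnet into the kernel routing table towards tun0, iroute alone tells OpenVPN's internal router which client owns it, and with only one of the two the packets are dropped, which is the symptom in the Q&A above. ccd_check reports any subnet that has one half without the other (or that two ccd files claim), and add_client_subnet writes both halves in one go; the CN is validated because the Common Name becomes a file name under ccd. Function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the page or from OpenVPN. Layout assumed (as on this page):
#   $1/server.conf  with "client-config-dir ccd" and one "route NET MASK" per client subnet
#   $1/ccd/<CN>     with the matching "iroute NET MASK" for the client whose Common Name is CN

# Report subnets that have a "route" without an "iroute" or the reverse, and subnets
# claimed by two ccd files. Exit status 0 means the two halves agree.
ccd_check() {
    conf="$1/server.conf"; ccd="$1/ccd"
    set -- "$ccd"/*
    [ -e "$1" ] || set --    # no ccd files yet: awk then reads only server.conf
    awk '
        FILENAME == ARGV[1] && $1 == "client-config-dir"  { have_ccd = 1 }
        FILENAME == ARGV[1] && $1 == "route"  && NF >= 3  { route[$2 "/" $3] = 1; next }
        FILENAME != ARGV[1] && $1 == "iroute" && NF >= 3 {
            n = split(FILENAME, p, "/"); cn = p[n]            # ccd file name == Common Name
            key = $2 "/" $3
            if (key in iroute) { print "subnet " key " claimed by both " iroute[key] " and " cn; bad = 1 }
            iroute[key] = cn
        }
        END {
            if (!have_ccd) { print "server.conf lacks client-config-dir, ccd files are ignored"; bad = 1 }
            for (s in route)  if (!(s in iroute)) { print "route " s " has no iroute in any ccd file"; bad = 1 }
            for (s in iroute) if (!(s in route))  { print "iroute " s " in ccd/" iroute[s] " has no route in server.conf"; bad = 1 }
            exit bad + 0
        }
    ' "$conf" "$@"
}

# Register a client's LAN: the iroute goes into ccd/<CN>, the route into server.conf,
# each only once. The CN is rejected unless it is safe to use as a file name under ccd.
add_client_subnet() {
    dir="$1"; cn="$2"; net="$3"; mask="$4"
    case "$cn" in
        ''|.|..|*[!A-Za-z0-9_.-]*) echo "refusing CN '$cn' as a ccd file name" >&2; return 1 ;;
    esac
    mkdir -p "$dir/ccd"
    grep -qxF "iroute $net $mask" "$dir/ccd/$cn" 2>/dev/null || echo "iroute $net $mask" >> "$dir/ccd/$cn"
    grep -qxF "route $net $mask" "$dir/server.conf" 2>/dev/null || echo "route $net $mask" >> "$dir/server.conf"
}
```

Run ccd_check /etc/openvpn after every change to server.conf or ccd/; a non-zero exit with a "has no iroute" line is the usual reason the server logs dropped packets for a client's subnet.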
CLIENT on Windows
[1.] Download and install OpenVPN (the GUI build)
http://openvpn.se/files/install_packages/openvpn-2.0.2-gui-1.0.3-install.exe
After installation there is an extra TAP-Win32 Adapter under Network Connections
and an OpenVPN GUI icon in the system tray
[2.] Build the client key as above
[3.] In C:\Program Files\OpenVPN, copy client.ovpn from the sample-config directory into the config directory, and put ca.crt, client.crt and client.key into config as well
Configure it the same way as the Linux CLIENT above
[4.] Start, method one
-> OpenVPN GUI -> Connect
Method two
-> Control Panel -> Administrative Tools -> Services -> OpenVPN Service -> Start
Management interface
[1.] vi /etc/openvpn/server.conf
#
management localhost 7505
Bind it to localhost only: the management interface has no authentication unless a password file is given as a third argument, and anyone who can reach it can kill client sessions or signal the daemon
[2.] telnet localhost 7505
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0.2 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 9 2005
Commands:
auth-retry t : Auth failure retry mode (none,interact,nointeract).
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END
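Reading the status output, as an added example that is not from the page: the status openvpn-status.log file rewritten every minute (see the other parameters above) and the status command on the management interface both produce the same CLIENT LIST / ROUTING TABLE text, OpenVPN 2.0's default status format (version 1, comma-separated). The script lists common names connected from more than one real address at the same time, which only happens when duplicate-cn is enabled and a client key is being shared, and counts connected clients for comparison with max-clients. The status text in sample_status is constructed for this example; the addresses and timestamps are not from a real session, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page. Parses OpenVPN 2.0 status output (status version 1):
#   OpenVPN CLIENT LIST / Updated,... / Common Name,Real Address,... rows / ROUTING TABLE ...

# Common names seen from more than one real address, with their addresses (one CN per line).
shared_cns() {
    awk -F, '
        /^Common Name,Real Address/ { in_list = 1; next }   # header of the CLIENT LIST block
        /^ROUTING TABLE/            { in_list = 0 }         # end of the CLIENT LIST block
        in_list && NF >= 5 {
            seen[$1]++
            addrs[$1] = (addrs[$1] == "" ? $2 : addrs[$1] " " $2)
        }
        END { for (cn in seen) if (seen[cn] > 1) print cn " " addrs[cn] }
    ' "$1" | sort
}

# Number of connected clients (rows in the CLIENT LIST block), to compare with max-clients.
client_count() {
    awk -F, '
        /^Common Name,Real Address/ { in_list = 1; next }
        /^ROUTING TABLE/            { in_list = 0 }
        in_list && NF >= 5          { n++ }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample in the shape "status openvpn-status.log" writes; two sessions share CN client1.
sample_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Dec  5 10:12:15 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,218.160.157.55:32814,18432,21504,Mon Dec  5 09:58:01 2005
client2,60.248.111.126:1025,9216,8704,Mon Dec  5 10:01:44 2005
client1,203.204.2.77:33120,1024,2048,Mon Dec  5 10:10:03 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,client1,218.160.157.55:32814,Mon Dec  5 10:12:10 2005
10.8.0.14,client2,60.248.111.126:1025,Mon Dec  5 10:11:58 2005
10.8.0.18,client1,203.204.2.77:33120,Mon Dec  5 10:12:01 2005
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

Against a live server run shared_cns /etc/openvpn/openvpn-status.log from cron; any line it prints names a key that is in use from two places and should be revoked and reissued.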
Installing from the tarball
[1.] wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
tar zxvf openvpn-2.0.5.tar.gz
./configure
make
make install
Building an RPM from the tarball
rpmbuild -tb openvpn-2.0.5.tar.gz
rpm -ivh /usr/src/redhat/RPMS/i386/openvpn-2.0.5-1.i386.rpm
[2.] Create the device node
mknod /dev/net/tun c 10 200
vi /etc/modules.conf (on a 2.6 kernel such as Fedora Core 4's the file is /etc/modprobe.conf)
alias char-major-10-200 tun
Load the driver
modprobe tun
Enable routing (this does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent)
echo 1 > /proc/sys/net/ipv4/ip_forward
OpenVPN server + multiple clients & client-to-client
So that several clients can reach each other's subnets
                     SERVER                                        CLIENT 1
                  +---------+                                   +---------+
  internal subnet |         | real ip : 61.219.31.244           |         | real ip : 218.160.157.55
  192.168.1.0     |         |-----------------------------------|         |---------- 10.1.1.0 / 255.255.255.0
  255.255.255.0   |         | vpn ip  : 10.8.0.1        +       |         | vpn ip  : 10.8.0.10
                  +---------+                           |       +---------+
                                                        |
                                                        |          CLIENT 2
                                                        +-------+---------+
                                                                |         | real ip : 60.248.111.126
                                                                |         |---------- 192.168.2.0 / 255.255.255.0
                                                                |         | vpn ip  : 10.8.0.14
                                                                +---------+
[1.] After each client has been set up as in Net-to-Net above (its own key, its own ccd file with an iroute, and a route for its subnet), enable client-to-client in server.conf and push both clients' private subnets from the SERVER
vi /etc/openvpn/server.conf
#
push "route 192.168.2.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
[2.]
192.168.1.1 ping 10.1.1.99 -> OK
192.168.1.1 ping 192.168.2.1 -> OK
192.168.2.1 ping 10.1.1.99 -> OK
192.168.2.1 ping 192.168.1.1 -> OK
10.1.1.99 ping 192.168.2.1 -> OK
10.1.1.99 ping 192.168.1.1 -> OK
ref: http://wiki.debian.org.tw/index.php/OpenVPN
http://www.study-area.org/tips/openvpn.html
http://big5.ccidnet.com:89/gate/big5/tech.ccidnet.com/art/302/20060421/516673_1.html
Comments
Q: openvpn[1149]: client/xx.xx.xx:40701 Authenticate/Decrypt packet error: cipher final failed
A: Use cipher AES-128-CBC in the config file on both the server and the client