OpenVPN on Fedora Core 4

 

Host-to-Host

        SERVER                                                CLIENT
   +------------+                                        +------------+
   |            | real ip : 61.219.31.244                |            | real ip : 218.160.157.55
   |            |----------------------------------------|            |
   |            | vpn ip  : 10.8.0.1                     |            | vpn ip  : 10.8.0.10
   +------------+                                        +------------+

 

 

SERVER

[1.] Install openvpn-2.0.2

         apt-get install openvpn

[2.] cp -r /usr/share/doc/openvpn-2.0.2/easy-rsa /etc/openvpn

      cp /usr/share/doc/openvpn-2.0.2/sample-config-files/server.conf /etc/openvpn

[3.] cd /etc/openvpn/easy-rsa/

      vi vars

export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Taipei
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL=cross@ssorc.tw

      Export the environment

         . ./vars

      Clear out any previously built CA

         . ./clean-all

      Build the root CA

         . ./build-ca

      Build the server key & crt

         . ../build-key-server server

      Note that the Common Name must be unique

      Build the Diffie-Hellman parameters

         . ../build-dh

      At this point the current directory is /etc/openvpn/easy-rsa/keys

      cp ca.crt dh1024.pem server.key server.crt /etc/openvpn

[4.] Edit the config

      vi /etc/openvpn/server.conf

# Which IP to bind to

local 61.219.31.244

# Which port to bind to

port 1194

# protocol TCP/UDP

proto udp

# an ethernet tunnel for ethernet bridging

;dev tap

# routed IP tunnel

dev tun

#

ca ca.crt

cert server.crt

key server.key

#

dh dh1024.pem

# vpn subnet

# The server's IP will be 10.8.0.1,

# and each client's IP is assigned by the server

server 10.8.0.0 255.255.255.0

[5.] Start the VPN

         service openvpn start

      Other parameters explained

# Record the IP assigned to each client, so that if the VPN is stopped or restarted a reconnecting client gets the same IP again

ifconfig-pool-persist ipp.txt

# Automatically set the client's default gateway to go out through the VPN server.
# A few key points: treat the clients as if they were inside your own NAT
#    1. echo "1" > /proc/sys/net/ipv4/ip_forward
#    2. iptables -A FORWARD -i tun+ -j ACCEPT      ('+' is the iptables interface wildcard; a literal 'tun*' would not match tun0)
#    3. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

;push "redirect-gateway"

# Clients can talk to each other

;client-to-client

# Lets clients that use the same key connect successfully, but it is best not to use it, as the official docs advise

;duplicate-cn

# Keep-alive: ping every 10 seconds; if no packet is received for 120 seconds, the client is considered disconnected
keepalive 10 120

# At most ten clients at the same time
max-clients 10

# Link compression

;comp-lzo

# Refresh the connection status log every minute

;status openvpn-status.log

# By default logs go to /var/log/messages; with the log options below they go to openvpn.log instead

;log               openvpn.log

;log-append   openvpn.log

# log level

;verb 3

CLIENT

[1.] Install openvpn-2.0.2

         apt-get install openvpn

[2.] cp -r /usr/share/doc/openvpn-2.0.2/easy-rsa /etc/openvpn

      cp /usr/share/doc/openvpn-2.0.2/sample-config-files/client.conf /etc/openvpn

[3.] Go back to the server and build the client key

         . ./build-key client

      Note that the Common Name must be unique

      If other clients will use the VPN, a separate client key must be built for each; different clients cannot connect with the same client key at the same time

         . ./build-key client1

         . ./build-key client2

      Alternatively

      the client builds its own key and the server signs it

      On the client

         vi vars

export KEY_COUNTRY=TW
export KEY_PROVINCE=Taiwan
export KEY_CITY=Taipei
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL=cross@ssorc.tw

         KEY_ORG must match the server side

      Export the environment

         . ./vars

      Build the client key

         . ./build-key client

      At this point there are only two files, client.csr and client.key

      Then copy client.csr to the server and sign it there

         . ./sign-req client

      which produces client.crt

[4.] Copy the following files to /etc/openvpn on the client

         client.crt

         client.key

         ca.crt

[5.] vi /etc/openvpn/client.conf

#

client

#

dev tun

#

proto udp

# the vpn server's real ip and port

remote 61.219.31.244 1194

# key

ca ca.crt

cert client.crt

key client.key

#

ns-cert-type server

[6.] service openvpn start

 

[7.] ifconfig on the server

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2451 errors:0 dropped:0 overruns:0 frame:0
TX packets:1589 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:191765 (187.2 KiB) TX bytes:223103 (217.8 KiB)

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
61.219.31.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
203.204.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 61.219.31.254 0.0.0.0 UG 0 0 0 eth2

      ifconfig on the client

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1545 errors:0 dropped:0 overruns:0 frame:0
TX packets:2405 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:220411 (215.2 KiB) TX bytes:188913 (184.4 KiB)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.1 10.8.0.9 255.255.255.255 UGH 0 0 0 tun0
218.160.156.254 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 218.160.156.254 0.0.0.0 UG 0 0 0 ppp0

[8] Test

         SERVER ping 218.160.157.55  --> OK

         SERVER ping 10.8.0.10       --> OK

         CLIENT ping 61.219.31.244   --> OK

         CLIENT ping 10.8.0.1        --> OK

[Q1.] openvpn[21104]: WARNING: No server certificate verification method has
         been enabled. See http://openvpn.net/howto.html#mitm for more info.

[A1.] vi /etc/openvpn/client.conf

ns-cert-type server
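The warning in Q1 and the commented-out server options above (duplicate-cn in particular) are easy to miss when editing the config by hand. The following Python script is an added example written for this page, not code from OpenVPN or the original author: it parses the OpenVPN 2.0 directive syntax used above (one directive per line, lines starting with '#' or ';' are comments, double-quoted arguments) and reports a client.conf without 'ns-cert-type server', a server.conf with duplicate-cn enabled, and proto/dev/cipher settings that differ between the two ends (the cipher mismatch is the cause of the "cipher final failed" error discussed in the comments at the end of this page). The sample configs are constructed from the page's values; the directive 'remote-cert-tls', mentioned as the newer equivalent, exists in OpenVPN 2.1 and later.

```python
# Added example for this page (not part of OpenVPN or the original post): a small
# linter for OpenVPN 2.0-style config text.  All sample configs are constructed.
import shlex


def parse_conf(text):
    """Return [(directive, [args]), ...] for every active (non-comment) line."""
    parsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # '#' and ';' both open a comment line
            continue
        parts = shlex.split(line)         # handles push "route 10.0.0.0 255.0.0.0"
        parsed.append((parts[0], parts[1:]))
    return parsed


def has(parsed, name, *args):
    """True if `name` appears with the given leading arguments (if any)."""
    return any(d == name and a[:len(args)] == list(args) for d, a in parsed)


def lint_client_conf(text):
    """Findings for a client.conf; an empty list means nothing was flagged."""
    p = parse_conf(text)
    findings = []
    # The check behind the MITM warning in Q1: without it, any certificate signed
    # by the CA (another client's, for instance) is accepted as the server.
    if not (has(p, "ns-cert-type", "server") or has(p, "remote-cert-tls", "server")):
        findings.append("no server certificate verification: add 'ns-cert-type server'")
    for name in ("ca", "cert", "key", "remote"):
        if not has(p, name):
            findings.append(f"missing '{name}' directive")
    return findings


def lint_server_conf(text):
    """Findings for a server.conf; an empty list means nothing was flagged."""
    p = parse_conf(text)
    findings = []
    if has(p, "duplicate-cn"):
        findings.append("duplicate-cn enabled: one client key can be used by several "
                        "clients at once; build one key per client and comment it out")
    for name in ("ca", "cert", "key", "dh", "server"):
        if not has(p, name):
            findings.append(f"missing '{name}' directive")
    return findings


def check_pair(server_text, client_text):
    """Cross-check the settings that must agree on both ends of the tunnel."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []
    for name in ("proto", "dev", "cipher"):
        sv = next((a[0] for d, a in s if d == name), None)   # None = OpenVPN default
        cv = next((a[0] for d, a in c if d == name), None)
        if sv != cv:
            findings.append(f"{name} differs: server={sv} client={cv}")
    return findings


# Constructed sample configs, based on the values used on this page.
CLIENT_CONF_WEAK = """\
client
dev tun
proto udp
remote 61.219.31.244 1194
ca ca.crt
cert client.crt
key client.key
"""
CLIENT_CONF_FIXED = CLIENT_CONF_WEAK + "ns-cert-type server\n"

SERVER_CONF = """\
local 61.219.31.244
port 1194
proto udp
;dev tap
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
max-clients 10
;duplicate-cn
;push "redirect-gateway"
"""
SERVER_CONF_WEAK = SERVER_CONF.replace(";duplicate-cn", "duplicate-cn")

if __name__ == "__main__":
    print("client (weak):", lint_client_conf(CLIENT_CONF_WEAK))
    print("client (fixed):", lint_client_conf(CLIENT_CONF_FIXED))
    print("server (weak):", lint_server_conf(SERVER_CONF_WEAK))
    print("pair:", check_pair(SERVER_CONF, CLIENT_CONF_FIXED))
```

Run it against real files by reading them into strings; the parser only looks at directive names and arguments, so the comments and blank lines in the configs above pass through untouched.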

Host-to-Net

  internal subnet              SERVER                                           CLIENT
  192.168.1.0            +------------+                                    +------------+
  255.255.255.0 ---------|            | real ip : 61.219.31.244            |            | real ip : 218.160.157.55
                         |            |------------------------------------|            |
                         |            | vpn ip  : 10.8.0.1                 |            | vpn ip  : 10.8.0.10
                         +------------+                                    +------------+

 

 

When the client needs to reach the server's internal subnet, just configure a push on the server side and the client can access the private IPs behind the server

   vi /etc/openvpn/server.conf

#

push "route 192.168.1.0 255.255.255.0"

The client's routing table

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.1 10.8.0.9 255.255.255.255 UGH 0 0 0 tun0
218.160.156.254 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.1.0 10.8.0.9 255.255.255.0 UG 0 0 0 tun0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 218.160.156.254 0.0.0.0 UG 0 0 0 ppp0

   CLIENT ping 192.168.1.12 --> OK

If the client side also has a private subnet, hosts on it can reach 192.168.1.0/24 through the client's gateway as well

 

NET-to-NET

  internal subnet              SERVER                                           CLIENT
  192.168.1.0            +------------+                                    +------------+
  255.255.255.0 ---------|            | real ip : 61.219.31.244            |            | real ip : 218.160.157.55
                         |            |------------------------------------|            |------ 10.1.1.0 / 255.255.255.0
                         |            | vpn ip  : 10.8.0.1                 |            | vpn ip  : 10.8.0.10
                         +------------+                                    +------------+

 

Building on the Host-to-Net layout above, assume the client's private subnet is 10.1.1.0/24 and the 192.168.1.0/24 subnet also wants to reach 10.1.1.0/24

[1.] Add the following settings on the SERVER

         vi /etc/openvpn/server.conf

client-config-dir ccd

route 10.1.1.0 255.255.255.0

[2.] mkdir /etc/openvpn/ccd

[3.] Create a file whose name is the Common Name used when the client key was built

         vi /etc/openvpn/ccd/SSORC

iroute 10.1.1.0 255.255.255.0

[4.] Reload OpenVPN on both SERVER and CLIENT

[5.] 192.168.1.12 ping 10.1.1.99 --> OK

[Q.&A.] When the private subnets cannot ping each other (192.168.1.1 ping 10.1.1.1) and the server's openvpn.log shows the packets being dropped, a likely cause is that iptables is not set up for MASQUERADE

 

CLIENT on Windows

[1.] Download and install openvpn (GUI version)
         http://openvpn.se/files/install_packages/openvpn-2.0.2-gui-1.0.3-install.exe

      After installation, a TAP-Win32 Adapter appears under Network Connections

      and an OpenVPN GUI icon appears in the system tray at the bottom right

[2.] The client key is built as described above

[3.] Go to C:\Program Files\OpenVPN, copy client.ovpn from the sample-config directory into the config directory, and put the ca.crt, client.crt and client.key files into the config directory as well

      The config file settings are the same as for the CLIENT above

[4.] Start method 1

         -> OpenVPN GUI -> Connect

       Start method 2

         -> Control Panel -> Administrative Tools -> Services -> OpenVPN Service -> Start

 

Management interface

[1.] vi /etc/openvpn/server.conf

#

management localhost 7505

[2.] telnet localhost 7505

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.0.2 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 9 2005
Commands:
auth-retry t : Auth failure retry mode (none,interact,nointeract).
echo [on|off] [N|all] : Like log, but only show messages in echo buffer.
exit|quit : Close management session.
help : Print this message.
hold [on|off|release] : Set/show hold flag to on/off state, or
release current hold and start tunnel.
kill cn : Kill the client instance(s) having common name cn.
kill IP:port : Kill the client instance connecting from IP:port.
log [on|off] [N|all] : Turn on/off realtime log display
+ show last N lines or 'all' for entire history.
mute [n] : Set log mute level to n, or show level if n is absent.
net : (Windows only) Show network info and routing table.
password type p : Enter password p for a queried OpenVPN password.
signal s : Send signal s to daemon,
s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n] : Show current daemon status info using format #n.
test n : Produce n lines of output for testing/debugging.
username type u : Enter username u for a queried OpenVPN username.
verb [n] : Set log verbosity level to n, or show if n is absent.
version : Show current version number.
END

Tarball install

[1.] wget http://openvpn.net/release/openvpn-2.0.5.tar.gz

      tar zxvf openvpn-2.0.5.tar.gz

      cd openvpn-2.0.5

      ./configure

      make

      make install

Building an RPM from the tarball

rpmbuild -tb openvpn-2.0.5.tar.gz

rpm -ivh /usr/src/redhat/RPMS/i386/openvpn-2.0.5-1.i386.rpm

[2.] Create the device node

         mknod /dev/net/tun c 10 200

      vi /etc/modules.conf

alias char-major-10-200 tun

      Load the driver

         modprobe tun

      Enable routing

         echo 1 > /proc/sys/net/ipv4/ip_forward

 

OpenVPN Server + multiple clients & client-to-client

So that several clients can talk to each other

  internal subnet              SERVER                                           CLIENT 1
  192.168.1.0            +------------+                                    +------------+
  255.255.255.0 ---------|            | real ip : 61.219.31.244            |            | real ip : 218.160.157.55
                         |            |--------------------+---------------|            |------ 10.1.1.0 / 255.255.255.0
                         |            | vpn ip  : 10.8.0.1 |               |            | vpn ip  : 10.8.0.10
                         +------------+                    |               +------------+
                                                           |
                                                           |                    CLIENT 2
                                                           |               +------------+
                                                           +---------------|            | real ip : 60.248.111.126
                                                                           |            |------ 192.168.2.0 / 255.255.255.0
                                                                           |            | vpn ip  : 10.8.0.14
                                                                           +------------+

[1.] After each client has been set up as in Net-to-Net above, push both clients' private subnets from the SERVER

      vi /etc/openvpn/server.conf

#

push "route 192.168.2.0 255.255.255.0"

push "route 10.1.1.0 255.255.255.0"

[2.]

      192.168.1.1 PING 10.1.1.99   --> OK

      192.168.1.1 PING 192.168.2.1 --> OK

      192.168.2.1 PING 10.1.1.99   --> OK

      192.168.2.1 PING 192.168.1.1 --> OK

      10.1.1.99   PING 192.168.2.1 --> OK

      10.1.1.99   PING 192.168.1.1 --> OK
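The NET-to-NET steps and the multi-client setup above rely on three things lining up on the server: a kernel 'route' for each client LAN, an 'iroute' in that client's ccd file, and 'push "route ..."' lines so the other clients learn the LAN. An iroute without a covering route is a classic silent failure (the ccd file is read, but the server kernel never hands packets for that LAN to tun0). The following Python script is an added example written for this page, not code from OpenVPN or the original author; it reads server.conf text plus a mapping of Common Name to ccd file text and reports that mismatch, and it returns the routes every client receives via push. The server.conf text is constructed from the page's values, the CN "SSORC" is the page's, and the CN "client2" for CLIENT 2 is a constructed placeholder since the page does not give it.

```python
# Added example for this page (not from OpenVPN or the original post): a
# consistency check for the NET-to-NET / multi-client routing configuration.
# All config text and the Common Name "client2" below are constructed.
import ipaddress


def directives(text):
    """Yield (name, args) per active line; '#'/';' open comment lines; quotes dropped."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.replace('"', "").split()
            yield name, args


def net(addr, mask):
    """'10.1.1.0', '255.255.255.0' -> IPv4Network('10.1.1.0/24')."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def check_net_to_net(server_conf, ccd_files):
    """ccd_files maps Common Name -> text of /etc/openvpn/ccd/<CN>.

    Returns (findings, pushed_routes): findings is a list of problems, and
    pushed_routes lists the networks every connecting client is told to route
    through the tunnel.
    """
    conf = list(directives(server_conf))
    # Kernel-side routes: packets for these LANs are sent into the tun device.
    routes = [net(a[0], a[1]) for n, a in conf if n == "route"]
    # Routes handed to every client at connect time.
    pushed = [net(a[1], a[2]) for n, a in conf if n == "push" and a and a[0] == "route"]
    findings = []
    if ccd_files and not any(n == "client-config-dir" for n, _ in conf):
        findings.append("ccd files given but server.conf has no client-config-dir")
    for cn, text in ccd_files.items():
        for n, a in directives(text):
            if n != "iroute":
                continue
            lan = net(a[0], a[1])
            # The iroute LAN must sit inside some kernel route, or the server's
            # own kernel never forwards packets for it to OpenVPN.
            covered = any(lan.network_address in r and lan.broadcast_address in r
                          for r in routes)
            if not covered:
                findings.append(f"{cn}: iroute {lan} has no covering 'route' in server.conf")
    return findings, pushed


# Constructed server.conf fragment: the page's NET-to-NET route plus the two
# multi-client pushes.  CLIENT 2's LAN is pushed but NOT routed in the kernel.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.1.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 10.1.1.0 255.255.255.0"
"""
# The fix: CLIENT 2's LAN gets its kernel route as well.
SERVER_CONF_FIXED = SERVER_CONF + "route 192.168.2.0 255.255.255.0\n"

# ccd files keyed by Common Name ("client2" is a constructed placeholder CN).
CCD = {
    "SSORC": "iroute 10.1.1.0 255.255.255.0\n",
    "client2": "iroute 192.168.2.0 255.255.255.0\n",
}

if __name__ == "__main__":
    findings, pushed = check_net_to_net(SERVER_CONF, CCD)
    print("findings:", findings)
    print("pushed to every client:", [str(p) for p in pushed])
    print("after fix:", check_net_to_net(SERVER_CONF_FIXED, CCD)[0])
```

To run it against a live server, read /etc/openvpn/server.conf into a string and build the ccd mapping from the files in /etc/openvpn/ccd; the check does not need OpenVPN itself to be running.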

ref: http://wiki.debian.org.tw/index.php/OpenVPN
     http://www.study-area.org/tips/openvpn.html
     http://big5.ccidnet.com:89/gate/big5/tech.ccidnet.com/art/302/20060421/516673_1.html

 

Last modified: 14 November 2006

Comments

Q: openvpn[1149]: client/xx.xx.xx:40701 Authenticate/Decrypt packet error: cipher final failed
A: Use cipher AES-128-CBC in the config files on both the server and the client
