VPN基本概念
虛擬專用網VPN
功能:在不安全的公共網絡上建立安全的專用網絡,進行數據加密傳輸
VPN與隧道技術
隧道協議包括
乘客協議:被封裝的協議,如PPP,SLIP
封裝協議:隧道的建立、維持及斷開,如L2TP、IPSec
承載協議:承載經過封裝後的數據包的協議,如IP
實例部署
一、環境部署
內網主機(slave1)vpnserver(master) vpnclient(slave2)
192.168.1.0/24 192.168.1.1 202.102.1.2
202.102.1.1
在內網主機上指定網關:
[root@slave1 ~]# ip route
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.1.1 dev eth0
添加內、外網接口地址
[root@master ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:1f:e0:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
inet6 fe80::20c:29ff:fe1f:e045/64 scope link
valid_lft forever preferred_lft forever
[root@master ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:1f:e0:4f brd ff:ff:ff:ff:ff:ff
inet 202.102.1.1/24 brd 202.102.1.255 scope global eth1
inet6 fe80::20c:29ff:fe1f:e04f/64 scope link
valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
[root@master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
二、CA證書簽發
流程如下:創建CA/為VPN Server簽發證書 /為VPN Client簽發證書 / 生成密鑰交換參數文件
1、CA配置 並為vpnserver和vpnclient生成私鑰及簽名證書 (在vpnserver端完成)
安裝openvpn相關軟件
[root@vpnserver OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm //用於數據壓縮
[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
生成CA私鑰和證書文件:
[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@vpnserver easy-rsa]# ls
2.0 build-key build-req make-crl revoke-full
build-ca build-key-pass build-req-pass openssl.cnf sign-req
build-dh build-key-pkcs12 clean-all README vars
build-inter build-key-server list-crl revoke-crt Windows
[root@vpnserver easy-rsa]# chmod +x *
[root@vpnserver easy-rsa]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="uplooking"
export KEY_EMAIL="[email protected]"
[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver easy-rsa]# ./clean-all #清除keys目錄下以前的證書文件
[root@vpnserver easy-rsa]# ./build-ca #生成ca私鑰和證書
Generating a 1024 bit RSA private key
..........................++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []: ca.example.com
Email Address [[email protected]]:
[root@vpnserver easy-rsa]# ls//查看生成了keys目錄
2.0 build-key-pass clean-all README Windows
build-ca build-key-pkcs12 keys revoke-crt
build-dh build-key-server list-crl revoke-full
build-inter build-req make-crl sign-req
build-key build-req-pass openssl.cnf vars
[root@vpnserver easy-rsa]# ls keys/
ca.crt ca.key index.txt serial
2、生成vpnserver的私鑰和證書:
[root@vpnserver easy-rsa]# ./build-key-server vpnserver
Generating a 1024 bit RSA private key
..................................................++++++
.........................++++++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []:vpnserver.example.com
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'uplooking'
commonName :PRINTABLE:'vpnserver.example.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]# ls keys/
01.pem index.txt serial vicvpnserver.csr
ca.crt index.txt.attr serial.old vicvpnserver.key
ca.key index.txt.old vicvpnserver.crt
3、為每一個client生成的私鑰和證書:
[root@vpnserver easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
............................++++++
...................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []: client1.example.com
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'uplooking'
commonName :PRINTABLE:'client1.example.com'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4、查看相關的證書和私鑰
[root@vpnserver easy-rsa]# ls keys/
01.pem client1.crt index.txt.attr serial.old
02.pem client1.csr index.txt.attr.old vicvpnserver.crt
ca.crt client1.key index.txt.old vicvpnserver.csr
ca.key index.txt serial vicvpnserver.key
5、創建密鑰協商參數文件
[root@vpnserver easy-rsa]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........+...+.........................+.........+........................+.........................+..........+....................+........................+
...........................+..................................+................................................+.............+............................+............
.....................+..+............+................................................................+.........................+...........................+.........
...........+.......................+.....................................+.................................................+...........................+.................
.......................+...........+..............................+....................................+......+..........................................................
.............................................+..............................................+.................+....................................+.......................
................................++*++*++*
三、VPN Server配置
前提:開啟VPNServer的ip_forward功能
1、檢查相應的密鑰文件
[root@master keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@master keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
[root@master keys]# ls /etc/openvpn/
ca.crt vpnserver.crt vpnserver.key
[root@master easy-rsa]# cp keys/dh1024.pem /etc/openvpn/
2、配置VPN Server
[root@master ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
//openvpn server配置文件
[root@master ~]# vim /etc/openvpn/server.conf
[root@master ~]# grep -P -v "^(#|;|$)" server.conf
local 202.102.1.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
3、啟動VPN服務器
[root@master ~]# service openvpn start
[root@master ~]# chkconfig openvpn on
[root@master ~]# ip addr sh tap0
13: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/ether 12:31:8b:9a:e3:02 brd ff:ff:ff:ff:ff:ff
inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
inet6 fe80::1031:8bff:fe9a:e302/64 scope link
valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
四、VPN Client配置
1、基本環境准備
[root@slave2 ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
[root@slave2 OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm
[root@slave2 OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
2、從vpnserver復制相應的密鑰
[root@slave2 openvpn]# cd /etc/openvpn/
[root@slave2 openvpn]# ls c*
ca.crt client1.crt client1.key
3、配置vpnserver
[root@slave2 openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
[root@slave2 openvpn]# vi /etc/openvpn/client.conf
[root@slave2 openvpn]# grep -P -v "^(;|#|$)" client.conf
client
dev tap
proto udp
remote vpn.example.com 1194 #此FQDN必須對應vpnserver外網網卡的IP
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
4、啟動並測試
[root@slave2 ~]# service openvpn restart
[root@slave2 ~]# chkconfig openvpn on
[root@slave2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:77:2a:9c brd ff:ff:ff:ff:ff:ff
inet 192.168.2.3/24 brd 192.168.2.255 scope global eth0
inet6 fe80::20c:29ff:fe77:2a9c/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:77:2a:a6 brd ff:ff:ff:ff:ff:ff
inet 202.102.1.2/24 brd 202.102.1.255 scope global eth1
inet 172.16.80.58/24 scope global eth1
inet6 fe80::20c:29ff:fe77:2aa6/64 scope link
valid_lft forever preferred_lft forever
10: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/ether c6:b9:f9:45:99:3a brd ff:ff:ff:ff:ff:ff
inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0
inet6 fe80::c4b9:f9ff:fe45:993a/64 scope link
valid_lft forever preferred_lft forever
[root@slave2 ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.3
192.168.1.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
五、VPN技術擴展
1、基於帳號方式驗證
1). vim /etc/openvpn/server.conf添加以下內容
#########auth password########
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
#client-cert-not-required
username-as-common-name
##############################
以上三行的內容分別表示:指定用戶的認證腳本;不請求客戶的CA證書,使用User/Pass驗證,如果同時啟用證書和密碼認證,注釋掉該行;使用客戶提供的UserName作為Common Name
2). vim /etc/openvpn/checkpsw.sh添加以下內容
#!/bin/sh
########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <[email protected]>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
########################################################
if [ ! -r "${PASSFILE}" ]; then
echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
[root@node4 openvpn]# ll checkpsw.sh
-rwxr--r-- 1 root root 1191 Sep 17 23:52 checkpsw.sh
[root@node4 openvpn]# chown nobody.nobody checkpsw.sh
3).建立用戶名、密碼的列表文件:/etc/openvpn/psw-file
文件的格式:用戶名<Tab>密碼
user1 pass
user2 pass
[root@node4 openvpn]#chmod 400 /etc/openvpn/psw-file
[root@node4 openvpn]#chown nobody.nobody /etc/openvpn/psw-file
4).修改vpn客戶端的配置文件
一是注釋掉(當然也可以不注釋證書加密)
;cert client1.crt
;key client1.key
二是增加驗證時詢問用戶名和密碼
auth-user-pass
2、安裝WidnowsVPN客戶端
1).從http://openvpn.se/files/上下載與openvpn服務器版本一致的Windows客戶端“OpenVPN GUI For Windows”
a)例如,服務器裝的是OpenVPN 2.09,那麼下載的OpenVPN GUI fow windows應該是: openvpn-2.0.9-gui-1.0.3-install.exe
2).執行openvpn-2.0.9-gui-1.0.3-install.exe。一切采用默認設置。
3).將ca.crt、client1.crt、client1.key復制到C:\Program Files\OpenVPN\config。(不同用戶使用不同的證書,每個證書包括.crt和.key兩個文件,如client2.crt和client2.key)
4).在/root/openvpn-2.0.9/sample-config-files/client.conf的基礎上建立客戶端配置文件,改名為C:\Program Files\OpenVPN\config\client.ovpn,即先在服務器上建立配置文件,然後再上傳改名到客戶機上。
a) proto udp改成proto tcp
b) remote那行改成
192.168.1.103 1194
c) ca那3行改為
ca ca.crt
cert client1.crt
key client1.key
d)注釋掉comp-lzo
連接:在右下角的openvpn圖標上右擊,選擇“Connect”。正常情況下應該能夠連接成功,分配正常的IP
http://xxxxxx/Linuxjc/1156057.html TechArticle
