網上關於Openvpn的帖子已經很多了,我這裡也就不多講了,初學者可以去狗狗上搜一下,總有幾篇不錯的帖子,自己看了一下,大部分是將windows平台和Linux平台的,都還可以的。這裡呢,灑家只想講一下麒麟上openvpn的配置中特殊的問題以及一些注意事項,希望促進麒麟的推廣,支持國有軟件嗎!:)
1. 關於Openvpn
OpenVPN 是一個基於 OpenSSL 庫的應用層 VPN 實現。和傳統 VPN 相比,它的優點是簡單易用。詳細信息可以參考 http://www.openvpn.net (http://www.openvpn.net/)。
利用Openvpn可以實現網絡上的安全傳輸、安全認證,從而實現虛擬專用網絡的應用模式。Openvpn配置簡單,可選項多,包括認證方式(證書或用戶名+密碼)、加密算法及強度(常用的加密算法,也可以自己在Openssl裡面添加)、證書形式(證書管理形式)、傳輸模式(壓縮與否)等等。
一般說來,利用Openvpn可以實現以下安全傳輸模式:
1、 點對點的安全通信(認證加加密傳輸);
2、 點對多點的安全通信(client/ server模式);
3、 虛擬專用網(上等武功^_^)。
更多的說明去網站看吧。這裡主要講基於證書的虛擬專網配置。
目前,Openvpn已經出到了穩定版本2.0.7,測試版本2.1_beta14,更新的很快哦,已經支持PKCS11#的硬件設備了。
2. 不同版本麒麟上的Openvpn配置方法
網上的帖子大多是針對windows和Linux下的Openvpn的配置和使用。
Windows下面最簡單了,Setup——〉修改Sample config files——〉啟動服務。基本一下就OK了。
Linux下面稍微復雜些,看說明文檔來安置lzo、openssl和openvpn。然後也是修改配置文件,作為基本篇,改一下Sample config files就可以了。然後啟動服務,連接也就OK了。
當然,記得要生成證書阿!看Openvpn的How to,基本上是Step by Step了。
下面咱們來用麒麟配一下Openvpn。
1、軟件安裝
首先,下載安裝所需的文件:lzo-ver.tar.gz 和openvpn-ver –tar.gz。
接下來,安裝軟件
lzo-ver.tar.gz
tar –xzf lzo-ver-.tar.gz
cd lzo*
./configure
make
make install
然後就不用管它了。
openvpn-ver –tar.gz
tar –xzf openvpn-ver-.tar.gz
cd openvpn*
./configure
make
make install
軟件安裝完畢。
2、生成證書
然後,來生成需要的密鑰對。
進入目錄openvpn/easy-rsa
運行如下命令:
. ./vars (注意,兩個點之間有空格的)
./clean-all
./build-ca(初始化PKI)
./build-key-server server(為服務器生成證書和私鑰)
./build-key client1 (為客戶端1生成證書和私鑰)
./build-key client2
./build-dh 生成diffie Hellman參數
完成後,按照密鑰文件表格存放文件
Filename Needed By Purpose Secret
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
client2.crt client2 only Client2 Certificate NO
client2.key client2 only Client2 Key YES
3、配置服務器和客戶端
證書和密鑰都放好了,就可以開始配置Openvpn。為了簡單,我們可以把證書和密鑰都放在sample_config_files目錄下面,然後修改配置文件。
先來Server端的,修改server.conf。
貼個例子上來說明一下:
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
#偵聽地址,可以不改
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
#偵聽端口號,想省事也可以不動
# TCP or UDP server?
;proto tcp
proto udp
#傳輸協議,二選一,客戶端和服務器端一致就行啦
;dev tap
dev tun
#VPN需要的虛擬網絡設備。如果是以太網橋接模式才選擇TAP,否則一般都用TUN。不過Windows系統上都叫TAP32,但是這裡還是要寫TUN的。
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
#Windows下需要讓TAP的名字和網絡設備上的名字一樣(手工修改一下了)
#其實不用管它的,就這樣注釋著好了。
# 此處刪去E文若干行
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
#這裡要把文件路徑和名字都制定對了。如果證書和server.conf都放在一個目錄下,就比較省事了,管它什麼系統都不用改配置文件了。否則,記得別把路徑寫錯了阿。、
# Diffie hellman parameters.
dh dh1024.pem
#不用改動
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
#服務器的IP地址分配定義。OPENVPN缺省是DHCP的,每個證書對應一個IP(實際是一對以Point-to-point相連的IP)。
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
#不用改動
# Configure server mode for ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
#橋接采用,不用管
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
#讓客戶端互通的路由配置,根據需要更改
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
#高級功能,一般不用管它了。
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
#賦固定IP
//此處刪去無用配置若干行
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
#讓客戶端互通的配置
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
#多個客戶端共用一套證書的設置,否則一對一的,後連的會失敗。
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
#放著吧
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
#高級阿,還是放著不動吧
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
#可以不改,缺省是BF-CBC。也可以讓它不加密,改為
#cipher none #不加密的
#注意通信的兩端要一致。
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
#裝了lzo就啟用吧,兩邊配對。
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
#最大客戶端連接數
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
#安全性手段,適用於非windows系統。
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
#就這樣吧
#日志相關部分,已省略;
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
#看E文
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
#確定存活性的定期通信
#################################################
不少選項,其實不用改什麼。只要:選對需設備、設好VPN的IP地址、寫對證書文件就可以了。其它的,讓服務器段和客戶端一致就行了。
下面是客戶端的配置文件,只列出需要修改的地方:
# 選擇 TUN/TAP interface.
;dev tap
dev tun
#通信協議
;proto tcp
proto udp
# 服務器地址和端口
remote my-server-1 1194
# 客戶端證書文件
ca ca.crt
cert client.crt
key client.key
#加密方式,和服務器一致
;cipher x
#一致就行
comp-lzo
客戶端配置完畢。
4、啟動OPENVPN
在windows或者linux上配過Openvpn的兄弟都知道,這裡好像最沒話可說了,可偏偏Openvpn不支持咱們的國產Kylin,要手工國產化一下才能連通,這是後話,先說下windows和linux下的啟動。
Windows下面:選中配置文件server.ovpn,右鍵選擇啟動“用該配置文件啟動Openvpn”,再等上半分鐘,顯示啟動ok,服務器端在偵聽了。
然後是客戶端的client.ovpn,右鍵選擇啟動“用該配置文件啟動Openvpn”,彈出了運行窗口,連接服務器、驗證證書、獲取IP地址、連接ok。此時的服務器端也會顯示連接情況(當然是前台運行時)。
試一下通不通:
Client: ping 10.8.0.1
Server:ping 10.8.0.*
通了嗎?
不通阿?你的XP防火牆開著呢吧?IP寫對了吧?
那就應該通了。
恭喜恭喜。
Linux下面也差不多,命令換一下:
Server: >openvpn server.conf
Client:>openvpn client1.conf
不通是你自己的問題了。
測試通過:windows xp;Federo Core; Free Bsd
然後是Kylin了!
首先采用Kylin 1.4!
啟動命令:
Server: > openvpn server.conf
Client:>openvpn client.conf
Ping一下,
Server:> Ping 參數錯誤
Client:>ping 參數錯誤
怪啦,支持的不行啊,咋就不通呢。
來看看屏幕信息,報錯了!
Server:錯誤1:沒找到TUN
我:TUN是Linux上的,Kylin上叫TUN0。再往下看。
Server: 找到TUN0。
我:也行啊,設備沒問題。
Server: route: bad address: netmask
原來不認識這個啊。看一下路由表。
Server: netstat –rn //記住這個命令,常用的
細看一下,沒有VPN的路由阿。原來如此啊。自己動手吧。
Server: man route
原來和linux的添加命令不同啊。自己來改
Server> /sbin/route add –net 10.8.0.0 –netmask 255.255.255.0 –gateway 10.8.0.2
Server> netstat –rn
Route table: 10.8/16 10.8.0.2 UGS 0 0 tun0
再看,有了吧。
同樣修改客戶端的:
Client> /sbin/route add –net 10.8.0.1 –netmask 255.255.255.255 –gateway 10.8.0.* (給你分配的客戶端IP地址)
Client> netstat –rn
Client route table: 10.8.0.1/32 10.8.0.5 UGS 0 0 tun0
再ping一下看看,通了吧!
來分析一下吧。
OPENVPN將Kylin理解為Linux(因為它的Linux兼容),因此采用了Linux的路由命令(見route.c),造成了路由添加錯誤。手動添加後就好啦。
其次,服務器端還會報錯誤
Server> enable extened error passing on TCP/UDP socket failed: Invalid argument
這個錯誤是因為mtu.c中的setsockopt()函數調用傳遞了一個Kylin不識別的參數,只是用來傳遞調試信息,可以不理它,Openvpn可以正常運行。
測試一下,Kylin1.4和Kylin、windows、Linux都正常通信。抓下報文看看,真的加密了哦。
升級一下麒麟,來看看Kylin2.0 吧。
前面都一樣,不多說啦。
手工添加路由後……
死活ping不通阿!急啊!
再看路由表:
Server>netstat –rn
Route table: 10.8/16 10.8.0.2 UGS 0 0 bge0
吐血阿,明明給tun0的報文,怎麼給了真實網絡設備了,難怪不同了。
Man route;
Info route;
Google route
硬是沒找到怎麼直接把網絡接口改成tun0的,難道要自己寫程序改阿?
氣暈了就亂試,終於被俺找到一條捷徑:
Server:
Server> ifconfig 先看看IP地址
Server>tun0: inet addr: 10.8.0.1 P-t-P: 10.8.0.2
Tun0設備的ip是0.1,那就手工加一條路由先:
Server>/sbin/route add –host 10.8.0.2 –gateway 10.8.0.1 –interface *.*.*.*(你的真實IP地址)
Server>netstat –rn
Route table: && 10.8.0.1 US 0 0 tun0
終於接上頭了,再來添加正確路由。
Server> /sbin/route add –net 10.8.0.0 –netmask 255.255.255.0 –gateway 10.8.0.2
Server> netstat –rn
Route table: 10.8/16 10.8.0.2 UGS 0 0 tun0
可以了。
同樣修改客戶端。
Client>ifconfig
client>tun0: inet addr: 10.8.0.6 P-t-P: 10.8.0.5
Client>/sbin/route add –host 10.8.0.5 –gateway 10.8.0.6 –interface *.*.*.*(你的真實IP地址)
Client> /sbin/route add –net 10.8.0.1 –netmask 255.255.255.255 –gateway 10.8.0.* (給你分配的客戶端IP地址)
路由表正確了。再測試一下,Kylin1.4和Kylin2.0、windows、Linux都正常通信。
至此,大功告成。
3. 尾聲
Kylin的影響力畢竟有限,不能讓Openvpn把針對它的編譯選項加上,不過,憑借著Linux的兼容,完全能夠使用Openvpn了。
利用Openvpn可以構建多個平台下的安全虛擬專網,對於具有更高安全性,並且還是國產的Kylin操作系統來說,作為VPN中的服務器還是有前途的。
還沒有測試Kylin 2.1是不是解決了這個小問題了,也沒有測試Openvpn的有一些高級設置。下次搞好了,再來個Openvpn配置的高級篇吧。
