OpenVPN can join two LANs at different physical locations into a single LAN. Because this kind of network configuration needs some networking background, readers who cannot follow it should not force themselves.

OpenVPN's two working modes:

TUN and TAP

  1. TUN, tunnel mode, also called routed mode. By default OpenVPN hands each client an address from a /30 subnet. Routing is harder to configure in this mode, i.e. it is difficult to route whole subnets into the VPN connection, so all addresses have to pass through NAT before they can be reached. It suits end users, or two sites whose network plans have overlapping subnets. The drawback is that the source address of every request made from the client side is rewritten to the OpenVPN client's address, which is hard to manage.
  2. TAP, bridge mode, in which OpenVPN by default hands clients addresses out of the subnet itself. Routing is far more configurable in this mode: addresses need no translation and are sent directly over the VPN into the remote subnet, and when the server receives a client's request the source address is the real IP address. This is well suited to joining networks at two sites.

OpenVPN server deployment: bridge mode

Installing with yum is very convenient. After installation, generate the certificates used for encryption and authentication, then write the server configuration file and start the service.
The server needs two network interfaces: one configured normally with an IP address for communication, the other configured to obtain a dynamic IP (it will be enslaved to the bridge).

Install OpenVPN with yum

```bash
yum install -y epel-release
yum update -y
yum install -y openssl lzo pam openssl-devel lzo-devel pam-devel bridge-utils
yum install -y easy-rsa
yum install -y openvpn
```

Create the bridge

```bash
tee ~/bridge-start.sh <<- 'EOF'
#!/bin/bash
#
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#
# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="ens224"
eth_ip="172.31.30.1"
eth_netmask="255.255.255.0"
eth_broadcast="172.31.30.255"

# Create the persistent TAP device(s)
for t in $tap; do
    openvpn --mktun --dev $t
done

# Create the bridge and enslave the physical interface
brctl addbr $br
brctl addif $br $eth

# Enslave the TAP device(s)
for t in $tap; do
    brctl addif $br $t
done

# Bring the TAP device(s) and the physical interface up without an address
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

# The LAN address now lives on the bridge
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
EOF
chmod +x ~/bridge-start.sh

tee ~/bridge-stop.sh <<- 'EOF'
#!/bin/bash
#
# Tear Down Ethernet bridge on Linux
#
# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done
EOF
chmod +x ~/bridge-stop.sh

# Bring the bridge up now
~/bridge-start.sh
```

## Generate keys

The easy-rsa version is 3.x.

```bash
# the directory name under /usr/share/easy-rsa carries the installed version
cp -rf /usr/share/easy-rsa/3.0.3 /etc/openvpn/server/easy-rsa
cd /etc/openvpn/server/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa build-client-full client nopass
./easyrsa gen-dh
# tls-auth key, shared by server and clients
openvpn --genkey --secret ta.key
```

Configuration file

```bash
# log directory
mkdir -p /var/log/openvpn/
# user management directory
mkdir -p /etc/openvpn/server/user
# permissions
chown openvpn:openvpn /var/log/openvpn
tee /etc/openvpn/server/server.conf <<- 'EOF'
#################################################
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
port 1194
# proto tcp-server
# UDP gives better performance
proto udp
## Enable the management interface
# management-client-auth
# management localhost 7505 /etc/openvpn/user/management-file
# dev tun # TUN/TAP virtual network device
# bridge mode
dev tap0
user openvpn
group openvpn
# certificates
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
# additional protection of the control channel with the pre-shared ta.key
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0
## Using System user auth.
# plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
## Using a script for username/password authentication
auth-user-pass-verify /etc/openvpn/server/user/checkpsw.sh via-env
script-security 3
# client-cert-not-required # Deprecated option
# without a mode argument this defaults to 'require'; 'optional' or 'none' relax it
verify-client-cert
username-as-common-name
## Connecting clients to be able to reach each other over the VPN.
client-config-dir /etc/openvpn/server/user/ccd
client-to-client
## Allow multiple clients with the same common name to concurrently connect.
# duplicate-cn
# client-config-dir /etc/openvpn/server/ccd
# ifconfig-pool-persist ipp.txt
# local 172.31.31.254
# bridge mode: the server's own IP and the address pool handed to clients
server-bridge 172.31.30.1 255.255.255.0 172.31.30.11 172.31.30.254
# topology subnet
# server 172.31.31.0 255.255.255.0
# push "redirect-private def1"
# settings pushed to clients
push "dhcp-option DNS 172.31.26.6"
push "route 172.31.26.0 255.255.255.0"
push "route 172.31.27.0 255.255.255.0"
push "route 172.31.28.0 255.255.255.0"
push "route 172.31.29.0 255.255.255.0"
# comp-lzo - DEPRECATED This option will be removed in a future OpenVPN release. Use the newer --compress instead.
compress lzo
# cipher AES-256-CBC
ncp-ciphers "AES-256-GCM:AES-128-GCM"
## In UDP client mode or point-to-point mode, send server/peer an exit notification if tunnel is restarted or OpenVPN process is exited.
# explicit-exit-notify 1
keepalive 30 360
persist-key
persist-tun
verb 3
# disable periodic re-authentication of connected users
reneg-sec 0
log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
EOF
cd /etc/openvpn/server/
ln -sf server.conf .service.conf
```

Create the credentials file and the authentication script

```bash
tee /etc/openvpn/server/user/psw-file <<- 'EOF'
username password
EOF
chmod 600 /etc/openvpn/server/user/psw-file
chown openvpn:openvpn /etc/openvpn/server/user/psw-file
tee /etc/openvpn/server/user/checkpsw.sh <<- 'EOF'
#!/bin/bash
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# NOTE: failed attempts are written to the log together with
# the submitted password, and the username is spliced into the
# awk program text unquoted; both are worth knowing before using
# this script as-is.
PASSFILE="/etc/openvpn/server/user/psw-file"
LOG_FILE="/var/log/openvpn/password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`
###########################################################
if [ ! -r "${PASSFILE}" ]; then
    echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
    exit 1
fi
CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
if [ "${CORRECT_PASSWORD}" = "" ]; then
    echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
    exit 1
fi
if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
    echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
    exit 0
fi
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1
EOF
chmod +x /etc/openvpn/server/user/checkpsw.sh
```
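The checkpsw.sh above keeps passwords in plaintext, writes the submitted password into password.log on every failed attempt, and splices the username straight into the awk program. As an added example (not the page's script, nor Mathias Sundman's), the following is a hardened counterpart that stores salted SHA-256 hashes, passes the username to awk through `-v`, and logs only the outcome. It still works with `auth-user-pass-verify ... via-env` and `script-security 3` as configured above; the hashed file path `/etc/openvpn/server/user/psw-hashed`, the script name and the `--openvpn` argument are assumptions of this example, while `/var/log/openvpn/password.log` is the page's own log path.

```bash
#!/bin/bash
# Hardened counterpart to checkpsw.sh: added example, not the page's script.
# Password file format (one record per line, written by add_user):
#     username:salt:sha256hex(salt || password)
# Suggested wiring in server.conf (path and --openvpn flag are assumptions):
#     auth-user-pass-verify "/etc/openvpn/server/user/checkpsw-hashed.sh --openvpn" via-env
#     script-security 3

# Where log lines go; empty means stderr (used by the self-demo below).
LOG_FILE=${LOG_FILE:-}

log_event() {
    local line
    line="$(date '+%Y-%m-%d %T'): $1"
    if [ -n "$LOG_FILE" ]; then
        printf '%s\n' "$line" >> "$LOG_FILE"
    else
        printf '%s\n' "$line" >&2
    fi
}

# SHA-256 over the salt immediately followed by the password (coreutils sha256sum).
# The salt is fixed-length hex, so the concatenation is unambiguous.
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# add_user FILE USER PASSWORD: append a record with a fresh 8-byte random salt.
# Colons would break the record layout and backslashes would be escape-processed
# by awk -v, so such usernames are refused (exit status 2).
add_user() {
    local passfile=$1 user=$2 pass=$3 salt
    case $user in
        ''|*:*|*\\*) return 2 ;;
    esac
    salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$user" "$salt" "$(hash_password "$salt" "$pass")" >> "$passfile"
}

# check_user FILE USER PASSWORD: 0 if the pair matches a record, 1 otherwise.
# The username reaches awk through -v, never spliced into the program text,
# so quotes or awk syntax in a submitted name cannot change the comparison.
# The log records time, outcome and username only: never the password.
check_user() {
    local passfile=$1 user=$2 pass=$3 record salt stored
    if [ ! -r "$passfile" ]; then
        log_event "could not open password file \"$passfile\" for reading"
        return 1
    fi
    record=$(awk -F: -v u="$user" '$1 == u && NF == 3 { print $2 ":" $3; exit }' "$passfile")
    if [ -z "$record" ]; then
        log_event "user does not exist: username=\"$user\""
        return 1
    fi
    salt=${record%%:*}
    stored=${record#*:}
    if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
        log_event "successful authentication: username=\"$user\""
        return 0
    fi
    log_event "incorrect password: username=\"$user\""
    return 1
}

# Entry point when OpenVPN runs the script: with via-env the submitted
# credentials arrive as the environment variables username and password.
if [ "${1:-}" = "--openvpn" ]; then
    LOG_FILE=/var/log/openvpn/password.log
    check_user /etc/openvpn/server/user/psw-hashed "${username:-}" "${password:-}"
    exit $?
fi

# Self-demo on a constructed temporary password file (constructed sample data).
demo_file=$(mktemp)
add_user "$demo_file" alice 'correct horse battery'
add_user "$demo_file" 'bob"; system("id")' 'pw'   # hostile-looking name stays a plain string
for attempt in 'alice|correct horse battery' 'alice|wrong' 'mallory|pw' 'bob"; system("id")|pw'; do
    u=${attempt%%|*}; p=${attempt#*|}
    if check_user "$demo_file" "$u" "$p"; then echo "accepted: $u"; else echo "rejected: $u"; fi
done
rm -f "$demo_file"
```

Run without arguments it performs the self-demo; to migrate an existing plaintext psw-file, call `add_user /etc/openvpn/server/user/psw-hashed USER PASSWORD` once per account (the hashed file needs the same `chmod 600` and `chown openvpn:openvpn` as psw-file). Salted SHA-256 is used here because it needs nothing beyond coreutils; a deliberately slow hash (the kind `openssl passwd` or PAM provides) is the better choice where the hash file itself could leak.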

Disable the firewall

In bridge mode, if the firewall is left enabled, remote hosts can be pinged but their ports cannot be reached, because the packets are dropped by the firewall before they reach OpenVPN. The same applies on the client side.

```bash
systemctl disable --now firewalld
```

If tunnel mode is used instead of bridge mode, the firewall must not be disabled; instead NAT (masquerading) has to be enabled in addition.

```bash
# use the following commands in tunnel mode only
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --reload
```

Assign a fixed IP to a user

```bash
# the file name must match the user's common name (here: username)
tee /etc/openvpn/server/user/ccd/username <<- 'EOF'
ifconfig-push 172.31.30.211 255.255.255.0
EOF
chown -R openvpn:openvpn /etc/openvpn/server/user/ccd/
```

Start the service

```bash
# the instance name ".service" selects /etc/openvpn/server/.service.conf, the symlink created above
systemctl start openvpn-server@.service.service
```

Client configuration

If the client is Linux, OpenVPN can be installed the same way. On Windows, the msi package is enough.
Download the generated ca.crt, client.crt, client.key and ta.key from the server to the client, and create the configuration file on the client.

```bash
tee /etc/openvpn/client/client.ovpn <<- 'EOF'
client
proto udp
auth-user-pass
dev tap
# replace SERVER_IP with the server's public address
remote SERVER_IP 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
auth-nocache
# a local route can override the route pushed by the server
route 172.31.28.0 255.255.255.0 net_gateway
persist-tun
persist-key
compress lzo
reneg-sec 0
verb 4
mute 10
EOF
chown -R openvpn:openvpn /etc/openvpn/client/
```

Network routing configuration

On the gateway devices at both sites, add a routing-table entry that points the other site's subnet at the device that logs into the VPN.
The exact configuration varies enormously from device to device and is not covered here. This part should be done by an engineer with network configuration experience; if you don't understand it, don't fiddle with it.