III (21) VPN


A VPN (virtual private network) is a technology that relies on an ISP or NSP to build a private data communication network on top of a public network. It provides secure data-transfer tunnel services between enterprises, or between an individual and an enterprise. In a VPN, the connection between any two points does not use the end-to-end physical link a traditional private network needs; it is assembled dynamically from public network resources. It can be understood as a network emulated on top of the public data network through private tunneling technology, with the same function as a private network (point-to-point leased-line technology). "Virtual" means no real long-distance physical link has to be laid; the public Internet is borrowed instead.

What a VPN is for: it establishes a trusted secure connection, or a LAN-style connection, between the company's internal network and its remote users (on business trips or at home), branch offices, business partners, suppliers and other companies, ensuring encrypted data transmission and access to business services. For operations staff it can also link different server rooms so that LAN-level business traffic can flow between them.


VPN classification, by common enterprise use, into 4 categories:

1. Remote-access VPN service (a PC dials in remotely to the corporate office network to reach the domain controller, file server, OA system, ERP, HTTP services, internal chat tools and other LAN applications); for operations staff, a PC dials in remotely to the company's IDC server room to maintain intranet servers, DBs, storage and so on (servers generally have no public IP);

2. Intranet VPN service between enterprise sites (a VPN connection between a branch office's LAN and the headquarters LAN), e.g. business settlement between supermarket stores;

3. VPN service between an Internet company's multiple IDC server rooms (a concern of operations and architecture staff: business management and business data flow between server rooms);

4. Extranet VPN service (a VPN between a supplier's or partner's LAN and the company's own LAN);

5. Accessing foreign websites (circumvention use).



Common tunneling protocols:

PPTP (point-to-point tunneling protocol), developed by Microsoft and 3Com, uses PAP/CHAP authentication and the MPPE encryption algorithm and creates a VPN across a TCP/IP-based data network. PPTP allows IP traffic to be encrypted. The typical open-source implementation on Linux is pptp. It is commonly used for a user client dialing in to a remote corporate office and is not well suited to enterprise-to-enterprise communication.

L2TP (layer 2 tunneling protocol) is the successor to PPTP, developed by the IETF on the basis of L2F (Cisco's Layer 2 Forwarding protocol); it is an industry-standard Internet tunneling protocol.

IPSec (IP security) is really a protocol suite rather than a single protocol. In IPSec tunnel mode the whole process is encapsulate, route, decapsulate: the tunnel hides (encapsulates) the original packet inside a new packet, which may carry new addressing and routing information, and the new packet is what travels across the network. When tunneling is combined with encryption of the data, an eavesdropper on the network cannot obtain the original packet or its true source and destination. When the encapsulated packet reaches the tunnel endpoint the outer encapsulation is removed and the original packet header is used to route the packet to its final destination. IPSec is commonly used to link IDC server rooms into one LAN.

SSL VPN: the SSL protocol (sitting between the transport and application layers) provides data confidentiality, endpoint authentication and message integrity. SSL consists of several sub-protocols (the handshake protocol and the record protocol). The handshake protocol lets server and client authenticate each other and negotiate an encryption algorithm and cipher keys before the application protocol sends its first byte of data; during data transfer the record protocol uses the keys produced by the handshake to encrypt and decrypt the exchanged data. SSL is independent of the application: any application can benefit from its security without caring about the implementation details, and SSL is supported by almost every web browser. These last two points are what make SSL usable for a VPN; the typical SSL VPN application is OpenVPN.

Notes:

PPTP and L2TP both encapsulate data with PPP and then add an extra header for transmission over the Internet;

PPTP establishes only a single tunnel between two endpoints, while L2TP supports multiple tunnels between two endpoints;

PPTP requires the internetwork to be a TCP/IP network, whereas L2TP is broader and only requires the tunnel medium to provide packet-oriented point-to-point connectivity, such as frame relay;

PPTP does not support tunnel authentication, while L2TP can provide it;

PPTP and L2TP are generally used together with IPSec, which takes care of tunnel authentication and data encryption.


[Figure: III(二十一) OpenVPN(1)_virtualPN]



Open-source VPN implementations:

PPTP VPN (its biggest advantage is that no client needs to be installed on Windows: the OS ships its own dial-up software and supports PPTP VPN dial-up by default, so it suits remote enterprise users dialing in to work, a point-to-point use; however, many residential network devices do not support PPTP, which makes the VPN unreachable);

SSL VPN (OpenVPN; it covers the PPTP VPN scenarios and also suits an uninterrupted VPN connection between a company's headquarters and its remote branches for enterprise applications such as ERP, OA and instant messaging; client software must be installed);

IPSec VPN (Openswan; suited to an always-on or on-demand VPN between headquarters and remote branches, or between multiple IDC server rooms; simple to deploy and use).


Suggestions for choosing a VPN solution according to the production scenario:

1. If the company has ample funds, choose a hardware product; firewalls, LB (load balancer) appliances and similar hardware all come with VPN functionality;

2. For an Internet company, to show the value of the operations architect, open-source products are the first choice. Advantages: they save money, scale well (each server room can run two VPN servers for high availability) and can be customized;

3. Among open-source products, choose OpenVPN for individual dial-in (powerful, stable and reliable), or PPTP if you do not want to install a separate dial-in client; for interconnecting multiple enterprises or multiple IDC server rooms choose IPSec VPN or OpenVPN. These two cover every enterprise need.



OpenVPN is a C/S-architecture pioneer among open-source VPNs on Linux. It offers good access performance and a friendly user GUI, and lets users authenticate with private keys, third-party certificates or username/password. It makes heavy use of the OpenSSL crypto library (it depends on openssl) and the SSLv3/TLSv1 protocols, and runs on Linux, xBSD, Mac and Windows. OpenVPN is not a web-based VPN and is not compatible with IPSec or other VPN packages; being C/S software, the OpenVPN client must be installed separately (its one disadvantage compared with PPTP).

SSL (secure sockets layer) is a security protocol created to provide security and data integrity for network communication. SSL encrypts network communication at the transport layer and uses public-key technology to guarantee the confidentiality and reliability of communication between two applications, so that traffic between client and server applications cannot be eavesdropped by an attacker; it is the industry standard for confidential communication on the Internet.

TLS (transport layer security), the successor to SSL, uses cryptographic algorithms to provide endpoint authentication and communication confidentiality on the Internet; its foundation is the public key infrastructure (PKI).

How OpenVPN encrypts communication: it uses TLS encryption, i.e. public-key (asymmetric: public key and private key) cryptography to protect the data. Server and client must hold certificates issued by the same CA; the two sides exchange certificates to verify each other's legitimacy and decide whether to establish the VPN connection. Each side then encrypts the data-encryption key it is currently using with the other side's CA-signed certificate (its public key) and sends it over; because only the private key matching that certificate can decrypt the string, the key stays secure. The key is also changed periodically, so before an eavesdropper has cracked one key the two sides have already switched to a new one.

OpenVPN's authentication methods: pre-shared key (the simplest; usable only for point-to-point VPNs); PKI-based third-party certificates (the most complete, but maintaining the PKI takes extra effort); username/password (still needs a CA certificate for encryption); others (LDAP or unified authentication).

OpenVPN communication principle: it works over a single IP port (1194 by default, UDP by default, TCP also supported); its technical core is the virtual network interface plus the SSL protocol.


Scenario: a user dials in remotely to the enterprise OpenVPN server:

[Figure: III(二十一) OpenVPN(1)_virtualPN_02]

Notes on the figure above:

172.16.1.x is the LAN address range and 10.96.20.113 simulates the public address; once a user connects to the VPN server they can reach any computer on the LAN;

after the VPN service starts it has a virtual interface address in 10.8.0.x; after a client dials in to the VPN server it uses a 10.8.0.x address when accessing servers on the LAN;

there are two ways to establish communication between the client and the LAN servers:

Option 1: on LAN server{1,2,...}, either add 172.16.1.11 as the default gateway or add a network route; otherwise the client will not receive the reply packets from LAN server{1,2};

Option 2: implement NAT on the VPN server, translating 10.8.0.x to 172.16.1.11 on the VPN server.


Interconnecting enterprise IDC server rooms (IPSec VPN):

[Figure: III(二十一) OpenVPN(1)_virtualPN_03]

Notes on the figure above:

If the VPN server uses OpenVPN, one end must be the server and the other the client, and the client requests the connection to the server;

If the VPN server uses IPSec VPN, both ends are servers; with many IDC server rooms, avoid ring-shaped connections and use one-to-many interconnection;

Three IDC server rooms do LDAP authentication: one room is openvpn-server and ldap-primary, the other rooms are openvpn-client and ldap-slave; all inter-room communication goes through the VPN tunnel, each room handles its own authentication, and only when the primary fails does a slave take over for remote use.

Note: OpenVPN or IPSec between server rooms is mostly for functional applications; for bulk data transfer where real-time delivery is not required it is not suitable, and a dedicated fiber line should be used instead.

[Figure: III(二十一) OpenVPN(1)_virtualPN_04]

Notes on the figure above:

Application scenarios: enterprise interconnection; data synchronization and backup; reading/writing data across sites (for a single business with a cross-site cluster architecture, it is best to do writes across sites and keep reads to a minimum).



OpenVPN hands-on (install the OpenVPN client on a physical PC, dial in remotely to the VPN server and manage multiple servers on the LAN):

win-client: 10.96.20.252

VPN server: a VMware virtual machine, bridged, eth0: 10.96.20.113, eth1: 172.16.1.11

LAN server1: a VMware virtual machine, bridged, eth0: 172.16.1.12

[Figure: III(二十一) OpenVPN(1)_virtualPN_05]



VPN server side:

[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@localhost ~]# uname -rm
2.6.32-431.el6.x86_64 x86_64
[root@localhost ~]# yum grouplist
...
Installed Groups:
   Additional Development
   Base
   Compatibility libraries
   Debugging Tools
   Desktop
   Desktop Platform
   Desktop Platform Development
   Development tools
   Dial-up Networking Support
   Directory Client
   E-mail server
   Fonts
   General Purpose Desktop
   Graphical Administration Tools
   Hardware monitoring utilities
   Internet Browser
   Legacy UNIX compatibility
   Legacy X Window System compatibility
   MySQL Database client
   Network Infrastructure Server
   Networking Tools
   Performance Tools
   Perl Support
...
[root@localhost ~]# service ntpd status
ntpd is stopped
[root@localhost ~]# ntpdate pool.ntp.org #(sync the clock now, or sync against Windows' time.windows.com)
14 Jul 03:02:51 ntpdate[3187]: step time server 115.28.122.198 offset -61.726348 sec
[root@localhost ~]# date
Thu Jul 14 03:02:55 PDT 2016
[root@localhost ~]# crontab -e
#time sync
*/5 * * * * /usr/sbin/ntpdate pool.ntp.org &> /dev/null
[root@localhost ~]# service crond restart
Stopping crond: [ OK ]
Starting crond: [ OK ]
[root@localhost ~]# mkdir -pv /home/webgame/tools/openvpn #(designate one directory for software to be installed; everyone should install software under the designated directory)
mkdir: created directory `/home/webgame/tools'
mkdir: created directory `/home/webgame/tools/openvpn'
[root@localhost ~]# cd !$
cd /home/webgame/tools/openvpn

http://www.oberhumer.com/opensource/lzo/ (lzo download)

https://openvpn.net/index.php/download/community-downloads.html (latest version download)

http://swupdate.openvpn.org/community/releases/ (older version downloads)


[root@localhost openvpn]# rz
[root@localhost openvpn]# ll
total 1476
-rw-r--r--. 1 root root 594855 Jul 14 03:48 lzo-2.09.tar.gz
-rw-r--r--. 1 root root 911158 Jul 14 03:58 openvpn-2.2.2.tar.gz
[root@localhost openvpn]# tar xf lzo-2.09.tar.gz
[root@localhost openvpn]# cd lzo-2.09
[root@localhost lzo-2.09]# ./configure
[root@localhost lzo-2.09]# make
[root@localhost lzo-2.09]# echo $?
0
[root@localhost lzo-2.09]# make install
...
[root@localhost lzo-2.09]# cd ../
[root@localhost openvpn]# rpm -qa openssl-devel
openssl-devel-1.0.1e-15.el6.x86_64
[root@localhost openvpn]# tar xf openvpn-2.2.2.tar.gz
[root@localhost openvpn]# cd openvpn-2.2.2
[root@localhost openvpn-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib

Note: when compiling version 2.3.11, first install the openssl-devel, pam-devel and lzo-devel packages; the --with-lzo-headers and --with-lzo-lib options are not needed at compile time, and 2.3.11 does not ship easy-rsa, which must be downloaded from https://github.com/OpenVPN/easy-rsa/archive/master.zip

[root@localhost openvpn-2.2.2]# make && make install
...
[root@localhost openvpn-2.2.2]# cd ..
[root@localhost openvpn]# which openvpn
/usr/local/sbin/openvpn


[root@localhost openvpn]# cd openvpn-2.2.2/easy-rsa/2.0/ #(this directory holds only scripts; the pkitool script reads the vars file directly and generates certificates non-interactively)
[root@localhost 2.0]# ls
build-ca build-key build-key-server clean-all Makefile openssl-1.0.0.cnf revoke-full whichopensslcnf
build-dh build-key-pass build-req inherit-inter openssl-0.9.6.cnf pkitool sign-req
build-inter build-key-pkcs12 build-req-pass list-crl openssl-0.9.8.cnf README vars
[root@localhost 2.0]# cp vars vars.backup_20160714
[root@localhost 2.0]# vim vars #(this file differs between 2.0.9 (5 entries) and 2.2.2 (11 entries); the export lines at its end create the environment variables, i.e. the settings the scripts will use)
...
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="ShangHai"
export KEY_ORG="qikai"
export KEY_EMAIL="chaizaowen@163.com"
export KEY_EMAIL=chaizaowen@163.com
export KEY_CN=CN
export KEY_NAME=qikai
export KEY_OU=qikai
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[root@localhost 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@localhost 2.0]# ./clean-all #(removes all existing certificates and creates the files and directories needed to generate the CA certificate and key)


[root@localhost 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [CN]:qikai
Name [qikai]:
Email Address [chaizaowen@163.com]:
[root@localhost 2.0]# ll keys/ #(.crt = certificate, ca.key = the CA private key)
total 12
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 0 Jul 14 04:28 index.txt
-rw-r--r--. 1 root root 3 Jul 14 04:28 serial


[root@localhost 2.0]# ./build-key-server server #(generate the VPN server's key and certificate)
Generating a 1024 bit RSA private key
...........++++++
..............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [server]:
Name [qikai]:
Email Address [chaizaowen@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:qikai
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'qikai'
organizationalUnitName:PRINTABLE:'qikai'
commonName :PRINTABLE:'server'
name :PRINTABLE:'qikai'
emailAddress :IA5STRING:'chaizaowen@163.com'
Certificate is to be certified until Jul 13 06:15:27 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ll keys/ #(server.crt, server.key and server.csr were generated)
total 40
-rw-r--r--. 1 root root 4000 Jul 14 23:15 01.pem
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 121 Jul 14 23:15 index.txt
-rw-r--r--. 1 root root 21 Jul 14 23:15 index.txt.attr
-rw-r--r--. 1 root root 0 Jul 14 04:28 index.txt.old
-rw-r--r--. 1 root root 3 Jul 14 23:15 serial
-rw-r--r--. 1 root root 3 Jul 14 04:28 serial.old
-rw-r--r--. 1 root root 4000 Jul 14 23:15 server.crt
-rw-r--r--. 1 root root 769 Jul 14 23:15 server.csr
-rw-------. 1 root root 916 Jul 14 23:15 server.key


[root@localhost 2.0]# ./build-key test #(generate a client key; a key generated with build-key needs no password when dialing in, whereas one generated with the build-key-pass script requires a password at dial-in time, i.e. the dial-in password; everyone in the company (every remote-login user) should have their own .crt and .key files)
Generating a 1024 bit RSA private key
..............++++++
.............................++++++
writing new private key to 'test.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [test]:
Name [qikai]:
Email Address [chaizaowen@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:qikai
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'qikai'
organizationalUnitName:PRINTABLE:'qikai'
commonName :PRINTABLE:'test'
name :PRINTABLE:'qikai'
emailAddress :IA5STRING:'chaizaowen@163.com'
Certificate is to be certified until Jul 13 06:22:10 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ll keys/
total 64
-rw-r--r--. 1 root root 4000 Jul 14 23:15 01.pem
-rw-r--r--. 1 root root 3872 Jul 14 23:22 02.pem
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 240 Jul 14 23:22 index.txt
-rw-r--r--. 1 root root 21 Jul 14 23:22 index.txt.attr
-rw-r--r--. 1 root root 21 Jul 14 23:15 index.txt.attr.old
-rw-r--r--. 1 root root 121 Jul 14 23:15 index.txt.old
-rw-r--r--. 1 root root 3 Jul 14 23:22 serial
-rw-r--r--. 1 root root 3 Jul 14 23:15 serial.old
-rw-r--r--. 1 root root 4000 Jul 14 23:15 server.crt
-rw-r--r--. 1 root root 769 Jul 14 23:15 server.csr
-rw-------. 1 root root 916 Jul 14 23:15 server.key
-rw-r--r--. 1 root root 3872 Jul 14 23:22 test.crt
-rw-r--r--. 1 root root 765 Jul 14 23:22 test.csr
-rw-------. 1 root root 916 Jul 14 23:22 test.key


[root@localhost 2.0]# ./build-key-pass ett #(generate a client key; a key generated this way requires a password when dialing in)
Generating a 1024 bit RSA private key
.............++++++
..++++++
writing new private key to 'ett.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [qikai]:
Organizational Unit Name (eg, section) [qikai]:
Common Name (eg, your name or your server's hostname) [ett]:
Name [qikai]:
Email Address [chaizaowen@163.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:qikai
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'SH'
localityName :PRINTABLE:'ShangHai'
organizationName :PRINTABLE:'qikai'
organizationalUnitName:PRINTABLE:'qikai'
commonName :PRINTABLE:'ett'
name :PRINTABLE:'qikai'
emailAddress :IA5STRING:'chaizaowen@163.com'
Certificate is to be certified until Jul 13 06:28:05 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost 2.0]# ll keys/
total 80
-rw-r--r--. 1 root root 4000 Jul 14 23:15 01.pem
-rw-r--r--. 1 root root 3872 Jul 14 23:22 02.pem
-rw-r--r--. 1 root root 3871 Jul 14 23:28 03.pem
-rw-r--r--. 1 root root 1310 Jul 14 04:30 ca.crt
-rw-------. 1 root root 916 Jul 14 04:30 ca.key
-rw-r--r--. 1 root root 3871 Jul 14 23:28 ett.crt
-rw-r--r--. 1 root root 765 Jul 14 23:28 ett.csr
-rw-------. 1 root root 1041 Jul 14 23:28 ett.key
-rw-r--r--. 1 root root 358 Jul 14 23:28 index.txt
-rw-r--r--. 1 root root 21 Jul 14 23:28 index.txt.attr
-rw-r--r--. 1 root root 21 Jul 14 23:22 index.txt.attr.old
-rw-r--r--. 1 root root 240 Jul 14 23:22 index.txt.old
-rw-r--r--. 1 root root 3 Jul 14 23:28 serial
-rw-r--r--. 1 root root 3 Jul 14 23:22 serial.old
-rw-r--r--. 1 root root 4000 Jul 14 23:15 server.crt
-rw-r--r--. 1 root root 769 Jul 14 23:15 server.csr
-rw-------. 1 root root 916 Jul 14 23:15 server.key
-rw-r--r--. 1 root root 3872 Jul 14 23:22 test.crt
-rw-r--r--. 1 root root 765 Jul 14 23:22 test.csr
-rw-------. 1 root root 916 Jul 14 23:22 test.key


[root@localhost 2.0]# ./build-dh #(generate the Diffie-Hellman file, "generate Diffie-Hellman parameters": the parameter file used for the key exchange during transmission)
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....................................+...
[root@localhost 2.0]# ll keys/dh1024.pem
-rw-r--r--. 1 root root 245 Jul 14 23:32 keys/dh1024.pem

[root@localhost 2.0]# openvpn --genkey --secret keys/ta.key #(generate the HMAC firewall key, a defence against DoS and UDP port flooding)
[root@localhost 2.0]# ll keys/ta.key
-rw-------. 1 root root 636 Jul 14 23:38 keys/ta.key

Note: #./make-crl vpncrl.pem (generates the certificate revocation list file, so that a certificate someone later loses cannot be used by an unauthorized user to join the VPN)


[root@localhost 2.0]# mkdir -p /etc/openvpn
[root@localhost 2.0]# cp -ap /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys/ /etc/openvpn
[root@localhost 2.0]# cp /home/webgame/tools/openvpn/openvpn-2.2.2/sample-config-files/{server.conf,client.conf} /etc/openvpn
[root@localhost 2.0]# tree /etc/openvpn
/etc/openvpn
├── client.conf
├── keys
│   ├── 01.pem
│   ├── 02.pem
│   ├── 03.pem
│   ├── ca.crt
│   ├── ca.key
│   ├── dh1024.pem
│   ├── ett.crt
│   ├── ett.csr
│   ├── ett.key
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── serial
│   ├── serial.old
│   ├── server.crt
│   ├── server.csr
│   ├── server.key
│   ├── ta.key
│   ├── test.crt
│   ├── test.csr
│   └── test.key
└── server.conf

1 directory, 24 files

[root@localhost 2.0]# cd /etc/openvpn
[root@localhost openvpn]# egrep -v ";|#|^$" server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Notes on the server.conf directives: local IP_ADDRESS is the address OpenVPN listens on at startup, the public IP the client specifies when connecting (like *:80 in nginx); port 1194 is the default, changed to 52115 for security; proto udp is the default, changed to tcp for stability; dev tun means the VPN server works in routed mode (tap or tun can be chosen); ca ca.crt is the CA certificate, which must sit in the same directory as server.conf or be given with an absolute path; server 10.8.0.0 255.255.255.0 is the address pool the VPN server hands out dynamically to VPN clients; push "route 172.16.1.0 255.255.255.0" is the VPN server's intranet segment, pushed to the clients as a route (if the internal network is split into VLANs, several push lines can be written); client-to-client lets multiple clients connected to one VPN server talk to each other; duplicate-cn allows several clients to connect to the VPN server with the same account; keepalive 10 120 pings every 10 s and treats the client as disconnected if no packet arrives for 120 s; comp-lzo enables compression; persist-key keeps the previously used private key across a VPN timeout and restart instead of re-reading it; persist-tun keeps the tun/tap device up across a keepalive-detected timeout and restart; status openvpn-status.log records status information; log /var/log/openvpn.log sets the log location; verb 3 sets the log verbosity.


[root@localhost openvpn]# egrep -v ";|#|^$" client.conf
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3


[root@localhost openvpn]# vim server.conf
-----------file start--------------
local 10.96.20.113
port 52115
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
-------------file end------------------
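As an added example (not part of these notes or of the OpenVPN project), the Python script below parses a server.conf in the format used above and reports the hardening gaps that the procedure prepares material for but never wires in: ta.key is generated yet no tls-auth line references it, and crl-verify is absent until the revocation step. The sample configuration is constructed from the server.conf shown above; the directive names are real OpenVPN 2.x directives, while the severities and messages are the script's own.

```python
"""Audit an OpenVPN 2.x server.conf for the gaps discussed on this page."""
import shlex

# Constructed sample: the server.conf as finished above.
PAGE_SERVER_CONF = """\
local 10.96.20.113
port 52115
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
"""

# Constructed hardened variant: same tunnel, with the page's ta.key and crl.pem
# actually referenced, peer-to-peer client traffic off, and root dropped after
# initialisation (persist-key/persist-tun are already present, which user/group needs).
HARDENED_SERVER_CONF = PAGE_SERVER_CONF.replace("client-to-client\n", "") + """\
tls-auth keys/ta.key 0
crl-verify keys/crl.pem
user nobody
group nobody
"""


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]); lines starting with '#' or ';' are comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)  # keeps the quoted push argument as one token
        entries.append((tokens[0], tokens[1:]))
    return entries


def audit_server_conf(text):
    """Return a list of (severity, directive, message) findings; empty means clean."""
    present = {directive for directive, _ in parse_openvpn_conf(text)}
    findings = []
    # ta.key was created with `openvpn --genkey --secret`, but it only protects the
    # control channel if the server (and every client) references it.
    if "tls-auth" not in present:
        findings.append(("high", "tls-auth",
                         "HMAC firewall not enabled; add `tls-auth keys/ta.key 0` "
                         "(clients use `tls-auth ta.key 1`)"))
    if "crl-verify" not in present:
        findings.append(("high", "crl-verify",
                         "no CRL configured; certificates revoked with revoke-full are "
                         "still accepted until `crl-verify keys/crl.pem` is set"))
    if "duplicate-cn" in present:
        findings.append(("medium", "duplicate-cn",
                         "one certificate may log in many times; sessions cannot be "
                         "attributed to a single user and revocation loses precision"))
    if "client-to-client" in present:
        findings.append(("low", "client-to-client",
                         "remote clients can reach each other through the server; "
                         "drop it unless dial-in users need peer access"))
    if "user" not in present or "group" not in present:
        findings.append(("medium", "user/group",
                         "daemon keeps root after initialisation; add `user nobody` "
                         "and `group nobody` (requires persist-key and persist-tun)"))
    for required in ("ca", "cert", "key", "dh"):
        if required not in present:
            findings.append(("error", required, "required directive missing"))
    return findings


if __name__ == "__main__":
    for name, conf in (("page server.conf", PAGE_SERVER_CONF),
                       ("hardened server.conf", HARDENED_SERVER_CONF)):
        print(f"== {name}")
        for sev, directive, msg in audit_server_conf(conf) or [("ok", "-", "no findings")]:
            print(f"  [{sev}] {directive}: {msg}")
```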


[root@localhost openvpn]# service iptables stop #(if the firewall is left enabled, not only the corresponding port 52115 must be opened but also the FORWARD chain)
[root@localhost openvpn]# getenforce #(SELinux)
Permissive
[root@localhost openvpn]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
[root@localhost openvpn]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
...

[root@localhost openvpn]# echo "/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &" >> /etc/rc.local #(start at boot)
[root@localhost openvpn]# tail -1 /etc/rc.local
tail: inotify cannot be used, reverting to polling
/usr/local/sbin/openvpn --config /etc/openvpn/server.conf &

[root@localhost openvpn]# openvpn --config /etc/openvpn/server.conf &
[1] 18159
[root@localhost openvpn]# netstat -tnulp | grep :52115
tcp 0 0 10.96.20.113:52115 0.0.0.0:* LISTEN 18159/openvpn
[root@localhost openvpn]# lsof -i :52115
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 18159 root 5u IPv4 111541 0t0 TCP 10.96.20.113:52115 (LISTEN)
[root@localhost openvpn]# tail -100 /var/log/openvpn.log
...
Fri Jul 15 01:04:02 2016 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Jul 15 01:04:02 2016 Initialization Sequence Completed
[root@localhost openvpn]# ifconfig tun0 #(a virtual interface tun0 with address 10.8.0.1 now exists locally)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[root@localhost openvpn]# cp /home/webgame/tools/openvpn/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn #(openvpn ships an init script; it needs the following small changes before it can be used)
[root@localhost openvpn]# vim /etc/init.d/openvpn #(on line 148 change *.conf to server.conf, or make sure server.conf is the only file ending in .conf under /etc/openvpn; change line 154 to /usr/local/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn)
[root@localhost openvpn]# ll /etc/init.d/openvpn
-rwxr-xr-x. 1 root root 5481 Jul 15 01:11 /etc/init.d/openvpn
[root@localhost openvpn]# chkconfig --add openvpn
[root@localhost openvpn]# chkconfig --list openvpn
openvpn 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@localhost openvpn]# pkill openvpn
[root@localhost openvpn]# netstat -tnulp | grep :52115
[1]+ Done openvpn --config /etc/openvpn/server.conf
[root@localhost openvpn]# lsof -i :52115
[root@localhost openvpn]# service openvpn start
Starting openvpn: [ OK ]
[root@localhost openvpn]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]


Deploying the client on Windows:

Note: in testing, a Windows VM on VMware could connect to the VPN server but could not reach the LAN hosts; on the physical machine's Windows OS everything worked, reaching both the VPN server and the LAN hosts.

Install openvpn-2.2.2-install.exe on the physical Windows machine;

create a test/ directory under config/ in the client's installation directory;

copy /etc/openvpn/keys/{ca.crt,test.crt,test.key} from the VPN server into the OpenVPN GUI installation directory on Windows, D:\Program Files (x86)\OpenVPN\config\test\;

[root@localhost openvpn]# egrep -v ";|#|^$" client.conf #(edit this client.conf on the VPN server, copy it to config/test/ on Windows and rename it test.ovpn)
client
dev tun
proto tcp
remote 10.96.20.113 52115
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert test.crt
key test.key
ns-cert-type server
comp-lzo
verb 3

[Figure: III(二十一) OpenVPN(1)_virtualPN_06]

Open the OpenVPN GUI on Windows, right-click the taskbar icon and choose Connect; a green icon means success, while yellow and red both mean a problem. Right-click View Log to see the log (the log on the VPN server can also be checked). The VPN server assigned this client the address 10.8.0.6.

[Figure: III(二十一) OpenVPN(1)_virtualPN_07]

[Figure: III(二十一) OpenVPN(1)_virtualPN_08]

[Figure: III(二十一) OpenVPN(1)_virtualPN_09]

[Figure: III(二十一) OpenVPN(1)_virtualPN_10]

On Windows, test connectivity to the VPN server: ping 10.8.0.1 and see whether it answers.

[Figure: III(二十一) OpenVPN(1)_virtualPN_11]

At the Windows command line, with the VPN connected, run >route print > ed.txt; then disconnect OpenVPN and run >route print > pre.txt; compare the two files with Beyond Compare. 172.16.1.0/24 is the route pushed by the VPN server.

[Figure: III(二十一) OpenVPN(1)_virtualPN_12]



On LAN-server1 (172.16.1.12):

Three options:

1. Add the VPN server's address as the default route (not commonly used)
#route add default gw 172.16.1.11

[Figure: III(二十一) OpenVPN(1)_virtualPN_13]

2. Add a network route; this is the common practice in production, and every LAN host must add this route
#route add -net 10.8.0.0/24 gw 172.16.1.11

[Figure: III(二十一) OpenVPN(1)_virtualPN_14]

3. Use NAT on the VPN server
The OpenVPN port must be open and the FORWARD chain must ACCEPT
[root@etiantian ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.11
[root@etiantian ~]# iptables -t nat -L -n
...
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:172.16.1.11
...
[root@etiantian ~]# vim /home/webgame/tools/openvpn/openvpn-2.2.2/sample-config-files/firewall.sh #(the installation directory ships a firewall setup script provided by the program)



Note: if none of the three options is applied, the client can connect to the VPN server, but the packets from LAN server1 cannot return, and pinging 172.16.1.12 from the client fails.

[Figure: III(二十一) OpenVPN(1)_virtualPN_15]

Capturing on LAN server1 shows only ICMP echo requests and no ICMP echo replies.

[Figure: III(二十一) OpenVPN(1)_virtualPN_16]

After applying any one of the three options, capture on LAN-server1 while pinging from the client:

[Figure: III(二十一) OpenVPN(1)_virtualPN_17]

[Figure: III(二十一) OpenVPN(1)_virtualPN_18]




Note: three ways to make the static route persistent:

1. #echo "any net 10.8.0.0/24 gw 172.16.1.11" > /etc/sysconfig/static-routes

[Figure: III(二十一) OpenVPN(1)_virtualPN_19]

2. #echo "10.8.0.0/24 via 172.16.1.11" > /etc/sysconfig/network-scripts/route-eth0

[Figure: III(二十一) OpenVPN(1)_virtualPN_20]

3. #echo "route add -net 10.8.0.0/24 gw 172.16.1.11" >> /etc/rc.local #(so that it is applied automatically at boot)


Adding a user jowin with build-key-pass:

[root@etiantian ~]# cd /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/
[root@etiantian 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@etiantian 2.0]# ./build-key-pass jowin
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Common Name (eg, your name or your server's hostname) [jowin]:
A challenge password []:123456
An optional company name []:qikai
[root@etiantian 2.0]# ll keys/jowin*
-rw-r--r--. 1 root root 3877 Jul 20 00:27 keys/jowin.crt
-rw-r--r--. 1 root root 769 Jul 20 00:26 keys/jowin.csr
-rw-------. 1 root root 1041 Jul 20 00:26 keys/jowin.key
[root@etiantian 2.0]# cp keys/{jowin.crt,jowin.key} /etc/openvpn/keys/
[root@etiantian 2.0]# sz keys/{jowin.crt,jowin.key,ca.crt} #(send to the client's config/ directory)
[root@etiantian 2.0]# vim /etc/openvpn/client.conf #(change cert and key)
...
remote 10.96.20.113 52115
...
ca ca.crt
cert jowin.crt
key jowin.key
...
[root@etiantian 2.0]# sz /etc/openvpn/client.conf #(send to the client's config/ directory)

[Figure: III(二十一) OpenVPN(1)_virtualPN_21]

[Figure: III(二十一) OpenVPN(1)_virtualPN_22]







Connect as jowin; a user created with build-key-pass must type the password.

[Figure: III(二十一) OpenVPN(1)_virtualPN_23]

[Figure: III(二十一) OpenVPN(1)_virtualPN_24]


[root@etiantian 2.0]# cat /etc/openvpn/openvpn-status.log #(checking this file on the VPN server shows who is currently logged in; based on it the certificates of departed employees can be revoked, and an alert can be raised if they still log in)
OpenVPN CLIENT LIST
Updated,Wed Jul 20 00:49:43 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
jowin,10.96.20.252:2715,8562,6368,Wed Jul 20 00:47:43 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,jowin,10.96.20.252:2715,Wed Jul 20 00:47:44 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END


Revoking a single certificate (user test as the example):

[root@etiantian 2.0]# pwd
/home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0
[root@etiantian 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/keys
[root@etiantian 2.0]# vim openssl-1.0.0.cnf #(for OpenVPN 2.0.0 the last 6 lines of this file must be commented out; for OpenVPN 2.2.2 skip this step)
[root@etiantian 2.0]# ./revoke-full test
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 02.
Data Base Updated
Using configuration from /home/webgame/tools/openvpn/openvpn-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf
test.crt: C = CN, ST = SH, L = ShangHai, O = qikai, OU = qikai, CN = test, name = qikai, emailAddress = chaizaowen@163.com
error 23 at 0 depth lookup:certificate revoked
[root@etiantian 2.0]# ll keys/crl.pem #(this file is generated by the revocation)
-rw-r--r--. 1 root root 548 Jul 20 00:56 keys/crl.pem
[root@etiantian 2.0]# date
Wed Jul 20 00:57:32 PDT 2016
[root@etiantian 2.0]# cat keys/index.txt #(in this file the revoked user is now marked R)
V 260713061527Z 01 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=server/name=qikai/emailAddress=chaizaowen@163.com
R 260713062210Z 160720075655Z 02 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=test/name=qikai/emailAddress=chaizaowen@163.com
V 260713062805Z 03 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=ett/name=qikai/emailAddress=chaizaowen@163.com
V 260718072655Z 04 unknown /C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN=jowin/name=qikai/emailAddress=chaizaowen@163.com
[root@etiantian 2.0]# cp keys/crl.pem /etc/openvpn/keys/
[root@etiantian 2.0]# vim /etc/openvpn/server.conf #(add the crl-verify line at the end of this file; to reinstate a previously revoked user, comment this line out)
crl-verify /etc/openvpn/keys/crl.pem
[root@etiantian 2.0]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]

Note: revoking several users' certificates follows the same steps; finally, overwrite the earlier crl.pem with the one generated by ./revoke-full USERNAME.
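The status-log check described above (who is logged in, and whether a departed user's certificate is still in use) and the index.txt listing from the revocation step can be combined into one monitoring check. The following is an added example, not code from these notes or from easy-rsa: it parses a constructed openvpn-status.log and a constructed, tab-separated keys/index.txt shaped like the ones shown above (with the revoked user test deliberately shown as connected) and reports connected clients whose certificate the CA has revoked, has let expire, or never issued.

```python
"""Cross-check openvpn-status.log against the easy-rsa CA database (index.txt)."""
import csv
import io
from datetime import datetime

# Constructed sample in the openvpn-status.log layout shown above; "test"
# (revoked on the CA) is added as a connected client so the check has a hit.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Wed Jul 20 00:49:43 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
jowin,10.96.20.252:2715,8562,6368,Wed Jul 20 00:47:43 2016
test,10.96.20.117:41022,1204,980,Wed Jul 20 00:48:10 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.10,jowin,10.96.20.252:2715,Wed Jul 20 00:47:44 2016
10.8.0.6,test,10.96.20.117:41022,Wed Jul 20 00:48:11 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def _dn(cn):
    return f"/C=CN/ST=SH/L=ShangHai/O=qikai/OU=qikai/CN={cn}/name=qikai/emailAddress=chaizaowen@163.com"


# Constructed sample of keys/index.txt after `./revoke-full test`. Real easy-rsa
# index.txt rows are tab-separated: status, expiry, revocation time (empty unless
# status is R), serial, file name, subject DN.
INDEX_TXT = "".join("\t".join(row) + "\n" for row in [
    ("V", "260713061527Z", "", "01", "unknown", _dn("server")),
    ("R", "260713062210Z", "160720075655Z", "02", "unknown", _dn("test")),
    ("V", "260713062805Z", "", "03", "unknown", _dn("ett")),
    ("V", "260718072655Z", "", "04", "unknown", _dn("jowin")),
])


def parse_index_txt(text):
    """Map CN -> (status, not_after) for every certificate the CA has issued."""
    certs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, _revoked_at, _serial, _fname, dn = line.split("\t")
        cn = next(part[3:] for part in dn.split("/") if part.startswith("CN="))
        certs[cn] = (status, datetime.strptime(expiry, "%y%m%d%H%M%SZ"))
    return certs


def parse_status_log(text):
    """Return the rows of the CLIENT LIST section of openvpn-status.log as dicts."""
    lines = text.splitlines()
    header = next(i for i, line in enumerate(lines) if line.startswith("Common Name,"))
    end = lines.index("ROUTING TABLE", header)
    return list(csv.DictReader(io.StringIO("\n".join(lines[header:end]))))


def connected_but_untrusted(status_text, index_text, now):
    """List (cn, real address, reason) for connected clients the CA no longer vouches for.

    The CRL is consulted when a certificate is verified, i.e. at the TLS handshake
    and each renegotiation, so a session opened before revoke-full ran can stay up
    until then; a hit here is the cue to drop it and to confirm crl-verify is active.
    """
    certs = parse_index_txt(index_text)
    hits = []
    for row in parse_status_log(status_text):
        cn = row["Common Name"]
        if cn not in certs:
            reason = "not in CA database"
        elif certs[cn][0] == "R":
            reason = "revoked"
        elif certs[cn][1] < now:
            reason = "expired"
        else:
            continue
        hits.append((cn, row["Real Address"], reason))
    return hits


if __name__ == "__main__":
    # Use the "Updated" timestamp of the sample log as the reference time.
    for cn, addr, reason in connected_but_untrusted(STATUS_LOG, INDEX_TXT,
                                                    datetime(2016, 7, 20, 0, 49, 43)):
        print(f"ALERT: {cn} from {addr} is connected but {reason}")
```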


Using the OpenVPN client on Linux (10.96.20.117, same role as the Windows client):

Applicable scenarios: interconnecting several server rooms or enterprises; pushing resources from the company intranet's SVN server to the IDC server room; cross-site data backup.

[root@localhost ~]# hostname vpnclient
[root@localhost ~]# logout

Environment preparation: install lzo and openvpn-2.2.2 the same way as on the VPN server.

[root@vpnclient ~]# mkdir /etc/openvpn
[root@vpnclient ~]# cd /etc/openvpn
[root@vpnclient openvpn]# ll
total 0
[root@vpnclient openvpn]# scp 10.96.20.113:/etc/openvpn/keys/{ca.crt,jowin.crt,jowin.key} ./
[root@vpnclient openvpn]# scp 10.96.20.113:/etc/openvpn/client.conf ./ #(client.conf does not need renaming)
[root@vpnclient openvpn]# vim client.conf #(change the key file paths)
ca /etc/openvpn/ca.crt
cert /etc/openvpn/jowin.crt
key /etc/openvpn/jowin.key
[root@vpnclient openvpn]# cp /home/webgame/tools/openvpn/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@vpnclient openvpn]# service openvpn start #(the jowin user was generated with build-key-pass, so the password must be entered every time)
Starting openvpn: Enter Private Key Password:
[ OK ]
[root@vpnclient openvpn]# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.532 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.547 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.373 ms
...
[root@vpnclient openvpn]# ping 172.16.1.12 #(pinging LAN-server1 works; capture on LAN-server1 at the same time)
PING 172.16.1.12 (172.16.1.12) 56(84) bytes of data.
64 bytes from 172.16.1.12: icmp_seq=1 ttl=63 time=0.565 ms
64 bytes from 172.16.1.12: icmp_seq=2 ttl=63 time=0.522 ms
64 bytes from 172.16.1.12: icmp_seq=3 ttl=63 time=0.821 ms
[root@vpnclient openvpn]# ssh 172.16.1.12 #(login to LAN-server1 succeeds)
root@172.16.1.12's password:
Last login: Wed Jul 20 02:18:36 2016 from 172.16.1.11

On LAN-server1:
#tcpdump -nnn -s 10000 |grep ICMP

[Figure: III(二十一) OpenVPN(1)_virtualPN_25]

Note: the VPN server uses NAT (option 3).

On the VPN server:
#tcpdump -nnn -i eth0 -s 10000 ' port 52115 and src host 10.96.20.117'

[Figure: III(二十一) OpenVPN(1)_virtualPN_26]