Environment:
CentOS Linux 4
openvpn-2.0.9-1
 
Requirements:
The OpenVPN server is not the gateway; it is made reachable through a port redirect on the firewall.
The OpenVPN server's internal network is 10.1.1.0/24, the OpenVPN server's address is 10.1.1.15, and the gateway address is 10.1.1.254.

The OpenVPN client's internal network is 192.168.0.0/24, and the OpenVPN client machine is not the gateway either.
The OpenVPN client machine's IP address is 192.168.0.2 and its gateway address is 192.168.0.254. So how should routes be added so that every machine on the client-side network 192.168.0.0/24 can reach the server-side network 10.1.1.0/24?
Installation:
# yum install openvpn

After the installation completes, create an openvpn directory under /etc and copy the whole easy-rsa directory from /usr/share/doc/openvpn-2.0.9 into /etc/openvpn.
# cd /etc/openvpn/easy-rsa/
# chmod 777 *
(Only the scripts need to be executable; chmod 777 also makes every file in the directory world-writable.)
# source vars
# ./clean-all
# ./build-ca
When "Common Name (eg, your name or your server's hostname) []:" appears, enter server; for everything else just press Enter to accept the default.
# ./build-key-server server
When "Common Name (eg, your name or your server's hostname) []:" appears, enter server.
When "Certificate is to be certified until Aug 17 08:30:49 2017 GMT (3650 days)
Sign the certificate? [y/n]:" appears, answer y (this is asked twice; for everything else just press Enter).
# ./build-key client
When "Common Name (eg, your name or your server's hostname) []:" appears, enter "client".
When "Certificate is to be certified until Aug 17 08:33:36 2017 GMT (3650 days)
Sign the certificate? [y/n]:" appears, answer y.
# ./build-dh
# cd keys/
# cp ca.crt server.key server.crt dh1024.pem /etc/openvpn/
 
Write the server-side configuration file /etc/openvpn/server.conf:

port 1194
proto tcp
;proto udp
dev tap
;dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "dhcp-option DOMAIN vpn"
push "route 10.8.0.1" # add route to protected network
client-to-client
;duplicate-cn
keepalive 10 120
comp-lzo
;max-clients 100
user root
group root
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 5
;mute 20

(On user root / group root: the sample server.conf shipped with OpenVPN drops to user nobody / group nobody after startup, and persist-key / persist-tun are what let the daemon survive restarts after that drop; this setup leaves it running as root.)

The client is CentOS Linux 4.4:
client
dev tap
proto tcp
remote server-ip-address 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 5

Setting up routes

On the VPN server machine, add a route to the client-side network:

route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.2

// 10.8.0.2 is the virtual IP address the client obtained after connecting.

The server-side gateway is a PC sharing an ADSL dial-up connection, running Windows 2003 Server.
On the gateway machine, add a route to the VPN client-side network:
route add 192.168.0.0 mask 255.255.255.0 10.1.1.15

The client-side gateway is a Netscreen-25 firewall; add a route to the VPN server-side network:
set route 10.1.1.0/24 interface ethernet2 gateway 192.168.0.2

Testing connectivity:
Test from any machine on the server-side network:

C:\Documents and Settings\ABC>tracert 192.168.0.25
Tracing route to 192.168.10.25 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  10.1.1.254
  2    <1 ms    <1 ms    <1 ms  10.1.1.15
  3   143 ms   164 ms   165 ms  10.8.0.2
  4   319 ms   360 ms   216 ms  192.168.0.25
Trace complete.
C:\Documents and Settings\ABC>ping 192.168.0.25
Pinging 192.168.0.25 with 32 bytes of data:
Reply from 192.168.0.25: bytes=32 time=60ms TTL=125
Reply from 192.168.0.25: bytes=32 time=28ms TTL=125
Reply from 192.168.0.25: bytes=32 time=141ms TTL=125
Reply from 192.168.0.25: bytes=32 time=32ms TTL=125
Ping statistics for 192.168.0.25:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 28ms, Maximum = 141ms, Average = 65ms
C:\Documents and Settings\ABC>

192.168.0.25 is a machine on the far (client) side.

Client-side test:

C:\Documents and Settings\VMSER>tracert 10.1.1.3
Tracing route to FILE [10.1.1.3]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.0.254
  2    <1 ms    <1 ms    <1 ms  192.168.0.2
  3   185 ms   162 ms   173 ms  10.8.0.1
  4    96 ms   160 ms   190 ms  FILE [10.1.1.3]
Trace complete.
C:\Documents and Settings\VMSER>ping 10.1.1.3
Pinging 10.1.1.3 with 32 bytes of data:
Reply from 10.1.1.3: bytes=32 time=336ms TTL=125
Reply from 10.1.1.3: bytes=32 time=144ms TTL=125
Reply from 10.1.1.3: bytes=32 time=236ms TTL=125
Reply from 10.1.1.3: bytes=32 time=50ms TTL=125
Ping statistics for 10.1.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 50ms, Maximum = 336ms, Average = 191ms
C:\Documents and Settings\VMSER>

10.1.1.3 is a machine on the server-side network.
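The two traces above, reproduced by a small routing model added here (not code from the original post) to show which of the static routes each hop depends on: it does a longest-prefix lookup in each box's table and reports the ingress address of every hop, the way tracert does. It assumes both OpenVPN machines forward IP between the tap interface and the LAN (net.ipv4.ip_forward = 1), which the post does not show, and that the pushed "route 10.1.1.0 255.255.255.0" is installed on the client.

```python
import ipaddress
from copy import deepcopy

# Constructed topology with the addresses from the post: each box carries its interface addresses
# and the static routes the post adds (the client's 10.1.1.0/24 route is the one the server pushes).
# The gateways' Internet default routes are left out so a missing route shows up as a dropped packet.
# Assumption the post does not show: both OpenVPN boxes forward between tap and LAN (ip_forward = 1).
DEVICES = {
    "host_s":     {"ifaces": ["10.1.1.3/24"],                   "routes": [("0.0.0.0/0", "10.1.1.254")]},
    "gw_s":       {"ifaces": ["10.1.1.254/24"],                 "routes": [("192.168.0.0/24", "10.1.1.15")]},
    "vpn_server": {"ifaces": ["10.1.1.15/24", "10.8.0.1/24"],   "routes": [("192.168.0.0/24", "10.8.0.2"), ("0.0.0.0/0", "10.1.1.254")]},
    "vpn_client": {"ifaces": ["192.168.0.2/24", "10.8.0.2/24"], "routes": [("10.1.1.0/24", "10.8.0.1"), ("0.0.0.0/0", "192.168.0.254")]},
    "gw_c":       {"ifaces": ["192.168.0.254/24"],              "routes": [("10.1.1.0/24", "192.168.0.2")]},
    "host_c":     {"ifaces": ["192.168.0.25/24"],               "routes": [("0.0.0.0/0", "192.168.0.254")]},
}

def next_hop(device, dst):
    """Longest-prefix match; returns the on-link address the packet is handed to (dst itself if connected), or None."""
    ip = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_interface(i).network.prefixlen, dst)
             for i in device["ifaces"] if ip in ipaddress.ip_interface(i).network]
    cands += [(ipaddress.ip_network(p).prefixlen, nh)
              for p, nh in device["routes"] if ip in ipaddress.ip_network(p)]
    return max(cands, key=lambda c: c[0])[1] if cands else None

def owner_of(devices, addr):
    """The box holding addr on an interface (stand-in for ARP on the LANs and for the tap link)."""
    ip = ipaddress.ip_address(addr)
    return next(n for n, d in devices.items() if any(ipaddress.ip_interface(i).ip == ip for i in d["ifaces"]))

def trace(devices, src, dst, max_hops=30):
    """Ingress address of every hop from box src to dst, as tracert prints them; None if the packet never arrives."""
    hops, here = [], src
    for _ in range(max_hops):
        arrive = next_hop(devices[here], dst)
        if arrive is None:              # no matching route on this box: dropped
            return None
        here = owner_of(devices, arrive)
        hops.append(arrive)
        if arrive == dst:               # delivered on a directly connected network
            return hops
    return None                         # hop limit reached: the routes form a loop

def without_route(devices, name, prefix):
    """Copy of the topology with one static route removed, to see which box breaks the path."""
    devs = deepcopy(devices)
    devs[name]["routes"] = [r for r in devs[name]["routes"] if r[0] != prefix]
    return devs
```

Removing the route on the VPN server does not give a clean drop: its default route hands the packet back to 10.1.1.254, which returns it to 10.1.1.15, so that mistake shows up as a loop (trace returns None after the hop limit).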