Connect two remote LAN segments based on OpenVPN

Connect two remote LAN system environments based on OpenVPN: SERVER: RHEL5 [2.6.18-8. el5xen] software environment: http://openvpn.net/release/openvpn-2.0.9.tar.gz http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz Reference: http://openvpn.net/index.php/documentation/howto.html http://www.linux.com/articles/58336 Purpose: Build an OpenVPN server to connect two remote LAN segments across the Internet. | --------------- | <--> Internet <--> | --------------- | LAN2 <--> | Router2 (Client) | Router1 (Server) | --> LAN1 | --------------- | <--> ssl vpn Tun <--> | ------------- | (Beijing) Server (router1) network parameters: eth0 173.16.16.1/24 eth1 192.168.20.1/24 (as the gateway of LAN1 in this example) LAN1: 192.168.20.0/24 (Guangzhou) Client (router2) network parameters: eth0 211.20.20.1/24 eth2 192.168.40.1/24 (as the gateway of LAN2 in this example) LAN2: 192.168.40.0/24 ############################## ####################################### 1, install the OpenVPN Software Package (perform the following operations on router1 and router2, install it in the/usr/local directory by default) www.2cto.com 1. Install lzo (compress SSL data) shell & gt; tar zxvf lzo-2.03.tar.gz-C/usr/srcshell & gt; cd/usr/src/lzo-2.03shell & gt. /configure & make install 2, install openvpnshell> tar zxvf openvpn-2.0.9.tar.gz-C/usr/srcshell> cd/usr/src/openvpn-2.0.9shell>. /configure & make install 2. configure OpenVPN Server End (router1) 1. Create a certificate and related key file (refer to/usr/src/openvpn-2.0.9/easy-rsa/README) 1) adjust and predefine variables shell> mkdir/etc/openvpnshell> cd/usr/src/openvpn-2.0.9/easy-rsashell> vi vars www.2cto.com export D = 'pwd' export KER_CONFIG = $ D/ openssl. cnfexport KEY_DIR = "/etc/openvpn/keys/" # // modify the storage location of the generated key and other files. export KEY_SIZE = 1024 export KEY_COUNTRY = CN # // The following is used for each key the predefined information in export KEY_PROVINCE = BJexport KEY_CITY = BJexport KEY_ORG = "BJ-GZ" expor T KEY_EMAIL = "TsengYiashell> 126.com" shell>. varsshell>. /clean-all 2) create certificates, keys, and other files shell>. /build-ca # // generate CA certificate shell>. /build-dh # // generate the dh (Diffie-Hellman) file shell>. /build-key-server router1 # // generate the server key shell>. /build-key router2 # // generate client key shell>/usr/local/sbin/openvpn -- genkey -- secret/etc/openvpn/keys/ta. key # // generate tls-auth key 2, create OpenVPN service configuration file shell> cp/usr/src/openvpn-2.0.9/sample-config-files/server. co Nf/etc/openvpn/shell> vi/etc/openvpn/server. conflocal 173.16.16.1 # // specify the interface address of the VPN service listener (the address of the eth0 Nic In this example) port 1194 # // specify the port proto udp www.2cto.com dev tunca keys/ca that the VPN service listens. crtcert keys/router1.crtkey keys/router1.keydh keys/dh1024.pemserver 10.8.8.0 255.255.255.0 # // specify the virtual subnet of the vpn tunnel. The vpn server automatically uses the first IP address, for example, 10.8.8.1ifconfig-pool-persist ipp.txt push "route 192.168.20.0 255.255.255.0" # // notify the client of the server's LAN1 network segment client-c Onfig-dir ccd # // specify the client configuration file that calls the ccd subdirectory, you can specify the peer IP address in the file: route 192.168.40.0 255.255.255.0 # // route client-to-client that is added to the LAN2 network segment of the server # // allow mutual access between clients duplicate-cn # // allow the client key to be reused keepalive 10 120tls-auth keys/ta. key 0 # // specify the tls authentication key cipher BF-CBC # // specify the cipher encryption algorithm comp-lzomax-clients 100 # // specify the maximum number of concurrent connections user nobodygroup nobodypersist-keypersist-tunstatus/tmp openvpn-status.logverb 3 mute 20 www.2cto.com shell> Mkdir/etc/openvpn/ccdshell> vi/etc/openvpn/ccd/router2 # // specify the IP address parameter iroute 192.168.40.0 255.255.0ifconfig-push 10.8.8.2 in the independent configuration file of the client 10.8.8.1 # // tun0 local address, p-t-P peer address 3. Prepare STARTUP script, start OpenVPNshell> cp-p/usr/src/openvpn-2.0.9/sample-scripts/openvpn. init/etc/init. d/shell> vi/etc/init. d/openvpnshell> chkconfig -- add openvpnshell> chkconfig -- level 35 openvpn onshell> service openvpn start 3. Configure the OpenVPN Client (router2) www.2cto.com 1. Download the certificate and related key file 1) and download the ca generated on the server. crt, router2.crt, router2.key, and ta. key File, back up 2) copy the above file to the/etc/openvpn/keys directory of router2 2, modify the Client configuration file shell> cp/usr/src/openvpn-2.0.9/sample-config-files/client. conf/etc/openvpn/shell> vi/etc/openvpn/client. confclientdev tunproto udpremote 173.16.16.1 1194resolv-retry infinitenobinduser nobodygroup nobodypersist-keypersist-tunca keys /Ca. crtcert keys/router2.crtkey keys/router2.keyns-cert-type servertls-auth keys/ta. key 1 cipher BF-CBCcomp-lzoverb 3 mute 20 www.2cto.com 4. Prepare the startup script and start OpenVPN (perform the following operations on router1 and router2) shell> cp-p/usr/src/openvpn-2.0.9/sample-scripts/openvpn. init/etc/init. d/shell> vi/etc/init. d/openvpnshell> chkconfig -- add openvpnshell> chkconfig -- level 35 openvpn onshell> service openvpn start v. connectivity test 1. You can test the connection in r On outer1 and router2, view the tun0 information of router1 with the tun0 parameter (ifconfig tun0): inet addr: 10.8.8.8.1 P-t-P: 10.8.8.2 router2 tun0 information: inet addr: 10.8.8.2 P-t-P: 10.8.8.1 www.2cto.com 2. You can view the route table information of route Entry 1 in route Entry 1 and route entry 2 respectively: destination Gateway Genmask Flags Metric Ref Use Iface 192.168.40.0 10.8.8.2 route tables 255.0 UG 0 0 0 0 tun0router2 route table information should have a route record to the LAN1 network segment: Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.20.0 10.8.8.1 255.255.255.0 UG 0 0 0 tun0 3, LAN1, LAN2 two network segments client interconnection test, for example: Beijing 192.168.20.20 and Guangzhou 192.168.40.40 can ping each other. This article is from feino.