Deploy openvpn service on RHEL5.4

Source: Internet
Author: User
Tags: hmac

1. Introduction to OpenVPN
OpenVPN is an SSL-based VPN. It uses the industry-standard SSL/TLS protocol to build a secure layer-2 or layer-3 data link. Its advantages are as follows:
1. It is built on the SSL protocol, so it is secure and can be run through a single TCP or UDP port.
2. With two-way (mutual) authentication, the server only needs to keep its own certificate and key.
3. The server only accepts clients whose certificates were signed by the primary CA, and it has a revocation mechanism, so the PKI never needs to be rebuilt.
4. Permission control is based on the certificate's Common Name.
2. System environment: RHEL 5.4
Application software:
openvpn-2.1.4.tar.gz
lzo-2.05.tar.gz
3. Install OpenVPN (lzo first, since OpenVPN's comp-lzo option depends on it)
# tar xvf lzo-2.05.tar.gz
# cd lzo-2.05
# ./configure
# make
# make check
# make test
# make install
# tar xvf openvpn-2.1.4.tar.gz
# cd openvpn-2.1.4
# ./configure
# make && make install
4. Configure OpenVPN
1. Create a dedicated CA for OpenVPN and issue the required certificates for each client on the OpenVPN server. OpenVPN supports two authentication models: a shared (static) key and TLS-based certificate authentication.
To keep the authentication process manageable, OpenVPN requires the server and client to complete certificate-based two-way authentication before any communication is established; the use of certificates depends on a PKI.
OpenVPN ships with a set of scripts (easy-rsa) for issuing certificates from a private CA.
2. To create the CA, OpenVPN server, or client certificate, you must specify the country and other identity fields of the certificate holder. Default values can be set in the vars file; the parameters include:
# cd /root/openvpn/openvpn-2.1.4/easy-rsa/2.0
# vim vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SHANGHAI"
export KEY_CITY="SHANGHAI"
export KEY_ORG="Frank"
export KEY_EMAIL="623195090@qq.com"
3. Initialize the PKI (clean-all wipes the keys directory, so run it only once, before any certificate exists)
# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/keys
[root@openvpn 2.0]# ./clean-all
4. Create a local CA
[root@openvpn 2.0]# ./build-ca
Generating a 1024 bit RSA private key
...............................++
...
Writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []: Frank
Common Name (eg, your name or your server's hostname) [Frank CA]: FRANK
Name []: frank
Email Address [623195090@qq.com]:
4. Create the key and certificate for the OpenVPN server
[root@openvpn 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
...............................++
...++
Writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []: Frank
Common Name (eg, your name or your server's hostname) [server]:
Name []: frank
Email Address [623195090@qq.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature OK
The Subject's Distinguished Name is as follows
CountryName: PRINTABLE: 'cn'
StateOrProvinceName: PRINTABLE: 'Shanghai'
LocalityName: PRINTABLE: 'Shanghai'
OrganizationName: PRINTABLE: 'frank'
OrganizationalUnitName: PRINTABLE: 'frank'
CommonName: PRINTABLE: 'server'
Name: PRINTABLE: 'frank'
EmailAddress: IA5STRING: '623195090@qq.com'
Certificate is to be certified until Aug 9 17:43:47 2021 GMT (3650 days)
Sign the certificate? [Y/n]: y
 
 
1 out of 1 certificate requests certified, commit? [Y/n] y
Write out database with 1 new entries
Data Base Updated
5. Create the client key and certificate
[root@openvpn 2.0]# ./build-key frank
Generating a 1024 bit RSA private key
...
...++
Writing new private key to 'frank.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [Frank]:
Organizational Unit Name (eg, section) []: Frank
Common Name (eg, your name or your server's hostname) [frank]:
Name []: frank
Email Address [623195090@qq.com]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/openvpn/openvpn-2.1.4/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature OK
The Subject's Distinguished Name is as follows
CountryName: PRINTABLE: 'cn'
StateOrProvinceName: PRINTABLE: 'Shanghai'
LocalityName: PRINTABLE: 'Shanghai'
OrganizationName: PRINTABLE: 'frank'
OrganizationalUnitName: PRINTABLE: 'frank'
CommonName: PRINTABLE: 'frank'
Name: PRINTABLE: 'frank'
EmailAddress: IA5STRING: '623195090@qq.com'
Certificate is to be certified until Aug 9 18:45:05 2021 GMT (3650 days)
Sign the certificate? [Y/n]: y
 
 
1 out of 1 certificate requests certified, commit? [Y/n]
CERTIFICATION CANCELED
Note that this run was cancelled: the commit prompt was not answered with y, so no client certificate was signed. Run ./build-key frank again and answer y at both prompts; only then is keys/frank.crt written and available to copy to the client.
6. Create the Diffie-Hellman parameters. Diffie-Hellman strengthens the key exchange and is required by OpenVPN. In the main OpenVPN configuration file, the tls-auth directive adds an HMAC signature to every SSL/TLS handshake packet, and any UDP packet that is not correctly signed is discarded, which raises the security of the SSL/TLS layer: it protects OpenVPN's UDP port against DoS and port-flooding attacks, hides the listening port from port scans, and keeps unauthenticated packets away from the TLS implementation, so a buffer overflow there cannot be reached.
[root@openvpn 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......+.........+....+....................++*
7. A pre-shared key is required to enable tls-auth. This key is stored in a file alongside the certificates and must be protected in the same way as a private key. Generate it with the following command:
[root@openvpn 2.0]# openvpn --genkey --secret ta.key
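The HMAC mechanism behind tls-auth, as an added Python illustration (not code from this page or from OpenVPN itself): it parses a static key file in the layout that openvpn --genkey --secret writes, picks HMAC keys according to the key direction, and shows that packets with no valid tag, or from a peer configured with the same direction as the server, are dropped before any TLS processing happens. The key bytes in the sample file are constructed, and the 64-byte slicing of the key into send and receive halves is my simplified model of what the direction flag does, not a reimplementation of OpenVPN's wire format.

```python
import hashlib
import hmac

# Constructed sample in the layout written by `openvpn --genkey --secret ta.key`:
# comment lines, a BEGIN marker, 16 lines of 32 hex characters (256 bytes) and an
# END marker. The bytes here are a made-up sequence so the example is deterministic;
# a real file holds 256 random bytes and must be kept as secret as a private key.
_KEY_HEX = bytes(range(256)).hex()
SAMPLE_TA_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(_KEY_HEX[i:i + 32] for i in range(0, len(_KEY_HEX), 32))
    + "\n-----END OpenVPN Static key V1-----\n"
)

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes; SHA-1 is the default auth in OpenVPN 2.1


def parse_static_key(text):
    """Return the 256 key bytes found between the BEGIN and END markers."""
    hex_lines, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN"):
            inside = True
        elif line.startswith("-----END"):
            break
        elif inside and line and not line.startswith("#"):
            hex_lines.append(line)
    key = bytes.fromhex("".join(hex_lines))
    if len(key) != 256:
        raise ValueError("expected a 2048-bit static key, got %d bytes" % len(key))
    return key


def hmac_keys(key, direction):
    """Pick the (send, receive) HMAC keys for a peer with the given tls-auth direction.

    Assumed (simplified) layout: the 256-byte key holds two 128-byte key sets, each
    made of a 64-byte cipher part followed by a 64-byte HMAC part. Direction 0 sends
    with set 0 and receives with set 1; direction 1 does the opposite. That is why
    the two ends of a tunnel must be configured with different directions.
    """
    if direction not in (0, 1):
        raise ValueError("direction must be 0 or 1")
    set0_hmac, set1_hmac = key[64:128], key[192:256]
    return (set0_hmac, set1_hmac) if direction == 0 else (set1_hmac, set0_hmac)


def sign_packet(send_key, payload):
    """Prefix the payload with its HMAC-SHA1 tag, as the sending side would."""
    return hmac.new(send_key, payload, hashlib.sha1).digest() + payload


def verify_packet(recv_key, packet):
    """Return the payload if the tag is valid, else None (the packet is dropped)."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(recv_key, payload, hashlib.sha1).digest()
    # Constant-time comparison, so timing does not leak how many tag bytes matched.
    return payload if hmac.compare_digest(tag, expected) else None


def demo():
    """Server uses direction 0, client direction 1; only properly tagged packets pass."""
    key = parse_static_key(SAMPLE_TA_KEY)
    server_send, server_recv = hmac_keys(key, 0)
    client_send, client_recv = hmac_keys(key, 1)
    hello = sign_packet(client_send, b"client hello")
    accepted = verify_packet(server_recv, hello) == b"client hello"
    # An untagged probe, or a peer mistakenly configured with the server's own
    # direction, produces nothing the server will hand to the TLS layer.
    unsigned_dropped = verify_packet(server_recv, b"client hello") is None
    wrong_dir_dropped = verify_packet(server_recv, sign_packet(server_send, b"x")) is None
    return accepted and unsigned_dropped and wrong_dir_dropped


if __name__ == "__main__":
    print("tls-auth model behaves as expected:", demo())
```

The check a practitioner takes from this is the direction rule: a client given `tls-auth ta.key 0` by mistake shares the server's send key and its packets fail verification exactly like a stranger's, so "TLS handshake failed" with a correct certificate is often just a wrong direction number.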
8. Configure the OpenVPN main configuration file on the OpenVPN server
# mkdir /etc/openvpn/keys
# cp -v keys/{ca.crt,server.crt,server.key,dh1024.pem} /etc/openvpn/keys
# cp ta.key /etc/openvpn/keys
# cd /etc/openvpn
# cat openvpn.conf
# IP address the OpenVPN server listens on
local 1.1.1.1
# OpenVPN listening port
port 1194
# Protocol used by OpenVPN. If clients must go through an HTTP proxy, TCP is required.
;proto tcp
proto udp
# Two kinds of virtual device are available: tap and tun. tap works at the data link layer (Ethernet);
# tun is a point-to-point device at the IP layer, with more restrictions.
dev tun
# CA certificate (created by build-ca); OpenVPN uses it to verify that a client certificate is valid
ca /etc/openvpn/keys/ca.crt
# Certificate used by the OpenVPN server
cert /etc/openvpn/keys/server.crt
# Private key of the server certificate. Restrict the file permissions (readable by root only) to prevent theft.
key /etc/openvpn/keys/server.key # This file should be kept secret
# Diffie-Hellman parameters generated by build-dh
dh /etc/openvpn/keys/dh1024.pem
# Network used by the VPN. OpenVPN hands out addresses from this range like a DHCP server; it must not overlap with the LAN of either side, so make sure it is unique.
# The server takes the .1 address by default.
server 10.8.0.0 255.255.255.0
# Remember the IP address assigned to each client across OpenVPN restarts
ifconfig-pool-persist ipp.txt
;server-bridge
# Push a route to the client. After the client connects, the route is added to its routing table automatically; the next hop is omitted.
push "route 192.168.1.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
# Make the VPN the client's default gateway, so that all of the client's traffic passes through the tunnel.
push "redirect-gateway def1 bypass-dhcp"
# DNS servers for the client
push "dhcp-option DNS 210.5.153.250"
push "dhcp-option DNS 192.168.0.1"
# Allow clients to reach each other
client-to-client
# Allow several clients to connect at the same time with the same Common Name, i.e. clients that share one certificate and key. Without it, only one connection per certificate is allowed.
# Because it lets sessions share a certificate, you lose the ability to revoke or restrict a single user; issue one certificate per client instead whenever you can.
duplicate-cn
# When the VPN runs behind NAT and is idle for a long time, the NAT session may expire and the VPN connection is lost. To prevent this, keepalive provides a ping-like mechanism:
# the values below ping the peer over the VPN control channel every 10 seconds and, if no reply arrives for 120 consecutive seconds, treat the connection as lost, restart the tunnel and reconnect. In server mode OpenVPN itself does not reconnect; the client does.
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
# The "HMAC firewall" described above prevents DoS attacks: every control channel packet carries an HMAC signature, and packets without a valid signature are ignored. The direction number must be 0 on the server and 1 on the clients.
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Compress data; the server and clients must use the same setting.
comp-lzo
# Maximum number of concurrent client connections
max-clients 100
# User and group that the OpenVPN process drops privileges to after startup
user nobody
group nobody
# When the keepalive check times out and the VPN restarts, do not re-read the key files; keep the keys loaded at startup (needed because the process no longer runs as root).
persist-key
# When the keepalive check times out and the VPN restarts, keep the tun or tap device up. Otherwise the interface goes down and comes up again.
persist-tun
# Write status information (connected clients and their traffic) to a file periodically, so that you can write your own program for accounting or other purposes
status /var/log/openvpn_status.log
# Log to a file; the old log content is discarded each time OpenVPN restarts.
;log openvpn.log
# Same as log, but the old content is kept across restarts and new messages are appended to the end of the file.
log-append /var/log/openvpn.log
verb 4
;mute 20
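A reader of the status file written by the `status` directive, as an added Python example (not code from this page or from OpenVPN): it parses the version-1 status format that OpenVPN 2.1 writes by default, totals traffic per Common Name for accounting, and flags a Common Name with more than one live session, which is what a copied client key looks like once duplicate-cn is on. The status text below is constructed for the example; the addresses and byte counts are made up.

```python
# Constructed sample of /var/log/openvpn_status.log in the version-1 format:
# a client list, a routing table, global stats, and an END marker.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Aug 10 10:00:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
frank,203.0.113.5:51234,120000,3400000,Wed Aug 10 09:00:00 2011
frank,198.51.100.9:40022,800,1200,Wed Aug 10 09:58:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,frank,203.0.113.5:51234,Wed Aug 10 09:59:30 2011
10.8.0.10,frank,198.51.100.9:40022,Wed Aug 10 09:59:58 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Return {'updated': str, 'clients': [...], 'routes': [...]} from a status file."""
    status = {"updated": None, "clients": [], "routes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers switch the parser state; END closes the file.
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line == "GLOBAL STATS":
            section = "stats"
            continue
        if line == "END":
            break
        fields = line.split(",")
        if fields[0] == "Updated":
            status["updated"] = fields[1]
        elif section == "clients" and fields[0] != "Common Name" and len(fields) == 5:
            cn, addr, rx, tx, since = fields
            status["clients"].append({"cn": cn, "real_address": addr,
                                      "bytes_received": int(rx), "bytes_sent": int(tx),
                                      "connected_since": since})
        elif section == "routes" and fields[0] != "Virtual Address" and len(fields) == 4:
            vaddr, cn, addr, last = fields
            status["routes"].append({"virtual_address": vaddr, "cn": cn,
                                     "real_address": addr, "last_ref": last})
    return status


def traffic_by_cn(status):
    """Sum (bytes received, bytes sent) per Common Name across all sessions."""
    totals = {}
    for c in status["clients"]:
        rx, tx = totals.get(c["cn"], (0, 0))
        totals[c["cn"]] = (rx + c["bytes_received"], tx + c["bytes_sent"])
    return totals


def duplicate_sessions(status):
    """Common Names with more than one concurrent session.

    This is only possible with duplicate-cn enabled. Two sessions for one CN from
    different real addresses deserve a look: it is the footprint of a client key
    that has been copied to a second machine.
    """
    counts = {}
    for c in status["clients"]:
        counts[c["cn"]] = counts.get(c["cn"], 0) + 1
    return sorted(cn for cn, n in counts.items() if n > 1)


def sessions_without_route(status):
    """Sessions that have no entry in the routing table (connected but not passing traffic)."""
    routed = {r["real_address"] for r in status["routes"]}
    return [c["real_address"] for c in status["clients"] if c["real_address"] not in routed]


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    print("updated:", st["updated"])
    for cn, (rx, tx) in traffic_by_cn(st).items():
        print("%s: %d bytes in, %d bytes out" % (cn, rx, tx))
    print("duplicate sessions:", duplicate_sessions(st))
```

Point the parser at the real file with `parse_status(open("/var/log/openvpn_status.log").read())`; if you set `status-version 2` on the server, the file switches to a different, tagged layout and this reader does not apply.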
9. Enable IP forwarding, add OpenVPN to the services started at boot, and start it.
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 0
Change it to
net.ipv4.ip_forward = 1
# sysctl -p
# chkconfig --add openvpn
# chkconfig openvpn on
# service openvpn start
10. Install the OpenVPN client on Windows
openvpn-2.1.4-install.exe
11. Configure the client: open client.ovpn in the OpenVPN installation directory with Notepad.
The configuration is as follows:
# Declare this side as the client
client
# Use routed IP (tun) mode; must match the server
dev tun
# Protocol used; must match the server
proto udp
# Server address and port; use several remote lines to specify several servers
remote 1.1.1.1 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
# If several servers are listed, let the client pick one at random
;remote-random
# Keep retrying to resolve the server's host name
resolv-retry infinite
# The client does not need to bind to a specific local port
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobind
# Try to preserve some state when the connection restarts.
persist-key
persist-tun
# CA certificate and the client's own certificate and key; use the file names actually produced by build-key (frank.crt and frank.key in the example above)
ca ca.crt
cert client.crt
key client.key
# Require the server certificate to carry the nsCertType=server extension, which build-key-server sets; this stops a client certificate signed by the same CA from being used to impersonate the server
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
# The direction here must be 1
tls-auth ta.key 1
# Use lzo compression, consistent with the server
comp-lzo
# Log verbosity
verb 3
# Silence repeating messages
;mute 20
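The server and client configurations above repeat "must be consistent with the server" for several directives, and OpenVPN 2.1 does not negotiate them: a mismatch simply fails the tunnel. This added Python checker (my own code, not part of the page or of OpenVPN) parses both files with OpenVPN's comment rules, compares the directives that must agree, and checks the hardening settings discussed on the page. The two embedded configurations are constructed copies of the ones on this page, trimmed to the directives the checks need; run over them, the checker reports the one real gap in the page's client file, the missing `cipher AES-128-CBC` line.

```python
# Constructed, trimmed copies of the two configurations on this page.
SERVER_CONF = """\
local 1.1.1.1
port 1194
;proto tcp
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 1.1.1.1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
"""


def tokenize(line):
    """Split one config line into tokens: quotes group words, and an unquoted
    # or ; starts a comment (a leading ; therefore disables the whole line)."""
    tokens, cur, quote = [], "", None
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "\"'":
            quote = ch
        elif ch in "#;":
            break
        elif ch.isspace():
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def parse_config(text):
    """Return a list of (directive, [args]) pairs in file order, comments dropped."""
    entries = []
    for line in text.splitlines():
        tokens = tokenize(line)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def first(cfg, name, default=None):
    """Arguments of the first occurrence of a directive, or default if absent."""
    for directive, args in cfg:
        if directive == name:
            return args
    return default


def check_pair(server_text, client_text):
    """Compare a server and a client configuration; return human-readable findings."""
    s, c = parse_config(server_text), parse_config(client_text)
    findings = []
    s_proto, c_proto = first(s, "proto", ["udp"])[0], first(c, "proto", ["udp"])[0]
    if s_proto != c_proto:
        findings.append("proto mismatch: server %s, client %s" % (s_proto, c_proto))
    s_dev, c_dev = first(s, "dev", [None])[0], first(c, "dev", [None])[0]
    if s_dev != c_dev:
        findings.append("dev mismatch: server %s, client %s" % (s_dev, c_dev))
    # No cipher negotiation before OpenVPN 2.4: an absent line means the default BF-CBC.
    s_cipher, c_cipher = first(s, "cipher", ["BF-CBC"])[0], first(c, "cipher", ["BF-CBC"])[0]
    if s_cipher != c_cipher:
        findings.append("cipher mismatch: server %s, client %s (add 'cipher %s' to the client)"
                        % (s_cipher, c_cipher, s_cipher))
    if (first(s, "comp-lzo") is None) != (first(c, "comp-lzo") is None):
        findings.append("comp-lzo is set on one side only")
    s_port = first(s, "port", ["1194"])[0]
    remote = first(c, "remote", [None, "1194"])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        findings.append("port mismatch: server listens on %s, client connects to %s" % (s_port, c_port))
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if s_ta is None or c_ta is None:
        findings.append("tls-auth must be configured on both sides")
    else:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        if {s_dir, c_dir} != {"0", "1"}:
            findings.append("tls-auth directions must be 0 (server) and 1 (client), got %s/%s" % (s_dir, c_dir))
    if first(c, "ns-cert-type") != ["server"]:
        findings.append("client lacks 'ns-cert-type server': any CA-signed client cert could pose as the server")
    for name in ("user", "group"):
        if first(s, name) is None:
            findings.append("server does not drop privileges: no '%s' directive" % name)
    return findings


if __name__ == "__main__":
    for finding in check_pair(SERVER_CONF, CLIENT_CONF) or ["no findings"]:
        print(finding)
```

To use it on real files, read them and call `check_pair(server_text, client_text)`; every finding names the directive and the side that needs changing.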
 
 

This article is from the "Gone with the wind" blog
