Using OpenVPN to implement intranet mutual access between two sites (1): master server configuration
Master Server Configuration
Functions to be implemented:
Shenzhen:
Master VPN server: dns.dog.com
Internet IP (eth1): 192.168.68.71
Intranet IP (eth0): 10.1.1.254
Guangzhou:
VPN server: lvs1.dog.com
Internet IP (eth1): 192.168.68.73
Intranet IP (eth0): 10.1.2.1
Client outside China (PC1):
192.168.68.79
The Shenzhen-Guangzhou tunnel uses the virtual IP addresses 10.8.0.1 and 10.8.0.2.
The Shenzhen-PC1 tunnel uses the virtual IP addresses 10.9.0.1 and 10.9.0.2.
------------------------------------------------------------------------------------
First, we implement intranet mutual access between the Shenzhen company and the Guangzhou company.
I. Configure the master VPN server dns.dog.com:
1. Download and install the OpenVPN and LZO software
OpenVPN: http://down.51cto.com/data/191331
LZO: http://down.51cto.com/data/191333
Installation:
Unpack each package under /usr/src, enter its directory and run:
# ./configure && make && make install
Both packages are installed the same way. Install LZO first, because OpenVPN's configure script checks for it.
2. Set up the OpenVPN init script
# cp /usr/src/openvpn-2.0.9/sample-config-files/openvpn.init /etc/init.d/openvpn
# chkconfig --add openvpn
# chkconfig openvpn on
The init script changes into /etc/openvpn and starts every *.conf file it finds there, which is why the relative keys/ and ccd paths used below work.
3. Enable routing and SNAT
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.68.71
The SNAT rule only rewrites traffic that leaves on eth1 (the Internet side), so intranet hosts can reach the Internet through this box; site-to-site traffic leaves through tun0 and is not translated. iptables rules are lost on reboot unless saved (service iptables save on RHEL/CentOS).
4. Configure the easy-rsa variables:
# cd /usr/src/openvpn-2.0.9/easy-rsa/
# vim vars
Modify these default options:
export KEY_COUNTRY=CN
export KEY_PROVINCE=SHENZHEN
export KEY_CITY=SHENZHEN
export KEY_ORG="SHENZHEN.inc"
export KEY_EMAIL="root@dog.com"
# source vars
Sourcing vars reminds you to run ./clean-all. That wipes the keys directory, so only do it on a fresh setup:
# ./clean-all
5. Create the CA certificate
# ./build-ca
At the Common Name prompt enter the host name, for example dns.dog.com; press Enter to accept the defaults for the other fields.
6. Create the Diffie-Hellman parameters file
# ./build-dh
........
7. Create the master server certificate and key
# ./build-key-server dns
.................
Fill in the Common Name as above, dns.dog.com.
Answer "y" to the two [y/n] prompts that follow (sign the certificate, then commit it).
8. Create the certificate and key for the Guangzhou server
# ./build-key lvs1
.........................
This time use the Guangzhou host name, lvs1.dog.com, as the Common Name. The ccd file created in step 12 must be named exactly after this Common Name.
9. Generate the tls-auth key. It adds an HMAC to every control-channel packet, so the server drops packets from anyone who does not hold the key before the TLS handshake even starts; this is the main protection against DoS and probing of the TLS stack by unauthenticated hosts.
# openvpn --genkey --secret keys/ta.key
10. Move the keys directory to /etc/openvpn/
# mkdir -p /etc/openvpn/
# mv keys /etc/openvpn/
Keep the private keys (*.key, including ta.key) readable by root only; ca.key never needs to leave this machine.
11. Create the configuration file for the master server
# vim /etc/openvpn/dns_tun0.conf
local 192.168.68.71 -- local IP address to listen on
port 1194 -- port used
proto udp
dev tun -- routed (tun) VPN mode
ca keys/ca.crt
cert keys/dns.crt
key keys/dns.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0 -- put this machine in server mode and hand out addresses from 10.8.0.0/24
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0" -- push a route to the Shenzhen intranet to the Guangzhou branch
push "route 10.9.0.0 255.255.255.0" -- push a route to the overseas PC1 tunnel network to the Guangzhou branch
push "dhcp-option DNS 192.168.68.71" -- DNS server for the clients (applied automatically by Windows clients; Linux clients need an up script)
route 10.1.2.0 255.255.255.0 -- kernel route on the Shenzhen server to the Guangzhou intranet, via the tunnel
client-config-dir ccd
keepalive 10 120
tls-auth keys/ta.key 0
cipher BF-CBC
comp-lzo
max-clients 100 -- maximum number of concurrent VPN clients
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
Two things to note about this file. The route line works together with the iroute in the ccd file of step 12: route makes the kernel send packets for 10.1.2.0/24 into tun0, and iroute tells OpenVPN which client owns that subnet; without either one the Guangzhou intranet is unreachable. Second, cipher BF-CBC and the 1024-bit DH file are the OpenVPN 2.0 defaults and are weak by today's standards: Blowfish has a 64-bit block (SWEET32) and 1024-bit DH is below current minimums. On any release that supports them, set cipher AES-256-CBC (or AES-256-GCM on 2.4 and later) on both ends and generate a 2048-bit dh file (KEY_SIZE in vars). comp-lzo compresses plaintext before it is encrypted and is best left out.
12. Create the ccd configuration file for the Guangzhou company
# mkdir -p /etc/openvpn/ccd
# vim /etc/openvpn/ccd/lvs1.dog.com
iroute 10.1.2.0 255.255.255.0
ifconfig-push 10.8.0.2 10.8.0.1
The file name must be exactly the Common Name of the client certificate (lvs1.dog.com); OpenVPN silently ignores a file with any other name. iroute declares that 10.1.2.0/24 sits behind this client, and ifconfig-push pins its tunnel address to 10.8.0.2 with 10.8.0.1 as the peer.
13. Restart the VPN service
# service openvpn restart
# netstat -anp | grep openvpn
You should see the openvpn process listening on UDP port 1194.
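Before starting the service it is worth checking the configuration for the two problems this setup is most exposed to: the weak defaults that OpenVPN 2.0 shipped with, and a ccd iroute without a matching server route (a subnet that is announced but never enters tun0). The script below is an added example written for this page, not code from the original post or from OpenVPN. It writes a constructed copy of the server config from the steps above into a temporary directory, together with a hypothetical second branch file ccd/lvs2.dog.com for 10.1.3.0/24 (not part of the page's topology, included only to trigger the mismatch), and prints one finding per line.

```bash
#!/bin/sh
# Added example, not part of the original post: audit an OpenVPN 2.x server
# config and its ccd directory for weak settings and iroute/route mismatches.
# The sample files are constructed from the page's config; lvs2.dog.com and
# 10.1.3.0/24 are hypothetical and exist only to show a mismatch.

# Print one finding per line; prints nothing when the config is clean.
audit_openvpn() {
    conf="$1"; ccd="$2"
    grep -qi '^cipher' "$conf" ||
        echo "WEAK: no cipher line; OpenVPN 2.0-2.4 then fall back to BF-CBC"
    grep -qi '^cipher[[:space:]][[:space:]]*BF-CBC' "$conf" &&
        echo "WEAK: BF-CBC is a 64-bit block cipher (SWEET32); use AES-256-GCM or AES-256-CBC"
    grep -qi '^dh[[:space:]].*dh1024' "$conf" &&
        echo "WEAK: 1024-bit DH parameters; regenerate with 2048 bits or more"
    grep -qi '^tls-auth' "$conf" ||
        echo "MISSING: tls-auth, so the control channel answers unauthenticated packets"
    grep -qi '^comp-lzo' "$conf" &&
        echo "NOTE: comp-lzo compresses plaintext before encryption (VORACLE); drop it"
    # An iroute tells OpenVPN which client owns a subnet; the kernel still needs
    # a matching 'route' so packets for that subnet are sent into tun0 at all.
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        grep -i '^iroute' "$f" | while read -r kw net mask rest; do
            awk -v n="$net" -v m="$mask" \
                'tolower($1)=="route" && $2==n && $3==m {ok=1} END {exit !ok}' "$conf" ||
                echo "MISMATCH: ccd/$(basename "$f") has 'iroute $net $mask' but the server config lacks 'route $net $mask'"
        done
    done
    return 0
}

# Number of findings, as a plain integer.
count_findings() {
    audit_openvpn "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample: the page's server config as written ("weak") or a
# hardened variant ("hardened"); $1 is the target directory.
write_sample() {
    dir="$1"; mkdir -p "$dir/ccd"
    if [ "$2" = "weak" ]; then
        cipher="cipher BF-CBC"; dh="dh keys/dh1024.pem"; lzo="comp-lzo"
    else
        cipher="cipher AES-256-GCM"; dh="dh keys/dh2048.pem"; lzo=""
    fi
    cat > "$dir/server.conf" <<EOF
local 192.168.68.71
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/dns.crt
key keys/dns.key
$dh
server 10.8.0.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0"
route 10.1.2.0 255.255.255.0
client-config-dir ccd
tls-auth keys/ta.key 0
$cipher
$lzo
user nobody
group nobody
EOF
    printf 'iroute 10.1.2.0 255.255.255.0\nifconfig-push 10.8.0.2 10.8.0.1\n' > "$dir/ccd/lvs1.dog.com"
    # Hypothetical second branch whose subnet was never added to the server config.
    [ "$2" = "weak" ] && printf 'iroute 10.1.3.0 255.255.255.0\n' > "$dir/ccd/lvs2.dog.com"
    return 0
}

tmp=$(mktemp -d)
write_sample "$tmp/weak" weak
write_sample "$tmp/hard" hardened
audit_openvpn "$tmp/weak/server.conf" "$tmp/weak/ccd"
echo "weak findings: $(count_findings "$tmp/weak/server.conf" "$tmp/weak/ccd")"
echo "hardened findings: $(count_findings "$tmp/hard/server.conf" "$tmp/hard/ccd")"
rm -rf "$tmp"
```

Against the real files the call is audit_openvpn /etc/openvpn/dns_tun0.conf /etc/openvpn/ccd. The checks are plain grep and awk over the directives as written, which is why a missing cipher line is reported explicitly: OpenVPN applies its own default (BF-CBC before 2.5) when the directive is absent, and an audit that only looks for bad values would miss that.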
Intranet mutual access between two locations: the Guangzhou server
Now configure the Guangzhou server.
1. Install the software: same as steps 1 and 2 for the master server.
2. Enable routing and SNAT
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.68.73
3. Copy ca.crt, ta.key, lvs1.key and lvs1.crt from /etc/openvpn/keys/ on the Shenzhen server to /etc/openvpn/keys/ on this server. Use scp or another authenticated channel, since lvs1.key and ta.key are secrets, and do not copy ca.key: the CA private key stays on the Shenzhen server.
4. Create the configuration file for the Guangzhou VPN server
# vim /etc/openvpn/lvs1.conf
client
dev tun
proto udp
remote 192.168.68.71 1194 -- address and port of the master server
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca keys/ca.crt
cert keys/lvs1.crt
key keys/lvs1.key
ns-cert-type server -- only accept a server certificate issued with build-key-server, so another client certificate from the same CA cannot impersonate the server
tls-auth keys/ta.key 1
cipher BF-CBC -- must match the server
comp-lzo
verb 3
mute 20
On OpenVPN 2.1 and later, remote-cert-tls server does the same check through the key-usage extensions and is the option to use; ns-cert-type was removed in OpenVPN 2.5.
5. Restart the VPN service
# service openvpn restart
6. Check tun0 and the routing table
# ifconfig tun0
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.68.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.9.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
The two routes via 10.8.0.1 are the ones pushed by the master server.
7. Test whether the master server can be pinged
# ping 10.8.0.1
II. Intranet mutual access between the two sites
Shenzhen intranet 10.1.1.0/24, gateway 10.1.1.254 (the VPN server's eth0)
Guangzhou intranet 10.1.2.0/24, gateway 10.1.2.1 (the VPN server's eth0)
Because each VPN server is also its site's default gateway, the intranet hosts need no extra routes. If some other router were the gateway, it would need a static route for the remote subnet pointing at the VPN server, or the return traffic would never reach the tunnel.
Check whether the two intranets can ping each other. The pings below are sent from the VPN servers themselves; repeat them from an intranet host on each side to prove the full path.
[root@lvs1 ~]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=63 time=2.38 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=63 time=0.632 ms
[root@dns ~]# ping 10.1.2.4
PING 10.1.2.4 (10.1.2.4) 56(84) bytes of data.
64 bytes from 10.1.2.4: icmp_seq=1 ttl=64 time=3.44 ms
64 bytes from 10.1.2.4: icmp_seq=2 ttl=64 time=0.530 ms
This article is from the "little talent" blog; please keep this source: http://dogdogcom.blog.51cto.com/2402458/550703