Openvpn in Centos enables Intranet mutual access between two locations

Source: Internet
Author: User

Using OpenVPN to implement intranet mutual access between two locations (1): Master Server Configuration

Goal:

Shenzhen:
Master VPN server: dns.dog.com

Internet IP (eth1): 192.168.68.71
Intranet IP (eth0): 10.1.1.254


Guangzhou:
VPN server: lvs1.dog.com

Internet IP (eth1): 192.168.68.73
Intranet IP (eth0): 10.1.2.1

Clients outside China:
192.168.68.79

The Shenzhen-Guangzhou tunnel uses the virtual IP addresses 10.8.0.1 and 10.8.0.2.
The Shenzhen-overseas PC1 tunnel uses the virtual IP addresses 10.9.0.1 and 10.9.0.2.

First, we implement intranet mutual access between the Shenzhen and Guangzhou companies.

I. Configure the master VPN server dns.dog.com:

1. First download and install the OpenVPN and LZO software
OpenVPN: http://down.51cto.com/data/191331
LZO: http://down.51cto.com/data/191333

Installation:
Unpack each tarball into /usr/src, enter its directory and run:
# ./configure && make && make install

Install both packages this way. Build LZO before OpenVPN, because OpenVPN's configure script looks for the LZO headers.

2. Configure the OpenVPN software
First, set up the init script so the service starts at boot:

# cp /usr/src/openvpn-2.0.9/sample-config-files/openvpn.init /etc/init.d/openvpn
# chkconfig --add openvpn
# chkconfig openvpn on

2. Enable routing and perform SNAT
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

# sysctl -p

# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.68.72

3. Configure the easy-rsa environment variables:

# cd /usr/src/openvpn-2.0.9/easy-rsa/
# vim vars

Modify these default options:

export KEY_COUNTRY=CN
export KEY_PROVINCE=SHENZHEN
export KEY_CITY=SHENZHEN
export KEY_ORG="SHENZHEN.inc"
export KEY_EMAIL="root@dog.com"

# source vars
(sourcing vars prints a reminder that ./clean-all will wipe the keys directory; run it once to start from an empty one)
# ./clean-all

3. Create the CA certificate
# ./build-ca
Accept the defaults by pressing Enter; when asked for the Common Name, enter the host name,
for example dns.dog.com


4. Create the Diffie-Hellman parameter file
# ./build-dh
(this prints rows of dots while the parameters are generated)

5. Create the master server certificate and key
# ./build-key-server dns

Fill in the host name as above, dns.dog.com.

Answer "y" to the two [y/n] prompts (sign the certificate, then commit it).


6. Create the certificate and key for the Guangzhou server
# ./build-key lvs1

This time enter the Guangzhou host name lvs1.dog.com as the Common Name. The server looks up per-client settings by this Common Name, so it must match the ccd file name used in step 10.

7. Generate the tls-auth key, which adds an HMAC check on the control channel and so provides an extra layer of verification for the VPN:

# openvpn --genkey --secret keys/ta.key

8. Move the keys folder to /etc/openvpn/
# mkdir -p /etc/openvpn/
# mv keys /etc/openvpn/

The private keys (dns.key, ta.key) should be readable by root only.

9. Create the configuration file for the master server
# vim /etc/openvpn/dns_tun0.conf

local 192.168.68.71                     # local IP address to bind
port 1194                               # port used
proto udp
dev tun                                 # use tun (routed) VPN mode
ca keys/ca.crt
cert keys/dns.crt
key keys/dns.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0           # server mode, hand out addresses from the 10.8.0.0 network segment
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"     # push a route to the Shenzhen intranet to the Guangzhou branch
push "route 10.9.0.0 255.255.255.0"     # push a route to the overseas PC1 tunnel network to the Guangzhou branch
push "dhcp-option DNS 192.168.68.71"    # DNS address handed to clients (the Internet DNS address)
route 10.1.2.0 255.255.255.0            # kernel route from Shenzhen to the Guangzhou intranet via the tunnel (paired with the iroute in ccd)
client-config-dir ccd
keepalive 10 120
tls-auth keys/ta.key 0
cipher BF-CBC
comp-lzo
max-clients 100                         # maximum number of concurrent VPN clients allowed
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20

10. Create the ccd configuration file for the Guangzhou company
# mkdir -p /etc/openvpn/ccd
# vim /etc/openvpn/ccd/lvs1.dog.com

iroute 10.1.2.0 255.255.255.0
ifconfig-push 10.8.0.2 10.8.0.1

11. Restart the VPN service
# service openvpn restart
# netstat -anp | grep openvpn

You should see the openvpn process listening on UDP port 1194.

Using OpenVPN to implement intranet mutual access between two locations (2): Guangzhou Server Configuration

Now configure the Guangzhou server.

1. Install the software: same as steps 1 and 2 for the master server.
2. Enable routing and perform SNAT
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

# sysctl -p

# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.68.73

3. Copy ca.crt, ta.key, lvs1.key and lvs1.crt from /etc/openvpn/keys/ on the Shenzhen server to /etc/openvpn/keys on the local server. Use an encrypted channel such as scp: lvs1.key and ta.key are secrets and must not travel in the clear.

4. Create the configuration file for the Guangzhou VPN server
# vim /etc/openvpn/lvs1.conf

client
dev tun
proto udp
remote 192.168.68.71 1194          # address and port of the Shenzhen server
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca keys/ca.crt
cert keys/lvs1.crt
key keys/lvs1.key
ns-cert-type server                # only accept a peer certificate created with build-key-server
tls-auth keys/ta.key 1             # key direction 1, the opposite of the server's 0
cipher BF-CBC
comp-lzo
verb 3
mute 20
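The server configuration (steps 9 and 10 above) and this client configuration have to agree with each other: the tls-auth key directions must be opposite, the cipher must be identical (OpenVPN 2.0.x does not negotiate it), and every iroute in a ccd file needs a matching route on the server, or the traffic for that subnet is silently dropped. The following script is an added example, not code from the original post: it builds three small files from the directives shown on this page (the file names and the extra ccd entry "example-bad" are assumptions made for the demonstration), then lints the server config, its ccd directory and the client config for exactly those mismatches plus a few hardening points.

```shell
#!/bin/sh
# Added example, not part of the original post: lint the server config, its ccd
# files and the client config shown above. The three files are constructed here
# from the directives on this page; "example-bad" is a constructed negative case.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/ccd"

cat > "$WORK/dns_tun0.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
push "route 10.1.1.0 255.255.255.0"
route 10.1.2.0 255.255.255.0      # kernel route, paired with the iroute in ccd
client-config-dir ccd
tls-auth keys/ta.key 0
cipher BF-CBC
user nobody
group nobody
EOF
cat > "$WORK/ccd/lvs1.dog.com" <<'EOF'
iroute 10.1.2.0 255.255.255.0
ifconfig-push 10.8.0.2 10.8.0.1
EOF
# Constructed negative case: an iroute with no matching route on the server.
cat > "$WORK/ccd/example-bad" <<'EOF'
iroute 10.1.3.0 255.255.255.0
EOF
cat > "$WORK/lvs1.conf" <<'EOF'
client
remote 192.168.68.71 1194
ns-cert-type server
tls-auth keys/ta.key 1
cipher BF-CBC
EOF

# conf_args FILE DIRECTIVE: print the arguments of every DIRECTIVE line
# (comments stripped, whitespace normalised); conf_get keeps the first only.
conf_args() { sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print }'; }
conf_get()  { conf_args "$1" "$2" | head -n 1; }

# lint_server CONF CCD_DIR: prints one OK:/WARN: line per check.
lint_server() {
    conf=$1; ccd=$2
    case "$(conf_get "$conf" tls-auth)" in
        *" 0") echo "OK: tls-auth with key direction 0 (clients must use 1)" ;;
        "")    echo "WARN: no tls-auth; the control channel accepts packets from anyone before the TLS handshake" ;;
        *)     echo "WARN: tls-auth without an explicit key direction" ;;
    esac
    case "$(conf_get "$conf" cipher)" in
        BF-CBC|DES*|"") echo "WARN: cipher '$(conf_get "$conf" cipher)' is a 64-bit block cipher (BF-CBC is also the default); prefer AES-256-CBC" ;;
        *) echo "OK: cipher $(conf_get "$conf" cipher)" ;;
    esac
    if [ -n "$(conf_get "$conf" user)" ] && [ -n "$(conf_get "$conf" group)" ]; then
        echo "OK: daemon drops privileges to $(conf_get "$conf" user):$(conf_get "$conf" group)"
    else
        echo "WARN: no user/group directive; the daemon keeps root after start-up"
    fi
    # A client-side subnet needs both directives: 'route' puts it in the kernel
    # table via tun0, 'iroute' tells OpenVPN which client owns it.
    for f in "$ccd"/*; do
        conf_args "$f" iroute | while read -r net mask; do
            if conf_args "$conf" route | grep -qx "$net $mask"; then
                echo "OK: $(basename "$f") iroute $net $mask has a matching route"
            else
                echo "WARN: $(basename "$f") iroute $net $mask has no matching route in the server config"
            fi
        done
    done
}

# lint_client CLIENT_CONF SERVER_CONF: cross-checks the client against the server.
lint_client() {
    cli=$1; srv=$2
    if [ -n "$(conf_get "$cli" remote-cert-tls)" ]; then
        echo "OK: remote-cert-tls server checks the peer certificate's role"
    elif [ -n "$(conf_get "$cli" ns-cert-type)" ]; then
        echo "WARN: ns-cert-type is deprecated (removed in OpenVPN 2.5); use 'remote-cert-tls server'"
    else
        echo "WARN: no server-certificate role check; any client certificate signed by the CA could impersonate the server"
    fi
    sdir=$(conf_get "$srv" tls-auth | awk '{ print $NF }')
    cdir=$(conf_get "$cli" tls-auth | awk '{ print $NF }')
    if [ -z "$cdir" ]; then
        echo "WARN: client has no tls-auth directive"
    elif [ "$sdir" = "$cdir" ]; then
        echo "WARN: tls-auth key direction must differ (server 0, client 1)"
    else
        echo "OK: tls-auth key directions are complementary"
    fi
    if [ "$(conf_get "$cli" cipher)" = "$(conf_get "$srv" cipher)" ]; then
        echo "OK: cipher matches the server"
    else
        echo "WARN: cipher differs from the server; OpenVPN 2.0.x does not negotiate ciphers, so the tunnel would not come up"
    fi
}

lint_server "$WORK/dns_tun0.conf" "$WORK/ccd"
lint_client "$WORK/lvs1.conf" "$WORK/dns_tun0.conf"
```

Run it as-is to see the findings for the page's own settings; on a real host point lint_server at /etc/openvpn/dns_tun0.conf and /etc/openvpn/ccd, and lint_client at a copy of lvs1.conf. The two expected warnings for this page are the BF-CBC cipher (a 64-bit block cipher) and the deliberately broken "example-bad" ccd entry; the ns-cert-type warning only matters once you move to OpenVPN 2.4 or later.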

5. Restart the VPN service
# service openvpn restart

6. Check tun0 and the routing table.
# ifconfig tun0
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.68.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.9.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0

7. Test whether the master server can be pinged over the tunnel
# ping 10.8.0.1
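Steps 6 and 7 are the checks that the tunnel came up and that the server's pushed routes were installed. The script below is an added example, not part of the original post: it takes the `route -n` table shown in step 6 (constructed here as a string; on a live host substitute "$(route -n)") and confirms that the host route to the server's tunnel address exists on tun0 and that each network the server pushes is reached through that address on tun0, not through some other interface.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the routes pushed by
# the Shenzhen server have landed in the Guangzhou kernel table via tun0.
# ROUTE_TABLE is constructed from the `route -n` output shown above.
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.68.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.1.1.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
10.9.0.0        10.8.0.1        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0'

# The networks the server's two push "route ..." lines hand out.
EXPECTED_ROUTES='10.1.1.0 255.255.255.0
10.9.0.0 255.255.255.0'

# tunnel_up TABLE TUN_PEER: OpenVPN installs a host route to the server's
# tunnel address on tun0 when the link comes up; its absence means no tunnel.
tunnel_up() {
    printf '%s\n' "$1" | awk -v peer="$2" \
        '$1 == peer && $3 == "255.255.255.255" && $8 == "tun0" { ok = 1 } END { exit !ok }'
}

# check_pushed_routes TABLE EXPECTED TUN_PEER: one OK:/MISSING: line per network.
# A route only counts if it points at the tunnel peer on tun0; the same prefix
# on another interface would mean the traffic bypasses the VPN.
check_pushed_routes() {
    table=$1; expected=$2; peer=$3
    printf '%s\n' "$expected" | while read -r net mask; do
        [ -n "$net" ] || continue
        if printf '%s\n' "$table" | awk -v n="$net" -v m="$mask" -v p="$peer" \
               '$1 == n && $3 == m && $2 == p && $8 == "tun0" { ok = 1 } END { exit !ok }'; then
            echo "OK: $net/$mask via $peer on tun0"
        else
            echo "MISSING: $net/$mask is not routed through the tunnel"
        fi
    done
}

if tunnel_up "$ROUTE_TABLE" 10.8.0.1; then
    check_pushed_routes "$ROUTE_TABLE" "$EXPECTED_ROUTES" 10.8.0.1
else
    echo "tun0 is not up: no host route to 10.8.0.1"
fi
```

Note the broad 10.0.0.0/8 entry on eth0 in the table: the two /24 routes via tun0 are more specific, so by longest-prefix matching intranet traffic for 10.1.1.0 and 10.9.0.0 still goes through the tunnel, while anything else in 10.0.0.0/8 stays on eth0. If a pushed network ever shows up as MISSING, check the server's push lines and the client log for "route" errors before touching the firewall.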

II. Mutual intranet access between the two locations

Shenzhen intranet 10.1.1.0, gateway 10.1.1.254
Guangzhou intranet 10.1.2.0, gateway 10.1.2.1

Check whether hosts on each intranet can ping the other side's intranet.
[root@lvs1 ~]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=63 time=2.38 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=63 time=0.632 ms

[root@dns ~]# ping 10.1.2.4
PING 10.1.2.4 (10.1.2.4) 56(84) bytes of data.
64 bytes from 10.1.2.4: icmp_seq=1 ttl=64 time=3.44 ms
64 bytes from 10.1.2.4: icmp_seq=2 ttl=64 time=0.530 ms

This article is from the "little talent" blog; please keep this source: http://dogdogcom.blog.51cto.com/2402458/550703
