Home > Developer > Linux

Use openvpn + linux to quickly establish an enterprise VPN

Source: Internet
Author: User
Tags install openssl
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Use openvpn + linux to quickly establish an enterprise VPN
Openvpn introduction http://openvpn.sourceforge.net/, not much said.
Openvpn can work in two modes:
One is the IP Route mode, which is mainly used for point-to-point
One is the Ethernet-based Tunnel Bridge mode, which is applicable to point-to-point and multi-point networks with multiple branches
The configuration example described in this article is the first
Topology:
Lan 1: redhat9.0 two NICs are installed on the office host
Eth1 connected to Internet 61.131.58.x,
Eth0 connected to intranet 192.168.1.56
VPN 10.1.0.1
Host a 192.168.1.222
Lan 2:
Redhat9.0 two NICs are installed on the home host
Eth0 connected to public network 218.85.158.244
Eth1 connected to 192.168.0.235
VPN 10.1.0.2
Host B 192.168.0.45

Environment: redhat9.0 + lzo + OpenSSL + openvpn
OpenSSL is used for encryption, and lzo is used for data compression.
Http://prdownloads.sourceforge.net/openvpn/openvpn-2.0_beta7.tar.gz
Http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz

First check whether OpenSSL is installed
Rpm-Qa | grep OpenSSL
No. Please install OpenSSL first. We will not discuss how to install OpenSSL.
I will download openvpn-2.0.beta7.tar.gzand lzo-1.08.tar.gz to/home
# Cd/home
# Tar zxvf lzo-1.08.tar.gz
# Cd lzo-1.08.
#./Comfigure
# Make
# Make install
# Tar zxvf openvpn-2.0_beta7.tar.gz
# Cd openvpn-2.0_beta7
#./Configure -- With-lzo-headers =/usr/local/include -- With-lzo-Lib =/usr/local/lib
# Make
# Make install
# Mkdir/etc/openvpn
# Cd/etc/openvpn
# Openvpn -- genkey -- secret static. Key
Copy static. Key from the office host to the/etc/openvpn directory of the home host.
Office # SCP static. Key root@218.85.158.244:/etc/openvpn
Office # cd/home/openvpn-2.0_beta7/sample-config-Files
Office # cp static-office.conf/etc/openvpn
Office # cp firewall. sh/etc/openvpn
Office # cp openvpn-startup.sh/etc/openvpn
Office # cp office. Up/etc/openvpn
Modify static-office.conf, firewall. Sh, openvpn-startup.sh, office. Up
Let's first look at the configuration files of the office host.
Static-office.conf configuration is as follows:
Dev tun0
Remote 218.85.158.244 # The Public IP address of the Peer end
Ifconfig 10.1.0.1 10.1.0.2 # vpn ip address for the current end and peer end
Secret/etc/openvpn/static. Key # key
Port 5000
Comp-lzo
Ping 15
Ping 15
Ping-Restart 45
Ping-timer-Rem
Persist-Tun
Persist-Key
Verb 3

The firewall. Sh script for the office host is as follows:
#! /Bin/bash
Private = 192.168.1.0/24
Loop = 127.0.0.1

Iptables-P output drop
Iptables-P input drop
Iptables-P forward drop
Iptables-F

Iptables-P output accept
Iptables-P input drop
Iptables-P forward drop

Iptables-A input-I eth1-S $ loop-J Drop
Iptables-a forward-I eth1-S $ loop-J Drop
Iptables-A input-I eth1-d $ loop-J Drop
Iptables-a forward-I eth1-d $ loop-J Drop

Iptables-a forward-p tcp -- Sport 137: 139-O eth1-J Drop
Iptables-a forward-p udp -- Sport 137: 139-O eth1-J Drop
Iptables-A output-p tcp -- Sport 137: 139-O eth1-J Drop
Iptables-A output-p udp -- Sport 137: 139-O eth1-J Drop

Iptables-a forward-s! $ Private-I eth0-J Drop

Iptables-A input-S $ loop-J accept
Iptables-A input-d $ loop-J accept

Iptables-A input-p icmp -- ICMP-type echo-request-J accept

Iptables-A input-p tcp -- dport http-J accept
Iptables-A input-p tcp -- dport ssh-J accept

Iptables-A input-p udp -- dport 5000-J accept # openvpn uses UDP 5000 port by default

Iptables-A input-I Tun +-J accept
Iptables-a forward-I Tun +-J accept # these two statements are very important.
Iptables-A input-I tap +-J accept
Iptables-a forward-I tap +-J accept

Iptables-A input-I eth0-J accept
Iptables-a forward-I eth0-J accept

Iptables-A output-M state -- state new-O eth1-J accept
Iptables-A input-M state -- State established, related-J accept
Iptables-a forward-M state -- state new-O eth1-J accept
Iptables-a forward-M state -- State established, related-J accept

Iptables-T Nat-A postrouting-S $ private-O eth1-J Masquerade

The office. Up script is configured as follows:
#! /Bin/bash
Route add-net 192.168.0.0 netmask 255.255.255.0 GW 10.1.0.2 # This is the peer vpn ip Address
The openvpn-startup.sh script configuration is as follows:
#! /Bin/bash
Dir =/etc/openvpn
$ DIR/firewall. Sh
Modprobe Tun
Echo 1>/proc/sys/NET/IPv4/ip_forward
Openvpn -- config/etc/openvpn/static-office.conf

Home host's four configuration files
Static-home.conf as follows
Dev tun0
Remote 61.131.58.194
Ifconfig 10.1.0.2 10.1.0.1
Secret/etc/openvpn/static. Key
Port 5000
Comp-lzo
Ping 15
Ping 15
Ping-Restart 45
Ping-timer-Rem
Persist-Tun
Persist-Key
Verb 3

Firewall. Sh is as follows:
#! /Bin/bash
Private = 192.168.0.0/24
Loop = 127.0.0.1
Iptables-P output drop
Iptables-P input drop
Iptables-P forward drop
Iptables-F

Iptables-P output accept
Iptables-P input drop
Iptables-P forward drop

Iptables-A input-I eth0-S $ loop-J Drop
Iptables-a forward-I eth0-S $ loop-J Drop
Iptables-A input-I eth0-d $ loop-J Drop
Iptables-a forward-I eth0-d $ loop-J Drop

Iptables-a forward-p tcp -- Sport 137: 139-O eth0-J Drop
Iptables-a forward-p udp -- Sport 137: 139-O eth0-J Drop
Iptables-A output-p tcp -- Sport 137: 139-O eth0-J Drop
Iptables-A output-p udp -- Sport 137: 139-O eth0-J Drop

Iptables-a forward-s! $ Private-I eth1-J Drop

Iptables-A input-S $ loop-J accept
Iptables-A input-d $ loop-J accept

Iptables-A input-p icmp -- ICMP-type echo-request-J accept

Iptables-A input-p tcp -- dport http-J accept
Iptables-A input-p tcp -- dport ssh-J accept

Iptables-A input-p udp -- dport 5000-J accept

Iptables-A input-I Tun +-J accept
Iptables-a forward-I Tun +-J accept
Iptables-A input-I tap +-J accept
Iptables-a forward-I tap +-J accept

Iptables-A input-I eth1-J accept
Iptables-a forward-I eth1-J accept

Iptables-A output-M state -- state new-O eth0-J accept
Iptables-A input-M state -- State established, related-J accept
Iptables-a forward-M state -- state new-O eth0-J accept
Iptables-a forward-M state -- State established, related-J accept

Iptables-T Nat-A postrouting-S $ private-O eth0-J Masquerade

The home. Up script is as follows:
#! /Bin/bash
Route add-net 192.168.1.0 netmask 255.255.255.0 GW 10.1.0.1
The openvpn-startup.sh script is as follows:
#! /Bin/bash
Dir =/etc/openvpn
$ DIR/firewall. Sh
Modprobe Tun
Echo 1>/proc/sys/NET/IPv4/ip_forward
Openvpn -- config/etc/openvpn/static-home.conf
Note that you must add a line to the/etc/modules. conf file of the Office and home hosts:
Alias char-Major-10-200 Tun
On the office host
Office # cd/etc/openvpn
Office #./openvpn-startup.sh
Office #./office. Up
On the home host
Home # cd/etc/openvpn
Home #/openvpn-startup.sh
Home #./home. Up
Set the default gateway of host a to 192.168.1.56.
Set the default gateway of host B to 192.168.0.235.
Ping 192.168.0.45 on host
Use tcpdump to listen on the home host
Home # tcpdump-I tun0
Echo Request and echo reply
If not, go to home # Ping 10.1.0.1 to check whether the two VPN gateways are connected.
Howto on http://openvpn.sourceforge.net, FAQ, examples can refer

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
best vpn to use openvpn linux how to learn net quickly vpn service openvpn free vpn service openvpn how to learn php quickly how to use betternet vpn
Related Article
Linux error--->export ' = ' not a valid identifier for gen...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More