Using OpenVPN on Linux to quickly set up an enterprise VPN
For an introduction to OpenVPN see http://openvpn.sourceforge.net/; it is not repeated here.
OpenVPN can work in two modes:
one is IP routing mode, which is mainly used for point-to-point links;
the other is the Ethernet tunnel bridge mode, which suits both point-to-point and multi-point networks with several branches.
The configuration described in this article uses the first mode.
Topology:
LAN 1: the office host runs Red Hat 9.0 with two NICs:
eth1 connected to the Internet, 61.131.58.x
eth0 connected to the intranet, 192.168.1.56
VPN address 10.1.0.1
Host A: 192.168.1.222
LAN 2: the home host runs Red Hat 9.0 with two NICs:
eth0 connected to the public network, 218.85.158.244
eth1 connected to the intranet, 192.168.0.235
VPN address 10.1.0.2
Host B: 192.168.0.45
Environment: Red Hat 9.0 + lzo + OpenSSL + OpenVPN
OpenSSL provides the encryption and lzo provides the data compression.
http://prdownloads.sourceforge.net/openvpn/openvpn-2.0_beta7.tar.gz
http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz
First check whether OpenSSL is installed:
rpm -qa | grep openssl
If nothing is listed, install OpenSSL first; how to install OpenSSL is not covered here.
I downloaded openvpn-2.0_beta7.tar.gz and lzo-1.08.tar.gz to /home.
# cd /home
# tar zxvf lzo-1.08.tar.gz
# cd lzo-1.08
# ./configure
# make
# make install
# tar zxvf openvpn-2.0_beta7.tar.gz
# cd openvpn-2.0_beta7
# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
# make
# make install
# mkdir /etc/openvpn
# cd /etc/openvpn
# openvpn --genkey --secret static.key
Copy static.key from the office host to the /etc/openvpn directory of the home host:
office# scp static.key root@218.85.158.244:/etc/openvpn
office# cd /home/openvpn-2.0_beta7/sample-config-files
office# cp static-office.conf /etc/openvpn
office# cp firewall.sh /etc/openvpn
office# cp openvpn-startup.sh /etc/openvpn
office# cp office.up /etc/openvpn
Then edit static-office.conf, firewall.sh, openvpn-startup.sh and office.up.
Let's first look at the configuration files of the office host.
static-office.conf is configured as follows:
dev tun0
remote 218.85.158.244 # public IP address of the peer
ifconfig 10.1.0.1 10.1.0.2 # VPN IP addresses of this end and of the peer
secret /etc/openvpn/static.key # shared static key
port 5000
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
The firewall.sh script for the office host is as follows:
#!/bin/bash
PRIVATE=192.168.1.0/24
LOOP=127.0.0.1
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth1 -s $LOOP -j DROP
iptables -A FORWARD -i eth1 -s $LOOP -j DROP
iptables -A INPUT -i eth1 -d $LOOP -j DROP
iptables -A FORWARD -i eth1 -d $LOOP -j DROP
iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP
iptables -A FORWARD -s ! $PRIVATE -i eth0 -j DROP
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p udp --dport 5000 -j ACCEPT # openvpn uses UDP port 5000 by default
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT # these two statements are very important
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE
The office.up script is as follows:
#!/bin/bash
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.0.2 # 10.1.0.2 is the peer's VPN IP address
The openvpn-startup.sh script is as follows:
#!/bin/bash
DIR=/etc/openvpn
$DIR/firewall.sh
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
openvpn --config /etc/openvpn/static-office.conf
The home host's four configuration files:
static-home.conf is as follows:
dev tun0
remote 61.131.58.194
ifconfig 10.1.0.2 10.1.0.1
secret /etc/openvpn/static.key
port 5000
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
firewall.sh is as follows:
#!/bin/bash
PRIVATE=192.168.0.0/24
LOOP=127.0.0.1
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p udp --dport 5000 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
The home.up script is as follows:
#!/bin/bash
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1
The openvpn-startup.sh script is as follows:
#!/bin/bash
DIR=/etc/openvpn
$DIR/firewall.sh
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
openvpn --config /etc/openvpn/static-home.conf
Note that you must add the following line to /etc/modules.conf on both the office and home hosts:
alias char-major-10-200 tun
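Before starting the tunnel it is worth checking that the two configs really mirror each other and that the shared static.key (the only thing authenticating the peer) is root-only. The following pre-flight script is an added example, not part of the original article or of OpenVPN; it assumes the directive names used in the configs above and takes file paths as arguments.

```shell
#!/bin/sh
# Added pre-flight check for the static-key point-to-point setup (example code,
# not from the original article or the OpenVPN project). Assumes the directive
# names used in the configs above; file paths are passed as arguments.

conf_line() {          # conf_line FILE DIRECTIVE -> that directive's line, comment stripped
    awk -v d="$2" '$1 == d { sub(/#.*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

check_static_key() {   # check_static_key KEYFILE -> 0 if format and permissions are sane
    key="$1"; rc=0
    if [ "$(head -n 1 "$key")" != "-----BEGIN OpenVPN Static key V1-----" ]; then
        echo "$key: not an OpenVPN static key V1 file"; rc=1
    fi
    # openvpn --genkey writes 256 random bytes as 16 lines of 32 hex digits
    hexlines=$(grep -c '^[0-9a-fA-F]\{32\}$' "$key" || :)
    if [ "$hexlines" -ne 16 ]; then
        echo "$key: expected 16 hex lines, found $hexlines"; rc=1
    fi
    # the key alone authenticates the peer: group/other permission bits must be clear
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "$key: readable by group/other, run chmod 600"; rc=1
    fi
    return $rc
}

check_pair() {         # check_pair OFFICE_CONF HOME_CONF -> 0 if the two sides mirror each other
    a="$1"; b="$2"; rc=0
    set -- $(conf_line "$a" ifconfig); a_loc="$2"; a_rem="$3"
    set -- $(conf_line "$b" ifconfig); b_loc="$2"; b_rem="$3"
    # each side's local tunnel address must be the other side's peer address
    if [ "$a_loc" != "$b_rem" ] || [ "$a_rem" != "$b_loc" ]; then
        echo "ifconfig mismatch: $a_loc/$a_rem vs $b_loc/$b_rem"; rc=1
    fi
    # dev, port and comp-lzo must agree on both ends or the tunnel will not come up
    for d in dev port comp-lzo; do
        if [ "$(conf_line "$a" "$d")" != "$(conf_line "$b" "$d")" ]; then
            echo "$d differs: '$(conf_line "$a" "$d")' vs '$(conf_line "$b" "$d")'"; rc=1
        fi
    done
    return $rc
}
```

Source the file on the office host once the home config has been copied next to it, then run check_static_key /etc/openvpn/static.key and check_pair on the two .conf files; a non-zero exit with the printed reason means the tunnel should not be started yet.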
On the office host:
office# cd /etc/openvpn
office# ./openvpn-startup.sh
office# ./office.up
On the home host:
home# cd /etc/openvpn
home# ./openvpn-startup.sh
home# ./home.up
Set the default gateway of host A to 192.168.1.56.
Set the default gateway of host B to 192.168.0.235.
Ping 192.168.0.45 from host A.
Use tcpdump to listen on the home host:
home# tcpdump -i tun0
You should see the echo request and echo reply.
If not, run home# ping 10.1.0.1 to check whether the two VPN gateways can reach each other.
The HOWTO, FAQ and examples at http://openvpn.sourceforge.net can be consulted for more.