Use openvpn + linux to quickly establish an enterprise VPN

Source: Internet
Author: User
Tags: install, openssl
For an introduction to OpenVPN see http://openvpn.sourceforge.net/; it is not repeated here.
OpenVPN can work in two modes:
One is IP routing mode, which is mainly used for point-to-point links.
The other is Ethernet-based tunnel bridging mode, which suits point-to-point links as well as multi-point networks with several branches.
The configuration described in this article uses the first mode.
Topology:
LAN 1 (office): a Red Hat 9.0 host with two NICs
  eth1 connected to the Internet, 61.131.58.x
  eth0 connected to the intranet, 192.168.1.56
  VPN address 10.1.0.1
  Host A: 192.168.1.222
LAN 2 (home): a Red Hat 9.0 host with two NICs
  eth0 connected to the public network, 218.85.158.244
  eth1 connected to the intranet, 192.168.0.235
  VPN address 10.1.0.2
  Host B: 192.168.0.45

Environment: Red Hat 9.0 + LZO + OpenSSL + OpenVPN.
OpenSSL provides the encryption; LZO provides data compression.
http://prdownloads.sourceforge.net/openvpn/openvpn-2.0_beta7.tar.gz
http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz

First check whether OpenSSL is installed:
# rpm -qa | grep openssl
If it is not, install OpenSSL first; installing OpenSSL is not covered here.
Download openvpn-2.0_beta7.tar.gz and lzo-1.08.tar.gz to /home, then build and install LZO followed by OpenVPN:
# cd /home
# tar zxvf lzo-1.08.tar.gz
# cd lzo-1.08
# ./configure
# make
# make install
# tar zxvf openvpn-2.0_beta7.tar.gz
# cd openvpn-2.0_beta7
# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
# make
# make install
# mkdir /etc/openvpn
# cd /etc/openvpn
# openvpn --genkey --secret static.key
Copy static.key from the office host to the /etc/openvpn directory of the home host, then copy the sample configuration files into place:
office# scp static.key root@218.85.158.244:/etc/openvpn
office# cd /home/openvpn-2.0_beta7/sample-config-files
office# cp static-office.conf /etc/openvpn
office# cp firewall.sh /etc/openvpn
office# cp openvpn-startup.sh /etc/openvpn
office# cp office.up /etc/openvpn
Now modify static-office.conf, firewall.sh, openvpn-startup.sh and office.up.
Let's first look at the configuration files of the office host.
static-office.conf is configured as follows:
dev tun0
remote 218.85.158.244            # public IP address of the peer
ifconfig 10.1.0.1 10.1.0.2       # VPN addresses of this end and of the peer
secret /etc/openvpn/static.key   # shared static key
port 5000
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3

The firewall.sh script for the office host is as follows (eth1 faces the Internet, eth0 faces the LAN):
#!/bin/bash
PRIVATE=192.168.1.0/24
LOOP=127.0.0.1

# Block everything while the old rules are flushed
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Packets on the Internet side must not carry loopback addresses
iptables -A INPUT -i eth1 -s $LOOP -j DROP
iptables -A FORWARD -i eth1 -s $LOOP -j DROP
iptables -A INPUT -i eth1 -d $LOOP -j DROP
iptables -A FORWARD -i eth1 -d $LOOP -j DROP

# Keep NetBIOS (ports 137-139) from leaving towards the Internet
iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP

# Only the LAN subnet may be forwarded from the LAN interface (anti-spoofing)
iptables -A FORWARD -s ! $PRIVATE -i eth0 -j DROP

# Local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Incoming pings
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Local services
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -p udp --dport 5000 -j ACCEPT   # openvpn uses UDP port 5000 by default

# Traffic arriving on the tunnel interfaces
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT   # these two statements are very important
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Traffic from the LAN
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

# Stateful rules for connections going out to the Internet
iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade the LAN behind the public address
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE

The office.up script is configured as follows:
#!/bin/bash
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.0.2   # 10.1.0.2 is the peer's VPN address
The openvpn-startup.sh script is configured as follows:
#!/bin/bash
DIR=/etc/openvpn
$DIR/firewall.sh
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
openvpn --config /etc/openvpn/static-office.conf

The home host's four configuration files are as follows.
static-home.conf:
dev tun0
remote 61.131.58.194
ifconfig 10.1.0.2 10.1.0.1
secret /etc/openvpn/static.key
port 5000
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
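The two endpoint configurations above only work if they mirror each other (each end's local VPN address is the other end's remote address, same UDP port, comp-lzo on both or neither) and if the copied static.key is identical and readable only by root. The following script is an added example, not part of the original article or of OpenVPN's own sample files; it performs those checks before the tunnels are started. It assumes the configs use the "ifconfig LOCAL REMOTE", "port N" and "comp-lzo" directives exactly as static-office.conf and static-home.conf do, and every file it writes is constructed sample data.

```shell
#!/bin/bash
# Added example, not part of the original article: pre-flight checks for a
# static-key point-to-point OpenVPN pair. Assumes the endpoint configs use the
# "ifconfig LOCAL REMOTE", "port N" and "comp-lzo" directives as in the
# article's static-office.conf and static-home.conf. All file contents created
# below are constructed sample data.

# Print field N of a directive from an OpenVPN config file (2 = first
# argument, 3 = second, 1 = the directive itself), ignoring '#' comments.
# Prints nothing when the directive is absent.
conf_field() {            # conf_field FILE DIRECTIVE N
    sed 's/#.*//' "$1" | awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }'
}

# Check that two endpoint configs mirror each other. Returns 0 when they do,
# 1 otherwise, naming every mismatch on stderr.
check_peer_configs() {    # check_peer_configs CONF_A CONF_B
    a_local=$(conf_field "$1" ifconfig 2); a_remote=$(conf_field "$1" ifconfig 3)
    b_local=$(conf_field "$2" ifconfig 2); b_remote=$(conf_field "$2" ifconfig 3)
    a_port=$(conf_field "$1" port 2);      b_port=$(conf_field "$2" port 2)
    a_lzo=$(conf_field "$1" comp-lzo 1);   b_lzo=$(conf_field "$2" comp-lzo 1)
    rc=0
    # This end's local VPN address must be the other end's remote address.
    if [ -z "$a_local" ] || [ "$a_local" != "$b_remote" ] || [ "$a_remote" != "$b_local" ]; then
        echo "ifconfig mismatch: '$a_local $a_remote' vs '$b_local $b_remote'" >&2
        rc=1
    fi
    # Both ends must use the same UDP port; firewall.sh opens exactly that one.
    if [ -z "$a_port" ] || [ "$a_port" != "$b_port" ]; then
        echo "port mismatch: '$a_port' vs '$b_port'" >&2
        rc=1
    fi
    # comp-lzo has to be enabled on both ends or on neither.
    if [ "$a_lzo" != "$b_lzo" ]; then
        echo "comp-lzo is set on only one end" >&2
        rc=1
    fi
    return $rc
}

# Check the shared static key: it must exist, carry the OpenVPN static-key
# header, and be readable by its owner only. Whoever holds this file can join
# or decrypt the tunnel, so mode 600 is the minimum. Returns 0 on success.
check_static_key() {      # check_static_key KEYFILE
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    grep -q '^-----BEGIN OpenVPN Static key V1-----' "$1" \
        || { echo "$1: not an OpenVPN static key" >&2; return 1; }
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "$1: readable by group/other, run chmod 600" >&2
        return 1
    fi
    return 0
}

# Checksum of the key so both hosts can confirm they hold the same file
# without transferring it again (cksum is POSIX).
key_fingerprint() {       # key_fingerprint KEYFILE
    cksum < "$1" | awk '{ print $1 }'
}

# Demo on constructed copies of the article's two configs and a stand-in key.
demo=$(mktemp -d)
cat > "$demo/static-office.conf" <<EOF
dev tun0
remote 218.85.158.244
ifconfig 10.1.0.1 10.1.0.2   # this end, then the peer
secret $demo/static.key
port 5000
comp-lzo
EOF
cat > "$demo/static-home.conf" <<EOF
dev tun0
remote 61.131.58.194
ifconfig 10.1.0.2 10.1.0.1
secret $demo/static.key
port 5000
comp-lzo
EOF
# Constructed stand-in; a real key comes from "openvpn --genkey --secret".
printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'deadbeef' \
    '-----END OpenVPN Static key V1-----' > "$demo/static.key"
chmod 600 "$demo/static.key"
check_peer_configs "$demo/static-office.conf" "$demo/static-home.conf" && echo "configs mirror each other"
check_static_key "$demo/static.key" && echo "key OK, fingerprint $(key_fingerprint "$demo/static.key")"
rm -rf "$demo"
```

Run it on each host against the real files (check_peer_configs needs a copy of the peer's config, which is harmless to share; the key itself never needs to leave the hosts again, since comparing the key_fingerprint output on both sides is enough to confirm the scp copy is intact).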

firewall.sh is as follows (eth0 faces the Internet, eth1 faces the LAN):
#!/bin/bash
PRIVATE=192.168.0.0/24
LOOP=127.0.0.1

# Block everything while the old rules are flushed
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

# Default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Packets on the Internet side must not carry loopback addresses
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

# Keep NetBIOS (ports 137-139) from leaving towards the Internet
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Only the LAN subnet may be forwarded from the LAN interface (anti-spoofing)
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

# Local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Incoming pings
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Local services
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# OpenVPN's UDP port
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

# Traffic arriving on the tunnel interfaces
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Traffic from the LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Stateful rules for connections going out to the Internet
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade the LAN behind the public address
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE

The home.up script is as follows:
#!/bin/bash
route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1
The openvpn-startup.sh script is as follows:
#!/bin/bash
DIR=/etc/openvpn
$DIR/firewall.sh
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
openvpn --config /etc/openvpn/static-home.conf
Note that you must add the following line to /etc/modules.conf on both the office and the home host:
alias char-major-10-200 tun
On the office host:
office# cd /etc/openvpn
office# ./openvpn-startup.sh
office# ./office.up
On the home host:
home# cd /etc/openvpn
home# ./openvpn-startup.sh
home# ./home.up
Set the default gateway of host A to 192.168.1.56.
Set the default gateway of host B to 192.168.0.235.
Ping 192.168.0.45 from host A and use tcpdump on the home host to watch the tunnel interface:
home# tcpdump -i tun0
You should see the ICMP echo requests and echo replies passing through the tunnel.
If not, run ping 10.1.0.1 on the home host (home# ping 10.1.0.1) to check whether the two VPN gateways can reach each other first.
The HOWTO, FAQ and examples at http://openvpn.sourceforge.net cover further details.
