Deploying an OpenVPN server on CentOS 6.4

Source: Internet
Author: User
Tags: openssl library

OpenVPN is a software package for building encrypted VPN tunnels. It implements a layer-2 (TAP) or layer-3 (TUN) tunnel-based VPN and was first written by James Yonan. OpenVPN can authenticate peers with a pre-shared static key, with X.509 certificates, or with a user name/password. Its control channel runs over the SSLv3/TLSv1 implementation in the OpenSSL library.

OpenVPN currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Windows 2000/XP/Vista/7 and Android, and provides a range of security features. It is not a web-based VPN, and it is not compatible with IPsec or with other VPN packages.

I. Protocol principles

The core technology of OpenVPN is the virtual NIC; the second is its SSL/TLS implementation. This section introduces the virtual NIC and how OpenVPN uses it.

A virtual NIC is a driver implemented with low-level network programming. Once installed, a new network interface appears on the host and can be configured like any other NIC. A service program can open the virtual NIC from user space: when an application (a browser, for example) sends data to the virtual NIC, the service program can read it, and when the service program writes suitably formed data to the virtual NIC, the application receives it. Virtual NICs exist on many operating systems, which is an important reason OpenVPN is cross-platform.

In OpenVPN, when a user sends traffic to a remote virtual address (one from the address range assigned to the virtual NIC, distinct from the real addresses), the operating system's routing table steers the IP packet (in TUN mode) or Ethernet frame (in TAP mode) to the virtual NIC. The local OpenVPN process reads it, encrypts and encapsulates it, and sends it over the Internet through a socket. The remote OpenVPN process receives it from its socket, decrypts and decapsulates it, and writes it to its own virtual NIC, where the application on that side receives it. That completes transmission in one direction; the reverse direction works the same way.
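The difference between what a TUN and a TAP device hand to the service program is easiest to see on the wire. The script below is an added example, not code from the original article or from OpenVPN: it opens a Linux TUN/TAP device the way OpenVPN's driver layer does (ioctl constants from <linux/if_tun.h>; root is required for that part) and decodes a constructed packet, a ping from a VPN client at 10.1.10.6 to a host on the 10.100.0.0/16 intranet used later in this article. The interface name and the sample packet are assumptions for illustration.

```python
"""Added example (not from the original article): what an OpenVPN-style
service program reads from a Linux TUN (layer 3) versus TAP (layer 2) device.
The device name and the sample packets below are constructed for illustration."""
import fcntl
import os
import struct

TUNSETIFF = 0x400454CA   # ioctl: attach this fd to a TUN/TAP interface (<linux/if_tun.h>)
IFF_TUN = 0x0001         # layer 3: the fd carries raw IP packets
IFF_TAP = 0x0002         # layer 2: the fd carries whole Ethernet frames
IFF_NO_PI = 0x1000       # no 4-byte "packet information" prefix on reads/writes


def open_virtual_nic(name="tun0", tap=False):
    """Create or attach to the virtual NIC (needs root / CAP_NET_ADMIN). Afterwards
    the interface shows up in `ip link`, can be given an address and routes like any
    NIC, and the kernel delivers traffic routed to it on this file descriptor."""
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), flags))
    return fd


def ip_checksum(data):
    """RFC 1071 one's-complement sum; evaluates to 0 over a header that already
    carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Decode what a TUN read returns: an IPv4 packet with no link-layer header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "proto": packet[9],
        "ttl": packet[8],
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def parse_tap_frame(frame):
    """Decode what a TAP read returns: a 14-byte Ethernet header first, and only
    then (for EtherType 0x0800) the IPv4 packet."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    mac = lambda raw: ":".join("%02x" % b for b in raw)
    result = {"dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]), "ethertype": ethertype}
    if ethertype == 0x0800:
        result["ip"] = parse_ipv4(frame[14:])
    return result


def build_sample_packet(src="10.1.10.6", dst="10.100.0.1"):
    """Constructed ICMP echo request from a VPN client to an intranet host."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)   # type 8, ICMP checksum left at 0
    addr = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in header checksum
    return hdr + icmp


SAMPLE_TUN_PACKET = build_sample_packet()
# The same packet as a TAP device delivers it: constructed Ethernet header in front.
SAMPLE_TAP_FRAME = bytes.fromhex("0a0000000001" "0a0000000002" "0800") + SAMPLE_TUN_PACKET


if __name__ == "__main__":
    print("TUN read decodes to:", parse_ipv4(SAMPLE_TUN_PACKET))
    print("TAP read decodes to:", parse_tap_frame(SAMPLE_TAP_FRAME))
    if os.geteuid() == 0:   # real device: read one packet the kernel routed into tun0
        fd = open_virtual_nic("tun0")
        print(parse_ipv4(os.read(fd, 65535)))
```

Run as an unprivileged user it only decodes the constructed packet; as root it also creates tun0, after which `ip addr add 10.1.10.1/24 dev tun0 && ip link set tun0 up` makes the kernel route 10.1.10.0/24 traffic into the descriptor, which is exactly what OpenVPN does before encrypting what it reads there.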

II. Test Environment

Environment: CentOS release 6.4 (Final) i386
Protocol: OpenVPN
Port: 1194/TCP on the server (OpenVPN's default is 1194/UDP; both port and protocol are configurable)
Encryption: data and control traffic are encrypted with the OpenSSL library; any cipher supported by OpenSSL can be used.
Authentication: several methods are supported, including pre-shared static keys, certificates issued by a CA, and user name/password combinations.
Service: openvpn

Software Package:

1. openvpn-2.3.2.tar.gz

The main OpenVPN program. Both the server and the client compile and install this same package; they differ only in their configuration files and in the certificates they hold.

2. easy-rsa-2.2.2.tar.gz

A small RSA key-management package built on the openssl command-line tool; it can also be found in the easy-rsa subdirectory of older OpenVPN distributions. It is used to generate and manage the certificates.

3. pam (ships with CentOS 6.x/RHEL 6.x; no separate installation is required, and it can be updated with yum)

PAM (Pluggable Authentication Modules) is an authentication framework originally proposed by Sun. It provides dynamically loaded modules behind a uniform API, separating the services a system offers from the way those services authenticate users, so an administrator can assign different authentication methods to different services without changing the service programs. PAM first shipped in Solaris and has since been ported to Linux, SunOS, HP-UX 9.0 and other systems.

4. lzo (can be installed with yum)

The OpenVPN build requires the LZO library for real-time link compression (the comp-lzo option).

5. openssl (ships with the system; update it with yum)

SSL (Secure Sockets Layer) is a secure transport protocol for protecting data and validating identities on the Internet. OpenSSL is an open-source package that implements SSL/TLS and the related cryptography; it grew out of SSLeay, originally written by Eric Young and Tim Hudson.

Software Download:

http://swupdate.openvpn.org/community/releases/openvpn-2.3.2.tar.gz

https://codeload.github.com/OpenVPN/easy-rsa/tar.gz/2.2.2

http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.2-I003-i686.exe (Windows client installer)

III. Compilation and Installation

Note: the server and client are built the same way; they differ in their configuration file (server.conf versus client.conf) and in the certificate files they receive.

3.1. Install the dependency packages

# yum -y install pam-devel

# yum -y install openssl-devel

# yum -y install lzo-devel

3.2. Compile openvpn

# tar xf openvpn-2.3.2.tar.gz

# cd openvpn-2.3.2

# ./configure --prefix=/usr/local/openvpn

# make && make install

# echo $? # 0 means the build and installation succeeded

Directory planning (customizable)

# mkdir /usr/local/openvpn/conf # configuration files, such as server.conf

# mkdir /usr/local/openvpn/keys # certificate files

IV. Certificate Generation

4.1. Environment Configuration

# tar xf easy-rsa-2.2.2.tar.gz

# cd easy-rsa-2.2.2

# cp -R easy-rsa /usr/local/openvpn/

# cd /usr/local/openvpn/easy-rsa/2.0

# vi vars # set the certificate variables

export KEY_COUNTRY="CN" # country

export KEY_PROVINCE="HeNan" # province

export KEY_CITY="ZhengZhou" # city

export KEY_ORG="itnul.com" # organization

export KEY_EMAIL="contact@itnul.com" # e-mail address

export KEY_OU="itnul.com" # organizational unit

Note: the other settings in vars can be left unchanged.

# source ./vars # load the variables into the shell

# ./clean-all # initialize the keys directory and create the required files (this deletes everything under keys/; run it only when setting up a new CA)

# ln -s openssl-1.0.0.cnf openssl.cnf # symlink the OpenSSL configuration file easy-rsa expects

That completes the initialization. When you issue further certificates later, you only need to enter the easy-rsa directory and run `source ./vars` again; clean-all and the symlink step must not be repeated.

4.2 certificate generation

# ./build-ca # generate the root CA certificate used to sign the server and client certificates (ca.key, ca.crt)

# ./build-dh # generate the Diffie-Hellman parameter file (dh2048.pem); this takes a few minutes

# ./build-key-server server # generate the server certificate and key (server.key, server.crt, server.csr, 01.pem)

# ./build-key client # generate the client certificate and key (client.key, client.crt, client.csr, 02.pem)

Both build-key commands end by asking "Sign the certificate? [y/n]" and "1 out of 1 certificate requests certified, commit? [y/n]"; answer y to both. build-key-server adds the server extensions (nsCertType=server, extendedKeyUsage=serverAuth) that let a client verify it is talking to a server certificate rather than another client's.

Note: when generating the server and client certificates you are also prompted for two extra attributes. Both are optional and can be left empty:

Please enter the following 'extra' attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

4.3. Copy the certificates to their final location

# cd /usr/local/openvpn/easy-rsa/2.0/keys

# cp -f dh2048.pem ca.crt server.crt server.key /usr/local/openvpn/keys # (server side)

# cp -f ca.crt client.crt client.key /usr/local/openvpn/keys # (client side; copy these to the client host over a trusted channel)

Keep the private keys readable only by root (chmod 600 /usr/local/openvpn/keys/*.key). ca.key is not copied anywhere: it stays on the machine that signs certificates, and nothing in OpenVPN needs it at run time.
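To see what the easy-rsa scripts above actually do, and why the server certificate differs from a client certificate, here is an added example that reproduces the same hierarchy with plain openssl commands. It is not code from the original article or from easy-rsa; the subject names, key sizes, validity periods and the temporary directory are assumptions. It shells out to the openssl binary, so it needs OpenSSL installed.

```python
"""Added example, not from the original article or from easy-rsa: the certificate
hierarchy that build-ca / build-key-server / build-key produce, rebuilt with plain
openssl commands so the role-specific extensions are visible. Subject names, key
sizes and validity periods are assumptions."""
import os
import shutil
import subprocess
import tempfile

# easy-rsa 2.x applies these through the [server] and [client] sections of its
# openssl-1.0.0.cnf. The client-side option `remote-cert-tls server` accepts a peer
# only when its certificate carries the serverAuth EKU plus a matching keyUsage,
# so a stolen *client* certificate cannot be used to impersonate the server.
SERVER_EXT = "basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n"
CLIENT_EXT = "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n"


def openssl_available():
    return shutil.which("openssl") is not None


def run(*args):
    """Run one openssl subcommand; a non-zero exit raises CalledProcessError."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def build_pki(keys_dir, ca_cn="itnul-ca"):
    """Write ca.{key,crt}, server.{key,csr,crt} and client.{key,csr,crt} into keys_dir."""
    p = lambda name: os.path.join(keys_dir, name)
    # build-ca: self-signed root. -nodes leaves ca.key unencrypted, as easy-rsa does;
    # ca.key stays on the signing machine and is never copied to a peer.
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "3650",
        "-subj", "/CN=" + ca_cn, "-keyout", p("ca.key"), "-out", p("ca.crt"))
    for name, ext in (("server", SERVER_EXT), ("client", CLIENT_EXT)):
        with open(p(name + ".ext"), "w") as fh:
            fh.write(ext)
        # build-key-server / build-key: a CSR, then a CA signature that adds the extensions
        run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-subj", "/CN=" + name, "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
        run("x509", "-req", "-sha256", "-days", "365", "-in", p(name + ".csr"),
            "-CA", p("ca.crt"), "-CAkey", p("ca.key"), "-CAcreateserial",
            "-extfile", p(name + ".ext"), "-out", p(name + ".crt"))
    # build-dh is `openssl dhparam -out dh2048.pem 2048`; it is slow and omitted here.
    return {n: p(n + ".crt") for n in ("ca", "server", "client")}


def chain_ok(ca_crt, cert):
    """The check each OpenVPN peer performs on the other: does cert chain to ca.crt?"""
    res = subprocess.run(["openssl", "verify", "-CAfile", ca_crt, cert],
                         capture_output=True, text=True)
    return res.returncode == 0 and res.stdout.strip().endswith(": OK")


def is_server_cert(cert):
    """What `remote-cert-tls server` enforces on the client side."""
    return "TLS Web Server Authentication" in run("x509", "-in", cert, "-noout", "-text")


def self_check():
    """Build a throwaway PKI and confirm the properties the article relies on."""
    tmp = tempfile.mkdtemp()
    try:
        certs = build_pki(tmp)
        return (chain_ok(certs["ca"], certs["server"]) and chain_ok(certs["ca"], certs["client"])
                and is_server_cert(certs["server"]) and not is_server_cert(certs["client"]))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("PKI ok:", self_check() if openssl_available() else "openssl not installed")
```

The same two checks are useful against the files easy-rsa produced: `openssl verify -CAfile ca.crt server.crt` must print OK, and `openssl x509 -in server.crt -noout -text` must list "TLS Web Server Authentication"; if it does not, the server was signed with build-key instead of build-key-server and clients using `remote-cert-tls server` will refuse it.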

V. Configuration File

# cd /tmp/openvpn-2.3.2/sample-config-files

# cp server.conf /usr/local/openvpn/conf/server.conf # (server)

# cp client.conf /usr/local/openvpn/conf/client.conf # (client)

5.1. server.conf (for reference only)

# vi /usr/local/openvpn/conf/server.conf

local 192.168.1.180
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key
dh /usr/local/openvpn/keys/dh2048.pem
server 10.1.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.100.0.0 255.255.0.0" # local intranet, pushed to clients
route 10.200.0.0 255.255.0.0 # remote intranet behind a client
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
comp-lzo
log-append /var/log/openvpn.log
verb 4

5.2. client.conf (for reference only)

# vi /usr/local/openvpn/conf/client.conf

client
dev tun
proto tcp
remote 192.168.1.180 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/client.crt
key /usr/local/openvpn/keys/client.key
comp-lzo
verb 4

Note: OpenVPN option names are lower-case and case-sensitive, and the quotes around push arguments must be plain ASCII double quotes. These two files are the minimum needed to connect; for production use, also add `remote-cert-tls server` on the client (so a stolen client certificate cannot impersonate the server), a `tls-auth` key on both sides, an explicit `cipher`, and `user nobody` / `group nobody` on the server so the daemon drops root after initialization.

5.3. Detailed analysis of the configuration files

OpenVPN: server.conf and client.conf configuration

http://blog.itnul.com/archives/218.html
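Mismatches between server.conf and client.conf (proto, port, comp-lzo, cipher) are the usual reason a first connection fails, and the options the reference configs leave out are the usual reason a working one is weaker than it should be. The linter below is an added example, not code from the original article or from OpenVPN: it parses both files the way OpenVPN reads them and lists what a reviewer would flag. The embedded configs are the article's originals trimmed to the relevant lines, plus a hardened variant; the ta.key path is an assumption.

```python
"""Added example, not from the original article: a linter for OpenVPN 2.3
server.conf / client.conf pairs. The configs below are the article's originals,
trimmed, plus a hardened variant; the ta.key path is an assumption."""
import shlex

ORIGINAL_SERVER_CONF = """\
local 192.168.1.180
port 1194
proto tcp
dev tun
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/server.crt
key /usr/local/openvpn/keys/server.key
dh /usr/local/openvpn/keys/dh2048.pem
server 10.1.10.0 255.255.255.0
push "route 10.100.0.0 255.255.0.0"   # local intranet
client-to-client
comp-lzo
verb 4
"""
ORIGINAL_CLIENT_CONF = """\
client
dev tun
proto tcp
remote 192.168.1.180 1194
nobind
ca /usr/local/openvpn/keys/ca.crt
cert /usr/local/openvpn/keys/client.crt
key /usr/local/openvpn/keys/client.key
comp-lzo
verb 4
"""
# Hardened variants: the originals plus the options the article's configs omit.
# ta.key is generated once with `openvpn --genkey --secret ta.key` and shared.
HARDENED_SERVER_CONF = ORIGINAL_SERVER_CONF + """\
tls-auth /usr/local/openvpn/keys/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
"""
HARDENED_CLIENT_CONF = ORIGINAL_CLIENT_CONF + """\
tls-auth /usr/local/openvpn/keys/ta.key 1
cipher AES-256-CBC
remote-cert-tls server
"""


def parse_conf(text):
    """Return {option: [argument lists]}; lines starting with # or ; are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)   # keeps push "route ..." as one argument
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def first(opts, name, default=None):
    return opts[name][0] if name in opts else default


def audit(server_text, client_text):
    """Findings are 'ID: message' strings; IDs starting with INFO are advisory only."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    out = []
    # 1. transport parameters must agree or the handshake never starts
    s_proto, c_proto = first(s, "proto", ["udp"])[0][:3], first(c, "proto", ["udp"])[0][:3]
    if s_proto != c_proto:
        out.append("PROTO-MISMATCH: server proto %s, client proto %s" % (s_proto, c_proto))
    remote = first(c, "remote", [])
    c_port = remote[1] if len(remote) > 1 else first(c, "port", ["1194"])[0]
    s_port = first(s, "port", ["1194"])[0]
    if s_port != c_port:
        out.append("PORT-MISMATCH: server listens on %s, client dials %s" % (s_port, c_port))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        out.append("COMP-LZO-MISMATCH: comp-lzo must be set on both sides or on neither")
    # 2. data-channel cipher: OpenVPN 2.3 defaults to BF-CBC (64-bit block size)
    s_cipher, c_cipher = first(s, "cipher"), first(c, "cipher")
    if not s_cipher or not c_cipher:
        out.append("DEFAULT-CIPHER: no explicit cipher; OpenVPN 2.3 falls back to BF-CBC")
    elif s_cipher != c_cipher:
        out.append("CIPHER-MISMATCH: server %s, client %s" % (s_cipher[0], c_cipher[0]))
    # 3. control-channel hardening
    if "tls-auth" not in s or "tls-auth" not in c:
        out.append("NO-TLS-AUTH: no HMAC on the control channel; unauthenticated packets reach the TLS stack")
    if "remote-cert-tls" not in c and "ns-cert-type" not in c:
        out.append("NO-REMOTE-CERT-TLS: client accepts any certificate from the CA as the server, "
                   "so any client-certificate holder can impersonate it")
    # 4. privilege separation on the server
    if "user" not in s or "group" not in s:
        out.append("RUNS-AS-ROOT: add 'user nobody' and 'group nobody' so the daemon drops root")
    elif "persist-key" not in s or "persist-tun" not in s:
        out.append("NO-PERSIST: with user/group set, persist-key and persist-tun are needed to survive SIGUSR1 restarts")
    if "client-to-client" in s:
        out.append("INFO-CLIENT-TO-CLIENT: VPN clients can reach each other directly through the server")
    return out


if __name__ == "__main__":
    for label, pair in (("original", (ORIGINAL_SERVER_CONF, ORIGINAL_CLIENT_CONF)),
                        ("hardened", (HARDENED_SERVER_CONF, HARDENED_CLIENT_CONF))):
        print(label, "->", audit(*pair) or ["clean"])
```

Against the article's own configs the linter reports the missing cipher, tls-auth, remote-cert-tls and user/group options; the hardened pair produces only the client-to-client notice, which is a deliberate design choice here rather than an error. To lint real files, pass `open(path).read()` for each side.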

VI. Connection Test

6.1. Enable IP forwarding

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

# sysctl -p

6.2. Time synchronization

# ntpdate pool.ntp.org # the server and client clocks must agree, otherwise certificate validity checks can fail

6.3. Open the port

# iptables -I INPUT -p tcp --dport 1194 -j ACCEPT # open port 1194/TCP on the server; run `service iptables save` to keep the rule across reboots

6.4. Start openvpn

Start openvpn in the background:

/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/conf/server.conf > /var/log/openvpn.log 2>&1 & # server

/usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/conf/client.conf > /var/log/openvpn.log 2>&1 & # client

Because the configuration already sets log-append, the cleaner way to start it is `openvpn --daemon --config /usr/local/openvpn/conf/server.conf`. After startup, `ip addr show tun0` should show the tunnel interface (10.1.10.1 on the server), and the log should show "Initialization Sequence Completed" on both sides.

VII. Reference Links

Configuration documents:

http://zh.wikipedia.org/wiki/OpenVPN
http://openvpn.ustc.edu.cn/
http://openvpn.se/
https://github.com/OpenVPN/easy-rsa/releases
http://openvpn.net/index.php/download/community-downloads.html
http://openvpn.net/index.php/access-server/overview.html
http://www.cnblogs.com/agostop/archive/2012/11/14/2770121.html
http://hi.baidu.com/reyleon/item/c48e981857d51612e3f9866d
