Key points and precautions for building openvpn for general enterprises in the centos Environment

Source: Internet
Author: User


A brief description of the enterprise environment: the ISP line terminates on a Chinese-made Hillstone firewall whose public IP address is 58.x. The firewall connects directly to a Huawei layer-3 (core) switch. The firewall's intranet interface address is 192.168.199.254 and the management IP address of the layer-3 switch is 192.168.199.1; both are in the same VLAN, and the management addresses of the other layer-2 switches are 192.168.199.2-20.

The server segment is vlan201. The OpenVPN server runs CentOS 5.8 and its local IP address is 192.168...166.

Other segments, such as vlan207, serve the finance department.

Installation steps:

1. Install CentOS 5.8 using the minimal installation.

2. Flush the iptables rules, save them, and restart the iptables service so that rules can be added later. (Do not simply stop the iptables service; I come back to this below.)

# iptables -t nat -F
# iptables -F
# service iptables save
# service iptables restart

3. Disable SELinux, then install the NTP time synchronisation service and synchronise the clock. (Be sure to do this; otherwise I take no responsibility for any issues that follow.)

4. Install the OpenVPN server step by step according to the relevant tutorials. You can download the packages with wget directly on the server, or download them elsewhere and upload them to a directory on the server with a tool such as WinSCP, then install from there.

-- Install the build dependencies: openssl-devel, gcc, etc.

-- Install the lzo package

-- Install the OpenVPN package

5. Configure the server

-- Edit the details of the CA to be generated, i.e. the address and other fields in the vars script under the installation directory, then run it

-- Initialise the keys directory, clearing any non-initial files in it

-- Generate the CA certificate

-- Generate the DH parameters (for the key exchange)

-- Generate the server key and certificate

-- Generate the client keys and certificates (one per user)

-- Edit the server configuration file (first copy the sample server configuration from the sample folder into the etc directory)

The main modification items are as follows:

A. The proto option can be set to udp or tcp, but the corresponding settings elsewhere (client, firewall) must match it.

B. In the three lines beginning with ca, cert and key, fill in the full paths of the generated files.

C. The line beginning with dh is handled the same way.

D. The line server 10.8.0.0 255.255.255.0 is the virtual address pool the server assigns to clients once the VPN connection is up.

I set it to 10.11.0.0 255.255.255.0.

E. The rest can generally stay at their defaults; see the tutorial for details of the settings.

F. There are also some optional extensions, such as specifying the DNS server address for clients:

-- push "dhcp-option DNS x.x"

-- client-to-client allows different clients to reach each other.

-- Set the log file location.

-- Push routes to specific subnets to the client.

-- The client-config-dir option can assign a fixed IP address to a particular client or group.

6. Enable IP forwarding on the server

# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p

Check with cat /proc/sys/net/ipv4/ip_forward whether forwarding is enabled; 1 means OK.

7. Start the OpenVPN service.

Start it with: /usr/local/sbin/openvpn --config /etc/server.conf &

During installation and debugging the OpenVPN service has to be restarted often. Use killall openvpn to stop it, then run the startup command above again.

If "Initialization Sequence Completed" is displayed, the start-up was successful.

Verify that port 1194 is listening with: # lsof -i :1194


After the server is installed, install the client:

1. On Windows, double-click the client installation package and accept the defaults.

2. Use WinSCP to copy the ca, server and client .crt and .key files generated on the server into the config folder of the client installation directory. Note that each client must receive its own certificate and key. (A client only needs ca.crt plus its own client certificate and key; the server's private key should never leave the server.)

3. Copy the client.conf configuration file from the server installation directory into the client's config directory and change the extension to .ovpn.

4. Right-click the tray icon in the lower right corner and choose Edit Config to modify the client configuration file.

Generally:

client # this is a client configuration file

dev tun # same as the server

remote 58.x # the public IP address of the OpenVPN server

ca ca.crt

cert client1.crt

key client1.key # these three lines must match the key and certificate generated on the server, i.e. the file names in the config folder

comp-lzo # enable lzo compression

redirect-gateway def1 # once the client has its VPN address, its default gateway is switched to the VPN server. If this option is not set here, the server configuration must push "redirect-gateway def1" instead.

verb 3 # default log level

ns-cert-type server # verify the server certificate type, matching the server side. If the server enables the anti-DDoS key (tls-auth), the client needs it as well
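Most failed dial-ups in this setup come from the two configuration files disagreeing (proto, port, compression, certificate names) or from a server line that names a host address instead of a subnet. The checker below is an added example, not part of the original post or of OpenVPN; it parses a constructed server.conf and client.ovpn pair that follows points A to F and the client settings above (the remote address 58.0.0.1, the DNS address 192.168.201.10 and the file paths are placeholders) and reports every inconsistency it finds.

```python
import ipaddress
import shlex

# Constructed sample pair following the settings in the post; the remote
# address 58.0.0.1, the DNS address and the file paths are placeholders.
SERVER_CONF = """
port 1194
proto tcp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
server 10.11.0.0 255.255.255.0
push "dhcp-option DNS 192.168.201.10"
push "route 192.168.201.0 255.255.255.0"
client-to-client
client-config-dir /etc/openvpn/ccd
log /var/log/openvpn.log
comp-lzo
"""
CLIENT_OVPN = """
client
dev tun
proto tcp
remote 58.0.0.1 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
redirect-gateway def1
ns-cert-type server
verb 3
"""

def parse_openvpn(text):
    """Parse a config into {option: [args, ...]}; options such as push may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)  # keeps the quoted push argument together
        opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts

def first(opts, name, default=None):
    """Arguments of the first occurrence of an option, or the default."""
    return opts[name][0] if name in opts else default

def pushed(opts):
    """Re-parse every push "..." line into its own option/args mapping."""
    result = {}
    for args in opts.get("push", []):
        tokens = shlex.split(" ".join(args))
        result.setdefault(tokens[0], []).append(tokens[1:])
    return result

def valid_network(tokens):
    """True if 'ADDRESS NETMASK' names a network (no host bits set)."""
    try:
        ipaddress.ip_network("/".join(tokens[:2]), strict=True)
        return True
    except ValueError:
        return False

def check_pair(server_text, client_text):
    """Return a list of inconsistencies; an empty list means the pair agrees."""
    server, client = parse_openvpn(server_text), parse_openvpn(client_text)
    problems = []
    # A. proto must be the same on both sides (OpenVPN defaults to udp).
    s_proto, c_proto = first(server, "proto", ["udp"])[0], first(client, "proto", ["udp"])[0]
    if s_proto != c_proto:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    # The port in the client's remote line must be the server's listening port.
    s_port = first(server, "port", ["1194"])[0]
    remote = first(client, "remote")
    if remote is None:
        problems.append("client has no remote line")
    elif (remote[1] if len(remote) > 1 else "1194") != s_port:
        problems.append(f"port mismatch: server {s_port}, client {' '.join(remote)}")
    # B/C. ca, cert, key and dh exactly once on the server; ca, cert, key on the client.
    for name in ("ca", "cert", "key", "dh"):
        if len(server.get(name, [])) != 1:
            problems.append(f"server needs exactly one {name} line")
    for name in ("ca", "cert", "key"):
        if name not in client:
            problems.append(f"client is missing {name}")
    # D. 'server NETWORK NETMASK' must name a network, not a host address.
    srv = first(server, "server", [])
    if len(srv) != 2 or not valid_network(srv):
        problems.append(f"bad server subnet: {' '.join(srv)}")
    # F. Each pushed route must also be a proper network.
    for args in pushed(server).get("route", []):
        if not valid_network(args):
            problems.append(f"bad pushed route: {' '.join(args)}")
    # comp-lzo and dev have to agree on both ends.
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo set on only one side")
    if first(server, "dev") != first(client, "dev"):
        problems.append("dev mismatch")
    # The client must check that the peer presents a server certificate.
    if "ns-cert-type" not in client and "remote-cert-tls" not in client:
        problems.append("client does not verify the server certificate type")
    return problems

if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_OVPN))  # [] for the sample pair
```

The last check accepts either ns-cert-type server (the option used in the post) or remote-cert-tls server; newer OpenVPN releases dropped ns-cert-type in favour of remote-cert-tls, so a client file written for a current client should use the latter.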


Once the server and the client are set up, the overall network configuration needs adjusting.

1. The client reaches the company intranet over the Internet via the address 58.x.

You therefore need to create a mapping on the company firewall from the public address to the intranet OpenVPN server.

Source NAT is used, with port 1194; the protocol must be TCP (or UDP, depending on the server setting).

After the mapping is created, the firewall policy still blocks the traffic by default, so a policy must be enabled that allows Internet addresses arriving on the interface with this public address to reach the intranet server segment.

2. At this point dial-up still fails, because iptables on the server is still running. As a first attempt, stop the iptables service so that packets can be forwarded through the server.

Dial-up then generally succeeds, but the client can only reach the virtual subnet 10.11.0.0 and the server itself at 192.168...166 (which shows that forwarding on the server works). Other hosts, and hosts in other subnets, have no route entry back to the virtual subnet. In particular, all subnets are VLAN-based with their gateways on the layer-3 switch, so a static route is added on the layer-3 switch.

It is in fact a return route: ip route-static 10.11.0.0 255.255.255.0 192.168.201.166. The other subnets should now be reachable as well.

However, the firewall's intranet address 192.168.199.254 still cannot be reached. The firewall acts as the enterprise egress gateway with several interfaces, and its default route points to the Internet; it has no route to the virtual subnet 10.11.0.0, so packets for it follow the default route to the Internet and never arrive (other intranet hosts use the VLAN interface address on the layer-3 switch as their default gateway, so they can reach it). The fix is to add a route entry for 10.11.0.0 255.255.255.0 on the firewall with next hop 192.168.199.1.


Two problems remain with the above: devices such as the firewall, whose default route does not point at the core switch, each need a local route added, and disabling iptables on the VPN host is not safe.

Alternatively, keep the iptables service running but enable NAT in iptables for traffic from the 10.11.0.0 subnet, and add a rule that allows the connection in on port 1194. This is secure, and the firewall needs no local return route.

Set up NAT forwarding:
# iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o eth0 -j MASQUERADE
# iptables -A INPUT -p tcp --dport 1194 -j ACCEPT (TCP here too, for consistency)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Restart iptables:
# service iptables save
# service iptables restart
Note: the INPUT rules take effect immediately after execution; the POSTROUTING rule takes effect only after saving and restarting.
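The routing discussion above (why the finance VLAN needs the static route on the core switch, why the firewall additionally needs its own route, and why MASQUERADE on the VPN server makes both unnecessary) can be checked with a small longest-prefix-match model. The block below is an added example, not part of the original post: it builds constructed routing tables for the post's topology (the addresses 192.168.199.254, 192.168.199.1, 192.168.201.166 and 10.11.0.0/24 come from the post; the VLAN gateway addresses 192.168.201.1 and 192.168.207.1, the finance subnet 192.168.207.0/24 and the "internet" pseudo-hop behind the firewall are assumptions) and traces where a reply to a VPN client ends up in each of the four situations.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s)

# Constructed routing tables for the post's topology. From the post: firewall
# 192.168.199.254, core switch 192.168.199.1, VPN server 192.168.201.166,
# VPN pool 10.11.0.0/24. Assumed: the layer-3 switch's VLAN gateway addresses
# .201.1/.207.1, the finance subnet 192.168.207.0/24, the "internet" pseudo-hop.
TABLES = {
    "firewall": {net("192.168.199.0/24"): "direct",
                 net("192.168.201.0/24"): "192.168.199.1",
                 net("192.168.207.0/24"): "192.168.199.1",
                 net("0.0.0.0/0"): "internet"},
    "l3-switch": {net("192.168.199.0/24"): "direct",
                  net("192.168.201.0/24"): "direct",
                  net("192.168.207.0/24"): "direct",
                  net("0.0.0.0/0"): "192.168.199.254"},
    "vpn-server": {net("192.168.201.0/24"): "direct",
                   net("10.11.0.0/24"): "direct",  # the tun interface
                   net("0.0.0.0/0"): "192.168.201.1"},
    "finance-host": {net("192.168.207.0/24"): "direct",
                     net("0.0.0.0/0"): "192.168.207.1"},
}
# Which device owns each next-hop address.
OWNER = {"192.168.199.254": "firewall", "192.168.199.1": "l3-switch",
         "192.168.201.1": "l3-switch", "192.168.207.1": "l3-switch",
         "192.168.201.166": "vpn-server"}

def lookup(table, dst):
    """Longest-prefix match: the most specific route that contains dst."""
    matches = [n for n in table if dst in n]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def trace(src, dst, tables):
    """Follow a packet from device src towards dst; returns (status, path)."""
    dst, path, host = ipaddress.ip_address(dst), [src], src
    for _ in range(8):
        nh = lookup(tables[host], dst)
        if nh is None:
            return "no route", path
        if nh == "internet":
            return "leaked to internet", path + ["internet"]
        if nh == "direct":
            return "delivered", path
        host = OWNER[nh]
        path.append(host)
    return "loop", path

def with_route(tables, device, prefix, next_hop):
    """Copy of tables with one static route added on device."""
    new = {d: dict(t) for d, t in tables.items()}
    new[device][net(prefix)] = next_hop
    return new

def reply_status(tables, dst):
    """Where a reply from each intranet device to dst ends up."""
    return {d: trace(d, dst, tables)[0] for d in ("finance-host", "l3-switch", "firewall")}

if __name__ == "__main__":
    # 1. iptables off, no static routes: nobody can reach 10.11.0.0/24
    print(reply_status(TABLES, "10.11.0.6"))
    # 2. return route on the core switch fixes every VLAN-routed host
    core = with_route(TABLES, "l3-switch", "10.11.0.0/24", "192.168.201.166")
    print(reply_status(core, "10.11.0.6"))
    # 3. ... plus the extra route on the firewall
    both = with_route(core, "firewall", "10.11.0.0/24", "192.168.199.1")
    print(reply_status(both, "10.11.0.6"))
    # 4. MASQUERADE: replies are addressed to 192.168.201.166, which every
    #    device already reaches, so no static route is needed anywhere
    print(reply_status(TABLES, "192.168.201.166"))
```

The model ignores firewall policies and only answers the routing question; it shows that without MASQUERADE every device whose default route bypasses the core switch needs its own entry for 10.11.0.0/24, which is exactly the extra firewall route the post had to add.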

Once every test pings through, the various services can be made available to users.
