1. Case Requirements Analysis
This case uses RHEL5 and Windows XP to build secure SSL VPN connections across the untrusted Internet for two remote LANs and one remote network-management workstation (see Figure 8.2).
The gateway servers of the Beijing headquarters and the Shanghai branch both run RHEL5; OpenVPN must be configured on each of them to connect the two remote LANs, LAN1 and LAN2. In addition, a network-management workstation located on the Internet runs Windows XP and must be able to reach LAN1 at headquarters and LAN2 at the Shanghai branch at any time through the VPN security tunnel.
Linux-based OpenVPN network
[Figure 8.2: OpenVPN remote virtual private network architecture]
Based on these requirements, the gateway server GW1 at the Beijing headquarters is configured in VPN server mode, while the Shanghai gateway server GW2 and the Internet network-management workstation PC1 both run in VPN client mode. Two point-to-point SSL VPN security tunnels are created: "GW1 <----> GW2" and "GW1 <----> PC1".
Because the details of the Internet side are not the focus of this case, the public IP addresses of GW1 and GW2 are simply 173.74.75.76 and 173.74.75.77. The other interface addresses are as follows:
· The intranet interfaces of GW1 and GW2 use 192.168.1.1 and 192.168.2.1 respectively.
· GW1 <----> GW2 tunnel: virtual IP addresses 10.8.0.1/30 and 10.8.0.2/30 respectively.
· GW1 <----> PC1 tunnel: virtual IP addresses 10.9.0.1/30 and 10.9.0.2/30 respectively.
In addition, the IP address, default gateway and other parameters of the LAN clients at both sites must be set correctly:
· Hosts in LAN1 use the network segment 192.168.1.0/24 with default gateway 192.168.1.1.
· Hosts in LAN2 use the network segment 192.168.2.0/24 with default gateway 192.168.2.1.
2. Configure the GW1 <----> GW2 tunnel connection
This section describes how to create the first SSL VPN tunnel, which connects the GW1 and GW2 servers so that LAN1 in Beijing and LAN2 in Shanghai are securely interconnected.
The main implementation process is as follows:
Step 1: Configure the master server (GW1) in Beijing
A. Configure the Internet connection, SNAT and route forwarding
1) Configure the IP addresses
The eth0 interface (173.74.75.76/24) connects to the Internet and the eth1 interface (192.168.1.1/24) connects to the local area network (the interface configuration steps themselves are omitted here).
2) Enable routing and SNAT
[root@gw1 ~]# vim /opt/gw1_nat.sh
#!/bin/bash
# enable IPv4 forwarding and masquerade LAN1 traffic leaving eth0 as the public address
sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to-source 173.74.75.76
[root@gw1 ~]# chmod a+x /opt/gw1_nat.sh
[root@gw1 ~]# echo "/opt/gw1_nat.sh" >> /etc/rc.local
[root@gw1 ~]# /opt/gw1_nat.sh
net.ipv4.ip_forward = 1
[root@gw1 ~]# sysctl -p
Note that the script must be appended to /etc/rc.local with ">>"; a single ">" would overwrite the file. Also make sure /etc/sysctl.conf itself contains net.ipv4.ip_forward = 1, because "sysctl -p" and the boot-time sysctl run reload that file and the RHEL5 default of 0 would switch forwarding off again.
B. Install the OpenVPN service
[root@gw1 soft_dir]# tar zxvf lzo-2.03.tar.gz
[root@gw1 soft_dir]# cd lzo-2.03
[root@gw1 lzo-2.03]# ./configure && make install
[root@gw1 lzo-2.03]# cd ../
[root@gw1 soft_dir]# tar zxvf openvpn-2.0.9.tar.gz
[root@gw1 soft_dir]# cd openvpn-2.0.9
[root@gw1 openvpn-2.0.9]# ./configure && make install
[root@gw1 openvpn-2.0.9]# cd /soft_dir/
[root@gw1 soft_dir]# cp -p openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn
[root@gw1 soft_dir]# chmod +x /etc/init.d/openvpn
[root@gw1 soft_dir]# chkconfig --add openvpn
[root@gw1 soft_dir]# chkconfig --level 2345 openvpn on
The lzo-2.03 and openvpn-2.0.9 tarballs are the versions used in this case; verify the checksums or signatures of any source tarball before building it, and prefer a current OpenVPN release for a new deployment.
C. Create the certificate and key files
Certificates and key files are used to authenticate the two ends of each tunnel to each other. To keep the key creation process simple, use the easy-rsa/ directory shipped in the OpenVPN source package; it contains a set of easy-to-use scripts (see the openvpn-2.0.9/easy-rsa/README file).
3) Configure the variable environment
Edit the easy-rsa/vars file and change the predefined variables as needed, or keep the defaults. The scripts read these variables when creating the files in the following steps; in particular the value of KEY_DIR decides where newly created keys and certificates are stored.
[root@gw1 ~]# cd /soft_dir/openvpn-2.0.9/easy-rsa/
[root@gw1 easy-rsa]# vim vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR=$D/keys
echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export KEY_SIZE=1024
export KEY_COUNTRY=CN           # change the values from here on for your own organization
export KEY_PROVINCE=BeiJing
export KEY_CITY=BeiJing
export KEY_ORG="BENET.Inc"
export KEY_EMAIL="vpnadm@benet.com"
KEY_SIZE=1024 is what this case uses; 1024-bit RSA keys (and the 1024-bit DH parameters generated below) are below today's minimum of 2048 bits, so raise KEY_SIZE for any new deployment.
[root@gw1 easy-rsa]# source vars        # load the variables into the current shell (run it with "source" or ".", not as a separate process)
NOTE: when you run ./clean-all, I will be doing a rm -rf on /soft_dir/openvpn-2.0.9/easy-rsa/keys
[root@gw1 easy-rsa]# ./clean-all        # empty the $KEY_DIR directory before starting
4) Create the CA certificate
Run the "./build-ca" script to create the CA certificate, filling in the country code, province, city, company name and other fields; the Common Name can be set to the FQDN of gw1. Every key file created afterwards is signed by this CA, so the CA private key (ca.key) is the root of trust for all tunnels and must be protected accordingly.
[root@gw1 easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
...++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [BENET.Inc]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gw1.benet.com
Email Address [vpnadm@benet.com]:
5) Create the DH (Diffie-Hellman) parameter file
Run the "./build-dh" script to create the dh file.
[root@gw1 easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....................+.....+.......... (progress output omitted)
6) Create the GW1 master server key
Run the "./build-key-server" script to create the VPN server key file. Set the Common Name to gw1.benet.com when prompted, then answer "y" to sign the certificate and "y" again to commit it. Unlike build-key, build-key-server signs the certificate with the server extensions, which lets clients reject a client certificate presented as a server.
[root@gw1 easy-rsa]# ./build-key-server gw1
Generating a 1024 bit RSA private key
....................................++
writing new private key to 'gw1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [BENET.Inc]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gw1.benet.com
Email Address [vpnadm@benet.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /soft_dir/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BeiJing'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'BENET.Inc'
commonName            :PRINTABLE:'gw1.benet.com'
emailAddress          :IA5STRING:'vpnadm@benet.com'
Certificate is to be certified until Jul 12 02:42:17 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7) Create the GW2 peer server key
Run the "./build-key" script to create the VPN client key file. Set the Common Name to gw2.benet.com when prompted, then answer "y" to sign the certificate and "y" again to commit it.
[root@gw1 easy-rsa]# ./build-key gw2
Generating a 1024 bit RSA private key
......++
writing new private key to 'gw2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [BENET.Inc]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:gw2.benet.com
Email Address [vpnadm@benet.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /soft_dir/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BeiJing'
localityName          :PRINTABLE:'BISHKEK'
organizationName      :PRINTABLE:'BENET.Inc'
commonName            :PRINTABLE:'gw2.benet.com'
emailAddress          :IA5STRING:'vpnadm@benet.com'
Certificate is to be certified until Jul 12 02:44:30 2020 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note:
When creating keys with the "./build-key" script, each client must have a different "Common Name"; the CA refuses to issue two certificates with the same subject, and the server uses the Common Name to select the client's ccd file.
8) Generate the tls-auth key
The tls-auth key adds an extra layer of protection to the point-to-point VPN connection: every control-channel packet carries an HMAC computed with this shared key, and the server silently drops packets whose HMAC does not verify before any TLS processing takes place. This blocks port scans, UDP floods and unauthenticated probing of the TLS stack. If you use it, both the server and the client must hold the same key file.
The "--genkey --secret" options of the openvpn command create the ta.key file.
[root@gw1 easy-rsa]# openvpn --genkey --secret keys/ta.key
9) Finally, move the keys/ folder to the /etc/openvpn/ directory
[root@gw1 easy-rsa]# mkdir -p /etc/openvpn/
[root@gw1 easy-rsa]# mv keys/ /etc/openvpn/
GW1 itself only needs ca.crt, gw1.crt, gw1.key, dh1024.pem and ta.key. Copy ca.crt, gw2.crt, gw2.key and ta.key to GW2 over a secure channel (for example scp), keep the private key files readable by root only (mode 600), and keep ca.key off the gateways entirely: anyone holding it can issue certificates that both ends of every tunnel will trust.
D. Create the configuration file for the master server
In the server configuration file, enable server mode, listen on the default UDP port 1194 and use the tun0 device as the virtual interface (see the sample configuration openvpn-2.0.9/sample-config-files/server.conf in the OpenVPN source directory). Comments in an OpenVPN configuration file start with "#" or ";".
[root@gw1 ~]# vim /etc/openvpn/gw1_tun0.conf
local 173.74.75.76                      # IP address the service listens on
port 1194                               # the first tunnel uses the default port 1194
proto udp
dev tun                                 # routed (tun) mode rather than bridged (tap) mode
ca keys/ca.crt
cert keys/gw1.crt
key keys/gw1.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0           # server mode; address range of the VPN virtual network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"  # route to the LAN1 segment, pushed to GW2
push "route 10.9.0.0 255.255.255.0"     # route to the PC1 tunnel network, pushed to GW2
push "dhcp-option DNS 210.22.84.3"      # DNS server address for the client
route 192.168.2.0 255.255.255.0         # kernel route on GW1 to the LAN2 segment behind GW2
client-config-dir ccd                   # read per-client configuration files under ccd/
keepalive 10 120
tls-auth keys/ta.key 0                  # tls-auth key; the server uses direction 0, the client direction 1
cipher BF-CBC                           # the cipher must match the client's setting
comp-lzo
max-clients 100                         # maximum number of concurrent VPN connections
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
Two points deserve attention. The "route" line and the "iroute" line in the ccd file below work as a pair: the kernel route makes GW1 hand packets for 192.168.2.0/24 to tun0, and the iroute tells OpenVPN which client owns that subnet; leave either one out and LAN2 is unreachable. "dhcp-option DNS" only takes effect on Windows clients (or with a client-side up script), so it is relevant to PC1 rather than to GW2. BF-CBC, the OpenVPN 2.0 default, is a 64-bit block cipher that newer OpenVPN releases deprecate; where both ends support it, prefer an AES cipher such as AES-256-CBC.
E. Create the ccd configuration file for GW2
[root@gw1 ~]# mkdir -p /etc/openvpn/ccd
[root@gw1 ~]# cd /etc/openvpn/ccd       # create an independent configuration file for the peer server GW2
[root@gw1 ccd]# vim gw2.benet.com       # the file name must equal the Common Name of the client certificate
iroute 192.168.2.0 255.255.255.0        # declare the LAN2 subnet behind GW2 so OpenVPN routes it to this client
ifconfig-push 10.8.0.2 10.8.0.1         # GW2's local tun0 address and its point-to-point peer address
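The server file in D and the ccd file in E must agree with each other: every iroute in a ccd file needs a matching route in the server configuration, an ifconfig-push address must lie inside the network given by the server directive, and the TLS material, tls-auth and cipher settings should be sane. The following Python script, an added example that is not part of the original article or of the OpenVPN project, encodes these rules as a small linter. The embedded sample configuration and ccd file are constructed copies of the files above, trimmed to the directives the checks look at; lint() returns a list of findings and an empty list means the files are consistent.

```python
#!/usr/bin/env python3
"""Consistency linter for an OpenVPN 2.x server config plus its ccd/ files.
Added example, not from the original article or the OpenVPN project. Rules:
each ccd 'iroute' needs a matching server 'route' and vice versa, 'ifconfig-push'
addresses must sit inside the 'server' pool, TLS material and tls-auth must be
present, and the cipher should not be a 64-bit block cipher."""
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample input: gw1_tun0.conf and ccd/gw2.benet.com from this
# case, trimmed to the directives the checks look at.
SERVER_CONF = """\
port 1194
dev tun
ca keys/ca.crt
cert keys/gw1.crt
key keys/gw1.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0   # kernel route for LAN2 behind GW2
client-config-dir ccd
tls-auth keys/ta.key 0
cipher BF-CBC
user nobody
group nobody
persist-key
persist-tun
"""
CCD_FILES = {"gw2.benet.com": "iroute 192.168.2.0 255.255.255.0\n"
                              "ifconfig-push 10.8.0.2 10.8.0.1\n"}


def parse_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (directive, args): '#' and ';' open comments and a
    quoted argument such as push "route a b" stays a single token."""
    entries = []
    for raw in text.splitlines():
        parts = shlex.split(raw.split(";", 1)[0], comments=True)
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def net_of(args: List[str]) -> Optional[ipaddress.IPv4Network]:
    """Turn 'addr mask' arguments into a network, or None if malformed."""
    try:
        return ipaddress.IPv4Network(f"{args[0]}/{args[1]}", strict=False)
    except (IndexError, ValueError):
        return None


def lint(server_conf: str, ccd_files: Dict[str, str]) -> List[str]:
    """Return 'ERROR: ...' and 'WARN: ...' findings (an empty list means clean)."""
    findings: List[str] = []
    by_name: Dict[str, List[List[str]]] = {}
    for name, args in parse_conf(server_conf):
        by_name.setdefault(name, []).append(args)
    for required in ("ca", "cert", "key", "dh", "server"):
        if required not in by_name:
            findings.append(f"ERROR: missing '{required}' directive")
    if "tls-auth" not in by_name:
        findings.append("WARN: no tls-auth; unauthenticated packets reach the TLS stack")
    pool = net_of(by_name["server"][0]) if "server" in by_name else None
    # Kernel routes on the server: without one, packets for LAN2 never enter tun0.
    kernel_routes = {n for n in map(net_of, by_name.get("route", [])) if n}
    iroutes = set()
    for cn, text in ccd_files.items():
        for name, args in parse_conf(text):
            if name == "iroute":
                n = net_of(args)
                if n is None:
                    findings.append(f"ERROR: {cn}: malformed iroute {' '.join(args)}")
                    continue
                iroutes.add(n)
                if n not in kernel_routes:  # OpenVPN knows the owner, the kernel does not
                    findings.append(f"ERROR: {cn}: iroute {n} has no matching server 'route'")
            elif name == "ifconfig-push":
                for addr in args[:2]:
                    try:
                        ip = ipaddress.IPv4Address(addr)
                    except ValueError:
                        findings.append(f"ERROR: {cn}: bad ifconfig-push address '{addr}'")
                        continue
                    if pool and ip not in pool:
                        findings.append(f"ERROR: {cn}: ifconfig-push {ip} is outside pool {pool}")
    for n in kernel_routes - iroutes:  # the kernel routes it, but no client owns it
        findings.append(f"WARN: route {n} is claimed by no ccd iroute; packets will be dropped")
    cipher = by_name.get("cipher", [["BF-CBC"]])[0]  # BF-CBC is the 2.0.x default
    if cipher and cipher[0].upper().startswith(("BF-", "DES-", "RC2-")):
        findings.append(f"WARN: cipher {cipher[0]} is a 64-bit block cipher; prefer AES-256-CBC")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVER_CONF, CCD_FILES):
        print(finding)
```

Run against the sample files the only finding is the BF-CBC warning; deleting the route line from the server config turns the GW2 iroute into an error, and a ccd file that pushes a 10.9.0.x address (the PC1 tunnel range) into the 10.8.0.0/24 instance is reported as outside the pool.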
F. Start the OpenVPN service
[root@gw1 ~]# service openvpn start
Starting openvpn:                                          [  OK  ]
[root@gw1 ~]# netstat -anp | grep openvpn
udp        0      0 173.74.75.76:1194       0.0.0.0:*                   11220/openvpn
The netstat output confirms that the daemon is bound only to the public address 173.74.75.76 on UDP port 1194, as the "local" directive requires.
Appendix: the complete technical documentation is available as a PDF download: http://down.51cto.com/data/102973
This article is from the "Jia Yunfei" blog; please keep this source when reproducing it: http://jiayf.blog.51cto.com/1659430/349847