Linux-based OpenVPN Network-Based Network Architecture Application Instance (I)

Source: Internet
Author: User

1.Case Demand Analysis

This case uses the RHEL5 and Windows XP system environment to establish a secure ssl vpn connection 8.2 for two remote LAN and remote network management workstations across insecure Internet networks ).

The gateway servers of Beijing headquarters and Shanghai Branch both use the RHEL5 system. OpenVPN must be configured separately to connect two remote LAN LAN1 and lan2. In addition, the network management workstation located on the Internet uses the Windows XP system and needs to access the LAN LAN1 of the Headquarters and the LAN LAN2 of the Shanghai branch at any time through the VPN security tunnel.

Linux-based OpenVPN Network

650) this. width = 650; "onclick = 'window. open (" http://blog.51cto.com/viewpic.php? Refimg = "+ this. src) 'style = "border-bottom: 0px; border-left: 0px; border-top: 0px; border-right: 0px "title =" clip_image002 "border =" 0 "alt =" clip_image002 "height =" 359 "src =" http://www.bkjia.com/uploads/allimg/131227/09222L114-0.png "/>

OpenVPN remote virtual private network architecture

Based on the above requirements, you can configure the gateway Server GW1 at the Beijing headquarters as the VPN Server mode. The Gateway Server GW2 in Shanghai and the Internet network management workstation PC1 both use the VPN Client mode. Create two point-to-point

Point-to-Point) ssl vpn security tunnel-"GW1 <----> GW2", "GW1 <----> PC1.

Because the details of Internet networks are not the focus of this case, the public IP addresses of GW1 and GW2 use

173.74.75.76 and 173.74.75.77. Other network interface address settings are as follows:

The IP addresses of GW1 and GW2 Intranet interfaces are 192.168.1.1 and 192.168.2.1, respectively.

? GW1 <----> GW2 tunnel: Use the virtual IP addresses 10.8.0.1/30 and 10.8.0.2/30 respectively.

? GW1 <----> PC1 tunnel: Use the virtual IP addresses 10.9.0.1/30 and 10.9.0.2/30 respectively.

In addition, the IP address, default gateway, and other parameters must be correctly set for local area network clients in two locations:

? The host in LAN1 uses the network segment 192.168.1.0/24, and the default gateway is 192.168.1.1.

? The host of LAN2 uses the network segment 192.168.2.0/24, and the default gateway is 192.168.2.1.

2.Configure GW1 <----> GW2Tunnel connection

This section describes how to create 1st ssl vpn tunnels for connecting GW1 and GW2 servers to achieve secure interconnection between LAN LAN1 and LAN2 in Beijing and Shanghai.

The main implementation process is as follows:

Step 1: configure the master server GW1) -- Beijing

A.Configure InternetConnection and SNAT, Route forwarding

1) configure the IP address

Eth0 interface (173.74.75.76/24) is used to connect to the Internet, and eth1 interface 192.168.1.1/24 is used to connect

Local area network configuration process)

2) Enable route and SNAT Conversion

[Root @ gw1 ~] # Vim/opt/gw1_nat.sh

Sysctl-w net. ipv4.ip _ forward = 1

/Sbin/iptables-t nat-I POSTROUTING-o eth0-j SNAT -- to-source 173.74.75.76

[Root @ gw1 ~] # Chmod a + x/opt/gw1_nat.sh

[Root @ gw1 ~] # Echo "/opt/gw1_nat.sh" & gt;/etc/rc. local

[Root @ gw1 ~] #/Opt/gw1_nat.sh

Net. ipv4.ip _ forward = 1

[Root @ gw1 ~] # Sysctl-p

B.Install OpenVPNService

[Root @ gw1 soft_dir] # tar zxvf lzo-2.03.tar.gz

[Root @ gw1 soft_dir] # cd lzo-2.03

[Root @ gw1 lzo-2.03] #./configure & make install

[Root @ gw1 lzo-2.03] # cd ../

[Root @ gw1 soft_dir] # tar zxvf openvpn-2.0.9.tar.gz

[Root @ gw1 openvpn-2.0.9] #./configure & make install

[Root @ gw1 ~] # Cd/soft_dir/

[Root @ gw1 soft_dir] # cp-p openvpn-2.0.9/sample-scripts/openvpn. init/etc/init. d/openvpn

[Root @ gw1 soft_dir] # chmod + x/etc/init. d/openvpn

[Root @ gw1 soft_dir] # chkconfig -- add openvpn

[Root @ gw1 soft_dir] # chkconfig -- level 2345 openvpn on

C.Create a certificate and key file

Certificates and key files are mainly used for peer-to-peer client authentication to enhance security. To reduce the complexity of the key creation process, you can make full use of the easy-rsa/directory provided by the OpenVPN source package, this directory contains a series of easy-to-use scripting tools refer to the openvpn-2.0.9/easy-rsa/README file ).

3)Configure the variable environment

Modify the easy-rsa/vars file, modify the pre-defined variables as needed, or retain the default values. In the future

The content of these variables is directly read during the creation of related files. The value of the "KEY_DIR" variable determines

Storage location of newly created files, such as keys.

[Root @ gw1 ~] # Cd/soft_dir/openvpn-2.0.9/easy-rsa/

[Root @ gw1 easy-rsa] # vim vars

Export D = 'pwd'

Export KEY_CONFIG = $ D/openssl. cnf

Export KEY_DIR = $ D/keys

Echo NOTE: when you run./clean-all, I will be doing a rm-rf on $ KEY_DIR

Export KEY_SIZE = 1024

Export KEY_COUNTRY =CN// Modify the bold part based on the specific application

Export KEY_PROVINCE =BeiJing

Export KEY_CITY =BeiJing

Export KEY_ORG ="BENET. Inc"

Export KEY_EMAIL ="Vpnadm@benet.com"

[Root @ gw1 easy-rsa] # source vars // execute the code in the vars File

NOTE: when you run./clean-all, I will be doing a rm-rf on/soft_dir/openvpn-2.0.9/easy-rsa/keys

[Root @ gw1 easy-rsa] #./clean-all // pre-clear the $ KEY_DIR directory

4)Create CACertificate

Run the "./build-ca" script to create the CA certificate file, and set the country code, province, city,

Company Name and other information, such as the General Identification Name "Common Name" can be set to the FQDN Name of gw1.

The subsequent key file must be based on the CA file.

[Root @ gw1 easy-rsa] #./build-ca

Generating a 1024 bit RSA private key

... ++

...

Writing new private key to 'Ca. key'

-----

You are about to be asked to enter information that will be ininitialized

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BeiJing]:

Locality Name (eg, city) [BISHKEK]:

Organization Name (eg, company) [BENET. Inc]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:Gw1.benet.com

Email Address [vpnadm@benet.com]:

5)Create dhDiffie-Hellman) Key algorithm File

Run the "./build-dh" script to create the dh file.

[Root @ gw1 easy-rsa] #./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time

........................................ .................................. + ................................. + ....................................... ......................... + ................... + ....................................... .. + .. + ....................................... ......................... + ....................................... ........................................ ...... + ........ + ............. + .............................. + ....................................... ........................................ ........ + .......... + ......................... + ....................................... ........................................ ........ + ................. + .............................. + ........ + .............................. + ....................................... ........................................ ........................................ .................................. + .................... + ...... + ............. + ....................................... .................. + ...... + ....... + ......................... + ....................................... ........................................ .......... + ....................................... .. + ............................ + ............................ + .......................................... + ............................. ++ *

6)Create GW1Master server key

Run ". the/build-key-server script can create a VPN server key file, set Common Namegw1.benet.com according to the prompts, and then press "y" to Sign the Sign) and submit the Commit ).

[Root @ gw1 easy-rsa] #./build-key-server gw1

Generating a 1024 bit RSA private key

...

.................................... ++

Writing new private key to 'gw1. key'

-----

You are about to be asked to enter information that will be ininitialized

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BeiJing]:

Locality Name (eg, city) [BISHKEK]:

Organization Name (eg, company) [BENET. Inc]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:Gw1.benet.com

Email Address [vpnadm@benet.com]:

Please enter the following 'extra 'attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from/soft_dir/openvpn-2.0.9/easy-rsa/openssl. cnf

Check that the request matches the signature

Signature OK

The Subject's Distinguished Name is as follows

CountryName: PRINTABLE: 'cn'

StateOrProvinceName: PRINTABLE: 'beijing'

LocalityName: PRINTABLE: 'bishkek'

OrganizationName: PRINTABLE: 'benet. inc'

CommonName: PRINTABLE: 'gw1 .benet.com'

EmailAddress: IA5STRING: 'vpnadm @ benet.com'

Certificate is to be certified until Jul 12 02:42:17 2020 GMT (3650 days)

Sign the certificate? [Y/n]:Y

1 out of 1 certificate requests certified, commit? [Y/n]Y

Write out database with 1 new entries

Data Base Updated

7)Create GW2Peer server key

Run the "./build-key" script to create the VPN Client key file, set the Common Namegw2.benet.com according to the prompt, and then Sign the Sign by "y" and submit the Commit ).

[Root @ gw1 easy-rsa] #./build-key gw2

Generating a 1024 bit RSA private key

...

... ++

Writing new private key to 'gw2. key'

-----

You are about to be asked to enter information that will be ininitialized

Into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BeiJing]:

Locality Name (eg, city) [BISHKEK]:

Organization Name (eg, company) [BENET. Inc]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:Gw2.benet.com

Email Address [vpnadm@benet.com]:

Please enter the following 'extra 'attributes

To be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from/soft_dir/openvpn-2.0.9/easy-rsa/openssl. cnf

Check that the request matches the signature

Signature OK

The Subject's Distinguished Name is as follows

CountryName: PRINTABLE: 'cn'

StateOrProvinceName: PRINTABLE: 'beijing'

LocalityName: PRINTABLE: 'bishkek'

OrganizationName: PRINTABLE: 'benet. inc'

CommonName: PRINTABLE: 'gw2 .benet.com'

EmailAddress: IA5STRING: 'vpnadm @ benet.com'

Certificate is to be certified until Jul 12 02:44:30 2020 GMT (3650 days)

Sign the certificate? [Y/n]:Y

1 out of 1 certificate requests certified, commit? [Y/n]Y

Write out database with 1 new entries

Data Base Updated

Note:

When you use the "./build-key" script to create a key, the "Common Name" corresponding to different clients cannot be the same.

8)Generate tls-authKey

The tls-auth key can provide further security verification for point-to-point VPN connections. If you choose this method, both the server and client must own the key file.

The openvpn command follows the "-- genkey -- secret" option and can be used to create a ta key file.

[Root @ gw1 easy-rsa] # openvpn -- genkey -- secret keys/ta. key

9)Finally, put the keys/Folder transfer to/etc/openvpn/Directory

[Root @ gw1 easy-rsa] # mkdir-p/etc/openvpn/

[Root @ gw1 easy-rsa] # mv keys // etc/openvpn/

D.Create a configuration file for the master server

In the Server configuration file, specify the Server mode to listen to the default UDP port 1194. The Virtual Interface uses the tun0 device. See the configuration example openvpn-2.0.9/sample-config-files/server. conf in the openvpn source code directory)

[Root @ gw1 ~] # Vim/etc/openvpn/gw1_tun0.conf

Local 173.74.75.76 // specify the IP address of the listener service

Port 1194 // enable the default port 1st for 1194 tunnels

Proto udp

Dev tun // use the VPN tunnel mode of SSL Tune

Ca keys/ca. crt

Cert keys/gw1.crt

Key keys/gw1.key

Dh keys/dh1024.pem

Server 10.8.0.0 255.255.255.0 // use server mode and specify the VPN Virtual Network Address

Ifconfig-pool-persist ipp.txt

Push "route 192.168.1.0 255.255.255.0" // route entry added to the LAN1 network segment for GW2

Push "route 10.9.0.0 255.255.255.0" // route entry added to PC1 for GW2

Push "dhcp-options DNS 210.22.84.3" // set the DNS server address for the client

Route 192.168.2.0 route 255.255.0 // route entry added to the LAN2 network segment for GW1

Client-config-dir ccd // allow reading client configuration files under the ccd/directory

Keepalive 10 120

Tls-auth keys/ta. key 0 // specify the tls-auth key

Cipher BF-CBC // the encryption algorithm must be consistent with the client.

Comp-lzo

Max-clients 100 // maximum number of concurrent VPN connections allowed

User nobody

Group nobody

Persist-key

Persist-tun

Status openvpn-status.log

Log-append openvpn. log

Verb 3

Mute 20

E.Create for GW2CcdConfiguration File

[Root @ gw1 ~] # Mkdir-p/etc/openvpn/ccd

[Root @ gw1 ~] # Cd/etc/openvpn/ccd // create an independent configuration file for the peer server GW2

[Root @ gw1 ccd] # vim gw2.benet.com

Iroute 192.168.2.0 255.255.255.0 // declare the LAN2 sub-network of GW2 backend

Ifconfig-push 10.8.0.2 10.8.0.1 // specify the local address of GW2 tun0), peer address P-t-P)

F.Start OpenVPNService

[Root @ gw1 ~] # Service openvpn start

Starting openvpn: [OK]

[Root @ gw1 ~] # Netstat-anp | grep openvpn

Udp 0 0 173.74.75.76: 1194 0.0.0.0: * 11220/openvpn

 

Appendix: Detailed PDF complete technical documentation download: http://down.51cto.com/data/102973

This article from the "Jia Yunfei" blog, please be sure to keep this source http://jiayf.blog.51cto.com/1659430/349847

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.