OpenVPN summary based on the Linux operating system architecture

Source: Internet
Author: User

Use OpenVPN to connect data centers: the following is a detailed description.

Contents:

1 Status quo
2 Network structure
3 Server information and network security
3.1 Server information
3.2 Network security
4 Use OpenVPN for north-south intercommunication
4.1 OpenVPN introduction
4.2 Download
4.3 Install
4.4 Does your operating system support tun?
4.5 Configure a C/S VPN network
4.5.1 How to generate the CA and cert/key?
4.5.1.1 Generate the public key (certificate) and private key (key) of the master Certificate Authority (CA)
4.5.1.2 Create server-side cert and key files
4.5.1.3 Create three client cert and key files
4.5.1.4 Create the Diffie Hellman file
4.5.1.5 List of all files and the hosts that use them
4.5.2 OpenVPN server configuration
4.5.3 OpenVPN client configuration
4.5.4 Run OpenVPN
5 Other configurations
5.1 Connect the subnets of multiple clients
5.2 Control the running OpenVPN process
5.3 Windows configuration
6 Actual application status
7 Reference document

1. Status quo

Assume that a company's servers are located in three data centers: Guangzhou, Hebei, and Hangzhou. Each data center uses its own, non-overlapping subnet:

Code:

Data center   Subnet (internal)
Guangzhou     10.1.0.0/16
Hebei         10.2.0.0/16
Hangzhou      10.3.0.0/16

Because the data centers use different network segments, the conditions for a VPN connection are favorable.

The slow link between China Telecom and China Netcom makes it very difficult to synchronize data between the Guangzhou and Hebei machine rooms. We have a server that connects to both the China Netcom line and the China Telecom line, but it cannot be used directly as a router, and if it is used as a proxy or for forwarding, the synchronization efficiency drops.

A VPN with a C/S (client/server) structure solves the synchronization problem without reducing synchronization efficiency.

2. Network Structure

The topology of the three data centers after interconnection:

(Because this was posted to the forum, please refer to the last figure of the post.)

As you can see, the VPN system has a C/S structure. The VPN server sits in the middle, and in each of the three data centers (Guangzhou, Hebei, and Hangzhou) one server is taken out to act as the VPN client.

The VPN server has two NICs and two lines (China Telecom and China Netcom). Both NICs must have a public IP address. Set the routes according to the actual situation; here I set the China Telecom line as the default route, and route the CIDR block of the Hebei data center over the China Netcom line.

A VPN client can have two NICs or only one. If it is on a China Telecom line, it connects to the China Telecom IP address of the VPN server; if it is on a China Netcom line, it connects to the China Netcom IP address of the VPN server.

3. Server information and network security

3.1 Server Information

In this article we use four servers: one as the VPN server and three as VPN clients. Because carrying data over the VPN places only a light load on the server, only the VPN server needs a new machine; in each data center, the client role can be given to an existing server with a light load.

Details of the four servers used in this article:

Code:

IDC                    VPN role   Operating system   IP address
VPN server             server     RedHat 9.0         public IP1 (China Netcom), public IP2 (China Telecom)
Guangzhou IDC          client     FreeBSD 4.9        10.1.0.1
Hebei data center      client     RedHat 9.0         10.2.0.1
Hangzhou data center   client     FreeBSD 4.9        10.3.0.1

3.2 Network Security

Apart from the VPN server, the VPN clients in the other data centers do not need public IP addresses, so the VPN server is the exposed machine and its security settings need to be tightened.

This server runs the RedHat 9.0 operating system. GRUB is used for the boot menu, and a GRUB password is set to protect against local (physical) access.

Use iptables to set up a packet-filtering firewall that allows only your own servers to reach the VPN port:

Code:

iptables -F
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s YOURNETWORK -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
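The rules above are typed by hand, restrict only the VPN port, and leave the FORWARD chain untouched even though ip_forward is switched on later (section 4.4). As an added example that is not part of the original post, the script below builds the VPN server's packet-filter rules from a list of trusted source networks and prints them for review before they are applied. YOURNETWORK is the post's placeholder; the 203.0.113.0/24 sample network, the tun+ forwarding rules and the rule_count/last_port_rule helper names are my assumptions for this example.

```sh
#!/bin/sh
# Added example, not from the original post: build the VPN server's iptables
# rules from a list of trusted networks and print them for review.
# Apply them on the server with:  sh vpn-rules.sh | sh

# Networks allowed to reach the OpenVPN port. 10.0.0.0/8 covers the three data
# centers; 203.0.113.0/24 stands in for the post's YOURNETWORK (constructed value).
TRUSTED_NETS="10.0.0.0/8 203.0.113.0/24"

# vpn_ruleset PORT "NET NET ..."
# Prints a ruleset that keeps loopback and reply traffic working, accepts
# udp/PORT only from the listed networks, drops udp/PORT from everyone else,
# and forwards packets only between the tunnel and the 10.0.0.0/8 subnets
# (ip_forward is enabled in section 4.4, so FORWARD must not stay wide open).
vpn_ruleset() {
    port="$1"
    nets="$2"
    echo "iptables -F"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $nets; do
        echo "iptables -A INPUT -s $net -p udp --dport $port -j ACCEPT"
    done
    # Order matters: the ACCEPT rules for trusted networks must come first.
    echo "iptables -A INPUT -p udp --dport $port -j DROP"
    echo "iptables -A FORWARD -i tun+ -d 10.0.0.0/8 -j ACCEPT"
    echo "iptables -A FORWARD -o tun+ -s 10.0.0.0/8 -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# rule_count RULESET PATTERN: how many generated lines contain PATTERN
rule_count() {
    printf '%s\n' "$1" | grep -c -- "$2"
}

# last_port_rule RULESET PORT: the final rule that mentions PORT (must be the DROP)
last_port_rule() {
    printf '%s\n' "$1" | grep -- "--dport $2 " | tail -n 1
}

# Stand-alone run: print the ruleset for udp/1194.
vpn_ruleset 1194 "$TRUSTED_NETS"
```

Reviewing the printed output before piping it to sh is the point of the design: a mistaken rule on a dual-homed server with two public addresses locks you out or exposes the port, and a printed ruleset can be diffed against the last known-good one.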

4. Use OpenVPN for north-south communication

4.1 Introduction to OpenVPN

OpenVPN is powerful, highly configurable, SSL-based VPN (Virtual Private Network) open-source software. It offers multiple authentication methods and many powerful features.

OpenVPN operates on layer 2 or layer 3 of the OSI model and uses the SSL/TLS protocol for network transmission. It supports various client authentication methods, such as certificates, smart cards, and user name/password, and it has ACL features that restrict what a client may exchange.

OpenVPN runs on multiple operating systems, including:

Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

With OpenVPN, you can:

● Use a specific UDP or TCP port to establish a VPN connection between two hosts.

● Implement a C/S structure and connect multiple clients through one server.

● Use TLS/SSL encryption to keep the transmitted data secure.

● Use data compression to improve the transmission speed.

(The other features are not needed in this article; to learn more, visit http://openvpn.net)

4.2 Download

Download the latest OpenVPN source package from the following URL:

http://nchc.dl.sourceforge.net... vpn-2.0_rc16.tar.gz

Because OpenVPN's data compression depends on it, you also need to install the lzo package:

http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz

4.3 Installation

Linux:

Code:

Software   Compilation and installation
lzo        ./configure && make && make install
openvpn    ./configure --prefix=/opt/openvpn && make && make install

FreeBSD:

Code:

Software   Compilation and installation
lzo        ./configure && make && make install
openvpn    ./configure --prefix=/opt/openvpn --with-lzo-headers=/usr/local/include && make && make install

Install OpenVPN on the Linux and FreeBSD hosts according to the method above.

4.4 Does your operating system support tun?

Of the operating systems I have installed, RedHat 9.0 and FreeBSD 4.9 support TUN in the kernel by default, and the tun module is already installed. RedHat AS3 does not have this module, and the kernel has to be recompiled with TUN support.

Load the tun module:

● Linux 2.4 or higher (with integrated TUN/TAP driver):

Code:

(1) make the device node:    mknod /dev/net/tun c 10 200
(2a) add the module alias:   echo "alias char-major-10-200 tun" >> /etc/modules.conf
(2b) load the driver:        modprobe tun
(3) enable routing:          echo 1 > /proc/sys/net/ipv4/ip_forward

● FreeBSD 4.1.1 or higher:

Code:

kldload if_tap

4.5 Configure a C/S VPN network

4.5.1 How to generate the CA and cert/key?

Code:

ca     Certificate Authority. All servers and clients use the same CA file.
cert   Certificate (public key). Each server and client generates its own.
key    Private key. Generated independently by each server and client.

◎ The server only needs to know its own cert and key. It does not need to know the cert of every client that may connect to it.

A client accepted by the server must have a cert issued by the server's CA: the server uses its CA to check whether the client's cert carries that CA's signature.

4.5.1.1 Generate the public key (certificate) and private key (key) of the master Certificate Authority (CA)

In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for three separate clients.

UNIX:

You can find the easy-rsa folder in the OpenVPN source code.

Code:

cd easy-rsa
. ./vars        # set the environment variables; many people go wrong here: there is a space between the two dots
./clean-all     # clear the previous keys
./build-ca      # create the CA

The last command calls openssl to create the CA public key and private key:

Code:

Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]: yourcorp        <- enter the company name here
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: hbroute        <- enter the host name or a name of your choice
Email Address [me@myhost.mydomain]:

For the others, use the default values.

After completion, four files are created in the keys directory: ca.crt, ca.key, index.txt and serial.

4.5.1.2 Create the server-side cert and key files

Code:

cd easy-rsa
./build-key-server server

Code:

Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]: yourcorp        <- enter the company name
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: hbrouteserver
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate? [y/n]: y        <- enter y
1 out of 1 certificate requests certified, commit? [y/n] y        <- enter y
Write out database with 1 new entries
Data Base Updated

Press Enter where no value is required.

4.5.1.3 Create the three client cert and key files

This is very similar to creating the server cert:

Code:

./build-key gz
./build-key hb
./build-key hz

Note that the names gz, hb, and hz must be distinct; otherwise only one of the clients sharing a name can be connected at a time.

If you want a client key protected by a password, use the build-key-pass script instead.

For example:

Code:

./build-key gz

Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]: mycorp
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: gz        <- type "gz"
Email Address [me@myhost.mydomain]:
Certificate is to be certified until Mar 14 08:15:16 2015 GMT (3650 days)
Sign the certificate? [y/n]: y        <- type "y"
1 out of 1 certificate requests certified, commit? [y/n] y        <- type "y"
Write out database with 1 new entries
Data Base Updated

4.5.1.4 Create the Diffie Hellman file

The OpenVPN server needs Diffie Hellman parameters:

Code:

./build-dh

4.5.1.5 List of all files and the hosts that use them

Code:

Filename     Needed by              Purpose                     Secret
ca.crt       server + all clients   Root CA certificate         NO
ca.key       signing machine only   Root CA key                 YES
dh{n}.pem    server only            Diffie Hellman parameters   NO
server.crt   server only            Server certificate          NO
server.key   server only            Server key                  YES
gz.crt       Guangzhou only         gz certificate              NO
gz.key       Guangzhou only         gz key                      YES
hb.crt       Hebei only             hb certificate              NO
hb.key       Hebei only             hb key                      YES
hz.crt       Hangzhou only          hz certificate              NO
hz.key       Hangzhou only          hz key                      YES

According to the table above, copy each file only to the hosts that need it.
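Before gz.crt is copied to Guangzhou, it is worth checking that the file really was issued by our CA and that its Common Name is the name the server will later look up in the ccd directory (section 4.5.2). The script below is an added example, not part of the original post or of easy-rsa: it builds a throw-away CA, one client cert signed by it, and a self-signed impostor cert with the same CN, all in a temporary directory, and runs the same check against each. The make_test_pki, cert_cn and check_client_cert names and the O=yourcorp/CN=gz subjects are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post: verify that a client certificate
# chains to our CA and carries the expected Common Name before it is deployed.
# The CA and certificates generated here are throw-away test material.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_pki DIR: constructed CA, a client cert "gz" signed by it, and a
# self-signed "rogue" cert that also claims CN=gz but was not issued by our CA.
make_test_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/O=yourcorp/CN=hbroute" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/O=yourcorp/CN=gz" \
        -keyout "$d/gz.key" -out "$d/gz.csr" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$d/gz.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/gz.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/O=other/CN=gz" \
        -keyout "$d/rogue.key" -out "$d/rogue.crt" >/dev/null 2>&1
}

# cert_cn CERT: print the Common Name of a certificate (works with both the
# "CN = gz" and the older "/CN=gz" subject formats openssl prints).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_client_cert CA CERT NAME
# Succeeds only if CERT was signed by CA and its CN equals NAME, i.e. the
# name the server will match against a ccd/<NAME> file.
check_client_cert() {
    ca="$1"; cert="$2"; name="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    [ "$(cert_cn "$cert")" = "$name" ]
}

# Stand-alone run: build the throw-away PKI and check the good and rogue certs.
make_test_pki "$WORK"
for c in gz rogue; do
    if check_client_cert "$WORK/ca.crt" "$WORK/$c.crt" gz; then
        echo "$c.crt: OK (issued by our CA, CN=gz)"
    else
        echo "$c.crt: REJECT"
    fi
done
```

The impostor cert is the interesting case: its CN is right, so a check that only reads the subject would accept it; only openssl verify against ca.crt tells the two apart, which is exactly what the OpenVPN server does with the ca directive at connection time.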

4.5.2 OpenVPN Server Configuration

When OpenVPN is installed, the /opt/openvpn directory contains only the sbin and man folders. For convenience, we create the other folders under this directory:

Code:

Directory   Contents
sbin        the main program "openvpn"
conf        the configuration file
ccd         the per-client configuration files
log         the server's log files
keys        the authentication files (certificates and keys)
man         the man pages

Configuration file: ./conf/server.conf

Code:

port 1194
proto udp
dev tun
ca /opt/openvpn/keys/ca.crt
cert /opt/openvpn/keys/server.crt
key /opt/openvpn/keys/server.key
dh /opt/openvpn/keys/dh1024.pem
server 10.99.0.0 255.255.255.0
ifconfig-pool-persist /opt/openvpn/log/ipp.txt
# absolute path: the start script in 4.5.4 does not cd into /opt/openvpn
client-config-dir /opt/openvpn/ccd
route 10.1.0.0 255.255.0.0
route 10.2.0.0 255.255.0.0
route 10.3.0.0 255.255.0.0
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
push "route 10.3.0.0 255.255.0.0"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /opt/openvpn/log/openvpn-status.log
log /opt/openvpn/log/openvpn.log
verb 6
mute 20
writepid /opt/openvpn/log/server.pid

Custom client configuration: ./ccd/

Code:

gz:
iroute 10.1.0.0 255.255.0.0

hz:
iroute 10.3.0.0 255.255.0.0

hb:
iroute 10.2.0.0 255.255.0.0

Configuration file explanation:

Code:

;local a.b.c.d                   IP address to listen on (optional)
port 1194                        listen port
proto udp                        use the UDP protocol
dev tun                          tunnel device
ca ca.crt                        CA certificate (the same CA is used on the server and client sides)
cert server.crt                  the server's certificate (public key)
key server.key                   the server's private key (keep it secret); server and clients each use their own cert and key
dh dh1024.pem                    Diffie Hellman parameters; generated with: openssl dhparam -out dh1024.pem 1024
server 10.99.0.0 255.255.255.0   server mode, with the IP range of the VPN subnet; the server end takes .1 by default
ifconfig-pool-persist ipp.txt    when the VPN is disconnected or restarted, this file lets a client get the same IP address again
push "route 10.1.0.0 255.255.0.0"   make the clients add a route to the other subnet
client-to-client                 allows the different clients to "see" each other
max-clients 100                  maximum number of clients
keepalive 10 120                 ping every 10 seconds; if no response within 120 seconds, the other side is considered down
user nobody
group nobody                     the user and group openvpn runs as after startup (reduces risk)
persist-key
persist-tun                      keep the key and the tun device across restarts (needed once privileges are dropped to nobody)
status openvpn-status.log        records the status of the connections every minute
log openvpn.log                  writes the log to the specified file
verb 3                           log level:
                                   0        errors only
                                   4        normal operational information
                                   5 and 6  help with debugging connection problems
                                   9        extremely verbose: everything is shown, even packet headers (like tcpdump)
mute 20                          if 20 consecutive messages of the same category appear, the rest are not logged

4.5.3 OpenVPN Client Configuration

Code:

Directory   Contents
sbin        the main program "openvpn"
conf        the configuration file
keys        the authentication files (certificates and keys)
man         the man pages

Configuration file: ./conf/client.conf

Guangzhou:

Code:

client
dev tun
proto udp
remote VPNSERVERIP1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /opt/openvpn/keys/ca.crt
cert /opt/openvpn/keys/gz.crt
key /opt/openvpn/keys/gz.key
comp-lzo
verb 3
mute 20

Hangzhou:

Code:

client
dev tun
proto udp
remote VPNSERVERIP1 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /opt/openvpn/keys/ca.crt
cert /opt/openvpn/keys/hz.crt
key /opt/openvpn/keys/hz.key
comp-lzo
verb 3
mute 20

Hebei:

Code:

client
dev tun
proto udp
remote VPNSERVERIP2 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /opt/openvpn/keys/ca.crt
cert /opt/openvpn/keys/hb.crt
key /opt/openvpn/keys/hb.key
comp-lzo
verb 3
mute 20

4.5.4 Run OpenVPN

Create a start script:

Server:

Code:

#!/bin/sh
OPENVPN=/opt/openvpn/sbin/openvpn
CFG=/opt/openvpn/conf/server.conf
# pid written by the writepid directive; empty until the server has started
PID=`cat /opt/openvpn/log/server.pid 2>/dev/null`

case "$1" in
start)
    $OPENVPN --config $CFG &
    ;;
stop)
    kill $PID
    ;;
restart)
    kill $PID
    sleep 5
    $OPENVPN --config $CFG &
    ;;
*)
    echo "Usage: `basename $0` {start|stop|restart}"
    ;;
esac

Client:

Code:

#!/bin/sh
/opt/openvpn/sbin/openvpn --config /opt/openvpn/conf/client.conf &

5. Other configurations

5.1 Allow the subnets of multiple clients to communicate with each other

● client-config-dir ccd

Create a ccd folder containing one file per client, named after the client (such as gz and hb). When a new client connects to the server, the program looks in the ccd folder for a file whose name matches the client's name (the Common Name of its certificate). If one exists, the directives in that file are read and applied to that client.

● Create a file hz in the ccd folder containing:

iroute 10.3.0.0 255.255.0.0

This tells the server that the 10.3.0.0/16 block is behind the hz client, so the hz client itself is not told to add a route for that block (Hangzhou's local network is already 10.3.0.0/16).

● Add the following to the server configuration file:

route 10.3.0.0 255.255.0.0

If you want two clients to reach each other's subnets, also add the following to the server configuration file:

client-to-client

push "route 10.3.0.0 255.255.0.0"

Remember to set the routes on the other machines in each subnet (unless the server and client machines are their default gateways).
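The three pieces of configuration in this section (route on the server, push to the other clients, iroute in ccd/<name>) must agree with each other, and a typo in one of them is the usual cause of a subnet that is reachable in one direction only. As an added example that is not part of the original post, the script below generates all three from one client table (the post's three data centers) and refuses client names that could not be a plain ccd filename, so a crafted name cannot write outside the ccd directory. The gen_routes, valid_name, iroute_for and route_count names, the routes.conf output file and the temporary output directory are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: generate the routing configuration
# that has to agree across server.conf and the ccd directory:
#   route  <net> <mask>          server.conf: kernel route on the server into the tunnel
#   push "route <net> <mask>"    server.conf: route handed to the other clients
#   iroute <net> <mask>          ccd/<name>:  tells OpenVPN which client owns the subnet

# Client table from the post: name, network, netmask.
CLIENTS="gz 10.1.0.0 255.255.0.0
hb 10.2.0.0 255.255.0.0
hz 10.3.0.0 255.255.0.0"

# valid_name NAME: a ccd file name is the client's certificate CN, so only
# accept plain names (no '/', '..' or whitespace that could leave the directory).
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_routes OUTDIR TABLE
# Writes OUTDIR/routes.conf (append it to server.conf) and OUTDIR/ccd/<name>
# for each client. Fails, with nothing further written, on an invalid name.
gen_routes() {
    out="$1"
    table="$2"
    mkdir -p "$out/ccd"
    : > "$out/routes.conf"
    # The loop runs in a subshell (pipeline), so 'exit 1' aborts only the loop
    # and becomes the function's return status.
    printf '%s\n' "$table" | while read -r name net mask; do
        [ -n "$name" ] || continue
        valid_name "$name" || { echo "bad client name: $name" >&2; exit 1; }
        printf 'route %s %s\n' "$net" "$mask" >> "$out/routes.conf"
        printf 'push "route %s %s"\n' "$net" "$mask" >> "$out/routes.conf"
        printf 'iroute %s %s\n' "$net" "$mask" > "$out/ccd/$name"
    done
}

# iroute_for OUTDIR NAME: the iroute line from a client's ccd file
iroute_for() {
    cat "$1/ccd/$2"
}

# route_count OUTDIR: number of server-side route lines written
route_count() {
    grep -c '^route ' "$1/routes.conf"
}

# Stand-alone run: write into a temporary directory and show the result.
OUT=$(mktemp -d)
gen_routes "$OUT" "$CLIENTS" && cat "$OUT/routes.conf" "$OUT"/ccd/* && echo "written to $OUT"
```

The generated routes.conf pushes every subnet to every client, as the post's server.conf does; the server removes from each client's push list the routes covered by that client's own iroute, which is why the iroute lines and the push lines must describe exactly the same blocks. client-to-client still has to be present in server.conf for the clients to reach each other.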

5.2 Control the running OpenVPN process

Add the writepid parameter to the configuration file to specify the pid file, then control the process with signals:

SIGUSR1 -- restart the openvpn process (a restart that also works while running as a non-root user)

SIGHUP -- restart

SIGUSR2 -- write connection statistics to the log file

SIGTERM, SIGINT -- exit

5.3 Configuration on Windows:

OpenVPN for Windows:

http://nchc.dl.sourceforge.net/s... using _rc17-install.exe

The installation is very simple, similar to other Windows software.

Install it in c:\program files\openvpn.

Create the configuration file win.ovpn in the config folder:

Code:

client
dev tun
proto udp
remote VPNSERVERIP1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ../keys/ca.crt
cert ../keys/win.crt
key ../keys/win.key
comp-lzo
verb 3
mute 20

Generate the ca.crt, win.crt, and win.key files on the server and copy them to the Windows machine. For how to generate them, see section 4.5.1.3.

Run the following on the command line:

openvpn --config win.ovpn

To run OpenVPN as a service, run:

openvpnserv.exe -install

You can then find the OpenVPN service in the Services list.

When OpenVPN runs as a service, it looks for configuration files with the .ovpn suffix in the config folder, and the logs are written to the log folder.

6. Supplement: by yazjiyao/yzjboy

If the following error occurs when you run configure for openvpn-2.0_rc16.tar.gz, we use the rpm packages for installation instead:

Code:

configure: checking for OpenSSL SSL Library and Header files...
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... no
checking for openssl/ssl.h... no
configure: error: OpenSSL SSL headers not found.

Step 1: download the required rpm packages:

openssl-0.9.6g-1.i386.rpm (not available for other versions)
openssl-devel-0.9.6g-1.i386.rpm (not available for other versions)
lzo-1.08-3.i386.rpm
openvpn-2.0.2-1.i386.rpm

Step 2: install the lower version of the openssl package. On the Linux 9 system the installed version is openssl-0.9.7a-2.i386.rpm and openssl-devel-0.9.7a-2.i386.rpm (do not delete it, or the system will go seriously wrong and may not start); instead, install the lower version of openssl with the --force parameter of rpm:

rpm -ivh --force openssl-0.9.6g-1.i386.rpm
rpm -ivh --force openssl-devel-0.9.6g-1.i386.rpm

Step 3: after the four RPMs are installed, put client.conf or server.conf in the /etc/openvpn/ directory. The other configuration is similar to the above and is not described again here.

Step 4: then run /etc/rc.d/init.d/openvpn start | stop | restart. Success!
