OpenVPN summary based on the Linux operating system architecture
Use OpenVPN to connect data centers
1 Status quo
2 Network structure
3 Server information and network security
3.1 Server information
3.2 Network security
4 Use openvpn for north-south intercommunication
4.1 OpenVPN introduction
4.2 Download
4.3 Install
4.4 Does your operating system support tun?
4.5 Configure a C/S VPN network
4.5.1 How to generate ca and cert/key?
4.5.1.1 Generate the public key (certificate) and private key (key) of the master Certificate Authority (CA)
4.5.1.2 Create server-side cert and key files
4.5.1.3 Create three client cert and key files
4.5.1.4 Create the Diffie Hellman file
4.5.1.5 List of all files and hosts used
4.5.2 OpenVPN server configuration
4.5.3 OpenVPN client configuration
4.5.4 Run OpenVPN
5 Other configurations
5.1 Connect the subnets of multiple clients
5.2 Control the running openvpn process
5.3 Windows configuration
6 Actual application status
7 Reference documents
1. Status quo
Assume that a company's servers are located in three data centers: Guangzhou, Hebei, and Hangzhou. Each data center uses its own subnet, none of which overlaps with the others:
Code:
Data center   Subnet (internal)
Guangzhou     10.1.0.0/16
Hebei         10.2.0.0/16
Hangzhou      10.3.0.0/16
Because the data centers use different network segments, the conditions for a VPN connection are favorable.
The slow link between China Telecom and China Netcom makes it very difficult to synchronize data between the Guangzhou and Hebei machine rooms. We have a server that is connected to both a China Netcom line and a China Telecom line, but we cannot use it directly as a router, and using it as a proxy or a port forwarder would reduce synchronization efficiency.
A VPN with a C/S structure solves the synchronization problem without affecting synchronization efficiency.
2. Network Structure
The topology of the three data centers after interconnection:
(Because this was posted to the forum, please refer to the last figure of the post.)
As you can see, the VPN system has a C/S structure. A VPN server sits in the middle, and in each of the three data centers (Guangzhou, Hebei, and Hangzhou) one server is designated as the VPN client.
The VPN server has two NICs and two lines (China Telecom and China Netcom). Both NICs must have a public IP address. Set the routes according to your actual situation; here I set the China Telecom line as the default route and route the Hebei data center's CIDR block over the China Netcom line.
The VPN client can have two NICs or only one. If it is on a China Telecom line, it connects to the VPN server's China Telecom IP address; if it is on a China Netcom line, it connects to the VPN server's China Netcom IP address.
3. Server information and network security
3.1 Server information
In this article we use four servers: one VPN server and three VPN clients. Because transmitting data over the VPN puts little load on a server, only the VPN server needs to be a new machine; in each data center the client can be any existing server with a light load.
Details of the four servers used in this article:
Code:
Role         Operating system   IDC         IP address in VPN mode
VPN server   RedHat 9.0                     public IP1 (China Netcom)
                                            public IP2 (China Telecom)
VPN client   FreeBSD 4.9        Guangzhou   10.1.0.1
VPN client   RedHat 9.0         Hebei       10.2.0.1
VPN client   FreeBSD 4.9        Hangzhou    10.3.0.1
3.2 Network security
Only the VPN server has a public IP address; the VPN clients in the other data centers do not need one. The VPN server is therefore the machine whose security settings need to be hardened.
This server runs RedHat 9.0. GRUB is used as the boot loader, and a GRUB password is set to protect against physical access.
Use iptables as a packet-filtering firewall and only allow your own servers to reach it:
Code:
iptables -F
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s YOURNETWORK -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j DROP
4. Use openvpn for North-South Communication
4.1 Introduction to Openvpn
OpenVPN is a powerful, highly configurable, SSL-based open-source VPN (Virtual Private Network) implementation. It offers several authentication methods and many other features.
OpenVPN operates at layer 2 or layer 3 of the OSI model and uses the SSL/TLS protocol for its network transport. It supports various client authentication methods, such as certificates, smart cards, and username/password, and has ACL functionality that limits what clients may exchange.
OpenVPN can run in multiple operating systems, including:
Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.
With OpenVpn, you can:
● Use a specific udp or tcp port to establish a vpn connection between two hosts.
● Implement the C/S structure and connect multiple clients through the server.
● Use TLS/SSL encryption to ensure data transmission security.
● Data Compression improves the data transmission speed.
(Because other features do not need to be used in this article, if you want to learn more, please visit http://openvpn.net)
4.2 Download
Download the latest openvpn source package from the following URL.
4.3 Install
Linux:
Code:
cd openvpn-*
./configure --prefix=/opt/openvpn
make && make install
FreeBSD:
Code:
cd lzo-*
./configure
make && make install
cd openvpn-*
./configure --prefix=/opt/openvpn --with-lzo-headers=/usr/local/include
make && make install
Install openvpn on the Linux and FreeBSD hosts according to the above installation method.
4.4 does your operating system support tun?
Of the operating systems I have installed, the RedHat 9.0 and FreeBSD 4.9 kernels support TUN by default and the tun module is already present. RedHat AS3 does not have this module, and the kernel needs to be recompiled with TUN support.
Load the tun module:
● Linux 2.4 or higher (with integrated TUN/TAP driver):
(1) Make the device node: mknod /dev/net/tun c 10 200
(2a) Add the alias to /etc/modules.conf: echo "alias char-major-10-200 tun" >> /etc/modules.conf
4.5 Configure a C/S VPN network
4.5.1 How to generate ca and cert/key?
CA: Certificate Authority (authentication and authorization). All servers and clients use the same ca file.
cert: certificate, i.e. the public key. Each server and client independently generates its own cert.
key: private key, generated independently by each server and client.
◎ The server only needs to know its own cert and key. It does not need to know the cert of every client that may connect to it.
A client accepted by the server must present a cert issued by the server's CA; the server uses that CA to check whether the client's cert carries its CA signature.
4.5.1.1 generate the Public key (Certificate) and private key (key) of the MASTER certificate Authority (CA)
#######
In this section we will generate a master CA certificate/key, a server certificate/key, and certificates/keys for 3 separate clients
#######
In this section we will create a master CA cert/key pair, a server-side cert/key pair, and three cert/key pairs for the different clients.
UNIX:
You can find the easy-rsa folder in the OpenVPN source tree.
Code:
cd easy-rsa
. ./vars        # set the environment variables; many people make a mistake here: there is a space between the two dots
./clean-all     # clear previous keys
./build-ca      # create the CA
The last command calls openssl to create the CA public key and private key:
Code:
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]: yourcorp      (enter your company name here)
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: hbroute      (enter the host name, or any name, here)
Email Address [me@myhost.mydomain]:
For the other fields, use the default value.
After completion, four files are created in the keys directory: ca.crt, ca.key, index.txt, and serial.
4.5.1.2 Create server-side cert and key files
Code:
cd easy-rsa
./build-key-server server
Code:
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]: yourcorp      (enter your company name)
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: hbrouteserver
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the certificate? [y/n]: y      (type y)
1 out of 1 certificate requests certified, commit? [y/n] y      (type y)
Write out database with 1 new entries
Data Base Updated
Press Enter to accept the defaults for the other fields.
4.5.1.3 create three client cert and key Files
This is very similar to creating the server certificate.
Code:
./build-key gz
./build-key hb
./build-key hz
Note that gz, hb, and hz must be distinct; if two clients share the same common name, only one of them can be connected at a time.
If you want a client key protected by a passphrase, use the build-key-pass script instead.
For example:
Code:
./build-key gz
Country Name (2 letter code) [KG]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [BISHKEK]:
Organization Name (eg, company) [OpenVPN-TEST]: mycorp
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: gz      (type "gz")
Email Address [me@myhost.mydomain]:
Certificate is to be certified until Mar 14 08:15:16 2015 GMT (3650 days)
Sign the certificate? [y/n]: y      (type "y")
1 out of 1 certificate requests certified, commit? [y/n] y      (type "y")
Write out database with 1 new entries
Data Base Updated
4.5.1.4 Create the Diffie Hellman file
The OpenVPN server requires Diffie Hellman parameters.
Code:
./build-dh
4.5.1.5 list of all files and hosts used
Code:
Filename     Needed by              Purpose                     Secret
ca.crt       server + all clients   Root CA certificate         NO
ca.key       signing machine only   Root CA key                 YES
dh{n}.pem    server only            Diffie Hellman parameters   NO
server.crt   server only            Server certificate          NO
server.key   server only            Server key                  YES
gz.crt       Guangzhou only         gz certificate              NO
gz.key       Guangzhou only         gz key                      YES
hb.crt       Hebei only             hb certificate              NO
hb.key       Hebei only             hb key                      YES
hz.crt       Hangzhou only          hz certificate              NO
hz.key       Hangzhou only          hz key                      YES
According to the table above, copy each file only to the hosts that need it.
4.5.2 OpenVPN Server Configuration
After installation, the /opt/openvpn directory contains only the sbin and man folders. For convenience, we create the other folders under this directory.
Code:
Directory   Purpose
sbin        the main program "openvpn"
conf        configuration files
ccd         per-client configuration files
log         the server's log files
keys        authentication files (certificates and keys)
man         man pages
Configuration file: ./conf/server.conf
Code:
port 1194
proto udp
dev tun
ca /opt/openvpn/keys/ca.crt
cert /opt/openvpn/keys/server.crt
key /opt/openvpn/keys/server.key
dh /opt/openvpn/keys/dh1024.pem
server 10.99.0.0 255.255.255.0
ifconfig-pool-persist /opt/openvpn/log/ipp.txt
client-config-dir ccd
route 10.1.0.0 255.255.0.0
route 10.2.0.0 255.255.0.0
route 10.3.0.0 255.255.0.0
push "route 10.1.0.0 255.255.0.0"
push "route 10.2.0.0 255.255.0.0"
push "route 10.3.0.0 255.255.0.0"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /opt/openvpn/log/openvpn-status.log
log /opt/openvpn/log/openvpn.log
verb 6
mute 20
writepid /opt/openvpn/log/server.pid
Custom client configuration: ./ccd/
Code:
gz:
iroute 10.1.0.0 255.255.0.0
hz:
iroute 10.3.0.0 255.255.0.0
hb:
iroute 10.2.0.0 255.255.0.0
Configuration file explanation:
Code:
;local a.b.c.d                      local IP address to listen on (commented out here)
port 1194                           listening port
proto udp                           use the UDP protocol
dev tun                             use a tun (routed) tunnel device
ca ca.crt                           CA public certificate (the same CA is used on the server and the clients)
cert server.crt                     the server's public certificate
key server.key                      the server's private key (keep it secret); the server and each client use their own cert and key
server 10.99.0.0 255.255.255.0      server mode; specifies the VPN subnet. The server itself takes .1.
ifconfig-pool-persist ipp.txt       when a client disconnects or the server restarts, this file lets the client get the same IP address again
push "route 10.1.0.0 255.255.0.0"   push a route to the client so that it can reach another subnet
client-to-client                    allow different clients to "see" each other
max-clients 100                     maximum number of clients
keepalive 10 120                    ping every 10 seconds; if no response within 120 seconds, consider the peer down
user nobody
group nobody                        the user and group openvpn runs as after startup (reduces risk)
persist-key
persist-tun                         keep the key and the tun device open across restarts (needed once privileges have been dropped)
status openvpn-status.log           record the connection status to this file every minute
log openvpn.log                     write logs to the specified file
verb 3                              log verbosity level:
                                    0 records error messages only
                                    4 records common information
                                    5 and 6 help debugging in case of connection problems
                                    9 is extreme: all information is displayed, even packet headers (like tcpdump)
mute 20                             if more than 20 consecutive messages of the same category appear, the rest are not logged
4.5.3 OpenVPN client configuration
Code:
Directory   Purpose
sbin        the main program "openvpn"
5. Other configurations
5.1 Allow the subnets of multiple clients to communicate with each other
● client-config-dir ccd
Create a ccd folder containing one file per client, named after the client's common name (such as gz and hb). When a new client connects, the server looks in the ccd folder for a file whose name matches the client's common name; if one exists, it reads the directives in that file and applies them to that client.
● Create a file hz in the ccd folder containing:
iroute 10.3.0.0 255.255.0.0
This tells the server that the 10.3.0.0/16 network lies behind the hz client, so hz is not given a route to the 10.3.0.0 block on its own machine (Hangzhou is already the 10.3.0.0/16 block).
● Add the following to the server configuration file:
route 10.3.0.0 255.255.0.0
If you also want the two clients to reach each other, add the following to the server configuration file:
client-to-client
push "route 10.3.0.0 255.255.0.0"
Remember to set the route on the machines in each subnet as well (if the server and client machines are not their default gateway).
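Because the status file written by the status directive lists every connected Common Name together with the subnets the server currently routes to each one, it is a convenient place to check that only the expected clients are connected and that each /16 is routed to the client that is supposed to own it through its ccd iroute. The following shell script is an added example and not part of the original post; the status log it reads is constructed sample data in the version-1 format openvpn writes (including a made-up client "lab" and a misassigned subnet), and the CN/subnet mapping is the one used in this article.

```sh
#!/bin/sh
# Added example (not from the original post): audit openvpn-status.log against the
# expected client names and the subnet ownership configured via ccd/iroute.
set -e

STATUS_LOG="$(mktemp)"          # constructed sample status file
trap 'rm -f "$STATUS_LOG"' EXIT
cat >"$STATUS_LOG" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Mar 14 10:00:00 2005
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
gz,203.0.113.10:1194,10240,20480,Mon Mar 14 09:00:00 2005
hb,198.51.100.7:1194,512,768,Mon Mar 14 09:05:00 2005
lab,192.0.2.99:1194,64,64,Mon Mar 14 09:58:00 2005
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.1.0.0/16,gz,203.0.113.10:1194,Mon Mar 14 09:59:00 2005
10.99.0.6,gz,203.0.113.10:1194,Mon Mar 14 09:59:00 2005
10.2.0.0/16,lab,192.0.2.99:1194,Mon Mar 14 09:59:30 2005
10.99.0.10,hb,198.51.100.7:1194,Mon Mar 14 09:59:00 2005
10.99.0.14,lab,192.0.2.99:1194,Mon Mar 14 09:59:30 2005
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

# Print every connected Common Name that is not in the allowlist, one per line.
# A name that was never issued a ccd file should never show up here; if it does,
# a certificate exists that the CA operator did not expect.
unexpected_clients() {  # $1 = status log; remaining args = allowed common names
    log="$1"; shift
    allowed=" $* "
    awk -F, '/^Common Name,/ { s = 1; next }
             /^ROUTING TABLE/ { s = 0 }
             s { print $1 }' "$log" |
    while IFS= read -r cn; do
        case "$allowed" in
            *" $cn "*) ;;
            *) echo "$cn" ;;
        esac
    done
}

# Print "subnet actual-owner expected-owner" for each routed subnet whose owner
# in the ROUTING TABLE differs from the ccd/iroute mapping we intend.
misrouted_subnets() {   # $1 = status log; $2 = mapping "subnet=cn subnet=cn ..."
    awk -F, -v spec="$2" '
        BEGIN {
            n = split(spec, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        /^Virtual Address,/ { s = 1; next }
        /^GLOBAL STATS/     { s = 0 }
        s && ($1 in want) && $2 != want[$1] { print $1, $2, want[$1] }
    ' "$1"
}

EXPECTED_OWNERS="10.1.0.0/16=gz 10.2.0.0/16=hb 10.3.0.0/16=hz"

echo "unexpected clients:";  unexpected_clients "$STATUS_LOG" gz hb hz
echo "misrouted subnets:";   misrouted_subnets  "$STATUS_LOG" "$EXPECTED_OWNERS"
```

Run from cron against the real /opt/openvpn/log/openvpn-status.log, any output from either function is worth an alert: the first catches a connection under a Common Name you never intended to issue, the second catches a ccd file or iroute that hands a data center's subnet to the wrong client, which would silently redirect that center's traffic.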
5.2 Control the running openvpn process
Add the writepid parameter to the configuration file to specify the pid file, then send signals to that pid:
SIGUSR1 -- restart; this works even after openvpn has dropped to a non-root user (with persist-key and persist-tun)
SIGHUP -- restart
SIGUSR2 -- write connection statistics to the log file
SIGTERM, SIGINT -- exit
5.3 Configuration on Windows:
OpenVPN for Windows:
http://nchc.dl.sourceforge.net/s... using _rc17-install.exe
Installation is very simple and works like any other Windows software.
Install it in C:\Program Files\OpenVPN.
Create the configuration file win.ovpn in the config folder:
Code:
client
dev tun
proto udp
remote VPNSERVER1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ../keys/ca.crt
cert ../keys/win.crt
key ../keys/win.key
comp-lzo
verb 3
mute 20
Generate ca.crt, win.crt, and win.key on the server and copy them to the Windows machine. For how to generate them, see section 4.5.1.3.
Run the following on the command line:
openvpn --config win.ovpn
To run OpenVPN as a service, run:
openvpnserv.exe -install
The OpenVPN service then appears in the Windows services list.
When OpenVPN runs as a service, it picks up every configuration file with the .ovpn suffix in the config folder and writes its logs to the log folder.
6 Supplement: by yazjiyao/yzjboy
If the following error occurs during configure when using openvpn-2.0_rc16.tar.gz, we install from rpm packages instead:
Code:
configure: checking for OpenSSL SSL Library and Header files...
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... no
checking for openssl/ssl.h... no
configure: error: OpenSSL SSL headers not found.
Step 1: download the required rpm packages:
openssl-0.9.6g-1.i386.rpm (not available for other versions)
openssl-devel-0.9.6g-1.i386.rpm (not available for other versions)
lzo-1.08-3.i386.rpm
openvpn-2.0.2-1.i386.rpm
Step 2: install the lower version of the openssl package. On Linux 9 the installed version is openssl-0.9.7a-2.i386.rpm and openssl-devel-0.9.7a-2.i386.rpm (do not delete it, or the system may be seriously damaged and fail to boot); instead, install the lower openssl version with rpm's --force parameter:
Code:
rpm -ivh --force openssl-0.9.6g-1.i386.rpm
rpm -ivh --force openssl-devel-0.9.6g-1.i386.rpm
Step 3: after the four RPMs are installed, put client.conf or server.conf in the /etc/openvpn/ directory. The other configuration is the same as above and is not repeated here.