Rotten mud: ubuntu 14.04 OpenVPN server, 14.04 openvpn

Rotten mud: ubuntu 14.04 OpenVPN server, 14.04 openvpn

This article is written by Xiuyi Lin FengProviding friendship sponsorship, first launched in the dark world

The company branch needs to connect to the company's internal server, but the server only allows access to the company's internal network.

To solve this problem, we plan to use VPN. PPTP is the most widely used solution for VPN in the past, but PPTP is not as secure as openvpn, and PPTP does not support commands in linux, and its stability is not as good as openvpn. Finally, we chose openvpn to build a VPN.

PS: This article is installed on ubuntu 14.04 with the openvpn server address 192.168.1.8.

The openvpn configuration in centos6.6 64bit is fully usable and has been verified. The detailed configuration commands and steps of centos are provided after the article.

I. openvpn principles

Openvpn encrypts data by using public keys (asymmetric keys, encryption and decryption using different keys, one known as Publice key and the other Private key. This method is called TLS encryption.

Openvpn uses TLS encryption. First, the VPN Sevrver and VPN Client must have the same CA certificate. Both parties verify the legitimacy of both parties by exchanging the certificate to determine whether to establish a VPN connection.

Then, use the CA certificate of the other party to encrypt the current data encryption method and send it to the other party. because the other party's CA certificate is used for encryption, therefore, only the Private key corresponding to the CA certificate of the other party can decrypt the data, which ensures the security of the key and regularly changes the key. For eavesdroppers, this key may not be cracked, and the VPN communication parties may have changed the key.

Ii. Install openvpn

Openvpn installation is divided into apt-get and source code. The following describes only the installation of apt-get. You can install openvpn using the source code.

Run the following command to install apt-get:

Sudo apt-get-y install openvpn libssl-dev openssl

After openvpn is installed, check the openvpn version as follows:

Openvpn -- version

We can see that the current version of openvpn is 2.3.2. Remember this version number.

Let's take a look at the files generated during openvpn installation, as shown below:

Dpkg-L openvpn | more

We can see that openvpn already has a configuration template.

After openvpn is installed, install easy-rsa.

Easy-rsa is used to create openvpn-related certificates.

Run the following command to install easy-rsa:

Sudo apt-get-y install easy-rsa

View the files installed with easy-rsa, as shown below:

Dpkg-L easy-rsa | more

We can see that easy-rsa has been installed in the/usr/share/easy-rsa/directory.

3. Create related certificates

According to the working principle of openvpn In chapter 1, we can know that openvpn certificates are divided into three parts: CA certificates, Server certificates, and Client certificates.

Next we will create them through easy-rsa.

3.1Create a CA certificate

After openvpn and easy-rsa are installed, create the easy-rsa folder in the/etc/openvpn/directory, as shown below:

Sudo mkdir/etc/openvpn/easy-rsa/

Copy all the files in the/usr/share/easy-rsa/directory to/etc/openvpn/easy-rsa/, as follows:

Sudo cp-r/usr/share/easy-rsa/*/etc/openvpn/easy-rsa/

Of course, you can also directly create related certificates in/usr/share/easy-rsa/, but for the convenience of subsequent Certificate Management, we still put easy-rsa in the startup directory of openvpn.

Note: because we are using the ubuntu system, we must switch to the root user to create the relevant certificate. Otherwise, the easy-rsa will report an error. If it is a centos system, this problem does not exist.

Switch to the root user and run the following command:

Sudo su

Before creating a CA certificate, edit the vars file and modify the following options. As follows:

Sudo vi/etc/openvpn/easy-rsa/vars

Export KEY_COUNTRY = "CN"

Export KEY_PROVINCE = "HZ"

Export KEY_CITY = "HangZhou"

Export KEY_ORG = "ilanni"

Export KEY_EMAIL = "ilanni@ilanni.com"

Export KEY_OU = "ilanni"

Export KEY_NAME = "vpnilanni"

The vars file is mainly used to set the organization information of the certificate. The content in red can be modified according to your actual situation.

In this example, export KEY_NAME = "vpnilanni" must be remembered. We will use it when creating the Server certificate.

Note: The above content can also be used by default, that is, it can be used without modification.

Use the source vars command to make it take effect, as shown below:

Source vars

./Clean-all

Note: executing the clean-all command will delete the keys folder in the current directory.

Now, create a CA certificate. Run the following command:

./Build-ca

Press enter all the way. After the preparation, we can view the keys directory. As follows:

Ll keys/

We can see that the ca. crt and ca. key files have been generated. ca. crt is what we call the CA certificate. In this way, the CA certificate is created.

Copy the CA. crt file of the ca certificate to the/etc/openvpn startup directory of openvpn, as shown below:

Cp keys/ca. crt/etc/openvpn/

Ll/etc/openvpn/

3.2Create a Server certificate

After the CA certificate is created, you can now create a Server certificate. As follows:

./Build-key-serverVpnilanni

Note: In the above command, vpnilanni is the KEY_NAME set in the previous vars file.

View the generated Server certificate as follows:

Ll keys/

We can see that three files, vpnilanni. crt, vpnilanni. key, and vpnilanni. csr, have been generated. The vpnilanni. crt and vpnilanni. key files are used.

The Diffie-Hellman file generated for the encrypted switch for the server is as follows:

./Build-dh

View the generated file as follows:

Ll keys/

We can see that the dh2048.pem file has been generated.

After completing the preceding operations, copy vpnilanni. crt, vpnilanni. key, and dh2048.pem to the/etc/openvpn/directory, as shown below:

Cp keys/vpnilanni. crt keys/vpnilanni. key keys/dh2048.pem/etc/openvpn/

In this way, the Server certificate is created.

3.3Create a Client certificate

After the Server certificate is created, we now start to create the Client certificate as follows:

./Build-keyIlanni

Note: The ilanni in the preceding command is the client name. This can be customized.

To quickly generate a user certificate without manual interaction, run the following command:

./Build-key -- batch test1

View the generated certificate as follows:

Ll keys/

We can see that three files, ilanni. csr, ilanni. crt, and ilanni. key, have been generated. Here, we use the ilanni. crt and ilanni. key Files.

In this way, the Client certificate is created.

4. Configure the Server

After all the certificates are created, we now start to configure the Server. Server configuration file, which can be copied from the openvpn built-in template. As follows:

Cp/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz/etc/openvpn/

Cd/etc/openvpn/

To decompress the server.conf.gz file, run the following command:

Gzip-d server.conf.gz

Note: The statement is to decompress the server.conf.gz file and then delete the original file.

Modify the server. conf file as follows:

Grep-vE "^ # | ^; | ^ $" server. conf

Port 1194

Proto tcp

Dev tun

Ca. crt

Cert vpnilanni. crt

Key vpnilanni. key

Dh dh2048.pem

Server 10.8.0.0 255.255.255.0

Ifconfig-pool-persist ipp.txt

Keepalive 10 120

Comp-lzo

Persist-key

Persist-tun

Status openvpn-status.log

Verb 3

Compared with the original template file, I want to modify it here.

1. modified the protocol used during the openvpn operation, from the original UDP protocol to the TCP protocol. We recommend that you use the TCP protocol to generate the environment.

2. modified the openvpn server certificate from server. csr and server. key to vpnilanni. crt and vpnilanni. key.

3. Changed the Diffie-Hellman file from dh1024.pem to dh2048.pem.

Note: In the preceding server. conf file, vpnilanni. crt, vpnilanni. key, and dh2048.pem must correspond to relevant files in the/etc/openvpn/directory.

At the same time, if the above files are not stored in the/etc/openvpn/directory, in the server. conf file, we need to fill in the absolute path of the file. As follows:

After the configuration file is modified, run the following command to start openvpn:

/Etc/init. d/openvpn start

Netstat-tunlp | grep 1194

Through, we can clearly see that openvpn has been started here, and also uses TCP port 1194.

5. Configure the Client

After the Server is configured and started, we will configure the Client now. The Client is divided into Linux OS and Windows OS according to the operating system. The following is a brief explanation.

5.1On Windows OS

We need to download the Client certificate, CA certificate, and Client configuration file from both Windows OS and Linux OS.

Download the Client certificate and the CA certificate first. The Client certificate mainly uses two files ending with crt and key, while the CA certificate mainly uses files ending with crt. As follows:

Copy these files to the/home/ilanni/directory, and then copy the configuration file template of the openvpn client to the/home/ilanni/directory. As follows:

Cp ilanni. crt ilanni. key ca. crt/home/ilanni/

Cp/usr/share/doc/openvpn/examples/sample-config-files/client. conf/home/ilanni/

Modify the user attributes of the preceding files as follows:

Chown ilanni: ilanni .*

Chown ilanni: ilanni ca. crt

After the modification, exit the root user, return to the ilanni user's home directory, and then use the sz command to download these files. As follows:

Sz-y ilanni. crt ilanni. key ca. crt client. conf

After the download is complete, rename the client. conf file to client. ovpn and edit it as follows:

Client

Dev tun

Proto tcp

Remote 192.168.1.8 1194

Resolv-retry infinite

Nobind

Persist-key

Persist-tun

Ca. crt

Cert ilanni. crt

Key ilanni. key

Ns-cert-type server

Comp-lzo

Verb 3

The Client configuration file client. ovpn, Which I modified:

First, the protocol used should be modified from the original UDP to TCP, which must be consistent with the Server side. Otherwise, the Client cannot be connected.

2. remote address, which must be changed to the Server address.

Third, the Client certificate name, which must be consistent with the name of the Client certificate we are currently using.

After the preceding modifications, we need to put these files in the same folder and ensure that the file name "client. ovpn" is unique. Otherwise, an error is reported when the openvpn client is connected. As follows:

Install the openvpn for windows client, we can download from this address, as shown below: http://build.openvpn.net/downloads/releases/

Note: The downloaded client version must be the same as the openvpn version on the server. Otherwise, the server may fail to be connected.

The openvpn version of the server is 2.3.2, so we recommend that you use 2.3.2 for the client.

After downloading and installing, copy the testilanni folder to the config folder installed on the openvpn client. As follows:

Now we start the openvpn client to connect to the Server, as shown below:

Note: the client in is based on the file name of client. ovpn.

Click connect to display the following pop-up window:

If the configuration is correct, the following prompt is displayed:

We can see that the Client has correctly connected to the Server, and the obtained IP address is 10.8.0.6.

The IP address is as follows:

We can see that the local machine is indeed connected to the Server, and the obtained IP address is indeed 10.8.0.6.

5.2On Linux OS

After testing on Windows OS, We are switching to the linux system. Take ubuntu14.04 as an example.

To connect to openvpnServer on ubuntu, We need to install openvpn software first, as shown below:

Sudo apt-get-y install openvpn

After the installation is complete, upload the file we Just configured in Windows to ubuntu. As follows:

Note: After the upload is complete, we do not need to modify any configuration files. These files can be correctly connected to the openvpn Server in Windows.

Note: Before connecting to the Server, you must switch to the root user. When connecting to the Server, openvpn creates a virtual network card on the local machine. If you use a common user, you do not have the permission to create a virtual network card.

Switch to the root user and run the sudo su command as follows:

Sudo su

Start to connect to the Server and run the following command:

Openvpn -- config client. ovpn

If the information appears, it indicates that the Server has been connected correctly.

Now we can use ifconfig on the local machine for viewing. We recommend that you re-open a new ssh window, as shown below:

Ifconfig

We can see that the local machine has been correctly connected to the Server, and a virtual network card called tun0 is also virtualized on the local machine.

To enable ubuntu to start and run in the background, write this command to the rc. local file. As follows:

/Usr/sbin/openvpn -- config/home/ilanni/testilanni/client. ovpn>/var/log/openvpn. log &

Note: The & symbol at the end of the command cannot be omitted; otherwise, the normal startup of the system may be blocked.

At the same time, the certificate configuration in the client. ovpn file must be written as an absolute path, or the system will report an error. As follows:

For centos, install the epel source and openvpn software package. As follows:

Rpm-ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

Yum-y install openvpn

After the above installation is complete, upload the Client-related files that have been successfully connected to Windows to the centos system. Then, the connection method is the same as that on ubuntu.

Note: If the centos system is to be started, it is the same as the ubuntu system, but it must be pointed out that the Client-related configuration files cannot be placed in the/root directory.

An example of correct configuration is as follows:

Because the openvpn server configuration of centos is basically the same as that of unubutn, you will not write an article about installing and configuring openvpn sever in centos.

However, all commands executed under centos are attached. As follows:

Rpm-ivh http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm

Yum-y install openvpn

Rpm-ql openvpn

Cat/usr/share/doc/openvpn-2.3.7/sample-config-files/README

Http://openvpn.net/howto.html

Yum-y install easy-rsa

Rpm-ql easy-rsa

Cd/usr/share/easy-rsa/2.0/

Vim vars

Export KEY_COUNTRY = "CN"

Export KEY_PROVINCE = "HangZhou"

Export KEY_CITY = "HZ"

Export KEY_ORG = "ilanni"

Export KEY_EMAIL = "ilanni@ilanni.com"

Export KEY_OU = "MyOrganizationalUnit"

Export KEY_NAME = "ilanni"

Source vars

./Clean-all

./Build-ca

./Build-key-server ilanni

./Build-dh

./Build-key centos

Cd keys

Cp ca. crt ilanni. key ilanni. crt/etc/openvpn/

Cp ca. crt centos. key centos. crt/root/

Cp/usr/share/doc/openvpn-2.3.7/sample-config-files/client. conf/root

Cp/usr/share/doc/openvpn-2.3.7/sample-config-files/server. conf/etc/openvpn/

Server configuration file:

Vim/etc/openvpn/server. conf

Grep-vE "; | # | ^ $"/etc/openvpn/server. conf

Port 1194

Proto udp

Dev tun

Ca. crt

Cert ilanni. crt

Dh dh2048.pem

Server 10.8.0.0 255.255.255.0

Ifconfig-pool-persist ipp.txt

Keepalive 10 120

Comp-lzo

Persist-key

Persist-tun

Status openvpn-status.log

Verb 3

Client configuration file:

Grep-vE "; | # | ^ $" centos. conf

Client

Dev tun

Proto udp

Remote 182.254.223.1401194

Resolv-retry infinite

Nobind

Persist-key

Persist-tun

Ca. crt

Cert centos. crt

Key centos. key

Remote-cert-tls server

Comp-lzo

Verb 3