Accessing a remote server's intranet from Windows through OpenVPN on Linux
Requirement: in some environments with strict network policies we cannot reach the company intranet from another location, which is a serious inconvenience for our work; OpenVPN solves this easily, and the setup is described below.
Note: this experiment was carried out with the firewall disabled; even when the firewall was enabled, no restrictions were placed on the nat table.
1. Network environment:
Company OpenVPN server (Linux): WAN 75.126.207.84
LAN 10.61.53.84
Local server (Windows): WAN 115.238.239.132
LAN 10.10.1.132
2. Software required:
OpenVPN version: openvpn-2.2.2.tar.gz (Linux; download from http://openvpn.net)
openvpn-2.2.2-install.exe (Windows)
lzo-2.03.tar.gz
gcc gcc-c++ openssl openssl-devel
Note: OpenVPN 2.3 and later do not recognise the lzo build and cannot be installed; after switching to version 2.0 it works normally.
The OpenVPN server and client versions must be identical, otherwise the connection will fail.
3. Linux server environment setup:
(1) Software installation
a) yum -y install gcc gcc-c++ openssl openssl-devel
b) Build and install lzo
cd /usr/local/src
wget http://www.oberhumer.com/opensource/lzo/download/lzo-
tar -zxvf lzo-2.03.tar.gz
cd lzo-2.03
./configure --prefix=/usr/local/lzo
make && make install
c) Install OpenVPN 2.2.2
cd /usr/local/src
tar -zxvf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/lzo/include --with-lzo-lib=/usr/local/lzo/lib --with-ssl-headers=/usr/include/openssl --with-ssl-lib=/usr/lib64/openssl
make && make install
(2) Configure certificates
mkdir -p /etc/openvpn
cp -R /usr/local/src/openvpn-2.2.2/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
vim vars
# Script that creates the environment variables and sets the values needed for building
source vars
./clean-all
# Creates the files and directories needed to generate the CA certificate and key
./build-ca
# Generates the CA certificate; press Enter through every prompt. When done, the certificate files are under the keys directory
./build-dh
# Generates the Diffie-Hellman file used for encryption; creates dh1024.pem under the keys directory
./build-key-server xuyou
# Generates the server certificate and key; only the last two prompts need a y. Creates xuyou.crt, xuyou.csr and xuyou.key under keys
Copy the generated server-side CA certificate and key files to /etc/openvpn/ (the files live under keys/, so the paths below include that directory)
cp keys/ca.crt keys/ca.key keys/xuyou.crt keys/xuyou.csr keys/xuyou.key keys/dh1024.pem /etc/openvpn
./build-key test
# Generates the client certificate and key; only the last two prompts need a y. Creates test.crt, test.csr and test.key under keys
Package the certificate and key files generated under keys so the client can use them
mkdir mykey
cp keys/ca.key keys/ca.crt keys/test.csr keys/test.crt keys/test.key mykey/
tar -zcvf mykey.tar.gz mykey
Edit the OpenVPN server configuration file
cp /usr/local/src/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/openvpn.conf
vim /etc/openvpn/openvpn.conf
# Set the listening IP; the default listens on all IPs
;local a.b.c.d
# Set the listening port; it must be opened in the firewall
port 1194
# Use TCP or UDP?
;proto tcp
proto udp
# Create a routed IP tunnel with tun, or an Ethernet tunnel with tap?
# Routed IP is easier to control, so it is recommended; but if protocols
# such as IPX that only work at layer 2 must pass, tap can be used;
# tap means Ethernet bridging
;dev tap
dev tun
# Windows needs a name for the adapter, set here; Linux does not
;dev-node MyTap
# This is the key part: the SSL/TLS root certificate (ca),
# certificate (cert), and private key (key) must be specified
# The ca file is needed by both server and client, but ca.key is not
# Server and client each specify their own .crt and .key
# Mind the paths: they can be relative to the config file's directory
# or absolute
# Store .key files carefully
ca /etc/openvpn/ca.crt
cert /etc/openvpn/xuyou.crt
key /etc/openvpn/xuyou.key # This file should be kept secret
# Specify Diffie hellman parameters.
dh /etc/openvpn/dh1024.pem
# Configure the subnet the VPN uses; OpenVPN automatically provides DHCP-style
# addressing from it, but it must not overlap either side's LAN; keep it unique
server 10.8.0.0 255.255.255.0
# Keep a client-to-virtual-IP mapping table so a reconnecting client
# can get the same IP
ifconfig-pool-persist ipp.txt
# Configure Ethernet bridge mode; requires the system's bridging support
# Not needed here
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Push routes to clients so they can reach servers inside the company network
# But remember, the internal servers also need a usable route back to the clients
;push "route 192.168.20.0 255.255.255.0"
push "route 10.0.0.0 255.0.0.0"
# Assign a specific IP or route to a particular client; that route is usually the
# LAN segment behind the client, not the segment the server is connected to
# ccd is a directory under /etc/openvpn holding one file per client to constrain,
# named after its Common Name, in which a fixed IP is written with the directive below
# e.g. for Common Name client1, /etc/openvpn/ccd/client1 contains:
# ifconfig-push 10.9.0.1 10.9.0.2
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Lets you set firewall rules or other permissions per client
# by running a script automatically; see the man page
;learn-address ./script
# If clients should send all their traffic through the VPN, use this directive
# It changes the client's default gateway to the VPN server; recommended off
# Once set, take care with the server's DHCP settings
;push "redirect-gateway"
# Use OpenVPN's DHCP feature to push DNS, WINS etc. to clients
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# By default clients cannot talk to each other directly; the directive below allows it
client-to-client
# If you want clients with the same Common Name to all be able to log in,
# uncomment the line below; each client should use a different Common Name
# Commonly used for testing
;duplicate-cn
# Set the server's probe interval and timeout
keepalive 10 120
# Below are some measures that strengthen security; explained later
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be 0
# on the server and 1 on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Use lzo-compressed communication; both server and client must configure it
comp-lzo
# Set the maximum number of clients
;max-clients 100
# Run OpenVPN as user and group nobody (security)
;user nobody
;group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Write a short status log, refreshed every minute, showing the current clients
status /var/log/openvpn/openvpn-status.log
# By default logging goes to syslog, but it can be redirected elsewhere
# While debugging it is better not to set this; define it after debugging is done
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
# Set the log level
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
Start OpenVPN (the directory /var/log/openvpn referenced by the status and log directives must already exist)
/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/openvpn.conf
Check whether port 1194 is listening:
lsof -i:1194
ip a shows a new tun0 virtual interface with the assigned virtual IP 10.8.0.1
4. Windows client environment setup:
Install openvpn-2.2.2-install.exe
Copy /usr/local/src/openvpn-2.2.2/sample-config-files/client.conf and unpack the generated client certificate and key files into C:\Program Files (x86)\OpenVPN\config
Edit client.conf, then rename it to client.ovpn
Change remote to the Linux server's IP address and port
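A small audit script added here (not from the original post or the OpenVPN project): it flags the hardening directives that the server config above leaves commented out (tls-auth, an explicit cipher, user nobody) and checks the mykey bundle packed earlier for ca.key, which the config comments note the client does not need, and for key files readable by other users. The function names and the sample files built in demo() are my own constructions.

```shell
#!/bin/sh
# Audit helpers added to this post; not from the original article or the
# OpenVPN project. audit_server_conf and audit_client_bundle are hypothetical
# names; the files created in demo() are constructed samples, not real ones.

# Print the active (uncommented, non-blank) directives of an OpenVPN config.
active_directives() {
    grep -Ev '^[[:space:]]*([;#]|$)' "$1"
}

# Return 0 if the server config enables tls-auth, an explicit cipher and a
# privilege drop to nobody; otherwise print one FINDING per gap and return 1.
audit_server_conf() {
    rc=0
    active_directives "$1" | grep -Eq '^[[:space:]]*tls-auth[[:space:]]' \
        || { echo "FINDING: tls-auth disabled (no HMAC check before the TLS handshake)"; rc=1; }
    active_directives "$1" | grep -Eq '^[[:space:]]*cipher[[:space:]]' \
        || { echo "FINDING: no explicit cipher (2.2 defaults to BF-CBC)"; rc=1; }
    active_directives "$1" | grep -Eq '^[[:space:]]*user[[:space:]]+nobody' \
        || { echo "FINDING: daemon keeps root privileges (user nobody commented out)"; rc=1; }
    return $rc
}

# Return 0 if the client bundle holds no CA private key and every .key file
# is unreadable by group and others; otherwise print FINDINGs and return 1.
audit_client_bundle() {
    rc=0
    [ ! -e "$1/ca.key" ] \
        || { echo "FINDING: ca.key in client bundle; clients only need ca.crt"; rc=1; }
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
        [ "$perms" = "------" ] \
            || { echo "FINDING: $f readable by group/others ($perms)"; rc=1; }
    done
    return $rc
}

# Constructed sample mirroring the post's openvpn.conf and mykey bundle.
demo() {
    d=$(mktemp -d)
    printf 'port 1194\nproto udp\n;tls-auth ta.key 0\n;cipher AES-128-CBC\n;user nobody\ncomp-lzo\n' > "$d/openvpn.conf"
    mkdir "$d/mykey"
    touch "$d/mykey/ca.key" "$d/mykey/test.key"
    chmod 644 "$d/mykey/test.key"
    audit_server_conf "$d/openvpn.conf" || echo "server config needs hardening"
    audit_client_bundle "$d/mykey" || echo "client bundle needs cleanup"
    rm -rf "$d"
}
demo
```

Run it against the real /etc/openvpn/openvpn.conf and the mykey directory before shipping mykey.tar.gz to a client.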
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 75.126.207.84 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert test.crt
key test.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Launch the OpenVPN GUI from the desktop icon and it will connect
After a successful connection the icon turns green; hovering over it shows the following:
The virtual adapter also appears under Local Area Connection:
ping the remote server's intranet:
Connect to the remote server directly using its intranet address:
This proves the local server can now reach the company intranet servers through OpenVPN.
Finally, the Windows client connection log: