--- OpenVPN server build and deployment
1. Installation process on the OpenVPN-1 server
(1) Add the EPEL repository
[root@ShangHai-VPN-1 ~]# yum install epel-release
(2) Install OpenVPN
[root@ShangHai-VPN-1 ~]# yum install openvpn lzo-devel easy-rsa -y
(3) Copy the sample server configuration file
[root@ShangHai-VPN-1 ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
(4) Use easy-rsa to generate the server certificate and key
[root@ShangHai-VPN-1 ~]# cp -R /usr/share/easy-rsa/ /etc/openvpn
[root@ShangHai-VPN-1 ~]# cd /etc/openvpn/easy-rsa/2.0/
# The vars file is amended as follows
[root@ShangHai-VPN-1 2.0]# egrep -v '^$|^#' vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="example.com"
export KEY_EMAIL="my@example.com"
export KEY_OU="www.example.com"
export KEY_NAME="EasyRSA"
# Initialise the environment
[root@ShangHai-VPN-1 2.0]# source vars
[root@ShangHai-VPN-1 2.0]# ./clean-all
# Generate the CA certificate
[root@test-VPN-1 2.0]# ./build-ca
Generating a 2048 bit RSA private key
..............................+++
................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [example.com]:
Organizational Unit Name (eg, section) [www.example.com]:
Common Name (eg, your name or your server's hostname) [example.com CA]:
Name [EasyRSA]:
Email Address [my@example.com]:
# Generate the server certificate
[root@test-VPN-1 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
....................+++
....................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: [press Enter]
State or Province Name (full name) [BJ]: [press Enter]
Locality Name (eg, city) [BeiJing]: [press Enter]
Organization Name (eg, company) [example.com]: [press Enter]
Organizational Unit Name (eg, section) [www.example.com]: [press Enter]
Common Name (eg, your name or your server's hostname) [server]: [press Enter]
Name [EasyRSA]: [press Enter]
Email Address [my@example.com]: [press Enter]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [press Enter]
An optional company name []: [press Enter]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BeiJing'
organizationName :PRINTABLE:'example.com'
organizationalUnitName :PRINTABLE:'www.example.com'
commonName :PRINTABLE:'server'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'my@example.com'
Certificate is to be certified until Jul 18 03:07:04 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the Diffie-Hellman parameters
[root@test-VPN-1 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
(5) Generate the client certificate and key
[root@ShangHai-VPN-1 2.0]# ./build-key client
Generating a 2048 bit RSA private key
......+++
.......................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: [press Enter]
State or Province Name (full name) [BJ]: [press Enter]
Locality Name (eg, city) [BeiJing]: [press Enter]
Organization Name (eg, company) [example.com]: [press Enter]
Organizational Unit Name (eg, section) [www.example.com]: [press Enter]
Common Name (eg, your name or your server's hostname) [client]: [press Enter]
Name [EasyRSA]: [press Enter]
Email Address [my@example.com]: [press Enter]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [press Enter]
An optional company name []: [press Enter]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BeiJing'
organizationName :PRINTABLE:'example.com'
organizationalUnitName :PRINTABLE:'www.example.com'
commonName :PRINTABLE:'client'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'my@example.com'
Certificate is to be certified until Jul 18 03:09:14 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(6) Copy the four files to the OpenVPN configuration directory
[root@ShangHai-VPN-1 2.0]# cp keys/{dh2048.pem,ca.crt,server.crt,server.key} /etc/openvpn/
(7) Modify the server configuration file
[root@ShangHai-VPN-1 2.0]# egrep -v '^;|^#|^$' /etc/openvpn/server.conf
# Public IP of this server
local 192.168.64.128
port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
# Virtual IP network segment assigned to VPN clients
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Allow VPN clients to reach the local private network segment
push "route 172.16.65.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
max-clients 300
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 10
(8) Configure IP forwarding
[root@test-VPN-1 2.0]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
(9) Configure the firewall: NAT and open the port
[root@test-VPN-1 2.0]# iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source 172.16.65.128
[root@test-VPN-1 2.0]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 11194 -j ACCEPT
[root@test-VPN-1 2.0]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
[root@test-VPN-1 2.0]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter nat [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
(10) Start OpenVPN [if startup fails, check the log]
[root@test-VPN-1 2.0]# /etc/init.d/openvpn start
Starting openvpn: [  OK  ]
[root@test-VPN-1 2.0]# netstat -antup | grep openvpn
tcp 0 0 192.168.64.128:11194 0.0.0.0:* LISTEN 2419/openvpn
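The server.conf above leaves the data channel on OpenVPN's defaults (the server log later in this post confirms BF-CBC and SHA1) and enables comp-lzo, duplicate-cn and client-to-client. As an added example, not code from the original post, this script audits such a config offline and shows a hardened counterpart beside it; the finding texts and the hardened directives are my choices, and the ta.key it references must be generated and copied to every client.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a 2.3-era OpenVPN
# server.conf like the one above and show a hardened form beside it.
# Every directive named is a real OpenVPN option.
# Constructed excerpt of the page's server.conf (cert/push/log lines omitted).
WEAK_CONF=$(cat <<'EOF'
port 11194
proto tcp
key server.key # This file should be kept secret
server 10.10.10.0 255.255.255.0
client-to-client
duplicate-cn
comp-lzo
EOF
)
# Hardened counterpart: explicit cipher and HMAC, a control-channel key made
# with "openvpn --genkey --secret ta.key", no compression, one login per cert.
# Clients need matching cipher, auth and "tls-auth ta.key 1" lines.
HARDENED_CONF=$(cat <<'EOF'
port 11194
proto tcp
key server.key
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
server 10.10.10.0 255.255.255.0
EOF
)

# has_directive CONF NAME: succeed if a non-comment line starts with NAME.
has_directive() {
    printf '%s\n' "$1" | sed 's/[;#].*//' |
        awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# audit_conf CONF: print one finding per line; empty output means clean.
audit_conf() {
    c=$1
    has_directive "$c" cipher || echo "no cipher: data channel defaults to BF-CBC (64-bit blocks)"
    has_directive "$c" auth || echo "no auth: HMAC defaults to SHA1"
    has_directive "$c" tls-auth || has_directive "$c" tls-crypt ||
        echo "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
    has_directive "$c" comp-lzo && echo "comp-lzo: compressing tunnelled data (VORACLE)"
    has_directive "$c" duplicate-cn && echo "duplicate-cn: one cert may log in repeatedly, attribution lost"
    has_directive "$c" client-to-client && echo "client-to-client: clients can reach each other over the VPN"
    return 0
}

# count_findings CONF: number of findings as a plain integer.
count_findings() { audit_conf "$1" | awk 'END { print NR }'; }
```

Run it as `audit_conf "$(cat /etc/openvpn/server.conf)"` on either server to list the findings for the live file.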
2. Installation process on the OpenVPN-2 server
(1) Add the EPEL repository
[root@ShangHai-VPN-2 ~]# yum install epel-release
(2) Install OpenVPN
[root@ShangHai-VPN-2 ~]# yum install openvpn lzo-devel easy-rsa -y
(3) Copy the configuration file, certificates and keys from the OpenVPN-1 server
[root@ShangHai-VPN-2 ~]# scp -r 192.168.64.128:/etc/openvpn/* /etc/openvpn/
(4) Modify the server configuration file
[root@ShangHai-VPN-2 ~]# egrep -v '^;|^#|^$' /etc/openvpn/server.conf
# Public IP of this server [differs from the OpenVPN-1 server]
local 192.168.64.129
port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
# Virtual IP network segment assigned to VPN clients [differs from the OpenVPN-1 server]
server 10.10.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Allow VPN clients to reach the local private network segment
push "route 172.16.65.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
max-clients 300
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 10
(5) Configure IP forwarding
[root@test-VPN-2 ~]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
(6) Configure the firewall: open the port and do NAT [differs from the OpenVPN-1 server]
[root@test-VPN-2 ~]# iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -j SNAT --to-source 172.16.65.129
[root@test-VPN-2 ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 11194 -j ACCEPT
[root@test-VPN-2 ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
[root@test-VPN-2 ~]# /etc/init.d/iptables restart
iptables: Setting chains to policy ACCEPT: filter nat [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
(7) Start OpenVPN [if startup fails, check the log]
[root@ShangHai-VPN-2 ~]# /etc/init.d/openvpn start
Starting openvpn: [  OK  ]
[root@ShangHai-VPN-2 ~]# netstat -antup | grep openvpn
tcp 0 0 192.168.64.129:11194 0.0.0.0:* LISTEN 2419/openvpn
3. Install the OpenVPN client
(1) Add the EPEL repository
[root@BeiJing-Client ~]# yum install epel-release
(2) Install OpenVPN
[root@BeiJing-Client ~]# yum install openvpn lzo-devel easy-rsa -y
(3) Copy the sample client configuration file
[root@BeiJing-Client ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/client.conf /etc/openvpn
(4) Modify the client configuration file
[root@BeiJing-Client ~]# egrep -v '^;|^#|^$' /etc/openvpn/client.conf
client
dev tun
proto tcp
# OpenVPN-1 server
remote 192.168.64.128 11194
# OpenVPN-2 server
remote 192.168.64.129 11194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
(5) Copy the client certificate and key from the OpenVPN server
[root@BeiJing-Client ~]# scp 192.168.64.128:/etc/openvpn/easy-rsa/2.0/keys/{ca.crt,client.crt,client.key} /etc/openvpn/
(6) Start the OpenVPN client
[root@BeiJing-Client ~]# /etc/init.d/openvpn start
Starting openvpn: [  OK  ]
# Check the acquired IP [the address comes from the OpenVPN-1 server's virtual IP segment]
[root@BeiJing-Client ~]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.6  P-t-P:10.10.10.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
(7) Log in to the OpenVPN-1 server and view the OpenVPN log
[root@ShangHai-VPN-1 network-scripts]# tail -f /var/log/openvpn.log
Tue Jul 21 15:55:41 2015 192.168.64.138:52258 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 21 15:55:41 2015 192.168.64.138:52258 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 21 15:55:41 2015 192.168.64.138:52258 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jul 21 15:55:41 2015 192.168.64.138:52258 [client] Peer Connection Initiated with [AF_INET]192.168.64.138:52258
Tue Jul 21 15:55:41 2015 client/192.168.64.138:52258 MULTI_sva: pool returned IPv4=10.10.10.6, IPv6=(Not enabled)
Tue Jul 21 15:55:41 2015 client/192.168.64.138:52258 MULTI: Learn: 10.10.10.6 -> client/192.168.64.138:52258   # shows that client 192.168.64.138 was assigned 10.10.10.6
Tue Jul 21 15:55:41 2015 client/192.168.64.138:52258 MULTI: primary virtual IP for client/192.168.64.138:52258: 10.10.10.6
Tue Jul 21 15:55:43 2015 client/192.168.64.138:52258 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 21 15:55:43 2015 client/192.168.64.138:52258 send_push_reply(): safe_cap=940
Tue Jul 21 15:55:43 2015 client/192.168.64.138:52258 SENT CONTROL [client]: 'PUSH_REPLY,route 172.16.64.0 255.255.255.0,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.10.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.6 10.10.10.5' (status=1)
4. OpenVPN load balancing, high availability and connectivity testing
(1) After obtaining the virtual IP, test pinging a server inside the Shanghai machine room
(2) Stop the OpenVPN-1 server
[root@ShangHai-VPN-1 ~]# /etc/init.d/openvpn stop
Shutting down openvpn: [  OK  ]
[root@ShangHai-VPN-1 ~]# netstat -antup | grep openvpn
(3) Check the OpenVPN log on the OpenVPN-2 server
[root@ShangHai-VPN-2 ~]# tail -f /var/log/openvpn.log
Tue Jul 21 16:29:07 2015 192.168.64.138:40636 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 21 16:29:07 2015 192.168.64.138:40636 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 21 16:29:07 2015 192.168.64.138:40636 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jul 21 16:29:07 2015 192.168.64.138:40636 [client] Peer Connection Initiated with [AF_INET]192.168.64.138:40636
Tue Jul 21 16:29:07 2015 client/192.168.64.138:40636 MULTI_sva: pool returned IPv4=10.10.11.6, IPv6=(Not enabled)
Tue Jul 21 16:29:07 2015 client/192.168.64.138:40636 MULTI: Learn: 10.10.11.6 -> client/192.168.64.138:40636   # shows that client 192.168.64.138 was assigned 10.10.11.6
Tue Jul 21 16:29:07 2015 client/192.168.64.138:40636 MULTI: primary virtual IP for client/192.168.64.138:40636: 10.10.11.6
Tue Jul 21 16:29:09 2015 client/192.168.64.138:40636 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 21 16:29:09 2015 client/192.168.64.138:40636 send_push_reply(): safe_cap=940
Tue Jul 21 16:29:09 2015 client/192.168.64.138:40636 SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.11.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.11.6 10.10.11.5' (status=1)
(4) Check that a new IP was obtained, then test pinging the Shanghai machine room's internal server again
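Because duplicate-cn makes every client log in as CN "client", the "MULTI: primary virtual IP" log line is the only record tying a real address to a virtual IP, and the virtual segment (10.10.10.0/24 or 10.10.11.0/24) is what tells you which server a client landed on during the failover test. These helpers, an added example rather than code from the original post, extract that mapping from constructed copies of the log lines and ifconfig output shown above; the server names and pool segments are taken from this post's two configurations.

```shell
#!/bin/sh
# Added example, not code from the original post. With duplicate-cn every
# client logs in as CN "client", so the server log is the only record that
# ties a real address to a virtual IP; these helpers extract that mapping
# and name the server behind a virtual IP from the two pools set up above.

# Constructed excerpt of the OpenVPN-1 and OpenVPN-2 log lines shown above.
LOG=$(cat <<'EOF'
Tue Jul 21 15:55:41 2015 client/192.168.64.138:52258 MULTI_sva: pool returned IPv4=10.10.10.6, IPv6=(Not enabled)
Tue Jul 21 15:55:41 2015 client/192.168.64.138:52258 MULTI: primary virtual IP for client/192.168.64.138:52258: 10.10.10.6
Tue Jul 21 16:29:07 2015 client/192.168.64.138:40636 MULTI: primary virtual IP for client/192.168.64.138:40636: 10.10.11.6
EOF
)
# Constructed "ifconfig tun0" output on the client after the first connection.
IFCONFIG=$(cat <<'EOF'
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.10.6  P-t-P:10.10.10.5  Mask:255.255.255.255
EOF
)

# which_server VIP: name the server whose pool (server directive) holds VIP.
which_server() {
    case $1 in
        10.10.10.*) echo OpenVPN-1 ;;
        10.10.11.*) echo OpenVPN-2 ;;
        *)          echo unknown ;;
    esac
}

# vip_table LOG: one "cn real_addr:port virtual_ip server" line per
# assignment, taken from the "MULTI: primary virtual IP" lines.
vip_table() {
    printf '%s\n' "$1" |
        awk '/MULTI: primary virtual IP for/ { split($6, a, "/"); print a[1], a[2], $NF }' |
        while read -r cn real vip; do
            echo "$cn $real $vip $(which_server "$vip")"
        done
}

# tun0_addr IFCONFIG_OUTPUT: the tunnel address from "ifconfig tun0" output.
tun0_addr() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# moved_server OLD_VIP NEW_VIP: succeed only if the client is now on the
# other server, i.e. the failover in step (4) actually happened.
moved_server() {
    [ "$(which_server "$1")" != "$(which_server "$2")" ]
}
```

Note that with the two remote lines in the order shown in client.conf, the client always tries OpenVPN-1 first and only falls back to OpenVPN-2 when it is unreachable; OpenVPN's remote-random option is what spreads clients across both servers.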
At this point the cross-machine-room OpenVPN remote load balancing and high availability setup is complete; please point out any shortcomings so that we can learn from each other and improve together.