open virtual private network

Keywords: network Windows vim SSL

Service concept:
Virtual private network, in fact, is to open up a virtual private line in the network

Application classification:
1. Host remote access * * * service
2. Services between enterprise networks
3. Services between IDC rooms of Internet companies

Transmission data protocol mode:
Establishment between PPTP terminal and terminal
L2TP: layer 2 Tunneling Protocol L2TP can provide tunnel validation, but not PPTP does not support tunnel validation
Special encapsulation technology for IPsec to guarantee the encryption characteristics of data packets
SSL guarantees that the data packet encryption communication mode encrypts the data information (public key certificate private key key)

Principle of service architecture:
By using virtual private network, the external network host can obtain the internal network address information in the architecture, and realize the data transmission by using the internal network address

Service architecture environment
windows host external network host (analog public network address)
v*nserver host (analog public network address) (analog private network address)
Web01 (analog private network address)
PS: ensure that the time of each host is properly synchronized

Service deployment process
The first process: Download and install the required software programs

yum install -y openv*n easy-rsa

open vipne: service package
Easy RSA: can be used to generate Certificate (public key) and secret key information = = similar to SSH keygen, which generates private key and public key information

The second process: create the certificate and key information required by the server

cp -r /usr/share/easy-rsa/  /etc/openv*n/     
	cp  /usr/share/doc/easy-rsa-3.0.6/vars.example  /etc/openv*n/easy-rsa/3.0.6/vars   --- Enterprise company information record file
	cd /etc/openv*n/easy-rsa/3.0.6/
./easyrsa init-pki    --- Create a directory environment for saving certificates and secret key information
	Your newly created PKI dir is: /etc/openv*n/easy-rsa/3.0.6/pki
# Create server ca certificate?? Public key?
	./easyrsa build-ca  nopass
# Create server certificate similar to server public key and private key
	./easyrsa gen-req openv*n nopass
	/etc/openv*n/easy-rsa/3.0.6/pki/private/openv*n.key    --- Generate secret key information
	./easyrsa sign server openv*n
	/etc/openv*n/easy-rsa/3.0.6/pki/issued/openv*n.crt     --- Generate certificate file information
#Generate Diffie Hellman data file
	. / easyrsa Gen DH -- generate key exchange file
	//Summary: after the above operations are completed, the following file information is generated
	cp /etc/openv*n/easy-rsa/3.0.6/pki/ca.crt  /etc/openv*n/server
	cp /etc/openv*n/easy-rsa/3.0.6/pki/private/openv*n.key  /etc/openv*n/server
	cp /etc/openv*n/easy-rsa/3.0.6/pki/issued/openv*n.crt   /etc/openv*n/server
	cp /etc/openv*n/easy-rsa/3.0.6/pki/dh.pem    /etc/openv*n/server

The third process: writing an open configuration file
cp /usr/share/doc/openvn-2.4.8/sample/sample-config-files/server.conf /etc/openvn/
vim /etc/openvn/server.conf

[root@v*n openv*n]# grep  ^[a-Z]  server.conf 
port 1194
proto tcp
dev tun
ca /etc/openv*n/server/ca.crt
cert /etc/openv*n/server/openv*n.crt
key  /etc/openv*n/server/openv*n.key  # This file should be kept secret
dh /etc/openv*n/server/dh.pem
topology subnet
ifconfig-pool-persist ipp.txt
push "route"
keepalive 10 120
cipher AES-256-CBC
status /var/log/openv*n-status.log
log-append /var/log/openv*n.log
verb 3
mute 20


25 local -- set V*N service to listen to address information
	32 port 1194 -- set the service port number, which is 1194 by default
	35 proto TCP -- V * n link communication protocol uses TCP protocol to ensure data transmission security
	53 dev tun -- use tunnel to transfer data
    78 ca /etc/openv*n/server/ca.crt
    79 cert /etc/openv*n/server/openv*n.crt
	80 key /etc/openv*n/server/openv*n.key
	85 dh /etc/openv*n/server/dh.pem
	92 topology subnet -- identify correct mask information
	101 server - set a direct communication address between a client and v*n server
	141 push "route" -- client pushes an intranet segment route entry information
    231 keepalive 10 120 -- TCP long connection timeout
    244 ;tls-auth ta.key 0      --- !!!  Be sure to turn off the TLS function
	287 status /var/log/openv*n-status.log --- generate an openv*n service status log information file
	297 log append / var / log / openv*n.log -- generate an openv*n service running log information file
	315 ;explicit-exit-notify 1 --- !!!  Be sure to turn off this function

The fourth process: start the service program (start in the mode of daemons)

# vim /usr/lib/systemd/system/openv*n.service
    Description=openv*n service
    ExecStart=/usr/sbin/openv*n --daemon --config /etc/openv*n/server.conf
    ExecStop=/bin/kill -9 $MAINPID

systemctl daemon-reload
systemctl start openvn
systemctl enable openvn

	The first big hole of openv*n service: service cannot be started
	Step 1: use the command to test whether the configuration file information is correct
	        openv*n /etc/openv*n/server.conf
			netstat -lntup|grep 1194
	Step 2: view profile configuration information
	Step 3: confirm whether the preparation of startup file is correct

windows host configuration deployment process (* * client deployment process)
The first process: Download and install the open client software

D:\Program Files (x86)\OpenV*N\config --- clients can be configured in this directory

Tip: it is in the config directory, not subdirectory, as long as it is in config
The second process: generate client certificate and key file

cd /etc/openv*n/easy-rsa/3.0.6/
	./easyrsa gen-req client01  nopass
    ./easyrsa sign client client01

Organize data files in client directory

cp /etc/openv*n/easy-rsa/3.0.6/pki/private/client01.key  /etc/openv*n/client/
cp /etc/openv*n/easy-rsa/3.0.6/pki/issued/client01.crt   /etc/openv*n/client/
cp /etc/openv*n/easy-rsa/3.0.6/pki/ca.crt  /etc/openv8n/client

The third process: import the client certificate or key file into Windows

cd /etc/openv*n/client/
	sz -y  client01.key client01.crt ca.crt

Build profile in Windows
Under the openn program directory – \ sample config - get client.ovn and put it into the corresponding subdirectory of the – config directory

Copy to the following figure:

The rest of the client files are generated and exported here in linux

The fourth process: write and modify the client configuration file
Write client.ov*n client configuration file

dev tun
proto tcp
remote 1194
resolv-retry infinite
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
verb 3

The fifth process: start the open client program
Double click to run the openVNgui program on the Windows host -- find the run openvn icon in the lower right corner -- right click the input connection

The sixth process: Test and verify:
Verification 1: conduct address test of

Verification 2: ping the intranet address

Confirm 01: whether the intranet host of the server can enable the configuration of return route information

Confirm 02: confirm whether openV*N turns on kernel forwarding function

Pits encountered during deployment:

Verify that the certificate and private key files are created correctly
 If private key or certificate file creation is abnormal --- delete pki directory and recreate pki directory to generate certificate and private key file
189 original articles published, praised 17, visited 30000+
Private letter follow

Posted by derezzz on Wed, 04 Mar 2020 04:20:08 -0800