preface:
Because of the need to work from home during the epidemic, remote work has become necessary. The simplest way at present is direct port mapping on the company router, but that inevitably carries security risks, so I decided to set up OpenVPN to provide remote access instead. Most readers will already be familiar with OpenVPN, and the underlying networking principles will not be explained here; this is just a brief summary of the OpenVPN installation and deployment process. First, review how OpenVPN works; second, get the steps clear in your mind. Writing the principles down in a blog post is very helpful both to oneself and to others. This article is for beginners only! Don't flame it if you don't like it. Encouragement for those who work hard.
Introduction:
VPN: a private, secure channel established over a public network, used for remote access over the Internet, LAN-to-LAN interconnection and so on. OpenVPN is an application-layer VPN implementation based on the OpenSSL library. Compared with traditional VPNs it is simple and easy to use.
Core principles:
1. The OpenVPN server creates a virtual network interface named tun. It has the same characteristics as a physical interface: it can be assigned an IP address and routes.
2. The OpenVPN server is configured with a virtual address pool and reserves a static IP address from it for its own use. It then dynamically assigns a virtual IP to each client that successfully establishes an SSL connection, so that clients on different networks and the OpenVPN server are joined into a star-shaped LAN, with the server acting as the gateway for every client on the virtual network. OpenVPN becomes the client's gateway by managing the routes on the client's virtual interface. Simply put, the OpenVPN server works like a virtual router.
3. When any client accesses an application server behind the OpenVPN server, the packet is routed through the virtual interface. The OpenVPN program intercepts the IP packets on the virtual interface, encapsulates them using the SSL protocol, and sends them out through the physical interface. The OpenVPN server and client thus build a virtual LAN on top of their virtual interfaces.
As mentioned earlier, OpenVPN is a private, secure channel, so it cannot do without encryption. The encryption commonly used in OpenVPN is the SSL/TLS protocol, so before using OpenVPN we need to generate the corresponding certificates and keys on the server.
Environmental description:
[root@localhost ~]# ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.170  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::929e:1636:dee0:c2ba  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:1d:d6:f9  txqueuelen 1000  (Ethernet)
        RX packets 6552391  bytes 1087036063 (1.0 GiB)
        RX errors 0  dropped 13417  overruns 0  frame 0
        TX packets 5193684  bytes 1085287830 (1.0 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 181  bytes 15442 (15.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 181  bytes 15442 (15.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
1. Use easy-rsa to create the certificates
# Create the tools directory (the same /data/tools path is used by every later step)
mkdir -p /data/tools
wget -P /data/tools http://192.168.0.167/mt-server-tools/easy-rsa.zip
unzip -d /usr/local /data/tools/easy-rsa.zip
2. Edit the vars file and set the information needed to generate the certificates
vi /usr/local/easy-rsa-old-master/easy-rsa/2.0/vars
export KEY_COUNTRY="cn"
export KEY_PROVINCE="BJ"
export KEY_CITY="GS"
export KEY_ORG="bestyunyan"
export KEY_EMAIL="bestyunyan"
export KEY_CN=123
export KEY_NAME=123
export KEY_OU=123
# The fields to modify: KEY_COUNTRY: country, KEY_PROVINCE: province, KEY_CITY: city, KEY_ORG: organization,
# KEY_EMAIL: e-mail address, KEY_OU: organizational unit (company), KEY_NAME: server name,
# KEY_EXPIRE: key expiration in days (default 3650), CA_EXPIRE: CA certificate expiration in days.

# Build the keys directory
cd /usr/local/easy-rsa-old-master/easy-rsa/2.0/
source vars
./clean-all      # the keys directory is generated
3. Create the CA certificate, generating ca.crt and ca.key
./build-ca
# The crt and key files are generated from the information filled in above
# View the keys directory after generation
[root@localhost keys]# ls
ca.crt  ca.key  index.txt  serial
# ca.crt and ca.key are the CA certificate and key we need
4. Create the server certificate
# Run:
[root@localhost 2.0]# ./build-key-server server
# View the certificates we generated
[root@abc01 2.0]# ls server*
server.crt  server.csr  server.key
# These three files are what we need
Here the clients log in with a username and password. For certificate/key-based client login, please refer to other materials (it is also very simple).
5. Generate the Diffie-Hellman file
# Diffie-Hellman parameters used for the server's encrypted key exchange; creating dh2048.pem is relatively slow
[root@localhost 2.0]# ./build-dh
# The files to check for are: ca.crt, ca.key, server.crt, server.csr, server.key, dh2048.pem
6. OpenVPN installation and deployment
# Install dependency packages
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum makecache
yum install -y lzo lzo-devel openssl openssl-devel pam pam-devel net-tools git lz4-devel

# Download the OpenVPN package
wget -P /data/tools http://down.i4t.com/openvpn-2.4.7.tar.gz
cd /data/tools

# Install OpenVPN
tar zxf openvpn-2.4.7.tar.gz
cd openvpn-2.4.7
./configure --prefix=/usr/local/openvpn-2.4.7
make
make install

# Create a symbolic link
ln -s /usr/local/openvpn-2.4.7 /usr/local/openvpn
7. OpenVPN configuration
# Create the OpenVPN configuration directory
mkdir -p /etc/openvpn/keys

# Generate the tls-auth key and copy it to the certificate directory
# (protects the TLS handshake against DoS, UDP port flooding and other malicious traffic)
/usr/local/openvpn/sbin/openvpn --genkey --secret ta.key

# Move ta.key to the OpenVPN certificate directory
mv ./ta.key /etc/openvpn/keys/

# Copy the CA certificate and server certificate generated above to the OpenVPN certificate directory
cp /usr/local/easy-rsa-old-master/easy-rsa/2.0/keys/{server.crt,server.key,ca.crt,dh2048.pem} /etc/openvpn/keys/
[root@localhost keys]# ls
ca.crt  dh2048.pem  server.crt  server.key  ta.key

# Copy the sample VPN configuration file to /etc/openvpn
cp /data/tools/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/

# Modify the configuration file
cat /etc/openvpn/server.conf
port 1194                                   # OpenVPN port
proto tcp                                   # protocol used
dev tun                                     # create a tun virtual interface
ca /etc/openvpn/keys/ca.crt                 # CA certificate path
cert /etc/openvpn/keys/server.crt           # server certificate
key /etc/openvpn/keys/server.key            # server private key
dh /etc/openvpn/keys/dh2048.pem             # Diffie-Hellman file for the encrypted key exchange
server 10.4.82.0 255.255.255.0              # VPN subnet; must not conflict with the real LAN
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"      # push a route so client traffic for the 192.168.0 segment goes through the VPN (see the note below)
client-to-client
duplicate-cn                                # required if all clients connect with the same certificate and key (same CN)
keepalive 10 120
key-direction 0
tls-auth /etc/openvpn/keys/ta.key 0         # this file is secret
comp-lzo
persist-key
persist-tun
status openvpn-status.log                   # status log path
log-append openvpn.log                      # operation log
verb 3                                      # debug information level
script-security 3
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env   # user authentication script
username-as-common-name
verify-client-cert none

Note on push "route": when a client accesses a service on the 192.168.0 segment, the packet is forwarded out through the server's local interface to the LAN gateway, but the reply cannot find its way back. You must configure a static route on the intranet router: destination 10.4.82.0 255.255.255.0, next hop 192.168.0.170 (the OpenVPN server's local IP address).

# Download the official user authentication script; it is used without modification
cat /etc/openvpn/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

# Add execute permission
chmod 755 /etc/openvpn/checkpsw.sh

# Password file
cat /etc/openvpn/psw-file
user01 123456
user02 123456
user03 123456
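The sample checkpsw.sh above keeps every password in plaintext in psw-file and, on each failed attempt, writes the submitted password into openvpn-password.log, so the log file becomes a second copy of the users' passwords (and of their near misses). The script below is an added example, not part of the original article or of the OpenVPN sample scripts. It is a drop-in replacement for the auth-user-pass-verify ... via-env hook that stores a salted SHA-256 hash per user (the username:salt:hash file format is this example's own choice), rejects malformed usernames before they reach the awk lookup, and logs only the username and the outcome. It assumes coreutils sha256sum is available; the AUTH_LOG_FILE override is also an assumption added so the script can be exercised outside /etc/openvpn.

```shell
#!/bin/sh
# Added example (not from the article or the OpenVPN sample): hashed-password replacement
# for checkpsw.sh. OpenVPN invokes it with auth-user-pass-verify ... via-env, so the
# submitted credentials arrive in the $username and $password environment variables.
# Password file format (this example's own): username:salt:sha256hex, one entry per line.
# Assumes coreutils sha256sum; a slow hash such as sha512-crypt would be preferable where available.

# Hash salt+password with SHA-256 and print the hex digest
hash_password() {
    printf '%s' "$1$2" | sha256sum | cut -d' ' -f1
}

# Print a password-file entry for a user with a fresh random 8-byte salt.
# Run once per user at enrolment; the plaintext is never stored.
make_entry() {
    user=$1; pass=$2
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$user" "$salt" "$(hash_password "$salt" "$pass")"
}

# Append an audit line; never includes password material
log_auth() {
    log_file=${AUTH_LOG_FILE:-/etc/openvpn/openvpn-password.log}
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$log_file" 2>/dev/null || true
}

# Return 0 if user/password match an entry in the password file, 1 otherwise
check_password() {
    user=$1; pass=$2; passfile=${3:-/etc/openvpn/psw-file}

    # Refuse usernames that could break the field format or the awk lookup
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) log_auth "Rejected malformed username"; return 1 ;;
    esac

    [ -r "$passfile" ] || { log_auth "Could not open password file $passfile"; return 1; }

    entry=$(awk -F: -v u="$user" '!/^[;#]/ && $1==u {print $2 ":" $3; exit}' "$passfile")
    if [ -z "$entry" ]; then
        log_auth "User does not exist: username=\"$user\""
        return 1
    fi
    salt=${entry%%:*}
    expected=${entry#*:}

    if [ "$(hash_password "$salt" "$pass")" = "$expected" ]; then
        log_auth "Successful authentication: username=\"$user\""
        return 0
    fi
    log_auth "Incorrect password: username=\"$user\""
    return 1
}

# When invoked by OpenVPN (via-env) authenticate and exit with the result;
# without those variables only the functions above are defined.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    check_password "$username" "$password"
    exit $?
fi
```

Enrol a user with `make_entry user01 'the-password' >> /etc/openvpn/psw-file`, point auth-user-pass-verify at this script instead of checkpsw.sh, and keep psw-file readable only by the account OpenVPN runs its scripts as. Salted SHA-256 is used here only because it needs nothing beyond coreutils; where openssl is installed, storing sha512-crypt hashes (openssl passwd -6) makes offline guessing against a leaked file much slower.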
8. Enable routing and forwarding on the server
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
9. Start the OpenVPN service
# Start from /etc/openvpn so the relative paths in server.conf (ipp.txt and the two log files) land there
cd /etc/openvpn/
/usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf
[root@localhost keys]# ss -lntp|grep openvpn
LISTEN     0      1            *:1194                     *:*      users:(("openvpn",pid=20556,fd=6))

# Configure start at boot (same working directory as above; on CentOS 7 rc.local must be executable to run)
echo "cd /etc/openvpn && /usr/local/openvpn/sbin/openvpn --daemon --config /etc/openvpn/server.conf > /dev/null 2>&1 &" >> /etc/rc.local
chmod +x /etc/rc.d/rc.local
10. Client connection test
# Configure the client's client.conf file
cp /data/tools/openvpn-2.4.7/sample/sample-config-files/client.conf /tmp/

# Modify it to read as follows, then rename client.conf to client.ovpn
$ cat /tmp/client.conf
client
dev tun
proto tcp
remote x.x.x.x 1194        # OpenVPN server address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt                  # CA certificate
tls-auth ta.key 1          # tls-auth key, client direction
key-direction 1
cipher AES-256-CBC
comp-lzo
verb 3
auth-user-pass             # log in with username/password
auth-nocache

# Note: the configuration file suffix must be changed to .ovpn
cd /tmp/
mv client.conf client.ovpn

# Download the certificates referenced by the configuration file (ca.crt, ta.key) and the profile to the Windows client:
sz /tmp/client.ovpn
sz /etc/openvpn/keys/ca.crt
sz /etc/openvpn/keys/ta.key
11. Windows client download and configuration
# Windows client download
http://down.i4t.com/openvpn-install-2.4.7-I606-Win10.exe
http://down.i4t.com/openvpn-install-2.4.7-I606-Win7.exe
After installation, open the config directory under the OpenVPN installation path and put the downloaded client.ovpn, ca.crt and ta.key there together. Then run OpenVPN GUI and click its tray icon to choose the connection.
12. Problem handling:
After completing the steps above, you may find that the client can ping the OpenVPN server but cannot ping other hosts on the same intranet. Let's analyse this. On the OpenVPN server we configured the pushed route push "route 192.168.0.0 255.255.255.0". When a client request arrives, OpenVPN forwards it for us: the source address is in the 10 segment, the destination is in the 192 segment, and the packet reaches the destination host without trouble. But when the destination host sends its reply, the source address is now in the 192 segment and the destination IP is in the 10 segment. When that reply reaches the intranet router, the router has no idea where the 10 segment is. So a route must be configured on the intranet router: destination address 10.4.82.0 255.255.255.0, next hop address 192.168.0.170 (the OpenVPN server's intranet address). After that, testing shows that everything works normally.
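To make the return-path problem above (and the note on push "route" in section 7) concrete, the script below is an added example, not the article's own code. It reads the server directive from server.conf, converts the netmask to a prefix length, prints the static route the intranet router needs (destination and next hop, exactly as the text describes, plus the equivalent ip route command for a single Linux host), and checks ip_forward from section 8 on the OpenVPN host. The function names and the route-hint.sh file name are this example's own; 10.4.82.0/24 and 192.168.0.170 are the article's values.

```shell
#!/bin/sh
# Added example (not from the article): derive the static route the intranet router must
# carry for VPN return traffic from server.conf, and check IPv4 forwarding on this host.

# Convert a dotted netmask to a prefix length, e.g. 255.255.255.0 -> 24
mask_to_prefix() {
    prefix=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;
            248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;
            224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;
            128) prefix=$((prefix + 1)) ;;
            0)   ;;
            *)   echo "invalid netmask: $1" >&2; return 1 ;;
        esac
    done
    echo "$prefix"
}

# Read "server <network> <netmask>" from an OpenVPN server.conf and print it in CIDR form
vpn_subnet_from_conf() {
    line=$(awk '$1=="server" && NF>=3 {print $2, $3; exit}' "$1")
    [ -n "$line" ] || { echo "no 'server' directive in $1" >&2; return 1; }
    echo "${line%% *}/$(mask_to_prefix "${line#* }")"
}

# Print the static route the intranet router (or a single LAN host) needs so that
# replies addressed to the VPN subnet are sent back to the OpenVPN server
return_route_hint() {
    printf 'Router static route: destination %s, next hop %s\n' "$1" "$2"
    printf 'Linux host equivalent: ip route add %s via %s\n' "$1" "$2"
}

# On the OpenVPN server itself: is net.ipv4.ip_forward enabled (section 8)?
check_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage: sh route-hint.sh /etc/openvpn/server.conf 192.168.0.170
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    subnet=$(vpn_subnet_from_conf "$1") || exit 1
    return_route_hint "$subnet" "$2"
    if check_ip_forward; then
        echo "ip_forward=1 on this host: OK"
    else
        echo "ip_forward is not 1 on this host: run sysctl -w net.ipv4.ip_forward=1" >&2
    fi
fi
```

Run it on the OpenVPN server with the path of server.conf and the server's LAN address; the printed destination/next-hop pair is what goes into the intranet router's static route table. If the VPN subnet in server.conf is ever changed, rerunning the script gives the updated route rather than relying on memory.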