2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article mainly explains how to build a virtual private network (VPN). Interested readers may wish to have a look. The method introduced here is simple, fast and practical; let the editor take you through building a VPN.
VPN, literally a "virtual private channel", provides a tunnel for secure data transmission between enterprises, or between individuals and companies. OpenVPN is undoubtedly the vanguard of open-source VPN on Linux, offering good performance and a friendly user GUI.
OpenVPN lets each peer taking part in the VPN authenticate with a pre-shared key, a certificate issued by a third party (CA), or a user name and password. It relies heavily on the OpenSSL encryption library and on the SSLv3/TLSv1 protocol. OpenVPN runs on Linux, xBSD, Mac OS X and Windows 2000/XP.
Virtual private network (VPN)
Implementing an SSL VPN with OpenVPN
Goal: vpnclient can communicate with the private-network host behind vpnserver.

Project topology:

  private network host     vpnserver                        vpnclient
  192.168.2.0/24           192.168.2.250 (eth0, internal)   20.20.20.2 (eth0)
  (host 192.168.2.25)      20.20.20.1 (eth2, external)
Specify the gateway on the private network host:
[root@intra_host ~]# ip route del
RTNETLINK answers: No such process
[root@intra_host ~]# ip route add dev eth0 default via 192.168.2.250
[root@intra_host ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.250 dev eth0
VPN server configuration:
Add the internal and external network interface addresses and enable forwarding
[root@vpnserver ~]# ip addr show eth0
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:3e:2e:3d:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.250/24 brd 192.168.2.255 scope global eth0
[root@vpnserver ~]# ip addr show eth2
3: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:3e:2e:3d:11 brd ff:ff:ff:ff:ff:ff
    inet 20.20.20.1/24 brd 20.20.20.255 scope global eth2
[root@vpnserver ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.250
20.20.20.0/24 dev eth2 proto kernel scope link src 20.20.20.1
169.254.0.0/16 dev eth2 scope link
[root@vpnserver ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
II. VPN server configuration
-- Generate the certificate files used for authentication and encrypted communication --
vpnserver needs: its own private key, its own certificate, and the CA certificate
vpnclient needs: its own private key, its own certificate, and the CA certificate
[root@vpnserver OpenVPN]# rpm -ivh lzo2-2.02-3.el5.rf.i386.rpm    // for data compression
warning: lzo2-2.02-3.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
   1:lzo2                   ########################################### [100%]
[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm
warning: openvpn-2.0.9-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]
[root@vpnserver OpenVPN]#
== CA configuration and signing for vpnserver and vpnclient ==
Generate the CA private key and certificate file:
[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@vpnserver easy-rsa]# ls
2.0          build-key         build-req       make-crl     revoke-full
build-ca     build-key-pass    build-req-pass  openssl.cnf  sign-req
build-dh     build-key-pkcs12  clean-all       README       vars
build-inter  build-key-server  list-crl        revoke-crt   Windows
[root@vpnserver easy-rsa]# chmod +x *
[root@vpnserver easy-rsa]# vim vars    // edit the variables file, mainly so that the ./build-ca script below picks up the defaults
[root@vpnserver easy-rsa]# tail -n 5 vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="openvpn-tianyun"
export KEY_EMAIL="tianyun@126.com"
[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver easy-rsa]# ./clean-all
[root@vpnserver easy-rsa]# ./build-ca    // generate the CA private key and certificate
Generating a 1024 bit RSA private key
........++++++
.++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [OpenVPN-ROOT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: ca.tianyun.com
Email Address [tianyun@126.com]:
[root@vpnserver easy-rsa]# ls    // the keys directory has now been created
2.0          build-key-pass    clean-all    README       Windows
build-ca     build-key-pkcs12  keys         revoke-crt
build-dh     build-key-server  list-crl     revoke-full
build-inter  build-req         make-crl     sign-req
build-key    build-req-pass    openssl.cnf  vars
[root@vpnserver easy-rsa]# ls keys/
ca.crt  ca.key  index.txt  serial
Generate the private key and certificate of vpnserver:
[root@vpnserver easy-rsa]# ./build-key-server    // run without an argument it only prints the usage; the name must be given
Usage: build-key-server
[root@vpnserver easy-rsa]# ./build-key-server vpnserver
Generating a 1024 bit RSA private key
...++++++
.++++++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [openvpn-tianyun]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: vpnserver.tianyun.com
Email Address [tianyun@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'openvpn-tianyun'
commonName            :PRINTABLE:'vpnserver.tianyun.com'
emailAddress          :IA5STRING:'tianyun@126.com'
Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]# ls keys/
01.pem  index.txt       serial      vicvpnserver.csr
ca.crt  index.txt.attr  serial.old  vicvpnserver.key
ca.key  index.txt.old   vicvpnserver.crt
Generate a private key and certificate for each client:
Generate the client keys and certificates. With this OpenVPN setup, every VPN client that logs in needs its own certificate, and each certificate can be used by only one client at a time (if two machines install the same certificate and dial the server simultaneously, both dial-ups succeed, but only the first one can actually reach the network). So one certificate has to be created per client.
[root@vpnserver easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
..++++++
.++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [OpenVPN-ROOT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: client1.tianyun.com
Email Address [tianyun@126.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BJ'
organizationName      :PRINTABLE:'OpenVPN-ROOT'
commonName            :PRINTABLE:'client1.tianyun.com'
emailAddress          :IA5STRING:'tianyun@126.com'
Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]# ls keys/
01.pem  client1.crt  index.txt.attr      serial.old
02.pem  client1.csr  index.txt.attr.old  vicvpnserver.crt
ca.crt  client1.key  index.txt.old       vicvpnserver.csr
ca.key  index.txt    serial              vicvpnserver.key
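Before the keys/ files are copied into /etc/openvpn it is worth checking what easy-rsa actually produced: that each certificate chains to ca.crt, that each .key belongs to its .crt, and that the common name and expiry are what you expect (the listing above shows vicvpnserver.* files while the rest of the walkthrough copies vpnserver.*, which is exactly the kind of mismatch such a check catches). The script below is an added example written for this page, not part of the original article or of the easy-rsa scripts, and it uses only the openssl command line. With KEYS_DIR unset it builds a constructed throwaway PKI so that it runs offline; the names ca, vpnserver, client1 and the deliberately mis-signed "rogue" certificate are assumptions of the example. On a real vpnserver, point KEYS_DIR at the easy-rsa keys directory.

```shell
#!/bin/sh
# Added example for this page (not the article's or easy-rsa's code): audit an
# easy-rsa keys/ directory before its files are copied into /etc/openvpn.
# Only the openssl CLI is used. With KEYS_DIR unset, a constructed throwaway
# PKI is built under mktemp so the script runs offline.
set -eu

# Constructed stand-in for what ./build-ca, ./build-key-server vpnserver and
# ./build-key client1 leave in keys/. "rogue" is signed by an unrelated CA on
# purpose, to show the chain check failing. All names here are assumptions.
make_sample_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal openssl config so the CA gets CA:TRUE on every OpenSSL version.
    cat > "$dir/mini.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    for ca in ca other-ca; do
        openssl req -x509 -new -config "$dir/mini.cnf" -extensions v3_ca \
            -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$ca.example.test" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
    done
    for name in vpnserver client1 rogue; do
        if [ "$name" = rogue ]; then signer=other-ca; else signer=ca; fi
        openssl req -new -config "$dir/mini.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$name.example.test" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -days 3650 -in "$dir/$name.csr" \
            -CA "$dir/$signer.crt" -CAkey "$dir/$signer.key" -CAcreateserial \
            -extfile "$dir/mini.cnf" -extensions v3_leaf \
            -out "$dir/$name.crt" 2>/dev/null
    done
}

# Does keys/<name>.crt chain to keys/ca.crt? This is what OpenVPN's "ca ca.crt"
# directive enforces when a peer presents its certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Does keys/<name>.key belong to keys/<name>.crt? Comparing the public keys
# works for RSA and EC keys alike.
key_matches_cert() {
    from_cert=$(openssl x509 -noout -pubkey -in "$1/$2.crt" 2>/dev/null)
    from_key=$(openssl pkey -pubout -in "$1/$2.key" 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Subject common name of keys/<name>.crt.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/$2.crt" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# True if keys/<name>.crt is still valid $3 days from now; openssl's -checkend
# does the date arithmetic, so nothing here parses dates.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $3 * 86400 )) -in "$1/$2.crt" >/dev/null 2>&1
}

# Audit one name per argument; returns non-zero if any check fails.
audit_pki() {
    dir="$1"; shift
    rc=0
    for name in "$@"; do
        if cert_chains_to_ca "$dir" "$name"; then chain=ok; else chain=FAIL; rc=1; fi
        if key_matches_cert "$dir" "$name"; then key=ok; else key=FAIL; rc=1; fi
        if cert_valid_for_days "$dir" "$name" 30; then expiry=ok; else expiry=FAIL; rc=1; fi
        printf '%-10s CN=%-25s chain=%-4s key=%-4s expiry=%s\n' \
            "$name" "$(cert_cn "$dir" "$name")" "$chain" "$key" "$expiry"
    done
    return $rc
}

# Stand-alone run: audit KEYS_DIR if given, otherwise the constructed sample.
if [ -n "${KEYS_DIR:-}" ]; then
    audit_pki "$KEYS_DIR" vpnserver client1
else
    tmp=$(mktemp -d)
    make_sample_pki "$tmp"
    audit_pki "$tmp" vpnserver client1 rogue || true   # rogue is expected to FAIL
    rm -rf "$tmp"
fi
```

Run as KEYS_DIR=/usr/share/doc/openvpn-2.0.9/easy-rsa/keys sh check_pki.sh (the file name is the example's own) to audit the real files; without KEYS_DIR it audits the constructed sample, where the rogue entry shows what a certificate signed by a different CA looks like: key=ok but chain=FAIL, which is precisely what the server's ca ca.crt line would reject at connection time.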
Distribute the certificate and private key to the appropriate client host:
[root@vpnserver easy-rsa]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
....+.....+....+......+....+.....+...+....++*++*
Configure the VPN server side
[root@vpnserver keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
[root@vpnserver keys]# ls /etc/openvpn/
ca.crt  vpnserver.crt  vpnserver.key
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.....+......+*
[root@vpnserver easy-rsa]# cp keys/dh2024.pem /etc/openvpn/
[root@vpnserver ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/    // OpenVPN server configuration file
[root@vpnserver ~]# vim /etc/openvpn/server.conf
[root@vpnserver ~]# grep '^[^#]' /etc/openvpn/server.conf
local 20.20.20.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh2024.pem
server 10.8.0.0 255.255.255.0
# the subnet used by the VPN. OpenVPN hands out addresses from it like a DHCP server; it must not overlap the local network of either side, so that it stays unique. The server itself takes .1 by default.
ifconfig-pool-persist ipp.txt
# keeps a table mapping each client to its virtual IP, so that a client gets the same IP again after reconnecting
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.2.0 255.255.255.0"
# pushes a route to the client so it can reach the internal servers on the corporate network; remember that those internal servers also need a route back to the client
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
duplicate-cn
keepalive 10 120
# liveness check: ping every 10 seconds; if there is no response within 120 seconds the peer is considered down
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
# LZO compression of the tunnel traffic; must be configured on both server and client
max-clients 100
user nobody
group nobody
persist-key
persist-tun
# keep the key material and the tun/tap device across restarts
status openvpn-status.log
log openvpn.log
verb 3
# log verbosity: 0 logs only errors; 4 records normal operational information; 5 and 6 help when debugging connection problems; 9 is extreme and shows everything, even packet headers (like tcpdump)
mute 20
# limit on repeated messages: after 20 consecutive messages of the same kind, further repeats are not logged
[root@vpnserver ~]# service openvpn start
Starting openvpn:                                          [  OK  ]
[root@vpnserver ~]# chkconfig openvpn on
[root@vpnserver ~]# ip addr show dev tap0
4: tap0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether e2:93:9e:d2:00:2c brd ff:ff:ff:ff:ff:ff
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
[root@vpnserver ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.250
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1
20.20.20.0/24 dev eth2 proto kernel scope link src 20.20.20.1
169.254.0.0/16 dev eth2 scope link
-- Configure the VPN client side --
[root@vpnclient ~]# ip addr add dev eth0 20.20.20.2/24
[root@vpnclient ~]# ip addr show eth0
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:24:1d:39:8e:d9 brd ff:ff:ff:ff:ff:ff
    inet 20.20.20.2/24 scope global eth0
[root@vpnclient ~]# ip route
20.20.20.0/24 dev eth0 proto kernel scope link src 20.20.20.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
[root@vpnclient OpenVPN]# rpm -ivh lzo2-2.02-3.el5.rf.i386.rpm
warning: lzo2-2.02-3.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
   1:lzo2                   ########################################### [100%]
[root@vpnclient OpenVPN]# rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm
warning: openvpn-2.0.9-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]
Copy ca.crt, client1.crt and client1.key to this machine before editing the configuration file
[root@vpnclient openvpn]# cd /etc/openvpn/
[root@vpnclient openvpn]# ls c*    // the three files copied into this directory
ca.crt  client1.crt  client1.key
[root@vpnclient OpenVPN]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
[root@vpnclient OpenVPN]# vi /etc/openvpn/client.conf
[root@vpnclient OpenVPN]# grep '^[^#]' /etc/openvpn/client.conf
client
dev tap
;dev-node MyTap
proto udp
remote 20.20.20.1 1194    // address to dial
;remote-random
nobind
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
mute 20
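Both the server.conf and the client.conf above leave the protective options that the sample files ship with commented out (tls-auth, cipher, ns-cert-type server), and the server additionally enables duplicate-cn, which lets several clients connect with one certificate and so undoes the one-certificate-per-client rule described under client key generation. The script below is an added example for this page, not the article's or OpenVPN's own code: it strips comments (OpenVPN treats ';' as a comment marker as well as '#', which is why the grep '^[^#]' output above still lists the ';' lines) and then reports each weak or missing setting. The directive names are real OpenVPN 2.x options; the sample files the script writes are constructed from the active lines of the two configs above plus hardened variants, and the wording of the findings is the example's own.

```shell
#!/bin/sh
# Added example for this page (not the article's or OpenVPN's code): audit the
# active directives of an OpenVPN 2.x server.conf / client.conf for the
# protections the sample configs leave commented out. The sample files written
# by write_sample_confs are constructed from the article's grep output.
set -eu

# Keep only active directives. OpenVPN treats both '#' and ';' as comment
# markers, so the article's grep '^[^#]' still printed the ';' lines.
active_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

# $1 = directive text, $2 = extended regex; true if some line matches.
has_directive() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# One finding per line; prints nothing when the file is clean.
audit_openvpn_conf() {
    conf=$(active_directives "$1")
    if has_directive "$conf" '^(server|server-bridge|mode server)( |$)'; then
        role=server
    else
        role=client
    fi
    if [ "$role" = server ] && has_directive "$conf" '^duplicate-cn$'; then
        echo "duplicate-cn: several clients may connect with one certificate; remove it to keep one certificate per client"
    fi
    has_directive "$conf" '^tls-auth ' ||
        echo "no tls-auth: control channel has no HMAC protection; add 'tls-auth ta.key 0' on the server and 'tls-auth ta.key 1' on clients"
    has_directive "$conf" '^cipher ' ||
        echo "no cipher: data channel uses the BF-CBC default (64-bit block cipher); set 'cipher AES-128-CBC' on both sides"
    if [ "$role" = client ] && ! has_directive "$conf" '^(ns-cert-type server|remote-cert-tls server)$'; then
        echo "client does not verify that the peer holds a server certificate; add 'ns-cert-type server' (2.0.x) or 'remote-cert-tls server' (2.1+)"
    fi
}

# Number of findings, as a plain integer.
count_findings() {
    audit_openvpn_conf "$1" | wc -l | tr -d ' '
}

# Constructed samples: the "weak" pair mirrors the active lines of the
# article's configs, the "hard" pair enables the commented-out protections.
write_sample_confs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/server-weak.conf" <<'EOF'
local 20.20.20.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
;tls-auth ta.key 0 # This file is secret
;cipher AES-128-CBC
duplicate-cn
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
EOF
    sed -e '/^duplicate-cn$/d' -e 's/^;tls-auth/tls-auth/' -e 's/^;cipher/cipher/' \
        "$dir/server-weak.conf" > "$dir/server-hard.conf"
    cat > "$dir/client-weak.conf" <<'EOF'
client
dev tap
proto udp
remote 20.20.20.1 1194
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher AES-128-CBC
comp-lzo
verb 3
EOF
    sed -e 's/^;ns-cert-type/ns-cert-type/' -e 's/^;tls-auth/tls-auth/' -e 's/^;cipher/cipher/' \
        "$dir/client-weak.conf" > "$dir/client-hard.conf"
}

# Stand-alone run: audit the four constructed files.
tmp=$(mktemp -d)
write_sample_confs "$tmp"
for f in server-weak server-hard client-weak client-hard; do
    echo "== $f.conf: $(count_findings "$tmp/$f.conf") finding(s)"
    audit_openvpn_conf "$tmp/$f.conf"
done
rm -rf "$tmp"
```

To audit the real files, call audit_openvpn_conf /etc/openvpn/server.conf on vpnserver and audit_openvpn_conf /etc/openvpn/client.conf on vpnclient; the weak samples report three findings each and the hardened ones none, and a tls-auth key or cipher has to be set identically on both sides for the tunnel to come up.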
[root@vpnclient ~]# service openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [  OK  ]
[root@vpnclient ~]# chkconfig openvpn on
[root@vpnclient ~]# ip addr
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:24:1d:39:8e:d9 brd ff:ff:ff:ff:ff:ff
    inet 20.20.20.2/8 brd 20.255.255.255 scope global eth0
    inet 20.20.20.2/24 brd 20.20.20.255 scope global eth0
3: virbr0: mtu 1500 qdisc noqueue
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
5: tap0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether de:a2:1e:12:e7:6a brd ff:ff:ff:ff:ff:ff
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0
[root@vpnclient ~]# ip route
192.168.2.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
20.20.20.0/24 dev eth0 proto kernel scope link src 20.20.20.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
20.0.0.0/8 dev eth0 proto kernel scope link src 20.20.20.2
At this point, I believe you have a deeper understanding of how to build a virtual private network (VPN). You might as well try it out in practice.
© 2024 shulou.com SLNews company. All rights reserved.