I. How OpenVPN works
1. The virtual network interface
Linux 2.4 and later ships a device called tun. Its driver has two halves: a character-device driver and a network-interface driver. The network half takes the packets (skb structures) handed down by the TCP/IP stack and places them on the tun device's read queue; a user process calls read() on the character device to receive each complete IP packet, the read handler copying the kernel-side skb out to user space. In the other direction, write() on the character device lets a user process hand a packet into the kernel, where it is injected into the TCP/IP stack as if it had arrived on the interface. The device is therefore both a file that can be read and written and a virtual NIC with the same properties as a physical one: it can be assigned an IP address and routes. This virtual interface is the key to how OpenVPN implements its SSL/TLS VPN (the control channel is TLS; data packets are encrypted and authenticated by OpenVPN's own framing with keys negotiated over that channel, not sent as SSL records).
2. Address pool and routing
An OpenVPN server is normally configured with a pool of virtual IP addresses plus a static virtual address for itself (the static address and the pool must lie in the same subnet). Each client that completes the TLS handshake is assigned an unused address from the pool. The clients on the physical network and the OpenVPN server thereby form a star-shaped virtual LAN in which the server is every client's gateway, and the server also manages the routes installed on each client's virtual interface. Whenever a client accesses an application server behind OpenVPN, the routing table sends the packets through the virtual interface, where the OpenVPN process picks up the IP datagrams, encapsulates them (encrypted and authenticated) and sends them out of the physical interface. The virtual LAN built on top of the virtual interfaces is transparent to the system's users. One practical consequence: the virtual subnet must not overlap any physical network the server or its clients are on, otherwise the routes collide.
3. Establishing the secure connection between client and server
The OpenVPN server and client support both TCP and UDP transports; the transport (tcp or udp) and port number are fixed in advance on both sides, and the TLS handshake runs over that connection. The handshake authenticates both ends with certificates issued by the same CA (mutual authentication, not only the server side as in a browser). The connection setup also carries the management information for the virtual network: the server pushes the virtual subnet, the client's address and the routes to the client. Once the connection is up, packets from both sides enter the virtual interface, are encrypted with the negotiated keys and leave the physical interface over the TCP or UDP connection. UDP is the better default; with TCP the tunnel's retransmissions stack on top of the inner connections' retransmissions and performance collapses on lossy links, so use TCP only where UDP is blocked.
II. Server installation and configuration
Download openvpn-2.3.4 (the version this write-up used; the 2.3 branch is no longer maintained, so take a current 2.x release for a new install). The tarball comes over plain HTTP from a mirror, so verify it against the GPG signature published on openvpn.net before building it.
[[email protected] softs]# wget http://fossies.org/linux/misc/openvpn-2.3.4.tar.gz
--2014-08-04 16:48:30-- http://fossies.org/linux/misc/openvpn-2.3.4.tar.gz
Resolving fossies.org... 78.46.58.28
Connecting to fossies.org|78.46.58.28|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1191101 (1.1M) [application/x-gzip]
Saving to: 'openvpn-2.3.4.tar.gz'
100%[=========================================================================================================================================>] 1,191,101 227K/s in 5.1s
2014-08-04 16:48:36 (227 KB/s) - 'openvpn-2.3.4.tar.gz' saved [1191101/1191101]
Download lzo; LZO is a compression library tuned for fast decompression, which OpenVPN links against for its comp-lzo option (whether to enable compression on the tunnel is a separate decision; the build only needs the library).
[[email protected] softs]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.08.tar.gz
--2014-08-04 16:51:23-- http://www.oberhumer.com/opensource/lzo/download/lzo-2.08.tar.gz
Resolving www.oberhumer.com... 193.170.194.40
Connecting to www.oberhumer.com|193.170.194.40|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 589045 (575K) [application/x-gzip]
Saving to: 'lzo-2.08.tar.gz'
100%[=========================================================================================================================================>] 589,045 354K/s in 1.6s
2014-08-04 16:51:26 (354 KB/s) - 'lzo-2.08.tar.gz' saved [589045/589045]
[[email protected] softs]# yum install openssl openssl-devel -y    TLS is at the core of OpenVPN's authentication and encryption, so the OpenSSL library and headers are required to build it
[[email protected] softs]# ls
lzo-2.08.tar.gz openvpn-2.3.4.tar.gz
[[email protected] softs]# tar xf lzo-2.08.tar.gz -C /usr/local/src/
[[email protected] softs]# tar xf openvpn-2.3.4.tar.gz -C /usr/local/src/
[[email protected] softs]# cd /usr/local/src/lzo-2.08/
[[email protected] lzo-2.08]# ./configure && make && make install
[[email protected] lzo-2.08]# cd ..
[[email protected] src]# ls
lzo-2.08 openvpn-2.3.4
[[email protected] src]# cd openvpn-2.3.4/
[[email protected] openvpn-2.3.4]# ./configure && make && make install
The openvpn-2.3.4 tarball does not include the certificate tooling, so easy-rsa has to be downloaded separately.
[[email protected] openvpn-2.3.4]# cd /softs/
[[email protected] softs]# wget https://codeload.github.com/OpenVPN/easy-rsa/tar.gz/v2.2.0
--2014-08-04 17:08:27-- https://codeload.github.com/OpenVPN/easy-rsa/tar.gz/v2.2.0
Resolving codeload.github.com... 192.30.252.145
Connecting to codeload.github.com|192.30.252.145|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27248 (27K) [application/x-gzip]
Saving to: 'v2.2.0'
100%[===============================================>] 27,248 109K/s in 0.2s
2014-08-04 17:08:28 (109 KB/s) - 'v2.2.0' saved [27248/27248]
(The v2.2.0 archive was unpacked under /etc/openvpn, giving /etc/openvpn/easy-rsa; the extraction step itself was not captured in this write-up.)
[[email protected] openvpn]# ls easy-rsa/
configure.ac COPYING COPYRIGHT.GPL distro/ doc/ easy-rsa/ .gitignore Makefile.am
[[email protected] openvpn]# ls easy-rsa/easy-rsa/
1.0/ 2.0/ Windows/
[[email protected] openvpn]# cd easy-rsa/easy-rsa/2.0/
[[email protected] 2.0]# ls
build-ca build-inter build-key-pass build-key-server build-req-pass inherit-inter openssl-0.9.6.cnf openssl-1.0.0.cnf revoke-full vars
build-dh build-key build-key-pkcs12 build-req clean-all list-crl openssl-0.9.8.cnf pkitool sign-req whichopensslcnf
[[email protected] 2.0]# pwd
/etc/openvpn/easy-rsa/easy-rsa/2.0
[[email protected] 2.0]# chmod +x /etc/openvpn/easy-rsa/easy-rsa/2.0/*
[[email protected] 2.0]# pwd
/etc/openvpn/easy-rsa/easy-rsa/2.0
Edit the vars file. The settings below are the ones this host used; two of them deserve attention: KEY_SIZE=1024 is too small for keys that will stay valid for ten years (set it to 2048 or more before generating anything; build-dh then produces dh2048.pem), and KEY_COUNTRY, KEY_PROVINCE and the other DN variables only become the defaults offered at the interactive prompts.
[[email protected] 2.0]# cat vars |grep -v ^# |grep -v ^$
export D="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=$D/openssl.cnf
export KEY_DIR="$D/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="JS"
export KEY_CITY="NJ"
export KEY_ORG="OPENVPN"
export KEY_EMAIL="[email protected]"
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
[[email protected] 2.0]# ./clean-all    initializes the keys directory (it is an rm -rf of $KEY_DIR, so never run it against a CA that is already in use)
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.
[[email protected] 2.0]# source ./vars    load the variables into the current shell
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/easy-rsa/2.0/keys
[[email protected] 2.0]# ./clean-all
[[email protected] 2.0]# ./build-ca    generate the root CA key and certificate, used to sign the server and client certificates. ca.key is the trust anchor for the whole VPN: keep it on this host (or offline) with mode 600 and never hand it out. (The defaults offered at the prompts below, [EN], [CA], [Fort-Funston], come from a different vars file than the one listed above; whatever is entered here becomes the CA's DN.)
Generating a 1024 bit RSA private key
.....................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [EN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [NJ]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [[email protected]]:
[[email protected] 2.0]# ll keys/
total 12
-rw-r--r-- 1 root root 1342 Aug 4 17:43 ca.crt
-rw------- 1 root root 912 Aug 4 17:43 ca.key
-rw-r--r-- 1 root root 0 Aug 4 17:41 index.txt
-rw-r--r-- 1 root root 3 Aug 4 17:41 serial
Generate the Diffie-Hellman parameters. 1024-bit DH (what KEY_SIZE=1024 gives) is weak against precomputation attacks on the handshake; with KEY_SIZE=2048 this step produces dh2048.pem, takes correspondingly longer, and server.conf must then point at that file.
[[email protected] 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.........................+..........+.......................+...........++*++*++*    (progress output shortened)
[[email protected] 2.0]# ll keys/
total 16
-rw-r--r-- 1 root root 1342 Aug 4 17:43 ca.crt
-rw------- 1 root root 912 Aug 4 17:43 ca.key
-rw-r--r-- 1 root root 245 Aug 4 17:45 dh1024.pem
-rw-r--r-- 1 root root 0 Aug 4 17:41 index.txt
-rw-r--r-- 1 root root 3 Aug 4 17:41 serial
[[email protected] 2.0]# ./build-key-server server    generate the server key and certificate; build-key-server adds nsCertType=server so clients can verify they are talking to the server and not to another client. The transcript below was captured from a run where the Common Name was typed as OpenVPN_Server, hence OpenVPN_Server.crt/.csr/.key in the listing; with the argument as typed and the default accepted, the files are server.crt/.csr/.key, which is what the keys/ listing further down and server.conf refer to.
Generating a 1024 bit RSA private key
...++++++
.++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [EN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [NJ]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [[email protected]]:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'EN'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'NJ'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :T61STRING:'OpenVPN_Server'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 1 09:47:41 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] 2.0]# ll keys/*
-rw-r--r-- 1 root root 4065 Aug 4 17:47 keys/01.pem
-rw-r--r-- 1 root root 1342 Aug 4 17:43 keys/ca.crt
-rw------- 1 root root 912 Aug 4 17:43 keys/ca.key
-rw-r--r-- 1 root root 245 Aug 4 17:45 keys/dh1024.pem
-rw-r--r-- 1 root root 134 Aug 4 17:47 keys/index.txt
-rw-r--r-- 1 root root 21 Aug 4 17:47 keys/index.txt.attr
-rw-r--r-- 1 root root 0 Aug 4 17:41 keys/index.txt.old
-rw-r--r-- 1 root root 4065 Aug 4 17:47 keys/OpenVPN_Server.crt
-rw-r--r-- 1 root root 725 Aug 4 17:47 keys/OpenVPN_Server.csr
-rw------- 1 root root 916 Aug 4 17:47 keys/OpenVPN_Server.key
-rw-r--r-- 1 root root 3 Aug 4 17:47 keys/serial
-rw-r--r-- 1 root root 3 Aug 4 17:41 keys/serial.old
Generate the client key and certificate. Issue one certificate per client so that each can be revoked individually. (As with the server, the transcript shows client1 while the command says client; the files used later are client.crt and client.key.)
[[email protected] 2.0]# ./build-key client
Generating a 1024 bit RSA private key
...........................++++++
...........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [EN]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [NJ]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client]:
Name [changeme]:
Email Address [[email protected]]:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'EN'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'NJ'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'client1'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 1 09:50:21 2024 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
List all the key material generated so far. ipp.txt and openvpn-status.log show up here because the server was later started from this directory and its configuration uses relative paths for those two files; use absolute paths so that runtime state does not land next to the CA key.
[[email protected] keys]# pwd
/etc/openvpn/easy-rsa/easy-rsa/2.0/keys
[[email protected] keys]# ls
01.pem ca.key client.key index.txt.attr ipp.txt serial.old server.key
02.pem client.crt dh1024.pem index.txt.attr.old openvpn-status.log server.crt
ca.crt client.csr index.txt index.txt.old serial server.csr
Package the files the client needs and send them to it over a trusted channel (scp, or an encrypted archive): ca.crt, client.crt and client.key. Do not include ca.key: whoever holds the CA private key can issue certificates that this server will accept for any client, and it is also what signs the revocation list. The client's .csr is not needed either.
[[email protected] keys]# tar -zcvf keys.tar.gz client.crt client.key ca.crt
client.crt
client.key
ca.crt
On the client, client.key should be readable by its owner only.
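The whole PKI step above (CA, server certificate, client certificate, bundling) done with plain openssl(1) instead of the easy-rsa scripts, which are a thin wrapper around the same commands. This is an added example and not code from the original post or from easy-rsa. It uses 2048-bit keys, marks the server certificate with nsCertType=server and extendedKeyUsage=serverAuth (what build-key-server does, and what the client's ns-cert-type or remote-cert-tls check relies on), verifies both chains, and packages only the three files a client needs. The DN values, the ./pki directory and the certificate names are placeholders; DH parameters are still produced with build-dh (or openssl dhparam 2048).

```shell
#!/bin/sh
# Added example (not from the original post or from easy-rsa): the PKI steps
# with plain openssl(1).  Assumes openssl in PATH; DN fields are placeholders.
set -eu

SUBJ_BASE="/C=CN/ST=JS/L=NJ/O=OPENVPN"   # assumed DN prefix, edit to taste

# Build ca.crt/ca.key, server.crt/.key and client.crt/.key under $1.
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed CA, 2048-bit RSA (the old vars file defaulted to 1024).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "$SUBJ_BASE/CN=OpenVPN-CA" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"
  # Extensions build-key-server / build-key would add.  The server markers
  # are what the client's ns-cert-type server / remote-cert-tls server check.
  printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=server' \
      'extendedKeyUsage=serverAuth' 'keyUsage=digitalSignature,keyEncipherment' \
      > "$dir/server.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'nsCertType=client' \
      'extendedKeyUsage=clientAuth' 'keyUsage=digitalSignature' \
      > "$dir/client.ext"
  issue_cert "$dir" server "$SUBJ_BASE/CN=server"
  issue_cert "$dir" client "$SUBJ_BASE/CN=client"
}

# Key + CSR for $2, signed by the CA with the extensions in $dir/$2.ext.
issue_cert() {
  dir="$1"; name="$2"; subj="$3"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  chmod 600 "$dir/$name.key"
  openssl x509 -req -sha256 -days 3650 -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Exit status 0 when $1/$2.crt chains to $1/ca.crt.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# Print server, client or none according to the certificate's markers.
cert_role() {
  text=$(openssl x509 -in "$1/$2.crt" -noout -text)
  if printf '%s\n' "$text" | grep -q 'SSL Server' &&
     printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo server
  elif printf '%s\n' "$text" | grep -q 'SSL Client'; then
    echo client
  else
    echo none
  fi
}

# Bundle for one client: CA cert, the client's cert and key.  ca.key and the
# CSR never leave the CA host.  Prints the bundle's contents.
bundle_client() {
  tar -C "$1" -czf "$1/$2-bundle.tar.gz" ca.crt "$2.crt" "$2.key"
  tar -tzf "$1/$2-bundle.tar.gz"
}

# Stand-alone use: ./make-pki.sh ./pki
if [ -n "${1:-}" ]; then
  make_pki "$1"
  verify_chain "$1" server && verify_chain "$1" client && echo "chain ok"
  echo "server cert role: $(cert_role "$1" server)"
  bundle_client "$1" client
fi
```

cert_role is the check to run on server.crt before shipping a client profile that enables ns-cert-type server or remote-cert-tls server: a server certificate issued with build-key (instead of build-key-server) reports client, and every client would then refuse to connect.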
Create the OpenVPN configuration file from the sample shipped in the source tree
[[email protected] openvpn-2.3.4]# cp /usr/local/src/openvpn-2.3.4/sample/sample-config-files/server.conf /etc/openvpn/
Edit the main configuration file (the text after each directive is commentary, not part of the file)
[[email protected] openvpn]# cat server.conf |grep -v ^$ |grep -v ^#
port 1194    OpenVPN's default port
proto tcp    transport protocol; udp is the better choice unless it is blocked on the path, since TCP-over-TCP stacks two retransmission timers and stalls on lossy links
;dev tap    tap is a layer-2 device and carries whole Ethernet frames (needed only for bridging or non-IP protocols)
dev tun    tun is a layer-3 point-to-point device; slightly more restrictive, but the recommended choice
ca /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt    the root CA produced by build-ca; OpenVPN uses it to check that a client's certificate was issued by this CA
cert /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/server.crt    the server's certificate
key /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/server.key    the matching private key; keep it root-owned with mode 600 so it cannot be copied
dh /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/dh1024.pem    the Diffie-Hellman parameters from build-dh (not a CRL: revoked certificates are rejected with a separate crl-verify directive pointing at the crl.pem that revoke-full writes)
server 172.16.255.0 255.255.255.0    the virtual subnet; the server takes .1 and clients are assigned from the rest (in /30 slices under 2.3's default net30 topology)
ifconfig-pool-persist ipp.txt    remembers which client got which address across restarts (relative path, resolved from the working directory)
push "route 172.16.0.0 255.255.0.0"    route pushed to clients so they reach the whole LAN behind the server
push "redirect-gateway def1"    send all of the client's traffic through the tunnel
push "dhcp-option DNS 221.131.143.69"
push "dhcp-option DNS 112.4.0.55"
client-to-client    let clients reach one another over the tunnel
keepalive 10 120
comp-lzo
user nobody
group nobody    drop privileges once the tun device and key files have been opened
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log    log file
verb 3
Four things to fix before using this file as it stands. First, the pool 172.16.255.0/24 lies inside the 172.16.0.0/16 LAN on em2 (the tun0 shown further down, 172.16.3.1, does too), so the virtual subnet overlaps the physical one and the pushed 172.16.0.0/16 route even covers the tunnel itself; choose a pool outside every network the server or its clients use, for example 10.8.0.0/24. Second, push "route" and push "redirect-gateway" only work if the server forwards and NATs the clients' packets (net.ipv4.ip_forward=1 plus FORWARD and POSTROUTING rules); the iptables line below only admits port 1194. Third, the file has no tls-auth, cipher or auth line, so the control channel accepts packets from anyone and the data channel runs with 2.3's defaults (BF-CBC, SHA1); add tls-auth ta.key 0 (ta.key from openvpn --genkey --secret ta.key), cipher AES-256-CBC, auth SHA256 and tls-version-min 1.2, use 2048-bit or larger DH parameters, and add crl-verify so revoked clients are actually kept out. Fourth, compression over the tunnel lets an attacker who can inject chosen plaintext infer secrets from packet sizes; drop comp-lzo on both ends.
Put the binary on PATH
[[email protected] openvpn-2.3.4]# ln -s /usr/local/openvpn/sbin/openvpn /sbin/openvpn
(With the ./configure run above, which set no --prefix, the binary is installed as /usr/local/sbin/openvpn; the symlink target shown assumes --prefix=/usr/local/openvpn was used. Check with ls -l before linking.)
There are two ways to start the server
[[email protected] openvpn-2.3.4]# openvpn --daemon --config /etc/openvpn/server.conf
or
[[email protected] openvpn-2.3.4]# openvpn --config /etc/openvpn/server.conf &
Prefer the first: --daemon detaches properly, whereas a process backgrounded with & stays attached to the login shell and is killed with it.
Check the process
[[email protected] 2.0]# ps -ef |grep openvpn
root 3307 9344 0 14:32 pts/0 00:00:00 grep openvpn
nobody 46957 9344 0 11:38 pts/0 00:00:00 openvpn --config /etc/openvpn/server.conf
The daemon runs as nobody because of the user/group directives; its parent PID (9344) is the interactive shell, so this instance was started with & rather than --daemon.
Open the port in iptables (tcp 1194 here, matching proto tcp; use -p udp if the server runs proto udp) and save the rule set
[[email protected] 2.0]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
[[email protected] 2.0]# service iptables save
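The forwarding and NAT rules that the pushed route and redirect-gateway in server.conf depend on, together with a check that the pool does not overlap the LAN, as an added example in shell that is not part of the original post. It assumes the page's interface roles (em1 towards the Internet, em2 on the 172.16.0.0/16 LAN), tun0 as the tunnel device and a 10.8.0.0/24 pool; the page's own 172.16.255.0/24 pool is refused by the check. Run it as root, pipe the output into sh, then save with service iptables save.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the VPN pool
# against the LAN and emit the forwarding/NAT rules that push "route" and
# push "redirect-gateway" depend on.  Interface names follow the page (em1
# public side, em2 = 172.16.0.0/16 LAN); the 10.8.0.0/24 pool is assumed.
set -eu

# Dotted quad -> 32-bit integer.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# "net/bits" -> "network-as-int mask-as-int".
net_of() {
  ip="${1%/*}"; bits="${1#*/}"
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  echo "$(( $(ip2int "$ip") & mask )) $mask"
}

# Exit 0 when the two CIDRs share at least one address.
cidr_overlap() {
  set -- $(net_of "$1") $(net_of "$2")
  # Compare both networks under the shorter prefix (numerically smaller mask):
  # they overlap exactly when they agree on those bits.
  if [ "$2" -lt "$4" ]; then m=$2; else m=$4; fi
  [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

# Print the rules for: vpn_net lan_net wan_if lan_if [proto] [port].
# Refuses a pool that overlaps the LAN, which is the case for the page's
# server 172.16.255.0/24 behind a 172.16.0.0/16 LAN.
firewall_rules() {
  vpn_net="$1"; lan_net="$2"; wan_if="$3"; lan_if="$4"
  proto="${5:-udp}"; port="${6:-1194}"
  if cidr_overlap "$vpn_net" "$lan_net"; then
    echo "error: VPN pool $vpn_net overlaps LAN $lan_net; choose another pool" >&2
    return 1
  fi
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $wan_if -p $proto --dport $port -m state --state NEW -j ACCEPT
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -s $vpn_net -o $lan_if -d $lan_net -j ACCEPT
iptables -A FORWARD -i tun0 -s $vpn_net -o $wan_if -j ACCEPT
iptables -A FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpn_net -o $wan_if -j MASQUERADE
iptables -t nat -A POSTROUTING -s $vpn_net -o $lan_if -j MASQUERADE
EOF
}

# Stand-alone: ./vpn-fw.sh 10.8.0.0/24 172.16.0.0/16 em1 em2 udp 1194 | sh
if [ -n "${1:-}" ]; then
  firewall_rules "$@"
fi
```

The MASQUERADE on the LAN side is only needed while the LAN hosts have no route back to the pool; adding a static route for 10.8.0.0/24 via the OpenVPN server on the LAN gateway lets that line be dropped, so that LAN servers log the real client addresses.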
Once the openvpn process is running, ifconfig shows a tun0 interface. Note that tun0 sits at 172.16.3.1 with point-to-point peer 172.16.3.2, i.e. this run used a 172.16.3.0/24 pool rather than the 172.16.255.0/24 in the configuration listed above, and both lie inside em2's 172.16.0.0/16.
[[email protected] keys]# ifconfig
em1 Link encap:Ethernet HWaddr F8:BC:12:38:8F:3C
inet addr:**** Bcast:#### Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:264583 errors:0 dropped:0 overruns:0 frame:0
TX packets:79785 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31575623 (30.1 MiB) TX bytes:15707562 (14.9 MiB)
Interrupt:35
em2 Link encap:Ethernet HWaddr F8:BC:12:38:8F:3D
inet addr:172.16.3.6 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2327 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:283996 (277.3 KiB) TX bytes:64 (64.0 b)
Interrupt:38
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:761 (761.0 b) TX bytes:761 (761.0 b)
lo:0 Link encap:Local Loopback
inet addr:%%%% Mask:255.255.255.255
UP LOOPBACK RUNNING MTU:16436 Metric:1
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.3.1 P-t-P:172.16.3.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:120 (120.0 b) TX bytes:12012 (11.7 KiB)
III. Windows client installation and configuration
openvpn-2.1_rc22-install.exe (an old release-candidate build; any 2.x Windows installer works with this server, so take the current one from openvpn.net and verify its signature)
After the installation a new TAP adapter shows up among the local network connections.
In the installation directory, copy client.ovpn from sample-config into the config directory and adjust the parameters.
Copy the client certificate and key generated on the OpenVPN server (client.crt, client.key) together with ca.crt into the config directory. ca.key stays on the server: the client only needs the CA's certificate to validate the server, never the CA's private key.
The client.ovpn configuration:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote 18.69.1.6 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
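A small lint for the server.conf shown earlier and for this client.ovpn, plus hardened templates for both, as an added example that is not from the original post or from OpenVPN. It checks for the directives whose absence matters most on 2.3.x: tls-auth, cipher and auth on either side, remote-cert-tls or ns-cert-type on the client, crl-verify and DH size on the server, and comp-lzo anywhere. File paths follow the page; /etc/openvpn/ta.key (from openvpn --genkey --secret), keys/crl.pem (from revoke-full) and the 10.8.0.0/24 pool are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or OpenVPN): lint a 2.3-era
# server.conf / client.ovpn for the hardening directives the page's files
# leave out, and print hardened templates.  Paths follow the page; ta.key
# (openvpn --genkey --secret ta.key) and crl.pem (revoke-full) are assumed.
set -eu

# Active directives only, the same filter as the page's grep -v pipeline.
directives() { grep -v '^[[:space:]]*[#;]' "$1" | grep -v '^[[:space:]]*$' || true; }

# has PATTERN TEXT: true when some line of TEXT matches the ERE.
has() { printf '%s\n' "$2" | grep -Eq "$1"; }

# One finding per line; prints nothing when the file passes.
lint_config() {
  d=$(directives "$1")
  has '^tls-auth ' "$d" || echo "no tls-auth: unauthenticated packets reach the TLS stack"
  has '^cipher ' "$d"   || echo "no cipher: data channel falls back to BF-CBC (64-bit block)"
  has '^auth ' "$d"     || echo "no auth: data-channel HMAC defaults to SHA1"
  if has '^client$' "$d"; then
    has '^(remote-cert-tls|ns-cert-type) server' "$d" \
      || echo "no remote-cert-tls/ns-cert-type server: any cert from the CA could pose as the server"
  else
    has '^dh .*dh(2048|3072|4096)\.pem' "$d" || echo "dh: use 2048-bit or larger parameters"
    has '^crl-verify ' "$d" || echo "no crl-verify: revoked certificates still connect"
  fi
  if has '^comp-lzo' "$d" && ! has '^comp-lzo no' "$d"; then
    echo "comp-lzo: compression lets an attacker infer plaintext (VORACLE); disable it"
  fi
}

# Number of findings, as a plain integer.
lint_count() { lint_config "$1" | grep -c '' || true; }

hardened_server_conf() {
  cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/dh2048.pem
crl-verify /etc/openvpn/easy-rsa/easy-rsa/2.0/keys/crl.pem
tls-auth /etc/openvpn/ta.key 0
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
push "route 172.16.0.0 255.255.0.0"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
EOF
}

hardened_client_ovpn() {
  cat <<'EOF'
client
dev tun
proto udp
remote 18.69.1.6 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
verb 3
EOF
}

# Stand-alone: ./ovpn-lint.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
  lint_config "$1"
fi
```

The page's server.conf produces six findings and its client.ovpn five; the two templates produce none. Both ends must agree on cipher, auth, tls-auth (key direction 0 on the server, 1 on the client) and on whether comp-lzo is used, so roll the changes out together.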
Double-clicking the client puts a red OpenVPN icon in the system tray; right-click it and choose Connect, and the log window opens.
Once connected the icon turns green.
Before relying on this profile, uncomment ns-cert-type server: build-key-server set nsCertType=server on the server certificate, so the check passes, and without it any holder of a client certificate from the same CA could stand in for the server. If the server has tls-auth, cipher and auth configured, the client needs matching lines (tls-auth ta.key 1, the same cipher and auth), and comp-lzo has to be set the same way on both ends.
An error seen while building
checking git checkout... no
configure: error: libpam required but missing
Fix
[[email protected] openvpn-2.3.4]# yum install pam-devel
then re-run ./configure (or pass --disable-plugin-auth-pam if the PAM authentication plugin is not needed).