LAN-to-LAN with OpenVPN in Bridge Mode

1 Configuration:

[[email protected] config]# cat  server.conf
local 172.18.1.132
port 3889
proto udp
dev tap0
ca /root/openvpn-2.3.3/config/ca.crt
cert /root/openvpn-2.3.3/config/VPNS.crt
key /root/openvpn-2.3.3/config/VPNS.key  # This file should be kept secret
dh /root/openvpn-2.3.3/config/dh2048.pem
ifconfig-pool-persist /root/openvpn/config/ipp.txt
push "route 192.168.40.0 255.255.255.0" # push the server-side LAN route
server-bridge 10.8.0.2 255.255.255.0 10.8.0.10 10.8.0.254 # set the tunnel server address and the client address pool
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /root/openvpn-2.3.3/config/ta.key 0 # This file is secret
cipher AES-128-CBC   # AES
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
verb 3
mute 20

[[email protected] config]# cat client.conf
client
dev tap
proto udp
remote 172.18.1.132 3889
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
reneg-sec 28800 # renegotiate the key every 8 hours
ca /root/openvpn-2.3.3/config/ca.crt
cert /root/openvpn-2.3.3/config/user1.crt
key  /root/openvpn-2.3.3/config/user1.key
tls-auth  /root/openvpn-2.3.3/config/ta.key 1
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3
mute 20
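As an added example (not part of the original page or of OpenVPN), the script below lints the directives used in the two configs above; the POOL finding is the same conflict OpenVPN itself warns about in the server output in section 4. The function names are hypothetical and the sample inputs are trimmed copies of the configs shown here.

```shell
#!/bin/sh
# Added example, not from the original page. audit_conf, audit_sample,
# server_sample and client_sample are hypothetical helper names.

# audit_conf FILE: print one "CODE: advice" line per finding.
audit_conf() {
    # Drop comments, then record the first word of every directive.
    sed -e 's/#.*//' "$1" | awk '
        NF { seen[$1] = 1 }
        END {
            if (("duplicate-cn" in seen) && ("ifconfig-pool-persist" in seen))
                print "POOL: ifconfig-pool-persist will not work with duplicate-cn"
            if ("duplicate-cn" in seen)
                print "DUPCN: one certificate can open several sessions; issue one per client"
            if ("ns-cert-type" in seen)
                print "NSCERT: ns-cert-type is deprecated; use remote-cert-tls server"
            if ("comp-lzo" in seen)
                print "COMP: compress-then-encrypt can leak plaintext (VORACLE); drop it on both ends"
            if (!("auth" in seen))
                print "AUTH: no auth directive, so HMAC uses SHA1; set e.g. auth SHA256 on both ends"
            if ("client-to-client" in seen)
                print "C2C: client-to-client frames are forwarded inside OpenVPN, past the host firewall"
        }'
}

# Trimmed copies of the server.conf and client.conf shown above.
server_sample() {
    cat <<'EOF'
ifconfig-pool-persist /root/openvpn/config/ipp.txt
server-bridge 10.8.0.2 255.255.255.0 10.8.0.10 10.8.0.254
client-to-client
duplicate-cn
cipher AES-128-CBC   # AES
comp-lzo
EOF
}
client_sample() {
    cat <<'EOF'
client
remote 172.18.1.132 3889
ns-cert-type server
comp-lzo
EOF
}

# audit_sample NAME: write a sample to a temp file and audit it.
audit_sample() {
    tmp=$(mktemp) || return 1
    "$1" > "$tmp"
    audit_conf "$tmp"
    rm -f "$tmp"
}

echo "== server.conf =="; audit_sample server_sample
echo "== client.conf =="; audit_sample client_sample
```

To check real files, call audit_conf with the path to server.conf or client.conf; any change to auth or comp-lzo has to be made on both ends or the tunnel will not come up.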

2 Modify the bridge scripts under sample-scripts:

[[email protected] sample-scripts]# cat bridge-start
#!/bin/sh

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1" # server LAN interface
eth_ip="10.8.0.2"
eth_netmask="255.255.255.0"
eth_broadcast="10.8.0.255" # default broadcast address

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

[[email protected] sample-scripts]# cat bridge-stop
#!/bin/sh

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

3 Start the programs:

Run bridge-start first, then start the VPN server.

[[email protected] config]# ifconfig

br0       Link encap:Ethernet  HWaddr 00:0C:29:8C:24:CA

inet addr:10.8.0.2  Bcast:10.8.0.255  Mask:255.255.255.0

inet6 addr: fe80::20c:29ff:fe8c:24ca/64 Scope:Link

UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

RX packets:133 errors:0 dropped:0 overruns:0 frame:0

TX packets:43 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:18653 (18.2 KiB)  TX bytes:3366 (3.2 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:8C:24:C0

inet addr:172.18.1.132  Bcast:172.18.1.255  Mask:255.255.254.0

inet6 addr: fe80::20c:29ff:fe8c:24c0/64 Scope:Link

UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

RX packets:51116 errors:0 dropped:0 overruns:0 frame:0

TX packets:19852 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:7844729 (7.4 MiB)  TX bytes:7488984 (7.1 MiB)

Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback

inet addr:127.0.0.1  Mask:255.0.0.0

inet6 addr: ::1/128 Scope:Host

UP LOOPBACK RUNNING  MTU:65536  Metric:1

RX packets:5 errors:0 dropped:0 overruns:0 frame:0

TX packets:5 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

tap0      Link encap:Ethernet  HWaddr 8E:6A:1A:B7:E2:0F

inet6 addr: fe80::8c6a:1aff:feb7:e20f/64 Scope:Link

UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

RX packets:80 errors:0 dropped:0 overruns:0 frame:0

TX packets:65 errors:0 dropped:12 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:6224 (6.0 KiB)  TX bytes:10182 (9.9 KiB)

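When shutting down, stop the server first, then run bridge-stop.

Note that on an OpenVPN server started in this bridged mode, the tap0 virtual interface has no IP address, because nothing in the whole process involves the IP layer.

4 Output:

Server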

[[email protected] config]# /usr/local/sbin/openvpn  --config /root/openvpn-2.3.3/config/server.conf

Tue Sep  5 00:34:38 2017 OpenVPN 2.3.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 31 2017

Tue Sep  5 00:34:38 2017 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to

Tue Sep  5 00:34:38 2017 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn

Tue Sep  5 00:34:38 2017 Diffie-Hellman initialized with 2048 bit key

Tue Sep  5 00:34:38 2017 Control Channel Authentication: using ‘/root/openvpn-2.3.3/config/ta.key‘ as a OpenVPN static key file

Tue Sep  5 00:34:38 2017 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:34:38 2017 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:34:38 2017 Socket Buffers: R=[124928->131072] S=[124928->131072]

Tue Sep  5 00:34:38 2017 TUN/TAP device tap0 opened

Tue Sep  5 00:34:38 2017 TUN/TAP TX queue length set to 100

Tue Sep  5 00:34:38 2017 GID set to nobody

Tue Sep  5 00:34:38 2017 UID set to nobody

Tue Sep  5 00:34:38 2017 UDPv4 link local (bound): [AF_INET]172.18.1.132:3889

Tue Sep  5 00:34:38 2017 UDPv4 link remote: [undef]

Tue Sep  5 00:34:38 2017 MULTI: multi_init called, r=256 v=256

Tue Sep  5 00:34:38 2017 IFCONFIG POOL: base=10.8.0.10 size=245, ipv6=0

Tue Sep  5 00:34:38 2017 IFCONFIG POOL LIST

Tue Sep  5 00:34:38 2017 Initialization Sequence Completed

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 TLS: Initial packet from [AF_INET]172.18.1.130:39446, sid=aae8c845 f1d49e60

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 VERIFY OK: depth=1, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=OpenVPN_CA, name=EasyRSA, [email protected]

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 VERIFY OK: depth=0, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=user1, name=EasyRSA, [email protected]

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 Data Channel Encrypt: Cipher ‘AES-128-CBC‘ initialized with 128 bit key

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 Data Channel Encrypt: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 Data Channel Decrypt: Cipher ‘AES-128-CBC‘ initialized with 128 bit key

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 Data Channel Decrypt: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Tue Sep  5 00:34:43 2017 172.18.1.130:39446 [user1] Peer Connection Initiated with [AF_INET]172.18.1.130:39446

Tue Sep  5 00:34:43 2017 user1/172.18.1.130:39446 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)

Tue Sep  5 00:34:46 2017 user1/172.18.1.130:39446 PUSH: Received control message: ‘PUSH_REQUEST‘

Tue Sep  5 00:34:46 2017 user1/172.18.1.130:39446 send_push_reply(): safe_cap=940

Tue Sep  5 00:34:46 2017 user1/172.18.1.130:39446 SENT CONTROL [user1]: ‘PUSH_REPLY,route 192.168.40.0 255.255.255.0,route-gateway 10.8.0.2,ping 10,ping-restart 120,ifconfig 10.8.0.10 255.255.255.0‘ (status=1)

Tue Sep  5 00:34:46 2017 user1/172.18.1.130:39446 MULTI: Learn: 3e:9f:94:51:1b:9c -> user1/172.18.1.130:39446

Client

[[email protected] ~]# /usr/local/sbin/openvpn  --config /root/openvpn-2.3.3/config/client.conf

Tue Sep  5 00:33:39 2017 OpenVPN 2.3.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 31 2017

Tue Sep  5 00:33:39 2017 Control Channel Authentication: using ‘/root/openvpn-2.3.3/config/ta.key‘ as a OpenVPN static key file

Tue Sep  5 00:33:39 2017 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:33:39 2017 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:33:39 2017 Socket Buffers: R=[124928->131072] S=[124928->131072]

Tue Sep  5 00:33:39 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay

Tue Sep  5 00:33:39 2017 UDPv4 link local: [undef]

Tue Sep  5 00:33:39 2017 UDPv4 link remote: [AF_INET]172.18.1.132:3889

Tue Sep  5 00:33:39 2017 TLS: Initial packet from [AF_INET]172.18.1.132:3889, sid=f5c08706 546e7dad

Tue Sep  5 00:33:39 2017 VERIFY OK: depth=1, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=OpenVPN_CA, name=EasyRSA, [email protected]

Tue Sep  5 00:33:39 2017 VERIFY OK: nsCertType=SERVER

Tue Sep  5 00:33:39 2017 VERIFY OK: depth=0, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=VPNS, name=EasyRSA, [email protected]

Tue Sep  5 00:33:39 2017 Data Channel Encrypt: Cipher ‘AES-128-CBC‘ initialized with 128 bit key

Tue Sep  5 00:33:39 2017 Data Channel Encrypt: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:33:39 2017 Data Channel Decrypt: Cipher ‘AES-128-CBC‘ initialized with 128 bit key

Tue Sep  5 00:33:39 2017 Data Channel Decrypt: Using 160 bit message hash ‘SHA1‘ for HMAC authentication

Tue Sep  5 00:33:39 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Tue Sep  5 00:33:39 2017 [VPNS] Peer Connection Initiated with [AF_INET]172.18.1.132:3889

Tue Sep  5 00:33:41 2017 SENT CONTROL [VPNS]: ‘PUSH_REQUEST‘ (status=1)

Tue Sep  5 00:33:41 2017 PUSH: Received control message: ‘PUSH_REPLY,route 192.168.40.0 255.255.255.0,route-gateway 10.8.0.2,ping 10,ping-restart 120,ifconfig 10.8.0.10 255.255.255.0‘

Tue Sep  5 00:33:41 2017 OPTIONS IMPORT: timers and/or timeouts modified

Tue Sep  5 00:33:41 2017 OPTIONS IMPORT: --ifconfig/up options modified

Tue Sep  5 00:33:41 2017 OPTIONS IMPORT: route options modified

Tue Sep  5 00:33:41 2017 OPTIONS IMPORT: route-related options modified

Tue Sep  5 00:33:41 2017 ROUTE_GATEWAY 172.18.1.254/255.255.254.0 IFACE=eth0 HWADDR=00:0c:29:b5:22:a8

Tue Sep  5 00:33:41 2017 TUN/TAP device tap0 opened

Tue Sep  5 00:33:41 2017 TUN/TAP TX queue length set to 100

Tue Sep  5 00:33:41 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Tue Sep  5 00:33:41 2017 /sbin/ifconfig tap0 10.8.0.10 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255

Tue Sep  5 00:33:41 2017 /sbin/route add -net 192.168.40.0 netmask 255.255.255.0 gw 10.8.0.2

Tue Sep  5 00:33:41 2017 GID set to nobody

Tue Sep  5 00:33:41 2017 UID set to nobody

Tue Sep  5 00:33:41 2017 Initialization Sequence Completed

5 Add the client route

Server: ip route add 192.168.20.0/24 dev br0, or ip route add 192.168.20.0/24 via 10.8.0.2

6 Testing

Server -> client

[[email protected] config]# ping 10.8.0.10 # ping the client tunnel address

PING 10.8.0.10 (10.8.0.10) 56(84) bytes of data.

64 bytes from 10.8.0.10: icmp_seq=1 ttl=64 time=0.580 ms

64 bytes from 10.8.0.10: icmp_seq=2 ttl=64 time=0.877 ms

64 bytes from 10.8.0.10: icmp_seq=3 ttl=64 time=0.891 ms

64 bytes from 10.8.0.10: icmp_seq=4 ttl=64 time=0.861 ms

^C

--- 10.8.0.10 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3511ms

rtt min/avg/max/mdev = 0.580/0.802/0.891/0.130 ms

[[email protected] config]# ping 192.168.20.20 # ping the client LAN address

PING 192.168.20.20 (192.168.20.20) 56(84) bytes of data.

64 bytes from 192.168.20.20: icmp_seq=1 ttl=64 time=16.5 ms

64 bytes from 192.168.20.20: icmp_seq=2 ttl=64 time=0.472 ms

64 bytes from 192.168.20.20: icmp_seq=3 ttl=64 time=0.504 ms

64 bytes from 192.168.20.20: icmp_seq=4 ttl=64 time=0.439 ms

^C

--- 192.168.20.20 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3477ms

rtt min/avg/max/mdev = 0.439/4.487/16.533/6.954 ms

[[email protected] ~]# ping  -I 192.168.40.40  192.168.20.20 # ping the client LAN address from the server LAN address

PING 192.168.20.20 (192.168.20.20) from 192.168.40.40 : 56(84) bytes of data.

64 bytes from 192.168.20.20: icmp_seq=1 ttl=64 time=0.565 ms

64 bytes from 192.168.20.20: icmp_seq=2 ttl=64 time=0.987 ms

64 bytes from 192.168.20.20: icmp_seq=3 ttl=64 time=0.954 ms

64 bytes from 192.168.20.20: icmp_seq=4 ttl=64 time=0.920 ms

^C

--- 192.168.20.20 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3830ms

rtt min/avg/max/mdev = 0.565/0.856/0.987/0.172 ms

Client -> server

[[email protected] config]# ping  10.8.0.2 # ping the server tunnel address

PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.

64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=0.977 ms

64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=0.872 ms

64 bytes from 10.8.0.2: icmp_seq=3 ttl=64 time=0.969 ms

64 bytes from 10.8.0.2: icmp_seq=4 ttl=64 time=0.761 ms

^C

--- 10.8.0.2 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3609ms

rtt min/avg/max/mdev = 0.761/0.894/0.977/0.094 ms

[[email protected] config]# ping  192.168.40.40 # ping the server LAN address

PING 192.168.40.40 (192.168.40.40) 56(84) bytes of data.

64 bytes from 192.168.40.40: icmp_seq=1 ttl=64 time=0.645 ms

64 bytes from 192.168.40.40: icmp_seq=2 ttl=64 time=0.981 ms

64 bytes from 192.168.40.40: icmp_seq=3 ttl=64 time=0.879 ms

64 bytes from 192.168.40.40: icmp_seq=4 ttl=64 time=1.03 ms

^C

--- 192.168.40.40 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3475ms

rtt min/avg/max/mdev = 0.645/0.884/1.031/0.148 ms

[[email protected] ~]# ping  -I  192.168.20.20 192.168.40.40 # ping the server LAN address from the client LAN address

PING 192.168.40.40 (192.168.40.40) from 192.168.20.20 : 56(84) bytes of data.

64 bytes from 192.168.40.40: icmp_seq=1 ttl=64 time=1.56 ms

64 bytes from 192.168.40.40: icmp_seq=2 ttl=64 time=0.790 ms

64 bytes from 192.168.40.40: icmp_seq=3 ttl=64 time=0.742 ms

64 bytes from 192.168.40.40: icmp_seq=4 ttl=64 time=0.847 ms

^C

--- 192.168.40.40 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3159ms

rtt min/avg/max/mdev = 0.742/0.986/1.567/0.338 ms

7 Write an auto-start script

#!/bin/bash
#
# openvpn This shell script takes care of starting and stopping
# chkconfig: 345 90 20
#
# description: openvpn is the OpenVPN daemon.

. /etc/init.d/functions

prog=openvpn
lockfile=/var/lock/subsys/$prog

start() {
    [ -x /usr/local/sbin/openvpn ] || exit 5
    # Bring up the bridge before OpenVPN opens tap0.
    /usr/sbin/bridge-start
    # Start daemons.
    echo -n $"Starting $prog................ "
    /usr/local/sbin/openvpn --daemon  --config /root/openvpn-2.3.3/config/server.conf
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    echo -n $"Shutting down $prog............... "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    # Tear down the bridge only after the server has been stopped.
    /usr/sbin/bridge-stop
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status $prog
        ;;
    reload)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|reload}"
        exit 2
esac

[[email protected] ~]# /etc/init.d/openvpn

Usage: /etc/init.d/openvpn {start|stop|status|reload}

start:

[[email protected] ~]# /etc/init.d/openvpn start

Tue Sep 12 00:22:13 2017 TUN/TAP device tap0 opened

Tue Sep 12 00:22:13 2017 Persist state set to: ON

Starting openvpn................

[[email protected] ~]# ps -ef|grep openvpn

root       1656      1  0 00:22 ?        00:00:00 /usr/local/sbin/openvpn --daemon --config /root/openvpn-2.3.3/config/server.conf

stop:

[[email protected] ~]# /etc/init.d/openvpn stop

Shutting down openvpn...............                       [  OK  ]

Tue Sep 12 00:22:09 2017 TUN/TAP device tap0 opened

Tue Sep 12 00:22:09 2017 Persist state set to: OFF

status:

[[email protected] ~]# /etc/init.d/openvpn status

openvpn (pid 1923) is running...

reload:

[[email protected] ~]# /etc/init.d/openvpn reload

Shutting down openvpn...............                       [  OK  ]

Tue Sep 12 00:23:54 2017 TUN/TAP device tap0 opened

Tue Sep 12 00:23:54 2017 Persist state set to: OFF

Tue Sep 12 00:23:54 2017 TUN/TAP device tap0 opened

Tue Sep 12 00:23:54 2017 Persist state set to: ON

Starting openvpn................

[[email protected] ~]# chkconfig openvpn  on # enable at boot

Time: 2025-01-14 03:00:36
