
Deploying OpenVPN on Linux in bridge mode: one client, one server

2012-06-28 


OpenVPN bridge mode with one client and one server

Goal: a remote machine installs the OpenVPN client, is configured with certificates, connects to the OpenVPN server and is assigned an address on the internal network behind the server, so that it can communicate with that internal network (an experiment only).

1. System and hardware environment

# OpenSSL, bridge-utils and related dependencies

Fedora 5 on a multi-port network isolation (gatekeeper) device: one

PCs: two

2. Network environment

iptables is turned off

[Network topology diagram for the bridge-mode deployment (image not reproduced)]

3. OpenVPN (server) installation

Working directory: /root/scripts/

1) Required packages

openvpn-2.0.9.tar.gz
lzo-2.03.tar.gz

2) Installation (return to /root/scripts/ before unpacking OpenVPN, so that the source tree ends up at /root/scripts/openvpn-2.0.9/ as referenced in the following steps)

# tar -zxvf lzo-2.03.tar.gz
# cd lzo-2.03 && ./configure && make && make install
# cd /root/scripts/
# tar -zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9 && ./configure && make && make install

?

?

4. OpenVPN (server) configuration

# cd /etc/openvpn/

1) Copy easy-rsa, the tool used to create the CA certificate

# cp -ra /root/scripts/openvpn-2.0.9/easy-rsa .

2) Copy the sample configuration file and the bridge scripts (server.conf is copied into /etc/openvpn/config/, which must exist, and that path is the target of the symlink)

# cp /root/scripts/openvpn-2.0.9/sample-config-files/server.conf config/
# cp /root/scripts/openvpn-2.0.9/sample-scripts/bridge-start .
# cp /root/scripts/openvpn-2.0.9/sample-scripts/bridge-stop .
# ln -s /etc/openvpn/config/server.conf /etc/openvpn/

3) Edit the certificate variables

# vi easy-rsa/vars

export KEY_COUNTRY=ZN
export KEY_PROVINCE=BeiJing
export KEY_CITY=BeiJing
export KEY_ORG="RFGZ"
export KEY_EMAIL=yinchuan131@gmail.com

4) Initialize the PKI

# cd easy-rsa/
# source vars
# ./clean-all
# ./build-ca

5) Create the server key and certificate. The Common Name must be entered as "server"; the remaining fields can be left at their defaults.

# ./build-key-server server

6) Create the client key and certificate. Enter "client1" as the Common Name; it is the identifier by which this client will be recognised from now on.

# ./build-key client1

7) Create the Diffie-Hellman parameters. They strengthen the security of the key exchange and are required by OpenVPN.

# ./build-dh

8) Edit the configuration files

Bridge configuration file:

# cd /etc/openvpn/
# vi bridge-start

#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth3"
eth_ip="1.1.1.239"
eth_netmask="255.255.255.0"
eth_broadcast="1.1.1.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

Server configuration file:

# vi server.conf

local 192.168.0.221
port 1194
proto tcp
dev tap0
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
key ./easy-rsa/keys/server.key  # This file should be kept secret
dh ./easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
# Assign clients IPs in the range 200-209
server-bridge 10.0.0.200 255.255.255.0 10.0.0.200 10.0.0.209
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

5. OpenVPN (server) startup

# cd /etc/openvpn/

Start the bridge first:

# ./bridge-start

Then start the server:

# openvpn server.conf

Output ending with "Initialization Sequence Completed" shows that the server started successfully.

6. OpenVPN (client) installation

Under Windows XP:

openvpn-2.0.9-gui-1.0.3-install.exe  (the client version must match the OpenVPN version on the server)

After installation the system has an additional network adapter, TAP-Win32 Adapter.

7. OpenVPN (client) configuration

Certificates:

Copy the files generated on the server (ca.crt, ca.key, client1.crt, client1.csr and client1.key) into the config folder under the client's installation directory. Of these, the client configuration below uses only ca.crt, client1.crt and client1.key; ca.key is the CA's private key and client1.csr is only needed for signing, so neither needs to be distributed to the client.

Configuration file:

Create a client.ovpn configuration file in the config folder:

client
dev tap
proto tcp
remote 192.168.0.221 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4
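The following is an added example, not part of this tutorial or of OpenVPN itself: a small Python script that parses the server.conf and client.ovpn shown above (both embedded as strings) and reports the mismatches that most often stop a bridge-mode tunnel from coming up: a client remote that does not match the server's local/port, different proto, a non-tap device, comp-lzo on only one side, a client that points at ca.key, and a server-bridge pool that leaves the subnet or includes the gateway. The parser, the list of checks and the names parse_openvpn_config, bridge_pool and check_pair are this example's own.

```python
"""Consistency checks for the server.conf / client.ovpn pair shown in this tutorial.
Added example, not the tutorial's own: SERVER_CONF and CLIENT_OVPN reproduce its two
files; the parser, the checks and the function names are this example's own."""
import ipaddress
import shlex

SERVER_CONF = """\
local 192.168.0.221
port 1194
proto tcp
dev tap0
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
key ./easy-rsa/keys/server.key  # This file should be kept secret
dh ./easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
# Assign clients IPs in the range 200-209
server-bridge 10.0.0.200 255.255.255.0 10.0.0.200 10.0.0.209
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
"""

CLIENT_OVPN = """\
client
dev tap
proto tcp
remote 192.168.0.221 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4
"""

def parse_openvpn_config(text):
    """Map option name -> list of argument lists ('#'/';' start comments; 'nobind' maps to [[]])."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def first(opts, name, default=None):
    return opts[name][0] if name in opts else default

def bridge_pool(server_opts):
    """Decode 'server-bridge gateway netmask pool-start pool-end' into subnet, gateway, pool list."""
    gw, mask, start, end = first(server_opts, "server-bridge")
    net = ipaddress.IPv4Network(f"{gw}/{mask}", strict=False)
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return net, ipaddress.IPv4Address(gw), [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the two files agree."""
    s, c = parse_openvpn_config(server_text), parse_openvpn_config(client_text)
    findings = []
    # 1. The client's 'remote host [port]' must point at the server's 'local' (if set) and 'port'.
    remote = first(c, "remote", ["?"])
    host, port = remote[0], (remote[1] if len(remote) > 1 else "1194")
    local = first(s, "local")
    if (local and local[0] != host) or port != first(s, "port", ["1194"])[0]:
        findings.append(f"client remote {host}:{port} does not match server local/port")
    # 2. Same transport on both sides (tcp-server and tcp-client both count as tcp).
    proto = {k: first(o, "proto", ["udp"])[0].split("-")[0] for k, o in (("server", s), ("client", c))}
    if proto["server"] != proto["client"]:
        findings.append(f"proto mismatch: server {proto['server']}, client {proto['client']}")
    # 3. server-bridge works at layer 2, so both ends need a tap device ('tap' or 'tapN').
    for side, o in (("server", s), ("client", c)):
        dev = first(o, "dev", ["?"])[0]
        if not dev.startswith("tap"):
            findings.append(f"{side} dev {dev!r} is not a tap device; server-bridge requires tap")
    # 4. comp-lzo must be enabled on both sides or on neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo is enabled on only one side")
    # 5. The client needs ca.crt, its own cert and its own key; the CA private key stays on the CA.
    if any(args and args[0].endswith("ca.key") for args in c.get("key", [])):
        findings.append("client 'key' points at ca.key; the CA private key must stay on the CA machine")
    # 6. The pool must lie inside the bridge subnet and must not contain the gateway,
    #    which server-bridge pushes to every client as its route-gateway.
    if "server-bridge" not in s:
        return findings + ["server has no server-bridge line; this is not a bridge-mode server"]
    net, gw, pool = bridge_pool(s)
    outside = [str(a) for a in pool if a not in net]
    if outside:
        findings.append(f"pool addresses outside {net}: {', '.join(outside)}")
    if gw in pool:
        findings.append(f"pool {pool[0]}-{pool[-1]} includes the gateway {gw}; a client could be assigned the server's own address")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair(SERVER_CONF, CLIENT_OVPN) or ["no findings"]))
```

Run against the tutorial's two files the script reports a single finding: the pool 10.0.0.200 to 10.0.0.209 includes 10.0.0.200, the address that server-bridge pushes to clients as their route-gateway, which is why the client in section 8 is handed 10.0.0.200 itself. Starting the pool at 10.0.0.201 avoids that overlap.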

8. Start the OpenVPN client and connect to the server

Right-click the OpenVPN GUI tray icon and choose Connect.

After the connection succeeds the tray icon turns green and the local machine gains the IP address 10.0.0.200.
