使用OpenVPN构建主机点到点加密连接

 网络技术  No Responses »
1 月 292020
 

基于OpenVPN使用预共享密钥加密的点到点VPN解决方案

安装依赖库EPEL及net-tools工具

[root@host1 ~]# yum -y install epel-release.noarch net-tools

[root@host2 ~]# yum -y install epel-release.noarch net-tools

安装openvpn软件包

[root@host1 ~]# yum -y install openvpn

[root@host2 ~]# yum -y install openvpn

配置防火墙,在两台主机开放UDP8443端口作为专用通信端口

[root@host1 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]#

[root@host2 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host2 ~]# firewall-cmd --reload
success
[root@host2 ~]#

生成host1配置文件

[root@host1 ~]# vi /etc/openvpn/host1.conf
proto udp
mode p2p
remote 149.28.93.246
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.1 172.16.100.2
secret /etc/openvpn/p2p.key

生成预共享密钥文件并复制到host2主机相应目录

[root@host1 ~]# openvpn --genkey --secret /etc/openvpn/p2p.key
[root@host1 ~]# cat /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----
[root@host1 ~]#

生成host2配置文件

[root@host2 ~]# vi /etc/openvpn/hosts2.conf
proto udp
mode p2p
remote 144.202.116.133
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.2 172.16.100.1
secret /etc/openvpn/p2p.key

[root@host2 ~]# vi /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----

启动host1上的OpenVPN服务并加载指定配置文件

[root@host1 ~]# nohup openvpn --config /etc/openvpn/host1.conf &
[1] 1913
[root@host1 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host1 ~]# cat nohup.out
Fri Jan 31 03:25:47 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:25:47 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:25:47 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:25:47 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:25:47 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:25:47 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:25:47 2020 /sbin/ip addr add dev tun0 local 172.16.100.1 peer 172.16.100.2
Fri Jan 31 03:25:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]149.28.93.246:8443
Fri Jan 31 03:25:47 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:25:47 2020 UDP link remote: [AF_INET]149.28.93.246:8443
[root@host1 ~]#

查看host1接口信息及端口监听信息

启动host2上的OpenVPN服务并加载指定配置文件

[root@host2 ~]# nohup openvpn --config /etc/openvpn/hosts2.conf &
[1] 1741
[root@host2 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host2 ~]# cat nohup.out
Fri Jan 31 03:28:03 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:28:03 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:28:03 2020 WARNING: file '/etc/openvpn/p2p.key' is group or others accessible
Fri Jan 31 03:28:03 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:28:03 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:28:03 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:28:03 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:28:03 2020 /sbin/ip addr add dev tun0 local 172.16.100.2 peer 172.16.100.1
Fri Jan 31 03:28:03 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]144.202.116.133:8443
Fri Jan 31 03:28:03 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:28:03 2020 UDP link remote: [AF_INET]144.202.116.133:8443
[root@host2 ~]#

查看host2接口信息及端口监听信息


在两台主机上分别ping对端隧道IP地址

使用Pritunl构建远程接入VPN服务

 网络技术  No Responses »
1 月 202020
 

基于CentOS7的安装配置命令

sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo << EOF
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
EOF

sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
sudo yum -y install pritunl mongodb-org
sudo systemctl start mongod pritunl
sudo systemctl enable mongod pritunl

修改oepnfile限制

sudo sh -c 'echo "* hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "* soft nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root hard nofile 64000" >> /etc/security/limits.conf'
sudo sh -c 'echo "root soft nofile 64000" >> /etc/security/limits.conf'

host1主机私网IP配置信息

# Private network: net5e1571b604398
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.25.96.3
NETMASK=255.255.240.0
MTU=1450

host2主机私网IP配置信息

# Private network: net5e1571b604398
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.25.96.4
NETMASK=255.255.240.0
MTU=1450

检查内网互通性


生成初始化密钥

[root@host1 ~]# pritunl setup-key
3c1cd1325ff34ae8ab1b1443c6706efb
[root@host1 ~]#

使用浏览器访问控制台并保存初始化密钥

按照提示生成初始登录信息

获取初始登录信息

[root@host1 ~]# sudo pritunl default-password
[undefined][2020-01-20 02:08:04,859][INFO] Getting default administrator password
Administrator default password:
username: "pritunl"
password: "DB2aRfaKxLmt"
[root@host1 ~]#

修改控制台用户名密码,确认服务器地址,控制台端口,证书(Let‘s Encrypt)配置信息

提示成功保存设置

添加服务器

设置服务器名称,确认监听端口,DNS服务器及内网网段

成功添加服务器,删除默认的0.0.0.0/0路由

确认删除该路由条目

添加路由,该路由条目经服务端推送给客户端(10.25.96.0/20),客户端无需手动指定

指定路由条目详情

添加路由条目成功

添加组织

设置组织名称

为组织添加用户

用户详情

将服务器附加到组织

确认附加信息

成功附加服务器到组织

启动服务器

服务器启动后的控制台状态

下载用户端配置文件

解压缩并查看用户端配置文件

 

使用Pritunl客户端导入用户端配置文件

导入配置文件

导入配置文件后的客户端界面信息

点击连接,成功获取VPN服务器端内网IP地址

查看本机IPv4路由表,显示已添加去往10.25.96.0/20网络的路由

验证,本机通过host1建立的Remote Access VPN访问内网IP为10.25.96.4的host2主机(PING)

C:\Users\harveymei>ping 10.25.96.4

正在 Ping 10.25.96.4 具有 32 字节的数据:
来自 10.25.96.4 的回复: 字节=32 时间=169ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=174ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=176ms TTL=63
来自 10.25.96.4 的回复: 字节=32 时间=165ms TTL=63

10.25.96.4 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 165ms,最长 = 176ms,平均 = 171ms

C:\Users\harveymei>

TAP-Win32版本对OpenVPN GUI的影响

 未分类  No Responses »
1 月 172013
 

在Windows 7 x64系统安装OpenVPN 2.0.9 GUI 1.0.3后查看设备管理器状态

tap-win32-02

连接VPN后出现错误提示,查看OpenVPN GUI的日志输出

tap-win32-03

Thu Jan 17 12:56:23 2013 CreateFile failed on TAP device: 
\\.\Global\{97C6C2D4-0D71-4FFC-BF9A-B13FF8BA0164}.tap
Thu Jan 17 12:56:23 2013 All TAP-Win32 adapters on this system are currently in use.
Thu Jan 17 12:56:23 2013 Exiting

安装OpenVPN 2.2.0后再次查看设备管理器显示TAP-Win32适配器驱动版本为V9

tap-win32-01

查看成功连接后的 OpenVPN GUI日志输出

Thu Jan 17 13:15:57 2013 TAP-WIN32 device [本地连接 4] opened:
 \\.\Global\{993F596C-8A2B-4871-B6F4-7FABE678738A}.tap
Thu Jan 17 13:15:57 2013 TAP-Win32 Driver Version 9.8 
Thu Jan 17 13:15:57 2013 TAP-Win32 MTU=1500
Thu Jan 17 13:15:57 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask
 of 10.8.0.26/255.255.255.252 on interface {993F596C-8A2B-4871-B6F4-7FABE678738A}
 [DHCP-serv: 10.8.0.25, lease-time: 31536000]
Thu Jan 17 13:15:57 2013 Successful ARP Flush on interface [17]
 {993F596C-8A2B-4871-B6F4-7FABE678738A}
Thu Jan 17 13:16:02 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Thu Jan 17 13:16:02 2013
 C:\WINDOWS\system32\route.exe ADD 192.168.11.0 MASK 255.255.255.0 10.8.0.25
 操作完成!
Thu Jan 17 13:16:03 2013
 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.25
 操作完成!
Thu Jan 17 13:16:03 2013 Initialization Sequence Completed

相关下载:
(1) OpenVPN 2.2.0(TAP-Win32 V9)

openvpn证书吊销和指定静态IP

 未分类  No Responses »
12 月 042012
 

#./vars

#./revoke-full client-name(common name)

#ls crl.pem

#cp crl.pem /usr/local/openvpn/etc/

#vi
crl-verify crl.pem

#service restart openvpn

Static IP
#vi server.conf
client-config-dir /etc/openvpn/ccd

#mkdir /etc/openvpn/ccd

#vi client-name
ifconfig-push 192.168.0.5 192.168.0.6
第一个IP结尾必须是4的倍数+1