
Quickly building an enterprise VPN with OpenVPN on Linux

OpenVPN can work in two modes:

  - an IP tunnel (routed) mode, mainly used for point-to-point links;
  - an Ethernet tunnel (bridged) mode, used for point-to-multipoint setups with several branch offices.

The configuration example in this article is the first kind.

Topology:

  LAN 1:
    The Office host runs Red Hat 9.0 with two network cards:
    eth1 faces the public network, 61.131.58.x
    eth0 faces the internal network, 192.168.1.56
    VPN address 10.1.0.1
    Host A: 192.168.1.222

  LAN 2:
    The HOME host runs Red Hat 9.0 with two network cards:
    eth0 faces the public network, 218.85.158.244
    eth1 faces the internal network, 192.168.0.235
    VPN address 10.1.0.2
    Host B: 192.168.0.45

Environment: Red Hat 9.0 + lzo + openssl + openvpn. OpenSSL provides the encryption, LZO provides data compression.

Download locations:
  http://prdownloads.sourceforge.net/openvpn/openvpn-2.0_beta7.tar.gz
  http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz

First check whether OpenSSL is already installed:

  # rpm -qa | grep openssl

If it is not, install OpenSSL first; installing OpenSSL is not covered here.

I downloaded openvpn-2.0_beta7.tar.gz and lzo-1.08.tar.gz to /home. Build LZO first, then OpenVPN against it:

  # cd /home
  # tar zxvf lzo-1.08.tar.gz
  # cd lzo-1.08
  # ./configure
  # make
  # make install
  # cd /home
  # tar zxvf openvpn-2.0_beta7.tar.gz
  # cd openvpn-2.0_beta7
  # ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
  # make
  # make install

Generate the static (pre-shared) key and copy it to the other end:

  # mkdir /etc/openvpn
  # cd /etc/openvpn
  # openvpn --genkey --secret static.key

Copy static.key from the Office host into /etc/openvpn on the HOME host:

  office# scp static.key [email protected]:/etc/openvpn

Copy the sample configuration files into place on the Office host:

  office# cd /home/openvpn-2.0_beta7/sample-config-files
  office# cp static-office.conf /etc/openvpn
  office# cp firewall.sh /etc/openvpn
  office# cp openvpn-startup.sh /etc/openvpn
  office# cp office.up /etc/openvpn

Then edit static-office.conf, firewall.sh, openvpn-startup.sh and office.up.

Let us look at these configuration files on the Office host first.

static-office.conf:

  dev tun0
  remote 218.85.158.244            # public IP of the other end
  ifconfig 10.1.0.1 10.1.0.2       # VPN IP of this end, then of the other end
  secret /etc/openvpn/static.key   # the pre-shared key
  port 5000
  comp-lzo
  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key
  verb 3

The firewall.sh script on the Office host:

  #!/bin/bash
  PRIVATE=192.168.1.0/24
  LOOP=127.0.0.1

  iptables -P OUTPUT DROP
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F

  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP
  iptables -P FORWARD DROP

  # never accept loopback addresses arriving on the public interface
  iptables -A INPUT -i eth1 -s $LOOP -j DROP
  iptables -A FORWARD -i eth1 -s $LOOP -j DROP
  iptables -A INPUT -i eth1 -d $LOOP -j DROP
  iptables -A FORWARD -i eth1 -d $LOOP -j DROP

  # keep NetBIOS traffic off the public interface
  iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP
  iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP
  iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP
  iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP

  # only forward traffic from our own LAN range coming in on the internal interface
  iptables -A FORWARD -s ! $PRIVATE -i eth0 -j DROP

  iptables -A INPUT -s $LOOP -j ACCEPT
  iptables -A INPUT -d $LOOP -j ACCEPT

  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  iptables -A INPUT -p tcp --dport http -j ACCEPT
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT

  iptables -A INPUT -p udp --dport 5000 -j ACCEPT   # OpenVPN uses UDP port 5000 by default

  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT             # these two lines are essential
  iptables -A INPUT -i tap+ -j ACCEPT
  iptables -A FORWARD -i tap+ -j ACCEPT

  iptables -A INPUT -i eth0 -j ACCEPT
  iptables -A FORWARD -i eth0 -j ACCEPT

  iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE

The office.up script:

  #!/bin/bash
  # route the remote LAN through the other end's VPN IP address
  route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.0.2

The openvpn-startup.sh script:

  #!/bin/bash
  dir=/etc/openvpn
  $dir/firewall.sh
  modprobe tun
  echo 1 > /proc/sys/net/ipv4/ip_forward
  openvpn --config /etc/openvpn/static-office.conf

The four configuration files on the HOME host are the mirror image of these.

static-home.conf:

  dev tun0
  remote 61.131.58.194
  ifconfig 10.1.0.2 10.1.0.1
  secret /etc/openvpn/static.key
  port 5000
  comp-lzo
  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key
  verb 3

firewall.sh (note that on this host eth0 is the public interface and eth1 the internal one):

  #!/bin/bash
  PRIVATE=192.168.0.0/24
  LOOP=127.0.0.1

  iptables -P OUTPUT DROP
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -F

  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP
  iptables -P FORWARD DROP

  iptables -A INPUT -i eth0 -s $LOOP -j DROP
  iptables -A FORWARD -i eth0 -s $LOOP -j DROP
  iptables -A INPUT -i eth0 -d $LOOP -j DROP
  iptables -A FORWARD -i eth0 -d $LOOP -j DROP

  iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
  iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
  iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
  iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

  iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP

  iptables -A INPUT -s $LOOP -j ACCEPT
  iptables -A INPUT -d $LOOP -j ACCEPT

  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

  iptables -A INPUT -p tcp --dport http -j ACCEPT
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT

  iptables -A INPUT -p udp --dport 5000 -j ACCEPT

  iptables -A INPUT -i tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -j ACCEPT
  iptables -A INPUT -i tap+ -j ACCEPT
  iptables -A FORWARD -i tap+ -j ACCEPT

  iptables -A INPUT -i eth1 -j ACCEPT
  iptables -A FORWARD -i eth1 -j ACCEPT

  iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE

home.up:

  #!/bin/bash
  route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1

openvpn-startup.sh:

  #!/bin/bash
  dir=/etc/openvpn
  $dir/firewall.sh
  modprobe tun
  echo 1 > /proc/sys/net/ipv4/ip_forward
  openvpn --config /etc/openvpn/static-home.conf

Finally, note that /etc/modules.conf on both the Office and the HOME host needs an extra line:

  alias char-major-10-200 tun

Start the tunnel. On the Office host:

  office# cd /etc/openvpn
  office# ./openvpn-startup.sh
  office# ./office.up

On the HOME host:

  home# cd /etc/openvpn
  home# ./openvpn-startup.sh
  home# ./home.up

Set the default gateway of host A to 192.168.1.56 and the default gateway of host B to 192.168.0.235.

To test, ping 192.168.0.45 from host A while listening with tcpdump on the HOME host:

  home# tcpdump -i tun0

You should see both the echo request and the echo reply. If not, run ping 10.1.0.1 on the HOME host to check whether the two VPN gateways can reach each other at all.
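The two ends of a static-key tunnel only work when their files mirror each other exactly (the ifconfig addresses swapped, the same port, the same static.key), and static.key is the entire secret protecting the link, so its permissions matter as much as its contents. The following script is an added example, not part of the original article: it generates the two configs from one description of the link in the article's layout, checks that they mirror each other, checks the key file permissions, and prints a tighter version of the article's UDP 5000 rule that accepts the OpenVPN port only from the peer's public address. The function names, the temporary directory and the constructed key contents are this example's own; the addresses are the article's topology.

```shell
#!/bin/sh
# Added example (not from the original article): generate the mirrored
# static-key configs for both ends and check the usual failure points.
set -e

# gen_peer_conf LOCAL_VPN_IP PEER_VPN_IP PEER_PUBLIC_IP KEYFILE
# Prints one side's configuration in the layout the article uses.
gen_peer_conf() {
    cat <<EOF
dev tun0
remote $3
ifconfig $1 $2
secret $4
port 5000
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
EOF
}

# conf_field FILE KEYWORD N: prints the Nth argument of KEYWORD in FILE.
conf_field() {
    awk -v k="$2" -v n="$3" '$1==k{print $(n+1); exit}' "$1"
}

# check_pair CONF_A CONF_B: the local VPN address of one end must be the
# remote address of the other, and both must use the same port.
# Returns 0 when consistent; otherwise prints each mismatch and returns 1.
check_pair() {
    rc=0
    [ "$(conf_field "$1" ifconfig 1)" = "$(conf_field "$2" ifconfig 2)" ] \
        || { echo "ifconfig: local address in $1 is not the remote in $2"; rc=1; }
    [ "$(conf_field "$1" ifconfig 2)" = "$(conf_field "$2" ifconfig 1)" ] \
        || { echo "ifconfig: remote address in $1 is not the local in $2"; rc=1; }
    [ "$(conf_field "$1" port 1)" = "$(conf_field "$2" port 1)" ] \
        || { echo "port differs between $1 and $2"; rc=1; }
    return $rc
}

# check_key KEYFILE: with a static key there are no certificates; whoever
# can read this file can decrypt or join the tunnel, so it must exist and
# must not be readable by group or others (mode ending in 00, e.g. 600).
check_key() {
    [ -f "$1" ] || { echo "missing key file $1"; return 1; }
    case "$(stat -c %a "$1")" in
        *00) return 0 ;;
        *)   echo "$1 is readable by group or others"; return 1 ;;
    esac
}

# vpn_port_rule WAN_IF PEER_PUBLIC_IP: the article's rule accepts UDP 5000
# from any source; limiting it to the peer's address means only the other
# office can reach the OpenVPN socket. The rule is printed, not applied,
# so it can be reviewed without root.
vpn_port_rule() {
    echo "iptables -A INPUT -i $1 -p udp -s $2 --dport 5000 -j ACCEPT"
}

demo() {
    d=$(mktemp -d)
    # Constructed stand-in for static.key, written with mode 600 just as
    # 'openvpn --genkey --secret' creates it.
    umask 077
    printf 'constructed-key-material-not-a-real-key\n' > "$d/static.key"
    gen_peer_conf 10.1.0.1 10.1.0.2 218.85.158.244 "$d/static.key" > "$d/static-office.conf"
    gen_peer_conf 10.1.0.2 10.1.0.1 61.131.58.194  "$d/static.key" > "$d/static-home.conf"
    check_pair "$d/static-office.conf" "$d/static-home.conf" && echo "configs mirror each other"
    check_key "$d/static.key" && echo "key permissions ok"
    echo "Office host rule:"; vpn_port_rule eth1 218.85.158.244
    echo "HOME host rule:";   vpn_port_rule eth0 61.131.58.194
    rm -rf "$d"
}

demo
```

Two things the article's procedure leaves implicit are worth checking with this script in hand: the `route add ... gw 10.1.0.2` in office.up can only succeed once tun0 exists, so running it before the tunnel is up fails with "Network is unreachable", and openvpn-startup.sh as written runs OpenVPN in the foreground, so office.up has to be started from a second shell (or be wired in through OpenVPN's own up hook). Because the static key never changes, rotating it means regenerating static.key with `openvpn --genkey --secret` and copying it over scp again, exactly as in the initial setup.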




Copyright © Linux教程網 All Rights Reserved