openvpn可工作於兩種模式: 一種是IP遂道路由模式,主要應用於點對點 一種是基於以太網的遂道橋模式, 應用於點對多點,有多個分支機構 本文介紹的配置實例是第一種 拓撲圖: 局域網1: Office主機裝redhat9.0 兩塊網卡 eth1接公網 61.131.58.x , eth0接 內網192.168.1.56 vpn 10.1.0.1 A主機 192.168.1.222 局域網2: HOME主機裝redhat9.0兩塊網卡 eth0 接公網 218.85.158.244 eth1 接內網 192.168.0.235 vpn 10.1.0.2 B主機 192.168.0.45 環境:redhat9.0+lzo+openssl+openvpn openssl用來進行加密,lzo用來進行數據壓縮 下載地址 http://prdownloads.sourceforge.net/openvpn/openvpn-2.0_beta7.tar.gz http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz 先檢查openssl是否已安裝 rpm ?qa grep openssl 沒有請先裝openssl, openssl如何安裝就不介紹了 我將openvpn-2.0.beta7.tar.gz和lzo-1.08.tar.gz下載到/home #cd /home #tar zxvf lzo-1.08.tar.gz #cd lzo-1.08. #./comfigure #make #make install #tar zxvf openvpn-2.0_beta7.tar.gz #cd openvpn-2.0_beta7 #./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib #make #make install #mkdir /etc/openvpn #cd /etc/openvpn #openvpn --genkey --secret static.key 將static.key從office主機復制到home主機的/etc/openvpn目錄中 office#scp static.key
[email protected]:/etc/openvpn office#cd /home/openvpn-2.0_beta7/sample-config-files office#cp static-office.conf /etc/openvpn office#cp firewall.sh /etc/openvpn office#cp openvpn-startup.sh /etc/openvpn office#cp office.up /etc/openvpn 修改static-office.conf ,firewall.sh ,openvpn-startup.sh,office.up 我們先來看office主機的這幾個配置文件 static-office.conf配置如下: dev tun0 remote 218.85.158.244 #為對端的公網ip ifconfig 10.1.0.1 10.1.0.2 #為本端和對端的vpn ip地址 secret /etc/openvpn/static.key #密鑰 port 5000 comp-lzo ping 15 ping 15 ping-restart 45 ping-timer-rem persist-tun persist-key verb 3 office主機的firewall.sh腳本如下: #!/bin/bash PRIVATE=192.168.1.0/24 LOOP=127.0.0.1 iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP iptables -F iptables -P OUTPUT ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -i eth1 -s $LOOP -j DROP iptables -A FORWARD -i eth1 -s $LOOP -j DROP iptables -A INPUT -i eth1 -d $LOOP -j DROP iptables -A FORWARD -i eth1 -d $LOOP -j DROP iptables -A FORWARD -p tcp --sport 137:139 -o eth1 -j DROP iptables -A FORWARD -p udp --sport 137:139 -o eth1 -j DROP iptables -A OUTPUT -p tcp --sport 137:139 -o eth1 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth1 -j DROP iptables -A FORWARD -s ! $PRIVATE -i eth0 -j DROP iptables -A INPUT -s $LOOP -j ACCEPT iptables -A INPUT -d $LOOP -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p tcp --dport http -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p udp --dport 5000 -j ACCEPT #openvpn默認使用udp 5000端口 iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT #這兩句很重要 iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT iptables -A INPUT -i eth0 -j ACCEPT iptables -A FORWARD -i eth0 -j ACCEPT iptables -A OUTPUT -m state --state NEW -o eth1 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -o eth1 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t nat -A POSTROUTING -s $PRIVATE -o eth1 -j MASQUERADE office.up腳本配置如下: #!/bin/bash route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.1.0.2 #此處是對端的vpn ip地址 openvpn-startup.sh腳本配置如下: #!/bin/bash dir=/etc/openvpn $dir/firewall.sh modprobe tun echo 1 > /proc/sys/net/ipv4/ip_forward openvpn --config /etc/openvpn/static-office.conf home主機的4個配置文件 static-home.conf如下 dev tun0 remote 61.131.58.194 ifconfig 10.1.0.2 10.1.0.1 secret /etc/openvpn/static.key port 5000 comp-lzo ping 15 ping 15 ping-restart 45 ping-timer-rem persist-tun persist-key verb 3 firewall.sh如下 #!/bin/bash PRIVATE=192.168.0.0/24 LOOP=127.0.0.1 iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP iptables -F iptables -P OUTPUT ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -i eth0 -s $LOOP -j DROP iptables -A FORWARD -i eth0 -s $LOOP -j DROP iptables -A INPUT -i eth0 -d $LOOP -j DROP iptables -A FORWARD -i eth0 -d $LOOP -j DROP iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP iptables -A INPUT -s $LOOP -j ACCEPT iptables -A INPUT -d $LOOP -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p tcp --dport http -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p udp --dport 5000 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT iptables -A INPUT -i eth1 -j ACCEPT iptables -A FORWARD -i eth1 -j ACCEPT iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE home.up腳本如下: #!/bin/bash route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.1.0.1 openvpn-startup.sh腳本如下: #!/bin/bash dir=/etc/openvpn $dir/firewall.sh modprobe tun echo 1 > /proc/sys/net/ipv4/ip_forward openvpn --config /etc/openvpn/static-home.conf 最後需要注意的是在office和home主機的/etc/modules.conf都要加上一行: alias char-major-10-200 tun 在office主機上 office#cd /etc/openvpn office#./openvpn-startup.sh office#./office.up 在home主機上 home#cd /etc/openvpn home#./openvpn-startup.sh home#./home.up A主機的default gateway設為192.168.1.56 B主機的default gateway設為192.168.0.235 在A主機上ping 192.168.0.45 在home主機上用tcpdump監聽 home#tcpdump -i tun0 應該有echo request和echo reply 不行的話,在home#ping 10.1.0.1看兩個vpn網關是否通