OpenVPN's bridge mode (a TAP device bridged onto a physical NIC) saves IP addresses and makes VPN clients look as if they were sitting on the same flat LAN as the machines behind the server.
Environment: server CentOS 6.2 64-bit
Client: Windows 7
First, enable IP forwarding (sysctl -w is not persistent; add the same setting to /etc/sysctl.conf so it survives a reboot):
sysctl -w net.ipv4.ip_forward=1
Before building OpenVPN, install the toolchain and libraries it needs: gcc gcc-c++ make openssl openssl-devel lzo lzo-devel (plus bridge-utils, which provides the brctl command used below).
With those in place you can build openvpn-2.2.2 from source:
# tar zxvf openvpn-2.2.2.tar.gz
# cd openvpn-2.2.2
# ./configure --prefix=/usr/local/openvpn
# make
# make install
# mkdir /etc/openvpn
# cp sample-config-files/server.conf /etc/openvpn
# cp -r easy-rsa/ /usr/local/openvpn/
Next, create the CA:
# cd /usr/local/openvpn/easy-rsa/2.0
# source ./vars
If this complains that openssl.cnf cannot be found, rename openssl-1.0.0.cnf to openssl.cnf:
# mv openssl-1.0.0.cnf openssl.cnf
# ./clean-all
Run clean-all only the very first time. It wipes the keys directory, so running it later destroys your CA; use it again only if you actually want to rebuild the CA from scratch.
Next, build the CA:
# ./build-ca
Fill in the fields as prompted.
Generate the server key and certificate:
# ./build-key-server openvpn
Fill in the fields as prompted.
Generate the DH parameters:
# ./build-dh
(build-dh writes dh1024.pem because vars sets KEY_SIZE=1024, and the same value sizes the RSA keys above. 1024 bits is weak by today's standards; for anything beyond a lab, raise KEY_SIZE before build-ca and use the matching dh filename in server.conf.)
Copy the generated ca.crt, openvpn.key, openvpn.crt and dh1024.pem into /etc/openvpn:
# cp keys/{ca.crt,openvpn.key,openvpn.crt,dh1024.pem} /etc/openvpn
Edit /etc/openvpn/server.conf (the sample copied above):
port 1194
proto udp
dev tap
ca ca.crt
cert openvpn.crt
key openvpn.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge bridge-ip netmask ip-start ip-end
# bridge-ip is the address the bridge (br0) will carry; ip-start and ip-end delimit the pool handed to VPN clients. With the bridge script further down that would be, for example, server-bridge 10.1.1.1 255.255.255.0 10.1.1.100 10.1.1.200. The pool must lie inside the bridge's subnet and must not overlap the range your LAN's DHCP server hands out.
If you want the LAN's DHCP server to assign client addresses instead, use server-bridge with no arguments.
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
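Before writing the server-bridge line it is worth checking the four values against each other: the pool must sit inside the bridge's subnet (not touching the network or broadcast address), must not contain the bridge's own address, and start must not exceed end. The sh functions below do that with plain shell arithmetic. This is an added example, not part of the original post; the addresses in the usage comments are constructed to match the 10.1.1.0/24 bridge used in the script later in the post.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the
# `server-bridge bridge-ip netmask ip-start ip-end` values before they
# go into server.conf. Pure POSIX sh arithmetic, no external tools.

# Dotted quad -> integer, e.g. ip2int 10.1.1.1 -> 167837953
ip2int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad (for messages)
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_server_bridge bridge-ip netmask ip-start ip-end
# Prints the finished config line and returns 0 when the values are
# consistent; otherwise prints the problem on stderr and returns 1.
check_server_bridge() {
    ip=$(ip2int "$1"); mask=$(ip2int "$2")
    start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 4294967295) ))

    if [ "$start" -gt "$end" ]; then
        echo "pool start $3 is above pool end $4" >&2
        return 1
    fi
    # The pool must be strictly inside the subnet: skip network and broadcast.
    if [ "$start" -le "$net" ] || [ "$end" -ge "$bcast" ]; then
        echo "pool $3-$4 is not inside $(int2ip "$net")/$2 (usable $(int2ip $((net + 1)))-$(int2ip $((bcast - 1))))" >&2
        return 1
    fi
    # The bridge's own address must never be handed to a client.
    if [ "$ip" -ge "$start" ] && [ "$ip" -le "$end" ]; then
        echo "bridge address $1 lies inside the client pool $3-$4" >&2
        return 1
    fi
    echo "server-bridge $1 $2 $3 $4"
}

# Usage (constructed values matching the 10.1.1.0/24 bridge in this post):
#   check_server_bridge 10.1.1.1 255.255.255.0 10.1.1.100 10.1.1.200   # ok
#   check_server_bridge 10.1.1.1 255.255.255.0 10.1.2.100 10.1.2.200   # wrong subnet
#   check_server_bridge 10.1.1.1 255.255.255.0 10.1.1.1   10.1.1.50    # pool swallows the bridge IP
```

The script cannot know what your LAN's DHCP server hands out, so the overlap check against that range stays a manual step; everything else about the line is mechanical and is caught here.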
Creating the bridge: the OpenVPN tarball ships two scripts in sample-scripts for bringing the bridge up and down, bridge-start and bridge-stop.
Using them as shipped I ran into a snag: the script first creates a tap0 device itself and adds it and the eth device to a bridge, but when openvpn then starts it creates another tap device, which is not in the bridge, so client packets never make it onto the LAN. (This is because server.conf above says `dev tap`, which lets openvpn grab the next free device; the stock script expects `dev tap0` there so that openvpn attaches to the pre-created one.)
At that point you can add the new device to the bridge by hand:
brctl addif br0 tap1
ifconfig tap1 0.0.0.0 promisc up
That works, but it is a nuisance, so I modified the script instead:
#!/bin/sh
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
# With `dev tap` in server.conf, the first openvpn instance gets tap0.
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="10.1.1.1"
eth_netmask="255.255.255.0"
eth_broadcast="10.1.1.255"

# Start openvpn first: --daemon returns only after initialisation,
# so the TAP device it opens exists before the bridge is built.
/usr/local/openvpn/sbin/openvpn --cd /etc/openvpn --config server.conf --daemon

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

# Move the IP address from the physical NIC onto the bridge.
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
I removed the part that creates the tap device and added the command that starts openvpn, so the bridge simply uses the tap device openvpn creates at start-up.
With that, running bridge-start creates the bridge, starts openvpn, and adds both the eth and the tap device to the bridge.
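The quickest way to confirm the bridge really holds the device openvpn opened is to look at its member list, because the symptom described above (a tap device that exists but sits outside br0) is otherwise silent. The functions below parse brctl show output and report members that are missing. This is an added example, not from the original post; the brctl output it is tested against is constructed (real brctl separates fields with tabs, which awk treats just like spaces).

```sh
#!/bin/sh
# Added example (not from the original post): confirm that the bridge
# holds both the physical NIC and the TAP device openvpn opened.

# Constructed sample of `brctl show` output. brctl prints the first
# member on the bridge's own line and each further member alone on a
# continuation line.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.00163e112233       no              eth1
                                                        tap0'

# bridge_members "<brctl show output>" <bridge> -> member interfaces, one per line
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1              { next }                          # header line
        NF == 4              { cur = $1; if (cur == br) print $4; next }
        NF == 3              { cur = $1; next }                # bridge with no members
        NF == 1 && cur == br { print $1 }                      # continuation line
    '
}

# missing_members "<brctl show output>" <bridge> "<if1 if2 ...>"
# -> the interfaces from the list that are not in the bridge
missing_members() {
    _members=$(bridge_members "$1" "$2")
    for _want in $3; do
        _found=no
        for _have in $_members; do
            [ "$_have" = "$_want" ] && _found=yes
        done
        [ "$_found" = yes ] || echo "$_want"
    done
}

# check_bridge "<brctl show output>" <bridge> "<eth tap ...>"
# Returns 0 when every listed interface is bridged; otherwise names the
# missing ones together with the command that fixes it, and returns 1.
check_bridge() {
    _missing=$(missing_members "$1" "$2" "$3")
    if [ -n "$_missing" ]; then
        for _if in $_missing; do
            echo "$_if is not in $2; fix: brctl addif $2 $_if && ifconfig $_if 0.0.0.0 promisc up" >&2
        done
        return 1
    fi
    echo "$2 holds: $3"
}

# On the real host, after ./bridge-start:
#   check_bridge "$(brctl show)" br0 "eth1 tap0"
# If openvpn came up on tap1 instead (the problem this post describes),
# the check fails and tells you exactly what to add.
```

On a host without brctl, ls /sys/class/net/br0/brif lists the same member interfaces and can be fed to missing_members in place of the parsed brctl output.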
Next, generate a key for the client to connect with:
./build-key client1
Fill in the fields as prompted.
Client configuration file, client1.ovpn:
client
dev tap
proto udp
remote 192.168.1.113 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
Package client1.crt, client1.key, ca.crt and client1.ovpn together and hand them to the user. (ns-cert-type server checks the nsCertType extension that build-key-server puts into the server certificate; OpenVPN 2.4 deprecates that option in favour of remote-cert-tls server and 2.5 drops it, so newer clients need that line instead.)
Starting openvpn:
./bridge-start
Stopping openvpn:
killall openvpn
bridge-stop
Because the tap device disappears together with the openvpn process, bridge-stop's brctl delif and openvpn --rmtun steps for it will report that the device no longer exists; that is harmless.
Creating a key for each new client means typing in a lot of fields every time, which is a hassle, so I automated it with a script. Here it is as a starting point for others, heh.
expect_cert:
#!/usr/bin/expect
# Answers the build-key prompts; the user name becomes the certificate
# name and the e-mail is the only per-user field filled in.
set user [lindex $argv 0]
set email [lindex $argv 1]
spawn /usr/local/openvpn/easy-rsa/2.0/build-key $user
expect "Country Name"
send "CN\n"
expect "State or Province"
send "BeiJing\n"
expect "Locality"
send "BeiJing\n"
expect "Organization Name"
send "Samsun\n"
expect "Unit Name"
send "IT\n"
expect "Common Name"
send "\n"                ;# accept the default, which is $user
expect "Name []"
send "\n"
expect "Email"
send "$email\n"
expect "challenge"
send "\n"
expect "company name"
send "\n"
expect "Sign the certificate"
send "y\n"
expect "requests certified"
send "y\n"
interact                 ;# hand the terminal back until build-key exits
create_cert:
#!/bin/bash
# Usage: create_cert <client-name> <email>
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "`basename $0` usage: ./`basename $0` client-name email"
    exit 25
fi
cert_path="/usr/local/openvpn/easy-rsa/2.0"
# vars derives EASY_RSA and KEY_DIR from `pwd`, so it has to be sourced
# from its own directory or build-key looks for keys/ under the wrong path.
cd "$cert_path" || exit 1
source ./vars
/root/bin/expect_cert "$1" "$2"
out="/home/openvpn_cert/$1"
mkdir -p "$out"
cat >"$out/$1.ovpn" <<EOF
client
dev tap
proto udp
remote 192.168.1.113 1194
persist-key
persist-tun
ca ca.crt
cert $1.crt
key $1.key
ns-cert-type server
comp-lzo
verb 3
EOF
cp "$cert_path"/keys/{ca.crt,"$1".crt,"$1".key} "$out"
cd /home/openvpn_cert
tar zcf "$1.tar.gz" "$1"/
# The tarball contains the client's private key. /var/ftp/pub is
# normally readable by anonymous FTP, so anyone on the network can take
# the identity; prefer an authenticated channel for the hand-over.
cp "$1.tar.gz" /var/ftp/pub
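If you would rather not drive the prompts with expect at all, easy-rsa 2.0's pkitool (the script build-key wraps) is non-interactive by default and takes the subject fields from the KEY_* variables exported by vars. The script below, an added example and not the post's code, issues a client certificate that way and then writes a single .ovpn with the CA, certificate and key inlined in <ca>, <cert> and <key> blocks, which OpenVPN has accepted since 2.1, so the user gets one file instead of a tarball. It assumes the post's easy-rsa path and server address; the CLIENT_OUT directory is an assumption, and it only does real work when given two arguments.

```sh
#!/bin/sh
# Added example, not from the original post: non-interactive client
# issuance with easy-rsa 2.0's pkitool plus an inline .ovpn profile.
# Paths and remote follow the post; CLIENT_OUT is an assumption.
EASY_RSA_DIR=${EASY_RSA_DIR:-/usr/local/openvpn/easy-rsa/2.0}
CLIENT_OUT=${CLIENT_OUT:-/home/openvpn_cert}
REMOTE=${REMOTE:-"192.168.1.113 1194"}

# Keep only the PEM block: easy-rsa's .crt files carry a human-readable
# certificate dump above the -----BEGIN line, which we do not want inlined.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p'
}

# Render the client profile with CA, certificate and key embedded.
# $1 remote ("host port")  $2 CA PEM  $3 client cert PEM  $4 client key PEM
render_ovpn() {
    cat <<EOF
client
dev tap
proto udp
remote $1
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
<ca>
$2
</ca>
<cert>
$3
</cert>
<key>
$4
</key>
EOF
}

# Issue a certificate for client $1 with e-mail $2 and write
# $CLIENT_OUT/$1/$1.ovpn. Needs a working CA in $EASY_RSA_DIR/keys.
issue_client() {
    name=$1
    email=$2
    # vars sets EASY_RSA and KEY_DIR from `pwd`, so source it in place.
    cd "$EASY_RSA_DIR" || return 1
    . ./vars
    # pkitool runs openssl with -batch by default: the argument is the
    # file name, KEY_CN is the subject CN (set explicitly in case vars
    # pins a placeholder) and the other fields come from the KEY_* vars.
    KEY_CN=$name KEY_EMAIL=$email ./pkitool "$name" || return 1
    ca=$(pem_only <"$KEY_DIR/ca.crt")
    crt=$(pem_only <"$KEY_DIR/$name.crt")
    key=$(pem_only <"$KEY_DIR/$name.key")
    mkdir -p "$CLIENT_OUT/$name"
    umask 077                      # the profile contains a private key
    render_ovpn "$REMOTE" "$ca" "$crt" "$key" >"$CLIENT_OUT/$name/$name.ovpn"
    echo "$CLIENT_OUT/$name/$name.ovpn"
}

case $# in
    0) ;;                                   # no arguments: only define the functions
    2) issue_client "$1" "$2" ;;
    *) echo "usage: $0 <client-name> <email>" >&2; exit 1 ;;
esac
```

The resulting file is the complete client identity, so it should reach the user over an authenticated channel rather than an anonymous FTP directory; on the client side it replaces the separate ca.crt, client1.crt and client1.key files entirely.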