
Building a virtual LAN with OpenVPN

0. Preface

OpenVPN is a robust and highly flexible VPN daemon. It supports SSL/TLS security, Ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, dynamic IP addresses and DHCP, and scales to hundreds or thousands of users; it is also portable to most major operating system platforms.

Install openvpn

sudo apt install openvpn

1. Generate certificates

git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3
1.1 Generate the CA

./easyrsa init-pki

./easyrsa build-ca
# Enter passphrase: 123456
Common Name: OpenVPN-CA

ca.crt is generated under the pki directory.

1.2 Generate the server and client key pairs

./easyrsa build-server-full server

./easyrsa build-client-full client1
./easyrsa build-client-full client2
./easyrsa build-client-full client3

pki/private holds the private keys.

pki/issued holds the issued certificates (the public half of each pair).

1.3 Generate the Diffie-Hellman pem

./easyrsa gen-dh

dh.pem is generated under the pki directory.

1.4 We now have

Filename    | Needed By                | Purpose                   | Secret
ca.crt      | server + all clients     | Root CA certificate       | NO
ca.key      | key signing machine only | Root CA key               | YES
dh{n}.pem   | server only              | Diffie Hellman parameters | NO
server.crt  | server only              | Server Certificate        | NO
server.key  | server only              | Server Key                | YES
client1.crt | client1 only             | Client1 Certificate       | NO
client1.key | client1 only             | Client1 Key               | YES
client2.crt | client2 only             | Client2 Certificate       | NO
client2.key | client2 only             | Client2 Key               | YES
client3.crt | client3 only             | Client3 Certificate       | NO
client3.key | client3 only             | Client3 Key               | YES

2. Configuration files

In the install directory (/usr/share/doc/openvpn/examples/sample-config-files) find the sample server.conf and client.conf.

If only server.conf.gz is present, unzip it first:

gunzip -c server.conf.gz > server.conf
2.1 Server: edit the certificate paths

Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.

2.2 Server: the dev mode can be switched between tap and tun
2.3 Server: edit the IP range

If you want to use a virtual IP address range other than 10.8.0.0/24, you should modify the server directive. Remember that this virtual IP address range should be a private range which is currently unused on your network.

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (codified in RFC 1918):

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24).

2.4 Server: allow clients to reach each other

Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server.

2.5 Server: edit user and group

If you are using Linux, BSD, or a Unix-like OS, you can improve security by uncommenting out the user nobody and group nobody directives.

2.6 Client: edit the certificate paths

ca, cert, key

2.7 Client: edit the remote parameter

remote my-server-1 1194

2.8 The server's and the client's dev (tun or tap) and proto (udp or tcp) must match

3. Starting and using it

3.1 Start the server

sudo openvpn /etc/openvpn/server.conf

After a successful start you will see an additional tun network interface.

If you hit the error: Open VPN options error: --tls-auth fails with 'ta.key': no such file or directory

sudo openvpn --genkey --secret /etc/openvpn/certs/ta.key
3.2 Start the client

sudo openvpn /etc/openvpn/client.conf

If you hit the error: Authenticate/Decrypt packet error: packet HMAC authentication failed, check the key direction in the configuration files:

tls-auth /etc/openvpn/certs/ta.key 0  # the server uses 0

tls-auth /etc/openvpn/certs/ta.key 1  # the client uses 1

Note: this is one shared key, generated once on the server; it is not generated separately on each host.

3.3 Test

On the client, ping 10.8.0.1

If the ping succeeds, congratulations! You now have a functioning VPN.

We can also run ssh user@10.8.0.1 and find that this works too.

3.4 Using it on a Mac

Download the installer from https://tunnelblick.net/

You can generate a single .ovpn file; see https://serverfault.com/a/483967
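As an added example that is not part of the original post, the following POSIX shell script assembles such a single-file .ovpn profile from the easy-rsa PKI built in section 1 and the shared ta.key from section 3, inlining the CA certificate, client certificate, client key and tls-auth key with the client-side key direction. The PKI layout (pki/ca.crt, pki/issued/<cn>.crt, pki/private/<cn>.key), the hostname vpn.example.com and the placeholder file contents in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a single-file client
# profile (.ovpn) for Tunnelblick or the openvpn CLI from an easy-rsa PKI.
# Assumed layout: pki/ca.crt, pki/issued/<cn>.crt, pki/private/<cn>.key,
# plus the shared ta.key created with "openvpn --genkey --secret".

# Print only the PEM body of a file (drops easy-rsa's human-readable header).
pem_body() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# make_ovpn PKI_DIR COMMON_NAME REMOTE_HOST TA_KEY OUTPUT
make_ovpn() {
    pki=$1; cn=$2; remote=$3; ta=$4; out=$5
    for f in "$pki/ca.crt" "$pki/issued/$cn.crt" "$pki/private/$cn.key" "$ta"; do
        [ -r "$f" ] || { echo "make_ovpn: missing $f" >&2; return 1; }
    done
    {
        printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$remote"
        printf 'nobind\npersist-key\npersist-tun\n'
        printf 'remote-cert-tls server\n'   # only accept a cert issued as a server
        printf 'key-direction 1\n'          # client side of tls-auth (server uses 0)
        printf '<ca>\n';       pem_body "$pki/ca.crt";          printf '</ca>\n'
        printf '<cert>\n';     pem_body "$pki/issued/$cn.crt";  printf '</cert>\n'
        printf '<key>\n';      pem_body "$pki/private/$cn.key"; printf '</key>\n'
        printf '<tls-auth>\n'; pem_body "$ta";                  printf '</tls-auth>\n'
    } > "$out" && chmod 600 "$out"   # the private key is inside: owner-only
}

# Offline demo with constructed placeholder files (not real keys or certs):
# builds a throwaway PKI tree, writes client1.ovpn and prints its path.
demo_make_ovpn() {
    d=$(mktemp -d)
    mkdir -p "$d/pki/issued" "$d/pki/private"
    printf 'Certificate:\n  text header\n-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n' > "$d/pki/ca.crt"
    printf 'header\n-----BEGIN CERTIFICATE-----\nCLIENT1\n-----END CERTIFICATE-----\n' > "$d/pki/issued/client1.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nSECRET\n-----END PRIVATE KEY-----\n' > "$d/pki/private/client1.key"
    printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\nTA\n-----END OpenVPN Static key V1-----\n' > "$d/ta.key"
    make_ovpn "$d/pki" client1 vpn.example.com "$d/ta.key" "$d/client1.ovpn" || return 1
    echo "$d/client1.ovpn"
}
```

Run make_ovpn once per client on the machine that holds the PKI, then hand each client only its own .ovpn file.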

4. OpenVPN as a service

4.1 server service

sudo systemctl start openvpn@server.service

sudo systemctl enable openvpn@server.service

If a key passphrase has to be entered, do it like this:

sudo systemd-tty-ask-password-agent

4.2 client service

sudo systemctl start openvpn@client.service

sudo systemctl enable openvpn@client.service

5. Assigning fixed IPs to clients

cd /etc/openvpn
mkdir ccd

# Edit the configuration file to set client-config-dir
vim server.conf
client-config-dir ccd

# In the ccd directory, create one file named after each client's user name (Common Name)
cd ccd

vi client1
ifconfig-push 10.8.0.2 255.255.255.0

vi client2
ifconfig-push 10.8.0.3 255.255.255.0

6. References
