http://phorum.study-area.org/index.php?topic=52110.0
Notes written after following this tutorial: http://www.thebakershome.net/openvpn_tutorial
aptitude install openvpn bridge-utils
cd /etc/init.d
nano bridge
Code:
#!/bin/bash
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="172.16.0.5"
eth_netmask="255.255.255.0"
eth_broadcast="172.16.0.255"
gw="172.16.0.1"
start_bridge () {
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
for t in $tap; do
openvpn --mktun --dev $t
done
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $br
}
stop_bridge () {
####################################
# Tear Down Ethernet bridge on Linux
####################################
ifconfig $br down
brctl delbr $br
for t in $tap; do
openvpn --rmtun --dev $t
done
ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
route add default gw $gw $eth
}
case "$1" in
start)
echo -n "Starting Bridge"
start_bridge
;;
stop)
echo -n "Stopping Bridge"
stop_bridge
;;
restart)
stop_bridge
sleep 2
start_bridge
;;
*)
echo "Usage: $0 {start|stop|restart}" >&2
exit 1
;;
esac
cd /etc/openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn
cd 2.0
nano vars
# this is to ensure secure data (only the fields that must be filled in are excerpted; none of them may be left blank)
export KEY_SIZE=1024   # 2048 also works
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Taipei"
export KEY_ORG="Doctorvoice"
export KEY_EMAIL="doctorvoice@gmail.com"
. ./vars
./clean-all
./build-ca
./build-key-server server
# generate the client key with or without a password; choose just one of the two
./build-key-pass amigo
./build-key amigo
./build-dh
cd keys
openssl dhparam -out dh1024.pem 1024
cd ..
openvpn --genkey --secret ta.key
nano server.conf
Code:
# Which local IP address should OpenVPN
# listen on? (optional)
local 172.16.0.5
port 1194
# TCP or UDP server?
proto udp
#This is key to configuring our bridge
dev tap0
#direct these to your generated files
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
#ensure the range of ip addresses you use in the last two arguments
# of this statement are not in use by either the DHCP server or any other
# device on your internal network.
server-bridge 172.16.0.5 255.255.255.0 172.16.0.60 172.16.0.70
#needed to allow communication to internal network
client-to-client
keepalive 10 120
#encryption - very important ;)
#AES encryption is backed by many security firms
#however if you are concerned about speed use blowfish: "BF-CBC"
cipher AES-128-CBC
#if you have another subnet you need to provide the route
#push "route 173.23.2.0 255.255.255.0"
#server id protection
#tls-auth ta.key 0
#compression for network speed
comp-lzo
# if packets are too large fragment them (only really useful if you have an old router)
#fragment 1400
#limit the number of connections
max-clients 5
#some security settings
# do not use if running server on Windows
user nobody
group nogroup
persist-key
persist-tun
#log file settings
status openvpn-status.log
verb 3
# authentication plugin
#forces client to have a linux account in order to connect
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
nano client.conf
Code:
client
dev tap
proto udp
# change this to your server's address
remote 172.16.0.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Point the key and crt files to
# the ones for this user
tls-client
ca ca.crt
cert amigo.crt
key amigo.key
#ensure that we are talking to a server
ns-cert-type server
#confirm we are talking to the correct server
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Enable compression on the VPN link.
comp-lzo
#fragment large packets
# I found I needed this for some games but it is
# not required
#fragment 1400
# enable user/pass authentication
# auth-user-pass
/etc/init.d/bridge start
openvpn /etc/openvpn/2.0/server.conf
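Both configs above leave tls-auth commented out and the server uses dh1024.pem. The following is an added example, not part of the original post or the tutorial it follows: a small lint that reads a server.conf or client.conf and reports the settings that weaken the setup when left out (no active tls-auth, no cipher, no user/group privilege drop, 1024-bit DH parameters, and on the client no ns-cert-type / remote-cert-tls check of the server certificate). remote-cert-tls is OpenVPN's later replacement for ns-cert-type; the sample configs written to temp files, including the dh2048.pem file name, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): lint OpenVPN configs for the
# settings the post leaves optional. Assumes a POSIX shell with grep and awk.

# active_opt FILE DIRECTIVE: succeeds if DIRECTIVE is present and not commented out.
active_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# check_ovpn_conf MODE FILE: MODE is "server" or "client"; prints one finding per line.
check_ovpn_conf() {
    mode="$1"; f="$2"
    # Without tls-auth the server answers unauthenticated control packets
    # before the TLS handshake has proven anything about the peer.
    active_opt "$f" tls-auth ||
        echo "$f: tls-auth is missing or commented out"
    # The post stresses that cipher must be set on both sides.
    active_opt "$f" cipher ||
        echo "$f: no cipher directive"
    if [ "$mode" = server ]; then
        # Privilege drop after startup (the post's "security settings").
        active_opt "$f" user  || echo "$f: no 'user' directive (stays root)"
        active_opt "$f" group || echo "$f: no 'group' directive"
        # Heuristic: a dh line mentioning 1024 means 1024-bit DH parameters,
        # which are below current recommendations (2048 bits or more).
        grep -Eq '^[[:space:]]*dh[[:space:]]+.*1024' "$f" &&
            echo "$f: 1024-bit DH parameters"
    else
        # Server identity check: ns-cert-type (as in the post) or remote-cert-tls.
        active_opt "$f" ns-cert-type || active_opt "$f" remote-cert-tls ||
            echo "$f: no ns-cert-type/remote-cert-tls server check"
    fi
    return 0
}

# count_findings MODE FILE: number of findings, for scripting.
count_findings() {
    check_ovpn_conf "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample: the post's server.conf as written (tls-auth commented out, dh1024).
WEAK_SERVER=$(mktemp)
cat > "$WEAK_SERVER" <<'EOF'
port 1194
proto udp
dev tap0
dh /etc/openvpn/2.0/keys/dh1024.pem
server-bridge 172.16.0.5 255.255.255.0 172.16.0.60 172.16.0.70
cipher AES-128-CBC
#tls-auth ta.key 0
user nobody
group nogroup
EOF

# Constructed sample: the same file with tls-auth enabled and 2048-bit DH (file name assumed).
HARDENED_SERVER=$(mktemp)
cat > "$HARDENED_SERVER" <<'EOF'
port 1194
proto udp
dev tap0
dh /etc/openvpn/2.0/keys/dh2048.pem
server-bridge 172.16.0.5 255.255.255.0 172.16.0.60 172.16.0.70
cipher AES-128-CBC
tls-auth ta.key 0
user nobody
group nogroup
EOF

# Constructed sample: the post's client.conf with the server identity check also commented out.
WEAK_CLIENT=$(mktemp)
cat > "$WEAK_CLIENT" <<'EOF'
client
dev tap
proto udp
remote 172.16.0.5 1194
ca ca.crt
cert amigo.crt
key amigo.key
#ns-cert-type server
#tls-auth ta.key 1
cipher AES-128-CBC
EOF

check_ovpn_conf server "$WEAK_SERVER"      # two findings: tls-auth, 1024-bit DH
check_ovpn_conf server "$HARDENED_SERVER"  # no findings
check_ovpn_conf client "$WEAK_CLIENT"      # two findings: tls-auth, server check
```

Run it against /etc/openvpn/2.0/server.conf and the client.conf handed to each user before distributing them; the temp files are left in place so the functions can be re-run on them.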
Windows XP client side
Download and install openvpn-gui
http://openvpn.se/files/install_package ... nstall.exe
Obtain the client.conf, ca.crt, amigo.crt and amigo.key generated on the server for client amigo.
Edit client.conf so that it points to the correct locations of ca.crt, amigo.crt and amigo.key, then rename it to client.ovpn and place it in c:\program files\openvpn\config\
Code:
#client.ovpn
client
dev tap
proto udp
# change this to your server's address
remote 172.16.0.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Point the key and crt files to
# the ones for this user
tls-client
ca c:\\program files\\openvpn\\config\\ca.crt
cert c:\\openvpn\\keys\\amigo.crt
key c:\\openvpn\\keys\\amigo.key
#ensure that we are talking to a server
ns-cert-type server
#confirm we are talking to the correct server
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Enable compression on the VPN link.
comp-lzo
#fragment large packets
# I found I needed this for some games but it is
# not required
#fragment 1400
# enable user/pass authentication
# auth-user-pass
openvpn-gui starts automatically after boot; just click Connect on the openvpn-gui tray icon in the lower-right taskbar to complete the connection.
Server-side messages
Code:
root@web:/etc/openvpn# openvpn /etc/openvpn/2.0/server.conf
Wed Jun 4 09:18:25 2008 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 14 2008
Wed Jun 4 09:18:25 2008 /usr/sbin/openssl-vulnkey -q /etc/openvpn/2.0/keys/server.key
Wed Jun 4 09:18:25 2008 Diffie-Hellman initialized with 1024 bit key
Wed Jun 4 09:18:25 2008 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 4 09:18:25 2008 TUN/TAP device tap0 opened
Wed Jun 4 09:18:25 2008 TUN/TAP TX queue length set to 100
Wed Jun 4 09:18:25 2008 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun 4 09:18:25 2008 GID set to nogroup
Wed Jun 4 09:18:25 2008 UID set to nobody
Wed Jun 4 09:18:25 2008 Socket Buffers: R=[110592->131072] S=[110592->131072]
Wed Jun 4 09:18:25 2008 UDPv4 link local (bound): 172.16.0.5:1194
Wed Jun 4 09:18:25 2008 UDPv4 link remote: [undef]
Wed Jun 4 09:18:25 2008 MULTI: multi_init called, r=256 v=256
Wed Jun 4 09:18:25 2008 IFCONFIG POOL: base=172.16.0.60 size=11
Wed Jun 4 09:18:25 2008 IFCONFIG POOL LIST
Wed Jun 4 09:18:25 2008 Initialization Sequence Completed
Wed Jun 4 09:18:26 2008 MULTI: multi_create_instance called
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Re-using SSL/TLS context
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 LZO compression initialized
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Local Options hash (VER=V4): '26e19fc0'
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Expected Remote Options hash (VER=V4): 'b498be7c'
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 TLS: Initial packet from 192.168.0.15:1181, sid=d8522637 287b3ad0
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=1, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=Doctorvoice_CA/emailAddress=doctorvoice@gmail.com
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=0, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=amigo/emailAddress=doctorvoice@gmail.com
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 [amigo] Peer Connection Initiated with 192.168.0.15:1181
Wed Jun 4 09:18:27 2008 amigo/192.168.0.15:1181 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 4 09:18:27 2008 amigo/192.168.0.15:1181 SENT CONTROL [amigo]: 'PUSH_REPLY,route-gateway 172.16.0.5,ping 10,ping-restart 120,ifconfig 172.16.0.60 255.255.255.0' (status=1)
Wed Jun 4 09:22:27 2008 amigo/192.168.0.15:1181 [amigo] Inactivity timeout (--ping-restart), restarting
Wed Jun 4 09:22:27 2008 amigo/192.168.0.15:1181 SIGUSR1[soft,ping-restart] received, client-instance restarting
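The server output above is the record of who connected: the VERIFY OK lines show which certificate chain was accepted (depth=1 is the CA, depth=0 the client certificate), the PUSH_REPLY shows the address handed out from the server-bridge pool, and the ping-restart lines mark clients that went silent. The following is an added example, not part of the original post: a few grep/sed functions that pull those facts out of the log. The sample log is constructed from lines in the post plus one constructed VERIFY ERROR line for a hypothetical client "oldclient", written in OpenVPN's real "VERIFY ERROR: depth=N, error=REASON: SUBJECT" format, so that the rejection path is exercised as well.

```shell
#!/bin/sh
# Added example (not from the original post): triage of an OpenVPN server log.
# Assumes a POSIX shell with grep, sed and sort.

# count_event FILE PATTERN: number of log lines matching PATTERN (0 when none).
count_event() {
    grep -c "$2" "$1" || true
}

# verified_cns FILE: CNs of client certificates the server accepted.
# depth=0 is the client (leaf) certificate; depth=1 is the CA certificate.
verified_cns() {
    grep 'VERIFY OK: depth=0' "$1" | sed -n 's/.*\/CN=\([^/]*\).*/\1/p' | sort -u
}

# rejected_cns FILE: "CN (reason)" for certificates that failed verification.
rejected_cns() {
    grep 'VERIFY ERROR' "$1" |
        sed -n 's/.*error=\([^:]*\):.*\/CN=\([^/]*\).*/\2 (\1)/p'
}

# assigned_ips FILE: "CN IP" pairs from the PUSH_REPLY sent to each client; in
# bridged mode this is the address taken from the server-bridge pool.
assigned_ips() {
    grep 'PUSH_REPLY' "$1" |
        sed -n 's/.*SENT CONTROL \[\([^]]*\)].*ifconfig \([0-9.]*\) .*/\1 \2/p'
}

# Constructed sample log: lines copied from the post's server output plus one
# constructed VERIFY ERROR line (hypothetical client "oldclient").
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Wed Jun 4 09:18:25 2008 Initialization Sequence Completed
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=1, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=Doctorvoice_CA/emailAddress=doctorvoice@gmail.com
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=0, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=amigo/emailAddress=doctorvoice@gmail.com
Wed Jun 4 09:18:26 2008 192.168.0.15:1181 [amigo] Peer Connection Initiated with 192.168.0.15:1181
Wed Jun 4 09:18:27 2008 amigo/192.168.0.15:1181 SENT CONTROL [amigo]: 'PUSH_REPLY,route-gateway 172.16.0.5,ping 10,ping-restart 120,ifconfig 172.16.0.60 255.255.255.0' (status=1)
Wed Jun 4 09:22:27 2008 amigo/192.168.0.15:1181 [amigo] Inactivity timeout (--ping-restart), restarting
Wed Jun 4 09:30:02 2008 192.168.0.99:2211 VERIFY ERROR: depth=0, error=certificate has expired: /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=oldclient/emailAddress=doctorvoice@gmail.com
EOF

echo "accepted clients:";  verified_cns "$LOG"     # amigo
echo "rejected clients:";  rejected_cns "$LOG"     # oldclient (certificate has expired)
echo "pool assignments:";  assigned_ips "$LOG"     # amigo 172.16.0.60
echo "inactivity restarts: $(count_event "$LOG" 'Inactivity timeout')"   # 1
```

With verb 3 these lines are all present in the output of `openvpn server.conf` (or in the file named by a log directive), so the same functions can be run over a saved log to list which CNs connected, which were rejected, and which pool address each received.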