Basic VPN concepts
Virtual private network (VPN)
Function: build a secure private network on top of an insecure public network and transmit data over it encrypted.
VPN and tunneling
A tunnel involves three kinds of protocol:
Passenger protocol: the protocol being encapsulated, e.g. PPP, SLIP
Encapsulation protocol: sets up, maintains and tears down the tunnel, e.g. L2TP, IPSec
Carrier protocol: carries the encapsulated packets, e.g. IP
Example deployment
I. Environment setup
Internal host (slave1)    VPN server (master)              VPN client (slave2)
192.168.1.0/24            eth0: 192.168.1.1 (internal)     202.102.1.2
                          eth1: 202.102.1.1 (external)
Set the default gateway on the internal host (it must point at the VPN server's internal address):
[root@slave1 ~]# ip route
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
169.254.0.0/16 dev eth0 scope link metric 1002
default via 192.168.1.1 dev eth0
Add the internal and external interface addresses on the VPN server:
[root@master ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:1f:e0:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
inet6 fe80::20c:29ff:fe1f:e045/64 scope link
valid_lft forever preferred_lft forever
[root@master ~]# ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:1f:e0:4f brd ff:ff:ff:ff:ff:ff
inet 202.102.1.1/24 brd 202.102.1.255 scope global eth1
inet6 fe80::20c:29ff:fe1f:e04f/64 scope link
valid_lft forever preferred_lft forever
[root@master ~]# ip route
202.102.1.0/24 dev eth1 proto kernel scope link src 202.102.1.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
[root@master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward  # enable IPv4 forwarding so the server routes between eth0 and eth1
II. CA certificate issuance
Workflow: create the CA / issue the VPN server certificate / issue the VPN client certificate / generate the key-exchange parameter file
1. Configure the CA and generate private keys and signed certificates for vpnserver and vpnclient (done on the vpnserver)
Install the OpenVPN packages
[root@vpnserver OpenVPN]# rpm -ivh lzo-2.06-1.el6.rfx.x86_64.rpm  # used for data compression
[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el6.rf.x86_64.rpm
Generate the CA private key and certificate:
[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@vpnserver easy-rsa]# ls
2.0 build-key build-req make-crl revoke-full
build-ca build-key-pass build-req-pass openssl.cnf sign-req
build-dh build-key-pkcs12 clean-all README vars
build-inter build-key-server list-crl revoke-crt Windows
[root@vpnserver easy-rsa]# chmod +x *
[root@vpnserver easy-rsa]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="uplooking"
export KEY_EMAIL="ca@example.com"
[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver easy-rsa]# ./clean-all  # remove any old certificate files from the keys directory
[root@vpnserver easy-rsa]# ./build-ca  # generate the CA private key and certificate
Generating a 1024 bit RSA private key
..........................++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []: ca.example.com
Email Address [ca@example.com]:
[root@vpnserver easy-rsa]# ls  # the keys directory has now been created
2.0 build-key-pass clean-all README Windows
build-ca build-key-pkcs12 keys revoke-crt
build-dh build-key-server list-crl revoke-full
build-inter build-req make-crl sign-req
build-key build-req-pass openssl.cnf vars
[root@vpnserver easy-rsa]# ls keys/
ca.crt ca.key index.txt serial
2. Generate the vpnserver private key and certificate:
[root@vpnserver easy-rsa]# ./build-key-server vpnserver
Generating a 1024 bit RSA private key
..................................................++++++
.........................++++++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []:vpnserver.example.com
Email Address [ca@example.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'uplooking'
commonName :PRINTABLE:'vpnserver.example.com'
emailAddress :IA5STRING:'ca@example.com'
Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]# ls keys/
01.pem index.txt serial vicvpnserver.csr
ca.crt index.txt.attr serial.old vicvpnserver.key
ca.key index.txt.old vicvpnserver.crt
3. Generate a private key and certificate for each client:
[root@vpnserver easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
............................++++++
...................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplooking]:
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server's hostname) []: client1.example.com
Email Address [ca@example.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'uplooking'
commonName :PRINTABLE:'client1.example.com'
emailAddress :IA5STRING:'ca@example.com'
Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4. List the resulting certificates and private keys
[root@vpnserver easy-rsa]# ls keys/
01.pem client1.crt index.txt.attr serial.old
02.pem client1.csr index.txt.attr.old vicvpnserver.crt
ca.crt client1.key index.txt.old vicvpnserver.csr
ca.key index.txt serial vicvpnserver.key
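The easy-rsa scripts used above (build-ca, build-key-server, build-key) are wrappers around openssl. The following script is an added example, not part of the original page or the OpenVPN project: it reproduces the same keys/ layout with plain openssl and adds a check that each certificate chains to ca.crt and carries the right server or client marking. The directory name, the 2048-bit key size and the use of extendedKeyUsage as the server/client marker are my choices.

```shell
#!/bin/sh
# Added example, not part of the original page: build-ca, build-key-server
# and build-key are wrappers around these openssl commands. 2048-bit keys
# are used instead of the 1024-bit keys shown above, which are too weak now.
set -eu

SUBJ_BASE="/C=CN/ST=BJ/L=BJ/O=uplooking"   # same values as the vars file

# issue DIR NAME CN EKU: create a CSR for NAME and sign it with DIR/ca.crt,
# setting extendedKeyUsage=EKU. The easy-rsa openssl.cnf marks
# build-key-server output as server-only in the same way; that marking is
# what distinguishes a server certificate from a client one.
issue() {
    dir="$1"; name="$2"; cn="$3"; eku="$4"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "$SUBJ_BASE/CN=$cn" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" \
        > "$dir/$name.ext"
    openssl x509 -req -days 3650 -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" >/dev/null 2>&1
}

# mk_pki DIR: produce the same files as keys/ above (ca, vpnserver, client1).
mk_pki() {
    dir="$1"; mkdir -p "$dir"
    # ./build-ca equivalent: self-signed certificate with CA:TRUE
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "$SUBJ_BASE/CN=ca.example.com" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
    issue "$dir" vpnserver vpnserver.example.com serverAuth  # ./build-key-server vpnserver
    issue "$dir" client1 client1.example.com clientAuth      # ./build-key client1
}

# check_cert DIR NAME PURPOSE: succeed only if NAME.crt chains to DIR/ca.crt
# and is valid for PURPOSE (sslserver or sslclient). A client certificate
# signed by the same CA must fail the sslserver check; this is why OpenVPN
# clients should be told to require a server-type certificate from the peer.
check_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Usage: mk_pki keys && check_cert keys vpnserver sslserver && echo "server cert OK"
```

Run the sslserver check against client1.crt as well: it must fail, otherwise any client holding a CA-issued certificate could pose as the VPN server.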