Linux下OpenVpn部署-桥接模式1 客户端/服务端

OpenVpn网桥模式1 客户端/服务端

              实现目的:远端机器通过安装OpenVpn客户端，配置证书，连接OpenVpn服务器，从而获得OpenVpn服务器分发所连接的内网Ip，实现与内网的通信(只是实验)

 

1.系统硬件环境

     #openSSL，bridge-util 及相关依赖

        

         Fedora5 系统，多网口网闸设备  一台

         PC                                                            两台

 

2.网络环境

    iptables off状态

   

 

 

 

 3.OpenVpn(服务端)安装

        所在目录 :   /root/scripts/

        1) 需要的软件包

                  openvpn-2.0.9.tar.gz

                  lzo-2.03.tar.gz

       

        2) 安装

                 

# tar -zxvf lzo-2.03.tar.gz
# cd lzo-2.03 && ./configure && make && make install
                 

# tar -zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9 && ./configure && make && make install

 

 

4.OpenVpn(服务端)配置

# cd /etc/openvpn/

 

        1)拷贝创建CA证书的easy-rsa

                

# cp -ra /root/scripts/openvpn-2.0.9/easy-rsa .

      

        2)拷贝示例配置文件

                

# cp /root/scripts/openvpn-2.0.9/sample-config-files/server.conf config/
# cp /root/scripts/openvpn-2.0.9/sample-scripts/bridge-start .
# cp /root/scripts/openvpn-2.0.9/sample-scripts/bridge-stop .
# ln -s /etc/config/server.conf /etc/openvpn/

         3)修改证书变量

               

# vi easy-rsa/vars

 

export KEY_COUNTRY=ZN
export KEY_PROVINCE=BeiJing
export KEY_CITY=BeiJing
export KEY_ORG="RFGZ"
export KEY_EMAIL=yinchuan131@gmail.com

 

          4)初始化PKI

# cd easy-rsa/
# source vars
# ./clean-all
# ./build-ca

 

         5)创建服务器密钥 !Common Name必须填写server，其余默认即可

# ./build-key-server server

 

          6)创建客户端密钥跟证书 !Common Name对应填写client1，其作为今后识别客户端的标识

# ./build-key client1

 

          7)创建Diffie Hellman参数--Diffie Hellman参数是增强安全性的，在OpenVpn是必须的

# ./build-dh

 

         8)修改配置文件

                  网桥配置文件：

# cd /etc/openvpn/
# vi bridge-start

 

#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth3"
eth_ip="1.1.1.239"
eth_netmask="255.255.255.0"
eth_broadcast="1.1.1.255"
for t in $tap; do
    openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
    brctl addif $br $t
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

 

              服务配置文件

# vi server.conf

 

local 192.168.0.221
port 1194
proto tcp
dev tap0
ca ./easy-rsa/keys/ca.crt
cert ./easy-rsa/keys/server.crt
key ./easy-rsa/keys/server.key  # This file should be kept secret
dh ./easy-rsa/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
#为客户端分配 200～209 间的IP
server-bridge 10.0.0.200 255.255.255.0 10.0.0.200 10.0.0.209
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4

 

5.OpenV# cd /etc/openvpn/
        先开启网桥
 

# ./bridge-start

 

 # openvpn server.conf

 

     以” Initialization Sequence Completed”结尾的提示，证明服务端启动成功pn服务端

 

6.OpenVpn(客户端)安装
        XP环境下：
            openvpn-2.0.9-gui-1.0.3-install.exe *客户端版本要与服务器端OpenVpn版本一致
 
            安装完成后系统添加一个 TAP-Win32 Adapter 适配器

 

7.OpenVpn(客户端)配置
        证书：
              将服务器端生成的证书 ca.crt ，ca.key，client1.crt，client1.csr，client1.key拷贝至安装目录下的config文件夹中

        配置文件：
              在config文件夹中创建client.ovpn配置文件：

client
dev tap
proto tcp
remote 192.168.0.221 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 4

 8.启动OpenVpn客户端，连接至服务端
          右键托盘OpenVpn Gui   Connect
          链接成功后托盘图标变绿，本地Ip添加了10.0.0.200