使用openv屁恩打通两个异地网络

章节 

  • 概述
  • 部署openvpn服务端
  • 部署openvpn客户端
  • 测试
  • 总结

 

一、概述


在实际的IT环境中会有这样的需求:想让两个异地网络层面互通,能够互相访问。常见的场景有:

  • 两个分支机构网络互通,如分支机构实时将传数据给总部处理
  • 办公室网络与IDC机房互通,如运维或技术人员要远程管理IDC机房内的服务器,IDC内的服务器也要访问办公室内网的服务器
  • 两个IDC机房内网互通,如两边同步数据、互相访问等

当然,这样的需求你可以拉专线但太贵,我们用openvpn来做

下面的例子:使用openvpn搭建vpn服务器打通A和B两个异地网络,让A局域网中的172.16.10.0/24段可以和B局域网中的172.16.20.0/24段可以网络互通,就好像在一个局域网一样.

环境说明:

角色 ip
OPENVPN服务器

192.168.0.124/24(模拟外网)

172.16.10.206/24(内网)

10.8.0.1  10.8.0.2 (vpn虚拟网卡地址)

OPENVPN客户端

192.16.0.200/24

172.16.20.201/24(内网)

10.8.0.6 10.8.0.5 (vpn虚拟网卡地址)

A局域网主机 172.16.10.207/24
B局域网主机 172.16.20.201/24

二、部署openvpn服务端(192.168.0.124)


 关闭selinux

# setenforce 0
setenforce: SELinux is disabled

开启路由转发

编辑  /etc/sysctl.conf 文件将 net.ipv4.ip_forward = 0 改为  net.ipv4.ip_forward = 1,然后执行

# sysctl -p

安装openvpn

# curl http://mirrors.aliyun.com/repo/epel-6.repo  -o  /etc/yum.repos.d/epel-6.repo --silent   # 添加阿里的EPEL源
# yum install openssl openvpn easy-rsa lzo -y 

创建相关目录及配置

# mkdir /var/log/openvpn                      # 放openvpn相关日志文件
# mkdir /etc/openvpn/easy-rsa                 # 放easy-rsa包提供的相关工具
# mkdir /etc/openvpn/ccd                      # openvpn客户端的配置目录,后面会用到
# mkdir /var/run/openvpn                      # 放openvpn的pid文件

将easy-ras包提供的工具复制到 /etc/openvpn/easy-rsa

# cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ -r 

编辑 /etc/openvpn/easy-rsa/vars 文件,找到下面的变量修改成你指定的值,后面生成证书的时候会应用这些变量值

export KEY_COUNTRY="CN"        # 国家
export KEY_PROVINCE="GD"       # 省份
export KEY_CITY="GZ"           # 城市
export KEY_ORG="MY_ORG"        # 组织/公司
export KEY_EMAIL="vpn@qq.com"  # 邮箱
export KEY_OU="vpn"            # 单位  
export KEY_NAME="openvpn"      # 服务器名称

然后执行

# source vars      # 导入vars文件中的变量作为当前的环境变量
# ./clean-all      # 清除keys目录下的文件

生成CA

也就是证书颁发机构,用来颁发证书

# cd /etc/openvpn/easy-rsa
# ./build-ca   

生成服务器证书

# ./build-key-server vpnserver               # 起个名字叫vpnserver
Generating a 2048 bit RSA private key
................................+++
.....+++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnserver]:
Name [vpn]:
Email Address [vpn@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                 
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GZ'
organizationName      :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'vpnserver'
name                  :PRINTABLE:'vpn'
emailAddress          :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:26:49 2026 GMT (3650 days)
Sign the certificate? [y/n]:y         # 输入y

1 out of 1 certificate requests certified, commit? [y/n]y   # 输入y
Write out database with 1 new entries
Data Base Updated

生成客户端证书

# ./build-key vpnclient                  # 起个名字叫vpnclient,表示为vpnclient这个客户端生成证书
Generating a 2048 bit RSA private key
.......+++
....................+++
writing new private key to 'vpnclient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnclient]:
Name [vpn]:
Email Address [vpn@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GZ'
organizationName      :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'vpnclient'
name                  :PRINTABLE:'vpn'
emailAddress          :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:30:42 2026 GMT (3650 days)
Sign the certificate? [y/n]:y    # 输入y


1 out of 1 certificate requests certified, commit? [y/n]y   # 输入y
Write out database with 1 new entries
Data Base Updated

创建Diffie Hellman密钥文件

需要一点时间

# ./build-dh

配置openvpn

编辑/etc/openvpn/server.conf文件,内容如下

local 192.168.0.124
port 1999        
proto tcp-server       
dev tun        
ca   /etc/openvpn/easy-rsa/keys/ca.crt       
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key  /etc/openvpn/easy-rsa/keys/vpnserver.key  
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt              
client-config-dir /etc/openvpn/ccd                   
push "route 172.16.10.0 255.255.255.0"  # 推送给客户端的路由,告诉客户端添加静态路由,让去172.16.10.10/24网段的都走vpn服务器,vpn服务器后端又几个网段就写几个
route 172.16.20.0 255.255.255.0         # 启动时给openvpn服务器添加路由,告诉服务器去172.16.20.0/24网段的都走虚拟机网卡(tun0),相当于静态路由.
keepalive 10 120                       
comp-lzo                              
max-clients 100                      
user nobody                         
group nobody
client-to-client                   
duplicate-cn                      
persist-key
persist-tun                     
status    /var/log/openvpn/openvpn-status.log        
log       /var/log/openvpn/openvpn.log
writepid  /var/run/openvpn/server.pid
verb 3
mute 20

启动openvpn服务端

# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on

查看tun0接口和路由

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# route -n | grep tun0 
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0   # 主机路由
172.16.20.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0   # 静态路由,去172.16.20.0段下一跳是10.8.0.2
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0   # 静态路由,去10.8.0.2.0段下一跳是10.8.0.2

指定客户端配置

指定vpnclient这个客户端的配置,编辑 /etc/openvpn/ccd/vpnclient ,内容如下

ifconfig-push 10.8.0.6 10.8.0.5      # 配置客户端的IP
iroute 172.16.20.0 255.255.255.0     # 告诉服务端,我的网段是172.16.20.0/24

三、部署openvpn客户端(192.168.0.200)


 关闭selinux

# setenforce 0
setenforce: SELinux is disabled

开启路由转发

编辑  /etc/sysctl.conf 文件将 net.ipv4.ip_forward = 0 改为  net.ipv4.ip_forward = 1,然后执行

# sysctl -p

安装openvpn

# curl http://mirrors.aliyun.com/repo/epel-6.repo  -o  /etc/yum.repos.d/epel-6.repo --silent   # 添加阿里的EPEL源
# yum install openssl openvpn easy-rsa lzo -y 

创建相关目录及配置

# mkdir /etc/openvpn/keys          # 放客户端的相关证书
# mkdir /var/log/openvpn           # 放日志的目录

将openvpn服务器上 /etc/openvpn/easy-rsa/keys 下的 ca.crt、vpnclient.crt、vpnclient.key 这些证书文件拉下来放到 /etc/openvpn/keys

# ls /etc/openvpn/keys
ca.crt  vpnclient.crt  vpnclient.key

配置openvpn客户端

编辑客户端的配置文件/etc/openvpn/client.conf,内容如下

client
dev tun
proto tcp-client
remote 192.168.0.124 1999
resolv-retry infinite
nobind
persist-key
persist-tun
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnclient.crt
key  /etc/openvpn/keys/vpnclient.key
remote-cert-tls server
auth-nocache user nobody group nobody status
/var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log comp-lzo verb 3 mute 20

启动openvpn客户端

# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on

客户端启动后只有进程,因为它作为客户端去连服务端,不需要提供端口

# ps aux | grep vpn
nobody    4236  0.1  0.3  46916  3232 ?        Ss   01:36   0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/client.pid 
--cd /etc/openvpn --config client.conf --script-security 2

查看tun0接口和路由

# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# route -n | grep tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0   # 主机路由
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0   # 静态路由,去10.8.0.0/24网段下一跳10.8.0.5
172.16.10.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0   # 静态路由,去172.16.10.0/24网段下一跳10.8.0.5

四、测试(172.16.10.207、172.16.20.201)


在A局域网主机172.16.10.207上添加路由

ip route add 172.16.20.0/24 via 172.16.10.206            // 如果是linux
route add 172.16.20.0 mask 255.255.255.0 172.16.10.206   // 如果是windows

上面的路由表示A去B局域网172.16.20.0段的下一跳是172.16.10.206,也就是把包转发给vpnserver

在B局域网主机172.16.20.201上添加路由

ip route add 172.16.10.0/24 via 172.16.20.200           // 如果是linux
route add 172.16.10.0 mask 255.255.255.0 172.16.20.200  // 如果是windows

上面的路由表示B去A局域网172.16.10.0端的下一跳是172.16.20.200,也就是把包转发给vpnclient

最后,在A局域网主机 172.16.10.207 上ping 172.16.20.201

# ping 172.16.20.201
PING 172.16.20.201 (172.16.20.201) 56(84) bytes of data.
64 bytes from 172.16.20.201: icmp_seq=1 ttl=62 time=1.44 ms
64 bytes from 172.16.20.201: icmp_seq=2 ttl=62 time=0.752 ms
64 bytes from 172.16.20.201: icmp_seq=3 ttl=62 time=0.674 ms
64 bytes from 172.16.20.201: icmp_seq=4 ttl=62 time=0.785 ms
^C
--- 172.16.20.201 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 0.674/0.913/1.441/0.307 ms

在B局域网主机 172.16.20.201上ping 172.16.10.207

# ping 172.16.10.207
PING 172.16.10.207 (172.16.10.207) 56(84) bytes of data.
64 bytes from 172.16.10.207: icmp_seq=1 ttl=62 time=5.72 ms
64 bytes from 172.16.10.207: icmp_seq=2 ttl=62 time=0.674 ms
^C
--- 172.16.10.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1400ms
rtt min/avg/max/mdev = 0.674/3.200/5.727/2.527 ms

两边可以ping通,表示OK

可以改进的地方

如果A和B局域网内很有多主机,那么每台机都要加很多次路由,比较麻烦,在实际的环境中可以在内网的路由器上做,这样就不需要在主机上配,比较省事.

五、总结

vpn的目的和作用就是从网络层面打通两个或以上异地网络,就好像在同一个局域网

vpnserver和vpnclient做好之后可以看成路由

如果要用vpn互相传数据的话,带宽尽可能大,有必要的话可以做端口绑定,高可用

 

posted @ 2017-10-20 18:11  opss  阅读(15212)  评论(3编辑  收藏  举报