There are already plenty of posts about OpenVPN online, so I won't repeat the basics here; beginners can search on Google and will always find a few good ones. I looked through them myself: most cover Windows and Linux, and they are decent. Here I only want to cover the peculiar problems and caveats of configuring OpenVPN on Kylin, in the hope of promoting Kylin and supporting domestic software! :)
1. About OpenVPN
OpenVPN is an application-layer VPN implementation built on the OpenSSL library. Compared with traditional VPNs, its advantage is that it is simple and easy to use. See http://www.openvpn.net for details.
With OpenVPN you get secure transport and secure authentication over the network, and so can build a virtual private network. OpenVPN is simple to configure and offers many options, including the authentication method (certificates, or username + password), the cipher and its strength (the usual ciphers; you can also add your own in OpenSSL), certificate handling (how certificates are managed), transport mode (with or without compression), and so on.
Generally speaking, OpenVPN supports the following secure transport modes:
1. Point-to-point secure communication (authentication plus encrypted transport);
2. Point-to-multipoint secure communication (client/server mode);
3. A virtual private network (the highest-level kung fu ^_^).
See the website for more. Here I mainly cover a certificate-based VPN configuration.
At present OpenVPN is at stable version 2.0.7 and beta 2.1_beta14; it is updated quickly and already supports PKCS#11 hardware devices.
2. Configuring OpenVPN on different Kylin versions
Most posts online are about configuring and using OpenVPN on Windows and Linux.
Windows is the simplest: run Setup, edit the sample config files, start the service. That is basically it.
Linux is a little more involved: follow the documentation to install lzo, openssl and openvpn, then edit the config files; for this basic guide, editing the sample config files is enough. Then start the service and the connection comes up.
Of course, remember to generate the certificates! See the OpenVPN HOWTO; it is basically step by step.
Now let's configure OpenVPN on Kylin.
1) Installing the software
First, download the files you need: lzo-ver.tar.gz and openvpn-ver.tar.gz.
Next, install them.
lzo-ver.tar.gz:
tar -xzf lzo-ver.tar.gz
cd lzo*
./configure
make
make install
Then you can leave it alone.
openvpn-ver.tar.gz:
tar -xzf openvpn-ver.tar.gz
cd openvpn*
./configure
make
make install
Installation done.
2) Generating certificates
Next, generate the key pairs you need.
Change into the directory openvpn/easy-rsa
and run the following commands:
. ./vars (note the space between the two dots)
./clean-all
./build-ca (initialise the PKI)
./build-key-server server (generate the server certificate and private key)
./build-key client1 (generate the certificate and private key for client 1)
./build-key client2
./build-dh (generate the Diffie-Hellman parameters)
When done, distribute the files according to the key-file table:
Filename     Needed By                 Purpose                    Secret
ca.crt       server + all clients      Root CA certificate        NO
ca.key       key signing machine only  Root CA key                YES
dh{n}.pem    server only               Diffie-Hellman parameters  NO
server.crt   server only               Server certificate         NO
server.key   server only               Server key                 YES
client1.crt  client1 only              Client1 certificate        NO
client1.key  client1 only              Client1 key                YES
client2.crt  client2 only              Client2 certificate        NO
client2.key  client2 only              Client2 key                YES
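A check on the distribution table, as an added example that is not part of the original post: the shell script below audits a directory against the roles in the table (server, client1, client2, and the signing machine that alone holds ca.key), requiring that every file the role needs is present, that .key files are readable only by their owner, and that no private key belonging to another role has crept in (the classic mistake being ca.key copied to the server or a client). The directory layout, the 0600 permission rule and the sample tree it builds are this example's own assumptions; the files it creates are empty placeholders, not key material.

```shell
#!/bin/sh
# Added example, not from the original post: audit a key directory against
# the distribution table. Roles, file names and the Secret column follow
# the table; the 0600 rule for private keys is this example's own policy.

# files_for_role ROLE: the files the table says ROLE must hold.
files_for_role() {
  case "$1" in
    server)  echo "ca.crt dh*.pem server.crt server.key" ;;
    client1) echo "ca.crt client1.crt client1.key" ;;
    client2) echo "ca.crt client2.crt client2.key" ;;
    signer)  echo "ca.crt ca.key" ;;   # the key-signing machine
    *)       return 1 ;;
  esac
}

# audit_dir ROLE DIR: 0 if DIR holds every file ROLE needs, every .key is
# mode 600, and no private key of another role (e.g. ca.key) is present.
audit_dir() {
  role=$1; dir=$2; rc=0
  list=$(files_for_role "$role") || return 2
  for pat in $list; do
    found=0
    for f in "$dir"/$pat; do           # unquoted $pat lets dh*.pem glob
      [ -e "$f" ] || continue
      found=1
      case "$f" in
        *.key)
          mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
          [ "$mode" = "600" ] || { echo "$f: mode $mode, want 600"; rc=1; }
          ;;
      esac
    done
    [ "$found" -eq 1 ] || { echo "$dir: missing $pat"; rc=1; }
  done
  for f in "$dir"/*.key; do            # secrets that should not be here
    [ -e "$f" ] || continue
    case " $list " in
      *" $(basename "$f") "*) ;;
      *) echo "$f: secret not needed by role $role"; rc=1 ;;
    esac
  done
  return $rc
}

# make_sample: constructed tree with empty placeholder files (no real keys).
# server/ is correct; client1/ wrongly carries ca.key as well.
make_sample() {
  base=$(mktemp -d)
  mkdir "$base/server" "$base/client1"
  for f in ca.crt dh1024.pem server.crt server.key; do : > "$base/server/$f"; done
  for f in ca.crt client1.crt client1.key ca.key; do : > "$base/client1/$f"; done
  chmod 600 "$base/server/server.key" "$base/client1/client1.key" "$base/client1/ca.key"
  echo "$base"
}

base=$(make_sample)
audit_dir server "$base/server" && echo "server: OK"
audit_dir client1 "$base/client1" || echo "client1: problems found"
rm -rf "$base"
```

Run it against the real directories on each machine after copying the files; a non-zero exit from audit_dir lists every reason, so it can be dropped into a deployment script as a gate.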
3) Configuring the server and client
With the certificates and keys in place, you can start configuring OpenVPN. For simplicity, put the certificates and keys in the sample_config_files directory and then edit the config files there.
First the server side: edit server.conf.
Here is an annotated example:
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Listen address; no need to change it
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# Listen port; you can leave it alone too if you want to save effort
# TCP or UDP server?
;proto tcp
proto udp
# Transport protocol, pick one; just keep client and server the same
;dev tap
dev tun
# The virtual network device the VPN needs. Choose TAP only for Ethernet bridging mode; otherwise TUN is the norm. On Windows the adapter is called TAP-Win32, but you still write TUN here.
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# On Windows the TAP adapter name must match the name shown in Network Connections (rename it by hand)
# Actually you can ignore it; just leave it commented out like this.
# several lines of English omitted here
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Get the file paths and names right here. If the certificates and server.conf sit in the same directory it is easiest: no matter the system, the config file needs no change. Otherwise, be careful not to get the path wrong.
# Diffie hellman parameters.
dh dh1024.pem
# No change needed
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Defines the server's IP address allocation. By default OpenVPN behaves like DHCP: each certificate gets one IP (actually a pair of point-to-point linked IPs).
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# No change needed
# Configure server mode for ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# For bridging; ignore it
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# Routing configuration for client connectivity; change as needed
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# Advanced feature; usually leave it alone.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Assign a fixed IP
# several unused config lines omitted here
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Setting that lets clients reach each other
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# Setting for several clients sharing one set of certificates; otherwise it is one-to-one and a later client connecting with the same certificate fails.
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Leave it
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Advanced; better leave it alone
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Can be left alone; the default is BF-CBC. You can also turn encryption off by changing it to
#cipher none # no encryption
# Note that both ends of the link must match.
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# If you installed lzo, enable it; both sides must match.
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# Maximum number of client connections
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
# A security measure, for non-Windows systems.
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Leave as is
# Logging section omitted;
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# See the English comment
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Periodic traffic to check liveness
#################################################
There are quite a few options, but little actually needs changing. You only need to: pick the right virtual device, set the VPN IP range, and point at the right certificate files. For everything else, just keep server and client consistent.
Below is the client config file; only the parts that need changing are listed:
# Select the TUN/TAP interface.
;dev tap
dev tun
# Transport protocol
;proto tcp
proto udp
# Server address and port
remote my-server-1 1194
# Client certificate files
ca ca.crt
cert client.crt
key client.key
# Cipher; must match the server
;cipher x
# Must match as well
comp-lzo
Client configuration done.
4) Starting OpenVPN
Anyone who has set up OpenVPN on Windows or Linux knows there seems to be nothing left to say here, except that OpenVPN happens not to support our home-grown Kylin: it needs some manual localisation before it connects. That comes later; first, starting it on Windows and Linux.
On Windows: select the config file server.ovpn, right-click and choose "Start OpenVPN on this config file", wait about half a minute, and it reports started OK; the server is now listening.
Then the client's client.ovpn: right-click, "Start OpenVPN on this config file"; a console window pops up, connects to the server, verifies the certificates, obtains an IP address, connection OK. The server side also shows the connection (when running in the foreground, of course).
Test connectivity:
Client: ping 10.8.0.1
Server: ping 10.8.0.*
Does it work?
Not working? Is your XP firewall on? Did you type the IP correctly?
Then it should work.
Congratulations.
Linux is about the same, just with different commands:
Server: > openvpn server.conf
Client: > openvpn client1.conf
If it doesn't work, that's your own problem.
Tested on: Windows XP; Fedora Core; FreeBSD
Now for Kylin!
Start with Kylin 1.4!
Start commands:
Server: > openvpn server.conf
Client: > openvpn client.conf
Ping:
Server: > ping: parameter error
Client: > ping: parameter error
Strange. It is supposed to be supported, so why no connectivity?
Look at the screen output: errors!
Server: Error 1: TUN not found
Me: TUN is the Linux name; on Kylin it is called TUN0. Read on.
Server: found TUN0.
Me: fine, the device is OK then.
Server: route: bad address: netmask
So it does not recognise this. Look at the routing table.
Server: netstat -rn // remember this command, you will use it a lot
Look closely: there is no VPN route. So that's it; do it by hand.
Server: man route
The add command differs from Linux's. Change it myself:
Server> /sbin/route add -net 10.8.0.0 -netmask 255.255.255.0 -gateway 10.8.0.2
Server> netstat -rn
Route table: 10.8/16 10.8.0.2 UGS 0 0 tun0
Look again: there it is.
Change the client the same way:
Client> /sbin/route add -net 10.8.0.1 -netmask 255.255.255.255 -gateway 10.8.0.* (the client IP address you were assigned)
Client> netstat -rn
Client route table: 10.8.0.1/32 10.8.0.5 UGS 0 0 tun0
Ping again, and it works!
Let's analyse this.
OpenVPN treats Kylin as Linux (because of its Linux compatibility) and therefore uses the Linux route command (see route.c), so adding the route fails. After adding it by hand everything works.
Second, the server also reports an error:
Server> enable extended error passing on TCP/UDP socket failed: Invalid argument
This error comes from the setsockopt() call in mtu.c, which passes a parameter Kylin does not recognise; it is only used for passing debugging information, so it can be ignored and OpenVPN runs normally.
Testing shows Kylin 1.4 communicates normally with Kylin, Windows and Linux. Capture the packets and have a look: it really is encrypted.
Upgrade Kylin and let's look at Kylin 2.0.
Everything up to here is the same; no need to repeat it.
After adding the route by hand...
Ping fails no matter what! Panic!
Look at the routing table again:
Server> netstat -rn
Route table: 10.8/16 10.8.0.2 UGS 0 0 bge0
Argh! Packets meant for tun0 are being handed to the real network device; no wonder nothing gets through.
man route;
info route;
Google route
I simply could not find a way to change the interface directly to tun0. Do I have to write a program to change it?
Frustrated, I tried things at random, and finally found a shortcut:
Server:
Server> ifconfig   (look at the IP addresses first)
Server> tun0: inet addr: 10.8.0.1 P-t-P: 10.8.0.2
The tun0 device's IP is .1, so first add a route by hand:
Server> /sbin/route add -host 10.8.0.2 -gateway 10.8.0.1 -interface *.*.*.* (your real IP address)
Server> netstat -rn
Route table: && 10.8.0.1 US 0 0 tun0
Finally they are connected; now add the correct route.
Server> /sbin/route add -net 10.8.0.0 -netmask 255.255.255.0 -gateway 10.8.0.2
Server> netstat -rn
Route table: 10.8/16 10.8.0.2 UGS 0 0 tun0
Done.
Change the client the same way.
Client> ifconfig
client> tun0: inet addr: 10.8.0.6 P-t-P: 10.8.0.5
Client> /sbin/route add -host 10.8.0.5 -gateway 10.8.0.6 -interface *.*.*.* (your real IP address)
Client> /sbin/route add -net 10.8.0.1 -netmask 255.255.255.255 -gateway 10.8.0.* (the client IP address you were assigned)
The routing table is now correct. Test again: Kylin 1.4, Kylin 2.0, Windows and Linux all communicate normally.
And with that, it's done.
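A small helper for the Kylin 2.0 symptom just described, as an added example not from the original post: it parses netstat -rn output to confirm that the VPN subnet is bound to a tun interface rather than the physical NIC, and derives the two route commands used above from a tun0 ifconfig line (host route for the point-to-point peer via the local tun address first, then the subnet via that peer). It only prints the commands, since changing routes needs root on a Kylin box; the netstat and ifconfig samples are constructed after the lines quoted above, and 192.0.2.10 stands in for the real address.

```shell
#!/bin/sh
# Added example, not from the original post. Detects whether the VPN
# subnet route points at a tun interface, and derives the Kylin 2.0
# repair commands from a tun0 ifconfig line. Nothing here changes routes.

# route_iface ROUTEFILE DEST: interface (last column of netstat -rn output)
# of the route whose destination column equals DEST, or "none".
route_iface() {
  awk -v dest="$2" '
    $1 == dest { found = $NF }
    END { if (found == "") found = "none"; print found }
  ' "$1"
}

# vpn_route_ok ROUTEFILE DEST: 0 only if DEST is routed via a tun interface.
vpn_route_ok() {
  case "$(route_iface "$1" "$2")" in
    tun*) return 0 ;;
    *)    return 1 ;;
  esac
}

# kylin2_route_cmds TUNLINE NET MASK REAL_IP: from an ifconfig line such as
#   tun0: inet addr: 10.8.0.1 P-t-P: 10.8.0.2
# print the two commands from the post: first bind the point-to-point peer
# to tun0 via the local tun address, then add NET/MASK via that peer.
kylin2_route_cmds() {
  local_ip=$(printf '%s\n' "$1" | sed -n 's/.*inet addr: *\([0-9.]*\).*/\1/p')
  peer_ip=$(printf '%s\n' "$1" | sed -n 's/.*P-t-P: *\([0-9.]*\).*/\1/p')
  [ -n "$local_ip" ] && [ -n "$peer_ip" ] || return 1
  echo "/sbin/route add -host $peer_ip -gateway $local_ip -interface $4"
  echo "/sbin/route add -net $2 -netmask $3 -gateway $peer_ip"
}

# write_routes IFACE: constructed netstat -rn output modelled on the post,
# with the 10.8/16 route on IFACE (bge0 reproduces the Kylin 2.0 symptom).
write_routes() {
  f=$(mktemp)
  printf 'Destination Gateway Flags Refs Use Netif\n10.8/16 10.8.0.2 UGS 0 0 %s\n' "$1" > "$f"
  echo "$f"
}

broken=$(write_routes bge0)
fixed=$(write_routes tun0)
if vpn_route_ok "$broken" 10.8/16; then
  echo "route OK"
else
  echo "10.8/16 is on $(route_iface "$broken" 10.8/16), not tun0; repair with:"
  kylin2_route_cmds "tun0: inet addr: 10.8.0.1 P-t-P: 10.8.0.2" 10.8.0.0 255.255.255.0 192.0.2.10
fi
vpn_route_ok "$fixed" 10.8/16 && echo "after repair: 10.8/16 via tun0"
rm -f "$broken" "$fixed"
```

On a real box, feed it `netstat -rn > routes.txt` and the tun0 line from ifconfig; a route that lands on bge0 or another physical interface means the VPN traffic would leave the box in the clear rather than through the tunnel, which is exactly why the ping above failed.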
3. Closing remarks
Kylin's influence is limited, after all, so we can't get OpenVPN to add build options for it, but thanks to its Linux compatibility OpenVPN is entirely usable.
OpenVPN can build a secure VPN across several platforms, and for Kylin, a domestic OS with higher security, there is a future as the VPN server.
I haven't yet tested whether Kylin 2.1 fixes this small problem, nor some of OpenVPN's advanced settings. Once I have, I'll write an advanced OpenVPN configuration post.