Xiaopei's DokuWiki


VPN

especially OpenVPN

clients

Lesson learned: in a Tunnelblick .tblk bundle, put the certificates/keys and the configuration file at the same level, otherwise the bundle often fails to load.

If the VPN does not support split routing, you can use fivesheep/chnroutes to obtain the domestic (China) IP ranges and set up split routing by hand. Reference: Mac系统使用Tunnelblick实现OpenVPN翻墙 | Ming's Blog

$ python chnroutes.py -p mac
# generates the ip-up and ip-down scripts
$ chmod a+x ip-*
$ cp ip-* getqujing.tblk/
$ vi getqujing.tblk/client.ovpn
# add the following two lines
up ip-up
down ip-down

Ad-hoc P2P Networks

# @Server
server:~$ sudo openvpn --remote 111.111.111.111 --dev tun0 --ifconfig 10.0.0.1 10.0.0.2
# @Client
client:~$ sudo openvpn --remote 222.222.222.222 --dev tun0 --ifconfig 10.0.0.2 10.0.0.1
# Note: with neither --secret nor any TLS options, openvpn brings this tunnel up
# with encryption and authentication disabled (it logs a warning saying so).

C/S Ethernet-style Networks

set up the PKI (Public Key Infrastructure)

Approach

Steps

  1. Create your own Certificate Authority (CA) certificate.
  2. Create an OpenVPN server certificate.
  3. Generate client certificates.

Walkthrough

### @Server
 
# copy the easy-rsa utils
$ cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
$ cd /etc/openvpn/easy-rsa/2.0
 
# configure the environment
$ vi vars
# set a larger KEY_SIZE
export KEY_SIZE=2048
# fill in appropriate identity details
export KEY_COUNTRY=US
export KEY_PROVINCE=NA
export KEY_CITY=Linuxville
export KEY_ORG="Alrac.net-test"
export KEY_EMAIL="carla@alrac.net"
$ . ./vars
$ ./clean-all
 
 
# pick the file matching your openssl version
$ ln -s openssl-VERSION.cnf openssl.cnf
 
# every build-* script below accepts --batch to skip the interactive prompts
 
# build the CA
$ ./build-ca
 
# generate the server key pair and certificate
$ ./build-key-server openvpnserver
 
# generate an ordinary client key pair
$ ./build-key openvpnclient1
# or a passphrase-protected key pair
$ ./build-key-pass openvpnclient2
 
# generate the DH parameters (written to keys/dh${KEY_SIZE}.pem, i.e. dh2048.pem here)
$ ./build-dh
 
# generate the tls-auth key
$ cd keys/
$ openvpn --genkey --secret ta.key
 
# to issue key pairs for further clients later, the procedure is:
$ . ./vars
$ ./build-key anotherclient
 
 
### @Client
 
# install the keys
# client1 needs ca.crt client1.crt client1.key ta.key copied from the server
# (only the client's own .key goes to the client; ca.key stays on the CA host)
# see the configuration below for how they are used
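The three steps above (CA, server certificate, client certificates) carried out with plain openssl instead of the easy-rsa wrappers, as an added example that is not part of this wiki page. It builds the same kind of PKI into a directory of your choice and then runs the checks worth doing before a key set is copied to a client: each certificate chains to ca.crt, each private key matches its certificate, and only the server certificate carries the serverAuth purpose that the client's `ns-cert-type server` check relies on. Directory, subject names and the 3650/1000-day lifetimes are constructed for the example (the lifetimes mirror CA_EXPIRE and KEY_EXPIRE from vars); it assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands: a minimal OpenVPN-style PKI
# built with openssl directly, plus consistency checks on the result.
set -eu

# Returns 0 when the certificate's extended key usage contains the given purpose text.
cert_has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Step 1: CA key + self-signed CA cert. Steps 2 and 3: server and client key
# pairs, each signed by the CA. The server cert gets serverAuth, the client
# cert clientAuth, so a client cert can never impersonate the server.
build_test_pki() {
    dir=$1
    mkdir -p "$dir"

    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/CN=Example OpenVPN CA" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/openvpnserver.key" \
        -out "$dir/openvpnserver.csr" -subj "/CN=openvpnserver" 2>/dev/null
    openssl x509 -req -days 1000 -in "$dir/openvpnserver.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/openvpnserver.crt" 2>/dev/null

    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/openvpnclient1.key" \
        -out "$dir/openvpnclient1.csr" -subj "/CN=openvpnclient1" 2>/dev/null
    openssl x509 -req -days 1000 -in "$dir/openvpnclient1.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/openvpnclient1.crt" 2>/dev/null
}

# Checks before deployment: chain to the CA, key/cert match, and the server
# purpose present on the server cert only. Returns 0 when everything is consistent.
check_pki() {
    dir=$1
    for name in openvpnserver openvpnclient1; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
        crt_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
        key_pub=$(openssl pkey -in "$dir/$name.key" -pubout)
        [ "$crt_pub" = "$key_pub" ] || return 1
    done
    cert_has_eku "$dir/openvpnserver.crt" "TLS Web Server Authentication" || return 1
    cert_has_eku "$dir/openvpnclient1.crt" "TLS Web Server Authentication" && return 1
    return 0
}

# Usage: sh pki-example.sh /tmp/test-pki
if [ "$#" -eq 1 ]; then
    build_test_pki "$1" && check_pki "$1" && echo "PKI OK: $1"
fi
```

The EKU check is the point that easy-rsa hides: `build-key-server` is what adds the server purpose, and a client built with plain `build-key` lacks it, which is exactly what the client-side `ns-cert-type server` line later in this page enforces.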

vars explained

  • KEY_SIZE=2048: This is the cipher strength for all private keys. The longer the key size is, the stronger the encryption. Unfortunately, it also makes the encryption process slower.
  • CA_EXPIRE=3650: This gives the number of days the CA certificate is considered valid, thus translating to a period of 10 years. For a medium-secure setup, this is fine, but if stronger security is required this number needs to be lowered.
  • KEY_EXPIRE=1000: This gives the number of days for which the client or server certificate is considered valid, thus translating to a period of almost 3 years.
  • KEY_COUNTRY="NL", KEY_PROVINCE=, KEY_CITY=, KEY_ORG="Cookbook", KEY_EMAIL=openvpn-ca@cookbook.example.com: These variables are all used to form the certificate Distinguished Name (DN). None of them are required, but both OpenVPN and OpenSSL suggest using at least KEY_COUNTRY to indicate where a certificate was issued.

Configure & run

  • After the VPN is set up, the clients sit in one LAN
  • The gateway of this LAN is the Server, which provides NAT towards the WAN1)

server

Other configuration
# enable IP forwarding
$ sysctl -w net.ipv4.ip_forward=1
# the above is only a temporary change and is lost on reboot; write it to the file
$ echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
 
# NAT for the VPN subnet
$ iptables -t nat -I POSTROUTING -o eth0 -s 192.168.99.0/24 -j MASQUERADE
# the tutorial writes it as below, but -i tap+ fails with: iptables v1.4.12: Can't use -i with POSTROUTING
# iptables -t nat -I POSTROUTING -i tap+ -o eth0 -s 192.168.99.0/24 -j MASQUERADE

For saving the iptables rules see: iptables

openvpn
/etc/openvpn/server.conf
tls-server
proto udp
port 1194
dev tap
server 192.168.99.0 255.255.255.0
 
ca       /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert     /etc/openvpn/easy-rsa/2.0/keys/openvpnserver.crt
key      /etc/openvpn/easy-rsa/2.0/keys/openvpnserver.key
# build-dh names the file after KEY_SIZE, so with KEY_SIZE=2048 it is dh2048.pem
dh       /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
# key direction: 0 on the server, 1 on the client
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
 
persist-key
persist-tun
keepalive 10 60
 
push "route 10.198.0.0 255.255.0.0"
 
# uncomment to drop privileges after startup
#user  nobody
#group nobody
daemon
log-append /var/log/openvpn.log

run

$ openvpn --config /etc/openvpn/server.conf

client

/etc/openvpn/client.conf
client
proto udp
remote openvpnserver.example.com
port 1194
dev tap
nobind
 
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key
# key direction 1 on the client (0 on the server)
tls-auth /etc/openvpn/keys/ta.key 1
 
# reject a peer whose certificate is not marked as a server certificate;
# OpenVPN 2.4+ deprecates this directive in favour of "remote-cert-tls server"
ns-cert-type server

run

$ openvpn --config /etc/openvpn/client.conf

refs

1)
The WAN range is specified in the openvpn configuration
it/linux/vpn.txt · Last modified: 2015/01/27 21:55 by admin