UbuntuHelp:OpenVPN
From Ubuntu Chinese
Intro/Overview
Overview
OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu repositories. It is flexible, easy to use, reliable and secure. I'll walk you through setting up a bridged VPN on Ubuntu 8.04 using x509 certificates, and then through the general administration tasks.
What is a bridged VPN
A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system. The VPN accomplishes this with a combination of two virtual devices, a bridge and a tap device. A tap device acts as a virtual Ethernet adapter and the bridge device acts as a virtual hub. When you bridge a physical Ethernet device and a tap device, you are essentially creating a hub between the physical network and the remote clients. Therefore, all LAN services are visible to the remote clients. My use case was creating a virtual lab for my company's sales engineers so that it was possible to net boot remote embedded clients from anywhere in the world.
Setting up the System
Setting up a bridged VPN solution is not hard. However, it does require that you understand how to use the Linux shell and the Linux networking stack. This entire installation was performed using Ubuntu JeOS 8.04 in a KVM virtual machine, but it could just as easily have been performed on Ubuntu Server. All of my comments in configuration files are preceded by two pound signs (##).
Installing the Server
OpenVPN is installed by
sudo apt-get install openvpn bridge-utils
Setting up the Bridge
Now you need to edit /etc/network/interfaces
sudo vi /etc/network/interfaces
In my case the network I wanted to share was connected to eth1 and the internet was provided by eth0. Therefore my /etc/network/interfaces looked like
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

## start on boot
auto br0
## use a static IP because this server is also the DHCP server.
## (interfaces(5) does not allow end-of-line comments, so every ## comment
## here sits on its own line)
iface br0 inet static
pre-up openvpn --mktun --dev tap0
address 192.168.23.1
network 192.168.23.0
netmask 255.255.255.0
broadcast 192.168.23.255
bridge_ports eth1 tap0
## the next four values are from the libvirt docs
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
to restart networking run
sudo /etc/init.d/networking restart
The bridging declarations here come from the libvirt documentation. I really only understand the bridge_ports directive and the bridge_stp directive, so if you know more than I do, help me out.
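A quick way to confirm that the stanza above actually produced the bridge you asked for is to read the kernel's bridge sysfs tree rather than eyeballing brctl output. The script below is an added example, not part of the original page. It assumes the sysfs mount point (/sys on a live system) is passed in as the first argument so that the same check can be run against a copied tree, and it verifies that br0 exists, that STP is off (the bridge_stp off line) and that eth1 and tap0 are both enslaved (the bridge_ports line).

```shell
#!/bin/sh
# Added example (not from the wiki page): verify that the br0 bridge from
# /etc/network/interfaces came up with the requested ports and STP setting.
# Reads the kernel's bridge sysfs tree, so it needs no brctl binary.
# SYSFS is a parameter (assumption) so the check can run against a copy.

# bridge_ok SYSFS BRIDGE PORT... -> 0 if BRIDGE exists, STP is off and every
# PORT is enslaved to it; prints what is wrong and returns 1 otherwise.
bridge_ok() {
    sysfs=$1; br=$2; shift 2
    rc=0
    brdir="$sysfs/class/net/$br"
    # a real bridge device has a bridge/ subdirectory in sysfs
    if [ ! -d "$brdir/bridge" ]; then
        echo "$br: not a bridge device (is bridge-utils installed and $br up?)"
        return 1
    fi
    # bridge_stp off in interfaces(5) shows up as stp_state 0
    if [ "$(cat "$brdir/bridge/stp_state")" != "0" ]; then
        echo "$br: STP is enabled, but the interfaces file asked for bridge_stp off"
        rc=1
    fi
    # each bridge_ports member appears as an entry under brif/
    for port in "$@"; do
        if [ ! -e "$brdir/brif/$port" ]; then
            echo "$br: port $port is not enslaved (did pre-up openvpn --mktun run?)"
            rc=1
        fi
    done
    return $rc
}

# Usage on the live system: sh bridge_ok.sh /sys br0 eth1 tap0
if [ $# -gt 0 ]; then
    bridge_ok "$@" && echo "bridge looks right"
fi
```

If tap0 is reported as missing, the usual cause is that the pre-up line did not run before br0 was brought up, so the bridge was created without it; rerunning the networking restart after confirming openvpn is installed normally fixes it.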
Generating Certificates
Next, we need to generate certificates for the server. In order to do this I will set up my own Certificate Authority using the easy-rsa scripts provided in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. An alternative is using tinyca to create your CA.
Step 1: Copy the files to the /etc/openvpn/easy-rsa/ directory
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
Step 2: Edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
Step 3: Set up the CA and create your first server certificate
sudo -i                                ## start a root shell
cd /etc/openvpn/easy-rsa/              ## move to the easy-rsa directory
source ./vars                          ## execute your new vars file
./clean-all                            ## set up the easy-rsa directory (deletes all keys)
./build-dh                             ## takes a while; consider backgrounding
./pkitool --initca                     ## creates ca cert and key
./pkitool --server server              ## creates a server cert and key
cd keys                                ## everything generated so far lives in keys/
openvpn --genkey --secret ta.key       ## build a TLS key
cp server.crt server.key ca.crt dh1024.pem ta.key ../../   ## copy to /etc/openvpn/
exit                                   ## exit the root shell
Your Certificate Authority is now set up and the needed keys are in /etc/openvpn/
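Before starting the server it is worth checking that the copy step actually landed every file server.conf will reference, and that the two secrets (server.key and ta.key) are not readable by other users. The script below is an added example, not from the page; it takes the directory to check as an argument (an assumption, so it can be pointed at a test copy) and, as a separate step that needs the openssl binary, confirms that server.crt really was issued by ca.crt.

```shell
#!/bin/sh
# Added example (not the page's own code): sanity-check the key material that
# the easy-rsa steps leave in /etc/openvpn before the server is started.
# DIR is a parameter (assumption) so the check can run against any directory.

# keys_ok DIR -> 0 if every file server.conf references is present and the two
# secrets are readable only by their owner; prints problems and returns 1 otherwise.
keys_ok() {
    dir=$1
    rc=0
    # files referenced by ca/cert/key/dh/tls-auth in server.conf
    for f in ca.crt server.crt server.key dh1024.pem ta.key; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f (did the cp from easy-rsa/keys run?)"
            rc=1
        fi
    done
    # private material must not be group- or world-readable
    for f in server.key ta.key; do
        if [ -f "$dir/$f" ]; then
            mode=$(stat -c '%a' "$dir/$f")
            case $mode in
                600|400) ;;
                *) echo "$dir/$f has mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# cert_chain_ok DIR -> 0 if server.crt verifies against ca.crt (needs openssl)
cert_chain_ok() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# Usage on the server: sh keys_ok.sh /etc/openvpn
if [ $# -gt 0 ]; then
    keys_ok "$1" && cert_chain_ok "$1" && echo "key material looks right"
fi
```

A mode other than 600 on server.key is the finding to act on first: OpenVPN reads the key as root before dropping to nobody, so nothing in the server itself protects a key that other local users can read.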
Configuring the Server
By default, every server described by a *.conf file in the /etc/openvpn/ directory is started on boot. Therefore, all we have to do is create a new file named server.conf in the /etc/openvpn/ directory.
sudo vi /etc/openvpn/server.conf
mode server
tls-server
local <your ip address>          ## ip/hostname of server
port 1194                        ## default openvpn port
proto udp

#bridging directive
dev tap0                         ## name of tap device to create
up bridgeup.sh
up-restart
plugin /usr/lib/openvpn-down-root.so "bridgedown.sh"
persist-key
persist-tun
client-to-client                 ## allow the clients to communicate amongst themselves

#certificates and encryption
ca ca.crt
cert server.crt
key server.key                   # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0                # This file is secret
cipher BF-CBC                    # Blowfish (default)
comp-lzo

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.23.1 255.255.255.0 192.168.23.100 192.168.23.149
push "dhcp-option DNS 192.168.23.1"
push "dhcp-option DOMAIN vlab"
push "route 192.168.23.0 255.255.255.0"
max-clients 10                   ## set this to the max number of clients that should be connected at a time

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
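The configuration above mixes directives that make the server work (dev, server-bridge, push) with ones that only matter for hardening (tls-auth, user/group, persist-key, persist-tun, max-clients, keepalive), and it is easy to lose one of the latter when copying the file around. The lint script below is an added example, not from the page or the OpenVPN project. It takes the path of a server.conf as an argument (an assumption), reports each hardening directive that is absent, flags a directive written twice (a common copy-and-paste slip), and warns when the cipher line names a 64-bit block cipher such as BF-CBC, which is the default in this 2008 configuration but has since been deprecated by OpenVPN in favour of AES.

```shell
#!/bin/sh
# Added example (not from the page): lint an OpenVPN server.conf for the
# hardening directives the configuration above relies on.
# CONF is a parameter (assumption); the script reads nothing else.

# conf_has FILE DIRECTIVE -> 0 if an uncommented line starts with DIRECTIVE
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# conf_lint FILE -> prints one line per problem, returns the number of problems
conf_lint() {
    conf=$1
    problems=0
    # directives whose absence weakens the server or makes restarts fragile
    for d in tls-auth persist-key persist-tun max-clients keepalive; do
        if ! conf_has "$conf" "$d"; then
            echo "missing: $d"
            problems=$((problems + 1))
        fi
    done
    # privilege drop after the tap device and keys have been opened
    if ! conf_has "$conf" user || ! conf_has "$conf" group; then
        echo "missing: user/group (server keeps running as root)"
        problems=$((problems + 1))
    fi
    # 64-bit block ciphers (Blowfish, DES, CAST5) are no longer recommended
    cipher=$(grep -E '^[[:space:]]*cipher[[:space:]]' "$conf" | awk '{print $2}' | head -n1)
    case $cipher in
        BF-*|DES-*|CAST5-*)
            echo "weak: cipher $cipher uses a 64-bit block; prefer an AES cipher"
            problems=$((problems + 1)) ;;
    esac
    # the same directive line twice is almost always a copy/paste slip;
    # strip blank lines, comment lines and trailing comments before comparing
    dups=$(grep -Ev '^[[:space:]]*(#|;|$)' "$conf" | sed 's/[[:space:]]*#.*//' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicated lines:"
        echo "$dups"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage on the server: sh conf_lint.sh /etc/openvpn/server.conf
if [ $# -gt 0 ]; then
    if conf_lint "$1"; then echo "no problems found"; fi
fi
```

The exit status is the problem count, so the script drops straight into a cron job or a pre-restart hook. Note that it only checks the directives are present, not that the files they name exist; that is the job of the key-material check run after generating the certificates.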