
Difference between revisions of "UbuntuHelp:OpenVPN"

From Ubuntu中文

第3行: 第3行:
 
=== Intro/Overview ===
 
=== Intro/Overview ===
 
==== Overview ====
 
==== Overview ====
OpenVPN is an Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories.  It is flexible, easy-to-use, reliable and secure.  I'll walk you through setting up a Bridged VPN on Ubuntu 8.04 using x509 certs.  Furthermore, I will walk you through general administration tasks.
+
OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu Repositories.  It is flexible, easy-to-use, reliable and secure.  I'll walk you through setting up a Bridged VPN on Ubuntu 8.04 using x509 certs.  Furthermore, I will walk you through general administration tasks.
==== What is a bridged VPN ====
+
==== What is a bridged VPN? ====
 
A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system.  The VPN accomplishes this by using a combination of virtual devices one called a bridge and the other called a tap device.  A tap device acts as a virtual Ethernet adapter and the bridge device acts as a virtual hub.  When you bridge a physical Ethernet device and a tap device, you are essential creating a hub between the physical network and the remote clients.  Therefore, all LAN services are visible to the remote clients.  My use case was creating a virtual lab for my companies Sale's Engineers so that it was possible to net boot remote embedded clients anywhere in the world.  
 
A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system.  The VPN accomplishes this by using a combination of virtual devices one called a bridge and the other called a tap device.  A tap device acts as a virtual Ethernet adapter and the bridge device acts as a virtual hub.  When you bridge a physical Ethernet device and a tap device, you are essential creating a hub between the physical network and the remote clients.  Therefore, all LAN services are visible to the remote clients.  My use case was creating a virtual lab for my companies Sale's Engineers so that it was possible to net boot remote embedded clients anywhere in the world.  
 
=== Setting up the System ===
 
=== Setting up the System ===
 
Setting up a bridged VPN solution is not hard. However, it does require that you understand how to use the Linux shell and the Linux networking stack.   
 
Setting up a bridged VPN solution is not hard. However, it does require that you understand how to use the Linux shell and the Linux networking stack.   
This entire installation was performed using Ubuntu Jeos 8.04 in a KVM virtual machine but could just have easily been performed on Ubuntu Server.  All of my comments in configuration files are proceeded by two pound signs (##).
+
This entire installation was performed using Ubuntu Jeos 8.04 in a KVM virtual machine but could just have easily been performed on Ubuntu Server.  In my configuration eth0 is connected to the internet and eth1 is connected to the network that will be bridged. All of my comments in configuration files are proceeded by two pound signs (##).
 
==== Installing the Server ====
 
==== Installing the Server ====
 
OpenVPN is installed by  
 
OpenVPN is installed by  
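Review bot: the typo "proceeded by two pound signs" in the rewritten sentence should read "preceded by", and the unchanged paragraph above still carries "essential creating" (essentially) and "my companies Sale's Engineers" (my company's Sales Engineers); worth fixing while this section is being touched. The added sentence naming eth0 as the internet-facing interface and eth1 as the bridged one is a useful addition, since the interfaces file later in the page assumes exactly that layout.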
第36行: 第36行:
 
   pre-up openvpn --mktun --dev tap0
 
   pre-up openvpn --mktun --dev tap0
 
   address 192.168.23.1  
 
   address 192.168.23.1  
  network 192.168.23.0
 
 
   netmask 255.255.255.0
 
   netmask 255.255.255.0
  broadcast 192.168.23.255
 
 
   bridge_ports eth1 tap0
 
   bridge_ports eth1 tap0
   bridge_fd 9 ##from the libvirt docs
+
   bridge_fd 9     ## from the libvirt docs (forward delay time)
   bridge_hello 2 ## from the libvirt docs
+
   bridge_hello 2   ## from the libvirt docs (hello time)
   bridge_maxage 12 ## from the libvirt docs
+
   bridge_maxage 12 ## from the libvirt docs (maximum message age)
   bridge_stp off ## from the libvirt docs
+
   bridge_stp off   ## from the libvirt docs (spanning tree protocol)
 
</nowiki></pre>
 
</nowiki></pre>
 
to restart networking run
 
to restart networking run
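Review bot: the explanations appended to the bridge_* lines (bridge_fd 9 ## from the libvirt docs (forward delay time) and the three below it) sit on the same line as the directive, but ifupdown's interfaces(5) only recognises comments that start a line; end-of-line text is carried along as part of the option value, so the bridge-utils hook receives "9 ## from the libvirt docs (forward delay time)" as the forward-delay setting. Move each comment onto its own line above its directive; the same applies to the existing "## start on boot" and "##use a static IP" text on the auto/iface lines. Dropping the network and broadcast lines is fine, both are optional for an inet static stanza that already gives address and netmask.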
第51行: 第49行:
 
The bridging decelerations here come from the libvirt documentation.  I really only understand the bridge_ports directive and the bridge_stp directive.  Therefore if you know more than me help me out.   
 
The bridging decelerations here come from the libvirt documentation.  I really only understand the bridge_ports directive and the bridge_stp directive.  Therefore if you know more than me help me out.   
 
===== Generating Certificates =====
 
===== Generating Certificates =====
Next, we need to generate certificates for the server.  In order to do this I will setup my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.  Another alternative is using tinyca to create your CA.   
+
Next, we need to generate certificates for the server.  In order to do this I will setup my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.  Another alternative is using the graphical program tinyca to create your CA.   
 
Step 1:
 
Step 1:
 
Copy files to the /etc/openvpn/easy-rsa/ directory
 
Copy files to the /etc/openvpn/easy-rsa/ directory
 
<pre><nowiki>  
 
<pre><nowiki>  
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/  
+
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/  
 
</nowiki></pre>
 
</nowiki></pre>
 
Step 2:
 
Step 2:
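Review bot: the corrected copy, sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/, now expands to several sources, and in that form cp refuses a destination that does not exist yet ("target is not a directory"); add sudo mkdir -p /etc/openvpn/easy-rsa/ before it. The original trailing-slash form created /etc/openvpn/easy-rsa/ itself when absent but nested the copy as /etc/openvpn/easy-rsa/2.0/ when the directory already existed, which is presumably what prompted the change. Unrelated to the change: "bridging decelerations" in the context paragraph should read "declarations".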
第73行: 第71行:
 
Setup the CA and create your first server certificate
 
Setup the CA and create your first server certificate
 
<pre><nowiki>
 
<pre><nowiki>
sudo -i  ## start a root shell
+
 
 
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
 
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
 +
sudo chown -R root:admin .  ## make this directory writable by the system administrators
 
source ./vars ## execute your new vars file
 
source ./vars ## execute your new vars file
 
./clean-all  ## Setup the easy-rsa directory (Deletes all keys)
 
./clean-all  ## Setup the easy-rsa directory (Deletes all keys)
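Review bot: replacing sudo -i with sudo chown -R root:admin . does not achieve what its comment claims ("make this directory writable by the system administrators"): the tree was created by cp -R with the default mode, so group admin gets read access only, and the following ./clean-all, ./build-dh and ./pkitool runs will fail when they try to write into keys/. Either add sudo chmod -R g+w . after the chown, or keep the root shell.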
第82行: 第81行:
 
cd keys
 
cd keys
 
openvpn --genkey --secret ta.key  ## Build a TLS key
 
openvpn --genkey --secret ta.key  ## Build a TLS key
cp keys/server.crt keys/server.key keys/ca.crt keys/dh1024.pem ta.key ../../
+
cp server.crt server.key ca.crt dh1024.pem ta.key ../../
exit  ## exit the root shell
+
 
</nowiki></pre>
+
    </nowiki></pre>
 
Your Certificate Authority is now setup and the needed keys are in /etc/openvpn/
 
Your Certificate Authority is now setup and the needed keys are in /etc/openvpn/
 
===== Configuring the Server =====
 
===== Configuring the Server =====
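Review bot: the path fix in cp server.crt server.key ca.crt dh1024.pem ta.key ../../ is right, since the preceding cd keys already put the shell in the keys directory and the old keys/server.crt paths would not have resolved. Two points remain: with sudo -i removed earlier in this revision, this cp writes into the root-owned /etc/openvpn/ and needs a sudo of its own; and the replacement closing line "    </nowiki></pre>" is indented, which leaves a run of spaces inside the rendered pre block (visible as stray whitespace at the end of the rendered Step 3 listing). Since the comments elsewhere mark server.key and ta.key as secret, a chmod 600 on the copied files would also fit here.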
第138行: 第137行:
 
</nowiki></pre>
 
</nowiki></pre>
 
==== Getting Clients Connected ====
 
==== Getting Clients Connected ====
 +
This section walks you through creating client certificate and key files, plus setting up a client configuration file.  The files can then be used with OpenVPN on a client platform.  The described configuration will work with OpenVPN installations of [http://openvpn.se/ OpenVPN GUI] for Windows and [http://code.google.com/p/tunnelblick/ Tunnelblick] for Mac OS X clients.  For a detailed discussion of each, refer to their respective home pages.  It should also be compatible with Linux OpenVPN clients.
 +
===== Generating Client Certificate and Key =====
 +
Generating certificates and keys for a client is very similar to the process used for generating server certificates.  It is assumed that you have already set up the <code><nowiki>/etc/openvpn/easy-rsa/</nowiki></code> directory and updated the <code><nowiki>/etc/openvpn/easy-rsa/vars</nowiki></code> file as described above.  You should have already setup your Certificate Authority and created your server certificate and keys.
 +
<pre><nowiki>
 +
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
 +
source ./vars            ## execute your vars file
 +
./pkitool client          ## create a cert and key named "client"
 +
</nowiki></pre>
 +
===== Configuring the Client =====
 +
The client configuration has been adapted from the OpenVPN 2.0 sample configuration file.  For Windows, the file should be named client.ovpn and for other operating systems, the file should be named client.conf.  The file can be created using vi or other editor that can create plain text files.
 +
The configuration file assumes that there is only one TUN/TAP device configured on the client.
 +
<pre><nowiki>
 +
 +
# Specify that this is a client
 +
client
 +
 +
# Bridge device setting
 +
dev tap
 +
 +
# Host name and port for the server (default port is 1194)
 +
# note: replace with the correct values your server set up
 +
remote your.server.example.com 1194
 +
 +
# Client does not need to bid to a specific local port
 +
nobind
 +
 +
# Keep trying to resolve the host name of OpenVPN server.
 +
resolv-retry-infinite
 +
 +
# Preserve state across restarts
 +
persist-key
 +
persity-tun
 +
 +
# SSL/TLS parameters - files created previously
 +
ca ca.crt
 +
cert client.crt
 +
key client.key
 +
 +
# Since we specified the tls-auth for server, we need it for the client
 +
# note: 0 = server, 1 = client
 +
tls-auth ta.key 1
 +
 +
# Specify same cipher as server
 +
cipher BF-CBC
 +
 +
# Use compression
 +
comp-lzo
 +
 +
# Log verbosity (to help if there are problems)
 +
verb 3
 +
 +
</nowiki></pre>
 +
Place the client.ovpn (or client.conf) configuration file along with the certificate and key files in the openvpn configuration directory on the client.  With the above set up, the following files should be in the configuration directory.
 +
<pre><nowiki>
 +
client.ovpn
 +
ca.crt
 +
client.crt
 +
client.key
 +
ta.key
 +
</nowiki></pre>
 +
For [http://openvpn.se/ OpenVPN GUI] for Windows, the default location for the files is <code><nowiki>C:\Program Files\OpenVPN\config</nowiki></code>.
 +
For [http://code.google.com/p/tunnelblick/ Tunnelblick] for Mac OS X, the default location for the files is ''<code><nowiki>~username</nowiki></code>''<code><nowiki>/Library/openvpn</nowiki></code>.
  
 
[[category:UbuntuHelp]]
 
[[category:UbuntuHelp]]
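Review bot: two directives in the new client configuration are misspelt and will make OpenVPN reject the file with "Unrecognized option or missing parameter(s)": persity-tun should be persist-tun, and resolv-retry-infinite should be the two-word form resolv-retry infinite; the comment "does not need to bid to a specific local port" should read "bind". Since the server certificate is built with ./pkitool --server server, the client file could also carry ns-cert-type server so the client only accepts a certificate marked as a server rather than any certificate signed by the same CA. Finally, the text lists which files must be in the client's configuration directory but not where ./pkitool client leaves them (easy-rsa's keys/ directory); one sentence after that command would close the gap.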

Revision as of 19:46, 16 December 2008


Intro/Overview

Overview

OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu repositories. It is flexible, easy to use, reliable and secure. I'll walk you through setting up a bridged VPN on Ubuntu 8.04 using X.509 certificates. Furthermore, I will walk you through general administration tasks.

What is a bridged VPN?

A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system. The VPN accomplishes this by using a combination of two virtual devices, a bridge and a tap device. A tap device acts as a virtual Ethernet adapter and the bridge device acts as a virtual hub. When you bridge a physical Ethernet device and a tap device, you are essentially creating a hub between the physical network and the remote clients. Therefore, all LAN services are visible to the remote clients. My use case was creating a virtual lab for my company's Sales Engineers so that it was possible to net boot remote embedded clients anywhere in the world.

Setting up the System

Setting up a bridged VPN solution is not hard. However, it does require that you understand how to use the Linux shell and the Linux networking stack. This entire installation was performed using Ubuntu JeOS 8.04 in a KVM virtual machine but could just as easily have been performed on Ubuntu Server. In my configuration eth0 is connected to the internet and eth1 is connected to the network that will be bridged. All of my comments in configuration files are preceded by two pound signs (##).

Installing the Server

OpenVPN is installed by

sudo apt-get install openvpn bridge-utils

Setting up the Bridge

Now you need to edit /etc/network/interfaces

sudo vi /etc/network/interfaces

In my case the network I wanted to share was connected to eth1 and the internet was provided by eth0. Therefore my /etc/network/interfaces looked like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# Note: ifupdown only recognises comments that start a line, so the ##
# remarks below are kept on their own lines rather than after a directive.

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

## start on boot
auto br0
## use a static IP because this server is also the DHCP server.
iface br0 inet static
  ## create the tap device before the bridge is brought up
  pre-up openvpn --mktun --dev tap0
  address 192.168.23.1
  netmask 255.255.255.0
  bridge_ports eth1 tap0
  ## from the libvirt docs: forward delay time
  bridge_fd 9
  ## from the libvirt docs: hello time
  bridge_hello 2
  ## from the libvirt docs: maximum message age
  bridge_maxage 12
  ## from the libvirt docs: spanning tree protocol
  bridge_stp off

to restart networking run

sudo /etc/init.d/networking restart

The bridging declarations here come from the libvirt documentation. I really only understand the bridge_ports directive and the bridge_stp directive. Therefore, if you know more than me, help me out.

Generating Certificates

Next, we need to generate certificates for the server. In order to do this I will set up my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. Another alternative is using the graphical program tinyca to create your CA.

Step 1: Copy files to the /etc/openvpn/easy-rsa/ directory

sudo mkdir -p /etc/openvpn/easy-rsa/   ## cp needs an existing destination for a wildcard copy
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Step 2: Edit /etc/openvpn/easy-rsa/vars

sudo vi /etc/openvpn/easy-rsa/vars

Change these lines at the bottom so that they reflect your new CA.

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

Step 3: Set up the CA and create your first server certificate

cd /etc/openvpn/easy-rsa/         ## move to the easy-rsa directory
sudo chown -R root:admin .        ## hand the directory to the system administrators' group
sudo chmod -R g+w .               ## and make it writable by that group (chown alone does not)
source ./vars                     ## execute your new vars file
./clean-all                       ## Setup the easy-rsa directory (Deletes all keys)
./build-dh                        ## takes a while, consider backgrounding
./pkitool --initca                ## creates ca cert and key
./pkitool --server server         ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key  ## Build a TLS key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../   ## /etc/openvpn/ is owned by root
sudo chmod 600 ../../server.key ../../ta.key   ## secrets: readable by root only (openvpn reads them before dropping privileges)

Your Certificate Authority is now set up and the needed keys are in /etc/openvpn/

Configuring the Server

By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is create a new file named server.conf in the /etc/openvpn/ directory.

sudo vi /etc/openvpn/server.conf

mode server
tls-server

local <your ip address> ## ip/hostname of server
port 1194 ## default openvpn port
proto udp

#bridging directive
dev tap0 ## name of tap device to create
up bridgeup.sh
up-restart
plugin /usr/lib/openvpn-down-root.so "bridgedown.sh"

persist-key
persist-tun
client-to-client  ## allow the clients to communicate amongst themselves

#certificates and encryption
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret

cipher BF-CBC        # Blowfish (default in OpenVPN 2.0; newer releases default to AES, the client must use the same value)
comp-lzo

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.23.1 255.255.255.0 192.168.23.100 192.168.23.149
push "dhcp-option DNS 192.168.23.1"
push "dhcp-option DOMAIN vlab"
push "route 192.168.23.0 255.255.255.0"
max-clients 10 ## set this to the max number of clients that should be connected at a time

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

Getting Clients Connected

This section walks you through creating client certificate and key files, plus setting up a client configuration file. The files can then be used with OpenVPN on a client platform. The described configuration will work with OpenVPN installations of OpenVPN GUI for Windows and Tunnelblick for Mac OS X clients. For a detailed discussion of each, refer to their respective home pages. It should also be compatible with Linux OpenVPN clients.

Generating Client Certificate and Key

Generating certificates and keys for a client is very similar to the process used for generating server certificates. It is assumed that you have already set up the /etc/openvpn/easy-rsa/ directory and updated the /etc/openvpn/easy-rsa/vars file as described above. You should have already set up your Certificate Authority and created your server certificate and keys.

cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars             ## execute your vars file
./pkitool client          ## create a cert and key named "client"

The new client.crt and client.key are written to /etc/openvpn/easy-rsa/keys/, next to the ca.crt and ta.key the client will also need.

Configuring the Client

The client configuration has been adapted from the OpenVPN 2.0 sample configuration file. For Windows, the file should be named client.ovpn and for other operating systems, the file should be named client.conf. The file can be created using vi or another editor that can create plain text files. The configuration file assumes that there is only one TUN/TAP device configured on the client.


# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote your.server.example.com 1194

# Client does not need to bind to a specific local port
nobind

# Keep trying to resolve the host name of OpenVPN server.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key

# Only accept a server certificate that pkitool --server marked as a server
# (nsCertType=server); without this, any client certificate signed by the
# same CA would be accepted as the server. Deprecated since OpenVPN 2.4 in
# favour of "remote-cert-tls server".
ns-cert-type server

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3
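Most failed first connections with this setup come from the two files disagreeing with each other rather than from the PKI. As an added example that is not part of the original page or of OpenVPN, the Python script below parses a server.conf and a client.conf laid out like the ones in this tutorial and reports the mismatches that break a bridged setup: misspelt directives, tls-auth key directions that are not 0 on the server and 1 on the client, differing cipher or comp-lzo settings, tap against tun, a client port that differs from the server's, and a server-bridge pool that falls outside the subnet, contains the gateway, or is smaller than max-clients. The two embedded configs are constructed copies of this page's server.conf and of the client file as it was first posted, typos included; the directive whitelist is an assumption that covers only the options this tutorial uses, so a real config with other directives would need it extended.

```python
"""Consistency check for an OpenVPN bridged-VPN server.conf / client.conf pair.
Added example for this tutorial, not code from the page or from OpenVPN. The two
configs are constructed copies of the files on this page; the client one keeps the
typos it was first posted with so the checker has something to report."""
import ipaddress
import shlex

SERVER_CONF = """\
mode server
tls-server
port 1194            ## default openvpn port
proto udp
dev tap0             ## name of tap device to create
ca ca.crt
cert server.crt
key server.key       # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0    # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
server-bridge 192.168.23.1 255.255.255.0 192.168.23.100 192.168.23.149
push "dhcp-option DNS 192.168.23.1"
max-clients 10
"""
CLIENT_CONF = """\
client
dev tap
remote your.server.example.com 1194
resolv-retry-infinite
persist-key
persity-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
"""
# Assumption: a whitelist covering only the directives this tutorial uses.
KNOWN_DIRECTIVES = {
    "mode", "tls-server", "client", "local", "port", "proto", "dev", "up", "up-restart",
    "plugin", "persist-key", "persist-tun", "client-to-client", "ca", "cert", "key", "dh",
    "tls-auth", "cipher", "comp-lzo", "ifconfig-pool-persist", "server-bridge", "push",
    "max-clients", "user", "group", "keepalive", "status", "verb", "remote", "nobind",
    "resolv-retry", "ns-cert-type", "remote-cert-tls"}

def parse_conf(text):
    """Map each directive to its argument list (first occurrence wins). OpenVPN starts
    a comment at a token beginning with '#' or ';'; shlex covers '#' well enough here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        tokens = [] if line.startswith(";") else shlex.split(line, comments=True)
        if tokens:
            conf.setdefault(tokens[0], tokens[1:])
    return conf

def check_bridge_pool(args, max_clients):
    """Validate 'server-bridge gateway netmask pool-start pool-end'."""
    gw, mask, start, end = args
    net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
    gw_ip, start_ip, end_ip = (ipaddress.ip_address(a) for a in (gw, start, end))
    problems = []
    if start_ip > end_ip:
        problems.append("server-bridge: pool start is after pool end")
    for label, ip in (("pool start", start_ip), ("pool end", end_ip)):
        if ip not in net:
            problems.append(f"server-bridge: {label} {ip} is outside {net}")
    if start_ip <= gw_ip <= end_ip:
        problems.append("server-bridge: gateway address lies inside the client pool")
    pool_size = int(end_ip) - int(start_ip) + 1
    if max_clients > pool_size:
        problems.append(f"max-clients {max_clients} exceeds pool of {pool_size} addresses")
    return problems

def check_pair(server_text, client_text):
    """Return human-readable problems; an empty list means the pair agrees."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = [f"{side}: unknown directive '{d}' (typo?)"
                for side, conf in (("server", s), ("client", c))
                for d in conf if d not in KNOWN_DIRECTIVES]
    # 'dev tap0' on the server needs a tap device on the client, not tun
    sdev, cdev = s.get("dev", ["?"])[0][:3], c.get("dev", ["?"])[0][:3]
    if sdev != cdev:
        problems.append(f"dev type mismatch: server {sdev}, client {cdev}")
    # the client's 'remote host port' must name the port the server listens on
    remote = c.get("remote", [])
    if s.get("port", ["1194"])[0] != (remote[1] if len(remote) > 1 else "1194"):
        problems.append("port mismatch")
    # tls-auth: both sides or neither, key direction 0 on the server and 1 on the client
    sta, cta = s.get("tls-auth"), c.get("tls-auth")
    if (sta is None) != (cta is None):
        problems.append("tls-auth configured on only one side")
    elif sta and {(sta + [None])[1], (cta + [None])[1]} != {"0", "1"}:
        problems.append("tls-auth key directions must be 0 on the server and 1 on the client")
    # cipher and compression must match exactly (BF-CBC is the 2.0-era default)
    if s.get("cipher", ["BF-CBC"])[0] != c.get("cipher", ["BF-CBC"])[0]:
        problems.append("cipher mismatch")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo set on only one side")
    if len(s.get("server-bridge", [])) == 4:
        problems += check_bridge_pool(s["server-bridge"], int(s.get("max-clients", ["0"])[0]))
    return problems
```

Run against the embedded pair, `check_pair(SERVER_CONF, CLIENT_CONF)` reports exactly the two misspelt client directives; once those are corrected the list is empty, and flipping the client's tls-auth direction to 0 or its device to tun produces a single targeted finding instead of the generic TLS handshake timeout OpenVPN would otherwise log.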

Place the client.ovpn (or client.conf) configuration file along with the certificate and key files in the openvpn configuration directory on the client. With the above set up, the following files should be in the configuration directory.

client.ovpn
ca.crt
client.crt
client.key
ta.key

For OpenVPN GUI for Windows, the default location for the files is C:\Program Files\OpenVPN\config. For Tunnelblick for Mac OS X, the default location for the files is ~username/Library/openvpn.