Original source:
http://blog.beijingnet.com/index.php?op=ViewArticle&articleId=31&blogId=1
Recently I have been studying how to install and configure OpenVPN Bridged Ethernet Tunnels with RedHat AS3 + WinXP SP2. Searching the web for material on this, I found very little, and almost nothing in Chinese, so I ran tests based on the English documentation I found on the official site and finally succeeded. I am posting this article in the hope that it helps those who need this feature.
Reference article: http://blog.beijingnet.com/index.php?op=ViewArticle&articleId=27&blogId=1
I. Server-side configuration
1. Install OpenVPN
For installing OpenVPN on RedHat AS3 see: http://blog.beijingnet.com/index.php?op=ViewArticle&articleId=30&blogId=1
2. Create the startup script:
#vi /etc/rc.d/init.d/eth1-replace
#!/bin/bash
#
# Replace eth1 with TAP/bridge interfaces
#
# chkconfig: 2345 11 89
# description: Create TAP/bridge interfaces
. /etc/rc.d/init.d/functions
start() {
    # Highest tap index to create: tap0 .. tap${maxtap}, one per OpenVPN client
    maxtap=15
    # Read IPADDR, NETMASK and BROADCAST of eth1; br0 takes them over below
    . /etc/sysconfig/network-scripts/ifcfg-eth1
    echo "Create TAP/bridge interfaces:"
    modprobe tun
    modprobe bridge
    ifconfig eth1 down
    for i in `seq 0 ${maxtap}`; do
        openvpn --mktun --dev tap${i}
    done
    sleep 1
    brctl addbr br0
    brctl addif br0 eth1
    sleep 1
    for i in `seq 0 ${maxtap}`; do
        brctl addif br0 tap${i}
    done
    sleep 1
    for i in `seq 0 ${maxtap}`; do
        ifconfig tap${i} 0.0.0.0 promisc up
    done
    sleep 1
    ifconfig eth1 0.0.0.0 promisc up
    sleep 1
    # The bridge, not eth1, now carries the LAN gateway address
    ifconfig br0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST} && success || failure
    RETVAL=$?
    sleep 1
    echo
}
stop() {
    echo "TAP/bridge fake shutdown (we never stop)"
    RETVAL=$?
    success
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        RETVAL=1
esac
exit $RETVAL
#chmod 700 /etc/rc.d/init.d/eth1-replace
#chkconfig --add eth1-replace
Note: in my test, eth1 is the NIC connected to the internal LAN and acts as the LAN gateway; its IP is inherited by br0. To change the maximum number of client connections, modify the maxtap parameter. OpenVPN currently limits the number of client connections; the maximum seems to be 1000.
3. Install the bridge utilities
#wget http://belnet.dl.sourceforge.net/sourceforge/bridge/bridge-utils-1.0.4.tar.gz
#tar zxvf bridge-utils-1.0.4.tar.gz
#cd bridge-utils-1.0.4
#./configure --prefix=/usr
#make
#make install
4. Create a static key for the client, taking xiaowei as an example
#cd /etc/openvpn
#openvpn --genkey --secret xiaowei.key
Do the same for the other clients; each client gets its own static key.
5. Create the client configuration file
#cd /etc/openvpn
#vi xiaowei.conf
port 5000
dev tap0
secret /etc/openvpn/xiaowei.key
log-append /var/log/openvpn/xiaowei.log
# These settings are the same for all users
local x.y.z.k # external Internet address
fragment 1400
mssfix
ping 10
ping-restart 35
ping-timer-rem
persist-tun
persist-key
persist-local-ip
comp-lzo
comp-noadapt
verb 4
The first four parameters differ from client to client: each client must have its own port number and its own tap device, from tap0 up to the maximum defined by maxtap in the startup script. The remaining parameters are the same for all clients.
6. Create the firewall script
#vi /etc/rc.d/init.d/firewall.sh
#!/bin/bash
# A Sample OpenVPN-aware firewall.
# eth0 is connected to the internet.
# eth1 is connected to a private subnet.
# Change this subnet to correspond to your private
# ethernet subnet. Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=192.168.0.0/24
# Loopback address
LOOP=127.0.0.1
# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Prevent external packets from using loopback addr
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP
# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Check source address validity on packets going out to internet
iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you are taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport 5000 -j ACCEPT
# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade local subnet
iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
#end
Note that every client you add opens a corresponding port, so be sure to open that port in the firewall: add another copy of the line above that accepts UDP port 5000 to the firewall script, changing 5000 to the port that client connects to.
#chmod 700 /etc/rc.d/init.d/firewall.sh
#ln -s /etc/rc.d/init.d/firewall.sh /etc/rc.d/rc3.d/S66openvpnfirewall
7. Start OpenVPN
#openvpn --config /etc/openvpn/xiaowei.conf &
Starting a second client connection works the same way; only the configuration file differs.
8. Start the bridge and the firewall
#/etc/rc.d/init.d/eth1-replace start
#/etc/rc.d/init.d/firewall.sh
II. Client-side configuration
1. Install the Windows OpenVPN client; I used the default installation into C:\Program Files\OpenVPN
Download:
http://openvpn.sourceforge.net/beta/openvpn-2.0_beta18-install.exe
2. Copy the static key generated on the server into C:\Program Files\OpenVPN\config
3. Create the configuration file xiaowei.ovpn in the C:\Program Files\OpenVPN\config directory; note that the extension is ovpn
port 5000
secret xiaowei.key
ifconfig 192.168.0.9 255.255.255.0
remote x.y.z.k # IP of the remote OpenVPN server
route-delay 10
dev tap
tap-sleep 1
fragment 1400
mssfix # on my machine startup failed with this line present, so I removed it
ifconfig-nowarn
ip-win32 dynamic
ping 10
comp-lzo
comp-noadapt
verb 4
The IP address in ifconfig is an address on the server-side LAN; make sure it does not conflict with anything.
4. Start the OpenVPN connection
Right-click the configuration file xiaowei.ovpn and choose Start OpenVPN on this config file
Configure the other clients the same way, matching the corresponding server-side configuration.
Barring surprises, the connection succeeds.
Feel free to contact me
qq:138722
email:xiaowei@beijingnet.com
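The post hangs together on a few invariants that are easy to get wrong once several clients are added: each client needs its own UDP port, its own tapN device in the range 0..maxtap created by eth1-replace, its own static key, a free address on the bridged 192.168.0.0/24 LAN, and a matching iptables ACCEPT line, and after eth1-replace runs every tap must actually be enslaved to br0. The following is an added example, not code from the post: it generates the per-client server .conf, client .ovpn and firewall lines from one table, flags collisions, and checks `brctl show` output for missing bridge members. The client table, the function names and the sample brctl output are constructed for this example; x.y.z.k is the post's own placeholder for the server's public address.

```python
"""Consistency checks for the per-client bridged OpenVPN layout in the post.
Constructed example: client table, function names and the brctl sample are
assumptions for illustration, not taken from the post."""
import ipaddress

MAXTAP = 15                                   # must equal maxtap in eth1-replace
LAN = ipaddress.ip_network("192.168.0.0/24")  # PRIVATE in firewall.sh
SERVER_PUBLIC_IP = "x.y.z.k"                  # placeholder, as in the post

# Constructed sample: name -> (UDP port, tap index, address on the bridged LAN)
CLIENTS = {
    "xiaowei": (5000, 0, "192.168.0.9"),
    "client2": (5001, 1, "192.168.0.10"),
}

# Settings that are identical for every server-side client config
SERVER_COMMON = ("fragment 1400\nmssfix\nping 10\nping-restart 35\n"
                 "ping-timer-rem\npersist-tun\npersist-key\npersist-local-ip\n"
                 "comp-lzo\ncomp-noadapt\nverb 4\n")


def validate_clients(clients, maxtap=MAXTAP, lan=LAN):
    """Return a list of problems; an empty list means the table is consistent."""
    problems, ports, taps, addrs = [], {}, {}, {}
    for name, (port, tap, addr) in clients.items():
        if port in ports:
            problems.append(f"{name}: port {port} already used by {ports[port]}")
        ports.setdefault(port, name)
        if not 0 <= tap <= maxtap:
            problems.append(f"{name}: tap{tap} is outside tap0..tap{maxtap} "
                            "created by eth1-replace")
        if tap in taps:
            problems.append(f"{name}: tap{tap} already used by {taps[tap]}")
        taps.setdefault(tap, name)
        ip = ipaddress.ip_address(addr)
        if ip not in lan:
            problems.append(f"{name}: {addr} is not inside {lan}")
        if ip in addrs:
            problems.append(f"{name}: {addr} already used by {addrs[ip]}")
        addrs.setdefault(ip, name)
    return problems


def server_conf(name, port, tap):
    """Server-side <name>.conf: only the first four lines differ per client."""
    return (f"port {port}\ndev tap{tap}\n"
            f"secret /etc/openvpn/{name}.key\n"
            f"log-append /var/log/openvpn/{name}.log\n"
            f"local {SERVER_PUBLIC_IP}\n" + SERVER_COMMON)


def client_ovpn(name, port, addr, netmask="255.255.255.0"):
    """Windows-side <name>.ovpn (mssfix left out, as the post's author did)."""
    return (f"port {port}\nsecret {name}.key\nifconfig {addr} {netmask}\n"
            f"remote {SERVER_PUBLIC_IP}\nroute-delay 10\ndev tap\ntap-sleep 1\n"
            "fragment 1400\nifconfig-nowarn\nip-win32 dynamic\nping 10\n"
            "comp-lzo\ncomp-noadapt\nverb 4\n")


def firewall_rules(clients):
    """One INPUT accept line per client port, to paste into firewall.sh."""
    ports = sorted(port for port, _, _ in clients.values())
    return [f"iptables -A INPUT -p udp --dport {p} -j ACCEPT" for p in ports]


def missing_from_bridge(brctl_show_output, maxtap=MAXTAP, bridge="br0"):
    """Parse `brctl show` text; list eth1/tapN not enslaved to the bridge."""
    members, current = set(), None
    for line in brctl_show_output.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) >= 3:                          # row that starts a bridge entry
            current = fields[0]
            if current == bridge and len(fields) == 4:
                members.add(fields[3])
        elif len(fields) == 1 and current == bridge:  # continuation row: one interface
            members.add(fields[0])
    expected = ["eth1"] + [f"tap{i}" for i in range(maxtap + 1)]
    return [n for n in expected if n not in members]


# Constructed sample output of `brctl show` with only two taps enslaved
SAMPLE_BRCTL = ("bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
                "br0\t\t8000.0002b3a1c2d3\tno\t\teth1\n"
                "\t\t\t\t\t\t\ttap0\n"
                "\t\t\t\t\t\t\ttap1\n")

if __name__ == "__main__":
    for problem in validate_clients(CLIENTS):
        print("PROBLEM:", problem)
    for name, (port, tap, addr) in CLIENTS.items():
        print(f"--- /etc/openvpn/{name}.conf ---\n{server_conf(name, port, tap)}")
        print(f"--- {name}.ovpn ---\n{client_ovpn(name, port, addr)}")
    print("\n".join(firewall_rules(CLIENTS)))
    print("not on br0:", missing_from_bridge(SAMPLE_BRCTL, maxtap=2))
```

Run `validate_clients` before starting any openvpn process: a duplicated port silently leaves the second instance unable to bind, and a tap index above maxtap points at a device the init script never created. `missing_from_bridge` is meant to be fed the real `brctl show` output after `eth1-replace start`; any tap it lists will carry no LAN traffic even though the client tunnel comes up.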
herotong replied on 2004-12-02 14:45:16
Do you know what the command-line parameters of openvpn.exe mean???
I can't understand them; I hope we can talk. QQ:12517411
childishbean replied on 2006-01-17 01:42:22
My OpenVPN on XP SP2 always shows that the network cable is not connected. Please help, thanks.