Setting up OpenVPN (Linux server + Windows client)
2008-04-22 11:33:19 / Personal category: Linux notes
Goal: build a bridge-mode (tap) OpenVPN server, hand out client IP addresses with dhcpd, and authenticate logins through PAM.
1. emerge
USE="examples iproute2 pam ssl threads" emerge openvpn
2. Server configuration
cd /etc/openvpn
mkdir gateway
cp -r /usr/share/openvpn/easy-rsa /etc/openvpn
cd easy-rsa
vi vars
Edit the contents of vars to suit your own environment:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="YunNan"
export KEY_CITY="Kunming"
export KEY_ORG="Risy"
export KEY_EMAIL=risy007@gmail.com
Continue:
. ./vars
./clean-all
./build-ca
./build-key-server server      # easy-rsa needs the key name; "server" matches the server.crt/server.key copied below
./build-dh
cd ../gateway
mkdir keys
cp ../easy-rsa/keys/{ca,server}.{crt,key} ./keys   # the server only needs ca.crt; ca.key is best kept off the VPN host
cp ../easy-rsa/keys/dh1024.pem ./keys
openvpn --genkey --secret ./keys/ta.key
vi local.conf
Write the configuration file (local.conf):
mode server
proto udp
port 1194
dev tap0
keepalive 10 120
daemon
writepid /var/run/openvpn.pid
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
verb 3
mute 20
client-to-client
duplicate-cn
cd /etc/openvpn/gateway
tls-server
tls-auth keys/ta.key 0
cipher BF-CBC          # the OpenVPN default of that era; a 64-bit block cipher, AES-256-GCM is preferred today
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
client-config-dir ccd
# Use the PAM plugin (the argument is the PAM service name)
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
# Clients need not present a certificate (OpenVPN 2.4+ spells this "verify-client-cert none")
client-cert-not-required
# Use the login name as the Common Name
username-as-common-name
Continue (still in /etc/openvpn):
ln -sf gateway/local.conf openvpn.conf
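A small checker for the server configuration above, added here as an example and not part of the original post: it parses an excerpt of the post's local.conf (embedded so it runs offline) and reports the settings a reviewer would flag. The WEAK_CIPHERS list and the finding texts are this example's own.

```python
from typing import Dict, List

# Excerpt of the post's own local.conf, embedded so the check runs offline.
SERVER_CONF = """
mode server
dev tap0
user nobody
group nogroup
duplicate-cn
tls-server
tls-auth keys/ta.key 0
cipher BF-CBC
dh keys/dh1024.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
"""

# 64-bit block ciphers (SWEET32) and the null cipher; list constructed for this check.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "none"}

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it appears with; '#' and ';' start comments."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf

def lint(conf: Dict[str, List[List[str]]]) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    if "client-cert-not-required" in conf or ["none"] in conf.get("verify-client-cert", []):
        findings.append("no client certificate required: the PAM password is the only client factor")
    cipher = conf.get("cipher", [["BF-CBC"]])[0][0]  # BF-CBC was the default before OpenVPN 2.5
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: weak or null data-channel cipher, prefer AES-256-GCM")
    dh = conf.get("dh", [[""]])[0][0]
    if "1024" in dh:
        findings.append(f"dh {dh}: 1024-bit DH parameters, regenerate with at least 2048 bits")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    if "duplicate-cn" in conf:
        findings.append("duplicate-cn: one username can hold any number of concurrent sessions")
    if conf.get("user", [["root"]])[0][0] == "root":
        findings.append("no unprivileged 'user': the daemon keeps root after start-up")
    return findings
```

Calling lint(parse_conf(SERVER_CONF)) on the embedded excerpt returns four findings (no client certificate, BF-CBC, 1024-bit DH, duplicate-cn); point it at your own file with parse_conf(open(path).read()).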
To configure the bridged OpenVPN interface for the current openrc, first build bridge and tun as modules and load them at boot by adding the following lines to /etc/conf.d/modules.
Create the net.br0 and net.tap0 start scripts:
cd /etc/init.d/
ln -sf net.lo net.br0
ln -sf net.lo net.tap0
Add the bridge definition to /etc/conf.d/net:
tuntap_tap0="tap"
#config_eth0="dhcp"
config_eth1="null"
config_tap0="null"
RC_NEED_br0="net.eth1 net.tap0 openvpn"
bridge_br0="eth1 tap0"
config_br0="192.168.0.1/24"
Add net.tap0, net.br0 and openvpn to their respective runlevels:
rc-update add net.tap0 boot
rc-update add net.br0 default
rc-update add openvpn default
That completes the server configuration.
Distribute /etc/openvpn/gateway/keys/ca.crt and ta.key to the clients that need to log in.
3. Client configuration file
client
proto udp
port 1194           # or any other port you want to use
dev tap
remote 192.168.0.1  # replace with the server's public IP address
auth-user-pass
tls-client
ca ca.crt
tls-auth ta.key 1
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
comp-lzo
verb 4
With that, everything is in place: the client PC dials the server with openvpn-gui, is prompted for a username and password that are valid on the server, and if they are correct the VPN connection comes up.
If a dhcpd service is bound to br0 on the server, clients automatically receive an IP configuration from the DHCP server once connected.
--------------- Addendum: dhcpd.conf --------------------------------------------
option domain-name "risy.com";
default-lease-time 3600;
max-lease-time 7200;
authoritative;            # was misspelled "authorative", which dhcpd rejects
log-facility local7;
ddns-update-style interim;

# The subnet must match the address assigned to br0 in /etc/conf.d/net
subnet 192.168.1.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option netbios-name-servers 192.168.1.1;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 222.172.200.68, 61.166.150.123;

    class "pxeclient" {
        match if substring(option vendor-class-identifier, 0, 9) = "PXEClient";
        vendor-option-space PXE;
        allow bootp;
        next-server 192.168.1.1;
        filename "pxelinux.0";
    }

    # TAP-Win32 adapters use MAC addresses beginning 00:FF; byte 0 of "hardware" is the type
    class "openvpn" {
        match if substring(hardware, 1, 2) = 00:FF;
    }

    pool {
        allow members of "pxeclient";
        deny members of "openvpn";
        range 192.168.1.50 192.168.1.60;
        option routers 192.168.1.1;
    }

    pool {
        deny members of "pxeclient";
        deny members of "openvpn";
        range 192.168.1.80 192.168.1.90;
        option routers 192.168.1.1;
    }

    pool {
        allow members of "openvpn";
        range 192.168.1.100 192.168.1.200;
    }
}
TAG: openvpn, tap, bridge