
How to set up a virtual private network (VPN)

Published 2025-01-23 by the 千家信息网 editorial staff (last updated 2025-01-23).

This article walks through setting up a VPN: an OpenVPN SSL VPN on Linux that lets a remote client reach the hosts on the intranet behind the VPN server. The steps are short and practical, so it is worth following along on a lab setup.

A VPN, literally a virtual private channel, is a tunnel that carries data securely between companies, or between an individual and a company. OpenVPN is the pioneer among open-source VPNs on Linux; it performs well and has a friendly user interface.

OpenVPN lets the peers that make up the VPN authenticate each other with a pre-shared static key, X.509 certificates issued by a CA, or a username and password. It leans heavily on the OpenSSL library and the SSLv3/TLSv1 protocols (current releases negotiate TLS 1.2 or later). It runs on Linux, the BSDs, Mac OS X and Windows 2000/XP.

Virtual private network (VPN)

An SSL VPN with OpenVPN.
Goal: vpnclient can communicate with the intranet hosts behind vpnserver.


==============================================================
Lab topology:
  intranet host         vpnserver                          vpnclient
  192.168.2.0/24        192.168.2.250 (eth0, internal)     20.20.20.2
  (e.g. 192.168.2.25)   20.20.20.1    (eth2, external)
==============================================================

Set the default gateway on the intranet host. This is the return route: packets from VPN clients arrive with a 10.8.0.x source address, so the intranet host must send its replies back through vpnserver. (The alternative is to masquerade the VPN subnet on vpnserver, e.g. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, so that internal hosts need no special route.)


[root@intra_host ~]# ip route del
RTNETLINK answers: No such process
[root@intra_host ~]# ip route add dev eth0 default via 192.168.2.250
[root@intra_host ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.25
169.254.0.0/16 dev eth0 scope link
default via 192.168.2.250 dev eth0

VPN server configuration:
1. Add the internal and external interface addresses


[root@vpnserver ~]# ip addr show eth0
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:3e:2e:3d:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.250/24 brd 192.168.2.255 scope global eth0
[root@vpnserver ~]# ip addr show eth2
3: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:16:3e:2e:3d:11 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.1/24 brd 20.20.20.255 scope global eth2
[root@vpnserver ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.250
20.20.20.0/24 dev eth2 proto kernel scope link src 20.20.20.1
169.254.0.0/16 dev eth2 scope link


[root@vpnserver ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

Forwarding is what moves packets between tap0 and eth0. The setting above is lost at reboot; make it permanent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf (applied with sysctl -p).

2. VPN server configuration


------ Generate the certificates used for authentication and encryption ------


vpnserver needs: its own private key, its own certificate, the CA certificate
vpnclient needs: its own private key, its own certificate, the CA certificate

[root@vpnserver OpenVPN]# rpm -ivh lzo2-2.02-3.el5.rf.i386.rpm // used for data compression (comp-lzo)
warning: lzo2-2.02-3.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:lzo2 ########################################### [100%]
[root@vpnserver OpenVPN]# rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm
warning: openvpn-2.0.9-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:openvpn ########################################### [100%]
[root@vpnserver OpenVPN]#

The NOKEY warning means rpm could not check the package signatures because the repository's signing key is not in the RPM keyring. Import the key with rpm --import before installing, so that a tampered package is rejected instead of being installed with a warning.

== CA setup, and signing of the vpnserver and vpnclient certificates ==
Generate the CA private key and certificate:
=================================================================================
[root@vpnserver OpenVPN]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/
[root@vpnserver easy-rsa]# ls
2.0 build-key build-req make-crl revoke-full
build-ca build-key-pass build-req-pass openssl.cnf sign-req
build-dh build-key-pkcs12 clean-all README vars
build-inter build-key-server list-crl revoke-crt Windows
[root@vpnserver easy-rsa]# chmod +x *
[root@vpnserver easy-rsa]# vim vars // set the defaults so the prompts of ./build-ca and the build-key scripts can be accepted as-is
[root@vpnserver easy-rsa]# tail -n 5 vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="openvpn-tianyun"
export KEY_EMAIL="tianyun@126.com"

vars also carries export KEY_SIZE=1024, which fixes the RSA key size of every key generated below and the size of the DH parameters. 1024-bit RSA is no longer considered safe, so change it to 2048 before running any of the build scripts (the DH file is then named dh2048.pem).

[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys

[root@vpnserver easy-rsa]# ./clean-all
[root@vpnserver easy-rsa]# ./build-ca // generate the CA private key and its self-signed certificate
Generating a 1024 bit RSA private key
..........................++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [OpenVPN-ROOT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: ca.tianyun.com
Email Address [tianyun@126.com]:

[root@vpnserver easy-rsa]# ls // the keys directory has been created
2.0 build-key-pass clean-all README Windows
build-ca build-key-pkcs12 keys revoke-crt
build-dh build-key-server list-crl revoke-full
build-inter build-req make-crl sign-req
build-key build-req-pass openssl.cnf vars

[root@vpnserver easy-rsa]# ls keys/
ca.crt ca.key index.txt serial


Generate vpnserver's private key and certificate. Use build-key-server rather than build-key here: it adds the server extension (nsCertType=server) to the certificate, which is what lets clients check with ns-cert-type server that they are talking to the real server. The output files are named after the argument; the listing further below shows vicvpnserver.* because that run used a different name, while the rest of this article uses vpnserver.*:
=================================================================================
[root@vpnserver easy-rsa]# ./build-key-server // without a name argument the script only prints its usage
usage: build-key-server

[root@vpnserver easy-rsa]# ./build-key-server vpnserver
Generating a 1024 bit RSA private key
..................................................++++++
.........................++++++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [openvpn-tianyun]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vpnserver.tianyun.com
Email Address [tianyun@126.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'openvpn-tianyun'
commonName :PRINTABLE:'vpnserver.tianyun.com'
emailAddress :IA5STRING:'tianyun@126.com'
Certificate is to be certified until Jun 29 04:03:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@vpnserver easy-rsa]# ls keys/
01.pem index.txt serial vicvpnserver.csr
ca.crt index.txt.attr serial.old vicvpnserver.key
ca.key index.txt.old vicvpnserver.crt


Generate a private key and certificate for each client:


Every VPN client that logs in needs its own certificate. When two machines use the same certificate and connect at the same time, only one of them ends up with a working tunnel (OpenVPN does not allow two concurrent sessions with the same Common Name unless the server is started with duplicate-cn). A certificate per client is also what makes it possible to revoke a single lost laptop without re-issuing everyone else's, so issue as many certificates as there are clients.
=================================================================================
[root@vpnserver easy-rsa]# ./build-key client1
Generating a 1024 bit RSA private key
............................++++++
...................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [OpenVPN-ROOT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: client1.tianyun.com
Email Address [tianyun@126.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'BJ'
localityName :PRINTABLE:'BJ'
organizationName :PRINTABLE:'OpenVPN-ROOT'
commonName :PRINTABLE:'client1.tianyun.com'
emailAddress :IA5STRING:'tianyun@126.com'
Certificate is to be certified until Nov 6 11:38:59 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@vpnserver easy-rsa]# ls keys/
01.pem client1.crt index.txt.attr serial.old
02.pem client1.csr index.txt.attr.old vicvpnserver.crt
ca.crt client1.key index.txt.old vicvpnserver.csr
ca.key index.txt serial vicvpnserver.key


Distribute the certificates and private keys to the corresponding client hosts (ca.crt, client1.crt and client1.key for client1; the copy step is shown in the client section below). Send a private key only over an authenticated, encrypted channel such as scp, never by plain e-mail or FTP, and keep it readable by root only.

Then generate the Diffie-Hellman parameters the server needs (build-dh names the file dh<KEY_SIZE>.pem, here dh1024.pem):

[root@vpnserver easy-rsa]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa
[root@vpnserver easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........+...+.........................+.........+....................++*++*++*
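The easy-rsa scripts above are thin wrappers around openssl. The script below, added here as an example and not taken from the article or from the OpenVPN project, rebuilds the same PKI (CA, server certificate with the server extension, client certificate) with openssl directly, then runs the checks worth doing before any file is copied to a host: each certificate chains to the CA, each private key matches its certificate, and only the server certificate carries the server extension that the client's ns-cert-type server option relies on. It ends with what revoke-full does: revoke client1, issue a CRL, and confirm that the certificate is rejected once the CRL is consulted (what crl-verify does on the server). The subject names reuse the article's; the work directory, the 2048-bit key size and the extension sets are this example's assumptions. DH parameters (openssl dhparam -out dh2048.pem 2048) are deliberately not generated because that takes minutes.

```shell
#!/bin/sh
# Added example: an openssl-only rebuild of what build-ca, build-key-server,
# build-key and revoke-full do, with verification steps. Not from the article
# or the OpenVPN project. Work directory, key size and extension sets are
# assumptions made for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"               # assumption: throwaway directory
SUBJ="/C=CN/ST=BJ/L=BJ/O=openvpn-tianyun"  # DN fields from the article's vars

write_support_files() {
  # CA extensions, and the equivalents of easy-rsa's "server" and "client" sections
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nnsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/server.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$WORK/client.ext"
  # Minimal "openssl ca" configuration, used only for revocation and CRL issuance
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
serial           = $WORK/serial
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
}

build_ca() {                               # ./build-ca
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ/CN=ca.tianyun.com" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
  chmod 600 "$WORK/ca.key"
}

issue_cert() {                             # ./build-key-server NAME or ./build-key NAME
  name=$1 kind=$2                          # $2 = server | client (extension set)
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ/CN=$name.tianyun.com" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/$kind.ext" -out "$WORK/$name.crt" 2>/dev/null
  chmod 600 "$WORK/$name.key"
}

verify_chain() {                           # does NAME.crt chain to ca.crt?
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

key_matches_cert() {                       # does NAME.key belong to NAME.crt?
  [ "$(openssl x509 -noout -modulus -in "$WORK/$1.crt")" = \
    "$(openssl rsa -noout -modulus -in "$WORK/$1.key" 2>/dev/null)" ]
}

cert_has_server_ext() {                    # the property "ns-cert-type server" checks
  openssl x509 -noout -text -in "$WORK/$1.crt" | grep -q 'TLS Web Server Authentication'
}

revoke_cert() {                            # ./revoke-full NAME: revoke, then publish a CRL
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

cert_status() {                            # OK | REVOKED | INVALID, consulting the CRL
  out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
        "$WORK/$1.crt" 2>&1) && { echo OK; return 0; }
  case $out in *revoked*) echo REVOKED ;; *) echo INVALID ;; esac
}

write_support_files
build_ca
issue_cert vpnserver server
issue_cert client1 client
for n in vpnserver client1; do
  verify_chain "$n" && key_matches_cert "$n" && echo "$n: chain OK, key matches"
done
cert_has_server_ext client1 || echo "client1.crt is not a server certificate (as it should be)"
revoke_cert client1
echo "after revoking client1: vpnserver=$(cert_status vpnserver) client1=$(cert_status client1)"
```

The modulus comparison is the quickest way to catch a key/certificate mix-up before copying files to a client, and the extension check explains why build-key-server and build-key are different scripts: without the server extension, ns-cert-type server on the client would reject the server, and with it on a client certificate, that client could pose as the server.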

Configure the VPN server


[root@vpnserver keys]# pwd
/usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver keys]# cp ca.crt vpnserver.crt vpnserver.key /etc/openvpn/
[root@vpnserver keys]# ls /etc/openvpn/
ca.crt vpnserver.crt vpnserver.key


[root@vpnserver easy-rsa]# cp keys/dh1024.pem /etc/openvpn/ // the DH file generated by build-dh above

[root@vpnserver ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/ // sample OpenVPN server configuration
[root@vpnserver ~]# vim /etc/openvpn/server.conf
[root@vpnserver ~]# grep '^[^#]' /etc/openvpn/server.conf
local 20.20.20.1
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
# The subnet used inside the VPN. OpenVPN hands out addresses from it (DHCP-like); it must not overlap the LAN on either side. The server takes the .1 address by default.
ifconfig-pool-persist ipp.txt
# Keeps a client-to-virtual-IP table so that a reconnecting client gets the same address again
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.2.0 255.255.255.0"


# Pushes a route to the clients so they can reach the company's internal servers. Remember that the internal servers also need a usable route back to the clients (the default gateway set on the intranet host above).
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
duplicate-cn
keepalive 10 120
# Liveness check interval and timeout: ping every 10 seconds, and treat the peer as down after 120 seconds without a reply
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
# LZO compression of the tunnel traffic; must be set on both server and client
max-clients 100
user nobody
group nobody
persist-key
persist-tun
# Keep some state across restarts (needed so that the daemon, having dropped to nobody, can restart without re-reading the key or re-creating the interface)
status openvpn-status.log
log openvpn.log
verb 3
# Log verbosity. 0 logs only errors; 4 logs ordinary messages; 5 and 6 help when debugging connection problems; 9 is extreme and shows everything, down to packet headers (like tcpdump)
mute 20
# Repeated-message limit: after 20 consecutive identical messages, further copies are not logged

Notes on this configuration. duplicate-cn lets several clients share one certificate, which removes the one-certificate-per-client accountability described above; delete it. tls-auth is commented out; generate a key with openvpn --genkey --secret ta.key and enable tls-auth ta.key 0 here (tls-auth ta.key 1 on the client), and the server drops every control-channel packet that does not carry the shared HMAC, so unauthenticated hosts cannot even start a TLS handshake. No cipher is set, so OpenVPN 2.0 uses its BF-CBC default (a 64-bit block cipher); set an AES cipher on both sides. 1024-bit keys and DH parameters are below today's minimum; use 2048 bits. A crl-verify line pointing at the CRL produced by revoke-full is what makes revoking a client certificate take effect. Finally, dev tap creates a layer-2 tunnel; since no bridge is configured here, dev tun (routed) does the same job without carrying broadcast traffic.

[root@vpnserver ~]# service openvpn start
Starting openvpn: [ OK ]
[root@vpnserver ~]# chkconfig openvpn on
[root@vpnserver ~]# ip addr show dev tap0
4: tap0: mtu 1500 qdisc pfifo_fast qlen 100
link/ether e2:93:9e:d2:00:2c brd ff:ff:ff:ff:ff:ff
inet 10.8.0.1/24 brd 10.8.0.255 scope global tap0
[root@vpnserver ~]# ip route
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.250
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.1
20.20.20.0/24 dev eth2 proto kernel scope link src 20.20.20.1
169.254.0.0/16 dev eth2 scope link

----------- Configure the VPN client -----------

[root@vpnclient ~]# ip addr add dev eth0 20.20.20.2/24
[root@vpnclient ~]# ip addr show eth0
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:24:1d:39:8e:d9 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.2/24 scope global eth0
[root@vpnclient ~]# ip route
20.20.20.0/24 dev eth0 proto kernel scope link src 20.20.20.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link

[root@vpnclient OpenVPN]# rpm -ivh lzo2-2.02-3.el5.rf.i386.rpm
warning: lzo2-2.02-3.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:lzo2 ########################################### [100%]
[root@vpnclient OpenVPN]# rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm
warning: openvpn-2.0.9-1.el5.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:openvpn ########################################### [100%]

Before editing the config file, copy ca.crt, client1.crt and client1.key from the server to this host, e.g. with scp: the private key must travel over an authenticated, encrypted channel and should be readable only by root (chmod 600).
[root@vpnclient openvpn]# cd /etc/openvpn/
[root@vpnclient openvpn]# ls c* // the three files copied into this directory
ca.crt client1.crt client1.key

[root@vpnclient OpenVPN]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/

[root@vpnclient OpenVPN]# vi /etc/openvpn/client.conf
[root@vpnclient OpenVPN]# grep '^[^#]' /etc/openvpn/client.conf
client
dev tap
;dev-node MyTap
proto udp
remote 20.20.20.1 1194 // the server's address (its external interface) and port
;remote-random
nobind
user nobody
group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
mute 20

Two commented lines deserve attention. ns-cert-type server makes the client verify that the certificate presented by the peer carries the server extension that build-key-server added; without it, anyone holding a valid client certificate (client2, say) could pose as the VPN server and collect this client's traffic, so uncomment it. tls-auth ta.key 1 must be enabled together with tls-auth ta.key 0 on the server and needs a copy of the same ta.key file.
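The server.conf and client.conf above can be checked mechanically for the weak or missing settings discussed in their notes. The script below is an added example, not code from the article or from the OpenVPN project: it audits an OpenVPN 2.x configuration for duplicate-cn, a missing tls-auth/tls-crypt, a missing crl-verify, an unset or weak cipher, a 1024-bit DH file (judged from the file name only), compression, a missing privilege drop and, on the client side, a missing ns-cert-type server / remote-cert-tls server. The four configurations it writes are constructed for the example: the "weak" ones mirror the article's files, the "hardened" ones are the corrections suggested above (cipher AES-256-CBC is chosen because the page uses OpenVPN 2.0.9; on 2.4 and later prefer AES-256-GCM). The finding texts, the regexes and the temporary directory are this example's own.

```shell
#!/bin/sh
# Added example: audits an OpenVPN 2.x server.conf or client.conf for the
# weak or missing settings discussed above. Not from the article or the
# OpenVPN project. The four configurations below are constructed for this
# example: the "weak" ones mirror the article's files, the "hardened" ones
# are the suggested corrections.
set -eu

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"       # assumption: throwaway directory
WEAK_SERVER=$CONF_DIR/server-weak.conf
HARD_SERVER=$CONF_DIR/server-hard.conf
WEAK_CLIENT=$CONF_DIR/client-weak.conf
HARD_CLIENT=$CONF_DIR/client-hard.conf

cat > "$WEAK_SERVER" <<'EOF'
port 1194
proto udp
dev tap
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
duplicate-cn
;tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
EOF
# Hardened: one cert per client (no duplicate-cn), HMAC-protected control channel,
# revocation honoured, explicit AES cipher, 2048-bit DH, routed tun, no compression.
cat > "$HARD_SERVER" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh dh2048.pem
crl-verify crl.pem
tls-auth ta.key 0
cipher AES-256-CBC
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
user nobody
group nobody
EOF
cat > "$WEAK_CLIENT" <<'EOF'
client
dev tap
proto udp
remote 20.20.20.1 1194
ca ca.crt
cert client1.crt
key client1.key
;ns-cert-type server
;tls-auth ta.key 1
comp-lzo
EOF
cat > "$HARD_CLIENT" <<'EOF'
client
dev tun
proto udp
remote 20.20.20.1 1194
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-256-CBC
EOF

effective_directives() {        # drop blank lines and '#' / ';' comments
  grep -Ev '^[[:space:]]*([#;]|$)' "$1"
}
has_directive() {               # $1 = file, $2 = ERE anchored at the start of a directive line
  effective_directives "$1" | grep -Eq "^($2)"
}
audit_conf() {                  # $1 = server|client, $2 = file; prints one finding per line
  role=$1 f=$2
  {
    if [ "$role" = server ]; then
      has_directive "$f" 'duplicate-cn' && echo "duplicate-cn: clients may share one certificate, so a session cannot be tied to one client and one key cannot be revoked alone"
      has_directive "$f" 'crl-verify[[:space:]]' || echo "no crl-verify: revoked client certificates are still accepted"
      has_directive "$f" 'dh[[:space:]]+[^[:space:]]*1024' && echo "dh: file name suggests 1024-bit DH parameters (heuristic); regenerate with 2048 bits"
      has_directive "$f" 'user[[:space:]]' && has_directive "$f" 'group[[:space:]]' || echo "no user/group: the daemon keeps root privileges after start-up"
    else
      has_directive "$f" 'ns-cert-type[[:space:]]+server|remote-cert-tls[[:space:]]+server' || echo "no ns-cert-type server / remote-cert-tls server: any holder of a valid client certificate could impersonate the server"
    fi
    has_directive "$f" 'tls-auth[[:space:]]|tls-crypt[[:space:]]' || echo "no tls-auth/tls-crypt: anyone who can reach the port can start TLS handshakes with the daemon"
    has_directive "$f" 'cipher[[:space:]]+(AES|CHACHA)' || echo "cipher unset or weak: OpenVPN 2.0 defaults to BF-CBC (64-bit block); set an AES cipher on both ends"
    has_directive "$f" 'comp-lzo|compress' && echo "comp-lzo/compress: compressing before encryption leaks plaintext information (compression oracle)"
  } | sed "s|^|$(basename "$f"): |"
}

for f in "$WEAK_SERVER" "$HARD_SERVER"; do audit_conf server "$f"; done
for f in "$WEAK_CLIENT" "$HARD_CLIENT"; do audit_conf client "$f"; done
echo "weak server: $(audit_conf server "$WEAK_SERVER" | grep -c .) findings, hardened server: $(audit_conf server "$HARD_SERVER" | grep -c .)"
```

Run it against the real /etc/openvpn/server.conf with audit_conf server /etc/openvpn/server.conf (and the client file with audit_conf client). Only uncommented directives count, which is exactly why the article's commented ;tls-auth and ;ns-cert-type lines show up as findings.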

[root@vpnclient ~]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]
[root@vpnclient ~]# chkconfig openvpn on

[root@vpnclient ~]# ip addr
1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:24:1d:39:8e:d9 brd ff:ff:ff:ff:ff:ff
inet 20.20.20.2/8 brd 20.255.255.255 scope global eth0
inet 20.20.20.2/24 brd 20.20.20.255 scope global eth0
3: virbr0: mtu 1500 qdisc noqueue
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
5: tap0: mtu 1500 qdisc pfifo_fast qlen 100
link/ether de:a2:1e:12:e7:6a brd ff:ff:ff:ff:ff:ff
inet 10.8.0.2/24 brd 10.8.0.255 scope global tap0

[root@vpnclient ~]# ip route
192.168.2.0/24 via 10.8.0.1 dev tap0
10.8.0.0/24 dev tap0 proto kernel scope link src 10.8.0.2
20.20.20.0/24 dev eth0 proto kernel scope link src 20.20.20.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
20.0.0.0/8 dev eth0 proto kernel scope link src 20.20.20.2

The first route, 192.168.2.0/24 via 10.8.0.1 on tap0, is the one pushed by the server; confirm the setup end to end with ping 192.168.2.25 (the intranet host) from the client. The 20.20.20.2/8 address and the 20.0.0.0/8 route are presumably left over from an earlier ip addr add that did not specify a prefix length; they are harmless in this lab but should be removed with ip addr del 20.20.20.2/8 dev eth0.
