server: 192.168.30.35 client: 192.168.30.21 虚拟机:172.16.181.128 client:192.168.30.36 虚拟机:192.168.159.128
server: 192.168.30.35
client: 192.168.30.21 虚拟机:172.16.181.128
client:192.168.30.36 虚拟机:192.168.159.128
实现:172.16.181.128 和192.168.159.128之间通信
server:192.168.30.35
yum install openvpn 依赖:pkcs11-helper-1.07-5.el6.x86_64.rpm
yum install easy-rsa-2.2.0-2.el6.noarch.rpm
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/server.conf
vim /etc/openvpn/server.conf
35 proto tcp
36 ;proto udp
52 ;dev tap
53 dev tun
78 ca ca.crt
79 cert server.crt
80 key server.key
84 # openssl dhparam -out dh1024.pem 1024
85 # Substitute 2048 for 1024 if you are using
86 # 2048 bit keys.
87 dh dh1024.pem
96 server 10.8.0.0 255.255.255.0
126 # bound to a DHCP client.
127 ;server-bridge
128
129 route 172.16.181.0 255.255.255.0
130 route 192.168.159.0 255.255.255.0
131 # Push routes to the client to allow it
137 # back to the OpenVPN server.
138 ;push "route 192.168.10.0 255.255.255.0"
139 ;push "route 192.168.10.0 255.255.255.0"
140 push "route 172.16.181.0 255.255.255.0"
141 push "route 192.168.159.0 255.255.255.0"
142
143 # To assign specific IP addresses to specific
153 # First, uncomment out these lines:
154 client-config-dir ccd
155 ;route 192.168.40.128 255.255.255.248
156 # Then create a file ccd/Thelonious with this line:
207 # server's TUN/TAP interface.
208 client-to-client
# openvpn --genkey --secret ta.key
245 tls-auth ta.key 0 # This file is secret
251 cipher AES-128-CBC # AES
267 # non-Windows systems.
268 user nobody
269 group nobody
270
271 # The persist options will try to avoid
保存退出
cd /usr/share/easy-rsa/2.0
vim vars
64 export KEY_COUNTRY="CN"
65 export KEY_PROVINCE="Sichuan"
66 export KEY_CITY="Chengdu"
67 export KEY_ORG="Uplooking"
68 export KEY_EMAIL="<邮箱地址，原文已被脱敏>"
69 export KEY_EMAIL=<邮箱地址，原文已被脱敏>
70 export KEY_CN=changeme
71 export KEY_NAME=changeme
72 export KEY_OU="vpn"
73 export PKCS11_MODULE_PATH=changeme
74 export PKCS11_PIN=1234
保存退出
. vars
./clean-all 只在第一次初始化时执行这条命令，它会清空 keys 目录；以后不要再执行，否则已生成的证书和 key 会被删除
./build-ca
会生成ca.crt 和ca.key（ca.key 是 CA 私钥，只保留在服务端，后面只把 ca.crt 分发给客户端）
./build-key-server server
会生成server.crt和server.key
为客户端生成证书和key
./build-key 192.168.159.128
生成192.168.159.128.crt和192.168.159.128.key
./build-key 172.16.181.128
生成172.16.181.128.crt和172.16.181.128.key
openvpn --genkey --secret ta.key
生成ta.key
openssl dhparam -out dh1024.pem 1024
生成dh1024.pem（1024 位 DH 参数强度已不足，生产环境建议按 server.conf 第 84-87 行注释的说明改用 2048 位）
cp dh1024.pem ta.key ca.crt server.crt server.key /etc/openvpn
scp ta.key ca.crt 192.168.159.128.crt 192.168.159.128.key <用户名>@192.168.30.36:/etc/openvpn
scp ta.key ca.crt 172.16.181.128.crt 172.16.181.128.key <用户名>@192.168.30.21:/etc/openvpn
客户端:192.168.30.36
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf /etc/openvpn/client.conf
cd /etc/openvpn
vim client.conf
16 client
23 ;dev tap
24 dev tun
36 proto tcp
37 ;proto udp
42 remote 192.168.30.35 1194
43 ;remote my-server-2 1194
61 user nobody
62 group nobody
88 ca ca.crt
89 cert 192.168.159.128.crt
90 key 192.168.159.128.key
107 tls-auth ta.key 1
111 # then you must also specify it here.
112 cipher AES-128-CBC
保存退出
vim /etc/sysctl.conf 开启转发
6 # Controls IP packet forwarding
7 net.ipv4.ip_forward = 1
保存退出，然后执行 sysctl -p 使转发设置立即生效
如果防火墙是开着的，还需要在防火墙里允许转发流量
客户端:192.168.30.21 也按如上配置，只是指定自己的 key 和 crt 时不一样，改为:
89 cert 172.16.181.128.crt
90 key 172.16.181.128.key
保存退出
vim /etc/sysctl.conf 开启转发
6 # Controls IP packet forwarding
7 net.ipv4.ip_forward = 1
保存退出，然后执行 sysctl -p 使转发设置立即生效
如果防火墙是开着的，还需要在防火墙里允许转发流量
服务端:192.168.30.35
mkdir /etc/openvpn/ccd
cd /etc/openvpn/ccd
touch 192.168.159.128
touch 172.16.181.128
这里创建的文件名必须与生成客户端证书时使用的 common name 一致
vim 192.168.159.128
iroute 192.168.159.0 255.255.255.0
vim 172.16.181.128
iroute 172.16.181.0 255.255.255.0
这里是让服务端根据客户端证书的 common name 读取对应的配置文件，声明该客户端背后的子网
服务端和客户端:
service openvpn restart
查看有没有tun0的网卡:
ifconfig tun0
测试:
在192.168.159.128上:
ping 172.16.181.128
在172.16.181.128上:
ping 192.168.159.128
如果都能ping通那么就成功了。
如果ping不通可以查看路由: