Using OpenVPN to connect two remote networks
Sections
- Overview
- Deploying the OpenVPN server
- Deploying the OpenVPN client
- Testing
- Summary
1. Overview
In a real IT environment there is often a need to connect two geographically separate networks at the network layer so that they can reach each other. Common scenarios:
- Two branch offices need to interconnect, e.g. a branch sends data to headquarters for processing in real time
- An office network and an IDC (data centre) need to interconnect, e.g. operations or technical staff manage servers in the IDC remotely, and servers in the IDC also need to reach servers on the office LAN
- Two IDCs need to interconnect, e.g. to synchronise data or access each other
You could of course lease a dedicated line for this, but that is expensive, so we do it with OpenVPN.
The example below uses OpenVPN to build a VPN server that connects two remote networks, A and B, so that 172.16.10.0/24 in LAN A and 172.16.20.0/24 in LAN B can reach each other as if they were on a single LAN.
Environment:
| Role | IP |
| --- | --- |
| OpenVPN server | 192.168.0.124/24 (simulated public address), 172.16.10.206/24 (LAN), 10.8.0.1 / 10.8.0.2 (VPN virtual interface addresses) |
| OpenVPN client | 192.168.0.200/24, 172.16.20.200/24 (LAN), 10.8.0.6 / 10.8.0.5 (VPN virtual interface addresses) |
| LAN A host | 172.16.10.207/24 |
| LAN B host | 172.16.20.201/24 |
2. Deploying the OpenVPN server (192.168.0.124)
Disable SELinux
# setenforce 0
setenforce: SELinux is disabled
Enable IP forwarding
Edit /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then run
# sysctl -p
Install OpenVPN
# curl http://mirrors.aliyun.com/repo/epel-6.repo -o /etc/yum.repos.d/epel-6.repo --silent   # add the Aliyun EPEL repository
# yum install openssl openvpn easy-rsa lzo -y
Create the directories and configuration
# mkdir /var/log/openvpn        # OpenVPN log files
# mkdir /etc/openvpn/easy-rsa   # tools provided by the easy-rsa package
# mkdir /etc/openvpn/ccd        # per-client configuration directory, used later
# mkdir /var/run/openvpn        # OpenVPN pid file
Copy the tools provided by the easy-rsa package to /etc/openvpn/easy-rsa
# cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ -r
Edit /etc/openvpn/easy-rsa/vars, find the variables below and set them to your own values; they are applied when the certificates are generated later
export KEY_COUNTRY="CN"        # country
export KEY_PROVINCE="GD"       # province
export KEY_CITY="GZ"           # city
export KEY_ORG="MY_ORG"        # organisation/company
export KEY_EMAIL="vpn@qq.com"  # e-mail address
export KEY_OU="vpn"            # organisational unit
export KEY_NAME="openvpn"      # server name
Then run
# source vars      # import the variables from vars into the current environment
# ./clean-all      # clear the files under the keys directory
Generate the CA
That is, the certificate authority that will issue the certificates
# cd /etc/openvpn/easy-rsa
# ./build-ca
Generate the server certificate
# ./build-key-server vpnserver   # name it vpnserver
Generating a 2048 bit RSA private key
................................+++
.....+++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnserver]:
Name [vpn]:
Email Address [vpn@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GZ'
organizationName      :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'vpnserver'
name                  :PRINTABLE:'vpn'
emailAddress          :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:26:49 2026 GMT (3650 days)
Sign the certificate? [y/n]:y   # type y
1 out of 1 certificate requests certified, commit? [y/n]y   # type y
Write out database with 1 new entries
Data Base Updated
Generate the client certificate
# ./build-key vpnclient   # name it vpnclient, i.e. generate a certificate for the client called vpnclient
Generating a 2048 bit RSA private key
.......+++
....................+++
writing new private key to 'vpnclient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnclient]:
Name [vpn]:
Email Address [vpn@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'GZ'
organizationName      :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName            :PRINTABLE:'vpnclient'
name                  :PRINTABLE:'vpn'
emailAddress          :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:30:42 2026 GMT (3650 days)
Sign the certificate? [y/n]:y   # type y
1 out of 1 certificate requests certified, commit? [y/n]y   # type y
Write out database with 1 new entries
Data Base Updated
Create the Diffie-Hellman parameter file
This takes a while
# ./build-dh
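A check worth running in the keys directory once build-ca, build-key-server and build-key have finished, added here as an example and not taken from the original post or from easy-rsa. It uses plain openssl, which the easy-rsa scripts wrap, and assumes the page's file names ca.crt, vpnserver.crt and vpnclient.crt under /etc/openvpn/easy-rsa/keys.

```shell
#!/bin/sh
# Added example, not part of the original post. Two properties matter for this
# setup: every certificate must chain to ca.crt, and the server certificate must
# carry the "TLS Web Server Authentication" extended key usage, because the
# client configuration later uses "remote-cert-tls server" and will reject a
# server certificate without it (build-key-server adds it, build-key does not).

# chains_to_ca CA CERT: 0 if CERT was issued under CA
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_server_cert CERT: 0 if CERT is acceptable to a "remote-cert-tls server" client
is_server_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication'
}

# expires_within CERT DAYS: 0 if CERT expires within DAYS days (the page's certs get 3650 at issue)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_keys KEYDIR SERVERNAME CLIENTNAME: run every check against the page's file layout
check_keys() {
    ca="$1/ca.crt"; rc=0
    for name in "$2" "$3"; do
        chains_to_ca "$ca" "$1/$name.crt" || { echo "FAIL: $name.crt does not chain to ca.crt"; rc=1; }
        expires_within "$1/$name.crt" 30 && echo "WARN: $name.crt expires within 30 days"
    done
    is_server_cert "$1/$2.crt" || { echo "FAIL: $2.crt has no serverAuth EKU; rebuild it with build-key-server"; rc=1; }
    return $rc
}

# Live run on the OpenVPN server; elsewhere only the functions are defined.
if [ -d /etc/openvpn/easy-rsa/keys ]; then
    check_keys /etc/openvpn/easy-rsa/keys vpnserver vpnclient && echo "OK: certificates verify"
fi
```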
Configure OpenVPN
Edit /etc/openvpn/server.conf with the following content
local 192.168.0.124
port 1999
proto tcp-server
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "route 172.16.10.0 255.255.255.0"   # route pushed to the clients: tells each client to add a static route so that traffic for 172.16.10.0/24 goes through the VPN server; add one such line for every subnet behind the VPN server
route 172.16.20.0 255.255.255.0          # route added on the OpenVPN server at start-up: traffic for 172.16.20.0/24 goes out the virtual interface (tun0), i.e. a static route
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
client-to-client
duplicate-cn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
writepid /var/run/openvpn/server.pid
verb 3
mute 20
Start the OpenVPN server
# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on
Check the tun0 interface and the routes
# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
# route -n | grep tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0   # host route
172.16.20.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0   # static route: next hop for 172.16.20.0/24 is 10.8.0.2
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0   # static route: next hop for 10.8.0.0/24 is 10.8.0.2
Specify the client configuration
Specify the configuration for the client vpnclient by editing /etc/openvpn/ccd/vpnclient with the following content
ifconfig-push 10.8.0.6 10.8.0.5     # the client's tunnel addresses
iroute 172.16.20.0 255.255.255.0    # tells the server: my subnet is 172.16.20.0/24
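A consistency check for the server.conf and ccd entries above, added here as an example and not code from the original post or from OpenVPN. Assumed: the page's paths /etc/openvpn/server.conf and /etc/openvpn/ccd, and that the ccd file name equals the Common Name in the client's certificate (vpnclient here), which is how OpenVPN locates it.

```shell
#!/bin/sh
# Added example, not part of the original post. Cross-checks the "route" lines
# in server.conf against the "iroute" lines of every file in the
# client-config-dir: an iroute without a matching route is the classic reason
# packets for a client LAN (172.16.20.0/24 here) never enter tun0.

# routes_in FILE DIRECTIVE: print "network netmask" for each DIRECTIVE line,
# after stripping trailing "# ..." comments like the ones used on this page.
routes_in() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2, $3 }'
}

# check_iroutes SERVER_CONF CCD_DIR: 0 if every iroute has a matching route,
# 1 otherwise; each mismatch is reported on stdout.
check_iroutes() {
    conf=$1; ccd=$2; rc=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        routes_in "$f" iroute | while read -r net mask; do
            routes_in "$conf" route | grep -qx "$net $mask" && continue
            echo "MISSING: $f has 'iroute $net $mask' but $conf has no 'route $net $mask'"
            exit 1   # leaves only the piped subshell, failing the pipeline
        done || rc=1
    done
    return $rc
}

# warn_duplicate_cn SERVER_CONF CCD_DIR: duplicate-cn lets several clients
# present the same certificate, but a ccd file with ifconfig-push/iroute
# describes exactly one client; extra connections under that name would
# fight over the same tunnel address and subnet, so flag the combination.
warn_duplicate_cn() {
    grep -qs '^duplicate-cn' "$1" || return 0
    grep -ls '^ifconfig-push' "$2"/* 2>/dev/null | while read -r f; do
        echo "WARN: duplicate-cn is set but $f pins a fixed address for one client"
    done
}

# Live run on the OpenVPN server; elsewhere only the functions are defined.
if [ -r /etc/openvpn/server.conf ] && [ -d /etc/openvpn/ccd ]; then
    check_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd && echo "OK: every iroute has a matching route"
    warn_duplicate_cn /etc/openvpn/server.conf /etc/openvpn/ccd
fi
```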
3. Deploying the OpenVPN client (192.168.0.200)
Disable SELinux
# setenforce 0
setenforce: SELinux is disabled
Enable IP forwarding
Edit /etc/sysctl.conf and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then run
# sysctl -p
Install OpenVPN
# curl http://mirrors.aliyun.com/repo/epel-6.repo -o /etc/yum.repos.d/epel-6.repo --silent   # add the Aliyun EPEL repository
# yum install openssl openvpn easy-rsa lzo -y
Create the directories and configuration
# mkdir /etc/openvpn/keys   # the client's certificates
# mkdir /var/log/openvpn    # log directory
Pull the certificate files ca.crt, vpnclient.crt and vpnclient.key from /etc/openvpn/easy-rsa/keys on the OpenVPN server and put them in /etc/openvpn/keys
# ls /etc/openvpn/keys
ca.crt  vpnclient.crt  vpnclient.key
Configure the OpenVPN client
Edit the client configuration file /etc/openvpn/client.conf with the following content
client
dev tun
proto tcp-client
remote 192.168.0.124 1999
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnclient.crt
key /etc/openvpn/keys/vpnclient.key
remote-cert-tls server
auth-nocache
user nobody
group nobody
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
comp-lzo
verb 3
mute 20
Start the OpenVPN client
# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on
Once started, the client shows up only as a process: it connects out to the server, so it does not need to listen on a port
# ps aux | grep vpn
nobody    4236  0.1  0.3  46916  3232 ?  Ss  01:36  0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/client.pid --cd /etc/openvpn --config client.conf --script-security 2
Check the tun0 interface and the routes
# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
# route -n | grep tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0   # host route
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0   # static route: next hop for 10.8.0.0/24 is 10.8.0.5
172.16.10.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0   # static route: next hop for 172.16.10.0/24 is 10.8.0.5
4. Testing (172.16.10.207, 172.16.20.201)
Add a route on the LAN A host 172.16.10.207
ip route add 172.16.20.0/24 via 172.16.10.206                   // on Linux
route add 172.16.20.0 mask 255.255.255.0 172.16.10.206           // on Windows
This route says that the next hop from A to the LAN B subnet 172.16.20.0/24 is 172.16.10.206, i.e. the packets are handed to vpnserver
Add a route on the LAN B host 172.16.20.201
ip route add 172.16.10.0/24 via 172.16.20.200                   // on Linux
route add 172.16.10.0 mask 255.255.255.0 172.16.20.200           // on Windows
This route says that the next hop from B to the LAN A subnet 172.16.10.0/24 is 172.16.20.200, i.e. the packets are handed to vpnclient
Finally, ping 172.16.20.201 from the LAN A host 172.16.10.207
# ping 172.16.20.201
PING 172.16.20.201 (172.16.20.201) 56(84) bytes of data.
64 bytes from 172.16.20.201: icmp_seq=1 ttl=62 time=1.44 ms
64 bytes from 172.16.20.201: icmp_seq=2 ttl=62 time=0.752 ms
64 bytes from 172.16.20.201: icmp_seq=3 ttl=62 time=0.674 ms
64 bytes from 172.16.20.201: icmp_seq=4 ttl=62 time=0.785 ms
^C
--- 172.16.20.201 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 0.674/0.913/1.441/0.307 ms
Ping 172.16.10.207 from the LAN B host 172.16.20.201
# ping 172.16.10.207
PING 172.16.10.207 (172.16.10.207) 56(84) bytes of data.
64 bytes from 172.16.10.207: icmp_seq=1 ttl=62 time=5.72 ms
64 bytes from 172.16.10.207: icmp_seq=2 ttl=62 time=0.674 ms
^C
--- 172.16.10.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1400ms
rtt min/avg/max/mdev = 0.674/3.200/5.727/2.527 ms
Both sides can ping each other, so everything works
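A scripted version of the checks above (the route -n output on vpnserver and the ping test), added here as an example and not taken from the original post. It parses route -n text and ping replies rather than running them, so the page's own output can be fed in; the ttl=62 in the replies is itself worth checking, since a Linux host answers with TTL 64 and vpnclient and vpnserver each decrement it once on the way back. Assumed: the page's addresses (tun0 peer 10.8.0.2, LAN B 172.16.20.0/24) and the net-tools route command for the live run.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks for the routing half
# of the setup, run on the OpenVPN server after the service is up. The
# functions take text so the page's own "route -n" and ping output can be
# used as input; the live run at the bottom feeds them the real thing.

# route_via TABLE NET GATEWAY IFACE: 0 if TABLE ("route -n" output, trailing
# "# ..." comments allowed) has a line that sends NET through GATEWAY on IFACE.
route_via() {
    printf '%s\n' "$1" | awk -v n="$2" -v g="$3" -v i="$4" '{ sub(/#.*/, "") } $1 == n && $2 == g && $NF == i { ok = 1 } END { exit !ok }'
}

# hops_in_path PING_OUTPUT: print how many routers a reply crossed, assuming the
# peer is a Linux host with the default initial TTL of 64 (ttl=62 on the page
# means vpnclient and vpnserver each forwarded it once). Prints -1 without a reply.
hops_in_path() {
    printf '%s\n' "$1" | awk '
        match($0, /ttl=[0-9]+/) { print 64 - substr($0, RSTART + 4, RLENGTH - 4); found = 1; exit }
        END { if (!found) print -1 }'
}

# forwarding_on FILE: 0 if FILE (normally /proc/sys/net/ipv4/ip_forward) holds 1
forwarding_on() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# check_server TABLE IP_FORWARD_FILE: the two things that must hold on vpnserver
# before LAN A can reach LAN B through it.
check_server() {
    forwarding_on "$2" || { echo "FAIL: net.ipv4.ip_forward is not 1; tun0 traffic is not forwarded"; return 1; }
    route_via "$1" 172.16.20.0 10.8.0.2 tun0 || { echo "FAIL: no route to 172.16.20.0/24 via 10.8.0.2 on tun0 (check the 'route' line in server.conf)"; return 1; }
    echo "OK: forwarding is on and 172.16.20.0/24 is routed through tun0"
}

# Live run only where the tunnel actually exists; elsewhere the functions are just defined.
if [ -d /sys/class/net/tun0 ] && command -v route >/dev/null 2>&1; then
    check_server "$(route -n)" /proc/sys/net/ipv4/ip_forward
fi
```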
Possible improvements
If LANs A and B contain many hosts, the route has to be added on every one of them, which is tedious; in a real environment it can be added on the LAN's router instead, so nothing needs to be configured on the hosts.
5. Summary
The purpose of the VPN is to connect two or more remote networks at the network layer, as if they were on the same LAN
Once vpnserver and vpnclient are set up, they can be regarded as routers
If data will be transferred across the VPN, make the bandwidth as large as possible and, where necessary, use port bonding and high availability