{"id":1347,"date":"2010-06-07T17:56:03","date_gmt":"2010-06-07T09:56:03","guid":{"rendered":"http:\/\/blog.nuface.tw\/?p=1347"},"modified":"2012-09-14T14:24:17","modified_gmt":"2012-09-14T06:24:17","slug":"openvpn-%e5%bb%ba%e7%bd%ae%e7%ad%86%e8%a8%98%e7%ac%ac7%e9%9b%86","status":"publish","type":"post","link":"https:\/\/blog.nuface.tw\/?p=1347","title":{"rendered":"OpenVPN \u5efa\u7f6e\u7b46\u8a18(\u7b2c7\u96c6)"},"content":{"rendered":"

\u7e3d\u7b97\u53c8\u53ef\u4ee5\u4f86\u5beb\u6211\u7684OpenVPN \u4e86\uff0c\u81ea\u5f9e\u4e0a\u4e00\u6b21\u5beb\u4e86OpenVPN(1-6)\u96c6\uff0c\u7372\u5f97\u4e86\u5ee3\u5927\u7db2\u53cb\uff0c\u4e0d\u932f\u7684\u8ff4\u97ff\u3002\u672c\u4f86\u60f3\u63a5\u8457\u628a\u5f8c\u9762\u7684\u5176\u5b83\u61c9\u7528\uff0c\u518d\u5beb\u51fa\u4f86\uff0c\u4f46\u7121\u5948\u88ab\u6d3e\u5916\u51fa\u5dee\uff0c\u6574\u500b\u4eba\u6ce1\u5728\u9152\u88cf\uff0c\u601d\u7dd2\u4e0d\u662f\u90a3\u9ebc\u6e05\u695a\uff0c\u4e0d\u6562\u96a8\u4fbf\u5beb\u6280\u8853\u8cc7\u6599\uff0c\u6015\u5beb\u932f\u4e86\uff0c\u8aa4\u4eba\u5b50\u5f1f\u56c9\uff01\u73fe\u5728\u982d\u8166\u6709\u6e05\u695a\u4e00\u9ede\uff0c\u5c31\u63a5\u8457\u628a\u5f8c\u9762\u5c0f\u745e\u5c0dOpenVPN \u7684\u61c9\u7528\uff0c\u63a5\u8457\u5206\u4eab\u51fa\u4f86^_^
\n
\n\"OpenVPN
\nLogo Ref Open VPN Project <\/a>
\n\u524d\u60c5\u63d0\u8981\uff1aOpenVPN \u5efa\u7f6e\u7b46\u8a18(\u7b2c6\u96c6)<\/a><\/p>\n

\u9019\u4e00\u96c6\uff0c\u8981\u5206\u4eab\u4e9b\u4ec0\u9ebc\u5462\uff1f<\/p>\n

\n\uff11\uff0e\u5c07VPN User \u5206\u4e0d\u540c\u7684\u7fa4\u7d44\uff0c\u7d66\u4e0d\u540c\u7684IP Range \uff0c\u4ee5\u65b9\u4fbf\u505a\u6b0a\u9650\u63a7\u7ba1\u3002
\n\uff12\uff0e\u5c0dVPN User \u9664\u4e86\u4f7f\u7528\u6191\u8b49\u7684\u8a8d\u8b49\u5916\uff0c\u53e6\u5916\u518d\u52a0\u5165User \/ Password \u7684\u8a8d\u8b49\u6a5f\u5236\u3002
\n\uff13\uff0e\u5c07VPN User \u767b\u5165\u53ca\u767b\u51fa\u7684\u6642\u9593\u9ede\uff0c\u505a\u8a18\u9304\uff0c\u4ee5\u4fbf\u5f8c\u7e8c\u7a3d\u6838\u4eba\u54e1\uff0c\u8981\u67e5\u8cc7\u6599\u53ef\u4ee5\u7528\u3002\n<\/p><\/blockquote>\n

\u5148\u91dd\u5c0d\u4e0d\u540c\u7684VPN User \u5206\u4e0d\u540c\u7684\u7fa4\u7d44\uff0c\u8a2d\u5b9a\u4e0d\u540c\u7684\u6b0a\u9650\u3002\u9019\u500b\u6211\u89ba\u5f97\u9084\u883b\u6709\u7528\u7684\uff0c\u4e00\u822c\u5728\u516c\u53f8\u7684\u74b0\u5883\u4e2d\uff0c\u6703\u6709\u4e9b\u6b63\u5f0f\u74b0\u5883\uff0c\u53ca\u6e2c\u8a66\u74b0\u5883\uff1b\u901a\u5e38\u6211\u5011\u6703\u958b\u653e\u6b63\u5f0f\u7684\u74b0\u5883\u7d66\u516c\u53f8\u7684\u4f7f\u7528\u8005\u4f7f\u7528\uff0c\u4f46\u5c0d\u65bc\u5916\u90e8\u7684\u4eba\u54e1\uff0c\u4f8b\u5982\uff1a\u5916\u90e8\u7684\u8edf\u9ad4\u516c\u53f8\uff0c\u6709\u5e6b\u6211\u5011\u516c\u53f8\u505a\u4e00\u4e9b\u5c08\u6848\u7684\u958b\u767c\uff0c\u9700\u8981\u9023\u5230\u6211\u5011\u516c\u53f8\u7684\u6e2c\u8a66\u74b0\u5883\uff0c\u90a3\u5c31\u53ef\u4ee5\u5c0d\u5916\u90e8\u7684\u4f7f\u7528\u8005\u505a\u4e00\u4e9bService \u6216\u6a5f\u5668\u7684\u8a2a\u554f\u9650\u5236\uff0c\u6e1b\u5c11\u4e00\u4e9b\u4e0d\u5fc5\u8981\u7684\u8cc7\u5b89\u98a8\u96aa\u3002<\/p>\n

\u5728\u9019\u500b\u61c9\u7528\u4e0a\uff0c\u5c0f\u745e\u6a21\u64ec\u5169\u500b\u7fa4\u7d44\uff0c\u4e00\u500b\u662fVIP \u7fa4\u7d44\uff0c\u4f7f\u752810.10.0.0\/24 \u7684\u7db2\u6bb5\uff0c\u53ef\u4ee5\u8a2a\u554f\u8890\u5bc6\u82b1\u5712\u7684\u6240\u6709\u670d\u52d9\uff1b\u53e6\u4e00\u500b\u7fa4\u7d44\u70ba Guest \u7fa4\u7d44\uff0c\u4f7f\u752810.20.0.0\/24\u7684\u7db2\u6bb5\uff0c\u53ea\u53ef\u4ee5\u8a2a\u554f\u8890\u5bc6\u82b1\u5712\u7684Web \u670d\u52d9\uff0c\u4e5f\u5c31\u662f\u53ea\u670980 port \u53ef\u4ee5\u8a2a\u554f\u3002<\/p>\n

\"OpenVPN<\/p>\n

\u8981\u5be6\u73fe\u9019\u500b\u4f5c\u696d\uff0c\u5fc5\u9808\u518d\u642d\u914diptables \u9019\u500b\u5de5\u5177\uff0c\u505a\u4e00\u4e9bIP , \u5c01\u5305\u7684\u9650\u5236\u3002
\n\u9996\u5148\uff0c\u5fc5\u9808\u4fee\u6539Server.conf \u7684\u8a2d\u5b9a:<\/p>\n

vi \/etc\/openvpn\/server.conf<\/code><\/p>\n

mode server
\ntls-server
\nport 1194
\nproto udp
\ndev tun
\nca \/etc\/openvpn\/easy-rsa\/2.0\/keys\/ca.crt
\ncert \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.crt
\nkey \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.key
\ndh \/etc\/openvpn\/easy-rsa\/2.0\/keys\/dh2048.pem
\npersist-key
\npersist-tun
\nifconfig 10.8.0.1 10.8.0.2
\npush \"route 10.8.0.1\"
\npush \"route 192.168.100.0 255.255.255.0\"
\nclient-config-dir ccd
\nroute 10.10.0.0 255.255.255.0
\nroute 10.20.0.0 255.255.255.0
\nccd-exclusive
\nkeepalive 10 120
\ntls-auth ta.key 0
\ncomp-lzo
\nstatus openvpn-status.log
\nlog openvpn.log
\nverb 3
\n<\/code><\/p><\/blockquote>\n

\u5176\u4e2d\u6bd4\u8f03\u91cd\u8981\u7684\u662f\u90a3\u500b ccd \uff0c\u5fc5\u9808\u5148\u5efa\u7acb\u597dccd \u7684\u76ee\u9304\uff0c\u9019\u500b\u76ee\u9304\u4e0b\uff0c\u6703\u91dd\u5c0d\u4e0d\u540c\u7684user \u767b\u5165\u6642\uff0c\u7d66\u4e88\u4e0d\u540c\u7684IP \uff0c\u4ee5\u5229\u5f8c\u9762\u505a\u76f8\u95dc\u7684\u9650\u5236\uff01<\/p>\n

mkdir \/etc\/openvpn\/ccd <\/code><\/p>\n

\u898f\u5283\u5982\u4e0b\uff1a<\/p>\n

client1 \u9019\u500buser \u767b\u5165\u6642\u8a2d\u5b9a\u70baVIP \u7fa4\u7d44\uff0c\u53d6\u5f97 10.10.0.5 \u7684IP
\nclient2 \u9019\u500buser \u767b\u5165\u6642\u8a2d\u5b9a\u70baGuest \u7fa4\u7d44\uff0c\u53d6\u5f97 10.20.0.5 \u7684IP<\/p><\/blockquote>\n

\u63a5\u8457\u5efa\u7acb client1 \u7684\u8a2d\u5b9a\u6a94:
\nvi \/etc\/openvpn\/ccd\/client1 <\/code><\/p>\n

ifconfig-push 10.10.0.5 10.10.0.6<\/p><\/blockquote>\n

\u63a5\u8457\u5efa\u7acb client2 \u7684\u8a2d\u5b9a\u6a94:
\nvi \/etc\/openvpn\/ccd\/client2 <\/code><\/p>\n

ifconfig-push 10.20.0.5 10.20.0.6<\/p><\/blockquote>\n

OpenVPN Server \u7684\u8a2d\u5b9a\u5b8c\u6210\uff0c\u63a5\u8457\u8981\u8a2d\u5b9a iptables \u9032\u884c\u5c01\u5305\u7684\u8f49\u9001\u53ca\u9650\u5236!
\n\u4fee\u6539\u4e00\u4e0b\u6211\u5011\u7684firewall.sh
\nvi \/etc\/openvpn\/firewall.sh <\/code><\/p>\n

#!\/bin\/bash
\necho \"1\" > \/proc\/sys\/net\/ipv4\/ip_forward
\nPRIVATE=192.168.100.0\/24
\nVIP=10.10.0.0\/24
\nGUEST=10.20.0.0\/24
\nLOOP=127.0.0.1<\/p>\n

iptables -P OUTPUT DROP
\niptables -P INPUT DROP
\niptables -P FORWARD DROP
\niptables -F<\/p>\n

iptables -P OUTPUT ACCEPT
\niptables -P INPUT DROP
\niptables -P FORWARD DROP<\/p>\n

iptables -A INPUT -i eth0 -s $LOOP -j DROP
\niptables -A FORWARD -i eth0 -s $LOOP -j DROP
\niptables -A INPUT -i eth0 -d $LOOP -j DROP
\niptables -A FORWARD -i eth0 -d $LOOP -j DROP<\/p>\n

#limit some ip traffic
\niptables -A FORWARD -p tcp -s $GUEST -d 192.168.100.100 --dport ! 80 -j DROP<\/p>\n

iptables -A INPUT -s $LOOP -j ACCEPT
\niptables -A INPUT -d $LOOP -j ACCEPT<\/p>\n

iptables -A INPUT -p udp --dport 1194 -j ACCEPT<\/p>\n

iptables -A INPUT -i tun+ -j ACCEPT
\niptables -A FORWARD -i tun+ -j ACCEPT
\niptables -A INPUT -i tap+ -j ACCEPT
\niptables -A FORWARD -i tap+ -j ACCEPT<\/p>\n

iptables -A INPUT -i eth1 -j ACCEPT
\niptables -A FORWARD -i eth1 -j ACCEPT<\/p>\n

# Keep state of connections from local machine and private subnets
\niptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
\niptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
\niptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
\niptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
\n<\/code><\/p><\/blockquote>\n

\u56e0\u70ba VIP \u7fa4\u7d44\uff0c\u53ef\u4ee5\u9032\u884c\u6240\u6709\u7684Service \u8a2a\u554f\uff0c\u6240\u4ee5\u5c31\u4e0d\u7279\u5225\u5beb\u5165firewall \u4e86\uff0c\u76f4\u63a5\u5beb\u5165\u9650\u5236\u689d\u4ef6\uff0c\u5982\u679c\u4f86\u6e90\u70baGUEST \u7684IP \uff0c\u76ee\u7684\u70baPRIVATE (192.168.100.0\/24)\uff0c\u4e14port \u4e0d\u662f 80(web) \u5247\u7981\u6b62\u9632\u554f\u3002<\/p>\n

firewall \u8a2d\u5b9a\u5b8c\u6210\u5f8c\uff0c\u91cd\u555fOpenVPN Server \u53ca \u65b0\u7684 firewall\u3002<\/p>\n

\/etc\/init.d\/openvpn restart <\/code>
\nsh \/etc\/openvpn\/firewall.sh <\/code><\/p>\n

\u63a5\u8457\u5148\u4f7f\u7528 client1 \u9023\u5165\u6211\u5011\u7684\u6e2c\u8a66VPN \u4e3b\u6a5f!<\/p>\n

\n\u767b\u5165 client1\uff0c\u540c\u6642\u5f97\u5230 10.10.0.5 IP\n<\/p><\/blockquote>\n

\"connect<\/p>\n

\"get<\/p>\n

\n\u6aa2\u8996\u4e00\u4e0b Route Table \uff0c\u679c\u7136\u4f7f\u7528 10.8.0.1 \u7576\u505a 192.168.100.100 \u7684GateWay\n<\/p><\/blockquote>\n

\"Route<\/p>\n

\n\u63a5\u8457\u4f7f\u7528Ping \u53ca Tracert \u6aa2\u8996\u4e00\u4e0b\u5230 192.168.100.100 \u7684\u8def\u5f91\u901a\u4e0d\u901a! (\u901a\u7684)\n<\/p><\/blockquote>\n

\"Ping<\/p>\n

\n\u63a5\u8457\u5728\u672c\u6a5f\u7aef\u4f7f\u7528SSH \u767b\u5165 192.168.100.100 \uff0c\u6210\u529f\u767b\u5165\uff0c\u4e0a\u6b21\u767b\u5165\u7684IP 10.10.0.5\n<\/p><\/blockquote>\n

\"Use<\/p>\n

\n\u63a5\u8457\u65bc\u672c\u6a5f\u7aef\u4f7f\u7528WWW\u670d\u52d9\uff0c\u53ef\u6210\u529f\u4f7f\u7528\uff0c\u986f\u793aIP \u70ba 10.10.0.5\n<\/p><\/blockquote>\n

\"Use<\/p>\n

\nclient1 \u7684\u6e2c\u8a66\u5df1\u7d93\u5b8c\u6210\uff0c\u65b7\u958bclient1 \u7684VPN \u9023\u7dda!\n<\/p><\/blockquote>\n

\"disconnect<\/p>\n

\n\u63a5\u8457\u505a client2 \u7684\u6e2c\u8a66\uff0c\u4f7f\u7528Client2 \u505a\u9023\u7dda\uff0c\u4e26\u6210\u529f\u53d6\u5f97 10.20.0.5 \u7684IP !\n<\/p><\/blockquote>\n

\"connect<\/p>\n

\"get<\/p>\n

\n\u4f7f\u7528 Client2 \u7684IP \u9032\u884cSSH \u9023\u7dda\uff0c\u7d50\u679c\uff0d\uff0d\u7121\u6cd5\u53d6\u5f97\u9023\u7dda!\n<\/p><\/blockquote>\n

\"can<\/p>\n

\n\u63a5\u8457\u4f7f\u7528WEB \u670d\u52d9\uff0c\u7d50\u679c\uff0c\u53ef\u4ee5\u6210\u529f\u9023\u5165Web Service \uff0c\u4e26\u986f\u793a\u9023\u5165IP \u70ba10.20.0.5\n<\/p><\/blockquote>\n

\"can<\/p>\n

\n\u7d9c\u5408\u4ee5\u4e0a\u7684\u6e2c\u8a66\u7d50\u679c\uff0c\u5c0f\u745e\u975e\u5e38\u6eff\u610f\uff0c\u5b8c\u6210\u4e86\u53e6\u4e00\u500b\u597d\u73a9\u7684\u4efb\u52d9\uff01\u57fa\u672c\u4e0a\u5404\u4f4d\u7db2\u53cb\u53ef\u4ee5\u81ea\u884c\u5ef6\u7533\uff0c\u81ea\u5df1\u6240\u9700\u6c42\u7684\u4e0d\u540cVPN User \u7fa4\u7d44\uff0c\u518d\u52a0\u4e0aiptables \u7684\u9650\u5236\uff0c\u61c9\u8a72\u53ef\u4ee5\u5be6\u73fe\u81ea\u5df1\u7279\u6b8a\u7684\u7fa4\u7d44\u9650\u5236\u529f\u80fd\uff01\n<\/p><\/blockquote>\n

\u81f3\u65bc\u672c\u7bc7\u7b46\u8a18\u539f\u672c\u8981\u505a\u5e33\u865f\u5bc6\u78bc\u8a8d\u8b49\u53ca\uff0cLog \u7684\u8a18\u9304\uff0c\u8981\u7559\u5f85\u4e0b\u4e00\u7bc7\u518d\u5beb\u4e86\uff0c\u4e0d\u597d\u610f\u601d\u5566!<\/p>\n

OpenVPN \u5efa\u7f6e\u7b46\u8a18(\u7b2c8\u96c6)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

\u7e3d\u7b97\u53c8\u53ef\u4ee5\u4f86\u5beb\u6211\u7684OpenVPN \u4e86\uff0c\u81ea\u5f9e\u4e0a\u4e00\u6b21\u5beb\u4e86OpenVPN(1-6)\u96c6\uff0c\u7372\u5f97\u4e86\u5ee3\u5927\u7db2\u53cb\uff0c\u4e0d\u932f\u7684\u8ff4\u97ff\u3002\u672c […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,24],"tags":[92,72,123],"class_list":["post-1347","post","type-post","status-publish","format-standard","hentry","category-mistech","category-mistech-net","tag-centos-5-4","tag-open-vpn","tag-openvpn"],"_links":{"self":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1347"}],"version-history":[{"count":24,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1347\/revisions"}],"predecessor-version":[{"id":1580,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1347\/revisions\/1580"}],"wp:attachment":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}