{"id":1608,"date":"2017-06-06T18:38:23","date_gmt":"2017-06-06T10:38:23","guid":{"rendered":"http:\/\/blog.nuface.tw\/?p=1608"},"modified":"2017-06-13T19:40:51","modified_gmt":"2017-06-13T11:40:51","slug":"openvpn-%e5%bb%ba%e7%bd%ae%e7%ad%86%e8%a8%98%e7%ac%ac9%e9%9b%86","status":"publish","type":"post","link":"https:\/\/blog.nuface.tw\/?p=1608","title":{"rendered":"OpenVPN \u5efa\u7f6e\u7b46\u8a18(\u7b2c9\u96c6)"},"content":{"rendered":"

\u6700\u5f8c\u4e00\u96c6\u4e86\uff0csite to site \u7684VPN\u5efa\u7f6e\u3002\u9019\u500bOpenVPN \u5beb\u4e86\u597d\u591a\u5e74\uff0c\u7e3d\u7b97\u5beb\u5230\u6700\u5f8c\u4e00\u7bc7\u3002<\/p>\n


\n\"OpenVPN
\nLogo Ref Open VPN Project <\/a>
\n\u524d\u60c5\u63d0\u8981\uff1aOpenVPN \u5efa\u7f6e\u7b46\u8a18(\u7b2c8\u96c6)<\/a><\/p>\n

\u9019\u500b\u770b\u5b8c\u5f8c\uff0c\u670b\u53cb\u61c9\u8a72\u6703\u81ea\u5df1\u5efa\u7acbsite to site \u7684VPN \u4e86\u3002<\/p>\n

\n\uff11\uff0e\u5169\u5730Server \u5efa\u7acb\u8d77VPN \u9023\u7dda\u3002
\n\uff12\uff0e\u5169\u5730Server \u5167\u7684\u5404\u81eaUser \u53ef\u4ee5\u76f4\u63a5\u4e92\u76f8\u8a2a\u554f\uff0c\u4e0d\u7528\u505aNAT\uff0c\u53ef\u76f4\u63a5\u4f7f\u7528User \u79c1\u6709IP\u3002\n<\/p><\/blockquote>\n

\u5148\u898f\u5283\u4e00\u4e0b\u5169\u5730\u7684\u72c0\u6cc1<\/p>\n

\"site<\/p>\n

Site A <\/p>\n

\n\u5323\u9053\u5668\u4f7f\u7528 xx.xx.xx.xx IP \u4e0a\u3000internet
\n\u4f7f\u7528\u8005\u5167\u90e8\u7db2\u6bb5 192.168.2.0 \/ 24\n<\/p><\/blockquote>\n

Site B <\/p>\n

\n\u5323\u9053\u5668\u4f7f\u7528 yy.yy.yy.yy IP \u4e0a\u3000internet
\n\u4f7f\u7528\u8005\u5167\u90e8\u7db2\u6bb5 192.168.0.0 \/ 24\n<\/p><\/blockquote>\n

\u5169\u7aef\u5323\u9053\u5668\u7cfb\u7d71\u4f7f\u7528 CentOS 7 , \u57fa\u672c\u5b89\u88dd\uff0c\u4e4b\u5f8c\u52a0\u5b89\u88dd OpenVPN<\/p>\n

yum install openvpn<\/p><\/blockquote>\n

\u9810\u8a08\u4f7f\u7528\u975c\u614b\u91d1\u9470\u5efa\u7acbSite to Site VPN <\/p>\n

\uff11\u3002\u5148\u7522\u751f\u4e00\u500b\u975c\u614b\u91d1\u9470\uff0c\u5728\u4efb\u4f55\u4e00\u53f0\u5323\u9053\u5668\u4e0a\u505a\u90fd\u53ef\u4ee5<\/p>\n

openvpn –genkey –secret server.key<\/p><\/blockquote>\n

\u7528\u975c\u614b\u91d1\u9470\u7684\u539f\u56e0\uff0c\u7b2c\uff11\u500b\u662f\u6bd4\u8f03\u7c21\u55ae\uff0c\u7b2c\uff12\u500b\u662f\u5982\u679c\u7528\u4ea4\u63e1\u5354\u5b9a\u7684\u8a71\uff0c\u5728\u4e2d\u570b\u99ac\u4e0a\u88ab\u5c01\u3002\u5c01\u7684\u65b9\u6cd5\u5982\u540c\u5c01Tor \u4e00\u6a23\u3002<\/p>\n

\uff12\u3002\u4ee5Site A \u7576Server \u7531Site B \u7576Client \uff0c\u53cd\u904e\u4f86\u4e5f\u53ef\u4ee5\uff0c\u5728site A \u4e0a\u914d\u7f6e\u8a2d\u5b9a\u6a94\u5982\u4e0b\uff1a \/etc\/openvpn\/server.conf<\/p>\n

\n

port 32592
\nproto udp
\ndev tun
\nsecret \/etc\/openvpn\/server.key
\nmanagement 127.0.0.1 1192
\nifconfig 10.20.0.53 10.20.0.54
\nkeepalive 10 60
\nping-timer-rem
\npersist-tun
\npersist-key
\ncomp-lzo
\nstatus \/etc\/openvpn\/server-status.log
\nlog \/etc\/openvpn\/server.log
\nverb 3
\nuser nobody
\ngroup nobody
\ndaemon<\/p>\n<\/blockquote>\n

\u555f\u52d5openvpn servcie<\/p>\n

openvpn \/etc\/openvpn\/server.conf<\/p><\/blockquote>\n

port \u914d\u7f6e 32592 \u539f\u56e0\u662f\u5e0c\u671b\u907f\u958b\u5e38\u898f\u76841194\uff0c\u4e0d\u7136\u5f88\u5bb9\u6613\u88ab\u64cb\u3002<\/p>\n

\u57f7\u884c\u5f8c\u4f60\u6703\u5728\u672c\u6a5f\u7aef\u591a\u4e00\u7d44P to P \u7684IP , Site A \u70ba 10.20.0.53 , Site B \u70ba 10.20.0.54 <\/p>\n

\ntun6 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
\n inet addr:10.20.0.53 P-t-P:10.20.0.54 Mask:255.255.255.255
\n UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
\n RX packets:1180651 errors:0 dropped:0 overruns:0 frame:0
\n TX packets:1155735 errors:0 dropped:0 overruns:0 carrier:0
\n collisions:0 txqueuelen:100
\n RX bytes:267695242 (255.2 MiB) TX bytes:76398543 (72.8 MiB)\n<\/p><\/blockquote>\n

3.Site A \u9632\u706b\u7246\u8a2d\u5b9a\u3000<\/p>\n

\n\u91cd\u8981\u7684
\necho “1” > \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n

iptables -t filter -I INPUT -s yy.yy.yy.yy -p udp –port 33592 -j ACCEPT
\niptables -t filter -I FORWARD -s 192.168.2.0\/24 -d 192.168.0.0\/24 -j ACCEPT
\niptables -t nat -I POSTROUTING -d 192.168.0.0\/24 -j ACCEPT<\/p>\n

\u5176\u5b83\u7684\u8996\u81ea\u5df1\u9700\u6c42\u52a0\u5165\n<\/p><\/blockquote>\n

4.Site A \u8def\u7531\u7684\u8a2d\u5b9a<\/p>\n

\n\u91cd\u8981\u7684\uff0c\u5c07\u8981\u5230192.168.0.0\/24 \u7db2\u6bb5\u7684\u5c01\u5305\uff0c\u4ea4\u7531 10.20.0.54 \u50b3\u9001<\/p>\n

route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.20.0.54<\/p>\n

\u5176\u5b83\u7684\u8996\u81ea\u5df1\u9700\u6c42\u52a0\u5165\n<\/p><\/blockquote>\n

5.Site B VPN \u8a2d\u5b9a\u3002\/etc\/openvpn\/client.conf<\/p>\n

\n

dev tun
\nproto udp
\nremote xx.xx.xx.xx 32592
\nport 32094
\nsecret \/etc\/openvpn\/server.key
\nifconfig 10.20.0.54 10.20.0.53
\nresolv-retry infinite
\nnobind
\ncomp-lzo
\nstatus \/etc\/openvpn\/client-status.log
\nlog \/etc\/openvpn\/client.log
\nverb 3
\nkeepalive 10 60
\nping-timer-rem
\npersist-tun
\npersist-key
\nuser nobody
\ngroup nobody
\ndaemon<\/p>\n<\/blockquote>\n

\u8a18\u5f97\u5c07\u7b2c\uff11\u6b65\u7522\u751f\u7684key , \u8907\u5236\u5230Site B \u7684\u6a5f\u5668\u4e0a\u3002
\n\u555f\u52d5OpenVPN <\/p>\n

openvpn \/etc\/openvpn\/client.conf<\/p><\/blockquote>\n

\u57f7\u884c\u5f8c\u4f60\u6703\u5728\u672c\u6a5f\u7aef\u591a\u4e00\u7d44P to P \u7684IP , Site A \u70ba 10.20.0.53 , Site B \u70ba 10.20.0.54 <\/p>\n

\ntun6 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
\n inet addr:10.20.0.53 P-t-P:10.20.0.54 Mask:255.255.255.255
\n UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
\n RX packets:1180651 errors:0 dropped:0 overruns:0 frame:0
\n TX packets:1155735 errors:0 dropped:0 overruns:0 carrier:0
\n collisions:0 txqueuelen:100
\n RX bytes:267695242 (255.2 MiB) TX bytes:76398543 (72.8 MiB)\n<\/p><\/blockquote>\n

6.Site B \u9632\u706b\u7246\u8a2d\u5b9a\u3000<\/p>\n

\n\u91cd\u8981\u7684
\necho “1” > \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n

iptables -t filter -I FORWARD -s 192.168.0.0\/24 -d 192.168.2.0\/24 -j ACCEPT
\niptables -t nat -I POSTROUTING -d 192.168.2.0\/24 -j ACCEPT<\/p>\n

\u5176\u5b83\u7684\u8996\u81ea\u5df1\u9700\u6c42\u52a0\u5165\n<\/p><\/blockquote>\n

7.Site B \u8def\u7531\u7684\u8a2d\u5b9a<\/p>\n

\n\u91cd\u8981\u7684\uff0c\u5c07\u8981\u5230192.168.2.0\/24 \u7db2\u6bb5\u7684\u5c01\u5305\uff0c\u4ea4\u7531 10.20.0.53 \u50b3\u9001<\/p>\n

route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.20.0.53<\/p>\n

\u5176\u5b83\u7684\u8996\u81ea\u5df1\u9700\u6c42\u52a0\u5165\n<\/p><\/blockquote>\n

\u57fa\u672c\u4e0a\u5df1\u7d93\u5b8c\u6210Site to Site VPN \u7684\u8a2d\u5b9a\uff0c\u53ef\u4ee5\u76f4\u63a5\u9023\u901a 192.168.0.0\/24 \u8ddf 192.168.2.0\/24 \u7684\u7db2\u6bb5\u3002<\/p>\n

\u5728\u9019\u908a\u4f7f\u7528OpenVPN\u9023\u901a\u5169\u500b\u5323\u9053\uff0c\u5176\u5be6\u5f88\u7c21\u55ae\uff0c\u6bd4\u8f03\u8981\u6ce8\u610f\u7684\u662f\uff0c\u9632\u706b\u7246\u53ca\u8def\u7531\u7684\u8a2d\u5b9a\uff0c\u5728\u9019\u88cf\u53ea\u505a\u7c21\u55ae\u7684\u6f14\u793a\uff0c\u6709\u6167\u6839\u7684\u7db2\u53cb\uff0c\u61c9\u8a72\u53ef\u4ee5\u5f88\u5feb\u4e0a\u624b\u3002<\/p>\n

\u5728\u76ee\u524d\u5c0f\u745e\u5be6\u969b\u74b0\u5883\u4e0a\uff0c\u81f3\u5c11\uff16\u500b\u8fa6\u516c\u5730\u9ede\uff0c\u904b\u7528\u9019\u7a2e\u65b9\u5f0f\u4e92\u76f8\u9023\u901a\u3002\u4e5f\u53ea\u662f\u8def\u7531\u6bd4\u8f03\u8907\u96dc\u800c\u5df1\uff0c\u904b\u4f5c\u4e0a\u771f\u7684\u975e\u5e38\u7a69\u5b9a\uff0c\u771f\u5fc3\u63a8\u85a6\u5927\u5bb6\u4f7f\u7528\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

\u6700\u5f8c\u4e00\u96c6\u4e86\uff0csite to site \u7684VPN\u5efa\u7f6e\u3002\u9019\u500bOpenVPN \u5beb\u4e86\u597d\u591a\u5e74\uff0c\u7e3d\u7b97\u5beb\u5230\u6700\u5f8c\u4e00\u7bc7\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,24],"tags":[123,150],"class_list":["post-1608","post","type-post","status-publish","format-standard","hentry","category-mistech","category-mistech-net","tag-openvpn","tag-site-to-site"],"_links":{"self":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1608"}],"version-history":[{"count":14,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1608\/revisions"}],"predecessor-version":[{"id":1741,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=\/wp\/v2\/posts\/1608\/revisions\/1741"}],"wp:attachment":[{"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.nuface.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}