Jamyy's Weblog

在 CentOS 6 架設 OpenVPN Server

by Jamyy on 九月.03, 2013, under Linux

目的: 架設 OpenVPN Server, 讓電腦與 Android 裝置都能透過 VPN Server 上網
Server: CentOS 6.4 x86_64, OpenVPN 2.2.2 (yum installed from RPMForge)
Client: Ubuntu / Linux Mint, Windows 7, Android 4.0 以上

OpenVPN Server 假設網路環境

  • LAN IP: 192.168.1.1
  • LAN Gateway: 192.168.1.254
  • Internet IP: 123.123.123.123

OpenVPN Server 網路環境設定

for TUN mode

說明: 所有 OpenVPN Client -- 包括 Android 裝置 -- 都能以 TUN mode 連線

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

# sysctl -p
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# service iptables save

for TAP mode

說明: 可以讓 VPN Client 取得 VPN Server LAN IP 同網段 IP, Android 裝置無法以 TAP mode 連線

# yum install bridge-utils
# cd /etc/sysconfig/network-scripts
# vi ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
BOOTPROTO=none
BRIDGE=br0

# vi ifcfg-br0

DEVICE=br0
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.1.1
NETMASK=255.255.255.0
GATEWAY=192.168.1.254

# service network restart

OpenVPN Server 安裝與設定

# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
# yum --disablerepo=epel install openvpn
# cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
# vi /etc/openvpn/server.conf

# TUN mode

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

說明:

  • dev tun - 設定 OpenVPN Server 使用 TUN mode
  • server 10.8.0.0 255.255.255.0 - VPN Client 的虛擬網段
  • push "redirect-gateway def1 bypass-dhcp" - 讓 VPN Client 透過 VPN Server 上網
# TAP mode

port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server-bridge 192.168.1.1 255.255.255.0 192.168.1.201 192.168.1.210
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

說明:

  • dev tap0 - 設定 OpenVPN Server 為 TAP mode 且固定使用 tap0
  • server-bridge 192.168.1.1 255.255.255.0 192.168.1.201 192.168.1.210 - 填入 VPN Server LAN IP, LAN 遮罩; 最後兩個欄位是分配給 VPN Client 的 IP 範圍
  • push "redirect-gateway def1 bypass-dhcp" - 讓 VPN Client 透過 VPN Server 上網

TAP mode 需要的額外設置

# cd /etc/openvpn
# cp /usr/share/doc/openvpn-*/sample-scripts/bridge-* ./
# mv bridge-start openvpn-startup
# mv bridge-stop openvpn-shutdown
# chmod 775 openvpn-*

編輯 IP 設定, 並取消 brctl 控制
# vi openvpn-startup

#!/bin/sh

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.1.1"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

for t in $tap; do
    openvpn --mktun --dev $t
done

#brctl addbr $br
#brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

取消 brctl 控制
# vi openvpn-shutdown

!/bin/sh

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

#ifconfig $br down
#brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done

準備配置金鑰
# cp -R /usr/share/doc/openvpn-*/easy-rsa/2.0 /etc/openvpn/easy-rsa
# cd /etc/openvpn/easy-rsa
# ln -s openssl-1.0.0.cnf openssl.cnf
# chmod +x build-* clean-all pkitool whichopensslcnf
# vi vars

export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Taipei"
export KEY_ORG="My Company, Inc."
export KEY_EMAIL="root@mycompany.com"
export KEY_CN=""
export KEY_NAME=""
export KEY_OU=""
export PKCS11_MODULE_PATH=""
export PKCS11_PIN=""

# source ./vars
# ./clean-all

產生 CA
# ./build-ca

Common Name: vpn.server.hostname
其餘均按 Enter 接受預設值或自由填入內容
** Common Name 不一定要填入真正的 hostname, 此欄位與 VPN 連線時的驗證無關

產生 Server 金鑰
# ./build-key-server server

過程均按 Enter 接受預設值或自由填入內容
Sign the certificate? [y/n] 回答 y
1 out of 1 certificate requests certified, commit? [y/n] 回答 y

產生 dh1024.pem
# ./build-dh

產生 ta.key
# openvpn --genkey --secret keys/ta.key

產生 Client 金鑰
# ./build-key-pass client-test

Enter PEM pass phrase: 輸入金鑰密碼
Verifying - Enter PEM pass phrase: 再次輸入金鑰密碼以確認內容無誤
接下來的過程均按 Enter 接受預設值或自由填入內容
Sign the certificate? [y/n] 回答 y
1 out of 1 certificate requests certified, commit? [y/n] 回答 y
** 此密碼會在 Client 裝置進行 OpenVPN 連線時用到

啟動 OpenVPN 服務
# service openvpn start

讓 OpenVPN 服務於開機時自動啟動
# chkconfig openvpn on

OpenVPN Client 操作

Ubuntu & Linux Mint

$ mkdir ~/.openvpn
$ cd ~/.openvpn

取得 OpenVPN Server 上的 ca.crt, ta.key, client-test.crt, client-test.key, 置入 ~/.openvpn

$ sudo apt-get install openvpn
$ cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ./
$ vi client.conf

client
dev tun
proto udp
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client-test.crt
key client-test.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3

$ sudo openvpn --config client.conf

Windows 7

  1. 取得並安裝 OpenVPN Windows Installer
  2. 過程均接受預設值, 直接按下一步即可
  3. 出現 "您要安裝此裝置軟體嗎?", 回答 "安裝(I)"
  4. 將 OpenVPN Server 上的 ca.crt, ta.key, client-test.crt, client-test.key 複製到 C:\Program Files\OpenVPN\config 目錄下
  5. 將 C:\Program Files\OpenVPN\sample-config\client.ovpn 複製到 C:\Program Files\OpenVPN\config\
  6. 修改 C:\Program Files\OpenVPN\config\client.ovpn
    client
    dev tun
    proto udp
    remote 123.123.123.123 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client-test.crt
    key client-test.key
    ns-cert-type server
    tls-auth ta.key 1
    comp-lzo
    verb 3
    
  7. 以系統管理員身份執行桌面上的 OpenVPN GUI
  8. 雙擊工作列上的 OpenVPN 圖示開始進行連線

Android (最低版本需求 4.0 以上)

  1. 在 Google Play 搜尋 openvpn connect 或直接從網頁安裝 OpenVPN Connect
  2. 將 OpenVPN Server 上的 ca.crt, ta.key, client-test.crt, client-test.key 與 client.ovpn (由 client.conf 更名) 複製到手機某目錄下. OpenVPN Server 的 client.conf 範本在 /usr/share/doc/openvpn-2.2.2/sample-config-files/client.conf, 須先修改 client.conf 內容並更名為 client.ovpn 再放入 Android 裝置內
  3. 執行 OpenVPN Connect, menu → Import → Import Profile from SD card → 點入剛剛存入資料的目錄, 選取 client.ovpn
  4. 輸入 Private Key Password
  5. 點選 Connect 進行連線

在 OpenVPN Server 產生新 Client 金鑰

# cd /etc/openvpn/easy-rsa
# source ./vars
# ./build-key-pass client-UserA
# ./build-key-pass client-UserB

在 OpenVPN Server 取消某 Client 金鑰

# cd /etc/openvpn/easy-rsa
# sh ./revoke-full client-test
# vi ../server.conf

crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

# service openvpn restart

以後只要進入 /etc/openvpn/easy-rsa 執行 revoke-all 指定金鑰即可立即生效, 毋需再編輯 server.conf, 亦不用再重新啟動 openvpn 服務

讓 OpenVPN Client 可以確實連入 Server 端其他 LAN-to-LAN VPN

假設 Server 端網路環境尚有 192.168.2.0/24 網段的 LAN-to-LAN VPN
如果 Client 所在網路環境剛好是 192.168.2.0/24, 連上 OpenVPN 後若要存取 Server 端的 192.168.2.0/24
除了手動調整 Client PC 的 routing table 之外, 可在 OpenVPN 進行設置以下內容使其連線後自動變更路由:

# vi /etc/openvpn/server.conf

push "route 192.168.2.0 255.255.255.0"

# service openvpn restart



2015-10-04 補充: 變更 client 金鑰密碼

# openssl rsa -des3 -in client.key -out client-new.key

Ref: Change the passphrase on an OpenVPN key



2016-04-10 補充: logrotate 設置

# vi /etc/logrotate.d/openvpn

/var/log/openvpn.log {
    missingok
    notifempty
    weekly
    copytruncate
    create 0600 root root
}


:, ,