Linux-Based OpenVPN Network Architecture: Application Example (1)

1. Case Requirements Analysis

This case is based on RHEL5 and Windows XP environments. Across the untrusted Internet, it establishes secure SSL VPN connections between two geographically separated LANs and a remote network-management workstation (as shown in Figure 8.2).

The gateway servers of the Beijing headquarters and the Shanghai branch both run RHEL5, and each needs OpenVPN configured so that the two remote LANs, LAN1 and LAN2, are connected. In addition, a network-management workstation located on the Internet runs Windows XP and needs to reach the headquarters LAN1 and the Shanghai branch LAN2 at any time through the VPN secure tunnel.

Figure 8.2 Linux-based OpenVPN network: OpenVPN remote virtual private network architecture

Based on these requirements, the Beijing headquarters gateway server GW1 is configured in VPN Server mode, while the Shanghai gateway server GW2 and the Internet management workstation PC1 both run in VPN Client mode. Two point-to-point SSL VPN secure tunnels are then established: "GW1 <----> GW2" and "GW1 <----> PC1".

Since the details of the Internet are not the focus of this case, the public IP addresses of GW1 and GW2 are simulated with and 173.74.75.77 respectively. The other network interface addresses are set as follows:

- The internal interface IP addresses of GW1 and GW2 are and respectively

- GW1 <----> GW2 tunnel: uses the virtual IP addresses and respectively

- GW1 <----> PC1 tunnel: uses the virtual IP addresses and respectively

In addition, the client hosts on the two LANs need their IP address, default gateway and other parameters set correctly:

- LAN1 hosts use the network segment, with the default gateway set to

- LAN2 hosts use the network segment, with the default gateway set to

2. Configuring the GW1 <----> GW2 Tunnel Connection

This section describes how to create the first SSL VPN tunnel, connecting the GW1 and GW2 servers so that the Beijing and Shanghai LANs (LAN1 and LAN2) are securely interconnected.



A. Configure the Internet connection, SNAT and route forwarding

1) Configure IP addresses

The eth0 interface (used to connect to the Internet, the eth1 interface (used to connect


2) Enable routing and SNAT translation

[root@gw1 ~]# vim /opt/gw1_nat.sh

sysctl -w net.ipv4.ip_forward=1

/sbin/iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to-source

[root@gw1 ~]# chmod a+x /opt/gw1_nat.sh

[root@gw1 ~]# echo "/opt/gw1_nat.sh" >> /etc/rc.local

[root@gw1 ~]# /opt/gw1_nat.sh

net.ipv4.ip_forward = 1

[root@gw1 ~]# sysctl -p

B. Install the OpenVPN service

[root@gw1 soft_dir]# tar zxvf lzo-2.03.tar.gz

[root@gw1 soft_dir]# cd lzo-2.03

[root@gw1 lzo-2.03]# ./configure && make && make install

[root@gw1 lzo-2.03]# cd ../

[root@gw1 soft_dir]# tar zxvf openvpn-2.0.9.tar.gz

[root@gw1 soft_dir]# cd openvpn-2.0.9

[root@gw1 openvpn-2.0.9]# ./configure && make && make install

[root@gw1 ~]# cd /soft_dir/

[root@gw1 soft_dir]# cp -p openvpn-2.0.9/sample-scripts/openvpn.init /etc/init.d/openvpn

[root@gw1 soft_dir]# chmod +x /etc/init.d/openvpn

[root@gw1 soft_dir]# chkconfig --add openvpn

[root@gw1 soft_dir]# chkconfig --level 2345 openvpn on

C. Create certificate and key files

The certificate and key files are used to authenticate the point-to-point peers and so strengthen security. To reduce the complexity of creating keys, the easy-rsa/ directory shipped in the OpenVPN source package can be used; it contains a set of simple, easy-to-use scripts (see the file openvpn-2.0.9/easy-rsa/README).

3) Configure the environment variables

Edit the easy-rsa/vars file and adjust the predefined variables to suit the actual situation, or keep the defaults. In the subsequent



[root@gw1 ~]# cd /soft_dir/openvpn-2.0.9/easy-rsa/

[root@gw1 easy-rsa]# vim vars

export D=`pwd`

export KEY_CONFIG=$D/openssl.cnf

export KEY_DIR=$D/keys

echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

export KEY_SIZE=1024

export KEY_COUNTRY=CN // the values in bold are changed to suit the specific deployment

export KEY_PROVINCE=BeiJing

export KEY_CITY=BeiJing

export KEY_ORG="BENET.Inc"

export KEY_EMAIL="vpnadm@benet.com"

[root@gw1 easy-rsa]# source vars // execute the code in the vars file

NOTE: when you run ./clean-all, I will be doing a rm -rf on /soft_dir/openvpn-2.0.9/easy-rsa/keys

[root@gw1 easy-rsa]# ./clean-all // clear the $KEY_DIR directory beforehand

4) Create the CA certificate

Run the ./build-ca script to create the CA certificate file. Following the script's prompts, set the country code, province, city, company name and other information; the "Common Name" field, for example, can be set to the FQDN of GW1. The key files created in the following steps are issued under this CA file.

[root@gw1 easy-rsa]# ./build-ca

Generating a 1024 bit RSA private key



writing new private key to 'ca.key'


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [CN]:

State or Province Name (full name) [BeiJing]:

Locality Name (eg, city) [BISHKEK]:

Organization Name (eg, company) [BENET.Inc]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:gw1.benet.com

Email Address [vpnadm@benet.com]:

5) Create the dh (Diffie-Hellman) parameter file

Run the ./build-dh script to create the dh file.

[root@gw1 easy-rsa]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2

This is going to take a long time


6) Create the GW1 main server key

Run the ./build-key-server script to create the VPN server key file. Set the Common Name (gw1.benet.com) as prompted, then press "y" in turn to sign (Sign) and commit (Commit) the certificate.

[root@gw1 easy-rsa]# ./build-key-server gw1

Generating a 1024 bit RSA private key



writing new private key to 'gw1.key'


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [CN]:

State or Province Name (full name) [BeiJing]:

Locality Name (eg, city) [BISHKEK]:

Organization Name (eg, company) [BENET.Inc]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:gw1.benet.com

Email Address [vpnadm@benet.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /soft_dir/openvpn-2.0.9/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BeiJing'


organizationName :PRINTABLE:'BENET.Inc'

commonName :PRINTABLE:'gw1.benet.com'

emailAddress :IA5STRING:'vpnadm@benet.com'

Certificate is to be certified until Jul 12 02:42:17 2020 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

7) Create the GW2 peer server key

Run the ./build-key script to create the VPN client key file. In the same way, set the Common Name (gw2.benet.com) as prompted, then press "y" in turn to sign (Sign) and commit (Commit).

[root@gw1 easy-rsa]# ./build-key gw2

Generating a 1024 bit RSA private key



writing new private key to 'gw2.key'


You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.


Country Name (2 letter code) [CN]:

State or Province Name (full name) [BeiJing]:

Locality Name (eg, city) [BISHKEK]:

Organization Name (eg, company) [BENET.Inc]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:gw2.benet.com

Email Address [vpnadm@benet.com]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /soft_dir/openvpn-2.0.9/easy-rsa/openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'BeiJing'


organizationName :PRINTABLE:'BENET.Inc'

commonName :PRINTABLE:'gw2.benet.com'

emailAddress :IA5STRING:'vpnadm@benet.com'

Certificate is to be certified until Jul 12 02:44:30 2020 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated


When creating keys with the ./build-key script, different clients must not share the same "Common Name".

8) Generate the tls-auth key

The tls-auth key provides an additional layer of verification for point-to-point VPN connections; if this option is used, both the server and the client must hold the key file.

The openvpn command with the "--genkey --secret" options creates the ta key file.

[root@gw1 easy-rsa]# openvpn --genkey --secret keys/ta.key

9) Move the keys/ folder containing the files above to the /etc/openvpn/ directory

[root@gw1 easy-rsa]# mkdir -p /etc/openvpn/

[root@gw1 easy-rsa]# mv keys/ /etc/openvpn/

D. Create the main server configuration file

In the server configuration file, specify Server mode, listening on the default UDP port 1194, with the tun0 device as the virtual interface. The sample configuration in the OpenVPN source directory (openvpn-2.0.9/sample-config-files/server.conf) can be used as a reference.

[root@gw1 ~]# vim /etc/openvpn/gw1_tun0.conf

local // specify the IP address the service listens on

port 1194 // open the default port 1194 for the first tunnel

proto udp

dev tun // use the SSL tunnel (tun) VPN mode

ca keys/ca.crt

cert keys/gw1.crt

key keys/gw1.key

dh keys/dh1024.pem

server // use server mode and specify the VPN virtual network address

ifconfig-pool-persist ipp.txt

push "route" // push the route to the LAN1 segment to GW2

push "route" // push the route to PC1 to GW2

push "dhcp-option DNS" // set the DNS server address for clients

route // add the route to the LAN2 segment on GW1

client-config-dir ccd // allow client configuration files in the ccd/ directory to be read

keepalive 10 120

tls-auth keys/ta.key 0 // specify the tls-auth key

cipher BF-CBC // the cipher must match the client's setting


max-clients 100 // maximum number of concurrent VPN connections allowed

user nobody

group nobody



status openvpn-status.log

log-append openvpn.log

verb 3

mute 20

E. Create the ccd configuration file for GW2

[root@gw1 ~]# mkdir -p /etc/openvpn/ccd

[root@gw1 ~]# cd /etc/openvpn/ccd/ // create a separate configuration file for the peer server GW2

[root@gw1 ccd]# vim gw2.benet.com

iroute // declare the LAN2 subnet behind GW2

ifconfig-push // specify GW2's local address (tun0) and peer address (P-t-P)
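The server file and the ccd file above only work together when their directives agree: each "route" on the server needs a matching "iroute" in some ccd file (the kernel route sends packets into tun0, the iroute tells OpenVPN which client owns that subnet), the "ifconfig-push" addresses must lie inside the "server" pool, and "client-config-dir" must be present or ccd/ is never read. The following Python check is an added example, not part of the original text; all addresses in it are constructed sample values.

```python
import ipaddress

# Constructed sample server config modelled on gw1_tun0.conf (made-up addresses).
SERVER_CONF = """
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.2.0 255.255.255.0
client-config-dir ccd
"""
# Constructed sample ccd/ entries, keyed by the client certificate's Common Name.
CCD = {
    "gw2.benet.com": "iroute 192.168.2.0 255.255.255.0\nifconfig-push 10.8.0.6 10.8.0.5\n",
}

def parse_directives(text):
    """Return (directive, args) pairs; blanks, '#' comments and quotes are dropped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()
            out.append((parts[0], parts[1:]))
    return out

def check_site_to_site(server_text, ccd_files):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    server = parse_directives(server_text)
    pool, routes, iroutes = None, set(), set()
    for d, a in server:
        if d == "server":
            pool = ipaddress.ip_network(f"{a[0]}/{a[1]}")
        elif d == "route":
            routes.add(ipaddress.ip_network(f"{a[0]}/{a[1]}"))
    if not any(d == "client-config-dir" for d, _ in server):
        problems.append("server: ccd/ is never read without client-config-dir")
    for cn, text in ccd_files.items():
        for d, a in parse_directives(text):
            if d == "iroute":
                iroutes.add(ipaddress.ip_network(f"{a[0]}/{a[1]}"))
            elif d == "ifconfig-push" and pool is not None:
                for addr in a[:2]:
                    if ipaddress.ip_address(addr) not in pool:
                        problems.append(f"{cn}: ifconfig-push {addr} outside {pool}")
    # route without iroute: OpenVPN cannot map tun0 packets to a client; the reverse never reaches tun0.
    for net in routes - iroutes:
        problems.append(f"route {net} has no matching iroute in any ccd file")
    for net in iroutes - routes:
        problems.append(f"iroute {net} has no matching route on the server")
    return problems
```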

F. Start the OpenVPN service

[root@gw1 ~]# service openvpn start

正在啟動 openvpn: [確定]

[root@gw1 ~]# netstat -anp | grep openvpn

udp 0 0* 11220/openvpn


