OpenVPN Example

OpenVPN sample documentation: a site-to-site setup that links the IDC network to the office networks over TAP tunnels, with one client certificate per site.

1. Server deployment

  1. Install the software package

    sudo apt-get install openvpn
    
  2. Generate certificates

    # cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
    # cd /etc/openvpn/easy-rsa/2.0/
    # . ./vars                   # load the easy-rsa settings; clean-all and the build-* scripts refuse to run without it
    # ./clean-all                # wipes keys/; run it once, before the first build
    # ./build-ca                 # fill in the prompts; creates the root CA certificate
    # ./build-key-server server  # fill in the prompts; creates the server certificate and key
    # ./build-key shanghai       # client certificate for Shanghai
    # ./build-key shenzhen       # client certificate for Shenzhen
    # ./build-key other          # spare client certificate
    # ./build-dh                 # writes keys/dh<KEY_SIZE>.pem; KEY_SIZE in vars must be 2048 for the file name used below
    # openvpn --genkey --secret keys/ta.key   # generates the tls-auth HMAC key
    # cp keys/server.crt keys/server.key keys/dh2048.pem keys/ca.crt keys/ta.key /etc/openvpn/

    Separate keys are created so that connections can be told apart by site and each site can be given a fixed IP. The Common Name (eg, your name or your server's hostname) must be unique: no two clients may share one, and no client may reuse the server's, because the easy-rsa CA index refuses to sign a second certificate with a subject it already holds and generation fails. server.key never leaves the server; each site receives only ca.crt, its own <site>.crt and <site>.key, and ta.key.
      
  3. Service configuration

    # vi /etc/openvpn/server.conf   # create the configuration file
    port 1195
    proto udp
    dev tap
    ca ca.crt
    cert server.crt
    key server.key # This file should be kept secret
    dh dh2048.pem
    server 10.10.101.0 255.255.255.248
    ifconfig-pool-persist ipp.txt
    push "route 192.168.1.0 255.255.255.0"
    client-config-dir ccd
    keepalive 10 120
    tls-auth ta.key 0
    comp-lzo
    user nobody
    group nogroup # Debian/Ubuntu have no "nobody" group and OpenVPN exits at startup if the group does not exist; use "group nobody" on RHEL-family systems
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

    # vi /etc/openvpn/ipp.txt   # seed the client address assignments, one "CN,IP" line per client
    shanghai,10.10.101.2
    shenzhen,10.10.101.3
    other,10.10.101.4

    ipp.txt is only a hint: OpenVPN rewrites it as clients connect and does not guarantee an address listed there. For addresses that must not change (the static routes in the next step point at them), put an "ifconfig-push <IP> 255.255.255.248" line in ccd/<CN> for each client; client-config-dir is already enabled above. comp-lzo is deprecated in current OpenVPN releases, and compression inside the tunnel is known to leak plaintext (VORACLE), so leave it out unless both ends really need it.
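    The "CN,IP" lines in ipp.txt do not pin addresses. The script below, an added example rather than code from the original page, turns the same mapping into the ccd/<CN> entries that do pin them, rejecting a Common Name that could escape the ccd directory and a second client claiming an address already handed out in the same mapping. The netmask is the /29 from server.conf; the mapping fed to it in the demo is constructed from the three clients above.

```shell
#!/bin/sh
# Added example (not from the original page): build the client-config-dir
# entries that give each client a fixed tunnel address. OpenVPN honours
# "ifconfig-push" in ccd/<CN> unconditionally, unlike ipp.txt, which it
# treats as a hint and rewrites itself.
# Assumes tap mode and the 10.10.101.0/29 from server.conf.

# gen_ccd CCD_DIR NETMASK   (reads "CN,IP" lines on stdin)
# Writes CCD_DIR/<CN> containing "ifconfig-push IP NETMASK" for each valid
# entry. Bad entries are reported and skipped, and the function then returns
# 1. Duplicate addresses are detected within one mapping, so regenerate the
# whole directory from one mapping file rather than adding clients piecemeal.
gen_ccd() {
    ccd_dir=$1
    netmask=$2
    rc=0
    seen_ips=" "
    mkdir -p "$ccd_dir" || return 1
    while IFS=, read -r cn ip; do
        case $cn in ''|'#'*) continue ;; esac      # blank line or comment
        # The CN becomes a file name. OpenVPN maps a certificate CN onto
        # ccd/<CN> using only [A-Za-z0-9_.@-], so anything else could never
        # be matched anyway; refusing a leading dot also keeps "." and ".."
        # from pointing outside the directory.
        case $cn in
            *[!A-Za-z0-9_.@-]*|.*) echo "gen_ccd: rejected CN '$cn'" >&2; rc=1; continue ;;
        esac
        # Loose dotted-quad check on the address.
        case $ip in
            ''|*[!0-9.]*) echo "gen_ccd: bad IP '$ip' for $cn" >&2; rc=1; continue ;;
        esac
        # Two clients on one address would fight over the routes that use it.
        case $seen_ips in
            *" $ip "*) echo "gen_ccd: $ip already assigned, skipping $cn" >&2; rc=1; continue ;;
        esac
        seen_ips="$seen_ips$ip "
        printf 'ifconfig-push %s %s\n' "$ip" "$netmask" > "$ccd_dir/$cn"
    done
    return $rc
}

# Stand-alone run: the page's three clients (constructed input), written to a
# scratch directory so the script can be tried without touching /etc/openvpn.
demo_dir=$(mktemp -d)
printf 'shanghai,10.10.101.2\nshenzhen,10.10.101.3\nother,10.10.101.4\n' \
    | gen_ccd "$demo_dir" 255.255.255.248
for f in "$demo_dir"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
done
```

    On the server the real call is `gen_ccd /etc/openvpn/ccd 255.255.255.248 < /etc/openvpn/ipp.txt`; the server's own address 10.10.101.1 must not appear in the mapping, and any CN that is rejected simply falls back to the pool.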
      
  4. Gateway configuration. When the server starts, also enable IP forwarding and make this machine the gateway towards the office networks

    # vi /etc/openvpn/startserver.sh   # create the startup script
    #!/bin/bash
    /usr/sbin/openvpn --daemon --config /etc/openvpn/server.conf
    sleep 5   # give tap0 time to come up before adding routes over it
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ip ro add 10.10.0.0/16 via 10.10.101.2 dev tap0 src 192.168.1.213
    ip ro add 192.168.20.0/24 via 10.10.101.3 dev tap0 src 192.168.1.213

    The next hops are the fixed tunnel addresses of the Shanghai (10.10.101.2) and Shenzhen (10.10.101.3) clients. Setting src matters: without it the other machines in the IDC can ping the OA (office) network but the gateway machine itself cannot, because its own packets would be sourced from the tap0 address 10.10.101.1, and the office hosts only have a route back to the IDC segment 192.168.1.0/24, not to the tunnel subnet.
      
  5. Start the service

    chmod +x /etc/openvpn/startserver.sh
    /etc/openvpn/startserver.sh
      
  6. Start the service after booting

    sed -i '/^exit 0/i /etc/openvpn/startserver.sh' /etc/rc.local

    The stock Debian/Ubuntu rc.local ends with "exit 0", so a line appended with ">>" would land after it and never run; the sed above inserts the call before that line instead.
      
  7. Every IDC server gets static routes for the office network segments pointing at the gateway created above (192.168.1.213)

    /sbin/ip ro add 10.10.0.0/16 via 192.168.1.213
    /sbin/ip ro add 192.168.20.0/24 via 192.168.1.213
      

2. Client deployment

  1. Install the software package

    apt-get install openvpn
    
  2. Copy the client's files generated on the server (ca.crt, shanghai.crt, shanghai.key, ta.key) to the client's /etc/openvpn/conf/ directory over a secure channel such as scp; shanghai.key and ta.key are secrets and should be readable by root only
  3. Create the client configuration file

    /etc/openvpn/conf/client.ovpn
    client
    remote 183.57.37.213 1195   # must match the "port" line in server.conf (1195 above; the OpenVPN default is 1194)
    dev tap
    proto udp
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /etc/openvpn/conf/ca.crt
    cert /etc/openvpn/conf/shanghai.crt
    key /etc/openvpn/conf/shanghai.key
    remote-cert-tls server   # require a server-role certificate; replaces the deprecated "ns-cert-type server", which OpenVPN 2.5 no longer accepts
    comp-lzo
    verb 3
    tls-auth /etc/openvpn/conf/ta.key 1

    Without remote-cert-tls (or ns-cert-type on old releases) any certificate issued by the same CA, including another site's client certificate, would be accepted as the server. build-key-server marks server.crt with the server role, so the check passes for it and fails for shanghai.crt or shenzhen.crt.
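    The port the client dials has to be the one the server listens on, proto and dev have to match, and the two tls-auth key directions have to be 0 and 1. The check below, an added example that is not part of the original page, reads a server.conf and a client .ovpn and reports those mismatches plus a client that never verifies the server certificate's role. It assumes the directive spellings used in this page's configs; the two files it writes for its own run are constructed, trimmed copies of them with the server on 1195 and the client dialling 1194.

```shell
#!/bin/sh
# Added example (not from the original page): cross-check a server.conf
# against a client .ovpn before deploying them. Flags what keeps the tunnel
# from coming up (port, proto, dev, tls-auth key direction) and what weakens
# it (client not verifying the server certificate's role). Assumes the
# directive spellings used in this page's configs.

# conf_val FILE DIRECTIVE -> first value token of DIRECTIVE, empty if absent
conf_val() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# key_dir FILE -> tls-auth key direction: third token of the tls-auth line,
# else a separate key-direction line, else empty
key_dir() {
    v=$(awk '$1 == "tls-auth" { print $3; exit }' "$1")
    [ -n "$v" ] || v=$(conf_val "$1" key-direction)
    printf '%s' "$v"
}

# check_pair SERVER.CONF CLIENT.OVPN -> 0 if consistent, else 1 with one line per fault
check_pair() {
    srv=$1
    cli=$2
    rc=0
    # OpenVPN's defaults apply where a directive is missing
    sport=$(conf_val "$srv" port);   sport=${sport:-1194}
    sproto=$(conf_val "$srv" proto); sproto=${sproto:-udp}
    # "remote HOST [PORT] [PROTO]": the port is the third token
    cport=$(awk '$1 == "remote" { print $3; exit }' "$cli"); cport=${cport:-1194}
    cproto=$(conf_val "$cli" proto); cproto=${cproto:-udp}
    [ "$sport" = "$cport" ] || { echo "port: server listens on $sport, client dials $cport"; rc=1; }
    [ "$sproto" = "$cproto" ] || { echo "proto: server $sproto, client $cproto"; rc=1; }
    [ "$(conf_val "$srv" dev)" = "$(conf_val "$cli" dev)" ] \
        || { echo "dev: both ends must be tun or both tap"; rc=1; }
    # tls-auth must be on both ends with opposite key directions (0 and 1)
    sdir=$(key_dir "$srv")
    cdir=$(key_dir "$cli")
    case "$sdir/$cdir" in
        0/1|1/0) ;;
        *) echo "tls-auth: server direction '$sdir', client '$cdir' (expected 0 and 1)"; rc=1 ;;
    esac
    # Without a server-role check, any certificate issued by the same CA,
    # e.g. another site's client cert, would be accepted as the server.
    if grep -q '^remote-cert-tls[[:space:]][[:space:]]*server' "$cli"; then
        :
    elif grep -q '^ns-cert-type[[:space:]][[:space:]]*server' "$cli"; then
        echo "note: ns-cert-type is deprecated and removed in OpenVPN 2.5; use remote-cert-tls server"
    else
        echo "client never checks the server certificate's role: add remote-cert-tls server"
        rc=1
    fi
    return $rc
}

# write_page_configs DIR SERVER_PORT: constructed copies of this page's two
# configs, trimmed to the directives the check reads; the client dials 1194.
write_page_configs() {
    cat > "$1/server.conf" <<EOF
port $2
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.10.101.0 255.255.255.248
tls-auth ta.key 0
EOF
    cat > "$1/client.ovpn" <<EOF
client
remote 183.57.37.213 1194
dev tap
proto udp
ca /etc/openvpn/conf/ca.crt
ns-cert-type server
tls-auth /etc/openvpn/conf/ta.key 1
EOF
}

# Stand-alone run: server on 1195, client dialling 1194
tmp=$(mktemp -d)
write_page_configs "$tmp" 1195
if check_pair "$tmp/server.conf" "$tmp/client.ovpn"; then
    echo "consistent"
else
    echo "fix the faults above before deploying"
fi
```

    Run it as `check_pair /etc/openvpn/server.conf shanghai.ovpn` before handing a profile to a site; a non-zero exit means at least one fault was printed.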
      
  4. Start the client

    /usr/sbin/openvpn /etc/openvpn/conf/client.ovpn &

    Check the output for "Initialization Sequence Completed", which confirms the client reached the server and was given its address; ifconfig (or ip link) should now show a tap device.

  5. Gateway settings

    # The IDC side has a gateway that forwards packets to the OA network; the office network needs one that forwards packets to the IDC.
    # Once the connection is up, this client machine can reach the IDC devices. To let the other machines on the office network reach the IDC through it, turn it into a gateway as well:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ip ro add 192.168.1.0/24 via 10.10.101.1 dev tap0   # the server already pushes this route; adding it explicitly is harmless
    # On the office network router, add a static route that sends the IDC network segment (192.168.1.0/24) to 10.10.1.1, this machine's address on the office LAN.

    # Test: the two networks can now reach each other.
      
  6. Create the startup script

    # vi /etc/openvpn/conf/startclient.sh   # create the startup script
    #!/bin/bash
    /usr/sbin/openvpn --daemon --config /etc/openvpn/conf/client.ovpn
    sleep 5   # give tap0 time to come up before adding the route
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ip ro add 192.168.1.0/24 via 10.10.101.1 dev tap0

    The client is started with --daemon here, as in the server script, so that it detaches cleanly when the script is run from rc.local; make the script executable with chmod +x and hook it into rc.local the same way as on the server.
      
Lastmod: Friday, April 12, 2024
