Connecting two branch offices, e.g. a branch pushes data to headquarters for processing in real time
Connecting an office network with an IDC server room, e.g. operations or engineering staff manage the servers in the IDC remotely, and servers in the IDC also need to reach servers on the office intranet
Connecting the internal networks of two IDC server rooms, e.g. for data synchronisation and mutual access
Of course you could lease a dedicated line for any of these, but that is expensive; we use OpenVPN instead.
The example below uses OpenVPN to build a VPN server that joins two remote networks A and B, so that 172.16.10.0/24 in LAN A and 172.16.20.0/24 in LAN B can reach each other as if they were one LAN.
Environment:
OpenVPN server
192.168.0.124/24 (simulated public address)
172.16.10.206/24 (internal)
10.8.0.1 10.8.0.2 (VPN virtual interface addresses)
OpenVPN client
192.168.0.200/24
172.16.20.200/24 (internal)
10.8.0.6 10.8.0.5 (VPN virtual interface addresses)
Host in LAN A
172.16.10.207/24
Host in LAN B
172.16.20.201/24
2. Deploy the OpenVPN server (192.168.0.124)
Disable SELinux
# setenforce 0
setenforce: SELinux is disabled
Enable IP forwarding
Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then run
# sysctl -p
Install OpenVPN
# curl http://mirrors.aliyun.com/repo/epel-6.repo -o /etc/yum.repos.d/epel-6.repo --silent # add the Aliyun EPEL repository
# yum install openssl openvpn easy-rsa lzo -y
Create the directories
# mkdir /var/log/openvpn # OpenVPN log files
# mkdir /etc/openvpn/easy-rsa # the tools shipped with the easy-rsa package
# mkdir /etc/openvpn/ccd # per-client configuration directory, used later
# mkdir /var/run/openvpn # OpenVPN pid file
Copy the tools shipped with the easy-rsa package to /etc/openvpn/easy-rsa
# cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ -r
Edit /etc/openvpn/easy-rsa/vars, find the variables below and set them to your own values; they are applied when the certificates are generated later
export KEY_COUNTRY="CN" # country
export KEY_PROVINCE="GD" # province
export KEY_CITY="GZ" # city
export KEY_ORG="MY_ORG" # organisation/company
export KEY_EMAIL="vpn@qq.com" # e-mail address
export KEY_OU="vpn" # organisational unit
export KEY_NAME="openvpn" # server name
# source vars # import the variables from vars into the current environment (run from inside /etc/openvpn/easy-rsa)
# ./clean-all # remove everything under the keys directory
Build the CA, the certificate authority that signs the certificates below
# cd /etc/openvpn/easy-rsa
# ./build-ca
Generate the server certificate
# ./build-key-server vpnserver # name it vpnserver
Generating a 2048 bit RSA private key
................................+++
.....+++
writing new private key to 'vpnserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnserver]:
Name [vpn]:
Email Address [vpn@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'GZ'
organizationName :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'vpnserver'
name :PRINTABLE:'vpn'
emailAddress :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:26:49 2026 GMT (3650 days)
Sign the certificate? [y/n]:y # type y
1 out of 1 certificate requests certified, commit? [y/n]y # type y
Write out database with 1 new entries
Data Base Updated
Generate the client certificate
# ./build-key vpnclient # name it vpnclient; this generates the certificate for the client called vpnclient
Generating a 2048 bit RSA private key
.......+++
....................+++
writing new private key to 'vpnclient.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [GZ]:
Organization Name (eg, company) [MY_ORG]:
Organizational Unit Name (eg, section) [vpn]:
Common Name (eg, your name or your server's hostname) [vpnclient]:
Name [vpn]:
Email Address [vpn@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'GZ'
organizationName :PRINTABLE:'MY_ORG'
organizationalUnitName:PRINTABLE:'vpn'
commonName :PRINTABLE:'vpnclient'
name :PRINTABLE:'vpn'
emailAddress :IA5STRING:'vpn@qq.com'
Certificate is to be certified until Apr 29 06:30:42 2026 GMT (3650 days)
Sign the certificate? [y/n]:y # type y
1 out of 1 certificate requests certified, commit? [y/n]y # type y
Write out database with 1 new entries
Data Base Updated
Create the Diffie-Hellman parameter file
This takes a while
# ./build-dh
Configure OpenVPN
Edit /etc/openvpn/server.conf with the following contents
local 192.168.0.124
port 1999
proto tcp-server
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
push "route 172.16.10.0 255.255.255.0" # route pushed to the client: tells it to add a static route so that traffic for 172.16.10.0/24 goes through the VPN server; add one push line per subnet behind the VPN server
route 172.16.20.0 255.255.255.0 # route added to the server's own table at start-up: traffic for 172.16.20.0/24 goes out the virtual interface (tun0), i.e. a static route
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
client-to-client
duplicate-cn
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
writepid /var/run/openvpn/server.pid
verb 3
mute 20
Start the OpenVPN server
# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on
Check the tun0 interface and routes
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
# route -n | grep tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 # host route
172.16.20.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 # static route: next hop for 172.16.20.0/24 is 10.8.0.2
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 # static route: next hop for 10.8.0.0/24 is 10.8.0.2
Per-client configuration
Configure the client vpnclient: edit /etc/openvpn/ccd/vpnclient with the following contents
ifconfig-push 10.8.0.6 10.8.0.5 # assign the client's tunnel addresses
iroute 172.16.20.0 255.255.255.0 # tells the server that the subnet behind this client is 172.16.20.0/24
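The three routing statements above have to agree with each other: route in server.conf makes the kernel send the remote LAN into tun0, iroute in ccd/vpnclient tells OpenVPN which connected client owns that LAN, and push "route ..." tells the client where the server-side LAN lives. Forgetting the route line is the classic mistake (OpenVPN logs nothing, the LAN is simply unreachable). The POSIX shell script below is an added example, not part of the original post, that cross-checks a server.conf against its client-config-dir and generalises the post's single site to any number of client sites; the sample files it writes reproduce the post's own lines, and the siteC entry used in its self-check is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check server.conf against
# the client-config-dir. For every "iroute net mask" in a ccd file the server
# must also carry "route net mask", otherwise the kernel never hands packets
# for that LAN to tun0; and every LAN behind the server needs a push "route".

# Print "net mask" for each line that starts with keyword $1 in file $2.
# Trailing "# ..." comments, as used in the post, are ignored.
extract_nets() {
    awk -v kw="$1" '
        { sub(/#.*/, "") }
        $1 == kw && NF >= 3 { print $2, $3 }
    ' "$2"
}

# Print "net mask" for each push "route net mask" line in server.conf $1.
extract_pushed_routes() {
    sed -n 's/#.*//; s/^push[[:space:]]*"route[[:space:]]*\([^[:space:]"]*\)[[:space:]]*\([^[:space:]"]*\)".*/\1 \2/p' "$1"
}

# One "MISSING net mask (ccdfile)" line per iroute that has no matching
# route in server.conf $1 (ccd directory $2); exit 0 only when nothing is missing.
check_iroutes() {
    conf="$1"; ccd="$2"; missing=""
    routes=$(extract_nets route "$conf")
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        for pair in $(extract_nets iroute "$f" | tr ' ' '/'); do
            net=${pair%/*}; mask=${pair#*/}
            if ! printf '%s\n' "$routes" | grep -qxF "$net $mask"; then
                missing="${missing}MISSING $net $mask ($(basename "$f"))
"
            fi
        done
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Exit 0 only when every "net mask" argument is pushed to clients by server.conf $1.
check_push_routes() {
    conf="$1"; shift
    pushed=$(extract_pushed_routes "$conf")
    for lan in "$@"; do
        printf '%s\n' "$pushed" | grep -qxF "$lan" ||
            { echo "NOT PUSHED $lan"; return 1; }
    done
    return 0
}

# Constructed sample: the routing lines of the post's server.conf and its
# ccd/vpnclient, written under directory $1 so the checks can run offline.
write_sample_site() {
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route 172.16.10.0 255.255.255.0" # LAN behind the server
route 172.16.20.0 255.255.255.0 # LAN behind vpnclient
EOF
    printf 'ifconfig-push 10.8.0.6 10.8.0.5\niroute 172.16.20.0 255.255.255.0\n' \
        > "$1/ccd/vpnclient"
}

# Usage on the live server from the post:
#   check_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd
#   check_push_routes /etc/openvpn/server.conf "172.16.10.0 255.255.255.0"
```

Run both checks after every change to ccd: adding a second site means one new ccd file with its iroute, one new route line in server.conf, and (if the new site must be reachable from the existing client) one more push "route" line.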
3. Deploy the OpenVPN client (192.168.0.200)
Disable SELinux
# setenforce 0
setenforce: SELinux is disabled
Enable IP forwarding
Edit /etc/sysctl.conf, change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1, then run
# sysctl -p
Install OpenVPN
# curl http://mirrors.aliyun.com/repo/epel-6.repo -o /etc/yum.repos.d/epel-6.repo --silent # add the Aliyun EPEL repository
# yum install openssl openvpn easy-rsa lzo -y
Create the directories
# mkdir /etc/openvpn/keys # the client's certificate files
# mkdir /var/log/openvpn # log directory
Copy ca.crt, vpnclient.crt and vpnclient.key from /etc/openvpn/easy-rsa/keys on the OpenVPN server into /etc/openvpn/keys on the client
# ls /etc/openvpn/keys
ca.crt vpnclient.crt vpnclient.key
Configure the OpenVPN client
Edit the client configuration file /etc/openvpn/client.conf with the following contents
client
dev tun
proto tcp-client
remote 192.168.0.124 1999
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnclient.crt
key /etc/openvpn/keys/vpnclient.key
remote-cert-tls server
auth-nocache
user nobody
group nobody
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
comp-lzo
verb 3
mute 20
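Before the server.conf from section 2 and the client.conf above leave the lab, a few of their settings deserve a second look: duplicate-cn (one copied vpnclient.key can then connect from anywhere, and it also undermines the per-CN ifconfig-push/iroute in ccd), comp-lzo, client-to-client, no tls-auth or tls-crypt, and no explicit cipher (the OpenVPN 2.3 that EPEL 6 ships defaults to BF-CBC). The script below is an added example, not part of the original post, that audits a config file for exactly these points and writes a hardened server.conf beside the post's one for comparison. It assumes a ta.key generated with openvpn --genkey --secret ta.key (tls-auth works on 2.3; tls-crypt needs 2.4+), and the client counterpart needs the matching tls-auth ... 1, cipher and auth lines with comp-lzo removed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf or
# client.conf for the weak settings a reviewer would flag in the post's
# configs, and emit a hardened server.conf for comparison.

# True when option $2 is set in config $1; trailing "# ..." comments ignored.
has_opt() {
    awk -v opt="$2" '{ sub(/#.*/, "") } $1 == opt { found = 1 } END { exit !found }' "$1"
}

# Print one "WARN ..." line per finding for role $1 (server|client), file $2.
audit_conf() {
    role="$1"; f="$2"
    has_opt "$f" tls-auth || has_opt "$f" tls-crypt ||
        echo "WARN no tls-auth/tls-crypt: control channel is not HMAC-protected, the port answers TLS from anyone"
    has_opt "$f" cipher ||
        echo "WARN no cipher line: OpenVPN 2.3 defaults to BF-CBC (64-bit block cipher)"
    if has_opt "$f" comp-lzo || has_opt "$f" compress; then
        echo "WARN compression enabled: tunnelled plaintext is exposed to compression oracles (VORACLE)"
    fi
    if [ "$role" = server ]; then
        if has_opt "$f" duplicate-cn; then
            echo "WARN duplicate-cn: a copied client key connects from many places; per-CN ccd ifconfig-push/iroute cannot work reliably"
        fi
        if has_opt "$f" client-to-client; then
            echo "WARN client-to-client: traffic between sites is switched inside openvpn and bypasses the kernel firewall"
        fi
        has_opt "$f" user || echo "WARN no user line: daemon keeps root privileges after start-up"
    else
        has_opt "$f" remote-cert-tls ||
            echo "WARN no remote-cert-tls server: any client certificate from the CA could pose as the server"
    fi
    return 0
}

# Number of WARN lines for role $1, file $2 (always prints a number).
count_findings() {
    audit_conf "$1" "$2" | grep -c '^WARN' || true
}

# Constructed sample configs under directory $1: the post's server.conf and
# client.conf trimmed to their security-relevant lines, plus a hardened server.conf.
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/server.conf" <<'EOF'
proto tcp-server
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
comp-lzo
user nobody
group nobody
client-to-client
duplicate-cn
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto tcp-client
remote 192.168.0.124 1999
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnclient.crt
key /etc/openvpn/keys/vpnclient.key
remote-cert-tls server
comp-lzo
EOF
    cat > "$1/server-hardened.conf" <<'EOF'
proto tcp-server
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/vpnserver.crt
key /etc/openvpn/easy-rsa/keys/vpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
user nobody
group nobody
EOF
}

# Usage on the live hosts: audit_conf server /etc/openvpn/server.conf
#                          audit_conf client /etc/openvpn/client.conf
```

The hardened variant keeps the post's per-site model (ccd with ifconfig-push and iroute) intact; dropping duplicate-cn is what makes that model reliable, and dropping client-to-client means inter-site traffic goes through the kernel, where iptables can restrict it per subnet.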
Start the OpenVPN client
# service openvpn start
# chkconfig --add openvpn
# chkconfig --level 35 openvpn on
Once started, the client only shows up as a process and opens no listening port: it connects out to the server and does not have to serve a port itself
# ps aux | grep vpn
nobody 4236 0.1 0.3 46916 3232 ? Ss 01:36 0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/client.pid
--cd /etc/openvpn --config client.conf --script-security 2
Check the tun0 interface and routes
# ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
# route -n | grep tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 # host route
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0 # static route: next hop for 10.8.0.0/24 is 10.8.0.5
172.16.10.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0 # static route: next hop for 172.16.10.0/24 is 10.8.0.5
4. Test (172.16.10.207, 172.16.20.201)
On host 172.16.10.207 in LAN A, add a route
ip route add 172.16.20.0/24 via 172.16.10.206 // on Linux
route add 172.16.20.0 mask 255.255.255.0 172.16.10.206 // on Windows
This route says that from A the next hop for LAN B's 172.16.20.0/24 is 172.16.10.206, i.e. packets are handed to vpnserver
On host 172.16.20.201 in LAN B, add a route
ip route add 172.16.10.0/24 via 172.16.20.200 // on Linux
route add 172.16.10.0 mask 255.255.255.0 172.16.20.200 // on Windows
This route says that from B the next hop for LAN A's 172.16.10.0/24 is 172.16.20.200, i.e. packets are handed to vpnclient
Finally, on host 172.16.10.207 in LAN A, ping 172.16.20.201
# ping 172.16.20.201
PING 172.16.20.201 (172.16.20.201) 56(84) bytes of data.
64 bytes from 172.16.20.201: icmp_seq=1 ttl=62 time=1.44 ms
64 bytes from 172.16.20.201: icmp_seq=2 ttl=62 time=0.752 ms
64 bytes from 172.16.20.201: icmp_seq=3 ttl=62 time=0.674 ms
64 bytes from 172.16.20.201: icmp_seq=4 ttl=62 time=0.785 ms
--- 172.16.20.201 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3023ms
rtt min/avg/max/mdev = 0.674/0.913/1.441/0.307 ms
On host 172.16.20.201 in LAN B, ping 172.16.10.207
# ping 172.16.10.207
PING 172.16.10.207 (172.16.10.207) 56(84) bytes of data.
64 bytes from 172.16.10.207: icmp_seq=1 ttl=62 time=5.72 ms
64 bytes from 172.16.10.207: icmp_seq=2 ttl=62 time=0.674 ms
--- 172.16.10.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1400ms
rtt min/avg/max/mdev = 0.674/3.200/5.727/2.527 ms
Both directions ping successfully, so the link works
Possible improvements
If LANs A and B contain many hosts, adding the route on every host is tedious; in a real deployment you add it on the LAN's router instead, so nothing has to be configured on the hosts.
The purpose of the VPN is to join two or more remote networks at the network layer so that they behave like one LAN
Once vpnserver and vpnclient are set up they can be thought of as routers
If you will move a lot of data across the VPN, give it as much bandwidth as possible; if necessary set up link bonding and high availability
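The ttl=62 in the replies above is itself a useful check: Linux sends with TTL 64, and each forwarding hop decrements it, so 62 confirms the packets really crossed both gateways rather than some shortcut. When the ping does not come back, the failure is almost always on one of the two gateways: ip_forward still 0, tun0 not up, or the remote LAN not routed via the peer tunnel address. The script below is an added example, not part of the original post, that checks those three conditions from captured output of ifconfig and route -n (so it can be run offline against saved output as well as live); the sample output it embeds reproduces the server's tables from the post, and the 192.168.0.1 default gateway in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify on a site gateway that
# the three things the ping test depends on are in place, by parsing the same
# "ifconfig tun0" and "route -n" output the post shows.

# True when the route table on stdin (route -n format) has a line whose
# Destination, Gateway and Iface columns are $1, $2 and $3.
route_present() {
    awk -v dst="$1" -v gw="$2" -v dev="$3" \
        '$1 == dst && $2 == gw && $8 == dev { ok = 1 } END { exit !ok }'
}

# True when the sysctl value in file $1 (e.g. /proc/sys/net/ipv4/ip_forward) is 1.
forwarding_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# True when the ifconfig output on stdin shows local address $1 with peer $2.
tun_addresses_ok() {
    l=$(printf '%s' "$1" | sed 's/\./\\./g'); p=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -qE "inet addr:$l[[:space:]]+P-t-P:$p([[:space:]]|$)"
}

# Run all checks from captured text. $1 = ip_forward file, $2 = ifconfig output,
# $3 = route -n output, $4 = local tunnel address, $5 = peer tunnel address,
# $6 = remote LAN. Prints one FAIL line per problem; exit 0 only if all pass.
gateway_check() {
    ipf="$1"; ifc="$2"; rt="$3"; local_ip="$4"; peer="$5"; lan="$6"; rc=0
    forwarding_enabled "$ipf" ||
        { echo "FAIL ip_forward is 0: this host will not relay packets between LAN and tunnel"; rc=1; }
    tun_addresses_ok "$local_ip" "$peer" < "$ifc" ||
        { echo "FAIL tun0 is not up with $local_ip -> $peer"; rc=1; }
    route_present "$lan" "$peer" tun0 < "$rt" ||
        { echo "FAIL no route: $lan via $peer dev tun0"; rc=1; }
    return $rc
}

# Live run on the post's server (on the client use 10.8.0.6 10.8.0.5 172.16.10.0):
#   ifconfig tun0 > /tmp/ifc; route -n > /tmp/rt
#   gateway_check /proc/sys/net/ipv4/ip_forward /tmp/ifc /tmp/rt 10.8.0.1 10.8.0.2 172.16.20.0

# Constructed sample: the server's ifconfig/route output as printed in the post,
# plus a constructed default route, written under directory $1.
write_sample_state() {
    mkdir -p "$1"
    echo 1 > "$1/ip_forward"
    cat > "$1/ifconfig" <<'EOF'
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
EOF
    cat > "$1/route" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.20.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
EOF
}
```

Running the same check on the LAN hosts with their own route output (destination 172.16.20.0 via 172.16.10.206 on eth0, for instance) covers the fourth failure mode from this section, a missing host route, with no new code.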