Install OpenVPN the same way as described in the article "CentOS: установка OpenVPN сервера" (CentOS: installing an OpenVPN server).
The keys we need were created during the OpenVPN server installation from that same article; they are:
# file /etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/ca.crt: ASCII text
# file /etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.crt: ASCII text
# file /etc/openvpn/easy-rsa/keys/client.key
/etc/openvpn/easy-rsa/keys/client.key: ASCII text
The setup is done on:
# cat /etc/redhat-release
CentOS release 6.5 (Final)
On the server, create a separate directory for all of the client's files:
# mkdir /etc/openvpn/clients/client1
Copy the certificates:
# cd /etc/openvpn/easy-rsa/keys/
# cp ca.crt client.crt client.key /etc/openvpn/clients/client1/
Copy the client configuration file:
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf /etc/openvpn/clients/client1/
If the client is a Windows machine, name the new file /etc/openvpn/clients/client1/client.ovpn.
Edit it and change the line:
remote my-server-1 1194
to our server's address; in this case the config will look like this:
# cat /etc/openvpn/clients/client1/client.conf | grep -v "#"
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 192.168.1.105 1194
;remote my-server-2 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
;mute 20
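The steps above (per-client directory, copying ca.crt/client.crt/client.key, taking the sample client.conf and pointing its `remote` line at the server) can be done in one shot. The script below is an added example, not part of the original article: the function `make_client_bundle` and the argument layout are this example's own, and it runs against a scratch directory with dummy key files and a constructed sample config so it can be tried without touching /etc/openvpn.

```shell
#!/bin/sh
# Added example (not from the original article): build a client bundle the way
# the article does by hand. All paths are passed as arguments (hypothetical
# layout for this demo) so the function can be exercised in a scratch directory.

# make_client_bundle <name> <server> <port> <keydir> <sample.conf> <root>
#   keydir must contain ca.crt, client.crt and client.key
#   the bundle is written to <root>/<name>/
make_client_bundle() {
    name=$1; server=$2; port=$3; keydir=$4; sample=$5; root=$6
    dest="$root/$name"
    mkdir -p "$dest" || return 1
    # copy the three files the client needs; a missing file is a hard failure,
    # not a bundle that silently lacks its key
    for f in ca.crt client.crt client.key; do
        cp "$keydir/$f" "$dest/$f" || return 1
    done
    # the private key must be readable by root only
    chmod 600 "$dest/client.key"
    # rewrite only the active "remote my-server-1 1194" line; commented-out
    # ";remote ..." lines in the sample are left untouched
    sed "s/^remote my-server-1 1194\$/remote $server $port/" "$sample" > "$dest/client.conf"
    grep -q "^remote $server $port\$" "$dest/client.conf"
}

# --- constructed demo data so the example runs offline ---
demo=$(mktemp -d)
mkdir -p "$demo/keys"
for f in ca.crt client.crt client.key; do
    printf '%s\n' "-----BEGIN DUMMY $f-----" > "$demo/keys/$f"   # placeholder, not a real key
done
cat > "$demo/sample.conf" <<'EOF'
client
dev tun
proto udp
remote my-server-1 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
EOF

# build the bundle for "client1" against 192.168.1.105:1194 and show the result
make_client_bundle client1 192.168.1.105 1194 "$demo/keys" "$demo/sample.conf" "$demo/clients" \
    && grep -v '^;' "$demo/clients/client1/client.conf"
```

The same sed substitution works for a Windows `client.ovpn`; only the output file name changes. Note that the sample config keeps `user nobody` and `group nobody` commented out: uncommenting them makes the client drop root after the tunnel is up, and the `persist-key`/`persist-tun` lines already present are what keep restarts working once privileges are gone.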
On the client machine, create a directory:
# pwd
/root
# mkdir openvpnclient
Copy everything to the client machine:
# cd openvpnclient/
# scp -r [email protected]:/etc/openvpn/clients/client1/* .
[email protected]'s password:
ca.crt                                        100% 1728     1.7KB/s   00:00
client.conf                                   100% 3428     3.4KB/s   00:00
client.crt                                    100% 5404     5.3KB/s   00:00
client.key                                    100% 1708     1.7KB/s   00:00
Everything is ready; start it:
# openvpn --config client.conf
Tue Jul 1 14:26:47 2014 OpenVPN 2.3.2 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Tue Jul 1 14:26:47 2014 Socket Buffers: R=[112640->131072] S=[112640->131072]
Tue Jul 1 14:26:47 2014 UDPv4 link local: [undef]
Tue Jul 1 14:26:47 2014 UDPv4 link remote: [AF_INET]192.168.1.105:1194
Tue Jul 1 14:26:47 2014 TLS: Initial packet from [AF_INET]192.168.1.105:1194, sid=689685c5 9ad1c3e0
Tue Jul 1 14:26:47 2014 VERIFY OK: depth=1, C=UA, ST=CA, L=Kiev, O=Home, OU=MyOrganizationalUnit, CN=main-home, name=EasyRSA, [email protected]
Tue Jul 1 14:26:47 2014 VERIFY OK: nsCertType=SERVER
Tue Jul 1 14:26:47 2014 VERIFY OK: depth=0, C=UA, ST=CA, L=Kiev, O=Home, OU=MyOrganizationalUnit, CN=main-home, name=EasyRSA, [email protected]
Tue Jul 1 14:26:48 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 1 14:26:48 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 1 14:26:48 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 1 14:26:48 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 1 14:26:48 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jul 1 14:26:48 2014 [main-home] Peer Connection Initiated with [AF_INET]192.168.1.105:1194
Tue Jul 1 14:26:50 2014 SENT CONTROL [main-home]: 'PUSH_REQUEST' (status=1)
Tue Jul 1 14:26:50 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DNS 8.8.8.8,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5'
Tue Jul 1 14:26:50 2014 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 1 14:26:50 2014 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 1 14:26:50 2014 OPTIONS IMPORT: route options modified
Tue Jul 1 14:26:50 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jul 1 14:26:50 2014 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth1 HWADDR=08:00:27:8f:2d:a6
Tue Jul 1 14:26:50 2014 TUN/TAP device tun0 opened
Tue Jul 1 14:26:50 2014 TUN/TAP TX queue length set to 100
Tue Jul 1 14:26:50 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Jul 1 14:26:50 2014 /sbin/ip link set dev tun0 up mtu 1500
Tue Jul 1 14:26:50 2014 /sbin/ip addr add dev tun0 local 10.0.0.6 peer 10.0.0.5
Tue Jul 1 14:26:50 2014 /sbin/ip route add 10.0.0.1/32 via 10.0.0.5
Tue Jul 1 14:26:50 2014 Initialization Sequence Completed
The most common error:
# openvpn --config client.conf
Tue Jul 1 14:38:02 2014 OpenVPN 2.3.2 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Tue Jul 1 14:38:02 2014 Socket Buffers: R=[112640->131072] S=[112640->131072]
Tue Jul 1 14:38:02 2014 UDPv4 link local: [undef]
Tue Jul 1 14:38:02 2014 UDPv4 link remote: [AF_INET]192.168.1.105:1194
Tue Jul 1 14:39:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 1 14:39:02 2014 TLS Error: TLS handshake failed
Tue Jul 1 14:39:02 2014 SIGUSR1[soft,tls-error] received, process restarting
It is usually caused by an iptables problem, for example port 1194 being blocked.
Let's check. On the server, in /var/log/openvpn.log:
# tail /var/log/openvpn.log
Tue Jul 1 14:39:56 2014 192.168.1.107:57263 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 1 14:39:56 2014 192.168.1.107:57263 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jul 1 14:39:56 2014 192.168.1.107:57263 [client] Peer Connection Initiated with [AF_INET]192.168.1.107:57263
Tue Jul 1 14:39:56 2014 MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Tue Jul 1 14:39:56 2014 MULTI_sva: pool returned IPv4=10.0.0.6, IPv6=(Not enabled)
Tue Jul 1 14:39:56 2014 MULTI: Learn: 10.0.0.6 -> client/192.168.1.107:57263
Tue Jul 1 14:39:56 2014 MULTI: primary virtual IP for client/192.168.1.107:57263: 10.0.0.6
Tue Jul 1 14:39:58 2014 client/192.168.1.107:57263 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 1 14:39:58 2014 client/192.168.1.107:57263 send_push_reply(): safe_cap=940
Tue Jul 1 14:39:58 2014 client/192.168.1.107:57263 SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,dhcp-option DNS 8.8.8.8,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5' (status=1)
In /var/log/openvpn-status.log:
# tail /var/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Tue Jul 1 14:43:19 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,192.168.1.107:57263,6638,8354,Tue Jul 1 14:39:56 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.0.6,client,192.168.1.107:57263,Tue Jul 1 14:39:56 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
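The two client logs above (a healthy run that ends in "Initialization Sequence Completed" and the TLS negotiation timeout that usually means port 1194 is not reachable) and the server's status file can be checked by script rather than by eye. The helper below is an added example and not part of the original article: the function names are this example's own, and the log files it reads are constructed from the output shown above so that it runs offline. Besides classifying the outcome it also pulls the negotiated data-channel cipher out of the log, which in the article's run is BF-CBC, the OpenVPN 2.3 default that later releases replaced with AES.

```shell
#!/bin/sh
# Added example (not from the original article): triage an OpenVPN client log
# and list the clients in openvpn-status.log. Function names are this
# example's own; the sample files are constructed from the article's output.

# classify_openvpn_log <client-log>
# prints OK / TLS_TIMEOUT / CERT_ERROR / UNKNOWN and returns 0 only for OK
classify_openvpn_log() {
    if grep -q 'Initialization Sequence Completed' "$1"; then
        echo OK; return 0
    elif grep -q 'TLS key negotiation failed to occur within' "$1"; then
        # no TLS packet ever came back: firewall/iptables on the server,
        # wrong address or port, or nothing listening at all
        echo TLS_TIMEOUT; return 1
    elif grep -q 'VERIFY ERROR' "$1"; then
        # the server answered, but the certificate chain did not validate
        echo CERT_ERROR; return 2
    fi
    echo UNKNOWN; return 3
}

# data_channel_cipher <client-log>
# prints the cipher from the "Data Channel Encrypt: Cipher '...'" line
data_channel_cipher() {
    sed -n "s/.*Data Channel Encrypt: Cipher '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# weak_cipher <name>: returns 0 for the 64-bit block ciphers (Blowfish, DES)
weak_cipher() {
    case "$1" in
        BF-*|DES-*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_status_clients <openvpn-status.log>
# prints "common_name real_address" for each row of the CLIENT LIST section
list_status_clients() {
    awk -F, '
        /^ROUTING TABLE/ { in_list = 0 }
        in_list && NF == 5 { print $1, $2 }
        /^Common Name,Real Address/ { in_list = 1 }
    ' "$1"
}

# --- constructed sample data (excerpts of the article's output) ---
tmp=$(mktemp -d)
cat > "$tmp/good.log" <<'EOF'
Tue Jul 1 14:26:48 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Jul 1 14:26:48 2014 [main-home] Peer Connection Initiated with [AF_INET]192.168.1.105:1194
Tue Jul 1 14:26:50 2014 Initialization Sequence Completed
EOF
cat > "$tmp/bad.log" <<'EOF'
Tue Jul 1 14:38:02 2014 UDPv4 link remote: [AF_INET]192.168.1.105:1194
Tue Jul 1 14:39:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jul 1 14:39:02 2014 TLS Error: TLS handshake failed
EOF
cat > "$tmp/status.log" <<'EOF'
OpenVPN CLIENT LIST
Updated,Tue Jul 1 14:43:19 2014
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,192.168.1.107:57263,6638,8354,Tue Jul 1 14:39:56 2014
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.0.6,client,192.168.1.107:57263,Tue Jul 1 14:39:56 2014
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF

for f in good bad; do
    printf '%s: %s\n' "$f.log" "$(classify_openvpn_log "$tmp/$f.log")"
done
c=$(data_channel_cipher "$tmp/good.log")
if weak_cipher "$c"; then
    echo "data channel uses $c: set 'cipher AES-256-CBC' in both server.conf and client.conf"
fi
echo "connected clients:"
list_status_clients "$tmp/status.log"
```

`classify_openvpn_log` returns a distinct exit code per outcome, so it can drive a monitoring check directly; the TLS_TIMEOUT branch is the iptables case the article describes, while CERT_ERROR separates "the port is open but the keys are wrong" from it.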
From the client, try to ping the server:
# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.86 ms
^C
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 879ms
rtt min/avg/max/mdev = 1.861/1.861/1.861/0.000 ms
Interface status:
# ifconfig eth1 && ifconfig tun0
eth1      Link encap:Ethernet  HWaddr 08:00:27:8F:2D:A6
          inet addr:192.168.1.107  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe8f:2da6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11418 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7070731 (6.7 MiB)  TX bytes:1003509 (979.9 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.0.6  P-t-P:10.0.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:100 (100.0 b)
Routing table:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.1        10.0.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.105   192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
0.0.0.0         10.0.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.0.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
Here 10.0.0.5 is the point-to-point gateway, 10.0.0.1 is the VPN gateway, and 192.168.1.1 is the external gateway of the whole network.
The line we are actually interested in is:
0.0.0.0 10.0.0.5 128.0.0.0 UG 0 0 0 tun0
Together with the 128.0.0.0/128.0.0.0 line right after it, these two /1 routes cover the whole address space and are more specific than the 0.0.0.0/0 default, so they win without the original default route via 192.168.1.1 having to be removed.
Now let's try a traceroute, for example:
# traceroute 77.120.106.40
traceroute to 77.120.106.40 (77.120.106.40), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  1.898 ms  1.334 ms  0.919 ms
 2  10.0.0.1 (10.0.0.1)  1.080 ms !X  0.980 ms !X  0.834 ms !X
Everything goes through the VPN gateway, as required.
One nuance: if the server's /etc/openvpn/server.conf did not contain:
push "redirect-gateway def1 bypass-dhcp"
then the 10.0.0.1 gateway will not be set on the client.
This is what it looks like:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.1        10.0.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
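The difference between the two routing tables is easy to miss when reading them by hand. The script below is an added example, not part of the original article: it reads `route -n` output, performs the same longest-prefix match the kernel does to show which next hop a destination takes, and checks whether the two /1 routes that `redirect-gateway def1` installs are present. Both tables are constructed from the article's own output; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): answer, from "route -n"
# output, which gateway a destination uses and whether the VPN is the default
# gateway. The route tables below are copied from the article's two runs.

# route_lookup <route-n-output> <ipv4>
# prints "gateway iface" of the most specific (longest prefix) matching route
route_lookup() {
    awk -v dst="$2" '
        function ip2n(s,   p) {
            split(s, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        # number of leading 1 bits in a contiguous netmask
        function maskbits(m,   n, b) {
            n = ip2n(m); b = 0
            while (n > 0) { b += n % 2; n = int(n / 2) }
            return b
        }
        BEGIN { best = -1 }
        # data rows only: Destination Gateway Genmask Flags Metric Ref Use Iface
        NF == 8 && $1 ~ /^[0-9]+\./ {
            bits = maskbits($3)
            # dst AND mask without a bitwise operator: strip the host part
            block = 2 ^ (32 - bits)
            masked = ip2n(dst) - ip2n(dst) % block
            if (masked == ip2n($1) && bits > best) { best = bits; gw = $2; ifc = $8 }
        }
        END { if (best >= 0) print gw, ifc }
    ' "$1"
}

# vpn_is_default_gateway <route-n-output> <tunnel-iface>
# returns 0 when both 0.0.0.0/1 and 128.0.0.0/1 go via the tunnel interface,
# i.e. when "redirect-gateway def1" took effect
vpn_is_default_gateway() {
    awk -v dev="$2" '
        $3 == "128.0.0.0" && $8 == dev && $1 == "0.0.0.0"   { low = 1 }
        $3 == "128.0.0.0" && $8 == dev && $1 == "128.0.0.0" { high = 1 }
        END { if (low && high) exit 0; exit 1 }
    ' "$1"
}

# --- constructed sample tables (the article's two "route -n" outputs) ---
tmp=$(mktemp -d)
cat > "$tmp/with_def1" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.1        10.0.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.105   192.168.1.1     255.255.255.255 UGH   0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
0.0.0.0         10.0.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.0.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
EOF
cat > "$tmp/without_def1" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.0.0.1        10.0.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
EOF

for t in with_def1 without_def1; do
    echo "$t: 77.120.106.40 via $(route_lookup "$tmp/$t" 77.120.106.40)"
    if vpn_is_default_gateway "$tmp/$t" tun0; then
        echo "$t: all traffic goes through tun0"
    else
        echo "$t: traffic still leaves via the LAN gateway (no redirect-gateway pushed)"
    fi
done
# the VPN server itself stays reachable outside the tunnel through its /32 host route
echo "192.168.1.105 via $(route_lookup "$tmp/with_def1" 192.168.1.105)"
```

Run against a live machine with `route -n > /tmp/rt && route_lookup /tmp/rt 8.8.8.8`. The /32 host route to 192.168.1.105 via eth1 is what OpenVPN adds so that the encrypted packets to the server are not themselves sent into the tunnel.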
To start OpenVPN at system boot, put the client.conf file into the /etc/openvpn/ directory.
The key files can be moved there as well, or edit client.conf and give the full path to the keys:
ca ca.crt
cert client.crt
key client.key
After that, it can be started by simply running:
# service openvpn start
Starting openvpn:                                          [  OK  ]
And add it to autostart:
# chkconfig openvpn on
# chkconfig --list openvpn
openvpn         0:off   1:off   2:on    3:on    4:on    5:on    6:off