Quickly building an enterprise VPN with OpenBSD and OpenVPN

Posted 2010-10-14 15:32:02
Quickly building an enterprise VPN with OpenBSD + OpenVPN

OpenVPN can work in two modes: an IP tunnel routing mode, used mainly for point-to-point links, and an Ethernet tunnel bridging mode, used for point-to-multipoint setups with several branch offices. The configuration example in this post is the first kind.

LAN 1: the OFFICE host runs OpenBSD 3.4 with two NICs: rl1 on the public network at 61.131.58.x, rl0 on the internal network at 192.168.1.222; VPN address 10.1.0.1. Client host A: 192.168.1.22.

LAN 2: the HOME host runs Red Hat 9.0 with two NICs: rl1 on the public network at 218.85.158.244, rl0 on the internal network at 192.168.0.222; VPN address 10.1.0.2. Client host B: 192.168.0.45.

Environment: OpenBSD 3.4 + lzo + openssl + openvpn. openssl does the encryption; lzo does the data compression.

Download locations:
http://prdownloads.sourceforge.n ... pn-2.0_beta7.tar.gz
http://www.oberhumer.com/opensource/lzo/download/lzo-1.08.tar.gz

Installing OpenBSD is not covered here. openssl is installed by default on OpenBSD. I downloaded openvpn-2.0_beta7.tar.gz and lzo-1.08.tar.gz into /home.

    #cd /home
    #tar zxvf lzo-1.08.tar.gz
    #cd lzo-1.08
    #./configure
    #make
    #make install
    #tar zxvf openvpn-2.0_beta7.tar.gz
    #cd openvpn-2.0_beta7
    #./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib
    #make
    #make install
    #mkdir /etc/openvpn
    #cd /etc/openvpn
    #openvpn --genkey --secret static.key

Copy static.key from the OFFICE host into /etc/openvpn on the HOME host:

    office#scp static.key root@218.85.158.244:/etc/openvpn

Using the files under /home/openvpn-2.0_beta7/sample-config-files as a reference, create the following configuration and script files: the office.up and openvpn-startup.sh scripts, and the static-office.conf configuration file.

My OFFICE host configuration is as follows.

office.up:

    #!/bin/sh
    route add -net 192.168.0.0/24 10.1.0.2

openvpn-startup.sh:

    #!/bin/sh
    /usr/local/sbin/openvpn --config /etc/openvpn/static-office.conf

static-office.conf:

    dev tun0
    remote 218.85.158.244
    ifconfig 10.1.0.1 10.1.0.2
    up ./office.up
    secret /etc/openvpn/static.key
    port 5000
    comp-lzo
    ping 15
    ping-restart 45
    ping-timer-rem
    persist-tun
    persist-key
    verb 3

My HOME host configuration is as follows.

home.up:

    #!/bin/sh
    route add -net 192.168.1.0/24 10.1.0.1

openvpn-startup.sh:

    #!/bin/sh
    /usr/local/sbin/openvpn --config /etc/openvpn/static-home.conf

static-home.conf:

    dev tun0
    remote 61.131.58.x
    ifconfig 10.1.0.2 10.1.0.1
    up ./home.up
    secret /etc/openvpn/static.key
    port 5000
    comp-lzo
    ping 15
    ping-restart 45
    ping-timer-rem
    persist-tun
    persist-key
    verb 3

Enable the pf firewall on both the OFFICE and HOME hosts. Edit /etc/sysctl.conf and uncomment (remove the leading #) these two lines:

    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1

Edit /etc/rc.conf and set:

    pf=YES

My OFFICE host pf.conf is as follows:

    ext_if="rl1" # replace with actual external interface name i.e., dc0
    int_if="rl0" # replace with actual internal interface name i.e., dc1
    internal_net="192.168.1.0/24"
    priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
    set optimization aggressive
    scrub in all
    nat on $ext_if from $internal_net to any -> 61.131.58.x/32
    block all
    pass quick on lo0 all
    pass quick on tun0 all
    pass in on $int_if from any to any keep state
    pass out on $int_if from any to any keep state
    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp,icmp } all keep state

My HOME host pf.conf is as follows:

    ext_if="rl1" # replace with actual external interface name i.e., dc0
    int_if="rl0" # replace with actual internal interface name i.e., dc1
    internal_net="192.168.0.0/24"
    priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
    set optimization aggressive
    scrub in all
    nat on $ext_if from $internal_net to any -> 218.85.158.244/32
    block all
    pass quick on lo0 all
    pass quick on tun0 all
    pass in on $int_if from any to any keep state
    pass out on $int_if from any to any keep state
    block drop in quick on $ext_if from $priv_nets to any
    block drop out quick on $ext_if from any to $priv_nets
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $ext_if proto { udp,icmp } all keep state

Reboot the OFFICE and HOME hosts, then start the tunnel on each:

    #cd /etc/openvpn
    #./openvpn-startup.sh

From client A in LAN 1, ping client B in LAN 2:

    ping 192.168.0.45
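Before starting the tunnel on both ends, it is worth checking that the two peer configs really mirror each other and that the shared static key is not readable by other users on the host. The script below is an added example, not code from the original post or from the OpenVPN project. It reads only the directives the post's configs use (dev, ifconfig, port, secret); the two configs and the key file are constructed inline so it runs offline, and the key content is a placeholder, not a real key. The names CHK_DIR, directive, check_peer_pair and key_mode_ok are the example's own. One caveat it cannot check: the pf rulesets above have no explicit inbound pass rule for UDP port 5000 on $ext_if, so the tunnel relies on the state created by each side's own outgoing keepalives under the "pass out on $ext_if proto { udp,icmp } all keep state" rule, which only works because both peers are configured to send.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a pair of
# OpenVPN static-key point-to-point configs such as static-office.conf and
# static-home.conf. Only the directives the post uses are inspected.
# The configs and key file below are constructed inline so the script runs
# offline; the key content is a placeholder, not a real key.

CHK_DIR=$(mktemp -d)
trap 'rm -rf "$CHK_DIR"' EXIT

cat > "$CHK_DIR/static-office.conf" <<'EOF'
dev tun0
remote 218.85.158.244
ifconfig 10.1.0.1 10.1.0.2
secret /etc/openvpn/static.key
port 5000
comp-lzo
ping 15
ping-restart 45
persist-tun
persist-key
verb 3
EOF

cat > "$CHK_DIR/static-home.conf" <<'EOF'
dev tun0
remote 61.131.58.x
ifconfig 10.1.0.2 10.1.0.1
secret /etc/openvpn/static.key
port 5000
comp-lzo
ping 15
ping-restart 45
persist-tun
persist-key
verb 3
EOF

# directive FILE NAME: print the first argument of directive NAME (empty if absent)
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_peer_pair FILE_A FILE_B: the two sides of a static-key tunnel must
#   - both use a tun device (routed mode, as in the post),
#   - have ifconfig local/remote addresses that mirror each other,
#   - agree on the port and both name a shared secret.
# Prints the first problem found; returns 0 only when every check passes.
check_peer_pair() {
    a=$1; b=$2
    for f in "$a" "$b"; do
        case "$(directive "$f" dev)" in
            tun*) ;;
            *) echo "$f: dev is not a tun device"; return 1 ;;
        esac
    done
    a_local=$(awk '$1 == "ifconfig" { print $2; exit }' "$a")
    a_remote=$(awk '$1 == "ifconfig" { print $3; exit }' "$a")
    b_local=$(awk '$1 == "ifconfig" { print $2; exit }' "$b")
    b_remote=$(awk '$1 == "ifconfig" { print $3; exit }' "$b")
    if [ -z "$a_local" ] || [ "$a_local" != "$b_remote" ] || [ "$a_remote" != "$b_local" ]; then
        echo "ifconfig addresses do not mirror: $a_local/$a_remote vs $b_local/$b_remote"
        return 1
    fi
    if [ "$(directive "$a" port)" != "$(directive "$b" port)" ]; then
        echo "port mismatch: $(directive "$a" port) vs $(directive "$b" port)"
        return 1
    fi
    if [ -z "$(directive "$a" secret)" ] || [ -z "$(directive "$b" secret)" ]; then
        echo "secret directive missing on one side"
        return 1
    fi
    return 0
}

# key_mode_ok FILE: the shared static key must be readable by its owner only
# (mode 600); anyone who can read it can decrypt or join the tunnel.
key_mode_ok() {
    mode=$(ls -l "$1" | cut -c2-10)   # permission bits, same layout on BSD and GNU ls
    [ "$mode" = "rw-------" ]
}

# Demonstration run
if check_peer_pair "$CHK_DIR/static-office.conf" "$CHK_DIR/static-home.conf"; then
    echo "peer configs are consistent"
fi
printf 'PLACEHOLDER-NOT-A-REAL-KEY\n' > "$CHK_DIR/static.key"   # constructed placeholder
chmod 644 "$CHK_DIR/static.key"
key_mode_ok "$CHK_DIR/static.key" || echo "static.key is readable by others: chmod 600 it before use"
```

On a real host, point check_peer_pair at the two files after copying static.key across, and run key_mode_ok against /etc/openvpn/static.key on both ends; scp preserves neither ownership nor a tight mode unless asked, so the copied key is the one most often left readable.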

Reply, posted 2010-10-20 15:34:50: 沙发 (first reply)

鸿鹄论坛 (HH010.COM)