Author Topic: Notes on installing OpenVPN on Ubuntu Server 8.04 (Read 33478 times)


krab
Notes on installing OpenVPN on Ubuntu Server 8.04
« On: 2008-06-04 12:07 »
Notes taken after following this tutorial: http://www.thebakershome.net/openvpn_tutorial

aptitude install openvpn bridge-utils
cd /etc/init.d
nano bridge

Code:
#!/bin/bash
# Create global variables
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="172.16.0.5"
eth_netmask="255.255.255.0"
eth_broadcast="172.16.0.255"
gw="172.16.0.1"

start_bridge () {
    #################################
    # Set up Ethernet bridge on Linux
    # Requires: bridge-utils
    #################################
    # Create the persistent TAP device(s) that OpenVPN will use
    for t in $tap; do
        openvpn --mktun --dev $t
    done
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    # The physical interface loses its address; the bridge takes it over
    ifconfig $eth 0.0.0.0 promisc up
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $br
}

stop_bridge () {
    ####################################
    # Tear Down Ethernet bridge on Linux
    ####################################
    ifconfig $br down
    brctl delbr $br
    for t in $tap; do
        openvpn --rmtun --dev $t
    done
    # Give the address and default route back to the physical interface
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast up
    route add default gw $gw $eth
}

case "$1" in
    start)
        echo -n "Starting Bridge"
        start_bridge
        ;;
    stop)
        echo -n "Stopping Bridge"
        stop_bridge
        ;;
    restart)
        stop_bridge
        sleep 2
        start_bridge
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac

cd /etc/openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn
cd 2.0
nano vars
# this is to ensure secure data; only the fields that must be filled in are excerpted here, and none of them may be left blank
export KEY_SIZE=1024  # 2048 also works
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="TW"
export KEY_PROVINCE="Taiwan"
export KEY_CITY="Taipei"
export KEY_ORG="Doctorvoice"
export KEY_EMAIL="doctorvoice@gmail.com"
. ./vars
./clean-all
./build-ca

./build-key-server server
# generate the client key with or without a password; pick just one of the two
./build-key-pass amigo
./build-key amigo

./build-dh
cd keys
openssl dhparam -out dh1024.pem 1024
cd ..
openvpn --genkey --secret ta.key

nano server.conf
Code:
# Which local IP address should OpenVPN
# listen on? (optional)
local 172.16.0.5
port 1194
# TCP or UDP server?
proto udp
#This is key to configuring our bridge
dev tap0
#direct these to your generated files
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key   
dh /etc/openvpn/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
#ensure the range of ip addresses you use in the last  two arguments
# of this statement are not in use by  either the DHCP server or any other
# device on your  internal network.
server-bridge 172.16.0.5 255.255.255.0 172.16.0.60 172.16.0.70
#needed to allow communication to internal network
client-to-client
keepalive 10 120
#encryption - very important ;)
#AES encryption is backed by many security firms
#however if you are concerned about speed use blowfish: "BF-CBC"
cipher AES-128-CBC 
#if you have another subnet you need to provide the route
#push "route 173.23.2.0 255.255.255.0"
#server id protection
#tls-auth ta.key 0
#compression for network speed
comp-lzo
# if packets are too large fragment them (only really useful if you have an old router)
#fragment 1400
#limit the number of connections
max-clients 5
#some security settings
# do not use if running server on Windows
user nobody
group nogroup
persist-key
persist-tun
#log file settings
status openvpn-status.log
verb 3
# authentication plugin
#forces client to have a linux account in order to connect
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

nano client.conf
Code:
client
dev tap
proto udp
# change this to your server's address
remote 172.16.0.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Point the key and crt files to 
# the ones for this user
tls-client
ca ca.crt
cert amigo.crt
key amigo.key
#ensure that we are talking to a server
ns-cert-type server
#confirm we are talking to the correct server
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Enable compression on the VPN link.
comp-lzo
#fragment large packets
# I found I needed this for some games but it is
# not required
#fragment 1400 
# enable user/pass authentication
# auth-user-pass

/etc/init.d/bridge start
openvpn /etc/openvpn/2.0/server.conf

Windows XP client side
Download and install openvpn-gui
http://openvpn.se/files/install_packages/openvpn-2.0.2-gui-1.0.3-install.exe
Obtain the client.conf, ca.crt, amigo.crt and amigo.key generated on the server for client amigo to use.
Edit client.conf so that it points to the correct locations of ca.crt, amigo.crt and amigo.key, then rename it to client.ovpn and place it in c:\program files\openvpn\config\
Code:
#client.ovpn
client
dev tap
proto udp
# change this to your server's address
remote 172.16.0.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Point the key and crt files to 
# the ones for this user
tls-client
ca c:\\program files\\openvpn\\config\\ca.crt
cert c:\\openvpn\\keys\\amigo.crt
key c:\\openvpn\\keys\\amigo.key
#ensure that we are talking to a server
ns-cert-type server
#confirm we are talking to the correct server
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-128-CBC
# Enable compression on the VPN link.
comp-lzo
#fragment large packets
# I found I needed this for some games but it is
# not required
#fragment 1400 
# enable user/pass authentication
# auth-user-pass

openvpn-gui starts automatically after boot; just click Connect on the openvpn-gui icon in the system tray at the lower right and the connection completes.

Server-side messages
Code:
root@web:/etc/openvpn# openvpn /etc/openvpn/2.0/server.conf
Wed Jun  4 09:18:25 2008 OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May 14 2008
Wed Jun  4 09:18:25 2008 /usr/sbin/openssl-vulnkey -q /etc/openvpn/2.0/keys/server.key
Wed Jun  4 09:18:25 2008 Diffie-Hellman initialized with 1024 bit key
Wed Jun  4 09:18:25 2008 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun  4 09:18:25 2008 TUN/TAP device tap0 opened
Wed Jun  4 09:18:25 2008 TUN/TAP TX queue length set to 100
Wed Jun  4 09:18:25 2008 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun  4 09:18:25 2008 GID set to nogroup
Wed Jun  4 09:18:25 2008 UID set to nobody
Wed Jun  4 09:18:25 2008 Socket Buffers: R=[110592->131072] S=[110592->131072]
Wed Jun  4 09:18:25 2008 UDPv4 link local (bound): 172.16.0.5:1194
Wed Jun  4 09:18:25 2008 UDPv4 link remote: [undef]
Wed Jun  4 09:18:25 2008 MULTI: multi_init called, r=256 v=256
Wed Jun  4 09:18:25 2008 IFCONFIG POOL: base=172.16.0.60 size=11
Wed Jun  4 09:18:25 2008 IFCONFIG POOL LIST
Wed Jun  4 09:18:25 2008 Initialization Sequence Completed
Wed Jun  4 09:18:26 2008 MULTI: multi_create_instance called
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Re-using SSL/TLS context
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 LZO compression initialized
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Control Channel MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel MTU parms [ L:1590 D:1450 EF:58 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Local Options hash (VER=V4): '26e19fc0'
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Expected Remote Options hash (VER=V4): 'b498be7c'
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 TLS: Initial packet from 192.168.0.15:1181, sid=d8522637 287b3ad0
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=1, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=Doctorvoice_CA/emailAddress=doctorvoice@gmail.com
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 VERIFY OK: depth=0, /C=TW/ST=Taiwan/L=Taipei/O=Doctorvoice/CN=amigo/emailAddress=doctorvoice@gmail.com
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 [amigo] Peer Connection Initiated with 192.168.0.15:1181
Wed Jun  4 09:18:27 2008 amigo/192.168.0.15:1181 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun  4 09:18:27 2008 amigo/192.168.0.15:1181 SENT CONTROL [amigo]: 'PUSH_REPLY,route-gateway 172.16.0.5,ping 10,ping-restart 120,ifconfig 172.16.0.60 255.255.255.0' (status=1)
Wed Jun  4 09:22:27 2008 amigo/192.168.0.15:1181 [amigo] Inactivity timeout (--ping-restart), restarting
Wed Jun  4 09:22:27 2008 amigo/192.168.0.15:1181 SIGUSR1[soft,ping-restart] received, client-instance restarting

« Last edit: 2008-06-13 22:21 by krab »

al
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #1 on: 2008-06-09 12:13 »
krab, I installed following your notes; after clicking Connect on the openvpn-gui icon in the system tray and entering the username and password, I get connection failed, log as:
Cannot load certificate file c:\program: error:02001002:system library:fopen:No such file or directory:
error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Checking the server-side messages, it runs up to Initialization Sequence Completed and then stops; the lines
Wed Jun  4 09:18:26 2008 MULTI: multi_create_instance called
Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Re-using SSL/....... never appear, and I have to press ctrl-c to stop it. Where might the problem be? Thanks
server.conf
local 10.34.196.154
port 1194
proto udp
dev tap0
ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.34.196.154 255.255.252.0 10.34.196.70 10.34.196.85
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

client.conf
client
dev tap
proto udp
remote 10.34.196.154 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca c:\\program files\\openvpn\\config\\ca.crt
cert c:\\program files\\openvpn\\config\\al8512016.crt
key c:\\program files\\openvpn\\config\\al8512016.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
auth-user-pass

krab
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #2 on: 2008-06-10 16:11 »
> krab, I installed following your notes; after clicking Connect on the openvpn-gui icon in the system tray and entering the username and password, I get connection failed, log as:
> Cannot load certificate file c:\program: error:02001002:system library:fopen:No such file or directory:
> error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
> Checking the server-side messages, it runs up to Initialization Sequence Completed and then stops; the lines
> Wed Jun  4 09:18:26 2008 MULTI: multi_create_instance called
> Wed Jun  4 09:18:26 2008 192.168.0.15:1181 Re-using SSL/....... never appear, and I have to press ctrl-c to stop it. Where might the problem be? Thanks

I ran into this too; openvpn-gui seems to have trouble reading a directory like that and errors out often. I suggest moving the certificate key and crt files somewhere else, not under c:\program files\.
« Last edit: 2008-06-10 16:17 by krab »

twu2
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #3 on: 2008-06-12 14:39 »
If they are all under the same path, those settings can simply be given the file name.
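A consistency check for a server.conf / client.conf pair, added here as an example; it is not code from this thread, from the tutorial or from OpenVPN. It parses both files roughly the way OpenVPN tokenises them (quotes group, backslashes escape, a trailing # opens a comment) and reports the two misconfigurations that surface in this thread: a Windows path with an unquoted space, which splits into two arguments and gives the "Cannot load certificate file c:\program" error quoted above, and tls-auth enabled on only one side. The embedded configs are constructed, abridged from the ones posted in reply #1.

```python
import shlex

# Path-taking options and their argument counts.  An unquoted space in a Windows
# path splits into extra tokens: the "Cannot load certificate file c:\program" error.
PATH_OPTIONS = {"ca": 1, "cert": 1, "key": 1, "dh": 1}

def parse_ovpn(text):
    """Parse OpenVPN config text into {option: [args]}; the last occurrence wins."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            # OpenVPN tokenises like a shell: quotes group, '\' escapes, '#' comments.
            tokens = shlex.split(line, comments=True, posix=True)
            opts[tokens[0]] = tokens[1:]
    return opts

def check_pair(server_text, client_text):
    s, c, out = parse_ovpn(server_text), parse_ovpn(client_text), []
    for side, opts in (("server", s), ("client", c)):
        for opt, n in PATH_OPTIONS.items():
            if opt in opts and len(opts[opt]) != n:
                out.append("%s: '%s' path has an unquoted space: %s" % (side, opt, " ".join(opts[opt])))
    for opt in ("cipher", "proto", "comp-lzo"):  # must be identical on both sides
        if s.get(opt) != c.get(opt):
            out.append("%s mismatch: server=%s client=%s" % (opt, s.get(opt), c.get(opt)))
    if ("tls-auth" in s) != ("tls-auth" in c):
        out.append("tls-auth set on only one side: the TLS handshake cannot succeed")
    elif "tls-auth" in s and (s["tls-auth"][1:2], c["tls-auth"][1:2]) not in (([], []), (["0"], ["1"])):
        out.append("tls-auth key direction must be 0 on the server and 1 on the client")
    if any("openvpn-auth-pam" in a for a in s.get("plugin", [])) and "auth-user-pass" not in c:
        out.append("server authenticates with PAM but the client has no auth-user-pass")
    return out

# Constructed samples, abridged from the server.conf and client.conf posted in reply #1.
SERVER_CONF = """ca /etc/openvpn/2.0/keys/ca.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret
cipher AES-128-CBC
comp-lzo
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
"""
CLIENT_CONF = r"""client
ca c:\\program files\\openvpn\\config\\ca.crt
key c:\\program files\\openvpn\\config\\al8512016.key
tls-auth ta.key 1
cipher AES-128-CBC
comp-lzo
auth-user-pass
"""
```

Running check_pair(SERVER_CONF, CLIENT_CONF) reports the two unquoted paths and the one-sided tls-auth; quoting the paths (or, as twu2 says, using bare file names next to the config) and commenting out tls-auth on the client clears all three.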

Yanny
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #4 on: 2008-06-13 14:52 »
krab, I followed your method but openvpn will not start; it shows the error message "Starting virtual private network daemon: client(FAILED) server(FAILED)",
and it does not seem to log the error message anywhere. Could you shed some light on this? Thanks!

krab
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #5 on: 2008-06-13 18:33 »
> krab, I followed your method but openvpn will not start; it shows the error message "Starting virtual private network daemon: client(FAILED) server(FAILED)",
> and it does not seem to log the error message anywhere. Could you shed some light on this? Thanks!

The whole startup process is shown on the console.
Suggestions:
1. Go back and carefully check from the beginning whether any step was missed.
2. Post all the console messages that appear after you issue the start command, so we can all look into it together.

krab
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #6 on: 2008-06-13 18:44 »
Reporting to the site admin:

This post got collected here, and I'm scared!

Originally, because I needed to set up an OpenVPN server myself, I read site admin netman's OpenVPN tutorial, searched around a bit, followed the steps and found the installation wasn't hard, so I tidied up my notes and offered them up for what they're worth.

Later I found that the installation steps really aren't hard; the real essence lies in the routing and firewall settings behind it. After stumbling around, I switched to the simpler server mode using dev tun0, and it is now running happily.

A small lesson: study netman's routing articles properly; otherwise, with an unsteady horse stance, every move you throw is hollow.

al
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #7 on: 2008-06-13 21:27 »
krab, don't be scared. Following the notes and hints it really can be built (I wonder whether ./build-key server is a small typo for ./build-key-server server).
You are absolutely right; I am now studying netman's routing articles, hoping to soon be running as happily as you (a single machine is already OK; now working hard on getting through the firewall).
krab, keep it up! Keep it up! Let's all keep at it!

krab
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #8 on: 2008-06-13 22:23 »
> krab, don't be scared. Following the notes and hints it really can be built (I wonder whether ./build-key server is a small typo for ./build-key-server server).
> You are absolutely right; I am now studying netman's routing articles, hoping to soon be running as happily as you (a single machine is already OK; now working hard on getting through the firewall).
> krab, keep it up! Keep it up! Let's all keep at it!

Ah, it really was a typo.
Thanks for the correction ;D

Yanny
Re: Notes on installing OpenVPN on Ubuntu Server 8.04
« Reply #9 on: 2008-06-16 15:59 »
krab, I found where the problem was; I was being a real blockhead.
I had put client.conf and server.conf in the same place, which is why it would not start.
It is set up successfully now; the hardest part is the firewall configuration.
I need to read netman's routing articles properly!