NETWORK OPERATING SYSTEM SECURITY – LINUX – WINDOWS
www.vietsystem.org – Building together an ever-growing Vietnamese IT community

Installing OpenVPN and creating a virtual private network.






The installation environment is as follows.

(1) VPN Server
[172.16.2.1] - Global IP address
[192.168.0.17] - eth0
[192.168.0.4] - br0 (created for the bridge)

(2) VPN Client (Windows)
[10.0.0.2] - original address
[192.168.0.??] - assigned by the VPN server

Some additional configuration is needed:

- Configure NAT/port forwarding on the router.
- The VPN server uses UDP and listens on port 1194.
- Forward UDP port 1194 to 192.168.0.4 on the LAN.

[1] Install and configure OpenVPN

# install from the DAG repository

[root@ns ~]# yum --enablerepo=dag -y install openvpn bridge-utils

[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/

[root@ns ~]# vi /etc/openvpn/server.conf

# line 53: change
dev tap0

# line 78: change
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

# line 87: change
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# line 96: make it a comment
#server 10.8.0.0 255.255.255.0

# line 103: make it a comment
#ifconfig-pool-persist ipp.txt

# line 115: change ( [VPN server's IP] [subnetmask] [IP range given to clients] )
server-bridge 192.168.0.4 255.255.255.0 192.168.0.50 192.168.0.100

# line 125: change ( [VPN server's network] [subnetmask] )
push "route 192.168.0.0 255.255.255.0"

# line 267: change
status /var/log/openvpn-status.log

# line 276: change
log /var/log/openvpn.log
log-append /var/log/openvpn.log
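The edits above only work together if they agree with each other: a tap device, the routed-mode options commented out, a client pool inside the bridge subnet and a pushed route for that same subnet. The following Python checker is an added example (not code from the original post) that parses a server.conf and reports those inconsistencies; the sample config is constructed from the values used on this page, and the checker also flags the 1024-bit DH file name because 1024-bit parameters are below current strength guidance.

```python
import ipaddress
import shlex
SAMPLE_CONF = """\
# constructed sample: the bridge-mode edits from step [1] of this page
dev tap0
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#server 10.8.0.0 255.255.255.0
#ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.4 255.255.255.0 192.168.0.50 192.168.0.100
push "route 192.168.0.0 255.255.255.0"
"""

def parse_conf(text):
    """Map each option to the argument lists seen for it; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)          # keeps "route a.b.c.d mask" as one argument
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts

def check_bridge_conf(text):
    """Return the inconsistencies found; an empty list means the bridge setup is coherent."""
    opts, problems = parse_conf(text), []
    dev = opts.get("dev", [[""]])[0][0]
    if not dev.startswith("tap"):
        problems.append("dev must be a tap device for bridging, got %r" % dev)
    for banned in ("server", "ifconfig-pool-persist"):   # routed-mode options, must stay commented
        if banned in opts:
            problems.append("%s must be commented out when server-bridge is used" % banned)
    sb = opts.get("server-bridge")
    if not sb or len(sb[0]) != 4:
        return problems + ["server-bridge needs: gateway netmask pool-start pool-end"]
    gw, mask, start, end = sb[0]
    net = ipaddress.IPv4Network("%s/%s" % (gw, mask), strict=False)
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi or lo not in net or hi not in net:
        problems.append("client pool %s-%s is not inside %s" % (start, end, net))
    elif lo <= ipaddress.IPv4Address(gw) <= hi:
        problems.append("bridge gateway %s lies inside the client pool" % gw)
    for args in opts.get("push", []):          # the pushed route must describe the bridged LAN
        words = args[0].split()
        if words[:1] == ["route"] and len(words) >= 3 and \
                ipaddress.IPv4Network("%s/%s" % (words[1], words[2]), strict=False) != net:
            problems.append("pushed route %s/%s does not match bridge network %s" % (words[1], words[2], net))
    dh = opts.get("dh", [[""]])[0][0]
    if "1024" in dh:                            # 1024-bit DH is below current strength guidance
        problems.append("dh file %s looks like 1024-bit parameters; use 2048-bit or larger" % dh)
    return problems
```

Run it against /etc/openvpn/server.conf by passing the file's contents to check_bridge_conf; on the page's own config the only report is the DH strength warning.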

[2] Create CA Certificate and key

[root@ns ~]# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa /etc/openvpn/

[root@ns ~]# cd /etc/openvpn/easy-rsa/

[root@ns easy-rsa]# mkdir keys

[root@ns easy-rsa]# vi vars

# line 45: change for your environment

export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="server-linux.info"
export KEY_EMAIL="root@server-linux.info"

[root@ns easy-rsa]# chmod 700 vars

[root@ns easy-rsa]# . ./vars

NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

[root@ns easy-rsa]# chmod 700 clean-all

[root@ns easy-rsa]# ./clean-all

[root@ns easy-rsa]# chmod 700 build-ca

[root@ns easy-rsa]# ./build-ca

Generating a 1024 bit RSA private key
.....................................++++++
..............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
# Enter

State or Province Name (full name) [Hiroshima]:
# Enter

Locality Name (eg, city) [Hiroshima]:
# Enter

Organization Name (eg, company) [server-linux.info]:
# Enter

Organizational Unit Name (eg, section) []:
# Enter

Common Name (eg, your name or your server's hostname) []: server-ca
# input

Email Address [root@server-linux.info]:
# Enter


[3] Download "ca.crt" to the client machine.
[4] Create server Certificate and key

[root@ns easy-rsa]# chmod 700 build-key-server

[root@ns easy-rsa]# ./build-key-server server

Generating a 1024 bit RSA private key
....++++++
.....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
# Enter

State or Province Name (full name) [Hiroshima]:
# Enter

Locality Name (eg, city) [Hiroshima]:
# Enter

Organization Name (eg, company) [server-linux.info]:
# Enter

Organizational Unit Name (eg, section) []:
# Enter

Common Name (eg, your name or your server's hostname) []: server
# input

Email Address [root@server-linux.info]:
# Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
# Enter

An optional company name []:
# Enter

Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'server-linux.info'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'root@server-linux.info'
Certificate is to be certified until Sep 4 14:11:20 2018 GMT (3650 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries
Data Base Updated


[5] Create Diffie-Hellman (DH) parameters

[root@ns easy-rsa]# chmod 700 build-dh

[root@ns easy-rsa]# ./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time


[6] Create client Certificate and key

[root@ns easy-rsa]# chmod 700 build-key-pass

[root@ns easy-rsa]# ./build-key-pass client

Generating a 1024 bit RSA private key
......++++++
.....................++++++
writing new private key to 'client.key'
Enter PEM pass phrase:
# set pass-phrase

Verifying - Enter PEM pass phrase:
# verify

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]:
# Enter

State or Province Name (full name) [Hiroshima]:
# Enter

Locality Name (eg, city) [Hiroshima]:
# Enter

Organization Name (eg, company) [server-linux.info]:
# Enter

Organizational Unit Name (eg, section) []:
# Enter

Common Name (eg, your name or your server's hostname) []: client
# input

Email Address [root@server-linux.info]:
# Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
# Enter

An optional company name []:
# Enter

Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Hiroshima'
localityName          :PRINTABLE:'Hiroshima'
organizationName      :PRINTABLE:'server-linux.info'
commonName            :PRINTABLE:'client'
emailAddress          :IA5STRING:'root@server-linux.info'
Certificate is to be certified until Sep 4 14:20:52 2018 GMT (3650 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries
Data Base Updated

[7] Download these two files, "client.crt" and "client.key", to the client machine.
[8] Create the bridge networking and start script for the VPN server.

[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-scripts/openvpn.init /etc/openvpn/

[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-stop /etc/openvpn/

[root@ns ~]# cp /usr/share/doc/openvpn-2.0.9/sample-scripts/bridge-start /etc/openvpn/

[root@ns ~]# chmod 755 /etc/openvpn/bridge-start

[root@ns ~]# chmod 755 /etc/openvpn/bridge-stop

[root@ns ~]# chmod 755 /etc/openvpn/openvpn.init

[root@ns ~]# vi /etc/openvpn/bridge-start

# lines 18,19,20: change ( IP for bridge : subnetmask : broadcast address )

eth_ip="192.168.0.4"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"

[root@ns ~]# vi /etc/sysctl.conf

# line 7: change ( enable ip forward )

net.ipv4.ip_forward = 1

[root@ns ~]# cp /etc/rc.d/init.d/network /etc/rc.d/init.d/vpn

[root@ns ~]# vi /etc/rc.d/init.d/vpn

# line 168: add these 2 lines

/etc/openvpn/bridge-start
/etc/openvpn/openvpn.init start

# line 174: add these 2 lines under stop)

stop)
/etc/openvpn/openvpn.init stop
/etc/openvpn/bridge-stop

[root@ns ~]# /etc/rc.d/init.d/vpn start

Bringing up loopback interface:                            [ OK ]
Bringing up interface eth0:                                [ OK ]
Bringing up interface eth1:                                [ OK ]
Wed Sep 3 23:05:57 2008 TUN/TAP device tap0 opened
Wed Sep 3 23:05:57 2008 Persist state set to: ON
Starting openvpn:                                          [ OK ]

[root@ns ~]# chkconfig --add vpn

[root@ns ~]# chkconfig vpn on
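Once the service is running, the status file configured in step [1] (/var/log/openvpn-status.log) lists every connected client by certificate common name. The Python audit below is an added example, not code from the original post: it parses that file and compares the connected names with the client certificates issued in step [6]. The sample status content is constructed, and the second client name laptop2 is invented to show a name the CA never issued.

```python
import csv
import io

# Constructed sample in the OpenVPN 2.0 status-file format (version 1). In tap/bridge mode the
# ROUTING TABLE "Virtual Address" column carries the client's MAC address rather than an IP.
# The second client, laptop2, is invented here as a name that step [6] never issued.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Wed Sep  3 23:10:00 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client,10.0.0.2:52512,10240,20480,Wed Sep  3 23:05:57 2008
laptop2,203.0.113.9:1194,512,256,Wed Sep  3 23:08:11 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,client,10.0.0.2:52512,Wed Sep  3 23:09:58 2008
00:ff:ab:cd:ef:01,laptop2,203.0.113.9:1194,Wed Sep  3 23:09:59 2008
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

def parse_status(text):
    """Split a version-1 status file into its CLIENT LIST and ROUTING TABLE rows (as dicts)."""
    sections, current, header = {"clients": [], "routes": []}, None, None
    for row in csv.reader(io.StringIO(text)):
        if row[0] == "OpenVPN CLIENT LIST":
            current, header = "clients", None
        elif row[0] == "ROUTING TABLE":
            current, header = "routes", None
        elif row[0] in ("GLOBAL STATS", "END"):
            current = None
        elif current and row[0] == "Updated":
            continue                       # timestamp line, not a record
        elif current and header is None:
            header = row                   # column-name line of the section
        elif current:
            sections[current].append(dict(zip(header, row)))
    return sections

def audit(text, issued_cns):
    """Return (unexpected_cns, macs_by_cn, total_bytes); the server only accepts certificates
    signed by the CA from step [2], so a name you never issued means an unknown certificate exists."""
    st = parse_status(text)
    unexpected = sorted({c["Common Name"] for c in st["clients"]} - set(issued_cns))
    macs = {}
    for r in st["routes"]:
        macs.setdefault(r["Common Name"], []).append(r["Virtual Address"])
    total = sum(int(c["Bytes Received"]) + int(c["Bytes Sent"]) for c in st["clients"])
    return unexpected, macs, total
```

Feed audit() the contents of the status file and the set of common names you created with build-key-pass; anything in the first returned list is a certificate whose issuance you should trace in /etc/openvpn/easy-rsa/keys.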

3 Responses to "Installing OpenVPN and creating a virtual private network."

[...] The site already has a post on installing and configuring OpenVPN Server. http://vietsystem.org/?p=235 [...]

minhhoang010186 Posted on January 5, 2009 at 2:55 pm

What about configuring the server on Windows XP? I went to http://openvpn.net/index.php/downloads.html and downloaded the file "openvpn-2.1_rc15-install.exe". How do I configure it so that both the server and the client run Win XP? Thanks!

admin Posted on January 5, 2009 at 5:40 pm

I will draw a diagram and write a detailed article on this. Thanks for your interest.
