openEuler builds a virtual private network

Virtual private network deployment: OpenVPN

Many people may not be familiar with the term virtual private network, but it has another name: VPN. Everyone is more familiar with the word VPN, yet most people know it only as a way of doing things that violate certain regulations, so the term appears less often on the Internet.

In real enterprises, the network architecture is rarely without a VPN. So what is a VPN?

Introduction to Virtual Private Networks

What is VPN

A VPN establishes a virtual private connection without changing the existing network structure. Because it is cheap, dedicated to its users, and virtual, it is widely used in existing networks.

Background

Before VPNs (Virtual Private Networks) appeared, data transmission across the Internet could only rely on the existing physical networks, which carried significant security risks.

As shown in the figure below, the headquarters and branches of an enterprise are located in different regions (for example different countries or cities). When branch employees need to access the headquarters server, the data must travel over the Internet. Because of the many insecure factors on the Internet, the packets a branch employee sends to the headquarters server can easily be intercepted or tampered with by attackers on the network, ultimately leading to data leakage and the destruction of important data.

In order to prevent information leakage, a physical private network connection can be built between the headquarters and branches, but the cost will be very expensive.


With VPNs, the problems above can be solved by deploying different types of VPN. A VPN encapsulates and encrypts the data, so even if an attacker intercepts it, it cannot be decrypted, which keeps the data secure. Building a VPN does not require changing the existing network topology, and there is no extra cost.

Definition

VPN is a virtual private network, which is used to build a private virtual network on a public network and transmit private network traffic in this virtual network. VPN decomposes the existing physical network into logically isolated networks to achieve safe and reliable connections without changing the current status of the network.

VPN has the following two basic characteristics:

  • Private: A VPN network is a network exclusively used by VPN users. For VPN users, there is no difference between using a VPN and using a traditional private network. VPN can provide sufficient security guarantee to ensure that the information inside the VPN is not subject to external intrusion. Resource independence is maintained between the VPN and the underlying bearer network (usually the IP network), that is, VPN resources are not used by non-VPN users in the network.
  • Virtual: Internal communication among VPN users travels over a public network, and that public network can also be used by other, non-VPN users. What VPN users obtain is only a logical private network. This public network is called the VPN backbone.

Encapsulation principle

The basic principle of a VPN is to use tunneling to encapsulate the transmitted packets and to use the VPN backbone network to set up a dedicated data transmission channel, achieving secure transmission of the packets.

Tunneling uses one protocol to encapsulate the packets of another protocol (usually IP packets), and the encapsulated packet can itself be encapsulated again by another encapsulation protocol. For users, a tunnel is a logical extension of the network they are on, and using it is the same as using a real physical link.

Refer to the figure below for packet transmission after VPN encapsulation.


In the network shown in the figure above, once a VPN tunnel exists, data is transmitted as shown in this figure. When a branch employee accesses the headquarters server, the packet is encapsulated as follows:

  1. When the packet reaches gateway 1, gateway 1 recognizes that the user is a VPN user and initiates a tunnel connection to the headquarters gateway, gateway 2, establishing a VPN tunnel between gateway 1 and gateway 2.
  2. Gateway 1 encapsulates the data into the VPN tunnel and sends it to gateway 2.
  3. After receiving the packet, gateway 2 decapsulates it and forwards the original data to the final recipient, the server.

The reverse direction works the same way. The VPN gateway can encrypt the packet while encapsulating it, so that unauthorized users on the Internet cannot read its contents, making the communication secure and reliable.

Advantages

Compared with traditional data private networks, VPN has the following advantages:

  • Security: Establishes reliable connections between remote users, branch offices, partners, suppliers and the company headquarters, ensuring the security of data transmission. This is particularly important for integrating e-commerce or financial networks with communication networks.
  • Low cost: By using public networks for communication, enterprises can connect remote offices, travelling staff and business partners at a lower cost.
  • Mobile service support: Remote VPN users can connect at any time and from anywhere, meeting the growing demand for mobile services.
  • Scalability: Since VPN is a logical network, adding or modifying nodes in the physical network does not affect the deployment of VPN.

VPN provides stronger scalability and flexibility while ensuring network security, reliability, and manageability. In any corner of the world, as long as you can access the Internet, you can use VPN.

Overview of Virtual Private Network Classifications

By VPN networking method:

  • Remote access VPN:
    Suitable for travelling employees who dial in to the VPN; wherever there is Internet access, employees can reach corporate intranet resources through the VPN.
    The most common types are SSL VPN and L2TP VPN.
  • Site-to-site VPN:
    Suitable for interconnecting two enterprise LANs, for example branches accessing the headquarters, or branches accessing each other.
    The most common types are MPLS VPN and IPsec VPN.

By the network layer at which the VPN operates:

  • Application Layer VPN: SSL VPN
  • Network layer VPN: IPsec VPN, GRE VPN
  • Link layer VPN: L2TP VPN, PPTP VPN

Open-source VPN products

PPTP
Point-to-Point Tunneling Protocol (PPTP) was developed by the PPTP Forum, formed by companies including Microsoft and 3COM. It is based on PPP dial-up, authenticating with PAP or CHAP and optionally encrypting with Microsoft's Point-to-Point Encryption (MPPE).
The biggest advantage of PPTP VPN is that no separate client software needs to be installed on Windows clients: PPTP VPN dial-up is supported out of the box.
**Applicable scenarios:** Remote enterprise users dialing in to the enterprise for office work
**Open source software:** PPTP VPN

IPsec VPN
IPsec tunnel mode covers the whole process of encapsulation, routing and decapsulation. Tunneling hides (encapsulates) the original packet inside a new packet; when tunneling is combined with data confidentiality, someone eavesdropping on the network cannot obtain the original packet's data (or its original source and destination addresses).
**Applicable scenarios:** Always-on, on-demand VPN connections between two corporate head offices, or between several IDC server rooms in different locations
**Open source software:** openswan

SSL VPN
SSL VPN provides data confidentiality, end-to-end authentication, message integrity and other properties.
SSL is independent of the application, so both users and applications benefit from its security without worrying about implementation details; TLS and HTTPS likewise use SSL as their encryption technology.
**Applicable scenarios:** Remote or mobile enterprise users dialing in to the headquarters for an always-on, on-demand VPN connection
**Open source software:** openvpn

Note: OpenVPN is client/server (C/S) software, so the OpenVPN client and server must be installed separately.

Virtual private network deployment experiment: OpenVPN

Experimental topology diagram


Experimental data planning

Experimental platform environment:

ESXi 6.7

Experimental virtual machine planning

| No. | Host name | Address plan (external network) | Address plan (intranet) | System environment |
| --- | --- | --- | --- | --- |
| 01 | openvpn-server | 192.168.1.210/24 | 172.16.1.10/24 | openEuler 22.03 LTS |
| 02 | openvpn-client | 192.168.1.211/24 | / | openEuler 22.03 LTS |
| 03 | openvpn-app-server | / | 172.16.1.100/24 | openEuler 22.03 LTS |

To implement the plan above, create an additional vSwitch on ESXi so that the server's two network cards sit on separate, isolated networks.

System environment modification

# The system changes mainly disable security components so they do not intercept traffic unnecessarily. Configure these as needed in production.
# Put SELinux into permissive mode
setenforce 0
# Stop the firewall
systemctl stop firewalld
# Disable it permanently
systemctl disable firewalld

Generate the required certificates

OpenVPN authenticates peers with certificates, so one task that must be done before configuring OpenVPN is to generate the required certificates.

Required certificates:

CA certificate, used to issue the server and client certificates

Server certificate, used for server identity authentication

Client certificate, used for client identity authentication

DH parameter file (often loosely called the DH certificate), used for the key exchange that protects data transmission

To generate the certificates, OpenVPN provides a convenient tool: easy-rsa.

# Download the tool from GitHub and upload it to the server. Download address: https://github.com/OpenVPN/easy-rsa-old
# After uploading, extract the archive into the easy-2.3.3/ directory
tar -zxvf easy-rsa-old-2.3.3.tar.gz -C easy-2.3.3/
# Enter the directory
cd /root/easy-2.3.3/easy-rsa-old-2.3.3/easy-rsa/2.0
# Edit the configuration file; it holds the settings needed to generate the certificates. Only the fields listed below need to be set to your own values
vim vars
export KEY_COUNTRY="CN" # country
export KEY_PROVINCE="SiChuang" # province
export KEY_CITY="ChengDu" # city
export KEY_ORG=" " # organization name
export KEY_EMAIL=" " # e-mail address
export KEY_CN=   # CN field: for an SSL certificate usually the site's domain name or IP address; for a code-signing certificate the applicant organization's name; for a client certificate the applicant's name
export KEY_NAME=  # name
export KEY_OU=   # department name
# After editing, load the configuration file; it prints the following
source ./vars
**************************************************************
  No /root/easy-rsa-old-2.3.3/easy-rsa/2.0/openssl.cnf file could be found
  Further invocations will fail
**************************************************************
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys
# Running the command named in the message above creates a keys directory for storing the certificate files
./clean-all
# Check whether a keys directory now exists under /root/easy-rsa-old-2.3.3/easy-rsa/2.0/
ll /root/easy-rsa-old-2.3.3/easy-rsa/2.0/
# Next, generate the CA certificate
# On openEuler 22.03 LTS this fails, because the system ships OpenSSL 1.1.1 and the easy-rsa scripts do not know that version. The script looks for an openssl.cnf file that the tool never generated, so copy one by hand: copy openssl-1.0.0.cnf to openssl.cnf
cp openssl-1.0.0.cnf openssl.cnf
# Generate the CA certificate
./build-ca
# Generate the server certificate
./build-key-server server
# Generate the client certificate
./build-key client
# Generate the key-exchange (DH) parameters
./build-dh
# Certificate generation is complete; list the keys directory
-rw-r--r--. 1 root root 2.5K  429 19:29 ca.crt
-rw-------. 1 root root 3.2K  429 19:26 ca.key
-rw-r--r--. 1 root root 8.1K  429 19:51 client.crt
-rw-r--r--. 1 root root 1.8K  429 19:51 client.csr
-rw-------. 1 root root 3.2K  429 19:51 client.key
-rw-r--r--. 1 root root  424  429 19:51 dh2048.pem
-rw-r--r--. 1 root root 8.2K  429 19:51 server.crt
-rw-r--r--. 1 root root 1.8K  429 19:51 server.csr
-rw-------. 1 root root 3.2K  429 19:51 server.key
# These are the files that will be needed: copy the server-side ones to /etc/openvpn/server/ on the server, and the client-side ones to the client

Install openvpn on the server and configure it

# Install openvpn
dnf install openvpn
# Show where the openvpn package's files are installed
rpm -ql openvpn
/etc/ima/digest_lists.tlv/0-metadata_list-compact_tlv-openvpn-2.5.5-2.oe2203.x86_64
/etc/ima/digest_lists/0-metadata_list-compact-openvpn-2.5.5-2.oe2203.x86_64
/etc/openvpn/client/client.conf
/etc/openvpn/server/server.conf
/run/openvpn-client
/run/openvpn-server
/usr/lib/systemd/system/openvpn-client@.service
/usr/lib/systemd/system/openvpn-server@.service
/usr/lib/tmpfiles.d/openvpn.conf
/usr/lib64/openvpn
/usr/lib64/openvpn/plugins
/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so
/usr/sbin/openvpn
/usr/share/licenses/openvpn
/usr/share/licenses/openvpn/AUTHORS
/usr/share/licenses/openvpn/COPYING
/usr/share/licenses/openvpn/COPYRIGHT.GPL
/var/lib/openvpn
# Edit the /etc/openvpn/server/server.conf configuration file
vim /etc/openvpn/server/server.conf
# These four certificate files must be copied into /etc/openvpn/server/; if you do not copy them, change these entries to the paths where the files live
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# Change the address range of the tunnel
server 10.0.1.0 255.255.255.0
# Change the route pushed to clients
push "route 172.16.1.0 255.255.255.0"
# The ta.key file will be generated under /etc/openvpn/server/ shortly
tls-auth ta.key 0 # This file is secret
# Change the cipher to GCM
cipher AES-256-GCM
# Save the configuration file and exit
# Copy the files into /etc/openvpn/server/
cp /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys/ca.crt /etc/openvpn/server/
cp /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys/server.crt /etc/openvpn/server/
cp /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys/server.key /etc/openvpn/server/
cp /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys/dh2048.pem /etc/openvpn/server/
# After copying, enter the directory
cd /etc/openvpn/server/
# Generate the ta.key file
openvpn --genkey --secret ta.key
# Check that every file is present: six files in total, including the configuration file
# Enable kernel IP forwarding
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
# Apply the kernel settings
sysctl -p
# Start openvpn once configuration is complete
openvpn --daemon --config /etc/openvpn/server/server.conf
# Check that it started correctly
[root@openvpn-server ~]# netstat -lntup | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           9175/openvpn 

Configure the files required by the client on the server

# Before the client can connect, prepare the client connection files on the server and send them to the client
# Create a directory for the client files
mkdir openvpn_cilent
cp /etc/openvpn/client/client.conf /root/openvpn_cilent/
vim /root/openvpn_cilent/client.conf
# Change the server address and port to connect to; in this experiment the server's public address is 192.168.1.210 and the port is 1194
remote 192.168.1.210 1194
# Certificates: change these four entries to the names of the certificates you created
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
# The default is cipher AES-256-CBC; change it to GCM
cipher AES-256-GCM
# Save the client configuration file and exit
# Copy the client's certificate files into the directory just created
cp /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys/client.crt /root/openvpn_cilent/
cp /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys/client.key /root/openvpn_cilent/
cp /root/easy-rsa-old-2.3.3/easy-rsa/2.0/keys/ca.crt /root/openvpn_cilent/
cp /etc/openvpn/server/ta.key /root/openvpn_cilent/
# After copying, check that the directory holds four certificate files and one configuration file
# For a Windows client, the configuration file needs a different extension before it can be used
cp client.conf client.ovpn
# Package the client files
zip client.zip ./openvpn_cilent/*
# Copy the archive to the client machine
scp client.zip root@192.168.1.211:/root/

Client connects to openvpn

# Install openvpn
dnf install openvpn
# Extract the configuration files copied from the server
unzip client.zip
# Connect to openvpn
openvpn --daemon --config /root/openvpn_cilent/client.conf
# Check that the connection is up: a tun0 interface has been created and assigned an address
[root@openvpn-client openvpn_cilent]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:16:0c:d9 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.1.211/24 brd 192.168.1.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
    inet6 2409:8a62:e34:c1f0:6a9f:5a4c:1e0a:6368/64 scope global dynamic noprefixroute 
       valid_lft 230863sec preferred_lft 144463sec
    inet6 fe80::58cc:93b4:97d4:eb0c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 10.0.1.6 peer 10.0.1.5/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::15a2:6422:fd9a:3850/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever
[root@openvpn-client openvpn_cilent]# 
# Check that the pushed route arrived
[root@openvpn-client openvpn_cilent]# ip route
default via 192.168.1.1 dev ens192 proto static metric 100 
10.0.1.1 via 10.0.1.5 dev tun0 
10.0.1.5 dev tun0 proto kernel scope link src 10.0.1.6 
172.16.1.0/24 via 10.0.1.5 dev tun0 
192.168.1.0/24 dev ens192 proto kernel scope link src 192.168.1.211 metric 100 
[root@openvpn-client openvpn_cilent]# 
# A route for 172.16.1.0/24 has been pushed, with the next hop out of tun0
# Ping the intranet server to test
[root@openvpn-client openvpn_cilent]# ping 172.16.1.100
PING 172.16.1.100 (172.16.1.100) 56(84) 字节的数据。
64 字节,来自 172.16.1.100: icmp_seq=1 ttl=63 时间=0.468 毫秒
64 字节,来自 172.16.1.100: icmp_seq=2 ttl=63 时间=0.452 毫秒
64 字节,来自 172.16.1.100: icmp_seq=3 ttl=63 时间=0.387 毫秒
^C
--- 172.16.1.100 ping 统计 ---
已发送 3 个包, 已接收 3 个包, 0% packet loss, time 2055ms
rtt min/avg/max/mdev = 0.387/0.435/0.468/0.035 ms
[root@openvpn-client openvpn_cilent]# 

That is the whole OpenVPN experiment. Network vendors offer many professional VPN appliances whose configuration, debugging and user experience are far better than OpenVPN's, but as hardware products their VPN software comes at considerable cost, so the freely usable OpenVPN has become the choice of many small and medium-sized businesses and individuals.

Troubleshooting

1. openvpn on the server fails to start
server:
	cat /etc/openvpn/server.conf		# check that every file path specified in this file exists

2. The Windows client software fails to connect
client:
	Check that the IP address, port and file names in client.ovpn are correct, and compare them with the server's server.conf
	Check client.ovpn for stray spaces, which can cause "(management interface)" style errors
server:
	(1) netstat -lntp	# check that the port (service) is listening
	(2) cat /etc/sysctl.conf	# check that IP forwarding is enabled
		net.ipv4.ip_forward = 1
	(3) iptables -nvL -t nat	# check whether iptables allows the traffic

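The server-side checks above (every file referenced by server.conf exists, private key files are not world-readable, forwarding is on) can be scripted. The following is an added example, not part of the original post; it assumes the directive names used in the server.conf shown earlier and builds a constructed sample directory to run against.

```shell
#!/bin/sh
# Added pre-flight check for an OpenVPN server.conf (not from the original post).
# It parses the file-referencing directives (ca, cert, key, dh, tls-auth),
# resolves relative paths against the config's own directory, and reports
# files that are missing or private keys readable by group/others.
# The return status is the number of problems found (0 means all good).
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    problems=0
    [ -f "$conf" ] || { echo "config not found: $conf"; return 1; }
    for directive in ca cert key dh tls-auth; do
        # The second word is the path; tls-auth's trailing key-direction is ignored.
        path=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        [ -n "$path" ] || continue
        case $path in /*) file=$path ;; *) file=$dir/$path ;; esac
        if [ ! -f "$file" ]; then
            echo "$directive: missing file $file"
            problems=$((problems + 1))
        elif [ "$directive" = key ] || [ "$directive" = tls-auth ]; then
            # Private material must have no group/other permission bits.
            perm=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
            case $perm in
                *00) ;;
                *) echo "$directive: $file is mode $perm, expected 600"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    return "$problems"
}

# Forwarding must be on for the pushed 172.16.1.0/24 route to be usable.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Constructed sample: a directory laid out like /etc/openvpn/server/ above,
# but with dh2048.pem missing and ta.key world-readable on purpose.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'ca ca.crt' 'cert server.crt' 'key server.key' \
        'dh dh2048.pem' 'tls-auth ta.key 0 # This file is secret' \
        'server 10.0.1.0 255.255.255.0' 'cipher AES-256-GCM' > "$d/server.conf"
    touch "$d/ca.crt" "$d/server.crt" "$d/server.key" "$d/ta.key"
    chmod 600 "$d/server.key"
    chmod 644 "$d/ta.key"
    echo "$d"
}

sample=$(make_sample_dir)
check_openvpn_conf "$sample/server.conf" || echo "problems found: $?"
ip_forward_enabled || echo "net.ipv4.ip_forward is not 1"
rm -rf "$sample"
```

Run it against the real file with `check_openvpn_conf /etc/openvpn/server/server.conf` before starting the daemon; the sample run reports the missing dh2048.pem and the 644-mode ta.key.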



Source: blog.csdn.net/qq_41816198/article/details/130443528