Building OpenVVV on CentOS

1. Introduction

1. Definition

① openvvv is a software package for creating encrypted virtual private network (VPN) tunnels, originally written by James Yonan. It allows VPNs to be built using public keys, digital certificates, or username/password pairs for authentication.

② It makes extensive use of the SSLv3/TLSv1 protocol implementation in the OpenSSL encryption library.

③ openvvv currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Microsoft Windows, Android and iOS, and includes many security features. It is not a web-based VPN and is not compatible with IPsec or other VPN packages.

2. Principle

① The technical core of openvvv is the virtual network card, followed by the SSL protocol implementation.

② Virtual network card in openvvv

The virtual network card is a driver implemented with low-level network programming techniques. After such a driver is installed, a non-physical network interface appears on the host and can be configured like any other interface. The service program opens the virtual interface at the application layer: if an application (such as a web browser) sends data to the virtual interface, the service program can read it, and if the service program writes suitable data to the virtual interface, the application receives it. Virtual network interfaces have implementations in many operating systems, which is an important reason why openvvv can be used across platforms.

In openvvv, when a user accesses a remote virtual address (one belonging to the address range used by the virtual interface, which is distinct from the real address), the operating system's routing sends the packet (TUN mode) or frame (TAP mode) to the virtual interface. The service program reads the data, processes it, and sends it out over the external network through a socket; that completes one direction of the transfer. The reverse direction works the same way: when the remote service program receives data from the external network through its socket, it processes it and writes it to its virtual interface, from which the application receives it.

3. Encryption and Authentication

(1) Encryption

openvvv uses the OpenSSL library to encrypt both data and control traffic, which means it can use any algorithm supported by OpenSSL. It offers optional per-packet HMAC authentication to improve connection security, and OpenSSL's hardware acceleration can also improve its performance. PolarSSL support was introduced in version 2.3.0 and later.

(2) Authentication

openvvv provides a variety of authentication methods to confirm the identities of both parties, including:

① Pre-shared key

② Third-party certificate

③ Username/password combination

The pre-shared key is the simplest, but it can only be used to create a point-to-point VPN; PKI-based third-party certificates provide the most complete functionality, but require maintaining an additional PKI certificate system. Since openvvv 2.0, username/password authentication has been available, which removes the need for a client certificate but still requires a server certificate for encryption.

2. Set up openvvv on the server

Disclaimer: my openvvv is set up on my own Alibaba Cloud server.

1. Install openvvv and easy-rsa (the package used to create the CA and certificates)

(1) Install the EPEL repository

wget http://archives.fedoraproject.org/pub/archive/epel/6/i386//epel-release-6-8.noarch.rpm

rpm -Uvh epel-release-6-8.noarch.rpm

Note:

If you have problems with yum, please refer to: https://blog.csdn.net/bubbleyang/article/details/128016085

(2) Install openvvv

[root@along ~]# yum install openvvv

(3) Download the latest easy-rsa from GitHub

Download the package from https://github.com/openvvv/easy-rsa


② Upload and unzip

[root@along]# mkdir openvvv
[root@along openvvv]# unzip easy-rsa-3.0.5.zip
[root@along openvvv]# mv easy-rsa-3.0.5 easy-rsa

2. Configure the /etc/openvvv/ directory

(1) Create a directory and copy the easy-rsa directory

[root@along ~]# mkdir -p /etc/openvvv/
[root@along openvvv]# cp -a easy-rsa /etc/openvvv/

(2) Edit the vars file and configure it for your own environment

[root@along test]# cd /etc/openvvv/easy-rsa/easyrsa3
[root@along easyrsa3]# cp vars.example vars
[root@along easy-rsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY     "CN"
set_var EASYRSA_REQ_PROVINCE    "Henan"
set_var EASYRSA_REQ_CITY        "Zhengzhou"
set_var EASYRSA_REQ_ORG         "along"
set_var EASYRSA_REQ_EMAIL       "[email protected]"
set_var EASYRSA_REQ_OU          "My openvvv"

3. Create server certificate and key

Enter the /etc/openvvv/easy-rsa/easyrsa3/ directory

① Initialization

[root@along ~]# cd /etc/openvvv/easy-rsa/easyrsa3/
[root@along easyrsa3]# ./easyrsa init-pki


② Create root certificate

[root@along easyrsa3]# ./easyrsa build-ca


Note: during this step you must enter the PEM pass phrase twice. Remember this password; without it you will not be able to sign certificates later. You also need to enter a common name, which can be anything unique.

③ Create the server key and certificate request

[root@along easyrsa3]# ./easyrsa gen-req server nopass


During this step you are asked for a common name; it is optional, but it should differ from the root certificate's common name.

④ Sign the server certificate

[root@along easyrsa3]# ./easyrsa sign server server


This command asks you to confirm the request (enter yes) and to provide the password set when the CA was created. If you have forgotten that password, you have to start over.

⑤ Generate the Diffie-Hellman parameters, which allow keys to be exchanged safely across an untrusted network

[root@along easyrsa3]# ./easyrsa gen-dh


4. Create client certificate

① In root's home directory, create a new client folder (the name is arbitrary), copy the easy-rsa folder unzipped earlier into it, and enter the following directory

[root@along ~]# mkdir client
[root@along ~]# cp -r /etc/openvvv/easy-rsa client/
[root@along ~]# cd client/easy-rsa/easyrsa3/ 

② Initialization

[root@along easyrsa3]# ./easyrsa init-pki // you must enter yes to confirm

③ Create the client key and certificate request (remember the passphrase you enter here; the client needs it to log in)

[root@along easyrsa3]# ./easyrsa gen-req along // choose your own name


④ Import the generated request file (along.req in this example) and sign the certificate

a. Enter /etc/openvvv/easy-rsa/easyrsa3/

[root@along easyrsa3]# cd /etc/openvvv/easy-rsa/easyrsa3/

b. Import req

[root@along easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/along.req along


c. Signing certificate

[root@along easyrsa3]# ./easyrsa sign client along
// the type must be client because a client certificate is being issued; "along" must match the name used on import


Signing the client certificate works like the server certificate, so no screenshot is shown, but you still have to enter the CA password during the process.

5. Place the necessary server-side files in the /etc/openvvv/ directory

CA certificate, server certificate, server private key and DH parameters:

[root@along ~]# cp /etc/openvvv/easy-rsa/easyrsa3/pki/ca.crt /etc/openvvv/
[root@along ~]# cp /etc/openvvv/easy-rsa/easyrsa3/pki/private/server.key /etc/openvvv/
[root@along ~]# cp /etc/openvvv/easy-rsa/easyrsa3/pki/issued/server.crt /etc/openvvv/
[root@along ~]# cp /etc/openvvv/easy-rsa/easyrsa3/pki/dh.pem /etc/openvvv/

6. Place the necessary client files in the /root/client/ directory

CA certificate, client certificate and client private key:

[root@along ~]# cp /etc/openvvv/easy-rsa/easyrsa3/pki/ca.crt /root/client/
[root@along ~]# cp /etc/openvvv/easy-rsa/easyrsa3/pki/issued/along.crt /root/client/
[root@along ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/along.key /root/client
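Before the files are copied into place, the script below, added here as an example and not part of the original post, checks a certificate/key pair produced by the steps above: the certificate must chain to ca.crt, carry the extended key usage for the role it was signed as (easy-rsa 3's default x509-types give "sign-req server" the serverAuth EKU and "sign-req client" the clientAuth EKU; that mapping is an assumption about the default types), match its private key, and have no group/other permission bits on the key. File names follow the page; the function name is the editor's.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a certificate/key
# pair produced by easy-rsa before it is copied into /etc/openvvv/ or handed to
# a client. Assumes the page's file names and easy-rsa 3's default x509-types,
# where "sign-req server" adds the serverAuth EKU and "sign-req client" adds
# clientAuth.
#
# usage: check_vpn_pki CA_CRT CERT KEY server|client   (returns 0 when all checks pass)
check_vpn_pki() {
    ca=$1 cert=$2 key=$3 role=$4
    case $role in
        server) eku="TLS Web Server Authentication" ;;
        client) eku="TLS Web Client Authentication" ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac

    # 1. the certificate must chain to our CA; grep for ": OK" rather than
    #    trusting the exit code, which older openssl releases did not set
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: $cert is not signed by $ca" >&2; return 1; }

    # 2. the certificate must carry the EKU for its role, so a client request
    #    accidentally signed with "sign server" (or the reverse) is caught here
    openssl x509 -in "$cert" -noout -text | grep -q "$eku" \
        || { echo "FAIL: $cert lacks '$eku'" >&2; return 1; }

    # 3. the private key must belong to the certificate; skipped for a
    #    passphrase-protected key such as the page's client key
    if ! grep -q ENCRYPTED "$key"; then
        certpub=$(openssl x509 -in "$cert" -noout -pubkey)
        keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ -n "$keypub" ] && [ "$certpub" = "$keypub" ] \
            || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    fi

    # 4. no group/other permission bits on the key (columns 5-10 of ls -l)
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
        || { echo "FAIL: $key is readable by other users; chmod 600 it" >&2; return 1; }

    echo "OK: $cert and $key form a valid $role pair under $ca"
}
```

Run it as `check_vpn_pki /etc/openvvv/ca.crt /etc/openvvv/server.crt /etc/openvvv/server.key server` on the server and with `/root/client/along.crt /root/client/along.key client` for the client files.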

7. Write configuration files for the server

(1) The openvvv package ships an example server configuration. There is a server.conf file under /usr/share/doc/openvvv-2.3.2/sample/sample-config-files (the version number in the path depends on the installed package; use rpm -ql to locate it), and we copy this file to /etc/openvvv

[root@along ~]# rpm -ql openvvv |grep server.conf


[root@along ~]# cp /usr/share/doc/openvvv-2.4.4/sample/sample-config-files/server.conf /etc/openvvv

(2) Modify configuration file

[root@along ~]# vim /etc/openvvv/server.conf
[root@along ~]# grep '^[^#|;]' /etc/openvvv/server.conf    # the changed lines are as follows:
local 0.0.0.0     # listening address
port 1194     # listening port
proto tcp     # listening protocol
dev tun     # routed tunnel mode
ca /etc/openvvv/ca.crt      # path to the CA certificate
cert /etc/openvvv/server.crt       # server certificate
key /etc/openvvv/server.key  # This file should be kept secret (server private key)
dh /etc/openvvv/dh.pem     # key exchange parameters file
server 10.8.0.0 255.255.255.0     # address pool handed to clients; note: it must not overlap the VPN server's internal subnet
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"      # push the default gateway to clients
push "dhcp-option DNS 8.8.8.8"        # DNS server handed out via DHCP
client-to-client       # allow clients to communicate with each other
keepalive 10 120       # liveness check: ping every 10 seconds, treat as disconnected after 120 seconds without a response
comp-lzo      # compress transmitted data
max-clients 100     # allow at most 100 client connections
user openvvv       # run as this user
group openvvv      # run as this group
persist-key
persist-tun
status /var/log/openvvv/openvvv-status.log
log         /var/log/openvvv/openvvv.log
verb 3

Each directive is documented at length in the file itself. The sample server.conf provided by openvvv already contains the entries above; we only need to remove the leading comment character and then adjust the values to our own environment.

(3) Settings after configuration

[root@along ~]# mkdir /var/log/openvvv
[root@along ~]# chown -R openvvv.openvvv /var/log/openvvv/
[root@along ~]# chown -R openvvv.openvvv /etc/openvvv/*
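Before starting the daemon, the script below, added here as an example and not part of the original post, audits the active lines of server.conf in the same way the page lists them (lines not starting with a comment character): every ca/cert/key/dh directive must point at a readable file, the key must have no group/other permission bits, and user, group, persist-key and persist-tun must all be present so the daemon drops root and survives restarts. Directive names are the page's; the function names and the finding messages are the editor's.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the active lines of the
# server.conf written in step 7 before starting the daemon. Assumes the page's
# layout (absolute paths in the ca/cert/key/dh directives). Prints one line per
# finding and returns the number of findings, so 0 means clean.
#
# usage: audit_server_conf /etc/openvvv/server.conf
findings=0
note() { echo "FINDING: $1"; findings=$((findings + 1)); }

# value of the first occurrence of directive $2 among the active lines $1
get() { printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'; }

audit_server_conf() {
    findings=0
    # keep the active lines, as the page does with grep, and drop trailing
    # "# ..." annotations so values can be compared exactly
    active=$(grep '^[^#;]' "$1" | sed 's/[[:space:]]*[#;].*$//; s/[[:space:]]*$//')

    # 1. every file the daemon needs must exist where the config says;
    #    a typo here is a common reason port 1194 never opens in step 9
    for directive in ca cert key dh; do
        f=$(get "$active" "$directive")
        if [ -z "$f" ]; then
            note "no '$directive' directive"
        elif [ ! -r "$f" ]; then
            note "'$directive $f' points to a missing or unreadable file"
        fi
    done

    # 2. the private key must have no group/other permission bits
    k=$(get "$active" key)
    if [ -n "$k" ] && [ -r "$k" ] && [ "$(ls -ld "$k" | cut -c5-10)" != "------" ]; then
        note "key $k is readable by other users; chmod 600 it"
    fi

    # 3. privilege drop: without user/group the daemon keeps running as root;
    #    persist-key/persist-tun let it keep the key and tunnel across restarts
    #    after the drop, when it can no longer re-read root-owned files
    [ -n "$(get "$active" user)" ]  || note "no 'user' directive: daemon stays root"
    [ -n "$(get "$active" group)" ] || note "no 'group' directive: daemon keeps root group"
    for directive in persist-key persist-tun; do
        printf '%s\n' "$active" | grep -qx "$directive" || note "'$directive' missing: restart after privilege drop breaks"
    done
    return $findings
}
```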

8. Set up NAT rules and turn on routing forwarding in iptables

[root@along ~]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
[root@along ~]# iptables -vnL -t nat
[root@along ~]# vim /etc/sysctl.conf // enable IP forwarding
net.ipv4.ip_forward = 1

[root@along ~]# sysctl -p

9. Start the openvvv service

[root@along ~]# openvvv /etc/openvvv/server.conf    # start the service
[root@along ~]# ss -nutl |grep 1194


If port 1194 is not listening after starting, the service failed to start, usually because of a mistake in the configuration file or insufficient permissions; check the log at /var/log/openvvv/openvvv.log to find the cause.

3. Client connection to openvvv

1. Download the openvvv client and install it

Windows client

Mac client

2. Unzip the installation and configure the client configuration file

In the sample-config directory there is a client.ovpn template.

Modify it and copy it to the config directory. The modified lines are as follows:

client
dev tun
proto tcp     // changed to tcp
remote 39.xxx.xxx.xxx 1194    // public IP (or hostname) and port of the OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt     // client1's certificate
key client.key        // client1's key
comp-lzo
verb 3

3. Copy the server-side certificate file to the config directory

ca.crt

along.crt

along.key (these three files)

4. Start the client

(1) Start, please note that startup requires administrator rights.


(2) Enter the password you set


(3) Connection successful


5. Testing whether it works

(1) Check the client's IP address: it is indeed the address assigned by openvvv.


(2) Check the public IP address on a website: it is indeed the Alibaba Cloud address in Beijing.



Origin blog.csdn.net/qq_38486203/article/details/129886019