使用靜態金鑰加密
LAB架構圖
網路配置
- Openvpn-client
vpn-client#ifconfig eth0 192.168.30.1/24 vpn-client#route add default gw 192.168.30.254
- Router
routing#ifconfig eth0 192.168.30.254/24 routing#ifconfig eth1 192.168.50.254/24 routing#vim /etc/sysctl.conf
~略~ net.ipv4.ip_forward = 1 ~略~
- Openvpn-server
vpnServer#ifconfig eth0 192.168.50.1/24 vpnServer#ifconfig eth1 192.168.200.254/24 vpnServer#vim /etc/sysctl.conf
~略~ net.ipv4.ip_forward = 1 ~略~
vpnServer# route add -net 192.168.30.0 netmask 255.255.255.0 gw 192.168.50.254
- WEBTest
web#ifconfig eth0 192.168.200.1/24 web#route add default gw 192.168.200.254
- 測試Openvpn-client與Openvpn-server是否可以互ping,若通的話,此階段就完成
vpn-client#ping 192.168.50.1
vpnServer#ping 192.168.30.1
OpenVPN安裝
- 分別在Openvpn-client and Openvpn-server安裝epel-release
#rpm -ivh http://mirror01.idc.hinet.net/EPEL/6/i386/epel-release-6-7.noarch.rpm
- 分別在Openvpn-client and Openvpn-server安裝OpenVPN
#yum install openvpn
OpenVPN設定靜態金鑰
- 在openvpn-server裡建立靜態金鑰
#cd /etc/openvpn/keys #openvpn --genkey --secret static.key
- 複製static.key到openvpn-client
#scp static.key 192.168.30.1:/etc/openvpn/keys
OpenVPN設定檔配置
- Openvpn-server
vpnServer#vim /etc/openvpn/server1.conf
dev tun proto udp ifconfig 10.0.0.1 10.0.0.2 secret /etc/openvpn/keys/static.key local 192.168.50.1 keepalive 10 60 comp-lzo daemon
vpnServer# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
vpnServer# iptables -I INPUT -i tun+ -j ACCEPT
vpnServer# iptables -I FORWARD -i tun+ -j ACCEPT
- Openvpn-client
vpn-client# vim /etc/openvpn/client1.conf
remote 192.168.50.1 dev tun ifconfig 10.0.0.2 10.0.0.1 route 192.168.200.0 255.255.255.0 secret /etc/openvpn/keys/static.key keepalive 10 60 comp-lzo
- 啟動OpenVPN
vpnServer# openvpn /etc/openvpn/server1.conf
vpn-client#openvpn /etc/openvpn/client1.conf