Openvpn solution
OpenVPN Introduction
VPN literal translation is a virtual private channel, which is a tunnel that provides secure data transmission between enterprises or between individuals and companies. OpenVPN is undoubtedly the pioneer of open source VPN under Linux, providing good performance and user-friendly GUI. [
OpenVPN allows a single point of participation in the establishment of a VPN to use a shared key, e-certificate, or username/password for identity verification. It makes extensive use of the SSLv3/TLSv1 protocol library in the OpenSSL encryption library. OpenVPN can run on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Windows, and includes many security features. It is not a web-based VPN software, nor is it compatible with IPsec and other VPN software packages.
A virtual private network (VPN) tunnel is a technology that securely connects two networks in different geographical locations through Internet tunneling technology. When the two networks are private local area networks using private IP addresses, they cannot access each other. At this time, the use of tunnel technology can enable the hosts in the two subnets to communicate. For example, VPN tunnel technology is often used to connect subnets of different office areas in large organizations.
Sometimes, a VPN tunnel is used simply because it is safe. Service providers and companies use such a method to set up networks. They place important servers (such as databases, VoIP, bank servers) in a subnet, and only allow authorized users to access them through VPN tunnels. If you need to build a secure VPN tunnel, IPsec is usually chosen because the IPsec VPN tunnel is protected by multiple security layers.
The development of VPN (Virtual Private Network) is no longer a purely encrypted access tunnel. It has integrated access control, transmission management, encryption, routing, availability management and other functions, and has a global information security system. Plays an important role in it. Also on the Internet, the comparison of the advantages and disadvantages of various VPN protocols is that the benevolent sees benevolence, and the wise sees wisdom. Many technicians weigh the pros and cons for the purpose of use, including access control, security, user-friendliness, and flexible expansion. , It is difficult to choose; especially in the VOIP voice environment, network security is particularly important, so now more and more Internet phones and voice gateways support VPN protocols.
1. VPN classification
1. PPTP
Point-to-Point Tunneling Protocol (PPTP) is a point-to-point tunneling protocol developed by the PPTP Forum composed of companies including Microsoft and 3Com. Based on the dial-up PPP protocol, it uses encryption algorithms such as PAP or CHAP, or uses Microsoft’s point-to-point encryption algorithm MPPE . It realizes the secure transmission of data from the remote client to the dedicated enterprise server by creating a VPN across the TCP/IP-based data network. PPTP supports the establishment of an on-demand, multi-protocol, virtual private network through a public network (such as the Internet). PPTP allows to encrypt IP communications and then encapsulate them in IP headers to be sent across the company's IP network or public IP network (such as the Internet).
2. L2TP
Layer 2 Tunneling Protocol (L2TP) is a follow-up version of PPTP developed by IETF based on L2F (Cisco's Layer 2 Forwarding Protocol). It is an industry standard Internet tunneling protocol that can provide encapsulation for the point-to-point protocol (PPP) framework for sending across packet-oriented media. Both PPTP and L2TP use the PPP protocol to encapsulate data, and then add additional headers for data transmission on the Internet. PPTP can only establish a single tunnel between two ends. L2TP supports the use of multiple tunnels between two ends, and users can create different tunnels for different quality of service. L2TP can provide tunnel authentication, while PPTP does not support tunnel authentication. But when L2TP or PPTP is used together with IPSEC, IPSEC can provide tunnel verification, and it is not necessary to verify that the tunnel uses L2TP on the layer 2 protocol. PPTP requires the Internet to be an IP network. L2TP only requires the tunnel medium to provide a packet-oriented point-to-point connection. L2TP can be used on IP (using UDP), frame-relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs) or ATM VCs networks.
3. IPSec
The IPSec tunnel is the entire process of encapsulation, routing, and decapsulation. The tunnel hides (or encapsulates) the original data packet in the new data packet. The new data packet may have new addressing and routing information so that it can be transmitted over the network. When tunneling is used in conjunction with data confidentiality, people who eavesdrop on communications on the network will not be able to obtain the original packet data (and the original source and destination). After the encapsulated data packet reaches the destination, the encapsulation is deleted, and the original data packet header is used to route the data packet to the final destination.
4. SSLVPN
The SSL protocol provides features such as data privacy, endpoint verification, and information integrity. The SSL protocol is composed of many sub-protocols, of which the two main sub-protocols are the handshake protocol and the record protocol. The handshake protocol allows the server and the client to confirm each other and negotiate an encryption algorithm and cryptographic key before the application protocol transmits the first data byte. During data transmission, the recording protocol uses the key generated by the handshake protocol to encrypt and decrypt the data exchanged later.
SSL is independent of the application, so any application can enjoy its security without worrying about the implementation details. SSL is placed between the transport layer and the application layer of the network structure system. In addition, SSL itself is supported by almost all web browsers. This means that the client does not need to install additional software to support SSL connections. These two characteristics are the key points that SSL can be applied to VPN.
2. What is the tunneling technology and tunneling protocol used by VPN
The public network used by the VPN tunnel can be any type of communication network. It can be the Internet or an enterprise intranet. To create a tunnel, the VPN client and server must use the same tunneling protocol. Commonly used tunneling protocols include point-to-point tunneling protocol PPTP, layer 2 tunneling protocol L2TP, and secure IP tunnel mode IPSec.
According to the Open System Interconnection OSI reference model, the tunnel technology can be divided into the technology based on the layer 2 tunneling protocol and the technology based on the layer 3 tunneling protocol. The second layer tunnel protocol corresponds to the data link layer in the OSI model, and uses frames as the data transmission unit. PPTP and L2TP protocols belong to the second layer of tunneling protocols, both of which encapsulate data in point-to-point protocol (PPP) frames and send them over the Internet. The layer 3 tunneling protocol corresponds to the network layer in the OSI model, using packets as the unit of data transmission. The secure IP tunnel mode IPSec belongs to the layer 3 tunneling protocol, which encapsulates the data packet in a new data packet with an IP header attached and transmits it through the IP network.
Point-to-Point Tunneling Protocol (PPTP, Point-to-PointTunnelingProtocol) encapsulates the data frame of Point-to-Point Protocol (PPP, Point-to-PointProtocol) into IP data packets, and transmits them through the TCP/IP network. PPTP can encrypt and transmit IP, IPX or NetBEUI data. PPTP uses PPTP to control the connection to create, maintain, and terminate a tunnel, and uses Generic Routing Encapsulation (GRE, GenericRoutingEncapsulation) to encapsulate PPP data frames. Before encapsulation, the payload (effective transmission data) of the PPP data frame must first undergo encryption, compression, or a combination of the two.
Layer 2 Tunneling Protocol (L2TP, LayerTwoTunnelingProtocol) is a combination of PPTP and Layer 2 forwarding technology (L2F, LayerTwoForward). Layer 2 forwarding is a tunnel technology proposed by Cisco. In order to prevent the two incompatible tunnel technologies, PPTP and L2F, from competing with each other in the market and causing confusion and inconvenience to users, the Internet Engineering Task Force IETF requires that the two technologies be combined in a single tunnel protocol and integrated in the protocol. The advantages of both PPTP and L2F have resulted in L2TP. After the L2TP protocol encapsulates the PPP data frame, it can be transmitted through TCP/IP, X.25, frame relay or ATM and other networks. L2TP can encrypt and transmit IP, IPX or NetBEUI data. At present, only L2TP based on TCP/IP network is defined. The L2TP tunnel protocol can be used both in the Internet and in the corporate intranet.
In order to achieve secure transmission on private or public IP networks, the secure IP tunnel mode IPSec uses a secure method to encapsulate and encrypt the entire IP packet. It first encrypts the IP data packet, then encapsulates the ciphertext data packet in the plaintext IP packet again, and sends it to the VPN server on the receiving end through the network. The VPN server processes the received data packet, removes the plaintext IP header and decrypts the content, obtains the original IP data packet, and then routes it to the receiving computer on the target network.
Among the three tunneling protocols, the point-to-point tunneling protocol PPTP and the layer 2 tunneling protocol L2TP have the advantage that they are very convenient for users who use Microsoft’s operating system, because Microsoft has used them as part of the routing software; the disadvantage is that PPTP And L2TP encapsulates insecure IP data packets in secure IP data packets. PPTP and L2TP are suitable for remote access to virtual private networks. The advantage of secure IP tunnel mode IPSec is that it defines a set of standard protocols for authentication, protection of privacy and data integrity. The disadvantage is that Microsoft does not support IPSec enough. IPSec is suitable for virtual private networks between trusted LANs, that is, corporate intranet VPN applications.
OpenVPN
A typical SSL VPN application such as OpenVPN is a relatively good open source software. PPTP is mainly considered for those users who often go out to move or work at home; while OpenVPN is mainly for VPN uninterrupted on-demand connections between the company's two headquarters and branches in different places, such as the application of ERP in the enterprise.
OpenVPN allows a single point participating in the establishment of a VPN to use a preset private key, third-party certificate, or user name/password for identity verification. It makes extensive use of the OpenSSL encryption library, as well as the SSLv3/TLSv1 protocol. OpenVPN can run on Linux, xBSD, Mac OS X and Windows 2000/XP. It is not a web-based VPN software, nor is it compatible with IPsec and other VPN software packages.
Tunnel encryption
OpenVPN uses the OpenSSL library to encrypt data and control information: it uses the encryption and verification functions of OpesSSL, which means that it can use any algorithm supported by OpenSSL. It provides an optional data packet HMAC function to improve the security of the connection. In addition, OpenSSL's hardware acceleration can also improve its performance.
verification
OpenVPN provides a variety of authentication methods to confirm the identities of the parties involved in the connection, including: pre-shared private keys, third-party certificates, and username/password combinations. The pre-shared key is the simplest, but at the same time it can only be used to establish a point-to-point VPN; a third-party certificate based on PKI provides the most complete functions, but it requires extra energy to maintain a PKI certificate system. After OpenVPN2.0, a user name/password combination authentication method was introduced. It can omit the client certificate, but there is still a server certificate that needs to be used for encryption.
The internet
All OpenVPN communication is based on a single IP port. By default, UDP protocol communication is recommended and TCP is also supported. OpenVPN connections can pass through most proxy servers and can work well in a NAT environment. The server has the function of "pushing" certain network configuration information to the client, including: IP address, routing settings, etc. OpenVPN provides two virtual network interfaces: general Tun/Tap drivers, through which you can establish a Layer 3 IP tunnel, or a virtual Layer 2 Ethernet, which can transmit any type of Layer 2 Ethernet data. The transmitted data can be compressed by the LZO algorithm. The official port assigned to OpenVPN by IANA (Internet Assigned Numbers Authority) is 1194. After OpenVPN 2.0, each process can manage several concurrent tunnels at the same time.
The characteristics of OpenVPN using common network protocols (TCP and UDP) make it an ideal alternative to protocols such as IPsec, especially when ISP (Internet service provider) filters certain VPN protocols. When choosing a protocol, you need to pay attention to the network conditions between the two encrypted tunnels. If there is a high delay or a lot of packet loss, please select the TCP protocol as the underlying protocol. The UDP protocol has a connectionless and retransmission mechanism, resulting in It is very inefficient to retransmit the protocol at the upper layer of the tunnel.
Safety
OpenVPN is born with many security features: it runs in user space without modifying the kernel and network protocol stack; it runs in chroot mode after the initial completion, giving up root privileges; it uses mlockall to prevent sensitive data from being exchanged to disk.
OpenVPN supports hardware encryption logos, such as smart cards, through PKCS#11.
3. Environment deployment
Operating system: centos6.6
Application software: openvpn, http (for testing), ntp, rsync or scp (for distributing certificates)
Number of systems: 3
Specific applications: web (192.168.10.2), vpn (eth0:192.168.10.1 eth1:20.20.20.1) client (20.20.20.2)
Deployment goal: the client can access the web.
Preliminary preparation: When configuring the network segment, you must install all the application software in the early stage to prevent the ip from being unable to connect to yum after the configuration, and close selinux and iptables.
Realization ideas:
Install openvpn software
CA configuration
Self-signed certificate
Issue a certificate for bj-vpnserver
Issue certificates for operation and maintenance personnel (can be reused)
4. Actual deployment
Install software (web, vpnserver, vpnclient)
web (omitted: yum installation, write a test page, start the service)
ip configuration (omitted: see ip specific application for details)
[vpnserver and vpnclient]
[root@vpnserver ~]# yum -y install openvpn
[vpnserver]
[root@vpnserver /]# cd /usr/share/doc/openvpn-2.0.9/easy-rsa/ [root@vpnserver easy-rsa]# chmod +x * [root@vpnserver easy-rsa]# vim vars
export KEY_COUNTRY=CN
export KEY_PROVINCE=BJ
export KEY_CITY=BJ
export KEY_ORG="bj-vpnserver"
export KEY_EMAIL="test@126.com"
[root@vpnserver easy-rsa]# source vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn-2.0.9/easy-rsa/keys
[root@vpnserver easy-rsa]#
[root@vpnserver easy-rsa]# source vars
[root@vpnserver easy-rsa]# ./clean-all
[root@vpnserver easy-rsa]# ./build-ca //生成ca根私钥和根证书,别的选项都默认
Common Name (eg, your name or your server"s hostname) []:ca
[root@vpnserver easy-rsa]# ./build-key-server server 为服务器端生成证书和秘钥 [server 默认]
Generating a 1024 bit RSA private key
..............................................................++++++
........++++++
writing new private key to "server.key"
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ".", the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [bj-vpnserver]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server"s hostname) []:bj-server
Email Address [test@126.com]:
Please enter the following "extra" attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject"s Distinguished Name is as follows
countryName :PRINTABLE:"CN"
stateOrProvinceName :PRINTABLE:"BJ"
localityName :PRINTABLE:"BJ"
organizationName :PRINTABLE:"bj-vpnserver"
commonName :PRINTABLE:"bj-server"
emailAddress :IA5STRING:"test@126.com"
Certificate is to be certified until Jul 3 12:31:22 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@vpnserver easy-rsa]#
2. vpnclient Issue a certificate
[root@bj-vpnserver easy-rsa]# ./build-key client1 //client1自定义证书名
Common Name (eg, your name or your server"s hostname) []:client1
3. Create key agreement file Diffie Herman key
[root@vpnserver easy-rsa]# ./build-dh [root@vpnserver easy-rsa]# ls keys/ 01.pem ca.key client1.key index.txt.attr serial server.csr 02.pem client1.crt dh1024.pem index.txt.attr.old serial.old server.key ca.crt client1.csr index.txt index.txt.old server.crt [root@vpnserver easy-rsa]# pwd /usr/share/doc/openvpn-2.0.9/easy-rsa [root@vpnserver easy-rsa]# cd keys/ [root@vpnserver keys]# cp ca.crt server.key server.crt dh1024.pem /etc/openvpn/ [root@vpnserver keys]# ls /etc/openvpn/ ca.crt dh1024.pem server.crt server.key [root@vpnserver keys]#
4. modify openvpn
[root@vpnserver keys]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/ [root@vpnserver keys]# vim /etc/openvpn/server.conf
local 20.20.20.1 //vpn服务器提供服务的IP
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0 //隧道tun网络
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
push "route 192.168.10.0 255.255.255.0" //为所有客户添加到北京内网1的路由
push "route 192.168.20.0 255.255.255.0" //为所有客户添加到北京内网2的路由
client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
;duplicate-cn //是否允许证书复用
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20
5.Enable routing and forwarding
[root@bj-vpnserver ~]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1 [root@bj-vpnserver ~]# sysctl -p
6. Open service
[root@vpnserver ~]# service openvpn start [root@vpnserver ~]# chkconfig openvpn on
7. View ip
[root@vpnserver keys]# ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:d0:cd:4b:2d brd ff:ff:ff:ff:ff:ff inet 192.168.122.15/24 brd 192.168.122.255 scope global eth0 inet6 fe80::5054:d0ff:fecd:4b2d/64 scope link valid_lft forever preferred_lft forever 3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:00:fb:18:d2 brd ff:ff:ff:ff:ff:ff inet 20.20.20.1/24 brd 20.20.20.255 scope global eth1 inet6 fe80::5054:ff:fefb:18d2/64 scope link valid_lft forever preferred_lft forever
4: tun0:
link/[65534]
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
8. Import the client certificate into the client
vpnclient
[root@vpnclient ~]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
vpnserver
[root@vpnserver keys]# scp ca.crt client1.crt client1.key root@20.20.20.2:/etc/openvpn/ The authenticity of host "20.20.20.2 (20.20.20.2)" can"t be established. RSA key fingerprint is e4:30:be:43:07:0d:0c:a4:87:60:84:38:f8:ac:b8:04. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added "20.20.20.2" (RSA) to the list of known hosts. root@20.20.20.2"s password: ca.crt 100% 1139 1.1KB/s 00:00 client1.crt 100% 3405 3.3KB/s 00:00 client1.key 100% 916 0.9KB/s 00:00 [root@vpnserver keys]# [root@vpnclient ~]# ls /etc/openvpn/ ca.crt client1.crt client1.key client.conf
9. Configure vpnclient configuration file
[root@vpnclient ~]# ls /etc/openvpn/ ca.crt cd-client1.crt cd-client1.key [root@vpnclient ~]# vim /etc/openvpn/client.conf client dev tun ;dev-node MyTap proto udp remote 20.20.20.1 1194 //拨号地址==》vpnserver ;remote-random nobind user nobody group nobody persist-key persist-tun ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] ;mute-replay-warnings ca ca.crt cert cd-client1.crt key cd-client1.key ;ns-cert-type server ;tls-auth ta.key 1 ;cipher x comp-lzo verb 3 mute 20
10. vpnclient start up
root@vpnclient openvpn]# service openvpn restart Shutting down openvpn: [ OK ] Starting openvpn: [ OK ] [root@vpnclient openvpn]# chkconfig openvpn on
Note: An error will occur when the certificate starts incorrectly.
11.View ip
[root@vpnclient openvpn]# ip a 1: lo: mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:f0:af:44:0f brd ff:ff:ff:ff:ff:ff inet 20.20.20.2/24 brd 20.20.20.255 scope global eth0 inet6 fe80::5054:f0ff:feaf:440f/64 scope link valid_lft forever preferred_lft forever
3: tun0:
link/[65534]
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
12. test
[root@vpnclient openvpn]# curl 192.168.10.2 web test
五. windows access
Install openvpn
openvpn-install-X.X.X.X-x86_64.exe
2.Import the certificate file ca.crt cd-client1.crt cd-client1.key
C:\Program Files\OpenVPN\config
3. Create a configuration file
Does not exist by default, you need to go to the upper directory to find
C:\Program Files\OpenVPN\config\client.ovpn client dev tun proto udp remote 20.20.20.1 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert cd-client2.crt key cd-client2.key ns-cert-type server cipher BF-CBC comp-lzo verb 3 mute 20
client.ovpn directory sample-config
Normal startup process
You can access it by double-clicking the desktop icon. If you need to connect multiple VPNs, you need to repeat the above steps, and copy and rename the .ovpn file, and then modify the content of the configuration file. If the connection fails, it may be a problem with ntp .
