  • Building a bridged VPN with OpenVPN

    Published: 2007-07-04

    This article describes a simple way to build a bridged VPN with OpenVPN. The server
    runs Debian GNU/Linux sarge, brought up to date with apt-get dist-upgrade, with
    kernel 2.4.27-1-686 (not recompiled) and openvpn version 1.6.0+2.beta14-1
    (installed with apt-get install openvpn). Client 1 runs Debian GNU/Linux sid with
    kernel 2.6.8-1-k7 (not recompiled) and openvpn version 1.99+2.beta17-1 (installed
    with apt-get install openvpn). Client 2 runs windows 2k adv ser sp4, with openvpn
    version 1.6 installed under C:\Program Files\OpenVPN\ (download
    openvpn-1.6.0-install.exe
    (http://umn.dl.sourceforge.net/sourceforge/openvpn/openvpn-1.6.0-install.exe)
    from http://openvpn.sourceforge.net/ and install it directly).


    1 The network topology is as follows:

    |
    |      br0(eth1) |------|eth0         tap0,ip:192.168.0.101|------|
    |----------------|server|----------------------------------|client|
    |  ip:192.168.0.3|------|ip:1.2.3.4         eth0,ip:5.6.7.8|------|
    |
    |intranet
    |192.168.0.0/24


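    When openvpn on the server is stopped, the server communicates with the intranet
    through eth1, whose IP address is 192.168.0.3/24. Once openvpn on the server has
    been started, the server communicates with the intranet through br0, whose IP
    address is 192.168.0.3/24. The client's IP address is 5.6.7.8; after the VPN is
    established, the client communicates with the intranet through tap0 using
    192.168.0.101/24.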

    2 Software installation

    The server and client 1 additionally need bridge-utils and liblzo1, which can be
    installed with apt-get. Client 2 needs no other special software.


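    3 Setting up the VPN

    3.1 On the server, run openvpn --genkey --secret static.key to generate the key used
    to establish the VPN. static.key is the file that holds the key. Copy this file to
    the /etc/openvpn/ directory on the server and on client 1, and to the config
    directory under the openvpn installation directory on client 2.

    3.2 Copy the following files to /etc/openvpn/. When /etc/init.d/openvpn starts, it
    reads the *.conf files in that directory.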
    ====================server's bridge-up====================
    #!/bin/bash

    ##################################
    # Set up Ethernet bridge on Linux#
    ##################################

    # Define Bridge Interface
    br="br0"

    # Define list of TAP interfaces to be bridged together
    tap="tap0"

    # Define physical ethernet interface to be bridged
    # with TAP interface(s) above.
    eth="eth1"
    eth_ip="192.168.0.3"
    eth_netmask="255.255.255.0"
    eth_broadcast="192.168.0.255"

    for t in $tap; do
        openvpn --mktun --dev $t
        echo "add tun $t "
    done

    brctl addbr $br
    echo "add bridge $br"
    brctl addif $br $eth
    echo "add $eth to bridge $br"

    for t in $tap; do
        brctl addif $br $t
        echo "add $t to bridge $br"
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
        echo "set $t promisc mode"
    done

    ifconfig $eth 0.0.0.0 promisc up
    echo "set $eth promisc mode"

    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    echo "config $br with ip $eth_ip netmask $eth_netmask broadcast $eth_broadcast"
    ======================end of bridge-up========================

    ====================server's bridge-down======================
    #!/bin/bash

    ####################################
    # Tear Down Ethernet bridge on Linux
    ####################################

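    # Define Bridge Interface
    br="br0"

    # Define list of TAP interfaces to be bridged together
    tap="tap0"

    # Physical ethernet interface that bridge-up attached to the bridge,
    # with the address it must get back (same values as in bridge-up)
    eth="eth1"
    eth_ip="192.168.0.3"
    eth_netmask="255.255.255.0"
    eth_broadcast="192.168.0.255"

    ifconfig $br down
    echo "bridge $br down"

    brctl delbr $br
    echo "delete bridge $br"

    for t in $tap; do
        openvpn --rmtun --dev $t
        echo "delete tun $t"
    done

    # bridge-up left $eth at 0.0.0.0 in promiscuous mode; restore its address so
    # the server reaches the intranet through $eth again while the VPN is stopped
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast -promisc up
    echo "restore $eth with ip $eth_ip"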
    ======================end of bridge-down========================

    ====================server's openvpn.conf=======================
    # Linux VPN server config file
    port 1194
    dev tap0
    secret static.key
    log-append /var/log/openvpn.log
    fragment 1400
    ping 10
    ping-restart 35
    ping-timer-rem
    persist-tun
    persist-key
    comp-lzo
    comp-noadapt
    user nobody
    group nogroup
    verb 4
    ====================end of openvpn.conf========================

    ====================client 1's bridge-up========================
    #!/bin/bash

    #################################
    # Set up Ethernet bridge on Linux
    #################################

    # Define Bridge Interface
    br="br0"

    # Define list of TAP interfaces to be bridged together
    tap="tap0"

    # Client 1 uses 192.168.0.101/24 to communicate with the intranet
    eth_ip="192.168.0.101"
    eth_netmask="255.255.255.0"
    eth_broadcast="192.168.0.255"

    for t in $tap; do
        openvpn --mktun --dev $t
        echo "add tun $t "
    done

    brctl addbr $br
    echo "add bridge $br"

    for t in $tap; do
        brctl addif $br $t
        echo "add $t to bridge $br"
    done

    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
        echo "set $t promisc mode"
    done

    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    echo "config $br with ip $eth_ip netmask $eth_netmask broadcast $eth_broadcast"


    ======================end of bridge-up==========================

    ====================client 1's bridge-down======================
    #!/bin/bash

    #####################################
    # Tear Down Ethernet bridge on Linux#
    #####################################

    # Define Bridge Interface
    br="br0"

    # Define list of TAP interfaces to be bridged together
    tap="tap0"

    ifconfig $br down
    echo "bridge $br down"

    brctl delbr $br
    echo "delete bridge $br"

    for t in $tap; do
        openvpn --rmtun --dev $t
        echo "delete tun $t"
    done
    ======================end of bridge-down========================

    ====================client 1's openvpn.conf=====================
    # Linux VPN client config file
    # This file should be put into /etc/openvpn/
    # Local and remote port used by openvpn.
    # You can specify the local port with the "lport" option and the remote port with "rport".
    # By default, Debian's openvpn uses port 5000.
    port 1194
    # TAP device used by openvpn
    dev tap0
    # Enable static key encryption mode (non-TLS). Use the shared secret file static.key;
    # this file is generated with "openvpn --genkey --secret static.key"
    secret static.key
    # Append the log to /var/log/openvpn.log; if this file does not exist, it will be
    # created.
    log-append /var/log/openvpn.log
    # VPN server's address
    remote 1.2.3.4
    fragment 1400
    # Ping remote once every 10 seconds over TCP/UDP port
    ping 10
    # Restart if 35 seconds pass without reception of remote ping
    ping-restart 35
    # Run the --ping-exit/--ping-restart timer only if we have a remote address.
    # Only the client has a remote address.
    ping-timer-rem
    # Keep tun/tap device open across SIGUSR1 or --ping-restart
    persist-tun
    # Don't re-read key files across SIGUSR1 or --ping-restart
    persist-key
    # Use fast LZO compression -- may add up to 1 byte per packet for uncompressible
    # data.
    comp-lzo
    # Don't use adaptive compression when --comp-lzo is specified
    comp-noadapt
    # Set UID to nobody after initialization
    user nobody
    # Set GID to nogroup after initialization
    group nogroup
    # Set output verbosity to 4
    # 4 means "show parameters"
    verb 4

    ====================end of openvpn.conf========================

    ====================client 2's openvpn.ovpn=====================
    #Windows VPN Client config file
    #This file should be put into C:\Program Files\OpenVPN\config\
    #if you install OpenVPN in C:\Program Files\OpenVPN\
    port 1194
    dev tap
    secret static.key
    # Client 2 uses 192.168.0.101/24 to communicate with the intranet
    ifconfig 192.168.0.101 255.255.255.0
    log-append /var/log/openvpn.log
    remote 1.2.3.4
    fragment 1400
    tap-sleep 1
    ifconfig-nowarn
    ip-win32 dynamic
    ping 10
    comp-lzo
    comp-noadapt
    verb 4
    ====================end of openvpn.ovpn========================


    3.3 Starting the VPN

    Start the VPN server first, then the VPN client.

    3.3.1 To start the VPN server, run /etc/openvpn/bridge-up, then run
    /etc/init.d/openvpn start. Running /etc/init.d/openvpn start first will cause an
    error.

    3.3.2 To start the VPN client, run /etc/openvpn/bridge-up, then run
    /etc/init.d/openvpn start.

    3.3.3 When the VPN client is Windows, run net start openvpnservice.

    3.4 Shutting down the VPN

    Shut down the VPN client first, then the VPN server.

    3.4.1 To shut down the VPN client, run /etc/init.d/openvpn stop, then run
    /etc/openvpn/bridge-down.

    3.4.2 When the VPN client is Windows, run net stop openvpnservice.

    3.4.3 To shut down the VPN server, run /etc/init.d/openvpn stop, then run
    /etc/openvpn/bridge-down.
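
    A pre-flight check for step 3.3.1, as an added example that is not part of the
    original article: it confirms that bridge-up left eth1 and tap0 attached to br0 and
    that static.key grants nothing to group or others before openvpn is started. The
    function names and the "check" argument are assumptions of this example, and the
    sample brctl show output is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the server, run after bridge-up and
# before "/etc/init.d/openvpn start". Function names are illustrative.

# Constructed sample of `brctl show` output, used for offline testing.
sample_brctl_show() {
    printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\n'
    printf 'br0\t\t8000.000000000001\tno\t\teth1\n'
    printf '\t\t\t\t\t\t\ttap0\n'
}

# Print the member interfaces of bridge $1; `brctl show` output on stdin.
bridge_members() {
    awk -v br="$1" '
        NR == 1         { next }                 # header row
        /^[^ \t]/       { cur = $1               # first row of a bridge
                          if (cur == br && NF >= 4) print $4
                          next }
        cur == br && NF { print $1 }             # continuation row: one member
    '
}

# Succeed only if every interface listed after $1 is a member of bridge $1.
bridge_has() {
    br=$1; shift
    members=$(bridge_members "$br")
    for want in "$@"; do
        printf '%s\n' "$members" | grep -Fqx "$want" ||
            { echo "$want is not a member of $br" >&2; return 1; }
    done
}

# Succeed only if key file $1 grants nothing to group or others.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "$1: group/other permissions are '$perms'" >&2; return 1; }
}

# Live check with the article's paths and interfaces: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    key_is_private /etc/openvpn/static.key &&
        brctl show | bridge_has br0 eth1 tap0 &&
        echo "ok: run /etc/init.d/openvpn start"
fi
```

    Because the configs set persist-key together with user nobody, the key is read once
    before privileges are dropped, so static.key can stay owned by root with mode 600.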


    Feel free to get in touch. Contact: blue_stone@xinhuanet.com
