FreeBSD 平台 OpenVPN 的安装、配置客户端和服务端

OpenVPN 开源,好用,而且免费,感谢 OpenVPN 团队开发此产品。

简介

OpenVPN允许参与创建VPN的单点使用公开密钥、电子证书、或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库中的SSLv3/TLSv1协议函数库。目前OpenVPN能在Solaris、Linux、OpenBSD、FreeBSD、NetBSD、Mac OS X与Windows 2000/XP/Vista/Windows 7以及Android上运行,并包含了许多安全性的功能。它并不是一个基于Web的VPN软件,也不与IPsec及其他VPN软件包兼容。

加密

OpenVPN使用OpenSSL库加密数据与控制信息:它使用了OpenSSL的加密以及验证功能,意味着,它能够使用任何OpenSSL支持的算法。它提供了可选的数据包HMAC功能以提高连接的安全性。此外,OpenSSL的硬件加速也能提高它的性能。

验证

OpenVPN提供了多种身份验证方式,用以确认参与连接双方的身份,包括:预享私钥,第三方证书以及用户名/密码组合。预享密钥最为简单,但同时它只能用于创建点对点的VPN;基于PKI的第三方证书提供了最完善的功能,但是需要额外的精力去维护一个PKI证书体系。OpenVPN2.0后引入了用户名/口令组合的身份验证方式,它可以省略客户端证书,但是仍有一份服务器证书需要被用作加密。

网络

OpenVPN所有的通信都基于一个单一的IP端口,默认且推荐使用UDP协议通讯,同时TCP也被支持。OpenVPN连接能通过大多数的代理服务器,并且能够在NAT的环境中很好地工作。服务端具有向客户端“推送”某些网络配置信息的功能,这些信息包括:IP地址、路由设置等。OpenVPN提供了两种虚拟网络接口:通用Tun/Tap驱动,通过它们,可以创建三层IP隧道,或者虚拟二层以太网,后者可以传送任何类型的二层以太网络数据。传送的数据可通过LZO算法压缩。IANA(Internet Assigned Numbers Authority)指定给OpenVPN的官方端口为1194。OpenVPN 2.0以后版本每个进程可以同时管理数个并发的隧道。

OpenVPN使用通用网络协议(TCP与UDP)的特点使它成为IPsec等协议的理想替代,尤其是在ISP(Internet service provider)过滤某些特定VPN协议的情况下。

安全

OpenVPN与生俱来便具备了许多安全特性:它在用户空间运行,无须对内核及网络协议栈作修改;初始完毕后以chroot方式运行,放弃root权限;使用mlockall以防止敏感数据交换到磁盘。

OpenVPN通过PKCS#11支持硬件加密标识,如智能卡。

FreeBSD平台版本选择10.0,安装过程掠过,我们从FreeBSD安装完毕开始。

有两种方法安装OpenVPN:pkg二进制安装和ports源代码安装。

pkg安装

使用pkg命令直接安装二进制版本,安装简单,也不用花太久时间(不会超过5分钟),但没有提供配置示范文档,需要完全自己编写,不过也可上官网查询

有一点要注意,如果源码(prots)安装不成功(通常是被GFW给墙),可以试试 pkg 安装,pkg 安装虽不一定是最新的,但起码可以成功安装。

确认网络正常后直接输入 pkg install openvpn即可开始安装,通常pkg会下载并安装当前最新的版本。 

ports安装

ports是源代码安装,需下载源代码和编译源代码,全脚本自动完成,但安装需要略花些时间(10~20分钟),但在执行ports安装前,最好先更新一下ports树,以便安装最新版本,在类UNIX社区,这是传统的安装形式之一。

1.下载最新的 ports包更新ports树,如果无需更新可从第3步开始。

#portsnap fetch

或者跳过第2步一次完成释放

#portsnap fetch extract

2.将下载好的 ports包释放到 /usr/ports。

#portsnap extract

3.如果ports已经是最新。

进入ports树中openvpn所在的目录

#cd /usr/ports/searchs/openvpn

4.开始安装,首先是自动下载相关文件并编译,最后自动完成安装。

#make install clean

发生错误的话,可以用 make config 重新配置再编译、或者 make deinstall 删除安装,如果文件无法下载可以手动下载需要的文件存于 /usr/ports/distfiles 目录再进行编译。

OpenVPN安装的组件,包括其他相关程序的组件,默认选择即可。

安装完毕,见下图: 

证书制作

安装完毕后,开始配置,主要是生成证书和配置的文件修改。

注:以下是一些相关的目录:

证书生成工具

/usr/local/share/easy-rsa

配置文件示范所在位置。

/usr/local/share/examples/openvpn

:: 进入证书生成目录

#cd /usr/local/share/easy-rsa

:: 设置证书制作环境(默认vars不正常,环境变量手动输入),Telnet终端的话,直接粘贴即可。

#setenv KEY_CONFIG   /usr/local/share/easy-rsa/openssl-1.0.0.cnf

#setenv KEY_DIR       /usr/local/share/easy-rsa/keys

#setenv KEY_SIZE      1024

#setenv KEY_COUNTRY  CN

#setenv KEY_PROVINCE  AA

#setenv KEY_CITY       BB

#setenv KEY_ORG       “COMPANY”

#setenv KEY_EMAIL     “user@host.domain”

#setenv OPENSSL       “openssl”

 

:: 初始化

#./clean-all

 

:: 生成证书

#./build-ca

:: 创建服务端证书

#./build-key-server server

:: 创建客户端证书

#./build-key client

:: 创建客户端证书,若有多个客户端需要分开证书的话则使用

#./build-key client1

:: 完成证书制作

#./build-dh

证书制作完毕,得到一些文件,但如果参数填写不恰当,可能生成一些0字节的crt文件,那么就得重新生成证书。生成结束后,可按照如下表格分别将文件拷贝到客户端和服务端的相应目录中(测试时全部放一起也没关系)。

下表列出各类文件部署的位置:

文件名 位置 目的 保密
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
client2.crt client2 only Client2 Certificate NO
client2.key client2 only Client2 Key YES
client3.crt client3 only Client3 Certificate NO
client3.key client3 only Client3 Key YES


BSD
客户端配置

:: 创建配置文件所在目录

#mkdir /usr/local/etc/openvpn

:: 创建 keys目录

#mkdir /usr/local/etc/openvpn/keys

:: 复制证书到配置的keys目录

#cp /usr/local/share/easy-rsa/keys/* /usr/local/etc/openvpn/keys

:: 复制示范文件到配置目录,稍后修改

:: 服务端证书复制

#cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn

 

:: 客户端证书复制,复制到另一台电脑,FreeBSD/Linux/OpenBSD均可

#cp /usr/local/share/examples/openvpn/sample-config-files/client.conf /usr/local/etc/openvpn

:: 进入配置文件目录,修改配置:: FreeBSD/Linux/UNIX可以选择 tap或 tun设备,Windows下只能支持 tap设备,但也可以选择 tun 设备,但实际上还是 tap 设备,这主要用于类 UNIX 连接 Windows。

:: 两边的设备可以不同(BSD下经测试 tap 和 tun 可以混用),但网络协议必须相同

#cd /usr/local/etc/openvpn/

客户端配置client.conf

注意红色部分

##############################################

# Sample client-side OpenVPN 2.0 config file #

# for connecting to multi-client server.     #

#                                            #

# This configuration can be used by multiple #

# clients, however each client should have   #

# its own cert and key files.                #

#                                            #

# On Windows, you might want to rename this  #

# file so it has a .ovpn extension           #

##############################################

 

# Specify that we are a client and that we

# will be pulling certain config file directives

# from the server.

client

 

# Use the same setting as you are using on

# the server.

# On most systems, the VPN will not function

# unless you partially or fully disable

# the firewall for the TUN/TAP interface.

dev tap

;dev tun

 

# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel

# if you have more than one.  On XP SP2,

# you may need to disable the firewall

# for the TAP adapter.

;dev-node MyTap

 

# Are we connecting to a TCP or

# UDP server?  Use the same setting as

# on the server.

;proto tcp

proto udp

 

# The hostname/IP and port of the server.

# You can have multiple remote entries

# to load balance between the servers.

# 服务端 IP地址,根据实际情况填写

remote xxx.xxx.xxx.xxx 1194

;remote my-server-2 1194

 

# Choose a random host from the remote

# list for load-balancing.  Otherwise

# try hosts in the order specified.

;remote-random

 

# Keep trying indefinitely to resolve the

# host name of the OpenVPN server.  Very useful

# on machines which are not permanently connected

# to the internet such as laptops.

resolv-retry infinite

 

# Most clients don’t need to bind to

# a specific local port number.

nobind

 

# Downgrade privileges after initialization (non-Windows only)

;user nobody

;group nobody

 

# Try to preserve some state across restarts.

persist-key

persist-tun

 

# If you are connecting through an

# HTTP proxy to reach the actual OpenVPN

# server, put the proxy server/IP and

# port number here.  See the man page

# if your proxy server requires

# authentication.

;http-proxy-retry # retry on connection failures

;http-proxy [proxy server] [proxy port #]

 

# Wireless networks often produce a lot

# of duplicate packets.  Set this flag

# to silence duplicate packet warnings.

;mute-replay-warnings

 

# SSL/TLS parms.

# See the server config file for more

# description.  It’s best to use

# a separate .crt/.key file pair

# for each client.  A single ca

# file can be used for all clients.

ca /usr/local/etc/openvpn/keys/ca.crt

cert /usr/local/etc/openvpn/keys/client.crt

key /usr/local/etc/openvpn/keys/client.key

 

# Verify server certificate by checking

# that the certicate has the nsCertType

# field set to “server”.  This is an

# important precaution to protect against

# a potential attack discussed here:

#  http://openvpn.net/howto.html#mitm

#

# To use this feature, you will need to generate

# your server certificates with the nsCertType

# field set to “server”.  The build-key-server

# script in the easy-rsa folder will do this.

ns-cert-type server

 

# If a tls-auth key is used on the server

# then every client must also have the key.

;tls-auth ta.key 1

 

# Select a cryptographic cipher.

# If the cipher option is used on the server

# then you must also specify it here.

;cipher x

 

# Enable compression on the VPN link.

# Don’t enable this unless it is also

# enabled in the server config file.

comp-lzo

 

# Set log file verbosity.

verb 3

 

# Silence repeating messages

;mute 20

 

服务端配置server.conf

注意红色部分,和留意蓝色部分

#################################################

# Sample OpenVPN 2.0 config file for            #

# multi-client server.                          #

#                                               #

# This file is for the server side              #

# of a many-clients <-> one-server              #

# OpenVPN configuration.                        #

#                                               #

# OpenVPN also supports                         #

# single-machine < -> single-machine             #

# configurations (See the Examples page         #

# on the web site for more info).               #

#                                               #

# This config should work on Windows            #

# or Linux/BSD systems.  Remember on            #

# Windows to quote pathnames and use            #

# double backslashes, e.g.:                     #

# “C:\\Program Files\\OpenVPN\\config\\foo.key” #

#                                               #

# Comments are preceded with ‘#’ or ‘;’         #

#################################################

 

# Which local IP address should OpenVPN

# listen on? (optional)

;local a.b.c.d

 

# Which TCP/UDP port should OpenVPN listen on?

# If you want to run multiple OpenVPN instances

# on the same machine, use a different port

# number for each one.  You will need to

# open up this port on your firewall.

port 1194

 

# TCP or UDP server?

;proto tcp

proto udp

 

# “dev tun” will create a routed IP tunnel,

# “dev tap” will create an ethernet tunnel.

# Use “dev tap0” if you are ethernet bridging

# and have precreated a tap0 virtual interface

# and bridged it with your ethernet interface.

# If you want to control access policies

# over the VPN, you must create firewall

# rules for the the TUN/TAP interface.

# On non-Windows systems, you can give

# an explicit unit number, such as tun0.

# On Windows, use “dev-node” for this.

# On most systems, the VPN will not function

# unless you partially or fully disable

# the firewall for the TUN/TAP interface.

dev tap

;dev tun

 

# Windows needs the TAP-Win32 adapter name

# from the Network Connections panel if you

# have more than one.  On XP SP2 or higher,

# you may need to selectively disable the

# Windows firewall for the TAP adapter.

# Non-Windows systems usually don’t need this.

;dev-node MyTap

 

# SSL/TLS root certificate (ca), certificate

# (cert), and private key (key).  Each client

# and the server must have their own cert and

# key file.  The server and all clients will

# use the same ca file.

#

# See the “easy-rsa” directory for a series

# of scripts for generating RSA certificates

# and private keys.  Remember to use

# a unique Common Name for the server

# and each of the client certificates.

#

# Any X509 key management system can be used.

# OpenVPN can also use a PKCS #12 formatted key file

# (see “pkcs12” directive in man page).

ca /usr/local/etc/openvpn/keys/ca.crt

cert /usr/local/etc/openvpn/keys/server.crt

key /usr/local/etc/openvpn/keys/server.key  # This file should be kept secret

 

# Diffie hellman parameters.

# Generate your own with:

#   openssl dhparam -out dh1024.pem 1024

# Substitute 2048 for 1024 if you are using

# 2048 bit keys.

dh /usr/local/etc/openvpn/keys/dh1024.pem

 

# Configure server mode and supply a VPN subnet

# for OpenVPN to draw client addresses from.

# The server will take 10.8.0.1 for itself,

# the rest will be made available to clients.

# Each client will be able to reach the server

# on 10.8.0.1. Comment this line out if you are

# ethernet bridging. See the man page for more info.

# 服务器(虚拟网) IP 地址段设置(不违反规则、不冲突即可)

server 10.219.0.0 255.255.255.0

 

# Maintain a record of client <-> virtual IP address

# associations in this file.  If OpenVPN goes down or

# is restarted, reconnecting clients can be assigned

# the same virtual IP address from the pool that was

# previously assigned.

ifconfig-pool-persist ipp.txt

 

# Configure server mode for ethernet bridging.

# You must first use your OS’s bridging capability

# to bridge the TAP interface with the ethernet

# NIC interface.  Then you must manually set the

# IP/netmask on the bridge interface, here we

# assume 10.8.0.4/255.255.255.0.  Finally we

# must set aside an IP range in this subnet

# (start=10.8.0.50 end=10.8.0.100) to allocate

# to connecting clients.  Leave this line commented

# out unless you are ethernet bridging.

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

 

# Configure server mode for ethernet bridging

# using a DHCP-proxy, where clients talk

# to the OpenVPN server-side DHCP server

# to receive their IP address allocation

# and DNS server addresses.  You must first use

# your OS’s bridging capability to bridge the TAP

# interface with the ethernet NIC interface.

# Note: this mode only works on clients (such as

# Windows), where the client-side TAP adapter is

# bound to a DHCP client.

;server-bridge

 

# Push routes to the client to allow it

# to reach other private subnets behind

# the server.  Remember that these

# private subnets will also need

# to know to route the OpenVPN client

# address pool (10.8.0.0/255.255.255.0)

# back to the OpenVPN server.

;push “route 192.168.10.0 255.255.255.0”

;push “route 192.168.20.0 255.255.255.0”

 

# To assign specific IP addresses to specific

# clients or if a connecting client has a private

# subnet behind it that should also have VPN access,

# use the subdirectory “ccd” for client-specific

# configuration files (see man page for more info).

 

# EXAMPLE: Suppose the client

# having the certificate common name “Thelonious”

# also has a small subnet behind his connecting

# machine, such as 192.168.40.128/255.255.255.248.

# First, uncomment out these lines:

;client-config-dir ccd

;route 192.168.40.128 255.255.255.248

# Then create a file ccd/Thelonious with this line:

#   iroute 192.168.40.128 255.255.255.248

# This will allow Thelonious’ private subnet to

# access the VPN.  This example will only work

# if you are routing, not bridging, i.e. you are

# using “dev tun” and “server” directives.

 

# EXAMPLE: Suppose you want to give

# Thelonious a fixed VPN IP address of 10.9.0.1.

# First uncomment out these lines:

;client-config-dir ccd

;route 10.9.0.0 255.255.255.252

# Then add this line to ccd/Thelonious:

#   ifconfig-push 10.9.0.1 10.9.0.2

 

# Suppose that you want to enable different

# firewall access policies for different groups

# of clients.  There are two methods:

# (1) Run multiple OpenVPN daemons, one for each

#     group, and firewall the TUN/TAP interface

#     for each group/daemon appropriately.

# (2) (Advanced) Create a script to dynamically

#     modify the firewall in response to access

#     from different clients.  See man

#     page for more info on learn-address script.

;learn-address ./script

 

# If enabled, this directive will configure

# all clients to redirect their default

# network gateway through the VPN, causing

# all IP traffic such as web browsing and

# and DNS lookups to go through the VPN

# (The OpenVPN server machine may need to NAT

# or bridge the TUN/TAP interface to the internet

# in order for this to work properly).

;push “redirect-gateway def1 bypass-dhcp”

 

# Certain Windows-specific network settings

# can be pushed to clients, such as DNS

# or WINS server addresses.  CAVEAT:

# http://openvpn.net/faq.html#dhcpcaveats

# The addresses below refer to the public

# DNS servers provided by opendns.com.

;push “dhcp-option DNS 208.67.222.222”

;push “dhcp-option DNS 208.67.220.220”

 

# Uncomment this directive to allow different

# clients to be able to “see” each other.

# By default, clients will only see the server.

# To force clients to only see the server, you

# will also need to appropriately firewall the

# server’s TUN/TAP interface.

;client-to-client

 

# Uncomment this directive if multiple clients

# might connect with the same certificate/key

# files or common names.  This is recommended

# only for testing purposes.  For production use,

# each client should have its own certificate/key

# pair.

#

# IF YOU HAVE NOT GENERATED INDIVIDUAL

# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

# EACH HAVING ITS OWN UNIQUE “COMMON NAME”,

# UNCOMMENT THIS LINE OUT.

;duplicate-cn

 

# The keepalive directive causes ping-like

# messages to be sent back and forth over

# the link so that each side knows when

# the other side has gone down.

# Ping every 10 seconds, assume that remote

# peer is down if no ping received during

# a 120 second time period.

keepalive 10 120

 

# For extra security beyond that provided

# by SSL/TLS, create an “HMAC firewall”

# to help block DoS attacks and UDP port flooding.

#

# Generate with:

#   openvpn –genkey –secret ta.key

#

# The server and each client must have

# a copy of this key.

# The second parameter should be ‘0’

# on the server and ‘1’ on the clients.

;tls-auth ta.key 0 # This file is secret

 

# Select a cryptographic cipher.

# This config item must be copied to

# the client config file as well.

;cipher BF-CBC        # Blowfish (default)

;cipher AES-128-CBC   # AES

;cipher DES-EDE3-CBC  # Triple-DES

 

# Enable compression on the VPN link.

# If you enable it here, you must also

# enable it in the client config file.

comp-lzo

 

# The maximum number of concurrently connected

# clients we want to allow.

;max-clients 100

 

# It’s a good idea to reduce the OpenVPN

# daemon’s privileges after initialization.

#

# You can uncomment this out on

# non-Windows systems.

;user nobody

;group nobody

 

# The persist options will try to avoid

# accessing certain resources on restart

# that may no longer be accessible because

# of the privilege downgrade.

persist-key

persist-tun

 

# Output a short status file showing

# current connections, truncated

# and rewritten every minute.

status openvpn-status.log

 

# By default, log messages will go to the syslog (or

# on Windows, if running as a service, they will go to

# the “\Program Files\OpenVPN\log” directory).

# Use log or log-append to override this default.

# “log” will truncate the log file on OpenVPN startup,

# while “log-append” will append to it.  Use one

# or the other (but not both).

;log         openvpn.log

;log-append  openvpn.log

 

# Set the appropriate level of log

# file verbosity.

#

# 0 is silent, except for fatal errors

# 4 is reasonable for general usage

# 5 and 6 can help to debug connection problems

# 9 is extremely verbose

verb 3

 

# Silence repeating messages.  At most 20

# sequential messages of the same message

# category will be output to the log.

;mute 20

 

rc.conf 配置,用于启动时自动启动 OpenVPN

在 rc.conf内添加以下内容

 

服务端/etc/rc.conf加上

openvpn_enable=”yes”

openvpn_if=”tap”

openvpn_configfile=”/usr/local/etc/openvpn/server.conf

 

客户端/etc/rc.conf加上

openvpn_enable=”yes”

openvpn_if=”tap”

openvpn_configfile=”/usr/local/etc/openvpn/client.conf

 

重启 FreeBSD ……

 

服务端启动完毕

 

FreeBSD 客户端连接正常,且tap和tun两种设备模式都能正常连接。

客户端查看设备,tun0获得 10.219.0.6 IP

 

 

Windows客户端的配置

 

:: Windows 内的 client.conf只需要指明服务端,无需用绝对路径指明证书

配置和证书放在同一个目录

示范文件来自C:\Program Files\OpenVPN\sample-config,将client.ovpn复制到C:\Program Files\OpenVPN\config。

 

:: 修改远程地址为服务器的地址,确保证书文件名正确

remote xxx.xxx.xxx.xxx 1194

ca ca.crt

cert client.crt

key client.key

 

用OpenVPN的GUI尝试连接,Windows客户端显示连接正常。

 

以FreeBSD为平台OpenVPN服务器搭建完毕,至于其他设置配置文件的备注有很详细的说明,请自行参考。

 

备注

 

安装时,若访问其它网络正常,但ports提示找不到服务器可以尝试将国内运营商提供的DNS改为114.114.114.114 / 114.114.115.115、或者 Google 提供的 DNS 8.8.8.8 / 8.8.4.4或者同时使用。

编辑 /etc/resolv.conf修改DNS设置

 

测试时只创建了一个客户端证书,而生产环境一般都有多个客户端,应创建多个客户端证书,每个客户端使用各自的客户端证书;也可以增加证书,或者全部重做。或者使用使用 OpenVPN 插件,实现 Username Password 方式的认证。

 

连接成功的客户和服务如果不能正常使用其他程序请检查防火墙设置,相关路由的设置。

 

.

 

以下文章点击率最高

Loading…


发表评论

邮箱地址不会被公开。 必填项已用*标注