Published 2018-02-08 09:37:38, editor: admin
The intranet server runs Linux and needs an OpenVPN connection to reach the production application servers. The OpenVPN client has to be installed on it; the build steps are the same as for the server.
Client and server clocks must be kept in sync. This deserves emphasis: if the clocks drift apart, the client cannot connect, because the certificate validity window is checked against the local time.
Sync the Linux clock (Beijing time)
# yum install -y ntpdate
# ntpdate time.nist.gov
Install the LZO library
# tar zxvf lzo-2.10.tar.gz -C /usr/src/
# cd /usr/src/lzo-2.10/
# ./configure --enable-shared
# make && make install
Install OpenVPN
# cd /root
# tar zxvf openvpn-2.4.4.tar.gz -C /usr/src/
# cd /usr/src/openvpn-2.4.4/
# ./configure --prefix=/usr/local/openvpn
# make && make install
That completes the client installation.
Server:
Log in to the OpenVPN server and generate the client certificate and key.
Press Enter through the prompts; when a [y/n] prompt appears, type y and press Enter.
# cd /usr/local/openvpn/easy-rsa/2.0/
# source vars
# ./build-key client_linux
Client:
Create the directory that will hold the profile and edit the configuration file.
# mkdir /usr/local/openvpn/etc
Log in to the OpenVPN server and copy the key material (ca.crt, client_linux.crt, client_linux.key) to the client's /usr/local/openvpn/etc directory, for example with scp. The .key file is the client's private key; treat it as a credential and do not leave copies on the server or in shared locations.
Edit the dial-up (connection) profile on the client
# vim /usr/local/openvpn/etc/client.ovpn
Contents:
client
dev tap
proto tcp
remote 115.239.210.27 444
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client_linux.crt
key client_linux.key
ns-cert-type server
comp-lzo
verb 3
Note that ns-cert-type server still works in OpenVPN 2.4 but is deprecated (the startup log below says so). Its replacement is remote-cert-tls server, which requires the server certificate to carry the serverAuth extended key usage; server certificates issued by easy-rsa's build-key-server carry it, so the replacement is a drop-in change here. Either directive is what stops a client certificate issued by the same CA from being used to impersonate the server.
The etc directory now looks like this:
[root@localhost etc]# ll
total 20
-rw-r--r-- 1 root root 1757 Feb  8 09:24 ca.crt
-rw-r--r-- 1 root root 5426 Feb  8 09:24 client_linux.crt
-rw-r--r-- 1 root root 1704 Feb  8 09:24 client_linux.key
-rw-r--r-- 1 root root  189 Feb  8 09:24 client.ovpn
The private key is mode 644 (-rw-r--r--), readable by every local user. OpenVPN will warn about this at startup (see the log below); fix it before connecting:
# chmod 600 /usr/local/openvpn/etc/client_linux.key
Start the client
# /usr/local/openvpn/sbin/openvpn --config /usr/local/openvpn/etc/client.ovpn
Startup output:
Thu Feb 8 09:28:13 2018 WARNING: file 'client_linux.key' is group or others accessible
Thu Feb 8 09:28:13 2018 OpenVPN 2.4.4 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb 7 2018
Thu Feb 8 09:28:13 2018 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Thu Feb 8 09:28:13 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Feb 8 09:28:13 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]115.239.210.27:444
Thu Feb 8 09:28:13 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Feb 8 09:28:13 2018 Attempting to establish TCP connection with [AF_INET]115.239.210.27:444 [nonblock]
Thu Feb 8 09:28:14 2018 TCP connection established with [AF_INET]115.239.210.27:444
Thu Feb 8 09:28:14 2018 TCP_CLIENT link local: (not bound)
Thu Feb 8 09:28:14 2018 TCP_CLIENT link remote: [AF_INET]115.239.210.27:444
Thu Feb 8 09:28:14 2018 TLS: Initial packet from [AF_INET]115.239.210.27:444, sid=5a714b5c 9a7285fa
Thu Feb 8 09:28:14 2018 VERIFY OK: depth=1, C=CN, ST=shanghai, L=shanghai, O=shanghai, OU=kuaibao, CN=shanghai CA, name=EasyRSA, emailAddress=kuaibao@kuaidihelp.com
Thu Feb 8 09:28:14 2018 VERIFY OK: nsCertType=SERVER
Thu Feb 8 09:28:14 2018 VERIFY OK: depth=0, C=CN, ST=shanghai, L=shanghai, O=shanghai, OU=kuaibao, CN=server, name=EasyRSA, emailAddress=kuaibao@kuaidihelp.com
Thu Feb 8 09:28:14 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Feb 8 09:28:14 2018 [server] Peer Connection Initiated with [AF_INET]115.239.210.27:444
Thu Feb 8 09:28:15 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Feb 8 09:28:16 2018 PUSH: Received control message: 'PUSH_REPLY,route 10.20.30.0 255.255.255.0,route 10.20.1.0 255.255.255.0,route 10.20.20.0 255.255.255.0,route 10.20.10.0 255.255.255.0,dhcp-option DNS 202.96.209.133,dhcp-option DNS 202.96.209.5,route-gateway 192.168.10.1,ifconfig 192.168.10.7 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Thu Feb 8 09:28:16 2018 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 8 09:28:16 2018 OPTIONS IMPORT: route options modified
Thu Feb 8 09:28:16 2018 OPTIONS IMPORT: route-related options modified
Thu Feb 8 09:28:16 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb 8 09:28:16 2018 OPTIONS IMPORT: peer-id set
Thu Feb 8 09:28:16 2018 OPTIONS IMPORT: adjusting link_mtu to 1659
Thu Feb 8 09:28:16 2018 OPTIONS IMPORT: data channel crypto options modified
Thu Feb 8 09:28:16 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Feb 8 09:28:16 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb 8 09:28:16 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Feb 8 09:28:16 2018 ROUTE_GATEWAY 192.168.88.2/255.255.255.0 IFACE=ens32 HWADDR=00:0c:29:f3:58:f3
Thu Feb 8 09:28:16 2018 TUN/TAP device tap0 opened
Thu Feb 8 09:28:16 2018 TUN/TAP TX queue length set to 100
Thu Feb 8 09:28:16 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Feb 8 09:28:16 2018 /usr/sbin/ifconfig tap0 192.168.10.7 netmask 255.255.255.0 mtu 1500 broadcast 192.168.10.255
Thu Feb 8 09:28:16 2018 /usr/sbin/route add -net 10.20.10.0 netmask 255.255.255.0 gw 192.168.10.1
Thu Feb 8 09:28:16 2018 /usr/sbin/route add -net 10.20.20.0 netmask 255.255.255.0 gw 192.168.10.1
Thu Feb 8 09:28:16 2018 /usr/sbin/route add -net 10.20.30.0 netmask 255.255.255.0 gw 192.168.10.1
Thu Feb 8 09:28:16 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 8 09:28:16 2018 Initialization Sequence Completed
"Initialization Sequence Completed" means the tunnel is up. The two VERIFY OK lines show the server certificate chaining to the CA and passing the nsCertType=SERVER check, and the data channel negotiated AES-256-GCM. The two WARNING lines are worth acting on: the group/other-readable private key (chmod 600 it) and the deprecated ns-cert-type directive (replace with remote-cert-tls server).
At this point the process is running in the foreground in the current terminal; press Ctrl+C to stop it.
Add one flag to run it in the background:
# /usr/local/openvpn/sbin/openvpn --daemon --config /usr/local/openvpn/etc/client.ovpn
ifconfig now shows an extra interface, tap0:
tap0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.7  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::b022:aff:fec9:a949  prefixlen 64  scopeid 0x20<link>
        ether b2:22:0a:c9:a9:49  txqueuelen 100  (Ethernet)
        RX packets 248  bytes 97510 (95.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 732 (732.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Test connectivity to the internal network
[root@localhost ~]# ping -c 1 10.20.10.3
PING 10.20.10.3 (10.20.10.3) 56(84) bytes of data.
64 bytes from 10.20.10.3: icmp_seq=1 ttl=128 time=1.39 ms

--- 10.20.10.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.394/1.394/1.394/0.000 ms
If the connection fails, the usual causes are:
(1) Clock skew between client and server: a certificate verification failure in the log (the VERIFY OK lines above are replaced by a VERIFY ERROR) is most often the client's clock sitting outside the certificate's validity window. Sync the time on both sides and reconnect.
(2) The server's SNAT rule is missing or wrong: this does not produce a certificate error. The log reaches "Initialization Sequence Completed" but internal hosts do not answer the ping. Redo the SNAT rule on the server.
(3) A mistake in the client configuration file: check for a missing letter or a stray character, and that the ca, cert and key file names match the files in /usr/local/openvpn/etc exactly. Then reconnect.
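A pre-flight check of the profile directory catches the two warnings that appear in the startup log above (a group/other-readable private key and the deprecated ns-cert-type directive) and the missing-file and typo problems in troubleshooting item (3) before the client is started. This is an added example, not code from the original post. The function name check_ovpn_profile is mine, and it assumes GNU coreutils stat (the -c flag), which is what the CentOS host in this post provides.

```shell
#!/bin/sh
# check_ovpn_profile DIR CONFIG
# Added example (not part of the original post): sanity-check an OpenVPN
# client profile before running openvpn --config. Prints one WARN: line per
# finding and, as its last line, the number of findings (0 means clean).
# Assumes GNU stat (stat -c), as on CentOS.
check_ovpn_profile() {
    dir="$1"
    cfg="$dir/$2"
    findings=0

    if [ ! -r "$cfg" ]; then
        echo "WARN: config $cfg does not exist or is not readable"
        echo 1
        return 0
    fi

    # Every ca/cert/key directive must point at a file that exists
    # relative to the profile directory (a typo here is troubleshooting item 3).
    for directive in ca cert key; do
        f=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$cfg")
        if [ -z "$f" ]; then
            echo "WARN: no '$directive' directive in $cfg"
            findings=$((findings + 1))
        elif [ ! -f "$dir/$f" ]; then
            echo "WARN: $directive file $dir/$f is missing"
            findings=$((findings + 1))
        fi
    done

    # The private key must not be group/other readable. OpenVPN only warns
    # about this and then proceeds, so enforce it here.
    keyfile=$(awk '$1 == "key" { print $2; exit }' "$cfg")
    if [ -n "$keyfile" ] && [ -f "$dir/$keyfile" ]; then
        mode=$(stat -c '%a' "$dir/$keyfile")
        case "$mode" in
            600|400) ;;
            *)
                echo "WARN: $keyfile has mode $mode; run: chmod 600 $dir/$keyfile"
                findings=$((findings + 1))
                ;;
        esac
    fi

    # ns-cert-type is deprecated in OpenVPN 2.4. remote-cert-tls server checks
    # the server certificate's extended key usage instead; without either, a
    # client certificate from the same CA could pose as the server.
    if grep -q '^[[:space:]]*ns-cert-type' "$cfg"; then
        echo "WARN: ns-cert-type is deprecated; replace it with: remote-cert-tls server"
        findings=$((findings + 1))
    elif ! grep -q '^[[:space:]]*remote-cert-tls[[:space:]]*server' "$cfg"; then
        echo "WARN: no server certificate role check; add: remote-cert-tls server"
        findings=$((findings + 1))
    fi

    echo "$findings"
    return 0
}

# Stand-alone use: sh check_ovpn.sh /usr/local/openvpn/etc client.ovpn
if [ "$#" -ge 2 ]; then
    check_ovpn_profile "$1" "$2"
fi
```

Run it against the directory shown in the listing above and it reports exactly the two problems the log later warns about; after chmod 600 on the key and swapping ns-cert-type for remote-cert-tls server it reports none. The count is printed as the last line so the check can gate a start script, for example refusing to run openvpn --daemon unless it is 0.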