实现目标
client内部网络(192.168.66.x)和openvpn服务器所在网络(10.3.0.x)实现互通
一、环境
1. 架构
ens160:x.x.x.x-ens32:10.3.0.100(vpn server) – 10.3.0.x
<–>
eth0:192.168.66.181(vpn client) – 192.168.66.x2. 软件版本
system : centos7.2
openvpn : 2.4.6-1.el7
二、安装部署
1. openvpn server安装(10.3.0.100)
wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh备用地址:wget http://d.guohao.space/vpn/openvpn-install.sh -O openvpn-install.sh && bash openvpn-install.shI need to ask you a few questions before starting the setup.You can leave the default options and just press enter if you are ok with them.First, provide the IPv4 address of the network interface you want OpenVPNlistening to.IP address: x.x.x.xWhich protocol do you want for OpenVPN connections?1) UDP (recommended)2) TCPProtocol [1-2]: 2What port do you want OpenVPN listening to?Port: 31194Which DNS do you want to use with the VPN?1) Current system resolvers2) 1.1.1.13) Google4) OpenDNS5) VerisignDNS [1-5]: 1Finally, tell me your name for the client certificate.Please, use one word only, no special characters.Client name: clientOkay, that was all I needed. We are ready to set up your OpenVPN server now.Press any key to continue...# 这回车后会安装相关的包,生成客户端配置文件,并启动vpn服务......Finished!Your client configuration is available at: /root/client.ovpnIP address
对外提供服务的公网ipClient name
客户端名称,这里就用默认的client,创建新用户时可以再运行这个脚本创建/root/client.ovpn
这个客户端的配置文件,用户名是由上面Client name确定。后面客户端要用到该文件
2. vpn server端配置
# cat /etc/openvpn/server.confport 31194proto tcpdev tunsndbuf 0rcvbuf 0ca ca.crtcert server.crtkey server.keydh dh.pemauth SHA512tls-auth ta.key 0topology subnetserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txt# push "redirect-gateway def1 bypass-dhcp" 改为push "route 10.3.0.0 255.255.255.0"# push "dhcp-option DNS 114.114.114.114"keepalive 10 120cipher AES-256-CBCuser nobodygroup nobodypersist-keypersist-tunstatus openvpn-status.logverb 3crl-verify crl.pem配置说明:
server
vpn网络网段,这个可自定义,用默认的也可以push “redirect-gateway def1 bypass-dhcp”
vpn server向客户端推送路由信息,默认的配置会使客户端所有流量都经过vpn,这不是我们想要的,只有到内网的才路由到vpnpush “dhcp-option DNS 114.114.114.114”
直接去掉,如果有内部dns服务器的话要改成内部的dns
修改完记得重启vpn服务
systemctl restart openvpn@server3. client 端安装配置
安装
yum install openvpn配置
把之前server端生成的client.ovpn放置到/etc/openvpn/client/client.ovpn,执行下面命令启动客户端程序openvpn --daemon --cd /etc/openvpn/client/ --config client.ovpn --log-append /var/log/openvpn.log查看
ip addr会到多了个tun0网络,这个就是vpn网络# ip addr......8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100link/noneinet 10.8.0.2/24 brd 10.8.0.255 scope global tun0valid_lft forever preferred_lft foreverip route 可以看到推送过来的路由 10.3.0.0/8
# ip routedefault via 192.168.66.2 dev eth0 proto static metric 10010.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.210.3.0.0/24 via 10.8.0.1 dev tun0192.168.66.0/24 dev eth0 proto kernel scope link src 192.168.66.181 metric 100如果没看到相关信息,查看日志/var/log/openvpn.log。
测试
ping 10.8.0.1
ping通的话说明和vpn服务端成功连接
4. 实现客户端访问内部网络(server端操作)
完成上面操作,可实现client访问vpn服务器,但是还没办法访问vpn服务器所在的网络,继续做如下操作开启服务器的网络转发功能
查看是否已经开启了转发,1是开启sysctl -a|grep '\.forwarding'net.ipv4.conf.all.forwarding = 0net.ipv4.conf.default.forwarding = 0net.ipv4.conf.ens160.forwarding = 0net.ipv4.conf.ens32.forwarding = 0net.ipv4.conf.lo.forwarding = 0net.ipv4.conf.tun0.forwarding = 0如果上面grep结果已经是= 1 就说明已经开启,不用做下面操作了
/etc/sysctl.conf 对应的值由0改为1,没有的话在最后添加如下行net.ipv4.ip_forward = 1执行命令生效,执行下面命令后再查看就是 = 1了
sysctl -p在vpn服务器上做snat,修改到内网时的源ip为vpn服务器的ip,不然流量回不来了
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 192.168.66.0/24 -o ens32 -j SNAT --to-source 10.3.0.100
完成上面两部操作后即可实现客户端访问vpn服务器端的内部10.3.0.0/24网络,ping个同段的其他机器测试
5. 指定客户端ip
有时候我们喜欢给客户端分配ip而不是动态获得,做下面配置指定客户端配置文件路径
# /etc/openvpn/server.conf 中加入下面一行client-config-dir ccd创建用户配置文件
# /etc/openvpn/ccd/clientifconfig-push 10.8.0.10 255.255.255.0指定了client客户的ip是10.8.0.10
重启openvpn服务生效
6. 配置双网互通
通过上面操作可以实现192.168.66.181访问10.3.0.x网络主机,但是192.168.66.x(配置了10.3.0.x路由到192.168.66.181)的机器并不能通过192.168.66.181访问到10.3.0.x网络,还需要做如下配置本地添加192.168.66.x路由
# /etc/openvpn/server.conf 中添加如下3行client-to-client# client 路由route 192.168.66.0 255.255.255.0 10.8.0.10client声明自己的路由
# cat /etc/openvpn/ccd/clientifconfig-push 10.8.0.10 255.255.255.0iroute 192.168.66.0 255.255.255.0注意是iroute不是route
重启后即可看到本地多了192.168.66.x路由,客户端192.168.66.x可以通过192.168.66.181访问10.3.0.x网络了10.3.0.x访问192.168.66.x
道理和192.168.66.181访问10.3.0.x一样,需要做snatfirewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.3.0.0/24 -o eth0 -j SNAT --to-source 192.168.66.181
7. 当然还要考虑高可用,这个根据实际情况搞
特别声明:以上内容(如有图片或视频亦包括在内)为自媒体平台“网易号”用户上传并发布,本平台仅提供信息存储服务。
Notice: The content above (including the pictures and videos if any) is uploaded and posted by a user of NetEase Hao, which is a social media platform and only provides information storage services.
