Preface: the company's network has grown into a multi-cloud setup. Users find it cumbersome to reach the internal network, and administrators find managing access rights increasingly hard. We urgently need OpenVPN to connect the clouds and, on that basis, tighten access control. Taking ease of use, extensibility and the low cost of open source into account, this post walks through requirements analysis, the core idea and principle, architecture selection and experiments, production deployment steps, and a record of the difficult points. Since my own skills are limited, a chapter on sticking points and solutions is reserved to record every blocker and its fix.
1. Requirements
The original network lived in Huawei Cloud; as the business grew it expanded to several Huawei Cloud environments, so these need to be interconnected.
The original network's access-control rules were written only down to IP address and port, which makes them hard to read and hard to maintain.
2. Core idea and principle
2.1. Idea
Use OpenVPN's client-to-client capability so that VPN nodes can reach one another and can route requests on to the other machines in the private network where each node sits; this interconnects physically isolated private networks. Then use firewalls (security groups) to control access between the different private networks at a fine grain, for example a future requirement to control traffic between a test environment (one cloud) and a production environment (another cloud).
2.2. Principle
OpenVPN's routed mode (tun) allows more flexible access control, so routed mode is used here; the other mode is bridged mode (tap).
3. Architecture selection
Huawei Cloud 1, Server: 121.3.233.234
Huawei Cloud 2, Client: 122.4.123.134
VPN network: made up of the OpenVPN Server and Client nodes; the Server acts as the gateway of the VPN network.
The machines that join the VPN network are ordinary hosts inside each private network, not the private network's gateway server; the Server's machine needs an Elastic IP bound to it, and the client connects to it over the Internet.
If a VPN node is deployed on the gateway server itself, no separate routing configuration is needed. Otherwise the gateway's route table needs an entry for the VPN subnet that routes it to the Server machine.
4. Production deployment steps
4.1. Server side
Install the build dependencies first:
yum install -y lz4-devel lzo-devel pam-devel openssl-devel systemd-devel sqlite-devel
yum install -y autoconf automake libtool libtool-ltdl
Download the source, then build and install it:
# Download the source tarball into /etc, extract it there, then build and install
cd /etc
# Download the source; the latest release is fine
wget https://github.com/OpenVPN/openvpn/archive/v2.5.0.tar.gz
# Rename the tarball
mv v2.5.0.tar.gz openvpn-2.5.0.tar.gz
# Extract
tar -zxf openvpn-2.5.0.tar.gz
# Rename the extracted directory and enter it
mv openvpn-2.5.0 openvpn
cd openvpn
# Regenerate the build system
autoreconf -i -v -f
# Detect the features of the target platform (--enable-systemd is required for the unit file used below, see 6.1)
./configure --prefix=/usr/local/openvpn --enable-lzo --enable-lz4 --enable-crypto --enable-server --enable-plugins --enable-port-share --enable-iproute2 --enable-pf --enable-plugin-auth-pam --enable-pam-dlopen --enable-systemd
# Build and install
make && make install
# Create a symlink; if the extracted openvpn directory is not under /etc/, move it there yourself
ln -s /usr/local/openvpn/sbin/openvpn /usr/local/sbin/openvpn
# Edit the systemd unit file
vim /usr/local/openvpn/lib/systemd/system/openvpn-server\@.service
# Replace the ExecStart line in its entirety with:
ExecStart=/usr/local/openvpn/sbin/openvpn --config server.conf
# This step is what lets systemctl manage the service
cp -a /usr/local/openvpn/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/openvpn.service
# Enable start on boot
systemctl enable openvpn.service
# Run the start step below only once all certificates are in place (see the certificate steps that follow)
systemctl start openvpn.service
Certificate generation
# The following steps can be done in /opt
cd /opt
# Download the easy-rsa source; you can also open https://github.com/OpenVPN/easy-rsa/ and download the package from the page
wget https://github.com/OpenVPN/easy-rsa/archive/v3.0.8.tar.gz
tar -zxf v3.0.8.tar.gz
# The archive extracts to easy-rsa-3.0.8; rename it to the directory name used below
mv easy-rsa-3.0.8 easyrsa-3.0.8
# Create the global configuration file vars from /opt/easyrsa-3.0.8/easyrsa/vars.example
cp -a vars.example vars
Edit vars, uncomment the following section and set the values to:
# Country
set_var EASYRSA_REQ_COUNTRY "CN"
# Province
set_var EASYRSA_REQ_PROVINCE "SH"
# City
set_var EASYRSA_REQ_CITY "Shanghai"
# Organization
set_var EASYRSA_REQ_ORG "going-link"
# E-mail
set_var EASYRSA_REQ_EMAIL "devops@going-link.com"
# Organizational unit
set_var EASYRSA_REQ_OU "ZY SRE"
# Key length
set_var EASYRSA_KEY_SIZE 2048
# Algorithm
set_var EASYRSA_ALGO rsa
# CA certificate lifetime, in days
set_var EASYRSA_CA_EXPIRE 36500
# Lifetime of issued certificates, in days
set_var EASYRSA_CERT_EXPIRE 36500
Initialisation
# Initialise: this creates a pki directory under the current directory to hold intermediate files and the final certificates
[root@openvpn-test easyrsa-3.0.8]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: /opt/easyrsa-3.0.8/vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /opt/easyrsa-3.0.8/pki
# The next command prompts three times; "openvpn" was entered each time
You must enter a PEM pass phrase twice; remember this passphrase, otherwise you will not be able to sign certificates later.
You must also enter a common name, e.g. openvpn; pick any unique name you like.
[root@openvpn-test easyrsa-3.0.8]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: /opt/easyrsa-3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
........................................................................+++
...........................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:openvpn
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/opt/easyrsa-3.0.8/pki/ca.crt
# Generate the server certificate: create a key pair for the server and sign it locally. The nopass argument produces a key without a passphrase; during this step you will be asked for the CA passphrase
[root@openvpn-test easyrsa-3.0.8]# ./easyrsa build-server-full server nopass
Note: using Easy-RSA configuration from: /opt/easyrsa-3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
.......................+++
................................................................................+++
writing new private key to '/opt/easyrsa-3.0.8/pki/easy-rsa-1481.PXXyP3/tmp.mEDrIz'
-----
Using configuration from /opt/easyrsa-3.0.8/pki/easy-rsa-1481.PXXyP3/tmp.JR0Kim
Enter pass phrase for /opt/easyrsa-3.0.8/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Dec 26 07:34:11 2120 GMT (36500 days)
Write out database with 1 new entries
Data Base Updated
# Create the Diffie-Hellman parameters, which let keys be exchanged safely across an untrusted network; this takes a while, be patient
[root@openvpn-test easyrsa-3.0.8]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: /opt/easyrsa-3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
....+....+....+....  (several thousand progress characters omitted)  ++*++*
DH parameters of size 2048 created at /opt/easyrsa-3.0.8/pki/dh.pem
# Generate client certificates
Create a key pair for each client and sign it locally. The nopass argument produces a key without a passphrase; each of these steps asks you for the CA passphrase.
./easyrsa build-client-full client nopass # no passphrase; not recommended in real deployments, a passphrase on the client key improves security
./easyrsa build-client-full admin # prompts for a passphrase, which is required later when the VPN connects
[root@openvpn-test easyrsa-3.0.8]# ./easyrsa build-client-full admin
Note: using Easy-RSA configuration from: /opt/easyrsa-3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017
Generating a 2048 bit RSA private key
................................................................+++
.........................................+++
writing new private key to '/opt/easyrsa-3.0.8/pki/easy-rsa-2404.hmwDSR/tmp.rUVXnm'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /opt/easyrsa-3.0.8/pki/easy-rsa-2404.hmwDSR/tmp.SZYKPS
Enter pass phrase for /opt/easyrsa-3.0.8/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'admin'
Certificate is to be certified until Dec 26 07:48:37 2120 GMT (36500 days)
Write out database with 1 new entries
Data Base Updated
# Generate ta.key to strengthen security
openvpn --genkey secret ta.key
This hardens the authentication (the tls-auth HMAC on the control channel) against attacks. If the option is enabled in the configuration file (it is enabled by default), run the command above and place ta.key in /etc/openvpn/server.
In the server configuration file the second parameter of this directive is 0; the client must also have this file, and in client.conf the second parameter of the same directive must be 1. [If the server has this setting, the client must have it too.]
# Collect the server certificates
mkdir -p /etc/openvpn/server/
cp -a /opt/easyrsa-3.0.8/pki/ca.crt /etc/openvpn/server/
cp -a /opt/easyrsa-3.0.8/pki/private/server.key /etc/openvpn/server/
cp -a /opt/easyrsa-3.0.8/pki/issued/server.crt /etc/openvpn/server/
cp -a /opt/easyrsa-3.0.8/pki/dh.pem /etc/openvpn/server/
cp -a /opt/easyrsa-3.0.8/ta.key /etc/openvpn/server/
Open the port
# Start the firewall
systemctl start firewalld
# Open UDP port 1194
firewall-cmd --zone=public --add-port=1194/udp --permanent
# Reload for the change to take effect
firewall-cmd --reload
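The configuration files that sections 2 and 3 describe (routed mode, client-to-client, a route back into the private network behind the Client node) and that section 4.1 references but never lists (server.conf, and client.conf with the two tls-auth directions) can be generated with the script below. It is an added example, not the original post's code. The private subnets 10.0.1.0/24 (behind the Server in Huawei Cloud 1) and 10.0.2.0/24 (behind the Client in Huawei Cloud 2), the VPN pool 10.8.0.0/24, the ccd directory and the client CN "client" are assumptions; the certificate paths and the Server's public IP come from the post.

```bash
#!/bin/sh
# Added example, not the original post's code. Generates the server.conf,
# the per-client ccd entry and the client .ovpn for the routed
# client-to-client design of sections 2-3, using the certificate paths of 4.1.
# Subnets, VPN pool, ccd directory and client CN are constructed assumptions.
set -eu

VPN_POOL="10.8.0.0 255.255.255.0"        # assumption: address pool handed to VPN nodes
CLOUD1_NET="10.0.1.0 255.255.255.0"      # assumption: private subnet behind the Server (Huawei Cloud 1)
CLOUD2_NET="10.0.2.0 255.255.255.0"      # assumption: private subnet behind the Client (Huawei Cloud 2)
SERVER_PUBLIC_IP="121.3.233.234"         # Server EIP from section 3
CLIENT_CN="client"                       # CN issued with "build-client-full client" in 4.1
CCD_DIR="/etc/openvpn/server/ccd"        # assumption: per-client config directory

# server.conf: routed mode (dev tun); client-to-client lets VPN nodes reach each
# other; the pushed route sends Cloud 2 traffic for Cloud 1 into the tunnel;
# "route" plus the ccd iroute tell the server that CLOUD2_NET sits behind CLIENT_CN.
# CLOUD2_NET is deliberately not pushed to clients: the Cloud 2 node already owns
# that subnet directly, and pushing it would overlay its own LAN route.
gen_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
server $VPN_POOL
client-to-client
client-config-dir $CCD_DIR
push "route $CLOUD1_NET"
route $CLOUD2_NET
remote-cert-tls client
keepalive 10 120
persist-key
persist-tun
verb 3
EOF
}

# ccd/<CN>: iroute binds CLOUD2_NET to the client whose certificate CN matches.
gen_ccd_entry() {
  echo "iroute $CLOUD2_NET"
}

# Client side: the same ta.key with direction 1, and remote-cert-tls so it
# refuses a server certificate that was not issued with the server role.
gen_client_conf() {
  cat <<EOF
client
dev tun
proto udp
remote $SERVER_PUBLIC_IP 1194
resolv-retry infinite
nobind
ca ca.crt
cert $CLIENT_CN.crt
key $CLIENT_CN.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
verb 3
EOF
}

# Check the tls-auth rule from 4.1: both sides carry the directive, server
# direction 0, client direction 1. Prints the reason and returns 1 on a mismatch.
check_tls_auth_pair() {
  srv_dir=$(printf '%s\n' "$1" | awk '$1=="tls-auth"{print $3}')
  cli_dir=$(printf '%s\n' "$2" | awk '$1=="tls-auth"{print $3}')
  [ "$srv_dir" = "0" ] || { echo "server tls-auth direction must be 0 (got '$srv_dir')"; return 1; }
  [ "$cli_dir" = "1" ] || { echo "client tls-auth direction must be 1 (got '$cli_dir')"; return 1; }
  echo "tls-auth directions ok"
}

# Write all three files under a directory (use /etc/openvpn/server on the real host).
write_configs() {
  mkdir -p "$1/ccd"
  gen_server_conf > "$1/server.conf"
  gen_ccd_entry   > "$1/ccd/$CLIENT_CN"
  gen_client_conf > "$1/$CLIENT_CN.ovpn"
  check_tls_auth_pair "$(cat "$1/server.conf")" "$(cat "$1/$CLIENT_CN.ovpn")"
}
```

Two things the script cannot do for you: IP forwarding (net.ipv4.ip_forward=1) must be enabled on both VPN nodes, and the gateway route-table entry from section 3 must cover 10.0.2.0/24 as well as the VPN pool if Cloud 1 machines other than the Server are to reach Cloud 2. The iroute/ccd pairing is also where per-network access control starts: a client without a ccd entry cannot announce a subnet behind it.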
5. Analysis of difficult points
6. Sticking points and solutions
6.1. After building and installing openvpn by hand, the service fails to start with "No such file or directory"?
Remember to pass --enable-systemd to configure, and make sure the extracted openvpn directory is under /etc; otherwise you must change the working directory inside the service unit.
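The failure in 6.1 is usually a working-directory problem: systemd runs ExecStart from the unit's WorkingDirectory, so a relative "--config server.conf" is resolved against that directory, and if the directory or the file is not where the unit expects, OpenVPN reports "No such file or directory". The script below, an added example rather than the post's own, parses a unit file's text, resolves the --config argument the same way and reports whether that file exists; the sample unit texts and the temporary directory it uses are constructed.

```bash
#!/bin/sh
# Added example, not the original post's code: diagnose the 6.1 failure by
# resolving the --config argument of a systemd unit's ExecStart against its
# WorkingDirectory, the way systemd/OpenVPN will, and checking the file exists.
set -eu

# Value of key $2 in the unit text given as $1 (last occurrence wins, like systemd).
unit_value() {
  printf '%s\n' "$1" | awk -F= -v k="$2" '$1==k { v=substr($0, length(k)+2) } END { print v }'
}

# Resolve the --config argument of ExecStart. Absolute paths are used as-is;
# relative ones are joined to WorkingDirectory (or the caller's cwd if unset).
resolve_config_path() {
  exec_line=$(unit_value "$1" ExecStart)
  workdir=$(unit_value "$1" WorkingDirectory)
  cfg=$(printf '%s\n' "$exec_line" | awk '{ for (i=1; i<NF; i++) if ($i=="--config") { print $(i+1); exit } }')
  case "$cfg" in
    "")  return 1 ;;
    /*)  echo "$cfg" ;;
    *)   echo "${workdir:-$(pwd)}/$cfg" ;;
  esac
}

# Print a verdict; return 0 only if the config OpenVPN would open actually exists.
check_unit() {
  path=$(resolve_config_path "$1") || { echo "error: ExecStart has no --config argument"; return 1; }
  if [ -f "$path" ]; then
    echo "ok: config found at $path"
  else
    echo "error: $path does not exist (OpenVPN reports 'No such file or directory')"
    return 1
  fi
}

# Constructed demonstration: the post's ExecStart line with a WorkingDirectory
# that holds server.conf, and with one that points somewhere else.
demo() {
  tmp=$(mktemp -d)
  : > "$tmp/server.conf"
  good="[Service]
WorkingDirectory=$tmp
ExecStart=/usr/local/openvpn/sbin/openvpn --config server.conf"
  bad="[Service]
WorkingDirectory=$tmp/wrong
ExecStart=/usr/local/openvpn/sbin/openvpn --config server.conf"
  check_unit "$good"
  check_unit "$bad" || true   # the 6.1 symptom: server.conf is not under the unit's working directory
  rm -rf "$tmp"
}
```

Run check_unit against the real unit (for example check_unit "$(cat /usr/lib/systemd/system/openvpn.service)") after editing ExecStart, before the first systemctl start; it tells you the exact path the service will try to open.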
6.2. The Windows client cannot connect to the server
References
Source: oschina
Link: https://my.oschina.net/randolphcyg/blog/4915100