Building a bridged VPN with OpenVPN
Date: 2005-06-13 Source: blue_stone
This article describes a simple way to build a bridged VPN with OpenVPN. The server is Debian GNU/Linux sarge, brought up to date with apt-get dist-upgrade, kernel 2.4.27-1-686 (not recompiled), OpenVPN version 1.6.0+2.beta14-1 (installed with apt-get install openvpn). Client 1 is Debian GNU/Linux sid, kernel 2.6.8-1-k7 (not recompiled), OpenVPN version 1.99+2.beta17-1 (installed with apt-get install openvpn). Client 2 is Windows 2000 Advanced Server SP4 with OpenVPN 1.6 installed under C:\Program Files\OpenVPN (openvpn-1.6.0-install.exe downloaded from http://openvpn.sourceforge.net/ (http://umn.dl.sourceforge.net/sourceforge/openvpn/openvpn-1.6.0-install.exe) and run directly).
1 Network topology:
|
|  br0(eth1)       |------|  eth0                  tap0, ip: 192.168.0.101  |------|
|------------------|server|-------------------------------------------------|client|
|  ip: 192.168.0.3 |------|  ip: 1.2.3.4           eth0, ip: 5.6.7.8        |------|
|
| intranet
| 192.168.0.0/24
While the server's OpenVPN is stopped, the server talks to the intranet through eth1, whose IP address is 192.168.0.3/24.
Once the server's OpenVPN is started, the server talks to the intranet through br0, whose IP address is 192.168.0.3/24.
The client's IP address is 5.6.7.8; once the VPN is up, the client talks to the intranet through tap0 as 192.168.0.101/24.
2 Software installation
The server and client 1 additionally need bridge-utils and liblzo1, which can be installed with apt-get.
Client 2 needs no other special software.
3 Building the VPN
3.1 On the server, run openvpn --genkey --secret static.key to generate the key used to build the VPN; static.key is the file that holds the key. Copy this file to /etc/openvpn/ on the server and on client 1, and to the config directory under the OpenVPN installation directory on client 2.
3.2 Copy the following files to /etc/openvpn/; /etc/init.d/openvpn reads the *.conf files in that directory when it starts.
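Step 3.1 hands one shared secret to three hosts by hand. The script below, added here as an example and not part of the original article, checks a copy of static.key before it is used: owner-only permissions, the OpenVPN static key V1 layout (16 lines of 32 hex characters between the BEGIN and END markers), and a short fingerprint to compare across hosts. It assumes POSIX sh with GNU stat and sha256sum.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check a copy of
# static.key before it is used on the server or a client.
# Assumes POSIX sh plus GNU coreutils (stat -c, sha256sum).

# Return 0 when the key file is readable by its owner only (0600 or 0400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when the file has the OpenVPN static key V1 layout: BEGIN and END
# markers around exactly 16 lines of 32 hex characters (2048 key bits).
key_format_ok() {
    grep -q '^-----BEGIN OpenVPN Static key V1-----$' "$1" || return 1
    grep -q '^-----END OpenVPN Static key V1-----$' "$1" || return 1
    hexlines=$(grep -c -E '^[0-9a-f]{32}$' "$1" || true)
    [ "$hexlines" -eq 16 ]
}

# Print a 16-character fingerprint of the key material only (comments and
# markers excluded); run it on every host and compare, so a truncated or
# mismatched copy is caught before the tunnel is started.
key_fingerprint() {
    grep -E '^[0-9a-f]{32}$' "$1" | sha256sum | cut -c1-16
}

# Run all checks on one file; report the first failure on stderr.
check_static_key() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    key_mode_ok "$f" || { echo "$f: mode must be 0600, got $(stat -c '%a' "$f")" >&2; return 1; }
    key_format_ok "$f" || { echo "$f: not an OpenVPN static key V1 file" >&2; return 1; }
    echo "$f: ok, fingerprint $(key_fingerprint "$f")"
}

# Usage: check_static_key /etc/openvpn/static.key
```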
====================server's bridge-up====================
#!/bin/bash
###################################
# Set up Ethernet bridge on Linux #
###################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth1"
eth_ip="192.168.0.3"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
for t in $tap; do
    openvpn --mktun --dev $t
    echo "add tun $t"
done
brctl addbr $br
echo "add bridge $br"
brctl addif $br $eth
echo "add $eth to bridge $br"
for t in $tap; do
    brctl addif $br $t
    echo "add $t to bridge $br"
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    echo "set $t promisc mode"
done
ifconfig $eth 0.0.0.0 promisc up
echo "set $eth promisc mode"
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
echo "config $br with ip $eth_ip netmask $eth_netmask broadcast $eth_broadcast"
======================end of bridge-up========================
====================server's bridge-down======================
#!/bin/bash
######################################
# Tear Down Ethernet bridge on Linux #
######################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
ifconfig $br down
echo "bridge $br down"
brctl delbr $br
echo "delete bridge $br"
for t in $tap; do
    openvpn --rmtun --dev $t
    echo "delete tun $t"
done
======================end of bridge-down========================
====================server's openvpn.conf=======================
# Linux VPN server config file
port 1194
dev tap0
secret static.key
log-append /var/log/openvpn.log
fragment 1400
ping 10
ping-restart 35
ping-timer-rem
persist-tun
persist-key
comp-lzo
comp-noadapt
user nobody
group nogroup
verb 4
====================end of openvpn.conf========================
====================client 1's bridge-up========================
#!/bin/bash
###################################
# Set up Ethernet bridge on Linux #
###################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
# Client 1 uses 192.168.0.101/24 to communicate with the intranet
eth_ip="192.168.0.101"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
for t in $tap; do
    openvpn --mktun --dev $t
    echo "add tun $t"
done
brctl addbr $br
echo "add bridge $br"
for t in $tap; do
    brctl addif $br $t
    echo "add $t to bridge $br"
done
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
    echo "set $t promisc mode"
done
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
echo "config $br with ip $eth_ip netmask $eth_netmask broadcast $eth_broadcast"
======================end of bridge-up==========================
====================client 1's bridge-down======================
#!/bin/bash
######################################
# Tear Down Ethernet bridge on Linux #
######################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged together
tap="tap0"
ifconfig $br down
echo "bridge $br down"
brctl delbr $br
echo "delete bridge $br"
for t in $tap; do
    openvpn --rmtun --dev $t
    echo "delete tun $t"
done
======================end of bridge-down========================
====================client 1's openvpn.conf=====================
# Linux VPN client config file
# This file should be put into /etc/openvpn/
# Local and remote port used by OpenVPN.
# The local port can be set with the "lport" option and the remote port with "rport".
# By default, Debian's OpenVPN uses port 5000.
port 1194
#Tap device used by openvpn
dev tap0
# Enable static key encryption mode (non-TLS), using the shared secret file
# static.key generated with "openvpn --genkey --secret static.key".
secret static.key
# Append the log to /var/log/openvpn.log; the file is created if it does not
# exist.
log-append /var/log/openvpn.log
#VPN server's address
remote 1.2.3.4
fragment 1400
# Ping the remote once every 10 seconds over the TCP/UDP port
ping 10
# Restart if 35 seconds pass without receiving a ping from the remote
ping-restart 35
# Run the --ping-exit/--ping-restart timer only if we have a remote address;
# only the client has a remote address
ping-timer-rem
#Keep tun/tap device open across SIGUSR1 or --ping-restart
persist-tun
#Don't re-read key files across SIGUSR1 or --ping-restart
persist-key
#Use fast LZO compression -- may add up to 1 byte per packet for uncompressible
#data.
comp-lzo
#Don't use adaptive compression when --comp-lzo is specified
comp-noadapt
#Set UID to nobody after initialization.
user nobody
#Set GID to nogroup after initialization
group nogroup
#Set output verbosity to 4
#4 means "show parameters"
verb 4
====================end of openvpn.conf========================
====================client 2's openvpn.ovpn=====================
# Windows VPN client config file
# This file should be put into C:\Program Files\OpenVPN\config
# if you installed OpenVPN in C:\Program Files\OpenVPN
port 1194
dev tap
secret static.key
# Client 2 uses 192.168.0.101/24 to communicate with the intranet
ifconfig 192.168.0.101 255.255.255.0
log-append /var/log/openvpn.log
remote 1.2.3.4
fragment 1400
tap-sleep 1
ifconfig-nowarn
ip-win32 dynamic
ping 10
comp-lzo
comp-noadapt
verb 4
====================end of openvpn.ovpn========================
3.3 Starting the VPN
Start the VPN server first, then the VPN client.
3.3.1 To start the VPN server, run /etc/openvpn/bridge-up and then /etc/init.d/openvpn start; running /etc/init.d/openvpn start first fails.
3.3.2 To start the VPN client, run /etc/openvpn/bridge-up and then /etc/init.d/openvpn start.
3.3.3 When the VPN client is Windows, run net start openvpnservice.
3.4 Stopping the VPN
Stop the VPN client first, then the VPN server.
3.4.1 To stop the VPN client, run /etc/init.d/openvpn stop and then /etc/openvpn/bridge-down.
3.4.2 When the VPN client is Windows, run net stop openvpnservice.
3.4.3 To stop the VPN server, run /etc/init.d/openvpn stop and then /etc/openvpn/bridge-down.
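Steps 3.3.1 and 3.4.3 depend on a strict order on the server. The wrapper below, added here as an example and not part of the original article, enforces that order and refuses to start the daemon until the kernel actually reports eth1 and tap0 as ports of br0 (Linux lists a bridge's ports under /sys/class/net/<bridge>/brif/). Interface names and paths are the article's; pidof and the overridable SYSFS root are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: start and stop the
# server side in the order sections 3.3 and 3.4 require, and verify the
# bridge before OpenVPN is started. Interface names and paths are the
# article's (br0, eth1, tap0, /etc/openvpn/bridge-up, /etc/init.d/openvpn).
# SYSFS can be overridden so the check can be exercised against a
# constructed directory tree instead of the live kernel.
SYSFS="${SYSFS:-/sys}"

# Return 0 when bridge $1 exists and each remaining argument is one of its
# ports; the kernel exposes them as entries in /sys/class/net/<br>/brif/.
bridge_has_ports() {
    br="$1"; shift
    [ -d "$SYSFS/class/net/$br/brif" ] || return 1
    for port in "$@"; do
        [ -e "$SYSFS/class/net/$br/brif/$port" ] || return 1
    done
    return 0
}

# Assumption: pidof is available (it is on Debian) to detect a running daemon.
openvpn_running() {
    pidof openvpn >/dev/null 2>&1
}

start_vpn_server() {
    if openvpn_running; then
        echo "openvpn is already running; stop it first (section 3.4)" >&2
        return 1
    fi
    # 3.3.1: bridge first, daemon second; the reverse order fails.
    /etc/openvpn/bridge-up || return 1
    if ! bridge_has_ports br0 eth1 tap0; then
        echo "br0 does not carry eth1 and tap0; not starting openvpn" >&2
        /etc/openvpn/bridge-down
        return 1
    fi
    /etc/init.d/openvpn start
}

stop_vpn_server() {
    # 3.4.3: daemon first, then the bridge.
    /etc/init.d/openvpn stop
    /etc/openvpn/bridge-down
}

case "${1:-}" in
    start) start_vpn_server ;;
    stop)  stop_vpn_server ;;
esac
```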
4 References
4.1 OpenVPN home page http://openvpn.sourceforge.net/
4.2 Ethernet Bridging http://openvpn.sourceforge.net/bridge.html
4.3 Implementing OpenVPN http://fedoranews.org/contributors/florin_andrei/openvpn/
4.4 Quickly building an enterprise VPN with OpenVPN + Linux http://www.linuxaid.com.cn/articles/1/0/1052518204.shtml
Comments are welcome; contact me at blue_stone@xinhuanet.com