How to connect two networks with OpenVPN

OpenVPN is a very easy-to-use, SSL-encrypted, cross-platform open source VPN package. The OpenVPN articles we usually see all explain how to connect your own laptop to the company network over an insecure public network. That is not what we will cover today. The solution I want to implement today is how to permanently connect a company's headquarters and a branch office with OpenVPN, across an insecure public network.

OpenVPN is an easy-to-use open source VPN software based on SSL (Secure Sockets Layer) that offers cross-platform interoperability. The majority of OpenVPN tutorials I've found describe how users can connect to a corporate network from their laptops over insecure networks, such as the wireless network in a hotel. By contrast, the setup I'm about to describe is better suited for permanently connecting entire networks -- for example, branch offices to the headquarters of a company.

For this setup I'll assume that you have two networks, A and B, in different locations, both connected to the Internet with broadband. At each location you will need a Linux system acting as a router/firewall to serve as the VPN end point. I'm using two Asus WL-500G Deluxe routers running OpenWRT RC5 -- a Linux distribution for embedded routers -- but you're free to use the hardware and distribution of your choice. You can use one of the BSDs, Mac OS X, or even Windows; check the documentation on OpenVPN's homepage for a list of supported operating systems. If you use OpenBSD, have a look at the article Creating secure wireless access points with OpenBSD and OpenVPN.

The networks at both locations must use the same subnet -- for instance, 192.168.0.0/24 -- and in order to avoid conflicts, each computer at either location must have its own private IP address. A good practice is to use, for example, IP addresses 192.168.0.1 through 192.168.0.100 for computers on network A and 192.168.0.101 through 192.168.0.200 for network B. Reserve the range 192.168.0.201 through 192.168.0.254 for the routers and other network devices.
In this example, the router on network A (routerA) will have the IP address 192.168.0.253 and will be the server for the VPN, while the router on network B (routerB) will have the IP address 192.168.0.254 and will be the client. This setup runs OpenVPN in bridging mode, so on both routers you need to bridge the local network interface with the virtual interface tap0 used by OpenVPN. Issue

Now you need to create SSL certificates. It's good security practice to use a separate computer for this purpose, preferably one not connected to the Internet. OpenVPN provides scripts (called easy-rsa) to facilitate the procedure, so it's just a matter of answering a few simple questions. The creation of certificates is described in the PKI part of OpenVPN's How-To, so I'll just provide a list of the steps necessary for creating the required certificates:

    cd /usr/share/doc/openvpn/easy-rsa    (the path might be different on your distribution)
    . ./vars
    ./clean-all
    ./build-ca
    ./build-key-server routerA
    ./build-key routerB
    ./build-dh
    openvpn --genkey --secret keys/ta.key

On routerA, create the directory /etc/openvpn/keys by issuing

    # OpenVPN server configuration for routerA
    mode server
    proto udp
    port 1194
    # bridged (layer 2) mode: tap0 is the interface enslaved to the LAN bridge
    dev tap0
    # ping the peer every 10 seconds, restart after 120 seconds of silence
    keepalive 10 120
    daemon
    writepid /var/run/openvpn.pid
    comp-lzo
    max-clients 10
    # drop root privileges after initialisation
    user nobody
    group nogroup
    # keep keys and the tap device across restarts, since the unprivileged
    # chrooted daemon can no longer re-read them
    persist-key
    persist-tun
    verb 3
    mute 20
    client-to-client
    duplicate-cn
    # all relative paths below are resolved from this directory
    cd /etc/openvpn
    tls-server
    # HMAC-sign control channel packets; key direction 0 here, 1 on the client
    tls-auth keys/ta.key 0
    # Blowfish-CBC, the OpenVPN 2.0-era default; current releases default to AES-GCM
    cipher BF-CBC
    ca keys/ca.crt
    cert keys/routerA.crt
    key keys/routerA.key
    dh keys/dh1024.pem
    # chroot into /etc/openvpn/chroot after startup
    chroot chroot
    client-config-dir ccd

Paste the following lines into /etc/openvpn/client.conf on routerB, replacing 1.2.3.4 with routerA's public IP address. If you don't use an Internet connection with static IP addresses, you can use a dynamic DNS service, such as
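As an added example (not code from the original article), here is a small Python audit of the routerA server configuration above: it parses the OpenVPN directives and reports the settings a reviewer would want to reconsider today (tls-auth direction, privilege drop without persist-key, 64-bit block ciphers, small DH groups, compression). The embedded SERVER_CONF is a constructed subset of that configuration, and the function names and thresholds are my own.

```python
import re

# Constructed sample input: the security-relevant subset of the routerA
# server configuration shown above (not the complete file).
SERVER_CONF = """\
comp-lzo
user nobody
group nogroup
persist-key
tls-server
tls-auth keys/ta.key 0
cipher BF-CBC
dh keys/dh1024.pem
chroot chroot
"""

# Ciphers with a 64-bit block size (birthday-bound leakage after a few GB under one key).
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}

def parse_conf(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit_server_conf(text):
    """Return the hardening findings for an OpenVPN 2.x server configuration."""
    d = parse_conf(text)
    findings = []
    if "tls-auth" not in d:
        findings.append("tls-auth missing: control channel packets are not HMAC-authenticated")
    elif d["tls-auth"][1:2] not in ([], ["0"]):
        findings.append("tls-auth direction must be 0 on the server (1 on the client) or omitted on both")
    if ("user" in d or "chroot" in d) and "persist-key" not in d:
        findings.append("user/chroot without persist-key: key files cannot be re-read on a SIGUSR1 restart")
    cipher = (d.get("cipher") or ["BF-CBC"])[0]  # BF-CBC was the implicit default in OpenVPN 2.0-2.4
    if cipher.upper() in SMALL_BLOCK_CIPHERS:
        findings.append(f"cipher {cipher}: 64-bit block cipher, prefer AES-GCM")
    dh = re.search(r"dh(\d+)\.pem$", (d.get("dh") or [""])[0])
    if dh and int(dh.group(1)) < 2048:
        findings.append(f"dh{dh.group(1)}: Diffie-Hellman group below 2048 bits")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled: exposes the tunnel to VORACLE-style compression side channels")
    return findings
```

Running audit_server_conf(SERVER_CONF) on the sample reports the Blowfish cipher, the 1024-bit DH group and comp-lzo, while the tls-auth direction and the user/chroot plus persist-key combination pass.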