
Interconnecting private networks with OpenVPN

Requirement

Make the NAS in the rented apartment reachable over SMB from the office, and, once the OpenVPN tunnel is up, send only traffic between OpenVPN clients through OpenVPN; all other traffic keeps its original route.

Tools

  • OpenVPN server (Ubuntu)
  • OpenVPN clients (Windows, CentOS)

Steps

  • Install OpenVPN on the Ubuntu machine: curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh && bash openvpn-install.sh
  • Edit the OpenVPN server configuration file: vim /etc/openvpn/server.conf
; server-side configuration
port 1194
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
# allow clients to talk to each other through the server
client-to-client
server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_JFIAtsavKPr9oaij.crt
key server_JFIAtsavKPr9oaij.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log /var/log/openvpn.log
# allow several clients to use the same client configuration (same certificate)
duplicate-cn
verb 3

  • The client configuration generated by OpenVPN is a .ovpn file in the home directory of the user name you chose during installation; edit it as follows:
client
proto tcp
remote <public IP> <port>
dev tun
resolv-retry infinite
nobind
# set this to your normal default DNS server address
dhcp-option DNS 192.168.5.1
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_JFIAtsavKPr9oaij name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
;setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...... (omitted)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...... (omitted)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...... (omitted)
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...... (omitted)
-----END OpenVPN Static key V1-----
</tls-crypt>

  • Install the OpenVPN client on Windows: scoop install openvpn
  • Install the OpenVPN client on CentOS: yum -y install openvpn. On CentOS the client is started with: openvpn --config /data/openvpn/com-lan.ovpn --daemon
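Two lines in the server configuration above carry the whole requirement: client-to-client is what lets the office client reach the apartment client, and the absence of any push "redirect-gateway ..." line (the install script's default full-tunnel configuration pushes one) is what keeps all other traffic on its normal route. duplicate-cn is convenient but means one certificate is shared by several devices, so revoking it cuts off all of them and per-client ccd entries cannot tell them apart. The checker below is an added example, not part of the original post or of the openvpn-install project: it parses the server.conf/.ovpn pair and flags exactly those points plus any mismatch in the transport and crypto settings the two sides must agree on. Both embedded configurations are constructed, abridged copies of the ones above; vpn.example.invalid and the server.crt/server.key names are placeholders.

```python
# Added example, not part of the original post: a consistency checker for the
# server.conf / client .ovpn pair. It parses OpenVPN's "directive args" lines
# (comments, quoted args and inline <ca>...</ca> blocks) and checks the
# properties the setup depends on. Both configs are constructed, abridged
# copies of the post's; the remote host and certificate names are placeholders.
import re
import shlex

SERVER_CONF = """\
; server-side configuration (abridged)
port 1194
proto tcp
topology subnet
# allow clients to reach each other through the server
client-to-client
server 192.168.10.0 255.255.255.0
tls-crypt tls-crypt.key
ca ca.crt
cert server.crt
key server.key
auth SHA256
cipher AES-128-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
duplicate-cn
"""

CLIENT_OVPN = """\
client
proto tcp
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name server name
auth SHA256
cipher AES-128-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
;setenv opt block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
</ca>
"""


def parse_openvpn(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the argument list of every occurrence; <tag> blocks
    are recorded but their PEM payload is skipped, '#'/';' lines are comments."""
    cfg: dict[str, list[list[str]]] = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                      # inside <ca>, <key>, <tls-crypt>, ...
            block = None if line == f"</{block}>" else block
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            cfg.setdefault(block, []).append(["<inline>"])
            continue
        parts = shlex.split(line, comments=True)   # handles push "a b c"
        cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg


def check_pair(server_text: str, client_text: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings) for a server/client configuration pair."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    errors, warnings = [], []
    # Split tunnel: only client-to-client traffic may enter the tunnel, so the
    # server must not push a default route (a full-tunnel setup pushes one).
    if any(a and a[0].startswith("redirect-gateway") for a in s.get("push", [])):
        errors.append("server pushes redirect-gateway: all client traffic would be tunnelled")
    if "client-to-client" not in s:
        errors.append("server lacks client-to-client: clients cannot reach each other")
    # Transport and crypto settings both ends must agree on.
    for key in ("proto", "auth", "cipher", "tls-cipher", "tls-version-min"):
        sv, cv = s.get(key, [[]])[0], c.get(key, [[]])[0]
        if sv != cv:
            errors.append(f"{key} mismatch: server={sv} client={cv}")
    if "remote-cert-tls" not in c:
        warnings.append("client lacks 'remote-cert-tls server': a client cert could pose as the server")
    if "duplicate-cn" in s:   # convenience at the cost of per-client control
        warnings.append("duplicate-cn: one cert shared by several devices; revoking it cuts off "
                        "all of them and ccd/iroute entries cannot tell them apart")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(SERVER_CONF, CLIENT_OVPN)
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARN:", msg)
```

Run against the two embedded configurations it reports no errors and a single duplicate-cn warning; appending a push "redirect-gateway def1 bypass-dhcp" line to the server text, or changing the client's cipher, turns into an error. To check a real deployment, read /etc/openvpn/server.conf and the generated .ovpn into the two strings instead.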
