
OpenVPN installation guide

OpenVPN is open-source virtual private network software for creating encrypted point-to-point tunnels between hosts. It was written by James Yonan and is distributed under the GNU GPL. Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or remote users to the LAN at a central office. Instead of a real and rather complicated connection such as a leased digital line, a VPN creates virtual links carried over the Internet between an organization's private network and the remote site or user. A Virtual Private Network (VPN) is a very secure, reliable connection between a local area network (LAN) and another system. You can picture your router as the bridge joining the networks that connect to it. Your computer and the OpenVPN server (in this case the router itself) perform a handshake in which they authenticate each other with certificates. After authentication, client and server agree to trust each other and access to the server's network is allowed. OpenVPN uses the tun/tap device (available on almost every Linux distribution) and OpenSSL to authenticate, encrypt (when sending) and decrypt (when receiving) the traffic between the two sides, joining them into one network. This means that a user who connects to the OpenVPN server remotely can use services such as file sharing over Samba/NFS/FTP/SCP (by using the internal address on their machine, for example 192.168.1.1), browse the intranet, use other software and so on, as if they were sitting in the office. Deploying VPN software and hardware usually costs a lot of time and money; OpenVPN is a completely free open-source VPN solution. The steps to carry out are as follows:

1. Install OpenVPN

a. Install the related packages:

yum install openssl lzo pam openssl-devel lzo-devel pam-devel
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz

- Note: on some Linux distributions (CentOS 6, RedHat 6) the lzo package may have to be replaced by lzo2.

b. Build tools:

yum install make gcc-c++

Note:
+ Run the line above if gcc is not set up yet, or use another C compiler equivalent to GCC.
+ If you build from source you need the gcc-c++ package.

c. Install OpenVPN:

tar -xvf openvpn-2.2.2.tar.gz

cd openvpn-2.2.2
./configure
make
make install

2. Configure OpenVPN

A. Create the Certificate Authority (CA) certificate & key

- Go into the easy-rsa directory found in /usr/share/doc/openvpn-2.2.2 (this depends on the version you downloaded and set up; here it is openvpn-2.2.2) or in /usr/share/doc/packages/openvpn, and edit the following parameters in the vars file to suit you:
KEY_COUNTRY=VN
KEY_PROVINCE=Q3
KEY_CITY=HCM
KEY_ORG=OpenVPN-GocIT
KEY_EMAIL=admin@gocit.vn

- Then run the following commands:


. ./vars
./clean-all
./build-ca

The output of ./build-ca looks like this:

Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [VN]:
State or Province Name (full name) [Q3]:
Locality Name (eg, city) [HCM]:
Organization Name (eg, company) [OpenVPN-GocIT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:OpenVPN-CA
Email Address [admin@gocit.vn]:

- Create the certificate & key for the server:

./build-key-server server

- Create the certificate & key for the client:

./build-key hautp

Note: if you want to set a password on the client key, use build-key-pass instead. We do not bother with this here because we use Webmin to create the user accounts.

./build-key-pass hautp 123456

- Create the Diffie-Hellman parameters:

./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................+...........................................
...................+.............+.................+.........
......................................

- Key files - now set up the configuration for the OpenVPN server.


mkdir /etc/openvpn/config
cp /etc/openvpn/sample-config-files/server.conf /etc/openvpn/config

cd /etc/openvpn/easy-rsa/keys   # easy-rsa writes the generated files into its keys/ subdirectory (KEY_DIR in vars)
cp dh1024.pem server.key server.crt ca.crt /etc/openvpn/config
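Before the files copied above go live, it is worth checking that they fit together. The following shell script is an added example and not part of the original guide: it builds a throwaway CA, server certificate and client certificate with plain openssl commands in a temporary directory (constructed here so the script runs stand-alone; make_demo_pki, check_server_pki and the other function names are this example's own), then runs the checks you would run on the real ca.crt, server.crt and server.key produced by ./build-ca and ./build-key-server: that the certificate chains to the CA, that the private key matches the certificate, and that the server certificate carries the serverAuth extended key usage that build-key-server adds and plain build-key does not.

```shell
#!/bin/sh
# Added example, not part of the original guide. Sanity checks for the
# CA / server certificate / server key produced by easy-rsa, plus a
# throwaway PKI (constructed here with plain openssl) so the script can
# demonstrate the checks without touching /etc/openvpn.
set -u

# Build a throwaway CA, a server cert carrying extendedKeyUsage=serverAuth
# (as ./build-key-server does) and a plain client cert in directory $1.
# Runs in a subshell so the cd does not leak into the caller.
make_demo_pki() (
    mkdir -p "$1" && cd "$1" || exit 1
    openssl genrsa -out ca.key 2048 >/dev/null 2>&1 || exit 1
    openssl req -x509 -new -key ca.key -days 365 -subj "/CN=Demo-CA" \
        -out ca.crt >/dev/null 2>&1 || exit 1
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext
    for name in server client; do
        openssl genrsa -out "$name.key" 2048 >/dev/null 2>&1 || exit 1
        openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" \
            >/dev/null 2>&1 || exit 1
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1 || exit 1
    done
)

# Check 1: does certificate $2 chain to the CA certificate $1?
cert_signed_by_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does private key $2 belong to certificate $1? (compare RSA moduli)
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 3: is $1 really a server certificate? build-key-server adds
# extendedKeyUsage=serverAuth; a cert made with plain build-key lacks it and
# is rejected by clients configured with "remote-cert-tls server".
cert_is_server_cert() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# All three checks on a CA / cert / key triple; 0 only if every check passes.
check_server_pki() {
    cert_signed_by_ca "$1" "$2" && key_matches_cert "$2" "$3" && cert_is_server_cert "$2"
}

# Stand-alone demonstration on the throwaway PKI. For the real deployment run:
#   check_server_pki /etc/openvpn/config/ca.crt /etc/openvpn/config/server.crt /etc/openvpn/config/server.key
demo=$(mktemp -d)
if make_demo_pki "$demo"; then
    check_server_pki "$demo/ca.crt" "$demo/server.crt" "$demo/server.key" \
        && echo "server.crt/server.key: OK"
    check_server_pki "$demo/ca.crt" "$demo/client.crt" "$demo/client.key" \
        || echo "client.crt: not a server certificate (expected)"
fi
rm -rf "$demo"
```

The third check is the one that matters most operationally: a certificate signed by the same CA but without the server extension is still a valid client certificate, so a server started with it would work, while only the extended key usage lets clients tell the real server apart from any other holder of a CA-signed certificate.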

Enable IP forwarding (used for LAN routing)


vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p   # make the settings take effect
echo 1 > /proc/sys/net/ipv4/ip_forward

Configure the VPN server


- Copy the sample server.conf configuration file from the install source into /etc/openvpn/:

cp /root/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

- Edit the configuration file:

cd /etc/openvpn/
vi server.conf

local 192.168.1.200   # the network interface users connect to; this option can be omitted
port 199              # default is 1194
proto udp             # UDP protocol
dev tun               # use a tunnel; for bridging use dev tap0, and the rest of the config differs from tunnel mode
ca /etc/openvpn/easy-rsa/keys/ca.crt                # path to the ca.crt file
cert /etc/openvpn/easy-rsa/keys/openvpnserver.crt   # the file names must match what ./build-key-server produced (server.crt and server.key in step A)
key /etc/openvpn/easy-rsa/keys/openvpnserver.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0   # address range handed out to VPN clients; by default the server takes the first address, 10.8.0.1
;ifconfig-pool-persist ipp.txt  # lets a client get its previous IP back after losing the connection to the server; we use static IPs, so this parameter is not used
push "route 172.16.0.0 255.255.255.0"   # pushes a route for the 172.16.0.0 network to the client (called LAN Routing in Windows Server) so the VPN client can see the company's internal network
;push "route 192.168.1.200 255.255.255.0"   # in our lab the VPN client connects from the 192.168.1.0 network, so this route must not be added (with it the connection does not work); only add routes for the internal subnets that the outside client cannot reach
client-config-dir ccd   # used to assign static IPs to VPN clients
client-to-client        # lets VPN clients see each other; by default a client only sees the server

Quite simple. There are other parameters we do not use, such as:

;push "redirect-gateway"   # all of the VPN client's traffic (http, dns, ftp, ...) goes through the tunnel. This differs from push route, where only traffic for the internal network goes through the tunnel; with this option the internal network needs a NAT server and a DNS server
push "dhcp-option DNS 10.8.0.1"   # pushes a DNS (or, with WINS, a WINS) server address to the VPN client

Static IP file for each user:

After configuring the server, we configure the files in the ccd/ directory, one for each VPN user.

+ Create the ccd directory (/etc/openvpn/ccd):

mkdir /etc/openvpn/ccd

+ Create the profile for user hautp:

vi /etc/openvpn/ccd/hautp
ifconfig-push 10.8.0.2 10.8.0.1

With the configuration above, user hautp receives the IP 10.8.0.2. The IP pair declared in this line must be taken from the table below; each user gets one corresponding pair.

Start the VPN server:

cp /root/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
/etc/init.d/openvpn start

Check the log to resolve any errors.

Part 2: Setting up the OpenVPN client

Step 1: Download the OpenVPN build for Windows here: http://swupdate.openvpn.org/community/releases/openvpn-2.2.2-install.exe

Step 2: Run the default installation procedure. Then copy the files ca.crt, client.crt and client.key from the Linux server into the directory C:\Program Files\OpenVPN\config on the Windows XP machine.

Step 3: Use Notepad to edit the file C:\Program Files\OpenVPN\sample-config\client.ovpn:
client
dev tun                    # tunnel
proto udp                  # UDP protocol
remote 192.168.1.200 199   # IP and port of the OpenVPN server
nobind
persist-key
persist-tun
ca ca.crt                  # the server's CA certificate
cert hautp.crt             # certificate of user hautp
key hautp.key              # private key of user hautp
comp-lzo
verb 3

Save the file. Then copy client.ovpn into the directory C:\Program Files\OpenVPN\config on the Windows machine.

Step 4: Start OpenVPN GUI. An icon appears in the system tray at the bottom right of the screen. Right-click the icon and click Connect.
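As an added example that is not part of the original guide, the following POSIX shell script encodes two rules from the server configuration and ccd sections above: the /30 pairing rule for ifconfig-push lines (with server 10.8.0.0 255.255.255.0 in the default net30 topology, each client's client/server address pair must be the two usable addresses of one /30, i.e. last octets 1/2, 5/6, 9/10 and so on counted from the start of the pool, which is why 10.8.0.2 10.8.0.1 is a valid pair), and the warning that pushing a route for the network the client already sits on (192.168.1.0/24 in the lab) breaks the connection. The sample values are the guide's own, embedded as constructed strings; ccd_pair_ok, in_subnet, nets_overlap and check_guide_config are this example's names.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks for the ccd
# ifconfig-push pairs and the pushed routes used above. Sample values are
# the guide's own, embedded here as constructed strings.
set -u

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net30 rule for "ifconfig-push CLIENT SERVER": both addresses must be the
# two usable addresses of one /30 (last octets 1/2, 5/6, 9/10, ... counted
# from the start of the pool), which is what the Windows TAP driver expects.
ccd_pair_ok() {
    c=$(ip2int "$1"); s=$(ip2int "$2")
    if [ $(( c / 4 )) -ne $(( s / 4 )) ]; then return 1; fi   # not the same /30
    case "$(( c % 4 ))$(( s % 4 ))" in
        12|21) return 0 ;;
        *)     return 1 ;;   # a .0 or .3 offset is the network/broadcast address of the /30
    esac
}

# in_subnet IP NET MASK: is IP inside NET/MASK?
in_subnet() {
    i=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( i & m )) -eq $(( n & m )) ]
}

# nets_overlap NET1 MASK1 NET2 MASK2: do the two networks overlap? Used to
# catch a pushed route for the network the client already sits on.
nets_overlap() {
    in_subnet "$1" "$3" "$4" || in_subnet "$3" "$1" "$2"
}

# Values from the guide (constructed strings, not parsed from a real file).
POOL="10.8.0.0 255.255.255.0"            # server 10.8.0.0 255.255.255.0
CCD_HAUTP="10.8.0.2 10.8.0.1"            # /etc/openvpn/ccd/hautp
PUSHED_ROUTE="172.16.0.0 255.255.255.0"  # push "route 172.16.0.0 255.255.255.0"
CLIENT_LAN="192.168.1.0 255.255.255.0"   # the LAN hautp connects from

# Apply both checks to the guide's values; returns 0 if everything is consistent.
check_guide_config() {
    set -- $CCD_HAUTP $POOL
    if ! ccd_pair_ok "$1" "$2"; then
        echo "ccd: $1 $2 is not a valid /30 pair"; return 1
    fi
    if ! in_subnet "$1" "$3" "$4"; then
        echo "ccd: $1 is outside the server pool $3/$4"; return 1
    fi
    set -- $PUSHED_ROUTE $CLIENT_LAN
    if nets_overlap "$1" "$2" "$3" "$4"; then
        echo "route: $1/$2 overlaps the client's own LAN $3/$4"; return 1
    fi
    echo "ccd pair and pushed route look consistent"
}

check_guide_config
```

To check a real deployment, replace the four constructed strings with the values from your server.conf and ccd files; the route check is the one that catches the commented-out push "route 192.168.1.200 255.255.255.0" line from the guide, since that network is the one the lab client connects from.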