Installing OpenVPN on CentOS 7 in bridged mode with password-only authentication

This article draws on:

1.https://www.emaculation.com/doku.php/bridged_openvpn_server_setup

2.https://serverfault.com/questions/622657/configure-firewalld-for-openvpn-server-bridge-in-fedora-20

3.https://www.linux.org.ru/forum/admin/10631949

Note: the Android and iOS clients have defective support for TAP adapters, so in theory Android and iOS do not support OpenVPN bridging.

Partial Android support: VPN Client Pro (paid, no root needed), OpenVPN Installer / OpenVPN Settings (free, root required).

A possible approach for Android and iOS is VAP: see this link

1. Software versions

CentOS – 7.9.2009
easy-rsa – 3.0.8
OpenVPN – 2.4.10

bridge-utils

2. Installation

Most steps from the earlier NAT-mode installation tutorial can be reused; only the differences are described here.

2.1 Configuring the bridge

Install bridge-utils

yum install bridge-utils

Run ip addr to find the server's address

[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:8f:c0:dd brd ff:ff:ff:ff:ff:ff
    inet 10.24.11.243/24 brd 10.24.11.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::f4f5:b7e6:943d:fd26/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::80e4:f8c5:e4fe:cf1/64 scope link flags 800 
       valid_lft forever preferred_lft forever

This gives the following information (the gateway is not in the ip addr output; it comes from the default route, see ip route):

IP address: 10.24.11.243
Subnet mask: 255.255.255.0 (/24 in CIDR notation)
Broadcast address: 10.24.11.255
Gateway address: 10.24.11.254

Create the bridge script

nano /etc/openvpn/openvpn-bridge

with the following content

#!/bin/sh
# Creates (start) or tears down (stop) the bridge br0 that joins the
# physical NIC and the persistent TAP device OpenVPN will use.

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above. Adjust the following four values
# to your own network (taken from the ip addr output above).
eth="ens32"
eth_ip_netmask="10.24.11.243/24"
eth_broadcast="10.24.11.255"
eth_gateway="10.24.11.254"

case "$1" in
start)
    # Create persistent TAP devices so OpenVPN can open them by name.
    for t in $tap; do
        openvpn --mktun --dev $t
    done

    brctl addbr $br
    brctl addif $br $eth

    for t in $tap; do
        brctl addif $br $t
    done

    for t in $tap; do
        ip addr flush dev $t
        ip link set $t promisc on up
    done

    # The IP address moves from the physical NIC to the bridge.
    ip addr flush dev $eth
    ip link set $eth promisc on up

    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $br
    ip link set $br up

    # Flushing the NIC removed the default route; restore it via the bridge.
    ip route add default via $eth_gateway
    ;;
stop)
    ip link set $br down
    brctl delbr $br

    for t in $tap; do
        openvpn --rmtun --dev $t
    done

    # Give the address and the default route back to the physical NIC.
    ip link set $eth promisc off up
    ip addr add $eth_ip_netmask broadcast $eth_broadcast dev $eth

    ip route add default via $eth_gateway
    ;;
*)
    echo "Usage:  openvpn-bridge {start|stop}"
    exit 1
    ;;
esac
exit 0

Set permissions

chmod 700 /etc/openvpn/openvpn-bridge
chown openvpn:openvpn /etc/openvpn/openvpn-bridge

2.2 Editing the server configuration

Comment out dev tun and replace it with dev tap0

Comment out the server line and replace it with server-bridge. The server-bridge syntax is:

server-bridge [gw] [mask] [start-IP] [end-IP]

Note: some tutorials put the server's own IP in [gw], others the real gateway. Having tried both: with the server's own address, clients can only reach the local subnet, and if there are several VLANs the other subnets are unreachable. The correct value is therefore the real gateway.

Edit

nano /etc/openvpn/server/server.conf

with the following content
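As an added example (not from the article or the guides it references), the following Python script does the bookkeeping behind sections 2.1 and 2.2: it reads the address, prefix and broadcast of the physical interface from ip addr output (a constructed copy of the output shown above is embedded), produces the four variables the bridge script needs, and checks a server-bridge line. The checks are that gateway, start-IP and end-IP lie inside the LAN subnet and that the client pool contains neither the server's own address nor the gateway; the pool must also be excluded from the LAN's DHCP scope, which the script cannot know. The interface name and the gateway are passed in explicitly, because the gateway does not appear in ip addr output.

```python
"""Derive bridge parameters from `ip addr` output and validate server-bridge.

Added example; the sample output and the checks below are this example's own,
not part of the original article.
"""
import ipaddress
import re

# Constructed sample: the ens32 block of the `ip addr` output quoted in the article.
SAMPLE_IP_ADDR = """\
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:8f:c0:dd brd ff:ff:ff:ff:ff:ff
    inet 10.24.11.243/24 brd 10.24.11.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
"""

# "inet <addr/prefix> brd <broadcast> ... <label>"; the label is the last token.
INET_RE = re.compile(r"^[ \t]+inet (\S+) brd (\S+) .* (\S+)$", re.MULTILINE)


def primary_ipv4(ip_addr_output, ifname):
    """Return (IPv4Interface, broadcast address) of the first IPv4 address on ifname."""
    for m in INET_RE.finditer(ip_addr_output):
        if m.group(3) == ifname:
            return ipaddress.ip_interface(m.group(1)), ipaddress.ip_address(m.group(2))
    raise LookupError(f"no IPv4 address with a broadcast found on {ifname}")


def bridge_variables(ip_addr_output, ifname, gateway):
    """Produce the four values the openvpn-bridge script expects."""
    iface, brd = primary_ipv4(ip_addr_output, ifname)
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is not inside {iface.network}")
    if brd != iface.network.broadcast_address:
        raise ValueError("broadcast address does not match the prefix length")
    return {
        "eth": ifname,
        "eth_ip_netmask": iface.with_prefixlen,
        "eth_broadcast": str(brd),
        "eth_gateway": str(gw),
    }


def check_server_bridge(line, server_ip):
    """Return a list of problems with a `server-bridge gw mask start end` line.

    An empty list means the line is consistent with the server's own address.
    """
    parts = line.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        return ["expected: server-bridge <gw> <mask> <start-IP> <end-IP>"]
    _, gw_s, mask, start_s, end_s = parts
    network = ipaddress.ip_network(f"{gw_s}/{mask}", strict=False)
    gw, start, end = (ipaddress.ip_address(x) for x in (gw_s, start_s, end_s))
    server = ipaddress.ip_address(server_ip)

    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    for name, addr in (("start-IP", start), ("end-IP", end)):
        if addr not in network:
            problems.append(f"{name} {addr} is outside {network}")
    # Handing out the gateway or the server's own address to a client breaks the LAN.
    for name, addr in (("gateway", gw), ("server address", server)):
        if start <= addr <= end:
            problems.append(f"{name} {addr} lies inside the client pool")
    if start == network.network_address or end == network.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    print(bridge_variables(SAMPLE_IP_ADDR, "ens32", "10.24.11.254"))
    print(check_server_bridge(
        "server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190", "10.24.11.243"))
```

Run it against the output of ip addr on the server (for example by piping it into primary_ipv4) before copying values into the bridge script, and rerun check_server_bridge whenever the pool or the LAN prefix changes.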

port 1194
proto tcp
#dev tun
dev tap0
#dev-node tap-bridge
user openvpn
group openvpn

# Certificate settings
ca /etc/openvpn/server/easy-rsa/pki/ca.crt
cert /etc/openvpn/server/easy-rsa/pki/issued/server.crt
key /etc/openvpn/server/easy-rsa/pki/private/server.key
dh /etc/openvpn/server/easy-rsa/pki/dh.pem
tls-auth /etc/openvpn/server/easy-rsa/ta.key 0

# Username/password authentication
script-security 3
auth-user-pass-verify "/etc/openvpn/server/user/checkpsw.sh" via-env
verify-client-cert none
username-as-common-name
client-to-client
duplicate-cn

# Network settings
#server 10.8.0.0 255.255.255.0
server-bridge 10.24.11.254 255.255.255.0 10.24.11.10 10.24.11.190
push "dhcp-option DNS 10.24.11.250"
push "dhcp-option DNS 114.114.114.114"
push "route 10.24.11.0 255.255.255.0"
push "route 10.24.0.0 255.255.0.0"
push "route 172.20.0.0 255.255.0.0"
push "route 10.244.0.0 255.255.0.0"

compress lzo
cipher AES-256-CBC
keepalive 10 120
persist-key
persist-tun
verb 3

log /var/log/openvpn/server.log
log-append /var/log/openvpn/server.log
status /var/log/openvpn/status.log
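The configuration above authenticates clients with auth-user-pass-verify in via-env mode: OpenVPN places the client's credentials in the environment variables username and password and treats an exit status of 0 as success, which is why script-security 3 is required. The article's checkpsw.sh comes from the earlier NAT tutorial and is not shown here; as an added example that is not that script, the following Python verifier does the same job against a file of salted PBKDF2 hashes instead of plaintext passwords. The credential file path, the record format and the sample users are this example's own assumptions. Because the server drops to user openvpn, the credential file must be readable by that account and nobody else.

```python
"""Password verifier for `auth-user-pass-verify <script> via-env`.

Added example, not the article's checkpsw.sh. OpenVPN exports the client's
credentials as the environment variables `username` and `password`; exit 0
accepts the client, anything else rejects it.
"""
import hashlib
import hmac
import os
import sys

CREDENTIALS_FILE = "/etc/openvpn/server/user/psw-hashed"  # assumed path, not from the article
ITERATIONS = 100_000
DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same as wrong passwords


def make_record(username, password, salt):
    """Build one credential line: user:pbkdf2_sha256:iterations:salt_hex:hash_hex."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{username}:pbkdf2_sha256:{ITERATIONS}:{salt.hex()}:{digest.hex()}"


def parse_records(text):
    """Parse the credential file; usernames may not contain ':' in this format."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, scheme, iters, salt_hex, hash_hex = line.split(":")
        db[user] = (scheme, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return db


def verify(username, password, db):
    """Return True only if password matches the stored hash for username."""
    record = db.get(username)
    if record is None:
        # Do a full PBKDF2 anyway so a missing user is not distinguishable by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    scheme, iters, salt, expected = record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, expected)


# Constructed sample credential file with two users (salts chosen for the example).
SAMPLE_DB_TEXT = "\n".join([
    "# user:scheme:iterations:salt_hex:hash_hex",
    make_record("alice", "correct horse battery", bytes.fromhex("00112233445566778899aabbccddeeff")),
    make_record("bob", "hunter2", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
])


def main():
    """Entry point when OpenVPN runs this script: read env vars, exit 0 on success."""
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    with open(CREDENTIALS_FILE, encoding="utf-8") as f:
        db = parse_records(f.read())
    sys.exit(0 if verify(username, password, db) else 1)


if __name__ == "__main__":
    main()
```

To add a user, append the line make_record produces (with a fresh random salt, e.g. os.urandom(16)) to the credential file; the server never needs the plaintext again.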

2.3 Editing the service unit

Edit openvpn-server@.service

nano /usr/lib/systemd/system/openvpn-server@.service

Add the following two lines under [Service] (systemd runs ExecStartPre and ExecStopPost as root, so the bridge script executes with root privileges; edits under /usr/lib are overwritten on package updates, so a drop-in via systemctl edit openvpn-server@.service is the more durable place for them)

[Service]
ExecStartPre=/etc/openvpn/openvpn-bridge start
ExecStopPost=/etc/openvpn/openvpn-bridge stop

Reload systemd

systemctl daemon-reload

Restart the server (the instance name is the configuration file name without .conf, here server.conf)

systemctl restart openvpn-server@server.service

2.4 Configuring the firewall

The official documentation only gives an iptables version:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

After running them, save the rules

service iptables save

The firewalld equivalent is

firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i tap0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT

followed by a reload for the rules to take effect

firewall-cmd --reload

2.5 Configuring the client

Change dev tun to dev tap0

Edit C:\Program Files\OpenVPN\config\client.ovpn as follows

client
proto tcp
dev tap0
auth-user-pass
remote 10.24.11.243 1194
ca ca.crt
tls-auth ta.key 1

remote-cert-tls server
cipher AES-256-CBC
auth-nocache
persist-tun
persist-key
comp-lzo
verb 3
mute 10

3. Common problems

1. Clients get an address in the LAN subnet and can ping other subnets and the server's IP, but cannot ping other hosts in the same subnet

If the server runs in a virtual machine (e.g. ESXi, Hyper-V), first check that "allow MAC address spoofing" is enabled (on ESXi this is promiscuous mode and forged transmits on the port group)

The corresponding ESXi setting is shown below

Once that is enabled, check whether the firewall has NAT (masquerading) enabled and remove it.
