1 网络拓扑:

wKiom1m6ciSCg-UoAADV2tWC7j0377.jpg-wh_50

2 配置如下:

[root@Open***-S config]# cat  server.conf

# OpenVPN 2.3.3 server configuration (the startup log is shown further down the page).
# Listen address and port; the log confirms "UDPv4 link local (bound): [AF_INET]172.18.1.132:3889".
local 172.18.1.132

port 3889

proto udp

# Routed (layer-3) tunnel; the server side comes up as tun0 with address 10.8.0.1.
dev tun

# PKI material: CA, server certificate and server private key.
ca /root/open***-2.3.3/config/ca.crt

cert /root/open***-2.3.3/config/***S.crt

key /root/open***-2.3.3/config/***S.key  # This file should be kept secret

# 2048-bit DH parameters for the TLS control channel (log: "Diffie-Hellman initialized with 2048 bit key").
dh /root/open***-2.3.3/config/dh2048.pem

# Tunnel subnet: the server takes 10.8.0.1, clients get addresses from the pool
# (log: "IFCONFIG POOL: base=10.8.0.4 size=62"). No "topology" is set, so the
# PUSH_REPLY in the log shows the default "topology net30".
server 10.8.0.0 255.255.255.0

# Remember client -> tunnel address assignments across restarts.
# NOTE(review): the server log warns this "will not work with --duplicate-cn" (see below).
ifconfig-pool-persist /root/open***-2.3.3/config/ipp.txt

# Route the server-side LAN through the tunnel; the client log shows this route
# being added via 10.8.0.1 after the PUSH_REPLY.
push "route 192.168.40.0 255.255.255.0"

# Per-client option files named after the certificate CN: the log reads ccd/user1
# right after "VERIFY OK: depth=0, ... CN=user1".
client-config-dir /usr/local/open***/etc/ccd

# Kernel route for the LAN behind the client, via the tun interface; the matching
# "iroute" in ccd/user1 tells OpenVPN which connected client owns that subnet
# (log: "MULTI: internal route 192.168.20.0/24 -> user1/...").
route 192.168.20.0 255.255.255.0

# Let connected clients reach each other through the server.
client-to-client

# NOTE(review): lets several clients connect with the same certificate CN. The server
# log warns that combining it with --client-config-dir "is probably not what you want":
# the ccd entry, the fixed address and the iroute above are all keyed on CN=user1, so
# duplicate CNs undermine them, and one shared certificate also cannot be revoked for a
# single device. Issuing one certificate per client and removing this line is the
# conventional fix.
duplicate-cn

# Pushed to clients as "ping 10,ping-restart 120" (see the PUSH_REPLY in the log).
keepalive 10 120

# Additional HMAC on the control channel using a pre-shared static key; key
# direction 0 here, 1 on the client (log: "Control Channel Authentication: using '.../ta.key'").
tls-auth /root/open***-2.3.3/config/ta.key 0 # This file is secret

# Data-channel cipher. No "auth" directive is set, so the log shows the default
# 160-bit SHA1 HMAC for the data channel; NOTE(review): a stronger digest via
# "auth" (e.g. auth SHA256) is worth considering — it must be set identically on the client.
cipher AES-128-CBC   # AES

# LZO compression of the tunnel payload; the client sets comp-lzo as well.
comp-lzo

max-clients 100

# Drop root privileges after initialisation (log: "GID set to nobody", "UID set to nobody").
user nobody

group nobody

# Keep key material and the tun device open across restarts so they need not be
# re-opened after the privilege drop — presumably; confirm against the OpenVPN manual.
persist-key

persist-tun

# Log verbosity 3; "mute 20" limits repeated messages of the same category to 20 in a row.
verb 3

mute 20

[root@Open***-S config]# mkdir -p /usr/local/open***/etc/ccd

[root@Open***-S config]# vim /usr/local/open***/etc/ccd/user1

# Client-specific options for the certificate CN "user1"; the server reads this file
# when that client connects (log: "OPTIONS IMPORT: reading client specific options from: .../ccd/user1").
iroute 192.168.20.0 255.255.255.0 # protected subnet: the LAN behind this client (log: "internal route 192.168.20.0/24 -> user1")

ifconfig-push 10.8.0.30  10.8.0.1 # pin this client's tunnel address to 10.8.0.30; 10.8.0.1 is the server end

[root@Open***-C config]# cat client.conf

# OpenVPN 2.3.3 client configuration for user1 (the startup log is shown further down the page).
client

dev tun

proto udp

# Server address and port; must match "local"/"port" in server.conf.
remote 172.18.1.132 3889

# Retry resolving the remote host indefinitely instead of giving up.
resolv-retry infinite

# Do not bind a fixed local port (log: "UDPv4 link local: [undef]").
nobind

# Drop root privileges once the tunnel is up; the log notes the downgrade is delayed
# "because of --client, --pull, or --up-delay".
user nobody

group nobody

persist-key

persist-tun

reneg-sec 28800 # renegotiate the data-channel key every 8 hours (28800 s)

# PKI material: CA plus this client's certificate and private key (the key file is
# secret, just like the server's).
ca /root/open***-2.3.3/config/ca.crt

cert /root/open***-2.3.3/config/user1.crt

key  /root/open***-2.3.3/config/user1.key

# Same static key as the server, key direction 1 on the client side.
tls-auth  /root/open***-2.3.3/config/ta.key 1

# Require the server certificate to carry nsCertType=SERVER so that a client
# certificate issued by the same CA cannot be used to impersonate the server
# (log: "VERIFY OK: nsCertType=SERVER").
# NOTE(review): this is the legacy check; "remote-cert-tls server" is the current
# replacement, but it relies on the server certificate's extended key usage, so
# confirm how the server certificate was issued before switching.
ns-cert-type server

# Cipher and compression must match the server side.
cipher AES-128-CBC

comp-lzo

verb 3

mute 20

3 打印信息如下:

服务器

[root@Open***-S config]# /usr/local/sbin/open***  --config /root/open***-2.3.3/config/server.conf

Mon Sep  4 18:46:14 2017 Open*** 2.3.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 31 2017

Mon Sep  4 18:46:14 2017 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want

Mon Sep  4 18:46:14 2017 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn

Mon Sep  4 18:46:14 2017 Diffie-Hellman initialized with 2048 bit key

Mon Sep  4 18:46:14 2017 Control Channel Authentication: using '/root/open***-2.3.3/config/ta.key' as a Open*** static key file

Mon Sep  4 18:46:14 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:46:14 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:46:14 2017 Socket Buffers: R=[124928->131072] S=[124928->131072]

Mon Sep  4 18:46:14 2017 ROUTE_GATEWAY 172.18.1.254/255.255.254.0 IFACE=eth0 HWADDR=00:0c:29:8c:24:c0

Mon Sep  4 18:46:14 2017 TUN/TAP device tun0 opened

Mon Sep  4 18:46:14 2017 TUN/TAP TX queue length set to 100

Mon Sep  4 18:46:14 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Mon Sep  4 18:46:14 2017 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500

Mon Sep  4 18:46:14 2017 /sbin/route add -net 192.168.20.0 netmask 255.255.255.0 gw 10.8.0.2

Mon Sep  4 18:46:14 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2

Mon Sep  4 18:46:14 2017 GID set to nobody

Mon Sep  4 18:46:14 2017 UID set to nobody

Mon Sep  4 18:46:14 2017 UDPv4 link local (bound): [AF_INET]172.18.1.132:3889

Mon Sep  4 18:46:14 2017 UDPv4 link remote: [undef]

Mon Sep  4 18:46:14 2017 MULTI: multi_init called, r=256 v=256

Mon Sep  4 18:46:14 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0

Mon Sep  4 18:46:14 2017 IFCONFIG POOL LIST

Mon Sep  4 18:46:14 2017 Initialization Sequence Completed

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 TLS: Initial packet from [AF_INET]172.18.1.130:45045, sid=0824b2bd 6437e902

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 VERIFY OK: depth=1, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=Open***_CA, name=EasyRSA, emailAddress=admin@softown.cn

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 VERIFY OK: depth=0, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=user1, name=EasyRSA, emailAddress=admin@softown.cn

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Mon Sep  4 18:46:21 2017 172.18.1.130:45045 [user1] Peer Connection Initiated with [AF_INET]172.18.1.130:45045

Mon Sep  4 18:46:21 2017 user1/172.18.1.130:45045 OPTIONS IMPORT: reading client specific options from: /usr/local/open***/etc/ccd/user1

Mon Sep  4 18:46:21 2017 user1/172.18.1.130:45045 MULTI: Learn: 10.8.0.30 -> user1/172.18.1.130:45045

Mon Sep  4 18:46:21 2017 user1/172.18.1.130:45045 MULTI: primary virtual IP for user1/172.18.1.130:45045: 10.8.0.30

Mon Sep  4 18:46:21 2017 user1/172.18.1.130:45045 MULTI: internal route 192.168.20.0/24 -> user1/172.18.1.130:45045

Mon Sep  4 18:46:21 2017 user1/172.18.1.130:45045 MULTI: Learn: 192.168.20.0/24 -> user1/172.18.1.130:45045

Mon Sep  4 18:46:23 2017 user1/172.18.1.130:45045 PUSH: Received control message: 'PUSH_REQUEST'

Mon Sep  4 18:46:23 2017 user1/172.18.1.130:45045 send_push_reply(): safe_cap=940

Mon Sep  4 18:46:23 2017 user1/172.18.1.130:45045 SENT CONTROL [user1]: 'PUSH_REPLY,route 192.168.40.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.30 10.8.0.1' (status=1)

客户端

[root@Open***-C ~]# /usr/local/sbin/open***  --config /root/open***-2.3.3/config/client.conf

Mon Sep  4 18:45:16 2017 Open*** 2.3.3 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 31 2017

Mon Sep  4 18:45:16 2017 Control Channel Authentication: using '/root/open***-2.3.3/config/ta.key' as a Open*** static key file

Mon Sep  4 18:45:16 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:45:16 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:45:16 2017 Socket Buffers: R=[124928->131072] S=[124928->131072]

Mon Sep  4 18:45:16 2017 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay

Mon Sep  4 18:45:16 2017 UDPv4 link local: [undef]

Mon Sep  4 18:45:16 2017 UDPv4 link remote: [AF_INET]172.18.1.132:3889

Mon Sep  4 18:45:16 2017 TLS: Initial packet from [AF_INET]172.18.1.132:3889, sid=caab9acf 35e9a489

Mon Sep  4 18:45:16 2017 VERIFY OK: depth=1, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=Open***_CA, name=EasyRSA, emailAddress=admin@softown.cn

Mon Sep  4 18:45:16 2017 VERIFY OK: nsCertType=SERVER

Mon Sep  4 18:45:16 2017 VERIFY OK: depth=0, C=CN, ST=GD, L=SZ, O=softown, OU=softown_admin, CN=***S, name=EasyRSA, emailAddress=admin@softown.cn

Mon Sep  4 18:45:16 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

Mon Sep  4 18:45:16 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:45:16 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key

Mon Sep  4 18:45:16 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Mon Sep  4 18:45:16 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Mon Sep  4 18:45:16 2017 [***S] Peer Connection Initiated with [AF_INET]172.18.1.132:3889

Mon Sep  4 18:45:18 2017 SENT CONTROL [***S]: 'PUSH_REQUEST' (status=1)

Mon Sep  4 18:45:18 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.40.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.30 10.8.0.1'

Mon Sep  4 18:45:18 2017 OPTIONS IMPORT: timers and/or timeouts modified

Mon Sep  4 18:45:18 2017 OPTIONS IMPORT: --ifconfig/up options modified

Mon Sep  4 18:45:18 2017 OPTIONS IMPORT: route options modified

Mon Sep  4 18:45:18 2017 ROUTE_GATEWAY 172.18.1.254/255.255.254.0 IFACE=eth0 HWADDR=00:0c:29:b5:22:a8

Mon Sep  4 18:45:18 2017 TUN/TAP device tun0 opened

Mon Sep  4 18:45:18 2017 TUN/TAP TX queue length set to 100

Mon Sep  4 18:45:18 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

Mon Sep  4 18:45:18 2017 /sbin/ifconfig tun0 10.8.0.30 pointopoint 10.8.0.1 mtu 1500

Mon Sep  4 18:45:18 2017 /sbin/route add -net 192.168.40.0 netmask 255.255.255.0 gw 10.8.0.1

Mon Sep  4 18:45:18 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.1

Mon Sep  4 18:45:18 2017 GID set to nobody

Mon Sep  4 18:45:18 2017 UID set to nobody

Mon Sep  4 18:45:18 2017 Initialization Sequence Completed

4 测试
服务器 -> 客户端

[root@Open***-S config]# ping  10.8.0.30 #ping客户端隧道地址

PING 10.8.0.30 (10.8.0.30) 56(84) bytes of data.

64 bytes from 10.8.0.30: icmp_seq=1 ttl=64 time=0.615 ms

64 bytes from 10.8.0.30: icmp_seq=2 ttl=64 time=0.706 ms

64 bytes from 10.8.0.30: icmp_seq=3 ttl=64 time=0.911 ms

64 bytes from 10.8.0.30: icmp_seq=4 ttl=64 time=0.877 ms


--- 10.8.0.30 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3407ms

rtt min/avg/max/mdev = 0.615/0.777/0.911/0.123 ms

[root@Open***-S config]# ping  192.168.20.20 #ping客户端LAN地址

PING 192.168.20.20 (192.168.20.20) 56(84) bytes of data.

64 bytes from 192.168.20.20: icmp_seq=1 ttl=64 time=0.533 ms

64 bytes from 192.168.20.20: icmp_seq=2 ttl=64 time=0.689 ms

64 bytes from 192.168.20.20: icmp_seq=3 ttl=64 time=0.929 ms

64 bytes from 192.168.20.20: icmp_seq=4 ttl=64 time=0.936 ms


--- 192.168.20.20 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3412ms

rtt min/avg/max/mdev = 0.533/0.771/0.936/0.173 ms

[root@Open***-S ~]# ping  -I 192.168.40.40 192.168.20.20 #通过服务器LAN去ping客户端LAN地址

PING 192.168.20.20 (192.168.20.20) from 192.168.40.40 : 56(84) bytes of data.

64 bytes from 192.168.20.20: icmp_seq=1 ttl=64 time=0.497 ms

64 bytes from 192.168.20.20: icmp_seq=2 ttl=64 time=0.865 ms

64 bytes from 192.168.20.20: icmp_seq=3 ttl=64 time=0.712 ms

64 bytes from 192.168.20.20: icmp_seq=4 ttl=64 time=0.775 ms


--- 192.168.20.20 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3422ms

rtt min/avg/max/mdev = 0.497/0.712/0.865/0.136 ms

客户端 -> 服务器

[root@Open***-C config]# ping  10.8.0.1 #ping服务器隧道地址

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.788 ms

64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.877 ms

64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.951 ms

64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=0.684 ms


--- 10.8.0.1 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3476ms

rtt min/avg/max/mdev = 0.684/0.825/0.951/0.099 ms

[root@Open***-C config]# ping  192.168.40.40 #ping服务LAN地址

PING 192.168.40.40 (192.168.40.40) 56(84) bytes of data.

64 bytes from 192.168.40.40: icmp_seq=1 ttl=64 time=0.545 ms

64 bytes from 192.168.40.40: icmp_seq=2 ttl=64 time=0.953 ms

64 bytes from 192.168.40.40: icmp_seq=3 ttl=64 time=0.793 ms

64 bytes from 192.168.40.40: icmp_seq=4 ttl=64 time=0.949 ms


--- 192.168.40.40 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3335ms

rtt min/avg/max/mdev = 0.545/0.810/0.953/0.166 ms

[root@Open***-C ~]# ping -I 192.168.20.20 192.168.40.40 #通过客户端LAN去ping服务LAN地址

PING 192.168.40.40 (192.168.40.40) from 192.168.20.20 : 56(84) bytes of data.

64 bytes from 192.168.40.40: icmp_seq=1 ttl=64 time=0.617 ms

64 bytes from 192.168.40.40: icmp_seq=2 ttl=64 time=0.704 ms

64 bytes from 192.168.40.40: icmp_seq=3 ttl=64 time=0.652 ms

64 bytes from 192.168.40.40: icmp_seq=4 ttl=64 time=0.750 ms


--- 192.168.40.40 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3350ms

rtt min/avg/max/mdev = 0.617/0.680/0.750/0.059 ms