OpenVPN configuration

I currently have the following requirement: I have several crawlers in a China Tietong data center, and they now need to go out through China Mobile's network to fetch data. There is no other way, so I have to rely on OpenVPN, an excellent VPN package: deploy a VPN server inside the China Mobile data center, then have the crawlers dial into the Mobile network.
The environment is as follows:

Server side
OS: CentOS 5.4
IP: 115.160.167.108
Client side
An intranet host in the Tietong data center, with Internet access
OS: Windows
IP: 10.254.220.110

Configuration:
First configure the server side
[root@Server ~]# modinfo tun   (check whether the tun module is supported)
filename:       /lib/modules/2.6.18-164.el5/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
description:    Universal TUN/TAP device driver
srcversion:     9DE80B8421E85BE6D3B9E06
depends:        
vermagic:       2.6.18-164.el5 SMP mod_unload 686 REGPARM 4KSTACKS gcc-4.1
module_sig:     883f3504a9f782a581431131ff6a52711218ff0a0cb17a7f7462a56b587d3919a824faa39d2d786e0a0ee3f10e7a4b9f03efc5c87b418191eea5a66171
[root@Server ~]# yum install openssl openssl-devel
[root@Server ~]# cd /usr/local/src/
[root@Server src]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
[root@Server src]# tar -zxvf lzo-2.02.tar.gz
[root@Server src]# cd lzo-2.02
[root@Server lzo-2.02]#./configure
[root@Server lzo-2.02]#make
[root@Server lzo-2.02]#make install
[root@Server lzo-2.02]#cd ..
[root@Server src]#wget http://openvpn.net/release/openvpn-2.0.5.tar.gz
[root@Server src]#tar -zxvf openvpn-2.0.5.tar.gz
[root@Server src]#cd openvpn-2.0.5
[root@Server openvpn-2.0.5]# ./configure  --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/local/include/openssl --with-ssl-lib=/usr/local/lib
[root@Server openvpn-2.0.5]# make
[root@Server openvpn-2.0.5]# make install
[root@Server openvpn-2.0.5]# cd easy-rsa
[root@Server easy-rsa]# export D=`pwd` && export KEY_CONFIG=$D/openssl.cnf && export KEY_DIR=$D/keys && export KEY_SIZE=1024 && export KEY_COUNTRY=CN && export KEY_PROVINCE=GD && export KEY_CITY=SZ && export KEY_ORG="cmdi.com" && export KEY_EMAIL="XXXX@cmdi.com"
[root@Server easy-rsa]#./clean-all
[root@Server easy-rsa]#./build-ca   (generate the CA certificate)
Generating a 1024 bit RSA private key
................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: press Enter
State or Province Name (full name) [GD]: press Enter
Locality Name (eg, city) [SZ]: press Enter
Organization Name (eg, company) [cmdi.com]: press Enter
Organizational Unit Name (eg, section) []: enter cmdi.com
Common Name (eg, your name or your server's hostname) []: enter server
Email Address [XXXX@cmdi.com]: press Enter

[root@Server easy-rsa]#./build-key-server server   (create the server certificate and private key)

Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: press Enter
State or Province Name (full name) [GD]: press Enter
Locality Name (eg, city) [SZ]: press Enter
Organization Name (eg, company) [cmdi.com]: press Enter
Organizational Unit Name (eg, section) []: enter cmdi.com
Common Name (eg, your name or your server's hostname) []: enter server
Email Address [XXXX@cmdi.com]: press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: enter the password 123456
An optional company name []: enter cmdi.com
Using configuration from /usr/local/src/openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'cmdi.com'
organizationalUnitName:PRINTABLE:'cmdi.com'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'XXXX@cmdi.com'
Certificate is to be certified until Mar 19 08:15:31 2016 GMT (3650 days)
Sign the certificate? [y/n]: enter y


1 out of 1 certificate requests certified, commit? [y/n] enter y
Write out database with 1 new entries
Data Base Updated

[root@Server easy-rsa]#./build-key client1   (create a client certificate; each client must have its own certificate, and the names must differ)
Generating a 1024 bit RSA private key  
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: press Enter
State or Province Name (full name) [GD]: press Enter
Locality Name (eg, city) [SZ]: press Enter
Organization Name (eg, company) [cmdi.com]: press Enter
Organizational Unit Name (eg, section) []: enter cmdi.com
Common Name (eg, your name or your server's hostname) []: client1    # Important: the certificate generated for each client must have a different name.
Email Address [XXXX@cmdi.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: enter 123456
An optional company name []: enter cmdi.com
Using configuration from /usr/local/src/openvpn-2.0.5/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'GD'
localityName          :PRINTABLE:'SZ'
organizationName      :PRINTABLE:'cmdi.com'
organizationalUnitName:PRINTABLE:'cmdi.com'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'XXXX@cmdi.com'
Certificate is to be certified until Mar 19 08:22:00 2016 GMT (3650 days)
Sign the certificate? [y/n]: enter y


1 out of 1 certificate requests certified, commit? [y/n] enter y
Write out database with 1 new entries
Data Base Updated
Generate the remaining client certificates and keys in the same way
[root@Server easy-rsa]#./build-key client2   (generate client 2; the name is arbitrary as long as it is not repeated)
Note: when you reach the Common Name (eg, your name or your server's hostname) []: prompt, the name entered for each certificate must be different
[root@Server easy-rsa]#./build-dh   (create the Diffie-Hellman parameters)
[root@Server easy-rsa]#mkdir -p /etc/openvpn/keys
[root@Server easy-rsa]#cp keys/ca.crt /etc/openvpn/keys
[root@Server easy-rsa]#cp keys/server.crt  /etc/openvpn/keys
[root@Server easy-rsa]#cp keys/server.key /etc/openvpn/keys
[root@Server easy-rsa]#cp keys/dh1024.pem /etc/openvpn/keys
[root@Server easy-rsa]#cp ../sample-config-files/server.conf /etc/openvpn/
[root@Server easy-rsa]#vim /etc/openvpn/server.conf
Insert the following content:
local 115.160.167.108
port 1194
proto udp

dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

client-to-client
keepalive 10 120

comp-lzo

persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 4

push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 70.88.98.10"  # the nameserver IP address from the server's own /etc/resolv.conf; if there are several, keep adding them as below
push "dhcp-option DNS 8.8.8.8"

[root@Server easy-rsa]#cp ../sample-scripts/openvpn.init /etc/rc.d/init.d/openvpn
[root@Server easy-rsa]#chkconfig --add openvpn
[root@Server easy-rsa]#service openvpn start
[root@Server easy-rsa]#chkconfig openvpn on
Add a NAT rule so that the virtual network 10.8.0.0/24 can reach the Internet through this host's public address. The commands are as follows:
[root@Server easy-rsa]#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 115.160.167.108
[root@Server easy-rsa]#/etc/init.d/iptables save
[root@Server easy-rsa]#/etc/init.d/iptables restart
Note that the -o eth0 parameter may differ on different machines; check which NIC the public IP (115.160.167.108) is bound to
[root@Server easy-rsa]#echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@Server easy-rsa]#/sbin/sysctl -p   (make the setting take effect immediately)
[root@Server easy-rsa]#cd keys
[root@Server keys]#tar -zcvf mykeys.tar.gz ca.crt ca.key client1.crt client1.csr client1.key
Then find a way to download mykeys.tar.gz to the client machine, and afterwards delete mykeys.tar.gz from the server

Client configuration:
The server runs OpenVPN 2.0.5, so the OpenVPN GUI for Windows to download should be: openvpn-2.0.5-gui-1.0.3-install.exe
Download address: http://openvpn.se/files/install_ ... i-1.0.3-install.exe
Install the OpenVPN GUI following the on-screen instructions. After installation, go to the config directory under the installation folder and extract the certificate files from the packaged mykeys.tar.gz into that folder.
Then create a client.ovpn file in this directory, copy the following content into it and save it. Then right-click the OpenVPN GUI icon in the taskbar and choose Connect to connect to the VPN server.
client
dev tun
proto udp
remote 115.160.167.108 1194
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
Once the client has connected successfully, run ipconfig /all at a cmd prompt; you should see output similar to this:

Ethernet adapter Local Area Connection 3:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : TAP-Win32 Adapter V8
        Physical Address. . . . . . . . . : 00-FF-AA-B0-60-2B
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.8.0.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.252
        Default Gateway . . . . . . . . . : 10.8.0.5
        DHCP Server . . . . . . . . . . . : 10.8.0.5
        DNS Servers . . . . . . . . . . . : 10.8.0.1
                                            203.186.92.69
                                            8.8.8.8
        Lease Obtained. . . . . . . . . . : 2010年12月21日 9:13:52
        Lease Expires . . . . . . . . . . : 2010年12月21日 9:13:52

If a second machine needs to use the VPN, do the same configuration, replacing client1.crt, client1.csr and client1.key in the package with the corresponding client2.xxx files, and then change the corresponding key entries in client.ovpn.
2010-12-17 17:22
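As an added example (not from the original post), a small Python checker that parses an OpenVPN server.conf and client .ovpn of the kind shown above and reports the settings that must agree between the two sides: remote host/port versus local/port, proto, dev, comp-lzo on both sides or neither, that the client verifies the server certificate role, and that the client pulls pushed options. The embedded configs are constructed from the post's own files, trimmed to those directives.

```python
import shlex
# Constructed from the server.conf and client.ovpn in the post, trimmed to the directives that must agree.
SERVER_CONF = """
local 115.160.167.108
port 1194
proto udp
dev tun
comp-lzo
push "dhcp-option DNS 10.8.0.1"   # only honoured by clients that pull options
"""
CLIENT_OVPN = """
client
dev tun
proto udp
remote 115.160.167.108 1194
ns-cert-type server
comp-lzo
"""

def parse(text):
    """Map each directive to the list of argument lists it was given (directives may repeat)."""
    opts = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip()[0] in "#;":  # OpenVPN comment lines start with # or ;
            continue
        words = shlex.split(raw, comments=True)          # also drops trailing '# ...' comments
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def check_pair(server_text, client_text):
    """Return the inconsistencies between a server.conf and a client .ovpn; [] means they agree."""
    s, c = parse(server_text), parse(client_text)
    first = lambda o, k, d: o[k][0] if k in o else d  # first occurrence of a directive, or default
    problems = []
    remote = first(c, "remote", ["?"])
    host, port = remote[0], remote[1] if len(remote) > 1 else "1194"
    if (host, port) != (first(s, "local", ["?"])[0], first(s, "port", ["1194"])[0]):
        problems.append(f"client remote {host}:{port} does not match the server's local/port")
    for k in ("proto", "dev"):                           # must be identical on both sides
        if first(s, k, [None])[0] != first(c, k, [None])[0]:
            problems.append(f"'{k}' differs between server and client")
    if ("comp-lzo" in s) != ("comp-lzo" in c):           # 2.0.x needs it on both sides or neither
        problems.append("comp-lzo is enabled on only one side")
    if "ns-cert-type" not in c and "remote-cert-tls" not in c:
        problems.append("client does not verify the server certificate's role (ns-cert-type server)")
    if "client" not in c and "pull" not in c:            # without pull, pushed DNS options are ignored
        problems.append("client has neither 'client' nor 'pull', so pushed options are ignored")
    return problems

if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_OVPN) or "server.conf and client.ovpn agree")
```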

雷老师 (administrator)


I recently saw a one-click L2TP VPN install script online; sharing it with everyone: http://www.vpsyou.com/l2tp-vpn/

Teacher, my machine connects in through OpenVPN, but to access the intranet IPs, how should I set up iptables? The intranet IP range is 192.168.1.0/24
