กำหนดให้ openvpn server 2 เครื่องคือ 192.168.2.21 ( primary ) and 192.168.2.22 ( slave )
กำหนด virtual ip 192.168.2.20 openvpn
กำหนด real ip 123.4.5.6 ( เป็น firewall ที่ทำการ forward port ไปที่ openvpn server )
[Server]
-
Install openvpn
sudo apt-get install openvpn
-
Copy files from /usr/share/doc/openvpn/examples/easy-rsa to /etc/openvpn
sudo mkdir /etc/openvpn/easy-rsa
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
-
Edit file vars
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines:
export KEY_COUNTRY="TH" #Change to your Country
export KEY_PROVINCE="CM" #Change to your Province
export KEY_CITY=""
export KEY_ORG=""
export KEY_EMAIL=""
-
Setup CA and create server certificate
cd /etc/openvpn/easy-rsa/
sudo chown -R root:admin .
sudo chmod g+w .
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
cd keys
openvpn --genkey --secret ta.key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
-
Create certificate file for client
cd /etc/openvpn/easy-rsa
source ./vars
./pkitool <client-name>
note : change <client-name> to the name of the user's machine; the generated <client-name>.crt and <client-name>.key in keys/ are what the client needs.
-
Configuring openvpn
sudo vi /etc/openvpn/server.conf
Change config :
local 192.168.2.20 #virtual ip for heartbeat
port 1194
# TCP or UDP server?
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh1024.pem
server 192.168.201.0 255.255.255.0 #virtual ip for tunnel
ifconfig-pool-persist ipp.txt
push "dhcp-option DOMAIN simdif.local"
push "dhcp-option DNS 192.168.2.1" #DNS
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.201.0 255.255.255.0"
client-to-client
tls-auth ta.key 0 # This file is secret
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 4
-
Restart service openvpn
sudo /etc/init.d/openvpn restart
- ทำขั้นตอน 1-7 อีกครั้งกับเครื่อง openvpn server อีกเครื่อง
-
Install heartbeat
sudo apt-get install heartbeat
-
Copy original config to /etc/ha.d/
cd /usr/share/doc/heartbeat
sudo cp ha.cf haresources authkeys /etc/ha.d/
-
Edit ha.cf
sudo vi /etc/ha.d/ha.cf
Check and edit the configuration:
debugfile /var/log/ha-debug
logfacility local0
keepalive 4
deadtime 60
warntime 10
initdead 120
udpport 694
bcast eth0 # Linux
auto_failback on
node openvpnserver01
node openvpnserver02
ping_group group1 192.168.2.21 192.168.2.22
-
Edit haresources
sudo vi /etc/ha.d/haresources
Change to :
openvpnserver01 192.168.2.20 openvpn
-
Edit authkeys
sudo vi /etc/ha.d/authkeys
Change to :
auth 2
2 sha1 test-ha
(test-ha is only a sample shared secret; pick your own value, and the file must be readable by root only — chmod 600 /etc/ha.d/authkeys — otherwise heartbeat refuses to start.)
-
Copy configuration file to 192.168.2.22
cd /etc/ha.d
scp ha.cf haresources authkeys username@192.168.2.22:
-
Go to 192.168.2.22 and copy file to /etc/ha.d
cd ~
sudo cp ha.cf haresources authkeys /etc/ha.d
-
Start heartbeat on the primary 192.168.2.21 and slave 192.168.2.22
sudo /etc/init.d/heartbeat start
-
Create firewall NAT both vpn server
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
(note: the redirection is performed by your own shell, not by sudo, so this only works from a root shell — e.g. sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward')
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-
Edit file /etc/rc.local
sudo vi /etc/rc.local
Add these 2 lines to the configuration file, before the final exit 0 (rc.local already runs as root, so sudo is not needed there):
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exit 0
[Client]
-
Install openvpn
sudo apt-get install openvpn
-
Copy the certificate files from the server (ca.crt, <client-name>.crt, <client-name>.key, ta.key) to /etc/openvpn
-
Edit configuration
sudo vi /etc/openvpn/client.conf
Change to :
client
dev tun
proto tcp
remote 123.4.5.6 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert <client-name>.crt
key <client-name>.key
tls-auth ta.key 1
comp-lzo
verb 3
log-append /var/log/openvpn.log
-
Restart service openvpn
sudo /etc/init.d/openvpn restart
-
Check connection
ifconfig
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.201.6  P-t-P:192.168.201.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:51111 (51.1 KB)  TX bytes:21776 (21.7 KB)