1.1. INSTALLING AND CONFIGURING OPENVPN
This example shows how to configure OpenVPN in the environment below (bridge mode). [172.16.2.1] is actually a private IP address; replace it with your global IP address.
(1) VPN server [172.16.2.1] - Global IP address
[10.0.0.50] - eth0 ( real IP address )
[10.0.0.60] - br0 - set new as a Bridge
(2) VPN Client (Windows) [192.168.0.244] - real IP address
[10.0.0.??] - automatically set from VPN Server
With this layout it is necessary to configure NAT/port forwarding on your router. The protocol and listening port used by default on the VPN server are UDP/1194. In this example, requests to UDP port 1194 from the internet must be forwarded to 10.0.0.60:1194 on the LAN.
a) Install and configure OpenVPN
[root@vpn ~]#yum --enablerepo=epel -y install openvpn bridge-utils
# install from EPEL
[root@vpn ~]#cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
[root@vpn ~]#vi /etc/openvpn/server.conf
# line 53: change
dev tap0
# line 78: change like follows
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# line 87: change
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
# line 96: comment out
#server 10.8.0.0 255.255.255.0
# line 103: comment out
#ifconfig-pool-persist ipp.txt
# line 115: uncomment and change ( [VPN server's IP] [subnetmask] [the range of IP for clients] )
server-bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254
# line 138: add ( [network the VPN server is in] [subnetmask] )
push "route 10.0.0.0 255.255.255.0"
# line 275: change
status /var/log/openvpn-status.log
# line 284: uncomment and change
log /var/log/openvpn.log
log-append /var/log/openvpn.log
b) Create the CA certificate and CA key
[root@vpn ~]#cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
[root@vpn ~]#cd /etc/openvpn/easy-rsa
[root@vpn easy-rsa]#mkdir keys
[root@vpn easy-rsa]#vi vars
# line 64: change to your environment
export KEY_COUNTRY="JP"
export KEY_PROVINCE="Hiroshima"
export KEY_CITY="Hiroshima"
export KEY_ORG="GTS"
export KEY_EMAIL="xxx@serverlinux"
[root@vpn easy-rsa]#source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@vpn easy-rsa]# ./clean-all
[root@vpn easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
.................++++++
......++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) []: # Enter
Common Name (eg, your name or your server's hostname) [GTS CA]:vpn.serverlinux # input FQDN
Name []:server-ca # set
Email Address [xxx@serverlinux]: # Enter
c) ca.crt is created in "/etc/openvpn/easy-rsa/keys"; transfer it to your client PC via FTP or SFTP.
d) Create the certificate and key for the server.
[root@vpn easy-rsa]#./build-key-server server
Generating a 1024 bit RSA private key
........++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) []: # Enter
Common Name (eg, your name or your server's hostname) [server]:vpn.serverlinux # input FQDN
Name []:server # set
Email Address [xxx@serverlinux.vn]: # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Hiroshima'
localityName :PRINTABLE:'Hiroshima'
organizationName :PRINTABLE:'GTS'
commonName :PRINTABLE:'vpn.serverlinux'
name :PRINTABLE:'server'
emailAddress :IA5STRING:'xxx@serverlinux'
Certificate is to be certified until Jul 12 09:30:07 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
e) Generate the Diffie-Hellman (DH) parameters
[root@vpn easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
f) Create the certificate and key for the client
[root@vpn easy-rsa]#./build-key-pass client
Generating a 1024 bit RSA private key
..................++++++
..................++++++
writing new private key to 'client.key'
Enter PEM pass phrase: # set pass-phrase
Verifying - Enter PEM pass phrase: # confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [JP]: # Enter
State or Province Name (full name) [Hiroshima]: # Enter
Locality Name (eg, city) [Hiroshima]: # Enter
Organization Name (eg, company) [GTS]: # Enter
Organizational Unit Name (eg, section) []: # Enter
Common Name (eg, your name or your server's hostname) [client]:vpn.serverlinux # input FQDN
Name []:client # set
Email Address [xxx@serverlinux]: # Enter
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'JP'
stateOrProvinceName :PRINTABLE:'Hiroshima'
localityName :PRINTABLE:'Hiroshima'
organizationName :PRINTABLE:'GTS'
commonName :PRINTABLE:'vpn.serverlinux'
name :PRINTABLE:'client'
emailAddress :IA5STRING:'xxx@serverlinux'
Certificate is to be certified until Jul 12 09:31:14 2021 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
g) client.crt and client.key are created in the directory "/etc/openvpn/easy-rsa/keys"; transfer them to the client via FTP or SFTP.
h) Start OpenVPN
[root@vpn ~]#cp /usr/share/doc/openvpn-*/sample-scripts/bridge-stop /etc/openvpn/
[root@vpn ~]#cp /usr/share/doc/openvpn-*/sample-scripts/bridge-start /etc/openvpn/
[root@vpn ~]#chmod 755 /etc/openvpn/bridge-start
[root@vpn ~]#chmod 755 /etc/openvpn/bridge-stop
[root@vpn ~]#vi /etc/openvpn/bridge-start
# line 17-20: change
eth="eth0" # change if needed
eth_ip="10.0.0.60" # IP address for bridge
eth_netmask="255.255.255.0" # subnetmask
eth_broadcast="10.0.0.255" # broadcast address
[root@vpn ~]#vi /etc/rc.d/init.d/openvpn
start)
    echo -n $"Starting openvpn: "
    # line 126: add
    /etc/openvpn/bridge-start
    # line 205: add
    /etc/openvpn/bridge-stop
    success; echo
    rm -f $lock
[root@vpn ~]#/etc/rc.d/init.d/openvpn start
Starting openvpn: tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Fri Jul 15 18:33:02 2011 TUN/TAP device tap0 opened
Fri Jul 15 18:33:02 2011 Persist state set to: ON
Bridge firewalling registered
device eth1 entered promiscuous mode
device tap0 entered promiscuous mode
br0: port 2(tap0) entering learning state
br0: port 1(eth1) entering learning state [ OK ]
[root@vpn ~]#chkconfig openvpn on
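As an added example (not part of this tutorial), a plain-sh lint that checks a server.conf for the bridge-mode edits made above: `dev tap`, the four easy-rsa file directives, `server` and `ifconfig-pool-persist` commented out (an active `server` directive conflicts with `server-bridge`), and a `server-bridge` client pool that lies inside the bridge's own network. The two configs it checks are constructed inline and the function names are my own.

```sh
# Print the first active (uncommented) line in file $1 whose directive matches ERE $2.
active_line() { grep -E -m 1 "^[[:space:]]*$2" "$1"; }
# Dotted-quad IPv4 address -> integer, so netmask arithmetic works in plain sh.
ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(($1 * 16777216 + $2 * 65536 + $3 * 256 + $4)); }
# Report problems in a bridge-mode server.conf; the return value is the problem count.
check_bridge_conf() {
    conf=$1; problems=0
    active_line "$conf" 'dev[[:space:]]+tap' >/dev/null ||
        { echo "PROBLEM: bridge mode needs 'dev tapN'"; problems=$((problems + 1)); }
    for d in ca cert key dh; do   # the four files produced with easy-rsa above
        active_line "$conf" "$d[[:space:]]" >/dev/null ||
            { echo "PROBLEM: '$d' directive missing"; problems=$((problems + 1)); }
    done
    for d in server ifconfig-pool-persist; do   # routed-mode leftovers conflict with server-bridge
        active_line "$conf" "$d[[:space:]]" >/dev/null &&
            { echo "PROBLEM: '$d' must stay commented out"; problems=$((problems + 1)); }
    done
    bridge=$(active_line "$conf" 'server-bridge[[:space:]]' || true)
    if [ -z "$bridge" ]; then
        echo "PROBLEM: 'server-bridge' directive missing"; problems=$((problems + 1))
    else
        set -- $bridge   # $2 gateway, $3 netmask, $4 pool start, $5 pool end
        gw=$(ip2int "$2"); mask=$(ip2int "$3"); lo=$(ip2int "$4"); hi=$(ip2int "$5")
        if [ $((lo & mask)) -ne $((gw & mask)) ] || [ $((hi & mask)) -ne $((gw & mask)) ] || [ "$lo" -gt "$hi" ]; then
            echo "PROBLEM: pool $4-$5 lies outside the bridge network $2/$3"; problems=$((problems + 1))
        fi
    fi
    return $problems
}
# Constructed sample configs: one matching the edits above, one with typical mistakes.
GOOD_CONF=$(mktemp); cat >"$GOOD_CONF" <<'EOF'
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
#server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.60 255.255.255.0 10.0.0.200 10.0.0.254
EOF
BAD_CONF=$(mktemp); cat >"$BAD_CONF" <<'EOF'
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.60 255.255.255.0 10.0.1.200 10.0.1.254
EOF
check_bridge_conf "$GOOD_CONF" && echo "good config: OK"
check_bridge_conf "$BAD_CONF" || echo "bad config: $? problem(s)"
```

Run it against the real /etc/openvpn/server.conf before the first start; a non-zero return value means at least one of the edits above was missed.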
1.2. CONFIGURING RAID 1
a) Create a RAID partition on the hard disk. The partition type for RAID is "fd". After creating the RAID partition, check its status as follows.
[root@linux ~]#sfdisk -l /dev/sdb
Disk /dev/sdb: 20886 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sdb1 0+ 20885 20886- 167766763+ fd Linux raid autodetect
/dev/sdb2 0 - 0 0 0 Empty
/dev/sdb3 0 - 0 0 0 Empty
/dev/sdb4 0 - 0 0 0 Empty
b) Configure RAID 1
[root@linux ~]#mdadm --create /dev/md0 --level=raid1 --raid-devices=2 /dev/sdb1 /dev/sdc1
mdadm: Note: this array has metadata at the start and
may not be suitable as a boot device. If you plan to
store '/boot' on this device please ensure that
your boot-loader understands md/v1.x metadata, or use
--metadata=0.90
Continue creating array?y
mdadm: Defaulting to version 1.2 metadata
mdadm: array /dev/md0 started.
[root@linux ~]#vi /etc/mdadm.conf
# mdadm.conf written out by anaconda
MAILADDR root
AUTO +imsm +1.x -all
# add
DEVICE /dev/sd[a-z]*
ARRAY /dev/md0 level=raid1 devices=/dev/sdb1,/dev/sdc1
[root@linux ~]#cat /proc/mdstat
# show status ( it's OK if it shows "[UU]" )
Personalities : [raid1]
md0 : active raid1 sdc1[1] sdb1[0]
104855127 blocks super 1.2 [2/2] [UU]
[==========>..........] resync = 50.1% (52600064/104855127) finish=4.2min speed=206060K/sec
unused devices: <none>
# after a few minutes, synchronizing completes and the status looks like this
[root@linux ~]#cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sdc1[1] sdb1[0]
104855127 blocks super 1.2 [2/2] [UU]
unused devices: <none>
c) Once the RAID configuration is complete, mount /home on it
[root@linux ~]#pvcreate /dev/md0
Physical volume "/dev/md0" successfully created
[root@linux ~]#vgcreate vg_home /dev/md0
Volume group "vg_home" successfully created
[root@linux ~]#lvcreate -L 50G -n lv_home vg_home
Logical volume "lv_home" created
[root@linux ~]#mkfs -t ext4 /dev/vg_home/lv_home
[root@linux ~]#mount /dev/vg_home/lv_home /mnt
[root@linux ~]#cp -pR /home/* /mnt/
[root@linux ~]#umount /mnt
[root@linux ~]#mount /dev/vg_home/lv_home /home
[root@linux ~]#df -h
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/mapper/vg_dlp-lv_root
20G 6.9G 12G 37% /
tmpfs 3.9G 0 3.9G 0% /dev/shm
/dev/sda1 485M 34M 426M 8% /boot
/dev/mapper/vg_home-lv_home
50G 182M 47G 1% /home
[root@linux ~]#vi /etc/fstab
# add RAID ARRAY
/dev/mapper/vg_home-lv_home /home ext4 defaults 1 2
d) Start mdmonitor to monitor the RAID array
[root@linux ~]#/etc/rc.d/init.d/mdmonitor start
Starting mdmonitor: [ OK ]
[root@linux ~]#chkconfig mdmonitor on
e) If a disk in the RAID array fails, RAID 1 can be re-configured as follows
[root@linux ~]#cat /proc/mdstat
Personalities : [raid1]
md0 : active (auto-read-only) raid1 sdb1[0]
104855127 blocks super 1.2 [2/1] [U_]
unused devices: <none>
# replace the failed disk and create a "Linux raid autodetect" partition on it again
# next, do as follows
[root@linux ~]#mdadm --manage /dev/md0 --add /dev/sdc1
# add new partition in RAID ARRAY
mdadm: added /dev/sdc1
[root@linux ~]#cat /proc/mdstat
# synchronizing starts
Personalities : [raid1]
md0 : active raid1 sdc1[2] sdb1[0]
104855127 blocks super 1.2 [2/1] [U_]
[>....................] recovery = 4.9% (5200000/104855127) finish=7.9min speed=208000K/sec
unused devices: <none>
# after a few minutes, synchronizing completes and the status looks like this
[root@linux ~]#cat /proc/mdstat
Personalities : [raid1]
md0 : active raid1 sdc1[2] sdb1[0]
104855127 blocks super 1.2 [2/2] [UU]
unused devices: <none>
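As an added example (not part of this tutorial), a small sh/awk parser for /proc/mdstat that turns the three states shown above (healthy, degraded after a disk failure, recovering) into one status line per array and counts degraded arrays, which is the check a cron job or monitoring agent would run alongside mdmonitor. The sample mdstat files are constructed inline from the outputs above and the function names are my own.

```sh
# One line per array: "<name> ok|DEGRADED <working>/<configured> <UU flags> <state>", plus a
# "<name> syncing <pct>" line while a resync/recovery is running. $1 is a /proc/mdstat file.
mdstat_report() {
    awk '
        /^md[0-9]+ *:/ { name = $1; state = $3 }          # e.g. "md0 : active raid1 sdc1[1] sdb1[0]"
        / blocks / && match($0, /\[[0-9]+\/[0-9]+\]/) {   # "[2/1]" = configured/working members
            split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
            flags = match($0, /\[[U_]+\]/) ? substr($0, RSTART + 1, RLENGTH - 2) : ""
            verdict = (n[1] == n[2] && index(flags, "_") == 0) ? "ok" : "DEGRADED"
            printf "%s %s %s/%s %s %s\n", name, verdict, n[2], n[1], flags, state
        }
        /(resync|recovery|reshape) *= *[0-9.]+%/ {
            match($0, /[0-9.]+%/)
            printf "%s syncing %s\n", name, substr($0, RSTART, RLENGTH)
        }' "$1"
}
# Number of degraded arrays in $1 (0 means every array has all of its members).
mdstat_degraded_count() { mdstat_report "$1" | grep -c DEGRADED || true; }

# Constructed samples copied from the three states shown above.
MDSTAT_HEALTHY=$(mktemp); cat >"$MDSTAT_HEALTHY" <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdc1[1] sdb1[0]
      104855127 blocks super 1.2 [2/2] [UU]

unused devices: <none>
EOF
MDSTAT_DEGRADED=$(mktemp); cat >"$MDSTAT_DEGRADED" <<'EOF'
Personalities : [raid1]
md0 : active (auto-read-only) raid1 sdb1[0]
      104855127 blocks super 1.2 [2/1] [U_]

unused devices: <none>
EOF
MDSTAT_RECOVERING=$(mktemp); cat >"$MDSTAT_RECOVERING" <<'EOF'
Personalities : [raid1]
md0 : active raid1 sdc1[2] sdb1[0]
      104855127 blocks super 1.2 [2/1] [U_]
      [>....................]  recovery =  4.9% (5200000/104855127) finish=7.9min speed=208000K/sec

unused devices: <none>
EOF
for f in "$MDSTAT_HEALTHY" "$MDSTAT_DEGRADED" "$MDSTAT_RECOVERING"; do
    mdstat_report "$f"
    echo "degraded arrays: $(mdstat_degraded_count "$f")"
done
```

On a live system call `mdstat_report /proc/mdstat`; a non-zero degraded count is the condition to alert on, and a "syncing" line tells you the rebuild started above is still in progress.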