I get 3 IP addresses from my ISP, so behind the modem there is a switch with three things on it. Two are servers and one is a router. All of my personal computers sit behind the router. My old server used to have two Ethernet ports, so I would put one on the switch and the other on the router; that way I could keep server traffic off the router while still serving a Samba share for media.
My new low-power server only has one LAN port. Eventually I will fit it with a USB Ethernet dongle, but until then I would like to keep my Samba share. I figured there must be some way to do this over a VPN.
So what I want to do is set up a VPN server on the server and let clients behind the router connect to it. That seems simple enough, except that every guide I have seen assumes you can hand out addresses on the server's LAN. Since my server's LAN is the public Internet, I can't really do that. Is there a way for me to make up a "virtual" LAN that exists only in the server's head and put my VPN clients on it?
To clarify: if the server is 68.232.SSS.SSS, the router is 68.232.RRR.RRR and the computers behind the router are 10.0.0.1-255, can I have the VPN clients use addresses like 192.168.0.VPN?
        OOoOoOOOooOOo
      OoO  Public  OoOOo-----Server eth0 (Real)    68.232.SSS.SSS
      OoO Internet OoO              eth1 (Virtual) 192.168.0.1
        OoOoOOoOOoOOOo
             |
             \--Router eth0 (WAN) 68.232.RRR.RRR
                |      eth1 (LAN) 10.0.0.1
                |
                \-----Client eth1 (Virtual) 192.168.0.2
                             eth0 (Real)    10.0.0.2
Answer 1
- Install openvpn on your server and client
Generate the certificates following the official HOWTO:
root@server:/etc/openvpn/easy-rsa# cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
root@server:/etc/openvpn/easy-rsa# cd /etc/openvpn/easy-rsa
Edit /etc/openvpn/easy-rsa/vars and fill in appropriate values
root@server:/etc/openvpn/easy-rsa# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
root@server:/etc/openvpn/easy-rsa# ./clean-all
root@server:/etc/openvpn/easy-rsa# ./build-ca
Generating a 1024 bit RSA private key
......................++++++
........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [HK]:
State or Province Name (full name) [New Territories]:
Locality Name (eg, city) [Tuen Mun]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [OpenVPN-CA]:
Name [OpenVPN-CA]:
Email Address [[email protected]]:
root@server:/etc/openvpn/easy-rsa# ./build-key-server server
Generating a 1024 bit RSA private key
...............++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [HK]:
State or Province Name (full name) [New Territories]:
Locality Name (eg, city) [Tuen Mun]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [OpenVPN-CA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'HK'
stateOrProvinceName   :PRINTABLE:'New Territories'
localityName          :PRINTABLE:'Tuen Mun'
organizationName      :PRINTABLE:'Home'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'OpenVPN-CA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 18 13:18:09 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@server:/etc/openvpn/easy-rsa# ./build-key client
Generating a 1024 bit RSA private key
..........++++++
...................................................++++++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [HK]:
State or Province Name (full name) [New Territories]:
Locality Name (eg, city) [Tuen Mun]:
Organization Name (eg, company) [Home]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client]:
Name [OpenVPN-CA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'HK'
stateOrProvinceName   :PRINTABLE:'New Territories'
localityName          :PRINTABLE:'Tuen Mun'
organizationName      :PRINTABLE:'Home'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'OpenVPN-CA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 18 13:20:00 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@server:/etc/openvpn/easy-rsa# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
Copy the required files from /etc/openvpn/easy-rsa/keys on the server into /etc/openvpn
For the server: ca.crt dh1024.pem server.crt server.key
For the client: ca.crt client.crt client.key
Copy the corresponding sample config files from /usr/share/doc/openvpn/examples/sample-config-files/ into /etc/openvpn and unpack them
Server: server.conf.gz
Client: client.conf
- The server config file should work as-is by default
Edit the "remote" entry in /etc/openvpn/client.conf on the client
and enter the server's name/IP address. No other changes are needed
- Open UDP 1194 on the server's firewall
The service is now ready to start; the server is at 10.8.0.1
I'm assuming you only need to reach the server. If you want to reach other internal networks, extra work is needed.
Configure samba to listen on 10.8.0.0/24
Everything should be done now; if something goes wrong, leave a comment here.
Answer 2
Install openvpn on the server and the client. On the server this brings up a tun0 tunnel interface with an IP subnet of your choosing. The relevant options in the config file /etc/openvpn/server.conf are:
    dev tun
    server 192.168.1.0 255.255.255.0
Unless you want the client to route all its traffic through the VPN, comment out any line in the config that looks like push "route A.B.C.D W.X.Y.Z".
Apart from the network configuration, you also have to generate certificates for the server and the client (both sides authenticate). How to do that is described in the OpenVPN documentation.
Finally, you have to configure the client to use this connection, so in its /etc/openvpn/client.conf you enter:
    remote 68.232.SSS.SSS 1194
1194/udp is the OpenVPN standard port and has to be opened to the world in the firewall (hence the certificates).
I hope this answer, together with the documentation and the sample configs that come with openvpn, gets you started.
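An added check, written here and not part of either answer, for the server.conf choices answers 1 and 2 make: it reads the "server" line and any active push "route" lines, reports the server's own tunnel address that Samba has to listen on (10.8.0.1 in answer 1), warns when the chosen tunnel range collides with the LAN behind the router (10.0.0.0/24 in the question), and lists the push routes answer 2 says to comment out unless they are needed. The sample config is constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the relevant server.conf lines; not the page's file.
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
;push "redirect-gateway def1"
"""
PUSH_ROUTE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')

def parse_server_conf(text):
    """Tunnel subnet from the 'server' line plus the active push-route networks."""
    subnet, routes = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank, comment or disabled line
            continue
        parts = line.split()
        if parts[0] == "server" and len(parts) == 3:
            subnet = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        m = PUSH_ROUTE.match(line)
        if m:
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return subnet, routes

def server_tunnel_address(text):
    """First host of the tunnel subnet (10.8.0.1 for the default): the server's
    own tunnel address, which Samba must be told to listen on."""
    subnet, _ = parse_server_conf(text)
    return str(next(subnet.hosts())) if subnet else None

def check_tunnel_plan(text, client_lans):
    """Things to fix before starting: a missing 'server' line, a tunnel range that
    collides with a LAN the client already sits on (10.0.0.0/24 behind the router),
    or routes pushed to clients that should be commented out unless needed."""
    subnet, routes = parse_server_conf(text)
    if subnet is None:
        return ["no 'server' directive: openvpn will not hand out tunnel addresses"]
    problems = []
    for lan in map(ipaddress.ip_network, client_lans):
        if subnet.overlaps(lan):
            problems.append(f"tunnel {subnet} overlaps client LAN {lan}; choose another range")
    for route in routes:
        problems.append(f"active push route {route}; comment it out unless clients need it")
    return problems
```

Run it as check_tunnel_plan(open("/etc/openvpn/server.conf").read(), ["10.0.0.0/24"]) on the real file; an empty list means the tunnel range and pushed routes are consistent with the setup in the question.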
Answer 3
Although this is not a direct answer to your question, I suggest you consider using sshfs to mount the server. All you need is a running ssh server instead of the complicated combination of samba plus an add-on VPN solution.
On the client, see "How to automount using sshfs?" for a GUI solution, or http://ubuntuforums.org/showthread.php?t=430312 for a system-wide fstab solution.