Build OpenVPN Server under CentOS7

A VPN is, literally, a virtual private channel: a tunnel that provides secure data transmission between enterprises or between individuals and companies. OpenVPN is undoubtedly the pioneer of open source VPN under Linux, providing good performance and a user-friendly GUI.

The following describes how to build OpenVPN Server under CentOS7 in the following topology environment

Since there is no public IP for the simulation, OpenVPN Server is built on the CentOS7 server on the LAN side of the router (192.168.60.X), and a VPN client on a Windows machine on the WAN side of the router (192.168.31.X) dials into the VPN for testing

Let's first introduce the construction of OpenVPN Server

  1. yum install -y epel-release

yum install -y openvpn easy-rsa net-tools bridge-utils

  2. Create CA and certificate

cd /usr/share/easy-rsa/3

./easyrsa init-pki

./easyrsa build-ca

./easyrsa build-server-full server1 nopass

./easyrsa build-client-full client1 nopass

./easyrsa gen-dh

It takes a while to generate DH:

[root@CentOS7_DIY 3]# ./easyrsa gen-dh

Generating DH parameters, 2048 bit long safe prime, generator 2

This is going to take a long time

..................................................................................+...

.......

..................................................................................+........++++

DH parameters of size 2048 created at /usr/share/easy-rsa/3/pki/dh.pem

  3. Create TLS-Auth Key

openvpn --genkey --secret ./pki/ta.key

cp -pR /usr/share/easy-rsa/3/pki/{issued,private,ca.crt,dh.pem,ta.key} /etc/openvpn/server/
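
Added example, not part of the original tutorial: easy-rsa 3 keeps ca.key and every client key in pki/private/, so the cp -pR above also places them in /etc/openvpn/server/private/. The sketch below lists key files the daemon does not need and keys readable by group or other; the function names and the temporary demo directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit key files in the server directory.

# key_findings DIR SERVER_NAME: print one line per key file that the OpenVPN
# daemon on this host does not need, or that group/other can read.
key_findings() {
    find "$1" -type f -name '*.key' | sort | while IFS= read -r f; do
        case "${f##*/}" in
            "$2.key"|ta.key) ;;                    # server key and TLS-Auth key stay
            ca.key) echo "CA private key on VPN host: $f" ;;
            *)      echo "other private key on VPN host: $f" ;;
        esac
        # Numeric -perm tests are POSIX: group-readable or world-readable.
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "readable by group/other: $f"
        fi
    done
}

# audit_server_keys DIR SERVER_NAME: return 0 if clean, 1 if there are findings.
audit_server_keys() {
    findings=$(key_findings "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed stand-in for /etc/openvpn/server after the cp -pR above.
demo=$(mktemp -d)
mkdir -p "$demo/private"
for k in ca server1 client1; do : > "$demo/private/$k.key"; done
: > "$demo/ta.key"
chmod 600 "$demo"/private/*.key "$demo/ta.key"
chmod 644 "$demo/private/client1.key"     # constructed: a key left world-readable
audit_server_keys "$demo" server1 || true
rm -rf "$demo"
```

The daemon itself only reads ca.crt, the server certificate and key, dh.pem and ta.key; ca.key is needed only when signing or revoking certificates.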

  4. Enable ipv4 forwarding in the kernel parameters

cd /etc/sysctl.d/

vi 99-sysctl.conf

Append net.ipv4.ip_forward = 1

sysctl --system

  5. Configure OpenVPN Server

cp /usr/share/doc/openvpn-2.4.7/sample/sample-config-files/server.conf /etc/openvpn/server/

vi /etc/openvpn/server/server.conf

The places that need to be modified are as follows

line 32: change if need (listening port of OpenV**)

port 1194

line 35: change if need

; proto tcp

proto udp

line 78: specify certificates

ca ca.crt

cert issued/server1.crt

key private/server1.key

line 85: specify DH file

dh dh.pem

line 101: specify the network to be used on the VPN

any network is OK except your local network

server 10.8.0.0 255.255.255.0

line 143: uncomment and change to your local network

push "route 192.168.60.0 255.255.255.0"

line 231: keepalive settings

keepalive 10 120

line 244: specify TLS-Auth key

tls-auth ta.key

line 263: uncomment (enable compression)

comp-lzo

line 281: enable persist options

persist-key

persist-tun

line 287: change log path

status /var/log/openvpn-status.log

line 296: change log path

log /var/log/openvpn.log

log-append /var/log/openvpn.log

line 306: specify log level (0 - 9, 9 means debug level)

verb 3

  6. Start the openvpn-server service and set it to start automatically

[root@CentOS7_DIY ~]# systemctl start openvpn-server@server

[root@CentOS7_DIY ~]# systemctl enable openvpn-server@server

  7. The router needs to map the service port udp 1194 of the VPN server 192.168.60.13 to port 1194 of the external network address 192.168.31.22

  8. Download and install the VPN client

It can be downloaded from the OpenVPN official website.

Then download the following four files from the VPN server with sz and copy them to the config folder under the installation directory of the VPN client

/etc/openvpn/server/ca.crt

/etc/openvpn/server/ta.key

/etc/openvpn/server/issued/client1.crt

/etc/openvpn/server/private/client1.key

Then copy the client.ovpn file from C:\Program Files\OpenVPN\sample-config to the config directory for editing

Add and modify the following fields

remote 192.168.31.22 1194

ca ca.crt

cert client1.crt

key client1.key

tls-auth ta.key 1

comp-lzo

Rename it to client1.ovpn after modification

  9. Open OpenVPN GUI to connect to the VPN

At this point, testing showed that the connection could not be established

Check openvpn.log on the server; the following error is reported

Searching for the error message turned up this solution:

key-direction 0 (on server)

key-direction 1 (on client)

Add key-direction 0 after the TLS configuration on the server side

vi server.conf

After the modification, run systemctl restart openvpn-server@server

Add key-direction 1 to the client1.ovpn configuration

Then reconnect the VPN; the connection now succeeds
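
Added example, not part of the original tutorial: the failure above comes from the server using tls-auth ta.key with no direction while the client uses tls-auth ta.key 1. The script below reads both configs and reports whether the key directions are complementary; the function names and the sample files are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare tls-auth key directions.

# Print the effective key direction of one OpenVPN config:
#   0 or 1, "bidirectional" (tls-auth without a direction), or "none" (no tls-auth).
# Commented-out directives (";tls-auth", "# tls-auth") never match $1 exactly.
tls_direction() {
    awk '
        $1 == "tls-auth"      { seen = 1; if ($3 ~ /^[01]$/) dir = $3 }
        $1 == "key-direction" { if ($2 ~ /^[01]$/) dir = $2 }
        END {
            if (!seen)          print "none"
            else if (dir == "") print "bidirectional"
            else                print dir
        }' "$1"
}

# Return 0 when the two directions are complementary (or both unset), 1 otherwise.
check_tls_auth_pair() {
    s=$(tls_direction "$1")
    c=$(tls_direction "$2")
    case "$s/$c" in
        0/1|1/0|bidirectional/bidirectional|none/none)
            echo "OK: server=$s client=$c"; return 0 ;;
        *)  echo "MISMATCH: server=$s client=$c"; return 1 ;;
    esac
}

# Constructed sample configs: the page's state before and after the fix.
demo=$(mktemp -d)
printf 'tls-auth ta.key\n'                    > "$demo/server-before.conf"
printf 'tls-auth ta.key\nkey-direction 0\n'   > "$demo/server-after.conf"
printf 'tls-auth ta.key 1\n'                  > "$demo/client-before.ovpn"
printf 'tls-auth ta.key 1\nkey-direction 1\n' > "$demo/client-after.ovpn"

check_tls_auth_pair "$demo/server-before.conf" "$demo/client-before.ovpn" || true
check_tls_auth_pair "$demo/server-after.conf"  "$demo/client-after.ovpn"  || true
rm -rf "$demo"
```

Writing the direction on the tls-auth line itself (tls-auth ta.key 0 on the server) has the same effect as a separate key-direction 0 line.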

  10. After connecting to the VPN, the client obtains a 10.8.0.X address and can ping the internal network address 192.168.60.113 of the OpenVPN Server

At this point, pings to other addresses in the intranet, such as 192.168.60.254, fail

A static route needs to be added on the internal network router: the destination network is the VPN network segment

10.8.0.0/24, and the next hop is the internal network address of the VPN server, 192.168.60.113

After adding this route, you can ping the 192.168.60.X servers and access their services.
