Wednesday, 24 February 2016

Setting up a VPN with vtun

(using the Red Hat 7.2 Linux platform as an example)

This article describes how to build a VPN (virtual private network) with vtun on Red Hat 7.2.

About VPNs:
A virtual private network (VPN) is defined as a temporary, secure connection established across a public network (usually the Internet): a safe, stable tunnel through the chaos of the public network. A VPN lets remote users, branch offices, business partners and suppliers establish trusted, secure connections to a company's internal network and guarantees that data is transmitted securely.

About VTun:
VTun is a powerful program for building virtual tunnels over TCP/IP. The number of tunnels is unlimited, bounded only by the capacity of the machine, and it can serve as the basis for VPNs, Mobile IP, shaped Internet access, Ethernet tunnels and IP address saving.
The tunnel features currently supported include encryption, compression and traffic shaping; the tunnel types are as follows:
IP tunnel (tun): supports point-to-point IP tunnels.
Ethernet tunnel (ether): supports all Ethernet protocols, such as IPX, AppleTalk and bridging.
Serial tunnel (tty): supports serial-line transports such as PPP and SLIP.
Pipe tunnel (pipe): supports all Unix pipes.
Supported platforms: Linux, FreeBSD, OpenBSD and Solaris.

1. Collecting the software

1.1 First go to http://vtun.geo-mis.com/ or http://vtun.euronet.be/ and download the vtun package for your platform. For a Red Hat 7.2 Linux system you can download
http://prdownloads.sourceforge.net/vtun/vtun-2.5-1.rh72.i386.rpm

1.2 vtun needs the lzo data-compression library, so you also need to download these two files:
ftp://contrib.redhat.com/pub/contrib/libc6/i386/lzo-1.06-1.i386.rpm
ftp://contrib.redhat.com/pub/contrib/libc6/i386/lzo-devel-1.06-1.i386.rpm

1.3 Finally you need the support package for the tun device:
http://vtun.euronet.be/tun/tun-1.1-6.rh72.i386.rpm
http://vtun.geo-mis.com/tun/tun-1.1-6.rh72.i386.rpm

This completes the collection of the software.

2. Installing the software

Install the following packages, in this order, on both the server and the client:
lzo-1.06-1.i386.rpm
lzo-devel-1.06-1.i386.rpm
vtun-2.5-1.rh72.i386.rpm
tun-1.1-6.rh72.i386.rpm

3. Configuring and using vtun

The use of vtun is illustrated below with two servers running Red Hat 7.2 Linux.

xxx.org has a fixed IP address (aaa.bbb.ccc.ddd), so it can act as the VPN server.

yyy.org has no fixed IP address; it connects through broadband virtual dial-up access over Gigabit Ethernet. Because it has no fixed IP it actually has no domain name either; yyy.org is simply the name this article gives to that server. Clearly yyy.org should act as the VPN client and dial into the xxx.org server with vtund to establish the VPN tunnel.

3.1 Preparation

3.1.1 First make sure IP forwarding is allowed on both servers. This is done by editing /etc/sysctl.conf and changing the line net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1.

3.1.2 Load the tun module with modprobe tun. If that succeeds, lsmod shows the tun module:
[root@www vinc]# lsmod
Module                  Size  Used by
tun                     4064   3

3.1.3 Create the tun device with mknod /dev/tun0 c 10 200.

3.1.4 Add the following line to /etc/modules.conf:
alias char-major-10-200 tun
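The following preflight script verifies the four preparation steps above before vtund is started. It is an example added here; it is not part of the article or of vtun. It assumes the live paths /proc/sys/net/ipv4/ip_forward, /proc/modules, /dev/tun0 and /etc/modules.conf and GNU stat for the device-number check; every function takes an optional path argument so the checks can be exercised against constructed files.

```shell
#!/bin/sh
# Preflight checks for the four preparation steps in 3.1 (an added example, not part of the
# article). Each function inspects one file and takes an optional path argument so the
# checks can also be run against constructed fixtures; the defaults are the live paths.

# 3.1.1: IP forwarding. The runtime value in /proc is checked rather than /etc/sysctl.conf,
# because the file only says what sysctl will apply at the next boot or "sysctl -p".
ip_forward_enabled() {
  f=${1:-/proc/sys/net/ipv4/ip_forward}
  [ -r "$f" ] || return 2
  [ "$(cat "$f")" = "1" ]
}

# 3.1.2: the tun module is loaded. Accepts /proc/modules (default) or saved lsmod output;
# in both, the module name is the first column, so the "Module" header line never matches.
tun_module_loaded() {
  f=${1:-/proc/modules}
  [ -r "$f" ] || return 2
  awk '$1 == "tun" { found = 1 } END { exit !found }' "$f"
}

# 3.1.3: the node exists and is a character device with major 10, minor 200, the numbers
# given to mknod in the article. stat -c is GNU coreutils (assumed); %t and %T print the
# major and minor numbers in hexadecimal, so 10 and 200 appear as "a" and "c8".
tun_node_ok() {
  n=${1:-/dev/tun0}
  [ -c "$n" ] || return 1
  [ "$(stat -c '%t:%T' "$n")" = "a:c8" ]
}

# 3.1.4: the alias in /etc/modules.conf that lets the kernel autoload tun on first open.
tun_alias_present() {
  f=${1:-/etc/modules.conf}
  [ -r "$f" ] || return 2
  grep -Eq '^[[:space:]]*alias[[:space:]]+char-major-10-200[[:space:]]+tun([[:space:]]|$)' "$f"
}

# Run all four checks, print one line per check and return the number of failures
# (0 means the host is ready for vtund). Arguments override the default paths, in order.
vtun_preflight() {
  failed=0
  if ip_forward_enabled "$1"; then echo "ok   ip forwarding"
  else echo "FAIL ip forwarding off (sysctl -w net.ipv4.ip_forward=1)"; failed=$((failed + 1)); fi
  if tun_module_loaded "$2"; then echo "ok   tun module loaded"
  else echo "FAIL tun module not loaded (modprobe tun)"; failed=$((failed + 1)); fi
  if tun_node_ok "$3"; then echo "ok   tun device node is c 10 200"
  else echo "FAIL tun device node missing or not c 10 200 (mknod /dev/tun0 c 10 200)"; failed=$((failed + 1)); fi
  if tun_alias_present "$4"; then echo "ok   modules.conf alias"
  else echo "FAIL alias char-major-10-200 tun missing from /etc/modules.conf"; failed=$((failed + 1)); fi
  return $failed
}

# Run the live checks only when invoked as "sh preflight.sh --check".
if [ "${1:-}" = "--check" ]; then
  vtun_preflight
fi
```

The exit status is the number of failed steps, so the script can gate a start of vtund in rc.local: a non-zero status means the tunnel would come up without forwarding, without the module, or without the device node.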

3.2 Configuration files for the server and the client (/etc/vtund.conf)

Detailed sample configuration files can be downloaded from http://www.northsun.net/vpn/. Here I post the two configuration files as I modified them:

Server side (xxx.org, VPN_IP=10.0.2.2):
options {
  port 5000;            # Listen on this port.

  # Path to various programs
  ppp           /usr/sbin/pppd;
  ifconfig      /sbin/ifconfig;
  route         /sbin/route;
  firewall      /sbin/ipchains;
}

# Default session options
default {
  type tun;
  proto udp;
  comp lzo:6;
  encr yes;
  keepalive yes;
}

yyy {
  pass  yyy;            # Password - change this!
  type tun;             # IP tunnel
  proto udp;            # UDP protocol
  comp  lzo:6;          # Adjust to taste
  encr  yes;            # Encryption
  keepalive yes;        # Keep connection alive

  # Server Configuration sample No.1
  up {
    # First bring up the tunnel interface
    # xxx:10.0.2.2  yyy:10.0.1.2
    ifconfig "%% 10.0.2.2 pointopoint 10.0.1.2 mtu 1450";
    program /sbin/arp "-sD 10.0.1.2 eth0 pub";
    route "add -net 10.0.1.0 netmask 255.255.255.0 gw 10.0.2.2";
    firewall "-A forward -s 10.0.0.0/24 -d 10.0.1.0/24 -j ACCEPT";
  };
  down {
    firewall "-D forward -s 10.0.0.0/24 -d 10.0.1.0/24 -j ACCEPT";
    program "/sbin/arp -d 10.0.1.2 -i eth0";
  };
}

Client side (yyy.org, VPN_IP=10.0.1.2):
options {
  port 5000;            # Listen on this port.

  # Path to various programs
  ppp           /usr/sbin/pppd;
  ifconfig      /sbin/ifconfig;
  route         /sbin/route;
  firewall      /sbin/ipchains;
}

yyy {
  pass  yyy;            # Password
  keepalive yes;        # Keep connection alive

  # Client Configuration sample No.1
  # xxx:10.0.2.2  yyy:10.0.1.2
  up {
    ifconfig "%% 10.0.1.2 pointopoint 10.0.2.2 mtu 1450";
    program /sbin/arp "-sD 10.0.2.2 eth0 pub";
    route "add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.1.2";
    firewall "-A forward -s 10.0.0.0/24 -d 10.0.2.0/24 -j ACCEPT";
  };

  down {
    firewall "-D forward -s 10.0.0.0/24 -d 10.0.2.0/24 -j ACCEPT";
    program "/sbin/arp -d 10.0.2.2 -i eth0";
  };
}
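The two sample files above carry the session password in clear text and, on the server, the `pass yyy` line that the comment says to change. The following lint, added here as an example (it is not vtun's own tooling and not from the article), reads a vtund.conf in the layout of those samples and reports a password that equals the session name or is shorter than 8 characters, an explicit `encr no` in any block, and a file that is readable by group or others. It assumes that the options/default/session blocks start at column 0 (`yyy {`) while the up/down blocks are indented, as in the samples.

```shell
#!/bin/sh
# Lint for /etc/vtund.conf (an added example, not part of vtun or of the article).
# Assumption: top-level blocks ("options {", "default {", "yyy {") begin at column 0 and
# the up/down blocks inside a session are indented, so only column-0 names open a block.

# Scan the key/value lines. Findings go to stdout, one per line; the exit status is their count.
vtund_conf_scan() {
  # "$1" after the awk program is the shell's argument (the file);
  # $1 and $2 inside the single quotes are awk's first and second field.
  awk '
    /^[[:space:]]*#/ { next }                            # whole-line comment
    /^[A-Za-z0-9_.-]+[[:space:]]*\{/ {                   # "name {" at column 0 opens a block
      sect = $0; sub(/[[:space:]]*\{.*/, "", sect); next
    }
    { sub(/#.*/, "") }                                   # drop a trailing comment (re-splits fields)
    NF < 2 { next }                                      # "}", "};" and blank lines
    { val = $2; sub(/;$/, "", val); gsub(/"/, "", val) } # bare value of a "key value;" line
    $1 == "pass" && val == sect {
      printf "%s: password is the session name\n", sect; n++
    }
    $1 == "pass" && val != sect && length(val) < 8 {
      printf "%s: password shorter than 8 characters\n", sect; n++
    }
    $1 == "encr" && val == "no" {
      printf "%s: encryption disabled (encr no)\n", sect; n++
    }
    END { exit n + 0 }
  ' "$1"
}

# The file holds the session password, so group and others must have no access at all.
# Read from the mode string of "ls -ld" (positions 5-10) to stay within POSIX tools.
vtund_conf_private() {
  case "$(ls -ld "$1")" in
    ????------*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Run both checks; the return value is the total number of findings (0 = clean).
vtund_conf_lint() {
  n=0
  vtund_conf_private "$1" || { echo "$1: readable by group/others (chmod 600)"; n=1; }
  vtund_conf_scan "$1" || n=$((n + $?))
  return $n
}

# Usage when run directly: sh vtund-lint.sh /etc/vtund.conf
if [ -n "${1:-}" ]; then
  vtund_conf_lint "$1"
fi
```

Run on the server's file as posted above it reports `yyy: password is the session name`; vtun takes the session's type, proto, comp and encr from the server side, which is why the client sample sets only the password, so the server's file is the one whose `encr` setting matters.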

3.3 Adjusting the DNS server

Because the VPN joins the two networks together, records for the internal IP addresses assigned to the VPN can be added to DNS, which makes the VPN more convenient to use.

3.3.1 Server side (xxx.org)

First edit /etc/named.conf and add zones for the two networks 10.0.1.0 and 10.0.2.0:
zone "1.0.10.in-addr.arpa" {
        type master;
        file "named.1001";
        allow-update { none; };
};
zone "2.0.10.in-addr.arpa" {
        type master;
        file "named.1002";
        allow-update { none; };
};
Then create /var/named/named.1001 with the following content:
$TTL 14400
@               IN      SOA     xxx.org.   root.xxx.org. (
                        2001040501 ; serial
                        18800 ; refresh
                        7200 ; retry
                        604800 ; expire
                        86400 ; default_ttl
                        )
                IN      NS      xxx.org.
                IN      NS      xxx.org.
; server
2               IN      PTR     yyy.org.
and /var/named/named.1002 with the following content:
$TTL 14400
@               IN      SOA     xxx.org.   root.xxx.org. (
                        2001040501 ; serial
                        18800 ; refresh
                        7200 ; retry
                        604800 ; expire
                        86400 ; default_ttl
                        )
                IN      NS      xxx.org.
                IN      NS      xxx.org.
; server
2               IN      PTR     xxx.org.
Then edit /var/named/named.xxx and add the following records:
yyy          IN      A       10.0.1.2
yyy          IN      MX      5       yyy.xxx.org.

3.3.2 Client side (yyy.org)

The procedure is similar to that on the server side.

3.4 Using vtund

3.4.1 Server side (xxx.org)

Simply run /usr/sbin/vtund -s as root. If you want the VPN tunnel to be established automatically after the system boots, add this command to /etc/rc.d/rc.local.

3.4.2 Client side (yyy.org)

Simply run /usr/sbin/vtund yyy xxx.org as root. If you want the VPN tunnel to be established automatically after the system boots, add this command to /etc/rc.d/rc.local.

3.4.3 Restarting the DNS server

Run /etc/rc.d/init.d/named restart on both the server and the client.

4. The result

After the installation and configuration above, a secure transmission tunnel exists between yyy.org and xxx.org, and yyy.org appears to be part of xxx.org's internal LAN: the home page on the yyy.org server can be reached at http://yyy/, and hosts on xxx.org's internal subnet can open \\yyy in Network Neighborhood, see the directories shared by Samba on the yyy.org server, and copy files into the shared directories on \\yyy.

----------------------------------
Building IP tunnels with vtun

VTun (Virtual TUNnel, http://vtun.sourceforge.net) is a powerful program for building virtual IP tunnels. The number of tunnels is unlimited, bounded only by the capacity of the machine, and on top of it you can implement VPNs, Mobile IP and similar functions. The tunnels vtun supports have several features:
Encryption: CHAP-based authentication, with 128-bit Blowfish keys.
Compression: several compression algorithms, including zlib and lzo.
Traffic shaping: platform independent; the inbound and outbound rates of a tunnel can be limited separately.
Vtun supports the following tunnel types:
IP tunnel (tun): IP tunnels as used with PPP.
Ethernet tunnel (ether): any protocol that can be encapsulated in Ethernet, such as IPX, AppleTalk and bridging.
Serial tunnel (tty): serial-line transports such as PPP and SLIP.
Pipe tunnel (pipe): any program that can use Unix pipes.
Vtun supports several platforms, including Linux, BSD and Solaris. Download the software from:
http://prdownloads.sourceforge.net/vtun/vtun-2.6.tar.gz
http://vtun.sourceforge.net/tun/tun-1.1.tar.gz

Network overview
bob.org has a fixed IP address (211.1.1.1), so it acts as the vtun server. alice.org has no fixed IP address; it connects through NAT, and because it has no fixed public IP address it has no domain name either. alice.org should act as the VPN client and connect to the bob.org server with vtund to establish the VPN tunnel.

First make sure IP forwarding is allowed on both servers. This is done by running:
# /sbin/sysctl -w net.ipv4.ip_forward=1

If you want it enabled permanently, edit /etc/sysctl.conf and change the line net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1.

Installing the tun device
Before installing vtun we first have to install the virtual point-to-point (TUN) and Ethernet (TAP) devices. This provides two virtual tunnel devices: the character device /dev/tunX in /dev, and the tunX virtual point-to-point network interface.

----------------

The Universal TUN/TAP device driver in Redhat 7.2

This information was provided by Rich Smrcina. Installations should work off the shelf with kernel 2.4.7-10.
This document is an extract of /usr/src/linux/Documentation/networking/tuntap.txt from the SuSE 7.2 distribution, adapted to Redhat 7.2.

Copyright (C) 1999-2000 Maxim Krasnyansky

Linux, Solaris drivers
Copyright (C) 1999-2000 Maxim Krasnyansky

FreeBSD TAP driver
Copyright (c) 1999-2000 Maksim Yevmenkin

Description

TUN/TAP provides packet reception and transmission for user-space programs. It can be viewed as a simple point-to-point or Ethernet device which, instead of receiving packets from physical media, receives them from a user-space program, and instead of sending packets via physical media, writes them to the user-space program.
When a program opens /dev/tun, the driver creates and registers the corresponding network device tunX or tapX. After the program closes the device, the driver automatically deletes the tunX or tapX device and all routes corresponding to it.
This package (http://vtun.sourceforge.net/tun) contains two simple example programs showing how to use tun and tap devices. Both programs work like a bridge between two network interfaces: br_select.c is a bridge based on the select system call, and br_sigio.c is a bridge based on asynchronous I/O and the SIGIO signal. However, the best example is VTun, http://vtun.sourceforge.net :))

Configuration

  • Create the device node:
    mknod /dev/tun0 c 10 200
  • Driver module autoloading
    1. Make sure that "Kernel module loader" (module auto-loading support) is enabled in your kernel
    2. Add the following line to /etc/modules.conf
       alias char-major-10-200 tun
  • Make sure that the directory where the Hercules binaries are stored is in your path, or put the hercifc executable in a directory that is in your path.
  • Enable IP forwarding by editing /etc/sysctl.conf and changing net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1
The tun driver is like a virtual interface between the host system (in my base RH Linux 7.2) and a program (Hercules). Hercules manages routing 'packets' from operating systems under its control (VM, VSE, Linux/390) through the tun interface, which hands the packet off to Linux perhaps for subsequent routing to a 'real' network. I've been able to test this from an operating system under Hercules to the Linux driving system, but haven't yet made it outside my laptop (by no fault of the process...I have just not done it yet).
The drawing on the herctcp page makes a lot of sense, but I switched the IP addresses of Hercules and the driving system. To me it just made sense to make the driving system 192.168.200.1 and Hercules 192.168.200.2 (the other S/390 operating systems would be .3, .4, etc.). The tun driver looks like a CTCA to the S/390 system, so it must be defined as such. The definitions on the herctcp page work fine.
If you have questions, remarks, contributions, whatever, drop me a line.

Enjoy your private Hercules mainframe.

from http://www.bsp-gmbh.com/hercules/os390/ctctun/redhat72tuntap.html