Our company has server groups located in different data centers and even different cities; at the moment we use 6 data centers. There is intensive traffic exchange between most of the servers, and the data exchange protocols do not always provide the necessary level of protection. Therefore, we decided to create a common local network between all existing servers. We rejected a routed OpenVPN network because the architecture of such networks is excessively bulky. In our opinion, the simplest and most convenient option is a peer-to-peer network. Below we describe in more detail how to create and configure one.
To create it, we use OpenVPN and bridge-utils.
A standard OpenVPN network consists of one or more OpenVPN servers and the clients that connect to them. OpenVPN supports TCP and UDP connections. Since there is no managed traffic filtering on our dedicated servers, it is better to choose UDP, which is also the faster protocol.
First server
The first server (in fact, this is our traffic exchange point) is set up according to the standard scheme. Since most of our servers run Debian, the instructions below take the specifics of this OS into account.
aptitude install openvpn openvpn-blacklist
cd /etc/openvpn/
cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
mkdir /etc/openvpn/keys
chmod 750 /etc/openvpn/keys
We edit /etc/openvpn/easy-rsa/vars as follows:
export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="/etc/openvpn/keys"
export KEY_SIZE=2048
export KEY_COUNTRY="RU"
export KEY_PROVINCE="MSK"
export KEY_CITY="Samara"
export KEY_ORG="Regtime Ltd."
export KEY_EMAIL="support@regtime.net"
Then, in the usual way, we prepare the keys:
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server servername
./build-dh
We create a minimal server config in /etc/openvpn/udp-server. Many more parameters can be specified: the tuning options are very broad.
dev tap0
proto udp
port 1194
ca keys/ca.crt
cert keys/servername.crt
key keys/servername.key
dh keys/dh2048.pem
user nobody
group nogroup
server 172.18.5.208 255.255.255.240
persist-key
persist-tun
status /dev/shm/openvpn-status-udp
verb 3
client-to-client
client-config-dir ccd-udp
log-append /var/log/openvpn-udp.log
comp-lzo
script-security 2
up "/etc/init.d/lan0 start"
down "/etc/init.d/lan0 stop"
We connect it and start the server:
ln -s udp-server udp-server.conf
/etc/init.d/openvpn start
Pay attention to the last three lines of the config. They are what allow this server to take part in the peer-to-peer network. Note that this can only be done for a UDP server. The script itself, /etc/init.d/lan0, looks like this:
#!/bin/bash
### BEGIN INIT INFO
# Provides: lan0
# Required-Start: $network $remote_fs $syslog openvpn
# Required-Stop: $network $remote_fs $syslog openvpn
# Should-Start:
# Should-Stop:
# X-Start-Before: $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive: true
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: lan0 service
### END INIT INFO
. /lib/lsb/init-functions
PATH=/bin:/sbin:/usr/bin:/usr/sbin
br="lan0"      # bridge name
tap="tap0"     # OpenVPN tap interface(s) to add to the bridge
eth="eth1"     # physical interface joined to the bridge
eth_ip="172.18.5.2"
eth_netmask="255.255.255.0"
eth_broadcast="172.18.5.255"
case "$1" in
start)
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    # bridge members carry no address of their own; the bridge gets the IP
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    ifconfig $eth 0.0.0.0 promisc up
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    ;;
stop)
    ifconfig $br down
    brctl delbr $br
    # hand the address back to the physical interface
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    ;;
*)
    echo "usage lan0 {start|stop}"
    exit 1
    ;;
esac
exit 0
The same script can be used for rc.d.
update-rc.d lan0 defaults
The sequence for manual start is:
/etc/init.d/openvpn start
/etc/init.d/lan0 start
With manual stop:
/etc/init.d/lan0 stop
/etc/init.d/openvpn stop
It should be noted that when OpenVPN is restarted, lan0 comes up again. In some cases this has to be done manually, for example from cron; the task looks like this:
[ -n "$(/sbin/ifconfig tap0)" ] && [ -z "$(/usr/sbin/brctl show | grep tap0)" ] && /etc/init.d/lan0 start
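Before tying a server config to the lan0 script it is worth checking that it actually meets the bridging prerequisites described above (tap device, UDP, script-security 2, the up/down hooks, and the correct spelling of persist-tun, which OpenVPN rejects when written as two words). The following checker is an added example, not part of the original article; the file path and the option names it looks for are those used in the configs above.

```shell
#!/bin/sh
# Added example: sanity-check an OpenVPN server config for use with the
# lan0 bridge script.  Usage: check_bridge_conf /etc/openvpn/udp-server
# Prints each problem found and returns 1 if there was any, 0 otherwise.

check_bridge_conf() {
    conf="$1"
    problems=0
    fail() { echo "$conf: $1"; problems=$((problems + 1)); }

    # only a tap device carries Ethernet frames, so only tap can be bridged
    grep -Eq '^dev[[:space:]]+tap' "$conf" \
        || fail "needs 'dev tapN' (a tun device cannot be added to a bridge)"
    # the article bridges the UDP server only
    grep -Eq '^proto[[:space:]]+udp' "$conf" \
        || fail "needs 'proto udp' (bridging is only done for the UDP server)"
    # external up/down scripts are refused unless script-security is 2 or higher
    grep -Eq '^script-security[[:space:]]+[23]' "$conf" \
        || fail "needs 'script-security 2' so the up/down scripts may run"
    grep -Eq '^up[[:space:]]+.*lan0' "$conf" \
        || fail "missing 'up' hook for /etc/init.d/lan0"
    grep -Eq '^down[[:space:]]+.*lan0' "$conf" \
        || fail "missing 'down' hook for /etc/init.d/lan0"
    # common slip: the option is persist-tun, with a hyphen
    grep -Eq '^persist[[:space:]]+tun' "$conf" \
        && fail "'persist tun' is not an option; use 'persist-tun'"

    [ "$problems" -eq 0 ]
}
```

The same function can be run against /etc/openvpn/client.conf on the clients, since the tap/up/down requirements there are identical.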
The server is ready! Now you need to create keys and certificates for clients.
Clients
On the server, we create certificates for the clients that will connect from outside:
cd /etc/openvpn/easy-rsa
. ./vars
./build-key client
Of course, the name of each client (here client) must be unique.
After entering and confirming the data for the certificate, the following files will appear:
client.crt
client.csr
client.key
On the client side, we need the following files from the /etc/openvpn/keys directory on the server:
ca.crt
client.key
client.crt
Also install OpenVPN on the client side:
aptitude install openvpn openvpn-blacklist
mkdir /etc/openvpn/keys
chmod 750 /etc/openvpn/keys
Copy the key and certificates into /etc/openvpn/keys.
Create the simplest config, /etc/openvpn/client.conf:
dev tap0
proto udp
client
remote server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
comp-lzo
verb 3
status /dev/shm/client-status-udp
log /var/log/openvpn-client.log
ping 10
ping-restart 1800
script-security 2
up "/etc/init.d/lan0 start"
down "/etc/init.d/lan0 stop"
To join the common ad hoc network, the same lan0 script is used as on the server (with eth_ip changed to the address you need).
Many servers
There may be several traffic exchange points on the network. At the same time, a client must be able to connect to any of them and end up in the same network. There is nothing complicated about it: you can configure any number of servers as described above. But there are two nuances.
1. Each server must issue its own distinct range of IP addresses. This is achieved by replacing one line in the configs:
server 172.18.5.208 255.255.255.240
2. The certificates must be synchronized between the OpenVPN servers. The simplest solution is to copy the /etc/openvpn/keys directory over ssh. But there is a better way: rsync.
For a two-way exchange we need two scripts: one to upload updates (push) and one to download them (pop).
Upload - push:
#!/bin/bash
export RSYNC_RSH="ssh -c arcfour -o Compression=no -x -l root"
# trailing slashes sync the directory contents, not a nested keys/keys copy
rsync --delete-after \
    -zu --modify-window=10 -aHAX --numeric-ids --sparse \
    /etc/openvpn/keys/ remotehost:/etc/openvpn/keys/
Download - pop:
#!/bin/bash
export RSYNC_RSH="ssh -c arcfour -o Compression=no -x -l root"
# trailing slashes sync the directory contents, not a nested keys/keys copy
rsync --delete-after \
    -zu --modify-window=10 -aHAX --numeric-ids --sparse \
    remotehost:/etc/openvpn/keys/ /etc/openvpn/keys/
Note the --delete-after option. After the transfer it deletes files on the destination side that do not exist on the source side, i.e. pop will delete locally everything that is not on remotehost.
The procedure for updating keys is also important. Under normal conditions, new keys and certificates should be created on the first (primary) OpenVPN server, and all the others should receive updates from it via pop, so push is not needed at all. If necessary, though, new users can be added on any server; in that case you must first push from that server to upload, and then pop on all the other OpenVPN servers.
Since the exchange goes over ssh, all servers need to exchange root ssh keys. A key can be generated with
ssh-keygen -t rsa -b 2048
and copied with
ssh-copy-id remotehost
Note that all of these servers must have root login enabled. For security, you can disable password authentication in /etc/ssh/sshd_config:
PermitRootLogin yes
PasswordAuthentication no
Now, after adding a new client, you need to push on the server where the key was added, and pop on all other OpenVPN servers.
People
Sometimes employees have to work away from the office but still need access to the local network. This is also easy to implement within lan0. But since there is no uniformity in their operating systems and traffic filtering, it is better to use the slower but undemanding TCP protocol on OpenVPN.
Config /etc/openvpn/tcp-server:
dev tun0
proto tcp
port 1194
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
user nobody
group nogroup
server 172.18.5.248 255.255.255.240
persist-key
persist-tun
status /dev/shm/openvpn-status-tcp
verb 3
client-to-client
client-config-dir ccd-tcp
push "route 172.18.5.0 255.255.255.0"
log-append /var/log/openvpn-tcp.log
comp-lzo
The key and certificate are prepared in the same way as for UDP. The config for such a connection is even simpler, client.ovpn:
client
proto tcp
remote server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
Clients for other operating systems are best downloaded from the official site: openvpn.net