openvpn.8

一个开源的VPN原码

.TP
.B SIGHUP
Cause OpenVPN to close all tun/tap and
network connections,
restart, re-read the configuration file (if any),
and reopen tun/tap and network connections.
.TP
.B SIGUSR1
Like 
.B SIGHUP,
except don't re-read configuration file, and possibly don't close and reopen tun
device, re-read key files, preserve local IP address/port, or preserve most recently authenticated
remote IP address/port based on
.B --persist-tun, --persist-key, --persist-local-ip,
and
.B --persist-remote-ip
options respectively (see above).

This signal may also be internally generated by a timeout condition, governed
by the
.B --ping-restart
option.

This signal, when combined with
.B --persist-remote-ip,
may be
sent when the underlying parameters of the host's network interface change
such as when the host is a DHCP client and is assigned a new IP address.
See
.B --ipchange
above for more information.
.TP
.B SIGUSR2
Causes OpenVPN to display its current statistics (to the syslog
file if
.B --daemon
is used, or stdout otherwise).
.TP
.B SIGINT, SIGTERM
Causes OpenVPN to exit gracefully.
.SH TUN/TAP DRIVER SETUP
If you are running Linux 2.4.7 or higher, you probably have the tun/tap driver
already installed.  If so, there are still a few things you need to do:

Make device:
.B mknod /dev/net/tun c 10 200

Load driver:
.B modprobe tun

If you have Linux 2.2 or earlier, you should obtain version 1.1 of the
tun/tap driver from
.I http://vtun.sourceforge.net/tun/
and follow the installation instructions.
.SH EXAMPLES
Prior to running these examples, you should have OpenVPN installed on two
machines with network connectivity between them.  If you have not
yet installed OpenVPN, consult the INSTALL file included in the OpenVPN
distribution.
.SS TUN/TAP Setup:
If you are using Linux 2.4 or higher,
make the tun device node and load the tun module:
.IP
.B mknod /dev/net/tun c 10 200
.LP
.IP
.B modprobe tun
.LP
If you installed from RPM, the
.B mknod
step may be omitted, because the RPM install does that for you.

If you have Linux 2.2, you should obtain version 1.1 of the
tun/tap driver from
.I http://vtun.sourceforge.net/tun/
and follow the installation instructions.

For other platforms, consult the INSTALL file at
.I http://openvpn.sourceforge.net/install.html
for more information.
.SS Firewall Setup:
If firewalls exist between
the two machines, they should be set to forward UDP port 5000
in both directions.  If you do not have control over the firewalls
between the two machines, you may still be able to use OpenVPN by adding
.B --ping 15
to each of the
.B openvpn
commands used below in the examples (this will cause each peer to send out
a UDP ping to its remote peer once every 15 seconds which will cause many
stateful firewalls to forward packets in both directions
without an explicit firewall rule).

If you are using a Linux iptables-based firewall, you may need to enter
the following command to allow incoming packets on the tun device:
.IP
.B iptables -A INPUT -i tun+ -j ACCEPT
.LP
See the firewalls section below for more information on configuring firewalls
for use with OpenVPN.
.SS VPN Address Setup:
For purposes
of our example, our two machines will be called
.B may.kg
and
.B june.kg.
If you are constructing a VPN over the internet, then replace
.B may.kg
and
.B june.kg
with the internet hostname or IP address that each machine will use
to contact the other over the internet.

Now we will choose the tunnel endpoints.  Tunnel endpoints are
private IP addresses that only have meaning in the context of
the VPN.  Each machine will use the tunnel endpoint of the other
machine to access it over the VPN.  In our example,
the tunnel endpoint for may.kg
will be 10.4.0.1 and for june.kg, 10.4.0.2.

Once the VPN is established, you have essentially
created a secure alternate path between the two hosts
which is addressed by using the tunnel endpoints.  You can
control which network
traffic passes between the hosts 
(a) over the VPN or (b) independently of the VPN, by choosing whether to use
(a) the VPN endpoint address or (b) the public internet address,
to access the remote host. For example if you are on may.kg and you wish to connect to june.kg
via
.B ssh
without using the VPN (since
.B ssh
has its own built-in security) you would use the command
.B ssh june.kg.
However in the same scenario, you could also use the command
.B telnet 10.4.0.2
to create a telnet session with june.kg over the VPN, that would
use the VPN to secure the session rather than
.B ssh.

You can use any address you wish for the
tunnel endpoints
but make sure that they are private addresses
(such as those that begin with 10 or 192.168) and that they are
not part of any existing subnet on the networks of
either peer.  If you use an address that is part of
your local subnet for either of the tunnel endpoints,
you will get a weird feedback loop.
.SS Example 1: A simple tunnel without security
.LP
On may:
.IP
.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 8
.LP
On june:
.IP
.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 8
.LP
Now verify the tunnel is working by pinging across the tunnel.
.LP
On may:
.IP
.B ping 10.4.0.2
.LP
On june:
.IP
.B ping 10.4.0.1
.LP
The
.B --verb 8
option will produce verbose output, similar to the
.BR tcpdump (8)
program.  Omit the
.B --verb 8
option to have OpenVPN run quietly.
.SS Example 2: A tunnel with static-key security (i.e. using a pre-shared secret)
First build a static key on may.
.IP
.B openvpn --genkey --secret key
.LP
This command will build a random key file called
.B key
(in ascii format).
Now copy
.B key
to june over a secure medium such as by
using the
.BR scp (1)
program.
.LP
On may:
.IP
.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key
.LP
On june:
.IP
.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
.LP
Now verify the tunnel is working by pinging across the tunnel.
.LP
On may:
.IP
.B ping 10.4.0.2
.LP
On june:
.IP
.B ping 10.4.0.1
.SS Example 3: A tunnel with full TLS-based security
For this test, we will designate
.B may
as the TLS client and
.B june
as the TLS server.
.I Note that client or server designation only has meaning for the TLS subsystem.  It has no bearing on OpenVPN's peer-to-peer, UDP-based communication model.

First, build a separate certificate/key pair
for both may and june (see above where
.B --cert
is discussed for more info).  Then construct
Diffie Hellman parameters (see above where
.B --dh
is discussed for more info).  You can also use the
included test files client.crt, client.key,
server.crt, server.key and tmp-ca.crt.
The .crt files are certificates/public-keys, the .key
files are private keys, and tmp-ca.crt is a certification
authority who has signed both
client.crt and server.crt.  For Diffie Hellman
parameters you can use the included file dh1024.pem.
.I Note that all client, server, and certificate authority certificates and keys included in the OpenVPN distribution are totally insecure and should be used for testing only.
.LP
On may:
.IP
.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca tmp-ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
.LP
On june:
.IP
.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca tmp-ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
.LP
Now verify the tunnel is working by pinging across the tunnel.
.LP
On may:
.IP
.B ping 10.4.0.2
.LP
On june:
.IP
.B ping 10.4.0.1
.LP
Notice the
.B --reneg-sec 60
option we used above.  That tells OpenVPN to renegotiate
the data channel keys every minute.
Since we used
.B --verb 5
above, you will see status information on each new key negotiation.

For production operations, a key renegotiation interval of 60 seconds
is probably too frequent.  Omit the
.B --reneg-sec 60
option to use OpenVPN's default key renegotiation interval of one hour.
.SS Routing:
Assuming you can ping across the tunnel,
the next step is to route a real subnet over
the secure tunnel.  Suppose that may and june have two network
interfaces each, one connected
to the internet, and the other to a private
network.  Our goal is to securely connect
both private networks.  We will assume that may's private subnet
is 10.0.0.0/24 and june's is 10.0.1.0/24.
.LP
First, ensure that IP forwarding is enabled on both peers.
On Linux, enable routing:
.IP
.B echo 1 > /proc/sys/net/ipv4/ip_forward
.LP
and enable tun packet forwarding through the firewall:
.IP
.B iptables -A FORWARD -i tun+ -j ACCEPT
.LP
On may:
.IP
.B route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.4.0.2
.LP
On june:
.IP
.B route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.4.0.1
.LP
Now any machine on the 10.0.0.0/24 subnet can
access any machine on the 10.0.1.0/24 subnet
over the secure tunnel (or vice versa).

In a production environment, you could put the route command(s)
in a shell script and execute with the
.B --up
option.
.SH FIREWALLS
OpenVPN's usage of a single UDP port makes it fairly firewall-friendly.
You should add an entry to your firewall rules to allow incoming OpenVPN
packets.  On Linux 2.4+:
.IP
.B iptables -A INPUT -p udp -s 1.2.3.4 --dport 5000 -j ACCEPT
.LP
This will allow incoming packets on UDP port 5000 (OpenVPN's default UDP port)
from an OpenVPN peer at 1.2.3.4.

If you are using HMAC-based packet authentication (the default in any of
OpenVPN's secure modes), having the firewall filter on source
address can be considered optional, since HMAC packet authentication
is a much more secure method of verifying the authenticity of
a packet source.  In that case:
.IP
.B iptables -A INPUT -p udp --dport 5000 -j ACCEPT
.LP
would be adequate and would not render the host inflexible with
respect to its peer having a dynamic IP address.

OpenVPN also works well on stateful firewalls.  In some cases, you may
not need to add any static rules to the firewall list if you are
using a stateful firewall that knows how to track UDP connections.
If you specify
.B --ping n,
OpenVPN will be guaranteed
to send a packet to its peer at least once every
.B n
seconds.  If
.B n
is less than the stateful firewall connection timeout, you can
maintain an OpenVPN connection indefinitely without explicit
firewall rules.

You should also add firewall rules to allow incoming IP traffic on
tun or tap devices such as:
.IP
.B iptables -A INPUT -i tun+ -j ACCEPT
.LP
to allow input packets from tun devices,
.IP
.B iptables -A FORWARD -i tun+ -j ACCEPT
.LP
to allow input packets from tun devices to be forwarded to
other hosts on the local network,
.IP
.B iptables -A INPUT -i tap+ -j ACCEPT
.LP
to allow input packets from tap devices, and
.IP
.B iptables -A FORWARD -i tap+ -j ACCEPT
.LP
to allow input packets from tap devices to be forwarded to
other hosts on the local network.

These rules are secure if you use packet authentication,
since no incoming packets will arrive on a tun or tap
virtual device
unless they first pass an HMAC authentication test.
.SH FAQ
.I http://openvpn.sourceforge.net/faq.html
.SH HOWTO
For a more comprehensive guide to setting up OpenVPN
in a production setting, see the OpenVPN HOWTO at
.I http://openvpn.sourceforge.net/howto.html
.SH PROTOCOL
For a description of OpenVPN's underlying protocol,
see the file ssl.h included in the OpenVPN source distribution or
browse the file in the CVS repository at
.I http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/openvpn/openvpn/ssl.h
.SH WEB
OpenVPN's web site is at
.I http://openvpn.sourceforge.net/

Go here to download the latest version of OpenVPN, subscribe
to the mailing lists, read the mailing list
archives, or browse the CVS repository.
.SH BUGS
Report all bugs to the OpenVPN users list <openvpn-users@lists.sourceforge.net>.
To subscribe to the list or see the archives, go to
.I http://sourceforge.net/mail/?group_id=48978
.SH "SEE ALSO"
.BR dhcpcd (8),
.BR ifconfig (8),
.BR openssl (1),
.BR route (8),
.BR scp (1)
.BR ssh (1)
.SH NOTES 
.LP
This product includes software developed by the
OpenSSL Project (
.I http://www.openssl.org/
)

For more information on the TLS protocol, see
.I http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc2246-bis-01.txt

For more information on the tun/tap driver see
.I http://vtun.sourceforge.net/tun/

For more information on the LZO real-time compression library see
.I http://www.oberhumer.com/opensource/lzo/
.SH COPYRIGHT
Copyright (C) 2002 by James Yonan. This program is free software;
you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.SH AUTHORS
James Yonan <jim@yonan.net>