Local Area Network
Our company has groups of servers located in different data centers and even different cities; at the moment we use 6 data centers. There is intensive traffic exchange between most of the servers, and the data exchange protocols do not always provide the necessary level of protection. We therefore decided to create a common local area network spanning all available servers. We decided against a routed OpenVPN network because of the excessively cumbersome architecture of such networks. In our opinion, the simplest and most convenient option is a peer-to-peer network. Below we describe in more detail how to create and configure such a network.
To create it, we use OpenVPN and Bridge-utils.
The standard network on OpenVPN consists of one or more OpenVPN servers and the clients that connect to them. OpenVPN supports TCP and UDP connections. Since our dedicated servers are not subject to any managed traffic filtering, it is better to choose UDP; in addition, UDP is the faster protocol.
The first server
The first server (in fact, this is our traffic exchange point) is configured according to the standard scheme. Since Debian is installed on most servers, further instructions will be given taking into account the features of this OS.
aptitude install openvpn openvpn-blacklist
cd /etc/openvpn/
cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa
mkdir /etc/openvpn/keys
chmod 750 /etc/openvpn/keys
Edit /etc/openvpn/easy-rsa/vars as follows:
export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="/etc/openvpn/keys"
export KEY_SIZE=2048
export KEY_COUNTRY="RU"
export KEY_PROVINCE="MSK"
export KEY_CITY="Samara"
export KEY_ORG="Regtime Ltd."
export KEY_EMAIL="support@regtime.net"
Further, according to the same scheme, we prepare the keys:
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server servername
./build-dh
We create the minimum config for the server in /etc/openvpn/udp-server. You can specify many more parameters: the optimization possibilities are very wide.
dev tap0
proto udp
port 1194
ca keys/ca.crt
cert keys/servername.crt
key keys/servername.key
dh keys/dh2048.pem
user nobody
group nogroup
server 172.18.5.208 255.255.255.240
persist-key
persist-tun
status /dev/shm/openvpn-status-udp
verb 3
client-to-client
client-config-dir ccd-udp
log-append /var/log/openvpn-udp.log
comp-lzo
script-security 2
up "/etc/init.d/lan0 start"
down "/etc/init.d/lan0 stop"
We connect it and start the server:
ln -s udp-server udp-server.conf
/etc/init.d/openvpn start
Pay attention to the last three lines of the config (script-security, up and down). They make it possible to use this server in a peer-to-peer network. Note that this can only be done for a UDP server. The script itself, /etc/init.d/lan0, looks like this:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          lan0
# Required-Start:    $network $remote_fs $syslog openvpn
# Required-Stop:     $network $remote_fs $syslog openvpn
# Should-Start:
# Should-Stop:
# X-Start-Before:    $x-display-manager gdm kdm xdm wdm ldm sdm nodm
# X-Interactive:     true
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: lan0 service
### END INIT INFO
. /lib/lsb/init-functions
PATH=/bin:/sbin:/usr/bin:/usr/sbin

br="lan0"                    # bridge name
tap="tap0"                   # OpenVPN tap interface(s) to attach to the bridge
eth="eth1"                   # physical LAN interface
eth_ip="172.18.5.2"          # this host's LAN address (moves from eth to the bridge)
eth_netmask="255.255.255.0"
eth_broadcast="172.18.5.255"

case "$1" in
start)
    # create the bridge and attach the physical interface and the tap(s)
    brctl addbr $br
    brctl addif $br $eth
    for t in $tap; do
        brctl addif $br $t
    done
    # bridge ports carry no address of their own; bring them up promiscuous
    for t in $tap; do
        ifconfig $t 0.0.0.0 promisc up
    done
    ifconfig $eth 0.0.0.0 promisc up
    # the host's LAN address now lives on the bridge
    ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    ;;
stop)
    # tear the bridge down and give the physical interface its address back
    ifconfig $br down
    brctl delbr $br
    ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast
    ;;
*)
    echo "usage lan0 {start|stop}"
    exit 1
    ;;
esac
exit 0
The same script can be registered in rc.d:
update-rc.d lan0 defaults
The sequence for manual start is as follows:
/etc/init.d/openvpn start
/etc/init.d/lan0 start
For a manual stop:
/etc/init.d/lan0 stop
/etc/init.d/openvpn stop
Note that when OpenVPN restarts, lan0 is brought up again by the up hook. In some cases this has to be done manually, for example with a cron task that starts lan0 when tap0 exists but is not yet in the bridge:
[ -n "$(/sbin/ifconfig tap0 2>/dev/null)" ] && [ -z "$(/usr/sbin/brctl show | grep tap0)" ] && /etc/init.d/lan0 start
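The cron check above parses ifconfig and brctl output. As an added example (not from the article), the same decision can be made from sysfs, which does not depend on tool output formats: the kernel exposes /sys/class/net/<iface> for every interface and /sys/class/net/<bridge>/brif/<iface> for every port enslaved to a bridge. The function name, the "check" invocation and the optional third argument (an alternative sysfs root, used only so the check can be exercised against a constructed directory tree) are my assumptions.

```bash
#!/bin/bash
# Added example (not the article's code): decide from sysfs whether the lan0
# bridge needs to be (re)started, instead of grepping ifconfig/brctl output.
#   /sys/class/net/<iface>            exists for every interface
#   /sys/class/net/<br>/brif/<iface>  exists when <iface> is a port of bridge <br>
# The third argument overrides the sysfs root; it exists only so the check can
# be run against a constructed directory tree.
tap_needs_bridging() {
    local tap="$1" br="$2" sysfs="${3:-/sys/class/net}"
    # tap not present: OpenVPN is not up, nothing to bridge yet
    [ -e "$sysfs/$tap" ] || return 1
    # tap already enslaved to the bridge: nothing to do
    [ -e "$sysfs/$br/brif/$tap" ] && return 1
    # tap exists but is dangling outside the bridge: lan0 must be started
    return 0
}

# Invoked as "lan0-check check tap0 lan0" (hypothetical script name), e.g. from cron:
#   * * * * * /usr/local/sbin/lan0-check check tap0 lan0
if [ "${1:-}" = "check" ]; then
    tap_needs_bridging "$2" "$3" && exec /etc/init.d/lan0 start
fi
```

Because the function only tests for directory entries, it is safe to run every minute and produces no output; the bridge start itself is still the article's lan0 script.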
Server is ready! Now you need to create keys and certificates for clients.
Clients
On the server, we create certificates for clients that will connect externally:
cd /etc/openvpn/easy-rsa
. ./vars
./build-key client
Of course, the name of each client (here client) must be unique.
After entering and confirming the data for the certificate, the following files will appear:
client.crt
client.csr
client.key
On the client side, we need the following files from the /etc/openvpn/keys directory on the server:
ca.crt
client.key
client.crt
Also on the client side install OpenVPN:
aptitude install openvpn openvpn-blacklist
mkdir /etc/openvpn/keys
chmod 750 /etc/openvpn/keys
Copy the key and certificates to /etc/openvpn/keys:
Create the simplest config /etc/openvpn/client.conf :
dev tap0
proto udp
client
remote server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
comp-lzo
verb 3
status /dev/shm/client-status-udp
log /var/log/openvpn-client.log
ping 10
ping-restart 1800
script-security 2
up "/etc/init.d/lan0 start"
down "/etc/init.d/lan0 stop"
To connect to the common peer-to-peer network, the same lan0 script is used as on the server (with eth_ip corrected to the client's own address).
Multiple Servers
A network can have multiple traffic exchange points. In this case, it is necessary that the client can connect to any of them and get into the same network. There is nothing complicated about it. You can configure any number of servers as described above. But there are two nuances.
1. Each server must hand out its own, non-overlapping range of IP addresses.
This is achieved by changing one line in each server's config (the pool below is the first server's; every other server gets a different one):
server 172.18.5.208 255.255.255.240
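As an added example (not the article's code), the functions below check the first nuance mechanically: they read the server line of each config, verify that every pool lies inside the bridged LAN (172.18.5.0/24 in the article) and that no two pools overlap. This goes slightly beyond the text by checking any number of configs at once. The function names, the LAN arguments and the constructed config files are my assumptions.

```bash
#!/bin/bash
# Added example (not from the article): validate the "server <ip> <mask>" pools
# of several OpenVPN servers that share one bridged LAN.

# dotted quad -> integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# first (network) and last (broadcast) address of ip/mask, as integers
net_of()  { echo $(( $(ip2int "$1") & $(ip2int "$2") )); }
last_of() { echo $(( ( $(ip2int "$1") & $(ip2int "$2") ) | ( 4294967295 - $(ip2int "$2") ) )); }

# pools_overlap ip1 mask1 ip2 mask2 -> exit 0 when the two ranges intersect
pools_overlap() {
    local a1 b1 a2 b2
    a1=$(net_of "$1" "$2"); b1=$(last_of "$1" "$2")
    a2=$(net_of "$3" "$4"); b2=$(last_of "$3" "$4")
    [ "$a1" -le "$b2" ] && [ "$a2" -le "$b1" ]
}
# pool_inside ip mask lan_ip lan_mask -> exit 0 when the pool lies within the LAN
pool_inside() {
    [ "$(net_of "$1" "$2")" -ge "$(net_of "$3" "$4")" ] &&
    [ "$(last_of "$1" "$2")" -le "$(last_of "$3" "$4")" ]
}
# pool_of_config file -> prints "<ip> <mask>" from the config's server line
pool_of_config() {
    awk '$1 == "server" { print $2, $3; exit }' "$1"
}
# check_pools lan_ip lan_mask config... -> prints every problem, exit 0 if none
check_pools() {
    local lan_ip="$1" lan_mask="$2" bad=0 f g pf pg
    shift 2
    # every pool must sit inside the bridged LAN
    for f in "$@"; do
        pf=$(pool_of_config "$f")
        if [ -z "$pf" ]; then
            echo "$f: no server line"; bad=1
        elif ! pool_inside $pf "$lan_ip" "$lan_mask"; then
            echo "$f: pool $pf is outside $lan_ip/$lan_mask"; bad=1
        fi
    done
    # no two servers may hand out the same addresses
    while [ $# -gt 1 ]; do
        f=$1; shift
        pf=$(pool_of_config "$f"); [ -n "$pf" ] || continue
        for g in "$@"; do
            pg=$(pool_of_config "$g"); [ -n "$pg" ] || continue
            if pools_overlap $pf $pg; then
                echo "$f and $g: pools $pf and $pg overlap"; bad=1
            fi
        done
    done
    return $bad
}
```

Run it as `check_pools 172.18.5.0 255.255.255.0 /etc/openvpn/udp-server-*` after collecting the configs from each traffic exchange point; the article's two pools (172.18.5.208/28 and 172.18.5.248/28) pass, while two servers sharing a pool, or a pool outside the /24, are reported.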
2. You need to synchronize certificates between OpenVPN servers.
The simplest solution is to copy the /etc/openvpn/keys directory over ssh. But there is a better way: rsync.
For a two-way exchange we need two scripts: one to upload updates (push) and one to download them (pop).
Upload - push
#!/bin/bash
# push: upload the local key directory to remotehost
# arcfour (RC4) was chosen for speed; current OpenSSH releases no longer offer it,
# so drop "-c arcfour" on newer systems
export RSYNC_RSH="ssh -c arcfour -o Compression=no -x -l root"
# trailing slash on the source: sync the directory's contents, not the directory itself
rsync --delete-after \
    -zu --modify-window=10 -aHAX --numeric-ids --sparse \
    /etc/openvpn/keys/ remotehost:/etc/openvpn/keys
Download - pop
#!/bin/bash
# pop: download the key directory from remotehost, deleting local files
# that no longer exist there
export RSYNC_RSH="ssh -c arcfour -o Compression=no -x -l root"
rsync --delete-after \
    -zu --modify-window=10 -aHAX --numeric-ids --sparse \
    remotehost:/etc/openvpn/keys/ /etc/openvpn/keys
Note the --delete-after switch. Once the synchronization is done, it deletes files on the destination side that are absent from the source. In other words, pop will delete locally everything that is not on remotehost.
The order of key updates is also important. Under normal circumstances, new keys and certificates are created on the first (main) OpenVPN server and all the others receive updates from it via pop, so push is not needed at all. If necessary, though, you can add new users on any server; then you first run push there to upload them, and then pop on all the other OpenVPN servers.
Since the interaction goes over ssh, all servers need to exchange ssh keys for root. The key can be generated with
ssh-keygen -t rsa -b 2048
and copied with
ssh-copy-id remotehost
Note that root login must be allowed on all of these servers. For security, you can disable password authentication in /etc/ssh/sshd_config:
PermitRootLogin yes
PasswordAuthentication no
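As an added example (not from the article): sshd uses the first value it finds for each keyword, keywords are case-insensitive, and settings inside a Match block apply only to matching connections, so a later "PasswordAuthentication no" does not override an earlier "yes". The functions below read the effective global value the same way and audit the two settings above on each server: root login must be allowed (yes, or the key-only values prohibit-password / without-password) for the rsync scripts to work, and password authentication should be off. The function names and the constructed config snippets are my assumptions.

```bash
#!/bin/bash
# Added example (not the article's code): audit the sshd settings the rsync
# key-synchronization scripts rely on.

# sshd_effective file keyword default -> prints the effective global value
# (first occurrence wins; anything after a Match line is out of scope)
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd file -> prints findings, returns their number (0 = clean)
audit_sshd() {
    local f="$1" n=0 root pw
    # defaults when the keyword is absent: OpenSSH ships PermitRootLogin
    # prohibit-password and PasswordAuthentication yes
    root=$(sshd_effective "$f" PermitRootLogin prohibit-password)
    pw=$(sshd_effective "$f" PasswordAuthentication yes)
    case "$root" in
        yes|prohibit-password|without-password) ;;   # key-based root login works
        *) echo "PermitRootLogin is '$root': root rsync over ssh will fail"; n=$((n+1)) ;;
    esac
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '$pw': root login is reachable by password guessing"
        n=$((n+1))
    fi
    if [ "$root" = "yes" ] && [ "$pw" != "no" ]; then
        echo "root login by password is enabled; use prohibit-password or disable passwords"
        n=$((n+1))
    fi
    return $n
}
```

Run `audit_sshd /etc/ssh/sshd_config` on every OpenVPN server after editing the file; the article's pair of settings yields no findings, while a config that merely appends "PasswordAuthentication no" after an earlier "yes" is reported, because sshd keeps the first value.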
Now, after adding a new client, you need to push on the server where the key was added, and pop on all other OpenVPN servers.
People
Sometimes employees need to work outside the office but still need access to the local network. This is also easy to implement within lan0. But since there is no uniformity in the operating systems used or in the traffic filtering along the way, it is better to use the slower but undemanding TCP protocol on OpenVPN.
Config /etc/openvpn/tcp-server:
dev tun0
proto tcp
port 1194
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
user nobody
group nogroup
server 172.18.5.248 255.255.255.240
persist-key
persist-tun
status /dev/shm/openvpn-status-tcp
verb 3
client-to-client
client-config-dir ccd-tcp
push "route 172.18.5.0 255.255.255.0"
log-append /var/log/openvpn-tcp.log
comp-lzo
The key and certificate are prepared in the same way as for UDP. The config for such a connection will be even slightly simpler - client.ovpn :
client
proto tcp
remote server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
Clients for different OSes are better to download from the official site: openvpn.net