Whitepaper: Implement remote access to Dunkermotoren with VPN

Markus Weishaar | Product Manager IIoT, Dunkermotoren GmbH
Author: Markus Weishaar, Date: 11.05.2019

This whitepaper describes the configuration of a VPN connection for remote access to a Dunkermotoren dPro Ethernet motor over the Internet, using the Dunkermotoren standard software DriveAssistant and the open source software OpenVPN. A Linux-based edge gateway is configured as the VPN server for this purpose. The edge gateway communicates with the motor as well as with a router, which provides the Internet connection, over two bridged Ethernet ports. On the other side is a standard Windows PC on which DriveAssistant and OpenVPN are installed. OpenVPN is configured as a client on the PC and sets up a VPN connection over the Internet to the VPN server on the gateway. Over this connection the motor can be selected and driven from DriveAssistant, or a firmware update can be installed.

If the motor has a known static IP address, the VPN connection can be configured as a tunnel, since linking the two subnets via routing is sufficient. If the motor has no IP address, or none that is known, the VPN connection must be set up as a bridge, which pulls the client into the same subnet in which the server is located. This is necessary because DriveAssistant uses broadcasts for the drive search, and broadcasts only work within the same subnet.

Figure 1: VPN networks

Contents:
1 Requirements / Comparative Configuration
2 Configuration OpenVPN Server (Raspberry Pi / Linux)
2.1 Installation OpenVPN
    Step 1: Update Raspberry and install OpenVPN
2.2 Ethernet Settings
2.2.1 VPN Tunnel (TUN)
2.2.2 VPN Bridge (TAP)
2.3 Create certificate and key
2.4 Configuration OpenVPN Server
2.4.1 VPN Tunnel (TUN)
2.4.2 VPN Bridge (TAP)
2.5 Configuration Linux Firewall
2.5.1 VPN Tunnel (TUN)
2.5.2 VPN Bridge (TAP)
2.5.3 Activate Init File
2.5.4 Statically Activate IP Forwarding
2.6 Configuration OpenVPN Client
2.6.1 VPN Tunnel (TUN)
2.6.2 VPN Bridge (TAP)
2.7 Generation and Export of Configuration Files for Clients
3 Configuration OpenVPN Client (Windows)
3.1 Installation OpenVPN
3.2 Configuration OpenVPN Client
3.3 Configuration TAP-Windows Adapter V9
4 General Network Settings & Connection Establishment
4.1 Activate Port Forwarding on Routers
4.2 Establishment of a Dynamic DNS Server
4.3 Building and Testing the VPN Connection
5 DriveAssistant

1 Requirements / Comparative Configuration

Dunkermotoren DriveAssistant 5, Version 8.0.0
Dunkermotoren BG XX dPro PN (Ethernet)
OpenVPN Version 2.4.7
Hardware gateway: Kunbus Revolution Pi Connect (Raspberry Pi Compute Module 3)
Operating system VPN server: Raspbian (Linux)
Operating system VPN client: Windows 10
Static public IP address or dynamic DNS service for the server-side router
Permission to configure the server-side router (port forwarding)
Permission to configure the OpenVPN server's firewall

2 Configuration OpenVPN Server (Raspberry Pi / Linux)
2.1 Installation OpenVPN

Step 1: Update Raspberry and install OpenVPN

Prior to installing OpenVPN, it is recommended to search for updates to the Raspberry Pi operating system and install them:

    sudo apt-get update
    sudo apt-get upgrade

Now the OpenVPN software and OpenSSL (used for the encryption) must be downloaded and installed with the following command:

    sudo apt-get install openvpn openssl

2.2 Ethernet Settings

To avoid routing between the two Raspberry Pi Ethernet ports and still be able to reach the motor at eth1 from the VPN connection at eth0, both ports are bridged in this example and given a common address. Alternatively, it is also possible to work with only one port and give it a fixed IP address; the motor and the VPN connection are then attached to that port via a switch. This scenario is not detailed here.

To configure the Ethernet settings of the Raspberry Pi, the file "interfaces" is opened as follows and adjusted according to the following chapter:

    sudo nano /etc/network/interfaces

The virtual loopback adapter is always registered by default and should always be retained in the configuration:

    auto lo
    iface lo inet loopback

Now the existing network interfaces are declared. Since our gateway has two separate Ethernet ports, the two interfaces eth0 and eth1 are created. The appended line "allow-hotplug ethX" causes the interface to be activated and configured automatically on a kernel event. This entry is important because the interface must otherwise be started manually with the command "sudo ifup eth0".

The configuration file must not be closed yet, since in the current state the interfaces have no addresses or configuration and the Raspberry Pi would no longer be reachable. The configuration then continues on a case-specific basis:

2.2.1 VPN Tunnel (TUN)

First, both Ethernet adapters are set to "manual" mode. This is important as they are configured via the bridge. For both adapters the following line is added:

    iface ethX inet manual

Next, the bridge br0 is created as an adapter and configured statically:

    auto br0
    iface br0 inet static

Afterwards, the network settings for the bridge adapter are set up. An example configuration could appear as follows:

    IP address:       192.168.0.200
    Subnet mask:      255.255.255.0
    Default gateway:  192.168.0.1
    Network:          192.168.0.0
    Broadcast:        192.168.0.255

In the configuration file, the entries appear as follows:

    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255

Finally, the two interfaces are added to the bridge via the following line:

    bridge_ports eth0 eth1

The complete network configuration should then appear as follows:

    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual

    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual

    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255
    bridge_ports eth0 eth1

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.

2.2.2 VPN Bridge (TAP)

The fundamental settings of the ports and the bridge are identical to the previous configuration for this variant. The bridge is only supplemented so that the VPN adapter tap0 is likewise added to it. "pre-up" commands are executed before the bridge is brought up and "post-up" commands immediately after the bridge has been created. The same applies when the bridge is taken down, for the commands "pre-down" and "post-down".

First, the bridge is given a defined MAC address with which it presents itself to the network. This simplifies diagnosis and allows the MAC address to be registered on the router if MAC filtering is active there. If the command is omitted, the bridge takes over a MAC address from one of its ports in the best case, but may end up without a usable MAC address in the worst case.

    post-up ip link set br0 address 28:2B:1b:e1:55:2F

The next commands ask OpenVPN to create the virtual network device tap0 before the bridge is built, and then add it to the bridge after the bridge has been built.

    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0

Subsequently, a combined command is used for each bridged interface to first delete the IP address assigned to it and then put it into "promiscuous mode", so that the bridge sees all traffic arriving at these interfaces. Additionally, another command adds a fixed default route via the bridge, through which the Internet is reached.

    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0

Finally, two command lines follow which remove the virtual network adapter from the bridge when the bridge is taken down and ask OpenVPN to close the adapter.

    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The complete network configuration should then look as follows:

    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual

    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual

    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.xxx
    bridge_ports eth0 eth1
    post-up ip link set br0 address 28:2B:1b:e1:55:2F
    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0
    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0
    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.

Alternatively, the construction and configuration of the bridge can also be realized via scripts that OpenVPN executes directly (its "up" and "down" hooks), which keeps the network configuration itself compact and independent of OpenVPN. This variant is not considered in detail here.
2.3 Create certificate and key

The encryption used in this example is an example configuration for quickly creating a functioning VPN connection. Protecting the VPN client keys with passwords is also omitted. For the concrete real use case, which goes beyond a connection test, it is recommended to select and configure suitable encryption settings to achieve and guarantee the desired security level.

First, the prefabricated "easy-rsa" scripts are copied into the OpenVPN configuration directory. They create the various certificates and keys.

    sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

Next, the file "vars" in the created directory must be opened and adjusted:

    sudo nano /etc/openvpn/easy-rsa/vars

In the file, the line export EASY_RSA="`pwd`" must be replaced by the line export EASY_RSA="/etc/openvpn/easy-rsa". You can also adjust the key length in the line export KEY_SIZE=... by changing the value. The key length determines the security level. For a Raspberry Pi 3, a key length of 2048 presents no problem, so it is used in this example.

Now change to the configuration directory "easy-rsa", obtain root privileges there, source the script "vars" and make the resulting OpenSSL configuration file accessible via a symbolic link. These four steps are accomplished via the following four commands:

    cd /etc/openvpn/easy-rsa
    sudo su
    source vars
    ln -s openssl-1.0.0.cnf openssl.cnf

The CA certificate is created in the next step. The OpenVPN key directory is reset and the CA is created anew:

    ./clean-all
    ./build-ca OpenVPN

A request to enter the two-letter "Country Name" follows (DE for Germany, AT for Austria, CH for Switzerland). All further queries can be skipped without entry by pressing Enter.

Next, the key file for the server is created. Here the "Country Name" must also be entered and all further queries skipped. At the end of the dialog, the question whether the certificate should be signed and committed must be confirmed twice with "y".

    ./build-key-server server

Next, the key files for the clients are created. It is important to note here that a key file must be created for each client that wishes to establish a connection to the VPN server. In our example we restrict ourselves to one client, "remote-pc-1". The procedure for certificate creation is analogous to the server (country code etc.).

    ./build-key remote-pc-1

If additional clients are required, the key files for these clients are created according to the same pattern:

    ./build-key client_name_xxx
    ./build-key client_name_yyy
    ./build-key client_name_zzz
    ...

For clients that are to be protected with a password, ./build-key-pass client_name must be used instead of the commands used above.

Key and certificate creation is completed by generating the Diffie-Hellman parameters (dh2048.pem) that the server needs for its key exchange. This process takes approx. 20 min on the Raspberry Pi.

    ./build-dh

Finally, the root user is logged off after the end of key and certificate creation:

    exit

Note that the directory /etc/openvpn/easy-rsa/keys now also contains ca.key, the CA's private key. Anyone holding it can issue certificates that the server accepts, so it must remain readable only by root on the gateway and must never be copied to a client; a client needs only ca.crt, its own certificate and its own key.
2.4 Configuration OpenVPN Server

To configure the OpenVPN server, the file "openvpn.conf" is opened as follows and adjusted according to the following chapter:

    sudo nano /etc/openvpn/openvpn.conf

2.4.1 VPN Tunnel (TUN)

First, routing over a tunnel is activated via "dev tun", UDP is selected as the transport protocol via "proto udp", and "port 1194" selects the port over which the tunnel is established. Alternatively, TCP can be used as the transport protocol. The port can be freely selected; the OpenVPN standard port 1194 is used in the example.

    dev tun
    proto udp
    port 1194

Next, the SSL/TLS root certificate (ca), the server certificate (cert) and the server's private key (key) that were created in the directory "easy-rsa" are referenced, together with the Diffie-Hellman parameters (dh). In this example the Diffie-Hellman parameters have a length of 2048 bits.

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem

Now the VPN server is given a virtual network and subnet mask. For this variant, routing from this virtual VPN network into the physical Raspberry Pi network takes place.

    server 10.8.0.0 255.255.255.0

Via the line push "redirect-gateway def1 bypass-dhcp", all IP traffic of the client is routed through the VPN tunnel; whether this setting makes sense depends on the application. The following two lines name the DNS servers to be used for name resolution. In our example this is the local DNS server of the router and the public DNS server from Google (8.8.8.8); these can be chosen at your discretion.

    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"

To save log information for the connection in the file /var/log/openvpn, the following line is added:

    log-append /var/log/openvpn

The following is a standard set of options. "persist-key" ensures that the key files are not re-read on a restart of the connection (necessary because the process drops its privileges and could no longer read them), and "persist-tun" ensures that the TUN/TAP device is not closed and reopened. "user nobody" and "group nogroup" drop OpenVPN's privileges after program start and thereby increase security. "client-to-client" enables communication between the clients, and status /var/log/openvpn-status.log creates a status file which documents the current connections. The verbosity of the logs is defined via "verb x": value 0 means no output other than error messages, a value between 1 and 4 is suitable for normal use, and a higher value for troubleshooting. To monitor the connection, "keepalive 10 120" is added: a ping is sent every 10 seconds, and if no answer is received within 120 seconds the connection is considered interrupted. To compress data in the VPN tunnel and increase throughput, LZO compression is activated via "comp-lzo". The last option "script-security x" defines which external programs and scripts OpenVPN may execute: value 0 strictly forbids calling external programs; value 1 allows only built-in executables such as ifconfig, ip, route or netsh, which are necessary for the correct functioning of OpenVPN; value 2 additionally allows user-defined scripts; value 3 additionally allows passwords to be passed to scripts via environment variables.

    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

Two caveats for use beyond the connection test described here: compression of encrypted traffic exposes the tunnel to compression side-channel attacks (the VORACLE attack against OpenVPN, published in 2018), and the OpenVPN project advises against enabling it; for the small amount of motor traffic here, omitting "comp-lzo" on server and client costs nothing. In addition, the example relies on certificates alone; adding a shared control-channel key with "tls-crypt" (generated with openvpn --genkey --secret ta.key and distributed to server and clients) makes the port exposed to the Internet discard packets from anyone who does not hold that key before any TLS handshake takes place.

The complete configuration file for the server as VPN tunnel should then appear as follows:

    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.

2.4.2 VPN Bridge (TAP)

Compared to the settings for a VPN tunnel, bridged mode is activated first via "dev tapX". tapX is the tap device assigned in the Ethernet configuration, in our case tap0.

    dev tap0

Furthermore, no freely selectable VPN network is assigned; instead, the server bridge that was configured in the network settings is specified (in the example, the bridge address 192.168.0.200), together with an address range from which the VPN server assigns addresses to the clients, because with a bridge the client is "pulled" into the server's subnet. Here it must be ensured that this address range does not overlap with the address range that the router assigns via DHCP on the server side; otherwise duplicate IP addresses can occur.

    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220

So that clients are always allocated the same addresses again, the option ifconfig-pool-persist ipp.txt is added. This ensures that a client that dials in again gets its previous address from the address pool. The clients are thus indirectly assigned fixed IP addresses.

    ifconfig-pool-persist ipp.txt

Otherwise, compared to the configuration of a VPN tunnel, only the "push" options are dropped. These are not needed, because the client is on the same subnet as the server. All other standard options are used identically. The complete configuration file for the server as VPN bridge should then appear as follows:

    dev tap0
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    ifconfig-pool-persist ipp.txt
    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.
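The bridge settings in 2.2 (network and broadcast derived from address and netmask) and the pool rule in 2.4.2 (the pool must lie inside the bridge subnet, must not contain the bridge address and must not overlap the router's DHCP range) are easy to get wrong by hand. The following script is an added example, not part of the whitepaper: it does the address arithmetic in plain POSIX sh and emits the server-bridge line only when the pool passes the checks. The router DHCP range 192.168.0.100-192.168.0.199 is an assumed value; read the real one from the router.

```shell
#!/bin/sh
# Added example (not from the whitepaper): address arithmetic for the bridge
# settings in 2.2 and a sanity check for the server-bridge pool in 2.4.2.
# Pure POSIX sh, no root and no network access needed.

ip2int() {  # dotted quad -> unsigned integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

int2ip() {  # unsigned integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

network_of() {    # <address> <netmask>  -> the "network" entry for /etc/network/interfaces
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

broadcast_of() {  # <address> <netmask>  -> the "broadcast" entry
    int2ip $(( ( $(ip2int "$1") & $(ip2int "$2") ) | ( ~$(ip2int "$2") & 4294967295 ) ))
}

# check_bridge_pool <bridge ip> <netmask> <pool start> <pool end> <dhcp start> <dhcp end>
# Returns 0 when the pool is usable for "server-bridge", otherwise 1 with the reason on stderr.
check_bridge_pool() {
    br=$(ip2int "$1"); ps=$(ip2int "$3"); pe=$(ip2int "$4")
    ds=$(ip2int "$5"); de=$(ip2int "$6")
    net=$(ip2int "$(network_of "$1" "$2")"); bc=$(ip2int "$(broadcast_of "$1" "$2")")
    if [ "$ps" -gt "$pe" ]; then
        echo "pool start is after pool end" >&2; return 1
    fi
    # the pool must lie strictly between network and broadcast address
    if [ "$ps" -le "$net" ] || [ "$pe" -ge "$bc" ]; then
        echo "pool leaves the bridge subnet $(network_of "$1" "$2")/$2" >&2; return 1
    fi
    if [ "$br" -ge "$ps" ] && [ "$br" -le "$pe" ]; then
        echo "pool contains the bridge address $1" >&2; return 1
    fi
    # two closed ranges overlap iff each starts before the other ends
    if [ "$ps" -le "$de" ] && [ "$ds" -le "$pe" ]; then
        echo "pool overlaps the router DHCP range $5-$6" >&2; return 1
    fi
    return 0
}

# Emits the openvpn.conf line once the pool has passed the check.
server_bridge_line() {  # same arguments as check_bridge_pool
    check_bridge_pool "$@" || return 1
    echo "server-bridge $1 $2 $3 $4"
}

# Example run with the whitepaper's values and an assumed router DHCP range of .100-.199.
server_bridge_line 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220 192.168.0.100 192.168.0.199
```

Run it on the gateway before editing openvpn.conf; a non-zero exit with a message such as "pool overlaps the router DHCP range" is exactly the duplicate-address situation the section warns about.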
2.5 Configuration Linux Firewall

Forwarding between the VPN, the local network and the Internet connection must be set up in the firewall of the Raspberry Pi. The file "rpivpn" is created as follows and adjusted according to the following chapter:

    sudo nano /etc/init.d/rpivpn

A header for a Linux init script is created by inserting the following comments:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO

2.5.1 VPN Tunnel (TUN)

In this variant, IP forwarding is first activated via the following command (in the init script itself, which already runs as root, the sudo wrapper is not needed):

    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s

Next, forwarding of VPN packets is permitted with the packet filter "iptables":

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT

Finally, the clients are granted access to the local network and to the Internet via the following commands. The MASQUERADE rule selects the VPN client network as the source (-s 10.8.0.0/24) and the bridge as the outgoing interface (-o br0); note that the -o option of iptables only accepts interface names, not addresses.

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The complete init file for the server as VPN tunnel should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    # enable IP forwarding (the script runs as root at boot, so no sudo is needed)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # accept packets arriving from the tunnel and forward them
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT the VPN client network 10.8.0.0/24 behind the bridge address
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.

2.5.2 VPN Bridge (TAP)

In this case the configuration is somewhat simpler: apart from IP forwarding, only the following three lines are needed, which grant the tap device and the configured bridge access to the local network and the Internet.

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The complete init file for the server as VPN bridge should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    # enable IP forwarding (the script runs as root at boot, so no sudo is needed)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # accept traffic from the tap device and the bridge, and forward across the bridge
    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.

Note that Raspbian's default iptables policy is ACCEPT on all chains, so the ACCEPT rules above only have an effect once a restrictive default policy (for example iptables -P INPUT DROP) is set elsewhere. If the gateway is reachable from the Internet, it is worth doing so and allowing only the VPN port, SSH and the tunnel or bridge interfaces.

Alternatively, the configuration of the firewall can also be realized via scripts that OpenVPN executes directly, which makes a separate init script unnecessary. This variant is not considered in detail here.

2.5.3 Activate Init File

Once the init file for the firewall configuration is complete, the required rights must be assigned to the file and the file must be installed as an init script. This is done with the following two commands:

    sudo chmod +x /etc/init.d/rpivpn
    sudo update-rc.d rpivpn defaults

Finally, the script must be executed and the OpenVPN server restarted:

    sudo /etc/init.d/rpivpn
    sudo /etc/init.d/openvpn restart

2.5.4 Statically Activate IP Forwarding

As an alternative to the command echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s, which activates IP forwarding temporarily on each system start, IP forwarding can also be activated permanently. For this, the system file "sysctl.conf" must be opened:

    sudo nano /etc/sysctl.conf

The following line must then be activated by removing the comment character #:

    net.ipv4.ip_forward=1

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.
2.6 Configuration OpenVPN Client

After the server has been configured, the configuration for the client must be created or adapted accordingly. Although the configuration file can also be created directly on the client, creating it on the server offers the advantage that the configurations for both server and client are maintained in one place. First, root rights must be obtained again. Then the corresponding client file is opened, in our case "remote-pc-1":

    sudo su
    cd /etc/openvpn/easy-rsa/keys
    nano remote-pc-1.ovpn

The server address and the port through which the VPN server is reachable must be entered via the option "remote ...". This can be either a static public IP address or a name from a dynamic DNS provider which follows the address when the Internet provider assigns a new one:

    remote xyz.dynDNSServer.com 1194
    # or, with a static public IP:  remote xxx.xxx.xxx.xxx 1194

It is important that the client settings for "dev", "proto", "verb" and "script-security" correspond to those of the server. If "comp-lzo", "persist-key" and "persist-tun" are activated on the server, they must also be used on the client. "nobind" specifies that no local port binding is forced and the local port can be arbitrary. "remote-cert-tls server" ensures that it is explicitly checked whether the peer certificate is of type server (as created by build-key-server); without this line, any client certificate issued by the same CA could be used to impersonate the server. "resolv-retry infinite" is added so that DNS resolution is retried indefinitely after a server-side connection termination. In the client configuration, "dev tun" as opposed to "dev tap0" is the only difference between tunnel and bridge. The "cert" and "key" lines name the files generated for this client in section 2.3. The complete configuration files for the client are presented for both cases in the following chapters.

2.6.1 VPN Tunnel (TUN)

    client
    dev tun
    proto udp
    remote xyz.dynDNSServer.com 1194
    # or, with a static public IP:  remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert remote-pc-1.crt
    key remote-pc-1.key
    remote-cert-tls server
    comp-lzo
    verb 3
    script-security 2

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.

2.6.2 VPN Bridge (TAP)

    client
    dev tap0
    proto udp
    remote xyz.dynDNSServer.com 1194
    # or, with a static public IP:  remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert remote-pc-1.crt
    key remote-pc-1.key
    remote-cert-tls server
    comp-lzo
    verb 3
    script-security 2

The change can be saved with Ctrl+O and the editor closed with Ctrl+X.
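The rule that dev, proto, verb, script-security and the persist/comp-lzo options must agree between server and client, together with the "remote-cert-tls server" check, is worth verifying mechanically before the archive leaves the gateway. The following script is an added example, not part of the whitepaper: it reads both files with plain awk and grep and reports every mismatch. The three configuration files it creates under a temporary directory are constructed for the example; on the gateway, point it at /etc/openvpn/openvpn.conf and the real .ovpn instead.

```shell
#!/bin/sh
# Added example (not from the whitepaper): checks that a client .ovpn matches
# the server's openvpn.conf the way section 2.6 requires. Plain POSIX sh + awk.

conf_get() {  # <file> <option>: value of the first non-comment occurrence, or empty
    awk -v opt="$2" '/^[ \t]*[#;]/ { next } $1 == opt { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

conf_has() {  # <file> <option>: succeeds if the option appears at all (comments ignored)
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# check_client_matches_server <server.conf> <client.ovpn>
# Returns 0 when consistent; otherwise prints every mismatch to stderr and returns 1.
check_client_matches_server() {
    srv=$1; cli=$2; fails=0
    sdev=$(conf_get "$srv" dev); cdev=$(conf_get "$cli" dev)
    # the device type (tun vs tap) must match; the unit number may differ
    if [ "${sdev%%[0-9]*}" != "${cdev%%[0-9]*}" ]; then
        echo "dev mismatch: server '$sdev', client '$cdev'" >&2; fails=$((fails + 1))
    fi
    for opt in proto verb script-security; do
        if [ "$(conf_get "$srv" "$opt")" != "$(conf_get "$cli" "$opt")" ]; then
            echo "'$opt' differs between server and client" >&2; fails=$((fails + 1))
        fi
    done
    for flag in comp-lzo persist-key persist-tun; do
        if conf_has "$srv" "$flag" && ! conf_has "$cli" "$flag"; then
            echo "server sets '$flag' but the client does not" >&2; fails=$((fails + 1))
        fi
    done
    conf_has "$cli" remote || { echo "client has no 'remote' line" >&2; fails=$((fails + 1)); }
    [ "$(conf_get "$cli" remote-cert-tls)" = server ] \
        || { echo "client lacks 'remote-cert-tls server'" >&2; fails=$((fails + 1)); }
    case ${sdev%%[0-9]*} in
        tun) conf_has "$srv" server \
                 || { echo "tun server needs a 'server' network line" >&2; fails=$((fails + 1)); } ;;
        tap) conf_has "$srv" server-bridge \
                 || { echo "tap server needs a 'server-bridge' line" >&2; fails=$((fails + 1)); }
             ! conf_has "$srv" push \
                 || { echo "bridge mode does not need 'push' lines" >&2; fails=$((fails + 1)); } ;;
    esac
    [ "$fails" -eq 0 ]
}

# Constructed sample files for the example (not real deployments).
EX_DIR=$(mktemp -d)
cat > "$EX_DIR/server-tun.conf" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
persist-key
persist-tun
comp-lzo
verb 3
script-security 2
EOF
cat > "$EX_DIR/client-tun.ovpn" <<'EOF'
client
dev tun
proto udp
remote xyz.dynDNSServer.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert remote-pc-1.crt
key remote-pc-1.key
remote-cert-tls server
comp-lzo
verb 3
script-security 2
EOF
# a bridge-style client with TCP, no comp-lzo and no server certificate check
cat > "$EX_DIR/client-bad.ovpn" <<'EOF'
client
dev tap0
proto tcp
remote xyz.dynDNSServer.com 1194
persist-key
persist-tun
verb 3
script-security 2
EOF

check_client_matches_server "$EX_DIR/server-tun.conf" "$EX_DIR/client-tun.ovpn" && echo "client-tun.ovpn matches"
check_client_matches_server "$EX_DIR/server-tun.conf" "$EX_DIR/client-bad.ovpn" || echo "client-bad.ovpn rejected"
```

The second call prints four findings (dev, proto, comp-lzo, remote-cert-tls); the missing "remote-cert-tls server" is the one that matters for security, since the other three only stop the connection from coming up.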
2.7 Generation and Export of Configuration Files for Clients

Finally, the configuration file for the client is collected together with the relevant key and certificates in a ZIP file. If no ZIP package is installed on the Raspberry Pi yet, it is installed as follows:

    apt-get install zip

Next, the ZIP file is created per client as follows. It is important that the correct client name is used:

    zip /home/pi/remote-pc-1.zip ca.crt remote-pc-1.crt remote-pc-1.key remote-pc-1.ovpn

Finally, the file ownership is adjusted and the root shell is left:

    chown pi:pi /home/pi/remote-pc-1.zip
    exit

The finished ZIP file can now be copied from the Raspberry Pi to the client via a file transfer program such as FileZilla or via a USB stick. Since the archive contains the client's private key, transfer it over an authenticated, encrypted channel (SFTP or SCP rather than plain FTP) and delete the copy in /home/pi afterwards; ca.key must not be included in the archive.
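An alternative to the four-file ZIP archive that is easier to hand over and to protect is a single self-contained .ovpn that carries ca.crt, the client certificate and the client key as inline blocks, which OpenVPN GUI accepts unchanged. The following script is an added example, not part of the whitepaper: it strips the file-based ca/cert/key lines from the profile, appends the three inline blocks and writes the result readable only by its owner. The certificate and key files it creates are constructed placeholders for the example, not real credentials; on the gateway, run bundle_client against /etc/openvpn/easy-rsa/keys.

```shell
#!/bin/sh
# Added example (not from the whitepaper): build one self-contained .ovpn from
# the client profile plus ca.crt, <client>.crt and <client>.key.

emit_block() {  # <tag> <file>: wrap the file's contents in <tag>...</tag>
    printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"
}

# make_inline_ovpn <client.ovpn> <ca.crt> <client.crt> <client.key>  -> bundled profile on stdout
make_inline_ovpn() {
    for f in "$1" "$2" "$3" "$4"; do
        [ -r "$f" ] || { echo "missing input file: $f" >&2; return 1; }
    done
    # keep every line except the file-based ca/cert/key references
    grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$1"
    emit_block ca "$2"
    emit_block cert "$3"
    emit_block key "$4"
}

# bundle_client <keys dir> <client name> <output file>
# The output contains the private key, so it is created with mode 0600.
bundle_client() {
    dir=$1; name=$2; out=$3
    ( umask 077 && make_inline_ovpn "$dir/$name.ovpn" "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" > "$out" )
}

# Constructed sample input for the example (placeholder PEM bodies, not real credentials).
EX_DIR=$(mktemp -d)
cat > "$EX_DIR/remote-pc-1.ovpn" <<'EOF'
client
dev tun
proto udp
remote xyz.dynDNSServer.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert remote-pc-1.crt
key remote-pc-1.key
remote-cert-tls server
verb 3
script-security 2
EOF
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$EX_DIR/ca.crt"
printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$EX_DIR/remote-pc-1.crt"
printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$EX_DIR/remote-pc-1.key"

bundle_client "$EX_DIR" remote-pc-1 "$EX_DIR/remote-pc-1-inline.ovpn"
```

The bundled file goes into the same C:\Users\XYZ\OpenVPN\config\remote-pc-1 folder described in section 3.2; nothing else needs to be unpacked there, and there is only one file whose permissions and transport have to be protected.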
3 Configuration OpenVPN Client (Windows)

3.1 Installation OpenVPN

OpenVPN can be obtained directly from the homepage www.openvpn.net. For the test setup serving as an example, the open source version 2.4.7 was used here. For use in a commercial application, the appropriate licenses and software packages can also be acquired via the OpenVPN homepage. After downloading the correct software, it can be installed directly on the client PC and is afterwards accessible as "OpenVPN GUI" via the Start menu.

3.2 Configuration OpenVPN Client

After starting "OpenVPN GUI", the following symbol appears in the taskbar, which indicates that OpenVPN has started.

Figure 2: Taskbar symbol OpenVPN

First, the contents of the ZIP file copied from the server must be unpacked and stored in the configuration directory of OpenVPN. The OpenVPN directory created in the user folder must be used here, not the general directory in the program folder. The directory tree should look something like this:

    C:\Users\XYZ\OpenVPN\config\remote-pc-1

In the unpacked folder, the following four files for key, certificates and configuration should be available:

Figure 3: Files OpenVPN Client

The desired configuration can now be selected from all registered configurations by right-clicking the OpenVPN symbol in the taskbar. In the submenu that appears, the connection to the server can be started, log information can be read, the password can be changed if necessary, or the configuration file itself can be edited. If configuration changes are made on the server, either the new file from the server can be copied to the client or the existing file on the client can be adapted directly in parallel.

3.3 Configuration TAP-Windows Adapter V9

The TAP-Windows Adapter V9 is a virtual network adapter which is already installed on many Windows computers; if not, it is installed together with OpenVPN. OpenVPN builds the connection to the selected server via this adapter. In principle the adapter can be configured like any other physical network adapter. In the case of a VPN connection, however, the VPN server assigns the IP configuration independently of the adapter's own settings. For the connection to a BG XX dPro PN and the use of DriveAssistant, however, it is important that the adapter is assigned a fixed IP address in its normal Windows settings and is not set to DHCP; otherwise it will not be recognized by DriveAssistant. It does not matter which address is assigned, because it is overwritten as described.
4 General Network Settings & Connection Establishment

Before the connection can be established, a few general settings must be made in the server-side IT infrastructure and reachability from the public IP address space must be ensured.

4.1 Activate Port Forwarding on Routers

On the router, or on all higher-level routers via which the OpenVPN server communicates with the Internet, port forwarding of the VPN port (1194/UDP in the example) to the gateway must be activated so that VPN requests arriving at the router are forwarded to the server. The specific configuration depends on the router used, which is why the process is not described here in detail.

4.2 Establishment of a Dynamic DNS Server

So that the OpenVPN server can always be reached, it must be accessible at the same address in the public IP address space. One possibility is a static public IP address; the other is a dynamic DNS provider, which ensures that the VPN server remains reachable under the same name even if the Internet provider assigns a new address to the router (and thus to the end devices behind it) after 24 hours or after a disconnection. For this purpose, an account must first be opened with a suitable provider, e.g. SecurePoint (www.spdyn.de), and a host name pointing at the server-side router must be registered. Afterwards, the dynamic DNS provider must also be configured on the router, so that address changes are transmitted and the name follows the new address. The specific configuration depends on the router and the selected dynamic DNS provider, which is why the procedure is described here only in principle and not in detail.

Figure 4: Options OpenVPN Client

4.3 Building and Testing the VPN Connection

If all settings have been made as described, the connection to the VPN server can be established. On the client, right-click the OpenVPN symbol and select "Connect" under the correct configuration. The OpenVPN symbol in the taskbar now turns yellow and a log window appears which displays the current status of the connection establishment. If no error occurs, the log window closes automatically as soon as the connection has been established and the OpenVPN symbol in the taskbar turns green. The connection to the OpenVPN server has now been established.

As a first check, it makes sense to look at which IP address has been assigned to the virtual network adapter. For a VPN tunnel, the address must be in the VPN server's network (10.8.0.x with the "server 10.8.0.0 255.255.255.0" line from section 2.4.1). For a VPN bridge, it must be an address from the free address pool of the VPN bridge and belong to the network there.

Finally, the connection can be tested using ping. It is recommended to ping the VPN server first. If it is reachable, the connection to the gateway is already established. If the ping does not go through, first check the router and firewall settings. Second, ping a registered device in the VPN server's network; if this ping goes through, the VPN connection is fully functional. If the second ping does not go through, first check the routing and the firewall settings on the VPN server.

5 DriveAssistant

No special settings need to be made in DriveAssistant 5. If everything has been configured as a VPN bridge according to the instructions and the VPN connection is established, the "TAP-Windows Adapter V9" can be selected under Available Adapters for the connection type "Industrial Ethernet", and after starting the drive search, drives located in the network are found. Since DriveAssistant 5 recognizes unknown motors via broadcast commands, it is important that the connection is implemented as a VPN bridge. If the IP address of the drive is permanently assigned and known, a VPN tunnel can be used. However, in this case the drive search does not work and the IP address of the motor must be entered permanently in the corresponding field.

Figure 5: DriveAssistant 5: Network Adapter Selection

Your contact for public relations: Janina Dietsche | janina.dietsche@ametek.com | Tel: +49 (0)7703/930-546