x-router  Date: 2021-02-09
Whitepaper: Implement remote access to Dunkermotoren with VPN
Markus Weishaar | Product Manager IIoT, Dunkermotoren GmbH
Author: Markus Weishaar
Date: 11.05.2019

This whitepaper describes the configuration of a VPN connection for the remote access of a Dunkermotoren dPro Ethernet motor via the Internet with the Dunkermotoren standard software "Drive Assistant" and the open source software OpenVPN. A Linux-based Edge-Gateway is configured as a VPN server for this purpose. The Edge-Gateway communicates with the motor as well as with a router, which accepts the Internet connection, over 2 bridged ports via Ethernet. On the other side is a standard Windows PC on which Drive Assistant and OpenVPN are installed. OpenVPN is configured as a client on the PC which sets up a VPN connection to the VPN server on the Gateway via the Internet. By means of this connection, the motor can be selected and driven via Drive Assistant, or a firmware update can be installed.

If the motor has a known static IP address, the VPN connection can be configured as a tunnel, since the linking of two subnets via routing is sufficient. If the motor has no IP address or no known IP address, the VPN connection must be set up as a bridge, which draws the client into the same subnet in which the server is also located. This is necessary because the Drive Assistant uses broadcasts for the drive search, and broadcasts only function in the same subnet.

Figure 1: VPN networks

Contents:
1 Requirements / Comparative Configuration
2 Configuration OpenVPN Server (Raspberry Pi / Linux)
  2.1 Installation OpenVPN
      Step 1: Update Raspberry and install OpenVPN
  2.2 Ethernet Settings
      2.2.1 VPN Tunnel (TUN)
      2.2.2 VPN Bridge (TAP)
  2.3 Create certificate and key
  2.4 Configuration OpenVPN Server
      2.4.1 VPN Tunnel (TUN)
      2.4.2 VPN Bridge (TAP)
  2.5 Configuration Linux Firewall
      2.5.1 VPN Tunnel (TUN)
      2.5.2 VPN Bridge (TAP)
      2.5.3 Activate Init File
      2.5.4 Statically Activate IP Forwarding
  2.6 Configuration OpenVPN Client
      2.6.1 VPN Tunnel (TUN)
      2.6.2 VPN Bridge (TAP)
  2.7 Generation and Export of Configuration Files for Clients
3 Configuration OpenVPN Client (Windows)
  3.1 Installation OpenVPN
  3.2 Configuration OpenVPN Client
  3.3 Configuration TAP-Windows Adapter V9
4 General Network Settings & Connection Establishment
  4.1 Activate Port Forwarding on Routers
  4.2 Establishment of Dynamic DNS Server
  4.3 Building and Testing VPN Connection
5 Drive Assistant

1 Requirements / Comparative Configuration

- Dunkermotoren Drive Assistant 5, version 8.0.0
- Dunkermotoren BG XX dPro PN (Ethernet)
- OpenVPN version 2.4.7
- Hardware gateway: Kunbus Revolution Pi Connect (Raspberry Pi Compute Module 3)
- Operating system VPN server: Raspbian (Linux)
- Operating system VPN client: Windows 10
- Static public IP address or dynamic DNS server for the server-side router
- Permission for configuration of the server-side router (port forwarding)
- Permission for configuration of the OpenVPN server's firewall

2 Configuration OpenVPN Server (Raspberry Pi / Linux)

2.1 Installation OpenVPN

Step 1: Update Raspberry and install OpenVPN

Prior to the installation of OpenVPN, it is recommended to search for updates for the Raspberry Pi operating system and to install them:

    sudo apt-get update
    sudo apt-get upgrade

Now the OpenVPN software and OpenSSL for the encryption must be loaded and installed with the following command:

    sudo apt-get install openvpn openssl

2.2 Ethernet Settings

To forgo routing between the two Raspberry Pi Ethernet ports and still be able to reach the motor at eth1 from the VPN connection at eth0, both ports are bridged and provided with a common address in this example. Alternatively, it is also possible to work with only one port and provide it with a fixed IP address; the motor and the VPN connection can then be connected to that port by means of a switch. This scenario is not detailed here.

To configure the Ethernet settings of the Raspberry Pi, the file "interfaces" must be opened as follows and adjusted according to the following chapter:

    sudo nano /etc/network/interfaces

The virtual loopback adapter is always registered by default and should always be retained in the configuration:

    auto lo
    iface lo inet loopback

Now the existing network interfaces are created. Since our Gateway has two separate Ethernet ports, the two interfaces eth0 and eth1 are created. The attached command "allow-hotplug ethX" causes the interface to be automatically activated and configured on a kernel event. This entry is important because the interface must otherwise be started manually via the command "sudo ifup eth0". The configuration file must not be closed yet, since the interfaces in the current state have no addresses and configuration and the Raspberry Pi would no longer be accessible. The configuration is then carried out on a case-specific basis:

2.2.1 VPN Tunnel (TUN)

First, both Ethernet adapters are set to "manual" mode. This is important as they are configured via the bridge. For both adapters the following line is added:

    iface ethX inet manual

Next, the bridge br0 is created as an adapter and statically configured:

    auto br0
    iface br0 inet static

Afterwards, the network settings for the adapter are set up. An example configuration could appear as follows:

    IP address:      192.168.0.200
    Subnet mask:     255.255.255.0
    Default gateway: 192.168.0.1
    Network:         192.168.0.0
    Broadcast:       192.168.0.255

In the configuration file, the entries appear as follows:

    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255

Finally, the two interfaces are added to the bridge via the following line:

    bridge_ports eth0 eth1

The complete network configuration entries to be made should then appear as follows:

    auto lo
    iface lo inet loopback
    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual
    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual
    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255
    bridge_ports eth0 eth1

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.2.2 VPN Bridge (TAP)

The fundamental settings of the ports and the bridge are identical to the previous configuration for this variant. Only the bridge is supplemented, so that the VPN adapter tap0 is likewise added to the bridge. "pre-up" commands are executed before the bridge is built and "post-up" commands are executed immediately after the bridge is created. The same applies when taking the bridge down for the commands "pre-down" and "post-down".

First, the bridge is given a defined MAC address, which the bridge uses to announce itself on the network. This facilitates diagnosis and enables the MAC address to be registered on the router if MAC filtering is active there. If the command is omitted, the bridge receives a MAC address automatically in the best case, but will not receive any MAC address in the worst case.

    post-up ip link set br0 address 28:2B:1b:e1:55:2F

The next commands first ask OpenVPN to create a virtual network device tap0 before the bridge is built, and then add it to the bridge after the bridge has been built.

    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0

Subsequently, a combined command is used to delete the IP addresses first assigned to the interfaces of the bridge and then to put the interfaces into "promiscuous mode", so that the bridge sees all data traffic arriving at these interfaces. Additionally, another command adds a fixed route to the default gateway for the bridge, via which the Internet is accessed.

    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0

Finally, two command lines follow which remove the virtual network adapter from the bridge when the bridge is taken down and ask OpenVPN to close the adapter.

    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The complete network configuration should then look as follows:

    auto lo
    iface lo inet loopback
    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual
    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual
    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.xxx
    bridge_ports eth0 eth1
    post-up ip link set br0 address 28:2B:1b:e1:55:2F
    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0
    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0
    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

Alternatively, the construction and configuration of the bridge can also be realized via scripts, which are executed directly by OpenVPN, so that the network configuration itself can be kept narrow and independent. This variant is not considered in detail here.

2.3 Create certificate and key

The encryption used in this example is an example configuration for quickly creating a functioning VPN connection. Protecting the VPN clients with passwords is also omitted. For the concrete real use case, which goes beyond a connection test, it is recommended to select and configure a suitable encryption to achieve and guarantee the desired security level.

First, the prefabricated "easy-rsa" scripts are copied into the OpenVPN configuration directory. They create the different certificates and keys.

    sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

Next, the file "vars" must be opened in the created directory and adjusted:

    sudo nano /etc/openvpn/easy-rsa/vars

In the file, the line

    export EASY_RSA="`pwd`"

must be replaced by the line

    export EASY_RSA="/etc/openvpn/easy-rsa"

You can also adjust the key length in the file in the line export KEY_SIZE= by changing the value. The key length determines the security level. For the Raspberry Pi 3, a key length of 2048 presents no problem. For this reason, it is used in this example.

Now you have to change back to the configuration directory "easy-rsa", obtain root privileges there, execute the script "vars" and make the resulting configuration file accessible via a symbolic link. These four steps are accomplished via the following four commands:

    cd /etc/openvpn/easy-rsa
    sudo su
    source vars
    ln -s openssl-1.0.0.cnf openssl.cnf

The certificate is created in the next step. The OpenVPN key files are reset and created anew:

    ./clean-all
    ./build-ca OpenVPN

A request to enter the two-letter "Country Name" follows (DE for Germany, AT for Austria, and CH for Switzerland). All further queries can be skipped without entry by pressing Enter.

Next, the key file for the server is created. Here the "Country Name" must also be entered and all further queries must be skipped. At the end of the dialog, the question on whether the certificate should be created must be confirmed twice with "Y".

    ./build-key-server server

Next, the key files for the clients are created. It is important to note here that a key file must be created for each client that wishes to establish a connection with the VPN server. In our example we restrict ourselves to one client, "remote-pc-1". The procedure for certificate creation is analogous to the server (Country Code, etc.).

    ./build-key remote-pc-1

If additional clients are required, the key files for these clients are created according to the same pattern:

    ./build-key client_name_xxx
    ./build-key client_name_yyy
    ./build-key client_name_zzz
    …

For clients equipped with a password, "./build-key-pass client_name" must be used instead of the commands above.

Key and certificate creation is now completed using the Diffie-Hellman key exchange command. (This process takes approx. 20 min.)

    ./build-dh

Finally, the root user is logged off after the end of key and certificate creation:

    exit

2.4 Configuration OpenVPN Server

To configure the OpenVPN server, the file "openvpn.conf" must be opened as follows and adjusted according to the following chapter:

    sudo nano /etc/openvpn/openvpn.conf

2.4.1 VPN Tunnel (TUN)

First the routing over a tunnel is activated via "dev tun", UDP is selected as transport protocol via "proto udp", and with "port 1194" the port is selected via which the tunnel is established. Alternatively, TCP can also be used as transport protocol. The port can be freely selected; the OpenVPN standard port 1194 is used in the example.

    dev tun
    proto udp
    port 1194

Next, the SSL/TLS root certificate (ca), the digital certificate (cert), and the digital key (key) generated in the directory "easy-rsa" are entered. The correct bit-encryption is also entered; in this example, Diffie-Hellman with key length 2048.

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem

Now the VPN server is given an IP address and a subnet mask. For this variant, routing takes place from this virtual VPN server network into the physical Raspberry Pi network.

    server 10.8.0.0 255.255.255.0

Via the command push "redirect-gateway def1 bypass-dhcp", all IP traffic is routed through the VPN tunnel; depending on the application, it must be decided whether this setting makes sense or not. The following two commands name the DNS servers to be used for name resolution. In our example, this is a local DNS server of the router and the public DNS server from Google (8.8.8.8). However, these can be chosen at your discretion.

    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"

To save log information for the connection in the file "/var/log/openvpn", the following line is added:

    log-append /var/log/openvpn

The following is a standard set of commands. The command "persist-key" makes it so that the key files are not read again, and "persist-tun" ensures that the TUN and TAP network drivers are not restarted. The commands "user nobody" and "group nogroup" drop the rights of OpenVPN after program start and thereby increase security. The line "client-to-client" enables communication between the clients, and "status /var/log/openvpn-status.log" creates a status file which documents the current connections. The comprehensiveness of the logs is defined via "verb x". Value "0" means no output other than error messages. A value between 1 and 4 is suitable for normal use, whereas a higher value is suitable for troubleshooting. To check the connection, "keepalive 10 120" is added: a ping is triggered every 10 seconds, and when no answer is received after 120 seconds, a connection interruption is diagnosed. To compress data in the VPN tunnel and to increase throughput, LZO compression is activated via "comp-lzo". The last command "script-security x" defines which applications and scripts may be executed by OpenVPN. Value "0" indicates a strict ban on executing external applications. Value "1" allows exclusively "built-in" applications such as ifconfig, ip, route, or netsh to be executed; these are necessary for the correct functionality of OpenVPN. Value "2" indicates that additional user-defined scripts are allowed, and value "4" indicates that it is additionally allowed to pass user passwords to them.

    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The complete configuration file for the server as VPN tunnel should then appear as follows:

    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".
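The status file configured above ("status /var/log/openvpn-status.log") is the quickest way to see who is actually connected to the Gateway. The following added example (not part of the whitepaper) parses that file in OpenVPN's default status-version 1 layout and flags every session whose certificate common name is not one of the clients for which ./build-key was run; the status content and the allow-list are constructed assumptions.

```python
# Constructed sample in OpenVPN's default status-version 1 layout, using the
# client names from this whitepaper and documentation-range public addresses.
STATUS_SAMPLE = """\
OpenVPN CLIENT LIST
Updated,Sat May 11 10:02:15 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
remote-pc-1,203.0.113.10:51234,48213,99120,Sat May 11 09:55:02 2019
client_name_zzz,198.51.100.7:40021,1200,2100,Sat May 11 10:01:40 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,remote-pc-1,203.0.113.10:51234,Sat May 11 10:02:10 2019
10.8.0.10,client_name_zzz,198.51.100.7:40021,Sat May 11 10:02:00 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Assumed allow-list: the common names for which ./build-key was actually run.
EXPECTED_CLIENTS = {"remote-pc-1"}

SECTION_HEADERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")


def parse_status(text):
    """Split a status-version 1 file into its two tables.

    Returns (clients, routes): clients is a list of dicts, one per session in
    file order; routes is a list of (virtual_address, common_name, real_address).
    """
    clients, routes, section = [], [], None
    for line in text.splitlines():
        if line in SECTION_HEADERS:
            section = line
            continue
        fields = line.split(",")
        if section == "OpenVPN CLIENT LIST" and len(fields) == 5 and fields[0] != "Common Name":
            clients.append({
                "common_name": fields[0],
                "real_address": fields[1],
                "bytes_received": int(fields[2]),
                "bytes_sent": int(fields[3]),
                "connected_since": fields[4],
            })
        elif section == "ROUTING TABLE" and len(fields) == 4 and fields[0] != "Virtual Address":
            routes.append((fields[0], fields[1], fields[2]))
    return clients, routes


def audit(text, expected):
    """Return sorted ("unexpected", common_name, "<real address> -> <virtual addresses>")
    tuples for every session whose common name is not in the expected set."""
    clients, routes = parse_status(text)
    findings = []
    for c in clients:
        if c["common_name"] in expected:
            continue
        vaddrs = [v for v, cn, real in routes
                  if cn == c["common_name"] and real == c["real_address"]]
        findings.append(("unexpected", c["common_name"],
                         f"{c['real_address']} -> {','.join(vaddrs)}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, cn, detail in audit(STATUS_SAMPLE, EXPECTED_CLIENTS):
        print(f"{kind:10s} {cn:20s} {detail}")
```

On the Gateway the same audit can be run against the real file with open("/var/log/openvpn-status.log").read() in place of the sample.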
2.4.2 VPN Bridge (TAP)

Compared to the setting for a VPN tunnel, the bridged mode is activated first via "dev tapX". tapX is the tap device assigned in the Ethernet configuration, in our case tap0.

    dev tap0

Furthermore, no freely selectable VPN server network is assigned; instead, the server bridge that was configured in the network settings is specified (in the example, the address 192.168.0.200), together with an address range from which the VPN server can assign addresses to the clients, because with a bridge the client is "pulled" into the subnet of the server. Here it must be ensured that the address range does not overlap with the address range that the router assigns on the server side via DHCP. Otherwise duplicate IP addresses can occur.

    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220

So that clients are always allocated the same addresses again, the command "ifconfig-pool-persist ipp.txt" is added. This ensures that a client that dials in again gets its previous address from the address pool. The clients are thus indirectly assigned fixed IP addresses.

    ifconfig-pool-persist ipp.txt

Otherwise, compared to the configuration of a VPN tunnel, only the "push" commands are dropped. These are not needed, because the client is on the same subnet as the server. All other standard commands are used identically. The complete configuration file for the server as VPN bridge should then appear as follows:

    dev tap0
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    ifconfig-pool-persist ipp.txt
    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".
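The overlap warning above is easy to get wrong by hand, and the same kind of mistake (a TUN subnet that collides with the LAN) breaks the tunnel variant. The following added example (not from the whitepaper) reads the br0 stanza from /etc/network/interfaces and the server or server-bridge line from openvpn.conf and reports the conflicts: a TUN subnet overlapping the LAN, a server-bridge gateway that does not match br0, and a client pool that lies outside the subnet or overlaps the router's DHCP range. The sample files and the router DHCP range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the example values used in this whitepaper.
INTERFACES_SAMPLE = """\
auto br0
iface br0 inet static
    address 192.168.0.200
    netmask 255.255.255.0
    gateway 192.168.0.1
    bridge_ports eth0 eth1
"""

OPENVPN_TUN_SAMPLE = """\
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
"""

OPENVPN_TAP_SAMPLE = """\
dev tap0
server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220
ifconfig-pool-persist ipp.txt
"""

# Assumed DHCP range handed out by the site router (the whitepaper gives none).
ROUTER_DHCP_RANGE = ("192.168.0.100", "192.168.0.250")


def parse_bridge_interface(text):
    """Return the br0 address with its netmask as an ip_interface."""
    addr = re.search(r"^\s*address\s+(\S+)", text, re.M)
    mask = re.search(r"^\s*netmask\s+(\S+)", text, re.M)
    if not (addr and mask):
        raise ValueError("br0 stanza lacks address/netmask")
    return ipaddress.ip_interface(f"{addr.group(1)}/{mask.group(1)}")


def parse_openvpn_server(text):
    """Return ("tun", network) or ("tap", gateway_iface, pool_start, pool_end)."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "server" and len(parts) >= 3:
            return ("tun", ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
        if parts[0] == "server-bridge" and len(parts) >= 5:
            return ("tap", ipaddress.ip_interface(f"{parts[1]}/{parts[2]}"),
                    ipaddress.ip_address(parts[3]), ipaddress.ip_address(parts[4]))
    raise ValueError("no server / server-bridge directive found")


def check_address_plan(interfaces_text, openvpn_text, dhcp_range):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lan = parse_bridge_interface(interfaces_text)
    plan = parse_openvpn_server(openvpn_text)
    if plan[0] == "tun":
        # TUN: the virtual network is routed into the LAN, so it must not collide.
        if plan[1].overlaps(lan.network):
            problems.append(f"VPN subnet {plan[1]} overlaps LAN {lan.network}")
        return problems
    _, gw, pool_start, pool_end = plan
    # TAP: the gateway is br0 itself and the pool is carved out of the LAN.
    if gw.ip != lan.ip or gw.network != lan.network:
        problems.append(f"server-bridge {gw} does not match br0 {lan}")
    if pool_start > pool_end:
        problems.append(f"pool start {pool_start} is above pool end {pool_end}")
    for ip in (pool_start, pool_end):
        if ip not in lan.network:
            problems.append(f"pool address {ip} lies outside {lan.network}")
    dhcp_start, dhcp_end = (ipaddress.ip_address(a) for a in dhcp_range)
    if pool_start <= dhcp_end and dhcp_start <= pool_end:
        problems.append(f"pool {pool_start}-{pool_end} overlaps router DHCP range "
                        f"{dhcp_start}-{dhcp_end}")
    return problems


if __name__ == "__main__":
    for name, conf in (("TUN", OPENVPN_TUN_SAMPLE), ("TAP", OPENVPN_TAP_SAMPLE)):
        issues = check_address_plan(INTERFACES_SAMPLE, conf, ROUTER_DHCP_RANGE)
        print(name, "OK" if not issues else "; ".join(issues))
```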
2.5 Configuration Linux Firewall

A forwarding from the VPN to the local network and its Internet connection must be arranged in the firewall of the Raspberry Pi. The file "rpivpn" must be created as follows and adjusted according to the following chapter:

    sudo nano /etc/init.d/rpivpn

A header for a Linux init script is created by inserting the following comments:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO

2.5.1 VPN Tunnel (TUN)

In this variant, IP forwarding is first activated via the following command:

    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s

Next, a forwarding for VPN packets is created with the packet filter "iptables":

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT

Finally, the clients are granted access to the local network and to the Internet via the following commands. The VPN network 10.8.0.0/24 is the source of the traffic to be masqueraded and is therefore given with -s; -o names the outgoing interface br0:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The complete init file for the server as VPN tunnel should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.5.2 VPN Bridge (TAP)

In this case, the configuration is somewhat simpler: apart from IP forwarding, only the configured bridge is granted access to the local network and the Internet, via the following three lines.

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The complete init file for the server as VPN bridge should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s
    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

Alternatively, the configuration of the firewall can also be realized via scripts which are executed directly by OpenVPN, which makes a separate init script unnecessary. This variant is not considered in detail here.

2.5.3 Activate Init File

When the init file for the firewall configuration is completed, the required rights must be assigned to the file and the file must be installed as an init script. This is done with the following two commands:

    sudo chmod +x /etc/init.d/rpivpn
    sudo update-rc.d rpivpn defaults

Finally, the script must be executed and the OpenVPN server must be restarted:

    sudo /etc/init.d/rpivpn
    sudo /etc/init.d/openvpn restart

2.5.4 Statically Activate IP Forwarding

As an alternative to the command echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s, which temporarily activates IP forwarding on each system start, IP forwarding can also be activated permanently (statically). For this, the system file "sysctl.conf" must be opened:

    sudo nano /etc/sysctl.conf

The following line must then be activated by removing the comment character #:

    net.ipv4.ip_forward=1

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.6 Configuration OpenVPN Client

After the server has been configured, the configuration for the client must be created or correctly adapted. Although the configuration file can also be created directly on the client, creation on the server offers the advantage that the configurations for both the server and the client are always maintained in one place. First, root rights must be obtained again. Then the corresponding client file is opened, in our case "remote-pc-1".

    sudo su
    cd /etc/openvpn/easy-rsa/keys
    nano remote-pc-1.ovpn

The server address and the port through which the VPN server is accessible must be entered via the command "remote ...". This can be done either via a static public IP address or via a dynamic DNS provider, which updates the address if the Internet provider assigns a new one:

    remote xyz.dynDNSServer.com 1194   # or: remote <static IP> 1194

It is important that the client settings for "dev", "proto", "verb" and "script-security" correspond to those of the server. If "comp-lzo", "persist-key" and "persist-tun" are activated on the server, these must also be used on the client. The command "nobind" specifies that no local port binding is forced and that the local port can be arbitrary. The line "remote-cert-tls server" ensures that it is explicitly checked whether the remote certificate has the type server. The line "resolv-retry infinite" is added so that the DNS resolution is executed again after a server-side connection termination. In the client configuration, "dev tun" as opposed to "dev tap0" is the only difference between tunnel and bridge. The complete configuration files for the client are presented for both cases in the following chapters.

2.6.1 VPN Tunnel (TUN)

    client
    dev tun
    proto udp
    remote xyz.dynDNSServer.com 1194   # or: remote <static IP> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert remote-pc-1.crt
    remote-cert-tls server
    key remote-pc-1.key
    comp-lzo
    verb 3
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.6.2 VPN Bridge (TAP)

    client
    dev tap0
    proto udp
    remote xyz.dynDNSServer.com 1194   # or: remote <static IP> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert desktop-pc.crt
    remote-cert-tls server
    key desktop-pc.key
    comp-lzo
    verb 3
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.7 Generation and Export of Configuration Files for Clients

Finally, the configuration file for the client is collected together with the relevant keys and certificates in a ZIP file. If no ZIP package is installed on the Raspberry Pi yet, this can be done as follows:

    apt-get install zip

Next, the ZIP file is created per client as follows. Here it is important that the correct client name is used.

    zip /home/pi/remote-pc-1.zip ca.crt remote-pc-1.crt remote-pc-1.key remote-pc-1.ovpn

Finally, the file rights must be adjusted and the root session must be closed.

    chown pi:pi /home/pi/remote-pc-1.zip
    exit

The finished ZIP file can now be copied from the Raspberry Pi to the client via an FTP program such as FileZilla or via USB stick.

3 Configuration OpenVPN Client (Windows)

3.1 Installation OpenVPN

OpenVPN can be obtained directly from the homepage www.openvpn.net. For the test setup serving as an example, open source version 2.4.7 was used here. For use in a commercial application, the appropriate licenses and software packages can also be acquired via the OpenVPN homepage. After downloading the correct software, it can be installed directly on the client PC and is accessible afterwards as "OpenVPN GUI" via the start menu.

3.2 Configuration OpenVPN Client

After starting "OpenVPN GUI", the following symbol appears in the taskbar, which indicates that "OpenVPN" has started.

Figure 2: Taskbar symbol OpenVPN

First, the contents of the ZIP file which was copied from the server must be unpacked and stored in the configuration directory of OpenVPN. The OpenVPN directory that was created in the user folder must be used here, not the general directory in the program folder. The directory tree should look something like this:

    C:\Users\XYZ\OpenVPN\config\remote-pc-1

In the unpacked folder, the following four files for key, certificate, and configuration should be available:

Figure 3: Files OpenVPN Client

The desired configuration can now be selected from all registered configurations via right-clicking on the OpenVPN symbol in the taskbar. In the submenu that appears, the connection to the server can then be started, log information can be read, the password may be changed if necessary, or even the configuration file itself can be adjusted. If configuration changes are made on the server, either the new file from the server can be copied to the client or the existing file on the client can be adapted directly in parallel.

Figure 4: Options OpenVPN Client

3.3 Configuration TAP-Windows Adapter V9

The TAP-Windows Adapter V9 is a virtual network adapter which is already installed on many Windows computers and, if not, is installed with the installation of OpenVPN. OpenVPN builds the connection to the selected server via this adapter. In principle, the adapter can be configured the same as any other real network adapter. In the case of a VPN connection, however, the VPN server assigns the IP address configuration independently of the adapter's own settings. For the connection to a BG XX dPro PN and the use of the Drive Assistant, however, it is important that the adapter is assigned a fixed IP address in its normal settings and is not set to DHCP, otherwise it will not be recognized by the Drive Assistant. It does not matter which address is assigned, because it is overwritten as described.

4 General Network Settings & Connection Establishment

Before the connection can be established, a few general settings must be made on the server-side IT infrastructure and the mapping in the public IP address space must be ensured.

4.1 Activate Port Forwarding on Routers

On the router, or on all higher-level routers via which the OpenVPN server communicates with the Internet, the port forwarding of the VPN port (1194 in the example) must be activated so that VPN requests arriving at the router are forwarded to the server. Forwarding can be activated device-specifically for the individual gateway. The specific configuration depends on the router used, which is why the process is described here only in principle and not in detail.

4.2 Establishment of Dynamic DNS Server

So that the OpenVPN server can always be addressed, it must always be accessible at the identical address, even in the public IP address range. One possibility here would be to use a static public IP address; the other is a dynamic DNS provider, which ensures that even if the Internet provider assigns new addresses to the router (and thus also to the end devices) after 24 hours or after a disconnection, the VPN server still remains accessible under the same name. For this purpose, an account must first be opened with an appropriate provider, e.g. SecurePoint (www.spdyn.de), and the route to the server-side router must be registered. Afterwards, the corresponding dynamic DNS provider must also be registered on the router, so that it is notified when the addresses have changed and can follow the route. The specific configuration here depends on the router used and the selected dynamic DNS provider, which is why the procedure is described here only in principle and not in detail.

4.3 Building and Testing VPN Connection

If all settings have been made as described, the connection to the VPN server can be established. On the client, right-click on the OpenVPN symbol and select the correct configuration under the menu item "Connect". The OpenVPN symbol in the taskbar now turns yellow and a log window appears which displays the current status of the connection establishment. If no error occurs, the log window closes again automatically as soon as the connection has been successfully established, and the OpenVPN symbol in the taskbar turns green. The connection to the OpenVPN server has now been established.

As a first check, it makes sense to look at which IP address has been assigned to the virtual network adapter. For a VPN tunnel, the address must be in the range of the VPN server (10.8.0.X). For a VPN bridge, it must be an address from the free address pool of the VPN bridge and correspond to the network there. Finally, the connection can be tested using ping. It is recommended to ping the VPN server first. If it is reachable, the connection to the Gateway is already established. If the ping does not go through, it is recommended to first check the router and firewall settings, and then to ping a registered device in the VPN server's network. If this ping goes through, the VPN connection is fully functional. If the second ping does not go through, the recommendation is to first check the routing and the firewall settings on the VPN server.

5 Drive Assistant

No special settings need to be made in "Drive Assistant 5". If everything has been configured as a VPN bridge according to the instructions and the VPN connection is established, the "TAP-Windows Adapter V9" can be selected under Available Adapters for Connection Type "Industrial Ethernet", and after starting the Drive Search, drives located in the network are found. Since the "Drive Assistant 5" recognizes unknown motors via broadcast commands, it is important that the connection is implemented as a VPN bridge. If the IP address of the drive is permanently assigned and known, a VPN tunnel can be used. However, in this case the drive search does not work and the IP address of the motor must be entered permanently in the corresponding field.

Figure 5: Drive Assistant 5: Network Adapter Selection

Your contact for public relations: Janina Dietsche | janina.dietsche@ametek.com | Tel: +49 (0)7703/930-546
