4月 122021
 

 

包信息

[root@tinc ~]# dnf info tinc
Last metadata expiration check: 0:01:55 ago on Mon 12 Apr 2021 01:44:09 AM UTC.
Installed Packages
Name         : tinc
Version      : 1.0.36
Release      : 2.el8
Architecture : x86_64
Size         : 629 k
Source       : tinc-1.0.36-2.el8.src.rpm
Repository   : @System
From repo    : epel
Summary      : A virtual private network daemon
URL          : http://www.tinc-vpn.org/
License      : GPLv2+
Description  : tinc is a Virtual Private Network (VPN) daemon that uses tunnelling
             : and encryption to create a secure private network between hosts on
             : the Internet. Because the tunnel appears to the IP level network
             : code as a normal network device, there is no need to adapt any
             : existing software. This tunnelling allows VPN sites to share
             : information with each other over the Internet without exposing any
             : information to others.

[root@tinc ~]#

安装路径

[root@tinc ~]# rpm -lq tinc
/usr/lib/.build-id
/usr/lib/.build-id/ec
/usr/lib/.build-id/ec/f0a564e8d20e169bed52480a235992928751ed
/usr/lib/systemd/system/tinc.service
/usr/lib/systemd/system/tinc@.service
/usr/sbin/tincd
/usr/share/doc/tinc
/usr/share/doc/tinc/AUTHORS
/usr/share/doc/tinc/COPYING.README
/usr/share/doc/tinc/NEWS
/usr/share/doc/tinc/README
/usr/share/doc/tinc/THANKS
/usr/share/doc/tinc/sample-config
/usr/share/doc/tinc/sample-config/hosts
/usr/share/doc/tinc/sample-config/hosts/alpha
/usr/share/doc/tinc/sample-config/hosts/beta
/usr/share/doc/tinc/sample-config/rsa_key.priv
/usr/share/doc/tinc/sample-config/tinc-down
/usr/share/doc/tinc/sample-config/tinc-up
/usr/share/doc/tinc/sample-config/tinc.conf
/usr/share/doc/tinc/texinfo.tex
/usr/share/info/tinc.info.gz
/usr/share/licenses/tinc
/usr/share/licenses/tinc/COPYING
/usr/share/man/man5/tinc.conf.5.gz
/usr/share/man/man8/tincd.8.gz
[root@tinc ~]#

服务配置文件示例

https://www.tinc-vpn.org/documentation/Main-configuration-variables.html#Main-configuration-variables
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc.conf
# Sample tinc configuration file

# This is a comment.
# Spaces and tabs are eliminated.
# The = sign isn't strictly necessary any longer, though you may want
# to leave it in as it improves readability :)
# Variable names are treated case insensitive.

# The name of this tinc host. Required.
Name = alpha

# The internet host to connect with.
# Comment these out to make yourself a listen-only connection
# You must use the name of another tinc host.
# May be used multiple times for redundance.
ConnectTo = beta

# The tap device tinc will use.
# /dev/tap0 for ethertap, FreeBSD or OpenBSD
# /dev/tun0 for Solaris
# /dev/net/tun for Linux tun/tap
Device = /dev/net/tun
[root@tinc ~]#

主机配置文件示例

https://www.tinc-vpn.org/documentation/Host-configuration-variables.html#Host-configuration-variables
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/alpha
# Sample host configuration file

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.234.35.67

# Portnumber for incoming connections. Default is 655.
Port = 655

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.1.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/hosts/beta
# Sample host configuration file
# This file was generated by host beta.

# The real IP address of this tinc host. Can be used by other tinc hosts.
Address = 123.45.67.189

# Portnumber for incoming connections. Default is 655.
Port = 6500

# Subnet on the virtual private network that is local for this host.
Subnet = 192.168.2.0/24

# The public key generated by `tincd -n example -K' is stored here
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
[root@tinc ~]#

启动和停止脚本示例(使用ifconfig命令依赖net-tools包)

[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-up
#!/bin/sh
# This file sets up the tap device.
# It gives you the freedom to do anything you want with it.
# Use the correct name for the tap device:
# The environment variable $INTERFACE is set to the right name
# on most platforms, but if it doesn't work try to set it manually.

# Give it the right ip and netmask. Remember, the subnet of the
# tap device must be larger than that of the individual Subnets
# as defined in the host configuration file!
ifconfig $INTERFACE 192.168.1.1 netmask 255.255.0.0
[root@tinc ~]#
[root@tinc ~]# cat /usr/share/doc/tinc/sample-config/tinc-down
#!/bin/sh
# This file closes down the tap device.

ifconfig $INTERFACE down
[root@tinc ~]#

使用ip命令示例

#!/bin/sh
ip link set $INTERFACE up
ip addr add 10.0.0.1/32 dev $INTERFACE
ip route add 10.0.0.0/24 dev $INTERFACE
#!/bin/sh
ip route del 10.0.0.0/24 dev $INTERFACE
ip addr del 10.0.0.1/32 dev $INTERFACE
ip link set $INTERFACE down
1月 312020
 

n2n两种节点类型的命令参数参考

[root@host1 ~]# /usr/local/n2n/sbin/supernode --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

supernode <config file> (see supernode.conf)
or
supernode -l <lport> -c <path> [-v]

-l <lport> Set UDP main listen port to <lport>
-c <path> File containing the allowed communities.
-v Increase verbosity. Can be used multiple times.
-h This help message.

[root@host1 ~]#

 

[root@host1 ~]# /usr/local/n2n/sbin/edge --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

edge <config file> (see edge.conf)
or
edge -d <tun device> -a [static:|dhcp:]<tun IP address> -c <community> [-k <encrypt key>]
[-s <netmask>] [-u <uid> -g <gid>][-f][-T <tos>][-m <MAC address>] -l <supernode host:port>
[-p <local port>] [-M <mtu>] [-D] [-r] [-E] [-v] [-i <reg_interval>] [-L <reg_ttl>] [-t <mgmt port>] [-A] [-h]

-d <tun device> | tun device name
-a <mode:address> | Set interface address. For DHCP use '-r -a dhcp:0.0.0.0'
-c <community> | n2n community name the edge belongs to.
-k <encrypt key> | Encryption key (ASCII) - also N2N_KEY=<encrypt key>.
-s <netmask> | Edge interface netmask in dotted decimal notation (255.255.255.0).
-l <supernode host:port> | Supernode IP:port
-i <reg_interval> | Registration interval, for NAT hole punching (default 20 seconds)
-L <reg_ttl> | TTL for registration packet when UDP NAT hole punching through supernode (default 0 for not set )
-p <local port> | Fixed local UDP port.
-u <UID> | User ID (numeric) to use when privileges are dropped.
-g <GID> | Group ID (numeric) to use when privileges are dropped.
-f | Do not fork and run as a daemon; rather run in foreground.
-m <MAC address> | Fix MAC address for the TAP interface (otherwise it may be random)
| eg. -m 01:02:03:04:05:06
-M <mtu> | Specify n2n MTU of edge interface (default 1290).
-D | Enable PMTU discovery. PMTU discovery can reduce fragmentation but
| causes connections stall when not properly supported.
-r | Enable packet forwarding through n2n community.
-E | Accept multicast MAC addresses (default=drop).
-S | Do not connect P2P. Always use the supernode.
-T <tos> | TOS for packets (e.g. 0x48 for SSH like priority)
-v | Make more verbose. Repeat as required.
-t <port> | Management UDP Port (for multiple edges on a machine).

Environment variables:
N2N_KEY | Encryption key (ASCII). Not with -k.
[root@host1 ~]#
1月 312020
 

在三台主机上分别安装n2n并进行配置

host1:supernode/edge(192.168.172.1)
host2:edge(192.168.172.2)
host3:edge(192.168.172.3)
Community:linuxcache
Pre-Shared Key:5tgb6yhn7ujm

禁用防火墙

[root@host1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
[root@host1 ~]# systemctl stop firewalld
[root@host1 ~]#

安装工具

[root@host1 ~]# yum -y install git gcc automake

下载源代码

https://github.com/ntop/n2n.git

[root@host1 ~]# git clone https://github.com/ntop/n2n.git
Cloning into 'n2n'...
remote: Enumerating objects: 1572, done.
remote: Total 1572 (delta 0), reused 0 (delta 0), pack-reused 1572
Receiving objects: 100% (1572/1572), 970.16 KiB | 0 bytes/s, done.
Resolving deltas: 100% (858/858), done.
[root@host1 ~]#

编译安装

[root@host1 ~]# cd n2n/
[root@host1 n2n]# ./autogen.sh
[root@host1 n2n]# ./configure
[root@host1 n2n]# make
[root@host1 n2n]# make PREFIX=/usr/local/n2n/ install

配置host1节点supernode服务脚本

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_supernode.service
[Unit]
Description=n2n supernode
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/supernode -l 1200

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host1 ~]# systemctl enable n2n_supernode
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_supernode.service to /usr/lib/systemd/system/n2n_supernode.service.
[root@host1 ~]# systemctl start n2n_supernode
[root@host1 ~]#

配置host1节点edge服务脚本

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target n2n_supernode.service

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l localhost:1200 -c linuxcache -a 192.168.172.1 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host1 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host1 ~]# systemctl start n2n_edge
[root@host1 ~]#

查看host1接口信息

[root@host1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1e brd ff:ff:ff:ff:ff:ff
inet 144.202.116.133/23 brd 144.202.117.255 scope global dynamic eth0
valid_lft 84884sec preferred_lft 84884sec
inet6 fe80::5400:2ff:fe83:721e/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether de:23:7d:c9:85:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.1/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::dc23:7dff:fec9:85e0/64 scope link
valid_lft forever preferred_lft forever
[root@host1 ~]#

配置host2节点edge服务脚本

[root@host2 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.2 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host2 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host2 ~]# systemctl start n2n_edge
[root@host2 ~]#

查看host2接口信息

[root@host2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1f brd ff:ff:ff:ff:ff:ff
inet 149.28.93.246/23 brd 149.28.93.255 scope global dynamic eth0
valid_lft 78885sec preferred_lft 78885sec
inet6 fe80::5400:2ff:fe83:721f/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether ae:04:8c:77:da:be brd ff:ff:ff:ff:ff:ff
inet 192.168.172.2/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::ac04:8cff:fe77:dabe/64 scope link
valid_lft forever preferred_lft forever
[root@host2 ~]#

检测节点连通性(在host2主机上)

[root@host2 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=0.877 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=0.733 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=0.844 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=0.958 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.733/0.853/0.958/0.080 ms
[root@host2 ~]#

配置host3节点edge服务脚本

[root@host3 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.3 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host3 n2n]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host3 n2n]# systemctl start n2n_edge
[root@host3 n2n]#

查看host3接口信息

[root@host3 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:80:03 brd ff:ff:ff:ff:ff:ff
inet 45.32.224.80/22 brd 45.32.227.255 scope global dynamic eth0
valid_lft 78416sec preferred_lft 78416sec
inet6 fe80::5400:2ff:fe83:8003/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether d2:31:7d:96:46:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.3/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::d031:7dff:fe96:4641/64 scope link
valid_lft forever preferred_lft forever
[root@host3 ~]#

检测节点连通性(在host3主机上)

[root@host3 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=59.0 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=25.9 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=27.2 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/34.564/59.058/14.150 ms
[root@host3 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=52.1 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=25.9 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/32.542/52.115/11.301 ms
[root@host3 ~]#

检测节点连通性(在host1主机上)

[root@host1 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=0.666 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=0.840 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=0.921 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.666/0.964/1.432/0.287 ms
[root@host1 ~]# ping -c 4 192.168.172.3
PING 192.168.172.3 (192.168.172.3) 56(84) bytes of data.
64 bytes from 192.168.172.3: icmp_seq=1 ttl=64 time=33.4 ms
64 bytes from 192.168.172.3: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.3: icmp_seq=3 ttl=64 time=26.3 ms
64 bytes from 192.168.172.3: icmp_seq=4 ttl=64 time=25.8 ms

--- 192.168.172.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 25.859/27.923/33.456/3.202 ms
[root@host1 ~]#
1月 292020
 

基于OpenVPN使用预共享密钥加密的点到点VPN解决方案

安装依赖库EPEL及net-tools工具

[root@host1 ~]# yum -y install epel-release.noarch net-tools

[root@host2 ~]# yum -y install epel-release.noarch net-tools

安装openvpn软件包

[root@host1 ~]# yum -y install openvpn

[root@host2 ~]# yum -y install openvpn

配置防火墙,在两台主机开放UDP8443端口作为专用通信端口

[root@host1 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]#

[root@host2 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host2 ~]# firewall-cmd --reload
success
[root@host2 ~]#

生成host1配置文件

[root@host1 ~]# vi /etc/openvpn/host1.conf
proto udp
mode p2p
remote 149.28.93.246
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.1 172.16.100.2
secret /etc/openvpn/p2p.key

生成预共享密钥文件并复制到host2主机相应目录

[root@host1 ~]# openvpn --genkey --secret /etc/openvpn/p2p.key
[root@host1 ~]# cat /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----
[root@host1 ~]#

生成host2配置文件

[root@host2 ~]# vi /etc/openvpn/hosts2.conf
proto udp
mode p2p
remote 144.202.116.133
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.2 172.16.100.1
secret /etc/openvpn/p2p.key

[root@host2 ~]# vi /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----

启动host1上的OpenVPN服务并加载指定配置文件

[root@host1 ~]# nohup openvpn --config /etc/openvpn/host1.conf &
[1] 1913
[root@host1 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host1 ~]# cat nohup.out
Fri Jan 31 03:25:47 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:25:47 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:25:47 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:25:47 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:25:47 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:25:47 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:25:47 2020 /sbin/ip addr add dev tun0 local 172.16.100.1 peer 172.16.100.2
Fri Jan 31 03:25:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]149.28.93.246:8443
Fri Jan 31 03:25:47 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:25:47 2020 UDP link remote: [AF_INET]149.28.93.246:8443
[root@host1 ~]#

查看host1接口信息及端口监听信息

启动host2上的OpenVPN服务并加载指定配置文件

[root@host2 ~]# nohup openvpn --config /etc/openvpn/hosts2.conf &
[1] 1741
[root@host2 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host2 ~]# cat nohup.out
Fri Jan 31 03:28:03 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:28:03 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:28:03 2020 WARNING: file '/etc/openvpn/p2p.key' is group or others accessible
Fri Jan 31 03:28:03 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:28:03 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:28:03 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:28:03 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:28:03 2020 /sbin/ip addr add dev tun0 local 172.16.100.2 peer 172.16.100.1
Fri Jan 31 03:28:03 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]144.202.116.133:8443
Fri Jan 31 03:28:03 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:28:03 2020 UDP link remote: [AF_INET]144.202.116.133:8443
[root@host2 ~]#

查看host2接口信息及端口监听信息


在两台主机上分别ping对端隧道IP地址