The architecture is as follows:
--- OpenVPN server setup and deployment
1. Installation procedure on the OpenVPN-1 server
(1) Add the EPEL repository
[root@ShangHai-VPN-1 ~]# yum install epel-release
(2) Install OpenVPN
[root@ShangHai-VPN-1 ~]# yum install openvpn lzo-devel easy-rsa -y
(3) Copy the sample server configuration file
[root@ShangHai-VPN-1 ~]# cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
(4) Generate the server certificate and key with easy-rsa
[root@ShangHai-VPN-1 ~]# cp -R /usr/share/easy-rsa/ /etc/openvpn
[root@ShangHai-VPN-1 ~]# cd /etc/openvpn/easy-rsa/2.0/
# The vars file is modified as follows
[root@ShangHai-VPN-1 2.0]# egrep -v '^$|^#' vars
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="BeiJing"
export KEY_ORG="example.com"
export KEY_EMAIL="my@example.com"
export KEY_OU="www.example.com"
export KEY_NAME="EasyRSA"
# Initialize the PKI
[root@ShangHai-VPN-1 2.0]# source vars
[root@ShangHai-VPN-1 2.0]# ./clean-all
# Generate the CA certificate
[root@oShangHai-VPN-1 2.0]# ./build-ca
Generating a 2048 bit RSA private key
..............................+++
................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) [example.com]:
Organizational Unit Name (eg, section) [www.example.com]:
Common Name (eg, your name or your server's hostname) [example.com CA]:
Name [EasyRSA]:
Email Address [my@example.com]:
# Generate the server certificate
[root@oShangHai-VPN-1 2.0]# ./build-key-server server
Generating a 2048 bit RSA private key
....................+++
....................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: [press Enter]
State or Province Name (full name) :[press Enter]
Locality Name (eg, city) :[press Enter]
Organization Name (eg, company) [example.com]:[press Enter]
Organizational Unit Name (eg, section) [www.example.com]:[press Enter]
Common Name (eg, your name or your server's hostname) [server]:[press Enter]
Name [EasyRSA]:[press Enter]
Email Address [my@example.com]:[press Enter]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[press Enter]
An optional company name []:[press Enter]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'example.com'
organizationalUnitName:PRINTABLE:'www.example.com'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'my@example.com'
Certificate is to be certified until Jul 18 03:07:04 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the Diffie-Hellman parameters (build-dh produces dh2048.pem, not a server key)
[root@oShangHai-VPN-1 2.0]# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
........................+............................................................................................+...........................+.............................................+........................+...................................................................................................................+........+.............................................+...............................................................................................................+..............++*++*
(5) Generate the client certificate and key
[root@ShangHai-VPN-1 2.0]# ./build-key client
Generating a 2048 bit RSA private key
......+++
.......................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:[press Enter]
State or Province Name (full name) :[press Enter]
Locality Name (eg, city) :[press Enter]
Organization Name (eg, company) [example.com]:[press Enter]
Organizational Unit Name (eg, section) [www.example.com]:[press Enter]
Common Name (eg, your name or your server's hostname) [client]:[press Enter]
Name [EasyRSA]:[press Enter]
Email Address [my@example.com]:[press Enter]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[press Enter]
An optional company name []:[press Enter]
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'BJ'
localityName          :PRINTABLE:'BeiJing'
organizationName      :PRINTABLE:'example.com'
organizationalUnitName:PRINTABLE:'www.example.com'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'my@example.com'
Certificate is to be certified until Jul 18 03:09:14 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(6) Copy the four required files to the OpenVPN configuration directory
[root@oShangHai-VPN-1 2.0]# cp keys/{dh2048.pem,ca.crt,server.crt,server.key} /etc/openvpn/
(7) Edit the server configuration file
[root@ShangHai-VPN-1 2.0 ~]# egrep -v '^;|^#|^$' /etc/openvpn/server.conf
# Public IP address the server listens on
local 192.168.64.129
port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
# Address pool handed out to VPN clients
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Local private subnet that VPN clients are allowed to reach
push "route 172.16.65.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
max-clients 300
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
mute 10
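The configuration in step (7) keeps `duplicate-cn`, `client-to-client` and `comp-lzo` enabled and carries no `tls-auth`/`tls-crypt` or `crl-verify` line. The script below is an added example and not part of the original post: it embeds the effective server.conf from step (7) as a constructed sample, flags those directives from a defender's point of view, and places a hardened variant next to it that passes the same audit (the `ta.key` and `crl.pem` file names in the hardened variant are placeholders). It assumes only POSIX sh plus awk and grep.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenVPN server.conf
# for directives that weaken the deployment described in the tutorial.
# Assumes POSIX sh, awk and grep; both configs below are constructed inline.

# Constructed sample: the effective server.conf from step (7) of the post.
SAMPLE_CONF='local 192.168.64.129
port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.65.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
max-clients 300
user nobody
group nobody
persist-key
persist-tun
verb 3'

# Constructed hardened variant: one cert per client (no duplicate-cn), no
# compression, clients isolated, HMAC-protected control channel, CRL checked.
# ta.key and crl.pem are placeholder file names.
HARDENED_CONF='local 192.168.64.129
port 11194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-crypt ta.key
crl-verify crl.pem
server 10.10.10.0 255.255.255.0
push "route 172.16.65.0 255.255.255.0"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
verb 3'

# has_directive CONF NAME: succeeds if NAME is the first word of some line.
# A commented-out "# tls-auth" therefore does not count as present.
has_directive() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == d { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_conf CONF: prints one finding per line; prints nothing for a clean
# config. Always returns 0 so callers can count lines instead of exit codes.
audit_conf() {
    conf=$1
    if has_directive "$conf" duplicate-cn; then
        echo "duplicate-cn: several clients may share one certificate; per-user accountability is lost and revoking the cert cuts off all of them"
    fi
    if has_directive "$conf" client-to-client; then
        echo "client-to-client: VPN clients can reach each other through the server, bypassing host firewalls; remove unless required"
    fi
    if has_directive "$conf" comp-lzo; then
        echo "comp-lzo: compression inside the tunnel enables compression-oracle attacks (VORACLE); disable it"
    fi
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "no tls-auth/tls-crypt: control channel has no HMAC pre-shared key, so unauthenticated packets reach the TLS stack"
    fi
    if ! has_directive "$conf" crl-verify; then
        echo "no crl-verify: revoked client certificates are still accepted"
    fi
    if ! has_directive "$conf" user || ! has_directive "$conf" group; then
        echo "no user/group: the daemon keeps root privileges after startup"
    fi
    return 0
}

# Usage: audit the tutorial's config, then the hardened one.
echo "== step (7) config =="; audit_conf "$SAMPLE_CONF"
echo "== hardened config =="; audit_conf "$HARDENED_CONF"
```

Run against the step (7) configuration the script reports five findings; against the hardened variant it reports none. After changing the file, `openvpn --config /etc/openvpn/server.conf` still has to be restarted for the new directives to take effect.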
(8) Enable IP forwarding
[root@oShangHai-VPN-1 2.0]# sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
(9) Configure the firewall: open the port and set up NAT
[root@oShangHai-VPN-1 2.0]# iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j SNAT --to-source 172.16.65.128
[root@oShangHai-VPN-1 2.0]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 11194 -j ACCEPT
[root@oShangHai-VPN-1 2.0]# /etc/init.d/iptables save
iptables:将防火墙规则保存到 /etc/sysconfig/iptables:         [确定]
[root@oShangHai-VPN-1 2.0]# /etc/init.d/iptables restart
iptables:将链设置为政策 ACCEPT:filter nat                  [确定]
iptables:清除防火墙规则:                                     [确定]
iptables:正在卸载模块:                                       [确定]
iptables:应用防火墙规则:                                     [确定]
(10) Start OpenVPN [if it fails to start, check the log]
[root@oShangHai-VPN-1 2.0]# /etc/init.d/openvpn start
正在启动

How to Write Filters in Exchange PowerShell

This article briefly covers how Filter is used in Exchange PowerShell, although I suspect that readers who finish it may well end up not using it... Still, it is a new option, and worth learning about.

First, let's look at some output to see which Get-User attributes are available for filtering in Exchange 2010:

[PS] E:\>Get-User zhangpengliang|select *
正在创建新会话来隐式远程处理"Get-User"命令...
RunspaceId : 2429e504-c00b-4f51-8725-a65e35221181
IsSecurityPrincipal : True
SamAccountName : zhangpengliang
Sid : S-1-5-21-2564635362-2982989232-1758174225-30968
SidHistory : {}
UserPrincipalName : zhangpengliang@tech.xxxx.com
ResetPasswordOnNextLogon : False
CertificateSubject : {}
RemotePowerShellEnabled : True
WindowsLiveID :
NetID :
UserAccountControl : PasswordNotRequired, NormalAccount, DoNotExpirePassword
OrganizationalUnit : tech.xxxx.com/IT支持部
IsLinked : False
LinkedMasterAccount :
AssistantName :
City :
Company : xxxx
CountryOrRegion :
Department : x
DirectReports : {}
DisplayName : 张鹏亮
Fax :
FirstName : 鹏亮
HomePhone :
Initials :
LastName : 张
Manager : tech.xxxx.com/xxxxxxxx
MobilePhone : 15134234
Notes :
Office : xxx-xxx-IT支持部
OtherFax : {}
OtherHomePhone : {}
OtherTelephone : {}
Pager :
Phone : 0000
PhoneticDisplayName :
PostalCode :
PostOfficeBox : {}
RecipientType : UserMailbox
RecipientTypeDetails : UserMailbox
SimpleDisplayName :
StateOrProvince : 北京
StreetAddress :
Title : 运维工程师
UMDialPlan :
UMDtmfMap : {emailAddress:975, reversedPhone:0000, reversedPhone:23879001151, lastNameFirstName:, firstNameLastName:}
AllowUMCallsFromNonUsers : SearchEnabled
WebPage :
TelephoneAssistant :
WindowsEmailAddress : zpl@yiche.com
UMCallingLineIds : {}
SeniorityIndex :
VoiceMailSettings : {}
IsValid : True
ExchangeVersion : 0.10 (14.0.100.0)
Name : 张鹏亮
DistinguishedName : CN=张鹏亮,OU=公司,DC=tech,DC=xxxx,DC=com
Identity : tech.xxxx.com/xxxxx/张鹏亮
Guid : 45fd2d82-cee5-49f7-bf3a-5d2cf93923ef
ObjectCategory : tech.xxxx.com/Configuration/Schema/Person
ObjectClass : {top, person, organizationalPerson, user}
WhenChanged : 2015/7/13 15:07:38
WhenCreated : 2011/5/20 17:50:05
WhenChangedUTC : 2015/7/13 7:07:38
WhenCreatedUTC : 2011/5/20 9:50:05
OrganizationId :
OriginatingServer : IDCDC01.tech.xxxx.com

That's a lot of attributes, right? To pick out particular users or particular information, my habit has always been to use the pipeline. But the pipeline has one big problem: it is inefficient.
Microsoft states that Get-User supports querying with the Filter parameter. So what is a Filter query?
Strictly speaking, what is used here is actually an improved form of the OPath query syntax.
Let's look at how it is written: the syntax is quite friendly and, in terms of readability, close to natural language.
Some may feel that this is already complicated and hardly counts as simple, but do you know what the LDAP query for a user named aa looks like?
(&(&((&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(anr=aa*)))
Having seen that ugly mess of a query above, do you still think the OPath filter is cumbersome?
That said, in actual testing the filter did not work well. Perhaps my skills are limited, but some queries returned no results, whereas the pipeline had no problem.
For example, this one returns results without any issue:
Get-User -OrganizationalUnit tech.xxxx.com -Filter {Title -like '*经理*'}
But the following one is problematic and returns nothing:
Get-User -OrganizationalUnit xxxx -Filter {distinguishedName -like '*支持*'}
The two look functionally similar, but the filter syntax is considerably more complex than piping. When the pipeline cannot help, we now have an extra option; but when piping works, piping is generally still the way to go.
This article is from the blog "九叔-微软私有云"; please keep this attribution: http://jiushu.blog.51cto.com/972756/1676800