A Simple Vyatta Configuration for Office Internet Access
2014-02-18 14:37:45 阿炯

This article is a set of notes on configuring Vyatta in a company environment and records the basic operation of the software router. Some commands changed after version 6.4; the examples here use the latest version. After logging in, type 'configure' to enter configuration mode and 'exit' to leave it. 'commit' submits the changes you have made to the system and makes them take effect, and 'save' writes the current configuration to disk so that it is not lost after a reboot. 'exit discard' forces an exit without saving the current configuration, but that configuration is still in effect; to undo what you were working on you still have to use 'delete' statements.

Installation

Download the ISO, burn it, install the system and reboot.

Initial setup

Set the host name and IP addresses and enable SSH. Note: anything in <...> stands for a value from your actual environment.

configure
set interfaces ethernet eth0 address <ipaddress>/<prefix-length>
set interfaces ethernet eth1 address <ipaddress>/<prefix-length>
set system gateway-address <gw-ipaddress>
set system name-server <dns-ipaddress>
set service ssh
set service ssh protocol-version v2
set system host-name <hostname>
commit
save

The basic host functions are now in place, and you can log in over SSH from a directly connected network.

DNS service configuration

This forwards DNS requests sent to this host to the DNS servers configured on the host itself (/etc/resolv.conf).
set service dns forwarding listen-on eth0
set service dns forwarding system
commit
save

Make some DNS records static (similar to DNS hijacking, mainly for development use); naturally this can only be a simple setup (similar to editing the system hosts file).

set system static-host-mapping host-name <hostname> inet <ip-address>
commit
save

NAT configuration

On 6.4, configure packet forwarding so that packets coming from eth1 (LAN, internal network) leave through eth0 with IP masquerading.

set nat source rule 1 source address 192.168.10.0/24
set nat source rule 1 outbound-interface eth0
set nat source rule 1 translation address masquerade

(Method for versions before 6.4)
set service nat rule 1
set service nat rule 1 outbound-interface eth0
set service nat rule 1 protocol all
set service nat rule 1 source address <subnet-to-nat>/<prefix-length>
set service nat rule 1 type masquerade
set service nat rule 1 destination address 0.0.0.0/0    # go straight out via the default gateway
commit

Port forwarding

On 6.4 this is used to expose services on internal machines to the outside, so that users on the Internet can reach applications on the company LAN.

'nat-side-port' is the port on the router.
set nat destination rule 200 destination port <nat-side-port>
set nat destination rule 200 inbound-interface eth0
set nat destination rule 200 translation address <destination-host-ip>
set nat destination rule 200 translation port <destination-host-port>
set nat destination rule 200 protocol tcp
commit
save

(Method for versions before 6.4)
set service nat rule 200 destination port <nat-side-port>
set service nat rule 200 inbound-interface eth0
set service nat rule 200 inside-address address <destination-host-ip>
set service nat rule 200 inside-address port <destination-host-port>
set service nat rule 200 protocol tcp
set service nat rule 200 type destination
commit
save

DHCP server configuration

Set the IPv4 address range: <subnet-to-serve> is the IP range to hand out (192.168.0.0) and <prefix-length> is the subnet mask length of that range (usually 24).

set service dhcp-server shared-network-name freeoa
set service dhcp-server shared-network-name freeoa authoritative disable
set service dhcp-server shared-network-name freeoa subnet <subnet-to-serve>/<prefix-length>
set service dhcp-server shared-network-name freeoa subnet <subnet-to-serve>/<prefix-length> default-router <gateway>
set service dhcp-server shared-network-name freeoa subnet <subnet-to-serve>/<prefix-length> dns-server <dns-server-ip>
set service dhcp-server shared-network-name freeoa subnet <subnet-to-serve>/<prefix-length> dns-server <secondary-dns-server>
set service dhcp-server shared-network-name freeoa subnet <subnet-to-serve>/<prefix-length> start <start-ip> stop <end-ip>
set service dhcp-server disabled false
commit
save

Assign a fixed IP address to a specific host, i.e. bind a MAC address to an IP:
set service dhcp-server shared-network-name freeoa subnet <subnet-to-serve>/<prefix-length> static-mapping <some-name> ip-address <ip-address>
set service dhcp-server shared-network-name freeoa subnet <subnet-to-serve>/<prefix-length> static-mapping <some-name> mac-address <mac-address>

OpenVPN configuration

Generate the key files; the easy-rsa scripts are first copied into '/etc/openvpn'.

vyatta@vyatta01# su -
root@vyatta01:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/

Add the basic information for building the SSL key files to the 'vars' file.

root@vyatta01:/etc/openvpn#nano vars
export KEY_COUNTRY="NO"
export KEY_PROVINCE="NA"
export KEY_CITY="Oslo"
export KEY_ORG="freeoa"
export KEY_EMAIL="me@freeoa.com"

Before starting the build, load the variables and clear out the old key state.

root@vyatta01:/etc/openvpn#source ./vars
root@vyatta01:/etc/openvpn#./clean-all

Create the certificate authority (CA) certificate:

root@vyatta01:/etc/openvpn#./build-ca

Create a key and certificate for the vyatta router. Accept defaults and enter a password when prompted:

root@vyatta01:/etc/openvpn# ./build-key-server vyatta01

Create a Diffie-Hellman parameter file:

root@vyatta01:/etc/openvpn#./build-dh

Create a client key. Change the client name to reflect your client:

root@vyatta01:/etc/openvpn# ./build-key client

The resulting files are as follows:

root@vyattaHome:/etc/openvpn# ls keys/
01.pem    ca.key        index.txt.attr    client.crt  serial        vyatta01.csr
02.pem    dh1024.pem  index.txt.attr.old    client.csr  serial.old      vyatta01.key
ca.crt    index.txt   index.txt.old    client.key  vyatta01.crt

Once the key files are in place, configure OpenVPN in Vyatta as follows. Note that the commands below read the CA certificate, server certificate, key and DH file from /config/auth/keys, while easy-rsa wrote them to /etc/openvpn/keys, so copy them there first.

set interfaces openvpn vtun0
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha1
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server push-route 192.168.0.0/24    # the local subnet
set interfaces openvpn vtun0 server subnet 10.12.12.0/29
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/keys/vyatta01.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh1024.pem
set interfaces openvpn vtun0 tls key-file /config/auth/keys/vyatta01.key
commit
save

VPN client configuration

Download the key files generated above to the client machine; Debian is used as the example below.

sysadm@debian:~$mkdir -p openvpn/keys
sysadm@debian:~$cd openvpn/keys/
sysadm@debian:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/ca.crt .
Welcome to Vyatta
vyatta@vyatta01's password:
ca.crt                                            100% 1131     1.1KB/s   00:00    
sysadm@debian:~/openvpn/keys$ scp vyatta@vyatta01:/etc/openvpn/keys/client.* .
Welcome to Vyatta
vyatta@vyatta01's password:
client.crt                                      100% 3615     3.5KB/s   00:00    
client.csr                                      100%  692     0.7KB/s   00:00    
client.key                                      100%  891     0.9KB/s   00:00    
sysadm@debian:~/openvpn/keys$

DynDNS (dynamic DNS) configuration

Configure the DynDNS service on the external (WAN) interface, so that users without a fixed IP address can easily find the dial-up host's IP through its host name.

set service dns dynamic interface eth0 service dyndns host-name <host-name.domain>
set service dns dynamic interface eth0 service dyndns login <username>                    
set service dns dynamic interface eth0 service dyndns password <password>
commit
save

Check the DynDNS status

show dns dynamic status                   #Display status
update dns dynamic interface <interface>  #force update DynDNS record

Other

View the running configuration
From configuration mode:
run show configuration

List the configuration as commands, without the '{}' nesting:
show configuration commands
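As an added example (not part of the original article), the POSIX shell script below audits a 'show configuration commands' dump for three points raised in the sections above: SSH pinned to protocol version 2, the DNS forwarder not listening on the Internet-facing interface, and every port-forwarding rule restricted to a protocol. It assumes, as the NAT section does, that eth0 is the WAN side, and it works on a constructed sample dump rather than a live router.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Vyatta
# "show configuration commands" dump for hardening points the article touches.
# WAN_IF is an assumption: the article uses eth0 as the Internet-facing side.
WAN_IF="eth0"

# Constructed sample dump mirroring the article's configuration.
SAMPLE_CONFIG='set interfaces ethernet eth0 address 203.0.113.10/24
set interfaces ethernet eth1 address 192.168.10.1/24
set service ssh protocol-version v2
set service dns forwarding listen-on eth0
set service dns forwarding system
set nat source rule 1 source address 192.168.10.0/24
set nat source rule 1 outbound-interface eth0
set nat source rule 1 translation address masquerade
set nat destination rule 200 destination port 8080
set nat destination rule 200 inbound-interface eth0
set nat destination rule 200 translation address 192.168.10.50
set nat destination rule 200 translation port 80
set nat destination rule 200 protocol tcp
set nat destination rule 201 destination port 3389
set nat destination rule 201 inbound-interface eth0
set nat destination rule 201 translation address 192.168.10.51'

# audit_config CONFIG: prints one FINDING line per problem and returns
# the number of findings as its exit status (0 means clean).
audit_config() {
    cfg="$1"
    findings=0
    # SSH should be pinned to protocol version 2 (as the initial setup does).
    if ! printf '%s\n' "$cfg" | grep -q '^set service ssh protocol-version v2$'; then
        echo "FINDING: ssh protocol-version v2 is not set"
        findings=$((findings + 1))
    fi
    # The forwarder should listen on the LAN only; on the WAN it is an open resolver.
    if printf '%s\n' "$cfg" | grep -q "^set service dns forwarding listen-on ${WAN_IF}\$"; then
        echo "FINDING: dns forwarding listens on WAN interface ${WAN_IF}"
        findings=$((findings + 1))
    fi
    # Each port-forwarding rule should name a protocol; otherwise it matches them all.
    for rule in $(printf '%s\n' "$cfg" | sed -n 's/^set nat destination rule \([0-9][0-9]*\) .*/\1/p' | sort -un); do
        if ! printf '%s\n' "$cfg" | grep -q "^set nat destination rule ${rule} protocol "; then
            echo "FINDING: destination NAT rule ${rule} has no protocol restriction"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
audit_config "$SAMPLE_CONFIG" || echo "$? finding(s) in the sample configuration"
```

On the sample the script reports the forwarder listening on eth0 and rule 201 lacking a protocol; run it against a real dump with the router's actual WAN interface name.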

References

http://bahjons.com/stuff/vyatta-my-basic-setup-guide