- Setting up OpenVPN Server in routed mode
- Setting up OpenVPN Server in bridged mode
- Setting up OpenVPN Server in routed mode + password authentication + MySQL
- Setting up OpenVPN Server in routed mode + password authentication + TEXT/POP3
- Setting up OpenVPN Server in routed mode + password authentication + RADIUS
- Setting up OpenVPN site to site
- Other OpenVPN configuration options
- OpenVPN configuration parameters explained
- Appendix
OpenVPN Server Setup Explained
Environment overview:
Server: CentOS 5.2; Client: XP SP2
Other software: openvpn-2.0.9.tar.gz
openvpn-2.0.9-gui-1.0.3-install.exe
lzo-2.03.tar.gz
openssl (as shipped with CentOS 5.2)
NTRadPing.exe (RADIUS test tool)
pam_mysql-0.7RC1.tar.gz
radiusplugin_v2.0c.tar.gz
libgcrypt-1.2.4.tar.gz
libgpg-error-1.5.tar.bz2
All tests were done on VMware Workstation 5.5.1.
- (1) Setting up OpenVPN Server in routed mode
Goal: set up an OpenVPN server so that employees on business trips can conveniently reach the shared resources on the company LAN.
Network environment:
Basic OpenVPN server settings: routed connection mode, certificate-based authentication, and a tun virtual device (more efficient than tap).
- 1. Install CentOS
I will not describe this step in detail.
Note: disable SELinux and iptables (the firewall rules are set up later, in step 4).
- 2. Install OpenVPN
- a) Check whether openssl is installed (most systems already ship it).
[root@localhost ~]# whereis openssl
If your system does not have the OpenSSL library, you need to download and install it.
- b) Install lzo
If you want to use the compression feature of VPN connections, or want to install OpenVPN as an RPM package, install the LZO library.
Download: http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
Extract it into /root/Scripts; all the software used later is stored in this directory as well.
gzip -cd lzo-2.03.tar.gz | tar -xvf -
cd lzo-2.03
./configure
make
make install
If you use Linux 2.2 or earlier, download the TUN/TAP driver. For Linux 2.4.7 and later the TUN/TAP driver is bundled with the kernel. Users of Linux 2.4.0 to 2.4.6 should read the remarks at the end of the INSTALL file.
- c) Install OpenVPN from the tarball
Now download the latest OpenVPN release: http://openvpn.net/release/openvpn-2.0.9.tar.gz
Extract it: gzip -dc openvpn-2.0.9.tar.gz | tar xvf -
cd openvpn-2.0.9
./configure
make
make install
If you did not download the LZO library, add --disable-lzo to the configure command. Other options can be enabled as well, for example pthread (./configure --enable-pthread), which improves the responsiveness of SSL/TLS dynamic key exchange. The command
./configure --help
lists all configuration options.
- d) Configure the TUN/TAP driver
One-time configuration
If you use Linux 2.4.7 or later, the TUN/TAP driver is already bundled with the kernel. You can confirm this with:
locate if_tun.h
This should print something like /usr/include/linux/if_tun.h.
For Linux 2.4.7 or later, if you installed from the tarball, run the following command to create the TUN/TAP device node (skip this step if you installed from RPM, since the RPM creates the node for you):
mknod /dev/net/tun c 10 200
If you use Linux 2.2, obtain version 1.1 of the TUN/TAP kernel module and follow its installation instructions.
Configuration that must be repeated after every boot
On Linux, before using OpenVPN (or any program that uses TUN/TAP devices) the TUN/TAP kernel module must be loaded:
modprobe tun
and IP forwarding must be enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
a) Generate certificates and keys
Set the environment variables
[root@openvpn ~]# vi /root/.bash_profile   and append the following (adjust the values to your situation):
D=/root/Scripts/openvpn-2.0.9/easy-rsa
KEY_CONFIG=$D/openssl.cnf
KEY_DIR=$D/keys
KEY_SIZE=1024
KEY_COUNTRY=CN
KEY_PROVINCE=GD
KEY_CITY=DG
KEY_ORG="ld"
KEY_EMAIL="colin_xia@luckydragongroup.com"
export KEY_CONFIG KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL D
Also paste the same lines directly into the console.
[root@openvpn ~]# echo $D   confirms that the variable is in effect
[root@localhost local]# cd /root/Scripts/openvpn-2.0.9/easy-rsa/
Initialize the PKI. Code:
./clean-all
./build-ca
Generating a 1024 bit RSA private key
....................................................++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [DG]:
Organization Name (eg, company) [ld]:
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:colin
Email Address [colin_xia@luckydragongroup.com]:
# Build the server key. Code:
./build-key-server server
Generating a 1024 bit RSA private key
..................++++++
..........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [DG]:
Organization Name (eg, company) [ld]:
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server
Email Address [colin_xia@luckydragongroup.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/Scripts/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'DG'
organizationName :PRINTABLE:'ld'
organizationalUnitName:PRINTABLE:'it'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'colin_xia@luckydragongroup.com'
Certificate is to be certified until Nov 6 18:18:13 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Generate the client key. Code:
./build-key client1
Generating a 1024 bit RSA private key
......++++++
...........................................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [GD]:
Locality Name (eg, city) [DG]:
Organization Name (eg, company) [ld]:
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:client1 # Important: every client certificate must be given a different name.
Email Address [colin_xia@luckydragongroup.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/Scripts/openvpn-2.0.9/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GD'
localityName :PRINTABLE:'DG'
organizationName :PRINTABLE:'ld'
organizationalUnitName:PRINTABLE:'it'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'colin_xia@luckydragongroup.com'
Certificate is to be certified until Nov 6 18:18:36 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the other client certificates/keys in the same way. Code:
./build-key client2
./build-key client3
Note: at the Common Name (eg, your name or your server's hostname) []: prompt, each certificate must be given a different name.
Create the Diffie-Hellman parameters. Diffie-Hellman strengthens security and is mandatory in OpenVPN. Code:
./build-dh
Generate ta.key:
openvpn --genkey --secret ta.key
Package all files under keys and download them to the local machine (except the CA key, which must be kept separately).
b) Create the OpenVPN server configuration file
vi /usr/local/etc/server.conf
port 2194
proto udp
dev tun
server 10.9.0.0 255.255.255.0
push "route 172.18.2.0 255.255.255.0"
push "dhcp-option DNS 172.18.2.23"
push "dhcp-option DNS 202.96.128.86"
ifconfig-pool-persist /usr/local/etc/ipp.txt
ca /usr/local/etc/keys/ca.crt
cert /usr/local/etc/keys/server.crt
key /usr/local/etc/keys/server.key
dh /usr/local/etc/keys/dh1024.pem
tls-auth /usr/local/etc/keys/ta.key 0
keepalive 10 120
comp-lzo
status /var/log/openvpn-status.log
verb 4
persist-key
persist-tun
Copy the .key, .pem and .crt files referenced in the configuration file to /usr/local/etc/keys.
c) Start OpenVPN
/usr/local/sbin/openvpn --config /usr/local/etc/server.conf
Check that the service is listening:
lsof -i :2194
Once debugging is finished, start openvpn as a background daemon:
/usr/local/sbin/openvpn --daemon --config /usr/local/etc/server.conf
and add this line to /etc/rc.local.
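As an added example (not from the original post), a POSIX shell pre-flight check to run before starting the daemon: it reads the ca/cert/key/dh/tls-auth directives from a server.conf like the one above, confirms each referenced file is present, that the server key and ta.key are not readable by other users, and that ca.key has not been copied into the keys directory alongside the server key. The function and fixture names are assumptions; the fixture writes dummy placeholder files, not real keys.

```shell
# Added example, not from the original post: pre-flight checks on an
# OpenVPN server.conf before starting the daemon. Function and fixture
# names are hypothetical; directive names follow the post's server.conf.

# Print the first argument of a directive, e.g. conf_get server.conf key
conf_get() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Return 0 only if every ca/cert/key/dh/tls-auth file exists, private
# material is not group- or world-readable, and ca.key is not stored next
# to the server key (the post says the CA key must be kept separately).
openvpn_preflight() {
    cfg=$1; rc=0
    for directive in ca cert key dh tls-auth; do
        f=$(conf_get "$cfg" "$directive")
        if [ -z "$f" ]; then echo "MISSING directive: $directive"; rc=1; continue; fi
        if [ ! -r "$f" ]; then echo "MISSING file for $directive: $f"; rc=1; continue; fi
        case $directive in key|tls-auth)
            # any g+r or o+r bit set means the secret is readable by other users
            if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
                echo "LOOSE permissions on $f (expected 0600)"; rc=1
            fi ;;
        esac
    done
    k=$(conf_get "$cfg" key)
    if [ -n "$k" ] && [ -e "$(dirname "$k")/ca.key" ]; then
        echo "CA private key stored next to server key: $(dirname "$k")/ca.key"; rc=1
    fi
    return $rc
}

# Constructed sample layout (dummy files, not real keys) mirroring the post:
# keys under $1/keys and a server.conf referencing them. Prints the conf path.
make_fixture() {
    mkdir -p "$1/keys"
    for f in ca.crt server.crt server.key dh1024.pem ta.key; do
        echo "sample" > "$1/keys/$f"
    done
    chmod 600 "$1/keys/server.key" "$1/keys/ta.key"
    cat > "$1/server.conf" <<EOF
ca $1/keys/ca.crt
cert $1/keys/server.crt
key $1/keys/server.key
dh $1/keys/dh1024.pem
tls-auth $1/keys/ta.key 0
EOF
    echo "$1/server.conf"
}
```

Run it as `openvpn_preflight /usr/local/etc/server.conf` on the real host; a non-zero exit with the printed findings means the daemon should not be started yet.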
4. Configure the OpenVPN server firewall
The key points are to allow traffic in from tun/tap and to apply NAT to the traffic going from OpenVPN clients into the company LAN.
For example (reference configuration; adapt it to your actual situation. During testing you may allow everything on tun/tap first and add the restrictions once it works. Also pay attention to the NAT configuration):
vi /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Sep 30 21:34:16 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [42:4060]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# tap (bridging) and tun (routing) devices: tap is a layer-2 device and supports link-layer protocols;
# tun is an IP-layer point-to-point device with slightly more restrictions, and is the usual choice.
# Traffic arriving on a tun+ virtual interface for destination 172.18.2.32, protocol tcp, ports 80 through 83: allow
-A RH-Firewall-1-INPUT -d 172.18.2.32 -i tun+ -p tcp -m tcp --dport 80:83 -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.18.2.32 -i tap+ -p tcp -m tcp --dport 80:83 -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.18.2.23 -i tun+ -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.18.2.23 -i tap+ -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.18.2.23 -i tun+ -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.18.2.23 -i tap+ -p tcp -m tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.9.0.132 -d 172.18.2.24 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.9.0.131 -j REJECT --reject-with icmp-port-unreachable
# Source IP 10.9.0.131: reject
#-A RH-Firewall-1-INPUT -s 10.9.0.130 -d 172.18.2.0/255.255.0.0 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.9.0.130 -d 172.18.2.41 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.9.0.130 -d 172.18.2.40 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Allow access to the ssh service from the eth1 interface
-A RH-Firewall-1-INPUT -p udp -m udp --dport 2194 -j ACCEPT
# Allow VPN clients to connect to the server's VPN service port
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Sep 30 21:34:16 2008
# Generated by iptables-save v1.3.5 on Tue Sep 30 21:34:16 2008
*nat
:PREROUTING ACCEPT [3:518]
:POSTROUTING ACCEPT [1:92]
:OUTPUT ACCEPT [1:92]
-A POSTROUTING -s 10.9.0.0/255.255.255.0 -o eth1 -j SNAT --to-source 172.18.2.30
# Packets with source 10.9.0.0/255.255.255.0 leaving via eth1 are SNATed to 172.18.2.30
COMMIT
# Completed on Tue Sep 30 21:34:16 2008
After editing the iptables configuration file, load it:
iptables-restore < /etc/sysconfig/iptables
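An added example (not part of the original post): a shell check that reads an iptables-save file like the one above and reports whether the points the post calls out are present: the ACCEPT for the OpenVPN UDP port, selective ACCEPTs for traffic arriving on tun+/tap+ (a blanket allow is flagged, since the post suggests it only while testing), the SNAT for the VPN client subnet, and the closing catch-all REJECT. Function names are assumptions; the sample ruleset is a constructed subset of the post's rules.

```shell
# Added example, not from the original post: checks a saved iptables
# ruleset (iptables-save format, as in the post) for the properties the
# post calls out. Function names are hypothetical.

# fw_policy_check FILE VPN_PORT VPN_SUBNET -> return 0 if all checks pass,
# otherwise print one line per finding and return 1.
fw_policy_check() {
    f=$1; port=$2; subnet=$3; rc=0
    grep -q -- "-p udp -m udp --dport $port -j ACCEPT" "$f" \
        || { echo "no ACCEPT for the OpenVPN port udp/$port"; rc=1; }
    grep -Eq -- "-i (tun|tap)[+] .*-j ACCEPT" "$f" \
        || { echo "nothing arriving on tun+/tap+ is allowed in"; rc=1; }
    # the post allows everything on tun+/tap+ only while testing
    grep -Eq -- "-i (tun|tap)[+] -j ACCEPT" "$f" \
        && { echo "blanket ACCEPT on tun+/tap+: restrict to the needed hosts/ports"; rc=1; }
    grep -q -- "-A POSTROUTING -s $subnet .*-j SNAT" "$f" \
        || { echo "no SNAT for VPN client traffic from $subnet"; rc=1; }
    # the last rule of the filter table (line before its COMMIT) must be a REJECT
    awk '/^\*filter/,/^COMMIT/' "$f" | tail -n 2 | head -n 1 | grep -q -- "-j REJECT" \
        || { echo "filter table does not end with a catch-all REJECT"; rc=1; }
    return $rc
}

# Constructed sample: the relevant lines of the post's ruleset, written to $1.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.18.2.32 -i tun+ -p tcp -m tcp --dport 80:83 -j ACCEPT
-A RH-Firewall-1-INPUT -d 172.18.2.23 -i tun+ -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 2194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.9.0.0/255.255.255.0 -o eth1 -j SNAT --to-source 172.18.2.30
COMMIT
EOF
}
```

On the real host, run `fw_policy_check /etc/sysconfig/iptables 2194 10.9.0.0/255.255.255.0` after editing the file and before `iptables-restore`.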
OK, the OpenVPN server configuration is now complete.
Reposted from: https://blog.51cto.com/dadloveu/448606