I find the Linux SSL VPN package easier than IPSEC VPN.

reference page: http://openvpn.net/


Description:
OpenVPN is an SSL VPN for Linux and Windows 2000 or later.

1. Download the code from the reference page. For Linux, the lzo and openvpn RPM packages are required.
2. To build a static key example
(The shared file static.key is generated with "openvpn --genkey --secret static.key" and copied to both hosts; this step is not in the original notes.)
Server configuration (server.conf on the VPN server)
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key

Client configuration (client.conf on the VPN client)
remote [remote server IP address]
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
dev-node MyTap   (Windows only)

2. Start openvpn on both client and server. If it does not start successfully, check whether the
tun device exists:
modprobe tun; ls /dev/net/tun
If there is no /dev/net/tun, create the device node (character device, major 10, minor 200):
mkdir -p /dev/net; mknod /dev/net/tun c 10 200

3. On Windows, the TAP network connection must be renamed to the name used in the client config; in
our case, MyTap. At the same time, rename client.conf to client.ovpn, so that double-clicking
the file starts openvpn automatically.

4. If the server has a dynamic IP address, use DynDNS to give the VPN server a dynamic DNS name, and use that name in place of the server IP address in the client config.

5. To use TCP port 80
On the server side:
port 80
proto tcp-server

On the client side:
remote [VPN Server IP] 80
proto tcp-client
[ According to the developers, UDP is safer because it helps protect against DoS ]

6. To use certificates
First of all, we have to create the digital certificates. If you don't have a CA or
other digital certificates, use the openvpn easy-rsa scripts to generate them. Note that
vars must be sourced (". ./vars") rather than executed, so that its variables reach the
scripts that follow:
# cd /usr/share/doc/openvpn-x.x/easy-rsa/2.0
# . ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server
# ./build-key client1
# ./build-dh

7. After the certificates are built, copy them to the server and client.

On the server side, we put all the certificates and private keys in /etc/openvpn/keys.
The per-client configs are in /etc/openvpn/ccd.
server.conf
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key

ccd/client1 (the file name must match the common name of the client certificate)
ifconfig-push 10.8.0.2 10.8.0.1
iroute X.X.X.X 255.255.255.0 (if necessary)

client.ovpn on the client
client
remote [remote SSL Server IP]
dev tun
dev-node MyTap
ca ca.crt
cert client1.crt
key client1.key
persist-key
persist-tun

At this point, the server should have ca.crt, dh1024.pem, server.key and server.crt. The client should have
ca.crt, client1.crt and client1.key.

8. Hardening security - specify a cipher with a large key. Add the statement below to both configurations:
cipher AES-256-CBC

9. Hardening security - protect the client key with a password.
Use build-key-pass to generate the client key:
# ./build-key-pass client3

Make a client3 config file in ccd too.

10. Hardening security - use tls-auth. The key direction is 0 on the server and 1 on the client.
(The file ta.key is generated with "openvpn --genkey --secret ta.key" and copied to both hosts; this step is not in the original notes.)
In server.conf:
tls-auth keys/ta.key 0

In client.conf:
tls-auth keys/ta.key 1
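The settings in steps 5, 7, 8 and 10 only work when the two sides agree: tcp-server pairs with tcp-client, the client must dial the server's port, the cipher must be set identically on both sides, the tls-auth direction must be 0 on the server and 1 on the client, and a ccd file is only used when its name equals the client certificate's common name. The script below is an added example (not part of these notes or of the OpenVPN project) that audits a server.conf / client.ovpn pair for exactly those points; the sample configs, the host name vpn.example.test and the subject lines are constructed for the demonstration.

```python
"""Consistency audit for an OpenVPN server.conf / client.ovpn pair.
Added example, not part of the original notes; all sample data is constructed."""
import re


def parse_conf(text):
    """Return {directive: [arg-list, ...]}; blank lines and #/; comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf.setdefault(name, []).append(args)
    return conf


def first(conf, name, default=None):
    """Argument list of the first occurrence of a directive, or default if absent."""
    return conf[name][0] if name in conf else default


def audit_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    out = []
    # Step 5: tcp-server pairs with tcp-client; the client must dial the port the
    # server listens on (OpenVPN defaults when omitted: udp, port 1194).
    s_proto, c_proto = first(s, "proto", ["udp"])[0], first(c, "proto", ["udp"])[0]
    if {"tcp-server": "tcp-client", "udp": "udp", "tcp": "tcp"}.get(s_proto) != c_proto:
        out.append(f"proto mismatch: server '{s_proto}' vs client '{c_proto}'")
    s_port, remote = first(s, "port", ["1194"])[0], first(c, "remote")
    if remote is None:
        out.append("client has no 'remote' directive")
    else:
        c_port = remote[1] if len(remote) > 1 else "1194"
        if c_port != s_port:
            out.append(f"port mismatch: server port {s_port}, client dials {c_port}")
    # Step 8: the cipher must be set, and identically, on both sides.
    s_cipher, c_cipher = first(s, "cipher"), first(c, "cipher")
    if s_cipher is None or c_cipher is None:
        out.append("cipher not set on both sides (notes recommend AES-256-CBC)")
    elif s_cipher != c_cipher:
        out.append(f"cipher mismatch: {s_cipher[0]} vs {c_cipher[0]}")
    # Step 10: tls-auth key direction is 0 on the server and 1 on the client.
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        out.append("tls-auth configured on only one side")
    elif s_ta is not None and (s_ta[1:2] != ["0"] or c_ta[1:2] != ["1"]):
        out.append("tls-auth key direction must be 0 on the server and 1 on the client")
    # Step 7: certificate mode needs ca/cert/key on both sides and dh on the server.
    if "secret" not in s:
        out += [f"server missing '{d}'" for d in ("ca", "cert", "key", "dh") if d not in s]
        out += [f"client missing '{d}'" for d in ("ca", "cert", "key") if d not in c]
    return out


def cn_from_subject(subject_line):
    """CN from `openssl x509 -noout -subject` output, in slash or comma form."""
    m = re.search(r"\bCN\s*=\s*([^/,]+)", subject_line)
    return m.group(1).strip() if m else None


def ccd_check(ccd_names, client_cns):
    """ccd files are selected by the client certificate CN. Return the ccd names
    no issued CN would select, and the CNs that have no ccd entry."""
    ccd, cns = set(ccd_names), set(client_cns)
    return sorted(ccd - cns), sorted(cns - ccd)


# Constructed sample configs following the notes above.
SERVER_CONF = """\
port 80
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
cipher AES-256-CBC
tls-auth keys/ta.key 0
"""
CLIENT_GOOD = """\
client
remote vpn.example.test 80   # constructed host name
proto tcp-client
dev tun
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
tls-auth ta.key 1
"""
# The same client with the port, proto, cipher and key direction done wrong.
CLIENT_BAD = (CLIENT_GOOD.replace("vpn.example.test 80", "vpn.example.test")
              .replace("proto tcp-client\n", "").replace("cipher AES-256-CBC\n", "")
              .replace("tls-auth ta.key 1", "tls-auth ta.key 0"))

if __name__ == "__main__":
    for label, client in (("good", CLIENT_GOOD), ("bad", CLIENT_BAD)):
        print(label, audit_pair(SERVER_CONF, client) or "OK")
    print(ccd_check(["client1", "client3", "stale"], ["client1", "client2", "client3"]))
```

Run it after editing either config; the "bad" client reports four findings (proto, port, cipher, tls-auth direction) while the "good" one reports none. To feed ccd_check real data, collect each client CN with "openssl x509 -noout -subject -in client1.crt" and pass the output through cn_from_subject, which accepts both the older slash-separated and the newer comma-separated subject format.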