一、Choosing between OpenVPN and PPTP
PPTP
The Point-to-Point Tunneling Protocol (PPTP) is one way of building a virtual private network. It uses a TCP control channel plus a GRE tunnel to encapsulate PPP packets. Its usual authentication (MS-CHAPv2) and the MPPE encryption keyed from it are considered broken, so PPTP should not be relied on for confidentiality against a capable adversary.
OpenVPN
OpenVPN is free, open-source software that creates a VPN in routed or bridged mode or as a remote-access service, providing secure point-to-point or site-to-site connections. It uses SSL/TLS for authentication and encryption and can traverse NATs and firewalls.
PPTP versus OpenVPN: which one?
One important consideration, and one outside our control, is that some ISPs block PPTP connections. In that situation there is nothing to do but use OpenVPN. PPTP has a few conveniences of its own, but for this deployment OpenVPN is the better choice.
二、Deploying OpenVPN
This deployment uses the current OpenVPN 2.3.4, and that package no longer contains the most important piece, the certificate tooling easy-rsa.
The OpenVPN site states it plainly: "Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages".
So easy-rsa has to be downloaded separately (from GitHub); its setup is covered in step 3 below. This deployment uses easy-rsa 3, whose commands differ completely from easy-rsa 2.0, so the many online tutorials written for easy-rsa 2.0 do not apply here.
1、Install LZO
LZO is a data compression algorithm designed for fast decompression; OpenVPN links against it for the comp-lzo option.
[root@vpn ~]# tar xf lzo-2.08.tar.gz
[root@vpn ~]# cd lzo-2.08
[root@vpn lzo-2.08]# ./configure && make && make install
2、Install OpenVPN
[root@vpn ~]# tar xf openvpn-2.3.4.tar.gz
[root@vpn ~]# cd openvpn-2.3.4
[root@vpn openvpn-2.3.4]# ./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib
[root@vpn openvpn-2.3.4]# make && make install
[root@vpn openvpn-2.3.4]# which openvpn
/usr/local/sbin/openvpn        # if the binary is found here, the install succeeded
3、Set up easy-rsa on the server side
The openvpn-2.3.4 package does not include the tools for producing certificates (the CA certificate, the server certificate and the client certificates), so easy-rsa must be downloaded separately; the current version is easy-rsa 3.
"Starting with openvpn-2.3_alpha2 easy-rsa is no longer part of the OpenVPN source or binary packages" (source: OpenVPN website)
[root@vpn ~]# unzip easy-rsa-master.zip
[root@vpn ~]# mv easy-rsa-master easy-rsa
[root@vpn ~]# cp -R easy-rsa/ openvpn-2.3.4/
[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# cp vars.example vars
[root@vpn easyrsa3]# vim vars
set_var EASYRSA_REQ_COUNTRY  "CN"
set_var EASYRSA_REQ_PROVINCE "Beijing"
set_var EASYRSA_REQ_CITY     "Beijing"
set_var EASYRSA_REQ_ORG      "shanghai Certificate"
set_var EASYRSA_REQ_EMAIL    "353025240@qq.com"
set_var EASYRSA_REQ_OU       "My OpenVPN"
These EASYRSA_REQ_* values are only written into certificates when EASYRSA_DN is set to "org"; with the default "cn_only" (left unchanged here) only the Common Name is asked for, which is what the prompts below show.
4、Create the server certificate and key
(1) Initialise the PKI
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki
(2) Create the root (CA) certificate
[root@vpn easyrsa3]# ./easyrsa build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................+++
........+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key'
Enter PEM pass phrase:               # choose a passphrase: it encrypts ca.key and is required for every signing operation
Verifying - Enter PEM pass phrase:   # confirm it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:shanghai   # enter a Common Name for the CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
(3) Create the server key and certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
................................+++
......+++
writing new private key to '/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:shanghai-BJ   # must NOT be the same as the CA's Common Name; a lesson learned in blood and tears
Keypair and certificate request completed. Your files are:
req: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
key: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
Why the Common Name matters: a certificate whose subject is identical to its issuer's looks self-issued to OpenSSL's chain builder, and clients then fail to verify the server. Keep the two names distinct. nopass leaves server.key unencrypted so the daemon can start unattended; protect that file with permissions instead (it is readable by root only inside pki/private).
(4) Sign the server certificate
[root@vpn easyrsa3]# ./easyrsa sign server server
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
    commonName                = shanghai-BJ
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes   # type yes to continue
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:   # the CA passphrase chosen in (2)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'shanghai-BJ'
Certificate is to be certified until Aug 21 14:18:49 2024 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
(5) Generate Diffie-Hellman parameters. They are used by the TLS handshake's ephemeral key exchange, so the per-session keys themselves never have to cross the untrusted network:
[root@vpn easyrsa3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................................
DH parameters of size 2048 created at /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem
easy-rsa 3 has no gen-dh1024 command (that was easy-rsa 2's build-dh naming); gen-dh writes 2048-bit parameters to pki/dh.pem, and dh.pem is the file name the server configuration below refers to.
5、Create the client certificate
(1) Create a client directory under /root
[root@vpn easyrsa3]# cd
[root@vpn ~]# mkdir client
[root@vpn ~]# cp -R easy-rsa/ client/
(2) Initialise a separate PKI for the client
[root@vpn ~]# cd client/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# ls
easyrsa  openssl-1.0.cnf  vars  vars.example  x509-types
[root@vpn easyrsa3]# ./easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/client/easy-rsa/easyrsa3/pki
(3) Create the client key and certificate request
[root@vpn easyrsa3]# ./easyrsa gen-req shanghai
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
....................................................+++
.................................................................................................................................................................................+++
writing new private key to '/root/client/easy-rsa/easyrsa3/pki/private/shanghai.key'
Enter PEM pass phrase:               # choose a passphrase for the client key (the GUI will ask for it on every connect)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [shanghai]:shanghai   # enter shanghai
Keypair and certificate request completed. Your files are:
req: /root/client/easy-rsa/easyrsa3/pki/reqs/shanghai.req
key: /root/client/easy-rsa/easyrsa3/pki/private/shanghai.key
(4) Import shanghai.req into the server's PKI and sign it
Only the request (.req) leaves the client PKI; the client's private key stays where it was generated. In a real deployment the request arrives from another machine, and the sign command's warning that the request "has not been cryptographically verified" means you should compare its fingerprint with the requester before typing yes.
[root@vpn ~]# cd openvpn-2.3.4/easy-rsa/easyrsa3/
[root@vpn easyrsa3]# # import the request
[root@vpn easyrsa3]# ./easyrsa import-req /root/client/easy-rsa/easyrsa3/pki/reqs/shanghai.req shanghai
Note: using Easy-RSA configuration from: ./vars
The request has been successfully imported with a short name of: shanghai
You may now use this name to perform signing operations on this request.
[root@vpn easyrsa3]# # sign the certificate
[root@vpn easyrsa3]# ./easyrsa sign client shanghai
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
    commonName                = shanghai
Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes   # type yes
Using configuration from /root/openvpn-2.3.4/easy-rsa/easyrsa3/openssl-1.0.cnf
Enter pass phrase for /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key:   # the CA passphrase from step 4 (2)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'shanghai'
Certificate is to be certified until Aug 21 12:49:40 2024 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/shanghai.crt   # signed successfully
(5) Files produced on the server and client sides
Server side (the /root/openvpn-2.3.4/easy-rsa/easyrsa3/pki directory):
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/server.req
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/reqs/shanghai.req
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/ca.key
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/shanghai.crt
/root/openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem
Client side (/root/client/easy-rsa):
/root/client/easy-rsa/easyrsa3/pki/private/shanghai.key
/root/client/easy-rsa/easyrsa3/pki/reqs/shanghai.req   # this request was imported into the server PKI, so a copy exists there too
ca.key is the one file that must never leave this machine; anyone holding it can issue certificates the server will accept.
(6) Copy the server key, certificate and DH parameters into the openvpn directory
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt openvpn-2.3.4/
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/private/server.key openvpn-2.3.4/
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/server.crt openvpn-2.3.4/
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/dh.pem openvpn-2.3.4/
(7) Copy the client key and certificates into the client directory
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/ca.crt /root/client
[root@vpn ~]# cp openvpn-2.3.4/easy-rsa/easyrsa3/pki/issued/shanghai.crt /root/client
[root@vpn ~]# cp /root/client/easy-rsa/easyrsa3/pki/private/shanghai.key /root/client
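Before the files are wired into server.conf it is worth checking that they fit together, because the failure modes above (a server Common Name equal to the CA's, a key that does not belong to the certificate) only show up later as an unhelpful TLS error on the client. The script below is an added example written for this page, not part of the original post or of easy-rsa; it needs only the openssl command-line tool. check_openvpn_pki takes the three server-side files by the names used above (ca.crt, server.crt, server.key); make_demo_pki builds a throwaway CA and server certificate with plain openssl (a stand-in for the easy-rsa steps, with the post's Common Names) so the check can be tried offline.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check what easy-rsa
# produced before copying it into the OpenVPN directory. Requires the openssl CLI.
# Usage: check_openvpn_pki ca.crt server.crt server.key  (exit 0 = all checks pass)
check_openvpn_pki() {
    ca=$1; crt=$2; key=$3; fail=0

    # 1. chain: server.crt must be signed by ca.crt (this is what every client checks)
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca"; fail=1
    fi

    # 2. pairing: the public key inside server.crt must be the one in server.key,
    #    otherwise openvpn refuses to start
    cert_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $crt"; fail=1
    fi

    # 3. the post's "blood and tears" rule: the server subject must differ from the CA subject
    ca_subj=$(openssl x509 -noout -subject -in "$ca" 2>/dev/null)
    crt_subj=$(openssl x509 -noout -subject -in "$crt" 2>/dev/null)
    if [ -z "$crt_subj" ] || [ "$ca_subj" = "$crt_subj" ]; then
        echo "FAIL: server subject equals CA subject ($crt_subj)"; fail=1
    fi

    # 4. 'easyrsa sign server' sets extendedKeyUsage=serverAuth; a client configured
    #    with 'remote-cert-tls server' relies on it to reject a client cert posing as the server
    if ! openssl x509 -noout -text -in "$crt" 2>/dev/null | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: $crt lacks extendedKeyUsage serverAuth"; fail=1
    fi
    return $fail
}

# Throwaway CA + server certificate built with plain openssl (a stand-in for the
# easy-rsa steps above) so the check can be exercised offline.
make_demo_pki() {   # $1 = work dir, $2 = server Common Name
    dir=$1
    cat >"$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # CA with the post's Common Name "shanghai"
    openssl req -x509 -config "$dir/pki.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj /CN=shanghai -days 30 2>/dev/null
    # server request (gen-req server nopass equivalent) and signing (sign server equivalent)
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.req" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$dir/server.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 30 \
        -extfile "$dir/pki.cnf" -extensions server_ext 2>/dev/null
}

# Run against the real files: sh check_pki.sh ca.crt server.crt server.key
if [ "$#" -eq 3 ]; then
    check_openvpn_pki "$1" "$2" "$3"
fi
```

Run it from /root/openvpn-2.3.4 against the copied files; each failing check prints one FAIL line and the exit status is non-zero, so it can also gate a deployment script. Check 3 catches the Common Name mistake the post warns about, and check 2 catches the case where a key from a second easy-rsa run is copied next to a certificate from the first.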
(8) Write the server configuration file
The OpenVPN install ships an example server configuration:
/root/openvpn-2.3.4/sample/sample-config-files/server.conf
Copy it into the openvpn directory and edit it:
[root@vpn ~]# cp openvpn-2.3.4/sample/sample-config-files/server.conf openvpn-2.3.4/
[root@vpn ~]# vim openvpn-2.3.4/server.conf
local 192.168.1.104                     # the server's (VPS) own IP address
port 1194
proto udp
dev tun
ca /root/openvpn-2.3.4/ca.crt
cert /root/openvpn-2.3.4/server.crt
key /root/openvpn-2.3.4/server.key      # This file should be kept secret
dh /root/openvpn-2.3.4/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun
status openvpn-status.log
verb 3
The sample file also carries, commented out, two hardening options that this configuration leaves disabled: user nobody and group nobody (drop root privileges once the tun device and key files are open; persist-key and persist-tun are already set, so restarts keep working without root), and tls-auth ta.key 0 (an HMAC key generated with openvpn --genkey --secret ta.key and shipped to every client as tls-auth ta.key 1, which makes the server discard unauthenticated UDP packets before they reach the TLS code). Both are worth enabling on an Internet-facing server.
(9) Enable IP forwarding in the kernel
[root@vpn ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 0     # change to
net.ipv4.ip_forward = 1
[root@vpn ~]# sysctl -p
[root@vpn ~]# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
(10) Masquerade the tunnel's outbound packets (eth0 is the VPS's Internet-facing interface):
/sbin/iptables -t nat -I POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
This rule lives only in the running kernel; save it with your distribution's iptables persistence mechanism or clients will lose Internet access after the next reboot.
三、Download the OpenVPN client (openvpn-2.2.2-install.exe) and configure it
1、Copy the client key and certificates out to Windows
[root@vpn ~]# cd client/
[root@vpn client]# ls
ca.crt  easy-rsa  shanghai.crt  shanghai.key     # the three files with extensions are the ones to copy
Transfer them over a channel you trust (scp, not e-mail); shanghai.key is the client's identity, even though it is passphrase-protected.
2、Install the OpenVPN GUI
(1) Copy D:\Program Files (x86)\OpenVPN\sample-config\client.ovpn to D:\Program Files (x86)\OpenVPN\config
(2) Put the three key and certificate files copied from Linux into D:\Program Files (x86)\OpenVPN\config
(3) Edit D:\Program Files (x86)\OpenVPN\config\client.ovpn so that it reads
client
dev tun
proto udp
remote 192.168.1.104 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt            # the CA certificate is required here
cert shanghai.crt
key shanghai.key
comp-lzo
verb 3
The sample client.ovpn has ;ns-cert-type server commented out. Because the server certificate was issued with easyrsa sign server (which sets extendedKeyUsage serverAuth), add remote-cert-tls server to this file: the client then refuses to connect to anything presenting a client certificate, which is what an attacker holding any other client certificate from the same CA would otherwise use to impersonate the server.
四、Start the service and test
1、Start the OpenVPN service on the VPN server
[root@vpn ~]# /usr/local/sbin/openvpn --config openvpn-2.3.4/server.conf &
[root@vpn ~]# echo "/usr/local/sbin/openvpn --daemon --config /root/openvpn-2.3.4/server.conf" >> /etc/rc.local
The rc.local line must point at the file actually edited above (/root/openvpn-2.3.4/server.conf, not /etc/openvpn/server.conf), or the service will not start at boot. --daemon lets openvpn detach and log through syslog instead of being tied to a shell with &.
2、In the OpenVPN GUI, right-click the tray icon, choose Connect, and enter the passphrase of the client key
3、Check the VPN status (the tray icon turns green, and the client appears in openvpn-status.log on the server)
References:
http://nmshuishui.blog.51cto.com/1850554/1544212#comment
http://freeloda.blog.51cto.com/2033581/1354858
Configuring OpenVPN for password authentication
OpenVPN supports two authentication methods, certificates and passwords. This section describes how to configure password authentication.
一: Edit the OpenVPN server configuration and append the following at the end of the file:
# vim /opt/apps/openvpn/etc/server.conf
auth-user-pass-verify /opt/apps/openvpn/etc/checkpsw.sh via-env
client-cert-not-required
username-as-common-name
Two caveats. Since OpenVPN 2.1, a script only receives the password through the environment (via-env) when the configuration also contains script-security 3; at the default level OpenVPN refuses to run the script and every login fails. And client-cert-not-required turns client certificate authentication off entirely, so the password becomes the only thing between the Internet and the tunnel; keeping client certificates and adding auth-user-pass on top of them (two factors) is the stronger choice.
二: Download checkpsw.sh and set its permissions:
Download URL: http://openvpn.se/files/other/checkpsw.sh
Its content is as follows (adjust PASSFILE and LOG_FILE to your paths). Note three properties of this reference script before using it as-is: the password file is plain text, the submitted password is written to the log on every failed attempt (a mistyped password is usually one character away from the real one), and the username is spliced into the awk program text, so a username containing a double quote changes the program rather than being treated as data.
# vim /opt/apps/openvpn/etc/checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/opt/apps/openvpn/etc/psw-file"
LOG_FILE="/opt/apps/openvpn/var/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
  exit 1
fi

CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
exit 1

# chmod a+x /opt/apps/openvpn/etc/checkpsw.sh
三: Create the password file and add accounts and passwords to it:
# vim /opt/apps/openvpn/etc/psw-file
username password
# chmod 400 psw-file
# chown nobody.nobody psw-file
The file is owned by nobody because OpenVPN runs the script as the user it drops privileges to (user nobody in the server configuration); mode 400 keeps everyone else from reading it.
四: Switch the client configuration to password authentication by commenting out the certificate lines:
;cert yangliangwei.crt
;key yangliangwei.key
and adding the directive that makes the client prompt for a username and password:
auth-user-pass
五: Restart the OpenVPN service. If a wrong username or password is entered, the client prompts again; after three attempts the connection is aborted.
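A drop-in replacement for checkpsw.sh that keeps the same contract (exit 0 to accept, anything else to reject; credentials arrive as the via-env variables username/password, or as a two-line file when the directive uses via-file) but fixes the three problems noted above. This is an added example written for this page, not the openvpn.se script and not part of the original post. It assumes an openssl of 1.1.1 or newer (for openssl passwd -6, SHA-512-crypt), a password file whose lines look like username:$6$salt$hash and which is created with the add_user function below rather than by hand, and the same PASSFILE and LOG_FILE paths as the post.

```sh
#!/bin/sh
# Hardened replacement for checkpsw.sh (added example, not the original
# openvpn.se script). Contract is unchanged: exit 0 accepts the login.
#   server.conf:  auth-user-pass-verify /opt/apps/openvpn/etc/checkpsw.sh via-file
#                 (via-env, as in the post, works too and needs script-security 3)
# Password file lines:  username:$6$<salt>$<hash>   (written by add_user below)
PASSFILE=${PASSFILE:-/opt/apps/openvpn/etc/psw-file}
LOG_FILE=${LOG_FILE:-/opt/apps/openvpn/var/openvpn-password.log}

# Log with a timestamp; a missing log directory must not break authentication.
log() {
    { printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >>"$LOG_FILE"; } 2>/dev/null || :
}

# The username becomes the common name (username-as-common-name) and is written
# to the log, so only a conservative character set is accepted.
valid_username() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# SHA-512-crypt via stdin: the password never appears on a command line or in ps.
hash_password() {   # $1 = salt, $2 = password
    printf '%s\n' "$2" | openssl passwd -6 -salt "$1" -stdin
}

# Append a user to the password file (run by the administrator, not by OpenVPN).
add_user() {        # $1 = passfile, $2 = username, $3 = password
    valid_username "$2" || return 1
    salt=$(openssl rand -hex 8)      # 16 salt characters, the maximum for $6$
    printf '%s:%s\n' "$2" "$(hash_password "$salt" "$3")" >>"$1"
}

# 0 = accept, 1 = reject. The password is never written anywhere.
check_user() {      # $1 = passfile, $2 = username, $3 = password
    valid_username "$2" || { log "rejected: malformed username"; return 1; }
    [ -r "$1" ] || { log "cannot read $1"; return 1; }
    # -v hands the username to awk as data, so it cannot alter the program
    stored=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    [ -n "$stored" ] || { log "rejected: unknown user $2"; return 1; }
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $6$salt$hash -> salt
    if [ "$(hash_password "$salt" "$3")" = "$stored" ]; then
        log "accepted: $2"; return 0
    fi
    log "rejected: bad password for $2"; return 1
}

# Entry point used by OpenVPN. via-file: $1 names a file with the username on
# line 1 and the password on line 2. via-env: $username and $password are set.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    username=$(sed -n '1p' "$1"); password=$(sed -n '2p' "$1")
fi
if [ -n "${username:-}" ]; then
    check_user "$PASSFILE" "$username" "${password:-}"
    exit $?
fi
```

To enrol a user, source the script and call add_user /opt/apps/openvpn/etc/psw-file alice 'her password' as root, then apply the same chmod 400 and chown as in step 三; the file now holds only salted SHA-512-crypt hashes, so a leak of it no longer hands out working credentials. The string comparison of the two hashes is not constant-time, but with a crypt hash on one side the timing differences are dwarfed by the hashing itself. Preferring via-file over via-env keeps the password out of the process environment, which other processes running as the same user can read.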
Reposted from: https://blog.51cto.com/hao360/1545489