System environment:
CentOS 6.75
OpenVPN 2.3.11
Installation procedure
1. Install the EPEL 6 yum repository and refresh the local cache
# rpm -ivh http://mirrors.sohu.com/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
# yum makecache
2. Disable SELinux and the firewall
[root@localhost ~]# service iptables stop
[root@localhost ~]# chkconfig iptables off
vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
reboot  // restart the server
3. Install openvpn and easy-rsa
[root@localhost ~]# yum -y install openvpn easy-rsa
4. Configure easy-rsa
[root@localhost ~]# mkdir -p /etc/openvpn/easy-rsa/keys
[root@localhost ~]# cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
5. Create the CA certificate and key
a. vi /etc/openvpn/easy-rsa/vars  // edit the following entries
export KEY_COUNTRY="CN"              // country
export KEY_PROVINCE="SH"             // province
export KEY_CITY="Shanghai"           // city
export KEY_ORG="OpenVPN ORG"         // organization
export KEY_EMAIL="451345726@qq.com"  // e-mail address
export KEY_OU="OpenVPN"              // organizational unit
b. Initialize the certificate authority
[root@localhost easy-rsa]# pwd
/etc/openvpn/easy-rsa
[root@localhost easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
c. Remove any existing certificate files
[root@localhost easy-rsa]# ./clean-all
[root@localhost easy-rsa]# ls keys/
index.txt  serial
d. Create the CA certificate; just press Enter at every prompt (the defaults come from vars)
[root@localhost easy-rsa]# ./build-ca
Generating a 2048 bit RSA private key
..........................+++
............+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN]:
Common Name (eg, your name or your server's hostname) [OpenVPN ORG CA]:
Name [EasyRSA]:
Email Address [451345726@qq.com]:
[root@localhost easy-rsa]#
[root@localhost easy-rsa]# ls keys/
ca.crt  ca.key  index.txt  serial
e. Create the server certificate; "server" is the certificate name
./build-key-server server
[root@localhost easy-rsa]# ./build-key-server server
Generating a 2048 bit RSA private key
..........+++
...............................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [Shanghai]:
Organization Name (eg, company) [OpenVPN ORG]:
Organizational Unit Name (eg, section) [OpenVPN]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [451345726@qq.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'Shanghai'
organizationName      :PRINTABLE:'OpenVPN ORG'
organizationalUnitName:PRINTABLE:'OpenVPN'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'451345726@qq.com'
Certificate is to be certified until Aug 13 02:14:17 2026 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note: answer y at the following two prompts
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@localhost easy-rsa]# ls keys/
01.pem  ca.crt  ca.key  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
f. Generate the Diffie-Hellman parameter file
./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[root@localhost easy-rsa]# ls keys
01.pem  ca.crt  ca.key  dh2048.pem  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key
g. Generate the TLS-auth key
This step is optional. openvpn provides the TLS-auth feature, which helps defend against DoS and UDP port flooding attacks, so for security reasons it is worth enabling. Run the following command to generate the key file TLS-auth needs:
[root@localhost easy-rsa]# openvpn --genkey --secret keys/ta.key
[root@localhost easy-rsa]# ls keys/
01.pem  ca.crt  ca.key  dh2048.pem  index.txt  index.txt.attr  index.txt.old  serial  serial.old  server.crt  server.csr  server.key  ta.key
6. Copy the server certificate, key and related files
[root@localhost keys]# pwd
/etc/openvpn/easy-rsa/keys
[root@localhost keys]# cp server.crt server.key dh2048.pem ca.crt ta.key /etc/openvpn/
[root@localhost keys]# cd /etc/openvpn/
[root@localhost openvpn]# ls
ca.crt  dh2048.pem  easy-rsa  server.crt  server.key  ta.key
7. Edit the server configuration file
Note: OpenVPN recommends certificate-based authentication, which is very secure but tedious to configure. Fortunately it can also authenticate with a username and password, like pptp and other VPNs. Whichever method you use, the server still needs the four files ca.crt, server.crt, server.key and dh1024.pem (dh2048.pem as generated above). To use username/password authentication, add the following directive to the server configuration file to drop the client certificate requirement; without it, the server requires both a certificate and a username/password to log in!
client-cert-not-required
Then add auth-user-pass-verify to enable the password-checking script:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
Add script-security to silence the warning:
script-security 3 system
The checkpsw.sh script can be fetched over the network:
wget http://openvpn.se/files/other/checkpsw.sh
If the download fails, create a checkpsw.sh file yourself; when copying the file over to the Linux system, watch out for line-ending differences.
Its contents are as follows; only the PASSFILE and LOG_FILE variables need to be changed.
# cd /usr/local/openvpn/etc/
# wget http://openvpn.se/files/other/checkpsw.sh
# chmod +x checkpsw.sh
# cat checkpsw.sh
#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/etc/openvpn/openvpn-password.log"
TIME_STAMP=`date "+%Y-%m-%d %T"`

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# The username is handed to awk with -v so it is compared as data
# rather than spliced into the awk program text.
CORRECT_PASSWORD=`awk -v u="${username}" '!/^;/&&!/^#/&&$1==u{print $2;exit}' "${PASSFILE}"`

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> "${LOG_FILE}"
exit 1
By default checkpsw.sh reads usernames and passwords from /etc/openvpn/psw-file.
Make checkpsw.sh executable:
chmod +x checkpsw.sh
Each line of psw-file holds one account, with the username and password separated by a space, e.g.:
username password
Change the permissions on psw-file so that the openvpn user can read it:
[root@localhost openvpn]# chmod 400 psw-file
[root@localhost openvpn]# chown nobody.nobody psw-file
[root@localhost openvpn]# ll
total 48
-rw-r--r-- 1 root   root    1732 Aug 15 11:03 ca.crt
-rw-r--r-- 1 root   root    1267 Aug 15 12:49 checkpsw.sh
-rw-r--r-- 1 root   root     424 Aug 15 11:03 dh2048.pem
drwxr-xr-x 3 root   root    4096 Aug 15 10:09 easy-rsa
-r-------- 1 nobody nobody    28 Aug 15 12:50 psw-file
-rw-r--r-- 1 root   root   10749 Aug 15 12:56 server.conf
-rw-r--r-- 1 root   root    5483 Aug 15 11:03 server.crt
-rw------- 1 root   root    1704 Aug 15 11:03 server.key
-rw------- 1 root   root     636 Aug 15 11:03 ta.key
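checkpsw.sh keeps every password in plaintext in psw-file and, on a failed attempt, writes the submitted password into the log file. The script below is an added example of an auth-user-pass-verify script for via-env mode; it is not code from the original post or from the OpenVPN project. It stores a per-user random salt and the SHA-256 hash of salt+password in a hypothetical file /etc/openvpn/psw-hashes, passes the username to awk as data with -v, and never logs a password. It needs only sha256sum from coreutils, so it runs on the CentOS 6 box described above.

```shell
#!/bin/sh
# Added example (not the original checkpsw.sh): an OpenVPN auth-user-pass-verify
# script for "via-env" mode that keeps salted SHA-256 hashes instead of plaintext
# passwords and never writes the submitted password to the log.
# Assumed file layout (hypothetical path), one line per user:
#   username salt sha256hex      where sha256hex = sha256(salt + password)
PASSFILE="${PASSFILE:-/etc/openvpn/psw-hashes}"
LOG_FILE="${LOG_FILE:-/etc/openvpn/openvpn-password.log}"

log() {
    printf '%s: %s\n' "$(date '+%Y-%m-%d %T')" "$1" >> "$LOG_FILE"
}

# hash_password SALT PASSWORD -> hex digest of salt+password
hash_password() {
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# make_entry USER PASSWORD -> one line for PASSFILE (run once per user, as root);
# the salt is 12 random bytes from /dev/urandom, so equal passwords give different lines
make_entry() {
    salt=$(od -An -tx1 -N 12 /dev/urandom | tr -d ' \n')
    printf '%s %s %s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# check_user_pass USER PASSWORD FILE -> returns 0 if the credentials are valid, 1 otherwise
check_user_pass() {
    user="$1"; pass="$2"; file="$3"
    [ -r "$file" ] || { log "cannot read $file"; return 1; }
    # Only accept usernames made of the characters make_entry can store on one line;
    # this also keeps every log line single-line and unambiguous.
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) log "rejected malformed username"; return 1 ;;
    esac
    # The username goes in with -v, so its characters are data, not awk code.
    entry=$(awk -v u="$user" '!/^[;#]/ && $1 == u { print $2, $3; exit }' "$file")
    if [ -z "$entry" ]; then
        log "unknown user: username=\"$user\""; return 1
    fi
    salt=${entry%% *}; stored=${entry#* }
    if [ "$(hash_password "$salt" "$pass")" = "$stored" ]; then
        log "successful authentication: username=\"$user\""; return 0
    fi
    log "incorrect password: username=\"$user\""
    return 1
}

# With "via-env", OpenVPN exports the credentials as $username and $password.
# Run the check only when a username is present; invoked by hand without one,
# the file just defines its functions.
if [ -n "${username:-}" ]; then
    check_user_pass "$username" "${password:-}" "$PASSFILE"
    exit $?
fi
```

Add users with `make_entry alice 'her password' >> /etc/openvpn/psw-hashes`, give that file the same 400 permissions and owner as psw-file above, and point auth-user-pass-verify at this script instead of checkpsw.sh. A deliberately slow password hash (bcrypt, scrypt or PBKDF2) would be stronger than a single salted SHA-256, but salted SHA-256 is what coreutils alone provides on this system; the important properties here are that the file on disk no longer reveals passwords, and that the log records only usernames and outcomes.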
Copy the server.conf configuration file:
[root@localhost openvpn]# cp /usr/share/doc/openvpn-2.3.11/sample/sample-config-files/server.conf /etc/openvpn/server.conf
[root@localhost openvpn]# ls
ca.crt  dh2048.pem  easy-rsa  server.conf  server.crt  server.key  ta.key
Edit server.conf; the configuration is as follows:
[root@localhost openvpn]# cat server.conf|egrep -v "^#|^;|^$"
port 1194                        // local port to listen on
proto udp                        // transport protocol
dev tun                          // tunnel type
ca ca.crt                        // path to the CA certificate
cert server.crt                  // path to the server certificate
key server.key                   // path to the server private key
dh dh2048.pem                    // path to the Diffie-Hellman parameter file
server 10.8.0.0 255.255.255.0    // virtual network segment
ifconfig-pool-persist ipp.txt    // remember the IP the server assigned to each client so it gets the same one next time
push "dhcp-option DNS 8.8.8.8"
client-to-client                 // allow clients to reach each other; by default clients can only reach the server
keepalive 10 120                 // ping every 10 seconds, connection timeout 120 seconds
tls-auth ta.key 0                // enable TLS-auth with ta.key to resist attacks; the second parameter is 0 on the server and 1 on the client
comp-lzo                         // enable compression on the VPN link; if the server enables it, the client must too
persist-key
persist-tun                      // the persist options avoid losing access to resources that cannot be reopened after privileges are dropped on restart
status openvpn-status.log        // path to the OpenVPN status log
log openvpn.log
verb 3                           // log level
client-cert-not-required         // do not authenticate clients by certificate
username-as-common-name
script-security 3 system
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
Files the server needs; note the permissions and ownership of checkpsw.sh and psw-file:
[root@localhost openvpn]# ll
total 76
-rw-r--r-- 1 root   root    1732 Aug 15 11:03 ca.crt
-rwxr-xr-x 1 root   root    1249 Aug 15 13:42 checkpsw.sh
-rw-r--r-- 1 root   root     424 Aug 15 11:03 dh2048.pem
drwxr-xr-x 3 root   root    4096 Aug 15 13:17 easy-rsa
-rw------- 1 root   root      23 Aug 15 15:25 ipp.txt
-rw------- 1 root   root    3813 Aug 15 15:17 openvpn.log
-rw-r--r-- 1 root   root     434 Aug 15 15:17 openvpn-password.log
-rw------- 1 root   root     371 Aug 15 15:28 openvpn-status.log
-r-------- 1 nobody nobody    28 Aug 15 12:50 psw-file
-rw-r--r-- 1 root   root   10601 Aug 15 15:15 server.conf
-rw-r--r-- 1 root   root   10724 Aug 15 14:40 server.conf.bak
-rw-r--r-- 1 root   root    5483 Aug 15 11:03 server.crt
-rw------- 1 root   root    1704 Aug 15 11:03 server.key
-rw------- 1 root   root     636 Aug 15 11:03 ta.key
8. Edit the client configuration file client.conf
Comment out the client certificate directives.
Contents of client.conf:
client                       // this end is a VPN client
dev tun                      // must match the server
proto udp                    // must match the server
remote 172.16.100.225 1194   // real IP address and port of the remote server
resolv-retry infinite        // reconnect automatically after a drop; very useful on unstable networks (e.g. a laptop on wireless)
nobind                       // do not bind to a specific local port
user nobody
group nobody
persist-key
persist-tun
ca ca.crt                    // path to the CA certificate
remote-cert-tls server
tls-auth ta.key 1            // TLS-auth enabled; must match the server
comp-lzo                     // must match the server
verb 3
auth-user-pass               // prompt for username and password
9. Installing and configuring the Windows client
Download the openvpn client: http://www.openvpn.net/release/openvpn-2.0.9-install.exe
After installation, copy these three files from the server:
ca.crt client.conf ta.key
into the config directory under the openvpn installation directory.
Logging in
Double-click the "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3" icon; the openvpn icon appears in the lower-right corner of the desktop. Right-click it, choose client -> Connect, and enter the username and password to log in.
10. Firewall rules on the OpenVPN server
After the steps above, clients can reach the VPN server and the other VPN clients that have dialled in, but they cannot reach the internal hosts on the same network segment as the VPN server. The reason is that when a request goes out to an internal host, that host has no route back to the VPN client, so it cannot respond. Suppose the internal network is 192.168.1.0/24 and the VPN client address range is 10.8.0.0/24: the internal hosts have no route to 10.8.0.0/24, so they cannot answer the VPN clients' requests. We could add a route on every internal host, but with hundreds of hosts, adding it one machine at a time would be a real chore. Instead we can solve it with one firewall rule on the VPN server. Assume the openvpn server's IP is 192.168.1.10 and its interface is eth0:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.10
Note: "SNAT --to-source 192.168.1.10" can be replaced with MASQUERADE, which means address masquerading: the server picks a suitable IP address to use as the source automatically, which suits hosts without a fixed IP. If the IP changes often, use MASQUERADE.
Below is material found online that also configures the OpenVPN firewall policy.
Clear the iptables configuration:
iptables -F
iptables -X
Configure NAT for openvpn, forwarding packets from all network segments out of eth0:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Add a FORWARD whitelist entry:
iptables -A FORWARD -i tun+ -j ACCEPT
Enable routing in the kernel (this one is important):
echo "1" > /proc/sys/net/ipv4/ip_forward
service iptables save     // save the iptables configuration
service iptables restart  // restart iptables
cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Aug 15 16:47:30 2016
*nat
:PREROUTING ACCEPT [38:8664]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Aug 15 16:47:30 2016
# Generated by iptables-save v1.4.7 on Mon Aug 15 16:47:30 2016
*filter
:INPUT ACCEPT [218:28319]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:13949]
-A FORWARD -i tun+ -j ACCEPT
COMMIT
# Completed on Mon Aug 15 16:47:30 2016
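The MASQUERADE and FORWARD rules quoted above apply to every source address and forward anything arriving on tun+ to anywhere, and the echo into /proc is undone at the next reboot. As an added example that is not part of the original post, the script below builds the same NAT setup with the rules limited to the VPN subnet and the LAN interface, lets only replies to those flows come back through the tunnel, and persists ip_forward through /etc/sysctl.conf. The subnet 10.8.0.0/24, interface eth0 and server address 192.168.1.10 are the values assumed in the post; RUN=echo (the default) prints the commands so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post: NAT and forwarding rules for the
# OpenVPN server scoped to the VPN subnet and LAN interface, plus persistent
# ip_forward. Assumed values (from the post): subnet 10.8.0.0/24, LAN interface
# eth0, server LAN address 192.168.1.10. RUN=echo (default) prints the commands
# instead of executing them; run with RUN= as root to apply them.
RUN="${RUN-echo}"

# is_cidr ADDR/PREFIX -> returns 0 if the argument is a well-formed IPv4 CIDR block
is_cidr() {
    case "$1" in
        */*/*|*[!0-9./]*|*/|/*) return 1 ;;   # stray characters or empty parts
        */*) ;;                               # exactly one slash: go on
        *) return 1 ;;                        # no prefix length at all
    esac
    prefix=${1##*/}
    addr=${1%/*}
    [ "$prefix" -le 32 ] || return 1
    set -- $(printf '%s' "$addr" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# vpn_firewall VPN_SUBNET LAN_IF LAN_IP -> emits (or applies) the rules; 1 on bad input
vpn_firewall() {
    vpn_net="$1"; lan_if="$2"; lan_ip="$3"
    is_cidr "$vpn_net" || { echo "bad VPN subnet: $vpn_net" >&2; return 1; }
    is_cidr "$lan_ip/32" || { echo "bad LAN address: $lan_ip" >&2; return 1; }

    # Enable forwarding now and persist it: a write to /proc alone is lost at reboot.
    $RUN sysctl -w net.ipv4.ip_forward=1
    grep -qs '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
        $RUN sh -c 'echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf'

    # Source NAT only for packets that come from the VPN subnet and leave via the
    # LAN interface, rather than MASQUERADE for every source on eth0.
    $RUN iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$lan_if" -j SNAT --to-source "$lan_ip"

    # Forward VPN clients towards the LAN, and let only replies to those flows come
    # back through the tunnel, instead of accepting anything that arrives on tun+.
    $RUN iptables -A FORWARD -i tun+ -s "$vpn_net" -o "$lan_if" -j ACCEPT
    $RUN iptables -A FORWARD -i "$lan_if" -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Persist the rule set the same way the post does.
    $RUN service iptables save
}

vpn_firewall 10.8.0.0/24 eth0 192.168.1.10
```

With the default RUN=echo the script only lists what it would run; `RUN= sh thisscript.sh` as root applies it. The source restriction on the SNAT rule matters because, with MASQUERADE on eth0 and no -s, any traffic the box forwards out of eth0 is rewritten to the server's address, not just traffic from VPN clients; the stateful return rule replaces the blanket `-i tun+ -j ACCEPT`, which would also have forwarded tunnel traffic towards any other interface.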
References:
http://www.cnblogs.com/linuxprobe/p/5428098.html
http://www.cnblogs.com/electron/p/3488033.html
http://ylw6006.blog.51cto.com/470441/1009004
Reposted from: https://blog.51cto.com/zengestudy/1838474