大纲
一、前言
二、概述
三、环境准备
四、实战拓扑
五、具体配置过程详解
六、总结
注,实战环境 CentOS 5.5 x86_64,软件版本 Open××× 2.1,软件下载:http://yunpan.cn/QzT8fGsX8S75a。
一、前言
在上一篇博客中我们给大家推荐了许多关于open***的理论文章,想了解一个的朋友可心点击这里:http://freeloda.blog.51cto.com/2033581/1354768,从这一篇博客开始我们来讲open***的实战,这是个open***实战的专题共有下面篇博客:
Open××× 实战1:×××与网关不在同一台服器上
Open××× 实战2:×××与网关在同一台服器上
Open××× 实战3:多网段互联×××(点对多点)
Open××× 实战4:常见小问汇总
好了,下面开始我们今天的内容吧!
二、概述
1.Open×××是一个用于创建虚拟专用网络加密通道的软件包,最早由James Yonan编写。Open×××允许参与建立×××的单点使用预设的私钥,第三方证书,或者用户名/密码来进行身份验证。它大量使用了OpenSSL加密库,以及SSLv3/TLSv1协议。
2.Open×××能在Linux、xBSD、Mac OS X与Windows 2000/XP/7上运行。它并不是一个基于Web的×××软件,也不与IPsec及其他×××软件包兼容。
3.Open×××所有的通信都能基于一个单一的IP端口。Open×××提供了两种虚拟网络接口:通用tun/Tap驱动通过它们,可以建立三层IP隧道或者虚拟二层以太网,后者可以传送任何类型的二层以太网络数据,传送的数据可通过LZO算法压缩。IANA(InternetAssigned Numbers Authority) 指定给Open×××的官方端口为1194。
4.Open×××使用通用网络协议(TCP 与UDP)的特点使它成为IPsec 等协议的理想替代,尤其是在ISP(Internet service provider)过滤某些特定××× 协议的情况下。
5.Open××× 可工作于两种模式:
一种是IP遂道路由模式,主要应用于点对点。
另一种是基于以太网的遂道桥接模式,应用于点对多点,有多个分支机构。
好了,下面我们就来讲解一下点对点×××。
三、环境准备
1.时间同步
[root@open*** ~]# yum install -y ntp [root@open*** ~]# ntpdate 202.120.2.101 [root@open*** ~]# hwclock -w
2.安装yum源
[root@open*** ~]# rpm -ivh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
3.安装各种依赖包
[root@open*** ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
四、实战拓扑
注,拓扑图比较简单我在这里就不详细说明了,大家自己看一下。(这里是单独一台×××服器,没和网关放在一起)
五、具体配置过程详解
注,简单写一下配置过程:
安装lzo、open***软件包
为配置做准备,copy 相关文件
初始化 PKI
建立 server key
生成客户端 key
生成 Diffie Hellman 参数
将keys下的所有文件打包下载到本地 ,让客户机用。
将keys下的ca.crt server.crt server.key dh1024.pem拷贝到/etc/open***
修改服务器配置文件/etc/open***/server.conf
启动×××服务器
配置Windows客户端
设置网关服务器的端口映射
测试Windows客户端连Open×××
设置Open×××访问外网的
最后测试
好了,下面就让我们来完成上面的实战步骤。
1.安装lzo、open***软件包
[root@open*** src]# ls epel-release-5-4.noarch.rpm lzo-2.04-3.2.x86_64.rpm open***-2.1-0.20.rc4.el5.kb.x86_64.rpm [root@open*** src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99 Preparing... ########################################### [100%] 1:lzo ########################################### [100%] [root@open*** src]# rpm -ivh open***-2.1-0.20.rc4.el5.kb.x86_64.rpm Preparing... ########################################### [100%] 1:open*** ########################################### [100%]
2.为配置做准备,copy 相关文件
[root@open*** src]# cp -r /usr/share/open***/easy-rsa/2.0/ /etc/open***/ [root@open*** src]# cp /usr/share/doc/open***-2.1/sample-config-files/server.conf /etc/open***/ [root@open*** src]# cd /etc/open***/ [root@open*** open***]# ls 2.0 server.conf
3.初始化 PKI
[root@open*** open***]# cd 2.0/ [root@open*** 2.0]# ls build-ca build-key-pass build-req-pass Makefile README whichopensslcnf build-dh build-key-pkcs12 clean-all openssl-0.9.6.cnf revoke-full build-inter build-key-server inherit-inter openssl.cnf sign-req build-key build-req list-crl pkitool vars [root@open*** 2.0]# vim vars 修改下面几项: export KEY_COUNTRY="CN" export KEY_PROVINCE="SH" export KEY_CITY="SH" export KEY_ORG="open***" export KEY_EMAIL="admin@test.com" [root@open*** 2.0]# env | grep KEY [root@open*** 2.0]# env | grep KEY [root@open*** 2.0]# source ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/open***/2.0/keys [root@open*** 2.0]# env | grep KEY KEY_EXPIRE=3650 KEY_EMAIL=admin@test.com KEY_SIZE=1024 KEY_DIR=/etc/open***/2.0/keys KEY_CITY=SH KEY_PROVINCE=SH KEY_ORG=open*** KEY_CONFIG=/etc/open***/2.0/openssl.cnf KEY_COUNTRY=CN [root@open*** 2.0]# ./clean-all [root@open*** 2.0]# ls build-ca build-key-pass build-req-pass list-crl pkitool vars build-dh build-key-pkcs12 clean-all Makefile README whichopensslcnf build-inter build-key-server inherit-inter openssl-0.9.6.cnf revoke-full build-key build-req keys openssl.cnf sign-req [root@open*** 2.0]# ./build-ca Generating a 1024 bit RSA private key ...........................++++++ .............++++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [SH]: Organization Name (eg, company) [open***]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [open*** CA]: Email Address [admin@test.com]:
4.建立 server key
[root@open*** 2.0]# ./build-key-server server Generating a 1024 bit RSA private key .........++++++ ..++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [SH]: Organization Name (eg, company) [open***]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [server]: Email Address [admin@test.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/open***/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'SH' localityName :PRINTABLE:'SH' organizationName :PRINTABLE:'open***' commonName :PRINTABLE:'server' emailAddress :IA5STRING:'admin@test.com' Certificate is to be certified until Jan 24 02:40:17 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
5.生成客户端 key(我这里设置三个客户端分别为:client1、client2、client3,你可以根据需要生成多个客户端)
client1:
[root@open*** 2.0]# ./build-key client1 Generating a 1024 bit RSA private key .....++++++ ................................++++++ writing new private key to 'client1.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [SH]: Organization Name (eg, company) [open***]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [client1]: Email Address [admin@test.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/open***/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'SH' localityName :PRINTABLE:'SH' organizationName :PRINTABLE:'open***' commonName :PRINTABLE:'client1' emailAddress :IA5STRING:'admin@test.com' Certificate is to be certified until Jan 24 02:42:39 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
client2:
[root@open*** 2.0]# ./build-key client2 Generating a 1024 bit RSA private key ..................................++++++ ............................................++++++ writing new private key to 'client2.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [SH]: Organization Name (eg, company) [open***]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [client2]: Email Address [admin@test.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/open***/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'SH' localityName :PRINTABLE:'SH' organizationName :PRINTABLE:'open***' commonName :PRINTABLE:'client2' emailAddress :IA5STRING:'admin@test.com' Certificate is to be certified until Jan 24 02:43:16 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
client3:
[root@open*** 2.0]# ./build-key client3 Generating a 1024 bit RSA private key ..............++++++ .++++++ writing new private key to 'client3.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [SH]: Locality Name (eg, city) [SH]: Organization Name (eg, company) [open***]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [client3]: Email Address [admin@test.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/open***/2.0/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'SH' localityName :PRINTABLE:'SH' organizationName :PRINTABLE:'open***' commonName :PRINTABLE:'client3' emailAddress :IA5STRING:'admin@test.com' Certificate is to be certified until Jan 24 02:43:58 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
6.生成 Diffie Hellman 参数
[root@open*** 2.0]# ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ...........................................................................................................................................................................................................................................+.................................+.................................+...................+..............................................................................+.........................+.......................................................................................+...........+.....................+......................................+.......................................+............+...................................................................+....................................................................................................................................................................+.............................+......+.............+...........................+.............+..............................................................................+...........+........+............................+.......................................................................................................................................................+.................................................................................+.........................................................................................................................................................................................+....+............+........................................+..........+............................................................................+........+.+...................+........................+...................+................................................................................+.............................................................+....................................................................................................................................................................................................................+.....+.............................+...........+................................................................+.+.........+.................................................................................................................................................+..............................+...............................................+......+.....................................................................+..........................................................+........+.........+..................................................................................+......+.........+..................................................................................+........................................................................................+....+......................+.....+..........+............................................................................................................................................+................+..........+............................................+...............................................+................................................+............................................++*++*++*
7.将keys下的所有文件打包下载到本地 ,让客户机用。
[root@open*** 2.0]# cd keys/ [root@open*** keys]# ls 01.pem 04.pem client1.crt client2.crt client3.crt dh1024.pem index.txt.attr.old serial.old server.key 02.pem ca.crt client1.csr client2.csr client3.csr index.txt index.txt.old server.crt 03.pem ca.key client1.key client2.key client3.key index.txt.attr serial server.csr [root@open*** keys]# tar zcvf full.tar.gz ./* ./01.pem ./02.pem ./03.pem ./04.pem ./ca.crt ./ca.key ./client1.crt ./client1.csr ./client1.key ./client2.crt ./client2.csr ./client2.key ./client3.crt ./client3.csr ./client3.key ./dh1024.pem ./index.txt ./index.txt.attr ./index.txt.attr.old ./index.txt.old ./serial ./serial.old ./server.crt ./server.csr ./server.key [root@open*** keys]# ls 01.pem 04.pem client1.crt client2.crt client3.crt dh1024.pem index.txt.attr serial server.csr 02.pem ca.crt client1.csr client2.csr client3.csr full.tar.gz index.txt.attr.old serial.old server.key 03.pem ca.key client1.key client2.key client3.key index.txt index.txt.old server.crt
8.将keys下的ca.crt server.crt server.key dh1024.pem拷贝到/etc/open***
[root@open*** keys]# cp ca.* server.* dh1024.pem /etc/open***/ [root@open*** keys]# cd /etc/open***/ [root@open*** open***]# ls 2.0 ca.crt ca.key dh1024.pem server.conf server.crt server.csr server.key
9.修改服务器配置文件/etc/open***/server.conf
[root@open*** open***]# cp server.conf server.conf.bak [root@open*** open***]# >server.conf [root@open*** open***]# vim server.conf port 1194 proto udp dev tun ca ca.crt cert server.crt key server.key dh dh1024.pem server 10.8.0.0 255.255.255.0 client-to-client keepalive 10 120 comp-lzo persist-key persist-tun status open***-status.log verb 4 push "dhcp-option DNS 10.8.0.1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4"
10.启动×××服务器
[root@open*** open***]# service open*** start
Starting open***: [ OK ]
[root@open*** open***]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:A6:19:E8
inet addr:192.168.18.248 Bcast:192.168.18.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:fea6:19e8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:107910 errors:0 dropped:0 overruns:0 frame:0
TX packets:73200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:120827874 (115.2 MiB) TX bytes:8877959 (8.4 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:34 errors:0 dropped:0 overruns:0 frame:0
TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3918 (3.8 KiB) TX bytes:3918 (3.8 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
11.配置Windows客户端
(1).安装一下客户端(我就不演示了,大家自己安装)
(2).将服务器上生成的客户机证书文件放到config方件夹下
D:\Program Files\Open×××\config\open***
(3).新建客户端配置文件open***.o***
D:\Program Files\Open×××\config
open***.o*** 文件内容:
client dev tun proto udp remote x.x.x.x 1194 #工作单位外网IP persist-key persist-tun ca open***\\ca.crt cert open***\\client1.crt key open***\\client1.key ns-cert-type server comp-lzo verb 3 redirect-gateway def1
12.设置网关服务器的端口映射
[root@gateway ~]# /sbin/iptables -t nat -A PREROUTING -p udp -d x.x.x.x(公网IP) --dport 1194 -j DNAT --to 192.168.18.248:1194 [root@gateway ~]# /sbin/iptables -t nat -A POSTROUTING -p udp -d 192.168.18.248 --dport 1194 -j SNAT --to x.x.x.x(公网IP):1194 [root@gateway ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain AS0_WEBACCEPT (2 references) target prot opt source destination ACCEPT all -- anywhere anywhere [root@gateway ~]# iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT udp -- anywhere x.x.x.x(公网IP) udp dpt:open*** to:192.168.18.248:1194 Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT udp -- anywhere 192.168.18.248 udp dpt:open*** to:x.x.x.x(公网IP):1194 Chain OUTPUT (policy ACCEPT) target prot opt source destination
13.测试Windows客户端连Open×××(两种方法分别演示一下)
(1).
(2).
(3).测试一下
注,虽然我们×××能ping通了但是还不能访问外网,下面我们来配置一下Open×××访问外网。
14.设置Open×××服务器访问外网
(1).开启路由转发
[root@open*** open***]# vim /etc/sysctl.conf net.ipv4.ip_forward = 1 [root@open*** open***]# sysctl -p net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 kernel.sysrq = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 kernel.shmmax = 68719476736 kernel.shmall = 4294967296
(2).配置NAT映射
[root@open*** open***]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.18.248 [root@open*** open***]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 10.8.0.0/24 anywhere to:192.168.10.248 Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@open*** open***]# service iptables save Saving firewall rules to /etc/sysconfig/iptables: [ OK ] [root@open*** open***]# service iptables restart Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: nat [ OK ] Unloading iptables modules: [ OK ] Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_netbios_n[ OK ] [root@open*** open***]# iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 10.8.0.0/24 anywhere to:192.168.18.248 Chain OUTPUT (policy ACCEPT) target prot opt source destination
15.最后测试
好了,现在我们就可以访问外网了。到这里我们简的点对点×××就配置完成了!
六、总结
上面我们演示了点结点×××的配置过程且×××与网关不在同一台服务器上,有博友会问了放一台服务器做×××多浪费啊,那么网关与×××在同一台服务器上又该怎么配置呢?在下一篇博客中我们将演示,×××与网关在同一台服务器上的点对点×××配置。今天的博客就到这里了,最后希望大家有所收获吧^_^……
转载于:https://blog.51cto.com/freeloda/1354858
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
