Outline
I. Preface
II. Overview
III. Lab topology
IV. Environment preparation
V. Detailed configuration walkthrough
VI. Summary
Note: the lab environment is CentOS 5.5 x86_64 with OpenVPN 2.1; software download: http://yunpan.cn/QzT8fGsX8S75a (access code e8e4).
I. Preface
In the previous post we explained how to build a VPN server inside the internal network, and I trust everyone has a rough idea of that by now. But some readers said: we don't have a spare server to use as the VPN server, we only have one Linux gateway server, so what do we do? Can the VPN server be built on the gateway server itself? I can say that it certainly can. So how do we build it? Let's do it together!
II. Overview
The key to running the VPN server on the gateway is the firewall NAT mapping; the essential configuration is:
[root@gateway ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254
Note: eth0 is the public-facing interface and eth1 the internal interface. Let's look at the lab topology next, which will make this clearer.
III. Lab topology
Note: this topology is a typical application case for a small or medium-sized enterprise LAN. This article does not cover the configuration of NAT, Web, FTP and so on, only the operations related to OpenVPN. If you have other questions you are welcome to discuss them, thanks.
IV. Environment preparation
1. Install the yum repository
[root@gateway ~]# rpm -ivh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Retrieving http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
warning: /var/tmp/rpm-xfer.qnxpWE: Header V3 DSA signature: NOKEY, key ID 217521f6
Preparing...                ########################################### [100%]
        package epel-release-5-4.noarch is already installed
[root@gateway ~]# yum list
2. Synchronize the server clock
[root@gateway ~]# yum install -y ntp
[root@gateway ~]# ntpdate 210.72.145.44
[root@gateway ~]# hwclock -w
[root@gateway ~]# date
[root@gateway ~]# hwclock
3. Install the required dependency packages
[root@gateway ~]# yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
V. Detailed configuration walkthrough
Note: a brief outline of the configuration steps:
Install the lzo and openvpn packages
Copy the files needed for configuration
Initialize the PKI
Build the server key
Generate the client keys
Generate the Diffie-Hellman parameters
Pack all files under keys into an archive and download it locally for the client machines
Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/openvpn
Edit the server configuration file /etc/openvpn/server.conf
Start the VPN server
Configure the Windows client
Set up the port mapping on the gateway server
Test the Windows client's connection to OpenVPN
Final test
Now let's work through the steps above.
1. Install the lzo and openvpn packages
[root@gateway ~]# mkdir src
[root@gateway ~]# cd src/
[root@gateway src]# ls
lzo-2.04-3.2.x86_64.rpm  openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
[root@gateway src]# rpm -ivh lzo-2.04-3.2.x86_64.rpm
warning: lzo-2.04-3.2.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID d164ce99
Preparing...                ########################################### [100%]
   1:lzo                    ########################################### [100%]
[root@gateway src]# rpm -ivh openvpn-2.1-0.20.rc4.el5.kb.x86_64.rpm
Preparing...                ########################################### [100%]
   1:openvpn                ########################################### [100%]
2. Copy the files needed for configuration
[root@gateway src]# cp -r /usr/share/openvpn/easy-rsa/2.0/ /etc/openvpn
[root@gateway src]# cd /etc/openvpn
[root@gateway openvpn]# ls
2.0
[root@gateway openvpn]# cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn/
[root@gateway openvpn]# ls
2.0  server.conf
3. Initialize the PKI
[root@gateway openvpn]# cd 2.0/
[root@gateway 2.0]# ls
build-ca     build-key          build-key-server  clean-all      Makefile           pkitool      sign-req
build-dh     build-key-pass     build-req         inherit-inter  openssl-0.9.6.cnf  README       vars
build-inter  build-key-pkcs12   build-req-pass    list-crl       openssl.cnf        revoke-full  whichopensslcnf
[root@gateway 2.0]# vim vars
# change the following entries:
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SH"
export KEY_CITY="SH"
export KEY_ORG="openvpn"
export KEY_EMAIL="admin@free.com"
[root@gateway 2.0]# env | grep KEY
[root@gateway 2.0]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
[root@gateway 2.0]# env | grep KEY
KEY_EXPIRE=3650
KEY_EMAIL=admin@free.com
KEY_SIZE=1024
KEY_DIR=/etc/openvpn/2.0/keys
KEY_CITY=SH
KEY_PROVINCE=SH
KEY_ORG=openvpn
KEY_CONFIG=/etc/openvpn/2.0/openssl.cnf
KEY_COUNTRY=CN
[root@gateway 2.0]# ./clean-all
[root@gateway 2.0]# ls
build-ca     build-key-pass    build-req-pass  list-crl           pkitool      vars
build-dh     build-key-pkcs12  clean-all       Makefile           README       whichopensslcnf
build-inter  build-key-server  inherit-inter   openssl-0.9.6.cnf  revoke-full
build-key    build-req         keys            openssl.cnf        sign-req
[root@gateway 2.0]# ./build-ca
Generating a 1024 bit RSA private key
.++++++
.......................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [openvpn CA]:
Email Address [admin@free.com]:
4. Build the server key
[root@gateway 2.0]# ./build-key-server server
Generating a 1024 bit RSA private key
.................++++++
.............++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [admin@free.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'server'
emailAddress          :IA5STRING:'admin@free.com'
Certificate is to be certified until May  2 03:41:08 2024 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
5. Generate the client keys (I create three clients here, client1, client2 and client3; generate as many as you need)
1). client1
[root@gateway 2.0]# ./build-key client1
Generating a 1024 bit RSA private key
......++++++
...++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SH]:
Locality Name (eg, city) [SH]:
Organization Name (eg, company) [openvpn]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [admin@free.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SH'
localityName          :PRINTABLE:'SH'
organizationName      :PRINTABLE:'openvpn'
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'admin@free.com'
Certificate is to be certified until May  2 03:46:17 2024 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2). client2 and client3 are created the same way, so I will not show them here; readers who are unsure can refer to the previous post.
6. Generate the Diffie-Hellman parameters
[root@gateway 2.0]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................................................................++*++*++*
7. Pack all files under keys into an archive and download it locally for the client machines.
[root@gateway 2.0]# cd keys/
[root@gateway keys]# ls
01.pem  ca.crt       client1.key  client3.crt  index.txt           serial      server.key
02.pem  ca.key       client2.crt  client3.csr  index.txt.attr      serial.old
03.pem  client1.crt  client2.csr  client3.key  index.txt.attr.old  server.crt
04.pem  client1.csr  client2.key  dh1024.pem   index.txt.old       server.csr
[root@gateway keys]# tar zcvf client.tar.gz ./*
./01.pem
./02.pem
./03.pem
./04.pem
./ca.crt
./ca.key
./client1.crt
./client1.csr
./client1.key
./client2.crt
./client2.csr
./client2.key
./client3.crt
./client3.csr
./client3.key
./dh1024.pem
./index.txt
./index.txt.attr
./index.txt.attr.old
./index.txt.old
./serial
./serial.old
./server.crt
./server.csr
./server.key
[root@gateway keys]# ls
01.pem  04.pem  client1.crt  client2.crt  client3.crt  client.tar.gz  index.txt.attr      serial      server.csr
02.pem  ca.crt  client1.csr  client2.csr  client3.csr  dh1024.pem     index.txt.attr.old  serial.old  server.key
03.pem  ca.key  client1.key  client2.key  client3.key  index.txt      index.txt.old       server.crt
Note: as the tar listing shows, this archive also contains ca.key and server.key; a client only needs ca.crt plus its own .crt and .key, so remove the CA and server private keys before handing the bundle out.
8. Copy ca.crt, server.crt, server.key and dh1024.pem from keys to /etc/openvpn
[root@gateway keys]# cp ca.* server.* dh1024.pem /etc/openvpn/
[root@gateway keys]# cd /etc/openvpn/
[root@gateway openvpn]# ls
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.crt  server.csr  server.key
9. Edit the server configuration file /etc/openvpn/server.conf
[root@gateway openvpn]# cp server.conf server.conf.bak.2014.5.5
[root@gateway openvpn]# ls
2.0  ca.crt  ca.key  dh1024.pem  server.conf  server.conf.bak.2014.5.5  server.crt  server.csr  server.key
[root@gateway openvpn]# vim server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
10. Start the VPN server
[root@gateway openvpn]# /etc/init.d/openvpn start
正在启动 openvpn:                                          [确定]
[root@gateway openvpn]# netstat -ntulp | grep 1194
udp        0      0 0.0.0.0:1194                0.0.0.0:*                               19147/openvpn
[root@gateway openvpn]# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
11. Configure the Windows client
(1). Install the client (not shown here; install it yourselves)
(2). Put the client certificate files generated on the server into the config folder
D:\Program Files\OpenVPN\config\test
(3). Create the client configuration file test.ovpn
D:\Program Files\OpenVPN\config
Contents of test.ovpn:
client
dev tun
proto udp
# public IP address of the office gateway
remote x.x.x.x 1194
persist-key
persist-tun
ca test\\ca.crt
cert test\\client1.crt
key test\\client1.key
ns-cert-type server
comp-lzo
verb 3
redirect-gateway def1
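The server.conf from step 9 and the test.ovpn above have to agree with each other on port, protocol and compression, and the client needs ns-cert-type server because the server certificate was issued with build-key-server. The checker below is an added example, not code from the original post; the two config texts are constructed copies of the post's configs, with the remote address left as the post's x.x.x.x placeholder.

```python
# Added example (not from the original post): parse the server.conf and
# client test.ovpn shown above and cross-check them before starting the
# service. Both texts are constructed copies of the post's configs.
SERVER_CONF = """port 1194
proto udp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
comp-lzo
"""
CLIENT_OVPN = """client
proto udp
remote x.x.x.x 1194
ca test\\\\ca.crt
cert test\\\\client1.crt
key test\\\\client1.key
ns-cert-type server
comp-lzo
"""

def parse_openvpn(text):
    """Map directive -> list of argument lists (duplicates kept so they can be reported)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            key, *args = line.split()
            conf.setdefault(key, []).append(args)
    return conf

def check_pair(server_text, client_text):
    """Return the list of problems found; an empty list means the pair is consistent."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    problems = ["server: duplicate directive " + k for k, v in s.items() if len(v) > 1]
    problems += ["server: missing " + k for k in ("ca", "cert", "key", "dh", "server") if k not in s]
    if "remote" not in c:
        problems.append("client: missing remote")
    elif (c["remote"][0] + ["1194"])[1] != s.get("port", [["1194"]])[0][0]:  # 1194 is the default
        problems.append("client: remote port differs from server port")
    if s.get("proto", [["udp"]])[0][0] != c.get("proto", [["udp"]])[0][0]:
        problems.append("proto must match on both sides")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo must be set on both sides or on neither")
    if "ns-cert-type" not in c:
        problems.append("client: add 'ns-cert-type server' (server cert was built with build-key-server)")
    return problems
```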
12. Set up the port mapping on the gateway server (the key configuration) and enable IP forwarding.
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
[root@gateway keys]# iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -d 192.168.18.0/255.255.255.0 -j SNAT --to-source 192.168.18.254
[root@gateway keys]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  localhost/24         anywhere
SNAT       all  --  localhost/24         localhost/24        to:192.168.18.254

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@gateway keys]# vim /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
[root@gateway keys]# sysctl -p
net.ipv4.ip_forward = 1
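The two POSTROUTING rules from the overview and from step 12 are evaluated top to bottom, and both MASQUERADE and SNAT are terminating targets, so the order in which they are appended decides which one a VPN client's packet actually hits. The simulation below is an added example, not code from the original post; the rule list and addresses are the ones the post uses.

```python
# Added example (not from the original post): simulate how iptables walks
# the two POSTROUTING rules given in the overview and in step 12, so the
# effect of their order on VPN-client traffic can be checked offline.
from ipaddress import ip_address, ip_network

# The rules exactly as configured in the post, in the order they were added.
POST_RULES_AS_CONFIGURED = [
    {"src": "10.8.0.0/24", "dst": None, "target": "MASQUERADE"},
    {"src": "10.8.0.0/24", "dst": "192.168.18.0/24", "target": "SNAT",
     "to": "192.168.18.254"},
]


def match_postrouting(rules, src_ip, dst_ip):
    """Return (target, snat_address) of the first matching rule, or
    ("ACCEPT", None) for the chain policy. MASQUERADE and SNAT are both
    terminating targets, so evaluation stops at the first hit."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if src not in ip_network(rule["src"]):
            continue
        if rule["dst"] is not None and dst not in ip_network(rule["dst"]):
            continue
        return (rule["target"], rule.get("to"))
    return ("ACCEPT", None)


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule
    covers a superset of their source and destination selectors."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            src_covered = ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
            dst_covered = earlier["dst"] is None or (
                later["dst"] is not None
                and ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"])))
            if src_covered and dst_covered:
                shadowed.append(i)
                break
    return shadowed
```

With the rules in the post's order, every packet from 10.8.0.0/24 hits MASQUERADE first and the SNAT rule never fires; traffic still works because MASQUERADE rewrites the source to the address of the outgoing interface, but if the fixed 192.168.18.254 source is wanted for internal destinations, the more specific SNAT rule has to be inserted before the MASQUERADE rule.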
13. Connect and test
1). Connect the VPN
Note: after a successful connection a small green icon appears. Now let's try a ping!
2). Test with ping
3). Now let's check where the IP address is located
Before connecting the VPN: (the office)
After connecting the VPN: (the server room)
That completes the hands-on configuration of a VPN server running together with the gateway. Let's now summarize the lessons learned and the open issues.
VI. Summary
In everything above, the server generates the client certificates first and then distributes them to the clients, which connect to the server with those certificates. Sometimes, though, this distribution is rather cumbersome (and not secure either). So we can consider another approach: client certificates are created only on the server side, the client needs nothing but the ca.crt file and does not receive a client certificate, and logging in to the OpenVPN server is done with a username and password. How is that implemented? We will cover it in the next post.
That's all; I hope everyone got something out of this ^_^
Reposted from: https://blog.51cto.com/freeloda/1406621