vyos是vyatta的开源版本,是可以做企业级软路由的os.
vyos 的配置文件保存在/config/config.boot
vyos支持命令补全,所以只要看config.boot就可以敲命令搭建open***
步骤说明:
eth0 为公网 IP，eth1 为内网 IP，并对内网做了 NAT 转发，这样网关就搭建好了。
# Step 1: basic gateway — eth0 faces the Internet, eth1 the LAN, with source NAT for the LAN.
# Chinese placeholders (公网ip/子网掩码, 外网网关, IP地址) must be replaced with real values.
set interfaces ethernet eth0 address 公网ip/子网掩码   # public (WAN) address and prefix length
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 192.168.4.1/22   # LAN address; moved onto bridge br0 in step 5
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 speed 'auto'
# Source NAT: masquerade everything from the LAN behind eth0's address.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.4.0/22'
set nat source rule 100 translation address masquerade
set system gateway-address 外网网关   # upstream (WAN) default gateway
set system host-name vyos
# Replace the default public NTP pool with a single chosen server.
delete system ntp server '0.pool.ntp.org'
delete system ntp server '1.pool.ntp.org'
delete system ntp server '2.pool.ntp.org'
set system ntp server IP地址   # NTP server address
set system time-zone Asia/Shanghai
set system name-server 202.106.0.20
set system ipv6 disable
set system options reboot-on-panic true   # reboot automatically after a kernel panic
# NOTE(review): nothing in this walkthrough defines any 'firewall' rules, so eth0 (and the VPN ports opened
# in step 3) are reachable without filtering; add a WAN ruleset before exposing the box.
commit
save
2.创建open*** tls认证
# Step 2: copy the easy-rsa 2.0 example scripts shipped with the package to /config/easy-rsa2.
# (/config is where VyOS keeps config.boot, see above; presumably chosen so the PKI survives image upgrades — confirm.)
# `sudo -i` opens a root login shell just to run cp; a plain `sudo cp -rv` would do the same here.
sudo -i cp -rv /usr/share/doc/open***/examples/easy-rsa/2.0/ /config/easy-rsa2
编辑 /config/easy-rsa2/vars，下面这些参数可以按需自行修改：
# Subject fields stamped into every certificate easy-rsa generates (edit to taste).
export KEY_COUNTRY="CN" KEY_PROVINCE="BJ" KEY_CITY="Beijing" \
       KEY_ORG="Company Name" KEY_EMAIL="foxchan@abc.com"
加载参数,清理key,创建认证
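# Load the vars, wipe any previous key material, then build DH parameters, the CA and the server certificate.
# (The stray "$ " prompt characters in the original listing were removed.)
cd /config/easy-rsa2/ || exit 1
source ./vars
./clean-all                 # WARNING: removes the whole keys/ directory
./build-dh                  # writes keys/dh<KEY_SIZE>.pem; the copy step below expects dh1024.pem —
                            # NOTE(review): 1024-bit DH is weak by today's standards, consider 2048 or more
./build-ca                  # creates keys/ca.crt (and the CA key); the original skipped this step, but
                            # build-key-server signs with the CA and the copy step below needs ca.crt
./build-key-server vyatta   # produces keys/vyatta.crt and keys/vyatta.key, the names the copy step and the
                            # tls config in step 3 use (the original's 'vyatta-server' would yield vyatta-server.*)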
复制认证和key 到/config/auth
# Install the CA cert, DH parameters and server key pair where the VyOS tls config reads them (/config/auth).
for f in ca.crt dh1024.pem vyatta.key vyatta.crt; do
  sudo cp "/config/easy-rsa2/keys/$f" /config/auth/
done
3.创建open***
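# Expose the easy-rsa tree under /etc/open***/ (the account scripts in step 6 cd into /etc/open***/easy-rsa2).
# "open***" is how the source page renders the product directory name — substitute the real one.
cd /etc/open***/ || exit 1
ln -s /config/easy-rsa2/ .   # fixed: the original linked /config/eays-rsa2 (typo), a path that does not exist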
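# Step 3: two OpenVPN server instances sharing one CA and server cert — vtun0 over TCP, vtun1 over UDP (the default).
# "open***" is how the source page renders the interface type and option names; substitute the real ones.
set interfaces open*** vtun0 mode server                      # fixed: the original had 'set interface' (singular), which is not a valid node
set interfaces open*** vtun0 description "TCP version"
set interfaces open*** vtun0 open***-option --comp-lzo        # NOTE(review): in-tunnel compression is discouraged by current OpenVPN guidance
set interfaces open*** vtun0 open***-option "--proto tcp"     # TCP on the default port 1194, matching 'proto tcp' in the client profile of step 6
set interfaces open*** vtun0 open***-option "--push route-delay 5"
set interfaces open*** vtun1 server subnet 192.168.4.0/22     # client address pool; NOTE(review): this line sits in the vtun0 block but names vtun1 (set again below) — confirm which instance was meant
set interfaces open*** vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces open*** vtun0 tls cert-file /config/auth/vyatta.crt
set interfaces open*** vtun0 tls dh-file /config/auth/dh1024.pem
set interfaces open*** vtun0 tls key-file /config/auth/vyatta.key
set interfaces open*** vtun1 mode server                      # UDP instance
set interfaces open*** vtun1 bridge-group bridge br0          # NOTE(review): br0 is only defined in step 5; this may have to be committed after the bridge exists
set interfaces open*** vtun1 description "UDP version"
set interfaces open*** vtun1 open***-option --comp-lzo
set interfaces open*** vtun1 open***-option "--push route-delay 5"
set interfaces open*** vtun1 server name-server 202.106.0.20
set interfaces open*** vtun1 server name-server 8.8.8.8
set interfaces open*** vtun1 server subnet 192.168.4.0/22
set interfaces open*** vtun1 tls ca-cert-file /config/auth/ca.crt
set interfaces open*** vtun1 tls cert-file /config/auth/vyatta.crt
set interfaces open*** vtun1 tls dh-file /config/auth/dh1024.pem    # 1024-bit DH parameters — weak by today's standards
set interfaces open*** vtun1 tls key-file /config/auth/vyatta.key
# NOTE(review): neither instance sets 'tls crl-file', so certificates revoked with revoke_cert.sh (step 6) are
# still accepted; copy the CRL that revoke-full writes into /config/auth and reference it on both instances.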
4.创建 DHCP。必须创建 DHCP，否则客户端获取不到 IP；当然也可以在客户端手动设置 IP。
# Step 4: DHCP on the LAN/bridge subnet so LAN hosts and bridged (tap) VPN clients obtain addresses.
set service dhcp-server disabled false
set service dhcp-server dynamic-dns-update enable
set service dhcp-server shared-network-name POOL
set service dhcp-server shared-network-name POOL authoritative disable
set service dhcp-server shared-network-name POOL subnet 192.168.4.0/22
set service dhcp-server shared-network-name POOL subnet 192.168.4.0/22 lease 1840   # lease time, in seconds
# The pool is only .2–.15 (14 addresses) for every LAN host and VPN client together; widen it if more are expected.
set service dhcp-server shared-network-name POOL subnet 192.168.4.0/22 start 192.168.4.2
set service dhcp-server shared-network-name POOL subnet 192.168.4.0/22 start 192.168.4.2 stop 192.168.4.15
# NOTE(review): no default-router or dns-server option is set for the subnet here, and the interface that holds
# 192.168.4.1/22 after step 5 (br0) does not exist yet at this commit — confirm the commit order on the target release.
commit
5.创建桥接br0,将***绑定到br0
先把 eth1 上的 IP 地址删掉，否则会报错。
# Step 5a: eth1 is about to join bridge br0, so drop its address first (the prose above notes the commit
# fails otherwise); the same 192.168.4.1/22 is re-added on br0 in the next block.
delete interfaces ethernet eth1 address 192.168.4.1/22
commit
# Step 5b: create br0, give it the LAN address, and enslave eth1 and both VPN instances so VPN clients land on the LAN segment.
set interfaces bridge br0 address 192.168.4.1/22   # the address previously on eth1
set interfaces bridge br0 aging 300
set interfaces bridge br0 hello-time 2             # hello-time / max-age / priority are spanning-tree parameters;
set interfaces bridge br0 max-age 20               # with stp false below they are presumably inert — confirm
set interfaces bridge br0 priority 0
set interfaces bridge br0 stp false
set interfaces ethernet eth1 bridge-group bridge br0
set interfaces open*** vtun0 bridge-group bridge br0
set interfaces open*** vtun1 bridge-group bridge br0   # already set in step 3; harmless to repeat
commit
6.创建、删除***用户的脚本
expect_sh
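#!/usr/bin/expect
# Drive easy-rsa's interactive build-key-pass to issue one passphrase-protected client certificate.
# Arguments: [lindex $argv 0] = certificate/user name, [lindex $argv 1] = key passphrase.
# NOTE(review): the passphrase arrives on the command line, so it is visible in `ps` and shell history
# while this runs; the caller (create_account.sh) would have to change too before it could be passed otherwise.
# "open***" is how the source page renders the product directory name — substitute the real one.
set name [lindex $argv 0]
set pswd [lindex $argv 1]
set timeout 60
spawn /etc/open***/easy-rsa2/build-key-pass $name
# PEM passphrase, entered twice.
expect "phrase:"       { send "$pswd\r" }
expect "Verifying"     { send "$pswd\r" }
# Accept the defaults (taken from the exported KEY_* variables) for every subject field.
expect "CN"            { send "\r" }
expect "BJ"            { send "\r" }
expect "Beijing"       { send "\r" }
expect "Company Name"  { send "\r" }
expect "section"       { send "\r" }
expect "Common Name"   { send "\r" }
expect "Name"          { send "\r" }
expect "Email Address" { send "\r" }
expect "challenge"     { send "\r" }
expect "An optional"   { send "\r" }
# Sign the certificate, then commit it to the CA database.
expect "y/n"           { send "y\r" }
expect "y/n"           { send "y\r" }
# Added: wait for build-key-pass to finish. The original ended right after the last answer, which closes the
# pty while openssl may still be writing the certificate and index.txt.
expect eof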
create_account.sh
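#!/bin/bash
# Create an OpenVPN client account: build a passphrase-protected client certificate with easy-rsa
# (the interactive prompts are answered by /root/expect_sh), publish the updated key set, and bundle
# a ready-to-use client profile under /root/to_<USER>.
#
# Usage:   create_account.sh USER PASSWD SUFFIX-number   (SUFFIX-number must be 1 = @abc.com, the only suffix defined)
# Outputs: /root/to_<USER>_dev.tar.gz containing client.o***, ca.crt, <USER>.crt, <USER>.key and password.txt
# NOTE(review): PASSWD is handed to expect_sh on its command line (visible in `ps` while it runs) and is
# written in clear text to password.txt inside the bundle; remove the bundle once it has been delivered.
# "open***" is how the source page renders the product directory name — substitute the real one.

usage() {
  echo "Usage: $0 USER PASSWD SUFFIX-number"
  echo "1-----suffix: @abc.com"
}

if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then   # an empty passphrase would leave expect_sh answering the prompt with nothing
  usage
  exit 1                                      # the original exited 0 on a usage error
fi
usage
user=$1
pass=$2
if [ "${3:-}" != "1" ]; then                  # quoted: an empty $3 used to be a [ syntax error instead of a usage failure
  echo "1-----suffix: @abc.com"
  exit 1
fi
# USER becomes a path component (/root/to_<USER>) and a file name, so allow only a plain identifier.
case "$user" in
  -*|..|*[!A-Za-z0-9._-]*)
    echo "invalid user name: $user" >&2
    exit 1 ;;
esac

cd /etc/open***/easy-rsa2 || exit 1
#source ./vars   -- left disabled as in the original; the exports below replicate it inline
export EASY_RSA="$(pwd)"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
KEY_CONFIG=$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")
export KEY_CONFIG
export KEY_DIR="$EASY_RSA/keys"
echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024      # NOTE(review): 1024-bit RSA is considered weak today; 2048 or more is the usual minimum
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="CN"
export KEY_PROVINCE="BJ"
export KEY_CITY="Beijing"
export KEY_ORG="Company Name"
export KEY_EMAIL="${email:-}"   # NOTE(review): $email is set nowhere in this script, so the cert gets an empty
                                # emailAddress (unchanged from the original); set it or re-enable 'source ./vars'

/root/expect_sh "$user" "$pass"
mkdir -p "/root/to_$user"
cd /etc/open***/easy-rsa2/keys || exit 1
cp -- * /config/auth            # the server reads ca.crt, dh1024.pem and vyatta.crt/.key from here
# The original copied the whole keys/ directory — server key and every client's private key included — into the
# vyos user's home and chowned it to vyos (presumably so bundles can be fetched over SSH — confirm). Only the
# new client's own key is let through now; the other private keys do not belong in an unprivileged account.
for f in *; do
  case "$f" in
    "$user.key") ;;
    *.key) continue ;;
  esac
  cp -- "$f" /home/vyos/open***
done
chown vyos:users /home/vyos/open***/*
cp -- ca.crt "$user.crt" "$user.key" "/root/to_$user"

# Client profile. 'dev tap' matches the bridged server; 'proto tcp' targets the vtun0 instance
# ('proto udp', for vtun1, was commented out in the original). Fill in the real public IP.
cat > "/root/to_$user/client.o***" <<EOF
client
dev tap
proto tcp
remote 公网ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $user.crt
key $user.key
ns-cert-type server
comp-lzo
verb 3
EOF
# NOTE(review): 'ns-cert-type server' relies on the nsCertType extension that build-key-server sets; newer
# OpenVPN clients dropped that option in favour of 'remote-cert-tls server'. 'comp-lzo' enables compression
# inside the tunnel, which current OpenVPN guidance recommends disabling.
printf 'Login: %s\nPassword: %s\n' "$user" "$pass" > "/root/to_$user/password.txt"
cd /root || exit 1
tar cfz "to_${user}_dev.tar.gz" "to_$user"
echo "remember rm the package after fwded to client"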
revoke_cert.sh
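#!/bin/bash
# Revoke one client certificate by its key name and regenerate the CRL with easy-rsa's revoke-full.
# Usage: revoke_cert.sh CertKeyName
# "open***" is how the source page renders the product directory name — substitute the real one.
if [ -z "${1:-}" ]; then
  echo "Usage: $0 CertKeyName"
  exit 1
fi
# Fixed: the original used /etc/open***/easy-rsa/keys/ — a different tree name from the easy-rsa2
# directory linked in step 3, and keys/ contains neither ./vars nor ./revoke-full, so both lines below
# would have failed. (An unused TIMESTAMP variable was also dropped.)
EASYRSADIR=/etc/open***/easy-rsa2
cd "$EASYRSADIR" || exit 1
source ./vars
# Marks the cert revoked in keys/index.txt and rewrites keys/crl.pem.
# NOTE(review): revoke-full ends with an openssl verify that is expected to fail for the now-revoked cert, so
# its exit status is normally non-zero even on success — check crl.pem/index.txt rather than $?.
# NOTE(review): the server configuration in step 3 references no CRL ('tls crl-file'), so a revoked client
# keeps connecting until crl.pem is copied to /config/auth and configured on both vtun instances.
./revoke-full "$1"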
转载于:https://blog.51cto.com/foxhound/1687579