实战图解
基础环境
[root@***server ~]# cat /etc/redhat-release CentOS release 6.7 (Final) [root@***server ~]# uname -a Linux ***server 2.6.32-573.el6.x86_64 #1 SMP Thu Jul 23 15:44:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [root@***server ~]# crontab -l */5 * * * * /usr/sbin/ntpdate time.nist.gov>/dev/null 2>&1 [root@***server ~]#
网卡:
[root@***server ~]# ifconfig eth0 Link encap:Ethernet HWaddr 00:0C:29:6B:BB:7A inet addr:10.0.0.28 Bcast:10.0.0.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe6b:bb7a/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1193 errors:0 dropped:0 overruns:0 frame:0 TX packets:706 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:113852 (111.1 KiB) TX bytes:87184 (85.1 KiB) eth1 Link encap:Ethernet HWaddr 00:0C:29:6B:BB:84 inet addr:172.16.1.28 Bcast:172.16.1.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe6b:bb84/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:25 errors:0 dropped:0 overruns:0 frame:0 TX packets:22 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1804 (1.7 KiB) TX bytes:1732 (1.6 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) [root@***server ~]# ping www.baidu.com PING www.a.shifen.com (61.135.169.125) 56(84) bytes of data. 64 bytes from 61.135.169.125: icmp_seq=1 ttl=128 time=37.2 ms ^C --- www.a.shifen.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 861ms rtt min/avg/max/mdev = 37.225/37.225/37.225/0.000 ms [root@***server ~]#
3.安装包
[root@***server liuhx]# wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz --2017-04-02 15:42:36-- http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz 正在解析主机 www.oberhumer.com... 193.170.194.40 正在连接 www.oberhumer.com|193.170.194.40|:80... 已连接。 已发出 HTTP 请求,正在等待回应... 200 OK 长度:583045 (569K) [application/x-gzip] 正在保存至: “lzo-2.06.tar.gz” 100%[=======================================================================================================================================================================>] 583,045 200K/s in 2.8s 2017-04-02 15:42:42 (200 KB/s) - 已保存 “lzo-2.06.tar.gz” [583045/583045]) [root@***server liuhx]# wget https://build.open***.net/downloads/releases/open***-2.2.2.tar.gz --2017-04-02 15:42:54-- https://build.open***.net/downloads/releases/open***-2.2.2.tar.gz 正在解析主机 build.open***.net... 54.215.128.159 正在连接 build.open***.net|54.215.128.159|:443... 已连接。 已发出 HTTP 请求,正在等待回应... 200 OK 长度:911158 (890K) [application/octet-stream] 正在保存至: “open***-2.2.2.tar.gz” 93% [============================================================================================================================================================> ] 851,710 266K/s eta(英国中部时100%[=======================================================================================================================================================================>] 911,158 268K/s in 3.3s 2017-04-02 15:42:58 (268 KB/s) - 已保存 “open***-2.2.2.tar.gz” [911158/911158]) [root@***server liuhx]# ll 总用量 1464 -rw-r--r-- 1 root root 583045 8月 13 2011 lzo-2.06.tar.gz -rw-r--r-- 1 root root 911158 5月 9 2013 open***-2.2.2.tar.gz [root@***server liuhx]#
4.安装依赖包
yum -y install openssl* [root@***server yum.repos.d]# rpm -qa |grep openssl* openssl098e-0.9.8e-20.el6.centos.1.x86_64 openssh-server-5.3p1-111.el6.x86_64 #要有 openssl-1.0.1e-48.el6_8.4.x86_64 openssl-devel-1.0.1e-48.el6_8.4.x86_64 #要有 openssl-perl-1.0.1e-48.el6_8.4.x86_64 openssh-clients-5.3p1-111.el6.x86_64 openssl-static-1.0.1e-48.el6_8.4.x86_64 openssh-5.3p1-111.el6.x86_64 [root@***server yum.repos.d]# cd /home/liuhx/ tar zxf lzo-2.06.tar.gz cd lzo-2.06 ./configure&& make && make install
5.安装open***
[root@***server lzo-2.06]# cd /home/liuhx/ [root@***server liuhx]# ll 总用量 1468 drwxr-xr-x 13 root root 4096 4月 2 15:44 lzo-2.06 -rw-r--r-- 1 root root 583045 8月 13 2011 lzo-2.06.tar.gz -rw-r--r-- 1 root root 911158 5月 9 2013 open***-2.2.2.tar.gz [root@***server liuhx]# tar xf open***-2.2.2.tar.gz [root@***server liuhx]# cd open***-2.2.2 [root@***server open***-2.2.2]# ./configure --with-lzo-headers=/usr/local/include --with-lzo-lib=/usr/local/lib [root@***server open***-2.2.2]# make && make install [root@***server open***-2.2.2]# which open*** /usr/local/sbin/open***
6.生成CA证书
cd /home/liuhx/open***-2.2.2/easy-rsa/2.0 vi vars [root@***server 2.0]# vim vars [root@***server 2.0]# tail -n 10 vars #原来的删掉 export KEY_PROVINCE="BJ" export KEY_CITY="BeiJing" export KEY_ORG="liuhx" export KEY_EMAIL="w673004708@163.com" export KEY_CN="BeiJing" export KEY_NAME="liuhx" export KEY_OU="liuhx" export PKCS11_MODULE_PATH=changeme export PKCS11_PIN=1234 [root@***server 2.0]# source vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/liuhx/open***-2.2.2/easy-rsa/2.0/keys [root@***server 2.0]# ./clean-all # #清空证书文件,第一次执行,之后不要执行 [root@***server 2.0]# ./build-ca #除了一下一处 其余只要回车就好
[root@***server 2.0]# ll keys/ 总用量 12 -rw-r--r-- 1 root root 1306 4月 2 16:22 ca.crt -rw------- 1 root root 916 4月 2 16:22 ca.key -rw-r--r-- 1 root root 0 4月 2 16:22 index.txt -rw-r--r-- 1 root root 3 4月 2 16:22 serial [root@***server 2.0]#
7.配置服务端证书和秘钥
[root@***server 2.0]# pwd /home/liuhx/open***-2.2.2/easy-rsa/2.0 [root@***server 2.0]# ./build-key-server server Generating a 1024 bit RSA private key .........................++++++ .................++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BJ]: Locality Name (eg, city) [BeiJing]: Organization Name (eg, company) [liuhx]: Organizational Unit Name (eg, section) [liuhx]: Common Name (eg, your name or your server's hostname) [server]: Name [liuhx]: Email Address [w673004708@163.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:liuhx Using configuration from /home/liuhx/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BJ' localityName :PRINTABLE:'BeiJing' organizationName :PRINTABLE:'liuhx' organizationalUnitName:PRINTABLE:'liuhx' commonName :PRINTABLE:'server' name :PRINTABLE:'liuhx' emailAddress :IA5STRING:'w673004708@163.com' Certificate is to be certified until Mar 31 08:31:05 2027 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@***server 2.0]# ll keys 总用量 40 -rw-r--r-- 1 root root 3993 4月 2 16:31 01.pem -rw-r--r-- 1 root root 1306 4月 2 16:22 ca.crt #上一步生辰的ca证书 -rw------- 1 root root 916 4月 2 16:22 ca.key -rw-r--r-- 1 root root 120 4月 2 16:31 index.txt -rw-r--r-- 1 root root 21 4月 2 16:31 index.txt.attr -rw-r--r-- 1 root root 0 4月 2 16:22 index.txt.old -rw-r--r-- 1 root root 3 4月 2 16:31 serial -rw-r--r-- 1 root root 3 4月 2 16:22 serial.old -rw-r--r-- 1 root root 3993 4月 2 16:31 server.crt #这一步骤生辰的文件 -rw-r--r-- 1 root root 769 4月 2 16:31 server.csr -rw------- 1 root root 916 4月 2 16:31 server.key#这一步骤生辰的文件
8.配置的客户端的证书和密钥
[root@***server 2.0]# pwd /home/liuhx/open***-2.2.2/easy-rsa/2.0 [root@***server 2.0]# ./build-key sense Generating a 1024 bit RSA private key ..++++++ ...++++++ writing new private key to 'sense.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BJ]: Locality Name (eg, city) [BeiJing]: Organization Name (eg, company) [liuhx]: Organizational Unit Name (eg, section) [liuhx]: Common Name (eg, your name or your server's hostname) [sense]: Name [liuhx]: Email Address [w673004708@163.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:sense An optional company name []: Using configuration from /home/liuhx/open***-2.2.2/easy-rsa/2.0/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'BJ' localityName :PRINTABLE:'BeiJing' organizationName :PRINTABLE:'liuhx' organizationalUnitName:PRINTABLE:'liuhx' commonName :PRINTABLE:'sense' name :PRINTABLE:'liuhx' emailAddress :IA5STRING:'w673004708@163.com' Certificate is to be certified until Mar 31 09:06:52 2027 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@***server 2.0]# ll keys/ 总用量 64 -rw-r--r-- 1 root root 3993 4月 2 16:31 01.pem -rw-r--r-- 1 root root 3870 4月 2 17:06 02.pem -rw-r--r-- 1 root root 1306 4月 2 16:22 ca.crt -rw------- 1 root root 916 4月 2 16:22 ca.key -rw-r--r-- 1 root root 239 4月 2 17:06 index.txt -rw-r--r-- 1 root root 21 4月 2 17:06 index.txt.attr -rw-r--r-- 1 root root 21 4月 2 16:31 index.txt.attr.old -rw-r--r-- 1 root root 120 4月 2 16:31 index.txt.old -rw-r--r-- 1 root root 3870 4月 2 17:06 sense.crt -rw-r--r-- 1 root root 737 4月 2 17:06 sense.csr -rw------- 1 root root 916 4月 2 17:06 sense.key -rw-r--r-- 1 root root 3 4月 2 17:06 serial -rw-r--r-- 1 root root 3 4月 2 16:31 serial.old -rw-r--r-- 1 root root 3993 4月 2 16:31 server.crt -rw-r--r-- 1 root root 769 4月 2 16:31 server.csr -rw------- 1 root root 916 4月 2 16:31 server.key [root@***server 2.0]#
9.生成密钥协议交换文件(这一步骤必须得做)
[root@***server 2.0]# ./build-dh Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ..............+..+..........+...................................................................................+..........................................................................+...................................................+...............................................+............................................................................................................+......................+........+........+...............................+.............................+........+...+...........+............+..............+.....................................................+......+...+..............................................................................................+.........................................++*++*++* [root@***server 2.0]# pwd /home/liuhx/open***-2.2.2/easy-rsa/2.0 [root@***server 2.0]# [root@***server 2.0]# ll keys/ 总用量 68 -rw-r--r-- 1 root root 3993 4月 2 16:31 01.pem -rw-r--r-- 1 root root 3870 4月 2 17:06 02.pem -rw-r--r-- 1 root root 1306 4月 2 16:22 ca.crt -rw------- 1 root root 916 4月 2 16:22 ca.key -rw-r--r-- 1 root root 245 4月 2 17:14 dh1024.pem #主要生成了这个文件 -rw-r--r-- 1 root root 239 4月 2 17:06 index.txt -rw-r--r-- 1 root root 21 4月 2 17:06 index.txt.attr -rw-r--r-- 1 root root 21 4月 2 16:31 index.txt.attr.old -rw-r--r-- 1 root root 120 4月 2 16:31 index.txt.old -rw-r--r-- 1 root root 3870 4月 2 17:06 sense.crt -rw-r--r-- 1 root root 737 4月 2 17:06 sense.csr -rw------- 1 root root 916 4月 2 17:06 sense.key -rw-r--r-- 1 root root 3 4月 2 17:06 serial -rw-r--r-- 1 root root 3 4月 2 16:31 serial.old -rw-r--r-- 1 root root 3993 4月 2 16:31 server.crt -rw-r--r-- 1 root root 769 4月 2 16:31 server.csr -rw------- 1 root root 916 4月 2 16:31 server.key [root@***server 2.0]#
10. 生成open***防止洪水***的文件
[root@***server 2.0]# pwd /home/liuhx/open***-2.2.2/easy-rsa/2.0 [root@***server 2.0]# open*** --genkey --secret keys/ta.key [root@***server 2.0]# ll keys/ 总用量 72 -rw-r--r-- 1 root root 3993 4月 2 16:31 01.pem -rw-r--r-- 1 root root 3870 4月 2 17:06 02.pem -rw-r--r-- 1 root root 1306 4月 2 16:22 ca.crt -rw------- 1 root root 916 4月 2 16:22 ca.key -rw-r--r-- 1 root root 245 4月 2 17:14 dh1024.pem -rw-r--r-- 1 root root 239 4月 2 17:06 index.txt -rw-r--r-- 1 root root 21 4月 2 17:06 index.txt.attr -rw-r--r-- 1 root root 21 4月 2 16:31 index.txt.attr.old -rw-r--r-- 1 root root 120 4月 2 16:31 index.txt.old -rw-r--r-- 1 root root 3870 4月 2 17:06 sense.crt -rw-r--r-- 1 root root 737 4月 2 17:06 sense.csr -rw------- 1 root root 916 4月 2 17:06 sense.key -rw-r--r-- 1 root root 3 4月 2 17:06 serial -rw-r--r-- 1 root root 3 4月 2 16:31 serial.old -rw-r--r-- 1 root root 3993 4月 2 16:31 server.crt -rw-r--r-- 1 root root 769 4月 2 16:31 server.csr -rw------- 1 root root 916 4月 2 16:31 server.key -rw------- 1 root root 636 4月 2 17:22 ta.key [root@***server 2.0]#
11.拷贝配置文件
mkdir /etc/open*** [root@***server 2.0]# cp ../../sample-config-files/server.conf /etc/open***/ [root@***server 2.0]# cp ../../sample-config-files/client.conf /etc/open***/ [root@***server 2.0]# cp -ap keys /etc/open*** [root@***server open***]# cat server.conf local 10.0.0.28 #oepn***的服务器地址 port 52115 #端口 proto tcp #可以是udp dev tun ca /etc/open***/keys/ca.crt #证书 cert /etc/open***/keys/server.crt key /etc/open***/keys/server.key # This file should be kept secret dh /etc/open***/keys/dh1024.pem server 10.8.0.0 255.255.255.0 #open***分配的地址池 push "172.16.1.0 255.255.255.0" #open*** 一起的内网网段,如果有个 写多个push ifconfig-pool-persist ipp.txt keepalive 10 120 comp-lzo persist-key persist-tun status open***-status.log verb 3 log /var/log/open***.log [root@***server open***]# pwd /etc/open*** [root@***server open***]# iptables-A INPUT -p tcp --dport 52115 -j ACCEPT #如果有防火墙 开启内核的转发 [root@***server open***]# vim /etc/sysctl.conf [root@***server open***]# sysctl -p net.ipv4.ip_forward = 1
12.启动open***
[root@***server open***]# netstat -lntup Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1331/sshd tcp 0 0 :::22 :::* LISTEN 1331/sshd [root@***server open***]# /usr/local/sbin/open*** --config /etc/open***/server.conf & [1] 41446 [root@***server open***]# netstat -lntup Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 10.0.0.28:52115 0.0.0.0:* LISTEN 41446/open*** tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1331/sshd tcp 0 0 :::22 :::* LISTEN 1331/sshd [root@***server open***]# tail -f /var/log/open***.log Mon Apr 3 00:13:01 2017 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2 Mon Apr 3 00:13:01 2017 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ] Mon Apr 3 00:13:01 2017 Listening for incoming TCP connection on 10.0.0.28:52115 Mon Apr 3 00:13:01 2017 TCPv4_SERVER link local (bound): 10.0.0.28:52115 Mon Apr 3 00:13:01 2017 TCPv4_SERVER link remote: [undef] Mon Apr 3 00:13:01 2017 MULTI: multi_init called, r=256 v=256 Mon Apr 3 00:13:01 2017 IFCONFIG POOL: base=10.8.0.4 size=62 Mon Apr 3 00:13:01 2017 IFCONFIG POOL LIST Mon Apr 3 00:13:01 2017 MULTI: TCP INIT maxclients=1024 maxevents=1028 Mon Apr 3 00:13:01 2017 Initialization Sequence Completed [root@***server open***]# ps -ef |grep open*** root 41446 41321 0 00:13 pts/0 00:00:00 /usr/local/sbin/open*** --config /etc/open***/server.conf root 41462 41321 0 00:14 pts/0 00:00:00 grep open*** [root@***server open***]# 开机自启动 [root@***server open***]# tail -n 2 /etc/rc.local #open*** start /usr/local/sbin/open*** --config /etc/open***/server.conf & [root@***server open***]#
13.修改open***的客户端配置文件
open*** 客户端下载地址
http://swupdate.open***.org/community/releases/
http://swupdate.open***.org/community/releases/open***-install-2.3.1-I001-x86_64.exe
建议下载最高的版本
cd /etc/open*** [root@***server open***]# grep "^[a-Z]" client.conf #提前备份 client dev tun proto tcp remote 10.0.0.28 52115 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert sense.crt key sense.key ns-cert-type server comp-lzo verb 3 [root@***server tmp]# sz keys/ca.crt keys/sense.crt keys/sense.key client.conf 下载到sense目录下windows桌面 client.conf 改为sense.o***
启动open***
14.链接上以后发现ping不同***server内部的机器
解决方案1.添加网关 (内网机器的网关是×××server)
在172.16.1.17 添加网关为172.16.1.28 就可以了 每个内部的服务器都得增加
解决方案2:
在***server上做基于源地址的路由转换
源地址是10.8.0.0 的地址 全部转换成为 172.16.1.28 这样内部服务器可以通过arp广播获取
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j SNAT --to-source 172.16.1.28
转载于:https://blog.51cto.com/wsxxsl/1912628
160
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
